Magellan Linux

  • Back to homepage
    • /[pkg-src]/trunk/kernel-magellan/patches-5.0/0109-5.0.10-all-fixes.patch

    Annotation of /trunk/kernel-magellan/patches-5.0/0109-5.0.10-all-fixes.patch

    Parent Directory Parent Directory | Revision Log Revision Log

    Revision 3338 - (hide annotations) (download)
    Thu May 2 14:04:40 2019 UTC (5 years ago) by niro
    File size: 137119 byte(s) 
    -linux-5.0.10
    1 niro 3338 diff --git a/Makefile b/Makefile
    2     index ef192ca04330..b282c4143b21 100644
    3     --- a/Makefile
    4     +++ b/Makefile
    5     @@ -1,7 +1,7 @@
    6     # SPDX-License-Identifier: GPL-2.0
    7     VERSION = 5
    8     PATCHLEVEL = 0
    9     -SUBLEVEL = 9
    10     +SUBLEVEL = 10
    11     EXTRAVERSION =
    12     NAME = Shy Crocodile
    13    
    14     @@ -678,8 +678,7 @@ KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow)
    15     KBUILD_CFLAGS += $(call cc-disable-warning, int-in-bool-context)
    16    
    17     ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE
    18     -KBUILD_CFLAGS += $(call cc-option,-Oz,-Os)
    19     -KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,)
    20     +KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,)
    21     else
    22     ifdef CONFIG_PROFILE_ALL_BRANCHES
    23     KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,)
    24     diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h
    25     index e1d95f08f8e1..c7e1a7837706 100644
    26     --- a/arch/arm64/include/asm/futex.h
    27     +++ b/arch/arm64/include/asm/futex.h
    28     @@ -50,7 +50,7 @@ do { \
    29     static inline int
    30     arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr)
    31     {
    32     - int oldval, ret, tmp;
    33     + int oldval = 0, ret, tmp;
    34     u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);
    35    
    36     pagefault_disable();
    37     diff --git a/arch/s390/boot/mem_detect.c b/arch/s390/boot/mem_detect.c
    38     index 4cb771ba13fa..5d316fe40480 100644
    39     --- a/arch/s390/boot/mem_detect.c
    40     +++ b/arch/s390/boot/mem_detect.c
    41     @@ -25,7 +25,7 @@ static void *mem_detect_alloc_extended(void)
    42     {
    43     unsigned long offset = ALIGN(mem_safe_offset(), sizeof(u64));
    44    
    45     - if (IS_ENABLED(BLK_DEV_INITRD) && INITRD_START && INITRD_SIZE &&
    46     + if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && INITRD_START && INITRD_SIZE &&
    47     INITRD_START < offset + ENTRIES_EXTENDED_MAX)
    48     offset = ALIGN(INITRD_START + INITRD_SIZE, sizeof(u64));
    49    
    50     diff --git a/arch/x86/crypto/poly1305-avx2-x86_64.S b/arch/x86/crypto/poly1305-avx2-x86_64.S
    51     index 3b6e70d085da..8457cdd47f75 100644
    52     --- a/arch/x86/crypto/poly1305-avx2-x86_64.S
    53     +++ b/arch/x86/crypto/poly1305-avx2-x86_64.S
    54     @@ -323,6 +323,12 @@ ENTRY(poly1305_4block_avx2)
    55     vpaddq t2,t1,t1
    56     vmovq t1x,d4
    57    
    58     + # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
    59     + # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
    60     + # amount. Careful: we must not assume the carry bits 'd0 >> 26',
    61     + # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
    62     + # integers. It's true in a single-block implementation, but not here.
    63     +
    64     # d1 += d0 >> 26
    65     mov d0,%rax
    66     shr $26,%rax
    67     @@ -361,16 +367,16 @@ ENTRY(poly1305_4block_avx2)
    68     # h0 += (d4 >> 26) * 5
    69     mov d4,%rax
    70     shr $26,%rax
    71     - lea (%eax,%eax,4),%eax
    72     - add %eax,%ebx
    73     + lea (%rax,%rax,4),%rax
    74     + add %rax,%rbx
    75     # h4 = d4 & 0x3ffffff
    76     mov d4,%rax
    77     and $0x3ffffff,%eax
    78     mov %eax,h4
    79    
    80     # h1 += h0 >> 26
    81     - mov %ebx,%eax
    82     - shr $26,%eax
    83     + mov %rbx,%rax
    84     + shr $26,%rax
    85     add %eax,h1
    86     # h0 = h0 & 0x3ffffff
    87     andl $0x3ffffff,%ebx
    88     diff --git a/arch/x86/crypto/poly1305-sse2-x86_64.S b/arch/x86/crypto/poly1305-sse2-x86_64.S
    89     index c88c670cb5fc..5851c7418fb7 100644
    90     --- a/arch/x86/crypto/poly1305-sse2-x86_64.S
    91     +++ b/arch/x86/crypto/poly1305-sse2-x86_64.S
    92     @@ -253,16 +253,16 @@ ENTRY(poly1305_block_sse2)
    93     # h0 += (d4 >> 26) * 5
    94     mov d4,%rax
    95     shr $26,%rax
    96     - lea (%eax,%eax,4),%eax
    97     - add %eax,%ebx
    98     + lea (%rax,%rax,4),%rax
    99     + add %rax,%rbx
    100     # h4 = d4 & 0x3ffffff
    101     mov d4,%rax
    102     and $0x3ffffff,%eax
    103     mov %eax,h4
    104    
    105     # h1 += h0 >> 26
    106     - mov %ebx,%eax
    107     - shr $26,%eax
    108     + mov %rbx,%rax
    109     + shr $26,%rax
    110     add %eax,h1
    111     # h0 = h0 & 0x3ffffff
    112     andl $0x3ffffff,%ebx
    113     @@ -520,6 +520,12 @@ ENTRY(poly1305_2block_sse2)
    114     paddq t2,t1
    115     movq t1,d4
    116    
    117     + # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
    118     + # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
    119     + # amount. Careful: we must not assume the carry bits 'd0 >> 26',
    120     + # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
    121     + # integers. It's true in a single-block implementation, but not here.
    122     +
    123     # d1 += d0 >> 26
    124     mov d0,%rax
    125     shr $26,%rax
    126     @@ -558,16 +564,16 @@ ENTRY(poly1305_2block_sse2)
    127     # h0 += (d4 >> 26) * 5
    128     mov d4,%rax
    129     shr $26,%rax
    130     - lea (%eax,%eax,4),%eax
    131     - add %eax,%ebx
    132     + lea (%rax,%rax,4),%rax
    133     + add %rax,%rbx
    134     # h4 = d4 & 0x3ffffff
    135     mov d4,%rax
    136     and $0x3ffffff,%eax
    137     mov %eax,h4
    138    
    139     # h1 += h0 >> 26
    140     - mov %ebx,%eax
    141     - shr $26,%eax
    142     + mov %rbx,%rax
    143     + shr $26,%rax
    144     add %eax,h1
    145     # h0 = h0 & 0x3ffffff
    146     andl $0x3ffffff,%ebx
    147     diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
    148     index 0ecfac84ba91..d45f3fbd232e 100644
    149     --- a/arch/x86/events/amd/core.c
    150     +++ b/arch/x86/events/amd/core.c
    151     @@ -117,22 +117,39 @@ static __initconst const u64 amd_hw_cache_event_ids
    152     };
    153    
    154     /*
    155     - * AMD Performance Monitor K7 and later.
    156     + * AMD Performance Monitor K7 and later, up to and including Family 16h:
    157     */
    158     static const u64 amd_perfmon_event_map[PERF_COUNT_HW_MAX] =
    159     {
    160     - [PERF_COUNT_HW_CPU_CYCLES] = 0x0076,
    161     - [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0,
    162     - [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d,
    163     - [PERF_COUNT_HW_CACHE_MISSES] = 0x077e,
    164     - [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2,
    165     - [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3,
    166     - [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */
    167     - [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */
    168     + [PERF_COUNT_HW_CPU_CYCLES] = 0x0076,
    169     + [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0,
    170     + [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d,
    171     + [PERF_COUNT_HW_CACHE_MISSES] = 0x077e,
    172     + [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2,
    173     + [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3,
    174     + [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */
    175     + [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */
    176     +};
    177     +
    178     +/*
    179     + * AMD Performance Monitor Family 17h and later:
    180     + */
    181     +static const u64 amd_f17h_perfmon_event_map[PERF_COUNT_HW_MAX] =
    182     +{
    183     + [PERF_COUNT_HW_CPU_CYCLES] = 0x0076,
    184     + [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0,
    185     + [PERF_COUNT_HW_CACHE_REFERENCES] = 0xff60,
    186     + [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2,
    187     + [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3,
    188     + [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x0287,
    189     + [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x0187,
    190     };
    191    
    192     static u64 amd_pmu_event_map(int hw_event)
    193     {
    194     + if (boot_cpu_data.x86 >= 0x17)
    195     + return amd_f17h_perfmon_event_map[hw_event];
    196     +
    197     return amd_perfmon_event_map[hw_event];
    198     }
    199    
    200     diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
    201     index 2480feb07df3..470d7daa915d 100644
    202     --- a/arch/x86/events/intel/core.c
    203     +++ b/arch/x86/events/intel/core.c
    204     @@ -3130,7 +3130,7 @@ static unsigned long intel_pmu_large_pebs_flags(struct perf_event *event)
    205     flags &= ~PERF_SAMPLE_TIME;
    206     if (!event->attr.exclude_kernel)
    207     flags &= ~PERF_SAMPLE_REGS_USER;
    208     - if (event->attr.sample_regs_user & ~PEBS_REGS)
    209     + if (event->attr.sample_regs_user & ~PEBS_GP_REGS)
    210     flags &= ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR);
    211     return flags;
    212     }
    213     diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
    214     index acd72e669c04..b68ab65454ff 100644
    215     --- a/arch/x86/events/perf_event.h
    216     +++ b/arch/x86/events/perf_event.h
    217     @@ -96,25 +96,25 @@ struct amd_nb {
    218     PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER | \
    219     PERF_SAMPLE_PERIOD)
    220    
    221     -#define PEBS_REGS \
    222     - (PERF_REG_X86_AX | \
    223     - PERF_REG_X86_BX | \
    224     - PERF_REG_X86_CX | \
    225     - PERF_REG_X86_DX | \
    226     - PERF_REG_X86_DI | \
    227     - PERF_REG_X86_SI | \
    228     - PERF_REG_X86_SP | \
    229     - PERF_REG_X86_BP | \
    230     - PERF_REG_X86_IP | \
    231     - PERF_REG_X86_FLAGS | \
    232     - PERF_REG_X86_R8 | \
    233     - PERF_REG_X86_R9 | \
    234     - PERF_REG_X86_R10 | \
    235     - PERF_REG_X86_R11 | \
    236     - PERF_REG_X86_R12 | \
    237     - PERF_REG_X86_R13 | \
    238     - PERF_REG_X86_R14 | \
    239     - PERF_REG_X86_R15)
    240     +#define PEBS_GP_REGS \
    241     + ((1ULL << PERF_REG_X86_AX) | \
    242     + (1ULL << PERF_REG_X86_BX) | \
    243     + (1ULL << PERF_REG_X86_CX) | \
    244     + (1ULL << PERF_REG_X86_DX) | \
    245     + (1ULL << PERF_REG_X86_DI) | \
    246     + (1ULL << PERF_REG_X86_SI) | \
    247     + (1ULL << PERF_REG_X86_SP) | \
    248     + (1ULL << PERF_REG_X86_BP) | \
    249     + (1ULL << PERF_REG_X86_IP) | \
    250     + (1ULL << PERF_REG_X86_FLAGS) | \
    251     + (1ULL << PERF_REG_X86_R8) | \
    252     + (1ULL << PERF_REG_X86_R9) | \
    253     + (1ULL << PERF_REG_X86_R10) | \
    254     + (1ULL << PERF_REG_X86_R11) | \
    255     + (1ULL << PERF_REG_X86_R12) | \
    256     + (1ULL << PERF_REG_X86_R13) | \
    257     + (1ULL << PERF_REG_X86_R14) | \
    258     + (1ULL << PERF_REG_X86_R15))
    259    
    260     /*
    261     * Per register state.
    262     diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
    263     index 01874d54f4fd..482383c2b184 100644
    264     --- a/arch/x86/kernel/cpu/bugs.c
    265     +++ b/arch/x86/kernel/cpu/bugs.c
    266     @@ -275,7 +275,7 @@ static const struct {
    267     const char *option;
    268     enum spectre_v2_user_cmd cmd;
    269     bool secure;
    270     -} v2_user_options[] __initdata = {
    271     +} v2_user_options[] __initconst = {
    272     { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
    273     { "off", SPECTRE_V2_USER_CMD_NONE, false },
    274     { "on", SPECTRE_V2_USER_CMD_FORCE, true },
    275     @@ -419,7 +419,7 @@ static const struct {
    276     const char *option;
    277     enum spectre_v2_mitigation_cmd cmd;
    278     bool secure;
    279     -} mitigation_options[] __initdata = {
    280     +} mitigation_options[] __initconst = {
    281     { "off", SPECTRE_V2_CMD_NONE, false },
    282     { "on", SPECTRE_V2_CMD_FORCE, true },
    283     { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
    284     @@ -658,7 +658,7 @@ static const char * const ssb_strings[] = {
    285     static const struct {
    286     const char *option;
    287     enum ssb_mitigation_cmd cmd;
    288     -} ssb_mitigation_options[] __initdata = {
    289     +} ssb_mitigation_options[] __initconst = {
    290     { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
    291     { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
    292     { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
    293     diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
    294     index 4ba75afba527..f4b954ff5b89 100644
    295     --- a/arch/x86/kernel/kprobes/core.c
    296     +++ b/arch/x86/kernel/kprobes/core.c
    297     @@ -569,6 +569,7 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs)
    298     unsigned long *sara = stack_addr(regs);
    299    
    300     ri->ret_addr = (kprobe_opcode_t *) *sara;
    301     + ri->fp = sara;
    302    
    303     /* Replace the return addr with trampoline addr */
    304     *sara = (unsigned long) &kretprobe_trampoline;
    305     @@ -748,26 +749,48 @@ asm(
    306     NOKPROBE_SYMBOL(kretprobe_trampoline);
    307     STACK_FRAME_NON_STANDARD(kretprobe_trampoline);
    308    
    309     +static struct kprobe kretprobe_kprobe = {
    310     + .addr = (void *)kretprobe_trampoline,
    311     +};
    312     +
    313     /*
    314     * Called from kretprobe_trampoline
    315     */
    316     static __used void *trampoline_handler(struct pt_regs *regs)
    317     {
    318     + struct kprobe_ctlblk *kcb;
    319     struct kretprobe_instance *ri = NULL;
    320     struct hlist_head *head, empty_rp;
    321     struct hlist_node *tmp;
    322     unsigned long flags, orig_ret_address = 0;
    323     unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
    324     kprobe_opcode_t *correct_ret_addr = NULL;
    325     + void *frame_pointer;
    326     + bool skipped = false;
    327     +
    328     + preempt_disable();
    329     +
    330     + /*
    331     + * Set a dummy kprobe for avoiding kretprobe recursion.
    332     + * Since kretprobe never run in kprobe handler, kprobe must not
    333     + * be running at this point.
    334     + */
    335     + kcb = get_kprobe_ctlblk();
    336     + __this_cpu_write(current_kprobe, &kretprobe_kprobe);
    337     + kcb->kprobe_status = KPROBE_HIT_ACTIVE;
    338    
    339     INIT_HLIST_HEAD(&empty_rp);
    340     kretprobe_hash_lock(current, &head, &flags);
    341     /* fixup registers */
    342     #ifdef CONFIG_X86_64
    343     regs->cs = __KERNEL_CS;
    344     + /* On x86-64, we use pt_regs->sp for return address holder. */
    345     + frame_pointer = &regs->sp;
    346     #else
    347     regs->cs = __KERNEL_CS | get_kernel_rpl();
    348     regs->gs = 0;
    349     + /* On x86-32, we use pt_regs->flags for return address holder. */
    350     + frame_pointer = &regs->flags;
    351     #endif
    352     regs->ip = trampoline_address;
    353     regs->orig_ax = ~0UL;
    354     @@ -789,8 +812,25 @@ static __used void *trampoline_handler(struct pt_regs *regs)
    355     if (ri->task != current)
    356     /* another task is sharing our hash bucket */
    357     continue;
    358     + /*
    359     + * Return probes must be pushed on this hash list correct
    360     + * order (same as return order) so that it can be poped
    361     + * correctly. However, if we find it is pushed it incorrect
    362     + * order, this means we find a function which should not be
    363     + * probed, because the wrong order entry is pushed on the
    364     + * path of processing other kretprobe itself.
    365     + */
    366     + if (ri->fp != frame_pointer) {
    367     + if (!skipped)
    368     + pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n");
    369     + skipped = true;
    370     + continue;
    371     + }
    372    
    373     orig_ret_address = (unsigned long)ri->ret_addr;
    374     + if (skipped)
    375     + pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n",
    376     + ri->rp->kp.addr);
    377    
    378     if (orig_ret_address != trampoline_address)
    379     /*
    380     @@ -808,14 +848,15 @@ static __used void *trampoline_handler(struct pt_regs *regs)
    381     if (ri->task != current)
    382     /* another task is sharing our hash bucket */
    383     continue;
    384     + if (ri->fp != frame_pointer)
    385     + continue;
    386    
    387     orig_ret_address = (unsigned long)ri->ret_addr;
    388     if (ri->rp && ri->rp->handler) {
    389     __this_cpu_write(current_kprobe, &ri->rp->kp);
    390     - get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
    391     ri->ret_addr = correct_ret_addr;
    392     ri->rp->handler(ri, regs);
    393     - __this_cpu_write(current_kprobe, NULL);
    394     + __this_cpu_write(current_kprobe, &kretprobe_kprobe);
    395     }
    396    
    397     recycle_rp_inst(ri, &empty_rp);
    398     @@ -831,6 +872,9 @@ static __used void *trampoline_handler(struct pt_regs *regs)
    399    
    400     kretprobe_hash_unlock(current, &flags);
    401    
    402     + __this_cpu_write(current_kprobe, NULL);
    403     + preempt_enable();
    404     +
    405     hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
    406     hlist_del(&ri->hlist);
    407     kfree(ri);
    408     diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
    409     index 90ae0ca51083..9db049f06f2f 100644
    410     --- a/arch/x86/kernel/process.c
    411     +++ b/arch/x86/kernel/process.c
    412     @@ -414,6 +414,8 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp,
    413     u64 msr = x86_spec_ctrl_base;
    414     bool updmsr = false;
    415    
    416     + lockdep_assert_irqs_disabled();
    417     +
    418     /*
    419     * If TIF_SSBD is different, select the proper mitigation
    420     * method. Note that if SSBD mitigation is disabled or permanentely
    421     @@ -465,10 +467,12 @@ static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk)
    422    
    423     void speculation_ctrl_update(unsigned long tif)
    424     {
    425     + unsigned long flags;
    426     +
    427     /* Forced update. Make sure all relevant TIF flags are different */
    428     - preempt_disable();
    429     + local_irq_save(flags);
    430     __speculation_ctrl_update(~tif, tif);
    431     - preempt_enable();
    432     + local_irq_restore(flags);
    433     }
    434    
    435     /* Called from seccomp/prctl update */
    436     diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
    437     index c338984c850d..81be2165821f 100644
    438     --- a/arch/x86/kvm/emulate.c
    439     +++ b/arch/x86/kvm/emulate.c
    440     @@ -2575,15 +2575,13 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt)
    441     * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU
    442     * supports long mode.
    443     */
    444     - cr4 = ctxt->ops->get_cr(ctxt, 4);
    445     if (emulator_has_longmode(ctxt)) {
    446     struct desc_struct cs_desc;
    447    
    448     /* Zero CR4.PCIDE before CR0.PG. */
    449     - if (cr4 & X86_CR4_PCIDE) {
    450     + cr4 = ctxt->ops->get_cr(ctxt, 4);
    451     + if (cr4 & X86_CR4_PCIDE)
    452     ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE);
    453     - cr4 &= ~X86_CR4_PCIDE;
    454     - }
    455    
    456     /* A 32-bit code segment is required to clear EFER.LMA. */
    457     memset(&cs_desc, 0, sizeof(cs_desc));
    458     @@ -2597,13 +2595,16 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt)
    459     if (cr0 & X86_CR0_PE)
    460     ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE));
    461    
    462     - /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */
    463     - if (cr4 & X86_CR4_PAE)
    464     - ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
    465     + if (emulator_has_longmode(ctxt)) {
    466     + /* Clear CR4.PAE before clearing EFER.LME. */
    467     + cr4 = ctxt->ops->get_cr(ctxt, 4);
    468     + if (cr4 & X86_CR4_PAE)
    469     + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE);
    470    
    471     - /* And finally go back to 32-bit mode. */
    472     - efer = 0;
    473     - ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
    474     + /* And finally go back to 32-bit mode. */
    475     + efer = 0;
    476     + ctxt->ops->set_msr(ctxt, MSR_EFER, efer);
    477     + }
    478    
    479     smbase = ctxt->ops->get_smbase(ctxt);
    480    
    481     diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
    482     index a9b8e38d78ad..516c1de03d47 100644
    483     --- a/arch/x86/kvm/svm.c
    484     +++ b/arch/x86/kvm/svm.c
    485     @@ -2687,6 +2687,7 @@ static int npf_interception(struct vcpu_svm *svm)
    486     static int db_interception(struct vcpu_svm *svm)
    487     {
    488     struct kvm_run *kvm_run = svm->vcpu.run;
    489     + struct kvm_vcpu *vcpu = &svm->vcpu;
    490    
    491     if (!(svm->vcpu.guest_debug &
    492     (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) &&
    493     @@ -2697,6 +2698,8 @@ static int db_interception(struct vcpu_svm *svm)
    494    
    495     if (svm->nmi_singlestep) {
    496     disable_nmi_singlestep(svm);
    497     + /* Make sure we check for pending NMIs upon entry */
    498     + kvm_make_request(KVM_REQ_EVENT, vcpu);
    499     }
    500    
    501     if (svm->vcpu.guest_debug &
    502     @@ -4512,14 +4515,25 @@ static int avic_incomplete_ipi_interception(struct vcpu_svm *svm)
    503     kvm_lapic_reg_write(apic, APIC_ICR, icrl);
    504     break;
    505     case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: {
    506     + int i;
    507     + struct kvm_vcpu *vcpu;
    508     + struct kvm *kvm = svm->vcpu.kvm;
    509     struct kvm_lapic *apic = svm->vcpu.arch.apic;
    510    
    511     /*
    512     - * Update ICR high and low, then emulate sending IPI,
    513     - * which is handled when writing APIC_ICR.
    514     + * At this point, we expect that the AVIC HW has already
    515     + * set the appropriate IRR bits on the valid target
    516     + * vcpus. So, we just need to kick the appropriate vcpu.
    517     */
    518     - kvm_lapic_reg_write(apic, APIC_ICR2, icrh);
    519     - kvm_lapic_reg_write(apic, APIC_ICR, icrl);
    520     + kvm_for_each_vcpu(i, vcpu, kvm) {
    521     + bool m = kvm_apic_match_dest(vcpu, apic,
    522     + icrl & KVM_APIC_SHORT_MASK,
    523     + GET_APIC_DEST_FIELD(icrh),
    524     + icrl & KVM_APIC_DEST_MASK);
    525     +
    526     + if (m && !avic_vcpu_is_running(vcpu))
    527     + kvm_vcpu_wake_up(vcpu);
    528     + }
    529     break;
    530     }
    531     case AVIC_IPI_FAILURE_INVALID_TARGET:
    532     @@ -5620,6 +5634,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
    533     svm->vmcb->save.cr2 = vcpu->arch.cr2;
    534    
    535     clgi();
    536     + kvm_load_guest_xcr0(vcpu);
    537    
    538     /*
    539     * If this vCPU has touched SPEC_CTRL, restore the guest's value if
    540     @@ -5765,6 +5780,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
    541     if (unlikely(svm->vmcb->control.exit_code == SVM_EXIT_NMI))
    542     kvm_before_interrupt(&svm->vcpu);
    543    
    544     + kvm_put_guest_xcr0(vcpu);
    545     stgi();
    546    
    547     /* Any pending NMI will happen here */
    548     diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
    549     index a0a770816429..34499081022c 100644
    550     --- a/arch/x86/kvm/vmx/vmx.c
    551     +++ b/arch/x86/kvm/vmx/vmx.c
    552     @@ -6548,6 +6548,8 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu)
    553     if (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)
    554     vmx_set_interrupt_shadow(vcpu, 0);
    555    
    556     + kvm_load_guest_xcr0(vcpu);
    557     +
    558     if (static_cpu_has(X86_FEATURE_PKU) &&
    559     kvm_read_cr4_bits(vcpu, X86_CR4_PKE) &&
    560     vcpu->arch.pkru != vmx->host_pkru)
    561     @@ -6635,6 +6637,8 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu)
    562     __write_pkru(vmx->host_pkru);
    563     }
    564    
    565     + kvm_put_guest_xcr0(vcpu);
    566     +
    567     vmx->nested.nested_run_pending = 0;
    568     vmx->idt_vectoring_info = 0;
    569    
    570     diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
    571     index 7ee802a92bc8..2db58067bb59 100644
    572     --- a/arch/x86/kvm/x86.c
    573     +++ b/arch/x86/kvm/x86.c
    574     @@ -800,7 +800,7 @@ void kvm_lmsw(struct kvm_vcpu *vcpu, unsigned long msw)
    575     }
    576     EXPORT_SYMBOL_GPL(kvm_lmsw);
    577    
    578     -static void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu)
    579     +void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu)
    580     {
    581     if (kvm_read_cr4_bits(vcpu, X86_CR4_OSXSAVE) &&
    582     !vcpu->guest_xcr0_loaded) {
    583     @@ -810,8 +810,9 @@ static void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu)
    584     vcpu->guest_xcr0_loaded = 1;
    585     }
    586     }
    587     +EXPORT_SYMBOL_GPL(kvm_load_guest_xcr0);
    588    
    589     -static void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu)
    590     +void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu)
    591     {
    592     if (vcpu->guest_xcr0_loaded) {
    593     if (vcpu->arch.xcr0 != host_xcr0)
    594     @@ -819,6 +820,7 @@ static void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu)
    595     vcpu->guest_xcr0_loaded = 0;
    596     }
    597     }
    598     +EXPORT_SYMBOL_GPL(kvm_put_guest_xcr0);
    599    
    600     static int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr)
    601     {
    602     @@ -7856,8 +7858,6 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
    603     goto cancel_injection;
    604     }
    605    
    606     - kvm_load_guest_xcr0(vcpu);
    607     -
    608     if (req_immediate_exit) {
    609     kvm_make_request(KVM_REQ_EVENT, vcpu);
    610     kvm_x86_ops->request_immediate_exit(vcpu);
    611     @@ -7910,8 +7910,6 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
    612     vcpu->mode = OUTSIDE_GUEST_MODE;
    613     smp_wmb();
    614    
    615     - kvm_put_guest_xcr0(vcpu);
    616     -
    617     kvm_before_interrupt(vcpu);
    618     kvm_x86_ops->handle_external_intr(vcpu);
    619     kvm_after_interrupt(vcpu);
    620     diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
    621     index 20ede17202bf..de3d46769ee3 100644
    622     --- a/arch/x86/kvm/x86.h
    623     +++ b/arch/x86/kvm/x86.h
    624     @@ -347,4 +347,6 @@ static inline void kvm_after_interrupt(struct kvm_vcpu *vcpu)
    625     __this_cpu_write(current_vcpu, NULL);
    626     }
    627    
    628     +void kvm_load_guest_xcr0(struct kvm_vcpu *vcpu);
    629     +void kvm_put_guest_xcr0(struct kvm_vcpu *vcpu);
    630     #endif
    631     diff --git a/crypto/testmgr.h b/crypto/testmgr.h
    632     index ca8e8ebef309..db496aa360a3 100644
    633     --- a/crypto/testmgr.h
    634     +++ b/crypto/testmgr.h
    635     @@ -5706,7 +5706,49 @@ static const struct hash_testvec poly1305_tv_template[] = {
    636     .psize = 80,
    637     .digest = "\x13\x00\x00\x00\x00\x00\x00\x00"
    638     "\x00\x00\x00\x00\x00\x00\x00\x00",
    639     - },
    640     + }, { /* Regression test for overflow in AVX2 implementation */
    641     + .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff"
    642     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    643     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    644     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    645     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    646     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    647     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    648     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    649     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    650     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    651     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    652     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    653     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    654     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    655     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    656     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    657     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    658     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    659     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    660     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    661     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    662     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    663     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    664     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    665     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    666     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    667     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    668     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    669     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    670     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    671     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    672     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    673     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    674     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    675     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    676     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    677     + "\xff\xff\xff\xff\xff\xff\xff\xff"
    678     + "\xff\xff\xff\xff",
    679     + .psize = 300,
    680     + .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8"
    681     + "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1",
    682     + }
    683     };
    684    
    685     /* NHPoly1305 test vectors from https://github.com/google/adiantum */
    686     diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
    687     index f75f8f870ce3..4be4dc3e8aa6 100644
    688     --- a/drivers/acpi/nfit/core.c
    689     +++ b/drivers/acpi/nfit/core.c
    690     @@ -1319,19 +1319,30 @@ static ssize_t scrub_show(struct device *dev,
    691     struct device_attribute *attr, char *buf)
    692     {
    693     struct nvdimm_bus_descriptor *nd_desc;
    694     + struct acpi_nfit_desc *acpi_desc;
    695     ssize_t rc = -ENXIO;
    696     + bool busy;
    697    
    698     device_lock(dev);
    699     nd_desc = dev_get_drvdata(dev);
    700     - if (nd_desc) {
    701     - struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc);
    702     + if (!nd_desc) {
    703     + device_unlock(dev);
    704     + return rc;
    705     + }
    706     + acpi_desc = to_acpi_desc(nd_desc);
    707    
    708     - mutex_lock(&acpi_desc->init_mutex);
    709     - rc = sprintf(buf, "%d%s", acpi_desc->scrub_count,
    710     - acpi_desc->scrub_busy
    711     - && !acpi_desc->cancel ? "+\n" : "\n");
    712     - mutex_unlock(&acpi_desc->init_mutex);
    713     + mutex_lock(&acpi_desc->init_mutex);
    714     + busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags)
    715     + && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
    716     + rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n");
    717     + /* Allow an admin to poll the busy state at a higher rate */
    718     + if (busy && capable(CAP_SYS_RAWIO) && !test_and_set_bit(ARS_POLL,
    719     + &acpi_desc->scrub_flags)) {
    720     + acpi_desc->scrub_tmo = 1;
    721     + mod_delayed_work(nfit_wq, &acpi_desc->dwork, HZ);
    722     }
    723     +
    724     + mutex_unlock(&acpi_desc->init_mutex);
    725     device_unlock(dev);
    726     return rc;
    727     }
    728     @@ -2650,7 +2661,10 @@ static int ars_start(struct acpi_nfit_desc *acpi_desc,
    729    
    730     if (rc < 0)
    731     return rc;
    732     - return cmd_rc;
    733     + if (cmd_rc < 0)
    734     + return cmd_rc;
    735     + set_bit(ARS_VALID, &acpi_desc->scrub_flags);
    736     + return 0;
    737     }
    738    
    739     static int ars_continue(struct acpi_nfit_desc *acpi_desc)
    740     @@ -2660,11 +2674,11 @@ static int ars_continue(struct acpi_nfit_desc *acpi_desc)
    741     struct nvdimm_bus_descriptor *nd_desc = &acpi_desc->nd_desc;
    742     struct nd_cmd_ars_status *ars_status = acpi_desc->ars_status;
    743    
    744     - memset(&ars_start, 0, sizeof(ars_start));
    745     - ars_start.address = ars_status->restart_address;
    746     - ars_start.length = ars_status->restart_length;
    747     - ars_start.type = ars_status->type;
    748     - ars_start.flags = acpi_desc->ars_start_flags;
    749     + ars_start = (struct nd_cmd_ars_start) {
    750     + .address = ars_status->restart_address,
    751     + .length = ars_status->restart_length,
    752     + .type = ars_status->type,
    753     + };
    754     rc = nd_desc->ndctl(nd_desc, NULL, ND_CMD_ARS_START, &ars_start,
    755     sizeof(ars_start), &cmd_rc);
    756     if (rc < 0)
    757     @@ -2743,6 +2757,17 @@ static int ars_status_process_records(struct acpi_nfit_desc *acpi_desc)
    758     */
    759     if (ars_status->out_length < 44)
    760     return 0;
    761     +
    762     + /*
    763     + * Ignore potentially stale results that are only refreshed
    764     + * after a start-ARS event.
    765     + */
    766     + if (!test_and_clear_bit(ARS_VALID, &acpi_desc->scrub_flags)) {
    767     + dev_dbg(acpi_desc->dev, "skip %d stale records\n",
    768     + ars_status->num_records);
    769     + return 0;
    770     + }
    771     +
    772     for (i = 0; i < ars_status->num_records; i++) {
    773     /* only process full records */
    774     if (ars_status->out_length
    775     @@ -3081,7 +3106,7 @@ static unsigned int __acpi_nfit_scrub(struct acpi_nfit_desc *acpi_desc,
    776    
    777     lockdep_assert_held(&acpi_desc->init_mutex);
    778    
    779     - if (acpi_desc->cancel)
    780     + if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags))
    781     return 0;
    782    
    783     if (query_rc == -EBUSY) {
    784     @@ -3155,7 +3180,7 @@ static void __sched_ars(struct acpi_nfit_desc *acpi_desc, unsigned int tmo)
    785     {
    786     lockdep_assert_held(&acpi_desc->init_mutex);
    787    
    788     - acpi_desc->scrub_busy = 1;
    789     + set_bit(ARS_BUSY, &acpi_desc->scrub_flags);
    790     /* note this should only be set from within the workqueue */
    791     if (tmo)
    792     acpi_desc->scrub_tmo = tmo;
    793     @@ -3171,7 +3196,7 @@ static void notify_ars_done(struct acpi_nfit_desc *acpi_desc)
    794     {
    795     lockdep_assert_held(&acpi_desc->init_mutex);
    796    
    797     - acpi_desc->scrub_busy = 0;
    798     + clear_bit(ARS_BUSY, &acpi_desc->scrub_flags);
    799     acpi_desc->scrub_count++;
    800     if (acpi_desc->scrub_count_state)
    801     sysfs_notify_dirent(acpi_desc->scrub_count_state);
    802     @@ -3192,6 +3217,7 @@ static void acpi_nfit_scrub(struct work_struct *work)
    803     else
    804     notify_ars_done(acpi_desc);
    805     memset(acpi_desc->ars_status, 0, acpi_desc->max_ars);
    806     + clear_bit(ARS_POLL, &acpi_desc->scrub_flags);
    807     mutex_unlock(&acpi_desc->init_mutex);
    808     }
    809    
    810     @@ -3226,6 +3252,7 @@ static int acpi_nfit_register_regions(struct acpi_nfit_desc *acpi_desc)
    811     struct nfit_spa *nfit_spa;
    812     int rc;
    813    
    814     + set_bit(ARS_VALID, &acpi_desc->scrub_flags);
    815     list_for_each_entry(nfit_spa, &acpi_desc->spas, list) {
    816     switch (nfit_spa_type(nfit_spa->spa)) {
    817     case NFIT_SPA_VOLATILE:
    818     @@ -3460,7 +3487,7 @@ int acpi_nfit_ars_rescan(struct acpi_nfit_desc *acpi_desc,
    819     struct nfit_spa *nfit_spa;
    820    
    821     mutex_lock(&acpi_desc->init_mutex);
    822     - if (acpi_desc->cancel) {
    823     + if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) {
    824     mutex_unlock(&acpi_desc->init_mutex);
    825     return 0;
    826     }
    827     @@ -3539,7 +3566,7 @@ void acpi_nfit_shutdown(void *data)
    828     mutex_unlock(&acpi_desc_lock);
    829    
    830     mutex_lock(&acpi_desc->init_mutex);
    831     - acpi_desc->cancel = 1;
    832     + set_bit(ARS_CANCEL, &acpi_desc->scrub_flags);
    833     cancel_delayed_work_sync(&acpi_desc->dwork);
    834     mutex_unlock(&acpi_desc->init_mutex);
    835    
    836     diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h
    837     index 33691aecfcee..0cbe5009eb2c 100644
    838     --- a/drivers/acpi/nfit/nfit.h
    839     +++ b/drivers/acpi/nfit/nfit.h
    840     @@ -210,6 +210,13 @@ struct nfit_mem {
    841     int family;
    842     };
    843    
    844     +enum scrub_flags {
    845     + ARS_BUSY,
    846     + ARS_CANCEL,
    847     + ARS_VALID,
    848     + ARS_POLL,
    849     +};
    850     +
    851     struct acpi_nfit_desc {
    852     struct nvdimm_bus_descriptor nd_desc;
    853     struct acpi_table_header acpi_header;
    854     @@ -223,7 +230,6 @@ struct acpi_nfit_desc {
    855     struct list_head idts;
    856     struct nvdimm_bus *nvdimm_bus;
    857     struct device *dev;
    858     - u8 ars_start_flags;
    859     struct nd_cmd_ars_status *ars_status;
    860     struct nfit_spa *scrub_spa;
    861     struct delayed_work dwork;
    862     @@ -232,8 +238,7 @@ struct acpi_nfit_desc {
    863     unsigned int max_ars;
    864     unsigned int scrub_count;
    865     unsigned int scrub_mode;
    866     - unsigned int scrub_busy:1;
    867     - unsigned int cancel:1;
    868     + unsigned long scrub_flags;
    869     unsigned long dimm_cmd_force_en;
    870     unsigned long bus_cmd_force_en;
    871     unsigned long bus_nfit_cmd_force_en;
    872     diff --git a/drivers/base/memory.c b/drivers/base/memory.c
    873     index 048cbf7d5233..23125f276ff1 100644
    874     --- a/drivers/base/memory.c
    875     +++ b/drivers/base/memory.c
    876     @@ -505,7 +505,7 @@ static ssize_t probe_store(struct device *dev, struct device_attribute *attr,
    877    
    878     ret = lock_device_hotplug_sysfs();
    879     if (ret)
    880     - goto out;
    881     + return ret;
    882    
    883     nid = memory_add_physaddr_to_nid(phys_addr);
    884     ret = __add_memory(nid, phys_addr,
    885     diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
    886     index c518659b4d9f..ff9dd9adf803 100644
    887     --- a/drivers/char/ipmi/ipmi_msghandler.c
    888     +++ b/drivers/char/ipmi/ipmi_msghandler.c
    889     @@ -214,6 +214,9 @@ struct ipmi_user {
    890    
    891     /* Does this interface receive IPMI events? */
    892     bool gets_events;
    893     +
    894     + /* Free must run in process context for RCU cleanup. */
    895     + struct work_struct remove_work;
    896     };
    897    
    898     static struct ipmi_user *acquire_ipmi_user(struct ipmi_user *user, int *index)
    899     @@ -1079,6 +1082,15 @@ static int intf_err_seq(struct ipmi_smi *intf,
    900     }
    901    
    902    
    903     +static void free_user_work(struct work_struct *work)
    904     +{
    905     + struct ipmi_user *user = container_of(work, struct ipmi_user,
    906     + remove_work);
    907     +
    908     + cleanup_srcu_struct(&user->release_barrier);
    909     + kfree(user);
    910     +}
    911     +
    912     int ipmi_create_user(unsigned int if_num,
    913     const struct ipmi_user_hndl *handler,
    914     void *handler_data,
    915     @@ -1122,6 +1134,8 @@ int ipmi_create_user(unsigned int if_num,
    916     goto out_kfree;
    917    
    918     found:
    919     + INIT_WORK(&new_user->remove_work, free_user_work);
    920     +
    921     rv = init_srcu_struct(&new_user->release_barrier);
    922     if (rv)
    923     goto out_kfree;
    924     @@ -1184,8 +1198,9 @@ EXPORT_SYMBOL(ipmi_get_smi_info);
    925     static void free_user(struct kref *ref)
    926     {
    927     struct ipmi_user *user = container_of(ref, struct ipmi_user, refcount);
    928     - cleanup_srcu_struct(&user->release_barrier);
    929     - kfree(user);
    930     +
    931     + /* SRCU cleanup must happen in task context. */
    932     + schedule_work(&user->remove_work);
    933     }
    934    
    935     static void _ipmi_destroy_user(struct ipmi_user *user)
    936     diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c
    937     index 1b8fa9de2cac..41b9f6c92da7 100644
    938     --- a/drivers/char/tpm/eventlog/tpm2.c
    939     +++ b/drivers/char/tpm/eventlog/tpm2.c
    940     @@ -37,8 +37,8 @@
    941     *
    942     * Returns size of the event. If it is an invalid event, returns 0.
    943     */
    944     -static int calc_tpm2_event_size(struct tcg_pcr_event2 *event,
    945     - struct tcg_pcr_event *event_header)
    946     +static size_t calc_tpm2_event_size(struct tcg_pcr_event2 *event,
    947     + struct tcg_pcr_event *event_header)
    948     {
    949     struct tcg_efi_specid_event *efispecid;
    950     struct tcg_event_field *event_field;
    951     diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c
    952     index 5eecad233ea1..744b0237300a 100644
    953     --- a/drivers/char/tpm/tpm-dev-common.c
    954     +++ b/drivers/char/tpm/tpm-dev-common.c
    955     @@ -203,12 +203,19 @@ __poll_t tpm_common_poll(struct file *file, poll_table *wait)
    956     __poll_t mask = 0;
    957    
    958     poll_wait(file, &priv->async_wait, wait);
    959     + mutex_lock(&priv->buffer_mutex);
    960    
    961     - if (!priv->response_read || priv->response_length)
    962     + /*
    963     + * The response_length indicates if there is still response
    964     + * (or part of it) to be consumed. Partial reads decrease it
    965     + * by the number of bytes read, and write resets it the zero.
    966     + */
    967     + if (priv->response_length)
    968     mask = EPOLLIN | EPOLLRDNORM;
    969     else
    970     mask = EPOLLOUT | EPOLLWRNORM;
    971    
    972     + mutex_unlock(&priv->buffer_mutex);
    973     return mask;
    974     }
    975    
    976     diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c
    977     index 32a8e27c5382..cc4e642d3180 100644
    978     --- a/drivers/char/tpm/tpm_i2c_atmel.c
    979     +++ b/drivers/char/tpm/tpm_i2c_atmel.c
    980     @@ -69,6 +69,10 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t len)
    981     if (status < 0)
    982     return status;
    983    
    984     + /* The upper layer does not support incomplete sends. */
    985     + if (status != len)
    986     + return -E2BIG;
    987     +
    988     return 0;
    989     }
    990    
    991     diff --git a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
    992     index d0d966d6080a..1696644ec022 100644
    993     --- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
    994     +++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
    995     @@ -182,6 +182,7 @@ static void mmhub_v1_0_init_cache_regs(struct amdgpu_device *adev)
    996     tmp = REG_SET_FIELD(tmp, VM_L2_CNTL3,
    997     L2_CACHE_BIGK_FRAGMENT_SIZE, 6);
    998     }
    999     + WREG32_SOC15(MMHUB, 0, mmVM_L2_CNTL3, tmp);
    1000    
    1001     tmp = mmVM_L2_CNTL4_DEFAULT;
    1002     tmp = REG_SET_FIELD(tmp, VM_L2_CNTL4, VMC_TAP_PDE_REQUEST_PHYSICAL, 0);
    1003     diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
    1004     index f841accc2c00..f77c81db161b 100644
    1005     --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
    1006     +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
    1007     @@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
    1008     }
    1009    
    1010     #ifdef CONFIG_TRANSPARENT_HUGEPAGE
    1011     - if (!(flags & TTM_PAGE_FLAG_DMA32)) {
    1012     + if (!(flags & TTM_PAGE_FLAG_DMA32) &&
    1013     + (npages - i) >= HPAGE_PMD_NR) {
    1014     for (j = 0; j < HPAGE_PMD_NR; ++j)
    1015     if (p++ != pages[i + j])
    1016     break;
    1017     @@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
    1018     unsigned max_size, n2free;
    1019    
    1020     spin_lock_irqsave(&huge->lock, irq_flags);
    1021     - while (i < npages) {
    1022     + while ((npages - i) >= HPAGE_PMD_NR) {
    1023     struct page *p = pages[i];
    1024     unsigned j;
    1025    
    1026     diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
    1027     index 2dc628d4f1ae..1412abcff010 100644
    1028     --- a/drivers/i3c/master.c
    1029     +++ b/drivers/i3c/master.c
    1030     @@ -1980,7 +1980,6 @@ of_i3c_master_add_i3c_boardinfo(struct i3c_master_controller *master,
    1031     {
    1032     struct i3c_dev_boardinfo *boardinfo;
    1033     struct device *dev = &master->dev;
    1034     - struct i3c_device_info info = { };
    1035     enum i3c_addr_slot_status addrstatus;
    1036     u32 init_dyn_addr = 0;
    1037    
    1038     @@ -2012,8 +2011,8 @@ of_i3c_master_add_i3c_boardinfo(struct i3c_master_controller *master,
    1039    
    1040     boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
    1041    
    1042     - if ((info.pid & GENMASK_ULL(63, 48)) ||
    1043     - I3C_PID_RND_LOWER_32BITS(info.pid))
    1044     + if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
    1045     + I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
    1046     return -EINVAL;
    1047    
    1048     boardinfo->init_dyn_addr = init_dyn_addr;
    1049     diff --git a/drivers/i3c/master/dw-i3c-master.c b/drivers/i3c/master/dw-i3c-master.c
    1050     index bb03079fbade..ec385fbfef4c 100644
    1051     --- a/drivers/i3c/master/dw-i3c-master.c
    1052     +++ b/drivers/i3c/master/dw-i3c-master.c
    1053     @@ -300,7 +300,7 @@ to_dw_i3c_master(struct i3c_master_controller *master)
    1054    
    1055     static void dw_i3c_master_disable(struct dw_i3c_master *master)
    1056     {
    1057     - writel(readl(master->regs + DEVICE_CTRL) & DEV_CTRL_ENABLE,
    1058     + writel(readl(master->regs + DEVICE_CTRL) & ~DEV_CTRL_ENABLE,
    1059     master->regs + DEVICE_CTRL);
    1060     }
    1061    
    1062     diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c
    1063     index 7096e577b23f..50f3ff386bea 100644
    1064     --- a/drivers/iio/accel/kxcjk-1013.c
    1065     +++ b/drivers/iio/accel/kxcjk-1013.c
    1066     @@ -1437,6 +1437,8 @@ static int kxcjk1013_resume(struct device *dev)
    1067    
    1068     mutex_lock(&data->mutex);
    1069     ret = kxcjk1013_set_mode(data, OPERATION);
    1070     + if (ret == 0)
    1071     + ret = kxcjk1013_set_range(data, data->range);
    1072     mutex_unlock(&data->mutex);
    1073    
    1074     return ret;
    1075     diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
    1076     index ff5f2da2e1b1..54d9978b2740 100644
    1077     --- a/drivers/iio/adc/ad_sigma_delta.c
    1078     +++ b/drivers/iio/adc/ad_sigma_delta.c
    1079     @@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta,
    1080     if (sigma_delta->info->has_registers) {
    1081     data[0] = reg << sigma_delta->info->addr_shift;
    1082     data[0] |= sigma_delta->info->read_mask;
    1083     + data[0] |= sigma_delta->comm;
    1084     spi_message_add_tail(&t[0], &m);
    1085     }
    1086     spi_message_add_tail(&t[1], &m);
    1087     diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c
    1088     index 75d2f73582a3..596841a3c4db 100644
    1089     --- a/drivers/iio/adc/at91_adc.c
    1090     +++ b/drivers/iio/adc/at91_adc.c
    1091     @@ -704,23 +704,29 @@ static int at91_adc_read_raw(struct iio_dev *idev,
    1092     ret = wait_event_interruptible_timeout(st->wq_data_avail,
    1093     st->done,
    1094     msecs_to_jiffies(1000));
    1095     - if (ret == 0)
    1096     - ret = -ETIMEDOUT;
    1097     - if (ret < 0) {
    1098     - mutex_unlock(&st->lock);
    1099     - return ret;
    1100     - }
    1101     -
    1102     - *val = st->last_value;
    1103    
    1104     + /* Disable interrupts, regardless if adc conversion was
    1105     + * successful or not
    1106     + */
    1107     at91_adc_writel(st, AT91_ADC_CHDR,
    1108     AT91_ADC_CH(chan->channel));
    1109     at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel));
    1110    
    1111     - st->last_value = 0;
    1112     - st->done = false;
    1113     + if (ret > 0) {
    1114     + /* a valid conversion took place */
    1115     + *val = st->last_value;
    1116     + st->last_value = 0;
    1117     + st->done = false;
    1118     + ret = IIO_VAL_INT;
    1119     + } else if (ret == 0) {
    1120     + /* conversion timeout */
    1121     + dev_err(&idev->dev, "ADC Channel %d timeout.\n",
    1122     + chan->channel);
    1123     + ret = -ETIMEDOUT;
    1124     + }
    1125     +
    1126     mutex_unlock(&st->lock);
    1127     - return IIO_VAL_INT;
    1128     + return ret;
    1129    
    1130     case IIO_CHAN_INFO_SCALE:
    1131     *val = st->vref_mv;
    1132     diff --git a/drivers/iio/chemical/bme680.h b/drivers/iio/chemical/bme680.h
    1133     index 0ae89b87e2d6..4edc5d21cb9f 100644
    1134     --- a/drivers/iio/chemical/bme680.h
    1135     +++ b/drivers/iio/chemical/bme680.h
    1136     @@ -2,11 +2,9 @@
    1137     #ifndef BME680_H_
    1138     #define BME680_H_
    1139    
    1140     -#define BME680_REG_CHIP_I2C_ID 0xD0
    1141     -#define BME680_REG_CHIP_SPI_ID 0x50
    1142     +#define BME680_REG_CHIP_ID 0xD0
    1143     #define BME680_CHIP_ID_VAL 0x61
    1144     -#define BME680_REG_SOFT_RESET_I2C 0xE0
    1145     -#define BME680_REG_SOFT_RESET_SPI 0x60
    1146     +#define BME680_REG_SOFT_RESET 0xE0
    1147     #define BME680_CMD_SOFTRESET 0xB6
    1148     #define BME680_REG_STATUS 0x73
    1149     #define BME680_SPI_MEM_PAGE_BIT BIT(4)
    1150     diff --git a/drivers/iio/chemical/bme680_core.c b/drivers/iio/chemical/bme680_core.c
    1151     index 70c1fe4366f4..ccde4c65ff93 100644
    1152     --- a/drivers/iio/chemical/bme680_core.c
    1153     +++ b/drivers/iio/chemical/bme680_core.c
    1154     @@ -63,9 +63,23 @@ struct bme680_data {
    1155     s32 t_fine;
    1156     };
    1157    
    1158     +static const struct regmap_range bme680_volatile_ranges[] = {
    1159     + regmap_reg_range(BME680_REG_MEAS_STAT_0, BME680_REG_GAS_R_LSB),
    1160     + regmap_reg_range(BME680_REG_STATUS, BME680_REG_STATUS),
    1161     + regmap_reg_range(BME680_T2_LSB_REG, BME680_GH3_REG),
    1162     +};
    1163     +
    1164     +static const struct regmap_access_table bme680_volatile_table = {
    1165     + .yes_ranges = bme680_volatile_ranges,
    1166     + .n_yes_ranges = ARRAY_SIZE(bme680_volatile_ranges),
    1167     +};
    1168     +
    1169     const struct regmap_config bme680_regmap_config = {
    1170     .reg_bits = 8,
    1171     .val_bits = 8,
    1172     + .max_register = 0xef,
    1173     + .volatile_table = &bme680_volatile_table,
    1174     + .cache_type = REGCACHE_RBTREE,
    1175     };
    1176     EXPORT_SYMBOL(bme680_regmap_config);
    1177    
    1178     @@ -316,6 +330,10 @@ static s16 bme680_compensate_temp(struct bme680_data *data,
    1179     s64 var1, var2, var3;
    1180     s16 calc_temp;
    1181    
    1182     + /* If the calibration is invalid, attempt to reload it */
    1183     + if (!calib->par_t2)
    1184     + bme680_read_calib(data, calib);
    1185     +
    1186     var1 = (adc_temp >> 3) - (calib->par_t1 << 1);
    1187     var2 = (var1 * calib->par_t2) >> 11;
    1188     var3 = ((var1 >> 1) * (var1 >> 1)) >> 12;
    1189     @@ -583,8 +601,7 @@ static int bme680_gas_config(struct bme680_data *data)
    1190     return ret;
    1191     }
    1192    
    1193     -static int bme680_read_temp(struct bme680_data *data,
    1194     - int *val, int *val2)
    1195     +static int bme680_read_temp(struct bme680_data *data, int *val)
    1196     {
    1197     struct device *dev = regmap_get_device(data->regmap);
    1198     int ret;
    1199     @@ -617,10 +634,9 @@ static int bme680_read_temp(struct bme680_data *data,
    1200     * compensate_press/compensate_humid to get compensated
    1201     * pressure/humidity readings.
    1202     */
    1203     - if (val && val2) {
    1204     - *val = comp_temp;
    1205     - *val2 = 100;
    1206     - return IIO_VAL_FRACTIONAL;
    1207     + if (val) {
    1208     + *val = comp_temp * 10; /* Centidegrees to millidegrees */
    1209     + return IIO_VAL_INT;
    1210     }
    1211    
    1212     return ret;
    1213     @@ -635,7 +651,7 @@ static int bme680_read_press(struct bme680_data *data,
    1214     s32 adc_press;
    1215    
    1216     /* Read and compensate temperature to get a reading of t_fine */
    1217     - ret = bme680_read_temp(data, NULL, NULL);
    1218     + ret = bme680_read_temp(data, NULL);
    1219     if (ret < 0)
    1220     return ret;
    1221    
    1222     @@ -668,7 +684,7 @@ static int bme680_read_humid(struct bme680_data *data,
    1223     u32 comp_humidity;
    1224    
    1225     /* Read and compensate temperature to get a reading of t_fine */
    1226     - ret = bme680_read_temp(data, NULL, NULL);
    1227     + ret = bme680_read_temp(data, NULL);
    1228     if (ret < 0)
    1229     return ret;
    1230    
    1231     @@ -761,7 +777,7 @@ static int bme680_read_raw(struct iio_dev *indio_dev,
    1232     case IIO_CHAN_INFO_PROCESSED:
    1233     switch (chan->type) {
    1234     case IIO_TEMP:
    1235     - return bme680_read_temp(data, val, val2);
    1236     + return bme680_read_temp(data, val);
    1237     case IIO_PRESSURE:
    1238     return bme680_read_press(data, val, val2);
    1239     case IIO_HUMIDITYRELATIVE:
    1240     @@ -867,8 +883,28 @@ int bme680_core_probe(struct device *dev, struct regmap *regmap,
    1241     {
    1242     struct iio_dev *indio_dev;
    1243     struct bme680_data *data;
    1244     + unsigned int val;
    1245     int ret;
    1246    
    1247     + ret = regmap_write(regmap, BME680_REG_SOFT_RESET,
    1248     + BME680_CMD_SOFTRESET);
    1249     + if (ret < 0) {
    1250     + dev_err(dev, "Failed to reset chip\n");
    1251     + return ret;
    1252     + }
    1253     +
    1254     + ret = regmap_read(regmap, BME680_REG_CHIP_ID, &val);
    1255     + if (ret < 0) {
    1256     + dev_err(dev, "Error reading chip ID\n");
    1257     + return ret;
    1258     + }
    1259     +
    1260     + if (val != BME680_CHIP_ID_VAL) {
    1261     + dev_err(dev, "Wrong chip ID, got %x expected %x\n",
    1262     + val, BME680_CHIP_ID_VAL);
    1263     + return -ENODEV;
    1264     + }
    1265     +
    1266     indio_dev = devm_iio_device_alloc(dev, sizeof(*data));
    1267     if (!indio_dev)
    1268     return -ENOMEM;
    1269     diff --git a/drivers/iio/chemical/bme680_i2c.c b/drivers/iio/chemical/bme680_i2c.c
    1270     index 06d4be539d2e..cfc4449edf1b 100644
    1271     --- a/drivers/iio/chemical/bme680_i2c.c
    1272     +++ b/drivers/iio/chemical/bme680_i2c.c
    1273     @@ -23,8 +23,6 @@ static int bme680_i2c_probe(struct i2c_client *client,
    1274     {
    1275     struct regmap *regmap;
    1276     const char *name = NULL;
    1277     - unsigned int val;
    1278     - int ret;
    1279    
    1280     regmap = devm_regmap_init_i2c(client, &bme680_regmap_config);
    1281     if (IS_ERR(regmap)) {
    1282     @@ -33,25 +31,6 @@ static int bme680_i2c_probe(struct i2c_client *client,
    1283     return PTR_ERR(regmap);
    1284     }
    1285    
    1286     - ret = regmap_write(regmap, BME680_REG_SOFT_RESET_I2C,
    1287     - BME680_CMD_SOFTRESET);
    1288     - if (ret < 0) {
    1289     - dev_err(&client->dev, "Failed to reset chip\n");
    1290     - return ret;
    1291     - }
    1292     -
    1293     - ret = regmap_read(regmap, BME680_REG_CHIP_I2C_ID, &val);
    1294     - if (ret < 0) {
    1295     - dev_err(&client->dev, "Error reading I2C chip ID\n");
    1296     - return ret;
    1297     - }
    1298     -
    1299     - if (val != BME680_CHIP_ID_VAL) {
    1300     - dev_err(&client->dev, "Wrong chip ID, got %x expected %x\n",
    1301     - val, BME680_CHIP_ID_VAL);
    1302     - return -ENODEV;
    1303     - }
    1304     -
    1305     if (id)
    1306     name = id->name;
    1307    
    1308     diff --git a/drivers/iio/chemical/bme680_spi.c b/drivers/iio/chemical/bme680_spi.c
    1309     index c9fb05e8d0b9..881778e55d38 100644
    1310     --- a/drivers/iio/chemical/bme680_spi.c
    1311     +++ b/drivers/iio/chemical/bme680_spi.c
    1312     @@ -11,28 +11,93 @@
    1313    
    1314     #include "bme680.h"
    1315    
    1316     +struct bme680_spi_bus_context {
    1317     + struct spi_device *spi;
    1318     + u8 current_page;
    1319     +};
    1320     +
    1321     +/*
    1322     + * In SPI mode there are only 7 address bits, a "page" register determines
    1323     + * which part of the 8-bit range is active. This function looks at the address
    1324     + * and writes the page selection bit if needed
    1325     + */
    1326     +static int bme680_regmap_spi_select_page(
    1327     + struct bme680_spi_bus_context *ctx, u8 reg)
    1328     +{
    1329     + struct spi_device *spi = ctx->spi;
    1330     + int ret;
    1331     + u8 buf[2];
    1332     + u8 page = (reg & 0x80) ? 0 : 1; /* Page "1" is low range */
    1333     +
    1334     + if (page == ctx->current_page)
    1335     + return 0;
    1336     +
    1337     + /*
    1338     + * Data sheet claims we're only allowed to change bit 4, so we must do
    1339     + * a read-modify-write on each and every page select
    1340     + */
    1341     + buf[0] = BME680_REG_STATUS;
    1342     + ret = spi_write_then_read(spi, buf, 1, buf + 1, 1);
    1343     + if (ret < 0) {
    1344     + dev_err(&spi->dev, "failed to set page %u\n", page);
    1345     + return ret;
    1346     + }
    1347     +
    1348     + buf[0] = BME680_REG_STATUS;
    1349     + if (page)
    1350     + buf[1] |= BME680_SPI_MEM_PAGE_BIT;
    1351     + else
    1352     + buf[1] &= ~BME680_SPI_MEM_PAGE_BIT;
    1353     +
    1354     + ret = spi_write(spi, buf, 2);
    1355     + if (ret < 0) {
    1356     + dev_err(&spi->dev, "failed to set page %u\n", page);
    1357     + return ret;
    1358     + }
    1359     +
    1360     + ctx->current_page = page;
    1361     +
    1362     + return 0;
    1363     +}
    1364     +
    1365     static int bme680_regmap_spi_write(void *context, const void *data,
    1366     size_t count)
    1367     {
    1368     - struct spi_device *spi = context;
    1369     + struct bme680_spi_bus_context *ctx = context;
    1370     + struct spi_device *spi = ctx->spi;
    1371     + int ret;
    1372     u8 buf[2];
    1373    
    1374     memcpy(buf, data, 2);
    1375     +
    1376     + ret = bme680_regmap_spi_select_page(ctx, buf[0]);
    1377     + if (ret)
    1378     + return ret;
    1379     +
    1380     /*
    1381     * The SPI register address (= full register address without bit 7)
    1382     * and the write command (bit7 = RW = '0')
    1383     */
    1384     buf[0] &= ~0x80;
    1385    
    1386     - return spi_write_then_read(spi, buf, 2, NULL, 0);
    1387     + return spi_write(spi, buf, 2);
    1388     }
    1389    
    1390     static int bme680_regmap_spi_read(void *context, const void *reg,
    1391     size_t reg_size, void *val, size_t val_size)
    1392     {
    1393     - struct spi_device *spi = context;
    1394     + struct bme680_spi_bus_context *ctx = context;
    1395     + struct spi_device *spi = ctx->spi;
    1396     + int ret;
    1397     + u8 addr = *(const u8 *)reg;
    1398     +
    1399     + ret = bme680_regmap_spi_select_page(ctx, addr);
    1400     + if (ret)
    1401     + return ret;
    1402    
    1403     - return spi_write_then_read(spi, reg, reg_size, val, val_size);
    1404     + addr |= 0x80; /* bit7 = RW = '1' */
    1405     +
    1406     + return spi_write_then_read(spi, &addr, 1, val, val_size);
    1407     }
    1408    
    1409     static struct regmap_bus bme680_regmap_bus = {
    1410     @@ -45,8 +110,8 @@ static struct regmap_bus bme680_regmap_bus = {
    1411     static int bme680_spi_probe(struct spi_device *spi)
    1412     {
    1413     const struct spi_device_id *id = spi_get_device_id(spi);
    1414     + struct bme680_spi_bus_context *bus_context;
    1415     struct regmap *regmap;
    1416     - unsigned int val;
    1417     int ret;
    1418    
    1419     spi->bits_per_word = 8;
    1420     @@ -56,45 +121,21 @@ static int bme680_spi_probe(struct spi_device *spi)
    1421     return ret;
    1422     }
    1423    
    1424     + bus_context = devm_kzalloc(&spi->dev, sizeof(*bus_context), GFP_KERNEL);
    1425     + if (!bus_context)
    1426     + return -ENOMEM;
    1427     +
    1428     + bus_context->spi = spi;
    1429     + bus_context->current_page = 0xff; /* Undefined on warm boot */
    1430     +
    1431     regmap = devm_regmap_init(&spi->dev, &bme680_regmap_bus,
    1432     - &spi->dev, &bme680_regmap_config);
    1433     + bus_context, &bme680_regmap_config);
    1434     if (IS_ERR(regmap)) {
    1435     dev_err(&spi->dev, "Failed to register spi regmap %d\n",
    1436     (int)PTR_ERR(regmap));
    1437     return PTR_ERR(regmap);
    1438     }
    1439    
    1440     - ret = regmap_write(regmap, BME680_REG_SOFT_RESET_SPI,
    1441     - BME680_CMD_SOFTRESET);
    1442     - if (ret < 0) {
    1443     - dev_err(&spi->dev, "Failed to reset chip\n");
    1444     - return ret;
    1445     - }
    1446     -
    1447     - /* after power-on reset, Page 0(0x80-0xFF) of spi_mem_page is active */
    1448     - ret = regmap_read(regmap, BME680_REG_CHIP_SPI_ID, &val);
    1449     - if (ret < 0) {
    1450     - dev_err(&spi->dev, "Error reading SPI chip ID\n");
    1451     - return ret;
    1452     - }
    1453     -
    1454     - if (val != BME680_CHIP_ID_VAL) {
    1455     - dev_err(&spi->dev, "Wrong chip ID, got %x expected %x\n",
    1456     - val, BME680_CHIP_ID_VAL);
    1457     - return -ENODEV;
    1458     - }
    1459     - /*
    1460     - * select Page 1 of spi_mem_page to enable access to
    1461     - * to registers from address 0x00 to 0x7F.
    1462     - */
    1463     - ret = regmap_write_bits(regmap, BME680_REG_STATUS,
    1464     - BME680_SPI_MEM_PAGE_BIT,
    1465     - BME680_SPI_MEM_PAGE_1_VAL);
    1466     - if (ret < 0) {
    1467     - dev_err(&spi->dev, "failed to set page 1 of spi_mem_page\n");
    1468     - return ret;
    1469     - }
    1470     -
    1471     return bme680_core_probe(&spi->dev, regmap, id->name);
    1472     }
    1473    
    1474     diff --git a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c
    1475     index 89cb0066a6e0..8d76afb87d87 100644
    1476     --- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c
    1477     +++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c
    1478     @@ -103,9 +103,10 @@ static int cros_ec_sensors_read(struct iio_dev *indio_dev,
    1479     * Do not use IIO_DEGREE_TO_RAD to avoid precision
    1480     * loss. Round to the nearest integer.
    1481     */
    1482     - *val = div_s64(val64 * 314159 + 9000000ULL, 1000);
    1483     - *val2 = 18000 << (CROS_EC_SENSOR_BITS - 1);
    1484     - ret = IIO_VAL_FRACTIONAL;
    1485     + *val = 0;
    1486     + *val2 = div_s64(val64 * 3141592653ULL,
    1487     + 180 << (CROS_EC_SENSOR_BITS - 1));
    1488     + ret = IIO_VAL_INT_PLUS_NANO;
    1489     break;
    1490     case MOTIONSENSE_TYPE_MAG:
    1491     /*
    1492     diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c
    1493     index 6d71fd905e29..c701a45469f6 100644
    1494     --- a/drivers/iio/dac/mcp4725.c
    1495     +++ b/drivers/iio/dac/mcp4725.c
    1496     @@ -92,6 +92,7 @@ static ssize_t mcp4725_store_eeprom(struct device *dev,
    1497    
    1498     inoutbuf[0] = 0x60; /* write EEPROM */
    1499     inoutbuf[0] |= data->ref_mode << 3;
    1500     + inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0;
    1501     inoutbuf[1] = data->dac_value >> 4;
    1502     inoutbuf[2] = (data->dac_value & 0xf) << 4;
    1503    
    1504     diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c
    1505     index 63ca31628a93..92c07ab826eb 100644
    1506     --- a/drivers/iio/gyro/bmg160_core.c
    1507     +++ b/drivers/iio/gyro/bmg160_core.c
    1508     @@ -582,11 +582,10 @@ static int bmg160_read_raw(struct iio_dev *indio_dev,
    1509     case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
    1510     return bmg160_get_filter(data, val);
    1511     case IIO_CHAN_INFO_SCALE:
    1512     - *val = 0;
    1513     switch (chan->type) {
    1514     case IIO_TEMP:
    1515     - *val2 = 500000;
    1516     - return IIO_VAL_INT_PLUS_MICRO;
    1517     + *val = 500;
    1518     + return IIO_VAL_INT;
    1519     case IIO_ANGL_VEL:
    1520     {
    1521     int i;
    1522     @@ -594,6 +593,7 @@ static int bmg160_read_raw(struct iio_dev *indio_dev,
    1523     for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) {
    1524     if (bmg160_scale_table[i].dps_range ==
    1525     data->dps_range) {
    1526     + *val = 0;
    1527     *val2 = bmg160_scale_table[i].scale;
    1528     return IIO_VAL_INT_PLUS_MICRO;
    1529     }
    1530     diff --git a/drivers/iio/gyro/mpu3050-core.c b/drivers/iio/gyro/mpu3050-core.c
    1531     index 77fac81a3adc..5ddebede31a6 100644
    1532     --- a/drivers/iio/gyro/mpu3050-core.c
    1533     +++ b/drivers/iio/gyro/mpu3050-core.c
    1534     @@ -29,7 +29,8 @@
    1535    
    1536     #include "mpu3050.h"
    1537    
    1538     -#define MPU3050_CHIP_ID 0x69
    1539     +#define MPU3050_CHIP_ID 0x68
    1540     +#define MPU3050_CHIP_ID_MASK 0x7E
    1541    
    1542     /*
    1543     * Register map: anything suffixed *_H is a big-endian high byte and always
    1544     @@ -1176,8 +1177,9 @@ int mpu3050_common_probe(struct device *dev,
    1545     goto err_power_down;
    1546     }
    1547    
    1548     - if (val != MPU3050_CHIP_ID) {
    1549     - dev_err(dev, "unsupported chip id %02x\n", (u8)val);
    1550     + if ((val & MPU3050_CHIP_ID_MASK) != MPU3050_CHIP_ID) {
    1551     + dev_err(dev, "unsupported chip id %02x\n",
    1552     + (u8)(val & MPU3050_CHIP_ID_MASK));
    1553     ret = -ENODEV;
    1554     goto err_power_down;
    1555     }
    1556     diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
    1557     index cd5bfe39591b..dadd921a4a30 100644
    1558     --- a/drivers/iio/industrialio-buffer.c
    1559     +++ b/drivers/iio/industrialio-buffer.c
    1560     @@ -320,9 +320,8 @@ static int iio_scan_mask_set(struct iio_dev *indio_dev,
    1561     const unsigned long *mask;
    1562     unsigned long *trialmask;
    1563    
    1564     - trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength),
    1565     - sizeof(*trialmask),
    1566     - GFP_KERNEL);
    1567     + trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength),
    1568     + sizeof(*trialmask), GFP_KERNEL);
    1569     if (trialmask == NULL)
    1570     return -ENOMEM;
    1571     if (!indio_dev->masklength) {
    1572     diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
    1573     index 4f5cd9f60870..5b65750ce775 100644
    1574     --- a/drivers/iio/industrialio-core.c
    1575     +++ b/drivers/iio/industrialio-core.c
    1576     @@ -1738,10 +1738,10 @@ EXPORT_SYMBOL(__iio_device_register);
    1577     **/
    1578     void iio_device_unregister(struct iio_dev *indio_dev)
    1579     {
    1580     - mutex_lock(&indio_dev->info_exist_lock);
    1581     -
    1582     cdev_device_del(&indio_dev->chrdev, &indio_dev->dev);
    1583    
    1584     + mutex_lock(&indio_dev->info_exist_lock);
    1585     +
    1586     iio_device_unregister_debugfs(indio_dev);
    1587    
    1588     iio_disable_all_buffers(indio_dev);
    1589     diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
    1590     index 5f366838b7ff..e2a4570a47e8 100644
    1591     --- a/drivers/infiniband/core/uverbs_main.c
    1592     +++ b/drivers/infiniband/core/uverbs_main.c
    1593     @@ -992,6 +992,8 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile)
    1594     * will only be one mm, so no big deal.
    1595     */
    1596     down_write(&mm->mmap_sem);
    1597     + if (!mmget_still_valid(mm))
    1598     + goto skip_mm;
    1599     mutex_lock(&ufile->umap_lock);
    1600     list_for_each_entry_safe (priv, next_priv, &ufile->umaps,
    1601     list) {
    1602     @@ -1006,6 +1008,7 @@ void uverbs_user_mmap_disassociate(struct ib_uverbs_file *ufile)
    1603     vma->vm_flags &= ~(VM_SHARED | VM_MAYSHARE);
    1604     }
    1605     mutex_unlock(&ufile->umap_lock);
    1606     + skip_mm:
    1607     up_write(&mm->mmap_sem);
    1608     mmput(mm);
    1609     }
    1610     diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
    1611     index 628ef617bb2f..f9525d6f0bfe 100644
    1612     --- a/drivers/input/mouse/elan_i2c_core.c
    1613     +++ b/drivers/input/mouse/elan_i2c_core.c
    1614     @@ -1339,21 +1339,46 @@ static const struct acpi_device_id elan_acpi_id[] = {
    1615     { "ELAN0600", 0 },
    1616     { "ELAN0601", 0 },
    1617     { "ELAN0602", 0 },
    1618     + { "ELAN0603", 0 },
    1619     + { "ELAN0604", 0 },
    1620     { "ELAN0605", 0 },
    1621     + { "ELAN0606", 0 },
    1622     + { "ELAN0607", 0 },
    1623     { "ELAN0608", 0 },
    1624     { "ELAN0609", 0 },
    1625     { "ELAN060B", 0 },
    1626     { "ELAN060C", 0 },
    1627     + { "ELAN060F", 0 },
    1628     + { "ELAN0610", 0 },
    1629     { "ELAN0611", 0 },
    1630     { "ELAN0612", 0 },
    1631     + { "ELAN0615", 0 },
    1632     + { "ELAN0616", 0 },
    1633     { "ELAN0617", 0 },
    1634     { "ELAN0618", 0 },
    1635     + { "ELAN0619", 0 },
    1636     + { "ELAN061A", 0 },
    1637     + { "ELAN061B", 0 },
    1638     { "ELAN061C", 0 },
    1639     { "ELAN061D", 0 },
    1640     { "ELAN061E", 0 },
    1641     + { "ELAN061F", 0 },
    1642     { "ELAN0620", 0 },
    1643     { "ELAN0621", 0 },
    1644     { "ELAN0622", 0 },
    1645     + { "ELAN0623", 0 },
    1646     + { "ELAN0624", 0 },
    1647     + { "ELAN0625", 0 },
    1648     + { "ELAN0626", 0 },
    1649     + { "ELAN0627", 0 },
    1650     + { "ELAN0628", 0 },
    1651     + { "ELAN0629", 0 },
    1652     + { "ELAN062A", 0 },
    1653     + { "ELAN062B", 0 },
    1654     + { "ELAN062C", 0 },
    1655     + { "ELAN062D", 0 },
    1656     + { "ELAN0631", 0 },
    1657     + { "ELAN0632", 0 },
    1658     { "ELAN1000", 0 },
    1659     { }
    1660     };
    1661     diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
    1662     index 537c90c8eb0a..f89fc6ea6078 100644
    1663     --- a/drivers/net/bonding/bond_main.c
    1664     +++ b/drivers/net/bonding/bond_main.c
    1665     @@ -3214,8 +3214,12 @@ static int bond_netdev_event(struct notifier_block *this,
    1666     return NOTIFY_DONE;
    1667    
    1668     if (event_dev->flags & IFF_MASTER) {
    1669     + int ret;
    1670     +
    1671     netdev_dbg(event_dev, "IFF_MASTER\n");
    1672     - return bond_master_netdev_event(event, event_dev);
    1673     + ret = bond_master_netdev_event(event, event_dev);
    1674     + if (ret != NOTIFY_DONE)
    1675     + return ret;
    1676     }
    1677    
    1678     if (event_dev->flags & IFF_SLAVE) {
    1679     diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
    1680     index d4ee9f9c8c34..36263c77df46 100644
    1681     --- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
    1682     +++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
    1683     @@ -32,6 +32,13 @@
    1684     #define DRV_NAME "nicvf"
    1685     #define DRV_VERSION "1.0"
    1686    
    1687     +/* NOTE: Packets bigger than 1530 are split across multiple pages and XDP needs
    1688     + * the buffer to be contiguous. Allow XDP to be set up only if we don't exceed
    1689     + * this value, keeping headroom for the 14 byte Ethernet header and two
    1690     + * VLAN tags (for QinQ)
    1691     + */
    1692     +#define MAX_XDP_MTU (1530 - ETH_HLEN - VLAN_HLEN * 2)
    1693     +
    1694     /* Supported devices */
    1695     static const struct pci_device_id nicvf_id_table[] = {
    1696     { PCI_DEVICE_SUB(PCI_VENDOR_ID_CAVIUM,
    1697     @@ -1582,6 +1589,15 @@ static int nicvf_change_mtu(struct net_device *netdev, int new_mtu)
    1698     struct nicvf *nic = netdev_priv(netdev);
    1699     int orig_mtu = netdev->mtu;
    1700    
    1701     + /* For now just support only the usual MTU sized frames,
    1702     + * plus some headroom for VLAN, QinQ.
    1703     + */
    1704     + if (nic->xdp_prog && new_mtu > MAX_XDP_MTU) {
    1705     + netdev_warn(netdev, "Jumbo frames not yet supported with XDP, current MTU %d.\n",
    1706     + netdev->mtu);
    1707     + return -EINVAL;
    1708     + }
    1709     +
    1710     netdev->mtu = new_mtu;
    1711    
    1712     if (!netif_running(netdev))
    1713     @@ -1830,8 +1846,10 @@ static int nicvf_xdp_setup(struct nicvf *nic, struct bpf_prog *prog)
    1714     bool bpf_attached = false;
    1715     int ret = 0;
    1716    
    1717     - /* For now just support only the usual MTU sized frames */
    1718     - if (prog && (dev->mtu > 1500)) {
    1719     + /* For now just support only the usual MTU sized frames,
    1720     + * plus some headroom for VLAN, QinQ.
    1721     + */
    1722     + if (prog && dev->mtu > MAX_XDP_MTU) {
    1723     netdev_warn(dev, "Jumbo frames not yet supported with XDP, current MTU %d.\n",
    1724     dev->mtu);
    1725     return -EOPNOTSUPP;
    1726     diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
    1727     index 697c2427f2b7..a96ad20ee484 100644
    1728     --- a/drivers/net/ethernet/freescale/fec_main.c
    1729     +++ b/drivers/net/ethernet/freescale/fec_main.c
    1730     @@ -1840,13 +1840,9 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable)
    1731     int ret;
    1732    
    1733     if (enable) {
    1734     - ret = clk_prepare_enable(fep->clk_ahb);
    1735     - if (ret)
    1736     - return ret;
    1737     -
    1738     ret = clk_prepare_enable(fep->clk_enet_out);
    1739     if (ret)
    1740     - goto failed_clk_enet_out;
    1741     + return ret;
    1742    
    1743     if (fep->clk_ptp) {
    1744     mutex_lock(&fep->ptp_clk_mutex);
    1745     @@ -1866,7 +1862,6 @@ static int fec_enet_clk_enable(struct net_device *ndev, bool enable)
    1746    
    1747     phy_reset_after_clk_enable(ndev->phydev);
    1748     } else {
    1749     - clk_disable_unprepare(fep->clk_ahb);
    1750     clk_disable_unprepare(fep->clk_enet_out);
    1751     if (fep->clk_ptp) {
    1752     mutex_lock(&fep->ptp_clk_mutex);
    1753     @@ -1885,8 +1880,6 @@ failed_clk_ref:
    1754     failed_clk_ptp:
    1755     if (fep->clk_enet_out)
    1756     clk_disable_unprepare(fep->clk_enet_out);
    1757     -failed_clk_enet_out:
    1758     - clk_disable_unprepare(fep->clk_ahb);
    1759    
    1760     return ret;
    1761     }
    1762     @@ -3470,6 +3463,9 @@ fec_probe(struct platform_device *pdev)
    1763     ret = clk_prepare_enable(fep->clk_ipg);
    1764     if (ret)
    1765     goto failed_clk_ipg;
    1766     + ret = clk_prepare_enable(fep->clk_ahb);
    1767     + if (ret)
    1768     + goto failed_clk_ahb;
    1769    
    1770     fep->reg_phy = devm_regulator_get_optional(&pdev->dev, "phy");
    1771     if (!IS_ERR(fep->reg_phy)) {
    1772     @@ -3563,6 +3559,9 @@ failed_reset:
    1773     pm_runtime_put(&pdev->dev);
    1774     pm_runtime_disable(&pdev->dev);
    1775     failed_regulator:
    1776     + clk_disable_unprepare(fep->clk_ahb);
    1777     +failed_clk_ahb:
    1778     + clk_disable_unprepare(fep->clk_ipg);
    1779     failed_clk_ipg:
    1780     fec_enet_clk_enable(ndev, false);
    1781     failed_clk:
    1782     @@ -3686,6 +3685,7 @@ static int __maybe_unused fec_runtime_suspend(struct device *dev)
    1783     struct net_device *ndev = dev_get_drvdata(dev);
    1784     struct fec_enet_private *fep = netdev_priv(ndev);
    1785    
    1786     + clk_disable_unprepare(fep->clk_ahb);
    1787     clk_disable_unprepare(fep->clk_ipg);
    1788    
    1789     return 0;
    1790     @@ -3695,8 +3695,20 @@ static int __maybe_unused fec_runtime_resume(struct device *dev)
    1791     {
    1792     struct net_device *ndev = dev_get_drvdata(dev);
    1793     struct fec_enet_private *fep = netdev_priv(ndev);
    1794     + int ret;
    1795    
    1796     - return clk_prepare_enable(fep->clk_ipg);
    1797     + ret = clk_prepare_enable(fep->clk_ahb);
    1798     + if (ret)
    1799     + return ret;
    1800     + ret = clk_prepare_enable(fep->clk_ipg);
    1801     + if (ret)
    1802     + goto failed_clk_ipg;
    1803     +
    1804     + return 0;
    1805     +
    1806     +failed_clk_ipg:
    1807     + clk_disable_unprepare(fep->clk_ahb);
    1808     + return ret;
    1809     }
    1810    
    1811     static const struct dev_pm_ops fec_pm_ops = {
    1812     diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
    1813     index f3c7ab6faea5..b8521e2f64ac 100644
    1814     --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
    1815     +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
    1816     @@ -39,6 +39,10 @@ static int get_route_and_out_devs(struct mlx5e_priv *priv,
    1817     return -EOPNOTSUPP;
    1818     }
    1819    
    1820     + if (!(mlx5e_eswitch_rep(*out_dev) &&
    1821     + mlx5e_is_uplink_rep(netdev_priv(*out_dev))))
    1822     + return -EOPNOTSUPP;
    1823     +
    1824     return 0;
    1825     }
    1826    
    1827     diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
    1828     index e6099f51d25f..3b9e5f0d0212 100644
    1829     --- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
    1830     +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
    1831     @@ -1665,7 +1665,8 @@ static int set_pflag_rx_no_csum_complete(struct net_device *netdev, bool enable)
    1832     struct mlx5e_channel *c;
    1833     int i;
    1834    
    1835     - if (!test_bit(MLX5E_STATE_OPENED, &priv->state))
    1836     + if (!test_bit(MLX5E_STATE_OPENED, &priv->state) ||
    1837     + priv->channels.params.xdp_prog)
    1838     return 0;
    1839    
    1840     for (i = 0; i < channels->num; i++) {
    1841     diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
    1842     index 93e50ccd44c3..0cb19e4dd439 100644
    1843     --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
    1844     +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
    1845     @@ -950,7 +950,11 @@ static int mlx5e_open_rq(struct mlx5e_channel *c,
    1846     if (params->rx_dim_enabled)
    1847     __set_bit(MLX5E_RQ_STATE_AM, &c->rq.state);
    1848    
    1849     - if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_NO_CSUM_COMPLETE))
    1850     + /* We disable csum_complete when XDP is enabled since
    1851     + * XDP programs might manipulate packets which will render
    1852     + * skb->checksum incorrect.
    1853     + */
    1854     + if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_NO_CSUM_COMPLETE) || c->xdp)
    1855     __set_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &c->rq.state);
    1856    
    1857     return 0;
    1858     @@ -4570,7 +4574,7 @@ void mlx5e_build_rss_params(struct mlx5e_rss_params *rss_params,
    1859     {
    1860     enum mlx5e_traffic_types tt;
    1861    
    1862     - rss_params->hfunc = ETH_RSS_HASH_XOR;
    1863     + rss_params->hfunc = ETH_RSS_HASH_TOP;
    1864     netdev_rss_key_fill(rss_params->toeplitz_hash_key,
    1865     sizeof(rss_params->toeplitz_hash_key));
    1866     mlx5e_build_default_indir_rqt(rss_params->indirection_rqt,
    1867     diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
    1868     index f86e4804e83e..2cbda8abd8b9 100644
    1869     --- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
    1870     +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
    1871     @@ -693,7 +693,14 @@ static inline bool is_last_ethertype_ip(struct sk_buff *skb, int *network_depth,
    1872     {
    1873     *proto = ((struct ethhdr *)skb->data)->h_proto;
    1874     *proto = __vlan_get_protocol(skb, *proto, network_depth);
    1875     - return (*proto == htons(ETH_P_IP) || *proto == htons(ETH_P_IPV6));
    1876     +
    1877     + if (*proto == htons(ETH_P_IP))
    1878     + return pskb_may_pull(skb, *network_depth + sizeof(struct iphdr));
    1879     +
    1880     + if (*proto == htons(ETH_P_IPV6))
    1881     + return pskb_may_pull(skb, *network_depth + sizeof(struct ipv6hdr));
    1882     +
    1883     + return false;
    1884     }
    1885    
    1886     static inline void mlx5e_enable_ecn(struct mlx5e_rq *rq, struct sk_buff *skb)
    1887     @@ -713,17 +720,6 @@ static inline void mlx5e_enable_ecn(struct mlx5e_rq *rq, struct sk_buff *skb)
    1888     rq->stats->ecn_mark += !!rc;
    1889     }
    1890    
    1891     -static u32 mlx5e_get_fcs(const struct sk_buff *skb)
    1892     -{
    1893     - const void *fcs_bytes;
    1894     - u32 _fcs_bytes;
    1895     -
    1896     - fcs_bytes = skb_header_pointer(skb, skb->len - ETH_FCS_LEN,
    1897     - ETH_FCS_LEN, &_fcs_bytes);
    1898     -
    1899     - return __get_unaligned_cpu32(fcs_bytes);
    1900     -}
    1901     -
    1902     static u8 get_ip_proto(struct sk_buff *skb, int network_depth, __be16 proto)
    1903     {
    1904     void *ip_p = skb->data + network_depth;
    1905     @@ -734,6 +730,68 @@ static u8 get_ip_proto(struct sk_buff *skb, int network_depth, __be16 proto)
    1906    
    1907     #define short_frame(size) ((size) <= ETH_ZLEN + ETH_FCS_LEN)
    1908    
    1909     +#define MAX_PADDING 8
    1910     +
    1911     +static void
    1912     +tail_padding_csum_slow(struct sk_buff *skb, int offset, int len,
    1913     + struct mlx5e_rq_stats *stats)
    1914     +{
    1915     + stats->csum_complete_tail_slow++;
    1916     + skb->csum = csum_block_add(skb->csum,
    1917     + skb_checksum(skb, offset, len, 0),
    1918     + offset);
    1919     +}
    1920     +
    1921     +static void
    1922     +tail_padding_csum(struct sk_buff *skb, int offset,
    1923     + struct mlx5e_rq_stats *stats)
    1924     +{
    1925     + u8 tail_padding[MAX_PADDING];
    1926     + int len = skb->len - offset;
    1927     + void *tail;
    1928     +
    1929     + if (unlikely(len > MAX_PADDING)) {
    1930     + tail_padding_csum_slow(skb, offset, len, stats);
    1931     + return;
    1932     + }
    1933     +
    1934     + tail = skb_header_pointer(skb, offset, len, tail_padding);
    1935     + if (unlikely(!tail)) {
    1936     + tail_padding_csum_slow(skb, offset, len, stats);
    1937     + return;
    1938     + }
    1939     +
    1940     + stats->csum_complete_tail++;
    1941     + skb->csum = csum_block_add(skb->csum, csum_partial(tail, len, 0), offset);
    1942     +}
    1943     +
    1944     +static void
    1945     +mlx5e_skb_padding_csum(struct sk_buff *skb, int network_depth, __be16 proto,
    1946     + struct mlx5e_rq_stats *stats)
    1947     +{
    1948     + struct ipv6hdr *ip6;
    1949     + struct iphdr *ip4;
    1950     + int pkt_len;
    1951     +
    1952     + switch (proto) {
    1953     + case htons(ETH_P_IP):
    1954     + ip4 = (struct iphdr *)(skb->data + network_depth);
    1955     + pkt_len = network_depth + ntohs(ip4->tot_len);
    1956     + break;
    1957     + case htons(ETH_P_IPV6):
    1958     + ip6 = (struct ipv6hdr *)(skb->data + network_depth);
    1959     + pkt_len = network_depth + sizeof(*ip6) + ntohs(ip6->payload_len);
    1960     + break;
    1961     + default:
    1962     + return;
    1963     + }
    1964     +
    1965     + if (likely(pkt_len >= skb->len))
    1966     + return;
    1967     +
    1968     + tail_padding_csum(skb, pkt_len, stats);
    1969     +}
    1970     +
    1971     static inline void mlx5e_handle_csum(struct net_device *netdev,
    1972     struct mlx5_cqe64 *cqe,
    1973     struct mlx5e_rq *rq,
    1974     @@ -753,7 +811,8 @@ static inline void mlx5e_handle_csum(struct net_device *netdev,
    1975     return;
    1976     }
    1977    
    1978     - if (unlikely(test_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &rq->state)))
    1979     + /* True when explicitly set via priv flag, or XDP prog is loaded */
    1980     + if (test_bit(MLX5E_RQ_STATE_NO_CSUM_COMPLETE, &rq->state))
    1981     goto csum_unnecessary;
    1982    
    1983     /* CQE csum doesn't cover padding octets in short ethernet
    1984     @@ -781,18 +840,15 @@ static inline void mlx5e_handle_csum(struct net_device *netdev,
    1985     skb->csum = csum_partial(skb->data + ETH_HLEN,
    1986     network_depth - ETH_HLEN,
    1987     skb->csum);
    1988     - if (unlikely(netdev->features & NETIF_F_RXFCS))
    1989     - skb->csum = csum_block_add(skb->csum,
    1990     - (__force __wsum)mlx5e_get_fcs(skb),
    1991     - skb->len - ETH_FCS_LEN);
    1992     +
    1993     + mlx5e_skb_padding_csum(skb, network_depth, proto, stats);
    1994     stats->csum_complete++;
    1995     return;
    1996     }
    1997    
    1998     csum_unnecessary:
    1999     if (likely((cqe->hds_ip_ext & CQE_L3_OK) &&
    2000     - ((cqe->hds_ip_ext & CQE_L4_OK) ||
    2001     - (get_cqe_l4_hdr_type(cqe) == CQE_L4_HDR_TYPE_NONE)))) {
    2002     + (cqe->hds_ip_ext & CQE_L4_OK))) {
    2003     skb->ip_summed = CHECKSUM_UNNECESSARY;
    2004     if (cqe_is_tunneled(cqe)) {
    2005     skb->csum_level = 1;
    2006     diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
    2007     index d3fe48ff9da9..4461b44acafc 100644
    2008     --- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
    2009     +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
    2010     @@ -59,6 +59,8 @@ static const struct counter_desc sw_stats_desc[] = {
    2011     { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_unnecessary) },
    2012     { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_none) },
    2013     { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete) },
    2014     + { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete_tail) },
    2015     + { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_complete_tail_slow) },
    2016     { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_csum_unnecessary_inner) },
    2017     { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_xdp_drop) },
    2018     { MLX5E_DECLARE_STAT(struct mlx5e_sw_stats, rx_xdp_redirect) },
    2019     @@ -151,6 +153,8 @@ void mlx5e_grp_sw_update_stats(struct mlx5e_priv *priv)
    2020     s->rx_removed_vlan_packets += rq_stats->removed_vlan_packets;
    2021     s->rx_csum_none += rq_stats->csum_none;
    2022     s->rx_csum_complete += rq_stats->csum_complete;
    2023     + s->rx_csum_complete_tail += rq_stats->csum_complete_tail;
    2024     + s->rx_csum_complete_tail_slow += rq_stats->csum_complete_tail_slow;
    2025     s->rx_csum_unnecessary += rq_stats->csum_unnecessary;
    2026     s->rx_csum_unnecessary_inner += rq_stats->csum_unnecessary_inner;
    2027     s->rx_xdp_drop += rq_stats->xdp_drop;
    2028     @@ -1192,6 +1196,8 @@ static const struct counter_desc rq_stats_desc[] = {
    2029     { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, packets) },
    2030     { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, bytes) },
    2031     { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete) },
    2032     + { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete_tail) },
    2033     + { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_complete_tail_slow) },
    2034     { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_unnecessary) },
    2035     { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_unnecessary_inner) },
    2036     { MLX5E_DECLARE_RX_STAT(struct mlx5e_rq_stats, csum_none) },
    2037     diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
    2038     index fe91ec06e3c7..714303bf0797 100644
    2039     --- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
    2040     +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
    2041     @@ -71,6 +71,8 @@ struct mlx5e_sw_stats {
    2042     u64 rx_csum_unnecessary;
    2043     u64 rx_csum_none;
    2044     u64 rx_csum_complete;
    2045     + u64 rx_csum_complete_tail;
    2046     + u64 rx_csum_complete_tail_slow;
    2047     u64 rx_csum_unnecessary_inner;
    2048     u64 rx_xdp_drop;
    2049     u64 rx_xdp_redirect;
    2050     @@ -181,6 +183,8 @@ struct mlx5e_rq_stats {
    2051     u64 packets;
    2052     u64 bytes;
    2053     u64 csum_complete;
    2054     + u64 csum_complete_tail;
    2055     + u64 csum_complete_tail_slow;
    2056     u64 csum_unnecessary;
    2057     u64 csum_unnecessary_inner;
    2058     u64 csum_none;
    2059     diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
    2060     index 8de64e88c670..22a2ef111514 100644
    2061     --- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
    2062     +++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
    2063     @@ -148,14 +148,16 @@ static int mlx5_fpga_tls_alloc_swid(struct idr *idr, spinlock_t *idr_spinlock,
    2064     return ret;
    2065     }
    2066    
    2067     -static void mlx5_fpga_tls_release_swid(struct idr *idr,
    2068     - spinlock_t *idr_spinlock, u32 swid)
    2069     +static void *mlx5_fpga_tls_release_swid(struct idr *idr,
    2070     + spinlock_t *idr_spinlock, u32 swid)
    2071     {
    2072     unsigned long flags;
    2073     + void *ptr;
    2074    
    2075     spin_lock_irqsave(idr_spinlock, flags);
    2076     - idr_remove(idr, swid);
    2077     + ptr = idr_remove(idr, swid);
    2078     spin_unlock_irqrestore(idr_spinlock, flags);
    2079     + return ptr;
    2080     }
    2081    
    2082     static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn,
    2083     @@ -165,20 +167,12 @@ static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn,
    2084     kfree(buf);
    2085     }
    2086    
    2087     -struct mlx5_teardown_stream_context {
    2088     - struct mlx5_fpga_tls_command_context cmd;
    2089     - u32 swid;
    2090     -};
    2091     -
    2092     static void
    2093     mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn,
    2094     struct mlx5_fpga_device *fdev,
    2095     struct mlx5_fpga_tls_command_context *cmd,
    2096     struct mlx5_fpga_dma_buf *resp)
    2097     {
    2098     - struct mlx5_teardown_stream_context *ctx =
    2099     - container_of(cmd, struct mlx5_teardown_stream_context, cmd);
    2100     -
    2101     if (resp) {
    2102     u32 syndrome = MLX5_GET(tls_resp, resp->sg[0].data, syndrome);
    2103    
    2104     @@ -186,14 +180,6 @@ mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn,
    2105     mlx5_fpga_err(fdev,
    2106     "Teardown stream failed with syndrome = %d",
    2107     syndrome);
    2108     - else if (MLX5_GET(tls_cmd, cmd->buf.sg[0].data, direction_sx))
    2109     - mlx5_fpga_tls_release_swid(&fdev->tls->tx_idr,
    2110     - &fdev->tls->tx_idr_spinlock,
    2111     - ctx->swid);
    2112     - else
    2113     - mlx5_fpga_tls_release_swid(&fdev->tls->rx_idr,
    2114     - &fdev->tls->rx_idr_spinlock,
    2115     - ctx->swid);
    2116     }
    2117     mlx5_fpga_tls_put_command_ctx(cmd);
    2118     }
    2119     @@ -217,22 +203,22 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
    2120     void *cmd;
    2121     int ret;
    2122    
    2123     - rcu_read_lock();
    2124     - flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
    2125     - rcu_read_unlock();
    2126     -
    2127     - if (!flow) {
    2128     - WARN_ONCE(1, "Received NULL pointer for handle\n");
    2129     - return -EINVAL;
    2130     - }
    2131     -
    2132     buf = kzalloc(size, GFP_ATOMIC);
    2133     if (!buf)
    2134     return -ENOMEM;
    2135    
    2136     cmd = (buf + 1);
    2137    
    2138     + rcu_read_lock();
    2139     + flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
    2140     + if (unlikely(!flow)) {
    2141     + rcu_read_unlock();
    2142     + WARN_ONCE(1, "Received NULL pointer for handle\n");
    2143     + kfree(buf);
    2144     + return -EINVAL;
    2145     + }
    2146     mlx5_fpga_tls_flow_to_cmd(flow, cmd);
    2147     + rcu_read_unlock();
    2148    
    2149     MLX5_SET(tls_cmd, cmd, swid, ntohl(handle));
    2150     MLX5_SET64(tls_cmd, cmd, tls_rcd_sn, be64_to_cpu(rcd_sn));
    2151     @@ -253,7 +239,7 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq,
    2152     static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev,
    2153     void *flow, u32 swid, gfp_t flags)
    2154     {
    2155     - struct mlx5_teardown_stream_context *ctx;
    2156     + struct mlx5_fpga_tls_command_context *ctx;
    2157     struct mlx5_fpga_dma_buf *buf;
    2158     void *cmd;
    2159    
    2160     @@ -261,7 +247,7 @@ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev,
    2161     if (!ctx)
    2162     return;
    2163    
    2164     - buf = &ctx->cmd.buf;
    2165     + buf = &ctx->buf;
    2166     cmd = (ctx + 1);
    2167     MLX5_SET(tls_cmd, cmd, command_type, CMD_TEARDOWN_STREAM);
    2168     MLX5_SET(tls_cmd, cmd, swid, swid);
    2169     @@ -272,8 +258,7 @@ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev,
    2170     buf->sg[0].data = cmd;
    2171     buf->sg[0].size = MLX5_TLS_COMMAND_SIZE;
    2172    
    2173     - ctx->swid = swid;
    2174     - mlx5_fpga_tls_cmd_send(mdev->fpga, &ctx->cmd,
    2175     + mlx5_fpga_tls_cmd_send(mdev->fpga, ctx,
    2176     mlx5_fpga_tls_teardown_completion);
    2177     }
    2178    
    2179     @@ -283,13 +268,14 @@ void mlx5_fpga_tls_del_flow(struct mlx5_core_dev *mdev, u32 swid,
    2180     struct mlx5_fpga_tls *tls = mdev->fpga->tls;
    2181     void *flow;
    2182    
    2183     - rcu_read_lock();
    2184     if (direction_sx)
    2185     - flow = idr_find(&tls->tx_idr, swid);
    2186     + flow = mlx5_fpga_tls_release_swid(&tls->tx_idr,
    2187     + &tls->tx_idr_spinlock,
    2188     + swid);
    2189     else
    2190     - flow = idr_find(&tls->rx_idr, swid);
    2191     -
    2192     - rcu_read_unlock();
    2193     + flow = mlx5_fpga_tls_release_swid(&tls->rx_idr,
    2194     + &tls->rx_idr_spinlock,
    2195     + swid);
    2196    
    2197     if (!flow) {
    2198     mlx5_fpga_err(mdev->fpga, "No flow information for swid %u\n",
    2199     @@ -297,6 +283,7 @@ void mlx5_fpga_tls_del_flow(struct mlx5_core_dev *mdev, u32 swid,
    2200     return;
    2201     }
    2202    
    2203     + synchronize_rcu(); /* before kfree(flow) */
    2204     mlx5_fpga_tls_send_teardown_cmd(mdev, flow, swid, flags);
    2205     }
    2206    
    2207     diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c
    2208     index ddedf8ab5b64..fc643fde5a4a 100644
    2209     --- a/drivers/net/ethernet/mellanox/mlxsw/core.c
    2210     +++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
    2211     @@ -568,7 +568,7 @@ static int mlxsw_emad_init(struct mlxsw_core *mlxsw_core)
    2212     if (!(mlxsw_core->bus->features & MLXSW_BUS_F_TXRX))
    2213     return 0;
    2214    
    2215     - emad_wq = alloc_workqueue("mlxsw_core_emad", WQ_MEM_RECLAIM, 0);
    2216     + emad_wq = alloc_workqueue("mlxsw_core_emad", 0, 0);
    2217     if (!emad_wq)
    2218     return -ENOMEM;
    2219     mlxsw_core->emad_wq = emad_wq;
    2220     @@ -1912,10 +1912,10 @@ static int __init mlxsw_core_module_init(void)
    2221     {
    2222     int err;
    2223    
    2224     - mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, WQ_MEM_RECLAIM, 0);
    2225     + mlxsw_wq = alloc_workqueue(mlxsw_core_driver_name, 0, 0);
    2226     if (!mlxsw_wq)
    2227     return -ENOMEM;
    2228     - mlxsw_owq = alloc_ordered_workqueue("%s_ordered", WQ_MEM_RECLAIM,
    2229     + mlxsw_owq = alloc_ordered_workqueue("%s_ordered", 0,
    2230     mlxsw_core_driver_name);
    2231     if (!mlxsw_owq) {
    2232     err = -ENOMEM;
    2233     diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
    2234     index 98e5ffd71b91..2f6afbfd689f 100644
    2235     --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
    2236     +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
    2237     @@ -6745,7 +6745,7 @@ static int mlxsw_sp_router_port_check_rif_addr(struct mlxsw_sp *mlxsw_sp,
    2238     /* A RIF is not created for macvlan netdevs. Their MAC is used to
    2239     * populate the FDB
    2240     */
    2241     - if (netif_is_macvlan(dev))
    2242     + if (netif_is_macvlan(dev) || netif_is_l3_master(dev))
    2243     return 0;
    2244    
    2245     for (i = 0; i < MLXSW_CORE_RES_GET(mlxsw_sp->core, MAX_RIFS); i++) {
    2246     diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
    2247     index c772109b638d..f5a10e286400 100644
    2248     --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
    2249     +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
    2250     @@ -1654,7 +1654,7 @@ static int mlxsw_sp_port_mdb_add(struct mlxsw_sp_port *mlxsw_sp_port,
    2251     u16 fid_index;
    2252     int err = 0;
    2253    
    2254     - if (switchdev_trans_ph_prepare(trans))
    2255     + if (switchdev_trans_ph_commit(trans))
    2256     return 0;
    2257    
    2258     bridge_port = mlxsw_sp_bridge_port_find(mlxsw_sp->bridge, orig_dev);
    2259     diff --git a/drivers/net/ethernet/netronome/nfp/flower/action.c b/drivers/net/ethernet/netronome/nfp/flower/action.c
    2260     index 8d54b36afee8..2bbc5b8f92c2 100644
    2261     --- a/drivers/net/ethernet/netronome/nfp/flower/action.c
    2262     +++ b/drivers/net/ethernet/netronome/nfp/flower/action.c
    2263     @@ -49,8 +49,7 @@ nfp_fl_push_vlan(struct nfp_fl_push_vlan *push_vlan,
    2264    
    2265     tmp_push_vlan_tci =
    2266     FIELD_PREP(NFP_FL_PUSH_VLAN_PRIO, tcf_vlan_push_prio(action)) |
    2267     - FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action)) |
    2268     - NFP_FL_PUSH_VLAN_CFI;
    2269     + FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action));
    2270     push_vlan->vlan_tci = cpu_to_be16(tmp_push_vlan_tci);
    2271     }
    2272    
    2273     diff --git a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
    2274     index 15f41cfef9f1..ab07d76b4186 100644
    2275     --- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
    2276     +++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
    2277     @@ -26,7 +26,7 @@
    2278     #define NFP_FLOWER_LAYER2_GENEVE_OP BIT(6)
    2279    
    2280     #define NFP_FLOWER_MASK_VLAN_PRIO GENMASK(15, 13)
    2281     -#define NFP_FLOWER_MASK_VLAN_CFI BIT(12)
    2282     +#define NFP_FLOWER_MASK_VLAN_PRESENT BIT(12)
    2283     #define NFP_FLOWER_MASK_VLAN_VID GENMASK(11, 0)
    2284    
    2285     #define NFP_FLOWER_MASK_MPLS_LB GENMASK(31, 12)
    2286     @@ -82,7 +82,6 @@
    2287     #define NFP_FL_OUT_FLAGS_TYPE_IDX GENMASK(2, 0)
    2288    
    2289     #define NFP_FL_PUSH_VLAN_PRIO GENMASK(15, 13)
    2290     -#define NFP_FL_PUSH_VLAN_CFI BIT(12)
    2291     #define NFP_FL_PUSH_VLAN_VID GENMASK(11, 0)
    2292    
    2293     #define IPV6_FLOW_LABEL_MASK cpu_to_be32(0x000fffff)
    2294     diff --git a/drivers/net/ethernet/netronome/nfp/flower/match.c b/drivers/net/ethernet/netronome/nfp/flower/match.c
    2295     index cdf75595f627..571cc8ced33e 100644
    2296     --- a/drivers/net/ethernet/netronome/nfp/flower/match.c
    2297     +++ b/drivers/net/ethernet/netronome/nfp/flower/match.c
    2298     @@ -26,14 +26,12 @@ nfp_flower_compile_meta_tci(struct nfp_flower_meta_tci *frame,
    2299     FLOW_DISSECTOR_KEY_VLAN,
    2300     target);
    2301     /* Populate the tci field. */
    2302     - if (flow_vlan->vlan_id || flow_vlan->vlan_priority) {
    2303     - tmp_tci = FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO,
    2304     - flow_vlan->vlan_priority) |
    2305     - FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID,
    2306     - flow_vlan->vlan_id) |
    2307     - NFP_FLOWER_MASK_VLAN_CFI;
    2308     - frame->tci = cpu_to_be16(tmp_tci);
    2309     - }
    2310     + tmp_tci = NFP_FLOWER_MASK_VLAN_PRESENT;
    2311     + tmp_tci |= FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO,
    2312     + flow_vlan->vlan_priority) |
    2313     + FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID,
    2314     + flow_vlan->vlan_id);
    2315     + frame->tci = cpu_to_be16(tmp_tci);
    2316     }
    2317     }
    2318    
    2319     diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
    2320     index 6ce3f666d142..1283632091d5 100644
    2321     --- a/drivers/net/team/team.c
    2322     +++ b/drivers/net/team/team.c
    2323     @@ -1247,6 +1247,23 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
    2324     goto err_option_port_add;
    2325     }
    2326    
    2327     + /* set promiscuity level to new slave */
    2328     + if (dev->flags & IFF_PROMISC) {
    2329     + err = dev_set_promiscuity(port_dev, 1);
    2330     + if (err)
    2331     + goto err_set_slave_promisc;
    2332     + }
    2333     +
    2334     + /* set allmulti level to new slave */
    2335     + if (dev->flags & IFF_ALLMULTI) {
    2336     + err = dev_set_allmulti(port_dev, 1);
    2337     + if (err) {
    2338     + if (dev->flags & IFF_PROMISC)
    2339     + dev_set_promiscuity(port_dev, -1);
    2340     + goto err_set_slave_promisc;
    2341     + }
    2342     + }
    2343     +
    2344     netif_addr_lock_bh(dev);
    2345     dev_uc_sync_multiple(port_dev, dev);
    2346     dev_mc_sync_multiple(port_dev, dev);
    2347     @@ -1263,6 +1280,9 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
    2348    
    2349     return 0;
    2350    
    2351     +err_set_slave_promisc:
    2352     + __team_option_inst_del_port(team, port);
    2353     +
    2354     err_option_port_add:
    2355     team_upper_dev_unlink(team, port);
    2356    
    2357     @@ -1308,6 +1328,12 @@ static int team_port_del(struct team *team, struct net_device *port_dev)
    2358    
    2359     team_port_disable(team, port);
    2360     list_del_rcu(&port->list);
    2361     +
    2362     + if (dev->flags & IFF_PROMISC)
    2363     + dev_set_promiscuity(port_dev, -1);
    2364     + if (dev->flags & IFF_ALLMULTI)
    2365     + dev_set_allmulti(port_dev, -1);
    2366     +
    2367     team_upper_dev_unlink(team, port);
    2368     netdev_rx_handler_unregister(port_dev);
    2369     team_port_disable_netpoll(port);
    2370     diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
    2371     index 7c9dfa54fee8..9678322aca60 100644
    2372     --- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
    2373     +++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
    2374     @@ -421,7 +421,6 @@ void mt76x02_send_tx_status(struct mt76x02_dev *dev,
    2375     return;
    2376    
    2377     rcu_read_lock();
    2378     - mt76_tx_status_lock(mdev, &list);
    2379    
    2380     if (stat->wcid < ARRAY_SIZE(dev->mt76.wcid))
    2381     wcid = rcu_dereference(dev->mt76.wcid[stat->wcid]);
    2382     @@ -434,6 +433,8 @@ void mt76x02_send_tx_status(struct mt76x02_dev *dev,
    2383     drv_priv);
    2384     }
    2385    
    2386     + mt76_tx_status_lock(mdev, &list);
    2387     +
    2388     if (wcid) {
    2389     if (stat->pktid)
    2390     status.skb = mt76_tx_status_skb_get(mdev, wcid,
    2391     @@ -453,7 +454,9 @@ void mt76x02_send_tx_status(struct mt76x02_dev *dev,
    2392     if (*update == 0 && stat_val == stat_cache &&
    2393     stat->wcid == msta->status.wcid && msta->n_frames < 32) {
    2394     msta->n_frames++;
    2395     - goto out;
    2396     + mt76_tx_status_unlock(mdev, &list);
    2397     + rcu_read_unlock();
    2398     + return;
    2399     }
    2400    
    2401     mt76x02_mac_fill_tx_status(dev, status.info, &msta->status,
    2402     @@ -469,11 +472,10 @@ void mt76x02_send_tx_status(struct mt76x02_dev *dev,
    2403    
    2404     if (status.skb)
    2405     mt76_tx_status_skb_done(mdev, status.skb, &list);
    2406     - else
    2407     - ieee80211_tx_status_ext(mt76_hw(dev), &status);
    2408     -
    2409     -out:
    2410     mt76_tx_status_unlock(mdev, &list);
    2411     +
    2412     + if (!status.skb)
    2413     + ieee80211_tx_status_ext(mt76_hw(dev), &status);
    2414     rcu_read_unlock();
    2415     }
    2416    
    2417     diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00.h b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
    2418     index 4b1744e9fb78..50b92ca92bd7 100644
    2419     --- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h
    2420     +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
    2421     @@ -673,7 +673,6 @@ enum rt2x00_state_flags {
    2422     CONFIG_CHANNEL_HT40,
    2423     CONFIG_POWERSAVING,
    2424     CONFIG_HT_DISABLED,
    2425     - CONFIG_QOS_DISABLED,
    2426     CONFIG_MONITORING,
    2427    
    2428     /*
    2429     diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
    2430     index 2825560e2424..e8462f25d252 100644
    2431     --- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
    2432     +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
    2433     @@ -642,18 +642,8 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
    2434     rt2x00dev->intf_associated--;
    2435    
    2436     rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated);
    2437     -
    2438     - clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
    2439     }
    2440    
    2441     - /*
    2442     - * Check for access point which do not support 802.11e . We have to
    2443     - * generate data frames sequence number in S/W for such AP, because
    2444     - * of H/W bug.
    2445     - */
    2446     - if (changes & BSS_CHANGED_QOS && !bss_conf->qos)
    2447     - set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
    2448     -
    2449     /*
    2450     * When the erp information has changed, we should perform
    2451     * additional configuration steps. For all other changes we are done.
    2452     diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
    2453     index 92ddc19e7bf7..4834b4eb0206 100644
    2454     --- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
    2455     +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
    2456     @@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
    2457     if (!rt2x00_has_cap_flag(rt2x00dev, REQUIRE_SW_SEQNO)) {
    2458     /*
    2459     * rt2800 has a H/W (or F/W) bug, device incorrectly increase
    2460     - * seqno on retransmited data (non-QOS) frames. To workaround
    2461     - * the problem let's generate seqno in software if QOS is
    2462     - * disabled.
    2463     + * seqno on retransmitted data (non-QOS) and management frames.
    2464     + * To workaround the problem let's generate seqno in software.
    2465     + * Except for beacons which are transmitted periodically by H/W
    2466     + * hence hardware has to assign seqno for them.
    2467     */
    2468     - if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags))
    2469     - __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
    2470     - else
    2471     + if (ieee80211_is_beacon(hdr->frame_control)) {
    2472     + __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
    2473     /* H/W will generate sequence number */
    2474     return;
    2475     + }
    2476     +
    2477     + __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
    2478     }
    2479    
    2480     /*
    2481     diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c
    2482     index dfba4921b265..5bf61431434b 100644
    2483     --- a/drivers/scsi/libfc/fc_rport.c
    2484     +++ b/drivers/scsi/libfc/fc_rport.c
    2485     @@ -2162,7 +2162,6 @@ static void fc_rport_recv_logo_req(struct fc_lport *lport, struct fc_frame *fp)
    2486     FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n",
    2487     fc_rport_state(rdata));
    2488    
    2489     - rdata->flags &= ~FC_RP_STARTED;
    2490     fc_rport_enter_delete(rdata, RPORT_EV_STOP);
    2491     mutex_unlock(&rdata->rp_mutex);
    2492     kref_put(&rdata->kref, fc_rport_destroy);
    2493     diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
    2494     index 655ad26106e4..5c78710b713f 100644
    2495     --- a/drivers/scsi/scsi_lib.c
    2496     +++ b/drivers/scsi/scsi_lib.c
    2497     @@ -1763,8 +1763,12 @@ out_put_budget:
    2498     ret = BLK_STS_DEV_RESOURCE;
    2499     break;
    2500     default:
    2501     + if (unlikely(!scsi_device_online(sdev)))
    2502     + scsi_req(req)->result = DID_NO_CONNECT << 16;
    2503     + else
    2504     + scsi_req(req)->result = DID_ERROR << 16;
    2505     /*
    2506     - * Make sure to release all allocated ressources when
    2507     + * Make sure to release all allocated resources when
    2508     * we hit an error, as we will never see this command
    2509     * again.
    2510     */
    2511     diff --git a/drivers/staging/comedi/drivers/ni_usb6501.c b/drivers/staging/comedi/drivers/ni_usb6501.c
    2512     index 808ed92ed66f..1bb1cb651349 100644
    2513     --- a/drivers/staging/comedi/drivers/ni_usb6501.c
    2514     +++ b/drivers/staging/comedi/drivers/ni_usb6501.c
    2515     @@ -463,10 +463,8 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev)
    2516    
    2517     size = usb_endpoint_maxp(devpriv->ep_tx);
    2518     devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
    2519     - if (!devpriv->usb_tx_buf) {
    2520     - kfree(devpriv->usb_rx_buf);
    2521     + if (!devpriv->usb_tx_buf)
    2522     return -ENOMEM;
    2523     - }
    2524    
    2525     return 0;
    2526     }
    2527     @@ -518,6 +516,9 @@ static int ni6501_auto_attach(struct comedi_device *dev,
    2528     if (!devpriv)
    2529     return -ENOMEM;
    2530    
    2531     + mutex_init(&devpriv->mut);
    2532     + usb_set_intfdata(intf, devpriv);
    2533     +
    2534     ret = ni6501_find_endpoints(dev);
    2535     if (ret)
    2536     return ret;
    2537     @@ -526,9 +527,6 @@ static int ni6501_auto_attach(struct comedi_device *dev,
    2538     if (ret)
    2539     return ret;
    2540    
    2541     - mutex_init(&devpriv->mut);
    2542     - usb_set_intfdata(intf, devpriv);
    2543     -
    2544     ret = comedi_alloc_subdevices(dev, 2);
    2545     if (ret)
    2546     return ret;
    2547     diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c
    2548     index 6234b649d887..65dc6c51037e 100644
    2549     --- a/drivers/staging/comedi/drivers/vmk80xx.c
    2550     +++ b/drivers/staging/comedi/drivers/vmk80xx.c
    2551     @@ -682,10 +682,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev)
    2552    
    2553     size = usb_endpoint_maxp(devpriv->ep_tx);
    2554     devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
    2555     - if (!devpriv->usb_tx_buf) {
    2556     - kfree(devpriv->usb_rx_buf);
    2557     + if (!devpriv->usb_tx_buf)
    2558     return -ENOMEM;
    2559     - }
    2560    
    2561     return 0;
    2562     }
    2563     @@ -800,6 +798,8 @@ static int vmk80xx_auto_attach(struct comedi_device *dev,
    2564    
    2565     devpriv->model = board->model;
    2566    
    2567     + sema_init(&devpriv->limit_sem, 8);
    2568     +
    2569     ret = vmk80xx_find_usb_endpoints(dev);
    2570     if (ret)
    2571     return ret;
    2572     @@ -808,8 +808,6 @@ static int vmk80xx_auto_attach(struct comedi_device *dev,
    2573     if (ret)
    2574     return ret;
    2575    
    2576     - sema_init(&devpriv->limit_sem, 8);
    2577     -
    2578     usb_set_intfdata(intf, devpriv);
    2579    
    2580     if (devpriv->model == VMK8055_MODEL)
    2581     diff --git a/drivers/staging/iio/adc/ad7192.c b/drivers/staging/iio/adc/ad7192.c
    2582     index acdbc07fd259..2fc8bc22b57b 100644
    2583     --- a/drivers/staging/iio/adc/ad7192.c
    2584     +++ b/drivers/staging/iio/adc/ad7192.c
    2585     @@ -109,10 +109,10 @@
    2586     #define AD7192_CH_AIN3 BIT(6) /* AIN3 - AINCOM */
    2587     #define AD7192_CH_AIN4 BIT(7) /* AIN4 - AINCOM */
    2588    
    2589     -#define AD7193_CH_AIN1P_AIN2M 0x000 /* AIN1(+) - AIN2(-) */
    2590     -#define AD7193_CH_AIN3P_AIN4M 0x001 /* AIN3(+) - AIN4(-) */
    2591     -#define AD7193_CH_AIN5P_AIN6M 0x002 /* AIN5(+) - AIN6(-) */
    2592     -#define AD7193_CH_AIN7P_AIN8M 0x004 /* AIN7(+) - AIN8(-) */
    2593     +#define AD7193_CH_AIN1P_AIN2M 0x001 /* AIN1(+) - AIN2(-) */
    2594     +#define AD7193_CH_AIN3P_AIN4M 0x002 /* AIN3(+) - AIN4(-) */
    2595     +#define AD7193_CH_AIN5P_AIN6M 0x004 /* AIN5(+) - AIN6(-) */
    2596     +#define AD7193_CH_AIN7P_AIN8M 0x008 /* AIN7(+) - AIN8(-) */
    2597     #define AD7193_CH_TEMP 0x100 /* Temp senseor */
    2598     #define AD7193_CH_AIN2P_AIN2M 0x200 /* AIN2(+) - AIN2(-) */
    2599     #define AD7193_CH_AIN1 0x401 /* AIN1 - AINCOM */
    2600     diff --git a/drivers/staging/iio/meter/ade7854.c b/drivers/staging/iio/meter/ade7854.c
    2601     index 029c3bf42d4d..07774c000c5a 100644
    2602     --- a/drivers/staging/iio/meter/ade7854.c
    2603     +++ b/drivers/staging/iio/meter/ade7854.c
    2604     @@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(0644,
    2605     static IIO_DEV_ATTR_IPEAK(0644,
    2606     ade7854_read_32bit,
    2607     ade7854_write_32bit,
    2608     - ADE7854_VPEAK);
    2609     + ADE7854_IPEAK);
    2610     static IIO_DEV_ATTR_APHCAL(0644,
    2611     ade7854_read_16bit,
    2612     ade7854_write_16bit,
    2613     diff --git a/drivers/staging/most/core.c b/drivers/staging/most/core.c
    2614     index 18936cdb1083..956daf8c3bd2 100644
    2615     --- a/drivers/staging/most/core.c
    2616     +++ b/drivers/staging/most/core.c
    2617     @@ -1431,7 +1431,7 @@ int most_register_interface(struct most_interface *iface)
    2618    
    2619     INIT_LIST_HEAD(&iface->p->channel_list);
    2620     iface->p->dev_id = id;
    2621     - snprintf(iface->p->name, STRING_SIZE, "mdev%d", id);
    2622     + strcpy(iface->p->name, iface->description);
    2623     iface->dev.init_name = iface->p->name;
    2624     iface->dev.bus = &mc.bus;
    2625     iface->dev.parent = &mc.dev;
    2626     diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
    2627     index 93bd90f1ff14..e9a8b79ba77e 100644
    2628     --- a/drivers/tty/serial/sh-sci.c
    2629     +++ b/drivers/tty/serial/sh-sci.c
    2630     @@ -2497,14 +2497,16 @@ done:
    2631     * center of the last stop bit in sampling clocks.
    2632     */
    2633     int last_stop = bits * 2 - 1;
    2634     - int deviation = min_err * srr * last_stop / 2 / baud;
    2635     + int deviation = DIV_ROUND_CLOSEST(min_err * last_stop *
    2636     + (int)(srr + 1),
    2637     + 2 * (int)baud);
    2638    
    2639     if (abs(deviation) >= 2) {
    2640     /* At least two sampling clocks off at the
    2641     * last stop bit; we can increase the error
    2642     * margin by shifting the sampling point.
    2643     */
    2644     - int shift = min(-8, max(7, deviation / 2));
    2645     + int shift = clamp(deviation / 2, -8, 7);
    2646    
    2647     hssrr |= (shift << HSCIF_SRHP_SHIFT) &
    2648     HSCIF_SRHP_MASK;
    2649     diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
    2650     index 9646ff63e77a..b6621a2e916d 100644
    2651     --- a/drivers/tty/vt/vt.c
    2652     +++ b/drivers/tty/vt/vt.c
    2653     @@ -1518,7 +1518,8 @@ static void csi_J(struct vc_data *vc, int vpar)
    2654     return;
    2655     }
    2656     scr_memsetw(start, vc->vc_video_erase_char, 2 * count);
    2657     - update_region(vc, (unsigned long) start, count);
    2658     + if (con_should_update(vc))
    2659     + do_update_region(vc, (unsigned long) start, count);
    2660     vc->vc_need_wrap = 0;
    2661     }
    2662    
    2663     diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
    2664     index a2e5dc7716e2..674cfc5a4084 100644
    2665     --- a/drivers/vhost/vhost.c
    2666     +++ b/drivers/vhost/vhost.c
    2667     @@ -911,8 +911,12 @@ static int vhost_new_umem_range(struct vhost_umem *umem,
    2668     u64 start, u64 size, u64 end,
    2669     u64 userspace_addr, int perm)
    2670     {
    2671     - struct vhost_umem_node *tmp, *node = kmalloc(sizeof(*node), GFP_ATOMIC);
    2672     + struct vhost_umem_node *tmp, *node;
    2673    
    2674     + if (!size)
    2675     + return -EFAULT;
    2676     +
    2677     + node = kmalloc(sizeof(*node), GFP_ATOMIC);
    2678     if (!node)
    2679     return -ENOMEM;
    2680    
    2681     diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
    2682     index 6c934ab3722b..10ead04346ee 100644
    2683     --- a/fs/cifs/cifsglob.h
    2684     +++ b/fs/cifs/cifsglob.h
    2685     @@ -1303,6 +1303,7 @@ cifsFileInfo_get_locked(struct cifsFileInfo *cifs_file)
    2686     }
    2687    
    2688     struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file);
    2689     +void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr);
    2690     void cifsFileInfo_put(struct cifsFileInfo *cifs_file);
    2691    
    2692     #define CIFS_CACHE_READ_FLG 1
    2693     @@ -1824,6 +1825,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock;
    2694     #endif /* CONFIG_CIFS_ACL */
    2695    
    2696     void cifs_oplock_break(struct work_struct *work);
    2697     +void cifs_queue_oplock_break(struct cifsFileInfo *cfile);
    2698    
    2699     extern const struct slow_work_ops cifs_oplock_break_ops;
    2700     extern struct workqueue_struct *cifsiod_wq;
    2701     diff --git a/fs/cifs/file.c b/fs/cifs/file.c
    2702     index 8d107587208f..7c05353b766c 100644
    2703     --- a/fs/cifs/file.c
    2704     +++ b/fs/cifs/file.c
    2705     @@ -360,12 +360,30 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file)
    2706     return cifs_file;
    2707     }
    2708    
    2709     -/*
    2710     - * Release a reference on the file private data. This may involve closing
    2711     - * the filehandle out on the server. Must be called without holding
    2712     - * tcon->open_file_lock and cifs_file->file_info_lock.
    2713     +/**
    2714     + * cifsFileInfo_put - release a reference of file priv data
    2715     + *
    2716     + * Always potentially wait for oplock handler. See _cifsFileInfo_put().
    2717     */
    2718     void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
    2719     +{
    2720     + _cifsFileInfo_put(cifs_file, true);
    2721     +}
    2722     +
    2723     +/**
    2724     + * _cifsFileInfo_put - release a reference of file priv data
    2725     + *
    2726     + * This may involve closing the filehandle @cifs_file out on the
    2727     + * server. Must be called without holding tcon->open_file_lock and
    2728     + * cifs_file->file_info_lock.
    2729     + *
    2730     + * If @wait_for_oplock_handler is true and we are releasing the last
    2731     + * reference, wait for any running oplock break handler of the file
    2732     + * and cancel any pending one. If calling this function from the
    2733     + * oplock break handler, you need to pass false.
    2734     + *
    2735     + */
    2736     +void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler)
    2737     {
    2738     struct inode *inode = d_inode(cifs_file->dentry);
    2739     struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink);
    2740     @@ -414,7 +432,8 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file)
    2741    
    2742     spin_unlock(&tcon->open_file_lock);
    2743    
    2744     - oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break);
    2745     + oplock_break_cancelled = wait_oplock_handler ?
    2746     + cancel_work_sync(&cifs_file->oplock_break) : false;
    2747    
    2748     if (!tcon->need_reconnect && !cifs_file->invalidHandle) {
    2749     struct TCP_Server_Info *server = tcon->ses->server;
    2750     @@ -4480,6 +4499,7 @@ void cifs_oplock_break(struct work_struct *work)
    2751     cinode);
    2752     cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
    2753     }
    2754     + _cifsFileInfo_put(cfile, false /* do not wait for ourself */);
    2755     cifs_done_oplock_break(cinode);
    2756     }
    2757    
    2758     diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
    2759     index bee203055b30..1e1626a2cfc3 100644
    2760     --- a/fs/cifs/misc.c
    2761     +++ b/fs/cifs/misc.c
    2762     @@ -501,8 +501,7 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv)
    2763     CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
    2764     &pCifsInode->flags);
    2765    
    2766     - queue_work(cifsoplockd_wq,
    2767     - &netfile->oplock_break);
    2768     + cifs_queue_oplock_break(netfile);
    2769     netfile->oplock_break_cancelled = false;
    2770    
    2771     spin_unlock(&tcon->open_file_lock);
    2772     @@ -607,6 +606,28 @@ void cifs_put_writer(struct cifsInodeInfo *cinode)
    2773     spin_unlock(&cinode->writers_lock);
    2774     }
    2775    
    2776     +/**
    2777     + * cifs_queue_oplock_break - queue the oplock break handler for cfile
    2778     + *
    2779     + * This function is called from the demultiplex thread when it
    2780     + * receives an oplock break for @cfile.
    2781     + *
    2782     + * Assumes the tcon->open_file_lock is held.
    2783     + * Assumes cfile->file_info_lock is NOT held.
    2784     + */
    2785     +void cifs_queue_oplock_break(struct cifsFileInfo *cfile)
    2786     +{
    2787     + /*
    2788     + * Bump the handle refcount now while we hold the
    2789     + * open_file_lock to enforce the validity of it for the oplock
    2790     + * break handler. The matching put is done at the end of the
    2791     + * handler.
    2792     + */
    2793     + cifsFileInfo_get(cfile);
    2794     +
    2795     + queue_work(cifsoplockd_wq, &cfile->oplock_break);
    2796     +}
    2797     +
    2798     void cifs_done_oplock_break(struct cifsInodeInfo *cinode)
    2799     {
    2800     clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
    2801     diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
    2802     index 58700d2ba8cd..0a7ed2e3ad4f 100644
    2803     --- a/fs/cifs/smb2misc.c
    2804     +++ b/fs/cifs/smb2misc.c
    2805     @@ -555,7 +555,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
    2806     clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
    2807     &cinode->flags);
    2808    
    2809     - queue_work(cifsoplockd_wq, &cfile->oplock_break);
    2810     + cifs_queue_oplock_break(cfile);
    2811     kfree(lw);
    2812     return true;
    2813     }
    2814     @@ -719,8 +719,8 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
    2815     CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
    2816     &cinode->flags);
    2817     spin_unlock(&cfile->file_info_lock);
    2818     - queue_work(cifsoplockd_wq,
    2819     - &cfile->oplock_break);
    2820     +
    2821     + cifs_queue_oplock_break(cfile);
    2822    
    2823     spin_unlock(&tcon->open_file_lock);
    2824     spin_unlock(&cifs_tcp_ses_lock);
    2825     diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
    2826     index ea56b1cdbdde..d5434ac0571b 100644
    2827     --- a/fs/cifs/smb2ops.c
    2828     +++ b/fs/cifs/smb2ops.c
    2829     @@ -2210,6 +2210,8 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
    2830    
    2831     rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_iov,
    2832     &resp_buftype);
    2833     + if (!rc)
    2834     + SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid);
    2835     if (!rc || !err_iov.iov_base) {
    2836     rc = -ENOENT;
    2837     goto free_path;
    2838     diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
    2839     index 068febe37fe4..938e75cc3b66 100644
    2840     --- a/fs/cifs/smb2pdu.c
    2841     +++ b/fs/cifs/smb2pdu.c
    2842     @@ -815,8 +815,11 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses)
    2843     } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
    2844     /* ops set to 3.0 by default for default so update */
    2845     ses->server->ops = &smb21_operations;
    2846     - } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID))
    2847     + ses->server->vals = &smb21_values;
    2848     + } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
    2849     ses->server->ops = &smb311_operations;
    2850     + ses->server->vals = &smb311_values;
    2851     + }
    2852     } else if (le16_to_cpu(rsp->DialectRevision) !=
    2853     ses->server->vals->protocol_id) {
    2854     /* if requested single dialect ensure returned dialect matched */
    2855     @@ -3387,8 +3390,6 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
    2856     rqst.rq_nvec = 1;
    2857    
    2858     rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, &rsp_iov);
    2859     - cifs_small_buf_release(req);
    2860     -
    2861     rsp = (struct smb2_read_rsp *)rsp_iov.iov_base;
    2862    
    2863     if (rc) {
    2864     @@ -3407,6 +3408,8 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
    2865     io_parms->tcon->tid, ses->Suid,
    2866     io_parms->offset, io_parms->length);
    2867    
    2868     + cifs_small_buf_release(req);
    2869     +
    2870     *nbytes = le32_to_cpu(rsp->DataLength);
    2871     if ((*nbytes > CIFS_MAX_MSGSIZE) ||
    2872     (*nbytes > io_parms->length)) {
    2873     @@ -3705,7 +3708,6 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms,
    2874    
    2875     rc = cifs_send_recv(xid, io_parms->tcon->ses, &rqst,
    2876     &resp_buftype, flags, &rsp_iov);
    2877     - cifs_small_buf_release(req);
    2878     rsp = (struct smb2_write_rsp *)rsp_iov.iov_base;
    2879    
    2880     if (rc) {
    2881     @@ -3723,6 +3725,7 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms,
    2882     io_parms->offset, *nbytes);
    2883     }
    2884    
    2885     + cifs_small_buf_release(req);
    2886     free_rsp_buf(resp_buftype, rsp);
    2887     return rc;
    2888     }
    2889     diff --git a/fs/dax.c b/fs/dax.c
    2890     index 05cca2214ae3..827ee143413e 100644
    2891     --- a/fs/dax.c
    2892     +++ b/fs/dax.c
    2893     @@ -33,6 +33,7 @@
    2894     #include <linux/sizes.h>
    2895     #include <linux/mmu_notifier.h>
    2896     #include <linux/iomap.h>
    2897     +#include <asm/pgalloc.h>
    2898     #include "internal.h"
    2899    
    2900     #define CREATE_TRACE_POINTS
    2901     @@ -1409,7 +1410,9 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf,
    2902     {
    2903     struct address_space *mapping = vmf->vma->vm_file->f_mapping;
    2904     unsigned long pmd_addr = vmf->address & PMD_MASK;
    2905     + struct vm_area_struct *vma = vmf->vma;
    2906     struct inode *inode = mapping->host;
    2907     + pgtable_t pgtable = NULL;
    2908     struct page *zero_page;
    2909     spinlock_t *ptl;
    2910     pmd_t pmd_entry;
    2911     @@ -1424,12 +1427,22 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf,
    2912     *entry = dax_insert_entry(xas, mapping, vmf, *entry, pfn,
    2913     DAX_PMD | DAX_ZERO_PAGE, false);
    2914    
    2915     + if (arch_needs_pgtable_deposit()) {
    2916     + pgtable = pte_alloc_one(vma->vm_mm);
    2917     + if (!pgtable)
    2918     + return VM_FAULT_OOM;
    2919     + }
    2920     +
    2921     ptl = pmd_lock(vmf->vma->vm_mm, vmf->pmd);
    2922     if (!pmd_none(*(vmf->pmd))) {
    2923     spin_unlock(ptl);
    2924     goto fallback;
    2925     }
    2926    
    2927     + if (pgtable) {
    2928     + pgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable);
    2929     + mm_inc_nr_ptes(vma->vm_mm);
    2930     + }
    2931     pmd_entry = mk_pmd(zero_page, vmf->vma->vm_page_prot);
    2932     pmd_entry = pmd_mkhuge(pmd_entry);
    2933     set_pmd_at(vmf->vma->vm_mm, pmd_addr, vmf->pmd, pmd_entry);
    2934     @@ -1438,6 +1451,8 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf,
    2935     return VM_FAULT_NOPAGE;
    2936    
    2937     fallback:
    2938     + if (pgtable)
    2939     + pte_free(vma->vm_mm, pgtable);
    2940     trace_dax_pmd_load_hole_fallback(inode, vmf, zero_page, *entry);
    2941     return VM_FAULT_FALLBACK;
    2942     }
    2943     diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
    2944     index 85b0ef890b28..91bd2ff0c62c 100644
    2945     --- a/fs/proc/task_mmu.c
    2946     +++ b/fs/proc/task_mmu.c
    2947     @@ -1141,6 +1141,24 @@ static ssize_t clear_refs_write(struct file *file, const char __user *buf,
    2948     count = -EINTR;
    2949     goto out_mm;
    2950     }
    2951     + /*
    2952     + * Avoid to modify vma->vm_flags
    2953     + * without locked ops while the
    2954     + * coredump reads the vm_flags.
    2955     + */
    2956     + if (!mmget_still_valid(mm)) {
    2957     + /*
    2958     + * Silently return "count"
    2959     + * like if get_task_mm()
    2960     + * failed. FIXME: should this
    2961     + * function have returned
    2962     + * -ESRCH if get_task_mm()
    2963     + * failed like if
    2964     + * get_proc_task() fails?
    2965     + */
    2966     + up_write(&mm->mmap_sem);
    2967     + goto out_mm;
    2968     + }
    2969     for (vma = mm->mmap; vma; vma = vma->vm_next) {
    2970     vma->vm_flags &= ~VM_SOFTDIRTY;
    2971     vma_set_page_prot(vma);
    2972     diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
    2973     index 89800fc7dc9d..f5de1e726356 100644
    2974     --- a/fs/userfaultfd.c
    2975     +++ b/fs/userfaultfd.c
    2976     @@ -629,6 +629,8 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
    2977    
    2978     /* the various vma->vm_userfaultfd_ctx still points to it */
    2979     down_write(&mm->mmap_sem);
    2980     + /* no task can run (and in turn coredump) yet */
    2981     + VM_WARN_ON(!mmget_still_valid(mm));
    2982     for (vma = mm->mmap; vma; vma = vma->vm_next)
    2983     if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
    2984     vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
    2985     @@ -883,6 +885,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
    2986     * taking the mmap_sem for writing.
    2987     */
    2988     down_write(&mm->mmap_sem);
    2989     + if (!mmget_still_valid(mm))
    2990     + goto skip_mm;
    2991     prev = NULL;
    2992     for (vma = mm->mmap; vma; vma = vma->vm_next) {
    2993     cond_resched();
    2994     @@ -905,6 +909,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
    2995     vma->vm_flags = new_flags;
    2996     vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
    2997     }
    2998     +skip_mm:
    2999     up_write(&mm->mmap_sem);
    3000     mmput(mm);
    3001     wakeup:
    3002     @@ -1333,6 +1338,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
    3003     goto out;
    3004    
    3005     down_write(&mm->mmap_sem);
    3006     + if (!mmget_still_valid(mm))
    3007     + goto out_unlock;
    3008     vma = find_vma_prev(mm, start, &prev);
    3009     if (!vma)
    3010     goto out_unlock;
    3011     @@ -1520,6 +1527,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
    3012     goto out;
    3013    
    3014     down_write(&mm->mmap_sem);
    3015     + if (!mmget_still_valid(mm))
    3016     + goto out_unlock;
    3017     vma = find_vma_prev(mm, start, &prev);
    3018     if (!vma)
    3019     goto out_unlock;
    3020     diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h
    3021     index e07e91daaacc..72ff78c33033 100644
    3022     --- a/include/linux/kprobes.h
    3023     +++ b/include/linux/kprobes.h
    3024     @@ -173,6 +173,7 @@ struct kretprobe_instance {
    3025     struct kretprobe *rp;
    3026     kprobe_opcode_t *ret_addr;
    3027     struct task_struct *task;
    3028     + void *fp;
    3029     char data[0];
    3030     };
    3031    
    3032     diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
    3033     index 848b54b7ec91..7df56decae37 100644
    3034     --- a/include/linux/netdevice.h
    3035     +++ b/include/linux/netdevice.h
    3036     @@ -1484,6 +1484,7 @@ struct net_device_ops {
    3037     * @IFF_FAILOVER: device is a failover master device
    3038     * @IFF_FAILOVER_SLAVE: device is lower dev of a failover master device
    3039     * @IFF_L3MDEV_RX_HANDLER: only invoke the rx handler of L3 master device
    3040     + * @IFF_LIVE_RENAME_OK: rename is allowed while device is up and running
    3041     */
    3042     enum netdev_priv_flags {
    3043     IFF_802_1Q_VLAN = 1<<0,
    3044     @@ -1516,6 +1517,7 @@ enum netdev_priv_flags {
    3045     IFF_FAILOVER = 1<<27,
    3046     IFF_FAILOVER_SLAVE = 1<<28,
    3047     IFF_L3MDEV_RX_HANDLER = 1<<29,
    3048     + IFF_LIVE_RENAME_OK = 1<<30,
    3049     };
    3050    
    3051     #define IFF_802_1Q_VLAN IFF_802_1Q_VLAN
    3052     @@ -1547,6 +1549,7 @@ enum netdev_priv_flags {
    3053     #define IFF_FAILOVER IFF_FAILOVER
    3054     #define IFF_FAILOVER_SLAVE IFF_FAILOVER_SLAVE
    3055     #define IFF_L3MDEV_RX_HANDLER IFF_L3MDEV_RX_HANDLER
    3056     +#define IFF_LIVE_RENAME_OK IFF_LIVE_RENAME_OK
    3057    
    3058     /**
    3059     * struct net_device - The DEVICE structure.
    3060     diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
    3061     index 3bfa6a0cbba4..c1dbb737a36c 100644
    3062     --- a/include/linux/sched/mm.h
    3063     +++ b/include/linux/sched/mm.h
    3064     @@ -49,6 +49,27 @@ static inline void mmdrop(struct mm_struct *mm)
    3065     __mmdrop(mm);
    3066     }
    3067    
    3068     +/*
    3069     + * This has to be called after a get_task_mm()/mmget_not_zero()
    3070     + * followed by taking the mmap_sem for writing before modifying the
    3071     + * vmas or anything the coredump pretends not to change from under it.
    3072     + *
    3073     + * NOTE: find_extend_vma() called from GUP context is the only place
    3074     + * that can modify the "mm" (notably the vm_start/end) under mmap_sem
    3075     + * for reading and outside the context of the process, so it is also
    3076     + * the only case that holds the mmap_sem for reading that must call
    3077     + * this function. Generally if the mmap_sem is hold for reading
    3078     + * there's no need of this check after get_task_mm()/mmget_not_zero().
    3079     + *
    3080     + * This function can be obsoleted and the check can be removed, after
    3081     + * the coredump code will hold the mmap_sem for writing before
    3082     + * invoking the ->core_dump methods.
    3083     + */
    3084     +static inline bool mmget_still_valid(struct mm_struct *mm)
    3085     +{
    3086     + return likely(!mm->core_state);
    3087     +}
    3088     +
    3089     /**
    3090     * mmget() - Pin the address space associated with a &struct mm_struct.
    3091     * @mm: The address space to pin.
    3092     diff --git a/include/net/nfc/nci_core.h b/include/net/nfc/nci_core.h
    3093     index 87499b6b35d6..df5c69db68af 100644
    3094     --- a/include/net/nfc/nci_core.h
    3095     +++ b/include/net/nfc/nci_core.h
    3096     @@ -166,7 +166,7 @@ struct nci_conn_info {
    3097     * According to specification 102 622 chapter 4.4 Pipes,
    3098     * the pipe identifier is 7 bits long.
    3099     */
    3100     -#define NCI_HCI_MAX_PIPES 127
    3101     +#define NCI_HCI_MAX_PIPES 128
    3102    
    3103     struct nci_hci_gate {
    3104     u8 gate;
    3105     diff --git a/include/net/tls.h b/include/net/tls.h
    3106     index 1486b60c4de8..8b3d10917d99 100644
    3107     --- a/include/net/tls.h
    3108     +++ b/include/net/tls.h
    3109     @@ -289,6 +289,7 @@ int tls_device_sendmsg(struct sock *sk, struct msghdr *msg, size_t size);
    3110     int tls_device_sendpage(struct sock *sk, struct page *page,
    3111     int offset, size_t size, int flags);
    3112     void tls_device_sk_destruct(struct sock *sk);
    3113     +void tls_device_free_resources_tx(struct sock *sk);
    3114     void tls_device_init(void);
    3115     void tls_device_cleanup(void);
    3116     int tls_tx_records(struct sock *sk, int flags);
    3117     @@ -312,6 +313,7 @@ int tls_push_sg(struct sock *sk, struct tls_context *ctx,
    3118     int flags);
    3119     int tls_push_partial_record(struct sock *sk, struct tls_context *ctx,
    3120     int flags);
    3121     +bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx);
    3122    
    3123     int tls_push_pending_closed_record(struct sock *sk, struct tls_context *ctx,
    3124     int flags, long *timeo);
    3125     @@ -364,7 +366,7 @@ tls_validate_xmit_skb(struct sock *sk, struct net_device *dev,
    3126     static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk)
    3127     {
    3128     #ifdef CONFIG_SOCK_VALIDATE_XMIT
    3129     - return sk_fullsock(sk) &
    3130     + return sk_fullsock(sk) &&
    3131     (smp_load_acquire(&sk->sk_validate_xmit_skb) ==
    3132     &tls_validate_xmit_skb);
    3133     #else
    3134     diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
    3135     index 878c62ec0190..dbd7656b4f73 100644
    3136     --- a/kernel/events/ring_buffer.c
    3137     +++ b/kernel/events/ring_buffer.c
    3138     @@ -456,24 +456,21 @@ void perf_aux_output_end(struct perf_output_handle *handle, unsigned long size)
    3139     rb->aux_head += size;
    3140     }
    3141    
    3142     - if (size || handle->aux_flags) {
    3143     - /*
    3144     - * Only send RECORD_AUX if we have something useful to communicate
    3145     - *
    3146     - * Note: the OVERWRITE records by themselves are not considered
    3147     - * useful, as they don't communicate any *new* information,
    3148     - * aside from the short-lived offset, that becomes history at
    3149     - * the next event sched-in and therefore isn't useful.
    3150     - * The userspace that needs to copy out AUX data in overwrite
    3151     - * mode should know to use user_page::aux_head for the actual
    3152     - * offset. So, from now on we don't output AUX records that
    3153     - * have *only* OVERWRITE flag set.
    3154     - */
    3155     -
    3156     - if (handle->aux_flags & ~(u64)PERF_AUX_FLAG_OVERWRITE)
    3157     - perf_event_aux_event(handle->event, aux_head, size,
    3158     - handle->aux_flags);
    3159     - }
    3160     + /*
    3161     + * Only send RECORD_AUX if we have something useful to communicate
    3162     + *
    3163     + * Note: the OVERWRITE records by themselves are not considered
    3164     + * useful, as they don't communicate any *new* information,
    3165     + * aside from the short-lived offset, that becomes history at
    3166     + * the next event sched-in and therefore isn't useful.
    3167     + * The userspace that needs to copy out AUX data in overwrite
    3168     + * mode should know to use user_page::aux_head for the actual
    3169     + * offset. So, from now on we don't output AUX records that
    3170     + * have *only* OVERWRITE flag set.
    3171     + */
    3172     + if (size || (handle->aux_flags & ~(u64)PERF_AUX_FLAG_OVERWRITE))
    3173     + perf_event_aux_event(handle->event, aux_head, size,
    3174     + handle->aux_flags);
    3175    
    3176     rb->user_page->aux_head = rb->aux_head;
    3177     if (rb_need_aux_wakeup(rb))
    3178     diff --git a/kernel/kprobes.c b/kernel/kprobes.c
    3179     index f4ddfdd2d07e..de78d1b998f8 100644
    3180     --- a/kernel/kprobes.c
    3181     +++ b/kernel/kprobes.c
    3182     @@ -709,7 +709,6 @@ static void unoptimize_kprobe(struct kprobe *p, bool force)
    3183     static int reuse_unused_kprobe(struct kprobe *ap)
    3184     {
    3185     struct optimized_kprobe *op;
    3186     - int ret;
    3187    
    3188     /*
    3189     * Unused kprobe MUST be on the way of delayed unoptimizing (means
    3190     @@ -720,9 +719,8 @@ static int reuse_unused_kprobe(struct kprobe *ap)
    3191     /* Enable the probe again */
    3192     ap->flags &= ~KPROBE_FLAG_DISABLED;
    3193     /* Optimize it again (remove from op->list) */
    3194     - ret = kprobe_optready(ap);
    3195     - if (ret)
    3196     - return ret;
    3197     + if (!kprobe_optready(ap))
    3198     + return -EINVAL;
    3199    
    3200     optimize_kprobe(ap);
    3201     return 0;
    3202     diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
    3203     index 5e61a1a99e38..eeb605656d59 100644
    3204     --- a/kernel/sched/fair.c
    3205     +++ b/kernel/sched/fair.c
    3206     @@ -4859,12 +4859,15 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer)
    3207     return HRTIMER_NORESTART;
    3208     }
    3209    
    3210     +extern const u64 max_cfs_quota_period;
    3211     +
    3212     static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
    3213     {
    3214     struct cfs_bandwidth *cfs_b =
    3215     container_of(timer, struct cfs_bandwidth, period_timer);
    3216     int overrun;
    3217     int idle = 0;
    3218     + int count = 0;
    3219    
    3220     raw_spin_lock(&cfs_b->lock);
    3221     for (;;) {
    3222     @@ -4872,6 +4875,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer)
    3223     if (!overrun)
    3224     break;
    3225    
    3226     + if (++count > 3) {
    3227     + u64 new, old = ktime_to_ns(cfs_b->period);
    3228     +
    3229     + new = (old * 147) / 128; /* ~115% */
    3230     + new = min(new, max_cfs_quota_period);
    3231     +
    3232     + cfs_b->period = ns_to_ktime(new);
    3233     +
    3234     + /* since max is 1s, this is limited to 1e9^2, which fits in u64 */
    3235     + cfs_b->quota *= new;
    3236     + cfs_b->quota = div64_u64(cfs_b->quota, old);
    3237     +
    3238     + pr_warn_ratelimited(
    3239     + "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n",
    3240     + smp_processor_id(),
    3241     + div_u64(new, NSEC_PER_USEC),
    3242     + div_u64(cfs_b->quota, NSEC_PER_USEC));
    3243     +
    3244     + /* reset count so we don't come right back in here */
    3245     + count = 0;
    3246     + }
    3247     +
    3248     idle = do_sched_cfs_period_timer(cfs_b, overrun);
    3249     }
    3250     if (idle)
    3251     diff --git a/kernel/sysctl.c b/kernel/sysctl.c
    3252     index 28ec71d914c7..f50f1471c119 100644
    3253     --- a/kernel/sysctl.c
    3254     +++ b/kernel/sysctl.c
    3255     @@ -126,6 +126,7 @@ static int zero;
    3256     static int __maybe_unused one = 1;
    3257     static int __maybe_unused two = 2;
    3258     static int __maybe_unused four = 4;
    3259     +static unsigned long zero_ul;
    3260     static unsigned long one_ul = 1;
    3261     static unsigned long long_max = LONG_MAX;
    3262     static int one_hundred = 100;
    3263     @@ -1723,7 +1724,7 @@ static struct ctl_table fs_table[] = {
    3264     .maxlen = sizeof(files_stat.max_files),
    3265     .mode = 0644,
    3266     .proc_handler = proc_doulongvec_minmax,
    3267     - .extra1 = &zero,
    3268     + .extra1 = &zero_ul,
    3269     .extra2 = &long_max,
    3270     },
    3271     {
    3272     diff --git a/kernel/time/sched_clock.c b/kernel/time/sched_clock.c
    3273     index 094b82ca95e5..930113b9799a 100644
    3274     --- a/kernel/time/sched_clock.c
    3275     +++ b/kernel/time/sched_clock.c
    3276     @@ -272,7 +272,7 @@ static u64 notrace suspended_sched_clock_read(void)
    3277     return cd.read_data[seq & 1].epoch_cyc;
    3278     }
    3279    
    3280     -static int sched_clock_suspend(void)
    3281     +int sched_clock_suspend(void)
    3282     {
    3283     struct clock_read_data *rd = &cd.read_data[0];
    3284    
    3285     @@ -283,7 +283,7 @@ static int sched_clock_suspend(void)
    3286     return 0;
    3287     }
    3288    
    3289     -static void sched_clock_resume(void)
    3290     +void sched_clock_resume(void)
    3291     {
    3292     struct clock_read_data *rd = &cd.read_data[0];
    3293    
    3294     diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
    3295     index 529143b4c8d2..df401463a191 100644
    3296     --- a/kernel/time/tick-common.c
    3297     +++ b/kernel/time/tick-common.c
    3298     @@ -487,6 +487,7 @@ void tick_freeze(void)
    3299     trace_suspend_resume(TPS("timekeeping_freeze"),
    3300     smp_processor_id(), true);
    3301     system_state = SYSTEM_SUSPEND;
    3302     + sched_clock_suspend();
    3303     timekeeping_suspend();
    3304     } else {
    3305     tick_suspend_local();
    3306     @@ -510,6 +511,7 @@ void tick_unfreeze(void)
    3307    
    3308     if (tick_freeze_depth == num_online_cpus()) {
    3309     timekeeping_resume();
    3310     + sched_clock_resume();
    3311     system_state = SYSTEM_RUNNING;
    3312     trace_suspend_resume(TPS("timekeeping_freeze"),
    3313     smp_processor_id(), false);
    3314     diff --git a/kernel/time/timekeeping.h b/kernel/time/timekeeping.h
    3315     index 7a9b4eb7a1d5..141ab3ab0354 100644
    3316     --- a/kernel/time/timekeeping.h
    3317     +++ b/kernel/time/timekeeping.h
    3318     @@ -14,6 +14,13 @@ extern u64 timekeeping_max_deferment(void);
    3319     extern void timekeeping_warp_clock(void);
    3320     extern int timekeeping_suspend(void);
    3321     extern void timekeeping_resume(void);
    3322     +#ifdef CONFIG_GENERIC_SCHED_CLOCK
    3323     +extern int sched_clock_suspend(void);
    3324     +extern void sched_clock_resume(void);
    3325     +#else
    3326     +static inline int sched_clock_suspend(void) { return 0; }
    3327     +static inline void sched_clock_resume(void) { }
    3328     +#endif
    3329    
    3330     extern void do_timer(unsigned long ticks);
    3331     extern void update_wall_time(void);
    3332     diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
    3333     index aac7847c0214..f546ae5102e0 100644
    3334     --- a/kernel/trace/ftrace.c
    3335     +++ b/kernel/trace/ftrace.c
    3336     @@ -33,6 +33,7 @@
    3337     #include <linux/list.h>
    3338     #include <linux/hash.h>
    3339     #include <linux/rcupdate.h>
    3340     +#include <linux/kprobes.h>
    3341    
    3342     #include <trace/events/sched.h>
    3343    
    3344     @@ -6216,7 +6217,7 @@ void ftrace_reset_array_ops(struct trace_array *tr)
    3345     tr->ops->func = ftrace_stub;
    3346     }
    3347    
    3348     -static inline void
    3349     +static nokprobe_inline void
    3350     __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
    3351     struct ftrace_ops *ignored, struct pt_regs *regs)
    3352     {
    3353     @@ -6276,11 +6277,13 @@ static void ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip,
    3354     {
    3355     __ftrace_ops_list_func(ip, parent_ip, NULL, regs);
    3356     }
    3357     +NOKPROBE_SYMBOL(ftrace_ops_list_func);
    3358     #else
    3359     static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip)
    3360     {
    3361     __ftrace_ops_list_func(ip, parent_ip, NULL, NULL);
    3362     }
    3363     +NOKPROBE_SYMBOL(ftrace_ops_no_ops);
    3364     #endif
    3365    
    3366     /*
    3367     @@ -6307,6 +6310,7 @@ static void ftrace_ops_assist_func(unsigned long ip, unsigned long parent_ip,
    3368     preempt_enable_notrace();
    3369     trace_clear_recursion(bit);
    3370     }
    3371     +NOKPROBE_SYMBOL(ftrace_ops_assist_func);
    3372    
    3373     /**
    3374     * ftrace_ops_get_func - get the function a trampoline should call
    3375     diff --git a/mm/mmap.c b/mm/mmap.c
    3376     index fc1809b1bed6..da9236a5022e 100644
    3377     --- a/mm/mmap.c
    3378     +++ b/mm/mmap.c
    3379     @@ -45,6 +45,7 @@
    3380     #include <linux/moduleparam.h>
    3381     #include <linux/pkeys.h>
    3382     #include <linux/oom.h>
    3383     +#include <linux/sched/mm.h>
    3384    
    3385     #include <linux/uaccess.h>
    3386     #include <asm/cacheflush.h>
    3387     @@ -2526,7 +2527,8 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
    3388     vma = find_vma_prev(mm, addr, &prev);
    3389     if (vma && (vma->vm_start <= addr))
    3390     return vma;
    3391     - if (!prev || expand_stack(prev, addr))
    3392     + /* don't alter vm_end if the coredump is running */
    3393     + if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr))
    3394     return NULL;
    3395     if (prev->vm_flags & VM_LOCKED)
    3396     populate_vma_page_range(prev, addr, prev->vm_end, NULL);
    3397     @@ -2552,6 +2554,9 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
    3398     return vma;
    3399     if (!(vma->vm_flags & VM_GROWSDOWN))
    3400     return NULL;
    3401     + /* don't alter vm_start if the coredump is running */
    3402     + if (!mmget_still_valid(mm))
    3403     + return NULL;
    3404     start = vma->vm_start;
    3405     if (expand_stack(vma, addr))
    3406     return NULL;
    3407     diff --git a/mm/percpu.c b/mm/percpu.c
    3408     index db86282fd024..59bd6a51954c 100644
    3409     --- a/mm/percpu.c
    3410     +++ b/mm/percpu.c
    3411     @@ -2531,8 +2531,8 @@ int __init pcpu_embed_first_chunk(size_t reserved_size, size_t dyn_size,
    3412     ai->groups[group].base_offset = areas[group] - base;
    3413     }
    3414    
    3415     - pr_info("Embedded %zu pages/cpu @%p s%zu r%zu d%zu u%zu\n",
    3416     - PFN_DOWN(size_sum), base, ai->static_size, ai->reserved_size,
    3417     + pr_info("Embedded %zu pages/cpu s%zu r%zu d%zu u%zu\n",
    3418     + PFN_DOWN(size_sum), ai->static_size, ai->reserved_size,
    3419     ai->dyn_size, ai->unit_size);
    3420    
    3421     rc = pcpu_setup_first_chunk(ai, base);
    3422     @@ -2653,8 +2653,8 @@ int __init pcpu_page_first_chunk(size_t reserved_size,
    3423     }
    3424    
    3425     /* we're ready, commit */
    3426     - pr_info("%d %s pages/cpu @%p s%zu r%zu d%zu\n",
    3427     - unit_pages, psize_str, vm.addr, ai->static_size,
    3428     + pr_info("%d %s pages/cpu s%zu r%zu d%zu\n",
    3429     + unit_pages, psize_str, ai->static_size,
    3430     ai->reserved_size, ai->dyn_size);
    3431    
    3432     rc = pcpu_setup_first_chunk(ai, vm.addr);
    3433     diff --git a/mm/vmstat.c b/mm/vmstat.c
    3434     index 83b30edc2f7f..f807f2e3b4cb 100644
    3435     --- a/mm/vmstat.c
    3436     +++ b/mm/vmstat.c
    3437     @@ -1274,13 +1274,8 @@ const char * const vmstat_text[] = {
    3438     #endif
    3439     #endif /* CONFIG_MEMORY_BALLOON */
    3440     #ifdef CONFIG_DEBUG_TLBFLUSH
    3441     -#ifdef CONFIG_SMP
    3442     "nr_tlb_remote_flush",
    3443     "nr_tlb_remote_flush_received",
    3444     -#else
    3445     - "", /* nr_tlb_remote_flush */
    3446     - "", /* nr_tlb_remote_flush_received */
    3447     -#endif /* CONFIG_SMP */
    3448     "nr_tlb_local_flush_all",
    3449     "nr_tlb_local_flush_one",
    3450     #endif /* CONFIG_DEBUG_TLBFLUSH */
    3451     diff --git a/net/atm/lec.c b/net/atm/lec.c
    3452     index d7f5cf5b7594..ad4f829193f0 100644
    3453     --- a/net/atm/lec.c
    3454     +++ b/net/atm/lec.c
    3455     @@ -710,7 +710,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg)
    3456    
    3457     static int lec_mcast_attach(struct atm_vcc *vcc, int arg)
    3458     {
    3459     - if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg])
    3460     + if (arg < 0 || arg >= MAX_LEC_ITF)
    3461     + return -EINVAL;
    3462     + arg = array_index_nospec(arg, MAX_LEC_ITF);
    3463     + if (!dev_lec[arg])
    3464     return -EINVAL;
    3465     vcc->proto_data = dev_lec[arg];
    3466     return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc);
    3467     @@ -728,6 +731,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg)
    3468     i = arg;
    3469     if (arg >= MAX_LEC_ITF)
    3470     return -EINVAL;
    3471     + i = array_index_nospec(arg, MAX_LEC_ITF);
    3472     if (!dev_lec[i]) {
    3473     int size;
    3474    
    3475     diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
    3476     index 5ea7e56119c1..ba303ee99b9b 100644
    3477     --- a/net/bridge/br_input.c
    3478     +++ b/net/bridge/br_input.c
    3479     @@ -197,13 +197,10 @@ static void __br_handle_local_finish(struct sk_buff *skb)
    3480     /* note: already called with rcu_read_lock */
    3481     static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
    3482     {
    3483     - struct net_bridge_port *p = br_port_get_rcu(skb->dev);
    3484     -
    3485     __br_handle_local_finish(skb);
    3486    
    3487     - BR_INPUT_SKB_CB(skb)->brdev = p->br->dev;
    3488     - br_pass_frame_up(skb);
    3489     - return 0;
    3490     + /* return 1 to signal the okfn() was called so it's ok to use the skb */
    3491     + return 1;
    3492     }
    3493    
    3494     /*
    3495     @@ -280,10 +277,18 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
    3496     goto forward;
    3497     }
    3498    
    3499     - /* Deliver packet to local host only */
    3500     - NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(skb->dev),
    3501     - NULL, skb, skb->dev, NULL, br_handle_local_finish);
    3502     - return RX_HANDLER_CONSUMED;
    3503     + /* The else clause should be hit when nf_hook():
    3504     + * - returns < 0 (drop/error)
    3505     + * - returns = 0 (stolen/nf_queue)
    3506     + * Thus return 1 from the okfn() to signal the skb is ok to pass
    3507     + */
    3508     + if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
    3509     + dev_net(skb->dev), NULL, skb, skb->dev, NULL,
    3510     + br_handle_local_finish) == 1) {
    3511     + return RX_HANDLER_PASS;
    3512     + } else {
    3513     + return RX_HANDLER_CONSUMED;
    3514     + }
    3515     }
    3516    
    3517     forward:
    3518     diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
    3519     index e4777614a8a0..61ff0d497da6 100644
    3520     --- a/net/bridge/br_multicast.c
    3521     +++ b/net/bridge/br_multicast.c
    3522     @@ -1916,7 +1916,8 @@ static void br_multicast_start_querier(struct net_bridge *br,
    3523    
    3524     __br_multicast_open(br, query);
    3525    
    3526     - list_for_each_entry(port, &br->port_list, list) {
    3527     + rcu_read_lock();
    3528     + list_for_each_entry_rcu(port, &br->port_list, list) {
    3529     if (port->state == BR_STATE_DISABLED ||
    3530     port->state == BR_STATE_BLOCKING)
    3531     continue;
    3532     @@ -1928,6 +1929,7 @@ static void br_multicast_start_querier(struct net_bridge *br,
    3533     br_multicast_enable(&port->ip6_own_query);
    3534     #endif
    3535     }
    3536     + rcu_read_unlock();
    3537     }
    3538    
    3539     int br_multicast_toggle(struct net_bridge *br, unsigned long val)
    3540     diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
    3541     index 9c07591b0232..7104cf13da84 100644
    3542     --- a/net/bridge/br_netlink.c
    3543     +++ b/net/bridge/br_netlink.c
    3544     @@ -1441,7 +1441,7 @@ static int br_fill_info(struct sk_buff *skb, const struct net_device *brdev)
    3545     nla_put_u8(skb, IFLA_BR_VLAN_STATS_ENABLED,
    3546     br_opt_get(br, BROPT_VLAN_STATS_ENABLED)) ||
    3547     nla_put_u8(skb, IFLA_BR_VLAN_STATS_PER_PORT,
    3548     - br_opt_get(br, IFLA_BR_VLAN_STATS_PER_PORT)))
    3549     + br_opt_get(br, BROPT_VLAN_STATS_PER_PORT)))
    3550     return -EMSGSIZE;
    3551     #endif
    3552     #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
    3553     diff --git a/net/core/dev.c b/net/core/dev.c
    3554     index 12824e007e06..7277dd393c00 100644
    3555     --- a/net/core/dev.c
    3556     +++ b/net/core/dev.c
    3557     @@ -1184,7 +1184,21 @@ int dev_change_name(struct net_device *dev, const char *newname)
    3558     BUG_ON(!dev_net(dev));
    3559    
    3560     net = dev_net(dev);
    3561     - if (dev->flags & IFF_UP)
    3562     +
    3563     + /* Some auto-enslaved devices e.g. failover slaves are
    3564     + * special, as userspace might rename the device after
    3565     + * the interface had been brought up and running since
    3566     + * the point kernel initiated auto-enslavement. Allow
    3567     + * live name change even when these slave devices are
    3568     + * up and running.
    3569     + *
    3570     + * Typically, users of these auto-enslaving devices
    3571     + * don't actually care about slave name change, as
    3572     + * they are supposed to operate on master interface
    3573     + * directly.
    3574     + */
    3575     + if (dev->flags & IFF_UP &&
    3576     + likely(!(dev->priv_flags & IFF_LIVE_RENAME_OK)))
    3577     return -EBUSY;
    3578    
    3579     write_seqcount_begin(&devnet_rename_seq);
    3580     diff --git a/net/core/failover.c b/net/core/failover.c
    3581     index 4a92a98ccce9..b5cd3c727285 100644
    3582     --- a/net/core/failover.c
    3583     +++ b/net/core/failover.c
    3584     @@ -80,14 +80,14 @@ static int failover_slave_register(struct net_device *slave_dev)
    3585     goto err_upper_link;
    3586     }
    3587    
    3588     - slave_dev->priv_flags |= IFF_FAILOVER_SLAVE;
    3589     + slave_dev->priv_flags |= (IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
    3590    
    3591     if (fops && fops->slave_register &&
    3592     !fops->slave_register(slave_dev, failover_dev))
    3593     return NOTIFY_OK;
    3594    
    3595     netdev_upper_dev_unlink(slave_dev, failover_dev);
    3596     - slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE;
    3597     + slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
    3598     err_upper_link:
    3599     netdev_rx_handler_unregister(slave_dev);
    3600     done:
    3601     @@ -121,7 +121,7 @@ int failover_slave_unregister(struct net_device *slave_dev)
    3602    
    3603     netdev_rx_handler_unregister(slave_dev);
    3604     netdev_upper_dev_unlink(slave_dev, failover_dev);
    3605     - slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE;
    3606     + slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
    3607    
    3608     if (fops && fops->slave_unregister &&
    3609     !fops->slave_unregister(slave_dev, failover_dev))
    3610     diff --git a/net/core/skbuff.c b/net/core/skbuff.c
    3611     index ef2cd5712098..40796b8bf820 100644
    3612     --- a/net/core/skbuff.c
    3613     +++ b/net/core/skbuff.c
    3614     @@ -5083,7 +5083,8 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
    3615    
    3616     static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
    3617     {
    3618     - int mac_len;
    3619     + int mac_len, meta_len;
    3620     + void *meta;
    3621    
    3622     if (skb_cow(skb, skb_headroom(skb)) < 0) {
    3623     kfree_skb(skb);
    3624     @@ -5095,6 +5096,13 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
    3625     memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
    3626     mac_len - VLAN_HLEN - ETH_TLEN);
    3627     }
    3628     +
    3629     + meta_len = skb_metadata_len(skb);
    3630     + if (meta_len) {
    3631     + meta = skb_metadata_end(skb) - meta_len;
    3632     + memmove(meta + VLAN_HLEN, meta, meta_len);
    3633     + }
    3634     +
    3635     skb->mac_header += VLAN_HLEN;
    3636     return skb;
    3637     }
    3638     diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
    3639     index 79e98e21cdd7..12ce6c526d72 100644
    3640     --- a/net/ipv4/fou.c
    3641     +++ b/net/ipv4/fou.c
    3642     @@ -121,6 +121,7 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
    3643     struct guehdr *guehdr;
    3644     void *data;
    3645     u16 doffset = 0;
    3646     + u8 proto_ctype;
    3647    
    3648     if (!fou)
    3649     return 1;
    3650     @@ -212,13 +213,14 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
    3651     if (unlikely(guehdr->control))
    3652     return gue_control_message(skb, guehdr);
    3653    
    3654     + proto_ctype = guehdr->proto_ctype;
    3655     __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
    3656     skb_reset_transport_header(skb);
    3657    
    3658     if (iptunnel_pull_offloads(skb))
    3659     goto drop;
    3660    
    3661     - return -guehdr->proto_ctype;
    3662     + return -proto_ctype;
    3663    
    3664     drop:
    3665     kfree_skb(skb);
    3666     diff --git a/net/ipv4/route.c b/net/ipv4/route.c
    3667     index e04cdb58a602..25d9bef27d03 100644
    3668     --- a/net/ipv4/route.c
    3669     +++ b/net/ipv4/route.c
    3670     @@ -1185,9 +1185,23 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie)
    3671    
    3672     static void ipv4_link_failure(struct sk_buff *skb)
    3673     {
    3674     + struct ip_options opt;
    3675     struct rtable *rt;
    3676     + int res;
    3677    
    3678     - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
    3679     + /* Recompile ip options since IPCB may not be valid anymore.
    3680     + */
    3681     + memset(&opt, 0, sizeof(opt));
    3682     + opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
    3683     +
    3684     + rcu_read_lock();
    3685     + res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
    3686     + rcu_read_unlock();
    3687     +
    3688     + if (res)
    3689     + return;
    3690     +
    3691     + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
    3692    
    3693     rt = skb_rtable(skb);
    3694     if (rt)
    3695     diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
    3696     index 7b1ef897b398..95b2e31fff08 100644
    3697     --- a/net/ipv4/tcp_input.c
    3698     +++ b/net/ipv4/tcp_input.c
    3699     @@ -402,11 +402,12 @@ static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb)
    3700     static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
    3701     {
    3702     struct tcp_sock *tp = tcp_sk(sk);
    3703     + int room;
    3704     +
    3705     + room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh;
    3706    
    3707     /* Check #1 */
    3708     - if (tp->rcv_ssthresh < tp->window_clamp &&
    3709     - (int)tp->rcv_ssthresh < tcp_space(sk) &&
    3710     - !tcp_under_memory_pressure(sk)) {
    3711     + if (room > 0 && !tcp_under_memory_pressure(sk)) {
    3712     int incr;
    3713    
    3714     /* Check #2. Increase window, if skb with such overhead
    3715     @@ -419,8 +420,7 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
    3716    
    3717     if (incr) {
    3718     incr = max_t(int, incr, 2 * skb->len);
    3719     - tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr,
    3720     - tp->window_clamp);
    3721     + tp->rcv_ssthresh += min(room, incr);
    3722     inet_csk(sk)->icsk_ack.quick |= 1;
    3723     }
    3724     }
    3725     diff --git a/net/ipv6/route.c b/net/ipv6/route.c
    3726     index 0086acc16f3c..b6a97115a906 100644
    3727     --- a/net/ipv6/route.c
    3728     +++ b/net/ipv6/route.c
    3729     @@ -2336,6 +2336,10 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
    3730    
    3731     rcu_read_lock();
    3732     from = rcu_dereference(rt6->from);
    3733     + if (!from) {
    3734     + rcu_read_unlock();
    3735     + return;
    3736     + }
    3737     nrt6 = ip6_rt_cache_alloc(from, daddr, saddr);
    3738     if (nrt6) {
    3739     rt6_do_update_pmtu(nrt6, mtu);
    3740     diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
    3741     index 3e0d5922a440..a9c1d6e3cdae 100644
    3742     --- a/net/mac80211/driver-ops.h
    3743     +++ b/net/mac80211/driver-ops.h
    3744     @@ -1166,6 +1166,9 @@ static inline void drv_wake_tx_queue(struct ieee80211_local *local,
    3745     {
    3746     struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
    3747    
    3748     + if (local->in_reconfig)
    3749     + return;
    3750     +
    3751     if (!check_sdata_in_driver(sdata))
    3752     return;
    3753    
    3754     diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
    3755     index ddfc52ac1f9b..c0d323b58e73 100644
    3756     --- a/net/nfc/nci/hci.c
    3757     +++ b/net/nfc/nci/hci.c
    3758     @@ -312,6 +312,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
    3759     create_info = (struct nci_hci_create_pipe_resp *)skb->data;
    3760     dest_gate = create_info->dest_gate;
    3761     new_pipe = create_info->pipe;
    3762     + if (new_pipe >= NCI_HCI_MAX_PIPES) {
    3763     + status = NCI_HCI_ANY_E_NOK;
    3764     + goto exit;
    3765     + }
    3766    
    3767     /* Save the new created pipe and bind with local gate,
    3768     * the description for skb->data[3] is destination gate id
    3769     @@ -336,6 +340,10 @@ static void nci_hci_cmd_received(struct nci_dev *ndev, u8 pipe,
    3770     goto exit;
    3771     }
    3772     delete_info = (struct nci_hci_delete_pipe_noti *)skb->data;
    3773     + if (delete_info->pipe >= NCI_HCI_MAX_PIPES) {
    3774     + status = NCI_HCI_ANY_E_NOK;
    3775     + goto exit;
    3776     + }
    3777    
    3778     ndev->hci_dev->pipes[delete_info->pipe].gate =
    3779     NCI_HCI_INVALID_GATE;
    3780     diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
    3781     index 73940293700d..7b5ce1343474 100644
    3782     --- a/net/sched/sch_cake.c
    3783     +++ b/net/sched/sch_cake.c
    3784     @@ -1508,32 +1508,29 @@ static unsigned int cake_drop(struct Qdisc *sch, struct sk_buff **to_free)
    3785     return idx + (tin << 16);
    3786     }
    3787    
    3788     -static void cake_wash_diffserv(struct sk_buff *skb)
    3789     -{
    3790     - switch (skb->protocol) {
    3791     - case htons(ETH_P_IP):
    3792     - ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0);
    3793     - break;
    3794     - case htons(ETH_P_IPV6):
    3795     - ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0);
    3796     - break;
    3797     - default:
    3798     - break;
    3799     - }
    3800     -}
    3801     -
    3802     static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash)
    3803     {
    3804     + int wlen = skb_network_offset(skb);
    3805     u8 dscp;
    3806    
    3807     - switch (skb->protocol) {
    3808     + switch (tc_skb_protocol(skb)) {
    3809     case htons(ETH_P_IP):
    3810     + wlen += sizeof(struct iphdr);
    3811     + if (!pskb_may_pull(skb, wlen) ||
    3812     + skb_try_make_writable(skb, wlen))
    3813     + return 0;
    3814     +
    3815     dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2;
    3816     if (wash && dscp)
    3817     ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0);
    3818     return dscp;
    3819    
    3820     case htons(ETH_P_IPV6):
    3821     + wlen += sizeof(struct ipv6hdr);
    3822     + if (!pskb_may_pull(skb, wlen) ||
    3823     + skb_try_make_writable(skb, wlen))
    3824     + return 0;
    3825     +
    3826     dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2;
    3827     if (wash && dscp)
    3828     ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0);
    3829     @@ -1553,25 +1550,27 @@ static struct cake_tin_data *cake_select_tin(struct Qdisc *sch,
    3830     {
    3831     struct cake_sched_data *q = qdisc_priv(sch);
    3832     u32 tin;
    3833     + u8 dscp;
    3834     +
    3835     + /* Tin selection: Default to diffserv-based selection, allow overriding
    3836     + * using firewall marks or skb->priority.
    3837     + */
    3838     + dscp = cake_handle_diffserv(skb,
    3839     + q->rate_flags & CAKE_FLAG_WASH);
    3840    
    3841     - if (TC_H_MAJ(skb->priority) == sch->handle &&
    3842     - TC_H_MIN(skb->priority) > 0 &&
    3843     - TC_H_MIN(skb->priority) <= q->tin_cnt) {
    3844     + if (q->tin_mode == CAKE_DIFFSERV_BESTEFFORT)
    3845     + tin = 0;
    3846     +
    3847     + else if (TC_H_MAJ(skb->priority) == sch->handle &&
    3848     + TC_H_MIN(skb->priority) > 0 &&
    3849     + TC_H_MIN(skb->priority) <= q->tin_cnt)
    3850     tin = q->tin_order[TC_H_MIN(skb->priority) - 1];
    3851    
    3852     - if (q->rate_flags & CAKE_FLAG_WASH)
    3853     - cake_wash_diffserv(skb);
    3854     - } else if (q->tin_mode != CAKE_DIFFSERV_BESTEFFORT) {
    3855     - /* extract the Diffserv Precedence field, if it exists */
    3856     - /* and clear DSCP bits if washing */
    3857     - tin = q->tin_index[cake_handle_diffserv(skb,
    3858     - q->rate_flags & CAKE_FLAG_WASH)];
    3859     + else {
    3860     + tin = q->tin_index[dscp];
    3861     +
    3862     if (unlikely(tin >= q->tin_cnt))
    3863     tin = 0;
    3864     - } else {
    3865     - tin = 0;
    3866     - if (q->rate_flags & CAKE_FLAG_WASH)
    3867     - cake_wash_diffserv(skb);
    3868     }
    3869    
    3870     return &q->tins[tin];
    3871     diff --git a/net/strparser/strparser.c b/net/strparser/strparser.c
    3872     index da1a676860ca..0f4e42792878 100644
    3873     --- a/net/strparser/strparser.c
    3874     +++ b/net/strparser/strparser.c
    3875     @@ -140,13 +140,11 @@ static int __strp_recv(read_descriptor_t *desc, struct sk_buff *orig_skb,
    3876     /* We are going to append to the frags_list of head.
    3877     * Need to unshare the frag_list.
    3878     */
    3879     - if (skb_has_frag_list(head)) {
    3880     - err = skb_unclone(head, GFP_ATOMIC);
    3881     - if (err) {
    3882     - STRP_STATS_INCR(strp->stats.mem_fail);
    3883     - desc->error = err;
    3884     - return 0;
    3885     - }
    3886     + err = skb_unclone(head, GFP_ATOMIC);
    3887     + if (err) {
    3888     + STRP_STATS_INCR(strp->stats.mem_fail);
    3889     + desc->error = err;
    3890     + return 0;
    3891     }
    3892    
    3893     if (unlikely(skb_shinfo(head)->frag_list)) {
    3894     diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c
    3895     index bff241f03525..89993afe0fbd 100644
    3896     --- a/net/tipc/name_table.c
    3897     +++ b/net/tipc/name_table.c
    3898     @@ -909,7 +909,8 @@ static int tipc_nl_service_list(struct net *net, struct tipc_nl_msg *msg,
    3899     for (; i < TIPC_NAMETBL_SIZE; i++) {
    3900     head = &tn->nametbl->services[i];
    3901    
    3902     - if (*last_type) {
    3903     + if (*last_type ||
    3904     + (!i && *last_key && (*last_lower == *last_key))) {
    3905     service = tipc_service_find(net, *last_type);
    3906     if (!service)
    3907     return -EPIPE;
    3908     diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
    3909     index d753e362d2d9..4b5ff3d44912 100644
    3910     --- a/net/tls/tls_device.c
    3911     +++ b/net/tls/tls_device.c
    3912     @@ -52,8 +52,11 @@ static DEFINE_SPINLOCK(tls_device_lock);
    3913    
    3914     static void tls_device_free_ctx(struct tls_context *ctx)
    3915     {
    3916     - if (ctx->tx_conf == TLS_HW)
    3917     + if (ctx->tx_conf == TLS_HW) {
    3918     kfree(tls_offload_ctx_tx(ctx));
    3919     + kfree(ctx->tx.rec_seq);
    3920     + kfree(ctx->tx.iv);
    3921     + }
    3922    
    3923     if (ctx->rx_conf == TLS_HW)
    3924     kfree(tls_offload_ctx_rx(ctx));
    3925     @@ -216,6 +219,13 @@ void tls_device_sk_destruct(struct sock *sk)
    3926     }
    3927     EXPORT_SYMBOL(tls_device_sk_destruct);
    3928    
    3929     +void tls_device_free_resources_tx(struct sock *sk)
    3930     +{
    3931     + struct tls_context *tls_ctx = tls_get_ctx(sk);
    3932     +
    3933     + tls_free_partial_record(sk, tls_ctx);
    3934     +}
    3935     +
    3936     static void tls_append_frag(struct tls_record_info *record,
    3937     struct page_frag *pfrag,
    3938     int size)
    3939     diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
    3940     index 78cb4a584080..96dbac91ac6e 100644
    3941     --- a/net/tls/tls_main.c
    3942     +++ b/net/tls/tls_main.c
    3943     @@ -220,6 +220,26 @@ int tls_push_pending_closed_record(struct sock *sk,
    3944     return tls_ctx->push_pending_record(sk, flags);
    3945     }
    3946    
    3947     +bool tls_free_partial_record(struct sock *sk, struct tls_context *ctx)
    3948     +{
    3949     + struct scatterlist *sg;
    3950     +
    3951     + sg = ctx->partially_sent_record;
    3952     + if (!sg)
    3953     + return false;
    3954     +
    3955     + while (1) {
    3956     + put_page(sg_page(sg));
    3957     + sk_mem_uncharge(sk, sg->length);
    3958     +
    3959     + if (sg_is_last(sg))
    3960     + break;
    3961     + sg++;
    3962     + }
    3963     + ctx->partially_sent_record = NULL;
    3964     + return true;
    3965     +}
    3966     +
    3967     static void tls_write_space(struct sock *sk)
    3968     {
    3969     struct tls_context *ctx = tls_get_ctx(sk);
    3970     @@ -278,6 +298,10 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
    3971     kfree(ctx->tx.rec_seq);
    3972     kfree(ctx->tx.iv);
    3973     tls_sw_free_resources_tx(sk);
    3974     +#ifdef CONFIG_TLS_DEVICE
    3975     + } else if (ctx->tx_conf == TLS_HW) {
    3976     + tls_device_free_resources_tx(sk);
    3977     +#endif
    3978     }
    3979    
    3980     if (ctx->rx_conf == TLS_SW) {
    3981     diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
    3982     index bf5b54b513bc..d2d4f7c0d4be 100644
    3983     --- a/net/tls/tls_sw.c
    3984     +++ b/net/tls/tls_sw.c
    3985     @@ -1804,20 +1804,7 @@ void tls_sw_free_resources_tx(struct sock *sk)
    3986     /* Free up un-sent records in tx_list. First, free
    3987     * the partially sent record if any at head of tx_list.
    3988     */
    3989     - if (tls_ctx->partially_sent_record) {
    3990     - struct scatterlist *sg = tls_ctx->partially_sent_record;
    3991     -
    3992     - while (1) {
    3993     - put_page(sg_page(sg));
    3994     - sk_mem_uncharge(sk, sg->length);
    3995     -
    3996     - if (sg_is_last(sg))
    3997     - break;
    3998     - sg++;
    3999     - }
    4000     -
    4001     - tls_ctx->partially_sent_record = NULL;
    4002     -
    4003     + if (tls_free_partial_record(sk, tls_ctx)) {
    4004     rec = list_first_entry(&ctx->tx_list,
    4005     struct tls_rec, list);
    4006     list_del(&rec->list);
    4007     diff --git a/security/device_cgroup.c b/security/device_cgroup.c
    4008     index cd97929fac66..dc28914fa72e 100644
    4009     --- a/security/device_cgroup.c
    4010     +++ b/security/device_cgroup.c
    4011     @@ -560,7 +560,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root,
    4012     devcg->behavior == DEVCG_DEFAULT_ALLOW) {
    4013     rc = dev_exception_add(devcg, ex);
    4014     if (rc)
    4015     - break;
    4016     + return rc;
    4017     } else {
    4018     /*
    4019     * in the other possible cases:
    4020     diff --git a/sound/core/info.c b/sound/core/info.c
    4021     index fe502bc5e6d2..679136fba730 100644
    4022     --- a/sound/core/info.c
    4023     +++ b/sound/core/info.c
    4024     @@ -722,8 +722,11 @@ snd_info_create_entry(const char *name, struct snd_info_entry *parent)
    4025     INIT_LIST_HEAD(&entry->children);
    4026     INIT_LIST_HEAD(&entry->list);
    4027     entry->parent = parent;
    4028     - if (parent)
    4029     + if (parent) {
    4030     + mutex_lock(&parent->access);
    4031     list_add_tail(&entry->list, &parent->children);
    4032     + mutex_unlock(&parent->access);
    4033     + }
    4034     return entry;
    4035     }
    4036    
    4037     @@ -805,7 +808,12 @@ void snd_info_free_entry(struct snd_info_entry * entry)
    4038     list_for_each_entry_safe(p, n, &entry->children, list)
    4039     snd_info_free_entry(p);
    4040    
    4041     - list_del(&entry->list);
    4042     + p = entry->parent;
    4043     + if (p) {
    4044     + mutex_lock(&p->access);
    4045     + list_del(&entry->list);
    4046     + mutex_unlock(&p->access);
    4047     + }
    4048     kfree(entry->name);
    4049     if (entry->private_free)
    4050     entry->private_free(entry);
    4051     diff --git a/sound/core/init.c b/sound/core/init.c
    4052     index 4849c611c0fe..16b7cc7aa66b 100644
    4053     --- a/sound/core/init.c
    4054     +++ b/sound/core/init.c
    4055     @@ -407,14 +407,7 @@ int snd_card_disconnect(struct snd_card *card)
    4056     card->shutdown = 1;
    4057     spin_unlock(&card->files_lock);
    4058    
    4059     - /* phase 1: disable fops (user space) operations for ALSA API */
    4060     - mutex_lock(&snd_card_mutex);
    4061     - snd_cards[card->number] = NULL;
    4062     - clear_bit(card->number, snd_cards_lock);
    4063     - mutex_unlock(&snd_card_mutex);
    4064     -
    4065     - /* phase 2: replace file->f_op with special dummy operations */
    4066     -
    4067     + /* replace file->f_op with special dummy operations */
    4068     spin_lock(&card->files_lock);
    4069     list_for_each_entry(mfile, &card->files_list, list) {
    4070     /* it's critical part, use endless loop */
    4071     @@ -430,7 +423,7 @@ int snd_card_disconnect(struct snd_card *card)
    4072     }
    4073     spin_unlock(&card->files_lock);
    4074    
    4075     - /* phase 3: notify all connected devices about disconnection */
    4076     + /* notify all connected devices about disconnection */
    4077     /* at this point, they cannot respond to any calls except release() */
    4078    
    4079     #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
    4080     @@ -446,6 +439,13 @@ int snd_card_disconnect(struct snd_card *card)
    4081     device_del(&card->card_dev);
    4082     card->registered = false;
    4083     }
    4084     +
    4085     + /* disable fops (user space) operations for ALSA API */
    4086     + mutex_lock(&snd_card_mutex);
    4087     + snd_cards[card->number] = NULL;
    4088     + clear_bit(card->number, snd_cards_lock);
    4089     + mutex_unlock(&snd_card_mutex);
    4090     +
    4091     #ifdef CONFIG_PM
    4092     wake_up(&card->power_sleep);
    4093     #endif
    4094     diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
    4095     index 84fae0df59e9..f061167062bc 100644
    4096     --- a/sound/pci/hda/patch_realtek.c
    4097     +++ b/sound/pci/hda/patch_realtek.c
    4098     @@ -7247,6 +7247,8 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
    4099     {0x12, 0x90a60140},
    4100     {0x14, 0x90170150},
    4101     {0x21, 0x02211020}),
    4102     + SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
    4103     + {0x21, 0x02211020}),
    4104     SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL2_MIC_NO_PRESENCE,
    4105     {0x14, 0x90170110},
    4106     {0x21, 0x02211020}),
    4107     @@ -7357,6 +7359,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
    4108     {0x21, 0x0221101f}),
    4109     SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
    4110     ALC256_STANDARD_PINS),
    4111     + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
    4112     + {0x14, 0x90170110},
    4113     + {0x1b, 0x01011020},
    4114     + {0x21, 0x0221101f}),
    4115     SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC,
    4116     {0x14, 0x90170110},
    4117     {0x1b, 0x90a70130},