Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.4 commit in: /
Date: Wed, 29 Jan 2020 16:18:49
Message-Id: 1580314630.bfe9312182d69deb9786d697a6fb0e57b6cd9ffa.mpagano@gentoo
1 commit: bfe9312182d69deb9786d697a6fb0e57b6cd9ffa
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jan 29 16:17:10 2020 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 29 16:17:10 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=bfe93121
7
8 Linux patch 5.4.16
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1015_linux-5.4.16.patch | 5662 +++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 5666 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 34417c5..85cdd05 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -103,6 +103,10 @@ Patch: 1014_linux-5.4.15.patch
21 From: http://www.kernel.org
22 Desc: Linux 5.4.15
23
24 +Patch: 1015_linux-5.4.16.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 5.4.16
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1015_linux-5.4.16.patch b/1015_linux-5.4.16.patch
33 new file mode 100644
34 index 0000000..2c9e8a8
35 --- /dev/null
36 +++ b/1015_linux-5.4.16.patch
37 @@ -0,0 +1,5662 @@
38 +diff --git a/Makefile b/Makefile
39 +index 30600e309c73..e16d2e58ed4b 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 5
45 + PATCHLEVEL = 4
46 +-SUBLEVEL = 15
47 ++SUBLEVEL = 16
48 + EXTRAVERSION =
49 + NAME = Kleptomaniac Octopus
50 +
51 +diff --git a/arch/powerpc/include/asm/book3s/64/mmu-hash.h b/arch/powerpc/include/asm/book3s/64/mmu-hash.h
52 +index 15b75005bc34..3fa1b962dc27 100644
53 +--- a/arch/powerpc/include/asm/book3s/64/mmu-hash.h
54 ++++ b/arch/powerpc/include/asm/book3s/64/mmu-hash.h
55 +@@ -600,8 +600,11 @@ extern void slb_set_size(u16 size);
56 + *
57 + */
58 + #define MAX_USER_CONTEXT ((ASM_CONST(1) << CONTEXT_BITS) - 2)
59 ++
60 ++// The + 2 accounts for INVALID_REGION and 1 more to avoid overlap with kernel
61 + #define MIN_USER_CONTEXT (MAX_KERNEL_CTX_CNT + MAX_VMALLOC_CTX_CNT + \
62 +- MAX_IO_CTX_CNT + MAX_VMEMMAP_CTX_CNT)
63 ++ MAX_IO_CTX_CNT + MAX_VMEMMAP_CTX_CNT + 2)
64 ++
65 + /*
66 + * For platforms that support on 65bit VA we limit the context bits
67 + */
68 +diff --git a/arch/powerpc/include/asm/xive-regs.h b/arch/powerpc/include/asm/xive-regs.h
69 +index f2dfcd50a2d3..33aee7490cbb 100644
70 +--- a/arch/powerpc/include/asm/xive-regs.h
71 ++++ b/arch/powerpc/include/asm/xive-regs.h
72 +@@ -39,6 +39,7 @@
73 +
74 + #define XIVE_ESB_VAL_P 0x2
75 + #define XIVE_ESB_VAL_Q 0x1
76 ++#define XIVE_ESB_INVALID 0xFF
77 +
78 + /*
79 + * Thread Management (aka "TM") registers
80 +diff --git a/arch/powerpc/sysdev/xive/common.c b/arch/powerpc/sysdev/xive/common.c
81 +index f5fadbd2533a..9651ca061828 100644
82 +--- a/arch/powerpc/sysdev/xive/common.c
83 ++++ b/arch/powerpc/sysdev/xive/common.c
84 +@@ -972,12 +972,21 @@ static int xive_get_irqchip_state(struct irq_data *data,
85 + enum irqchip_irq_state which, bool *state)
86 + {
87 + struct xive_irq_data *xd = irq_data_get_irq_handler_data(data);
88 ++ u8 pq;
89 +
90 + switch (which) {
91 + case IRQCHIP_STATE_ACTIVE:
92 +- *state = !xd->stale_p &&
93 +- (xd->saved_p ||
94 +- !!(xive_esb_read(xd, XIVE_ESB_GET) & XIVE_ESB_VAL_P));
95 ++ pq = xive_esb_read(xd, XIVE_ESB_GET);
96 ++
97 ++ /*
98 ++ * The esb value being all 1's means we couldn't get
99 ++ * the PQ state of the interrupt through mmio. It may
100 ++ * happen, for example when querying a PHB interrupt
101 ++ * while the PHB is in an error state. We consider the
102 ++ * interrupt to be inactive in that case.
103 ++ */
104 ++ *state = (pq != XIVE_ESB_INVALID) && !xd->stale_p &&
105 ++ (xd->saved_p || !!(pq & XIVE_ESB_VAL_P));
106 + return 0;
107 + default:
108 + return -EINVAL;
109 +diff --git a/drivers/atm/firestream.c b/drivers/atm/firestream.c
110 +index 2bbab0230aeb..d287837ed755 100644
111 +--- a/drivers/atm/firestream.c
112 ++++ b/drivers/atm/firestream.c
113 +@@ -912,6 +912,7 @@ static int fs_open(struct atm_vcc *atm_vcc)
114 + }
115 + if (!to) {
116 + printk ("No more free channels for FS50..\n");
117 ++ kfree(vcc);
118 + return -EBUSY;
119 + }
120 + vcc->channo = dev->channo;
121 +@@ -922,6 +923,7 @@ static int fs_open(struct atm_vcc *atm_vcc)
122 + if (((DO_DIRECTION(rxtp) && dev->atm_vccs[vcc->channo])) ||
123 + ( DO_DIRECTION(txtp) && test_bit (vcc->channo, dev->tx_inuse))) {
124 + printk ("Channel is in use for FS155.\n");
125 ++ kfree(vcc);
126 + return -EBUSY;
127 + }
128 + }
129 +@@ -935,6 +937,7 @@ static int fs_open(struct atm_vcc *atm_vcc)
130 + tc, sizeof (struct fs_transmit_config));
131 + if (!tc) {
132 + fs_dprintk (FS_DEBUG_OPEN, "fs: can't alloc transmit_config.\n");
133 ++ kfree(vcc);
134 + return -ENOMEM;
135 + }
136 +
137 +diff --git a/drivers/gpu/drm/i915/gem/i915_gem_busy.c b/drivers/gpu/drm/i915/gem/i915_gem_busy.c
138 +index 3d4f5775a4ba..25235ef630c1 100644
139 +--- a/drivers/gpu/drm/i915/gem/i915_gem_busy.c
140 ++++ b/drivers/gpu/drm/i915/gem/i915_gem_busy.c
141 +@@ -9,16 +9,16 @@
142 + #include "i915_gem_ioctls.h"
143 + #include "i915_gem_object.h"
144 +
145 +-static __always_inline u32 __busy_read_flag(u8 id)
146 ++static __always_inline u32 __busy_read_flag(u16 id)
147 + {
148 +- if (id == (u8)I915_ENGINE_CLASS_INVALID)
149 ++ if (id == (u16)I915_ENGINE_CLASS_INVALID)
150 + return 0xffff0000u;
151 +
152 + GEM_BUG_ON(id >= 16);
153 + return 0x10000u << id;
154 + }
155 +
156 +-static __always_inline u32 __busy_write_id(u8 id)
157 ++static __always_inline u32 __busy_write_id(u16 id)
158 + {
159 + /*
160 + * The uABI guarantees an active writer is also amongst the read
161 +@@ -29,14 +29,14 @@ static __always_inline u32 __busy_write_id(u8 id)
162 + * last_read - hence we always set both read and write busy for
163 + * last_write.
164 + */
165 +- if (id == (u8)I915_ENGINE_CLASS_INVALID)
166 ++ if (id == (u16)I915_ENGINE_CLASS_INVALID)
167 + return 0xffffffffu;
168 +
169 + return (id + 1) | __busy_read_flag(id);
170 + }
171 +
172 + static __always_inline unsigned int
173 +-__busy_set_if_active(const struct dma_fence *fence, u32 (*flag)(u8 id))
174 ++__busy_set_if_active(const struct dma_fence *fence, u32 (*flag)(u16 id))
175 + {
176 + const struct i915_request *rq;
177 +
178 +@@ -57,7 +57,7 @@ __busy_set_if_active(const struct dma_fence *fence, u32 (*flag)(u8 id))
179 + return 0;
180 +
181 + /* Beware type-expansion follies! */
182 +- BUILD_BUG_ON(!typecheck(u8, rq->engine->uabi_class));
183 ++ BUILD_BUG_ON(!typecheck(u16, rq->engine->uabi_class));
184 + return flag(rq->engine->uabi_class);
185 + }
186 +
187 +diff --git a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
188 +index abfbac49b8e8..968d9b2705d0 100644
189 +--- a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
190 ++++ b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
191 +@@ -427,7 +427,7 @@ struct get_pages_work {
192 +
193 + static struct sg_table *
194 + __i915_gem_userptr_alloc_pages(struct drm_i915_gem_object *obj,
195 +- struct page **pvec, int num_pages)
196 ++ struct page **pvec, unsigned long num_pages)
197 + {
198 + unsigned int max_segment = i915_sg_segment_size();
199 + struct sg_table *st;
200 +@@ -473,9 +473,10 @@ __i915_gem_userptr_get_pages_worker(struct work_struct *_work)
201 + {
202 + struct get_pages_work *work = container_of(_work, typeof(*work), work);
203 + struct drm_i915_gem_object *obj = work->obj;
204 +- const int npages = obj->base.size >> PAGE_SHIFT;
205 ++ const unsigned long npages = obj->base.size >> PAGE_SHIFT;
206 ++ unsigned long pinned;
207 + struct page **pvec;
208 +- int pinned, ret;
209 ++ int ret;
210 +
211 + ret = -ENOMEM;
212 + pinned = 0;
213 +@@ -578,7 +579,7 @@ __i915_gem_userptr_get_pages_schedule(struct drm_i915_gem_object *obj)
214 +
215 + static int i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
216 + {
217 +- const int num_pages = obj->base.size >> PAGE_SHIFT;
218 ++ const unsigned long num_pages = obj->base.size >> PAGE_SHIFT;
219 + struct mm_struct *mm = obj->userptr.mm->mm;
220 + struct page **pvec;
221 + struct sg_table *pages;
222 +diff --git a/drivers/gpu/drm/i915/gt/intel_engine_types.h b/drivers/gpu/drm/i915/gt/intel_engine_types.h
223 +index 9dd8c299cb2d..798e1b024406 100644
224 +--- a/drivers/gpu/drm/i915/gt/intel_engine_types.h
225 ++++ b/drivers/gpu/drm/i915/gt/intel_engine_types.h
226 +@@ -300,8 +300,8 @@ struct intel_engine_cs {
227 + u8 class;
228 + u8 instance;
229 +
230 +- u8 uabi_class;
231 +- u8 uabi_instance;
232 ++ u16 uabi_class;
233 ++ u16 uabi_instance;
234 +
235 + u32 context_size;
236 + u32 mmio_base;
237 +diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
238 +index b1a7a8b9b46a..f614646ed3f9 100644
239 +--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
240 ++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
241 +@@ -1178,6 +1178,7 @@ gen8_ppgtt_insert_pte(struct i915_ppgtt *ppgtt,
242 + pd = i915_pd_entry(pdp, gen8_pd_index(idx, 2));
243 + vaddr = kmap_atomic_px(i915_pt_entry(pd, gen8_pd_index(idx, 1)));
244 + do {
245 ++ GEM_BUG_ON(iter->sg->length < I915_GTT_PAGE_SIZE);
246 + vaddr[gen8_pd_index(idx, 0)] = pte_encode | iter->dma;
247 +
248 + iter->dma += I915_GTT_PAGE_SIZE;
249 +@@ -1657,6 +1658,7 @@ static void gen6_ppgtt_insert_entries(struct i915_address_space *vm,
250 +
251 + vaddr = kmap_atomic_px(i915_pt_entry(pd, act_pt));
252 + do {
253 ++ GEM_BUG_ON(iter.sg->length < I915_GTT_PAGE_SIZE);
254 + vaddr[act_pte] = pte_encode | GEN6_PTE_ADDR_ENCODE(iter.dma);
255 +
256 + iter.dma += I915_GTT_PAGE_SIZE;
257 +diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c
258 +index 1c67ac434e10..5906c80c4b2c 100644
259 +--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
260 ++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
261 +@@ -78,8 +78,10 @@ static int panfrost_ioctl_get_param(struct drm_device *ddev, void *data, struct
262 + static int panfrost_ioctl_create_bo(struct drm_device *dev, void *data,
263 + struct drm_file *file)
264 + {
265 ++ struct panfrost_file_priv *priv = file->driver_priv;
266 + struct panfrost_gem_object *bo;
267 + struct drm_panfrost_create_bo *args = data;
268 ++ struct panfrost_gem_mapping *mapping;
269 +
270 + if (!args->size || args->pad ||
271 + (args->flags & ~(PANFROST_BO_NOEXEC | PANFROST_BO_HEAP)))
272 +@@ -95,7 +97,14 @@ static int panfrost_ioctl_create_bo(struct drm_device *dev, void *data,
273 + if (IS_ERR(bo))
274 + return PTR_ERR(bo);
275 +
276 +- args->offset = bo->node.start << PAGE_SHIFT;
277 ++ mapping = panfrost_gem_mapping_get(bo, priv);
278 ++ if (!mapping) {
279 ++ drm_gem_object_put_unlocked(&bo->base.base);
280 ++ return -EINVAL;
281 ++ }
282 ++
283 ++ args->offset = mapping->mmnode.start << PAGE_SHIFT;
284 ++ panfrost_gem_mapping_put(mapping);
285 +
286 + return 0;
287 + }
288 +@@ -119,6 +128,11 @@ panfrost_lookup_bos(struct drm_device *dev,
289 + struct drm_panfrost_submit *args,
290 + struct panfrost_job *job)
291 + {
292 ++ struct panfrost_file_priv *priv = file_priv->driver_priv;
293 ++ struct panfrost_gem_object *bo;
294 ++ unsigned int i;
295 ++ int ret;
296 ++
297 + job->bo_count = args->bo_handle_count;
298 +
299 + if (!job->bo_count)
300 +@@ -130,9 +144,32 @@ panfrost_lookup_bos(struct drm_device *dev,
301 + if (!job->implicit_fences)
302 + return -ENOMEM;
303 +
304 +- return drm_gem_objects_lookup(file_priv,
305 +- (void __user *)(uintptr_t)args->bo_handles,
306 +- job->bo_count, &job->bos);
307 ++ ret = drm_gem_objects_lookup(file_priv,
308 ++ (void __user *)(uintptr_t)args->bo_handles,
309 ++ job->bo_count, &job->bos);
310 ++ if (ret)
311 ++ return ret;
312 ++
313 ++ job->mappings = kvmalloc_array(job->bo_count,
314 ++ sizeof(struct panfrost_gem_mapping *),
315 ++ GFP_KERNEL | __GFP_ZERO);
316 ++ if (!job->mappings)
317 ++ return -ENOMEM;
318 ++
319 ++ for (i = 0; i < job->bo_count; i++) {
320 ++ struct panfrost_gem_mapping *mapping;
321 ++
322 ++ bo = to_panfrost_bo(job->bos[i]);
323 ++ mapping = panfrost_gem_mapping_get(bo, priv);
324 ++ if (!mapping) {
325 ++ ret = -EINVAL;
326 ++ break;
327 ++ }
328 ++
329 ++ job->mappings[i] = mapping;
330 ++ }
331 ++
332 ++ return ret;
333 + }
334 +
335 + /**
336 +@@ -320,7 +357,9 @@ out:
337 + static int panfrost_ioctl_get_bo_offset(struct drm_device *dev, void *data,
338 + struct drm_file *file_priv)
339 + {
340 ++ struct panfrost_file_priv *priv = file_priv->driver_priv;
341 + struct drm_panfrost_get_bo_offset *args = data;
342 ++ struct panfrost_gem_mapping *mapping;
343 + struct drm_gem_object *gem_obj;
344 + struct panfrost_gem_object *bo;
345 +
346 +@@ -331,18 +370,26 @@ static int panfrost_ioctl_get_bo_offset(struct drm_device *dev, void *data,
347 + }
348 + bo = to_panfrost_bo(gem_obj);
349 +
350 +- args->offset = bo->node.start << PAGE_SHIFT;
351 +-
352 ++ mapping = panfrost_gem_mapping_get(bo, priv);
353 + drm_gem_object_put_unlocked(gem_obj);
354 ++
355 ++ if (!mapping)
356 ++ return -EINVAL;
357 ++
358 ++ args->offset = mapping->mmnode.start << PAGE_SHIFT;
359 ++ panfrost_gem_mapping_put(mapping);
360 + return 0;
361 + }
362 +
363 + static int panfrost_ioctl_madvise(struct drm_device *dev, void *data,
364 + struct drm_file *file_priv)
365 + {
366 ++ struct panfrost_file_priv *priv = file_priv->driver_priv;
367 + struct drm_panfrost_madvise *args = data;
368 + struct panfrost_device *pfdev = dev->dev_private;
369 + struct drm_gem_object *gem_obj;
370 ++ struct panfrost_gem_object *bo;
371 ++ int ret = 0;
372 +
373 + gem_obj = drm_gem_object_lookup(file_priv, args->handle);
374 + if (!gem_obj) {
375 +@@ -350,22 +397,48 @@ static int panfrost_ioctl_madvise(struct drm_device *dev, void *data,
376 + return -ENOENT;
377 + }
378 +
379 ++ bo = to_panfrost_bo(gem_obj);
380 ++
381 + mutex_lock(&pfdev->shrinker_lock);
382 ++ mutex_lock(&bo->mappings.lock);
383 ++ if (args->madv == PANFROST_MADV_DONTNEED) {
384 ++ struct panfrost_gem_mapping *first;
385 ++
386 ++ first = list_first_entry(&bo->mappings.list,
387 ++ struct panfrost_gem_mapping,
388 ++ node);
389 ++
390 ++ /*
391 ++ * If we want to mark the BO purgeable, there must be only one
392 ++ * user: the caller FD.
393 ++ * We could do something smarter and mark the BO purgeable only
394 ++ * when all its users have marked it purgeable, but globally
395 ++ * visible/shared BOs are likely to never be marked purgeable
396 ++ * anyway, so let's not bother.
397 ++ */
398 ++ if (!list_is_singular(&bo->mappings.list) ||
399 ++ WARN_ON_ONCE(first->mmu != &priv->mmu)) {
400 ++ ret = -EINVAL;
401 ++ goto out_unlock_mappings;
402 ++ }
403 ++ }
404 ++
405 + args->retained = drm_gem_shmem_madvise(gem_obj, args->madv);
406 +
407 + if (args->retained) {
408 +- struct panfrost_gem_object *bo = to_panfrost_bo(gem_obj);
409 +-
410 + if (args->madv == PANFROST_MADV_DONTNEED)
411 + list_add_tail(&bo->base.madv_list,
412 + &pfdev->shrinker_list);
413 + else if (args->madv == PANFROST_MADV_WILLNEED)
414 + list_del_init(&bo->base.madv_list);
415 + }
416 ++
417 ++out_unlock_mappings:
418 ++ mutex_unlock(&bo->mappings.lock);
419 + mutex_unlock(&pfdev->shrinker_lock);
420 +
421 + drm_gem_object_put_unlocked(gem_obj);
422 +- return 0;
423 ++ return ret;
424 + }
425 +
426 + int panfrost_unstable_ioctl_check(void)
427 +diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.c b/drivers/gpu/drm/panfrost/panfrost_gem.c
428 +index 92a95210a899..77c3a3855c68 100644
429 +--- a/drivers/gpu/drm/panfrost/panfrost_gem.c
430 ++++ b/drivers/gpu/drm/panfrost/panfrost_gem.c
431 +@@ -29,6 +29,12 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj)
432 + list_del_init(&bo->base.madv_list);
433 + mutex_unlock(&pfdev->shrinker_lock);
434 +
435 ++ /*
436 ++ * If we still have mappings attached to the BO, there's a problem in
437 ++ * our refcounting.
438 ++ */
439 ++ WARN_ON_ONCE(!list_empty(&bo->mappings.list));
440 ++
441 + if (bo->sgts) {
442 + int i;
443 + int n_sgt = bo->base.base.size / SZ_2M;
444 +@@ -46,6 +52,69 @@ static void panfrost_gem_free_object(struct drm_gem_object *obj)
445 + drm_gem_shmem_free_object(obj);
446 + }
447 +
448 ++struct panfrost_gem_mapping *
449 ++panfrost_gem_mapping_get(struct panfrost_gem_object *bo,
450 ++ struct panfrost_file_priv *priv)
451 ++{
452 ++ struct panfrost_gem_mapping *iter, *mapping = NULL;
453 ++
454 ++ mutex_lock(&bo->mappings.lock);
455 ++ list_for_each_entry(iter, &bo->mappings.list, node) {
456 ++ if (iter->mmu == &priv->mmu) {
457 ++ kref_get(&iter->refcount);
458 ++ mapping = iter;
459 ++ break;
460 ++ }
461 ++ }
462 ++ mutex_unlock(&bo->mappings.lock);
463 ++
464 ++ return mapping;
465 ++}
466 ++
467 ++static void
468 ++panfrost_gem_teardown_mapping(struct panfrost_gem_mapping *mapping)
469 ++{
470 ++ struct panfrost_file_priv *priv;
471 ++
472 ++ if (mapping->active)
473 ++ panfrost_mmu_unmap(mapping);
474 ++
475 ++ priv = container_of(mapping->mmu, struct panfrost_file_priv, mmu);
476 ++ spin_lock(&priv->mm_lock);
477 ++ if (drm_mm_node_allocated(&mapping->mmnode))
478 ++ drm_mm_remove_node(&mapping->mmnode);
479 ++ spin_unlock(&priv->mm_lock);
480 ++}
481 ++
482 ++static void panfrost_gem_mapping_release(struct kref *kref)
483 ++{
484 ++ struct panfrost_gem_mapping *mapping;
485 ++
486 ++ mapping = container_of(kref, struct panfrost_gem_mapping, refcount);
487 ++
488 ++ panfrost_gem_teardown_mapping(mapping);
489 ++ drm_gem_object_put_unlocked(&mapping->obj->base.base);
490 ++ kfree(mapping);
491 ++}
492 ++
493 ++void panfrost_gem_mapping_put(struct panfrost_gem_mapping *mapping)
494 ++{
495 ++ if (!mapping)
496 ++ return;
497 ++
498 ++ kref_put(&mapping->refcount, panfrost_gem_mapping_release);
499 ++}
500 ++
501 ++void panfrost_gem_teardown_mappings(struct panfrost_gem_object *bo)
502 ++{
503 ++ struct panfrost_gem_mapping *mapping;
504 ++
505 ++ mutex_lock(&bo->mappings.lock);
506 ++ list_for_each_entry(mapping, &bo->mappings.list, node)
507 ++ panfrost_gem_teardown_mapping(mapping);
508 ++ mutex_unlock(&bo->mappings.lock);
509 ++}
510 ++
511 + int panfrost_gem_open(struct drm_gem_object *obj, struct drm_file *file_priv)
512 + {
513 + int ret;
514 +@@ -54,6 +123,16 @@ int panfrost_gem_open(struct drm_gem_object *obj, struct drm_file *file_priv)
515 + struct panfrost_gem_object *bo = to_panfrost_bo(obj);
516 + unsigned long color = bo->noexec ? PANFROST_BO_NOEXEC : 0;
517 + struct panfrost_file_priv *priv = file_priv->driver_priv;
518 ++ struct panfrost_gem_mapping *mapping;
519 ++
520 ++ mapping = kzalloc(sizeof(*mapping), GFP_KERNEL);
521 ++ if (!mapping)
522 ++ return -ENOMEM;
523 ++
524 ++ INIT_LIST_HEAD(&mapping->node);
525 ++ kref_init(&mapping->refcount);
526 ++ drm_gem_object_get(obj);
527 ++ mapping->obj = bo;
528 +
529 + /*
530 + * Executable buffers cannot cross a 16MB boundary as the program
531 +@@ -66,37 +145,48 @@ int panfrost_gem_open(struct drm_gem_object *obj, struct drm_file *file_priv)
532 + else
533 + align = size >= SZ_2M ? SZ_2M >> PAGE_SHIFT : 0;
534 +
535 +- bo->mmu = &priv->mmu;
536 ++ mapping->mmu = &priv->mmu;
537 + spin_lock(&priv->mm_lock);
538 +- ret = drm_mm_insert_node_generic(&priv->mm, &bo->node,
539 ++ ret = drm_mm_insert_node_generic(&priv->mm, &mapping->mmnode,
540 + size >> PAGE_SHIFT, align, color, 0);
541 + spin_unlock(&priv->mm_lock);
542 + if (ret)
543 +- return ret;
544 ++ goto err;
545 +
546 + if (!bo->is_heap) {
547 +- ret = panfrost_mmu_map(bo);
548 +- if (ret) {
549 +- spin_lock(&priv->mm_lock);
550 +- drm_mm_remove_node(&bo->node);
551 +- spin_unlock(&priv->mm_lock);
552 +- }
553 ++ ret = panfrost_mmu_map(mapping);
554 ++ if (ret)
555 ++ goto err;
556 + }
557 ++
558 ++ mutex_lock(&bo->mappings.lock);
559 ++ WARN_ON(bo->base.madv != PANFROST_MADV_WILLNEED);
560 ++ list_add_tail(&mapping->node, &bo->mappings.list);
561 ++ mutex_unlock(&bo->mappings.lock);
562 ++
563 ++err:
564 ++ if (ret)
565 ++ panfrost_gem_mapping_put(mapping);
566 + return ret;
567 + }
568 +
569 + void panfrost_gem_close(struct drm_gem_object *obj, struct drm_file *file_priv)
570 + {
571 +- struct panfrost_gem_object *bo = to_panfrost_bo(obj);
572 + struct panfrost_file_priv *priv = file_priv->driver_priv;
573 ++ struct panfrost_gem_object *bo = to_panfrost_bo(obj);
574 ++ struct panfrost_gem_mapping *mapping = NULL, *iter;
575 +
576 +- if (bo->is_mapped)
577 +- panfrost_mmu_unmap(bo);
578 ++ mutex_lock(&bo->mappings.lock);
579 ++ list_for_each_entry(iter, &bo->mappings.list, node) {
580 ++ if (iter->mmu == &priv->mmu) {
581 ++ mapping = iter;
582 ++ list_del(&iter->node);
583 ++ break;
584 ++ }
585 ++ }
586 ++ mutex_unlock(&bo->mappings.lock);
587 +
588 +- spin_lock(&priv->mm_lock);
589 +- if (drm_mm_node_allocated(&bo->node))
590 +- drm_mm_remove_node(&bo->node);
591 +- spin_unlock(&priv->mm_lock);
592 ++ panfrost_gem_mapping_put(mapping);
593 + }
594 +
595 + static int panfrost_gem_pin(struct drm_gem_object *obj)
596 +@@ -136,6 +226,8 @@ struct drm_gem_object *panfrost_gem_create_object(struct drm_device *dev, size_t
597 + if (!obj)
598 + return NULL;
599 +
600 ++ INIT_LIST_HEAD(&obj->mappings.list);
601 ++ mutex_init(&obj->mappings.lock);
602 + obj->base.base.funcs = &panfrost_gem_funcs;
603 +
604 + return &obj->base.base;
605 +diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.h b/drivers/gpu/drm/panfrost/panfrost_gem.h
606 +index 4b17e7308764..ca1bc9019600 100644
607 +--- a/drivers/gpu/drm/panfrost/panfrost_gem.h
608 ++++ b/drivers/gpu/drm/panfrost/panfrost_gem.h
609 +@@ -13,23 +13,46 @@ struct panfrost_gem_object {
610 + struct drm_gem_shmem_object base;
611 + struct sg_table *sgts;
612 +
613 +- struct panfrost_mmu *mmu;
614 +- struct drm_mm_node node;
615 +- bool is_mapped :1;
616 ++ /*
617 ++ * Use a list for now. If searching a mapping ever becomes the
618 ++ * bottleneck, we should consider using an RB-tree, or even better,
619 ++ * let the core store drm_gem_object_mapping entries (where we
620 ++ * could place driver specific data) instead of drm_gem_object ones
621 ++ * in its drm_file->object_idr table.
622 ++ *
623 ++ * struct drm_gem_object_mapping {
624 ++ * struct drm_gem_object *obj;
625 ++ * void *driver_priv;
626 ++ * };
627 ++ */
628 ++ struct {
629 ++ struct list_head list;
630 ++ struct mutex lock;
631 ++ } mappings;
632 ++
633 + bool noexec :1;
634 + bool is_heap :1;
635 + };
636 +
637 ++struct panfrost_gem_mapping {
638 ++ struct list_head node;
639 ++ struct kref refcount;
640 ++ struct panfrost_gem_object *obj;
641 ++ struct drm_mm_node mmnode;
642 ++ struct panfrost_mmu *mmu;
643 ++ bool active :1;
644 ++};
645 ++
646 + static inline
647 + struct panfrost_gem_object *to_panfrost_bo(struct drm_gem_object *obj)
648 + {
649 + return container_of(to_drm_gem_shmem_obj(obj), struct panfrost_gem_object, base);
650 + }
651 +
652 +-static inline
653 +-struct panfrost_gem_object *drm_mm_node_to_panfrost_bo(struct drm_mm_node *node)
654 ++static inline struct panfrost_gem_mapping *
655 ++drm_mm_node_to_panfrost_mapping(struct drm_mm_node *node)
656 + {
657 +- return container_of(node, struct panfrost_gem_object, node);
658 ++ return container_of(node, struct panfrost_gem_mapping, mmnode);
659 + }
660 +
661 + struct drm_gem_object *panfrost_gem_create_object(struct drm_device *dev, size_t size);
662 +@@ -49,6 +72,12 @@ int panfrost_gem_open(struct drm_gem_object *obj, struct drm_file *file_priv);
663 + void panfrost_gem_close(struct drm_gem_object *obj,
664 + struct drm_file *file_priv);
665 +
666 ++struct panfrost_gem_mapping *
667 ++panfrost_gem_mapping_get(struct panfrost_gem_object *bo,
668 ++ struct panfrost_file_priv *priv);
669 ++void panfrost_gem_mapping_put(struct panfrost_gem_mapping *mapping);
670 ++void panfrost_gem_teardown_mappings(struct panfrost_gem_object *bo);
671 ++
672 + void panfrost_gem_shrinker_init(struct drm_device *dev);
673 + void panfrost_gem_shrinker_cleanup(struct drm_device *dev);
674 +
675 +diff --git a/drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c b/drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c
676 +index 458f0fa68111..f5dd7b29bc95 100644
677 +--- a/drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c
678 ++++ b/drivers/gpu/drm/panfrost/panfrost_gem_shrinker.c
679 +@@ -39,11 +39,12 @@ panfrost_gem_shrinker_count(struct shrinker *shrinker, struct shrink_control *sc
680 + static bool panfrost_gem_purge(struct drm_gem_object *obj)
681 + {
682 + struct drm_gem_shmem_object *shmem = to_drm_gem_shmem_obj(obj);
683 ++ struct panfrost_gem_object *bo = to_panfrost_bo(obj);
684 +
685 + if (!mutex_trylock(&shmem->pages_lock))
686 + return false;
687 +
688 +- panfrost_mmu_unmap(to_panfrost_bo(obj));
689 ++ panfrost_gem_teardown_mappings(bo);
690 + drm_gem_shmem_purge_locked(obj);
691 +
692 + mutex_unlock(&shmem->pages_lock);
693 +diff --git a/drivers/gpu/drm/panfrost/panfrost_job.c b/drivers/gpu/drm/panfrost/panfrost_job.c
694 +index 21f34d44aac2..bbb0c5e3ca6f 100644
695 +--- a/drivers/gpu/drm/panfrost/panfrost_job.c
696 ++++ b/drivers/gpu/drm/panfrost/panfrost_job.c
697 +@@ -269,9 +269,20 @@ static void panfrost_job_cleanup(struct kref *ref)
698 + dma_fence_put(job->done_fence);
699 + dma_fence_put(job->render_done_fence);
700 +
701 +- if (job->bos) {
702 ++ if (job->mappings) {
703 + for (i = 0; i < job->bo_count; i++)
704 ++ panfrost_gem_mapping_put(job->mappings[i]);
705 ++ kvfree(job->mappings);
706 ++ }
707 ++
708 ++ if (job->bos) {
709 ++ struct panfrost_gem_object *bo;
710 ++
711 ++ for (i = 0; i < job->bo_count; i++) {
712 ++ bo = to_panfrost_bo(job->bos[i]);
713 + drm_gem_object_put_unlocked(job->bos[i]);
714 ++ }
715 ++
716 + kvfree(job->bos);
717 + }
718 +
719 +diff --git a/drivers/gpu/drm/panfrost/panfrost_job.h b/drivers/gpu/drm/panfrost/panfrost_job.h
720 +index 62454128a792..bbd3ba97ff67 100644
721 +--- a/drivers/gpu/drm/panfrost/panfrost_job.h
722 ++++ b/drivers/gpu/drm/panfrost/panfrost_job.h
723 +@@ -32,6 +32,7 @@ struct panfrost_job {
724 +
725 + /* Exclusive fences we have taken from the BOs to wait for */
726 + struct dma_fence **implicit_fences;
727 ++ struct panfrost_gem_mapping **mappings;
728 + struct drm_gem_object **bos;
729 + u32 bo_count;
730 +
731 +diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c
732 +index a3ed64a1f15e..763cfca886a7 100644
733 +--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
734 ++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
735 +@@ -269,14 +269,15 @@ static int mmu_map_sg(struct panfrost_device *pfdev, struct panfrost_mmu *mmu,
736 + return 0;
737 + }
738 +
739 +-int panfrost_mmu_map(struct panfrost_gem_object *bo)
740 ++int panfrost_mmu_map(struct panfrost_gem_mapping *mapping)
741 + {
742 ++ struct panfrost_gem_object *bo = mapping->obj;
743 + struct drm_gem_object *obj = &bo->base.base;
744 + struct panfrost_device *pfdev = to_panfrost_device(obj->dev);
745 + struct sg_table *sgt;
746 + int prot = IOMMU_READ | IOMMU_WRITE;
747 +
748 +- if (WARN_ON(bo->is_mapped))
749 ++ if (WARN_ON(mapping->active))
750 + return 0;
751 +
752 + if (bo->noexec)
753 +@@ -286,25 +287,28 @@ int panfrost_mmu_map(struct panfrost_gem_object *bo)
754 + if (WARN_ON(IS_ERR(sgt)))
755 + return PTR_ERR(sgt);
756 +
757 +- mmu_map_sg(pfdev, bo->mmu, bo->node.start << PAGE_SHIFT, prot, sgt);
758 +- bo->is_mapped = true;
759 ++ mmu_map_sg(pfdev, mapping->mmu, mapping->mmnode.start << PAGE_SHIFT,
760 ++ prot, sgt);
761 ++ mapping->active = true;
762 +
763 + return 0;
764 + }
765 +
766 +-void panfrost_mmu_unmap(struct panfrost_gem_object *bo)
767 ++void panfrost_mmu_unmap(struct panfrost_gem_mapping *mapping)
768 + {
769 ++ struct panfrost_gem_object *bo = mapping->obj;
770 + struct drm_gem_object *obj = &bo->base.base;
771 + struct panfrost_device *pfdev = to_panfrost_device(obj->dev);
772 +- struct io_pgtable_ops *ops = bo->mmu->pgtbl_ops;
773 +- u64 iova = bo->node.start << PAGE_SHIFT;
774 +- size_t len = bo->node.size << PAGE_SHIFT;
775 ++ struct io_pgtable_ops *ops = mapping->mmu->pgtbl_ops;
776 ++ u64 iova = mapping->mmnode.start << PAGE_SHIFT;
777 ++ size_t len = mapping->mmnode.size << PAGE_SHIFT;
778 + size_t unmapped_len = 0;
779 +
780 +- if (WARN_ON(!bo->is_mapped))
781 ++ if (WARN_ON(!mapping->active))
782 + return;
783 +
784 +- dev_dbg(pfdev->dev, "unmap: as=%d, iova=%llx, len=%zx", bo->mmu->as, iova, len);
785 ++ dev_dbg(pfdev->dev, "unmap: as=%d, iova=%llx, len=%zx",
786 ++ mapping->mmu->as, iova, len);
787 +
788 + while (unmapped_len < len) {
789 + size_t unmapped_page;
790 +@@ -318,8 +322,9 @@ void panfrost_mmu_unmap(struct panfrost_gem_object *bo)
791 + unmapped_len += pgsize;
792 + }
793 +
794 +- panfrost_mmu_flush_range(pfdev, bo->mmu, bo->node.start << PAGE_SHIFT, len);
795 +- bo->is_mapped = false;
796 ++ panfrost_mmu_flush_range(pfdev, mapping->mmu,
797 ++ mapping->mmnode.start << PAGE_SHIFT, len);
798 ++ mapping->active = false;
799 + }
800 +
801 + static void mmu_tlb_inv_context_s1(void *cookie)
802 +@@ -394,10 +399,10 @@ void panfrost_mmu_pgtable_free(struct panfrost_file_priv *priv)
803 + free_io_pgtable_ops(mmu->pgtbl_ops);
804 + }
805 +
806 +-static struct panfrost_gem_object *
807 +-addr_to_drm_mm_node(struct panfrost_device *pfdev, int as, u64 addr)
808 ++static struct panfrost_gem_mapping *
809 ++addr_to_mapping(struct panfrost_device *pfdev, int as, u64 addr)
810 + {
811 +- struct panfrost_gem_object *bo = NULL;
812 ++ struct panfrost_gem_mapping *mapping = NULL;
813 + struct panfrost_file_priv *priv;
814 + struct drm_mm_node *node;
815 + u64 offset = addr >> PAGE_SHIFT;
816 +@@ -418,8 +423,9 @@ found_mmu:
817 + drm_mm_for_each_node(node, &priv->mm) {
818 + if (offset >= node->start &&
819 + offset < (node->start + node->size)) {
820 +- bo = drm_mm_node_to_panfrost_bo(node);
821 +- drm_gem_object_get(&bo->base.base);
822 ++ mapping = drm_mm_node_to_panfrost_mapping(node);
823 ++
824 ++ kref_get(&mapping->refcount);
825 + break;
826 + }
827 + }
828 +@@ -427,7 +433,7 @@ found_mmu:
829 + spin_unlock(&priv->mm_lock);
830 + out:
831 + spin_unlock(&pfdev->as_lock);
832 +- return bo;
833 ++ return mapping;
834 + }
835 +
836 + #define NUM_FAULT_PAGES (SZ_2M / PAGE_SIZE)
837 +@@ -436,28 +442,30 @@ static int panfrost_mmu_map_fault_addr(struct panfrost_device *pfdev, int as,
838 + u64 addr)
839 + {
840 + int ret, i;
841 ++ struct panfrost_gem_mapping *bomapping;
842 + struct panfrost_gem_object *bo;
843 + struct address_space *mapping;
844 + pgoff_t page_offset;
845 + struct sg_table *sgt;
846 + struct page **pages;
847 +
848 +- bo = addr_to_drm_mm_node(pfdev, as, addr);
849 +- if (!bo)
850 ++ bomapping = addr_to_mapping(pfdev, as, addr);
851 ++ if (!bomapping)
852 + return -ENOENT;
853 +
854 ++ bo = bomapping->obj;
855 + if (!bo->is_heap) {
856 + dev_WARN(pfdev->dev, "matching BO is not heap type (GPU VA = %llx)",
857 +- bo->node.start << PAGE_SHIFT);
858 ++ bomapping->mmnode.start << PAGE_SHIFT);
859 + ret = -EINVAL;
860 + goto err_bo;
861 + }
862 +- WARN_ON(bo->mmu->as != as);
863 ++ WARN_ON(bomapping->mmu->as != as);
864 +
865 + /* Assume 2MB alignment and size multiple */
866 + addr &= ~((u64)SZ_2M - 1);
867 + page_offset = addr >> PAGE_SHIFT;
868 +- page_offset -= bo->node.start;
869 ++ page_offset -= bomapping->mmnode.start;
870 +
871 + mutex_lock(&bo->base.pages_lock);
872 +
873 +@@ -509,13 +517,14 @@ static int panfrost_mmu_map_fault_addr(struct panfrost_device *pfdev, int as,
874 + goto err_map;
875 + }
876 +
877 +- mmu_map_sg(pfdev, bo->mmu, addr, IOMMU_WRITE | IOMMU_READ | IOMMU_NOEXEC, sgt);
878 ++ mmu_map_sg(pfdev, bomapping->mmu, addr,
879 ++ IOMMU_WRITE | IOMMU_READ | IOMMU_NOEXEC, sgt);
880 +
881 +- bo->is_mapped = true;
882 ++ bomapping->active = true;
883 +
884 + dev_dbg(pfdev->dev, "mapped page fault @ AS%d %llx", as, addr);
885 +
886 +- drm_gem_object_put_unlocked(&bo->base.base);
887 ++ panfrost_gem_mapping_put(bomapping);
888 +
889 + return 0;
890 +
891 +diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.h b/drivers/gpu/drm/panfrost/panfrost_mmu.h
892 +index 7c5b6775ae23..44fc2edf63ce 100644
893 +--- a/drivers/gpu/drm/panfrost/panfrost_mmu.h
894 ++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.h
895 +@@ -4,12 +4,12 @@
896 + #ifndef __PANFROST_MMU_H__
897 + #define __PANFROST_MMU_H__
898 +
899 +-struct panfrost_gem_object;
900 ++struct panfrost_gem_mapping;
901 + struct panfrost_file_priv;
902 + struct panfrost_mmu;
903 +
904 +-int panfrost_mmu_map(struct panfrost_gem_object *bo);
905 +-void panfrost_mmu_unmap(struct panfrost_gem_object *bo);
906 ++int panfrost_mmu_map(struct panfrost_gem_mapping *mapping);
907 ++void panfrost_mmu_unmap(struct panfrost_gem_mapping *mapping);
908 +
909 + int panfrost_mmu_init(struct panfrost_device *pfdev);
910 + void panfrost_mmu_fini(struct panfrost_device *pfdev);
911 +diff --git a/drivers/gpu/drm/panfrost/panfrost_perfcnt.c b/drivers/gpu/drm/panfrost/panfrost_perfcnt.c
912 +index 2c04e858c50a..684820448be3 100644
913 +--- a/drivers/gpu/drm/panfrost/panfrost_perfcnt.c
914 ++++ b/drivers/gpu/drm/panfrost/panfrost_perfcnt.c
915 +@@ -25,7 +25,7 @@
916 + #define V4_SHADERS_PER_COREGROUP 4
917 +
918 + struct panfrost_perfcnt {
919 +- struct panfrost_gem_object *bo;
920 ++ struct panfrost_gem_mapping *mapping;
921 + size_t bosize;
922 + void *buf;
923 + struct panfrost_file_priv *user;
924 +@@ -49,7 +49,7 @@ static int panfrost_perfcnt_dump_locked(struct panfrost_device *pfdev)
925 + int ret;
926 +
927 + reinit_completion(&pfdev->perfcnt->dump_comp);
928 +- gpuva = pfdev->perfcnt->bo->node.start << PAGE_SHIFT;
929 ++ gpuva = pfdev->perfcnt->mapping->mmnode.start << PAGE_SHIFT;
930 + gpu_write(pfdev, GPU_PERFCNT_BASE_LO, gpuva);
931 + gpu_write(pfdev, GPU_PERFCNT_BASE_HI, gpuva >> 32);
932 + gpu_write(pfdev, GPU_INT_CLEAR,
933 +@@ -89,17 +89,22 @@ static int panfrost_perfcnt_enable_locked(struct panfrost_device *pfdev,
934 + if (IS_ERR(bo))
935 + return PTR_ERR(bo);
936 +
937 +- perfcnt->bo = to_panfrost_bo(&bo->base);
938 +-
939 + /* Map the perfcnt buf in the address space attached to file_priv. */
940 +- ret = panfrost_gem_open(&perfcnt->bo->base.base, file_priv);
941 ++ ret = panfrost_gem_open(&bo->base, file_priv);
942 + if (ret)
943 + goto err_put_bo;
944 +
945 ++ perfcnt->mapping = panfrost_gem_mapping_get(to_panfrost_bo(&bo->base),
946 ++ user);
947 ++ if (!perfcnt->mapping) {
948 ++ ret = -EINVAL;
949 ++ goto err_close_bo;
950 ++ }
951 ++
952 + perfcnt->buf = drm_gem_shmem_vmap(&bo->base);
953 + if (IS_ERR(perfcnt->buf)) {
954 + ret = PTR_ERR(perfcnt->buf);
955 +- goto err_close_bo;
956 ++ goto err_put_mapping;
957 + }
958 +
959 + /*
960 +@@ -154,12 +159,17 @@ static int panfrost_perfcnt_enable_locked(struct panfrost_device *pfdev,
961 + if (panfrost_has_hw_issue(pfdev, HW_ISSUE_8186))
962 + gpu_write(pfdev, GPU_PRFCNT_TILER_EN, 0xffffffff);
963 +
964 ++ /* The BO ref is retained by the mapping. */
965 ++ drm_gem_object_put_unlocked(&bo->base);
966 ++
967 + return 0;
968 +
969 + err_vunmap:
970 +- drm_gem_shmem_vunmap(&perfcnt->bo->base.base, perfcnt->buf);
971 ++ drm_gem_shmem_vunmap(&bo->base, perfcnt->buf);
972 ++err_put_mapping:
973 ++ panfrost_gem_mapping_put(perfcnt->mapping);
974 + err_close_bo:
975 +- panfrost_gem_close(&perfcnt->bo->base.base, file_priv);
976 ++ panfrost_gem_close(&bo->base, file_priv);
977 + err_put_bo:
978 + drm_gem_object_put_unlocked(&bo->base);
979 + return ret;
980 +@@ -182,11 +192,11 @@ static int panfrost_perfcnt_disable_locked(struct panfrost_device *pfdev,
981 + GPU_PERFCNT_CFG_MODE(GPU_PERFCNT_CFG_MODE_OFF));
982 +
983 + perfcnt->user = NULL;
984 +- drm_gem_shmem_vunmap(&perfcnt->bo->base.base, perfcnt->buf);
985 ++ drm_gem_shmem_vunmap(&perfcnt->mapping->obj->base.base, perfcnt->buf);
986 + perfcnt->buf = NULL;
987 +- panfrost_gem_close(&perfcnt->bo->base.base, file_priv);
988 +- drm_gem_object_put_unlocked(&perfcnt->bo->base.base);
989 +- perfcnt->bo = NULL;
990 ++ panfrost_gem_close(&perfcnt->mapping->obj->base.base, file_priv);
991 ++ panfrost_gem_mapping_put(perfcnt->mapping);
992 ++ perfcnt->mapping = NULL;
993 + pm_runtime_mark_last_busy(pfdev->dev);
994 + pm_runtime_put_autosuspend(pfdev->dev);
995 +
996 +diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c
997 +index 6c64d50c9aae..01c2eeb02aa9 100644
998 +--- a/drivers/hwmon/adt7475.c
999 ++++ b/drivers/hwmon/adt7475.c
1000 +@@ -294,9 +294,10 @@ static inline u16 volt2reg(int channel, long volt, u8 bypass_attn)
1001 + long reg;
1002 +
1003 + if (bypass_attn & (1 << channel))
1004 +- reg = (volt * 1024) / 2250;
1005 ++ reg = DIV_ROUND_CLOSEST(volt * 1024, 2250);
1006 + else
1007 +- reg = (volt * r[1] * 1024) / ((r[0] + r[1]) * 2250);
1008 ++ reg = DIV_ROUND_CLOSEST(volt * r[1] * 1024,
1009 ++ (r[0] + r[1]) * 2250);
1010 + return clamp_val(reg, 0, 1023) & (0xff << 2);
1011 + }
1012 +
1013 +diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
1014 +index 1f3b30b085b9..d018b20089ec 100644
1015 +--- a/drivers/hwmon/hwmon.c
1016 ++++ b/drivers/hwmon/hwmon.c
1017 +@@ -51,6 +51,7 @@ struct hwmon_device_attribute {
1018 +
1019 + #define to_hwmon_attr(d) \
1020 + container_of(d, struct hwmon_device_attribute, dev_attr)
1021 ++#define to_dev_attr(a) container_of(a, struct device_attribute, attr)
1022 +
1023 + /*
1024 + * Thermal zone information
1025 +@@ -58,7 +59,7 @@ struct hwmon_device_attribute {
1026 + * also provides the sensor index.
1027 + */
1028 + struct hwmon_thermal_data {
1029 +- struct hwmon_device *hwdev; /* Reference to hwmon device */
1030 ++ struct device *dev; /* Reference to hwmon device */
1031 + int index; /* sensor index */
1032 + };
1033 +
1034 +@@ -95,9 +96,27 @@ static const struct attribute_group *hwmon_dev_attr_groups[] = {
1035 + NULL
1036 + };
1037 +
1038 ++static void hwmon_free_attrs(struct attribute **attrs)
1039 ++{
1040 ++ int i;
1041 ++
1042 ++ for (i = 0; attrs[i]; i++) {
1043 ++ struct device_attribute *dattr = to_dev_attr(attrs[i]);
1044 ++ struct hwmon_device_attribute *hattr = to_hwmon_attr(dattr);
1045 ++
1046 ++ kfree(hattr);
1047 ++ }
1048 ++ kfree(attrs);
1049 ++}
1050 ++
1051 + static void hwmon_dev_release(struct device *dev)
1052 + {
1053 +- kfree(to_hwmon_device(dev));
1054 ++ struct hwmon_device *hwdev = to_hwmon_device(dev);
1055 ++
1056 ++ if (hwdev->group.attrs)
1057 ++ hwmon_free_attrs(hwdev->group.attrs);
1058 ++ kfree(hwdev->groups);
1059 ++ kfree(hwdev);
1060 + }
1061 +
1062 + static struct class hwmon_class = {
1063 +@@ -119,11 +138,11 @@ static DEFINE_IDA(hwmon_ida);
1064 + static int hwmon_thermal_get_temp(void *data, int *temp)
1065 + {
1066 + struct hwmon_thermal_data *tdata = data;
1067 +- struct hwmon_device *hwdev = tdata->hwdev;
1068 ++ struct hwmon_device *hwdev = to_hwmon_device(tdata->dev);
1069 + int ret;
1070 + long t;
1071 +
1072 +- ret = hwdev->chip->ops->read(&hwdev->dev, hwmon_temp, hwmon_temp_input,
1073 ++ ret = hwdev->chip->ops->read(tdata->dev, hwmon_temp, hwmon_temp_input,
1074 + tdata->index, &t);
1075 + if (ret < 0)
1076 + return ret;
1077 +@@ -137,8 +156,7 @@ static const struct thermal_zone_of_device_ops hwmon_thermal_ops = {
1078 + .get_temp = hwmon_thermal_get_temp,
1079 + };
1080 +
1081 +-static int hwmon_thermal_add_sensor(struct device *dev,
1082 +- struct hwmon_device *hwdev, int index)
1083 ++static int hwmon_thermal_add_sensor(struct device *dev, int index)
1084 + {
1085 + struct hwmon_thermal_data *tdata;
1086 + struct thermal_zone_device *tzd;
1087 +@@ -147,10 +165,10 @@ static int hwmon_thermal_add_sensor(struct device *dev,
1088 + if (!tdata)
1089 + return -ENOMEM;
1090 +
1091 +- tdata->hwdev = hwdev;
1092 ++ tdata->dev = dev;
1093 + tdata->index = index;
1094 +
1095 +- tzd = devm_thermal_zone_of_sensor_register(&hwdev->dev, index, tdata,
1096 ++ tzd = devm_thermal_zone_of_sensor_register(dev, index, tdata,
1097 + &hwmon_thermal_ops);
1098 + /*
1099 + * If CONFIG_THERMAL_OF is disabled, this returns -ENODEV,
1100 +@@ -162,8 +180,7 @@ static int hwmon_thermal_add_sensor(struct device *dev,
1101 + return 0;
1102 + }
1103 + #else
1104 +-static int hwmon_thermal_add_sensor(struct device *dev,
1105 +- struct hwmon_device *hwdev, int index)
1106 ++static int hwmon_thermal_add_sensor(struct device *dev, int index)
1107 + {
1108 + return 0;
1109 + }
1110 +@@ -250,8 +267,7 @@ static bool is_string_attr(enum hwmon_sensor_types type, u32 attr)
1111 + (type == hwmon_fan && attr == hwmon_fan_label);
1112 + }
1113 +
1114 +-static struct attribute *hwmon_genattr(struct device *dev,
1115 +- const void *drvdata,
1116 ++static struct attribute *hwmon_genattr(const void *drvdata,
1117 + enum hwmon_sensor_types type,
1118 + u32 attr,
1119 + int index,
1120 +@@ -279,7 +295,7 @@ static struct attribute *hwmon_genattr(struct device *dev,
1121 + if ((mode & 0222) && !ops->write)
1122 + return ERR_PTR(-EINVAL);
1123 +
1124 +- hattr = devm_kzalloc(dev, sizeof(*hattr), GFP_KERNEL);
1125 ++ hattr = kzalloc(sizeof(*hattr), GFP_KERNEL);
1126 + if (!hattr)
1127 + return ERR_PTR(-ENOMEM);
1128 +
1129 +@@ -492,8 +508,7 @@ static int hwmon_num_channel_attrs(const struct hwmon_channel_info *info)
1130 + return n;
1131 + }
1132 +
1133 +-static int hwmon_genattrs(struct device *dev,
1134 +- const void *drvdata,
1135 ++static int hwmon_genattrs(const void *drvdata,
1136 + struct attribute **attrs,
1137 + const struct hwmon_ops *ops,
1138 + const struct hwmon_channel_info *info)
1139 +@@ -519,7 +534,7 @@ static int hwmon_genattrs(struct device *dev,
1140 + attr_mask &= ~BIT(attr);
1141 + if (attr >= template_size)
1142 + return -EINVAL;
1143 +- a = hwmon_genattr(dev, drvdata, info->type, attr, i,
1144 ++ a = hwmon_genattr(drvdata, info->type, attr, i,
1145 + templates[attr], ops);
1146 + if (IS_ERR(a)) {
1147 + if (PTR_ERR(a) != -ENOENT)
1148 +@@ -533,8 +548,7 @@ static int hwmon_genattrs(struct device *dev,
1149 + }
1150 +
1151 + static struct attribute **
1152 +-__hwmon_create_attrs(struct device *dev, const void *drvdata,
1153 +- const struct hwmon_chip_info *chip)
1154 ++__hwmon_create_attrs(const void *drvdata, const struct hwmon_chip_info *chip)
1155 + {
1156 + int ret, i, aindex = 0, nattrs = 0;
1157 + struct attribute **attrs;
1158 +@@ -545,15 +559,17 @@ __hwmon_create_attrs(struct device *dev, const void *drvdata,
1159 + if (nattrs == 0)
1160 + return ERR_PTR(-EINVAL);
1161 +
1162 +- attrs = devm_kcalloc(dev, nattrs + 1, sizeof(*attrs), GFP_KERNEL);
1163 ++ attrs = kcalloc(nattrs + 1, sizeof(*attrs), GFP_KERNEL);
1164 + if (!attrs)
1165 + return ERR_PTR(-ENOMEM);
1166 +
1167 + for (i = 0; chip->info[i]; i++) {
1168 +- ret = hwmon_genattrs(dev, drvdata, &attrs[aindex], chip->ops,
1169 ++ ret = hwmon_genattrs(drvdata, &attrs[aindex], chip->ops,
1170 + chip->info[i]);
1171 +- if (ret < 0)
1172 ++ if (ret < 0) {
1173 ++ hwmon_free_attrs(attrs);
1174 + return ERR_PTR(ret);
1175 ++ }
1176 + aindex += ret;
1177 + }
1178 +
1179 +@@ -595,14 +611,13 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
1180 + for (i = 0; groups[i]; i++)
1181 + ngroups++;
1182 +
1183 +- hwdev->groups = devm_kcalloc(dev, ngroups, sizeof(*groups),
1184 +- GFP_KERNEL);
1185 ++ hwdev->groups = kcalloc(ngroups, sizeof(*groups), GFP_KERNEL);
1186 + if (!hwdev->groups) {
1187 + err = -ENOMEM;
1188 + goto free_hwmon;
1189 + }
1190 +
1191 +- attrs = __hwmon_create_attrs(dev, drvdata, chip);
1192 ++ attrs = __hwmon_create_attrs(drvdata, chip);
1193 + if (IS_ERR(attrs)) {
1194 + err = PTR_ERR(attrs);
1195 + goto free_hwmon;
1196 +@@ -647,8 +662,7 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
1197 + hwmon_temp_input, j))
1198 + continue;
1199 + if (info[i]->config[j] & HWMON_T_INPUT) {
1200 +- err = hwmon_thermal_add_sensor(dev,
1201 +- hwdev, j);
1202 ++ err = hwmon_thermal_add_sensor(hdev, j);
1203 + if (err) {
1204 + device_unregister(hdev);
1205 + /*
1206 +@@ -667,7 +681,7 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata,
1207 + return hdev;
1208 +
1209 + free_hwmon:
1210 +- kfree(hwdev);
1211 ++ hwmon_dev_release(hdev);
1212 + ida_remove:
1213 + ida_simple_remove(&hwmon_ida, id);
1214 + return ERR_PTR(err);
1215 +diff --git a/drivers/hwmon/nct7802.c b/drivers/hwmon/nct7802.c
1216 +index f3dd2a17bd42..2e97e56c72c7 100644
1217 +--- a/drivers/hwmon/nct7802.c
1218 ++++ b/drivers/hwmon/nct7802.c
1219 +@@ -23,8 +23,8 @@
1220 + static const u8 REG_VOLTAGE[5] = { 0x09, 0x0a, 0x0c, 0x0d, 0x0e };
1221 +
1222 + static const u8 REG_VOLTAGE_LIMIT_LSB[2][5] = {
1223 +- { 0x40, 0x00, 0x42, 0x44, 0x46 },
1224 +- { 0x3f, 0x00, 0x41, 0x43, 0x45 },
1225 ++ { 0x46, 0x00, 0x40, 0x42, 0x44 },
1226 ++ { 0x45, 0x00, 0x3f, 0x41, 0x43 },
1227 + };
1228 +
1229 + static const u8 REG_VOLTAGE_LIMIT_MSB[5] = { 0x48, 0x00, 0x47, 0x47, 0x48 };
1230 +@@ -58,6 +58,8 @@ static const u8 REG_VOLTAGE_LIMIT_MSB_SHIFT[2][5] = {
1231 + struct nct7802_data {
1232 + struct regmap *regmap;
1233 + struct mutex access_lock; /* for multi-byte read and write operations */
1234 ++ u8 in_status;
1235 ++ struct mutex in_alarm_lock;
1236 + };
1237 +
1238 + static ssize_t temp_type_show(struct device *dev,
1239 +@@ -368,6 +370,66 @@ static ssize_t in_store(struct device *dev, struct device_attribute *attr,
1240 + return err ? : count;
1241 + }
1242 +
1243 ++static ssize_t in_alarm_show(struct device *dev, struct device_attribute *attr,
1244 ++ char *buf)
1245 ++{
1246 ++ struct sensor_device_attribute_2 *sattr = to_sensor_dev_attr_2(attr);
1247 ++ struct nct7802_data *data = dev_get_drvdata(dev);
1248 ++ int volt, min, max, ret;
1249 ++ unsigned int val;
1250 ++
1251 ++ mutex_lock(&data->in_alarm_lock);
1252 ++
1253 ++ /*
1254 ++ * The SMI Voltage status register is the only register giving a status
1255 ++ * for voltages. A bit is set for each input crossing a threshold, in
1256 ++ * both direction, but the "inside" or "outside" limits info is not
1257 ++ * available. Also this register is cleared on read.
1258 ++ * Note: this is not explicitly spelled out in the datasheet, but
1259 ++ * from experiment.
1260 ++ * To deal with this we use a status cache with one validity bit and
1261 ++ * one status bit for each input. Validity is cleared at startup and
1262 ++ * each time the register reports a change, and the status is processed
1263 ++ * by software based on current input value and limits.
1264 ++ */
1265 ++ ret = regmap_read(data->regmap, 0x1e, &val); /* SMI Voltage status */
1266 ++ if (ret < 0)
1267 ++ goto abort;
1268 ++
1269 ++ /* invalidate cached status for all inputs crossing a threshold */
1270 ++ data->in_status &= ~((val & 0x0f) << 4);
1271 ++
1272 ++ /* if cached status for requested input is invalid, update it */
1273 ++ if (!(data->in_status & (0x10 << sattr->index))) {
1274 ++ ret = nct7802_read_voltage(data, sattr->nr, 0);
1275 ++ if (ret < 0)
1276 ++ goto abort;
1277 ++ volt = ret;
1278 ++
1279 ++ ret = nct7802_read_voltage(data, sattr->nr, 1);
1280 ++ if (ret < 0)
1281 ++ goto abort;
1282 ++ min = ret;
1283 ++
1284 ++ ret = nct7802_read_voltage(data, sattr->nr, 2);
1285 ++ if (ret < 0)
1286 ++ goto abort;
1287 ++ max = ret;
1288 ++
1289 ++ if (volt < min || volt > max)
1290 ++ data->in_status |= (1 << sattr->index);
1291 ++ else
1292 ++ data->in_status &= ~(1 << sattr->index);
1293 ++
1294 ++ data->in_status |= 0x10 << sattr->index;
1295 ++ }
1296 ++
1297 ++ ret = sprintf(buf, "%u\n", !!(data->in_status & (1 << sattr->index)));
1298 ++abort:
1299 ++ mutex_unlock(&data->in_alarm_lock);
1300 ++ return ret;
1301 ++}
1302 ++
1303 + static ssize_t temp_show(struct device *dev, struct device_attribute *attr,
1304 + char *buf)
1305 + {
1306 +@@ -660,7 +722,7 @@ static const struct attribute_group nct7802_temp_group = {
1307 + static SENSOR_DEVICE_ATTR_2_RO(in0_input, in, 0, 0);
1308 + static SENSOR_DEVICE_ATTR_2_RW(in0_min, in, 0, 1);
1309 + static SENSOR_DEVICE_ATTR_2_RW(in0_max, in, 0, 2);
1310 +-static SENSOR_DEVICE_ATTR_2_RO(in0_alarm, alarm, 0x1e, 3);
1311 ++static SENSOR_DEVICE_ATTR_2_RO(in0_alarm, in_alarm, 0, 3);
1312 + static SENSOR_DEVICE_ATTR_2_RW(in0_beep, beep, 0x5a, 3);
1313 +
1314 + static SENSOR_DEVICE_ATTR_2_RO(in1_input, in, 1, 0);
1315 +@@ -668,19 +730,19 @@ static SENSOR_DEVICE_ATTR_2_RO(in1_input, in, 1, 0);
1316 + static SENSOR_DEVICE_ATTR_2_RO(in2_input, in, 2, 0);
1317 + static SENSOR_DEVICE_ATTR_2_RW(in2_min, in, 2, 1);
1318 + static SENSOR_DEVICE_ATTR_2_RW(in2_max, in, 2, 2);
1319 +-static SENSOR_DEVICE_ATTR_2_RO(in2_alarm, alarm, 0x1e, 0);
1320 ++static SENSOR_DEVICE_ATTR_2_RO(in2_alarm, in_alarm, 2, 0);
1321 + static SENSOR_DEVICE_ATTR_2_RW(in2_beep, beep, 0x5a, 0);
1322 +
1323 + static SENSOR_DEVICE_ATTR_2_RO(in3_input, in, 3, 0);
1324 + static SENSOR_DEVICE_ATTR_2_RW(in3_min, in, 3, 1);
1325 + static SENSOR_DEVICE_ATTR_2_RW(in3_max, in, 3, 2);
1326 +-static SENSOR_DEVICE_ATTR_2_RO(in3_alarm, alarm, 0x1e, 1);
1327 ++static SENSOR_DEVICE_ATTR_2_RO(in3_alarm, in_alarm, 3, 1);
1328 + static SENSOR_DEVICE_ATTR_2_RW(in3_beep, beep, 0x5a, 1);
1329 +
1330 + static SENSOR_DEVICE_ATTR_2_RO(in4_input, in, 4, 0);
1331 + static SENSOR_DEVICE_ATTR_2_RW(in4_min, in, 4, 1);
1332 + static SENSOR_DEVICE_ATTR_2_RW(in4_max, in, 4, 2);
1333 +-static SENSOR_DEVICE_ATTR_2_RO(in4_alarm, alarm, 0x1e, 2);
1334 ++static SENSOR_DEVICE_ATTR_2_RO(in4_alarm, in_alarm, 4, 2);
1335 + static SENSOR_DEVICE_ATTR_2_RW(in4_beep, beep, 0x5a, 2);
1336 +
1337 + static struct attribute *nct7802_in_attrs[] = {
1338 +@@ -1011,6 +1073,7 @@ static int nct7802_probe(struct i2c_client *client,
1339 + return PTR_ERR(data->regmap);
1340 +
1341 + mutex_init(&data->access_lock);
1342 ++ mutex_init(&data->in_alarm_lock);
1343 +
1344 + ret = nct7802_init_chip(data);
1345 + if (ret < 0)
1346 +diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
1347 +index a1a035270cab..b273e421e910 100644
1348 +--- a/drivers/infiniband/ulp/isert/ib_isert.c
1349 ++++ b/drivers/infiniband/ulp/isert/ib_isert.c
1350 +@@ -2575,17 +2575,6 @@ isert_wait4logout(struct isert_conn *isert_conn)
1351 + }
1352 + }
1353 +
1354 +-static void
1355 +-isert_wait4cmds(struct iscsi_conn *conn)
1356 +-{
1357 +- isert_info("iscsi_conn %p\n", conn);
1358 +-
1359 +- if (conn->sess) {
1360 +- target_sess_cmd_list_set_waiting(conn->sess->se_sess);
1361 +- target_wait_for_sess_cmds(conn->sess->se_sess);
1362 +- }
1363 +-}
1364 +-
1365 + /**
1366 + * isert_put_unsol_pending_cmds() - Drop commands waiting for
1367 + * unsolicitate dataout
1368 +@@ -2633,7 +2622,6 @@ static void isert_wait_conn(struct iscsi_conn *conn)
1369 +
1370 + ib_drain_qp(isert_conn->qp);
1371 + isert_put_unsol_pending_cmds(conn);
1372 +- isert_wait4cmds(conn);
1373 + isert_wait4logout(isert_conn);
1374 +
1375 + queue_work(isert_release_wq, &isert_conn->release_work);
1376 +diff --git a/drivers/input/misc/keyspan_remote.c b/drivers/input/misc/keyspan_remote.c
1377 +index 83368f1e7c4e..4650f4a94989 100644
1378 +--- a/drivers/input/misc/keyspan_remote.c
1379 ++++ b/drivers/input/misc/keyspan_remote.c
1380 +@@ -336,7 +336,8 @@ static int keyspan_setup(struct usb_device* dev)
1381 + int retval = 0;
1382 +
1383 + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
1384 +- 0x11, 0x40, 0x5601, 0x0, NULL, 0, 0);
1385 ++ 0x11, 0x40, 0x5601, 0x0, NULL, 0,
1386 ++ USB_CTRL_SET_TIMEOUT);
1387 + if (retval) {
1388 + dev_dbg(&dev->dev, "%s - failed to set bit rate due to error: %d\n",
1389 + __func__, retval);
1390 +@@ -344,7 +345,8 @@ static int keyspan_setup(struct usb_device* dev)
1391 + }
1392 +
1393 + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
1394 +- 0x44, 0x40, 0x0, 0x0, NULL, 0, 0);
1395 ++ 0x44, 0x40, 0x0, 0x0, NULL, 0,
1396 ++ USB_CTRL_SET_TIMEOUT);
1397 + if (retval) {
1398 + dev_dbg(&dev->dev, "%s - failed to set resume sensitivity due to error: %d\n",
1399 + __func__, retval);
1400 +@@ -352,7 +354,8 @@ static int keyspan_setup(struct usb_device* dev)
1401 + }
1402 +
1403 + retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
1404 +- 0x22, 0x40, 0x0, 0x0, NULL, 0, 0);
1405 ++ 0x22, 0x40, 0x0, 0x0, NULL, 0,
1406 ++ USB_CTRL_SET_TIMEOUT);
1407 + if (retval) {
1408 + dev_dbg(&dev->dev, "%s - failed to turn receive on due to error: %d\n",
1409 + __func__, retval);
1410 +diff --git a/drivers/input/misc/pm8xxx-vibrator.c b/drivers/input/misc/pm8xxx-vibrator.c
1411 +index ecd762f93732..53ad25eaf1a2 100644
1412 +--- a/drivers/input/misc/pm8xxx-vibrator.c
1413 ++++ b/drivers/input/misc/pm8xxx-vibrator.c
1414 +@@ -90,7 +90,7 @@ static int pm8xxx_vib_set(struct pm8xxx_vib *vib, bool on)
1415 +
1416 + if (regs->enable_mask)
1417 + rc = regmap_update_bits(vib->regmap, regs->enable_addr,
1418 +- on ? regs->enable_mask : 0, val);
1419 ++ regs->enable_mask, on ? ~0 : 0);
1420 +
1421 + return rc;
1422 + }
1423 +diff --git a/drivers/input/rmi4/rmi_smbus.c b/drivers/input/rmi4/rmi_smbus.c
1424 +index b313c579914f..2407ea43de59 100644
1425 +--- a/drivers/input/rmi4/rmi_smbus.c
1426 ++++ b/drivers/input/rmi4/rmi_smbus.c
1427 +@@ -163,6 +163,7 @@ static int rmi_smb_write_block(struct rmi_transport_dev *xport, u16 rmiaddr,
1428 + /* prepare to write next block of bytes */
1429 + cur_len -= SMB_MAX_COUNT;
1430 + databuff += SMB_MAX_COUNT;
1431 ++ rmiaddr += SMB_MAX_COUNT;
1432 + }
1433 + exit:
1434 + mutex_unlock(&rmi_smb->page_mutex);
1435 +@@ -214,6 +215,7 @@ static int rmi_smb_read_block(struct rmi_transport_dev *xport, u16 rmiaddr,
1436 + /* prepare to read next block of bytes */
1437 + cur_len -= SMB_MAX_COUNT;
1438 + databuff += SMB_MAX_COUNT;
1439 ++ rmiaddr += SMB_MAX_COUNT;
1440 + }
1441 +
1442 + retval = 0;
1443 +diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
1444 +index 2ca586fb914f..06d0ffef4a17 100644
1445 +--- a/drivers/input/tablet/aiptek.c
1446 ++++ b/drivers/input/tablet/aiptek.c
1447 +@@ -1802,14 +1802,14 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
1448 + input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
1449 +
1450 + /* Verify that a device really has an endpoint */
1451 +- if (intf->altsetting[0].desc.bNumEndpoints < 1) {
1452 ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
1453 + dev_err(&intf->dev,
1454 + "interface has %d endpoints, but must have minimum 1\n",
1455 +- intf->altsetting[0].desc.bNumEndpoints);
1456 ++ intf->cur_altsetting->desc.bNumEndpoints);
1457 + err = -EINVAL;
1458 + goto fail3;
1459 + }
1460 +- endpoint = &intf->altsetting[0].endpoint[0].desc;
1461 ++ endpoint = &intf->cur_altsetting->endpoint[0].desc;
1462 +
1463 + /* Go set up our URB, which is called when the tablet receives
1464 + * input.
1465 +diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
1466 +index 35031228a6d0..799c94dda651 100644
1467 +--- a/drivers/input/tablet/gtco.c
1468 ++++ b/drivers/input/tablet/gtco.c
1469 +@@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
1470 + }
1471 +
1472 + /* Sanity check that a device has an endpoint */
1473 +- if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
1474 ++ if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) {
1475 + dev_err(&usbinterface->dev,
1476 + "Invalid number of endpoints\n");
1477 + error = -EINVAL;
1478 + goto err_free_urb;
1479 + }
1480 +
1481 +- /*
1482 +- * The endpoint is always altsetting 0, we know this since we know
1483 +- * this device only has one interrupt endpoint
1484 +- */
1485 +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
1486 ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
1487 +
1488 + /* Some debug */
1489 + dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting);
1490 +@@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
1491 + input_dev->dev.parent = &usbinterface->dev;
1492 +
1493 + /* Setup the URB, it will be posted later on open of input device */
1494 +- endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
1495 ++ endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
1496 +
1497 + usb_fill_int_urb(gtco->urbinfo,
1498 + udev,
1499 +diff --git a/drivers/input/tablet/pegasus_notetaker.c b/drivers/input/tablet/pegasus_notetaker.c
1500 +index a1f3a0cb197e..38f087404f7a 100644
1501 +--- a/drivers/input/tablet/pegasus_notetaker.c
1502 ++++ b/drivers/input/tablet/pegasus_notetaker.c
1503 +@@ -275,7 +275,7 @@ static int pegasus_probe(struct usb_interface *intf,
1504 + return -ENODEV;
1505 +
1506 + /* Sanity check that the device has an endpoint */
1507 +- if (intf->altsetting[0].desc.bNumEndpoints < 1) {
1508 ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
1509 + dev_err(&intf->dev, "Invalid number of endpoints\n");
1510 + return -EINVAL;
1511 + }
1512 +diff --git a/drivers/input/touchscreen/sun4i-ts.c b/drivers/input/touchscreen/sun4i-ts.c
1513 +index 0af0fe8c40d7..742a7e96c1b5 100644
1514 +--- a/drivers/input/touchscreen/sun4i-ts.c
1515 ++++ b/drivers/input/touchscreen/sun4i-ts.c
1516 +@@ -237,6 +237,7 @@ static int sun4i_ts_probe(struct platform_device *pdev)
1517 + struct device *dev = &pdev->dev;
1518 + struct device_node *np = dev->of_node;
1519 + struct device *hwmon;
1520 ++ struct thermal_zone_device *thermal;
1521 + int error;
1522 + u32 reg;
1523 + bool ts_attached;
1524 +@@ -355,7 +356,10 @@ static int sun4i_ts_probe(struct platform_device *pdev)
1525 + if (IS_ERR(hwmon))
1526 + return PTR_ERR(hwmon);
1527 +
1528 +- devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, &sun4i_ts_tz_ops);
1529 ++ thermal = devm_thermal_zone_of_sensor_register(ts->dev, 0, ts,
1530 ++ &sun4i_ts_tz_ops);
1531 ++ if (IS_ERR(thermal))
1532 ++ return PTR_ERR(thermal);
1533 +
1534 + writel(TEMP_IRQ_EN(1), ts->base + TP_INT_FIFOC);
1535 +
1536 +diff --git a/drivers/input/touchscreen/sur40.c b/drivers/input/touchscreen/sur40.c
1537 +index 3fd3e862269b..2e2ea5719c90 100644
1538 +--- a/drivers/input/touchscreen/sur40.c
1539 ++++ b/drivers/input/touchscreen/sur40.c
1540 +@@ -653,7 +653,7 @@ static int sur40_probe(struct usb_interface *interface,
1541 + int error;
1542 +
1543 + /* Check if we really have the right interface. */
1544 +- iface_desc = &interface->altsetting[0];
1545 ++ iface_desc = interface->cur_altsetting;
1546 + if (iface_desc->desc.bInterfaceClass != 0xFF)
1547 + return -ENODEV;
1548 +
1549 +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
1550 +index 568c52317757..483f7bc379fa 100644
1551 +--- a/drivers/iommu/amd_iommu_init.c
1552 ++++ b/drivers/iommu/amd_iommu_init.c
1553 +@@ -1655,27 +1655,39 @@ static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr,
1554 + static void init_iommu_perf_ctr(struct amd_iommu *iommu)
1555 + {
1556 + struct pci_dev *pdev = iommu->dev;
1557 +- u64 val = 0xabcd, val2 = 0;
1558 ++ u64 val = 0xabcd, val2 = 0, save_reg = 0;
1559 +
1560 + if (!iommu_feature(iommu, FEATURE_PC))
1561 + return;
1562 +
1563 + amd_iommu_pc_present = true;
1564 +
1565 ++ /* save the value to restore, if writable */
1566 ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false))
1567 ++ goto pc_false;
1568 ++
1569 + /* Check if the performance counters can be written to */
1570 + if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) ||
1571 + (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) ||
1572 +- (val != val2)) {
1573 +- pci_err(pdev, "Unable to write to IOMMU perf counter.\n");
1574 +- amd_iommu_pc_present = false;
1575 +- return;
1576 +- }
1577 ++ (val != val2))
1578 ++ goto pc_false;
1579 ++
1580 ++ /* restore */
1581 ++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true))
1582 ++ goto pc_false;
1583 +
1584 + pci_info(pdev, "IOMMU performance counters supported\n");
1585 +
1586 + val = readl(iommu->mmio_base + MMIO_CNTR_CONF_OFFSET);
1587 + iommu->max_banks = (u8) ((val >> 12) & 0x3f);
1588 + iommu->max_counters = (u8) ((val >> 7) & 0xf);
1589 ++
1590 ++ return;
1591 ++
1592 ++pc_false:
1593 ++ pci_err(pdev, "Unable to read/write to IOMMU perf counter.\n");
1594 ++ amd_iommu_pc_present = false;
1595 ++ return;
1596 + }
1597 +
1598 + static ssize_t amd_iommu_show_cap(struct device *dev,
1599 +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
1600 +index e84c5dfe146f..dd5db856dcaf 100644
1601 +--- a/drivers/iommu/intel-iommu.c
1602 ++++ b/drivers/iommu/intel-iommu.c
1603 +@@ -5132,7 +5132,8 @@ static void dmar_remove_one_dev_info(struct device *dev)
1604 +
1605 + spin_lock_irqsave(&device_domain_lock, flags);
1606 + info = dev->archdata.iommu;
1607 +- if (info)
1608 ++ if (info && info != DEFER_DEVICE_DOMAIN_INFO
1609 ++ && info != DUMMY_DEVICE_DOMAIN_INFO)
1610 + __dmar_remove_one_dev_info(info);
1611 + spin_unlock_irqrestore(&device_domain_lock, flags);
1612 + }
1613 +diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c
1614 +index a5c73f3d5f79..2bf74595610f 100644
1615 +--- a/drivers/leds/leds-gpio.c
1616 ++++ b/drivers/leds/leds-gpio.c
1617 +@@ -151,9 +151,14 @@ static struct gpio_leds_priv *gpio_leds_create(struct platform_device *pdev)
1618 + struct gpio_led led = {};
1619 + const char *state = NULL;
1620 +
1621 ++ /*
1622 ++ * Acquire gpiod from DT with uninitialized label, which
1623 ++ * will be updated after LED class device is registered,
1624 ++ * Only then the final LED name is known.
1625 ++ */
1626 + led.gpiod = devm_fwnode_get_gpiod_from_child(dev, NULL, child,
1627 + GPIOD_ASIS,
1628 +- led.name);
1629 ++ NULL);
1630 + if (IS_ERR(led.gpiod)) {
1631 + fwnode_handle_put(child);
1632 + return ERR_CAST(led.gpiod);
1633 +@@ -186,6 +191,9 @@ static struct gpio_leds_priv *gpio_leds_create(struct platform_device *pdev)
1634 + fwnode_handle_put(child);
1635 + return ERR_PTR(ret);
1636 + }
1637 ++ /* Set gpiod label to match the corresponding LED name. */
1638 ++ gpiod_set_consumer_name(led_dat->gpiod,
1639 ++ led_dat->cdev.dev->kobj.name);
1640 + priv->num_leds++;
1641 + }
1642 +
1643 +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
1644 +index 21bb96ce4cd6..58868d7129eb 100644
1645 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c
1646 ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c
1647 +@@ -1605,12 +1605,12 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,
1648 + case V4L2_BUF_TYPE_VBI_CAPTURE:
1649 + if (unlikely(!ops->vidioc_s_fmt_vbi_cap))
1650 + break;
1651 +- CLEAR_AFTER_FIELD(p, fmt.vbi);
1652 ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags);
1653 + return ops->vidioc_s_fmt_vbi_cap(file, fh, arg);
1654 + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
1655 + if (unlikely(!ops->vidioc_s_fmt_sliced_vbi_cap))
1656 + break;
1657 +- CLEAR_AFTER_FIELD(p, fmt.sliced);
1658 ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size);
1659 + return ops->vidioc_s_fmt_sliced_vbi_cap(file, fh, arg);
1660 + case V4L2_BUF_TYPE_VIDEO_OUTPUT:
1661 + if (unlikely(!ops->vidioc_s_fmt_vid_out))
1662 +@@ -1636,22 +1636,22 @@ static int v4l_s_fmt(const struct v4l2_ioctl_ops *ops,
1663 + case V4L2_BUF_TYPE_VBI_OUTPUT:
1664 + if (unlikely(!ops->vidioc_s_fmt_vbi_out))
1665 + break;
1666 +- CLEAR_AFTER_FIELD(p, fmt.vbi);
1667 ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags);
1668 + return ops->vidioc_s_fmt_vbi_out(file, fh, arg);
1669 + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
1670 + if (unlikely(!ops->vidioc_s_fmt_sliced_vbi_out))
1671 + break;
1672 +- CLEAR_AFTER_FIELD(p, fmt.sliced);
1673 ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size);
1674 + return ops->vidioc_s_fmt_sliced_vbi_out(file, fh, arg);
1675 + case V4L2_BUF_TYPE_SDR_CAPTURE:
1676 + if (unlikely(!ops->vidioc_s_fmt_sdr_cap))
1677 + break;
1678 +- CLEAR_AFTER_FIELD(p, fmt.sdr);
1679 ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);
1680 + return ops->vidioc_s_fmt_sdr_cap(file, fh, arg);
1681 + case V4L2_BUF_TYPE_SDR_OUTPUT:
1682 + if (unlikely(!ops->vidioc_s_fmt_sdr_out))
1683 + break;
1684 +- CLEAR_AFTER_FIELD(p, fmt.sdr);
1685 ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);
1686 + return ops->vidioc_s_fmt_sdr_out(file, fh, arg);
1687 + case V4L2_BUF_TYPE_META_CAPTURE:
1688 + if (unlikely(!ops->vidioc_s_fmt_meta_cap))
1689 +@@ -1707,12 +1707,12 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,
1690 + case V4L2_BUF_TYPE_VBI_CAPTURE:
1691 + if (unlikely(!ops->vidioc_try_fmt_vbi_cap))
1692 + break;
1693 +- CLEAR_AFTER_FIELD(p, fmt.vbi);
1694 ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags);
1695 + return ops->vidioc_try_fmt_vbi_cap(file, fh, arg);
1696 + case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
1697 + if (unlikely(!ops->vidioc_try_fmt_sliced_vbi_cap))
1698 + break;
1699 +- CLEAR_AFTER_FIELD(p, fmt.sliced);
1700 ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size);
1701 + return ops->vidioc_try_fmt_sliced_vbi_cap(file, fh, arg);
1702 + case V4L2_BUF_TYPE_VIDEO_OUTPUT:
1703 + if (unlikely(!ops->vidioc_try_fmt_vid_out))
1704 +@@ -1738,22 +1738,22 @@ static int v4l_try_fmt(const struct v4l2_ioctl_ops *ops,
1705 + case V4L2_BUF_TYPE_VBI_OUTPUT:
1706 + if (unlikely(!ops->vidioc_try_fmt_vbi_out))
1707 + break;
1708 +- CLEAR_AFTER_FIELD(p, fmt.vbi);
1709 ++ CLEAR_AFTER_FIELD(p, fmt.vbi.flags);
1710 + return ops->vidioc_try_fmt_vbi_out(file, fh, arg);
1711 + case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
1712 + if (unlikely(!ops->vidioc_try_fmt_sliced_vbi_out))
1713 + break;
1714 +- CLEAR_AFTER_FIELD(p, fmt.sliced);
1715 ++ CLEAR_AFTER_FIELD(p, fmt.sliced.io_size);
1716 + return ops->vidioc_try_fmt_sliced_vbi_out(file, fh, arg);
1717 + case V4L2_BUF_TYPE_SDR_CAPTURE:
1718 + if (unlikely(!ops->vidioc_try_fmt_sdr_cap))
1719 + break;
1720 +- CLEAR_AFTER_FIELD(p, fmt.sdr);
1721 ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);
1722 + return ops->vidioc_try_fmt_sdr_cap(file, fh, arg);
1723 + case V4L2_BUF_TYPE_SDR_OUTPUT:
1724 + if (unlikely(!ops->vidioc_try_fmt_sdr_out))
1725 + break;
1726 +- CLEAR_AFTER_FIELD(p, fmt.sdr);
1727 ++ CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);
1728 + return ops->vidioc_try_fmt_sdr_out(file, fh, arg);
1729 + case V4L2_BUF_TYPE_META_CAPTURE:
1730 + if (unlikely(!ops->vidioc_try_fmt_meta_cap))
1731 +diff --git a/drivers/mmc/host/sdhci-tegra.c b/drivers/mmc/host/sdhci-tegra.c
1732 +index 7bc950520fd9..403ac44a7378 100644
1733 +--- a/drivers/mmc/host/sdhci-tegra.c
1734 ++++ b/drivers/mmc/host/sdhci-tegra.c
1735 +@@ -386,7 +386,7 @@ static void tegra_sdhci_reset(struct sdhci_host *host, u8 mask)
1736 + misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_DDR50;
1737 + if (soc_data->nvquirks & NVQUIRK_ENABLE_SDR104)
1738 + misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_SDR104;
1739 +- if (soc_data->nvquirks & SDHCI_MISC_CTRL_ENABLE_SDR50)
1740 ++ if (soc_data->nvquirks & NVQUIRK_ENABLE_SDR50)
1741 + clk_ctrl |= SDHCI_CLOCK_CTRL_SDR50_TUNING_OVERRIDE;
1742 + }
1743 +
1744 +diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
1745 +index 5f9df2dbde06..4478b94d4791 100644
1746 +--- a/drivers/mmc/host/sdhci.c
1747 ++++ b/drivers/mmc/host/sdhci.c
1748 +@@ -3902,11 +3902,13 @@ int sdhci_setup_host(struct sdhci_host *host)
1749 + if (host->ops->get_min_clock)
1750 + mmc->f_min = host->ops->get_min_clock(host);
1751 + else if (host->version >= SDHCI_SPEC_300) {
1752 +- if (host->clk_mul) {
1753 +- mmc->f_min = (host->max_clk * host->clk_mul) / 1024;
1754 ++ if (host->clk_mul)
1755 + max_clk = host->max_clk * host->clk_mul;
1756 +- } else
1757 +- mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300;
1758 ++ /*
1759 ++ * Divided Clock Mode minimum clock rate is always less than
1760 ++ * Programmable Clock Mode minimum clock rate.
1761 ++ */
1762 ++ mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300;
1763 + } else
1764 + mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_200;
1765 +
1766 +diff --git a/drivers/mmc/host/sdhci_am654.c b/drivers/mmc/host/sdhci_am654.c
1767 +index bb90757ecace..4cbb764c9822 100644
1768 +--- a/drivers/mmc/host/sdhci_am654.c
1769 ++++ b/drivers/mmc/host/sdhci_am654.c
1770 +@@ -236,6 +236,22 @@ static void sdhci_am654_write_b(struct sdhci_host *host, u8 val, int reg)
1771 + writeb(val, host->ioaddr + reg);
1772 + }
1773 +
1774 ++static int sdhci_am654_execute_tuning(struct mmc_host *mmc, u32 opcode)
1775 ++{
1776 ++ struct sdhci_host *host = mmc_priv(mmc);
1777 ++ int err = sdhci_execute_tuning(mmc, opcode);
1778 ++
1779 ++ if (err)
1780 ++ return err;
1781 ++ /*
1782 ++ * Tuning data remains in the buffer after tuning.
1783 ++ * Do a command and data reset to get rid of it
1784 ++ */
1785 ++ sdhci_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA);
1786 ++
1787 ++ return 0;
1788 ++}
1789 ++
1790 + static struct sdhci_ops sdhci_am654_ops = {
1791 + .get_max_clock = sdhci_pltfm_clk_get_max_clock,
1792 + .get_timeout_clock = sdhci_pltfm_clk_get_max_clock,
1793 +@@ -249,8 +265,7 @@ static struct sdhci_ops sdhci_am654_ops = {
1794 +
1795 + static const struct sdhci_pltfm_data sdhci_am654_pdata = {
1796 + .ops = &sdhci_am654_ops,
1797 +- .quirks = SDHCI_QUIRK_INVERTED_WRITE_PROTECT |
1798 +- SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
1799 ++ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
1800 + .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
1801 + };
1802 +
1803 +@@ -272,8 +287,7 @@ static struct sdhci_ops sdhci_j721e_8bit_ops = {
1804 +
1805 + static const struct sdhci_pltfm_data sdhci_j721e_8bit_pdata = {
1806 + .ops = &sdhci_j721e_8bit_ops,
1807 +- .quirks = SDHCI_QUIRK_INVERTED_WRITE_PROTECT |
1808 +- SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
1809 ++ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
1810 + .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
1811 + };
1812 +
1813 +@@ -295,8 +309,7 @@ static struct sdhci_ops sdhci_j721e_4bit_ops = {
1814 +
1815 + static const struct sdhci_pltfm_data sdhci_j721e_4bit_pdata = {
1816 + .ops = &sdhci_j721e_4bit_ops,
1817 +- .quirks = SDHCI_QUIRK_INVERTED_WRITE_PROTECT |
1818 +- SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
1819 ++ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
1820 + .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
1821 + };
1822 +
1823 +@@ -480,6 +493,8 @@ static int sdhci_am654_probe(struct platform_device *pdev)
1824 + goto pm_runtime_put;
1825 + }
1826 +
1827 ++ host->mmc_host_ops.execute_tuning = sdhci_am654_execute_tuning;
1828 ++
1829 + ret = sdhci_am654_init(host);
1830 + if (ret)
1831 + goto pm_runtime_put;
1832 +diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
1833 +index 2e57122f02fb..2f5c287eac95 100644
1834 +--- a/drivers/net/can/slcan.c
1835 ++++ b/drivers/net/can/slcan.c
1836 +@@ -344,9 +344,16 @@ static void slcan_transmit(struct work_struct *work)
1837 + */
1838 + static void slcan_write_wakeup(struct tty_struct *tty)
1839 + {
1840 +- struct slcan *sl = tty->disc_data;
1841 ++ struct slcan *sl;
1842 ++
1843 ++ rcu_read_lock();
1844 ++ sl = rcu_dereference(tty->disc_data);
1845 ++ if (!sl)
1846 ++ goto out;
1847 +
1848 + schedule_work(&sl->tx_work);
1849 ++out:
1850 ++ rcu_read_unlock();
1851 + }
1852 +
1853 + /* Send a can_frame to a TTY queue. */
1854 +@@ -644,10 +651,11 @@ static void slcan_close(struct tty_struct *tty)
1855 + return;
1856 +
1857 + spin_lock_bh(&sl->lock);
1858 +- tty->disc_data = NULL;
1859 ++ rcu_assign_pointer(tty->disc_data, NULL);
1860 + sl->tty = NULL;
1861 + spin_unlock_bh(&sl->lock);
1862 +
1863 ++ synchronize_rcu();
1864 + flush_work(&sl->tx_work);
1865 +
1866 + /* Flush network side */
1867 +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
1868 +index 1de51811fcb4..8f909d57501f 100644
1869 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
1870 ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
1871 +@@ -2164,8 +2164,8 @@ static void bcmgenet_init_tx_ring(struct bcmgenet_priv *priv,
1872 + DMA_END_ADDR);
1873 +
1874 + /* Initialize Tx NAPI */
1875 +- netif_napi_add(priv->dev, &ring->napi, bcmgenet_tx_poll,
1876 +- NAPI_POLL_WEIGHT);
1877 ++ netif_tx_napi_add(priv->dev, &ring->napi, bcmgenet_tx_poll,
1878 ++ NAPI_POLL_WEIGHT);
1879 + }
1880 +
1881 + /* Initialize a RDMA ring */
1882 +diff --git a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
1883 +index 58f89f6a040f..97ff8608f0ab 100644
1884 +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
1885 ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
1886 +@@ -2448,6 +2448,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr)
1887 +
1888 + if (!is_offload(adapter))
1889 + return -EOPNOTSUPP;
1890 ++ if (!capable(CAP_NET_ADMIN))
1891 ++ return -EPERM;
1892 + if (!(adapter->flags & FULL_INIT_DONE))
1893 + return -EIO; /* need the memory controllers */
1894 + if (copy_from_user(&t, useraddr, sizeof(t)))
1895 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c
1896 +index 778dab1af8fc..f260dd96873b 100644
1897 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c
1898 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c
1899 +@@ -180,7 +180,7 @@ mlx5e_ktls_tx_post_param_wqes(struct mlx5e_txqsq *sq,
1900 +
1901 + struct tx_sync_info {
1902 + u64 rcd_sn;
1903 +- s32 sync_len;
1904 ++ u32 sync_len;
1905 + int nr_frags;
1906 + skb_frag_t frags[MAX_SKB_FRAGS];
1907 + };
1908 +@@ -193,13 +193,14 @@ enum mlx5e_ktls_sync_retval {
1909 +
1910 + static enum mlx5e_ktls_sync_retval
1911 + tx_sync_info_get(struct mlx5e_ktls_offload_context_tx *priv_tx,
1912 +- u32 tcp_seq, struct tx_sync_info *info)
1913 ++ u32 tcp_seq, int datalen, struct tx_sync_info *info)
1914 + {
1915 + struct tls_offload_context_tx *tx_ctx = priv_tx->tx_ctx;
1916 + enum mlx5e_ktls_sync_retval ret = MLX5E_KTLS_SYNC_DONE;
1917 + struct tls_record_info *record;
1918 + int remaining, i = 0;
1919 + unsigned long flags;
1920 ++ bool ends_before;
1921 +
1922 + spin_lock_irqsave(&tx_ctx->lock, flags);
1923 + record = tls_get_record(tx_ctx, tcp_seq, &info->rcd_sn);
1924 +@@ -209,9 +210,21 @@ tx_sync_info_get(struct mlx5e_ktls_offload_context_tx *priv_tx,
1925 + goto out;
1926 + }
1927 +
1928 +- if (unlikely(tcp_seq < tls_record_start_seq(record))) {
1929 +- ret = tls_record_is_start_marker(record) ?
1930 +- MLX5E_KTLS_SYNC_SKIP_NO_DATA : MLX5E_KTLS_SYNC_FAIL;
1931 ++ /* There are the following cases:
1932 ++ * 1. packet ends before start marker: bypass offload.
1933 ++ * 2. packet starts before start marker and ends after it: drop,
1934 ++ * not supported, breaks contract with kernel.
1935 ++ * 3. packet ends before tls record info starts: drop,
1936 ++ * this packet was already acknowledged and its record info
1937 ++ * was released.
1938 ++ */
1939 ++ ends_before = before(tcp_seq + datalen, tls_record_start_seq(record));
1940 ++
1941 ++ if (unlikely(tls_record_is_start_marker(record))) {
1942 ++ ret = ends_before ? MLX5E_KTLS_SYNC_SKIP_NO_DATA : MLX5E_KTLS_SYNC_FAIL;
1943 ++ goto out;
1944 ++ } else if (ends_before) {
1945 ++ ret = MLX5E_KTLS_SYNC_FAIL;
1946 + goto out;
1947 + }
1948 +
1949 +@@ -337,7 +350,7 @@ mlx5e_ktls_tx_handle_ooo(struct mlx5e_ktls_offload_context_tx *priv_tx,
1950 + u8 num_wqebbs;
1951 + int i = 0;
1952 +
1953 +- ret = tx_sync_info_get(priv_tx, seq, &info);
1954 ++ ret = tx_sync_info_get(priv_tx, seq, datalen, &info);
1955 + if (unlikely(ret != MLX5E_KTLS_SYNC_DONE)) {
1956 + if (ret == MLX5E_KTLS_SYNC_SKIP_NO_DATA) {
1957 + stats->tls_skip_no_sync_data++;
1958 +@@ -351,14 +364,6 @@ mlx5e_ktls_tx_handle_ooo(struct mlx5e_ktls_offload_context_tx *priv_tx,
1959 + goto err_out;
1960 + }
1961 +
1962 +- if (unlikely(info.sync_len < 0)) {
1963 +- if (likely(datalen <= -info.sync_len))
1964 +- return MLX5E_KTLS_SYNC_DONE;
1965 +-
1966 +- stats->tls_drop_bypass_req++;
1967 +- goto err_out;
1968 +- }
1969 +-
1970 + stats->tls_ooo++;
1971 +
1972 + tx_post_resync_params(sq, priv_tx, info.rcd_sn);
1973 +@@ -378,8 +383,6 @@ mlx5e_ktls_tx_handle_ooo(struct mlx5e_ktls_offload_context_tx *priv_tx,
1974 + if (unlikely(contig_wqebbs_room < num_wqebbs))
1975 + mlx5e_fill_sq_frag_edge(sq, wq, pi, contig_wqebbs_room);
1976 +
1977 +- tx_post_resync_params(sq, priv_tx, info.rcd_sn);
1978 +-
1979 + for (; i < info.nr_frags; i++) {
1980 + unsigned int orig_fsz, frag_offset = 0, n = 0;
1981 + skb_frag_t *f = &info.frags[i];
1982 +@@ -455,12 +458,18 @@ struct sk_buff *mlx5e_ktls_handle_tx_skb(struct net_device *netdev,
1983 + enum mlx5e_ktls_sync_retval ret =
1984 + mlx5e_ktls_tx_handle_ooo(priv_tx, sq, datalen, seq);
1985 +
1986 +- if (likely(ret == MLX5E_KTLS_SYNC_DONE))
1987 ++ switch (ret) {
1988 ++ case MLX5E_KTLS_SYNC_DONE:
1989 + *wqe = mlx5e_sq_fetch_wqe(sq, sizeof(**wqe), pi);
1990 +- else if (ret == MLX5E_KTLS_SYNC_FAIL)
1991 ++ break;
1992 ++ case MLX5E_KTLS_SYNC_SKIP_NO_DATA:
1993 ++ if (likely(!skb->decrypted))
1994 ++ goto out;
1995 ++ WARN_ON_ONCE(1);
1996 ++ /* fall-through */
1997 ++ default: /* MLX5E_KTLS_SYNC_FAIL */
1998 + goto err_out;
1999 +- else /* ret == MLX5E_KTLS_SYNC_SKIP_NO_DATA */
2000 +- goto out;
2001 ++ }
2002 + }
2003 +
2004 + priv_tx->expected_seq = seq + datalen;
2005 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
2006 +index 96711e34d248..1f9107d83848 100644
2007 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
2008 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
2009 +@@ -3951,6 +3951,13 @@ static int apply_police_params(struct mlx5e_priv *priv, u32 rate,
2010 + u32 rate_mbps;
2011 + int err;
2012 +
2013 ++ vport_num = rpriv->rep->vport;
2014 ++ if (vport_num >= MLX5_VPORT_ECPF) {
2015 ++ NL_SET_ERR_MSG_MOD(extack,
2016 ++ "Ingress rate limit is supported only for Eswitch ports connected to VFs");
2017 ++ return -EOPNOTSUPP;
2018 ++ }
2019 ++
2020 + esw = priv->mdev->priv.eswitch;
2021 + /* rate is given in bytes/sec.
2022 + * First convert to bits/sec and then round to the nearest mbit/secs.
2023 +@@ -3959,8 +3966,6 @@ static int apply_police_params(struct mlx5e_priv *priv, u32 rate,
2024 + * 1 mbit/sec.
2025 + */
2026 + rate_mbps = rate ? max_t(u32, (rate * 8 + 500000) / 1000000, 1) : 0;
2027 +- vport_num = rpriv->rep->vport;
2028 +-
2029 + err = mlx5_esw_modify_vport_rate(esw, vport_num, rate_mbps);
2030 + if (err)
2031 + NL_SET_ERR_MSG_MOD(extack, "failed applying action to hardware");
2032 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
2033 +index 9004a07e457a..5acfdea3a75a 100644
2034 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
2035 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
2036 +@@ -858,7 +858,7 @@ out:
2037 + */
2038 + #define ESW_SIZE (16 * 1024 * 1024)
2039 + const unsigned int ESW_POOLS[4] = { 4 * 1024 * 1024, 1 * 1024 * 1024,
2040 +- 64 * 1024, 4 * 1024 };
2041 ++ 64 * 1024, 128 };
2042 +
2043 + static int
2044 + get_sz_from_pool(struct mlx5_eswitch *esw)
2045 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
2046 +index 051ab845b501..c96a0e501007 100644
2047 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
2048 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
2049 +@@ -1569,6 +1569,7 @@ static const struct pci_device_id mlx5_core_pci_table[] = {
2050 + { PCI_VDEVICE(MELLANOX, 0x101d) }, /* ConnectX-6 Dx */
2051 + { PCI_VDEVICE(MELLANOX, 0x101e), MLX5_PCI_DEV_IS_VF}, /* ConnectX Family mlx5Gen Virtual Function */
2052 + { PCI_VDEVICE(MELLANOX, 0x101f) }, /* ConnectX-6 LX */
2053 ++ { PCI_VDEVICE(MELLANOX, 0x1021) }, /* ConnectX-7 */
2054 + { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */
2055 + { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */
2056 + { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */
2057 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
2058 +index 51803eef13dd..c7f10d4f8f8d 100644
2059 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
2060 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
2061 +@@ -1,6 +1,7 @@
2062 + // SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
2063 + /* Copyright (c) 2019 Mellanox Technologies. */
2064 +
2065 ++#include <linux/smp.h>
2066 + #include "dr_types.h"
2067 +
2068 + #define QUEUE_SIZE 128
2069 +@@ -729,7 +730,7 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev,
2070 + if (!in)
2071 + goto err_cqwq;
2072 +
2073 +- vector = smp_processor_id() % mlx5_comp_vectors_count(mdev);
2074 ++ vector = raw_smp_processor_id() % mlx5_comp_vectors_count(mdev);
2075 + err = mlx5_vector2eqn(mdev, vector, &eqn, &irqn);
2076 + if (err) {
2077 + kvfree(in);
2078 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c
2079 +index 3d587d0bdbbe..1e32e2443f73 100644
2080 +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c
2081 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c
2082 +@@ -352,26 +352,16 @@ static int mlx5_cmd_dr_create_fte(struct mlx5_flow_root_namespace *ns,
2083 + if (fte->action.action & MLX5_FLOW_CONTEXT_ACTION_FWD_DEST) {
2084 + list_for_each_entry(dst, &fte->node.children, node.list) {
2085 + enum mlx5_flow_destination_type type = dst->dest_attr.type;
2086 +- u32 id;
2087 +
2088 + if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) {
2089 + err = -ENOSPC;
2090 + goto free_actions;
2091 + }
2092 +
2093 +- switch (type) {
2094 +- case MLX5_FLOW_DESTINATION_TYPE_COUNTER:
2095 +- id = dst->dest_attr.counter_id;
2096 ++ if (type == MLX5_FLOW_DESTINATION_TYPE_COUNTER)
2097 ++ continue;
2098 +
2099 +- tmp_action =
2100 +- mlx5dr_action_create_flow_counter(id);
2101 +- if (!tmp_action) {
2102 +- err = -ENOMEM;
2103 +- goto free_actions;
2104 +- }
2105 +- fs_dr_actions[fs_dr_num_actions++] = tmp_action;
2106 +- actions[num_actions++] = tmp_action;
2107 +- break;
2108 ++ switch (type) {
2109 + case MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE:
2110 + tmp_action = create_ft_action(dev, dst);
2111 + if (!tmp_action) {
2112 +@@ -397,6 +387,32 @@ static int mlx5_cmd_dr_create_fte(struct mlx5_flow_root_namespace *ns,
2113 + }
2114 + }
2115 +
2116 ++ if (fte->action.action & MLX5_FLOW_CONTEXT_ACTION_COUNT) {
2117 ++ list_for_each_entry(dst, &fte->node.children, node.list) {
2118 ++ u32 id;
2119 ++
2120 ++ if (dst->dest_attr.type !=
2121 ++ MLX5_FLOW_DESTINATION_TYPE_COUNTER)
2122 ++ continue;
2123 ++
2124 ++ if (num_actions == MLX5_FLOW_CONTEXT_ACTION_MAX) {
2125 ++ err = -ENOSPC;
2126 ++ goto free_actions;
2127 ++ }
2128 ++
2129 ++ id = dst->dest_attr.counter_id;
2130 ++ tmp_action =
2131 ++ mlx5dr_action_create_flow_counter(id);
2132 ++ if (!tmp_action) {
2133 ++ err = -ENOMEM;
2134 ++ goto free_actions;
2135 ++ }
2136 ++
2137 ++ fs_dr_actions[fs_dr_num_actions++] = tmp_action;
2138 ++ actions[num_actions++] = tmp_action;
2139 ++ }
2140 ++ }
2141 ++
2142 + params.match_sz = match_sz;
2143 + params.match_buf = (u64 *)fte->val;
2144 +
2145 +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c
2146 +index 150b3a144b83..3d3cca596116 100644
2147 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c
2148 ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c
2149 +@@ -8,6 +8,7 @@
2150 + #include <linux/string.h>
2151 + #include <linux/rhashtable.h>
2152 + #include <linux/netdevice.h>
2153 ++#include <linux/mutex.h>
2154 + #include <net/net_namespace.h>
2155 + #include <net/tc_act/tc_vlan.h>
2156 +
2157 +@@ -25,6 +26,7 @@ struct mlxsw_sp_acl {
2158 + struct mlxsw_sp_fid *dummy_fid;
2159 + struct rhashtable ruleset_ht;
2160 + struct list_head rules;
2161 ++ struct mutex rules_lock; /* Protects rules list */
2162 + struct {
2163 + struct delayed_work dw;
2164 + unsigned long interval; /* ms */
2165 +@@ -701,7 +703,9 @@ int mlxsw_sp_acl_rule_add(struct mlxsw_sp *mlxsw_sp,
2166 + goto err_ruleset_block_bind;
2167 + }
2168 +
2169 ++ mutex_lock(&mlxsw_sp->acl->rules_lock);
2170 + list_add_tail(&rule->list, &mlxsw_sp->acl->rules);
2171 ++ mutex_unlock(&mlxsw_sp->acl->rules_lock);
2172 + block->rule_count++;
2173 + block->egress_blocker_rule_count += rule->rulei->egress_bind_blocker;
2174 + return 0;
2175 +@@ -723,7 +727,9 @@ void mlxsw_sp_acl_rule_del(struct mlxsw_sp *mlxsw_sp,
2176 +
2177 + block->egress_blocker_rule_count -= rule->rulei->egress_bind_blocker;
2178 + ruleset->ht_key.block->rule_count--;
2179 ++ mutex_lock(&mlxsw_sp->acl->rules_lock);
2180 + list_del(&rule->list);
2181 ++ mutex_unlock(&mlxsw_sp->acl->rules_lock);
2182 + if (!ruleset->ht_key.chain_index &&
2183 + mlxsw_sp_acl_ruleset_is_singular(ruleset))
2184 + mlxsw_sp_acl_ruleset_block_unbind(mlxsw_sp, ruleset,
2185 +@@ -783,19 +789,18 @@ static int mlxsw_sp_acl_rules_activity_update(struct mlxsw_sp_acl *acl)
2186 + struct mlxsw_sp_acl_rule *rule;
2187 + int err;
2188 +
2189 +- /* Protect internal structures from changes */
2190 +- rtnl_lock();
2191 ++ mutex_lock(&acl->rules_lock);
2192 + list_for_each_entry(rule, &acl->rules, list) {
2193 + err = mlxsw_sp_acl_rule_activity_update(acl->mlxsw_sp,
2194 + rule);
2195 + if (err)
2196 + goto err_rule_update;
2197 + }
2198 +- rtnl_unlock();
2199 ++ mutex_unlock(&acl->rules_lock);
2200 + return 0;
2201 +
2202 + err_rule_update:
2203 +- rtnl_unlock();
2204 ++ mutex_unlock(&acl->rules_lock);
2205 + return err;
2206 + }
2207 +
2208 +@@ -880,6 +885,7 @@ int mlxsw_sp_acl_init(struct mlxsw_sp *mlxsw_sp)
2209 + acl->dummy_fid = fid;
2210 +
2211 + INIT_LIST_HEAD(&acl->rules);
2212 ++ mutex_init(&acl->rules_lock);
2213 + err = mlxsw_sp_acl_tcam_init(mlxsw_sp, &acl->tcam);
2214 + if (err)
2215 + goto err_acl_ops_init;
2216 +@@ -892,6 +898,7 @@ int mlxsw_sp_acl_init(struct mlxsw_sp *mlxsw_sp)
2217 + return 0;
2218 +
2219 + err_acl_ops_init:
2220 ++ mutex_destroy(&acl->rules_lock);
2221 + mlxsw_sp_fid_put(fid);
2222 + err_fid_get:
2223 + rhashtable_destroy(&acl->ruleset_ht);
2224 +@@ -908,6 +915,7 @@ void mlxsw_sp_acl_fini(struct mlxsw_sp *mlxsw_sp)
2225 +
2226 + cancel_delayed_work_sync(&mlxsw_sp->acl->rule_activity_update.dw);
2227 + mlxsw_sp_acl_tcam_fini(mlxsw_sp, &acl->tcam);
2228 ++ mutex_destroy(&acl->rules_lock);
2229 + WARN_ON(!list_empty(&acl->rules));
2230 + mlxsw_sp_fid_put(acl->dummy_fid);
2231 + rhashtable_destroy(&acl->ruleset_ht);
2232 +diff --git a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
2233 +index 1c14c051ee52..63e7a058b7c6 100644
2234 +--- a/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
2235 ++++ b/drivers/net/ethernet/mellanox/mlxsw/switchx2.c
2236 +@@ -299,22 +299,17 @@ static netdev_tx_t mlxsw_sx_port_xmit(struct sk_buff *skb,
2237 + u64 len;
2238 + int err;
2239 +
2240 ++ if (skb_cow_head(skb, MLXSW_TXHDR_LEN)) {
2241 ++ this_cpu_inc(mlxsw_sx_port->pcpu_stats->tx_dropped);
2242 ++ dev_kfree_skb_any(skb);
2243 ++ return NETDEV_TX_OK;
2244 ++ }
2245 ++
2246 + memset(skb->cb, 0, sizeof(struct mlxsw_skb_cb));
2247 +
2248 + if (mlxsw_core_skb_transmit_busy(mlxsw_sx->core, &tx_info))
2249 + return NETDEV_TX_BUSY;
2250 +
2251 +- if (unlikely(skb_headroom(skb) < MLXSW_TXHDR_LEN)) {
2252 +- struct sk_buff *skb_orig = skb;
2253 +-
2254 +- skb = skb_realloc_headroom(skb, MLXSW_TXHDR_LEN);
2255 +- if (!skb) {
2256 +- this_cpu_inc(mlxsw_sx_port->pcpu_stats->tx_dropped);
2257 +- dev_kfree_skb_any(skb_orig);
2258 +- return NETDEV_TX_OK;
2259 +- }
2260 +- dev_consume_skb_any(skb_orig);
2261 +- }
2262 + mlxsw_sx_txhdr_construct(skb, &tx_info);
2263 + /* TX header is consumed by HW on the way so we shouldn't count its
2264 + * bytes as being sent.
2265 +diff --git a/drivers/net/ethernet/natsemi/sonic.c b/drivers/net/ethernet/natsemi/sonic.c
2266 +index b339125b2f09..05e760444a92 100644
2267 +--- a/drivers/net/ethernet/natsemi/sonic.c
2268 ++++ b/drivers/net/ethernet/natsemi/sonic.c
2269 +@@ -64,6 +64,8 @@ static int sonic_open(struct net_device *dev)
2270 +
2271 + netif_dbg(lp, ifup, dev, "%s: initializing sonic driver\n", __func__);
2272 +
2273 ++ spin_lock_init(&lp->lock);
2274 ++
2275 + for (i = 0; i < SONIC_NUM_RRS; i++) {
2276 + struct sk_buff *skb = netdev_alloc_skb(dev, SONIC_RBSIZE + 2);
2277 + if (skb == NULL) {
2278 +@@ -114,6 +116,24 @@ static int sonic_open(struct net_device *dev)
2279 + return 0;
2280 + }
2281 +
2282 ++/* Wait for the SONIC to become idle. */
2283 ++static void sonic_quiesce(struct net_device *dev, u16 mask)
2284 ++{
2285 ++ struct sonic_local * __maybe_unused lp = netdev_priv(dev);
2286 ++ int i;
2287 ++ u16 bits;
2288 ++
2289 ++ for (i = 0; i < 1000; ++i) {
2290 ++ bits = SONIC_READ(SONIC_CMD) & mask;
2291 ++ if (!bits)
2292 ++ return;
2293 ++ if (irqs_disabled() || in_interrupt())
2294 ++ udelay(20);
2295 ++ else
2296 ++ usleep_range(100, 200);
2297 ++ }
2298 ++ WARN_ONCE(1, "command deadline expired! 0x%04x\n", bits);
2299 ++}
2300 +
2301 + /*
2302 + * Close the SONIC device
2303 +@@ -130,6 +150,9 @@ static int sonic_close(struct net_device *dev)
2304 + /*
2305 + * stop the SONIC, disable interrupts
2306 + */
2307 ++ SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS);
2308 ++ sonic_quiesce(dev, SONIC_CR_ALL);
2309 ++
2310 + SONIC_WRITE(SONIC_IMR, 0);
2311 + SONIC_WRITE(SONIC_ISR, 0x7fff);
2312 + SONIC_WRITE(SONIC_CMD, SONIC_CR_RST);
2313 +@@ -169,6 +192,9 @@ static void sonic_tx_timeout(struct net_device *dev)
2314 + * put the Sonic into software-reset mode and
2315 + * disable all interrupts before releasing DMA buffers
2316 + */
2317 ++ SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS);
2318 ++ sonic_quiesce(dev, SONIC_CR_ALL);
2319 ++
2320 + SONIC_WRITE(SONIC_IMR, 0);
2321 + SONIC_WRITE(SONIC_ISR, 0x7fff);
2322 + SONIC_WRITE(SONIC_CMD, SONIC_CR_RST);
2323 +@@ -206,8 +232,6 @@ static void sonic_tx_timeout(struct net_device *dev)
2324 + * wake the tx queue
2325 + * Concurrently with all of this, the SONIC is potentially writing to
2326 + * the status flags of the TDs.
2327 +- * Until some mutual exclusion is added, this code will not work with SMP. However,
2328 +- * MIPS Jazz machines and m68k Macs were all uni-processor machines.
2329 + */
2330 +
2331 + static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
2332 +@@ -215,7 +239,8 @@ static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
2333 + struct sonic_local *lp = netdev_priv(dev);
2334 + dma_addr_t laddr;
2335 + int length;
2336 +- int entry = lp->next_tx;
2337 ++ int entry;
2338 ++ unsigned long flags;
2339 +
2340 + netif_dbg(lp, tx_queued, dev, "%s: skb=%p\n", __func__, skb);
2341 +
2342 +@@ -237,6 +262,10 @@ static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
2343 + return NETDEV_TX_OK;
2344 + }
2345 +
2346 ++ spin_lock_irqsave(&lp->lock, flags);
2347 ++
2348 ++ entry = lp->next_tx;
2349 ++
2350 + sonic_tda_put(dev, entry, SONIC_TD_STATUS, 0); /* clear status */
2351 + sonic_tda_put(dev, entry, SONIC_TD_FRAG_COUNT, 1); /* single fragment */
2352 + sonic_tda_put(dev, entry, SONIC_TD_PKTSIZE, length); /* length of packet */
2353 +@@ -246,10 +275,6 @@ static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
2354 + sonic_tda_put(dev, entry, SONIC_TD_LINK,
2355 + sonic_tda_get(dev, entry, SONIC_TD_LINK) | SONIC_EOL);
2356 +
2357 +- /*
2358 +- * Must set tx_skb[entry] only after clearing status, and
2359 +- * before clearing EOL and before stopping queue
2360 +- */
2361 + wmb();
2362 + lp->tx_len[entry] = length;
2363 + lp->tx_laddr[entry] = laddr;
2364 +@@ -272,6 +297,8 @@ static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
2365 +
2366 + SONIC_WRITE(SONIC_CMD, SONIC_CR_TXP);
2367 +
2368 ++ spin_unlock_irqrestore(&lp->lock, flags);
2369 ++
2370 + return NETDEV_TX_OK;
2371 + }
2372 +
2373 +@@ -284,15 +311,28 @@ static irqreturn_t sonic_interrupt(int irq, void *dev_id)
2374 + struct net_device *dev = dev_id;
2375 + struct sonic_local *lp = netdev_priv(dev);
2376 + int status;
2377 ++ unsigned long flags;
2378 ++
2379 ++ /* The lock has two purposes. Firstly, it synchronizes sonic_interrupt()
2380 ++ * with sonic_send_packet() so that the two functions can share state.
2381 ++ * Secondly, it makes sonic_interrupt() re-entrant, as that is required
2382 ++ * by macsonic which must use two IRQs with different priority levels.
2383 ++ */
2384 ++ spin_lock_irqsave(&lp->lock, flags);
2385 ++
2386 ++ status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT;
2387 ++ if (!status) {
2388 ++ spin_unlock_irqrestore(&lp->lock, flags);
2389 +
2390 +- if (!(status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT))
2391 + return IRQ_NONE;
2392 ++ }
2393 +
2394 + do {
2395 ++ SONIC_WRITE(SONIC_ISR, status); /* clear the interrupt(s) */
2396 ++
2397 + if (status & SONIC_INT_PKTRX) {
2398 + netif_dbg(lp, intr, dev, "%s: packet rx\n", __func__);
2399 + sonic_rx(dev); /* got packet(s) */
2400 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_PKTRX); /* clear the interrupt */
2401 + }
2402 +
2403 + if (status & SONIC_INT_TXDN) {
2404 +@@ -300,11 +340,12 @@ static irqreturn_t sonic_interrupt(int irq, void *dev_id)
2405 + int td_status;
2406 + int freed_some = 0;
2407 +
2408 +- /* At this point, cur_tx is the index of a TD that is one of:
2409 +- * unallocated/freed (status set & tx_skb[entry] clear)
2410 +- * allocated and sent (status set & tx_skb[entry] set )
2411 +- * allocated and not yet sent (status clear & tx_skb[entry] set )
2412 +- * still being allocated by sonic_send_packet (status clear & tx_skb[entry] clear)
2413 ++ /* The state of a Transmit Descriptor may be inferred
2414 ++ * from { tx_skb[entry], td_status } as follows.
2415 ++ * { clear, clear } => the TD has never been used
2416 ++ * { set, clear } => the TD was handed to SONIC
2417 ++ * { set, set } => the TD was handed back
2418 ++ * { clear, set } => the TD is available for re-use
2419 + */
2420 +
2421 + netif_dbg(lp, intr, dev, "%s: tx done\n", __func__);
2422 +@@ -313,18 +354,19 @@ static irqreturn_t sonic_interrupt(int irq, void *dev_id)
2423 + if ((td_status = sonic_tda_get(dev, entry, SONIC_TD_STATUS)) == 0)
2424 + break;
2425 +
2426 +- if (td_status & 0x0001) {
2427 ++ if (td_status & SONIC_TCR_PTX) {
2428 + lp->stats.tx_packets++;
2429 + lp->stats.tx_bytes += sonic_tda_get(dev, entry, SONIC_TD_PKTSIZE);
2430 + } else {
2431 +- lp->stats.tx_errors++;
2432 +- if (td_status & 0x0642)
2433 ++ if (td_status & (SONIC_TCR_EXD |
2434 ++ SONIC_TCR_EXC | SONIC_TCR_BCM))
2435 + lp->stats.tx_aborted_errors++;
2436 +- if (td_status & 0x0180)
2437 ++ if (td_status &
2438 ++ (SONIC_TCR_NCRS | SONIC_TCR_CRLS))
2439 + lp->stats.tx_carrier_errors++;
2440 +- if (td_status & 0x0020)
2441 ++ if (td_status & SONIC_TCR_OWC)
2442 + lp->stats.tx_window_errors++;
2443 +- if (td_status & 0x0004)
2444 ++ if (td_status & SONIC_TCR_FU)
2445 + lp->stats.tx_fifo_errors++;
2446 + }
2447 +
2448 +@@ -346,7 +388,6 @@ static irqreturn_t sonic_interrupt(int irq, void *dev_id)
2449 + if (freed_some || lp->tx_skb[entry] == NULL)
2450 + netif_wake_queue(dev); /* The ring is no longer full */
2451 + lp->cur_tx = entry;
2452 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_TXDN); /* clear the interrupt */
2453 + }
2454 +
2455 + /*
2456 +@@ -355,42 +396,37 @@ static irqreturn_t sonic_interrupt(int irq, void *dev_id)
2457 + if (status & SONIC_INT_RFO) {
2458 + netif_dbg(lp, rx_err, dev, "%s: rx fifo overrun\n",
2459 + __func__);
2460 +- lp->stats.rx_fifo_errors++;
2461 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_RFO); /* clear the interrupt */
2462 + }
2463 + if (status & SONIC_INT_RDE) {
2464 + netif_dbg(lp, rx_err, dev, "%s: rx descriptors exhausted\n",
2465 + __func__);
2466 +- lp->stats.rx_dropped++;
2467 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_RDE); /* clear the interrupt */
2468 + }
2469 + if (status & SONIC_INT_RBAE) {
2470 + netif_dbg(lp, rx_err, dev, "%s: rx buffer area exceeded\n",
2471 + __func__);
2472 +- lp->stats.rx_dropped++;
2473 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_RBAE); /* clear the interrupt */
2474 + }
2475 +
2476 + /* counter overruns; all counters are 16bit wide */
2477 +- if (status & SONIC_INT_FAE) {
2478 ++ if (status & SONIC_INT_FAE)
2479 + lp->stats.rx_frame_errors += 65536;
2480 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_FAE); /* clear the interrupt */
2481 +- }
2482 +- if (status & SONIC_INT_CRC) {
2483 ++ if (status & SONIC_INT_CRC)
2484 + lp->stats.rx_crc_errors += 65536;
2485 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_CRC); /* clear the interrupt */
2486 +- }
2487 +- if (status & SONIC_INT_MP) {
2488 ++ if (status & SONIC_INT_MP)
2489 + lp->stats.rx_missed_errors += 65536;
2490 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_MP); /* clear the interrupt */
2491 +- }
2492 +
2493 + /* transmit error */
2494 + if (status & SONIC_INT_TXER) {
2495 +- if (SONIC_READ(SONIC_TCR) & SONIC_TCR_FU)
2496 +- netif_dbg(lp, tx_err, dev, "%s: tx fifo underrun\n",
2497 +- __func__);
2498 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_TXER); /* clear the interrupt */
2499 ++ u16 tcr = SONIC_READ(SONIC_TCR);
2500 ++
2501 ++ netif_dbg(lp, tx_err, dev, "%s: TXER intr, TCR %04x\n",
2502 ++ __func__, tcr);
2503 ++
2504 ++ if (tcr & (SONIC_TCR_EXD | SONIC_TCR_EXC |
2505 ++ SONIC_TCR_FU | SONIC_TCR_BCM)) {
2506 ++ /* Aborted transmission. Try again. */
2507 ++ netif_stop_queue(dev);
2508 ++ SONIC_WRITE(SONIC_CMD, SONIC_CR_TXP);
2509 ++ }
2510 + }
2511 +
2512 + /* bus retry */
2513 +@@ -400,107 +436,164 @@ static irqreturn_t sonic_interrupt(int irq, void *dev_id)
2514 + /* ... to help debug DMA problems causing endless interrupts. */
2515 + /* Bounce the eth interface to turn on the interrupt again. */
2516 + SONIC_WRITE(SONIC_IMR, 0);
2517 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_BR); /* clear the interrupt */
2518 + }
2519 +
2520 +- /* load CAM done */
2521 +- if (status & SONIC_INT_LCD)
2522 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_LCD); /* clear the interrupt */
2523 +- } while((status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT));
2524 ++ status = SONIC_READ(SONIC_ISR) & SONIC_IMR_DEFAULT;
2525 ++ } while (status);
2526 ++
2527 ++ spin_unlock_irqrestore(&lp->lock, flags);
2528 ++
2529 + return IRQ_HANDLED;
2530 + }
2531 +
2532 ++/* Return the array index corresponding to a given Receive Buffer pointer. */
2533 ++static int index_from_addr(struct sonic_local *lp, dma_addr_t addr,
2534 ++ unsigned int last)
2535 ++{
2536 ++ unsigned int i = last;
2537 ++
2538 ++ do {
2539 ++ i = (i + 1) & SONIC_RRS_MASK;
2540 ++ if (addr == lp->rx_laddr[i])
2541 ++ return i;
2542 ++ } while (i != last);
2543 ++
2544 ++ return -ENOENT;
2545 ++}
2546 ++
2547 ++/* Allocate and map a new skb to be used as a receive buffer. */
2548 ++static bool sonic_alloc_rb(struct net_device *dev, struct sonic_local *lp,
2549 ++ struct sk_buff **new_skb, dma_addr_t *new_addr)
2550 ++{
2551 ++ *new_skb = netdev_alloc_skb(dev, SONIC_RBSIZE + 2);
2552 ++ if (!*new_skb)
2553 ++ return false;
2554 ++
2555 ++ if (SONIC_BUS_SCALE(lp->dma_bitmode) == 2)
2556 ++ skb_reserve(*new_skb, 2);
2557 ++
2558 ++ *new_addr = dma_map_single(lp->device, skb_put(*new_skb, SONIC_RBSIZE),
2559 ++ SONIC_RBSIZE, DMA_FROM_DEVICE);
2560 ++ if (!*new_addr) {
2561 ++ dev_kfree_skb(*new_skb);
2562 ++ *new_skb = NULL;
2563 ++ return false;
2564 ++ }
2565 ++
2566 ++ return true;
2567 ++}
2568 ++
2569 ++/* Place a new receive resource in the Receive Resource Area and update RWP. */
2570 ++static void sonic_update_rra(struct net_device *dev, struct sonic_local *lp,
2571 ++ dma_addr_t old_addr, dma_addr_t new_addr)
2572 ++{
2573 ++ unsigned int entry = sonic_rr_entry(dev, SONIC_READ(SONIC_RWP));
2574 ++ unsigned int end = sonic_rr_entry(dev, SONIC_READ(SONIC_RRP));
2575 ++ u32 buf;
2576 ++
2577 ++ /* The resources in the range [RRP, RWP) belong to the SONIC. This loop
2578 ++ * scans the other resources in the RRA, those in the range [RWP, RRP).
2579 ++ */
2580 ++ do {
2581 ++ buf = (sonic_rra_get(dev, entry, SONIC_RR_BUFADR_H) << 16) |
2582 ++ sonic_rra_get(dev, entry, SONIC_RR_BUFADR_L);
2583 ++
2584 ++ if (buf == old_addr)
2585 ++ break;
2586 ++
2587 ++ entry = (entry + 1) & SONIC_RRS_MASK;
2588 ++ } while (entry != end);
2589 ++
2590 ++ WARN_ONCE(buf != old_addr, "failed to find resource!\n");
2591 ++
2592 ++ sonic_rra_put(dev, entry, SONIC_RR_BUFADR_H, new_addr >> 16);
2593 ++ sonic_rra_put(dev, entry, SONIC_RR_BUFADR_L, new_addr & 0xffff);
2594 ++
2595 ++ entry = (entry + 1) & SONIC_RRS_MASK;
2596 ++
2597 ++ SONIC_WRITE(SONIC_RWP, sonic_rr_addr(dev, entry));
2598 ++}
2599 ++
2600 + /*
2601 + * We have a good packet(s), pass it/them up the network stack.
2602 + */
2603 + static void sonic_rx(struct net_device *dev)
2604 + {
2605 + struct sonic_local *lp = netdev_priv(dev);
2606 +- int status;
2607 + int entry = lp->cur_rx;
2608 ++ int prev_entry = lp->eol_rx;
2609 ++ bool rbe = false;
2610 +
2611 + while (sonic_rda_get(dev, entry, SONIC_RD_IN_USE) == 0) {
2612 +- struct sk_buff *used_skb;
2613 +- struct sk_buff *new_skb;
2614 +- dma_addr_t new_laddr;
2615 +- u16 bufadr_l;
2616 +- u16 bufadr_h;
2617 +- int pkt_len;
2618 +-
2619 +- status = sonic_rda_get(dev, entry, SONIC_RD_STATUS);
2620 +- if (status & SONIC_RCR_PRX) {
2621 +- /* Malloc up new buffer. */
2622 +- new_skb = netdev_alloc_skb(dev, SONIC_RBSIZE + 2);
2623 +- if (new_skb == NULL) {
2624 +- lp->stats.rx_dropped++;
2625 ++ u16 status = sonic_rda_get(dev, entry, SONIC_RD_STATUS);
2626 ++
2627 ++ /* If the RD has LPKT set, the chip has finished with the RB */
2628 ++ if ((status & SONIC_RCR_PRX) && (status & SONIC_RCR_LPKT)) {
2629 ++ struct sk_buff *new_skb;
2630 ++ dma_addr_t new_laddr;
2631 ++ u32 addr = (sonic_rda_get(dev, entry,
2632 ++ SONIC_RD_PKTPTR_H) << 16) |
2633 ++ sonic_rda_get(dev, entry, SONIC_RD_PKTPTR_L);
2634 ++ int i = index_from_addr(lp, addr, entry);
2635 ++
2636 ++ if (i < 0) {
2637 ++ WARN_ONCE(1, "failed to find buffer!\n");
2638 + break;
2639 + }
2640 +- /* provide 16 byte IP header alignment unless DMA requires otherwise */
2641 +- if(SONIC_BUS_SCALE(lp->dma_bitmode) == 2)
2642 +- skb_reserve(new_skb, 2);
2643 +-
2644 +- new_laddr = dma_map_single(lp->device, skb_put(new_skb, SONIC_RBSIZE),
2645 +- SONIC_RBSIZE, DMA_FROM_DEVICE);
2646 +- if (!new_laddr) {
2647 +- dev_kfree_skb(new_skb);
2648 +- printk(KERN_ERR "%s: Failed to map rx buffer, dropping packet.\n", dev->name);
2649 ++
2650 ++ if (sonic_alloc_rb(dev, lp, &new_skb, &new_laddr)) {
2651 ++ struct sk_buff *used_skb = lp->rx_skb[i];
2652 ++ int pkt_len;
2653 ++
2654 ++ /* Pass the used buffer up the stack */
2655 ++ dma_unmap_single(lp->device, addr, SONIC_RBSIZE,
2656 ++ DMA_FROM_DEVICE);
2657 ++
2658 ++ pkt_len = sonic_rda_get(dev, entry,
2659 ++ SONIC_RD_PKTLEN);
2660 ++ skb_trim(used_skb, pkt_len);
2661 ++ used_skb->protocol = eth_type_trans(used_skb,
2662 ++ dev);
2663 ++ netif_rx(used_skb);
2664 ++ lp->stats.rx_packets++;
2665 ++ lp->stats.rx_bytes += pkt_len;
2666 ++
2667 ++ lp->rx_skb[i] = new_skb;
2668 ++ lp->rx_laddr[i] = new_laddr;
2669 ++ } else {
2670 ++ /* Failed to obtain a new buffer so re-use it */
2671 ++ new_laddr = addr;
2672 + lp->stats.rx_dropped++;
2673 +- break;
2674 + }
2675 +-
2676 +- /* now we have a new skb to replace it, pass the used one up the stack */
2677 +- dma_unmap_single(lp->device, lp->rx_laddr[entry], SONIC_RBSIZE, DMA_FROM_DEVICE);
2678 +- used_skb = lp->rx_skb[entry];
2679 +- pkt_len = sonic_rda_get(dev, entry, SONIC_RD_PKTLEN);
2680 +- skb_trim(used_skb, pkt_len);
2681 +- used_skb->protocol = eth_type_trans(used_skb, dev);
2682 +- netif_rx(used_skb);
2683 +- lp->stats.rx_packets++;
2684 +- lp->stats.rx_bytes += pkt_len;
2685 +-
2686 +- /* and insert the new skb */
2687 +- lp->rx_laddr[entry] = new_laddr;
2688 +- lp->rx_skb[entry] = new_skb;
2689 +-
2690 +- bufadr_l = (unsigned long)new_laddr & 0xffff;
2691 +- bufadr_h = (unsigned long)new_laddr >> 16;
2692 +- sonic_rra_put(dev, entry, SONIC_RR_BUFADR_L, bufadr_l);
2693 +- sonic_rra_put(dev, entry, SONIC_RR_BUFADR_H, bufadr_h);
2694 +- } else {
2695 +- /* This should only happen, if we enable accepting broken packets. */
2696 +- lp->stats.rx_errors++;
2697 +- if (status & SONIC_RCR_FAER)
2698 +- lp->stats.rx_frame_errors++;
2699 +- if (status & SONIC_RCR_CRCR)
2700 +- lp->stats.rx_crc_errors++;
2701 +- }
2702 +- if (status & SONIC_RCR_LPKT) {
2703 +- /*
2704 +- * this was the last packet out of the current receive buffer
2705 +- * give the buffer back to the SONIC
2706 ++ /* If RBE is already asserted when RWP advances then
2707 ++ * it's safe to clear RBE after processing this packet.
2708 + */
2709 +- lp->cur_rwp += SIZEOF_SONIC_RR * SONIC_BUS_SCALE(lp->dma_bitmode);
2710 +- if (lp->cur_rwp >= lp->rra_end) lp->cur_rwp = lp->rra_laddr & 0xffff;
2711 +- SONIC_WRITE(SONIC_RWP, lp->cur_rwp);
2712 +- if (SONIC_READ(SONIC_ISR) & SONIC_INT_RBE) {
2713 +- netif_dbg(lp, rx_err, dev, "%s: rx buffer exhausted\n",
2714 +- __func__);
2715 +- SONIC_WRITE(SONIC_ISR, SONIC_INT_RBE); /* clear the flag */
2716 +- }
2717 +- } else
2718 +- printk(KERN_ERR "%s: rx desc without RCR_LPKT. Shouldn't happen !?\n",
2719 +- dev->name);
2720 ++ rbe = rbe || SONIC_READ(SONIC_ISR) & SONIC_INT_RBE;
2721 ++ sonic_update_rra(dev, lp, addr, new_laddr);
2722 ++ }
2723 + /*
2724 + * give back the descriptor
2725 + */
2726 +- sonic_rda_put(dev, entry, SONIC_RD_LINK,
2727 +- sonic_rda_get(dev, entry, SONIC_RD_LINK) | SONIC_EOL);
2728 ++ sonic_rda_put(dev, entry, SONIC_RD_STATUS, 0);
2729 + sonic_rda_put(dev, entry, SONIC_RD_IN_USE, 1);
2730 +- sonic_rda_put(dev, lp->eol_rx, SONIC_RD_LINK,
2731 +- sonic_rda_get(dev, lp->eol_rx, SONIC_RD_LINK) & ~SONIC_EOL);
2732 +- lp->eol_rx = entry;
2733 +- lp->cur_rx = entry = (entry + 1) & SONIC_RDS_MASK;
2734 ++
2735 ++ prev_entry = entry;
2736 ++ entry = (entry + 1) & SONIC_RDS_MASK;
2737 ++ }
2738 ++
2739 ++ lp->cur_rx = entry;
2740 ++
2741 ++ if (prev_entry != lp->eol_rx) {
2742 ++ /* Advance the EOL flag to put descriptors back into service */
2743 ++ sonic_rda_put(dev, prev_entry, SONIC_RD_LINK, SONIC_EOL |
2744 ++ sonic_rda_get(dev, prev_entry, SONIC_RD_LINK));
2745 ++ sonic_rda_put(dev, lp->eol_rx, SONIC_RD_LINK, ~SONIC_EOL &
2746 ++ sonic_rda_get(dev, lp->eol_rx, SONIC_RD_LINK));
2747 ++ lp->eol_rx = prev_entry;
2748 + }
2749 ++
2750 ++ if (rbe)
2751 ++ SONIC_WRITE(SONIC_ISR, SONIC_INT_RBE);
2752 + /*
2753 + * If any worth-while packets have been received, netif_rx()
2754 + * has done a mark_bh(NET_BH) for us and will work on them
2755 +@@ -550,6 +643,8 @@ static void sonic_multicast_list(struct net_device *dev)
2756 + (netdev_mc_count(dev) > 15)) {
2757 + rcr |= SONIC_RCR_AMC;
2758 + } else {
2759 ++ unsigned long flags;
2760 ++
2761 + netif_dbg(lp, ifup, dev, "%s: mc_count %d\n", __func__,
2762 + netdev_mc_count(dev));
2763 + sonic_set_cam_enable(dev, 1); /* always enable our own address */
2764 +@@ -563,9 +658,14 @@ static void sonic_multicast_list(struct net_device *dev)
2765 + i++;
2766 + }
2767 + SONIC_WRITE(SONIC_CDC, 16);
2768 +- /* issue Load CAM command */
2769 + SONIC_WRITE(SONIC_CDP, lp->cda_laddr & 0xffff);
2770 ++
2771 ++ /* LCAM and TXP commands can't be used simultaneously */
2772 ++ spin_lock_irqsave(&lp->lock, flags);
2773 ++ sonic_quiesce(dev, SONIC_CR_TXP);
2774 + SONIC_WRITE(SONIC_CMD, SONIC_CR_LCAM);
2775 ++ sonic_quiesce(dev, SONIC_CR_LCAM);
2776 ++ spin_unlock_irqrestore(&lp->lock, flags);
2777 + }
2778 + }
2779 +
2780 +@@ -580,7 +680,6 @@ static void sonic_multicast_list(struct net_device *dev)
2781 + */
2782 + static int sonic_init(struct net_device *dev)
2783 + {
2784 +- unsigned int cmd;
2785 + struct sonic_local *lp = netdev_priv(dev);
2786 + int i;
2787 +
2788 +@@ -592,12 +691,16 @@ static int sonic_init(struct net_device *dev)
2789 + SONIC_WRITE(SONIC_ISR, 0x7fff);
2790 + SONIC_WRITE(SONIC_CMD, SONIC_CR_RST);
2791 +
2792 ++ /* While in reset mode, clear CAM Enable register */
2793 ++ SONIC_WRITE(SONIC_CE, 0);
2794 ++
2795 + /*
2796 + * clear software reset flag, disable receiver, clear and
2797 + * enable interrupts, then completely initialize the SONIC
2798 + */
2799 + SONIC_WRITE(SONIC_CMD, 0);
2800 +- SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS);
2801 ++ SONIC_WRITE(SONIC_CMD, SONIC_CR_RXDIS | SONIC_CR_STP);
2802 ++ sonic_quiesce(dev, SONIC_CR_ALL);
2803 +
2804 + /*
2805 + * initialize the receive resource area
2806 +@@ -615,15 +718,10 @@ static int sonic_init(struct net_device *dev)
2807 + }
2808 +
2809 + /* initialize all RRA registers */
2810 +- lp->rra_end = (lp->rra_laddr + SONIC_NUM_RRS * SIZEOF_SONIC_RR *
2811 +- SONIC_BUS_SCALE(lp->dma_bitmode)) & 0xffff;
2812 +- lp->cur_rwp = (lp->rra_laddr + (SONIC_NUM_RRS - 1) * SIZEOF_SONIC_RR *
2813 +- SONIC_BUS_SCALE(lp->dma_bitmode)) & 0xffff;
2814 +-
2815 +- SONIC_WRITE(SONIC_RSA, lp->rra_laddr & 0xffff);
2816 +- SONIC_WRITE(SONIC_REA, lp->rra_end);
2817 +- SONIC_WRITE(SONIC_RRP, lp->rra_laddr & 0xffff);
2818 +- SONIC_WRITE(SONIC_RWP, lp->cur_rwp);
2819 ++ SONIC_WRITE(SONIC_RSA, sonic_rr_addr(dev, 0));
2820 ++ SONIC_WRITE(SONIC_REA, sonic_rr_addr(dev, SONIC_NUM_RRS));
2821 ++ SONIC_WRITE(SONIC_RRP, sonic_rr_addr(dev, 0));
2822 ++ SONIC_WRITE(SONIC_RWP, sonic_rr_addr(dev, SONIC_NUM_RRS - 1));
2823 + SONIC_WRITE(SONIC_URRA, lp->rra_laddr >> 16);
2824 + SONIC_WRITE(SONIC_EOBC, (SONIC_RBSIZE >> 1) - (lp->dma_bitmode ? 2 : 1));
2825 +
2826 +@@ -631,14 +729,7 @@ static int sonic_init(struct net_device *dev)
2827 + netif_dbg(lp, ifup, dev, "%s: issuing RRRA command\n", __func__);
2828 +
2829 + SONIC_WRITE(SONIC_CMD, SONIC_CR_RRRA);
2830 +- i = 0;
2831 +- while (i++ < 100) {
2832 +- if (SONIC_READ(SONIC_CMD) & SONIC_CR_RRRA)
2833 +- break;
2834 +- }
2835 +-
2836 +- netif_dbg(lp, ifup, dev, "%s: status=%x, i=%d\n", __func__,
2837 +- SONIC_READ(SONIC_CMD), i);
2838 ++ sonic_quiesce(dev, SONIC_CR_RRRA);
2839 +
2840 + /*
2841 + * Initialize the receive descriptors so that they
2842 +@@ -713,28 +804,17 @@ static int sonic_init(struct net_device *dev)
2843 + * load the CAM
2844 + */
2845 + SONIC_WRITE(SONIC_CMD, SONIC_CR_LCAM);
2846 +-
2847 +- i = 0;
2848 +- while (i++ < 100) {
2849 +- if (SONIC_READ(SONIC_ISR) & SONIC_INT_LCD)
2850 +- break;
2851 +- }
2852 +- netif_dbg(lp, ifup, dev, "%s: CMD=%x, ISR=%x, i=%d\n", __func__,
2853 +- SONIC_READ(SONIC_CMD), SONIC_READ(SONIC_ISR), i);
2854 ++ sonic_quiesce(dev, SONIC_CR_LCAM);
2855 +
2856 + /*
2857 + * enable receiver, disable loopback
2858 + * and enable all interrupts
2859 + */
2860 +- SONIC_WRITE(SONIC_CMD, SONIC_CR_RXEN | SONIC_CR_STP);
2861 + SONIC_WRITE(SONIC_RCR, SONIC_RCR_DEFAULT);
2862 + SONIC_WRITE(SONIC_TCR, SONIC_TCR_DEFAULT);
2863 + SONIC_WRITE(SONIC_ISR, 0x7fff);
2864 + SONIC_WRITE(SONIC_IMR, SONIC_IMR_DEFAULT);
2865 +-
2866 +- cmd = SONIC_READ(SONIC_CMD);
2867 +- if ((cmd & SONIC_CR_RXEN) == 0 || (cmd & SONIC_CR_STP) == 0)
2868 +- printk(KERN_ERR "sonic_init: failed, status=%x\n", cmd);
2869 ++ SONIC_WRITE(SONIC_CMD, SONIC_CR_RXEN);
2870 +
2871 + netif_dbg(lp, ifup, dev, "%s: new status=%x\n", __func__,
2872 + SONIC_READ(SONIC_CMD));
2873 +diff --git a/drivers/net/ethernet/natsemi/sonic.h b/drivers/net/ethernet/natsemi/sonic.h
2874 +index 2b27f7049acb..1df6d2f06cc4 100644
2875 +--- a/drivers/net/ethernet/natsemi/sonic.h
2876 ++++ b/drivers/net/ethernet/natsemi/sonic.h
2877 +@@ -110,6 +110,9 @@
2878 + #define SONIC_CR_TXP 0x0002
2879 + #define SONIC_CR_HTX 0x0001
2880 +
2881 ++#define SONIC_CR_ALL (SONIC_CR_LCAM | SONIC_CR_RRRA | \
2882 ++ SONIC_CR_RXEN | SONIC_CR_TXP)
2883 ++
2884 + /*
2885 + * SONIC data configuration bits
2886 + */
2887 +@@ -175,6 +178,7 @@
2888 + #define SONIC_TCR_NCRS 0x0100
2889 + #define SONIC_TCR_CRLS 0x0080
2890 + #define SONIC_TCR_EXC 0x0040
2891 ++#define SONIC_TCR_OWC 0x0020
2892 + #define SONIC_TCR_PMB 0x0008
2893 + #define SONIC_TCR_FU 0x0004
2894 + #define SONIC_TCR_BCM 0x0002
2895 +@@ -274,8 +278,9 @@
2896 + #define SONIC_NUM_RDS SONIC_NUM_RRS /* number of receive descriptors */
2897 + #define SONIC_NUM_TDS 16 /* number of transmit descriptors */
2898 +
2899 +-#define SONIC_RDS_MASK (SONIC_NUM_RDS-1)
2900 +-#define SONIC_TDS_MASK (SONIC_NUM_TDS-1)
2901 ++#define SONIC_RRS_MASK (SONIC_NUM_RRS - 1)
2902 ++#define SONIC_RDS_MASK (SONIC_NUM_RDS - 1)
2903 ++#define SONIC_TDS_MASK (SONIC_NUM_TDS - 1)
2904 +
2905 + #define SONIC_RBSIZE 1520 /* size of one resource buffer */
2906 +
2907 +@@ -312,8 +317,6 @@ struct sonic_local {
2908 + u32 rda_laddr; /* logical DMA address of RDA */
2909 + dma_addr_t rx_laddr[SONIC_NUM_RRS]; /* logical DMA addresses of rx skbuffs */
2910 + dma_addr_t tx_laddr[SONIC_NUM_TDS]; /* logical DMA addresses of tx skbuffs */
2911 +- unsigned int rra_end;
2912 +- unsigned int cur_rwp;
2913 + unsigned int cur_rx;
2914 + unsigned int cur_tx; /* first unacked transmit packet */
2915 + unsigned int eol_rx;
2916 +@@ -322,6 +325,7 @@ struct sonic_local {
2917 + int msg_enable;
2918 + struct device *device; /* generic device */
2919 + struct net_device_stats stats;
2920 ++ spinlock_t lock;
2921 + };
2922 +
2923 + #define TX_TIMEOUT (3 * HZ)
2924 +@@ -344,30 +348,30 @@ static void sonic_msg_init(struct net_device *dev);
2925 + as far as we can tell. */
2926 + /* OpenBSD calls this "SWO". I'd like to think that sonic_buf_put()
2927 + is a much better name. */
2928 +-static inline void sonic_buf_put(void* base, int bitmode,
2929 ++static inline void sonic_buf_put(u16 *base, int bitmode,
2930 + int offset, __u16 val)
2931 + {
2932 + if (bitmode)
2933 + #ifdef __BIG_ENDIAN
2934 +- ((__u16 *) base + (offset*2))[1] = val;
2935 ++ __raw_writew(val, base + (offset * 2) + 1);
2936 + #else
2937 +- ((__u16 *) base + (offset*2))[0] = val;
2938 ++ __raw_writew(val, base + (offset * 2) + 0);
2939 + #endif
2940 + else
2941 +- ((__u16 *) base)[offset] = val;
2942 ++ __raw_writew(val, base + (offset * 1) + 0);
2943 + }
2944 +
2945 +-static inline __u16 sonic_buf_get(void* base, int bitmode,
2946 ++static inline __u16 sonic_buf_get(u16 *base, int bitmode,
2947 + int offset)
2948 + {
2949 + if (bitmode)
2950 + #ifdef __BIG_ENDIAN
2951 +- return ((volatile __u16 *) base + (offset*2))[1];
2952 ++ return __raw_readw(base + (offset * 2) + 1);
2953 + #else
2954 +- return ((volatile __u16 *) base + (offset*2))[0];
2955 ++ return __raw_readw(base + (offset * 2) + 0);
2956 + #endif
2957 + else
2958 +- return ((volatile __u16 *) base)[offset];
2959 ++ return __raw_readw(base + (offset * 1) + 0);
2960 + }
2961 +
2962 + /* Inlines that you should actually use for reading/writing DMA buffers */
2963 +@@ -447,6 +451,22 @@ static inline __u16 sonic_rra_get(struct net_device* dev, int entry,
2964 + (entry * SIZEOF_SONIC_RR) + offset);
2965 + }
2966 +
2967 ++static inline u16 sonic_rr_addr(struct net_device *dev, int entry)
2968 ++{
2969 ++ struct sonic_local *lp = netdev_priv(dev);
2970 ++
2971 ++ return lp->rra_laddr +
2972 ++ entry * SIZEOF_SONIC_RR * SONIC_BUS_SCALE(lp->dma_bitmode);
2973 ++}
2974 ++
2975 ++static inline u16 sonic_rr_entry(struct net_device *dev, u16 addr)
2976 ++{
2977 ++ struct sonic_local *lp = netdev_priv(dev);
2978 ++
2979 ++ return (addr - (u16)lp->rra_laddr) / (SIZEOF_SONIC_RR *
2980 ++ SONIC_BUS_SCALE(lp->dma_bitmode));
2981 ++}
2982 ++
2983 + static const char version[] =
2984 + "sonic.c:v0.92 20.9.98 tsbogend@×××××××××××××.de\n";
2985 +
2986 +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
2987 +index f6222ada6818..9b3ba98726d7 100644
2988 +--- a/drivers/net/gtp.c
2989 ++++ b/drivers/net/gtp.c
2990 +@@ -804,19 +804,21 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
2991 + return NULL;
2992 + }
2993 +
2994 +- if (sock->sk->sk_protocol != IPPROTO_UDP) {
2995 ++ sk = sock->sk;
2996 ++ if (sk->sk_protocol != IPPROTO_UDP ||
2997 ++ sk->sk_type != SOCK_DGRAM ||
2998 ++ (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)) {
2999 + pr_debug("socket fd=%d not UDP\n", fd);
3000 + sk = ERR_PTR(-EINVAL);
3001 + goto out_sock;
3002 + }
3003 +
3004 +- lock_sock(sock->sk);
3005 +- if (sock->sk->sk_user_data) {
3006 ++ lock_sock(sk);
3007 ++ if (sk->sk_user_data) {
3008 + sk = ERR_PTR(-EBUSY);
3009 + goto out_rel_sock;
3010 + }
3011 +
3012 +- sk = sock->sk;
3013 + sock_hold(sk);
3014 +
3015 + tuncfg.sk_user_data = gtp;
3016 +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
3017 +index 2a91c192659f..61d7e0d1d77d 100644
3018 +--- a/drivers/net/slip/slip.c
3019 ++++ b/drivers/net/slip/slip.c
3020 +@@ -452,9 +452,16 @@ static void slip_transmit(struct work_struct *work)
3021 + */
3022 + static void slip_write_wakeup(struct tty_struct *tty)
3023 + {
3024 +- struct slip *sl = tty->disc_data;
3025 ++ struct slip *sl;
3026 ++
3027 ++ rcu_read_lock();
3028 ++ sl = rcu_dereference(tty->disc_data);
3029 ++ if (!sl)
3030 ++ goto out;
3031 +
3032 + schedule_work(&sl->tx_work);
3033 ++out:
3034 ++ rcu_read_unlock();
3035 + }
3036 +
3037 + static void sl_tx_timeout(struct net_device *dev)
3038 +@@ -882,10 +889,11 @@ static void slip_close(struct tty_struct *tty)
3039 + return;
3040 +
3041 + spin_lock_bh(&sl->lock);
3042 +- tty->disc_data = NULL;
3043 ++ rcu_assign_pointer(tty->disc_data, NULL);
3044 + sl->tty = NULL;
3045 + spin_unlock_bh(&sl->lock);
3046 +
3047 ++ synchronize_rcu();
3048 + flush_work(&sl->tx_work);
3049 +
3050 + /* VSV = very important to remove timers */
3051 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
3052 +index 16564ebcde50..69f553a028ee 100644
3053 +--- a/drivers/net/tun.c
3054 ++++ b/drivers/net/tun.c
3055 +@@ -1936,6 +1936,10 @@ drop:
3056 + if (ret != XDP_PASS) {
3057 + rcu_read_unlock();
3058 + local_bh_enable();
3059 ++ if (frags) {
3060 ++ tfile->napi.skb = NULL;
3061 ++ mutex_unlock(&tfile->napi_mutex);
3062 ++ }
3063 + return total_len;
3064 + }
3065 + }
3066 +diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
3067 +index c232f1612083..0170a441208a 100644
3068 +--- a/drivers/net/usb/lan78xx.c
3069 ++++ b/drivers/net/usb/lan78xx.c
3070 +@@ -20,6 +20,7 @@
3071 + #include <linux/mdio.h>
3072 + #include <linux/phy.h>
3073 + #include <net/ip6_checksum.h>
3074 ++#include <net/vxlan.h>
3075 + #include <linux/interrupt.h>
3076 + #include <linux/irqdomain.h>
3077 + #include <linux/irq.h>
3078 +@@ -3668,6 +3669,19 @@ static void lan78xx_tx_timeout(struct net_device *net)
3079 + tasklet_schedule(&dev->bh);
3080 + }
3081 +
3082 ++static netdev_features_t lan78xx_features_check(struct sk_buff *skb,
3083 ++ struct net_device *netdev,
3084 ++ netdev_features_t features)
3085 ++{
3086 ++ if (skb->len + TX_OVERHEAD > MAX_SINGLE_PACKET_SIZE)
3087 ++ features &= ~NETIF_F_GSO_MASK;
3088 ++
3089 ++ features = vlan_features_check(skb, features);
3090 ++ features = vxlan_features_check(skb, features);
3091 ++
3092 ++ return features;
3093 ++}
3094 ++
3095 + static const struct net_device_ops lan78xx_netdev_ops = {
3096 + .ndo_open = lan78xx_open,
3097 + .ndo_stop = lan78xx_stop,
3098 +@@ -3681,6 +3695,7 @@ static const struct net_device_ops lan78xx_netdev_ops = {
3099 + .ndo_set_features = lan78xx_set_features,
3100 + .ndo_vlan_rx_add_vid = lan78xx_vlan_rx_add_vid,
3101 + .ndo_vlan_rx_kill_vid = lan78xx_vlan_rx_kill_vid,
3102 ++ .ndo_features_check = lan78xx_features_check,
3103 + };
3104 +
3105 + static void lan78xx_stat_monitor(struct timer_list *t)
3106 +diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
3107 +index f43c06569ea1..c4c8f1b62e1e 100644
3108 +--- a/drivers/net/wireless/cisco/airo.c
3109 ++++ b/drivers/net/wireless/cisco/airo.c
3110 +@@ -7790,16 +7790,8 @@ static int readrids(struct net_device *dev, aironet_ioctl *comp) {
3111 + case AIROGVLIST: ridcode = RID_APLIST; break;
3112 + case AIROGDRVNAM: ridcode = RID_DRVNAME; break;
3113 + case AIROGEHTENC: ridcode = RID_ETHERENCAP; break;
3114 +- case AIROGWEPKTMP: ridcode = RID_WEP_TEMP;
3115 +- /* Only super-user can read WEP keys */
3116 +- if (!capable(CAP_NET_ADMIN))
3117 +- return -EPERM;
3118 +- break;
3119 +- case AIROGWEPKNV: ridcode = RID_WEP_PERM;
3120 +- /* Only super-user can read WEP keys */
3121 +- if (!capable(CAP_NET_ADMIN))
3122 +- return -EPERM;
3123 +- break;
3124 ++ case AIROGWEPKTMP: ridcode = RID_WEP_TEMP; break;
3125 ++ case AIROGWEPKNV: ridcode = RID_WEP_PERM; break;
3126 + case AIROGSTAT: ridcode = RID_STATUS; break;
3127 + case AIROGSTATSD32: ridcode = RID_STATSDELTA; break;
3128 + case AIROGSTATSC32: ridcode = RID_STATS; break;
3129 +@@ -7813,7 +7805,13 @@ static int readrids(struct net_device *dev, aironet_ioctl *comp) {
3130 + return -EINVAL;
3131 + }
3132 +
3133 +- if ((iobuf = kmalloc(RIDSIZE, GFP_KERNEL)) == NULL)
3134 ++ if (ridcode == RID_WEP_TEMP || ridcode == RID_WEP_PERM) {
3135 ++ /* Only super-user can read WEP keys */
3136 ++ if (!capable(CAP_NET_ADMIN))
3137 ++ return -EPERM;
3138 ++ }
3139 ++
3140 ++ if ((iobuf = kzalloc(RIDSIZE, GFP_KERNEL)) == NULL)
3141 + return -ENOMEM;
3142 +
3143 + PC4500_readrid(ai,ridcode,iobuf,RIDSIZE, 1);
3144 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/constants.h b/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
3145 +index 60aff2ecec12..58df25e2fb32 100644
3146 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
3147 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/constants.h
3148 +@@ -154,5 +154,6 @@
3149 + #define IWL_MVM_D3_DEBUG false
3150 + #define IWL_MVM_USE_TWT false
3151 + #define IWL_MVM_AMPDU_CONSEC_DROPS_DELBA 10
3152 ++#define IWL_MVM_USE_NSSN_SYNC 0
3153 +
3154 + #endif /* __MVM_CONSTANTS_H */
3155 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
3156 +index d31f96c3f925..49aeab7c27a2 100644
3157 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
3158 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
3159 +@@ -742,6 +742,20 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
3160 + return ret;
3161 + }
3162 +
3163 ++static void iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
3164 ++ struct ieee80211_sta *sta)
3165 ++{
3166 ++ if (likely(sta)) {
3167 ++ if (likely(iwl_mvm_tx_skb_sta(mvm, skb, sta) == 0))
3168 ++ return;
3169 ++ } else {
3170 ++ if (likely(iwl_mvm_tx_skb_non_sta(mvm, skb) == 0))
3171 ++ return;
3172 ++ }
3173 ++
3174 ++ ieee80211_free_txskb(mvm->hw, skb);
3175 ++}
3176 ++
3177 + static void iwl_mvm_mac_tx(struct ieee80211_hw *hw,
3178 + struct ieee80211_tx_control *control,
3179 + struct sk_buff *skb)
3180 +@@ -785,14 +799,7 @@ static void iwl_mvm_mac_tx(struct ieee80211_hw *hw,
3181 + }
3182 + }
3183 +
3184 +- if (sta) {
3185 +- if (iwl_mvm_tx_skb(mvm, skb, sta))
3186 +- goto drop;
3187 +- return;
3188 +- }
3189 +-
3190 +- if (iwl_mvm_tx_skb_non_sta(mvm, skb))
3191 +- goto drop;
3192 ++ iwl_mvm_tx_skb(mvm, skb, sta);
3193 + return;
3194 + drop:
3195 + ieee80211_free_txskb(hw, skb);
3196 +@@ -842,10 +849,7 @@ void iwl_mvm_mac_itxq_xmit(struct ieee80211_hw *hw, struct ieee80211_txq *txq)
3197 + break;
3198 + }
3199 +
3200 +- if (!txq->sta)
3201 +- iwl_mvm_tx_skb_non_sta(mvm, skb);
3202 +- else
3203 +- iwl_mvm_tx_skb(mvm, skb, txq->sta);
3204 ++ iwl_mvm_tx_skb(mvm, skb, txq->sta);
3205 + }
3206 + } while (atomic_dec_return(&mvmtxq->tx_request));
3207 + rcu_read_unlock();
3208 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
3209 +index 5ca50f39a023..5f1ecbb6fb71 100644
3210 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
3211 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
3212 +@@ -1508,8 +1508,8 @@ int __must_check iwl_mvm_send_cmd_status(struct iwl_mvm *mvm,
3213 + int __must_check iwl_mvm_send_cmd_pdu_status(struct iwl_mvm *mvm, u32 id,
3214 + u16 len, const void *data,
3215 + u32 *status);
3216 +-int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
3217 +- struct ieee80211_sta *sta);
3218 ++int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
3219 ++ struct ieee80211_sta *sta);
3220 + int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb);
3221 + void iwl_mvm_set_tx_cmd(struct iwl_mvm *mvm, struct sk_buff *skb,
3222 + struct iwl_tx_cmd *tx_cmd,
3223 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
3224 +index 77b03b757193..a6e2a30eb310 100644
3225 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
3226 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
3227 +@@ -514,14 +514,17 @@ static bool iwl_mvm_is_sn_less(u16 sn1, u16 sn2, u16 buffer_size)
3228 +
3229 + static void iwl_mvm_sync_nssn(struct iwl_mvm *mvm, u8 baid, u16 nssn)
3230 + {
3231 +- struct iwl_mvm_rss_sync_notif notif = {
3232 +- .metadata.type = IWL_MVM_RXQ_NSSN_SYNC,
3233 +- .metadata.sync = 0,
3234 +- .nssn_sync.baid = baid,
3235 +- .nssn_sync.nssn = nssn,
3236 +- };
3237 +-
3238 +- iwl_mvm_sync_rx_queues_internal(mvm, (void *)&notif, sizeof(notif));
3239 ++ if (IWL_MVM_USE_NSSN_SYNC) {
3240 ++ struct iwl_mvm_rss_sync_notif notif = {
3241 ++ .metadata.type = IWL_MVM_RXQ_NSSN_SYNC,
3242 ++ .metadata.sync = 0,
3243 ++ .nssn_sync.baid = baid,
3244 ++ .nssn_sync.nssn = nssn,
3245 ++ };
3246 ++
3247 ++ iwl_mvm_sync_rx_queues_internal(mvm, (void *)&notif,
3248 ++ sizeof(notif));
3249 ++ }
3250 + }
3251 +
3252 + #define RX_REORDER_BUF_TIMEOUT_MQ (HZ / 10)
3253 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
3254 +index fcafa22ec6ce..8aa567d7912c 100644
3255 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
3256 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
3257 +@@ -1220,7 +1220,7 @@ static int iwl_mvm_legacy_config_scan(struct iwl_mvm *mvm)
3258 + cmd_size = sizeof(struct iwl_scan_config_v2);
3259 + else
3260 + cmd_size = sizeof(struct iwl_scan_config_v1);
3261 +- cmd_size += num_channels;
3262 ++ cmd_size += mvm->fw->ucode_capa.n_scan_channels;
3263 +
3264 + cfg = kzalloc(cmd_size, GFP_KERNEL);
3265 + if (!cfg)
3266 +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
3267 +index e3b2a2bf3863..d9d82f6b5e87 100644
3268 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
3269 ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
3270 +@@ -1151,7 +1151,7 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
3271 + if (WARN_ONCE(txq_id == IWL_MVM_INVALID_QUEUE, "Invalid TXQ id")) {
3272 + iwl_trans_free_tx_cmd(mvm->trans, dev_cmd);
3273 + spin_unlock(&mvmsta->lock);
3274 +- return 0;
3275 ++ return -1;
3276 + }
3277 +
3278 + if (!iwl_mvm_has_new_tx_api(mvm)) {
3279 +@@ -1203,8 +1203,8 @@ drop:
3280 + return -1;
3281 + }
3282 +
3283 +-int iwl_mvm_tx_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
3284 +- struct ieee80211_sta *sta)
3285 ++int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
3286 ++ struct ieee80211_sta *sta)
3287 + {
3288 + struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
3289 + struct ieee80211_tx_info info;
3290 +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
3291 +index 041dd75ac72b..64c74acadb99 100644
3292 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
3293 ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/rx.c
3294 +@@ -1537,13 +1537,13 @@ out:
3295 +
3296 + napi = &rxq->napi;
3297 + if (napi->poll) {
3298 ++ napi_gro_flush(napi, false);
3299 ++
3300 + if (napi->rx_count) {
3301 + netif_receive_skb_list(&napi->rx_list);
3302 + INIT_LIST_HEAD(&napi->rx_list);
3303 + napi->rx_count = 0;
3304 + }
3305 +-
3306 +- napi_gro_flush(napi, false);
3307 + }
3308 +
3309 + iwl_pcie_rxq_restock(trans, rxq);
3310 +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c
3311 +index 57edfada0665..c9401c121a14 100644
3312 +--- a/drivers/net/wireless/marvell/libertas/cfg.c
3313 ++++ b/drivers/net/wireless/marvell/libertas/cfg.c
3314 +@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int *nrates)
3315 + int hw, ap, ap_max = ie[1];
3316 + u8 hw_rate;
3317 +
3318 ++ if (ap_max > MAX_RATES) {
3319 ++ lbs_deb_assoc("invalid rates\n");
3320 ++ return tlv;
3321 ++ }
3322 + /* Advance past IE header */
3323 + ie += 2;
3324 +
3325 +@@ -1717,6 +1721,9 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
3326 + struct cmd_ds_802_11_ad_hoc_join cmd;
3327 + u8 preamble = RADIO_PREAMBLE_SHORT;
3328 + int ret = 0;
3329 ++ int hw, i;
3330 ++ u8 rates_max;
3331 ++ u8 *rates;
3332 +
3333 + /* TODO: set preamble based on scan result */
3334 + ret = lbs_set_radio(priv, preamble, 1);
3335 +@@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct lbs_private *priv,
3336 + if (!rates_eid) {
3337 + lbs_add_rates(cmd.bss.rates);
3338 + } else {
3339 +- int hw, i;
3340 +- u8 rates_max = rates_eid[1];
3341 +- u8 *rates = cmd.bss.rates;
3342 ++ rates_max = rates_eid[1];
3343 ++ if (rates_max > MAX_RATES) {
3344 ++ lbs_deb_join("invalid rates");
3345 ++ goto out;
3346 ++ }
3347 ++ rates = cmd.bss.rates;
3348 + for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
3349 + u8 hw_rate = lbs_rates[hw].bitrate / 5;
3350 + for (i = 0; i < rates_max; i++) {
3351 +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
3352 +index 308f744393eb..1593b8494ebb 100644
3353 +--- a/drivers/pci/quirks.c
3354 ++++ b/drivers/pci/quirks.c
3355 +@@ -5021,18 +5021,25 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0422, quirk_no_ext_tags);
3356 +
3357 + #ifdef CONFIG_PCI_ATS
3358 + /*
3359 +- * Some devices have a broken ATS implementation causing IOMMU stalls.
3360 +- * Don't use ATS for those devices.
3361 ++ * Some devices require additional driver setup to enable ATS. Don't use
3362 ++ * ATS for those devices as ATS will be enabled before the driver has had a
3363 ++ * chance to load and configure the device.
3364 + */
3365 +-static void quirk_no_ats(struct pci_dev *pdev)
3366 ++static void quirk_amd_harvest_no_ats(struct pci_dev *pdev)
3367 + {
3368 +- pci_info(pdev, "disabling ATS (broken on this device)\n");
3369 ++ if (pdev->device == 0x7340 && pdev->revision != 0xc5)
3370 ++ return;
3371 ++
3372 ++ pci_info(pdev, "disabling ATS\n");
3373 + pdev->ats_cap = 0;
3374 + }
3375 +
3376 + /* AMD Stoney platform GPU */
3377 +-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x98e4, quirk_no_ats);
3378 +-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x6900, quirk_no_ats);
3379 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x98e4, quirk_amd_harvest_no_ats);
3380 ++/* AMD Iceland dGPU */
3381 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x6900, quirk_amd_harvest_no_ats);
3382 ++/* AMD Navi14 dGPU */
3383 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7340, quirk_amd_harvest_no_ats);
3384 + #endif /* CONFIG_PCI_ATS */
3385 +
3386 + /* Freescale PCIe doesn't support MSI in RC mode */
3387 +diff --git a/drivers/pinctrl/intel/pinctrl-sunrisepoint.c b/drivers/pinctrl/intel/pinctrl-sunrisepoint.c
3388 +index 44d7f50bbc82..d936e7aa74c4 100644
3389 +--- a/drivers/pinctrl/intel/pinctrl-sunrisepoint.c
3390 ++++ b/drivers/pinctrl/intel/pinctrl-sunrisepoint.c
3391 +@@ -49,6 +49,7 @@
3392 + .padown_offset = SPT_PAD_OWN, \
3393 + .padcfglock_offset = SPT_PADCFGLOCK, \
3394 + .hostown_offset = SPT_HOSTSW_OWN, \
3395 ++ .is_offset = SPT_GPI_IS, \
3396 + .ie_offset = SPT_GPI_IE, \
3397 + .pin_base = (s), \
3398 + .npins = ((e) - (s) + 1), \
3399 +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
3400 +index f194ffc4699e..c070cb2a6a5b 100644
3401 +--- a/drivers/target/iscsi/iscsi_target.c
3402 ++++ b/drivers/target/iscsi/iscsi_target.c
3403 +@@ -4151,9 +4151,6 @@ int iscsit_close_connection(
3404 + iscsit_stop_nopin_response_timer(conn);
3405 + iscsit_stop_nopin_timer(conn);
3406 +
3407 +- if (conn->conn_transport->iscsit_wait_conn)
3408 +- conn->conn_transport->iscsit_wait_conn(conn);
3409 +-
3410 + /*
3411 + * During Connection recovery drop unacknowledged out of order
3412 + * commands for this connection, and prepare the other commands
3413 +@@ -4239,6 +4236,9 @@ int iscsit_close_connection(
3414 + target_sess_cmd_list_set_waiting(sess->se_sess);
3415 + target_wait_for_sess_cmds(sess->se_sess);
3416 +
3417 ++ if (conn->conn_transport->iscsit_wait_conn)
3418 ++ conn->conn_transport->iscsit_wait_conn(conn);
3419 ++
3420 + ahash_request_free(conn->conn_tx_hash);
3421 + if (conn->conn_rx_hash) {
3422 + struct crypto_ahash *tfm;
3423 +diff --git a/fs/afs/cell.c b/fs/afs/cell.c
3424 +index fd5133e26a38..78ba5f932287 100644
3425 +--- a/fs/afs/cell.c
3426 ++++ b/fs/afs/cell.c
3427 +@@ -134,8 +134,17 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
3428 + _leave(" = -ENAMETOOLONG");
3429 + return ERR_PTR(-ENAMETOOLONG);
3430 + }
3431 +- if (namelen == 5 && memcmp(name, "@cell", 5) == 0)
3432 ++
3433 ++ /* Prohibit cell names that contain unprintable chars, '/' and '@' or
3434 ++ * that begin with a dot. This also precludes "@cell".
3435 ++ */
3436 ++ if (name[0] == '.')
3437 + return ERR_PTR(-EINVAL);
3438 ++ for (i = 0; i < namelen; i++) {
3439 ++ char ch = name[i];
3440 ++ if (!isprint(ch) || ch == '/' || ch == '@')
3441 ++ return ERR_PTR(-EINVAL);
3442 ++ }
3443 +
3444 + _enter("%*.*s,%s", namelen, namelen, name, addresses);
3445 +
3446 +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
3447 +index a5163296d9d9..ee02a742fff5 100644
3448 +--- a/fs/ceph/mds_client.c
3449 ++++ b/fs/ceph/mds_client.c
3450 +@@ -708,8 +708,10 @@ void ceph_mdsc_release_request(struct kref *kref)
3451 + /* avoid calling iput_final() in mds dispatch threads */
3452 + ceph_async_iput(req->r_inode);
3453 + }
3454 +- if (req->r_parent)
3455 ++ if (req->r_parent) {
3456 + ceph_put_cap_refs(ceph_inode(req->r_parent), CEPH_CAP_PIN);
3457 ++ ceph_async_iput(req->r_parent);
3458 ++ }
3459 + ceph_async_iput(req->r_target_inode);
3460 + if (req->r_dentry)
3461 + dput(req->r_dentry);
3462 +@@ -2670,8 +2672,10 @@ int ceph_mdsc_submit_request(struct ceph_mds_client *mdsc, struct inode *dir,
3463 + /* take CAP_PIN refs for r_inode, r_parent, r_old_dentry */
3464 + if (req->r_inode)
3465 + ceph_get_cap_refs(ceph_inode(req->r_inode), CEPH_CAP_PIN);
3466 +- if (req->r_parent)
3467 ++ if (req->r_parent) {
3468 + ceph_get_cap_refs(ceph_inode(req->r_parent), CEPH_CAP_PIN);
3469 ++ ihold(req->r_parent);
3470 ++ }
3471 + if (req->r_old_dentry_dir)
3472 + ceph_get_cap_refs(ceph_inode(req->r_old_dentry_dir),
3473 + CEPH_CAP_PIN);
3474 +diff --git a/fs/io_uring.c b/fs/io_uring.c
3475 +index b1c9ad1fb9e1..709671faaed6 100644
3476 +--- a/fs/io_uring.c
3477 ++++ b/fs/io_uring.c
3478 +@@ -3716,12 +3716,6 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
3479 + wake_up(&ctx->sqo_wait);
3480 + submitted = to_submit;
3481 + } else if (to_submit) {
3482 +- if (current->mm != ctx->sqo_mm ||
3483 +- current_cred() != ctx->creds) {
3484 +- ret = -EPERM;
3485 +- goto out;
3486 +- }
3487 +-
3488 + to_submit = min(to_submit, ctx->sq_entries);
3489 +
3490 + mutex_lock(&ctx->uring_lock);
3491 +diff --git a/fs/namei.c b/fs/namei.c
3492 +index 671c3c1a3425..e81521c87f98 100644
3493 +--- a/fs/namei.c
3494 ++++ b/fs/namei.c
3495 +@@ -1001,7 +1001,8 @@ static int may_linkat(struct path *link)
3496 + * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
3497 + * should be allowed, or not, on files that already
3498 + * exist.
3499 +- * @dir: the sticky parent directory
3500 ++ * @dir_mode: mode bits of directory
3501 ++ * @dir_uid: owner of directory
3502 + * @inode: the inode of the file to open
3503 + *
3504 + * Block an O_CREAT open of a FIFO (or a regular file) when:
3505 +@@ -1017,18 +1018,18 @@ static int may_linkat(struct path *link)
3506 + *
3507 + * Returns 0 if the open is allowed, -ve on error.
3508 + */
3509 +-static int may_create_in_sticky(struct dentry * const dir,
3510 ++static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid,
3511 + struct inode * const inode)
3512 + {
3513 + if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
3514 + (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
3515 +- likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
3516 +- uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
3517 ++ likely(!(dir_mode & S_ISVTX)) ||
3518 ++ uid_eq(inode->i_uid, dir_uid) ||
3519 + uid_eq(current_fsuid(), inode->i_uid))
3520 + return 0;
3521 +
3522 +- if (likely(dir->d_inode->i_mode & 0002) ||
3523 +- (dir->d_inode->i_mode & 0020 &&
3524 ++ if (likely(dir_mode & 0002) ||
3525 ++ (dir_mode & 0020 &&
3526 + ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
3527 + (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
3528 + return -EACCES;
3529 +@@ -3248,6 +3249,8 @@ static int do_last(struct nameidata *nd,
3530 + struct file *file, const struct open_flags *op)
3531 + {
3532 + struct dentry *dir = nd->path.dentry;
3533 ++ kuid_t dir_uid = dir->d_inode->i_uid;
3534 ++ umode_t dir_mode = dir->d_inode->i_mode;
3535 + int open_flag = op->open_flag;
3536 + bool will_truncate = (open_flag & O_TRUNC) != 0;
3537 + bool got_write = false;
3538 +@@ -3383,7 +3386,7 @@ finish_open:
3539 + error = -EISDIR;
3540 + if (d_is_dir(nd->path.dentry))
3541 + goto out;
3542 +- error = may_create_in_sticky(dir,
3543 ++ error = may_create_in_sticky(dir_mode, dir_uid,
3544 + d_backing_inode(nd->path.dentry));
3545 + if (unlikely(error))
3546 + goto out;
3547 +diff --git a/fs/readdir.c b/fs/readdir.c
3548 +index d26d5ea4de7b..de2eceffdee8 100644
3549 +--- a/fs/readdir.c
3550 ++++ b/fs/readdir.c
3551 +@@ -102,10 +102,14 @@ EXPORT_SYMBOL(iterate_dir);
3552 + * filename length, and the above "soft error" worry means
3553 + * that it's probably better left alone until we have that
3554 + * issue clarified.
3555 ++ *
3556 ++ * Note the PATH_MAX check - it's arbitrary but the real
3557 ++ * kernel limit on a possible path component, not NAME_MAX,
3558 ++ * which is the technical standard limit.
3559 + */
3560 + static int verify_dirent_name(const char *name, int len)
3561 + {
3562 +- if (!len)
3563 ++ if (len <= 0 || len >= PATH_MAX)
3564 + return -EIO;
3565 + if (memchr(name, '/', len))
3566 + return -EIO;
3567 +@@ -206,7 +210,7 @@ struct linux_dirent {
3568 + struct getdents_callback {
3569 + struct dir_context ctx;
3570 + struct linux_dirent __user * current_dir;
3571 +- struct linux_dirent __user * previous;
3572 ++ int prev_reclen;
3573 + int count;
3574 + int error;
3575 + };
3576 +@@ -214,12 +218,13 @@ struct getdents_callback {
3577 + static int filldir(struct dir_context *ctx, const char *name, int namlen,
3578 + loff_t offset, u64 ino, unsigned int d_type)
3579 + {
3580 +- struct linux_dirent __user * dirent;
3581 ++ struct linux_dirent __user *dirent, *prev;
3582 + struct getdents_callback *buf =
3583 + container_of(ctx, struct getdents_callback, ctx);
3584 + unsigned long d_ino;
3585 + int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2,
3586 + sizeof(long));
3587 ++ int prev_reclen;
3588 +
3589 + buf->error = verify_dirent_name(name, namlen);
3590 + if (unlikely(buf->error))
3591 +@@ -232,28 +237,24 @@ static int filldir(struct dir_context *ctx, const char *name, int namlen,
3592 + buf->error = -EOVERFLOW;
3593 + return -EOVERFLOW;
3594 + }
3595 +- dirent = buf->previous;
3596 +- if (dirent && signal_pending(current))
3597 ++ prev_reclen = buf->prev_reclen;
3598 ++ if (prev_reclen && signal_pending(current))
3599 + return -EINTR;
3600 +-
3601 +- /*
3602 +- * Note! This range-checks 'previous' (which may be NULL).
3603 +- * The real range was checked in getdents
3604 +- */
3605 +- if (!user_access_begin(dirent, sizeof(*dirent)))
3606 +- goto efault;
3607 +- if (dirent)
3608 +- unsafe_put_user(offset, &dirent->d_off, efault_end);
3609 + dirent = buf->current_dir;
3610 ++ prev = (void __user *) dirent - prev_reclen;
3611 ++ if (!user_access_begin(prev, reclen + prev_reclen))
3612 ++ goto efault;
3613 ++
3614 ++ /* This might be 'dirent->d_off', but if so it will get overwritten */
3615 ++ unsafe_put_user(offset, &prev->d_off, efault_end);
3616 + unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
3617 + unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
3618 + unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
3619 + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
3620 + user_access_end();
3621 +
3622 +- buf->previous = dirent;
3623 +- dirent = (void __user *)dirent + reclen;
3624 +- buf->current_dir = dirent;
3625 ++ buf->current_dir = (void __user *)dirent + reclen;
3626 ++ buf->prev_reclen = reclen;
3627 + buf->count -= reclen;
3628 + return 0;
3629 + efault_end:
3630 +@@ -267,7 +268,6 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
3631 + struct linux_dirent __user *, dirent, unsigned int, count)
3632 + {
3633 + struct fd f;
3634 +- struct linux_dirent __user * lastdirent;
3635 + struct getdents_callback buf = {
3636 + .ctx.actor = filldir,
3637 + .count = count,
3638 +@@ -285,8 +285,10 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
3639 + error = iterate_dir(f.file, &buf.ctx);
3640 + if (error >= 0)
3641 + error = buf.error;
3642 +- lastdirent = buf.previous;
3643 +- if (lastdirent) {
3644 ++ if (buf.prev_reclen) {
3645 ++ struct linux_dirent __user * lastdirent;
3646 ++ lastdirent = (void __user *)buf.current_dir - buf.prev_reclen;
3647 ++
3648 + if (put_user(buf.ctx.pos, &lastdirent->d_off))
3649 + error = -EFAULT;
3650 + else
3651 +@@ -299,7 +301,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
3652 + struct getdents_callback64 {
3653 + struct dir_context ctx;
3654 + struct linux_dirent64 __user * current_dir;
3655 +- struct linux_dirent64 __user * previous;
3656 ++ int prev_reclen;
3657 + int count;
3658 + int error;
3659 + };
3660 +@@ -307,11 +309,12 @@ struct getdents_callback64 {
3661 + static int filldir64(struct dir_context *ctx, const char *name, int namlen,
3662 + loff_t offset, u64 ino, unsigned int d_type)
3663 + {
3664 +- struct linux_dirent64 __user *dirent;
3665 ++ struct linux_dirent64 __user *dirent, *prev;
3666 + struct getdents_callback64 *buf =
3667 + container_of(ctx, struct getdents_callback64, ctx);
3668 + int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1,
3669 + sizeof(u64));
3670 ++ int prev_reclen;
3671 +
3672 + buf->error = verify_dirent_name(name, namlen);
3673 + if (unlikely(buf->error))
3674 +@@ -319,30 +322,27 @@ static int filldir64(struct dir_context *ctx, const char *name, int namlen,
3675 + buf->error = -EINVAL; /* only used if we fail.. */
3676 + if (reclen > buf->count)
3677 + return -EINVAL;
3678 +- dirent = buf->previous;
3679 +- if (dirent && signal_pending(current))
3680 ++ prev_reclen = buf->prev_reclen;
3681 ++ if (prev_reclen && signal_pending(current))
3682 + return -EINTR;
3683 +-
3684 +- /*
3685 +- * Note! This range-checks 'previous' (which may be NULL).
3686 +- * The real range was checked in getdents
3687 +- */
3688 +- if (!user_access_begin(dirent, sizeof(*dirent)))
3689 +- goto efault;
3690 +- if (dirent)
3691 +- unsafe_put_user(offset, &dirent->d_off, efault_end);
3692 + dirent = buf->current_dir;
3693 ++ prev = (void __user *)dirent - prev_reclen;
3694 ++ if (!user_access_begin(prev, reclen + prev_reclen))
3695 ++ goto efault;
3696 ++
3697 ++ /* This might be 'dirent->d_off', but if so it will get overwritten */
3698 ++ unsafe_put_user(offset, &prev->d_off, efault_end);
3699 + unsafe_put_user(ino, &dirent->d_ino, efault_end);
3700 + unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
3701 + unsafe_put_user(d_type, &dirent->d_type, efault_end);
3702 + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
3703 + user_access_end();
3704 +
3705 +- buf->previous = dirent;
3706 +- dirent = (void __user *)dirent + reclen;
3707 +- buf->current_dir = dirent;
3708 ++ buf->prev_reclen = reclen;
3709 ++ buf->current_dir = (void __user *)dirent + reclen;
3710 + buf->count -= reclen;
3711 + return 0;
3712 ++
3713 + efault_end:
3714 + user_access_end();
3715 + efault:
3716 +@@ -354,7 +354,6 @@ int ksys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent,
3717 + unsigned int count)
3718 + {
3719 + struct fd f;
3720 +- struct linux_dirent64 __user * lastdirent;
3721 + struct getdents_callback64 buf = {
3722 + .ctx.actor = filldir64,
3723 + .count = count,
3724 +@@ -372,9 +371,11 @@ int ksys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent,
3725 + error = iterate_dir(f.file, &buf.ctx);
3726 + if (error >= 0)
3727 + error = buf.error;
3728 +- lastdirent = buf.previous;
3729 +- if (lastdirent) {
3730 ++ if (buf.prev_reclen) {
3731 ++ struct linux_dirent64 __user * lastdirent;
3732 + typeof(lastdirent->d_off) d_off = buf.ctx.pos;
3733 ++
3734 ++ lastdirent = (void __user *) buf.current_dir - buf.prev_reclen;
3735 + if (__put_user(d_off, &lastdirent->d_off))
3736 + error = -EFAULT;
3737 + else
3738 +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
3739 +index 13f09706033a..f8fde9fa479c 100644
3740 +--- a/include/linux/netdevice.h
3741 ++++ b/include/linux/netdevice.h
3742 +@@ -3666,6 +3666,8 @@ int dev_set_alias(struct net_device *, const char *, size_t);
3743 + int dev_get_alias(const struct net_device *, char *, size_t);
3744 + int dev_change_net_namespace(struct net_device *, struct net *, const char *);
3745 + int __dev_set_mtu(struct net_device *, int);
3746 ++int dev_validate_mtu(struct net_device *dev, int mtu,
3747 ++ struct netlink_ext_ack *extack);
3748 + int dev_set_mtu_ext(struct net_device *dev, int mtu,
3749 + struct netlink_ext_ack *extack);
3750 + int dev_set_mtu(struct net_device *, int);
3751 +diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
3752 +index 9bc255a8461b..77336f4c4b1c 100644
3753 +--- a/include/linux/netfilter/ipset/ip_set.h
3754 ++++ b/include/linux/netfilter/ipset/ip_set.h
3755 +@@ -445,13 +445,6 @@ ip6addrptr(const struct sk_buff *skb, bool src, struct in6_addr *addr)
3756 + sizeof(*addr));
3757 + }
3758 +
3759 +-/* Calculate the bytes required to store the inclusive range of a-b */
3760 +-static inline int
3761 +-bitmap_bytes(u32 a, u32 b)
3762 +-{
3763 +- return 4 * ((((b - a + 8) / 8) + 3) / 4);
3764 +-}
3765 +-
3766 + /* How often should the gc be run by default */
3767 + #define IPSET_GC_TIME (3 * 60)
3768 +
3769 +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
3770 +index cf09ab37b45b..851425c3178f 100644
3771 +--- a/include/linux/netfilter/nfnetlink.h
3772 ++++ b/include/linux/netfilter/nfnetlink.h
3773 +@@ -31,7 +31,7 @@ struct nfnetlink_subsystem {
3774 + const struct nfnl_callback *cb; /* callback for individual types */
3775 + struct module *owner;
3776 + int (*commit)(struct net *net, struct sk_buff *skb);
3777 +- int (*abort)(struct net *net, struct sk_buff *skb);
3778 ++ int (*abort)(struct net *net, struct sk_buff *skb, bool autoload);
3779 + void (*cleanup)(struct net *net);
3780 + bool (*valid_genid)(struct net *net, u32 genid);
3781 + };
3782 +diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h
3783 +index 286fd960896f..a1a8d45adb42 100644
3784 +--- a/include/net/netns/nftables.h
3785 ++++ b/include/net/netns/nftables.h
3786 +@@ -7,6 +7,7 @@
3787 + struct netns_nftables {
3788 + struct list_head tables;
3789 + struct list_head commit_list;
3790 ++ struct list_head module_list;
3791 + struct mutex commit_mutex;
3792 + unsigned int base_seq;
3793 + u8 gencursor;
3794 +diff --git a/include/trace/events/xen.h b/include/trace/events/xen.h
3795 +index 9a0e8af21310..a5ccfa67bc5c 100644
3796 +--- a/include/trace/events/xen.h
3797 ++++ b/include/trace/events/xen.h
3798 +@@ -66,7 +66,11 @@ TRACE_EVENT(xen_mc_callback,
3799 + TP_PROTO(xen_mc_callback_fn_t fn, void *data),
3800 + TP_ARGS(fn, data),
3801 + TP_STRUCT__entry(
3802 +- __field(xen_mc_callback_fn_t, fn)
3803 ++ /*
3804 ++ * Use field_struct to avoid is_signed_type()
3805 ++ * comparison of a function pointer.
3806 ++ */
3807 ++ __field_struct(xen_mc_callback_fn_t, fn)
3808 + __field(void *, data)
3809 + ),
3810 + TP_fast_assign(
3811 +diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
3812 +index 26b9168321e7..d65f2d5ab694 100644
3813 +--- a/kernel/power/snapshot.c
3814 ++++ b/kernel/power/snapshot.c
3815 +@@ -1147,24 +1147,24 @@ void free_basic_memory_bitmaps(void)
3816 +
3817 + void clear_free_pages(void)
3818 + {
3819 +-#ifdef CONFIG_PAGE_POISONING_ZERO
3820 + struct memory_bitmap *bm = free_pages_map;
3821 + unsigned long pfn;
3822 +
3823 + if (WARN_ON(!(free_pages_map)))
3824 + return;
3825 +
3826 +- memory_bm_position_reset(bm);
3827 +- pfn = memory_bm_next_pfn(bm);
3828 +- while (pfn != BM_END_OF_MAP) {
3829 +- if (pfn_valid(pfn))
3830 +- clear_highpage(pfn_to_page(pfn));
3831 +-
3832 ++ if (IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) || want_init_on_free()) {
3833 ++ memory_bm_position_reset(bm);
3834 + pfn = memory_bm_next_pfn(bm);
3835 ++ while (pfn != BM_END_OF_MAP) {
3836 ++ if (pfn_valid(pfn))
3837 ++ clear_highpage(pfn_to_page(pfn));
3838 ++
3839 ++ pfn = memory_bm_next_pfn(bm);
3840 ++ }
3841 ++ memory_bm_position_reset(bm);
3842 ++ pr_info("free pages cleared after restore\n");
3843 + }
3844 +- memory_bm_position_reset(bm);
3845 +- pr_info("free pages cleared after restore\n");
3846 +-#endif /* PAGE_POISONING_ZERO */
3847 + }
3848 +
3849 + /**
3850 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
3851 +index bcb72f102613..341aab32c946 100644
3852 +--- a/kernel/trace/trace.c
3853 ++++ b/kernel/trace/trace.c
3854 +@@ -9270,6 +9270,11 @@ __init static int tracing_set_default_clock(void)
3855 + {
3856 + /* sched_clock_stable() is determined in late_initcall */
3857 + if (!trace_boot_clock && !sched_clock_stable()) {
3858 ++ if (security_locked_down(LOCKDOWN_TRACEFS)) {
3859 ++ pr_warn("Can not set tracing clock due to lockdown\n");
3860 ++ return -EPERM;
3861 ++ }
3862 ++
3863 + printk(KERN_WARNING
3864 + "Unstable clock detected, switching default tracing clock to \"global\"\n"
3865 + "If you want to keep using the local clock, then add:\n"
3866 +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
3867 +index c2783915600c..205692181e7b 100644
3868 +--- a/kernel/trace/trace_events_hist.c
3869 ++++ b/kernel/trace/trace_events_hist.c
3870 +@@ -116,6 +116,7 @@ struct hist_field {
3871 + struct ftrace_event_field *field;
3872 + unsigned long flags;
3873 + hist_field_fn_t fn;
3874 ++ unsigned int ref;
3875 + unsigned int size;
3876 + unsigned int offset;
3877 + unsigned int is_signed;
3878 +@@ -1766,11 +1767,13 @@ static struct hist_field *find_var(struct hist_trigger_data *hist_data,
3879 + struct event_trigger_data *test;
3880 + struct hist_field *hist_field;
3881 +
3882 ++ lockdep_assert_held(&event_mutex);
3883 ++
3884 + hist_field = find_var_field(hist_data, var_name);
3885 + if (hist_field)
3886 + return hist_field;
3887 +
3888 +- list_for_each_entry_rcu(test, &file->triggers, list) {
3889 ++ list_for_each_entry(test, &file->triggers, list) {
3890 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
3891 + test_data = test->private_data;
3892 + hist_field = find_var_field(test_data, var_name);
3893 +@@ -1820,7 +1823,9 @@ static struct hist_field *find_file_var(struct trace_event_file *file,
3894 + struct event_trigger_data *test;
3895 + struct hist_field *hist_field;
3896 +
3897 +- list_for_each_entry_rcu(test, &file->triggers, list) {
3898 ++ lockdep_assert_held(&event_mutex);
3899 ++
3900 ++ list_for_each_entry(test, &file->triggers, list) {
3901 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
3902 + test_data = test->private_data;
3903 + hist_field = find_var_field(test_data, var_name);
3904 +@@ -2423,8 +2428,16 @@ static int contains_operator(char *str)
3905 + return field_op;
3906 + }
3907 +
3908 ++static void get_hist_field(struct hist_field *hist_field)
3909 ++{
3910 ++ hist_field->ref++;
3911 ++}
3912 ++
3913 + static void __destroy_hist_field(struct hist_field *hist_field)
3914 + {
3915 ++ if (--hist_field->ref > 1)
3916 ++ return;
3917 ++
3918 + kfree(hist_field->var.name);
3919 + kfree(hist_field->name);
3920 + kfree(hist_field->type);
3921 +@@ -2466,6 +2479,8 @@ static struct hist_field *create_hist_field(struct hist_trigger_data *hist_data,
3922 + if (!hist_field)
3923 + return NULL;
3924 +
3925 ++ hist_field->ref = 1;
3926 ++
3927 + hist_field->hist_data = hist_data;
3928 +
3929 + if (flags & HIST_FIELD_FL_EXPR || flags & HIST_FIELD_FL_ALIAS)
3930 +@@ -2661,6 +2676,17 @@ static struct hist_field *create_var_ref(struct hist_trigger_data *hist_data,
3931 + {
3932 + unsigned long flags = HIST_FIELD_FL_VAR_REF;
3933 + struct hist_field *ref_field;
3934 ++ int i;
3935 ++
3936 ++ /* Check if the variable already exists */
3937 ++ for (i = 0; i < hist_data->n_var_refs; i++) {
3938 ++ ref_field = hist_data->var_refs[i];
3939 ++ if (ref_field->var.idx == var_field->var.idx &&
3940 ++ ref_field->var.hist_data == var_field->hist_data) {
3941 ++ get_hist_field(ref_field);
3942 ++ return ref_field;
3943 ++ }
3944 ++ }
3945 +
3946 + ref_field = create_hist_field(var_field->hist_data, NULL, flags, NULL);
3947 + if (ref_field) {
3948 +@@ -3115,7 +3141,9 @@ static char *find_trigger_filter(struct hist_trigger_data *hist_data,
3949 + {
3950 + struct event_trigger_data *test;
3951 +
3952 +- list_for_each_entry_rcu(test, &file->triggers, list) {
3953 ++ lockdep_assert_held(&event_mutex);
3954 ++
3955 ++ list_for_each_entry(test, &file->triggers, list) {
3956 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
3957 + if (test->private_data == hist_data)
3958 + return test->filter_str;
3959 +@@ -3166,9 +3194,11 @@ find_compatible_hist(struct hist_trigger_data *target_hist_data,
3960 + struct event_trigger_data *test;
3961 + unsigned int n_keys;
3962 +
3963 ++ lockdep_assert_held(&event_mutex);
3964 ++
3965 + n_keys = target_hist_data->n_fields - target_hist_data->n_vals;
3966 +
3967 +- list_for_each_entry_rcu(test, &file->triggers, list) {
3968 ++ list_for_each_entry(test, &file->triggers, list) {
3969 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
3970 + hist_data = test->private_data;
3971 +
3972 +@@ -5528,7 +5558,7 @@ static int hist_show(struct seq_file *m, void *v)
3973 + goto out_unlock;
3974 + }
3975 +
3976 +- list_for_each_entry_rcu(data, &event_file->triggers, list) {
3977 ++ list_for_each_entry(data, &event_file->triggers, list) {
3978 + if (data->cmd_ops->trigger_type == ETT_EVENT_HIST)
3979 + hist_trigger_show(m, data, n++);
3980 + }
3981 +@@ -5921,7 +5951,9 @@ static int hist_register_trigger(char *glob, struct event_trigger_ops *ops,
3982 + if (hist_data->attrs->name && !named_data)
3983 + goto new;
3984 +
3985 +- list_for_each_entry_rcu(test, &file->triggers, list) {
3986 ++ lockdep_assert_held(&event_mutex);
3987 ++
3988 ++ list_for_each_entry(test, &file->triggers, list) {
3989 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
3990 + if (!hist_trigger_match(data, test, named_data, false))
3991 + continue;
3992 +@@ -6005,10 +6037,12 @@ static bool have_hist_trigger_match(struct event_trigger_data *data,
3993 + struct event_trigger_data *test, *named_data = NULL;
3994 + bool match = false;
3995 +
3996 ++ lockdep_assert_held(&event_mutex);
3997 ++
3998 + if (hist_data->attrs->name)
3999 + named_data = find_named_trigger(hist_data->attrs->name);
4000 +
4001 +- list_for_each_entry_rcu(test, &file->triggers, list) {
4002 ++ list_for_each_entry(test, &file->triggers, list) {
4003 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
4004 + if (hist_trigger_match(data, test, named_data, false)) {
4005 + match = true;
4006 +@@ -6026,10 +6060,12 @@ static bool hist_trigger_check_refs(struct event_trigger_data *data,
4007 + struct hist_trigger_data *hist_data = data->private_data;
4008 + struct event_trigger_data *test, *named_data = NULL;
4009 +
4010 ++ lockdep_assert_held(&event_mutex);
4011 ++
4012 + if (hist_data->attrs->name)
4013 + named_data = find_named_trigger(hist_data->attrs->name);
4014 +
4015 +- list_for_each_entry_rcu(test, &file->triggers, list) {
4016 ++ list_for_each_entry(test, &file->triggers, list) {
4017 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
4018 + if (!hist_trigger_match(data, test, named_data, false))
4019 + continue;
4020 +@@ -6051,10 +6087,12 @@ static void hist_unregister_trigger(char *glob, struct event_trigger_ops *ops,
4021 + struct event_trigger_data *test, *named_data = NULL;
4022 + bool unregistered = false;
4023 +
4024 ++ lockdep_assert_held(&event_mutex);
4025 ++
4026 + if (hist_data->attrs->name)
4027 + named_data = find_named_trigger(hist_data->attrs->name);
4028 +
4029 +- list_for_each_entry_rcu(test, &file->triggers, list) {
4030 ++ list_for_each_entry(test, &file->triggers, list) {
4031 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
4032 + if (!hist_trigger_match(data, test, named_data, false))
4033 + continue;
4034 +@@ -6080,7 +6118,9 @@ static bool hist_file_check_refs(struct trace_event_file *file)
4035 + struct hist_trigger_data *hist_data;
4036 + struct event_trigger_data *test;
4037 +
4038 +- list_for_each_entry_rcu(test, &file->triggers, list) {
4039 ++ lockdep_assert_held(&event_mutex);
4040 ++
4041 ++ list_for_each_entry(test, &file->triggers, list) {
4042 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
4043 + hist_data = test->private_data;
4044 + if (check_var_refs(hist_data))
4045 +@@ -6323,7 +6363,8 @@ hist_enable_trigger(struct event_trigger_data *data, void *rec,
4046 + struct enable_trigger_data *enable_data = data->private_data;
4047 + struct event_trigger_data *test;
4048 +
4049 +- list_for_each_entry_rcu(test, &enable_data->file->triggers, list) {
4050 ++ list_for_each_entry_rcu(test, &enable_data->file->triggers, list,
4051 ++ lockdep_is_held(&event_mutex)) {
4052 + if (test->cmd_ops->trigger_type == ETT_EVENT_HIST) {
4053 + if (enable_data->enable)
4054 + test->paused = false;
4055 +diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
4056 +index 2cd53ca21b51..40106fff06a4 100644
4057 +--- a/kernel/trace/trace_events_trigger.c
4058 ++++ b/kernel/trace/trace_events_trigger.c
4059 +@@ -501,7 +501,9 @@ void update_cond_flag(struct trace_event_file *file)
4060 + struct event_trigger_data *data;
4061 + bool set_cond = false;
4062 +
4063 +- list_for_each_entry_rcu(data, &file->triggers, list) {
4064 ++ lockdep_assert_held(&event_mutex);
4065 ++
4066 ++ list_for_each_entry(data, &file->triggers, list) {
4067 + if (data->filter || event_command_post_trigger(data->cmd_ops) ||
4068 + event_command_needs_rec(data->cmd_ops)) {
4069 + set_cond = true;
4070 +@@ -536,7 +538,9 @@ static int register_trigger(char *glob, struct event_trigger_ops *ops,
4071 + struct event_trigger_data *test;
4072 + int ret = 0;
4073 +
4074 +- list_for_each_entry_rcu(test, &file->triggers, list) {
4075 ++ lockdep_assert_held(&event_mutex);
4076 ++
4077 ++ list_for_each_entry(test, &file->triggers, list) {
4078 + if (test->cmd_ops->trigger_type == data->cmd_ops->trigger_type) {
4079 + ret = -EEXIST;
4080 + goto out;
4081 +@@ -581,7 +585,9 @@ static void unregister_trigger(char *glob, struct event_trigger_ops *ops,
4082 + struct event_trigger_data *data;
4083 + bool unregistered = false;
4084 +
4085 +- list_for_each_entry_rcu(data, &file->triggers, list) {
4086 ++ lockdep_assert_held(&event_mutex);
4087 ++
4088 ++ list_for_each_entry(data, &file->triggers, list) {
4089 + if (data->cmd_ops->trigger_type == test->cmd_ops->trigger_type) {
4090 + unregistered = true;
4091 + list_del_rcu(&data->list);
4092 +@@ -1497,7 +1503,9 @@ int event_enable_register_trigger(char *glob,
4093 + struct event_trigger_data *test;
4094 + int ret = 0;
4095 +
4096 +- list_for_each_entry_rcu(test, &file->triggers, list) {
4097 ++ lockdep_assert_held(&event_mutex);
4098 ++
4099 ++ list_for_each_entry(test, &file->triggers, list) {
4100 + test_enable_data = test->private_data;
4101 + if (test_enable_data &&
4102 + (test->cmd_ops->trigger_type ==
4103 +@@ -1537,7 +1545,9 @@ void event_enable_unregister_trigger(char *glob,
4104 + struct event_trigger_data *data;
4105 + bool unregistered = false;
4106 +
4107 +- list_for_each_entry_rcu(data, &file->triggers, list) {
4108 ++ lockdep_assert_held(&event_mutex);
4109 ++
4110 ++ list_for_each_entry(data, &file->triggers, list) {
4111 + enable_data = data->private_data;
4112 + if (enable_data &&
4113 + (data->cmd_ops->trigger_type ==
4114 +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
4115 +index 7f890262c8a3..3e5f9c7d939c 100644
4116 +--- a/kernel/trace/trace_kprobe.c
4117 ++++ b/kernel/trace/trace_kprobe.c
4118 +@@ -290,7 +290,7 @@ static struct trace_kprobe *alloc_trace_kprobe(const char *group,
4119 + INIT_HLIST_NODE(&tk->rp.kp.hlist);
4120 + INIT_LIST_HEAD(&tk->rp.kp.list);
4121 +
4122 +- ret = trace_probe_init(&tk->tp, event, group);
4123 ++ ret = trace_probe_init(&tk->tp, event, group, 0);
4124 + if (ret < 0)
4125 + goto error;
4126 +
4127 +diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
4128 +index 905b10af5d5c..bba18cf44a30 100644
4129 +--- a/kernel/trace/trace_probe.c
4130 ++++ b/kernel/trace/trace_probe.c
4131 +@@ -984,7 +984,7 @@ void trace_probe_cleanup(struct trace_probe *tp)
4132 + }
4133 +
4134 + int trace_probe_init(struct trace_probe *tp, const char *event,
4135 +- const char *group)
4136 ++ const char *group, size_t event_data_size)
4137 + {
4138 + struct trace_event_call *call;
4139 + int ret = 0;
4140 +@@ -992,7 +992,8 @@ int trace_probe_init(struct trace_probe *tp, const char *event,
4141 + if (!event || !group)
4142 + return -EINVAL;
4143 +
4144 +- tp->event = kzalloc(sizeof(struct trace_probe_event), GFP_KERNEL);
4145 ++ tp->event = kzalloc(sizeof(struct trace_probe_event) + event_data_size,
4146 ++ GFP_KERNEL);
4147 + if (!tp->event)
4148 + return -ENOMEM;
4149 +
4150 +diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h
4151 +index 4ee703728aec..03e4e180058d 100644
4152 +--- a/kernel/trace/trace_probe.h
4153 ++++ b/kernel/trace/trace_probe.h
4154 +@@ -230,6 +230,7 @@ struct trace_probe_event {
4155 + struct trace_event_call call;
4156 + struct list_head files;
4157 + struct list_head probes;
4158 ++ char data[0];
4159 + };
4160 +
4161 + struct trace_probe {
4162 +@@ -322,7 +323,7 @@ static inline bool trace_probe_has_single_file(struct trace_probe *tp)
4163 + }
4164 +
4165 + int trace_probe_init(struct trace_probe *tp, const char *event,
4166 +- const char *group);
4167 ++ const char *group, size_t event_data_size);
4168 + void trace_probe_cleanup(struct trace_probe *tp);
4169 + int trace_probe_append(struct trace_probe *tp, struct trace_probe *to);
4170 + void trace_probe_unlink(struct trace_probe *tp);
4171 +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
4172 +index 352073d36585..f66e202fec13 100644
4173 +--- a/kernel/trace/trace_uprobe.c
4174 ++++ b/kernel/trace/trace_uprobe.c
4175 +@@ -60,7 +60,6 @@ static struct dyn_event_operations trace_uprobe_ops = {
4176 + */
4177 + struct trace_uprobe {
4178 + struct dyn_event devent;
4179 +- struct trace_uprobe_filter filter;
4180 + struct uprobe_consumer consumer;
4181 + struct path path;
4182 + struct inode *inode;
4183 +@@ -264,6 +263,14 @@ process_fetch_insn(struct fetch_insn *code, struct pt_regs *regs, void *dest,
4184 + }
4185 + NOKPROBE_SYMBOL(process_fetch_insn)
4186 +
4187 ++static struct trace_uprobe_filter *
4188 ++trace_uprobe_get_filter(struct trace_uprobe *tu)
4189 ++{
4190 ++ struct trace_probe_event *event = tu->tp.event;
4191 ++
4192 ++ return (struct trace_uprobe_filter *)&event->data[0];
4193 ++}
4194 ++
4195 + static inline void init_trace_uprobe_filter(struct trace_uprobe_filter *filter)
4196 + {
4197 + rwlock_init(&filter->rwlock);
4198 +@@ -351,7 +358,8 @@ alloc_trace_uprobe(const char *group, const char *event, int nargs, bool is_ret)
4199 + if (!tu)
4200 + return ERR_PTR(-ENOMEM);
4201 +
4202 +- ret = trace_probe_init(&tu->tp, event, group);
4203 ++ ret = trace_probe_init(&tu->tp, event, group,
4204 ++ sizeof(struct trace_uprobe_filter));
4205 + if (ret < 0)
4206 + goto error;
4207 +
4208 +@@ -359,7 +367,7 @@ alloc_trace_uprobe(const char *group, const char *event, int nargs, bool is_ret)
4209 + tu->consumer.handler = uprobe_dispatcher;
4210 + if (is_ret)
4211 + tu->consumer.ret_handler = uretprobe_dispatcher;
4212 +- init_trace_uprobe_filter(&tu->filter);
4213 ++ init_trace_uprobe_filter(trace_uprobe_get_filter(tu));
4214 + return tu;
4215 +
4216 + error:
4217 +@@ -1067,13 +1075,14 @@ static void __probe_event_disable(struct trace_probe *tp)
4218 + struct trace_probe *pos;
4219 + struct trace_uprobe *tu;
4220 +
4221 ++ tu = container_of(tp, struct trace_uprobe, tp);
4222 ++ WARN_ON(!uprobe_filter_is_empty(trace_uprobe_get_filter(tu)));
4223 ++
4224 + list_for_each_entry(pos, trace_probe_probe_list(tp), list) {
4225 + tu = container_of(pos, struct trace_uprobe, tp);
4226 + if (!tu->inode)
4227 + continue;
4228 +
4229 +- WARN_ON(!uprobe_filter_is_empty(&tu->filter));
4230 +-
4231 + uprobe_unregister(tu->inode, tu->offset, &tu->consumer);
4232 + tu->inode = NULL;
4233 + }
4234 +@@ -1108,7 +1117,7 @@ static int probe_event_enable(struct trace_event_call *call,
4235 + }
4236 +
4237 + tu = container_of(tp, struct trace_uprobe, tp);
4238 +- WARN_ON(!uprobe_filter_is_empty(&tu->filter));
4239 ++ WARN_ON(!uprobe_filter_is_empty(trace_uprobe_get_filter(tu)));
4240 +
4241 + if (enabled)
4242 + return 0;
4243 +@@ -1205,39 +1214,39 @@ __uprobe_perf_filter(struct trace_uprobe_filter *filter, struct mm_struct *mm)
4244 + }
4245 +
4246 + static inline bool
4247 +-uprobe_filter_event(struct trace_uprobe *tu, struct perf_event *event)
4248 ++trace_uprobe_filter_event(struct trace_uprobe_filter *filter,
4249 ++ struct perf_event *event)
4250 + {
4251 +- return __uprobe_perf_filter(&tu->filter, event->hw.target->mm);
4252 ++ return __uprobe_perf_filter(filter, event->hw.target->mm);
4253 + }
4254 +
4255 +-static int uprobe_perf_close(struct trace_uprobe *tu, struct perf_event *event)
4256 ++static bool trace_uprobe_filter_remove(struct trace_uprobe_filter *filter,
4257 ++ struct perf_event *event)
4258 + {
4259 + bool done;
4260 +
4261 +- write_lock(&tu->filter.rwlock);
4262 ++ write_lock(&filter->rwlock);
4263 + if (event->hw.target) {
4264 + list_del(&event->hw.tp_list);
4265 +- done = tu->filter.nr_systemwide ||
4266 ++ done = filter->nr_systemwide ||
4267 + (event->hw.target->flags & PF_EXITING) ||
4268 +- uprobe_filter_event(tu, event);
4269 ++ trace_uprobe_filter_event(filter, event);
4270 + } else {
4271 +- tu->filter.nr_systemwide--;
4272 +- done = tu->filter.nr_systemwide;
4273 ++ filter->nr_systemwide--;
4274 ++ done = filter->nr_systemwide;
4275 + }
4276 +- write_unlock(&tu->filter.rwlock);
4277 +-
4278 +- if (!done)
4279 +- return uprobe_apply(tu->inode, tu->offset, &tu->consumer, false);
4280 ++ write_unlock(&filter->rwlock);
4281 +
4282 +- return 0;
4283 ++ return done;
4284 + }
4285 +
4286 +-static int uprobe_perf_open(struct trace_uprobe *tu, struct perf_event *event)
4287 ++/* This returns true if the filter always covers target mm */
4288 ++static bool trace_uprobe_filter_add(struct trace_uprobe_filter *filter,
4289 ++ struct perf_event *event)
4290 + {
4291 + bool done;
4292 +- int err;
4293 +
4294 +- write_lock(&tu->filter.rwlock);
4295 ++ write_lock(&filter->rwlock);
4296 + if (event->hw.target) {
4297 + /*
4298 + * event->parent != NULL means copy_process(), we can avoid
4299 +@@ -1247,28 +1256,21 @@ static int uprobe_perf_open(struct trace_uprobe *tu, struct perf_event *event)
4300 + * attr.enable_on_exec means that exec/mmap will install the
4301 + * breakpoints we need.
4302 + */
4303 +- done = tu->filter.nr_systemwide ||
4304 ++ done = filter->nr_systemwide ||
4305 + event->parent || event->attr.enable_on_exec ||
4306 +- uprobe_filter_event(tu, event);
4307 +- list_add(&event->hw.tp_list, &tu->filter.perf_events);
4308 ++ trace_uprobe_filter_event(filter, event);
4309 ++ list_add(&event->hw.tp_list, &filter->perf_events);
4310 + } else {
4311 +- done = tu->filter.nr_systemwide;
4312 +- tu->filter.nr_systemwide++;
4313 ++ done = filter->nr_systemwide;
4314 ++ filter->nr_systemwide++;
4315 + }
4316 +- write_unlock(&tu->filter.rwlock);
4317 ++ write_unlock(&filter->rwlock);
4318 +
4319 +- err = 0;
4320 +- if (!done) {
4321 +- err = uprobe_apply(tu->inode, tu->offset, &tu->consumer, true);
4322 +- if (err)
4323 +- uprobe_perf_close(tu, event);
4324 +- }
4325 +- return err;
4326 ++ return done;
4327 + }
4328 +
4329 +-static int uprobe_perf_multi_call(struct trace_event_call *call,
4330 +- struct perf_event *event,
4331 +- int (*op)(struct trace_uprobe *tu, struct perf_event *event))
4332 ++static int uprobe_perf_close(struct trace_event_call *call,
4333 ++ struct perf_event *event)
4334 + {
4335 + struct trace_probe *pos, *tp;
4336 + struct trace_uprobe *tu;
4337 +@@ -1278,25 +1280,59 @@ static int uprobe_perf_multi_call(struct trace_event_call *call,
4338 + if (WARN_ON_ONCE(!tp))
4339 + return -ENODEV;
4340 +
4341 ++ tu = container_of(tp, struct trace_uprobe, tp);
4342 ++ if (trace_uprobe_filter_remove(trace_uprobe_get_filter(tu), event))
4343 ++ return 0;
4344 ++
4345 + list_for_each_entry(pos, trace_probe_probe_list(tp), list) {
4346 + tu = container_of(pos, struct trace_uprobe, tp);
4347 +- ret = op(tu, event);
4348 ++ ret = uprobe_apply(tu->inode, tu->offset, &tu->consumer, false);
4349 + if (ret)
4350 + break;
4351 + }
4352 +
4353 + return ret;
4354 + }
4355 ++
4356 ++static int uprobe_perf_open(struct trace_event_call *call,
4357 ++ struct perf_event *event)
4358 ++{
4359 ++ struct trace_probe *pos, *tp;
4360 ++ struct trace_uprobe *tu;
4361 ++ int err = 0;
4362 ++
4363 ++ tp = trace_probe_primary_from_call(call);
4364 ++ if (WARN_ON_ONCE(!tp))
4365 ++ return -ENODEV;
4366 ++
4367 ++ tu = container_of(tp, struct trace_uprobe, tp);
4368 ++ if (trace_uprobe_filter_add(trace_uprobe_get_filter(tu), event))
4369 ++ return 0;
4370 ++
4371 ++ list_for_each_entry(pos, trace_probe_probe_list(tp), list) {
4372 ++ err = uprobe_apply(tu->inode, tu->offset, &tu->consumer, true);
4373 ++ if (err) {
4374 ++ uprobe_perf_close(call, event);
4375 ++ break;
4376 ++ }
4377 ++ }
4378 ++
4379 ++ return err;
4380 ++}
4381 ++
4382 + static bool uprobe_perf_filter(struct uprobe_consumer *uc,
4383 + enum uprobe_filter_ctx ctx, struct mm_struct *mm)
4384 + {
4385 ++ struct trace_uprobe_filter *filter;
4386 + struct trace_uprobe *tu;
4387 + int ret;
4388 +
4389 + tu = container_of(uc, struct trace_uprobe, consumer);
4390 +- read_lock(&tu->filter.rwlock);
4391 +- ret = __uprobe_perf_filter(&tu->filter, mm);
4392 +- read_unlock(&tu->filter.rwlock);
4393 ++ filter = trace_uprobe_get_filter(tu);
4394 ++
4395 ++ read_lock(&filter->rwlock);
4396 ++ ret = __uprobe_perf_filter(filter, mm);
4397 ++ read_unlock(&filter->rwlock);
4398 +
4399 + return ret;
4400 + }
4401 +@@ -1419,10 +1455,10 @@ trace_uprobe_register(struct trace_event_call *event, enum trace_reg type,
4402 + return 0;
4403 +
4404 + case TRACE_REG_PERF_OPEN:
4405 +- return uprobe_perf_multi_call(event, data, uprobe_perf_open);
4406 ++ return uprobe_perf_open(event, data);
4407 +
4408 + case TRACE_REG_PERF_CLOSE:
4409 +- return uprobe_perf_multi_call(event, data, uprobe_perf_close);
4410 ++ return uprobe_perf_close(event, data);
4411 +
4412 + #endif
4413 + default:
4414 +diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
4415 +index dccb95af6003..706020b06617 100644
4416 +--- a/lib/strncpy_from_user.c
4417 ++++ b/lib/strncpy_from_user.c
4418 +@@ -30,13 +30,6 @@ static inline long do_strncpy_from_user(char *dst, const char __user *src,
4419 + const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
4420 + unsigned long res = 0;
4421 +
4422 +- /*
4423 +- * Truncate 'max' to the user-specified limit, so that
4424 +- * we only have one limit we need to check in the loop
4425 +- */
4426 +- if (max > count)
4427 +- max = count;
4428 +-
4429 + if (IS_UNALIGNED(src, dst))
4430 + goto byte_at_a_time;
4431 +
4432 +@@ -114,6 +107,13 @@ long strncpy_from_user(char *dst, const char __user *src, long count)
4433 + unsigned long max = max_addr - src_addr;
4434 + long retval;
4435 +
4436 ++ /*
4437 ++ * Truncate 'max' to the user-specified limit, so that
4438 ++ * we only have one limit we need to check in the loop
4439 ++ */
4440 ++ if (max > count)
4441 ++ max = count;
4442 ++
4443 + kasan_check_write(dst, count);
4444 + check_object_size(dst, count, false);
4445 + if (user_access_begin(src, max)) {
4446 +diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
4447 +index 6c0005d5dd5c..41670d4a5816 100644
4448 +--- a/lib/strnlen_user.c
4449 ++++ b/lib/strnlen_user.c
4450 +@@ -26,13 +26,6 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
4451 + unsigned long align, res = 0;
4452 + unsigned long c;
4453 +
4454 +- /*
4455 +- * Truncate 'max' to the user-specified limit, so that
4456 +- * we only have one limit we need to check in the loop
4457 +- */
4458 +- if (max > count)
4459 +- max = count;
4460 +-
4461 + /*
4462 + * Do everything aligned. But that means that we
4463 + * need to also expand the maximum..
4464 +@@ -109,6 +102,13 @@ long strnlen_user(const char __user *str, long count)
4465 + unsigned long max = max_addr - src_addr;
4466 + long retval;
4467 +
4468 ++ /*
4469 ++ * Truncate 'max' to the user-specified limit, so that
4470 ++ * we only have one limit we need to check in the loop
4471 ++ */
4472 ++ if (max > count)
4473 ++ max = count;
4474 ++
4475 + if (user_access_begin(str, max)) {
4476 + retval = do_strnlen_user(str, count, max);
4477 + user_access_end();
4478 +diff --git a/lib/test_xarray.c b/lib/test_xarray.c
4479 +index 7df4f7f395bf..03c3f42966ce 100644
4480 +--- a/lib/test_xarray.c
4481 ++++ b/lib/test_xarray.c
4482 +@@ -2,6 +2,7 @@
4483 + /*
4484 + * test_xarray.c: Test the XArray API
4485 + * Copyright (c) 2017-2018 Microsoft Corporation
4486 ++ * Copyright (c) 2019-2020 Oracle
4487 + * Author: Matthew Wilcox <willy@×××××××××.org>
4488 + */
4489 +
4490 +@@ -902,28 +903,34 @@ static noinline void check_store_iter(struct xarray *xa)
4491 + XA_BUG_ON(xa, !xa_empty(xa));
4492 + }
4493 +
4494 +-static noinline void check_multi_find(struct xarray *xa)
4495 ++static noinline void check_multi_find_1(struct xarray *xa, unsigned order)
4496 + {
4497 + #ifdef CONFIG_XARRAY_MULTI
4498 ++ unsigned long multi = 3 << order;
4499 ++ unsigned long next = 4 << order;
4500 + unsigned long index;
4501 +
4502 +- xa_store_order(xa, 12, 2, xa_mk_value(12), GFP_KERNEL);
4503 +- XA_BUG_ON(xa, xa_store_index(xa, 16, GFP_KERNEL) != NULL);
4504 ++ xa_store_order(xa, multi, order, xa_mk_value(multi), GFP_KERNEL);
4505 ++ XA_BUG_ON(xa, xa_store_index(xa, next, GFP_KERNEL) != NULL);
4506 ++ XA_BUG_ON(xa, xa_store_index(xa, next + 1, GFP_KERNEL) != NULL);
4507 +
4508 + index = 0;
4509 + XA_BUG_ON(xa, xa_find(xa, &index, ULONG_MAX, XA_PRESENT) !=
4510 +- xa_mk_value(12));
4511 +- XA_BUG_ON(xa, index != 12);
4512 +- index = 13;
4513 ++ xa_mk_value(multi));
4514 ++ XA_BUG_ON(xa, index != multi);
4515 ++ index = multi + 1;
4516 + XA_BUG_ON(xa, xa_find(xa, &index, ULONG_MAX, XA_PRESENT) !=
4517 +- xa_mk_value(12));
4518 +- XA_BUG_ON(xa, (index < 12) || (index >= 16));
4519 ++ xa_mk_value(multi));
4520 ++ XA_BUG_ON(xa, (index < multi) || (index >= next));
4521 + XA_BUG_ON(xa, xa_find_after(xa, &index, ULONG_MAX, XA_PRESENT) !=
4522 +- xa_mk_value(16));
4523 +- XA_BUG_ON(xa, index != 16);
4524 +-
4525 +- xa_erase_index(xa, 12);
4526 +- xa_erase_index(xa, 16);
4527 ++ xa_mk_value(next));
4528 ++ XA_BUG_ON(xa, index != next);
4529 ++ XA_BUG_ON(xa, xa_find_after(xa, &index, next, XA_PRESENT) != NULL);
4530 ++ XA_BUG_ON(xa, index != next);
4531 ++
4532 ++ xa_erase_index(xa, multi);
4533 ++ xa_erase_index(xa, next);
4534 ++ xa_erase_index(xa, next + 1);
4535 + XA_BUG_ON(xa, !xa_empty(xa));
4536 + #endif
4537 + }
4538 +@@ -1046,12 +1053,33 @@ static noinline void check_find_3(struct xarray *xa)
4539 + xa_destroy(xa);
4540 + }
4541 +
4542 ++static noinline void check_find_4(struct xarray *xa)
4543 ++{
4544 ++ unsigned long index = 0;
4545 ++ void *entry;
4546 ++
4547 ++ xa_store_index(xa, ULONG_MAX, GFP_KERNEL);
4548 ++
4549 ++ entry = xa_find_after(xa, &index, ULONG_MAX, XA_PRESENT);
4550 ++ XA_BUG_ON(xa, entry != xa_mk_index(ULONG_MAX));
4551 ++
4552 ++ entry = xa_find_after(xa, &index, ULONG_MAX, XA_PRESENT);
4553 ++ XA_BUG_ON(xa, entry);
4554 ++
4555 ++ xa_erase_index(xa, ULONG_MAX);
4556 ++}
4557 ++
4558 + static noinline void check_find(struct xarray *xa)
4559 + {
4560 ++ unsigned i;
4561 ++
4562 + check_find_1(xa);
4563 + check_find_2(xa);
4564 + check_find_3(xa);
4565 +- check_multi_find(xa);
4566 ++ check_find_4(xa);
4567 ++
4568 ++ for (i = 2; i < 10; i++)
4569 ++ check_multi_find_1(xa, i);
4570 + check_multi_find_2(xa);
4571 + }
4572 +
4573 +diff --git a/lib/xarray.c b/lib/xarray.c
4574 +index 1237c213f52b..47e17d46e5f8 100644
4575 +--- a/lib/xarray.c
4576 ++++ b/lib/xarray.c
4577 +@@ -1,7 +1,8 @@
4578 + // SPDX-License-Identifier: GPL-2.0+
4579 + /*
4580 + * XArray implementation
4581 +- * Copyright (c) 2017 Microsoft Corporation
4582 ++ * Copyright (c) 2017-2018 Microsoft Corporation
4583 ++ * Copyright (c) 2018-2020 Oracle
4584 + * Author: Matthew Wilcox <willy@×××××××××.org>
4585 + */
4586 +
4587 +@@ -1081,6 +1082,8 @@ void *xas_find(struct xa_state *xas, unsigned long max)
4588 +
4589 + if (xas_error(xas))
4590 + return NULL;
4591 ++ if (xas->xa_index > max)
4592 ++ return set_bounds(xas);
4593 +
4594 + if (!xas->xa_node) {
4595 + xas->xa_index = 1;
4596 +@@ -1150,6 +1153,8 @@ void *xas_find_marked(struct xa_state *xas, unsigned long max, xa_mark_t mark)
4597 +
4598 + if (xas_error(xas))
4599 + return NULL;
4600 ++ if (xas->xa_index > max)
4601 ++ goto max;
4602 +
4603 + if (!xas->xa_node) {
4604 + xas->xa_index = 1;
4605 +@@ -1824,6 +1829,17 @@ void *xa_find(struct xarray *xa, unsigned long *indexp,
4606 + }
4607 + EXPORT_SYMBOL(xa_find);
4608 +
4609 ++static bool xas_sibling(struct xa_state *xas)
4610 ++{
4611 ++ struct xa_node *node = xas->xa_node;
4612 ++ unsigned long mask;
4613 ++
4614 ++ if (!node)
4615 ++ return false;
4616 ++ mask = (XA_CHUNK_SIZE << node->shift) - 1;
4617 ++ return (xas->xa_index & mask) > (xas->xa_offset << node->shift);
4618 ++}
4619 ++
4620 + /**
4621 + * xa_find_after() - Search the XArray for a present entry.
4622 + * @xa: XArray.
4623 +@@ -1847,21 +1863,20 @@ void *xa_find_after(struct xarray *xa, unsigned long *indexp,
4624 + XA_STATE(xas, xa, *indexp + 1);
4625 + void *entry;
4626 +
4627 ++ if (xas.xa_index == 0)
4628 ++ return NULL;
4629 ++
4630 + rcu_read_lock();
4631 + for (;;) {
4632 + if ((__force unsigned int)filter < XA_MAX_MARKS)
4633 + entry = xas_find_marked(&xas, max, filter);
4634 + else
4635 + entry = xas_find(&xas, max);
4636 +- if (xas.xa_node == XAS_BOUNDS)
4637 ++
4638 ++ if (xas_invalid(&xas))
4639 + break;
4640 +- if (xas.xa_shift) {
4641 +- if (xas.xa_index & ((1UL << xas.xa_shift) - 1))
4642 +- continue;
4643 +- } else {
4644 +- if (xas.xa_offset < (xas.xa_index & XA_CHUNK_MASK))
4645 +- continue;
4646 +- }
4647 ++ if (xas_sibling(&xas))
4648 ++ continue;
4649 + if (!xas_retry(&xas, entry))
4650 + break;
4651 + }
4652 +diff --git a/net/core/dev.c b/net/core/dev.c
4653 +index 3098c90d60e2..82325d3d1371 100644
4654 +--- a/net/core/dev.c
4655 ++++ b/net/core/dev.c
4656 +@@ -5270,9 +5270,29 @@ static void flush_all_backlogs(void)
4657 + put_online_cpus();
4658 + }
4659 +
4660 ++/* Pass the currently batched GRO_NORMAL SKBs up to the stack. */
4661 ++static void gro_normal_list(struct napi_struct *napi)
4662 ++{
4663 ++ if (!napi->rx_count)
4664 ++ return;
4665 ++ netif_receive_skb_list_internal(&napi->rx_list);
4666 ++ INIT_LIST_HEAD(&napi->rx_list);
4667 ++ napi->rx_count = 0;
4668 ++}
4669 ++
4670 ++/* Queue one GRO_NORMAL SKB up for list processing. If batch size exceeded,
4671 ++ * pass the whole batch up to the stack.
4672 ++ */
4673 ++static void gro_normal_one(struct napi_struct *napi, struct sk_buff *skb)
4674 ++{
4675 ++ list_add_tail(&skb->list, &napi->rx_list);
4676 ++ if (++napi->rx_count >= gro_normal_batch)
4677 ++ gro_normal_list(napi);
4678 ++}
4679 ++
4680 + INDIRECT_CALLABLE_DECLARE(int inet_gro_complete(struct sk_buff *, int));
4681 + INDIRECT_CALLABLE_DECLARE(int ipv6_gro_complete(struct sk_buff *, int));
4682 +-static int napi_gro_complete(struct sk_buff *skb)
4683 ++static int napi_gro_complete(struct napi_struct *napi, struct sk_buff *skb)
4684 + {
4685 + struct packet_offload *ptype;
4686 + __be16 type = skb->protocol;
4687 +@@ -5305,7 +5325,8 @@ static int napi_gro_complete(struct sk_buff *skb)
4688 + }
4689 +
4690 + out:
4691 +- return netif_receive_skb_internal(skb);
4692 ++ gro_normal_one(napi, skb);
4693 ++ return NET_RX_SUCCESS;
4694 + }
4695 +
4696 + static void __napi_gro_flush_chain(struct napi_struct *napi, u32 index,
4697 +@@ -5318,7 +5339,7 @@ static void __napi_gro_flush_chain(struct napi_struct *napi, u32 index,
4698 + if (flush_old && NAPI_GRO_CB(skb)->age == jiffies)
4699 + return;
4700 + skb_list_del_init(skb);
4701 +- napi_gro_complete(skb);
4702 ++ napi_gro_complete(napi, skb);
4703 + napi->gro_hash[index].count--;
4704 + }
4705 +
4706 +@@ -5421,7 +5442,7 @@ static void gro_pull_from_frag0(struct sk_buff *skb, int grow)
4707 + }
4708 + }
4709 +
4710 +-static void gro_flush_oldest(struct list_head *head)
4711 ++static void gro_flush_oldest(struct napi_struct *napi, struct list_head *head)
4712 + {
4713 + struct sk_buff *oldest;
4714 +
4715 +@@ -5437,7 +5458,7 @@ static void gro_flush_oldest(struct list_head *head)
4716 + * SKB to the chain.
4717 + */
4718 + skb_list_del_init(oldest);
4719 +- napi_gro_complete(oldest);
4720 ++ napi_gro_complete(napi, oldest);
4721 + }
4722 +
4723 + INDIRECT_CALLABLE_DECLARE(struct sk_buff *inet_gro_receive(struct list_head *,
4724 +@@ -5513,7 +5534,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff
4725 +
4726 + if (pp) {
4727 + skb_list_del_init(pp);
4728 +- napi_gro_complete(pp);
4729 ++ napi_gro_complete(napi, pp);
4730 + napi->gro_hash[hash].count--;
4731 + }
4732 +
4733 +@@ -5524,7 +5545,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff
4734 + goto normal;
4735 +
4736 + if (unlikely(napi->gro_hash[hash].count >= MAX_GRO_SKBS)) {
4737 +- gro_flush_oldest(gro_head);
4738 ++ gro_flush_oldest(napi, gro_head);
4739 + } else {
4740 + napi->gro_hash[hash].count++;
4741 + }
4742 +@@ -5672,26 +5693,6 @@ struct sk_buff *napi_get_frags(struct napi_struct *napi)
4743 + }
4744 + EXPORT_SYMBOL(napi_get_frags);
4745 +
4746 +-/* Pass the currently batched GRO_NORMAL SKBs up to the stack. */
4747 +-static void gro_normal_list(struct napi_struct *napi)
4748 +-{
4749 +- if (!napi->rx_count)
4750 +- return;
4751 +- netif_receive_skb_list_internal(&napi->rx_list);
4752 +- INIT_LIST_HEAD(&napi->rx_list);
4753 +- napi->rx_count = 0;
4754 +-}
4755 +-
4756 +-/* Queue one GRO_NORMAL SKB up for list processing. If batch size exceeded,
4757 +- * pass the whole batch up to the stack.
4758 +- */
4759 +-static void gro_normal_one(struct napi_struct *napi, struct sk_buff *skb)
4760 +-{
4761 +- list_add_tail(&skb->list, &napi->rx_list);
4762 +- if (++napi->rx_count >= gro_normal_batch)
4763 +- gro_normal_list(napi);
4764 +-}
4765 +-
4766 + static gro_result_t napi_frags_finish(struct napi_struct *napi,
4767 + struct sk_buff *skb,
4768 + gro_result_t ret)
4769 +@@ -5979,8 +5980,6 @@ bool napi_complete_done(struct napi_struct *n, int work_done)
4770 + NAPIF_STATE_IN_BUSY_POLL)))
4771 + return false;
4772 +
4773 +- gro_normal_list(n);
4774 +-
4775 + if (n->gro_bitmask) {
4776 + unsigned long timeout = 0;
4777 +
4778 +@@ -5996,6 +5995,9 @@ bool napi_complete_done(struct napi_struct *n, int work_done)
4779 + hrtimer_start(&n->timer, ns_to_ktime(timeout),
4780 + HRTIMER_MODE_REL_PINNED);
4781 + }
4782 ++
4783 ++ gro_normal_list(n);
4784 ++
4785 + if (unlikely(!list_empty(&n->poll_list))) {
4786 + /* If n->poll_list is not empty, we need to mask irqs */
4787 + local_irq_save(flags);
4788 +@@ -6327,8 +6329,6 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
4789 + goto out_unlock;
4790 + }
4791 +
4792 +- gro_normal_list(n);
4793 +-
4794 + if (n->gro_bitmask) {
4795 + /* flush too old packets
4796 + * If HZ < 1000, flush all packets.
4797 +@@ -6336,6 +6336,8 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
4798 + napi_gro_flush(n, HZ >= 1000);
4799 + }
4800 +
4801 ++ gro_normal_list(n);
4802 ++
4803 + /* Some drivers may have called napi_schedule
4804 + * prior to exhausting their budget.
4805 + */
4806 +@@ -7973,6 +7975,22 @@ int __dev_set_mtu(struct net_device *dev, int new_mtu)
4807 + }
4808 + EXPORT_SYMBOL(__dev_set_mtu);
4809 +
4810 ++int dev_validate_mtu(struct net_device *dev, int new_mtu,
4811 ++ struct netlink_ext_ack *extack)
4812 ++{
4813 ++ /* MTU must be positive, and in range */
4814 ++ if (new_mtu < 0 || new_mtu < dev->min_mtu) {
4815 ++ NL_SET_ERR_MSG(extack, "mtu less than device minimum");
4816 ++ return -EINVAL;
4817 ++ }
4818 ++
4819 ++ if (dev->max_mtu > 0 && new_mtu > dev->max_mtu) {
4820 ++ NL_SET_ERR_MSG(extack, "mtu greater than device maximum");
4821 ++ return -EINVAL;
4822 ++ }
4823 ++ return 0;
4824 ++}
4825 ++
4826 + /**
4827 + * dev_set_mtu_ext - Change maximum transfer unit
4828 + * @dev: device
4829 +@@ -7989,16 +8007,9 @@ int dev_set_mtu_ext(struct net_device *dev, int new_mtu,
4830 + if (new_mtu == dev->mtu)
4831 + return 0;
4832 +
4833 +- /* MTU must be positive, and in range */
4834 +- if (new_mtu < 0 || new_mtu < dev->min_mtu) {
4835 +- NL_SET_ERR_MSG(extack, "mtu less than device minimum");
4836 +- return -EINVAL;
4837 +- }
4838 +-
4839 +- if (dev->max_mtu > 0 && new_mtu > dev->max_mtu) {
4840 +- NL_SET_ERR_MSG(extack, "mtu greater than device maximum");
4841 +- return -EINVAL;
4842 +- }
4843 ++ err = dev_validate_mtu(dev, new_mtu, extack);
4844 ++ if (err)
4845 ++ return err;
4846 +
4847 + if (!netif_device_present(dev))
4848 + return -ENODEV;
4849 +@@ -9073,8 +9084,10 @@ int register_netdevice(struct net_device *dev)
4850 + goto err_uninit;
4851 +
4852 + ret = netdev_register_kobject(dev);
4853 +- if (ret)
4854 ++ if (ret) {
4855 ++ dev->reg_state = NETREG_UNREGISTERED;
4856 + goto err_uninit;
4857 ++ }
4858 + dev->reg_state = NETREG_REGISTERED;
4859 +
4860 + __netdev_update_features(dev);
4861 +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
4862 +index e4ec575c1fba..944acb1a9f29 100644
4863 +--- a/net/core/rtnetlink.c
4864 ++++ b/net/core/rtnetlink.c
4865 +@@ -2959,8 +2959,17 @@ struct net_device *rtnl_create_link(struct net *net, const char *ifname,
4866 + dev->rtnl_link_ops = ops;
4867 + dev->rtnl_link_state = RTNL_LINK_INITIALIZING;
4868 +
4869 +- if (tb[IFLA_MTU])
4870 +- dev->mtu = nla_get_u32(tb[IFLA_MTU]);
4871 ++ if (tb[IFLA_MTU]) {
4872 ++ u32 mtu = nla_get_u32(tb[IFLA_MTU]);
4873 ++ int err;
4874 ++
4875 ++ err = dev_validate_mtu(dev, mtu, extack);
4876 ++ if (err) {
4877 ++ free_netdev(dev);
4878 ++ return ERR_PTR(err);
4879 ++ }
4880 ++ dev->mtu = mtu;
4881 ++ }
4882 + if (tb[IFLA_ADDRESS]) {
4883 + memcpy(dev->dev_addr, nla_data(tb[IFLA_ADDRESS]),
4884 + nla_len(tb[IFLA_ADDRESS]));
4885 +diff --git a/net/core/skmsg.c b/net/core/skmsg.c
4886 +index 3866d7e20c07..ded2d5227678 100644
4887 +--- a/net/core/skmsg.c
4888 ++++ b/net/core/skmsg.c
4889 +@@ -594,8 +594,6 @@ EXPORT_SYMBOL_GPL(sk_psock_destroy);
4890 +
4891 + void sk_psock_drop(struct sock *sk, struct sk_psock *psock)
4892 + {
4893 +- sock_owned_by_me(sk);
4894 +-
4895 + sk_psock_cork_free(psock);
4896 + sk_psock_zap_ingress(psock);
4897 +
4898 +diff --git a/net/hsr/hsr_main.h b/net/hsr/hsr_main.h
4899 +index d40de84a637f..754d84b217f0 100644
4900 +--- a/net/hsr/hsr_main.h
4901 ++++ b/net/hsr/hsr_main.h
4902 +@@ -191,7 +191,7 @@ void hsr_debugfs_term(struct hsr_priv *priv);
4903 + void hsr_debugfs_create_root(void);
4904 + void hsr_debugfs_remove_root(void);
4905 + #else
4906 +-static inline void void hsr_debugfs_rename(struct net_device *dev)
4907 ++static inline void hsr_debugfs_rename(struct net_device *dev)
4908 + {
4909 + }
4910 + static inline void hsr_debugfs_init(struct hsr_priv *priv,
4911 +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
4912 +index 0e4a7cf6bc87..e2e219c7854a 100644
4913 +--- a/net/ipv4/esp4_offload.c
4914 ++++ b/net/ipv4/esp4_offload.c
4915 +@@ -57,6 +57,8 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
4916 + if (!x)
4917 + goto out_reset;
4918 +
4919 ++ skb->mark = xfrm_smark_get(skb->mark, x);
4920 ++
4921 + sp->xvec[sp->len++] = x;
4922 + sp->olen++;
4923 +
4924 +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
4925 +index 1ab2fb6bb37d..f12fa8da6127 100644
4926 +--- a/net/ipv4/fib_trie.c
4927 ++++ b/net/ipv4/fib_trie.c
4928 +@@ -2175,6 +2175,12 @@ int fib_table_dump(struct fib_table *tb, struct sk_buff *skb,
4929 + int count = cb->args[2];
4930 + t_key key = cb->args[3];
4931 +
4932 ++ /* First time here, count and key are both always 0. Count > 0
4933 ++ * and key == 0 means the dump has wrapped around and we are done.
4934 ++ */
4935 ++ if (count && !key)
4936 ++ return skb->len;
4937 ++
4938 + while ((l = leaf_walk_rcu(&tp, key)) != NULL) {
4939 + int err;
4940 +
4941 +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
4942 +index 30fa771d382a..dcc79ff54b41 100644
4943 +--- a/net/ipv4/fou.c
4944 ++++ b/net/ipv4/fou.c
4945 +@@ -662,8 +662,8 @@ static const struct nla_policy fou_nl_policy[FOU_ATTR_MAX + 1] = {
4946 + [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
4947 + [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
4948 + [FOU_ATTR_PEER_V4] = { .type = NLA_U32, },
4949 +- [FOU_ATTR_LOCAL_V6] = { .type = sizeof(struct in6_addr), },
4950 +- [FOU_ATTR_PEER_V6] = { .type = sizeof(struct in6_addr), },
4951 ++ [FOU_ATTR_LOCAL_V6] = { .len = sizeof(struct in6_addr), },
4952 ++ [FOU_ATTR_PEER_V6] = { .len = sizeof(struct in6_addr), },
4953 + [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, },
4954 + [FOU_ATTR_IFINDEX] = { .type = NLA_S32, },
4955 + };
4956 +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
4957 +index 0fe2a5d3e258..74e1d964a615 100644
4958 +--- a/net/ipv4/ip_tunnel.c
4959 ++++ b/net/ipv4/ip_tunnel.c
4960 +@@ -1236,10 +1236,8 @@ int ip_tunnel_init(struct net_device *dev)
4961 + iph->version = 4;
4962 + iph->ihl = 5;
4963 +
4964 +- if (tunnel->collect_md) {
4965 +- dev->features |= NETIF_F_NETNS_LOCAL;
4966 ++ if (tunnel->collect_md)
4967 + netif_keep_dst(dev);
4968 +- }
4969 + return 0;
4970 + }
4971 + EXPORT_SYMBOL_GPL(ip_tunnel_init);
4972 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
4973 +index 84115577d3dc..3640e8563a10 100644
4974 +--- a/net/ipv4/tcp.c
4975 ++++ b/net/ipv4/tcp.c
4976 +@@ -2520,6 +2520,7 @@ static void tcp_rtx_queue_purge(struct sock *sk)
4977 + {
4978 + struct rb_node *p = rb_first(&sk->tcp_rtx_queue);
4979 +
4980 ++ tcp_sk(sk)->highest_sack = NULL;
4981 + while (p) {
4982 + struct sk_buff *skb = rb_to_skb(p);
4983 +
4984 +diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
4985 +index a6545ef0d27b..6c4d79baff26 100644
4986 +--- a/net/ipv4/tcp_bbr.c
4987 ++++ b/net/ipv4/tcp_bbr.c
4988 +@@ -779,8 +779,7 @@ static void bbr_update_bw(struct sock *sk, const struct rate_sample *rs)
4989 + * bandwidth sample. Delivered is in packets and interval_us in uS and
4990 + * ratio will be <<1 for most connections. So delivered is first scaled.
4991 + */
4992 +- bw = (u64)rs->delivered * BW_UNIT;
4993 +- do_div(bw, rs->interval_us);
4994 ++ bw = div64_long((u64)rs->delivered * BW_UNIT, rs->interval_us);
4995 +
4996 + /* If this sample is application-limited, it is likely to have a very
4997 + * low delivered count that represents application behavior rather than
4998 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
4999 +index 59b78ce2ce2e..6f7155d91313 100644
5000 +--- a/net/ipv4/tcp_input.c
5001 ++++ b/net/ipv4/tcp_input.c
5002 +@@ -3164,6 +3164,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, u32 prior_fack,
5003 + tp->retransmit_skb_hint = NULL;
5004 + if (unlikely(skb == tp->lost_skb_hint))
5005 + tp->lost_skb_hint = NULL;
5006 ++ tcp_highest_sack_replace(sk, skb, next);
5007 + tcp_rtx_queue_unlink_and_free(skb, sk);
5008 + }
5009 +
5010 +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
5011 +index e4ba915c4bb5..660b24fe041e 100644
5012 +--- a/net/ipv4/tcp_output.c
5013 ++++ b/net/ipv4/tcp_output.c
5014 +@@ -3231,6 +3231,7 @@ int tcp_send_synack(struct sock *sk)
5015 + if (!nskb)
5016 + return -ENOMEM;
5017 + INIT_LIST_HEAD(&nskb->tcp_tsorted_anchor);
5018 ++ tcp_highest_sack_replace(sk, skb, nskb);
5019 + tcp_rtx_queue_unlink_and_free(skb, sk);
5020 + __skb_header_release(nskb);
5021 + tcp_rbtree_insert(&sk->tcp_rtx_queue, nskb);
5022 +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
5023 +index 7aa4e77161f6..7ae7065758bd 100644
5024 +--- a/net/ipv4/udp.c
5025 ++++ b/net/ipv4/udp.c
5026 +@@ -1368,7 +1368,8 @@ static void udp_rmem_release(struct sock *sk, int size, int partial,
5027 + if (likely(partial)) {
5028 + up->forward_deficit += size;
5029 + size = up->forward_deficit;
5030 +- if (size < (sk->sk_rcvbuf >> 2))
5031 ++ if (size < (sk->sk_rcvbuf >> 2) &&
5032 ++ !skb_queue_empty(&up->reader_queue))
5033 + return;
5034 + } else {
5035 + size += up->forward_deficit;
5036 +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
5037 +index e31626ffccd1..fd535053245b 100644
5038 +--- a/net/ipv6/esp6_offload.c
5039 ++++ b/net/ipv6/esp6_offload.c
5040 +@@ -79,6 +79,8 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
5041 + if (!x)
5042 + goto out_reset;
5043 +
5044 ++ skb->mark = xfrm_smark_get(skb->mark, x);
5045 ++
5046 + sp->xvec[sp->len++] = x;
5047 + sp->olen++;
5048 +
5049 +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
5050 +index 189de56f5e36..9ec05a1df5e1 100644
5051 +--- a/net/ipv6/ip6_gre.c
5052 ++++ b/net/ipv6/ip6_gre.c
5053 +@@ -1466,7 +1466,6 @@ static int ip6gre_tunnel_init_common(struct net_device *dev)
5054 + dev->mtu -= 8;
5055 +
5056 + if (tunnel->parms.collect_md) {
5057 +- dev->features |= NETIF_F_NETNS_LOCAL;
5058 + netif_keep_dst(dev);
5059 + }
5060 + ip6gre_tnl_init_features(dev);
5061 +@@ -1894,7 +1893,6 @@ static void ip6gre_tap_setup(struct net_device *dev)
5062 + dev->needs_free_netdev = true;
5063 + dev->priv_destructor = ip6gre_dev_free;
5064 +
5065 +- dev->features |= NETIF_F_NETNS_LOCAL;
5066 + dev->priv_flags &= ~IFF_TX_SKB_SHARING;
5067 + dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
5068 + netif_keep_dst(dev);
5069 +@@ -2197,7 +2195,6 @@ static void ip6erspan_tap_setup(struct net_device *dev)
5070 + dev->needs_free_netdev = true;
5071 + dev->priv_destructor = ip6gre_dev_free;
5072 +
5073 +- dev->features |= NETIF_F_NETNS_LOCAL;
5074 + dev->priv_flags &= ~IFF_TX_SKB_SHARING;
5075 + dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
5076 + netif_keep_dst(dev);
5077 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
5078 +index 2f376dbc37d5..b5dd20c4599b 100644
5079 +--- a/net/ipv6/ip6_tunnel.c
5080 ++++ b/net/ipv6/ip6_tunnel.c
5081 +@@ -1877,10 +1877,8 @@ static int ip6_tnl_dev_init(struct net_device *dev)
5082 + if (err)
5083 + return err;
5084 + ip6_tnl_link_config(t);
5085 +- if (t->parms.collect_md) {
5086 +- dev->features |= NETIF_F_NETNS_LOCAL;
5087 ++ if (t->parms.collect_md)
5088 + netif_keep_dst(dev);
5089 +- }
5090 + return 0;
5091 + }
5092 +
5093 +diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
5094 +index e70567446f28..802eebf8ac4b 100644
5095 +--- a/net/ipv6/seg6_local.c
5096 ++++ b/net/ipv6/seg6_local.c
5097 +@@ -23,6 +23,7 @@
5098 + #include <net/addrconf.h>
5099 + #include <net/ip6_route.h>
5100 + #include <net/dst_cache.h>
5101 ++#include <net/ip_tunnels.h>
5102 + #ifdef CONFIG_IPV6_SEG6_HMAC
5103 + #include <net/seg6_hmac.h>
5104 + #endif
5105 +@@ -135,7 +136,8 @@ static bool decap_and_validate(struct sk_buff *skb, int proto)
5106 +
5107 + skb_reset_network_header(skb);
5108 + skb_reset_transport_header(skb);
5109 +- skb->encapsulation = 0;
5110 ++ if (iptunnel_pull_offloads(skb))
5111 ++ return false;
5112 +
5113 + return true;
5114 + }
5115 +diff --git a/net/netfilter/ipset/ip_set_bitmap_gen.h b/net/netfilter/ipset/ip_set_bitmap_gen.h
5116 +index e1f271a1b2c1..bfd4b42ba305 100644
5117 +--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
5118 ++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
5119 +@@ -75,7 +75,7 @@ mtype_flush(struct ip_set *set)
5120 +
5121 + if (set->extensions & IPSET_EXT_DESTROY)
5122 + mtype_ext_cleanup(set);
5123 +- memset(map->members, 0, map->memsize);
5124 ++ bitmap_zero(map->members, map->elements);
5125 + set->elements = 0;
5126 + set->ext_size = 0;
5127 + }
5128 +diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
5129 +index 11ff9d4a7006..d934384f31ad 100644
5130 +--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
5131 ++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
5132 +@@ -37,7 +37,7 @@ MODULE_ALIAS("ip_set_bitmap:ip");
5133 +
5134 + /* Type structure */
5135 + struct bitmap_ip {
5136 +- void *members; /* the set members */
5137 ++ unsigned long *members; /* the set members */
5138 + u32 first_ip; /* host byte order, included in range */
5139 + u32 last_ip; /* host byte order, included in range */
5140 + u32 elements; /* number of max elements in the set */
5141 +@@ -220,7 +220,7 @@ init_map_ip(struct ip_set *set, struct bitmap_ip *map,
5142 + u32 first_ip, u32 last_ip,
5143 + u32 elements, u32 hosts, u8 netmask)
5144 + {
5145 +- map->members = ip_set_alloc(map->memsize);
5146 ++ map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
5147 + if (!map->members)
5148 + return false;
5149 + map->first_ip = first_ip;
5150 +@@ -310,7 +310,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
5151 + if (!map)
5152 + return -ENOMEM;
5153 +
5154 +- map->memsize = bitmap_bytes(0, elements - 1);
5155 ++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
5156 + set->variant = &bitmap_ip;
5157 + if (!init_map_ip(set, map, first_ip, last_ip,
5158 + elements, hosts, netmask)) {
5159 +diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
5160 +index 1d4e63326e68..e8532783b43a 100644
5161 +--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
5162 ++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
5163 +@@ -42,7 +42,7 @@ enum {
5164 +
5165 + /* Type structure */
5166 + struct bitmap_ipmac {
5167 +- void *members; /* the set members */
5168 ++ unsigned long *members; /* the set members */
5169 + u32 first_ip; /* host byte order, included in range */
5170 + u32 last_ip; /* host byte order, included in range */
5171 + u32 elements; /* number of max elements in the set */
5172 +@@ -299,7 +299,7 @@ static bool
5173 + init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
5174 + u32 first_ip, u32 last_ip, u32 elements)
5175 + {
5176 +- map->members = ip_set_alloc(map->memsize);
5177 ++ map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
5178 + if (!map->members)
5179 + return false;
5180 + map->first_ip = first_ip;
5181 +@@ -360,7 +360,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
5182 + if (!map)
5183 + return -ENOMEM;
5184 +
5185 +- map->memsize = bitmap_bytes(0, elements - 1);
5186 ++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
5187 + set->variant = &bitmap_ipmac;
5188 + if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
5189 + kfree(map);
5190 +diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
5191 +index 704a0dda1609..e3ac914fff1a 100644
5192 +--- a/net/netfilter/ipset/ip_set_bitmap_port.c
5193 ++++ b/net/netfilter/ipset/ip_set_bitmap_port.c
5194 +@@ -30,7 +30,7 @@ MODULE_ALIAS("ip_set_bitmap:port");
5195 +
5196 + /* Type structure */
5197 + struct bitmap_port {
5198 +- void *members; /* the set members */
5199 ++ unsigned long *members; /* the set members */
5200 + u16 first_port; /* host byte order, included in range */
5201 + u16 last_port; /* host byte order, included in range */
5202 + u32 elements; /* number of max elements in the set */
5203 +@@ -204,7 +204,7 @@ static bool
5204 + init_map_port(struct ip_set *set, struct bitmap_port *map,
5205 + u16 first_port, u16 last_port)
5206 + {
5207 +- map->members = ip_set_alloc(map->memsize);
5208 ++ map->members = bitmap_zalloc(map->elements, GFP_KERNEL | __GFP_NOWARN);
5209 + if (!map->members)
5210 + return false;
5211 + map->first_port = first_port;
5212 +@@ -244,7 +244,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
5213 + return -ENOMEM;
5214 +
5215 + map->elements = elements;
5216 +- map->memsize = bitmap_bytes(0, map->elements);
5217 ++ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
5218 + set->variant = &bitmap_port;
5219 + if (!init_map_port(set, map, first_port, last_port)) {
5220 + kfree(map);
5221 +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
5222 +index 9fefd0150091..23544842b692 100644
5223 +--- a/net/netfilter/nf_tables_api.c
5224 ++++ b/net/netfilter/nf_tables_api.c
5225 +@@ -488,48 +488,71 @@ static inline u64 nf_tables_alloc_handle(struct nft_table *table)
5226 +
5227 + static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
5228 +
5229 ++static const struct nft_chain_type *
5230 ++__nft_chain_type_get(u8 family, enum nft_chain_types type)
5231 ++{
5232 ++ if (family >= NFPROTO_NUMPROTO ||
5233 ++ type >= NFT_CHAIN_T_MAX)
5234 ++ return NULL;
5235 ++
5236 ++ return chain_type[family][type];
5237 ++}
5238 ++
5239 + static const struct nft_chain_type *
5240 + __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
5241 + {
5242 ++ const struct nft_chain_type *type;
5243 + int i;
5244 +
5245 + for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
5246 +- if (chain_type[family][i] != NULL &&
5247 +- !nla_strcmp(nla, chain_type[family][i]->name))
5248 +- return chain_type[family][i];
5249 ++ type = __nft_chain_type_get(family, i);
5250 ++ if (!type)
5251 ++ continue;
5252 ++ if (!nla_strcmp(nla, type->name))
5253 ++ return type;
5254 + }
5255 + return NULL;
5256 + }
5257 +
5258 +-/*
5259 +- * Loading a module requires dropping mutex that guards the transaction.
5260 +- * A different client might race to start a new transaction meanwhile. Zap the
5261 +- * list of pending transaction and then restore it once the mutex is grabbed
5262 +- * again. Users of this function return EAGAIN which implicitly triggers the
5263 +- * transaction abort path to clean up the list of pending transactions.
5264 +- */
5265 ++struct nft_module_request {
5266 ++ struct list_head list;
5267 ++ char module[MODULE_NAME_LEN];
5268 ++ bool done;
5269 ++};
5270 ++
5271 + #ifdef CONFIG_MODULES
5272 +-static void nft_request_module(struct net *net, const char *fmt, ...)
5273 ++static int nft_request_module(struct net *net, const char *fmt, ...)
5274 + {
5275 + char module_name[MODULE_NAME_LEN];
5276 +- LIST_HEAD(commit_list);
5277 ++ struct nft_module_request *req;
5278 + va_list args;
5279 + int ret;
5280 +
5281 +- list_splice_init(&net->nft.commit_list, &commit_list);
5282 +-
5283 + va_start(args, fmt);
5284 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
5285 + va_end(args);
5286 + if (ret >= MODULE_NAME_LEN)
5287 +- return;
5288 ++ return 0;
5289 +
5290 +- mutex_unlock(&net->nft.commit_mutex);
5291 +- request_module("%s", module_name);
5292 +- mutex_lock(&net->nft.commit_mutex);
5293 ++ list_for_each_entry(req, &net->nft.module_list, list) {
5294 ++ if (!strcmp(req->module, module_name)) {
5295 ++ if (req->done)
5296 ++ return 0;
5297 +
5298 +- WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
5299 +- list_splice(&commit_list, &net->nft.commit_list);
5300 ++ /* A request to load this module already exists. */
5301 ++ return -EAGAIN;
5302 ++ }
5303 ++ }
5304 ++
5305 ++ req = kmalloc(sizeof(*req), GFP_KERNEL);
5306 ++ if (!req)
5307 ++ return -ENOMEM;
5308 ++
5309 ++ req->done = false;
5310 ++ strlcpy(req->module, module_name, MODULE_NAME_LEN);
5311 ++ list_add_tail(&req->list, &net->nft.module_list);
5312 ++
5313 ++ return -EAGAIN;
5314 + }
5315 + #endif
5316 +
5317 +@@ -553,10 +576,9 @@ nf_tables_chain_type_lookup(struct net *net, const struct nlattr *nla,
5318 + lockdep_nfnl_nft_mutex_not_held();
5319 + #ifdef CONFIG_MODULES
5320 + if (autoload) {
5321 +- nft_request_module(net, "nft-chain-%u-%.*s", family,
5322 +- nla_len(nla), (const char *)nla_data(nla));
5323 +- type = __nf_tables_chain_type_lookup(nla, family);
5324 +- if (type != NULL)
5325 ++ if (nft_request_module(net, "nft-chain-%u-%.*s", family,
5326 ++ nla_len(nla),
5327 ++ (const char *)nla_data(nla)) == -EAGAIN)
5328 + return ERR_PTR(-EAGAIN);
5329 + }
5330 + #endif
5331 +@@ -1095,11 +1117,8 @@ static void nf_tables_table_destroy(struct nft_ctx *ctx)
5332 +
5333 + void nft_register_chain_type(const struct nft_chain_type *ctype)
5334 + {
5335 +- if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
5336 +- return;
5337 +-
5338 + nfnl_lock(NFNL_SUBSYS_NFTABLES);
5339 +- if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
5340 ++ if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
5341 + nfnl_unlock(NFNL_SUBSYS_NFTABLES);
5342 + return;
5343 + }
5344 +@@ -1551,7 +1570,10 @@ static int nft_chain_parse_hook(struct net *net,
5345 + hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
5346 + hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
5347 +
5348 +- type = chain_type[family][NFT_CHAIN_T_DEFAULT];
5349 ++ type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
5350 ++ if (!type)
5351 ++ return -EOPNOTSUPP;
5352 ++
5353 + if (nla[NFTA_CHAIN_TYPE]) {
5354 + type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
5355 + family, autoload);
5356 +@@ -2060,9 +2082,8 @@ static const struct nft_expr_type *__nft_expr_type_get(u8 family,
5357 + static int nft_expr_type_request_module(struct net *net, u8 family,
5358 + struct nlattr *nla)
5359 + {
5360 +- nft_request_module(net, "nft-expr-%u-%.*s", family,
5361 +- nla_len(nla), (char *)nla_data(nla));
5362 +- if (__nft_expr_type_get(family, nla))
5363 ++ if (nft_request_module(net, "nft-expr-%u-%.*s", family,
5364 ++ nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
5365 + return -EAGAIN;
5366 +
5367 + return 0;
5368 +@@ -2088,9 +2109,9 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net,
5369 + if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
5370 + return ERR_PTR(-EAGAIN);
5371 +
5372 +- nft_request_module(net, "nft-expr-%.*s",
5373 +- nla_len(nla), (char *)nla_data(nla));
5374 +- if (__nft_expr_type_get(family, nla))
5375 ++ if (nft_request_module(net, "nft-expr-%.*s",
5376 ++ nla_len(nla),
5377 ++ (char *)nla_data(nla)) == -EAGAIN)
5378 + return ERR_PTR(-EAGAIN);
5379 + }
5380 + #endif
5381 +@@ -2181,9 +2202,10 @@ static int nf_tables_expr_parse(const struct nft_ctx *ctx,
5382 + err = PTR_ERR(ops);
5383 + #ifdef CONFIG_MODULES
5384 + if (err == -EAGAIN)
5385 +- nft_expr_type_request_module(ctx->net,
5386 +- ctx->family,
5387 +- tb[NFTA_EXPR_NAME]);
5388 ++ if (nft_expr_type_request_module(ctx->net,
5389 ++ ctx->family,
5390 ++ tb[NFTA_EXPR_NAME]) != -EAGAIN)
5391 ++ err = -ENOENT;
5392 + #endif
5393 + goto err1;
5394 + }
5395 +@@ -3020,8 +3042,7 @@ nft_select_set_ops(const struct nft_ctx *ctx,
5396 + lockdep_nfnl_nft_mutex_not_held();
5397 + #ifdef CONFIG_MODULES
5398 + if (list_empty(&nf_tables_set_types)) {
5399 +- nft_request_module(ctx->net, "nft-set");
5400 +- if (!list_empty(&nf_tables_set_types))
5401 ++ if (nft_request_module(ctx->net, "nft-set") == -EAGAIN)
5402 + return ERR_PTR(-EAGAIN);
5403 + }
5404 + #endif
5405 +@@ -5147,8 +5168,7 @@ nft_obj_type_get(struct net *net, u32 objtype)
5406 + lockdep_nfnl_nft_mutex_not_held();
5407 + #ifdef CONFIG_MODULES
5408 + if (type == NULL) {
5409 +- nft_request_module(net, "nft-obj-%u", objtype);
5410 +- if (__nft_obj_type_get(objtype))
5411 ++ if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5412 + return ERR_PTR(-EAGAIN);
5413 + }
5414 + #endif
5415 +@@ -5764,8 +5784,7 @@ nft_flowtable_type_get(struct net *net, u8 family)
5416 + lockdep_nfnl_nft_mutex_not_held();
5417 + #ifdef CONFIG_MODULES
5418 + if (type == NULL) {
5419 +- nft_request_module(net, "nf-flowtable-%u", family);
5420 +- if (__nft_flowtable_type_get(family))
5421 ++ if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
5422 + return ERR_PTR(-EAGAIN);
5423 + }
5424 + #endif
5425 +@@ -6712,6 +6731,18 @@ static void nft_chain_del(struct nft_chain *chain)
5426 + list_del_rcu(&chain->list);
5427 + }
5428 +
5429 ++static void nf_tables_module_autoload_cleanup(struct net *net)
5430 ++{
5431 ++ struct nft_module_request *req, *next;
5432 ++
5433 ++ WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
5434 ++ list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
5435 ++ WARN_ON_ONCE(!req->done);
5436 ++ list_del(&req->list);
5437 ++ kfree(req);
5438 ++ }
5439 ++}
5440 ++
5441 + static void nf_tables_commit_release(struct net *net)
5442 + {
5443 + struct nft_trans *trans;
5444 +@@ -6724,6 +6755,7 @@ static void nf_tables_commit_release(struct net *net)
5445 + * to prevent expensive synchronize_rcu() in commit phase.
5446 + */
5447 + if (list_empty(&net->nft.commit_list)) {
5448 ++ nf_tables_module_autoload_cleanup(net);
5449 + mutex_unlock(&net->nft.commit_mutex);
5450 + return;
5451 + }
5452 +@@ -6738,6 +6770,7 @@ static void nf_tables_commit_release(struct net *net)
5453 + list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
5454 + spin_unlock(&nf_tables_destroy_list_lock);
5455 +
5456 ++ nf_tables_module_autoload_cleanup(net);
5457 + mutex_unlock(&net->nft.commit_mutex);
5458 +
5459 + schedule_work(&trans_destroy_work);
5460 +@@ -6929,6 +6962,26 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
5461 + return 0;
5462 + }
5463 +
5464 ++static void nf_tables_module_autoload(struct net *net)
5465 ++{
5466 ++ struct nft_module_request *req, *next;
5467 ++ LIST_HEAD(module_list);
5468 ++
5469 ++ list_splice_init(&net->nft.module_list, &module_list);
5470 ++ mutex_unlock(&net->nft.commit_mutex);
5471 ++ list_for_each_entry_safe(req, next, &module_list, list) {
5472 ++ if (req->done) {
5473 ++ list_del(&req->list);
5474 ++ kfree(req);
5475 ++ } else {
5476 ++ request_module("%s", req->module);
5477 ++ req->done = true;
5478 ++ }
5479 ++ }
5480 ++ mutex_lock(&net->nft.commit_mutex);
5481 ++ list_splice(&module_list, &net->nft.module_list);
5482 ++}
5483 ++
5484 + static void nf_tables_abort_release(struct nft_trans *trans)
5485 + {
5486 + switch (trans->msg_type) {
5487 +@@ -6958,7 +7011,7 @@ static void nf_tables_abort_release(struct nft_trans *trans)
5488 + kfree(trans);
5489 + }
5490 +
5491 +-static int __nf_tables_abort(struct net *net)
5492 ++static int __nf_tables_abort(struct net *net, bool autoload)
5493 + {
5494 + struct nft_trans *trans, *next;
5495 + struct nft_trans_elem *te;
5496 +@@ -7080,6 +7133,11 @@ static int __nf_tables_abort(struct net *net)
5497 + nf_tables_abort_release(trans);
5498 + }
5499 +
5500 ++ if (autoload)
5501 ++ nf_tables_module_autoload(net);
5502 ++ else
5503 ++ nf_tables_module_autoload_cleanup(net);
5504 ++
5505 + return 0;
5506 + }
5507 +
5508 +@@ -7088,9 +7146,9 @@ static void nf_tables_cleanup(struct net *net)
5509 + nft_validate_state_update(net, NFT_VALIDATE_SKIP);
5510 + }
5511 +
5512 +-static int nf_tables_abort(struct net *net, struct sk_buff *skb)
5513 ++static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
5514 + {
5515 +- int ret = __nf_tables_abort(net);
5516 ++ int ret = __nf_tables_abort(net, autoload);
5517 +
5518 + mutex_unlock(&net->nft.commit_mutex);
5519 +
5520 +@@ -7685,6 +7743,7 @@ static int __net_init nf_tables_init_net(struct net *net)
5521 + {
5522 + INIT_LIST_HEAD(&net->nft.tables);
5523 + INIT_LIST_HEAD(&net->nft.commit_list);
5524 ++ INIT_LIST_HEAD(&net->nft.module_list);
5525 + mutex_init(&net->nft.commit_mutex);
5526 + net->nft.base_seq = 1;
5527 + net->nft.validate_state = NFT_VALIDATE_SKIP;
5528 +@@ -7696,7 +7755,7 @@ static void __net_exit nf_tables_exit_net(struct net *net)
5529 + {
5530 + mutex_lock(&net->nft.commit_mutex);
5531 + if (!list_empty(&net->nft.commit_list))
5532 +- __nf_tables_abort(net);
5533 ++ __nf_tables_abort(net, false);
5534 + __nft_release_tables(net);
5535 + mutex_unlock(&net->nft.commit_mutex);
5536 + WARN_ON_ONCE(!list_empty(&net->nft.tables));
5537 +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
5538 +index 4abbb452cf6c..99127e2d95a8 100644
5539 +--- a/net/netfilter/nfnetlink.c
5540 ++++ b/net/netfilter/nfnetlink.c
5541 +@@ -476,7 +476,7 @@ ack:
5542 + }
5543 + done:
5544 + if (status & NFNL_BATCH_REPLAY) {
5545 +- ss->abort(net, oskb);
5546 ++ ss->abort(net, oskb, true);
5547 + nfnl_err_reset(&err_list);
5548 + kfree_skb(skb);
5549 + module_put(ss->owner);
5550 +@@ -487,11 +487,11 @@ done:
5551 + status |= NFNL_BATCH_REPLAY;
5552 + goto done;
5553 + } else if (err) {
5554 +- ss->abort(net, oskb);
5555 ++ ss->abort(net, oskb, false);
5556 + netlink_ack(oskb, nlmsg_hdr(oskb), err, NULL);
5557 + }
5558 + } else {
5559 +- ss->abort(net, oskb);
5560 ++ ss->abort(net, oskb, false);
5561 + }
5562 + if (ss->cleanup)
5563 + ss->cleanup(net);
5564 +diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
5565 +index f54d6ae15bb1..b42247aa48a9 100644
5566 +--- a/net/netfilter/nft_osf.c
5567 ++++ b/net/netfilter/nft_osf.c
5568 +@@ -61,6 +61,9 @@ static int nft_osf_init(const struct nft_ctx *ctx,
5569 + int err;
5570 + u8 ttl;
5571 +
5572 ++ if (!tb[NFTA_OSF_DREG])
5573 ++ return -EINVAL;
5574 ++
5575 + if (tb[NFTA_OSF_TTL]) {
5576 + ttl = nla_get_u8(tb[NFTA_OSF_TTL]);
5577 + if (ttl > 2)
5578 +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
5579 +index 76e0d122616a..c2cdd0fc2e70 100644
5580 +--- a/net/sched/cls_api.c
5581 ++++ b/net/sched/cls_api.c
5582 +@@ -2055,9 +2055,8 @@ replay:
5583 + &chain_info));
5584 +
5585 + mutex_unlock(&chain->filter_chain_lock);
5586 +- tp_new = tcf_proto_create(nla_data(tca[TCA_KIND]),
5587 +- protocol, prio, chain, rtnl_held,
5588 +- extack);
5589 ++ tp_new = tcf_proto_create(name, protocol, prio, chain,
5590 ++ rtnl_held, extack);
5591 + if (IS_ERR(tp_new)) {
5592 + err = PTR_ERR(tp_new);
5593 + goto errout_tp;
5594 +diff --git a/net/sched/ematch.c b/net/sched/ematch.c
5595 +index 8f2ad706784d..d0140a92694a 100644
5596 +--- a/net/sched/ematch.c
5597 ++++ b/net/sched/ematch.c
5598 +@@ -263,12 +263,12 @@ static int tcf_em_validate(struct tcf_proto *tp,
5599 + }
5600 + em->data = (unsigned long) v;
5601 + }
5602 ++ em->datalen = data_len;
5603 + }
5604 + }
5605 +
5606 + em->matchid = em_hdr->matchid;
5607 + em->flags = em_hdr->flags;
5608 +- em->datalen = data_len;
5609 + em->net = net;
5610 +
5611 + err = 0;
5612 +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
5613 +index a80920f261ca..41e9c2932b34 100644
5614 +--- a/net/tls/tls_sw.c
5615 ++++ b/net/tls/tls_sw.c
5616 +@@ -793,7 +793,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
5617 + psock = sk_psock_get(sk);
5618 + if (!psock || !policy) {
5619 + err = tls_push_record(sk, flags, record_type);
5620 +- if (err) {
5621 ++ if (err && err != -EINPROGRESS) {
5622 + *copied -= sk_msg_free(sk, msg);
5623 + tls_free_open_rec(sk);
5624 + }
5625 +@@ -819,7 +819,7 @@ more_data:
5626 + switch (psock->eval) {
5627 + case __SK_PASS:
5628 + err = tls_push_record(sk, flags, record_type);
5629 +- if (err < 0) {
5630 ++ if (err && err != -EINPROGRESS) {
5631 + *copied -= sk_msg_free(sk, msg);
5632 + tls_free_open_rec(sk);
5633 + goto out_err;
5634 +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
5635 +index 6aee9f5e8e71..256f3e97d1f3 100644
5636 +--- a/net/x25/af_x25.c
5637 ++++ b/net/x25/af_x25.c
5638 +@@ -760,6 +760,10 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr,
5639 + if (sk->sk_state == TCP_ESTABLISHED)
5640 + goto out;
5641 +
5642 ++ rc = -EALREADY; /* Do nothing if call is already in progress */
5643 ++ if (sk->sk_state == TCP_SYN_SENT)
5644 ++ goto out;
5645 ++
5646 + sk->sk_state = TCP_CLOSE;
5647 + sock->state = SS_UNCONNECTED;
5648 +
5649 +@@ -806,7 +810,7 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr,
5650 + /* Now the loop */
5651 + rc = -EINPROGRESS;
5652 + if (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))
5653 +- goto out_put_neigh;
5654 ++ goto out;
5655 +
5656 + rc = x25_wait_for_connection_establishment(sk);
5657 + if (rc)
5658 +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c
5659 +index 612268eabef4..7225107a9aaf 100644
5660 +--- a/scripts/recordmcount.c
5661 ++++ b/scripts/recordmcount.c
5662 +@@ -38,6 +38,10 @@
5663 + #define R_AARCH64_ABS64 257
5664 + #endif
5665 +
5666 ++#define R_ARM_PC24 1
5667 ++#define R_ARM_THM_CALL 10
5668 ++#define R_ARM_CALL 28
5669 ++
5670 + static int fd_map; /* File descriptor for file being modified. */
5671 + static int mmap_failed; /* Boolean flag. */
5672 + static char gpfx; /* prefix for global symbol name (sometimes '_') */
5673 +@@ -418,6 +422,18 @@ static char const *already_has_rel_mcount = "success"; /* our work here is done!
5674 + #define RECORD_MCOUNT_64
5675 + #include "recordmcount.h"
5676 +
5677 ++static int arm_is_fake_mcount(Elf32_Rel const *rp)
5678 ++{
5679 ++ switch (ELF32_R_TYPE(w(rp->r_info))) {
5680 ++ case R_ARM_THM_CALL:
5681 ++ case R_ARM_CALL:
5682 ++ case R_ARM_PC24:
5683 ++ return 0;
5684 ++ }
5685 ++
5686 ++ return 1;
5687 ++}
5688 ++
5689 + /* 64-bit EM_MIPS has weird ELF64_Rela.r_info.
5690 + * http://techpubs.sgi.com/library/manuals/4000/007-4658-001/pdf/007-4658-001.pdf
5691 + * We interpret Table 29 Relocation Operation (Elf64_Rel, Elf64_Rela) [p.40]
5692 +@@ -523,6 +539,7 @@ static int do_file(char const *const fname)
5693 + altmcount = "__gnu_mcount_nc";
5694 + make_nop = make_nop_arm;
5695 + rel_type_nop = R_ARM_NONE;
5696 ++ is_fake_mcount32 = arm_is_fake_mcount;
5697 + gpfx = 0;
5698 + break;
5699 + case EM_AARCH64:
Report Message
Find on MARC Find on Google Groups