Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.19 commit in: /
Date: Wed, 05 Dec 2018 20:16:33
Message-Id: 1544040952.5a7c485603ea79c3f41cc5db9f8206335fc9b819.mpagano@gentoo
1 commit: 5a7c485603ea79c3f41cc5db9f8206335fc9b819
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Dec 5 20:15:52 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Dec 5 20:15:52 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=5a7c4856
7
8 proj/linux-patches: Linuxpatch 4.19.7
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1006_linux-4.19.7.patch | 5500 +++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 5504 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index c4c0a77..e91fad4 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -67,6 +67,10 @@ Patch: 1005_linux-4.19.6.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.19.6
23
24 +Patch: 1006_linux-4.19.7.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.19.7
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1006_linux-4.19.7.patch b/1006_linux-4.19.7.patch
33 new file mode 100644
34 index 0000000..0840b0c
35 --- /dev/null
36 +++ b/1006_linux-4.19.7.patch
37 @@ -0,0 +1,5500 @@
38 +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
39 +index fa4eec22816d..0c404cda531a 100644
40 +--- a/Documentation/admin-guide/kernel-parameters.txt
41 ++++ b/Documentation/admin-guide/kernel-parameters.txt
42 +@@ -4169,9 +4169,13 @@
43 +
44 + spectre_v2= [X86] Control mitigation of Spectre variant 2
45 + (indirect branch speculation) vulnerability.
46 ++ The default operation protects the kernel from
47 ++ user space attacks.
48 +
49 +- on - unconditionally enable
50 +- off - unconditionally disable
51 ++ on - unconditionally enable, implies
52 ++ spectre_v2_user=on
53 ++ off - unconditionally disable, implies
54 ++ spectre_v2_user=off
55 + auto - kernel detects whether your CPU model is
56 + vulnerable
57 +
58 +@@ -4181,6 +4185,12 @@
59 + CONFIG_RETPOLINE configuration option, and the
60 + compiler with which the kernel was built.
61 +
62 ++ Selecting 'on' will also enable the mitigation
63 ++ against user space to user space task attacks.
64 ++
65 ++ Selecting 'off' will disable both the kernel and
66 ++ the user space protections.
67 ++
68 + Specific mitigations can also be selected manually:
69 +
70 + retpoline - replace indirect branches
71 +@@ -4190,6 +4200,48 @@
72 + Not specifying this option is equivalent to
73 + spectre_v2=auto.
74 +
75 ++ spectre_v2_user=
76 ++ [X86] Control mitigation of Spectre variant 2
77 ++ (indirect branch speculation) vulnerability between
78 ++ user space tasks
79 ++
80 ++ on - Unconditionally enable mitigations. Is
81 ++ enforced by spectre_v2=on
82 ++
83 ++ off - Unconditionally disable mitigations. Is
84 ++ enforced by spectre_v2=off
85 ++
86 ++ prctl - Indirect branch speculation is enabled,
87 ++ but mitigation can be enabled via prctl
88 ++ per thread. The mitigation control state
89 ++ is inherited on fork.
90 ++
91 ++ prctl,ibpb
92 ++ - Like "prctl" above, but only STIBP is
93 ++ controlled per thread. IBPB is issued
94 ++ always when switching between different user
95 ++ space processes.
96 ++
97 ++ seccomp
98 ++ - Same as "prctl" above, but all seccomp
99 ++ threads will enable the mitigation unless
100 ++ they explicitly opt out.
101 ++
102 ++ seccomp,ibpb
103 ++ - Like "seccomp" above, but only STIBP is
104 ++ controlled per thread. IBPB is issued
105 ++ always when switching between different
106 ++ user space processes.
107 ++
108 ++ auto - Kernel selects the mitigation depending on
109 ++ the available CPU features and vulnerability.
110 ++
111 ++ Default mitigation:
112 ++ If CONFIG_SECCOMP=y then "seccomp", otherwise "prctl"
113 ++
114 ++ Not specifying this option is equivalent to
115 ++ spectre_v2_user=auto.
116 ++
117 + spec_store_bypass_disable=
118 + [HW] Control Speculative Store Bypass (SSB) Disable mitigation
119 + (Speculative Store Bypass vulnerability)
120 +diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst
121 +index 32f3d55c54b7..c4dbe6f7cdae 100644
122 +--- a/Documentation/userspace-api/spec_ctrl.rst
123 ++++ b/Documentation/userspace-api/spec_ctrl.rst
124 +@@ -92,3 +92,12 @@ Speculation misfeature controls
125 + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
126 + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
127 + * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
128 ++
129 ++- PR_SPEC_INDIR_BRANCH: Indirect Branch Speculation in User Processes
130 ++ (Mitigate Spectre V2 style attacks against user processes)
131 ++
132 ++ Invocations:
133 ++ * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
134 ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_ENABLE, 0, 0);
135 ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0);
136 ++ * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0);
137 +diff --git a/Makefile b/Makefile
138 +index 20cbb8e84650..d2b4efcfb388 100644
139 +--- a/Makefile
140 ++++ b/Makefile
141 +@@ -1,7 +1,7 @@
142 + # SPDX-License-Identifier: GPL-2.0
143 + VERSION = 4
144 + PATCHLEVEL = 19
145 +-SUBLEVEL = 6
146 ++SUBLEVEL = 7
147 + EXTRAVERSION =
148 + NAME = "People's Front"
149 +
150 +diff --git a/arch/arm/boot/dts/rk3288-veyron.dtsi b/arch/arm/boot/dts/rk3288-veyron.dtsi
151 +index 2075120cfc4d..d8bf939a3aff 100644
152 +--- a/arch/arm/boot/dts/rk3288-veyron.dtsi
153 ++++ b/arch/arm/boot/dts/rk3288-veyron.dtsi
154 +@@ -10,7 +10,11 @@
155 + #include "rk3288.dtsi"
156 +
157 + / {
158 +- memory@0 {
159 ++ /*
160 ++ * The default coreboot on veyron devices ignores memory@0 nodes
161 ++ * and would instead create another memory node.
162 ++ */
163 ++ memory {
164 + device_type = "memory";
165 + reg = <0x0 0x0 0x0 0x80000000>;
166 + };
167 +diff --git a/arch/arm/kernel/ftrace.c b/arch/arm/kernel/ftrace.c
168 +index 5617932a83df..ee673c09aa6c 100644
169 +--- a/arch/arm/kernel/ftrace.c
170 ++++ b/arch/arm/kernel/ftrace.c
171 +@@ -227,9 +227,7 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr,
172 + unsigned long frame_pointer)
173 + {
174 + unsigned long return_hooker = (unsigned long) &return_to_handler;
175 +- struct ftrace_graph_ent trace;
176 + unsigned long old;
177 +- int err;
178 +
179 + if (unlikely(atomic_read(&current->tracing_graph_pause)))
180 + return;
181 +@@ -237,21 +235,8 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr,
182 + old = *parent;
183 + *parent = return_hooker;
184 +
185 +- trace.func = self_addr;
186 +- trace.depth = current->curr_ret_stack + 1;
187 +-
188 +- /* Only trace if the calling function expects to */
189 +- if (!ftrace_graph_entry(&trace)) {
190 ++ if (function_graph_enter(old, self_addr, frame_pointer, NULL))
191 + *parent = old;
192 +- return;
193 +- }
194 +-
195 +- err = ftrace_push_return_trace(old, self_addr, &trace.depth,
196 +- frame_pointer, NULL);
197 +- if (err == -EBUSY) {
198 +- *parent = old;
199 +- return;
200 +- }
201 + }
202 +
203 + #ifdef CONFIG_DYNAMIC_FTRACE
204 +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
205 +index e0d64f862322..8ce4a79d9360 100644
206 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
207 ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
208 +@@ -153,7 +153,7 @@
209 + };
210 +
211 + &pcie0 {
212 +- ep-gpios = <&gpio4 RK_PC6 GPIO_ACTIVE_LOW>;
213 ++ ep-gpios = <&gpio4 RK_PC6 GPIO_ACTIVE_HIGH>;
214 + num-lanes = <4>;
215 + pinctrl-names = "default";
216 + pinctrl-0 = <&pcie_clkreqn_cpm>;
217 +diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c
218 +index 50986e388d2b..57e962290df3 100644
219 +--- a/arch/arm64/kernel/ftrace.c
220 ++++ b/arch/arm64/kernel/ftrace.c
221 +@@ -216,8 +216,6 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr,
222 + {
223 + unsigned long return_hooker = (unsigned long)&return_to_handler;
224 + unsigned long old;
225 +- struct ftrace_graph_ent trace;
226 +- int err;
227 +
228 + if (unlikely(atomic_read(&current->tracing_graph_pause)))
229 + return;
230 +@@ -229,18 +227,7 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr,
231 + */
232 + old = *parent;
233 +
234 +- trace.func = self_addr;
235 +- trace.depth = current->curr_ret_stack + 1;
236 +-
237 +- /* Only trace if the calling function expects to */
238 +- if (!ftrace_graph_entry(&trace))
239 +- return;
240 +-
241 +- err = ftrace_push_return_trace(old, self_addr, &trace.depth,
242 +- frame_pointer, NULL);
243 +- if (err == -EBUSY)
244 +- return;
245 +- else
246 ++ if (!function_graph_enter(old, self_addr, frame_pointer, NULL))
247 + *parent = return_hooker;
248 + }
249 +
250 +diff --git a/arch/microblaze/kernel/ftrace.c b/arch/microblaze/kernel/ftrace.c
251 +index d57563c58a26..224eea40e1ee 100644
252 +--- a/arch/microblaze/kernel/ftrace.c
253 ++++ b/arch/microblaze/kernel/ftrace.c
254 +@@ -22,8 +22,7 @@
255 + void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr)
256 + {
257 + unsigned long old;
258 +- int faulted, err;
259 +- struct ftrace_graph_ent trace;
260 ++ int faulted;
261 + unsigned long return_hooker = (unsigned long)
262 + &return_to_handler;
263 +
264 +@@ -63,18 +62,8 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr)
265 + return;
266 + }
267 +
268 +- err = ftrace_push_return_trace(old, self_addr, &trace.depth, 0, NULL);
269 +- if (err == -EBUSY) {
270 ++ if (function_graph_enter(old, self_addr, 0, NULL))
271 + *parent = old;
272 +- return;
273 +- }
274 +-
275 +- trace.func = self_addr;
276 +- /* Only trace if the calling function expects to */
277 +- if (!ftrace_graph_entry(&trace)) {
278 +- current->curr_ret_stack--;
279 +- *parent = old;
280 +- }
281 + }
282 + #endif /* CONFIG_FUNCTION_GRAPH_TRACER */
283 +
284 +diff --git a/arch/mips/kernel/ftrace.c b/arch/mips/kernel/ftrace.c
285 +index 7f3dfdbc3657..b122cbb4aad1 100644
286 +--- a/arch/mips/kernel/ftrace.c
287 ++++ b/arch/mips/kernel/ftrace.c
288 +@@ -322,7 +322,6 @@ void prepare_ftrace_return(unsigned long *parent_ra_addr, unsigned long self_ra,
289 + unsigned long fp)
290 + {
291 + unsigned long old_parent_ra;
292 +- struct ftrace_graph_ent trace;
293 + unsigned long return_hooker = (unsigned long)
294 + &return_to_handler;
295 + int faulted, insns;
296 +@@ -369,12 +368,6 @@ void prepare_ftrace_return(unsigned long *parent_ra_addr, unsigned long self_ra,
297 + if (unlikely(faulted))
298 + goto out;
299 +
300 +- if (ftrace_push_return_trace(old_parent_ra, self_ra, &trace.depth, fp,
301 +- NULL) == -EBUSY) {
302 +- *parent_ra_addr = old_parent_ra;
303 +- return;
304 +- }
305 +-
306 + /*
307 + * Get the recorded ip of the current mcount calling site in the
308 + * __mcount_loc section, which will be used to filter the function
309 +@@ -382,13 +375,10 @@ void prepare_ftrace_return(unsigned long *parent_ra_addr, unsigned long self_ra,
310 + */
311 +
312 + insns = core_kernel_text(self_ra) ? 2 : MCOUNT_OFFSET_INSNS + 1;
313 +- trace.func = self_ra - (MCOUNT_INSN_SIZE * insns);
314 ++ self_ra -= (MCOUNT_INSN_SIZE * insns);
315 +
316 +- /* Only trace if the calling function expects to */
317 +- if (!ftrace_graph_entry(&trace)) {
318 +- current->curr_ret_stack--;
319 ++ if (function_graph_enter(old_parent_ra, self_ra, fp, NULL))
320 + *parent_ra_addr = old_parent_ra;
321 +- }
322 + return;
323 + out:
324 + ftrace_graph_stop();
325 +diff --git a/arch/nds32/kernel/ftrace.c b/arch/nds32/kernel/ftrace.c
326 +index a0a9679ad5de..8a41372551ff 100644
327 +--- a/arch/nds32/kernel/ftrace.c
328 ++++ b/arch/nds32/kernel/ftrace.c
329 +@@ -211,29 +211,15 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr,
330 + unsigned long frame_pointer)
331 + {
332 + unsigned long return_hooker = (unsigned long)&return_to_handler;
333 +- struct ftrace_graph_ent trace;
334 + unsigned long old;
335 +- int err;
336 +
337 + if (unlikely(atomic_read(&current->tracing_graph_pause)))
338 + return;
339 +
340 + old = *parent;
341 +
342 +- trace.func = self_addr;
343 +- trace.depth = current->curr_ret_stack + 1;
344 +-
345 +- /* Only trace if the calling function expects to */
346 +- if (!ftrace_graph_entry(&trace))
347 +- return;
348 +-
349 +- err = ftrace_push_return_trace(old, self_addr, &trace.depth,
350 +- frame_pointer, NULL);
351 +-
352 +- if (err == -EBUSY)
353 +- return;
354 +-
355 +- *parent = return_hooker;
356 ++ if (!function_graph_enter(old, self_addr, frame_pointer, NULL))
357 ++ *parent = return_hooker;
358 + }
359 +
360 + noinline void ftrace_graph_caller(void)
361 +diff --git a/arch/parisc/kernel/ftrace.c b/arch/parisc/kernel/ftrace.c
362 +index 6fa8535d3cce..e46a4157a894 100644
363 +--- a/arch/parisc/kernel/ftrace.c
364 ++++ b/arch/parisc/kernel/ftrace.c
365 +@@ -30,7 +30,6 @@ static void __hot prepare_ftrace_return(unsigned long *parent,
366 + unsigned long self_addr)
367 + {
368 + unsigned long old;
369 +- struct ftrace_graph_ent trace;
370 + extern int parisc_return_to_handler;
371 +
372 + if (unlikely(ftrace_graph_is_dead()))
373 +@@ -41,19 +40,9 @@ static void __hot prepare_ftrace_return(unsigned long *parent,
374 +
375 + old = *parent;
376 +
377 +- trace.func = self_addr;
378 +- trace.depth = current->curr_ret_stack + 1;
379 +-
380 +- /* Only trace if the calling function expects to */
381 +- if (!ftrace_graph_entry(&trace))
382 +- return;
383 +-
384 +- if (ftrace_push_return_trace(old, self_addr, &trace.depth,
385 +- 0, NULL) == -EBUSY)
386 +- return;
387 +-
388 +- /* activate parisc_return_to_handler() as return point */
389 +- *parent = (unsigned long) &parisc_return_to_handler;
390 ++ if (!function_graph_enter(old, self_addr, 0, NULL))
391 ++ /* activate parisc_return_to_handler() as return point */
392 ++ *parent = (unsigned long) &parisc_return_to_handler;
393 + }
394 + #endif /* CONFIG_FUNCTION_GRAPH_TRACER */
395 +
396 +diff --git a/arch/powerpc/kernel/trace/ftrace.c b/arch/powerpc/kernel/trace/ftrace.c
397 +index 4bfbb54dee51..19ef4f5866b6 100644
398 +--- a/arch/powerpc/kernel/trace/ftrace.c
399 ++++ b/arch/powerpc/kernel/trace/ftrace.c
400 +@@ -697,7 +697,6 @@ int ftrace_disable_ftrace_graph_caller(void)
401 + */
402 + unsigned long prepare_ftrace_return(unsigned long parent, unsigned long ip)
403 + {
404 +- struct ftrace_graph_ent trace;
405 + unsigned long return_hooker;
406 +
407 + if (unlikely(ftrace_graph_is_dead()))
408 +@@ -708,18 +707,8 @@ unsigned long prepare_ftrace_return(unsigned long parent, unsigned long ip)
409 +
410 + return_hooker = ppc_function_entry(return_to_handler);
411 +
412 +- trace.func = ip;
413 +- trace.depth = current->curr_ret_stack + 1;
414 +-
415 +- /* Only trace if the calling function expects to */
416 +- if (!ftrace_graph_entry(&trace))
417 +- goto out;
418 +-
419 +- if (ftrace_push_return_trace(parent, ip, &trace.depth, 0,
420 +- NULL) == -EBUSY)
421 +- goto out;
422 +-
423 +- parent = return_hooker;
424 ++ if (!function_graph_enter(parent, ip, 0, NULL))
425 ++ parent = return_hooker;
426 + out:
427 + return parent;
428 + }
429 +diff --git a/arch/riscv/kernel/ftrace.c b/arch/riscv/kernel/ftrace.c
430 +index 1157b6b52d25..c433f6d3dd64 100644
431 +--- a/arch/riscv/kernel/ftrace.c
432 ++++ b/arch/riscv/kernel/ftrace.c
433 +@@ -132,7 +132,6 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr,
434 + {
435 + unsigned long return_hooker = (unsigned long)&return_to_handler;
436 + unsigned long old;
437 +- struct ftrace_graph_ent trace;
438 + int err;
439 +
440 + if (unlikely(atomic_read(&current->tracing_graph_pause)))
441 +@@ -144,17 +143,8 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr,
442 + */
443 + old = *parent;
444 +
445 +- trace.func = self_addr;
446 +- trace.depth = current->curr_ret_stack + 1;
447 +-
448 +- if (!ftrace_graph_entry(&trace))
449 +- return;
450 +-
451 +- err = ftrace_push_return_trace(old, self_addr, &trace.depth,
452 +- frame_pointer, parent);
453 +- if (err == -EBUSY)
454 +- return;
455 +- *parent = return_hooker;
456 ++ if (function_graph_enter(old, self_addr, frame_pointer, parent))
457 ++ *parent = return_hooker;
458 + }
459 +
460 + #ifdef CONFIG_DYNAMIC_FTRACE
461 +diff --git a/arch/s390/kernel/ftrace.c b/arch/s390/kernel/ftrace.c
462 +index 84be7f02d0c2..39b13d71a8fe 100644
463 +--- a/arch/s390/kernel/ftrace.c
464 ++++ b/arch/s390/kernel/ftrace.c
465 +@@ -203,22 +203,13 @@ device_initcall(ftrace_plt_init);
466 + */
467 + unsigned long prepare_ftrace_return(unsigned long parent, unsigned long ip)
468 + {
469 +- struct ftrace_graph_ent trace;
470 +-
471 + if (unlikely(ftrace_graph_is_dead()))
472 + goto out;
473 + if (unlikely(atomic_read(&current->tracing_graph_pause)))
474 + goto out;
475 + ip -= MCOUNT_INSN_SIZE;
476 +- trace.func = ip;
477 +- trace.depth = current->curr_ret_stack + 1;
478 +- /* Only trace if the calling function expects to. */
479 +- if (!ftrace_graph_entry(&trace))
480 +- goto out;
481 +- if (ftrace_push_return_trace(parent, ip, &trace.depth, 0,
482 +- NULL) == -EBUSY)
483 +- goto out;
484 +- parent = (unsigned long) return_to_handler;
485 ++ if (!function_graph_enter(parent, ip, 0, NULL))
486 ++ parent = (unsigned long) return_to_handler;
487 + out:
488 + return parent;
489 + }
490 +diff --git a/arch/sh/kernel/ftrace.c b/arch/sh/kernel/ftrace.c
491 +index 96dd9f7da250..1b04270e5460 100644
492 +--- a/arch/sh/kernel/ftrace.c
493 ++++ b/arch/sh/kernel/ftrace.c
494 +@@ -321,8 +321,7 @@ int ftrace_disable_ftrace_graph_caller(void)
495 + void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr)
496 + {
497 + unsigned long old;
498 +- int faulted, err;
499 +- struct ftrace_graph_ent trace;
500 ++ int faulted;
501 + unsigned long return_hooker = (unsigned long)&return_to_handler;
502 +
503 + if (unlikely(ftrace_graph_is_dead()))
504 +@@ -365,18 +364,7 @@ void prepare_ftrace_return(unsigned long *parent, unsigned long self_addr)
505 + return;
506 + }
507 +
508 +- err = ftrace_push_return_trace(old, self_addr, &trace.depth, 0, NULL);
509 +- if (err == -EBUSY) {
510 ++ if (function_graph_enter(old, self_addr, 0, NULL))
511 + __raw_writel(old, parent);
512 +- return;
513 +- }
514 +-
515 +- trace.func = self_addr;
516 +-
517 +- /* Only trace if the calling function expects to */
518 +- if (!ftrace_graph_entry(&trace)) {
519 +- current->curr_ret_stack--;
520 +- __raw_writel(old, parent);
521 +- }
522 + }
523 + #endif /* CONFIG_FUNCTION_GRAPH_TRACER */
524 +diff --git a/arch/sparc/kernel/ftrace.c b/arch/sparc/kernel/ftrace.c
525 +index 915dda4ae412..684b84ce397f 100644
526 +--- a/arch/sparc/kernel/ftrace.c
527 ++++ b/arch/sparc/kernel/ftrace.c
528 +@@ -126,20 +126,11 @@ unsigned long prepare_ftrace_return(unsigned long parent,
529 + unsigned long frame_pointer)
530 + {
531 + unsigned long return_hooker = (unsigned long) &return_to_handler;
532 +- struct ftrace_graph_ent trace;
533 +
534 + if (unlikely(atomic_read(&current->tracing_graph_pause)))
535 + return parent + 8UL;
536 +
537 +- trace.func = self_addr;
538 +- trace.depth = current->curr_ret_stack + 1;
539 +-
540 +- /* Only trace if the calling function expects to */
541 +- if (!ftrace_graph_entry(&trace))
542 +- return parent + 8UL;
543 +-
544 +- if (ftrace_push_return_trace(parent, self_addr, &trace.depth,
545 +- frame_pointer, NULL) == -EBUSY)
546 ++ if (function_graph_enter(parent, self_addr, frame_pointer, NULL))
547 + return parent + 8UL;
548 +
549 + return return_hooker;
550 +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
551 +index 1a0be022f91d..44c6a82b7ce5 100644
552 +--- a/arch/x86/Kconfig
553 ++++ b/arch/x86/Kconfig
554 +@@ -441,10 +441,6 @@ config RETPOLINE
555 + branches. Requires a compiler with -mindirect-branch=thunk-extern
556 + support for full protection. The kernel may run slower.
557 +
558 +- Without compiler support, at least indirect branches in assembler
559 +- code are eliminated. Since this includes the syscall entry path,
560 +- it is not entirely pointless.
561 +-
562 + config INTEL_RDT
563 + bool "Intel Resource Director Technology support"
564 + default n
565 +@@ -1005,13 +1001,7 @@ config NR_CPUS
566 + to the kernel image.
567 +
568 + config SCHED_SMT
569 +- bool "SMT (Hyperthreading) scheduler support"
570 +- depends on SMP
571 +- ---help---
572 +- SMT scheduler support improves the CPU scheduler's decision making
573 +- when dealing with Intel Pentium 4 chips with HyperThreading at a
574 +- cost of slightly increased overhead in some places. If unsure say
575 +- N here.
576 ++ def_bool y if SMP
577 +
578 + config SCHED_MC
579 + def_bool y
580 +diff --git a/arch/x86/Makefile b/arch/x86/Makefile
581 +index 8f6e7eb8ae9f..9298f0f3817a 100644
582 +--- a/arch/x86/Makefile
583 ++++ b/arch/x86/Makefile
584 +@@ -223,9 +223,10 @@ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables
585 +
586 + # Avoid indirect branches in kernel to deal with Spectre
587 + ifdef CONFIG_RETPOLINE
588 +-ifneq ($(RETPOLINE_CFLAGS),)
589 +- KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
590 ++ifeq ($(RETPOLINE_CFLAGS),)
591 ++ $(error You are building kernel with non-retpoline compiler, please update your compiler.)
592 + endif
593 ++ KBUILD_CFLAGS += $(RETPOLINE_CFLAGS)
594 + endif
595 +
596 + archscripts: scripts_basic
597 +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
598 +index dfb2f7c0d019..c8d08da5b308 100644
599 +--- a/arch/x86/events/core.c
600 ++++ b/arch/x86/events/core.c
601 +@@ -438,26 +438,6 @@ int x86_setup_perfctr(struct perf_event *event)
602 + if (config == -1LL)
603 + return -EINVAL;
604 +
605 +- /*
606 +- * Branch tracing:
607 +- */
608 +- if (attr->config == PERF_COUNT_HW_BRANCH_INSTRUCTIONS &&
609 +- !attr->freq && hwc->sample_period == 1) {
610 +- /* BTS is not supported by this architecture. */
611 +- if (!x86_pmu.bts_active)
612 +- return -EOPNOTSUPP;
613 +-
614 +- /* BTS is currently only allowed for user-mode. */
615 +- if (!attr->exclude_kernel)
616 +- return -EOPNOTSUPP;
617 +-
618 +- /* disallow bts if conflicting events are present */
619 +- if (x86_add_exclusive(x86_lbr_exclusive_lbr))
620 +- return -EBUSY;
621 +-
622 +- event->destroy = hw_perf_lbr_event_destroy;
623 +- }
624 +-
625 + hwc->config |= config;
626 +
627 + return 0;
628 +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
629 +index 035c37481f57..155fa4b53c56 100644
630 +--- a/arch/x86/events/intel/core.c
631 ++++ b/arch/x86/events/intel/core.c
632 +@@ -2358,16 +2358,7 @@ done:
633 + static struct event_constraint *
634 + intel_bts_constraints(struct perf_event *event)
635 + {
636 +- struct hw_perf_event *hwc = &event->hw;
637 +- unsigned int hw_event, bts_event;
638 +-
639 +- if (event->attr.freq)
640 +- return NULL;
641 +-
642 +- hw_event = hwc->config & INTEL_ARCH_EVENT_MASK;
643 +- bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
644 +-
645 +- if (unlikely(hw_event == bts_event && hwc->sample_period == 1))
646 ++ if (unlikely(intel_pmu_has_bts(event)))
647 + return &bts_constraint;
648 +
649 + return NULL;
650 +@@ -2986,10 +2977,51 @@ static unsigned long intel_pmu_large_pebs_flags(struct perf_event *event)
651 + return flags;
652 + }
653 +
654 ++static int intel_pmu_bts_config(struct perf_event *event)
655 ++{
656 ++ struct perf_event_attr *attr = &event->attr;
657 ++
658 ++ if (unlikely(intel_pmu_has_bts(event))) {
659 ++ /* BTS is not supported by this architecture. */
660 ++ if (!x86_pmu.bts_active)
661 ++ return -EOPNOTSUPP;
662 ++
663 ++ /* BTS is currently only allowed for user-mode. */
664 ++ if (!attr->exclude_kernel)
665 ++ return -EOPNOTSUPP;
666 ++
667 ++ /* BTS is not allowed for precise events. */
668 ++ if (attr->precise_ip)
669 ++ return -EOPNOTSUPP;
670 ++
671 ++ /* disallow bts if conflicting events are present */
672 ++ if (x86_add_exclusive(x86_lbr_exclusive_lbr))
673 ++ return -EBUSY;
674 ++
675 ++ event->destroy = hw_perf_lbr_event_destroy;
676 ++ }
677 ++
678 ++ return 0;
679 ++}
680 ++
681 ++static int core_pmu_hw_config(struct perf_event *event)
682 ++{
683 ++ int ret = x86_pmu_hw_config(event);
684 ++
685 ++ if (ret)
686 ++ return ret;
687 ++
688 ++ return intel_pmu_bts_config(event);
689 ++}
690 ++
691 + static int intel_pmu_hw_config(struct perf_event *event)
692 + {
693 + int ret = x86_pmu_hw_config(event);
694 +
695 ++ if (ret)
696 ++ return ret;
697 ++
698 ++ ret = intel_pmu_bts_config(event);
699 + if (ret)
700 + return ret;
701 +
702 +@@ -3015,7 +3047,7 @@ static int intel_pmu_hw_config(struct perf_event *event)
703 + /*
704 + * BTS is set up earlier in this path, so don't account twice
705 + */
706 +- if (!intel_pmu_has_bts(event)) {
707 ++ if (!unlikely(intel_pmu_has_bts(event))) {
708 + /* disallow lbr if conflicting events are present */
709 + if (x86_add_exclusive(x86_lbr_exclusive_lbr))
710 + return -EBUSY;
711 +@@ -3478,7 +3510,7 @@ static __initconst const struct x86_pmu core_pmu = {
712 + .enable_all = core_pmu_enable_all,
713 + .enable = core_pmu_enable_event,
714 + .disable = x86_pmu_disable_event,
715 +- .hw_config = x86_pmu_hw_config,
716 ++ .hw_config = core_pmu_hw_config,
717 + .schedule_events = x86_schedule_events,
718 + .eventsel = MSR_ARCH_PERFMON_EVENTSEL0,
719 + .perfctr = MSR_ARCH_PERFMON_PERFCTR0,
720 +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
721 +index 156286335351..c5ad9cc61f4b 100644
722 +--- a/arch/x86/events/perf_event.h
723 ++++ b/arch/x86/events/perf_event.h
724 +@@ -857,11 +857,16 @@ static inline int amd_pmu_init(void)
725 +
726 + static inline bool intel_pmu_has_bts(struct perf_event *event)
727 + {
728 +- if (event->attr.config == PERF_COUNT_HW_BRANCH_INSTRUCTIONS &&
729 +- !event->attr.freq && event->hw.sample_period == 1)
730 +- return true;
731 ++ struct hw_perf_event *hwc = &event->hw;
732 ++ unsigned int hw_event, bts_event;
733 ++
734 ++ if (event->attr.freq)
735 ++ return false;
736 ++
737 ++ hw_event = hwc->config & INTEL_ARCH_EVENT_MASK;
738 ++ bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS);
739 +
740 +- return false;
741 ++ return hw_event == bts_event && hwc->sample_period == 1;
742 + }
743 +
744 + int intel_pmu_save_and_restart(struct perf_event *event);
745 +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
746 +index 1c09a0d1771f..022845ee0c88 100644
747 +--- a/arch/x86/include/asm/kvm_host.h
748 ++++ b/arch/x86/include/asm/kvm_host.h
749 +@@ -1046,7 +1046,8 @@ struct kvm_x86_ops {
750 + bool (*has_wbinvd_exit)(void);
751 +
752 + u64 (*read_l1_tsc_offset)(struct kvm_vcpu *vcpu);
753 +- void (*write_tsc_offset)(struct kvm_vcpu *vcpu, u64 offset);
754 ++ /* Returns actual tsc_offset set in active VMCS */
755 ++ u64 (*write_l1_tsc_offset)(struct kvm_vcpu *vcpu, u64 offset);
756 +
757 + void (*get_exit_info)(struct kvm_vcpu *vcpu, u64 *info1, u64 *info2);
758 +
759 +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
760 +index 4731f0cf97c5..b3486c8b570a 100644
761 +--- a/arch/x86/include/asm/msr-index.h
762 ++++ b/arch/x86/include/asm/msr-index.h
763 +@@ -41,9 +41,10 @@
764 +
765 + #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
766 + #define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */
767 +-#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */
768 ++#define SPEC_CTRL_STIBP_SHIFT 1 /* Single Thread Indirect Branch Predictor (STIBP) bit */
769 ++#define SPEC_CTRL_STIBP (1 << SPEC_CTRL_STIBP_SHIFT) /* STIBP mask */
770 + #define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */
771 +-#define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */
772 ++#define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */
773 +
774 + #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
775 + #define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */
776 +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
777 +index fd2a8c1b88bc..032b6009baab 100644
778 +--- a/arch/x86/include/asm/nospec-branch.h
779 ++++ b/arch/x86/include/asm/nospec-branch.h
780 +@@ -3,6 +3,8 @@
781 + #ifndef _ASM_X86_NOSPEC_BRANCH_H_
782 + #define _ASM_X86_NOSPEC_BRANCH_H_
783 +
784 ++#include <linux/static_key.h>
785 ++
786 + #include <asm/alternative.h>
787 + #include <asm/alternative-asm.h>
788 + #include <asm/cpufeatures.h>
789 +@@ -162,29 +164,35 @@
790 + _ASM_PTR " 999b\n\t" \
791 + ".popsection\n\t"
792 +
793 +-#if defined(CONFIG_X86_64) && defined(RETPOLINE)
794 ++#ifdef CONFIG_RETPOLINE
795 ++#ifdef CONFIG_X86_64
796 +
797 + /*
798 +- * Since the inline asm uses the %V modifier which is only in newer GCC,
799 +- * the 64-bit one is dependent on RETPOLINE not CONFIG_RETPOLINE.
800 ++ * Inline asm uses the %V modifier which is only in newer GCC
801 ++ * which is ensured when CONFIG_RETPOLINE is defined.
802 + */
803 + # define CALL_NOSPEC \
804 + ANNOTATE_NOSPEC_ALTERNATIVE \
805 +- ALTERNATIVE( \
806 ++ ALTERNATIVE_2( \
807 + ANNOTATE_RETPOLINE_SAFE \
808 + "call *%[thunk_target]\n", \
809 + "call __x86_indirect_thunk_%V[thunk_target]\n", \
810 +- X86_FEATURE_RETPOLINE)
811 ++ X86_FEATURE_RETPOLINE, \
812 ++ "lfence;\n" \
813 ++ ANNOTATE_RETPOLINE_SAFE \
814 ++ "call *%[thunk_target]\n", \
815 ++ X86_FEATURE_RETPOLINE_AMD)
816 + # define THUNK_TARGET(addr) [thunk_target] "r" (addr)
817 +
818 +-#elif defined(CONFIG_X86_32) && defined(CONFIG_RETPOLINE)
819 ++#else /* CONFIG_X86_32 */
820 + /*
821 + * For i386 we use the original ret-equivalent retpoline, because
822 + * otherwise we'll run out of registers. We don't care about CET
823 + * here, anyway.
824 + */
825 + # define CALL_NOSPEC \
826 +- ALTERNATIVE( \
827 ++ ANNOTATE_NOSPEC_ALTERNATIVE \
828 ++ ALTERNATIVE_2( \
829 + ANNOTATE_RETPOLINE_SAFE \
830 + "call *%[thunk_target]\n", \
831 + " jmp 904f;\n" \
832 +@@ -199,9 +207,14 @@
833 + " ret;\n" \
834 + " .align 16\n" \
835 + "904: call 901b;\n", \
836 +- X86_FEATURE_RETPOLINE)
837 ++ X86_FEATURE_RETPOLINE, \
838 ++ "lfence;\n" \
839 ++ ANNOTATE_RETPOLINE_SAFE \
840 ++ "call *%[thunk_target]\n", \
841 ++ X86_FEATURE_RETPOLINE_AMD)
842 +
843 + # define THUNK_TARGET(addr) [thunk_target] "rm" (addr)
844 ++#endif
845 + #else /* No retpoline for C / inline asm */
846 + # define CALL_NOSPEC "call *%[thunk_target]\n"
847 + # define THUNK_TARGET(addr) [thunk_target] "rm" (addr)
848 +@@ -210,13 +223,19 @@
849 + /* The Spectre V2 mitigation variants */
850 + enum spectre_v2_mitigation {
851 + SPECTRE_V2_NONE,
852 +- SPECTRE_V2_RETPOLINE_MINIMAL,
853 +- SPECTRE_V2_RETPOLINE_MINIMAL_AMD,
854 + SPECTRE_V2_RETPOLINE_GENERIC,
855 + SPECTRE_V2_RETPOLINE_AMD,
856 + SPECTRE_V2_IBRS_ENHANCED,
857 + };
858 +
859 ++/* The indirect branch speculation control variants */
860 ++enum spectre_v2_user_mitigation {
861 ++ SPECTRE_V2_USER_NONE,
862 ++ SPECTRE_V2_USER_STRICT,
863 ++ SPECTRE_V2_USER_PRCTL,
864 ++ SPECTRE_V2_USER_SECCOMP,
865 ++};
866 ++
867 + /* The Speculative Store Bypass disable variants */
868 + enum ssb_mitigation {
869 + SPEC_STORE_BYPASS_NONE,
870 +@@ -294,6 +313,10 @@ do { \
871 + preempt_enable(); \
872 + } while (0)
873 +
874 ++DECLARE_STATIC_KEY_FALSE(switch_to_cond_stibp);
875 ++DECLARE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
876 ++DECLARE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
877 ++
878 + #endif /* __ASSEMBLY__ */
879 +
880 + /*
881 +diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
882 +index ae7c2c5cd7f0..5393babc0598 100644
883 +--- a/arch/x86/include/asm/spec-ctrl.h
884 ++++ b/arch/x86/include/asm/spec-ctrl.h
885 +@@ -53,12 +53,24 @@ static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
886 + return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
887 + }
888 +
889 ++static inline u64 stibp_tif_to_spec_ctrl(u64 tifn)
890 ++{
891 ++ BUILD_BUG_ON(TIF_SPEC_IB < SPEC_CTRL_STIBP_SHIFT);
892 ++ return (tifn & _TIF_SPEC_IB) >> (TIF_SPEC_IB - SPEC_CTRL_STIBP_SHIFT);
893 ++}
894 ++
895 + static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl)
896 + {
897 + BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
898 + return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
899 + }
900 +
901 ++static inline unsigned long stibp_spec_ctrl_to_tif(u64 spec_ctrl)
902 ++{
903 ++ BUILD_BUG_ON(TIF_SPEC_IB < SPEC_CTRL_STIBP_SHIFT);
904 ++ return (spec_ctrl & SPEC_CTRL_STIBP) << (TIF_SPEC_IB - SPEC_CTRL_STIBP_SHIFT);
905 ++}
906 ++
907 + static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
908 + {
909 + return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
910 +@@ -70,11 +82,7 @@ extern void speculative_store_bypass_ht_init(void);
911 + static inline void speculative_store_bypass_ht_init(void) { }
912 + #endif
913 +
914 +-extern void speculative_store_bypass_update(unsigned long tif);
915 +-
916 +-static inline void speculative_store_bypass_update_current(void)
917 +-{
918 +- speculative_store_bypass_update(current_thread_info()->flags);
919 +-}
920 ++extern void speculation_ctrl_update(unsigned long tif);
921 ++extern void speculation_ctrl_update_current(void);
922 +
923 + #endif
924 +diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h
925 +index 36bd243843d6..7cf1a270d891 100644
926 +--- a/arch/x86/include/asm/switch_to.h
927 ++++ b/arch/x86/include/asm/switch_to.h
928 +@@ -11,9 +11,6 @@ struct task_struct *__switch_to_asm(struct task_struct *prev,
929 +
930 + __visible struct task_struct *__switch_to(struct task_struct *prev,
931 + struct task_struct *next);
932 +-struct tss_struct;
933 +-void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
934 +- struct tss_struct *tss);
935 +
936 + /* This runs runs on the previous thread's stack. */
937 + static inline void prepare_switch_to(struct task_struct *next)
938 +diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
939 +index 2ff2a30a264f..82b73b75d67c 100644
940 +--- a/arch/x86/include/asm/thread_info.h
941 ++++ b/arch/x86/include/asm/thread_info.h
942 +@@ -79,10 +79,12 @@ struct thread_info {
943 + #define TIF_SIGPENDING 2 /* signal pending */
944 + #define TIF_NEED_RESCHED 3 /* rescheduling necessary */
945 + #define TIF_SINGLESTEP 4 /* reenable singlestep on user return*/
946 +-#define TIF_SSBD 5 /* Reduced data speculation */
947 ++#define TIF_SSBD 5 /* Speculative store bypass disable */
948 + #define TIF_SYSCALL_EMU 6 /* syscall emulation active */
949 + #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */
950 + #define TIF_SECCOMP 8 /* secure computing */
951 ++#define TIF_SPEC_IB 9 /* Indirect branch speculation mitigation */
952 ++#define TIF_SPEC_FORCE_UPDATE 10 /* Force speculation MSR update in context switch */
953 + #define TIF_USER_RETURN_NOTIFY 11 /* notify kernel of userspace return */
954 + #define TIF_UPROBE 12 /* breakpointed or singlestepping */
955 + #define TIF_PATCH_PENDING 13 /* pending live patching update */
956 +@@ -110,6 +112,8 @@ struct thread_info {
957 + #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU)
958 + #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
959 + #define _TIF_SECCOMP (1 << TIF_SECCOMP)
960 ++#define _TIF_SPEC_IB (1 << TIF_SPEC_IB)
961 ++#define _TIF_SPEC_FORCE_UPDATE (1 << TIF_SPEC_FORCE_UPDATE)
962 + #define _TIF_USER_RETURN_NOTIFY (1 << TIF_USER_RETURN_NOTIFY)
963 + #define _TIF_UPROBE (1 << TIF_UPROBE)
964 + #define _TIF_PATCH_PENDING (1 << TIF_PATCH_PENDING)
965 +@@ -145,8 +149,18 @@ struct thread_info {
966 + _TIF_FSCHECK)
967 +
968 + /* flags to check in __switch_to() */
969 +-#define _TIF_WORK_CTXSW \
970 +- (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD)
971 ++#define _TIF_WORK_CTXSW_BASE \
972 ++ (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP| \
973 ++ _TIF_SSBD | _TIF_SPEC_FORCE_UPDATE)
974 ++
975 ++/*
976 ++ * Avoid calls to __switch_to_xtra() on UP as STIBP is not evaluated.
977 ++ */
978 ++#ifdef CONFIG_SMP
979 ++# define _TIF_WORK_CTXSW (_TIF_WORK_CTXSW_BASE | _TIF_SPEC_IB)
980 ++#else
981 ++# define _TIF_WORK_CTXSW (_TIF_WORK_CTXSW_BASE)
982 ++#endif
983 +
984 + #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
985 + #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW)
986 +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
987 +index 0e2130d8d6b1..79ec7add5f98 100644
988 +--- a/arch/x86/include/asm/tlbflush.h
989 ++++ b/arch/x86/include/asm/tlbflush.h
990 +@@ -185,10 +185,14 @@ struct tlb_state {
991 +
992 + #define LOADED_MM_SWITCHING ((struct mm_struct *)1)
993 +
994 ++ /* Last user mm for optimizing IBPB */
995 ++ union {
996 ++ struct mm_struct *last_user_mm;
997 ++ unsigned long last_user_mm_ibpb;
998 ++ };
999 ++
1000 + u16 loaded_mm_asid;
1001 + u16 next_asid;
1002 +- /* last user mm's ctx id */
1003 +- u64 last_ctx_id;
1004 +
1005 + /*
1006 + * We can be in one of several states:
1007 +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
1008 +index 40bdaea97fe7..78928f56cf72 100644
1009 +--- a/arch/x86/kernel/cpu/bugs.c
1010 ++++ b/arch/x86/kernel/cpu/bugs.c
1011 +@@ -14,6 +14,7 @@
1012 + #include <linux/module.h>
1013 + #include <linux/nospec.h>
1014 + #include <linux/prctl.h>
1015 ++#include <linux/sched/smt.h>
1016 +
1017 + #include <asm/spec-ctrl.h>
1018 + #include <asm/cmdline.h>
1019 +@@ -35,12 +36,10 @@ static void __init spectre_v2_select_mitigation(void);
1020 + static void __init ssb_select_mitigation(void);
1021 + static void __init l1tf_select_mitigation(void);
1022 +
1023 +-/*
1024 +- * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
1025 +- * writes to SPEC_CTRL contain whatever reserved bits have been set.
1026 +- */
1027 +-u64 __ro_after_init x86_spec_ctrl_base;
1028 ++/* The base value of the SPEC_CTRL MSR that always has to be preserved. */
1029 ++u64 x86_spec_ctrl_base;
1030 + EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
1031 ++static DEFINE_MUTEX(spec_ctrl_mutex);
1032 +
1033 + /*
1034 + * The vendor and possibly platform specific bits which can be modified in
1035 +@@ -55,6 +54,13 @@ static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
1036 + u64 __ro_after_init x86_amd_ls_cfg_base;
1037 + u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
1038 +
1039 ++/* Control conditional STIPB in switch_to() */
1040 ++DEFINE_STATIC_KEY_FALSE(switch_to_cond_stibp);
1041 ++/* Control conditional IBPB in switch_mm() */
1042 ++DEFINE_STATIC_KEY_FALSE(switch_mm_cond_ibpb);
1043 ++/* Control unconditional IBPB in switch_mm() */
1044 ++DEFINE_STATIC_KEY_FALSE(switch_mm_always_ibpb);
1045 ++
1046 + void __init check_bugs(void)
1047 + {
1048 + identify_boot_cpu();
1049 +@@ -125,31 +131,6 @@ void __init check_bugs(void)
1050 + #endif
1051 + }
1052 +
1053 +-/* The kernel command line selection */
1054 +-enum spectre_v2_mitigation_cmd {
1055 +- SPECTRE_V2_CMD_NONE,
1056 +- SPECTRE_V2_CMD_AUTO,
1057 +- SPECTRE_V2_CMD_FORCE,
1058 +- SPECTRE_V2_CMD_RETPOLINE,
1059 +- SPECTRE_V2_CMD_RETPOLINE_GENERIC,
1060 +- SPECTRE_V2_CMD_RETPOLINE_AMD,
1061 +-};
1062 +-
1063 +-static const char *spectre_v2_strings[] = {
1064 +- [SPECTRE_V2_NONE] = "Vulnerable",
1065 +- [SPECTRE_V2_RETPOLINE_MINIMAL] = "Vulnerable: Minimal generic ASM retpoline",
1066 +- [SPECTRE_V2_RETPOLINE_MINIMAL_AMD] = "Vulnerable: Minimal AMD ASM retpoline",
1067 +- [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
1068 +- [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
1069 +- [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
1070 +-};
1071 +-
1072 +-#undef pr_fmt
1073 +-#define pr_fmt(fmt) "Spectre V2 : " fmt
1074 +-
1075 +-static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
1076 +- SPECTRE_V2_NONE;
1077 +-
1078 + void
1079 + x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
1080 + {
1081 +@@ -171,6 +152,10 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
1082 + static_cpu_has(X86_FEATURE_AMD_SSBD))
1083 + hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
1084 +
1085 ++ /* Conditional STIBP enabled? */
1086 ++ if (static_branch_unlikely(&switch_to_cond_stibp))
1087 ++ hostval |= stibp_tif_to_spec_ctrl(ti->flags);
1088 ++
1089 + if (hostval != guestval) {
1090 + msrval = setguest ? guestval : hostval;
1091 + wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
1092 +@@ -204,7 +189,7 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
1093 + tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
1094 + ssbd_spec_ctrl_to_tif(hostval);
1095 +
1096 +- speculative_store_bypass_update(tif);
1097 ++ speculation_ctrl_update(tif);
1098 + }
1099 + }
1100 + EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
1101 +@@ -219,6 +204,15 @@ static void x86_amd_ssb_disable(void)
1102 + wrmsrl(MSR_AMD64_LS_CFG, msrval);
1103 + }
1104 +
1105 ++#undef pr_fmt
1106 ++#define pr_fmt(fmt) "Spectre V2 : " fmt
1107 ++
1108 ++static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
1109 ++ SPECTRE_V2_NONE;
1110 ++
1111 ++static enum spectre_v2_user_mitigation spectre_v2_user __ro_after_init =
1112 ++ SPECTRE_V2_USER_NONE;
1113 ++
1114 + #ifdef RETPOLINE
1115 + static bool spectre_v2_bad_module;
1116 +
1117 +@@ -240,67 +234,217 @@ static inline const char *spectre_v2_module_string(void)
1118 + static inline const char *spectre_v2_module_string(void) { return ""; }
1119 + #endif
1120 +
1121 +-static void __init spec2_print_if_insecure(const char *reason)
1122 ++static inline bool match_option(const char *arg, int arglen, const char *opt)
1123 + {
1124 +- if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
1125 +- pr_info("%s selected on command line.\n", reason);
1126 ++ int len = strlen(opt);
1127 ++
1128 ++ return len == arglen && !strncmp(arg, opt, len);
1129 + }
1130 +
1131 +-static void __init spec2_print_if_secure(const char *reason)
1132 ++/* The kernel command line selection for spectre v2 */
1133 ++enum spectre_v2_mitigation_cmd {
1134 ++ SPECTRE_V2_CMD_NONE,
1135 ++ SPECTRE_V2_CMD_AUTO,
1136 ++ SPECTRE_V2_CMD_FORCE,
1137 ++ SPECTRE_V2_CMD_RETPOLINE,
1138 ++ SPECTRE_V2_CMD_RETPOLINE_GENERIC,
1139 ++ SPECTRE_V2_CMD_RETPOLINE_AMD,
1140 ++};
1141 ++
1142 ++enum spectre_v2_user_cmd {
1143 ++ SPECTRE_V2_USER_CMD_NONE,
1144 ++ SPECTRE_V2_USER_CMD_AUTO,
1145 ++ SPECTRE_V2_USER_CMD_FORCE,
1146 ++ SPECTRE_V2_USER_CMD_PRCTL,
1147 ++ SPECTRE_V2_USER_CMD_PRCTL_IBPB,
1148 ++ SPECTRE_V2_USER_CMD_SECCOMP,
1149 ++ SPECTRE_V2_USER_CMD_SECCOMP_IBPB,
1150 ++};
1151 ++
1152 ++static const char * const spectre_v2_user_strings[] = {
1153 ++ [SPECTRE_V2_USER_NONE] = "User space: Vulnerable",
1154 ++ [SPECTRE_V2_USER_STRICT] = "User space: Mitigation: STIBP protection",
1155 ++ [SPECTRE_V2_USER_PRCTL] = "User space: Mitigation: STIBP via prctl",
1156 ++ [SPECTRE_V2_USER_SECCOMP] = "User space: Mitigation: STIBP via seccomp and prctl",
1157 ++};
1158 ++
1159 ++static const struct {
1160 ++ const char *option;
1161 ++ enum spectre_v2_user_cmd cmd;
1162 ++ bool secure;
1163 ++} v2_user_options[] __initdata = {
1164 ++ { "auto", SPECTRE_V2_USER_CMD_AUTO, false },
1165 ++ { "off", SPECTRE_V2_USER_CMD_NONE, false },
1166 ++ { "on", SPECTRE_V2_USER_CMD_FORCE, true },
1167 ++ { "prctl", SPECTRE_V2_USER_CMD_PRCTL, false },
1168 ++ { "prctl,ibpb", SPECTRE_V2_USER_CMD_PRCTL_IBPB, false },
1169 ++ { "seccomp", SPECTRE_V2_USER_CMD_SECCOMP, false },
1170 ++ { "seccomp,ibpb", SPECTRE_V2_USER_CMD_SECCOMP_IBPB, false },
1171 ++};
1172 ++
1173 ++static void __init spec_v2_user_print_cond(const char *reason, bool secure)
1174 + {
1175 +- if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
1176 +- pr_info("%s selected on command line.\n", reason);
1177 ++ if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1178 ++ pr_info("spectre_v2_user=%s forced on command line.\n", reason);
1179 + }
1180 +
1181 +-static inline bool retp_compiler(void)
1182 ++static enum spectre_v2_user_cmd __init
1183 ++spectre_v2_parse_user_cmdline(enum spectre_v2_mitigation_cmd v2_cmd)
1184 + {
1185 +- return __is_defined(RETPOLINE);
1186 ++ char arg[20];
1187 ++ int ret, i;
1188 ++
1189 ++ switch (v2_cmd) {
1190 ++ case SPECTRE_V2_CMD_NONE:
1191 ++ return SPECTRE_V2_USER_CMD_NONE;
1192 ++ case SPECTRE_V2_CMD_FORCE:
1193 ++ return SPECTRE_V2_USER_CMD_FORCE;
1194 ++ default:
1195 ++ break;
1196 ++ }
1197 ++
1198 ++ ret = cmdline_find_option(boot_command_line, "spectre_v2_user",
1199 ++ arg, sizeof(arg));
1200 ++ if (ret < 0)
1201 ++ return SPECTRE_V2_USER_CMD_AUTO;
1202 ++
1203 ++ for (i = 0; i < ARRAY_SIZE(v2_user_options); i++) {
1204 ++ if (match_option(arg, ret, v2_user_options[i].option)) {
1205 ++ spec_v2_user_print_cond(v2_user_options[i].option,
1206 ++ v2_user_options[i].secure);
1207 ++ return v2_user_options[i].cmd;
1208 ++ }
1209 ++ }
1210 ++
1211 ++ pr_err("Unknown user space protection option (%s). Switching to AUTO select\n", arg);
1212 ++ return SPECTRE_V2_USER_CMD_AUTO;
1213 + }
1214 +
1215 +-static inline bool match_option(const char *arg, int arglen, const char *opt)
1216 ++static void __init
1217 ++spectre_v2_user_select_mitigation(enum spectre_v2_mitigation_cmd v2_cmd)
1218 + {
1219 +- int len = strlen(opt);
1220 ++ enum spectre_v2_user_mitigation mode = SPECTRE_V2_USER_NONE;
1221 ++ bool smt_possible = IS_ENABLED(CONFIG_SMP);
1222 ++ enum spectre_v2_user_cmd cmd;
1223 +
1224 +- return len == arglen && !strncmp(arg, opt, len);
1225 ++ if (!boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_STIBP))
1226 ++ return;
1227 ++
1228 ++ if (cpu_smt_control == CPU_SMT_FORCE_DISABLED ||
1229 ++ cpu_smt_control == CPU_SMT_NOT_SUPPORTED)
1230 ++ smt_possible = false;
1231 ++
1232 ++ cmd = spectre_v2_parse_user_cmdline(v2_cmd);
1233 ++ switch (cmd) {
1234 ++ case SPECTRE_V2_USER_CMD_NONE:
1235 ++ goto set_mode;
1236 ++ case SPECTRE_V2_USER_CMD_FORCE:
1237 ++ mode = SPECTRE_V2_USER_STRICT;
1238 ++ break;
1239 ++ case SPECTRE_V2_USER_CMD_PRCTL:
1240 ++ case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1241 ++ mode = SPECTRE_V2_USER_PRCTL;
1242 ++ break;
1243 ++ case SPECTRE_V2_USER_CMD_AUTO:
1244 ++ case SPECTRE_V2_USER_CMD_SECCOMP:
1245 ++ case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1246 ++ if (IS_ENABLED(CONFIG_SECCOMP))
1247 ++ mode = SPECTRE_V2_USER_SECCOMP;
1248 ++ else
1249 ++ mode = SPECTRE_V2_USER_PRCTL;
1250 ++ break;
1251 ++ }
1252 ++
1253 ++ /* Initialize Indirect Branch Prediction Barrier */
1254 ++ if (boot_cpu_has(X86_FEATURE_IBPB)) {
1255 ++ setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
1256 ++
1257 ++ switch (cmd) {
1258 ++ case SPECTRE_V2_USER_CMD_FORCE:
1259 ++ case SPECTRE_V2_USER_CMD_PRCTL_IBPB:
1260 ++ case SPECTRE_V2_USER_CMD_SECCOMP_IBPB:
1261 ++ static_branch_enable(&switch_mm_always_ibpb);
1262 ++ break;
1263 ++ case SPECTRE_V2_USER_CMD_PRCTL:
1264 ++ case SPECTRE_V2_USER_CMD_AUTO:
1265 ++ case SPECTRE_V2_USER_CMD_SECCOMP:
1266 ++ static_branch_enable(&switch_mm_cond_ibpb);
1267 ++ break;
1268 ++ default:
1269 ++ break;
1270 ++ }
1271 ++
1272 ++ pr_info("mitigation: Enabling %s Indirect Branch Prediction Barrier\n",
1273 ++ static_key_enabled(&switch_mm_always_ibpb) ?
1274 ++ "always-on" : "conditional");
1275 ++ }
1276 ++
1277 ++ /* If enhanced IBRS is enabled no STIPB required */
1278 ++ if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
1279 ++ return;
1280 ++
1281 ++ /*
1282 ++ * If SMT is not possible or STIBP is not available clear the STIPB
1283 ++ * mode.
1284 ++ */
1285 ++ if (!smt_possible || !boot_cpu_has(X86_FEATURE_STIBP))
1286 ++ mode = SPECTRE_V2_USER_NONE;
1287 ++set_mode:
1288 ++ spectre_v2_user = mode;
1289 ++ /* Only print the STIBP mode when SMT possible */
1290 ++ if (smt_possible)
1291 ++ pr_info("%s\n", spectre_v2_user_strings[mode]);
1292 + }
1293 +
1294 ++static const char * const spectre_v2_strings[] = {
1295 ++ [SPECTRE_V2_NONE] = "Vulnerable",
1296 ++ [SPECTRE_V2_RETPOLINE_GENERIC] = "Mitigation: Full generic retpoline",
1297 ++ [SPECTRE_V2_RETPOLINE_AMD] = "Mitigation: Full AMD retpoline",
1298 ++ [SPECTRE_V2_IBRS_ENHANCED] = "Mitigation: Enhanced IBRS",
1299 ++};
1300 ++
1301 + static const struct {
1302 + const char *option;
1303 + enum spectre_v2_mitigation_cmd cmd;
1304 + bool secure;
1305 +-} mitigation_options[] = {
1306 +- { "off", SPECTRE_V2_CMD_NONE, false },
1307 +- { "on", SPECTRE_V2_CMD_FORCE, true },
1308 +- { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
1309 +- { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false },
1310 +- { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
1311 +- { "auto", SPECTRE_V2_CMD_AUTO, false },
1312 ++} mitigation_options[] __initdata = {
1313 ++ { "off", SPECTRE_V2_CMD_NONE, false },
1314 ++ { "on", SPECTRE_V2_CMD_FORCE, true },
1315 ++ { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false },
1316 ++ { "retpoline,amd", SPECTRE_V2_CMD_RETPOLINE_AMD, false },
1317 ++ { "retpoline,generic", SPECTRE_V2_CMD_RETPOLINE_GENERIC, false },
1318 ++ { "auto", SPECTRE_V2_CMD_AUTO, false },
1319 + };
1320 +
1321 ++static void __init spec_v2_print_cond(const char *reason, bool secure)
1322 ++{
1323 ++ if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2) != secure)
1324 ++ pr_info("%s selected on command line.\n", reason);
1325 ++}
1326 ++
1327 + static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
1328 + {
1329 ++ enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
1330 + char arg[20];
1331 + int ret, i;
1332 +- enum spectre_v2_mitigation_cmd cmd = SPECTRE_V2_CMD_AUTO;
1333 +
1334 + if (cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
1335 + return SPECTRE_V2_CMD_NONE;
1336 +- else {
1337 +- ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
1338 +- if (ret < 0)
1339 +- return SPECTRE_V2_CMD_AUTO;
1340 +
1341 +- for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
1342 +- if (!match_option(arg, ret, mitigation_options[i].option))
1343 +- continue;
1344 +- cmd = mitigation_options[i].cmd;
1345 +- break;
1346 +- }
1347 ++ ret = cmdline_find_option(boot_command_line, "spectre_v2", arg, sizeof(arg));
1348 ++ if (ret < 0)
1349 ++ return SPECTRE_V2_CMD_AUTO;
1350 +
1351 +- if (i >= ARRAY_SIZE(mitigation_options)) {
1352 +- pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1353 +- return SPECTRE_V2_CMD_AUTO;
1354 +- }
1355 ++ for (i = 0; i < ARRAY_SIZE(mitigation_options); i++) {
1356 ++ if (!match_option(arg, ret, mitigation_options[i].option))
1357 ++ continue;
1358 ++ cmd = mitigation_options[i].cmd;
1359 ++ break;
1360 ++ }
1361 ++
1362 ++ if (i >= ARRAY_SIZE(mitigation_options)) {
1363 ++ pr_err("unknown option (%s). Switching to AUTO select\n", arg);
1364 ++ return SPECTRE_V2_CMD_AUTO;
1365 + }
1366 +
1367 + if ((cmd == SPECTRE_V2_CMD_RETPOLINE ||
1368 +@@ -317,11 +461,8 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
1369 + return SPECTRE_V2_CMD_AUTO;
1370 + }
1371 +
1372 +- if (mitigation_options[i].secure)
1373 +- spec2_print_if_secure(mitigation_options[i].option);
1374 +- else
1375 +- spec2_print_if_insecure(mitigation_options[i].option);
1376 +-
1377 ++ spec_v2_print_cond(mitigation_options[i].option,
1378 ++ mitigation_options[i].secure);
1379 + return cmd;
1380 + }
1381 +
1382 +@@ -377,14 +518,12 @@ retpoline_auto:
1383 + pr_err("Spectre mitigation: LFENCE not serializing, switching to generic retpoline\n");
1384 + goto retpoline_generic;
1385 + }
1386 +- mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD :
1387 +- SPECTRE_V2_RETPOLINE_MINIMAL_AMD;
1388 ++ mode = SPECTRE_V2_RETPOLINE_AMD;
1389 + setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD);
1390 + setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
1391 + } else {
1392 + retpoline_generic:
1393 +- mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_GENERIC :
1394 +- SPECTRE_V2_RETPOLINE_MINIMAL;
1395 ++ mode = SPECTRE_V2_RETPOLINE_GENERIC;
1396 + setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
1397 + }
1398 +
1399 +@@ -403,12 +542,6 @@ specv2_set_mode:
1400 + setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
1401 + pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
1402 +
1403 +- /* Initialize Indirect Branch Prediction Barrier if supported */
1404 +- if (boot_cpu_has(X86_FEATURE_IBPB)) {
1405 +- setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
1406 +- pr_info("Spectre v2 mitigation: Enabling Indirect Branch Prediction Barrier\n");
1407 +- }
1408 +-
1409 + /*
1410 + * Retpoline means the kernel is safe because it has no indirect
1411 + * branches. Enhanced IBRS protects firmware too, so, enable restricted
1412 +@@ -424,6 +557,66 @@ specv2_set_mode:
1413 + setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
1414 + pr_info("Enabling Restricted Speculation for firmware calls\n");
1415 + }
1416 ++
1417 ++ /* Set up IBPB and STIBP depending on the general spectre V2 command */
1418 ++ spectre_v2_user_select_mitigation(cmd);
1419 ++
1420 ++ /* Enable STIBP if appropriate */
1421 ++ arch_smt_update();
1422 ++}
1423 ++
1424 ++static void update_stibp_msr(void * __unused)
1425 ++{
1426 ++ wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
1427 ++}
1428 ++
1429 ++/* Update x86_spec_ctrl_base in case SMT state changed. */
1430 ++static void update_stibp_strict(void)
1431 ++{
1432 ++ u64 mask = x86_spec_ctrl_base & ~SPEC_CTRL_STIBP;
1433 ++
1434 ++ if (sched_smt_active())
1435 ++ mask |= SPEC_CTRL_STIBP;
1436 ++
1437 ++ if (mask == x86_spec_ctrl_base)
1438 ++ return;
1439 ++
1440 ++ pr_info("Update user space SMT mitigation: STIBP %s\n",
1441 ++ mask & SPEC_CTRL_STIBP ? "always-on" : "off");
1442 ++ x86_spec_ctrl_base = mask;
1443 ++ on_each_cpu(update_stibp_msr, NULL, 1);
1444 ++}
1445 ++
1446 ++/* Update the static key controlling the evaluation of TIF_SPEC_IB */
1447 ++static void update_indir_branch_cond(void)
1448 ++{
1449 ++ if (sched_smt_active())
1450 ++ static_branch_enable(&switch_to_cond_stibp);
1451 ++ else
1452 ++ static_branch_disable(&switch_to_cond_stibp);
1453 ++}
1454 ++
1455 ++void arch_smt_update(void)
1456 ++{
1457 ++ /* Enhanced IBRS implies STIBP. No update required. */
1458 ++ if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
1459 ++ return;
1460 ++
1461 ++ mutex_lock(&spec_ctrl_mutex);
1462 ++
1463 ++ switch (spectre_v2_user) {
1464 ++ case SPECTRE_V2_USER_NONE:
1465 ++ break;
1466 ++ case SPECTRE_V2_USER_STRICT:
1467 ++ update_stibp_strict();
1468 ++ break;
1469 ++ case SPECTRE_V2_USER_PRCTL:
1470 ++ case SPECTRE_V2_USER_SECCOMP:
1471 ++ update_indir_branch_cond();
1472 ++ break;
1473 ++ }
1474 ++
1475 ++ mutex_unlock(&spec_ctrl_mutex);
1476 + }
1477 +
1478 + #undef pr_fmt
1479 +@@ -440,7 +633,7 @@ enum ssb_mitigation_cmd {
1480 + SPEC_STORE_BYPASS_CMD_SECCOMP,
1481 + };
1482 +
1483 +-static const char *ssb_strings[] = {
1484 ++static const char * const ssb_strings[] = {
1485 + [SPEC_STORE_BYPASS_NONE] = "Vulnerable",
1486 + [SPEC_STORE_BYPASS_DISABLE] = "Mitigation: Speculative Store Bypass disabled",
1487 + [SPEC_STORE_BYPASS_PRCTL] = "Mitigation: Speculative Store Bypass disabled via prctl",
1488 +@@ -450,7 +643,7 @@ static const char *ssb_strings[] = {
1489 + static const struct {
1490 + const char *option;
1491 + enum ssb_mitigation_cmd cmd;
1492 +-} ssb_mitigation_options[] = {
1493 ++} ssb_mitigation_options[] __initdata = {
1494 + { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */
1495 + { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */
1496 + { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */
1497 +@@ -561,10 +754,25 @@ static void ssb_select_mitigation(void)
1498 + #undef pr_fmt
1499 + #define pr_fmt(fmt) "Speculation prctl: " fmt
1500 +
1501 +-static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
1502 ++static void task_update_spec_tif(struct task_struct *tsk)
1503 + {
1504 +- bool update;
1505 ++ /* Force the update of the real TIF bits */
1506 ++ set_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE);
1507 +
1508 ++ /*
1509 ++ * Immediately update the speculation control MSRs for the current
1510 ++ * task, but for a non-current task delay setting the CPU
1511 ++ * mitigation until it is scheduled next.
1512 ++ *
1513 ++ * This can only happen for SECCOMP mitigation. For PRCTL it's
1514 ++ * always the current task.
1515 ++ */
1516 ++ if (tsk == current)
1517 ++ speculation_ctrl_update_current();
1518 ++}
1519 ++
1520 ++static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
1521 ++{
1522 + if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
1523 + ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
1524 + return -ENXIO;
1525 +@@ -575,28 +783,56 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
1526 + if (task_spec_ssb_force_disable(task))
1527 + return -EPERM;
1528 + task_clear_spec_ssb_disable(task);
1529 +- update = test_and_clear_tsk_thread_flag(task, TIF_SSBD);
1530 ++ task_update_spec_tif(task);
1531 + break;
1532 + case PR_SPEC_DISABLE:
1533 + task_set_spec_ssb_disable(task);
1534 +- update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
1535 ++ task_update_spec_tif(task);
1536 + break;
1537 + case PR_SPEC_FORCE_DISABLE:
1538 + task_set_spec_ssb_disable(task);
1539 + task_set_spec_ssb_force_disable(task);
1540 +- update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
1541 ++ task_update_spec_tif(task);
1542 + break;
1543 + default:
1544 + return -ERANGE;
1545 + }
1546 ++ return 0;
1547 ++}
1548 +
1549 +- /*
1550 +- * If being set on non-current task, delay setting the CPU
1551 +- * mitigation until it is next scheduled.
1552 +- */
1553 +- if (task == current && update)
1554 +- speculative_store_bypass_update_current();
1555 +-
1556 ++static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
1557 ++{
1558 ++ switch (ctrl) {
1559 ++ case PR_SPEC_ENABLE:
1560 ++ if (spectre_v2_user == SPECTRE_V2_USER_NONE)
1561 ++ return 0;
1562 ++ /*
1563 ++ * Indirect branch speculation is always disabled in strict
1564 ++ * mode.
1565 ++ */
1566 ++ if (spectre_v2_user == SPECTRE_V2_USER_STRICT)
1567 ++ return -EPERM;
1568 ++ task_clear_spec_ib_disable(task);
1569 ++ task_update_spec_tif(task);
1570 ++ break;
1571 ++ case PR_SPEC_DISABLE:
1572 ++ case PR_SPEC_FORCE_DISABLE:
1573 ++ /*
1574 ++ * Indirect branch speculation is always allowed when
1575 ++ * mitigation is force disabled.
1576 ++ */
1577 ++ if (spectre_v2_user == SPECTRE_V2_USER_NONE)
1578 ++ return -EPERM;
1579 ++ if (spectre_v2_user == SPECTRE_V2_USER_STRICT)
1580 ++ return 0;
1581 ++ task_set_spec_ib_disable(task);
1582 ++ if (ctrl == PR_SPEC_FORCE_DISABLE)
1583 ++ task_set_spec_ib_force_disable(task);
1584 ++ task_update_spec_tif(task);
1585 ++ break;
1586 ++ default:
1587 ++ return -ERANGE;
1588 ++ }
1589 + return 0;
1590 + }
1591 +
1592 +@@ -606,6 +842,8 @@ int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
1593 + switch (which) {
1594 + case PR_SPEC_STORE_BYPASS:
1595 + return ssb_prctl_set(task, ctrl);
1596 ++ case PR_SPEC_INDIRECT_BRANCH:
1597 ++ return ib_prctl_set(task, ctrl);
1598 + default:
1599 + return -ENODEV;
1600 + }
1601 +@@ -616,6 +854,8 @@ void arch_seccomp_spec_mitigate(struct task_struct *task)
1602 + {
1603 + if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
1604 + ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1605 ++ if (spectre_v2_user == SPECTRE_V2_USER_SECCOMP)
1606 ++ ib_prctl_set(task, PR_SPEC_FORCE_DISABLE);
1607 + }
1608 + #endif
1609 +
1610 +@@ -638,11 +878,35 @@ static int ssb_prctl_get(struct task_struct *task)
1611 + }
1612 + }
1613 +
1614 ++static int ib_prctl_get(struct task_struct *task)
1615 ++{
1616 ++ if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
1617 ++ return PR_SPEC_NOT_AFFECTED;
1618 ++
1619 ++ switch (spectre_v2_user) {
1620 ++ case SPECTRE_V2_USER_NONE:
1621 ++ return PR_SPEC_ENABLE;
1622 ++ case SPECTRE_V2_USER_PRCTL:
1623 ++ case SPECTRE_V2_USER_SECCOMP:
1624 ++ if (task_spec_ib_force_disable(task))
1625 ++ return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
1626 ++ if (task_spec_ib_disable(task))
1627 ++ return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
1628 ++ return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
1629 ++ case SPECTRE_V2_USER_STRICT:
1630 ++ return PR_SPEC_DISABLE;
1631 ++ default:
1632 ++ return PR_SPEC_NOT_AFFECTED;
1633 ++ }
1634 ++}
1635 ++
1636 + int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
1637 + {
1638 + switch (which) {
1639 + case PR_SPEC_STORE_BYPASS:
1640 + return ssb_prctl_get(task);
1641 ++ case PR_SPEC_INDIRECT_BRANCH:
1642 ++ return ib_prctl_get(task);
1643 + default:
1644 + return -ENODEV;
1645 + }
1646 +@@ -780,7 +1044,7 @@ early_param("l1tf", l1tf_cmdline);
1647 + #define L1TF_DEFAULT_MSG "Mitigation: PTE Inversion"
1648 +
1649 + #if IS_ENABLED(CONFIG_KVM_INTEL)
1650 +-static const char *l1tf_vmx_states[] = {
1651 ++static const char * const l1tf_vmx_states[] = {
1652 + [VMENTER_L1D_FLUSH_AUTO] = "auto",
1653 + [VMENTER_L1D_FLUSH_NEVER] = "vulnerable",
1654 + [VMENTER_L1D_FLUSH_COND] = "conditional cache flushes",
1655 +@@ -796,13 +1060,14 @@ static ssize_t l1tf_show_state(char *buf)
1656 +
1657 + if (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_EPT_DISABLED ||
1658 + (l1tf_vmx_mitigation == VMENTER_L1D_FLUSH_NEVER &&
1659 +- cpu_smt_control == CPU_SMT_ENABLED))
1660 ++ sched_smt_active())) {
1661 + return sprintf(buf, "%s; VMX: %s\n", L1TF_DEFAULT_MSG,
1662 + l1tf_vmx_states[l1tf_vmx_mitigation]);
1663 ++ }
1664 +
1665 + return sprintf(buf, "%s; VMX: %s, SMT %s\n", L1TF_DEFAULT_MSG,
1666 + l1tf_vmx_states[l1tf_vmx_mitigation],
1667 +- cpu_smt_control == CPU_SMT_ENABLED ? "vulnerable" : "disabled");
1668 ++ sched_smt_active() ? "vulnerable" : "disabled");
1669 + }
1670 + #else
1671 + static ssize_t l1tf_show_state(char *buf)
1672 +@@ -811,6 +1076,36 @@ static ssize_t l1tf_show_state(char *buf)
1673 + }
1674 + #endif
1675 +
1676 ++static char *stibp_state(void)
1677 ++{
1678 ++ if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED)
1679 ++ return "";
1680 ++
1681 ++ switch (spectre_v2_user) {
1682 ++ case SPECTRE_V2_USER_NONE:
1683 ++ return ", STIBP: disabled";
1684 ++ case SPECTRE_V2_USER_STRICT:
1685 ++ return ", STIBP: forced";
1686 ++ case SPECTRE_V2_USER_PRCTL:
1687 ++ case SPECTRE_V2_USER_SECCOMP:
1688 ++ if (static_key_enabled(&switch_to_cond_stibp))
1689 ++ return ", STIBP: conditional";
1690 ++ }
1691 ++ return "";
1692 ++}
1693 ++
1694 ++static char *ibpb_state(void)
1695 ++{
1696 ++ if (boot_cpu_has(X86_FEATURE_IBPB)) {
1697 ++ if (static_key_enabled(&switch_mm_always_ibpb))
1698 ++ return ", IBPB: always-on";
1699 ++ if (static_key_enabled(&switch_mm_cond_ibpb))
1700 ++ return ", IBPB: conditional";
1701 ++ return ", IBPB: disabled";
1702 ++ }
1703 ++ return "";
1704 ++}
1705 ++
1706 + static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
1707 + char *buf, unsigned int bug)
1708 + {
1709 +@@ -831,9 +1126,11 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
1710 + return sprintf(buf, "Mitigation: __user pointer sanitization\n");
1711 +
1712 + case X86_BUG_SPECTRE_V2:
1713 +- return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
1714 +- boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
1715 ++ return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
1716 ++ ibpb_state(),
1717 + boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
1718 ++ stibp_state(),
1719 ++ boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
1720 + spectre_v2_module_string());
1721 +
1722 + case X86_BUG_SPEC_STORE_BYPASS:
1723 +diff --git a/arch/x86/kernel/cpu/mcheck/mce_amd.c b/arch/x86/kernel/cpu/mcheck/mce_amd.c
1724 +index dd33c357548f..e12454e21b8a 100644
1725 +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
1726 ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
1727 +@@ -56,7 +56,7 @@
1728 + /* Threshold LVT offset is at MSR0xC0000410[15:12] */
1729 + #define SMCA_THR_LVT_OFF 0xF000
1730 +
1731 +-static bool thresholding_en;
1732 ++static bool thresholding_irq_en;
1733 +
1734 + static const char * const th_names[] = {
1735 + "load_store",
1736 +@@ -534,9 +534,8 @@ prepare_threshold_block(unsigned int bank, unsigned int block, u32 addr,
1737 +
1738 + set_offset:
1739 + offset = setup_APIC_mce_threshold(offset, new);
1740 +-
1741 +- if ((offset == new) && (mce_threshold_vector != amd_threshold_interrupt))
1742 +- mce_threshold_vector = amd_threshold_interrupt;
1743 ++ if (offset == new)
1744 ++ thresholding_irq_en = true;
1745 +
1746 + done:
1747 + mce_threshold_block_init(&b, offset);
1748 +@@ -1357,9 +1356,6 @@ int mce_threshold_remove_device(unsigned int cpu)
1749 + {
1750 + unsigned int bank;
1751 +
1752 +- if (!thresholding_en)
1753 +- return 0;
1754 +-
1755 + for (bank = 0; bank < mca_cfg.banks; ++bank) {
1756 + if (!(per_cpu(bank_map, cpu) & (1 << bank)))
1757 + continue;
1758 +@@ -1377,9 +1373,6 @@ int mce_threshold_create_device(unsigned int cpu)
1759 + struct threshold_bank **bp;
1760 + int err = 0;
1761 +
1762 +- if (!thresholding_en)
1763 +- return 0;
1764 +-
1765 + bp = per_cpu(threshold_banks, cpu);
1766 + if (bp)
1767 + return 0;
1768 +@@ -1408,9 +1401,6 @@ static __init int threshold_init_device(void)
1769 + {
1770 + unsigned lcpu = 0;
1771 +
1772 +- if (mce_threshold_vector == amd_threshold_interrupt)
1773 +- thresholding_en = true;
1774 +-
1775 + /* to hit CPUs online before the notifier is up */
1776 + for_each_online_cpu(lcpu) {
1777 + int err = mce_threshold_create_device(lcpu);
1778 +@@ -1419,6 +1409,9 @@ static __init int threshold_init_device(void)
1779 + return err;
1780 + }
1781 +
1782 ++ if (thresholding_irq_en)
1783 ++ mce_threshold_vector = amd_threshold_interrupt;
1784 ++
1785 + return 0;
1786 + }
1787 + /*
1788 +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
1789 +index 61a949d84dfa..d99a8ee9e185 100644
1790 +--- a/arch/x86/kernel/fpu/signal.c
1791 ++++ b/arch/x86/kernel/fpu/signal.c
1792 +@@ -344,10 +344,10 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
1793 + sanitize_restored_xstate(tsk, &env, xfeatures, fx_only);
1794 + }
1795 +
1796 ++ local_bh_disable();
1797 + fpu->initialized = 1;
1798 +- preempt_disable();
1799 + fpu__restore(fpu);
1800 +- preempt_enable();
1801 ++ local_bh_enable();
1802 +
1803 + return err;
1804 + } else {
1805 +diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
1806 +index 01ebcb6f263e..7ee8067cbf45 100644
1807 +--- a/arch/x86/kernel/ftrace.c
1808 ++++ b/arch/x86/kernel/ftrace.c
1809 +@@ -994,7 +994,6 @@ void prepare_ftrace_return(unsigned long self_addr, unsigned long *parent,
1810 + {
1811 + unsigned long old;
1812 + int faulted;
1813 +- struct ftrace_graph_ent trace;
1814 + unsigned long return_hooker = (unsigned long)
1815 + &return_to_handler;
1816 +
1817 +@@ -1046,19 +1045,7 @@ void prepare_ftrace_return(unsigned long self_addr, unsigned long *parent,
1818 + return;
1819 + }
1820 +
1821 +- trace.func = self_addr;
1822 +- trace.depth = current->curr_ret_stack + 1;
1823 +-
1824 +- /* Only trace if the calling function expects to */
1825 +- if (!ftrace_graph_entry(&trace)) {
1826 ++ if (function_graph_enter(old, self_addr, frame_pointer, parent))
1827 + *parent = old;
1828 +- return;
1829 +- }
1830 +-
1831 +- if (ftrace_push_return_trace(old, self_addr, &trace.depth,
1832 +- frame_pointer, parent) == -EBUSY) {
1833 +- *parent = old;
1834 +- return;
1835 +- }
1836 + }
1837 + #endif /* CONFIG_FUNCTION_GRAPH_TRACER */
1838 +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
1839 +index c93fcfdf1673..7d31192296a8 100644
1840 +--- a/arch/x86/kernel/process.c
1841 ++++ b/arch/x86/kernel/process.c
1842 +@@ -40,6 +40,8 @@
1843 + #include <asm/prctl.h>
1844 + #include <asm/spec-ctrl.h>
1845 +
1846 ++#include "process.h"
1847 ++
1848 + /*
1849 + * per-CPU TSS segments. Threads are completely 'soft' on Linux,
1850 + * no more per-task TSS's. The TSS size is kept cacheline-aligned
1851 +@@ -252,11 +254,12 @@ void arch_setup_new_exec(void)
1852 + enable_cpuid();
1853 + }
1854 +
1855 +-static inline void switch_to_bitmap(struct tss_struct *tss,
1856 +- struct thread_struct *prev,
1857 ++static inline void switch_to_bitmap(struct thread_struct *prev,
1858 + struct thread_struct *next,
1859 + unsigned long tifp, unsigned long tifn)
1860 + {
1861 ++ struct tss_struct *tss = this_cpu_ptr(&cpu_tss_rw);
1862 ++
1863 + if (tifn & _TIF_IO_BITMAP) {
1864 + /*
1865 + * Copy the relevant range of the IO bitmap.
1866 +@@ -395,32 +398,85 @@ static __always_inline void amd_set_ssb_virt_state(unsigned long tifn)
1867 + wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn));
1868 + }
1869 +
1870 +-static __always_inline void intel_set_ssb_state(unsigned long tifn)
1871 ++/*
1872 ++ * Update the MSRs managing speculation control, during context switch.
1873 ++ *
1874 ++ * tifp: Previous task's thread flags
1875 ++ * tifn: Next task's thread flags
1876 ++ */
1877 ++static __always_inline void __speculation_ctrl_update(unsigned long tifp,
1878 ++ unsigned long tifn)
1879 + {
1880 +- u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
1881 ++ unsigned long tif_diff = tifp ^ tifn;
1882 ++ u64 msr = x86_spec_ctrl_base;
1883 ++ bool updmsr = false;
1884 ++
1885 ++ /*
1886 ++ * If TIF_SSBD is different, select the proper mitigation
1887 ++ * method. Note that if SSBD mitigation is disabled or permanentely
1888 ++ * enabled this branch can't be taken because nothing can set
1889 ++ * TIF_SSBD.
1890 ++ */
1891 ++ if (tif_diff & _TIF_SSBD) {
1892 ++ if (static_cpu_has(X86_FEATURE_VIRT_SSBD)) {
1893 ++ amd_set_ssb_virt_state(tifn);
1894 ++ } else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD)) {
1895 ++ amd_set_core_ssb_state(tifn);
1896 ++ } else if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) ||
1897 ++ static_cpu_has(X86_FEATURE_AMD_SSBD)) {
1898 ++ msr |= ssbd_tif_to_spec_ctrl(tifn);
1899 ++ updmsr = true;
1900 ++ }
1901 ++ }
1902 ++
1903 ++ /*
1904 ++ * Only evaluate TIF_SPEC_IB if conditional STIBP is enabled,
1905 ++ * otherwise avoid the MSR write.
1906 ++ */
1907 ++ if (IS_ENABLED(CONFIG_SMP) &&
1908 ++ static_branch_unlikely(&switch_to_cond_stibp)) {
1909 ++ updmsr |= !!(tif_diff & _TIF_SPEC_IB);
1910 ++ msr |= stibp_tif_to_spec_ctrl(tifn);
1911 ++ }
1912 +
1913 +- wrmsrl(MSR_IA32_SPEC_CTRL, msr);
1914 ++ if (updmsr)
1915 ++ wrmsrl(MSR_IA32_SPEC_CTRL, msr);
1916 + }
1917 +
1918 +-static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
1919 ++static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk)
1920 + {
1921 +- if (static_cpu_has(X86_FEATURE_VIRT_SSBD))
1922 +- amd_set_ssb_virt_state(tifn);
1923 +- else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
1924 +- amd_set_core_ssb_state(tifn);
1925 +- else
1926 +- intel_set_ssb_state(tifn);
1927 ++ if (test_and_clear_tsk_thread_flag(tsk, TIF_SPEC_FORCE_UPDATE)) {
1928 ++ if (task_spec_ssb_disable(tsk))
1929 ++ set_tsk_thread_flag(tsk, TIF_SSBD);
1930 ++ else
1931 ++ clear_tsk_thread_flag(tsk, TIF_SSBD);
1932 ++
1933 ++ if (task_spec_ib_disable(tsk))
1934 ++ set_tsk_thread_flag(tsk, TIF_SPEC_IB);
1935 ++ else
1936 ++ clear_tsk_thread_flag(tsk, TIF_SPEC_IB);
1937 ++ }
1938 ++ /* Return the updated threadinfo flags*/
1939 ++ return task_thread_info(tsk)->flags;
1940 + }
1941 +
1942 +-void speculative_store_bypass_update(unsigned long tif)
1943 ++void speculation_ctrl_update(unsigned long tif)
1944 + {
1945 ++ /* Forced update. Make sure all relevant TIF flags are different */
1946 + preempt_disable();
1947 +- __speculative_store_bypass_update(tif);
1948 ++ __speculation_ctrl_update(~tif, tif);
1949 + preempt_enable();
1950 + }
1951 +
1952 +-void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
1953 +- struct tss_struct *tss)
1954 ++/* Called from seccomp/prctl update */
1955 ++void speculation_ctrl_update_current(void)
1956 ++{
1957 ++ preempt_disable();
1958 ++ speculation_ctrl_update(speculation_ctrl_update_tif(current));
1959 ++ preempt_enable();
1960 ++}
1961 ++
1962 ++void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p)
1963 + {
1964 + struct thread_struct *prev, *next;
1965 + unsigned long tifp, tifn;
1966 +@@ -430,7 +486,7 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
1967 +
1968 + tifn = READ_ONCE(task_thread_info(next_p)->flags);
1969 + tifp = READ_ONCE(task_thread_info(prev_p)->flags);
1970 +- switch_to_bitmap(tss, prev, next, tifp, tifn);
1971 ++ switch_to_bitmap(prev, next, tifp, tifn);
1972 +
1973 + propagate_user_return_notify(prev_p, next_p);
1974 +
1975 +@@ -451,8 +507,15 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
1976 + if ((tifp ^ tifn) & _TIF_NOCPUID)
1977 + set_cpuid_faulting(!!(tifn & _TIF_NOCPUID));
1978 +
1979 +- if ((tifp ^ tifn) & _TIF_SSBD)
1980 +- __speculative_store_bypass_update(tifn);
1981 ++ if (likely(!((tifp | tifn) & _TIF_SPEC_FORCE_UPDATE))) {
1982 ++ __speculation_ctrl_update(tifp, tifn);
1983 ++ } else {
1984 ++ speculation_ctrl_update_tif(prev_p);
1985 ++ tifn = speculation_ctrl_update_tif(next_p);
1986 ++
1987 ++ /* Enforce MSR update to ensure consistent state */
1988 ++ __speculation_ctrl_update(~tifn, tifn);
1989 ++ }
1990 + }
1991 +
1992 + /*
1993 +diff --git a/arch/x86/kernel/process.h b/arch/x86/kernel/process.h
1994 +new file mode 100644
1995 +index 000000000000..898e97cf6629
1996 +--- /dev/null
1997 ++++ b/arch/x86/kernel/process.h
1998 +@@ -0,0 +1,39 @@
1999 ++// SPDX-License-Identifier: GPL-2.0
2000 ++//
2001 ++// Code shared between 32 and 64 bit
2002 ++
2003 ++#include <asm/spec-ctrl.h>
2004 ++
2005 ++void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p);
2006 ++
2007 ++/*
2008 ++ * This needs to be inline to optimize for the common case where no extra
2009 ++ * work needs to be done.
2010 ++ */
2011 ++static inline void switch_to_extra(struct task_struct *prev,
2012 ++ struct task_struct *next)
2013 ++{
2014 ++ unsigned long next_tif = task_thread_info(next)->flags;
2015 ++ unsigned long prev_tif = task_thread_info(prev)->flags;
2016 ++
2017 ++ if (IS_ENABLED(CONFIG_SMP)) {
2018 ++ /*
2019 ++ * Avoid __switch_to_xtra() invocation when conditional
2020 ++ * STIPB is disabled and the only different bit is
2021 ++ * TIF_SPEC_IB. For CONFIG_SMP=n TIF_SPEC_IB is not
2022 ++ * in the TIF_WORK_CTXSW masks.
2023 ++ */
2024 ++ if (!static_branch_likely(&switch_to_cond_stibp)) {
2025 ++ prev_tif &= ~_TIF_SPEC_IB;
2026 ++ next_tif &= ~_TIF_SPEC_IB;
2027 ++ }
2028 ++ }
2029 ++
2030 ++ /*
2031 ++ * __switch_to_xtra() handles debug registers, i/o bitmaps,
2032 ++ * speculation mitigations etc.
2033 ++ */
2034 ++ if (unlikely(next_tif & _TIF_WORK_CTXSW_NEXT ||
2035 ++ prev_tif & _TIF_WORK_CTXSW_PREV))
2036 ++ __switch_to_xtra(prev, next);
2037 ++}
2038 +diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
2039 +index 5046a3c9dec2..d3e593eb189f 100644
2040 +--- a/arch/x86/kernel/process_32.c
2041 ++++ b/arch/x86/kernel/process_32.c
2042 +@@ -59,6 +59,8 @@
2043 + #include <asm/intel_rdt_sched.h>
2044 + #include <asm/proto.h>
2045 +
2046 ++#include "process.h"
2047 ++
2048 + void __show_regs(struct pt_regs *regs, enum show_regs_mode mode)
2049 + {
2050 + unsigned long cr0 = 0L, cr2 = 0L, cr3 = 0L, cr4 = 0L;
2051 +@@ -232,7 +234,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
2052 + struct fpu *prev_fpu = &prev->fpu;
2053 + struct fpu *next_fpu = &next->fpu;
2054 + int cpu = smp_processor_id();
2055 +- struct tss_struct *tss = &per_cpu(cpu_tss_rw, cpu);
2056 +
2057 + /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
2058 +
2059 +@@ -264,12 +265,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
2060 + if (get_kernel_rpl() && unlikely(prev->iopl != next->iopl))
2061 + set_iopl_mask(next->iopl);
2062 +
2063 +- /*
2064 +- * Now maybe handle debug registers and/or IO bitmaps
2065 +- */
2066 +- if (unlikely(task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV ||
2067 +- task_thread_info(next_p)->flags & _TIF_WORK_CTXSW_NEXT))
2068 +- __switch_to_xtra(prev_p, next_p, tss);
2069 ++ switch_to_extra(prev_p, next_p);
2070 +
2071 + /*
2072 + * Leave lazy mode, flushing any hypercalls made here.
2073 +diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
2074 +index ea5ea850348d..a0854f283efd 100644
2075 +--- a/arch/x86/kernel/process_64.c
2076 ++++ b/arch/x86/kernel/process_64.c
2077 +@@ -59,6 +59,8 @@
2078 + #include <asm/unistd_32_ia32.h>
2079 + #endif
2080 +
2081 ++#include "process.h"
2082 ++
2083 + __visible DEFINE_PER_CPU(unsigned long, rsp_scratch);
2084 +
2085 + /* Prints also some state that isn't saved in the pt_regs */
2086 +@@ -422,7 +424,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
2087 + struct fpu *prev_fpu = &prev->fpu;
2088 + struct fpu *next_fpu = &next->fpu;
2089 + int cpu = smp_processor_id();
2090 +- struct tss_struct *tss = &per_cpu(cpu_tss_rw, cpu);
2091 +
2092 + WARN_ON_ONCE(IS_ENABLED(CONFIG_DEBUG_ENTRY) &&
2093 + this_cpu_read(irq_count) != -1);
2094 +@@ -489,12 +490,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
2095 + /* Reload sp0. */
2096 + update_task_stack(next_p);
2097 +
2098 +- /*
2099 +- * Now maybe reload the debug registers and handle I/O bitmaps
2100 +- */
2101 +- if (unlikely(task_thread_info(next_p)->flags & _TIF_WORK_CTXSW_NEXT ||
2102 +- task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
2103 +- __switch_to_xtra(prev_p, next_p, tss);
2104 ++ switch_to_extra(prev_p, next_p);
2105 +
2106 + #ifdef CONFIG_XEN_PV
2107 + /*
2108 +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
2109 +index fbb0e6df121b..2216d21e955d 100644
2110 +--- a/arch/x86/kvm/lapic.c
2111 ++++ b/arch/x86/kvm/lapic.c
2112 +@@ -571,6 +571,11 @@ int kvm_pv_send_ipi(struct kvm *kvm, unsigned long ipi_bitmap_low,
2113 + rcu_read_lock();
2114 + map = rcu_dereference(kvm->arch.apic_map);
2115 +
2116 ++ if (unlikely(!map)) {
2117 ++ count = -EOPNOTSUPP;
2118 ++ goto out;
2119 ++ }
2120 ++
2121 + if (min > map->max_apic_id)
2122 + goto out;
2123 + /* Bits above cluster_size are masked in the caller. */
2124 +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
2125 +index 51b953ad9d4e..1b82bc7c3cca 100644
2126 +--- a/arch/x86/kvm/mmu.c
2127 ++++ b/arch/x86/kvm/mmu.c
2128 +@@ -5013,9 +5013,9 @@ static bool need_remote_flush(u64 old, u64 new)
2129 + }
2130 +
2131 + static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
2132 +- const u8 *new, int *bytes)
2133 ++ int *bytes)
2134 + {
2135 +- u64 gentry;
2136 ++ u64 gentry = 0;
2137 + int r;
2138 +
2139 + /*
2140 +@@ -5027,22 +5027,12 @@ static u64 mmu_pte_write_fetch_gpte(struct kvm_vcpu *vcpu, gpa_t *gpa,
2141 + /* Handle a 32-bit guest writing two halves of a 64-bit gpte */
2142 + *gpa &= ~(gpa_t)7;
2143 + *bytes = 8;
2144 +- r = kvm_vcpu_read_guest(vcpu, *gpa, &gentry, 8);
2145 +- if (r)
2146 +- gentry = 0;
2147 +- new = (const u8 *)&gentry;
2148 + }
2149 +
2150 +- switch (*bytes) {
2151 +- case 4:
2152 +- gentry = *(const u32 *)new;
2153 +- break;
2154 +- case 8:
2155 +- gentry = *(const u64 *)new;
2156 +- break;
2157 +- default:
2158 +- gentry = 0;
2159 +- break;
2160 ++ if (*bytes == 4 || *bytes == 8) {
2161 ++ r = kvm_vcpu_read_guest_atomic(vcpu, *gpa, &gentry, *bytes);
2162 ++ if (r)
2163 ++ gentry = 0;
2164 + }
2165 +
2166 + return gentry;
2167 +@@ -5146,8 +5136,6 @@ static void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
2168 +
2169 + pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
2170 +
2171 +- gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, new, &bytes);
2172 +-
2173 + /*
2174 + * No need to care whether allocation memory is successful
2175 + * or not since pte prefetch is skiped if it does not have
2176 +@@ -5156,6 +5144,9 @@ static void kvm_mmu_pte_write(struct kvm_vcpu *vcpu, gpa_t gpa,
2177 + mmu_topup_memory_caches(vcpu);
2178 +
2179 + spin_lock(&vcpu->kvm->mmu_lock);
2180 ++
2181 ++ gentry = mmu_pte_write_fetch_gpte(vcpu, &gpa, &bytes);
2182 ++
2183 + ++vcpu->kvm->stat.mmu_pte_write;
2184 + kvm_mmu_audit(vcpu, AUDIT_PRE_PTE_WRITE);
2185 +
2186 +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
2187 +index 61ccfb13899e..4397fa0c448f 100644
2188 +--- a/arch/x86/kvm/svm.c
2189 ++++ b/arch/x86/kvm/svm.c
2190 +@@ -1444,7 +1444,7 @@ static u64 svm_read_l1_tsc_offset(struct kvm_vcpu *vcpu)
2191 + return vcpu->arch.tsc_offset;
2192 + }
2193 +
2194 +-static void svm_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
2195 ++static u64 svm_write_l1_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
2196 + {
2197 + struct vcpu_svm *svm = to_svm(vcpu);
2198 + u64 g_tsc_offset = 0;
2199 +@@ -1462,6 +1462,7 @@ static void svm_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
2200 + svm->vmcb->control.tsc_offset = offset + g_tsc_offset;
2201 +
2202 + mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
2203 ++ return svm->vmcb->control.tsc_offset;
2204 + }
2205 +
2206 + static void avic_init_vmcb(struct vcpu_svm *svm)
2207 +@@ -2187,21 +2188,31 @@ out:
2208 + return ERR_PTR(err);
2209 + }
2210 +
2211 ++static void svm_clear_current_vmcb(struct vmcb *vmcb)
2212 ++{
2213 ++ int i;
2214 ++
2215 ++ for_each_online_cpu(i)
2216 ++ cmpxchg(&per_cpu(svm_data, i)->current_vmcb, vmcb, NULL);
2217 ++}
2218 ++
2219 + static void svm_free_vcpu(struct kvm_vcpu *vcpu)
2220 + {
2221 + struct vcpu_svm *svm = to_svm(vcpu);
2222 +
2223 ++ /*
2224 ++ * The vmcb page can be recycled, causing a false negative in
2225 ++ * svm_vcpu_load(). So, ensure that no logical CPU has this
2226 ++ * vmcb page recorded as its current vmcb.
2227 ++ */
2228 ++ svm_clear_current_vmcb(svm->vmcb);
2229 ++
2230 + __free_page(pfn_to_page(__sme_clr(svm->vmcb_pa) >> PAGE_SHIFT));
2231 + __free_pages(virt_to_page(svm->msrpm), MSRPM_ALLOC_ORDER);
2232 + __free_page(virt_to_page(svm->nested.hsave));
2233 + __free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER);
2234 + kvm_vcpu_uninit(vcpu);
2235 + kmem_cache_free(kvm_vcpu_cache, svm);
2236 +- /*
2237 +- * The vmcb page can be recycled, causing a false negative in
2238 +- * svm_vcpu_load(). So do a full IBPB now.
2239 +- */
2240 +- indirect_branch_prediction_barrier();
2241 + }
2242 +
2243 + static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
2244 +@@ -7145,7 +7156,7 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
2245 + .has_wbinvd_exit = svm_has_wbinvd_exit,
2246 +
2247 + .read_l1_tsc_offset = svm_read_l1_tsc_offset,
2248 +- .write_tsc_offset = svm_write_tsc_offset,
2249 ++ .write_l1_tsc_offset = svm_write_l1_tsc_offset,
2250 +
2251 + .set_tdp_cr3 = set_tdp_cr3,
2252 +
2253 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
2254 +index 9f3def7baa6d..e55f7a90d4b2 100644
2255 +--- a/arch/x86/kvm/vmx.c
2256 ++++ b/arch/x86/kvm/vmx.c
2257 +@@ -170,6 +170,7 @@ module_param_named(preemption_timer, enable_preemption_timer, bool, S_IRUGO);
2258 + * refer SDM volume 3b section 21.6.13 & 22.1.3.
2259 + */
2260 + static unsigned int ple_gap = KVM_DEFAULT_PLE_GAP;
2261 ++module_param(ple_gap, uint, 0444);
2262 +
2263 + static unsigned int ple_window = KVM_VMX_DEFAULT_PLE_WINDOW;
2264 + module_param(ple_window, uint, 0444);
2265 +@@ -3433,11 +3434,9 @@ static u64 vmx_read_l1_tsc_offset(struct kvm_vcpu *vcpu)
2266 + return vcpu->arch.tsc_offset;
2267 + }
2268 +
2269 +-/*
2270 +- * writes 'offset' into guest's timestamp counter offset register
2271 +- */
2272 +-static void vmx_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
2273 ++static u64 vmx_write_l1_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
2274 + {
2275 ++ u64 active_offset = offset;
2276 + if (is_guest_mode(vcpu)) {
2277 + /*
2278 + * We're here if L1 chose not to trap WRMSR to TSC. According
2279 +@@ -3445,17 +3444,16 @@ static void vmx_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
2280 + * set for L2 remains unchanged, and still needs to be added
2281 + * to the newly set TSC to get L2's TSC.
2282 + */
2283 +- struct vmcs12 *vmcs12;
2284 +- /* recalculate vmcs02.TSC_OFFSET: */
2285 +- vmcs12 = get_vmcs12(vcpu);
2286 +- vmcs_write64(TSC_OFFSET, offset +
2287 +- (nested_cpu_has(vmcs12, CPU_BASED_USE_TSC_OFFSETING) ?
2288 +- vmcs12->tsc_offset : 0));
2289 ++ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
2290 ++ if (nested_cpu_has(vmcs12, CPU_BASED_USE_TSC_OFFSETING))
2291 ++ active_offset += vmcs12->tsc_offset;
2292 + } else {
2293 + trace_kvm_write_tsc_offset(vcpu->vcpu_id,
2294 + vmcs_read64(TSC_OFFSET), offset);
2295 +- vmcs_write64(TSC_OFFSET, offset);
2296 + }
2297 ++
2298 ++ vmcs_write64(TSC_OFFSET, active_offset);
2299 ++ return active_offset;
2300 + }
2301 +
2302 + /*
2303 +@@ -14203,7 +14201,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = {
2304 + .has_wbinvd_exit = cpu_has_vmx_wbinvd_exit,
2305 +
2306 + .read_l1_tsc_offset = vmx_read_l1_tsc_offset,
2307 +- .write_tsc_offset = vmx_write_tsc_offset,
2308 ++ .write_l1_tsc_offset = vmx_write_l1_tsc_offset,
2309 +
2310 + .set_tdp_cr3 = vmx_set_cr3,
2311 +
2312 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
2313 +index ca717737347e..68b53f05a420 100644
2314 +--- a/arch/x86/kvm/x86.c
2315 ++++ b/arch/x86/kvm/x86.c
2316 +@@ -1582,8 +1582,7 @@ EXPORT_SYMBOL_GPL(kvm_read_l1_tsc);
2317 +
2318 + static void kvm_vcpu_write_tsc_offset(struct kvm_vcpu *vcpu, u64 offset)
2319 + {
2320 +- kvm_x86_ops->write_tsc_offset(vcpu, offset);
2321 +- vcpu->arch.tsc_offset = offset;
2322 ++ vcpu->arch.tsc_offset = kvm_x86_ops->write_l1_tsc_offset(vcpu, offset);
2323 + }
2324 +
2325 + static inline bool kvm_check_tsc_unstable(void)
2326 +@@ -1711,7 +1710,8 @@ EXPORT_SYMBOL_GPL(kvm_write_tsc);
2327 + static inline void adjust_tsc_offset_guest(struct kvm_vcpu *vcpu,
2328 + s64 adjustment)
2329 + {
2330 +- kvm_vcpu_write_tsc_offset(vcpu, vcpu->arch.tsc_offset + adjustment);
2331 ++ u64 tsc_offset = kvm_x86_ops->read_l1_tsc_offset(vcpu);
2332 ++ kvm_vcpu_write_tsc_offset(vcpu, tsc_offset + adjustment);
2333 + }
2334 +
2335 + static inline void adjust_tsc_offset_host(struct kvm_vcpu *vcpu, s64 adjustment)
2336 +@@ -6788,6 +6788,7 @@ static int kvm_pv_clock_pairing(struct kvm_vcpu *vcpu, gpa_t paddr,
2337 + clock_pairing.nsec = ts.tv_nsec;
2338 + clock_pairing.tsc = kvm_read_l1_tsc(vcpu, cycle);
2339 + clock_pairing.flags = 0;
2340 ++ memset(&clock_pairing.pad, 0, sizeof(clock_pairing.pad));
2341 +
2342 + ret = 0;
2343 + if (kvm_write_guest(vcpu->kvm, paddr, &clock_pairing,
2344 +@@ -7313,7 +7314,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
2345 + else {
2346 + if (vcpu->arch.apicv_active)
2347 + kvm_x86_ops->sync_pir_to_irr(vcpu);
2348 +- kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
2349 ++ if (ioapic_in_kernel(vcpu->kvm))
2350 ++ kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
2351 + }
2352 +
2353 + if (is_guest_mode(vcpu))
2354 +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
2355 +index e96b99eb800c..a6d1b0241aea 100644
2356 +--- a/arch/x86/mm/tlb.c
2357 ++++ b/arch/x86/mm/tlb.c
2358 +@@ -29,6 +29,12 @@
2359 + * Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
2360 + */
2361 +
2362 ++/*
2363 ++ * Use bit 0 to mangle the TIF_SPEC_IB state into the mm pointer which is
2364 ++ * stored in cpu_tlb_state.last_user_mm_ibpb.
2365 ++ */
2366 ++#define LAST_USER_MM_IBPB 0x1UL
2367 ++
2368 + /*
2369 + * We get here when we do something requiring a TLB invalidation
2370 + * but could not go invalidate all of the contexts. We do the
2371 +@@ -180,6 +186,89 @@ static void sync_current_stack_to_mm(struct mm_struct *mm)
2372 + }
2373 + }
2374 +
2375 ++static inline unsigned long mm_mangle_tif_spec_ib(struct task_struct *next)
2376 ++{
2377 ++ unsigned long next_tif = task_thread_info(next)->flags;
2378 ++ unsigned long ibpb = (next_tif >> TIF_SPEC_IB) & LAST_USER_MM_IBPB;
2379 ++
2380 ++ return (unsigned long)next->mm | ibpb;
2381 ++}
2382 ++
2383 ++static void cond_ibpb(struct task_struct *next)
2384 ++{
2385 ++ if (!next || !next->mm)
2386 ++ return;
2387 ++
2388 ++ /*
2389 ++ * Both, the conditional and the always IBPB mode use the mm
2390 ++ * pointer to avoid the IBPB when switching between tasks of the
2391 ++ * same process. Using the mm pointer instead of mm->context.ctx_id
2392 ++ * opens a hypothetical hole vs. mm_struct reuse, which is more or
2393 ++ * less impossible to control by an attacker. Aside of that it
2394 ++ * would only affect the first schedule so the theoretically
2395 ++ * exposed data is not really interesting.
2396 ++ */
2397 ++ if (static_branch_likely(&switch_mm_cond_ibpb)) {
2398 ++ unsigned long prev_mm, next_mm;
2399 ++
2400 ++ /*
2401 ++ * This is a bit more complex than the always mode because
2402 ++ * it has to handle two cases:
2403 ++ *
2404 ++ * 1) Switch from a user space task (potential attacker)
2405 ++ * which has TIF_SPEC_IB set to a user space task
2406 ++ * (potential victim) which has TIF_SPEC_IB not set.
2407 ++ *
2408 ++ * 2) Switch from a user space task (potential attacker)
2409 ++ * which has TIF_SPEC_IB not set to a user space task
2410 ++ * (potential victim) which has TIF_SPEC_IB set.
2411 ++ *
2412 ++ * This could be done by unconditionally issuing IBPB when
2413 ++ * a task which has TIF_SPEC_IB set is either scheduled in
2414 ++ * or out. Though that results in two flushes when:
2415 ++ *
2416 ++ * - the same user space task is scheduled out and later
2417 ++ * scheduled in again and only a kernel thread ran in
2418 ++ * between.
2419 ++ *
2420 ++ * - a user space task belonging to the same process is
2421 ++ * scheduled in after a kernel thread ran in between
2422 ++ *
2423 ++ * - a user space task belonging to the same process is
2424 ++ * scheduled in immediately.
2425 ++ *
2426 ++ * Optimize this with reasonably small overhead for the
2427 ++ * above cases. Mangle the TIF_SPEC_IB bit into the mm
2428 ++ * pointer of the incoming task which is stored in
2429 ++ * cpu_tlbstate.last_user_mm_ibpb for comparison.
2430 ++ */
2431 ++ next_mm = mm_mangle_tif_spec_ib(next);
2432 ++ prev_mm = this_cpu_read(cpu_tlbstate.last_user_mm_ibpb);
2433 ++
2434 ++ /*
2435 ++ * Issue IBPB only if the mm's are different and one or
2436 ++ * both have the IBPB bit set.
2437 ++ */
2438 ++ if (next_mm != prev_mm &&
2439 ++ (next_mm | prev_mm) & LAST_USER_MM_IBPB)
2440 ++ indirect_branch_prediction_barrier();
2441 ++
2442 ++ this_cpu_write(cpu_tlbstate.last_user_mm_ibpb, next_mm);
2443 ++ }
2444 ++
2445 ++ if (static_branch_unlikely(&switch_mm_always_ibpb)) {
2446 ++ /*
2447 ++ * Only flush when switching to a user space task with a
2448 ++ * different context than the user space task which ran
2449 ++ * last on this CPU.
2450 ++ */
2451 ++ if (this_cpu_read(cpu_tlbstate.last_user_mm) != next->mm) {
2452 ++ indirect_branch_prediction_barrier();
2453 ++ this_cpu_write(cpu_tlbstate.last_user_mm, next->mm);
2454 ++ }
2455 ++ }
2456 ++}
2457 ++
2458 + void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
2459 + struct task_struct *tsk)
2460 + {
2461 +@@ -254,27 +343,13 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
2462 + } else {
2463 + u16 new_asid;
2464 + bool need_flush;
2465 +- u64 last_ctx_id = this_cpu_read(cpu_tlbstate.last_ctx_id);
2466 +
2467 + /*
2468 + * Avoid user/user BTB poisoning by flushing the branch
2469 + * predictor when switching between processes. This stops
2470 + * one process from doing Spectre-v2 attacks on another.
2471 +- *
2472 +- * As an optimization, flush indirect branches only when
2473 +- * switching into processes that disable dumping. This
2474 +- * protects high value processes like gpg, without having
2475 +- * too high performance overhead. IBPB is *expensive*!
2476 +- *
2477 +- * This will not flush branches when switching into kernel
2478 +- * threads. It will also not flush if we switch to idle
2479 +- * thread and back to the same process. It will flush if we
2480 +- * switch to a different non-dumpable process.
2481 + */
2482 +- if (tsk && tsk->mm &&
2483 +- tsk->mm->context.ctx_id != last_ctx_id &&
2484 +- get_dumpable(tsk->mm) != SUID_DUMP_USER)
2485 +- indirect_branch_prediction_barrier();
2486 ++ cond_ibpb(tsk);
2487 +
2488 + if (IS_ENABLED(CONFIG_VMAP_STACK)) {
2489 + /*
2490 +@@ -331,14 +406,6 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
2491 + trace_tlb_flush_rcuidle(TLB_FLUSH_ON_TASK_SWITCH, 0);
2492 + }
2493 +
2494 +- /*
2495 +- * Record last user mm's context id, so we can avoid
2496 +- * flushing branch buffer with IBPB if we switch back
2497 +- * to the same user.
2498 +- */
2499 +- if (next != &init_mm)
2500 +- this_cpu_write(cpu_tlbstate.last_ctx_id, next->context.ctx_id);
2501 +-
2502 + /* Make sure we write CR3 before loaded_mm. */
2503 + barrier();
2504 +
2505 +@@ -419,7 +486,7 @@ void initialize_tlbstate_and_flush(void)
2506 + write_cr3(build_cr3(mm->pgd, 0));
2507 +
2508 + /* Reinitialize tlbstate. */
2509 +- this_cpu_write(cpu_tlbstate.last_ctx_id, mm->context.ctx_id);
2510 ++ this_cpu_write(cpu_tlbstate.last_user_mm_ibpb, LAST_USER_MM_IBPB);
2511 + this_cpu_write(cpu_tlbstate.loaded_mm_asid, 0);
2512 + this_cpu_write(cpu_tlbstate.next_asid, 1);
2513 + this_cpu_write(cpu_tlbstate.ctxs[0].ctx_id, mm->context.ctx_id);
2514 +diff --git a/arch/xtensa/kernel/asm-offsets.c b/arch/xtensa/kernel/asm-offsets.c
2515 +index 67904f55f188..120dd746a147 100644
2516 +--- a/arch/xtensa/kernel/asm-offsets.c
2517 ++++ b/arch/xtensa/kernel/asm-offsets.c
2518 +@@ -94,14 +94,14 @@ int main(void)
2519 + DEFINE(THREAD_SP, offsetof (struct task_struct, thread.sp));
2520 + DEFINE(THREAD_CPENABLE, offsetof (struct thread_info, cpenable));
2521 + #if XTENSA_HAVE_COPROCESSORS
2522 +- DEFINE(THREAD_XTREGS_CP0, offsetof (struct thread_info, xtregs_cp));
2523 +- DEFINE(THREAD_XTREGS_CP1, offsetof (struct thread_info, xtregs_cp));
2524 +- DEFINE(THREAD_XTREGS_CP2, offsetof (struct thread_info, xtregs_cp));
2525 +- DEFINE(THREAD_XTREGS_CP3, offsetof (struct thread_info, xtregs_cp));
2526 +- DEFINE(THREAD_XTREGS_CP4, offsetof (struct thread_info, xtregs_cp));
2527 +- DEFINE(THREAD_XTREGS_CP5, offsetof (struct thread_info, xtregs_cp));
2528 +- DEFINE(THREAD_XTREGS_CP6, offsetof (struct thread_info, xtregs_cp));
2529 +- DEFINE(THREAD_XTREGS_CP7, offsetof (struct thread_info, xtregs_cp));
2530 ++ DEFINE(THREAD_XTREGS_CP0, offsetof(struct thread_info, xtregs_cp.cp0));
2531 ++ DEFINE(THREAD_XTREGS_CP1, offsetof(struct thread_info, xtregs_cp.cp1));
2532 ++ DEFINE(THREAD_XTREGS_CP2, offsetof(struct thread_info, xtregs_cp.cp2));
2533 ++ DEFINE(THREAD_XTREGS_CP3, offsetof(struct thread_info, xtregs_cp.cp3));
2534 ++ DEFINE(THREAD_XTREGS_CP4, offsetof(struct thread_info, xtregs_cp.cp4));
2535 ++ DEFINE(THREAD_XTREGS_CP5, offsetof(struct thread_info, xtregs_cp.cp5));
2536 ++ DEFINE(THREAD_XTREGS_CP6, offsetof(struct thread_info, xtregs_cp.cp6));
2537 ++ DEFINE(THREAD_XTREGS_CP7, offsetof(struct thread_info, xtregs_cp.cp7));
2538 + #endif
2539 + DEFINE(THREAD_XTREGS_USER, offsetof (struct thread_info, xtregs_user));
2540 + DEFINE(XTREGS_USER_SIZE, sizeof(xtregs_user_t));
2541 +diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c
2542 +index 483dcfb6e681..4bb68133a72a 100644
2543 +--- a/arch/xtensa/kernel/process.c
2544 ++++ b/arch/xtensa/kernel/process.c
2545 +@@ -94,18 +94,21 @@ void coprocessor_release_all(struct thread_info *ti)
2546 +
2547 + void coprocessor_flush_all(struct thread_info *ti)
2548 + {
2549 +- unsigned long cpenable;
2550 ++ unsigned long cpenable, old_cpenable;
2551 + int i;
2552 +
2553 + preempt_disable();
2554 +
2555 ++ RSR_CPENABLE(old_cpenable);
2556 + cpenable = ti->cpenable;
2557 ++ WSR_CPENABLE(cpenable);
2558 +
2559 + for (i = 0; i < XCHAL_CP_MAX; i++) {
2560 + if ((cpenable & 1) != 0 && coprocessor_owner[i] == ti)
2561 + coprocessor_flush(ti, i);
2562 + cpenable >>= 1;
2563 + }
2564 ++ WSR_CPENABLE(old_cpenable);
2565 +
2566 + preempt_enable();
2567 + }
2568 +diff --git a/arch/xtensa/kernel/ptrace.c b/arch/xtensa/kernel/ptrace.c
2569 +index c0845cb1cbb9..d9541be0605a 100644
2570 +--- a/arch/xtensa/kernel/ptrace.c
2571 ++++ b/arch/xtensa/kernel/ptrace.c
2572 +@@ -127,12 +127,37 @@ static int ptrace_setregs(struct task_struct *child, void __user *uregs)
2573 + }
2574 +
2575 +
2576 ++#if XTENSA_HAVE_COPROCESSORS
2577 ++#define CP_OFFSETS(cp) \
2578 ++ { \
2579 ++ .elf_xtregs_offset = offsetof(elf_xtregs_t, cp), \
2580 ++ .ti_offset = offsetof(struct thread_info, xtregs_cp.cp), \
2581 ++ .sz = sizeof(xtregs_ ## cp ## _t), \
2582 ++ }
2583 ++
2584 ++static const struct {
2585 ++ size_t elf_xtregs_offset;
2586 ++ size_t ti_offset;
2587 ++ size_t sz;
2588 ++} cp_offsets[] = {
2589 ++ CP_OFFSETS(cp0),
2590 ++ CP_OFFSETS(cp1),
2591 ++ CP_OFFSETS(cp2),
2592 ++ CP_OFFSETS(cp3),
2593 ++ CP_OFFSETS(cp4),
2594 ++ CP_OFFSETS(cp5),
2595 ++ CP_OFFSETS(cp6),
2596 ++ CP_OFFSETS(cp7),
2597 ++};
2598 ++#endif
2599 ++
2600 + static int ptrace_getxregs(struct task_struct *child, void __user *uregs)
2601 + {
2602 + struct pt_regs *regs = task_pt_regs(child);
2603 + struct thread_info *ti = task_thread_info(child);
2604 + elf_xtregs_t __user *xtregs = uregs;
2605 + int ret = 0;
2606 ++ int i __maybe_unused;
2607 +
2608 + if (!access_ok(VERIFY_WRITE, uregs, sizeof(elf_xtregs_t)))
2609 + return -EIO;
2610 +@@ -140,8 +165,13 @@ static int ptrace_getxregs(struct task_struct *child, void __user *uregs)
2611 + #if XTENSA_HAVE_COPROCESSORS
2612 + /* Flush all coprocessor registers to memory. */
2613 + coprocessor_flush_all(ti);
2614 +- ret |= __copy_to_user(&xtregs->cp0, &ti->xtregs_cp,
2615 +- sizeof(xtregs_coprocessor_t));
2616 ++
2617 ++ for (i = 0; i < ARRAY_SIZE(cp_offsets); ++i)
2618 ++ ret |= __copy_to_user((char __user *)xtregs +
2619 ++ cp_offsets[i].elf_xtregs_offset,
2620 ++ (const char *)ti +
2621 ++ cp_offsets[i].ti_offset,
2622 ++ cp_offsets[i].sz);
2623 + #endif
2624 + ret |= __copy_to_user(&xtregs->opt, &regs->xtregs_opt,
2625 + sizeof(xtregs->opt));
2626 +@@ -157,6 +187,7 @@ static int ptrace_setxregs(struct task_struct *child, void __user *uregs)
2627 + struct pt_regs *regs = task_pt_regs(child);
2628 + elf_xtregs_t *xtregs = uregs;
2629 + int ret = 0;
2630 ++ int i __maybe_unused;
2631 +
2632 + if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t)))
2633 + return -EFAULT;
2634 +@@ -166,8 +197,11 @@ static int ptrace_setxregs(struct task_struct *child, void __user *uregs)
2635 + coprocessor_flush_all(ti);
2636 + coprocessor_release_all(ti);
2637 +
2638 +- ret |= __copy_from_user(&ti->xtregs_cp, &xtregs->cp0,
2639 +- sizeof(xtregs_coprocessor_t));
2640 ++ for (i = 0; i < ARRAY_SIZE(cp_offsets); ++i)
2641 ++ ret |= __copy_from_user((char *)ti + cp_offsets[i].ti_offset,
2642 ++ (const char __user *)xtregs +
2643 ++ cp_offsets[i].elf_xtregs_offset,
2644 ++ cp_offsets[i].sz);
2645 + #endif
2646 + ret |= __copy_from_user(&regs->xtregs_opt, &xtregs->opt,
2647 + sizeof(xtregs->opt));
2648 +diff --git a/drivers/android/binder.c b/drivers/android/binder.c
2649 +index d58763b6b009..ce0e4d317d24 100644
2650 +--- a/drivers/android/binder.c
2651 ++++ b/drivers/android/binder.c
2652 +@@ -2971,7 +2971,6 @@ static void binder_transaction(struct binder_proc *proc,
2653 + t->buffer = NULL;
2654 + goto err_binder_alloc_buf_failed;
2655 + }
2656 +- t->buffer->allow_user_free = 0;
2657 + t->buffer->debug_id = t->debug_id;
2658 + t->buffer->transaction = t;
2659 + t->buffer->target_node = target_node;
2660 +@@ -3465,14 +3464,18 @@ static int binder_thread_write(struct binder_proc *proc,
2661 +
2662 + buffer = binder_alloc_prepare_to_free(&proc->alloc,
2663 + data_ptr);
2664 +- if (buffer == NULL) {
2665 +- binder_user_error("%d:%d BC_FREE_BUFFER u%016llx no match\n",
2666 +- proc->pid, thread->pid, (u64)data_ptr);
2667 +- break;
2668 +- }
2669 +- if (!buffer->allow_user_free) {
2670 +- binder_user_error("%d:%d BC_FREE_BUFFER u%016llx matched unreturned buffer\n",
2671 +- proc->pid, thread->pid, (u64)data_ptr);
2672 ++ if (IS_ERR_OR_NULL(buffer)) {
2673 ++ if (PTR_ERR(buffer) == -EPERM) {
2674 ++ binder_user_error(
2675 ++ "%d:%d BC_FREE_BUFFER u%016llx matched unreturned or currently freeing buffer\n",
2676 ++ proc->pid, thread->pid,
2677 ++ (u64)data_ptr);
2678 ++ } else {
2679 ++ binder_user_error(
2680 ++ "%d:%d BC_FREE_BUFFER u%016llx no match\n",
2681 ++ proc->pid, thread->pid,
2682 ++ (u64)data_ptr);
2683 ++ }
2684 + break;
2685 + }
2686 + binder_debug(BINDER_DEBUG_FREE_BUFFER,
2687 +diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
2688 +index 64fd96eada31..030c98f35cca 100644
2689 +--- a/drivers/android/binder_alloc.c
2690 ++++ b/drivers/android/binder_alloc.c
2691 +@@ -151,16 +151,12 @@ static struct binder_buffer *binder_alloc_prepare_to_free_locked(
2692 + else {
2693 + /*
2694 + * Guard against user threads attempting to
2695 +- * free the buffer twice
2696 ++ * free the buffer when in use by kernel or
2697 ++ * after it's already been freed.
2698 + */
2699 +- if (buffer->free_in_progress) {
2700 +- binder_alloc_debug(BINDER_DEBUG_USER_ERROR,
2701 +- "%d:%d FREE_BUFFER u%016llx user freed buffer twice\n",
2702 +- alloc->pid, current->pid,
2703 +- (u64)user_ptr);
2704 +- return NULL;
2705 +- }
2706 +- buffer->free_in_progress = 1;
2707 ++ if (!buffer->allow_user_free)
2708 ++ return ERR_PTR(-EPERM);
2709 ++ buffer->allow_user_free = 0;
2710 + return buffer;
2711 + }
2712 + }
2713 +@@ -500,7 +496,7 @@ static struct binder_buffer *binder_alloc_new_buf_locked(
2714 +
2715 + rb_erase(best_fit, &alloc->free_buffers);
2716 + buffer->free = 0;
2717 +- buffer->free_in_progress = 0;
2718 ++ buffer->allow_user_free = 0;
2719 + binder_insert_allocated_buffer_locked(alloc, buffer);
2720 + binder_alloc_debug(BINDER_DEBUG_BUFFER_ALLOC,
2721 + "%d: binder_alloc_buf size %zd got %pK\n",
2722 +diff --git a/drivers/android/binder_alloc.h b/drivers/android/binder_alloc.h
2723 +index 9ef64e563856..fb3238c74c8a 100644
2724 +--- a/drivers/android/binder_alloc.h
2725 ++++ b/drivers/android/binder_alloc.h
2726 +@@ -50,8 +50,7 @@ struct binder_buffer {
2727 + unsigned free:1;
2728 + unsigned allow_user_free:1;
2729 + unsigned async_transaction:1;
2730 +- unsigned free_in_progress:1;
2731 +- unsigned debug_id:28;
2732 ++ unsigned debug_id:29;
2733 +
2734 + struct binder_transaction *transaction;
2735 +
2736 +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
2737 +index 75f38d19fcbe..dbc51154f122 100644
2738 +--- a/drivers/dma/at_hdmac.c
2739 ++++ b/drivers/dma/at_hdmac.c
2740 +@@ -1641,6 +1641,12 @@ static void atc_free_chan_resources(struct dma_chan *chan)
2741 + atchan->descs_allocated = 0;
2742 + atchan->status = 0;
2743 +
2744 ++ /*
2745 ++ * Free atslave allocated in at_dma_xlate()
2746 ++ */
2747 ++ kfree(chan->private);
2748 ++ chan->private = NULL;
2749 ++
2750 + dev_vdbg(chan2dev(chan), "free_chan_resources: done\n");
2751 + }
2752 +
2753 +@@ -1675,7 +1681,7 @@ static struct dma_chan *at_dma_xlate(struct of_phandle_args *dma_spec,
2754 + dma_cap_zero(mask);
2755 + dma_cap_set(DMA_SLAVE, mask);
2756 +
2757 +- atslave = devm_kzalloc(&dmac_pdev->dev, sizeof(*atslave), GFP_KERNEL);
2758 ++ atslave = kzalloc(sizeof(*atslave), GFP_KERNEL);
2759 + if (!atslave)
2760 + return NULL;
2761 +
2762 +@@ -2000,6 +2006,8 @@ static int at_dma_remove(struct platform_device *pdev)
2763 + struct resource *io;
2764 +
2765 + at_dma_off(atdma);
2766 ++ if (pdev->dev.of_node)
2767 ++ of_dma_controller_free(pdev->dev.of_node);
2768 + dma_async_device_unregister(&atdma->dma_common);
2769 +
2770 + dma_pool_destroy(atdma->memset_pool);
2771 +diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
2772 +index e8a114157f87..bb012bc032e0 100644
2773 +--- a/drivers/hid/hid-sensor-custom.c
2774 ++++ b/drivers/hid/hid-sensor-custom.c
2775 +@@ -358,7 +358,7 @@ static ssize_t show_value(struct device *dev, struct device_attribute *attr,
2776 + sensor_inst->hsdev,
2777 + sensor_inst->hsdev->usage,
2778 + usage, report_id,
2779 +- SENSOR_HUB_SYNC);
2780 ++ SENSOR_HUB_SYNC, false);
2781 + } else if (!strncmp(name, "units", strlen("units")))
2782 + value = sensor_inst->fields[field_index].attribute.units;
2783 + else if (!strncmp(name, "unit-expo", strlen("unit-expo")))
2784 +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
2785 +index 2b63487057c2..4256fdc5cd6d 100644
2786 +--- a/drivers/hid/hid-sensor-hub.c
2787 ++++ b/drivers/hid/hid-sensor-hub.c
2788 +@@ -299,7 +299,8 @@ EXPORT_SYMBOL_GPL(sensor_hub_get_feature);
2789 + int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
2790 + u32 usage_id,
2791 + u32 attr_usage_id, u32 report_id,
2792 +- enum sensor_hub_read_flags flag)
2793 ++ enum sensor_hub_read_flags flag,
2794 ++ bool is_signed)
2795 + {
2796 + struct sensor_hub_data *data = hid_get_drvdata(hsdev->hdev);
2797 + unsigned long flags;
2798 +@@ -331,10 +332,16 @@ int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
2799 + &hsdev->pending.ready, HZ*5);
2800 + switch (hsdev->pending.raw_size) {
2801 + case 1:
2802 +- ret_val = *(u8 *)hsdev->pending.raw_data;
2803 ++ if (is_signed)
2804 ++ ret_val = *(s8 *)hsdev->pending.raw_data;
2805 ++ else
2806 ++ ret_val = *(u8 *)hsdev->pending.raw_data;
2807 + break;
2808 + case 2:
2809 +- ret_val = *(u16 *)hsdev->pending.raw_data;
2810 ++ if (is_signed)
2811 ++ ret_val = *(s16 *)hsdev->pending.raw_data;
2812 ++ else
2813 ++ ret_val = *(u16 *)hsdev->pending.raw_data;
2814 + break;
2815 + case 4:
2816 + ret_val = *(u32 *)hsdev->pending.raw_data;
2817 +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
2818 +index 741857d80da1..2f164bd74687 100644
2819 +--- a/drivers/hv/channel.c
2820 ++++ b/drivers/hv/channel.c
2821 +@@ -482,6 +482,14 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
2822 + }
2823 + wait_for_completion(&msginfo->waitevent);
2824 +
2825 ++ if (msginfo->response.gpadl_created.creation_status != 0) {
2826 ++ pr_err("Failed to establish GPADL: err = 0x%x\n",
2827 ++ msginfo->response.gpadl_created.creation_status);
2828 ++
2829 ++ ret = -EDQUOT;
2830 ++ goto cleanup;
2831 ++ }
2832 ++
2833 + if (channel->rescind) {
2834 + ret = -ENODEV;
2835 + goto cleanup;
2836 +diff --git a/drivers/iio/accel/hid-sensor-accel-3d.c b/drivers/iio/accel/hid-sensor-accel-3d.c
2837 +index 41d97faf5013..38ff374a3ca4 100644
2838 +--- a/drivers/iio/accel/hid-sensor-accel-3d.c
2839 ++++ b/drivers/iio/accel/hid-sensor-accel-3d.c
2840 +@@ -149,6 +149,7 @@ static int accel_3d_read_raw(struct iio_dev *indio_dev,
2841 + int report_id = -1;
2842 + u32 address;
2843 + int ret_type;
2844 ++ s32 min;
2845 + struct hid_sensor_hub_device *hsdev =
2846 + accel_state->common_attributes.hsdev;
2847 +
2848 +@@ -158,12 +159,14 @@ static int accel_3d_read_raw(struct iio_dev *indio_dev,
2849 + case IIO_CHAN_INFO_RAW:
2850 + hid_sensor_power_state(&accel_state->common_attributes, true);
2851 + report_id = accel_state->accel[chan->scan_index].report_id;
2852 ++ min = accel_state->accel[chan->scan_index].logical_minimum;
2853 + address = accel_3d_addresses[chan->scan_index];
2854 + if (report_id >= 0)
2855 + *val = sensor_hub_input_attr_get_raw_value(
2856 + accel_state->common_attributes.hsdev,
2857 + hsdev->usage, address, report_id,
2858 +- SENSOR_HUB_SYNC);
2859 ++ SENSOR_HUB_SYNC,
2860 ++ min < 0);
2861 + else {
2862 + *val = 0;
2863 + hid_sensor_power_state(&accel_state->common_attributes,
2864 +diff --git a/drivers/iio/gyro/hid-sensor-gyro-3d.c b/drivers/iio/gyro/hid-sensor-gyro-3d.c
2865 +index 36941e69f959..88e857c4baf4 100644
2866 +--- a/drivers/iio/gyro/hid-sensor-gyro-3d.c
2867 ++++ b/drivers/iio/gyro/hid-sensor-gyro-3d.c
2868 +@@ -111,6 +111,7 @@ static int gyro_3d_read_raw(struct iio_dev *indio_dev,
2869 + int report_id = -1;
2870 + u32 address;
2871 + int ret_type;
2872 ++ s32 min;
2873 +
2874 + *val = 0;
2875 + *val2 = 0;
2876 +@@ -118,13 +119,15 @@ static int gyro_3d_read_raw(struct iio_dev *indio_dev,
2877 + case IIO_CHAN_INFO_RAW:
2878 + hid_sensor_power_state(&gyro_state->common_attributes, true);
2879 + report_id = gyro_state->gyro[chan->scan_index].report_id;
2880 ++ min = gyro_state->gyro[chan->scan_index].logical_minimum;
2881 + address = gyro_3d_addresses[chan->scan_index];
2882 + if (report_id >= 0)
2883 + *val = sensor_hub_input_attr_get_raw_value(
2884 + gyro_state->common_attributes.hsdev,
2885 + HID_USAGE_SENSOR_GYRO_3D, address,
2886 + report_id,
2887 +- SENSOR_HUB_SYNC);
2888 ++ SENSOR_HUB_SYNC,
2889 ++ min < 0);
2890 + else {
2891 + *val = 0;
2892 + hid_sensor_power_state(&gyro_state->common_attributes,
2893 +diff --git a/drivers/iio/humidity/hid-sensor-humidity.c b/drivers/iio/humidity/hid-sensor-humidity.c
2894 +index beab6d6fd6e1..4bc95f31c730 100644
2895 +--- a/drivers/iio/humidity/hid-sensor-humidity.c
2896 ++++ b/drivers/iio/humidity/hid-sensor-humidity.c
2897 +@@ -75,7 +75,8 @@ static int humidity_read_raw(struct iio_dev *indio_dev,
2898 + HID_USAGE_SENSOR_HUMIDITY,
2899 + HID_USAGE_SENSOR_ATMOSPHERIC_HUMIDITY,
2900 + humid_st->humidity_attr.report_id,
2901 +- SENSOR_HUB_SYNC);
2902 ++ SENSOR_HUB_SYNC,
2903 ++ humid_st->humidity_attr.logical_minimum < 0);
2904 + hid_sensor_power_state(&humid_st->common_attributes, false);
2905 +
2906 + return IIO_VAL_INT;
2907 +diff --git a/drivers/iio/light/hid-sensor-als.c b/drivers/iio/light/hid-sensor-als.c
2908 +index 406caaee9a3c..94f33250ba5a 100644
2909 +--- a/drivers/iio/light/hid-sensor-als.c
2910 ++++ b/drivers/iio/light/hid-sensor-als.c
2911 +@@ -93,6 +93,7 @@ static int als_read_raw(struct iio_dev *indio_dev,
2912 + int report_id = -1;
2913 + u32 address;
2914 + int ret_type;
2915 ++ s32 min;
2916 +
2917 + *val = 0;
2918 + *val2 = 0;
2919 +@@ -102,8 +103,8 @@ static int als_read_raw(struct iio_dev *indio_dev,
2920 + case CHANNEL_SCAN_INDEX_INTENSITY:
2921 + case CHANNEL_SCAN_INDEX_ILLUM:
2922 + report_id = als_state->als_illum.report_id;
2923 +- address =
2924 +- HID_USAGE_SENSOR_LIGHT_ILLUM;
2925 ++ min = als_state->als_illum.logical_minimum;
2926 ++ address = HID_USAGE_SENSOR_LIGHT_ILLUM;
2927 + break;
2928 + default:
2929 + report_id = -1;
2930 +@@ -116,7 +117,8 @@ static int als_read_raw(struct iio_dev *indio_dev,
2931 + als_state->common_attributes.hsdev,
2932 + HID_USAGE_SENSOR_ALS, address,
2933 + report_id,
2934 +- SENSOR_HUB_SYNC);
2935 ++ SENSOR_HUB_SYNC,
2936 ++ min < 0);
2937 + hid_sensor_power_state(&als_state->common_attributes,
2938 + false);
2939 + } else {
2940 +diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c
2941 +index 45107f7537b5..cf5a0c242609 100644
2942 +--- a/drivers/iio/light/hid-sensor-prox.c
2943 ++++ b/drivers/iio/light/hid-sensor-prox.c
2944 +@@ -73,6 +73,7 @@ static int prox_read_raw(struct iio_dev *indio_dev,
2945 + int report_id = -1;
2946 + u32 address;
2947 + int ret_type;
2948 ++ s32 min;
2949 +
2950 + *val = 0;
2951 + *val2 = 0;
2952 +@@ -81,8 +82,8 @@ static int prox_read_raw(struct iio_dev *indio_dev,
2953 + switch (chan->scan_index) {
2954 + case CHANNEL_SCAN_INDEX_PRESENCE:
2955 + report_id = prox_state->prox_attr.report_id;
2956 +- address =
2957 +- HID_USAGE_SENSOR_HUMAN_PRESENCE;
2958 ++ min = prox_state->prox_attr.logical_minimum;
2959 ++ address = HID_USAGE_SENSOR_HUMAN_PRESENCE;
2960 + break;
2961 + default:
2962 + report_id = -1;
2963 +@@ -95,7 +96,8 @@ static int prox_read_raw(struct iio_dev *indio_dev,
2964 + prox_state->common_attributes.hsdev,
2965 + HID_USAGE_SENSOR_PROX, address,
2966 + report_id,
2967 +- SENSOR_HUB_SYNC);
2968 ++ SENSOR_HUB_SYNC,
2969 ++ min < 0);
2970 + hid_sensor_power_state(&prox_state->common_attributes,
2971 + false);
2972 + } else {
2973 +diff --git a/drivers/iio/magnetometer/hid-sensor-magn-3d.c b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
2974 +index d55c4885211a..f3c0d41e5a8c 100644
2975 +--- a/drivers/iio/magnetometer/hid-sensor-magn-3d.c
2976 ++++ b/drivers/iio/magnetometer/hid-sensor-magn-3d.c
2977 +@@ -163,21 +163,23 @@ static int magn_3d_read_raw(struct iio_dev *indio_dev,
2978 + int report_id = -1;
2979 + u32 address;
2980 + int ret_type;
2981 ++ s32 min;
2982 +
2983 + *val = 0;
2984 + *val2 = 0;
2985 + switch (mask) {
2986 + case IIO_CHAN_INFO_RAW:
2987 + hid_sensor_power_state(&magn_state->magn_flux_attributes, true);
2988 +- report_id =
2989 +- magn_state->magn[chan->address].report_id;
2990 ++ report_id = magn_state->magn[chan->address].report_id;
2991 ++ min = magn_state->magn[chan->address].logical_minimum;
2992 + address = magn_3d_addresses[chan->address];
2993 + if (report_id >= 0)
2994 + *val = sensor_hub_input_attr_get_raw_value(
2995 + magn_state->magn_flux_attributes.hsdev,
2996 + HID_USAGE_SENSOR_COMPASS_3D, address,
2997 + report_id,
2998 +- SENSOR_HUB_SYNC);
2999 ++ SENSOR_HUB_SYNC,
3000 ++ min < 0);
3001 + else {
3002 + *val = 0;
3003 + hid_sensor_power_state(
3004 +diff --git a/drivers/iio/magnetometer/st_magn_buffer.c b/drivers/iio/magnetometer/st_magn_buffer.c
3005 +index 0a9e8fadfa9d..37ab30566464 100644
3006 +--- a/drivers/iio/magnetometer/st_magn_buffer.c
3007 ++++ b/drivers/iio/magnetometer/st_magn_buffer.c
3008 +@@ -30,11 +30,6 @@ int st_magn_trig_set_state(struct iio_trigger *trig, bool state)
3009 + return st_sensors_set_dataready_irq(indio_dev, state);
3010 + }
3011 +
3012 +-static int st_magn_buffer_preenable(struct iio_dev *indio_dev)
3013 +-{
3014 +- return st_sensors_set_enable(indio_dev, true);
3015 +-}
3016 +-
3017 + static int st_magn_buffer_postenable(struct iio_dev *indio_dev)
3018 + {
3019 + int err;
3020 +@@ -50,7 +45,7 @@ static int st_magn_buffer_postenable(struct iio_dev *indio_dev)
3021 + if (err < 0)
3022 + goto st_magn_buffer_postenable_error;
3023 +
3024 +- return err;
3025 ++ return st_sensors_set_enable(indio_dev, true);
3026 +
3027 + st_magn_buffer_postenable_error:
3028 + kfree(mdata->buffer_data);
3029 +@@ -63,11 +58,11 @@ static int st_magn_buffer_predisable(struct iio_dev *indio_dev)
3030 + int err;
3031 + struct st_sensor_data *mdata = iio_priv(indio_dev);
3032 +
3033 +- err = iio_triggered_buffer_predisable(indio_dev);
3034 ++ err = st_sensors_set_enable(indio_dev, false);
3035 + if (err < 0)
3036 + goto st_magn_buffer_predisable_error;
3037 +
3038 +- err = st_sensors_set_enable(indio_dev, false);
3039 ++ err = iio_triggered_buffer_predisable(indio_dev);
3040 +
3041 + st_magn_buffer_predisable_error:
3042 + kfree(mdata->buffer_data);
3043 +@@ -75,7 +70,6 @@ st_magn_buffer_predisable_error:
3044 + }
3045 +
3046 + static const struct iio_buffer_setup_ops st_magn_buffer_setup_ops = {
3047 +- .preenable = &st_magn_buffer_preenable,
3048 + .postenable = &st_magn_buffer_postenable,
3049 + .predisable = &st_magn_buffer_predisable,
3050 + };
3051 +diff --git a/drivers/iio/orientation/hid-sensor-incl-3d.c b/drivers/iio/orientation/hid-sensor-incl-3d.c
3052 +index 1e5451d1ff88..bdc5e4554ee4 100644
3053 +--- a/drivers/iio/orientation/hid-sensor-incl-3d.c
3054 ++++ b/drivers/iio/orientation/hid-sensor-incl-3d.c
3055 +@@ -111,21 +111,23 @@ static int incl_3d_read_raw(struct iio_dev *indio_dev,
3056 + int report_id = -1;
3057 + u32 address;
3058 + int ret_type;
3059 ++ s32 min;
3060 +
3061 + *val = 0;
3062 + *val2 = 0;
3063 + switch (mask) {
3064 + case IIO_CHAN_INFO_RAW:
3065 + hid_sensor_power_state(&incl_state->common_attributes, true);
3066 +- report_id =
3067 +- incl_state->incl[chan->scan_index].report_id;
3068 ++ report_id = incl_state->incl[chan->scan_index].report_id;
3069 ++ min = incl_state->incl[chan->scan_index].logical_minimum;
3070 + address = incl_3d_addresses[chan->scan_index];
3071 + if (report_id >= 0)
3072 + *val = sensor_hub_input_attr_get_raw_value(
3073 + incl_state->common_attributes.hsdev,
3074 + HID_USAGE_SENSOR_INCLINOMETER_3D, address,
3075 + report_id,
3076 +- SENSOR_HUB_SYNC);
3077 ++ SENSOR_HUB_SYNC,
3078 ++ min < 0);
3079 + else {
3080 + hid_sensor_power_state(&incl_state->common_attributes,
3081 + false);
3082 +diff --git a/drivers/iio/pressure/hid-sensor-press.c b/drivers/iio/pressure/hid-sensor-press.c
3083 +index 4c437918f1d2..d7b1c00ceb4d 100644
3084 +--- a/drivers/iio/pressure/hid-sensor-press.c
3085 ++++ b/drivers/iio/pressure/hid-sensor-press.c
3086 +@@ -77,6 +77,7 @@ static int press_read_raw(struct iio_dev *indio_dev,
3087 + int report_id = -1;
3088 + u32 address;
3089 + int ret_type;
3090 ++ s32 min;
3091 +
3092 + *val = 0;
3093 + *val2 = 0;
3094 +@@ -85,8 +86,8 @@ static int press_read_raw(struct iio_dev *indio_dev,
3095 + switch (chan->scan_index) {
3096 + case CHANNEL_SCAN_INDEX_PRESSURE:
3097 + report_id = press_state->press_attr.report_id;
3098 +- address =
3099 +- HID_USAGE_SENSOR_ATMOSPHERIC_PRESSURE;
3100 ++ min = press_state->press_attr.logical_minimum;
3101 ++ address = HID_USAGE_SENSOR_ATMOSPHERIC_PRESSURE;
3102 + break;
3103 + default:
3104 + report_id = -1;
3105 +@@ -99,7 +100,8 @@ static int press_read_raw(struct iio_dev *indio_dev,
3106 + press_state->common_attributes.hsdev,
3107 + HID_USAGE_SENSOR_PRESSURE, address,
3108 + report_id,
3109 +- SENSOR_HUB_SYNC);
3110 ++ SENSOR_HUB_SYNC,
3111 ++ min < 0);
3112 + hid_sensor_power_state(&press_state->common_attributes,
3113 + false);
3114 + } else {
3115 +diff --git a/drivers/iio/temperature/hid-sensor-temperature.c b/drivers/iio/temperature/hid-sensor-temperature.c
3116 +index beaf6fd3e337..b592fc4f007e 100644
3117 +--- a/drivers/iio/temperature/hid-sensor-temperature.c
3118 ++++ b/drivers/iio/temperature/hid-sensor-temperature.c
3119 +@@ -76,7 +76,8 @@ static int temperature_read_raw(struct iio_dev *indio_dev,
3120 + HID_USAGE_SENSOR_TEMPERATURE,
3121 + HID_USAGE_SENSOR_DATA_ENVIRONMENTAL_TEMPERATURE,
3122 + temp_st->temperature_attr.report_id,
3123 +- SENSOR_HUB_SYNC);
3124 ++ SENSOR_HUB_SYNC,
3125 ++ temp_st->temperature_attr.logical_minimum < 0);
3126 + hid_sensor_power_state(
3127 + &temp_st->common_attributes,
3128 + false);
3129 +diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c
3130 +index c824329f7012..0e4193cb08cf 100644
3131 +--- a/drivers/misc/mic/scif/scif_rma.c
3132 ++++ b/drivers/misc/mic/scif/scif_rma.c
3133 +@@ -416,7 +416,7 @@ static int scif_create_remote_lookup(struct scif_dev *remote_dev,
3134 + if (err)
3135 + goto error_window;
3136 + err = scif_map_page(&window->num_pages_lookup.lookup[j],
3137 +- vmalloc_dma_phys ?
3138 ++ vmalloc_num_pages ?
3139 + vmalloc_to_page(&window->num_pages[i]) :
3140 + virt_to_page(&window->num_pages[i]),
3141 + remote_dev);
3142 +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
3143 +index 768f584f8392..88f8a8fa93cd 100644
3144 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
3145 ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
3146 +@@ -1784,6 +1784,7 @@ static int nicvf_xdp_setup(struct nicvf *nic, struct bpf_prog *prog)
3147 + bool if_up = netif_running(nic->netdev);
3148 + struct bpf_prog *old_prog;
3149 + bool bpf_attached = false;
3150 ++ int ret = 0;
3151 +
3152 + /* For now just support only the usual MTU sized frames */
3153 + if (prog && (dev->mtu > 1500)) {
3154 +@@ -1817,8 +1818,12 @@ static int nicvf_xdp_setup(struct nicvf *nic, struct bpf_prog *prog)
3155 + if (nic->xdp_prog) {
3156 + /* Attach BPF program */
3157 + nic->xdp_prog = bpf_prog_add(nic->xdp_prog, nic->rx_queues - 1);
3158 +- if (!IS_ERR(nic->xdp_prog))
3159 ++ if (!IS_ERR(nic->xdp_prog)) {
3160 + bpf_attached = true;
3161 ++ } else {
3162 ++ ret = PTR_ERR(nic->xdp_prog);
3163 ++ nic->xdp_prog = NULL;
3164 ++ }
3165 + }
3166 +
3167 + /* Calculate Tx queues needed for XDP and network stack */
3168 +@@ -1830,7 +1835,7 @@ static int nicvf_xdp_setup(struct nicvf *nic, struct bpf_prog *prog)
3169 + netif_trans_update(nic->netdev);
3170 + }
3171 +
3172 +- return 0;
3173 ++ return ret;
3174 + }
3175 +
3176 + static int nicvf_xdp(struct net_device *netdev, struct netdev_bpf *xdp)
3177 +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
3178 +index 187a249ff2d1..fcaf18fa3904 100644
3179 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
3180 ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
3181 +@@ -585,10 +585,12 @@ static void nicvf_free_snd_queue(struct nicvf *nic, struct snd_queue *sq)
3182 + if (!sq->dmem.base)
3183 + return;
3184 +
3185 +- if (sq->tso_hdrs)
3186 ++ if (sq->tso_hdrs) {
3187 + dma_free_coherent(&nic->pdev->dev,
3188 + sq->dmem.q_len * TSO_HEADER_SIZE,
3189 + sq->tso_hdrs, sq->tso_hdrs_phys);
3190 ++ sq->tso_hdrs = NULL;
3191 ++ }
3192 +
3193 + /* Free pending skbs in the queue */
3194 + smp_rmb();
3195 +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
3196 +index 1c9ad3630c77..dfd1ad0b1cb9 100644
3197 +--- a/drivers/net/ethernet/cortina/gemini.c
3198 ++++ b/drivers/net/ethernet/cortina/gemini.c
3199 +@@ -661,7 +661,7 @@ static void gmac_clean_txq(struct net_device *netdev, struct gmac_txq *txq,
3200 +
3201 + u64_stats_update_begin(&port->tx_stats_syncp);
3202 + port->tx_frag_stats[nfrags]++;
3203 +- u64_stats_update_end(&port->ir_stats_syncp);
3204 ++ u64_stats_update_end(&port->tx_stats_syncp);
3205 + }
3206 + }
3207 +
3208 +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
3209 +index 001b5f714c1b..aaedf1072460 100644
3210 +--- a/drivers/net/ethernet/microchip/lan743x_main.c
3211 ++++ b/drivers/net/ethernet/microchip/lan743x_main.c
3212 +@@ -1675,7 +1675,7 @@ static int lan743x_tx_napi_poll(struct napi_struct *napi, int weight)
3213 + netif_wake_queue(adapter->netdev);
3214 + }
3215 +
3216 +- if (!napi_complete_done(napi, weight))
3217 ++ if (!napi_complete(napi))
3218 + goto done;
3219 +
3220 + /* enable isr */
3221 +@@ -1684,7 +1684,7 @@ static int lan743x_tx_napi_poll(struct napi_struct *napi, int weight)
3222 + lan743x_csr_read(adapter, INT_STS);
3223 +
3224 + done:
3225 +- return weight;
3226 ++ return 0;
3227 + }
3228 +
3229 + static void lan743x_tx_ring_cleanup(struct lan743x_tx *tx)
3230 +@@ -1873,9 +1873,9 @@ static int lan743x_tx_open(struct lan743x_tx *tx)
3231 + tx->vector_flags = lan743x_intr_get_vector_flags(adapter,
3232 + INT_BIT_DMA_TX_
3233 + (tx->channel_number));
3234 +- netif_napi_add(adapter->netdev,
3235 +- &tx->napi, lan743x_tx_napi_poll,
3236 +- tx->ring_size - 1);
3237 ++ netif_tx_napi_add(adapter->netdev,
3238 ++ &tx->napi, lan743x_tx_napi_poll,
3239 ++ tx->ring_size - 1);
3240 + napi_enable(&tx->napi);
3241 +
3242 + data = 0;
3243 +@@ -3020,6 +3020,7 @@ static const struct dev_pm_ops lan743x_pm_ops = {
3244 +
3245 + static const struct pci_device_id lan743x_pcidev_tbl[] = {
3246 + { PCI_DEVICE(PCI_VENDOR_ID_SMSC, PCI_DEVICE_ID_SMSC_LAN7430) },
3247 ++ { PCI_DEVICE(PCI_VENDOR_ID_SMSC, PCI_DEVICE_ID_SMSC_LAN7431) },
3248 + { 0, }
3249 + };
3250 +
3251 +diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h
3252 +index 0e82b6368798..2d6eea18973e 100644
3253 +--- a/drivers/net/ethernet/microchip/lan743x_main.h
3254 ++++ b/drivers/net/ethernet/microchip/lan743x_main.h
3255 +@@ -548,6 +548,7 @@ struct lan743x_adapter;
3256 + /* SMSC acquired EFAR late 1990's, MCHP acquired SMSC 2012 */
3257 + #define PCI_VENDOR_ID_SMSC PCI_VENDOR_ID_EFAR
3258 + #define PCI_DEVICE_ID_SMSC_LAN7430 (0x7430)
3259 ++#define PCI_DEVICE_ID_SMSC_LAN7431 (0x7431)
3260 +
3261 + #define PCI_CONFIG_LENGTH (0x1000)
3262 +
3263 +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
3264 +index 19ab8a7d1e48..733e35b7c4bb 100644
3265 +--- a/drivers/net/phy/phy_device.c
3266 ++++ b/drivers/net/phy/phy_device.c
3267 +@@ -1930,6 +1930,14 @@ int phy_driver_register(struct phy_driver *new_driver, struct module *owner)
3268 + new_driver->mdiodrv.driver.remove = phy_remove;
3269 + new_driver->mdiodrv.driver.owner = owner;
3270 +
3271 ++ /* The following works around an issue where the PHY driver doesn't bind
3272 ++ * to the device, resulting in the genphy driver being used instead of
3273 ++ * the dedicated driver. The root cause of the issue isn't known yet
3274 ++ * and seems to be in the base driver core. Once this is fixed we may
3275 ++ * remove this workaround.
3276 ++ */
3277 ++ new_driver->mdiodrv.driver.probe_type = PROBE_FORCE_SYNCHRONOUS;
3278 ++
3279 + retval = driver_register(&new_driver->mdiodrv.driver);
3280 + if (retval) {
3281 + pr_err("%s: Error %d in registering driver\n",
3282 +diff --git a/drivers/net/rionet.c b/drivers/net/rionet.c
3283 +index e9f101c9bae2..bfbb39f93554 100644
3284 +--- a/drivers/net/rionet.c
3285 ++++ b/drivers/net/rionet.c
3286 +@@ -216,9 +216,9 @@ static int rionet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
3287 + * it just report sending a packet to the target
3288 + * (without actual packet transfer).
3289 + */
3290 +- dev_kfree_skb_any(skb);
3291 + ndev->stats.tx_packets++;
3292 + ndev->stats.tx_bytes += skb->len;
3293 ++ dev_kfree_skb_any(skb);
3294 + }
3295 + }
3296 +
3297 +diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
3298 +index 7275761a1177..3d8a70d3ea9b 100644
3299 +--- a/drivers/net/usb/ipheth.c
3300 ++++ b/drivers/net/usb/ipheth.c
3301 +@@ -140,7 +140,6 @@ struct ipheth_device {
3302 + struct usb_device *udev;
3303 + struct usb_interface *intf;
3304 + struct net_device *net;
3305 +- struct sk_buff *tx_skb;
3306 + struct urb *tx_urb;
3307 + struct urb *rx_urb;
3308 + unsigned char *tx_buf;
3309 +@@ -230,6 +229,7 @@ static void ipheth_rcvbulk_callback(struct urb *urb)
3310 + case -ENOENT:
3311 + case -ECONNRESET:
3312 + case -ESHUTDOWN:
3313 ++ case -EPROTO:
3314 + return;
3315 + case 0:
3316 + break;
3317 +@@ -281,7 +281,6 @@ static void ipheth_sndbulk_callback(struct urb *urb)
3318 + dev_err(&dev->intf->dev, "%s: urb status: %d\n",
3319 + __func__, status);
3320 +
3321 +- dev_kfree_skb_irq(dev->tx_skb);
3322 + if (status == 0)
3323 + netif_wake_queue(dev->net);
3324 + else
3325 +@@ -423,7 +422,7 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net)
3326 + if (skb->len > IPHETH_BUF_SIZE) {
3327 + WARN(1, "%s: skb too large: %d bytes\n", __func__, skb->len);
3328 + dev->net->stats.tx_dropped++;
3329 +- dev_kfree_skb_irq(skb);
3330 ++ dev_kfree_skb_any(skb);
3331 + return NETDEV_TX_OK;
3332 + }
3333 +
3334 +@@ -443,12 +442,11 @@ static int ipheth_tx(struct sk_buff *skb, struct net_device *net)
3335 + dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n",
3336 + __func__, retval);
3337 + dev->net->stats.tx_errors++;
3338 +- dev_kfree_skb_irq(skb);
3339 ++ dev_kfree_skb_any(skb);
3340 + } else {
3341 +- dev->tx_skb = skb;
3342 +-
3343 + dev->net->stats.tx_packets++;
3344 + dev->net->stats.tx_bytes += skb->len;
3345 ++ dev_consume_skb_any(skb);
3346 + netif_stop_queue(net);
3347 + }
3348 +
3349 +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
3350 +index ddfa3f24204c..c2ca6cd3fbe0 100644
3351 +--- a/drivers/net/virtio_net.c
3352 ++++ b/drivers/net/virtio_net.c
3353 +@@ -70,7 +70,8 @@ static const unsigned long guest_offloads[] = {
3354 + VIRTIO_NET_F_GUEST_TSO4,
3355 + VIRTIO_NET_F_GUEST_TSO6,
3356 + VIRTIO_NET_F_GUEST_ECN,
3357 +- VIRTIO_NET_F_GUEST_UFO
3358 ++ VIRTIO_NET_F_GUEST_UFO,
3359 ++ VIRTIO_NET_F_GUEST_CSUM
3360 + };
3361 +
3362 + struct virtnet_stat_desc {
3363 +@@ -2285,9 +2286,6 @@ static int virtnet_clear_guest_offloads(struct virtnet_info *vi)
3364 + if (!vi->guest_offloads)
3365 + return 0;
3366 +
3367 +- if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_CSUM))
3368 +- offloads = 1ULL << VIRTIO_NET_F_GUEST_CSUM;
3369 +-
3370 + return virtnet_set_guest_offloads(vi, offloads);
3371 + }
3372 +
3373 +@@ -2297,8 +2295,6 @@ static int virtnet_restore_guest_offloads(struct virtnet_info *vi)
3374 +
3375 + if (!vi->guest_offloads)
3376 + return 0;
3377 +- if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_CSUM))
3378 +- offloads |= 1ULL << VIRTIO_NET_F_GUEST_CSUM;
3379 +
3380 + return virtnet_set_guest_offloads(vi, offloads);
3381 + }
3382 +@@ -2316,8 +2312,9 @@ static int virtnet_xdp_set(struct net_device *dev, struct bpf_prog *prog,
3383 + && (virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_TSO4) ||
3384 + virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_TSO6) ||
3385 + virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_ECN) ||
3386 +- virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_UFO))) {
3387 +- NL_SET_ERR_MSG_MOD(extack, "Can't set XDP while host is implementing LRO, disable LRO first");
3388 ++ virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_UFO) ||
3389 ++ virtio_has_feature(vi->vdev, VIRTIO_NET_F_GUEST_CSUM))) {
3390 ++ NL_SET_ERR_MSG_MOD(extack, "Can't set XDP while host is implementing LRO/CSUM, disable LRO/CSUM first");
3391 + return -EOPNOTSUPP;
3392 + }
3393 +
3394 +diff --git a/drivers/pci/controller/dwc/pci-layerscape.c b/drivers/pci/controller/dwc/pci-layerscape.c
3395 +index 3724d3ef7008..7aa9a82b7ebd 100644
3396 +--- a/drivers/pci/controller/dwc/pci-layerscape.c
3397 ++++ b/drivers/pci/controller/dwc/pci-layerscape.c
3398 +@@ -88,7 +88,7 @@ static void ls_pcie_disable_outbound_atus(struct ls_pcie *pcie)
3399 + int i;
3400 +
3401 + for (i = 0; i < PCIE_IATU_NUM; i++)
3402 +- dw_pcie_disable_atu(pcie->pci, DW_PCIE_REGION_OUTBOUND, i);
3403 ++ dw_pcie_disable_atu(pcie->pci, i, DW_PCIE_REGION_OUTBOUND);
3404 + }
3405 +
3406 + static int ls1021_pcie_link_up(struct dw_pcie *pci)
3407 +diff --git a/drivers/pci/controller/dwc/pcie-designware-ep.c b/drivers/pci/controller/dwc/pcie-designware-ep.c
3408 +index 1e7b02221eac..de8635af4cde 100644
3409 +--- a/drivers/pci/controller/dwc/pcie-designware-ep.c
3410 ++++ b/drivers/pci/controller/dwc/pcie-designware-ep.c
3411 +@@ -440,7 +440,6 @@ int dw_pcie_ep_raise_msix_irq(struct dw_pcie_ep *ep, u8 func_no,
3412 + tbl_offset = dw_pcie_readl_dbi(pci, reg);
3413 + bir = (tbl_offset & PCI_MSIX_TABLE_BIR);
3414 + tbl_offset &= PCI_MSIX_TABLE_OFFSET;
3415 +- tbl_offset >>= 3;
3416 +
3417 + reg = PCI_BASE_ADDRESS_0 + (4 * bir);
3418 + bar_addr_upper = 0;
3419 +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
3420 +index 51b6c81671c1..afc4680c584f 100644
3421 +--- a/drivers/pci/pci.c
3422 ++++ b/drivers/pci/pci.c
3423 +@@ -5473,9 +5473,13 @@ enum pci_bus_speed pcie_get_speed_cap(struct pci_dev *dev)
3424 + u32 lnkcap2, lnkcap;
3425 +
3426 + /*
3427 +- * PCIe r4.0 sec 7.5.3.18 recommends using the Supported Link
3428 +- * Speeds Vector in Link Capabilities 2 when supported, falling
3429 +- * back to Max Link Speed in Link Capabilities otherwise.
3430 ++ * Link Capabilities 2 was added in PCIe r3.0, sec 7.8.18. The
3431 ++ * implementation note there recommends using the Supported Link
3432 ++ * Speeds Vector in Link Capabilities 2 when supported.
3433 ++ *
3434 ++ * Without Link Capabilities 2, i.e., prior to PCIe r3.0, software
3435 ++ * should use the Supported Link Speeds field in Link Capabilities,
3436 ++ * where only 2.5 GT/s and 5.0 GT/s speeds were defined.
3437 + */
3438 + pcie_capability_read_dword(dev, PCI_EXP_LNKCAP2, &lnkcap2);
3439 + if (lnkcap2) { /* PCIe r3.0-compliant */
3440 +@@ -5491,16 +5495,10 @@ enum pci_bus_speed pcie_get_speed_cap(struct pci_dev *dev)
3441 + }
3442 +
3443 + pcie_capability_read_dword(dev, PCI_EXP_LNKCAP, &lnkcap);
3444 +- if (lnkcap) {
3445 +- if (lnkcap & PCI_EXP_LNKCAP_SLS_16_0GB)
3446 +- return PCIE_SPEED_16_0GT;
3447 +- else if (lnkcap & PCI_EXP_LNKCAP_SLS_8_0GB)
3448 +- return PCIE_SPEED_8_0GT;
3449 +- else if (lnkcap & PCI_EXP_LNKCAP_SLS_5_0GB)
3450 +- return PCIE_SPEED_5_0GT;
3451 +- else if (lnkcap & PCI_EXP_LNKCAP_SLS_2_5GB)
3452 +- return PCIE_SPEED_2_5GT;
3453 +- }
3454 ++ if ((lnkcap & PCI_EXP_LNKCAP_SLS) == PCI_EXP_LNKCAP_SLS_5_0GB)
3455 ++ return PCIE_SPEED_5_0GT;
3456 ++ else if ((lnkcap & PCI_EXP_LNKCAP_SLS) == PCI_EXP_LNKCAP_SLS_2_5GB)
3457 ++ return PCIE_SPEED_2_5GT;
3458 +
3459 + return PCI_SPEED_UNKNOWN;
3460 + }
3461 +diff --git a/drivers/rtc/rtc-hid-sensor-time.c b/drivers/rtc/rtc-hid-sensor-time.c
3462 +index 2751dba850c6..3e1abb455472 100644
3463 +--- a/drivers/rtc/rtc-hid-sensor-time.c
3464 ++++ b/drivers/rtc/rtc-hid-sensor-time.c
3465 +@@ -213,7 +213,7 @@ static int hid_rtc_read_time(struct device *dev, struct rtc_time *tm)
3466 + /* get a report with all values through requesting one value */
3467 + sensor_hub_input_attr_get_raw_value(time_state->common_attributes.hsdev,
3468 + HID_USAGE_SENSOR_TIME, hid_time_addresses[0],
3469 +- time_state->info[0].report_id, SENSOR_HUB_SYNC);
3470 ++ time_state->info[0].report_id, SENSOR_HUB_SYNC, false);
3471 + /* wait for all values (event) */
3472 + ret = wait_for_completion_killable_timeout(
3473 + &time_state->comp_last_time, HZ*6);
3474 +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
3475 +index ffce6f39828a..b03515d43745 100644
3476 +--- a/drivers/s390/net/qeth_core_main.c
3477 ++++ b/drivers/s390/net/qeth_core_main.c
3478 +@@ -4524,8 +4524,8 @@ static int qeth_snmp_command_cb(struct qeth_card *card,
3479 + {
3480 + struct qeth_ipa_cmd *cmd;
3481 + struct qeth_arp_query_info *qinfo;
3482 +- struct qeth_snmp_cmd *snmp;
3483 + unsigned char *data;
3484 ++ void *snmp_data;
3485 + __u16 data_len;
3486 +
3487 + QETH_CARD_TEXT(card, 3, "snpcmdcb");
3488 +@@ -4533,7 +4533,6 @@ static int qeth_snmp_command_cb(struct qeth_card *card,
3489 + cmd = (struct qeth_ipa_cmd *) sdata;
3490 + data = (unsigned char *)((char *)cmd - reply->offset);
3491 + qinfo = (struct qeth_arp_query_info *) reply->param;
3492 +- snmp = &cmd->data.setadapterparms.data.snmp;
3493 +
3494 + if (cmd->hdr.return_code) {
3495 + QETH_CARD_TEXT_(card, 4, "scer1%x", cmd->hdr.return_code);
3496 +@@ -4546,10 +4545,15 @@ static int qeth_snmp_command_cb(struct qeth_card *card,
3497 + return 0;
3498 + }
3499 + data_len = *((__u16 *)QETH_IPA_PDU_LEN_PDU1(data));
3500 +- if (cmd->data.setadapterparms.hdr.seq_no == 1)
3501 +- data_len -= (__u16)((char *)&snmp->data - (char *)cmd);
3502 +- else
3503 +- data_len -= (__u16)((char *)&snmp->request - (char *)cmd);
3504 ++ if (cmd->data.setadapterparms.hdr.seq_no == 1) {
3505 ++ snmp_data = &cmd->data.setadapterparms.data.snmp;
3506 ++ data_len -= offsetof(struct qeth_ipa_cmd,
3507 ++ data.setadapterparms.data.snmp);
3508 ++ } else {
3509 ++ snmp_data = &cmd->data.setadapterparms.data.snmp.request;
3510 ++ data_len -= offsetof(struct qeth_ipa_cmd,
3511 ++ data.setadapterparms.data.snmp.request);
3512 ++ }
3513 +
3514 + /* check if there is enough room in userspace */
3515 + if ((qinfo->udata_len - qinfo->udata_offset) < data_len) {
3516 +@@ -4562,16 +4566,9 @@ static int qeth_snmp_command_cb(struct qeth_card *card,
3517 + QETH_CARD_TEXT_(card, 4, "sseqn%i",
3518 + cmd->data.setadapterparms.hdr.seq_no);
3519 + /*copy entries to user buffer*/
3520 +- if (cmd->data.setadapterparms.hdr.seq_no == 1) {
3521 +- memcpy(qinfo->udata + qinfo->udata_offset,
3522 +- (char *)snmp,
3523 +- data_len + offsetof(struct qeth_snmp_cmd, data));
3524 +- qinfo->udata_offset += offsetof(struct qeth_snmp_cmd, data);
3525 +- } else {
3526 +- memcpy(qinfo->udata + qinfo->udata_offset,
3527 +- (char *)&snmp->request, data_len);
3528 +- }
3529 ++ memcpy(qinfo->udata + qinfo->udata_offset, snmp_data, data_len);
3530 + qinfo->udata_offset += data_len;
3531 ++
3532 + /* check if all replies received ... */
3533 + QETH_CARD_TEXT_(card, 4, "srtot%i",
3534 + cmd->data.setadapterparms.hdr.used_total);
3535 +diff --git a/drivers/staging/most/core.c b/drivers/staging/most/core.c
3536 +index f4c464625a67..52ad62722996 100644
3537 +--- a/drivers/staging/most/core.c
3538 ++++ b/drivers/staging/most/core.c
3539 +@@ -351,7 +351,7 @@ static ssize_t set_datatype_show(struct device *dev,
3540 +
3541 + for (i = 0; i < ARRAY_SIZE(ch_data_type); i++) {
3542 + if (c->cfg.data_type & ch_data_type[i].most_ch_data_type)
3543 +- return snprintf(buf, PAGE_SIZE, ch_data_type[i].name);
3544 ++ return snprintf(buf, PAGE_SIZE, "%s", ch_data_type[i].name);
3545 + }
3546 + return snprintf(buf, PAGE_SIZE, "unconfigured\n");
3547 + }
3548 +diff --git a/drivers/staging/mt7621-dma/mtk-hsdma.c b/drivers/staging/mt7621-dma/mtk-hsdma.c
3549 +index df6ebf41bdea..5831f816c17b 100644
3550 +--- a/drivers/staging/mt7621-dma/mtk-hsdma.c
3551 ++++ b/drivers/staging/mt7621-dma/mtk-hsdma.c
3552 +@@ -335,6 +335,8 @@ static int mtk_hsdma_start_transfer(struct mtk_hsdam_engine *hsdma,
3553 + /* tx desc */
3554 + src = sg->src_addr;
3555 + for (i = 0; i < chan->desc->num_sgs; i++) {
3556 ++ tx_desc = &chan->tx_ring[chan->tx_idx];
3557 ++
3558 + if (len > HSDMA_MAX_PLEN)
3559 + tlen = HSDMA_MAX_PLEN;
3560 + else
3561 +@@ -344,7 +346,6 @@ static int mtk_hsdma_start_transfer(struct mtk_hsdam_engine *hsdma,
3562 + tx_desc->addr1 = src;
3563 + tx_desc->flags |= HSDMA_DESC_PLEN1(tlen);
3564 + } else {
3565 +- tx_desc = &chan->tx_ring[chan->tx_idx];
3566 + tx_desc->addr0 = src;
3567 + tx_desc->flags = HSDMA_DESC_PLEN0(tlen);
3568 +
3569 +diff --git a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
3570 +index b8566ed898f1..aa98fbb17013 100644
3571 +--- a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
3572 ++++ b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
3573 +@@ -82,7 +82,7 @@ static int rt2880_pinctrl_dt_node_to_map(struct pinctrl_dev *pctrldev,
3574 + struct property *prop;
3575 + const char *function_name, *group_name;
3576 + int ret;
3577 +- int ngroups;
3578 ++ int ngroups = 0;
3579 + unsigned int reserved_maps = 0;
3580 +
3581 + for_each_node_with_property(np_config, "group")
3582 +diff --git a/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c b/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
3583 +index 85077947b9b8..85aba8a503cd 100644
3584 +--- a/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
3585 ++++ b/drivers/staging/rtl8723bs/hal/rtl8723bs_recv.c
3586 +@@ -109,12 +109,12 @@ static void update_recvframe_phyinfo(union recv_frame *precvframe,
3587 + rx_bssid = get_hdr_bssid(wlanhdr);
3588 + pkt_info.bssid_match = ((!IsFrameTypeCtrl(wlanhdr)) &&
3589 + !pattrib->icv_err && !pattrib->crc_err &&
3590 +- !ether_addr_equal(rx_bssid, my_bssid));
3591 ++ ether_addr_equal(rx_bssid, my_bssid));
3592 +
3593 + rx_ra = get_ra(wlanhdr);
3594 + my_hwaddr = myid(&padapter->eeprompriv);
3595 + pkt_info.to_self = pkt_info.bssid_match &&
3596 +- !ether_addr_equal(rx_ra, my_hwaddr);
3597 ++ ether_addr_equal(rx_ra, my_hwaddr);
3598 +
3599 +
3600 + pkt_info.is_beacon = pkt_info.bssid_match &&
3601 +diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
3602 +index af2234798fa8..db553f2e4c0b 100644
3603 +--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
3604 ++++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
3605 +@@ -1277,7 +1277,7 @@ static int cfg80211_rtw_get_station(struct wiphy *wiphy,
3606 +
3607 + sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
3608 + sinfo->tx_packets = psta->sta_stats.tx_pkts;
3609 +-
3610 ++ sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
3611 + }
3612 +
3613 + /* for Ad-Hoc/AP mode */
3614 +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
3615 +index bc05c69383b8..fe431302a030 100644
3616 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
3617 ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
3618 +@@ -1787,6 +1787,7 @@ vchiq_compat_ioctl_await_completion(struct file *file,
3619 + struct vchiq_await_completion32 args32;
3620 + struct vchiq_completion_data32 completion32;
3621 + unsigned int *msgbufcount32;
3622 ++ unsigned int msgbufcount_native;
3623 + compat_uptr_t msgbuf32;
3624 + void *msgbuf;
3625 + void **msgbufptr;
3626 +@@ -1898,7 +1899,11 @@ vchiq_compat_ioctl_await_completion(struct file *file,
3627 + sizeof(completion32)))
3628 + return -EFAULT;
3629 +
3630 +- args32.msgbufcount--;
3631 ++ if (get_user(msgbufcount_native, &args->msgbufcount))
3632 ++ return -EFAULT;
3633 ++
3634 ++ if (!msgbufcount_native)
3635 ++ args32.msgbufcount--;
3636 +
3637 + msgbufcount32 =
3638 + &((struct vchiq_await_completion32 __user *)arg)->msgbufcount;
3639 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
3640 +index f9ff03e6af93..0690fcff0ea2 100644
3641 +--- a/drivers/usb/core/quirks.c
3642 ++++ b/drivers/usb/core/quirks.c
3643 +@@ -209,6 +209,9 @@ static const struct usb_device_id usb_quirk_list[] = {
3644 + /* Microsoft LifeCam-VX700 v2.0 */
3645 + { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
3646 +
3647 ++ /* Cherry Stream G230 2.0 (G85-231) and 3.0 (G85-232) */
3648 ++ { USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME },
3649 ++
3650 + /* Logitech HD Pro Webcams C920, C920-C, C925e and C930e */
3651 + { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT },
3652 + { USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT },
3653 +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
3654 +index 2de1a3971a26..558949b826d0 100644
3655 +--- a/drivers/usb/dwc3/gadget.c
3656 ++++ b/drivers/usb/dwc3/gadget.c
3657 +@@ -1461,9 +1461,6 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol)
3658 + unsigned transfer_in_flight;
3659 + unsigned started;
3660 +
3661 +- if (dep->flags & DWC3_EP_STALL)
3662 +- return 0;
3663 +-
3664 + if (dep->number > 1)
3665 + trb = dwc3_ep_prev_trb(dep, dep->trb_enqueue);
3666 + else
3667 +@@ -1485,8 +1482,6 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol)
3668 + else
3669 + dep->flags |= DWC3_EP_STALL;
3670 + } else {
3671 +- if (!(dep->flags & DWC3_EP_STALL))
3672 +- return 0;
3673 +
3674 + ret = dwc3_send_clear_stall_ep_cmd(dep);
3675 + if (ret)
3676 +diff --git a/drivers/usb/storage/unusual_realtek.h b/drivers/usb/storage/unusual_realtek.h
3677 +index d17cd95b55bb..6b2140f966ef 100644
3678 +--- a/drivers/usb/storage/unusual_realtek.h
3679 ++++ b/drivers/usb/storage/unusual_realtek.h
3680 +@@ -27,4 +27,14 @@ UNUSUAL_DEV(0x0bda, 0x0159, 0x0000, 0x9999,
3681 + "USB Card Reader",
3682 + USB_SC_DEVICE, USB_PR_DEVICE, init_realtek_cr, 0),
3683 +
3684 ++UNUSUAL_DEV(0x0bda, 0x0177, 0x0000, 0x9999,
3685 ++ "Realtek",
3686 ++ "USB Card Reader",
3687 ++ USB_SC_DEVICE, USB_PR_DEVICE, init_realtek_cr, 0),
3688 ++
3689 ++UNUSUAL_DEV(0x0bda, 0x0184, 0x0000, 0x9999,
3690 ++ "Realtek",
3691 ++ "USB Card Reader",
3692 ++ USB_SC_DEVICE, USB_PR_DEVICE, init_realtek_cr, 0),
3693 ++
3694 + #endif /* defined(CONFIG_USB_STORAGE_REALTEK) || ... */
3695 +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
3696 +index dc52ce5e495f..834a3f5ef642 100644
3697 +--- a/fs/btrfs/disk-io.c
3698 ++++ b/fs/btrfs/disk-io.c
3699 +@@ -477,9 +477,9 @@ static int btree_read_extent_buffer_pages(struct btrfs_fs_info *fs_info,
3700 + int mirror_num = 0;
3701 + int failed_mirror = 0;
3702 +
3703 +- clear_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags);
3704 + io_tree = &BTRFS_I(fs_info->btree_inode)->io_tree;
3705 + while (1) {
3706 ++ clear_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags);
3707 + ret = read_extent_buffer_pages(io_tree, eb, WAIT_COMPLETE,
3708 + mirror_num);
3709 + if (!ret) {
3710 +@@ -493,15 +493,6 @@ static int btree_read_extent_buffer_pages(struct btrfs_fs_info *fs_info,
3711 + break;
3712 + }
3713 +
3714 +- /*
3715 +- * This buffer's crc is fine, but its contents are corrupted, so
3716 +- * there is no reason to read the other copies, they won't be
3717 +- * any less wrong.
3718 +- */
3719 +- if (test_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags) ||
3720 +- ret == -EUCLEAN)
3721 +- break;
3722 +-
3723 + num_copies = btrfs_num_copies(fs_info,
3724 + eb->start, eb->len);
3725 + if (num_copies == 1)
3726 +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
3727 +index 7d81cc415264..ca4902c66dc4 100644
3728 +--- a/fs/btrfs/file.c
3729 ++++ b/fs/btrfs/file.c
3730 +@@ -2088,6 +2088,30 @@ int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
3731 +
3732 + atomic_inc(&root->log_batch);
3733 +
3734 ++ /*
3735 ++ * Before we acquired the inode's lock, someone may have dirtied more
3736 ++ * pages in the target range. We need to make sure that writeback for
3737 ++ * any such pages does not start while we are logging the inode, because
3738 ++ * if it does, any of the following might happen when we are not doing a
3739 ++ * full inode sync:
3740 ++ *
3741 ++ * 1) We log an extent after its writeback finishes but before its
3742 ++ * checksums are added to the csum tree, leading to -EIO errors
3743 ++ * when attempting to read the extent after a log replay.
3744 ++ *
3745 ++ * 2) We can end up logging an extent before its writeback finishes.
3746 ++ * Therefore after the log replay we will have a file extent item
3747 ++ * pointing to an unwritten extent (and no data checksums as well).
3748 ++ *
3749 ++ * So trigger writeback for any eventual new dirty pages and then we
3750 ++ * wait for all ordered extents to complete below.
3751 ++ */
3752 ++ ret = start_ordered_ops(inode, start, end);
3753 ++ if (ret) {
3754 ++ inode_unlock(inode);
3755 ++ goto out;
3756 ++ }
3757 ++
3758 + /*
3759 + * We have to do this here to avoid the priority inversion of waiting on
3760 + * IO of a lower priority task while holding a transaciton open.
3761 +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
3762 +index b070401406be..ff434663d65b 100644
3763 +--- a/fs/btrfs/qgroup.c
3764 ++++ b/fs/btrfs/qgroup.c
3765 +@@ -2244,7 +2244,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
3766 + int i;
3767 + u64 *i_qgroups;
3768 + struct btrfs_fs_info *fs_info = trans->fs_info;
3769 +- struct btrfs_root *quota_root = fs_info->quota_root;
3770 ++ struct btrfs_root *quota_root;
3771 + struct btrfs_qgroup *srcgroup;
3772 + struct btrfs_qgroup *dstgroup;
3773 + u32 level_size = 0;
3774 +@@ -2254,6 +2254,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
3775 + if (!test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags))
3776 + goto out;
3777 +
3778 ++ quota_root = fs_info->quota_root;
3779 + if (!quota_root) {
3780 + ret = -EINVAL;
3781 + goto out;
3782 +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
3783 +index 60bf8dfe7df4..0526b6c473c7 100644
3784 +--- a/fs/btrfs/relocation.c
3785 ++++ b/fs/btrfs/relocation.c
3786 +@@ -3963,6 +3963,7 @@ static noinline_for_stack int relocate_block_group(struct reloc_control *rc)
3787 + restart:
3788 + if (update_backref_cache(trans, &rc->backref_cache)) {
3789 + btrfs_end_transaction(trans);
3790 ++ trans = NULL;
3791 + continue;
3792 + }
3793 +
3794 +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
3795 +index 6601c9aa5e35..8ad145820ea8 100644
3796 +--- a/fs/btrfs/super.c
3797 ++++ b/fs/btrfs/super.c
3798 +@@ -2235,6 +2235,7 @@ static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
3799 + vol = memdup_user((void __user *)arg, sizeof(*vol));
3800 + if (IS_ERR(vol))
3801 + return PTR_ERR(vol);
3802 ++ vol->name[BTRFS_PATH_NAME_MAX] = '\0';
3803 +
3804 + switch (cmd) {
3805 + case BTRFS_IOC_SCAN_DEV:
3806 +diff --git a/fs/direct-io.c b/fs/direct-io.c
3807 +index 093fb54cd316..199146036093 100644
3808 +--- a/fs/direct-io.c
3809 ++++ b/fs/direct-io.c
3810 +@@ -325,8 +325,8 @@ static ssize_t dio_complete(struct dio *dio, ssize_t ret, unsigned int flags)
3811 + */
3812 + dio->iocb->ki_pos += transferred;
3813 +
3814 +- if (dio->op == REQ_OP_WRITE)
3815 +- ret = generic_write_sync(dio->iocb, transferred);
3816 ++ if (ret > 0 && dio->op == REQ_OP_WRITE)
3817 ++ ret = generic_write_sync(dio->iocb, ret);
3818 + dio->iocb->ki_complete(dio->iocb, ret, 0);
3819 + }
3820 +
3821 +diff --git a/fs/ext2/super.c b/fs/ext2/super.c
3822 +index 73bd58fa13de..0c38e31ec938 100644
3823 +--- a/fs/ext2/super.c
3824 ++++ b/fs/ext2/super.c
3825 +@@ -895,6 +895,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
3826 + if (sb->s_magic != EXT2_SUPER_MAGIC)
3827 + goto cantfind_ext2;
3828 +
3829 ++ opts.s_mount_opt = 0;
3830 + /* Set defaults before we parse the mount options */
3831 + def_mount_opts = le32_to_cpu(es->s_default_mount_opts);
3832 + if (def_mount_opts & EXT2_DEFM_DEBUG)
3833 +diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
3834 +index 62d9a659a8ff..dd8f10db82e9 100644
3835 +--- a/fs/ext2/xattr.c
3836 ++++ b/fs/ext2/xattr.c
3837 +@@ -612,9 +612,9 @@ skip_replace:
3838 + }
3839 +
3840 + cleanup:
3841 +- brelse(bh);
3842 + if (!(bh && header == HDR(bh)))
3843 + kfree(header);
3844 ++ brelse(bh);
3845 + up_write(&EXT2_I(inode)->xattr_sem);
3846 +
3847 + return error;
3848 +diff --git a/fs/udf/super.c b/fs/udf/super.c
3849 +index b997e3116e37..c495db7165ae 100644
3850 +--- a/fs/udf/super.c
3851 ++++ b/fs/udf/super.c
3852 +@@ -831,16 +831,20 @@ static int udf_load_pvoldesc(struct super_block *sb, sector_t block)
3853 +
3854 +
3855 + ret = udf_dstrCS0toChar(sb, outstr, 31, pvoldesc->volIdent, 32);
3856 +- if (ret < 0)
3857 +- goto out_bh;
3858 +-
3859 +- strncpy(UDF_SB(sb)->s_volume_ident, outstr, ret);
3860 ++ if (ret < 0) {
3861 ++ strcpy(UDF_SB(sb)->s_volume_ident, "InvalidName");
3862 ++ pr_warn("incorrect volume identification, setting to "
3863 ++ "'InvalidName'\n");
3864 ++ } else {
3865 ++ strncpy(UDF_SB(sb)->s_volume_ident, outstr, ret);
3866 ++ }
3867 + udf_debug("volIdent[] = '%s'\n", UDF_SB(sb)->s_volume_ident);
3868 +
3869 + ret = udf_dstrCS0toChar(sb, outstr, 127, pvoldesc->volSetIdent, 128);
3870 +- if (ret < 0)
3871 ++ if (ret < 0) {
3872 ++ ret = 0;
3873 + goto out_bh;
3874 +-
3875 ++ }
3876 + outstr[ret] = 0;
3877 + udf_debug("volSetIdent[] = '%s'\n", outstr);
3878 +
3879 +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
3880 +index 45234791fec2..5fcfa96463eb 100644
3881 +--- a/fs/udf/unicode.c
3882 ++++ b/fs/udf/unicode.c
3883 +@@ -351,6 +351,11 @@ try_again:
3884 + return u_len;
3885 + }
3886 +
3887 ++/*
3888 ++ * Convert CS0 dstring to output charset. Warning: This function may truncate
3889 ++ * input string if it is too long as it is used for informational strings only
3890 ++ * and it is better to truncate the string than to refuse mounting a media.
3891 ++ */
3892 + int udf_dstrCS0toChar(struct super_block *sb, uint8_t *utf_o, int o_len,
3893 + const uint8_t *ocu_i, int i_len)
3894 + {
3895 +@@ -359,9 +364,12 @@ int udf_dstrCS0toChar(struct super_block *sb, uint8_t *utf_o, int o_len,
3896 + if (i_len > 0) {
3897 + s_len = ocu_i[i_len - 1];
3898 + if (s_len >= i_len) {
3899 +- pr_err("incorrect dstring lengths (%d/%d)\n",
3900 +- s_len, i_len);
3901 +- return -EINVAL;
3902 ++ pr_warn("incorrect dstring lengths (%d/%d),"
3903 ++ " truncating\n", s_len, i_len);
3904 ++ s_len = i_len - 1;
3905 ++ /* 2-byte encoding? Need to round properly... */
3906 ++ if (ocu_i[0] == 16)
3907 ++ s_len -= (s_len - 1) & 2;
3908 + }
3909 + }
3910 +
3911 +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
3912 +index 356d2b8568c1..cd58939dc977 100644
3913 +--- a/fs/userfaultfd.c
3914 ++++ b/fs/userfaultfd.c
3915 +@@ -1361,6 +1361,19 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
3916 + ret = -EINVAL;
3917 + if (!vma_can_userfault(cur))
3918 + goto out_unlock;
3919 ++
3920 ++ /*
3921 ++ * UFFDIO_COPY will fill file holes even without
3922 ++ * PROT_WRITE. This check enforces that if this is a
3923 ++ * MAP_SHARED, the process has write permission to the backing
3924 ++ * file. If VM_MAYWRITE is set it also enforces that on a
3925 ++ * MAP_SHARED vma: there is no F_WRITE_SEAL and no further
3926 ++ * F_WRITE_SEAL can be taken until the vma is destroyed.
3927 ++ */
3928 ++ ret = -EPERM;
3929 ++ if (unlikely(!(cur->vm_flags & VM_MAYWRITE)))
3930 ++ goto out_unlock;
3931 ++
3932 + /*
3933 + * If this vma contains ending address, and huge pages
3934 + * check alignment.
3935 +@@ -1406,6 +1419,7 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
3936 + BUG_ON(!vma_can_userfault(vma));
3937 + BUG_ON(vma->vm_userfaultfd_ctx.ctx &&
3938 + vma->vm_userfaultfd_ctx.ctx != ctx);
3939 ++ WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
3940 +
3941 + /*
3942 + * Nothing to do: this vma is already registered into this
3943 +@@ -1552,6 +1566,7 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
3944 + cond_resched();
3945 +
3946 + BUG_ON(!vma_can_userfault(vma));
3947 ++ WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
3948 +
3949 + /*
3950 + * Nothing to do: this vma is already registered into this
3951 +diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h
3952 +index a397907e8d72..dd16e8218db3 100644
3953 +--- a/include/linux/ftrace.h
3954 ++++ b/include/linux/ftrace.h
3955 +@@ -777,8 +777,8 @@ struct ftrace_ret_stack {
3956 + extern void return_to_handler(void);
3957 +
3958 + extern int
3959 +-ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
3960 +- unsigned long frame_pointer, unsigned long *retp);
3961 ++function_graph_enter(unsigned long ret, unsigned long func,
3962 ++ unsigned long frame_pointer, unsigned long *retp);
3963 +
3964 + unsigned long ftrace_graph_ret_addr(struct task_struct *task, int *idx,
3965 + unsigned long ret, unsigned long *retp);
3966 +diff --git a/include/linux/hid-sensor-hub.h b/include/linux/hid-sensor-hub.h
3967 +index 331dc377c275..dc12f5c4b076 100644
3968 +--- a/include/linux/hid-sensor-hub.h
3969 ++++ b/include/linux/hid-sensor-hub.h
3970 +@@ -177,6 +177,7 @@ int sensor_hub_input_get_attribute_info(struct hid_sensor_hub_device *hsdev,
3971 + * @attr_usage_id: Attribute usage id as per spec
3972 + * @report_id: Report id to look for
3973 + * @flag: Synchronous or asynchronous read
3974 ++* @is_signed: If true then fields < 32 bits will be sign-extended
3975 + *
3976 + * Issues a synchronous or asynchronous read request for an input attribute.
3977 + * Returns data upto 32 bits.
3978 +@@ -190,7 +191,8 @@ enum sensor_hub_read_flags {
3979 + int sensor_hub_input_attr_get_raw_value(struct hid_sensor_hub_device *hsdev,
3980 + u32 usage_id,
3981 + u32 attr_usage_id, u32 report_id,
3982 +- enum sensor_hub_read_flags flag
3983 ++ enum sensor_hub_read_flags flag,
3984 ++ bool is_signed
3985 + );
3986 +
3987 + /**
3988 +diff --git a/include/linux/net_dim.h b/include/linux/net_dim.h
3989 +index c79e859408e6..fd458389f7d1 100644
3990 +--- a/include/linux/net_dim.h
3991 ++++ b/include/linux/net_dim.h
3992 +@@ -406,6 +406,8 @@ static inline void net_dim(struct net_dim *dim,
3993 + }
3994 + /* fall through */
3995 + case NET_DIM_START_MEASURE:
3996 ++ net_dim_sample(end_sample.event_ctr, end_sample.pkt_ctr, end_sample.byte_ctr,
3997 ++ &dim->start_sample);
3998 + dim->state = NET_DIM_MEASURE_IN_PROGRESS;
3999 + break;
4000 + case NET_DIM_APPLY_NEW_PROFILE:
4001 +diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h
4002 +index 4f36431c380b..561feb560619 100644
4003 +--- a/include/linux/ptrace.h
4004 ++++ b/include/linux/ptrace.h
4005 +@@ -62,8 +62,8 @@ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead);
4006 + #define PTRACE_MODE_READ 0x01
4007 + #define PTRACE_MODE_ATTACH 0x02
4008 + #define PTRACE_MODE_NOAUDIT 0x04
4009 +-#define PTRACE_MODE_FSCREDS 0x08
4010 +-#define PTRACE_MODE_REALCREDS 0x10
4011 ++#define PTRACE_MODE_FSCREDS 0x08
4012 ++#define PTRACE_MODE_REALCREDS 0x10
4013 +
4014 + /* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */
4015 + #define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)
4016 +diff --git a/include/linux/sched.h b/include/linux/sched.h
4017 +index 977cb57d7bc9..4abb5bd74b04 100644
4018 +--- a/include/linux/sched.h
4019 ++++ b/include/linux/sched.h
4020 +@@ -1108,6 +1108,7 @@ struct task_struct {
4021 + #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4022 + /* Index of current stored address in ret_stack: */
4023 + int curr_ret_stack;
4024 ++ int curr_ret_depth;
4025 +
4026 + /* Stack of return addresses for return function tracing: */
4027 + struct ftrace_ret_stack *ret_stack;
4028 +@@ -1439,6 +1440,8 @@ static inline bool is_percpu_thread(void)
4029 + #define PFA_SPREAD_SLAB 2 /* Spread some slab caches over cpuset */
4030 + #define PFA_SPEC_SSB_DISABLE 3 /* Speculative Store Bypass disabled */
4031 + #define PFA_SPEC_SSB_FORCE_DISABLE 4 /* Speculative Store Bypass force disabled*/
4032 ++#define PFA_SPEC_IB_DISABLE 5 /* Indirect branch speculation restricted */
4033 ++#define PFA_SPEC_IB_FORCE_DISABLE 6 /* Indirect branch speculation permanently restricted */
4034 +
4035 + #define TASK_PFA_TEST(name, func) \
4036 + static inline bool task_##func(struct task_struct *p) \
4037 +@@ -1470,6 +1473,13 @@ TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable)
4038 + TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
4039 + TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
4040 +
4041 ++TASK_PFA_TEST(SPEC_IB_DISABLE, spec_ib_disable)
4042 ++TASK_PFA_SET(SPEC_IB_DISABLE, spec_ib_disable)
4043 ++TASK_PFA_CLEAR(SPEC_IB_DISABLE, spec_ib_disable)
4044 ++
4045 ++TASK_PFA_TEST(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable)
4046 ++TASK_PFA_SET(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable)
4047 ++
4048 + static inline void
4049 + current_restore_flags(unsigned long orig_flags, unsigned long flags)
4050 + {
4051 +diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h
4052 +new file mode 100644
4053 +index 000000000000..59d3736c454c
4054 +--- /dev/null
4055 ++++ b/include/linux/sched/smt.h
4056 +@@ -0,0 +1,20 @@
4057 ++/* SPDX-License-Identifier: GPL-2.0 */
4058 ++#ifndef _LINUX_SCHED_SMT_H
4059 ++#define _LINUX_SCHED_SMT_H
4060 ++
4061 ++#include <linux/static_key.h>
4062 ++
4063 ++#ifdef CONFIG_SCHED_SMT
4064 ++extern struct static_key_false sched_smt_present;
4065 ++
4066 ++static __always_inline bool sched_smt_active(void)
4067 ++{
4068 ++ return static_branch_likely(&sched_smt_present);
4069 ++}
4070 ++#else
4071 ++static inline bool sched_smt_active(void) { return false; }
4072 ++#endif
4073 ++
4074 ++void arch_smt_update(void);
4075 ++
4076 ++#endif
4077 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
4078 +index 17a13e4785fc..e6ef9cc05e60 100644
4079 +--- a/include/linux/skbuff.h
4080 ++++ b/include/linux/skbuff.h
4081 +@@ -1311,6 +1311,22 @@ static inline void skb_zcopy_set(struct sk_buff *skb, struct ubuf_info *uarg)
4082 + }
4083 + }
4084 +
4085 ++static inline void skb_zcopy_set_nouarg(struct sk_buff *skb, void *val)
4086 ++{
4087 ++ skb_shinfo(skb)->destructor_arg = (void *)((uintptr_t) val | 0x1UL);
4088 ++ skb_shinfo(skb)->tx_flags |= SKBTX_ZEROCOPY_FRAG;
4089 ++}
4090 ++
4091 ++static inline bool skb_zcopy_is_nouarg(struct sk_buff *skb)
4092 ++{
4093 ++ return (uintptr_t) skb_shinfo(skb)->destructor_arg & 0x1UL;
4094 ++}
4095 ++
4096 ++static inline void *skb_zcopy_get_nouarg(struct sk_buff *skb)
4097 ++{
4098 ++ return (void *)((uintptr_t) skb_shinfo(skb)->destructor_arg & ~0x1UL);
4099 ++}
4100 ++
4101 + /* Release a reference on a zerocopy structure */
4102 + static inline void skb_zcopy_clear(struct sk_buff *skb, bool zerocopy)
4103 + {
4104 +@@ -1320,7 +1336,7 @@ static inline void skb_zcopy_clear(struct sk_buff *skb, bool zerocopy)
4105 + if (uarg->callback == sock_zerocopy_callback) {
4106 + uarg->zerocopy = uarg->zerocopy && zerocopy;
4107 + sock_zerocopy_put(uarg);
4108 +- } else {
4109 ++ } else if (!skb_zcopy_is_nouarg(skb)) {
4110 + uarg->callback(uarg, zerocopy);
4111 + }
4112 +
4113 +diff --git a/include/linux/tcp.h b/include/linux/tcp.h
4114 +index 263e37271afd..d2c8f280e48f 100644
4115 +--- a/include/linux/tcp.h
4116 ++++ b/include/linux/tcp.h
4117 +@@ -196,6 +196,7 @@ struct tcp_sock {
4118 + u32 rcv_tstamp; /* timestamp of last received ACK (for keepalives) */
4119 + u32 lsndtime; /* timestamp of last sent data packet (for restart window) */
4120 + u32 last_oow_ack_time; /* timestamp of last out-of-window ACK */
4121 ++ u32 compressed_ack_rcv_nxt;
4122 +
4123 + u32 tsoffset; /* timestamp offset */
4124 +
4125 +diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
4126 +index c0d7ea0bf5b6..b17201edfa09 100644
4127 +--- a/include/uapi/linux/prctl.h
4128 ++++ b/include/uapi/linux/prctl.h
4129 +@@ -212,6 +212,7 @@ struct prctl_mm_map {
4130 + #define PR_SET_SPECULATION_CTRL 53
4131 + /* Speculation control variants */
4132 + # define PR_SPEC_STORE_BYPASS 0
4133 ++# define PR_SPEC_INDIRECT_BRANCH 1
4134 + /* Return and control values for PR_SET/GET_SPECULATION_CTRL */
4135 + # define PR_SPEC_NOT_AFFECTED 0
4136 + # define PR_SPEC_PRCTL (1UL << 0)
4137 +diff --git a/kernel/cpu.c b/kernel/cpu.c
4138 +index 0097acec1c71..1699ff68c412 100644
4139 +--- a/kernel/cpu.c
4140 ++++ b/kernel/cpu.c
4141 +@@ -10,6 +10,7 @@
4142 + #include <linux/sched/signal.h>
4143 + #include <linux/sched/hotplug.h>
4144 + #include <linux/sched/task.h>
4145 ++#include <linux/sched/smt.h>
4146 + #include <linux/unistd.h>
4147 + #include <linux/cpu.h>
4148 + #include <linux/oom.h>
4149 +@@ -346,6 +347,12 @@ void cpu_hotplug_enable(void)
4150 + EXPORT_SYMBOL_GPL(cpu_hotplug_enable);
4151 + #endif /* CONFIG_HOTPLUG_CPU */
4152 +
4153 ++/*
4154 ++ * Architectures that need SMT-specific errata handling during SMT hotplug
4155 ++ * should override this.
4156 ++ */
4157 ++void __weak arch_smt_update(void) { }
4158 ++
4159 + #ifdef CONFIG_HOTPLUG_SMT
4160 + enum cpuhp_smt_control cpu_smt_control __read_mostly = CPU_SMT_ENABLED;
4161 + EXPORT_SYMBOL_GPL(cpu_smt_control);
4162 +@@ -982,6 +989,7 @@ out:
4163 + * concurrent CPU hotplug via cpu_add_remove_lock.
4164 + */
4165 + lockup_detector_cleanup();
4166 ++ arch_smt_update();
4167 + return ret;
4168 + }
4169 +
4170 +@@ -1110,6 +1118,7 @@ static int _cpu_up(unsigned int cpu, int tasks_frozen, enum cpuhp_state target)
4171 + ret = cpuhp_up_callbacks(cpu, st, target);
4172 + out:
4173 + cpus_write_unlock();
4174 ++ arch_smt_update();
4175 + return ret;
4176 + }
4177 +
4178 +@@ -2052,8 +2061,10 @@ static int cpuhp_smt_disable(enum cpuhp_smt_control ctrlval)
4179 + */
4180 + cpuhp_offline_cpu_device(cpu);
4181 + }
4182 +- if (!ret)
4183 ++ if (!ret) {
4184 + cpu_smt_control = ctrlval;
4185 ++ arch_smt_update();
4186 ++ }
4187 + cpu_maps_update_done();
4188 + return ret;
4189 + }
4190 +@@ -2064,6 +2075,7 @@ static int cpuhp_smt_enable(void)
4191 +
4192 + cpu_maps_update_begin();
4193 + cpu_smt_control = CPU_SMT_ENABLED;
4194 ++ arch_smt_update();
4195 + for_each_present_cpu(cpu) {
4196 + /* Skip online CPUs and CPUs on offline nodes */
4197 + if (cpu_online(cpu) || !node_online(cpu_to_node(cpu)))
4198 +diff --git a/kernel/sched/core.c b/kernel/sched/core.c
4199 +index 35551110d277..2beda4b726e2 100644
4200 +--- a/kernel/sched/core.c
4201 ++++ b/kernel/sched/core.c
4202 +@@ -5741,15 +5741,10 @@ int sched_cpu_activate(unsigned int cpu)
4203 +
4204 + #ifdef CONFIG_SCHED_SMT
4205 + /*
4206 +- * The sched_smt_present static key needs to be evaluated on every
4207 +- * hotplug event because at boot time SMT might be disabled when
4208 +- * the number of booted CPUs is limited.
4209 +- *
4210 +- * If then later a sibling gets hotplugged, then the key would stay
4211 +- * off and SMT scheduling would never be functional.
4212 ++ * When going up, increment the number of cores with SMT present.
4213 + */
4214 +- if (cpumask_weight(cpu_smt_mask(cpu)) > 1)
4215 +- static_branch_enable_cpuslocked(&sched_smt_present);
4216 ++ if (cpumask_weight(cpu_smt_mask(cpu)) == 2)
4217 ++ static_branch_inc_cpuslocked(&sched_smt_present);
4218 + #endif
4219 + set_cpu_active(cpu, true);
4220 +
4221 +@@ -5793,6 +5788,14 @@ int sched_cpu_deactivate(unsigned int cpu)
4222 + */
4223 + synchronize_rcu_mult(call_rcu, call_rcu_sched);
4224 +
4225 ++#ifdef CONFIG_SCHED_SMT
4226 ++ /*
4227 ++ * When going down, decrement the number of cores with SMT present.
4228 ++ */
4229 ++ if (cpumask_weight(cpu_smt_mask(cpu)) == 2)
4230 ++ static_branch_dec_cpuslocked(&sched_smt_present);
4231 ++#endif
4232 ++
4233 + if (!sched_smp_initialized)
4234 + return 0;
4235 +
4236 +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
4237 +index 9683f458aec7..6c25bbe87bd3 100644
4238 +--- a/kernel/sched/sched.h
4239 ++++ b/kernel/sched/sched.h
4240 +@@ -23,6 +23,7 @@
4241 + #include <linux/sched/prio.h>
4242 + #include <linux/sched/rt.h>
4243 + #include <linux/sched/signal.h>
4244 ++#include <linux/sched/smt.h>
4245 + #include <linux/sched/stat.h>
4246 + #include <linux/sched/sysctl.h>
4247 + #include <linux/sched/task.h>
4248 +@@ -930,9 +931,6 @@ static inline int cpu_of(struct rq *rq)
4249 +
4250 +
4251 + #ifdef CONFIG_SCHED_SMT
4252 +-
4253 +-extern struct static_key_false sched_smt_present;
4254 +-
4255 + extern void __update_idle_core(struct rq *rq);
4256 +
4257 + static inline void update_idle_core(struct rq *rq)
4258 +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
4259 +index f536f601bd46..77734451cb05 100644
4260 +--- a/kernel/trace/ftrace.c
4261 ++++ b/kernel/trace/ftrace.c
4262 +@@ -817,7 +817,7 @@ function_profile_call(unsigned long ip, unsigned long parent_ip,
4263 + #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4264 + static int profile_graph_entry(struct ftrace_graph_ent *trace)
4265 + {
4266 +- int index = trace->depth;
4267 ++ int index = current->curr_ret_stack;
4268 +
4269 + function_profile_call(trace->func, 0, NULL, NULL);
4270 +
4271 +@@ -852,7 +852,7 @@ static void profile_graph_return(struct ftrace_graph_ret *trace)
4272 + if (!fgraph_graph_time) {
4273 + int index;
4274 +
4275 +- index = trace->depth;
4276 ++ index = current->curr_ret_stack;
4277 +
4278 + /* Append this call time to the parent time to subtract */
4279 + if (index)
4280 +@@ -6814,6 +6814,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
4281 + atomic_set(&t->tracing_graph_pause, 0);
4282 + atomic_set(&t->trace_overrun, 0);
4283 + t->curr_ret_stack = -1;
4284 ++ t->curr_ret_depth = -1;
4285 + /* Make sure the tasks see the -1 first: */
4286 + smp_wmb();
4287 + t->ret_stack = ret_stack_list[start++];
4288 +@@ -7038,6 +7039,7 @@ graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
4289 + void ftrace_graph_init_idle_task(struct task_struct *t, int cpu)
4290 + {
4291 + t->curr_ret_stack = -1;
4292 ++ t->curr_ret_depth = -1;
4293 + /*
4294 + * The idle task has no parent, it either has its own
4295 + * stack or no stack at all.
4296 +@@ -7068,6 +7070,7 @@ void ftrace_graph_init_task(struct task_struct *t)
4297 + /* Make sure we do not use the parent ret_stack */
4298 + t->ret_stack = NULL;
4299 + t->curr_ret_stack = -1;
4300 ++ t->curr_ret_depth = -1;
4301 +
4302 + if (ftrace_graph_active) {
4303 + struct ftrace_ret_stack *ret_stack;
4304 +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
4305 +index 169b3c44ee97..2561460d7baf 100644
4306 +--- a/kernel/trace/trace_functions_graph.c
4307 ++++ b/kernel/trace/trace_functions_graph.c
4308 +@@ -118,8 +118,8 @@ print_graph_duration(struct trace_array *tr, unsigned long long duration,
4309 + struct trace_seq *s, u32 flags);
4310 +
4311 + /* Add a function return address to the trace stack on thread info.*/
4312 +-int
4313 +-ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
4314 ++static int
4315 ++ftrace_push_return_trace(unsigned long ret, unsigned long func,
4316 + unsigned long frame_pointer, unsigned long *retp)
4317 + {
4318 + unsigned long long calltime;
4319 +@@ -177,9 +177,31 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
4320 + #ifdef HAVE_FUNCTION_GRAPH_RET_ADDR_PTR
4321 + current->ret_stack[index].retp = retp;
4322 + #endif
4323 +- *depth = current->curr_ret_stack;
4324 ++ return 0;
4325 ++}
4326 ++
4327 ++int function_graph_enter(unsigned long ret, unsigned long func,
4328 ++ unsigned long frame_pointer, unsigned long *retp)
4329 ++{
4330 ++ struct ftrace_graph_ent trace;
4331 ++
4332 ++ trace.func = func;
4333 ++ trace.depth = ++current->curr_ret_depth;
4334 ++
4335 ++ if (ftrace_push_return_trace(ret, func,
4336 ++ frame_pointer, retp))
4337 ++ goto out;
4338 ++
4339 ++ /* Only trace if the calling function expects to */
4340 ++ if (!ftrace_graph_entry(&trace))
4341 ++ goto out_ret;
4342 +
4343 + return 0;
4344 ++ out_ret:
4345 ++ current->curr_ret_stack--;
4346 ++ out:
4347 ++ current->curr_ret_depth--;
4348 ++ return -EBUSY;
4349 + }
4350 +
4351 + /* Retrieve a function return address to the trace stack on thread info.*/
4352 +@@ -241,7 +263,13 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret,
4353 + trace->func = current->ret_stack[index].func;
4354 + trace->calltime = current->ret_stack[index].calltime;
4355 + trace->overrun = atomic_read(&current->trace_overrun);
4356 +- trace->depth = index;
4357 ++ trace->depth = current->curr_ret_depth--;
4358 ++ /*
4359 ++ * We still want to trace interrupts coming in if
4360 ++ * max_depth is set to 1. Make sure the decrement is
4361 ++ * seen before ftrace_graph_return.
4362 ++ */
4363 ++ barrier();
4364 + }
4365 +
4366 + /*
4367 +@@ -255,6 +283,12 @@ unsigned long ftrace_return_to_handler(unsigned long frame_pointer)
4368 +
4369 + ftrace_pop_return_trace(&trace, &ret, frame_pointer);
4370 + trace.rettime = trace_clock_local();
4371 ++ ftrace_graph_return(&trace);
4372 ++ /*
4373 ++ * The ftrace_graph_return() may still access the current
4374 ++ * ret_stack structure, we need to make sure the update of
4375 ++ * curr_ret_stack is after that.
4376 ++ */
4377 + barrier();
4378 + current->curr_ret_stack--;
4379 + /*
4380 +@@ -267,13 +301,6 @@ unsigned long ftrace_return_to_handler(unsigned long frame_pointer)
4381 + return ret;
4382 + }
4383 +
4384 +- /*
4385 +- * The trace should run after decrementing the ret counter
4386 +- * in case an interrupt were to come in. We don't want to
4387 +- * lose the interrupt if max_depth is set.
4388 +- */
4389 +- ftrace_graph_return(&trace);
4390 +-
4391 + if (unlikely(!ret)) {
4392 + ftrace_graph_stop();
4393 + WARN_ON(1);
4394 +diff --git a/lib/test_kmod.c b/lib/test_kmod.c
4395 +index e3ddd836491f..d82d022111e0 100644
4396 +--- a/lib/test_kmod.c
4397 ++++ b/lib/test_kmod.c
4398 +@@ -1214,7 +1214,6 @@ void unregister_test_dev_kmod(struct kmod_test_device *test_dev)
4399 +
4400 + dev_info(test_dev->dev, "removing interface\n");
4401 + misc_deregister(&test_dev->misc_dev);
4402 +- kfree(&test_dev->misc_dev.name);
4403 +
4404 + mutex_unlock(&test_dev->config_mutex);
4405 + mutex_unlock(&test_dev->trigger_mutex);
4406 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
4407 +index deed97fba979..15310f14c25e 100644
4408 +--- a/mm/huge_memory.c
4409 ++++ b/mm/huge_memory.c
4410 +@@ -2322,7 +2322,7 @@ void vma_adjust_trans_huge(struct vm_area_struct *vma,
4411 + }
4412 + }
4413 +
4414 +-static void freeze_page(struct page *page)
4415 ++static void unmap_page(struct page *page)
4416 + {
4417 + enum ttu_flags ttu_flags = TTU_IGNORE_MLOCK | TTU_IGNORE_ACCESS |
4418 + TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD;
4419 +@@ -2337,7 +2337,7 @@ static void freeze_page(struct page *page)
4420 + VM_BUG_ON_PAGE(!unmap_success, page);
4421 + }
4422 +
4423 +-static void unfreeze_page(struct page *page)
4424 ++static void remap_page(struct page *page)
4425 + {
4426 + int i;
4427 + if (PageTransHuge(page)) {
4428 +@@ -2373,6 +2373,12 @@ static void __split_huge_page_tail(struct page *head, int tail,
4429 + (1L << PG_unevictable) |
4430 + (1L << PG_dirty)));
4431 +
4432 ++ /* ->mapping in first tail page is compound_mapcount */
4433 ++ VM_BUG_ON_PAGE(tail > 2 && page_tail->mapping != TAIL_MAPPING,
4434 ++ page_tail);
4435 ++ page_tail->mapping = head->mapping;
4436 ++ page_tail->index = head->index + tail;
4437 ++
4438 + /* Page flags must be visible before we make the page non-compound. */
4439 + smp_wmb();
4440 +
4441 +@@ -2393,12 +2399,6 @@ static void __split_huge_page_tail(struct page *head, int tail,
4442 + if (page_is_idle(head))
4443 + set_page_idle(page_tail);
4444 +
4445 +- /* ->mapping in first tail page is compound_mapcount */
4446 +- VM_BUG_ON_PAGE(tail > 2 && page_tail->mapping != TAIL_MAPPING,
4447 +- page_tail);
4448 +- page_tail->mapping = head->mapping;
4449 +-
4450 +- page_tail->index = head->index + tail;
4451 + page_cpupid_xchg_last(page_tail, page_cpupid_last(head));
4452 +
4453 + /*
4454 +@@ -2410,12 +2410,11 @@ static void __split_huge_page_tail(struct page *head, int tail,
4455 + }
4456 +
4457 + static void __split_huge_page(struct page *page, struct list_head *list,
4458 +- unsigned long flags)
4459 ++ pgoff_t end, unsigned long flags)
4460 + {
4461 + struct page *head = compound_head(page);
4462 + struct zone *zone = page_zone(head);
4463 + struct lruvec *lruvec;
4464 +- pgoff_t end = -1;
4465 + int i;
4466 +
4467 + lruvec = mem_cgroup_page_lruvec(head, zone->zone_pgdat);
4468 +@@ -2423,9 +2422,6 @@ static void __split_huge_page(struct page *page, struct list_head *list,
4469 + /* complete memcg works before add pages to LRU */
4470 + mem_cgroup_split_huge_fixup(head);
4471 +
4472 +- if (!PageAnon(page))
4473 +- end = DIV_ROUND_UP(i_size_read(head->mapping->host), PAGE_SIZE);
4474 +-
4475 + for (i = HPAGE_PMD_NR - 1; i >= 1; i--) {
4476 + __split_huge_page_tail(head, i, lruvec, list);
4477 + /* Some pages can be beyond i_size: drop them from page cache */
4478 +@@ -2454,7 +2450,7 @@ static void __split_huge_page(struct page *page, struct list_head *list,
4479 +
4480 + spin_unlock_irqrestore(zone_lru_lock(page_zone(head)), flags);
4481 +
4482 +- unfreeze_page(head);
4483 ++ remap_page(head);
4484 +
4485 + for (i = 0; i < HPAGE_PMD_NR; i++) {
4486 + struct page *subpage = head + i;
4487 +@@ -2597,6 +2593,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
4488 + int count, mapcount, extra_pins, ret;
4489 + bool mlocked;
4490 + unsigned long flags;
4491 ++ pgoff_t end;
4492 +
4493 + VM_BUG_ON_PAGE(is_huge_zero_page(page), page);
4494 + VM_BUG_ON_PAGE(!PageLocked(page), page);
4495 +@@ -2619,6 +2616,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
4496 + ret = -EBUSY;
4497 + goto out;
4498 + }
4499 ++ end = -1;
4500 + mapping = NULL;
4501 + anon_vma_lock_write(anon_vma);
4502 + } else {
4503 +@@ -2632,10 +2630,19 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
4504 +
4505 + anon_vma = NULL;
4506 + i_mmap_lock_read(mapping);
4507 ++
4508 ++ /*
4509 ++ *__split_huge_page() may need to trim off pages beyond EOF:
4510 ++ * but on 32-bit, i_size_read() takes an irq-unsafe seqlock,
4511 ++ * which cannot be nested inside the page tree lock. So note
4512 ++ * end now: i_size itself may be changed at any moment, but
4513 ++ * head page lock is good enough to serialize the trimming.
4514 ++ */
4515 ++ end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE);
4516 + }
4517 +
4518 + /*
4519 +- * Racy check if we can split the page, before freeze_page() will
4520 ++ * Racy check if we can split the page, before unmap_page() will
4521 + * split PMDs
4522 + */
4523 + if (!can_split_huge_page(head, &extra_pins)) {
4524 +@@ -2644,7 +2651,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
4525 + }
4526 +
4527 + mlocked = PageMlocked(page);
4528 +- freeze_page(head);
4529 ++ unmap_page(head);
4530 + VM_BUG_ON_PAGE(compound_mapcount(head), head);
4531 +
4532 + /* Make sure the page is not on per-CPU pagevec as it takes pin */
4533 +@@ -2681,7 +2688,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
4534 + if (mapping)
4535 + __dec_node_page_state(page, NR_SHMEM_THPS);
4536 + spin_unlock(&pgdata->split_queue_lock);
4537 +- __split_huge_page(page, list, flags);
4538 ++ __split_huge_page(page, list, end, flags);
4539 + if (PageSwapCache(head)) {
4540 + swp_entry_t entry = { .val = page_private(head) };
4541 +
4542 +@@ -2701,7 +2708,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
4543 + fail: if (mapping)
4544 + xa_unlock(&mapping->i_pages);
4545 + spin_unlock_irqrestore(zone_lru_lock(page_zone(head)), flags);
4546 +- unfreeze_page(head);
4547 ++ remap_page(head);
4548 + ret = -EBUSY;
4549 + }
4550 +
4551 +diff --git a/mm/khugepaged.c b/mm/khugepaged.c
4552 +index a31d740e6cd1..fde5820be24d 100644
4553 +--- a/mm/khugepaged.c
4554 ++++ b/mm/khugepaged.c
4555 +@@ -1287,7 +1287,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff)
4556 + * collapse_shmem - collapse small tmpfs/shmem pages into huge one.
4557 + *
4558 + * Basic scheme is simple, details are more complex:
4559 +- * - allocate and freeze a new huge page;
4560 ++ * - allocate and lock a new huge page;
4561 + * - scan over radix tree replacing old pages the new one
4562 + * + swap in pages if necessary;
4563 + * + fill in gaps;
4564 +@@ -1295,11 +1295,11 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff)
4565 + * - if replacing succeed:
4566 + * + copy data over;
4567 + * + free old pages;
4568 +- * + unfreeze huge page;
4569 ++ * + unlock huge page;
4570 + * - if replacing failed;
4571 + * + put all pages back and unfreeze them;
4572 + * + restore gaps in the radix-tree;
4573 +- * + free huge page;
4574 ++ * + unlock and free huge page;
4575 + */
4576 + static void collapse_shmem(struct mm_struct *mm,
4577 + struct address_space *mapping, pgoff_t start,
4578 +@@ -1330,18 +1330,15 @@ static void collapse_shmem(struct mm_struct *mm,
4579 + goto out;
4580 + }
4581 +
4582 ++ __SetPageLocked(new_page);
4583 ++ __SetPageSwapBacked(new_page);
4584 + new_page->index = start;
4585 + new_page->mapping = mapping;
4586 +- __SetPageSwapBacked(new_page);
4587 +- __SetPageLocked(new_page);
4588 +- BUG_ON(!page_ref_freeze(new_page, 1));
4589 +-
4590 +
4591 + /*
4592 +- * At this point the new_page is 'frozen' (page_count() is zero), locked
4593 +- * and not up-to-date. It's safe to insert it into radix tree, because
4594 +- * nobody would be able to map it or use it in other way until we
4595 +- * unfreeze it.
4596 ++ * At this point the new_page is locked and not up-to-date.
4597 ++ * It's safe to insert it into the page cache, because nobody would
4598 ++ * be able to map it or use it in another way until we unlock it.
4599 + */
4600 +
4601 + index = start;
4602 +@@ -1349,19 +1346,29 @@ static void collapse_shmem(struct mm_struct *mm,
4603 + radix_tree_for_each_slot(slot, &mapping->i_pages, &iter, start) {
4604 + int n = min(iter.index, end) - index;
4605 +
4606 ++ /*
4607 ++ * Stop if extent has been hole-punched, and is now completely
4608 ++ * empty (the more obvious i_size_read() check would take an
4609 ++ * irq-unsafe seqlock on 32-bit).
4610 ++ */
4611 ++ if (n >= HPAGE_PMD_NR) {
4612 ++ result = SCAN_TRUNCATED;
4613 ++ goto tree_locked;
4614 ++ }
4615 ++
4616 + /*
4617 + * Handle holes in the radix tree: charge it from shmem and
4618 + * insert relevant subpage of new_page into the radix-tree.
4619 + */
4620 + if (n && !shmem_charge(mapping->host, n)) {
4621 + result = SCAN_FAIL;
4622 +- break;
4623 ++ goto tree_locked;
4624 + }
4625 +- nr_none += n;
4626 + for (; index < min(iter.index, end); index++) {
4627 + radix_tree_insert(&mapping->i_pages, index,
4628 + new_page + (index % HPAGE_PMD_NR));
4629 + }
4630 ++ nr_none += n;
4631 +
4632 + /* We are done. */
4633 + if (index >= end)
4634 +@@ -1377,12 +1384,12 @@ static void collapse_shmem(struct mm_struct *mm,
4635 + result = SCAN_FAIL;
4636 + goto tree_unlocked;
4637 + }
4638 +- xa_lock_irq(&mapping->i_pages);
4639 + } else if (trylock_page(page)) {
4640 + get_page(page);
4641 ++ xa_unlock_irq(&mapping->i_pages);
4642 + } else {
4643 + result = SCAN_PAGE_LOCK;
4644 +- break;
4645 ++ goto tree_locked;
4646 + }
4647 +
4648 + /*
4649 +@@ -1391,17 +1398,24 @@ static void collapse_shmem(struct mm_struct *mm,
4650 + */
4651 + VM_BUG_ON_PAGE(!PageLocked(page), page);
4652 + VM_BUG_ON_PAGE(!PageUptodate(page), page);
4653 +- VM_BUG_ON_PAGE(PageTransCompound(page), page);
4654 ++
4655 ++ /*
4656 ++ * If file was truncated then extended, or hole-punched, before
4657 ++ * we locked the first page, then a THP might be there already.
4658 ++ */
4659 ++ if (PageTransCompound(page)) {
4660 ++ result = SCAN_PAGE_COMPOUND;
4661 ++ goto out_unlock;
4662 ++ }
4663 +
4664 + if (page_mapping(page) != mapping) {
4665 + result = SCAN_TRUNCATED;
4666 + goto out_unlock;
4667 + }
4668 +- xa_unlock_irq(&mapping->i_pages);
4669 +
4670 + if (isolate_lru_page(page)) {
4671 + result = SCAN_DEL_PAGE_LRU;
4672 +- goto out_isolate_failed;
4673 ++ goto out_unlock;
4674 + }
4675 +
4676 + if (page_mapped(page))
4677 +@@ -1422,7 +1436,9 @@ static void collapse_shmem(struct mm_struct *mm,
4678 + */
4679 + if (!page_ref_freeze(page, 3)) {
4680 + result = SCAN_PAGE_COUNT;
4681 +- goto out_lru;
4682 ++ xa_unlock_irq(&mapping->i_pages);
4683 ++ putback_lru_page(page);
4684 ++ goto out_unlock;
4685 + }
4686 +
4687 + /*
4688 +@@ -1438,17 +1454,10 @@ static void collapse_shmem(struct mm_struct *mm,
4689 + slot = radix_tree_iter_resume(slot, &iter);
4690 + index++;
4691 + continue;
4692 +-out_lru:
4693 +- xa_unlock_irq(&mapping->i_pages);
4694 +- putback_lru_page(page);
4695 +-out_isolate_failed:
4696 +- unlock_page(page);
4697 +- put_page(page);
4698 +- goto tree_unlocked;
4699 + out_unlock:
4700 + unlock_page(page);
4701 + put_page(page);
4702 +- break;
4703 ++ goto tree_unlocked;
4704 + }
4705 +
4706 + /*
4707 +@@ -1456,14 +1465,18 @@ out_unlock:
4708 + * This code only triggers if there's nothing in radix tree
4709 + * beyond 'end'.
4710 + */
4711 +- if (result == SCAN_SUCCEED && index < end) {
4712 ++ if (index < end) {
4713 + int n = end - index;
4714 +
4715 ++ /* Stop if extent has been truncated, and is now empty */
4716 ++ if (n >= HPAGE_PMD_NR) {
4717 ++ result = SCAN_TRUNCATED;
4718 ++ goto tree_locked;
4719 ++ }
4720 + if (!shmem_charge(mapping->host, n)) {
4721 + result = SCAN_FAIL;
4722 + goto tree_locked;
4723 + }
4724 +-
4725 + for (; index < end; index++) {
4726 + radix_tree_insert(&mapping->i_pages, index,
4727 + new_page + (index % HPAGE_PMD_NR));
4728 +@@ -1471,59 +1484,64 @@ out_unlock:
4729 + nr_none += n;
4730 + }
4731 +
4732 ++ __inc_node_page_state(new_page, NR_SHMEM_THPS);
4733 ++ if (nr_none) {
4734 ++ struct zone *zone = page_zone(new_page);
4735 ++
4736 ++ __mod_node_page_state(zone->zone_pgdat, NR_FILE_PAGES, nr_none);
4737 ++ __mod_node_page_state(zone->zone_pgdat, NR_SHMEM, nr_none);
4738 ++ }
4739 ++
4740 + tree_locked:
4741 + xa_unlock_irq(&mapping->i_pages);
4742 + tree_unlocked:
4743 +
4744 + if (result == SCAN_SUCCEED) {
4745 +- unsigned long flags;
4746 +- struct zone *zone = page_zone(new_page);
4747 +-
4748 + /*
4749 + * Replacing old pages with new one has succeed, now we need to
4750 + * copy the content and free old pages.
4751 + */
4752 ++ index = start;
4753 + list_for_each_entry_safe(page, tmp, &pagelist, lru) {
4754 ++ while (index < page->index) {
4755 ++ clear_highpage(new_page + (index % HPAGE_PMD_NR));
4756 ++ index++;
4757 ++ }
4758 + copy_highpage(new_page + (page->index % HPAGE_PMD_NR),
4759 + page);
4760 + list_del(&page->lru);
4761 +- unlock_page(page);
4762 +- page_ref_unfreeze(page, 1);
4763 + page->mapping = NULL;
4764 ++ page_ref_unfreeze(page, 1);
4765 + ClearPageActive(page);
4766 + ClearPageUnevictable(page);
4767 ++ unlock_page(page);
4768 + put_page(page);
4769 ++ index++;
4770 + }
4771 +-
4772 +- local_irq_save(flags);
4773 +- __inc_node_page_state(new_page, NR_SHMEM_THPS);
4774 +- if (nr_none) {
4775 +- __mod_node_page_state(zone->zone_pgdat, NR_FILE_PAGES, nr_none);
4776 +- __mod_node_page_state(zone->zone_pgdat, NR_SHMEM, nr_none);
4777 ++ while (index < end) {
4778 ++ clear_highpage(new_page + (index % HPAGE_PMD_NR));
4779 ++ index++;
4780 + }
4781 +- local_irq_restore(flags);
4782 +
4783 +- /*
4784 +- * Remove pte page tables, so we can re-faulti
4785 +- * the page as huge.
4786 +- */
4787 +- retract_page_tables(mapping, start);
4788 +-
4789 +- /* Everything is ready, let's unfreeze the new_page */
4790 +- set_page_dirty(new_page);
4791 + SetPageUptodate(new_page);
4792 +- page_ref_unfreeze(new_page, HPAGE_PMD_NR);
4793 ++ page_ref_add(new_page, HPAGE_PMD_NR - 1);
4794 ++ set_page_dirty(new_page);
4795 + mem_cgroup_commit_charge(new_page, memcg, false, true);
4796 + lru_cache_add_anon(new_page);
4797 +- unlock_page(new_page);
4798 +
4799 ++ /*
4800 ++ * Remove pte page tables, so we can re-fault the page as huge.
4801 ++ */
4802 ++ retract_page_tables(mapping, start);
4803 + *hpage = NULL;
4804 +
4805 + khugepaged_pages_collapsed++;
4806 + } else {
4807 + /* Something went wrong: rollback changes to the radix-tree */
4808 +- shmem_uncharge(mapping->host, nr_none);
4809 + xa_lock_irq(&mapping->i_pages);
4810 ++ mapping->nrpages -= nr_none;
4811 ++ shmem_uncharge(mapping->host, nr_none);
4812 ++
4813 + radix_tree_for_each_slot(slot, &mapping->i_pages, &iter, start) {
4814 + if (iter.index >= end)
4815 + break;
4816 +@@ -1546,19 +1564,18 @@ tree_unlocked:
4817 + radix_tree_replace_slot(&mapping->i_pages, slot, page);
4818 + slot = radix_tree_iter_resume(slot, &iter);
4819 + xa_unlock_irq(&mapping->i_pages);
4820 +- putback_lru_page(page);
4821 + unlock_page(page);
4822 ++ putback_lru_page(page);
4823 + xa_lock_irq(&mapping->i_pages);
4824 + }
4825 + VM_BUG_ON(nr_none);
4826 + xa_unlock_irq(&mapping->i_pages);
4827 +
4828 +- /* Unfreeze new_page, caller would take care about freeing it */
4829 +- page_ref_unfreeze(new_page, 1);
4830 + mem_cgroup_cancel_charge(new_page, memcg, true);
4831 +- unlock_page(new_page);
4832 + new_page->mapping = NULL;
4833 + }
4834 ++
4835 ++ unlock_page(new_page);
4836 + out:
4837 + VM_BUG_ON(!list_empty(&pagelist));
4838 + /* TODO: tracepoints */
4839 +diff --git a/mm/rmap.c b/mm/rmap.c
4840 +index 1e79fac3186b..85b7f9423352 100644
4841 +--- a/mm/rmap.c
4842 ++++ b/mm/rmap.c
4843 +@@ -1627,16 +1627,9 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
4844 + address + PAGE_SIZE);
4845 + } else {
4846 + /*
4847 +- * We should not need to notify here as we reach this
4848 +- * case only from freeze_page() itself only call from
4849 +- * split_huge_page_to_list() so everything below must
4850 +- * be true:
4851 +- * - page is not anonymous
4852 +- * - page is locked
4853 +- *
4854 +- * So as it is a locked file back page thus it can not
4855 +- * be remove from the page cache and replace by a new
4856 +- * page before mmu_notifier_invalidate_range_end so no
4857 ++ * This is a locked file-backed page, thus it cannot
4858 ++ * be removed from the page cache and replaced by a new
4859 ++ * page before mmu_notifier_invalidate_range_end, so no
4860 + * concurrent thread might update its page table to
4861 + * point at new page while a device still is using this
4862 + * page.
4863 +diff --git a/mm/shmem.c b/mm/shmem.c
4864 +index 38d228a30fdc..0b02b539072e 100644
4865 +--- a/mm/shmem.c
4866 ++++ b/mm/shmem.c
4867 +@@ -297,12 +297,14 @@ bool shmem_charge(struct inode *inode, long pages)
4868 + if (!shmem_inode_acct_block(inode, pages))
4869 + return false;
4870 +
4871 ++ /* nrpages adjustment first, then shmem_recalc_inode() when balanced */
4872 ++ inode->i_mapping->nrpages += pages;
4873 ++
4874 + spin_lock_irqsave(&info->lock, flags);
4875 + info->alloced += pages;
4876 + inode->i_blocks += pages * BLOCKS_PER_PAGE;
4877 + shmem_recalc_inode(inode);
4878 + spin_unlock_irqrestore(&info->lock, flags);
4879 +- inode->i_mapping->nrpages += pages;
4880 +
4881 + return true;
4882 + }
4883 +@@ -312,6 +314,8 @@ void shmem_uncharge(struct inode *inode, long pages)
4884 + struct shmem_inode_info *info = SHMEM_I(inode);
4885 + unsigned long flags;
4886 +
4887 ++ /* nrpages adjustment done by __delete_from_page_cache() or caller */
4888 ++
4889 + spin_lock_irqsave(&info->lock, flags);
4890 + info->alloced -= pages;
4891 + inode->i_blocks -= pages * BLOCKS_PER_PAGE;
4892 +@@ -1547,11 +1551,13 @@ static int shmem_replace_page(struct page **pagep, gfp_t gfp,
4893 + {
4894 + struct page *oldpage, *newpage;
4895 + struct address_space *swap_mapping;
4896 ++ swp_entry_t entry;
4897 + pgoff_t swap_index;
4898 + int error;
4899 +
4900 + oldpage = *pagep;
4901 +- swap_index = page_private(oldpage);
4902 ++ entry.val = page_private(oldpage);
4903 ++ swap_index = swp_offset(entry);
4904 + swap_mapping = page_mapping(oldpage);
4905 +
4906 + /*
4907 +@@ -1570,7 +1576,7 @@ static int shmem_replace_page(struct page **pagep, gfp_t gfp,
4908 + __SetPageLocked(newpage);
4909 + __SetPageSwapBacked(newpage);
4910 + SetPageUptodate(newpage);
4911 +- set_page_private(newpage, swap_index);
4912 ++ set_page_private(newpage, entry.val);
4913 + SetPageSwapCache(newpage);
4914 +
4915 + /*
4916 +diff --git a/mm/truncate.c b/mm/truncate.c
4917 +index 1d2fb2dca96f..71b65aab8077 100644
4918 +--- a/mm/truncate.c
4919 ++++ b/mm/truncate.c
4920 +@@ -520,9 +520,13 @@ void truncate_inode_pages_final(struct address_space *mapping)
4921 + */
4922 + xa_lock_irq(&mapping->i_pages);
4923 + xa_unlock_irq(&mapping->i_pages);
4924 +-
4925 +- truncate_inode_pages(mapping, 0);
4926 + }
4927 ++
4928 ++ /*
4929 ++ * Cleancache needs notification even if there are no pages or shadow
4930 ++ * entries.
4931 ++ */
4932 ++ truncate_inode_pages(mapping, 0);
4933 + }
4934 + EXPORT_SYMBOL(truncate_inode_pages_final);
4935 +
4936 +diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
4937 +index 5029f241908f..f0af11b1cdf3 100644
4938 +--- a/mm/userfaultfd.c
4939 ++++ b/mm/userfaultfd.c
4940 +@@ -205,8 +205,9 @@ retry:
4941 + if (!dst_vma || !is_vm_hugetlb_page(dst_vma))
4942 + goto out_unlock;
4943 + /*
4944 +- * Only allow __mcopy_atomic_hugetlb on userfaultfd
4945 +- * registered ranges.
4946 ++ * Check the vma is registered in uffd, this is
4947 ++ * required to enforce the VM_MAYWRITE check done at
4948 ++ * uffd registration time.
4949 + */
4950 + if (!dst_vma->vm_userfaultfd_ctx.ctx)
4951 + goto out_unlock;
4952 +@@ -449,13 +450,9 @@ retry:
4953 + if (!dst_vma)
4954 + goto out_unlock;
4955 + /*
4956 +- * Be strict and only allow __mcopy_atomic on userfaultfd
4957 +- * registered ranges to prevent userland errors going
4958 +- * unnoticed. As far as the VM consistency is concerned, it
4959 +- * would be perfectly safe to remove this check, but there's
4960 +- * no useful usage for __mcopy_atomic ouside of userfaultfd
4961 +- * registered ranges. This is after all why these are ioctls
4962 +- * belonging to the userfaultfd and not syscalls.
4963 ++ * Check the vma is registered in uffd, this is required to
4964 ++ * enforce the VM_MAYWRITE check done at uffd registration
4965 ++ * time.
4966 + */
4967 + if (!dst_vma->vm_userfaultfd_ctx.ctx)
4968 + goto out_unlock;
4969 +diff --git a/net/core/dev.c b/net/core/dev.c
4970 +index 097c02101450..22af88c47756 100644
4971 +--- a/net/core/dev.c
4972 ++++ b/net/core/dev.c
4973 +@@ -5945,11 +5945,14 @@ bool napi_complete_done(struct napi_struct *n, int work_done)
4974 + if (work_done)
4975 + timeout = n->dev->gro_flush_timeout;
4976 +
4977 ++ /* When the NAPI instance uses a timeout and keeps postponing
4978 ++ * it, we need to bound somehow the time packets are kept in
4979 ++ * the GRO layer
4980 ++ */
4981 ++ napi_gro_flush(n, !!timeout);
4982 + if (timeout)
4983 + hrtimer_start(&n->timer, ns_to_ktime(timeout),
4984 + HRTIMER_MODE_REL_PINNED);
4985 +- else
4986 +- napi_gro_flush(n, false);
4987 + }
4988 + if (unlikely(!list_empty(&n->poll_list))) {
4989 + /* If n->poll_list is not empty, we need to mask irqs */
4990 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
4991 +index f817f336595d..abbbd7fd17fe 100644
4992 +--- a/net/core/skbuff.c
4993 ++++ b/net/core/skbuff.c
4994 +@@ -4912,6 +4912,11 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
4995 + nf_reset(skb);
4996 + nf_reset_trace(skb);
4997 +
4998 ++#ifdef CONFIG_NET_SWITCHDEV
4999 ++ skb->offload_fwd_mark = 0;
5000 ++ skb->offload_mr_fwd_mark = 0;
5001 ++#endif
5002 ++
5003 + if (!xnet)
5004 + return;
5005 +
5006 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
5007 +index 72898cbef43d..664fa7d8f7d9 100644
5008 +--- a/net/ipv4/tcp_input.c
5009 ++++ b/net/ipv4/tcp_input.c
5010 +@@ -4276,7 +4276,7 @@ static void tcp_sack_new_ofo_skb(struct sock *sk, u32 seq, u32 end_seq)
5011 + * If the sack array is full, forget about the last one.
5012 + */
5013 + if (this_sack >= TCP_NUM_SACKS) {
5014 +- if (tp->compressed_ack)
5015 ++ if (tp->compressed_ack > TCP_FASTRETRANS_THRESH)
5016 + tcp_send_ack(sk);
5017 + this_sack--;
5018 + tp->rx_opt.num_sacks--;
5019 +@@ -5196,7 +5196,17 @@ send_now:
5020 + if (!tcp_is_sack(tp) ||
5021 + tp->compressed_ack >= sock_net(sk)->ipv4.sysctl_tcp_comp_sack_nr)
5022 + goto send_now;
5023 +- tp->compressed_ack++;
5024 ++
5025 ++ if (tp->compressed_ack_rcv_nxt != tp->rcv_nxt) {
5026 ++ tp->compressed_ack_rcv_nxt = tp->rcv_nxt;
5027 ++ if (tp->compressed_ack > TCP_FASTRETRANS_THRESH)
5028 ++ NET_ADD_STATS(sock_net(sk), LINUX_MIB_TCPACKCOMPRESSED,
5029 ++ tp->compressed_ack - TCP_FASTRETRANS_THRESH);
5030 ++ tp->compressed_ack = 0;
5031 ++ }
5032 ++
5033 ++ if (++tp->compressed_ack <= TCP_FASTRETRANS_THRESH)
5034 ++ goto send_now;
5035 +
5036 + if (hrtimer_is_queued(&tp->compressed_ack_timer))
5037 + return;
5038 +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
5039 +index 597dbd749f05..68f65ddf9e3c 100644
5040 +--- a/net/ipv4/tcp_output.c
5041 ++++ b/net/ipv4/tcp_output.c
5042 +@@ -165,10 +165,10 @@ static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts,
5043 + {
5044 + struct tcp_sock *tp = tcp_sk(sk);
5045 +
5046 +- if (unlikely(tp->compressed_ack)) {
5047 ++ if (unlikely(tp->compressed_ack > TCP_FASTRETRANS_THRESH)) {
5048 + NET_ADD_STATS(sock_net(sk), LINUX_MIB_TCPACKCOMPRESSED,
5049 +- tp->compressed_ack);
5050 +- tp->compressed_ack = 0;
5051 ++ tp->compressed_ack - TCP_FASTRETRANS_THRESH);
5052 ++ tp->compressed_ack = TCP_FASTRETRANS_THRESH;
5053 + if (hrtimer_try_to_cancel(&tp->compressed_ack_timer) == 1)
5054 + __sock_put(sk);
5055 + }
5056 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
5057 +index 7fdf222a0bdf..57eae8d70ba1 100644
5058 +--- a/net/ipv4/tcp_timer.c
5059 ++++ b/net/ipv4/tcp_timer.c
5060 +@@ -740,7 +740,7 @@ static enum hrtimer_restart tcp_compressed_ack_kick(struct hrtimer *timer)
5061 +
5062 + bh_lock_sock(sk);
5063 + if (!sock_owned_by_user(sk)) {
5064 +- if (tp->compressed_ack)
5065 ++ if (tp->compressed_ack > TCP_FASTRETRANS_THRESH)
5066 + tcp_send_ack(sk);
5067 + } else {
5068 + if (!test_and_set_bit(TCP_DELACK_TIMER_DEFERRED,
5069 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
5070 +index d6e94dc7e290..6477b131e809 100644
5071 +--- a/net/packet/af_packet.c
5072 ++++ b/net/packet/af_packet.c
5073 +@@ -2394,7 +2394,7 @@ static void tpacket_destruct_skb(struct sk_buff *skb)
5074 + void *ph;
5075 + __u32 ts;
5076 +
5077 +- ph = skb_shinfo(skb)->destructor_arg;
5078 ++ ph = skb_zcopy_get_nouarg(skb);
5079 + packet_dec_pending(&po->tx_ring);
5080 +
5081 + ts = __packet_set_timestamp(po, ph, skb);
5082 +@@ -2461,7 +2461,7 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
5083 + skb->mark = po->sk.sk_mark;
5084 + skb->tstamp = sockc->transmit_time;
5085 + sock_tx_timestamp(&po->sk, sockc->tsflags, &skb_shinfo(skb)->tx_flags);
5086 +- skb_shinfo(skb)->destructor_arg = ph.raw;
5087 ++ skb_zcopy_set_nouarg(skb, ph.raw);
5088 +
5089 + skb_reserve(skb, hlen);
5090 + skb_reset_network_header(skb);
5091 +diff --git a/net/tipc/node.c b/net/tipc/node.c
5092 +index 2afc4f8c37a7..488019766433 100644
5093 +--- a/net/tipc/node.c
5094 ++++ b/net/tipc/node.c
5095 +@@ -584,12 +584,15 @@ static void tipc_node_clear_links(struct tipc_node *node)
5096 + /* tipc_node_cleanup - delete nodes that does not
5097 + * have active links for NODE_CLEANUP_AFTER time
5098 + */
5099 +-static int tipc_node_cleanup(struct tipc_node *peer)
5100 ++static bool tipc_node_cleanup(struct tipc_node *peer)
5101 + {
5102 + struct tipc_net *tn = tipc_net(peer->net);
5103 + bool deleted = false;
5104 +
5105 +- spin_lock_bh(&tn->node_list_lock);
5106 ++ /* If lock held by tipc_node_stop() the node will be deleted anyway */
5107 ++ if (!spin_trylock_bh(&tn->node_list_lock))
5108 ++ return false;
5109 ++
5110 + tipc_node_write_lock(peer);
5111 +
5112 + if (!node_is_up(peer) && time_after(jiffies, peer->delete_at)) {
5113 +diff --git a/scripts/Makefile.build b/scripts/Makefile.build
5114 +index 54da4b070db3..64fac0ad32d6 100644
5115 +--- a/scripts/Makefile.build
5116 ++++ b/scripts/Makefile.build
5117 +@@ -248,10 +248,8 @@ ifdef CONFIG_GCOV_KERNEL
5118 + objtool_args += --no-unreachable
5119 + endif
5120 + ifdef CONFIG_RETPOLINE
5121 +-ifneq ($(RETPOLINE_CFLAGS),)
5122 + objtool_args += --retpoline
5123 + endif
5124 +-endif
5125 +
5126 +
5127 + ifdef CONFIG_MODVERSIONS
5128 +diff --git a/sound/core/control.c b/sound/core/control.c
5129 +index 9aa15bfc7936..649d3217590e 100644
5130 +--- a/sound/core/control.c
5131 ++++ b/sound/core/control.c
5132 +@@ -348,6 +348,40 @@ static int snd_ctl_find_hole(struct snd_card *card, unsigned int count)
5133 + return 0;
5134 + }
5135 +
5136 ++/* add a new kcontrol object; call with card->controls_rwsem locked */
5137 ++static int __snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
5138 ++{
5139 ++ struct snd_ctl_elem_id id;
5140 ++ unsigned int idx;
5141 ++ unsigned int count;
5142 ++
5143 ++ id = kcontrol->id;
5144 ++ if (id.index > UINT_MAX - kcontrol->count)
5145 ++ return -EINVAL;
5146 ++
5147 ++ if (snd_ctl_find_id(card, &id)) {
5148 ++ dev_err(card->dev,
5149 ++ "control %i:%i:%i:%s:%i is already present\n",
5150 ++ id.iface, id.device, id.subdevice, id.name, id.index);
5151 ++ return -EBUSY;
5152 ++ }
5153 ++
5154 ++ if (snd_ctl_find_hole(card, kcontrol->count) < 0)
5155 ++ return -ENOMEM;
5156 ++
5157 ++ list_add_tail(&kcontrol->list, &card->controls);
5158 ++ card->controls_count += kcontrol->count;
5159 ++ kcontrol->id.numid = card->last_numid + 1;
5160 ++ card->last_numid += kcontrol->count;
5161 ++
5162 ++ id = kcontrol->id;
5163 ++ count = kcontrol->count;
5164 ++ for (idx = 0; idx < count; idx++, id.index++, id.numid++)
5165 ++ snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
5166 ++
5167 ++ return 0;
5168 ++}
5169 ++
5170 + /**
5171 + * snd_ctl_add - add the control instance to the card
5172 + * @card: the card instance
5173 +@@ -364,45 +398,18 @@ static int snd_ctl_find_hole(struct snd_card *card, unsigned int count)
5174 + */
5175 + int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
5176 + {
5177 +- struct snd_ctl_elem_id id;
5178 +- unsigned int idx;
5179 +- unsigned int count;
5180 + int err = -EINVAL;
5181 +
5182 + if (! kcontrol)
5183 + return err;
5184 + if (snd_BUG_ON(!card || !kcontrol->info))
5185 + goto error;
5186 +- id = kcontrol->id;
5187 +- if (id.index > UINT_MAX - kcontrol->count)
5188 +- goto error;
5189 +
5190 + down_write(&card->controls_rwsem);
5191 +- if (snd_ctl_find_id(card, &id)) {
5192 +- up_write(&card->controls_rwsem);
5193 +- dev_err(card->dev, "control %i:%i:%i:%s:%i is already present\n",
5194 +- id.iface,
5195 +- id.device,
5196 +- id.subdevice,
5197 +- id.name,
5198 +- id.index);
5199 +- err = -EBUSY;
5200 +- goto error;
5201 +- }
5202 +- if (snd_ctl_find_hole(card, kcontrol->count) < 0) {
5203 +- up_write(&card->controls_rwsem);
5204 +- err = -ENOMEM;
5205 +- goto error;
5206 +- }
5207 +- list_add_tail(&kcontrol->list, &card->controls);
5208 +- card->controls_count += kcontrol->count;
5209 +- kcontrol->id.numid = card->last_numid + 1;
5210 +- card->last_numid += kcontrol->count;
5211 +- id = kcontrol->id;
5212 +- count = kcontrol->count;
5213 ++ err = __snd_ctl_add(card, kcontrol);
5214 + up_write(&card->controls_rwsem);
5215 +- for (idx = 0; idx < count; idx++, id.index++, id.numid++)
5216 +- snd_ctl_notify(card, SNDRV_CTL_EVENT_MASK_ADD, &id);
5217 ++ if (err < 0)
5218 ++ goto error;
5219 + return 0;
5220 +
5221 + error:
5222 +@@ -1361,9 +1368,12 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
5223 + kctl->tlv.c = snd_ctl_elem_user_tlv;
5224 +
5225 + /* This function manage to free the instance on failure. */
5226 +- err = snd_ctl_add(card, kctl);
5227 +- if (err < 0)
5228 +- return err;
5229 ++ down_write(&card->controls_rwsem);
5230 ++ err = __snd_ctl_add(card, kctl);
5231 ++ if (err < 0) {
5232 ++ snd_ctl_free_one(kctl);
5233 ++ goto unlock;
5234 ++ }
5235 + offset = snd_ctl_get_ioff(kctl, &info->id);
5236 + snd_ctl_build_ioff(&info->id, kctl, offset);
5237 + /*
5238 +@@ -1374,10 +1384,10 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file,
5239 + * which locks the element.
5240 + */
5241 +
5242 +- down_write(&card->controls_rwsem);
5243 + card->user_ctl_count++;
5244 +- up_write(&card->controls_rwsem);
5245 +
5246 ++ unlock:
5247 ++ up_write(&card->controls_rwsem);
5248 + return 0;
5249 + }
5250 +
5251 +diff --git a/sound/isa/wss/wss_lib.c b/sound/isa/wss/wss_lib.c
5252 +index 32453f81b95a..3a5008837576 100644
5253 +--- a/sound/isa/wss/wss_lib.c
5254 ++++ b/sound/isa/wss/wss_lib.c
5255 +@@ -1531,7 +1531,6 @@ static int snd_wss_playback_open(struct snd_pcm_substream *substream)
5256 + if (err < 0) {
5257 + if (chip->release_dma)
5258 + chip->release_dma(chip, chip->dma_private_data, chip->dma1);
5259 +- snd_free_pages(runtime->dma_area, runtime->dma_bytes);
5260 + return err;
5261 + }
5262 + chip->playback_substream = substream;
5263 +@@ -1572,7 +1571,6 @@ static int snd_wss_capture_open(struct snd_pcm_substream *substream)
5264 + if (err < 0) {
5265 + if (chip->release_dma)
5266 + chip->release_dma(chip, chip->dma_private_data, chip->dma2);
5267 +- snd_free_pages(runtime->dma_area, runtime->dma_bytes);
5268 + return err;
5269 + }
5270 + chip->capture_substream = substream;
5271 +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
5272 +index f4459d1a9d67..27b468f057dd 100644
5273 +--- a/sound/pci/ac97/ac97_codec.c
5274 ++++ b/sound/pci/ac97/ac97_codec.c
5275 +@@ -824,7 +824,7 @@ static int snd_ac97_put_spsa(struct snd_kcontrol *kcontrol, struct snd_ctl_elem_
5276 + {
5277 + struct snd_ac97 *ac97 = snd_kcontrol_chip(kcontrol);
5278 + int reg = kcontrol->private_value & 0xff;
5279 +- int shift = (kcontrol->private_value >> 8) & 0xff;
5280 ++ int shift = (kcontrol->private_value >> 8) & 0x0f;
5281 + int mask = (kcontrol->private_value >> 16) & 0xff;
5282 + // int invert = (kcontrol->private_value >> 24) & 0xff;
5283 + unsigned short value, old, new;
5284 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
5285 +index 625cb6c7b7d6..5810be2c6c34 100644
5286 +--- a/sound/pci/hda/hda_intel.c
5287 ++++ b/sound/pci/hda/hda_intel.c
5288 +@@ -2256,6 +2256,8 @@ static struct snd_pci_quirk power_save_blacklist[] = {
5289 + /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
5290 + SND_PCI_QUIRK(0x1849, 0xc892, "Asrock B85M-ITX", 0),
5291 + /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
5292 ++ SND_PCI_QUIRK(0x1849, 0x0397, "Asrock N68C-S UCC", 0),
5293 ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
5294 + SND_PCI_QUIRK(0x1849, 0x7662, "Asrock H81M-HDS", 0),
5295 + /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
5296 + SND_PCI_QUIRK(0x1043, 0x8733, "Asus Prime X370-Pro", 0),
5297 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
5298 +index e58537e13ad3..cf5d26642bcd 100644
5299 +--- a/sound/pci/hda/patch_realtek.c
5300 ++++ b/sound/pci/hda/patch_realtek.c
5301 +@@ -388,6 +388,7 @@ static void alc_fill_eapd_coef(struct hda_codec *codec)
5302 + case 0x10ec0285:
5303 + case 0x10ec0298:
5304 + case 0x10ec0289:
5305 ++ case 0x10ec0300:
5306 + alc_update_coef_idx(codec, 0x10, 1<<9, 0);
5307 + break;
5308 + case 0x10ec0275:
5309 +@@ -2830,6 +2831,7 @@ enum {
5310 + ALC269_TYPE_ALC215,
5311 + ALC269_TYPE_ALC225,
5312 + ALC269_TYPE_ALC294,
5313 ++ ALC269_TYPE_ALC300,
5314 + ALC269_TYPE_ALC700,
5315 + };
5316 +
5317 +@@ -2864,6 +2866,7 @@ static int alc269_parse_auto_config(struct hda_codec *codec)
5318 + case ALC269_TYPE_ALC215:
5319 + case ALC269_TYPE_ALC225:
5320 + case ALC269_TYPE_ALC294:
5321 ++ case ALC269_TYPE_ALC300:
5322 + case ALC269_TYPE_ALC700:
5323 + ssids = alc269_ssids;
5324 + break;
5325 +@@ -5358,6 +5361,16 @@ static void alc274_fixup_bind_dacs(struct hda_codec *codec,
5326 + spec->gen.preferred_dacs = preferred_pairs;
5327 + }
5328 +
5329 ++/* The DAC of NID 0x3 will introduce click/pop noise on headphones, so invalidate it */
5330 ++static void alc285_fixup_invalidate_dacs(struct hda_codec *codec,
5331 ++ const struct hda_fixup *fix, int action)
5332 ++{
5333 ++ if (action != HDA_FIXUP_ACT_PRE_PROBE)
5334 ++ return;
5335 ++
5336 ++ snd_hda_override_wcaps(codec, 0x03, 0);
5337 ++}
5338 ++
5339 + /* for hda_fixup_thinkpad_acpi() */
5340 + #include "thinkpad_helper.c"
5341 +
5342 +@@ -5495,6 +5508,8 @@ enum {
5343 + ALC255_FIXUP_DELL_HEADSET_MIC,
5344 + ALC295_FIXUP_HP_X360,
5345 + ALC221_FIXUP_HP_HEADSET_MIC,
5346 ++ ALC285_FIXUP_LENOVO_HEADPHONE_NOISE,
5347 ++ ALC295_FIXUP_HP_AUTO_MUTE,
5348 + };
5349 +
5350 + static const struct hda_fixup alc269_fixups[] = {
5351 +@@ -5659,6 +5674,8 @@ static const struct hda_fixup alc269_fixups[] = {
5352 + [ALC269_FIXUP_HP_MUTE_LED_MIC3] = {
5353 + .type = HDA_FIXUP_FUNC,
5354 + .v.func = alc269_fixup_hp_mute_led_mic3,
5355 ++ .chained = true,
5356 ++ .chain_id = ALC295_FIXUP_HP_AUTO_MUTE
5357 + },
5358 + [ALC269_FIXUP_HP_GPIO_LED] = {
5359 + .type = HDA_FIXUP_FUNC,
5360 +@@ -6362,6 +6379,14 @@ static const struct hda_fixup alc269_fixups[] = {
5361 + .chained = true,
5362 + .chain_id = ALC269_FIXUP_HEADSET_MIC
5363 + },
5364 ++ [ALC285_FIXUP_LENOVO_HEADPHONE_NOISE] = {
5365 ++ .type = HDA_FIXUP_FUNC,
5366 ++ .v.func = alc285_fixup_invalidate_dacs,
5367 ++ },
5368 ++ [ALC295_FIXUP_HP_AUTO_MUTE] = {
5369 ++ .type = HDA_FIXUP_FUNC,
5370 ++ .v.func = alc_fixup_auto_mute_via_amp,
5371 ++ },
5372 + };
5373 +
5374 + static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5375 +@@ -6532,6 +6557,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5376 + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8),
5377 + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC),
5378 + SND_PCI_QUIRK(0x1462, 0xb120, "MSI Cubi MS-B120", ALC283_FIXUP_HEADSET_MIC),
5379 ++ SND_PCI_QUIRK(0x1462, 0xb171, "Cubi N 8GL (MS-B171)", ALC283_FIXUP_HEADSET_MIC),
5380 + SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC233_FIXUP_LENOVO_MULTI_CODECS),
5381 + SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE),
5382 + SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE),
5383 +@@ -7034,6 +7060,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
5384 + {0x12, 0x90a60130},
5385 + {0x19, 0x03a11020},
5386 + {0x21, 0x0321101f}),
5387 ++ SND_HDA_PIN_QUIRK(0x10ec0285, 0x17aa, "Lenovo", ALC285_FIXUP_LENOVO_HEADPHONE_NOISE,
5388 ++ {0x12, 0x90a60130},
5389 ++ {0x14, 0x90170110},
5390 ++ {0x19, 0x04a11040},
5391 ++ {0x21, 0x04211020}),
5392 + SND_HDA_PIN_QUIRK(0x10ec0288, 0x1028, "Dell", ALC288_FIXUP_DELL1_MIC_NO_PRESENCE,
5393 + {0x12, 0x90a60120},
5394 + {0x14, 0x90170110},
5395 +@@ -7295,6 +7326,10 @@ static int patch_alc269(struct hda_codec *codec)
5396 + spec->gen.mixer_nid = 0; /* ALC2x4 does not have any loopback mixer path */
5397 + alc_update_coef_idx(codec, 0x6b, 0x0018, (1<<4) | (1<<3)); /* UAJ MIC Vref control by verb */
5398 + break;
5399 ++ case 0x10ec0300:
5400 ++ spec->codec_variant = ALC269_TYPE_ALC300;
5401 ++ spec->gen.mixer_nid = 0; /* no loopback on ALC300 */
5402 ++ break;
5403 + case 0x10ec0700:
5404 + case 0x10ec0701:
5405 + case 0x10ec0703:
5406 +@@ -8404,6 +8439,7 @@ static const struct hda_device_id snd_hda_id_realtek[] = {
5407 + HDA_CODEC_ENTRY(0x10ec0295, "ALC295", patch_alc269),
5408 + HDA_CODEC_ENTRY(0x10ec0298, "ALC298", patch_alc269),
5409 + HDA_CODEC_ENTRY(0x10ec0299, "ALC299", patch_alc269),
5410 ++ HDA_CODEC_ENTRY(0x10ec0300, "ALC300", patch_alc269),
5411 + HDA_CODEC_REV_ENTRY(0x10ec0861, 0x100340, "ALC660", patch_alc861),
5412 + HDA_CODEC_ENTRY(0x10ec0660, "ALC660-VD", patch_alc861vd),
5413 + HDA_CODEC_ENTRY(0x10ec0861, "ALC861", patch_alc861),
5414 +diff --git a/sound/soc/codecs/pcm186x.h b/sound/soc/codecs/pcm186x.h
5415 +index 2c6ba55bf394..bb3f0c42a1cd 100644
5416 +--- a/sound/soc/codecs/pcm186x.h
5417 ++++ b/sound/soc/codecs/pcm186x.h
5418 +@@ -139,7 +139,7 @@ enum pcm186x_type {
5419 + #define PCM186X_MAX_REGISTER PCM186X_CURR_TRIM_CTRL
5420 +
5421 + /* PCM186X_PAGE */
5422 +-#define PCM186X_RESET 0xff
5423 ++#define PCM186X_RESET 0xfe
5424 +
5425 + /* PCM186X_ADCX_INPUT_SEL_X */
5426 + #define PCM186X_ADC_INPUT_SEL_POL BIT(7)
5427 +diff --git a/sound/soc/intel/boards/cht_bsw_max98090_ti.c b/sound/soc/intel/boards/cht_bsw_max98090_ti.c
5428 +index db6976f4ddaa..9d9f6e41d81c 100644
5429 +--- a/sound/soc/intel/boards/cht_bsw_max98090_ti.c
5430 ++++ b/sound/soc/intel/boards/cht_bsw_max98090_ti.c
5431 +@@ -19,6 +19,7 @@
5432 + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5433 + */
5434 +
5435 ++#include <linux/dmi.h>
5436 + #include <linux/module.h>
5437 + #include <linux/platform_device.h>
5438 + #include <linux/slab.h>
5439 +@@ -35,6 +36,8 @@
5440 + #define CHT_PLAT_CLK_3_HZ 19200000
5441 + #define CHT_CODEC_DAI "HiFi"
5442 +
5443 ++#define QUIRK_PMC_PLT_CLK_0 0x01
5444 ++
5445 + struct cht_mc_private {
5446 + struct clk *mclk;
5447 + struct snd_soc_jack jack;
5448 +@@ -385,11 +388,29 @@ static struct snd_soc_card snd_soc_card_cht = {
5449 + .num_controls = ARRAY_SIZE(cht_mc_controls),
5450 + };
5451 +
5452 ++static const struct dmi_system_id cht_max98090_quirk_table[] = {
5453 ++ {
5454 ++ /* Swanky model Chromebook (Toshiba Chromebook 2) */
5455 ++ .matches = {
5456 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Swanky"),
5457 ++ },
5458 ++ .driver_data = (void *)QUIRK_PMC_PLT_CLK_0,
5459 ++ },
5460 ++ {}
5461 ++};
5462 ++
5463 + static int snd_cht_mc_probe(struct platform_device *pdev)
5464 + {
5465 ++ const struct dmi_system_id *dmi_id;
5466 + struct device *dev = &pdev->dev;
5467 + int ret_val = 0;
5468 + struct cht_mc_private *drv;
5469 ++ const char *mclk_name;
5470 ++ int quirks = 0;
5471 ++
5472 ++ dmi_id = dmi_first_match(cht_max98090_quirk_table);
5473 ++ if (dmi_id)
5474 ++ quirks = (unsigned long)dmi_id->driver_data;
5475 +
5476 + drv = devm_kzalloc(&pdev->dev, sizeof(*drv), GFP_KERNEL);
5477 + if (!drv)
5478 +@@ -411,11 +432,16 @@ static int snd_cht_mc_probe(struct platform_device *pdev)
5479 + snd_soc_card_cht.dev = &pdev->dev;
5480 + snd_soc_card_set_drvdata(&snd_soc_card_cht, drv);
5481 +
5482 +- drv->mclk = devm_clk_get(&pdev->dev, "pmc_plt_clk_3");
5483 ++ if (quirks & QUIRK_PMC_PLT_CLK_0)
5484 ++ mclk_name = "pmc_plt_clk_0";
5485 ++ else
5486 ++ mclk_name = "pmc_plt_clk_3";
5487 ++
5488 ++ drv->mclk = devm_clk_get(&pdev->dev, mclk_name);
5489 + if (IS_ERR(drv->mclk)) {
5490 + dev_err(&pdev->dev,
5491 +- "Failed to get MCLK from pmc_plt_clk_3: %ld\n",
5492 +- PTR_ERR(drv->mclk));
5493 ++ "Failed to get MCLK from %s: %ld\n",
5494 ++ mclk_name, PTR_ERR(drv->mclk));
5495 + return PTR_ERR(drv->mclk);
5496 + }
5497 +
5498 +diff --git a/sound/sparc/cs4231.c b/sound/sparc/cs4231.c
5499 +index e73c962590eb..079063d8038d 100644
5500 +--- a/sound/sparc/cs4231.c
5501 ++++ b/sound/sparc/cs4231.c
5502 +@@ -1146,10 +1146,8 @@ static int snd_cs4231_playback_open(struct snd_pcm_substream *substream)
5503 + runtime->hw = snd_cs4231_playback;
5504 +
5505 + err = snd_cs4231_open(chip, CS4231_MODE_PLAY);
5506 +- if (err < 0) {
5507 +- snd_free_pages(runtime->dma_area, runtime->dma_bytes);
5508 ++ if (err < 0)
5509 + return err;
5510 +- }
5511 + chip->playback_substream = substream;
5512 + chip->p_periods_sent = 0;
5513 + snd_pcm_set_sync(substream);
5514 +@@ -1167,10 +1165,8 @@ static int snd_cs4231_capture_open(struct snd_pcm_substream *substream)
5515 + runtime->hw = snd_cs4231_capture;
5516 +
5517 + err = snd_cs4231_open(chip, CS4231_MODE_RECORD);
5518 +- if (err < 0) {
5519 +- snd_free_pages(runtime->dma_area, runtime->dma_bytes);
5520 ++ if (err < 0)
5521 + return err;
5522 +- }
5523 + chip->capture_substream = substream;
5524 + chip->c_periods_sent = 0;
5525 + snd_pcm_set_sync(substream);
5526 +diff --git a/tools/include/uapi/linux/prctl.h b/tools/include/uapi/linux/prctl.h
5527 +index c0d7ea0bf5b6..b17201edfa09 100644
5528 +--- a/tools/include/uapi/linux/prctl.h
5529 ++++ b/tools/include/uapi/linux/prctl.h
5530 +@@ -212,6 +212,7 @@ struct prctl_mm_map {
5531 + #define PR_SET_SPECULATION_CTRL 53
5532 + /* Speculation control variants */
5533 + # define PR_SPEC_STORE_BYPASS 0
5534 ++# define PR_SPEC_INDIRECT_BRANCH 1
5535 + /* Return and control values for PR_SET/GET_SPECULATION_CTRL */
5536 + # define PR_SPEC_NOT_AFFECTED 0
5537 + # define PR_SPEC_PRCTL (1UL << 0)
Report Message
Find on MARC Find on Google Groups