Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.19 commit in: /
Date: Thu, 02 May 2019 10:13:58
Message-Id: 1556792016.52f0bee9c888fcd51ddadcf3fa91689ea0a2da70.mpagano@gentoo
1 commit: 52f0bee9c888fcd51ddadcf3fa91689ea0a2da70
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Thu May 2 10:13:36 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Thu May 2 10:13:36 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=52f0bee9
7
8 Linux patch 4.19.38
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1037_linux-4.19.38.patch | 4023 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 4027 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 2acba8b..ad3e29c 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -191,6 +191,10 @@ Patch: 1036_linux-4.19.37.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.19.37
23
24 +Patch: 1037_linux-4.19.38.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.19.38
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1037_linux-4.19.38.patch b/1037_linux-4.19.38.patch
33 new file mode 100644
34 index 0000000..71a6d7d
35 --- /dev/null
36 +++ b/1037_linux-4.19.38.patch
37 @@ -0,0 +1,4023 @@
38 +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
39 +index f5acf35c712f..8b6567f7cb9b 100644
40 +--- a/Documentation/admin-guide/kernel-parameters.txt
41 ++++ b/Documentation/admin-guide/kernel-parameters.txt
42 +@@ -2805,7 +2805,7 @@
43 + check bypass). With this option data leaks are possible
44 + in the system.
45 +
46 +- nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2
47 ++ nospectre_v2 [X86,PPC_FSL_BOOK3E] Disable all mitigations for the Spectre variant 2
48 + (indirect branch prediction) vulnerability. System may
49 + allow data leaks with this option, which is equivalent
50 + to spectre_v2=off.
51 +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
52 +index 960de8fe3f40..2c31208528d5 100644
53 +--- a/Documentation/networking/ip-sysctl.txt
54 ++++ b/Documentation/networking/ip-sysctl.txt
55 +@@ -410,6 +410,7 @@ tcp_min_rtt_wlen - INTEGER
56 + minimum RTT when it is moved to a longer path (e.g., due to traffic
57 + engineering). A longer window makes the filter more resistant to RTT
58 + inflations such as transient congestion. The unit is seconds.
59 ++ Possible values: 0 - 86400 (1 day)
60 + Default: 300
61 +
62 + tcp_moderate_rcvbuf - BOOLEAN
63 +diff --git a/Makefile b/Makefile
64 +index 7b495cad8c2e..14d4aeb48907 100644
65 +--- a/Makefile
66 ++++ b/Makefile
67 +@@ -1,7 +1,7 @@
68 + # SPDX-License-Identifier: GPL-2.0
69 + VERSION = 4
70 + PATCHLEVEL = 19
71 +-SUBLEVEL = 37
72 ++SUBLEVEL = 38
73 + EXTRAVERSION =
74 + NAME = "People's Front"
75 +
76 +diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
77 +index 517e0e18f0b8..e205bbbe2794 100644
78 +--- a/arch/arm/boot/compressed/head.S
79 ++++ b/arch/arm/boot/compressed/head.S
80 +@@ -1395,7 +1395,21 @@ ENTRY(efi_stub_entry)
81 +
82 + @ Preserve return value of efi_entry() in r4
83 + mov r4, r0
84 +- bl cache_clean_flush
85 ++
86 ++ @ our cache maintenance code relies on CP15 barrier instructions
87 ++ @ but since we arrived here with the MMU and caches configured
88 ++ @ by UEFI, we must check that the CP15BEN bit is set in SCTLR.
89 ++ @ Note that this bit is RAO/WI on v6 and earlier, so the ISB in
90 ++ @ the enable path will be executed on v7+ only.
91 ++ mrc p15, 0, r1, c1, c0, 0 @ read SCTLR
92 ++ tst r1, #(1 << 5) @ CP15BEN bit set?
93 ++ bne 0f
94 ++ orr r1, r1, #(1 << 5) @ CP15 barrier instructions
95 ++ mcr p15, 0, r1, c1, c0, 0 @ write SCTLR
96 ++ ARM( .inst 0xf57ff06f @ v7+ isb )
97 ++ THUMB( isb )
98 ++
99 ++0: bl cache_clean_flush
100 + bl cache_off
101 +
102 + @ Set parameters for booting zImage according to boot protocol
103 +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
104 +index 73913f072e39..579608342ac6 100644
105 +--- a/arch/mips/kernel/scall64-o32.S
106 ++++ b/arch/mips/kernel/scall64-o32.S
107 +@@ -125,7 +125,7 @@ trace_a_syscall:
108 + subu t1, v0, __NR_O32_Linux
109 + move a1, v0
110 + bnez t1, 1f /* __NR_syscall at offset 0 */
111 +- lw a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
112 ++ ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
113 + .set pop
114 +
115 + 1: jal syscall_trace_enter
116 +diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
117 +index 6bd5e7261335..ffeaed63675b 100644
118 +--- a/arch/powerpc/configs/skiroot_defconfig
119 ++++ b/arch/powerpc/configs/skiroot_defconfig
120 +@@ -195,6 +195,7 @@ CONFIG_UDF_FS=m
121 + CONFIG_MSDOS_FS=m
122 + CONFIG_VFAT_FS=m
123 + CONFIG_PROC_KCORE=y
124 ++CONFIG_HUGETLBFS=y
125 + CONFIG_TMPFS=y
126 + CONFIG_TMPFS_POSIX_ACL=y
127 + # CONFIG_MISC_FILESYSTEMS is not set
128 +diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S
129 +index 769c2624e0a6..75cff3f336b3 100644
130 +--- a/arch/powerpc/kernel/vdso32/gettimeofday.S
131 ++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S
132 +@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
133 + * can be used, r7 contains NSEC_PER_SEC.
134 + */
135 +
136 +- lwz r5,WTOM_CLOCK_SEC(r9)
137 ++ lwz r5,(WTOM_CLOCK_SEC+LOPART)(r9)
138 + lwz r6,WTOM_CLOCK_NSEC(r9)
139 +
140 + /* We now have our offset in r5,r6. We create a fake dependency
141 +diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype
142 +index 6c6a7c72cae4..ad0216c41d2c 100644
143 +--- a/arch/powerpc/platforms/Kconfig.cputype
144 ++++ b/arch/powerpc/platforms/Kconfig.cputype
145 +@@ -330,7 +330,7 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK
146 +
147 + config PPC_RADIX_MMU
148 + bool "Radix MMU Support"
149 +- depends on PPC_BOOK3S_64
150 ++ depends on PPC_BOOK3S_64 && HUGETLB_PAGE
151 + select ARCH_HAS_GIGANTIC_PAGE if (MEMORY_ISOLATION && COMPACTION) || CMA
152 + default y
153 + help
154 +diff --git a/arch/x86/Makefile b/arch/x86/Makefile
155 +index b84f61bc5e7a..ffc823a8312f 100644
156 +--- a/arch/x86/Makefile
157 ++++ b/arch/x86/Makefile
158 +@@ -224,6 +224,15 @@ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables
159 + # Avoid indirect branches in kernel to deal with Spectre
160 + ifdef CONFIG_RETPOLINE
161 + KBUILD_CFLAGS += $(RETPOLINE_CFLAGS)
162 ++ # Additionally, avoid generating expensive indirect jumps which
163 ++ # are subject to retpolines for small number of switch cases.
164 ++ # clang turns off jump table generation by default when under
165 ++ # retpoline builds, however, gcc does not for x86. This has
166 ++ # only been fixed starting from gcc stable version 8.4.0 and
167 ++ # onwards, but not for older ones. See gcc bug #86952.
168 ++ ifndef CONFIG_CC_IS_CLANG
169 ++ KBUILD_CFLAGS += $(call cc-option,-fno-jump-tables)
170 ++ endif
171 + endif
172 +
173 + archscripts: scripts_basic
174 +diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c
175 +index 9f8084f18d58..6eb76106c469 100644
176 +--- a/arch/x86/events/intel/cstate.c
177 ++++ b/arch/x86/events/intel/cstate.c
178 +@@ -76,15 +76,15 @@
179 + * Scope: Package (physical package)
180 + * MSR_PKG_C8_RESIDENCY: Package C8 Residency Counter.
181 + * perf code: 0x04
182 +- * Available model: HSW ULT,CNL
183 ++ * Available model: HSW ULT,KBL,CNL
184 + * Scope: Package (physical package)
185 + * MSR_PKG_C9_RESIDENCY: Package C9 Residency Counter.
186 + * perf code: 0x05
187 +- * Available model: HSW ULT,CNL
188 ++ * Available model: HSW ULT,KBL,CNL
189 + * Scope: Package (physical package)
190 + * MSR_PKG_C10_RESIDENCY: Package C10 Residency Counter.
191 + * perf code: 0x06
192 +- * Available model: HSW ULT,GLM,CNL
193 ++ * Available model: HSW ULT,KBL,GLM,CNL
194 + * Scope: Package (physical package)
195 + *
196 + */
197 +@@ -572,8 +572,8 @@ static const struct x86_cpu_id intel_cstates_match[] __initconst = {
198 + X86_CSTATES_MODEL(INTEL_FAM6_SKYLAKE_DESKTOP, snb_cstates),
199 + X86_CSTATES_MODEL(INTEL_FAM6_SKYLAKE_X, snb_cstates),
200 +
201 +- X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_MOBILE, snb_cstates),
202 +- X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_DESKTOP, snb_cstates),
203 ++ X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_MOBILE, hswult_cstates),
204 ++ X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_DESKTOP, hswult_cstates),
205 +
206 + X86_CSTATES_MODEL(INTEL_FAM6_CANNONLAKE_MOBILE, cnl_cstates),
207 +
208 +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
209 +index cec5fae23eb3..baa549f8e918 100644
210 +--- a/arch/x86/include/asm/efi.h
211 ++++ b/arch/x86/include/asm/efi.h
212 +@@ -82,8 +82,7 @@ struct efi_scratch {
213 + #define arch_efi_call_virt_setup() \
214 + ({ \
215 + efi_sync_low_kernel_mappings(); \
216 +- preempt_disable(); \
217 +- __kernel_fpu_begin(); \
218 ++ kernel_fpu_begin(); \
219 + firmware_restrict_branch_speculation_start(); \
220 + \
221 + if (!efi_enabled(EFI_OLD_MEMMAP)) \
222 +@@ -99,8 +98,7 @@ struct efi_scratch {
223 + efi_switch_mm(efi_scratch.prev_mm); \
224 + \
225 + firmware_restrict_branch_speculation_end(); \
226 +- __kernel_fpu_end(); \
227 +- preempt_enable(); \
228 ++ kernel_fpu_end(); \
229 + })
230 +
231 + extern void __iomem *__init efi_ioremap(unsigned long addr, unsigned long size,
232 +diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h
233 +index a9caac9d4a72..b56d504af654 100644
234 +--- a/arch/x86/include/asm/fpu/api.h
235 ++++ b/arch/x86/include/asm/fpu/api.h
236 +@@ -12,17 +12,12 @@
237 + #define _ASM_X86_FPU_API_H
238 +
239 + /*
240 +- * Careful: __kernel_fpu_begin/end() must be called with preempt disabled
241 +- * and they don't touch the preempt state on their own.
242 +- * If you enable preemption after __kernel_fpu_begin(), preempt notifier
243 +- * should call the __kernel_fpu_end() to prevent the kernel/user FPU
244 +- * state from getting corrupted. KVM for example uses this model.
245 +- *
246 +- * All other cases use kernel_fpu_begin/end() which disable preemption
247 +- * during kernel FPU usage.
248 ++ * Use kernel_fpu_begin/end() if you intend to use FPU in kernel context. It
249 ++ * disables preemption so be careful if you intend to use it for long periods
250 ++ * of time.
251 ++ * If you intend to use the FPU in softirq you need to check first with
252 ++ * irq_fpu_usable() if it is possible.
253 + */
254 +-extern void __kernel_fpu_begin(void);
255 +-extern void __kernel_fpu_end(void);
256 + extern void kernel_fpu_begin(void);
257 + extern void kernel_fpu_end(void);
258 + extern bool irq_fpu_usable(void);
259 +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
260 +index 2ea85b32421a..2e5003fef51a 100644
261 +--- a/arch/x86/kernel/fpu/core.c
262 ++++ b/arch/x86/kernel/fpu/core.c
263 +@@ -93,7 +93,7 @@ bool irq_fpu_usable(void)
264 + }
265 + EXPORT_SYMBOL(irq_fpu_usable);
266 +
267 +-void __kernel_fpu_begin(void)
268 ++static void __kernel_fpu_begin(void)
269 + {
270 + struct fpu *fpu = &current->thread.fpu;
271 +
272 +@@ -111,9 +111,8 @@ void __kernel_fpu_begin(void)
273 + __cpu_invalidate_fpregs_state();
274 + }
275 + }
276 +-EXPORT_SYMBOL(__kernel_fpu_begin);
277 +
278 +-void __kernel_fpu_end(void)
279 ++static void __kernel_fpu_end(void)
280 + {
281 + struct fpu *fpu = &current->thread.fpu;
282 +
283 +@@ -122,7 +121,6 @@ void __kernel_fpu_end(void)
284 +
285 + kernel_fpu_enable();
286 + }
287 +-EXPORT_SYMBOL(__kernel_fpu_end);
288 +
289 + void kernel_fpu_begin(void)
290 + {
291 +diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
292 +index 030c98f35cca..a654ccfd1a22 100644
293 +--- a/drivers/android/binder_alloc.c
294 ++++ b/drivers/android/binder_alloc.c
295 +@@ -958,14 +958,13 @@ enum lru_status binder_alloc_free_page(struct list_head *item,
296 +
297 + index = page - alloc->pages;
298 + page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE;
299 ++
300 ++ mm = alloc->vma_vm_mm;
301 ++ if (!mmget_not_zero(mm))
302 ++ goto err_mmget;
303 ++ if (!down_write_trylock(&mm->mmap_sem))
304 ++ goto err_down_write_mmap_sem_failed;
305 + vma = binder_alloc_get_vma(alloc);
306 +- if (vma) {
307 +- if (!mmget_not_zero(alloc->vma_vm_mm))
308 +- goto err_mmget;
309 +- mm = alloc->vma_vm_mm;
310 +- if (!down_write_trylock(&mm->mmap_sem))
311 +- goto err_down_write_mmap_sem_failed;
312 +- }
313 +
314 + list_lru_isolate(lru, item);
315 + spin_unlock(lock);
316 +@@ -978,10 +977,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item,
317 + PAGE_SIZE);
318 +
319 + trace_binder_unmap_user_end(alloc, index);
320 +-
321 +- up_write(&mm->mmap_sem);
322 +- mmput(mm);
323 + }
324 ++ up_write(&mm->mmap_sem);
325 ++ mmput(mm);
326 +
327 + trace_binder_unmap_kernel_start(alloc, index);
328 +
329 +diff --git a/drivers/block/loop.c b/drivers/block/loop.c
330 +index a63da9e07341..f1e63eb7cbca 100644
331 +--- a/drivers/block/loop.c
332 ++++ b/drivers/block/loop.c
333 +@@ -1112,8 +1112,9 @@ out_unlock:
334 + err = __blkdev_reread_part(bdev);
335 + else
336 + err = blkdev_reread_part(bdev);
337 +- pr_warn("%s: partition scan of loop%d failed (rc=%d)\n",
338 +- __func__, lo_number, err);
339 ++ if (err)
340 ++ pr_warn("%s: partition scan of loop%d failed (rc=%d)\n",
341 ++ __func__, lo_number, err);
342 + /* Device is gone, no point in returning error */
343 + err = 0;
344 + }
345 +diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c
346 +index a65505db09e5..70cbd0ee1b07 100644
347 +--- a/drivers/block/zram/zram_drv.c
348 ++++ b/drivers/block/zram/zram_drv.c
349 +@@ -515,18 +515,18 @@ struct zram_work {
350 + struct zram *zram;
351 + unsigned long entry;
352 + struct bio *bio;
353 ++ struct bio_vec bvec;
354 + };
355 +
356 + #if PAGE_SIZE != 4096
357 + static void zram_sync_read(struct work_struct *work)
358 + {
359 +- struct bio_vec bvec;
360 + struct zram_work *zw = container_of(work, struct zram_work, work);
361 + struct zram *zram = zw->zram;
362 + unsigned long entry = zw->entry;
363 + struct bio *bio = zw->bio;
364 +
365 +- read_from_bdev_async(zram, &bvec, entry, bio);
366 ++ read_from_bdev_async(zram, &zw->bvec, entry, bio);
367 + }
368 +
369 + /*
370 +@@ -539,6 +539,7 @@ static int read_from_bdev_sync(struct zram *zram, struct bio_vec *bvec,
371 + {
372 + struct zram_work work;
373 +
374 ++ work.bvec = *bvec;
375 + work.zram = zram;
376 + work.entry = entry;
377 + work.bio = bio;
378 +diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
379 +index 48ee35e2bce6..0b05a1e08d21 100644
380 +--- a/drivers/dma/sh/rcar-dmac.c
381 ++++ b/drivers/dma/sh/rcar-dmac.c
382 +@@ -1281,6 +1281,9 @@ static unsigned int rcar_dmac_chan_get_residue(struct rcar_dmac_chan *chan,
383 + enum dma_status status;
384 + unsigned int residue = 0;
385 + unsigned int dptr = 0;
386 ++ unsigned int chcrb;
387 ++ unsigned int tcrb;
388 ++ unsigned int i;
389 +
390 + if (!desc)
391 + return 0;
392 +@@ -1328,6 +1331,24 @@ static unsigned int rcar_dmac_chan_get_residue(struct rcar_dmac_chan *chan,
393 + return 0;
394 + }
395 +
396 ++ /*
397 ++ * We need to read two registers.
398 ++ * Make sure the control register does not skip to next chunk
399 ++ * while reading the counter.
400 ++ * Trying it 3 times should be enough: Initial read, retry, retry
401 ++ * for the paranoid.
402 ++ */
403 ++ for (i = 0; i < 3; i++) {
404 ++ chcrb = rcar_dmac_chan_read(chan, RCAR_DMACHCRB) &
405 ++ RCAR_DMACHCRB_DPTR_MASK;
406 ++ tcrb = rcar_dmac_chan_read(chan, RCAR_DMATCRB);
407 ++ /* Still the same? */
408 ++ if (chcrb == (rcar_dmac_chan_read(chan, RCAR_DMACHCRB) &
409 ++ RCAR_DMACHCRB_DPTR_MASK))
410 ++ break;
411 ++ }
412 ++ WARN_ONCE(i >= 3, "residue might be not continuous!");
413 ++
414 + /*
415 + * In descriptor mode the descriptor running pointer is not maintained
416 + * by the interrupt handler, find the running descriptor from the
417 +@@ -1335,8 +1356,7 @@ static unsigned int rcar_dmac_chan_get_residue(struct rcar_dmac_chan *chan,
418 + * mode just use the running descriptor pointer.
419 + */
420 + if (desc->hwdescs.use) {
421 +- dptr = (rcar_dmac_chan_read(chan, RCAR_DMACHCRB) &
422 +- RCAR_DMACHCRB_DPTR_MASK) >> RCAR_DMACHCRB_DPTR_SHIFT;
423 ++ dptr = chcrb >> RCAR_DMACHCRB_DPTR_SHIFT;
424 + if (dptr == 0)
425 + dptr = desc->nchunks;
426 + dptr--;
427 +@@ -1354,7 +1374,7 @@ static unsigned int rcar_dmac_chan_get_residue(struct rcar_dmac_chan *chan,
428 + }
429 +
430 + /* Add the residue for the current chunk. */
431 +- residue += rcar_dmac_chan_read(chan, RCAR_DMATCRB) << desc->xfer_shift;
432 ++ residue += tcrb << desc->xfer_shift;
433 +
434 + return residue;
435 + }
436 +@@ -1367,6 +1387,7 @@ static enum dma_status rcar_dmac_tx_status(struct dma_chan *chan,
437 + enum dma_status status;
438 + unsigned long flags;
439 + unsigned int residue;
440 ++ bool cyclic;
441 +
442 + status = dma_cookie_status(chan, cookie, txstate);
443 + if (status == DMA_COMPLETE || !txstate)
444 +@@ -1374,10 +1395,11 @@ static enum dma_status rcar_dmac_tx_status(struct dma_chan *chan,
445 +
446 + spin_lock_irqsave(&rchan->lock, flags);
447 + residue = rcar_dmac_chan_get_residue(rchan, cookie);
448 ++ cyclic = rchan->desc.running ? rchan->desc.running->cyclic : false;
449 + spin_unlock_irqrestore(&rchan->lock, flags);
450 +
451 + /* if there's no residue, the cookie is complete */
452 +- if (!residue)
453 ++ if (!residue && !cyclic)
454 + return DMA_COMPLETE;
455 +
456 + dma_set_residue(txstate, residue);
457 +diff --git a/drivers/gpio/gpio-eic-sprd.c b/drivers/gpio/gpio-eic-sprd.c
458 +index e41223c05f6e..6cf2e2ce4093 100644
459 +--- a/drivers/gpio/gpio-eic-sprd.c
460 ++++ b/drivers/gpio/gpio-eic-sprd.c
461 +@@ -414,6 +414,7 @@ static int sprd_eic_irq_set_type(struct irq_data *data, unsigned int flow_type)
462 + irq_set_handler_locked(data, handle_edge_irq);
463 + break;
464 + case IRQ_TYPE_EDGE_BOTH:
465 ++ sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTMODE, 0);
466 + sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTBOTH, 1);
467 + irq_set_handler_locked(data, handle_edge_irq);
468 + break;
469 +diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c
470 +index 6f91634880aa..2d6506c08bf7 100644
471 +--- a/drivers/gpu/drm/i915/intel_fbdev.c
472 ++++ b/drivers/gpu/drm/i915/intel_fbdev.c
473 +@@ -334,8 +334,8 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper,
474 + bool *enabled, int width, int height)
475 + {
476 + struct drm_i915_private *dev_priv = to_i915(fb_helper->dev);
477 ++ unsigned long conn_configured, conn_seq, mask;
478 + unsigned int count = min(fb_helper->connector_count, BITS_PER_LONG);
479 +- unsigned long conn_configured, conn_seq;
480 + int i, j;
481 + bool *save_enabled;
482 + bool fallback = true, ret = true;
483 +@@ -353,9 +353,10 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper,
484 + drm_modeset_backoff(&ctx);
485 +
486 + memcpy(save_enabled, enabled, count);
487 +- conn_seq = GENMASK(count - 1, 0);
488 ++ mask = GENMASK(count - 1, 0);
489 + conn_configured = 0;
490 + retry:
491 ++ conn_seq = conn_configured;
492 + for (i = 0; i < count; i++) {
493 + struct drm_fb_helper_connector *fb_conn;
494 + struct drm_connector *connector;
495 +@@ -368,8 +369,7 @@ retry:
496 + if (conn_configured & BIT(i))
497 + continue;
498 +
499 +- /* First pass, only consider tiled connectors */
500 +- if (conn_seq == GENMASK(count - 1, 0) && !connector->has_tile)
501 ++ if (conn_seq == 0 && !connector->has_tile)
502 + continue;
503 +
504 + if (connector->status == connector_status_connected)
505 +@@ -473,10 +473,8 @@ retry:
506 + conn_configured |= BIT(i);
507 + }
508 +
509 +- if (conn_configured != conn_seq) { /* repeat until no more are found */
510 +- conn_seq = conn_configured;
511 ++ if ((conn_configured & mask) != mask && conn_configured != conn_seq)
512 + goto retry;
513 +- }
514 +
515 + /*
516 + * If the BIOS didn't enable everything it could, fall back to have the
517 +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
518 +index 5a485489a1e2..6c8b14fb1d2f 100644
519 +--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c
520 ++++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c
521 +@@ -113,7 +113,7 @@ static int cdp_dp_mailbox_write(struct cdn_dp_device *dp, u8 val)
522 +
523 + static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp,
524 + u8 module_id, u8 opcode,
525 +- u8 req_size)
526 ++ u16 req_size)
527 + {
528 + u32 mbox_size, i;
529 + u8 header[4];
530 +diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c
531 +index 0e6a121858d1..5615ceb15708 100644
532 +--- a/drivers/gpu/drm/vc4/vc4_crtc.c
533 ++++ b/drivers/gpu/drm/vc4/vc4_crtc.c
534 +@@ -998,7 +998,7 @@ static void
535 + vc4_crtc_reset(struct drm_crtc *crtc)
536 + {
537 + if (crtc->state)
538 +- __drm_atomic_helper_crtc_destroy_state(crtc->state);
539 ++ vc4_crtc_destroy_state(crtc, crtc->state);
540 +
541 + crtc->state = kzalloc(sizeof(struct vc4_crtc_state), GFP_KERNEL);
542 + if (crtc->state)
543 +diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c
544 +index cc287cf6eb29..edc52d75e6bd 100644
545 +--- a/drivers/hwtracing/intel_th/gth.c
546 ++++ b/drivers/hwtracing/intel_th/gth.c
547 +@@ -616,7 +616,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev,
548 + othdev->output.port = -1;
549 + othdev->output.active = false;
550 + gth->output[port].output = NULL;
551 +- for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++)
552 ++ for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
553 + if (gth->master[master] == port)
554 + gth->master[master] = -1;
555 + spin_unlock(&gth->gth_lock);
556 +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
557 +index 50be240df331..8cc4da62f050 100644
558 +--- a/drivers/infiniband/hw/mlx5/main.c
559 ++++ b/drivers/infiniband/hw/mlx5/main.c
560 +@@ -2014,6 +2014,7 @@ static int mlx5_ib_mmap_clock_info_page(struct mlx5_ib_dev *dev,
561 +
562 + if (vma->vm_flags & VM_WRITE)
563 + return -EPERM;
564 ++ vma->vm_flags &= ~VM_MAYWRITE;
565 +
566 + if (!dev->mdev->clock_info_page)
567 + return -EOPNOTSUPP;
568 +@@ -2197,6 +2198,7 @@ static int mlx5_ib_mmap(struct ib_ucontext *ibcontext, struct vm_area_struct *vm
569 +
570 + if (vma->vm_flags & VM_WRITE)
571 + return -EPERM;
572 ++ vma->vm_flags &= ~VM_MAYWRITE;
573 +
574 + /* Don't expose to user-space information it shouldn't have */
575 + if (PAGE_SIZE > 4096)
576 +diff --git a/drivers/infiniband/sw/rdmavt/mr.c b/drivers/infiniband/sw/rdmavt/mr.c
577 +index 49c9541050d4..5819c9d6ffdc 100644
578 +--- a/drivers/infiniband/sw/rdmavt/mr.c
579 ++++ b/drivers/infiniband/sw/rdmavt/mr.c
580 +@@ -611,11 +611,6 @@ static int rvt_set_page(struct ib_mr *ibmr, u64 addr)
581 + if (unlikely(mapped_segs == mr->mr.max_segs))
582 + return -ENOMEM;
583 +
584 +- if (mr->mr.length == 0) {
585 +- mr->mr.user_base = addr;
586 +- mr->mr.iova = addr;
587 +- }
588 +-
589 + m = mapped_segs / RVT_SEGSZ;
590 + n = mapped_segs % RVT_SEGSZ;
591 + mr->mr.map[m]->segs[n].vaddr = (void *)addr;
592 +@@ -633,17 +628,24 @@ static int rvt_set_page(struct ib_mr *ibmr, u64 addr)
593 + * @sg_nents: number of entries in sg
594 + * @sg_offset: offset in bytes into sg
595 + *
596 ++ * Overwrite rvt_mr length with mr length calculated by ib_sg_to_pages.
597 ++ *
598 + * Return: number of sg elements mapped to the memory region
599 + */
600 + int rvt_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg,
601 + int sg_nents, unsigned int *sg_offset)
602 + {
603 + struct rvt_mr *mr = to_imr(ibmr);
604 ++ int ret;
605 +
606 + mr->mr.length = 0;
607 + mr->mr.page_shift = PAGE_SHIFT;
608 +- return ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset,
609 +- rvt_set_page);
610 ++ ret = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, rvt_set_page);
611 ++ mr->mr.user_base = ibmr->iova;
612 ++ mr->mr.iova = ibmr->iova;
613 ++ mr->mr.offset = ibmr->iova - (u64)mr->mr.map[0]->segs[0].vaddr;
614 ++ mr->mr.length = (size_t)ibmr->length;
615 ++ return ret;
616 + }
617 +
618 + /**
619 +@@ -674,6 +676,7 @@ int rvt_fast_reg_mr(struct rvt_qp *qp, struct ib_mr *ibmr, u32 key,
620 + ibmr->rkey = key;
621 + mr->mr.lkey = key;
622 + mr->mr.access_flags = access;
623 ++ mr->mr.iova = ibmr->iova;
624 + atomic_set(&mr->mr.lkey_invalid, 0);
625 +
626 + return 0;
627 +diff --git a/drivers/input/rmi4/rmi_f11.c b/drivers/input/rmi4/rmi_f11.c
628 +index df64d6aed4f7..93901ebd122a 100644
629 +--- a/drivers/input/rmi4/rmi_f11.c
630 ++++ b/drivers/input/rmi4/rmi_f11.c
631 +@@ -1230,7 +1230,7 @@ static int rmi_f11_initialize(struct rmi_function *fn)
632 + }
633 +
634 + rc = f11_write_control_regs(fn, &f11->sens_query,
635 +- &f11->dev_controls, fn->fd.query_base_addr);
636 ++ &f11->dev_controls, fn->fd.control_base_addr);
637 + if (rc)
638 + dev_warn(&fn->dev, "Failed to write control registers\n");
639 +
640 +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
641 +index dabe89968a78..2caa5c0c2bc4 100644
642 +--- a/drivers/net/dsa/mv88e6xxx/chip.c
643 ++++ b/drivers/net/dsa/mv88e6xxx/chip.c
644 +@@ -4821,6 +4821,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
645 + if (err)
646 + goto out;
647 +
648 ++ mv88e6xxx_ports_cmode_init(chip);
649 + mv88e6xxx_phy_init(chip);
650 +
651 + if (chip->info->ops->get_eeprom) {
652 +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
653 +index b043370c2685..cc84133c184d 100644
654 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
655 ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
656 +@@ -1169,6 +1169,12 @@ int hns_nic_init_phy(struct net_device *ndev, struct hnae_handle *h)
657 + if (!h->phy_dev)
658 + return 0;
659 +
660 ++ phy_dev->supported &= h->if_support;
661 ++ phy_dev->advertising = phy_dev->supported;
662 ++
663 ++ if (h->phy_if == PHY_INTERFACE_MODE_XGMII)
664 ++ phy_dev->autoneg = false;
665 ++
666 + if (h->phy_if != PHY_INTERFACE_MODE_XGMII) {
667 + phy_dev->dev_flags = 0;
668 +
669 +@@ -1180,15 +1186,6 @@ int hns_nic_init_phy(struct net_device *ndev, struct hnae_handle *h)
670 + if (unlikely(ret))
671 + return -ENODEV;
672 +
673 +- phy_dev->supported &= h->if_support;
674 +- phy_dev->advertising = phy_dev->supported;
675 +-
676 +- if (h->phy_if == PHY_INTERFACE_MODE_XGMII)
677 +- phy_dev->autoneg = false;
678 +-
679 +- if (h->phy_if == PHY_INTERFACE_MODE_SGMII)
680 +- phy_stop(phy_dev);
681 +-
682 + return 0;
683 + }
684 +
685 +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
686 +index a475f36ddf8c..426789e2c23d 100644
687 +--- a/drivers/net/ethernet/ibm/ibmvnic.c
688 ++++ b/drivers/net/ethernet/ibm/ibmvnic.c
689 +@@ -1859,7 +1859,7 @@ static int do_reset(struct ibmvnic_adapter *adapter,
690 +
691 + if (adapter->reset_reason != VNIC_RESET_FAILOVER &&
692 + adapter->reset_reason != VNIC_RESET_CHANGE_PARAM)
693 +- netdev_notify_peers(netdev);
694 ++ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, netdev);
695 +
696 + netif_carrier_on(netdev);
697 +
698 +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
699 +index 3f536541f45f..78a43d688cb1 100644
700 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c
701 ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
702 +@@ -41,6 +41,8 @@ static int __init fm10k_init_module(void)
703 + /* create driver workqueue */
704 + fm10k_workqueue = alloc_workqueue("%s", WQ_MEM_RECLAIM, 0,
705 + fm10k_driver_name);
706 ++ if (!fm10k_workqueue)
707 ++ return -ENOMEM;
708 +
709 + fm10k_dbg_init();
710 +
711 +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
712 +index 9988c89ed9fd..9b10abb604cb 100644
713 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
714 ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
715 +@@ -4272,7 +4272,7 @@ static void mvpp2_phylink_validate(struct net_device *dev,
716 + case PHY_INTERFACE_MODE_RGMII_ID:
717 + case PHY_INTERFACE_MODE_RGMII_RXID:
718 + case PHY_INTERFACE_MODE_RGMII_TXID:
719 +- if (port->gop_id == 0)
720 ++ if (port->priv->hw_version == MVPP22 && port->gop_id == 0)
721 + goto empty_set;
722 + break;
723 + default:
724 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
725 +index 4a33c9a7cac7..599114ab7821 100644
726 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
727 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
728 +@@ -33,6 +33,26 @@
729 + #include <linux/bpf_trace.h>
730 + #include "en/xdp.h"
731 +
732 ++int mlx5e_xdp_max_mtu(struct mlx5e_params *params)
733 ++{
734 ++ int hr = NET_IP_ALIGN + XDP_PACKET_HEADROOM;
735 ++
736 ++ /* Let S := SKB_DATA_ALIGN(sizeof(struct skb_shared_info)).
737 ++ * The condition checked in mlx5e_rx_is_linear_skb is:
738 ++ * SKB_DATA_ALIGN(sw_mtu + hard_mtu + hr) + S <= PAGE_SIZE (1)
739 ++ * (Note that hw_mtu == sw_mtu + hard_mtu.)
740 ++ * What is returned from this function is:
741 ++ * max_mtu = PAGE_SIZE - S - hr - hard_mtu (2)
742 ++ * After assigning sw_mtu := max_mtu, the left side of (1) turns to
743 ++ * SKB_DATA_ALIGN(PAGE_SIZE - S) + S, which is equal to PAGE_SIZE,
744 ++ * because both PAGE_SIZE and S are already aligned. Any number greater
745 ++ * than max_mtu would make the left side of (1) greater than PAGE_SIZE,
746 ++ * so max_mtu is the maximum MTU allowed.
747 ++ */
748 ++
749 ++ return MLX5E_HW2SW_MTU(params, SKB_MAX_HEAD(hr));
750 ++}
751 ++
752 + static inline bool
753 + mlx5e_xmit_xdp_buff(struct mlx5e_xdpsq *sq, struct mlx5e_dma_info *di,
754 + struct xdp_buff *xdp)
755 +@@ -207,9 +227,9 @@ bool mlx5e_poll_xdpsq_cq(struct mlx5e_cq *cq)
756 + sqcc++;
757 +
758 + if (is_redirect) {
759 +- xdp_return_frame(xdpi->xdpf);
760 + dma_unmap_single(sq->pdev, xdpi->dma_addr,
761 + xdpi->xdpf->len, DMA_TO_DEVICE);
762 ++ xdp_return_frame(xdpi->xdpf);
763 + } else {
764 + /* Recycle RX page */
765 + mlx5e_page_release(rq, &xdpi->di, true);
766 +@@ -243,9 +263,9 @@ void mlx5e_free_xdpsq_descs(struct mlx5e_xdpsq *sq)
767 + sq->cc++;
768 +
769 + if (is_redirect) {
770 +- xdp_return_frame(xdpi->xdpf);
771 + dma_unmap_single(sq->pdev, xdpi->dma_addr,
772 + xdpi->xdpf->len, DMA_TO_DEVICE);
773 ++ xdp_return_frame(xdpi->xdpf);
774 + } else {
775 + /* Recycle RX page */
776 + mlx5e_page_release(rq, &xdpi->di, false);
777 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h
778 +index 4d096623178b..827ceef5fa93 100644
779 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h
780 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h
781 +@@ -34,12 +34,11 @@
782 +
783 + #include "en.h"
784 +
785 +-#define MLX5E_XDP_MAX_MTU ((int)(PAGE_SIZE - \
786 +- MLX5_SKB_FRAG_SZ(XDP_PACKET_HEADROOM)))
787 + #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)
788 + #define MLX5E_XDP_TX_DS_COUNT \
789 + ((sizeof(struct mlx5e_tx_wqe) / MLX5_SEND_WQE_DS) + 1 /* SG DS */)
790 +
791 ++int mlx5e_xdp_max_mtu(struct mlx5e_params *params);
792 + bool mlx5e_xdp_handle(struct mlx5e_rq *rq, struct mlx5e_dma_info *di,
793 + void *va, u16 *rx_headroom, u32 *len);
794 + bool mlx5e_poll_xdpsq_cq(struct mlx5e_cq *cq);
795 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
796 +index 5e5423076b03..9ca4f88d7cf6 100644
797 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
798 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
799 +@@ -1317,7 +1317,7 @@ static int mlx5e_get_module_info(struct net_device *netdev,
800 + break;
801 + case MLX5_MODULE_ID_SFP:
802 + modinfo->type = ETH_MODULE_SFF_8472;
803 +- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
804 ++ modinfo->eeprom_len = MLX5_EEPROM_PAGE_LENGTH;
805 + break;
806 + default:
807 + netdev_err(priv->netdev, "%s: cable type not recognized:0x%x\n",
808 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
809 +index 637d59c01fe5..b190c447aeb0 100644
810 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
811 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
812 +@@ -3761,7 +3761,7 @@ int mlx5e_change_mtu(struct net_device *netdev, int new_mtu,
813 + if (params->xdp_prog &&
814 + !mlx5e_rx_is_linear_skb(priv->mdev, &new_channels.params)) {
815 + netdev_err(netdev, "MTU(%d) > %d is not allowed while XDP enabled\n",
816 +- new_mtu, MLX5E_XDP_MAX_MTU);
817 ++ new_mtu, mlx5e_xdp_max_mtu(params));
818 + err = -EINVAL;
819 + goto out;
820 + }
821 +@@ -4227,7 +4227,8 @@ static int mlx5e_xdp_allowed(struct mlx5e_priv *priv, struct bpf_prog *prog)
822 +
823 + if (!mlx5e_rx_is_linear_skb(priv->mdev, &new_channels.params)) {
824 + netdev_warn(netdev, "XDP is not allowed with MTU(%d) > %d\n",
825 +- new_channels.params.sw_mtu, MLX5E_XDP_MAX_MTU);
826 ++ new_channels.params.sw_mtu,
827 ++ mlx5e_xdp_max_mtu(&new_channels.params));
828 + return -EINVAL;
829 + }
830 +
831 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
832 +index 31a9cbd85689..09b6b1bfbfa8 100644
833 +--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
834 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
835 +@@ -404,10 +404,6 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
836 + size -= offset + size - MLX5_EEPROM_PAGE_LENGTH;
837 +
838 + i2c_addr = MLX5_I2C_ADDR_LOW;
839 +- if (offset >= MLX5_EEPROM_PAGE_LENGTH) {
840 +- i2c_addr = MLX5_I2C_ADDR_HIGH;
841 +- offset -= MLX5_EEPROM_PAGE_LENGTH;
842 +- }
843 +
844 + MLX5_SET(mcia_reg, in, l, 0);
845 + MLX5_SET(mcia_reg, in, module, module_num);
846 +diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
847 +index 72cdaa01d56d..100618531021 100644
848 +--- a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
849 ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
850 +@@ -27,7 +27,7 @@
851 +
852 + #define MLXSW_PCI_SW_RESET 0xF0010
853 + #define MLXSW_PCI_SW_RESET_RST_BIT BIT(0)
854 +-#define MLXSW_PCI_SW_RESET_TIMEOUT_MSECS 13000
855 ++#define MLXSW_PCI_SW_RESET_TIMEOUT_MSECS 20000
856 + #define MLXSW_PCI_SW_RESET_WAIT_MSECS 100
857 + #define MLXSW_PCI_FW_READY 0xA1844
858 + #define MLXSW_PCI_FW_READY_MASK 0xFFFF
859 +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
860 +index f9bef030ee05..c5b82e283d13 100644
861 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
862 ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
863 +@@ -2504,11 +2504,11 @@ mlxsw_sp_port_set_link_ksettings(struct net_device *dev,
864 + if (err)
865 + return err;
866 +
867 ++ mlxsw_sp_port->link.autoneg = autoneg;
868 ++
869 + if (!netif_running(dev))
870 + return 0;
871 +
872 +- mlxsw_sp_port->link.autoneg = autoneg;
873 +-
874 + mlxsw_sp_port_admin_status_set(mlxsw_sp_port, false);
875 + mlxsw_sp_port_admin_status_set(mlxsw_sp_port, true);
876 +
877 +@@ -2783,7 +2783,7 @@ static int mlxsw_sp_port_ets_init(struct mlxsw_sp_port *mlxsw_sp_port)
878 + err = mlxsw_sp_port_ets_set(mlxsw_sp_port,
879 + MLXSW_REG_QEEC_HIERARCY_TC,
880 + i + 8, i,
881 +- false, 0);
882 ++ true, 100);
883 + if (err)
884 + return err;
885 + }
886 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
887 +index 886176be818e..62460a5b4ad9 100644
888 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
889 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
890 +@@ -2595,8 +2595,6 @@ static int stmmac_open(struct net_device *dev)
891 + u32 chan;
892 + int ret;
893 +
894 +- stmmac_check_ether_addr(priv);
895 +-
896 + if (priv->hw->pcs != STMMAC_PCS_RGMII &&
897 + priv->hw->pcs != STMMAC_PCS_TBI &&
898 + priv->hw->pcs != STMMAC_PCS_RTBI) {
899 +@@ -4296,6 +4294,8 @@ int stmmac_dvr_probe(struct device *device,
900 + if (ret)
901 + goto error_hw_init;
902 +
903 ++ stmmac_check_ether_addr(priv);
904 ++
905 + /* Configure real RX and TX queues */
906 + netif_set_real_num_rx_queues(ndev, priv->plat->rx_queues_to_use);
907 + netif_set_real_num_tx_queues(ndev, priv->plat->tx_queues_to_use);
908 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
909 +index d819e8eaba12..cc1e887e47b5 100644
910 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
911 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
912 +@@ -159,6 +159,12 @@ static const struct dmi_system_id quark_pci_dmi[] = {
913 + },
914 + .driver_data = (void *)&galileo_stmmac_dmi_data,
915 + },
916 ++ /*
917 ++ * There are 2 types of SIMATIC IOT2000: IOT20202 and IOT2040.
918 ++ * The asset tag "6ES7647-0AA00-0YA2" is only for IOT2020 which
919 ++ * has only one pci network device while other asset tags are
920 ++ * for IOT2040 which has two.
921 ++ */
922 + {
923 + .matches = {
924 + DMI_EXACT_MATCH(DMI_BOARD_NAME, "SIMATIC IOT2000"),
925 +@@ -170,8 +176,6 @@ static const struct dmi_system_id quark_pci_dmi[] = {
926 + {
927 + .matches = {
928 + DMI_EXACT_MATCH(DMI_BOARD_NAME, "SIMATIC IOT2000"),
929 +- DMI_EXACT_MATCH(DMI_BOARD_ASSET_TAG,
930 +- "6ES7647-0AA00-1YA2"),
931 + },
932 + .driver_data = (void *)&iot2040_stmmac_dmi_data,
933 + },
934 +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
935 +index f4e93f5fc204..ea90db3c7705 100644
936 +--- a/drivers/net/slip/slhc.c
937 ++++ b/drivers/net/slip/slhc.c
938 +@@ -153,7 +153,7 @@ out_fail:
939 + void
940 + slhc_free(struct slcompress *comp)
941 + {
942 +- if ( comp == NULLSLCOMPR )
943 ++ if ( IS_ERR_OR_NULL(comp) )
944 + return;
945 +
946 + if ( comp->tstate != NULLSLSTATE )
947 +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
948 +index e23eaf3f6d03..6c6230b44bcd 100644
949 +--- a/drivers/net/team/team.c
950 ++++ b/drivers/net/team/team.c
951 +@@ -1160,6 +1160,13 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
952 + return -EINVAL;
953 + }
954 +
955 ++ if (netdev_has_upper_dev(dev, port_dev)) {
956 ++ NL_SET_ERR_MSG(extack, "Device is already an upper device of the team interface");
957 ++ netdev_err(dev, "Device %s is already an upper device of the team interface\n",
958 ++ portname);
959 ++ return -EBUSY;
960 ++ }
961 ++
962 + if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
963 + vlan_uses_dev(dev)) {
964 + NL_SET_ERR_MSG(extack, "Device is VLAN challenged and team device has VLAN set up");
965 +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
966 +index a1f225f077cd..ef47c226e1d2 100644
967 +--- a/drivers/usb/core/driver.c
968 ++++ b/drivers/usb/core/driver.c
969 +@@ -1899,14 +1899,11 @@ int usb_runtime_idle(struct device *dev)
970 + return -EBUSY;
971 + }
972 +
973 +-int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable)
974 ++static int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable)
975 + {
976 + struct usb_hcd *hcd = bus_to_hcd(udev->bus);
977 + int ret = -EPERM;
978 +
979 +- if (enable && !udev->usb2_hw_lpm_allowed)
980 +- return 0;
981 +-
982 + if (hcd->driver->set_usb2_hw_lpm) {
983 + ret = hcd->driver->set_usb2_hw_lpm(hcd, udev, enable);
984 + if (!ret)
985 +@@ -1916,6 +1913,24 @@ int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable)
986 + return ret;
987 + }
988 +
989 ++int usb_enable_usb2_hardware_lpm(struct usb_device *udev)
990 ++{
991 ++ if (!udev->usb2_hw_lpm_capable ||
992 ++ !udev->usb2_hw_lpm_allowed ||
993 ++ udev->usb2_hw_lpm_enabled)
994 ++ return 0;
995 ++
996 ++ return usb_set_usb2_hardware_lpm(udev, 1);
997 ++}
998 ++
999 ++int usb_disable_usb2_hardware_lpm(struct usb_device *udev)
1000 ++{
1001 ++ if (!udev->usb2_hw_lpm_enabled)
1002 ++ return 0;
1003 ++
1004 ++ return usb_set_usb2_hardware_lpm(udev, 0);
1005 ++}
1006 ++
1007 + #endif /* CONFIG_PM */
1008 +
1009 + struct bus_type usb_bus_type = {
1010 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
1011 +index 3adff4da2ee1..bbcfa63d0233 100644
1012 +--- a/drivers/usb/core/hub.c
1013 ++++ b/drivers/usb/core/hub.c
1014 +@@ -3217,8 +3217,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
1015 + }
1016 +
1017 + /* disable USB2 hardware LPM */
1018 +- if (udev->usb2_hw_lpm_enabled == 1)
1019 +- usb_set_usb2_hardware_lpm(udev, 0);
1020 ++ usb_disable_usb2_hardware_lpm(udev);
1021 +
1022 + if (usb_disable_ltm(udev)) {
1023 + dev_err(&udev->dev, "Failed to disable LTM before suspend\n");
1024 +@@ -3256,8 +3255,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
1025 + usb_enable_ltm(udev);
1026 + err_ltm:
1027 + /* Try to enable USB2 hardware LPM again */
1028 +- if (udev->usb2_hw_lpm_capable == 1)
1029 +- usb_set_usb2_hardware_lpm(udev, 1);
1030 ++ usb_enable_usb2_hardware_lpm(udev);
1031 +
1032 + if (udev->do_remote_wakeup)
1033 + (void) usb_disable_remote_wakeup(udev);
1034 +@@ -3540,8 +3538,7 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg)
1035 + hub_port_logical_disconnect(hub, port1);
1036 + } else {
1037 + /* Try to enable USB2 hardware LPM */
1038 +- if (udev->usb2_hw_lpm_capable == 1)
1039 +- usb_set_usb2_hardware_lpm(udev, 1);
1040 ++ usb_enable_usb2_hardware_lpm(udev);
1041 +
1042 + /* Try to enable USB3 LTM */
1043 + usb_enable_ltm(udev);
1044 +@@ -4432,7 +4429,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev)
1045 + if ((udev->bos->ext_cap->bmAttributes & cpu_to_le32(USB_BESL_SUPPORT)) ||
1046 + connect_type == USB_PORT_CONNECT_TYPE_HARD_WIRED) {
1047 + udev->usb2_hw_lpm_allowed = 1;
1048 +- usb_set_usb2_hardware_lpm(udev, 1);
1049 ++ usb_enable_usb2_hardware_lpm(udev);
1050 + }
1051 + }
1052 +
1053 +@@ -5608,8 +5605,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev)
1054 + /* Disable USB2 hardware LPM.
1055 + * It will be re-enabled by the enumeration process.
1056 + */
1057 +- if (udev->usb2_hw_lpm_enabled == 1)
1058 +- usb_set_usb2_hardware_lpm(udev, 0);
1059 ++ usb_disable_usb2_hardware_lpm(udev);
1060 +
1061 + /* Disable LPM while we reset the device and reinstall the alt settings.
1062 + * Device-initiated LPM, and system exit latency settings are cleared
1063 +@@ -5712,7 +5708,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev)
1064 +
1065 + done:
1066 + /* Now that the alt settings are re-installed, enable LTM and LPM. */
1067 +- usb_set_usb2_hardware_lpm(udev, 1);
1068 ++ usb_enable_usb2_hardware_lpm(udev);
1069 + usb_unlocked_enable_lpm(udev);
1070 + usb_enable_ltm(udev);
1071 + usb_release_bos_descriptor(udev);
1072 +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
1073 +index bfa5eda0cc26..4f33eb632a88 100644
1074 +--- a/drivers/usb/core/message.c
1075 ++++ b/drivers/usb/core/message.c
1076 +@@ -1243,8 +1243,7 @@ void usb_disable_device(struct usb_device *dev, int skip_ep0)
1077 + dev->actconfig->interface[i] = NULL;
1078 + }
1079 +
1080 +- if (dev->usb2_hw_lpm_enabled == 1)
1081 +- usb_set_usb2_hardware_lpm(dev, 0);
1082 ++ usb_disable_usb2_hardware_lpm(dev);
1083 + usb_unlocked_disable_lpm(dev);
1084 + usb_disable_ltm(dev);
1085 +
1086 +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
1087 +index ea18284dfa9a..7e88fdfe3cf5 100644
1088 +--- a/drivers/usb/core/sysfs.c
1089 ++++ b/drivers/usb/core/sysfs.c
1090 +@@ -528,7 +528,10 @@ static ssize_t usb2_hardware_lpm_store(struct device *dev,
1091 +
1092 + if (!ret) {
1093 + udev->usb2_hw_lpm_allowed = value;
1094 +- ret = usb_set_usb2_hardware_lpm(udev, value);
1095 ++ if (value)
1096 ++ ret = usb_enable_usb2_hardware_lpm(udev);
1097 ++ else
1098 ++ ret = usb_disable_usb2_hardware_lpm(udev);
1099 + }
1100 +
1101 + usb_unlock_device(udev);
1102 +diff --git a/drivers/usb/core/usb.h b/drivers/usb/core/usb.h
1103 +index 546a2219454b..d95a5358f73d 100644
1104 +--- a/drivers/usb/core/usb.h
1105 ++++ b/drivers/usb/core/usb.h
1106 +@@ -92,7 +92,8 @@ extern int usb_remote_wakeup(struct usb_device *dev);
1107 + extern int usb_runtime_suspend(struct device *dev);
1108 + extern int usb_runtime_resume(struct device *dev);
1109 + extern int usb_runtime_idle(struct device *dev);
1110 +-extern int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable);
1111 ++extern int usb_enable_usb2_hardware_lpm(struct usb_device *udev);
1112 ++extern int usb_disable_usb2_hardware_lpm(struct usb_device *udev);
1113 +
1114 + #else
1115 +
1116 +@@ -112,7 +113,12 @@ static inline int usb_autoresume_device(struct usb_device *udev)
1117 + return 0;
1118 + }
1119 +
1120 +-static inline int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable)
1121 ++static inline int usb_enable_usb2_hardware_lpm(struct usb_device *udev)
1122 ++{
1123 ++ return 0;
1124 ++}
1125 ++
1126 ++static inline int usb_disable_usb2_hardware_lpm(struct usb_device *udev)
1127 + {
1128 + return 0;
1129 + }
1130 +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
1131 +index 64cbc2d007c9..c36275754086 100644
1132 +--- a/drivers/vfio/vfio_iommu_type1.c
1133 ++++ b/drivers/vfio/vfio_iommu_type1.c
1134 +@@ -58,12 +58,18 @@ module_param_named(disable_hugepages,
1135 + MODULE_PARM_DESC(disable_hugepages,
1136 + "Disable VFIO IOMMU support for IOMMU hugepages.");
1137 +
1138 ++static unsigned int dma_entry_limit __read_mostly = U16_MAX;
1139 ++module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644);
1140 ++MODULE_PARM_DESC(dma_entry_limit,
1141 ++ "Maximum number of user DMA mappings per container (65535).");
1142 ++
1143 + struct vfio_iommu {
1144 + struct list_head domain_list;
1145 + struct vfio_domain *external_domain; /* domain for external user */
1146 + struct mutex lock;
1147 + struct rb_root dma_list;
1148 + struct blocking_notifier_head notifier;
1149 ++ unsigned int dma_avail;
1150 + bool v2;
1151 + bool nesting;
1152 + };
1153 +@@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
1154 + vfio_unlink_dma(iommu, dma);
1155 + put_task_struct(dma->task);
1156 + kfree(dma);
1157 ++ iommu->dma_avail++;
1158 + }
1159 +
1160 + static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu)
1161 +@@ -1110,12 +1117,18 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
1162 + goto out_unlock;
1163 + }
1164 +
1165 ++ if (!iommu->dma_avail) {
1166 ++ ret = -ENOSPC;
1167 ++ goto out_unlock;
1168 ++ }
1169 ++
1170 + dma = kzalloc(sizeof(*dma), GFP_KERNEL);
1171 + if (!dma) {
1172 + ret = -ENOMEM;
1173 + goto out_unlock;
1174 + }
1175 +
1176 ++ iommu->dma_avail--;
1177 + dma->iova = iova;
1178 + dma->vaddr = vaddr;
1179 + dma->prot = prot;
1180 +@@ -1612,6 +1625,7 @@ static void *vfio_iommu_type1_open(unsigned long arg)
1181 +
1182 + INIT_LIST_HEAD(&iommu->domain_list);
1183 + iommu->dma_list = RB_ROOT;
1184 ++ iommu->dma_avail = dma_entry_limit;
1185 + mutex_init(&iommu->lock);
1186 + BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);
1187 +
1188 +diff --git a/fs/aio.c b/fs/aio.c
1189 +index 45d5ef8dd0a8..911e23087dfb 100644
1190 +--- a/fs/aio.c
1191 ++++ b/fs/aio.c
1192 +@@ -161,9 +161,13 @@ struct kioctx {
1193 + unsigned id;
1194 + };
1195 +
1196 ++/*
1197 ++ * First field must be the file pointer in all the
1198 ++ * iocb unions! See also 'struct kiocb' in <linux/fs.h>
1199 ++ */
1200 + struct fsync_iocb {
1201 +- struct work_struct work;
1202 + struct file *file;
1203 ++ struct work_struct work;
1204 + bool datasync;
1205 + };
1206 +
1207 +@@ -171,14 +175,21 @@ struct poll_iocb {
1208 + struct file *file;
1209 + struct wait_queue_head *head;
1210 + __poll_t events;
1211 +- bool woken;
1212 ++ bool done;
1213 + bool cancelled;
1214 + struct wait_queue_entry wait;
1215 + struct work_struct work;
1216 + };
1217 +
1218 ++/*
1219 ++ * NOTE! Each of the iocb union members has the file pointer
1220 ++ * as the first entry in their struct definition. So you can
1221 ++ * access the file pointer through any of the sub-structs,
1222 ++ * or directly as just 'ki_filp' in this struct.
1223 ++ */
1224 + struct aio_kiocb {
1225 + union {
1226 ++ struct file *ki_filp;
1227 + struct kiocb rw;
1228 + struct fsync_iocb fsync;
1229 + struct poll_iocb poll;
1230 +@@ -187,8 +198,7 @@ struct aio_kiocb {
1231 + struct kioctx *ki_ctx;
1232 + kiocb_cancel_fn *ki_cancel;
1233 +
1234 +- struct iocb __user *ki_user_iocb; /* user's aiocb */
1235 +- __u64 ki_user_data; /* user's data for completion */
1236 ++ struct io_event ki_res;
1237 +
1238 + struct list_head ki_list; /* the aio core uses this
1239 + * for cancellation */
1240 +@@ -902,7 +912,7 @@ static void put_reqs_available(struct kioctx *ctx, unsigned nr)
1241 + local_irq_restore(flags);
1242 + }
1243 +
1244 +-static bool get_reqs_available(struct kioctx *ctx)
1245 ++static bool __get_reqs_available(struct kioctx *ctx)
1246 + {
1247 + struct kioctx_cpu *kcpu;
1248 + bool ret = false;
1249 +@@ -994,32 +1004,35 @@ static void user_refill_reqs_available(struct kioctx *ctx)
1250 + spin_unlock_irq(&ctx->completion_lock);
1251 + }
1252 +
1253 ++static bool get_reqs_available(struct kioctx *ctx)
1254 ++{
1255 ++ if (__get_reqs_available(ctx))
1256 ++ return true;
1257 ++ user_refill_reqs_available(ctx);
1258 ++ return __get_reqs_available(ctx);
1259 ++}
1260 ++
1261 + /* aio_get_req
1262 + * Allocate a slot for an aio request.
1263 + * Returns NULL if no requests are free.
1264 ++ *
1265 ++ * The refcount is initialized to 2 - one for the async op completion,
1266 ++ * one for the synchronous code that does this.
1267 + */
1268 + static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx)
1269 + {
1270 + struct aio_kiocb *req;
1271 +
1272 +- if (!get_reqs_available(ctx)) {
1273 +- user_refill_reqs_available(ctx);
1274 +- if (!get_reqs_available(ctx))
1275 +- return NULL;
1276 +- }
1277 +-
1278 +- req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL|__GFP_ZERO);
1279 ++ req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL);
1280 + if (unlikely(!req))
1281 +- goto out_put;
1282 ++ return NULL;
1283 +
1284 + percpu_ref_get(&ctx->reqs);
1285 +- INIT_LIST_HEAD(&req->ki_list);
1286 +- refcount_set(&req->ki_refcnt, 0);
1287 + req->ki_ctx = ctx;
1288 ++ INIT_LIST_HEAD(&req->ki_list);
1289 ++ refcount_set(&req->ki_refcnt, 2);
1290 ++ req->ki_eventfd = NULL;
1291 + return req;
1292 +-out_put:
1293 +- put_reqs_available(ctx, 1);
1294 +- return NULL;
1295 + }
1296 +
1297 + static struct kioctx *lookup_ioctx(unsigned long ctx_id)
1298 +@@ -1050,19 +1063,18 @@ out:
1299 + return ret;
1300 + }
1301 +
1302 +-static inline void iocb_put(struct aio_kiocb *iocb)
1303 ++static inline void iocb_destroy(struct aio_kiocb *iocb)
1304 + {
1305 +- if (refcount_read(&iocb->ki_refcnt) == 0 ||
1306 +- refcount_dec_and_test(&iocb->ki_refcnt)) {
1307 +- percpu_ref_put(&iocb->ki_ctx->reqs);
1308 +- kmem_cache_free(kiocb_cachep, iocb);
1309 +- }
1310 ++ if (iocb->ki_filp)
1311 ++ fput(iocb->ki_filp);
1312 ++ percpu_ref_put(&iocb->ki_ctx->reqs);
1313 ++ kmem_cache_free(kiocb_cachep, iocb);
1314 + }
1315 +
1316 + /* aio_complete
1317 + * Called when the io request on the given iocb is complete.
1318 + */
1319 +-static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
1320 ++static void aio_complete(struct aio_kiocb *iocb)
1321 + {
1322 + struct kioctx *ctx = iocb->ki_ctx;
1323 + struct aio_ring *ring;
1324 +@@ -1086,17 +1098,14 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
1325 + ev_page = kmap_atomic(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
1326 + event = ev_page + pos % AIO_EVENTS_PER_PAGE;
1327 +
1328 +- event->obj = (u64)(unsigned long)iocb->ki_user_iocb;
1329 +- event->data = iocb->ki_user_data;
1330 +- event->res = res;
1331 +- event->res2 = res2;
1332 ++ *event = iocb->ki_res;
1333 +
1334 + kunmap_atomic(ev_page);
1335 + flush_dcache_page(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]);
1336 +
1337 +- pr_debug("%p[%u]: %p: %p %Lx %lx %lx\n",
1338 +- ctx, tail, iocb, iocb->ki_user_iocb, iocb->ki_user_data,
1339 +- res, res2);
1340 ++ pr_debug("%p[%u]: %p: %p %Lx %Lx %Lx\n", ctx, tail, iocb,
1341 ++ (void __user *)(unsigned long)iocb->ki_res.obj,
1342 ++ iocb->ki_res.data, iocb->ki_res.res, iocb->ki_res.res2);
1343 +
1344 + /* after flagging the request as done, we
1345 + * must never even look at it again
1346 +@@ -1138,7 +1147,14 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2)
1347 +
1348 + if (waitqueue_active(&ctx->wait))
1349 + wake_up(&ctx->wait);
1350 +- iocb_put(iocb);
1351 ++}
1352 ++
1353 ++static inline void iocb_put(struct aio_kiocb *iocb)
1354 ++{
1355 ++ if (refcount_dec_and_test(&iocb->ki_refcnt)) {
1356 ++ aio_complete(iocb);
1357 ++ iocb_destroy(iocb);
1358 ++ }
1359 + }
1360 +
1361 + /* aio_read_events_ring
1362 +@@ -1412,18 +1428,17 @@ static void aio_complete_rw(struct kiocb *kiocb, long res, long res2)
1363 + file_end_write(kiocb->ki_filp);
1364 + }
1365 +
1366 +- fput(kiocb->ki_filp);
1367 +- aio_complete(iocb, res, res2);
1368 ++ iocb->ki_res.res = res;
1369 ++ iocb->ki_res.res2 = res2;
1370 ++ iocb_put(iocb);
1371 + }
1372 +
1373 +-static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)
1374 ++static int aio_prep_rw(struct kiocb *req, const struct iocb *iocb)
1375 + {
1376 + int ret;
1377 +
1378 +- req->ki_filp = fget(iocb->aio_fildes);
1379 +- if (unlikely(!req->ki_filp))
1380 +- return -EBADF;
1381 + req->ki_complete = aio_complete_rw;
1382 ++ req->private = NULL;
1383 + req->ki_pos = iocb->aio_offset;
1384 + req->ki_flags = iocb_flags(req->ki_filp);
1385 + if (iocb->aio_flags & IOCB_FLAG_RESFD)
1386 +@@ -1438,7 +1453,6 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)
1387 + ret = ioprio_check_cap(iocb->aio_reqprio);
1388 + if (ret) {
1389 + pr_debug("aio ioprio check cap error: %d\n", ret);
1390 +- fput(req->ki_filp);
1391 + return ret;
1392 + }
1393 +
1394 +@@ -1448,11 +1462,13 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb)
1395 +
1396 + ret = kiocb_set_rw_flags(req, iocb->aio_rw_flags);
1397 + if (unlikely(ret))
1398 +- fput(req->ki_filp);
1399 +- return ret;
1400 ++ return ret;
1401 ++
1402 ++ req->ki_flags &= ~IOCB_HIPRI; /* no one is going to poll for this I/O */
1403 ++ return 0;
1404 + }
1405 +
1406 +-static int aio_setup_rw(int rw, struct iocb *iocb, struct iovec **iovec,
1407 ++static int aio_setup_rw(int rw, const struct iocb *iocb, struct iovec **iovec,
1408 + bool vectored, bool compat, struct iov_iter *iter)
1409 + {
1410 + void __user *buf = (void __user *)(uintptr_t)iocb->aio_buf;
1411 +@@ -1487,12 +1503,12 @@ static inline void aio_rw_done(struct kiocb *req, ssize_t ret)
1412 + ret = -EINTR;
1413 + /*FALLTHRU*/
1414 + default:
1415 +- aio_complete_rw(req, ret, 0);
1416 ++ req->ki_complete(req, ret, 0);
1417 + }
1418 + }
1419 +
1420 +-static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored,
1421 +- bool compat)
1422 ++static ssize_t aio_read(struct kiocb *req, const struct iocb *iocb,
1423 ++ bool vectored, bool compat)
1424 + {
1425 + struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1426 + struct iov_iter iter;
1427 +@@ -1503,29 +1519,24 @@ static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored,
1428 + if (ret)
1429 + return ret;
1430 + file = req->ki_filp;
1431 +-
1432 +- ret = -EBADF;
1433 + if (unlikely(!(file->f_mode & FMODE_READ)))
1434 +- goto out_fput;
1435 ++ return -EBADF;
1436 + ret = -EINVAL;
1437 + if (unlikely(!file->f_op->read_iter))
1438 +- goto out_fput;
1439 ++ return -EINVAL;
1440 +
1441 + ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter);
1442 + if (ret)
1443 +- goto out_fput;
1444 ++ return ret;
1445 + ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter));
1446 + if (!ret)
1447 + aio_rw_done(req, call_read_iter(file, req, &iter));
1448 + kfree(iovec);
1449 +-out_fput:
1450 +- if (unlikely(ret))
1451 +- fput(file);
1452 + return ret;
1453 + }
1454 +
1455 +-static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored,
1456 +- bool compat)
1457 ++static ssize_t aio_write(struct kiocb *req, const struct iocb *iocb,
1458 ++ bool vectored, bool compat)
1459 + {
1460 + struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
1461 + struct iov_iter iter;
1462 +@@ -1537,16 +1548,14 @@ static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored,
1463 + return ret;
1464 + file = req->ki_filp;
1465 +
1466 +- ret = -EBADF;
1467 + if (unlikely(!(file->f_mode & FMODE_WRITE)))
1468 +- goto out_fput;
1469 +- ret = -EINVAL;
1470 ++ return -EBADF;
1471 + if (unlikely(!file->f_op->write_iter))
1472 +- goto out_fput;
1473 ++ return -EINVAL;
1474 +
1475 + ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter);
1476 + if (ret)
1477 +- goto out_fput;
1478 ++ return ret;
1479 + ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter));
1480 + if (!ret) {
1481 + /*
1482 +@@ -1564,35 +1573,26 @@ static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored,
1483 + aio_rw_done(req, call_write_iter(file, req, &iter));
1484 + }
1485 + kfree(iovec);
1486 +-out_fput:
1487 +- if (unlikely(ret))
1488 +- fput(file);
1489 + return ret;
1490 + }
1491 +
1492 + static void aio_fsync_work(struct work_struct *work)
1493 + {
1494 +- struct fsync_iocb *req = container_of(work, struct fsync_iocb, work);
1495 +- int ret;
1496 ++ struct aio_kiocb *iocb = container_of(work, struct aio_kiocb, fsync.work);
1497 +
1498 +- ret = vfs_fsync(req->file, req->datasync);
1499 +- fput(req->file);
1500 +- aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0);
1501 ++ iocb->ki_res.res = vfs_fsync(iocb->fsync.file, iocb->fsync.datasync);
1502 ++ iocb_put(iocb);
1503 + }
1504 +
1505 +-static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync)
1506 ++static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
1507 ++ bool datasync)
1508 + {
1509 + if (unlikely(iocb->aio_buf || iocb->aio_offset || iocb->aio_nbytes ||
1510 + iocb->aio_rw_flags))
1511 + return -EINVAL;
1512 +
1513 +- req->file = fget(iocb->aio_fildes);
1514 +- if (unlikely(!req->file))
1515 +- return -EBADF;
1516 +- if (unlikely(!req->file->f_op->fsync)) {
1517 +- fput(req->file);
1518 ++ if (unlikely(!req->file->f_op->fsync))
1519 + return -EINVAL;
1520 +- }
1521 +
1522 + req->datasync = datasync;
1523 + INIT_WORK(&req->work, aio_fsync_work);
1524 +@@ -1600,14 +1600,6 @@ static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync)
1525 + return 0;
1526 + }
1527 +
1528 +-static inline void aio_poll_complete(struct aio_kiocb *iocb, __poll_t mask)
1529 +-{
1530 +- struct file *file = iocb->poll.file;
1531 +-
1532 +- aio_complete(iocb, mangle_poll(mask), 0);
1533 +- fput(file);
1534 +-}
1535 +-
1536 + static void aio_poll_complete_work(struct work_struct *work)
1537 + {
1538 + struct poll_iocb *req = container_of(work, struct poll_iocb, work);
1539 +@@ -1633,9 +1625,11 @@ static void aio_poll_complete_work(struct work_struct *work)
1540 + return;
1541 + }
1542 + list_del_init(&iocb->ki_list);
1543 ++ iocb->ki_res.res = mangle_poll(mask);
1544 ++ req->done = true;
1545 + spin_unlock_irq(&ctx->ctx_lock);
1546 +
1547 +- aio_poll_complete(iocb, mask);
1548 ++ iocb_put(iocb);
1549 + }
1550 +
1551 + /* assumes we are called with irqs disabled */
1552 +@@ -1663,31 +1657,27 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
1553 + __poll_t mask = key_to_poll(key);
1554 + unsigned long flags;
1555 +
1556 +- req->woken = true;
1557 +-
1558 + /* for instances that support it check for an event match first: */
1559 +- if (mask) {
1560 +- if (!(mask & req->events))
1561 +- return 0;
1562 ++ if (mask && !(mask & req->events))
1563 ++ return 0;
1564 ++
1565 ++ list_del_init(&req->wait.entry);
1566 +
1567 ++ if (mask && spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) {
1568 + /*
1569 + * Try to complete the iocb inline if we can. Use
1570 + * irqsave/irqrestore because not all filesystems (e.g. fuse)
1571 + * call this function with IRQs disabled and because IRQs
1572 + * have to be disabled before ctx_lock is obtained.
1573 + */
1574 +- if (spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) {
1575 +- list_del(&iocb->ki_list);
1576 +- spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags);
1577 +-
1578 +- list_del_init(&req->wait.entry);
1579 +- aio_poll_complete(iocb, mask);
1580 +- return 1;
1581 +- }
1582 ++ list_del(&iocb->ki_list);
1583 ++ iocb->ki_res.res = mangle_poll(mask);
1584 ++ req->done = true;
1585 ++ spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags);
1586 ++ iocb_put(iocb);
1587 ++ } else {
1588 ++ schedule_work(&req->work);
1589 + }
1590 +-
1591 +- list_del_init(&req->wait.entry);
1592 +- schedule_work(&req->work);
1593 + return 1;
1594 + }
1595 +
1596 +@@ -1714,11 +1704,12 @@ aio_poll_queue_proc(struct file *file, struct wait_queue_head *head,
1597 + add_wait_queue(head, &pt->iocb->poll.wait);
1598 + }
1599 +
1600 +-static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb)
1601 ++static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
1602 + {
1603 + struct kioctx *ctx = aiocb->ki_ctx;
1604 + struct poll_iocb *req = &aiocb->poll;
1605 + struct aio_poll_table apt;
1606 ++ bool cancel = false;
1607 + __poll_t mask;
1608 +
1609 + /* reject any unknown events outside the normal event mask. */
1610 +@@ -1730,9 +1721,10 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb)
1611 +
1612 + INIT_WORK(&req->work, aio_poll_complete_work);
1613 + req->events = demangle_poll(iocb->aio_buf) | EPOLLERR | EPOLLHUP;
1614 +- req->file = fget(iocb->aio_fildes);
1615 +- if (unlikely(!req->file))
1616 +- return -EBADF;
1617 ++
1618 ++ req->head = NULL;
1619 ++ req->done = false;
1620 ++ req->cancelled = false;
1621 +
1622 + apt.pt._qproc = aio_poll_queue_proc;
1623 + apt.pt._key = req->events;
1624 +@@ -1743,83 +1735,79 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb)
1625 + INIT_LIST_HEAD(&req->wait.entry);
1626 + init_waitqueue_func_entry(&req->wait, aio_poll_wake);
1627 +
1628 +- /* one for removal from waitqueue, one for this function */
1629 +- refcount_set(&aiocb->ki_refcnt, 2);
1630 +-
1631 + mask = vfs_poll(req->file, &apt.pt) & req->events;
1632 +- if (unlikely(!req->head)) {
1633 +- /* we did not manage to set up a waitqueue, done */
1634 +- goto out;
1635 +- }
1636 +-
1637 + spin_lock_irq(&ctx->ctx_lock);
1638 +- spin_lock(&req->head->lock);
1639 +- if (req->woken) {
1640 +- /* wake_up context handles the rest */
1641 +- mask = 0;
1642 ++ if (likely(req->head)) {
1643 ++ spin_lock(&req->head->lock);
1644 ++ if (unlikely(list_empty(&req->wait.entry))) {
1645 ++ if (apt.error)
1646 ++ cancel = true;
1647 ++ apt.error = 0;
1648 ++ mask = 0;
1649 ++ }
1650 ++ if (mask || apt.error) {
1651 ++ list_del_init(&req->wait.entry);
1652 ++ } else if (cancel) {
1653 ++ WRITE_ONCE(req->cancelled, true);
1654 ++ } else if (!req->done) { /* actually waiting for an event */
1655 ++ list_add_tail(&aiocb->ki_list, &ctx->active_reqs);
1656 ++ aiocb->ki_cancel = aio_poll_cancel;
1657 ++ }
1658 ++ spin_unlock(&req->head->lock);
1659 ++ }
1660 ++ if (mask) { /* no async, we'd stolen it */
1661 ++ aiocb->ki_res.res = mangle_poll(mask);
1662 + apt.error = 0;
1663 +- } else if (mask || apt.error) {
1664 +- /* if we get an error or a mask we are done */
1665 +- WARN_ON_ONCE(list_empty(&req->wait.entry));
1666 +- list_del_init(&req->wait.entry);
1667 +- } else {
1668 +- /* actually waiting for an event */
1669 +- list_add_tail(&aiocb->ki_list, &ctx->active_reqs);
1670 +- aiocb->ki_cancel = aio_poll_cancel;
1671 + }
1672 +- spin_unlock(&req->head->lock);
1673 + spin_unlock_irq(&ctx->ctx_lock);
1674 +-
1675 +-out:
1676 +- if (unlikely(apt.error)) {
1677 +- fput(req->file);
1678 +- return apt.error;
1679 +- }
1680 +-
1681 + if (mask)
1682 +- aio_poll_complete(aiocb, mask);
1683 +- iocb_put(aiocb);
1684 +- return 0;
1685 ++ iocb_put(aiocb);
1686 ++ return apt.error;
1687 + }
1688 +
1689 +-static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
1690 +- bool compat)
1691 ++static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb,
1692 ++ struct iocb __user *user_iocb, bool compat)
1693 + {
1694 + struct aio_kiocb *req;
1695 +- struct iocb iocb;
1696 + ssize_t ret;
1697 +
1698 +- if (unlikely(copy_from_user(&iocb, user_iocb, sizeof(iocb))))
1699 +- return -EFAULT;
1700 +-
1701 + /* enforce forwards compatibility on users */
1702 +- if (unlikely(iocb.aio_reserved2)) {
1703 ++ if (unlikely(iocb->aio_reserved2)) {
1704 + pr_debug("EINVAL: reserve field set\n");
1705 + return -EINVAL;
1706 + }
1707 +
1708 + /* prevent overflows */
1709 + if (unlikely(
1710 +- (iocb.aio_buf != (unsigned long)iocb.aio_buf) ||
1711 +- (iocb.aio_nbytes != (size_t)iocb.aio_nbytes) ||
1712 +- ((ssize_t)iocb.aio_nbytes < 0)
1713 ++ (iocb->aio_buf != (unsigned long)iocb->aio_buf) ||
1714 ++ (iocb->aio_nbytes != (size_t)iocb->aio_nbytes) ||
1715 ++ ((ssize_t)iocb->aio_nbytes < 0)
1716 + )) {
1717 + pr_debug("EINVAL: overflow check\n");
1718 + return -EINVAL;
1719 + }
1720 +
1721 ++ if (!get_reqs_available(ctx))
1722 ++ return -EAGAIN;
1723 ++
1724 ++ ret = -EAGAIN;
1725 + req = aio_get_req(ctx);
1726 + if (unlikely(!req))
1727 +- return -EAGAIN;
1728 ++ goto out_put_reqs_available;
1729 ++
1730 ++ req->ki_filp = fget(iocb->aio_fildes);
1731 ++ ret = -EBADF;
1732 ++ if (unlikely(!req->ki_filp))
1733 ++ goto out_put_req;
1734 +
1735 +- if (iocb.aio_flags & IOCB_FLAG_RESFD) {
1736 ++ if (iocb->aio_flags & IOCB_FLAG_RESFD) {
1737 + /*
1738 + * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an
1739 + * instance of the file* now. The file descriptor must be
1740 + * an eventfd() fd, and will be signaled for each completed
1741 + * event using the eventfd_signal() function.
1742 + */
1743 +- req->ki_eventfd = eventfd_ctx_fdget((int) iocb.aio_resfd);
1744 ++ req->ki_eventfd = eventfd_ctx_fdget((int) iocb->aio_resfd);
1745 + if (IS_ERR(req->ki_eventfd)) {
1746 + ret = PTR_ERR(req->ki_eventfd);
1747 + req->ki_eventfd = NULL;
1748 +@@ -1833,54 +1821,70 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
1749 + goto out_put_req;
1750 + }
1751 +
1752 +- req->ki_user_iocb = user_iocb;
1753 +- req->ki_user_data = iocb.aio_data;
1754 ++ req->ki_res.obj = (u64)(unsigned long)user_iocb;
1755 ++ req->ki_res.data = iocb->aio_data;
1756 ++ req->ki_res.res = 0;
1757 ++ req->ki_res.res2 = 0;
1758 +
1759 +- switch (iocb.aio_lio_opcode) {
1760 ++ switch (iocb->aio_lio_opcode) {
1761 + case IOCB_CMD_PREAD:
1762 +- ret = aio_read(&req->rw, &iocb, false, compat);
1763 ++ ret = aio_read(&req->rw, iocb, false, compat);
1764 + break;
1765 + case IOCB_CMD_PWRITE:
1766 +- ret = aio_write(&req->rw, &iocb, false, compat);
1767 ++ ret = aio_write(&req->rw, iocb, false, compat);
1768 + break;
1769 + case IOCB_CMD_PREADV:
1770 +- ret = aio_read(&req->rw, &iocb, true, compat);
1771 ++ ret = aio_read(&req->rw, iocb, true, compat);
1772 + break;
1773 + case IOCB_CMD_PWRITEV:
1774 +- ret = aio_write(&req->rw, &iocb, true, compat);
1775 ++ ret = aio_write(&req->rw, iocb, true, compat);
1776 + break;
1777 + case IOCB_CMD_FSYNC:
1778 +- ret = aio_fsync(&req->fsync, &iocb, false);
1779 ++ ret = aio_fsync(&req->fsync, iocb, false);
1780 + break;
1781 + case IOCB_CMD_FDSYNC:
1782 +- ret = aio_fsync(&req->fsync, &iocb, true);
1783 ++ ret = aio_fsync(&req->fsync, iocb, true);
1784 + break;
1785 + case IOCB_CMD_POLL:
1786 +- ret = aio_poll(req, &iocb);
1787 ++ ret = aio_poll(req, iocb);
1788 + break;
1789 + default:
1790 +- pr_debug("invalid aio operation %d\n", iocb.aio_lio_opcode);
1791 ++ pr_debug("invalid aio operation %d\n", iocb->aio_lio_opcode);
1792 + ret = -EINVAL;
1793 + break;
1794 + }
1795 +
1796 ++ /* Done with the synchronous reference */
1797 ++ iocb_put(req);
1798 ++
1799 + /*
1800 + * If ret is 0, we'd either done aio_complete() ourselves or have
1801 + * arranged for that to be done asynchronously. Anything non-zero
1802 + * means that we need to destroy req ourselves.
1803 + */
1804 +- if (ret)
1805 +- goto out_put_req;
1806 +- return 0;
1807 ++ if (!ret)
1808 ++ return 0;
1809 ++
1810 + out_put_req:
1811 +- put_reqs_available(ctx, 1);
1812 +- percpu_ref_put(&ctx->reqs);
1813 + if (req->ki_eventfd)
1814 + eventfd_ctx_put(req->ki_eventfd);
1815 +- kmem_cache_free(kiocb_cachep, req);
1816 ++ iocb_destroy(req);
1817 ++out_put_reqs_available:
1818 ++ put_reqs_available(ctx, 1);
1819 + return ret;
1820 + }
1821 +
1822 ++static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
1823 ++ bool compat)
1824 ++{
1825 ++ struct iocb iocb;
1826 ++
1827 ++ if (unlikely(copy_from_user(&iocb, user_iocb, sizeof(iocb))))
1828 ++ return -EFAULT;
1829 ++
1830 ++ return __io_submit_one(ctx, &iocb, user_iocb, compat);
1831 ++}
1832 ++
1833 + /* sys_io_submit:
1834 + * Queue the nr iocbs pointed to by iocbpp for processing. Returns
1835 + * the number of iocbs queued. May return -EINVAL if the aio_context
1836 +@@ -1973,24 +1977,6 @@ COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id,
1837 + }
1838 + #endif
1839 +
1840 +-/* lookup_kiocb
1841 +- * Finds a given iocb for cancellation.
1842 +- */
1843 +-static struct aio_kiocb *
1844 +-lookup_kiocb(struct kioctx *ctx, struct iocb __user *iocb)
1845 +-{
1846 +- struct aio_kiocb *kiocb;
1847 +-
1848 +- assert_spin_locked(&ctx->ctx_lock);
1849 +-
1850 +- /* TODO: use a hash or array, this sucks. */
1851 +- list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) {
1852 +- if (kiocb->ki_user_iocb == iocb)
1853 +- return kiocb;
1854 +- }
1855 +- return NULL;
1856 +-}
1857 +-
1858 + /* sys_io_cancel:
1859 + * Attempts to cancel an iocb previously passed to io_submit. If
1860 + * the operation is successfully cancelled, the resulting event is
1861 +@@ -2008,6 +1994,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
1862 + struct aio_kiocb *kiocb;
1863 + int ret = -EINVAL;
1864 + u32 key;
1865 ++ u64 obj = (u64)(unsigned long)iocb;
1866 +
1867 + if (unlikely(get_user(key, &iocb->aio_key)))
1868 + return -EFAULT;
1869 +@@ -2019,10 +2006,13 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
1870 + return -EINVAL;
1871 +
1872 + spin_lock_irq(&ctx->ctx_lock);
1873 +- kiocb = lookup_kiocb(ctx, iocb);
1874 +- if (kiocb) {
1875 +- ret = kiocb->ki_cancel(&kiocb->rw);
1876 +- list_del_init(&kiocb->ki_list);
1877 ++ /* TODO: use a hash or array, this sucks. */
1878 ++ list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) {
1879 ++ if (kiocb->ki_res.obj == obj) {
1880 ++ ret = kiocb->ki_cancel(&kiocb->rw);
1881 ++ list_del_init(&kiocb->ki_list);
1882 ++ break;
1883 ++ }
1884 + }
1885 + spin_unlock_irq(&ctx->ctx_lock);
1886 +
1887 +diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
1888 +index 82928cea0209..7f3f64ba464f 100644
1889 +--- a/fs/ceph/dir.c
1890 ++++ b/fs/ceph/dir.c
1891 +@@ -1470,6 +1470,7 @@ void ceph_dentry_lru_del(struct dentry *dn)
1892 + unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
1893 + {
1894 + struct ceph_inode_info *dci = ceph_inode(dir);
1895 ++ unsigned hash;
1896 +
1897 + switch (dci->i_dir_layout.dl_dir_hash) {
1898 + case 0: /* for backward compat */
1899 +@@ -1477,8 +1478,11 @@ unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn)
1900 + return dn->d_name.hash;
1901 +
1902 + default:
1903 +- return ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
1904 ++ spin_lock(&dn->d_lock);
1905 ++ hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash,
1906 + dn->d_name.name, dn->d_name.len);
1907 ++ spin_unlock(&dn->d_lock);
1908 ++ return hash;
1909 + }
1910 + }
1911 +
1912 +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
1913 +index bc43c822426a..bfcf11c70bfa 100644
1914 +--- a/fs/ceph/mds_client.c
1915 ++++ b/fs/ceph/mds_client.c
1916 +@@ -1290,6 +1290,15 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap,
1917 + list_add(&ci->i_prealloc_cap_flush->i_list, &to_remove);
1918 + ci->i_prealloc_cap_flush = NULL;
1919 + }
1920 ++
1921 ++ if (drop &&
1922 ++ ci->i_wrbuffer_ref_head == 0 &&
1923 ++ ci->i_wr_ref == 0 &&
1924 ++ ci->i_dirty_caps == 0 &&
1925 ++ ci->i_flushing_caps == 0) {
1926 ++ ceph_put_snap_context(ci->i_head_snapc);
1927 ++ ci->i_head_snapc = NULL;
1928 ++ }
1929 + }
1930 + spin_unlock(&ci->i_ceph_lock);
1931 + while (!list_empty(&to_remove)) {
1932 +@@ -1945,10 +1954,39 @@ retry:
1933 + return path;
1934 + }
1935 +
1936 ++/* Duplicate the dentry->d_name.name safely */
1937 ++static int clone_dentry_name(struct dentry *dentry, const char **ppath,
1938 ++ int *ppathlen)
1939 ++{
1940 ++ u32 len;
1941 ++ char *name;
1942 ++
1943 ++retry:
1944 ++ len = READ_ONCE(dentry->d_name.len);
1945 ++ name = kmalloc(len + 1, GFP_NOFS);
1946 ++ if (!name)
1947 ++ return -ENOMEM;
1948 ++
1949 ++ spin_lock(&dentry->d_lock);
1950 ++ if (dentry->d_name.len != len) {
1951 ++ spin_unlock(&dentry->d_lock);
1952 ++ kfree(name);
1953 ++ goto retry;
1954 ++ }
1955 ++ memcpy(name, dentry->d_name.name, len);
1956 ++ spin_unlock(&dentry->d_lock);
1957 ++
1958 ++ name[len] = '\0';
1959 ++ *ppath = name;
1960 ++ *ppathlen = len;
1961 ++ return 0;
1962 ++}
1963 ++
1964 + static int build_dentry_path(struct dentry *dentry, struct inode *dir,
1965 + const char **ppath, int *ppathlen, u64 *pino,
1966 +- int *pfreepath)
1967 ++ bool *pfreepath, bool parent_locked)
1968 + {
1969 ++ int ret;
1970 + char *path;
1971 +
1972 + rcu_read_lock();
1973 +@@ -1957,8 +1995,15 @@ static int build_dentry_path(struct dentry *dentry, struct inode *dir,
1974 + if (dir && ceph_snap(dir) == CEPH_NOSNAP) {
1975 + *pino = ceph_ino(dir);
1976 + rcu_read_unlock();
1977 +- *ppath = dentry->d_name.name;
1978 +- *ppathlen = dentry->d_name.len;
1979 ++ if (parent_locked) {
1980 ++ *ppath = dentry->d_name.name;
1981 ++ *ppathlen = dentry->d_name.len;
1982 ++ } else {
1983 ++ ret = clone_dentry_name(dentry, ppath, ppathlen);
1984 ++ if (ret)
1985 ++ return ret;
1986 ++ *pfreepath = true;
1987 ++ }
1988 + return 0;
1989 + }
1990 + rcu_read_unlock();
1991 +@@ -1966,13 +2011,13 @@ static int build_dentry_path(struct dentry *dentry, struct inode *dir,
1992 + if (IS_ERR(path))
1993 + return PTR_ERR(path);
1994 + *ppath = path;
1995 +- *pfreepath = 1;
1996 ++ *pfreepath = true;
1997 + return 0;
1998 + }
1999 +
2000 + static int build_inode_path(struct inode *inode,
2001 + const char **ppath, int *ppathlen, u64 *pino,
2002 +- int *pfreepath)
2003 ++ bool *pfreepath)
2004 + {
2005 + struct dentry *dentry;
2006 + char *path;
2007 +@@ -1988,7 +2033,7 @@ static int build_inode_path(struct inode *inode,
2008 + if (IS_ERR(path))
2009 + return PTR_ERR(path);
2010 + *ppath = path;
2011 +- *pfreepath = 1;
2012 ++ *pfreepath = true;
2013 + return 0;
2014 + }
2015 +
2016 +@@ -1999,7 +2044,7 @@ static int build_inode_path(struct inode *inode,
2017 + static int set_request_path_attr(struct inode *rinode, struct dentry *rdentry,
2018 + struct inode *rdiri, const char *rpath,
2019 + u64 rino, const char **ppath, int *pathlen,
2020 +- u64 *ino, int *freepath)
2021 ++ u64 *ino, bool *freepath, bool parent_locked)
2022 + {
2023 + int r = 0;
2024 +
2025 +@@ -2009,7 +2054,7 @@ static int set_request_path_attr(struct inode *rinode, struct dentry *rdentry,
2026 + ceph_snap(rinode));
2027 + } else if (rdentry) {
2028 + r = build_dentry_path(rdentry, rdiri, ppath, pathlen, ino,
2029 +- freepath);
2030 ++ freepath, parent_locked);
2031 + dout(" dentry %p %llx/%.*s\n", rdentry, *ino, *pathlen,
2032 + *ppath);
2033 + } else if (rpath || rino) {
2034 +@@ -2035,7 +2080,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
2035 + const char *path2 = NULL;
2036 + u64 ino1 = 0, ino2 = 0;
2037 + int pathlen1 = 0, pathlen2 = 0;
2038 +- int freepath1 = 0, freepath2 = 0;
2039 ++ bool freepath1 = false, freepath2 = false;
2040 + int len;
2041 + u16 releases;
2042 + void *p, *end;
2043 +@@ -2043,16 +2088,19 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
2044 +
2045 + ret = set_request_path_attr(req->r_inode, req->r_dentry,
2046 + req->r_parent, req->r_path1, req->r_ino1.ino,
2047 +- &path1, &pathlen1, &ino1, &freepath1);
2048 ++ &path1, &pathlen1, &ino1, &freepath1,
2049 ++ test_bit(CEPH_MDS_R_PARENT_LOCKED,
2050 ++ &req->r_req_flags));
2051 + if (ret < 0) {
2052 + msg = ERR_PTR(ret);
2053 + goto out;
2054 + }
2055 +
2056 ++ /* If r_old_dentry is set, then assume that its parent is locked */
2057 + ret = set_request_path_attr(NULL, req->r_old_dentry,
2058 + req->r_old_dentry_dir,
2059 + req->r_path2, req->r_ino2.ino,
2060 +- &path2, &pathlen2, &ino2, &freepath2);
2061 ++ &path2, &pathlen2, &ino2, &freepath2, true);
2062 + if (ret < 0) {
2063 + msg = ERR_PTR(ret);
2064 + goto out_free1;
2065 +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
2066 +index f74193da0e09..1f46b02f7314 100644
2067 +--- a/fs/ceph/snap.c
2068 ++++ b/fs/ceph/snap.c
2069 +@@ -568,7 +568,12 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
2070 + old_snapc = NULL;
2071 +
2072 + update_snapc:
2073 +- if (ci->i_head_snapc) {
2074 ++ if (ci->i_wrbuffer_ref_head == 0 &&
2075 ++ ci->i_wr_ref == 0 &&
2076 ++ ci->i_dirty_caps == 0 &&
2077 ++ ci->i_flushing_caps == 0) {
2078 ++ ci->i_head_snapc = NULL;
2079 ++ } else {
2080 + ci->i_head_snapc = ceph_get_snap_context(new_snapc);
2081 + dout(" new snapc is %p\n", new_snapc);
2082 + }
2083 +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
2084 +index b59ebed4f615..1fadd314ae7f 100644
2085 +--- a/fs/cifs/inode.c
2086 ++++ b/fs/cifs/inode.c
2087 +@@ -1735,6 +1735,10 @@ cifs_do_rename(const unsigned int xid, struct dentry *from_dentry,
2088 + if (rc == 0 || rc != -EBUSY)
2089 + goto do_rename_exit;
2090 +
2091 ++ /* Don't fall back to using SMB on SMB 2+ mount */
2092 ++ if (server->vals->protocol_id != 0)
2093 ++ goto do_rename_exit;
2094 ++
2095 + /* open-file renames don't work across directories */
2096 + if (to_dentry->d_parent != from_dentry->d_parent)
2097 + goto do_rename_exit;
2098 +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
2099 +index c6fd3acc5560..33afb637e6f8 100644
2100 +--- a/fs/cifs/smb2pdu.c
2101 ++++ b/fs/cifs/smb2pdu.c
2102 +@@ -3285,6 +3285,7 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms,
2103 + rc);
2104 + }
2105 + free_rsp_buf(resp_buftype, rsp_iov.iov_base);
2106 ++ cifs_small_buf_release(req);
2107 + return rc == -ENODATA ? 0 : rc;
2108 + } else
2109 + trace_smb3_read_done(xid, req->PersistentFileId,
2110 +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
2111 +index c0ba5206cd9d..006c277dc22e 100644
2112 +--- a/fs/ext4/xattr.c
2113 ++++ b/fs/ext4/xattr.c
2114 +@@ -829,6 +829,7 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage)
2115 + bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
2116 + if (IS_ERR(bh)) {
2117 + ret = PTR_ERR(bh);
2118 ++ bh = NULL;
2119 + goto out;
2120 + }
2121 +
2122 +@@ -2907,6 +2908,7 @@ int ext4_xattr_delete_inode(handle_t *handle, struct inode *inode,
2123 + if (error == -EIO)
2124 + EXT4_ERROR_INODE(inode, "block %llu read error",
2125 + EXT4_I(inode)->i_file_acl);
2126 ++ bh = NULL;
2127 + goto cleanup;
2128 + }
2129 + error = ext4_xattr_check_block(inode, bh);
2130 +@@ -3063,6 +3065,7 @@ ext4_xattr_block_cache_find(struct inode *inode,
2131 + if (IS_ERR(bh)) {
2132 + if (PTR_ERR(bh) == -ENOMEM)
2133 + return NULL;
2134 ++ bh = NULL;
2135 + EXT4_ERROR_INODE(inode, "block %lu read error",
2136 + (unsigned long)ce->e_value);
2137 + } else if (ext4_xattr_cmp(header, BHDR(bh)) == 0) {
2138 +diff --git a/fs/nfs/super.c b/fs/nfs/super.c
2139 +index 6b666d187907..6df9b85caf20 100644
2140 +--- a/fs/nfs/super.c
2141 ++++ b/fs/nfs/super.c
2142 +@@ -2052,7 +2052,8 @@ static int nfs23_validate_mount_data(void *options,
2143 + memcpy(sap, &data->addr, sizeof(data->addr));
2144 + args->nfs_server.addrlen = sizeof(data->addr);
2145 + args->nfs_server.port = ntohs(data->addr.sin_port);
2146 +- if (!nfs_verify_server_address(sap))
2147 ++ if (sap->sa_family != AF_INET ||
2148 ++ !nfs_verify_server_address(sap))
2149 + goto out_no_address;
2150 +
2151 + if (!(data->flags & NFS_MOUNT_TCP))
2152 +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
2153 +index 601bf33c26a0..ebbb0285addb 100644
2154 +--- a/fs/nfsd/nfs4callback.c
2155 ++++ b/fs/nfsd/nfs4callback.c
2156 +@@ -926,8 +926,9 @@ static void nfsd4_cb_prepare(struct rpc_task *task, void *calldata)
2157 + cb->cb_seq_status = 1;
2158 + cb->cb_status = 0;
2159 + if (minorversion) {
2160 +- if (!nfsd41_cb_get_slot(clp, task))
2161 ++ if (!cb->cb_holds_slot && !nfsd41_cb_get_slot(clp, task))
2162 + return;
2163 ++ cb->cb_holds_slot = true;
2164 + }
2165 + rpc_call_start(task);
2166 + }
2167 +@@ -954,6 +955,9 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback
2168 + return true;
2169 + }
2170 +
2171 ++ if (!cb->cb_holds_slot)
2172 ++ goto need_restart;
2173 ++
2174 + switch (cb->cb_seq_status) {
2175 + case 0:
2176 + /*
2177 +@@ -992,6 +996,7 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback
2178 + cb->cb_seq_status);
2179 + }
2180 +
2181 ++ cb->cb_holds_slot = false;
2182 + clear_bit(0, &clp->cl_cb_slot_busy);
2183 + rpc_wake_up_next(&clp->cl_cb_waitq);
2184 + dprintk("%s: freed slot, new seqid=%d\n", __func__,
2185 +@@ -1199,6 +1204,7 @@ void nfsd4_init_cb(struct nfsd4_callback *cb, struct nfs4_client *clp,
2186 + cb->cb_seq_status = 1;
2187 + cb->cb_status = 0;
2188 + cb->cb_need_restart = false;
2189 ++ cb->cb_holds_slot = false;
2190 + }
2191 +
2192 + void nfsd4_run_cb(struct nfsd4_callback *cb)
2193 +diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h
2194 +index 0b15dac7e609..0f07ad6dc1ef 100644
2195 +--- a/fs/nfsd/state.h
2196 ++++ b/fs/nfsd/state.h
2197 +@@ -70,6 +70,7 @@ struct nfsd4_callback {
2198 + int cb_seq_status;
2199 + int cb_status;
2200 + bool cb_need_restart;
2201 ++ bool cb_holds_slot;
2202 + };
2203 +
2204 + struct nfsd4_callback_ops {
2205 +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
2206 +index d65390727541..7325baa8f9d4 100644
2207 +--- a/fs/proc/proc_sysctl.c
2208 ++++ b/fs/proc/proc_sysctl.c
2209 +@@ -1626,9 +1626,11 @@ static void drop_sysctl_table(struct ctl_table_header *header)
2210 + if (--header->nreg)
2211 + return;
2212 +
2213 +- if (parent)
2214 ++ if (parent) {
2215 + put_links(header);
2216 +- start_unregistering(header);
2217 ++ start_unregistering(header);
2218 ++ }
2219 ++
2220 + if (!--header->count)
2221 + kfree_rcu(header, rcu);
2222 +
2223 +diff --git a/fs/splice.c b/fs/splice.c
2224 +index 29e92b506394..c78e0e3ff6c4 100644
2225 +--- a/fs/splice.c
2226 ++++ b/fs/splice.c
2227 +@@ -333,8 +333,8 @@ const struct pipe_buf_operations default_pipe_buf_ops = {
2228 + .get = generic_pipe_buf_get,
2229 + };
2230 +
2231 +-static int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe,
2232 +- struct pipe_buffer *buf)
2233 ++int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe,
2234 ++ struct pipe_buffer *buf)
2235 + {
2236 + return 1;
2237 + }
2238 +diff --git a/include/linux/fs.h b/include/linux/fs.h
2239 +index 7b6084854bfe..111c94c4baa1 100644
2240 +--- a/include/linux/fs.h
2241 ++++ b/include/linux/fs.h
2242 +@@ -304,13 +304,19 @@ enum rw_hint {
2243 +
2244 + struct kiocb {
2245 + struct file *ki_filp;
2246 ++
2247 ++ /* The 'ki_filp' pointer is shared in a union for aio */
2248 ++ randomized_struct_fields_start
2249 ++
2250 + loff_t ki_pos;
2251 + void (*ki_complete)(struct kiocb *iocb, long ret, long ret2);
2252 + void *private;
2253 + int ki_flags;
2254 + u16 ki_hint;
2255 + u16 ki_ioprio; /* See linux/ioprio.h */
2256 +-} __randomize_layout;
2257 ++
2258 ++ randomized_struct_fields_end
2259 ++};
2260 +
2261 + static inline bool is_sync_kiocb(struct kiocb *kiocb)
2262 + {
2263 +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
2264 +index 3ecd7ea212ae..66ee63cd5968 100644
2265 +--- a/include/linux/pipe_fs_i.h
2266 ++++ b/include/linux/pipe_fs_i.h
2267 +@@ -181,6 +181,7 @@ void free_pipe_info(struct pipe_inode_info *);
2268 + void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
2269 + int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
2270 + int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
2271 ++int generic_pipe_buf_nosteal(struct pipe_inode_info *, struct pipe_buffer *);
2272 + void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
2273 + void pipe_buf_mark_unmergeable(struct pipe_buffer *buf);
2274 +
2275 +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
2276 +index 0f39ac487012..f2be5d041ba3 100644
2277 +--- a/include/net/netfilter/nf_tables.h
2278 ++++ b/include/net/netfilter/nf_tables.h
2279 +@@ -382,6 +382,7 @@ void nft_unregister_set(struct nft_set_type *type);
2280 + * @dtype: data type (verdict or numeric type defined by userspace)
2281 + * @objtype: object type (see NFT_OBJECT_* definitions)
2282 + * @size: maximum set size
2283 ++ * @use: number of rules references to this set
2284 + * @nelems: number of elements
2285 + * @ndeact: number of deactivated elements queued for removal
2286 + * @timeout: default timeout value in jiffies
2287 +@@ -407,6 +408,7 @@ struct nft_set {
2288 + u32 dtype;
2289 + u32 objtype;
2290 + u32 size;
2291 ++ u32 use;
2292 + atomic_t nelems;
2293 + u32 ndeact;
2294 + u64 timeout;
2295 +@@ -416,7 +418,8 @@ struct nft_set {
2296 + unsigned char *udata;
2297 + /* runtime data below here */
2298 + const struct nft_set_ops *ops ____cacheline_aligned;
2299 +- u16 flags:14,
2300 ++ u16 flags:13,
2301 ++ bound:1,
2302 + genmask:2;
2303 + u8 klen;
2304 + u8 dlen;
2305 +@@ -466,10 +469,15 @@ struct nft_set_binding {
2306 + u32 flags;
2307 + };
2308 +
2309 ++enum nft_trans_phase;
2310 ++void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
2311 ++ struct nft_set_binding *binding,
2312 ++ enum nft_trans_phase phase);
2313 + int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2314 + struct nft_set_binding *binding);
2315 + void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2316 +- struct nft_set_binding *binding);
2317 ++ struct nft_set_binding *binding, bool commit);
2318 ++void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set);
2319 +
2320 + /**
2321 + * enum nft_set_extensions - set extension type IDs
2322 +@@ -689,10 +697,12 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
2323 + gcb->elems[gcb->head.cnt++] = elem;
2324 + }
2325 +
2326 ++struct nft_expr_ops;
2327 + /**
2328 + * struct nft_expr_type - nf_tables expression type
2329 + *
2330 + * @select_ops: function to select nft_expr_ops
2331 ++ * @release_ops: release nft_expr_ops
2332 + * @ops: default ops, used when no select_ops functions is present
2333 + * @list: used internally
2334 + * @name: Identifier
2335 +@@ -705,6 +715,7 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb,
2336 + struct nft_expr_type {
2337 + const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
2338 + const struct nlattr * const tb[]);
2339 ++ void (*release_ops)(const struct nft_expr_ops *ops);
2340 + const struct nft_expr_ops *ops;
2341 + struct list_head list;
2342 + const char *name;
2343 +@@ -718,13 +729,22 @@ struct nft_expr_type {
2344 + #define NFT_EXPR_STATEFUL 0x1
2345 + #define NFT_EXPR_GC 0x2
2346 +
2347 ++enum nft_trans_phase {
2348 ++ NFT_TRANS_PREPARE,
2349 ++ NFT_TRANS_ABORT,
2350 ++ NFT_TRANS_COMMIT,
2351 ++ NFT_TRANS_RELEASE
2352 ++};
2353 ++
2354 + /**
2355 + * struct nft_expr_ops - nf_tables expression operations
2356 + *
2357 + * @eval: Expression evaluation function
2358 + * @size: full expression size, including private data size
2359 + * @init: initialization function
2360 +- * @destroy: destruction function
2361 ++ * @activate: activate expression in the next generation
2362 ++ * @deactivate: deactivate expression in next generation
2363 ++ * @destroy: destruction function, called after synchronize_rcu
2364 + * @dump: function to dump parameters
2365 + * @type: expression type
2366 + * @validate: validate expression, called during loop detection
2367 +@@ -745,7 +765,8 @@ struct nft_expr_ops {
2368 + void (*activate)(const struct nft_ctx *ctx,
2369 + const struct nft_expr *expr);
2370 + void (*deactivate)(const struct nft_ctx *ctx,
2371 +- const struct nft_expr *expr);
2372 ++ const struct nft_expr *expr,
2373 ++ enum nft_trans_phase phase);
2374 + void (*destroy)(const struct nft_ctx *ctx,
2375 + const struct nft_expr *expr);
2376 + void (*destroy_clone)(const struct nft_ctx *ctx,
2377 +diff --git a/include/net/netrom.h b/include/net/netrom.h
2378 +index 5a0714ff500f..80f15b1c1a48 100644
2379 +--- a/include/net/netrom.h
2380 ++++ b/include/net/netrom.h
2381 +@@ -266,7 +266,7 @@ void nr_stop_idletimer(struct sock *);
2382 + int nr_t1timer_running(struct sock *);
2383 +
2384 + /* sysctl_net_netrom.c */
2385 +-void nr_register_sysctl(void);
2386 ++int nr_register_sysctl(void);
2387 + void nr_unregister_sysctl(void);
2388 +
2389 + #endif
2390 +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
2391 +index 91e4202b0634..72c07059ef37 100644
2392 +--- a/kernel/sched/deadline.c
2393 ++++ b/kernel/sched/deadline.c
2394 +@@ -252,7 +252,6 @@ static void task_non_contending(struct task_struct *p)
2395 + if (dl_entity_is_special(dl_se))
2396 + return;
2397 +
2398 +- WARN_ON(hrtimer_active(&dl_se->inactive_timer));
2399 + WARN_ON(dl_se->dl_non_contending);
2400 +
2401 + zerolag_time = dl_se->deadline -
2402 +@@ -269,7 +268,7 @@ static void task_non_contending(struct task_struct *p)
2403 + * If the "0-lag time" already passed, decrease the active
2404 + * utilization now, instead of starting a timer
2405 + */
2406 +- if (zerolag_time < 0) {
2407 ++ if ((zerolag_time < 0) || hrtimer_active(&dl_se->inactive_timer)) {
2408 + if (dl_task(p))
2409 + sub_running_bw(dl_se, dl_rq);
2410 + if (!dl_task(p) || p->state == TASK_DEAD) {
2411 +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
2412 +index 4aa8e7d90c25..d31916366d39 100644
2413 +--- a/kernel/sched/fair.c
2414 ++++ b/kernel/sched/fair.c
2415 +@@ -2016,6 +2016,10 @@ static u64 numa_get_avg_runtime(struct task_struct *p, u64 *period)
2416 + if (p->last_task_numa_placement) {
2417 + delta = runtime - p->last_sum_exec_runtime;
2418 + *period = now - p->last_task_numa_placement;
2419 ++
2420 ++ /* Avoid time going backwards, prevent potential divide error: */
2421 ++ if (unlikely((s64)*period < 0))
2422 ++ *period = 0;
2423 + } else {
2424 + delta = p->se.avg.load_sum;
2425 + *period = LOAD_AVG_MAX;
2426 +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
2427 +index 34b4c32b0692..805aef83b5cf 100644
2428 +--- a/kernel/trace/ring_buffer.c
2429 ++++ b/kernel/trace/ring_buffer.c
2430 +@@ -730,7 +730,7 @@ u64 ring_buffer_time_stamp(struct ring_buffer *buffer, int cpu)
2431 +
2432 + preempt_disable_notrace();
2433 + time = rb_time_stamp(buffer);
2434 +- preempt_enable_no_resched_notrace();
2435 ++ preempt_enable_notrace();
2436 +
2437 + return time;
2438 + }
2439 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
2440 +index c65cea71d1ee..5455ee05bc3b 100644
2441 +--- a/kernel/trace/trace.c
2442 ++++ b/kernel/trace/trace.c
2443 +@@ -496,8 +496,10 @@ int trace_pid_write(struct trace_pid_list *filtered_pids,
2444 + * not modified.
2445 + */
2446 + pid_list = kmalloc(sizeof(*pid_list), GFP_KERNEL);
2447 +- if (!pid_list)
2448 ++ if (!pid_list) {
2449 ++ trace_parser_put(&parser);
2450 + return -ENOMEM;
2451 ++ }
2452 +
2453 + pid_list->pid_max = READ_ONCE(pid_max);
2454 +
2455 +@@ -507,6 +509,7 @@ int trace_pid_write(struct trace_pid_list *filtered_pids,
2456 +
2457 + pid_list->pids = vzalloc((pid_list->pid_max + 7) >> 3);
2458 + if (!pid_list->pids) {
2459 ++ trace_parser_put(&parser);
2460 + kfree(pid_list);
2461 + return -ENOMEM;
2462 + }
2463 +@@ -6800,19 +6803,23 @@ struct buffer_ref {
2464 + struct ring_buffer *buffer;
2465 + void *page;
2466 + int cpu;
2467 +- int ref;
2468 ++ refcount_t refcount;
2469 + };
2470 +
2471 ++static void buffer_ref_release(struct buffer_ref *ref)
2472 ++{
2473 ++ if (!refcount_dec_and_test(&ref->refcount))
2474 ++ return;
2475 ++ ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page);
2476 ++ kfree(ref);
2477 ++}
2478 ++
2479 + static void buffer_pipe_buf_release(struct pipe_inode_info *pipe,
2480 + struct pipe_buffer *buf)
2481 + {
2482 + struct buffer_ref *ref = (struct buffer_ref *)buf->private;
2483 +
2484 +- if (--ref->ref)
2485 +- return;
2486 +-
2487 +- ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page);
2488 +- kfree(ref);
2489 ++ buffer_ref_release(ref);
2490 + buf->private = 0;
2491 + }
2492 +
2493 +@@ -6821,7 +6828,7 @@ static void buffer_pipe_buf_get(struct pipe_inode_info *pipe,
2494 + {
2495 + struct buffer_ref *ref = (struct buffer_ref *)buf->private;
2496 +
2497 +- ref->ref++;
2498 ++ refcount_inc(&ref->refcount);
2499 + }
2500 +
2501 + /* Pipe buffer operations for a buffer. */
2502 +@@ -6829,7 +6836,7 @@ static const struct pipe_buf_operations buffer_pipe_buf_ops = {
2503 + .can_merge = 0,
2504 + .confirm = generic_pipe_buf_confirm,
2505 + .release = buffer_pipe_buf_release,
2506 +- .steal = generic_pipe_buf_steal,
2507 ++ .steal = generic_pipe_buf_nosteal,
2508 + .get = buffer_pipe_buf_get,
2509 + };
2510 +
2511 +@@ -6842,11 +6849,7 @@ static void buffer_spd_release(struct splice_pipe_desc *spd, unsigned int i)
2512 + struct buffer_ref *ref =
2513 + (struct buffer_ref *)spd->partial[i].private;
2514 +
2515 +- if (--ref->ref)
2516 +- return;
2517 +-
2518 +- ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page);
2519 +- kfree(ref);
2520 ++ buffer_ref_release(ref);
2521 + spd->partial[i].private = 0;
2522 + }
2523 +
2524 +@@ -6901,7 +6904,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
2525 + break;
2526 + }
2527 +
2528 +- ref->ref = 1;
2529 ++ refcount_set(&ref->refcount, 1);
2530 + ref->buffer = iter->trace_buffer->buffer;
2531 + ref->page = ring_buffer_alloc_read_page(ref->buffer, iter->cpu_file);
2532 + if (IS_ERR(ref->page)) {
2533 +diff --git a/kernel/workqueue.c b/kernel/workqueue.c
2534 +index 0280deac392e..cd8b61bded78 100644
2535 +--- a/kernel/workqueue.c
2536 ++++ b/kernel/workqueue.c
2537 +@@ -2908,6 +2908,9 @@ static bool __flush_work(struct work_struct *work, bool from_cancel)
2538 + if (WARN_ON(!wq_online))
2539 + return false;
2540 +
2541 ++ if (WARN_ON(!work->func))
2542 ++ return false;
2543 ++
2544 + if (!from_cancel) {
2545 + lock_map_acquire(&work->lockdep_map);
2546 + lock_map_release(&work->lockdep_map);
2547 +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
2548 +index 4966c4fbe7f7..3dea52f7be9c 100644
2549 +--- a/lib/Kconfig.debug
2550 ++++ b/lib/Kconfig.debug
2551 +@@ -1934,6 +1934,7 @@ config TEST_KMOD
2552 + depends on m
2553 + depends on BLOCK && (64BIT || LBDAF) # for XFS, BTRFS
2554 + depends on NETDEVICES && NET_CORE && INET # for TUN
2555 ++ depends on BLOCK
2556 + select TEST_LKM
2557 + select XFS_FS
2558 + select TUN
2559 +diff --git a/mm/memory.c b/mm/memory.c
2560 +index 5b3f71bcd1ae..9c69278173b7 100644
2561 +--- a/mm/memory.c
2562 ++++ b/mm/memory.c
2563 +@@ -1787,10 +1787,15 @@ static int insert_pfn(struct vm_area_struct *vma, unsigned long addr,
2564 + * in may not match the PFN we have mapped if the
2565 + * mapped PFN is a writeable COW page. In the mkwrite
2566 + * case we are creating a writable PTE for a shared
2567 +- * mapping and we expect the PFNs to match.
2568 ++ * mapping and we expect the PFNs to match. If they
2569 ++ * don't match, we are likely racing with block
2570 ++ * allocation and mapping invalidation so just skip the
2571 ++ * update.
2572 + */
2573 +- if (WARN_ON_ONCE(pte_pfn(*pte) != pfn_t_to_pfn(pfn)))
2574 ++ if (pte_pfn(*pte) != pfn_t_to_pfn(pfn)) {
2575 ++ WARN_ON_ONCE(!is_zero_pfn(pte_pfn(*pte)));
2576 + goto out_unlock;
2577 ++ }
2578 + entry = *pte;
2579 + goto out_mkwrite;
2580 + } else
2581 +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
2582 +index f77888ec93f1..0bb4d712b80c 100644
2583 +--- a/net/bridge/netfilter/ebtables.c
2584 ++++ b/net/bridge/netfilter/ebtables.c
2585 +@@ -2032,7 +2032,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
2586 + if (match_kern)
2587 + match_kern->match_size = ret;
2588 +
2589 +- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
2590 ++ /* rule should have no remaining data after target */
2591 ++ if (type == EBT_COMPAT_TARGET && size_left)
2592 + return -EINVAL;
2593 +
2594 + match32 = (struct compat_ebt_entry_mwt *) buf;
2595 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
2596 +index 98c81c21b753..8bacbcd2db90 100644
2597 +--- a/net/ipv4/route.c
2598 ++++ b/net/ipv4/route.c
2599 +@@ -1185,25 +1185,39 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie)
2600 + return dst;
2601 + }
2602 +
2603 +-static void ipv4_link_failure(struct sk_buff *skb)
2604 ++static void ipv4_send_dest_unreach(struct sk_buff *skb)
2605 + {
2606 + struct ip_options opt;
2607 +- struct rtable *rt;
2608 + int res;
2609 +
2610 + /* Recompile ip options since IPCB may not be valid anymore.
2611 ++ * Also check we have a reasonable ipv4 header.
2612 + */
2613 +- memset(&opt, 0, sizeof(opt));
2614 +- opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
2615 ++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) ||
2616 ++ ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5)
2617 ++ return;
2618 +
2619 +- rcu_read_lock();
2620 +- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
2621 +- rcu_read_unlock();
2622 ++ memset(&opt, 0, sizeof(opt));
2623 ++ if (ip_hdr(skb)->ihl > 5) {
2624 ++ if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4))
2625 ++ return;
2626 ++ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr);
2627 +
2628 +- if (res)
2629 +- return;
2630 ++ rcu_read_lock();
2631 ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
2632 ++ rcu_read_unlock();
2633 +
2634 ++ if (res)
2635 ++ return;
2636 ++ }
2637 + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
2638 ++}
2639 ++
2640 ++static void ipv4_link_failure(struct sk_buff *skb)
2641 ++{
2642 ++ struct rtable *rt;
2643 ++
2644 ++ ipv4_send_dest_unreach(skb);
2645 +
2646 + rt = skb_rtable(skb);
2647 + if (rt)
2648 +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
2649 +index 891ed2f91467..ce64453d337d 100644
2650 +--- a/net/ipv4/sysctl_net_ipv4.c
2651 ++++ b/net/ipv4/sysctl_net_ipv4.c
2652 +@@ -49,6 +49,7 @@ static int ip_ping_group_range_min[] = { 0, 0 };
2653 + static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
2654 + static int comp_sack_nr_max = 255;
2655 + static u32 u32_max_div_HZ = UINT_MAX / HZ;
2656 ++static int one_day_secs = 24 * 3600;
2657 +
2658 + /* obsolete */
2659 + static int sysctl_tcp_low_latency __read_mostly;
2660 +@@ -1140,7 +1141,9 @@ static struct ctl_table ipv4_net_table[] = {
2661 + .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen,
2662 + .maxlen = sizeof(int),
2663 + .mode = 0644,
2664 +- .proc_handler = proc_dointvec
2665 ++ .proc_handler = proc_dointvec_minmax,
2666 ++ .extra1 = &zero,
2667 ++ .extra2 = &one_day_secs
2668 + },
2669 + {
2670 + .procname = "tcp_autocorking",
2671 +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
2672 +index 8fd8d06454d6..2d4e048762f6 100644
2673 +--- a/net/netfilter/ipvs/ip_vs_ctl.c
2674 ++++ b/net/netfilter/ipvs/ip_vs_ctl.c
2675 +@@ -896,12 +896,13 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
2676 + {
2677 + struct ip_vs_dest *dest;
2678 + unsigned int atype, i;
2679 +- int ret = 0;
2680 +
2681 + EnterFunction(2);
2682 +
2683 + #ifdef CONFIG_IP_VS_IPV6
2684 + if (udest->af == AF_INET6) {
2685 ++ int ret;
2686 ++
2687 + atype = ipv6_addr_type(&udest->addr.in6);
2688 + if ((!(atype & IPV6_ADDR_UNICAST) ||
2689 + atype & IPV6_ADDR_LINKLOCAL) &&
2690 +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
2691 +index c06393fc716d..1af54119bafc 100644
2692 +--- a/net/netfilter/nf_tables_api.c
2693 ++++ b/net/netfilter/nf_tables_api.c
2694 +@@ -112,6 +112,23 @@ static void nft_trans_destroy(struct nft_trans *trans)
2695 + kfree(trans);
2696 + }
2697 +
2698 ++static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
2699 ++{
2700 ++ struct net *net = ctx->net;
2701 ++ struct nft_trans *trans;
2702 ++
2703 ++ if (!nft_set_is_anonymous(set))
2704 ++ return;
2705 ++
2706 ++ list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
2707 ++ if (trans->msg_type == NFT_MSG_NEWSET &&
2708 ++ nft_trans_set(trans) == set) {
2709 ++ set->bound = true;
2710 ++ break;
2711 ++ }
2712 ++ }
2713 ++}
2714 ++
2715 + static int nf_tables_register_hook(struct net *net,
2716 + const struct nft_table *table,
2717 + struct nft_chain *chain)
2718 +@@ -222,14 +239,15 @@ static void nft_rule_expr_activate(const struct nft_ctx *ctx,
2719 + }
2720 +
2721 + static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
2722 +- struct nft_rule *rule)
2723 ++ struct nft_rule *rule,
2724 ++ enum nft_trans_phase phase)
2725 + {
2726 + struct nft_expr *expr;
2727 +
2728 + expr = nft_expr_first(rule);
2729 + while (expr != nft_expr_last(rule) && expr->ops) {
2730 + if (expr->ops->deactivate)
2731 +- expr->ops->deactivate(ctx, expr);
2732 ++ expr->ops->deactivate(ctx, expr, phase);
2733 +
2734 + expr = nft_expr_next(expr);
2735 + }
2736 +@@ -280,7 +298,7 @@ static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
2737 + nft_trans_destroy(trans);
2738 + return err;
2739 + }
2740 +- nft_rule_expr_deactivate(ctx, rule);
2741 ++ nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
2742 +
2743 + return 0;
2744 + }
2745 +@@ -301,7 +319,7 @@ static int nft_delrule_by_chain(struct nft_ctx *ctx)
2746 + return 0;
2747 + }
2748 +
2749 +-static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
2750 ++static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
2751 + struct nft_set *set)
2752 + {
2753 + struct nft_trans *trans;
2754 +@@ -321,7 +339,7 @@ static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type,
2755 + return 0;
2756 + }
2757 +
2758 +-static int nft_delset(struct nft_ctx *ctx, struct nft_set *set)
2759 ++static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
2760 + {
2761 + int err;
2762 +
2763 +@@ -2105,6 +2123,7 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2764 + {
2765 + struct nft_expr_info info;
2766 + struct nft_expr *expr;
2767 ++ struct module *owner;
2768 + int err;
2769 +
2770 + err = nf_tables_expr_parse(ctx, nla, &info);
2771 +@@ -2124,7 +2143,11 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
2772 + err3:
2773 + kfree(expr);
2774 + err2:
2775 +- module_put(info.ops->type->owner);
2776 ++ owner = info.ops->type->owner;
2777 ++ if (info.ops->type->release_ops)
2778 ++ info.ops->type->release_ops(info.ops);
2779 ++
2780 ++ module_put(owner);
2781 + err1:
2782 + return ERR_PTR(err);
2783 + }
2784 +@@ -2458,7 +2481,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
2785 + static void nf_tables_rule_release(const struct nft_ctx *ctx,
2786 + struct nft_rule *rule)
2787 + {
2788 +- nft_rule_expr_deactivate(ctx, rule);
2789 ++ nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
2790 + nf_tables_rule_destroy(ctx, rule);
2791 + }
2792 +
2793 +@@ -3562,19 +3585,15 @@ err1:
2794 +
2795 + static void nft_set_destroy(struct nft_set *set)
2796 + {
2797 ++ if (WARN_ON(set->use > 0))
2798 ++ return;
2799 ++
2800 + set->ops->destroy(set);
2801 + module_put(to_set_type(set->ops)->owner);
2802 + kfree(set->name);
2803 + kvfree(set);
2804 + }
2805 +
2806 +-static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
2807 +-{
2808 +- list_del_rcu(&set->list);
2809 +- nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
2810 +- nft_set_destroy(set);
2811 +-}
2812 +-
2813 + static int nf_tables_delset(struct net *net, struct sock *nlsk,
2814 + struct sk_buff *skb, const struct nlmsghdr *nlh,
2815 + const struct nlattr * const nla[],
2816 +@@ -3609,7 +3628,7 @@ static int nf_tables_delset(struct net *net, struct sock *nlsk,
2817 + NL_SET_BAD_ATTR(extack, attr);
2818 + return PTR_ERR(set);
2819 + }
2820 +- if (!list_empty(&set->bindings) ||
2821 ++ if (set->use ||
2822 + (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) {
2823 + NL_SET_BAD_ATTR(extack, attr);
2824 + return -EBUSY;
2825 +@@ -3639,6 +3658,9 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2826 + struct nft_set_binding *i;
2827 + struct nft_set_iter iter;
2828 +
2829 ++ if (set->use == UINT_MAX)
2830 ++ return -EOVERFLOW;
2831 ++
2832 + if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
2833 + return -EBUSY;
2834 +
2835 +@@ -3665,21 +3687,53 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
2836 + bind:
2837 + binding->chain = ctx->chain;
2838 + list_add_tail_rcu(&binding->list, &set->bindings);
2839 ++ nft_set_trans_bind(ctx, set);
2840 ++ set->use++;
2841 ++
2842 + return 0;
2843 + }
2844 + EXPORT_SYMBOL_GPL(nf_tables_bind_set);
2845 +
2846 + void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
2847 +- struct nft_set_binding *binding)
2848 ++ struct nft_set_binding *binding, bool event)
2849 + {
2850 + list_del_rcu(&binding->list);
2851 +
2852 +- if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
2853 +- nft_is_active(ctx->net, set))
2854 +- nf_tables_set_destroy(ctx, set);
2855 ++ if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
2856 ++ list_del_rcu(&set->list);
2857 ++ if (event)
2858 ++ nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
2859 ++ GFP_KERNEL);
2860 ++ }
2861 + }
2862 + EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
2863 +
2864 ++void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
2865 ++ struct nft_set_binding *binding,
2866 ++ enum nft_trans_phase phase)
2867 ++{
2868 ++ switch (phase) {
2869 ++ case NFT_TRANS_PREPARE:
2870 ++ set->use--;
2871 ++ return;
2872 ++ case NFT_TRANS_ABORT:
2873 ++ case NFT_TRANS_RELEASE:
2874 ++ set->use--;
2875 ++ /* fall through */
2876 ++ default:
2877 ++ nf_tables_unbind_set(ctx, set, binding,
2878 ++ phase == NFT_TRANS_COMMIT);
2879 ++ }
2880 ++}
2881 ++EXPORT_SYMBOL_GPL(nf_tables_deactivate_set);
2882 ++
2883 ++void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
2884 ++{
2885 ++ if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
2886 ++ nft_set_destroy(set);
2887 ++}
2888 ++EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
2889 ++
2890 + const struct nft_set_ext_type nft_set_ext_types[] = {
2891 + [NFT_SET_EXT_KEY] = {
2892 + .align = __alignof__(u32),
2893 +@@ -6429,6 +6483,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
2894 + nf_tables_rule_notify(&trans->ctx,
2895 + nft_trans_rule(trans),
2896 + NFT_MSG_DELRULE);
2897 ++ nft_rule_expr_deactivate(&trans->ctx,
2898 ++ nft_trans_rule(trans),
2899 ++ NFT_TRANS_COMMIT);
2900 + break;
2901 + case NFT_MSG_NEWSET:
2902 + nft_clear(net, nft_trans_set(trans));
2903 +@@ -6577,7 +6634,9 @@ static int __nf_tables_abort(struct net *net)
2904 + case NFT_MSG_NEWRULE:
2905 + trans->ctx.chain->use--;
2906 + list_del_rcu(&nft_trans_rule(trans)->list);
2907 +- nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
2908 ++ nft_rule_expr_deactivate(&trans->ctx,
2909 ++ nft_trans_rule(trans),
2910 ++ NFT_TRANS_ABORT);
2911 + break;
2912 + case NFT_MSG_DELRULE:
2913 + trans->ctx.chain->use++;
2914 +@@ -6587,6 +6646,10 @@ static int __nf_tables_abort(struct net *net)
2915 + break;
2916 + case NFT_MSG_NEWSET:
2917 + trans->ctx.table->use--;
2918 ++ if (nft_trans_set(trans)->bound) {
2919 ++ nft_trans_destroy(trans);
2920 ++ break;
2921 ++ }
2922 + list_del_rcu(&nft_trans_set(trans)->list);
2923 + break;
2924 + case NFT_MSG_DELSET:
2925 +@@ -6595,8 +6658,11 @@ static int __nf_tables_abort(struct net *net)
2926 + nft_trans_destroy(trans);
2927 + break;
2928 + case NFT_MSG_NEWSETELEM:
2929 ++ if (nft_trans_elem_set(trans)->bound) {
2930 ++ nft_trans_destroy(trans);
2931 ++ break;
2932 ++ }
2933 + te = (struct nft_trans_elem *)trans->data;
2934 +-
2935 + te->set->ops->remove(net, te->set, &te->elem);
2936 + atomic_dec(&te->set->nelems);
2937 + break;
2938 +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
2939 +index 38da1f5436b4..1245e02239d9 100644
2940 +--- a/net/netfilter/nft_compat.c
2941 ++++ b/net/netfilter/nft_compat.c
2942 +@@ -23,19 +23,6 @@
2943 + #include <linux/netfilter_arp/arp_tables.h>
2944 + #include <net/netfilter/nf_tables.h>
2945 +
2946 +-struct nft_xt {
2947 +- struct list_head head;
2948 +- struct nft_expr_ops ops;
2949 +- unsigned int refcnt;
2950 +-
2951 +- /* Unlike other expressions, ops doesn't have static storage duration.
2952 +- * nft core assumes they do. We use kfree_rcu so that nft core can
2953 +- * can check expr->ops->size even after nft_compat->destroy() frees
2954 +- * the nft_xt struct that holds the ops structure.
2955 +- */
2956 +- struct rcu_head rcu_head;
2957 +-};
2958 +-
2959 + /* Used for matches where *info is larger than X byte */
2960 + #define NFT_MATCH_LARGE_THRESH 192
2961 +
2962 +@@ -43,17 +30,6 @@ struct nft_xt_match_priv {
2963 + void *info;
2964 + };
2965 +
2966 +-static bool nft_xt_put(struct nft_xt *xt)
2967 +-{
2968 +- if (--xt->refcnt == 0) {
2969 +- list_del(&xt->head);
2970 +- kfree_rcu(xt, rcu_head);
2971 +- return true;
2972 +- }
2973 +-
2974 +- return false;
2975 +-}
2976 +-
2977 + static int nft_compat_chain_validate_dependency(const struct nft_ctx *ctx,
2978 + const char *tablename)
2979 + {
2980 +@@ -248,7 +224,6 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
2981 + struct xt_target *target = expr->ops->data;
2982 + struct xt_tgchk_param par;
2983 + size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
2984 +- struct nft_xt *nft_xt;
2985 + u16 proto = 0;
2986 + bool inv = false;
2987 + union nft_entry e = {};
2988 +@@ -272,8 +247,6 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
2989 + if (!target->target)
2990 + return -EINVAL;
2991 +
2992 +- nft_xt = container_of(expr->ops, struct nft_xt, ops);
2993 +- nft_xt->refcnt++;
2994 + return 0;
2995 + }
2996 +
2997 +@@ -292,8 +265,8 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
2998 + if (par.target->destroy != NULL)
2999 + par.target->destroy(&par);
3000 +
3001 +- if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
3002 +- module_put(me);
3003 ++ module_put(me);
3004 ++ kfree(expr->ops);
3005 + }
3006 +
3007 + static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
3008 +@@ -447,7 +420,6 @@ __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
3009 + struct xt_match *match = expr->ops->data;
3010 + struct xt_mtchk_param par;
3011 + size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
3012 +- struct nft_xt *nft_xt;
3013 + u16 proto = 0;
3014 + bool inv = false;
3015 + union nft_entry e = {};
3016 +@@ -463,13 +435,7 @@ __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
3017 +
3018 + nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
3019 +
3020 +- ret = xt_check_match(&par, size, proto, inv);
3021 +- if (ret < 0)
3022 +- return ret;
3023 +-
3024 +- nft_xt = container_of(expr->ops, struct nft_xt, ops);
3025 +- nft_xt->refcnt++;
3026 +- return 0;
3027 ++ return xt_check_match(&par, size, proto, inv);
3028 + }
3029 +
3030 + static int
3031 +@@ -512,8 +478,8 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
3032 + if (par.match->destroy != NULL)
3033 + par.match->destroy(&par);
3034 +
3035 +- if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
3036 +- module_put(me);
3037 ++ module_put(me);
3038 ++ kfree(expr->ops);
3039 + }
3040 +
3041 + static void
3042 +@@ -715,22 +681,13 @@ static const struct nfnetlink_subsystem nfnl_compat_subsys = {
3043 + .cb = nfnl_nft_compat_cb,
3044 + };
3045 +
3046 +-static LIST_HEAD(nft_match_list);
3047 +-
3048 + static struct nft_expr_type nft_match_type;
3049 +
3050 +-static bool nft_match_cmp(const struct xt_match *match,
3051 +- const char *name, u32 rev, u32 family)
3052 +-{
3053 +- return strcmp(match->name, name) == 0 && match->revision == rev &&
3054 +- (match->family == NFPROTO_UNSPEC || match->family == family);
3055 +-}
3056 +-
3057 + static const struct nft_expr_ops *
3058 + nft_match_select_ops(const struct nft_ctx *ctx,
3059 + const struct nlattr * const tb[])
3060 + {
3061 +- struct nft_xt *nft_match;
3062 ++ struct nft_expr_ops *ops;
3063 + struct xt_match *match;
3064 + unsigned int matchsize;
3065 + char *mt_name;
3066 +@@ -746,14 +703,6 @@ nft_match_select_ops(const struct nft_ctx *ctx,
3067 + rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
3068 + family = ctx->family;
3069 +
3070 +- /* Re-use the existing match if it's already loaded. */
3071 +- list_for_each_entry(nft_match, &nft_match_list, head) {
3072 +- struct xt_match *match = nft_match->ops.data;
3073 +-
3074 +- if (nft_match_cmp(match, mt_name, rev, family))
3075 +- return &nft_match->ops;
3076 +- }
3077 +-
3078 + match = xt_request_find_match(family, mt_name, rev);
3079 + if (IS_ERR(match))
3080 + return ERR_PTR(-ENOENT);
3081 +@@ -763,66 +712,62 @@ nft_match_select_ops(const struct nft_ctx *ctx,
3082 + goto err;
3083 + }
3084 +
3085 +- /* This is the first time we use this match, allocate operations */
3086 +- nft_match = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
3087 +- if (nft_match == NULL) {
3088 ++ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
3089 ++ if (!ops) {
3090 + err = -ENOMEM;
3091 + goto err;
3092 + }
3093 +
3094 +- nft_match->refcnt = 0;
3095 +- nft_match->ops.type = &nft_match_type;
3096 +- nft_match->ops.eval = nft_match_eval;
3097 +- nft_match->ops.init = nft_match_init;
3098 +- nft_match->ops.destroy = nft_match_destroy;
3099 +- nft_match->ops.dump = nft_match_dump;
3100 +- nft_match->ops.validate = nft_match_validate;
3101 +- nft_match->ops.data = match;
3102 ++ ops->type = &nft_match_type;
3103 ++ ops->eval = nft_match_eval;
3104 ++ ops->init = nft_match_init;
3105 ++ ops->destroy = nft_match_destroy;
3106 ++ ops->dump = nft_match_dump;
3107 ++ ops->validate = nft_match_validate;
3108 ++ ops->data = match;
3109 +
3110 + matchsize = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
3111 + if (matchsize > NFT_MATCH_LARGE_THRESH) {
3112 + matchsize = NFT_EXPR_SIZE(sizeof(struct nft_xt_match_priv));
3113 +
3114 +- nft_match->ops.eval = nft_match_large_eval;
3115 +- nft_match->ops.init = nft_match_large_init;
3116 +- nft_match->ops.destroy = nft_match_large_destroy;
3117 +- nft_match->ops.dump = nft_match_large_dump;
3118 ++ ops->eval = nft_match_large_eval;
3119 ++ ops->init = nft_match_large_init;
3120 ++ ops->destroy = nft_match_large_destroy;
3121 ++ ops->dump = nft_match_large_dump;
3122 + }
3123 +
3124 +- nft_match->ops.size = matchsize;
3125 +-
3126 +- list_add(&nft_match->head, &nft_match_list);
3127 ++ ops->size = matchsize;
3128 +
3129 +- return &nft_match->ops;
3130 ++ return ops;
3131 + err:
3132 + module_put(match->me);
3133 + return ERR_PTR(err);
3134 + }
3135 +
3136 ++static void nft_match_release_ops(const struct nft_expr_ops *ops)
3137 ++{
3138 ++ struct xt_match *match = ops->data;
3139 ++
3140 ++ module_put(match->me);
3141 ++ kfree(ops);
3142 ++}
3143 ++
3144 + static struct nft_expr_type nft_match_type __read_mostly = {
3145 + .name = "match",
3146 + .select_ops = nft_match_select_ops,
3147 ++ .release_ops = nft_match_release_ops,
3148 + .policy = nft_match_policy,
3149 + .maxattr = NFTA_MATCH_MAX,
3150 + .owner = THIS_MODULE,
3151 + };
3152 +
3153 +-static LIST_HEAD(nft_target_list);
3154 +-
3155 + static struct nft_expr_type nft_target_type;
3156 +
3157 +-static bool nft_target_cmp(const struct xt_target *tg,
3158 +- const char *name, u32 rev, u32 family)
3159 +-{
3160 +- return strcmp(tg->name, name) == 0 && tg->revision == rev &&
3161 +- (tg->family == NFPROTO_UNSPEC || tg->family == family);
3162 +-}
3163 +-
3164 + static const struct nft_expr_ops *
3165 + nft_target_select_ops(const struct nft_ctx *ctx,
3166 + const struct nlattr * const tb[])
3167 + {
3168 +- struct nft_xt *nft_target;
3169 ++ struct nft_expr_ops *ops;
3170 + struct xt_target *target;
3171 + char *tg_name;
3172 + u32 rev, family;
3173 +@@ -842,17 +787,6 @@ nft_target_select_ops(const struct nft_ctx *ctx,
3174 + strcmp(tg_name, "standard") == 0)
3175 + return ERR_PTR(-EINVAL);
3176 +
3177 +- /* Re-use the existing target if it's already loaded. */
3178 +- list_for_each_entry(nft_target, &nft_target_list, head) {
3179 +- struct xt_target *target = nft_target->ops.data;
3180 +-
3181 +- if (!target->target)
3182 +- continue;
3183 +-
3184 +- if (nft_target_cmp(target, tg_name, rev, family))
3185 +- return &nft_target->ops;
3186 +- }
3187 +-
3188 + target = xt_request_find_target(family, tg_name, rev);
3189 + if (IS_ERR(target))
3190 + return ERR_PTR(-ENOENT);
3191 +@@ -867,38 +801,43 @@ nft_target_select_ops(const struct nft_ctx *ctx,
3192 + goto err;
3193 + }
3194 +
3195 +- /* This is the first time we use this target, allocate operations */
3196 +- nft_target = kzalloc(sizeof(struct nft_xt), GFP_KERNEL);
3197 +- if (nft_target == NULL) {
3198 ++ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL);
3199 ++ if (!ops) {
3200 + err = -ENOMEM;
3201 + goto err;
3202 + }
3203 +
3204 +- nft_target->refcnt = 0;
3205 +- nft_target->ops.type = &nft_target_type;
3206 +- nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
3207 +- nft_target->ops.init = nft_target_init;
3208 +- nft_target->ops.destroy = nft_target_destroy;
3209 +- nft_target->ops.dump = nft_target_dump;
3210 +- nft_target->ops.validate = nft_target_validate;
3211 +- nft_target->ops.data = target;
3212 ++ ops->type = &nft_target_type;
3213 ++ ops->size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
3214 ++ ops->init = nft_target_init;
3215 ++ ops->destroy = nft_target_destroy;
3216 ++ ops->dump = nft_target_dump;
3217 ++ ops->validate = nft_target_validate;
3218 ++ ops->data = target;
3219 +
3220 + if (family == NFPROTO_BRIDGE)
3221 +- nft_target->ops.eval = nft_target_eval_bridge;
3222 ++ ops->eval = nft_target_eval_bridge;
3223 + else
3224 +- nft_target->ops.eval = nft_target_eval_xt;
3225 +-
3226 +- list_add(&nft_target->head, &nft_target_list);
3227 ++ ops->eval = nft_target_eval_xt;
3228 +
3229 +- return &nft_target->ops;
3230 ++ return ops;
3231 + err:
3232 + module_put(target->me);
3233 + return ERR_PTR(err);
3234 + }
3235 +
3236 ++static void nft_target_release_ops(const struct nft_expr_ops *ops)
3237 ++{
3238 ++ struct xt_target *target = ops->data;
3239 ++
3240 ++ module_put(target->me);
3241 ++ kfree(ops);
3242 ++}
3243 ++
3244 + static struct nft_expr_type nft_target_type __read_mostly = {
3245 + .name = "target",
3246 + .select_ops = nft_target_select_ops,
3247 ++ .release_ops = nft_target_release_ops,
3248 + .policy = nft_target_policy,
3249 + .maxattr = NFTA_TARGET_MAX,
3250 + .owner = THIS_MODULE,
3251 +@@ -923,7 +862,6 @@ static int __init nft_compat_module_init(void)
3252 + }
3253 +
3254 + return ret;
3255 +-
3256 + err_target:
3257 + nft_unregister_expr(&nft_target_type);
3258 + err_match:
3259 +@@ -933,32 +871,6 @@ err_match:
3260 +
3261 + static void __exit nft_compat_module_exit(void)
3262 + {
3263 +- struct nft_xt *xt, *next;
3264 +-
3265 +- /* list should be empty here, it can be non-empty only in case there
3266 +- * was an error that caused nft_xt expr to not be initialized fully
3267 +- * and noone else requested the same expression later.
3268 +- *
3269 +- * In this case, the lists contain 0-refcount entries that still
3270 +- * hold module reference.
3271 +- */
3272 +- list_for_each_entry_safe(xt, next, &nft_target_list, head) {
3273 +- struct xt_target *target = xt->ops.data;
3274 +-
3275 +- if (WARN_ON_ONCE(xt->refcnt))
3276 +- continue;
3277 +- module_put(target->me);
3278 +- kfree(xt);
3279 +- }
3280 +-
3281 +- list_for_each_entry_safe(xt, next, &nft_match_list, head) {
3282 +- struct xt_match *match = xt->ops.data;
3283 +-
3284 +- if (WARN_ON_ONCE(xt->refcnt))
3285 +- continue;
3286 +- module_put(match->me);
3287 +- kfree(xt);
3288 +- }
3289 + nfnetlink_subsys_unregister(&nfnl_compat_subsys);
3290 + nft_unregister_expr(&nft_target_type);
3291 + nft_unregister_expr(&nft_match_type);
3292 +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
3293 +index 6e91a37d57f2..eb7f9a5f2aeb 100644
3294 +--- a/net/netfilter/nft_dynset.c
3295 ++++ b/net/netfilter/nft_dynset.c
3296 +@@ -235,14 +235,32 @@ err1:
3297 + return err;
3298 + }
3299 +
3300 ++static void nft_dynset_deactivate(const struct nft_ctx *ctx,
3301 ++ const struct nft_expr *expr,
3302 ++ enum nft_trans_phase phase)
3303 ++{
3304 ++ struct nft_dynset *priv = nft_expr_priv(expr);
3305 ++
3306 ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
3307 ++}
3308 ++
3309 ++static void nft_dynset_activate(const struct nft_ctx *ctx,
3310 ++ const struct nft_expr *expr)
3311 ++{
3312 ++ struct nft_dynset *priv = nft_expr_priv(expr);
3313 ++
3314 ++ priv->set->use++;
3315 ++}
3316 ++
3317 + static void nft_dynset_destroy(const struct nft_ctx *ctx,
3318 + const struct nft_expr *expr)
3319 + {
3320 + struct nft_dynset *priv = nft_expr_priv(expr);
3321 +
3322 +- nf_tables_unbind_set(ctx, priv->set, &priv->binding);
3323 + if (priv->expr != NULL)
3324 + nft_expr_destroy(ctx, priv->expr);
3325 ++
3326 ++ nf_tables_destroy_set(ctx, priv->set);
3327 + }
3328 +
3329 + static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr)
3330 +@@ -279,6 +297,8 @@ static const struct nft_expr_ops nft_dynset_ops = {
3331 + .eval = nft_dynset_eval,
3332 + .init = nft_dynset_init,
3333 + .destroy = nft_dynset_destroy,
3334 ++ .activate = nft_dynset_activate,
3335 ++ .deactivate = nft_dynset_deactivate,
3336 + .dump = nft_dynset_dump,
3337 + };
3338 +
3339 +diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
3340 +index 0777a93211e2..3f6d1d2a6281 100644
3341 +--- a/net/netfilter/nft_immediate.c
3342 ++++ b/net/netfilter/nft_immediate.c
3343 +@@ -72,10 +72,14 @@ static void nft_immediate_activate(const struct nft_ctx *ctx,
3344 + }
3345 +
3346 + static void nft_immediate_deactivate(const struct nft_ctx *ctx,
3347 +- const struct nft_expr *expr)
3348 ++ const struct nft_expr *expr,
3349 ++ enum nft_trans_phase phase)
3350 + {
3351 + const struct nft_immediate_expr *priv = nft_expr_priv(expr);
3352 +
3353 ++ if (phase == NFT_TRANS_COMMIT)
3354 ++ return;
3355 ++
3356 + return nft_data_release(&priv->data, nft_dreg_to_type(priv->dreg));
3357 + }
3358 +
3359 +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
3360 +index ad13e8643599..161c3451a747 100644
3361 +--- a/net/netfilter/nft_lookup.c
3362 ++++ b/net/netfilter/nft_lookup.c
3363 +@@ -121,12 +121,29 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
3364 + return 0;
3365 + }
3366 +
3367 ++static void nft_lookup_deactivate(const struct nft_ctx *ctx,
3368 ++ const struct nft_expr *expr,
3369 ++ enum nft_trans_phase phase)
3370 ++{
3371 ++ struct nft_lookup *priv = nft_expr_priv(expr);
3372 ++
3373 ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
3374 ++}
3375 ++
3376 ++static void nft_lookup_activate(const struct nft_ctx *ctx,
3377 ++ const struct nft_expr *expr)
3378 ++{
3379 ++ struct nft_lookup *priv = nft_expr_priv(expr);
3380 ++
3381 ++ priv->set->use++;
3382 ++}
3383 ++
3384 + static void nft_lookup_destroy(const struct nft_ctx *ctx,
3385 + const struct nft_expr *expr)
3386 + {
3387 + struct nft_lookup *priv = nft_expr_priv(expr);
3388 +
3389 +- nf_tables_unbind_set(ctx, priv->set, &priv->binding);
3390 ++ nf_tables_destroy_set(ctx, priv->set);
3391 + }
3392 +
3393 + static int nft_lookup_dump(struct sk_buff *skb, const struct nft_expr *expr)
3394 +@@ -209,6 +226,8 @@ static const struct nft_expr_ops nft_lookup_ops = {
3395 + .size = NFT_EXPR_SIZE(sizeof(struct nft_lookup)),
3396 + .eval = nft_lookup_eval,
3397 + .init = nft_lookup_init,
3398 ++ .activate = nft_lookup_activate,
3399 ++ .deactivate = nft_lookup_deactivate,
3400 + .destroy = nft_lookup_destroy,
3401 + .dump = nft_lookup_dump,
3402 + .validate = nft_lookup_validate,
3403 +diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
3404 +index cdf348f751ec..bf92a40dd1b2 100644
3405 +--- a/net/netfilter/nft_objref.c
3406 ++++ b/net/netfilter/nft_objref.c
3407 +@@ -64,21 +64,34 @@ nla_put_failure:
3408 + return -1;
3409 + }
3410 +
3411 +-static void nft_objref_destroy(const struct nft_ctx *ctx,
3412 +- const struct nft_expr *expr)
3413 ++static void nft_objref_deactivate(const struct nft_ctx *ctx,
3414 ++ const struct nft_expr *expr,
3415 ++ enum nft_trans_phase phase)
3416 + {
3417 + struct nft_object *obj = nft_objref_priv(expr);
3418 +
3419 ++ if (phase == NFT_TRANS_COMMIT)
3420 ++ return;
3421 ++
3422 + obj->use--;
3423 + }
3424 +
3425 ++static void nft_objref_activate(const struct nft_ctx *ctx,
3426 ++ const struct nft_expr *expr)
3427 ++{
3428 ++ struct nft_object *obj = nft_objref_priv(expr);
3429 ++
3430 ++ obj->use++;
3431 ++}
3432 ++
3433 + static struct nft_expr_type nft_objref_type;
3434 + static const struct nft_expr_ops nft_objref_ops = {
3435 + .type = &nft_objref_type,
3436 + .size = NFT_EXPR_SIZE(sizeof(struct nft_object *)),
3437 + .eval = nft_objref_eval,
3438 + .init = nft_objref_init,
3439 +- .destroy = nft_objref_destroy,
3440 ++ .activate = nft_objref_activate,
3441 ++ .deactivate = nft_objref_deactivate,
3442 + .dump = nft_objref_dump,
3443 + };
3444 +
3445 +@@ -155,12 +168,29 @@ nla_put_failure:
3446 + return -1;
3447 + }
3448 +
3449 ++static void nft_objref_map_deactivate(const struct nft_ctx *ctx,
3450 ++ const struct nft_expr *expr,
3451 ++ enum nft_trans_phase phase)
3452 ++{
3453 ++ struct nft_objref_map *priv = nft_expr_priv(expr);
3454 ++
3455 ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
3456 ++}
3457 ++
3458 ++static void nft_objref_map_activate(const struct nft_ctx *ctx,
3459 ++ const struct nft_expr *expr)
3460 ++{
3461 ++ struct nft_objref_map *priv = nft_expr_priv(expr);
3462 ++
3463 ++ priv->set->use++;
3464 ++}
3465 ++
3466 + static void nft_objref_map_destroy(const struct nft_ctx *ctx,
3467 + const struct nft_expr *expr)
3468 + {
3469 + struct nft_objref_map *priv = nft_expr_priv(expr);
3470 +
3471 +- nf_tables_unbind_set(ctx, priv->set, &priv->binding);
3472 ++ nf_tables_destroy_set(ctx, priv->set);
3473 + }
3474 +
3475 + static struct nft_expr_type nft_objref_type;
3476 +@@ -169,6 +199,8 @@ static const struct nft_expr_ops nft_objref_map_ops = {
3477 + .size = NFT_EXPR_SIZE(sizeof(struct nft_objref_map)),
3478 + .eval = nft_objref_map_eval,
3479 + .init = nft_objref_map_init,
3480 ++ .activate = nft_objref_map_activate,
3481 ++ .deactivate = nft_objref_map_deactivate,
3482 + .destroy = nft_objref_map_destroy,
3483 + .dump = nft_objref_map_dump,
3484 + };
3485 +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
3486 +index 1d3144d19903..71ffd1a6dc7c 100644
3487 +--- a/net/netrom/af_netrom.c
3488 ++++ b/net/netrom/af_netrom.c
3489 +@@ -1392,18 +1392,22 @@ static int __init nr_proto_init(void)
3490 + int i;
3491 + int rc = proto_register(&nr_proto, 0);
3492 +
3493 +- if (rc != 0)
3494 +- goto out;
3495 ++ if (rc)
3496 ++ return rc;
3497 +
3498 + if (nr_ndevs > 0x7fffffff/sizeof(struct net_device *)) {
3499 +- printk(KERN_ERR "NET/ROM: nr_proto_init - nr_ndevs parameter to large\n");
3500 +- return -1;
3501 ++ pr_err("NET/ROM: %s - nr_ndevs parameter too large\n",
3502 ++ __func__);
3503 ++ rc = -EINVAL;
3504 ++ goto unregister_proto;
3505 + }
3506 +
3507 + dev_nr = kcalloc(nr_ndevs, sizeof(struct net_device *), GFP_KERNEL);
3508 +- if (dev_nr == NULL) {
3509 +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device array\n");
3510 +- return -1;
3511 ++ if (!dev_nr) {
3512 ++ pr_err("NET/ROM: %s - unable to allocate device array\n",
3513 ++ __func__);
3514 ++ rc = -ENOMEM;
3515 ++ goto unregister_proto;
3516 + }
3517 +
3518 + for (i = 0; i < nr_ndevs; i++) {
3519 +@@ -1413,13 +1417,13 @@ static int __init nr_proto_init(void)
3520 + sprintf(name, "nr%d", i);
3521 + dev = alloc_netdev(0, name, NET_NAME_UNKNOWN, nr_setup);
3522 + if (!dev) {
3523 +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device structure\n");
3524 ++ rc = -ENOMEM;
3525 + goto fail;
3526 + }
3527 +
3528 + dev->base_addr = i;
3529 +- if (register_netdev(dev)) {
3530 +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register network device\n");
3531 ++ rc = register_netdev(dev);
3532 ++ if (rc) {
3533 + free_netdev(dev);
3534 + goto fail;
3535 + }
3536 +@@ -1427,36 +1431,64 @@ static int __init nr_proto_init(void)
3537 + dev_nr[i] = dev;
3538 + }
3539 +
3540 +- if (sock_register(&nr_family_ops)) {
3541 +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register socket family\n");
3542 ++ rc = sock_register(&nr_family_ops);
3543 ++ if (rc)
3544 + goto fail;
3545 +- }
3546 +
3547 +- register_netdevice_notifier(&nr_dev_notifier);
3548 ++ rc = register_netdevice_notifier(&nr_dev_notifier);
3549 ++ if (rc)
3550 ++ goto out_sock;
3551 +
3552 + ax25_register_pid(&nr_pid);
3553 + ax25_linkfail_register(&nr_linkfail_notifier);
3554 +
3555 + #ifdef CONFIG_SYSCTL
3556 +- nr_register_sysctl();
3557 ++ rc = nr_register_sysctl();
3558 ++ if (rc)
3559 ++ goto out_sysctl;
3560 + #endif
3561 +
3562 + nr_loopback_init();
3563 +
3564 +- proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops);
3565 +- proc_create_seq("nr_neigh", 0444, init_net.proc_net, &nr_neigh_seqops);
3566 +- proc_create_seq("nr_nodes", 0444, init_net.proc_net, &nr_node_seqops);
3567 +-out:
3568 +- return rc;
3569 ++ rc = -ENOMEM;
3570 ++ if (!proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops))
3571 ++ goto proc_remove1;
3572 ++ if (!proc_create_seq("nr_neigh", 0444, init_net.proc_net,
3573 ++ &nr_neigh_seqops))
3574 ++ goto proc_remove2;
3575 ++ if (!proc_create_seq("nr_nodes", 0444, init_net.proc_net,
3576 ++ &nr_node_seqops))
3577 ++ goto proc_remove3;
3578 ++
3579 ++ return 0;
3580 ++
3581 ++proc_remove3:
3582 ++ remove_proc_entry("nr_neigh", init_net.proc_net);
3583 ++proc_remove2:
3584 ++ remove_proc_entry("nr", init_net.proc_net);
3585 ++proc_remove1:
3586 ++
3587 ++ nr_loopback_clear();
3588 ++ nr_rt_free();
3589 ++
3590 ++#ifdef CONFIG_SYSCTL
3591 ++ nr_unregister_sysctl();
3592 ++out_sysctl:
3593 ++#endif
3594 ++ ax25_linkfail_release(&nr_linkfail_notifier);
3595 ++ ax25_protocol_release(AX25_P_NETROM);
3596 ++ unregister_netdevice_notifier(&nr_dev_notifier);
3597 ++out_sock:
3598 ++ sock_unregister(PF_NETROM);
3599 + fail:
3600 + while (--i >= 0) {
3601 + unregister_netdev(dev_nr[i]);
3602 + free_netdev(dev_nr[i]);
3603 + }
3604 + kfree(dev_nr);
3605 ++unregister_proto:
3606 + proto_unregister(&nr_proto);
3607 +- rc = -1;
3608 +- goto out;
3609 ++ return rc;
3610 + }
3611 +
3612 + module_init(nr_proto_init);
3613 +diff --git a/net/netrom/nr_loopback.c b/net/netrom/nr_loopback.c
3614 +index 215ad22a9647..93d13f019981 100644
3615 +--- a/net/netrom/nr_loopback.c
3616 ++++ b/net/netrom/nr_loopback.c
3617 +@@ -70,7 +70,7 @@ static void nr_loopback_timer(struct timer_list *unused)
3618 + }
3619 + }
3620 +
3621 +-void __exit nr_loopback_clear(void)
3622 ++void nr_loopback_clear(void)
3623 + {
3624 + del_timer_sync(&loopback_timer);
3625 + skb_queue_purge(&loopback_queue);
3626 +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
3627 +index 6485f593e2f0..b76aa668a94b 100644
3628 +--- a/net/netrom/nr_route.c
3629 ++++ b/net/netrom/nr_route.c
3630 +@@ -953,7 +953,7 @@ const struct seq_operations nr_neigh_seqops = {
3631 + /*
3632 + * Free all memory associated with the nodes and routes lists.
3633 + */
3634 +-void __exit nr_rt_free(void)
3635 ++void nr_rt_free(void)
3636 + {
3637 + struct nr_neigh *s = NULL;
3638 + struct nr_node *t = NULL;
3639 +diff --git a/net/netrom/sysctl_net_netrom.c b/net/netrom/sysctl_net_netrom.c
3640 +index ba1c368b3f18..771011b84270 100644
3641 +--- a/net/netrom/sysctl_net_netrom.c
3642 ++++ b/net/netrom/sysctl_net_netrom.c
3643 +@@ -146,9 +146,12 @@ static struct ctl_table nr_table[] = {
3644 + { }
3645 + };
3646 +
3647 +-void __init nr_register_sysctl(void)
3648 ++int __init nr_register_sysctl(void)
3649 + {
3650 + nr_table_header = register_net_sysctl(&init_net, "net/netrom", nr_table);
3651 ++ if (!nr_table_header)
3652 ++ return -ENOMEM;
3653 ++ return 0;
3654 + }
3655 +
3656 + void nr_unregister_sysctl(void)
3657 +diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
3658 +index 65387e1e6964..cd7e01ea8144 100644
3659 +--- a/net/rds/af_rds.c
3660 ++++ b/net/rds/af_rds.c
3661 +@@ -506,6 +506,9 @@ static int rds_connect(struct socket *sock, struct sockaddr *uaddr,
3662 + struct rds_sock *rs = rds_sk_to_rs(sk);
3663 + int ret = 0;
3664 +
3665 ++ if (addr_len < offsetofend(struct sockaddr, sa_family))
3666 ++ return -EINVAL;
3667 ++
3668 + lock_sock(sk);
3669 +
3670 + switch (uaddr->sa_family) {
3671 +diff --git a/net/rds/bind.c b/net/rds/bind.c
3672 +index 17c9d9f0c848..0f4398e7f2a7 100644
3673 +--- a/net/rds/bind.c
3674 ++++ b/net/rds/bind.c
3675 +@@ -173,6 +173,8 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
3676 + /* We allow an RDS socket to be bound to either IPv4 or IPv6
3677 + * address.
3678 + */
3679 ++ if (addr_len < offsetofend(struct sockaddr, sa_family))
3680 ++ return -EINVAL;
3681 + if (uaddr->sa_family == AF_INET) {
3682 + struct sockaddr_in *sin = (struct sockaddr_in *)uaddr;
3683 +
3684 +diff --git a/net/rds/ib_fmr.c b/net/rds/ib_fmr.c
3685 +index e0f70c4051b6..01e764f8f224 100644
3686 +--- a/net/rds/ib_fmr.c
3687 ++++ b/net/rds/ib_fmr.c
3688 +@@ -44,6 +44,17 @@ struct rds_ib_mr *rds_ib_alloc_fmr(struct rds_ib_device *rds_ibdev, int npages)
3689 + else
3690 + pool = rds_ibdev->mr_1m_pool;
3691 +
3692 ++ if (atomic_read(&pool->dirty_count) >= pool->max_items / 10)
3693 ++ queue_delayed_work(rds_ib_mr_wq, &pool->flush_worker, 10);
3694 ++
3695 ++ /* Switch pools if one of the pool is reaching upper limit */
3696 ++ if (atomic_read(&pool->dirty_count) >= pool->max_items * 9 / 10) {
3697 ++ if (pool->pool_type == RDS_IB_MR_8K_POOL)
3698 ++ pool = rds_ibdev->mr_1m_pool;
3699 ++ else
3700 ++ pool = rds_ibdev->mr_8k_pool;
3701 ++ }
3702 ++
3703 + ibmr = rds_ib_try_reuse_ibmr(pool);
3704 + if (ibmr)
3705 + return ibmr;
3706 +diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
3707 +index 63c8d107adcf..d664e9ade74d 100644
3708 +--- a/net/rds/ib_rdma.c
3709 ++++ b/net/rds/ib_rdma.c
3710 +@@ -454,9 +454,6 @@ struct rds_ib_mr *rds_ib_try_reuse_ibmr(struct rds_ib_mr_pool *pool)
3711 + struct rds_ib_mr *ibmr = NULL;
3712 + int iter = 0;
3713 +
3714 +- if (atomic_read(&pool->dirty_count) >= pool->max_items_soft / 10)
3715 +- queue_delayed_work(rds_ib_mr_wq, &pool->flush_worker, 10);
3716 +-
3717 + while (1) {
3718 + ibmr = rds_ib_reuse_mr(pool);
3719 + if (ibmr)
3720 +diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
3721 +index 7af4f99c4a93..094a6621f8e8 100644
3722 +--- a/net/rose/rose_loopback.c
3723 ++++ b/net/rose/rose_loopback.c
3724 +@@ -16,6 +16,7 @@
3725 + #include <linux/init.h>
3726 +
3727 + static struct sk_buff_head loopback_queue;
3728 ++#define ROSE_LOOPBACK_LIMIT 1000
3729 + static struct timer_list loopback_timer;
3730 +
3731 + static void rose_set_loopback_timer(void);
3732 +@@ -35,29 +36,27 @@ static int rose_loopback_running(void)
3733 +
3734 + int rose_loopback_queue(struct sk_buff *skb, struct rose_neigh *neigh)
3735 + {
3736 +- struct sk_buff *skbn;
3737 ++ struct sk_buff *skbn = NULL;
3738 +
3739 +- skbn = skb_clone(skb, GFP_ATOMIC);
3740 ++ if (skb_queue_len(&loopback_queue) < ROSE_LOOPBACK_LIMIT)
3741 ++ skbn = skb_clone(skb, GFP_ATOMIC);
3742 +
3743 +- kfree_skb(skb);
3744 +-
3745 +- if (skbn != NULL) {
3746 ++ if (skbn) {
3747 ++ consume_skb(skb);
3748 + skb_queue_tail(&loopback_queue, skbn);
3749 +
3750 + if (!rose_loopback_running())
3751 + rose_set_loopback_timer();
3752 ++ } else {
3753 ++ kfree_skb(skb);
3754 + }
3755 +
3756 + return 1;
3757 + }
3758 +
3759 +-
3760 + static void rose_set_loopback_timer(void)
3761 + {
3762 +- del_timer(&loopback_timer);
3763 +-
3764 +- loopback_timer.expires = jiffies + 10;
3765 +- add_timer(&loopback_timer);
3766 ++ mod_timer(&loopback_timer, jiffies + 10);
3767 + }
3768 +
3769 + static void rose_loopback_timer(struct timer_list *unused)
3770 +@@ -68,8 +67,12 @@ static void rose_loopback_timer(struct timer_list *unused)
3771 + struct sock *sk;
3772 + unsigned short frametype;
3773 + unsigned int lci_i, lci_o;
3774 ++ int count;
3775 +
3776 +- while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
3777 ++ for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) {
3778 ++ skb = skb_dequeue(&loopback_queue);
3779 ++ if (!skb)
3780 ++ return;
3781 + if (skb->len < ROSE_MIN_LEN) {
3782 + kfree_skb(skb);
3783 + continue;
3784 +@@ -106,6 +109,8 @@ static void rose_loopback_timer(struct timer_list *unused)
3785 + kfree_skb(skb);
3786 + }
3787 + }
3788 ++ if (!skb_queue_empty(&loopback_queue))
3789 ++ mod_timer(&loopback_timer, jiffies + 1);
3790 + }
3791 +
3792 + void __exit rose_loopback_clear(void)
3793 +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
3794 +index 570b49d2da42..d591f54cb91f 100644
3795 +--- a/net/rxrpc/input.c
3796 ++++ b/net/rxrpc/input.c
3797 +@@ -1155,19 +1155,19 @@ int rxrpc_extract_header(struct rxrpc_skb_priv *sp, struct sk_buff *skb)
3798 + * handle data received on the local endpoint
3799 + * - may be called in interrupt context
3800 + *
3801 +- * The socket is locked by the caller and this prevents the socket from being
3802 +- * shut down and the local endpoint from going away, thus sk_user_data will not
3803 +- * be cleared until this function returns.
3804 ++ * [!] Note that as this is called from the encap_rcv hook, the socket is not
3805 ++ * held locked by the caller and nothing prevents sk_user_data on the UDP from
3806 ++ * being cleared in the middle of processing this function.
3807 + *
3808 + * Called with the RCU read lock held from the IP layer via UDP.
3809 + */
3810 + int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb)
3811 + {
3812 ++ struct rxrpc_local *local = rcu_dereference_sk_user_data(udp_sk);
3813 + struct rxrpc_connection *conn;
3814 + struct rxrpc_channel *chan;
3815 + struct rxrpc_call *call = NULL;
3816 + struct rxrpc_skb_priv *sp;
3817 +- struct rxrpc_local *local = udp_sk->sk_user_data;
3818 + struct rxrpc_peer *peer = NULL;
3819 + struct rxrpc_sock *rx = NULL;
3820 + unsigned int channel;
3821 +@@ -1175,6 +1175,10 @@ int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb)
3822 +
3823 + _enter("%p", udp_sk);
3824 +
3825 ++ if (unlikely(!local)) {
3826 ++ kfree_skb(skb);
3827 ++ return 0;
3828 ++ }
3829 + if (skb->tstamp == 0)
3830 + skb->tstamp = ktime_get_real();
3831 +
3832 +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
3833 +index 0906e51d3cfb..10317dbdab5f 100644
3834 +--- a/net/rxrpc/local_object.c
3835 ++++ b/net/rxrpc/local_object.c
3836 +@@ -304,7 +304,8 @@ nomem:
3837 + ret = -ENOMEM;
3838 + sock_error:
3839 + mutex_unlock(&rxnet->local_mutex);
3840 +- kfree(local);
3841 ++ if (local)
3842 ++ call_rcu(&local->rcu, rxrpc_local_rcu);
3843 + _leave(" = %d", ret);
3844 + return ERR_PTR(ret);
3845 +
3846 +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
3847 +index b6e8eccf2a52..214440c5b14e 100644
3848 +--- a/net/sunrpc/cache.c
3849 ++++ b/net/sunrpc/cache.c
3850 +@@ -54,6 +54,7 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail)
3851 + h->last_refresh = now;
3852 + }
3853 +
3854 ++static inline int cache_is_valid(struct cache_head *h);
3855 + static void cache_fresh_locked(struct cache_head *head, time_t expiry,
3856 + struct cache_detail *detail);
3857 + static void cache_fresh_unlocked(struct cache_head *head,
3858 +@@ -100,6 +101,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
3859 + if (cache_is_expired(detail, tmp)) {
3860 + hlist_del_init(&tmp->cache_list);
3861 + detail->entries --;
3862 ++ if (cache_is_valid(tmp) == -EAGAIN)
3863 ++ set_bit(CACHE_NEGATIVE, &tmp->flags);
3864 + cache_fresh_locked(tmp, 0, detail);
3865 + freeme = tmp;
3866 + break;
3867 +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
3868 +index 0b21187d74df..588d5aa14c41 100644
3869 +--- a/net/tipc/netlink_compat.c
3870 ++++ b/net/tipc/netlink_compat.c
3871 +@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
3872 + if (msg->rep_type)
3873 + tipc_tlv_init(msg->rep, msg->rep_type);
3874 +
3875 +- if (cmd->header)
3876 +- (*cmd->header)(msg);
3877 ++ if (cmd->header) {
3878 ++ err = (*cmd->header)(msg);
3879 ++ if (err) {
3880 ++ kfree_skb(msg->rep);
3881 ++ msg->rep = NULL;
3882 ++ return err;
3883 ++ }
3884 ++ }
3885 +
3886 + arg = nlmsg_new(0, GFP_KERNEL);
3887 + if (!arg) {
3888 +@@ -397,7 +403,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
3889 + if (!bearer)
3890 + return -EMSGSIZE;
3891 +
3892 +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
3893 ++ len = TLV_GET_DATA_LEN(msg->req);
3894 ++ len -= offsetof(struct tipc_bearer_config, name);
3895 ++ if (len <= 0)
3896 ++ return -EINVAL;
3897 ++
3898 ++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
3899 + if (!string_is_valid(b->name, len))
3900 + return -EINVAL;
3901 +
3902 +@@ -766,7 +777,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,
3903 +
3904 + lc = (struct tipc_link_config *)TLV_DATA(msg->req);
3905 +
3906 +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
3907 ++ len = TLV_GET_DATA_LEN(msg->req);
3908 ++ len -= offsetof(struct tipc_link_config, name);
3909 ++ if (len <= 0)
3910 ++ return -EINVAL;
3911 ++
3912 ++ len = min_t(int, len, TIPC_MAX_LINK_NAME);
3913 + if (!string_is_valid(lc->name, len))
3914 + return -EINVAL;
3915 +
3916 +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
3917 +index 961b07d4d41c..c9588b682db4 100644
3918 +--- a/net/tls/tls_device.c
3919 ++++ b/net/tls/tls_device.c
3920 +@@ -874,7 +874,9 @@ int tls_set_device_offload_rx(struct sock *sk, struct tls_context *ctx)
3921 + goto release_netdev;
3922 +
3923 + free_sw_resources:
3924 ++ up_read(&device_offload_lock);
3925 + tls_sw_free_resources_rx(sk);
3926 ++ down_read(&device_offload_lock);
3927 + release_ctx:
3928 + ctx->priv_ctx_rx = NULL;
3929 + release_netdev:
3930 +@@ -909,8 +911,6 @@ void tls_device_offload_cleanup_rx(struct sock *sk)
3931 + }
3932 + out:
3933 + up_read(&device_offload_lock);
3934 +- kfree(tls_ctx->rx.rec_seq);
3935 +- kfree(tls_ctx->rx.iv);
3936 + tls_sw_release_resources_rx(sk);
3937 + }
3938 +
3939 +diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c
3940 +index 450a6dbc5a88..ef8934fd8698 100644
3941 +--- a/net/tls/tls_device_fallback.c
3942 ++++ b/net/tls/tls_device_fallback.c
3943 +@@ -193,6 +193,9 @@ static void update_chksum(struct sk_buff *skb, int headln)
3944 +
3945 + static void complete_skb(struct sk_buff *nskb, struct sk_buff *skb, int headln)
3946 + {
3947 ++ struct sock *sk = skb->sk;
3948 ++ int delta;
3949 ++
3950 + skb_copy_header(nskb, skb);
3951 +
3952 + skb_put(nskb, skb->len);
3953 +@@ -200,11 +203,15 @@ static void complete_skb(struct sk_buff *nskb, struct sk_buff *skb, int headln)
3954 + update_chksum(nskb, headln);
3955 +
3956 + nskb->destructor = skb->destructor;
3957 +- nskb->sk = skb->sk;
3958 ++ nskb->sk = sk;
3959 + skb->destructor = NULL;
3960 + skb->sk = NULL;
3961 +- refcount_add(nskb->truesize - skb->truesize,
3962 +- &nskb->sk->sk_wmem_alloc);
3963 ++
3964 ++ delta = nskb->truesize - skb->truesize;
3965 ++ if (likely(delta < 0))
3966 ++ WARN_ON_ONCE(refcount_sub_and_test(-delta, &sk->sk_wmem_alloc));
3967 ++ else if (delta)
3968 ++ refcount_add(delta, &sk->sk_wmem_alloc);
3969 + }
3970 +
3971 + /* This function may be called after the user socket is already
3972 +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
3973 +index a091c03abcb2..25b3fb585777 100644
3974 +--- a/net/tls/tls_main.c
3975 ++++ b/net/tls/tls_main.c
3976 +@@ -290,11 +290,8 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
3977 + tls_sw_free_resources_tx(sk);
3978 + }
3979 +
3980 +- if (ctx->rx_conf == TLS_SW) {
3981 +- kfree(ctx->rx.rec_seq);
3982 +- kfree(ctx->rx.iv);
3983 ++ if (ctx->rx_conf == TLS_SW)
3984 + tls_sw_free_resources_rx(sk);
3985 +- }
3986 +
3987 + #ifdef CONFIG_TLS_DEVICE
3988 + if (ctx->rx_conf == TLS_HW)
3989 +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
3990 +index b9c6ecfbcfea..6848a8196711 100644
3991 +--- a/net/tls/tls_sw.c
3992 ++++ b/net/tls/tls_sw.c
3993 +@@ -1118,6 +1118,9 @@ void tls_sw_release_resources_rx(struct sock *sk)
3994 + struct tls_context *tls_ctx = tls_get_ctx(sk);
3995 + struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
3996 +
3997 ++ kfree(tls_ctx->rx.rec_seq);
3998 ++ kfree(tls_ctx->rx.iv);
3999 ++
4000 + if (ctx->aead_recv) {
4001 + kfree_skb(ctx->recv_pkt);
4002 + ctx->recv_pkt = NULL;
4003 +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
4004 +index 3ae3a33da70b..602715fc9a75 100644
4005 +--- a/net/vmw_vsock/virtio_transport_common.c
4006 ++++ b/net/vmw_vsock/virtio_transport_common.c
4007 +@@ -662,6 +662,8 @@ static int virtio_transport_reset(struct vsock_sock *vsk,
4008 + */
4009 + static int virtio_transport_reset_no_sock(struct virtio_vsock_pkt *pkt)
4010 + {
4011 ++ const struct virtio_transport *t;
4012 ++ struct virtio_vsock_pkt *reply;
4013 + struct virtio_vsock_pkt_info info = {
4014 + .op = VIRTIO_VSOCK_OP_RST,
4015 + .type = le16_to_cpu(pkt->hdr.type),
4016 +@@ -672,15 +674,21 @@ static int virtio_transport_reset_no_sock(struct virtio_vsock_pkt *pkt)
4017 + if (le16_to_cpu(pkt->hdr.op) == VIRTIO_VSOCK_OP_RST)
4018 + return 0;
4019 +
4020 +- pkt = virtio_transport_alloc_pkt(&info, 0,
4021 +- le64_to_cpu(pkt->hdr.dst_cid),
4022 +- le32_to_cpu(pkt->hdr.dst_port),
4023 +- le64_to_cpu(pkt->hdr.src_cid),
4024 +- le32_to_cpu(pkt->hdr.src_port));
4025 +- if (!pkt)
4026 ++ reply = virtio_transport_alloc_pkt(&info, 0,
4027 ++ le64_to_cpu(pkt->hdr.dst_cid),
4028 ++ le32_to_cpu(pkt->hdr.dst_port),
4029 ++ le64_to_cpu(pkt->hdr.src_cid),
4030 ++ le32_to_cpu(pkt->hdr.src_port));
4031 ++ if (!reply)
4032 + return -ENOMEM;
4033 +
4034 +- return virtio_transport_get_ops()->send_pkt(pkt);
4035 ++ t = virtio_transport_get_ops();
4036 ++ if (!t) {
4037 ++ virtio_transport_free_pkt(reply);
4038 ++ return -ENOTCONN;
4039 ++ }
4040 ++
4041 ++ return t->send_pkt(reply);
4042 + }
4043 +
4044 + static void virtio_transport_wait_close(struct sock *sk, long timeout)
4045 +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
4046 +index 80f73810b21b..0436789e7cd8 100644
4047 +--- a/sound/pci/hda/patch_ca0132.c
4048 ++++ b/sound/pci/hda/patch_ca0132.c
4049 +@@ -7394,8 +7394,10 @@ static void ca0132_free(struct hda_codec *codec)
4050 + ca0132_exit_chip(codec);
4051 +
4052 + snd_hda_power_down(codec);
4053 +- if (IS_ENABLED(CONFIG_PCI) && spec->mem_base)
4054 ++#ifdef CONFIG_PCI
4055 ++ if (spec->mem_base)
4056 + pci_iounmap(codec->bus->pci, spec->mem_base);
4057 ++#endif
4058 + kfree(spec->spec_init_verbs);
4059 + kfree(codec->spec);
4060 + }
Report Message
Find on MARC Find on Google Groups