
From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.4 commit in: /
Date: Wed, 09 Sep 2020 18:00:45
Message-Id: 1599674429.cd545d73e2a8cc8e16787fe182c06b6a4f40ead8.mpagano@gentoo
1 commit: cd545d73e2a8cc8e16787fe182c06b6a4f40ead8
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Sep 9 18:00:29 2020 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Sep 9 18:00:29 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=cd545d73
7
8 Linux patch 5.4.64
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1063_linux-5.4.64.patch | 4987 +++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 4991 insertions(+)
15
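--- a/0000_README
+++ b/0000_README
@@ -295,6 +295,10 @@ Patch: 1062_linux-5.4.63.patch
 From: http://www.kernel.org
 Desc: Linux 5.4.63
 
+Patch: 1063_linux-5.4.64.patch
+From: http://www.kernel.org
+Desc: Linux 5.4.64
+
 Patch: 1500_XATTR_USER_PREFIX.patch
 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc: Support for namespace user.pax.* on tmpfs.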
32 diff --git a/1063_linux-5.4.64.patch b/1063_linux-5.4.64.patch
33 new file mode 100644
34 index 0000000..92e487b
35 --- /dev/null
36 +++ b/1063_linux-5.4.64.patch
37 @@ -0,0 +1,4987 @@
38 +diff --git a/Documentation/devicetree/bindings/mmc/mtk-sd.txt b/Documentation/devicetree/bindings/mmc/mtk-sd.txt
39 +index 8a532f4453f26..09aecec47003a 100644
40 +--- a/Documentation/devicetree/bindings/mmc/mtk-sd.txt
41 ++++ b/Documentation/devicetree/bindings/mmc/mtk-sd.txt
42 +@@ -49,6 +49,8 @@ Optional properties:
43 + error caused by stop clock(fifo full)
44 + Valid range = [0:0x7]. if not present, default value is 0.
45 + applied to compatible "mediatek,mt2701-mmc".
46 ++- resets: Phandle and reset specifier pair to softreset line of MSDC IP.
47 ++- reset-names: Should be "hrst".
48 +
49 + Examples:
50 + mmc0: mmc@11230000 {
51 +diff --git a/Documentation/filesystems/affs.txt b/Documentation/filesystems/affs.txt
52 +index 71b63c2b98410..a8f1a58e36922 100644
53 +--- a/Documentation/filesystems/affs.txt
54 ++++ b/Documentation/filesystems/affs.txt
55 +@@ -93,13 +93,15 @@ The Amiga protection flags RWEDRWEDHSPARWED are handled as follows:
56 +
57 + - R maps to r for user, group and others. On directories, R implies x.
58 +
59 +- - If both W and D are allowed, w will be set.
60 ++ - W maps to w.
61 +
62 + - E maps to x.
63 +
64 +- - H and P are always retained and ignored under Linux.
65 ++ - D is ignored.
66 +
67 +- - A is always reset when a file is written to.
68 ++ - H, S and P are always retained and ignored under Linux.
69 ++
70 ++ - A is cleared when a file is written to.
71 +
72 + User id and group id will be used unless set[gu]id are given as mount
73 + options. Since most of the Amiga file systems are single user systems
74 +@@ -111,11 +113,13 @@ Linux -> Amiga:
75 +
76 + The Linux rwxrwxrwx file mode is handled as follows:
77 +
78 +- - r permission will set R for user, group and others.
79 ++ - r permission will allow R for user, group and others.
80 ++
81 ++ - w permission will allow W for user, group and others.
82 +
83 +- - w permission will set W and D for user, group and others.
84 ++ - x permission of the user will allow E for plain files.
85 +
86 +- - x permission of the user will set E for plain files.
87 ++ - D will be allowed for user, group and others.
88 +
89 + - All other flags (suid, sgid, ...) are ignored and will
90 + not be retained.
91 +diff --git a/Makefile b/Makefile
92 +index 418814b108ae6..7bdfb21bb9269 100644
93 +--- a/Makefile
94 ++++ b/Makefile
95 +@@ -1,7 +1,7 @@
96 + # SPDX-License-Identifier: GPL-2.0
97 + VERSION = 5
98 + PATCHLEVEL = 4
99 +-SUBLEVEL = 63
100 ++SUBLEVEL = 64
101 + EXTRAVERSION =
102 + NAME = Kleptomaniac Octopus
103 +
104 +diff --git a/arch/arc/kernel/perf_event.c b/arch/arc/kernel/perf_event.c
105 +index 661fd842ea97d..79849f37e782c 100644
106 +--- a/arch/arc/kernel/perf_event.c
107 ++++ b/arch/arc/kernel/perf_event.c
108 +@@ -562,7 +562,7 @@ static int arc_pmu_device_probe(struct platform_device *pdev)
109 + {
110 + struct arc_reg_pct_build pct_bcr;
111 + struct arc_reg_cc_build cc_bcr;
112 +- int i, has_interrupts;
113 ++ int i, has_interrupts, irq;
114 + int counter_size; /* in bits */
115 +
116 + union cc_name {
117 +@@ -637,13 +637,7 @@ static int arc_pmu_device_probe(struct platform_device *pdev)
118 + .attr_groups = arc_pmu->attr_groups,
119 + };
120 +
121 +- if (has_interrupts) {
122 +- int irq = platform_get_irq(pdev, 0);
123 +-
124 +- if (irq < 0) {
125 +- pr_err("Cannot get IRQ number for the platform\n");
126 +- return -ENODEV;
127 +- }
128 ++ if (has_interrupts && (irq = platform_get_irq(pdev, 0) >= 0)) {
129 +
130 + arc_pmu->irq = irq;
131 +
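Review bot: The new condition `(irq = platform_get_irq(pdev, 0) >= 0)` parses as `irq = (platform_get_irq(pdev, 0) >= 0)`, because `>=` binds tighter than `=`. On success `irq` therefore holds 1 rather than the IRQ number, and that value is stored in `arc_pmu->irq` here and passed by address to `arc_cpu_pmu_irq_init` in the next hunk. A failed lookup still falls through to the no-interrupt branch, so only the success path is wrong. Move the closing parenthesis: `if (has_interrupts && (irq = platform_get_irq(pdev, 0)) >= 0) {`. The body of arc_pmu_device_probe() continues outside this hunk.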
132 +@@ -652,9 +646,9 @@ static int arc_pmu_device_probe(struct platform_device *pdev)
133 + this_cpu_ptr(&arc_pmu_cpu));
134 +
135 + on_each_cpu(arc_cpu_pmu_irq_init, &irq, 1);
136 +-
137 +- } else
138 ++ } else {
139 + arc_pmu->pmu.capabilities |= PERF_PMU_CAP_NO_INTERRUPT;
140 ++ }
141 +
142 + /*
143 + * perf parser doesn't really like '-' symbol in events name, so let's
144 +diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi
145 +index dac51e98204c0..7cd8c3f52b471 100644
146 +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi
147 ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi
148 +@@ -686,6 +686,8 @@
149 + clocks = <&pericfg CLK_PERI_MSDC30_0_PD>,
150 + <&topckgen CLK_TOP_MSDC50_0_SEL>;
151 + clock-names = "source", "hclk";
152 ++ resets = <&pericfg MT7622_PERI_MSDC0_SW_RST>;
153 ++ reset-names = "hrst";
154 + status = "disabled";
155 + };
156 +
157 +diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c
158 +index 712c15de6ab9f..6b304acf506fe 100644
159 +--- a/arch/mips/kernel/smp-bmips.c
160 ++++ b/arch/mips/kernel/smp-bmips.c
161 +@@ -241,6 +241,8 @@ static int bmips_boot_secondary(int cpu, struct task_struct *idle)
162 + */
163 + static void bmips_init_secondary(void)
164 + {
165 ++ bmips_cpu_setup();
166 ++
167 + switch (current_cpu_type()) {
168 + case CPU_BMIPS4350:
169 + case CPU_BMIPS4380:
170 +diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
171 +index 6a25364600266..8282d0feb0b21 100644
172 +--- a/arch/mips/kernel/traps.c
173 ++++ b/arch/mips/kernel/traps.c
174 +@@ -1240,6 +1240,18 @@ static int enable_restore_fp_context(int msa)
175 + err = own_fpu_inatomic(1);
176 + if (msa && !err) {
177 + enable_msa();
178 ++ /*
179 ++ * with MSA enabled, userspace can see MSACSR
180 ++ * and MSA regs, but the values in them are from
181 ++ * other task before current task, restore them
182 ++ * from saved fp/msa context
183 ++ */
184 ++ write_msa_csr(current->thread.fpu.msacsr);
185 ++ /*
186 ++ * own_fpu_inatomic(1) just restore low 64bit,
187 ++ * fix the high 64bit
188 ++ */
189 ++ init_msa_upper();
190 + set_thread_flag(TIF_USEDMSA);
191 + set_thread_flag(TIF_MSA_CTX_LIVE);
192 + }
193 +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
194 +index 89b9c851d8227..c4785a456dedc 100644
195 +--- a/arch/mips/mm/c-r4k.c
196 ++++ b/arch/mips/mm/c-r4k.c
197 +@@ -1676,7 +1676,11 @@ static void setup_scache(void)
198 + printk("MIPS secondary cache %ldkB, %s, linesize %d bytes.\n",
199 + scache_size >> 10,
200 + way_string[c->scache.ways], c->scache.linesz);
201 ++
202 ++ if (current_cpu_type() == CPU_BMIPS5000)
203 ++ c->options |= MIPS_CPU_INCLUSIVE_CACHES;
204 + }
205 ++
206 + #else
207 + if (!(c->scache.flags & MIPS_CACHE_NOT_PRESENT))
208 + panic("Dunno how to handle MIPS32 / MIPS64 second level cache");
209 +diff --git a/arch/s390/include/asm/percpu.h b/arch/s390/include/asm/percpu.h
210 +index 50b4ce8cddfdc..918f0ba4f4d20 100644
211 +--- a/arch/s390/include/asm/percpu.h
212 ++++ b/arch/s390/include/asm/percpu.h
213 +@@ -29,7 +29,7 @@
214 + typedef typeof(pcp) pcp_op_T__; \
215 + pcp_op_T__ old__, new__, prev__; \
216 + pcp_op_T__ *ptr__; \
217 +- preempt_disable(); \
218 ++ preempt_disable_notrace(); \
219 + ptr__ = raw_cpu_ptr(&(pcp)); \
220 + prev__ = *ptr__; \
221 + do { \
222 +@@ -37,7 +37,7 @@
223 + new__ = old__ op (val); \
224 + prev__ = cmpxchg(ptr__, old__, new__); \
225 + } while (prev__ != old__); \
226 +- preempt_enable(); \
227 ++ preempt_enable_notrace(); \
228 + new__; \
229 + })
230 +
231 +@@ -68,7 +68,7 @@
232 + typedef typeof(pcp) pcp_op_T__; \
233 + pcp_op_T__ val__ = (val); \
234 + pcp_op_T__ old__, *ptr__; \
235 +- preempt_disable(); \
236 ++ preempt_disable_notrace(); \
237 + ptr__ = raw_cpu_ptr(&(pcp)); \
238 + if (__builtin_constant_p(val__) && \
239 + ((szcast)val__ > -129) && ((szcast)val__ < 128)) { \
240 +@@ -84,7 +84,7 @@
241 + : [val__] "d" (val__) \
242 + : "cc"); \
243 + } \
244 +- preempt_enable(); \
245 ++ preempt_enable_notrace(); \
246 + }
247 +
248 + #define this_cpu_add_4(pcp, val) arch_this_cpu_add(pcp, val, "laa", "asi", int)
249 +@@ -95,14 +95,14 @@
250 + typedef typeof(pcp) pcp_op_T__; \
251 + pcp_op_T__ val__ = (val); \
252 + pcp_op_T__ old__, *ptr__; \
253 +- preempt_disable(); \
254 ++ preempt_disable_notrace(); \
255 + ptr__ = raw_cpu_ptr(&(pcp)); \
256 + asm volatile( \
257 + op " %[old__],%[val__],%[ptr__]\n" \
258 + : [old__] "=d" (old__), [ptr__] "+Q" (*ptr__) \
259 + : [val__] "d" (val__) \
260 + : "cc"); \
261 +- preempt_enable(); \
262 ++ preempt_enable_notrace(); \
263 + old__ + val__; \
264 + })
265 +
266 +@@ -114,14 +114,14 @@
267 + typedef typeof(pcp) pcp_op_T__; \
268 + pcp_op_T__ val__ = (val); \
269 + pcp_op_T__ old__, *ptr__; \
270 +- preempt_disable(); \
271 ++ preempt_disable_notrace(); \
272 + ptr__ = raw_cpu_ptr(&(pcp)); \
273 + asm volatile( \
274 + op " %[old__],%[val__],%[ptr__]\n" \
275 + : [old__] "=d" (old__), [ptr__] "+Q" (*ptr__) \
276 + : [val__] "d" (val__) \
277 + : "cc"); \
278 +- preempt_enable(); \
279 ++ preempt_enable_notrace(); \
280 + }
281 +
282 + #define this_cpu_and_4(pcp, val) arch_this_cpu_to_op(pcp, val, "lan")
283 +@@ -136,10 +136,10 @@
284 + typedef typeof(pcp) pcp_op_T__; \
285 + pcp_op_T__ ret__; \
286 + pcp_op_T__ *ptr__; \
287 +- preempt_disable(); \
288 ++ preempt_disable_notrace(); \
289 + ptr__ = raw_cpu_ptr(&(pcp)); \
290 + ret__ = cmpxchg(ptr__, oval, nval); \
291 +- preempt_enable(); \
292 ++ preempt_enable_notrace(); \
293 + ret__; \
294 + })
295 +
296 +@@ -152,10 +152,10 @@
297 + ({ \
298 + typeof(pcp) *ptr__; \
299 + typeof(pcp) ret__; \
300 +- preempt_disable(); \
301 ++ preempt_disable_notrace(); \
302 + ptr__ = raw_cpu_ptr(&(pcp)); \
303 + ret__ = xchg(ptr__, nval); \
304 +- preempt_enable(); \
305 ++ preempt_enable_notrace(); \
306 + ret__; \
307 + })
308 +
309 +@@ -171,11 +171,11 @@
310 + typeof(pcp1) *p1__; \
311 + typeof(pcp2) *p2__; \
312 + int ret__; \
313 +- preempt_disable(); \
314 ++ preempt_disable_notrace(); \
315 + p1__ = raw_cpu_ptr(&(pcp1)); \
316 + p2__ = raw_cpu_ptr(&(pcp2)); \
317 + ret__ = __cmpxchg_double(p1__, p2__, o1__, o2__, n1__, n2__); \
318 +- preempt_enable(); \
319 ++ preempt_enable_notrace(); \
320 + ret__; \
321 + })
322 +
323 +diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
324 +index 332eb35258676..902be2e6e96cf 100644
325 +--- a/arch/x86/include/asm/ptrace.h
326 ++++ b/arch/x86/include/asm/ptrace.h
327 +@@ -309,8 +309,8 @@ static inline unsigned long regs_get_kernel_argument(struct pt_regs *regs,
328 + static const unsigned int argument_offs[] = {
329 + #ifdef __i386__
330 + offsetof(struct pt_regs, ax),
331 +- offsetof(struct pt_regs, cx),
332 + offsetof(struct pt_regs, dx),
333 ++ offsetof(struct pt_regs, cx),
334 + #define NR_REG_ARGUMENTS 3
335 + #else
336 + offsetof(struct pt_regs, di),
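Review bot: The reordered i386 entries in `argument_offs[]` have no comment explaining why `dx` now precedes `cx`, so the next reader may "fix" the order back. A one-line comment above the i386 entries would pin it down, for example `/* 32-bit kernel register-argument order: ax, dx, cx */`. The rest of regs_get_kernel_argument() is outside this hunk.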
337 +diff --git a/arch/x86/mm/numa_emulation.c b/arch/x86/mm/numa_emulation.c
338 +index abffa0be80da1..87282258d5bea 100644
339 +--- a/arch/x86/mm/numa_emulation.c
340 ++++ b/arch/x86/mm/numa_emulation.c
341 +@@ -321,7 +321,7 @@ static int __init split_nodes_size_interleave(struct numa_meminfo *ei,
342 + u64 addr, u64 max_addr, u64 size)
343 + {
344 + return split_nodes_size_interleave_uniform(ei, pi, addr, max_addr, size,
345 +- 0, NULL, NUMA_NO_NODE);
346 ++ 0, NULL, 0);
347 + }
348 +
349 + int __init setup_emu2phys_nid(int *dfl_phys_nid)
350 +diff --git a/block/blk-core.c b/block/blk-core.c
351 +index d5e668ec751b5..ca6b677356864 100644
352 +--- a/block/blk-core.c
353 ++++ b/block/blk-core.c
354 +@@ -502,6 +502,7 @@ struct request_queue *blk_alloc_queue_node(gfp_t gfp_mask, int node_id)
355 + goto fail_stats;
356 +
357 + q->backing_dev_info->ra_pages = VM_READAHEAD_PAGES;
358 ++ q->backing_dev_info->io_pages = VM_READAHEAD_PAGES;
359 + q->backing_dev_info->capabilities = BDI_CAP_CGROUP_WRITEBACK;
360 + q->backing_dev_info->name = "block";
361 + q->node = node_id;
362 +diff --git a/block/blk-iocost.c b/block/blk-iocost.c
363 +index dcc6685d5becc..ef287c33d6d97 100644
364 +--- a/block/blk-iocost.c
365 ++++ b/block/blk-iocost.c
366 +@@ -2074,14 +2074,15 @@ static void ioc_pd_free(struct blkg_policy_data *pd)
367 + {
368 + struct ioc_gq *iocg = pd_to_iocg(pd);
369 + struct ioc *ioc = iocg->ioc;
370 ++ unsigned long flags;
371 +
372 + if (ioc) {
373 +- spin_lock(&ioc->lock);
374 ++ spin_lock_irqsave(&ioc->lock, flags);
375 + if (!list_empty(&iocg->active_list)) {
376 + propagate_active_weight(iocg, 0, 0);
377 + list_del_init(&iocg->active_list);
378 + }
379 +- spin_unlock(&ioc->lock);
380 ++ spin_unlock_irqrestore(&ioc->lock, flags);
381 +
382 + hrtimer_cancel(&iocg->waitq_timer);
383 + hrtimer_cancel(&iocg->delay_timer);
384 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
385 +index 35f75c691d7cf..066b37963ad5f 100644
386 +--- a/drivers/ata/libata-core.c
387 ++++ b/drivers/ata/libata-core.c
388 +@@ -4474,9 +4474,8 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
389 + /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */
390 + { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, },
391 +
392 +- /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on
393 +- SD7SN6S256G and SD8SN8U256G */
394 +- { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, },
395 ++ /* Sandisk SD7/8/9s lock up hard on large trims */
396 ++ { "SanDisk SD[789]*", NULL, ATA_HORKAGE_MAX_TRIM_128M, },
397 +
398 + /* devices which puke on READ_NATIVE_MAX */
399 + { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, },
400 +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
401 +index 5596c9b6ebf23..464efedc778b0 100644
402 +--- a/drivers/ata/libata-scsi.c
403 ++++ b/drivers/ata/libata-scsi.c
404 +@@ -2374,6 +2374,7 @@ static unsigned int ata_scsiop_inq_89(struct ata_scsi_args *args, u8 *rbuf)
405 +
406 + static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf)
407 + {
408 ++ struct ata_device *dev = args->dev;
409 + u16 min_io_sectors;
410 +
411 + rbuf[1] = 0xb0;
412 +@@ -2399,7 +2400,12 @@ static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf)
413 + * with the unmap bit set.
414 + */
415 + if (ata_id_has_trim(args->id)) {
416 +- put_unaligned_be64(65535 * ATA_MAX_TRIM_RNUM, &rbuf[36]);
417 ++ u64 max_blocks = 65535 * ATA_MAX_TRIM_RNUM;
418 ++
419 ++ if (dev->horkage & ATA_HORKAGE_MAX_TRIM_128M)
420 ++ max_blocks = 128 << (20 - SECTOR_SHIFT);
421 ++
422 ++ put_unaligned_be64(max_blocks, &rbuf[36]);
423 + put_unaligned_be32(1, &rbuf[28]);
424 + }
425 +
426 +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
427 +index 7b61d53ba050e..7c577cabb9c3b 100644
428 +--- a/drivers/block/nbd.c
429 ++++ b/drivers/block/nbd.c
430 +@@ -1349,6 +1349,8 @@ static void nbd_set_cmd_timeout(struct nbd_device *nbd, u64 timeout)
431 + nbd->tag_set.timeout = timeout * HZ;
432 + if (timeout)
433 + blk_queue_rq_timeout(nbd->disk->queue, timeout * HZ);
434 ++ else
435 ++ blk_queue_rq_timeout(nbd->disk->queue, 30 * HZ);
436 + }
437 +
438 + /* Must be called with config_lock held */
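Review bot: The new else branch in nbd_set_cmd_timeout() hard-codes `30 * HZ` without saying where the value comes from. A short comment would help, e.g. `/* timeout == 0 clears the per-command timeout: put the queue back on a 30 second request timeout */`, and a named constant would stop the literal drifting from whatever default it is meant to mirror. In that case `nbd->tag_set.timeout` is still set to 0 on the line above, so the two values differ; the comment should say whether that is intended.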
439 +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
440 +index 29d2d7a21bd7b..73f08cda21e0e 100644
441 +--- a/drivers/cpuidle/cpuidle.c
442 ++++ b/drivers/cpuidle/cpuidle.c
443 +@@ -148,7 +148,8 @@ static void enter_s2idle_proper(struct cpuidle_driver *drv,
444 + */
445 + stop_critical_timings();
446 + drv->states[index].enter_s2idle(dev, drv, index);
447 +- WARN_ON(!irqs_disabled());
448 ++ if (WARN_ON_ONCE(!irqs_disabled()))
449 ++ local_irq_disable();
450 + /*
451 + * timekeeping_resume() that will be called by tick_unfreeze() for the
452 + * first CPU executing it calls functions containing RCU read-side
453 +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
454 +index 672c73b4a2d4f..ff366c2f58c18 100644
455 +--- a/drivers/dma/at_hdmac.c
456 ++++ b/drivers/dma/at_hdmac.c
457 +@@ -1667,6 +1667,8 @@ static struct dma_chan *at_dma_xlate(struct of_phandle_args *dma_spec,
458 + return NULL;
459 +
460 + dmac_pdev = of_find_device_by_node(dma_spec->np);
461 ++ if (!dmac_pdev)
462 ++ return NULL;
463 +
464 + dma_cap_zero(mask);
465 + dma_cap_set(DMA_SLAVE, mask);
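Review bot: The added NULL check covers a failed lookup, but of_find_device_by_node() returns the device with a reference held and none of the visible lines release it. The remainder of at_dma_xlate() is outside this hunk, so confirm that every later return path, including allocation or channel-request failures, ends with `put_device(&dmac_pdev->dev);`. If any path does not, each failed translation leaks a device reference.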
466 +diff --git a/drivers/dma/dw-edma/dw-edma-core.c b/drivers/dma/dw-edma/dw-edma-core.c
467 +index ff392c01bad1f..7f9a86c3c58ff 100644
468 +--- a/drivers/dma/dw-edma/dw-edma-core.c
469 ++++ b/drivers/dma/dw-edma/dw-edma-core.c
470 +@@ -391,7 +391,7 @@ dw_edma_device_transfer(struct dw_edma_transfer *xfer)
471 + if (xfer->cyclic) {
472 + burst->dar = xfer->xfer.cyclic.paddr;
473 + } else {
474 +- burst->dar = sg_dma_address(sg);
475 ++ burst->dar = dst_addr;
476 + /* Unlike the typical assumption by other
477 + * drivers/IPs the peripheral memory isn't
478 + * a FIFO memory, in this case, it's a
479 +@@ -399,14 +399,13 @@ dw_edma_device_transfer(struct dw_edma_transfer *xfer)
480 + * and destination addresses are increased
481 + * by the same portion (data length)
482 + */
483 +- src_addr += sg_dma_len(sg);
484 + }
485 + } else {
486 + burst->dar = dst_addr;
487 + if (xfer->cyclic) {
488 + burst->sar = xfer->xfer.cyclic.paddr;
489 + } else {
490 +- burst->sar = sg_dma_address(sg);
491 ++ burst->sar = src_addr;
492 + /* Unlike the typical assumption by other
493 + * drivers/IPs the peripheral memory isn't
494 + * a FIFO memory, in this case, it's a
495 +@@ -414,12 +413,14 @@ dw_edma_device_transfer(struct dw_edma_transfer *xfer)
496 + * and destination addresses are increased
497 + * by the same portion (data length)
498 + */
499 +- dst_addr += sg_dma_len(sg);
500 + }
501 + }
502 +
503 +- if (!xfer->cyclic)
504 ++ if (!xfer->cyclic) {
505 ++ src_addr += sg_dma_len(sg);
506 ++ dst_addr += sg_dma_len(sg);
507 + sg = sg_next(sg);
508 ++ }
509 + }
510 +
511 + return vchan_tx_prep(&chan->vc, &desc->vd, xfer->flags);
512 +diff --git a/drivers/dma/fsldma.h b/drivers/dma/fsldma.h
513 +index 56f18ae992332..308bed0a560ac 100644
514 +--- a/drivers/dma/fsldma.h
515 ++++ b/drivers/dma/fsldma.h
516 +@@ -205,10 +205,10 @@ struct fsldma_chan {
517 + #else
518 + static u64 fsl_ioread64(const u64 __iomem *addr)
519 + {
520 +- u32 fsl_addr = lower_32_bits(addr);
521 +- u64 fsl_addr_hi = (u64)in_le32((u32 *)(fsl_addr + 1)) << 32;
522 ++ u32 val_lo = in_le32((u32 __iomem *)addr);
523 ++ u32 val_hi = in_le32((u32 __iomem *)addr + 1);
524 +
525 +- return fsl_addr_hi | in_le32((u32 *)fsl_addr);
526 ++ return ((u64)val_hi << 32) + val_lo;
527 + }
528 +
529 + static void fsl_iowrite64(u64 val, u64 __iomem *addr)
530 +@@ -219,10 +219,10 @@ static void fsl_iowrite64(u64 val, u64 __iomem *addr)
531 +
532 + static u64 fsl_ioread64be(const u64 __iomem *addr)
533 + {
534 +- u32 fsl_addr = lower_32_bits(addr);
535 +- u64 fsl_addr_hi = (u64)in_be32((u32 *)fsl_addr) << 32;
536 ++ u32 val_hi = in_be32((u32 __iomem *)addr);
537 ++ u32 val_lo = in_be32((u32 __iomem *)addr + 1);
538 +
539 +- return fsl_addr_hi | in_be32((u32 *)(fsl_addr + 1));
540 ++ return ((u64)val_hi << 32) + val_lo;
541 + }
542 +
543 + static void fsl_iowrite64be(u64 val, u64 __iomem *addr)
544 +diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c
545 +index c2d779daa4b51..4bbf4172b9bf9 100644
546 +--- a/drivers/dma/of-dma.c
547 ++++ b/drivers/dma/of-dma.c
548 +@@ -69,12 +69,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec,
549 + return NULL;
550 +
551 + chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target);
552 +- if (chan) {
553 +- chan->router = ofdma->dma_router;
554 +- chan->route_data = route_data;
555 +- } else {
556 ++ if (IS_ERR_OR_NULL(chan)) {
557 + ofdma->dma_router->route_free(ofdma->dma_router->dev,
558 + route_data);
559 ++ } else {
560 ++ chan->router = ofdma->dma_router;
561 ++ chan->route_data = route_data;
562 + }
563 +
564 + /*
565 +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
566 +index 6cce9ef61b294..cd81d10974a29 100644
567 +--- a/drivers/dma/pl330.c
568 ++++ b/drivers/dma/pl330.c
569 +@@ -2788,6 +2788,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
570 + while (burst != (1 << desc->rqcfg.brst_size))
571 + desc->rqcfg.brst_size++;
572 +
573 ++ desc->rqcfg.brst_len = get_burst_len(desc, len);
574 + /*
575 + * If burst size is smaller than bus width then make sure we only
576 + * transfer one at a time to avoid a burst stradling an MFIFO entry.
577 +@@ -2795,7 +2796,6 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
578 + if (desc->rqcfg.brst_size * 8 < pl330->pcfg.data_bus_width)
579 + desc->rqcfg.brst_len = 1;
580 +
581 +- desc->rqcfg.brst_len = get_burst_len(desc, len);
582 + desc->bytes_requested = len;
583 +
584 + desc->txd.flags = flags;
585 +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
586 +index 247f53d41993d..60e50181f6d39 100644
587 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
588 ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
589 +@@ -2043,12 +2043,18 @@ static int amdgpu_dm_mode_config_init(struct amdgpu_device *adev)
590 + &dm_atomic_state_funcs);
591 +
592 + r = amdgpu_display_modeset_create_props(adev);
593 +- if (r)
594 ++ if (r) {
595 ++ dc_release_state(state->context);
596 ++ kfree(state);
597 + return r;
598 ++ }
599 +
600 + r = amdgpu_dm_audio_init(adev);
601 +- if (r)
602 ++ if (r) {
603 ++ dc_release_state(state->context);
604 ++ kfree(state);
605 + return r;
606 ++ }
607 +
608 + return 0;
609 + }
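Review bot: The two error paths added in amdgpu_dm_mode_config_init() repeat the same `dc_release_state(state->context); kfree(state);` pair, which is easy to get out of sync when another init step is added. A single cleanup label keeps the unwind in one place. The start of the function, including the call that takes `&dm_atomic_state_funcs`, is outside this hunk; if that call hands `state` to another object, confirm that nothing still points at it after the free.

```c
	r = amdgpu_display_modeset_create_props(adev);
	if (r)
		goto err_release_state;

	r = amdgpu_dm_audio_init(adev);
	if (r)
		goto err_release_state;

	return 0;

err_release_state:
	/* Single unwind point for everything that fails after state was set up. */
	dc_release_state(state->context);
	kfree(state);
	return r;
```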
610 +@@ -2064,6 +2070,8 @@ static void amdgpu_dm_update_backlight_caps(struct amdgpu_display_manager *dm)
611 + #if defined(CONFIG_ACPI)
612 + struct amdgpu_dm_backlight_caps caps;
613 +
614 ++ memset(&caps, 0, sizeof(caps));
615 ++
616 + if (dm->backlight_caps.caps_valid)
617 + return;
618 +
619 +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
620 +index 28a6c7b2ef4bb..2f858507ca702 100644
621 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
622 ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
623 +@@ -101,7 +101,7 @@ static ssize_t dm_dp_aux_transfer(struct drm_dp_aux *aux,
624 + result = dc_link_aux_transfer_raw(TO_DM_AUX(aux)->ddc_service, &payload,
625 + &operation_result);
626 +
627 +- if (payload.write)
628 ++ if (payload.write && result >= 0)
629 + result = msg->size;
630 +
631 + if (result < 0)
632 +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
633 +index 1599bb9711111..e860ae05feda1 100644
634 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
635 ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
636 +@@ -1151,6 +1151,7 @@ static enum dc_status dcn10_validate_global(struct dc *dc, struct dc_state *cont
637 + bool video_large = false;
638 + bool desktop_large = false;
639 + bool dcc_disabled = false;
640 ++ bool mpo_enabled = false;
641 +
642 + for (i = 0; i < context->stream_count; i++) {
643 + if (context->stream_status[i].plane_count == 0)
644 +@@ -1159,6 +1160,9 @@ static enum dc_status dcn10_validate_global(struct dc *dc, struct dc_state *cont
645 + if (context->stream_status[i].plane_count > 2)
646 + return DC_FAIL_UNSUPPORTED_1;
647 +
648 ++ if (context->stream_status[i].plane_count > 1)
649 ++ mpo_enabled = true;
650 ++
651 + for (j = 0; j < context->stream_status[i].plane_count; j++) {
652 + struct dc_plane_state *plane =
653 + context->stream_status[i].plane_states[j];
654 +@@ -1182,6 +1186,10 @@ static enum dc_status dcn10_validate_global(struct dc *dc, struct dc_state *cont
655 + }
656 + }
657 +
658 ++ /* Disable MPO in multi-display configurations. */
659 ++ if (context->stream_count > 1 && mpo_enabled)
660 ++ return DC_FAIL_UNSUPPORTED_1;
661 ++
662 + /*
663 + * Workaround: On DCN10 there is UMC issue that causes underflow when
664 + * playing 4k video on 4k desktop with video downscaled and single channel
665 +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c
666 +index 36a17caa3761d..e8d01abf27fa8 100644
667 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c
668 ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_thermal.c
669 +@@ -375,8 +375,18 @@ static int vega10_thermal_set_temperature_range(struct pp_hwmgr *hwmgr,
670 + /* compare them in unit celsius degree */
671 + if (low < range->min / PP_TEMPERATURE_UNITS_PER_CENTIGRADES)
672 + low = range->min / PP_TEMPERATURE_UNITS_PER_CENTIGRADES;
673 +- if (high > tdp_table->usSoftwareShutdownTemp)
674 +- high = tdp_table->usSoftwareShutdownTemp;
675 ++
676 ++ /*
677 ++ * As a common sense, usSoftwareShutdownTemp should be bigger
678 ++ * than ThotspotLimit. For any invalid usSoftwareShutdownTemp,
679 ++ * we will just use the max possible setting VEGA10_THERMAL_MAXIMUM_ALERT_TEMP
680 ++ * to avoid false alarms.
681 ++ */
682 ++ if ((tdp_table->usSoftwareShutdownTemp >
683 ++ range->hotspot_crit_max / PP_TEMPERATURE_UNITS_PER_CENTIGRADES)) {
684 ++ if (high > tdp_table->usSoftwareShutdownTemp)
685 ++ high = tdp_table->usSoftwareShutdownTemp;
686 ++ }
687 +
688 + if (low > high)
689 + return -EINVAL;
690 +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
691 +index 9ea748667fab0..40431a09dc97c 100644
692 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
693 ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
694 +@@ -199,12 +199,22 @@ static int a6xx_gmu_start(struct a6xx_gmu *gmu)
695 + {
696 + int ret;
697 + u32 val;
698 ++ u32 mask, reset_val;
699 ++
700 ++ val = gmu_read(gmu, REG_A6XX_GMU_CM3_DTCM_START + 0xff8);
701 ++ if (val <= 0x20010004) {
702 ++ mask = 0xffffffff;
703 ++ reset_val = 0xbabeface;
704 ++ } else {
705 ++ mask = 0x1ff;
706 ++ reset_val = 0x100;
707 ++ }
708 +
709 + gmu_write(gmu, REG_A6XX_GMU_CM3_SYSRESET, 1);
710 + gmu_write(gmu, REG_A6XX_GMU_CM3_SYSRESET, 0);
711 +
712 + ret = gmu_poll_timeout(gmu, REG_A6XX_GMU_CM3_FW_INIT_RESULT, val,
713 +- val == 0xbabeface, 100, 10000);
714 ++ (val & mask) == reset_val, 100, 10000);
715 +
716 + if (ret)
717 + DRM_DEV_ERROR(gmu->dev, "GMU firmware initialization timed out\n");
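Review bot: The constants introduced at the top of a6xx_gmu_start() are undocumented: nothing says what is read from `REG_A6XX_GMU_CM3_DTCM_START + 0xff8`, why `0x20010004` is the cut-over, or what `0x1ff` and `0x100` mean compared with the old `0xbabeface` marker. Add a comment above the read, worded by someone who can confirm what the field is, along the lines of `/* value at DTCM offset 0xff8 selects the expected FW_INIT_RESULT pattern: full-word 0xbabeface up to 0x20010004, otherwise 0x100 in the low nine bits */`. `val` is also reused as the poll variable for gmu_poll_timeout(), so a separate local for the first read would make the two uses easier to follow.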
718 +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
719 +index 58d5acbcfc5c2..b984bafd27e25 100644
720 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
721 ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
722 +@@ -853,9 +853,9 @@ static int dpu_plane_atomic_check(struct drm_plane *plane,
723 + crtc_state = drm_atomic_get_new_crtc_state(state->state,
724 + state->crtc);
725 +
726 +- min_scale = FRAC_16_16(1, pdpu->pipe_sblk->maxdwnscale);
727 ++ min_scale = FRAC_16_16(1, pdpu->pipe_sblk->maxupscale);
728 + ret = drm_atomic_helper_check_plane_state(state, crtc_state, min_scale,
729 +- pdpu->pipe_sblk->maxupscale << 16,
730 ++ pdpu->pipe_sblk->maxdwnscale << 16,
731 + true, true);
732 + if (ret) {
733 + DPU_ERROR_PLANE(pdpu, "Check plane state failed (%d)\n", ret);
734 +diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
735 +index 5ccfad794c6a5..561bfa48841c3 100644
736 +--- a/drivers/gpu/drm/msm/msm_atomic.c
737 ++++ b/drivers/gpu/drm/msm/msm_atomic.c
738 +@@ -27,6 +27,34 @@ int msm_atomic_prepare_fb(struct drm_plane *plane,
739 + return msm_framebuffer_prepare(new_state->fb, kms->aspace);
740 + }
741 +
742 ++/*
743 ++ * Helpers to control vblanks while we flush.. basically just to ensure
744 ++ * that vblank accounting is switched on, so we get valid seqn/timestamp
745 ++ * on pageflip events (if requested)
746 ++ */
747 ++
748 ++static void vblank_get(struct msm_kms *kms, unsigned crtc_mask)
749 ++{
750 ++ struct drm_crtc *crtc;
751 ++
752 ++ for_each_crtc_mask(kms->dev, crtc, crtc_mask) {
753 ++ if (!crtc->state->active)
754 ++ continue;
755 ++ drm_crtc_vblank_get(crtc);
756 ++ }
757 ++}
758 ++
759 ++static void vblank_put(struct msm_kms *kms, unsigned crtc_mask)
760 ++{
761 ++ struct drm_crtc *crtc;
762 ++
763 ++ for_each_crtc_mask(kms->dev, crtc, crtc_mask) {
764 ++ if (!crtc->state->active)
765 ++ continue;
766 ++ drm_crtc_vblank_put(crtc);
767 ++ }
768 ++}
769 ++
770 + static void msm_atomic_async_commit(struct msm_kms *kms, int crtc_idx)
771 + {
772 + unsigned crtc_mask = BIT(crtc_idx);
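Review bot: vblank_get() discards the return value of drm_crtc_vblank_get(), while vblank_put() drops a reference on every active CRTC in the mask, so a failed get would be followed by an unbalanced put. Either track which CRTCs actually took a reference, or at least make the failure visible as the omapdrm hunk in this same patch does, e.g. `WARN_ON(drm_crtc_vblank_get(crtc));`. Both helpers also evaluate `crtc->state->active` independently. If that flag can change between the get before the flush and the put after wait_flush, the counts diverge, which is worth confirming against the commit paths outside this hunk.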
773 +@@ -44,6 +72,8 @@ static void msm_atomic_async_commit(struct msm_kms *kms, int crtc_idx)
774 +
775 + kms->funcs->enable_commit(kms);
776 +
777 ++ vblank_get(kms, crtc_mask);
778 ++
779 + /*
780 + * Flush hardware updates:
781 + */
782 +@@ -58,6 +88,8 @@ static void msm_atomic_async_commit(struct msm_kms *kms, int crtc_idx)
783 + kms->funcs->wait_flush(kms, crtc_mask);
784 + trace_msm_atomic_wait_flush_finish(crtc_mask);
785 +
786 ++ vblank_put(kms, crtc_mask);
787 ++
788 + mutex_lock(&kms->commit_lock);
789 + kms->funcs->complete_commit(kms, crtc_mask);
790 + mutex_unlock(&kms->commit_lock);
791 +@@ -221,6 +253,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
792 + */
793 + kms->pending_crtc_mask &= ~crtc_mask;
794 +
795 ++ vblank_get(kms, crtc_mask);
796 ++
797 + /*
798 + * Flush hardware updates:
799 + */
800 +@@ -235,6 +269,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
801 + kms->funcs->wait_flush(kms, crtc_mask);
802 + trace_msm_atomic_wait_flush_finish(crtc_mask);
803 +
804 ++ vblank_put(kms, crtc_mask);
805 ++
806 + mutex_lock(&kms->commit_lock);
807 + kms->funcs->complete_commit(kms, crtc_mask);
808 + mutex_unlock(&kms->commit_lock);
809 +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
810 +index b73fbb65e14b2..4558d66761b3c 100644
811 +--- a/drivers/gpu/drm/msm/msm_drv.c
812 ++++ b/drivers/gpu/drm/msm/msm_drv.c
813 +@@ -1321,6 +1321,13 @@ static int msm_pdev_remove(struct platform_device *pdev)
814 + return 0;
815 + }
816 +
817 ++static void msm_pdev_shutdown(struct platform_device *pdev)
818 ++{
819 ++ struct drm_device *drm = platform_get_drvdata(pdev);
820 ++
821 ++ drm_atomic_helper_shutdown(drm);
822 ++}
823 ++
824 + static const struct of_device_id dt_match[] = {
825 + { .compatible = "qcom,mdp4", .data = (void *)KMS_MDP4 },
826 + { .compatible = "qcom,mdss", .data = (void *)KMS_MDP5 },
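Review bot: msm_pdev_shutdown() passes the result of platform_get_drvdata() straight to drm_atomic_helper_shutdown() without checking it. If the shutdown hook can run on a device whose driver data was never set or was cleared (the probe and remove paths are outside this hunk), the helper would likely dereference a NULL device during reboot. A guard before the helper call keeps the hook safe: `if (!drm) return;`.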
827 +@@ -1332,6 +1339,7 @@ MODULE_DEVICE_TABLE(of, dt_match);
828 + static struct platform_driver msm_platform_driver = {
829 + .probe = msm_pdev_probe,
830 + .remove = msm_pdev_remove,
831 ++ .shutdown = msm_pdev_shutdown,
832 + .driver = {
833 + .name = "msm",
834 + .of_match_table = dt_match,
835 +diff --git a/drivers/gpu/drm/omapdrm/omap_crtc.c b/drivers/gpu/drm/omapdrm/omap_crtc.c
836 +index 3c5ddbf30e974..f5e18802e7bc6 100644
837 +--- a/drivers/gpu/drm/omapdrm/omap_crtc.c
838 ++++ b/drivers/gpu/drm/omapdrm/omap_crtc.c
839 +@@ -451,11 +451,12 @@ static void omap_crtc_atomic_enable(struct drm_crtc *crtc,
840 + if (omap_state->manually_updated)
841 + return;
842 +
843 +- spin_lock_irq(&crtc->dev->event_lock);
844 + drm_crtc_vblank_on(crtc);
845 ++
846 + ret = drm_crtc_vblank_get(crtc);
847 + WARN_ON(ret != 0);
848 +
849 ++ spin_lock_irq(&crtc->dev->event_lock);
850 + omap_crtc_arm_event(crtc);
851 + spin_unlock_irq(&crtc->dev->event_lock);
852 + }
853 +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
854 +index 09df5ecc2c79b..fbc93d8dda5ed 100644
855 +--- a/drivers/hid/hid-ids.h
856 ++++ b/drivers/hid/hid-ids.h
857 +@@ -730,6 +730,9 @@
858 + #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3
859 + #define USB_DEVICE_ID_LENOVO_X1_TAB3 0x60b5
860 + #define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_608D 0x608d
861 ++#define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6019 0x6019
862 ++#define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_602E 0x602e
863 ++#define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6093 0x6093
864 +
865 + #define USB_VENDOR_ID_LG 0x1fd2
866 + #define USB_DEVICE_ID_LG_MULTITOUCH 0x0064
867 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
868 +index b3dd60897ffda..8a739ec50cc00 100644
869 +--- a/drivers/hid/hid-quirks.c
870 ++++ b/drivers/hid/hid-quirks.c
871 +@@ -105,6 +105,9 @@ static const struct hid_device_id hid_quirks[] = {
872 + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_M406XE), HID_QUIRK_MULTI_INPUT },
873 + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE_ID2), HID_QUIRK_ALWAYS_POLL },
874 + { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_608D), HID_QUIRK_ALWAYS_POLL },
875 ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6019), HID_QUIRK_ALWAYS_POLL },
876 ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_602E), HID_QUIRK_ALWAYS_POLL },
877 ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6093), HID_QUIRK_ALWAYS_POLL },
878 + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C007), HID_QUIRK_ALWAYS_POLL },
879 + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_C077), HID_QUIRK_ALWAYS_POLL },
880 + { HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_KEYBOARD_G710_PLUS), HID_QUIRK_NOGET },
881 +diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
882 +index 183ff3d251299..006bc07bcd301 100644
883 +--- a/drivers/hwmon/applesmc.c
884 ++++ b/drivers/hwmon/applesmc.c
885 +@@ -748,15 +748,18 @@ static ssize_t applesmc_light_show(struct device *dev,
886 + }
887 +
888 + ret = applesmc_read_key(LIGHT_SENSOR_LEFT_KEY, buffer, data_length);
889 ++ if (ret)
890 ++ goto out;
891 + /* newer macbooks report a single 10-bit bigendian value */
892 + if (data_length == 10) {
893 + left = be16_to_cpu(*(__be16 *)(buffer + 6)) >> 2;
894 + goto out;
895 + }
896 + left = buffer[2];
897 ++
898 ++ ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length);
899 + if (ret)
900 + goto out;
901 +- ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length);
902 + right = buffer[2];
903 +
904 + out:
905 +@@ -805,12 +808,11 @@ static ssize_t applesmc_show_fan_speed(struct device *dev,
906 + to_index(attr));
907 +
908 + ret = applesmc_read_key(newkey, buffer, 2);
909 +- speed = ((buffer[0] << 8 | buffer[1]) >> 2);
910 +-
911 + if (ret)
912 + return ret;
913 +- else
914 +- return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed);
915 ++
916 ++ speed = ((buffer[0] << 8 | buffer[1]) >> 2);
917 ++ return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed);
918 + }
919 +
920 + static ssize_t applesmc_store_fan_speed(struct device *dev,
921 +@@ -846,12 +848,11 @@ static ssize_t applesmc_show_fan_manual(struct device *dev,
922 + u8 buffer[2];
923 +
924 + ret = applesmc_read_key(FANS_MANUAL, buffer, 2);
925 +- manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01;
926 +-
927 + if (ret)
928 + return ret;
929 +- else
930 +- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual);
931 ++
932 ++ manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01;
933 ++ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual);
934 + }
935 +
936 + static ssize_t applesmc_store_fan_manual(struct device *dev,
937 +@@ -867,10 +868,11 @@ static ssize_t applesmc_store_fan_manual(struct device *dev,
938 + return -EINVAL;
939 +
940 + ret = applesmc_read_key(FANS_MANUAL, buffer, 2);
941 +- val = (buffer[0] << 8 | buffer[1]);
942 + if (ret)
943 + goto out;
944 +
945 ++ val = (buffer[0] << 8 | buffer[1]);
946 ++
947 + if (input)
948 + val = val | (0x01 << to_index(attr));
949 + else
950 +@@ -946,13 +948,12 @@ static ssize_t applesmc_key_count_show(struct device *dev,
951 + u32 count;
952 +
953 + ret = applesmc_read_key(KEY_COUNT_KEY, buffer, 4);
954 +- count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) +
955 +- ((u32)buffer[2]<<8) + buffer[3];
956 +-
957 + if (ret)
958 + return ret;
959 +- else
960 +- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count);
961 ++
962 ++ count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) +
963 ++ ((u32)buffer[2]<<8) + buffer[3];
964 ++ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count);
965 + }
966 +
967 + static ssize_t applesmc_key_at_index_read_show(struct device *dev,
968 +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
969 +index 3a7094f4813f2..cdafc652d9d1a 100644
970 +--- a/drivers/iommu/amd_iommu.c
971 ++++ b/drivers/iommu/amd_iommu.c
972 +@@ -4431,6 +4431,7 @@ int amd_iommu_deactivate_guest_mode(void *data)
973 + struct amd_ir_data *ir_data = (struct amd_ir_data *)data;
974 + struct irte_ga *entry = (struct irte_ga *) ir_data->entry;
975 + struct irq_cfg *cfg = ir_data->cfg;
976 ++ u64 valid = entry->lo.fields_remap.valid;
977 +
978 + if (!AMD_IOMMU_GUEST_IR_VAPIC(amd_iommu_guest_ir) ||
979 + !entry || !entry->lo.fields_vapic.guest_mode)
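Review bot: The new initializer `u64 valid = entry->lo.fields_remap.valid;` dereferences `entry` before the `!entry` test in the guard directly below it, so that NULL check can no longer protect `amd_iommu_deactivate_guest_mode()`. Declare `u64 valid;` without an initializer and assign `valid = entry->lo.fields_remap.valid;` only after the guard has returned for a NULL entry. The following hunk, which writes the bit back, needs no change. The guard's return statement and the rest of the body lie outside this hunk.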
980 +@@ -4439,6 +4440,7 @@ int amd_iommu_deactivate_guest_mode(void *data)
981 + entry->lo.val = 0;
982 + entry->hi.val = 0;
983 +
984 ++ entry->lo.fields_remap.valid = valid;
985 + entry->lo.fields_remap.dm = apic->irq_dest_mode;
986 + entry->lo.fields_remap.int_type = apic->irq_delivery_mode;
987 + entry->hi.fields.vector = cfg->vector;
988 +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
989 +index cdc1f4736a116..2ffec65df3889 100644
990 +--- a/drivers/iommu/intel-iommu.c
991 ++++ b/drivers/iommu/intel-iommu.c
992 +@@ -123,29 +123,29 @@ static inline unsigned int level_to_offset_bits(int level)
993 + return (level - 1) * LEVEL_STRIDE;
994 + }
995 +
996 +-static inline int pfn_level_offset(unsigned long pfn, int level)
997 ++static inline int pfn_level_offset(u64 pfn, int level)
998 + {
999 + return (pfn >> level_to_offset_bits(level)) & LEVEL_MASK;
1000 + }
1001 +
1002 +-static inline unsigned long level_mask(int level)
1003 ++static inline u64 level_mask(int level)
1004 + {
1005 +- return -1UL << level_to_offset_bits(level);
1006 ++ return -1ULL << level_to_offset_bits(level);
1007 + }
1008 +
1009 +-static inline unsigned long level_size(int level)
1010 ++static inline u64 level_size(int level)
1011 + {
1012 +- return 1UL << level_to_offset_bits(level);
1013 ++ return 1ULL << level_to_offset_bits(level);
1014 + }
1015 +
1016 +-static inline unsigned long align_to_level(unsigned long pfn, int level)
1017 ++static inline u64 align_to_level(u64 pfn, int level)
1018 + {
1019 + return (pfn + level_size(level) - 1) & level_mask(level);
1020 + }
1021 +
1022 + static inline unsigned long lvl_to_nr_pages(unsigned int lvl)
1023 + {
1024 +- return 1 << min_t(int, (lvl - 1) * LEVEL_STRIDE, MAX_AGAW_PFN_WIDTH);
1025 ++ return 1UL << min_t(int, (lvl - 1) * LEVEL_STRIDE, MAX_AGAW_PFN_WIDTH);
1026 + }
1027 +
1028 + /* VT-d pages must always be _smaller_ than MM pages. Otherwise things
1029 +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
1030 +index 6bfb283e6f287..f697f3a1d46bc 100644
1031 +--- a/drivers/iommu/intel_irq_remapping.c
1032 ++++ b/drivers/iommu/intel_irq_remapping.c
1033 +@@ -507,12 +507,18 @@ static void iommu_enable_irq_remapping(struct intel_iommu *iommu)
1034 +
1035 + /* Enable interrupt-remapping */
1036 + iommu->gcmd |= DMA_GCMD_IRE;
1037 +- iommu->gcmd &= ~DMA_GCMD_CFI; /* Block compatibility-format MSIs */
1038 + writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG);
1039 +-
1040 + IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
1041 + readl, (sts & DMA_GSTS_IRES), sts);
1042 +
1043 ++ /* Block compatibility-format MSIs */
1044 ++ if (sts & DMA_GSTS_CFIS) {
1045 ++ iommu->gcmd &= ~DMA_GCMD_CFI;
1046 ++ writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG);
1047 ++ IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
1048 ++ readl, !(sts & DMA_GSTS_CFIS), sts);
1049 ++ }
1050 ++
1051 + /*
1052 + * With CFI clear in the Global Command register, we should be
1053 + * protected from dangerous (i.e. compatibility) interrupts
1054 +diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
1055 +index 151aa95775be2..af6d4f898e4c1 100644
1056 +--- a/drivers/md/dm-cache-metadata.c
1057 ++++ b/drivers/md/dm-cache-metadata.c
1058 +@@ -537,12 +537,16 @@ static int __create_persistent_data_objects(struct dm_cache_metadata *cmd,
1059 + CACHE_MAX_CONCURRENT_LOCKS);
1060 + if (IS_ERR(cmd->bm)) {
1061 + DMERR("could not create block manager");
1062 +- return PTR_ERR(cmd->bm);
1063 ++ r = PTR_ERR(cmd->bm);
1064 ++ cmd->bm = NULL;
1065 ++ return r;
1066 + }
1067 +
1068 + r = __open_or_format_metadata(cmd, may_format_device);
1069 +- if (r)
1070 ++ if (r) {
1071 + dm_block_manager_destroy(cmd->bm);
1072 ++ cmd->bm = NULL;
1073 ++ }
1074 +
1075 + return r;
1076 + }
1077 +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
1078 +index ffbda729e26e9..1af82fbbac0c4 100644
1079 +--- a/drivers/md/dm-crypt.c
1080 ++++ b/drivers/md/dm-crypt.c
1081 +@@ -720,7 +720,7 @@ static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv,
1082 + u8 buf[MAX_CIPHER_BLOCKSIZE] __aligned(__alignof__(__le64));
1083 + struct skcipher_request *req;
1084 + struct scatterlist src, dst;
1085 +- struct crypto_wait wait;
1086 ++ DECLARE_CRYPTO_WAIT(wait);
1087 + int err;
1088 +
1089 + req = skcipher_request_alloc(any_tfm(cc), GFP_NOIO);
1090 +diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
1091 +index 1f63084ef3291..d6edfe84e7490 100644
1092 +--- a/drivers/md/dm-integrity.c
1093 ++++ b/drivers/md/dm-integrity.c
1094 +@@ -2365,6 +2365,7 @@ next_chunk:
1095 + range.logical_sector = le64_to_cpu(ic->sb->recalc_sector);
1096 + if (unlikely(range.logical_sector >= ic->provided_data_sectors)) {
1097 + if (ic->mode == 'B') {
1098 ++ block_bitmap_op(ic, ic->recalc_bitmap, 0, ic->provided_data_sectors, BITMAP_OP_CLEAR);
1099 + DEBUG_print("queue_delayed_work: bitmap_flush_work\n");
1100 + queue_delayed_work(ic->commit_wq, &ic->bitmap_flush_work, 0);
1101 + }
1102 +@@ -2442,6 +2443,17 @@ next_chunk:
1103 + goto err;
1104 + }
1105 +
1106 ++ if (ic->mode == 'B') {
1107 ++ sector_t start, end;
1108 ++ start = (range.logical_sector >>
1109 ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit)) <<
1110 ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit);
1111 ++ end = ((range.logical_sector + range.n_sectors) >>
1112 ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit)) <<
1113 ++ (ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit);
1114 ++ block_bitmap_op(ic, ic->recalc_bitmap, start, end - start, BITMAP_OP_CLEAR);
1115 ++ }
1116 ++
1117 + advance_and_next:
1118 + cond_resched();
1119 +
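Review bot: The shift amount `ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit` is spelled out four times in the added block, which makes the rounding of `start` and `end` hard to verify by eye. A local such as `unsigned int shift = ic->sb->log2_sectors_per_block + ic->log2_blocks_per_bitmap_bit;` followed by `start = (range.logical_sector >> shift) << shift;` would read more clearly. Because `end` is rounded down, a bitmap bit that is only partly recalculated stays set. That looks deliberate, and a one-line comment saying so would record the intent. The enclosing function starts and ends outside the hunk.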
1120 +diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
1121 +index f2de4c73cc8fa..54ecfea2cf47b 100644
1122 +--- a/drivers/md/dm-mpath.c
1123 ++++ b/drivers/md/dm-mpath.c
1124 +@@ -1190,17 +1190,25 @@ static void multipath_wait_for_pg_init_completion(struct multipath *m)
1125 + static void flush_multipath_work(struct multipath *m)
1126 + {
1127 + if (m->hw_handler_name) {
1128 +- set_bit(MPATHF_PG_INIT_DISABLED, &m->flags);
1129 +- smp_mb__after_atomic();
1130 ++ unsigned long flags;
1131 ++
1132 ++ if (!atomic_read(&m->pg_init_in_progress))
1133 ++ goto skip;
1134 ++
1135 ++ spin_lock_irqsave(&m->lock, flags);
1136 ++ if (atomic_read(&m->pg_init_in_progress) &&
1137 ++ !test_and_set_bit(MPATHF_PG_INIT_DISABLED, &m->flags)) {
1138 ++ spin_unlock_irqrestore(&m->lock, flags);
1139 +
1140 +- if (atomic_read(&m->pg_init_in_progress))
1141 + flush_workqueue(kmpath_handlerd);
1142 +- multipath_wait_for_pg_init_completion(m);
1143 ++ multipath_wait_for_pg_init_completion(m);
1144 +
1145 +- clear_bit(MPATHF_PG_INIT_DISABLED, &m->flags);
1146 +- smp_mb__after_atomic();
1147 ++ spin_lock_irqsave(&m->lock, flags);
1148 ++ clear_bit(MPATHF_PG_INIT_DISABLED, &m->flags);
1149 ++ }
1150 ++ spin_unlock_irqrestore(&m->lock, flags);
1151 + }
1152 +-
1153 ++skip:
1154 + if (m->queue_mode == DM_TYPE_BIO_BASED)
1155 + flush_work(&m->process_queued_bios);
1156 + flush_work(&m->trigger_event);
1157 +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
1158 +index 4cd8868f80040..a5ed59eafdc51 100644
1159 +--- a/drivers/md/dm-thin-metadata.c
1160 ++++ b/drivers/md/dm-thin-metadata.c
1161 +@@ -739,12 +739,16 @@ static int __create_persistent_data_objects(struct dm_pool_metadata *pmd, bool f
1162 + THIN_MAX_CONCURRENT_LOCKS);
1163 + if (IS_ERR(pmd->bm)) {
1164 + DMERR("could not create block manager");
1165 +- return PTR_ERR(pmd->bm);
1166 ++ r = PTR_ERR(pmd->bm);
1167 ++ pmd->bm = NULL;
1168 ++ return r;
1169 + }
1170 +
1171 + r = __open_or_format_metadata(pmd, format_device);
1172 +- if (r)
1173 ++ if (r) {
1174 + dm_block_manager_destroy(pmd->bm);
1175 ++ pmd->bm = NULL;
1176 ++ }
1177 +
1178 + return r;
1179 + }
1180 +@@ -954,7 +958,7 @@ int dm_pool_metadata_close(struct dm_pool_metadata *pmd)
1181 + }
1182 +
1183 + pmd_write_lock_in_core(pmd);
1184 +- if (!dm_bm_is_read_only(pmd->bm) && !pmd->fail_io) {
1185 ++ if (!pmd->fail_io && !dm_bm_is_read_only(pmd->bm)) {
1186 + r = __commit_transaction(pmd);
1187 + if (r < 0)
1188 + DMWARN("%s: __commit_transaction() failed, error = %d",
1189 +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c
1190 +index ed2f711c24c48..4e414b06192eb 100644
1191 +--- a/drivers/md/dm-writecache.c
1192 ++++ b/drivers/md/dm-writecache.c
1193 +@@ -224,6 +224,7 @@ static int persistent_memory_claim(struct dm_writecache *wc)
1194 + pfn_t pfn;
1195 + int id;
1196 + struct page **pages;
1197 ++ sector_t offset;
1198 +
1199 + wc->memory_vmapped = false;
1200 +
1201 +@@ -242,9 +243,16 @@ static int persistent_memory_claim(struct dm_writecache *wc)
1202 + goto err1;
1203 + }
1204 +
1205 ++ offset = get_start_sect(wc->ssd_dev->bdev);
1206 ++ if (offset & (PAGE_SIZE / 512 - 1)) {
1207 ++ r = -EINVAL;
1208 ++ goto err1;
1209 ++ }
1210 ++ offset >>= PAGE_SHIFT - 9;
1211 ++
1212 + id = dax_read_lock();
1213 +
1214 +- da = dax_direct_access(wc->ssd_dev->dax_dev, 0, p, &wc->memory_map, &pfn);
1215 ++ da = dax_direct_access(wc->ssd_dev->dax_dev, offset, p, &wc->memory_map, &pfn);
1216 + if (da < 0) {
1217 + wc->memory_map = NULL;
1218 + r = da;
1219 +@@ -266,7 +274,7 @@ static int persistent_memory_claim(struct dm_writecache *wc)
1220 + i = 0;
1221 + do {
1222 + long daa;
1223 +- daa = dax_direct_access(wc->ssd_dev->dax_dev, i, p - i,
1224 ++ daa = dax_direct_access(wc->ssd_dev->dax_dev, offset + i, p - i,
1225 + NULL, &pfn);
1226 + if (daa <= 0) {
1227 + r = daa ? daa : -EINVAL;
1228 +diff --git a/drivers/md/persistent-data/dm-block-manager.c b/drivers/md/persistent-data/dm-block-manager.c
1229 +index 749ec268d957d..54c089a50b152 100644
1230 +--- a/drivers/md/persistent-data/dm-block-manager.c
1231 ++++ b/drivers/md/persistent-data/dm-block-manager.c
1232 +@@ -493,7 +493,7 @@ int dm_bm_write_lock(struct dm_block_manager *bm,
1233 + void *p;
1234 + int r;
1235 +
1236 +- if (bm->read_only)
1237 ++ if (dm_bm_is_read_only(bm))
1238 + return -EPERM;
1239 +
1240 + p = dm_bufio_read(bm->bufio, b, (struct dm_buffer **) result);
1241 +@@ -562,7 +562,7 @@ int dm_bm_write_lock_zero(struct dm_block_manager *bm,
1242 + struct buffer_aux *aux;
1243 + void *p;
1244 +
1245 +- if (bm->read_only)
1246 ++ if (dm_bm_is_read_only(bm))
1247 + return -EPERM;
1248 +
1249 + p = dm_bufio_new(bm->bufio, b, (struct dm_buffer **) result);
1250 +@@ -602,7 +602,7 @@ EXPORT_SYMBOL_GPL(dm_bm_unlock);
1251 +
1252 + int dm_bm_flush(struct dm_block_manager *bm)
1253 + {
1254 +- if (bm->read_only)
1255 ++ if (dm_bm_is_read_only(bm))
1256 + return -EPERM;
1257 +
1258 + return dm_bufio_write_dirty_buffers(bm->bufio);
1259 +@@ -616,19 +616,21 @@ void dm_bm_prefetch(struct dm_block_manager *bm, dm_block_t b)
1260 +
1261 + bool dm_bm_is_read_only(struct dm_block_manager *bm)
1262 + {
1263 +- return bm->read_only;
1264 ++ return (bm ? bm->read_only : true);
1265 + }
1266 + EXPORT_SYMBOL_GPL(dm_bm_is_read_only);
1267 +
1268 + void dm_bm_set_read_only(struct dm_block_manager *bm)
1269 + {
1270 +- bm->read_only = true;
1271 ++ if (bm)
1272 ++ bm->read_only = true;
1273 + }
1274 + EXPORT_SYMBOL_GPL(dm_bm_set_read_only);
1275 +
1276 + void dm_bm_set_read_write(struct dm_block_manager *bm)
1277 + {
1278 +- bm->read_only = false;
1279 ++ if (bm)
1280 ++ bm->read_only = false;
1281 + }
1282 + EXPORT_SYMBOL_GPL(dm_bm_set_read_write);
1283 +
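Review bot: `dm_bm_is_read_only()` now reports a NULL block manager as read-only and both setters silently ignore NULL, but nothing in the code says why NULL is a legal argument. The dm-cache-metadata and dm-thin-metadata hunks in this patch set `bm = NULL` on their failure paths, which appears to be the reason. A comment above `dm_bm_is_read_only()` such as `/* bm is NULL when creating or opening the metadata failed; treat that as read-only */` would keep a later cleanup from removing the checks.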
1284 +diff --git a/drivers/media/platform/vicodec/vicodec-core.c b/drivers/media/platform/vicodec/vicodec-core.c
1285 +index 84ec36156f73f..c77281d43f892 100644
1286 +--- a/drivers/media/platform/vicodec/vicodec-core.c
1287 ++++ b/drivers/media/platform/vicodec/vicodec-core.c
1288 +@@ -2052,6 +2052,7 @@ static int vicodec_request_validate(struct media_request *req)
1289 + }
1290 + ctrl = v4l2_ctrl_request_hdl_ctrl_find(hdl,
1291 + vicodec_ctrl_stateless_state.id);
1292 ++ v4l2_ctrl_request_hdl_put(hdl);
1293 + if (!ctrl) {
1294 + v4l2_info(&ctx->dev->v4l2_dev,
1295 + "Missing required codec control\n");
1296 +diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
1297 +index 6f80c251f6413..e84f9dccf448a 100644
1298 +--- a/drivers/media/rc/rc-main.c
1299 ++++ b/drivers/media/rc/rc-main.c
1300 +@@ -1256,6 +1256,10 @@ static ssize_t store_protocols(struct device *device,
1301 + }
1302 +
1303 + mutex_lock(&dev->lock);
1304 ++ if (!dev->registered) {
1305 ++ mutex_unlock(&dev->lock);
1306 ++ return -ENODEV;
1307 ++ }
1308 +
1309 + old_protocols = *current_protocols;
1310 + new_protocols = old_protocols;
1311 +@@ -1394,6 +1398,10 @@ static ssize_t store_filter(struct device *device,
1312 + return -EINVAL;
1313 +
1314 + mutex_lock(&dev->lock);
1315 ++ if (!dev->registered) {
1316 ++ mutex_unlock(&dev->lock);
1317 ++ return -ENODEV;
1318 ++ }
1319 +
1320 + new_filter = *filter;
1321 + if (fattr->mask)
1322 +@@ -1508,6 +1516,10 @@ static ssize_t store_wakeup_protocols(struct device *device,
1323 + int i;
1324 +
1325 + mutex_lock(&dev->lock);
1326 ++ if (!dev->registered) {
1327 ++ mutex_unlock(&dev->lock);
1328 ++ return -ENODEV;
1329 ++ }
1330 +
1331 + allowed = dev->allowed_wakeup_protocols;
1332 +
1333 +@@ -1565,25 +1577,25 @@ static void rc_dev_release(struct device *device)
1334 + kfree(dev);
1335 + }
1336 +
1337 +-#define ADD_HOTPLUG_VAR(fmt, val...) \
1338 +- do { \
1339 +- int err = add_uevent_var(env, fmt, val); \
1340 +- if (err) \
1341 +- return err; \
1342 +- } while (0)
1343 +-
1344 + static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env)
1345 + {
1346 + struct rc_dev *dev = to_rc_dev(device);
1347 ++ int ret = 0;
1348 +
1349 +- if (dev->rc_map.name)
1350 +- ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name);
1351 +- if (dev->driver_name)
1352 +- ADD_HOTPLUG_VAR("DRV_NAME=%s", dev->driver_name);
1353 +- if (dev->device_name)
1354 +- ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name);
1355 ++ mutex_lock(&dev->lock);
1356 +
1357 +- return 0;
1358 ++ if (!dev->registered)
1359 ++ ret = -ENODEV;
1360 ++ if (ret == 0 && dev->rc_map.name)
1361 ++ ret = add_uevent_var(env, "NAME=%s", dev->rc_map.name);
1362 ++ if (ret == 0 && dev->driver_name)
1363 ++ ret = add_uevent_var(env, "DRV_NAME=%s", dev->driver_name);
1364 ++ if (ret == 0 && dev->device_name)
1365 ++ ret = add_uevent_var(env, "DEV_NAME=%s", dev->device_name);
1366 ++
1367 ++ mutex_unlock(&dev->lock);
1368 ++
1369 ++ return ret;
1370 + }
1371 +
1372 + /*
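Review bot: `rc_dev_uevent()` now returns -ENODEV whenever `dev->registered` is false, which covers the window before registration completes as well as the one after `rc_unregister_device()`. If `registered` is set only after `device_add()` has run (`rc_register_device()` is not shown here), the initial ADD uevent and an early read of the `uevent` attribute would fail for a device that is in fact coming up. It is worth confirming that ordering, for example by making sure `registered` is already true when the device becomes visible to userspace.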
1373 +@@ -1975,14 +1987,14 @@ void rc_unregister_device(struct rc_dev *dev)
1374 + del_timer_sync(&dev->timer_keyup);
1375 + del_timer_sync(&dev->timer_repeat);
1376 +
1377 +- rc_free_rx_device(dev);
1378 +-
1379 + mutex_lock(&dev->lock);
1380 + if (dev->users && dev->close)
1381 + dev->close(dev);
1382 + dev->registered = false;
1383 + mutex_unlock(&dev->lock);
1384 +
1385 ++ rc_free_rx_device(dev);
1386 ++
1387 + /*
1388 + * lirc device should be freed with dev->registered = false, so
1389 + * that userspace polling will get notified.
1390 +diff --git a/drivers/misc/habanalabs/firmware_if.c b/drivers/misc/habanalabs/firmware_if.c
1391 +index ea2ca67fbfbfa..153858475abc1 100644
1392 +--- a/drivers/misc/habanalabs/firmware_if.c
1393 ++++ b/drivers/misc/habanalabs/firmware_if.c
1394 +@@ -11,6 +11,7 @@
1395 + #include <linux/genalloc.h>
1396 + #include <linux/io-64-nonatomic-lo-hi.h>
1397 +
1398 ++#define FW_FILE_MAX_SIZE 0x1400000 /* maximum size of 20MB */
1399 + /**
1400 + * hl_fw_push_fw_to_device() - Push FW code to device.
1401 + * @hdev: pointer to hl_device structure.
1402 +@@ -43,6 +44,14 @@ int hl_fw_push_fw_to_device(struct hl_device *hdev, const char *fw_name,
1403 +
1404 + dev_dbg(hdev->dev, "%s firmware size == %zu\n", fw_name, fw_size);
1405 +
1406 ++ if (fw_size > FW_FILE_MAX_SIZE) {
1407 ++ dev_err(hdev->dev,
1408 ++ "FW file size %zu exceeds maximum of %u bytes\n",
1409 ++ fw_size, FW_FILE_MAX_SIZE);
1410 ++ rc = -EINVAL;
1411 ++ goto out;
1412 ++ }
1413 ++
1414 + fw_data = (const u64 *) fw->data;
1415 +
1416 + memcpy_toio(dst, fw_data, fw_size);
1417 +diff --git a/drivers/misc/habanalabs/memory.c b/drivers/misc/habanalabs/memory.c
1418 +index 22566b75ca50c..acfccf32be6b9 100644
1419 +--- a/drivers/misc/habanalabs/memory.c
1420 ++++ b/drivers/misc/habanalabs/memory.c
1421 +@@ -67,6 +67,11 @@ static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args,
1422 + num_pgs = (args->alloc.mem_size + (page_size - 1)) >> page_shift;
1423 + total_size = num_pgs << page_shift;
1424 +
1425 ++ if (!total_size) {
1426 ++ dev_err(hdev->dev, "Cannot allocate 0 bytes\n");
1427 ++ return -EINVAL;
1428 ++ }
1429 ++
1430 + contiguous = args->flags & HL_MEM_CONTIGUOUS;
1431 +
1432 + if (contiguous) {
1433 +@@ -94,7 +99,7 @@ static int alloc_device_memory(struct hl_ctx *ctx, struct hl_mem_in *args,
1434 + phys_pg_pack->contiguous = contiguous;
1435 +
1436 + phys_pg_pack->pages = kvmalloc_array(num_pgs, sizeof(u64), GFP_KERNEL);
1437 +- if (!phys_pg_pack->pages) {
1438 ++ if (ZERO_OR_NULL_PTR(phys_pg_pack->pages)) {
1439 + rc = -ENOMEM;
1440 + goto pages_arr_err;
1441 + }
1442 +@@ -689,7 +694,7 @@ static int init_phys_pg_pack_from_userptr(struct hl_ctx *ctx,
1443 +
1444 + phys_pg_pack->pages = kvmalloc_array(total_npages, sizeof(u64),
1445 + GFP_KERNEL);
1446 +- if (!phys_pg_pack->pages) {
1447 ++ if (ZERO_OR_NULL_PTR(phys_pg_pack->pages)) {
1448 + rc = -ENOMEM;
1449 + goto page_pack_arr_mem_err;
1450 + }
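Review bot: With `ZERO_OR_NULL_PTR()` a `total_npages` of zero is reported as -ENOMEM, which misattributes an empty request to memory pressure. Rejecting the zero count before the allocation keeps the error codes meaningful to the caller: `if (!total_npages) { rc = -EINVAL; goto page_pack_arr_mem_err; }`. The same applies to the `hl_mmu_init()` hunk in mmu.c, where a zero `max_asid` or `mmu_hop_table_size` would surface as -ENOMEM. In the `alloc_device_memory()` hunk the macro looks redundant, because the new `!total_size` check already excludes a zero page count. The function body starts and ends outside this hunk.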
1451 +diff --git a/drivers/misc/habanalabs/mmu.c b/drivers/misc/habanalabs/mmu.c
1452 +index 176c315836f12..d66e16de4cda3 100644
1453 +--- a/drivers/misc/habanalabs/mmu.c
1454 ++++ b/drivers/misc/habanalabs/mmu.c
1455 +@@ -422,7 +422,7 @@ int hl_mmu_init(struct hl_device *hdev)
1456 + hdev->mmu_shadow_hop0 = kvmalloc_array(prop->max_asid,
1457 + prop->mmu_hop_table_size,
1458 + GFP_KERNEL | __GFP_ZERO);
1459 +- if (!hdev->mmu_shadow_hop0) {
1460 ++ if (ZERO_OR_NULL_PTR(hdev->mmu_shadow_hop0)) {
1461 + rc = -ENOMEM;
1462 + goto err_pool_add;
1463 + }
1464 +diff --git a/drivers/mmc/host/cqhci.c b/drivers/mmc/host/cqhci.c
1465 +index c19f4c3f115a4..2d65b32d205a5 100644
1466 +--- a/drivers/mmc/host/cqhci.c
1467 ++++ b/drivers/mmc/host/cqhci.c
1468 +@@ -299,16 +299,16 @@ static void __cqhci_disable(struct cqhci_host *cq_host)
1469 + cq_host->activated = false;
1470 + }
1471 +
1472 +-int cqhci_suspend(struct mmc_host *mmc)
1473 ++int cqhci_deactivate(struct mmc_host *mmc)
1474 + {
1475 + struct cqhci_host *cq_host = mmc->cqe_private;
1476 +
1477 +- if (cq_host->enabled)
1478 ++ if (cq_host->enabled && cq_host->activated)
1479 + __cqhci_disable(cq_host);
1480 +
1481 + return 0;
1482 + }
1483 +-EXPORT_SYMBOL(cqhci_suspend);
1484 ++EXPORT_SYMBOL(cqhci_deactivate);
1485 +
1486 + int cqhci_resume(struct mmc_host *mmc)
1487 + {
1488 +diff --git a/drivers/mmc/host/cqhci.h b/drivers/mmc/host/cqhci.h
1489 +index def76e9b5cacf..437700179de4d 100644
1490 +--- a/drivers/mmc/host/cqhci.h
1491 ++++ b/drivers/mmc/host/cqhci.h
1492 +@@ -230,7 +230,11 @@ irqreturn_t cqhci_irq(struct mmc_host *mmc, u32 intmask, int cmd_error,
1493 + int data_error);
1494 + int cqhci_init(struct cqhci_host *cq_host, struct mmc_host *mmc, bool dma64);
1495 + struct cqhci_host *cqhci_pltfm_init(struct platform_device *pdev);
1496 +-int cqhci_suspend(struct mmc_host *mmc);
1497 ++int cqhci_deactivate(struct mmc_host *mmc);
1498 ++static inline int cqhci_suspend(struct mmc_host *mmc)
1499 ++{
1500 ++ return cqhci_deactivate(mmc);
1501 ++}
1502 + int cqhci_resume(struct mmc_host *mmc);
1503 +
1504 + #endif
1505 +diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
1506 +index 010fe29a48883..9d47a2bd2546b 100644
1507 +--- a/drivers/mmc/host/mtk-sd.c
1508 ++++ b/drivers/mmc/host/mtk-sd.c
1509 +@@ -22,6 +22,7 @@
1510 + #include <linux/slab.h>
1511 + #include <linux/spinlock.h>
1512 + #include <linux/interrupt.h>
1513 ++#include <linux/reset.h>
1514 +
1515 + #include <linux/mmc/card.h>
1516 + #include <linux/mmc/core.h>
1517 +@@ -412,6 +413,7 @@ struct msdc_host {
1518 + struct pinctrl_state *pins_uhs;
1519 + struct delayed_work req_timeout;
1520 + int irq; /* host interrupt */
1521 ++ struct reset_control *reset;
1522 +
1523 + struct clk *src_clk; /* msdc source clock */
1524 + struct clk *h_clk; /* msdc h_clk */
1525 +@@ -1474,6 +1476,12 @@ static void msdc_init_hw(struct msdc_host *host)
1526 + u32 val;
1527 + u32 tune_reg = host->dev_comp->pad_tune_reg;
1528 +
1529 ++ if (host->reset) {
1530 ++ reset_control_assert(host->reset);
1531 ++ usleep_range(10, 50);
1532 ++ reset_control_deassert(host->reset);
1533 ++ }
1534 ++
1535 + /* Configure to MMC/SD mode, clock free running */
1536 + sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_MODE | MSDC_CFG_CKPDN);
1537 +
1538 +@@ -2232,6 +2240,11 @@ static int msdc_drv_probe(struct platform_device *pdev)
1539 + if (IS_ERR(host->src_clk_cg))
1540 + host->src_clk_cg = NULL;
1541 +
1542 ++ host->reset = devm_reset_control_get_optional_exclusive(&pdev->dev,
1543 ++ "hrst");
1544 ++ if (IS_ERR(host->reset))
1545 ++ return PTR_ERR(host->reset);
1546 ++
1547 + host->irq = platform_get_irq(pdev, 0);
1548 + if (host->irq < 0) {
1549 + ret = -EINVAL;
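Review bot: The new `return PTR_ERR(host->reset);` leaves `msdc_drv_probe()` directly, while the next error case in this hunk sets `ret = -EINVAL`, presumably ahead of a jump to a cleanup label outside the hunk. `host` is already in use here, so whatever was allocated for it earlier in probe would be skipped on this path, which also fires for -EPROBE_DEFER and can therefore repeat. Setting `ret = PTR_ERR(host->reset);` and taking the same cleanup `goto` as the neighbouring checks would keep the error paths consistent. The cleanup label itself is not visible in this hunk.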
1550 +diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c
1551 +index 01fc437ed9659..5581a5c86fce3 100644
1552 +--- a/drivers/mmc/host/sdhci-acpi.c
1553 ++++ b/drivers/mmc/host/sdhci-acpi.c
1554 +@@ -532,6 +532,11 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_qcom_sd = {
1555 + .caps = MMC_CAP_NONREMOVABLE,
1556 + };
1557 +
1558 ++struct amd_sdhci_host {
1559 ++ bool tuned_clock;
1560 ++ bool dll_enabled;
1561 ++};
1562 ++
1563 + /* AMD sdhci reset dll register. */
1564 + #define SDHCI_AMD_RESET_DLL_REGISTER 0x908
1565 +
1566 +@@ -551,26 +556,66 @@ static void sdhci_acpi_amd_hs400_dll(struct sdhci_host *host)
1567 + }
1568 +
1569 + /*
1570 +- * For AMD Platform it is required to disable the tuning
1571 +- * bit first controller to bring to HS Mode from HS200
1572 +- * mode, later enable to tune to HS400 mode.
1573 ++ * The initialization sequence for HS400 is:
1574 ++ * HS->HS200->Perform Tuning->HS->HS400
1575 ++ *
1576 ++ * The re-tuning sequence is:
1577 ++ * HS400->DDR52->HS->HS200->Perform Tuning->HS->HS400
1578 ++ *
1579 ++ * The AMD eMMC Controller can only use the tuned clock while in HS200 and HS400
1580 ++ * mode. If we switch to a different mode, we need to disable the tuned clock.
1581 ++ * If we have previously performed tuning and switch back to HS200 or
1582 ++ * HS400, we can re-enable the tuned clock.
1583 ++ *
1584 + */
1585 + static void amd_set_ios(struct mmc_host *mmc, struct mmc_ios *ios)
1586 + {
1587 + struct sdhci_host *host = mmc_priv(mmc);
1588 ++ struct sdhci_acpi_host *acpi_host = sdhci_priv(host);
1589 ++ struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host);
1590 + unsigned int old_timing = host->timing;
1591 ++ u16 val;
1592 +
1593 + sdhci_set_ios(mmc, ios);
1594 +- if (old_timing == MMC_TIMING_MMC_HS200 &&
1595 +- ios->timing == MMC_TIMING_MMC_HS)
1596 +- sdhci_writew(host, 0x9, SDHCI_HOST_CONTROL2);
1597 +- if (old_timing != MMC_TIMING_MMC_HS400 &&
1598 +- ios->timing == MMC_TIMING_MMC_HS400) {
1599 +- sdhci_writew(host, 0x80, SDHCI_HOST_CONTROL2);
1600 +- sdhci_acpi_amd_hs400_dll(host);
1601 ++
1602 ++ if (old_timing != host->timing && amd_host->tuned_clock) {
1603 ++ if (host->timing == MMC_TIMING_MMC_HS400 ||
1604 ++ host->timing == MMC_TIMING_MMC_HS200) {
1605 ++ val = sdhci_readw(host, SDHCI_HOST_CONTROL2);
1606 ++ val |= SDHCI_CTRL_TUNED_CLK;
1607 ++ sdhci_writew(host, val, SDHCI_HOST_CONTROL2);
1608 ++ } else {
1609 ++ val = sdhci_readw(host, SDHCI_HOST_CONTROL2);
1610 ++ val &= ~SDHCI_CTRL_TUNED_CLK;
1611 ++ sdhci_writew(host, val, SDHCI_HOST_CONTROL2);
1612 ++ }
1613 ++
1614 ++ /* DLL is only required for HS400 */
1615 ++ if (host->timing == MMC_TIMING_MMC_HS400 &&
1616 ++ !amd_host->dll_enabled) {
1617 ++ sdhci_acpi_amd_hs400_dll(host);
1618 ++ amd_host->dll_enabled = true;
1619 ++ }
1620 + }
1621 + }
1622 +
1623 ++static int amd_sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode)
1624 ++{
1625 ++ int err;
1626 ++ struct sdhci_host *host = mmc_priv(mmc);
1627 ++ struct sdhci_acpi_host *acpi_host = sdhci_priv(host);
1628 ++ struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host);
1629 ++
1630 ++ amd_host->tuned_clock = false;
1631 ++
1632 ++ err = sdhci_execute_tuning(mmc, opcode);
1633 ++
1634 ++ if (!err && !host->tuning_err)
1635 ++ amd_host->tuned_clock = true;
1636 ++
1637 ++ return err;
1638 ++}
1639 ++
1640 + static const struct sdhci_ops sdhci_acpi_ops_amd = {
1641 + .set_clock = sdhci_set_clock,
1642 + .set_bus_width = sdhci_set_bus_width,
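Review bot: `tuned_clock` and `dll_enabled` are only updated on the tuning and set_ios paths; nothing in this hunk clears them when the controller itself is reset. After a full reset the tuned-clock bit and DLL configuration in hardware are presumably gone while `dll_enabled` stays true, so `amd_set_ios()` would skip `sdhci_acpi_amd_hs400_dll()` on the next switch to HS400. A reset callback that clears both flags on `SDHCI_RESET_ALL` before calling `sdhci_reset()` would keep the cached state in step with the hardware. It would be installed as `.reset` in `sdhci_acpi_ops_amd`, whose initializer continues outside the hunk.

```c
static void amd_sdhci_reset(struct sdhci_host *host, u8 mask)
{
	struct sdhci_acpi_host *acpi_host = sdhci_priv(host);
	struct amd_sdhci_host *amd_host = sdhci_acpi_priv(acpi_host);

	/* A full reset invalidates the cached tuning/DLL state. */
	if (mask & SDHCI_RESET_ALL) {
		amd_host->tuned_clock = false;
		amd_host->dll_enabled = false;
	}

	sdhci_reset(host, mask);
}
```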
1643 +@@ -598,6 +643,7 @@ static int sdhci_acpi_emmc_amd_probe_slot(struct platform_device *pdev,
1644 +
1645 + host->mmc_host_ops.select_drive_strength = amd_select_drive_strength;
1646 + host->mmc_host_ops.set_ios = amd_set_ios;
1647 ++ host->mmc_host_ops.execute_tuning = amd_sdhci_execute_tuning;
1648 + return 0;
1649 + }
1650 +
1651 +@@ -609,6 +655,7 @@ static const struct sdhci_acpi_slot sdhci_acpi_slot_amd_emmc = {
1652 + SDHCI_QUIRK_32BIT_ADMA_SIZE,
1653 + .quirks2 = SDHCI_QUIRK2_BROKEN_64_BIT_DMA,
1654 + .probe_slot = sdhci_acpi_emmc_amd_probe_slot,
1655 ++ .priv_size = sizeof(struct amd_sdhci_host),
1656 + };
1657 +
1658 + struct sdhci_acpi_uid_slot {
1659 +diff --git a/drivers/mmc/host/sdhci-pci-core.c b/drivers/mmc/host/sdhci-pci-core.c
1660 +index 9b66e8b374ed7..425aa898e797a 100644
1661 +--- a/drivers/mmc/host/sdhci-pci-core.c
1662 ++++ b/drivers/mmc/host/sdhci-pci-core.c
1663 +@@ -232,6 +232,14 @@ static void sdhci_pci_dumpregs(struct mmc_host *mmc)
1664 + sdhci_dumpregs(mmc_priv(mmc));
1665 + }
1666 +
1667 ++static void sdhci_cqhci_reset(struct sdhci_host *host, u8 mask)
1668 ++{
1669 ++ if ((host->mmc->caps2 & MMC_CAP2_CQE) && (mask & SDHCI_RESET_ALL) &&
1670 ++ host->mmc->cqe_private)
1671 ++ cqhci_deactivate(host->mmc);
1672 ++ sdhci_reset(host, mask);
1673 ++}
1674 ++
1675 + /*****************************************************************************\
1676 + * *
1677 + * Hardware specific quirk handling *
1678 +@@ -722,7 +730,7 @@ static const struct sdhci_ops sdhci_intel_glk_ops = {
1679 + .set_power = sdhci_intel_set_power,
1680 + .enable_dma = sdhci_pci_enable_dma,
1681 + .set_bus_width = sdhci_set_bus_width,
1682 +- .reset = sdhci_reset,
1683 ++ .reset = sdhci_cqhci_reset,
1684 + .set_uhs_signaling = sdhci_set_uhs_signaling,
1685 + .hw_reset = sdhci_pci_hw_reset,
1686 + .irq = sdhci_cqhci_irq,
1687 +diff --git a/drivers/mmc/host/sdhci-tegra.c b/drivers/mmc/host/sdhci-tegra.c
1688 +index e37d271ca9636..c105356ad4cb7 100644
1689 +--- a/drivers/mmc/host/sdhci-tegra.c
1690 ++++ b/drivers/mmc/host/sdhci-tegra.c
1691 +@@ -100,6 +100,12 @@
1692 + #define NVQUIRK_DIS_CARD_CLK_CONFIG_TAP BIT(8)
1693 + #define NVQUIRK_CQHCI_DCMD_R1B_CMD_TIMING BIT(9)
1694 +
1695 ++/*
1696 ++ * NVQUIRK_HAS_TMCLK is for SoC's having separate timeout clock for Tegra
1697 ++ * SDMMC hardware data timeout.
1698 ++ */
1699 ++#define NVQUIRK_HAS_TMCLK BIT(10)
1700 ++
1701 + /* SDMMC CQE Base Address for Tegra Host Ver 4.1 and Higher */
1702 + #define SDHCI_TEGRA_CQE_BASE_ADDR 0xF000
1703 +
1704 +@@ -130,6 +136,7 @@ struct sdhci_tegra_autocal_offsets {
1705 + struct sdhci_tegra {
1706 + const struct sdhci_tegra_soc_data *soc_data;
1707 + struct gpio_desc *power_gpio;
1708 ++ struct clk *tmclk;
1709 + bool ddr_signaling;
1710 + bool pad_calib_required;
1711 + bool pad_control_available;
1712 +@@ -1385,7 +1392,8 @@ static const struct sdhci_tegra_soc_data soc_data_tegra210 = {
1713 + NVQUIRK_HAS_PADCALIB |
1714 + NVQUIRK_DIS_CARD_CLK_CONFIG_TAP |
1715 + NVQUIRK_ENABLE_SDR50 |
1716 +- NVQUIRK_ENABLE_SDR104,
1717 ++ NVQUIRK_ENABLE_SDR104 |
1718 ++ NVQUIRK_HAS_TMCLK,
1719 + .min_tap_delay = 106,
1720 + .max_tap_delay = 185,
1721 + };
1722 +@@ -1422,6 +1430,7 @@ static const struct sdhci_tegra_soc_data soc_data_tegra186 = {
1723 + NVQUIRK_DIS_CARD_CLK_CONFIG_TAP |
1724 + NVQUIRK_ENABLE_SDR50 |
1725 + NVQUIRK_ENABLE_SDR104 |
1726 ++ NVQUIRK_HAS_TMCLK |
1727 + NVQUIRK_CQHCI_DCMD_R1B_CMD_TIMING,
1728 + .min_tap_delay = 84,
1729 + .max_tap_delay = 136,
1730 +@@ -1434,7 +1443,8 @@ static const struct sdhci_tegra_soc_data soc_data_tegra194 = {
1731 + NVQUIRK_HAS_PADCALIB |
1732 + NVQUIRK_DIS_CARD_CLK_CONFIG_TAP |
1733 + NVQUIRK_ENABLE_SDR50 |
1734 +- NVQUIRK_ENABLE_SDR104,
1735 ++ NVQUIRK_ENABLE_SDR104 |
1736 ++ NVQUIRK_HAS_TMCLK,
1737 + .min_tap_delay = 96,
1738 + .max_tap_delay = 139,
1739 + };
1740 +@@ -1562,6 +1572,43 @@ static int sdhci_tegra_probe(struct platform_device *pdev)
1741 + goto err_power_req;
1742 + }
1743 +
1744 ++ /*
1745 ++ * Tegra210 has a separate SDMMC_LEGACY_TM clock used for host
1746 ++ * timeout clock and SW can choose TMCLK or SDCLK for hardware
1747 ++ * data timeout through the bit USE_TMCLK_FOR_DATA_TIMEOUT of
1748 ++ * the register SDHCI_TEGRA_VENDOR_SYS_SW_CTRL.
1749 ++ *
1750 ++ * USE_TMCLK_FOR_DATA_TIMEOUT bit default is set to 1 and SDMMC uses
1751 ++ * 12Mhz TMCLK which is advertised in host capability register.
1752 ++ * With TMCLK of 12Mhz provides maximum data timeout period that can
1753 ++ * be achieved is 11s better than using SDCLK for data timeout.
1754 ++ *
1755 ++ * So, TMCLK is set to 12Mhz and kept enabled all the time on SoC's
1756 ++ * supporting separate TMCLK.
1757 ++ */
1758 ++
1759 ++ if (soc_data->nvquirks & NVQUIRK_HAS_TMCLK) {
1760 ++ clk = devm_clk_get(&pdev->dev, "tmclk");
1761 ++ if (IS_ERR(clk)) {
1762 ++ rc = PTR_ERR(clk);
1763 ++ if (rc == -EPROBE_DEFER)
1764 ++ goto err_power_req;
1765 ++
1766 ++ dev_warn(&pdev->dev, "failed to get tmclk: %d\n", rc);
1767 ++ clk = NULL;
1768 ++ }
1769 ++
1770 ++ clk_set_rate(clk, 12000000);
1771 ++ rc = clk_prepare_enable(clk);
1772 ++ if (rc) {
1773 ++ dev_err(&pdev->dev,
1774 ++ "failed to enable tmclk: %d\n", rc);
1775 ++ goto err_power_req;
1776 ++ }
1777 ++
1778 ++ tegra_host->tmclk = clk;
1779 ++ }
1780 ++
1781 + clk = devm_clk_get(mmc_dev(host->mmc), NULL);
1782 + if (IS_ERR(clk)) {
1783 + rc = PTR_ERR(clk);
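Review bot: The return value of `clk_set_rate(clk, 12000000)` in the new NVQUIRK_HAS_TMCLK block is discarded, so a failed rate change still leaves tmclk enabled at whatever rate it already had. The comment above the block says the host capability register advertises 12 MHz, so data-timeout calculations would presumably then be based on a clock that does not match. Check the result and at least warn, e.g. `rc = clk_set_rate(clk, 12000000);` followed by `if (rc) dev_warn(&pdev->dev, "failed to set tmclk rate: %d\n", rc);`. sdhci_tegra_probe starts and ends outside this hunk.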
1784 +@@ -1605,6 +1652,7 @@ err_add_host:
1785 + err_rst_get:
1786 + clk_disable_unprepare(pltfm_host->clk);
1787 + err_clk_get:
1788 ++ clk_disable_unprepare(tegra_host->tmclk);
1789 + err_power_req:
1790 + err_parse_dt:
1791 + sdhci_pltfm_free(pdev);
1792 +@@ -1622,6 +1670,7 @@ static int sdhci_tegra_remove(struct platform_device *pdev)
1793 + reset_control_assert(tegra_host->rst);
1794 + usleep_range(2000, 4000);
1795 + clk_disable_unprepare(pltfm_host->clk);
1796 ++ clk_disable_unprepare(tegra_host->tmclk);
1797 +
1798 + sdhci_pltfm_free(pdev);
1799 +
1800 +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
1801 +index 8d50aacd19e51..84c4319e3b31f 100644
1802 +--- a/drivers/net/dsa/microchip/ksz8795.c
1803 ++++ b/drivers/net/dsa/microchip/ksz8795.c
1804 +@@ -1270,9 +1270,6 @@ static int ksz8795_switch_init(struct ksz_device *dev)
1805 + /* set the real number of ports */
1806 + dev->ds->num_ports = dev->port_cnt;
1807 +
1808 +- /* set the real number of ports */
1809 +- dev->ds->num_ports = dev->port_cnt;
1810 +-
1811 + return 0;
1812 + }
1813 +
1814 +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c
1815 +index b15da9a8e3bb9..49ab1346dc3f7 100644
1816 +--- a/drivers/net/dsa/microchip/ksz9477.c
1817 ++++ b/drivers/net/dsa/microchip/ksz9477.c
1818 +@@ -515,9 +515,6 @@ static int ksz9477_port_vlan_filtering(struct dsa_switch *ds, int port,
1819 + PORT_VLAN_LOOKUP_VID_0, false);
1820 + }
1821 +
1822 +- /* set the real number of ports */
1823 +- dev->ds->num_ports = dev->port_cnt;
1824 +-
1825 + return 0;
1826 + }
1827 +
1828 +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
1829 +index dc9a3bb241149..00d680cb44418 100644
1830 +--- a/drivers/net/dsa/mt7530.c
1831 ++++ b/drivers/net/dsa/mt7530.c
1832 +@@ -1456,7 +1456,7 @@ unsupported:
1833 + phylink_set(mask, 100baseT_Full);
1834 +
1835 + if (state->interface != PHY_INTERFACE_MODE_MII) {
1836 +- phylink_set(mask, 1000baseT_Half);
1837 ++ /* This switch only supports 1G full-duplex. */
1838 + phylink_set(mask, 1000baseT_Full);
1839 + if (port == 5)
1840 + phylink_set(mask, 1000baseX_Full);
1841 +diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c
1842 +index 0187dbf3b87df..54cdafdd067db 100644
1843 +--- a/drivers/net/ethernet/arc/emac_mdio.c
1844 ++++ b/drivers/net/ethernet/arc/emac_mdio.c
1845 +@@ -153,6 +153,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv)
1846 + if (IS_ERR(data->reset_gpio)) {
1847 + error = PTR_ERR(data->reset_gpio);
1848 + dev_err(priv->dev, "Failed to request gpio: %d\n", error);
1849 ++ mdiobus_free(bus);
1850 + return error;
1851 + }
1852 +
1853 +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
1854 +index 4dfdb5a58025b..71eb8914e620b 100644
1855 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c
1856 ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
1857 +@@ -2453,8 +2453,10 @@ static int bcm_sysport_probe(struct platform_device *pdev)
1858 + priv->tx_rings = devm_kcalloc(&pdev->dev, txq,
1859 + sizeof(struct bcm_sysport_tx_ring),
1860 + GFP_KERNEL);
1861 +- if (!priv->tx_rings)
1862 +- return -ENOMEM;
1863 ++ if (!priv->tx_rings) {
1864 ++ ret = -ENOMEM;
1865 ++ goto err_free_netdev;
1866 ++ }
1867 +
1868 + priv->is_lite = params->is_lite;
1869 + priv->num_rx_desc_words = params->num_rx_desc_words;
1870 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
1871 +index 2cbfe0cd7eefa..4030020f92be5 100644
1872 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
1873 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
1874 +@@ -1143,6 +1143,9 @@ static int bnxt_discard_rx(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
1875 +
1876 + static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay)
1877 + {
1878 ++ if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)))
1879 ++ return;
1880 ++
1881 + if (BNXT_PF(bp))
1882 + queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay);
1883 + else
1884 +@@ -1159,10 +1162,12 @@ static void bnxt_queue_sp_work(struct bnxt *bp)
1885 +
1886 + static void bnxt_cancel_sp_work(struct bnxt *bp)
1887 + {
1888 +- if (BNXT_PF(bp))
1889 ++ if (BNXT_PF(bp)) {
1890 + flush_workqueue(bnxt_pf_wq);
1891 +- else
1892 ++ } else {
1893 + cancel_work_sync(&bp->sp_task);
1894 ++ cancel_delayed_work_sync(&bp->fw_reset_task);
1895 ++ }
1896 + }
1897 +
1898 + static void bnxt_sched_reset(struct bnxt *bp, struct bnxt_rx_ring_info *rxr)
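Review bot: The PF branch of bnxt_cancel_sp_work() still only calls `flush_workqueue(bnxt_pf_wq)`, which does not cancel a delayed `fw_reset_task` whose timer has not fired yet; only the VF branch gained `cancel_delayed_work_sync()`. If a reset was queued with a delay shortly before removal, that work could presumably run after teardown has released state it touches. Calling `cancel_delayed_work_sync(&bp->fw_reset_task);` for PFs as well would close that window. The `clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state)` added to bnxt_remove_one() in a later hunk stops new queueing but does not remove work that is already pending.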
1899 +@@ -8933,16 +8938,19 @@ static ssize_t bnxt_show_temp(struct device *dev,
1900 + struct hwrm_temp_monitor_query_input req = {0};
1901 + struct hwrm_temp_monitor_query_output *resp;
1902 + struct bnxt *bp = dev_get_drvdata(dev);
1903 +- u32 temp = 0;
1904 ++ u32 len = 0;
1905 +
1906 + resp = bp->hwrm_cmd_resp_addr;
1907 + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1);
1908 + mutex_lock(&bp->hwrm_cmd_lock);
1909 +- if (!_hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT))
1910 +- temp = resp->temp * 1000; /* display millidegree */
1911 ++ if (!_hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT))
1912 ++ len = sprintf(buf, "%u\n", resp->temp * 1000); /* display millidegree */
1913 + mutex_unlock(&bp->hwrm_cmd_lock);
1914 +
1915 +- return sprintf(buf, "%u\n", temp);
1916 ++ if (len)
1917 ++ return len;
1918 ++
1919 ++ return sprintf(buf, "unknown\n");
1920 + }
1921 + static SENSOR_DEVICE_ATTR(temp1_input, 0444, bnxt_show_temp, NULL, 0);
1922 +
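Review bot: On a failed firmware query the new code writes the string `unknown` into the hwmon `temp1_input` attribute and returns success, which drops the error from `_hwrm_send_message_silent()` and gives monitoring tools non-numeric data where they expect a number. Keep the return code in an `int rc` and propagate it: `rc = _hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);` and, after the unlock, `return rc ? rc : len;` (assuming the helper returns a negative errno on failure). The `len` local also stores sprintf()'s int result in a `u32`; an `int` would match the value being returned. The function's signature lies outside this hunk.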
1923 +@@ -9124,15 +9132,15 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
1924 + }
1925 + }
1926 +
1927 +- bnxt_enable_napi(bp);
1928 +- bnxt_debug_dev_init(bp);
1929 +-
1930 + rc = bnxt_init_nic(bp, irq_re_init);
1931 + if (rc) {
1932 + netdev_err(bp->dev, "bnxt_init_nic err: %x\n", rc);
1933 +- goto open_err;
1934 ++ goto open_err_irq;
1935 + }
1936 +
1937 ++ bnxt_enable_napi(bp);
1938 ++ bnxt_debug_dev_init(bp);
1939 ++
1940 + if (link_re_init) {
1941 + mutex_lock(&bp->link_lock);
1942 + rc = bnxt_update_phy_setting(bp);
1943 +@@ -9163,10 +9171,6 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
1944 + bnxt_vf_reps_open(bp);
1945 + return 0;
1946 +
1947 +-open_err:
1948 +- bnxt_debug_dev_exit(bp);
1949 +- bnxt_disable_napi(bp);
1950 +-
1951 + open_err_irq:
1952 + bnxt_del_napi(bp);
1953 +
1954 +@@ -11386,6 +11390,7 @@ static void bnxt_remove_one(struct pci_dev *pdev)
1955 + unregister_netdev(dev);
1956 + bnxt_dl_unregister(bp);
1957 + bnxt_shutdown_tc(bp);
1958 ++ clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);
1959 + bnxt_cancel_sp_work(bp);
1960 + bp->sp_event = 0;
1961 +
1962 +@@ -11900,6 +11905,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
1963 + (long)pci_resource_start(pdev, 0), dev->dev_addr);
1964 + pcie_print_link_status(pdev);
1965 +
1966 ++ pci_save_state(pdev);
1967 + return 0;
1968 +
1969 + init_err_cleanup:
1970 +@@ -12066,6 +12072,8 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev)
1971 + "Cannot re-enable PCI device after reset.\n");
1972 + } else {
1973 + pci_set_master(pdev);
1974 ++ pci_restore_state(pdev);
1975 ++ pci_save_state(pdev);
1976 +
1977 + err = bnxt_hwrm_func_reset(bp);
1978 + if (!err && netif_running(netdev))
1979 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1980 +index 1f512e7c3d434..fd01bcc8e28d4 100644
1981 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1982 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1983 +@@ -769,7 +769,7 @@ static void bnxt_get_channels(struct net_device *dev,
1984 + int max_tx_sch_inputs;
1985 +
1986 + /* Get the most up-to-date max_tx_sch_inputs. */
1987 +- if (BNXT_NEW_RM(bp))
1988 ++ if (netif_running(dev) && BNXT_NEW_RM(bp))
1989 + bnxt_hwrm_func_resc_qcaps(bp, false);
1990 + max_tx_sch_inputs = hw_resc->max_tx_sch_inputs;
1991 +
1992 +@@ -2161,6 +2161,9 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data)
1993 + if (rc != 0)
1994 + return rc;
1995 +
1996 ++ if (!dir_entries || !entry_length)
1997 ++ return -EIO;
1998 ++
1999 + /* Insert 2 bytes of directory info (count and size of entries) */
2000 + if (len < 2)
2001 + return -EINVAL;
2002 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
2003 +index e12ba81288e64..70bd79dc43f2e 100644
2004 +--- a/drivers/net/ethernet/broadcom/tg3.c
2005 ++++ b/drivers/net/ethernet/broadcom/tg3.c
2006 +@@ -7227,8 +7227,8 @@ static inline void tg3_reset_task_schedule(struct tg3 *tp)
2007 +
2008 + static inline void tg3_reset_task_cancel(struct tg3 *tp)
2009 + {
2010 +- cancel_work_sync(&tp->reset_task);
2011 +- tg3_flag_clear(tp, RESET_TASK_PENDING);
2012 ++ if (test_and_clear_bit(TG3_FLAG_RESET_TASK_PENDING, tp->tg3_flags))
2013 ++ cancel_work_sync(&tp->reset_task);
2014 + tg3_flag_clear(tp, TX_RECOVERY_PENDING);
2015 + }
2016 +
2017 +@@ -11219,18 +11219,27 @@ static void tg3_reset_task(struct work_struct *work)
2018 +
2019 + tg3_halt(tp, RESET_KIND_SHUTDOWN, 0);
2020 + err = tg3_init_hw(tp, true);
2021 +- if (err)
2022 ++ if (err) {
2023 ++ tg3_full_unlock(tp);
2024 ++ tp->irq_sync = 0;
2025 ++ tg3_napi_enable(tp);
2026 ++ /* Clear this flag so that tg3_reset_task_cancel() will not
2027 ++ * call cancel_work_sync() and wait forever.
2028 ++ */
2029 ++ tg3_flag_clear(tp, RESET_TASK_PENDING);
2030 ++ dev_close(tp->dev);
2031 + goto out;
2032 ++ }
2033 +
2034 + tg3_netif_start(tp);
2035 +
2036 +-out:
2037 + tg3_full_unlock(tp);
2038 +
2039 + if (!err)
2040 + tg3_phy_start(tp);
2041 +
2042 + tg3_flag_clear(tp, RESET_TASK_PENDING);
2043 ++out:
2044 + rtnl_unlock();
2045 + }
2046 +
2047 +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c
2048 +index 3de8a5e83b6c7..d7fefdbf3e575 100644
2049 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c
2050 ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_thermal.c
2051 +@@ -62,6 +62,7 @@ static struct thermal_zone_device_ops cxgb4_thermal_ops = {
2052 + int cxgb4_thermal_init(struct adapter *adap)
2053 + {
2054 + struct ch_thermal *ch_thermal = &adap->ch_thermal;
2055 ++ char ch_tz_name[THERMAL_NAME_LENGTH];
2056 + int num_trip = CXGB4_NUM_TRIPS;
2057 + u32 param, val;
2058 + int ret;
2059 +@@ -82,7 +83,8 @@ int cxgb4_thermal_init(struct adapter *adap)
2060 + ch_thermal->trip_type = THERMAL_TRIP_CRITICAL;
2061 + }
2062 +
2063 +- ch_thermal->tzdev = thermal_zone_device_register("cxgb4", num_trip,
2064 ++ snprintf(ch_tz_name, sizeof(ch_tz_name), "cxgb4_%s", adap->name);
2065 ++ ch_thermal->tzdev = thermal_zone_device_register(ch_tz_name, num_trip,
2066 + 0, adap,
2067 + &cxgb4_thermal_ops,
2068 + NULL, 0, 0);
2069 +@@ -97,7 +99,9 @@ int cxgb4_thermal_init(struct adapter *adap)
2070 +
2071 + int cxgb4_thermal_remove(struct adapter *adap)
2072 + {
2073 +- if (adap->ch_thermal.tzdev)
2074 ++ if (adap->ch_thermal.tzdev) {
2075 + thermal_zone_device_unregister(adap->ch_thermal.tzdev);
2076 ++ adap->ch_thermal.tzdev = NULL;
2077 ++ }
2078 + return 0;
2079 + }
2080 +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
2081 +index 28d4c54505f9a..c9fb1ec625d8b 100644
2082 +--- a/drivers/net/ethernet/cortina/gemini.c
2083 ++++ b/drivers/net/ethernet/cortina/gemini.c
2084 +@@ -2445,8 +2445,8 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
2085 + port->reset = devm_reset_control_get_exclusive(dev, NULL);
2086 + if (IS_ERR(port->reset)) {
2087 + dev_err(dev, "no reset\n");
2088 +- clk_disable_unprepare(port->pclk);
2089 +- return PTR_ERR(port->reset);
2090 ++ ret = PTR_ERR(port->reset);
2091 ++ goto unprepare;
2092 + }
2093 + reset_control_reset(port->reset);
2094 + usleep_range(100, 500);
2095 +@@ -2501,25 +2501,25 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
2096 + IRQF_SHARED,
2097 + port_names[port->id],
2098 + port);
2099 +- if (ret) {
2100 +- clk_disable_unprepare(port->pclk);
2101 +- return ret;
2102 +- }
2103 ++ if (ret)
2104 ++ goto unprepare;
2105 +
2106 + ret = register_netdev(netdev);
2107 +- if (!ret) {
2108 ++ if (ret)
2109 ++ goto unprepare;
2110 ++
2111 ++ netdev_info(netdev,
2112 ++ "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n",
2113 ++ port->irq, &dmares->start,
2114 ++ &gmacres->start);
2115 ++ ret = gmac_setup_phy(netdev);
2116 ++ if (ret)
2117 + netdev_info(netdev,
2118 +- "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n",
2119 +- port->irq, &dmares->start,
2120 +- &gmacres->start);
2121 +- ret = gmac_setup_phy(netdev);
2122 +- if (ret)
2123 +- netdev_info(netdev,
2124 +- "PHY init failed, deferring to ifup time\n");
2125 +- return 0;
2126 +- }
2127 ++ "PHY init failed, deferring to ifup time\n");
2128 ++ return 0;
2129 +
2130 +- port->netdev = NULL;
2131 ++unprepare:
2132 ++ clk_disable_unprepare(port->pclk);
2133 + return ret;
2134 + }
2135 +
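Review bot: The new `unprepare` label only calls `clk_disable_unprepare(port->pclk)`, so a failure of `request_threaded_irq()` or `register_netdev()` returns without releasing the net device. If the netdev is allocated earlier in this probe without a devm helper (the allocation is outside the hunk), the error path leaks it; adding `free_netdev(netdev);` after the clock is disabled would cover that. The earlier hunk at `devm_reset_control_get_exclusive()` jumps to the same label and would get the same cleanup. The removed `port->netdev = NULL;` has no replacement, which is harmless only if `port` does not outlive the failed probe.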
2136 +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
2137 +index eb69e5c81a4d0..6d5d53cfc7ab4 100644
2138 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
2139 ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
2140 +@@ -2296,8 +2296,10 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
2141 + priv->enet_ver = AE_VERSION_1;
2142 + else if (acpi_dev_found(hns_enet_acpi_match[1].id))
2143 + priv->enet_ver = AE_VERSION_2;
2144 +- else
2145 +- return -ENXIO;
2146 ++ else {
2147 ++ ret = -ENXIO;
2148 ++ goto out_read_prop_fail;
2149 ++ }
2150 +
2151 + /* try to find port-idx-in-ae first */
2152 + ret = acpi_node_get_property_reference(dev->fwnode,
2153 +@@ -2313,7 +2315,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
2154 + priv->fwnode = args.fwnode;
2155 + } else {
2156 + dev_err(dev, "cannot read cfg data from OF or acpi\n");
2157 +- return -ENXIO;
2158 ++ ret = -ENXIO;
2159 ++ goto out_read_prop_fail;
2160 + }
2161 +
2162 + ret = device_property_read_u32(dev, "port-idx-in-ae", &port_id);
2163 +diff --git a/drivers/net/ethernet/mellanox/mlx4/mr.c b/drivers/net/ethernet/mellanox/mlx4/mr.c
2164 +index 1a11bc0e16123..cfa0bba3940fb 100644
2165 +--- a/drivers/net/ethernet/mellanox/mlx4/mr.c
2166 ++++ b/drivers/net/ethernet/mellanox/mlx4/mr.c
2167 +@@ -114,7 +114,7 @@ static int mlx4_buddy_init(struct mlx4_buddy *buddy, int max_order)
2168 + goto err_out;
2169 +
2170 + for (i = 0; i <= buddy->max_order; ++i) {
2171 +- s = BITS_TO_LONGS(1 << (buddy->max_order - i));
2172 ++ s = BITS_TO_LONGS(1UL << (buddy->max_order - i));
2173 + buddy->bits[i] = kvmalloc_array(s, sizeof(long), GFP_KERNEL | __GFP_ZERO);
2174 + if (!buddy->bits[i])
2175 + goto err_out_free;
2176 +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
2177 +index 30cdabf64ccc1..907ae1359a7c1 100644
2178 +--- a/drivers/net/ethernet/renesas/ravb_main.c
2179 ++++ b/drivers/net/ethernet/renesas/ravb_main.c
2180 +@@ -1336,6 +1336,51 @@ static inline int ravb_hook_irq(unsigned int irq, irq_handler_t handler,
2181 + return error;
2182 + }
2183 +
2184 ++/* MDIO bus init function */
2185 ++static int ravb_mdio_init(struct ravb_private *priv)
2186 ++{
2187 ++ struct platform_device *pdev = priv->pdev;
2188 ++ struct device *dev = &pdev->dev;
2189 ++ int error;
2190 ++
2191 ++ /* Bitbang init */
2192 ++ priv->mdiobb.ops = &bb_ops;
2193 ++
2194 ++ /* MII controller setting */
2195 ++ priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb);
2196 ++ if (!priv->mii_bus)
2197 ++ return -ENOMEM;
2198 ++
2199 ++ /* Hook up MII support for ethtool */
2200 ++ priv->mii_bus->name = "ravb_mii";
2201 ++ priv->mii_bus->parent = dev;
2202 ++ snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x",
2203 ++ pdev->name, pdev->id);
2204 ++
2205 ++ /* Register MDIO bus */
2206 ++ error = of_mdiobus_register(priv->mii_bus, dev->of_node);
2207 ++ if (error)
2208 ++ goto out_free_bus;
2209 ++
2210 ++ return 0;
2211 ++
2212 ++out_free_bus:
2213 ++ free_mdio_bitbang(priv->mii_bus);
2214 ++ return error;
2215 ++}
2216 ++
2217 ++/* MDIO bus release function */
2218 ++static int ravb_mdio_release(struct ravb_private *priv)
2219 ++{
2220 ++ /* Unregister mdio bus */
2221 ++ mdiobus_unregister(priv->mii_bus);
2222 ++
2223 ++ /* Free bitbang info */
2224 ++ free_mdio_bitbang(priv->mii_bus);
2225 ++
2226 ++ return 0;
2227 ++}
2228 ++
2229 + /* Network device open function for Ethernet AVB */
2230 + static int ravb_open(struct net_device *ndev)
2231 + {
2232 +@@ -1344,6 +1389,13 @@ static int ravb_open(struct net_device *ndev)
2233 + struct device *dev = &pdev->dev;
2234 + int error;
2235 +
2236 ++ /* MDIO bus init */
2237 ++ error = ravb_mdio_init(priv);
2238 ++ if (error) {
2239 ++ netdev_err(ndev, "failed to initialize MDIO\n");
2240 ++ return error;
2241 ++ }
2242 ++
2243 + napi_enable(&priv->napi[RAVB_BE]);
2244 + napi_enable(&priv->napi[RAVB_NC]);
2245 +
2246 +@@ -1421,6 +1473,7 @@ out_free_irq:
2247 + out_napi_off:
2248 + napi_disable(&priv->napi[RAVB_NC]);
2249 + napi_disable(&priv->napi[RAVB_BE]);
2250 ++ ravb_mdio_release(priv);
2251 + return error;
2252 + }
2253 +
2254 +@@ -1730,6 +1783,8 @@ static int ravb_close(struct net_device *ndev)
2255 + ravb_ring_free(ndev, RAVB_BE);
2256 + ravb_ring_free(ndev, RAVB_NC);
2257 +
2258 ++ ravb_mdio_release(priv);
2259 ++
2260 + return 0;
2261 + }
2262 +
2263 +@@ -1881,51 +1936,6 @@ static const struct net_device_ops ravb_netdev_ops = {
2264 + .ndo_set_features = ravb_set_features,
2265 + };
2266 +
2267 +-/* MDIO bus init function */
2268 +-static int ravb_mdio_init(struct ravb_private *priv)
2269 +-{
2270 +- struct platform_device *pdev = priv->pdev;
2271 +- struct device *dev = &pdev->dev;
2272 +- int error;
2273 +-
2274 +- /* Bitbang init */
2275 +- priv->mdiobb.ops = &bb_ops;
2276 +-
2277 +- /* MII controller setting */
2278 +- priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb);
2279 +- if (!priv->mii_bus)
2280 +- return -ENOMEM;
2281 +-
2282 +- /* Hook up MII support for ethtool */
2283 +- priv->mii_bus->name = "ravb_mii";
2284 +- priv->mii_bus->parent = dev;
2285 +- snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x",
2286 +- pdev->name, pdev->id);
2287 +-
2288 +- /* Register MDIO bus */
2289 +- error = of_mdiobus_register(priv->mii_bus, dev->of_node);
2290 +- if (error)
2291 +- goto out_free_bus;
2292 +-
2293 +- return 0;
2294 +-
2295 +-out_free_bus:
2296 +- free_mdio_bitbang(priv->mii_bus);
2297 +- return error;
2298 +-}
2299 +-
2300 +-/* MDIO bus release function */
2301 +-static int ravb_mdio_release(struct ravb_private *priv)
2302 +-{
2303 +- /* Unregister mdio bus */
2304 +- mdiobus_unregister(priv->mii_bus);
2305 +-
2306 +- /* Free bitbang info */
2307 +- free_mdio_bitbang(priv->mii_bus);
2308 +-
2309 +- return 0;
2310 +-}
2311 +-
2312 + static const struct of_device_id ravb_match_table[] = {
2313 + { .compatible = "renesas,etheravb-r8a7790", .data = (void *)RCAR_GEN2 },
2314 + { .compatible = "renesas,etheravb-r8a7794", .data = (void *)RCAR_GEN2 },
2315 +@@ -2166,13 +2176,6 @@ static int ravb_probe(struct platform_device *pdev)
2316 + eth_hw_addr_random(ndev);
2317 + }
2318 +
2319 +- /* MDIO bus init */
2320 +- error = ravb_mdio_init(priv);
2321 +- if (error) {
2322 +- dev_err(&pdev->dev, "failed to initialize MDIO\n");
2323 +- goto out_dma_free;
2324 +- }
2325 +-
2326 + netif_napi_add(ndev, &priv->napi[RAVB_BE], ravb_poll, 64);
2327 + netif_napi_add(ndev, &priv->napi[RAVB_NC], ravb_poll, 64);
2328 +
2329 +@@ -2194,8 +2197,6 @@ static int ravb_probe(struct platform_device *pdev)
2330 + out_napi_del:
2331 + netif_napi_del(&priv->napi[RAVB_NC]);
2332 + netif_napi_del(&priv->napi[RAVB_BE]);
2333 +- ravb_mdio_release(priv);
2334 +-out_dma_free:
2335 + dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
2336 + priv->desc_bat_dma);
2337 +
2338 +@@ -2227,7 +2228,6 @@ static int ravb_remove(struct platform_device *pdev)
2339 + unregister_netdev(ndev);
2340 + netif_napi_del(&priv->napi[RAVB_NC]);
2341 + netif_napi_del(&priv->napi[RAVB_BE]);
2342 +- ravb_mdio_release(priv);
2343 + pm_runtime_disable(&pdev->dev);
2344 + free_netdev(ndev);
2345 + platform_set_drvdata(pdev, NULL);
2346 +diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
2347 +index 39df8c8feb6ce..e7b4d93e3f288 100644
2348 +--- a/drivers/net/ethernet/ti/cpsw.c
2349 ++++ b/drivers/net/ethernet/ti/cpsw.c
2350 +@@ -2209,7 +2209,7 @@ static int cpsw_ndo_vlan_rx_kill_vid(struct net_device *ndev,
2351 + HOST_PORT_NUM, ALE_VLAN, vid);
2352 + ret |= cpsw_ale_del_mcast(cpsw->ale, priv->ndev->broadcast,
2353 + 0, ALE_VLAN, vid);
2354 +- ret |= cpsw_ale_flush_multicast(cpsw->ale, 0, vid);
2355 ++ ret |= cpsw_ale_flush_multicast(cpsw->ale, ALE_PORT_HOST, vid);
2356 + err:
2357 + pm_runtime_put(cpsw->dev);
2358 + return ret;
2359 +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
2360 +index d89ec99abcd63..634bdea38ecb3 100644
2361 +--- a/drivers/net/gtp.c
2362 ++++ b/drivers/net/gtp.c
2363 +@@ -1182,6 +1182,7 @@ static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq,
2364 + goto nlmsg_failure;
2365 +
2366 + if (nla_put_u32(skb, GTPA_VERSION, pctx->gtp_version) ||
2367 ++ nla_put_u32(skb, GTPA_LINK, pctx->dev->ifindex) ||
2368 + nla_put_be32(skb, GTPA_PEER_ADDRESS, pctx->peer_addr_ip4.s_addr) ||
2369 + nla_put_be32(skb, GTPA_MS_ADDRESS, pctx->ms_addr_ip4.s_addr))
2370 + goto nla_put_failure;
2371 +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
2372 +index e39f41efda3ec..7bc6e8f856fe0 100644
2373 +--- a/drivers/net/usb/asix_common.c
2374 ++++ b/drivers/net/usb/asix_common.c
2375 +@@ -296,7 +296,7 @@ int asix_read_phy_addr(struct usbnet *dev, int internal)
2376 +
2377 + netdev_dbg(dev->net, "asix_get_phy_addr()\n");
2378 +
2379 +- if (ret < 0) {
2380 ++ if (ret < 2) {
2381 + netdev_err(dev->net, "Error reading PHYID register: %02x\n", ret);
2382 + goto out;
2383 + }
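Review bot: With the check widened to `ret < 2`, a short read of 0 or 1 bytes now jumps to `out` with a non-negative `ret`. If that label simply returns `ret` (it is outside this hunk), the caller receives 0 or 1 and may treat it as a valid PHY address taken from a buffer the device never filled. Turn the short-read case into an error before the jump, e.g. `if (ret >= 0) ret = -EIO;` ahead of `goto out;`. The message also prints `ret` with `%02x`, which makes a negative errno hard to read; `%d` would be clearer.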
2384 +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
2385 +index ff5681da8780d..3cb017fa3a790 100644
2386 +--- a/drivers/nvme/host/core.c
2387 ++++ b/drivers/nvme/host/core.c
2388 +@@ -4012,7 +4012,7 @@ static void nvme_free_ctrl(struct device *dev)
2389 + container_of(dev, struct nvme_ctrl, ctrl_device);
2390 + struct nvme_subsystem *subsys = ctrl->subsys;
2391 +
2392 +- if (subsys && ctrl->instance != subsys->instance)
2393 ++ if (!subsys || ctrl->instance != subsys->instance)
2394 + ida_simple_remove(&nvme_instance_ida, ctrl->instance);
2395 +
2396 + kfree(ctrl->effects);
2397 +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
2398 +index 57a4062cbb59e..7d7176369edf7 100644
2399 +--- a/drivers/nvme/target/core.c
2400 ++++ b/drivers/nvme/target/core.c
2401 +@@ -369,6 +369,9 @@ static void nvmet_keep_alive_timer(struct work_struct *work)
2402 +
2403 + static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl)
2404 + {
2405 ++ if (unlikely(ctrl->kato == 0))
2406 ++ return;
2407 ++
2408 + pr_debug("ctrl %d start keep-alive timer for %d secs\n",
2409 + ctrl->cntlid, ctrl->kato);
2410 +
2411 +@@ -378,6 +381,9 @@ static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl)
2412 +
2413 + static void nvmet_stop_keep_alive_timer(struct nvmet_ctrl *ctrl)
2414 + {
2415 ++ if (unlikely(ctrl->kato == 0))
2416 ++ return;
2417 ++
2418 + pr_debug("ctrl %d stop keep-alive\n", ctrl->cntlid);
2419 +
2420 + cancel_delayed_work_sync(&ctrl->ka_work);
2421 +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c
2422 +index ce8d819f86ccc..fc35f7ae67b0a 100644
2423 +--- a/drivers/nvme/target/fc.c
2424 ++++ b/drivers/nvme/target/fc.c
2425 +@@ -1994,9 +1994,9 @@ nvmet_fc_fod_op_done(struct nvmet_fc_fcp_iod *fod)
2426 + return;
2427 + if (fcpreq->fcp_error ||
2428 + fcpreq->transferred_length != fcpreq->transfer_length) {
2429 +- spin_lock(&fod->flock);
2430 ++ spin_lock_irqsave(&fod->flock, flags);
2431 + fod->abort = true;
2432 +- spin_unlock(&fod->flock);
2433 ++ spin_unlock_irqrestore(&fod->flock, flags);
2434 +
2435 + nvmet_req_complete(&fod->req, NVME_SC_INTERNAL);
2436 + return;
2437 +diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
2438 +index 3439f6ad63380..e80e82a276e93 100644
2439 +--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
2440 ++++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
2441 +@@ -159,6 +159,7 @@ static int cedrus_request_validate(struct media_request *req)
2442 + struct v4l2_ctrl *ctrl_test;
2443 + unsigned int count;
2444 + unsigned int i;
2445 ++ int ret = 0;
2446 +
2447 + list_for_each_entry(obj, &req->objects, list) {
2448 + struct vb2_buffer *vb;
2449 +@@ -203,12 +204,16 @@ static int cedrus_request_validate(struct media_request *req)
2450 + if (!ctrl_test) {
2451 + v4l2_info(&ctx->dev->v4l2_dev,
2452 + "Missing required codec control\n");
2453 +- return -ENOENT;
2454 ++ ret = -ENOENT;
2455 ++ break;
2456 + }
2457 + }
2458 +
2459 + v4l2_ctrl_request_hdl_put(hdl);
2460 +
2461 ++ if (ret)
2462 ++ return ret;
2463 ++
2464 + return vb2_request_validate(req);
2465 + }
2466 +
2467 +diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
2468 +index bf7bae42c141c..6dc879fea9c8a 100644
2469 +--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
2470 ++++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
2471 +@@ -1,6 +1,6 @@
2472 + // SPDX-License-Identifier: GPL-2.0-only
2473 + /*
2474 +- * Copyright (c) 2011-2015, 2017, The Linux Foundation. All rights reserved.
2475 ++ * Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved.
2476 + */
2477 +
2478 + #include <linux/bitops.h>
2479 +@@ -191,7 +191,7 @@ static int qpnp_tm_get_temp(void *data, int *temp)
2480 + chip->temp = mili_celsius;
2481 + }
2482 +
2483 +- *temp = chip->temp < 0 ? 0 : chip->temp;
2484 ++ *temp = chip->temp;
2485 +
2486 + return 0;
2487 + }
2488 +diff --git a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
2489 +index 63b02bfb2adf6..fdb8a495ab69a 100644
2490 +--- a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
2491 ++++ b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
2492 +@@ -37,20 +37,21 @@ static struct temp_sensor_data omap4430_mpu_temp_sensor_data = {
2493 +
2494 + /*
2495 + * Temperature values in milli degree celsius
2496 +- * ADC code values from 530 to 923
2497 ++ * ADC code values from 13 to 107, see TRM
2498 ++ * "18.4.10.2.3 ADC Codes Versus Temperature".
2499 + */
2500 + static const int
2501 + omap4430_adc_to_temp[OMAP4430_ADC_END_VALUE - OMAP4430_ADC_START_VALUE + 1] = {
2502 +- -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, -22000,
2503 +- -20000, -18000, -17000, -15000, -13000, -12000, -10000, -8000, -6000,
2504 +- -5000, -3000, -1000, 0, 2000, 3000, 5000, 6000, 8000, 10000, 12000,
2505 +- 13000, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28000, 30000,
2506 +- 32000, 33000, 35000, 37000, 38000, 40000, 42000, 43000, 45000, 47000,
2507 +- 48000, 50000, 52000, 53000, 55000, 57000, 58000, 60000, 62000, 64000,
2508 +- 66000, 68000, 70000, 71000, 73000, 75000, 77000, 78000, 80000, 82000,
2509 +- 83000, 85000, 87000, 88000, 90000, 92000, 93000, 95000, 97000, 98000,
2510 +- 100000, 102000, 103000, 105000, 107000, 109000, 111000, 113000, 115000,
2511 +- 117000, 118000, 120000, 122000, 123000,
2512 ++ -40000, -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000,
2513 ++ -22000, -20000, -18500, -17000, -15000, -13500, -12000, -10000, -8000,
2514 ++ -6500, -5000, -3500, -1500, 0, 2000, 3500, 5000, 6500, 8500, 10000,
2515 ++ 12000, 13500, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28500,
2516 ++ 30000, 32000, 33500, 35000, 37000, 38500, 40000, 42000, 43500, 45000,
2517 ++ 47000, 48500, 50000, 52000, 53500, 55000, 57000, 58500, 60000, 62000,
2518 ++ 64000, 66000, 68000, 70000, 71500, 73500, 75000, 77000, 78500, 80000,
2519 ++ 82000, 83500, 85000, 87000, 88500, 90000, 92000, 93500, 95000, 97000,
2520 ++ 98500, 100000, 102000, 103500, 105000, 107000, 109000, 111000, 113000,
2521 ++ 115000, 117000, 118500, 120000, 122000, 123500, 125000,
2522 + };
2523 +
2524 + /* OMAP4430 data */
2525 +diff --git a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
2526 +index a453ff8eb313e..9a3955c3853ba 100644
2527 +--- a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
2528 ++++ b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
2529 +@@ -53,9 +53,13 @@
2530 + * and thresholds for OMAP4430.
2531 + */
2532 +
2533 +-/* ADC conversion table limits */
2534 +-#define OMAP4430_ADC_START_VALUE 0
2535 +-#define OMAP4430_ADC_END_VALUE 127
2536 ++/*
2537 ++ * ADC conversion table limits. Ignore values outside the TRM listed
2538 ++ * range to avoid bogus thermal shutdowns. See omap4430 TRM chapter
2539 ++ * "18.4.10.2.3 ADC Codes Versus Temperature".
2540 ++ */
2541 ++#define OMAP4430_ADC_START_VALUE 13
2542 ++#define OMAP4430_ADC_END_VALUE 107
2543 + /* bandgap clock limits (no control on 4430) */
2544 + #define OMAP4430_MAX_FREQ 32768
2545 + #define OMAP4430_MIN_FREQ 32768
2546 +diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c
2547 +index f98a79172ad23..0b184256034fb 100644
2548 +--- a/drivers/tty/serial/qcom_geni_serial.c
2549 ++++ b/drivers/tty/serial/qcom_geni_serial.c
2550 +@@ -1063,7 +1063,7 @@ static unsigned int qcom_geni_serial_tx_empty(struct uart_port *uport)
2551 + }
2552 +
2553 + #ifdef CONFIG_SERIAL_QCOM_GENI_CONSOLE
2554 +-static int __init qcom_geni_console_setup(struct console *co, char *options)
2555 ++static int qcom_geni_console_setup(struct console *co, char *options)
2556 + {
2557 + struct uart_port *uport;
2558 + struct qcom_geni_serial_port *port;
2559 +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
2560 +index 02206162eaa9e..0d16f9806655f 100644
2561 +--- a/drivers/vfio/pci/vfio_pci.c
2562 ++++ b/drivers/vfio/pci/vfio_pci.c
2563 +@@ -27,6 +27,7 @@
2564 + #include <linux/vfio.h>
2565 + #include <linux/vgaarb.h>
2566 + #include <linux/nospec.h>
2567 ++#include <linux/sched/mm.h>
2568 +
2569 + #include "vfio_pci_private.h"
2570 +
2571 +@@ -177,6 +178,7 @@ no_mmap:
2572 +
2573 + static void vfio_pci_try_bus_reset(struct vfio_pci_device *vdev);
2574 + static void vfio_pci_disable(struct vfio_pci_device *vdev);
2575 ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data);
2576 +
2577 + /*
2578 + * INTx masking requires the ability to disable INTx signaling via PCI_COMMAND
2579 +@@ -688,6 +690,12 @@ int vfio_pci_register_dev_region(struct vfio_pci_device *vdev,
2580 + return 0;
2581 + }
2582 +
2583 ++struct vfio_devices {
2584 ++ struct vfio_device **devices;
2585 ++ int cur_index;
2586 ++ int max_index;
2587 ++};
2588 ++
2589 + static long vfio_pci_ioctl(void *device_data,
2590 + unsigned int cmd, unsigned long arg)
2591 + {
2592 +@@ -761,7 +769,7 @@ static long vfio_pci_ioctl(void *device_data,
2593 + {
2594 + void __iomem *io;
2595 + size_t size;
2596 +- u16 orig_cmd;
2597 ++ u16 cmd;
2598 +
2599 + info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
2600 + info.flags = 0;
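Review bot: The renamed local `u16 cmd` in the ROM region case shadows the `unsigned int cmd` ioctl parameter of vfio_pci_ioctl(), which is easy to misread in a function that dispatches on `cmd` and would trip `-Wshadow`. A distinct name keeps the saved PCI_COMMAND value apart from the ioctl number: `u16 pci_cmd;`. The two following hunks would then read `pci_cmd = vfio_pci_memory_lock_and_enable(vdev);` and `vfio_pci_memory_unlock_and_restore(vdev, pci_cmd);`. The enclosing function starts and ends outside this hunk.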
2601 +@@ -781,10 +789,7 @@ static long vfio_pci_ioctl(void *device_data,
2602 + * Is it really there? Enable memory decode for
2603 + * implicit access in pci_map_rom().
2604 + */
2605 +- pci_read_config_word(pdev, PCI_COMMAND, &orig_cmd);
2606 +- pci_write_config_word(pdev, PCI_COMMAND,
2607 +- orig_cmd | PCI_COMMAND_MEMORY);
2608 +-
2609 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
2610 + io = pci_map_rom(pdev, &size);
2611 + if (io) {
2612 + info.flags = VFIO_REGION_INFO_FLAG_READ;
2613 +@@ -792,8 +797,8 @@ static long vfio_pci_ioctl(void *device_data,
2614 + } else {
2615 + info.size = 0;
2616 + }
2617 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
2618 +
2619 +- pci_write_config_word(pdev, PCI_COMMAND, orig_cmd);
2620 + break;
2621 + }
2622 + case VFIO_PCI_VGA_REGION_INDEX:
2623 +@@ -936,8 +941,16 @@ static long vfio_pci_ioctl(void *device_data,
2624 + return ret;
2625 +
2626 + } else if (cmd == VFIO_DEVICE_RESET) {
2627 +- return vdev->reset_works ?
2628 +- pci_try_reset_function(vdev->pdev) : -EINVAL;
2629 ++ int ret;
2630 ++
2631 ++ if (!vdev->reset_works)
2632 ++ return -EINVAL;
2633 ++
2634 ++ vfio_pci_zap_and_down_write_memory_lock(vdev);
2635 ++ ret = pci_try_reset_function(vdev->pdev);
2636 ++ up_write(&vdev->memory_lock);
2637 ++
2638 ++ return ret;
2639 +
2640 + } else if (cmd == VFIO_DEVICE_GET_PCI_HOT_RESET_INFO) {
2641 + struct vfio_pci_hot_reset_info hdr;
2642 +@@ -1017,8 +1030,9 @@ reset_info_exit:
2643 + int32_t *group_fds;
2644 + struct vfio_pci_group_entry *groups;
2645 + struct vfio_pci_group_info info;
2646 ++ struct vfio_devices devs = { .cur_index = 0 };
2647 + bool slot = false;
2648 +- int i, count = 0, ret = 0;
2649 ++ int i, group_idx, mem_idx = 0, count = 0, ret = 0;
2650 +
2651 + minsz = offsetofend(struct vfio_pci_hot_reset, count);
2652 +
2653 +@@ -1070,9 +1084,9 @@ reset_info_exit:
2654 + * user interface and store the group and iommu ID. This
2655 + * ensures the group is held across the reset.
2656 + */
2657 +- for (i = 0; i < hdr.count; i++) {
2658 ++ for (group_idx = 0; group_idx < hdr.count; group_idx++) {
2659 + struct vfio_group *group;
2660 +- struct fd f = fdget(group_fds[i]);
2661 ++ struct fd f = fdget(group_fds[group_idx]);
2662 + if (!f.file) {
2663 + ret = -EBADF;
2664 + break;
2665 +@@ -1085,8 +1099,9 @@ reset_info_exit:
2666 + break;
2667 + }
2668 +
2669 +- groups[i].group = group;
2670 +- groups[i].id = vfio_external_user_iommu_id(group);
2671 ++ groups[group_idx].group = group;
2672 ++ groups[group_idx].id =
2673 ++ vfio_external_user_iommu_id(group);
2674 + }
2675 +
2676 + kfree(group_fds);
2677 +@@ -1105,13 +1120,63 @@ reset_info_exit:
2678 + ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
2679 + vfio_pci_validate_devs,
2680 + &info, slot);
2681 +- if (!ret)
2682 +- /* User has access, do the reset */
2683 +- ret = pci_reset_bus(vdev->pdev);
2684 ++ if (ret)
2685 ++ goto hot_reset_release;
2686 ++
2687 ++ devs.max_index = count;
2688 ++ devs.devices = kcalloc(count, sizeof(struct vfio_device *),
2689 ++ GFP_KERNEL);
2690 ++ if (!devs.devices) {
2691 ++ ret = -ENOMEM;
2692 ++ goto hot_reset_release;
2693 ++ }
2694 ++
2695 ++ /*
2696 ++ * We need to get memory_lock for each device, but devices
2697 ++ * can share mmap_sem, therefore we need to zap and hold
2698 ++ * the vma_lock for each device, and only then get each
2699 ++ * memory_lock.
2700 ++ */
2701 ++ ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
2702 ++ vfio_pci_try_zap_and_vma_lock_cb,
2703 ++ &devs, slot);
2704 ++ if (ret)
2705 ++ goto hot_reset_release;
2706 ++
2707 ++ for (; mem_idx < devs.cur_index; mem_idx++) {
2708 ++ struct vfio_pci_device *tmp;
2709 ++
2710 ++ tmp = vfio_device_data(devs.devices[mem_idx]);
2711 ++
2712 ++ ret = down_write_trylock(&tmp->memory_lock);
2713 ++ if (!ret) {
2714 ++ ret = -EBUSY;
2715 ++ goto hot_reset_release;
2716 ++ }
2717 ++ mutex_unlock(&tmp->vma_lock);
2718 ++ }
2719 ++
2720 ++ /* User has access, do the reset */
2721 ++ ret = pci_reset_bus(vdev->pdev);
2722 +
2723 + hot_reset_release:
2724 +- for (i--; i >= 0; i--)
2725 +- vfio_group_put_external_user(groups[i].group);
2726 ++ for (i = 0; i < devs.cur_index; i++) {
2727 ++ struct vfio_device *device;
2728 ++ struct vfio_pci_device *tmp;
2729 ++
2730 ++ device = devs.devices[i];
2731 ++ tmp = vfio_device_data(device);
2732 ++
2733 ++ if (i < mem_idx)
2734 ++ up_write(&tmp->memory_lock);
2735 ++ else
2736 ++ mutex_unlock(&tmp->vma_lock);
2737 ++ vfio_device_put(device);
2738 ++ }
2739 ++ kfree(devs.devices);
2740 ++
2741 ++ for (group_idx--; group_idx >= 0; group_idx--)
2742 ++ vfio_group_put_external_user(groups[group_idx].group);
2743 +
2744 + kfree(groups);
2745 + return ret;
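Review bot: The unwind loop under `hot_reset_release` depends on an invariant that is not written down: devices below `mem_idx` hold `memory_lock` for write, and the rest up to `devs.cur_index` still hold `vma_lock`. A comment above the loop would protect it from a later edit that moves the `mem_idx++` or adds a new `goto`, for example `/* [0, mem_idx): memory_lock held for write; [mem_idx, cur_index): vma_lock still held */`. As a smaller style point, `ret = down_write_trylock(&tmp->memory_lock);` briefly stores a boolean in the errno variable; `if (!down_write_trylock(&tmp->memory_lock)) {` avoids that. The new -EBUSY result on contention is visible to userspace, so the ioctl documentation should say callers may need to retry.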
2746 +@@ -1192,6 +1257,202 @@ static ssize_t vfio_pci_write(void *device_data, const char __user *buf,
2747 + return vfio_pci_rw(device_data, (char __user *)buf, count, ppos, true);
2748 + }
2749 +
2750 ++/* Return 1 on zap and vma_lock acquired, 0 on contention (only with @try) */
2751 ++static int vfio_pci_zap_and_vma_lock(struct vfio_pci_device *vdev, bool try)
2752 ++{
2753 ++ struct vfio_pci_mmap_vma *mmap_vma, *tmp;
2754 ++
2755 ++ /*
2756 ++ * Lock ordering:
2757 ++ * vma_lock is nested under mmap_sem for vm_ops callback paths.
2758 ++ * The memory_lock semaphore is used by both code paths calling
2759 ++ * into this function to zap vmas and the vm_ops.fault callback
2760 ++ * to protect the memory enable state of the device.
2761 ++ *
2762 ++ * When zapping vmas we need to maintain the mmap_sem => vma_lock
2763 ++ * ordering, which requires using vma_lock to walk vma_list to
2764 ++ * acquire an mm, then dropping vma_lock to get the mmap_sem and
2765 ++ * reacquiring vma_lock. This logic is derived from similar
2766 ++ * requirements in uverbs_user_mmap_disassociate().
2767 ++ *
2768 ++ * mmap_sem must always be the top-level lock when it is taken.
2769 ++ * Therefore we can only hold the memory_lock write lock when
2770 ++ * vma_list is empty, as we'd need to take mmap_sem to clear
2771 ++ * entries. vma_list can only be guaranteed empty when holding
2772 ++ * vma_lock, thus memory_lock is nested under vma_lock.
2773 ++ *
2774 ++ * This enables the vm_ops.fault callback to acquire vma_lock,
2775 ++ * followed by memory_lock read lock, while already holding
2776 ++ * mmap_sem without risk of deadlock.
2777 ++ */
2778 ++ while (1) {
2779 ++ struct mm_struct *mm = NULL;
2780 ++
2781 ++ if (try) {
2782 ++ if (!mutex_trylock(&vdev->vma_lock))
2783 ++ return 0;
2784 ++ } else {
2785 ++ mutex_lock(&vdev->vma_lock);
2786 ++ }
2787 ++ while (!list_empty(&vdev->vma_list)) {
2788 ++ mmap_vma = list_first_entry(&vdev->vma_list,
2789 ++ struct vfio_pci_mmap_vma,
2790 ++ vma_next);
2791 ++ mm = mmap_vma->vma->vm_mm;
2792 ++ if (mmget_not_zero(mm))
2793 ++ break;
2794 ++
2795 ++ list_del(&mmap_vma->vma_next);
2796 ++ kfree(mmap_vma);
2797 ++ mm = NULL;
2798 ++ }
2799 ++ if (!mm)
2800 ++ return 1;
2801 ++ mutex_unlock(&vdev->vma_lock);
2802 ++
2803 ++ if (try) {
2804 ++ if (!down_read_trylock(&mm->mmap_sem)) {
2805 ++ mmput(mm);
2806 ++ return 0;
2807 ++ }
2808 ++ } else {
2809 ++ down_read(&mm->mmap_sem);
2810 ++ }
2811 ++ if (mmget_still_valid(mm)) {
2812 ++ if (try) {
2813 ++ if (!mutex_trylock(&vdev->vma_lock)) {
2814 ++ up_read(&mm->mmap_sem);
2815 ++ mmput(mm);
2816 ++ return 0;
2817 ++ }
2818 ++ } else {
2819 ++ mutex_lock(&vdev->vma_lock);
2820 ++ }
2821 ++ list_for_each_entry_safe(mmap_vma, tmp,
2822 ++ &vdev->vma_list, vma_next) {
2823 ++ struct vm_area_struct *vma = mmap_vma->vma;
2824 ++
2825 ++ if (vma->vm_mm != mm)
2826 ++ continue;
2827 ++
2828 ++ list_del(&mmap_vma->vma_next);
2829 ++ kfree(mmap_vma);
2830 ++
2831 ++ zap_vma_ptes(vma, vma->vm_start,
2832 ++ vma->vm_end - vma->vm_start);
2833 ++ }
2834 ++ mutex_unlock(&vdev->vma_lock);
2835 ++ }
2836 ++ up_read(&mm->mmap_sem);
2837 ++ mmput(mm);
2838 ++ }
2839 ++}
2840 ++
2841 ++void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device *vdev)
2842 ++{
2843 ++ vfio_pci_zap_and_vma_lock(vdev, false);
2844 ++ down_write(&vdev->memory_lock);
2845 ++ mutex_unlock(&vdev->vma_lock);
2846 ++}
2847 ++
2848 ++u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev)
2849 ++{
2850 ++ u16 cmd;
2851 ++
2852 ++ down_write(&vdev->memory_lock);
2853 ++ pci_read_config_word(vdev->pdev, PCI_COMMAND, &cmd);
2854 ++ if (!(cmd & PCI_COMMAND_MEMORY))
2855 ++ pci_write_config_word(vdev->pdev, PCI_COMMAND,
2856 ++ cmd | PCI_COMMAND_MEMORY);
2857 ++
2858 ++ return cmd;
2859 ++}
2860 ++
2861 ++void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, u16 cmd)
2862 ++{
2863 ++ pci_write_config_word(vdev->pdev, PCI_COMMAND, cmd);
2864 ++ up_write(&vdev->memory_lock);
2865 ++}
2866 ++
2867 ++/* Caller holds vma_lock */
2868 ++static int __vfio_pci_add_vma(struct vfio_pci_device *vdev,
2869 ++ struct vm_area_struct *vma)
2870 ++{
2871 ++ struct vfio_pci_mmap_vma *mmap_vma;
2872 ++
2873 ++ mmap_vma = kmalloc(sizeof(*mmap_vma), GFP_KERNEL);
2874 ++ if (!mmap_vma)
2875 ++ return -ENOMEM;
2876 ++
2877 ++ mmap_vma->vma = vma;
2878 ++ list_add(&mmap_vma->vma_next, &vdev->vma_list);
2879 ++
2880 ++ return 0;
2881 ++}
2882 ++
2883 ++/*
2884 ++ * Zap mmaps on open so that we can fault them in on access and therefore
2885 ++ * our vma_list only tracks mappings accessed since last zap.
2886 ++ */
2887 ++static void vfio_pci_mmap_open(struct vm_area_struct *vma)
2888 ++{
2889 ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
2890 ++}
2891 ++
2892 ++static void vfio_pci_mmap_close(struct vm_area_struct *vma)
2893 ++{
2894 ++ struct vfio_pci_device *vdev = vma->vm_private_data;
2895 ++ struct vfio_pci_mmap_vma *mmap_vma;
2896 ++
2897 ++ mutex_lock(&vdev->vma_lock);
2898 ++ list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
2899 ++ if (mmap_vma->vma == vma) {
2900 ++ list_del(&mmap_vma->vma_next);
2901 ++ kfree(mmap_vma);
2902 ++ break;
2903 ++ }
2904 ++ }
2905 ++ mutex_unlock(&vdev->vma_lock);
2906 ++}
2907 ++
2908 ++static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
2909 ++{
2910 ++ struct vm_area_struct *vma = vmf->vma;
2911 ++ struct vfio_pci_device *vdev = vma->vm_private_data;
2912 ++ vm_fault_t ret = VM_FAULT_NOPAGE;
2913 ++
2914 ++ mutex_lock(&vdev->vma_lock);
2915 ++ down_read(&vdev->memory_lock);
2916 ++
2917 ++ if (!__vfio_pci_memory_enabled(vdev)) {
2918 ++ ret = VM_FAULT_SIGBUS;
2919 ++ mutex_unlock(&vdev->vma_lock);
2920 ++ goto up_out;
2921 ++ }
2922 ++
2923 ++ if (__vfio_pci_add_vma(vdev, vma)) {
2924 ++ ret = VM_FAULT_OOM;
2925 ++ mutex_unlock(&vdev->vma_lock);
2926 ++ goto up_out;
2927 ++ }
2928 ++
2929 ++ mutex_unlock(&vdev->vma_lock);
2930 ++
2931 ++ if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
2932 ++ vma->vm_end - vma->vm_start, vma->vm_page_prot))
2933 ++ ret = VM_FAULT_SIGBUS;
2934 ++
2935 ++up_out:
2936 ++ up_read(&vdev->memory_lock);
2937 ++ return ret;
2938 ++}
2939 ++
2940 ++static const struct vm_operations_struct vfio_pci_mmap_ops = {
2941 ++ .open = vfio_pci_mmap_open,
2942 ++ .close = vfio_pci_mmap_close,
2943 ++ .fault = vfio_pci_mmap_fault,
2944 ++};
2945 ++
2946 + static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma)
2947 + {
2948 + struct vfio_pci_device *vdev = device_data;
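Review bot: In vfio_pci_mmap_fault() the `vma_lock` is dropped before `remap_pfn_range()`, and `__vfio_pci_add_vma()` never checks whether the vma is already on `vma_list`. Two faults racing on the same vma can therefore both add an entry and both try to populate the whole range. As far as I know remap_pfn_range() does not tolerate PTEs that are already populated, so the second caller can hit a kernel assertion instead of returning cleanly. The duplicate list entries also mean vfio_pci_mmap_close(), which stops at the first match, leaves a stale `mmap_vma` pointing at a freed vma. I would hold `vma_lock` across the remap, return early when the vma is already tracked, and add the vma to the list only after the remap succeeds, zapping on failure, as sketched below.

```c
static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
{
	/* … unchanged: vma, vdev and ret declarations … */
	struct vfio_pci_mmap_vma *mmap_vma;

	mutex_lock(&vdev->vma_lock);
	down_read(&vdev->memory_lock);

	if (!__vfio_pci_memory_enabled(vdev)) {
		ret = VM_FAULT_SIGBUS;
		goto up_out;
	}

	/* A racing fault on this vma already populated it; nothing to do. */
	list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
		if (mmap_vma->vma == vma)
			goto up_out;
	}

	if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
			    vma->vm_end - vma->vm_start, vma->vm_page_prot)) {
		ret = VM_FAULT_SIGBUS;
		zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
		goto up_out;
	}

	if (__vfio_pci_add_vma(vdev, vma)) {
		ret = VM_FAULT_OOM;
		zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
	}

up_out:
	up_read(&vdev->memory_lock);
	mutex_unlock(&vdev->vma_lock);
	return ret;
}
```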
2949 +@@ -1250,8 +1511,14 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma)
2950 + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
2951 + vma->vm_pgoff = (pci_resource_start(pdev, index) >> PAGE_SHIFT) + pgoff;
2952 +
2953 +- return remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
2954 +- req_len, vma->vm_page_prot);
2955 ++ /*
2956 ++ * See remap_pfn_range(), called from vfio_pci_fault() but we can't
2957 ++ * change vm_flags within the fault handler. Set them now.
2958 ++ */
2959 ++ vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
2960 ++ vma->vm_ops = &vfio_pci_mmap_ops;
2961 ++
2962 ++ return 0;
2963 + }
2964 +
2965 + static void vfio_pci_request(void *device_data, unsigned int count)
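Review bot: The new comment refers to `vfio_pci_fault()`, but the handler added by this patch is named `vfio_pci_mmap_fault()`, so a reader grepping for the name finds nothing. I would write `See remap_pfn_range(), called from vfio_pci_mmap_fault(), but we can't change vm_flags within the fault handler. Set them now.` It is also worth saying there that vfio_pci_mmap() no longer maps anything itself. With this change a mapping problem surfaces as a SIGBUS on first access rather than as an mmap() error. The body of vfio_pci_mmap() starts outside this hunk.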
2966 +@@ -1327,6 +1594,9 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
2967 + spin_lock_init(&vdev->irqlock);
2968 + mutex_init(&vdev->ioeventfds_lock);
2969 + INIT_LIST_HEAD(&vdev->ioeventfds_list);
2970 ++ mutex_init(&vdev->vma_lock);
2971 ++ INIT_LIST_HEAD(&vdev->vma_list);
2972 ++ init_rwsem(&vdev->memory_lock);
2973 +
2974 + ret = vfio_add_group_dev(&pdev->dev, &vfio_pci_ops, vdev);
2975 + if (ret) {
2976 +@@ -1516,12 +1786,6 @@ static void vfio_pci_reflck_put(struct vfio_pci_reflck *reflck)
2977 + kref_put_mutex(&reflck->kref, vfio_pci_reflck_release, &reflck_lock);
2978 + }
2979 +
2980 +-struct vfio_devices {
2981 +- struct vfio_device **devices;
2982 +- int cur_index;
2983 +- int max_index;
2984 +-};
2985 +-
2986 + static int vfio_pci_get_unused_devs(struct pci_dev *pdev, void *data)
2987 + {
2988 + struct vfio_devices *devs = data;
2989 +@@ -1552,6 +1816,39 @@ static int vfio_pci_get_unused_devs(struct pci_dev *pdev, void *data)
2990 + return 0;
2991 + }
2992 +
2993 ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data)
2994 ++{
2995 ++ struct vfio_devices *devs = data;
2996 ++ struct vfio_device *device;
2997 ++ struct vfio_pci_device *vdev;
2998 ++
2999 ++ if (devs->cur_index == devs->max_index)
3000 ++ return -ENOSPC;
3001 ++
3002 ++ device = vfio_device_get_from_dev(&pdev->dev);
3003 ++ if (!device)
3004 ++ return -EINVAL;
3005 ++
3006 ++ if (pci_dev_driver(pdev) != &vfio_pci_driver) {
3007 ++ vfio_device_put(device);
3008 ++ return -EBUSY;
3009 ++ }
3010 ++
3011 ++ vdev = vfio_device_data(device);
3012 ++
3013 ++ /*
3014 ++ * Locking multiple devices is prone to deadlock, runaway and
3015 ++ * unwind if we hit contention.
3016 ++ */
3017 ++ if (!vfio_pci_zap_and_vma_lock(vdev, true)) {
3018 ++ vfio_device_put(device);
3019 ++ return -EBUSY;
3020 ++ }
3021 ++
3022 ++ devs->devices[devs->cur_index++] = device;
3023 ++ return 0;
3024 ++}
3025 ++
3026 + /*
3027 + * If a bus or slot reset is available for the provided device and:
3028 + * - All of the devices affected by that bus or slot reset are unused
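Review bot: vfio_pci_try_zap_and_vma_lock_cb() has no header comment, and on success it returns with both a device reference and that device's `vma_lock` held. The caller has to release both for every entry up to `devs->cur_index`. That contract is only discoverable by reading the hot-reset unwind loop, so I would add something like `/* On success the device reference and vdev->vma_lock are held; the caller must release both for every entry in devs->devices. */`. The in-body comment "prone to deadlock, runaway and unwind" reads as if it meant "run away and unwind"; rewording it would make clear that the try-lock failure path is deliberate.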
3029 +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
3030 +index d6359c37c9e55..927b608461c82 100644
3031 +--- a/drivers/vfio/pci/vfio_pci_config.c
3032 ++++ b/drivers/vfio/pci/vfio_pci_config.c
3033 +@@ -395,6 +395,20 @@ static inline void p_setd(struct perm_bits *p, int off, u32 virt, u32 write)
3034 + *(__le32 *)(&p->write[off]) = cpu_to_le32(write);
3035 + }
3036 +
3037 ++/* Caller should hold memory_lock semaphore */
3038 ++bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev)
3039 ++{
3040 ++ struct pci_dev *pdev = vdev->pdev;
3041 ++ u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]);
3042 ++
3043 ++ /*
3044 ++ * SR-IOV VF memory enable is handled by the MSE bit in the
3045 ++ * PF SR-IOV capability, there's therefore no need to trigger
3046 ++ * faults based on the virtual value.
3047 ++ */
3048 ++ return pdev->is_virtfn || (cmd & PCI_COMMAND_MEMORY);
3049 ++}
3050 ++
3051 + /*
3052 + * Restore the *real* BARs after we detect a FLR or backdoor reset.
3053 + * (backdoor = some device specific technique that we didn't catch)
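Review bot: The locking rule for `__vfio_pci_memory_enabled()` is stated only in the comment "Caller should hold memory_lock semaphore", so a future caller that forgets the lock gets a silently racy read of the virtual COMMAND register. Adding `lockdep_assert_held(&vdev->memory_lock);` as the first statement would let lockdep builds catch that, assuming the lockdep header is already reachable from this file. Both callers visible in this patch (the fault handler and vfio_pci_bar_rw()) take the lock first, so the assertion should not fire today.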
3054 +@@ -554,13 +568,18 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
3055 +
3056 + new_cmd = le32_to_cpu(val);
3057 +
3058 ++ phys_io = !!(phys_cmd & PCI_COMMAND_IO);
3059 ++ virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO);
3060 ++ new_io = !!(new_cmd & PCI_COMMAND_IO);
3061 ++
3062 + phys_mem = !!(phys_cmd & PCI_COMMAND_MEMORY);
3063 + virt_mem = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_MEMORY);
3064 + new_mem = !!(new_cmd & PCI_COMMAND_MEMORY);
3065 +
3066 +- phys_io = !!(phys_cmd & PCI_COMMAND_IO);
3067 +- virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO);
3068 +- new_io = !!(new_cmd & PCI_COMMAND_IO);
3069 ++ if (!new_mem)
3070 ++ vfio_pci_zap_and_down_write_memory_lock(vdev);
3071 ++ else
3072 ++ down_write(&vdev->memory_lock);
3073 +
3074 + /*
3075 + * If the user is writing mem/io enable (new_mem/io) and we
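Review bot: The asymmetric acquisition at `if (!new_mem)` has no comment, and the matching `up_write()` calls live in two later hunks: the `count < 0` path, guarded by `offset == PCI_COMMAND`, and the end of the command block. A short comment at the acquisition would help, for example `/* Clearing memory enable: zap user mmaps first so later accesses fault and observe the disabled state; otherwise the write lock alone is enough. Released below on both the error and success paths. */`. Since the lock and its releases sit under conditions that must stay identical, any early return added between them later would leak `memory_lock`. The surrounding function starts and ends outside this hunk, so I could not check the lines in between.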
3076 +@@ -577,8 +596,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
3077 + }
3078 +
3079 + count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
3080 +- if (count < 0)
3081 ++ if (count < 0) {
3082 ++ if (offset == PCI_COMMAND)
3083 ++ up_write(&vdev->memory_lock);
3084 + return count;
3085 ++ }
3086 +
3087 + /*
3088 + * Save current memory/io enable bits in vconfig to allow for
3089 +@@ -589,6 +611,8 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
3090 +
3091 + *virt_cmd &= cpu_to_le16(~mask);
3092 + *virt_cmd |= cpu_to_le16(new_cmd & mask);
3093 ++
3094 ++ up_write(&vdev->memory_lock);
3095 + }
3096 +
3097 + /* Emulate INTx disable */
3098 +@@ -826,8 +850,11 @@ static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos,
3099 + pos - offset + PCI_EXP_DEVCAP,
3100 + &cap);
3101 +
3102 +- if (!ret && (cap & PCI_EXP_DEVCAP_FLR))
3103 ++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) {
3104 ++ vfio_pci_zap_and_down_write_memory_lock(vdev);
3105 + pci_try_reset_function(vdev->pdev);
3106 ++ up_write(&vdev->memory_lock);
3107 ++ }
3108 + }
3109 +
3110 + /*
3111 +@@ -905,8 +932,11 @@ static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos,
3112 + pos - offset + PCI_AF_CAP,
3113 + &cap);
3114 +
3115 +- if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP))
3116 ++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) {
3117 ++ vfio_pci_zap_and_down_write_memory_lock(vdev);
3118 + pci_try_reset_function(vdev->pdev);
3119 ++ up_write(&vdev->memory_lock);
3120 ++ }
3121 + }
3122 +
3123 + return count;
3124 +@@ -1702,6 +1732,15 @@ int vfio_config_init(struct vfio_pci_device *vdev)
3125 + vconfig[PCI_INTERRUPT_PIN]);
3126 +
3127 + vconfig[PCI_INTERRUPT_PIN] = 0; /* Gratuitous for good VFs */
3128 ++
3129 ++ /*
3130 ++ * VFs do no implement the memory enable bit of the COMMAND
3131 ++ * register therefore we'll not have it set in our initial
3132 ++ * copy of config space after pci_enable_device(). For
3133 ++ * consistency with PFs, set the virtual enable bit here.
3134 ++ */
3135 ++ *(__le16 *)&vconfig[PCI_COMMAND] |=
3136 ++ cpu_to_le16(PCI_COMMAND_MEMORY);
3137 + }
3138 +
3139 + if (!IS_ENABLED(CONFIG_VFIO_PCI_INTX) || vdev->nointx)
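Review bot: The added comment has a typo: "VFs do no implement the memory enable bit" should read "VFs do not implement the memory enable bit". It would also help to mention that `__vfio_pci_memory_enabled()` treats VFs as always enabled through `pdev->is_virtfn`. As written, the comment could suggest that the fault and read/write gating depends on this virtual bit, when it exists only for consistency of the emulated config space.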
3140 +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
3141 +index 2056f3f85f59b..1d9fb25929459 100644
3142 +--- a/drivers/vfio/pci/vfio_pci_intrs.c
3143 ++++ b/drivers/vfio/pci/vfio_pci_intrs.c
3144 +@@ -249,6 +249,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
3145 + struct pci_dev *pdev = vdev->pdev;
3146 + unsigned int flag = msix ? PCI_IRQ_MSIX : PCI_IRQ_MSI;
3147 + int ret;
3148 ++ u16 cmd;
3149 +
3150 + if (!is_irq_none(vdev))
3151 + return -EINVAL;
3152 +@@ -258,13 +259,16 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
3153 + return -ENOMEM;
3154 +
3155 + /* return the number of supported vectors if we can't get all: */
3156 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
3157 + ret = pci_alloc_irq_vectors(pdev, 1, nvec, flag);
3158 + if (ret < nvec) {
3159 + if (ret > 0)
3160 + pci_free_irq_vectors(pdev);
3161 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
3162 + kfree(vdev->ctx);
3163 + return ret;
3164 + }
3165 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
3166 +
3167 + vdev->num_ctx = nvec;
3168 + vdev->irq_type = msix ? VFIO_PCI_MSIX_IRQ_INDEX :
3169 +@@ -287,6 +291,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
3170 + struct pci_dev *pdev = vdev->pdev;
3171 + struct eventfd_ctx *trigger;
3172 + int irq, ret;
3173 ++ u16 cmd;
3174 +
3175 + if (vector < 0 || vector >= vdev->num_ctx)
3176 + return -EINVAL;
3177 +@@ -295,7 +300,11 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
3178 +
3179 + if (vdev->ctx[vector].trigger) {
3180 + irq_bypass_unregister_producer(&vdev->ctx[vector].producer);
3181 ++
3182 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
3183 + free_irq(irq, vdev->ctx[vector].trigger);
3184 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
3185 ++
3186 + kfree(vdev->ctx[vector].name);
3187 + eventfd_ctx_put(vdev->ctx[vector].trigger);
3188 + vdev->ctx[vector].trigger = NULL;
3189 +@@ -323,6 +332,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
3190 + * such a reset it would be unsuccessful. To avoid this, restore the
3191 + * cached value of the message prior to enabling.
3192 + */
3193 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
3194 + if (msix) {
3195 + struct msi_msg msg;
3196 +
3197 +@@ -332,6 +342,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
3198 +
3199 + ret = request_irq(irq, vfio_msihandler, 0,
3200 + vdev->ctx[vector].name, trigger);
3201 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
3202 + if (ret) {
3203 + kfree(vdev->ctx[vector].name);
3204 + eventfd_ctx_put(trigger);
3205 +@@ -376,6 +387,7 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix)
3206 + {
3207 + struct pci_dev *pdev = vdev->pdev;
3208 + int i;
3209 ++ u16 cmd;
3210 +
3211 + for (i = 0; i < vdev->num_ctx; i++) {
3212 + vfio_virqfd_disable(&vdev->ctx[i].unmask);
3213 +@@ -384,7 +396,9 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix)
3214 +
3215 + vfio_msi_set_block(vdev, 0, vdev->num_ctx, NULL, msix);
3216 +
3217 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
3218 + pci_free_irq_vectors(pdev);
3219 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
3220 +
3221 + /*
3222 + * Both disable paths above use pci_intx_for_msi() to clear DisINTx
3223 +diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h
3224 +index ee6ee91718a4d..987b4d311fde9 100644
3225 +--- a/drivers/vfio/pci/vfio_pci_private.h
3226 ++++ b/drivers/vfio/pci/vfio_pci_private.h
3227 +@@ -84,6 +84,11 @@ struct vfio_pci_reflck {
3228 + struct mutex lock;
3229 + };
3230 +
3231 ++struct vfio_pci_mmap_vma {
3232 ++ struct vm_area_struct *vma;
3233 ++ struct list_head vma_next;
3234 ++};
3235 ++
3236 + struct vfio_pci_device {
3237 + struct pci_dev *pdev;
3238 + void __iomem *barmap[PCI_STD_RESOURCE_END + 1];
3239 +@@ -122,6 +127,9 @@ struct vfio_pci_device {
3240 + struct list_head dummy_resources_list;
3241 + struct mutex ioeventfds_lock;
3242 + struct list_head ioeventfds_list;
3243 ++ struct mutex vma_lock;
3244 ++ struct list_head vma_list;
3245 ++ struct rw_semaphore memory_lock;
3246 + };
3247 +
3248 + #define is_intx(vdev) (vdev->irq_type == VFIO_PCI_INTX_IRQ_INDEX)
3249 +@@ -164,6 +172,13 @@ extern int vfio_pci_register_dev_region(struct vfio_pci_device *vdev,
3250 + extern int vfio_pci_set_power_state(struct vfio_pci_device *vdev,
3251 + pci_power_t state);
3252 +
3253 ++extern bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev);
3254 ++extern void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device
3255 ++ *vdev);
3256 ++extern u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev);
3257 ++extern void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev,
3258 ++ u16 cmd);
3259 ++
3260 + #ifdef CONFIG_VFIO_PCI_IGD
3261 + extern int vfio_pci_igd_init(struct vfio_pci_device *vdev);
3262 + #else
3263 +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
3264 +index 0120d8324a402..83f81d24df78e 100644
3265 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c
3266 ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c
3267 +@@ -162,6 +162,7 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
3268 + size_t x_start = 0, x_end = 0;
3269 + resource_size_t end;
3270 + void __iomem *io;
3271 ++ struct resource *res = &vdev->pdev->resource[bar];
3272 + ssize_t done;
3273 +
3274 + if (pci_resource_start(pdev, bar))
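Review bot: The new declaration `struct resource *res = &vdev->pdev->resource[bar];` reaches through `vdev->pdev`, while the rest of vfio_pci_bar_rw() uses a local `pdev`, as in `pci_resource_start(pdev, bar)` on the next line. If `pdev` is declared above `res`, which the hunk does not show, `&pdev->resource[bar]` would be consistent with the surrounding code. Since `res` is used only for `res->flags & IORESOURCE_MEM`, which is evaluated again at the `out:` label, caching it as `bool is_mem` would make it obvious that the lock and unlock conditions cannot diverge.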
3275 +@@ -177,6 +178,14 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
3276 +
3277 + count = min(count, (size_t)(end - pos));
3278 +
3279 ++ if (res->flags & IORESOURCE_MEM) {
3280 ++ down_read(&vdev->memory_lock);
3281 ++ if (!__vfio_pci_memory_enabled(vdev)) {
3282 ++ up_read(&vdev->memory_lock);
3283 ++ return -EIO;
3284 ++ }
3285 ++ }
3286 ++
3287 + if (bar == PCI_ROM_RESOURCE) {
3288 + /*
3289 + * The ROM can fill less space than the BAR, so we start the
3290 +@@ -184,13 +193,17 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
3291 + * filling large ROM BARs much faster.
3292 + */
3293 + io = pci_map_rom(pdev, &x_start);
3294 +- if (!io)
3295 +- return -ENOMEM;
3296 ++ if (!io) {
3297 ++ done = -ENOMEM;
3298 ++ goto out;
3299 ++ }
3300 + x_end = end;
3301 + } else {
3302 + int ret = vfio_pci_setup_barmap(vdev, bar);
3303 +- if (ret)
3304 +- return ret;
3305 ++ if (ret) {
3306 ++ done = ret;
3307 ++ goto out;
3308 ++ }
3309 +
3310 + io = vdev->barmap[bar];
3311 + }
3312 +@@ -207,6 +220,9 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
3313 +
3314 + if (bar == PCI_ROM_RESOURCE)
3315 + pci_unmap_rom(pdev, io);
3316 ++out:
3317 ++ if (res->flags & IORESOURCE_MEM)
3318 ++ up_read(&vdev->memory_lock);
3319 +
3320 + return done;
3321 + }
3322 +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
3323 +index ca8c10aa4a4bc..c6220f57fdf3e 100644
3324 +--- a/drivers/vfio/vfio_iommu_type1.c
3325 ++++ b/drivers/vfio/vfio_iommu_type1.c
3326 +@@ -335,6 +335,32 @@ static int put_pfn(unsigned long pfn, int prot)
3327 + return 0;
3328 + }
3329 +
3330 ++static int follow_fault_pfn(struct vm_area_struct *vma, struct mm_struct *mm,
3331 ++ unsigned long vaddr, unsigned long *pfn,
3332 ++ bool write_fault)
3333 ++{
3334 ++ int ret;
3335 ++
3336 ++ ret = follow_pfn(vma, vaddr, pfn);
3337 ++ if (ret) {
3338 ++ bool unlocked = false;
3339 ++
3340 ++ ret = fixup_user_fault(NULL, mm, vaddr,
3341 ++ FAULT_FLAG_REMOTE |
3342 ++ (write_fault ? FAULT_FLAG_WRITE : 0),
3343 ++ &unlocked);
3344 ++ if (unlocked)
3345 ++ return -EAGAIN;
3346 ++
3347 ++ if (ret)
3348 ++ return ret;
3349 ++
3350 ++ ret = follow_pfn(vma, vaddr, pfn);
3351 ++ }
3352 ++
3353 ++ return ret;
3354 ++}
3355 ++
3356 + static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
3357 + int prot, unsigned long *pfn)
3358 + {
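Review bot: follow_fault_pfn() has no header comment, and its return contract is not obvious. It returns -EAGAIN when fixup_user_fault() reports `unlocked`, meaning `vma` may no longer be valid and the caller must look it up again; the `retry:` label in vaddr_get_pfn() does this. I would document it, for example `/* Called with mm->mmap_sem held for read (presumably; the caller releases it afterwards). Returns -EAGAIN if the lock was dropped while faulting, in which case @vma must be re-looked-up before retrying. */`. The retry in the caller has no bound, so the comment should also say why that is acceptable or what limits it.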
3359 +@@ -377,12 +403,16 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
3360 +
3361 + vaddr = untagged_addr(vaddr);
3362 +
3363 ++retry:
3364 + vma = find_vma_intersection(mm, vaddr, vaddr + 1);
3365 +
3366 + if (vma && vma->vm_flags & VM_PFNMAP) {
3367 +- if (!follow_pfn(vma, vaddr, pfn) &&
3368 +- is_invalid_reserved_pfn(*pfn))
3369 +- ret = 0;
3370 ++ ret = follow_fault_pfn(vma, mm, vaddr, pfn, prot & IOMMU_WRITE);
3371 ++ if (ret == -EAGAIN)
3372 ++ goto retry;
3373 ++
3374 ++ if (!ret && !is_invalid_reserved_pfn(*pfn))
3375 ++ ret = -EFAULT;
3376 + }
3377 +
3378 + up_read(&mm->mmap_sem);
3379 +diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c
3380 +index a38292ef79f6d..f38bdaea0ef11 100644
3381 +--- a/drivers/xen/xenbus/xenbus_client.c
3382 ++++ b/drivers/xen/xenbus/xenbus_client.c
3383 +@@ -363,8 +363,14 @@ int xenbus_grant_ring(struct xenbus_device *dev, void *vaddr,
3384 + int i, j;
3385 +
3386 + for (i = 0; i < nr_pages; i++) {
3387 +- err = gnttab_grant_foreign_access(dev->otherend_id,
3388 +- virt_to_gfn(vaddr), 0);
3389 ++ unsigned long gfn;
3390 ++
3391 ++ if (is_vmalloc_addr(vaddr))
3392 ++ gfn = pfn_to_gfn(vmalloc_to_pfn(vaddr));
3393 ++ else
3394 ++ gfn = virt_to_gfn(vaddr);
3395 ++
3396 ++ err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0);
3397 + if (err < 0) {
3398 + xenbus_dev_fatal(dev, err,
3399 + "granting access to ring page");
3400 +diff --git a/fs/affs/amigaffs.c b/fs/affs/amigaffs.c
3401 +index f708c45d5f664..29f11e10a7c7d 100644
3402 +--- a/fs/affs/amigaffs.c
3403 ++++ b/fs/affs/amigaffs.c
3404 +@@ -420,24 +420,51 @@ affs_mode_to_prot(struct inode *inode)
3405 + u32 prot = AFFS_I(inode)->i_protect;
3406 + umode_t mode = inode->i_mode;
3407 +
3408 ++ /*
3409 ++ * First, clear all RWED bits for owner, group, other.
3410 ++ * Then, recalculate them afresh.
3411 ++ *
3412 ++ * We'll always clear the delete-inhibit bit for the owner, as that is
3413 ++ * the classic single-user mode AmigaOS protection bit and we need to
3414 ++ * stay compatible with all scenarios.
3415 ++ *
3416 ++ * Since multi-user AmigaOS is an extension, we'll only set the
3417 ++ * delete-allow bit if any of the other bits in the same user class
3418 ++ * (group/other) are used.
3419 ++ */
3420 ++ prot &= ~(FIBF_NOEXECUTE | FIBF_NOREAD
3421 ++ | FIBF_NOWRITE | FIBF_NODELETE
3422 ++ | FIBF_GRP_EXECUTE | FIBF_GRP_READ
3423 ++ | FIBF_GRP_WRITE | FIBF_GRP_DELETE
3424 ++ | FIBF_OTR_EXECUTE | FIBF_OTR_READ
3425 ++ | FIBF_OTR_WRITE | FIBF_OTR_DELETE);
3426 ++
3427 ++ /* Classic single-user AmigaOS flags. These are inverted. */
3428 + if (!(mode & 0100))
3429 + prot |= FIBF_NOEXECUTE;
3430 + if (!(mode & 0400))
3431 + prot |= FIBF_NOREAD;
3432 + if (!(mode & 0200))
3433 + prot |= FIBF_NOWRITE;
3434 ++
3435 ++ /* Multi-user extended flags. Not inverted. */
3436 + if (mode & 0010)
3437 + prot |= FIBF_GRP_EXECUTE;
3438 + if (mode & 0040)
3439 + prot |= FIBF_GRP_READ;
3440 + if (mode & 0020)
3441 + prot |= FIBF_GRP_WRITE;
3442 ++ if (mode & 0070)
3443 ++ prot |= FIBF_GRP_DELETE;
3444 ++
3445 + if (mode & 0001)
3446 + prot |= FIBF_OTR_EXECUTE;
3447 + if (mode & 0004)
3448 + prot |= FIBF_OTR_READ;
3449 + if (mode & 0002)
3450 + prot |= FIBF_OTR_WRITE;
3451 ++ if (mode & 0007)
3452 ++ prot |= FIBF_OTR_DELETE;
3453 +
3454 + AFFS_I(inode)->i_protect = prot;
3455 + }
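Review bot: The two new delete-bit tests in affs_mode_to_prot, `if (mode & 0070)` and `if (mode & 0007)`, use bare octal masks, and the reader has to work out that they mean "any group permission" and "any other permission". Writing them as `if (mode & S_IRWXG)` and `if (mode & S_IRWXO)` states the intent directly. It also separates them visually from the single-bit tests around them. The function's signature and the declaration of `inode` lie outside this hunk.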
3456 +diff --git a/fs/affs/file.c b/fs/affs/file.c
3457 +index a85817f54483f..ba084b0b214b9 100644
3458 +--- a/fs/affs/file.c
3459 ++++ b/fs/affs/file.c
3460 +@@ -428,6 +428,24 @@ static int affs_write_begin(struct file *file, struct address_space *mapping,
3461 + return ret;
3462 + }
3463 +
3464 ++static int affs_write_end(struct file *file, struct address_space *mapping,
3465 ++ loff_t pos, unsigned int len, unsigned int copied,
3466 ++ struct page *page, void *fsdata)
3467 ++{
3468 ++ struct inode *inode = mapping->host;
3469 ++ int ret;
3470 ++
3471 ++ ret = generic_write_end(file, mapping, pos, len, copied, page, fsdata);
3472 ++
3473 ++ /* Clear Archived bit on file writes, as AmigaOS would do */
3474 ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) {
3475 ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED;
3476 ++ mark_inode_dirty(inode);
3477 ++ }
3478 ++
3479 ++ return ret;
3480 ++}
3481 ++
3482 + static sector_t _affs_bmap(struct address_space *mapping, sector_t block)
3483 + {
3484 + return generic_block_bmap(mapping,block,affs_get_block);
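Review bot: affs_write_end clears FIBF_ARCHIVED and dirties the inode without looking at what generic_write_end() returned. If that call can return zero or a negative value here, a write that stored nothing still changes the protection bits; guarding the block with `if (ret > 0 && (AFFS_I(inode)->i_protect & FIBF_ARCHIVED)) {` would tie the flag to data actually written. The same four lines are added again after the `done:` label in the last hunk of this file, so a small static helper would keep the two copies from drifting apart.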
3485 +@@ -437,7 +455,7 @@ const struct address_space_operations affs_aops = {
3486 + .readpage = affs_readpage,
3487 + .writepage = affs_writepage,
3488 + .write_begin = affs_write_begin,
3489 +- .write_end = generic_write_end,
3490 ++ .write_end = affs_write_end,
3491 + .direct_IO = affs_direct_IO,
3492 + .bmap = _affs_bmap
3493 + };
3494 +@@ -794,6 +812,12 @@ done:
3495 + if (tmp > inode->i_size)
3496 + inode->i_size = AFFS_I(inode)->mmu_private = tmp;
3497 +
3498 ++ /* Clear Archived bit on file writes, as AmigaOS would do */
3499 ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) {
3500 ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED;
3501 ++ mark_inode_dirty(inode);
3502 ++ }
3503 ++
3504 + err_first_bh:
3505 + unlock_page(page);
3506 + put_page(page);
3507 +diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c
3508 +index 02e976ca5732f..51ee3dd79700f 100644
3509 +--- a/fs/afs/fs_probe.c
3510 ++++ b/fs/afs/fs_probe.c
3511 +@@ -92,8 +92,8 @@ responded:
3512 + }
3513 + }
3514 +
3515 +- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall);
3516 +- if (rtt_us < server->probe.rtt) {
3517 ++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) &&
3518 ++ rtt_us < server->probe.rtt) {
3519 + server->probe.rtt = rtt_us;
3520 + alist->preferred = index;
3521 + have_result = true;
3522 +diff --git a/fs/afs/vl_probe.c b/fs/afs/vl_probe.c
3523 +index e3aa013c21779..081b7e5b13f58 100644
3524 +--- a/fs/afs/vl_probe.c
3525 ++++ b/fs/afs/vl_probe.c
3526 +@@ -92,8 +92,8 @@ responded:
3527 + }
3528 + }
3529 +
3530 +- rtt_us = rxrpc_kernel_get_srtt(call->net->socket, call->rxcall);
3531 +- if (rtt_us < server->probe.rtt) {
3532 ++ if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) &&
3533 ++ rtt_us < server->probe.rtt) {
3534 + server->probe.rtt = rtt_us;
3535 + alist->preferred = index;
3536 + have_result = true;
3537 +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
3538 +index a989105d39c86..c05127f506373 100644
3539 +--- a/fs/btrfs/ctree.c
3540 ++++ b/fs/btrfs/ctree.c
3541 +@@ -1339,6 +1339,8 @@ tree_mod_log_rewind(struct btrfs_fs_info *fs_info, struct btrfs_path *path,
3542 + btrfs_tree_read_unlock_blocking(eb);
3543 + free_extent_buffer(eb);
3544 +
3545 ++ btrfs_set_buffer_lockdep_class(btrfs_header_owner(eb_rewin),
3546 ++ eb_rewin, btrfs_header_level(eb_rewin));
3547 + btrfs_tree_read_lock(eb_rewin);
3548 + __tree_mod_log_rewind(fs_info, eb_rewin, time_seq, tm);
3549 + WARN_ON(btrfs_header_nritems(eb_rewin) >
3550 +@@ -1412,7 +1414,6 @@ get_old_root(struct btrfs_root *root, u64 time_seq)
3551 +
3552 + if (!eb)
3553 + return NULL;
3554 +- btrfs_tree_read_lock(eb);
3555 + if (old_root) {
3556 + btrfs_set_header_bytenr(eb, eb->start);
3557 + btrfs_set_header_backref_rev(eb, BTRFS_MIXED_BACKREF_REV);
3558 +@@ -1420,6 +1421,9 @@ get_old_root(struct btrfs_root *root, u64 time_seq)
3559 + btrfs_set_header_level(eb, old_root->level);
3560 + btrfs_set_header_generation(eb, old_generation);
3561 + }
3562 ++ btrfs_set_buffer_lockdep_class(btrfs_header_owner(eb), eb,
3563 ++ btrfs_header_level(eb));
3564 ++ btrfs_tree_read_lock(eb);
3565 + if (tm)
3566 + __tree_mod_log_rewind(fs_info, eb, time_seq, tm);
3567 + else
3568 +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
3569 +index ef05cbacef73f..541497036cc24 100644
3570 +--- a/fs/btrfs/extent-tree.c
3571 ++++ b/fs/btrfs/extent-tree.c
3572 +@@ -4446,7 +4446,7 @@ btrfs_init_new_buffer(struct btrfs_trans_handle *trans, struct btrfs_root *root,
3573 + return ERR_PTR(-EUCLEAN);
3574 + }
3575 +
3576 +- btrfs_set_buffer_lockdep_class(root->root_key.objectid, buf, level);
3577 ++ btrfs_set_buffer_lockdep_class(owner, buf, level);
3578 + btrfs_tree_lock(buf);
3579 + btrfs_clean_tree_block(buf);
3580 + clear_bit(EXTENT_BUFFER_STALE, &buf->bflags);
3581 +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
3582 +index 5707bf0575d43..60c21cfb19480 100644
3583 +--- a/fs/btrfs/extent_io.c
3584 ++++ b/fs/btrfs/extent_io.c
3585 +@@ -5607,9 +5607,9 @@ void read_extent_buffer(const struct extent_buffer *eb, void *dstv,
3586 + }
3587 + }
3588 +
3589 +-int read_extent_buffer_to_user(const struct extent_buffer *eb,
3590 +- void __user *dstv,
3591 +- unsigned long start, unsigned long len)
3592 ++int read_extent_buffer_to_user_nofault(const struct extent_buffer *eb,
3593 ++ void __user *dstv,
3594 ++ unsigned long start, unsigned long len)
3595 + {
3596 + size_t cur;
3597 + size_t offset;
3598 +@@ -5630,7 +5630,7 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
3599 +
3600 + cur = min(len, (PAGE_SIZE - offset));
3601 + kaddr = page_address(page);
3602 +- if (copy_to_user(dst, kaddr + offset, cur)) {
3603 ++ if (probe_user_write(dst, kaddr + offset, cur)) {
3604 + ret = -EFAULT;
3605 + break;
3606 + }
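Review bot: read_extent_buffer_to_user_nofault gets a new name and a new copy primitive but no comment describing the changed contract. As the name and the comment added in fs/btrfs/ioctl.c indicate, -EFAULT from `probe_user_write()` can now mean only that the destination pages are not resident, so every caller has to fault the range in and retry rather than treat the result as final. A comment above the definition should say so, for example `/* Copy to user memory without taking page faults; on -EFAULT the caller must fault the range in and retry. */`. The signature is in the previous hunk and the rest of the body lies outside this one.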
3607 +diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h
3608 +index cf3424d58fec7..bc858c8cef0a6 100644
3609 +--- a/fs/btrfs/extent_io.h
3610 ++++ b/fs/btrfs/extent_io.h
3611 +@@ -457,9 +457,9 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
3612 + void read_extent_buffer(const struct extent_buffer *eb, void *dst,
3613 + unsigned long start,
3614 + unsigned long len);
3615 +-int read_extent_buffer_to_user(const struct extent_buffer *eb,
3616 +- void __user *dst, unsigned long start,
3617 +- unsigned long len);
3618 ++int read_extent_buffer_to_user_nofault(const struct extent_buffer *eb,
3619 ++ void __user *dst, unsigned long start,
3620 ++ unsigned long len);
3621 + void write_extent_buffer_fsid(struct extent_buffer *eb, const void *src);
3622 + void write_extent_buffer_chunk_tree_uuid(struct extent_buffer *eb,
3623 + const void *src);
3624 +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
3625 +index 88745b5182126..775fd5975191b 100644
3626 +--- a/fs/btrfs/ioctl.c
3627 ++++ b/fs/btrfs/ioctl.c
3628 +@@ -2105,9 +2105,14 @@ static noinline int copy_to_sk(struct btrfs_path *path,
3629 + sh.len = item_len;
3630 + sh.transid = found_transid;
3631 +
3632 +- /* copy search result header */
3633 +- if (copy_to_user(ubuf + *sk_offset, &sh, sizeof(sh))) {
3634 +- ret = -EFAULT;
3635 ++ /*
3636 ++ * Copy search result header. If we fault then loop again so we
3637 ++ * can fault in the pages and -EFAULT there if there's a
3638 ++ * problem. Otherwise we'll fault and then copy the buffer in
3639 ++ * properly this next time through
3640 ++ */
3641 ++ if (probe_user_write(ubuf + *sk_offset, &sh, sizeof(sh))) {
3642 ++ ret = 0;
3643 + goto out;
3644 + }
3645 +
3646 +@@ -2115,10 +2120,14 @@ static noinline int copy_to_sk(struct btrfs_path *path,
3647 +
3648 + if (item_len) {
3649 + char __user *up = ubuf + *sk_offset;
3650 +- /* copy the item */
3651 +- if (read_extent_buffer_to_user(leaf, up,
3652 +- item_off, item_len)) {
3653 +- ret = -EFAULT;
3654 ++ /*
3655 ++ * Copy the item, same behavior as above, but reset the
3656 ++ * * sk_offset so we copy the full thing again.
3657 ++ */
3658 ++ if (read_extent_buffer_to_user_nofault(leaf, up,
3659 ++ item_off, item_len)) {
3660 ++ ret = 0;
3661 ++ *sk_offset -= sizeof(sh);
3662 + goto out;
3663 + }
3664 +
3665 +@@ -2206,6 +2215,10 @@ static noinline int search_ioctl(struct inode *inode,
3666 + key.offset = sk->min_offset;
3667 +
3668 + while (1) {
3669 ++ ret = fault_in_pages_writeable(ubuf, *buf_size - sk_offset);
3670 ++ if (ret)
3671 ++ break;
3672 ++
3673 + ret = btrfs_search_forward(root, &key, path, sk->min_transid);
3674 + if (ret != 0) {
3675 + if (ret > 0)
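Review bot: The prefault added at the top of the loop in search_ioctl starts at `ubuf` but is sized `*buf_size - sk_offset`, while copy_to_sk writes at `ubuf + *sk_offset`. Once sk_offset has advanced, the pages checked are therefore the already-written head of the buffer, not the range about to be written. Because copy_to_sk now returns 0 on a failed copy, a destination page that cannot be faulted in beyond the prefaulted range looks like it would make this loop retry indefinitely instead of returning -EFAULT. The call should cover the same range the copy uses: `ret = fault_in_pages_writeable(ubuf + sk_offset, *buf_size - sk_offset);`. The declarations of `ubuf` and `sk_offset` are outside the hunk.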
3676 +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
3677 +index 498b824148187..93d7cb56e44b2 100644
3678 +--- a/fs/btrfs/scrub.c
3679 ++++ b/fs/btrfs/scrub.c
3680 +@@ -3742,50 +3742,84 @@ static noinline_for_stack int scrub_supers(struct scrub_ctx *sctx,
3681 + return 0;
3682 + }
3683 +
3684 ++static void scrub_workers_put(struct btrfs_fs_info *fs_info)
3685 ++{
3686 ++ if (refcount_dec_and_mutex_lock(&fs_info->scrub_workers_refcnt,
3687 ++ &fs_info->scrub_lock)) {
3688 ++ struct btrfs_workqueue *scrub_workers = NULL;
3689 ++ struct btrfs_workqueue *scrub_wr_comp = NULL;
3690 ++ struct btrfs_workqueue *scrub_parity = NULL;
3691 ++
3692 ++ scrub_workers = fs_info->scrub_workers;
3693 ++ scrub_wr_comp = fs_info->scrub_wr_completion_workers;
3694 ++ scrub_parity = fs_info->scrub_parity_workers;
3695 ++
3696 ++ fs_info->scrub_workers = NULL;
3697 ++ fs_info->scrub_wr_completion_workers = NULL;
3698 ++ fs_info->scrub_parity_workers = NULL;
3699 ++ mutex_unlock(&fs_info->scrub_lock);
3700 ++
3701 ++ btrfs_destroy_workqueue(scrub_workers);
3702 ++ btrfs_destroy_workqueue(scrub_wr_comp);
3703 ++ btrfs_destroy_workqueue(scrub_parity);
3704 ++ }
3705 ++}
3706 ++
3707 + /*
3708 + * get a reference count on fs_info->scrub_workers. start worker if necessary
3709 + */
3710 + static noinline_for_stack int scrub_workers_get(struct btrfs_fs_info *fs_info,
3711 + int is_dev_replace)
3712 + {
3713 ++ struct btrfs_workqueue *scrub_workers = NULL;
3714 ++ struct btrfs_workqueue *scrub_wr_comp = NULL;
3715 ++ struct btrfs_workqueue *scrub_parity = NULL;
3716 + unsigned int flags = WQ_FREEZABLE | WQ_UNBOUND;
3717 + int max_active = fs_info->thread_pool_size;
3718 ++ int ret = -ENOMEM;
3719 +
3720 +- lockdep_assert_held(&fs_info->scrub_lock);
3721 ++ if (refcount_inc_not_zero(&fs_info->scrub_workers_refcnt))
3722 ++ return 0;
3723 +
3724 +- if (refcount_read(&fs_info->scrub_workers_refcnt) == 0) {
3725 +- ASSERT(fs_info->scrub_workers == NULL);
3726 +- fs_info->scrub_workers = btrfs_alloc_workqueue(fs_info, "scrub",
3727 +- flags, is_dev_replace ? 1 : max_active, 4);
3728 +- if (!fs_info->scrub_workers)
3729 +- goto fail_scrub_workers;
3730 +-
3731 +- ASSERT(fs_info->scrub_wr_completion_workers == NULL);
3732 +- fs_info->scrub_wr_completion_workers =
3733 +- btrfs_alloc_workqueue(fs_info, "scrubwrc", flags,
3734 +- max_active, 2);
3735 +- if (!fs_info->scrub_wr_completion_workers)
3736 +- goto fail_scrub_wr_completion_workers;
3737 ++ scrub_workers = btrfs_alloc_workqueue(fs_info, "scrub", flags,
3738 ++ is_dev_replace ? 1 : max_active, 4);
3739 ++ if (!scrub_workers)
3740 ++ goto fail_scrub_workers;
3741 +
3742 +- ASSERT(fs_info->scrub_parity_workers == NULL);
3743 +- fs_info->scrub_parity_workers =
3744 +- btrfs_alloc_workqueue(fs_info, "scrubparity", flags,
3745 ++ scrub_wr_comp = btrfs_alloc_workqueue(fs_info, "scrubwrc", flags,
3746 + max_active, 2);
3747 +- if (!fs_info->scrub_parity_workers)
3748 +- goto fail_scrub_parity_workers;
3749 ++ if (!scrub_wr_comp)
3750 ++ goto fail_scrub_wr_completion_workers;
3751 +
3752 ++ scrub_parity = btrfs_alloc_workqueue(fs_info, "scrubparity", flags,
3753 ++ max_active, 2);
3754 ++ if (!scrub_parity)
3755 ++ goto fail_scrub_parity_workers;
3756 ++
3757 ++ mutex_lock(&fs_info->scrub_lock);
3758 ++ if (refcount_read(&fs_info->scrub_workers_refcnt) == 0) {
3759 ++ ASSERT(fs_info->scrub_workers == NULL &&
3760 ++ fs_info->scrub_wr_completion_workers == NULL &&
3761 ++ fs_info->scrub_parity_workers == NULL);
3762 ++ fs_info->scrub_workers = scrub_workers;
3763 ++ fs_info->scrub_wr_completion_workers = scrub_wr_comp;
3764 ++ fs_info->scrub_parity_workers = scrub_parity;
3765 + refcount_set(&fs_info->scrub_workers_refcnt, 1);
3766 +- } else {
3767 +- refcount_inc(&fs_info->scrub_workers_refcnt);
3768 ++ mutex_unlock(&fs_info->scrub_lock);
3769 ++ return 0;
3770 + }
3771 +- return 0;
3772 ++ /* Other thread raced in and created the workers for us */
3773 ++ refcount_inc(&fs_info->scrub_workers_refcnt);
3774 ++ mutex_unlock(&fs_info->scrub_lock);
3775 +
3776 ++ ret = 0;
3777 ++ btrfs_destroy_workqueue(scrub_parity);
3778 + fail_scrub_parity_workers:
3779 +- btrfs_destroy_workqueue(fs_info->scrub_wr_completion_workers);
3780 ++ btrfs_destroy_workqueue(scrub_wr_comp);
3781 + fail_scrub_wr_completion_workers:
3782 +- btrfs_destroy_workqueue(fs_info->scrub_workers);
3783 ++ btrfs_destroy_workqueue(scrub_workers);
3784 + fail_scrub_workers:
3785 +- return -ENOMEM;
3786 ++ return ret;
3787 + }
3788 +
3789 + int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
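Review bot: In scrub_workers_get the path where another thread created the workers first sets `ret = 0` and then falls through the `fail_scrub_*` labels to destroy the three unused workqueues. A success return is thus routed through labels named for failure, and the only hint is the one-line comment before `refcount_inc()`. A comment at the fall-through would make this explicit, for example `/* Lost the race: release our unused workqueues through the unwind labels and return 0. */`; renaming the labels to something neutral would also help. scrub_workers_put also has no comment stating that it takes scrub_lock itself and must be called without it held, which the later hunks in btrfs_scrub_dev depend on.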
3790 +@@ -3796,9 +3830,6 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3791 + int ret;
3792 + struct btrfs_device *dev;
3793 + unsigned int nofs_flag;
3794 +- struct btrfs_workqueue *scrub_workers = NULL;
3795 +- struct btrfs_workqueue *scrub_wr_comp = NULL;
3796 +- struct btrfs_workqueue *scrub_parity = NULL;
3797 +
3798 + if (btrfs_fs_closing(fs_info))
3799 + return -EAGAIN;
3800 +@@ -3845,13 +3876,17 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3801 + if (IS_ERR(sctx))
3802 + return PTR_ERR(sctx);
3803 +
3804 ++ ret = scrub_workers_get(fs_info, is_dev_replace);
3805 ++ if (ret)
3806 ++ goto out_free_ctx;
3807 ++
3808 + mutex_lock(&fs_info->fs_devices->device_list_mutex);
3809 + dev = btrfs_find_device(fs_info->fs_devices, devid, NULL, NULL, true);
3810 + if (!dev || (test_bit(BTRFS_DEV_STATE_MISSING, &dev->dev_state) &&
3811 + !is_dev_replace)) {
3812 + mutex_unlock(&fs_info->fs_devices->device_list_mutex);
3813 + ret = -ENODEV;
3814 +- goto out_free_ctx;
3815 ++ goto out;
3816 + }
3817 +
3818 + if (!is_dev_replace && !readonly &&
3819 +@@ -3860,7 +3895,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3820 + btrfs_err_in_rcu(fs_info, "scrub: device %s is not writable",
3821 + rcu_str_deref(dev->name));
3822 + ret = -EROFS;
3823 +- goto out_free_ctx;
3824 ++ goto out;
3825 + }
3826 +
3827 + mutex_lock(&fs_info->scrub_lock);
3828 +@@ -3869,7 +3904,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3829 + mutex_unlock(&fs_info->scrub_lock);
3830 + mutex_unlock(&fs_info->fs_devices->device_list_mutex);
3831 + ret = -EIO;
3832 +- goto out_free_ctx;
3833 ++ goto out;
3834 + }
3835 +
3836 + down_read(&fs_info->dev_replace.rwsem);
3837 +@@ -3880,17 +3915,10 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3838 + mutex_unlock(&fs_info->scrub_lock);
3839 + mutex_unlock(&fs_info->fs_devices->device_list_mutex);
3840 + ret = -EINPROGRESS;
3841 +- goto out_free_ctx;
3842 ++ goto out;
3843 + }
3844 + up_read(&fs_info->dev_replace.rwsem);
3845 +
3846 +- ret = scrub_workers_get(fs_info, is_dev_replace);
3847 +- if (ret) {
3848 +- mutex_unlock(&fs_info->scrub_lock);
3849 +- mutex_unlock(&fs_info->fs_devices->device_list_mutex);
3850 +- goto out_free_ctx;
3851 +- }
3852 +-
3853 + sctx->readonly = readonly;
3854 + dev->scrub_ctx = sctx;
3855 + mutex_unlock(&fs_info->fs_devices->device_list_mutex);
3856 +@@ -3943,24 +3971,14 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3857 +
3858 + mutex_lock(&fs_info->scrub_lock);
3859 + dev->scrub_ctx = NULL;
3860 +- if (refcount_dec_and_test(&fs_info->scrub_workers_refcnt)) {
3861 +- scrub_workers = fs_info->scrub_workers;
3862 +- scrub_wr_comp = fs_info->scrub_wr_completion_workers;
3863 +- scrub_parity = fs_info->scrub_parity_workers;
3864 +-
3865 +- fs_info->scrub_workers = NULL;
3866 +- fs_info->scrub_wr_completion_workers = NULL;
3867 +- fs_info->scrub_parity_workers = NULL;
3868 +- }
3869 + mutex_unlock(&fs_info->scrub_lock);
3870 +
3871 +- btrfs_destroy_workqueue(scrub_workers);
3872 +- btrfs_destroy_workqueue(scrub_wr_comp);
3873 +- btrfs_destroy_workqueue(scrub_parity);
3874 ++ scrub_workers_put(fs_info);
3875 + scrub_put_ctx(sctx);
3876 +
3877 + return ret;
3878 +-
3879 ++out:
3880 ++ scrub_workers_put(fs_info);
3881 + out_free_ctx:
3882 + scrub_free_ctx(sctx);
3883 +
3884 +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
3885 +index 0e44db066641e..91ea38506fbb7 100644
3886 +--- a/fs/btrfs/tree-checker.c
3887 ++++ b/fs/btrfs/tree-checker.c
3888 +@@ -772,7 +772,7 @@ static int check_inode_item(struct extent_buffer *leaf,
3889 + /* Here we use super block generation + 1 to handle log tree */
3890 + if (btrfs_inode_generation(leaf, iitem) > super_gen + 1) {
3891 + inode_item_err(fs_info, leaf, slot,
3892 +- "invalid inode generation: has %llu expect (0, %llu]",
3893 ++ "invalid inode transid: has %llu expect [0, %llu]",
3894 + btrfs_inode_generation(leaf, iitem),
3895 + super_gen + 1);
3896 + return -EUCLEAN;
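Review bot: The reworded message says "invalid inode transid", but the condition above it and the value printed both use `btrfs_inode_generation(leaf, iitem)`. A corrupted generation field would therefore be reported as a transid problem, which misleads anyone triaging a tree-checker rejection from the log. If the wording change was meant for a separate transid check elsewhere in check_inode_item, it appears to have landed on the wrong call. Here the text should stay `"invalid inode generation: has %llu expect (0, %llu]"`. The rest of the function is outside the hunk.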
3897 +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
3898 +index 196ddbcd29360..81be71fb569e1 100644
3899 +--- a/fs/btrfs/volumes.c
3900 ++++ b/fs/btrfs/volumes.c
3901 +@@ -4568,6 +4568,7 @@ static int btrfs_uuid_scan_kthread(void *data)
3902 + goto skip;
3903 + }
3904 + update_tree:
3905 ++ btrfs_release_path(path);
3906 + if (!btrfs_is_empty_uuid(root_item.uuid)) {
3907 + ret = btrfs_uuid_tree_add(trans, root_item.uuid,
3908 + BTRFS_UUID_KEY_SUBVOL,
3909 +@@ -4592,6 +4593,7 @@ update_tree:
3910 + }
3911 +
3912 + skip:
3913 ++ btrfs_release_path(path);
3914 + if (trans) {
3915 + ret = btrfs_end_transaction(trans);
3916 + trans = NULL;
3917 +@@ -4599,7 +4601,6 @@ skip:
3918 + break;
3919 + }
3920 +
3921 +- btrfs_release_path(path);
3922 + if (key.offset < (u64)-1) {
3923 + key.offset++;
3924 + } else if (key.type < BTRFS_ROOT_ITEM_KEY) {
3925 +diff --git a/fs/ceph/file.c b/fs/ceph/file.c
3926 +index 4a6b14a2bd7f9..a10711a6337af 100644
3927 +--- a/fs/ceph/file.c
3928 ++++ b/fs/ceph/file.c
3929 +@@ -2198,6 +2198,7 @@ const struct file_operations ceph_file_fops = {
3930 + .mmap = ceph_mmap,
3931 + .fsync = ceph_fsync,
3932 + .lock = ceph_lock,
3933 ++ .setlease = simple_nosetlease,
3934 + .flock = ceph_flock,
3935 + .splice_read = generic_file_splice_read,
3936 + .splice_write = iter_file_splice_write,
3937 +diff --git a/fs/eventpoll.c b/fs/eventpoll.c
3938 +index 0d9b1e2b9da72..ae1d32344f7ac 100644
3939 +--- a/fs/eventpoll.c
3940 ++++ b/fs/eventpoll.c
3941 +@@ -1992,9 +1992,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
3942 + * during ep_insert().
3943 + */
3944 + if (list_empty(&epi->ffd.file->f_tfile_llink)) {
3945 +- get_file(epi->ffd.file);
3946 +- list_add(&epi->ffd.file->f_tfile_llink,
3947 +- &tfile_check_list);
3948 ++ if (get_file_rcu(epi->ffd.file))
3949 ++ list_add(&epi->ffd.file->f_tfile_llink,
3950 ++ &tfile_check_list);
3951 + }
3952 + }
3953 + }
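Review bot: The new `if (get_file_rcu(epi->ffd.file))` in ep_loop_check_proc silently skips the file when no reference can be taken, and nothing explains why skipping is the correct outcome. A short comment would record the reasoning, for example `/* The file may already be on its way to being freed; only queue it if we got a reference. */`. Note also that the `list_empty()` test on the line above still dereferences `epi->ffd.file` before any reference is held. Whether the locking in force here makes that safe cannot be judged from this hunk.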
3954 +diff --git a/fs/ext2/file.c b/fs/ext2/file.c
3955 +index 39c4772e96c9d..d73103cdda210 100644
3956 +--- a/fs/ext2/file.c
3957 ++++ b/fs/ext2/file.c
3958 +@@ -93,8 +93,10 @@ static vm_fault_t ext2_dax_fault(struct vm_fault *vmf)
3959 + struct inode *inode = file_inode(vmf->vma->vm_file);
3960 + struct ext2_inode_info *ei = EXT2_I(inode);
3961 + vm_fault_t ret;
3962 ++ bool write = (vmf->flags & FAULT_FLAG_WRITE) &&
3963 ++ (vmf->vma->vm_flags & VM_SHARED);
3964 +
3965 +- if (vmf->flags & FAULT_FLAG_WRITE) {
3966 ++ if (write) {
3967 + sb_start_pagefault(inode->i_sb);
3968 + file_update_time(vmf->vma->vm_file);
3969 + }
3970 +@@ -103,7 +105,7 @@ static vm_fault_t ext2_dax_fault(struct vm_fault *vmf)
3971 + ret = dax_iomap_fault(vmf, PE_SIZE_PTE, NULL, NULL, &ext2_iomap_ops);
3972 +
3973 + up_read(&ei->dax_sem);
3974 +- if (vmf->flags & FAULT_FLAG_WRITE)
3975 ++ if (write)
3976 + sb_end_pagefault(inode->i_sb);
3977 + return ret;
3978 + }
3979 +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
3980 +index f0089e862216c..fe277ee5ec7c4 100644
3981 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c
3982 ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
3983 +@@ -946,8 +946,10 @@ xfs_attr_shortform_verify(
3984 + * struct xfs_attr_sf_entry has a variable length.
3985 + * Check the fixed-offset parts of the structure are
3986 + * within the data buffer.
3987 ++ * xfs_attr_sf_entry is defined with a 1-byte variable
3988 ++ * array at the end, so we must subtract that off.
3989 + */
3990 +- if (((char *)sfep + sizeof(*sfep)) >= endp)
3991 ++ if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
3992 + return __this_address;
3993 +
3994 + /* Don't allow names with known bad length. */
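Review bot: The bounds check in xfs_attr_shortform_verify now reads `sizeof(*sfep) - 1`, which hard-codes the size of the trailing array element into a verifier that guards against reading past `endp`. Taking `offsetof()` of the trailing array member in struct xfs_attr_sf_entry would express the fixed-header size directly. It would also stay correct if the array's declared length or element type ever changes. The struct definition is not visible here, so the member name has to come from the header.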
3995 +diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
3996 +index 3f76da11197c4..19a600443b9ee 100644
3997 +--- a/fs/xfs/libxfs/xfs_bmap.c
3998 ++++ b/fs/xfs/libxfs/xfs_bmap.c
3999 +@@ -6179,7 +6179,7 @@ xfs_bmap_validate_extent(
4000 +
4001 + isrt = XFS_IS_REALTIME_INODE(ip);
4002 + endfsb = irec->br_startblock + irec->br_blockcount - 1;
4003 +- if (isrt) {
4004 ++ if (isrt && whichfork == XFS_DATA_FORK) {
4005 + if (!xfs_verify_rtbno(mp, irec->br_startblock))
4006 + return __this_address;
4007 + if (!xfs_verify_rtbno(mp, endfsb))
4008 +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
4009 +index 1ffb179f35d23..1e2176190c86f 100644
4010 +--- a/fs/xfs/xfs_file.c
4011 ++++ b/fs/xfs/xfs_file.c
4012 +@@ -1172,6 +1172,14 @@ __xfs_filemap_fault(
4013 + return ret;
4014 + }
4015 +
4016 ++static inline bool
4017 ++xfs_is_write_fault(
4018 ++ struct vm_fault *vmf)
4019 ++{
4020 ++ return (vmf->flags & FAULT_FLAG_WRITE) &&
4021 ++ (vmf->vma->vm_flags & VM_SHARED);
4022 ++}
4023 ++
4024 + static vm_fault_t
4025 + xfs_filemap_fault(
4026 + struct vm_fault *vmf)
4027 +@@ -1179,7 +1187,7 @@ xfs_filemap_fault(
4028 + /* DAX can shortcut the normal fault path on write faults! */
4029 + return __xfs_filemap_fault(vmf, PE_SIZE_PTE,
4030 + IS_DAX(file_inode(vmf->vma->vm_file)) &&
4031 +- (vmf->flags & FAULT_FLAG_WRITE));
4032 ++ xfs_is_write_fault(vmf));
4033 + }
4034 +
4035 + static vm_fault_t
4036 +@@ -1192,7 +1200,7 @@ xfs_filemap_huge_fault(
4037 +
4038 + /* DAX can shortcut the normal fault path on write faults! */
4039 + return __xfs_filemap_fault(vmf, pe_size,
4040 +- (vmf->flags & FAULT_FLAG_WRITE));
4041 ++ xfs_is_write_fault(vmf));
4042 + }
4043 +
4044 + static vm_fault_t
4045 +diff --git a/include/linux/bvec.h b/include/linux/bvec.h
4046 +index a032f01e928c5..d7a628e066ee8 100644
4047 +--- a/include/linux/bvec.h
4048 ++++ b/include/linux/bvec.h
4049 +@@ -110,11 +110,18 @@ static inline bool bvec_iter_advance(const struct bio_vec *bv,
4050 + return true;
4051 + }
4052 +
4053 ++static inline void bvec_iter_skip_zero_bvec(struct bvec_iter *iter)
4054 ++{
4055 ++ iter->bi_bvec_done = 0;
4056 ++ iter->bi_idx++;
4057 ++}
4058 ++
4059 + #define for_each_bvec(bvl, bio_vec, iter, start) \
4060 + for (iter = (start); \
4061 + (iter).bi_size && \
4062 + ((bvl = bvec_iter_bvec((bio_vec), (iter))), 1); \
4063 +- bvec_iter_advance((bio_vec), &(iter), (bvl).bv_len))
4064 ++ (bvl).bv_len ? (void)bvec_iter_advance((bio_vec), &(iter), \
4065 ++ (bvl).bv_len) : bvec_iter_skip_zero_bvec(&(iter)))
4066 +
4067 + /* for iterating one bio from start to end */
4068 + #define BVEC_ITER_ALL_INIT (struct bvec_iter) \
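Review bot: bvec_iter_skip_zero_bvec has no comment, and the reason for_each_bvec needs it is not obvious from the macro. The helper bumps `bi_idx` without consulting `bi_size` or the length of the bio_vec array, so it relies on the loop's `(iter).bi_size` test and on the iterator being consistent with the array. A comment above the helper should state this, for example `/* Step over a zero-length bvec, which bvec_iter_advance() would not move past; the caller must still have bytes left in bi_size. */`.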
4069 +diff --git a/include/linux/libata.h b/include/linux/libata.h
4070 +index b9970f5bab67c..e752368ea3516 100644
4071 +--- a/include/linux/libata.h
4072 ++++ b/include/linux/libata.h
4073 +@@ -422,6 +422,7 @@ enum {
4074 + ATA_HORKAGE_NO_DMA_LOG = (1 << 23), /* don't use DMA for log read */
4075 + ATA_HORKAGE_NOTRIM = (1 << 24), /* don't use TRIM */
4076 + ATA_HORKAGE_MAX_SEC_1024 = (1 << 25), /* Limit max sects to 1024 */
4077 ++ ATA_HORKAGE_MAX_TRIM_128M = (1 << 26), /* Limit max trim size to 128M */
4078 +
4079 + /* DMA mask for user DMA control: User visible values; DO NOT
4080 + renumber */
4081 +diff --git a/include/linux/log2.h b/include/linux/log2.h
4082 +index 83a4a3ca3e8a7..c619ec6eff4ae 100644
4083 +--- a/include/linux/log2.h
4084 ++++ b/include/linux/log2.h
4085 +@@ -173,7 +173,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n)
4086 + #define roundup_pow_of_two(n) \
4087 + ( \
4088 + __builtin_constant_p(n) ? ( \
4089 +- (n == 1) ? 1 : \
4090 ++ ((n) == 1) ? 1 : \
4091 + (1UL << (ilog2((n) - 1) + 1)) \
4092 + ) : \
4093 + __roundup_pow_of_two(n) \
4094 +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
4095 +index 851425c3178f1..89016d08f6a27 100644
4096 +--- a/include/linux/netfilter/nfnetlink.h
4097 ++++ b/include/linux/netfilter/nfnetlink.h
4098 +@@ -43,8 +43,7 @@ int nfnetlink_has_listeners(struct net *net, unsigned int group);
4099 + int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid,
4100 + unsigned int group, int echo, gfp_t flags);
4101 + int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error);
4102 +-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
4103 +- int flags);
4104 ++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid);
4105 +
4106 + static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type)
4107 + {
4108 +diff --git a/include/net/af_rxrpc.h b/include/net/af_rxrpc.h
4109 +index ab988940bf045..55b980b21f4b4 100644
4110 +--- a/include/net/af_rxrpc.h
4111 ++++ b/include/net/af_rxrpc.h
4112 +@@ -59,7 +59,7 @@ bool rxrpc_kernel_abort_call(struct socket *, struct rxrpc_call *,
4113 + void rxrpc_kernel_end_call(struct socket *, struct rxrpc_call *);
4114 + void rxrpc_kernel_get_peer(struct socket *, struct rxrpc_call *,
4115 + struct sockaddr_rxrpc *);
4116 +-u32 rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *);
4117 ++bool rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *, u32 *);
4118 + int rxrpc_kernel_charge_accept(struct socket *, rxrpc_notify_rx_t,
4119 + rxrpc_user_attach_call_t, unsigned long, gfp_t,
4120 + unsigned int);
4121 +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
4122 +index 2d0275f13bbfd..bc2c73f549622 100644
4123 +--- a/include/net/netfilter/nf_tables.h
4124 ++++ b/include/net/netfilter/nf_tables.h
4125 +@@ -143,6 +143,8 @@ static inline u64 nft_reg_load64(u32 *sreg)
4126 + static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
4127 + unsigned int len)
4128 + {
4129 ++ if (len % NFT_REG32_SIZE)
4130 ++ dst[len / NFT_REG32_SIZE] = 0;
4131 + memcpy(dst, src, len);
4132 + }
4133 +
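Review bot: nft_data_copy now stores to `dst[len / NFT_REG32_SIZE]` when `len` is not a multiple of the register size, so it writes up to the next register boundary past `len`. The requirement that `dst` has room for the rounded-up length is not stated anywhere in the helper. A comment would make both the intent and the precondition explicit, for example `/* Zero the last, partially filled register first so its tail bytes hold no stale data; dst must have room for len rounded up to NFT_REG32_SIZE. */`. The stated purpose of the zeroing is inferred from the code, not from text in this hunk.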
4134 +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
4135 +index ed8881ad18edd..0a995403172cc 100644
4136 +--- a/include/uapi/linux/netfilter/nf_tables.h
4137 ++++ b/include/uapi/linux/netfilter/nf_tables.h
4138 +@@ -132,7 +132,7 @@ enum nf_tables_msg_types {
4139 + * @NFTA_LIST_ELEM: list element (NLA_NESTED)
4140 + */
4141 + enum nft_list_attributes {
4142 +- NFTA_LIST_UNPEC,
4143 ++ NFTA_LIST_UNSPEC,
4144 + NFTA_LIST_ELEM,
4145 + __NFTA_LIST_MAX
4146 + };
4147 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
4148 +index 2a83b03c54a69..62ec514dae658 100644
4149 +--- a/mm/hugetlb.c
4150 ++++ b/mm/hugetlb.c
4151 +@@ -3082,6 +3082,22 @@ static unsigned int cpuset_mems_nr(unsigned int *array)
4152 + }
4153 +
4154 + #ifdef CONFIG_SYSCTL
4155 ++static int proc_hugetlb_doulongvec_minmax(struct ctl_table *table, int write,
4156 ++ void *buffer, size_t *length,
4157 ++ loff_t *ppos, unsigned long *out)
4158 ++{
4159 ++ struct ctl_table dup_table;
4160 ++
4161 ++ /*
4162 ++ * In order to avoid races with __do_proc_doulongvec_minmax(), we
4163 ++ * can duplicate the @table and alter the duplicate of it.
4164 ++ */
4165 ++ dup_table = *table;
4166 ++ dup_table.data = out;
4167 ++
4168 ++ return proc_doulongvec_minmax(&dup_table, write, buffer, length, ppos);
4169 ++}
4170 ++
4171 + static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
4172 + struct ctl_table *table, int write,
4173 + void __user *buffer, size_t *length, loff_t *ppos)
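Review bot: proc_hugetlb_doulongvec_minmax declares its parameter as `void *buffer`, while hugetlb_sysctl_handler_common directly below receives `void __user *buffer` and passes it straight through. The address-space annotation is thus dropped at the helper boundary, which hides the fact that this is a user pointer from sparse and from readers; the parameter should be `void __user *buffer`. Separately, the two later hunks remove `table->maxlen = sizeof(unsigned long);` and the helper sets only `dup_table.data`. The copy therefore inherits `maxlen` from the registered table, whose definition is not on this page, and that is worth confirming or setting explicitly in the duplicate.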
4174 +@@ -3093,9 +3109,8 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
4175 + if (!hugepages_supported())
4176 + return -EOPNOTSUPP;
4177 +
4178 +- table->data = &tmp;
4179 +- table->maxlen = sizeof(unsigned long);
4180 +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
4181 ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos,
4182 ++ &tmp);
4183 + if (ret)
4184 + goto out;
4185 +
4186 +@@ -3139,9 +3154,8 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
4187 + if (write && hstate_is_gigantic(h))
4188 + return -EINVAL;
4189 +
4190 +- table->data = &tmp;
4191 +- table->maxlen = sizeof(unsigned long);
4192 +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
4193 ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos,
4194 ++ &tmp);
4195 + if (ret)
4196 + goto out;
4197 +
4198 +diff --git a/mm/khugepaged.c b/mm/khugepaged.c
4199 +index 3623d1c5343f2..9ec618d5ea557 100644
4200 +--- a/mm/khugepaged.c
4201 ++++ b/mm/khugepaged.c
4202 +@@ -1592,7 +1592,7 @@ static void collapse_file(struct mm_struct *mm,
4203 + xas_unlock_irq(&xas);
4204 + page_cache_sync_readahead(mapping, &file->f_ra,
4205 + file, index,
4206 +- PAGE_SIZE);
4207 ++ end - index);
4208 + /* drain pagevecs to help isolate_lru_page() */
4209 + lru_add_drain();
4210 + page = find_lock_page(mapping, index);
4211 +diff --git a/mm/madvise.c b/mm/madvise.c
4212 +index d8cfc3a0c1534..26f7954865ed9 100644
4213 +--- a/mm/madvise.c
4214 ++++ b/mm/madvise.c
4215 +@@ -288,9 +288,9 @@ static long madvise_willneed(struct vm_area_struct *vma,
4216 + */
4217 + *prev = NULL; /* tell sys_madvise we drop mmap_sem */
4218 + get_file(file);
4219 +- up_read(&current->mm->mmap_sem);
4220 + offset = (loff_t)(start - vma->vm_start)
4221 + + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
4222 ++ up_read(&current->mm->mmap_sem);
4223 + vfs_fadvise(file, offset, end - start, POSIX_FADV_WILLNEED);
4224 + fput(file);
4225 + down_read(&current->mm->mmap_sem);
4226 +diff --git a/mm/slub.c b/mm/slub.c
4227 +index 709e31002504c..822ba07245291 100644
4228 +--- a/mm/slub.c
4229 ++++ b/mm/slub.c
4230 +@@ -645,12 +645,12 @@ static void slab_fix(struct kmem_cache *s, char *fmt, ...)
4231 + }
4232 +
4233 + static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
4234 +- void *freelist, void *nextfree)
4235 ++ void **freelist, void *nextfree)
4236 + {
4237 + if ((s->flags & SLAB_CONSISTENCY_CHECKS) &&
4238 +- !check_valid_pointer(s, page, nextfree)) {
4239 +- object_err(s, page, freelist, "Freechain corrupt");
4240 +- freelist = NULL;
4241 ++ !check_valid_pointer(s, page, nextfree) && freelist) {
4242 ++ object_err(s, page, *freelist, "Freechain corrupt");
4243 ++ *freelist = NULL;
4244 + slab_fix(s, "Isolate corrupted freechain");
4245 + return true;
4246 + }
4247 +@@ -1394,7 +1394,7 @@ static inline void dec_slabs_node(struct kmem_cache *s, int node,
4248 + int objects) {}
4249 +
4250 + static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
4251 +- void *freelist, void *nextfree)
4252 ++ void **freelist, void *nextfree)
4253 + {
4254 + return false;
4255 + }
4256 +@@ -2086,7 +2086,7 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page,
4257 + * 'freelist' is already corrupted. So isolate all objects
4258 + * starting at 'freelist'.
4259 + */
4260 +- if (freelist_corrupted(s, page, freelist, nextfree))
4261 ++ if (freelist_corrupted(s, page, &freelist, nextfree))
4262 + break;
4263 +
4264 + do {
4265 +diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
4266 +index a9e7540c56918..3165f6ff8ee71 100644
4267 +--- a/net/batman-adv/bat_v_ogm.c
4268 ++++ b/net/batman-adv/bat_v_ogm.c
4269 +@@ -878,6 +878,12 @@ static void batadv_v_ogm_process(const struct sk_buff *skb, int ogm_offset,
4270 + ntohl(ogm_packet->seqno), ogm_throughput, ogm_packet->ttl,
4271 + ogm_packet->version, ntohs(ogm_packet->tvlv_len));
4272 +
4273 ++ if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) {
4274 ++ batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
4275 ++ "Drop packet: originator packet from ourself\n");
4276 ++ return;
4277 ++ }
4278 ++
4279 + /* If the throughput metric is 0, immediately drop the packet. No need
4280 + * to create orig_node / neigh_node for an unusable route.
4281 + */
4282 +@@ -1005,11 +1011,6 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb,
4283 + if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
4284 + goto free_skb;
4285 +
4286 +- ogm_packet = (struct batadv_ogm2_packet *)skb->data;
4287 +-
4288 +- if (batadv_is_my_mac(bat_priv, ogm_packet->orig))
4289 +- goto free_skb;
4290 +-
4291 + batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_RX);
4292 + batadv_add_counter(bat_priv, BATADV_CNT_MGMT_RX_BYTES,
4293 + skb->len + ETH_HLEN);
4294 +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
4295 +index 663a53b6d36e6..5f6309ade1ea1 100644
4296 +--- a/net/batman-adv/bridge_loop_avoidance.c
4297 ++++ b/net/batman-adv/bridge_loop_avoidance.c
4298 +@@ -437,7 +437,10 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac,
4299 + batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
4300 + skb->len + ETH_HLEN);
4301 +
4302 +- netif_rx(skb);
4303 ++ if (in_interrupt())
4304 ++ netif_rx(skb);
4305 ++ else
4306 ++ netif_rx_ni(skb);
4307 + out:
4308 + if (primary_if)
4309 + batadv_hardif_put(primary_if);
4310 +diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
4311 +index 47df4c6789886..89c9097007c3a 100644
4312 +--- a/net/batman-adv/gateway_client.c
4313 ++++ b/net/batman-adv/gateway_client.c
4314 +@@ -703,8 +703,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len,
4315 +
4316 + chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET;
4317 + /* store the client address if the message is going to a client */
4318 +- if (ret == BATADV_DHCP_TO_CLIENT &&
4319 +- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) {
4320 ++ if (ret == BATADV_DHCP_TO_CLIENT) {
4321 ++ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN))
4322 ++ return BATADV_DHCP_NO;
4323 ++
4324 + /* check if the DHCP packet carries an Ethernet DHCP */
4325 + p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET;
4326 + if (*p != BATADV_DHCP_HTYPE_ETHERNET)
4327 +diff --git a/net/core/dev.c b/net/core/dev.c
4328 +index 25858f1f67cf7..56cd7b83a3829 100644
4329 +--- a/net/core/dev.c
4330 ++++ b/net/core/dev.c
4331 +@@ -5602,12 +5602,13 @@ static void napi_skb_free_stolen_head(struct sk_buff *skb)
4332 + kmem_cache_free(skbuff_head_cache, skb);
4333 + }
4334 +
4335 +-static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb)
4336 ++static gro_result_t napi_skb_finish(struct napi_struct *napi,
4337 ++ struct sk_buff *skb,
4338 ++ gro_result_t ret)
4339 + {
4340 + switch (ret) {
4341 + case GRO_NORMAL:
4342 +- if (netif_receive_skb_internal(skb))
4343 +- ret = GRO_DROP;
4344 ++ gro_normal_one(napi, skb);
4345 + break;
4346 +
4347 + case GRO_DROP:
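Review bot: In the `GRO_NORMAL` case of `napi_skb_finish()` the result of delivery is no longer folded into `ret`, so `napi_gro_receive()` now returns `GRO_NORMAL` whatever later happens to the skb, and nothing in the code says so. A one-line comment would record the change in contract, for example `/* delivery is handed to gro_normal_one(); a later drop is not reflected in ret */`. This assumes `gro_normal_one()` returns nothing useful, which is how it is called here but is not shown in the hunk. The switch continues beyond the hunk.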
4348 +@@ -5639,7 +5640,7 @@ gro_result_t napi_gro_receive(struct napi_struct *napi, struct sk_buff *skb)
4349 +
4350 + skb_gro_reset_offset(skb);
4351 +
4352 +- ret = napi_skb_finish(dev_gro_receive(napi, skb), skb);
4353 ++ ret = napi_skb_finish(napi, skb, dev_gro_receive(napi, skb));
4354 + trace_napi_gro_receive_exit(ret);
4355 +
4356 + return ret;
4357 +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
4358 +index f7129232c8250..2023650c27249 100644
4359 +--- a/net/netfilter/nf_tables_api.c
4360 ++++ b/net/netfilter/nf_tables_api.c
4361 +@@ -744,11 +744,11 @@ static int nf_tables_gettable(struct net *net, struct sock *nlsk,
4362 + nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
4363 + family, table);
4364 + if (err < 0)
4365 +- goto err;
4366 ++ goto err_fill_table_info;
4367 +
4368 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4369 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4370 +
4371 +-err:
4372 ++err_fill_table_info:
4373 + kfree_skb(skb2);
4374 + return err;
4375 + }
4376 +@@ -1443,11 +1443,11 @@ static int nf_tables_getchain(struct net *net, struct sock *nlsk,
4377 + nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
4378 + family, table, chain);
4379 + if (err < 0)
4380 +- goto err;
4381 ++ goto err_fill_chain_info;
4382 +
4383 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4384 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4385 +
4386 +-err:
4387 ++err_fill_chain_info:
4388 + kfree_skb(skb2);
4389 + return err;
4390 + }
4391 +@@ -2622,11 +2622,11 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
4392 + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
4393 + family, table, chain, rule, NULL);
4394 + if (err < 0)
4395 +- goto err;
4396 ++ goto err_fill_rule_info;
4397 +
4398 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4399 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4400 +
4401 +-err:
4402 ++err_fill_rule_info:
4403 + kfree_skb(skb2);
4404 + return err;
4405 + }
4406 +@@ -3353,7 +3353,8 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
4407 + goto nla_put_failure;
4408 + }
4409 +
4410 +- if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4411 ++ if (set->udata &&
4412 ++ nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
4413 + goto nla_put_failure;
4414 +
4415 + desc = nla_nest_start_noflag(skb, NFTA_SET_DESC);
4416 +@@ -3525,11 +3526,11 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk,
4417 +
4418 + err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
4419 + if (err < 0)
4420 +- goto err;
4421 ++ goto err_fill_set_info;
4422 +
4423 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4424 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4425 +
4426 +-err:
4427 ++err_fill_set_info:
4428 + kfree_skb(skb2);
4429 + return err;
4430 + }
4431 +@@ -4304,24 +4305,18 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
4432 + err = -ENOMEM;
4433 + skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
4434 + if (skb == NULL)
4435 +- goto err1;
4436 ++ return err;
4437 +
4438 + err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
4439 + NFT_MSG_NEWSETELEM, 0, set, &elem);
4440 + if (err < 0)
4441 +- goto err2;
4442 ++ goto err_fill_setelem;
4443 +
4444 +- err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
4445 +- /* This avoids a loop in nfnetlink. */
4446 +- if (err < 0)
4447 +- goto err1;
4448 ++ return nfnetlink_unicast(skb, ctx->net, ctx->portid);
4449 +
4450 +- return 0;
4451 +-err2:
4452 ++err_fill_setelem:
4453 + kfree_skb(skb);
4454 +-err1:
4455 +- /* this avoids a loop in nfnetlink. */
4456 +- return err == -EAGAIN ? -ENOBUFS : err;
4457 ++ return err;
4458 + }
4459 +
4460 + /* called with rcu_read_lock held */
4461 +@@ -5498,10 +5493,11 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk,
4462 + nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
4463 + family, table, obj, reset);
4464 + if (err < 0)
4465 +- goto err;
4466 ++ goto err_fill_obj_info;
4467 +
4468 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4469 +-err:
4470 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4471 ++
4472 ++err_fill_obj_info:
4473 + kfree_skb(skb2);
4474 + return err;
4475 + }
4476 +@@ -6173,10 +6169,11 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
4477 + NFT_MSG_NEWFLOWTABLE, 0, family,
4478 + flowtable);
4479 + if (err < 0)
4480 +- goto err;
4481 ++ goto err_fill_flowtable_info;
4482 +
4483 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4484 +-err:
4485 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4486 ++
4487 ++err_fill_flowtable_info:
4488 + kfree_skb(skb2);
4489 + return err;
4490 + }
4491 +@@ -6337,10 +6334,11 @@ static int nf_tables_getgen(struct net *net, struct sock *nlsk,
4492 + err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
4493 + nlh->nlmsg_seq);
4494 + if (err < 0)
4495 +- goto err;
4496 ++ goto err_fill_gen_info;
4497 +
4498 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
4499 +-err:
4500 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
4501 ++
4502 ++err_fill_gen_info:
4503 + kfree_skb(skb2);
4504 + return err;
4505 + }
4506 +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
4507 +index 99127e2d95a84..6d03b09096210 100644
4508 +--- a/net/netfilter/nfnetlink.c
4509 ++++ b/net/netfilter/nfnetlink.c
4510 +@@ -148,10 +148,15 @@ int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error)
4511 + }
4512 + EXPORT_SYMBOL_GPL(nfnetlink_set_err);
4513 +
4514 +-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
4515 +- int flags)
4516 ++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid)
4517 + {
4518 +- return netlink_unicast(net->nfnl, skb, portid, flags);
4519 ++ int err;
4520 ++
4521 ++ err = nlmsg_unicast(net->nfnl, skb, portid);
4522 ++ if (err == -EAGAIN)
4523 ++ err = -ENOBUFS;
4524 ++
4525 ++ return err;
4526 + }
4527 + EXPORT_SYMBOL_GPL(nfnetlink_unicast);
4528 +
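Review bot: The `-EAGAIN` to `-ENOBUFS` translation in the new `nfnetlink_unicast()` has no comment, while the code it replaces in `nft_get_set_elem()` carried one (`/* This avoids a loop in nfnetlink. */`). Every caller now inherits the mapping, so the reason belongs above the `if`, for example `/* never hand -EAGAIN back to nfnetlink, it would loop; report -ENOBUFS */`. The comment in `nfnetlink_queue.c` says this function "will either free the nskb or add it to a socket"; stating that ownership rule in a kernel-doc line here would help callers avoid freeing `skb` a second time on error.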
4529 +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
4530 +index 0ba020ca38e68..7ca2ca4bba055 100644
4531 +--- a/net/netfilter/nfnetlink_log.c
4532 ++++ b/net/netfilter/nfnetlink_log.c
4533 +@@ -356,8 +356,7 @@ __nfulnl_send(struct nfulnl_instance *inst)
4534 + goto out;
4535 + }
4536 + }
4537 +- nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
4538 +- MSG_DONTWAIT);
4539 ++ nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid);
4540 + out:
4541 + inst->qlen = 0;
4542 + inst->skb = NULL;
4543 +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
4544 +index feabdfb22920b..6f0a2bad8ad5e 100644
4545 +--- a/net/netfilter/nfnetlink_queue.c
4546 ++++ b/net/netfilter/nfnetlink_queue.c
4547 +@@ -681,7 +681,7 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
4548 + *packet_id_ptr = htonl(entry->id);
4549 +
4550 + /* nfnetlink_unicast will either free the nskb or add it to a socket */
4551 +- err = nfnetlink_unicast(nskb, net, queue->peer_portid, MSG_DONTWAIT);
4552 ++ err = nfnetlink_unicast(nskb, net, queue->peer_portid);
4553 + if (err < 0) {
4554 + if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
4555 + failopen = 1;
4556 +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
4557 +index 0e3bfbc26e790..62dc728bf93c9 100644
4558 +--- a/net/netfilter/nft_payload.c
4559 ++++ b/net/netfilter/nft_payload.c
4560 +@@ -79,7 +79,9 @@ void nft_payload_eval(const struct nft_expr *expr,
4561 + u32 *dest = &regs->data[priv->dreg];
4562 + int offset;
4563 +
4564 +- dest[priv->len / NFT_REG32_SIZE] = 0;
4565 ++ if (priv->len % NFT_REG32_SIZE)
4566 ++ dest[priv->len / NFT_REG32_SIZE] = 0;
4567 ++
4568 + switch (priv->base) {
4569 + case NFT_PAYLOAD_LL_HEADER:
4570 + if (!skb_mac_header_was_set(skb))
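Review bot: The new `if (priv->len % NFT_REG32_SIZE)` guard in `nft_payload_eval()` needs a comment saying why the store is conditional. When `priv->len` is an exact multiple of `NFT_REG32_SIZE`, `dest[priv->len / NFT_REG32_SIZE]` is the register after the loaded data rather than its padded tail, so the old unconditional store zeroed a register this load does not fill. Something like `/* pad only a partially filled last register; a full-width load has no tail */` records that. Whether other expressions pad a register the same way is not visible here and is worth checking. The function continues beyond the hunk.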
4571 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
4572 +index 7735340c892eb..fbc2d4dfddf0e 100644
4573 +--- a/net/packet/af_packet.c
4574 ++++ b/net/packet/af_packet.c
4575 +@@ -2169,7 +2169,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
4576 + int skb_len = skb->len;
4577 + unsigned int snaplen, res;
4578 + unsigned long status = TP_STATUS_USER;
4579 +- unsigned short macoff, netoff, hdrlen;
4580 ++ unsigned short macoff, hdrlen;
4581 ++ unsigned int netoff;
4582 + struct sk_buff *copy_skb = NULL;
4583 + struct timespec ts;
4584 + __u32 ts_status;
4585 +@@ -2238,6 +2239,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
4586 + }
4587 + macoff = netoff - maclen;
4588 + }
4589 ++ if (netoff > USHRT_MAX) {
4590 ++ atomic_inc(&po->tp_drops);
4591 ++ goto drop_n_restore;
4592 ++ }
4593 + if (po->tp_version <= TPACKET_V2) {
4594 + if (macoff + snaplen > po->rx_ring.frame_size) {
4595 + if (po->copy_thresh &&
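Review bot: In `tpacket_rcv()` the new `netoff > USHRT_MAX` check sits after `macoff = netoff - maclen`, and `macoff` remains `unsigned short` while `netoff` was widened to `unsigned int` in the previous hunk. On the path visible here the truncated `macoff` is not used before the drop, but that depends on statement order, and the assignments to `netoff` on the other branch are outside the hunk. The bound is also unexplained; a comment such as `/* netoff must fit in 16 bits downstream; drop instead of letting it wrap */` would help, with the exact consumer confirmed against the code outside this hunk. The function starts and ends outside both hunks.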
4596 +diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
4597 +index 22dec6049e1bb..6cace43b217ee 100644
4598 +--- a/net/rxrpc/input.c
4599 ++++ b/net/rxrpc/input.c
4600 +@@ -844,7 +844,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
4601 + struct rxrpc_ackinfo info;
4602 + u8 acks[RXRPC_MAXACKS];
4603 + } buf;
4604 +- rxrpc_serial_t acked_serial;
4605 ++ rxrpc_serial_t ack_serial, acked_serial;
4606 + rxrpc_seq_t first_soft_ack, hard_ack, prev_pkt;
4607 + int nr_acks, offset, ioffset;
4608 +
4609 +@@ -857,6 +857,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
4610 + }
4611 + offset += sizeof(buf.ack);
4612 +
4613 ++ ack_serial = sp->hdr.serial;
4614 + acked_serial = ntohl(buf.ack.serial);
4615 + first_soft_ack = ntohl(buf.ack.firstPacket);
4616 + prev_pkt = ntohl(buf.ack.previousPacket);
4617 +@@ -865,31 +866,31 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
4618 + summary.ack_reason = (buf.ack.reason < RXRPC_ACK__INVALID ?
4619 + buf.ack.reason : RXRPC_ACK__INVALID);
4620 +
4621 +- trace_rxrpc_rx_ack(call, sp->hdr.serial, acked_serial,
4622 ++ trace_rxrpc_rx_ack(call, ack_serial, acked_serial,
4623 + first_soft_ack, prev_pkt,
4624 + summary.ack_reason, nr_acks);
4625 +
4626 + if (buf.ack.reason == RXRPC_ACK_PING_RESPONSE)
4627 + rxrpc_input_ping_response(call, skb->tstamp, acked_serial,
4628 +- sp->hdr.serial);
4629 ++ ack_serial);
4630 + if (buf.ack.reason == RXRPC_ACK_REQUESTED)
4631 + rxrpc_input_requested_ack(call, skb->tstamp, acked_serial,
4632 +- sp->hdr.serial);
4633 ++ ack_serial);
4634 +
4635 + if (buf.ack.reason == RXRPC_ACK_PING) {
4636 +- _proto("Rx ACK %%%u PING Request", sp->hdr.serial);
4637 ++ _proto("Rx ACK %%%u PING Request", ack_serial);
4638 + rxrpc_propose_ACK(call, RXRPC_ACK_PING_RESPONSE,
4639 +- sp->hdr.serial, true, true,
4640 ++ ack_serial, true, true,
4641 + rxrpc_propose_ack_respond_to_ping);
4642 + } else if (sp->hdr.flags & RXRPC_REQUEST_ACK) {
4643 + rxrpc_propose_ACK(call, RXRPC_ACK_REQUESTED,
4644 +- sp->hdr.serial, true, true,
4645 ++ ack_serial, true, true,
4646 + rxrpc_propose_ack_respond_to_ack);
4647 + }
4648 +
4649 + /* Discard any out-of-order or duplicate ACKs (outside lock). */
4650 + if (!rxrpc_is_ack_valid(call, first_soft_ack, prev_pkt)) {
4651 +- trace_rxrpc_rx_discard_ack(call->debug_id, sp->hdr.serial,
4652 ++ trace_rxrpc_rx_discard_ack(call->debug_id, ack_serial,
4653 + first_soft_ack, call->ackr_first_seq,
4654 + prev_pkt, call->ackr_prev_seq);
4655 + return;
4656 +@@ -905,7 +906,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
4657 +
4658 + /* Discard any out-of-order or duplicate ACKs (inside lock). */
4659 + if (!rxrpc_is_ack_valid(call, first_soft_ack, prev_pkt)) {
4660 +- trace_rxrpc_rx_discard_ack(call->debug_id, sp->hdr.serial,
4661 ++ trace_rxrpc_rx_discard_ack(call->debug_id, ack_serial,
4662 + first_soft_ack, call->ackr_first_seq,
4663 + prev_pkt, call->ackr_prev_seq);
4664 + goto out;
4665 +@@ -965,7 +966,7 @@ static void rxrpc_input_ack(struct rxrpc_call *call, struct sk_buff *skb)
4666 + RXRPC_TX_ANNO_LAST &&
4667 + summary.nr_acks == call->tx_top - hard_ack &&
4668 + rxrpc_is_client_call(call))
4669 +- rxrpc_propose_ACK(call, RXRPC_ACK_PING, sp->hdr.serial,
4670 ++ rxrpc_propose_ACK(call, RXRPC_ACK_PING, ack_serial,
4671 + false, true,
4672 + rxrpc_propose_ack_ping_for_lost_reply);
4673 +
4674 +diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
4675 +index efce27802a74f..e011594adcd13 100644
4676 +--- a/net/rxrpc/peer_object.c
4677 ++++ b/net/rxrpc/peer_object.c
4678 +@@ -500,11 +500,21 @@ EXPORT_SYMBOL(rxrpc_kernel_get_peer);
4679 + * rxrpc_kernel_get_srtt - Get a call's peer smoothed RTT
4680 + * @sock: The socket on which the call is in progress.
4681 + * @call: The call to query
4682 ++ * @_srtt: Where to store the SRTT value.
4683 + *
4684 +- * Get the call's peer smoothed RTT.
4685 ++ * Get the call's peer smoothed RTT in uS.
4686 + */
4687 +-u32 rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call)
4688 ++bool rxrpc_kernel_get_srtt(struct socket *sock, struct rxrpc_call *call,
4689 ++ u32 *_srtt)
4690 + {
4691 +- return call->peer->srtt_us >> 3;
4692 ++ struct rxrpc_peer *peer = call->peer;
4693 ++
4694 ++ if (peer->rtt_count == 0) {
4695 ++ *_srtt = 1000000; /* 1S */
4696 ++ return false;
4697 ++ }
4698 ++
4699 ++ *_srtt = call->peer->srtt_us >> 3;
4700 ++ return true;
4701 + }
4702 + EXPORT_SYMBOL(rxrpc_kernel_get_srtt);
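Review bot: `rxrpc_kernel_get_srtt()` introduces the local `peer` but the final store still reads `call->peer->srtt_us`; use the local for both reads, `*_srtt = peer->srtt_us >> 3;`, so it is clear that `rtt_count` and `srtt_us` come from the same peer. The kernel-doc gained `@_srtt` but no return description; add a line such as `Return: true if an RTT sample exists, false if *_srtt was set to the 1 s default.`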
4703 +diff --git a/net/wireless/reg.c b/net/wireless/reg.c
4704 +index 1a8218f1bbe07..20a8e6af88c45 100644
4705 +--- a/net/wireless/reg.c
4706 ++++ b/net/wireless/reg.c
4707 +@@ -2941,6 +2941,9 @@ int regulatory_hint_user(const char *alpha2,
4708 + if (WARN_ON(!alpha2))
4709 + return -EINVAL;
4710 +
4711 ++ if (!is_world_regdom(alpha2) && !is_an_alpha2(alpha2))
4712 ++ return -EINVAL;
4713 ++
4714 + request = kzalloc(sizeof(struct regulatory_request), GFP_KERNEL);
4715 + if (!request)
4716 + return -ENOMEM;
4717 +diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
4718 +index 6fcc66afb0880..0c9b114202796 100755
4719 +--- a/scripts/checkpatch.pl
4720 ++++ b/scripts/checkpatch.pl
4721 +@@ -2576,8 +2576,8 @@ sub process {
4722 +
4723 + # Check if the commit log has what seems like a diff which can confuse patch
4724 + if ($in_commit_log && !$commit_log_has_diff &&
4725 +- (($line =~ m@^\s+diff\b.*a/[\w/]+@ &&
4726 +- $line =~ m@^\s+diff\b.*a/([\w/]+)\s+b/$1\b@) ||
4727 ++ (($line =~ m@^\s+diff\b.*a/([\w/]+)@ &&
4728 ++ $line =~ m@^\s+diff\b.*a/[\w/]+\s+b/$1\b@) ||
4729 + $line =~ m@^\s*(?:\-\-\-\s+a/|\+\+\+\s+b/)@ ||
4730 + $line =~ m/^\s*\@\@ \-\d+,\d+ \+\d+,\d+ \@\@/)) {
4731 + ERROR("DIFF_IN_COMMIT_MSG",
4732 +diff --git a/sound/core/oss/mulaw.c b/sound/core/oss/mulaw.c
4733 +index 3788906421a73..fe27034f28460 100644
4734 +--- a/sound/core/oss/mulaw.c
4735 ++++ b/sound/core/oss/mulaw.c
4736 +@@ -329,8 +329,8 @@ int snd_pcm_plugin_build_mulaw(struct snd_pcm_substream *plug,
4737 + snd_BUG();
4738 + return -EINVAL;
4739 + }
4740 +- if (snd_BUG_ON(!snd_pcm_format_linear(format->format)))
4741 +- return -ENXIO;
4742 ++ if (!snd_pcm_format_linear(format->format))
4743 ++ return -EINVAL;
4744 +
4745 + err = snd_pcm_plugin_build(plug, "Mu-Law<->linear conversion",
4746 + src_format, dst_format,
4747 +diff --git a/sound/firewire/digi00x/digi00x.c b/sound/firewire/digi00x/digi00x.c
4748 +index 1f5fc0e7c0243..0e4b0eac30159 100644
4749 +--- a/sound/firewire/digi00x/digi00x.c
4750 ++++ b/sound/firewire/digi00x/digi00x.c
4751 +@@ -14,6 +14,7 @@ MODULE_LICENSE("GPL v2");
4752 + #define VENDOR_DIGIDESIGN 0x00a07e
4753 + #define MODEL_CONSOLE 0x000001
4754 + #define MODEL_RACK 0x000002
4755 ++#define SPEC_VERSION 0x000001
4756 +
4757 + static int name_card(struct snd_dg00x *dg00x)
4758 + {
4759 +@@ -175,14 +176,18 @@ static const struct ieee1394_device_id snd_dg00x_id_table[] = {
4760 + /* Both of 002/003 use the same ID. */
4761 + {
4762 + .match_flags = IEEE1394_MATCH_VENDOR_ID |
4763 ++ IEEE1394_MATCH_VERSION |
4764 + IEEE1394_MATCH_MODEL_ID,
4765 + .vendor_id = VENDOR_DIGIDESIGN,
4766 ++ .version = SPEC_VERSION,
4767 + .model_id = MODEL_CONSOLE,
4768 + },
4769 + {
4770 + .match_flags = IEEE1394_MATCH_VENDOR_ID |
4771 ++ IEEE1394_MATCH_VERSION |
4772 + IEEE1394_MATCH_MODEL_ID,
4773 + .vendor_id = VENDOR_DIGIDESIGN,
4774 ++ .version = SPEC_VERSION,
4775 + .model_id = MODEL_RACK,
4776 + },
4777 + {}
4778 +diff --git a/sound/firewire/tascam/tascam.c b/sound/firewire/tascam/tascam.c
4779 +index addc464503bcf..0175e3e835ead 100644
4780 +--- a/sound/firewire/tascam/tascam.c
4781 ++++ b/sound/firewire/tascam/tascam.c
4782 +@@ -39,9 +39,6 @@ static const struct snd_tscm_spec model_specs[] = {
4783 + .midi_capture_ports = 2,
4784 + .midi_playback_ports = 4,
4785 + },
4786 +- // This kernel module doesn't support FE-8 because the most of features
4787 +- // can be implemented in userspace without any specific support of this
4788 +- // module.
4789 + };
4790 +
4791 + static int identify_model(struct snd_tscm *tscm)
4792 +@@ -211,11 +208,39 @@ static void snd_tscm_remove(struct fw_unit *unit)
4793 + }
4794 +
4795 + static const struct ieee1394_device_id snd_tscm_id_table[] = {
4796 ++ // Tascam, FW-1884.
4797 ++ {
4798 ++ .match_flags = IEEE1394_MATCH_VENDOR_ID |
4799 ++ IEEE1394_MATCH_SPECIFIER_ID |
4800 ++ IEEE1394_MATCH_VERSION,
4801 ++ .vendor_id = 0x00022e,
4802 ++ .specifier_id = 0x00022e,
4803 ++ .version = 0x800000,
4804 ++ },
4805 ++ // Tascam, FE-8 (.version = 0x800001)
4806 ++ // This kernel module doesn't support FE-8 because the most of features
4807 ++ // can be implemented in userspace without any specific support of this
4808 ++ // module.
4809 ++ //
4810 ++ // .version = 0x800002 is unknown.
4811 ++ //
4812 ++ // Tascam, FW-1082.
4813 ++ {
4814 ++ .match_flags = IEEE1394_MATCH_VENDOR_ID |
4815 ++ IEEE1394_MATCH_SPECIFIER_ID |
4816 ++ IEEE1394_MATCH_VERSION,
4817 ++ .vendor_id = 0x00022e,
4818 ++ .specifier_id = 0x00022e,
4819 ++ .version = 0x800003,
4820 ++ },
4821 ++ // Tascam, FW-1804.
4822 + {
4823 + .match_flags = IEEE1394_MATCH_VENDOR_ID |
4824 +- IEEE1394_MATCH_SPECIFIER_ID,
4825 ++ IEEE1394_MATCH_SPECIFIER_ID |
4826 ++ IEEE1394_MATCH_VERSION,
4827 + .vendor_id = 0x00022e,
4828 + .specifier_id = 0x00022e,
4829 ++ .version = 0x800004,
4830 + },
4831 + {}
4832 + };
4833 +diff --git a/sound/pci/ca0106/ca0106_main.c b/sound/pci/ca0106/ca0106_main.c
4834 +index 478412e0aa3c7..7aedaeb7a1968 100644
4835 +--- a/sound/pci/ca0106/ca0106_main.c
4836 ++++ b/sound/pci/ca0106/ca0106_main.c
4837 +@@ -537,7 +537,8 @@ static int snd_ca0106_pcm_power_dac(struct snd_ca0106 *chip, int channel_id,
4838 + else
4839 + /* Power down */
4840 + chip->spi_dac_reg[reg] |= bit;
4841 +- return snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]);
4842 ++ if (snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]) != 0)
4843 ++ return -ENXIO;
4844 + }
4845 + return 0;
4846 + }
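Review bot: In `snd_ca0106_pcm_power_dac()` the cached value `chip->spi_dac_reg[reg]` is modified before `snd_ca0106_spi_write()` is called, so on the new `-ENXIO` path the cache no longer matches what the DAC holds. Build the new value in a local and store it in `chip->spi_dac_reg[reg]` only after the write succeeds, or restore the previous value before returning. The fixed `-ENXIO` also replaces whatever `snd_ca0106_spi_write()` reported; if that helper returns a negative errno, which is not visible here, propagating it would be more useful. The function begins outside the hunk.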
4847 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
4848 +index 3a456410937b5..7353d2ec359ae 100644
4849 +--- a/sound/pci/hda/hda_intel.c
4850 ++++ b/sound/pci/hda/hda_intel.c
4851 +@@ -2671,8 +2671,6 @@ static const struct pci_device_id azx_ids[] = {
4852 + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_HDMI },
4853 + /* Zhaoxin */
4854 + { PCI_DEVICE(0x1d17, 0x3288), .driver_data = AZX_DRIVER_ZHAOXIN },
4855 +- /* Loongson */
4856 +- { PCI_DEVICE(0x0014, 0x7a07), .driver_data = AZX_DRIVER_GENERIC },
4857 + { 0, }
4858 + };
4859 + MODULE_DEVICE_TABLE(pci, azx_ids);
4860 +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
4861 +index ec9460f3a288e..a13bad262598d 100644
4862 +--- a/sound/pci/hda/patch_hdmi.c
4863 ++++ b/sound/pci/hda/patch_hdmi.c
4864 +@@ -2798,6 +2798,7 @@ static void i915_pin_cvt_fixup(struct hda_codec *codec,
4865 + hda_nid_t cvt_nid)
4866 + {
4867 + if (per_pin) {
4868 ++ haswell_verify_D0(codec, per_pin->cvt_nid, per_pin->pin_nid);
4869 + snd_hda_set_dev_select(codec, per_pin->pin_nid,
4870 + per_pin->dev_id);
4871 + intel_verify_pin_cvt_connect(codec, per_pin);
4872 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
4873 +index d1b74c7cacd76..d614090dae49d 100644
4874 +--- a/sound/pci/hda/patch_realtek.c
4875 ++++ b/sound/pci/hda/patch_realtek.c
4876 +@@ -2466,6 +2466,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
4877 + SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950),
4878 + SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950),
4879 + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),
4880 ++ SND_PCI_QUIRK(0x1462, 0x9c37, "MSI X570-A PRO", ALC1220_FIXUP_CLEVO_P950),
4881 + SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS),
4882 + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3),
4883 + SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX),
4884 +@@ -5849,6 +5850,39 @@ static void alc275_fixup_gpio4_off(struct hda_codec *codec,
4885 + }
4886 + }
4887 +
4888 ++/* Quirk for Thinkpad X1 7th and 8th Gen
4889 ++ * The following fixed routing needed
4890 ++ * DAC1 (NID 0x02) -> Speaker (NID 0x14); some eq applied secretly
4891 ++ * DAC2 (NID 0x03) -> Bass (NID 0x17) & Headphone (NID 0x21); sharing a DAC
4892 ++ * DAC3 (NID 0x06) -> Unused, due to the lack of volume amp
4893 ++ */
4894 ++static void alc285_fixup_thinkpad_x1_gen7(struct hda_codec *codec,
4895 ++ const struct hda_fixup *fix, int action)
4896 ++{
4897 ++ static const hda_nid_t conn[] = { 0x02, 0x03 }; /* exclude 0x06 */
4898 ++ static const hda_nid_t preferred_pairs[] = {
4899 ++ 0x14, 0x02, 0x17, 0x03, 0x21, 0x03, 0
4900 ++ };
4901 ++ struct alc_spec *spec = codec->spec;
4902 ++
4903 ++ switch (action) {
4904 ++ case HDA_FIXUP_ACT_PRE_PROBE:
4905 ++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);
4906 ++ spec->gen.preferred_dacs = preferred_pairs;
4907 ++ break;
4908 ++ case HDA_FIXUP_ACT_BUILD:
4909 ++ /* The generic parser creates somewhat unintuitive volume ctls
4910 ++ * with the fixed routing above, and the shared DAC2 may be
4911 ++ * confusing for PA.
4912 ++ * Rename those to unique names so that PA doesn't touch them
4913 ++ * and use only Master volume.
4914 ++ */
4915 ++ rename_ctl(codec, "Front Playback Volume", "DAC1 Playback Volume");
4916 ++ rename_ctl(codec, "Bass Speaker Playback Volume", "DAC2 Playback Volume");
4917 ++ break;
4918 ++ }
4919 ++}
4920 ++
4921 + static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec,
4922 + const struct hda_fixup *fix,
4923 + int action)
4924 +@@ -6117,6 +6151,7 @@ enum {
4925 + ALC289_FIXUP_DUAL_SPK,
4926 + ALC294_FIXUP_SPK2_TO_DAC1,
4927 + ALC294_FIXUP_ASUS_DUAL_SPK,
4928 ++ ALC285_FIXUP_THINKPAD_X1_GEN7,
4929 + ALC285_FIXUP_THINKPAD_HEADSET_JACK,
4930 + ALC294_FIXUP_ASUS_HPE,
4931 + ALC294_FIXUP_ASUS_COEF_1B,
4932 +@@ -7262,11 +7297,17 @@ static const struct hda_fixup alc269_fixups[] = {
4933 + .chained = true,
4934 + .chain_id = ALC294_FIXUP_SPK2_TO_DAC1
4935 + },
4936 ++ [ALC285_FIXUP_THINKPAD_X1_GEN7] = {
4937 ++ .type = HDA_FIXUP_FUNC,
4938 ++ .v.func = alc285_fixup_thinkpad_x1_gen7,
4939 ++ .chained = true,
4940 ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI
4941 ++ },
4942 + [ALC285_FIXUP_THINKPAD_HEADSET_JACK] = {
4943 + .type = HDA_FIXUP_FUNC,
4944 + .v.func = alc_fixup_headset_jack,
4945 + .chained = true,
4946 +- .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1
4947 ++ .chain_id = ALC285_FIXUP_THINKPAD_X1_GEN7
4948 + },
4949 + [ALC294_FIXUP_ASUS_HPE] = {
4950 + .type = HDA_FIXUP_VERBS,
4951 +@@ -7677,7 +7718,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
4952 + SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
4953 + SND_PCI_QUIRK(0x144d, 0xc176, "Samsung Notebook 9 Pro (NP930MBE-K04US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
4954 + SND_PCI_QUIRK(0x144d, 0xc189, "Samsung Galaxy Flex Book (NT950QCG-X716)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
4955 +- SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
4956 ++ SND_PCI_QUIRK(0x144d, 0xc18a, "Samsung Galaxy Book Ion (NP930XCJ-K01US)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
4957 ++ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
4958 + SND_PCI_QUIRK(0x144d, 0xc740, "Samsung Ativ book 8 (NP870Z5G)", ALC269_FIXUP_ATIV_BOOK_8),
4959 + SND_PCI_QUIRK(0x144d, 0xc812, "Samsung Notebook Pen S (NT950SBE-X58)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
4960 + SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC),
4961 +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
4962 +index 7b41f97489788..878f1201aad6e 100644
4963 +--- a/sound/usb/pcm.c
4964 ++++ b/sound/usb/pcm.c
4965 +@@ -356,6 +356,7 @@ static int set_sync_ep_implicit_fb_quirk(struct snd_usb_substream *subs,
4966 + case USB_ID(0x07fd, 0x0008): /* MOTU M Series */
4967 + case USB_ID(0x31e9, 0x0001): /* Solid State Logic SSL2 */
4968 + case USB_ID(0x31e9, 0x0002): /* Solid State Logic SSL2+ */
4969 ++ case USB_ID(0x0499, 0x172f): /* Steinberg UR22C */
4970 + case USB_ID(0x0d9a, 0x00df): /* RTX6001 */
4971 + ep = 0x81;
4972 + ifnum = 2;
4973 +diff --git a/tools/include/uapi/linux/perf_event.h b/tools/include/uapi/linux/perf_event.h
4974 +index bb7b271397a66..fabe5aeaa351a 100644
4975 +--- a/tools/include/uapi/linux/perf_event.h
4976 ++++ b/tools/include/uapi/linux/perf_event.h
4977 +@@ -1131,7 +1131,7 @@ union perf_mem_data_src {
4978 +
4979 + #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */
4980 + /* 1 free */
4981 +-#define PERF_MEM_SNOOPX_SHIFT 37
4982 ++#define PERF_MEM_SNOOPX_SHIFT 38
4983 +
4984 + /* locked instruction */
4985 + #define PERF_MEM_LOCK_NA 0x01 /* not available */
4986 +diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
4987 +index 23332861de6e4..454e275cd5dff 100644
4988 +--- a/tools/perf/builtin-record.c
4989 ++++ b/tools/perf/builtin-record.c
4990 +@@ -2137,7 +2137,7 @@ static struct option __record_options[] = {
4991 + OPT_BOOLEAN(0, "tail-synthesize", &record.opts.tail_synthesize,
4992 + "synthesize non-sample events at the end of output"),
4993 + OPT_BOOLEAN(0, "overwrite", &record.opts.overwrite, "use overwrite mode"),
4994 +- OPT_BOOLEAN(0, "no-bpf-event", &record.opts.no_bpf_event, "record bpf events"),
4995 ++ OPT_BOOLEAN(0, "no-bpf-event", &record.opts.no_bpf_event, "do not record bpf events"),
4996 + OPT_BOOLEAN(0, "strict-freq", &record.opts.strict_freq,
4997 + "Fail if the specified frequency can't be used"),
4998 + OPT_CALLBACK('F', "freq", &record.opts, "freq or 'max'",
4999 +diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
5000 +index 99e3fd04a5cb3..d36ae65ae3330 100644
5001 +--- a/tools/perf/pmu-events/jevents.c
5002 ++++ b/tools/perf/pmu-events/jevents.c
5003 +@@ -137,7 +137,7 @@ static char *fixregex(char *s)
5004 + return s;
5005 +
5006 + /* allocate space for a new string */
5007 +- fixed = (char *) malloc(len + 1);
5008 ++ fixed = (char *) malloc(len + esc_count + 1);
5009 + if (!fixed)
5010 + return NULL;
5011 +
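Review bot: The corrected size `len + esc_count + 1` in `fixregex()` is only right if the copy loop writes exactly one extra byte per counted character, and nothing at the allocation says so. A comment such as `/* one extra byte per escaped character, plus the terminating NUL */` ties the size to the loop, which is outside this hunk. The `(char *)` cast on `malloc()` is unnecessary in C and can go: `fixed = malloc(len + esc_count + 1);`.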
5012 +diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
5013 +index c812f0178b643..1c4219ceced2f 100644
5014 +--- a/tools/testing/selftests/bpf/test_maps.c
5015 ++++ b/tools/testing/selftests/bpf/test_maps.c
5016 +@@ -1282,6 +1282,8 @@ static void __run_parallel(unsigned int tasks,
5017 + pid_t pid[tasks];
5018 + int i;
5019 +
5020 ++ fflush(stdout);
5021 ++
5022 + for (i = 0; i < tasks; i++) {
5023 + pid[i] = fork();
5024 + if (pid[i] == 0) {