Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.4 commit in: /
Date: Fri, 29 Jul 2022 15:29:53
Message-Id: 1659108576.e7156b6245475d4c9bb6eeeb88d03653df4da664.mpagano@gentoo
1 commit: e7156b6245475d4c9bb6eeeb88d03653df4da664
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Fri Jul 29 15:29:36 2022 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Fri Jul 29 15:29:36 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e7156b62
7
8 Linux patch 5.4.208
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1207_linux-5.4.208.patch | 4094 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 4098 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 50eda9b4..d4fe1a15 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -871,6 +871,10 @@ Patch: 1206_linux-5.4.207.patch
21 From: http://www.kernel.org
22 Desc: Linux 5.4.207
23
24 +Patch: 1207_linux-5.4.208.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 5.4.208
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1207_linux-5.4.208.patch b/1207_linux-5.4.208.patch
33 new file mode 100644
34 index 00000000..7b70b2ac
35 --- /dev/null
36 +++ b/1207_linux-5.4.208.patch
37 @@ -0,0 +1,4094 @@
38 +diff --git a/Makefile b/Makefile
39 +index 89d19f04faabf..884a3f314baf8 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 5
45 + PATCHLEVEL = 4
46 +-SUBLEVEL = 207
47 ++SUBLEVEL = 208
48 + EXTRAVERSION =
49 + NAME = Kleptomaniac Octopus
50 +
51 +diff --git a/arch/Kconfig b/arch/Kconfig
52 +index a8df66e645442..2219a07dca1ef 100644
53 +--- a/arch/Kconfig
54 ++++ b/arch/Kconfig
55 +@@ -915,27 +915,6 @@ config STRICT_MODULE_RWX
56 + config ARCH_HAS_PHYS_TO_DMA
57 + bool
58 +
59 +-config ARCH_HAS_REFCOUNT
60 +- bool
61 +- help
62 +- An architecture selects this when it has implemented refcount_t
63 +- using open coded assembly primitives that provide an optimized
64 +- refcount_t implementation, possibly at the expense of some full
65 +- refcount state checks of CONFIG_REFCOUNT_FULL=y.
66 +-
67 +- The refcount overflow check behavior, however, must be retained.
68 +- Catching overflows is the primary security concern for protecting
69 +- against bugs in reference counts.
70 +-
71 +-config REFCOUNT_FULL
72 +- bool "Perform full reference count validation at the expense of speed"
73 +- help
74 +- Enabling this switches the refcounting infrastructure from a fast
75 +- unchecked atomic_t implementation to a fully state checked
76 +- implementation, which can be (slightly) slower but provides protections
77 +- against various use-after-free conditions that can be used in
78 +- security flaw exploits.
79 +-
80 + config HAVE_ARCH_COMPILER_H
81 + bool
82 + help
83 +diff --git a/arch/alpha/kernel/srmcons.c b/arch/alpha/kernel/srmcons.c
84 +index 438b10c44d732..2b7a314b84522 100644
85 +--- a/arch/alpha/kernel/srmcons.c
86 ++++ b/arch/alpha/kernel/srmcons.c
87 +@@ -59,7 +59,7 @@ srmcons_do_receive_chars(struct tty_port *port)
88 + } while((result.bits.status & 1) && (++loops < 10));
89 +
90 + if (count)
91 +- tty_schedule_flip(port);
92 ++ tty_flip_buffer_push(port);
93 +
94 + return count;
95 + }
96 +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
97 +index a1622b9290fd5..a4364cce85f8d 100644
98 +--- a/arch/arm/Kconfig
99 ++++ b/arch/arm/Kconfig
100 +@@ -119,7 +119,6 @@ config ARM
101 + select OLD_SIGSUSPEND3
102 + select PCI_SYSCALL if PCI
103 + select PERF_USE_VMALLOC
104 +- select REFCOUNT_FULL
105 + select RTC_LIB
106 + select SYS_SUPPORTS_APM_EMULATION
107 + # Above selects are sorted alphabetically; please add new ones
108 +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
109 +index a1a828ca188cf..6b73143f0cf8c 100644
110 +--- a/arch/arm64/Kconfig
111 ++++ b/arch/arm64/Kconfig
112 +@@ -181,7 +181,6 @@ config ARM64
113 + select PCI_SYSCALL if PCI
114 + select POWER_RESET
115 + select POWER_SUPPLY
116 +- select REFCOUNT_FULL
117 + select SPARSE_IRQ
118 + select SWIOTLB
119 + select SYSCTL_EXCEPTION_TRACE
120 +diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
121 +index 7b579a003e30a..d1a9615391010 100644
122 +--- a/arch/riscv/Makefile
123 ++++ b/arch/riscv/Makefile
124 +@@ -74,6 +74,7 @@ ifeq ($(CONFIG_PERF_EVENTS),y)
125 + endif
126 +
127 + KBUILD_CFLAGS_MODULE += $(call cc-option,-mno-relax)
128 ++KBUILD_AFLAGS_MODULE += $(call as-option,-Wa$(comma)-mno-relax)
129 +
130 + # GCC versions that support the "-mstrict-align" option default to allowing
131 + # unaligned accesses. While unaligned accesses are explicitly allowed in the
132 +diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_defconfig
133 +index 38d64030aacf6..2e60c80395ab0 100644
134 +--- a/arch/s390/configs/debug_defconfig
135 ++++ b/arch/s390/configs/debug_defconfig
136 +@@ -62,7 +62,6 @@ CONFIG_OPROFILE=m
137 + CONFIG_KPROBES=y
138 + CONFIG_JUMP_LABEL=y
139 + CONFIG_STATIC_KEYS_SELFTEST=y
140 +-CONFIG_REFCOUNT_FULL=y
141 + CONFIG_LOCK_EVENT_COUNTS=y
142 + CONFIG_MODULES=y
143 + CONFIG_MODULE_FORCE_LOAD=y
144 +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
145 +index c6c71592f6e46..6002252692af4 100644
146 +--- a/arch/x86/Kconfig
147 ++++ b/arch/x86/Kconfig
148 +@@ -73,7 +73,6 @@ config X86
149 + select ARCH_HAS_PMEM_API if X86_64
150 + select ARCH_HAS_PTE_DEVMAP if X86_64
151 + select ARCH_HAS_PTE_SPECIAL
152 +- select ARCH_HAS_REFCOUNT
153 + select ARCH_HAS_UACCESS_FLUSHCACHE if X86_64
154 + select ARCH_HAS_UACCESS_MCSAFE if X86_64 && X86_MCE
155 + select ARCH_HAS_SET_MEMORY
156 +diff --git a/arch/x86/include/asm/asm.h b/arch/x86/include/asm/asm.h
157 +index 1b563f9167eae..cd339b88d5d46 100644
158 +--- a/arch/x86/include/asm/asm.h
159 ++++ b/arch/x86/include/asm/asm.h
160 +@@ -141,9 +141,6 @@
161 + # define _ASM_EXTABLE_EX(from, to) \
162 + _ASM_EXTABLE_HANDLE(from, to, ex_handler_ext)
163 +
164 +-# define _ASM_EXTABLE_REFCOUNT(from, to) \
165 +- _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount)
166 +-
167 + # define _ASM_NOKPROBE(entry) \
168 + .pushsection "_kprobe_blacklist","aw" ; \
169 + _ASM_ALIGN ; \
170 +@@ -172,9 +169,6 @@
171 + # define _ASM_EXTABLE_EX(from, to) \
172 + _ASM_EXTABLE_HANDLE(from, to, ex_handler_ext)
173 +
174 +-# define _ASM_EXTABLE_REFCOUNT(from, to) \
175 +- _ASM_EXTABLE_HANDLE(from, to, ex_handler_refcount)
176 +-
177 + /* For C file, we already have NOKPROBE_SYMBOL macro */
178 + #endif
179 +
180 +diff --git a/arch/x86/include/asm/refcount.h b/arch/x86/include/asm/refcount.h
181 +deleted file mode 100644
182 +index 232f856e0db06..0000000000000
183 +--- a/arch/x86/include/asm/refcount.h
184 ++++ /dev/null
185 +@@ -1,126 +0,0 @@
186 +-#ifndef __ASM_X86_REFCOUNT_H
187 +-#define __ASM_X86_REFCOUNT_H
188 +-/*
189 +- * x86-specific implementation of refcount_t. Based on PAX_REFCOUNT from
190 +- * PaX/grsecurity.
191 +- */
192 +-#include <linux/refcount.h>
193 +-#include <asm/bug.h>
194 +-
195 +-/*
196 +- * This is the first portion of the refcount error handling, which lives in
197 +- * .text.unlikely, and is jumped to from the CPU flag check (in the
198 +- * following macros). This saves the refcount value location into CX for
199 +- * the exception handler to use (in mm/extable.c), and then triggers the
200 +- * central refcount exception. The fixup address for the exception points
201 +- * back to the regular execution flow in .text.
202 +- */
203 +-#define _REFCOUNT_EXCEPTION \
204 +- ".pushsection .text..refcount\n" \
205 +- "111:\tlea %[var], %%" _ASM_CX "\n" \
206 +- "112:\t" ASM_UD2 "\n" \
207 +- ASM_UNREACHABLE \
208 +- ".popsection\n" \
209 +- "113:\n" \
210 +- _ASM_EXTABLE_REFCOUNT(112b, 113b)
211 +-
212 +-/* Trigger refcount exception if refcount result is negative. */
213 +-#define REFCOUNT_CHECK_LT_ZERO \
214 +- "js 111f\n\t" \
215 +- _REFCOUNT_EXCEPTION
216 +-
217 +-/* Trigger refcount exception if refcount result is zero or negative. */
218 +-#define REFCOUNT_CHECK_LE_ZERO \
219 +- "jz 111f\n\t" \
220 +- REFCOUNT_CHECK_LT_ZERO
221 +-
222 +-/* Trigger refcount exception unconditionally. */
223 +-#define REFCOUNT_ERROR \
224 +- "jmp 111f\n\t" \
225 +- _REFCOUNT_EXCEPTION
226 +-
227 +-static __always_inline void refcount_add(unsigned int i, refcount_t *r)
228 +-{
229 +- asm volatile(LOCK_PREFIX "addl %1,%0\n\t"
230 +- REFCOUNT_CHECK_LT_ZERO
231 +- : [var] "+m" (r->refs.counter)
232 +- : "ir" (i)
233 +- : "cc", "cx");
234 +-}
235 +-
236 +-static __always_inline void refcount_inc(refcount_t *r)
237 +-{
238 +- asm volatile(LOCK_PREFIX "incl %0\n\t"
239 +- REFCOUNT_CHECK_LT_ZERO
240 +- : [var] "+m" (r->refs.counter)
241 +- : : "cc", "cx");
242 +-}
243 +-
244 +-static __always_inline void refcount_dec(refcount_t *r)
245 +-{
246 +- asm volatile(LOCK_PREFIX "decl %0\n\t"
247 +- REFCOUNT_CHECK_LE_ZERO
248 +- : [var] "+m" (r->refs.counter)
249 +- : : "cc", "cx");
250 +-}
251 +-
252 +-static __always_inline __must_check
253 +-bool refcount_sub_and_test(unsigned int i, refcount_t *r)
254 +-{
255 +- bool ret = GEN_BINARY_SUFFIXED_RMWcc(LOCK_PREFIX "subl",
256 +- REFCOUNT_CHECK_LT_ZERO,
257 +- r->refs.counter, e, "er", i, "cx");
258 +-
259 +- if (ret) {
260 +- smp_acquire__after_ctrl_dep();
261 +- return true;
262 +- }
263 +-
264 +- return false;
265 +-}
266 +-
267 +-static __always_inline __must_check bool refcount_dec_and_test(refcount_t *r)
268 +-{
269 +- bool ret = GEN_UNARY_SUFFIXED_RMWcc(LOCK_PREFIX "decl",
270 +- REFCOUNT_CHECK_LT_ZERO,
271 +- r->refs.counter, e, "cx");
272 +-
273 +- if (ret) {
274 +- smp_acquire__after_ctrl_dep();
275 +- return true;
276 +- }
277 +-
278 +- return false;
279 +-}
280 +-
281 +-static __always_inline __must_check
282 +-bool refcount_add_not_zero(unsigned int i, refcount_t *r)
283 +-{
284 +- int c, result;
285 +-
286 +- c = atomic_read(&(r->refs));
287 +- do {
288 +- if (unlikely(c == 0))
289 +- return false;
290 +-
291 +- result = c + i;
292 +-
293 +- /* Did we try to increment from/to an undesirable state? */
294 +- if (unlikely(c < 0 || c == INT_MAX || result < c)) {
295 +- asm volatile(REFCOUNT_ERROR
296 +- : : [var] "m" (r->refs.counter)
297 +- : "cc", "cx");
298 +- break;
299 +- }
300 +-
301 +- } while (!atomic_try_cmpxchg(&(r->refs), &c, result));
302 +-
303 +- return c != 0;
304 +-}
305 +-
306 +-static __always_inline __must_check bool refcount_inc_not_zero(refcount_t *r)
307 +-{
308 +- return refcount_add_not_zero(1, r);
309 +-}
310 +-
311 +-#endif
312 +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
313 +index 61d93f062a36e..d6a0e57ecc073 100644
314 +--- a/arch/x86/include/asm/uaccess.h
315 ++++ b/arch/x86/include/asm/uaccess.h
316 +@@ -378,18 +378,6 @@ do { \
317 + : "=r" (err), ltype(x) \
318 + : "m" (__m(addr)), "i" (errret), "0" (err))
319 +
320 +-#define __get_user_asm_nozero(x, addr, err, itype, rtype, ltype, errret) \
321 +- asm volatile("\n" \
322 +- "1: mov"itype" %2,%"rtype"1\n" \
323 +- "2:\n" \
324 +- ".section .fixup,\"ax\"\n" \
325 +- "3: mov %3,%0\n" \
326 +- " jmp 2b\n" \
327 +- ".previous\n" \
328 +- _ASM_EXTABLE_UA(1b, 3b) \
329 +- : "=r" (err), ltype(x) \
330 +- : "m" (__m(addr)), "i" (errret), "0" (err))
331 +-
332 + /*
333 + * This doesn't do __uaccess_begin/end - the exception handling
334 + * around it must do that.
335 +@@ -453,6 +441,103 @@ __pu_label: \
336 + __builtin_expect(__gu_err, 0); \
337 + })
338 +
339 ++#ifdef CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT
340 ++#define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \
341 ++ bool success; \
342 ++ __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \
343 ++ __typeof__(*(_ptr)) __old = *_old; \
344 ++ __typeof__(*(_ptr)) __new = (_new); \
345 ++ asm_volatile_goto("\n" \
346 ++ "1: " LOCK_PREFIX "cmpxchg"itype" %[new], %[ptr]\n"\
347 ++ _ASM_EXTABLE_UA(1b, %l[label]) \
348 ++ : CC_OUT(z) (success), \
349 ++ [ptr] "+m" (*_ptr), \
350 ++ [old] "+a" (__old) \
351 ++ : [new] ltype (__new) \
352 ++ : "memory" \
353 ++ : label); \
354 ++ if (unlikely(!success)) \
355 ++ *_old = __old; \
356 ++ likely(success); })
357 ++
358 ++#ifdef CONFIG_X86_32
359 ++#define __try_cmpxchg64_user_asm(_ptr, _pold, _new, label) ({ \
360 ++ bool success; \
361 ++ __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \
362 ++ __typeof__(*(_ptr)) __old = *_old; \
363 ++ __typeof__(*(_ptr)) __new = (_new); \
364 ++ asm_volatile_goto("\n" \
365 ++ "1: " LOCK_PREFIX "cmpxchg8b %[ptr]\n" \
366 ++ _ASM_EXTABLE_UA(1b, %l[label]) \
367 ++ : CC_OUT(z) (success), \
368 ++ "+A" (__old), \
369 ++ [ptr] "+m" (*_ptr) \
370 ++ : "b" ((u32)__new), \
371 ++ "c" ((u32)((u64)__new >> 32)) \
372 ++ : "memory" \
373 ++ : label); \
374 ++ if (unlikely(!success)) \
375 ++ *_old = __old; \
376 ++ likely(success); })
377 ++#endif // CONFIG_X86_32
378 ++#else // !CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT
379 ++#define __try_cmpxchg_user_asm(itype, ltype, _ptr, _pold, _new, label) ({ \
380 ++ int __err = 0; \
381 ++ bool success; \
382 ++ __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \
383 ++ __typeof__(*(_ptr)) __old = *_old; \
384 ++ __typeof__(*(_ptr)) __new = (_new); \
385 ++ asm volatile("\n" \
386 ++ "1: " LOCK_PREFIX "cmpxchg"itype" %[new], %[ptr]\n"\
387 ++ CC_SET(z) \
388 ++ "2:\n" \
389 ++ _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, \
390 ++ %[errout]) \
391 ++ : CC_OUT(z) (success), \
392 ++ [errout] "+r" (__err), \
393 ++ [ptr] "+m" (*_ptr), \
394 ++ [old] "+a" (__old) \
395 ++ : [new] ltype (__new) \
396 ++ : "memory"); \
397 ++ if (unlikely(__err)) \
398 ++ goto label; \
399 ++ if (unlikely(!success)) \
400 ++ *_old = __old; \
401 ++ likely(success); })
402 ++
403 ++#ifdef CONFIG_X86_32
404 ++/*
405 ++ * Unlike the normal CMPXCHG, hardcode ECX for both success/fail and error.
406 ++ * There are only six GPRs available and four (EAX, EBX, ECX, and EDX) are
407 ++ * hardcoded by CMPXCHG8B, leaving only ESI and EDI. If the compiler uses
408 ++ * both ESI and EDI for the memory operand, compilation will fail if the error
409 ++ * is an input+output as there will be no register available for input.
410 ++ */
411 ++#define __try_cmpxchg64_user_asm(_ptr, _pold, _new, label) ({ \
412 ++ int __result; \
413 ++ __typeof__(_ptr) _old = (__typeof__(_ptr))(_pold); \
414 ++ __typeof__(*(_ptr)) __old = *_old; \
415 ++ __typeof__(*(_ptr)) __new = (_new); \
416 ++ asm volatile("\n" \
417 ++ "1: " LOCK_PREFIX "cmpxchg8b %[ptr]\n" \
418 ++ "mov $0, %%ecx\n\t" \
419 ++ "setz %%cl\n" \
420 ++ "2:\n" \
421 ++ _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, %%ecx) \
422 ++ : [result]"=c" (__result), \
423 ++ "+A" (__old), \
424 ++ [ptr] "+m" (*_ptr) \
425 ++ : "b" ((u32)__new), \
426 ++ "c" ((u32)((u64)__new >> 32)) \
427 ++ : "memory", "cc"); \
428 ++ if (unlikely(__result < 0)) \
429 ++ goto label; \
430 ++ if (unlikely(!__result)) \
431 ++ *_old = __old; \
432 ++ likely(__result); })
433 ++#endif // CONFIG_X86_32
434 ++#endif // CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT
435 ++
436 + /* FIXME: this hack is definitely wrong -AK */
437 + struct __large_struct { unsigned long buf[100]; };
438 + #define __m(x) (*(struct __large_struct __user *)(x))
439 +@@ -734,6 +819,51 @@ do { \
440 + if (unlikely(__gu_err)) goto err_label; \
441 + } while (0)
442 +
443 ++extern void __try_cmpxchg_user_wrong_size(void);
444 ++
445 ++#ifndef CONFIG_X86_32
446 ++#define __try_cmpxchg64_user_asm(_ptr, _oldp, _nval, _label) \
447 ++ __try_cmpxchg_user_asm("q", "r", (_ptr), (_oldp), (_nval), _label)
448 ++#endif
449 ++
450 ++/*
451 ++ * Force the pointer to u<size> to match the size expected by the asm helper.
452 ++ * clang/LLVM compiles all cases and only discards the unused paths after
453 ++ * processing errors, which breaks i386 if the pointer is an 8-byte value.
454 ++ */
455 ++#define unsafe_try_cmpxchg_user(_ptr, _oldp, _nval, _label) ({ \
456 ++ bool __ret; \
457 ++ __chk_user_ptr(_ptr); \
458 ++ switch (sizeof(*(_ptr))) { \
459 ++ case 1: __ret = __try_cmpxchg_user_asm("b", "q", \
460 ++ (__force u8 *)(_ptr), (_oldp), \
461 ++ (_nval), _label); \
462 ++ break; \
463 ++ case 2: __ret = __try_cmpxchg_user_asm("w", "r", \
464 ++ (__force u16 *)(_ptr), (_oldp), \
465 ++ (_nval), _label); \
466 ++ break; \
467 ++ case 4: __ret = __try_cmpxchg_user_asm("l", "r", \
468 ++ (__force u32 *)(_ptr), (_oldp), \
469 ++ (_nval), _label); \
470 ++ break; \
471 ++ case 8: __ret = __try_cmpxchg64_user_asm((__force u64 *)(_ptr), (_oldp),\
472 ++ (_nval), _label); \
473 ++ break; \
474 ++ default: __try_cmpxchg_user_wrong_size(); \
475 ++ } \
476 ++ __ret; })
477 ++
478 ++/* "Returns" 0 on success, 1 on failure, -EFAULT if the access faults. */
479 ++#define __try_cmpxchg_user(_ptr, _oldp, _nval, _label) ({ \
480 ++ int __ret = -EFAULT; \
481 ++ __uaccess_begin_nospec(); \
482 ++ __ret = !unsafe_try_cmpxchg_user(_ptr, _oldp, _nval, _label); \
483 ++_label: \
484 ++ __uaccess_end(); \
485 ++ __ret; \
486 ++ })
487 ++
488 + /*
489 + * We want the unsafe accessors to always be inlined and use
490 + * the error labels - thus the macro games.
491 +diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
492 +index ba2dc19306303..388a40660c7b5 100644
493 +--- a/arch/x86/include/asm/uaccess_32.h
494 ++++ b/arch/x86/include/asm/uaccess_32.h
495 +@@ -23,33 +23,6 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n)
496 + static __always_inline unsigned long
497 + raw_copy_from_user(void *to, const void __user *from, unsigned long n)
498 + {
499 +- if (__builtin_constant_p(n)) {
500 +- unsigned long ret;
501 +-
502 +- switch (n) {
503 +- case 1:
504 +- ret = 0;
505 +- __uaccess_begin_nospec();
506 +- __get_user_asm_nozero(*(u8 *)to, from, ret,
507 +- "b", "b", "=q", 1);
508 +- __uaccess_end();
509 +- return ret;
510 +- case 2:
511 +- ret = 0;
512 +- __uaccess_begin_nospec();
513 +- __get_user_asm_nozero(*(u16 *)to, from, ret,
514 +- "w", "w", "=r", 2);
515 +- __uaccess_end();
516 +- return ret;
517 +- case 4:
518 +- ret = 0;
519 +- __uaccess_begin_nospec();
520 +- __get_user_asm_nozero(*(u32 *)to, from, ret,
521 +- "l", "k", "=r", 4);
522 +- __uaccess_end();
523 +- return ret;
524 +- }
525 +- }
526 + return __copy_user_ll(to, (__force const void *)from, n);
527 + }
528 +
529 +diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
530 +index 5cd1caa8bc653..bc10e3dc64fed 100644
531 +--- a/arch/x86/include/asm/uaccess_64.h
532 ++++ b/arch/x86/include/asm/uaccess_64.h
533 +@@ -65,117 +65,13 @@ copy_to_user_mcsafe(void *to, const void *from, unsigned len)
534 + static __always_inline __must_check unsigned long
535 + raw_copy_from_user(void *dst, const void __user *src, unsigned long size)
536 + {
537 +- int ret = 0;
538 +-
539 +- if (!__builtin_constant_p(size))
540 +- return copy_user_generic(dst, (__force void *)src, size);
541 +- switch (size) {
542 +- case 1:
543 +- __uaccess_begin_nospec();
544 +- __get_user_asm_nozero(*(u8 *)dst, (u8 __user *)src,
545 +- ret, "b", "b", "=q", 1);
546 +- __uaccess_end();
547 +- return ret;
548 +- case 2:
549 +- __uaccess_begin_nospec();
550 +- __get_user_asm_nozero(*(u16 *)dst, (u16 __user *)src,
551 +- ret, "w", "w", "=r", 2);
552 +- __uaccess_end();
553 +- return ret;
554 +- case 4:
555 +- __uaccess_begin_nospec();
556 +- __get_user_asm_nozero(*(u32 *)dst, (u32 __user *)src,
557 +- ret, "l", "k", "=r", 4);
558 +- __uaccess_end();
559 +- return ret;
560 +- case 8:
561 +- __uaccess_begin_nospec();
562 +- __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
563 +- ret, "q", "", "=r", 8);
564 +- __uaccess_end();
565 +- return ret;
566 +- case 10:
567 +- __uaccess_begin_nospec();
568 +- __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
569 +- ret, "q", "", "=r", 10);
570 +- if (likely(!ret))
571 +- __get_user_asm_nozero(*(u16 *)(8 + (char *)dst),
572 +- (u16 __user *)(8 + (char __user *)src),
573 +- ret, "w", "w", "=r", 2);
574 +- __uaccess_end();
575 +- return ret;
576 +- case 16:
577 +- __uaccess_begin_nospec();
578 +- __get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
579 +- ret, "q", "", "=r", 16);
580 +- if (likely(!ret))
581 +- __get_user_asm_nozero(*(u64 *)(8 + (char *)dst),
582 +- (u64 __user *)(8 + (char __user *)src),
583 +- ret, "q", "", "=r", 8);
584 +- __uaccess_end();
585 +- return ret;
586 +- default:
587 +- return copy_user_generic(dst, (__force void *)src, size);
588 +- }
589 ++ return copy_user_generic(dst, (__force void *)src, size);
590 + }
591 +
592 + static __always_inline __must_check unsigned long
593 + raw_copy_to_user(void __user *dst, const void *src, unsigned long size)
594 + {
595 +- int ret = 0;
596 +-
597 +- if (!__builtin_constant_p(size))
598 +- return copy_user_generic((__force void *)dst, src, size);
599 +- switch (size) {
600 +- case 1:
601 +- __uaccess_begin();
602 +- __put_user_asm(*(u8 *)src, (u8 __user *)dst,
603 +- ret, "b", "b", "iq", 1);
604 +- __uaccess_end();
605 +- return ret;
606 +- case 2:
607 +- __uaccess_begin();
608 +- __put_user_asm(*(u16 *)src, (u16 __user *)dst,
609 +- ret, "w", "w", "ir", 2);
610 +- __uaccess_end();
611 +- return ret;
612 +- case 4:
613 +- __uaccess_begin();
614 +- __put_user_asm(*(u32 *)src, (u32 __user *)dst,
615 +- ret, "l", "k", "ir", 4);
616 +- __uaccess_end();
617 +- return ret;
618 +- case 8:
619 +- __uaccess_begin();
620 +- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
621 +- ret, "q", "", "er", 8);
622 +- __uaccess_end();
623 +- return ret;
624 +- case 10:
625 +- __uaccess_begin();
626 +- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
627 +- ret, "q", "", "er", 10);
628 +- if (likely(!ret)) {
629 +- asm("":::"memory");
630 +- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
631 +- ret, "w", "w", "ir", 2);
632 +- }
633 +- __uaccess_end();
634 +- return ret;
635 +- case 16:
636 +- __uaccess_begin();
637 +- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
638 +- ret, "q", "", "er", 16);
639 +- if (likely(!ret)) {
640 +- asm("":::"memory");
641 +- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
642 +- ret, "q", "", "er", 8);
643 +- }
644 +- __uaccess_end();
645 +- return ret;
646 +- default:
647 +- return copy_user_generic((__force void *)dst, src, size);
648 +- }
649 ++ return copy_user_generic((__force void *)dst, src, size);
650 + }
651 +
652 + static __always_inline __must_check
653 +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
654 +index 8a2b8e7913149..9b98a7d8ac604 100644
655 +--- a/arch/x86/kernel/cpu/mce/core.c
656 ++++ b/arch/x86/kernel/cpu/mce/core.c
657 +@@ -397,13 +397,16 @@ static int msr_to_offset(u32 msr)
658 + return -1;
659 + }
660 +
661 +-__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup,
662 +- struct pt_regs *regs, int trapnr,
663 +- unsigned long error_code,
664 +- unsigned long fault_addr)
665 ++static void ex_handler_msr_mce(struct pt_regs *regs, bool wrmsr)
666 + {
667 +- pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n",
668 +- (unsigned int)regs->cx, regs->ip, (void *)regs->ip);
669 ++ if (wrmsr) {
670 ++ pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n",
671 ++ (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax,
672 ++ regs->ip, (void *)regs->ip);
673 ++ } else {
674 ++ pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n",
675 ++ (unsigned int)regs->cx, regs->ip, (void *)regs->ip);
676 ++ }
677 +
678 + show_stack_regs(regs);
679 +
680 +@@ -411,7 +414,14 @@ __visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup,
681 +
682 + while (true)
683 + cpu_relax();
684 ++}
685 +
686 ++__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup,
687 ++ struct pt_regs *regs, int trapnr,
688 ++ unsigned long error_code,
689 ++ unsigned long fault_addr)
690 ++{
691 ++ ex_handler_msr_mce(regs, false);
692 + return true;
693 + }
694 +
695 +@@ -447,17 +457,7 @@ __visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup,
696 + unsigned long error_code,
697 + unsigned long fault_addr)
698 + {
699 +- pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n",
700 +- (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax,
701 +- regs->ip, (void *)regs->ip);
702 +-
703 +- show_stack_regs(regs);
704 +-
705 +- panic("MCA architectural violation!\n");
706 +-
707 +- while (true)
708 +- cpu_relax();
709 +-
710 ++ ex_handler_msr_mce(regs, true);
711 + return true;
712 + }
713 +
714 +diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
715 +index 4d75bc656f971..30bb0bd3b1b88 100644
716 +--- a/arch/x86/mm/extable.c
717 ++++ b/arch/x86/mm/extable.c
718 +@@ -44,55 +44,6 @@ __visible bool ex_handler_fault(const struct exception_table_entry *fixup,
719 + }
720 + EXPORT_SYMBOL_GPL(ex_handler_fault);
721 +
722 +-/*
723 +- * Handler for UD0 exception following a failed test against the
724 +- * result of a refcount inc/dec/add/sub.
725 +- */
726 +-__visible bool ex_handler_refcount(const struct exception_table_entry *fixup,
727 +- struct pt_regs *regs, int trapnr,
728 +- unsigned long error_code,
729 +- unsigned long fault_addr)
730 +-{
731 +- /* First unconditionally saturate the refcount. */
732 +- *(int *)regs->cx = INT_MIN / 2;
733 +-
734 +- /*
735 +- * Strictly speaking, this reports the fixup destination, not
736 +- * the fault location, and not the actually overflowing
737 +- * instruction, which is the instruction before the "js", but
738 +- * since that instruction could be a variety of lengths, just
739 +- * report the location after the overflow, which should be close
740 +- * enough for finding the overflow, as it's at least back in
741 +- * the function, having returned from .text.unlikely.
742 +- */
743 +- regs->ip = ex_fixup_addr(fixup);
744 +-
745 +- /*
746 +- * This function has been called because either a negative refcount
747 +- * value was seen by any of the refcount functions, or a zero
748 +- * refcount value was seen by refcount_dec().
749 +- *
750 +- * If we crossed from INT_MAX to INT_MIN, OF (Overflow Flag: result
751 +- * wrapped around) will be set. Additionally, seeing the refcount
752 +- * reach 0 will set ZF (Zero Flag: result was zero). In each of
753 +- * these cases we want a report, since it's a boundary condition.
754 +- * The SF case is not reported since it indicates post-boundary
755 +- * manipulations below zero or above INT_MAX. And if none of the
756 +- * flags are set, something has gone very wrong, so report it.
757 +- */
758 +- if (regs->flags & (X86_EFLAGS_OF | X86_EFLAGS_ZF)) {
759 +- bool zero = regs->flags & X86_EFLAGS_ZF;
760 +-
761 +- refcount_error_report(regs, zero ? "hit zero" : "overflow");
762 +- } else if ((regs->flags & X86_EFLAGS_SF) == 0) {
763 +- /* Report if none of OF, ZF, nor SF are set. */
764 +- refcount_error_report(regs, "unexpected saturation");
765 +- }
766 +-
767 +- return true;
768 +-}
769 +-EXPORT_SYMBOL(ex_handler_refcount);
770 +-
771 + /*
772 + * Handler for when we fail to restore a task's FPU state. We should never get
773 + * here because the FPU state of a task using the FPU (task->thread.fpu.state)
774 +diff --git a/drivers/crypto/chelsio/chtls/chtls_cm.c b/drivers/crypto/chelsio/chtls/chtls_cm.c
775 +index 82b76df43ae57..3b79bcd03e7bc 100644
776 +--- a/drivers/crypto/chelsio/chtls/chtls_cm.c
777 ++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c
778 +@@ -1103,8 +1103,8 @@ static struct sock *chtls_recv_sock(struct sock *lsk,
779 + csk->sndbuf = newsk->sk_sndbuf;
780 + csk->smac_idx = ((struct port_info *)netdev_priv(ndev))->smt_idx;
781 + RCV_WSCALE(tp) = select_rcv_wscale(tcp_full_space(newsk),
782 +- sock_net(newsk)->
783 +- ipv4.sysctl_tcp_window_scaling,
784 ++ READ_ONCE(sock_net(newsk)->
785 ++ ipv4.sysctl_tcp_window_scaling),
786 + tp->window_clamp);
787 + neigh_release(n);
788 + inet_inherit_port(&tcp_hashinfo, lsk, newsk);
789 +@@ -1235,7 +1235,7 @@ static void chtls_pass_accept_request(struct sock *sk,
790 + chtls_set_req_addr(oreq, iph->daddr, iph->saddr);
791 + ip_dsfield = ipv4_get_dsfield(iph);
792 + if (req->tcpopt.wsf <= 14 &&
793 +- sock_net(sk)->ipv4.sysctl_tcp_window_scaling) {
794 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling)) {
795 + inet_rsk(oreq)->wscale_ok = 1;
796 + inet_rsk(oreq)->snd_wscale = req->tcpopt.wsf;
797 + }
798 +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
799 +index 54da66d02b0e5..317f54f19477e 100644
800 +--- a/drivers/gpio/gpio-pca953x.c
801 ++++ b/drivers/gpio/gpio-pca953x.c
802 +@@ -379,6 +379,9 @@ static const struct regmap_config pca953x_i2c_regmap = {
803 + .reg_bits = 8,
804 + .val_bits = 8,
805 +
806 ++ .use_single_read = true,
807 ++ .use_single_write = true,
808 ++
809 + .readable_reg = pca953x_readable_register,
810 + .writeable_reg = pca953x_writeable_register,
811 + .volatile_reg = pca953x_volatile_register,
812 +diff --git a/drivers/gpu/drm/i915/Kconfig.debug b/drivers/gpu/drm/i915/Kconfig.debug
813 +index 41c8e39a73ba8..e4f03fcb125e4 100644
814 +--- a/drivers/gpu/drm/i915/Kconfig.debug
815 ++++ b/drivers/gpu/drm/i915/Kconfig.debug
816 +@@ -21,7 +21,6 @@ config DRM_I915_DEBUG
817 + depends on DRM_I915
818 + select DEBUG_FS
819 + select PREEMPT_COUNT
820 +- select REFCOUNT_FULL
821 + select I2C_CHARDEV
822 + select STACKDEPOT
823 + select DRM_DP_AUX_CHARDEV
824 +diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
825 +index 3a1bdc75275f4..8750e444f4492 100644
826 +--- a/drivers/i2c/busses/i2c-cadence.c
827 ++++ b/drivers/i2c/busses/i2c-cadence.c
828 +@@ -198,9 +198,9 @@ static inline bool cdns_is_holdquirk(struct cdns_i2c *id, bool hold_wrkaround)
829 + */
830 + static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
831 + {
832 +- unsigned int isr_status, avail_bytes, updatetx;
833 ++ unsigned int isr_status, avail_bytes;
834 + unsigned int bytes_to_send;
835 +- bool hold_quirk;
836 ++ bool updatetx;
837 + struct cdns_i2c *id = ptr;
838 + /* Signal completion only after everything is updated */
839 + int done_flag = 0;
840 +@@ -219,11 +219,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
841 + * Check if transfer size register needs to be updated again for a
842 + * large data receive operation.
843 + */
844 +- updatetx = 0;
845 +- if (id->recv_count > id->curr_recv_count)
846 +- updatetx = 1;
847 +-
848 +- hold_quirk = (id->quirks & CDNS_I2C_BROKEN_HOLD_BIT) && updatetx;
849 ++ updatetx = id->recv_count > id->curr_recv_count;
850 +
851 + /* When receiving, handle data interrupt and completion interrupt */
852 + if (id->p_recv_buf &&
853 +@@ -246,7 +242,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
854 + id->recv_count--;
855 + id->curr_recv_count--;
856 +
857 +- if (cdns_is_holdquirk(id, hold_quirk))
858 ++ if (cdns_is_holdquirk(id, updatetx))
859 + break;
860 + }
861 +
862 +@@ -257,7 +253,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
863 + * maintain transfer size non-zero while performing a large
864 + * receive operation.
865 + */
866 +- if (cdns_is_holdquirk(id, hold_quirk)) {
867 ++ if (cdns_is_holdquirk(id, updatetx)) {
868 + /* wait while fifo is full */
869 + while (cdns_i2c_readreg(CDNS_I2C_XFER_SIZE_OFFSET) !=
870 + (id->curr_recv_count - CDNS_I2C_FIFO_DEPTH))
871 +@@ -279,22 +275,6 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
872 + CDNS_I2C_XFER_SIZE_OFFSET);
873 + id->curr_recv_count = id->recv_count;
874 + }
875 +- } else if (id->recv_count && !hold_quirk &&
876 +- !id->curr_recv_count) {
877 +-
878 +- /* Set the slave address in address register*/
879 +- cdns_i2c_writereg(id->p_msg->addr & CDNS_I2C_ADDR_MASK,
880 +- CDNS_I2C_ADDR_OFFSET);
881 +-
882 +- if (id->recv_count > CDNS_I2C_TRANSFER_SIZE) {
883 +- cdns_i2c_writereg(CDNS_I2C_TRANSFER_SIZE,
884 +- CDNS_I2C_XFER_SIZE_OFFSET);
885 +- id->curr_recv_count = CDNS_I2C_TRANSFER_SIZE;
886 +- } else {
887 +- cdns_i2c_writereg(id->recv_count,
888 +- CDNS_I2C_XFER_SIZE_OFFSET);
889 +- id->curr_recv_count = id->recv_count;
890 +- }
891 + }
892 +
893 + /* Clear hold (if not repeated start) and signal completion */
894 +diff --git a/drivers/misc/lkdtm/refcount.c b/drivers/misc/lkdtm/refcount.c
895 +index 0a146b32da132..abf3b7c1f686c 100644
896 +--- a/drivers/misc/lkdtm/refcount.c
897 ++++ b/drivers/misc/lkdtm/refcount.c
898 +@@ -6,14 +6,6 @@
899 + #include "lkdtm.h"
900 + #include <linux/refcount.h>
901 +
902 +-#ifdef CONFIG_REFCOUNT_FULL
903 +-#define REFCOUNT_MAX (UINT_MAX - 1)
904 +-#define REFCOUNT_SATURATED UINT_MAX
905 +-#else
906 +-#define REFCOUNT_MAX INT_MAX
907 +-#define REFCOUNT_SATURATED (INT_MIN / 2)
908 +-#endif
909 +-
910 + static void overflow_check(refcount_t *ref)
911 + {
912 + switch (refcount_read(ref)) {
913 +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
914 +index 649c5c429bd7c..1288b5e3d2201 100644
915 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
916 ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
917 +@@ -2287,7 +2287,7 @@ err:
918 +
919 + /* Uses sync mcc */
920 + int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
921 +- u8 page_num, u8 *data)
922 ++ u8 page_num, u32 off, u32 len, u8 *data)
923 + {
924 + struct be_dma_mem cmd;
925 + struct be_mcc_wrb *wrb;
926 +@@ -2321,10 +2321,10 @@ int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
927 + req->port = cpu_to_le32(adapter->hba_port_num);
928 + req->page_num = cpu_to_le32(page_num);
929 + status = be_mcc_notify_wait(adapter);
930 +- if (!status) {
931 ++ if (!status && len > 0) {
932 + struct be_cmd_resp_port_type *resp = cmd.va;
933 +
934 +- memcpy(data, resp->page_data, PAGE_DATA_LEN);
935 ++ memcpy(data, resp->page_data + off, len);
936 + }
937 + err:
938 + mutex_unlock(&adapter->mcc_lock);
939 +@@ -2415,7 +2415,7 @@ int be_cmd_query_cable_type(struct be_adapter *adapter)
940 + int status;
941 +
942 + status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
943 +- page_data);
944 ++ 0, PAGE_DATA_LEN, page_data);
945 + if (!status) {
946 + switch (adapter->phy.interface_type) {
947 + case PHY_TYPE_QSFP:
948 +@@ -2440,7 +2440,7 @@ int be_cmd_query_sfp_info(struct be_adapter *adapter)
949 + int status;
950 +
951 + status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
952 +- page_data);
953 ++ 0, PAGE_DATA_LEN, page_data);
954 + if (!status) {
955 + strlcpy(adapter->phy.vendor_name, page_data +
956 + SFP_VENDOR_NAME_OFFSET, SFP_VENDOR_NAME_LEN - 1);
957 +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.h b/drivers/net/ethernet/emulex/benet/be_cmds.h
958 +index c30d6d6f0f3a0..9e17d6a7ab8cd 100644
959 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.h
960 ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.h
961 +@@ -2427,7 +2427,7 @@ int be_cmd_set_beacon_state(struct be_adapter *adapter, u8 port_num, u8 beacon,
962 + int be_cmd_get_beacon_state(struct be_adapter *adapter, u8 port_num,
963 + u32 *state);
964 + int be_cmd_read_port_transceiver_data(struct be_adapter *adapter,
965 +- u8 page_num, u8 *data);
966 ++ u8 page_num, u32 off, u32 len, u8 *data);
967 + int be_cmd_query_cable_type(struct be_adapter *adapter);
968 + int be_cmd_query_sfp_info(struct be_adapter *adapter);
969 + int lancer_cmd_read_object(struct be_adapter *adapter, struct be_dma_mem *cmd,
970 +diff --git a/drivers/net/ethernet/emulex/benet/be_ethtool.c b/drivers/net/ethernet/emulex/benet/be_ethtool.c
971 +index 5bb5abf995887..7cc1f41971c57 100644
972 +--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c
973 ++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c
974 +@@ -1339,7 +1339,7 @@ static int be_get_module_info(struct net_device *netdev,
975 + return -EOPNOTSUPP;
976 +
977 + status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
978 +- page_data);
979 ++ 0, PAGE_DATA_LEN, page_data);
980 + if (!status) {
981 + if (!page_data[SFP_PLUS_SFF_8472_COMP]) {
982 + modinfo->type = ETH_MODULE_SFF_8079;
983 +@@ -1357,25 +1357,32 @@ static int be_get_module_eeprom(struct net_device *netdev,
984 + {
985 + struct be_adapter *adapter = netdev_priv(netdev);
986 + int status;
987 ++ u32 begin, end;
988 +
989 + if (!check_privilege(adapter, MAX_PRIVILEGES))
990 + return -EOPNOTSUPP;
991 +
992 +- status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0,
993 +- data);
994 +- if (status)
995 +- goto err;
996 ++ begin = eeprom->offset;
997 ++ end = eeprom->offset + eeprom->len;
998 ++
999 ++ if (begin < PAGE_DATA_LEN) {
1000 ++ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A0, begin,
1001 ++ min_t(u32, end, PAGE_DATA_LEN) - begin,
1002 ++ data);
1003 ++ if (status)
1004 ++ goto err;
1005 ++
1006 ++ data += PAGE_DATA_LEN - begin;
1007 ++ begin = PAGE_DATA_LEN;
1008 ++ }
1009 +
1010 +- if (eeprom->offset + eeprom->len > PAGE_DATA_LEN) {
1011 +- status = be_cmd_read_port_transceiver_data(adapter,
1012 +- TR_PAGE_A2,
1013 +- data +
1014 +- PAGE_DATA_LEN);
1015 ++ if (end > PAGE_DATA_LEN) {
1016 ++ status = be_cmd_read_port_transceiver_data(adapter, TR_PAGE_A2,
1017 ++ begin - PAGE_DATA_LEN,
1018 ++ end - begin, data);
1019 + if (status)
1020 + goto err;
1021 + }
1022 +- if (eeprom->offset)
1023 +- memcpy(data, data + eeprom->offset, eeprom->len);
1024 + err:
1025 + return be_cmd_status(status);
1026 + }
1027 +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
1028 +index 05442bbc218cd..0610d344fdbf0 100644
1029 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
1030 ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
1031 +@@ -10068,7 +10068,7 @@ static int i40e_reset(struct i40e_pf *pf)
1032 + **/
1033 + static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
1034 + {
1035 +- int old_recovery_mode_bit = test_bit(__I40E_RECOVERY_MODE, pf->state);
1036 ++ const bool is_recovery_mode_reported = i40e_check_recovery_mode(pf);
1037 + struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
1038 + struct i40e_hw *hw = &pf->hw;
1039 + i40e_status ret;
1040 +@@ -10076,13 +10076,11 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
1041 + int v;
1042 +
1043 + if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) &&
1044 +- i40e_check_recovery_mode(pf)) {
1045 ++ is_recovery_mode_reported)
1046 + i40e_set_ethtool_ops(pf->vsi[pf->lan_vsi]->netdev);
1047 +- }
1048 +
1049 + if (test_bit(__I40E_DOWN, pf->state) &&
1050 +- !test_bit(__I40E_RECOVERY_MODE, pf->state) &&
1051 +- !old_recovery_mode_bit)
1052 ++ !test_bit(__I40E_RECOVERY_MODE, pf->state))
1053 + goto clear_recovery;
1054 + dev_dbg(&pf->pdev->dev, "Rebuilding internal switch\n");
1055 +
1056 +@@ -10109,13 +10107,12 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
1057 + * accordingly with regard to resources initialization
1058 + * and deinitialization
1059 + */
1060 +- if (test_bit(__I40E_RECOVERY_MODE, pf->state) ||
1061 +- old_recovery_mode_bit) {
1062 ++ if (test_bit(__I40E_RECOVERY_MODE, pf->state)) {
1063 + if (i40e_get_capabilities(pf,
1064 + i40e_aqc_opc_list_func_capabilities))
1065 + goto end_unlock;
1066 +
1067 +- if (test_bit(__I40E_RECOVERY_MODE, pf->state)) {
1068 ++ if (is_recovery_mode_reported) {
1069 + /* we're staying in recovery mode so we'll reinitialize
1070 + * misc vector here
1071 + */
1072 +diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
1073 +index 7a30d5d5ef53a..c6905d1b6182c 100644
1074 +--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
1075 ++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
1076 +@@ -1263,11 +1263,10 @@ static struct iavf_rx_buffer *iavf_get_rx_buffer(struct iavf_ring *rx_ring,
1077 + {
1078 + struct iavf_rx_buffer *rx_buffer;
1079 +
1080 +- if (!size)
1081 +- return NULL;
1082 +-
1083 + rx_buffer = &rx_ring->rx_bi[rx_ring->next_to_clean];
1084 + prefetchw(rx_buffer->page);
1085 ++ if (!size)
1086 ++ return rx_buffer;
1087 +
1088 + /* we are reusing so sync this buffer for CPU use */
1089 + dma_sync_single_range_for_cpu(rx_ring->dev,
1090 +diff --git a/drivers/net/ethernet/intel/igc/igc_regs.h b/drivers/net/ethernet/intel/igc/igc_regs.h
1091 +index 50d7c04dccf59..7bc7d7618fe1e 100644
1092 +--- a/drivers/net/ethernet/intel/igc/igc_regs.h
1093 ++++ b/drivers/net/ethernet/intel/igc/igc_regs.h
1094 +@@ -236,4 +236,6 @@ do { \
1095 +
1096 + #define array_rd32(reg, offset) (igc_rd32(hw, (reg) + ((offset) << 2)))
1097 +
1098 ++#define IGC_REMOVED(h) unlikely(!(h))
1099 ++
1100 + #endif
1101 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
1102 +index 39e73ad60352f..fa49ef2afde5f 100644
1103 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
1104 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
1105 +@@ -773,6 +773,7 @@ struct ixgbe_adapter {
1106 + #ifdef CONFIG_IXGBE_IPSEC
1107 + struct ixgbe_ipsec *ipsec;
1108 + #endif /* CONFIG_IXGBE_IPSEC */
1109 ++ spinlock_t vfs_lock;
1110 + };
1111 +
1112 + static inline u8 ixgbe_max_rss_indices(struct ixgbe_adapter *adapter)
1113 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
1114 +index 8a894e5d923f0..f8aa1a0b89c5d 100644
1115 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
1116 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
1117 +@@ -6396,6 +6396,9 @@ static int ixgbe_sw_init(struct ixgbe_adapter *adapter,
1118 + /* n-tuple support exists, always init our spinlock */
1119 + spin_lock_init(&adapter->fdir_perfect_lock);
1120 +
1121 ++ /* init spinlock to avoid concurrency of VF resources */
1122 ++ spin_lock_init(&adapter->vfs_lock);
1123 ++
1124 + #ifdef CONFIG_IXGBE_DCB
1125 + ixgbe_init_dcb(adapter);
1126 + #endif
1127 +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
1128 +index cf5c2b9465eba..0e73e3b1af19a 100644
1129 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
1130 ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
1131 +@@ -204,10 +204,13 @@ void ixgbe_enable_sriov(struct ixgbe_adapter *adapter, unsigned int max_vfs)
1132 + int ixgbe_disable_sriov(struct ixgbe_adapter *adapter)
1133 + {
1134 + unsigned int num_vfs = adapter->num_vfs, vf;
1135 ++ unsigned long flags;
1136 + int rss;
1137 +
1138 ++ spin_lock_irqsave(&adapter->vfs_lock, flags);
1139 + /* set num VFs to 0 to prevent access to vfinfo */
1140 + adapter->num_vfs = 0;
1141 ++ spin_unlock_irqrestore(&adapter->vfs_lock, flags);
1142 +
1143 + /* put the reference to all of the vf devices */
1144 + for (vf = 0; vf < num_vfs; ++vf) {
1145 +@@ -1305,8 +1308,10 @@ static void ixgbe_rcv_ack_from_vf(struct ixgbe_adapter *adapter, u32 vf)
1146 + void ixgbe_msg_task(struct ixgbe_adapter *adapter)
1147 + {
1148 + struct ixgbe_hw *hw = &adapter->hw;
1149 ++ unsigned long flags;
1150 + u32 vf;
1151 +
1152 ++ spin_lock_irqsave(&adapter->vfs_lock, flags);
1153 + for (vf = 0; vf < adapter->num_vfs; vf++) {
1154 + /* process any reset requests */
1155 + if (!ixgbe_check_for_rst(hw, vf))
1156 +@@ -1320,6 +1325,7 @@ void ixgbe_msg_task(struct ixgbe_adapter *adapter)
1157 + if (!ixgbe_check_for_ack(hw, vf))
1158 + ixgbe_rcv_ack_from_vf(adapter, vf);
1159 + }
1160 ++ spin_unlock_irqrestore(&adapter->vfs_lock, flags);
1161 + }
1162 +
1163 + void ixgbe_disable_tx_rx(struct ixgbe_adapter *adapter)
1164 +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
1165 +index 2f013fc716985..91214cce874b1 100644
1166 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
1167 ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
1168 +@@ -3871,7 +3871,7 @@ static bool mlxsw_sp_fi_is_gateway(const struct mlxsw_sp *mlxsw_sp,
1169 + {
1170 + const struct fib_nh *nh = fib_info_nh(fi, 0);
1171 +
1172 +- return nh->fib_nh_scope == RT_SCOPE_LINK ||
1173 ++ return nh->fib_nh_gw_family ||
1174 + mlxsw_sp_nexthop4_ipip_type(mlxsw_sp, nh, NULL);
1175 + }
1176 +
1177 +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
1178 +index 66e60c7e98504..c440b192ec715 100644
1179 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
1180 ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
1181 +@@ -215,6 +215,9 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan)
1182 + if (queue == 0 || queue == 4) {
1183 + value &= ~MTL_RXQ_DMA_Q04MDMACH_MASK;
1184 + value |= MTL_RXQ_DMA_Q04MDMACH(chan);
1185 ++ } else if (queue > 4) {
1186 ++ value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue - 4);
1187 ++ value |= MTL_RXQ_DMA_QXMDMACH(chan, queue - 4);
1188 + } else {
1189 + value &= ~MTL_RXQ_DMA_QXMDMACH_MASK(queue);
1190 + value |= MTL_RXQ_DMA_QXMDMACH(chan, queue);
1191 +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
1192 +index ea9c8361bf464..5ee3e457a79c7 100644
1193 +--- a/drivers/net/usb/ax88179_178a.c
1194 ++++ b/drivers/net/usb/ax88179_178a.c
1195 +@@ -1690,7 +1690,7 @@ static const struct driver_info ax88179_info = {
1196 + .link_reset = ax88179_link_reset,
1197 + .reset = ax88179_reset,
1198 + .stop = ax88179_stop,
1199 +- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
1200 ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
1201 + .rx_fixup = ax88179_rx_fixup,
1202 + .tx_fixup = ax88179_tx_fixup,
1203 + };
1204 +@@ -1703,7 +1703,7 @@ static const struct driver_info ax88178a_info = {
1205 + .link_reset = ax88179_link_reset,
1206 + .reset = ax88179_reset,
1207 + .stop = ax88179_stop,
1208 +- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
1209 ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
1210 + .rx_fixup = ax88179_rx_fixup,
1211 + .tx_fixup = ax88179_tx_fixup,
1212 + };
1213 +@@ -1716,7 +1716,7 @@ static const struct driver_info cypress_GX3_info = {
1214 + .link_reset = ax88179_link_reset,
1215 + .reset = ax88179_reset,
1216 + .stop = ax88179_stop,
1217 +- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
1218 ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
1219 + .rx_fixup = ax88179_rx_fixup,
1220 + .tx_fixup = ax88179_tx_fixup,
1221 + };
1222 +@@ -1729,7 +1729,7 @@ static const struct driver_info dlink_dub1312_info = {
1223 + .link_reset = ax88179_link_reset,
1224 + .reset = ax88179_reset,
1225 + .stop = ax88179_stop,
1226 +- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
1227 ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
1228 + .rx_fixup = ax88179_rx_fixup,
1229 + .tx_fixup = ax88179_tx_fixup,
1230 + };
1231 +@@ -1742,7 +1742,7 @@ static const struct driver_info sitecom_info = {
1232 + .link_reset = ax88179_link_reset,
1233 + .reset = ax88179_reset,
1234 + .stop = ax88179_stop,
1235 +- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
1236 ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
1237 + .rx_fixup = ax88179_rx_fixup,
1238 + .tx_fixup = ax88179_tx_fixup,
1239 + };
1240 +@@ -1755,7 +1755,7 @@ static const struct driver_info samsung_info = {
1241 + .link_reset = ax88179_link_reset,
1242 + .reset = ax88179_reset,
1243 + .stop = ax88179_stop,
1244 +- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
1245 ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
1246 + .rx_fixup = ax88179_rx_fixup,
1247 + .tx_fixup = ax88179_tx_fixup,
1248 + };
1249 +@@ -1768,7 +1768,7 @@ static const struct driver_info lenovo_info = {
1250 + .link_reset = ax88179_link_reset,
1251 + .reset = ax88179_reset,
1252 + .stop = ax88179_stop,
1253 +- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
1254 ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
1255 + .rx_fixup = ax88179_rx_fixup,
1256 + .tx_fixup = ax88179_tx_fixup,
1257 + };
1258 +@@ -1781,7 +1781,7 @@ static const struct driver_info belkin_info = {
1259 + .link_reset = ax88179_link_reset,
1260 + .reset = ax88179_reset,
1261 + .stop = ax88179_stop,
1262 +- .flags = FLAG_ETHER | FLAG_FRAMING_AX,
1263 ++ .flags = FLAG_ETHER | FLAG_FRAMING_AX | FLAG_SEND_ZLP,
1264 + .rx_fixup = ax88179_rx_fixup,
1265 + .tx_fixup = ax88179_tx_fixup,
1266 + };
1267 +diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
1268 +index 8c45d6c32c30e..3d48fa685aaae 100644
1269 +--- a/drivers/pci/controller/pci-hyperv.c
1270 ++++ b/drivers/pci/controller/pci-hyperv.c
1271 +@@ -1110,6 +1110,10 @@ static void hv_int_desc_free(struct hv_pci_dev *hpdev,
1272 + u8 buffer[sizeof(struct pci_delete_interrupt)];
1273 + } ctxt;
1274 +
1275 ++ if (!int_desc->vector_count) {
1276 ++ kfree(int_desc);
1277 ++ return;
1278 ++ }
1279 + memset(&ctxt, 0, sizeof(ctxt));
1280 + int_pkt = (struct pci_delete_interrupt *)&ctxt.pkt.message;
1281 + int_pkt->message_type.type =
1282 +@@ -1172,6 +1176,28 @@ static void hv_irq_mask(struct irq_data *data)
1283 + pci_msi_mask_irq(data);
1284 + }
1285 +
1286 ++static unsigned int hv_msi_get_int_vector(struct irq_data *data)
1287 ++{
1288 ++ struct irq_cfg *cfg = irqd_cfg(data);
1289 ++
1290 ++ return cfg->vector;
1291 ++}
1292 ++
1293 ++static int hv_msi_prepare(struct irq_domain *domain, struct device *dev,
1294 ++ int nvec, msi_alloc_info_t *info)
1295 ++{
1296 ++ int ret = pci_msi_prepare(domain, dev, nvec, info);
1297 ++
1298 ++ /*
1299 ++ * By using the interrupt remapper in the hypervisor IOMMU, contiguous
1300 ++ * CPU vectors is not needed for multi-MSI
1301 ++ */
1302 ++ if (info->type == X86_IRQ_ALLOC_TYPE_MSI)
1303 ++ info->flags &= ~X86_IRQ_ALLOC_CONTIGUOUS_VECTORS;
1304 ++
1305 ++ return ret;
1306 ++}
1307 ++
1308 + /**
1309 + * hv_irq_unmask() - "Unmask" the IRQ by setting its current
1310 + * affinity.
1311 +@@ -1187,6 +1213,7 @@ static void hv_irq_unmask(struct irq_data *data)
1312 + struct msi_desc *msi_desc = irq_data_get_msi_desc(data);
1313 + struct irq_cfg *cfg = irqd_cfg(data);
1314 + struct retarget_msi_interrupt *params;
1315 ++ struct tran_int_desc *int_desc;
1316 + struct hv_pcibus_device *hbus;
1317 + struct cpumask *dest;
1318 + cpumask_var_t tmp;
1319 +@@ -1201,6 +1228,7 @@ static void hv_irq_unmask(struct irq_data *data)
1320 + pdev = msi_desc_to_pci_dev(msi_desc);
1321 + pbus = pdev->bus;
1322 + hbus = container_of(pbus->sysdata, struct hv_pcibus_device, sysdata);
1323 ++ int_desc = data->chip_data;
1324 +
1325 + spin_lock_irqsave(&hbus->retarget_msi_interrupt_lock, flags);
1326 +
1327 +@@ -1208,8 +1236,8 @@ static void hv_irq_unmask(struct irq_data *data)
1328 + memset(params, 0, sizeof(*params));
1329 + params->partition_id = HV_PARTITION_ID_SELF;
1330 + params->int_entry.source = 1; /* MSI(-X) */
1331 +- params->int_entry.address = msi_desc->msg.address_lo;
1332 +- params->int_entry.data = msi_desc->msg.data;
1333 ++ params->int_entry.address = int_desc->address & 0xffffffff;
1334 ++ params->int_entry.data = int_desc->data;
1335 + params->device_id = (hbus->hdev->dev_instance.b[5] << 24) |
1336 + (hbus->hdev->dev_instance.b[4] << 16) |
1337 + (hbus->hdev->dev_instance.b[7] << 8) |
1338 +@@ -1296,12 +1324,12 @@ static void hv_pci_compose_compl(void *context, struct pci_response *resp,
1339 +
1340 + static u32 hv_compose_msi_req_v1(
1341 + struct pci_create_interrupt *int_pkt, struct cpumask *affinity,
1342 +- u32 slot, u8 vector)
1343 ++ u32 slot, u8 vector, u8 vector_count)
1344 + {
1345 + int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE;
1346 + int_pkt->wslot.slot = slot;
1347 + int_pkt->int_desc.vector = vector;
1348 +- int_pkt->int_desc.vector_count = 1;
1349 ++ int_pkt->int_desc.vector_count = vector_count;
1350 + int_pkt->int_desc.delivery_mode = dest_Fixed;
1351 +
1352 + /*
1353 +@@ -1315,14 +1343,14 @@ static u32 hv_compose_msi_req_v1(
1354 +
1355 + static u32 hv_compose_msi_req_v2(
1356 + struct pci_create_interrupt2 *int_pkt, struct cpumask *affinity,
1357 +- u32 slot, u8 vector)
1358 ++ u32 slot, u8 vector, u8 vector_count)
1359 + {
1360 + int cpu;
1361 +
1362 + int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE2;
1363 + int_pkt->wslot.slot = slot;
1364 + int_pkt->int_desc.vector = vector;
1365 +- int_pkt->int_desc.vector_count = 1;
1366 ++ int_pkt->int_desc.vector_count = vector_count;
1367 + int_pkt->int_desc.delivery_mode = dest_Fixed;
1368 +
1369 + /*
1370 +@@ -1350,7 +1378,6 @@ static u32 hv_compose_msi_req_v2(
1371 + */
1372 + static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
1373 + {
1374 +- struct irq_cfg *cfg = irqd_cfg(data);
1375 + struct hv_pcibus_device *hbus;
1376 + struct hv_pci_dev *hpdev;
1377 + struct pci_bus *pbus;
1378 +@@ -1359,6 +1386,8 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
1379 + unsigned long flags;
1380 + struct compose_comp_ctxt comp;
1381 + struct tran_int_desc *int_desc;
1382 ++ struct msi_desc *msi_desc;
1383 ++ u8 vector, vector_count;
1384 + struct {
1385 + struct pci_packet pci_pkt;
1386 + union {
1387 +@@ -1370,7 +1399,17 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
1388 + u32 size;
1389 + int ret;
1390 +
1391 +- pdev = msi_desc_to_pci_dev(irq_data_get_msi_desc(data));
1392 ++ /* Reuse the previous allocation */
1393 ++ if (data->chip_data) {
1394 ++ int_desc = data->chip_data;
1395 ++ msg->address_hi = int_desc->address >> 32;
1396 ++ msg->address_lo = int_desc->address & 0xffffffff;
1397 ++ msg->data = int_desc->data;
1398 ++ return;
1399 ++ }
1400 ++
1401 ++ msi_desc = irq_data_get_msi_desc(data);
1402 ++ pdev = msi_desc_to_pci_dev(msi_desc);
1403 + dest = irq_data_get_effective_affinity_mask(data);
1404 + pbus = pdev->bus;
1405 + hbus = container_of(pbus->sysdata, struct hv_pcibus_device, sysdata);
1406 +@@ -1378,17 +1417,40 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
1407 + if (!hpdev)
1408 + goto return_null_message;
1409 +
1410 +- /* Free any previous message that might have already been composed. */
1411 +- if (data->chip_data) {
1412 +- int_desc = data->chip_data;
1413 +- data->chip_data = NULL;
1414 +- hv_int_desc_free(hpdev, int_desc);
1415 +- }
1416 +-
1417 + int_desc = kzalloc(sizeof(*int_desc), GFP_ATOMIC);
1418 + if (!int_desc)
1419 + goto drop_reference;
1420 +
1421 ++ if (!msi_desc->msi_attrib.is_msix && msi_desc->nvec_used > 1) {
1422 ++ /*
1423 ++ * If this is not the first MSI of Multi MSI, we already have
1424 ++ * a mapping. Can exit early.
1425 ++ */
1426 ++ if (msi_desc->irq != data->irq) {
1427 ++ data->chip_data = int_desc;
1428 ++ int_desc->address = msi_desc->msg.address_lo |
1429 ++ (u64)msi_desc->msg.address_hi << 32;
1430 ++ int_desc->data = msi_desc->msg.data +
1431 ++ (data->irq - msi_desc->irq);
1432 ++ msg->address_hi = msi_desc->msg.address_hi;
1433 ++ msg->address_lo = msi_desc->msg.address_lo;
1434 ++ msg->data = int_desc->data;
1435 ++ put_pcichild(hpdev);
1436 ++ return;
1437 ++ }
1438 ++ /*
1439 ++ * The vector we select here is a dummy value. The correct
1440 ++ * value gets sent to the hypervisor in unmask(). This needs
1441 ++ * to be aligned with the count, and also not zero. Multi-msi
1442 ++ * is powers of 2 up to 32, so 32 will always work here.
1443 ++ */
1444 ++ vector = 32;
1445 ++ vector_count = msi_desc->nvec_used;
1446 ++ } else {
1447 ++ vector = hv_msi_get_int_vector(data);
1448 ++ vector_count = 1;
1449 ++ }
1450 ++
1451 + memset(&ctxt, 0, sizeof(ctxt));
1452 + init_completion(&comp.comp_pkt.host_event);
1453 + ctxt.pci_pkt.completion_func = hv_pci_compose_compl;
1454 +@@ -1399,14 +1461,16 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
1455 + size = hv_compose_msi_req_v1(&ctxt.int_pkts.v1,
1456 + dest,
1457 + hpdev->desc.win_slot.slot,
1458 +- cfg->vector);
1459 ++ vector,
1460 ++ vector_count);
1461 + break;
1462 +
1463 + case PCI_PROTOCOL_VERSION_1_2:
1464 + size = hv_compose_msi_req_v2(&ctxt.int_pkts.v2,
1465 + dest,
1466 + hpdev->desc.win_slot.slot,
1467 +- cfg->vector);
1468 ++ vector,
1469 ++ vector_count);
1470 + break;
1471 +
1472 + default:
1473 +@@ -1518,7 +1582,7 @@ static irq_hw_number_t hv_msi_domain_ops_get_hwirq(struct msi_domain_info *info,
1474 +
1475 + static struct msi_domain_ops hv_msi_ops = {
1476 + .get_hwirq = hv_msi_domain_ops_get_hwirq,
1477 +- .msi_prepare = pci_msi_prepare,
1478 ++ .msi_prepare = hv_msi_prepare,
1479 + .set_desc = pci_msi_set_desc,
1480 + .msi_free = hv_msi_free,
1481 + };
1482 +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
1483 +index f9abd4364fbaa..e8149ff1d401c 100644
1484 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
1485 ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
1486 +@@ -1215,15 +1215,17 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl,
1487 + bank->bank_ioport_nr = bank_ioport_nr;
1488 + spin_lock_init(&bank->lock);
1489 +
1490 +- /* create irq hierarchical domain */
1491 +- bank->fwnode = of_node_to_fwnode(np);
1492 ++ if (pctl->domain) {
1493 ++ /* create irq hierarchical domain */
1494 ++ bank->fwnode = of_node_to_fwnode(np);
1495 +
1496 +- bank->domain = irq_domain_create_hierarchy(pctl->domain, 0,
1497 +- STM32_GPIO_IRQ_LINE, bank->fwnode,
1498 +- &stm32_gpio_domain_ops, bank);
1499 ++ bank->domain = irq_domain_create_hierarchy(pctl->domain, 0, STM32_GPIO_IRQ_LINE,
1500 ++ bank->fwnode, &stm32_gpio_domain_ops,
1501 ++ bank);
1502 +
1503 +- if (!bank->domain)
1504 +- return -ENODEV;
1505 ++ if (!bank->domain)
1506 ++ return -ENODEV;
1507 ++ }
1508 +
1509 + err = gpiochip_add_data(&bank->gpio_chip, bank);
1510 + if (err) {
1511 +@@ -1393,6 +1395,8 @@ int stm32_pctl_probe(struct platform_device *pdev)
1512 + pctl->domain = stm32_pctrl_get_irq_domain(np);
1513 + if (IS_ERR(pctl->domain))
1514 + return PTR_ERR(pctl->domain);
1515 ++ if (!pctl->domain)
1516 ++ dev_warn(dev, "pinctrl without interrupt support\n");
1517 +
1518 + /* hwspinlock is optional */
1519 + hwlock_id = of_hwspin_lock_get_id(pdev->dev.of_node, 0);
1520 +diff --git a/drivers/power/reset/arm-versatile-reboot.c b/drivers/power/reset/arm-versatile-reboot.c
1521 +index 08d0a07b58ef2..c7624d7611a7e 100644
1522 +--- a/drivers/power/reset/arm-versatile-reboot.c
1523 ++++ b/drivers/power/reset/arm-versatile-reboot.c
1524 +@@ -146,6 +146,7 @@ static int __init versatile_reboot_probe(void)
1525 + versatile_reboot_type = (enum versatile_reboot)reboot_id->data;
1526 +
1527 + syscon_regmap = syscon_node_to_regmap(np);
1528 ++ of_node_put(np);
1529 + if (IS_ERR(syscon_regmap))
1530 + return PTR_ERR(syscon_regmap);
1531 +
1532 +diff --git a/drivers/s390/char/keyboard.h b/drivers/s390/char/keyboard.h
1533 +index c467589c7f452..c06d399b9b1f1 100644
1534 +--- a/drivers/s390/char/keyboard.h
1535 ++++ b/drivers/s390/char/keyboard.h
1536 +@@ -56,7 +56,7 @@ static inline void
1537 + kbd_put_queue(struct tty_port *port, int ch)
1538 + {
1539 + tty_insert_flip_char(port, ch, 0);
1540 +- tty_schedule_flip(port);
1541 ++ tty_flip_buffer_push(port);
1542 + }
1543 +
1544 + static inline void
1545 +@@ -64,5 +64,5 @@ kbd_puts_queue(struct tty_port *port, char *cp)
1546 + {
1547 + while (*cp)
1548 + tty_insert_flip_char(port, *cp++, 0);
1549 +- tty_schedule_flip(port);
1550 ++ tty_flip_buffer_push(port);
1551 + }
1552 +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
1553 +index c86c3ac6097dd..b1003876cb350 100644
1554 +--- a/drivers/spi/spi-bcm2835.c
1555 ++++ b/drivers/spi/spi-bcm2835.c
1556 +@@ -1159,10 +1159,14 @@ static void bcm2835_spi_handle_err(struct spi_controller *ctlr,
1557 + struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr);
1558 +
1559 + /* if an error occurred and we have an active dma, then terminate */
1560 +- dmaengine_terminate_sync(ctlr->dma_tx);
1561 +- bs->tx_dma_active = false;
1562 +- dmaengine_terminate_sync(ctlr->dma_rx);
1563 +- bs->rx_dma_active = false;
1564 ++ if (ctlr->dma_tx) {
1565 ++ dmaengine_terminate_sync(ctlr->dma_tx);
1566 ++ bs->tx_dma_active = false;
1567 ++ }
1568 ++ if (ctlr->dma_rx) {
1569 ++ dmaengine_terminate_sync(ctlr->dma_rx);
1570 ++ bs->rx_dma_active = false;
1571 ++ }
1572 + bcm2835_spi_undo_prologue(bs);
1573 +
1574 + /* and reset */
1575 +diff --git a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
1576 +index 0ba4e4e070a9f..7cfbdfb10e23e 100644
1577 +--- a/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
1578 ++++ b/drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c
1579 +@@ -267,6 +267,8 @@ static int rt2880_pinmux_pins(struct rt2880_priv *p)
1580 + p->func[i]->pin_count,
1581 + sizeof(int),
1582 + GFP_KERNEL);
1583 ++ if (!p->func[i]->pins)
1584 ++ return -ENOMEM;
1585 + for (j = 0; j < p->func[i]->pin_count; j++)
1586 + p->func[i]->pins[j] = p->func[i]->pin_first + j;
1587 +
1588 +diff --git a/drivers/staging/speakup/spk_ttyio.c b/drivers/staging/speakup/spk_ttyio.c
1589 +index 472804c3f44dc..aec8222361743 100644
1590 +--- a/drivers/staging/speakup/spk_ttyio.c
1591 ++++ b/drivers/staging/speakup/spk_ttyio.c
1592 +@@ -88,7 +88,7 @@ static int spk_ttyio_receive_buf2(struct tty_struct *tty,
1593 + }
1594 +
1595 + if (!ldisc_data->buf_free)
1596 +- /* ttyio_in will tty_schedule_flip */
1597 ++ /* ttyio_in will tty_flip_buffer_push */
1598 + return 0;
1599 +
1600 + /* Make sure the consumer has read buf before we have seen
1601 +@@ -325,7 +325,7 @@ static unsigned char ttyio_in(int timeout)
1602 + mb();
1603 + ldisc_data->buf_free = true;
1604 + /* Let TTY push more characters */
1605 +- tty_schedule_flip(speakup_tty->port);
1606 ++ tty_flip_buffer_push(speakup_tty->port);
1607 +
1608 + return rv;
1609 + }
1610 +diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c
1611 +index 4562c8060d09e..26581d2456c8f 100644
1612 +--- a/drivers/tty/cyclades.c
1613 ++++ b/drivers/tty/cyclades.c
1614 +@@ -556,7 +556,7 @@ static void cyy_chip_rx(struct cyclades_card *cinfo, int chip,
1615 + }
1616 + info->idle_stats.recv_idle = jiffies;
1617 + }
1618 +- tty_schedule_flip(port);
1619 ++ tty_flip_buffer_push(port);
1620 +
1621 + /* end of service */
1622 + cyy_writeb(info, CyRIR, save_xir & 0x3f);
1623 +@@ -996,7 +996,7 @@ static void cyz_handle_rx(struct cyclades_port *info)
1624 + mod_timer(&info->rx_full_timer, jiffies + 1);
1625 + #endif
1626 + info->idle_stats.recv_idle = jiffies;
1627 +- tty_schedule_flip(&info->port);
1628 ++ tty_flip_buffer_push(&info->port);
1629 +
1630 + /* Update rx_get */
1631 + cy_writel(&buf_ctrl->rx_get, new_rx_get);
1632 +@@ -1172,7 +1172,7 @@ static void cyz_handle_cmd(struct cyclades_card *cinfo)
1633 + if (delta_count)
1634 + wake_up_interruptible(&info->port.delta_msr_wait);
1635 + if (special_count)
1636 +- tty_schedule_flip(&info->port);
1637 ++ tty_flip_buffer_push(&info->port);
1638 + }
1639 + }
1640 +
1641 +diff --git a/drivers/tty/goldfish.c b/drivers/tty/goldfish.c
1642 +index 9180ca5e4dcd4..d6e82eb61fc2d 100644
1643 +--- a/drivers/tty/goldfish.c
1644 ++++ b/drivers/tty/goldfish.c
1645 +@@ -151,7 +151,7 @@ static irqreturn_t goldfish_tty_interrupt(int irq, void *dev_id)
1646 + address = (unsigned long)(void *)buf;
1647 + goldfish_tty_rw(qtty, address, count, 0);
1648 +
1649 +- tty_schedule_flip(&qtty->port);
1650 ++ tty_flip_buffer_push(&qtty->port);
1651 + return IRQ_HANDLED;
1652 + }
1653 +
1654 +diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c
1655 +index 1254b39074edb..e67a1aef1fd0d 100644
1656 +--- a/drivers/tty/moxa.c
1657 ++++ b/drivers/tty/moxa.c
1658 +@@ -1385,7 +1385,7 @@ static int moxa_poll_port(struct moxa_port *p, unsigned int handle,
1659 + if (inited && !tty_throttled(tty) &&
1660 + MoxaPortRxQueue(p) > 0) { /* RX */
1661 + MoxaPortReadData(p);
1662 +- tty_schedule_flip(&p->port);
1663 ++ tty_flip_buffer_push(&p->port);
1664 + }
1665 + } else {
1666 + clear_bit(EMPTYWAIT, &p->statusflags);
1667 +@@ -1410,7 +1410,7 @@ static int moxa_poll_port(struct moxa_port *p, unsigned int handle,
1668 +
1669 + if (tty && (intr & IntrBreak) && !I_IGNBRK(tty)) { /* BREAK */
1670 + tty_insert_flip_char(&p->port, 0, TTY_BREAK);
1671 +- tty_schedule_flip(&p->port);
1672 ++ tty_flip_buffer_push(&p->port);
1673 + }
1674 +
1675 + if (intr & IntrLine)
1676 +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
1677 +index c6a1d8c4e6894..73226e482e919 100644
1678 +--- a/drivers/tty/pty.c
1679 ++++ b/drivers/tty/pty.c
1680 +@@ -111,21 +111,11 @@ static void pty_unthrottle(struct tty_struct *tty)
1681 + static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
1682 + {
1683 + struct tty_struct *to = tty->link;
1684 +- unsigned long flags;
1685 +
1686 +- if (tty->stopped)
1687 ++ if (tty->stopped || !c)
1688 + return 0;
1689 +
1690 +- if (c > 0) {
1691 +- spin_lock_irqsave(&to->port->lock, flags);
1692 +- /* Stuff the data into the input queue of the other end */
1693 +- c = tty_insert_flip_string(to->port, buf, c);
1694 +- spin_unlock_irqrestore(&to->port->lock, flags);
1695 +- /* And shovel */
1696 +- if (c)
1697 +- tty_flip_buffer_push(to->port);
1698 +- }
1699 +- return c;
1700 ++ return tty_insert_flip_string_and_push_buffer(to->port, buf, c);
1701 + }
1702 +
1703 + /**
1704 +diff --git a/drivers/tty/serial/lpc32xx_hs.c b/drivers/tty/serial/lpc32xx_hs.c
1705 +index 9a836dcac157c..a03618f89c0dd 100644
1706 +--- a/drivers/tty/serial/lpc32xx_hs.c
1707 ++++ b/drivers/tty/serial/lpc32xx_hs.c
1708 +@@ -345,7 +345,7 @@ static irqreturn_t serial_lpc32xx_interrupt(int irq, void *dev_id)
1709 + LPC32XX_HSUART_IIR(port->membase));
1710 + port->icount.overrun++;
1711 + tty_insert_flip_char(tport, 0, TTY_OVERRUN);
1712 +- tty_schedule_flip(tport);
1713 ++ tty_flip_buffer_push(tport);
1714 + }
1715 +
1716 + /* Data received? */
1717 +diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c
1718 +index 13db15118cb94..2ce0d05be3681 100644
1719 +--- a/drivers/tty/serial/mvebu-uart.c
1720 ++++ b/drivers/tty/serial/mvebu-uart.c
1721 +@@ -443,13 +443,13 @@ static void mvebu_uart_shutdown(struct uart_port *port)
1722 + }
1723 + }
1724 +
1725 +-static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud)
1726 ++static unsigned int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud)
1727 + {
1728 + unsigned int d_divisor, m_divisor;
1729 + u32 brdv, osamp;
1730 +
1731 + if (!port->uartclk)
1732 +- return -EOPNOTSUPP;
1733 ++ return 0;
1734 +
1735 + /*
1736 + * The baudrate is derived from the UART clock thanks to two divisors:
1737 +@@ -473,7 +473,7 @@ static int mvebu_uart_baud_rate_set(struct uart_port *port, unsigned int baud)
1738 + osamp &= ~OSAMP_DIVISORS_MASK;
1739 + writel(osamp, port->membase + UART_OSAMP);
1740 +
1741 +- return 0;
1742 ++ return DIV_ROUND_CLOSEST(port->uartclk, d_divisor * m_divisor);
1743 + }
1744 +
1745 + static void mvebu_uart_set_termios(struct uart_port *port,
1746 +@@ -510,15 +510,11 @@ static void mvebu_uart_set_termios(struct uart_port *port,
1747 + max_baud = 230400;
1748 +
1749 + baud = uart_get_baud_rate(port, termios, old, min_baud, max_baud);
1750 +- if (mvebu_uart_baud_rate_set(port, baud)) {
1751 +- /* No clock available, baudrate cannot be changed */
1752 +- if (old)
1753 +- baud = uart_get_baud_rate(port, old, NULL,
1754 +- min_baud, max_baud);
1755 +- } else {
1756 +- tty_termios_encode_baud_rate(termios, baud, baud);
1757 +- uart_update_timeout(port, termios->c_cflag, baud);
1758 +- }
1759 ++ baud = mvebu_uart_baud_rate_set(port, baud);
1760 ++
1761 ++ /* In case baudrate cannot be changed, report previous old value */
1762 ++ if (baud == 0 && old)
1763 ++ baud = tty_termios_baud_rate(old);
1764 +
1765 + /* Only the following flag changes are supported */
1766 + if (old) {
1767 +@@ -529,6 +525,11 @@ static void mvebu_uart_set_termios(struct uart_port *port,
1768 + termios->c_cflag |= CS8;
1769 + }
1770 +
1771 ++ if (baud != 0) {
1772 ++ tty_termios_encode_baud_rate(termios, baud, baud);
1773 ++ uart_update_timeout(port, termios->c_cflag, baud);
1774 ++ }
1775 ++
1776 + spin_unlock_irqrestore(&port->lock, flags);
1777 + }
1778 +
1779 +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
1780 +index 47f2370ad85cb..49f39c041c351 100644
1781 +--- a/drivers/tty/tty_buffer.c
1782 ++++ b/drivers/tty/tty_buffer.c
1783 +@@ -394,27 +394,6 @@ int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag)
1784 + }
1785 + EXPORT_SYMBOL(__tty_insert_flip_char);
1786 +
1787 +-/**
1788 +- * tty_schedule_flip - push characters to ldisc
1789 +- * @port: tty port to push from
1790 +- *
1791 +- * Takes any pending buffers and transfers their ownership to the
1792 +- * ldisc side of the queue. It then schedules those characters for
1793 +- * processing by the line discipline.
1794 +- */
1795 +-
1796 +-void tty_schedule_flip(struct tty_port *port)
1797 +-{
1798 +- struct tty_bufhead *buf = &port->buf;
1799 +-
1800 +- /* paired w/ acquire in flush_to_ldisc(); ensures
1801 +- * flush_to_ldisc() sees buffer data.
1802 +- */
1803 +- smp_store_release(&buf->tail->commit, buf->tail->used);
1804 +- queue_work(system_unbound_wq, &buf->work);
1805 +-}
1806 +-EXPORT_SYMBOL(tty_schedule_flip);
1807 +-
1808 + /**
1809 + * tty_prepare_flip_string - make room for characters
1810 + * @port: tty port
1811 +@@ -544,6 +523,15 @@ static void flush_to_ldisc(struct work_struct *work)
1812 +
1813 + }
1814 +
1815 ++static inline void tty_flip_buffer_commit(struct tty_buffer *tail)
1816 ++{
1817 ++ /*
1818 ++ * Paired w/ acquire in flush_to_ldisc(); ensures flush_to_ldisc() sees
1819 ++ * buffer data.
1820 ++ */
1821 ++ smp_store_release(&tail->commit, tail->used);
1822 ++}
1823 ++
1824 + /**
1825 + * tty_flip_buffer_push - terminal
1826 + * @port: tty port to push
1827 +@@ -557,10 +545,44 @@ static void flush_to_ldisc(struct work_struct *work)
1828 +
1829 + void tty_flip_buffer_push(struct tty_port *port)
1830 + {
1831 +- tty_schedule_flip(port);
1832 ++ struct tty_bufhead *buf = &port->buf;
1833 ++
1834 ++ tty_flip_buffer_commit(buf->tail);
1835 ++ queue_work(system_unbound_wq, &buf->work);
1836 + }
1837 + EXPORT_SYMBOL(tty_flip_buffer_push);
1838 +
1839 ++/**
1840 ++ * tty_insert_flip_string_and_push_buffer - add characters to the tty buffer and
1841 ++ * push
1842 ++ * @port: tty port
1843 ++ * @chars: characters
1844 ++ * @size: size
1845 ++ *
1846 ++ * The function combines tty_insert_flip_string() and tty_flip_buffer_push()
1847 ++ * with the exception of properly holding the @port->lock.
1848 ++ *
1849 ++ * To be used only internally (by pty currently).
1850 ++ *
1851 ++ * Returns: the number added.
1852 ++ */
1853 ++int tty_insert_flip_string_and_push_buffer(struct tty_port *port,
1854 ++ const unsigned char *chars, size_t size)
1855 ++{
1856 ++ struct tty_bufhead *buf = &port->buf;
1857 ++ unsigned long flags;
1858 ++
1859 ++ spin_lock_irqsave(&port->lock, flags);
1860 ++ size = tty_insert_flip_string(port, chars, size);
1861 ++ if (size)
1862 ++ tty_flip_buffer_commit(buf->tail);
1863 ++ spin_unlock_irqrestore(&port->lock, flags);
1864 ++
1865 ++ queue_work(system_unbound_wq, &buf->work);
1866 ++
1867 ++ return size;
1868 ++}
1869 ++
1870 + /**
1871 + * tty_buffer_init - prepare a tty buffer structure
1872 + * @tty: tty to initialise
1873 +diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
1874 +index b6e78fdbfdff9..68643f61f6f90 100644
1875 +--- a/drivers/tty/vt/keyboard.c
1876 ++++ b/drivers/tty/vt/keyboard.c
1877 +@@ -310,7 +310,7 @@ int kbd_rate(struct kbd_repeat *rpt)
1878 + static void put_queue(struct vc_data *vc, int ch)
1879 + {
1880 + tty_insert_flip_char(&vc->port, ch, 0);
1881 +- tty_schedule_flip(&vc->port);
1882 ++ tty_flip_buffer_push(&vc->port);
1883 + }
1884 +
1885 + static void puts_queue(struct vc_data *vc, char *cp)
1886 +@@ -319,7 +319,7 @@ static void puts_queue(struct vc_data *vc, char *cp)
1887 + tty_insert_flip_char(&vc->port, *cp, 0);
1888 + cp++;
1889 + }
1890 +- tty_schedule_flip(&vc->port);
1891 ++ tty_flip_buffer_push(&vc->port);
1892 + }
1893 +
1894 + static void applkey(struct vc_data *vc, int key, char mode)
1895 +@@ -564,7 +564,7 @@ static void fn_inc_console(struct vc_data *vc)
1896 + static void fn_send_intr(struct vc_data *vc)
1897 + {
1898 + tty_insert_flip_char(&vc->port, 0, TTY_BREAK);
1899 +- tty_schedule_flip(&vc->port);
1900 ++ tty_flip_buffer_push(&vc->port);
1901 + }
1902 +
1903 + static void fn_scroll_forw(struct vc_data *vc)
1904 +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
1905 +index c3df1660cb5c5..9d9e056f94ac8 100644
1906 +--- a/drivers/tty/vt/vt.c
1907 ++++ b/drivers/tty/vt/vt.c
1908 +@@ -1837,7 +1837,7 @@ static void respond_string(const char *p, struct tty_port *port)
1909 + tty_insert_flip_char(port, *p, 0);
1910 + p++;
1911 + }
1912 +- tty_schedule_flip(port);
1913 ++ tty_flip_buffer_push(port);
1914 + }
1915 +
1916 + static void cursor_report(struct vc_data *vc, struct tty_struct *tty)
1917 +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
1918 +index f464793477650..bba849e5d8a7b 100644
1919 +--- a/drivers/xen/gntdev.c
1920 ++++ b/drivers/xen/gntdev.c
1921 +@@ -413,7 +413,8 @@ static void __unmap_grant_pages_done(int result,
1922 + unsigned int offset = data->unmap_ops - map->unmap_ops;
1923 +
1924 + for (i = 0; i < data->count; i++) {
1925 +- WARN_ON(map->unmap_ops[offset+i].status);
1926 ++ WARN_ON(map->unmap_ops[offset+i].status &&
1927 ++ map->unmap_ops[offset+i].handle != -1);
1928 + pr_debug("unmap handle=%d st=%d\n",
1929 + map->unmap_ops[offset+i].handle,
1930 + map->unmap_ops[offset+i].status);
1931 +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
1932 +index 4ae8becdb51db..9165bf56c6e8e 100644
1933 +--- a/fs/dlm/lock.c
1934 ++++ b/fs/dlm/lock.c
1935 +@@ -4067,13 +4067,14 @@ static void send_repeat_remove(struct dlm_ls *ls, char *ms_name, int len)
1936 + rv = _create_message(ls, sizeof(struct dlm_message) + len,
1937 + dir_nodeid, DLM_MSG_REMOVE, &ms, &mh);
1938 + if (rv)
1939 +- return;
1940 ++ goto out;
1941 +
1942 + memcpy(ms->m_extra, name, len);
1943 + ms->m_hash = hash;
1944 +
1945 + send_message(mh, ms);
1946 +
1947 ++out:
1948 + spin_lock(&ls->ls_remove_spin);
1949 + ls->ls_remove_len = 0;
1950 + memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN);
1951 +diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h
1952 +index 4c0224ff0a14b..4f1c0f8e1bb0b 100644
1953 +--- a/include/linux/bitfield.h
1954 ++++ b/include/linux/bitfield.h
1955 +@@ -41,6 +41,22 @@
1956 +
1957 + #define __bf_shf(x) (__builtin_ffsll(x) - 1)
1958 +
1959 ++#define __scalar_type_to_unsigned_cases(type) \
1960 ++ unsigned type: (unsigned type)0, \
1961 ++ signed type: (unsigned type)0
1962 ++
1963 ++#define __unsigned_scalar_typeof(x) typeof( \
1964 ++ _Generic((x), \
1965 ++ char: (unsigned char)0, \
1966 ++ __scalar_type_to_unsigned_cases(char), \
1967 ++ __scalar_type_to_unsigned_cases(short), \
1968 ++ __scalar_type_to_unsigned_cases(int), \
1969 ++ __scalar_type_to_unsigned_cases(long), \
1970 ++ __scalar_type_to_unsigned_cases(long long), \
1971 ++ default: (x)))
1972 ++
1973 ++#define __bf_cast_unsigned(type, x) ((__unsigned_scalar_typeof(type))(x))
1974 ++
1975 + #define __BF_FIELD_CHECK(_mask, _reg, _val, _pfx) \
1976 + ({ \
1977 + BUILD_BUG_ON_MSG(!__builtin_constant_p(_mask), \
1978 +@@ -49,7 +65,8 @@
1979 + BUILD_BUG_ON_MSG(__builtin_constant_p(_val) ? \
1980 + ~((_mask) >> __bf_shf(_mask)) & (_val) : 0, \
1981 + _pfx "value too large for the field"); \
1982 +- BUILD_BUG_ON_MSG((_mask) > (typeof(_reg))~0ull, \
1983 ++ BUILD_BUG_ON_MSG(__bf_cast_unsigned(_mask, _mask) > \
1984 ++ __bf_cast_unsigned(_reg, ~0ull), \
1985 + _pfx "type of reg too small for mask"); \
1986 + __BUILD_BUG_ON_NOT_POWER_OF_2((_mask) + \
1987 + (1ULL << __bf_shf(_mask))); \
1988 +diff --git a/include/linux/mm.h b/include/linux/mm.h
1989 +index c125fea49752f..d35c29d322d83 100644
1990 +--- a/include/linux/mm.h
1991 ++++ b/include/linux/mm.h
1992 +@@ -15,6 +15,7 @@
1993 + #include <linux/atomic.h>
1994 + #include <linux/debug_locks.h>
1995 + #include <linux/mm_types.h>
1996 ++#include <linux/mmap_lock.h>
1997 + #include <linux/range.h>
1998 + #include <linux/pfn.h>
1999 + #include <linux/percpu-refcount.h>
2000 +diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h
2001 +new file mode 100644
2002 +index 0000000000000..97ac53b66052e
2003 +--- /dev/null
2004 ++++ b/include/linux/mmap_lock.h
2005 +@@ -0,0 +1,54 @@
2006 ++#ifndef _LINUX_MMAP_LOCK_H
2007 ++#define _LINUX_MMAP_LOCK_H
2008 ++
2009 ++static inline void mmap_init_lock(struct mm_struct *mm)
2010 ++{
2011 ++ init_rwsem(&mm->mmap_sem);
2012 ++}
2013 ++
2014 ++static inline void mmap_write_lock(struct mm_struct *mm)
2015 ++{
2016 ++ down_write(&mm->mmap_sem);
2017 ++}
2018 ++
2019 ++static inline int mmap_write_lock_killable(struct mm_struct *mm)
2020 ++{
2021 ++ return down_write_killable(&mm->mmap_sem);
2022 ++}
2023 ++
2024 ++static inline bool mmap_write_trylock(struct mm_struct *mm)
2025 ++{
2026 ++ return down_write_trylock(&mm->mmap_sem) != 0;
2027 ++}
2028 ++
2029 ++static inline void mmap_write_unlock(struct mm_struct *mm)
2030 ++{
2031 ++ up_write(&mm->mmap_sem);
2032 ++}
2033 ++
2034 ++static inline void mmap_write_downgrade(struct mm_struct *mm)
2035 ++{
2036 ++ downgrade_write(&mm->mmap_sem);
2037 ++}
2038 ++
2039 ++static inline void mmap_read_lock(struct mm_struct *mm)
2040 ++{
2041 ++ down_read(&mm->mmap_sem);
2042 ++}
2043 ++
2044 ++static inline int mmap_read_lock_killable(struct mm_struct *mm)
2045 ++{
2046 ++ return down_read_killable(&mm->mmap_sem);
2047 ++}
2048 ++
2049 ++static inline bool mmap_read_trylock(struct mm_struct *mm)
2050 ++{
2051 ++ return down_read_trylock(&mm->mmap_sem) != 0;
2052 ++}
2053 ++
2054 ++static inline void mmap_read_unlock(struct mm_struct *mm)
2055 ++{
2056 ++ up_read(&mm->mmap_sem);
2057 ++}
2058 ++
2059 ++#endif /* _LINUX_MMAP_LOCK_H */
2060 +diff --git a/include/linux/refcount.h b/include/linux/refcount.h
2061 +index e28cce21bad6c..0ac50cf62d062 100644
2062 +--- a/include/linux/refcount.h
2063 ++++ b/include/linux/refcount.h
2064 +@@ -1,9 +1,88 @@
2065 + /* SPDX-License-Identifier: GPL-2.0 */
2066 ++/*
2067 ++ * Variant of atomic_t specialized for reference counts.
2068 ++ *
2069 ++ * The interface matches the atomic_t interface (to aid in porting) but only
2070 ++ * provides the few functions one should use for reference counting.
2071 ++ *
2072 ++ * Saturation semantics
2073 ++ * ====================
2074 ++ *
2075 ++ * refcount_t differs from atomic_t in that the counter saturates at
2076 ++ * REFCOUNT_SATURATED and will not move once there. This avoids wrapping the
2077 ++ * counter and causing 'spurious' use-after-free issues. In order to avoid the
2078 ++ * cost associated with introducing cmpxchg() loops into all of the saturating
2079 ++ * operations, we temporarily allow the counter to take on an unchecked value
2080 ++ * and then explicitly set it to REFCOUNT_SATURATED on detecting that underflow
2081 ++ * or overflow has occurred. Although this is racy when multiple threads
2082 ++ * access the refcount concurrently, by placing REFCOUNT_SATURATED roughly
2083 ++ * equidistant from 0 and INT_MAX we minimise the scope for error:
2084 ++ *
2085 ++ * INT_MAX REFCOUNT_SATURATED UINT_MAX
2086 ++ * 0 (0x7fff_ffff) (0xc000_0000) (0xffff_ffff)
2087 ++ * +--------------------------------+----------------+----------------+
2088 ++ * <---------- bad value! ---------->
2089 ++ *
2090 ++ * (in a signed view of the world, the "bad value" range corresponds to
2091 ++ * a negative counter value).
2092 ++ *
2093 ++ * As an example, consider a refcount_inc() operation that causes the counter
2094 ++ * to overflow:
2095 ++ *
2096 ++ * int old = atomic_fetch_add_relaxed(r);
2097 ++ * // old is INT_MAX, refcount now INT_MIN (0x8000_0000)
2098 ++ * if (old < 0)
2099 ++ * atomic_set(r, REFCOUNT_SATURATED);
2100 ++ *
2101 ++ * If another thread also performs a refcount_inc() operation between the two
2102 ++ * atomic operations, then the count will continue to edge closer to 0. If it
2103 ++ * reaches a value of 1 before /any/ of the threads reset it to the saturated
2104 ++ * value, then a concurrent refcount_dec_and_test() may erroneously free the
2105 ++ * underlying object. Given the precise timing details involved with the
2106 ++ * round-robin scheduling of each thread manipulating the refcount and the need
2107 ++ * to hit the race multiple times in succession, there doesn't appear to be a
2108 ++ * practical avenue of attack even if using refcount_add() operations with
2109 ++ * larger increments.
2110 ++ *
2111 ++ * Memory ordering
2112 ++ * ===============
2113 ++ *
2114 ++ * Memory ordering rules are slightly relaxed wrt regular atomic_t functions
2115 ++ * and provide only what is strictly required for refcounts.
2116 ++ *
2117 ++ * The increments are fully relaxed; these will not provide ordering. The
2118 ++ * rationale is that whatever is used to obtain the object we're increasing the
2119 ++ * reference count on will provide the ordering. For locked data structures,
2120 ++ * its the lock acquire, for RCU/lockless data structures its the dependent
2121 ++ * load.
2122 ++ *
2123 ++ * Do note that inc_not_zero() provides a control dependency which will order
2124 ++ * future stores against the inc, this ensures we'll never modify the object
2125 ++ * if we did not in fact acquire a reference.
2126 ++ *
2127 ++ * The decrements will provide release order, such that all the prior loads and
2128 ++ * stores will be issued before, it also provides a control dependency, which
2129 ++ * will order us against the subsequent free().
2130 ++ *
2131 ++ * The control dependency is against the load of the cmpxchg (ll/sc) that
2132 ++ * succeeded. This means the stores aren't fully ordered, but this is fine
2133 ++ * because the 1->0 transition indicates no concurrency.
2134 ++ *
2135 ++ * Note that the allocator is responsible for ordering things between free()
2136 ++ * and alloc().
2137 ++ *
2138 ++ * The decrements dec_and_test() and sub_and_test() also provide acquire
2139 ++ * ordering on success.
2140 ++ *
2141 ++ */
2142 ++
2143 + #ifndef _LINUX_REFCOUNT_H
2144 + #define _LINUX_REFCOUNT_H
2145 +
2146 + #include <linux/atomic.h>
2147 ++#include <linux/bug.h>
2148 + #include <linux/compiler.h>
2149 ++#include <linux/limits.h>
2150 + #include <linux/spinlock_types.h>
2151 +
2152 + struct mutex;
2153 +@@ -12,7 +91,7 @@ struct mutex;
2154 + * struct refcount_t - variant of atomic_t specialized for reference counts
2155 + * @refs: atomic_t counter field
2156 + *
2157 +- * The counter saturates at UINT_MAX and will not move once
2158 ++ * The counter saturates at REFCOUNT_SATURATED and will not move once
2159 + * there. This avoids wrapping the counter and causing 'spurious'
2160 + * use-after-free bugs.
2161 + */
2162 +@@ -21,13 +100,25 @@ typedef struct refcount_struct {
2163 + } refcount_t;
2164 +
2165 + #define REFCOUNT_INIT(n) { .refs = ATOMIC_INIT(n), }
2166 ++#define REFCOUNT_MAX INT_MAX
2167 ++#define REFCOUNT_SATURATED (INT_MIN / 2)
2168 ++
2169 ++enum refcount_saturation_type {
2170 ++ REFCOUNT_ADD_NOT_ZERO_OVF,
2171 ++ REFCOUNT_ADD_OVF,
2172 ++ REFCOUNT_ADD_UAF,
2173 ++ REFCOUNT_SUB_UAF,
2174 ++ REFCOUNT_DEC_LEAK,
2175 ++};
2176 ++
2177 ++void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t);
2178 +
2179 + /**
2180 + * refcount_set - set a refcount's value
2181 + * @r: the refcount
2182 + * @n: value to which the refcount will be set
2183 + */
2184 +-static inline void refcount_set(refcount_t *r, unsigned int n)
2185 ++static inline void refcount_set(refcount_t *r, int n)
2186 + {
2187 + atomic_set(&r->refs, n);
2188 + }
2189 +@@ -43,70 +134,168 @@ static inline unsigned int refcount_read(const refcount_t *r)
2190 + return atomic_read(&r->refs);
2191 + }
2192 +
2193 +-extern __must_check bool refcount_add_not_zero_checked(unsigned int i, refcount_t *r);
2194 +-extern void refcount_add_checked(unsigned int i, refcount_t *r);
2195 +-
2196 +-extern __must_check bool refcount_inc_not_zero_checked(refcount_t *r);
2197 +-extern void refcount_inc_checked(refcount_t *r);
2198 +-
2199 +-extern __must_check bool refcount_sub_and_test_checked(unsigned int i, refcount_t *r);
2200 +-
2201 +-extern __must_check bool refcount_dec_and_test_checked(refcount_t *r);
2202 +-extern void refcount_dec_checked(refcount_t *r);
2203 +-
2204 +-#ifdef CONFIG_REFCOUNT_FULL
2205 +-
2206 +-#define refcount_add_not_zero refcount_add_not_zero_checked
2207 +-#define refcount_add refcount_add_checked
2208 +-
2209 +-#define refcount_inc_not_zero refcount_inc_not_zero_checked
2210 +-#define refcount_inc refcount_inc_checked
2211 ++/**
2212 ++ * refcount_add_not_zero - add a value to a refcount unless it is 0
2213 ++ * @i: the value to add to the refcount
2214 ++ * @r: the refcount
2215 ++ *
2216 ++ * Will saturate at REFCOUNT_SATURATED and WARN.
2217 ++ *
2218 ++ * Provides no memory ordering, it is assumed the caller has guaranteed the
2219 ++ * object memory to be stable (RCU, etc.). It does provide a control dependency
2220 ++ * and thereby orders future stores. See the comment on top.
2221 ++ *
2222 ++ * Use of this function is not recommended for the normal reference counting
2223 ++ * use case in which references are taken and released one at a time. In these
2224 ++ * cases, refcount_inc(), or one of its variants, should instead be used to
2225 ++ * increment a reference count.
2226 ++ *
2227 ++ * Return: false if the passed refcount is 0, true otherwise
2228 ++ */
2229 ++static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r)
2230 ++{
2231 ++ int old = refcount_read(r);
2232 +
2233 +-#define refcount_sub_and_test refcount_sub_and_test_checked
2234 ++ do {
2235 ++ if (!old)
2236 ++ break;
2237 ++ } while (!atomic_try_cmpxchg_relaxed(&r->refs, &old, old + i));
2238 +
2239 +-#define refcount_dec_and_test refcount_dec_and_test_checked
2240 +-#define refcount_dec refcount_dec_checked
2241 ++ if (unlikely(old < 0 || old + i < 0))
2242 ++ refcount_warn_saturate(r, REFCOUNT_ADD_NOT_ZERO_OVF);
2243 +
2244 +-#else
2245 +-# ifdef CONFIG_ARCH_HAS_REFCOUNT
2246 +-# include <asm/refcount.h>
2247 +-# else
2248 +-static inline __must_check bool refcount_add_not_zero(unsigned int i, refcount_t *r)
2249 +-{
2250 +- return atomic_add_unless(&r->refs, i, 0);
2251 ++ return old;
2252 + }
2253 +
2254 +-static inline void refcount_add(unsigned int i, refcount_t *r)
2255 ++/**
2256 ++ * refcount_add - add a value to a refcount
2257 ++ * @i: the value to add to the refcount
2258 ++ * @r: the refcount
2259 ++ *
2260 ++ * Similar to atomic_add(), but will saturate at REFCOUNT_SATURATED and WARN.
2261 ++ *
2262 ++ * Provides no memory ordering, it is assumed the caller has guaranteed the
2263 ++ * object memory to be stable (RCU, etc.). It does provide a control dependency
2264 ++ * and thereby orders future stores. See the comment on top.
2265 ++ *
2266 ++ * Use of this function is not recommended for the normal reference counting
2267 ++ * use case in which references are taken and released one at a time. In these
2268 ++ * cases, refcount_inc(), or one of its variants, should instead be used to
2269 ++ * increment a reference count.
2270 ++ */
2271 ++static inline void refcount_add(int i, refcount_t *r)
2272 + {
2273 +- atomic_add(i, &r->refs);
2274 ++ int old = atomic_fetch_add_relaxed(i, &r->refs);
2275 ++
2276 ++ if (unlikely(!old))
2277 ++ refcount_warn_saturate(r, REFCOUNT_ADD_UAF);
2278 ++ else if (unlikely(old < 0 || old + i < 0))
2279 ++ refcount_warn_saturate(r, REFCOUNT_ADD_OVF);
2280 + }
2281 +
2282 ++/**
2283 ++ * refcount_inc_not_zero - increment a refcount unless it is 0
2284 ++ * @r: the refcount to increment
2285 ++ *
2286 ++ * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURATED
2287 ++ * and WARN.
2288 ++ *
2289 ++ * Provides no memory ordering, it is assumed the caller has guaranteed the
2290 ++ * object memory to be stable (RCU, etc.). It does provide a control dependency
2291 ++ * and thereby orders future stores. See the comment on top.
2292 ++ *
2293 ++ * Return: true if the increment was successful, false otherwise
2294 ++ */
2295 + static inline __must_check bool refcount_inc_not_zero(refcount_t *r)
2296 + {
2297 +- return atomic_add_unless(&r->refs, 1, 0);
2298 ++ return refcount_add_not_zero(1, r);
2299 + }
2300 +
2301 ++/**
2302 ++ * refcount_inc - increment a refcount
2303 ++ * @r: the refcount to increment
2304 ++ *
2305 ++ * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WARN.
2306 ++ *
2307 ++ * Provides no memory ordering, it is assumed the caller already has a
2308 ++ * reference on the object.
2309 ++ *
2310 ++ * Will WARN if the refcount is 0, as this represents a possible use-after-free
2311 ++ * condition.
2312 ++ */
2313 + static inline void refcount_inc(refcount_t *r)
2314 + {
2315 +- atomic_inc(&r->refs);
2316 ++ refcount_add(1, r);
2317 + }
2318 +
2319 +-static inline __must_check bool refcount_sub_and_test(unsigned int i, refcount_t *r)
2320 ++/**
2321 ++ * refcount_sub_and_test - subtract from a refcount and test if it is 0
2322 ++ * @i: amount to subtract from the refcount
2323 ++ * @r: the refcount
2324 ++ *
2325 ++ * Similar to atomic_dec_and_test(), but it will WARN, return false and
2326 ++ * ultimately leak on underflow and will fail to decrement when saturated
2327 ++ * at REFCOUNT_SATURATED.
2328 ++ *
2329 ++ * Provides release memory ordering, such that prior loads and stores are done
2330 ++ * before, and provides an acquire ordering on success such that free()
2331 ++ * must come after.
2332 ++ *
2333 ++ * Use of this function is not recommended for the normal reference counting
2334 ++ * use case in which references are taken and released one at a time. In these
2335 ++ * cases, refcount_dec(), or one of its variants, should instead be used to
2336 ++ * decrement a reference count.
2337 ++ *
2338 ++ * Return: true if the resulting refcount is 0, false otherwise
2339 ++ */
2340 ++static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r)
2341 + {
2342 +- return atomic_sub_and_test(i, &r->refs);
2343 ++ int old = atomic_fetch_sub_release(i, &r->refs);
2344 ++
2345 ++ if (old == i) {
2346 ++ smp_acquire__after_ctrl_dep();
2347 ++ return true;
2348 ++ }
2349 ++
2350 ++ if (unlikely(old < 0 || old - i < 0))
2351 ++ refcount_warn_saturate(r, REFCOUNT_SUB_UAF);
2352 ++
2353 ++ return false;
2354 + }
2355 +
2356 ++/**
2357 ++ * refcount_dec_and_test - decrement a refcount and test if it is 0
2358 ++ * @r: the refcount
2359 ++ *
2360 ++ * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to
2361 ++ * decrement when saturated at REFCOUNT_SATURATED.
2362 ++ *
2363 ++ * Provides release memory ordering, such that prior loads and stores are done
2364 ++ * before, and provides an acquire ordering on success such that free()
2365 ++ * must come after.
2366 ++ *
2367 ++ * Return: true if the resulting refcount is 0, false otherwise
2368 ++ */
2369 + static inline __must_check bool refcount_dec_and_test(refcount_t *r)
2370 + {
2371 +- return atomic_dec_and_test(&r->refs);
2372 ++ return refcount_sub_and_test(1, r);
2373 + }
2374 +
2375 ++/**
2376 ++ * refcount_dec - decrement a refcount
2377 ++ * @r: the refcount
2378 ++ *
2379 ++ * Similar to atomic_dec(), it will WARN on underflow and fail to decrement
2380 ++ * when saturated at REFCOUNT_SATURATED.
2381 ++ *
2382 ++ * Provides release memory ordering, such that prior loads and stores are done
2383 ++ * before.
2384 ++ */
2385 + static inline void refcount_dec(refcount_t *r)
2386 + {
2387 +- atomic_dec(&r->refs);
2388 ++ if (unlikely(atomic_fetch_sub_release(1, &r->refs) <= 1))
2389 ++ refcount_warn_saturate(r, REFCOUNT_DEC_LEAK);
2390 + }
2391 +-# endif /* !CONFIG_ARCH_HAS_REFCOUNT */
2392 +-#endif /* CONFIG_REFCOUNT_FULL */
2393 +
2394 + extern __must_check bool refcount_dec_if_one(refcount_t *r);
2395 + extern __must_check bool refcount_dec_not_one(refcount_t *r);
2396 +diff --git a/include/linux/tty_flip.h b/include/linux/tty_flip.h
2397 +index 767f62086bd9b..c326bfdb5ec2c 100644
2398 +--- a/include/linux/tty_flip.h
2399 ++++ b/include/linux/tty_flip.h
2400 +@@ -12,7 +12,6 @@ extern int tty_insert_flip_string_fixed_flag(struct tty_port *port,
2401 + extern int tty_prepare_flip_string(struct tty_port *port,
2402 + unsigned char **chars, size_t size);
2403 + extern void tty_flip_buffer_push(struct tty_port *port);
2404 +-void tty_schedule_flip(struct tty_port *port);
2405 + int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag);
2406 +
2407 + static inline int tty_insert_flip_char(struct tty_port *port,
2408 +@@ -40,4 +39,7 @@ static inline int tty_insert_flip_string(struct tty_port *port,
2409 + extern void tty_buffer_lock_exclusive(struct tty_port *port);
2410 + extern void tty_buffer_unlock_exclusive(struct tty_port *port);
2411 +
2412 ++int tty_insert_flip_string_and_push_buffer(struct tty_port *port,
2413 ++ const unsigned char *chars, size_t cnt);
2414 ++
2415 + #endif /* _LINUX_TTY_FLIP_H */
2416 +diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
2417 +index fabee6db0abb7..421d41ef4e9ca 100644
2418 +--- a/include/net/bluetooth/bluetooth.h
2419 ++++ b/include/net/bluetooth/bluetooth.h
2420 +@@ -370,6 +370,71 @@ out:
2421 + return NULL;
2422 + }
2423 +
2424 ++/* Shall not be called with lock_sock held */
2425 ++static inline struct sk_buff *bt_skb_sendmsg(struct sock *sk,
2426 ++ struct msghdr *msg,
2427 ++ size_t len, size_t mtu,
2428 ++ size_t headroom, size_t tailroom)
2429 ++{
2430 ++ struct sk_buff *skb;
2431 ++ size_t size = min_t(size_t, len, mtu);
2432 ++ int err;
2433 ++
2434 ++ skb = bt_skb_send_alloc(sk, size + headroom + tailroom,
2435 ++ msg->msg_flags & MSG_DONTWAIT, &err);
2436 ++ if (!skb)
2437 ++ return ERR_PTR(err);
2438 ++
2439 ++ skb_reserve(skb, headroom);
2440 ++ skb_tailroom_reserve(skb, mtu, tailroom);
2441 ++
2442 ++ if (!copy_from_iter_full(skb_put(skb, size), size, &msg->msg_iter)) {
2443 ++ kfree_skb(skb);
2444 ++ return ERR_PTR(-EFAULT);
2445 ++ }
2446 ++
2447 ++ skb->priority = sk->sk_priority;
2448 ++
2449 ++ return skb;
2450 ++}
2451 ++
2452 ++/* Similar to bt_skb_sendmsg but can split the msg into multiple fragments
2453 ++ * accourding to the MTU.
2454 ++ */
2455 ++static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk,
2456 ++ struct msghdr *msg,
2457 ++ size_t len, size_t mtu,
2458 ++ size_t headroom, size_t tailroom)
2459 ++{
2460 ++ struct sk_buff *skb, **frag;
2461 ++
2462 ++ skb = bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom);
2463 ++ if (IS_ERR_OR_NULL(skb))
2464 ++ return skb;
2465 ++
2466 ++ len -= skb->len;
2467 ++ if (!len)
2468 ++ return skb;
2469 ++
2470 ++ /* Add remaining data over MTU as continuation fragments */
2471 ++ frag = &skb_shinfo(skb)->frag_list;
2472 ++ while (len) {
2473 ++ struct sk_buff *tmp;
2474 ++
2475 ++ tmp = bt_skb_sendmsg(sk, msg, len, mtu, headroom, tailroom);
2476 ++ if (IS_ERR(tmp)) {
2477 ++ return skb;
2478 ++ }
2479 ++
2480 ++ len -= tmp->len;
2481 ++
2482 ++ *frag = tmp;
2483 ++ frag = &(*frag)->next;
2484 ++ }
2485 ++
2486 ++ return skb;
2487 ++}
2488 ++
2489 + int bt_to_errno(u16 code);
2490 +
2491 + void hci_sock_set_flag(struct sock *sk, int nr);
2492 +diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
2493 +index 34c4436fd18ff..58db7c69c146d 100644
2494 +--- a/include/net/inet_sock.h
2495 ++++ b/include/net/inet_sock.h
2496 +@@ -107,7 +107,8 @@ static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk)
2497 +
2498 + static inline u32 inet_request_mark(const struct sock *sk, struct sk_buff *skb)
2499 + {
2500 +- if (!sk->sk_mark && sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)
2501 ++ if (!sk->sk_mark &&
2502 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept))
2503 + return skb->mark;
2504 +
2505 + return sk->sk_mark;
2506 +@@ -375,7 +376,7 @@ static inline bool inet_get_convert_csum(struct sock *sk)
2507 + static inline bool inet_can_nonlocal_bind(struct net *net,
2508 + struct inet_sock *inet)
2509 + {
2510 +- return net->ipv4.sysctl_ip_nonlocal_bind ||
2511 ++ return READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind) ||
2512 + inet->freebind || inet->transparent;
2513 + }
2514 +
2515 +diff --git a/include/net/ip.h b/include/net/ip.h
2516 +index 3f3ea86b2173c..db841ab388c0e 100644
2517 +--- a/include/net/ip.h
2518 ++++ b/include/net/ip.h
2519 +@@ -381,7 +381,7 @@ void ipfrag_init(void);
2520 + void ip_static_sysctl_init(void);
2521 +
2522 + #define IP4_REPLY_MARK(net, mark) \
2523 +- ((net)->ipv4.sysctl_fwmark_reflect ? (mark) : 0)
2524 ++ (READ_ONCE((net)->ipv4.sysctl_fwmark_reflect) ? (mark) : 0)
2525 +
2526 + static inline bool ip_is_fragment(const struct iphdr *iph)
2527 + {
2528 +@@ -442,7 +442,7 @@ static inline unsigned int ip_dst_mtu_maybe_forward(const struct dst_entry *dst,
2529 + struct net *net = dev_net(dst->dev);
2530 + unsigned int mtu;
2531 +
2532 +- if (net->ipv4.sysctl_ip_fwd_use_pmtu ||
2533 ++ if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) ||
2534 + ip_mtu_locked(dst) ||
2535 + !forwarding)
2536 + return dst_mtu(dst);
2537 +diff --git a/include/net/tcp.h b/include/net/tcp.h
2538 +index 65be8bd1f0f4a..aaf1d5d5a13b0 100644
2539 +--- a/include/net/tcp.h
2540 ++++ b/include/net/tcp.h
2541 +@@ -1373,8 +1373,8 @@ static inline void tcp_slow_start_after_idle_check(struct sock *sk)
2542 + struct tcp_sock *tp = tcp_sk(sk);
2543 + s32 delta;
2544 +
2545 +- if (!sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle || tp->packets_out ||
2546 +- ca_ops->cong_control)
2547 ++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) ||
2548 ++ tp->packets_out || ca_ops->cong_control)
2549 + return;
2550 + delta = tcp_jiffies32 - tp->lsndtime;
2551 + if (delta > inet_csk(sk)->icsk_rto)
2552 +@@ -1465,7 +1465,8 @@ static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp)
2553 +
2554 + static inline int tcp_fin_time(const struct sock *sk)
2555 + {
2556 +- int fin_timeout = tcp_sk(sk)->linger2 ? : sock_net(sk)->ipv4.sysctl_tcp_fin_timeout;
2557 ++ int fin_timeout = tcp_sk(sk)->linger2 ? :
2558 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fin_timeout);
2559 + const int rto = inet_csk(sk)->icsk_rto;
2560 +
2561 + if (fin_timeout < (rto << 2) - (rto >> 1))
2562 +@@ -1946,7 +1947,7 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr);
2563 + static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp)
2564 + {
2565 + struct net *net = sock_net((struct sock *)tp);
2566 +- return tp->notsent_lowat ?: net->ipv4.sysctl_tcp_notsent_lowat;
2567 ++ return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
2568 + }
2569 +
2570 + /* @wake is one when sk_stream_write_space() calls us.
2571 +diff --git a/include/net/udp.h b/include/net/udp.h
2572 +index 9787a42f7ed3e..e66854e767dcc 100644
2573 +--- a/include/net/udp.h
2574 ++++ b/include/net/udp.h
2575 +@@ -252,7 +252,7 @@ static inline bool udp_sk_bound_dev_eq(struct net *net, int bound_dev_if,
2576 + int dif, int sdif)
2577 + {
2578 + #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV)
2579 +- return inet_bound_dev_eq(!!net->ipv4.sysctl_udp_l3mdev_accept,
2580 ++ return inet_bound_dev_eq(!!READ_ONCE(net->ipv4.sysctl_udp_l3mdev_accept),
2581 + bound_dev_if, dif, sdif);
2582 + #else
2583 + return inet_bound_dev_eq(true, bound_dev_if, dif, sdif);
2584 +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
2585 +index 1238ef9c569df..6b33a8a148b85 100644
2586 +--- a/kernel/bpf/core.c
2587 ++++ b/kernel/bpf/core.c
2588 +@@ -64,11 +64,13 @@ void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, uns
2589 + {
2590 + u8 *ptr = NULL;
2591 +
2592 +- if (k >= SKF_NET_OFF)
2593 ++ if (k >= SKF_NET_OFF) {
2594 + ptr = skb_network_header(skb) + k - SKF_NET_OFF;
2595 +- else if (k >= SKF_LL_OFF)
2596 ++ } else if (k >= SKF_LL_OFF) {
2597 ++ if (unlikely(!skb_mac_header_was_set(skb)))
2598 ++ return NULL;
2599 + ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
2600 +-
2601 ++ }
2602 + if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb))
2603 + return ptr;
2604 +
2605 +diff --git a/kernel/events/core.c b/kernel/events/core.c
2606 +index 8336dcb2bd432..0a54780e0942d 100644
2607 +--- a/kernel/events/core.c
2608 ++++ b/kernel/events/core.c
2609 +@@ -5819,10 +5819,10 @@ again:
2610 +
2611 + if (!atomic_inc_not_zero(&event->rb->mmap_count)) {
2612 + /*
2613 +- * Raced against perf_mmap_close() through
2614 +- * perf_event_set_output(). Try again, hope for better
2615 +- * luck.
2616 ++ * Raced against perf_mmap_close(); remove the
2617 ++ * event and try again.
2618 + */
2619 ++ ring_buffer_attach(event, NULL);
2620 + mutex_unlock(&event->mmap_mutex);
2621 + goto again;
2622 + }
2623 +@@ -10763,14 +10763,25 @@ err_size:
2624 + goto out;
2625 + }
2626 +
2627 ++static void mutex_lock_double(struct mutex *a, struct mutex *b)
2628 ++{
2629 ++ if (b < a)
2630 ++ swap(a, b);
2631 ++
2632 ++ mutex_lock(a);
2633 ++ mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
2634 ++}
2635 ++
2636 + static int
2637 + perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
2638 + {
2639 + struct ring_buffer *rb = NULL;
2640 + int ret = -EINVAL;
2641 +
2642 +- if (!output_event)
2643 ++ if (!output_event) {
2644 ++ mutex_lock(&event->mmap_mutex);
2645 + goto set;
2646 ++ }
2647 +
2648 + /* don't allow circular references */
2649 + if (event == output_event)
2650 +@@ -10808,8 +10819,15 @@ perf_event_set_output(struct perf_event *event, struct perf_event *output_event)
2651 + event->pmu != output_event->pmu)
2652 + goto out;
2653 +
2654 ++ /*
2655 ++ * Hold both mmap_mutex to serialize against perf_mmap_close(). Since
2656 ++ * output_event is already on rb->event_list, and the list iteration
2657 ++ * restarts after every removal, it is guaranteed this new event is
2658 ++ * observed *OR* if output_event is already removed, it's guaranteed we
2659 ++ * observe !rb->mmap_count.
2660 ++ */
2661 ++ mutex_lock_double(&event->mmap_mutex, &output_event->mmap_mutex);
2662 + set:
2663 +- mutex_lock(&event->mmap_mutex);
2664 + /* Can't redirect output if we've got an active mmap() */
2665 + if (atomic_read(&event->mmap_count))
2666 + goto unlock;
2667 +@@ -10819,6 +10837,12 @@ set:
2668 + rb = ring_buffer_get(output_event);
2669 + if (!rb)
2670 + goto unlock;
2671 ++
2672 ++ /* did we race against perf_mmap_close() */
2673 ++ if (!atomic_read(&rb->mmap_count)) {
2674 ++ ring_buffer_put(rb);
2675 ++ goto unlock;
2676 ++ }
2677 + }
2678 +
2679 + ring_buffer_attach(event, rb);
2680 +@@ -10826,20 +10850,13 @@ set:
2681 + ret = 0;
2682 + unlock:
2683 + mutex_unlock(&event->mmap_mutex);
2684 ++ if (output_event)
2685 ++ mutex_unlock(&output_event->mmap_mutex);
2686 +
2687 + out:
2688 + return ret;
2689 + }
2690 +
2691 +-static void mutex_lock_double(struct mutex *a, struct mutex *b)
2692 +-{
2693 +- if (b < a)
2694 +- swap(a, b);
2695 +-
2696 +- mutex_lock(a);
2697 +- mutex_lock_nested(b, SINGLE_DEPTH_NESTING);
2698 +-}
2699 +-
2700 + static int perf_event_set_clock(struct perf_event *event, clockid_t clk_id)
2701 + {
2702 + bool nmi_safe = false;
2703 +diff --git a/lib/refcount.c b/lib/refcount.c
2704 +index 6e904af0fb3e1..ebac8b7d15a7c 100644
2705 +--- a/lib/refcount.c
2706 ++++ b/lib/refcount.c
2707 +@@ -1,41 +1,6 @@
2708 + // SPDX-License-Identifier: GPL-2.0
2709 + /*
2710 +- * Variant of atomic_t specialized for reference counts.
2711 +- *
2712 +- * The interface matches the atomic_t interface (to aid in porting) but only
2713 +- * provides the few functions one should use for reference counting.
2714 +- *
2715 +- * It differs in that the counter saturates at UINT_MAX and will not move once
2716 +- * there. This avoids wrapping the counter and causing 'spurious'
2717 +- * use-after-free issues.
2718 +- *
2719 +- * Memory ordering rules are slightly relaxed wrt regular atomic_t functions
2720 +- * and provide only what is strictly required for refcounts.
2721 +- *
2722 +- * The increments are fully relaxed; these will not provide ordering. The
2723 +- * rationale is that whatever is used to obtain the object we're increasing the
2724 +- * reference count on will provide the ordering. For locked data structures,
2725 +- * its the lock acquire, for RCU/lockless data structures its the dependent
2726 +- * load.
2727 +- *
2728 +- * Do note that inc_not_zero() provides a control dependency which will order
2729 +- * future stores against the inc, this ensures we'll never modify the object
2730 +- * if we did not in fact acquire a reference.
2731 +- *
2732 +- * The decrements will provide release order, such that all the prior loads and
2733 +- * stores will be issued before, it also provides a control dependency, which
2734 +- * will order us against the subsequent free().
2735 +- *
2736 +- * The control dependency is against the load of the cmpxchg (ll/sc) that
2737 +- * succeeded. This means the stores aren't fully ordered, but this is fine
2738 +- * because the 1->0 transition indicates no concurrency.
2739 +- *
2740 +- * Note that the allocator is responsible for ordering things between free()
2741 +- * and alloc().
2742 +- *
2743 +- * The decrements dec_and_test() and sub_and_test() also provide acquire
2744 +- * ordering on success.
2745 +- *
2746 ++ * Out-of-line refcount functions.
2747 + */
2748 +
2749 + #include <linux/mutex.h>
2750 +@@ -43,199 +8,33 @@
2751 + #include <linux/spinlock.h>
2752 + #include <linux/bug.h>
2753 +
2754 +-/**
2755 +- * refcount_add_not_zero_checked - add a value to a refcount unless it is 0
2756 +- * @i: the value to add to the refcount
2757 +- * @r: the refcount
2758 +- *
2759 +- * Will saturate at UINT_MAX and WARN.
2760 +- *
2761 +- * Provides no memory ordering, it is assumed the caller has guaranteed the
2762 +- * object memory to be stable (RCU, etc.). It does provide a control dependency
2763 +- * and thereby orders future stores. See the comment on top.
2764 +- *
2765 +- * Use of this function is not recommended for the normal reference counting
2766 +- * use case in which references are taken and released one at a time. In these
2767 +- * cases, refcount_inc(), or one of its variants, should instead be used to
2768 +- * increment a reference count.
2769 +- *
2770 +- * Return: false if the passed refcount is 0, true otherwise
2771 +- */
2772 +-bool refcount_add_not_zero_checked(unsigned int i, refcount_t *r)
2773 +-{
2774 +- unsigned int new, val = atomic_read(&r->refs);
2775 +-
2776 +- do {
2777 +- if (!val)
2778 +- return false;
2779 +-
2780 +- if (unlikely(val == UINT_MAX))
2781 +- return true;
2782 +-
2783 +- new = val + i;
2784 +- if (new < val)
2785 +- new = UINT_MAX;
2786 +-
2787 +- } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
2788 +-
2789 +- WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
2790 +-
2791 +- return true;
2792 +-}
2793 +-EXPORT_SYMBOL(refcount_add_not_zero_checked);
2794 +-
2795 +-/**
2796 +- * refcount_add_checked - add a value to a refcount
2797 +- * @i: the value to add to the refcount
2798 +- * @r: the refcount
2799 +- *
2800 +- * Similar to atomic_add(), but will saturate at UINT_MAX and WARN.
2801 +- *
2802 +- * Provides no memory ordering, it is assumed the caller has guaranteed the
2803 +- * object memory to be stable (RCU, etc.). It does provide a control dependency
2804 +- * and thereby orders future stores. See the comment on top.
2805 +- *
2806 +- * Use of this function is not recommended for the normal reference counting
2807 +- * use case in which references are taken and released one at a time. In these
2808 +- * cases, refcount_inc(), or one of its variants, should instead be used to
2809 +- * increment a reference count.
2810 +- */
2811 +-void refcount_add_checked(unsigned int i, refcount_t *r)
2812 +-{
2813 +- WARN_ONCE(!refcount_add_not_zero_checked(i, r), "refcount_t: addition on 0; use-after-free.\n");
2814 +-}
2815 +-EXPORT_SYMBOL(refcount_add_checked);
2816 +-
2817 +-/**
2818 +- * refcount_inc_not_zero_checked - increment a refcount unless it is 0
2819 +- * @r: the refcount to increment
2820 +- *
2821 +- * Similar to atomic_inc_not_zero(), but will saturate at UINT_MAX and WARN.
2822 +- *
2823 +- * Provides no memory ordering, it is assumed the caller has guaranteed the
2824 +- * object memory to be stable (RCU, etc.). It does provide a control dependency
2825 +- * and thereby orders future stores. See the comment on top.
2826 +- *
2827 +- * Return: true if the increment was successful, false otherwise
2828 +- */
2829 +-bool refcount_inc_not_zero_checked(refcount_t *r)
2830 +-{
2831 +- unsigned int new, val = atomic_read(&r->refs);
2832 +-
2833 +- do {
2834 +- new = val + 1;
2835 +-
2836 +- if (!val)
2837 +- return false;
2838 +-
2839 +- if (unlikely(!new))
2840 +- return true;
2841 +-
2842 +- } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new));
2843 ++#define REFCOUNT_WARN(str) WARN_ONCE(1, "refcount_t: " str ".\n")
2844 +
2845 +- WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n");
2846 +-
2847 +- return true;
2848 +-}
2849 +-EXPORT_SYMBOL(refcount_inc_not_zero_checked);
2850 +-
2851 +-/**
2852 +- * refcount_inc_checked - increment a refcount
2853 +- * @r: the refcount to increment
2854 +- *
2855 +- * Similar to atomic_inc(), but will saturate at UINT_MAX and WARN.
2856 +- *
2857 +- * Provides no memory ordering, it is assumed the caller already has a
2858 +- * reference on the object.
2859 +- *
2860 +- * Will WARN if the refcount is 0, as this represents a possible use-after-free
2861 +- * condition.
2862 +- */
2863 +-void refcount_inc_checked(refcount_t *r)
2864 ++void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t)
2865 + {
2866 +- WARN_ONCE(!refcount_inc_not_zero_checked(r), "refcount_t: increment on 0; use-after-free.\n");
2867 +-}
2868 +-EXPORT_SYMBOL(refcount_inc_checked);
2869 +-
2870 +-/**
2871 +- * refcount_sub_and_test_checked - subtract from a refcount and test if it is 0
2872 +- * @i: amount to subtract from the refcount
2873 +- * @r: the refcount
2874 +- *
2875 +- * Similar to atomic_dec_and_test(), but it will WARN, return false and
2876 +- * ultimately leak on underflow and will fail to decrement when saturated
2877 +- * at UINT_MAX.
2878 +- *
2879 +- * Provides release memory ordering, such that prior loads and stores are done
2880 +- * before, and provides an acquire ordering on success such that free()
2881 +- * must come after.
2882 +- *
2883 +- * Use of this function is not recommended for the normal reference counting
2884 +- * use case in which references are taken and released one at a time. In these
2885 +- * cases, refcount_dec(), or one of its variants, should instead be used to
2886 +- * decrement a reference count.
2887 +- *
2888 +- * Return: true if the resulting refcount is 0, false otherwise
2889 +- */
2890 +-bool refcount_sub_and_test_checked(unsigned int i, refcount_t *r)
2891 +-{
2892 +- unsigned int new, val = atomic_read(&r->refs);
2893 +-
2894 +- do {
2895 +- if (unlikely(val == UINT_MAX))
2896 +- return false;
2897 +-
2898 +- new = val - i;
2899 +- if (new > val) {
2900 +- WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n");
2901 +- return false;
2902 +- }
2903 +-
2904 +- } while (!atomic_try_cmpxchg_release(&r->refs, &val, new));
2905 +-
2906 +- if (!new) {
2907 +- smp_acquire__after_ctrl_dep();
2908 +- return true;
2909 ++ refcount_set(r, REFCOUNT_SATURATED);
2910 ++
2911 ++ switch (t) {
2912 ++ case REFCOUNT_ADD_NOT_ZERO_OVF:
2913 ++ REFCOUNT_WARN("saturated; leaking memory");
2914 ++ break;
2915 ++ case REFCOUNT_ADD_OVF:
2916 ++ REFCOUNT_WARN("saturated; leaking memory");
2917 ++ break;
2918 ++ case REFCOUNT_ADD_UAF:
2919 ++ REFCOUNT_WARN("addition on 0; use-after-free");
2920 ++ break;
2921 ++ case REFCOUNT_SUB_UAF:
2922 ++ REFCOUNT_WARN("underflow; use-after-free");
2923 ++ break;
2924 ++ case REFCOUNT_DEC_LEAK:
2925 ++ REFCOUNT_WARN("decrement hit 0; leaking memory");
2926 ++ break;
2927 ++ default:
2928 ++ REFCOUNT_WARN("unknown saturation event!?");
2929 + }
2930 +- return false;
2931 +-
2932 +-}
2933 +-EXPORT_SYMBOL(refcount_sub_and_test_checked);
2934 +-
2935 +-/**
2936 +- * refcount_dec_and_test_checked - decrement a refcount and test if it is 0
2937 +- * @r: the refcount
2938 +- *
2939 +- * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to
2940 +- * decrement when saturated at UINT_MAX.
2941 +- *
2942 +- * Provides release memory ordering, such that prior loads and stores are done
2943 +- * before, and provides an acquire ordering on success such that free()
2944 +- * must come after.
2945 +- *
2946 +- * Return: true if the resulting refcount is 0, false otherwise
2947 +- */
2948 +-bool refcount_dec_and_test_checked(refcount_t *r)
2949 +-{
2950 +- return refcount_sub_and_test_checked(1, r);
2951 +-}
2952 +-EXPORT_SYMBOL(refcount_dec_and_test_checked);
2953 +-
2954 +-/**
2955 +- * refcount_dec_checked - decrement a refcount
2956 +- * @r: the refcount
2957 +- *
2958 +- * Similar to atomic_dec(), it will WARN on underflow and fail to decrement
2959 +- * when saturated at UINT_MAX.
2960 +- *
2961 +- * Provides release memory ordering, such that prior loads and stores are done
2962 +- * before.
2963 +- */
2964 +-void refcount_dec_checked(refcount_t *r)
2965 +-{
2966 +- WARN_ONCE(refcount_dec_and_test_checked(r), "refcount_t: decrement hit 0; leaking memory.\n");
2967 + }
2968 +-EXPORT_SYMBOL(refcount_dec_checked);
2969 ++EXPORT_SYMBOL(refcount_warn_saturate);
2970 +
2971 + /**
2972 + * refcount_dec_if_one - decrement a refcount if it is 1
2973 +@@ -277,7 +76,7 @@ bool refcount_dec_not_one(refcount_t *r)
2974 + unsigned int new, val = atomic_read(&r->refs);
2975 +
2976 + do {
2977 +- if (unlikely(val == UINT_MAX))
2978 ++ if (unlikely(val == REFCOUNT_SATURATED))
2979 + return true;
2980 +
2981 + if (val == 1)
2982 +@@ -302,7 +101,7 @@ EXPORT_SYMBOL(refcount_dec_not_one);
2983 + * @lock: the mutex to be locked
2984 + *
2985 + * Similar to atomic_dec_and_mutex_lock(), it will WARN on underflow and fail
2986 +- * to decrement when saturated at UINT_MAX.
2987 ++ * to decrement when saturated at REFCOUNT_SATURATED.
2988 + *
2989 + * Provides release memory ordering, such that prior loads and stores are done
2990 + * before, and provides a control dependency such that free() must come after.
2991 +@@ -333,7 +132,7 @@ EXPORT_SYMBOL(refcount_dec_and_mutex_lock);
2992 + * @lock: the spinlock to be locked
2993 + *
2994 + * Similar to atomic_dec_and_lock(), it will WARN on underflow and fail to
2995 +- * decrement when saturated at UINT_MAX.
2996 ++ * decrement when saturated at REFCOUNT_SATURATED.
2997 + *
2998 + * Provides release memory ordering, such that prior loads and stores are done
2999 + * before, and provides a control dependency such that free() must come after.
3000 +diff --git a/mm/mempolicy.c b/mm/mempolicy.c
3001 +index d79ab5116a7be..f7b231f67156b 100644
3002 +--- a/mm/mempolicy.c
3003 ++++ b/mm/mempolicy.c
3004 +@@ -348,7 +348,7 @@ static void mpol_rebind_preferred(struct mempolicy *pol,
3005 + */
3006 + static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask)
3007 + {
3008 +- if (!pol)
3009 ++ if (!pol || pol->mode == MPOL_LOCAL)
3010 + return;
3011 + if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) &&
3012 + nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
3013 +diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
3014 +index 3a9e9d9670be4..83a8c48dfaa8b 100644
3015 +--- a/net/bluetooth/rfcomm/core.c
3016 ++++ b/net/bluetooth/rfcomm/core.c
3017 +@@ -553,22 +553,58 @@ struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
3018 + return dlc;
3019 + }
3020 +
3021 ++static int rfcomm_dlc_send_frag(struct rfcomm_dlc *d, struct sk_buff *frag)
3022 ++{
3023 ++ int len = frag->len;
3024 ++
3025 ++ BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
3026 ++
3027 ++ if (len > d->mtu)
3028 ++ return -EINVAL;
3029 ++
3030 ++ rfcomm_make_uih(frag, d->addr);
3031 ++ __skb_queue_tail(&d->tx_queue, frag);
3032 ++
3033 ++ return len;
3034 ++}
3035 ++
3036 + int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
3037 + {
3038 +- int len = skb->len;
3039 ++ unsigned long flags;
3040 ++ struct sk_buff *frag, *next;
3041 ++ int len;
3042 +
3043 + if (d->state != BT_CONNECTED)
3044 + return -ENOTCONN;
3045 +
3046 +- BT_DBG("dlc %p mtu %d len %d", d, d->mtu, len);
3047 ++ frag = skb_shinfo(skb)->frag_list;
3048 ++ skb_shinfo(skb)->frag_list = NULL;
3049 +
3050 +- if (len > d->mtu)
3051 +- return -EINVAL;
3052 ++ /* Queue all fragments atomically. */
3053 ++ spin_lock_irqsave(&d->tx_queue.lock, flags);
3054 +
3055 +- rfcomm_make_uih(skb, d->addr);
3056 +- skb_queue_tail(&d->tx_queue, skb);
3057 ++ len = rfcomm_dlc_send_frag(d, skb);
3058 ++ if (len < 0 || !frag)
3059 ++ goto unlock;
3060 ++
3061 ++ for (; frag; frag = next) {
3062 ++ int ret;
3063 ++
3064 ++ next = frag->next;
3065 ++
3066 ++ ret = rfcomm_dlc_send_frag(d, frag);
3067 ++ if (ret < 0) {
3068 ++ kfree_skb(frag);
3069 ++ goto unlock;
3070 ++ }
3071 ++
3072 ++ len += ret;
3073 ++ }
3074 ++
3075 ++unlock:
3076 ++ spin_unlock_irqrestore(&d->tx_queue.lock, flags);
3077 +
3078 +- if (!test_bit(RFCOMM_TX_THROTTLED, &d->flags))
3079 ++ if (len > 0 && !test_bit(RFCOMM_TX_THROTTLED, &d->flags))
3080 + rfcomm_schedule();
3081 + return len;
3082 + }
3083 +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
3084 +index 90bb53aa4beed..e67310a749d27 100644
3085 +--- a/net/bluetooth/rfcomm/sock.c
3086 ++++ b/net/bluetooth/rfcomm/sock.c
3087 +@@ -578,46 +578,20 @@ static int rfcomm_sock_sendmsg(struct socket *sock, struct msghdr *msg,
3088 + lock_sock(sk);
3089 +
3090 + sent = bt_sock_wait_ready(sk, msg->msg_flags);
3091 +- if (sent)
3092 +- goto done;
3093 +-
3094 +- while (len) {
3095 +- size_t size = min_t(size_t, len, d->mtu);
3096 +- int err;
3097 +-
3098 +- skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE,
3099 +- msg->msg_flags & MSG_DONTWAIT, &err);
3100 +- if (!skb) {
3101 +- if (sent == 0)
3102 +- sent = err;
3103 +- break;
3104 +- }
3105 +- skb_reserve(skb, RFCOMM_SKB_HEAD_RESERVE);
3106 +-
3107 +- err = memcpy_from_msg(skb_put(skb, size), msg, size);
3108 +- if (err) {
3109 +- kfree_skb(skb);
3110 +- if (sent == 0)
3111 +- sent = err;
3112 +- break;
3113 +- }
3114 +
3115 +- skb->priority = sk->sk_priority;
3116 ++ release_sock(sk);
3117 +
3118 +- err = rfcomm_dlc_send(d, skb);
3119 +- if (err < 0) {
3120 +- kfree_skb(skb);
3121 +- if (sent == 0)
3122 +- sent = err;
3123 +- break;
3124 +- }
3125 ++ if (sent)
3126 ++ return sent;
3127 +
3128 +- sent += size;
3129 +- len -= size;
3130 +- }
3131 ++ skb = bt_skb_sendmmsg(sk, msg, len, d->mtu, RFCOMM_SKB_HEAD_RESERVE,
3132 ++ RFCOMM_SKB_TAIL_RESERVE);
3133 ++ if (IS_ERR(skb))
3134 ++ return PTR_ERR(skb);
3135 +
3136 +-done:
3137 +- release_sock(sk);
3138 ++ sent = rfcomm_dlc_send(d, skb);
3139 ++ if (sent < 0)
3140 ++ kfree_skb(skb);
3141 +
3142 + return sent;
3143 + }
3144 +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
3145 +index fbfb12e430101..78a549e506b12 100644
3146 +--- a/net/bluetooth/sco.c
3147 ++++ b/net/bluetooth/sco.c
3148 +@@ -279,12 +279,10 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk)
3149 + return err;
3150 + }
3151 +
3152 +-static int sco_send_frame(struct sock *sk, void *buf, int len,
3153 +- unsigned int msg_flags)
3154 ++static int sco_send_frame(struct sock *sk, struct sk_buff *skb)
3155 + {
3156 + struct sco_conn *conn = sco_pi(sk)->conn;
3157 +- struct sk_buff *skb;
3158 +- int err;
3159 ++ int len = skb->len;
3160 +
3161 + /* Check outgoing MTU */
3162 + if (len > conn->mtu)
3163 +@@ -292,11 +290,6 @@ static int sco_send_frame(struct sock *sk, void *buf, int len,
3164 +
3165 + BT_DBG("sk %p len %d", sk, len);
3166 +
3167 +- skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err);
3168 +- if (!skb)
3169 +- return err;
3170 +-
3171 +- memcpy(skb_put(skb, len), buf, len);
3172 + hci_send_sco(conn->hcon, skb);
3173 +
3174 + return len;
3175 +@@ -715,7 +708,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
3176 + size_t len)
3177 + {
3178 + struct sock *sk = sock->sk;
3179 +- void *buf;
3180 ++ struct sk_buff *skb;
3181 + int err;
3182 +
3183 + BT_DBG("sock %p, sk %p", sock, sk);
3184 +@@ -727,24 +720,21 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg,
3185 + if (msg->msg_flags & MSG_OOB)
3186 + return -EOPNOTSUPP;
3187 +
3188 +- buf = kmalloc(len, GFP_KERNEL);
3189 +- if (!buf)
3190 +- return -ENOMEM;
3191 +-
3192 +- if (memcpy_from_msg(buf, msg, len)) {
3193 +- kfree(buf);
3194 +- return -EFAULT;
3195 +- }
3196 ++ skb = bt_skb_sendmsg(sk, msg, len, len, 0, 0);
3197 ++ if (IS_ERR(skb))
3198 ++ return PTR_ERR(skb);
3199 +
3200 + lock_sock(sk);
3201 +
3202 + if (sk->sk_state == BT_CONNECTED)
3203 +- err = sco_send_frame(sk, buf, len, msg->msg_flags);
3204 ++ err = sco_send_frame(sk, skb);
3205 + else
3206 + err = -ENOTCONN;
3207 +
3208 + release_sock(sk);
3209 +- kfree(buf);
3210 ++
3211 ++ if (err < 0)
3212 ++ kfree_skb(skb);
3213 + return err;
3214 + }
3215 +
3216 +diff --git a/net/core/filter.c b/net/core/filter.c
3217 +index 75f53b5e63893..72bf78032f458 100644
3218 +--- a/net/core/filter.c
3219 ++++ b/net/core/filter.c
3220 +@@ -5839,7 +5839,7 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len
3221 + if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN)
3222 + return -EINVAL;
3223 +
3224 +- if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies)
3225 ++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies))
3226 + return -EINVAL;
3227 +
3228 + if (!th->ack || th->rst || th->syn)
3229 +@@ -5914,7 +5914,7 @@ BPF_CALL_5(bpf_tcp_gen_syncookie, struct sock *, sk, void *, iph, u32, iph_len,
3230 + if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN)
3231 + return -EINVAL;
3232 +
3233 +- if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies)
3234 ++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies))
3235 + return -ENOENT;
3236 +
3237 + if (!th->syn || th->ack || th->fin || th->rst)
3238 +diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
3239 +index a1867c65ac632..6d86506e315f3 100644
3240 +--- a/net/core/secure_seq.c
3241 ++++ b/net/core/secure_seq.c
3242 +@@ -65,7 +65,7 @@ u32 secure_tcpv6_ts_off(const struct net *net,
3243 + .daddr = *(struct in6_addr *)daddr,
3244 + };
3245 +
3246 +- if (net->ipv4.sysctl_tcp_timestamps != 1)
3247 ++ if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1)
3248 + return 0;
3249 +
3250 + ts_secret_init();
3251 +@@ -121,7 +121,7 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
3252 + #ifdef CONFIG_INET
3253 + u32 secure_tcp_ts_off(const struct net *net, __be32 saddr, __be32 daddr)
3254 + {
3255 +- if (net->ipv4.sysctl_tcp_timestamps != 1)
3256 ++ if (READ_ONCE(net->ipv4.sysctl_tcp_timestamps) != 1)
3257 + return 0;
3258 +
3259 + ts_secret_init();
3260 +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
3261 +index 9ab73fcc7411c..d61ca7be6eda6 100644
3262 +--- a/net/ipv4/af_inet.c
3263 ++++ b/net/ipv4/af_inet.c
3264 +@@ -219,7 +219,7 @@ int inet_listen(struct socket *sock, int backlog)
3265 + * because the socket was in TCP_LISTEN state previously but
3266 + * was shutdown() rather than close().
3267 + */
3268 +- tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
3269 ++ tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen);
3270 + if ((tcp_fastopen & TFO_SERVER_WO_SOCKOPT1) &&
3271 + (tcp_fastopen & TFO_SERVER_ENABLE) &&
3272 + !inet_csk(sk)->icsk_accept_queue.fastopenq.max_qlen) {
3273 +@@ -337,7 +337,7 @@ lookup_protocol:
3274 + inet->hdrincl = 1;
3275 + }
3276 +
3277 +- if (net->ipv4.sysctl_ip_no_pmtu_disc)
3278 ++ if (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc))
3279 + inet->pmtudisc = IP_PMTUDISC_DONT;
3280 + else
3281 + inet->pmtudisc = IP_PMTUDISC_WANT;
3282 +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
3283 +index 16fe034615635..28da0443f3e9e 100644
3284 +--- a/net/ipv4/fib_semantics.c
3285 ++++ b/net/ipv4/fib_semantics.c
3286 +@@ -2209,7 +2209,7 @@ void fib_select_multipath(struct fib_result *res, int hash)
3287 + }
3288 +
3289 + change_nexthops(fi) {
3290 +- if (net->ipv4.sysctl_fib_multipath_use_neigh) {
3291 ++ if (READ_ONCE(net->ipv4.sysctl_fib_multipath_use_neigh)) {
3292 + if (!fib_good_nh(nexthop_nh))
3293 + continue;
3294 + if (!first) {
3295 +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
3296 +index 9bc01411be4cc..b44f51e404aee 100644
3297 +--- a/net/ipv4/icmp.c
3298 ++++ b/net/ipv4/icmp.c
3299 +@@ -886,7 +886,7 @@ static bool icmp_unreach(struct sk_buff *skb)
3300 + * values please see
3301 + * Documentation/networking/ip-sysctl.txt
3302 + */
3303 +- switch (net->ipv4.sysctl_ip_no_pmtu_disc) {
3304 ++ switch (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc)) {
3305 + default:
3306 + net_dbg_ratelimited("%pI4: fragmentation needed and DF set\n",
3307 + &iph->daddr);
3308 +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
3309 +index cac2fdd08df05..660b41040c771 100644
3310 +--- a/net/ipv4/igmp.c
3311 ++++ b/net/ipv4/igmp.c
3312 +@@ -469,7 +469,8 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
3313 +
3314 + if (pmc->multiaddr == IGMP_ALL_HOSTS)
3315 + return skb;
3316 +- if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports)
3317 ++ if (ipv4_is_local_multicast(pmc->multiaddr) &&
3318 ++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
3319 + return skb;
3320 +
3321 + mtu = READ_ONCE(dev->mtu);
3322 +@@ -595,7 +596,7 @@ static int igmpv3_send_report(struct in_device *in_dev, struct ip_mc_list *pmc)
3323 + if (pmc->multiaddr == IGMP_ALL_HOSTS)
3324 + continue;
3325 + if (ipv4_is_local_multicast(pmc->multiaddr) &&
3326 +- !net->ipv4.sysctl_igmp_llm_reports)
3327 ++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
3328 + continue;
3329 + spin_lock_bh(&pmc->lock);
3330 + if (pmc->sfcount[MCAST_EXCLUDE])
3331 +@@ -738,7 +739,8 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
3332 + if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
3333 + return igmpv3_send_report(in_dev, pmc);
3334 +
3335 +- if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports)
3336 ++ if (ipv4_is_local_multicast(group) &&
3337 ++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
3338 + return 0;
3339 +
3340 + if (type == IGMP_HOST_LEAVE_MESSAGE)
3341 +@@ -922,7 +924,8 @@ static bool igmp_heard_report(struct in_device *in_dev, __be32 group)
3342 +
3343 + if (group == IGMP_ALL_HOSTS)
3344 + return false;
3345 +- if (ipv4_is_local_multicast(group) && !net->ipv4.sysctl_igmp_llm_reports)
3346 ++ if (ipv4_is_local_multicast(group) &&
3347 ++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
3348 + return false;
3349 +
3350 + rcu_read_lock();
3351 +@@ -1047,7 +1050,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
3352 + if (im->multiaddr == IGMP_ALL_HOSTS)
3353 + continue;
3354 + if (ipv4_is_local_multicast(im->multiaddr) &&
3355 +- !net->ipv4.sysctl_igmp_llm_reports)
3356 ++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
3357 + continue;
3358 + spin_lock_bh(&im->lock);
3359 + if (im->tm_running)
3360 +@@ -1298,7 +1301,8 @@ static void __igmp_group_dropped(struct ip_mc_list *im, gfp_t gfp)
3361 + #ifdef CONFIG_IP_MULTICAST
3362 + if (im->multiaddr == IGMP_ALL_HOSTS)
3363 + return;
3364 +- if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports)
3365 ++ if (ipv4_is_local_multicast(im->multiaddr) &&
3366 ++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
3367 + return;
3368 +
3369 + reporter = im->reporter;
3370 +@@ -1340,7 +1344,8 @@ static void igmp_group_added(struct ip_mc_list *im)
3371 + #ifdef CONFIG_IP_MULTICAST
3372 + if (im->multiaddr == IGMP_ALL_HOSTS)
3373 + return;
3374 +- if (ipv4_is_local_multicast(im->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports)
3375 ++ if (ipv4_is_local_multicast(im->multiaddr) &&
3376 ++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
3377 + return;
3378 +
3379 + if (in_dev->dead)
3380 +@@ -1644,7 +1649,7 @@ static void ip_mc_rejoin_groups(struct in_device *in_dev)
3381 + if (im->multiaddr == IGMP_ALL_HOSTS)
3382 + continue;
3383 + if (ipv4_is_local_multicast(im->multiaddr) &&
3384 +- !net->ipv4.sysctl_igmp_llm_reports)
3385 ++ !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports))
3386 + continue;
3387 +
3388 + /* a failover is happening and switches
3389 +@@ -2194,7 +2199,7 @@ static int __ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr,
3390 + count++;
3391 + }
3392 + err = -ENOBUFS;
3393 +- if (count >= net->ipv4.sysctl_igmp_max_memberships)
3394 ++ if (count >= READ_ONCE(net->ipv4.sysctl_igmp_max_memberships))
3395 + goto done;
3396 + iml = sock_kmalloc(sk, sizeof(*iml), GFP_KERNEL);
3397 + if (!iml)
3398 +diff --git a/net/ipv4/route.c b/net/ipv4/route.c
3399 +index 9280e50871596..7004e379c325f 100644
3400 +--- a/net/ipv4/route.c
3401 ++++ b/net/ipv4/route.c
3402 +@@ -1423,7 +1423,7 @@ u32 ip_mtu_from_fib_result(struct fib_result *res, __be32 daddr)
3403 + struct fib_info *fi = res->fi;
3404 + u32 mtu = 0;
3405 +
3406 +- if (dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu ||
3407 ++ if (READ_ONCE(dev_net(dev)->ipv4.sysctl_ip_fwd_use_pmtu) ||
3408 + fi->fib_metrics->metrics[RTAX_LOCK - 1] & (1 << RTAX_MTU))
3409 + mtu = fi->fib_mtu;
3410 +
3411 +diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
3412 +index 6811174ad5189..3f6c9514c7a93 100644
3413 +--- a/net/ipv4/syncookies.c
3414 ++++ b/net/ipv4/syncookies.c
3415 +@@ -243,12 +243,12 @@ bool cookie_timestamp_decode(const struct net *net,
3416 + return true;
3417 + }
3418 +
3419 +- if (!net->ipv4.sysctl_tcp_timestamps)
3420 ++ if (!READ_ONCE(net->ipv4.sysctl_tcp_timestamps))
3421 + return false;
3422 +
3423 + tcp_opt->sack_ok = (options & TS_OPT_SACK) ? TCP_SACK_SEEN : 0;
3424 +
3425 +- if (tcp_opt->sack_ok && !net->ipv4.sysctl_tcp_sack)
3426 ++ if (tcp_opt->sack_ok && !READ_ONCE(net->ipv4.sysctl_tcp_sack))
3427 + return false;
3428 +
3429 + if ((options & TS_OPT_WSCALE_MASK) == TS_OPT_WSCALE_MASK)
3430 +@@ -257,7 +257,7 @@ bool cookie_timestamp_decode(const struct net *net,
3431 + tcp_opt->wscale_ok = 1;
3432 + tcp_opt->snd_wscale = options & TS_OPT_WSCALE_MASK;
3433 +
3434 +- return net->ipv4.sysctl_tcp_window_scaling != 0;
3435 ++ return READ_ONCE(net->ipv4.sysctl_tcp_window_scaling) != 0;
3436 + }
3437 + EXPORT_SYMBOL(cookie_timestamp_decode);
3438 +
3439 +@@ -297,7 +297,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
3440 + struct flowi4 fl4;
3441 + u32 tsoff = 0;
3442 +
3443 +- if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst)
3444 ++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) ||
3445 ++ !th->ack || th->rst)
3446 + goto out;
3447 +
3448 + if (tcp_synq_no_recent_overflow(sk))
3449 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
3450 +index 4815cf72569e0..4b31f6e9ec61f 100644
3451 +--- a/net/ipv4/tcp.c
3452 ++++ b/net/ipv4/tcp.c
3453 +@@ -437,7 +437,7 @@ void tcp_init_sock(struct sock *sk)
3454 + tp->snd_cwnd_clamp = ~0;
3455 + tp->mss_cache = TCP_MSS_DEFAULT;
3456 +
3457 +- tp->reordering = sock_net(sk)->ipv4.sysctl_tcp_reordering;
3458 ++ tp->reordering = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering);
3459 + tcp_assign_congestion_control(sk);
3460 +
3461 + tp->tsoffset = 0;
3462 +@@ -1148,7 +1148,8 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
3463 + struct sockaddr *uaddr = msg->msg_name;
3464 + int err, flags;
3465 +
3466 +- if (!(sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) ||
3467 ++ if (!(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) &
3468 ++ TFO_CLIENT_ENABLE) ||
3469 + (uaddr && msg->msg_namelen >= sizeof(uaddr->sa_family) &&
3470 + uaddr->sa_family == AF_UNSPEC))
3471 + return -EOPNOTSUPP;
3472 +@@ -3127,7 +3128,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
3473 + case TCP_FASTOPEN_CONNECT:
3474 + if (val > 1 || val < 0) {
3475 + err = -EINVAL;
3476 +- } else if (net->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) {
3477 ++ } else if (READ_ONCE(net->ipv4.sysctl_tcp_fastopen) &
3478 ++ TFO_CLIENT_ENABLE) {
3479 + if (sk->sk_state == TCP_CLOSE)
3480 + tp->fastopen_connect = val;
3481 + else
3482 +@@ -3466,7 +3468,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
3483 + case TCP_LINGER2:
3484 + val = tp->linger2;
3485 + if (val >= 0)
3486 +- val = (val ? : net->ipv4.sysctl_tcp_fin_timeout) / HZ;
3487 ++ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
3488 + break;
3489 + case TCP_DEFER_ACCEPT:
3490 + val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
3491 +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
3492 +index a5ec77a5ad6f5..21705b2ddaffa 100644
3493 +--- a/net/ipv4/tcp_fastopen.c
3494 ++++ b/net/ipv4/tcp_fastopen.c
3495 +@@ -349,7 +349,7 @@ static bool tcp_fastopen_no_cookie(const struct sock *sk,
3496 + const struct dst_entry *dst,
3497 + int flag)
3498 + {
3499 +- return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) ||
3500 ++ return (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & flag) ||
3501 + tcp_sk(sk)->fastopen_no_cookie ||
3502 + (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE));
3503 + }
3504 +@@ -364,7 +364,7 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
3505 + const struct dst_entry *dst)
3506 + {
3507 + bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
3508 +- int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
3509 ++ int tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen);
3510 + struct tcp_fastopen_cookie valid_foc = { .len = -1 };
3511 + struct sock *child;
3512 + int ret = 0;
3513 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
3514 +index 0808110451a0f..c151c4dd4ae63 100644
3515 +--- a/net/ipv4/tcp_input.c
3516 ++++ b/net/ipv4/tcp_input.c
3517 +@@ -905,7 +905,7 @@ static void tcp_check_sack_reordering(struct sock *sk, const u32 low_seq,
3518 + tp->undo_marker ? tp->undo_retrans : 0);
3519 + #endif
3520 + tp->reordering = min_t(u32, (metric + mss - 1) / mss,
3521 +- sock_net(sk)->ipv4.sysctl_tcp_max_reordering);
3522 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering));
3523 + }
3524 +
3525 + /* This exciting event is worth to be remembered. 8) */
3526 +@@ -1886,7 +1886,7 @@ static void tcp_check_reno_reordering(struct sock *sk, const int addend)
3527 + return;
3528 +
3529 + tp->reordering = min_t(u32, tp->packets_out + addend,
3530 +- sock_net(sk)->ipv4.sysctl_tcp_max_reordering);
3531 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_max_reordering));
3532 + tp->reord_seen++;
3533 + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPRENOREORDER);
3534 + }
3535 +@@ -1950,7 +1950,8 @@ static inline void tcp_init_undo(struct tcp_sock *tp)
3536 +
3537 + static bool tcp_is_rack(const struct sock *sk)
3538 + {
3539 +- return sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_LOSS_DETECTION;
3540 ++ return READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) &
3541 ++ TCP_RACK_LOSS_DETECTION;
3542 + }
3543 +
3544 + /* If we detect SACK reneging, forget all SACK information
3545 +@@ -1994,6 +1995,7 @@ void tcp_enter_loss(struct sock *sk)
3546 + struct tcp_sock *tp = tcp_sk(sk);
3547 + struct net *net = sock_net(sk);
3548 + bool new_recovery = icsk->icsk_ca_state < TCP_CA_Recovery;
3549 ++ u8 reordering;
3550 +
3551 + tcp_timeout_mark_lost(sk);
3552 +
3553 +@@ -2014,10 +2016,12 @@ void tcp_enter_loss(struct sock *sk)
3554 + /* Timeout in disordered state after receiving substantial DUPACKs
3555 + * suggests that the degree of reordering is over-estimated.
3556 + */
3557 ++ reordering = READ_ONCE(net->ipv4.sysctl_tcp_reordering);
3558 + if (icsk->icsk_ca_state <= TCP_CA_Disorder &&
3559 +- tp->sacked_out >= net->ipv4.sysctl_tcp_reordering)
3560 ++ tp->sacked_out >= reordering)
3561 + tp->reordering = min_t(unsigned int, tp->reordering,
3562 +- net->ipv4.sysctl_tcp_reordering);
3563 ++ reordering);
3564 ++
3565 + tcp_set_ca_state(sk, TCP_CA_Loss);
3566 + tp->high_seq = tp->snd_nxt;
3567 + tcp_ecn_queue_cwr(tp);
3568 +@@ -3319,7 +3323,8 @@ static inline bool tcp_may_raise_cwnd(const struct sock *sk, const int flag)
3569 + * new SACK or ECE mark may first advance cwnd here and later reduce
3570 + * cwnd in tcp_fastretrans_alert() based on more states.
3571 + */
3572 +- if (tcp_sk(sk)->reordering > sock_net(sk)->ipv4.sysctl_tcp_reordering)
3573 ++ if (tcp_sk(sk)->reordering >
3574 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reordering))
3575 + return flag & FLAG_FORWARD_PROGRESS;
3576 +
3577 + return flag & FLAG_DATA_ACKED;
3578 +@@ -3902,7 +3907,7 @@ void tcp_parse_options(const struct net *net,
3579 + break;
3580 + case TCPOPT_WINDOW:
3581 + if (opsize == TCPOLEN_WINDOW && th->syn &&
3582 +- !estab && net->ipv4.sysctl_tcp_window_scaling) {
3583 ++ !estab && READ_ONCE(net->ipv4.sysctl_tcp_window_scaling)) {
3584 + __u8 snd_wscale = *(__u8 *)ptr;
3585 + opt_rx->wscale_ok = 1;
3586 + if (snd_wscale > TCP_MAX_WSCALE) {
3587 +@@ -3918,7 +3923,7 @@ void tcp_parse_options(const struct net *net,
3588 + case TCPOPT_TIMESTAMP:
3589 + if ((opsize == TCPOLEN_TIMESTAMP) &&
3590 + ((estab && opt_rx->tstamp_ok) ||
3591 +- (!estab && net->ipv4.sysctl_tcp_timestamps))) {
3592 ++ (!estab && READ_ONCE(net->ipv4.sysctl_tcp_timestamps)))) {
3593 + opt_rx->saw_tstamp = 1;
3594 + opt_rx->rcv_tsval = get_unaligned_be32(ptr);
3595 + opt_rx->rcv_tsecr = get_unaligned_be32(ptr + 4);
3596 +@@ -3926,7 +3931,7 @@ void tcp_parse_options(const struct net *net,
3597 + break;
3598 + case TCPOPT_SACK_PERM:
3599 + if (opsize == TCPOLEN_SACK_PERM && th->syn &&
3600 +- !estab && net->ipv4.sysctl_tcp_sack) {
3601 ++ !estab && READ_ONCE(net->ipv4.sysctl_tcp_sack)) {
3602 + opt_rx->sack_ok = TCP_SACK_SEEN;
3603 + tcp_sack_reset(opt_rx);
3604 + }
3605 +@@ -5351,7 +5356,7 @@ static void tcp_check_urg(struct sock *sk, const struct tcphdr *th)
3606 + struct tcp_sock *tp = tcp_sk(sk);
3607 + u32 ptr = ntohs(th->urg_ptr);
3608 +
3609 +- if (ptr && !sock_net(sk)->ipv4.sysctl_tcp_stdurg)
3610 ++ if (ptr && !READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_stdurg))
3611 + ptr--;
3612 + ptr += ntohl(th->seq);
3613 +
3614 +@@ -6530,11 +6535,14 @@ static bool tcp_syn_flood_action(const struct sock *sk, const char *proto)
3615 + {
3616 + struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
3617 + const char *msg = "Dropping request";
3618 +- bool want_cookie = false;
3619 + struct net *net = sock_net(sk);
3620 ++ bool want_cookie = false;
3621 ++ u8 syncookies;
3622 ++
3623 ++ syncookies = READ_ONCE(net->ipv4.sysctl_tcp_syncookies);
3624 +
3625 + #ifdef CONFIG_SYN_COOKIES
3626 +- if (net->ipv4.sysctl_tcp_syncookies) {
3627 ++ if (syncookies) {
3628 + msg = "Sending cookies";
3629 + want_cookie = true;
3630 + __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPREQQFULLDOCOOKIES);
3631 +@@ -6542,8 +6550,7 @@ static bool tcp_syn_flood_action(const struct sock *sk, const char *proto)
3632 + #endif
3633 + __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);
3634 +
3635 +- if (!queue->synflood_warned &&
3636 +- net->ipv4.sysctl_tcp_syncookies != 2 &&
3637 ++ if (!queue->synflood_warned && syncookies != 2 &&
3638 + xchg(&queue->synflood_warned, 1) == 0)
3639 + net_info_ratelimited("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n",
3640 + proto, sk->sk_num, msg);
3641 +@@ -6578,7 +6585,7 @@ u16 tcp_get_syncookie_mss(struct request_sock_ops *rsk_ops,
3642 + struct tcp_sock *tp = tcp_sk(sk);
3643 + u16 mss;
3644 +
3645 +- if (sock_net(sk)->ipv4.sysctl_tcp_syncookies != 2 &&
3646 ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) != 2 &&
3647 + !inet_csk_reqsk_queue_is_full(sk))
3648 + return 0;
3649 +
3650 +@@ -6612,13 +6619,15 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
3651 + bool want_cookie = false;
3652 + struct dst_entry *dst;
3653 + struct flowi fl;
3654 ++ u8 syncookies;
3655 ++
3656 ++ syncookies = READ_ONCE(net->ipv4.sysctl_tcp_syncookies);
3657 +
3658 + /* TW buckets are converted to open requests without
3659 + * limitations, they conserve resources and peer is
3660 + * evidently real one.
3661 + */
3662 +- if ((net->ipv4.sysctl_tcp_syncookies == 2 ||
3663 +- inet_csk_reqsk_queue_is_full(sk)) && !isn) {
3664 ++ if ((syncookies == 2 || inet_csk_reqsk_queue_is_full(sk)) && !isn) {
3665 + want_cookie = tcp_syn_flood_action(sk, rsk_ops->slab_name);
3666 + if (!want_cookie)
3667 + goto drop;
3668 +@@ -6668,10 +6677,12 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
3669 + goto drop_and_free;
3670 +
3671 + if (!want_cookie && !isn) {
3672 ++ int max_syn_backlog = READ_ONCE(net->ipv4.sysctl_max_syn_backlog);
3673 ++
3674 + /* Kill the following clause, if you dislike this way. */
3675 +- if (!net->ipv4.sysctl_tcp_syncookies &&
3676 +- (net->ipv4.sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) <
3677 +- (net->ipv4.sysctl_max_syn_backlog >> 2)) &&
3678 ++ if (!syncookies &&
3679 ++ (max_syn_backlog - inet_csk_reqsk_queue_len(sk) <
3680 ++ (max_syn_backlog >> 2)) &&
3681 + !tcp_peer_is_proven(req, dst)) {
3682 + /* Without syncookies last quarter of
3683 + * backlog is filled with destinations,
3684 +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
3685 +index 72fe93ace7d73..b95e1a3487c8b 100644
3686 +--- a/net/ipv4/tcp_ipv4.c
3687 ++++ b/net/ipv4/tcp_ipv4.c
3688 +@@ -105,10 +105,10 @@ static u32 tcp_v4_init_ts_off(const struct net *net, const struct sk_buff *skb)
3689 +
3690 + int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
3691 + {
3692 ++ int reuse = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_tw_reuse);
3693 + const struct inet_timewait_sock *tw = inet_twsk(sktw);
3694 + const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw);
3695 + struct tcp_sock *tp = tcp_sk(sk);
3696 +- int reuse = sock_net(sk)->ipv4.sysctl_tcp_tw_reuse;
3697 +
3698 + if (reuse == 2) {
3699 + /* Still does not detect *everything* that goes through
3700 +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
3701 +index c4848e7a0aad1..9a7d8a5998578 100644
3702 +--- a/net/ipv4/tcp_metrics.c
3703 ++++ b/net/ipv4/tcp_metrics.c
3704 +@@ -425,7 +425,8 @@ void tcp_update_metrics(struct sock *sk)
3705 + if (!tcp_metric_locked(tm, TCP_METRIC_REORDERING)) {
3706 + val = tcp_metric_get(tm, TCP_METRIC_REORDERING);
3707 + if (val < tp->reordering &&
3708 +- tp->reordering != net->ipv4.sysctl_tcp_reordering)
3709 ++ tp->reordering !=
3710 ++ READ_ONCE(net->ipv4.sysctl_tcp_reordering))
3711 + tcp_metric_set(tm, TCP_METRIC_REORDERING,
3712 + tp->reordering);
3713 + }
3714 +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
3715 +index 9b038cb0a43d2..324f43fadb37a 100644
3716 +--- a/net/ipv4/tcp_minisocks.c
3717 ++++ b/net/ipv4/tcp_minisocks.c
3718 +@@ -180,7 +180,7 @@ tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb,
3719 + * Oh well... nobody has a sufficient solution to this
3720 + * protocol bug yet.
3721 + */
3722 +- if (twsk_net(tw)->ipv4.sysctl_tcp_rfc1337 == 0) {
3723 ++ if (!READ_ONCE(twsk_net(tw)->ipv4.sysctl_tcp_rfc1337)) {
3724 + kill:
3725 + inet_twsk_deschedule_put(tw);
3726 + return TCP_TW_SUCCESS;
3727 +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
3728 +index 739fc69cdcc62..97f29ece38000 100644
3729 +--- a/net/ipv4/tcp_output.c
3730 ++++ b/net/ipv4/tcp_output.c
3731 +@@ -620,18 +620,18 @@ static unsigned int tcp_syn_options(struct sock *sk, struct sk_buff *skb,
3732 + opts->mss = tcp_advertise_mss(sk);
3733 + remaining -= TCPOLEN_MSS_ALIGNED;
3734 +
3735 +- if (likely(sock_net(sk)->ipv4.sysctl_tcp_timestamps && !*md5)) {
3736 ++ if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps) && !*md5)) {
3737 + opts->options |= OPTION_TS;
3738 + opts->tsval = tcp_skb_timestamp(skb) + tp->tsoffset;
3739 + opts->tsecr = tp->rx_opt.ts_recent;
3740 + remaining -= TCPOLEN_TSTAMP_ALIGNED;
3741 + }
3742 +- if (likely(sock_net(sk)->ipv4.sysctl_tcp_window_scaling)) {
3743 ++ if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling))) {
3744 + opts->ws = tp->rx_opt.rcv_wscale;
3745 + opts->options |= OPTION_WSCALE;
3746 + remaining -= TCPOLEN_WSCALE_ALIGNED;
3747 + }
3748 +- if (likely(sock_net(sk)->ipv4.sysctl_tcp_sack)) {
3749 ++ if (likely(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_sack))) {
3750 + opts->options |= OPTION_SACK_ADVERTISE;
3751 + if (unlikely(!(OPTION_TS & opts->options)))
3752 + remaining -= TCPOLEN_SACKPERM_ALIGNED;
3753 +@@ -1494,7 +1494,8 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu)
3754 + mss_now -= icsk->icsk_ext_hdr_len;
3755 +
3756 + /* Then reserve room for full set of TCP options and 8 bytes of data */
3757 +- mss_now = max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss);
3758 ++ mss_now = max(mss_now,
3759 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss));
3760 + return mss_now;
3761 + }
3762 +
3763 +@@ -1537,10 +1538,10 @@ void tcp_mtup_init(struct sock *sk)
3764 + struct inet_connection_sock *icsk = inet_csk(sk);
3765 + struct net *net = sock_net(sk);
3766 +
3767 +- icsk->icsk_mtup.enabled = net->ipv4.sysctl_tcp_mtu_probing > 1;
3768 ++ icsk->icsk_mtup.enabled = READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing) > 1;
3769 + icsk->icsk_mtup.search_high = tp->rx_opt.mss_clamp + sizeof(struct tcphdr) +
3770 + icsk->icsk_af_ops->net_header_len;
3771 +- icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, net->ipv4.sysctl_tcp_base_mss);
3772 ++ icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, READ_ONCE(net->ipv4.sysctl_tcp_base_mss));
3773 + icsk->icsk_mtup.probe_size = 0;
3774 + if (icsk->icsk_mtup.enabled)
3775 + icsk->icsk_mtup.probe_timestamp = tcp_jiffies32;
3776 +@@ -1672,7 +1673,7 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited)
3777 + if (tp->packets_out > tp->snd_cwnd_used)
3778 + tp->snd_cwnd_used = tp->packets_out;
3779 +
3780 +- if (sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle &&
3781 ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_slow_start_after_idle) &&
3782 + (s32)(tcp_jiffies32 - tp->snd_cwnd_stamp) >= inet_csk(sk)->icsk_rto &&
3783 + !ca_ops->cong_control)
3784 + tcp_cwnd_application_limited(sk);
3785 +@@ -2051,7 +2052,7 @@ static inline void tcp_mtu_check_reprobe(struct sock *sk)
3786 + u32 interval;
3787 + s32 delta;
3788 +
3789 +- interval = net->ipv4.sysctl_tcp_probe_interval;
3790 ++ interval = READ_ONCE(net->ipv4.sysctl_tcp_probe_interval);
3791 + delta = tcp_jiffies32 - icsk->icsk_mtup.probe_timestamp;
3792 + if (unlikely(delta >= interval * HZ)) {
3793 + int mss = tcp_current_mss(sk);
3794 +@@ -2133,7 +2134,7 @@ static int tcp_mtu_probe(struct sock *sk)
3795 + * probing process by not resetting search range to its orignal.
3796 + */
3797 + if (probe_size > tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_high) ||
3798 +- interval < net->ipv4.sysctl_tcp_probe_threshold) {
3799 ++ interval < READ_ONCE(net->ipv4.sysctl_tcp_probe_threshold)) {
3800 + /* Check whether enough time has elaplased for
3801 + * another round of probing.
3802 + */
3803 +@@ -2508,7 +2509,7 @@ bool tcp_schedule_loss_probe(struct sock *sk, bool advancing_rto)
3804 + if (rcu_access_pointer(tp->fastopen_rsk))
3805 + return false;
3806 +
3807 +- early_retrans = sock_net(sk)->ipv4.sysctl_tcp_early_retrans;
3808 ++ early_retrans = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_early_retrans);
3809 + /* Schedule a loss probe in 2*RTT for SACK capable connections
3810 + * not in loss recovery, that are either limited by cwnd or application.
3811 + */
3812 +@@ -2870,7 +2871,7 @@ static void tcp_retrans_try_collapse(struct sock *sk, struct sk_buff *to,
3813 + struct sk_buff *skb = to, *tmp;
3814 + bool first = true;
3815 +
3816 +- if (!sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse)
3817 ++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retrans_collapse))
3818 + return;
3819 + if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_SYN)
3820 + return;
3821 +@@ -3406,7 +3407,7 @@ static void tcp_connect_init(struct sock *sk)
3822 + * See tcp_input.c:tcp_rcv_state_process case TCP_SYN_SENT.
3823 + */
3824 + tp->tcp_header_len = sizeof(struct tcphdr);
3825 +- if (sock_net(sk)->ipv4.sysctl_tcp_timestamps)
3826 ++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_timestamps))
3827 + tp->tcp_header_len += TCPOLEN_TSTAMP_ALIGNED;
3828 +
3829 + #ifdef CONFIG_TCP_MD5SIG
3830 +@@ -3442,7 +3443,7 @@ static void tcp_connect_init(struct sock *sk)
3831 + tp->advmss - (tp->rx_opt.ts_recent_stamp ? tp->tcp_header_len - sizeof(struct tcphdr) : 0),
3832 + &tp->rcv_wnd,
3833 + &tp->window_clamp,
3834 +- sock_net(sk)->ipv4.sysctl_tcp_window_scaling,
3835 ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_window_scaling),
3836 + &rcv_wscale,
3837 + rcv_wnd);
3838 +
3839 +@@ -3846,7 +3847,7 @@ void tcp_send_probe0(struct sock *sk)
3840 +
3841 + icsk->icsk_probes_out++;
3842 + if (err <= 0) {
3843 +- if (icsk->icsk_backoff < net->ipv4.sysctl_tcp_retries2)
3844 ++ if (icsk->icsk_backoff < READ_ONCE(net->ipv4.sysctl_tcp_retries2))
3845 + icsk->icsk_backoff++;
3846 + timeout = tcp_probe0_when(sk, TCP_RTO_MAX);
3847 + } else {
3848 +diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c
3849 +index 8757bb6cb1d93..22ec8dcc1428a 100644
3850 +--- a/net/ipv4/tcp_recovery.c
3851 ++++ b/net/ipv4/tcp_recovery.c
3852 +@@ -33,7 +33,8 @@ static u32 tcp_rack_reo_wnd(const struct sock *sk)
3853 + return 0;
3854 +
3855 + if (tp->sacked_out >= tp->reordering &&
3856 +- !(sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_NO_DUPTHRESH))
3857 ++ !(READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) &
3858 ++ TCP_RACK_NO_DUPTHRESH))
3859 + return 0;
3860 + }
3861 +
3862 +@@ -204,7 +205,8 @@ void tcp_rack_update_reo_wnd(struct sock *sk, struct rate_sample *rs)
3863 + {
3864 + struct tcp_sock *tp = tcp_sk(sk);
3865 +
3866 +- if (sock_net(sk)->ipv4.sysctl_tcp_recovery & TCP_RACK_STATIC_REO_WND ||
3867 ++ if ((READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_recovery) &
3868 ++ TCP_RACK_STATIC_REO_WND) ||
3869 + !rs->prior_delivered)
3870 + return;
3871 +
3872 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
3873 +index fa2ae96ecdc40..a0107eb02ae4c 100644
3874 +--- a/net/ipv4/tcp_timer.c
3875 ++++ b/net/ipv4/tcp_timer.c
3876 +@@ -143,7 +143,7 @@ static int tcp_out_of_resources(struct sock *sk, bool do_reset)
3877 + */
3878 + static int tcp_orphan_retries(struct sock *sk, bool alive)
3879 + {
3880 +- int retries = sock_net(sk)->ipv4.sysctl_tcp_orphan_retries; /* May be zero. */
3881 ++ int retries = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_orphan_retries); /* May be zero. */
3882 +
3883 + /* We know from an ICMP that something is wrong. */
3884 + if (sk->sk_err_soft && !alive)
3885 +@@ -163,7 +163,7 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk)
3886 + int mss;
3887 +
3888 + /* Black hole detection */
3889 +- if (!net->ipv4.sysctl_tcp_mtu_probing)
3890 ++ if (!READ_ONCE(net->ipv4.sysctl_tcp_mtu_probing))
3891 + return;
3892 +
3893 + if (!icsk->icsk_mtup.enabled) {
3894 +@@ -171,9 +171,9 @@ static void tcp_mtu_probing(struct inet_connection_sock *icsk, struct sock *sk)
3895 + icsk->icsk_mtup.probe_timestamp = tcp_jiffies32;
3896 + } else {
3897 + mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1;
3898 +- mss = min(net->ipv4.sysctl_tcp_base_mss, mss);
3899 +- mss = max(mss, net->ipv4.sysctl_tcp_mtu_probe_floor);
3900 +- mss = max(mss, net->ipv4.sysctl_tcp_min_snd_mss);
3901 ++ mss = min(READ_ONCE(net->ipv4.sysctl_tcp_base_mss), mss);
3902 ++ mss = max(mss, READ_ONCE(net->ipv4.sysctl_tcp_mtu_probe_floor));
3903 ++ mss = max(mss, READ_ONCE(net->ipv4.sysctl_tcp_min_snd_mss));
3904 + icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss);
3905 + }
3906 + tcp_sync_mss(sk, icsk->icsk_pmtu_cookie);
3907 +@@ -245,7 +245,7 @@ static int tcp_write_timeout(struct sock *sk)
3908 + retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
3909 + expired = icsk->icsk_retransmits >= retry_until;
3910 + } else {
3911 +- if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1, 0)) {
3912 ++ if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1), 0)) {
3913 + /* Black hole detection */
3914 + tcp_mtu_probing(icsk, sk);
3915 +
3916 +@@ -254,7 +254,7 @@ static int tcp_write_timeout(struct sock *sk)
3917 + sk_rethink_txhash(sk);
3918 + }
3919 +
3920 +- retry_until = net->ipv4.sysctl_tcp_retries2;
3921 ++ retry_until = READ_ONCE(net->ipv4.sysctl_tcp_retries2);
3922 + if (sock_flag(sk, SOCK_DEAD)) {
3923 + const bool alive = icsk->icsk_rto < TCP_RTO_MAX;
3924 +
3925 +@@ -381,7 +381,7 @@ static void tcp_probe_timer(struct sock *sk)
3926 + msecs_to_jiffies(icsk->icsk_user_timeout))
3927 + goto abort;
3928 +
3929 +- max_probes = sock_net(sk)->ipv4.sysctl_tcp_retries2;
3930 ++ max_probes = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_retries2);
3931 + if (sock_flag(sk, SOCK_DEAD)) {
3932 + const bool alive = inet_csk_rto_backoff(icsk, TCP_RTO_MAX) < TCP_RTO_MAX;
3933 +
3934 +@@ -569,7 +569,7 @@ out_reset_timer:
3935 + * linear-timeout retransmissions into a black hole
3936 + */
3937 + if (sk->sk_state == TCP_ESTABLISHED &&
3938 +- (tp->thin_lto || net->ipv4.sysctl_tcp_thin_linear_timeouts) &&
3939 ++ (tp->thin_lto || READ_ONCE(net->ipv4.sysctl_tcp_thin_linear_timeouts)) &&
3940 + tcp_stream_is_thin(tp) &&
3941 + icsk->icsk_retransmits <= TCP_THIN_LINEAR_RETRIES) {
3942 + icsk->icsk_backoff = 0;
3943 +@@ -580,7 +580,7 @@ out_reset_timer:
3944 + }
3945 + inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
3946 + tcp_clamp_rto_to_user_timeout(sk), TCP_RTO_MAX);
3947 +- if (retransmits_timed_out(sk, net->ipv4.sysctl_tcp_retries1 + 1, 0))
3948 ++ if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1) + 1, 0))
3949 + __sk_dst_reset(sk);
3950 +
3951 + out:;
3952 +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
3953 +index 942da168f18fb..56f396ecc26b7 100644
3954 +--- a/net/ipv6/af_inet6.c
3955 ++++ b/net/ipv6/af_inet6.c
3956 +@@ -222,7 +222,7 @@ lookup_protocol:
3957 + inet->mc_list = NULL;
3958 + inet->rcv_tos = 0;
3959 +
3960 +- if (net->ipv4.sysctl_ip_no_pmtu_disc)
3961 ++ if (READ_ONCE(net->ipv4.sysctl_ip_no_pmtu_disc))
3962 + inet->pmtudisc = IP_PMTUDISC_DONT;
3963 + else
3964 + inet->pmtudisc = IP_PMTUDISC_WANT;
3965 +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
3966 +index 37ab254f7b92d..7e55505465949 100644
3967 +--- a/net/ipv6/syncookies.c
3968 ++++ b/net/ipv6/syncookies.c
3969 +@@ -141,7 +141,8 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
3970 + __u8 rcv_wscale;
3971 + u32 tsoff = 0;
3972 +
3973 +- if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst)
3974 ++ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_syncookies) ||
3975 ++ !th->ack || th->rst)
3976 + goto out;
3977 +
3978 + if (tcp_synq_no_recent_overflow(sk))
3979 +diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
3980 +index bb370a7948f42..363a64c124144 100644
3981 +--- a/net/sctp/protocol.c
3982 ++++ b/net/sctp/protocol.c
3983 +@@ -358,7 +358,7 @@ static int sctp_v4_available(union sctp_addr *addr, struct sctp_sock *sp)
3984 + if (addr->v4.sin_addr.s_addr != htonl(INADDR_ANY) &&
3985 + ret != RTN_LOCAL &&
3986 + !sp->inet.freebind &&
3987 +- !net->ipv4.sysctl_ip_nonlocal_bind)
3988 ++ !READ_ONCE(net->ipv4.sysctl_ip_nonlocal_bind))
3989 + return 0;
3990 +
3991 + if (ipv6_only_sock(sctp_opt2sk(sp)))
3992 +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
3993 +index abb93f7343c53..2c3cf47d730bb 100644
3994 +--- a/net/tls/tls_device.c
3995 ++++ b/net/tls/tls_device.c
3996 +@@ -94,13 +94,16 @@ static void tls_device_queue_ctx_destruction(struct tls_context *ctx)
3997 + unsigned long flags;
3998 +
3999 + spin_lock_irqsave(&tls_device_lock, flags);
4000 ++ if (unlikely(!refcount_dec_and_test(&ctx->refcount)))
4001 ++ goto unlock;
4002 ++
4003 + list_move_tail(&ctx->list, &tls_device_gc_list);
4004 +
4005 + /* schedule_work inside the spinlock
4006 + * to make sure tls_device_down waits for that work.
4007 + */
4008 + schedule_work(&tls_device_gc_work);
4009 +-
4010 ++unlock:
4011 + spin_unlock_irqrestore(&tls_device_lock, flags);
4012 + }
4013 +
4014 +@@ -191,8 +194,7 @@ static void tls_device_sk_destruct(struct sock *sk)
4015 + clean_acked_data_disable(inet_csk(sk));
4016 + }
4017 +
4018 +- if (refcount_dec_and_test(&tls_ctx->refcount))
4019 +- tls_device_queue_ctx_destruction(tls_ctx);
4020 ++ tls_device_queue_ctx_destruction(tls_ctx);
4021 + }
4022 +
4023 + void tls_device_free_resources_tx(struct sock *sk)
4024 +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
4025 +index 3ecb77c58c44e..28a8cdef8e51f 100644
4026 +--- a/net/xfrm/xfrm_policy.c
4027 ++++ b/net/xfrm/xfrm_policy.c
4028 +@@ -2679,8 +2679,10 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
4029 + *num_xfrms = 0;
4030 + return 0;
4031 + }
4032 +- if (IS_ERR(pols[0]))
4033 ++ if (IS_ERR(pols[0])) {
4034 ++ *num_pols = 0;
4035 + return PTR_ERR(pols[0]);
4036 ++ }
4037 +
4038 + *num_xfrms = pols[0]->xfrm_nr;
4039 +
4040 +@@ -2695,6 +2697,7 @@ static int xfrm_expand_policies(const struct flowi *fl, u16 family,
4041 + if (pols[1]) {
4042 + if (IS_ERR(pols[1])) {
4043 + xfrm_pols_put(pols, *num_pols);
4044 ++ *num_pols = 0;
4045 + return PTR_ERR(pols[1]);
4046 + }
4047 + (*num_pols)++;
4048 +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
4049 +index 268bba29bb603..bee1a8143d75f 100644
4050 +--- a/net/xfrm/xfrm_state.c
4051 ++++ b/net/xfrm/xfrm_state.c
4052 +@@ -2488,7 +2488,7 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
4053 + int err;
4054 +
4055 + if (family == AF_INET &&
4056 +- xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)
4057 ++ READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
4058 + x->props.flags |= XFRM_STATE_NOPMTUDISC;
4059 +
4060 + err = -EPROTONOSUPPORT;
4061 +diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
4062 +index 748f3ee27b23d..44b3315f32352 100644
4063 +--- a/security/integrity/ima/Kconfig
4064 ++++ b/security/integrity/ima/Kconfig
4065 +@@ -69,10 +69,9 @@ choice
4066 + hash, defined as 20 bytes, and a null terminated pathname,
4067 + limited to 255 characters. The 'ima-ng' measurement list
4068 + template permits both larger hash digests and longer
4069 +- pathnames.
4070 ++ pathnames. The configured default template can be replaced
4071 ++ by specifying "ima_template=" on the boot command line.
4072 +
4073 +- config IMA_TEMPLATE
4074 +- bool "ima"
4075 + config IMA_NG_TEMPLATE
4076 + bool "ima-ng (default)"
4077 + config IMA_SIG_TEMPLATE
4078 +@@ -82,7 +81,6 @@ endchoice
4079 + config IMA_DEFAULT_TEMPLATE
4080 + string
4081 + depends on IMA
4082 +- default "ima" if IMA_TEMPLATE
4083 + default "ima-ng" if IMA_NG_TEMPLATE
4084 + default "ima-sig" if IMA_SIG_TEMPLATE
4085 +
4086 +@@ -102,15 +100,15 @@ choice
4087 +
4088 + config IMA_DEFAULT_HASH_SHA256
4089 + bool "SHA256"
4090 +- depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
4091 ++ depends on CRYPTO_SHA256=y
4092 +
4093 + config IMA_DEFAULT_HASH_SHA512
4094 + bool "SHA512"
4095 +- depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
4096 ++ depends on CRYPTO_SHA512=y
4097 +
4098 + config IMA_DEFAULT_HASH_WP512
4099 + bool "WP512"
4100 +- depends on CRYPTO_WP512=y && !IMA_TEMPLATE
4101 ++ depends on CRYPTO_WP512=y
4102 + endchoice
4103 +
4104 + config IMA_DEFAULT_HASH
4105 +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
4106 +index a073e49d5cd7d..14aef74d3588a 100644
4107 +--- a/security/integrity/ima/ima_policy.c
4108 ++++ b/security/integrity/ima/ima_policy.c
4109 +@@ -1542,6 +1542,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id)
4110 + if (id >= READING_MAX_ID)
4111 + return false;
4112 +
4113 ++ if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE)
4114 ++ && security_locked_down(LOCKDOWN_KEXEC))
4115 ++ return false;
4116 ++
4117 + func = read_idmap[id] ?: FILE_CHECK;
4118 +
4119 + rcu_read_lock();
4120 +diff --git a/sound/core/memalloc.c b/sound/core/memalloc.c
4121 +index fe1ea03582cbb..9fc7c81ec6ae5 100644
4122 +--- a/sound/core/memalloc.c
4123 ++++ b/sound/core/memalloc.c
4124 +@@ -124,6 +124,7 @@ int snd_dma_alloc_pages(int type, struct device *device, size_t size,
4125 + if (WARN_ON(!device))
4126 + return -EINVAL;
4127 +
4128 ++ size = PAGE_ALIGN(size);
4129 + dmab->dev.type = type;
4130 + dmab->dev.dev = device;
4131 + dmab->bytes = 0;
Report Message
Find on MARC Find on Google Groups