Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.0 commit in: /
Date: Sat, 04 May 2019 18:29:56
Message-Id: 1556994578.dc81aa26ea1bd832413eabc76bcff4c1421e0b2c.mpagano@gentoo
1 commit: dc81aa26ea1bd832413eabc76bcff4c1421e0b2c
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sat May 4 18:29:38 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sat May 4 18:29:38 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=dc81aa26
7
8 Linux patch 5.0.12
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1011_linux-5.0.12.patch | 3398 +++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 3402 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 4dfa486..3b63726 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -87,6 +87,10 @@ Patch: 1010_linux-5.0.11.patch
21 From: http://www.kernel.org
22 Desc: Linux 5.0.11
23
24 +Patch: 1011_linux-5.0.12.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 5.0.12
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1011_linux-5.0.12.patch b/1011_linux-5.0.12.patch
33 new file mode 100644
34 index 0000000..f1fc8ab
35 --- /dev/null
36 +++ b/1011_linux-5.0.12.patch
37 @@ -0,0 +1,3398 @@
38 +diff --git a/Documentation/i2c/busses/i2c-i801 b/Documentation/i2c/busses/i2c-i801
39 +index d1ee484a787d..ee9984f35868 100644
40 +--- a/Documentation/i2c/busses/i2c-i801
41 ++++ b/Documentation/i2c/busses/i2c-i801
42 +@@ -36,6 +36,7 @@ Supported adapters:
43 + * Intel Cannon Lake (PCH)
44 + * Intel Cedar Fork (PCH)
45 + * Intel Ice Lake (PCH)
46 ++ * Intel Comet Lake (PCH)
47 + Datasheets: Publicly available at the Intel website
48 +
49 + On Intel Patsburg and later chipsets, both the normal host SMBus controller
50 +diff --git a/Makefile b/Makefile
51 +index c3daaefa979c..fd044f594bbf 100644
52 +--- a/Makefile
53 ++++ b/Makefile
54 +@@ -1,7 +1,7 @@
55 + # SPDX-License-Identifier: GPL-2.0
56 + VERSION = 5
57 + PATCHLEVEL = 0
58 +-SUBLEVEL = 11
59 ++SUBLEVEL = 12
60 + EXTRAVERSION =
61 + NAME = Shy Crocodile
62 +
63 +@@ -31,7 +31,7 @@ _all:
64 + # descending is started. They are now explicitly listed as the
65 + # prepare rule.
66 +
67 +-ifneq ($(sub-make-done),1)
68 ++ifneq ($(sub_make_done),1)
69 +
70 + # Do not use make's built-in rules and variables
71 + # (this increases performance and avoids hard-to-debug behaviour)
72 +@@ -159,6 +159,8 @@ need-sub-make := 1
73 + $(lastword $(MAKEFILE_LIST)): ;
74 + endif
75 +
76 ++export sub_make_done := 1
77 ++
78 + ifeq ($(need-sub-make),1)
79 +
80 + PHONY += $(MAKECMDGOALS) sub-make
81 +@@ -168,12 +170,12 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
82 +
83 + # Invoke a second make in the output directory, passing relevant variables
84 + sub-make:
85 +- $(Q)$(MAKE) sub-make-done=1 \
86 ++ $(Q)$(MAKE) \
87 + $(if $(KBUILD_OUTPUT),-C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR)) \
88 + -f $(CURDIR)/Makefile $(filter-out _all sub-make,$(MAKECMDGOALS))
89 +
90 + endif # need-sub-make
91 +-endif # sub-make-done
92 ++endif # sub_make_done
93 +
94 + # We process the rest of the Makefile if this is the final invocation of make
95 + ifeq ($(need-sub-make),)
96 +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
97 +index 26524b75970a..e5d56d9b712c 100644
98 +--- a/arch/arm/Kconfig
99 ++++ b/arch/arm/Kconfig
100 +@@ -593,6 +593,7 @@ config ARCH_DAVINCI
101 + select HAVE_IDE
102 + select PM_GENERIC_DOMAINS if PM
103 + select PM_GENERIC_DOMAINS_OF if PM && OF
104 ++ select REGMAP_MMIO
105 + select RESET_CONTROLLER
106 + select USE_OF
107 + select ZONE_DMA
108 +diff --git a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
109 +index 5641d162dfdb..28e7513ce617 100644
110 +--- a/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
111 ++++ b/arch/arm/boot/dts/bcm2835-rpi-b-rev2.dts
112 +@@ -93,7 +93,7 @@
113 + };
114 +
115 + &hdmi {
116 +- hpd-gpios = <&gpio 46 GPIO_ACTIVE_LOW>;
117 ++ hpd-gpios = <&gpio 46 GPIO_ACTIVE_HIGH>;
118 + };
119 +
120 + &pwm {
121 +diff --git a/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi b/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
122 +index 1d1b4bd0670f..a4217f564a53 100644
123 +--- a/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
124 ++++ b/arch/arm/boot/dts/imx6qdl-icore-rqs.dtsi
125 +@@ -264,7 +264,7 @@
126 + pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
127 + vmcc-supply = <&reg_sd3_vmmc>;
128 + cd-gpios = <&gpio1 1 GPIO_ACTIVE_LOW>;
129 +- bus-witdh = <4>;
130 ++ bus-width = <4>;
131 + no-1-8-v;
132 + status = "okay";
133 + };
134 +@@ -275,7 +275,7 @@
135 + pinctrl-1 = <&pinctrl_usdhc4_100mhz>;
136 + pinctrl-2 = <&pinctrl_usdhc4_200mhz>;
137 + vmcc-supply = <&reg_sd4_vmmc>;
138 +- bus-witdh = <8>;
139 ++ bus-width = <8>;
140 + no-1-8-v;
141 + non-removable;
142 + status = "okay";
143 +diff --git a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
144 +index 1b50b01e9bac..65d03c5d409b 100644
145 +--- a/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
146 ++++ b/arch/arm/boot/dts/imx6qdl-phytec-pfla02.dtsi
147 +@@ -90,6 +90,7 @@
148 + pinctrl-names = "default";
149 + pinctrl-0 = <&pinctrl_enet>;
150 + phy-mode = "rgmii";
151 ++ phy-reset-duration = <10>; /* in msecs */
152 + phy-reset-gpios = <&gpio3 23 GPIO_ACTIVE_LOW>;
153 + phy-supply = <&vdd_eth_io_reg>;
154 + status = "disabled";
155 +diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h
156 +index 3a875fc1b63c..cee06509f00a 100644
157 +--- a/arch/arm/include/asm/kvm_mmu.h
158 ++++ b/arch/arm/include/asm/kvm_mmu.h
159 +@@ -381,6 +381,17 @@ static inline int kvm_read_guest_lock(struct kvm *kvm,
160 + return ret;
161 + }
162 +
163 ++static inline int kvm_write_guest_lock(struct kvm *kvm, gpa_t gpa,
164 ++ const void *data, unsigned long len)
165 ++{
166 ++ int srcu_idx = srcu_read_lock(&kvm->srcu);
167 ++ int ret = kvm_write_guest(kvm, gpa, data, len);
168 ++
169 ++ srcu_read_unlock(&kvm->srcu, srcu_idx);
170 ++
171 ++ return ret;
172 ++}
173 ++
174 + static inline void *kvm_get_hyp_vector(void)
175 + {
176 + switch(read_cpuid_part()) {
177 +diff --git a/arch/arm/include/asm/stage2_pgtable.h b/arch/arm/include/asm/stage2_pgtable.h
178 +index de2089501b8b..9e11dce55e06 100644
179 +--- a/arch/arm/include/asm/stage2_pgtable.h
180 ++++ b/arch/arm/include/asm/stage2_pgtable.h
181 +@@ -75,6 +75,8 @@ static inline bool kvm_stage2_has_pud(struct kvm *kvm)
182 +
183 + #define S2_PMD_MASK PMD_MASK
184 + #define S2_PMD_SIZE PMD_SIZE
185 ++#define S2_PUD_MASK PUD_MASK
186 ++#define S2_PUD_SIZE PUD_SIZE
187 +
188 + static inline bool kvm_stage2_has_pmd(struct kvm *kvm)
189 + {
190 +diff --git a/arch/arm/mach-imx/mach-imx51.c b/arch/arm/mach-imx/mach-imx51.c
191 +index c7169c2f94c4..08c7892866c2 100644
192 +--- a/arch/arm/mach-imx/mach-imx51.c
193 ++++ b/arch/arm/mach-imx/mach-imx51.c
194 +@@ -59,6 +59,7 @@ static void __init imx51_m4if_setup(void)
195 + return;
196 +
197 + m4if_base = of_iomap(np, 0);
198 ++ of_node_put(np);
199 + if (!m4if_base) {
200 + pr_err("Unable to map M4IF registers\n");
201 + return;
202 +diff --git a/arch/arm64/boot/dts/renesas/r8a77990.dtsi b/arch/arm64/boot/dts/renesas/r8a77990.dtsi
203 +index b2f606e286ce..327d12097643 100644
204 +--- a/arch/arm64/boot/dts/renesas/r8a77990.dtsi
205 ++++ b/arch/arm64/boot/dts/renesas/r8a77990.dtsi
206 +@@ -2,7 +2,7 @@
207 + /*
208 + * Device Tree Source for the R-Car E3 (R8A77990) SoC
209 + *
210 +- * Copyright (C) 2018 Renesas Electronics Corp.
211 ++ * Copyright (C) 2018-2019 Renesas Electronics Corp.
212 + */
213 +
214 + #include <dt-bindings/clock/r8a77990-cpg-mssr.h>
215 +@@ -1040,9 +1040,8 @@
216 + <&cpg CPG_CORE R8A77990_CLK_S3D1C>,
217 + <&scif_clk>;
218 + clock-names = "fck", "brg_int", "scif_clk";
219 +- dmas = <&dmac1 0x5b>, <&dmac1 0x5a>,
220 +- <&dmac2 0x5b>, <&dmac2 0x5a>;
221 +- dma-names = "tx", "rx", "tx", "rx";
222 ++ dmas = <&dmac0 0x5b>, <&dmac0 0x5a>;
223 ++ dma-names = "tx", "rx";
224 + power-domains = <&sysc R8A77990_PD_ALWAYS_ON>;
225 + resets = <&cpg 202>;
226 + status = "disabled";
227 +diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
228 +index 8af4b1befa42..c246effd1b67 100644
229 +--- a/arch/arm64/include/asm/kvm_mmu.h
230 ++++ b/arch/arm64/include/asm/kvm_mmu.h
231 +@@ -444,6 +444,17 @@ static inline int kvm_read_guest_lock(struct kvm *kvm,
232 + return ret;
233 + }
234 +
235 ++static inline int kvm_write_guest_lock(struct kvm *kvm, gpa_t gpa,
236 ++ const void *data, unsigned long len)
237 ++{
238 ++ int srcu_idx = srcu_read_lock(&kvm->srcu);
239 ++ int ret = kvm_write_guest(kvm, gpa, data, len);
240 ++
241 ++ srcu_read_unlock(&kvm->srcu, srcu_idx);
242 ++
243 ++ return ret;
244 ++}
245 ++
246 + #ifdef CONFIG_KVM_INDIRECT_VECTORS
247 + /*
248 + * EL2 vectors can be mapped and rerouted in a number of ways,
249 +diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
250 +index f16a5f8ff2b4..e2a0500cd7a2 100644
251 +--- a/arch/arm64/kvm/reset.c
252 ++++ b/arch/arm64/kvm/reset.c
253 +@@ -123,6 +123,9 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu)
254 + int ret = -EINVAL;
255 + bool loaded;
256 +
257 ++ /* Reset PMU outside of the non-preemptible section */
258 ++ kvm_pmu_vcpu_reset(vcpu);
259 ++
260 + preempt_disable();
261 + loaded = (vcpu->cpu != -1);
262 + if (loaded)
263 +@@ -170,9 +173,6 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu)
264 + vcpu->arch.reset_state.reset = false;
265 + }
266 +
267 +- /* Reset PMU */
268 +- kvm_pmu_vcpu_reset(vcpu);
269 +-
270 + /* Default workaround setup is enabled (if supported) */
271 + if (kvm_arm_have_ssbd() == KVM_SSBD_KERNEL)
272 + vcpu->arch.workaround_flags |= VCPU_WORKAROUND_2_FLAG;
273 +diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
274 +index 7d22a474a040..f74639a05f0f 100644
275 +--- a/arch/s390/include/asm/elf.h
276 ++++ b/arch/s390/include/asm/elf.h
277 +@@ -252,11 +252,14 @@ do { \
278 +
279 + /*
280 + * Cache aliasing on the latest machines calls for a mapping granularity
281 +- * of 512KB. For 64-bit processes use a 512KB alignment and a randomization
282 +- * of up to 1GB. For 31-bit processes the virtual address space is limited,
283 +- * use no alignment and limit the randomization to 8MB.
284 ++ * of 512KB for the anonymous mapping base. For 64-bit processes use a
285 ++ * 512KB alignment and a randomization of up to 1GB. For 31-bit processes
286 ++ * the virtual address space is limited, use no alignment and limit the
287 ++ * randomization to 8MB.
288 ++ * For the additional randomization of the program break use 32MB for
289 ++ * 64-bit and 8MB for 31-bit.
290 + */
291 +-#define BRK_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ffffUL)
292 ++#define BRK_RND_MASK (is_compat_task() ? 0x7ffUL : 0x1fffUL)
293 + #define MMAP_RND_MASK (is_compat_task() ? 0x7ffUL : 0x3ff80UL)
294 + #define MMAP_ALIGN_MASK (is_compat_task() ? 0 : 0x7fUL)
295 + #define STACK_RND_MASK MMAP_RND_MASK
296 +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
297 +index 71d763ad2637..9f2d890733a9 100644
298 +--- a/arch/x86/include/asm/kvm_host.h
299 ++++ b/arch/x86/include/asm/kvm_host.h
300 +@@ -1198,6 +1198,8 @@ struct kvm_x86_ops {
301 + int (*nested_enable_evmcs)(struct kvm_vcpu *vcpu,
302 + uint16_t *vmcs_version);
303 + uint16_t (*nested_get_evmcs_version)(struct kvm_vcpu *vcpu);
304 ++
305 ++ bool (*need_emulation_on_page_fault)(struct kvm_vcpu *vcpu);
306 + };
307 +
308 + struct kvm_arch_async_pf {
309 +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
310 +index 89d20ed1d2e8..371c669696d7 100644
311 +--- a/arch/x86/kvm/hyperv.c
312 ++++ b/arch/x86/kvm/hyperv.c
313 +@@ -526,7 +526,9 @@ static int stimer_set_config(struct kvm_vcpu_hv_stimer *stimer, u64 config,
314 + new_config.enable = 0;
315 + stimer->config.as_uint64 = new_config.as_uint64;
316 +
317 +- stimer_mark_pending(stimer, false);
318 ++ if (stimer->config.enable)
319 ++ stimer_mark_pending(stimer, false);
320 ++
321 + return 0;
322 + }
323 +
324 +@@ -542,7 +544,10 @@ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count,
325 + stimer->config.enable = 0;
326 + else if (stimer->config.auto_enable)
327 + stimer->config.enable = 1;
328 +- stimer_mark_pending(stimer, false);
329 ++
330 ++ if (stimer->config.enable)
331 ++ stimer_mark_pending(stimer, false);
332 ++
333 + return 0;
334 + }
335 +
336 +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
337 +index 9ab33cab9486..77dbb57412cc 100644
338 +--- a/arch/x86/kvm/mmu.c
339 ++++ b/arch/x86/kvm/mmu.c
340 +@@ -4915,11 +4915,15 @@ static union kvm_mmu_role
341 + kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty,
342 + bool execonly)
343 + {
344 +- union kvm_mmu_role role;
345 ++ union kvm_mmu_role role = {0};
346 ++ union kvm_mmu_page_role root_base = vcpu->arch.root_mmu.mmu_role.base;
347 +
348 +- /* Base role is inherited from root_mmu */
349 +- role.base.word = vcpu->arch.root_mmu.mmu_role.base.word;
350 +- role.ext = kvm_calc_mmu_role_ext(vcpu);
351 ++ /* Legacy paging and SMM flags are inherited from root_mmu */
352 ++ role.base.smm = root_base.smm;
353 ++ role.base.nxe = root_base.nxe;
354 ++ role.base.cr0_wp = root_base.cr0_wp;
355 ++ role.base.smep_andnot_wp = root_base.smep_andnot_wp;
356 ++ role.base.smap_andnot_wp = root_base.smap_andnot_wp;
357 +
358 + role.base.level = PT64_ROOT_4LEVEL;
359 + role.base.direct = false;
360 +@@ -4927,6 +4931,7 @@ kvm_calc_shadow_ept_root_page_role(struct kvm_vcpu *vcpu, bool accessed_dirty,
361 + role.base.guest_mode = true;
362 + role.base.access = ACC_ALL;
363 +
364 ++ role.ext = kvm_calc_mmu_role_ext(vcpu);
365 + role.ext.execonly = execonly;
366 +
367 + return role;
368 +@@ -5390,10 +5395,12 @@ emulate:
369 + * This can happen if a guest gets a page-fault on data access but the HW
370 + * table walker is not able to read the instruction page (e.g instruction
371 + * page is not present in memory). In those cases we simply restart the
372 +- * guest.
373 ++ * guest, with the exception of AMD Erratum 1096 which is unrecoverable.
374 + */
375 +- if (unlikely(insn && !insn_len))
376 +- return 1;
377 ++ if (unlikely(insn && !insn_len)) {
378 ++ if (!kvm_x86_ops->need_emulation_on_page_fault(vcpu))
379 ++ return 1;
380 ++ }
381 +
382 + er = x86_emulate_instruction(vcpu, cr2, emulation_type, insn, insn_len);
383 +
384 +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
385 +index 516c1de03d47..e544cec812f9 100644
386 +--- a/arch/x86/kvm/svm.c
387 ++++ b/arch/x86/kvm/svm.c
388 +@@ -7114,6 +7114,36 @@ static int nested_enable_evmcs(struct kvm_vcpu *vcpu,
389 + return -ENODEV;
390 + }
391 +
392 ++static bool svm_need_emulation_on_page_fault(struct kvm_vcpu *vcpu)
393 ++{
394 ++ bool is_user, smap;
395 ++
396 ++ is_user = svm_get_cpl(vcpu) == 3;
397 ++ smap = !kvm_read_cr4_bits(vcpu, X86_CR4_SMAP);
398 ++
399 ++ /*
400 ++ * Detect and workaround Errata 1096 Fam_17h_00_0Fh
401 ++ *
402 ++ * In non SEV guest, hypervisor will be able to read the guest
403 ++ * memory to decode the instruction pointer when insn_len is zero
404 ++ * so we return true to indicate that decoding is possible.
405 ++ *
406 ++ * But in the SEV guest, the guest memory is encrypted with the
407 ++ * guest specific key and hypervisor will not be able to decode the
408 ++ * instruction pointer so we will not able to workaround it. Lets
409 ++ * print the error and request to kill the guest.
410 ++ */
411 ++ if (is_user && smap) {
412 ++ if (!sev_guest(vcpu->kvm))
413 ++ return true;
414 ++
415 ++ pr_err_ratelimited("KVM: Guest triggered AMD Erratum 1096\n");
416 ++ kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
417 ++ }
418 ++
419 ++ return false;
420 ++}
421 ++
422 + static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
423 + .cpu_has_kvm_support = has_svm,
424 + .disabled_by_bios = is_disabled,
425 +@@ -7247,6 +7277,8 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
426 +
427 + .nested_enable_evmcs = nested_enable_evmcs,
428 + .nested_get_evmcs_version = nested_get_evmcs_version,
429 ++
430 ++ .need_emulation_on_page_fault = svm_need_emulation_on_page_fault,
431 + };
432 +
433 + static int __init svm_init(void)
434 +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
435 +index 34499081022c..e7fe8c692362 100644
436 +--- a/arch/x86/kvm/vmx/vmx.c
437 ++++ b/arch/x86/kvm/vmx/vmx.c
438 +@@ -7526,6 +7526,11 @@ static int enable_smi_window(struct kvm_vcpu *vcpu)
439 + return 0;
440 + }
441 +
442 ++static bool vmx_need_emulation_on_page_fault(struct kvm_vcpu *vcpu)
443 ++{
444 ++ return 0;
445 ++}
446 ++
447 + static __init int hardware_setup(void)
448 + {
449 + unsigned long host_bndcfgs;
450 +@@ -7828,6 +7833,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = {
451 + .set_nested_state = NULL,
452 + .get_vmcs12_pages = NULL,
453 + .nested_enable_evmcs = NULL,
454 ++ .need_emulation_on_page_fault = vmx_need_emulation_on_page_fault,
455 + };
456 +
457 + static void vmx_cleanup_l1d_flush(void)
458 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
459 +index 2db58067bb59..8c9fb6453b2f 100644
460 +--- a/arch/x86/kvm/x86.c
461 ++++ b/arch/x86/kvm/x86.c
462 +@@ -1127,7 +1127,7 @@ static u32 msrs_to_save[] = {
463 + #endif
464 + MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
465 + MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX,
466 +- MSR_IA32_SPEC_CTRL, MSR_IA32_ARCH_CAPABILITIES,
467 ++ MSR_IA32_SPEC_CTRL,
468 + MSR_IA32_RTIT_CTL, MSR_IA32_RTIT_STATUS, MSR_IA32_RTIT_CR3_MATCH,
469 + MSR_IA32_RTIT_OUTPUT_BASE, MSR_IA32_RTIT_OUTPUT_MASK,
470 + MSR_IA32_RTIT_ADDR0_A, MSR_IA32_RTIT_ADDR0_B,
471 +@@ -1160,6 +1160,7 @@ static u32 emulated_msrs[] = {
472 +
473 + MSR_IA32_TSC_ADJUST,
474 + MSR_IA32_TSCDEADLINE,
475 ++ MSR_IA32_ARCH_CAPABILITIES,
476 + MSR_IA32_MISC_ENABLE,
477 + MSR_IA32_MCG_STATUS,
478 + MSR_IA32_MCG_CTL,
479 +diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
480 +index db3165714521..dc726e07d8ba 100644
481 +--- a/arch/x86/mm/mmap.c
482 ++++ b/arch/x86/mm/mmap.c
483 +@@ -230,7 +230,7 @@ bool mmap_address_hint_valid(unsigned long addr, unsigned long len)
484 + /* Can we access it for direct reading/writing? Must be RAM: */
485 + int valid_phys_addr_range(phys_addr_t addr, size_t count)
486 + {
487 +- return addr + count <= __pa(high_memory);
488 ++ return addr + count - 1 <= __pa(high_memory - 1);
489 + }
490 +
491 + /* Can we access it through mmap? Must be a valid physical address: */
492 +diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
493 +index d10105825d57..47d097946872 100644
494 +--- a/arch/x86/realmode/init.c
495 ++++ b/arch/x86/realmode/init.c
496 +@@ -20,8 +20,6 @@ void __init set_real_mode_mem(phys_addr_t mem, size_t size)
497 + void *base = __va(mem);
498 +
499 + real_mode_header = (struct real_mode_header *) base;
500 +- printk(KERN_DEBUG "Base memory trampoline at [%p] %llx size %zu\n",
501 +- base, (unsigned long long)mem, size);
502 + }
503 +
504 + void __init reserve_real_mode(void)
505 +diff --git a/drivers/acpi/acpica/evgpe.c b/drivers/acpi/acpica/evgpe.c
506 +index 4424997ecf30..e10fec99a182 100644
507 +--- a/drivers/acpi/acpica/evgpe.c
508 ++++ b/drivers/acpi/acpica/evgpe.c
509 +@@ -81,12 +81,8 @@ acpi_status acpi_ev_enable_gpe(struct acpi_gpe_event_info *gpe_event_info)
510 +
511 + ACPI_FUNCTION_TRACE(ev_enable_gpe);
512 +
513 +- /* Clear the GPE status */
514 +- status = acpi_hw_clear_gpe(gpe_event_info);
515 +- if (ACPI_FAILURE(status))
516 +- return_ACPI_STATUS(status);
517 +-
518 + /* Enable the requested GPE */
519 ++
520 + status = acpi_hw_low_set_gpe(gpe_event_info, ACPI_GPE_ENABLE);
521 + return_ACPI_STATUS(status);
522 + }
523 +diff --git a/drivers/ata/libata-zpodd.c b/drivers/ata/libata-zpodd.c
524 +index b3ed8f9953a8..173e6f2dd9af 100644
525 +--- a/drivers/ata/libata-zpodd.c
526 ++++ b/drivers/ata/libata-zpodd.c
527 +@@ -52,38 +52,52 @@ static int eject_tray(struct ata_device *dev)
528 + /* Per the spec, only slot type and drawer type ODD can be supported */
529 + static enum odd_mech_type zpodd_get_mech_type(struct ata_device *dev)
530 + {
531 +- char buf[16];
532 ++ char *buf;
533 + unsigned int ret;
534 +- struct rm_feature_desc *desc = (void *)(buf + 8);
535 ++ struct rm_feature_desc *desc;
536 + struct ata_taskfile tf;
537 + static const char cdb[] = { GPCMD_GET_CONFIGURATION,
538 + 2, /* only 1 feature descriptor requested */
539 + 0, 3, /* 3, removable medium feature */
540 + 0, 0, 0,/* reserved */
541 +- 0, sizeof(buf),
542 ++ 0, 16,
543 + 0, 0, 0,
544 + };
545 +
546 ++ buf = kzalloc(16, GFP_KERNEL);
547 ++ if (!buf)
548 ++ return ODD_MECH_TYPE_UNSUPPORTED;
549 ++ desc = (void *)(buf + 8);
550 ++
551 + ata_tf_init(dev, &tf);
552 + tf.flags = ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE;
553 + tf.command = ATA_CMD_PACKET;
554 + tf.protocol = ATAPI_PROT_PIO;
555 +- tf.lbam = sizeof(buf);
556 ++ tf.lbam = 16;
557 +
558 + ret = ata_exec_internal(dev, &tf, cdb, DMA_FROM_DEVICE,
559 +- buf, sizeof(buf), 0);
560 +- if (ret)
561 ++ buf, 16, 0);
562 ++ if (ret) {
563 ++ kfree(buf);
564 + return ODD_MECH_TYPE_UNSUPPORTED;
565 ++ }
566 +
567 +- if (be16_to_cpu(desc->feature_code) != 3)
568 ++ if (be16_to_cpu(desc->feature_code) != 3) {
569 ++ kfree(buf);
570 + return ODD_MECH_TYPE_UNSUPPORTED;
571 ++ }
572 +
573 +- if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1)
574 ++ if (desc->mech_type == 0 && desc->load == 0 && desc->eject == 1) {
575 ++ kfree(buf);
576 + return ODD_MECH_TYPE_SLOT;
577 +- else if (desc->mech_type == 1 && desc->load == 0 && desc->eject == 1)
578 ++ } else if (desc->mech_type == 1 && desc->load == 0 &&
579 ++ desc->eject == 1) {
580 ++ kfree(buf);
581 + return ODD_MECH_TYPE_DRAWER;
582 +- else
583 ++ } else {
584 ++ kfree(buf);
585 + return ODD_MECH_TYPE_UNSUPPORTED;
586 ++ }
587 + }
588 +
589 + /* Test if ODD is zero power ready by sense code */
590 +diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c
591 +index 854bce4fb9e7..217507002dbc 100644
592 +--- a/drivers/gpio/gpio-aspeed.c
593 ++++ b/drivers/gpio/gpio-aspeed.c
594 +@@ -1224,6 +1224,8 @@ static int __init aspeed_gpio_probe(struct platform_device *pdev)
595 +
596 + gpio->offset_timer =
597 + devm_kzalloc(&pdev->dev, gpio->chip.ngpio, GFP_KERNEL);
598 ++ if (!gpio->offset_timer)
599 ++ return -ENOMEM;
600 +
601 + return aspeed_gpio_setup_irqs(gpio, pdev);
602 + }
603 +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
604 +index a1dd2f1c0d02..13a402ede07a 100644
605 +--- a/drivers/gpio/gpiolib-of.c
606 ++++ b/drivers/gpio/gpiolib-of.c
607 +@@ -119,7 +119,8 @@ static void of_gpio_flags_quirks(struct device_node *np,
608 + * to determine if the flags should have inverted semantics.
609 + */
610 + if (IS_ENABLED(CONFIG_SPI_MASTER) &&
611 +- of_property_read_bool(np, "cs-gpios")) {
612 ++ of_property_read_bool(np, "cs-gpios") &&
613 ++ !strcmp(propname, "cs-gpios")) {
614 + struct device_node *child;
615 + u32 cs;
616 + int ret;
617 +@@ -141,16 +142,16 @@ static void of_gpio_flags_quirks(struct device_node *np,
618 + * conflict and the "spi-cs-high" flag will
619 + * take precedence.
620 + */
621 +- if (of_property_read_bool(np, "spi-cs-high")) {
622 ++ if (of_property_read_bool(child, "spi-cs-high")) {
623 + if (*flags & OF_GPIO_ACTIVE_LOW) {
624 + pr_warn("%s GPIO handle specifies active low - ignored\n",
625 +- of_node_full_name(np));
626 ++ of_node_full_name(child));
627 + *flags &= ~OF_GPIO_ACTIVE_LOW;
628 + }
629 + } else {
630 + if (!(*flags & OF_GPIO_ACTIVE_LOW))
631 + pr_info("%s enforce active low on chipselect handle\n",
632 +- of_node_full_name(np));
633 ++ of_node_full_name(child));
634 + *flags |= OF_GPIO_ACTIVE_LOW;
635 + }
636 + break;
637 +@@ -711,7 +712,13 @@ int of_gpiochip_add(struct gpio_chip *chip)
638 +
639 + of_node_get(chip->of_node);
640 +
641 +- return of_gpiochip_scan_gpios(chip);
642 ++ status = of_gpiochip_scan_gpios(chip);
643 ++ if (status) {
644 ++ of_node_put(chip->of_node);
645 ++ gpiochip_remove_pin_ranges(chip);
646 ++ }
647 ++
648 ++ return status;
649 + }
650 +
651 + void of_gpiochip_remove(struct gpio_chip *chip)
652 +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
653 +index 12e5e2be7890..7a59b8b3ed5a 100644
654 +--- a/drivers/gpu/drm/drm_drv.c
655 ++++ b/drivers/gpu/drm/drm_drv.c
656 +@@ -381,11 +381,7 @@ void drm_dev_unplug(struct drm_device *dev)
657 + synchronize_srcu(&drm_unplug_srcu);
658 +
659 + drm_dev_unregister(dev);
660 +-
661 +- mutex_lock(&drm_global_mutex);
662 +- if (dev->open_count == 0)
663 +- drm_dev_put(dev);
664 +- mutex_unlock(&drm_global_mutex);
665 ++ drm_dev_put(dev);
666 + }
667 + EXPORT_SYMBOL(drm_dev_unplug);
668 +
669 +diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
670 +index 46f48f245eb5..3f20f598cd7c 100644
671 +--- a/drivers/gpu/drm/drm_file.c
672 ++++ b/drivers/gpu/drm/drm_file.c
673 +@@ -479,11 +479,9 @@ int drm_release(struct inode *inode, struct file *filp)
674 +
675 + drm_file_free(file_priv);
676 +
677 +- if (!--dev->open_count) {
678 ++ if (!--dev->open_count)
679 + drm_lastclose(dev);
680 +- if (drm_dev_is_unplugged(dev))
681 +- drm_put_dev(dev);
682 +- }
683 ++
684 + mutex_unlock(&drm_global_mutex);
685 +
686 + drm_minor_release(minor);
687 +diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
688 +index dcd1df5322e8..21c6016ccba5 100644
689 +--- a/drivers/gpu/drm/i915/intel_dp.c
690 ++++ b/drivers/gpu/drm/i915/intel_dp.c
691 +@@ -1871,6 +1871,9 @@ static bool intel_dp_dsc_compute_config(struct intel_dp *intel_dp,
692 + u8 dsc_max_bpc;
693 + int pipe_bpp;
694 +
695 ++ pipe_config->fec_enable = !intel_dp_is_edp(intel_dp) &&
696 ++ intel_dp_supports_fec(intel_dp, pipe_config);
697 ++
698 + if (!intel_dp_supports_dsc(intel_dp, pipe_config))
699 + return false;
700 +
701 +@@ -2097,9 +2100,6 @@ intel_dp_compute_config(struct intel_encoder *encoder,
702 + if (adjusted_mode->flags & DRM_MODE_FLAG_DBLCLK)
703 + return false;
704 +
705 +- pipe_config->fec_enable = !intel_dp_is_edp(intel_dp) &&
706 +- intel_dp_supports_fec(intel_dp, pipe_config);
707 +-
708 + if (!intel_dp_compute_link_config(encoder, pipe_config, conn_state))
709 + return false;
710 +
711 +diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
712 +index 12ff47b13668..a13704ab5d11 100644
713 +--- a/drivers/gpu/drm/meson/meson_drv.c
714 ++++ b/drivers/gpu/drm/meson/meson_drv.c
715 +@@ -317,12 +317,14 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
716 +
717 + ret = drm_dev_register(drm, 0);
718 + if (ret)
719 +- goto free_drm;
720 ++ goto uninstall_irq;
721 +
722 + drm_fbdev_generic_setup(drm, 32);
723 +
724 + return 0;
725 +
726 ++uninstall_irq:
727 ++ drm_irq_uninstall(drm);
728 + free_drm:
729 + drm_dev_put(drm);
730 +
731 +@@ -336,8 +338,8 @@ static int meson_drv_bind(struct device *dev)
732 +
733 + static void meson_drv_unbind(struct device *dev)
734 + {
735 +- struct drm_device *drm = dev_get_drvdata(dev);
736 +- struct meson_drm *priv = drm->dev_private;
737 ++ struct meson_drm *priv = dev_get_drvdata(dev);
738 ++ struct drm_device *drm = priv->drm;
739 +
740 + if (priv->canvas) {
741 + meson_canvas_free(priv->canvas, priv->canvas_id_osd1);
742 +@@ -347,6 +349,7 @@ static void meson_drv_unbind(struct device *dev)
743 + }
744 +
745 + drm_dev_unregister(drm);
746 ++ drm_irq_uninstall(drm);
747 + drm_kms_helper_poll_fini(drm);
748 + drm_mode_config_cleanup(drm);
749 + drm_dev_put(drm);
750 +diff --git a/drivers/gpu/drm/tegra/hub.c b/drivers/gpu/drm/tegra/hub.c
751 +index 922a48d5a483..c7c612579270 100644
752 +--- a/drivers/gpu/drm/tegra/hub.c
753 ++++ b/drivers/gpu/drm/tegra/hub.c
754 +@@ -378,14 +378,16 @@ static int tegra_shared_plane_atomic_check(struct drm_plane *plane,
755 + static void tegra_shared_plane_atomic_disable(struct drm_plane *plane,
756 + struct drm_plane_state *old_state)
757 + {
758 +- struct tegra_dc *dc = to_tegra_dc(old_state->crtc);
759 + struct tegra_plane *p = to_tegra_plane(plane);
760 ++ struct tegra_dc *dc;
761 + u32 value;
762 +
763 + /* rien ne va plus */
764 + if (!old_state || !old_state->crtc)
765 + return;
766 +
767 ++ dc = to_tegra_dc(old_state->crtc);
768 ++
769 + /*
770 + * XXX Legacy helpers seem to sometimes call ->atomic_disable() even
771 + * on planes that are already disabled. Make sure we fallback to the
772 +diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
773 +index f2c681971201..f8979abb9a19 100644
774 +--- a/drivers/i2c/busses/Kconfig
775 ++++ b/drivers/i2c/busses/Kconfig
776 +@@ -131,6 +131,7 @@ config I2C_I801
777 + Cannon Lake (PCH)
778 + Cedar Fork (PCH)
779 + Ice Lake (PCH)
780 ++ Comet Lake (PCH)
781 +
782 + This driver can also be built as a module. If so, the module
783 + will be called i2c-i801.
784 +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
785 +index c91e145ef5a5..679c6c41f64b 100644
786 +--- a/drivers/i2c/busses/i2c-i801.c
787 ++++ b/drivers/i2c/busses/i2c-i801.c
788 +@@ -71,6 +71,7 @@
789 + * Cannon Lake-LP (PCH) 0x9da3 32 hard yes yes yes
790 + * Cedar Fork (PCH) 0x18df 32 hard yes yes yes
791 + * Ice Lake-LP (PCH) 0x34a3 32 hard yes yes yes
792 ++ * Comet Lake (PCH) 0x02a3 32 hard yes yes yes
793 + *
794 + * Features supported by this driver:
795 + * Software PEC no
796 +@@ -240,6 +241,7 @@
797 + #define PCI_DEVICE_ID_INTEL_LEWISBURG_SSKU_SMBUS 0xa223
798 + #define PCI_DEVICE_ID_INTEL_KABYLAKE_PCH_H_SMBUS 0xa2a3
799 + #define PCI_DEVICE_ID_INTEL_CANNONLAKE_H_SMBUS 0xa323
800 ++#define PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS 0x02a3
801 +
802 + struct i801_mux_config {
803 + char *gpio_chip;
804 +@@ -1038,6 +1040,7 @@ static const struct pci_device_id i801_ids[] = {
805 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CANNONLAKE_H_SMBUS) },
806 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CANNONLAKE_LP_SMBUS) },
807 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICELAKE_LP_SMBUS) },
808 ++ { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS) },
809 + { 0, }
810 + };
811 +
812 +@@ -1534,6 +1537,7 @@ static int i801_probe(struct pci_dev *dev, const struct pci_device_id *id)
813 + case PCI_DEVICE_ID_INTEL_DNV_SMBUS:
814 + case PCI_DEVICE_ID_INTEL_KABYLAKE_PCH_H_SMBUS:
815 + case PCI_DEVICE_ID_INTEL_ICELAKE_LP_SMBUS:
816 ++ case PCI_DEVICE_ID_INTEL_COMETLAKE_SMBUS:
817 + priv->features |= FEATURE_I2C_BLOCK_READ;
818 + priv->features |= FEATURE_IRQ;
819 + priv->features |= FEATURE_SMBUS_PEC;
820 +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
821 +index e628ef23418f..55b3e4b9d5dc 100644
822 +--- a/drivers/iommu/amd_iommu.c
823 ++++ b/drivers/iommu/amd_iommu.c
824 +@@ -3166,21 +3166,24 @@ static void amd_iommu_get_resv_regions(struct device *dev,
825 + return;
826 +
827 + list_for_each_entry(entry, &amd_iommu_unity_map, list) {
828 ++ int type, prot = 0;
829 + size_t length;
830 +- int prot = 0;
831 +
832 + if (devid < entry->devid_start || devid > entry->devid_end)
833 + continue;
834 +
835 ++ type = IOMMU_RESV_DIRECT;
836 + length = entry->address_end - entry->address_start;
837 + if (entry->prot & IOMMU_PROT_IR)
838 + prot |= IOMMU_READ;
839 + if (entry->prot & IOMMU_PROT_IW)
840 + prot |= IOMMU_WRITE;
841 ++ if (entry->prot & IOMMU_UNITY_MAP_FLAG_EXCL_RANGE)
842 ++ /* Exclusion range */
843 ++ type = IOMMU_RESV_RESERVED;
844 +
845 + region = iommu_alloc_resv_region(entry->address_start,
846 +- length, prot,
847 +- IOMMU_RESV_DIRECT);
848 ++ length, prot, type);
849 + if (!region) {
850 + pr_err("Out of memory allocating dm-regions for %s\n",
851 + dev_name(dev));
852 +diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
853 +index 66123b911ec8..84fa5b22371e 100644
854 +--- a/drivers/iommu/amd_iommu_init.c
855 ++++ b/drivers/iommu/amd_iommu_init.c
856 +@@ -2013,6 +2013,9 @@ static int __init init_unity_map_range(struct ivmd_header *m)
857 + if (e == NULL)
858 + return -ENOMEM;
859 +
860 ++ if (m->flags & IVMD_FLAG_EXCL_RANGE)
861 ++ init_exclusion_range(m);
862 ++
863 + switch (m->type) {
864 + default:
865 + kfree(e);
866 +@@ -2059,9 +2062,7 @@ static int __init init_memory_definitions(struct acpi_table_header *table)
867 +
868 + while (p < end) {
869 + m = (struct ivmd_header *)p;
870 +- if (m->flags & IVMD_FLAG_EXCL_RANGE)
871 +- init_exclusion_range(m);
872 +- else if (m->flags & IVMD_FLAG_UNITY_MAP)
873 ++ if (m->flags & (IVMD_FLAG_UNITY_MAP | IVMD_FLAG_EXCL_RANGE))
874 + init_unity_map_range(m);
875 +
876 + p += m->length;
877 +diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
878 +index eae0741f72dc..87965e4d9647 100644
879 +--- a/drivers/iommu/amd_iommu_types.h
880 ++++ b/drivers/iommu/amd_iommu_types.h
881 +@@ -374,6 +374,8 @@
882 + #define IOMMU_PROT_IR 0x01
883 + #define IOMMU_PROT_IW 0x02
884 +
885 ++#define IOMMU_UNITY_MAP_FLAG_EXCL_RANGE (1 << 2)
886 ++
887 + /* IOMMU capabilities */
888 + #define IOMMU_CAP_IOTLB 24
889 + #define IOMMU_CAP_NPCACHE 26
890 +diff --git a/drivers/leds/leds-pca9532.c b/drivers/leds/leds-pca9532.c
891 +index 7fea18b0c15d..7cb4d685a1f1 100644
892 +--- a/drivers/leds/leds-pca9532.c
893 ++++ b/drivers/leds/leds-pca9532.c
894 +@@ -513,6 +513,7 @@ static int pca9532_probe(struct i2c_client *client,
895 + const struct i2c_device_id *id)
896 + {
897 + int devid;
898 ++ const struct of_device_id *of_id;
899 + struct pca9532_data *data = i2c_get_clientdata(client);
900 + struct pca9532_platform_data *pca9532_pdata =
901 + dev_get_platdata(&client->dev);
902 +@@ -528,8 +529,11 @@ static int pca9532_probe(struct i2c_client *client,
903 + dev_err(&client->dev, "no platform data\n");
904 + return -EINVAL;
905 + }
906 +- devid = (int)(uintptr_t)of_match_device(
907 +- of_pca9532_leds_match, &client->dev)->data;
908 ++ of_id = of_match_device(of_pca9532_leds_match,
909 ++ &client->dev);
910 ++ if (unlikely(!of_id))
911 ++ return -EINVAL;
912 ++ devid = (int)(uintptr_t) of_id->data;
913 + } else {
914 + devid = id->driver_data;
915 + }
916 +diff --git a/drivers/leds/trigger/ledtrig-netdev.c b/drivers/leds/trigger/ledtrig-netdev.c
917 +index 3dd3ed46d473..136f86a1627d 100644
918 +--- a/drivers/leds/trigger/ledtrig-netdev.c
919 ++++ b/drivers/leds/trigger/ledtrig-netdev.c
920 +@@ -122,7 +122,8 @@ static ssize_t device_name_store(struct device *dev,
921 + trigger_data->net_dev = NULL;
922 + }
923 +
924 +- strncpy(trigger_data->device_name, buf, size);
925 ++ memcpy(trigger_data->device_name, buf, size);
926 ++ trigger_data->device_name[size] = 0;
927 + if (size > 0 && trigger_data->device_name[size - 1] == '\n')
928 + trigger_data->device_name[size - 1] = 0;
929 +
930 +@@ -301,11 +302,11 @@ static int netdev_trig_notify(struct notifier_block *nb,
931 + container_of(nb, struct led_netdev_data, notifier);
932 +
933 + if (evt != NETDEV_UP && evt != NETDEV_DOWN && evt != NETDEV_CHANGE
934 +- && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER
935 +- && evt != NETDEV_CHANGENAME)
936 ++ && evt != NETDEV_REGISTER && evt != NETDEV_UNREGISTER)
937 + return NOTIFY_DONE;
938 +
939 +- if (strcmp(dev->name, trigger_data->device_name))
940 ++ if (!(dev == trigger_data->net_dev ||
941 ++ (evt == NETDEV_REGISTER && !strcmp(dev->name, trigger_data->device_name))))
942 + return NOTIFY_DONE;
943 +
944 + cancel_delayed_work_sync(&trigger_data->work);
945 +@@ -320,12 +321,9 @@ static int netdev_trig_notify(struct notifier_block *nb,
946 + dev_hold(dev);
947 + trigger_data->net_dev = dev;
948 + break;
949 +- case NETDEV_CHANGENAME:
950 + case NETDEV_UNREGISTER:
951 +- if (trigger_data->net_dev) {
952 +- dev_put(trigger_data->net_dev);
953 +- trigger_data->net_dev = NULL;
954 +- }
955 ++ dev_put(trigger_data->net_dev);
956 ++ trigger_data->net_dev = NULL;
957 + break;
958 + case NETDEV_UP:
959 + case NETDEV_CHANGE:
960 +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
961 +index 2b2882615e8b..6cbe515bfdeb 100644
962 +--- a/drivers/net/ethernet/cadence/macb_main.c
963 ++++ b/drivers/net/ethernet/cadence/macb_main.c
964 +@@ -3318,14 +3318,20 @@ static int macb_clk_init(struct platform_device *pdev, struct clk **pclk,
965 + *hclk = devm_clk_get(&pdev->dev, "hclk");
966 + }
967 +
968 +- if (IS_ERR(*pclk)) {
969 ++ if (IS_ERR_OR_NULL(*pclk)) {
970 + err = PTR_ERR(*pclk);
971 ++ if (!err)
972 ++ err = -ENODEV;
973 ++
974 + dev_err(&pdev->dev, "failed to get macb_clk (%u)\n", err);
975 + return err;
976 + }
977 +
978 +- if (IS_ERR(*hclk)) {
979 ++ if (IS_ERR_OR_NULL(*hclk)) {
980 + err = PTR_ERR(*hclk);
981 ++ if (!err)
982 ++ err = -ENODEV;
983 ++
984 + dev_err(&pdev->dev, "failed to get hclk (%u)\n", err);
985 + return err;
986 + }
987 +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
988 +index 3baabdc89726..90b62c1412c8 100644
989 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
990 ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
991 +@@ -3160,6 +3160,7 @@ static ssize_t ehea_probe_port(struct device *dev,
992 +
993 + if (ehea_add_adapter_mr(adapter)) {
994 + pr_err("creating MR failed\n");
995 ++ of_node_put(eth_dn);
996 + return -EIO;
997 + }
998 +
999 +diff --git a/drivers/net/ethernet/micrel/ks8851.c b/drivers/net/ethernet/micrel/ks8851.c
1000 +index bd6e9014bc74..b83b070a9eec 100644
1001 +--- a/drivers/net/ethernet/micrel/ks8851.c
1002 ++++ b/drivers/net/ethernet/micrel/ks8851.c
1003 +@@ -535,9 +535,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
1004 + /* set dma read address */
1005 + ks8851_wrreg16(ks, KS_RXFDPR, RXFDPR_RXFPAI | 0x00);
1006 +
1007 +- /* start the packet dma process, and set auto-dequeue rx */
1008 +- ks8851_wrreg16(ks, KS_RXQCR,
1009 +- ks->rc_rxqcr | RXQCR_SDA | RXQCR_ADRFE);
1010 ++ /* start DMA access */
1011 ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
1012 +
1013 + if (rxlen > 4) {
1014 + unsigned int rxalign;
1015 +@@ -568,7 +567,8 @@ static void ks8851_rx_pkts(struct ks8851_net *ks)
1016 + }
1017 + }
1018 +
1019 +- ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
1020 ++ /* end DMA access and dequeue packet */
1021 ++ ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_RRXEF);
1022 + }
1023 + }
1024 +
1025 +@@ -785,6 +785,15 @@ static void ks8851_tx_work(struct work_struct *work)
1026 + static int ks8851_net_open(struct net_device *dev)
1027 + {
1028 + struct ks8851_net *ks = netdev_priv(dev);
1029 ++ int ret;
1030 ++
1031 ++ ret = request_threaded_irq(dev->irq, NULL, ks8851_irq,
1032 ++ IRQF_TRIGGER_LOW | IRQF_ONESHOT,
1033 ++ dev->name, ks);
1034 ++ if (ret < 0) {
1035 ++ netdev_err(dev, "failed to get irq\n");
1036 ++ return ret;
1037 ++ }
1038 +
1039 + /* lock the card, even if we may not actually be doing anything
1040 + * else at the moment */
1041 +@@ -849,6 +858,7 @@ static int ks8851_net_open(struct net_device *dev)
1042 + netif_dbg(ks, ifup, ks->netdev, "network device up\n");
1043 +
1044 + mutex_unlock(&ks->lock);
1045 ++ mii_check_link(&ks->mii);
1046 + return 0;
1047 + }
1048 +
1049 +@@ -899,6 +909,8 @@ static int ks8851_net_stop(struct net_device *dev)
1050 + dev_kfree_skb(txb);
1051 + }
1052 +
1053 ++ free_irq(dev->irq, ks);
1054 ++
1055 + return 0;
1056 + }
1057 +
1058 +@@ -1508,6 +1520,7 @@ static int ks8851_probe(struct spi_device *spi)
1059 +
1060 + spi_set_drvdata(spi, ks);
1061 +
1062 ++ netif_carrier_off(ks->netdev);
1063 + ndev->if_port = IF_PORT_100BASET;
1064 + ndev->netdev_ops = &ks8851_netdev_ops;
1065 + ndev->irq = spi->irq;
1066 +@@ -1529,14 +1542,6 @@ static int ks8851_probe(struct spi_device *spi)
1067 + ks8851_read_selftest(ks);
1068 + ks8851_init_mac(ks);
1069 +
1070 +- ret = request_threaded_irq(spi->irq, NULL, ks8851_irq,
1071 +- IRQF_TRIGGER_LOW | IRQF_ONESHOT,
1072 +- ndev->name, ks);
1073 +- if (ret < 0) {
1074 +- dev_err(&spi->dev, "failed to get irq\n");
1075 +- goto err_irq;
1076 +- }
1077 +-
1078 + ret = register_netdev(ndev);
1079 + if (ret) {
1080 + dev_err(&spi->dev, "failed to register network device\n");
1081 +@@ -1549,14 +1554,10 @@ static int ks8851_probe(struct spi_device *spi)
1082 +
1083 + return 0;
1084 +
1085 +-
1086 + err_netdev:
1087 +- free_irq(ndev->irq, ks);
1088 +-
1089 +-err_irq:
1090 ++err_id:
1091 + if (gpio_is_valid(gpio))
1092 + gpio_set_value(gpio, 0);
1093 +-err_id:
1094 + regulator_disable(ks->vdd_reg);
1095 + err_reg:
1096 + regulator_disable(ks->vdd_io);
1097 +@@ -1574,7 +1575,6 @@ static int ks8851_remove(struct spi_device *spi)
1098 + dev_info(&spi->dev, "remove\n");
1099 +
1100 + unregister_netdev(priv->netdev);
1101 +- free_irq(spi->irq, priv);
1102 + if (gpio_is_valid(priv->gpio))
1103 + gpio_set_value(priv->gpio, 0);
1104 + regulator_disable(priv->vdd_reg);
1105 +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
1106 +index 3b0adda7cc9c..a4cd6f2cfb86 100644
1107 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
1108 ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
1109 +@@ -1048,6 +1048,8 @@ int qlcnic_do_lb_test(struct qlcnic_adapter *adapter, u8 mode)
1110 +
1111 + for (i = 0; i < QLCNIC_NUM_ILB_PKT; i++) {
1112 + skb = netdev_alloc_skb(adapter->netdev, QLCNIC_ILB_PKT_SIZE);
1113 ++ if (!skb)
1114 ++ break;
1115 + qlcnic_create_loopback_buff(skb->data, adapter->mac_addr);
1116 + skb_put(skb, QLCNIC_ILB_PKT_SIZE);
1117 + adapter->ahw->diag_cnt = 0;
1118 +diff --git a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
1119 +index c0c75c111abb..4d9bcb4d0378 100644
1120 +--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
1121 ++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
1122 +@@ -59,7 +59,7 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum)
1123 +
1124 + desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB);
1125 + stmmac_prepare_tx_desc(priv, desc, 1, bmax, csum,
1126 +- STMMAC_RING_MODE, 1, false, skb->len);
1127 ++ STMMAC_RING_MODE, 0, false, skb->len);
1128 + tx_q->tx_skbuff[entry] = NULL;
1129 + entry = STMMAC_GET_ENTRY(entry, DMA_TX_SIZE);
1130 +
1131 +@@ -79,7 +79,8 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum)
1132 +
1133 + desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB);
1134 + stmmac_prepare_tx_desc(priv, desc, 0, len, csum,
1135 +- STMMAC_RING_MODE, 1, true, skb->len);
1136 ++ STMMAC_RING_MODE, 1, !skb_is_nonlinear(skb),
1137 ++ skb->len);
1138 + } else {
1139 + des2 = dma_map_single(priv->device, skb->data,
1140 + nopaged_len, DMA_TO_DEVICE);
1141 +@@ -91,7 +92,8 @@ static int jumbo_frm(void *p, struct sk_buff *skb, int csum)
1142 + tx_q->tx_skbuff_dma[entry].is_jumbo = true;
1143 + desc->des3 = cpu_to_le32(des2 + BUF_SIZE_4KiB);
1144 + stmmac_prepare_tx_desc(priv, desc, 1, nopaged_len, csum,
1145 +- STMMAC_RING_MODE, 1, true, skb->len);
1146 ++ STMMAC_RING_MODE, 0, !skb_is_nonlinear(skb),
1147 ++ skb->len);
1148 + }
1149 +
1150 + tx_q->cur_tx = entry;
1151 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1152 +index 1d8d6f2ddfd6..0bc3632880b5 100644
1153 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1154 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1155 +@@ -3190,14 +3190,16 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
1156 + stmmac_prepare_tx_desc(priv, first, 1, nopaged_len,
1157 + csum_insertion, priv->mode, 1, last_segment,
1158 + skb->len);
1159 +-
1160 +- /* The own bit must be the latest setting done when prepare the
1161 +- * descriptor and then barrier is needed to make sure that
1162 +- * all is coherent before granting the DMA engine.
1163 +- */
1164 +- wmb();
1165 ++ } else {
1166 ++ stmmac_set_tx_owner(priv, first);
1167 + }
1168 +
1169 ++ /* The own bit must be the latest setting done when prepare the
1170 ++ * descriptor and then barrier is needed to make sure that
1171 ++ * all is coherent before granting the DMA engine.
1172 ++ */
1173 ++ wmb();
1174 ++
1175 + netdev_tx_sent_queue(netdev_get_tx_queue(dev, queue), skb->len);
1176 +
1177 + stmmac_enable_dma_transmission(priv, priv->ioaddr);
1178 +diff --git a/drivers/net/ethernet/ti/netcp_ethss.c b/drivers/net/ethernet/ti/netcp_ethss.c
1179 +index 5174d318901e..0a920c5936b2 100644
1180 +--- a/drivers/net/ethernet/ti/netcp_ethss.c
1181 ++++ b/drivers/net/ethernet/ti/netcp_ethss.c
1182 +@@ -3657,12 +3657,16 @@ static int gbe_probe(struct netcp_device *netcp_device, struct device *dev,
1183 +
1184 + ret = netcp_txpipe_init(&gbe_dev->tx_pipe, netcp_device,
1185 + gbe_dev->dma_chan_name, gbe_dev->tx_queue_id);
1186 +- if (ret)
1187 ++ if (ret) {
1188 ++ of_node_put(interfaces);
1189 + return ret;
1190 ++ }
1191 +
1192 + ret = netcp_txpipe_open(&gbe_dev->tx_pipe);
1193 +- if (ret)
1194 ++ if (ret) {
1195 ++ of_node_put(interfaces);
1196 + return ret;
1197 ++ }
1198 +
1199 + /* Create network interfaces */
1200 + INIT_LIST_HEAD(&gbe_dev->gbe_intf_head);
1201 +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
1202 +index 0789d8af7d72..1ef56edb3918 100644
1203 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
1204 ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
1205 +@@ -1575,12 +1575,14 @@ static int axienet_probe(struct platform_device *pdev)
1206 + ret = of_address_to_resource(np, 0, &dmares);
1207 + if (ret) {
1208 + dev_err(&pdev->dev, "unable to get DMA resource\n");
1209 ++ of_node_put(np);
1210 + goto free_netdev;
1211 + }
1212 + lp->dma_regs = devm_ioremap_resource(&pdev->dev, &dmares);
1213 + if (IS_ERR(lp->dma_regs)) {
1214 + dev_err(&pdev->dev, "could not map DMA regs\n");
1215 + ret = PTR_ERR(lp->dma_regs);
1216 ++ of_node_put(np);
1217 + goto free_netdev;
1218 + }
1219 + lp->rx_irq = irq_of_parse_and_map(np, 1);
1220 +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
1221 +index cd1d8faccca5..cd6b95e673a5 100644
1222 +--- a/drivers/net/ieee802154/adf7242.c
1223 ++++ b/drivers/net/ieee802154/adf7242.c
1224 +@@ -1268,6 +1268,10 @@ static int adf7242_probe(struct spi_device *spi)
1225 + INIT_DELAYED_WORK(&lp->work, adf7242_rx_cal_work);
1226 + lp->wqueue = alloc_ordered_workqueue(dev_name(&spi->dev),
1227 + WQ_MEM_RECLAIM);
1228 ++ if (unlikely(!lp->wqueue)) {
1229 ++ ret = -ENOMEM;
1230 ++ goto err_hw_init;
1231 ++ }
1232 +
1233 + ret = adf7242_hw_init(lp);
1234 + if (ret)
1235 +diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
1236 +index b6743f03dce0..3b88846de31b 100644
1237 +--- a/drivers/net/ieee802154/mac802154_hwsim.c
1238 ++++ b/drivers/net/ieee802154/mac802154_hwsim.c
1239 +@@ -324,7 +324,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info)
1240 + goto out_err;
1241 + }
1242 +
1243 +- genlmsg_reply(skb, info);
1244 ++ res = genlmsg_reply(skb, info);
1245 + break;
1246 + }
1247 +
1248 +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c
1249 +index 24c7f149f3e6..e11057892f07 100644
1250 +--- a/drivers/net/phy/dp83822.c
1251 ++++ b/drivers/net/phy/dp83822.c
1252 +@@ -23,6 +23,8 @@
1253 + #include <linux/netdevice.h>
1254 +
1255 + #define DP83822_PHY_ID 0x2000a240
1256 ++#define DP83825I_PHY_ID 0x2000a150
1257 ++
1258 + #define DP83822_DEVADDR 0x1f
1259 +
1260 + #define MII_DP83822_PHYSCR 0x11
1261 +@@ -312,26 +314,30 @@ static int dp83822_resume(struct phy_device *phydev)
1262 + return 0;
1263 + }
1264 +
1265 ++#define DP83822_PHY_DRIVER(_id, _name) \
1266 ++ { \
1267 ++ PHY_ID_MATCH_MODEL(_id), \
1268 ++ .name = (_name), \
1269 ++ .features = PHY_BASIC_FEATURES, \
1270 ++ .soft_reset = dp83822_phy_reset, \
1271 ++ .config_init = dp83822_config_init, \
1272 ++ .get_wol = dp83822_get_wol, \
1273 ++ .set_wol = dp83822_set_wol, \
1274 ++ .ack_interrupt = dp83822_ack_interrupt, \
1275 ++ .config_intr = dp83822_config_intr, \
1276 ++ .suspend = dp83822_suspend, \
1277 ++ .resume = dp83822_resume, \
1278 ++ }
1279 ++
1280 + static struct phy_driver dp83822_driver[] = {
1281 +- {
1282 +- .phy_id = DP83822_PHY_ID,
1283 +- .phy_id_mask = 0xfffffff0,
1284 +- .name = "TI DP83822",
1285 +- .features = PHY_BASIC_FEATURES,
1286 +- .config_init = dp83822_config_init,
1287 +- .soft_reset = dp83822_phy_reset,
1288 +- .get_wol = dp83822_get_wol,
1289 +- .set_wol = dp83822_set_wol,
1290 +- .ack_interrupt = dp83822_ack_interrupt,
1291 +- .config_intr = dp83822_config_intr,
1292 +- .suspend = dp83822_suspend,
1293 +- .resume = dp83822_resume,
1294 +- },
1295 ++ DP83822_PHY_DRIVER(DP83822_PHY_ID, "TI DP83822"),
1296 ++ DP83822_PHY_DRIVER(DP83825I_PHY_ID, "TI DP83825I"),
1297 + };
1298 + module_phy_driver(dp83822_driver);
1299 +
1300 + static struct mdio_device_id __maybe_unused dp83822_tbl[] = {
1301 + { DP83822_PHY_ID, 0xfffffff0 },
1302 ++ { DP83825I_PHY_ID, 0xfffffff0 },
1303 + { },
1304 + };
1305 + MODULE_DEVICE_TABLE(mdio, dp83822_tbl);
1306 +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c b/drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c
1307 +index 81970cf777c0..8cafa5a749ca 100644
1308 +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c
1309 ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_usb_core.c
1310 +@@ -81,8 +81,9 @@ int mt76x02u_tx_prepare_skb(struct mt76_dev *mdev, void *data,
1311 +
1312 + mt76x02_insert_hdr_pad(skb);
1313 +
1314 +- txwi = skb_push(skb, sizeof(struct mt76x02_txwi));
1315 ++ txwi = (struct mt76x02_txwi *)(skb->data - sizeof(struct mt76x02_txwi));
1316 + mt76x02_mac_write_txwi(dev, txwi, skb, wcid, sta, len);
1317 ++ skb_push(skb, sizeof(struct mt76x02_txwi));
1318 +
1319 + pid = mt76_tx_status_skb_add(mdev, wcid, skb);
1320 + txwi->pktid = pid;
1321 +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c b/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c
1322 +index c9634a774705..2f618536ef2a 100644
1323 +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c
1324 ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/phy.c
1325 +@@ -260,10 +260,15 @@ mt76x2_phy_set_gain_val(struct mt76x02_dev *dev)
1326 + gain_val[0] = dev->cal.agc_gain_cur[0] - dev->cal.agc_gain_adjust;
1327 + gain_val[1] = dev->cal.agc_gain_cur[1] - dev->cal.agc_gain_adjust;
1328 +
1329 +- if (dev->mt76.chandef.width >= NL80211_CHAN_WIDTH_40)
1330 ++ val = 0x1836 << 16;
1331 ++ if (!mt76x2_has_ext_lna(dev) &&
1332 ++ dev->mt76.chandef.width >= NL80211_CHAN_WIDTH_40)
1333 + val = 0x1e42 << 16;
1334 +- else
1335 +- val = 0x1836 << 16;
1336 ++
1337 ++ if (mt76x2_has_ext_lna(dev) &&
1338 ++ dev->mt76.chandef.chan->band == NL80211_BAND_2GHZ &&
1339 ++ dev->mt76.chandef.width < NL80211_CHAN_WIDTH_40)
1340 ++ val = 0x0f36 << 16;
1341 +
1342 + val |= 0xf8;
1343 +
1344 +@@ -280,6 +285,7 @@ void mt76x2_phy_update_channel_gain(struct mt76x02_dev *dev)
1345 + {
1346 + u8 *gain = dev->cal.agc_gain_init;
1347 + u8 low_gain_delta, gain_delta;
1348 ++ u32 agc_35, agc_37;
1349 + bool gain_change;
1350 + int low_gain;
1351 + u32 val;
1352 +@@ -316,6 +322,16 @@ void mt76x2_phy_update_channel_gain(struct mt76x02_dev *dev)
1353 + else
1354 + low_gain_delta = 14;
1355 +
1356 ++ agc_37 = 0x2121262c;
1357 ++ if (dev->mt76.chandef.chan->band == NL80211_BAND_2GHZ)
1358 ++ agc_35 = 0x11111516;
1359 ++ else if (low_gain == 2)
1360 ++ agc_35 = agc_37 = 0x08080808;
1361 ++ else if (dev->mt76.chandef.width == NL80211_CHAN_WIDTH_80)
1362 ++ agc_35 = 0x10101014;
1363 ++ else
1364 ++ agc_35 = 0x11111116;
1365 ++
1366 + if (low_gain == 2) {
1367 + mt76_wr(dev, MT_BBP(RXO, 18), 0xf000a990);
1368 + mt76_wr(dev, MT_BBP(AGC, 35), 0x08080808);
1369 +@@ -324,15 +340,13 @@ void mt76x2_phy_update_channel_gain(struct mt76x02_dev *dev)
1370 + dev->cal.agc_gain_adjust = 0;
1371 + } else {
1372 + mt76_wr(dev, MT_BBP(RXO, 18), 0xf000a991);
1373 +- if (dev->mt76.chandef.width == NL80211_CHAN_WIDTH_80)
1374 +- mt76_wr(dev, MT_BBP(AGC, 35), 0x10101014);
1375 +- else
1376 +- mt76_wr(dev, MT_BBP(AGC, 35), 0x11111116);
1377 +- mt76_wr(dev, MT_BBP(AGC, 37), 0x2121262C);
1378 + gain_delta = 0;
1379 + dev->cal.agc_gain_adjust = low_gain_delta;
1380 + }
1381 +
1382 ++ mt76_wr(dev, MT_BBP(AGC, 35), agc_35);
1383 ++ mt76_wr(dev, MT_BBP(AGC, 37), agc_37);
1384 ++
1385 + dev->cal.agc_gain_cur[0] = gain[0] - gain_delta;
1386 + dev->cal.agc_gain_cur[1] = gain[1] - gain_delta;
1387 + mt76x2_phy_set_gain_val(dev);
1388 +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
1389 +index b9fff3b8ed1b..23da7beadd62 100644
1390 +--- a/drivers/nvme/host/multipath.c
1391 ++++ b/drivers/nvme/host/multipath.c
1392 +@@ -366,15 +366,12 @@ static inline bool nvme_state_is_live(enum nvme_ana_state state)
1393 + static void nvme_update_ns_ana_state(struct nvme_ana_group_desc *desc,
1394 + struct nvme_ns *ns)
1395 + {
1396 +- enum nvme_ana_state old;
1397 +-
1398 + mutex_lock(&ns->head->lock);
1399 +- old = ns->ana_state;
1400 + ns->ana_grpid = le32_to_cpu(desc->grpid);
1401 + ns->ana_state = desc->state;
1402 + clear_bit(NVME_NS_ANA_PENDING, &ns->flags);
1403 +
1404 +- if (nvme_state_is_live(ns->ana_state) && !nvme_state_is_live(old))
1405 ++ if (nvme_state_is_live(ns->ana_state))
1406 + nvme_mpath_set_live(ns);
1407 + mutex_unlock(&ns->head->lock);
1408 + }
1409 +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
1410 +index 02c63c463222..7bad21a2283f 100644
1411 +--- a/drivers/nvme/target/core.c
1412 ++++ b/drivers/nvme/target/core.c
1413 +@@ -517,7 +517,7 @@ int nvmet_ns_enable(struct nvmet_ns *ns)
1414 +
1415 + ret = nvmet_p2pmem_ns_enable(ns);
1416 + if (ret)
1417 +- goto out_unlock;
1418 ++ goto out_dev_disable;
1419 +
1420 + list_for_each_entry(ctrl, &subsys->ctrls, subsys_entry)
1421 + nvmet_p2pmem_ns_add_p2p(ctrl, ns);
1422 +@@ -558,7 +558,7 @@ out_unlock:
1423 + out_dev_put:
1424 + list_for_each_entry(ctrl, &subsys->ctrls, subsys_entry)
1425 + pci_dev_put(radix_tree_delete(&ctrl->p2p_ns_map, ns->nsid));
1426 +-
1427 ++out_dev_disable:
1428 + nvmet_ns_dev_disable(ns);
1429 + goto out_unlock;
1430 + }
1431 +diff --git a/drivers/nvme/target/io-cmd-file.c b/drivers/nvme/target/io-cmd-file.c
1432 +index 517522305e5c..9a0fa3943ca7 100644
1433 +--- a/drivers/nvme/target/io-cmd-file.c
1434 ++++ b/drivers/nvme/target/io-cmd-file.c
1435 +@@ -75,11 +75,11 @@ err:
1436 + return ret;
1437 + }
1438 +
1439 +-static void nvmet_file_init_bvec(struct bio_vec *bv, struct sg_page_iter *iter)
1440 ++static void nvmet_file_init_bvec(struct bio_vec *bv, struct scatterlist *sg)
1441 + {
1442 +- bv->bv_page = sg_page_iter_page(iter);
1443 +- bv->bv_offset = iter->sg->offset;
1444 +- bv->bv_len = PAGE_SIZE - iter->sg->offset;
1445 ++ bv->bv_page = sg_page(sg);
1446 ++ bv->bv_offset = sg->offset;
1447 ++ bv->bv_len = sg->length;
1448 + }
1449 +
1450 + static ssize_t nvmet_file_submit_bvec(struct nvmet_req *req, loff_t pos,
1451 +@@ -128,14 +128,14 @@ static void nvmet_file_io_done(struct kiocb *iocb, long ret, long ret2)
1452 +
1453 + static bool nvmet_file_execute_io(struct nvmet_req *req, int ki_flags)
1454 + {
1455 +- ssize_t nr_bvec = DIV_ROUND_UP(req->data_len, PAGE_SIZE);
1456 +- struct sg_page_iter sg_pg_iter;
1457 ++ ssize_t nr_bvec = req->sg_cnt;
1458 + unsigned long bv_cnt = 0;
1459 + bool is_sync = false;
1460 + size_t len = 0, total_len = 0;
1461 + ssize_t ret = 0;
1462 + loff_t pos;
1463 +-
1464 ++ int i;
1465 ++ struct scatterlist *sg;
1466 +
1467 + if (req->f.mpool_alloc && nr_bvec > NVMET_MAX_MPOOL_BVEC)
1468 + is_sync = true;
1469 +@@ -147,8 +147,8 @@ static bool nvmet_file_execute_io(struct nvmet_req *req, int ki_flags)
1470 + }
1471 +
1472 + memset(&req->f.iocb, 0, sizeof(struct kiocb));
1473 +- for_each_sg_page(req->sg, &sg_pg_iter, req->sg_cnt, 0) {
1474 +- nvmet_file_init_bvec(&req->f.bvec[bv_cnt], &sg_pg_iter);
1475 ++ for_each_sg(req->sg, sg, req->sg_cnt, i) {
1476 ++ nvmet_file_init_bvec(&req->f.bvec[bv_cnt], sg);
1477 + len += req->f.bvec[bv_cnt].bv_len;
1478 + total_len += req->f.bvec[bv_cnt].bv_len;
1479 + bv_cnt++;
1480 +@@ -225,7 +225,7 @@ static void nvmet_file_submit_buffered_io(struct nvmet_req *req)
1481 +
1482 + static void nvmet_file_execute_rw(struct nvmet_req *req)
1483 + {
1484 +- ssize_t nr_bvec = DIV_ROUND_UP(req->data_len, PAGE_SIZE);
1485 ++ ssize_t nr_bvec = req->sg_cnt;
1486 +
1487 + if (!req->sg_cnt || !nr_bvec) {
1488 + nvmet_req_complete(req, 0);
1489 +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
1490 +index df34bff4ac31..f73ce96e9603 100644
1491 +--- a/drivers/s390/net/qeth_l3_main.c
1492 ++++ b/drivers/s390/net/qeth_l3_main.c
1493 +@@ -2316,12 +2316,14 @@ static int qeth_l3_probe_device(struct ccwgroup_device *gdev)
1494 + struct qeth_card *card = dev_get_drvdata(&gdev->dev);
1495 + int rc;
1496 +
1497 ++ hash_init(card->ip_htable);
1498 ++
1499 + if (gdev->dev.type == &qeth_generic_devtype) {
1500 + rc = qeth_l3_create_device_attributes(&gdev->dev);
1501 + if (rc)
1502 + return rc;
1503 + }
1504 +- hash_init(card->ip_htable);
1505 ++
1506 + hash_init(card->ip_mc_htable);
1507 + card->info.hwtrap = 0;
1508 + return 0;
1509 +diff --git a/drivers/s390/scsi/zfcp_fc.c b/drivers/s390/scsi/zfcp_fc.c
1510 +index db00b5e3abbe..33eddb02ee30 100644
1511 +--- a/drivers/s390/scsi/zfcp_fc.c
1512 ++++ b/drivers/s390/scsi/zfcp_fc.c
1513 +@@ -239,10 +239,6 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range,
1514 + list_for_each_entry(port, &adapter->port_list, list) {
1515 + if ((port->d_id & range) == (ntoh24(page->rscn_fid) & range))
1516 + zfcp_fc_test_link(port);
1517 +- if (!port->d_id)
1518 +- zfcp_erp_port_reopen(port,
1519 +- ZFCP_STATUS_COMMON_ERP_FAILED,
1520 +- "fcrscn1");
1521 + }
1522 + read_unlock_irqrestore(&adapter->port_list_lock, flags);
1523 + }
1524 +@@ -250,6 +246,7 @@ static void _zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req, u32 range,
1525 + static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req)
1526 + {
1527 + struct fsf_status_read_buffer *status_buffer = (void *)fsf_req->data;
1528 ++ struct zfcp_adapter *adapter = fsf_req->adapter;
1529 + struct fc_els_rscn *head;
1530 + struct fc_els_rscn_page *page;
1531 + u16 i;
1532 +@@ -263,6 +260,22 @@ static void zfcp_fc_incoming_rscn(struct zfcp_fsf_req *fsf_req)
1533 + no_entries = be16_to_cpu(head->rscn_plen) /
1534 + sizeof(struct fc_els_rscn_page);
1535 +
1536 ++ if (no_entries > 1) {
1537 ++ /* handle failed ports */
1538 ++ unsigned long flags;
1539 ++ struct zfcp_port *port;
1540 ++
1541 ++ read_lock_irqsave(&adapter->port_list_lock, flags);
1542 ++ list_for_each_entry(port, &adapter->port_list, list) {
1543 ++ if (port->d_id)
1544 ++ continue;
1545 ++ zfcp_erp_port_reopen(port,
1546 ++ ZFCP_STATUS_COMMON_ERP_FAILED,
1547 ++ "fcrscn1");
1548 ++ }
1549 ++ read_unlock_irqrestore(&adapter->port_list_lock, flags);
1550 ++ }
1551 ++
1552 + for (i = 1; i < no_entries; i++) {
1553 + /* skip head and start with 1st element */
1554 + page++;
1555 +diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
1556 +index 3291d1c16864..8bd09b96ea18 100644
1557 +--- a/drivers/scsi/aacraid/aacraid.h
1558 ++++ b/drivers/scsi/aacraid/aacraid.h
1559 +@@ -2640,9 +2640,14 @@ static inline unsigned int cap_to_cyls(sector_t capacity, unsigned divisor)
1560 + return capacity;
1561 + }
1562 +
1563 ++static inline int aac_pci_offline(struct aac_dev *dev)
1564 ++{
1565 ++ return pci_channel_offline(dev->pdev) || dev->handle_pci_error;
1566 ++}
1567 ++
1568 + static inline int aac_adapter_check_health(struct aac_dev *dev)
1569 + {
1570 +- if (unlikely(pci_channel_offline(dev->pdev)))
1571 ++ if (unlikely(aac_pci_offline(dev)))
1572 + return -1;
1573 +
1574 + return (dev)->a_ops.adapter_check_health(dev);
1575 +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
1576 +index a3adc954f40f..09367b8a3885 100644
1577 +--- a/drivers/scsi/aacraid/commsup.c
1578 ++++ b/drivers/scsi/aacraid/commsup.c
1579 +@@ -672,7 +672,7 @@ int aac_fib_send(u16 command, struct fib *fibptr, unsigned long size,
1580 + return -ETIMEDOUT;
1581 + }
1582 +
1583 +- if (unlikely(pci_channel_offline(dev->pdev)))
1584 ++ if (unlikely(aac_pci_offline(dev)))
1585 + return -EFAULT;
1586 +
1587 + if ((blink = aac_adapter_check_health(dev)) > 0) {
1588 +@@ -772,7 +772,7 @@ int aac_hba_send(u8 command, struct fib *fibptr, fib_callback callback,
1589 +
1590 + spin_unlock_irqrestore(&fibptr->event_lock, flags);
1591 +
1592 +- if (unlikely(pci_channel_offline(dev->pdev)))
1593 ++ if (unlikely(aac_pci_offline(dev)))
1594 + return -EFAULT;
1595 +
1596 + fibptr->flags |= FIB_CONTEXT_FLAG_WAIT;
1597 +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
1598 +index 0a6cb8f0680c..c39f88100f31 100644
1599 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
1600 ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
1601 +@@ -3281,12 +3281,18 @@ mpt3sas_base_free_smid(struct MPT3SAS_ADAPTER *ioc, u16 smid)
1602 +
1603 + if (smid < ioc->hi_priority_smid) {
1604 + struct scsiio_tracker *st;
1605 ++ void *request;
1606 +
1607 + st = _get_st_from_smid(ioc, smid);
1608 + if (!st) {
1609 + _base_recovery_check(ioc);
1610 + return;
1611 + }
1612 ++
1613 ++ /* Clear MPI request frame */
1614 ++ request = mpt3sas_base_get_msg_frame(ioc, smid);
1615 ++ memset(request, 0, ioc->request_sz);
1616 ++
1617 + mpt3sas_base_clear_st(ioc, st);
1618 + _base_recovery_check(ioc);
1619 + return;
1620 +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
1621 +index 6be39dc27103..6173c211a5e5 100644
1622 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
1623 ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
1624 +@@ -1462,11 +1462,23 @@ mpt3sas_scsih_scsi_lookup_get(struct MPT3SAS_ADAPTER *ioc, u16 smid)
1625 + {
1626 + struct scsi_cmnd *scmd = NULL;
1627 + struct scsiio_tracker *st;
1628 ++ Mpi25SCSIIORequest_t *mpi_request;
1629 +
1630 + if (smid > 0 &&
1631 + smid <= ioc->scsiio_depth - INTERNAL_SCSIIO_CMDS_COUNT) {
1632 + u32 unique_tag = smid - 1;
1633 +
1634 ++ mpi_request = mpt3sas_base_get_msg_frame(ioc, smid);
1635 ++
1636 ++ /*
1637 ++ * If SCSI IO request is outstanding at driver level then
1638 ++ * DevHandle filed must be non-zero. If DevHandle is zero
1639 ++ * then it means that this smid is free at driver level,
1640 ++ * so return NULL.
1641 ++ */
1642 ++ if (!mpi_request->DevHandle)
1643 ++ return scmd;
1644 ++
1645 + scmd = scsi_host_find_tag(ioc->shost, unique_tag);
1646 + if (scmd) {
1647 + st = scsi_cmd_priv(scmd);
1648 +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
1649 +index a77bfb224248..80289c885c07 100644
1650 +--- a/drivers/scsi/qla4xxx/ql4_os.c
1651 ++++ b/drivers/scsi/qla4xxx/ql4_os.c
1652 +@@ -3203,6 +3203,8 @@ static int qla4xxx_conn_bind(struct iscsi_cls_session *cls_session,
1653 + if (iscsi_conn_bind(cls_session, cls_conn, is_leading))
1654 + return -EINVAL;
1655 + ep = iscsi_lookup_endpoint(transport_fd);
1656 ++ if (!ep)
1657 ++ return -EINVAL;
1658 + conn = cls_conn->dd_data;
1659 + qla_conn = conn->dd_data;
1660 + qla_conn->qla_ep = ep->dd_data;
1661 +diff --git a/drivers/staging/axis-fifo/Kconfig b/drivers/staging/axis-fifo/Kconfig
1662 +index 687537203d9c..d9725888af6f 100644
1663 +--- a/drivers/staging/axis-fifo/Kconfig
1664 ++++ b/drivers/staging/axis-fifo/Kconfig
1665 +@@ -3,6 +3,7 @@
1666 + #
1667 + config XIL_AXIS_FIFO
1668 + tristate "Xilinx AXI-Stream FIFO IP core driver"
1669 ++ depends on OF
1670 + default n
1671 + help
1672 + This adds support for the Xilinx AXI-Stream
1673 +diff --git a/drivers/staging/mt7621-pci/Kconfig b/drivers/staging/mt7621-pci/Kconfig
1674 +index d33533872a16..c8fa17cfa807 100644
1675 +--- a/drivers/staging/mt7621-pci/Kconfig
1676 ++++ b/drivers/staging/mt7621-pci/Kconfig
1677 +@@ -1,6 +1,7 @@
1678 + config PCI_MT7621
1679 + tristate "MediaTek MT7621 PCI Controller"
1680 + depends on RALINK
1681 ++ depends on PCI
1682 + select PCI_DRIVERS_GENERIC
1683 + help
1684 + This selects a driver for the MediaTek MT7621 PCI Controller.
1685 +diff --git a/drivers/staging/rtl8188eu/core/rtw_xmit.c b/drivers/staging/rtl8188eu/core/rtw_xmit.c
1686 +index 3b1ccd138c3f..6fb6ea29a8b6 100644
1687 +--- a/drivers/staging/rtl8188eu/core/rtw_xmit.c
1688 ++++ b/drivers/staging/rtl8188eu/core/rtw_xmit.c
1689 +@@ -174,7 +174,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
1690 +
1691 + pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;
1692 +
1693 +- rtw_alloc_hwxmits(padapter);
1694 ++ res = rtw_alloc_hwxmits(padapter);
1695 ++ if (res == _FAIL)
1696 ++ goto exit;
1697 + rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
1698 +
1699 + for (i = 0; i < 4; i++)
1700 +@@ -1503,7 +1505,7 @@ exit:
1701 + return res;
1702 + }
1703 +
1704 +-void rtw_alloc_hwxmits(struct adapter *padapter)
1705 ++s32 rtw_alloc_hwxmits(struct adapter *padapter)
1706 + {
1707 + struct hw_xmit *hwxmits;
1708 + struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
1709 +@@ -1512,6 +1514,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
1710 +
1711 + pxmitpriv->hwxmits = kcalloc(pxmitpriv->hwxmit_entry,
1712 + sizeof(struct hw_xmit), GFP_KERNEL);
1713 ++ if (!pxmitpriv->hwxmits)
1714 ++ return _FAIL;
1715 +
1716 + hwxmits = pxmitpriv->hwxmits;
1717 +
1718 +@@ -1519,6 +1523,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
1719 + hwxmits[1] .sta_queue = &pxmitpriv->vi_pending;
1720 + hwxmits[2] .sta_queue = &pxmitpriv->be_pending;
1721 + hwxmits[3] .sta_queue = &pxmitpriv->bk_pending;
1722 ++ return _SUCCESS;
1723 + }
1724 +
1725 + void rtw_free_hwxmits(struct adapter *padapter)
1726 +diff --git a/drivers/staging/rtl8188eu/include/rtw_xmit.h b/drivers/staging/rtl8188eu/include/rtw_xmit.h
1727 +index 788f59c74ea1..ba7e15fbde72 100644
1728 +--- a/drivers/staging/rtl8188eu/include/rtw_xmit.h
1729 ++++ b/drivers/staging/rtl8188eu/include/rtw_xmit.h
1730 +@@ -336,7 +336,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter,
1731 + void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry);
1732 + s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
1733 + void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv);
1734 +-void rtw_alloc_hwxmits(struct adapter *padapter);
1735 ++s32 rtw_alloc_hwxmits(struct adapter *padapter);
1736 + void rtw_free_hwxmits(struct adapter *padapter);
1737 + s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt);
1738 +
1739 +diff --git a/drivers/staging/rtl8712/rtl8712_cmd.c b/drivers/staging/rtl8712/rtl8712_cmd.c
1740 +index 1920d02f7c9f..8c36acedf507 100644
1741 +--- a/drivers/staging/rtl8712/rtl8712_cmd.c
1742 ++++ b/drivers/staging/rtl8712/rtl8712_cmd.c
1743 +@@ -147,17 +147,9 @@ static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
1744 +
1745 + static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
1746 + {
1747 +- u32 val;
1748 +- void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj *pcmd);
1749 + struct cmd_obj *pcmd = (struct cmd_obj *)pbuf;
1750 +
1751 +- if (pcmd->rsp && pcmd->rspsz > 0)
1752 +- memcpy(pcmd->rsp, (u8 *)&val, pcmd->rspsz);
1753 +- pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
1754 +- if (!pcmd_callback)
1755 +- r8712_free_cmd_obj(pcmd);
1756 +- else
1757 +- pcmd_callback(padapter, pcmd);
1758 ++ r8712_free_cmd_obj(pcmd);
1759 + return H2C_SUCCESS;
1760 + }
1761 +
1762 +diff --git a/drivers/staging/rtl8712/rtl8712_cmd.h b/drivers/staging/rtl8712/rtl8712_cmd.h
1763 +index 92fb77666d44..1ef86b8c592f 100644
1764 +--- a/drivers/staging/rtl8712/rtl8712_cmd.h
1765 ++++ b/drivers/staging/rtl8712/rtl8712_cmd.h
1766 +@@ -140,7 +140,7 @@ enum rtl8712_h2c_cmd {
1767 + static struct _cmd_callback cmd_callback[] = {
1768 + {GEN_CMD_CODE(_Read_MACREG), NULL}, /*0*/
1769 + {GEN_CMD_CODE(_Write_MACREG), NULL},
1770 +- {GEN_CMD_CODE(_Read_BBREG), &r8712_getbbrfreg_cmdrsp_callback},
1771 ++ {GEN_CMD_CODE(_Read_BBREG), NULL},
1772 + {GEN_CMD_CODE(_Write_BBREG), NULL},
1773 + {GEN_CMD_CODE(_Read_RFREG), &r8712_getbbrfreg_cmdrsp_callback},
1774 + {GEN_CMD_CODE(_Write_RFREG), NULL}, /*5*/
1775 +diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
1776 +index 625e67f39889..a36b2213d8ee 100644
1777 +--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
1778 ++++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
1779 +@@ -260,7 +260,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
1780 + }
1781 + }
1782 +
1783 +- rtw_alloc_hwxmits(padapter);
1784 ++ res = rtw_alloc_hwxmits(padapter);
1785 ++ if (res == _FAIL)
1786 ++ goto exit;
1787 + rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
1788 +
1789 + for (i = 0; i < 4; i++) {
1790 +@@ -2144,7 +2146,7 @@ exit:
1791 + return res;
1792 + }
1793 +
1794 +-void rtw_alloc_hwxmits(struct adapter *padapter)
1795 ++s32 rtw_alloc_hwxmits(struct adapter *padapter)
1796 + {
1797 + struct hw_xmit *hwxmits;
1798 + struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
1799 +@@ -2155,10 +2157,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
1800 +
1801 + pxmitpriv->hwxmits = rtw_zmalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry);
1802 +
1803 +- if (pxmitpriv->hwxmits == NULL) {
1804 +- DBG_871X("alloc hwxmits fail!...\n");
1805 +- return;
1806 +- }
1807 ++ if (!pxmitpriv->hwxmits)
1808 ++ return _FAIL;
1809 +
1810 + hwxmits = pxmitpriv->hwxmits;
1811 +
1812 +@@ -2204,7 +2204,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
1813 +
1814 + }
1815 +
1816 +-
1817 ++ return _SUCCESS;
1818 + }
1819 +
1820 + void rtw_free_hwxmits(struct adapter *padapter)
1821 +diff --git a/drivers/staging/rtl8723bs/include/rtw_xmit.h b/drivers/staging/rtl8723bs/include/rtw_xmit.h
1822 +index 1b38b9182b31..37f42b2f22f1 100644
1823 +--- a/drivers/staging/rtl8723bs/include/rtw_xmit.h
1824 ++++ b/drivers/staging/rtl8723bs/include/rtw_xmit.h
1825 +@@ -487,7 +487,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
1826 + void _rtw_free_xmit_priv (struct xmit_priv *pxmitpriv);
1827 +
1828 +
1829 +-void rtw_alloc_hwxmits(struct adapter *padapter);
1830 ++s32 rtw_alloc_hwxmits(struct adapter *padapter);
1831 + void rtw_free_hwxmits(struct adapter *padapter);
1832 +
1833 +
1834 +diff --git a/drivers/staging/rtlwifi/phydm/rtl_phydm.c b/drivers/staging/rtlwifi/phydm/rtl_phydm.c
1835 +index 9930ed954abb..4cc77b2016e1 100644
1836 +--- a/drivers/staging/rtlwifi/phydm/rtl_phydm.c
1837 ++++ b/drivers/staging/rtlwifi/phydm/rtl_phydm.c
1838 +@@ -180,6 +180,8 @@ static int rtl_phydm_init_priv(struct rtl_priv *rtlpriv,
1839 +
1840 + rtlpriv->phydm.internal =
1841 + kzalloc(sizeof(struct phy_dm_struct), GFP_KERNEL);
1842 ++ if (!rtlpriv->phydm.internal)
1843 ++ return 0;
1844 +
1845 + _rtl_phydm_init_com_info(rtlpriv, ic, params);
1846 +
1847 +diff --git a/drivers/staging/rtlwifi/rtl8822be/fw.c b/drivers/staging/rtlwifi/rtl8822be/fw.c
1848 +index a40396614814..c1ed52df05f0 100644
1849 +--- a/drivers/staging/rtlwifi/rtl8822be/fw.c
1850 ++++ b/drivers/staging/rtlwifi/rtl8822be/fw.c
1851 +@@ -741,6 +741,8 @@ void rtl8822be_set_fw_rsvdpagepkt(struct ieee80211_hw *hw, bool b_dl_finished)
1852 + u1_rsvd_page_loc, 3);
1853 +
1854 + skb = dev_alloc_skb(totalpacketlen);
1855 ++ if (!skb)
1856 ++ return;
1857 + memcpy((u8 *)skb_put(skb, totalpacketlen), &reserved_page_packet,
1858 + totalpacketlen);
1859 +
1860 +diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
1861 +index 804daf83be35..064d0db4c51e 100644
1862 +--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
1863 ++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
1864 +@@ -3513,6 +3513,7 @@ static int vchiq_probe(struct platform_device *pdev)
1865 + struct device_node *fw_node;
1866 + const struct of_device_id *of_id;
1867 + struct vchiq_drvdata *drvdata;
1868 ++ struct device *vchiq_dev;
1869 + int err;
1870 +
1871 + of_id = of_match_node(vchiq_of_match, pdev->dev.of_node);
1872 +@@ -3547,9 +3548,12 @@ static int vchiq_probe(struct platform_device *pdev)
1873 + goto failed_platform_init;
1874 + }
1875 +
1876 +- if (IS_ERR(device_create(vchiq_class, &pdev->dev, vchiq_devid,
1877 +- NULL, "vchiq")))
1878 ++ vchiq_dev = device_create(vchiq_class, &pdev->dev, vchiq_devid, NULL,
1879 ++ "vchiq");
1880 ++ if (IS_ERR(vchiq_dev)) {
1881 ++ err = PTR_ERR(vchiq_dev);
1882 + goto failed_device_create;
1883 ++ }
1884 +
1885 + vchiq_debugfs_init();
1886 +
1887 +diff --git a/drivers/tty/serial/ar933x_uart.c b/drivers/tty/serial/ar933x_uart.c
1888 +index db5df3d54818..3bdd56a1021b 100644
1889 +--- a/drivers/tty/serial/ar933x_uart.c
1890 ++++ b/drivers/tty/serial/ar933x_uart.c
1891 +@@ -49,11 +49,6 @@ struct ar933x_uart_port {
1892 + struct clk *clk;
1893 + };
1894 +
1895 +-static inline bool ar933x_uart_console_enabled(void)
1896 +-{
1897 +- return IS_ENABLED(CONFIG_SERIAL_AR933X_CONSOLE);
1898 +-}
1899 +-
1900 + static inline unsigned int ar933x_uart_read(struct ar933x_uart_port *up,
1901 + int offset)
1902 + {
1903 +@@ -508,6 +503,7 @@ static const struct uart_ops ar933x_uart_ops = {
1904 + .verify_port = ar933x_uart_verify_port,
1905 + };
1906 +
1907 ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
1908 + static struct ar933x_uart_port *
1909 + ar933x_console_ports[CONFIG_SERIAL_AR933X_NR_UARTS];
1910 +
1911 +@@ -604,14 +600,7 @@ static struct console ar933x_uart_console = {
1912 + .index = -1,
1913 + .data = &ar933x_uart_driver,
1914 + };
1915 +-
1916 +-static void ar933x_uart_add_console_port(struct ar933x_uart_port *up)
1917 +-{
1918 +- if (!ar933x_uart_console_enabled())
1919 +- return;
1920 +-
1921 +- ar933x_console_ports[up->port.line] = up;
1922 +-}
1923 ++#endif /* CONFIG_SERIAL_AR933X_CONSOLE */
1924 +
1925 + static struct uart_driver ar933x_uart_driver = {
1926 + .owner = THIS_MODULE,
1927 +@@ -700,7 +689,9 @@ static int ar933x_uart_probe(struct platform_device *pdev)
1928 + baud = ar933x_uart_get_baud(port->uartclk, 0, AR933X_UART_MAX_STEP);
1929 + up->max_baud = min_t(unsigned int, baud, AR933X_UART_MAX_BAUD);
1930 +
1931 +- ar933x_uart_add_console_port(up);
1932 ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
1933 ++ ar933x_console_ports[up->port.line] = up;
1934 ++#endif
1935 +
1936 + ret = uart_add_one_port(&ar933x_uart_driver, &up->port);
1937 + if (ret)
1938 +@@ -749,8 +740,9 @@ static int __init ar933x_uart_init(void)
1939 + {
1940 + int ret;
1941 +
1942 +- if (ar933x_uart_console_enabled())
1943 +- ar933x_uart_driver.cons = &ar933x_uart_console;
1944 ++#ifdef CONFIG_SERIAL_AR933X_CONSOLE
1945 ++ ar933x_uart_driver.cons = &ar933x_uart_console;
1946 ++#endif
1947 +
1948 + ret = uart_register_driver(&ar933x_uart_driver);
1949 + if (ret)
1950 +diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
1951 +index 268098681856..114e94f476c6 100644
1952 +--- a/drivers/tty/serial/sc16is7xx.c
1953 ++++ b/drivers/tty/serial/sc16is7xx.c
1954 +@@ -1509,7 +1509,7 @@ static int __init sc16is7xx_init(void)
1955 + ret = i2c_add_driver(&sc16is7xx_i2c_uart_driver);
1956 + if (ret < 0) {
1957 + pr_err("failed to init sc16is7xx i2c --> %d\n", ret);
1958 +- return ret;
1959 ++ goto err_i2c;
1960 + }
1961 + #endif
1962 +
1963 +@@ -1517,10 +1517,18 @@ static int __init sc16is7xx_init(void)
1964 + ret = spi_register_driver(&sc16is7xx_spi_uart_driver);
1965 + if (ret < 0) {
1966 + pr_err("failed to init sc16is7xx spi --> %d\n", ret);
1967 +- return ret;
1968 ++ goto err_spi;
1969 + }
1970 + #endif
1971 + return ret;
1972 ++
1973 ++err_spi:
1974 ++#ifdef CONFIG_SERIAL_SC16IS7XX_I2C
1975 ++ i2c_del_driver(&sc16is7xx_i2c_uart_driver);
1976 ++#endif
1977 ++err_i2c:
1978 ++ uart_unregister_driver(&sc16is7xx_uart);
1979 ++ return ret;
1980 + }
1981 + module_init(sc16is7xx_init);
1982 +
1983 +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
1984 +index fdc6e4e403e8..8cced3609e24 100644
1985 +--- a/drivers/usb/dwc3/dwc3-pci.c
1986 ++++ b/drivers/usb/dwc3/dwc3-pci.c
1987 +@@ -29,6 +29,7 @@
1988 + #define PCI_DEVICE_ID_INTEL_BXT_M 0x1aaa
1989 + #define PCI_DEVICE_ID_INTEL_APL 0x5aaa
1990 + #define PCI_DEVICE_ID_INTEL_KBP 0xa2b0
1991 ++#define PCI_DEVICE_ID_INTEL_CMLH 0x02ee
1992 + #define PCI_DEVICE_ID_INTEL_GLK 0x31aa
1993 + #define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee
1994 + #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e
1995 +@@ -305,6 +306,9 @@ static const struct pci_device_id dwc3_pci_id_table[] = {
1996 + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_MRFLD),
1997 + (kernel_ulong_t) &dwc3_pci_mrfld_properties, },
1998 +
1999 ++ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_CMLH),
2000 ++ (kernel_ulong_t) &dwc3_pci_intel_properties, },
2001 ++
2002 + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_SPTLP),
2003 + (kernel_ulong_t) &dwc3_pci_intel_properties, },
2004 +
2005 +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c
2006 +index b77f3126580e..c2011cd7df8c 100644
2007 +--- a/drivers/usb/gadget/udc/net2272.c
2008 ++++ b/drivers/usb/gadget/udc/net2272.c
2009 +@@ -945,6 +945,7 @@ net2272_dequeue(struct usb_ep *_ep, struct usb_request *_req)
2010 + break;
2011 + }
2012 + if (&req->req != _req) {
2013 ++ ep->stopped = stopped;
2014 + spin_unlock_irqrestore(&ep->dev->lock, flags);
2015 + return -EINVAL;
2016 + }
2017 +diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
2018 +index e7dae5379e04..d93cf4171953 100644
2019 +--- a/drivers/usb/gadget/udc/net2280.c
2020 ++++ b/drivers/usb/gadget/udc/net2280.c
2021 +@@ -866,9 +866,6 @@ static void start_queue(struct net2280_ep *ep, u32 dmactl, u32 td_dma)
2022 + (void) readl(&ep->dev->pci->pcimstctl);
2023 +
2024 + writel(BIT(DMA_START), &dma->dmastat);
2025 +-
2026 +- if (!ep->is_in)
2027 +- stop_out_naking(ep);
2028 + }
2029 +
2030 + static void start_dma(struct net2280_ep *ep, struct net2280_request *req)
2031 +@@ -907,6 +904,7 @@ static void start_dma(struct net2280_ep *ep, struct net2280_request *req)
2032 + writel(BIT(DMA_START), &dma->dmastat);
2033 + return;
2034 + }
2035 ++ stop_out_naking(ep);
2036 + }
2037 +
2038 + tmp = dmactl_default;
2039 +@@ -1275,9 +1273,9 @@ static int net2280_dequeue(struct usb_ep *_ep, struct usb_request *_req)
2040 + break;
2041 + }
2042 + if (&req->req != _req) {
2043 ++ ep->stopped = stopped;
2044 + spin_unlock_irqrestore(&ep->dev->lock, flags);
2045 +- dev_err(&ep->dev->pdev->dev, "%s: Request mismatch\n",
2046 +- __func__);
2047 ++ ep_dbg(ep->dev, "%s: Request mismatch\n", __func__);
2048 + return -EINVAL;
2049 + }
2050 +
2051 +diff --git a/drivers/usb/host/u132-hcd.c b/drivers/usb/host/u132-hcd.c
2052 +index 5b8a3d9530c4..5cac83aaeac3 100644
2053 +--- a/drivers/usb/host/u132-hcd.c
2054 ++++ b/drivers/usb/host/u132-hcd.c
2055 +@@ -3202,6 +3202,9 @@ static int __init u132_hcd_init(void)
2056 + printk(KERN_INFO "driver %s\n", hcd_name);
2057 + workqueue = create_singlethread_workqueue("u132");
2058 + retval = platform_driver_register(&u132_platform_driver);
2059 ++ if (retval)
2060 ++ destroy_workqueue(workqueue);
2061 ++
2062 + return retval;
2063 + }
2064 +
2065 +diff --git a/drivers/usb/misc/usb251xb.c b/drivers/usb/misc/usb251xb.c
2066 +index a6efb9a72939..5f7734c729b1 100644
2067 +--- a/drivers/usb/misc/usb251xb.c
2068 ++++ b/drivers/usb/misc/usb251xb.c
2069 +@@ -601,7 +601,7 @@ static int usb251xb_probe(struct usb251xb *hub)
2070 + dev);
2071 + int err;
2072 +
2073 +- if (np) {
2074 ++ if (np && of_id) {
2075 + err = usb251xb_get_ofdata(hub,
2076 + (struct usb251xb_data *)of_id->data);
2077 + if (err) {
2078 +diff --git a/fs/afs/fsclient.c b/fs/afs/fsclient.c
2079 +index ca08c83168f5..0b37867b5c20 100644
2080 +--- a/fs/afs/fsclient.c
2081 ++++ b/fs/afs/fsclient.c
2082 +@@ -1515,8 +1515,8 @@ static int afs_fs_setattr_size64(struct afs_fs_cursor *fc, struct iattr *attr)
2083 +
2084 + xdr_encode_AFS_StoreStatus(&bp, attr);
2085 +
2086 +- *bp++ = 0; /* position of start of write */
2087 +- *bp++ = 0;
2088 ++ *bp++ = htonl(attr->ia_size >> 32); /* position of start of write */
2089 ++ *bp++ = htonl((u32) attr->ia_size);
2090 + *bp++ = 0; /* size of write */
2091 + *bp++ = 0;
2092 + *bp++ = htonl(attr->ia_size >> 32); /* new file length */
2093 +@@ -1564,7 +1564,7 @@ static int afs_fs_setattr_size(struct afs_fs_cursor *fc, struct iattr *attr)
2094 +
2095 + xdr_encode_AFS_StoreStatus(&bp, attr);
2096 +
2097 +- *bp++ = 0; /* position of start of write */
2098 ++ *bp++ = htonl(attr->ia_size); /* position of start of write */
2099 + *bp++ = 0; /* size of write */
2100 + *bp++ = htonl(attr->ia_size); /* new file length */
2101 +
2102 +diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c
2103 +index 5aa57929e8c2..6e97a42d24d1 100644
2104 +--- a/fs/afs/yfsclient.c
2105 ++++ b/fs/afs/yfsclient.c
2106 +@@ -1514,7 +1514,7 @@ static int yfs_fs_setattr_size(struct afs_fs_cursor *fc, struct iattr *attr)
2107 + bp = xdr_encode_u32(bp, 0); /* RPC flags */
2108 + bp = xdr_encode_YFSFid(bp, &vnode->fid);
2109 + bp = xdr_encode_YFS_StoreStatus(bp, attr);
2110 +- bp = xdr_encode_u64(bp, 0); /* position of start of write */
2111 ++ bp = xdr_encode_u64(bp, attr->ia_size); /* position of start of write */
2112 + bp = xdr_encode_u64(bp, 0); /* size of write */
2113 + bp = xdr_encode_u64(bp, attr->ia_size); /* new file length */
2114 + yfs_check_req(call, bp);
2115 +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
2116 +index 4ec2b660d014..7f3ece91a4d0 100644
2117 +--- a/fs/btrfs/transaction.c
2118 ++++ b/fs/btrfs/transaction.c
2119 +@@ -1886,8 +1886,10 @@ static void btrfs_cleanup_pending_block_groups(struct btrfs_trans_handle *trans)
2120 + }
2121 + }
2122 +
2123 +-static inline int btrfs_start_delalloc_flush(struct btrfs_fs_info *fs_info)
2124 ++static inline int btrfs_start_delalloc_flush(struct btrfs_trans_handle *trans)
2125 + {
2126 ++ struct btrfs_fs_info *fs_info = trans->fs_info;
2127 ++
2128 + /*
2129 + * We use writeback_inodes_sb here because if we used
2130 + * btrfs_start_delalloc_roots we would deadlock with fs freeze.
2131 +@@ -1897,15 +1899,50 @@ static inline int btrfs_start_delalloc_flush(struct btrfs_fs_info *fs_info)
2132 + * from already being in a transaction and our join_transaction doesn't
2133 + * have to re-take the fs freeze lock.
2134 + */
2135 +- if (btrfs_test_opt(fs_info, FLUSHONCOMMIT))
2136 ++ if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) {
2137 + writeback_inodes_sb(fs_info->sb, WB_REASON_SYNC);
2138 ++ } else {
2139 ++ struct btrfs_pending_snapshot *pending;
2140 ++ struct list_head *head = &trans->transaction->pending_snapshots;
2141 ++
2142 ++ /*
2143 ++ * Flush dellaloc for any root that is going to be snapshotted.
2144 ++ * This is done to avoid a corrupted version of files, in the
2145 ++ * snapshots, that had both buffered and direct IO writes (even
2146 ++ * if they were done sequentially) due to an unordered update of
2147 ++ * the inode's size on disk.
2148 ++ */
2149 ++ list_for_each_entry(pending, head, list) {
2150 ++ int ret;
2151 ++
2152 ++ ret = btrfs_start_delalloc_snapshot(pending->root);
2153 ++ if (ret)
2154 ++ return ret;
2155 ++ }
2156 ++ }
2157 + return 0;
2158 + }
2159 +
2160 +-static inline void btrfs_wait_delalloc_flush(struct btrfs_fs_info *fs_info)
2161 ++static inline void btrfs_wait_delalloc_flush(struct btrfs_trans_handle *trans)
2162 + {
2163 +- if (btrfs_test_opt(fs_info, FLUSHONCOMMIT))
2164 ++ struct btrfs_fs_info *fs_info = trans->fs_info;
2165 ++
2166 ++ if (btrfs_test_opt(fs_info, FLUSHONCOMMIT)) {
2167 + btrfs_wait_ordered_roots(fs_info, U64_MAX, 0, (u64)-1);
2168 ++ } else {
2169 ++ struct btrfs_pending_snapshot *pending;
2170 ++ struct list_head *head = &trans->transaction->pending_snapshots;
2171 ++
2172 ++ /*
2173 ++ * Wait for any dellaloc that we started previously for the roots
2174 ++ * that are going to be snapshotted. This is to avoid a corrupted
2175 ++ * version of files in the snapshots that had both buffered and
2176 ++ * direct IO writes (even if they were done sequentially).
2177 ++ */
2178 ++ list_for_each_entry(pending, head, list)
2179 ++ btrfs_wait_ordered_extents(pending->root,
2180 ++ U64_MAX, 0, U64_MAX);
2181 ++ }
2182 + }
2183 +
2184 + int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
2185 +@@ -2024,7 +2061,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
2186 +
2187 + extwriter_counter_dec(cur_trans, trans->type);
2188 +
2189 +- ret = btrfs_start_delalloc_flush(fs_info);
2190 ++ ret = btrfs_start_delalloc_flush(trans);
2191 + if (ret)
2192 + goto cleanup_transaction;
2193 +
2194 +@@ -2040,7 +2077,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
2195 + if (ret)
2196 + goto cleanup_transaction;
2197 +
2198 +- btrfs_wait_delalloc_flush(fs_info);
2199 ++ btrfs_wait_delalloc_flush(trans);
2200 +
2201 + btrfs_scrub_pause(fs_info);
2202 + /*
2203 +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
2204 +index 9d1f34d46627..f7f9e305aaf8 100644
2205 +--- a/fs/ceph/inode.c
2206 ++++ b/fs/ceph/inode.c
2207 +@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
2208 + struct inode *inode = container_of(head, struct inode, i_rcu);
2209 + struct ceph_inode_info *ci = ceph_inode(inode);
2210 +
2211 ++ kfree(ci->i_symlink);
2212 + kmem_cache_free(ceph_inode_cachep, ci);
2213 + }
2214 +
2215 +@@ -561,7 +562,6 @@ void ceph_destroy_inode(struct inode *inode)
2216 + ceph_put_snap_realm(mdsc, realm);
2217 + }
2218 +
2219 +- kfree(ci->i_symlink);
2220 + while ((n = rb_first(&ci->i_fragtree)) != NULL) {
2221 + frag = rb_entry(n, struct ceph_inode_frag, node);
2222 + rb_erase(n, &ci->i_fragtree);
2223 +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
2224 +index 809c0f2f9942..64f4de983468 100644
2225 +--- a/fs/fuse/dev.c
2226 ++++ b/fs/fuse/dev.c
2227 +@@ -2034,10 +2034,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
2228 + rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
2229 +
2230 + ret = -EINVAL;
2231 +- if (rem < len) {
2232 +- pipe_unlock(pipe);
2233 +- goto out;
2234 +- }
2235 ++ if (rem < len)
2236 ++ goto out_free;
2237 +
2238 + rem = len;
2239 + while (rem) {
2240 +@@ -2055,7 +2053,9 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
2241 + pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
2242 + pipe->nrbufs--;
2243 + } else {
2244 +- pipe_buf_get(pipe, ibuf);
2245 ++ if (!pipe_buf_get(pipe, ibuf))
2246 ++ goto out_free;
2247 ++
2248 + *obuf = *ibuf;
2249 + obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
2250 + obuf->len = rem;
2251 +@@ -2078,11 +2078,11 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
2252 + ret = fuse_dev_do_write(fud, &cs, len);
2253 +
2254 + pipe_lock(pipe);
2255 ++out_free:
2256 + for (idx = 0; idx < nbuf; idx++)
2257 + pipe_buf_release(pipe, &bufs[idx]);
2258 + pipe_unlock(pipe);
2259 +
2260 +-out:
2261 + kvfree(bufs);
2262 + return ret;
2263 + }
2264 +diff --git a/fs/nfs/client.c b/fs/nfs/client.c
2265 +index fb1cf1a4bda2..90d71fda65ce 100644
2266 +--- a/fs/nfs/client.c
2267 ++++ b/fs/nfs/client.c
2268 +@@ -453,7 +453,7 @@ void nfs_init_timeout_values(struct rpc_timeout *to, int proto,
2269 + case XPRT_TRANSPORT_RDMA:
2270 + if (retrans == NFS_UNSPEC_RETRANS)
2271 + to->to_retries = NFS_DEF_TCP_RETRANS;
2272 +- if (timeo == NFS_UNSPEC_TIMEO || to->to_retries == 0)
2273 ++ if (timeo == NFS_UNSPEC_TIMEO || to->to_initval == 0)
2274 + to->to_initval = NFS_DEF_TCP_TIMEO * HZ / 10;
2275 + if (to->to_initval > NFS_MAX_TCP_TIMEOUT)
2276 + to->to_initval = NFS_MAX_TCP_TIMEOUT;
2277 +diff --git a/fs/pipe.c b/fs/pipe.c
2278 +index c51750ed4011..2a297bce381f 100644
2279 +--- a/fs/pipe.c
2280 ++++ b/fs/pipe.c
2281 +@@ -189,9 +189,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
2282 + * in the tee() system call, when we duplicate the buffers in one
2283 + * pipe into another.
2284 + */
2285 +-void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
2286 ++bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
2287 + {
2288 +- get_page(buf->page);
2289 ++ return try_get_page(buf->page);
2290 + }
2291 + EXPORT_SYMBOL(generic_pipe_buf_get);
2292 +
2293 +diff --git a/fs/splice.c b/fs/splice.c
2294 +index 7da7d5437472..c38c7e7a49c9 100644
2295 +--- a/fs/splice.c
2296 ++++ b/fs/splice.c
2297 +@@ -1588,7 +1588,11 @@ retry:
2298 + * Get a reference to this pipe buffer,
2299 + * so we can copy the contents over.
2300 + */
2301 +- pipe_buf_get(ipipe, ibuf);
2302 ++ if (!pipe_buf_get(ipipe, ibuf)) {
2303 ++ if (ret == 0)
2304 ++ ret = -EFAULT;
2305 ++ break;
2306 ++ }
2307 + *obuf = *ibuf;
2308 +
2309 + /*
2310 +@@ -1662,7 +1666,11 @@ static int link_pipe(struct pipe_inode_info *ipipe,
2311 + * Get a reference to this pipe buffer,
2312 + * so we can copy the contents over.
2313 + */
2314 +- pipe_buf_get(ipipe, ibuf);
2315 ++ if (!pipe_buf_get(ipipe, ibuf)) {
2316 ++ if (ret == 0)
2317 ++ ret = -EFAULT;
2318 ++ break;
2319 ++ }
2320 +
2321 + obuf = opipe->bufs + nbuf;
2322 + *obuf = *ibuf;
2323 +diff --git a/include/linux/mm.h b/include/linux/mm.h
2324 +index 80bb6408fe73..7000ddd807e0 100644
2325 +--- a/include/linux/mm.h
2326 ++++ b/include/linux/mm.h
2327 +@@ -965,6 +965,10 @@ static inline bool is_pci_p2pdma_page(const struct page *page)
2328 + }
2329 + #endif /* CONFIG_DEV_PAGEMAP_OPS */
2330 +
2331 ++/* 127: arbitrary random number, small enough to assemble well */
2332 ++#define page_ref_zero_or_close_to_overflow(page) \
2333 ++ ((unsigned int) page_ref_count(page) + 127u <= 127u)
2334 ++
2335 + static inline void get_page(struct page *page)
2336 + {
2337 + page = compound_head(page);
2338 +@@ -972,8 +976,17 @@ static inline void get_page(struct page *page)
2339 + * Getting a normal page or the head of a compound page
2340 + * requires to already have an elevated page->_refcount.
2341 + */
2342 +- VM_BUG_ON_PAGE(page_ref_count(page) <= 0, page);
2343 ++ VM_BUG_ON_PAGE(page_ref_zero_or_close_to_overflow(page), page);
2344 ++ page_ref_inc(page);
2345 ++}
2346 ++
2347 ++static inline __must_check bool try_get_page(struct page *page)
2348 ++{
2349 ++ page = compound_head(page);
2350 ++ if (WARN_ON_ONCE(page_ref_count(page) <= 0))
2351 ++ return false;
2352 + page_ref_inc(page);
2353 ++ return true;
2354 + }
2355 +
2356 + static inline void put_page(struct page *page)
2357 +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
2358 +index 66ee63cd5968..7897a3cc05b9 100644
2359 +--- a/include/linux/pipe_fs_i.h
2360 ++++ b/include/linux/pipe_fs_i.h
2361 +@@ -108,18 +108,20 @@ struct pipe_buf_operations {
2362 + /*
2363 + * Get a reference to the pipe buffer.
2364 + */
2365 +- void (*get)(struct pipe_inode_info *, struct pipe_buffer *);
2366 ++ bool (*get)(struct pipe_inode_info *, struct pipe_buffer *);
2367 + };
2368 +
2369 + /**
2370 + * pipe_buf_get - get a reference to a pipe_buffer
2371 + * @pipe: the pipe that the buffer belongs to
2372 + * @buf: the buffer to get a reference to
2373 ++ *
2374 ++ * Return: %true if the reference was successfully obtained.
2375 + */
2376 +-static inline void pipe_buf_get(struct pipe_inode_info *pipe,
2377 ++static inline __must_check bool pipe_buf_get(struct pipe_inode_info *pipe,
2378 + struct pipe_buffer *buf)
2379 + {
2380 +- buf->ops->get(pipe, buf);
2381 ++ return buf->ops->get(pipe, buf);
2382 + }
2383 +
2384 + /**
2385 +@@ -178,7 +180,7 @@ struct pipe_inode_info *alloc_pipe_info(void);
2386 + void free_pipe_info(struct pipe_inode_info *);
2387 +
2388 + /* Generic pipe buffer ops functions */
2389 +-void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
2390 ++bool generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *);
2391 + int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
2392 + int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
2393 + int generic_pipe_buf_nosteal(struct pipe_inode_info *, struct pipe_buffer *);
2394 +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h
2395 +index 13789d10a50e..76b8399b17f6 100644
2396 +--- a/include/linux/sched/signal.h
2397 ++++ b/include/linux/sched/signal.h
2398 +@@ -417,10 +417,20 @@ static inline void set_restore_sigmask(void)
2399 + set_thread_flag(TIF_RESTORE_SIGMASK);
2400 + WARN_ON(!test_thread_flag(TIF_SIGPENDING));
2401 + }
2402 ++
2403 ++static inline void clear_tsk_restore_sigmask(struct task_struct *tsk)
2404 ++{
2405 ++ clear_tsk_thread_flag(tsk, TIF_RESTORE_SIGMASK);
2406 ++}
2407 ++
2408 + static inline void clear_restore_sigmask(void)
2409 + {
2410 + clear_thread_flag(TIF_RESTORE_SIGMASK);
2411 + }
2412 ++static inline bool test_tsk_restore_sigmask(struct task_struct *tsk)
2413 ++{
2414 ++ return test_tsk_thread_flag(tsk, TIF_RESTORE_SIGMASK);
2415 ++}
2416 + static inline bool test_restore_sigmask(void)
2417 + {
2418 + return test_thread_flag(TIF_RESTORE_SIGMASK);
2419 +@@ -438,6 +448,10 @@ static inline void set_restore_sigmask(void)
2420 + current->restore_sigmask = true;
2421 + WARN_ON(!test_thread_flag(TIF_SIGPENDING));
2422 + }
2423 ++static inline void clear_tsk_restore_sigmask(struct task_struct *tsk)
2424 ++{
2425 ++ tsk->restore_sigmask = false;
2426 ++}
2427 + static inline void clear_restore_sigmask(void)
2428 + {
2429 + current->restore_sigmask = false;
2430 +@@ -446,6 +460,10 @@ static inline bool test_restore_sigmask(void)
2431 + {
2432 + return current->restore_sigmask;
2433 + }
2434 ++static inline bool test_tsk_restore_sigmask(struct task_struct *tsk)
2435 ++{
2436 ++ return tsk->restore_sigmask;
2437 ++}
2438 + static inline bool test_and_clear_restore_sigmask(void)
2439 + {
2440 + if (!current->restore_sigmask)
2441 +diff --git a/include/net/tc_act/tc_gact.h b/include/net/tc_act/tc_gact.h
2442 +index ef8dd0db70ce..56935bf027a7 100644
2443 +--- a/include/net/tc_act/tc_gact.h
2444 ++++ b/include/net/tc_act/tc_gact.h
2445 +@@ -56,7 +56,7 @@ static inline bool is_tcf_gact_goto_chain(const struct tc_action *a)
2446 +
2447 + static inline u32 tcf_gact_goto_chain_index(const struct tc_action *a)
2448 + {
2449 +- return a->goto_chain->index;
2450 ++ return READ_ONCE(a->tcfa_action) & TC_ACT_EXT_VAL_MASK;
2451 + }
2452 +
2453 + #endif /* __NET_TC_GACT_H */
2454 +diff --git a/include/net/xdp_sock.h b/include/net/xdp_sock.h
2455 +index 13acb9803a6d..05d39e579953 100644
2456 +--- a/include/net/xdp_sock.h
2457 ++++ b/include/net/xdp_sock.h
2458 +@@ -36,7 +36,6 @@ struct xdp_umem {
2459 + u32 headroom;
2460 + u32 chunk_size_nohr;
2461 + struct user_struct *user;
2462 +- struct pid *pid;
2463 + unsigned long address;
2464 + refcount_t users;
2465 + struct work_struct work;
2466 +diff --git a/kernel/ptrace.c b/kernel/ptrace.c
2467 +index 771e93f9c43f..6f357f4fc859 100644
2468 +--- a/kernel/ptrace.c
2469 ++++ b/kernel/ptrace.c
2470 +@@ -29,6 +29,7 @@
2471 + #include <linux/hw_breakpoint.h>
2472 + #include <linux/cn_proc.h>
2473 + #include <linux/compat.h>
2474 ++#include <linux/sched/signal.h>
2475 +
2476 + /*
2477 + * Access another process' address space via ptrace.
2478 +@@ -924,18 +925,26 @@ int ptrace_request(struct task_struct *child, long request,
2479 + ret = ptrace_setsiginfo(child, &siginfo);
2480 + break;
2481 +
2482 +- case PTRACE_GETSIGMASK:
2483 ++ case PTRACE_GETSIGMASK: {
2484 ++ sigset_t *mask;
2485 ++
2486 + if (addr != sizeof(sigset_t)) {
2487 + ret = -EINVAL;
2488 + break;
2489 + }
2490 +
2491 +- if (copy_to_user(datavp, &child->blocked, sizeof(sigset_t)))
2492 ++ if (test_tsk_restore_sigmask(child))
2493 ++ mask = &child->saved_sigmask;
2494 ++ else
2495 ++ mask = &child->blocked;
2496 ++
2497 ++ if (copy_to_user(datavp, mask, sizeof(sigset_t)))
2498 + ret = -EFAULT;
2499 + else
2500 + ret = 0;
2501 +
2502 + break;
2503 ++ }
2504 +
2505 + case PTRACE_SETSIGMASK: {
2506 + sigset_t new_set;
2507 +@@ -961,6 +970,8 @@ int ptrace_request(struct task_struct *child, long request,
2508 + child->blocked = new_set;
2509 + spin_unlock_irq(&child->sighand->siglock);
2510 +
2511 ++ clear_tsk_restore_sigmask(child);
2512 ++
2513 + ret = 0;
2514 + break;
2515 + }
2516 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
2517 +index d07fc2836786..3842773b8aee 100644
2518 +--- a/kernel/trace/trace.c
2519 ++++ b/kernel/trace/trace.c
2520 +@@ -6843,12 +6843,16 @@ static void buffer_pipe_buf_release(struct pipe_inode_info *pipe,
2521 + buf->private = 0;
2522 + }
2523 +
2524 +-static void buffer_pipe_buf_get(struct pipe_inode_info *pipe,
2525 ++static bool buffer_pipe_buf_get(struct pipe_inode_info *pipe,
2526 + struct pipe_buffer *buf)
2527 + {
2528 + struct buffer_ref *ref = (struct buffer_ref *)buf->private;
2529 +
2530 ++ if (refcount_read(&ref->refcount) > INT_MAX/2)
2531 ++ return false;
2532 ++
2533 + refcount_inc(&ref->refcount);
2534 ++ return true;
2535 + }
2536 +
2537 + /* Pipe buffer operations for a buffer. */
2538 +diff --git a/lib/sbitmap.c b/lib/sbitmap.c
2539 +index 5b382c1244ed..155fe38756ec 100644
2540 +--- a/lib/sbitmap.c
2541 ++++ b/lib/sbitmap.c
2542 +@@ -591,6 +591,17 @@ EXPORT_SYMBOL_GPL(sbitmap_queue_wake_up);
2543 + void sbitmap_queue_clear(struct sbitmap_queue *sbq, unsigned int nr,
2544 + unsigned int cpu)
2545 + {
2546 ++ /*
2547 ++ * Once the clear bit is set, the bit may be allocated out.
2548 ++ *
2549 ++ * Orders READ/WRITE on the asssociated instance(such as request
2550 ++ * of blk_mq) by this bit for avoiding race with re-allocation,
2551 ++ * and its pair is the memory barrier implied in __sbitmap_get_word.
2552 ++ *
2553 ++ * One invariant is that the clear bit has to be zero when the bit
2554 ++ * is in use.
2555 ++ */
2556 ++ smp_mb__before_atomic();
2557 + sbitmap_deferred_clear_bit(&sbq->sb, nr);
2558 +
2559 + /*
2560 +diff --git a/mm/gup.c b/mm/gup.c
2561 +index 75029649baca..81e0bdefa2cc 100644
2562 +--- a/mm/gup.c
2563 ++++ b/mm/gup.c
2564 +@@ -157,8 +157,12 @@ retry:
2565 + goto retry;
2566 + }
2567 +
2568 +- if (flags & FOLL_GET)
2569 +- get_page(page);
2570 ++ if (flags & FOLL_GET) {
2571 ++ if (unlikely(!try_get_page(page))) {
2572 ++ page = ERR_PTR(-ENOMEM);
2573 ++ goto out;
2574 ++ }
2575 ++ }
2576 + if (flags & FOLL_TOUCH) {
2577 + if ((flags & FOLL_WRITE) &&
2578 + !pte_dirty(pte) && !PageDirty(page))
2579 +@@ -295,7 +299,10 @@ retry_locked:
2580 + if (pmd_trans_unstable(pmd))
2581 + ret = -EBUSY;
2582 + } else {
2583 +- get_page(page);
2584 ++ if (unlikely(!try_get_page(page))) {
2585 ++ spin_unlock(ptl);
2586 ++ return ERR_PTR(-ENOMEM);
2587 ++ }
2588 + spin_unlock(ptl);
2589 + lock_page(page);
2590 + ret = split_huge_page(page);
2591 +@@ -497,7 +504,10 @@ static int get_gate_page(struct mm_struct *mm, unsigned long address,
2592 + if (is_device_public_page(*page))
2593 + goto unmap;
2594 + }
2595 +- get_page(*page);
2596 ++ if (unlikely(!try_get_page(*page))) {
2597 ++ ret = -ENOMEM;
2598 ++ goto unmap;
2599 ++ }
2600 + out:
2601 + ret = 0;
2602 + unmap:
2603 +@@ -1393,6 +1403,20 @@ static void undo_dev_pagemap(int *nr, int nr_start, struct page **pages)
2604 + }
2605 + }
2606 +
2607 ++/*
2608 ++ * Return the compund head page with ref appropriately incremented,
2609 ++ * or NULL if that failed.
2610 ++ */
2611 ++static inline struct page *try_get_compound_head(struct page *page, int refs)
2612 ++{
2613 ++ struct page *head = compound_head(page);
2614 ++ if (WARN_ON_ONCE(page_ref_count(head) < 0))
2615 ++ return NULL;
2616 ++ if (unlikely(!page_cache_add_speculative(head, refs)))
2617 ++ return NULL;
2618 ++ return head;
2619 ++}
2620 ++
2621 + #ifdef CONFIG_ARCH_HAS_PTE_SPECIAL
2622 + static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
2623 + int write, struct page **pages, int *nr)
2624 +@@ -1427,9 +1451,9 @@ static int gup_pte_range(pmd_t pmd, unsigned long addr, unsigned long end,
2625 +
2626 + VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
2627 + page = pte_page(pte);
2628 +- head = compound_head(page);
2629 +
2630 +- if (!page_cache_get_speculative(head))
2631 ++ head = try_get_compound_head(page, 1);
2632 ++ if (!head)
2633 + goto pte_unmap;
2634 +
2635 + if (unlikely(pte_val(pte) != pte_val(*ptep))) {
2636 +@@ -1568,8 +1592,8 @@ static int gup_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
2637 + refs++;
2638 + } while (addr += PAGE_SIZE, addr != end);
2639 +
2640 +- head = compound_head(pmd_page(orig));
2641 +- if (!page_cache_add_speculative(head, refs)) {
2642 ++ head = try_get_compound_head(pmd_page(orig), refs);
2643 ++ if (!head) {
2644 + *nr -= refs;
2645 + return 0;
2646 + }
2647 +@@ -1606,8 +1630,8 @@ static int gup_huge_pud(pud_t orig, pud_t *pudp, unsigned long addr,
2648 + refs++;
2649 + } while (addr += PAGE_SIZE, addr != end);
2650 +
2651 +- head = compound_head(pud_page(orig));
2652 +- if (!page_cache_add_speculative(head, refs)) {
2653 ++ head = try_get_compound_head(pud_page(orig), refs);
2654 ++ if (!head) {
2655 + *nr -= refs;
2656 + return 0;
2657 + }
2658 +@@ -1643,8 +1667,8 @@ static int gup_huge_pgd(pgd_t orig, pgd_t *pgdp, unsigned long addr,
2659 + refs++;
2660 + } while (addr += PAGE_SIZE, addr != end);
2661 +
2662 +- head = compound_head(pgd_page(orig));
2663 +- if (!page_cache_add_speculative(head, refs)) {
2664 ++ head = try_get_compound_head(pgd_page(orig), refs);
2665 ++ if (!head) {
2666 + *nr -= refs;
2667 + return 0;
2668 + }
2669 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
2670 +index 8dfdffc34a99..c220315dc533 100644
2671 +--- a/mm/hugetlb.c
2672 ++++ b/mm/hugetlb.c
2673 +@@ -4298,6 +4298,19 @@ long follow_hugetlb_page(struct mm_struct *mm, struct vm_area_struct *vma,
2674 +
2675 + pfn_offset = (vaddr & ~huge_page_mask(h)) >> PAGE_SHIFT;
2676 + page = pte_page(huge_ptep_get(pte));
2677 ++
2678 ++ /*
2679 ++ * Instead of doing 'try_get_page()' below in the same_page
2680 ++ * loop, just check the count once here.
2681 ++ */
2682 ++ if (unlikely(page_count(page) <= 0)) {
2683 ++ if (pages) {
2684 ++ spin_unlock(ptl);
2685 ++ remainder = 0;
2686 ++ err = -ENOMEM;
2687 ++ break;
2688 ++ }
2689 ++ }
2690 + same_page:
2691 + if (pages) {
2692 + pages[i] = mem_map_offset(page, pfn_offset);
2693 +diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
2694 +index ea51b2d898ec..c980ce43e3ba 100644
2695 +--- a/mm/kasan/kasan.h
2696 ++++ b/mm/kasan/kasan.h
2697 +@@ -164,7 +164,10 @@ static inline u8 random_tag(void)
2698 + #endif
2699 +
2700 + #ifndef arch_kasan_set_tag
2701 +-#define arch_kasan_set_tag(addr, tag) ((void *)(addr))
2702 ++static inline const void *arch_kasan_set_tag(const void *addr, u8 tag)
2703 ++{
2704 ++ return addr;
2705 ++}
2706 + #endif
2707 + #ifndef arch_kasan_reset_tag
2708 + #define arch_kasan_reset_tag(addr) ((void *)(addr))
2709 +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
2710 +index 40d058378b52..fc605758323b 100644
2711 +--- a/net/bridge/br_netfilter_hooks.c
2712 ++++ b/net/bridge/br_netfilter_hooks.c
2713 +@@ -502,6 +502,7 @@ static unsigned int br_nf_pre_routing(void *priv,
2714 + nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
2715 +
2716 + skb->protocol = htons(ETH_P_IP);
2717 ++ skb->transport_header = skb->network_header + ip_hdr(skb)->ihl * 4;
2718 +
2719 + NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
2720 + skb->dev, NULL,
2721 +diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
2722 +index 564710f88f93..e88d6641647b 100644
2723 +--- a/net/bridge/br_netfilter_ipv6.c
2724 ++++ b/net/bridge/br_netfilter_ipv6.c
2725 +@@ -235,6 +235,8 @@ unsigned int br_nf_pre_routing_ipv6(void *priv,
2726 + nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;
2727 +
2728 + skb->protocol = htons(ETH_P_IPV6);
2729 ++ skb->transport_header = skb->network_header + sizeof(struct ipv6hdr);
2730 ++
2731 + NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->net, state->sk, skb,
2732 + skb->dev, NULL,
2733 + br_nf_pre_routing_finish_ipv6);
2734 +diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
2735 +index 1059894a6f4c..4cb83fb69844 100644
2736 +--- a/net/ipv6/netfilter/ip6t_srh.c
2737 ++++ b/net/ipv6/netfilter/ip6t_srh.c
2738 +@@ -210,6 +210,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
2739 + psidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
2740 + ((srh->segments_left + 1) * sizeof(struct in6_addr));
2741 + psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid);
2742 ++ if (!psid)
2743 ++ return false;
2744 + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID,
2745 + ipv6_masked_addr_cmp(psid, &srhinfo->psid_msk,
2746 + &srhinfo->psid_addr)))
2747 +@@ -223,6 +225,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
2748 + nsidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
2749 + ((srh->segments_left - 1) * sizeof(struct in6_addr));
2750 + nsid = skb_header_pointer(skb, nsidoff, sizeof(_nsid), &_nsid);
2751 ++ if (!nsid)
2752 ++ return false;
2753 + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID,
2754 + ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk,
2755 + &srhinfo->nsid_addr)))
2756 +@@ -233,6 +237,8 @@ static bool srh1_mt6(const struct sk_buff *skb, struct xt_action_param *par)
2757 + if (srhinfo->mt_flags & IP6T_SRH_LSID) {
2758 + lsidoff = srhoff + sizeof(struct ipv6_sr_hdr);
2759 + lsid = skb_header_pointer(skb, lsidoff, sizeof(_lsid), &_lsid);
2760 ++ if (!lsid)
2761 ++ return false;
2762 + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID,
2763 + ipv6_masked_addr_cmp(lsid, &srhinfo->lsid_msk,
2764 + &srhinfo->lsid_addr)))
2765 +diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
2766 +index beb3a69ce1d4..0f0e5806bf77 100644
2767 +--- a/net/netfilter/Kconfig
2768 ++++ b/net/netfilter/Kconfig
2769 +@@ -995,6 +995,7 @@ config NETFILTER_XT_TARGET_TEE
2770 + depends on NETFILTER_ADVANCED
2771 + depends on IPV6 || IPV6=n
2772 + depends on !NF_CONNTRACK || NF_CONNTRACK
2773 ++ depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
2774 + select NF_DUP_IPV4
2775 + select NF_DUP_IPV6 if IP6_NF_IPTABLES
2776 + ---help---
2777 +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
2778 +index fa61208371f8..321a0036fdf5 100644
2779 +--- a/net/netfilter/nft_set_rbtree.c
2780 ++++ b/net/netfilter/nft_set_rbtree.c
2781 +@@ -308,10 +308,6 @@ static void *nft_rbtree_deactivate(const struct net *net,
2782 + else if (d > 0)
2783 + parent = parent->rb_right;
2784 + else {
2785 +- if (!nft_set_elem_active(&rbe->ext, genmask)) {
2786 +- parent = parent->rb_left;
2787 +- continue;
2788 +- }
2789 + if (nft_rbtree_interval_end(rbe) &&
2790 + !nft_rbtree_interval_end(this)) {
2791 + parent = parent->rb_left;
2792 +@@ -320,6 +316,9 @@ static void *nft_rbtree_deactivate(const struct net *net,
2793 + nft_rbtree_interval_end(this)) {
2794 + parent = parent->rb_right;
2795 + continue;
2796 ++ } else if (!nft_set_elem_active(&rbe->ext, genmask)) {
2797 ++ parent = parent->rb_left;
2798 ++ continue;
2799 + }
2800 + nft_rbtree_flush(net, set, rbe);
2801 + return rbe;
2802 +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
2803 +index 7754aa3e434f..f88c2bd1335a 100644
2804 +--- a/net/sunrpc/xprtsock.c
2805 ++++ b/net/sunrpc/xprtsock.c
2806 +@@ -486,8 +486,8 @@ xs_read_stream_request(struct sock_xprt *transport, struct msghdr *msg,
2807 + int flags, struct rpc_rqst *req)
2808 + {
2809 + struct xdr_buf *buf = &req->rq_private_buf;
2810 +- size_t want, read;
2811 +- ssize_t ret;
2812 ++ size_t want, uninitialized_var(read);
2813 ++ ssize_t uninitialized_var(ret);
2814 +
2815 + xs_read_header(transport, buf);
2816 +
2817 +diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
2818 +index 37e1fe180769..9c767c68ed3a 100644
2819 +--- a/net/xdp/xdp_umem.c
2820 ++++ b/net/xdp/xdp_umem.c
2821 +@@ -189,9 +189,6 @@ static void xdp_umem_unaccount_pages(struct xdp_umem *umem)
2822 +
2823 + static void xdp_umem_release(struct xdp_umem *umem)
2824 + {
2825 +- struct task_struct *task;
2826 +- struct mm_struct *mm;
2827 +-
2828 + xdp_umem_clear_dev(umem);
2829 +
2830 + if (umem->fq) {
2831 +@@ -208,21 +205,10 @@ static void xdp_umem_release(struct xdp_umem *umem)
2832 +
2833 + xdp_umem_unpin_pages(umem);
2834 +
2835 +- task = get_pid_task(umem->pid, PIDTYPE_PID);
2836 +- put_pid(umem->pid);
2837 +- if (!task)
2838 +- goto out;
2839 +- mm = get_task_mm(task);
2840 +- put_task_struct(task);
2841 +- if (!mm)
2842 +- goto out;
2843 +-
2844 +- mmput(mm);
2845 + kfree(umem->pages);
2846 + umem->pages = NULL;
2847 +
2848 + xdp_umem_unaccount_pages(umem);
2849 +-out:
2850 + kfree(umem);
2851 + }
2852 +
2853 +@@ -351,7 +337,6 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
2854 + if (size_chk < 0)
2855 + return -EINVAL;
2856 +
2857 +- umem->pid = get_task_pid(current, PIDTYPE_PID);
2858 + umem->address = (unsigned long)addr;
2859 + umem->chunk_mask = ~((u64)chunk_size - 1);
2860 + umem->size = size;
2861 +@@ -367,7 +352,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
2862 +
2863 + err = xdp_umem_account_pages(umem);
2864 + if (err)
2865 +- goto out;
2866 ++ return err;
2867 +
2868 + err = xdp_umem_pin_pages(umem);
2869 + if (err)
2870 +@@ -386,8 +371,6 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
2871 +
2872 + out_account:
2873 + xdp_umem_unaccount_pages(umem);
2874 +-out:
2875 +- put_pid(umem->pid);
2876 + return err;
2877 + }
2878 +
2879 +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
2880 +index 611945611bf8..1dcfb288ee63 100644
2881 +--- a/scripts/kconfig/lxdialog/inputbox.c
2882 ++++ b/scripts/kconfig/lxdialog/inputbox.c
2883 +@@ -113,7 +113,8 @@ do_resize:
2884 + case KEY_DOWN:
2885 + break;
2886 + case KEY_BACKSPACE:
2887 +- case 127:
2888 ++ case 8: /* ^H */
2889 ++ case 127: /* ^? */
2890 + if (pos) {
2891 + wattrset(dialog, dlg.inputbox.atr);
2892 + if (input_x == 0) {
2893 +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
2894 +index a4670f4e825a..ac92c0ded6c5 100644
2895 +--- a/scripts/kconfig/nconf.c
2896 ++++ b/scripts/kconfig/nconf.c
2897 +@@ -1048,7 +1048,7 @@ static int do_match(int key, struct match_state *state, int *ans)
2898 + state->match_direction = FIND_NEXT_MATCH_UP;
2899 + *ans = get_mext_match(state->pattern,
2900 + state->match_direction);
2901 +- } else if (key == KEY_BACKSPACE || key == 127) {
2902 ++ } else if (key == KEY_BACKSPACE || key == 8 || key == 127) {
2903 + state->pattern[strlen(state->pattern)-1] = '\0';
2904 + adj_match_dir(&state->match_direction);
2905 + } else
2906 +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
2907 +index 7be620a1fcdb..77f525a8617c 100644
2908 +--- a/scripts/kconfig/nconf.gui.c
2909 ++++ b/scripts/kconfig/nconf.gui.c
2910 +@@ -439,7 +439,8 @@ int dialog_inputbox(WINDOW *main_window,
2911 + case KEY_F(F_EXIT):
2912 + case KEY_F(F_BACK):
2913 + break;
2914 +- case 127:
2915 ++ case 8: /* ^H */
2916 ++ case 127: /* ^? */
2917 + case KEY_BACKSPACE:
2918 + if (cursor_position > 0) {
2919 + memmove(&result[cursor_position-1],
2920 +diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
2921 +index 1ceedea847dd..544ca126a8a8 100644
2922 +--- a/scripts/selinux/genheaders/genheaders.c
2923 ++++ b/scripts/selinux/genheaders/genheaders.c
2924 +@@ -9,7 +9,6 @@
2925 + #include <string.h>
2926 + #include <errno.h>
2927 + #include <ctype.h>
2928 +-#include <sys/socket.h>
2929 +
2930 + struct security_class_mapping {
2931 + const char *name;
2932 +diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
2933 +index 073fe7537f6c..6d51b74bc679 100644
2934 +--- a/scripts/selinux/mdp/mdp.c
2935 ++++ b/scripts/selinux/mdp/mdp.c
2936 +@@ -32,7 +32,6 @@
2937 + #include <stdlib.h>
2938 + #include <unistd.h>
2939 + #include <string.h>
2940 +-#include <sys/socket.h>
2941 +
2942 + static void usage(char *name)
2943 + {
2944 +diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
2945 +index bd5fe0d3204a..201f7e588a29 100644
2946 +--- a/security/selinux/include/classmap.h
2947 ++++ b/security/selinux/include/classmap.h
2948 +@@ -1,5 +1,6 @@
2949 + /* SPDX-License-Identifier: GPL-2.0 */
2950 + #include <linux/capability.h>
2951 ++#include <linux/socket.h>
2952 +
2953 + #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
2954 + "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"
2955 +diff --git a/tools/build/feature/test-libopencsd.c b/tools/build/feature/test-libopencsd.c
2956 +index d68eb4fb40cc..2b0e02c38870 100644
2957 +--- a/tools/build/feature/test-libopencsd.c
2958 ++++ b/tools/build/feature/test-libopencsd.c
2959 +@@ -4,9 +4,9 @@
2960 + /*
2961 + * Check OpenCSD library version is sufficient to provide required features
2962 + */
2963 +-#define OCSD_MIN_VER ((0 << 16) | (10 << 8) | (0))
2964 ++#define OCSD_MIN_VER ((0 << 16) | (11 << 8) | (0))
2965 + #if !defined(OCSD_VER_NUM) || (OCSD_VER_NUM < OCSD_MIN_VER)
2966 +-#error "OpenCSD >= 0.10.0 is required"
2967 ++#error "OpenCSD >= 0.11.0 is required"
2968 + #endif
2969 +
2970 + int main(void)
2971 +diff --git a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
2972 +index 8c155575c6c5..2a8bf6b45a30 100644
2973 +--- a/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
2974 ++++ b/tools/perf/util/cs-etm-decoder/cs-etm-decoder.c
2975 +@@ -374,6 +374,7 @@ cs_etm_decoder__buffer_range(struct cs_etm_decoder *decoder,
2976 + break;
2977 + case OCSD_INSTR_ISB:
2978 + case OCSD_INSTR_DSB_DMB:
2979 ++ case OCSD_INSTR_WFI_WFE:
2980 + case OCSD_INSTR_OTHER:
2981 + default:
2982 + packet->last_instr_taken_branch = false;
2983 +diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
2984 +index 143f7057d581..596db1daee35 100644
2985 +--- a/tools/perf/util/machine.c
2986 ++++ b/tools/perf/util/machine.c
2987 +@@ -1358,6 +1358,20 @@ static void machine__set_kernel_mmap(struct machine *machine,
2988 + machine->vmlinux_map->end = ~0ULL;
2989 + }
2990 +
2991 ++static void machine__update_kernel_mmap(struct machine *machine,
2992 ++ u64 start, u64 end)
2993 ++{
2994 ++ struct map *map = machine__kernel_map(machine);
2995 ++
2996 ++ map__get(map);
2997 ++ map_groups__remove(&machine->kmaps, map);
2998 ++
2999 ++ machine__set_kernel_mmap(machine, start, end);
3000 ++
3001 ++ map_groups__insert(&machine->kmaps, map);
3002 ++ map__put(map);
3003 ++}
3004 ++
3005 + int machine__create_kernel_maps(struct machine *machine)
3006 + {
3007 + struct dso *kernel = machine__get_kernel(machine);
3008 +@@ -1390,17 +1404,11 @@ int machine__create_kernel_maps(struct machine *machine)
3009 + goto out_put;
3010 + }
3011 +
3012 +- /* we have a real start address now, so re-order the kmaps */
3013 +- map = machine__kernel_map(machine);
3014 +-
3015 +- map__get(map);
3016 +- map_groups__remove(&machine->kmaps, map);
3017 +-
3018 +- /* assume it's the last in the kmaps */
3019 +- machine__set_kernel_mmap(machine, addr, ~0ULL);
3020 +-
3021 +- map_groups__insert(&machine->kmaps, map);
3022 +- map__put(map);
3023 ++ /*
3024 ++ * we have a real start address now, so re-order the kmaps
3025 ++ * assume it's the last in the kmaps
3026 ++ */
3027 ++ machine__update_kernel_mmap(machine, addr, ~0ULL);
3028 + }
3029 +
3030 + if (machine__create_extra_kernel_maps(machine, kernel))
3031 +@@ -1536,7 +1544,7 @@ static int machine__process_kernel_mmap_event(struct machine *machine,
3032 + if (strstr(kernel->long_name, "vmlinux"))
3033 + dso__set_short_name(kernel, "[kernel.vmlinux]", false);
3034 +
3035 +- machine__set_kernel_mmap(machine, event->mmap.start,
3036 ++ machine__update_kernel_mmap(machine, event->mmap.start,
3037 + event->mmap.start + event->mmap.len);
3038 +
3039 + /*
3040 +diff --git a/tools/testing/selftests/kvm/Makefile b/tools/testing/selftests/kvm/Makefile
3041 +index f9a0e9938480..cb4a992d6dd3 100644
3042 +--- a/tools/testing/selftests/kvm/Makefile
3043 ++++ b/tools/testing/selftests/kvm/Makefile
3044 +@@ -28,8 +28,8 @@ LIBKVM += $(LIBKVM_$(UNAME_M))
3045 + INSTALL_HDR_PATH = $(top_srcdir)/usr
3046 + LINUX_HDR_PATH = $(INSTALL_HDR_PATH)/include/
3047 + LINUX_TOOL_INCLUDE = $(top_srcdir)/tools/include
3048 +-CFLAGS += -O2 -g -std=gnu99 -I$(LINUX_TOOL_INCLUDE) -I$(LINUX_HDR_PATH) -Iinclude -I$(<D) -Iinclude/$(UNAME_M) -I..
3049 +-LDFLAGS += -pthread
3050 ++CFLAGS += -O2 -g -std=gnu99 -fno-stack-protector -fno-PIE -I$(LINUX_TOOL_INCLUDE) -I$(LINUX_HDR_PATH) -Iinclude -I$(<D) -Iinclude/$(UNAME_M) -I..
3051 ++LDFLAGS += -pthread -no-pie
3052 +
3053 + # After inclusion, $(OUTPUT) is defined and
3054 + # $(TEST_GEN_PROGS) starts with $(OUTPUT)/
3055 +diff --git a/tools/testing/selftests/kvm/include/kvm_util.h b/tools/testing/selftests/kvm/include/kvm_util.h
3056 +index a84785b02557..07b71ad9734a 100644
3057 +--- a/tools/testing/selftests/kvm/include/kvm_util.h
3058 ++++ b/tools/testing/selftests/kvm/include/kvm_util.h
3059 +@@ -102,6 +102,7 @@ vm_paddr_t addr_gva2gpa(struct kvm_vm *vm, vm_vaddr_t gva);
3060 + struct kvm_run *vcpu_state(struct kvm_vm *vm, uint32_t vcpuid);
3061 + void vcpu_run(struct kvm_vm *vm, uint32_t vcpuid);
3062 + int _vcpu_run(struct kvm_vm *vm, uint32_t vcpuid);
3063 ++void vcpu_run_complete_io(struct kvm_vm *vm, uint32_t vcpuid);
3064 + void vcpu_set_mp_state(struct kvm_vm *vm, uint32_t vcpuid,
3065 + struct kvm_mp_state *mp_state);
3066 + void vcpu_regs_get(struct kvm_vm *vm, uint32_t vcpuid, struct kvm_regs *regs);
3067 +diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
3068 +index b52cfdefecbf..efa0aad8b3c6 100644
3069 +--- a/tools/testing/selftests/kvm/lib/kvm_util.c
3070 ++++ b/tools/testing/selftests/kvm/lib/kvm_util.c
3071 +@@ -1121,6 +1121,22 @@ int _vcpu_run(struct kvm_vm *vm, uint32_t vcpuid)
3072 + return rc;
3073 + }
3074 +
3075 ++void vcpu_run_complete_io(struct kvm_vm *vm, uint32_t vcpuid)
3076 ++{
3077 ++ struct vcpu *vcpu = vcpu_find(vm, vcpuid);
3078 ++ int ret;
3079 ++
3080 ++ TEST_ASSERT(vcpu != NULL, "vcpu not found, vcpuid: %u", vcpuid);
3081 ++
3082 ++ vcpu->state->immediate_exit = 1;
3083 ++ ret = ioctl(vcpu->fd, KVM_RUN, NULL);
3084 ++ vcpu->state->immediate_exit = 0;
3085 ++
3086 ++ TEST_ASSERT(ret == -1 && errno == EINTR,
3087 ++ "KVM_RUN IOCTL didn't exit immediately, rc: %i, errno: %i",
3088 ++ ret, errno);
3089 ++}
3090 ++
3091 + /*
3092 + * VM VCPU Set MP State
3093 + *
3094 +diff --git a/tools/testing/selftests/kvm/x86_64/cr4_cpuid_sync_test.c b/tools/testing/selftests/kvm/x86_64/cr4_cpuid_sync_test.c
3095 +index d503a51fad30..7c2c4d4055a8 100644
3096 +--- a/tools/testing/selftests/kvm/x86_64/cr4_cpuid_sync_test.c
3097 ++++ b/tools/testing/selftests/kvm/x86_64/cr4_cpuid_sync_test.c
3098 +@@ -87,22 +87,25 @@ int main(int argc, char *argv[])
3099 + while (1) {
3100 + rc = _vcpu_run(vm, VCPU_ID);
3101 +
3102 +- if (run->exit_reason == KVM_EXIT_IO) {
3103 +- switch (get_ucall(vm, VCPU_ID, &uc)) {
3104 +- case UCALL_SYNC:
3105 +- /* emulate hypervisor clearing CR4.OSXSAVE */
3106 +- vcpu_sregs_get(vm, VCPU_ID, &sregs);
3107 +- sregs.cr4 &= ~X86_CR4_OSXSAVE;
3108 +- vcpu_sregs_set(vm, VCPU_ID, &sregs);
3109 +- break;
3110 +- case UCALL_ABORT:
3111 +- TEST_ASSERT(false, "Guest CR4 bit (OSXSAVE) unsynchronized with CPUID bit.");
3112 +- break;
3113 +- case UCALL_DONE:
3114 +- goto done;
3115 +- default:
3116 +- TEST_ASSERT(false, "Unknown ucall 0x%x.", uc.cmd);
3117 +- }
3118 ++ TEST_ASSERT(run->exit_reason == KVM_EXIT_IO,
3119 ++ "Unexpected exit reason: %u (%s),\n",
3120 ++ run->exit_reason,
3121 ++ exit_reason_str(run->exit_reason));
3122 ++
3123 ++ switch (get_ucall(vm, VCPU_ID, &uc)) {
3124 ++ case UCALL_SYNC:
3125 ++ /* emulate hypervisor clearing CR4.OSXSAVE */
3126 ++ vcpu_sregs_get(vm, VCPU_ID, &sregs);
3127 ++ sregs.cr4 &= ~X86_CR4_OSXSAVE;
3128 ++ vcpu_sregs_set(vm, VCPU_ID, &sregs);
3129 ++ break;
3130 ++ case UCALL_ABORT:
3131 ++ TEST_ASSERT(false, "Guest CR4 bit (OSXSAVE) unsynchronized with CPUID bit.");
3132 ++ break;
3133 ++ case UCALL_DONE:
3134 ++ goto done;
3135 ++ default:
3136 ++ TEST_ASSERT(false, "Unknown ucall 0x%x.", uc.cmd);
3137 + }
3138 + }
3139 +
3140 +diff --git a/tools/testing/selftests/kvm/x86_64/state_test.c b/tools/testing/selftests/kvm/x86_64/state_test.c
3141 +index 4b3f556265f1..30f75856cf39 100644
3142 +--- a/tools/testing/selftests/kvm/x86_64/state_test.c
3143 ++++ b/tools/testing/selftests/kvm/x86_64/state_test.c
3144 +@@ -134,6 +134,11 @@ int main(int argc, char *argv[])
3145 +
3146 + struct kvm_cpuid_entry2 *entry = kvm_get_supported_cpuid_entry(1);
3147 +
3148 ++ if (!kvm_check_cap(KVM_CAP_IMMEDIATE_EXIT)) {
3149 ++ fprintf(stderr, "immediate_exit not available, skipping test\n");
3150 ++ exit(KSFT_SKIP);
3151 ++ }
3152 ++
3153 + /* Create VM */
3154 + vm = vm_create_default(VCPU_ID, 0, guest_code);
3155 + vcpu_set_cpuid(vm, VCPU_ID, kvm_get_supported_cpuid());
3156 +@@ -156,8 +161,6 @@ int main(int argc, char *argv[])
3157 + stage, run->exit_reason,
3158 + exit_reason_str(run->exit_reason));
3159 +
3160 +- memset(&regs1, 0, sizeof(regs1));
3161 +- vcpu_regs_get(vm, VCPU_ID, &regs1);
3162 + switch (get_ucall(vm, VCPU_ID, &uc)) {
3163 + case UCALL_ABORT:
3164 + TEST_ASSERT(false, "%s at %s:%d", (const char *)uc.args[0],
3165 +@@ -176,6 +179,17 @@ int main(int argc, char *argv[])
3166 + uc.args[1] == stage, "Unexpected register values vmexit #%lx, got %lx",
3167 + stage, (ulong)uc.args[1]);
3168 +
3169 ++ /*
3170 ++ * When KVM exits to userspace with KVM_EXIT_IO, KVM guarantees
3171 ++ * guest state is consistent only after userspace re-enters the
3172 ++ * kernel with KVM_RUN. Complete IO prior to migrating state
3173 ++ * to a new VM.
3174 ++ */
3175 ++ vcpu_run_complete_io(vm, VCPU_ID);
3176 ++
3177 ++ memset(&regs1, 0, sizeof(regs1));
3178 ++ vcpu_regs_get(vm, VCPU_ID, &regs1);
3179 ++
3180 + state = vcpu_save_state(vm, VCPU_ID);
3181 + kvm_vm_release(vm);
3182 +
3183 +diff --git a/virt/kvm/arm/hyp/vgic-v3-sr.c b/virt/kvm/arm/hyp/vgic-v3-sr.c
3184 +index 9652c453480f..3c3f7cda95c7 100644
3185 +--- a/virt/kvm/arm/hyp/vgic-v3-sr.c
3186 ++++ b/virt/kvm/arm/hyp/vgic-v3-sr.c
3187 +@@ -222,7 +222,7 @@ void __hyp_text __vgic_v3_save_state(struct kvm_vcpu *vcpu)
3188 + }
3189 + }
3190 +
3191 +- if (used_lrs) {
3192 ++ if (used_lrs || cpu_if->its_vpe.its_vm) {
3193 + int i;
3194 + u32 elrsr;
3195 +
3196 +@@ -247,7 +247,7 @@ void __hyp_text __vgic_v3_restore_state(struct kvm_vcpu *vcpu)
3197 + u64 used_lrs = vcpu->arch.vgic_cpu.used_lrs;
3198 + int i;
3199 +
3200 +- if (used_lrs) {
3201 ++ if (used_lrs || cpu_if->its_vpe.its_vm) {
3202 + write_gicreg(cpu_if->vgic_hcr, ICH_HCR_EL2);
3203 +
3204 + for (i = 0; i < used_lrs; i++)
3205 +diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
3206 +index 5cc22cdaa5ba..31e22b615d99 100644
3207 +--- a/virt/kvm/arm/mmu.c
3208 ++++ b/virt/kvm/arm/mmu.c
3209 +@@ -1060,25 +1060,43 @@ static int stage2_set_pmd_huge(struct kvm *kvm, struct kvm_mmu_memory_cache
3210 + {
3211 + pmd_t *pmd, old_pmd;
3212 +
3213 ++retry:
3214 + pmd = stage2_get_pmd(kvm, cache, addr);
3215 + VM_BUG_ON(!pmd);
3216 +
3217 + old_pmd = *pmd;
3218 ++ /*
3219 ++ * Multiple vcpus faulting on the same PMD entry, can
3220 ++ * lead to them sequentially updating the PMD with the
3221 ++ * same value. Following the break-before-make
3222 ++ * (pmd_clear() followed by tlb_flush()) process can
3223 ++ * hinder forward progress due to refaults generated
3224 ++ * on missing translations.
3225 ++ *
3226 ++ * Skip updating the page table if the entry is
3227 ++ * unchanged.
3228 ++ */
3229 ++ if (pmd_val(old_pmd) == pmd_val(*new_pmd))
3230 ++ return 0;
3231 ++
3232 + if (pmd_present(old_pmd)) {
3233 + /*
3234 +- * Multiple vcpus faulting on the same PMD entry, can
3235 +- * lead to them sequentially updating the PMD with the
3236 +- * same value. Following the break-before-make
3237 +- * (pmd_clear() followed by tlb_flush()) process can
3238 +- * hinder forward progress due to refaults generated
3239 +- * on missing translations.
3240 ++ * If we already have PTE level mapping for this block,
3241 ++ * we must unmap it to avoid inconsistent TLB state and
3242 ++ * leaking the table page. We could end up in this situation
3243 ++ * if the memory slot was marked for dirty logging and was
3244 ++ * reverted, leaving PTE level mappings for the pages accessed
3245 ++ * during the period. So, unmap the PTE level mapping for this
3246 ++ * block and retry, as we could have released the upper level
3247 ++ * table in the process.
3248 + *
3249 +- * Skip updating the page table if the entry is
3250 +- * unchanged.
3251 ++ * Normal THP split/merge follows mmu_notifier callbacks and do
3252 ++ * get handled accordingly.
3253 + */
3254 +- if (pmd_val(old_pmd) == pmd_val(*new_pmd))
3255 +- return 0;
3256 +-
3257 ++ if (!pmd_thp_or_huge(old_pmd)) {
3258 ++ unmap_stage2_range(kvm, addr & S2_PMD_MASK, S2_PMD_SIZE);
3259 ++ goto retry;
3260 ++ }
3261 + /*
3262 + * Mapping in huge pages should only happen through a
3263 + * fault. If a page is merged into a transparent huge
3264 +@@ -1090,8 +1108,7 @@ static int stage2_set_pmd_huge(struct kvm *kvm, struct kvm_mmu_memory_cache
3265 + * should become splitting first, unmapped, merged,
3266 + * and mapped back in on-demand.
3267 + */
3268 +- VM_BUG_ON(pmd_pfn(old_pmd) != pmd_pfn(*new_pmd));
3269 +-
3270 ++ WARN_ON_ONCE(pmd_pfn(old_pmd) != pmd_pfn(*new_pmd));
3271 + pmd_clear(pmd);
3272 + kvm_tlb_flush_vmid_ipa(kvm, addr);
3273 + } else {
3274 +@@ -1107,6 +1124,7 @@ static int stage2_set_pud_huge(struct kvm *kvm, struct kvm_mmu_memory_cache *cac
3275 + {
3276 + pud_t *pudp, old_pud;
3277 +
3278 ++retry:
3279 + pudp = stage2_get_pud(kvm, cache, addr);
3280 + VM_BUG_ON(!pudp);
3281 +
3282 +@@ -1114,14 +1132,23 @@ static int stage2_set_pud_huge(struct kvm *kvm, struct kvm_mmu_memory_cache *cac
3283 +
3284 + /*
3285 + * A large number of vcpus faulting on the same stage 2 entry,
3286 +- * can lead to a refault due to the
3287 +- * stage2_pud_clear()/tlb_flush(). Skip updating the page
3288 +- * tables if there is no change.
3289 ++ * can lead to a refault due to the stage2_pud_clear()/tlb_flush().
3290 ++ * Skip updating the page tables if there is no change.
3291 + */
3292 + if (pud_val(old_pud) == pud_val(*new_pudp))
3293 + return 0;
3294 +
3295 + if (stage2_pud_present(kvm, old_pud)) {
3296 ++ /*
3297 ++ * If we already have table level mapping for this block, unmap
3298 ++ * the range for this block and retry.
3299 ++ */
3300 ++ if (!stage2_pud_huge(kvm, old_pud)) {
3301 ++ unmap_stage2_range(kvm, addr & S2_PUD_MASK, S2_PUD_SIZE);
3302 ++ goto retry;
3303 ++ }
3304 ++
3305 ++ WARN_ON_ONCE(kvm_pud_pfn(old_pud) != kvm_pud_pfn(*new_pudp));
3306 + stage2_pud_clear(kvm, pudp);
3307 + kvm_tlb_flush_vmid_ipa(kvm, addr);
3308 + } else {
3309 +diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
3310 +index ab3f47745d9c..fcb2fceaa4a5 100644
3311 +--- a/virt/kvm/arm/vgic/vgic-its.c
3312 ++++ b/virt/kvm/arm/vgic/vgic-its.c
3313 +@@ -754,8 +754,9 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
3314 + u64 indirect_ptr, type = GITS_BASER_TYPE(baser);
3315 + phys_addr_t base = GITS_BASER_ADDR_48_to_52(baser);
3316 + int esz = GITS_BASER_ENTRY_SIZE(baser);
3317 +- int index;
3318 ++ int index, idx;
3319 + gfn_t gfn;
3320 ++ bool ret;
3321 +
3322 + switch (type) {
3323 + case GITS_BASER_TYPE_DEVICE:
3324 +@@ -782,7 +783,8 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
3325 +
3326 + if (eaddr)
3327 + *eaddr = addr;
3328 +- return kvm_is_visible_gfn(its->dev->kvm, gfn);
3329 ++
3330 ++ goto out;
3331 + }
3332 +
3333 + /* calculate and check the index into the 1st level */
3334 +@@ -812,7 +814,12 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id,
3335 +
3336 + if (eaddr)
3337 + *eaddr = indirect_ptr;
3338 +- return kvm_is_visible_gfn(its->dev->kvm, gfn);
3339 ++
3340 ++out:
3341 ++ idx = srcu_read_lock(&its->dev->kvm->srcu);
3342 ++ ret = kvm_is_visible_gfn(its->dev->kvm, gfn);
3343 ++ srcu_read_unlock(&its->dev->kvm->srcu, idx);
3344 ++ return ret;
3345 + }
3346 +
3347 + static int vgic_its_alloc_collection(struct vgic_its *its,
3348 +@@ -1919,7 +1926,7 @@ static int vgic_its_save_ite(struct vgic_its *its, struct its_device *dev,
3349 + ((u64)ite->irq->intid << KVM_ITS_ITE_PINTID_SHIFT) |
3350 + ite->collection->collection_id;
3351 + val = cpu_to_le64(val);
3352 +- return kvm_write_guest(kvm, gpa, &val, ite_esz);
3353 ++ return kvm_write_guest_lock(kvm, gpa, &val, ite_esz);
3354 + }
3355 +
3356 + /**
3357 +@@ -2066,7 +2073,7 @@ static int vgic_its_save_dte(struct vgic_its *its, struct its_device *dev,
3358 + (itt_addr_field << KVM_ITS_DTE_ITTADDR_SHIFT) |
3359 + (dev->num_eventid_bits - 1));
3360 + val = cpu_to_le64(val);
3361 +- return kvm_write_guest(kvm, ptr, &val, dte_esz);
3362 ++ return kvm_write_guest_lock(kvm, ptr, &val, dte_esz);
3363 + }
3364 +
3365 + /**
3366 +@@ -2246,7 +2253,7 @@ static int vgic_its_save_cte(struct vgic_its *its,
3367 + ((u64)collection->target_addr << KVM_ITS_CTE_RDBASE_SHIFT) |
3368 + collection->collection_id);
3369 + val = cpu_to_le64(val);
3370 +- return kvm_write_guest(its->dev->kvm, gpa, &val, esz);
3371 ++ return kvm_write_guest_lock(its->dev->kvm, gpa, &val, esz);
3372 + }
3373 +
3374 + static int vgic_its_restore_cte(struct vgic_its *its, gpa_t gpa, int esz)
3375 +@@ -2317,7 +2324,7 @@ static int vgic_its_save_collection_table(struct vgic_its *its)
3376 + */
3377 + val = 0;
3378 + BUG_ON(cte_esz > sizeof(val));
3379 +- ret = kvm_write_guest(its->dev->kvm, gpa, &val, cte_esz);
3380 ++ ret = kvm_write_guest_lock(its->dev->kvm, gpa, &val, cte_esz);
3381 + return ret;
3382 + }
3383 +
3384 +diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c
3385 +index 4ee0aeb9a905..89260964be73 100644
3386 +--- a/virt/kvm/arm/vgic/vgic-v3.c
3387 ++++ b/virt/kvm/arm/vgic/vgic-v3.c
3388 +@@ -358,7 +358,7 @@ retry:
3389 + if (status) {
3390 + /* clear consumed data */
3391 + val &= ~(1 << bit_nr);
3392 +- ret = kvm_write_guest(kvm, ptr, &val, 1);
3393 ++ ret = kvm_write_guest_lock(kvm, ptr, &val, 1);
3394 + if (ret)
3395 + return ret;
3396 + }
3397 +@@ -409,7 +409,7 @@ int vgic_v3_save_pending_tables(struct kvm *kvm)
3398 + else
3399 + val &= ~(1 << bit_nr);
3400 +
3401 +- ret = kvm_write_guest(kvm, ptr, &val, 1);
3402 ++ ret = kvm_write_guest_lock(kvm, ptr, &val, 1);
3403 + if (ret)
3404 + return ret;
3405 + }
3406 +diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c
3407 +index abd9c7352677..3af69f2a3866 100644
3408 +--- a/virt/kvm/arm/vgic/vgic.c
3409 ++++ b/virt/kvm/arm/vgic/vgic.c
3410 +@@ -867,15 +867,21 @@ void kvm_vgic_flush_hwstate(struct kvm_vcpu *vcpu)
3411 + * either observe the new interrupt before or after doing this check,
3412 + * and introducing additional synchronization mechanism doesn't change
3413 + * this.
3414 ++ *
3415 ++ * Note that we still need to go through the whole thing if anything
3416 ++ * can be directly injected (GICv4).
3417 + */
3418 +- if (list_empty(&vcpu->arch.vgic_cpu.ap_list_head))
3419 ++ if (list_empty(&vcpu->arch.vgic_cpu.ap_list_head) &&
3420 ++ !vgic_supports_direct_msis(vcpu->kvm))
3421 + return;
3422 +
3423 + DEBUG_SPINLOCK_BUG_ON(!irqs_disabled());
3424 +
3425 +- raw_spin_lock(&vcpu->arch.vgic_cpu.ap_list_lock);
3426 +- vgic_flush_lr_state(vcpu);
3427 +- raw_spin_unlock(&vcpu->arch.vgic_cpu.ap_list_lock);
3428 ++ if (!list_empty(&vcpu->arch.vgic_cpu.ap_list_head)) {
3429 ++ raw_spin_lock(&vcpu->arch.vgic_cpu.ap_list_lock);
3430 ++ vgic_flush_lr_state(vcpu);
3431 ++ raw_spin_unlock(&vcpu->arch.vgic_cpu.ap_list_lock);
3432 ++ }
3433 +
3434 + if (can_access_vgic_from_kernel())
3435 + vgic_restore_state(vcpu);
Report Message
Find on MARC Find on Google Groups