
From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.19 commit in: /
Date: Wed, 09 Sep 2020 17:59:57
Message-Id: 1599674366.da15fdc8f254f2da7da6a4e9dfa62b88ed14034e.mpagano@gentoo
1 commit: da15fdc8f254f2da7da6a4e9dfa62b88ed14034e
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Sep 9 17:59:26 2020 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Sep 9 17:59:26 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=da15fdc8
7
8 Linux patch 4.19.144
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1143_linux-4.19.144.patch | 3925 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 3929 insertions(+)
15
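--- a/0000_README
+++ b/0000_README
@@ -611,6 +611,10 @@ Patch: 1142_linux-4.19.143.patch
 From: https://www.kernel.org
 Desc: Linux 4.19.143
 
+Patch: 1143_linux-4.19.144.patch
+From: https://www.kernel.org
+Desc: Linux 4.19.144
+
 Patch: 1500_XATTR_USER_PREFIX.patch
 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc: Support for namespace user.pax.* on tmpfs.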
32 diff --git a/1143_linux-4.19.144.patch b/1143_linux-4.19.144.patch
33 new file mode 100644
34 index 0000000..f86fb4f
35 --- /dev/null
36 +++ b/1143_linux-4.19.144.patch
37 @@ -0,0 +1,3925 @@
38 +diff --git a/Documentation/filesystems/affs.txt b/Documentation/filesystems/affs.txt
39 +index 71b63c2b98410..a8f1a58e36922 100644
40 +--- a/Documentation/filesystems/affs.txt
41 ++++ b/Documentation/filesystems/affs.txt
42 +@@ -93,13 +93,15 @@ The Amiga protection flags RWEDRWEDHSPARWED are handled as follows:
43 +
44 + - R maps to r for user, group and others. On directories, R implies x.
45 +
46 +- - If both W and D are allowed, w will be set.
47 ++ - W maps to w.
48 +
49 + - E maps to x.
50 +
51 +- - H and P are always retained and ignored under Linux.
52 ++ - D is ignored.
53 +
54 +- - A is always reset when a file is written to.
55 ++ - H, S and P are always retained and ignored under Linux.
56 ++
57 ++ - A is cleared when a file is written to.
58 +
59 + User id and group id will be used unless set[gu]id are given as mount
60 + options. Since most of the Amiga file systems are single user systems
61 +@@ -111,11 +113,13 @@ Linux -> Amiga:
62 +
63 + The Linux rwxrwxrwx file mode is handled as follows:
64 +
65 +- - r permission will set R for user, group and others.
66 ++ - r permission will allow R for user, group and others.
67 ++
68 ++ - w permission will allow W for user, group and others.
69 +
70 +- - w permission will set W and D for user, group and others.
71 ++ - x permission of the user will allow E for plain files.
72 +
73 +- - x permission of the user will set E for plain files.
74 ++ - D will be allowed for user, group and others.
75 +
76 + - All other flags (suid, sgid, ...) are ignored and will
77 + not be retained.
78 +diff --git a/Makefile b/Makefile
79 +index 6fa3278df77c9..ba9d0b4476e11 100644
80 +--- a/Makefile
81 ++++ b/Makefile
82 +@@ -1,7 +1,7 @@
83 + # SPDX-License-Identifier: GPL-2.0
84 + VERSION = 4
85 + PATCHLEVEL = 19
86 +-SUBLEVEL = 143
87 ++SUBLEVEL = 144
88 + EXTRAVERSION =
89 + NAME = "People's Front"
90 +
91 +diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
92 +index 8b284cbf8162f..a3b6f58d188c9 100644
93 +--- a/arch/arm64/include/asm/kvm_arm.h
94 ++++ b/arch/arm64/include/asm/kvm_arm.h
95 +@@ -83,11 +83,12 @@
96 + * IMO: Override CPSR.I and enable signaling with VI
97 + * FMO: Override CPSR.F and enable signaling with VF
98 + * SWIO: Turn set/way invalidates into set/way clean+invalidate
99 ++ * PTW: Take a stage2 fault if a stage1 walk steps in device memory
100 + */
101 + #define HCR_GUEST_FLAGS (HCR_TSC | HCR_TSW | HCR_TWE | HCR_TWI | HCR_VM | \
102 + HCR_TVM | HCR_BSU_IS | HCR_FB | HCR_TAC | \
103 + HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW | HCR_TLOR | \
104 +- HCR_FMO | HCR_IMO)
105 ++ HCR_FMO | HCR_IMO | HCR_PTW )
106 + #define HCR_VIRT_EXCP_MASK (HCR_VSE | HCR_VI | HCR_VF)
107 + #define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK)
108 + #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H)
109 +diff --git a/arch/arm64/include/asm/kvm_asm.h b/arch/arm64/include/asm/kvm_asm.h
110 +index 102b5a5c47b6c..e3c0dba5bddea 100644
111 +--- a/arch/arm64/include/asm/kvm_asm.h
112 ++++ b/arch/arm64/include/asm/kvm_asm.h
113 +@@ -87,6 +87,34 @@ extern u32 __init_stage2_translation(void);
114 + *__hyp_this_cpu_ptr(sym); \
115 + })
116 +
117 ++#define __KVM_EXTABLE(from, to) \
118 ++ " .pushsection __kvm_ex_table, \"a\"\n" \
119 ++ " .align 3\n" \
120 ++ " .long (" #from " - .), (" #to " - .)\n" \
121 ++ " .popsection\n"
122 ++
123 ++
124 ++#define __kvm_at(at_op, addr) \
125 ++( { \
126 ++ int __kvm_at_err = 0; \
127 ++ u64 spsr, elr; \
128 ++ asm volatile( \
129 ++ " mrs %1, spsr_el2\n" \
130 ++ " mrs %2, elr_el2\n" \
131 ++ "1: at "at_op", %3\n" \
132 ++ " isb\n" \
133 ++ " b 9f\n" \
134 ++ "2: msr spsr_el2, %1\n" \
135 ++ " msr elr_el2, %2\n" \
136 ++ " mov %w0, %4\n" \
137 ++ "9:\n" \
138 ++ __KVM_EXTABLE(1b, 2b) \
139 ++ : "+r" (__kvm_at_err), "=&r" (spsr), "=&r" (elr) \
140 ++ : "r" (addr), "i" (-EFAULT)); \
141 ++ __kvm_at_err; \
142 ++} )
143 ++
144 ++
145 + #else /* __ASSEMBLY__ */
146 +
147 + .macro hyp_adr_this_cpu reg, sym, tmp
148 +@@ -111,6 +139,21 @@ extern u32 __init_stage2_translation(void);
149 + kern_hyp_va \vcpu
150 + .endm
151 +
152 ++/*
153 ++ * KVM extable for unexpected exceptions.
154 ++ * In the same format _asm_extable, but output to a different section so that
155 ++ * it can be mapped to EL2. The KVM version is not sorted. The caller must
156 ++ * ensure:
157 ++ * x18 has the hypervisor value to allow any Shadow-Call-Stack instrumented
158 ++ * code to write to it, and that SPSR_EL2 and ELR_EL2 are restored by the fixup.
159 ++ */
160 ++.macro _kvm_extable, from, to
161 ++ .pushsection __kvm_ex_table, "a"
162 ++ .align 3
163 ++ .long (\from - .), (\to - .)
164 ++ .popsection
165 ++.endm
166 ++
167 + #endif
168 +
169 + #endif /* __ARM_KVM_ASM_H__ */
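Review bot: In the `__kvm_at` macro added by the first hunk, the temporaries `spsr` and `elr` are declared with plain names inside the statement expression, unlike `__kvm_at_err`, so an `addr` argument that mentions a caller variable called `spsr` or `elr` would bind to the macro's uninitialised locals instead. Renaming them in the same style, e.g. `u64 __kvm_at_spsr, __kvm_at_elr;` with the matching output operands, removes that capture hazard. The macro also has no comment, while the assembly-side `_kvm_extable` in the second hunk does; something like `/* Run an AT instruction; if it faults at EL2 the __kvm_ex_table fixup at 2: restores SPSR_EL2/ELR_EL2 and the macro yields -EFAULT, otherwise 0 */` would record the contract that the caller in switch.c depends on.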
170 +diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S
171 +index d6050c6e65bc1..69e7c8d4a00f6 100644
172 +--- a/arch/arm64/kernel/vmlinux.lds.S
173 ++++ b/arch/arm64/kernel/vmlinux.lds.S
174 +@@ -24,6 +24,13 @@ ENTRY(_text)
175 +
176 + jiffies = jiffies_64;
177 +
178 ++
179 ++#define HYPERVISOR_EXTABLE \
180 ++ . = ALIGN(SZ_8); \
181 ++ __start___kvm_ex_table = .; \
182 ++ *(__kvm_ex_table) \
183 ++ __stop___kvm_ex_table = .;
184 ++
185 + #define HYPERVISOR_TEXT \
186 + /* \
187 + * Align to 4 KB so that \
188 +@@ -39,6 +46,7 @@ jiffies = jiffies_64;
189 + __hyp_idmap_text_end = .; \
190 + __hyp_text_start = .; \
191 + *(.hyp.text) \
192 ++ HYPERVISOR_EXTABLE \
193 + __hyp_text_end = .;
194 +
195 + #define IDMAP_TEXT \
196 +diff --git a/arch/arm64/kvm/hyp/entry.S b/arch/arm64/kvm/hyp/entry.S
197 +index fad1e164fe488..fc83e932afbe3 100644
198 +--- a/arch/arm64/kvm/hyp/entry.S
199 ++++ b/arch/arm64/kvm/hyp/entry.S
200 +@@ -17,6 +17,7 @@
201 +
202 + #include <linux/linkage.h>
203 +
204 ++#include <asm/alternative.h>
205 + #include <asm/asm-offsets.h>
206 + #include <asm/assembler.h>
207 + #include <asm/fpsimdmacros.h>
208 +@@ -62,6 +63,20 @@ ENTRY(__guest_enter)
209 + // Store the host regs
210 + save_callee_saved_regs x1
211 +
212 ++ // Now the host state is stored if we have a pending RAS SError it must
213 ++ // affect the host. If any asynchronous exception is pending we defer
214 ++ // the guest entry. The DSB isn't necessary before v8.2 as any SError
215 ++ // would be fatal.
216 ++alternative_if ARM64_HAS_RAS_EXTN
217 ++ dsb nshst
218 ++ isb
219 ++alternative_else_nop_endif
220 ++ mrs x1, isr_el1
221 ++ cbz x1, 1f
222 ++ mov x0, #ARM_EXCEPTION_IRQ
223 ++ ret
224 ++
225 ++1:
226 + add x18, x0, #VCPU_CONTEXT
227 +
228 + // Restore guest regs x0-x17
229 +@@ -148,18 +163,22 @@ alternative_endif
230 + // This is our single instruction exception window. A pending
231 + // SError is guaranteed to occur at the earliest when we unmask
232 + // it, and at the latest just after the ISB.
233 +- .global abort_guest_exit_start
234 + abort_guest_exit_start:
235 +
236 + isb
237 +
238 +- .global abort_guest_exit_end
239 + abort_guest_exit_end:
240 ++ msr daifset, #4 // Mask aborts
241 ++ ret
242 ++
243 ++ _kvm_extable abort_guest_exit_start, 9997f
244 ++ _kvm_extable abort_guest_exit_end, 9997f
245 ++9997:
246 ++ msr daifset, #4 // Mask aborts
247 ++ mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
248 +
249 +- // If the exception took place, restore the EL1 exception
250 +- // context so that we can report some information.
251 +- // Merge the exception code with the SError pending bit.
252 +- tbz x0, #ARM_EXIT_WITH_SERROR_BIT, 1f
253 ++ // restore the EL1 exception context so that we can report some
254 ++ // information. Merge the exception code with the SError pending bit.
255 + msr elr_el2, x2
256 + msr esr_el2, x3
257 + msr spsr_el2, x4
258 +diff --git a/arch/arm64/kvm/hyp/hyp-entry.S b/arch/arm64/kvm/hyp/hyp-entry.S
259 +index 24b4fbafe3e4a..ea063312bca18 100644
260 +--- a/arch/arm64/kvm/hyp/hyp-entry.S
261 ++++ b/arch/arm64/kvm/hyp/hyp-entry.S
262 +@@ -26,6 +26,30 @@
263 + #include <asm/kvm_mmu.h>
264 + #include <asm/mmu.h>
265 +
266 ++.macro save_caller_saved_regs_vect
267 ++ /* x0 and x1 were saved in the vector entry */
268 ++ stp x2, x3, [sp, #-16]!
269 ++ stp x4, x5, [sp, #-16]!
270 ++ stp x6, x7, [sp, #-16]!
271 ++ stp x8, x9, [sp, #-16]!
272 ++ stp x10, x11, [sp, #-16]!
273 ++ stp x12, x13, [sp, #-16]!
274 ++ stp x14, x15, [sp, #-16]!
275 ++ stp x16, x17, [sp, #-16]!
276 ++.endm
277 ++
278 ++.macro restore_caller_saved_regs_vect
279 ++ ldp x16, x17, [sp], #16
280 ++ ldp x14, x15, [sp], #16
281 ++ ldp x12, x13, [sp], #16
282 ++ ldp x10, x11, [sp], #16
283 ++ ldp x8, x9, [sp], #16
284 ++ ldp x6, x7, [sp], #16
285 ++ ldp x4, x5, [sp], #16
286 ++ ldp x2, x3, [sp], #16
287 ++ ldp x0, x1, [sp], #16
288 ++.endm
289 ++
290 + .text
291 + .pushsection .hyp.text, "ax"
292 +
293 +@@ -162,28 +186,24 @@ el1_error:
294 + mov x0, #ARM_EXCEPTION_EL1_SERROR
295 + b __guest_exit
296 +
297 ++el2_sync:
298 ++ save_caller_saved_regs_vect
299 ++ stp x29, x30, [sp, #-16]!
300 ++ bl kvm_unexpected_el2_exception
301 ++ ldp x29, x30, [sp], #16
302 ++ restore_caller_saved_regs_vect
303 ++
304 ++ eret
305 ++
306 + el2_error:
307 +- ldp x0, x1, [sp], #16
308 ++ save_caller_saved_regs_vect
309 ++ stp x29, x30, [sp, #-16]!
310 ++
311 ++ bl kvm_unexpected_el2_exception
312 ++
313 ++ ldp x29, x30, [sp], #16
314 ++ restore_caller_saved_regs_vect
315 +
316 +- /*
317 +- * Only two possibilities:
318 +- * 1) Either we come from the exit path, having just unmasked
319 +- * PSTATE.A: change the return code to an EL2 fault, and
320 +- * carry on, as we're already in a sane state to handle it.
321 +- * 2) Or we come from anywhere else, and that's a bug: we panic.
322 +- *
323 +- * For (1), x0 contains the original return code and x1 doesn't
324 +- * contain anything meaningful at that stage. We can reuse them
325 +- * as temp registers.
326 +- * For (2), who cares?
327 +- */
328 +- mrs x0, elr_el2
329 +- adr x1, abort_guest_exit_start
330 +- cmp x0, x1
331 +- adr x1, abort_guest_exit_end
332 +- ccmp x0, x1, #4, ne
333 +- b.ne __hyp_panic
334 +- mov x0, #(1 << ARM_EXIT_WITH_SERROR_BIT)
335 + eret
336 +
337 + ENTRY(__hyp_do_panic)
338 +@@ -212,7 +232,6 @@ ENDPROC(\label)
339 + invalid_vector el2t_irq_invalid
340 + invalid_vector el2t_fiq_invalid
341 + invalid_vector el2t_error_invalid
342 +- invalid_vector el2h_sync_invalid
343 + invalid_vector el2h_irq_invalid
344 + invalid_vector el2h_fiq_invalid
345 + invalid_vector el1_fiq_invalid
346 +@@ -240,7 +259,7 @@ ENTRY(__kvm_hyp_vector)
347 + invalid_vect el2t_fiq_invalid // FIQ EL2t
348 + invalid_vect el2t_error_invalid // Error EL2t
349 +
350 +- invalid_vect el2h_sync_invalid // Synchronous EL2h
351 ++ valid_vect el2_sync // Synchronous EL2h
352 + invalid_vect el2h_irq_invalid // IRQ EL2h
353 + invalid_vect el2h_fiq_invalid // FIQ EL2h
354 + valid_vect el2_error // Error EL2h
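Review bot: `restore_caller_saved_regs_vect` pops one more register pair than `save_caller_saved_regs_vect` pushes: its final `ldp x0, x1, [sp], #16` has no matching `stp` in the save macro. The save macro's comment says x0 and x1 were stored by the vector entry, but the restore macro has no comment, so the asymmetry reads like a stack imbalance in both `el2_sync` and `el2_error`. I would add `/* also pops the x0/x1 pair pushed by the vector entry */` above that last `ldp`. The vector entry code is outside the visible hunks, so the pairing cannot be confirmed from this page.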
355 +diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c
356 +index 3cdefd84af545..f146bff53edf9 100644
357 +--- a/arch/arm64/kvm/hyp/switch.c
358 ++++ b/arch/arm64/kvm/hyp/switch.c
359 +@@ -23,6 +23,7 @@
360 + #include <kvm/arm_psci.h>
361 +
362 + #include <asm/cpufeature.h>
363 ++#include <asm/extable.h>
364 + #include <asm/kprobes.h>
365 + #include <asm/kvm_asm.h>
366 + #include <asm/kvm_emulate.h>
367 +@@ -34,6 +35,9 @@
368 + #include <asm/processor.h>
369 + #include <asm/thread_info.h>
370 +
371 ++extern struct exception_table_entry __start___kvm_ex_table;
372 ++extern struct exception_table_entry __stop___kvm_ex_table;
373 ++
374 + /* Check whether the FP regs were dirtied while in the host-side run loop: */
375 + static bool __hyp_text update_fp_enabled(struct kvm_vcpu *vcpu)
376 + {
377 +@@ -264,10 +268,10 @@ static bool __hyp_text __translate_far_to_hpfar(u64 far, u64 *hpfar)
378 + * saved the guest context yet, and we may return early...
379 + */
380 + par = read_sysreg(par_el1);
381 +- asm volatile("at s1e1r, %0" : : "r" (far));
382 +- isb();
383 +-
384 +- tmp = read_sysreg(par_el1);
385 ++ if (!__kvm_at("s1e1r", far))
386 ++ tmp = read_sysreg(par_el1);
387 ++ else
388 ++ tmp = 1; /* back to the guest */
389 + write_sysreg(par, par_el1);
390 +
391 + if (unlikely(tmp & 1))
392 +@@ -663,3 +667,30 @@ void __hyp_text __noreturn hyp_panic(struct kvm_cpu_context *host_ctxt)
393 +
394 + unreachable();
395 + }
396 ++
397 ++asmlinkage void __hyp_text kvm_unexpected_el2_exception(void)
398 ++{
399 ++ unsigned long addr, fixup;
400 ++ struct kvm_cpu_context *host_ctxt;
401 ++ struct exception_table_entry *entry, *end;
402 ++ unsigned long elr_el2 = read_sysreg(elr_el2);
403 ++
404 ++ entry = hyp_symbol_addr(__start___kvm_ex_table);
405 ++ end = hyp_symbol_addr(__stop___kvm_ex_table);
406 ++ host_ctxt = __hyp_this_cpu_ptr(kvm_host_cpu_state);
407 ++
408 ++ while (entry < end) {
409 ++ addr = (unsigned long)&entry->insn + entry->insn;
410 ++ fixup = (unsigned long)&entry->fixup + entry->fixup;
411 ++
412 ++ if (addr != elr_el2) {
413 ++ entry++;
414 ++ continue;
415 ++ }
416 ++
417 ++ write_sysreg(fixup, elr_el2);
418 ++ return;
419 ++ }
420 ++
421 ++ hyp_panic(host_ctxt);
422 ++}
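Review bot: `kvm_unexpected_el2_exception` in the last hunk has no header comment, although it decides whether an unexpected EL2 exception is recovered or ends in `hyp_panic`. The comment should say that it compares ELR_EL2 with every `__kvm_ex_table` entry, rewrites ELR_EL2 to the entry's fixup on a match, and panics when nothing matches, and that `insn` and `fixup` are offsets relative to the address of the field itself, which is why `(unsigned long)&entry->insn + entry->insn` is computed. The `while` loop with `entry++; continue;` would read more directly as a `for` loop that advances `entry` in its header and handles the match in a single `if (addr == elr_el2)`, computing `fixup` only there. In the `__translate_far_to_hpfar` hunk, `tmp = 1; /* back to the guest */` works only because of the `tmp & 1` test just below it; a comment such as `/* AT faulted at EL2: set bit 0 so the failure check below is taken */` would make that coupling explicit.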
423 +diff --git a/arch/mips/kernel/smp-bmips.c b/arch/mips/kernel/smp-bmips.c
424 +index 5ec546b5eed1c..d16e6654a6555 100644
425 +--- a/arch/mips/kernel/smp-bmips.c
426 ++++ b/arch/mips/kernel/smp-bmips.c
427 +@@ -240,6 +240,8 @@ static int bmips_boot_secondary(int cpu, struct task_struct *idle)
428 + */
429 + static void bmips_init_secondary(void)
430 + {
431 ++ bmips_cpu_setup();
432 ++
433 + switch (current_cpu_type()) {
434 + case CPU_BMIPS4350:
435 + case CPU_BMIPS4380:
436 +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
437 +index 05a539d3a5970..7650edd5cf7ff 100644
438 +--- a/arch/mips/mm/c-r4k.c
439 ++++ b/arch/mips/mm/c-r4k.c
440 +@@ -1789,7 +1789,11 @@ static void setup_scache(void)
441 + printk("MIPS secondary cache %ldkB, %s, linesize %d bytes.\n",
442 + scache_size >> 10,
443 + way_string[c->scache.ways], c->scache.linesz);
444 ++
445 ++ if (current_cpu_type() == CPU_BMIPS5000)
446 ++ c->options |= MIPS_CPU_INCLUSIVE_CACHES;
447 + }
448 ++
449 + #else
450 + if (!(c->scache.flags & MIPS_CACHE_NOT_PRESENT))
451 + panic("Dunno how to handle MIPS32 / MIPS64 second level cache");
452 +diff --git a/arch/s390/include/asm/percpu.h b/arch/s390/include/asm/percpu.h
453 +index 0095ddb58ff69..50f6661ba5664 100644
454 +--- a/arch/s390/include/asm/percpu.h
455 ++++ b/arch/s390/include/asm/percpu.h
456 +@@ -29,7 +29,7 @@
457 + typedef typeof(pcp) pcp_op_T__; \
458 + pcp_op_T__ old__, new__, prev__; \
459 + pcp_op_T__ *ptr__; \
460 +- preempt_disable(); \
461 ++ preempt_disable_notrace(); \
462 + ptr__ = raw_cpu_ptr(&(pcp)); \
463 + prev__ = *ptr__; \
464 + do { \
465 +@@ -37,7 +37,7 @@
466 + new__ = old__ op (val); \
467 + prev__ = cmpxchg(ptr__, old__, new__); \
468 + } while (prev__ != old__); \
469 +- preempt_enable(); \
470 ++ preempt_enable_notrace(); \
471 + new__; \
472 + })
473 +
474 +@@ -68,7 +68,7 @@
475 + typedef typeof(pcp) pcp_op_T__; \
476 + pcp_op_T__ val__ = (val); \
477 + pcp_op_T__ old__, *ptr__; \
478 +- preempt_disable(); \
479 ++ preempt_disable_notrace(); \
480 + ptr__ = raw_cpu_ptr(&(pcp)); \
481 + if (__builtin_constant_p(val__) && \
482 + ((szcast)val__ > -129) && ((szcast)val__ < 128)) { \
483 +@@ -84,7 +84,7 @@
484 + : [val__] "d" (val__) \
485 + : "cc"); \
486 + } \
487 +- preempt_enable(); \
488 ++ preempt_enable_notrace(); \
489 + }
490 +
491 + #define this_cpu_add_4(pcp, val) arch_this_cpu_add(pcp, val, "laa", "asi", int)
492 +@@ -95,14 +95,14 @@
493 + typedef typeof(pcp) pcp_op_T__; \
494 + pcp_op_T__ val__ = (val); \
495 + pcp_op_T__ old__, *ptr__; \
496 +- preempt_disable(); \
497 ++ preempt_disable_notrace(); \
498 + ptr__ = raw_cpu_ptr(&(pcp)); \
499 + asm volatile( \
500 + op " %[old__],%[val__],%[ptr__]\n" \
501 + : [old__] "=d" (old__), [ptr__] "+Q" (*ptr__) \
502 + : [val__] "d" (val__) \
503 + : "cc"); \
504 +- preempt_enable(); \
505 ++ preempt_enable_notrace(); \
506 + old__ + val__; \
507 + })
508 +
509 +@@ -114,14 +114,14 @@
510 + typedef typeof(pcp) pcp_op_T__; \
511 + pcp_op_T__ val__ = (val); \
512 + pcp_op_T__ old__, *ptr__; \
513 +- preempt_disable(); \
514 ++ preempt_disable_notrace(); \
515 + ptr__ = raw_cpu_ptr(&(pcp)); \
516 + asm volatile( \
517 + op " %[old__],%[val__],%[ptr__]\n" \
518 + : [old__] "=d" (old__), [ptr__] "+Q" (*ptr__) \
519 + : [val__] "d" (val__) \
520 + : "cc"); \
521 +- preempt_enable(); \
522 ++ preempt_enable_notrace(); \
523 + }
524 +
525 + #define this_cpu_and_4(pcp, val) arch_this_cpu_to_op(pcp, val, "lan")
526 +@@ -136,10 +136,10 @@
527 + typedef typeof(pcp) pcp_op_T__; \
528 + pcp_op_T__ ret__; \
529 + pcp_op_T__ *ptr__; \
530 +- preempt_disable(); \
531 ++ preempt_disable_notrace(); \
532 + ptr__ = raw_cpu_ptr(&(pcp)); \
533 + ret__ = cmpxchg(ptr__, oval, nval); \
534 +- preempt_enable(); \
535 ++ preempt_enable_notrace(); \
536 + ret__; \
537 + })
538 +
539 +@@ -152,10 +152,10 @@
540 + ({ \
541 + typeof(pcp) *ptr__; \
542 + typeof(pcp) ret__; \
543 +- preempt_disable(); \
544 ++ preempt_disable_notrace(); \
545 + ptr__ = raw_cpu_ptr(&(pcp)); \
546 + ret__ = xchg(ptr__, nval); \
547 +- preempt_enable(); \
548 ++ preempt_enable_notrace(); \
549 + ret__; \
550 + })
551 +
552 +@@ -171,11 +171,11 @@
553 + typeof(pcp1) *p1__; \
554 + typeof(pcp2) *p2__; \
555 + int ret__; \
556 +- preempt_disable(); \
557 ++ preempt_disable_notrace(); \
558 + p1__ = raw_cpu_ptr(&(pcp1)); \
559 + p2__ = raw_cpu_ptr(&(pcp2)); \
560 + ret__ = __cmpxchg_double(p1__, p2__, o1__, o2__, n1__, n2__); \
561 +- preempt_enable(); \
562 ++ preempt_enable_notrace(); \
563 + ret__; \
564 + })
565 +
566 +diff --git a/arch/x86/mm/numa_emulation.c b/arch/x86/mm/numa_emulation.c
567 +index d71d72cf6c666..4686757a74d75 100644
568 +--- a/arch/x86/mm/numa_emulation.c
569 ++++ b/arch/x86/mm/numa_emulation.c
570 +@@ -322,7 +322,7 @@ static int __init split_nodes_size_interleave(struct numa_meminfo *ei,
571 + u64 addr, u64 max_addr, u64 size)
572 + {
573 + return split_nodes_size_interleave_uniform(ei, pi, addr, max_addr, size,
574 +- 0, NULL, NUMA_NO_NODE);
575 ++ 0, NULL, 0);
576 + }
577 +
578 + int __init setup_emu2phys_nid(int *dfl_phys_nid)
579 +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
580 +index 6b372fa583822..fead7243930c0 100644
581 +--- a/drivers/ata/libata-core.c
582 ++++ b/drivers/ata/libata-core.c
583 +@@ -4492,9 +4492,8 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
584 + /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */
585 + { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, },
586 +
587 +- /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on
588 +- SD7SN6S256G and SD8SN8U256G */
589 +- { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, },
590 ++ /* Sandisk SD7/8/9s lock up hard on large trims */
591 ++ { "SanDisk SD[789]*", NULL, ATA_HORKAGE_MAX_TRIM_128M, },
592 +
593 + /* devices which puke on READ_NATIVE_MAX */
594 + { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, },
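Review bot: The replacement blacklist entry widens the match from `SanDisk SD[78]SN*G` to `SanDisk SD[789]*` and at the same time drops `ATA_HORKAGE_NONCQ` for the drives that were listed before, but the new comment `Sandisk SD7/8/9s lock up hard on large trims` records neither fact. I would keep the history in the comment, e.g. `/* Sandisk SD7/8/9s lock up hard on large trims; earlier attributed to NCQ (SD7SN6S256G, SD8SN8U256G) */`, so that a later reader neither re-adds the NCQ quirk nor wonders why the glob is so broad. Whether every model matched by the wider glob shows the lockup cannot be told from this hunk.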
595 +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
596 +index 6c2c2b07f029e..e7af41d95490d 100644
597 +--- a/drivers/ata/libata-scsi.c
598 ++++ b/drivers/ata/libata-scsi.c
599 +@@ -2391,6 +2391,7 @@ static unsigned int ata_scsiop_inq_89(struct ata_scsi_args *args, u8 *rbuf)
600 +
601 + static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf)
602 + {
603 ++ struct ata_device *dev = args->dev;
604 + u16 min_io_sectors;
605 +
606 + rbuf[1] = 0xb0;
607 +@@ -2416,7 +2417,12 @@ static unsigned int ata_scsiop_inq_b0(struct ata_scsi_args *args, u8 *rbuf)
608 + * with the unmap bit set.
609 + */
610 + if (ata_id_has_trim(args->id)) {
611 +- put_unaligned_be64(65535 * ATA_MAX_TRIM_RNUM, &rbuf[36]);
612 ++ u64 max_blocks = 65535 * ATA_MAX_TRIM_RNUM;
613 ++
614 ++ if (dev->horkage & ATA_HORKAGE_MAX_TRIM_128M)
615 ++ max_blocks = 128 << (20 - SECTOR_SHIFT);
616 ++
617 ++ put_unaligned_be64(max_blocks, &rbuf[36]);
618 + put_unaligned_be32(1, &rbuf[28]);
619 + }
620 +
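Review bot: In `ata_scsiop_inq_b0`, `u64 max_blocks = 65535 * ATA_MAX_TRIM_RNUM;` performs the multiplication in `int` and widens only afterwards, and the capped value `128 << (20 - SECTOR_SHIFT)` carries no unit. Both are presumably fine for the current constants, which are defined outside this hunk, but `(u64)65535 * ATA_MAX_TRIM_RNUM` and a trailing `/* 128 MiB expressed in sectors */` would make the width and the unit explicit. The value is written into the response buffer at `rbuf[36]` and so bounds the trim size later requested from the device, which is why the arithmetic should be unambiguous.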
621 +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c
622 +index 6df894d65d9e2..2d182dc1b49ed 100644
623 +--- a/drivers/cpuidle/cpuidle.c
624 ++++ b/drivers/cpuidle/cpuidle.c
625 +@@ -148,7 +148,8 @@ static void enter_s2idle_proper(struct cpuidle_driver *drv,
626 + */
627 + stop_critical_timings();
628 + drv->states[index].enter_s2idle(dev, drv, index);
629 +- WARN_ON(!irqs_disabled());
630 ++ if (WARN_ON_ONCE(!irqs_disabled()))
631 ++ local_irq_disable();
632 + /*
633 + * timekeeping_resume() that will be called by tick_unfreeze() for the
634 + * first CPU executing it calls functions containing RCU read-side
635 +diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
636 +index dbc51154f1229..86427f6ba78cb 100644
637 +--- a/drivers/dma/at_hdmac.c
638 ++++ b/drivers/dma/at_hdmac.c
639 +@@ -1677,6 +1677,8 @@ static struct dma_chan *at_dma_xlate(struct of_phandle_args *dma_spec,
640 + return NULL;
641 +
642 + dmac_pdev = of_find_device_by_node(dma_spec->np);
643 ++ if (!dmac_pdev)
644 ++ return NULL;
645 +
646 + dma_cap_zero(mask);
647 + dma_cap_set(DMA_SLAVE, mask);
648 +diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c
649 +index 91fd395c90c4c..8344a60c2131b 100644
650 +--- a/drivers/dma/of-dma.c
651 ++++ b/drivers/dma/of-dma.c
652 +@@ -72,12 +72,12 @@ static struct dma_chan *of_dma_router_xlate(struct of_phandle_args *dma_spec,
653 + return NULL;
654 +
655 + chan = ofdma_target->of_dma_xlate(&dma_spec_target, ofdma_target);
656 +- if (chan) {
657 +- chan->router = ofdma->dma_router;
658 +- chan->route_data = route_data;
659 +- } else {
660 ++ if (IS_ERR_OR_NULL(chan)) {
661 + ofdma->dma_router->route_free(ofdma->dma_router->dev,
662 + route_data);
663 ++ } else {
664 ++ chan->router = ofdma->dma_router;
665 ++ chan->route_data = route_data;
666 + }
667 +
668 + /*
669 +diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
670 +index bc8050c025b7b..c564df713efc3 100644
671 +--- a/drivers/dma/pl330.c
672 ++++ b/drivers/dma/pl330.c
673 +@@ -2769,6 +2769,7 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
674 + while (burst != (1 << desc->rqcfg.brst_size))
675 + desc->rqcfg.brst_size++;
676 +
677 ++ desc->rqcfg.brst_len = get_burst_len(desc, len);
678 + /*
679 + * If burst size is smaller than bus width then make sure we only
680 + * transfer one at a time to avoid a burst stradling an MFIFO entry.
681 +@@ -2776,7 +2777,6 @@ pl330_prep_dma_memcpy(struct dma_chan *chan, dma_addr_t dst,
682 + if (desc->rqcfg.brst_size * 8 < pl330->pcfg.data_bus_width)
683 + desc->rqcfg.brst_len = 1;
684 +
685 +- desc->rqcfg.brst_len = get_burst_len(desc, len);
686 + desc->bytes_requested = len;
687 +
688 + desc->txd.flags = flags;
689 +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
690 +index 9cde79a7335c8..739ca9c2081a6 100644
691 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
692 ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
693 +@@ -117,12 +117,22 @@ static int a6xx_gmu_start(struct a6xx_gmu *gmu)
694 + {
695 + int ret;
696 + u32 val;
697 ++ u32 mask, reset_val;
698 ++
699 ++ val = gmu_read(gmu, REG_A6XX_GMU_CM3_DTCM_START + 0xff8);
700 ++ if (val <= 0x20010004) {
701 ++ mask = 0xffffffff;
702 ++ reset_val = 0xbabeface;
703 ++ } else {
704 ++ mask = 0x1ff;
705 ++ reset_val = 0x100;
706 ++ }
707 +
708 + gmu_write(gmu, REG_A6XX_GMU_CM3_SYSRESET, 1);
709 + gmu_write(gmu, REG_A6XX_GMU_CM3_SYSRESET, 0);
710 +
711 + ret = gmu_poll_timeout(gmu, REG_A6XX_GMU_CM3_FW_INIT_RESULT, val,
712 +- val == 0xbabeface, 100, 10000);
713 ++ (val & mask) == reset_val, 100, 10000);
714 +
715 + if (ret)
716 + dev_err(gmu->dev, "GMU firmware initialization timed out\n");
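Review bot: The new branch in `a6xx_gmu_start` is driven entirely by bare literals: the offset `0xff8`, the threshold `0x20010004`, and the mask/value pairs `0xffffffff`/`0xbabeface` and `0x1ff`/`0x100`. Nothing in the hunk says what the word read from `REG_A6XX_GMU_CM3_DTCM_START + 0xff8` represents; presumably it is a firmware version that selects which init-result encoding to expect, and that should be confirmed and written down. A comment such as `/* newer GMU firmware reports init status in the low 9 bits instead of the 0xbabeface magic */` (wording to be verified) together with named constants would keep the poll condition reviewable. `val` is also reused for both the version read and the poll result, so a separate local for the version would be clearer.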
717 +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
718 +index 6f81de85fb860..7f45486b6650b 100644
719 +--- a/drivers/gpu/drm/msm/msm_drv.c
720 ++++ b/drivers/gpu/drm/msm/msm_drv.c
721 +@@ -1358,6 +1358,13 @@ static int msm_pdev_remove(struct platform_device *pdev)
722 + return 0;
723 + }
724 +
725 ++static void msm_pdev_shutdown(struct platform_device *pdev)
726 ++{
727 ++ struct drm_device *drm = platform_get_drvdata(pdev);
728 ++
729 ++ drm_atomic_helper_shutdown(drm);
730 ++}
731 ++
732 + static const struct of_device_id dt_match[] = {
733 + { .compatible = "qcom,mdp4", .data = (void *)KMS_MDP4 },
734 + { .compatible = "qcom,mdss", .data = (void *)KMS_MDP5 },
735 +@@ -1369,6 +1376,7 @@ MODULE_DEVICE_TABLE(of, dt_match);
736 + static struct platform_driver msm_platform_driver = {
737 + .probe = msm_pdev_probe,
738 + .remove = msm_pdev_remove,
739 ++ .shutdown = msm_pdev_shutdown,
740 + .driver = {
741 + .name = "msm",
742 + .of_match_table = dt_match,
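Review bot: `msm_pdev_shutdown` passes the result of `platform_get_drvdata(pdev)` straight to `drm_atomic_helper_shutdown()` without checking it for NULL. If the driver data is unset when the shutdown hook runs, for example because binding never completed (not visible in this hunk), the helper is handed a NULL device on the reboot path. A guard `if (!drm) return;` before the call would make the hook safe in that state.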
743 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
744 +index 2c85d075daee1..05122167d9d85 100644
745 +--- a/drivers/hid/hid-core.c
746 ++++ b/drivers/hid/hid-core.c
747 +@@ -1425,6 +1425,17 @@ static void hid_output_field(const struct hid_device *hid,
748 + }
749 + }
750 +
751 ++/*
752 ++ * Compute the size of a report.
753 ++ */
754 ++static size_t hid_compute_report_size(struct hid_report *report)
755 ++{
756 ++ if (report->size)
757 ++ return ((report->size - 1) >> 3) + 1;
758 ++
759 ++ return 0;
760 ++}
761 ++
762 + /*
763 + * Create a report. 'data' has to be allocated using
764 + * hid_alloc_report_buf() so that it has proper size.
765 +@@ -1437,7 +1448,7 @@ void hid_output_report(struct hid_report *report, __u8 *data)
766 + if (report->id > 0)
767 + *data++ = report->id;
768 +
769 +- memset(data, 0, ((report->size - 1) >> 3) + 1);
770 ++ memset(data, 0, hid_compute_report_size(report));
771 + for (n = 0; n < report->maxfield; n++)
772 + hid_output_field(report->device, report->field[n], data);
773 + }
774 +@@ -1564,7 +1575,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
775 + csize--;
776 + }
777 +
778 +- rsize = ((report->size - 1) >> 3) + 1;
779 ++ rsize = hid_compute_report_size(report);
780 +
781 + if (report_enum->numbered && rsize >= HID_MAX_BUFFER_SIZE)
782 + rsize = HID_MAX_BUFFER_SIZE - 1;
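Review bot: `hid_compute_report_size` open-codes the bits-to-bytes round-up with a special case for zero, and its comment `Compute the size of a report.` gives neither the unit nor the reason for that special case. `return DIV_ROUND_UP(report->size, 8);` yields the same results for sizes well below the type's maximum, including 0 for an empty report, without the branch. The comment should say that `report->size` appears to be a bit count and the result a byte count, and that the zero case matters because the old expression `((report->size - 1) >> 3) + 1` wraps for a zero-sized report if the field is unsigned. That result is used as the `memset` length in `hid_output_report` and as `rsize` in `hid_report_raw_event`, so the wrap would turn into an oversized write or read length.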
783 +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
784 +index 51bfe23d00bc5..a9da1526c40ae 100644
785 +--- a/drivers/hid/hid-input.c
786 ++++ b/drivers/hid/hid-input.c
787 +@@ -1125,6 +1125,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
788 + }
789 +
790 + mapped:
791 ++ /* Mapping failed, bail out */
792 ++ if (!bit)
793 ++ return;
794 ++
795 + if (device->driver->input_mapped &&
796 + device->driver->input_mapped(device, hidinput, field, usage,
797 + &bit, &max) < 0) {
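Review bot: The guard `if (!bit) return;` added under `mapped:` relies on the mapping helpers leaving `bit` NULL when a usage cannot be mapped, and the comment `Mapping failed, bail out` does not say who clears the pointer or why continuing would be unsafe. The code right after the guard hands the address of `bit` and `max` to the driver's `input_mapped` callback, and the rest of the function is outside the hunk. A comment like `/* hid_map_usage() leaves bit NULL when the usage code does not fit the bitmap; nothing below may dereference it */` would help, with the wording confirmed against that helper. The `if (!*bit) return -1;` added in hid-multitouch.c depends on the same convention and deserves the same one-line explanation.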
798 +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
799 +index 8baf10beb1d5d..ccda72f748ee5 100644
800 +--- a/drivers/hid/hid-multitouch.c
801 ++++ b/drivers/hid/hid-multitouch.c
802 +@@ -841,6 +841,8 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,
803 + code = BTN_0 + ((usage->hid - 1) & HID_USAGE);
804 +
805 + hid_map_usage(hi, usage, bit, max, EV_KEY, code);
806 ++ if (!*bit)
807 ++ return -1;
808 + input_set_capability(hi->input, EV_KEY, code);
809 + return 1;
810 +
811 +diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
812 +index 5c677ba440143..b201129a9beae 100644
813 +--- a/drivers/hwmon/applesmc.c
814 ++++ b/drivers/hwmon/applesmc.c
815 +@@ -760,15 +760,18 @@ static ssize_t applesmc_light_show(struct device *dev,
816 + }
817 +
818 + ret = applesmc_read_key(LIGHT_SENSOR_LEFT_KEY, buffer, data_length);
819 ++ if (ret)
820 ++ goto out;
821 + /* newer macbooks report a single 10-bit bigendian value */
822 + if (data_length == 10) {
823 + left = be16_to_cpu(*(__be16 *)(buffer + 6)) >> 2;
824 + goto out;
825 + }
826 + left = buffer[2];
827 ++
828 ++ ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length);
829 + if (ret)
830 + goto out;
831 +- ret = applesmc_read_key(LIGHT_SENSOR_RIGHT_KEY, buffer, data_length);
832 + right = buffer[2];
833 +
834 + out:
835 +@@ -817,12 +820,11 @@ static ssize_t applesmc_show_fan_speed(struct device *dev,
836 + to_index(attr));
837 +
838 + ret = applesmc_read_key(newkey, buffer, 2);
839 +- speed = ((buffer[0] << 8 | buffer[1]) >> 2);
840 +-
841 + if (ret)
842 + return ret;
843 +- else
844 +- return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed);
845 ++
846 ++ speed = ((buffer[0] << 8 | buffer[1]) >> 2);
847 ++ return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", speed);
848 + }
849 +
850 + static ssize_t applesmc_store_fan_speed(struct device *dev,
851 +@@ -858,12 +860,11 @@ static ssize_t applesmc_show_fan_manual(struct device *dev,
852 + u8 buffer[2];
853 +
854 + ret = applesmc_read_key(FANS_MANUAL, buffer, 2);
855 +- manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01;
856 +-
857 + if (ret)
858 + return ret;
859 +- else
860 +- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual);
861 ++
862 ++ manual = ((buffer[0] << 8 | buffer[1]) >> to_index(attr)) & 0x01;
863 ++ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", manual);
864 + }
865 +
866 + static ssize_t applesmc_store_fan_manual(struct device *dev,
867 +@@ -879,10 +880,11 @@ static ssize_t applesmc_store_fan_manual(struct device *dev,
868 + return -EINVAL;
869 +
870 + ret = applesmc_read_key(FANS_MANUAL, buffer, 2);
871 +- val = (buffer[0] << 8 | buffer[1]);
872 + if (ret)
873 + goto out;
874 +
875 ++ val = (buffer[0] << 8 | buffer[1]);
876 ++
877 + if (input)
878 + val = val | (0x01 << to_index(attr));
879 + else
880 +@@ -958,13 +960,12 @@ static ssize_t applesmc_key_count_show(struct device *dev,
881 + u32 count;
882 +
883 + ret = applesmc_read_key(KEY_COUNT_KEY, buffer, 4);
884 +- count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) +
885 +- ((u32)buffer[2]<<8) + buffer[3];
886 +-
887 + if (ret)
888 + return ret;
889 +- else
890 +- return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count);
891 ++
892 ++ count = ((u32)buffer[0]<<24) + ((u32)buffer[1]<<16) +
893 ++ ((u32)buffer[2]<<8) + buffer[3];
894 ++ return snprintf(sysfsbuf, PAGE_SIZE, "%d\n", count);
895 + }
896 +
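Review bot: In `applesmc_key_count_show` the rewritten tail still prints `count`, which is declared `u32`, with `%d`, so a value with the top bit set would be shown as negative. `applesmc_show_fan_speed` in the same file already uses `%u`, and this line should match: `return snprintf(sysfsbuf, PAGE_SIZE, "%u\n", count);`. The reordering in these hunks, which checks `ret` before the buffer is decoded, is the right shape and needs no further change.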
897 + static ssize_t applesmc_key_at_index_read_show(struct device *dev,
898 +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c
899 +index 15a4ad31c510a..9d2d03545bb07 100644
900 +--- a/drivers/iommu/intel_irq_remapping.c
901 ++++ b/drivers/iommu/intel_irq_remapping.c
902 +@@ -479,12 +479,18 @@ static void iommu_enable_irq_remapping(struct intel_iommu *iommu)
903 +
904 + /* Enable interrupt-remapping */
905 + iommu->gcmd |= DMA_GCMD_IRE;
906 +- iommu->gcmd &= ~DMA_GCMD_CFI; /* Block compatibility-format MSIs */
907 + writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG);
908 +-
909 + IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
910 + readl, (sts & DMA_GSTS_IRES), sts);
911 +
912 ++ /* Block compatibility-format MSIs */
913 ++ if (sts & DMA_GSTS_CFIS) {
914 ++ iommu->gcmd &= ~DMA_GCMD_CFI;
915 ++ writel(iommu->gcmd, iommu->reg + DMAR_GCMD_REG);
916 ++ IOMMU_WAIT_OP(iommu, DMAR_GSTS_REG,
917 ++ readl, !(sts & DMA_GSTS_CFIS), sts);
918 ++ }
919 ++
920 + /*
921 + * With CFI clear in the Global Command register, we should be
922 + * protected from dangerous (i.e. compatibility) interrupts
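Review bot: The comment `/* Block compatibility-format MSIs */` does not explain why CFI is now cleared in a second GCMD write, issued only after IRES has been observed and only when `sts & DMA_GSTS_CFIS` reads back set. Without that, a later cleanup could fold the clear back into the first `writel()` and lose the ordering this hunk introduces. I would extend the comment to something like `/* Clear CFI in its own GCMD write once IRE is active, then wait for CFIS to drop, so compatibility-format MSIs cannot bypass remapping */`. The hardware rationale is inferred from the code and should be confirmed against the VT-d specification. iommu_enable_irq_remapping() continues outside this hunk.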
923 +diff --git a/drivers/md/dm-cache-metadata.c b/drivers/md/dm-cache-metadata.c
924 +index 151aa95775be2..af6d4f898e4c1 100644
925 +--- a/drivers/md/dm-cache-metadata.c
926 ++++ b/drivers/md/dm-cache-metadata.c
927 +@@ -537,12 +537,16 @@ static int __create_persistent_data_objects(struct dm_cache_metadata *cmd,
928 + CACHE_MAX_CONCURRENT_LOCKS);
929 + if (IS_ERR(cmd->bm)) {
930 + DMERR("could not create block manager");
931 +- return PTR_ERR(cmd->bm);
932 ++ r = PTR_ERR(cmd->bm);
933 ++ cmd->bm = NULL;
934 ++ return r;
935 + }
936 +
937 + r = __open_or_format_metadata(cmd, may_format_device);
938 +- if (r)
939 ++ if (r) {
940 + dm_block_manager_destroy(cmd->bm);
941 ++ cmd->bm = NULL;
942 ++ }
943 +
944 + return r;
945 + }
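Review bot: Both failure paths now reset `cmd->bm` to NULL, but nothing says why, so a later reader could simplify the first one back to a bare `return PTR_ERR(cmd->bm);` and reintroduce a stale pointer. A short comment would keep the intent, for example `/* never leave an ERR_PTR or a destroyed block manager in cmd->bm */`. Whether every user of `cmd->bm` outside this hunk tolerates NULL is not visible here and is worth checking. The same applies to the matching `pmd->bm` hunk in drivers/md/dm-thin-metadata.c.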
946 +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
947 +index 6a26afcc1fd6b..85077f4d257a7 100644
948 +--- a/drivers/md/dm-thin-metadata.c
949 ++++ b/drivers/md/dm-thin-metadata.c
950 +@@ -698,12 +698,16 @@ static int __create_persistent_data_objects(struct dm_pool_metadata *pmd, bool f
951 + THIN_MAX_CONCURRENT_LOCKS);
952 + if (IS_ERR(pmd->bm)) {
953 + DMERR("could not create block manager");
954 +- return PTR_ERR(pmd->bm);
955 ++ r = PTR_ERR(pmd->bm);
956 ++ pmd->bm = NULL;
957 ++ return r;
958 + }
959 +
960 + r = __open_or_format_metadata(pmd, format_device);
961 +- if (r)
962 ++ if (r) {
963 + dm_block_manager_destroy(pmd->bm);
964 ++ pmd->bm = NULL;
965 ++ }
966 +
967 + return r;
968 + }
969 +diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c
970 +index cc028353f9d55..776aaf5951e4a 100644
971 +--- a/drivers/md/dm-writecache.c
972 ++++ b/drivers/md/dm-writecache.c
973 +@@ -226,6 +226,7 @@ static int persistent_memory_claim(struct dm_writecache *wc)
974 + pfn_t pfn;
975 + int id;
976 + struct page **pages;
977 ++ sector_t offset;
978 +
979 + wc->memory_vmapped = false;
980 +
981 +@@ -244,9 +245,16 @@ static int persistent_memory_claim(struct dm_writecache *wc)
982 + goto err1;
983 + }
984 +
985 ++ offset = get_start_sect(wc->ssd_dev->bdev);
986 ++ if (offset & (PAGE_SIZE / 512 - 1)) {
987 ++ r = -EINVAL;
988 ++ goto err1;
989 ++ }
990 ++ offset >>= PAGE_SHIFT - 9;
991 ++
992 + id = dax_read_lock();
993 +
994 +- da = dax_direct_access(wc->ssd_dev->dax_dev, 0, p, &wc->memory_map, &pfn);
995 ++ da = dax_direct_access(wc->ssd_dev->dax_dev, offset, p, &wc->memory_map, &pfn);
996 + if (da < 0) {
997 + wc->memory_map = NULL;
998 + r = da;
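Review bot: The alignment test and the shift hard-code the sector size as `512` and `9` (`offset & (PAGE_SIZE / 512 - 1)`, `offset >>= PAGE_SHIFT - 9`). The block layer's named constants say the same thing more readably: `if (offset & (PAGE_SIZE / SECTOR_SIZE - 1))` and `offset >>= PAGE_SHIFT - SECTOR_SHIFT;`. The new `-EINVAL` exit is also silent, so a cache device whose partition does not start on a page boundary fails with no hint as to why. A one-line error message before `goto err1` would help whoever has to diagnose it. persistent_memory_claim() starts and ends outside this hunk.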
999 +@@ -268,7 +276,7 @@ static int persistent_memory_claim(struct dm_writecache *wc)
1000 + i = 0;
1001 + do {
1002 + long daa;
1003 +- daa = dax_direct_access(wc->ssd_dev->dax_dev, i, p - i,
1004 ++ daa = dax_direct_access(wc->ssd_dev->dax_dev, offset + i, p - i,
1005 + NULL, &pfn);
1006 + if (daa <= 0) {
1007 + r = daa ? daa : -EINVAL;
1008 +diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
1009 +index c30affbd43a98..cf3df733d9605 100644
1010 +--- a/drivers/media/rc/rc-main.c
1011 ++++ b/drivers/media/rc/rc-main.c
1012 +@@ -1245,6 +1245,10 @@ static ssize_t store_protocols(struct device *device,
1013 + }
1014 +
1015 + mutex_lock(&dev->lock);
1016 ++ if (!dev->registered) {
1017 ++ mutex_unlock(&dev->lock);
1018 ++ return -ENODEV;
1019 ++ }
1020 +
1021 + old_protocols = *current_protocols;
1022 + new_protocols = old_protocols;
1023 +@@ -1383,6 +1387,10 @@ static ssize_t store_filter(struct device *device,
1024 + return -EINVAL;
1025 +
1026 + mutex_lock(&dev->lock);
1027 ++ if (!dev->registered) {
1028 ++ mutex_unlock(&dev->lock);
1029 ++ return -ENODEV;
1030 ++ }
1031 +
1032 + new_filter = *filter;
1033 + if (fattr->mask)
1034 +@@ -1497,6 +1505,10 @@ static ssize_t store_wakeup_protocols(struct device *device,
1035 + int i;
1036 +
1037 + mutex_lock(&dev->lock);
1038 ++ if (!dev->registered) {
1039 ++ mutex_unlock(&dev->lock);
1040 ++ return -ENODEV;
1041 ++ }
1042 +
1043 + allowed = dev->allowed_wakeup_protocols;
1044 +
1045 +@@ -1556,25 +1568,25 @@ static void rc_dev_release(struct device *device)
1046 + kfree(dev);
1047 + }
1048 +
1049 +-#define ADD_HOTPLUG_VAR(fmt, val...) \
1050 +- do { \
1051 +- int err = add_uevent_var(env, fmt, val); \
1052 +- if (err) \
1053 +- return err; \
1054 +- } while (0)
1055 +-
1056 + static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env)
1057 + {
1058 + struct rc_dev *dev = to_rc_dev(device);
1059 ++ int ret = 0;
1060 +
1061 +- if (dev->rc_map.name)
1062 +- ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name);
1063 +- if (dev->driver_name)
1064 +- ADD_HOTPLUG_VAR("DRV_NAME=%s", dev->driver_name);
1065 +- if (dev->device_name)
1066 +- ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name);
1067 ++ mutex_lock(&dev->lock);
1068 +
1069 +- return 0;
1070 ++ if (!dev->registered)
1071 ++ ret = -ENODEV;
1072 ++ if (ret == 0 && dev->rc_map.name)
1073 ++ ret = add_uevent_var(env, "NAME=%s", dev->rc_map.name);
1074 ++ if (ret == 0 && dev->driver_name)
1075 ++ ret = add_uevent_var(env, "DRV_NAME=%s", dev->driver_name);
1076 ++ if (ret == 0 && dev->device_name)
1077 ++ ret = add_uevent_var(env, "DEV_NAME=%s", dev->device_name);
1078 ++
1079 ++ mutex_unlock(&dev->lock);
1080 ++
1081 ++ return ret;
1082 + }
1083 +
1084 + /*
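Review bot: rc_dev_uevent() gains `mutex_lock(&dev->lock)` and a `!dev->registered` bail-out with no comment saying what they protect, and the function had neither before. I would add something like `/* Hold dev->lock and refuse once unregistered: rc_map.name and the name strings must not be read while the device is being torn down */` above the lock. That rationale is inferred from the rc_unregister_device() hunk, which clears `registered` under the same lock before calling rc_free_rx_device(), so confirm it against the upstream commit message. The three store_*() hunks earlier in this file add the same check and would benefit from the same one-line explanation.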
1085 +@@ -1958,14 +1970,14 @@ void rc_unregister_device(struct rc_dev *dev)
1086 + del_timer_sync(&dev->timer_keyup);
1087 + del_timer_sync(&dev->timer_repeat);
1088 +
1089 +- rc_free_rx_device(dev);
1090 +-
1091 + mutex_lock(&dev->lock);
1092 + if (dev->users && dev->close)
1093 + dev->close(dev);
1094 + dev->registered = false;
1095 + mutex_unlock(&dev->lock);
1096 +
1097 ++ rc_free_rx_device(dev);
1098 ++
1099 + /*
1100 + * lirc device should be freed with dev->registered = false, so
1101 + * that userspace polling will get notified.
1102 +diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c
1103 +index 0187dbf3b87df..54cdafdd067db 100644
1104 +--- a/drivers/net/ethernet/arc/emac_mdio.c
1105 ++++ b/drivers/net/ethernet/arc/emac_mdio.c
1106 +@@ -153,6 +153,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv)
1107 + if (IS_ERR(data->reset_gpio)) {
1108 + error = PTR_ERR(data->reset_gpio);
1109 + dev_err(priv->dev, "Failed to request gpio: %d\n", error);
1110 ++ mdiobus_free(bus);
1111 + return error;
1112 + }
1113 +
1114 +diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
1115 +index 6b761f6b8fd56..9a614c5cdfa22 100644
1116 +--- a/drivers/net/ethernet/broadcom/bcmsysport.c
1117 ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
1118 +@@ -2441,8 +2441,10 @@ static int bcm_sysport_probe(struct platform_device *pdev)
1119 + priv->tx_rings = devm_kcalloc(&pdev->dev, txq,
1120 + sizeof(struct bcm_sysport_tx_ring),
1121 + GFP_KERNEL);
1122 +- if (!priv->tx_rings)
1123 +- return -ENOMEM;
1124 ++ if (!priv->tx_rings) {
1125 ++ ret = -ENOMEM;
1126 ++ goto err_free_netdev;
1127 ++ }
1128 +
1129 + priv->is_lite = params->is_lite;
1130 + priv->num_rx_desc_words = params->num_rx_desc_words;
1131 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
1132 +index ab4d1dacb5854..a267380b267d7 100644
1133 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
1134 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
1135 +@@ -6836,16 +6836,19 @@ static ssize_t bnxt_show_temp(struct device *dev,
1136 + struct hwrm_temp_monitor_query_input req = {0};
1137 + struct hwrm_temp_monitor_query_output *resp;
1138 + struct bnxt *bp = dev_get_drvdata(dev);
1139 +- u32 temp = 0;
1140 ++ u32 len = 0;
1141 +
1142 + resp = bp->hwrm_cmd_resp_addr;
1143 + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1);
1144 + mutex_lock(&bp->hwrm_cmd_lock);
1145 +- if (!_hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT))
1146 +- temp = resp->temp * 1000; /* display millidegree */
1147 ++ if (!_hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT))
1148 ++ len = sprintf(buf, "%u\n", resp->temp * 1000); /* display millidegree */
1149 + mutex_unlock(&bp->hwrm_cmd_lock);
1150 +
1151 +- return sprintf(buf, "%u\n", temp);
1152 ++ if (len)
1153 ++ return len;
1154 ++
1155 ++ return sprintf(buf, "unknown\n");
1156 + }
1157 + static SENSOR_DEVICE_ATTR(temp1_input, 0444, bnxt_show_temp, NULL, 0);
1158 +
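Review bot: When the firmware query fails, `temp1_input` now returns the text `unknown`, which is not a number. hwmon attributes are expected to yield an integer or fail the read, so a monitoring tool parsing this file gets an unparseable string instead of an error it can act on. Replacing the final `return sprintf(buf, "unknown\n");` with `return -EIO;` keeps the silent-query change while reporting the failure through the read itself. Note that `len` is a `u32` being returned from a function that returns `ssize_t`; that is harmless for these short strings, though `int len` would be the conventional type.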
1159 +@@ -7024,15 +7027,15 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
1160 + }
1161 + }
1162 +
1163 +- bnxt_enable_napi(bp);
1164 +- bnxt_debug_dev_init(bp);
1165 +-
1166 + rc = bnxt_init_nic(bp, irq_re_init);
1167 + if (rc) {
1168 + netdev_err(bp->dev, "bnxt_init_nic err: %x\n", rc);
1169 +- goto open_err;
1170 ++ goto open_err_irq;
1171 + }
1172 +
1173 ++ bnxt_enable_napi(bp);
1174 ++ bnxt_debug_dev_init(bp);
1175 ++
1176 + if (link_re_init) {
1177 + mutex_lock(&bp->link_lock);
1178 + rc = bnxt_update_phy_setting(bp);
1179 +@@ -7063,10 +7066,6 @@ static int __bnxt_open_nic(struct bnxt *bp, bool irq_re_init, bool link_re_init)
1180 + bnxt_vf_reps_open(bp);
1181 + return 0;
1182 +
1183 +-open_err:
1184 +- bnxt_debug_dev_exit(bp);
1185 +- bnxt_disable_napi(bp);
1186 +-
1187 + open_err_irq:
1188 + bnxt_del_napi(bp);
1189 +
1190 +@@ -9128,6 +9127,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
1191 + (long)pci_resource_start(pdev, 0), dev->dev_addr);
1192 + pcie_print_link_status(pdev);
1193 +
1194 ++ pci_save_state(pdev);
1195 + return 0;
1196 +
1197 + init_err_cleanup_tc:
1198 +@@ -9289,6 +9289,8 @@ static pci_ers_result_t bnxt_io_slot_reset(struct pci_dev *pdev)
1199 + "Cannot re-enable PCI device after reset.\n");
1200 + } else {
1201 + pci_set_master(pdev);
1202 ++ pci_restore_state(pdev);
1203 ++ pci_save_state(pdev);
1204 +
1205 + err = bnxt_hwrm_func_reset(bp);
1206 + if (!err && netif_running(netdev))
1207 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1208 +index 63730e449e088..a1cb99110092d 100644
1209 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1210 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
1211 +@@ -471,7 +471,7 @@ static void bnxt_get_channels(struct net_device *dev,
1212 + int max_tx_sch_inputs;
1213 +
1214 + /* Get the most up-to-date max_tx_sch_inputs. */
1215 +- if (BNXT_NEW_RM(bp))
1216 ++ if (netif_running(dev) && BNXT_NEW_RM(bp))
1217 + bnxt_hwrm_func_resc_qcaps(bp, false);
1218 + max_tx_sch_inputs = hw_resc->max_tx_sch_inputs;
1219 +
1220 +@@ -1877,6 +1877,9 @@ static int bnxt_get_nvram_directory(struct net_device *dev, u32 len, u8 *data)
1221 + if (rc != 0)
1222 + return rc;
1223 +
1224 ++ if (!dir_entries || !entry_length)
1225 ++ return -EIO;
1226 ++
1227 + /* Insert 2 bytes of directory info (count and size of entries) */
1228 + if (len < 2)
1229 + return -EINVAL;
1230 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
1231 +index be845df050399..6fcf9646d141b 100644
1232 +--- a/drivers/net/ethernet/broadcom/tg3.c
1233 ++++ b/drivers/net/ethernet/broadcom/tg3.c
1234 +@@ -7219,8 +7219,8 @@ static inline void tg3_reset_task_schedule(struct tg3 *tp)
1235 +
1236 + static inline void tg3_reset_task_cancel(struct tg3 *tp)
1237 + {
1238 +- cancel_work_sync(&tp->reset_task);
1239 +- tg3_flag_clear(tp, RESET_TASK_PENDING);
1240 ++ if (test_and_clear_bit(TG3_FLAG_RESET_TASK_PENDING, tp->tg3_flags))
1241 ++ cancel_work_sync(&tp->reset_task);
1242 + tg3_flag_clear(tp, TX_RECOVERY_PENDING);
1243 + }
1244 +
1245 +@@ -11213,18 +11213,27 @@ static void tg3_reset_task(struct work_struct *work)
1246 +
1247 + tg3_halt(tp, RESET_KIND_SHUTDOWN, 0);
1248 + err = tg3_init_hw(tp, true);
1249 +- if (err)
1250 ++ if (err) {
1251 ++ tg3_full_unlock(tp);
1252 ++ tp->irq_sync = 0;
1253 ++ tg3_napi_enable(tp);
1254 ++ /* Clear this flag so that tg3_reset_task_cancel() will not
1255 ++ * call cancel_work_sync() and wait forever.
1256 ++ */
1257 ++ tg3_flag_clear(tp, RESET_TASK_PENDING);
1258 ++ dev_close(tp->dev);
1259 + goto out;
1260 ++ }
1261 +
1262 + tg3_netif_start(tp);
1263 +
1264 +-out:
1265 + tg3_full_unlock(tp);
1266 +
1267 + if (!err)
1268 + tg3_phy_start(tp);
1269 +
1270 + tg3_flag_clear(tp, RESET_TASK_PENDING);
1271 ++out:
1272 + rtnl_unlock();
1273 + }
1274 +
1275 +diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
1276 +index 16de0fa92ab74..5242687060b44 100644
1277 +--- a/drivers/net/ethernet/cortina/gemini.c
1278 ++++ b/drivers/net/ethernet/cortina/gemini.c
1279 +@@ -2451,8 +2451,8 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
1280 + port->reset = devm_reset_control_get_exclusive(dev, NULL);
1281 + if (IS_ERR(port->reset)) {
1282 + dev_err(dev, "no reset\n");
1283 +- clk_disable_unprepare(port->pclk);
1284 +- return PTR_ERR(port->reset);
1285 ++ ret = PTR_ERR(port->reset);
1286 ++ goto unprepare;
1287 + }
1288 + reset_control_reset(port->reset);
1289 + usleep_range(100, 500);
1290 +@@ -2507,25 +2507,25 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
1291 + IRQF_SHARED,
1292 + port_names[port->id],
1293 + port);
1294 +- if (ret) {
1295 +- clk_disable_unprepare(port->pclk);
1296 +- return ret;
1297 +- }
1298 ++ if (ret)
1299 ++ goto unprepare;
1300 +
1301 + ret = register_netdev(netdev);
1302 +- if (!ret) {
1303 ++ if (ret)
1304 ++ goto unprepare;
1305 ++
1306 ++ netdev_info(netdev,
1307 ++ "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n",
1308 ++ port->irq, &dmares->start,
1309 ++ &gmacres->start);
1310 ++ ret = gmac_setup_phy(netdev);
1311 ++ if (ret)
1312 + netdev_info(netdev,
1313 +- "irq %d, DMA @ 0x%pap, GMAC @ 0x%pap\n",
1314 +- port->irq, &dmares->start,
1315 +- &gmacres->start);
1316 +- ret = gmac_setup_phy(netdev);
1317 +- if (ret)
1318 +- netdev_info(netdev,
1319 +- "PHY init failed, deferring to ifup time\n");
1320 +- return 0;
1321 +- }
1322 ++ "PHY init failed, deferring to ifup time\n");
1323 ++ return 0;
1324 +
1325 +- port->netdev = NULL;
1326 ++unprepare:
1327 ++ clk_disable_unprepare(port->pclk);
1328 + return ret;
1329 + }
1330 +
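Review bot: The new `unprepare:` path no longer executes `port->netdev = NULL;`, which the old register_netdev() failure path did before returning. If anything outside this hunk still reads `port->netdev` after a failed probe, it would now see a pointer to a netdev that was never registered. Either keep the reset before `clk_disable_unprepare(port->pclk);` or confirm that `port` cannot outlive the failed probe. The hunk does not show where `port` and `netdev` are allocated, so their lifetime is an open question.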
1331 +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
1332 +index 024b08fafd3b2..4de65a9de0a63 100644
1333 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
1334 ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
1335 +@@ -2297,8 +2297,10 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
1336 + priv->enet_ver = AE_VERSION_1;
1337 + else if (acpi_dev_found(hns_enet_acpi_match[1].id))
1338 + priv->enet_ver = AE_VERSION_2;
1339 +- else
1340 +- return -ENXIO;
1341 ++ else {
1342 ++ ret = -ENXIO;
1343 ++ goto out_read_prop_fail;
1344 ++ }
1345 +
1346 + /* try to find port-idx-in-ae first */
1347 + ret = acpi_node_get_property_reference(dev->fwnode,
1348 +@@ -2314,7 +2316,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
1349 + priv->fwnode = args.fwnode;
1350 + } else {
1351 + dev_err(dev, "cannot read cfg data from OF or acpi\n");
1352 +- return -ENXIO;
1353 ++ ret = -ENXIO;
1354 ++ goto out_read_prop_fail;
1355 + }
1356 +
1357 + ret = device_property_read_u32(dev, "port-idx-in-ae", &port_id);
1358 +diff --git a/drivers/net/ethernet/mellanox/mlx4/mr.c b/drivers/net/ethernet/mellanox/mlx4/mr.c
1359 +index 1a11bc0e16123..cfa0bba3940fb 100644
1360 +--- a/drivers/net/ethernet/mellanox/mlx4/mr.c
1361 ++++ b/drivers/net/ethernet/mellanox/mlx4/mr.c
1362 +@@ -114,7 +114,7 @@ static int mlx4_buddy_init(struct mlx4_buddy *buddy, int max_order)
1363 + goto err_out;
1364 +
1365 + for (i = 0; i <= buddy->max_order; ++i) {
1366 +- s = BITS_TO_LONGS(1 << (buddy->max_order - i));
1367 ++ s = BITS_TO_LONGS(1UL << (buddy->max_order - i));
1368 + buddy->bits[i] = kvmalloc_array(s, sizeof(long), GFP_KERNEL | __GFP_ZERO);
1369 + if (!buddy->bits[i])
1370 + goto err_out_free;
1371 +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
1372 +index 569e698b5c807..b5066cf86c856 100644
1373 +--- a/drivers/net/ethernet/renesas/ravb_main.c
1374 ++++ b/drivers/net/ethernet/renesas/ravb_main.c
1375 +@@ -1337,6 +1337,51 @@ static inline int ravb_hook_irq(unsigned int irq, irq_handler_t handler,
1376 + return error;
1377 + }
1378 +
1379 ++/* MDIO bus init function */
1380 ++static int ravb_mdio_init(struct ravb_private *priv)
1381 ++{
1382 ++ struct platform_device *pdev = priv->pdev;
1383 ++ struct device *dev = &pdev->dev;
1384 ++ int error;
1385 ++
1386 ++ /* Bitbang init */
1387 ++ priv->mdiobb.ops = &bb_ops;
1388 ++
1389 ++ /* MII controller setting */
1390 ++ priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb);
1391 ++ if (!priv->mii_bus)
1392 ++ return -ENOMEM;
1393 ++
1394 ++ /* Hook up MII support for ethtool */
1395 ++ priv->mii_bus->name = "ravb_mii";
1396 ++ priv->mii_bus->parent = dev;
1397 ++ snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x",
1398 ++ pdev->name, pdev->id);
1399 ++
1400 ++ /* Register MDIO bus */
1401 ++ error = of_mdiobus_register(priv->mii_bus, dev->of_node);
1402 ++ if (error)
1403 ++ goto out_free_bus;
1404 ++
1405 ++ return 0;
1406 ++
1407 ++out_free_bus:
1408 ++ free_mdio_bitbang(priv->mii_bus);
1409 ++ return error;
1410 ++}
1411 ++
1412 ++/* MDIO bus release function */
1413 ++static int ravb_mdio_release(struct ravb_private *priv)
1414 ++{
1415 ++ /* Unregister mdio bus */
1416 ++ mdiobus_unregister(priv->mii_bus);
1417 ++
1418 ++ /* Free bitbang info */
1419 ++ free_mdio_bitbang(priv->mii_bus);
1420 ++
1421 ++ return 0;
1422 ++}
1423 ++
1424 + /* Network device open function for Ethernet AVB */
1425 + static int ravb_open(struct net_device *ndev)
1426 + {
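Review bot: ravb_mdio_release() frees the bus with `free_mdio_bitbang(priv->mii_bus)` but leaves `priv->mii_bus` pointing at it. With this patch the init/release pair runs on every open/close instead of once per probe/remove, so the stale pointer now persists for as long as the interface is down. Adding `priv->mii_bus = NULL;` after the free would turn any access in that window into an immediate NULL dereference rather than a use-after-free. Whether such an access exists is not visible in this hunk. The function also always returns 0 and its callers ignore the result, so `void` would describe it better.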
1427 +@@ -1345,6 +1390,13 @@ static int ravb_open(struct net_device *ndev)
1428 + struct device *dev = &pdev->dev;
1429 + int error;
1430 +
1431 ++ /* MDIO bus init */
1432 ++ error = ravb_mdio_init(priv);
1433 ++ if (error) {
1434 ++ netdev_err(ndev, "failed to initialize MDIO\n");
1435 ++ return error;
1436 ++ }
1437 ++
1438 + napi_enable(&priv->napi[RAVB_BE]);
1439 + napi_enable(&priv->napi[RAVB_NC]);
1440 +
1441 +@@ -1422,6 +1474,7 @@ out_free_irq:
1442 + out_napi_off:
1443 + napi_disable(&priv->napi[RAVB_NC]);
1444 + napi_disable(&priv->napi[RAVB_BE]);
1445 ++ ravb_mdio_release(priv);
1446 + return error;
1447 + }
1448 +
1449 +@@ -1721,6 +1774,8 @@ static int ravb_close(struct net_device *ndev)
1450 + ravb_ring_free(ndev, RAVB_BE);
1451 + ravb_ring_free(ndev, RAVB_NC);
1452 +
1453 ++ ravb_mdio_release(priv);
1454 ++
1455 + return 0;
1456 + }
1457 +
1458 +@@ -1867,51 +1922,6 @@ static const struct net_device_ops ravb_netdev_ops = {
1459 + .ndo_set_features = ravb_set_features,
1460 + };
1461 +
1462 +-/* MDIO bus init function */
1463 +-static int ravb_mdio_init(struct ravb_private *priv)
1464 +-{
1465 +- struct platform_device *pdev = priv->pdev;
1466 +- struct device *dev = &pdev->dev;
1467 +- int error;
1468 +-
1469 +- /* Bitbang init */
1470 +- priv->mdiobb.ops = &bb_ops;
1471 +-
1472 +- /* MII controller setting */
1473 +- priv->mii_bus = alloc_mdio_bitbang(&priv->mdiobb);
1474 +- if (!priv->mii_bus)
1475 +- return -ENOMEM;
1476 +-
1477 +- /* Hook up MII support for ethtool */
1478 +- priv->mii_bus->name = "ravb_mii";
1479 +- priv->mii_bus->parent = dev;
1480 +- snprintf(priv->mii_bus->id, MII_BUS_ID_SIZE, "%s-%x",
1481 +- pdev->name, pdev->id);
1482 +-
1483 +- /* Register MDIO bus */
1484 +- error = of_mdiobus_register(priv->mii_bus, dev->of_node);
1485 +- if (error)
1486 +- goto out_free_bus;
1487 +-
1488 +- return 0;
1489 +-
1490 +-out_free_bus:
1491 +- free_mdio_bitbang(priv->mii_bus);
1492 +- return error;
1493 +-}
1494 +-
1495 +-/* MDIO bus release function */
1496 +-static int ravb_mdio_release(struct ravb_private *priv)
1497 +-{
1498 +- /* Unregister mdio bus */
1499 +- mdiobus_unregister(priv->mii_bus);
1500 +-
1501 +- /* Free bitbang info */
1502 +- free_mdio_bitbang(priv->mii_bus);
1503 +-
1504 +- return 0;
1505 +-}
1506 +-
1507 + static const struct of_device_id ravb_match_table[] = {
1508 + { .compatible = "renesas,etheravb-r8a7790", .data = (void *)RCAR_GEN2 },
1509 + { .compatible = "renesas,etheravb-r8a7794", .data = (void *)RCAR_GEN2 },
1510 +@@ -2138,13 +2148,6 @@ static int ravb_probe(struct platform_device *pdev)
1511 + eth_hw_addr_random(ndev);
1512 + }
1513 +
1514 +- /* MDIO bus init */
1515 +- error = ravb_mdio_init(priv);
1516 +- if (error) {
1517 +- dev_err(&pdev->dev, "failed to initialize MDIO\n");
1518 +- goto out_dma_free;
1519 +- }
1520 +-
1521 + netif_napi_add(ndev, &priv->napi[RAVB_BE], ravb_poll, 64);
1522 + netif_napi_add(ndev, &priv->napi[RAVB_NC], ravb_poll, 64);
1523 +
1524 +@@ -2166,8 +2169,6 @@ static int ravb_probe(struct platform_device *pdev)
1525 + out_napi_del:
1526 + netif_napi_del(&priv->napi[RAVB_NC]);
1527 + netif_napi_del(&priv->napi[RAVB_BE]);
1528 +- ravb_mdio_release(priv);
1529 +-out_dma_free:
1530 + dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
1531 + priv->desc_bat_dma);
1532 +
1533 +@@ -2199,7 +2200,6 @@ static int ravb_remove(struct platform_device *pdev)
1534 + unregister_netdev(ndev);
1535 + netif_napi_del(&priv->napi[RAVB_NC]);
1536 + netif_napi_del(&priv->napi[RAVB_BE]);
1537 +- ravb_mdio_release(priv);
1538 + pm_runtime_disable(&pdev->dev);
1539 + free_netdev(ndev);
1540 + platform_set_drvdata(pdev, NULL);
1541 +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
1542 +index d73850ebb671f..f2fecb6842209 100644
1543 +--- a/drivers/net/gtp.c
1544 ++++ b/drivers/net/gtp.c
1545 +@@ -1187,6 +1187,7 @@ static int gtp_genl_fill_info(struct sk_buff *skb, u32 snd_portid, u32 snd_seq,
1546 + goto nlmsg_failure;
1547 +
1548 + if (nla_put_u32(skb, GTPA_VERSION, pctx->gtp_version) ||
1549 ++ nla_put_u32(skb, GTPA_LINK, pctx->dev->ifindex) ||
1550 + nla_put_be32(skb, GTPA_PEER_ADDRESS, pctx->peer_addr_ip4.s_addr) ||
1551 + nla_put_be32(skb, GTPA_MS_ADDRESS, pctx->ms_addr_ip4.s_addr))
1552 + goto nla_put_failure;
1553 +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
1554 +index 023b8d0bf1754..8d27786acad91 100644
1555 +--- a/drivers/net/usb/asix_common.c
1556 ++++ b/drivers/net/usb/asix_common.c
1557 +@@ -309,7 +309,7 @@ int asix_read_phy_addr(struct usbnet *dev, int internal)
1558 +
1559 + netdev_dbg(dev->net, "asix_get_phy_addr()\n");
1560 +
1561 +- if (ret < 0) {
1562 ++ if (ret < 2) {
1563 + netdev_err(dev->net, "Error reading PHYID register: %02x\n", ret);
1564 + goto out;
1565 + }
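Review bot: On a short read `ret` is 0 or 1, and the new `if (ret < 2)` branch jumps to `out` with that value unchanged. If `out` simply returns `ret` (the label is outside this hunk), a caller testing only for `< 0` would treat the byte count as a valid PHY address. I would convert the short read into an error inside the branch, `if (ret >= 0) ret = -EIO;`, and print it with `%d`, since `%02x` makes a count or a negative errno look like a register value. The literal `2` is presumably the length requested from the device; naming it, or using `sizeof` on the buffer, would keep the check tied to the request.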
1566 +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
1567 +index ea3c891186147..af58bf54aa9b6 100644
1568 +--- a/drivers/net/usb/qmi_wwan.c
1569 ++++ b/drivers/net/usb/qmi_wwan.c
1570 +@@ -1227,6 +1227,7 @@ static const struct usb_device_id products[] = {
1571 + {QMI_FIXED_INTF(0x2001, 0x7e16, 3)}, /* D-Link DWM-221 */
1572 + {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */
1573 + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */
1574 ++ {QMI_FIXED_INTF(0x2001, 0x7e3d, 4)}, /* D-Link DWM-222 A2 */
1575 + {QMI_FIXED_INTF(0x2020, 0x2031, 4)}, /* Olicard 600 */
1576 + {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */
1577 + {QMI_FIXED_INTF(0x2020, 0x2060, 4)}, /* BroadMobi BM818 */
1578 +@@ -1262,6 +1263,7 @@ static const struct usb_device_id products[] = {
1579 + {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
1580 + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */
1581 + {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */
1582 ++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */
1583 + {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
1584 + {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
1585 + {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
1586 +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
1587 +index 776b7e9e23b9e..f28df233dfcd0 100644
1588 +--- a/drivers/nvme/target/core.c
1589 ++++ b/drivers/nvme/target/core.c
1590 +@@ -307,6 +307,9 @@ static void nvmet_keep_alive_timer(struct work_struct *work)
1591 +
1592 + static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl)
1593 + {
1594 ++ if (unlikely(ctrl->kato == 0))
1595 ++ return;
1596 ++
1597 + pr_debug("ctrl %d start keep-alive timer for %d secs\n",
1598 + ctrl->cntlid, ctrl->kato);
1599 +
1600 +@@ -316,6 +319,9 @@ static void nvmet_start_keep_alive_timer(struct nvmet_ctrl *ctrl)
1601 +
1602 + static void nvmet_stop_keep_alive_timer(struct nvmet_ctrl *ctrl)
1603 + {
1604 ++ if (unlikely(ctrl->kato == 0))
1605 ++ return;
1606 ++
1607 + pr_debug("ctrl %d stop keep-alive\n", ctrl->cntlid);
1608 +
1609 + cancel_delayed_work_sync(&ctrl->ka_work);
1610 +diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c
1611 +index 29b4b236afd85..77e4d184bc995 100644
1612 +--- a/drivers/nvme/target/fc.c
1613 ++++ b/drivers/nvme/target/fc.c
1614 +@@ -1986,9 +1986,9 @@ nvmet_fc_fod_op_done(struct nvmet_fc_fcp_iod *fod)
1615 + return;
1616 + if (fcpreq->fcp_error ||
1617 + fcpreq->transferred_length != fcpreq->transfer_length) {
1618 +- spin_lock(&fod->flock);
1619 ++ spin_lock_irqsave(&fod->flock, flags);
1620 + fod->abort = true;
1621 +- spin_unlock(&fod->flock);
1622 ++ spin_unlock_irqrestore(&fod->flock, flags);
1623 +
1624 + nvmet_req_complete(&fod->req, NVME_SC_INTERNAL);
1625 + return;
1626 +diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
1627 +index 91dbac7446a47..99314e5162447 100644
1628 +--- a/drivers/target/target_core_user.c
1629 ++++ b/drivers/target/target_core_user.c
1630 +@@ -687,8 +687,10 @@ static void scatter_data_area(struct tcmu_dev *udev,
1631 + from = kmap_atomic(sg_page(sg)) + sg->offset;
1632 + while (sg_remaining > 0) {
1633 + if (block_remaining == 0) {
1634 +- if (to)
1635 ++ if (to) {
1636 ++ flush_dcache_page(page);
1637 + kunmap_atomic(to);
1638 ++ }
1639 +
1640 + block_remaining = DATA_BLOCK_SIZE;
1641 + dbi = tcmu_cmd_get_dbi(tcmu_cmd);
1642 +@@ -733,7 +735,6 @@ static void scatter_data_area(struct tcmu_dev *udev,
1643 + memcpy(to + offset,
1644 + from + sg->length - sg_remaining,
1645 + copy_bytes);
1646 +- tcmu_flush_dcache_range(to, copy_bytes);
1647 + }
1648 +
1649 + sg_remaining -= copy_bytes;
1650 +@@ -742,8 +743,10 @@ static void scatter_data_area(struct tcmu_dev *udev,
1651 + kunmap_atomic(from - sg->offset);
1652 + }
1653 +
1654 +- if (to)
1655 ++ if (to) {
1656 ++ flush_dcache_page(page);
1657 + kunmap_atomic(to);
1658 ++ }
1659 + }
1660 +
1661 + static void gather_data_area(struct tcmu_dev *udev, struct tcmu_cmd *cmd,
1662 +@@ -789,13 +792,13 @@ static void gather_data_area(struct tcmu_dev *udev, struct tcmu_cmd *cmd,
1663 + dbi = tcmu_cmd_get_dbi(cmd);
1664 + page = tcmu_get_block_page(udev, dbi);
1665 + from = kmap_atomic(page);
1666 ++ flush_dcache_page(page);
1667 + }
1668 + copy_bytes = min_t(size_t, sg_remaining,
1669 + block_remaining);
1670 + if (read_len < copy_bytes)
1671 + copy_bytes = read_len;
1672 + offset = DATA_BLOCK_SIZE - block_remaining;
1673 +- tcmu_flush_dcache_range(from, copy_bytes);
1674 + memcpy(to + sg->length - sg_remaining, from + offset,
1675 + copy_bytes);
1676 +
1677 +@@ -1018,7 +1021,7 @@ static int queue_cmd_ring(struct tcmu_cmd *tcmu_cmd, sense_reason_t *scsi_err)
1678 + entry->hdr.cmd_id = 0; /* not used for PAD */
1679 + entry->hdr.kflags = 0;
1680 + entry->hdr.uflags = 0;
1681 +- tcmu_flush_dcache_range(entry, sizeof(*entry));
1682 ++ tcmu_flush_dcache_range(entry, sizeof(entry->hdr));
1683 +
1684 + UPDATE_HEAD(mb->cmd_head, pad_size, udev->cmdr_size);
1685 + tcmu_flush_dcache_range(mb, sizeof(*mb));
1686 +@@ -1083,7 +1086,7 @@ static int queue_cmd_ring(struct tcmu_cmd *tcmu_cmd, sense_reason_t *scsi_err)
1687 + cdb_off = CMDR_OFF + cmd_head + base_command_size;
1688 + memcpy((void *) mb + cdb_off, se_cmd->t_task_cdb, scsi_command_size(se_cmd->t_task_cdb));
1689 + entry->req.cdb_off = cdb_off;
1690 +- tcmu_flush_dcache_range(entry, sizeof(*entry));
1691 ++ tcmu_flush_dcache_range(entry, command_size);
1692 +
1693 + UPDATE_HEAD(mb->cmd_head, command_size, udev->cmdr_size);
1694 + tcmu_flush_dcache_range(mb, sizeof(*mb));
1695 +diff --git a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
1696 +index c12211eaaac4d..0b9f835d931f0 100644
1697 +--- a/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
1698 ++++ b/drivers/thermal/ti-soc-thermal/omap4-thermal-data.c
1699 +@@ -46,20 +46,21 @@ static struct temp_sensor_data omap4430_mpu_temp_sensor_data = {
1700 +
1701 + /*
1702 + * Temperature values in milli degree celsius
1703 +- * ADC code values from 530 to 923
1704 ++ * ADC code values from 13 to 107, see TRM
1705 ++ * "18.4.10.2.3 ADC Codes Versus Temperature".
1706 + */
1707 + static const int
1708 + omap4430_adc_to_temp[OMAP4430_ADC_END_VALUE - OMAP4430_ADC_START_VALUE + 1] = {
1709 +- -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000, -22000,
1710 +- -20000, -18000, -17000, -15000, -13000, -12000, -10000, -8000, -6000,
1711 +- -5000, -3000, -1000, 0, 2000, 3000, 5000, 6000, 8000, 10000, 12000,
1712 +- 13000, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28000, 30000,
1713 +- 32000, 33000, 35000, 37000, 38000, 40000, 42000, 43000, 45000, 47000,
1714 +- 48000, 50000, 52000, 53000, 55000, 57000, 58000, 60000, 62000, 64000,
1715 +- 66000, 68000, 70000, 71000, 73000, 75000, 77000, 78000, 80000, 82000,
1716 +- 83000, 85000, 87000, 88000, 90000, 92000, 93000, 95000, 97000, 98000,
1717 +- 100000, 102000, 103000, 105000, 107000, 109000, 111000, 113000, 115000,
1718 +- 117000, 118000, 120000, 122000, 123000,
1719 ++ -40000, -38000, -35000, -34000, -32000, -30000, -28000, -26000, -24000,
1720 ++ -22000, -20000, -18500, -17000, -15000, -13500, -12000, -10000, -8000,
1721 ++ -6500, -5000, -3500, -1500, 0, 2000, 3500, 5000, 6500, 8500, 10000,
1722 ++ 12000, 13500, 15000, 17000, 19000, 21000, 23000, 25000, 27000, 28500,
1723 ++ 30000, 32000, 33500, 35000, 37000, 38500, 40000, 42000, 43500, 45000,
1724 ++ 47000, 48500, 50000, 52000, 53500, 55000, 57000, 58500, 60000, 62000,
1725 ++ 64000, 66000, 68000, 70000, 71500, 73500, 75000, 77000, 78500, 80000,
1726 ++ 82000, 83500, 85000, 87000, 88500, 90000, 92000, 93500, 95000, 97000,
1727 ++ 98500, 100000, 102000, 103500, 105000, 107000, 109000, 111000, 113000,
1728 ++ 115000, 117000, 118500, 120000, 122000, 123500, 125000,
1729 + };
1730 +
1731 + /* OMAP4430 data */
1732 +diff --git a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
1733 +index b87c8659ec608..8a081abce4b5f 100644
1734 +--- a/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
1735 ++++ b/drivers/thermal/ti-soc-thermal/omap4xxx-bandgap.h
1736 +@@ -67,9 +67,13 @@
1737 + * and thresholds for OMAP4430.
1738 + */
1739 +
1740 +-/* ADC conversion table limits */
1741 +-#define OMAP4430_ADC_START_VALUE 0
1742 +-#define OMAP4430_ADC_END_VALUE 127
1743 ++/*
1744 ++ * ADC conversion table limits. Ignore values outside the TRM listed
1745 ++ * range to avoid bogus thermal shutdowns. See omap4430 TRM chapter
1746 ++ * "18.4.10.2.3 ADC Codes Versus Temperature".
1747 ++ */
1748 ++#define OMAP4430_ADC_START_VALUE 13
1749 ++#define OMAP4430_ADC_END_VALUE 107
1750 + /* bandgap clock limits (no control on 4430) */
1751 + #define OMAP4430_MAX_FREQ 32768
1752 + #define OMAP4430_MIN_FREQ 32768
1753 +diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c
1754 +index 0d405cc58e722..cd0768c3e773e 100644
1755 +--- a/drivers/tty/serial/qcom_geni_serial.c
1756 ++++ b/drivers/tty/serial/qcom_geni_serial.c
1757 +@@ -1050,7 +1050,7 @@ static unsigned int qcom_geni_serial_tx_empty(struct uart_port *uport)
1758 + }
1759 +
1760 + #ifdef CONFIG_SERIAL_QCOM_GENI_CONSOLE
1761 +-static int __init qcom_geni_console_setup(struct console *co, char *options)
1762 ++static int qcom_geni_console_setup(struct console *co, char *options)
1763 + {
1764 + struct uart_port *uport;
1765 + struct qcom_geni_serial_port *port;
1766 +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
1767 +index 66783a37f450c..9f72a6ee13b53 100644
1768 +--- a/drivers/vfio/pci/vfio_pci.c
1769 ++++ b/drivers/vfio/pci/vfio_pci.c
1770 +@@ -29,6 +29,7 @@
1771 + #include <linux/vfio.h>
1772 + #include <linux/vgaarb.h>
1773 + #include <linux/nospec.h>
1774 ++#include <linux/sched/mm.h>
1775 +
1776 + #include "vfio_pci_private.h"
1777 +
1778 +@@ -181,6 +182,7 @@ no_mmap:
1779 +
1780 + static void vfio_pci_try_bus_reset(struct vfio_pci_device *vdev);
1781 + static void vfio_pci_disable(struct vfio_pci_device *vdev);
1782 ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data);
1783 +
1784 + /*
1785 + * INTx masking requires the ability to disable INTx signaling via PCI_COMMAND
1786 +@@ -623,6 +625,12 @@ int vfio_pci_register_dev_region(struct vfio_pci_device *vdev,
1787 + return 0;
1788 + }
1789 +
1790 ++struct vfio_devices {
1791 ++ struct vfio_device **devices;
1792 ++ int cur_index;
1793 ++ int max_index;
1794 ++};
1795 ++
1796 + static long vfio_pci_ioctl(void *device_data,
1797 + unsigned int cmd, unsigned long arg)
1798 + {
1799 +@@ -696,7 +704,7 @@ static long vfio_pci_ioctl(void *device_data,
1800 + {
1801 + void __iomem *io;
1802 + size_t size;
1803 +- u16 orig_cmd;
1804 ++ u16 cmd;
1805 +
1806 + info.offset = VFIO_PCI_INDEX_TO_OFFSET(info.index);
1807 + info.flags = 0;
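Review bot: The local `u16 cmd;` declared in this region-info block shadows the `unsigned int cmd` parameter of vfio_pci_ioctl() named in the hunk header. That makes the `cmd = vfio_pci_memory_lock_and_enable(vdev);` and `vfio_pci_memory_unlock_and_restore(vdev, cmd);` lines in the next two hunks easy to misread as touching the ioctl number. Keeping the old name avoids the confusion and a -Wshadow warning: `u16 orig_cmd;`, `orig_cmd = vfio_pci_memory_lock_and_enable(vdev);`, `vfio_pci_memory_unlock_and_restore(vdev, orig_cmd);`. The enclosing function starts and ends outside this hunk.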
1808 +@@ -716,10 +724,7 @@ static long vfio_pci_ioctl(void *device_data,
1809 + * Is it really there? Enable memory decode for
1810 + * implicit access in pci_map_rom().
1811 + */
1812 +- pci_read_config_word(pdev, PCI_COMMAND, &orig_cmd);
1813 +- pci_write_config_word(pdev, PCI_COMMAND,
1814 +- orig_cmd | PCI_COMMAND_MEMORY);
1815 +-
1816 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
1817 + io = pci_map_rom(pdev, &size);
1818 + if (io) {
1819 + info.flags = VFIO_REGION_INFO_FLAG_READ;
1820 +@@ -727,8 +732,8 @@ static long vfio_pci_ioctl(void *device_data,
1821 + } else {
1822 + info.size = 0;
1823 + }
1824 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
1825 +
1826 +- pci_write_config_word(pdev, PCI_COMMAND, orig_cmd);
1827 + break;
1828 + }
1829 + case VFIO_PCI_VGA_REGION_INDEX:
1830 +@@ -865,8 +870,16 @@ static long vfio_pci_ioctl(void *device_data,
1831 + return ret;
1832 +
1833 + } else if (cmd == VFIO_DEVICE_RESET) {
1834 +- return vdev->reset_works ?
1835 +- pci_try_reset_function(vdev->pdev) : -EINVAL;
1836 ++ int ret;
1837 ++
1838 ++ if (!vdev->reset_works)
1839 ++ return -EINVAL;
1840 ++
1841 ++ vfio_pci_zap_and_down_write_memory_lock(vdev);
1842 ++ ret = pci_try_reset_function(vdev->pdev);
1843 ++ up_write(&vdev->memory_lock);
1844 ++
1845 ++ return ret;
1846 +
1847 + } else if (cmd == VFIO_DEVICE_GET_PCI_HOT_RESET_INFO) {
1848 + struct vfio_pci_hot_reset_info hdr;
1849 +@@ -946,8 +959,9 @@ reset_info_exit:
1850 + int32_t *group_fds;
1851 + struct vfio_pci_group_entry *groups;
1852 + struct vfio_pci_group_info info;
1853 ++ struct vfio_devices devs = { .cur_index = 0 };
1854 + bool slot = false;
1855 +- int i, count = 0, ret = 0;
1856 ++ int i, group_idx, mem_idx = 0, count = 0, ret = 0;
1857 +
1858 + minsz = offsetofend(struct vfio_pci_hot_reset, count);
1859 +
1860 +@@ -999,9 +1013,9 @@ reset_info_exit:
1861 + * user interface and store the group and iommu ID. This
1862 + * ensures the group is held across the reset.
1863 + */
1864 +- for (i = 0; i < hdr.count; i++) {
1865 ++ for (group_idx = 0; group_idx < hdr.count; group_idx++) {
1866 + struct vfio_group *group;
1867 +- struct fd f = fdget(group_fds[i]);
1868 ++ struct fd f = fdget(group_fds[group_idx]);
1869 + if (!f.file) {
1870 + ret = -EBADF;
1871 + break;
1872 +@@ -1014,8 +1028,9 @@ reset_info_exit:
1873 + break;
1874 + }
1875 +
1876 +- groups[i].group = group;
1877 +- groups[i].id = vfio_external_user_iommu_id(group);
1878 ++ groups[group_idx].group = group;
1879 ++ groups[group_idx].id =
1880 ++ vfio_external_user_iommu_id(group);
1881 + }
1882 +
1883 + kfree(group_fds);
1884 +@@ -1034,13 +1049,63 @@ reset_info_exit:
1885 + ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
1886 + vfio_pci_validate_devs,
1887 + &info, slot);
1888 +- if (!ret)
1889 +- /* User has access, do the reset */
1890 +- ret = pci_reset_bus(vdev->pdev);
1891 ++ if (ret)
1892 ++ goto hot_reset_release;
1893 ++
1894 ++ devs.max_index = count;
1895 ++ devs.devices = kcalloc(count, sizeof(struct vfio_device *),
1896 ++ GFP_KERNEL);
1897 ++ if (!devs.devices) {
1898 ++ ret = -ENOMEM;
1899 ++ goto hot_reset_release;
1900 ++ }
1901 ++
1902 ++ /*
1903 ++ * We need to get memory_lock for each device, but devices
1904 ++ * can share mmap_sem, therefore we need to zap and hold
1905 ++ * the vma_lock for each device, and only then get each
1906 ++ * memory_lock.
1907 ++ */
1908 ++ ret = vfio_pci_for_each_slot_or_bus(vdev->pdev,
1909 ++ vfio_pci_try_zap_and_vma_lock_cb,
1910 ++ &devs, slot);
1911 ++ if (ret)
1912 ++ goto hot_reset_release;
1913 ++
1914 ++ for (; mem_idx < devs.cur_index; mem_idx++) {
1915 ++ struct vfio_pci_device *tmp;
1916 ++
1917 ++ tmp = vfio_device_data(devs.devices[mem_idx]);
1918 ++
1919 ++ ret = down_write_trylock(&tmp->memory_lock);
1920 ++ if (!ret) {
1921 ++ ret = -EBUSY;
1922 ++ goto hot_reset_release;
1923 ++ }
1924 ++ mutex_unlock(&tmp->vma_lock);
1925 ++ }
1926 ++
1927 ++ /* User has access, do the reset */
1928 ++ ret = pci_reset_bus(vdev->pdev);
1929 +
1930 + hot_reset_release:
1931 +- for (i--; i >= 0; i--)
1932 +- vfio_group_put_external_user(groups[i].group);
1933 ++ for (i = 0; i < devs.cur_index; i++) {
1934 ++ struct vfio_device *device;
1935 ++ struct vfio_pci_device *tmp;
1936 ++
1937 ++ device = devs.devices[i];
1938 ++ tmp = vfio_device_data(device);
1939 ++
1940 ++ if (i < mem_idx)
1941 ++ up_write(&tmp->memory_lock);
1942 ++ else
1943 ++ mutex_unlock(&tmp->vma_lock);
1944 ++ vfio_device_put(device);
1945 ++ }
1946 ++ kfree(devs.devices);
1947 ++
1948 ++ for (group_idx--; group_idx >= 0; group_idx--)
1949 ++ vfio_group_put_external_user(groups[group_idx].group);
1950 +
1951 + kfree(groups);
1952 + return ret;
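Review bot: The unwind at `hot_reset_release:` depends on an invariant that is not written down. Devices at an index below `mem_idx` hold memory_lock for write and have already dropped vma_lock, while those from `mem_idx` up to `devs.cur_index` still hold only vma_lock. A reader has to reconstruct that from the trylock loop to see why `if (i < mem_idx)` picks the correct unlock, and a mistake there would leave a lock held across the ioctl return. I would add above the cleanup loop `/* [0, mem_idx): memory_lock held for write; [mem_idx, cur_index): vma_lock still held */`. The enclosing ioctl function begins and ends outside the hunk.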
1953 +@@ -1121,6 +1186,202 @@ static ssize_t vfio_pci_write(void *device_data, const char __user *buf,
1954 + return vfio_pci_rw(device_data, (char __user *)buf, count, ppos, true);
1955 + }
1956 +
1957 ++/* Return 1 on zap and vma_lock acquired, 0 on contention (only with @try) */
1958 ++static int vfio_pci_zap_and_vma_lock(struct vfio_pci_device *vdev, bool try)
1959 ++{
1960 ++ struct vfio_pci_mmap_vma *mmap_vma, *tmp;
1961 ++
1962 ++ /*
1963 ++ * Lock ordering:
1964 ++ * vma_lock is nested under mmap_sem for vm_ops callback paths.
1965 ++ * The memory_lock semaphore is used by both code paths calling
1966 ++ * into this function to zap vmas and the vm_ops.fault callback
1967 ++ * to protect the memory enable state of the device.
1968 ++ *
1969 ++ * When zapping vmas we need to maintain the mmap_sem => vma_lock
1970 ++ * ordering, which requires using vma_lock to walk vma_list to
1971 ++ * acquire an mm, then dropping vma_lock to get the mmap_sem and
1972 ++ * reacquiring vma_lock. This logic is derived from similar
1973 ++ * requirements in uverbs_user_mmap_disassociate().
1974 ++ *
1975 ++ * mmap_sem must always be the top-level lock when it is taken.
1976 ++ * Therefore we can only hold the memory_lock write lock when
1977 ++ * vma_list is empty, as we'd need to take mmap_sem to clear
1978 ++ * entries. vma_list can only be guaranteed empty when holding
1979 ++ * vma_lock, thus memory_lock is nested under vma_lock.
1980 ++ *
1981 ++ * This enables the vm_ops.fault callback to acquire vma_lock,
1982 ++ * followed by memory_lock read lock, while already holding
1983 ++ * mmap_sem without risk of deadlock.
1984 ++ */
1985 ++ while (1) {
1986 ++ struct mm_struct *mm = NULL;
1987 ++
1988 ++ if (try) {
1989 ++ if (!mutex_trylock(&vdev->vma_lock))
1990 ++ return 0;
1991 ++ } else {
1992 ++ mutex_lock(&vdev->vma_lock);
1993 ++ }
1994 ++ while (!list_empty(&vdev->vma_list)) {
1995 ++ mmap_vma = list_first_entry(&vdev->vma_list,
1996 ++ struct vfio_pci_mmap_vma,
1997 ++ vma_next);
1998 ++ mm = mmap_vma->vma->vm_mm;
1999 ++ if (mmget_not_zero(mm))
2000 ++ break;
2001 ++
2002 ++ list_del(&mmap_vma->vma_next);
2003 ++ kfree(mmap_vma);
2004 ++ mm = NULL;
2005 ++ }
2006 ++ if (!mm)
2007 ++ return 1;
2008 ++ mutex_unlock(&vdev->vma_lock);
2009 ++
2010 ++ if (try) {
2011 ++ if (!down_read_trylock(&mm->mmap_sem)) {
2012 ++ mmput(mm);
2013 ++ return 0;
2014 ++ }
2015 ++ } else {
2016 ++ down_read(&mm->mmap_sem);
2017 ++ }
2018 ++ if (mmget_still_valid(mm)) {
2019 ++ if (try) {
2020 ++ if (!mutex_trylock(&vdev->vma_lock)) {
2021 ++ up_read(&mm->mmap_sem);
2022 ++ mmput(mm);
2023 ++ return 0;
2024 ++ }
2025 ++ } else {
2026 ++ mutex_lock(&vdev->vma_lock);
2027 ++ }
2028 ++ list_for_each_entry_safe(mmap_vma, tmp,
2029 ++ &vdev->vma_list, vma_next) {
2030 ++ struct vm_area_struct *vma = mmap_vma->vma;
2031 ++
2032 ++ if (vma->vm_mm != mm)
2033 ++ continue;
2034 ++
2035 ++ list_del(&mmap_vma->vma_next);
2036 ++ kfree(mmap_vma);
2037 ++
2038 ++ zap_vma_ptes(vma, vma->vm_start,
2039 ++ vma->vm_end - vma->vm_start);
2040 ++ }
2041 ++ mutex_unlock(&vdev->vma_lock);
2042 ++ }
2043 ++ up_read(&mm->mmap_sem);
2044 ++ mmput(mm);
2045 ++ }
2046 ++}
2047 ++
2048 ++void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device *vdev)
2049 ++{
2050 ++ vfio_pci_zap_and_vma_lock(vdev, false);
2051 ++ down_write(&vdev->memory_lock);
2052 ++ mutex_unlock(&vdev->vma_lock);
2053 ++}
2054 ++
2055 ++u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev)
2056 ++{
2057 ++ u16 cmd;
2058 ++
2059 ++ down_write(&vdev->memory_lock);
2060 ++ pci_read_config_word(vdev->pdev, PCI_COMMAND, &cmd);
2061 ++ if (!(cmd & PCI_COMMAND_MEMORY))
2062 ++ pci_write_config_word(vdev->pdev, PCI_COMMAND,
2063 ++ cmd | PCI_COMMAND_MEMORY);
2064 ++
2065 ++ return cmd;
2066 ++}
2067 ++
2068 ++void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev, u16 cmd)
2069 ++{
2070 ++ pci_write_config_word(vdev->pdev, PCI_COMMAND, cmd);
2071 ++ up_write(&vdev->memory_lock);
2072 ++}
2073 ++
2074 ++/* Caller holds vma_lock */
2075 ++static int __vfio_pci_add_vma(struct vfio_pci_device *vdev,
2076 ++ struct vm_area_struct *vma)
2077 ++{
2078 ++ struct vfio_pci_mmap_vma *mmap_vma;
2079 ++
2080 ++ mmap_vma = kmalloc(sizeof(*mmap_vma), GFP_KERNEL);
2081 ++ if (!mmap_vma)
2082 ++ return -ENOMEM;
2083 ++
2084 ++ mmap_vma->vma = vma;
2085 ++ list_add(&mmap_vma->vma_next, &vdev->vma_list);
2086 ++
2087 ++ return 0;
2088 ++}
2089 ++
2090 ++/*
2091 ++ * Zap mmaps on open so that we can fault them in on access and therefore
2092 ++ * our vma_list only tracks mappings accessed since last zap.
2093 ++ */
2094 ++static void vfio_pci_mmap_open(struct vm_area_struct *vma)
2095 ++{
2096 ++ zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
2097 ++}
2098 ++
2099 ++static void vfio_pci_mmap_close(struct vm_area_struct *vma)
2100 ++{
2101 ++ struct vfio_pci_device *vdev = vma->vm_private_data;
2102 ++ struct vfio_pci_mmap_vma *mmap_vma;
2103 ++
2104 ++ mutex_lock(&vdev->vma_lock);
2105 ++ list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
2106 ++ if (mmap_vma->vma == vma) {
2107 ++ list_del(&mmap_vma->vma_next);
2108 ++ kfree(mmap_vma);
2109 ++ break;
2110 ++ }
2111 ++ }
2112 ++ mutex_unlock(&vdev->vma_lock);
2113 ++}
2114 ++
2115 ++static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
2116 ++{
2117 ++ struct vm_area_struct *vma = vmf->vma;
2118 ++ struct vfio_pci_device *vdev = vma->vm_private_data;
2119 ++ vm_fault_t ret = VM_FAULT_NOPAGE;
2120 ++
2121 ++ mutex_lock(&vdev->vma_lock);
2122 ++ down_read(&vdev->memory_lock);
2123 ++
2124 ++ if (!__vfio_pci_memory_enabled(vdev)) {
2125 ++ ret = VM_FAULT_SIGBUS;
2126 ++ mutex_unlock(&vdev->vma_lock);
2127 ++ goto up_out;
2128 ++ }
2129 ++
2130 ++ if (__vfio_pci_add_vma(vdev, vma)) {
2131 ++ ret = VM_FAULT_OOM;
2132 ++ mutex_unlock(&vdev->vma_lock);
2133 ++ goto up_out;
2134 ++ }
2135 ++
2136 ++ mutex_unlock(&vdev->vma_lock);
2137 ++
2138 ++ if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
2139 ++ vma->vm_end - vma->vm_start, vma->vm_page_prot))
2140 ++ ret = VM_FAULT_SIGBUS;
2141 ++
2142 ++up_out:
2143 ++ up_read(&vdev->memory_lock);
2144 ++ return ret;
2145 ++}
2146 ++
2147 ++static const struct vm_operations_struct vfio_pci_mmap_ops = {
2148 ++ .open = vfio_pci_mmap_open,
2149 ++ .close = vfio_pci_mmap_close,
2150 ++ .fault = vfio_pci_mmap_fault,
2151 ++};
2152 ++
2153 + static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma)
2154 + {
2155 + struct vfio_pci_device *vdev = device_data;
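Review bot: In `vfio_pci_mmap_fault()` the vma_lock is dropped before `remap_pfn_range()` runs, and `__vfio_pci_add_vma()` never checks whether the vma is already on `vma_list`. Two threads faulting on the same vma at once would therefore each add an entry and each try to populate the whole range. As far as I can tell remap_pfn_range() expects the target PTEs to be empty, so the second caller may trip over an already populated range rather than returning cleanly. I would look the vma up under vma_lock, return VM_FAULT_NOPAGE when it is already tracked, and keep vma_lock held until the mapping is installed and recorded. On failure the range should be zapped so a later fault starts from a clean state.

```c
static vm_fault_t vfio_pci_mmap_fault(struct vm_fault *vmf)
{
	/* … unchanged: vma, vdev and ret declarations … */
	struct vfio_pci_mmap_vma *mmap_vma;

	mutex_lock(&vdev->vma_lock);
	down_read(&vdev->memory_lock);

	if (!__vfio_pci_memory_enabled(vdev)) {
		ret = VM_FAULT_SIGBUS;
		goto up_out;
	}

	/*
	 * The whole vma is populated on the first fault, so a concurrent
	 * fault on the same vma finds it tracked here and has nothing to do.
	 */
	list_for_each_entry(mmap_vma, &vdev->vma_list, vma_next) {
		if (mmap_vma->vma == vma)
			goto up_out;
	}

	if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
			    vma->vm_end - vma->vm_start, vma->vm_page_prot)) {
		ret = VM_FAULT_SIGBUS;
		zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
		goto up_out;
	}

	if (__vfio_pci_add_vma(vdev, vma)) {
		ret = VM_FAULT_OOM;
		zap_vma_ptes(vma, vma->vm_start, vma->vm_end - vma->vm_start);
	}

up_out:
	up_read(&vdev->memory_lock);
	mutex_unlock(&vdev->vma_lock);
	return ret;
}
```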
2156 +@@ -1170,8 +1431,14 @@ static int vfio_pci_mmap(void *device_data, struct vm_area_struct *vma)
2157 + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
2158 + vma->vm_pgoff = (pci_resource_start(pdev, index) >> PAGE_SHIFT) + pgoff;
2159 +
2160 +- return remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
2161 +- req_len, vma->vm_page_prot);
2162 ++ /*
2163 ++ * See remap_pfn_range(), called from vfio_pci_fault() but we can't
2164 ++ * change vm_flags within the fault handler. Set them now.
2165 ++ */
2166 ++ vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
2167 ++ vma->vm_ops = &vfio_pci_mmap_ops;
2168 ++
2169 ++ return 0;
2170 + }
2171 +
2172 + static void vfio_pci_request(void *device_data, unsigned int count)
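Review bot: The added comment points at `vfio_pci_fault()`, but the fault handler this patch introduces is `vfio_pci_mmap_fault()`, installed through `vfio_pci_mmap_ops`, so a search for the named function finds nothing. The line should read `* See remap_pfn_range(), called from vfio_pci_mmap_fault() but we can't`. It would also help to say that the four flags set here are, as far as I know, the ones remap_pfn_range() would otherwise apply to the vma, so the list is kept in step if that ever changes. vfio_pci_mmap() begins outside this hunk.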
2173 +@@ -1243,6 +1510,9 @@ static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
2174 + spin_lock_init(&vdev->irqlock);
2175 + mutex_init(&vdev->ioeventfds_lock);
2176 + INIT_LIST_HEAD(&vdev->ioeventfds_list);
2177 ++ mutex_init(&vdev->vma_lock);
2178 ++ INIT_LIST_HEAD(&vdev->vma_list);
2179 ++ init_rwsem(&vdev->memory_lock);
2180 +
2181 + ret = vfio_add_group_dev(&pdev->dev, &vfio_pci_ops, vdev);
2182 + if (ret) {
2183 +@@ -1338,12 +1608,6 @@ static struct pci_driver vfio_pci_driver = {
2184 + .err_handler = &vfio_err_handlers,
2185 + };
2186 +
2187 +-struct vfio_devices {
2188 +- struct vfio_device **devices;
2189 +- int cur_index;
2190 +- int max_index;
2191 +-};
2192 +-
2193 + static int vfio_pci_get_devs(struct pci_dev *pdev, void *data)
2194 + {
2195 + struct vfio_devices *devs = data;
2196 +@@ -1365,6 +1629,39 @@ static int vfio_pci_get_devs(struct pci_dev *pdev, void *data)
2197 + return 0;
2198 + }
2199 +
2200 ++static int vfio_pci_try_zap_and_vma_lock_cb(struct pci_dev *pdev, void *data)
2201 ++{
2202 ++ struct vfio_devices *devs = data;
2203 ++ struct vfio_device *device;
2204 ++ struct vfio_pci_device *vdev;
2205 ++
2206 ++ if (devs->cur_index == devs->max_index)
2207 ++ return -ENOSPC;
2208 ++
2209 ++ device = vfio_device_get_from_dev(&pdev->dev);
2210 ++ if (!device)
2211 ++ return -EINVAL;
2212 ++
2213 ++ if (pci_dev_driver(pdev) != &vfio_pci_driver) {
2214 ++ vfio_device_put(device);
2215 ++ return -EBUSY;
2216 ++ }
2217 ++
2218 ++ vdev = vfio_device_data(device);
2219 ++
2220 ++ /*
2221 ++ * Locking multiple devices is prone to deadlock, runaway and
2222 ++ * unwind if we hit contention.
2223 ++ */
2224 ++ if (!vfio_pci_zap_and_vma_lock(vdev, true)) {
2225 ++ vfio_device_put(device);
2226 ++ return -EBUSY;
2227 ++ }
2228 ++
2229 ++ devs->devices[devs->cur_index++] = device;
2230 ++ return 0;
2231 ++}
2232 ++
2233 + /*
2234 + * Attempt to do a bus/slot reset if there are devices affected by a reset for
2235 + * this device that are needs_reset and all of the affected devices are unused
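Review bot: The comment above the `vfio_pci_zap_and_vma_lock(vdev, true)` call reads as a list of hazards ("deadlock, runaway and unwind"), which hides the instruction it is meant to give. Suggested wording: `/* Locking multiple devices is prone to deadlock; use trylock and return -EBUSY on contention so the caller unwinds. */`. The function also has no header comment saying that on success both the device reference and vma_lock are left held for the caller. The `hot_reset_release` loop in vfio_pci_ioctl() depends on that, so it deserves one line here.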
2236 +diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
2237 +index 36bc8f104e42e..a1a26465d224c 100644
2238 +--- a/drivers/vfio/pci/vfio_pci_config.c
2239 ++++ b/drivers/vfio/pci/vfio_pci_config.c
2240 +@@ -398,6 +398,20 @@ static inline void p_setd(struct perm_bits *p, int off, u32 virt, u32 write)
2241 + *(__le32 *)(&p->write[off]) = cpu_to_le32(write);
2242 + }
2243 +
2244 ++/* Caller should hold memory_lock semaphore */
2245 ++bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev)
2246 ++{
2247 ++ struct pci_dev *pdev = vdev->pdev;
2248 ++ u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]);
2249 ++
2250 ++ /*
2251 ++ * SR-IOV VF memory enable is handled by the MSE bit in the
2252 ++ * PF SR-IOV capability, there's therefore no need to trigger
2253 ++ * faults based on the virtual value.
2254 ++ */
2255 ++ return pdev->is_virtfn || (cmd & PCI_COMMAND_MEMORY);
2256 ++}
2257 ++
2258 + /*
2259 + * Restore the *real* BARs after we detect a FLR or backdoor reset.
2260 + * (backdoor = some device specific technique that we didn't catch)
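Review bot: `__vfio_pci_memory_enabled()` relies on the caller holding memory_lock, but that is stated only in a comment. A future caller that forgets the lock would read `vconfig[PCI_COMMAND]` unsynchronised with no diagnostic. Adding `lockdep_assert_held(&vdev->memory_lock);` after the two declarations would turn the comment into a check on lockdep-enabled builds. Both callers visible in this patch, vfio_pci_mmap_fault() and vfio_pci_bar_rw(), take the lock for read before calling, so the assertion should hold as the code stands.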
2261 +@@ -558,13 +572,18 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
2262 +
2263 + new_cmd = le32_to_cpu(val);
2264 +
2265 ++ phys_io = !!(phys_cmd & PCI_COMMAND_IO);
2266 ++ virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO);
2267 ++ new_io = !!(new_cmd & PCI_COMMAND_IO);
2268 ++
2269 + phys_mem = !!(phys_cmd & PCI_COMMAND_MEMORY);
2270 + virt_mem = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_MEMORY);
2271 + new_mem = !!(new_cmd & PCI_COMMAND_MEMORY);
2272 +
2273 +- phys_io = !!(phys_cmd & PCI_COMMAND_IO);
2274 +- virt_io = !!(le16_to_cpu(*virt_cmd) & PCI_COMMAND_IO);
2275 +- new_io = !!(new_cmd & PCI_COMMAND_IO);
2276 ++ if (!new_mem)
2277 ++ vfio_pci_zap_and_down_write_memory_lock(vdev);
2278 ++ else
2279 ++ down_write(&vdev->memory_lock);
2280 +
2281 + /*
2282 + * If the user is writing mem/io enable (new_mem/io) and we
2283 +@@ -581,8 +600,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
2284 + }
2285 +
2286 + count = vfio_default_config_write(vdev, pos, count, perm, offset, val);
2287 +- if (count < 0)
2288 ++ if (count < 0) {
2289 ++ if (offset == PCI_COMMAND)
2290 ++ up_write(&vdev->memory_lock);
2291 + return count;
2292 ++ }
2293 +
2294 + /*
2295 + * Save current memory/io enable bits in vconfig to allow for
2296 +@@ -593,6 +615,8 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
2297 +
2298 + *virt_cmd &= cpu_to_le16(~mask);
2299 + *virt_cmd |= cpu_to_le16(new_cmd & mask);
2300 ++
2301 ++ up_write(&vdev->memory_lock);
2302 + }
2303 +
2304 + /* Emulate INTx disable */
2305 +@@ -830,8 +854,11 @@ static int vfio_exp_config_write(struct vfio_pci_device *vdev, int pos,
2306 + pos - offset + PCI_EXP_DEVCAP,
2307 + &cap);
2308 +
2309 +- if (!ret && (cap & PCI_EXP_DEVCAP_FLR))
2310 ++ if (!ret && (cap & PCI_EXP_DEVCAP_FLR)) {
2311 ++ vfio_pci_zap_and_down_write_memory_lock(vdev);
2312 + pci_try_reset_function(vdev->pdev);
2313 ++ up_write(&vdev->memory_lock);
2314 ++ }
2315 + }
2316 +
2317 + /*
2318 +@@ -909,8 +936,11 @@ static int vfio_af_config_write(struct vfio_pci_device *vdev, int pos,
2319 + pos - offset + PCI_AF_CAP,
2320 + &cap);
2321 +
2322 +- if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP))
2323 ++ if (!ret && (cap & PCI_AF_CAP_FLR) && (cap & PCI_AF_CAP_TP)) {
2324 ++ vfio_pci_zap_and_down_write_memory_lock(vdev);
2325 + pci_try_reset_function(vdev->pdev);
2326 ++ up_write(&vdev->memory_lock);
2327 ++ }
2328 + }
2329 +
2330 + return count;
2331 +@@ -1708,6 +1738,15 @@ int vfio_config_init(struct vfio_pci_device *vdev)
2332 + vconfig[PCI_INTERRUPT_PIN]);
2333 +
2334 + vconfig[PCI_INTERRUPT_PIN] = 0; /* Gratuitous for good VFs */
2335 ++
2336 ++ /*
2337 ++ * VFs do no implement the memory enable bit of the COMMAND
2338 ++ * register therefore we'll not have it set in our initial
2339 ++ * copy of config space after pci_enable_device(). For
2340 ++ * consistency with PFs, set the virtual enable bit here.
2341 ++ */
2342 ++ *(__le16 *)&vconfig[PCI_COMMAND] |=
2343 ++ cpu_to_le16(PCI_COMMAND_MEMORY);
2344 + }
2345 +
2346 + if (!IS_ENABLED(CONFIG_VFIO_PCI_INTX) || vdev->nointx)
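Review bot: The added comment has a typo, "VFs do no implement"; it should read `* VFs do not implement the memory enable bit of the COMMAND`. Since `__vfio_pci_memory_enabled()` in this same file already returns true for `pdev->is_virtfn`, the comment could also say that this virtual bit only keeps what the user reads consistent and does not gate access for VFs. vfio_config_init() starts and ends outside the hunk.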
2347 +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
2348 +index 94594dc63c417..bdfdd506bc588 100644
2349 +--- a/drivers/vfio/pci/vfio_pci_intrs.c
2350 ++++ b/drivers/vfio/pci/vfio_pci_intrs.c
2351 +@@ -252,6 +252,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
2352 + struct pci_dev *pdev = vdev->pdev;
2353 + unsigned int flag = msix ? PCI_IRQ_MSIX : PCI_IRQ_MSI;
2354 + int ret;
2355 ++ u16 cmd;
2356 +
2357 + if (!is_irq_none(vdev))
2358 + return -EINVAL;
2359 +@@ -261,13 +262,16 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
2360 + return -ENOMEM;
2361 +
2362 + /* return the number of supported vectors if we can't get all: */
2363 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
2364 + ret = pci_alloc_irq_vectors(pdev, 1, nvec, flag);
2365 + if (ret < nvec) {
2366 + if (ret > 0)
2367 + pci_free_irq_vectors(pdev);
2368 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
2369 + kfree(vdev->ctx);
2370 + return ret;
2371 + }
2372 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
2373 +
2374 + vdev->num_ctx = nvec;
2375 + vdev->irq_type = msix ? VFIO_PCI_MSIX_IRQ_INDEX :
2376 +@@ -290,6 +294,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
2377 + struct pci_dev *pdev = vdev->pdev;
2378 + struct eventfd_ctx *trigger;
2379 + int irq, ret;
2380 ++ u16 cmd;
2381 +
2382 + if (vector < 0 || vector >= vdev->num_ctx)
2383 + return -EINVAL;
2384 +@@ -298,7 +303,11 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
2385 +
2386 + if (vdev->ctx[vector].trigger) {
2387 + irq_bypass_unregister_producer(&vdev->ctx[vector].producer);
2388 ++
2389 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
2390 + free_irq(irq, vdev->ctx[vector].trigger);
2391 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
2392 ++
2393 + kfree(vdev->ctx[vector].name);
2394 + eventfd_ctx_put(vdev->ctx[vector].trigger);
2395 + vdev->ctx[vector].trigger = NULL;
2396 +@@ -326,6 +335,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
2397 + * such a reset it would be unsuccessful. To avoid this, restore the
2398 + * cached value of the message prior to enabling.
2399 + */
2400 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
2401 + if (msix) {
2402 + struct msi_msg msg;
2403 +
2404 +@@ -335,6 +345,7 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
2405 +
2406 + ret = request_irq(irq, vfio_msihandler, 0,
2407 + vdev->ctx[vector].name, trigger);
2408 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
2409 + if (ret) {
2410 + kfree(vdev->ctx[vector].name);
2411 + eventfd_ctx_put(trigger);
2412 +@@ -379,6 +390,7 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix)
2413 + {
2414 + struct pci_dev *pdev = vdev->pdev;
2415 + int i;
2416 ++ u16 cmd;
2417 +
2418 + for (i = 0; i < vdev->num_ctx; i++) {
2419 + vfio_virqfd_disable(&vdev->ctx[i].unmask);
2420 +@@ -387,7 +399,9 @@ static void vfio_msi_disable(struct vfio_pci_device *vdev, bool msix)
2421 +
2422 + vfio_msi_set_block(vdev, 0, vdev->num_ctx, NULL, msix);
2423 +
2424 ++ cmd = vfio_pci_memory_lock_and_enable(vdev);
2425 + pci_free_irq_vectors(pdev);
2426 ++ vfio_pci_memory_unlock_and_restore(vdev, cmd);
2427 +
2428 + /*
2429 + * Both disable paths above use pci_intx_for_msi() to clear DisINTx
2430 +diff --git a/drivers/vfio/pci/vfio_pci_private.h b/drivers/vfio/pci/vfio_pci_private.h
2431 +index cde3b5d3441ad..17d2bae5b013c 100644
2432 +--- a/drivers/vfio/pci/vfio_pci_private.h
2433 ++++ b/drivers/vfio/pci/vfio_pci_private.h
2434 +@@ -76,6 +76,11 @@ struct vfio_pci_dummy_resource {
2435 + struct list_head res_next;
2436 + };
2437 +
2438 ++struct vfio_pci_mmap_vma {
2439 ++ struct vm_area_struct *vma;
2440 ++ struct list_head vma_next;
2441 ++};
2442 ++
2443 + struct vfio_pci_device {
2444 + struct pci_dev *pdev;
2445 + void __iomem *barmap[PCI_STD_RESOURCE_END + 1];
2446 +@@ -111,6 +116,9 @@ struct vfio_pci_device {
2447 + struct list_head dummy_resources_list;
2448 + struct mutex ioeventfds_lock;
2449 + struct list_head ioeventfds_list;
2450 ++ struct mutex vma_lock;
2451 ++ struct list_head vma_list;
2452 ++ struct rw_semaphore memory_lock;
2453 + };
2454 +
2455 + #define is_intx(vdev) (vdev->irq_type == VFIO_PCI_INTX_IRQ_INDEX)
2456 +@@ -149,6 +157,14 @@ extern int vfio_pci_register_dev_region(struct vfio_pci_device *vdev,
2457 + unsigned int type, unsigned int subtype,
2458 + const struct vfio_pci_regops *ops,
2459 + size_t size, u32 flags, void *data);
2460 ++
2461 ++extern bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev);
2462 ++extern void vfio_pci_zap_and_down_write_memory_lock(struct vfio_pci_device
2463 ++ *vdev);
2464 ++extern u16 vfio_pci_memory_lock_and_enable(struct vfio_pci_device *vdev);
2465 ++extern void vfio_pci_memory_unlock_and_restore(struct vfio_pci_device *vdev,
2466 ++ u16 cmd);
2467 ++
2468 + #ifdef CONFIG_VFIO_PCI_IGD
2469 + extern int vfio_pci_igd_init(struct vfio_pci_device *vdev);
2470 + #else
2471 +diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
2472 +index a6029d0a55244..3d0ec2bbe131f 100644
2473 +--- a/drivers/vfio/pci/vfio_pci_rdwr.c
2474 ++++ b/drivers/vfio/pci/vfio_pci_rdwr.c
2475 +@@ -165,6 +165,7 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
2476 + size_t x_start = 0, x_end = 0;
2477 + resource_size_t end;
2478 + void __iomem *io;
2479 ++ struct resource *res = &vdev->pdev->resource[bar];
2480 + ssize_t done;
2481 +
2482 + if (pci_resource_start(pdev, bar))
2483 +@@ -180,6 +181,14 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
2484 +
2485 + count = min(count, (size_t)(end - pos));
2486 +
2487 ++ if (res->flags & IORESOURCE_MEM) {
2488 ++ down_read(&vdev->memory_lock);
2489 ++ if (!__vfio_pci_memory_enabled(vdev)) {
2490 ++ up_read(&vdev->memory_lock);
2491 ++ return -EIO;
2492 ++ }
2493 ++ }
2494 ++
2495 + if (bar == PCI_ROM_RESOURCE) {
2496 + /*
2497 + * The ROM can fill less space than the BAR, so we start the
2498 +@@ -187,13 +196,17 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
2499 + * filling large ROM BARs much faster.
2500 + */
2501 + io = pci_map_rom(pdev, &x_start);
2502 +- if (!io)
2503 +- return -ENOMEM;
2504 ++ if (!io) {
2505 ++ done = -ENOMEM;
2506 ++ goto out;
2507 ++ }
2508 + x_end = end;
2509 + } else {
2510 + int ret = vfio_pci_setup_barmap(vdev, bar);
2511 +- if (ret)
2512 +- return ret;
2513 ++ if (ret) {
2514 ++ done = ret;
2515 ++ goto out;
2516 ++ }
2517 +
2518 + io = vdev->barmap[bar];
2519 + }
2520 +@@ -210,6 +223,9 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_device *vdev, char __user *buf,
2521 +
2522 + if (bar == PCI_ROM_RESOURCE)
2523 + pci_unmap_rom(pdev, io);
2524 ++out:
2525 ++ if (res->flags & IORESOURCE_MEM)
2526 ++ up_read(&vdev->memory_lock);
2527 +
2528 + return done;
2529 + }
2530 +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
2531 +index 52083b710b87e..05d8553635ee7 100644
2532 +--- a/drivers/vfio/vfio_iommu_type1.c
2533 ++++ b/drivers/vfio/vfio_iommu_type1.c
2534 +@@ -343,6 +343,32 @@ static int put_pfn(unsigned long pfn, int prot)
2535 + return 0;
2536 + }
2537 +
2538 ++static int follow_fault_pfn(struct vm_area_struct *vma, struct mm_struct *mm,
2539 ++ unsigned long vaddr, unsigned long *pfn,
2540 ++ bool write_fault)
2541 ++{
2542 ++ int ret;
2543 ++
2544 ++ ret = follow_pfn(vma, vaddr, pfn);
2545 ++ if (ret) {
2546 ++ bool unlocked = false;
2547 ++
2548 ++ ret = fixup_user_fault(NULL, mm, vaddr,
2549 ++ FAULT_FLAG_REMOTE |
2550 ++ (write_fault ? FAULT_FLAG_WRITE : 0),
2551 ++ &unlocked);
2552 ++ if (unlocked)
2553 ++ return -EAGAIN;
2554 ++
2555 ++ if (ret)
2556 ++ return ret;
2557 ++
2558 ++ ret = follow_pfn(vma, vaddr, pfn);
2559 ++ }
2560 ++
2561 ++ return ret;
2562 ++}
2563 ++
2564 + static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
2565 + int prot, unsigned long *pfn)
2566 + {
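Review bot: `follow_fault_pfn()` has no comment describing its locking contract, and the contract is not obvious from the body. It passes `&unlocked` to fixup_user_fault() and returns -EAGAIN when that flag comes back set. Presumably this means mmap_sem was dropped and retaken, so the `vma` pointer passed in can no longer be trusted, which would explain why vaddr_get_pfn() jumps back to `retry:` and looks the vma up again in the next hunk. I would add a header comment along the lines of `/* Caller holds mm->mmap_sem for read. Returns -EAGAIN if the lock was dropped while faulting; the caller must look up the vma again. */`.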
2567 +@@ -382,12 +408,16 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr,
2568 +
2569 + down_read(&mm->mmap_sem);
2570 +
2571 ++retry:
2572 + vma = find_vma_intersection(mm, vaddr, vaddr + 1);
2573 +
2574 + if (vma && vma->vm_flags & VM_PFNMAP) {
2575 +- if (!follow_pfn(vma, vaddr, pfn) &&
2576 +- is_invalid_reserved_pfn(*pfn))
2577 +- ret = 0;
2578 ++ ret = follow_fault_pfn(vma, mm, vaddr, pfn, prot & IOMMU_WRITE);
2579 ++ if (ret == -EAGAIN)
2580 ++ goto retry;
2581 ++
2582 ++ if (!ret && !is_invalid_reserved_pfn(*pfn))
2583 ++ ret = -EFAULT;
2584 + }
2585 +
2586 + up_read(&mm->mmap_sem);
2587 +diff --git a/drivers/xen/xenbus/xenbus_client.c b/drivers/xen/xenbus/xenbus_client.c
2588 +index e94a61eaeceb0..f7b553faadb10 100644
2589 +--- a/drivers/xen/xenbus/xenbus_client.c
2590 ++++ b/drivers/xen/xenbus/xenbus_client.c
2591 +@@ -365,8 +365,14 @@ int xenbus_grant_ring(struct xenbus_device *dev, void *vaddr,
2592 + int i, j;
2593 +
2594 + for (i = 0; i < nr_pages; i++) {
2595 +- err = gnttab_grant_foreign_access(dev->otherend_id,
2596 +- virt_to_gfn(vaddr), 0);
2597 ++ unsigned long gfn;
2598 ++
2599 ++ if (is_vmalloc_addr(vaddr))
2600 ++ gfn = pfn_to_gfn(vmalloc_to_pfn(vaddr));
2601 ++ else
2602 ++ gfn = virt_to_gfn(vaddr);
2603 ++
2604 ++ err = gnttab_grant_foreign_access(dev->otherend_id, gfn, 0);
2605 + if (err < 0) {
2606 + xenbus_dev_fatal(dev, err,
2607 + "granting access to ring page");
2608 +diff --git a/fs/affs/amigaffs.c b/fs/affs/amigaffs.c
2609 +index 14a6c1b90c9fb..9a1e761b64a2b 100644
2610 +--- a/fs/affs/amigaffs.c
2611 ++++ b/fs/affs/amigaffs.c
2612 +@@ -420,24 +420,51 @@ affs_mode_to_prot(struct inode *inode)
2613 + u32 prot = AFFS_I(inode)->i_protect;
2614 + umode_t mode = inode->i_mode;
2615 +
2616 ++ /*
2617 ++ * First, clear all RWED bits for owner, group, other.
2618 ++ * Then, recalculate them afresh.
2619 ++ *
2620 ++ * We'll always clear the delete-inhibit bit for the owner, as that is
2621 ++ * the classic single-user mode AmigaOS protection bit and we need to
2622 ++ * stay compatible with all scenarios.
2623 ++ *
2624 ++ * Since multi-user AmigaOS is an extension, we'll only set the
2625 ++ * delete-allow bit if any of the other bits in the same user class
2626 ++ * (group/other) are used.
2627 ++ */
2628 ++ prot &= ~(FIBF_NOEXECUTE | FIBF_NOREAD
2629 ++ | FIBF_NOWRITE | FIBF_NODELETE
2630 ++ | FIBF_GRP_EXECUTE | FIBF_GRP_READ
2631 ++ | FIBF_GRP_WRITE | FIBF_GRP_DELETE
2632 ++ | FIBF_OTR_EXECUTE | FIBF_OTR_READ
2633 ++ | FIBF_OTR_WRITE | FIBF_OTR_DELETE);
2634 ++
2635 ++ /* Classic single-user AmigaOS flags. These are inverted. */
2636 + if (!(mode & 0100))
2637 + prot |= FIBF_NOEXECUTE;
2638 + if (!(mode & 0400))
2639 + prot |= FIBF_NOREAD;
2640 + if (!(mode & 0200))
2641 + prot |= FIBF_NOWRITE;
2642 ++
2643 ++ /* Multi-user extended flags. Not inverted. */
2644 + if (mode & 0010)
2645 + prot |= FIBF_GRP_EXECUTE;
2646 + if (mode & 0040)
2647 + prot |= FIBF_GRP_READ;
2648 + if (mode & 0020)
2649 + prot |= FIBF_GRP_WRITE;
2650 ++ if (mode & 0070)
2651 ++ prot |= FIBF_GRP_DELETE;
2652 ++
2653 + if (mode & 0001)
2654 + prot |= FIBF_OTR_EXECUTE;
2655 + if (mode & 0004)
2656 + prot |= FIBF_OTR_READ;
2657 + if (mode & 0002)
2658 + prot |= FIBF_OTR_WRITE;
2659 ++ if (mode & 0007)
2660 ++ prot |= FIBF_OTR_DELETE;
2661 +
2662 + AFFS_I(inode)->i_protect = prot;
2663 + }
2664 +diff --git a/fs/affs/file.c b/fs/affs/file.c
2665 +index a85817f54483f..ba084b0b214b9 100644
2666 +--- a/fs/affs/file.c
2667 ++++ b/fs/affs/file.c
2668 +@@ -428,6 +428,24 @@ static int affs_write_begin(struct file *file, struct address_space *mapping,
2669 + return ret;
2670 + }
2671 +
2672 ++static int affs_write_end(struct file *file, struct address_space *mapping,
2673 ++ loff_t pos, unsigned int len, unsigned int copied,
2674 ++ struct page *page, void *fsdata)
2675 ++{
2676 ++ struct inode *inode = mapping->host;
2677 ++ int ret;
2678 ++
2679 ++ ret = generic_write_end(file, mapping, pos, len, copied, page, fsdata);
2680 ++
2681 ++ /* Clear Archived bit on file writes, as AmigaOS would do */
2682 ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) {
2683 ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED;
2684 ++ mark_inode_dirty(inode);
2685 ++ }
2686 ++
2687 ++ return ret;
2688 ++}
2689 ++
2690 + static sector_t _affs_bmap(struct address_space *mapping, sector_t block)
2691 + {
2692 + return generic_block_bmap(mapping,block,affs_get_block);
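Review bot: `affs_write_end` clears `FIBF_ARCHIVED` and dirties the inode without looking at `ret`, so the bit is dropped even if `generic_write_end` reports that nothing was copied. If that case should leave the protection bits alone, guard it with `if (ret > 0 && (AFFS_I(inode)->i_protect & FIBF_ARCHIVED))`; otherwise a one-line comment saying the clear is deliberately unconditional would help. The same four-line block is repeated at the `done:` label in the third hunk of this file, so a small static helper would keep the two copies from drifting apart.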
2693 +@@ -437,7 +455,7 @@ const struct address_space_operations affs_aops = {
2694 + .readpage = affs_readpage,
2695 + .writepage = affs_writepage,
2696 + .write_begin = affs_write_begin,
2697 +- .write_end = generic_write_end,
2698 ++ .write_end = affs_write_end,
2699 + .direct_IO = affs_direct_IO,
2700 + .bmap = _affs_bmap
2701 + };
2702 +@@ -794,6 +812,12 @@ done:
2703 + if (tmp > inode->i_size)
2704 + inode->i_size = AFFS_I(inode)->mmu_private = tmp;
2705 +
2706 ++ /* Clear Archived bit on file writes, as AmigaOS would do */
2707 ++ if (AFFS_I(inode)->i_protect & FIBF_ARCHIVED) {
2708 ++ AFFS_I(inode)->i_protect &= ~FIBF_ARCHIVED;
2709 ++ mark_inode_dirty(inode);
2710 ++ }
2711 ++
2712 + err_first_bh:
2713 + unlock_page(page);
2714 + put_page(page);
2715 +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
2716 +index c9943d70e2cb2..8007b6aacec60 100644
2717 +--- a/fs/btrfs/ctree.c
2718 ++++ b/fs/btrfs/ctree.c
2719 +@@ -1347,7 +1347,8 @@ tree_mod_log_rewind(struct btrfs_fs_info *fs_info, struct btrfs_path *path,
2720 + btrfs_tree_read_unlock_blocking(eb);
2721 + free_extent_buffer(eb);
2722 +
2723 +- extent_buffer_get(eb_rewin);
2724 ++ btrfs_set_buffer_lockdep_class(btrfs_header_owner(eb_rewin),
2725 ++ eb_rewin, btrfs_header_level(eb_rewin));
2726 + btrfs_tree_read_lock(eb_rewin);
2727 + __tree_mod_log_rewind(fs_info, eb_rewin, time_seq, tm);
2728 + WARN_ON(btrfs_header_nritems(eb_rewin) >
2729 +@@ -1421,8 +1422,6 @@ get_old_root(struct btrfs_root *root, u64 time_seq)
2730 +
2731 + if (!eb)
2732 + return NULL;
2733 +- extent_buffer_get(eb);
2734 +- btrfs_tree_read_lock(eb);
2735 + if (old_root) {
2736 + btrfs_set_header_bytenr(eb, eb->start);
2737 + btrfs_set_header_backref_rev(eb, BTRFS_MIXED_BACKREF_REV);
2738 +@@ -1430,6 +1429,9 @@ get_old_root(struct btrfs_root *root, u64 time_seq)
2739 + btrfs_set_header_level(eb, old_root->level);
2740 + btrfs_set_header_generation(eb, old_generation);
2741 + }
2742 ++ btrfs_set_buffer_lockdep_class(btrfs_header_owner(eb), eb,
2743 ++ btrfs_header_level(eb));
2744 ++ btrfs_tree_read_lock(eb);
2745 + if (tm)
2746 + __tree_mod_log_rewind(fs_info, eb, time_seq, tm);
2747 + else
2748 +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
2749 +index fbcd18d96c524..82d597b16152c 100644
2750 +--- a/fs/btrfs/extent_io.c
2751 ++++ b/fs/btrfs/extent_io.c
2752 +@@ -5377,9 +5377,9 @@ void read_extent_buffer(const struct extent_buffer *eb, void *dstv,
2753 + }
2754 + }
2755 +
2756 +-int read_extent_buffer_to_user(const struct extent_buffer *eb,
2757 +- void __user *dstv,
2758 +- unsigned long start, unsigned long len)
2759 ++int read_extent_buffer_to_user_nofault(const struct extent_buffer *eb,
2760 ++ void __user *dstv,
2761 ++ unsigned long start, unsigned long len)
2762 + {
2763 + size_t cur;
2764 + size_t offset;
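Review bot: The renamed `read_extent_buffer_to_user_nofault` has no comment describing its new contract. With `probe_user_write` in the next hunk, a destination page that is valid but not resident now yields `-EFAULT`, which callers of the old name did not have to expect. I would add a short comment above the function, e.g. `/* Never faults pages in: returns -EFAULT if the user page is not resident; the caller must fault the range in and retry. */`. The function body continues outside this hunk.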
2765 +@@ -5400,7 +5400,7 @@ int read_extent_buffer_to_user(const struct extent_buffer *eb,
2766 +
2767 + cur = min(len, (PAGE_SIZE - offset));
2768 + kaddr = page_address(page);
2769 +- if (copy_to_user(dst, kaddr + offset, cur)) {
2770 ++ if (probe_user_write(dst, kaddr + offset, cur)) {
2771 + ret = -EFAULT;
2772 + break;
2773 + }
2774 +diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h
2775 +index a3598b24441e1..d5089cadd7c49 100644
2776 +--- a/fs/btrfs/extent_io.h
2777 ++++ b/fs/btrfs/extent_io.h
2778 +@@ -448,9 +448,9 @@ int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
2779 + void read_extent_buffer(const struct extent_buffer *eb, void *dst,
2780 + unsigned long start,
2781 + unsigned long len);
2782 +-int read_extent_buffer_to_user(const struct extent_buffer *eb,
2783 +- void __user *dst, unsigned long start,
2784 +- unsigned long len);
2785 ++int read_extent_buffer_to_user_nofault(const struct extent_buffer *eb,
2786 ++ void __user *dst, unsigned long start,
2787 ++ unsigned long len);
2788 + void write_extent_buffer_fsid(struct extent_buffer *eb, const void *src);
2789 + void write_extent_buffer_chunk_tree_uuid(struct extent_buffer *eb,
2790 + const void *src);
2791 +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
2792 +index a5ae02bf3652b..85990755edd90 100644
2793 +--- a/fs/btrfs/ioctl.c
2794 ++++ b/fs/btrfs/ioctl.c
2795 +@@ -2079,9 +2079,14 @@ static noinline int copy_to_sk(struct btrfs_path *path,
2796 + sh.len = item_len;
2797 + sh.transid = found_transid;
2798 +
2799 +- /* copy search result header */
2800 +- if (copy_to_user(ubuf + *sk_offset, &sh, sizeof(sh))) {
2801 +- ret = -EFAULT;
2802 ++ /*
2803 ++ * Copy search result header. If we fault then loop again so we
2804 ++ * can fault in the pages and -EFAULT there if there's a
2805 ++ * problem. Otherwise we'll fault and then copy the buffer in
2806 ++ * properly this next time through
2807 ++ */
2808 ++ if (probe_user_write(ubuf + *sk_offset, &sh, sizeof(sh))) {
2809 ++ ret = 0;
2810 + goto out;
2811 + }
2812 +
2813 +@@ -2089,10 +2094,14 @@ static noinline int copy_to_sk(struct btrfs_path *path,
2814 +
2815 + if (item_len) {
2816 + char __user *up = ubuf + *sk_offset;
2817 +- /* copy the item */
2818 +- if (read_extent_buffer_to_user(leaf, up,
2819 +- item_off, item_len)) {
2820 +- ret = -EFAULT;
2821 ++ /*
2822 ++ * Copy the item, same behavior as above, but reset the
2823 ++ * * sk_offset so we copy the full thing again.
2824 ++ */
2825 ++ if (read_extent_buffer_to_user_nofault(leaf, up,
2826 ++ item_off, item_len)) {
2827 ++ ret = 0;
2828 ++ *sk_offset -= sizeof(sh);
2829 + goto out;
2830 + }
2831 +
2832 +@@ -2180,6 +2189,10 @@ static noinline int search_ioctl(struct inode *inode,
2833 + key.offset = sk->min_offset;
2834 +
2835 + while (1) {
2836 ++ ret = fault_in_pages_writeable(ubuf, *buf_size - sk_offset);
2837 ++ if (ret)
2838 ++ break;
2839 ++
2840 + ret = btrfs_search_forward(root, &key, path, sk->min_transid);
2841 + if (ret != 0) {
2842 + if (ret > 0)
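Review bot: `fault_in_pages_writeable(ubuf, *buf_size - sk_offset)` pre-faults a range that starts at the base of the user buffer, while `copy_to_sk` writes at `ubuf + *sk_offset`. Once `sk_offset` is non-zero, the faulted-in range ends before the region the next copy targets. Because `copy_to_sk` now returns 0 when `probe_user_write` fails, the loop may keep retrying without ever making that page resident. The call should read `ret = fault_in_pages_writeable(ubuf + sk_offset, *buf_size - sk_offset);`. The rest of `search_ioctl` lies outside the hunk, so the loop's other exit conditions are not visible here.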
2843 +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
2844 +index 4abb2a155ac5b..498ec4b10e610 100644
2845 +--- a/fs/btrfs/volumes.c
2846 ++++ b/fs/btrfs/volumes.c
2847 +@@ -4172,6 +4172,7 @@ static int btrfs_uuid_scan_kthread(void *data)
2848 + goto skip;
2849 + }
2850 + update_tree:
2851 ++ btrfs_release_path(path);
2852 + if (!btrfs_is_empty_uuid(root_item.uuid)) {
2853 + ret = btrfs_uuid_tree_add(trans, root_item.uuid,
2854 + BTRFS_UUID_KEY_SUBVOL,
2855 +@@ -4196,6 +4197,7 @@ update_tree:
2856 + }
2857 +
2858 + skip:
2859 ++ btrfs_release_path(path);
2860 + if (trans) {
2861 + ret = btrfs_end_transaction(trans);
2862 + trans = NULL;
2863 +@@ -4203,7 +4205,6 @@ skip:
2864 + break;
2865 + }
2866 +
2867 +- btrfs_release_path(path);
2868 + if (key.offset < (u64)-1) {
2869 + key.offset++;
2870 + } else if (key.type < BTRFS_ROOT_ITEM_KEY) {
2871 +diff --git a/fs/ceph/file.c b/fs/ceph/file.c
2872 +index faca455bd3c69..4ce2752c8b71c 100644
2873 +--- a/fs/ceph/file.c
2874 ++++ b/fs/ceph/file.c
2875 +@@ -1819,6 +1819,7 @@ const struct file_operations ceph_file_fops = {
2876 + .mmap = ceph_mmap,
2877 + .fsync = ceph_fsync,
2878 + .lock = ceph_lock,
2879 ++ .setlease = simple_nosetlease,
2880 + .flock = ceph_flock,
2881 + .splice_read = generic_file_splice_read,
2882 + .splice_write = iter_file_splice_write,
2883 +diff --git a/fs/eventpoll.c b/fs/eventpoll.c
2884 +index f988ccd064a22..61a52bb26d127 100644
2885 +--- a/fs/eventpoll.c
2886 ++++ b/fs/eventpoll.c
2887 +@@ -1891,9 +1891,9 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests)
2888 + * during ep_insert().
2889 + */
2890 + if (list_empty(&epi->ffd.file->f_tfile_llink)) {
2891 +- get_file(epi->ffd.file);
2892 +- list_add(&epi->ffd.file->f_tfile_llink,
2893 +- &tfile_check_list);
2894 ++ if (get_file_rcu(epi->ffd.file))
2895 ++ list_add(&epi->ffd.file->f_tfile_llink,
2896 ++ &tfile_check_list);
2897 + }
2898 + }
2899 + }
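Review bot: The switch to `if (get_file_rcu(epi->ffd.file))` silently skips the file when the reference cannot be taken, and nothing in the hunk says why that is safe. A comment such as `/* file is already being released; do not add it to tfile_check_list */` above the call would record the intent, assuming that is the case being handled. The enclosing `ep_loop_check_proc` starts and ends outside the hunk.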
2900 +diff --git a/fs/ext2/file.c b/fs/ext2/file.c
2901 +index 28b2609f25c1c..d39d90c1b6709 100644
2902 +--- a/fs/ext2/file.c
2903 ++++ b/fs/ext2/file.c
2904 +@@ -93,8 +93,10 @@ static vm_fault_t ext2_dax_fault(struct vm_fault *vmf)
2905 + struct inode *inode = file_inode(vmf->vma->vm_file);
2906 + struct ext2_inode_info *ei = EXT2_I(inode);
2907 + vm_fault_t ret;
2908 ++ bool write = (vmf->flags & FAULT_FLAG_WRITE) &&
2909 ++ (vmf->vma->vm_flags & VM_SHARED);
2910 +
2911 +- if (vmf->flags & FAULT_FLAG_WRITE) {
2912 ++ if (write) {
2913 + sb_start_pagefault(inode->i_sb);
2914 + file_update_time(vmf->vma->vm_file);
2915 + }
2916 +@@ -103,7 +105,7 @@ static vm_fault_t ext2_dax_fault(struct vm_fault *vmf)
2917 + ret = dax_iomap_fault(vmf, PE_SIZE_PTE, NULL, NULL, &ext2_iomap_ops);
2918 +
2919 + up_read(&ei->dax_sem);
2920 +- if (vmf->flags & FAULT_FLAG_WRITE)
2921 ++ if (write)
2922 + sb_end_pagefault(inode->i_sb);
2923 + return ret;
2924 + }
2925 +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
2926 +index 2652d00842d6b..087a5715cf20e 100644
2927 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c
2928 ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c
2929 +@@ -935,8 +935,10 @@ xfs_attr_shortform_verify(
2930 + * struct xfs_attr_sf_entry has a variable length.
2931 + * Check the fixed-offset parts of the structure are
2932 + * within the data buffer.
2933 ++ * xfs_attr_sf_entry is defined with a 1-byte variable
2934 ++ * array at the end, so we must subtract that off.
2935 + */
2936 +- if (((char *)sfep + sizeof(*sfep)) >= endp)
2937 ++ if (((char *)sfep + sizeof(*sfep) - 1) >= endp)
2938 + return __this_address;
2939 +
2940 + /* Don't allow names with known bad length. */
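Review bot: `sizeof(*sfep) - 1` hard-codes the size of the trailing one-byte array, so the bounds check would silently go wrong if that member's declaration ever changed. Expressing the fixed part directly, `if (((char *)sfep + offsetof(struct xfs_attr_sf_entry, nameval)) >= endp)`, says what is being checked without the magic constant. This assumes the trailing member is named `nameval`; the struct definition is not in the hunk. `xfs_attr_shortform_verify` continues outside the hunk.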
2941 +diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
2942 +index 0b7145fdb8aa1..f35e1801f1c90 100644
2943 +--- a/fs/xfs/libxfs/xfs_bmap.c
2944 ++++ b/fs/xfs/libxfs/xfs_bmap.c
2945 +@@ -6130,7 +6130,7 @@ xfs_bmap_validate_extent(
2946 +
2947 + isrt = XFS_IS_REALTIME_INODE(ip);
2948 + endfsb = irec->br_startblock + irec->br_blockcount - 1;
2949 +- if (isrt) {
2950 ++ if (isrt && whichfork == XFS_DATA_FORK) {
2951 + if (!xfs_verify_rtbno(mp, irec->br_startblock))
2952 + return __this_address;
2953 + if (!xfs_verify_rtbno(mp, endfsb))
2954 +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
2955 +index 259549698ba7e..f22acfd53850b 100644
2956 +--- a/fs/xfs/xfs_file.c
2957 ++++ b/fs/xfs/xfs_file.c
2958 +@@ -1095,6 +1095,14 @@ __xfs_filemap_fault(
2959 + return ret;
2960 + }
2961 +
2962 ++static inline bool
2963 ++xfs_is_write_fault(
2964 ++ struct vm_fault *vmf)
2965 ++{
2966 ++ return (vmf->flags & FAULT_FLAG_WRITE) &&
2967 ++ (vmf->vma->vm_flags & VM_SHARED);
2968 ++}
2969 ++
2970 + static vm_fault_t
2971 + xfs_filemap_fault(
2972 + struct vm_fault *vmf)
2973 +@@ -1102,7 +1110,7 @@ xfs_filemap_fault(
2974 + /* DAX can shortcut the normal fault path on write faults! */
2975 + return __xfs_filemap_fault(vmf, PE_SIZE_PTE,
2976 + IS_DAX(file_inode(vmf->vma->vm_file)) &&
2977 +- (vmf->flags & FAULT_FLAG_WRITE));
2978 ++ xfs_is_write_fault(vmf));
2979 + }
2980 +
2981 + static vm_fault_t
2982 +@@ -1115,7 +1123,7 @@ xfs_filemap_huge_fault(
2983 +
2984 + /* DAX can shortcut the normal fault path on write faults! */
2985 + return __xfs_filemap_fault(vmf, pe_size,
2986 +- (vmf->flags & FAULT_FLAG_WRITE));
2987 ++ xfs_is_write_fault(vmf));
2988 + }
2989 +
2990 + static vm_fault_t
2991 +diff --git a/include/linux/bvec.h b/include/linux/bvec.h
2992 +index fe7a22dd133b5..bc1f16e9f3f4d 100644
2993 +--- a/include/linux/bvec.h
2994 ++++ b/include/linux/bvec.h
2995 +@@ -119,11 +119,18 @@ static inline bool bvec_iter_rewind(const struct bio_vec *bv,
2996 + return true;
2997 + }
2998 +
2999 ++static inline void bvec_iter_skip_zero_bvec(struct bvec_iter *iter)
3000 ++{
3001 ++ iter->bi_bvec_done = 0;
3002 ++ iter->bi_idx++;
3003 ++}
3004 ++
3005 + #define for_each_bvec(bvl, bio_vec, iter, start) \
3006 + for (iter = (start); \
3007 + (iter).bi_size && \
3008 + ((bvl = bvec_iter_bvec((bio_vec), (iter))), 1); \
3009 +- bvec_iter_advance((bio_vec), &(iter), (bvl).bv_len))
3010 ++ (bvl).bv_len ? (void)bvec_iter_advance((bio_vec), &(iter), \
3011 ++ (bvl).bv_len) : bvec_iter_skip_zero_bvec(&(iter)))
3012 +
3013 + /* for iterating one bio from start to end */
3014 + #define BVEC_ITER_ALL_INIT (struct bvec_iter) \
3015 +diff --git a/include/linux/hid.h b/include/linux/hid.h
3016 +index 8506637f070d1..a46b6832b3733 100644
3017 +--- a/include/linux/hid.h
3018 ++++ b/include/linux/hid.h
3019 +@@ -956,34 +956,49 @@ static inline void hid_device_io_stop(struct hid_device *hid) {
3020 + * @max: maximal valid usage->code to consider later (out parameter)
3021 + * @type: input event type (EV_KEY, EV_REL, ...)
3022 + * @c: code which corresponds to this usage and type
3023 ++ *
3024 ++ * The value pointed to by @bit will be set to NULL if either @type is
3025 ++ * an unhandled event type, or if @c is out of range for @type. This
3026 ++ * can be used as an error condition.
3027 + */
3028 + static inline void hid_map_usage(struct hid_input *hidinput,
3029 + struct hid_usage *usage, unsigned long **bit, int *max,
3030 +- __u8 type, __u16 c)
3031 ++ __u8 type, unsigned int c)
3032 + {
3033 + struct input_dev *input = hidinput->input;
3034 +-
3035 +- usage->type = type;
3036 +- usage->code = c;
3037 ++ unsigned long *bmap = NULL;
3038 ++ unsigned int limit = 0;
3039 +
3040 + switch (type) {
3041 + case EV_ABS:
3042 +- *bit = input->absbit;
3043 +- *max = ABS_MAX;
3044 ++ bmap = input->absbit;
3045 ++ limit = ABS_MAX;
3046 + break;
3047 + case EV_REL:
3048 +- *bit = input->relbit;
3049 +- *max = REL_MAX;
3050 ++ bmap = input->relbit;
3051 ++ limit = REL_MAX;
3052 + break;
3053 + case EV_KEY:
3054 +- *bit = input->keybit;
3055 +- *max = KEY_MAX;
3056 ++ bmap = input->keybit;
3057 ++ limit = KEY_MAX;
3058 + break;
3059 + case EV_LED:
3060 +- *bit = input->ledbit;
3061 +- *max = LED_MAX;
3062 ++ bmap = input->ledbit;
3063 ++ limit = LED_MAX;
3064 + break;
3065 + }
3066 ++
3067 ++ if (unlikely(c > limit || !bmap)) {
3068 ++ pr_warn_ratelimited("%s: Invalid code %d type %d\n",
3069 ++ input->name, c, type);
3070 ++ *bit = NULL;
3071 ++ return;
3072 ++ }
3073 ++
3074 ++ usage->type = type;
3075 ++ usage->code = c;
3076 ++ *max = limit;
3077 ++ *bit = bmap;
3078 + }
3079 +
3080 + /**
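Review bot: On the new error path `hid_map_usage` returns with `*max` unwritten and `usage->type`/`usage->code` unchanged, but the added kernel-doc only mentions `@bit`. A caller that reads `*max` or `usage->code` without first testing `*bit` would act on stale values, so the comment should also say that `@max` and `@usage` are left untouched on failure. Separately, `c` is now `unsigned int` while the warning still formats it with `%d`; `"%s: Invalid code %u type %d\n"` matches the argument types.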
3081 +@@ -997,7 +1012,8 @@ static inline void hid_map_usage_clear(struct hid_input *hidinput,
3082 + __u8 type, __u16 c)
3083 + {
3084 + hid_map_usage(hidinput, usage, bit, max, type, c);
3085 +- clear_bit(c, *bit);
3086 ++ if (*bit)
3087 ++ clear_bit(usage->code, *bit);
3088 + }
3089 +
3090 + /**
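Review bot: `hid_map_usage_clear` still declares `__u16 c`, so a wider value is truncated to 16 bits before it reaches the range check added in `hid_map_usage`. Changing the parameter to `unsigned int c` to match would let the check see the caller's original value. Whether any caller passes a wider code is not visible from this hunk.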
3091 +diff --git a/include/linux/libata.h b/include/linux/libata.h
3092 +index ed1453c15041d..afc1d72161ba5 100644
3093 +--- a/include/linux/libata.h
3094 ++++ b/include/linux/libata.h
3095 +@@ -439,6 +439,7 @@ enum {
3096 + ATA_HORKAGE_NO_DMA_LOG = (1 << 23), /* don't use DMA for log read */
3097 + ATA_HORKAGE_NOTRIM = (1 << 24), /* don't use TRIM */
3098 + ATA_HORKAGE_MAX_SEC_1024 = (1 << 25), /* Limit max sects to 1024 */
3099 ++ ATA_HORKAGE_MAX_TRIM_128M = (1 << 26), /* Limit max trim size to 128M */
3100 +
3101 + /* DMA mask for user DMA control: User visible values; DO NOT
3102 + renumber */
3103 +diff --git a/include/linux/log2.h b/include/linux/log2.h
3104 +index 2af7f77866d03..78496801cddf0 100644
3105 +--- a/include/linux/log2.h
3106 ++++ b/include/linux/log2.h
3107 +@@ -177,7 +177,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n)
3108 + #define roundup_pow_of_two(n) \
3109 + ( \
3110 + __builtin_constant_p(n) ? ( \
3111 +- (n == 1) ? 1 : \
3112 ++ ((n) == 1) ? 1 : \
3113 + (1UL << (ilog2((n) - 1) + 1)) \
3114 + ) : \
3115 + __roundup_pow_of_two(n) \
3116 +diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
3117 +index cf09ab37b45b7..e713476ff29db 100644
3118 +--- a/include/linux/netfilter/nfnetlink.h
3119 ++++ b/include/linux/netfilter/nfnetlink.h
3120 +@@ -43,8 +43,7 @@ int nfnetlink_has_listeners(struct net *net, unsigned int group);
3121 + int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid,
3122 + unsigned int group, int echo, gfp_t flags);
3123 + int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error);
3124 +-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
3125 +- int flags);
3126 ++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid);
3127 +
3128 + static inline u16 nfnl_msg_type(u8 subsys, u8 msg_type)
3129 + {
3130 +diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
3131 +index d55b68b113de1..db9b0dd0a7a3b 100644
3132 +--- a/include/linux/uaccess.h
3133 ++++ b/include/linux/uaccess.h
3134 +@@ -242,6 +242,17 @@ static inline unsigned long __copy_from_user_inatomic_nocache(void *to,
3135 + extern long probe_kernel_read(void *dst, const void *src, size_t size);
3136 + extern long __probe_kernel_read(void *dst, const void *src, size_t size);
3137 +
3138 ++/*
3139 ++ * probe_user_read(): safely attempt to read from a location in user space
3140 ++ * @dst: pointer to the buffer that shall take the data
3141 ++ * @src: address to read from
3142 ++ * @size: size of the data chunk
3143 ++ *
3144 ++ * Safely read from address @src to the buffer at @dst. If a kernel fault
3145 ++ * happens, handle that and return -EFAULT.
3146 ++ */
3147 ++extern long probe_user_read(void *dst, const void __user *src, size_t size);
3148 ++
3149 + /*
3150 + * probe_kernel_write(): safely attempt to write to a location
3151 + * @dst: address to write to
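Review bot: Only `probe_user_read` is declared here, while the next hunk declares both `probe_user_write` and `__probe_user_write`. mm/maccess.c in this patch defines a non-static `__probe_user_read` as the alias target, so that definition has no prototype. Adding `extern long __probe_user_read(void *dst, const void __user *src, size_t size);` would keep the read and write sides parallel.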
3152 +@@ -254,7 +265,22 @@ extern long __probe_kernel_read(void *dst, const void *src, size_t size);
3153 + extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
3154 + extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
3155 +
3156 ++/*
3157 ++ * probe_user_write(): safely attempt to write to a location in user space
3158 ++ * @dst: address to write to
3159 ++ * @src: pointer to the data that shall be written
3160 ++ * @size: size of the data chunk
3161 ++ *
3162 ++ * Safely write to address @dst from the buffer at @src. If a kernel fault
3163 ++ * happens, handle that and return -EFAULT.
3164 ++ */
3165 ++extern long notrace probe_user_write(void __user *dst, const void *src, size_t size);
3166 ++extern long notrace __probe_user_write(void __user *dst, const void *src, size_t size);
3167 ++
3168 + extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
3169 ++extern long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
3170 ++ long count);
3171 ++extern long strnlen_unsafe_user(const void __user *unsafe_addr, long count);
3172 +
3173 + /**
3174 + * probe_kernel_address(): safely attempt to read from a location
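Review bot: The comment for `probe_user_write` says only that a kernel fault returns -EFAULT; it does not say that the copy runs with page faults disabled, so a writable page that is merely not resident also fails. The btrfs callers in this patch depend on exactly that behaviour. I would add a sentence such as `Page faults are disabled during the copy; a non-resident page returns -EFAULT and the caller must fault it in and retry.`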
3175 +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
3176 +index 024636c31adcf..93253ba1eeac3 100644
3177 +--- a/include/net/netfilter/nf_tables.h
3178 ++++ b/include/net/netfilter/nf_tables.h
3179 +@@ -130,6 +130,8 @@ static inline u8 nft_reg_load8(u32 *sreg)
3180 + static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
3181 + unsigned int len)
3182 + {
3183 ++ if (len % NFT_REG32_SIZE)
3184 ++ dst[len / NFT_REG32_SIZE] = 0;
3185 + memcpy(dst, src, len);
3186 + }
3187 +
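Review bot: The two lines added to `nft_data_copy` have no comment, and the intent is not obvious from `dst[len / NFT_REG32_SIZE] = 0;` alone. It appears to clear the last 32-bit register when `len` is not a multiple of `NFT_REG32_SIZE`, so that the bytes `memcpy` does not overwrite do not keep whatever the register held before. A comment like `/* zero the partially written last register so no stale bytes remain */` would make that explicit.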
3188 +diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
3189 +index 5eac62e1b68d5..cc00be102b9fb 100644
3190 +--- a/include/uapi/linux/netfilter/nf_tables.h
3191 ++++ b/include/uapi/linux/netfilter/nf_tables.h
3192 +@@ -132,7 +132,7 @@ enum nf_tables_msg_types {
3193 + * @NFTA_LIST_ELEM: list element (NLA_NESTED)
3194 + */
3195 + enum nft_list_attributes {
3196 +- NFTA_LIST_UNPEC,
3197 ++ NFTA_LIST_UNSPEC,
3198 + NFTA_LIST_ELEM,
3199 + __NFTA_LIST_MAX
3200 + };
3201 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
3202 +index 8a5708f31aa07..27e49c5ec2194 100644
3203 +--- a/mm/hugetlb.c
3204 ++++ b/mm/hugetlb.c
3205 +@@ -2918,6 +2918,22 @@ static unsigned int cpuset_mems_nr(unsigned int *array)
3206 + }
3207 +
3208 + #ifdef CONFIG_SYSCTL
3209 ++static int proc_hugetlb_doulongvec_minmax(struct ctl_table *table, int write,
3210 ++ void *buffer, size_t *length,
3211 ++ loff_t *ppos, unsigned long *out)
3212 ++{
3213 ++ struct ctl_table dup_table;
3214 ++
3215 ++ /*
3216 ++ * In order to avoid races with __do_proc_doulongvec_minmax(), we
3217 ++ * can duplicate the @table and alter the duplicate of it.
3218 ++ */
3219 ++ dup_table = *table;
3220 ++ dup_table.data = out;
3221 ++
3222 ++ return proc_doulongvec_minmax(&dup_table, write, buffer, length, ppos);
3223 ++}
3224 ++
3225 + static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
3226 + struct ctl_table *table, int write,
3227 + void __user *buffer, size_t *length, loff_t *ppos)
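Review bot: `proc_hugetlb_doulongvec_minmax` takes `void *buffer`, but the handler visible at the end of this hunk receives `void __user *buffer`, so the address-space annotation is lost on the way to `proc_doulongvec_minmax`. Declaring the parameter as `void __user *buffer` keeps sparse checking intact. The call sites changed in the next two hunks also used to set `table->maxlen = sizeof(unsigned long)`, and the helper does not set `dup_table.maxlen`. That is fine only if the table entries already carry that length, which is not visible here.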
3228 +@@ -2929,9 +2945,8 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
3229 + if (!hugepages_supported())
3230 + return -EOPNOTSUPP;
3231 +
3232 +- table->data = &tmp;
3233 +- table->maxlen = sizeof(unsigned long);
3234 +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
3235 ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos,
3236 ++ &tmp);
3237 + if (ret)
3238 + goto out;
3239 +
3240 +@@ -2975,9 +2990,8 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
3241 + if (write && hstate_is_gigantic(h))
3242 + return -EINVAL;
3243 +
3244 +- table->data = &tmp;
3245 +- table->maxlen = sizeof(unsigned long);
3246 +- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
3247 ++ ret = proc_hugetlb_doulongvec_minmax(table, write, buffer, length, ppos,
3248 ++ &tmp);
3249 + if (ret)
3250 + goto out;
3251 +
3252 +diff --git a/mm/maccess.c b/mm/maccess.c
3253 +index ec00be51a24fd..6e41ba452e5e9 100644
3254 +--- a/mm/maccess.c
3255 ++++ b/mm/maccess.c
3256 +@@ -5,8 +5,32 @@
3257 + #include <linux/mm.h>
3258 + #include <linux/uaccess.h>
3259 +
3260 ++static __always_inline long
3261 ++probe_read_common(void *dst, const void __user *src, size_t size)
3262 ++{
3263 ++ long ret;
3264 ++
3265 ++ pagefault_disable();
3266 ++ ret = __copy_from_user_inatomic(dst, src, size);
3267 ++ pagefault_enable();
3268 ++
3269 ++ return ret ? -EFAULT : 0;
3270 ++}
3271 ++
3272 ++static __always_inline long
3273 ++probe_write_common(void __user *dst, const void *src, size_t size)
3274 ++{
3275 ++ long ret;
3276 ++
3277 ++ pagefault_disable();
3278 ++ ret = __copy_to_user_inatomic(dst, src, size);
3279 ++ pagefault_enable();
3280 ++
3281 ++ return ret ? -EFAULT : 0;
3282 ++}
3283 ++
3284 + /**
3285 +- * probe_kernel_read(): safely attempt to read from a location
3286 ++ * probe_kernel_read(): safely attempt to read from a kernel-space location
3287 + * @dst: pointer to the buffer that shall take the data
3288 + * @src: address to read from
3289 + * @size: size of the data chunk
3290 +@@ -29,16 +53,40 @@ long __probe_kernel_read(void *dst, const void *src, size_t size)
3291 + mm_segment_t old_fs = get_fs();
3292 +
3293 + set_fs(KERNEL_DS);
3294 +- pagefault_disable();
3295 +- ret = __copy_from_user_inatomic(dst,
3296 +- (__force const void __user *)src, size);
3297 +- pagefault_enable();
3298 ++ ret = probe_read_common(dst, (__force const void __user *)src, size);
3299 + set_fs(old_fs);
3300 +
3301 +- return ret ? -EFAULT : 0;
3302 ++ return ret;
3303 + }
3304 + EXPORT_SYMBOL_GPL(probe_kernel_read);
3305 +
3306 ++/**
3307 ++ * probe_user_read(): safely attempt to read from a user-space location
3308 ++ * @dst: pointer to the buffer that shall take the data
3309 ++ * @src: address to read from. This must be a user address.
3310 ++ * @size: size of the data chunk
3311 ++ *
3312 ++ * Safely read from user address @src to the buffer at @dst. If a kernel fault
3313 ++ * happens, handle that and return -EFAULT.
3314 ++ */
3315 ++
3316 ++long __weak probe_user_read(void *dst, const void __user *src, size_t size)
3317 ++ __attribute__((alias("__probe_user_read")));
3318 ++
3319 ++long __probe_user_read(void *dst, const void __user *src, size_t size)
3320 ++{
3321 ++ long ret = -EFAULT;
3322 ++ mm_segment_t old_fs = get_fs();
3323 ++
3324 ++ set_fs(USER_DS);
3325 ++ if (access_ok(VERIFY_READ, src, size))
3326 ++ ret = probe_read_common(dst, src, size);
3327 ++ set_fs(old_fs);
3328 ++
3329 ++ return ret;
3330 ++}
3331 ++EXPORT_SYMBOL_GPL(probe_user_read);
3332 ++
3333 + /**
3334 + * probe_kernel_write(): safely attempt to write to a location
3335 + * @dst: address to write to
3336 +@@ -48,6 +96,7 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
3337 + * Safely write to address @dst from the buffer at @src. If a kernel fault
3338 + * happens, handle that and return -EFAULT.
3339 + */
3340 ++
3341 + long __weak probe_kernel_write(void *dst, const void *src, size_t size)
3342 + __attribute__((alias("__probe_kernel_write")));
3343 +
3344 +@@ -57,15 +106,40 @@ long __probe_kernel_write(void *dst, const void *src, size_t size)
3345 + mm_segment_t old_fs = get_fs();
3346 +
3347 + set_fs(KERNEL_DS);
3348 +- pagefault_disable();
3349 +- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
3350 +- pagefault_enable();
3351 ++ ret = probe_write_common((__force void __user *)dst, src, size);
3352 + set_fs(old_fs);
3353 +
3354 +- return ret ? -EFAULT : 0;
3355 ++ return ret;
3356 + }
3357 + EXPORT_SYMBOL_GPL(probe_kernel_write);
3358 +
3359 ++/**
3360 ++ * probe_user_write(): safely attempt to write to a user-space location
3361 ++ * @dst: address to write to
3362 ++ * @src: pointer to the data that shall be written
3363 ++ * @size: size of the data chunk
3364 ++ *
3365 ++ * Safely write to address @dst from the buffer at @src. If a kernel fault
3366 ++ * happens, handle that and return -EFAULT.
3367 ++ */
3368 ++
3369 ++long __weak probe_user_write(void __user *dst, const void *src, size_t size)
3370 ++ __attribute__((alias("__probe_user_write")));
3371 ++
3372 ++long __probe_user_write(void __user *dst, const void *src, size_t size)
3373 ++{
3374 ++ long ret = -EFAULT;
3375 ++ mm_segment_t old_fs = get_fs();
3376 ++
3377 ++ set_fs(USER_DS);
3378 ++ if (access_ok(VERIFY_WRITE, dst, size))
3379 ++ ret = probe_write_common(dst, src, size);
3380 ++ set_fs(old_fs);
3381 ++
3382 ++ return ret;
3383 ++}
3384 ++EXPORT_SYMBOL_GPL(probe_user_write);
3385 ++
3386 + /**
3387 + * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
3388 + * @dst: Destination address, in kernel space. This buffer must be at
3389 +@@ -105,3 +179,76 @@ long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
3390 +
3391 + return ret ? -EFAULT : src - unsafe_addr;
3392 + }
3393 ++
3394 ++/**
3395 ++ * strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user
3396 ++ * address.
3397 ++ * @dst: Destination address, in kernel space. This buffer must be at
3398 ++ * least @count bytes long.
3399 ++ * @unsafe_addr: Unsafe user address.
3400 ++ * @count: Maximum number of bytes to copy, including the trailing NUL.
3401 ++ *
3402 ++ * Copies a NUL-terminated string from unsafe user address to kernel buffer.
3403 ++ *
3404 ++ * On success, returns the length of the string INCLUDING the trailing NUL.
3405 ++ *
3406 ++ * If access fails, returns -EFAULT (some data may have been copied
3407 ++ * and the trailing NUL added).
3408 ++ *
3409 ++ * If @count is smaller than the length of the string, copies @count-1 bytes,
3410 ++ * sets the last byte of @dst buffer to NUL and returns @count.
3411 ++ */
3412 ++long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
3413 ++ long count)
3414 ++{
3415 ++ mm_segment_t old_fs = get_fs();
3416 ++ long ret;
3417 ++
3418 ++ if (unlikely(count <= 0))
3419 ++ return 0;
3420 ++
3421 ++ set_fs(USER_DS);
3422 ++ pagefault_disable();
3423 ++ ret = strncpy_from_user(dst, unsafe_addr, count);
3424 ++ pagefault_enable();
3425 ++ set_fs(old_fs);
3426 ++
3427 ++ if (ret >= count) {
3428 ++ ret = count;
3429 ++ dst[ret - 1] = '\0';
3430 ++ } else if (ret > 0) {
3431 ++ ret++;
3432 ++ }
3433 ++
3434 ++ return ret;
3435 ++}
3436 ++
3437 ++/**
3438 ++ * strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL.
3439 ++ * @unsafe_addr: The string to measure.
3440 ++ * @count: Maximum count (including NUL)
3441 ++ *
3442 ++ * Get the size of a NUL-terminated string in user space without pagefault.
3443 ++ *
3444 ++ * Returns the size of the string INCLUDING the terminating NUL.
3445 ++ *
3446 ++ * If the string is too long, returns a number larger than @count. User
3447 ++ * has to check the return value against "> count".
3448 ++ * On exception (or invalid count), returns 0.
3449 ++ *
3450 ++ * Unlike strnlen_user, this can be used from IRQ handler etc. because
3451 ++ * it disables pagefaults.
3452 ++ */
3453 ++long strnlen_unsafe_user(const void __user *unsafe_addr, long count)
3454 ++{
3455 ++ mm_segment_t old_fs = get_fs();
3456 ++ int ret;
3457 ++
3458 ++ set_fs(USER_DS);
3459 ++ pagefault_disable();
3460 ++ ret = strnlen_user(unsafe_addr, count);
3461 ++ pagefault_enable();
3462 ++ set_fs(old_fs);
3463 ++
3464 ++ return ret;
3465 ++}
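Review bot: `strnlen_unsafe_user` stores the result of `strnlen_user` in `int ret` although the function returns `long` and takes a `long count`, so a large length would be narrowed; `long ret;` avoids that. In `strncpy_from_unsafe_user` the comment says a trailing NUL is added when access fails, but the code writes `dst[ret - 1] = '\0'` only in the `ret >= count` branch and leaves `dst` untouched on a negative return. Unless `strncpy_from_user` itself guarantees termination on that path, the comment should say that `dst` may be unterminated after `-EFAULT`.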
3466 +diff --git a/mm/slub.c b/mm/slub.c
3467 +index 882a1e0ae89c8..dfc9b4267603e 100644
3468 +--- a/mm/slub.c
3469 ++++ b/mm/slub.c
3470 +@@ -646,12 +646,12 @@ static void slab_fix(struct kmem_cache *s, char *fmt, ...)
3471 + }
3472 +
3473 + static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
3474 +- void *freelist, void *nextfree)
3475 ++ void **freelist, void *nextfree)
3476 + {
3477 + if ((s->flags & SLAB_CONSISTENCY_CHECKS) &&
3478 +- !check_valid_pointer(s, page, nextfree)) {
3479 +- object_err(s, page, freelist, "Freechain corrupt");
3480 +- freelist = NULL;
3481 ++ !check_valid_pointer(s, page, nextfree) && freelist) {
3482 ++ object_err(s, page, *freelist, "Freechain corrupt");
3483 ++ *freelist = NULL;
3484 + slab_fix(s, "Isolate corrupted freechain");
3485 + return true;
3486 + }
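Review bot: The added `&& freelist` tests the out-parameter itself, not the list head it points to, and it is evaluated only after `check_valid_pointer` has run. The caller changed in the last hunk of this file passes `&freelist`, which cannot be NULL, so for that caller the guard is always true. A short comment naming the case in which a NULL `freelist` pointer is expected would make the guard's purpose clear; if there is no such case, it can be dropped.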
3487 +@@ -1343,7 +1343,7 @@ static inline void dec_slabs_node(struct kmem_cache *s, int node,
3488 + int objects) {}
3489 +
3490 + static bool freelist_corrupted(struct kmem_cache *s, struct page *page,
3491 +- void *freelist, void *nextfree)
3492 ++ void **freelist, void *nextfree)
3493 + {
3494 + return false;
3495 + }
3496 +@@ -2037,7 +2037,7 @@ static void deactivate_slab(struct kmem_cache *s, struct page *page,
3497 + * 'freelist' is already corrupted. So isolate all objects
3498 + * starting at 'freelist'.
3499 + */
3500 +- if (freelist_corrupted(s, page, freelist, nextfree))
3501 ++ if (freelist_corrupted(s, page, &freelist, nextfree))
3502 + break;
3503 +
3504 + do {
3505 +diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
3506 +index 0458de53cb64b..04a620fd13014 100644
3507 +--- a/net/batman-adv/bat_v_ogm.c
3508 ++++ b/net/batman-adv/bat_v_ogm.c
3509 +@@ -716,6 +716,12 @@ static void batadv_v_ogm_process(const struct sk_buff *skb, int ogm_offset,
3510 + ntohl(ogm_packet->seqno), ogm_throughput, ogm_packet->ttl,
3511 + ogm_packet->version, ntohs(ogm_packet->tvlv_len));
3512 +
3513 ++ if (batadv_is_my_mac(bat_priv, ogm_packet->orig)) {
3514 ++ batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
3515 ++ "Drop packet: originator packet from ourself\n");
3516 ++ return;
3517 ++ }
3518 ++
3519 + /* If the throughput metric is 0, immediately drop the packet. No need
3520 + * to create orig_node / neigh_node for an unusable route.
3521 + */
3522 +@@ -843,11 +849,6 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb,
3523 + if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
3524 + goto free_skb;
3525 +
3526 +- ogm_packet = (struct batadv_ogm2_packet *)skb->data;
3527 +-
3528 +- if (batadv_is_my_mac(bat_priv, ogm_packet->orig))
3529 +- goto free_skb;
3530 +-
3531 + batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_RX);
3532 + batadv_add_counter(bat_priv, BATADV_CNT_MGMT_RX_BYTES,
3533 + skb->len + ETH_HLEN);
3534 +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
3535 +index 85faf25c29122..9b8bf06ccb613 100644
3536 +--- a/net/batman-adv/bridge_loop_avoidance.c
3537 ++++ b/net/batman-adv/bridge_loop_avoidance.c
3538 +@@ -450,7 +450,10 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac,
3539 + batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
3540 + skb->len + ETH_HLEN);
3541 +
3542 +- netif_rx(skb);
3543 ++ if (in_interrupt())
3544 ++ netif_rx(skb);
3545 ++ else
3546 ++ netif_rx_ni(skb);
3547 + out:
3548 + if (primary_if)
3549 + batadv_hardif_put(primary_if);
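Review bot: The `in_interrupt()` branch that picks between `netif_rx(skb)` and `netif_rx_ni(skb)` has no comment saying which callers reach batadv_bla_send_claim() outside interrupt context, and a context-dependent choice like this is hard to audit once the call sites change. A line above the `if` such as `/* claim frames are also sent from process context, where the _ni variant is required */` would state the assumption. The call sites are not visible here, so the wording should be checked against them. The function starts outside the hunk and continues past the `out:` label.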
3550 +diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
3551 +index 140c61a3f1ecf..0c59fefc13719 100644
3552 +--- a/net/batman-adv/gateway_client.c
3553 ++++ b/net/batman-adv/gateway_client.c
3554 +@@ -714,8 +714,10 @@ batadv_gw_dhcp_recipient_get(struct sk_buff *skb, unsigned int *header_len,
3555 +
3556 + chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET;
3557 + /* store the client address if the message is going to a client */
3558 +- if (ret == BATADV_DHCP_TO_CLIENT &&
3559 +- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) {
3560 ++ if (ret == BATADV_DHCP_TO_CLIENT) {
3561 ++ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN))
3562 ++ return BATADV_DHCP_NO;
3563 ++
3564 + /* check if the DHCP packet carries an Ethernet DHCP */
3565 + p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET;
3566 + if (*p != BATADV_DHCP_HTYPE_ETHERNET)
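Review bot: The new early `return BATADV_DHCP_NO;` when `pskb_may_pull()` fails classifies a too-short message as not DHCP at all, and nothing at the return explains that choice. Before the change a failed pull skipped the block and presumably left `ret` at BATADV_DHCP_TO_CLIENT without the client address being stored, so a comment such as `/* too short to hold chaddr: do not report TO_CLIENT without an address */` would document what the early return protects against. Reading `p` from `skb->data` only after the pull is the right order, since the pull may move the data. The function's kernel-doc and remaining body are outside the hunk, so whether the return values are described there cannot be checked from here.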
3567 +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
3568 +index 1b8a53081632f..5b4632826dc66 100644
3569 +--- a/net/netfilter/nf_tables_api.c
3570 ++++ b/net/netfilter/nf_tables_api.c
3571 +@@ -718,11 +718,11 @@ static int nf_tables_gettable(struct net *net, struct sock *nlsk,
3572 + nlh->nlmsg_seq, NFT_MSG_NEWTABLE, 0,
3573 + family, table);
3574 + if (err < 0)
3575 +- goto err;
3576 ++ goto err_fill_table_info;
3577 +
3578 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3579 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3580 +
3581 +-err:
3582 ++err_fill_table_info:
3583 + kfree_skb(skb2);
3584 + return err;
3585 + }
3586 +@@ -1383,11 +1383,11 @@ static int nf_tables_getchain(struct net *net, struct sock *nlsk,
3587 + nlh->nlmsg_seq, NFT_MSG_NEWCHAIN, 0,
3588 + family, table, chain);
3589 + if (err < 0)
3590 +- goto err;
3591 ++ goto err_fill_chain_info;
3592 +
3593 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3594 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3595 +
3596 +-err:
3597 ++err_fill_chain_info:
3598 + kfree_skb(skb2);
3599 + return err;
3600 + }
3601 +@@ -2488,11 +2488,11 @@ static int nf_tables_getrule(struct net *net, struct sock *nlsk,
3602 + nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
3603 + family, table, chain, rule);
3604 + if (err < 0)
3605 +- goto err;
3606 ++ goto err_fill_rule_info;
3607 +
3608 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3609 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3610 +
3611 +-err:
3612 ++err_fill_rule_info:
3613 + kfree_skb(skb2);
3614 + return err;
3615 + }
3616 +@@ -3204,7 +3204,8 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
3617 + goto nla_put_failure;
3618 + }
3619 +
3620 +- if (nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3621 ++ if (set->udata &&
3622 ++ nla_put(skb, NFTA_SET_USERDATA, set->udlen, set->udata))
3623 + goto nla_put_failure;
3624 +
3625 + desc = nla_nest_start(skb, NFTA_SET_DESC);
3626 +@@ -3376,11 +3377,11 @@ static int nf_tables_getset(struct net *net, struct sock *nlsk,
3627 +
3628 + err = nf_tables_fill_set(skb2, &ctx, set, NFT_MSG_NEWSET, 0);
3629 + if (err < 0)
3630 +- goto err;
3631 ++ goto err_fill_set_info;
3632 +
3633 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3634 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3635 +
3636 +-err:
3637 ++err_fill_set_info:
3638 + kfree_skb(skb2);
3639 + return err;
3640 + }
3641 +@@ -4156,24 +4157,18 @@ static int nft_get_set_elem(struct nft_ctx *ctx, struct nft_set *set,
3642 + err = -ENOMEM;
3643 + skb = nlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
3644 + if (skb == NULL)
3645 +- goto err1;
3646 ++ return err;
3647 +
3648 + err = nf_tables_fill_setelem_info(skb, ctx, ctx->seq, ctx->portid,
3649 + NFT_MSG_NEWSETELEM, 0, set, &elem);
3650 + if (err < 0)
3651 +- goto err2;
3652 ++ goto err_fill_setelem;
3653 +
3654 +- err = nfnetlink_unicast(skb, ctx->net, ctx->portid, MSG_DONTWAIT);
3655 +- /* This avoids a loop in nfnetlink. */
3656 +- if (err < 0)
3657 +- goto err1;
3658 ++ return nfnetlink_unicast(skb, ctx->net, ctx->portid);
3659 +
3660 +- return 0;
3661 +-err2:
3662 ++err_fill_setelem:
3663 + kfree_skb(skb);
3664 +-err1:
3665 +- /* this avoids a loop in nfnetlink. */
3666 +- return err == -EAGAIN ? -ENOBUFS : err;
3667 ++ return err;
3668 + }
3669 +
3670 + /* called with rcu_read_lock held */
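Review bot: In nft_get_set_elem() the allocation-failure path now reads `err = -ENOMEM;` followed by `return err;`, and within the hunk `err` is overwritten by nf_tables_fill_setelem_info() before any other use. Returning the constant directly, `if (skb == NULL) return -ENOMEM;`, and dropping the pre-assignment would put the error code where it is decided. The function begins outside the hunk, so an earlier use of `err` cannot be ruled out from these lines.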
3671 +@@ -5272,10 +5267,11 @@ static int nf_tables_getobj(struct net *net, struct sock *nlsk,
3672 + nlh->nlmsg_seq, NFT_MSG_NEWOBJ, 0,
3673 + family, table, obj, reset);
3674 + if (err < 0)
3675 +- goto err;
3676 ++ goto err_fill_obj_info;
3677 +
3678 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3679 +-err:
3680 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3681 ++
3682 ++err_fill_obj_info:
3683 + kfree_skb(skb2);
3684 + return err;
3685 + }
3686 +@@ -5932,10 +5928,11 @@ static int nf_tables_getflowtable(struct net *net, struct sock *nlsk,
3687 + NFT_MSG_NEWFLOWTABLE, 0, family,
3688 + flowtable);
3689 + if (err < 0)
3690 +- goto err;
3691 ++ goto err_fill_flowtable_info;
3692 +
3693 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3694 +-err:
3695 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3696 ++
3697 ++err_fill_flowtable_info:
3698 + kfree_skb(skb2);
3699 + return err;
3700 + }
3701 +@@ -6096,10 +6093,11 @@ static int nf_tables_getgen(struct net *net, struct sock *nlsk,
3702 + err = nf_tables_fill_gen_info(skb2, net, NETLINK_CB(skb).portid,
3703 + nlh->nlmsg_seq);
3704 + if (err < 0)
3705 +- goto err;
3706 ++ goto err_fill_gen_info;
3707 +
3708 +- return nlmsg_unicast(nlsk, skb2, NETLINK_CB(skb).portid);
3709 +-err:
3710 ++ return nfnetlink_unicast(skb2, net, NETLINK_CB(skb).portid);
3711 ++
3712 ++err_fill_gen_info:
3713 + kfree_skb(skb2);
3714 + return err;
3715 + }
3716 +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
3717 +index 7f2c1915763f8..9bacddc761ba4 100644
3718 +--- a/net/netfilter/nfnetlink.c
3719 ++++ b/net/netfilter/nfnetlink.c
3720 +@@ -148,10 +148,15 @@ int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error)
3721 + }
3722 + EXPORT_SYMBOL_GPL(nfnetlink_set_err);
3723 +
3724 +-int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
3725 +- int flags)
3726 ++int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid)
3727 + {
3728 +- return netlink_unicast(net->nfnl, skb, portid, flags);
3729 ++ int err;
3730 ++
3731 ++ err = nlmsg_unicast(net->nfnl, skb, portid);
3732 ++ if (err == -EAGAIN)
3733 ++ err = -ENOBUFS;
3734 ++
3735 ++ return err;
3736 + }
3737 + EXPORT_SYMBOL_GPL(nfnetlink_unicast);
3738 +
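Review bot: The `-EAGAIN` to `-ENOBUFS` mapping in nfnetlink_unicast() carries no comment, while this patch deletes the two comments in nft_get_set_elem() ("This avoids a loop in nfnetlink") that were the only record of why the translation exists. Keeping the reason next to the mapping, for example `/* avoid a loop in nfnetlink: never hand -EAGAIN back to the caller */`, would stop a later cleanup from removing it as redundant. Dropping the `flags` parameter also changes an exported signature; the callers visible in this patch (nf_tables_api.c, nfnetlink_log.c, nfnetlink_queue.c) are converted, but any other user would fail to build.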
3739 +diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
3740 +index 332c69d27b478..25298b3eb8546 100644
3741 +--- a/net/netfilter/nfnetlink_log.c
3742 ++++ b/net/netfilter/nfnetlink_log.c
3743 +@@ -359,8 +359,7 @@ __nfulnl_send(struct nfulnl_instance *inst)
3744 + goto out;
3745 + }
3746 + }
3747 +- nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid,
3748 +- MSG_DONTWAIT);
3749 ++ nfnetlink_unicast(inst->skb, inst->net, inst->peer_portid);
3750 + out:
3751 + inst->qlen = 0;
3752 + inst->skb = NULL;
3753 +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
3754 +index d33094f4ec41e..f81a3ce0fe48e 100644
3755 +--- a/net/netfilter/nfnetlink_queue.c
3756 ++++ b/net/netfilter/nfnetlink_queue.c
3757 +@@ -685,7 +685,7 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
3758 + *packet_id_ptr = htonl(entry->id);
3759 +
3760 + /* nfnetlink_unicast will either free the nskb or add it to a socket */
3761 +- err = nfnetlink_unicast(nskb, net, queue->peer_portid, MSG_DONTWAIT);
3762 ++ err = nfnetlink_unicast(nskb, net, queue->peer_portid);
3763 + if (err < 0) {
3764 + if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
3765 + failopen = 1;
3766 +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
3767 +index 19446a89a2a81..b1a9f330a51fe 100644
3768 +--- a/net/netfilter/nft_payload.c
3769 ++++ b/net/netfilter/nft_payload.c
3770 +@@ -79,7 +79,9 @@ static void nft_payload_eval(const struct nft_expr *expr,
3771 + u32 *dest = &regs->data[priv->dreg];
3772 + int offset;
3773 +
3774 +- dest[priv->len / NFT_REG32_SIZE] = 0;
3775 ++ if (priv->len % NFT_REG32_SIZE)
3776 ++ dest[priv->len / NFT_REG32_SIZE] = 0;
3777 ++
3778 + switch (priv->base) {
3779 + case NFT_PAYLOAD_LL_HEADER:
3780 + if (!skb_mac_header_was_set(skb))
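Review bot: The new `if (priv->len % NFT_REG32_SIZE)` guard has no comment, and its reason is not obvious from the line. When `len` is an exact multiple of the register size, `dest[priv->len / NFT_REG32_SIZE]` indexes the 32-bit register after the ones the load fills, so the previously unconditional store cleared a register outside the destination range. A comment above the `if` such as `/* pad only a partially filled last register; a full one has no tail to clear */` would keep the guard from being simplified away. nft_payload_eval() continues outside the hunk.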
3781 +diff --git a/net/wireless/reg.c b/net/wireless/reg.c
3782 +index 32f575857e415..935aebf150107 100644
3783 +--- a/net/wireless/reg.c
3784 ++++ b/net/wireless/reg.c
3785 +@@ -2936,6 +2936,9 @@ int regulatory_hint_user(const char *alpha2,
3786 + if (WARN_ON(!alpha2))
3787 + return -EINVAL;
3788 +
3789 ++ if (!is_world_regdom(alpha2) && !is_an_alpha2(alpha2))
3790 ++ return -EINVAL;
3791 ++
3792 + request = kzalloc(sizeof(struct regulatory_request), GFP_KERNEL);
3793 + if (!request)
3794 + return -ENOMEM;
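Review bot: The added validation in regulatory_hint_user() passes `alpha2` to is_world_regdom() and is_an_alpha2(), which inspect the first two characters, but the parameter is a bare `const char *` with no length. The check is therefore only as safe as the callers' guarantee that two bytes are readable. Stating that contract at the function, for example `/* alpha2 must point to at least two readable bytes; content is validated below */`, would make the requirement explicit for new call sites. The callers and the function's existing documentation are outside the hunk.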
3795 +diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
3796 +index 161b0224d6ae9..7eb944cbbaeab 100755
3797 +--- a/scripts/checkpatch.pl
3798 ++++ b/scripts/checkpatch.pl
3799 +@@ -2541,8 +2541,8 @@ sub process {
3800 +
3801 + # Check if the commit log has what seems like a diff which can confuse patch
3802 + if ($in_commit_log && !$commit_log_has_diff &&
3803 +- (($line =~ m@^\s+diff\b.*a/[\w/]+@ &&
3804 +- $line =~ m@^\s+diff\b.*a/([\w/]+)\s+b/$1\b@) ||
3805 ++ (($line =~ m@^\s+diff\b.*a/([\w/]+)@ &&
3806 ++ $line =~ m@^\s+diff\b.*a/[\w/]+\s+b/$1\b@) ||
3807 + $line =~ m@^\s*(?:\-\-\-\s+a/|\+\+\+\s+b/)@ ||
3808 + $line =~ m/^\s*\@\@ \-\d+,\d+ \+\d+,\d+ \@\@/)) {
3809 + ERROR("DIFF_IN_COMMIT_MSG",
3810 +diff --git a/sound/core/oss/mulaw.c b/sound/core/oss/mulaw.c
3811 +index 3788906421a73..fe27034f28460 100644
3812 +--- a/sound/core/oss/mulaw.c
3813 ++++ b/sound/core/oss/mulaw.c
3814 +@@ -329,8 +329,8 @@ int snd_pcm_plugin_build_mulaw(struct snd_pcm_substream *plug,
3815 + snd_BUG();
3816 + return -EINVAL;
3817 + }
3818 +- if (snd_BUG_ON(!snd_pcm_format_linear(format->format)))
3819 +- return -ENXIO;
3820 ++ if (!snd_pcm_format_linear(format->format))
3821 ++ return -EINVAL;
3822 +
3823 + err = snd_pcm_plugin_build(plug, "Mu-Law<->linear conversion",
3824 + src_format, dst_format,
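Review bot: The branch just above the changed lines still calls `snd_BUG();` before `return -EINVAL;`, while this hunk turns the linear-format check from `snd_BUG_ON()` into a plain error return. If the format that reaches the earlier branch can also be chosen by the caller that sets up the plugin, it would raise the same kernel warning on bad input. That cannot be confirmed here because the condition guarding it is outside the visible lines. If it is reachable, the same treatment applies: drop `snd_BUG();` and keep the `return -EINVAL;`.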
3825 +diff --git a/sound/firewire/digi00x/digi00x.c b/sound/firewire/digi00x/digi00x.c
3826 +index ef689997d6a5b..bf53e342788e2 100644
3827 +--- a/sound/firewire/digi00x/digi00x.c
3828 ++++ b/sound/firewire/digi00x/digi00x.c
3829 +@@ -15,6 +15,7 @@ MODULE_LICENSE("GPL v2");
3830 + #define VENDOR_DIGIDESIGN 0x00a07e
3831 + #define MODEL_CONSOLE 0x000001
3832 + #define MODEL_RACK 0x000002
3833 ++#define SPEC_VERSION 0x000001
3834 +
3835 + static int name_card(struct snd_dg00x *dg00x)
3836 + {
3837 +@@ -185,14 +186,18 @@ static const struct ieee1394_device_id snd_dg00x_id_table[] = {
3838 + /* Both of 002/003 use the same ID. */
3839 + {
3840 + .match_flags = IEEE1394_MATCH_VENDOR_ID |
3841 ++ IEEE1394_MATCH_VERSION |
3842 + IEEE1394_MATCH_MODEL_ID,
3843 + .vendor_id = VENDOR_DIGIDESIGN,
3844 ++ .version = SPEC_VERSION,
3845 + .model_id = MODEL_CONSOLE,
3846 + },
3847 + {
3848 + .match_flags = IEEE1394_MATCH_VENDOR_ID |
3849 ++ IEEE1394_MATCH_VERSION |
3850 + IEEE1394_MATCH_MODEL_ID,
3851 + .vendor_id = VENDOR_DIGIDESIGN,
3852 ++ .version = SPEC_VERSION,
3853 + .model_id = MODEL_RACK,
3854 + },
3855 + {}
3856 +diff --git a/sound/pci/ca0106/ca0106_main.c b/sound/pci/ca0106/ca0106_main.c
3857 +index cd27b55366544..675b812e96d63 100644
3858 +--- a/sound/pci/ca0106/ca0106_main.c
3859 ++++ b/sound/pci/ca0106/ca0106_main.c
3860 +@@ -551,7 +551,8 @@ static int snd_ca0106_pcm_power_dac(struct snd_ca0106 *chip, int channel_id,
3861 + else
3862 + /* Power down */
3863 + chip->spi_dac_reg[reg] |= bit;
3864 +- return snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]);
3865 ++ if (snd_ca0106_spi_write(chip, chip->spi_dac_reg[reg]) != 0)
3866 ++ return -ENXIO;
3867 + }
3868 + return 0;
3869 + }
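Review bot: When `snd_ca0106_spi_write()` fails the function now returns -ENXIO, but `chip->spi_dac_reg[reg]` was already modified on the lines above, so the cached register value no longer matches what the DAC holds. Computing the new value in a local and storing it only after a successful write would keep the cache consistent: `if (snd_ca0106_spi_write(chip, val) != 0) return -ENXIO;` followed by `chip->spi_dac_reg[reg] = val;`, with `val` being the updated copy. Whether later code relies on the cache after a failed write is not visible from this hunk, which starts inside the function body.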
3870 +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
3871 +index 419d099b5582b..b8e5f2b19ff85 100644
3872 +--- a/sound/pci/hda/patch_hdmi.c
3873 ++++ b/sound/pci/hda/patch_hdmi.c
3874 +@@ -2574,6 +2574,7 @@ static void i915_pin_cvt_fixup(struct hda_codec *codec,
3875 + hda_nid_t cvt_nid)
3876 + {
3877 + if (per_pin) {
3878 ++ haswell_verify_D0(codec, per_pin->cvt_nid, per_pin->pin_nid);
3879 + snd_hda_set_dev_select(codec, per_pin->pin_nid,
3880 + per_pin->dev_id);
3881 + intel_verify_pin_cvt_connect(codec, per_pin);
3882 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
3883 +index 9c5b3d19bfa73..8092fd5617fa7 100644
3884 +--- a/sound/pci/hda/patch_realtek.c
3885 ++++ b/sound/pci/hda/patch_realtek.c
3886 +@@ -2452,6 +2452,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
3887 + SND_PCI_QUIRK(0x1462, 0x1276, "MSI-GL73", ALC1220_FIXUP_CLEVO_P950),
3888 + SND_PCI_QUIRK(0x1462, 0x1293, "MSI-GP65", ALC1220_FIXUP_CLEVO_P950),
3889 + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),
3890 ++ SND_PCI_QUIRK(0x1462, 0x9c37, "MSI X570-A PRO", ALC1220_FIXUP_CLEVO_P950),
3891 + SND_PCI_QUIRK(0x1462, 0xda57, "MSI Z270-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS),
3892 + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3),
3893 + SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX),
3894 +diff --git a/tools/include/uapi/linux/perf_event.h b/tools/include/uapi/linux/perf_event.h
3895 +index f35eb72739c09..a45e7b4f03163 100644
3896 +--- a/tools/include/uapi/linux/perf_event.h
3897 ++++ b/tools/include/uapi/linux/perf_event.h
3898 +@@ -1079,7 +1079,7 @@ union perf_mem_data_src {
3899 +
3900 + #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */
3901 + /* 1 free */
3902 +-#define PERF_MEM_SNOOPX_SHIFT 37
3903 ++#define PERF_MEM_SNOOPX_SHIFT 38
3904 +
3905 + /* locked instruction */
3906 + #define PERF_MEM_LOCK_NA 0x01 /* not available */
3907 +diff --git a/tools/perf/Documentation/perf-record.txt b/tools/perf/Documentation/perf-record.txt
3908 +index 246dee081efda..edf2be251788f 100644
3909 +--- a/tools/perf/Documentation/perf-record.txt
3910 ++++ b/tools/perf/Documentation/perf-record.txt
3911 +@@ -33,6 +33,10 @@ OPTIONS
3912 + - a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a
3913 + hexadecimal event descriptor.
3914 +
3915 ++ - a symbolic or raw PMU event followed by an optional colon
3916 ++ and a list of event modifiers, e.g., cpu-cycles:p. See the
3917 ++ linkperf:perf-list[1] man page for details on event modifiers.
3918 ++
3919 + - a symbolically formed PMU event like 'pmu/param1=0x3,param2/' where
3920 + 'param1', 'param2', etc are defined as formats for the PMU in
3921 + /sys/bus/event_source/devices/<pmu>/format/*.
3922 +diff --git a/tools/perf/Documentation/perf-stat.txt b/tools/perf/Documentation/perf-stat.txt
3923 +index b10a90b6a7181..239af8f71f79b 100644
3924 +--- a/tools/perf/Documentation/perf-stat.txt
3925 ++++ b/tools/perf/Documentation/perf-stat.txt
3926 +@@ -39,6 +39,10 @@ report::
3927 + - a raw PMU event (eventsel+umask) in the form of rNNN where NNN is a
3928 + hexadecimal event descriptor.
3929 +
3930 ++ - a symbolic or raw PMU event followed by an optional colon
3931 ++ and a list of event modifiers, e.g., cpu-cycles:p. See the
3932 ++ linkperf:perf-list[1] man page for details on event modifiers.
3933 ++
3934 + - a symbolically formed event like 'pmu/param1=0x3,param2/' where
3935 + param1 and param2 are defined as formats for the PMU in
3936 + /sys/bus/event_source/devices/<pmu>/format/*
3937 +diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
3938 +index 38b5888ef7b38..c17e594041712 100644
3939 +--- a/tools/perf/pmu-events/jevents.c
3940 ++++ b/tools/perf/pmu-events/jevents.c
3941 +@@ -137,7 +137,7 @@ static char *fixregex(char *s)
3942 + return s;
3943 +
3944 + /* allocate space for a new string */
3945 +- fixed = (char *) malloc(len + 1);
3946 ++ fixed = (char *) malloc(len + esc_count + 1);
3947 + if (!fixed)
3948 + return NULL;
3949 +
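Review bot: The allocation size `len + esc_count + 1` is right only if the copy loop writes exactly one extra byte per counted character, and nothing next to the malloc() states that; the loop itself is outside the hunk. Extending the existing comment to `/* allocate space for a new string: one extra byte per escaped character, plus the NUL */` would tie the size to the loop that fills the buffer. The cast on the allocation is also unnecessary in C, so the line can read `fixed = malloc(len + esc_count + 1);`. fixregex() starts and ends outside the hunk.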
3950 +diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
3951 +index 9b552c0fc47db..4e202217fae10 100644
3952 +--- a/tools/testing/selftests/bpf/test_maps.c
3953 ++++ b/tools/testing/selftests/bpf/test_maps.c
3954 +@@ -1017,6 +1017,8 @@ static void __run_parallel(int tasks, void (*fn)(int task, void *data),
3955 + pid_t pid[tasks];
3956 + int i;
3957 +
3958 ++ fflush(stdout);
3959 ++
3960 + for (i = 0; i < tasks; i++) {
3961 + pid[i] = fork();
3962 + if (pid[i] == 0) {