Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.10 commit in: /
Date: Wed, 30 Jun 2021 14:23:38
Message-Id: 1625063001.82457685705b0a1d80b955f129f8502a94616833.mpagano@gentoo
1 commit: 82457685705b0a1d80b955f129f8502a94616833
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jun 30 14:23:21 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Jun 30 14:23:21 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=82457685
7
8 Linuxpatch 5.10.47
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1046_linux-5.10.47.patch | 4107 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 4111 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 6abe7e2..9ae25ca 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -227,6 +227,10 @@ Patch: 1045_linux-5.10.46.patch
21 From: http://www.kernel.org
22 Desc: Linux 5.10.46
23
24 +Patch: 1046_linux-5.10.47.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 5.10.47
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1046_linux-5.10.47.patch b/1046_linux-5.10.47.patch
33 new file mode 100644
34 index 0000000..168bbc5
35 --- /dev/null
36 +++ b/1046_linux-5.10.47.patch
37 @@ -0,0 +1,4107 @@
38 +diff --git a/Makefile b/Makefile
39 +index 7ab22f105a032..fb2937bca41b3 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 5
45 + PATCHLEVEL = 10
46 +-SUBLEVEL = 46
47 ++SUBLEVEL = 47
48 + EXTRAVERSION =
49 + NAME = Dare mighty things
50 +
51 +diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
52 +index f90479d8b50c8..b06602cea99c7 100644
53 +--- a/arch/arm/kernel/setup.c
54 ++++ b/arch/arm/kernel/setup.c
55 +@@ -544,9 +544,11 @@ void notrace cpu_init(void)
56 + * In Thumb-2, msr with an immediate value is not allowed.
57 + */
58 + #ifdef CONFIG_THUMB2_KERNEL
59 +-#define PLC "r"
60 ++#define PLC_l "l"
61 ++#define PLC_r "r"
62 + #else
63 +-#define PLC "I"
64 ++#define PLC_l "I"
65 ++#define PLC_r "I"
66 + #endif
67 +
68 + /*
69 +@@ -568,15 +570,15 @@ void notrace cpu_init(void)
70 + "msr cpsr_c, %9"
71 + :
72 + : "r" (stk),
73 +- PLC (PSR_F_BIT | PSR_I_BIT | IRQ_MODE),
74 ++ PLC_r (PSR_F_BIT | PSR_I_BIT | IRQ_MODE),
75 + "I" (offsetof(struct stack, irq[0])),
76 +- PLC (PSR_F_BIT | PSR_I_BIT | ABT_MODE),
77 ++ PLC_r (PSR_F_BIT | PSR_I_BIT | ABT_MODE),
78 + "I" (offsetof(struct stack, abt[0])),
79 +- PLC (PSR_F_BIT | PSR_I_BIT | UND_MODE),
80 ++ PLC_r (PSR_F_BIT | PSR_I_BIT | UND_MODE),
81 + "I" (offsetof(struct stack, und[0])),
82 +- PLC (PSR_F_BIT | PSR_I_BIT | FIQ_MODE),
83 ++ PLC_r (PSR_F_BIT | PSR_I_BIT | FIQ_MODE),
84 + "I" (offsetof(struct stack, fiq[0])),
85 +- PLC (PSR_F_BIT | PSR_I_BIT | SVC_MODE)
86 ++ PLC_l (PSR_F_BIT | PSR_I_BIT | SVC_MODE)
87 + : "r14");
88 + #endif
89 + }
90 +diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c
91 +index a985d292e8203..c0a7f0d90b39d 100644
92 +--- a/arch/arm64/mm/init.c
93 ++++ b/arch/arm64/mm/init.c
94 +@@ -174,14 +174,21 @@ static void __init reserve_elfcorehdr(void)
95 + #endif /* CONFIG_CRASH_DUMP */
96 +
97 + /*
98 +- * Return the maximum physical address for a zone with a given address size
99 +- * limit. It currently assumes that for memory starting above 4G, 32-bit
100 +- * devices will use a DMA offset.
101 ++ * Return the maximum physical address for a zone accessible by the given bits
102 ++ * limit. If DRAM starts above 32-bit, expand the zone to the maximum
103 ++ * available memory, otherwise cap it at 32-bit.
104 + */
105 + static phys_addr_t __init max_zone_phys(unsigned int zone_bits)
106 + {
107 +- phys_addr_t offset = memblock_start_of_DRAM() & GENMASK_ULL(63, zone_bits);
108 +- return min(offset + (1ULL << zone_bits), memblock_end_of_DRAM());
109 ++ phys_addr_t zone_mask = DMA_BIT_MASK(zone_bits);
110 ++ phys_addr_t phys_start = memblock_start_of_DRAM();
111 ++
112 ++ if (phys_start > U32_MAX)
113 ++ zone_mask = PHYS_ADDR_MAX;
114 ++ else if (phys_start > zone_mask)
115 ++ zone_mask = U32_MAX;
116 ++
117 ++ return min(zone_mask, memblock_end_of_DRAM() - 1) + 1;
118 + }
119 +
120 + static void __init zone_sizes_init(unsigned long min, unsigned long max)
121 +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
122 +index afdad76078506..58dc93e566179 100644
123 +--- a/arch/arm64/mm/mmu.c
124 ++++ b/arch/arm64/mm/mmu.c
125 +@@ -469,6 +469,21 @@ void __init mark_linear_text_alias_ro(void)
126 + PAGE_KERNEL_RO);
127 + }
128 +
129 ++static bool crash_mem_map __initdata;
130 ++
131 ++static int __init enable_crash_mem_map(char *arg)
132 ++{
133 ++ /*
134 ++ * Proper parameter parsing is done by reserve_crashkernel(). We only
135 ++ * need to know if the linear map has to avoid block mappings so that
136 ++ * the crashkernel reservations can be unmapped later.
137 ++ */
138 ++ crash_mem_map = true;
139 ++
140 ++ return 0;
141 ++}
142 ++early_param("crashkernel", enable_crash_mem_map);
143 ++
144 + static void __init map_mem(pgd_t *pgdp)
145 + {
146 + phys_addr_t kernel_start = __pa_symbol(_text);
147 +@@ -477,7 +492,7 @@ static void __init map_mem(pgd_t *pgdp)
148 + int flags = 0;
149 + u64 i;
150 +
151 +- if (rodata_full || debug_pagealloc_enabled())
152 ++ if (rodata_full || crash_mem_map || debug_pagealloc_enabled())
153 + flags = NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS;
154 +
155 + /*
156 +@@ -487,11 +502,6 @@ static void __init map_mem(pgd_t *pgdp)
157 + * the following for-loop
158 + */
159 + memblock_mark_nomap(kernel_start, kernel_end - kernel_start);
160 +-#ifdef CONFIG_KEXEC_CORE
161 +- if (crashk_res.end)
162 +- memblock_mark_nomap(crashk_res.start,
163 +- resource_size(&crashk_res));
164 +-#endif
165 +
166 + /* map all the memory banks */
167 + for_each_mem_range(i, &start, &end) {
168 +@@ -519,21 +529,6 @@ static void __init map_mem(pgd_t *pgdp)
169 + __map_memblock(pgdp, kernel_start, kernel_end,
170 + PAGE_KERNEL, NO_CONT_MAPPINGS);
171 + memblock_clear_nomap(kernel_start, kernel_end - kernel_start);
172 +-
173 +-#ifdef CONFIG_KEXEC_CORE
174 +- /*
175 +- * Use page-level mappings here so that we can shrink the region
176 +- * in page granularity and put back unused memory to buddy system
177 +- * through /sys/kernel/kexec_crash_size interface.
178 +- */
179 +- if (crashk_res.end) {
180 +- __map_memblock(pgdp, crashk_res.start, crashk_res.end + 1,
181 +- PAGE_KERNEL,
182 +- NO_BLOCK_MAPPINGS | NO_CONT_MAPPINGS);
183 +- memblock_clear_nomap(crashk_res.start,
184 +- resource_size(&crashk_res));
185 +- }
186 +-#endif
187 + }
188 +
189 + void mark_rodata_ro(void)
190 +diff --git a/arch/mips/generic/board-boston.its.S b/arch/mips/generic/board-boston.its.S
191 +index a7f51f97b9102..c45ad27594218 100644
192 +--- a/arch/mips/generic/board-boston.its.S
193 ++++ b/arch/mips/generic/board-boston.its.S
194 +@@ -1,22 +1,22 @@
195 + / {
196 + images {
197 +- fdt@boston {
198 ++ fdt-boston {
199 + description = "img,boston Device Tree";
200 + data = /incbin/("boot/dts/img/boston.dtb");
201 + type = "flat_dt";
202 + arch = "mips";
203 + compression = "none";
204 +- hash@0 {
205 ++ hash {
206 + algo = "sha1";
207 + };
208 + };
209 + };
210 +
211 + configurations {
212 +- conf@boston {
213 ++ conf-boston {
214 + description = "Boston Linux kernel";
215 +- kernel = "kernel@0";
216 +- fdt = "fdt@boston";
217 ++ kernel = "kernel";
218 ++ fdt = "fdt-boston";
219 + };
220 + };
221 + };
222 +diff --git a/arch/mips/generic/board-ni169445.its.S b/arch/mips/generic/board-ni169445.its.S
223 +index e4cb4f95a8cc1..0a2e8f7a8526f 100644
224 +--- a/arch/mips/generic/board-ni169445.its.S
225 ++++ b/arch/mips/generic/board-ni169445.its.S
226 +@@ -1,22 +1,22 @@
227 + / {
228 + images {
229 +- fdt@ni169445 {
230 ++ fdt-ni169445 {
231 + description = "NI 169445 device tree";
232 + data = /incbin/("boot/dts/ni/169445.dtb");
233 + type = "flat_dt";
234 + arch = "mips";
235 + compression = "none";
236 +- hash@0 {
237 ++ hash {
238 + algo = "sha1";
239 + };
240 + };
241 + };
242 +
243 + configurations {
244 +- conf@ni169445 {
245 ++ conf-ni169445 {
246 + description = "NI 169445 Linux Kernel";
247 +- kernel = "kernel@0";
248 +- fdt = "fdt@ni169445";
249 ++ kernel = "kernel";
250 ++ fdt = "fdt-ni169445";
251 + };
252 + };
253 + };
254 +diff --git a/arch/mips/generic/board-ocelot.its.S b/arch/mips/generic/board-ocelot.its.S
255 +index 3da23988149a6..8c7e3a1b68d3d 100644
256 +--- a/arch/mips/generic/board-ocelot.its.S
257 ++++ b/arch/mips/generic/board-ocelot.its.S
258 +@@ -1,40 +1,40 @@
259 + /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */
260 + / {
261 + images {
262 +- fdt@ocelot_pcb123 {
263 ++ fdt-ocelot_pcb123 {
264 + description = "MSCC Ocelot PCB123 Device Tree";
265 + data = /incbin/("boot/dts/mscc/ocelot_pcb123.dtb");
266 + type = "flat_dt";
267 + arch = "mips";
268 + compression = "none";
269 +- hash@0 {
270 ++ hash {
271 + algo = "sha1";
272 + };
273 + };
274 +
275 +- fdt@ocelot_pcb120 {
276 ++ fdt-ocelot_pcb120 {
277 + description = "MSCC Ocelot PCB120 Device Tree";
278 + data = /incbin/("boot/dts/mscc/ocelot_pcb120.dtb");
279 + type = "flat_dt";
280 + arch = "mips";
281 + compression = "none";
282 +- hash@0 {
283 ++ hash {
284 + algo = "sha1";
285 + };
286 + };
287 + };
288 +
289 + configurations {
290 +- conf@ocelot_pcb123 {
291 ++ conf-ocelot_pcb123 {
292 + description = "Ocelot Linux kernel";
293 +- kernel = "kernel@0";
294 +- fdt = "fdt@ocelot_pcb123";
295 ++ kernel = "kernel";
296 ++ fdt = "fdt-ocelot_pcb123";
297 + };
298 +
299 +- conf@ocelot_pcb120 {
300 ++ conf-ocelot_pcb120 {
301 + description = "Ocelot Linux kernel";
302 +- kernel = "kernel@0";
303 +- fdt = "fdt@ocelot_pcb120";
304 ++ kernel = "kernel";
305 ++ fdt = "fdt-ocelot_pcb120";
306 + };
307 + };
308 + };
309 +diff --git a/arch/mips/generic/board-xilfpga.its.S b/arch/mips/generic/board-xilfpga.its.S
310 +index a2e773d3f14f4..08c1e900eb4ed 100644
311 +--- a/arch/mips/generic/board-xilfpga.its.S
312 ++++ b/arch/mips/generic/board-xilfpga.its.S
313 +@@ -1,22 +1,22 @@
314 + / {
315 + images {
316 +- fdt@xilfpga {
317 ++ fdt-xilfpga {
318 + description = "MIPSfpga (xilfpga) Device Tree";
319 + data = /incbin/("boot/dts/xilfpga/nexys4ddr.dtb");
320 + type = "flat_dt";
321 + arch = "mips";
322 + compression = "none";
323 +- hash@0 {
324 ++ hash {
325 + algo = "sha1";
326 + };
327 + };
328 + };
329 +
330 + configurations {
331 +- conf@xilfpga {
332 ++ conf-xilfpga {
333 + description = "MIPSfpga Linux kernel";
334 +- kernel = "kernel@0";
335 +- fdt = "fdt@xilfpga";
336 ++ kernel = "kernel";
337 ++ fdt = "fdt-xilfpga";
338 + };
339 + };
340 + };
341 +diff --git a/arch/mips/generic/vmlinux.its.S b/arch/mips/generic/vmlinux.its.S
342 +index 1a08438fd8930..3e254676540f4 100644
343 +--- a/arch/mips/generic/vmlinux.its.S
344 ++++ b/arch/mips/generic/vmlinux.its.S
345 +@@ -6,7 +6,7 @@
346 + #address-cells = <ADDR_CELLS>;
347 +
348 + images {
349 +- kernel@0 {
350 ++ kernel {
351 + description = KERNEL_NAME;
352 + data = /incbin/(VMLINUX_BINARY);
353 + type = "kernel";
354 +@@ -15,18 +15,18 @@
355 + compression = VMLINUX_COMPRESSION;
356 + load = /bits/ ADDR_BITS <VMLINUX_LOAD_ADDRESS>;
357 + entry = /bits/ ADDR_BITS <VMLINUX_ENTRY_ADDRESS>;
358 +- hash@0 {
359 ++ hash {
360 + algo = "sha1";
361 + };
362 + };
363 + };
364 +
365 + configurations {
366 +- default = "conf@default";
367 ++ default = "conf-default";
368 +
369 +- conf@default {
370 ++ conf-default {
371 + description = "Generic Linux kernel";
372 +- kernel = "kernel@0";
373 ++ kernel = "kernel";
374 + };
375 + };
376 + };
377 +diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
378 +index e241e0e85ac81..226c366072da3 100644
379 +--- a/arch/riscv/Makefile
380 ++++ b/arch/riscv/Makefile
381 +@@ -14,7 +14,7 @@ ifeq ($(CONFIG_DYNAMIC_FTRACE),y)
382 + LDFLAGS_vmlinux := --no-relax
383 + endif
384 +
385 +-ifeq ($(CONFIG_64BIT)$(CONFIG_CMODEL_MEDLOW),yy)
386 ++ifeq ($(CONFIG_CMODEL_MEDLOW),y)
387 + KBUILD_CFLAGS_MODULE += -mcmodel=medany
388 + endif
389 +
390 +diff --git a/arch/s390/include/asm/stacktrace.h b/arch/s390/include/asm/stacktrace.h
391 +index ee056f4a4fa30..ee582896b6a3f 100644
392 +--- a/arch/s390/include/asm/stacktrace.h
393 ++++ b/arch/s390/include/asm/stacktrace.h
394 +@@ -90,12 +90,16 @@ struct stack_frame {
395 + CALL_ARGS_4(arg1, arg2, arg3, arg4); \
396 + register unsigned long r4 asm("6") = (unsigned long)(arg5)
397 +
398 +-#define CALL_FMT_0 "=&d" (r2) :
399 +-#define CALL_FMT_1 "+&d" (r2) :
400 +-#define CALL_FMT_2 CALL_FMT_1 "d" (r3),
401 +-#define CALL_FMT_3 CALL_FMT_2 "d" (r4),
402 +-#define CALL_FMT_4 CALL_FMT_3 "d" (r5),
403 +-#define CALL_FMT_5 CALL_FMT_4 "d" (r6),
404 ++/*
405 ++ * To keep this simple mark register 2-6 as being changed (volatile)
406 ++ * by the called function, even though register 6 is saved/nonvolatile.
407 ++ */
408 ++#define CALL_FMT_0 "=&d" (r2)
409 ++#define CALL_FMT_1 "+&d" (r2)
410 ++#define CALL_FMT_2 CALL_FMT_1, "+&d" (r3)
411 ++#define CALL_FMT_3 CALL_FMT_2, "+&d" (r4)
412 ++#define CALL_FMT_4 CALL_FMT_3, "+&d" (r5)
413 ++#define CALL_FMT_5 CALL_FMT_4, "+&d" (r6)
414 +
415 + #define CALL_CLOBBER_5 "0", "1", "14", "cc", "memory"
416 + #define CALL_CLOBBER_4 CALL_CLOBBER_5
417 +@@ -117,7 +121,7 @@ struct stack_frame {
418 + " brasl 14,%[_fn]\n" \
419 + " la 15,0(%[_prev])\n" \
420 + : [_prev] "=&a" (prev), CALL_FMT_##nr \
421 +- [_stack] "R" (stack), \
422 ++ : [_stack] "R" (stack), \
423 + [_bc] "i" (offsetof(struct stack_frame, back_chain)), \
424 + [_frame] "d" (frame), \
425 + [_fn] "X" (fn) : CALL_CLOBBER_##nr); \
426 +diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
427 +index 2e4d91f3feea4..93a3122cd15ff 100644
428 +--- a/arch/x86/entry/common.c
429 ++++ b/arch/x86/entry/common.c
430 +@@ -127,8 +127,8 @@ static noinstr bool __do_fast_syscall_32(struct pt_regs *regs)
431 + /* User code screwed up. */
432 + regs->ax = -EFAULT;
433 +
434 +- instrumentation_end();
435 + local_irq_disable();
436 ++ instrumentation_end();
437 + irqentry_exit_to_user_mode(regs);
438 + return false;
439 + }
440 +diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
441 +index a88c94d656931..e6db1a1f22d7d 100644
442 +--- a/arch/x86/events/core.c
443 ++++ b/arch/x86/events/core.c
444 +@@ -45,9 +45,11 @@
445 + #include "perf_event.h"
446 +
447 + struct x86_pmu x86_pmu __read_mostly;
448 ++static struct pmu pmu;
449 +
450 + DEFINE_PER_CPU(struct cpu_hw_events, cpu_hw_events) = {
451 + .enabled = 1,
452 ++ .pmu = &pmu,
453 + };
454 +
455 + DEFINE_STATIC_KEY_FALSE(rdpmc_never_available_key);
456 +@@ -372,10 +374,12 @@ int x86_reserve_hardware(void)
457 + if (!atomic_inc_not_zero(&pmc_refcount)) {
458 + mutex_lock(&pmc_reserve_mutex);
459 + if (atomic_read(&pmc_refcount) == 0) {
460 +- if (!reserve_pmc_hardware())
461 ++ if (!reserve_pmc_hardware()) {
462 + err = -EBUSY;
463 +- else
464 ++ } else {
465 + reserve_ds_buffers();
466 ++ reserve_lbr_buffers();
467 ++ }
468 + }
469 + if (!err)
470 + atomic_inc(&pmc_refcount);
471 +@@ -710,16 +714,23 @@ void x86_pmu_enable_all(int added)
472 + }
473 + }
474 +
475 +-static struct pmu pmu;
476 +-
477 + static inline int is_x86_event(struct perf_event *event)
478 + {
479 + return event->pmu == &pmu;
480 + }
481 +
482 +-struct pmu *x86_get_pmu(void)
483 ++struct pmu *x86_get_pmu(unsigned int cpu)
484 + {
485 +- return &pmu;
486 ++ struct cpu_hw_events *cpuc = &per_cpu(cpu_hw_events, cpu);
487 ++
488 ++ /*
489 ++ * All CPUs of the hybrid type have been offline.
490 ++ * The x86_get_pmu() should not be invoked.
491 ++ */
492 ++ if (WARN_ON_ONCE(!cpuc->pmu))
493 ++ return &pmu;
494 ++
495 ++ return cpuc->pmu;
496 + }
497 + /*
498 + * Event scheduler state:
499 +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
500 +index ee659b5faf714..3b8b8eede1a8a 100644
501 +--- a/arch/x86/events/intel/core.c
502 ++++ b/arch/x86/events/intel/core.c
503 +@@ -4747,7 +4747,7 @@ static void update_tfa_sched(void *ignored)
504 + * and if so force schedule out for all event types all contexts
505 + */
506 + if (test_bit(3, cpuc->active_mask))
507 +- perf_pmu_resched(x86_get_pmu());
508 ++ perf_pmu_resched(x86_get_pmu(smp_processor_id()));
509 + }
510 +
511 + static ssize_t show_sysctl_tfa(struct device *cdev,
512 +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
513 +index 31a7a6566d077..945d470f62d0f 100644
514 +--- a/arch/x86/events/intel/ds.c
515 ++++ b/arch/x86/events/intel/ds.c
516 +@@ -2076,7 +2076,7 @@ void __init intel_ds_init(void)
517 + PERF_SAMPLE_TIME;
518 + x86_pmu.flags |= PMU_FL_PEBS_ALL;
519 + pebs_qual = "-baseline";
520 +- x86_get_pmu()->capabilities |= PERF_PMU_CAP_EXTENDED_REGS;
521 ++ x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_EXTENDED_REGS;
522 + } else {
523 + /* Only basic record supported */
524 + x86_pmu.large_pebs_flags &=
525 +@@ -2091,7 +2091,7 @@ void __init intel_ds_init(void)
526 +
527 + if (x86_pmu.intel_cap.pebs_output_pt_available) {
528 + pr_cont("PEBS-via-PT, ");
529 +- x86_get_pmu()->capabilities |= PERF_PMU_CAP_AUX_OUTPUT;
530 ++ x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_AUX_OUTPUT;
531 + }
532 +
533 + break;
534 +diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
535 +index e2b0efcba1017..9c1a013d56822 100644
536 +--- a/arch/x86/events/intel/lbr.c
537 ++++ b/arch/x86/events/intel/lbr.c
538 +@@ -658,7 +658,6 @@ static inline bool branch_user_callstack(unsigned br_sel)
539 +
540 + void intel_pmu_lbr_add(struct perf_event *event)
541 + {
542 +- struct kmem_cache *kmem_cache = event->pmu->task_ctx_cache;
543 + struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
544 +
545 + if (!x86_pmu.lbr_nr)
546 +@@ -696,16 +695,11 @@ void intel_pmu_lbr_add(struct perf_event *event)
547 + perf_sched_cb_inc(event->ctx->pmu);
548 + if (!cpuc->lbr_users++ && !event->total_time_running)
549 + intel_pmu_lbr_reset();
550 +-
551 +- if (static_cpu_has(X86_FEATURE_ARCH_LBR) &&
552 +- kmem_cache && !cpuc->lbr_xsave &&
553 +- (cpuc->lbr_users != cpuc->lbr_pebs_users))
554 +- cpuc->lbr_xsave = kmem_cache_alloc(kmem_cache, GFP_KERNEL);
555 + }
556 +
557 + void release_lbr_buffers(void)
558 + {
559 +- struct kmem_cache *kmem_cache = x86_get_pmu()->task_ctx_cache;
560 ++ struct kmem_cache *kmem_cache;
561 + struct cpu_hw_events *cpuc;
562 + int cpu;
563 +
564 +@@ -714,6 +708,7 @@ void release_lbr_buffers(void)
565 +
566 + for_each_possible_cpu(cpu) {
567 + cpuc = per_cpu_ptr(&cpu_hw_events, cpu);
568 ++ kmem_cache = x86_get_pmu(cpu)->task_ctx_cache;
569 + if (kmem_cache && cpuc->lbr_xsave) {
570 + kmem_cache_free(kmem_cache, cpuc->lbr_xsave);
571 + cpuc->lbr_xsave = NULL;
572 +@@ -721,6 +716,27 @@ void release_lbr_buffers(void)
573 + }
574 + }
575 +
576 ++void reserve_lbr_buffers(void)
577 ++{
578 ++ struct kmem_cache *kmem_cache;
579 ++ struct cpu_hw_events *cpuc;
580 ++ int cpu;
581 ++
582 ++ if (!static_cpu_has(X86_FEATURE_ARCH_LBR))
583 ++ return;
584 ++
585 ++ for_each_possible_cpu(cpu) {
586 ++ cpuc = per_cpu_ptr(&cpu_hw_events, cpu);
587 ++ kmem_cache = x86_get_pmu(cpu)->task_ctx_cache;
588 ++ if (!kmem_cache || cpuc->lbr_xsave)
589 ++ continue;
590 ++
591 ++ cpuc->lbr_xsave = kmem_cache_alloc_node(kmem_cache,
592 ++ GFP_KERNEL | __GFP_ZERO,
593 ++ cpu_to_node(cpu));
594 ++ }
595 ++}
596 ++
597 + void intel_pmu_lbr_del(struct perf_event *event)
598 + {
599 + struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
600 +@@ -1609,7 +1625,7 @@ void intel_pmu_lbr_init_hsw(void)
601 + x86_pmu.lbr_sel_mask = LBR_SEL_MASK;
602 + x86_pmu.lbr_sel_map = hsw_lbr_sel_map;
603 +
604 +- x86_get_pmu()->task_ctx_cache = create_lbr_kmem_cache(size, 0);
605 ++ x86_get_pmu(smp_processor_id())->task_ctx_cache = create_lbr_kmem_cache(size, 0);
606 +
607 + if (lbr_from_signext_quirk_needed())
608 + static_branch_enable(&lbr_from_quirk_key);
609 +@@ -1629,7 +1645,7 @@ __init void intel_pmu_lbr_init_skl(void)
610 + x86_pmu.lbr_sel_mask = LBR_SEL_MASK;
611 + x86_pmu.lbr_sel_map = hsw_lbr_sel_map;
612 +
613 +- x86_get_pmu()->task_ctx_cache = create_lbr_kmem_cache(size, 0);
614 ++ x86_get_pmu(smp_processor_id())->task_ctx_cache = create_lbr_kmem_cache(size, 0);
615 +
616 + /*
617 + * SW branch filter usage:
618 +@@ -1726,7 +1742,7 @@ static bool is_arch_lbr_xsave_available(void)
619 +
620 + void __init intel_pmu_arch_lbr_init(void)
621 + {
622 +- struct pmu *pmu = x86_get_pmu();
623 ++ struct pmu *pmu = x86_get_pmu(smp_processor_id());
624 + union cpuid28_eax eax;
625 + union cpuid28_ebx ebx;
626 + union cpuid28_ecx ecx;
627 +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
628 +index 6a8edfe59b09c..f07d77cffb3c6 100644
629 +--- a/arch/x86/events/perf_event.h
630 ++++ b/arch/x86/events/perf_event.h
631 +@@ -326,6 +326,8 @@ struct cpu_hw_events {
632 + int n_pair; /* Large increment events */
633 +
634 + void *kfree_on_online[X86_PERF_KFREE_MAX];
635 ++
636 ++ struct pmu *pmu;
637 + };
638 +
639 + #define __EVENT_CONSTRAINT_RANGE(c, e, n, m, w, o, f) { \
640 +@@ -897,7 +899,7 @@ static struct perf_pmu_events_ht_attr event_attr_##v = { \
641 + .event_str_ht = ht, \
642 + }
643 +
644 +-struct pmu *x86_get_pmu(void);
645 ++struct pmu *x86_get_pmu(unsigned int cpu);
646 + extern struct x86_pmu x86_pmu __read_mostly;
647 +
648 + static __always_inline struct x86_perf_task_context_opt *task_context_opt(void *ctx)
649 +@@ -1122,6 +1124,8 @@ void reserve_ds_buffers(void);
650 +
651 + void release_lbr_buffers(void);
652 +
653 ++void reserve_lbr_buffers(void);
654 ++
655 + extern struct event_constraint bts_constraint;
656 + extern struct event_constraint vlbr_constraint;
657 +
658 +@@ -1267,6 +1271,10 @@ static inline void release_lbr_buffers(void)
659 + {
660 + }
661 +
662 ++static inline void reserve_lbr_buffers(void)
663 ++{
664 ++}
665 ++
666 + static inline int intel_pmu_init(void)
667 + {
668 + return 0;
669 +diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
670 +index fdee23ea4e173..16bf4d4a8159e 100644
671 +--- a/arch/x86/include/asm/fpu/internal.h
672 ++++ b/arch/x86/include/asm/fpu/internal.h
673 +@@ -204,6 +204,14 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
674 + asm volatile("fxsaveq %[fx]" : [fx] "=m" (fpu->state.fxsave));
675 + }
676 +
677 ++static inline void fxsave(struct fxregs_state *fx)
678 ++{
679 ++ if (IS_ENABLED(CONFIG_X86_32))
680 ++ asm volatile( "fxsave %[fx]" : [fx] "=m" (*fx));
681 ++ else
682 ++ asm volatile("fxsaveq %[fx]" : [fx] "=m" (*fx));
683 ++}
684 ++
685 + /* These macros all use (%edi)/(%rdi) as the single memory argument. */
686 + #define XSAVE ".byte " REX_PREFIX "0x0f,0xae,0x27"
687 + #define XSAVEOPT ".byte " REX_PREFIX "0x0f,0xae,0x37"
688 +@@ -268,28 +276,6 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
689 + : "D" (st), "m" (*st), "a" (lmask), "d" (hmask) \
690 + : "memory")
691 +
692 +-/*
693 +- * This function is called only during boot time when x86 caps are not set
694 +- * up and alternative can not be used yet.
695 +- */
696 +-static inline void copy_xregs_to_kernel_booting(struct xregs_state *xstate)
697 +-{
698 +- u64 mask = xfeatures_mask_all;
699 +- u32 lmask = mask;
700 +- u32 hmask = mask >> 32;
701 +- int err;
702 +-
703 +- WARN_ON(system_state != SYSTEM_BOOTING);
704 +-
705 +- if (boot_cpu_has(X86_FEATURE_XSAVES))
706 +- XSTATE_OP(XSAVES, xstate, lmask, hmask, err);
707 +- else
708 +- XSTATE_OP(XSAVE, xstate, lmask, hmask, err);
709 +-
710 +- /* We should never fault when copying to a kernel buffer: */
711 +- WARN_ON_FPU(err);
712 +-}
713 +-
714 + /*
715 + * This function is called only during boot time when x86 caps are not set
716 + * up and alternative can not be used yet.
717 +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
718 +index ec3ae30547920..b7b92cdf3add4 100644
719 +--- a/arch/x86/kernel/fpu/signal.c
720 ++++ b/arch/x86/kernel/fpu/signal.c
721 +@@ -221,28 +221,18 @@ sanitize_restored_user_xstate(union fpregs_state *state,
722 +
723 + if (use_xsave()) {
724 + /*
725 +- * Note: we don't need to zero the reserved bits in the
726 +- * xstate_header here because we either didn't copy them at all,
727 +- * or we checked earlier that they aren't set.
728 ++ * Clear all feature bits which are not set in
729 ++ * user_xfeatures and clear all extended features
730 ++ * for fx_only mode.
731 + */
732 ++ u64 mask = fx_only ? XFEATURE_MASK_FPSSE : user_xfeatures;
733 +
734 + /*
735 +- * 'user_xfeatures' might have bits clear which are
736 +- * set in header->xfeatures. This represents features that
737 +- * were in init state prior to a signal delivery, and need
738 +- * to be reset back to the init state. Clear any user
739 +- * feature bits which are set in the kernel buffer to get
740 +- * them back to the init state.
741 +- *
742 +- * Supervisor state is unchanged by input from userspace.
743 +- * Ensure supervisor state bits stay set and supervisor
744 +- * state is not modified.
745 ++ * Supervisor state has to be preserved. The sigframe
746 ++ * restore can only modify user features, i.e. @mask
747 ++ * cannot contain them.
748 + */
749 +- if (fx_only)
750 +- header->xfeatures = XFEATURE_MASK_FPSSE;
751 +- else
752 +- header->xfeatures &= user_xfeatures |
753 +- xfeatures_mask_supervisor();
754 ++ header->xfeatures &= mask | xfeatures_mask_supervisor();
755 + }
756 +
757 + if (use_fxsr()) {
758 +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
759 +index 67f1a03b9b235..80dcf0417f30b 100644
760 +--- a/arch/x86/kernel/fpu/xstate.c
761 ++++ b/arch/x86/kernel/fpu/xstate.c
762 +@@ -440,6 +440,25 @@ static void __init print_xstate_offset_size(void)
763 + }
764 + }
765 +
766 ++/*
767 ++ * All supported features have either init state all zeros or are
768 ++ * handled in setup_init_fpu() individually. This is an explicit
769 ++ * feature list and does not use XFEATURE_MASK*SUPPORTED to catch
770 ++ * newly added supported features at build time and make people
771 ++ * actually look at the init state for the new feature.
772 ++ */
773 ++#define XFEATURES_INIT_FPSTATE_HANDLED \
774 ++ (XFEATURE_MASK_FP | \
775 ++ XFEATURE_MASK_SSE | \
776 ++ XFEATURE_MASK_YMM | \
777 ++ XFEATURE_MASK_OPMASK | \
778 ++ XFEATURE_MASK_ZMM_Hi256 | \
779 ++ XFEATURE_MASK_Hi16_ZMM | \
780 ++ XFEATURE_MASK_PKRU | \
781 ++ XFEATURE_MASK_BNDREGS | \
782 ++ XFEATURE_MASK_BNDCSR | \
783 ++ XFEATURE_MASK_PASID)
784 ++
785 + /*
786 + * setup the xstate image representing the init state
787 + */
788 +@@ -447,6 +466,10 @@ static void __init setup_init_fpu_buf(void)
789 + {
790 + static int on_boot_cpu __initdata = 1;
791 +
792 ++ BUILD_BUG_ON((XFEATURE_MASK_USER_SUPPORTED |
793 ++ XFEATURE_MASK_SUPERVISOR_SUPPORTED) !=
794 ++ XFEATURES_INIT_FPSTATE_HANDLED);
795 ++
796 + WARN_ON_FPU(!on_boot_cpu);
797 + on_boot_cpu = 0;
798 +
799 +@@ -466,10 +489,22 @@ static void __init setup_init_fpu_buf(void)
800 + copy_kernel_to_xregs_booting(&init_fpstate.xsave);
801 +
802 + /*
803 +- * Dump the init state again. This is to identify the init state
804 +- * of any feature which is not represented by all zero's.
805 ++ * All components are now in init state. Read the state back so
806 ++ * that init_fpstate contains all non-zero init state. This only
807 ++ * works with XSAVE, but not with XSAVEOPT and XSAVES because
808 ++ * those use the init optimization which skips writing data for
809 ++ * components in init state.
810 ++ *
811 ++ * XSAVE could be used, but that would require to reshuffle the
812 ++ * data when XSAVES is available because XSAVES uses xstate
813 ++ * compaction. But doing so is a pointless exercise because most
814 ++ * components have an all zeros init state except for the legacy
815 ++ * ones (FP and SSE). Those can be saved with FXSAVE into the
816 ++ * legacy area. Adding new features requires to ensure that init
817 ++ * state is all zeroes or if not to add the necessary handling
818 ++ * here.
819 + */
820 +- copy_xregs_to_kernel_booting(&init_fpstate.xsave);
821 ++ fxsave(&init_fpstate.fxsave);
822 + }
823 +
824 + static int xfeature_uncompacted_offset(int xfeature_nr)
825 +diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
826 +index 16b10b9436dc5..01547bdbfb061 100644
827 +--- a/arch/x86/kvm/svm/sev.c
828 ++++ b/arch/x86/kvm/svm/sev.c
829 +@@ -130,9 +130,25 @@ static void sev_asid_free(int asid)
830 + mutex_unlock(&sev_bitmap_lock);
831 + }
832 +
833 +-static void sev_unbind_asid(struct kvm *kvm, unsigned int handle)
834 ++static void sev_decommission(unsigned int handle)
835 + {
836 + struct sev_data_decommission *decommission;
837 ++
838 ++ if (!handle)
839 ++ return;
840 ++
841 ++ decommission = kzalloc(sizeof(*decommission), GFP_KERNEL);
842 ++ if (!decommission)
843 ++ return;
844 ++
845 ++ decommission->handle = handle;
846 ++ sev_guest_decommission(decommission, NULL);
847 ++
848 ++ kfree(decommission);
849 ++}
850 ++
851 ++static void sev_unbind_asid(struct kvm *kvm, unsigned int handle)
852 ++{
853 + struct sev_data_deactivate *data;
854 +
855 + if (!handle)
856 +@@ -152,15 +168,7 @@ static void sev_unbind_asid(struct kvm *kvm, unsigned int handle)
857 +
858 + kfree(data);
859 +
860 +- decommission = kzalloc(sizeof(*decommission), GFP_KERNEL);
861 +- if (!decommission)
862 +- return;
863 +-
864 +- /* decommission handle */
865 +- decommission->handle = handle;
866 +- sev_guest_decommission(decommission, NULL);
867 +-
868 +- kfree(decommission);
869 ++ sev_decommission(handle);
870 + }
871 +
872 + static int sev_guest_init(struct kvm *kvm, struct kvm_sev_cmd *argp)
873 +@@ -288,8 +296,10 @@ static int sev_launch_start(struct kvm *kvm, struct kvm_sev_cmd *argp)
874 +
875 + /* Bind ASID to this guest */
876 + ret = sev_bind_asid(kvm, start->handle, error);
877 +- if (ret)
878 ++ if (ret) {
879 ++ sev_decommission(start->handle);
880 + goto e_free_session;
881 ++ }
882 +
883 + /* return handle to userspace */
884 + params.handle = start->handle;
885 +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
886 +index 0a0e168be1cbe..9b0e771302cee 100644
887 +--- a/arch/x86/pci/fixup.c
888 ++++ b/arch/x86/pci/fixup.c
889 +@@ -779,4 +779,48 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar);
890 + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar);
891 + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar);
892 +
893 ++#define RS690_LOWER_TOP_OF_DRAM2 0x30
894 ++#define RS690_LOWER_TOP_OF_DRAM2_VALID 0x1
895 ++#define RS690_UPPER_TOP_OF_DRAM2 0x31
896 ++#define RS690_HTIU_NB_INDEX 0xA8
897 ++#define RS690_HTIU_NB_INDEX_WR_ENABLE 0x100
898 ++#define RS690_HTIU_NB_DATA 0xAC
899 ++
900 ++/*
901 ++ * Some BIOS implementations support RAM above 4GB, but do not configure the
902 ++ * PCI host to respond to bus master accesses for these addresses. These
903 ++ * implementations set the TOP_OF_DRAM_SLOT1 register correctly, so PCI DMA
904 ++ * works as expected for addresses below 4GB.
905 ++ *
906 ++ * Reference: "AMD RS690 ASIC Family Register Reference Guide" (pg. 2-57)
907 ++ * https://www.amd.com/system/files/TechDocs/43372_rs690_rrg_3.00o.pdf
908 ++ */
909 ++static void rs690_fix_64bit_dma(struct pci_dev *pdev)
910 ++{
911 ++ u32 val = 0;
912 ++ phys_addr_t top_of_dram = __pa(high_memory - 1) + 1;
913 ++
914 ++ if (top_of_dram <= (1ULL << 32))
915 ++ return;
916 ++
917 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
918 ++ RS690_LOWER_TOP_OF_DRAM2);
919 ++ pci_read_config_dword(pdev, RS690_HTIU_NB_DATA, &val);
920 ++
921 ++ if (val)
922 ++ return;
923 ++
924 ++ pci_info(pdev, "Adjusting top of DRAM to %pa for 64-bit DMA support\n", &top_of_dram);
925 ++
926 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
927 ++ RS690_UPPER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE);
928 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, top_of_dram >> 32);
929 ++
930 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
931 ++ RS690_LOWER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE);
932 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA,
933 ++ top_of_dram | RS690_LOWER_TOP_OF_DRAM2_VALID);
934 ++}
935 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7910, rs690_fix_64bit_dma);
936 ++
937 + #endif
938 +diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
939 +index 8064df6382227..d3cdf467d91fa 100644
940 +--- a/arch/x86/xen/enlighten_pv.c
941 ++++ b/arch/x86/xen/enlighten_pv.c
942 +@@ -586,8 +586,10 @@ DEFINE_IDTENTRY_RAW(xenpv_exc_debug)
943 + DEFINE_IDTENTRY_RAW(exc_xen_unknown_trap)
944 + {
945 + /* This should never happen and there is no way to handle it. */
946 ++ instrumentation_begin();
947 + pr_err("Unknown trap in Xen PV mode.");
948 + BUG();
949 ++ instrumentation_end();
950 + }
951 +
952 + struct trap_array_entry {
953 +diff --git a/certs/Kconfig b/certs/Kconfig
954 +index c94e93d8bccf0..ab88d2a7f3c7f 100644
955 +--- a/certs/Kconfig
956 ++++ b/certs/Kconfig
957 +@@ -83,4 +83,21 @@ config SYSTEM_BLACKLIST_HASH_LIST
958 + wrapper to incorporate the list into the kernel. Each <hash> should
959 + be a string of hex digits.
960 +
961 ++config SYSTEM_REVOCATION_LIST
962 ++ bool "Provide system-wide ring of revocation certificates"
963 ++ depends on SYSTEM_BLACKLIST_KEYRING
964 ++ depends on PKCS7_MESSAGE_PARSER=y
965 ++ help
966 ++ If set, this allows revocation certificates to be stored in the
967 ++ blacklist keyring and implements a hook whereby a PKCS#7 message can
968 ++ be checked to see if it matches such a certificate.
969 ++
970 ++config SYSTEM_REVOCATION_KEYS
971 ++ string "X.509 certificates to be preloaded into the system blacklist keyring"
972 ++ depends on SYSTEM_REVOCATION_LIST
973 ++ help
974 ++ If set, this option should be the filename of a PEM-formatted file
975 ++ containing X.509 certificates to be included in the default blacklist
976 ++ keyring.
977 ++
978 + endmenu
979 +diff --git a/certs/Makefile b/certs/Makefile
980 +index f4c25b67aad90..b6db52ebf0beb 100644
981 +--- a/certs/Makefile
982 ++++ b/certs/Makefile
983 +@@ -3,8 +3,9 @@
984 + # Makefile for the linux kernel signature checking certificates.
985 + #
986 +
987 +-obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
988 +-obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
989 ++obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
990 ++obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
991 ++obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
992 + ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
993 + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
994 + else
995 +@@ -29,7 +30,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF
996 + $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
997 + endif # CONFIG_SYSTEM_TRUSTED_KEYRING
998 +
999 +-clean-files := x509_certificate_list .x509.list
1000 ++clean-files := x509_certificate_list .x509.list x509_revocation_list
1001 +
1002 + ifeq ($(CONFIG_MODULE_SIG),y)
1003 + ###############################################################################
1004 +@@ -104,3 +105,17 @@ targets += signing_key.x509
1005 + $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
1006 + $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
1007 + endif # CONFIG_MODULE_SIG
1008 ++
1009 ++ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y)
1010 ++
1011 ++$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS))
1012 ++
1013 ++$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
1014 ++
1015 ++quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2))
1016 ++ cmd_extract_certs = scripts/extract-cert $(2) $@
1017 ++
1018 ++targets += x509_revocation_list
1019 ++$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE
1020 ++ $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS))
1021 ++endif
1022 +diff --git a/certs/blacklist.c b/certs/blacklist.c
1023 +index f1c434b04b5e4..c973de883cf02 100644
1024 +--- a/certs/blacklist.c
1025 ++++ b/certs/blacklist.c
1026 +@@ -16,9 +16,15 @@
1027 + #include <linux/seq_file.h>
1028 + #include <keys/system_keyring.h>
1029 + #include "blacklist.h"
1030 ++#include "common.h"
1031 +
1032 + static struct key *blacklist_keyring;
1033 +
1034 ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
1035 ++extern __initconst const u8 revocation_certificate_list[];
1036 ++extern __initconst const unsigned long revocation_certificate_list_size;
1037 ++#endif
1038 ++
1039 + /*
1040 + * The description must be a type prefix, a colon and then an even number of
1041 + * hex digits. The hash is kept in the description.
1042 +@@ -144,6 +150,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
1043 + }
1044 + EXPORT_SYMBOL_GPL(is_binary_blacklisted);
1045 +
1046 ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
1047 ++/**
1048 ++ * add_key_to_revocation_list - Add a revocation certificate to the blacklist
1049 ++ * @data: The data blob containing the certificate
1050 ++ * @size: The size of data blob
1051 ++ */
1052 ++int add_key_to_revocation_list(const char *data, size_t size)
1053 ++{
1054 ++ key_ref_t key;
1055 ++
1056 ++ key = key_create_or_update(make_key_ref(blacklist_keyring, true),
1057 ++ "asymmetric",
1058 ++ NULL,
1059 ++ data,
1060 ++ size,
1061 ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
1062 ++ KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
1063 ++
1064 ++ if (IS_ERR(key)) {
1065 ++ pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
1066 ++ return PTR_ERR(key);
1067 ++ }
1068 ++
1069 ++ return 0;
1070 ++}
1071 ++
1072 ++/**
1073 ++ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
1074 ++ * @pkcs7: The PKCS#7 message to check
1075 ++ */
1076 ++int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
1077 ++{
1078 ++ int ret;
1079 ++
1080 ++ ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
1081 ++
1082 ++ if (ret == 0)
1083 ++ return -EKEYREJECTED;
1084 ++
1085 ++ return -ENOKEY;
1086 ++}
1087 ++#endif
1088 ++
1089 + /*
1090 + * Initialise the blacklist
1091 + */
1092 +@@ -177,3 +226,18 @@ static int __init blacklist_init(void)
1093 + * Must be initialised before we try and load the keys into the keyring.
1094 + */
1095 + device_initcall(blacklist_init);
1096 ++
1097 ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
1098 ++/*
1099 ++ * Load the compiled-in list of revocation X.509 certificates.
1100 ++ */
1101 ++static __init int load_revocation_certificate_list(void)
1102 ++{
1103 ++ if (revocation_certificate_list_size)
1104 ++ pr_notice("Loading compiled-in revocation X.509 certificates\n");
1105 ++
1106 ++ return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
1107 ++ blacklist_keyring);
1108 ++}
1109 ++late_initcall(load_revocation_certificate_list);
1110 ++#endif
1111 +diff --git a/certs/blacklist.h b/certs/blacklist.h
1112 +index 1efd6fa0dc608..51b320cf85749 100644
1113 +--- a/certs/blacklist.h
1114 ++++ b/certs/blacklist.h
1115 +@@ -1,3 +1,5 @@
1116 + #include <linux/kernel.h>
1117 ++#include <linux/errno.h>
1118 ++#include <crypto/pkcs7.h>
1119 +
1120 + extern const char __initconst *const blacklist_hashes[];
1121 +diff --git a/certs/common.c b/certs/common.c
1122 +new file mode 100644
1123 +index 0000000000000..16a220887a53e
1124 +--- /dev/null
1125 ++++ b/certs/common.c
1126 +@@ -0,0 +1,57 @@
1127 ++// SPDX-License-Identifier: GPL-2.0-or-later
1128 ++
1129 ++#include <linux/kernel.h>
1130 ++#include <linux/key.h>
1131 ++#include "common.h"
1132 ++
1133 ++int load_certificate_list(const u8 cert_list[],
1134 ++ const unsigned long list_size,
1135 ++ const struct key *keyring)
1136 ++{
1137 ++ key_ref_t key;
1138 ++ const u8 *p, *end;
1139 ++ size_t plen;
1140 ++
1141 ++ p = cert_list;
1142 ++ end = p + list_size;
1143 ++ while (p < end) {
1144 ++ /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
1145 ++ * than 256 bytes in size.
1146 ++ */
1147 ++ if (end - p < 4)
1148 ++ goto dodgy_cert;
1149 ++ if (p[0] != 0x30 &&
1150 ++ p[1] != 0x82)
1151 ++ goto dodgy_cert;
1152 ++ plen = (p[2] << 8) | p[3];
1153 ++ plen += 4;
1154 ++ if (plen > end - p)
1155 ++ goto dodgy_cert;
1156 ++
1157 ++ key = key_create_or_update(make_key_ref(keyring, 1),
1158 ++ "asymmetric",
1159 ++ NULL,
1160 ++ p,
1161 ++ plen,
1162 ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
1163 ++ KEY_USR_VIEW | KEY_USR_READ),
1164 ++ KEY_ALLOC_NOT_IN_QUOTA |
1165 ++ KEY_ALLOC_BUILT_IN |
1166 ++ KEY_ALLOC_BYPASS_RESTRICTION);
1167 ++ if (IS_ERR(key)) {
1168 ++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
1169 ++ PTR_ERR(key));
1170 ++ } else {
1171 ++ pr_notice("Loaded X.509 cert '%s'\n",
1172 ++ key_ref_to_ptr(key)->description);
1173 ++ key_ref_put(key);
1174 ++ }
1175 ++ p += plen;
1176 ++ }
1177 ++
1178 ++ return 0;
1179 ++
1180 ++dodgy_cert:
1181 ++ pr_err("Problem parsing in-kernel X.509 certificate list\n");
1182 ++ return 0;
1183 ++}
1184 +diff --git a/certs/common.h b/certs/common.h
1185 +new file mode 100644
1186 +index 0000000000000..abdb5795936b7
1187 +--- /dev/null
1188 ++++ b/certs/common.h
1189 +@@ -0,0 +1,9 @@
1190 ++/* SPDX-License-Identifier: GPL-2.0-or-later */
1191 ++
1192 ++#ifndef _CERT_COMMON_H
1193 ++#define _CERT_COMMON_H
1194 ++
1195 ++int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
1196 ++ const struct key *keyring);
1197 ++
1198 ++#endif
1199 +diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S
1200 +new file mode 100644
1201 +index 0000000000000..f21aae8a8f0ef
1202 +--- /dev/null
1203 ++++ b/certs/revocation_certificates.S
1204 +@@ -0,0 +1,21 @@
1205 ++/* SPDX-License-Identifier: GPL-2.0 */
1206 ++#include <linux/export.h>
1207 ++#include <linux/init.h>
1208 ++
1209 ++ __INITRODATA
1210 ++
1211 ++ .align 8
1212 ++ .globl revocation_certificate_list
1213 ++revocation_certificate_list:
1214 ++__revocation_list_start:
1215 ++ .incbin "certs/x509_revocation_list"
1216 ++__revocation_list_end:
1217 ++
1218 ++ .align 8
1219 ++ .globl revocation_certificate_list_size
1220 ++revocation_certificate_list_size:
1221 ++#ifdef CONFIG_64BIT
1222 ++ .quad __revocation_list_end - __revocation_list_start
1223 ++#else
1224 ++ .long __revocation_list_end - __revocation_list_start
1225 ++#endif
1226 +diff --git a/certs/system_keyring.c b/certs/system_keyring.c
1227 +index 798291177186c..a44a8915c94cf 100644
1228 +--- a/certs/system_keyring.c
1229 ++++ b/certs/system_keyring.c
1230 +@@ -15,6 +15,7 @@
1231 + #include <keys/asymmetric-type.h>
1232 + #include <keys/system_keyring.h>
1233 + #include <crypto/pkcs7.h>
1234 ++#include "common.h"
1235 +
1236 + static struct key *builtin_trusted_keys;
1237 + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
1238 +@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init);
1239 + */
1240 + static __init int load_system_certificate_list(void)
1241 + {
1242 +- key_ref_t key;
1243 +- const u8 *p, *end;
1244 +- size_t plen;
1245 +-
1246 + pr_notice("Loading compiled-in X.509 certificates\n");
1247 +
1248 +- p = system_certificate_list;
1249 +- end = p + system_certificate_list_size;
1250 +- while (p < end) {
1251 +- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
1252 +- * than 256 bytes in size.
1253 +- */
1254 +- if (end - p < 4)
1255 +- goto dodgy_cert;
1256 +- if (p[0] != 0x30 &&
1257 +- p[1] != 0x82)
1258 +- goto dodgy_cert;
1259 +- plen = (p[2] << 8) | p[3];
1260 +- plen += 4;
1261 +- if (plen > end - p)
1262 +- goto dodgy_cert;
1263 +-
1264 +- key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
1265 +- "asymmetric",
1266 +- NULL,
1267 +- p,
1268 +- plen,
1269 +- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
1270 +- KEY_USR_VIEW | KEY_USR_READ),
1271 +- KEY_ALLOC_NOT_IN_QUOTA |
1272 +- KEY_ALLOC_BUILT_IN |
1273 +- KEY_ALLOC_BYPASS_RESTRICTION);
1274 +- if (IS_ERR(key)) {
1275 +- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
1276 +- PTR_ERR(key));
1277 +- } else {
1278 +- pr_notice("Loaded X.509 cert '%s'\n",
1279 +- key_ref_to_ptr(key)->description);
1280 +- key_ref_put(key);
1281 +- }
1282 +- p += plen;
1283 +- }
1284 +-
1285 +- return 0;
1286 +-
1287 +-dodgy_cert:
1288 +- pr_err("Problem parsing in-kernel X.509 certificate list\n");
1289 +- return 0;
1290 ++ return load_certificate_list(system_certificate_list, system_certificate_list_size,
1291 ++ builtin_trusted_keys);
1292 + }
1293 + late_initcall(load_system_certificate_list);
1294 +
1295 +@@ -241,6 +198,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
1296 + pr_devel("PKCS#7 platform keyring is not available\n");
1297 + goto error;
1298 + }
1299 ++
1300 ++ ret = is_key_on_revocation_list(pkcs7);
1301 ++ if (ret != -ENOKEY) {
1302 ++ pr_devel("PKCS#7 platform key is on revocation list\n");
1303 ++ goto error;
1304 ++ }
1305 + }
1306 + ret = pkcs7_validate_trust(pkcs7, trusted_keys);
1307 + if (ret < 0) {
1308 +diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig
1309 +index f2db761ee5488..f28bb2334e747 100644
1310 +--- a/drivers/dma/Kconfig
1311 ++++ b/drivers/dma/Kconfig
1312 +@@ -693,6 +693,7 @@ config XILINX_ZYNQMP_DMA
1313 +
1314 + config XILINX_ZYNQMP_DPDMA
1315 + tristate "Xilinx DPDMA Engine"
1316 ++ depends on HAS_IOMEM && OF
1317 + select DMA_ENGINE
1318 + select DMA_VIRTUAL_CHANNELS
1319 + help
1320 +diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
1321 +index 27c07350971dd..375e7e647df6b 100644
1322 +--- a/drivers/dma/mediatek/mtk-uart-apdma.c
1323 ++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
1324 +@@ -131,10 +131,7 @@ static unsigned int mtk_uart_apdma_read(struct mtk_chan *c, unsigned int reg)
1325 +
1326 + static void mtk_uart_apdma_desc_free(struct virt_dma_desc *vd)
1327 + {
1328 +- struct dma_chan *chan = vd->tx.chan;
1329 +- struct mtk_chan *c = to_mtk_uart_apdma_chan(chan);
1330 +-
1331 +- kfree(c->desc);
1332 ++ kfree(container_of(vd, struct mtk_uart_apdma_desc, vd));
1333 + }
1334 +
1335 + static void mtk_uart_apdma_start_tx(struct mtk_chan *c)
1336 +@@ -207,14 +204,9 @@ static void mtk_uart_apdma_start_rx(struct mtk_chan *c)
1337 +
1338 + static void mtk_uart_apdma_tx_handler(struct mtk_chan *c)
1339 + {
1340 +- struct mtk_uart_apdma_desc *d = c->desc;
1341 +-
1342 + mtk_uart_apdma_write(c, VFF_INT_FLAG, VFF_TX_INT_CLR_B);
1343 + mtk_uart_apdma_write(c, VFF_INT_EN, VFF_INT_EN_CLR_B);
1344 + mtk_uart_apdma_write(c, VFF_EN, VFF_EN_CLR_B);
1345 +-
1346 +- list_del(&d->vd.node);
1347 +- vchan_cookie_complete(&d->vd);
1348 + }
1349 +
1350 + static void mtk_uart_apdma_rx_handler(struct mtk_chan *c)
1351 +@@ -245,9 +237,17 @@ static void mtk_uart_apdma_rx_handler(struct mtk_chan *c)
1352 +
1353 + c->rx_status = d->avail_len - cnt;
1354 + mtk_uart_apdma_write(c, VFF_RPT, wg);
1355 ++}
1356 +
1357 +- list_del(&d->vd.node);
1358 +- vchan_cookie_complete(&d->vd);
1359 ++static void mtk_uart_apdma_chan_complete_handler(struct mtk_chan *c)
1360 ++{
1361 ++ struct mtk_uart_apdma_desc *d = c->desc;
1362 ++
1363 ++ if (d) {
1364 ++ list_del(&d->vd.node);
1365 ++ vchan_cookie_complete(&d->vd);
1366 ++ c->desc = NULL;
1367 ++ }
1368 + }
1369 +
1370 + static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id)
1371 +@@ -261,6 +261,7 @@ static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id)
1372 + mtk_uart_apdma_rx_handler(c);
1373 + else if (c->dir == DMA_MEM_TO_DEV)
1374 + mtk_uart_apdma_tx_handler(c);
1375 ++ mtk_uart_apdma_chan_complete_handler(c);
1376 + spin_unlock_irqrestore(&c->vc.lock, flags);
1377 +
1378 + return IRQ_HANDLED;
1379 +@@ -348,7 +349,7 @@ static struct dma_async_tx_descriptor *mtk_uart_apdma_prep_slave_sg
1380 + return NULL;
1381 +
1382 + /* Now allocate and setup the descriptor */
1383 +- d = kzalloc(sizeof(*d), GFP_ATOMIC);
1384 ++ d = kzalloc(sizeof(*d), GFP_NOWAIT);
1385 + if (!d)
1386 + return NULL;
1387 +
1388 +@@ -366,7 +367,7 @@ static void mtk_uart_apdma_issue_pending(struct dma_chan *chan)
1389 + unsigned long flags;
1390 +
1391 + spin_lock_irqsave(&c->vc.lock, flags);
1392 +- if (vchan_issue_pending(&c->vc)) {
1393 ++ if (vchan_issue_pending(&c->vc) && !c->desc) {
1394 + vd = vchan_next_desc(&c->vc);
1395 + c->desc = to_mtk_uart_apdma_desc(&vd->tx);
1396 +
1397 +diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
1398 +index a57705356e8bb..991a7b5da29f0 100644
1399 +--- a/drivers/dma/sh/rcar-dmac.c
1400 ++++ b/drivers/dma/sh/rcar-dmac.c
1401 +@@ -1874,7 +1874,7 @@ static int rcar_dmac_probe(struct platform_device *pdev)
1402 +
1403 + /* Enable runtime PM and initialize the device. */
1404 + pm_runtime_enable(&pdev->dev);
1405 +- ret = pm_runtime_get_sync(&pdev->dev);
1406 ++ ret = pm_runtime_resume_and_get(&pdev->dev);
1407 + if (ret < 0) {
1408 + dev_err(&pdev->dev, "runtime PM get sync failed (%d)\n", ret);
1409 + return ret;
1410 +diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
1411 +index 08cfbfab837bb..9d473923712ad 100644
1412 +--- a/drivers/dma/stm32-mdma.c
1413 ++++ b/drivers/dma/stm32-mdma.c
1414 +@@ -1448,7 +1448,7 @@ static int stm32_mdma_alloc_chan_resources(struct dma_chan *c)
1415 + return -ENOMEM;
1416 + }
1417 +
1418 +- ret = pm_runtime_get_sync(dmadev->ddev.dev);
1419 ++ ret = pm_runtime_resume_and_get(dmadev->ddev.dev);
1420 + if (ret < 0)
1421 + return ret;
1422 +
1423 +@@ -1714,7 +1714,7 @@ static int stm32_mdma_pm_suspend(struct device *dev)
1424 + u32 ccr, id;
1425 + int ret;
1426 +
1427 +- ret = pm_runtime_get_sync(dev);
1428 ++ ret = pm_runtime_resume_and_get(dev);
1429 + if (ret < 0)
1430 + return ret;
1431 +
1432 +diff --git a/drivers/dma/xilinx/xilinx_dpdma.c b/drivers/dma/xilinx/xilinx_dpdma.c
1433 +index ff7dfb3fdeb47..6c709803203ad 100644
1434 +--- a/drivers/dma/xilinx/xilinx_dpdma.c
1435 ++++ b/drivers/dma/xilinx/xilinx_dpdma.c
1436 +@@ -113,6 +113,7 @@
1437 + #define XILINX_DPDMA_CH_VDO 0x020
1438 + #define XILINX_DPDMA_CH_PYLD_SZ 0x024
1439 + #define XILINX_DPDMA_CH_DESC_ID 0x028
1440 ++#define XILINX_DPDMA_CH_DESC_ID_MASK GENMASK(15, 0)
1441 +
1442 + /* DPDMA descriptor fields */
1443 + #define XILINX_DPDMA_DESC_CONTROL_PREEMBLE 0xa5
1444 +@@ -866,7 +867,8 @@ static void xilinx_dpdma_chan_queue_transfer(struct xilinx_dpdma_chan *chan)
1445 + * will be used, but it should be enough.
1446 + */
1447 + list_for_each_entry(sw_desc, &desc->descriptors, node)
1448 +- sw_desc->hw.desc_id = desc->vdesc.tx.cookie;
1449 ++ sw_desc->hw.desc_id = desc->vdesc.tx.cookie
1450 ++ & XILINX_DPDMA_CH_DESC_ID_MASK;
1451 +
1452 + sw_desc = list_first_entry(&desc->descriptors,
1453 + struct xilinx_dpdma_sw_desc, node);
1454 +@@ -1086,7 +1088,8 @@ static void xilinx_dpdma_chan_vsync_irq(struct xilinx_dpdma_chan *chan)
1455 + if (!chan->running || !pending)
1456 + goto out;
1457 +
1458 +- desc_id = dpdma_read(chan->reg, XILINX_DPDMA_CH_DESC_ID);
1459 ++ desc_id = dpdma_read(chan->reg, XILINX_DPDMA_CH_DESC_ID)
1460 ++ & XILINX_DPDMA_CH_DESC_ID_MASK;
1461 +
1462 + /* If the retrigger raced with vsync, retry at the next frame. */
1463 + sw_desc = list_first_entry(&pending->descriptors,
1464 +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
1465 +index d8419565b92cc..5fecf5aa6e858 100644
1466 +--- a/drivers/dma/xilinx/zynqmp_dma.c
1467 ++++ b/drivers/dma/xilinx/zynqmp_dma.c
1468 +@@ -468,7 +468,7 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan)
1469 + struct zynqmp_dma_desc_sw *desc;
1470 + int i, ret;
1471 +
1472 +- ret = pm_runtime_get_sync(chan->dev);
1473 ++ ret = pm_runtime_resume_and_get(chan->dev);
1474 + if (ret < 0)
1475 + return ret;
1476 +
1477 +diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
1478 +index ade3ecf2ee495..2613881a66e66 100644
1479 +--- a/drivers/gpio/gpiolib-cdev.c
1480 ++++ b/drivers/gpio/gpiolib-cdev.c
1481 +@@ -1865,6 +1865,7 @@ static void gpio_v2_line_info_changed_to_v1(
1482 + struct gpio_v2_line_info_changed *lic_v2,
1483 + struct gpioline_info_changed *lic_v1)
1484 + {
1485 ++ memset(lic_v1, 0, sizeof(*lic_v1));
1486 + gpio_v2_line_info_to_v1(&lic_v2->info, &lic_v1->info);
1487 + lic_v1->timestamp = lic_v2->timestamp_ns;
1488 + lic_v1->event_type = lic_v2->event_type;
1489 +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
1490 +index 1b56dbc1f304e..e93ccdc5faf4e 100644
1491 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
1492 ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
1493 +@@ -238,9 +238,21 @@ static int amdgpu_dma_buf_pin(struct dma_buf_attachment *attach)
1494 + {
1495 + struct drm_gem_object *obj = attach->dmabuf->priv;
1496 + struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);
1497 ++ int r;
1498 +
1499 + /* pin buffer into GTT */
1500 +- return amdgpu_bo_pin(bo, AMDGPU_GEM_DOMAIN_GTT);
1501 ++ r = amdgpu_bo_pin(bo, AMDGPU_GEM_DOMAIN_GTT);
1502 ++ if (r)
1503 ++ return r;
1504 ++
1505 ++ if (bo->tbo.moving) {
1506 ++ r = dma_fence_wait(bo->tbo.moving, true);
1507 ++ if (r) {
1508 ++ amdgpu_bo_unpin(bo);
1509 ++ return r;
1510 ++ }
1511 ++ }
1512 ++ return 0;
1513 + }
1514 +
1515 + /**
1516 +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
1517 +index 3c92dacbc24ad..fc8da5fed779b 100644
1518 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
1519 ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
1520 +@@ -6590,12 +6590,8 @@ static int gfx_v10_0_kiq_init_register(struct amdgpu_ring *ring)
1521 + if (ring->use_doorbell) {
1522 + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER,
1523 + (adev->doorbell_index.kiq * 2) << 2);
1524 +- /* If GC has entered CGPG, ringing doorbell > first page doesn't
1525 +- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround
1526 +- * this issue.
1527 +- */
1528 + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER,
1529 +- (adev->doorbell.size - 4));
1530 ++ (adev->doorbell_index.userqueue_end * 2) << 2);
1531 + }
1532 +
1533 + WREG32_SOC15(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL,
1534 +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
1535 +index 1859d293ef712..fb15e8b5af32f 100644
1536 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
1537 ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
1538 +@@ -3619,12 +3619,8 @@ static int gfx_v9_0_kiq_init_register(struct amdgpu_ring *ring)
1539 + if (ring->use_doorbell) {
1540 + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER,
1541 + (adev->doorbell_index.kiq * 2) << 2);
1542 +- /* If GC has entered CGPG, ringing doorbell > first page doesn't
1543 +- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround
1544 +- * this issue.
1545 +- */
1546 + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER,
1547 +- (adev->doorbell.size - 4));
1548 ++ (adev->doorbell_index.userqueue_end * 2) << 2);
1549 + }
1550 +
1551 + WREG32_SOC15_RLC(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL,
1552 +diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c
1553 +index b2ecb91f8ddc0..5f5b87f995468 100644
1554 +--- a/drivers/gpu/drm/nouveau/nouveau_prime.c
1555 ++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c
1556 +@@ -111,7 +111,22 @@ int nouveau_gem_prime_pin(struct drm_gem_object *obj)
1557 + if (ret)
1558 + return -EINVAL;
1559 +
1560 +- return 0;
1561 ++ ret = ttm_bo_reserve(&nvbo->bo, false, false, NULL);
1562 ++ if (ret)
1563 ++ goto error;
1564 ++
1565 ++ if (nvbo->bo.moving)
1566 ++ ret = dma_fence_wait(nvbo->bo.moving, true);
1567 ++
1568 ++ ttm_bo_unreserve(&nvbo->bo);
1569 ++ if (ret)
1570 ++ goto error;
1571 ++
1572 ++ return ret;
1573 ++
1574 ++error:
1575 ++ nouveau_bo_unpin(nvbo);
1576 ++ return ret;
1577 + }
1578 +
1579 + void nouveau_gem_prime_unpin(struct drm_gem_object *obj)
1580 +diff --git a/drivers/gpu/drm/radeon/radeon_prime.c b/drivers/gpu/drm/radeon/radeon_prime.c
1581 +index b9de0e51c0be9..cbad81578190f 100644
1582 +--- a/drivers/gpu/drm/radeon/radeon_prime.c
1583 ++++ b/drivers/gpu/drm/radeon/radeon_prime.c
1584 +@@ -94,9 +94,19 @@ int radeon_gem_prime_pin(struct drm_gem_object *obj)
1585 +
1586 + /* pin buffer into GTT */
1587 + ret = radeon_bo_pin(bo, RADEON_GEM_DOMAIN_GTT, NULL);
1588 +- if (likely(ret == 0))
1589 +- bo->prime_shared_count++;
1590 +-
1591 ++ if (unlikely(ret))
1592 ++ goto error;
1593 ++
1594 ++ if (bo->tbo.moving) {
1595 ++ ret = dma_fence_wait(bo->tbo.moving, false);
1596 ++ if (unlikely(ret)) {
1597 ++ radeon_bo_unpin(bo);
1598 ++ goto error;
1599 ++ }
1600 ++ }
1601 ++
1602 ++ bo->prime_shared_count++;
1603 ++error:
1604 + radeon_bo_unreserve(bo);
1605 + return ret;
1606 + }
1607 +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
1608 +index af5f01eff872c..88a8cb840cd54 100644
1609 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
1610 ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
1611 +@@ -146,6 +146,8 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
1612 + struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector);
1613 + bool connected = false;
1614 +
1615 ++ WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));
1616 ++
1617 + if (vc4_hdmi->hpd_gpio) {
1618 + if (gpio_get_value_cansleep(vc4_hdmi->hpd_gpio) ^
1619 + vc4_hdmi->hpd_active_low)
1620 +@@ -167,10 +169,12 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
1621 + }
1622 + }
1623 +
1624 ++ pm_runtime_put(&vc4_hdmi->pdev->dev);
1625 + return connector_status_connected;
1626 + }
1627 +
1628 + cec_phys_addr_invalidate(vc4_hdmi->cec_adap);
1629 ++ pm_runtime_put(&vc4_hdmi->pdev->dev);
1630 + return connector_status_disconnected;
1631 + }
1632 +
1633 +@@ -415,7 +419,6 @@ static void vc4_hdmi_encoder_post_crtc_powerdown(struct drm_encoder *encoder)
1634 + HDMI_READ(HDMI_VID_CTL) & ~VC4_HD_VID_CTL_ENABLE);
1635 +
1636 + clk_disable_unprepare(vc4_hdmi->pixel_bvb_clock);
1637 +- clk_disable_unprepare(vc4_hdmi->hsm_clock);
1638 + clk_disable_unprepare(vc4_hdmi->pixel_clock);
1639 +
1640 + ret = pm_runtime_put(&vc4_hdmi->pdev->dev);
1641 +@@ -666,13 +669,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder)
1642 + return;
1643 + }
1644 +
1645 +- ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
1646 +- if (ret) {
1647 +- DRM_ERROR("Failed to turn on HSM clock: %d\n", ret);
1648 +- clk_disable_unprepare(vc4_hdmi->pixel_clock);
1649 +- return;
1650 +- }
1651 +-
1652 + vc4_hdmi_cec_update_clk_div(vc4_hdmi);
1653 +
1654 + /*
1655 +@@ -683,7 +679,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder)
1656 + (hsm_rate > VC4_HSM_MID_CLOCK ? 150000000 : 75000000));
1657 + if (ret) {
1658 + DRM_ERROR("Failed to set pixel bvb clock rate: %d\n", ret);
1659 +- clk_disable_unprepare(vc4_hdmi->hsm_clock);
1660 + clk_disable_unprepare(vc4_hdmi->pixel_clock);
1661 + return;
1662 + }
1663 +@@ -691,7 +686,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder)
1664 + ret = clk_prepare_enable(vc4_hdmi->pixel_bvb_clock);
1665 + if (ret) {
1666 + DRM_ERROR("Failed to turn on pixel bvb clock: %d\n", ret);
1667 +- clk_disable_unprepare(vc4_hdmi->hsm_clock);
1668 + clk_disable_unprepare(vc4_hdmi->pixel_clock);
1669 + return;
1670 + }
1671 +@@ -1724,6 +1718,29 @@ static int vc5_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi)
1672 + return 0;
1673 + }
1674 +
1675 ++#ifdef CONFIG_PM
1676 ++static int vc4_hdmi_runtime_suspend(struct device *dev)
1677 ++{
1678 ++ struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
1679 ++
1680 ++ clk_disable_unprepare(vc4_hdmi->hsm_clock);
1681 ++
1682 ++ return 0;
1683 ++}
1684 ++
1685 ++static int vc4_hdmi_runtime_resume(struct device *dev)
1686 ++{
1687 ++ struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
1688 ++ int ret;
1689 ++
1690 ++ ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
1691 ++ if (ret)
1692 ++ return ret;
1693 ++
1694 ++ return 0;
1695 ++}
1696 ++#endif
1697 ++
1698 + static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
1699 + {
1700 + const struct vc4_hdmi_variant *variant = of_device_get_match_data(dev);
1701 +@@ -1959,11 +1976,18 @@ static const struct of_device_id vc4_hdmi_dt_match[] = {
1702 + {}
1703 + };
1704 +
1705 ++static const struct dev_pm_ops vc4_hdmi_pm_ops = {
1706 ++ SET_RUNTIME_PM_OPS(vc4_hdmi_runtime_suspend,
1707 ++ vc4_hdmi_runtime_resume,
1708 ++ NULL)
1709 ++};
1710 ++
1711 + struct platform_driver vc4_hdmi_driver = {
1712 + .probe = vc4_hdmi_dev_probe,
1713 + .remove = vc4_hdmi_dev_remove,
1714 + .driver = {
1715 + .name = "vc4_hdmi",
1716 + .of_match_table = vc4_hdmi_dt_match,
1717 ++ .pm = &vc4_hdmi_pm_ops,
1718 + },
1719 + };
1720 +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
1721 +index e42b87e96f747..eab6fd6b890eb 100644
1722 +--- a/drivers/i2c/busses/i2c-i801.c
1723 ++++ b/drivers/i2c/busses/i2c-i801.c
1724 +@@ -974,6 +974,9 @@ static s32 i801_access(struct i2c_adapter *adap, u16 addr,
1725 + }
1726 +
1727 + out:
1728 ++ /* Unlock the SMBus device for use by BIOS/ACPI */
1729 ++ outb_p(SMBHSTSTS_INUSE_STS, SMBHSTSTS(priv));
1730 ++
1731 + pm_runtime_mark_last_busy(&priv->pci_dev->dev);
1732 + pm_runtime_put_autosuspend(&priv->pci_dev->dev);
1733 + mutex_unlock(&priv->acpi_lock);
1734 +diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c b/drivers/i2c/busses/i2c-robotfuzz-osif.c
1735 +index a39f7d0927973..66dfa211e736b 100644
1736 +--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
1737 ++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
1738 +@@ -83,7 +83,7 @@ static int osif_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs,
1739 + }
1740 + }
1741 +
1742 +- ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
1743 ++ ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
1744 + if (ret) {
1745 + dev_err(&adapter->dev, "failure sending STOP\n");
1746 + return -EREMOTEIO;
1747 +@@ -153,7 +153,7 @@ static int osif_probe(struct usb_interface *interface,
1748 + * Set bus frequency. The frequency is:
1749 + * 120,000,000 / ( 16 + 2 * div * 4^prescale).
1750 + * Using dev = 52, prescale = 0 give 100KHz */
1751 +- ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
1752 ++ ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
1753 + NULL, 0);
1754 + if (ret) {
1755 + dev_err(&interface->dev, "failure sending bit rate");
1756 +diff --git a/drivers/mmc/host/meson-gx-mmc.c b/drivers/mmc/host/meson-gx-mmc.c
1757 +index 4ec41579940a3..d3f40c9a8c6c8 100644
1758 +--- a/drivers/mmc/host/meson-gx-mmc.c
1759 ++++ b/drivers/mmc/host/meson-gx-mmc.c
1760 +@@ -165,6 +165,7 @@ struct meson_host {
1761 +
1762 + unsigned int bounce_buf_size;
1763 + void *bounce_buf;
1764 ++ void __iomem *bounce_iomem_buf;
1765 + dma_addr_t bounce_dma_addr;
1766 + struct sd_emmc_desc *descs;
1767 + dma_addr_t descs_dma_addr;
1768 +@@ -734,6 +735,47 @@ static void meson_mmc_desc_chain_transfer(struct mmc_host *mmc, u32 cmd_cfg)
1769 + writel(start, host->regs + SD_EMMC_START);
1770 + }
1771 +
1772 ++/* local sg copy to buffer version with _to/fromio usage for dram_access_quirk */
1773 ++static void meson_mmc_copy_buffer(struct meson_host *host, struct mmc_data *data,
1774 ++ size_t buflen, bool to_buffer)
1775 ++{
1776 ++ unsigned int sg_flags = SG_MITER_ATOMIC;
1777 ++ struct scatterlist *sgl = data->sg;
1778 ++ unsigned int nents = data->sg_len;
1779 ++ struct sg_mapping_iter miter;
1780 ++ unsigned int offset = 0;
1781 ++
1782 ++ if (to_buffer)
1783 ++ sg_flags |= SG_MITER_FROM_SG;
1784 ++ else
1785 ++ sg_flags |= SG_MITER_TO_SG;
1786 ++
1787 ++ sg_miter_start(&miter, sgl, nents, sg_flags);
1788 ++
1789 ++ while ((offset < buflen) && sg_miter_next(&miter)) {
1790 ++ unsigned int len;
1791 ++
1792 ++ len = min(miter.length, buflen - offset);
1793 ++
1794 ++ /* When dram_access_quirk, the bounce buffer is a iomem mapping */
1795 ++ if (host->dram_access_quirk) {
1796 ++ if (to_buffer)
1797 ++ memcpy_toio(host->bounce_iomem_buf + offset, miter.addr, len);
1798 ++ else
1799 ++ memcpy_fromio(miter.addr, host->bounce_iomem_buf + offset, len);
1800 ++ } else {
1801 ++ if (to_buffer)
1802 ++ memcpy(host->bounce_buf + offset, miter.addr, len);
1803 ++ else
1804 ++ memcpy(miter.addr, host->bounce_buf + offset, len);
1805 ++ }
1806 ++
1807 ++ offset += len;
1808 ++ }
1809 ++
1810 ++ sg_miter_stop(&miter);
1811 ++}
1812 ++
1813 + static void meson_mmc_start_cmd(struct mmc_host *mmc, struct mmc_command *cmd)
1814 + {
1815 + struct meson_host *host = mmc_priv(mmc);
1816 +@@ -777,8 +819,7 @@ static void meson_mmc_start_cmd(struct mmc_host *mmc, struct mmc_command *cmd)
1817 + if (data->flags & MMC_DATA_WRITE) {
1818 + cmd_cfg |= CMD_CFG_DATA_WR;
1819 + WARN_ON(xfer_bytes > host->bounce_buf_size);
1820 +- sg_copy_to_buffer(data->sg, data->sg_len,
1821 +- host->bounce_buf, xfer_bytes);
1822 ++ meson_mmc_copy_buffer(host, data, xfer_bytes, true);
1823 + dma_wmb();
1824 + }
1825 +
1826 +@@ -947,8 +988,7 @@ static irqreturn_t meson_mmc_irq_thread(int irq, void *dev_id)
1827 + if (meson_mmc_bounce_buf_read(data)) {
1828 + xfer_bytes = data->blksz * data->blocks;
1829 + WARN_ON(xfer_bytes > host->bounce_buf_size);
1830 +- sg_copy_from_buffer(data->sg, data->sg_len,
1831 +- host->bounce_buf, xfer_bytes);
1832 ++ meson_mmc_copy_buffer(host, data, xfer_bytes, false);
1833 + }
1834 +
1835 + next_cmd = meson_mmc_get_next_command(cmd);
1836 +@@ -1168,7 +1208,7 @@ static int meson_mmc_probe(struct platform_device *pdev)
1837 + * instead of the DDR memory
1838 + */
1839 + host->bounce_buf_size = SD_EMMC_SRAM_DATA_BUF_LEN;
1840 +- host->bounce_buf = host->regs + SD_EMMC_SRAM_DATA_BUF_OFF;
1841 ++ host->bounce_iomem_buf = host->regs + SD_EMMC_SRAM_DATA_BUF_OFF;
1842 + host->bounce_dma_addr = res->start + SD_EMMC_SRAM_DATA_BUF_OFF;
1843 + } else {
1844 + /* data bounce buffer */
1845 +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
1846 +index d025ea4349339..39fbd0be179c2 100644
1847 +--- a/drivers/net/caif/caif_serial.c
1848 ++++ b/drivers/net/caif/caif_serial.c
1849 +@@ -351,6 +351,7 @@ static int ldisc_open(struct tty_struct *tty)
1850 + rtnl_lock();
1851 + result = register_netdevice(dev);
1852 + if (result) {
1853 ++ tty_kref_put(tty);
1854 + rtnl_unlock();
1855 + free_netdev(dev);
1856 + return -ENODEV;
1857 +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
1858 +index 17d5b649eb36b..e81dd34a3cac2 100644
1859 +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
1860 ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
1861 +@@ -1266,9 +1266,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn,
1862 + p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC;
1863 +
1864 + p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled;
1865 ++ BUILD_BUG_ON(sizeof(dcbx_info->operational.params) !=
1866 ++ sizeof(p_hwfn->p_dcbx_info->set.config.params));
1867 + memcpy(&p_hwfn->p_dcbx_info->set.config.params,
1868 + &dcbx_info->operational.params,
1869 +- sizeof(struct qed_dcbx_admin_params));
1870 ++ sizeof(p_hwfn->p_dcbx_info->set.config.params));
1871 + p_hwfn->p_dcbx_info->set.config.valid = true;
1872 +
1873 + memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set));
1874 +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
1875 +index 3bb36f4a984e8..a6bf80b529679 100644
1876 +--- a/drivers/net/ethernet/realtek/r8169_main.c
1877 ++++ b/drivers/net/ethernet/realtek/r8169_main.c
1878 +@@ -1673,7 +1673,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
1879 + {
1880 + switch(stringset) {
1881 + case ETH_SS_STATS:
1882 +- memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings));
1883 ++ memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings));
1884 + break;
1885 + }
1886 + }
1887 +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
1888 +index 6d84266c03caf..5cab2d3c00236 100644
1889 +--- a/drivers/net/ethernet/renesas/sh_eth.c
1890 ++++ b/drivers/net/ethernet/renesas/sh_eth.c
1891 +@@ -2287,7 +2287,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
1892 + {
1893 + switch (stringset) {
1894 + case ETH_SS_STATS:
1895 +- memcpy(data, *sh_eth_gstrings_stats,
1896 ++ memcpy(data, sh_eth_gstrings_stats,
1897 + sizeof(sh_eth_gstrings_stats));
1898 + break;
1899 + }
1900 +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
1901 +index 01bb36e7cff0a..6bd3a389d389c 100644
1902 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
1903 ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
1904 +@@ -774,12 +774,15 @@ static void temac_start_xmit_done(struct net_device *ndev)
1905 + stat = be32_to_cpu(cur_p->app0);
1906 +
1907 + while (stat & STS_CTRL_APP0_CMPLT) {
1908 ++ /* Make sure that the other fields are read after bd is
1909 ++ * released by dma
1910 ++ */
1911 ++ rmb();
1912 + dma_unmap_single(ndev->dev.parent, be32_to_cpu(cur_p->phys),
1913 + be32_to_cpu(cur_p->len), DMA_TO_DEVICE);
1914 + skb = (struct sk_buff *)ptr_from_txbd(cur_p);
1915 + if (skb)
1916 + dev_consume_skb_irq(skb);
1917 +- cur_p->app0 = 0;
1918 + cur_p->app1 = 0;
1919 + cur_p->app2 = 0;
1920 + cur_p->app3 = 0;
1921 +@@ -788,6 +791,12 @@ static void temac_start_xmit_done(struct net_device *ndev)
1922 + ndev->stats.tx_packets++;
1923 + ndev->stats.tx_bytes += be32_to_cpu(cur_p->len);
1924 +
1925 ++ /* app0 must be visible last, as it is used to flag
1926 ++ * availability of the bd
1927 ++ */
1928 ++ smp_mb();
1929 ++ cur_p->app0 = 0;
1930 ++
1931 + lp->tx_bd_ci++;
1932 + if (lp->tx_bd_ci >= lp->tx_bd_num)
1933 + lp->tx_bd_ci = 0;
1934 +@@ -814,6 +823,9 @@ static inline int temac_check_tx_bd_space(struct temac_local *lp, int num_frag)
1935 + if (cur_p->app0)
1936 + return NETDEV_TX_BUSY;
1937 +
1938 ++ /* Make sure to read next bd app0 after this one */
1939 ++ rmb();
1940 ++
1941 + tail++;
1942 + if (tail >= lp->tx_bd_num)
1943 + tail = 0;
1944 +@@ -930,6 +942,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
1945 + wmb();
1946 + lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
1947 +
1948 ++ if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
1949 ++ netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
1950 ++ netif_stop_queue(ndev);
1951 ++ }
1952 ++
1953 + return NETDEV_TX_OK;
1954 + }
1955 +
1956 +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
1957 +index 69d3eacc2b96c..c716074fdef0b 100644
1958 +--- a/drivers/net/phy/dp83867.c
1959 ++++ b/drivers/net/phy/dp83867.c
1960 +@@ -792,16 +792,12 @@ static int dp83867_phy_reset(struct phy_device *phydev)
1961 + {
1962 + int err;
1963 +
1964 +- err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET);
1965 ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
1966 + if (err < 0)
1967 + return err;
1968 +
1969 + usleep_range(10, 20);
1970 +
1971 +- /* After reset FORCE_LINK_GOOD bit is set. Although the
1972 +- * default value should be unset. Disable FORCE_LINK_GOOD
1973 +- * for the phy to work properly.
1974 +- */
1975 + return phy_modify(phydev, MII_DP83867_PHYCTRL,
1976 + DP83867_PHYCR_FORCE_LINK_GOOD, 0);
1977 + }
1978 +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
1979 +index f5010f8ac1ec7..95e27fb7d2c10 100644
1980 +--- a/drivers/net/usb/r8152.c
1981 ++++ b/drivers/net/usb/r8152.c
1982 +@@ -6054,7 +6054,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data)
1983 + {
1984 + switch (stringset) {
1985 + case ETH_SS_STATS:
1986 +- memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings));
1987 ++ memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
1988 + break;
1989 + }
1990 + }
1991 +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
1992 +index 3b3fc7c9c91dc..f147d4feedb91 100644
1993 +--- a/drivers/net/wireless/mac80211_hwsim.c
1994 ++++ b/drivers/net/wireless/mac80211_hwsim.c
1995 +@@ -1623,8 +1623,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw)
1996 + static void mac80211_hwsim_stop(struct ieee80211_hw *hw)
1997 + {
1998 + struct mac80211_hwsim_data *data = hw->priv;
1999 ++
2000 + data->started = false;
2001 + hrtimer_cancel(&data->beacon_timer);
2002 ++
2003 ++ while (!skb_queue_empty(&data->pending))
2004 ++ ieee80211_free_txskb(hw, skb_dequeue(&data->pending));
2005 ++
2006 + wiphy_dbg(hw->wiphy, "%s\n", __func__);
2007 + }
2008 +
2009 +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
2010 +index d5d9ea864fe66..9e971fffeb6a3 100644
2011 +--- a/drivers/pci/pci.c
2012 ++++ b/drivers/pci/pci.c
2013 +@@ -1874,11 +1874,21 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
2014 + int err;
2015 + int i, bars = 0;
2016 +
2017 +- if (atomic_inc_return(&dev->enable_cnt) > 1) {
2018 +- pci_update_current_state(dev, dev->current_state);
2019 +- return 0; /* already enabled */
2020 ++ /*
2021 ++ * Power state could be unknown at this point, either due to a fresh
2022 ++ * boot or a device removal call. So get the current power state
2023 ++ * so that things like MSI message writing will behave as expected
2024 ++ * (e.g. if the device really is in D0 at enable time).
2025 ++ */
2026 ++ if (dev->pm_cap) {
2027 ++ u16 pmcsr;
2028 ++ pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
2029 ++ dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
2030 + }
2031 +
2032 ++ if (atomic_inc_return(&dev->enable_cnt) > 1)
2033 ++ return 0; /* already enabled */
2034 ++
2035 + bridge = pci_upstream_bridge(dev);
2036 + if (bridge)
2037 + pci_enable_bridge(bridge);
2038 +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
2039 +index 7d9bdedcd71bb..3af4430543dca 100644
2040 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
2041 ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
2042 +@@ -1229,7 +1229,7 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl,
2043 + struct device *dev = pctl->dev;
2044 + struct resource res;
2045 + int npins = STM32_GPIO_PINS_PER_BANK;
2046 +- int bank_nr, err;
2047 ++ int bank_nr, err, i = 0;
2048 +
2049 + if (!IS_ERR(bank->rstc))
2050 + reset_control_deassert(bank->rstc);
2051 +@@ -1251,9 +1251,14 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl,
2052 +
2053 + of_property_read_string(np, "st,bank-name", &bank->gpio_chip.label);
2054 +
2055 +- if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, 0, &args)) {
2056 ++ if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, i, &args)) {
2057 + bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK;
2058 + bank->gpio_chip.base = args.args[1];
2059 ++
2060 ++ npins = args.args[2];
2061 ++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3,
2062 ++ ++i, &args))
2063 ++ npins += args.args[2];
2064 + } else {
2065 + bank_nr = pctl->nbanks;
2066 + bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK;
2067 +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
2068 +index 20a6564f87d9f..01f87bcab3dd1 100644
2069 +--- a/drivers/scsi/sd.c
2070 ++++ b/drivers/scsi/sd.c
2071 +@@ -1389,6 +1389,22 @@ static void sd_uninit_command(struct scsi_cmnd *SCpnt)
2072 + }
2073 + }
2074 +
2075 ++static bool sd_need_revalidate(struct block_device *bdev,
2076 ++ struct scsi_disk *sdkp)
2077 ++{
2078 ++ if (sdkp->device->removable || sdkp->write_prot) {
2079 ++ if (bdev_check_media_change(bdev))
2080 ++ return true;
2081 ++ }
2082 ++
2083 ++ /*
2084 ++ * Force a full rescan after ioctl(BLKRRPART). While the disk state has
2085 ++ * nothing to do with partitions, BLKRRPART is used to force a full
2086 ++ * revalidate after things like a format for historical reasons.
2087 ++ */
2088 ++ return test_bit(GD_NEED_PART_SCAN, &bdev->bd_disk->state);
2089 ++}
2090 ++
2091 + /**
2092 + * sd_open - open a scsi disk device
2093 + * @bdev: Block device of the scsi disk to open
2094 +@@ -1425,10 +1441,8 @@ static int sd_open(struct block_device *bdev, fmode_t mode)
2095 + if (!scsi_block_when_processing_errors(sdev))
2096 + goto error_out;
2097 +
2098 +- if (sdev->removable || sdkp->write_prot) {
2099 +- if (bdev_check_media_change(bdev))
2100 +- sd_revalidate_disk(bdev->bd_disk);
2101 +- }
2102 ++ if (sd_need_revalidate(bdev, sdkp))
2103 ++ sd_revalidate_disk(bdev->bd_disk);
2104 +
2105 + /*
2106 + * If the drive is empty, just let the open fail.
2107 +diff --git a/drivers/spi/spi-nxp-fspi.c b/drivers/spi/spi-nxp-fspi.c
2108 +index ab9035662717a..bcc0b5a3a459c 100644
2109 +--- a/drivers/spi/spi-nxp-fspi.c
2110 ++++ b/drivers/spi/spi-nxp-fspi.c
2111 +@@ -1033,12 +1033,6 @@ static int nxp_fspi_probe(struct platform_device *pdev)
2112 + goto err_put_ctrl;
2113 + }
2114 +
2115 +- /* Clear potential interrupts */
2116 +- reg = fspi_readl(f, f->iobase + FSPI_INTR);
2117 +- if (reg)
2118 +- fspi_writel(f, reg, f->iobase + FSPI_INTR);
2119 +-
2120 +-
2121 + /* find the resources - controller memory mapped space */
2122 + if (is_acpi_node(f->dev->fwnode))
2123 + res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
2124 +@@ -1076,6 +1070,11 @@ static int nxp_fspi_probe(struct platform_device *pdev)
2125 + }
2126 + }
2127 +
2128 ++ /* Clear potential interrupts */
2129 ++ reg = fspi_readl(f, f->iobase + FSPI_INTR);
2130 ++ if (reg)
2131 ++ fspi_writel(f, reg, f->iobase + FSPI_INTR);
2132 ++
2133 + /* find the irq */
2134 + ret = platform_get_irq(pdev, 0);
2135 + if (ret < 0)
2136 +diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
2137 +index 35c83f65475b2..8b0507f69c156 100644
2138 +--- a/fs/ceph/addr.c
2139 ++++ b/fs/ceph/addr.c
2140 +@@ -1302,6 +1302,45 @@ ceph_find_incompatible(struct page *page)
2141 + return NULL;
2142 + }
2143 +
2144 ++/**
2145 ++ * prep_noread_page - prep a page for writing without reading first
2146 ++ * @page: page being prepared
2147 ++ * @pos: starting position for the write
2148 ++ * @len: length of write
2149 ++ *
2150 ++ * In some cases, write_begin doesn't need to read at all:
2151 ++ * - full page write
2152 ++ * - file is currently zero-length
2153 ++ * - write that lies in a page that is completely beyond EOF
2154 ++ * - write that covers the the page from start to EOF or beyond it
2155 ++ *
2156 ++ * If any of these criteria are met, then zero out the unwritten parts
2157 ++ * of the page and return true. Otherwise, return false.
2158 ++ */
2159 ++static bool skip_page_read(struct page *page, loff_t pos, size_t len)
2160 ++{
2161 ++ struct inode *inode = page->mapping->host;
2162 ++ loff_t i_size = i_size_read(inode);
2163 ++ size_t offset = offset_in_page(pos);
2164 ++
2165 ++ /* Full page write */
2166 ++ if (offset == 0 && len >= PAGE_SIZE)
2167 ++ return true;
2168 ++
2169 ++ /* pos beyond last page in the file */
2170 ++ if (pos - offset >= i_size)
2171 ++ goto zero_out;
2172 ++
2173 ++ /* write that covers the whole page from start to EOF or beyond it */
2174 ++ if (offset == 0 && (pos + len) >= i_size)
2175 ++ goto zero_out;
2176 ++
2177 ++ return false;
2178 ++zero_out:
2179 ++ zero_user_segments(page, 0, offset, offset + len, PAGE_SIZE);
2180 ++ return true;
2181 ++}
2182 ++
2183 + /*
2184 + * We are only allowed to write into/dirty the page if the page is
2185 + * clean, or already dirty within the same snap context.
2186 +@@ -1315,7 +1354,6 @@ static int ceph_write_begin(struct file *file, struct address_space *mapping,
2187 + struct ceph_snap_context *snapc;
2188 + struct page *page = NULL;
2189 + pgoff_t index = pos >> PAGE_SHIFT;
2190 +- int pos_in_page = pos & ~PAGE_MASK;
2191 + int r = 0;
2192 +
2193 + dout("write_begin file %p inode %p page %p %d~%d\n", file, inode, page, (int)pos, (int)len);
2194 +@@ -1350,19 +1388,9 @@ static int ceph_write_begin(struct file *file, struct address_space *mapping,
2195 + break;
2196 + }
2197 +
2198 +- /*
2199 +- * In some cases we don't need to read at all:
2200 +- * - full page write
2201 +- * - write that lies completely beyond EOF
2202 +- * - write that covers the the page from start to EOF or beyond it
2203 +- */
2204 +- if ((pos_in_page == 0 && len == PAGE_SIZE) ||
2205 +- (pos >= i_size_read(inode)) ||
2206 +- (pos_in_page == 0 && (pos + len) >= i_size_read(inode))) {
2207 +- zero_user_segments(page, 0, pos_in_page,
2208 +- pos_in_page + len, PAGE_SIZE);
2209 ++ /* No need to read in some cases */
2210 ++ if (skip_page_read(page, pos, len))
2211 + break;
2212 +- }
2213 +
2214 + /*
2215 + * We need to read it. If we get back -EINPROGRESS, then the page was
2216 +diff --git a/fs/ceph/file.c b/fs/ceph/file.c
2217 +index 209535d5b8d38..3d2e3dd4ee01d 100644
2218 +--- a/fs/ceph/file.c
2219 ++++ b/fs/ceph/file.c
2220 +@@ -578,6 +578,7 @@ static int ceph_finish_async_create(struct inode *dir, struct dentry *dentry,
2221 + struct ceph_inode_info *ci = ceph_inode(dir);
2222 + struct inode *inode;
2223 + struct timespec64 now;
2224 ++ struct ceph_mds_client *mdsc = ceph_sb_to_mdsc(dir->i_sb);
2225 + struct ceph_vino vino = { .ino = req->r_deleg_ino,
2226 + .snap = CEPH_NOSNAP };
2227 +
2228 +@@ -615,8 +616,10 @@ static int ceph_finish_async_create(struct inode *dir, struct dentry *dentry,
2229 +
2230 + ceph_file_layout_to_legacy(lo, &in.layout);
2231 +
2232 ++ down_read(&mdsc->snap_rwsem);
2233 + ret = ceph_fill_inode(inode, NULL, &iinfo, NULL, req->r_session,
2234 + req->r_fmode, NULL);
2235 ++ up_read(&mdsc->snap_rwsem);
2236 + if (ret) {
2237 + dout("%s failed to fill inode: %d\n", __func__, ret);
2238 + ceph_dir_clear_complete(dir);
2239 +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
2240 +index 346fcdfcd3e91..57cd78e942c08 100644
2241 +--- a/fs/ceph/inode.c
2242 ++++ b/fs/ceph/inode.c
2243 +@@ -762,6 +762,8 @@ int ceph_fill_inode(struct inode *inode, struct page *locked_page,
2244 + bool new_version = false;
2245 + bool fill_inline = false;
2246 +
2247 ++ lockdep_assert_held(&mdsc->snap_rwsem);
2248 ++
2249 + dout("%s %p ino %llx.%llx v %llu had %llu\n", __func__,
2250 + inode, ceph_vinop(inode), le64_to_cpu(info->version),
2251 + ci->i_version);
2252 +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c
2253 +index 303d71430bdd1..9c6c0e2e5880a 100644
2254 +--- a/fs/nilfs2/sysfs.c
2255 ++++ b/fs/nilfs2/sysfs.c
2256 +@@ -1053,6 +1053,7 @@ void nilfs_sysfs_delete_device_group(struct the_nilfs *nilfs)
2257 + nilfs_sysfs_delete_superblock_group(nilfs);
2258 + nilfs_sysfs_delete_segctor_group(nilfs);
2259 + kobject_del(&nilfs->ns_dev_kobj);
2260 ++ kobject_put(&nilfs->ns_dev_kobj);
2261 + kfree(nilfs->ns_dev_subgroups);
2262 + }
2263 +
2264 +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
2265 +index fb8b07daa9d15..875e002a41804 100644
2266 +--- a/include/keys/system_keyring.h
2267 ++++ b/include/keys/system_keyring.h
2268 +@@ -31,6 +31,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
2269 + #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
2270 + #endif
2271 +
2272 ++extern struct pkcs7_message *pkcs7;
2273 + #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
2274 + extern int mark_hash_blacklisted(const char *hash);
2275 + extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
2276 +@@ -49,6 +50,20 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
2277 + }
2278 + #endif
2279 +
2280 ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
2281 ++extern int add_key_to_revocation_list(const char *data, size_t size);
2282 ++extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
2283 ++#else
2284 ++static inline int add_key_to_revocation_list(const char *data, size_t size)
2285 ++{
2286 ++ return 0;
2287 ++}
2288 ++static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
2289 ++{
2290 ++ return -ENOKEY;
2291 ++}
2292 ++#endif
2293 ++
2294 + #ifdef CONFIG_IMA_BLACKLIST_KEYRING
2295 + extern struct key *ima_blacklist_keyring;
2296 +
2297 +diff --git a/include/linux/debug_locks.h b/include/linux/debug_locks.h
2298 +index 2915f56ad4214..edb5c186b0b7a 100644
2299 +--- a/include/linux/debug_locks.h
2300 ++++ b/include/linux/debug_locks.h
2301 +@@ -27,8 +27,10 @@ extern int debug_locks_off(void);
2302 + int __ret = 0; \
2303 + \
2304 + if (!oops_in_progress && unlikely(c)) { \
2305 ++ instrumentation_begin(); \
2306 + if (debug_locks_off() && !debug_locks_silent) \
2307 + WARN(1, "DEBUG_LOCKS_WARN_ON(%s)", #c); \
2308 ++ instrumentation_end(); \
2309 + __ret = 1; \
2310 + } \
2311 + __ret; \
2312 +diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
2313 +index 0365aa97f8e73..ff55be0117397 100644
2314 +--- a/include/linux/huge_mm.h
2315 ++++ b/include/linux/huge_mm.h
2316 +@@ -297,6 +297,7 @@ struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr,
2317 + extern vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t orig_pmd);
2318 +
2319 + extern struct page *huge_zero_page;
2320 ++extern unsigned long huge_zero_pfn;
2321 +
2322 + static inline bool is_huge_zero_page(struct page *page)
2323 + {
2324 +@@ -305,7 +306,7 @@ static inline bool is_huge_zero_page(struct page *page)
2325 +
2326 + static inline bool is_huge_zero_pmd(pmd_t pmd)
2327 + {
2328 +- return is_huge_zero_page(pmd_page(pmd));
2329 ++ return READ_ONCE(huge_zero_pfn) == pmd_pfn(pmd) && pmd_present(pmd);
2330 + }
2331 +
2332 + static inline bool is_huge_zero_pud(pud_t pud)
2333 +@@ -451,6 +452,11 @@ static inline bool is_huge_zero_page(struct page *page)
2334 + return false;
2335 + }
2336 +
2337 ++static inline bool is_huge_zero_pmd(pmd_t pmd)
2338 ++{
2339 ++ return false;
2340 ++}
2341 ++
2342 + static inline bool is_huge_zero_pud(pud_t pud)
2343 + {
2344 + return false;
2345 +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
2346 +index b5807f23caf80..5b68c9787f7c2 100644
2347 +--- a/include/linux/hugetlb.h
2348 ++++ b/include/linux/hugetlb.h
2349 +@@ -628,17 +628,6 @@ static inline int hstate_index(struct hstate *h)
2350 + return h - hstates;
2351 + }
2352 +
2353 +-pgoff_t __basepage_index(struct page *page);
2354 +-
2355 +-/* Return page->index in PAGE_SIZE units */
2356 +-static inline pgoff_t basepage_index(struct page *page)
2357 +-{
2358 +- if (!PageCompound(page))
2359 +- return page->index;
2360 +-
2361 +- return __basepage_index(page);
2362 +-}
2363 +-
2364 + extern int dissolve_free_huge_page(struct page *page);
2365 + extern int dissolve_free_huge_pages(unsigned long start_pfn,
2366 + unsigned long end_pfn);
2367 +@@ -871,11 +860,6 @@ static inline int hstate_index(struct hstate *h)
2368 + return 0;
2369 + }
2370 +
2371 +-static inline pgoff_t basepage_index(struct page *page)
2372 +-{
2373 +- return page->index;
2374 +-}
2375 +-
2376 + static inline int dissolve_free_huge_page(struct page *page)
2377 + {
2378 + return 0;
2379 +diff --git a/include/linux/mm.h b/include/linux/mm.h
2380 +index 5106db3ad1ce3..289c26f055cdd 100644
2381 +--- a/include/linux/mm.h
2382 ++++ b/include/linux/mm.h
2383 +@@ -1648,6 +1648,7 @@ struct zap_details {
2384 + struct address_space *check_mapping; /* Check page->mapping if set */
2385 + pgoff_t first_index; /* Lowest page->index to unmap */
2386 + pgoff_t last_index; /* Highest page->index to unmap */
2387 ++ struct page *single_page; /* Locked page to be unmapped */
2388 + };
2389 +
2390 + struct page *vm_normal_page(struct vm_area_struct *vma, unsigned long addr,
2391 +@@ -1695,6 +1696,7 @@ extern vm_fault_t handle_mm_fault(struct vm_area_struct *vma,
2392 + extern int fixup_user_fault(struct mm_struct *mm,
2393 + unsigned long address, unsigned int fault_flags,
2394 + bool *unlocked);
2395 ++void unmap_mapping_page(struct page *page);
2396 + void unmap_mapping_pages(struct address_space *mapping,
2397 + pgoff_t start, pgoff_t nr, bool even_cows);
2398 + void unmap_mapping_range(struct address_space *mapping,
2399 +@@ -1715,6 +1717,7 @@ static inline int fixup_user_fault(struct mm_struct *mm, unsigned long address,
2400 + BUG();
2401 + return -EFAULT;
2402 + }
2403 ++static inline void unmap_mapping_page(struct page *page) { }
2404 + static inline void unmap_mapping_pages(struct address_space *mapping,
2405 + pgoff_t start, pgoff_t nr, bool even_cows) { }
2406 + static inline void unmap_mapping_range(struct address_space *mapping,
2407 +diff --git a/include/linux/mmdebug.h b/include/linux/mmdebug.h
2408 +index 2ad72d2c8cc52..5d0767cb424aa 100644
2409 +--- a/include/linux/mmdebug.h
2410 ++++ b/include/linux/mmdebug.h
2411 +@@ -37,6 +37,18 @@ void dump_mm(const struct mm_struct *mm);
2412 + BUG(); \
2413 + } \
2414 + } while (0)
2415 ++#define VM_WARN_ON_ONCE_PAGE(cond, page) ({ \
2416 ++ static bool __section(".data.once") __warned; \
2417 ++ int __ret_warn_once = !!(cond); \
2418 ++ \
2419 ++ if (unlikely(__ret_warn_once && !__warned)) { \
2420 ++ dump_page(page, "VM_WARN_ON_ONCE_PAGE(" __stringify(cond)")");\
2421 ++ __warned = true; \
2422 ++ WARN_ON(1); \
2423 ++ } \
2424 ++ unlikely(__ret_warn_once); \
2425 ++})
2426 ++
2427 + #define VM_WARN_ON(cond) (void)WARN_ON(cond)
2428 + #define VM_WARN_ON_ONCE(cond) (void)WARN_ON_ONCE(cond)
2429 + #define VM_WARN_ONCE(cond, format...) (void)WARN_ONCE(cond, format)
2430 +@@ -48,6 +60,7 @@ void dump_mm(const struct mm_struct *mm);
2431 + #define VM_BUG_ON_MM(cond, mm) VM_BUG_ON(cond)
2432 + #define VM_WARN_ON(cond) BUILD_BUG_ON_INVALID(cond)
2433 + #define VM_WARN_ON_ONCE(cond) BUILD_BUG_ON_INVALID(cond)
2434 ++#define VM_WARN_ON_ONCE_PAGE(cond, page) BUILD_BUG_ON_INVALID(cond)
2435 + #define VM_WARN_ONCE(cond, format...) BUILD_BUG_ON_INVALID(cond)
2436 + #define VM_WARN(cond, format...) BUILD_BUG_ON_INVALID(cond)
2437 + #endif
2438 +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
2439 +index b032f094a7827..fcb3f040102af 100644
2440 +--- a/include/linux/pagemap.h
2441 ++++ b/include/linux/pagemap.h
2442 +@@ -501,7 +501,7 @@ static inline struct page *read_mapping_page(struct address_space *mapping,
2443 + }
2444 +
2445 + /*
2446 +- * Get index of the page with in radix-tree
2447 ++ * Get index of the page within radix-tree (but not for hugetlb pages).
2448 + * (TODO: remove once hugetlb pages will have ->index in PAGE_SIZE)
2449 + */
2450 + static inline pgoff_t page_to_index(struct page *page)
2451 +@@ -520,15 +520,16 @@ static inline pgoff_t page_to_index(struct page *page)
2452 + return pgoff;
2453 + }
2454 +
2455 ++extern pgoff_t hugetlb_basepage_index(struct page *page);
2456 ++
2457 + /*
2458 +- * Get the offset in PAGE_SIZE.
2459 +- * (TODO: hugepage should have ->index in PAGE_SIZE)
2460 ++ * Get the offset in PAGE_SIZE (even for hugetlb pages).
2461 ++ * (TODO: hugetlb pages should have ->index in PAGE_SIZE)
2462 + */
2463 + static inline pgoff_t page_to_pgoff(struct page *page)
2464 + {
2465 +- if (unlikely(PageHeadHuge(page)))
2466 +- return page->index << compound_order(page);
2467 +-
2468 ++ if (unlikely(PageHuge(page)))
2469 ++ return hugetlb_basepage_index(page);
2470 + return page_to_index(page);
2471 + }
2472 +
2473 +diff --git a/include/linux/rmap.h b/include/linux/rmap.h
2474 +index def5c62c93b3b..8d04e7deedc66 100644
2475 +--- a/include/linux/rmap.h
2476 ++++ b/include/linux/rmap.h
2477 +@@ -91,6 +91,7 @@ enum ttu_flags {
2478 +
2479 + TTU_SPLIT_HUGE_PMD = 0x4, /* split huge PMD if any */
2480 + TTU_IGNORE_MLOCK = 0x8, /* ignore mlock */
2481 ++ TTU_SYNC = 0x10, /* avoid racy checks with PVMW_SYNC */
2482 + TTU_IGNORE_HWPOISON = 0x20, /* corrupted page is recoverable */
2483 + TTU_BATCH_FLUSH = 0x40, /* Batch TLB flushes where possible
2484 + * and caller guarantees they will
2485 +diff --git a/include/net/sock.h b/include/net/sock.h
2486 +index f68184b8c0aa5..3c7addf951509 100644
2487 +--- a/include/net/sock.h
2488 ++++ b/include/net/sock.h
2489 +@@ -1900,7 +1900,8 @@ static inline u32 net_tx_rndhash(void)
2490 +
2491 + static inline void sk_set_txhash(struct sock *sk)
2492 + {
2493 +- sk->sk_txhash = net_tx_rndhash();
2494 ++ /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */
2495 ++ WRITE_ONCE(sk->sk_txhash, net_tx_rndhash());
2496 + }
2497 +
2498 + static inline bool sk_rethink_txhash(struct sock *sk)
2499 +@@ -2172,9 +2173,12 @@ static inline void sock_poll_wait(struct file *filp, struct socket *sock,
2500 +
2501 + static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
2502 + {
2503 +- if (sk->sk_txhash) {
2504 ++ /* This pairs with WRITE_ONCE() in sk_set_txhash() */
2505 ++ u32 txhash = READ_ONCE(sk->sk_txhash);
2506 ++
2507 ++ if (txhash) {
2508 + skb->l4_hash = 1;
2509 +- skb->hash = sk->sk_txhash;
2510 ++ skb->hash = txhash;
2511 + }
2512 + }
2513 +
2514 +@@ -2232,8 +2236,13 @@ struct sk_buff *sock_dequeue_err_skb(struct sock *sk);
2515 + static inline int sock_error(struct sock *sk)
2516 + {
2517 + int err;
2518 +- if (likely(!sk->sk_err))
2519 ++
2520 ++ /* Avoid an atomic operation for the common case.
2521 ++ * This is racy since another cpu/thread can change sk_err under us.
2522 ++ */
2523 ++ if (likely(data_race(!sk->sk_err)))
2524 + return 0;
2525 ++
2526 + err = xchg(&sk->sk_err, 0);
2527 + return -err;
2528 + }
2529 +diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
2530 +index 0f61b14b00995..0ed0e1f215c75 100644
2531 +--- a/kernel/dma/swiotlb.c
2532 ++++ b/kernel/dma/swiotlb.c
2533 +@@ -667,6 +667,9 @@ void swiotlb_tbl_sync_single(struct device *hwdev, phys_addr_t tlb_addr,
2534 + if (orig_addr == INVALID_PHYS_ADDR)
2535 + return;
2536 +
2537 ++ orig_addr += (tlb_addr & (IO_TLB_SIZE - 1)) -
2538 ++ swiotlb_align_offset(hwdev, orig_addr);
2539 ++
2540 + switch (target) {
2541 + case SYNC_FOR_CPU:
2542 + if (likely(dir == DMA_FROM_DEVICE || dir == DMA_BIDIRECTIONAL))
2543 +diff --git a/kernel/futex.c b/kernel/futex.c
2544 +index 3136aba177720..98a6e1b80bfe4 100644
2545 +--- a/kernel/futex.c
2546 ++++ b/kernel/futex.c
2547 +@@ -35,7 +35,6 @@
2548 + #include <linux/jhash.h>
2549 + #include <linux/pagemap.h>
2550 + #include <linux/syscalls.h>
2551 +-#include <linux/hugetlb.h>
2552 + #include <linux/freezer.h>
2553 + #include <linux/memblock.h>
2554 + #include <linux/fault-inject.h>
2555 +@@ -652,7 +651,7 @@ again:
2556 +
2557 + key->both.offset |= FUT_OFF_INODE; /* inode-based key */
2558 + key->shared.i_seq = get_inode_sequence_number(inode);
2559 +- key->shared.pgoff = basepage_index(tail);
2560 ++ key->shared.pgoff = page_to_pgoff(tail);
2561 + rcu_read_unlock();
2562 + }
2563 +
2564 +diff --git a/kernel/kthread.c b/kernel/kthread.c
2565 +index 5edf7e19ab262..36be4364b313a 100644
2566 +--- a/kernel/kthread.c
2567 ++++ b/kernel/kthread.c
2568 +@@ -1044,8 +1044,38 @@ void kthread_flush_work(struct kthread_work *work)
2569 + EXPORT_SYMBOL_GPL(kthread_flush_work);
2570 +
2571 + /*
2572 +- * This function removes the work from the worker queue. Also it makes sure
2573 +- * that it won't get queued later via the delayed work's timer.
2574 ++ * Make sure that the timer is neither set nor running and could
2575 ++ * not manipulate the work list_head any longer.
2576 ++ *
2577 ++ * The function is called under worker->lock. The lock is temporary
2578 ++ * released but the timer can't be set again in the meantime.
2579 ++ */
2580 ++static void kthread_cancel_delayed_work_timer(struct kthread_work *work,
2581 ++ unsigned long *flags)
2582 ++{
2583 ++ struct kthread_delayed_work *dwork =
2584 ++ container_of(work, struct kthread_delayed_work, work);
2585 ++ struct kthread_worker *worker = work->worker;
2586 ++
2587 ++ /*
2588 ++ * del_timer_sync() must be called to make sure that the timer
2589 ++ * callback is not running. The lock must be temporary released
2590 ++ * to avoid a deadlock with the callback. In the meantime,
2591 ++ * any queuing is blocked by setting the canceling counter.
2592 ++ */
2593 ++ work->canceling++;
2594 ++ raw_spin_unlock_irqrestore(&worker->lock, *flags);
2595 ++ del_timer_sync(&dwork->timer);
2596 ++ raw_spin_lock_irqsave(&worker->lock, *flags);
2597 ++ work->canceling--;
2598 ++}
2599 ++
2600 ++/*
2601 ++ * This function removes the work from the worker queue.
2602 ++ *
2603 ++ * It is called under worker->lock. The caller must make sure that
2604 ++ * the timer used by delayed work is not running, e.g. by calling
2605 ++ * kthread_cancel_delayed_work_timer().
2606 + *
2607 + * The work might still be in use when this function finishes. See the
2608 + * current_work proceed by the worker.
2609 +@@ -1053,28 +1083,8 @@ EXPORT_SYMBOL_GPL(kthread_flush_work);
2610 + * Return: %true if @work was pending and successfully canceled,
2611 + * %false if @work was not pending
2612 + */
2613 +-static bool __kthread_cancel_work(struct kthread_work *work, bool is_dwork,
2614 +- unsigned long *flags)
2615 ++static bool __kthread_cancel_work(struct kthread_work *work)
2616 + {
2617 +- /* Try to cancel the timer if exists. */
2618 +- if (is_dwork) {
2619 +- struct kthread_delayed_work *dwork =
2620 +- container_of(work, struct kthread_delayed_work, work);
2621 +- struct kthread_worker *worker = work->worker;
2622 +-
2623 +- /*
2624 +- * del_timer_sync() must be called to make sure that the timer
2625 +- * callback is not running. The lock must be temporary released
2626 +- * to avoid a deadlock with the callback. In the meantime,
2627 +- * any queuing is blocked by setting the canceling counter.
2628 +- */
2629 +- work->canceling++;
2630 +- raw_spin_unlock_irqrestore(&worker->lock, *flags);
2631 +- del_timer_sync(&dwork->timer);
2632 +- raw_spin_lock_irqsave(&worker->lock, *flags);
2633 +- work->canceling--;
2634 +- }
2635 +-
2636 + /*
2637 + * Try to remove the work from a worker list. It might either
2638 + * be from worker->work_list or from worker->delayed_work_list.
2639 +@@ -1127,11 +1137,23 @@ bool kthread_mod_delayed_work(struct kthread_worker *worker,
2640 + /* Work must not be used with >1 worker, see kthread_queue_work() */
2641 + WARN_ON_ONCE(work->worker != worker);
2642 +
2643 +- /* Do not fight with another command that is canceling this work. */
2644 ++ /*
2645 ++ * Temporary cancel the work but do not fight with another command
2646 ++ * that is canceling the work as well.
2647 ++ *
2648 ++ * It is a bit tricky because of possible races with another
2649 ++ * mod_delayed_work() and cancel_delayed_work() callers.
2650 ++ *
2651 ++ * The timer must be canceled first because worker->lock is released
2652 ++ * when doing so. But the work can be removed from the queue (list)
2653 ++ * only when it can be queued again so that the return value can
2654 ++ * be used for reference counting.
2655 ++ */
2656 ++ kthread_cancel_delayed_work_timer(work, &flags);
2657 + if (work->canceling)
2658 + goto out;
2659 ++ ret = __kthread_cancel_work(work);
2660 +
2661 +- ret = __kthread_cancel_work(work, true, &flags);
2662 + fast_queue:
2663 + __kthread_queue_delayed_work(worker, dwork, delay);
2664 + out:
2665 +@@ -1153,7 +1175,10 @@ static bool __kthread_cancel_work_sync(struct kthread_work *work, bool is_dwork)
2666 + /* Work must not be used with >1 worker, see kthread_queue_work(). */
2667 + WARN_ON_ONCE(work->worker != worker);
2668 +
2669 +- ret = __kthread_cancel_work(work, is_dwork, &flags);
2670 ++ if (is_dwork)
2671 ++ kthread_cancel_delayed_work_timer(work, &flags);
2672 ++
2673 ++ ret = __kthread_cancel_work(work);
2674 +
2675 + if (worker->current_work != work)
2676 + goto out_fast;
2677 +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
2678 +index 858b96b438cee..cdca007551e71 100644
2679 +--- a/kernel/locking/lockdep.c
2680 ++++ b/kernel/locking/lockdep.c
2681 +@@ -842,7 +842,7 @@ static int count_matching_names(struct lock_class *new_class)
2682 + }
2683 +
2684 + /* used from NMI context -- must be lockless */
2685 +-static __always_inline struct lock_class *
2686 ++static noinstr struct lock_class *
2687 + look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass)
2688 + {
2689 + struct lockdep_subclass_key *key;
2690 +@@ -850,12 +850,14 @@ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass)
2691 + struct lock_class *class;
2692 +
2693 + if (unlikely(subclass >= MAX_LOCKDEP_SUBCLASSES)) {
2694 ++ instrumentation_begin();
2695 + debug_locks_off();
2696 + printk(KERN_ERR
2697 + "BUG: looking up invalid subclass: %u\n", subclass);
2698 + printk(KERN_ERR
2699 + "turning off the locking correctness validator.\n");
2700 + dump_stack();
2701 ++ instrumentation_end();
2702 + return NULL;
2703 + }
2704 +
2705 +diff --git a/kernel/module.c b/kernel/module.c
2706 +index 908d46abe1656..185b2655bc206 100644
2707 +--- a/kernel/module.c
2708 ++++ b/kernel/module.c
2709 +@@ -272,9 +272,18 @@ static void module_assert_mutex_or_preempt(void)
2710 + #endif
2711 + }
2712 +
2713 ++#ifdef CONFIG_MODULE_SIG
2714 + static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
2715 + module_param(sig_enforce, bool_enable_only, 0644);
2716 +
2717 ++void set_module_sig_enforced(void)
2718 ++{
2719 ++ sig_enforce = true;
2720 ++}
2721 ++#else
2722 ++#define sig_enforce false
2723 ++#endif
2724 ++
2725 + /*
2726 + * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
2727 + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
2728 +@@ -285,11 +294,6 @@ bool is_module_sig_enforced(void)
2729 + }
2730 + EXPORT_SYMBOL(is_module_sig_enforced);
2731 +
2732 +-void set_module_sig_enforced(void)
2733 +-{
2734 +- sig_enforce = true;
2735 +-}
2736 +-
2737 + /* Block module loading/unloading? */
2738 + int modules_disabled = 0;
2739 + core_param(nomodule, modules_disabled, bint, 0);
2740 +diff --git a/lib/debug_locks.c b/lib/debug_locks.c
2741 +index 06d3135bd184c..a75ee30b77cb8 100644
2742 +--- a/lib/debug_locks.c
2743 ++++ b/lib/debug_locks.c
2744 +@@ -36,7 +36,7 @@ EXPORT_SYMBOL_GPL(debug_locks_silent);
2745 + /*
2746 + * Generic 'turn off all lock debugging' function:
2747 + */
2748 +-noinstr int debug_locks_off(void)
2749 ++int debug_locks_off(void)
2750 + {
2751 + if (debug_locks && __debug_locks_off()) {
2752 + if (!debug_locks_silent) {
2753 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
2754 +index d9ade23ac2b22..6301ecc1f679a 100644
2755 +--- a/mm/huge_memory.c
2756 ++++ b/mm/huge_memory.c
2757 +@@ -61,6 +61,7 @@ static struct shrinker deferred_split_shrinker;
2758 +
2759 + static atomic_t huge_zero_refcount;
2760 + struct page *huge_zero_page __read_mostly;
2761 ++unsigned long huge_zero_pfn __read_mostly = ~0UL;
2762 +
2763 + bool transparent_hugepage_enabled(struct vm_area_struct *vma)
2764 + {
2765 +@@ -97,6 +98,7 @@ retry:
2766 + __free_pages(zero_page, compound_order(zero_page));
2767 + goto retry;
2768 + }
2769 ++ WRITE_ONCE(huge_zero_pfn, page_to_pfn(zero_page));
2770 +
2771 + /* We take additional reference here. It will be put back by shrinker */
2772 + atomic_set(&huge_zero_refcount, 2);
2773 +@@ -146,6 +148,7 @@ static unsigned long shrink_huge_zero_page_scan(struct shrinker *shrink,
2774 + if (atomic_cmpxchg(&huge_zero_refcount, 1, 0) == 1) {
2775 + struct page *zero_page = xchg(&huge_zero_page, NULL);
2776 + BUG_ON(zero_page == NULL);
2777 ++ WRITE_ONCE(huge_zero_pfn, ~0UL);
2778 + __free_pages(zero_page, compound_order(zero_page));
2779 + return HPAGE_PMD_NR;
2780 + }
2781 +@@ -2031,7 +2034,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
2782 + count_vm_event(THP_SPLIT_PMD);
2783 +
2784 + if (!vma_is_anonymous(vma)) {
2785 +- _pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd);
2786 ++ old_pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd);
2787 + /*
2788 + * We are going to unmap this huge page. So
2789 + * just go ahead and zap it
2790 +@@ -2040,16 +2043,25 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
2791 + zap_deposited_table(mm, pmd);
2792 + if (vma_is_special_huge(vma))
2793 + return;
2794 +- page = pmd_page(_pmd);
2795 +- if (!PageDirty(page) && pmd_dirty(_pmd))
2796 +- set_page_dirty(page);
2797 +- if (!PageReferenced(page) && pmd_young(_pmd))
2798 +- SetPageReferenced(page);
2799 +- page_remove_rmap(page, true);
2800 +- put_page(page);
2801 ++ if (unlikely(is_pmd_migration_entry(old_pmd))) {
2802 ++ swp_entry_t entry;
2803 ++
2804 ++ entry = pmd_to_swp_entry(old_pmd);
2805 ++ page = migration_entry_to_page(entry);
2806 ++ } else {
2807 ++ page = pmd_page(old_pmd);
2808 ++ if (!PageDirty(page) && pmd_dirty(old_pmd))
2809 ++ set_page_dirty(page);
2810 ++ if (!PageReferenced(page) && pmd_young(old_pmd))
2811 ++ SetPageReferenced(page);
2812 ++ page_remove_rmap(page, true);
2813 ++ put_page(page);
2814 ++ }
2815 + add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);
2816 + return;
2817 +- } else if (pmd_trans_huge(*pmd) && is_huge_zero_pmd(*pmd)) {
2818 ++ }
2819 ++
2820 ++ if (is_huge_zero_pmd(*pmd)) {
2821 + /*
2822 + * FIXME: Do we want to invalidate secondary mmu by calling
2823 + * mmu_notifier_invalidate_range() see comments below inside
2824 +@@ -2330,17 +2342,17 @@ void vma_adjust_trans_huge(struct vm_area_struct *vma,
2825 +
2826 + static void unmap_page(struct page *page)
2827 + {
2828 +- enum ttu_flags ttu_flags = TTU_IGNORE_MLOCK |
2829 ++ enum ttu_flags ttu_flags = TTU_IGNORE_MLOCK | TTU_SYNC |
2830 + TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD;
2831 +- bool unmap_success;
2832 +
2833 + VM_BUG_ON_PAGE(!PageHead(page), page);
2834 +
2835 + if (PageAnon(page))
2836 + ttu_flags |= TTU_SPLIT_FREEZE;
2837 +
2838 +- unmap_success = try_to_unmap(page, ttu_flags);
2839 +- VM_BUG_ON_PAGE(!unmap_success, page);
2840 ++ try_to_unmap(page, ttu_flags);
2841 ++
2842 ++ VM_WARN_ON_ONCE_PAGE(page_mapped(page), page);
2843 + }
2844 +
2845 + static void remap_page(struct page *page, unsigned int nr)
2846 +@@ -2630,7 +2642,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
2847 + struct deferred_split *ds_queue = get_deferred_split_queue(head);
2848 + struct anon_vma *anon_vma = NULL;
2849 + struct address_space *mapping = NULL;
2850 +- int count, mapcount, extra_pins, ret;
2851 ++ int extra_pins, ret;
2852 + unsigned long flags;
2853 + pgoff_t end;
2854 +
2855 +@@ -2690,7 +2702,6 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
2856 + }
2857 +
2858 + unmap_page(head);
2859 +- VM_BUG_ON_PAGE(compound_mapcount(head), head);
2860 +
2861 + /* prevent PageLRU to go away from under us, and freeze lru stats */
2862 + spin_lock_irqsave(&pgdata->lru_lock, flags);
2863 +@@ -2709,9 +2720,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
2864 +
2865 + /* Prevent deferred_split_scan() touching ->_refcount */
2866 + spin_lock(&ds_queue->split_queue_lock);
2867 +- count = page_count(head);
2868 +- mapcount = total_mapcount(head);
2869 +- if (!mapcount && page_ref_freeze(head, 1 + extra_pins)) {
2870 ++ if (page_ref_freeze(head, 1 + extra_pins)) {
2871 + if (!list_empty(page_deferred_list(head))) {
2872 + ds_queue->split_queue_len--;
2873 + list_del(page_deferred_list(head));
2874 +@@ -2727,16 +2736,9 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
2875 + __split_huge_page(page, list, end, flags);
2876 + ret = 0;
2877 + } else {
2878 +- if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) {
2879 +- pr_alert("total_mapcount: %u, page_count(): %u\n",
2880 +- mapcount, count);
2881 +- if (PageTail(page))
2882 +- dump_page(head, NULL);
2883 +- dump_page(page, "total_mapcount(head) > 0");
2884 +- BUG();
2885 +- }
2886 + spin_unlock(&ds_queue->split_queue_lock);
2887 +-fail: if (mapping)
2888 ++fail:
2889 ++ if (mapping)
2890 + xa_unlock(&mapping->i_pages);
2891 + spin_unlock_irqrestore(&pgdata->lru_lock, flags);
2892 + remap_page(head, thp_nr_pages(head));
2893 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
2894 +index bc1006a327338..d4f89c2f95446 100644
2895 +--- a/mm/hugetlb.c
2896 ++++ b/mm/hugetlb.c
2897 +@@ -1635,15 +1635,12 @@ struct address_space *hugetlb_page_mapping_lock_write(struct page *hpage)
2898 + return NULL;
2899 + }
2900 +
2901 +-pgoff_t __basepage_index(struct page *page)
2902 ++pgoff_t hugetlb_basepage_index(struct page *page)
2903 + {
2904 + struct page *page_head = compound_head(page);
2905 + pgoff_t index = page_index(page_head);
2906 + unsigned long compound_idx;
2907 +
2908 +- if (!PageHuge(page_head))
2909 +- return page_index(page);
2910 +-
2911 + if (compound_order(page_head) >= MAX_ORDER)
2912 + compound_idx = page_to_pfn(page) - page_to_pfn(page_head);
2913 + else
2914 +diff --git a/mm/internal.h b/mm/internal.h
2915 +index c43ccdddb0f6e..840b8a330b9ac 100644
2916 +--- a/mm/internal.h
2917 ++++ b/mm/internal.h
2918 +@@ -379,27 +379,52 @@ static inline void mlock_migrate_page(struct page *newpage, struct page *page)
2919 + extern pmd_t maybe_pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma);
2920 +
2921 + /*
2922 +- * At what user virtual address is page expected in @vma?
2923 ++ * At what user virtual address is page expected in vma?
2924 ++ * Returns -EFAULT if all of the page is outside the range of vma.
2925 ++ * If page is a compound head, the entire compound page is considered.
2926 + */
2927 + static inline unsigned long
2928 +-__vma_address(struct page *page, struct vm_area_struct *vma)
2929 ++vma_address(struct page *page, struct vm_area_struct *vma)
2930 + {
2931 +- pgoff_t pgoff = page_to_pgoff(page);
2932 +- return vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT);
2933 ++ pgoff_t pgoff;
2934 ++ unsigned long address;
2935 ++
2936 ++ VM_BUG_ON_PAGE(PageKsm(page), page); /* KSM page->index unusable */
2937 ++ pgoff = page_to_pgoff(page);
2938 ++ if (pgoff >= vma->vm_pgoff) {
2939 ++ address = vma->vm_start +
2940 ++ ((pgoff - vma->vm_pgoff) << PAGE_SHIFT);
2941 ++ /* Check for address beyond vma (or wrapped through 0?) */
2942 ++ if (address < vma->vm_start || address >= vma->vm_end)
2943 ++ address = -EFAULT;
2944 ++ } else if (PageHead(page) &&
2945 ++ pgoff + compound_nr(page) - 1 >= vma->vm_pgoff) {
2946 ++ /* Test above avoids possibility of wrap to 0 on 32-bit */
2947 ++ address = vma->vm_start;
2948 ++ } else {
2949 ++ address = -EFAULT;
2950 ++ }
2951 ++ return address;
2952 + }
2953 +
2954 ++/*
2955 ++ * Then at what user virtual address will none of the page be found in vma?
2956 ++ * Assumes that vma_address() already returned a good starting address.
2957 ++ * If page is a compound head, the entire compound page is considered.
2958 ++ */
2959 + static inline unsigned long
2960 +-vma_address(struct page *page, struct vm_area_struct *vma)
2961 ++vma_address_end(struct page *page, struct vm_area_struct *vma)
2962 + {
2963 +- unsigned long start, end;
2964 +-
2965 +- start = __vma_address(page, vma);
2966 +- end = start + thp_size(page) - PAGE_SIZE;
2967 +-
2968 +- /* page should be within @vma mapping range */
2969 +- VM_BUG_ON_VMA(end < vma->vm_start || start >= vma->vm_end, vma);
2970 +-
2971 +- return max(start, vma->vm_start);
2972 ++ pgoff_t pgoff;
2973 ++ unsigned long address;
2974 ++
2975 ++ VM_BUG_ON_PAGE(PageKsm(page), page); /* KSM page->index unusable */
2976 ++ pgoff = page_to_pgoff(page) + compound_nr(page);
2977 ++ address = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT);
2978 ++ /* Check for address beyond vma (or wrapped through 0?) */
2979 ++ if (address < vma->vm_start || address > vma->vm_end)
2980 ++ address = vma->vm_end;
2981 ++ return address;
2982 + }
2983 +
2984 + static inline struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf,
2985 +diff --git a/mm/memory.c b/mm/memory.c
2986 +index b70bd3ba33888..eb31b3e4ef93b 100644
2987 +--- a/mm/memory.c
2988 ++++ b/mm/memory.c
2989 +@@ -1355,7 +1355,18 @@ static inline unsigned long zap_pmd_range(struct mmu_gather *tlb,
2990 + else if (zap_huge_pmd(tlb, vma, pmd, addr))
2991 + goto next;
2992 + /* fall through */
2993 ++ } else if (details && details->single_page &&
2994 ++ PageTransCompound(details->single_page) &&
2995 ++ next - addr == HPAGE_PMD_SIZE && pmd_none(*pmd)) {
2996 ++ spinlock_t *ptl = pmd_lock(tlb->mm, pmd);
2997 ++ /*
2998 ++ * Take and drop THP pmd lock so that we cannot return
2999 ++ * prematurely, while zap_huge_pmd() has cleared *pmd,
3000 ++ * but not yet decremented compound_mapcount().
3001 ++ */
3002 ++ spin_unlock(ptl);
3003 + }
3004 ++
3005 + /*
3006 + * Here there can be other concurrent MADV_DONTNEED or
3007 + * trans huge page faults running, and if the pmd is
3008 +@@ -3185,6 +3196,36 @@ static inline void unmap_mapping_range_tree(struct rb_root_cached *root,
3009 + }
3010 + }
3011 +
3012 ++/**
3013 ++ * unmap_mapping_page() - Unmap single page from processes.
3014 ++ * @page: The locked page to be unmapped.
3015 ++ *
3016 ++ * Unmap this page from any userspace process which still has it mmaped.
3017 ++ * Typically, for efficiency, the range of nearby pages has already been
3018 ++ * unmapped by unmap_mapping_pages() or unmap_mapping_range(). But once
3019 ++ * truncation or invalidation holds the lock on a page, it may find that
3020 ++ * the page has been remapped again: and then uses unmap_mapping_page()
3021 ++ * to unmap it finally.
3022 ++ */
3023 ++void unmap_mapping_page(struct page *page)
3024 ++{
3025 ++ struct address_space *mapping = page->mapping;
3026 ++ struct zap_details details = { };
3027 ++
3028 ++ VM_BUG_ON(!PageLocked(page));
3029 ++ VM_BUG_ON(PageTail(page));
3030 ++
3031 ++ details.check_mapping = mapping;
3032 ++ details.first_index = page->index;
3033 ++ details.last_index = page->index + thp_nr_pages(page) - 1;
3034 ++ details.single_page = page;
3035 ++
3036 ++ i_mmap_lock_write(mapping);
3037 ++ if (unlikely(!RB_EMPTY_ROOT(&mapping->i_mmap.rb_root)))
3038 ++ unmap_mapping_range_tree(&mapping->i_mmap, &details);
3039 ++ i_mmap_unlock_write(mapping);
3040 ++}
3041 ++
3042 + /**
3043 + * unmap_mapping_pages() - Unmap pages from processes.
3044 + * @mapping: The address space containing pages to be unmapped.
3045 +diff --git a/mm/migrate.c b/mm/migrate.c
3046 +index 7982256a51250..278e6f3fa62ce 100644
3047 +--- a/mm/migrate.c
3048 ++++ b/mm/migrate.c
3049 +@@ -326,6 +326,7 @@ void __migration_entry_wait(struct mm_struct *mm, pte_t *ptep,
3050 + goto out;
3051 +
3052 + page = migration_entry_to_page(entry);
3053 ++ page = compound_head(page);
3054 +
3055 + /*
3056 + * Once page cache replacement of page migration started, page_count
3057 +diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c
3058 +index 5e77b269c330a..610ebbee787cc 100644
3059 +--- a/mm/page_vma_mapped.c
3060 ++++ b/mm/page_vma_mapped.c
3061 +@@ -115,6 +115,13 @@ static bool check_pte(struct page_vma_mapped_walk *pvmw)
3062 + return pfn_is_match(pvmw->page, pfn);
3063 + }
3064 +
3065 ++static void step_forward(struct page_vma_mapped_walk *pvmw, unsigned long size)
3066 ++{
3067 ++ pvmw->address = (pvmw->address + size) & ~(size - 1);
3068 ++ if (!pvmw->address)
3069 ++ pvmw->address = ULONG_MAX;
3070 ++}
3071 ++
3072 + /**
3073 + * page_vma_mapped_walk - check if @pvmw->page is mapped in @pvmw->vma at
3074 + * @pvmw->address
3075 +@@ -143,6 +150,7 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
3076 + {
3077 + struct mm_struct *mm = pvmw->vma->vm_mm;
3078 + struct page *page = pvmw->page;
3079 ++ unsigned long end;
3080 + pgd_t *pgd;
3081 + p4d_t *p4d;
3082 + pud_t *pud;
3083 +@@ -152,10 +160,11 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
3084 + if (pvmw->pmd && !pvmw->pte)
3085 + return not_found(pvmw);
3086 +
3087 +- if (pvmw->pte)
3088 +- goto next_pte;
3089 ++ if (unlikely(PageHuge(page))) {
3090 ++ /* The only possible mapping was handled on last iteration */
3091 ++ if (pvmw->pte)
3092 ++ return not_found(pvmw);
3093 +
3094 +- if (unlikely(PageHuge(pvmw->page))) {
3095 + /* when pud is not present, pte will be NULL */
3096 + pvmw->pte = huge_pte_offset(mm, pvmw->address, page_size(page));
3097 + if (!pvmw->pte)
3098 +@@ -167,78 +176,108 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
3099 + return not_found(pvmw);
3100 + return true;
3101 + }
3102 +-restart:
3103 +- pgd = pgd_offset(mm, pvmw->address);
3104 +- if (!pgd_present(*pgd))
3105 +- return false;
3106 +- p4d = p4d_offset(pgd, pvmw->address);
3107 +- if (!p4d_present(*p4d))
3108 +- return false;
3109 +- pud = pud_offset(p4d, pvmw->address);
3110 +- if (!pud_present(*pud))
3111 +- return false;
3112 +- pvmw->pmd = pmd_offset(pud, pvmw->address);
3113 ++
3114 + /*
3115 +- * Make sure the pmd value isn't cached in a register by the
3116 +- * compiler and used as a stale value after we've observed a
3117 +- * subsequent update.
3118 ++ * Seek to next pte only makes sense for THP.
3119 ++ * But more important than that optimization, is to filter out
3120 ++ * any PageKsm page: whose page->index misleads vma_address()
3121 ++ * and vma_address_end() to disaster.
3122 + */
3123 +- pmde = READ_ONCE(*pvmw->pmd);
3124 +- if (pmd_trans_huge(pmde) || is_pmd_migration_entry(pmde)) {
3125 +- pvmw->ptl = pmd_lock(mm, pvmw->pmd);
3126 +- if (likely(pmd_trans_huge(*pvmw->pmd))) {
3127 +- if (pvmw->flags & PVMW_MIGRATION)
3128 +- return not_found(pvmw);
3129 +- if (pmd_page(*pvmw->pmd) != page)
3130 +- return not_found(pvmw);
3131 +- return true;
3132 +- } else if (!pmd_present(*pvmw->pmd)) {
3133 +- if (thp_migration_supported()) {
3134 +- if (!(pvmw->flags & PVMW_MIGRATION))
3135 ++ end = PageTransCompound(page) ?
3136 ++ vma_address_end(page, pvmw->vma) :
3137 ++ pvmw->address + PAGE_SIZE;
3138 ++ if (pvmw->pte)
3139 ++ goto next_pte;
3140 ++restart:
3141 ++ do {
3142 ++ pgd = pgd_offset(mm, pvmw->address);
3143 ++ if (!pgd_present(*pgd)) {
3144 ++ step_forward(pvmw, PGDIR_SIZE);
3145 ++ continue;
3146 ++ }
3147 ++ p4d = p4d_offset(pgd, pvmw->address);
3148 ++ if (!p4d_present(*p4d)) {
3149 ++ step_forward(pvmw, P4D_SIZE);
3150 ++ continue;
3151 ++ }
3152 ++ pud = pud_offset(p4d, pvmw->address);
3153 ++ if (!pud_present(*pud)) {
3154 ++ step_forward(pvmw, PUD_SIZE);
3155 ++ continue;
3156 ++ }
3157 ++
3158 ++ pvmw->pmd = pmd_offset(pud, pvmw->address);
3159 ++ /*
3160 ++ * Make sure the pmd value isn't cached in a register by the
3161 ++ * compiler and used as a stale value after we've observed a
3162 ++ * subsequent update.
3163 ++ */
3164 ++ pmde = READ_ONCE(*pvmw->pmd);
3165 ++
3166 ++ if (pmd_trans_huge(pmde) || is_pmd_migration_entry(pmde)) {
3167 ++ pvmw->ptl = pmd_lock(mm, pvmw->pmd);
3168 ++ pmde = *pvmw->pmd;
3169 ++ if (likely(pmd_trans_huge(pmde))) {
3170 ++ if (pvmw->flags & PVMW_MIGRATION)
3171 + return not_found(pvmw);
3172 +- if (is_migration_entry(pmd_to_swp_entry(*pvmw->pmd))) {
3173 +- swp_entry_t entry = pmd_to_swp_entry(*pvmw->pmd);
3174 ++ if (pmd_page(pmde) != page)
3175 ++ return not_found(pvmw);
3176 ++ return true;
3177 ++ }
3178 ++ if (!pmd_present(pmde)) {
3179 ++ swp_entry_t entry;
3180 +
3181 +- if (migration_entry_to_page(entry) != page)
3182 +- return not_found(pvmw);
3183 +- return true;
3184 +- }
3185 ++ if (!thp_migration_supported() ||
3186 ++ !(pvmw->flags & PVMW_MIGRATION))
3187 ++ return not_found(pvmw);
3188 ++ entry = pmd_to_swp_entry(pmde);
3189 ++ if (!is_migration_entry(entry) ||
3190 ++ migration_entry_to_page(entry) != page)
3191 ++ return not_found(pvmw);
3192 ++ return true;
3193 + }
3194 +- return not_found(pvmw);
3195 +- } else {
3196 + /* THP pmd was split under us: handle on pte level */
3197 + spin_unlock(pvmw->ptl);
3198 + pvmw->ptl = NULL;
3199 ++ } else if (!pmd_present(pmde)) {
3200 ++ /*
3201 ++ * If PVMW_SYNC, take and drop THP pmd lock so that we
3202 ++ * cannot return prematurely, while zap_huge_pmd() has
3203 ++ * cleared *pmd but not decremented compound_mapcount().
3204 ++ */
3205 ++ if ((pvmw->flags & PVMW_SYNC) &&
3206 ++ PageTransCompound(page)) {
3207 ++ spinlock_t *ptl = pmd_lock(mm, pvmw->pmd);
3208 ++
3209 ++ spin_unlock(ptl);
3210 ++ }
3211 ++ step_forward(pvmw, PMD_SIZE);
3212 ++ continue;
3213 + }
3214 +- } else if (!pmd_present(pmde)) {
3215 +- return false;
3216 +- }
3217 +- if (!map_pte(pvmw))
3218 +- goto next_pte;
3219 +- while (1) {
3220 ++ if (!map_pte(pvmw))
3221 ++ goto next_pte;
3222 ++this_pte:
3223 + if (check_pte(pvmw))
3224 + return true;
3225 + next_pte:
3226 +- /* Seek to next pte only makes sense for THP */
3227 +- if (!PageTransHuge(pvmw->page) || PageHuge(pvmw->page))
3228 +- return not_found(pvmw);
3229 + do {
3230 + pvmw->address += PAGE_SIZE;
3231 +- if (pvmw->address >= pvmw->vma->vm_end ||
3232 +- pvmw->address >=
3233 +- __vma_address(pvmw->page, pvmw->vma) +
3234 +- thp_size(pvmw->page))
3235 ++ if (pvmw->address >= end)
3236 + return not_found(pvmw);
3237 + /* Did we cross page table boundary? */
3238 +- if (pvmw->address % PMD_SIZE == 0) {
3239 +- pte_unmap(pvmw->pte);
3240 ++ if ((pvmw->address & (PMD_SIZE - PAGE_SIZE)) == 0) {
3241 + if (pvmw->ptl) {
3242 + spin_unlock(pvmw->ptl);
3243 + pvmw->ptl = NULL;
3244 + }
3245 ++ pte_unmap(pvmw->pte);
3246 ++ pvmw->pte = NULL;
3247 + goto restart;
3248 +- } else {
3249 +- pvmw->pte++;
3250 ++ }
3251 ++ pvmw->pte++;
3252 ++ if ((pvmw->flags & PVMW_SYNC) && !pvmw->ptl) {
3253 ++ pvmw->ptl = pte_lockptr(mm, pvmw->pmd);
3254 ++ spin_lock(pvmw->ptl);
3255 + }
3256 + } while (pte_none(*pvmw->pte));
3257 +
3258 +@@ -246,7 +285,10 @@ next_pte:
3259 + pvmw->ptl = pte_lockptr(mm, pvmw->pmd);
3260 + spin_lock(pvmw->ptl);
3261 + }
3262 +- }
3263 ++ goto this_pte;
3264 ++ } while (pvmw->address < end);
3265 ++
3266 ++ return false;
3267 + }
3268 +
3269 + /**
3270 +@@ -265,14 +307,10 @@ int page_mapped_in_vma(struct page *page, struct vm_area_struct *vma)
3271 + .vma = vma,
3272 + .flags = PVMW_SYNC,
3273 + };
3274 +- unsigned long start, end;
3275 +-
3276 +- start = __vma_address(page, vma);
3277 +- end = start + thp_size(page) - PAGE_SIZE;
3278 +
3279 +- if (unlikely(end < vma->vm_start || start >= vma->vm_end))
3280 ++ pvmw.address = vma_address(page, vma);
3281 ++ if (pvmw.address == -EFAULT)
3282 + return 0;
3283 +- pvmw.address = max(start, vma->vm_start);
3284 + if (!page_vma_mapped_walk(&pvmw))
3285 + return 0;
3286 + page_vma_mapped_walk_done(&pvmw);
3287 +diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c
3288 +index 9578db83e312f..4e640baf97948 100644
3289 +--- a/mm/pgtable-generic.c
3290 ++++ b/mm/pgtable-generic.c
3291 +@@ -135,8 +135,8 @@ pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, unsigned long address,
3292 + {
3293 + pmd_t pmd;
3294 + VM_BUG_ON(address & ~HPAGE_PMD_MASK);
3295 +- VM_BUG_ON((pmd_present(*pmdp) && !pmd_trans_huge(*pmdp) &&
3296 +- !pmd_devmap(*pmdp)) || !pmd_present(*pmdp));
3297 ++ VM_BUG_ON(pmd_present(*pmdp) && !pmd_trans_huge(*pmdp) &&
3298 ++ !pmd_devmap(*pmdp));
3299 + pmd = pmdp_huge_get_and_clear(vma->vm_mm, address, pmdp);
3300 + flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
3301 + return pmd;
3302 +diff --git a/mm/rmap.c b/mm/rmap.c
3303 +index 6657000b18d41..14f84f70c5571 100644
3304 +--- a/mm/rmap.c
3305 ++++ b/mm/rmap.c
3306 +@@ -700,7 +700,6 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags)
3307 + */
3308 + unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma)
3309 + {
3310 +- unsigned long address;
3311 + if (PageAnon(page)) {
3312 + struct anon_vma *page__anon_vma = page_anon_vma(page);
3313 + /*
3314 +@@ -710,15 +709,13 @@ unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma)
3315 + if (!vma->anon_vma || !page__anon_vma ||
3316 + vma->anon_vma->root != page__anon_vma->root)
3317 + return -EFAULT;
3318 +- } else if (page->mapping) {
3319 +- if (!vma->vm_file || vma->vm_file->f_mapping != page->mapping)
3320 +- return -EFAULT;
3321 +- } else
3322 ++ } else if (!vma->vm_file) {
3323 + return -EFAULT;
3324 +- address = __vma_address(page, vma);
3325 +- if (unlikely(address < vma->vm_start || address >= vma->vm_end))
3326 ++ } else if (vma->vm_file->f_mapping != compound_head(page)->mapping) {
3327 + return -EFAULT;
3328 +- return address;
3329 ++ }
3330 ++
3331 ++ return vma_address(page, vma);
3332 + }
3333 +
3334 + pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address)
3335 +@@ -912,7 +909,7 @@ static bool page_mkclean_one(struct page *page, struct vm_area_struct *vma,
3336 + */
3337 + mmu_notifier_range_init(&range, MMU_NOTIFY_PROTECTION_PAGE,
3338 + 0, vma, vma->vm_mm, address,
3339 +- min(vma->vm_end, address + page_size(page)));
3340 ++ vma_address_end(page, vma));
3341 + mmu_notifier_invalidate_range_start(&range);
3342 +
3343 + while (page_vma_mapped_walk(&pvmw)) {
3344 +@@ -1385,6 +1382,15 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
3345 + struct mmu_notifier_range range;
3346 + enum ttu_flags flags = (enum ttu_flags)(long)arg;
3347 +
3348 ++ /*
3349 ++ * When racing against e.g. zap_pte_range() on another cpu,
3350 ++ * in between its ptep_get_and_clear_full() and page_remove_rmap(),
3351 ++ * try_to_unmap() may return false when it is about to become true,
3352 ++ * if page table locking is skipped: use TTU_SYNC to wait for that.
3353 ++ */
3354 ++ if (flags & TTU_SYNC)
3355 ++ pvmw.flags = PVMW_SYNC;
3356 ++
3357 + /* munlock has nothing to gain from examining un-locked vmas */
3358 + if ((flags & TTU_MUNLOCK) && !(vma->vm_flags & VM_LOCKED))
3359 + return true;
3360 +@@ -1406,9 +1412,10 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
3361 + * Note that the page can not be free in this function as call of
3362 + * try_to_unmap() must hold a reference on the page.
3363 + */
3364 ++ range.end = PageKsm(page) ?
3365 ++ address + PAGE_SIZE : vma_address_end(page, vma);
3366 + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,
3367 +- address,
3368 +- min(vma->vm_end, address + page_size(page)));
3369 ++ address, range.end);
3370 + if (PageHuge(page)) {
3371 + /*
3372 + * If sharing is possible, start and end will be adjusted
3373 +@@ -1716,9 +1723,9 @@ static bool invalid_migration_vma(struct vm_area_struct *vma, void *arg)
3374 + return vma_is_temporary_stack(vma);
3375 + }
3376 +
3377 +-static int page_mapcount_is_zero(struct page *page)
3378 ++static int page_not_mapped(struct page *page)
3379 + {
3380 +- return !total_mapcount(page);
3381 ++ return !page_mapped(page);
3382 + }
3383 +
3384 + /**
3385 +@@ -1736,7 +1743,7 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags)
3386 + struct rmap_walk_control rwc = {
3387 + .rmap_one = try_to_unmap_one,
3388 + .arg = (void *)flags,
3389 +- .done = page_mapcount_is_zero,
3390 ++ .done = page_not_mapped,
3391 + .anon_lock = page_lock_anon_vma_read,
3392 + };
3393 +
3394 +@@ -1757,14 +1764,15 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags)
3395 + else
3396 + rmap_walk(page, &rwc);
3397 +
3398 +- return !page_mapcount(page) ? true : false;
3399 ++ /*
3400 ++ * When racing against e.g. zap_pte_range() on another cpu,
3401 ++ * in between its ptep_get_and_clear_full() and page_remove_rmap(),
3402 ++ * try_to_unmap() may return false when it is about to become true,
3403 ++ * if page table locking is skipped: use TTU_SYNC to wait for that.
3404 ++ */
3405 ++ return !page_mapcount(page);
3406 + }
3407 +
3408 +-static int page_not_mapped(struct page *page)
3409 +-{
3410 +- return !page_mapped(page);
3411 +-};
3412 +-
3413 + /**
3414 + * try_to_munlock - try to munlock a page
3415 + * @page: the page to be munlocked
3416 +@@ -1859,6 +1867,7 @@ static void rmap_walk_anon(struct page *page, struct rmap_walk_control *rwc,
3417 + struct vm_area_struct *vma = avc->vma;
3418 + unsigned long address = vma_address(page, vma);
3419 +
3420 ++ VM_BUG_ON_VMA(address == -EFAULT, vma);
3421 + cond_resched();
3422 +
3423 + if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
3424 +@@ -1913,6 +1922,7 @@ static void rmap_walk_file(struct page *page, struct rmap_walk_control *rwc,
3425 + pgoff_start, pgoff_end) {
3426 + unsigned long address = vma_address(page, vma);
3427 +
3428 ++ VM_BUG_ON_VMA(address == -EFAULT, vma);
3429 + cond_resched();
3430 +
3431 + if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
3432 +diff --git a/mm/truncate.c b/mm/truncate.c
3433 +index 960edf5803ca9..8914ca4ce4b1e 100644
3434 +--- a/mm/truncate.c
3435 ++++ b/mm/truncate.c
3436 +@@ -173,13 +173,10 @@ void do_invalidatepage(struct page *page, unsigned int offset,
3437 + * its lock, b) when a concurrent invalidate_mapping_pages got there first and
3438 + * c) when tmpfs swizzles a page between a tmpfs inode and swapper_space.
3439 + */
3440 +-static void
3441 +-truncate_cleanup_page(struct address_space *mapping, struct page *page)
3442 ++static void truncate_cleanup_page(struct page *page)
3443 + {
3444 +- if (page_mapped(page)) {
3445 +- unsigned int nr = thp_nr_pages(page);
3446 +- unmap_mapping_pages(mapping, page->index, nr, false);
3447 +- }
3448 ++ if (page_mapped(page))
3449 ++ unmap_mapping_page(page);
3450 +
3451 + if (page_has_private(page))
3452 + do_invalidatepage(page, 0, thp_size(page));
3453 +@@ -224,7 +221,7 @@ int truncate_inode_page(struct address_space *mapping, struct page *page)
3454 + if (page->mapping != mapping)
3455 + return -EIO;
3456 +
3457 +- truncate_cleanup_page(mapping, page);
3458 ++ truncate_cleanup_page(page);
3459 + delete_from_page_cache(page);
3460 + return 0;
3461 + }
3462 +@@ -362,7 +359,7 @@ void truncate_inode_pages_range(struct address_space *mapping,
3463 + pagevec_add(&locked_pvec, page);
3464 + }
3465 + for (i = 0; i < pagevec_count(&locked_pvec); i++)
3466 +- truncate_cleanup_page(mapping, locked_pvec.pages[i]);
3467 ++ truncate_cleanup_page(locked_pvec.pages[i]);
3468 + delete_from_page_cache_batch(mapping, &locked_pvec);
3469 + for (i = 0; i < pagevec_count(&locked_pvec); i++)
3470 + unlock_page(locked_pvec.pages[i]);
3471 +@@ -737,6 +734,16 @@ int invalidate_inode_pages2_range(struct address_space *mapping,
3472 + continue;
3473 + }
3474 +
3475 ++ if (!did_range_unmap && page_mapped(page)) {
3476 ++ /*
3477 ++ * If page is mapped, before taking its lock,
3478 ++ * zap the rest of the file in one hit.
3479 ++ */
3480 ++ unmap_mapping_pages(mapping, index,
3481 ++ (1 + end - index), false);
3482 ++ did_range_unmap = 1;
3483 ++ }
3484 ++
3485 + lock_page(page);
3486 + WARN_ON(page_to_index(page) != index);
3487 + if (page->mapping != mapping) {
3488 +@@ -744,23 +751,11 @@ int invalidate_inode_pages2_range(struct address_space *mapping,
3489 + continue;
3490 + }
3491 + wait_on_page_writeback(page);
3492 +- if (page_mapped(page)) {
3493 +- if (!did_range_unmap) {
3494 +- /*
3495 +- * Zap the rest of the file in one hit.
3496 +- */
3497 +- unmap_mapping_pages(mapping, index,
3498 +- (1 + end - index), false);
3499 +- did_range_unmap = 1;
3500 +- } else {
3501 +- /*
3502 +- * Just zap this page
3503 +- */
3504 +- unmap_mapping_pages(mapping, index,
3505 +- 1, false);
3506 +- }
3507 +- }
3508 ++
3509 ++ if (page_mapped(page))
3510 ++ unmap_mapping_page(page);
3511 + BUG_ON(page_mapped(page));
3512 ++
3513 + ret2 = do_launder_page(mapping, page);
3514 + if (ret2 == 0) {
3515 + if (!invalidate_complete_page2(mapping, page))
3516 +diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
3517 +index 2917af3f5ac19..68ff19af195c6 100644
3518 +--- a/net/ethtool/ioctl.c
3519 ++++ b/net/ethtool/ioctl.c
3520 +@@ -1421,7 +1421,7 @@ static int ethtool_get_any_eeprom(struct net_device *dev, void __user *useraddr,
3521 + if (eeprom.offset + eeprom.len > total_len)
3522 + return -EINVAL;
3523 +
3524 +- data = kmalloc(PAGE_SIZE, GFP_USER);
3525 ++ data = kzalloc(PAGE_SIZE, GFP_USER);
3526 + if (!data)
3527 + return -ENOMEM;
3528 +
3529 +@@ -1486,7 +1486,7 @@ static int ethtool_set_eeprom(struct net_device *dev, void __user *useraddr)
3530 + if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
3531 + return -EINVAL;
3532 +
3533 +- data = kmalloc(PAGE_SIZE, GFP_USER);
3534 ++ data = kzalloc(PAGE_SIZE, GFP_USER);
3535 + if (!data)
3536 + return -ENOMEM;
3537 +
3538 +@@ -1765,7 +1765,7 @@ static int ethtool_self_test(struct net_device *dev, char __user *useraddr)
3539 + return -EFAULT;
3540 +
3541 + test.len = test_len;
3542 +- data = kmalloc_array(test_len, sizeof(u64), GFP_USER);
3543 ++ data = kcalloc(test_len, sizeof(u64), GFP_USER);
3544 + if (!data)
3545 + return -ENOMEM;
3546 +
3547 +@@ -2281,7 +2281,7 @@ static int ethtool_get_tunable(struct net_device *dev, void __user *useraddr)
3548 + ret = ethtool_tunable_valid(&tuna);
3549 + if (ret)
3550 + return ret;
3551 +- data = kmalloc(tuna.len, GFP_USER);
3552 ++ data = kzalloc(tuna.len, GFP_USER);
3553 + if (!data)
3554 + return -ENOMEM;
3555 + ret = ops->get_tunable(dev, &tuna, data);
3556 +@@ -2473,7 +2473,7 @@ static int get_phy_tunable(struct net_device *dev, void __user *useraddr)
3557 + ret = ethtool_phy_tunable_valid(&tuna);
3558 + if (ret)
3559 + return ret;
3560 +- data = kmalloc(tuna.len, GFP_USER);
3561 ++ data = kzalloc(tuna.len, GFP_USER);
3562 + if (!data)
3563 + return -ENOMEM;
3564 + if (phy_drv_tunable) {
3565 +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
3566 +index b7260c8cef2e5..8267349afe231 100644
3567 +--- a/net/ipv4/af_inet.c
3568 ++++ b/net/ipv4/af_inet.c
3569 +@@ -572,7 +572,7 @@ int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr,
3570 + return err;
3571 + }
3572 +
3573 +- if (!inet_sk(sk)->inet_num && inet_autobind(sk))
3574 ++ if (data_race(!inet_sk(sk)->inet_num) && inet_autobind(sk))
3575 + return -EAGAIN;
3576 + return sk->sk_prot->connect(sk, uaddr, addr_len);
3577 + }
3578 +@@ -799,7 +799,7 @@ int inet_send_prepare(struct sock *sk)
3579 + sock_rps_record_flow(sk);
3580 +
3581 + /* We may need to bind the socket. */
3582 +- if (!inet_sk(sk)->inet_num && !sk->sk_prot->no_autobind &&
3583 ++ if (data_race(!inet_sk(sk)->inet_num) && !sk->sk_prot->no_autobind &&
3584 + inet_autobind(sk))
3585 + return -EAGAIN;
3586 +
3587 +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
3588 +index 123a6d39438f8..7c18597774297 100644
3589 +--- a/net/ipv4/devinet.c
3590 ++++ b/net/ipv4/devinet.c
3591 +@@ -1989,7 +1989,7 @@ static int inet_set_link_af(struct net_device *dev, const struct nlattr *nla)
3592 + return -EAFNOSUPPORT;
3593 +
3594 + if (nla_parse_nested_deprecated(tb, IFLA_INET_MAX, nla, NULL, NULL) < 0)
3595 +- BUG();
3596 ++ return -EINVAL;
3597 +
3598 + if (tb[IFLA_INET_CONF]) {
3599 + nla_for_each_nested(a, tb[IFLA_INET_CONF], rem)
3600 +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
3601 +index 248856b301c45..8ce8b7300b9d3 100644
3602 +--- a/net/ipv4/ping.c
3603 ++++ b/net/ipv4/ping.c
3604 +@@ -952,6 +952,7 @@ bool ping_rcv(struct sk_buff *skb)
3605 + struct sock *sk;
3606 + struct net *net = dev_net(skb->dev);
3607 + struct icmphdr *icmph = icmp_hdr(skb);
3608 ++ bool rc = false;
3609 +
3610 + /* We assume the packet has already been checked by icmp_rcv */
3611 +
3612 +@@ -966,14 +967,15 @@ bool ping_rcv(struct sk_buff *skb)
3613 + struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
3614 +
3615 + pr_debug("rcv on socket %p\n", sk);
3616 +- if (skb2)
3617 +- ping_queue_rcv_skb(sk, skb2);
3618 ++ if (skb2 && !ping_queue_rcv_skb(sk, skb2))
3619 ++ rc = true;
3620 + sock_put(sk);
3621 +- return true;
3622 + }
3623 +- pr_debug("no socket, dropping\n");
3624 +
3625 +- return false;
3626 ++ if (!rc)
3627 ++ pr_debug("no socket, dropping\n");
3628 ++
3629 ++ return rc;
3630 + }
3631 + EXPORT_SYMBOL_GPL(ping_rcv);
3632 +
3633 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
3634 +index 4c881f5d9080c..884d430e23cb3 100644
3635 +--- a/net/ipv6/addrconf.c
3636 ++++ b/net/ipv6/addrconf.c
3637 +@@ -5799,7 +5799,7 @@ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla)
3638 + return -EAFNOSUPPORT;
3639 +
3640 + if (nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL) < 0)
3641 +- BUG();
3642 ++ return -EINVAL;
3643 +
3644 + if (tb[IFLA_INET6_TOKEN]) {
3645 + err = inet6_set_iftoken(idev, nla_data(tb[IFLA_INET6_TOKEN]));
3646 +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
3647 +index be40f6b16199f..a83f0c2fcdf77 100644
3648 +--- a/net/mac80211/ieee80211_i.h
3649 ++++ b/net/mac80211/ieee80211_i.h
3650 +@@ -1445,7 +1445,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
3651 + rcu_read_lock();
3652 + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
3653 +
3654 +- if (WARN_ON_ONCE(!chanctx_conf)) {
3655 ++ if (!chanctx_conf) {
3656 + rcu_read_unlock();
3657 + return NULL;
3658 + }
3659 +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
3660 +index 6d3220c66931a..fbe26e912300d 100644
3661 +--- a/net/mac80211/mlme.c
3662 ++++ b/net/mac80211/mlme.c
3663 +@@ -4019,10 +4019,14 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
3664 + if (elems.mbssid_config_ie)
3665 + bss_conf->profile_periodicity =
3666 + elems.mbssid_config_ie->profile_periodicity;
3667 ++ else
3668 ++ bss_conf->profile_periodicity = 0;
3669 +
3670 + if (elems.ext_capab_len >= 11 &&
3671 + (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
3672 + bss_conf->ema_ap = true;
3673 ++ else
3674 ++ bss_conf->ema_ap = false;
3675 +
3676 + /* continue assoc process */
3677 + ifmgd->assoc_data->timeout = jiffies;
3678 +@@ -5749,12 +5753,16 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
3679 + beacon_ies->data, beacon_ies->len);
3680 + if (elem && elem->datalen >= 3)
3681 + sdata->vif.bss_conf.profile_periodicity = elem->data[2];
3682 ++ else
3683 ++ sdata->vif.bss_conf.profile_periodicity = 0;
3684 +
3685 + elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
3686 + beacon_ies->data, beacon_ies->len);
3687 + if (elem && elem->datalen >= 11 &&
3688 + (elem->data[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
3689 + sdata->vif.bss_conf.ema_ap = true;
3690 ++ else
3691 ++ sdata->vif.bss_conf.ema_ap = false;
3692 + } else {
3693 + assoc_data->timeout = jiffies;
3694 + assoc_data->timeout_started = true;
3695 +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
3696 +index ef8ff0bc66f17..38b5695c2a0c8 100644
3697 +--- a/net/mac80211/rx.c
3698 ++++ b/net/mac80211/rx.c
3699 +@@ -2250,17 +2250,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
3700 + sc = le16_to_cpu(hdr->seq_ctrl);
3701 + frag = sc & IEEE80211_SCTL_FRAG;
3702 +
3703 +- if (is_multicast_ether_addr(hdr->addr1)) {
3704 +- I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
3705 +- goto out_no_led;
3706 +- }
3707 +-
3708 + if (rx->sta)
3709 + cache = &rx->sta->frags;
3710 +
3711 + if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
3712 + goto out;
3713 +
3714 ++ if (is_multicast_ether_addr(hdr->addr1))
3715 ++ return RX_DROP_MONITOR;
3716 ++
3717 + I802_DEBUG_INC(rx->local->rx_handlers_fragments);
3718 +
3719 + if (skb_linearize(rx->skb))
3720 +@@ -2386,7 +2384,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
3721 +
3722 + out:
3723 + ieee80211_led_rx(rx->local);
3724 +- out_no_led:
3725 + if (rx->sta)
3726 + rx->sta->rx_stats.packets++;
3727 + return RX_CONTINUE;
3728 +diff --git a/net/mac80211/util.c b/net/mac80211/util.c
3729 +index d8f9fb0646a4d..fbf56a203c0e8 100644
3730 +--- a/net/mac80211/util.c
3731 ++++ b/net/mac80211/util.c
3732 +@@ -954,7 +954,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
3733 +
3734 + switch (elem->data[0]) {
3735 + case WLAN_EID_EXT_HE_MU_EDCA:
3736 +- if (len == sizeof(*elems->mu_edca_param_set)) {
3737 ++ if (len >= sizeof(*elems->mu_edca_param_set)) {
3738 + elems->mu_edca_param_set = data;
3739 + if (crc)
3740 + *crc = crc32_be(*crc, (void *)elem,
3741 +@@ -975,7 +975,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
3742 + }
3743 + break;
3744 + case WLAN_EID_EXT_UORA:
3745 +- if (len == 1)
3746 ++ if (len >= 1)
3747 + elems->uora_element = data;
3748 + break;
3749 + case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
3750 +@@ -983,7 +983,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
3751 + elems->max_channel_switch_time = data;
3752 + break;
3753 + case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
3754 +- if (len == sizeof(*elems->mbssid_config_ie))
3755 ++ if (len >= sizeof(*elems->mbssid_config_ie))
3756 + elems->mbssid_config_ie = data;
3757 + break;
3758 + case WLAN_EID_EXT_HE_SPR:
3759 +@@ -992,7 +992,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
3760 + elems->he_spr = data;
3761 + break;
3762 + case WLAN_EID_EXT_HE_6GHZ_CAPA:
3763 +- if (len == sizeof(*elems->he_6ghz_capa))
3764 ++ if (len >= sizeof(*elems->he_6ghz_capa))
3765 + elems->he_6ghz_capa = data;
3766 + break;
3767 + }
3768 +@@ -1081,14 +1081,14 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
3769 +
3770 + switch (id) {
3771 + case WLAN_EID_LINK_ID:
3772 +- if (elen + 2 != sizeof(struct ieee80211_tdls_lnkie)) {
3773 ++ if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
3774 + elem_parse_failed = true;
3775 + break;
3776 + }
3777 + elems->lnk_id = (void *)(pos - 2);
3778 + break;
3779 + case WLAN_EID_CHAN_SWITCH_TIMING:
3780 +- if (elen != sizeof(struct ieee80211_ch_switch_timing)) {
3781 ++ if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
3782 + elem_parse_failed = true;
3783 + break;
3784 + }
3785 +@@ -1251,7 +1251,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
3786 + elems->sec_chan_offs = (void *)pos;
3787 + break;
3788 + case WLAN_EID_CHAN_SWITCH_PARAM:
3789 +- if (elen !=
3790 ++ if (elen <
3791 + sizeof(*elems->mesh_chansw_params_ie)) {
3792 + elem_parse_failed = true;
3793 + break;
3794 +@@ -1260,7 +1260,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
3795 + break;
3796 + case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
3797 + if (!action ||
3798 +- elen != sizeof(*elems->wide_bw_chansw_ie)) {
3799 ++ elen < sizeof(*elems->wide_bw_chansw_ie)) {
3800 + elem_parse_failed = true;
3801 + break;
3802 + }
3803 +@@ -1279,7 +1279,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
3804 + ie = cfg80211_find_ie(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
3805 + pos, elen);
3806 + if (ie) {
3807 +- if (ie[1] == sizeof(*elems->wide_bw_chansw_ie))
3808 ++ if (ie[1] >= sizeof(*elems->wide_bw_chansw_ie))
3809 + elems->wide_bw_chansw_ie =
3810 + (void *)(ie + 2);
3811 + else
3812 +@@ -1323,7 +1323,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
3813 + elems->cisco_dtpc_elem = pos;
3814 + break;
3815 + case WLAN_EID_ADDBA_EXT:
3816 +- if (elen != sizeof(struct ieee80211_addba_ext_ie)) {
3817 ++ if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
3818 + elem_parse_failed = true;
3819 + break;
3820 + }
3821 +@@ -1349,7 +1349,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
3822 + elem, elems);
3823 + break;
3824 + case WLAN_EID_S1G_CAPABILITIES:
3825 +- if (elen == sizeof(*elems->s1g_capab))
3826 ++ if (elen >= sizeof(*elems->s1g_capab))
3827 + elems->s1g_capab = (void *)pos;
3828 + else
3829 + elem_parse_failed = true;
3830 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
3831 +index ddb68aa836f71..08144559eed56 100644
3832 +--- a/net/packet/af_packet.c
3833 ++++ b/net/packet/af_packet.c
3834 +@@ -2682,7 +2682,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
3835 + }
3836 + if (likely(saddr == NULL)) {
3837 + dev = packet_cached_dev_get(po);
3838 +- proto = po->num;
3839 ++ proto = READ_ONCE(po->num);
3840 + } else {
3841 + err = -EINVAL;
3842 + if (msg->msg_namelen < sizeof(struct sockaddr_ll))
3843 +@@ -2895,7 +2895,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
3844 +
3845 + if (likely(saddr == NULL)) {
3846 + dev = packet_cached_dev_get(po);
3847 +- proto = po->num;
3848 ++ proto = READ_ONCE(po->num);
3849 + } else {
3850 + err = -EINVAL;
3851 + if (msg->msg_namelen < sizeof(struct sockaddr_ll))
3852 +@@ -3033,10 +3033,13 @@ static int packet_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
3853 + struct sock *sk = sock->sk;
3854 + struct packet_sock *po = pkt_sk(sk);
3855 +
3856 +- if (po->tx_ring.pg_vec)
3857 ++ /* Reading tx_ring.pg_vec without holding pg_vec_lock is racy.
3858 ++ * tpacket_snd() will redo the check safely.
3859 ++ */
3860 ++ if (data_race(po->tx_ring.pg_vec))
3861 + return tpacket_snd(po, msg);
3862 +- else
3863 +- return packet_snd(sock, msg, len);
3864 ++
3865 ++ return packet_snd(sock, msg, len);
3866 + }
3867 +
3868 + /*
3869 +@@ -3167,7 +3170,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
3870 + /* prevents packet_notifier() from calling
3871 + * register_prot_hook()
3872 + */
3873 +- po->num = 0;
3874 ++ WRITE_ONCE(po->num, 0);
3875 + __unregister_prot_hook(sk, true);
3876 + rcu_read_lock();
3877 + dev_curr = po->prot_hook.dev;
3878 +@@ -3177,17 +3180,17 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
3879 + }
3880 +
3881 + BUG_ON(po->running);
3882 +- po->num = proto;
3883 ++ WRITE_ONCE(po->num, proto);
3884 + po->prot_hook.type = proto;
3885 +
3886 + if (unlikely(unlisted)) {
3887 + dev_put(dev);
3888 + po->prot_hook.dev = NULL;
3889 +- po->ifindex = -1;
3890 ++ WRITE_ONCE(po->ifindex, -1);
3891 + packet_cached_dev_reset(po);
3892 + } else {
3893 + po->prot_hook.dev = dev;
3894 +- po->ifindex = dev ? dev->ifindex : 0;
3895 ++ WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0);
3896 + packet_cached_dev_assign(po, dev);
3897 + }
3898 + }
3899 +@@ -3501,7 +3504,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
3900 + uaddr->sa_family = AF_PACKET;
3901 + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
3902 + rcu_read_lock();
3903 +- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
3904 ++ dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex));
3905 + if (dev)
3906 + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
3907 + rcu_read_unlock();
3908 +@@ -3516,16 +3519,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
3909 + struct sock *sk = sock->sk;
3910 + struct packet_sock *po = pkt_sk(sk);
3911 + DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr);
3912 ++ int ifindex;
3913 +
3914 + if (peer)
3915 + return -EOPNOTSUPP;
3916 +
3917 ++ ifindex = READ_ONCE(po->ifindex);
3918 + sll->sll_family = AF_PACKET;
3919 +- sll->sll_ifindex = po->ifindex;
3920 +- sll->sll_protocol = po->num;
3921 ++ sll->sll_ifindex = ifindex;
3922 ++ sll->sll_protocol = READ_ONCE(po->num);
3923 + sll->sll_pkttype = 0;
3924 + rcu_read_lock();
3925 +- dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
3926 ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
3927 + if (dev) {
3928 + sll->sll_hatype = dev->type;
3929 + sll->sll_halen = dev->addr_len;
3930 +@@ -4104,7 +4109,7 @@ static int packet_notifier(struct notifier_block *this,
3931 + }
3932 + if (msg == NETDEV_UNREGISTER) {
3933 + packet_cached_dev_reset(po);
3934 +- po->ifindex = -1;
3935 ++ WRITE_ONCE(po->ifindex, -1);
3936 + if (po->prot_hook.dev)
3937 + dev_put(po->prot_hook.dev);
3938 + po->prot_hook.dev = NULL;
3939 +@@ -4410,7 +4415,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
3940 + was_running = po->running;
3941 + num = po->num;
3942 + if (was_running) {
3943 +- po->num = 0;
3944 ++ WRITE_ONCE(po->num, 0);
3945 + __unregister_prot_hook(sk, false);
3946 + }
3947 + spin_unlock(&po->bind_lock);
3948 +@@ -4445,7 +4450,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
3949 +
3950 + spin_lock(&po->bind_lock);
3951 + if (was_running) {
3952 +- po->num = num;
3953 ++ WRITE_ONCE(po->num, num);
3954 + register_prot_hook(sk);
3955 + }
3956 + spin_unlock(&po->bind_lock);
3957 +@@ -4613,8 +4618,8 @@ static int packet_seq_show(struct seq_file *seq, void *v)
3958 + s,
3959 + refcount_read(&s->sk_refcnt),
3960 + s->sk_type,
3961 +- ntohs(po->num),
3962 +- po->ifindex,
3963 ++ ntohs(READ_ONCE(po->num)),
3964 ++ READ_ONCE(po->ifindex),
3965 + po->running,
3966 + atomic_read(&s->sk_rmem_alloc),
3967 + from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
3968 +diff --git a/net/wireless/util.c b/net/wireless/util.c
3969 +index 2731267fd0f9e..4fb8d1b14e76a 100644
3970 +--- a/net/wireless/util.c
3971 ++++ b/net/wireless/util.c
3972 +@@ -1059,6 +1059,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
3973 + case NL80211_IFTYPE_MESH_POINT:
3974 + /* mesh should be handled? */
3975 + break;
3976 ++ case NL80211_IFTYPE_OCB:
3977 ++ cfg80211_leave_ocb(rdev, dev);
3978 ++ break;
3979 + default:
3980 + break;
3981 + }
3982 +diff --git a/scripts/Makefile b/scripts/Makefile
3983 +index c36106bce80ee..9adb6d247818f 100644
3984 +--- a/scripts/Makefile
3985 ++++ b/scripts/Makefile
3986 +@@ -14,6 +14,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler
3987 + hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
3988 + hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
3989 + hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert
3990 ++hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert
3991 +
3992 + HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include
3993 + HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
3994 +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
3995 +index f9b19524da112..1e9baa5c4fc6e 100644
3996 +--- a/scripts/recordmcount.h
3997 ++++ b/scripts/recordmcount.h
3998 +@@ -192,15 +192,20 @@ static unsigned int get_symindex(Elf_Sym const *sym, Elf32_Word const *symtab,
3999 + Elf32_Word const *symtab_shndx)
4000 + {
4001 + unsigned long offset;
4002 ++ unsigned short shndx = w2(sym->st_shndx);
4003 + int index;
4004 +
4005 +- if (sym->st_shndx != SHN_XINDEX)
4006 +- return w2(sym->st_shndx);
4007 ++ if (shndx > SHN_UNDEF && shndx < SHN_LORESERVE)
4008 ++ return shndx;
4009 +
4010 +- offset = (unsigned long)sym - (unsigned long)symtab;
4011 +- index = offset / sizeof(*sym);
4012 ++ if (shndx == SHN_XINDEX) {
4013 ++ offset = (unsigned long)sym - (unsigned long)symtab;
4014 ++ index = offset / sizeof(*sym);
4015 +
4016 +- return w(symtab_shndx[index]);
4017 ++ return w(symtab_shndx[index]);
4018 ++ }
4019 ++
4020 ++ return 0;
4021 + }
4022 +
4023 + static unsigned int get_shnum(Elf_Ehdr const *ehdr, Elf_Shdr const *shdr0)
4024 +diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
4025 +index c5ba695c10e3a..5604bd57c9907 100644
4026 +--- a/security/integrity/platform_certs/keyring_handler.c
4027 ++++ b/security/integrity/platform_certs/keyring_handler.c
4028 +@@ -55,6 +55,15 @@ static __init void uefi_blacklist_binary(const char *source,
4029 + uefi_blacklist_hash(source, data, len, "bin:", 4);
4030 + }
4031 +
4032 ++/*
4033 ++ * Add an X509 cert to the revocation list.
4034 ++ */
4035 ++static __init void uefi_revocation_list_x509(const char *source,
4036 ++ const void *data, size_t len)
4037 ++{
4038 ++ add_key_to_revocation_list(data, len);
4039 ++}
4040 ++
4041 + /*
4042 + * Return the appropriate handler for particular signature list types found in
4043 + * the UEFI db and MokListRT tables.
4044 +@@ -76,5 +85,7 @@ __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
4045 + return uefi_blacklist_x509_tbs;
4046 + if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
4047 + return uefi_blacklist_binary;
4048 ++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
4049 ++ return uefi_revocation_list_x509;
4050 + return 0;
4051 + }
4052 +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
4053 +index ee4b4c666854f..f290f78c3f301 100644
4054 +--- a/security/integrity/platform_certs/load_uefi.c
4055 ++++ b/security/integrity/platform_certs/load_uefi.c
4056 +@@ -132,8 +132,9 @@ static int __init load_moklist_certs(void)
4057 + static int __init load_uefi_certs(void)
4058 + {
4059 + efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
4060 +- void *db = NULL, *dbx = NULL;
4061 +- unsigned long dbsize = 0, dbxsize = 0;
4062 ++ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
4063 ++ void *db = NULL, *dbx = NULL, *mokx = NULL;
4064 ++ unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
4065 + efi_status_t status;
4066 + int rc = 0;
4067 +
4068 +@@ -175,6 +176,21 @@ static int __init load_uefi_certs(void)
4069 + kfree(dbx);
4070 + }
4071 +
4072 ++ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
4073 ++ if (!mokx) {
4074 ++ if (status == EFI_NOT_FOUND)
4075 ++ pr_debug("mokx variable wasn't found\n");
4076 ++ else
4077 ++ pr_info("Couldn't get mokx list\n");
4078 ++ } else {
4079 ++ rc = parse_efi_signature_list("UEFI:MokListXRT",
4080 ++ mokx, mokxsize,
4081 ++ get_handler_for_dbx);
4082 ++ if (rc)
4083 ++ pr_err("Couldn't parse mokx signatures %d\n", rc);
4084 ++ kfree(mokx);
4085 ++ }
4086 ++
4087 + /* Load the MokListRT certs */
4088 + rc = load_moklist_certs();
4089 +
4090 +diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
4091 +index 126c6727a6b09..49805fd16fdf5 100644
4092 +--- a/tools/testing/selftests/kvm/lib/kvm_util.c
4093 ++++ b/tools/testing/selftests/kvm/lib/kvm_util.c
4094 +@@ -55,7 +55,7 @@ int kvm_check_cap(long cap)
4095 + exit(KSFT_SKIP);
4096 +
4097 + ret = ioctl(kvm_fd, KVM_CHECK_EXTENSION, cap);
4098 +- TEST_ASSERT(ret != -1, "KVM_CHECK_EXTENSION IOCTL failed,\n"
4099 ++ TEST_ASSERT(ret >= 0, "KVM_CHECK_EXTENSION IOCTL failed,\n"
4100 + " rc: %i errno: %i", ret, errno);
4101 +
4102 + close(kvm_fd);
4103 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
4104 +index f446c36f58003..1353439691cf7 100644
4105 +--- a/virt/kvm/kvm_main.c
4106 ++++ b/virt/kvm/kvm_main.c
4107 +@@ -1883,6 +1883,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault)
4108 + return true;
4109 + }
4110 +
4111 ++static int kvm_try_get_pfn(kvm_pfn_t pfn)
4112 ++{
4113 ++ if (kvm_is_reserved_pfn(pfn))
4114 ++ return 1;
4115 ++ return get_page_unless_zero(pfn_to_page(pfn));
4116 ++}
4117 ++
4118 + static int hva_to_pfn_remapped(struct vm_area_struct *vma,
4119 + unsigned long addr, bool *async,
4120 + bool write_fault, bool *writable,
4121 +@@ -1932,13 +1939,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
4122 + * Whoever called remap_pfn_range is also going to call e.g.
4123 + * unmap_mapping_range before the underlying pages are freed,
4124 + * causing a call to our MMU notifier.
4125 ++ *
4126 ++ * Certain IO or PFNMAP mappings can be backed with valid
4127 ++ * struct pages, but be allocated without refcounting e.g.,
4128 ++ * tail pages of non-compound higher order allocations, which
4129 ++ * would then underflow the refcount when the caller does the
4130 ++ * required put_page. Don't allow those pages here.
4131 + */
4132 +- kvm_get_pfn(pfn);
4133 ++ if (!kvm_try_get_pfn(pfn))
4134 ++ r = -EFAULT;
4135 +
4136 + out:
4137 + pte_unmap_unlock(ptep, ptl);
4138 + *p_pfn = pfn;
4139 +- return 0;
4140 ++
4141 ++ return r;
4142 + }
4143 +
4144 + /*
Report Message
Find on MARC Find on Google Groups