Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.4 commit in: /
Date: Wed, 30 Jun 2021 14:24:31
Message-Id: 1625063057.aad8672f9a4d60a64e628aaf62f88040cda97b4e.mpagano@gentoo
1 commit: aad8672f9a4d60a64e628aaf62f88040cda97b4e
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jun 30 14:24:17 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Jun 30 14:24:17 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=aad8672f
7
8 Linux patch 5.4.129
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1128_linux-5.4.129.patch | 2952 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 2956 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index cb07352..bedf8ea 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -555,6 +555,10 @@ Patch: 1127_linux-5.4.128.patch
21 From: http://www.kernel.org
22 Desc: Linux 5.4.128
23
24 +Patch: 1128_linux-5.4.129.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 5.4.129
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1128_linux-5.4.129.patch b/1128_linux-5.4.129.patch
33 new file mode 100644
34 index 0000000..ff82b9f
35 --- /dev/null
36 +++ b/1128_linux-5.4.129.patch
37 @@ -0,0 +1,2952 @@
38 +diff --git a/Makefile b/Makefile
39 +index 5db87d8031f1e..802520ad08cca 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,7 +1,7 @@
43 + # SPDX-License-Identifier: GPL-2.0
44 + VERSION = 5
45 + PATCHLEVEL = 4
46 +-SUBLEVEL = 128
47 ++SUBLEVEL = 129
48 + EXTRAVERSION =
49 + NAME = Kleptomaniac Octopus
50 +
51 +diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
52 +index 924285d0bccd9..43d6a6085d862 100644
53 +--- a/arch/arm/kernel/setup.c
54 ++++ b/arch/arm/kernel/setup.c
55 +@@ -544,9 +544,11 @@ void notrace cpu_init(void)
56 + * In Thumb-2, msr with an immediate value is not allowed.
57 + */
58 + #ifdef CONFIG_THUMB2_KERNEL
59 +-#define PLC "r"
60 ++#define PLC_l "l"
61 ++#define PLC_r "r"
62 + #else
63 +-#define PLC "I"
64 ++#define PLC_l "I"
65 ++#define PLC_r "I"
66 + #endif
67 +
68 + /*
69 +@@ -568,15 +570,15 @@ void notrace cpu_init(void)
70 + "msr cpsr_c, %9"
71 + :
72 + : "r" (stk),
73 +- PLC (PSR_F_BIT | PSR_I_BIT | IRQ_MODE),
74 ++ PLC_r (PSR_F_BIT | PSR_I_BIT | IRQ_MODE),
75 + "I" (offsetof(struct stack, irq[0])),
76 +- PLC (PSR_F_BIT | PSR_I_BIT | ABT_MODE),
77 ++ PLC_r (PSR_F_BIT | PSR_I_BIT | ABT_MODE),
78 + "I" (offsetof(struct stack, abt[0])),
79 +- PLC (PSR_F_BIT | PSR_I_BIT | UND_MODE),
80 ++ PLC_r (PSR_F_BIT | PSR_I_BIT | UND_MODE),
81 + "I" (offsetof(struct stack, und[0])),
82 +- PLC (PSR_F_BIT | PSR_I_BIT | FIQ_MODE),
83 ++ PLC_r (PSR_F_BIT | PSR_I_BIT | FIQ_MODE),
84 + "I" (offsetof(struct stack, fiq[0])),
85 +- PLC (PSR_F_BIT | PSR_I_BIT | SVC_MODE)
86 ++ PLC_l (PSR_F_BIT | PSR_I_BIT | SVC_MODE)
87 + : "r14");
88 + #endif
89 + }
90 +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
91 +index cd8f3cdabfd07..d227cf87c48f3 100644
92 +--- a/arch/arm64/Makefile
93 ++++ b/arch/arm64/Makefile
94 +@@ -10,7 +10,7 @@
95 + #
96 + # Copyright (C) 1995-2001 by Russell King
97 +
98 +-LDFLAGS_vmlinux :=--no-undefined -X -z norelro
99 ++LDFLAGS_vmlinux :=--no-undefined -X
100 + CPPFLAGS_vmlinux.lds = -DTEXT_OFFSET=$(TEXT_OFFSET)
101 + GZFLAGS :=-9
102 +
103 +@@ -82,17 +82,21 @@ CHECKFLAGS += -D__AARCH64EB__
104 + AS += -EB
105 + # Prefer the baremetal ELF build target, but not all toolchains include
106 + # it so fall back to the standard linux version if needed.
107 +-KBUILD_LDFLAGS += -EB $(call ld-option, -maarch64elfb, -maarch64linuxb)
108 ++KBUILD_LDFLAGS += -EB $(call ld-option, -maarch64elfb, -maarch64linuxb -z norelro)
109 + UTS_MACHINE := aarch64_be
110 + else
111 + KBUILD_CPPFLAGS += -mlittle-endian
112 + CHECKFLAGS += -D__AARCH64EL__
113 + AS += -EL
114 + # Same as above, prefer ELF but fall back to linux target if needed.
115 +-KBUILD_LDFLAGS += -EL $(call ld-option, -maarch64elf, -maarch64linux)
116 ++KBUILD_LDFLAGS += -EL $(call ld-option, -maarch64elf, -maarch64linux -z norelro)
117 + UTS_MACHINE := aarch64
118 + endif
119 +
120 ++ifeq ($(CONFIG_LD_IS_LLD), y)
121 ++KBUILD_LDFLAGS += -z norelro
122 ++endif
123 ++
124 + CHECKFLAGS += -D__aarch64__
125 +
126 + ifeq ($(CONFIG_ARM64_MODULE_PLTS),y)
127 +diff --git a/arch/mips/generic/board-boston.its.S b/arch/mips/generic/board-boston.its.S
128 +index a7f51f97b9102..c45ad27594218 100644
129 +--- a/arch/mips/generic/board-boston.its.S
130 ++++ b/arch/mips/generic/board-boston.its.S
131 +@@ -1,22 +1,22 @@
132 + / {
133 + images {
134 +- fdt@boston {
135 ++ fdt-boston {
136 + description = "img,boston Device Tree";
137 + data = /incbin/("boot/dts/img/boston.dtb");
138 + type = "flat_dt";
139 + arch = "mips";
140 + compression = "none";
141 +- hash@0 {
142 ++ hash {
143 + algo = "sha1";
144 + };
145 + };
146 + };
147 +
148 + configurations {
149 +- conf@boston {
150 ++ conf-boston {
151 + description = "Boston Linux kernel";
152 +- kernel = "kernel@0";
153 +- fdt = "fdt@boston";
154 ++ kernel = "kernel";
155 ++ fdt = "fdt-boston";
156 + };
157 + };
158 + };
159 +diff --git a/arch/mips/generic/board-ni169445.its.S b/arch/mips/generic/board-ni169445.its.S
160 +index e4cb4f95a8cc1..0a2e8f7a8526f 100644
161 +--- a/arch/mips/generic/board-ni169445.its.S
162 ++++ b/arch/mips/generic/board-ni169445.its.S
163 +@@ -1,22 +1,22 @@
164 + / {
165 + images {
166 +- fdt@ni169445 {
167 ++ fdt-ni169445 {
168 + description = "NI 169445 device tree";
169 + data = /incbin/("boot/dts/ni/169445.dtb");
170 + type = "flat_dt";
171 + arch = "mips";
172 + compression = "none";
173 +- hash@0 {
174 ++ hash {
175 + algo = "sha1";
176 + };
177 + };
178 + };
179 +
180 + configurations {
181 +- conf@ni169445 {
182 ++ conf-ni169445 {
183 + description = "NI 169445 Linux Kernel";
184 +- kernel = "kernel@0";
185 +- fdt = "fdt@ni169445";
186 ++ kernel = "kernel";
187 ++ fdt = "fdt-ni169445";
188 + };
189 + };
190 + };
191 +diff --git a/arch/mips/generic/board-ocelot.its.S b/arch/mips/generic/board-ocelot.its.S
192 +index 3da23988149a6..8c7e3a1b68d3d 100644
193 +--- a/arch/mips/generic/board-ocelot.its.S
194 ++++ b/arch/mips/generic/board-ocelot.its.S
195 +@@ -1,40 +1,40 @@
196 + /* SPDX-License-Identifier: (GPL-2.0 OR MIT) */
197 + / {
198 + images {
199 +- fdt@ocelot_pcb123 {
200 ++ fdt-ocelot_pcb123 {
201 + description = "MSCC Ocelot PCB123 Device Tree";
202 + data = /incbin/("boot/dts/mscc/ocelot_pcb123.dtb");
203 + type = "flat_dt";
204 + arch = "mips";
205 + compression = "none";
206 +- hash@0 {
207 ++ hash {
208 + algo = "sha1";
209 + };
210 + };
211 +
212 +- fdt@ocelot_pcb120 {
213 ++ fdt-ocelot_pcb120 {
214 + description = "MSCC Ocelot PCB120 Device Tree";
215 + data = /incbin/("boot/dts/mscc/ocelot_pcb120.dtb");
216 + type = "flat_dt";
217 + arch = "mips";
218 + compression = "none";
219 +- hash@0 {
220 ++ hash {
221 + algo = "sha1";
222 + };
223 + };
224 + };
225 +
226 + configurations {
227 +- conf@ocelot_pcb123 {
228 ++ conf-ocelot_pcb123 {
229 + description = "Ocelot Linux kernel";
230 +- kernel = "kernel@0";
231 +- fdt = "fdt@ocelot_pcb123";
232 ++ kernel = "kernel";
233 ++ fdt = "fdt-ocelot_pcb123";
234 + };
235 +
236 +- conf@ocelot_pcb120 {
237 ++ conf-ocelot_pcb120 {
238 + description = "Ocelot Linux kernel";
239 +- kernel = "kernel@0";
240 +- fdt = "fdt@ocelot_pcb120";
241 ++ kernel = "kernel";
242 ++ fdt = "fdt-ocelot_pcb120";
243 + };
244 + };
245 + };
246 +diff --git a/arch/mips/generic/board-xilfpga.its.S b/arch/mips/generic/board-xilfpga.its.S
247 +index a2e773d3f14f4..08c1e900eb4ed 100644
248 +--- a/arch/mips/generic/board-xilfpga.its.S
249 ++++ b/arch/mips/generic/board-xilfpga.its.S
250 +@@ -1,22 +1,22 @@
251 + / {
252 + images {
253 +- fdt@xilfpga {
254 ++ fdt-xilfpga {
255 + description = "MIPSfpga (xilfpga) Device Tree";
256 + data = /incbin/("boot/dts/xilfpga/nexys4ddr.dtb");
257 + type = "flat_dt";
258 + arch = "mips";
259 + compression = "none";
260 +- hash@0 {
261 ++ hash {
262 + algo = "sha1";
263 + };
264 + };
265 + };
266 +
267 + configurations {
268 +- conf@xilfpga {
269 ++ conf-xilfpga {
270 + description = "MIPSfpga Linux kernel";
271 +- kernel = "kernel@0";
272 +- fdt = "fdt@xilfpga";
273 ++ kernel = "kernel";
274 ++ fdt = "fdt-xilfpga";
275 + };
276 + };
277 + };
278 +diff --git a/arch/mips/generic/vmlinux.its.S b/arch/mips/generic/vmlinux.its.S
279 +index 1a08438fd8930..3e254676540f4 100644
280 +--- a/arch/mips/generic/vmlinux.its.S
281 ++++ b/arch/mips/generic/vmlinux.its.S
282 +@@ -6,7 +6,7 @@
283 + #address-cells = <ADDR_CELLS>;
284 +
285 + images {
286 +- kernel@0 {
287 ++ kernel {
288 + description = KERNEL_NAME;
289 + data = /incbin/(VMLINUX_BINARY);
290 + type = "kernel";
291 +@@ -15,18 +15,18 @@
292 + compression = VMLINUX_COMPRESSION;
293 + load = /bits/ ADDR_BITS <VMLINUX_LOAD_ADDRESS>;
294 + entry = /bits/ ADDR_BITS <VMLINUX_ENTRY_ADDRESS>;
295 +- hash@0 {
296 ++ hash {
297 + algo = "sha1";
298 + };
299 + };
300 + };
301 +
302 + configurations {
303 +- default = "conf@default";
304 ++ default = "conf-default";
305 +
306 +- conf@default {
307 ++ conf-default {
308 + description = "Generic Linux kernel";
309 +- kernel = "kernel@0";
310 ++ kernel = "kernel";
311 + };
312 + };
313 + };
314 +diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
315 +index 0c67a5a94de30..76959a7d88c82 100644
316 +--- a/arch/x86/pci/fixup.c
317 ++++ b/arch/x86/pci/fixup.c
318 +@@ -779,4 +779,48 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar);
319 + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar);
320 + DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar);
321 +
322 ++#define RS690_LOWER_TOP_OF_DRAM2 0x30
323 ++#define RS690_LOWER_TOP_OF_DRAM2_VALID 0x1
324 ++#define RS690_UPPER_TOP_OF_DRAM2 0x31
325 ++#define RS690_HTIU_NB_INDEX 0xA8
326 ++#define RS690_HTIU_NB_INDEX_WR_ENABLE 0x100
327 ++#define RS690_HTIU_NB_DATA 0xAC
328 ++
329 ++/*
330 ++ * Some BIOS implementations support RAM above 4GB, but do not configure the
331 ++ * PCI host to respond to bus master accesses for these addresses. These
332 ++ * implementations set the TOP_OF_DRAM_SLOT1 register correctly, so PCI DMA
333 ++ * works as expected for addresses below 4GB.
334 ++ *
335 ++ * Reference: "AMD RS690 ASIC Family Register Reference Guide" (pg. 2-57)
336 ++ * https://www.amd.com/system/files/TechDocs/43372_rs690_rrg_3.00o.pdf
337 ++ */
338 ++static void rs690_fix_64bit_dma(struct pci_dev *pdev)
339 ++{
340 ++ u32 val = 0;
341 ++ phys_addr_t top_of_dram = __pa(high_memory - 1) + 1;
342 ++
343 ++ if (top_of_dram <= (1ULL << 32))
344 ++ return;
345 ++
346 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
347 ++ RS690_LOWER_TOP_OF_DRAM2);
348 ++ pci_read_config_dword(pdev, RS690_HTIU_NB_DATA, &val);
349 ++
350 ++ if (val)
351 ++ return;
352 ++
353 ++ pci_info(pdev, "Adjusting top of DRAM to %pa for 64-bit DMA support\n", &top_of_dram);
354 ++
355 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
356 ++ RS690_UPPER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE);
357 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, top_of_dram >> 32);
358 ++
359 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
360 ++ RS690_LOWER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE);
361 ++ pci_write_config_dword(pdev, RS690_HTIU_NB_DATA,
362 ++ top_of_dram | RS690_LOWER_TOP_OF_DRAM2_VALID);
363 ++}
364 ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7910, rs690_fix_64bit_dma);
365 ++
366 + #endif
367 +diff --git a/certs/Kconfig b/certs/Kconfig
368 +index c94e93d8bccf0..76e469b56a773 100644
369 +--- a/certs/Kconfig
370 ++++ b/certs/Kconfig
371 +@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST
372 + wrapper to incorporate the list into the kernel. Each <hash> should
373 + be a string of hex digits.
374 +
375 ++config SYSTEM_REVOCATION_LIST
376 ++ bool "Provide system-wide ring of revocation certificates"
377 ++ depends on SYSTEM_BLACKLIST_KEYRING
378 ++ depends on PKCS7_MESSAGE_PARSER=y
379 ++ help
380 ++ If set, this allows revocation certificates to be stored in the
381 ++ blacklist keyring and implements a hook whereby a PKCS#7 message can
382 ++ be checked to see if it matches such a certificate.
383 ++
384 + endmenu
385 +diff --git a/certs/Makefile b/certs/Makefile
386 +index f4c25b67aad90..f4b90bad8690a 100644
387 +--- a/certs/Makefile
388 ++++ b/certs/Makefile
389 +@@ -3,7 +3,7 @@
390 + # Makefile for the linux kernel signature checking certificates.
391 + #
392 +
393 +-obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
394 ++obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
395 + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
396 + ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
397 + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
398 +diff --git a/certs/blacklist.c b/certs/blacklist.c
399 +index 025a41de28fda..59b2f106b2940 100644
400 +--- a/certs/blacklist.c
401 ++++ b/certs/blacklist.c
402 +@@ -135,6 +135,58 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
403 + }
404 + EXPORT_SYMBOL_GPL(is_hash_blacklisted);
405 +
406 ++int is_binary_blacklisted(const u8 *hash, size_t hash_len)
407 ++{
408 ++ if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
409 ++ return -EPERM;
410 ++
411 ++ return 0;
412 ++}
413 ++EXPORT_SYMBOL_GPL(is_binary_blacklisted);
414 ++
415 ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
416 ++/**
417 ++ * add_key_to_revocation_list - Add a revocation certificate to the blacklist
418 ++ * @data: The data blob containing the certificate
419 ++ * @size: The size of data blob
420 ++ */
421 ++int add_key_to_revocation_list(const char *data, size_t size)
422 ++{
423 ++ key_ref_t key;
424 ++
425 ++ key = key_create_or_update(make_key_ref(blacklist_keyring, true),
426 ++ "asymmetric",
427 ++ NULL,
428 ++ data,
429 ++ size,
430 ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
431 ++ KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
432 ++
433 ++ if (IS_ERR(key)) {
434 ++ pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
435 ++ return PTR_ERR(key);
436 ++ }
437 ++
438 ++ return 0;
439 ++}
440 ++
441 ++/**
442 ++ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
443 ++ * @pkcs7: The PKCS#7 message to check
444 ++ */
445 ++int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
446 ++{
447 ++ int ret;
448 ++
449 ++ ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
450 ++
451 ++ if (ret == 0)
452 ++ return -EKEYREJECTED;
453 ++
454 ++ return -ENOKEY;
455 ++}
456 ++#endif
457 ++
458 + /*
459 + * Initialise the blacklist
460 + */
461 +diff --git a/certs/blacklist.h b/certs/blacklist.h
462 +index 1efd6fa0dc608..51b320cf85749 100644
463 +--- a/certs/blacklist.h
464 ++++ b/certs/blacklist.h
465 +@@ -1,3 +1,5 @@
466 + #include <linux/kernel.h>
467 ++#include <linux/errno.h>
468 ++#include <crypto/pkcs7.h>
469 +
470 + extern const char __initconst *const blacklist_hashes[];
471 +diff --git a/certs/common.c b/certs/common.c
472 +new file mode 100644
473 +index 0000000000000..16a220887a53e
474 +--- /dev/null
475 ++++ b/certs/common.c
476 +@@ -0,0 +1,57 @@
477 ++// SPDX-License-Identifier: GPL-2.0-or-later
478 ++
479 ++#include <linux/kernel.h>
480 ++#include <linux/key.h>
481 ++#include "common.h"
482 ++
483 ++int load_certificate_list(const u8 cert_list[],
484 ++ const unsigned long list_size,
485 ++ const struct key *keyring)
486 ++{
487 ++ key_ref_t key;
488 ++ const u8 *p, *end;
489 ++ size_t plen;
490 ++
491 ++ p = cert_list;
492 ++ end = p + list_size;
493 ++ while (p < end) {
494 ++ /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
495 ++ * than 256 bytes in size.
496 ++ */
497 ++ if (end - p < 4)
498 ++ goto dodgy_cert;
499 ++ if (p[0] != 0x30 &&
500 ++ p[1] != 0x82)
501 ++ goto dodgy_cert;
502 ++ plen = (p[2] << 8) | p[3];
503 ++ plen += 4;
504 ++ if (plen > end - p)
505 ++ goto dodgy_cert;
506 ++
507 ++ key = key_create_or_update(make_key_ref(keyring, 1),
508 ++ "asymmetric",
509 ++ NULL,
510 ++ p,
511 ++ plen,
512 ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
513 ++ KEY_USR_VIEW | KEY_USR_READ),
514 ++ KEY_ALLOC_NOT_IN_QUOTA |
515 ++ KEY_ALLOC_BUILT_IN |
516 ++ KEY_ALLOC_BYPASS_RESTRICTION);
517 ++ if (IS_ERR(key)) {
518 ++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
519 ++ PTR_ERR(key));
520 ++ } else {
521 ++ pr_notice("Loaded X.509 cert '%s'\n",
522 ++ key_ref_to_ptr(key)->description);
523 ++ key_ref_put(key);
524 ++ }
525 ++ p += plen;
526 ++ }
527 ++
528 ++ return 0;
529 ++
530 ++dodgy_cert:
531 ++ pr_err("Problem parsing in-kernel X.509 certificate list\n");
532 ++ return 0;
533 ++}
534 +diff --git a/certs/common.h b/certs/common.h
535 +new file mode 100644
536 +index 0000000000000..abdb5795936b7
537 +--- /dev/null
538 ++++ b/certs/common.h
539 +@@ -0,0 +1,9 @@
540 ++/* SPDX-License-Identifier: GPL-2.0-or-later */
541 ++
542 ++#ifndef _CERT_COMMON_H
543 ++#define _CERT_COMMON_H
544 ++
545 ++int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
546 ++ const struct key *keyring);
547 ++
548 ++#endif
549 +diff --git a/certs/system_keyring.c b/certs/system_keyring.c
550 +index 798291177186c..a44a8915c94cf 100644
551 +--- a/certs/system_keyring.c
552 ++++ b/certs/system_keyring.c
553 +@@ -15,6 +15,7 @@
554 + #include <keys/asymmetric-type.h>
555 + #include <keys/system_keyring.h>
556 + #include <crypto/pkcs7.h>
557 ++#include "common.h"
558 +
559 + static struct key *builtin_trusted_keys;
560 + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
561 +@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init);
562 + */
563 + static __init int load_system_certificate_list(void)
564 + {
565 +- key_ref_t key;
566 +- const u8 *p, *end;
567 +- size_t plen;
568 +-
569 + pr_notice("Loading compiled-in X.509 certificates\n");
570 +
571 +- p = system_certificate_list;
572 +- end = p + system_certificate_list_size;
573 +- while (p < end) {
574 +- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
575 +- * than 256 bytes in size.
576 +- */
577 +- if (end - p < 4)
578 +- goto dodgy_cert;
579 +- if (p[0] != 0x30 &&
580 +- p[1] != 0x82)
581 +- goto dodgy_cert;
582 +- plen = (p[2] << 8) | p[3];
583 +- plen += 4;
584 +- if (plen > end - p)
585 +- goto dodgy_cert;
586 +-
587 +- key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
588 +- "asymmetric",
589 +- NULL,
590 +- p,
591 +- plen,
592 +- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
593 +- KEY_USR_VIEW | KEY_USR_READ),
594 +- KEY_ALLOC_NOT_IN_QUOTA |
595 +- KEY_ALLOC_BUILT_IN |
596 +- KEY_ALLOC_BYPASS_RESTRICTION);
597 +- if (IS_ERR(key)) {
598 +- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
599 +- PTR_ERR(key));
600 +- } else {
601 +- pr_notice("Loaded X.509 cert '%s'\n",
602 +- key_ref_to_ptr(key)->description);
603 +- key_ref_put(key);
604 +- }
605 +- p += plen;
606 +- }
607 +-
608 +- return 0;
609 +-
610 +-dodgy_cert:
611 +- pr_err("Problem parsing in-kernel X.509 certificate list\n");
612 +- return 0;
613 ++ return load_certificate_list(system_certificate_list, system_certificate_list_size,
614 ++ builtin_trusted_keys);
615 + }
616 + late_initcall(load_system_certificate_list);
617 +
618 +@@ -241,6 +198,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
619 + pr_devel("PKCS#7 platform keyring is not available\n");
620 + goto error;
621 + }
622 ++
623 ++ ret = is_key_on_revocation_list(pkcs7);
624 ++ if (ret != -ENOKEY) {
625 ++ pr_devel("PKCS#7 platform key is on revocation list\n");
626 ++ goto error;
627 ++ }
628 + }
629 + ret = pkcs7_validate_trust(pkcs7, trusted_keys);
630 + if (ret < 0) {
631 +diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
632 +index f40051d6aecbc..9c0ea13ca7883 100644
633 +--- a/drivers/dma/mediatek/mtk-uart-apdma.c
634 ++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
635 +@@ -131,10 +131,7 @@ static unsigned int mtk_uart_apdma_read(struct mtk_chan *c, unsigned int reg)
636 +
637 + static void mtk_uart_apdma_desc_free(struct virt_dma_desc *vd)
638 + {
639 +- struct dma_chan *chan = vd->tx.chan;
640 +- struct mtk_chan *c = to_mtk_uart_apdma_chan(chan);
641 +-
642 +- kfree(c->desc);
643 ++ kfree(container_of(vd, struct mtk_uart_apdma_desc, vd));
644 + }
645 +
646 + static void mtk_uart_apdma_start_tx(struct mtk_chan *c)
647 +@@ -207,14 +204,9 @@ static void mtk_uart_apdma_start_rx(struct mtk_chan *c)
648 +
649 + static void mtk_uart_apdma_tx_handler(struct mtk_chan *c)
650 + {
651 +- struct mtk_uart_apdma_desc *d = c->desc;
652 +-
653 + mtk_uart_apdma_write(c, VFF_INT_FLAG, VFF_TX_INT_CLR_B);
654 + mtk_uart_apdma_write(c, VFF_INT_EN, VFF_INT_EN_CLR_B);
655 + mtk_uart_apdma_write(c, VFF_EN, VFF_EN_CLR_B);
656 +-
657 +- list_del(&d->vd.node);
658 +- vchan_cookie_complete(&d->vd);
659 + }
660 +
661 + static void mtk_uart_apdma_rx_handler(struct mtk_chan *c)
662 +@@ -245,9 +237,17 @@ static void mtk_uart_apdma_rx_handler(struct mtk_chan *c)
663 +
664 + c->rx_status = d->avail_len - cnt;
665 + mtk_uart_apdma_write(c, VFF_RPT, wg);
666 ++}
667 +
668 +- list_del(&d->vd.node);
669 +- vchan_cookie_complete(&d->vd);
670 ++static void mtk_uart_apdma_chan_complete_handler(struct mtk_chan *c)
671 ++{
672 ++ struct mtk_uart_apdma_desc *d = c->desc;
673 ++
674 ++ if (d) {
675 ++ list_del(&d->vd.node);
676 ++ vchan_cookie_complete(&d->vd);
677 ++ c->desc = NULL;
678 ++ }
679 + }
680 +
681 + static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id)
682 +@@ -261,6 +261,7 @@ static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id)
683 + mtk_uart_apdma_rx_handler(c);
684 + else if (c->dir == DMA_MEM_TO_DEV)
685 + mtk_uart_apdma_tx_handler(c);
686 ++ mtk_uart_apdma_chan_complete_handler(c);
687 + spin_unlock_irqrestore(&c->vc.lock, flags);
688 +
689 + return IRQ_HANDLED;
690 +@@ -348,7 +349,7 @@ static struct dma_async_tx_descriptor *mtk_uart_apdma_prep_slave_sg
691 + return NULL;
692 +
693 + /* Now allocate and setup the descriptor */
694 +- d = kzalloc(sizeof(*d), GFP_ATOMIC);
695 ++ d = kzalloc(sizeof(*d), GFP_NOWAIT);
696 + if (!d)
697 + return NULL;
698 +
699 +@@ -366,7 +367,7 @@ static void mtk_uart_apdma_issue_pending(struct dma_chan *chan)
700 + unsigned long flags;
701 +
702 + spin_lock_irqsave(&c->vc.lock, flags);
703 +- if (vchan_issue_pending(&c->vc)) {
704 ++ if (vchan_issue_pending(&c->vc) && !c->desc) {
705 + vd = vchan_next_desc(&c->vc);
706 + c->desc = to_mtk_uart_apdma_desc(&vd->tx);
707 +
708 +diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
709 +index 3993ab65c62cd..89eb9ea258149 100644
710 +--- a/drivers/dma/sh/rcar-dmac.c
711 ++++ b/drivers/dma/sh/rcar-dmac.c
712 +@@ -1855,7 +1855,7 @@ static int rcar_dmac_probe(struct platform_device *pdev)
713 +
714 + /* Enable runtime PM and initialize the device. */
715 + pm_runtime_enable(&pdev->dev);
716 +- ret = pm_runtime_get_sync(&pdev->dev);
717 ++ ret = pm_runtime_resume_and_get(&pdev->dev);
718 + if (ret < 0) {
719 + dev_err(&pdev->dev, "runtime PM get sync failed (%d)\n", ret);
720 + return ret;
721 +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
722 +index d47749a35863f..84009c5e0f330 100644
723 +--- a/drivers/dma/xilinx/zynqmp_dma.c
724 ++++ b/drivers/dma/xilinx/zynqmp_dma.c
725 +@@ -467,7 +467,7 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan)
726 + struct zynqmp_dma_desc_sw *desc;
727 + int i, ret;
728 +
729 +- ret = pm_runtime_get_sync(chan->dev);
730 ++ ret = pm_runtime_resume_and_get(chan->dev);
731 + if (ret < 0)
732 + return ret;
733 +
734 +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
735 +index 9964ec0035ede..1d8739a4fbcad 100644
736 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
737 ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
738 +@@ -3416,12 +3416,8 @@ static int gfx_v10_0_kiq_init_register(struct amdgpu_ring *ring)
739 + if (ring->use_doorbell) {
740 + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER,
741 + (adev->doorbell_index.kiq * 2) << 2);
742 +- /* If GC has entered CGPG, ringing doorbell > first page doesn't
743 +- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround
744 +- * this issue.
745 +- */
746 + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER,
747 +- (adev->doorbell.size - 4));
748 ++ (adev->doorbell_index.userqueue_end * 2) << 2);
749 + }
750 +
751 + WREG32_SOC15(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL,
752 +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
753 +index 354da41f52def..06cdc22b5501d 100644
754 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
755 ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
756 +@@ -3593,12 +3593,8 @@ static int gfx_v9_0_kiq_init_register(struct amdgpu_ring *ring)
757 + if (ring->use_doorbell) {
758 + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_LOWER,
759 + (adev->doorbell_index.kiq * 2) << 2);
760 +- /* If GC has entered CGPG, ringing doorbell > first page doesn't
761 +- * wakeup GC. Enlarge CP_MEC_DOORBELL_RANGE_UPPER to workaround
762 +- * this issue.
763 +- */
764 + WREG32_SOC15(GC, 0, mmCP_MEC_DOORBELL_RANGE_UPPER,
765 +- (adev->doorbell.size - 4));
766 ++ (adev->doorbell_index.userqueue_end * 2) << 2);
767 + }
768 +
769 + WREG32_SOC15_RLC(GC, 0, mmCP_HQD_PQ_DOORBELL_CONTROL,
770 +diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c
771 +index bae6a3eccee0b..f9ee562f72d33 100644
772 +--- a/drivers/gpu/drm/nouveau/nouveau_prime.c
773 ++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c
774 +@@ -112,7 +112,22 @@ int nouveau_gem_prime_pin(struct drm_gem_object *obj)
775 + if (ret)
776 + return -EINVAL;
777 +
778 +- return 0;
779 ++ ret = ttm_bo_reserve(&nvbo->bo, false, false, NULL);
780 ++ if (ret)
781 ++ goto error;
782 ++
783 ++ if (nvbo->bo.moving)
784 ++ ret = dma_fence_wait(nvbo->bo.moving, true);
785 ++
786 ++ ttm_bo_unreserve(&nvbo->bo);
787 ++ if (ret)
788 ++ goto error;
789 ++
790 ++ return ret;
791 ++
792 ++error:
793 ++ nouveau_bo_unpin(nvbo);
794 ++ return ret;
795 + }
796 +
797 + void nouveau_gem_prime_unpin(struct drm_gem_object *obj)
798 +diff --git a/drivers/gpu/drm/radeon/radeon_prime.c b/drivers/gpu/drm/radeon/radeon_prime.c
799 +index b906e8fbd5f3a..7bc33a80934c4 100644
800 +--- a/drivers/gpu/drm/radeon/radeon_prime.c
801 ++++ b/drivers/gpu/drm/radeon/radeon_prime.c
802 +@@ -94,9 +94,19 @@ int radeon_gem_prime_pin(struct drm_gem_object *obj)
803 +
804 + /* pin buffer into GTT */
805 + ret = radeon_bo_pin(bo, RADEON_GEM_DOMAIN_GTT, NULL);
806 +- if (likely(ret == 0))
807 +- bo->prime_shared_count++;
808 +-
809 ++ if (unlikely(ret))
810 ++ goto error;
811 ++
812 ++ if (bo->tbo.moving) {
813 ++ ret = dma_fence_wait(bo->tbo.moving, false);
814 ++ if (unlikely(ret)) {
815 ++ radeon_bo_unpin(bo);
816 ++ goto error;
817 ++ }
818 ++ }
819 ++
820 ++ bo->prime_shared_count++;
821 ++error:
822 + radeon_bo_unreserve(bo);
823 + return ret;
824 + }
825 +diff --git a/drivers/i2c/busses/i2c-robotfuzz-osif.c b/drivers/i2c/busses/i2c-robotfuzz-osif.c
826 +index a39f7d0927973..66dfa211e736b 100644
827 +--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
828 ++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
829 +@@ -83,7 +83,7 @@ static int osif_xfer(struct i2c_adapter *adapter, struct i2c_msg *msgs,
830 + }
831 + }
832 +
833 +- ret = osif_usb_read(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
834 ++ ret = osif_usb_write(adapter, OSIFI2C_STOP, 0, 0, NULL, 0);
835 + if (ret) {
836 + dev_err(&adapter->dev, "failure sending STOP\n");
837 + return -EREMOTEIO;
838 +@@ -153,7 +153,7 @@ static int osif_probe(struct usb_interface *interface,
839 + * Set bus frequency. The frequency is:
840 + * 120,000,000 / ( 16 + 2 * div * 4^prescale).
841 + * Using dev = 52, prescale = 0 give 100KHz */
842 +- ret = osif_usb_read(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
843 ++ ret = osif_usb_write(&priv->adapter, OSIFI2C_SET_BIT_RATE, 52, 0,
844 + NULL, 0);
845 + if (ret) {
846 + dev_err(&interface->dev, "failure sending bit rate");
847 +diff --git a/drivers/mmc/host/meson-gx-mmc.c b/drivers/mmc/host/meson-gx-mmc.c
848 +index 545c3f2f8a06c..a3e3b274f0ea3 100644
849 +--- a/drivers/mmc/host/meson-gx-mmc.c
850 ++++ b/drivers/mmc/host/meson-gx-mmc.c
851 +@@ -166,6 +166,7 @@ struct meson_host {
852 +
853 + unsigned int bounce_buf_size;
854 + void *bounce_buf;
855 ++ void __iomem *bounce_iomem_buf;
856 + dma_addr_t bounce_dma_addr;
857 + struct sd_emmc_desc *descs;
858 + dma_addr_t descs_dma_addr;
859 +@@ -737,6 +738,47 @@ static void meson_mmc_desc_chain_transfer(struct mmc_host *mmc, u32 cmd_cfg)
860 + writel(start, host->regs + SD_EMMC_START);
861 + }
862 +
863 ++/* local sg copy to buffer version with _to/fromio usage for dram_access_quirk */
864 ++static void meson_mmc_copy_buffer(struct meson_host *host, struct mmc_data *data,
865 ++ size_t buflen, bool to_buffer)
866 ++{
867 ++ unsigned int sg_flags = SG_MITER_ATOMIC;
868 ++ struct scatterlist *sgl = data->sg;
869 ++ unsigned int nents = data->sg_len;
870 ++ struct sg_mapping_iter miter;
871 ++ unsigned int offset = 0;
872 ++
873 ++ if (to_buffer)
874 ++ sg_flags |= SG_MITER_FROM_SG;
875 ++ else
876 ++ sg_flags |= SG_MITER_TO_SG;
877 ++
878 ++ sg_miter_start(&miter, sgl, nents, sg_flags);
879 ++
880 ++ while ((offset < buflen) && sg_miter_next(&miter)) {
881 ++ unsigned int len;
882 ++
883 ++ len = min(miter.length, buflen - offset);
884 ++
885 ++ /* When dram_access_quirk, the bounce buffer is a iomem mapping */
886 ++ if (host->dram_access_quirk) {
887 ++ if (to_buffer)
888 ++ memcpy_toio(host->bounce_iomem_buf + offset, miter.addr, len);
889 ++ else
890 ++ memcpy_fromio(miter.addr, host->bounce_iomem_buf + offset, len);
891 ++ } else {
892 ++ if (to_buffer)
893 ++ memcpy(host->bounce_buf + offset, miter.addr, len);
894 ++ else
895 ++ memcpy(miter.addr, host->bounce_buf + offset, len);
896 ++ }
897 ++
898 ++ offset += len;
899 ++ }
900 ++
901 ++ sg_miter_stop(&miter);
902 ++}
903 ++
904 + static void meson_mmc_start_cmd(struct mmc_host *mmc, struct mmc_command *cmd)
905 + {
906 + struct meson_host *host = mmc_priv(mmc);
907 +@@ -780,8 +822,7 @@ static void meson_mmc_start_cmd(struct mmc_host *mmc, struct mmc_command *cmd)
908 + if (data->flags & MMC_DATA_WRITE) {
909 + cmd_cfg |= CMD_CFG_DATA_WR;
910 + WARN_ON(xfer_bytes > host->bounce_buf_size);
911 +- sg_copy_to_buffer(data->sg, data->sg_len,
912 +- host->bounce_buf, xfer_bytes);
913 ++ meson_mmc_copy_buffer(host, data, xfer_bytes, true);
914 + dma_wmb();
915 + }
916 +
917 +@@ -950,8 +991,7 @@ static irqreturn_t meson_mmc_irq_thread(int irq, void *dev_id)
918 + if (meson_mmc_bounce_buf_read(data)) {
919 + xfer_bytes = data->blksz * data->blocks;
920 + WARN_ON(xfer_bytes > host->bounce_buf_size);
921 +- sg_copy_from_buffer(data->sg, data->sg_len,
922 +- host->bounce_buf, xfer_bytes);
923 ++ meson_mmc_copy_buffer(host, data, xfer_bytes, false);
924 + }
925 +
926 + next_cmd = meson_mmc_get_next_command(cmd);
927 +@@ -1179,7 +1219,7 @@ static int meson_mmc_probe(struct platform_device *pdev)
928 + * instead of the DDR memory
929 + */
930 + host->bounce_buf_size = SD_EMMC_SRAM_DATA_BUF_LEN;
931 +- host->bounce_buf = host->regs + SD_EMMC_SRAM_DATA_BUF_OFF;
932 ++ host->bounce_iomem_buf = host->regs + SD_EMMC_SRAM_DATA_BUF_OFF;
933 + host->bounce_dma_addr = res->start + SD_EMMC_SRAM_DATA_BUF_OFF;
934 + } else {
935 + /* data bounce buffer */
936 +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
937 +index 0f2bee59a82b0..0bc7f6518fb32 100644
938 +--- a/drivers/net/caif/caif_serial.c
939 ++++ b/drivers/net/caif/caif_serial.c
940 +@@ -351,6 +351,7 @@ static int ldisc_open(struct tty_struct *tty)
941 + rtnl_lock();
942 + result = register_netdevice(dev);
943 + if (result) {
944 ++ tty_kref_put(tty);
945 + rtnl_unlock();
946 + free_netdev(dev);
947 + return -ENODEV;
948 +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
949 +index 5c6a276f69ac4..426b8098c50ee 100644
950 +--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
951 ++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
952 +@@ -1293,9 +1293,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn,
953 + p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC;
954 +
955 + p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled;
956 ++ BUILD_BUG_ON(sizeof(dcbx_info->operational.params) !=
957 ++ sizeof(p_hwfn->p_dcbx_info->set.config.params));
958 + memcpy(&p_hwfn->p_dcbx_info->set.config.params,
959 + &dcbx_info->operational.params,
960 +- sizeof(struct qed_dcbx_admin_params));
961 ++ sizeof(p_hwfn->p_dcbx_info->set.config.params));
962 + p_hwfn->p_dcbx_info->set.config.valid = true;
963 +
964 + memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set));
965 +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
966 +index 8ff178fc2670c..661202e854121 100644
967 +--- a/drivers/net/ethernet/realtek/r8169_main.c
968 ++++ b/drivers/net/ethernet/realtek/r8169_main.c
969 +@@ -1801,7 +1801,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
970 + {
971 + switch(stringset) {
972 + case ETH_SS_STATS:
973 +- memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings));
974 ++ memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings));
975 + break;
976 + }
977 + }
978 +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
979 +index a042f4607b0d0..931a44fe7afe8 100644
980 +--- a/drivers/net/ethernet/renesas/sh_eth.c
981 ++++ b/drivers/net/ethernet/renesas/sh_eth.c
982 +@@ -2322,7 +2322,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
983 + {
984 + switch (stringset) {
985 + case ETH_SS_STATS:
986 +- memcpy(data, *sh_eth_gstrings_stats,
987 ++ memcpy(data, sh_eth_gstrings_stats,
988 + sizeof(sh_eth_gstrings_stats));
989 + break;
990 + }
991 +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
992 +index 9b55fbdc3a7c6..9a7af7dda70dc 100644
993 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
994 ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
995 +@@ -770,12 +770,15 @@ static void temac_start_xmit_done(struct net_device *ndev)
996 + stat = be32_to_cpu(cur_p->app0);
997 +
998 + while (stat & STS_CTRL_APP0_CMPLT) {
999 ++ /* Make sure that the other fields are read after bd is
1000 ++ * released by dma
1001 ++ */
1002 ++ rmb();
1003 + dma_unmap_single(ndev->dev.parent, be32_to_cpu(cur_p->phys),
1004 + be32_to_cpu(cur_p->len), DMA_TO_DEVICE);
1005 + skb = (struct sk_buff *)ptr_from_txbd(cur_p);
1006 + if (skb)
1007 + dev_consume_skb_irq(skb);
1008 +- cur_p->app0 = 0;
1009 + cur_p->app1 = 0;
1010 + cur_p->app2 = 0;
1011 + cur_p->app3 = 0;
1012 +@@ -784,6 +787,12 @@ static void temac_start_xmit_done(struct net_device *ndev)
1013 + ndev->stats.tx_packets++;
1014 + ndev->stats.tx_bytes += be32_to_cpu(cur_p->len);
1015 +
1016 ++ /* app0 must be visible last, as it is used to flag
1017 ++ * availability of the bd
1018 ++ */
1019 ++ smp_mb();
1020 ++ cur_p->app0 = 0;
1021 ++
1022 + lp->tx_bd_ci++;
1023 + if (lp->tx_bd_ci >= TX_BD_NUM)
1024 + lp->tx_bd_ci = 0;
1025 +@@ -810,6 +819,9 @@ static inline int temac_check_tx_bd_space(struct temac_local *lp, int num_frag)
1026 + if (cur_p->app0)
1027 + return NETDEV_TX_BUSY;
1028 +
1029 ++ /* Make sure to read next bd app0 after this one */
1030 ++ rmb();
1031 ++
1032 + tail++;
1033 + if (tail >= TX_BD_NUM)
1034 + tail = 0;
1035 +@@ -927,6 +939,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
1036 + wmb();
1037 + lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
1038 +
1039 ++ if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
1040 ++ netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
1041 ++ netif_stop_queue(ndev);
1042 ++ }
1043 ++
1044 + return NETDEV_TX_OK;
1045 + }
1046 +
1047 +diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
1048 +index 31a5595133628..87c0cdbf262ae 100644
1049 +--- a/drivers/net/phy/dp83867.c
1050 ++++ b/drivers/net/phy/dp83867.c
1051 +@@ -468,16 +468,12 @@ static int dp83867_phy_reset(struct phy_device *phydev)
1052 + {
1053 + int err;
1054 +
1055 +- err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET);
1056 ++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
1057 + if (err < 0)
1058 + return err;
1059 +
1060 + usleep_range(10, 20);
1061 +
1062 +- /* After reset FORCE_LINK_GOOD bit is set. Although the
1063 +- * default value should be unset. Disable FORCE_LINK_GOOD
1064 +- * for the phy to work properly.
1065 +- */
1066 + return phy_modify(phydev, MII_DP83867_PHYCTRL,
1067 + DP83867_PHYCR_FORCE_LINK_GOOD, 0);
1068 + }
1069 +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
1070 +index f6d643ecaf39b..24d1246330375 100644
1071 +--- a/drivers/net/usb/r8152.c
1072 ++++ b/drivers/net/usb/r8152.c
1073 +@@ -5065,7 +5065,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data)
1074 + {
1075 + switch (stringset) {
1076 + case ETH_SS_STATS:
1077 +- memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings));
1078 ++ memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
1079 + break;
1080 + }
1081 + }
1082 +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
1083 +index c48c68090d762..1033513d3d9de 100644
1084 +--- a/drivers/net/wireless/mac80211_hwsim.c
1085 ++++ b/drivers/net/wireless/mac80211_hwsim.c
1086 +@@ -1458,8 +1458,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw)
1087 + static void mac80211_hwsim_stop(struct ieee80211_hw *hw)
1088 + {
1089 + struct mac80211_hwsim_data *data = hw->priv;
1090 ++
1091 + data->started = false;
1092 + hrtimer_cancel(&data->beacon_timer);
1093 ++
1094 ++ while (!skb_queue_empty(&data->pending))
1095 ++ ieee80211_free_txskb(hw, skb_dequeue(&data->pending));
1096 ++
1097 + wiphy_dbg(hw->wiphy, "%s\n", __func__);
1098 + }
1099 +
1100 +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
1101 +index 34a06e89e176a..3c3bc9f584983 100644
1102 +--- a/drivers/pci/pci.c
1103 ++++ b/drivers/pci/pci.c
1104 +@@ -1666,11 +1666,21 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
1105 + int err;
1106 + int i, bars = 0;
1107 +
1108 +- if (atomic_inc_return(&dev->enable_cnt) > 1) {
1109 +- pci_update_current_state(dev, dev->current_state);
1110 +- return 0; /* already enabled */
1111 ++ /*
1112 ++ * Power state could be unknown at this point, either due to a fresh
1113 ++ * boot or a device removal call. So get the current power state
1114 ++ * so that things like MSI message writing will behave as expected
1115 ++ * (e.g. if the device really is in D0 at enable time).
1116 ++ */
1117 ++ if (dev->pm_cap) {
1118 ++ u16 pmcsr;
1119 ++ pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
1120 ++ dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
1121 + }
1122 +
1123 ++ if (atomic_inc_return(&dev->enable_cnt) > 1)
1124 ++ return 0; /* already enabled */
1125 ++
1126 + bridge = pci_upstream_bridge(dev);
1127 + if (bridge)
1128 + pci_enable_bridge(bridge);
1129 +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
1130 +index 2d5e0435af0a4..bac1d040bacab 100644
1131 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
1132 ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
1133 +@@ -1153,7 +1153,7 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl,
1134 + struct resource res;
1135 + struct reset_control *rstc;
1136 + int npins = STM32_GPIO_PINS_PER_BANK;
1137 +- int bank_nr, err;
1138 ++ int bank_nr, err, i = 0;
1139 +
1140 + rstc = of_reset_control_get_exclusive(np, NULL);
1141 + if (!IS_ERR(rstc))
1142 +@@ -1182,9 +1182,14 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl,
1143 +
1144 + of_property_read_string(np, "st,bank-name", &bank->gpio_chip.label);
1145 +
1146 +- if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, 0, &args)) {
1147 ++ if (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3, i, &args)) {
1148 + bank_nr = args.args[1] / STM32_GPIO_PINS_PER_BANK;
1149 + bank->gpio_chip.base = args.args[1];
1150 ++
1151 ++ npins = args.args[2];
1152 ++ while (!of_parse_phandle_with_fixed_args(np, "gpio-ranges", 3,
1153 ++ ++i, &args))
1154 ++ npins += args.args[2];
1155 + } else {
1156 + bank_nr = pctl->nbanks;
1157 + bank->gpio_chip.base = bank_nr * STM32_GPIO_PINS_PER_BANK;
1158 +diff --git a/drivers/spi/spi-nxp-fspi.c b/drivers/spi/spi-nxp-fspi.c
1159 +index efd9e908e2248..36a44a837031d 100644
1160 +--- a/drivers/spi/spi-nxp-fspi.c
1161 ++++ b/drivers/spi/spi-nxp-fspi.c
1162 +@@ -975,12 +975,6 @@ static int nxp_fspi_probe(struct platform_device *pdev)
1163 + goto err_put_ctrl;
1164 + }
1165 +
1166 +- /* Clear potential interrupts */
1167 +- reg = fspi_readl(f, f->iobase + FSPI_INTR);
1168 +- if (reg)
1169 +- fspi_writel(f, reg, f->iobase + FSPI_INTR);
1170 +-
1171 +-
1172 + /* find the resources - controller memory mapped space */
1173 + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "fspi_mmap");
1174 + f->ahb_addr = devm_ioremap_resource(dev, res);
1175 +@@ -1012,6 +1006,11 @@ static int nxp_fspi_probe(struct platform_device *pdev)
1176 + goto err_put_ctrl;
1177 + }
1178 +
1179 ++ /* Clear potential interrupts */
1180 ++ reg = fspi_readl(f, f->iobase + FSPI_INTR);
1181 ++ if (reg)
1182 ++ fspi_writel(f, reg, f->iobase + FSPI_INTR);
1183 ++
1184 + /* find the irq */
1185 + ret = platform_get_irq(pdev, 0);
1186 + if (ret < 0)
1187 +diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c
1188 +index e60be7bb55b0b..c6c8a33c81d5e 100644
1189 +--- a/fs/nilfs2/sysfs.c
1190 ++++ b/fs/nilfs2/sysfs.c
1191 +@@ -1054,6 +1054,7 @@ void nilfs_sysfs_delete_device_group(struct the_nilfs *nilfs)
1192 + nilfs_sysfs_delete_superblock_group(nilfs);
1193 + nilfs_sysfs_delete_segctor_group(nilfs);
1194 + kobject_del(&nilfs->ns_dev_kobj);
1195 ++ kobject_put(&nilfs->ns_dev_kobj);
1196 + kfree(nilfs->ns_dev_subgroups);
1197 + }
1198 +
1199 +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
1200 +index c1a96fdf598bc..875e002a41804 100644
1201 +--- a/include/keys/system_keyring.h
1202 ++++ b/include/keys/system_keyring.h
1203 +@@ -31,16 +31,37 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
1204 + #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
1205 + #endif
1206 +
1207 ++extern struct pkcs7_message *pkcs7;
1208 + #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
1209 + extern int mark_hash_blacklisted(const char *hash);
1210 + extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
1211 + const char *type);
1212 ++extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
1213 + #else
1214 + static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
1215 + const char *type)
1216 + {
1217 + return 0;
1218 + }
1219 ++
1220 ++static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
1221 ++{
1222 ++ return 0;
1223 ++}
1224 ++#endif
1225 ++
1226 ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
1227 ++extern int add_key_to_revocation_list(const char *data, size_t size);
1228 ++extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
1229 ++#else
1230 ++static inline int add_key_to_revocation_list(const char *data, size_t size)
1231 ++{
1232 ++ return 0;
1233 ++}
1234 ++static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
1235 ++{
1236 ++ return -ENOKEY;
1237 ++}
1238 + #endif
1239 +
1240 + #ifdef CONFIG_IMA_BLACKLIST_KEYRING
1241 +diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
1242 +index d8b86fd391134..d2dbe462efeef 100644
1243 +--- a/include/linux/huge_mm.h
1244 ++++ b/include/linux/huge_mm.h
1245 +@@ -259,6 +259,7 @@ struct page *follow_devmap_pud(struct vm_area_struct *vma, unsigned long addr,
1246 + extern vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t orig_pmd);
1247 +
1248 + extern struct page *huge_zero_page;
1249 ++extern unsigned long huge_zero_pfn;
1250 +
1251 + static inline bool is_huge_zero_page(struct page *page)
1252 + {
1253 +@@ -267,7 +268,7 @@ static inline bool is_huge_zero_page(struct page *page)
1254 +
1255 + static inline bool is_huge_zero_pmd(pmd_t pmd)
1256 + {
1257 +- return is_huge_zero_page(pmd_page(pmd));
1258 ++ return READ_ONCE(huge_zero_pfn) == pmd_pfn(pmd) && pmd_present(pmd);
1259 + }
1260 +
1261 + static inline bool is_huge_zero_pud(pud_t pud)
1262 +@@ -398,6 +399,11 @@ static inline bool is_huge_zero_page(struct page *page)
1263 + return false;
1264 + }
1265 +
1266 ++static inline bool is_huge_zero_pmd(pmd_t pmd)
1267 ++{
1268 ++ return false;
1269 ++}
1270 ++
1271 + static inline bool is_huge_zero_pud(pud_t pud)
1272 + {
1273 + return false;
1274 +diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
1275 +index fc717aeb2b3de..a0513c444446d 100644
1276 +--- a/include/linux/hugetlb.h
1277 ++++ b/include/linux/hugetlb.h
1278 +@@ -469,17 +469,6 @@ static inline int hstate_index(struct hstate *h)
1279 + return h - hstates;
1280 + }
1281 +
1282 +-pgoff_t __basepage_index(struct page *page);
1283 +-
1284 +-/* Return page->index in PAGE_SIZE units */
1285 +-static inline pgoff_t basepage_index(struct page *page)
1286 +-{
1287 +- if (!PageCompound(page))
1288 +- return page->index;
1289 +-
1290 +- return __basepage_index(page);
1291 +-}
1292 +-
1293 + extern int dissolve_free_huge_page(struct page *page);
1294 + extern int dissolve_free_huge_pages(unsigned long start_pfn,
1295 + unsigned long end_pfn);
1296 +@@ -695,11 +684,6 @@ static inline int hstate_index(struct hstate *h)
1297 + return 0;
1298 + }
1299 +
1300 +-static inline pgoff_t basepage_index(struct page *page)
1301 +-{
1302 +- return page->index;
1303 +-}
1304 +-
1305 + static inline int dissolve_free_huge_page(struct page *page)
1306 + {
1307 + return 0;
1308 +diff --git a/include/linux/mm.h b/include/linux/mm.h
1309 +index 5565d11f95429..a7d626b4cad1c 100644
1310 +--- a/include/linux/mm.h
1311 ++++ b/include/linux/mm.h
1312 +@@ -1459,6 +1459,7 @@ struct zap_details {
1313 + struct address_space *check_mapping; /* Check page->mapping if set */
1314 + pgoff_t first_index; /* Lowest page->index to unmap */
1315 + pgoff_t last_index; /* Highest page->index to unmap */
1316 ++ struct page *single_page; /* Locked page to be unmapped */
1317 + };
1318 +
1319 + struct page *vm_normal_page(struct vm_area_struct *vma, unsigned long addr,
1320 +@@ -1505,6 +1506,7 @@ extern vm_fault_t handle_mm_fault(struct vm_area_struct *vma,
1321 + extern int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
1322 + unsigned long address, unsigned int fault_flags,
1323 + bool *unlocked);
1324 ++void unmap_mapping_page(struct page *page);
1325 + void unmap_mapping_pages(struct address_space *mapping,
1326 + pgoff_t start, pgoff_t nr, bool even_cows);
1327 + void unmap_mapping_range(struct address_space *mapping,
1328 +@@ -1525,6 +1527,7 @@ static inline int fixup_user_fault(struct task_struct *tsk,
1329 + BUG();
1330 + return -EFAULT;
1331 + }
1332 ++static inline void unmap_mapping_page(struct page *page) { }
1333 + static inline void unmap_mapping_pages(struct address_space *mapping,
1334 + pgoff_t start, pgoff_t nr, bool even_cows) { }
1335 + static inline void unmap_mapping_range(struct address_space *mapping,
1336 +diff --git a/include/linux/mmdebug.h b/include/linux/mmdebug.h
1337 +index 2ad72d2c8cc52..5d0767cb424aa 100644
1338 +--- a/include/linux/mmdebug.h
1339 ++++ b/include/linux/mmdebug.h
1340 +@@ -37,6 +37,18 @@ void dump_mm(const struct mm_struct *mm);
1341 + BUG(); \
1342 + } \
1343 + } while (0)
1344 ++#define VM_WARN_ON_ONCE_PAGE(cond, page) ({ \
1345 ++ static bool __section(".data.once") __warned; \
1346 ++ int __ret_warn_once = !!(cond); \
1347 ++ \
1348 ++ if (unlikely(__ret_warn_once && !__warned)) { \
1349 ++ dump_page(page, "VM_WARN_ON_ONCE_PAGE(" __stringify(cond)")");\
1350 ++ __warned = true; \
1351 ++ WARN_ON(1); \
1352 ++ } \
1353 ++ unlikely(__ret_warn_once); \
1354 ++})
1355 ++
1356 + #define VM_WARN_ON(cond) (void)WARN_ON(cond)
1357 + #define VM_WARN_ON_ONCE(cond) (void)WARN_ON_ONCE(cond)
1358 + #define VM_WARN_ONCE(cond, format...) (void)WARN_ONCE(cond, format)
1359 +@@ -48,6 +60,7 @@ void dump_mm(const struct mm_struct *mm);
1360 + #define VM_BUG_ON_MM(cond, mm) VM_BUG_ON(cond)
1361 + #define VM_WARN_ON(cond) BUILD_BUG_ON_INVALID(cond)
1362 + #define VM_WARN_ON_ONCE(cond) BUILD_BUG_ON_INVALID(cond)
1363 ++#define VM_WARN_ON_ONCE_PAGE(cond, page) BUILD_BUG_ON_INVALID(cond)
1364 + #define VM_WARN_ONCE(cond, format...) BUILD_BUG_ON_INVALID(cond)
1365 + #define VM_WARN(cond, format...) BUILD_BUG_ON_INVALID(cond)
1366 + #endif
1367 +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
1368 +index 37a4d9e32cd3f..8543b1aaa5299 100644
1369 +--- a/include/linux/pagemap.h
1370 ++++ b/include/linux/pagemap.h
1371 +@@ -397,7 +397,7 @@ static inline struct page *read_mapping_page(struct address_space *mapping,
1372 + }
1373 +
1374 + /*
1375 +- * Get index of the page with in radix-tree
1376 ++ * Get index of the page within radix-tree (but not for hugetlb pages).
1377 + * (TODO: remove once hugetlb pages will have ->index in PAGE_SIZE)
1378 + */
1379 + static inline pgoff_t page_to_index(struct page *page)
1380 +@@ -416,15 +416,16 @@ static inline pgoff_t page_to_index(struct page *page)
1381 + return pgoff;
1382 + }
1383 +
1384 ++extern pgoff_t hugetlb_basepage_index(struct page *page);
1385 ++
1386 + /*
1387 +- * Get the offset in PAGE_SIZE.
1388 +- * (TODO: hugepage should have ->index in PAGE_SIZE)
1389 ++ * Get the offset in PAGE_SIZE (even for hugetlb pages).
1390 ++ * (TODO: hugetlb pages should have ->index in PAGE_SIZE)
1391 + */
1392 + static inline pgoff_t page_to_pgoff(struct page *page)
1393 + {
1394 +- if (unlikely(PageHeadHuge(page)))
1395 +- return page->index << compound_order(page);
1396 +-
1397 ++ if (unlikely(PageHuge(page)))
1398 ++ return hugetlb_basepage_index(page);
1399 + return page_to_index(page);
1400 + }
1401 +
1402 +diff --git a/include/linux/rmap.h b/include/linux/rmap.h
1403 +index d7d6d4eb17949..91ccae9467164 100644
1404 +--- a/include/linux/rmap.h
1405 ++++ b/include/linux/rmap.h
1406 +@@ -98,7 +98,8 @@ enum ttu_flags {
1407 + * do a final flush if necessary */
1408 + TTU_RMAP_LOCKED = 0x80, /* do not grab rmap lock:
1409 + * caller holds it */
1410 +- TTU_SPLIT_FREEZE = 0x100, /* freeze pte under splitting thp */
1411 ++ TTU_SPLIT_FREEZE = 0x100, /* freeze pte under splitting thp */
1412 ++ TTU_SYNC = 0x200, /* avoid racy checks with PVMW_SYNC */
1413 + };
1414 +
1415 + #ifdef CONFIG_MMU
1416 +diff --git a/include/net/sock.h b/include/net/sock.h
1417 +index a0728f24ecc53..d3dd89b6e2cba 100644
1418 +--- a/include/net/sock.h
1419 ++++ b/include/net/sock.h
1420 +@@ -1860,7 +1860,8 @@ static inline u32 net_tx_rndhash(void)
1421 +
1422 + static inline void sk_set_txhash(struct sock *sk)
1423 + {
1424 +- sk->sk_txhash = net_tx_rndhash();
1425 ++ /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */
1426 ++ WRITE_ONCE(sk->sk_txhash, net_tx_rndhash());
1427 + }
1428 +
1429 + static inline void sk_rethink_txhash(struct sock *sk)
1430 +@@ -2125,9 +2126,12 @@ static inline void sock_poll_wait(struct file *filp, struct socket *sock,
1431 +
1432 + static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
1433 + {
1434 +- if (sk->sk_txhash) {
1435 ++ /* This pairs with WRITE_ONCE() in sk_set_txhash() */
1436 ++ u32 txhash = READ_ONCE(sk->sk_txhash);
1437 ++
1438 ++ if (txhash) {
1439 + skb->l4_hash = 1;
1440 +- skb->hash = sk->sk_txhash;
1441 ++ skb->hash = txhash;
1442 + }
1443 + }
1444 +
1445 +diff --git a/init/Kconfig b/init/Kconfig
1446 +index 4f9fd78e2200b..f23e90d9935f5 100644
1447 +--- a/init/Kconfig
1448 ++++ b/init/Kconfig
1449 +@@ -20,6 +20,9 @@ config GCC_VERSION
1450 + config CC_IS_CLANG
1451 + def_bool $(success,$(CC) --version | head -n 1 | grep -q clang)
1452 +
1453 ++config LD_IS_LLD
1454 ++ def_bool $(success,$(LD) -v | head -n 1 | grep -q LLD)
1455 ++
1456 + config CLANG_VERSION
1457 + int
1458 + default $(shell,$(srctree)/scripts/clang-version.sh $(CC))
1459 +diff --git a/kernel/futex.c b/kernel/futex.c
1460 +index 375e7e98e301f..f82879ae6577c 100644
1461 +--- a/kernel/futex.c
1462 ++++ b/kernel/futex.c
1463 +@@ -737,7 +737,7 @@ again:
1464 +
1465 + key->both.offset |= FUT_OFF_INODE; /* inode-based key */
1466 + key->shared.i_seq = get_inode_sequence_number(inode);
1467 +- key->shared.pgoff = basepage_index(tail);
1468 ++ key->shared.pgoff = page_to_pgoff(tail);
1469 + rcu_read_unlock();
1470 + }
1471 +
1472 +diff --git a/kernel/kthread.c b/kernel/kthread.c
1473 +index 1d4c98a19043f..2eb8d7550324b 100644
1474 +--- a/kernel/kthread.c
1475 ++++ b/kernel/kthread.c
1476 +@@ -1020,8 +1020,38 @@ void kthread_flush_work(struct kthread_work *work)
1477 + EXPORT_SYMBOL_GPL(kthread_flush_work);
1478 +
1479 + /*
1480 +- * This function removes the work from the worker queue. Also it makes sure
1481 +- * that it won't get queued later via the delayed work's timer.
1482 ++ * Make sure that the timer is neither set nor running and could
1483 ++ * not manipulate the work list_head any longer.
1484 ++ *
1485 ++ * The function is called under worker->lock. The lock is temporary
1486 ++ * released but the timer can't be set again in the meantime.
1487 ++ */
1488 ++static void kthread_cancel_delayed_work_timer(struct kthread_work *work,
1489 ++ unsigned long *flags)
1490 ++{
1491 ++ struct kthread_delayed_work *dwork =
1492 ++ container_of(work, struct kthread_delayed_work, work);
1493 ++ struct kthread_worker *worker = work->worker;
1494 ++
1495 ++ /*
1496 ++ * del_timer_sync() must be called to make sure that the timer
1497 ++ * callback is not running. The lock must be temporary released
1498 ++ * to avoid a deadlock with the callback. In the meantime,
1499 ++ * any queuing is blocked by setting the canceling counter.
1500 ++ */
1501 ++ work->canceling++;
1502 ++ raw_spin_unlock_irqrestore(&worker->lock, *flags);
1503 ++ del_timer_sync(&dwork->timer);
1504 ++ raw_spin_lock_irqsave(&worker->lock, *flags);
1505 ++ work->canceling--;
1506 ++}
1507 ++
1508 ++/*
1509 ++ * This function removes the work from the worker queue.
1510 ++ *
1511 ++ * It is called under worker->lock. The caller must make sure that
1512 ++ * the timer used by delayed work is not running, e.g. by calling
1513 ++ * kthread_cancel_delayed_work_timer().
1514 + *
1515 + * The work might still be in use when this function finishes. See the
1516 + * current_work proceed by the worker.
1517 +@@ -1029,28 +1059,8 @@ EXPORT_SYMBOL_GPL(kthread_flush_work);
1518 + * Return: %true if @work was pending and successfully canceled,
1519 + * %false if @work was not pending
1520 + */
1521 +-static bool __kthread_cancel_work(struct kthread_work *work, bool is_dwork,
1522 +- unsigned long *flags)
1523 ++static bool __kthread_cancel_work(struct kthread_work *work)
1524 + {
1525 +- /* Try to cancel the timer if exists. */
1526 +- if (is_dwork) {
1527 +- struct kthread_delayed_work *dwork =
1528 +- container_of(work, struct kthread_delayed_work, work);
1529 +- struct kthread_worker *worker = work->worker;
1530 +-
1531 +- /*
1532 +- * del_timer_sync() must be called to make sure that the timer
1533 +- * callback is not running. The lock must be temporary released
1534 +- * to avoid a deadlock with the callback. In the meantime,
1535 +- * any queuing is blocked by setting the canceling counter.
1536 +- */
1537 +- work->canceling++;
1538 +- raw_spin_unlock_irqrestore(&worker->lock, *flags);
1539 +- del_timer_sync(&dwork->timer);
1540 +- raw_spin_lock_irqsave(&worker->lock, *flags);
1541 +- work->canceling--;
1542 +- }
1543 +-
1544 + /*
1545 + * Try to remove the work from a worker list. It might either
1546 + * be from worker->work_list or from worker->delayed_work_list.
1547 +@@ -1103,11 +1113,23 @@ bool kthread_mod_delayed_work(struct kthread_worker *worker,
1548 + /* Work must not be used with >1 worker, see kthread_queue_work() */
1549 + WARN_ON_ONCE(work->worker != worker);
1550 +
1551 +- /* Do not fight with another command that is canceling this work. */
1552 ++ /*
1553 ++ * Temporary cancel the work but do not fight with another command
1554 ++ * that is canceling the work as well.
1555 ++ *
1556 ++ * It is a bit tricky because of possible races with another
1557 ++ * mod_delayed_work() and cancel_delayed_work() callers.
1558 ++ *
1559 ++ * The timer must be canceled first because worker->lock is released
1560 ++ * when doing so. But the work can be removed from the queue (list)
1561 ++ * only when it can be queued again so that the return value can
1562 ++ * be used for reference counting.
1563 ++ */
1564 ++ kthread_cancel_delayed_work_timer(work, &flags);
1565 + if (work->canceling)
1566 + goto out;
1567 ++ ret = __kthread_cancel_work(work);
1568 +
1569 +- ret = __kthread_cancel_work(work, true, &flags);
1570 + fast_queue:
1571 + __kthread_queue_delayed_work(worker, dwork, delay);
1572 + out:
1573 +@@ -1129,7 +1151,10 @@ static bool __kthread_cancel_work_sync(struct kthread_work *work, bool is_dwork)
1574 + /* Work must not be used with >1 worker, see kthread_queue_work(). */
1575 + WARN_ON_ONCE(work->worker != worker);
1576 +
1577 +- ret = __kthread_cancel_work(work, is_dwork, &flags);
1578 ++ if (is_dwork)
1579 ++ kthread_cancel_delayed_work_timer(work, &flags);
1580 ++
1581 ++ ret = __kthread_cancel_work(work);
1582 +
1583 + if (worker->current_work != work)
1584 + goto out_fast;
1585 +diff --git a/kernel/module.c b/kernel/module.c
1586 +index 88a6a9e04f8dc..59d487b8d8dad 100644
1587 +--- a/kernel/module.c
1588 ++++ b/kernel/module.c
1589 +@@ -268,9 +268,18 @@ static void module_assert_mutex_or_preempt(void)
1590 + #endif
1591 + }
1592 +
1593 ++#ifdef CONFIG_MODULE_SIG
1594 + static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
1595 + module_param(sig_enforce, bool_enable_only, 0644);
1596 +
1597 ++void set_module_sig_enforced(void)
1598 ++{
1599 ++ sig_enforce = true;
1600 ++}
1601 ++#else
1602 ++#define sig_enforce false
1603 ++#endif
1604 ++
1605 + /*
1606 + * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
1607 + * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
1608 +@@ -281,11 +290,6 @@ bool is_module_sig_enforced(void)
1609 + }
1610 + EXPORT_SYMBOL(is_module_sig_enforced);
1611 +
1612 +-void set_module_sig_enforced(void)
1613 +-{
1614 +- sig_enforce = true;
1615 +-}
1616 +-
1617 + /* Block module loading/unloading? */
1618 + int modules_disabled = 0;
1619 + core_param(nomodule, modules_disabled, bint, 0);
1620 +diff --git a/mm/huge_memory.c b/mm/huge_memory.c
1621 +index 7bbf419bb86d6..87a07aa61be0d 100644
1622 +--- a/mm/huge_memory.c
1623 ++++ b/mm/huge_memory.c
1624 +@@ -61,6 +61,7 @@ static struct shrinker deferred_split_shrinker;
1625 +
1626 + static atomic_t huge_zero_refcount;
1627 + struct page *huge_zero_page __read_mostly;
1628 ++unsigned long huge_zero_pfn __read_mostly = ~0UL;
1629 +
1630 + bool transparent_hugepage_enabled(struct vm_area_struct *vma)
1631 + {
1632 +@@ -97,6 +98,7 @@ retry:
1633 + __free_pages(zero_page, compound_order(zero_page));
1634 + goto retry;
1635 + }
1636 ++ WRITE_ONCE(huge_zero_pfn, page_to_pfn(zero_page));
1637 +
1638 + /* We take additional reference here. It will be put back by shrinker */
1639 + atomic_set(&huge_zero_refcount, 2);
1640 +@@ -146,6 +148,7 @@ static unsigned long shrink_huge_zero_page_scan(struct shrinker *shrink,
1641 + if (atomic_cmpxchg(&huge_zero_refcount, 1, 0) == 1) {
1642 + struct page *zero_page = xchg(&huge_zero_page, NULL);
1643 + BUG_ON(zero_page == NULL);
1644 ++ WRITE_ONCE(huge_zero_pfn, ~0UL);
1645 + __free_pages(zero_page, compound_order(zero_page));
1646 + return HPAGE_PMD_NR;
1647 + }
1648 +@@ -2155,7 +2158,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
1649 + count_vm_event(THP_SPLIT_PMD);
1650 +
1651 + if (!vma_is_anonymous(vma)) {
1652 +- _pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd);
1653 ++ old_pmd = pmdp_huge_clear_flush_notify(vma, haddr, pmd);
1654 + /*
1655 + * We are going to unmap this huge page. So
1656 + * just go ahead and zap it
1657 +@@ -2164,16 +2167,25 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
1658 + zap_deposited_table(mm, pmd);
1659 + if (vma_is_dax(vma))
1660 + return;
1661 +- page = pmd_page(_pmd);
1662 +- if (!PageDirty(page) && pmd_dirty(_pmd))
1663 +- set_page_dirty(page);
1664 +- if (!PageReferenced(page) && pmd_young(_pmd))
1665 +- SetPageReferenced(page);
1666 +- page_remove_rmap(page, true);
1667 +- put_page(page);
1668 ++ if (unlikely(is_pmd_migration_entry(old_pmd))) {
1669 ++ swp_entry_t entry;
1670 ++
1671 ++ entry = pmd_to_swp_entry(old_pmd);
1672 ++ page = migration_entry_to_page(entry);
1673 ++ } else {
1674 ++ page = pmd_page(old_pmd);
1675 ++ if (!PageDirty(page) && pmd_dirty(old_pmd))
1676 ++ set_page_dirty(page);
1677 ++ if (!PageReferenced(page) && pmd_young(old_pmd))
1678 ++ SetPageReferenced(page);
1679 ++ page_remove_rmap(page, true);
1680 ++ put_page(page);
1681 ++ }
1682 + add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);
1683 + return;
1684 +- } else if (pmd_trans_huge(*pmd) && is_huge_zero_pmd(*pmd)) {
1685 ++ }
1686 ++
1687 ++ if (is_huge_zero_pmd(*pmd)) {
1688 + /*
1689 + * FIXME: Do we want to invalidate secondary mmu by calling
1690 + * mmu_notifier_invalidate_range() see comments below inside
1691 +@@ -2449,16 +2461,16 @@ void vma_adjust_trans_huge(struct vm_area_struct *vma,
1692 + static void unmap_page(struct page *page)
1693 + {
1694 + enum ttu_flags ttu_flags = TTU_IGNORE_MLOCK | TTU_IGNORE_ACCESS |
1695 +- TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD;
1696 +- bool unmap_success;
1697 ++ TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD | TTU_SYNC;
1698 +
1699 + VM_BUG_ON_PAGE(!PageHead(page), page);
1700 +
1701 + if (PageAnon(page))
1702 + ttu_flags |= TTU_SPLIT_FREEZE;
1703 +
1704 +- unmap_success = try_to_unmap(page, ttu_flags);
1705 +- VM_BUG_ON_PAGE(!unmap_success, page);
1706 ++ try_to_unmap(page, ttu_flags);
1707 ++
1708 ++ VM_WARN_ON_ONCE_PAGE(page_mapped(page), page);
1709 + }
1710 +
1711 + static void remap_page(struct page *page)
1712 +@@ -2737,7 +2749,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
1713 + struct deferred_split *ds_queue = get_deferred_split_queue(page);
1714 + struct anon_vma *anon_vma = NULL;
1715 + struct address_space *mapping = NULL;
1716 +- int count, mapcount, extra_pins, ret;
1717 ++ int extra_pins, ret;
1718 + bool mlocked;
1719 + unsigned long flags;
1720 + pgoff_t end;
1721 +@@ -2799,7 +2811,6 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
1722 +
1723 + mlocked = PageMlocked(page);
1724 + unmap_page(head);
1725 +- VM_BUG_ON_PAGE(compound_mapcount(head), head);
1726 +
1727 + /* Make sure the page is not on per-CPU pagevec as it takes pin */
1728 + if (mlocked)
1729 +@@ -2822,9 +2833,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
1730 +
1731 + /* Prevent deferred_split_scan() touching ->_refcount */
1732 + spin_lock(&ds_queue->split_queue_lock);
1733 +- count = page_count(head);
1734 +- mapcount = total_mapcount(head);
1735 +- if (!mapcount && page_ref_freeze(head, 1 + extra_pins)) {
1736 ++ if (page_ref_freeze(head, 1 + extra_pins)) {
1737 + if (!list_empty(page_deferred_list(head))) {
1738 + ds_queue->split_queue_len--;
1739 + list_del(page_deferred_list(head));
1740 +@@ -2845,16 +2854,9 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
1741 + } else
1742 + ret = 0;
1743 + } else {
1744 +- if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) {
1745 +- pr_alert("total_mapcount: %u, page_count(): %u\n",
1746 +- mapcount, count);
1747 +- if (PageTail(page))
1748 +- dump_page(head, NULL);
1749 +- dump_page(page, "total_mapcount(head) > 0");
1750 +- BUG();
1751 +- }
1752 + spin_unlock(&ds_queue->split_queue_lock);
1753 +-fail: if (mapping)
1754 ++fail:
1755 ++ if (mapping)
1756 + xa_unlock(&mapping->i_pages);
1757 + spin_unlock_irqrestore(&pgdata->lru_lock, flags);
1758 + remap_page(head);
1759 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
1760 +index fe15e7d8220ab..95a32749af4da 100644
1761 +--- a/mm/hugetlb.c
1762 ++++ b/mm/hugetlb.c
1763 +@@ -1461,15 +1461,12 @@ int PageHeadHuge(struct page *page_head)
1764 + return get_compound_page_dtor(page_head) == free_huge_page;
1765 + }
1766 +
1767 +-pgoff_t __basepage_index(struct page *page)
1768 ++pgoff_t hugetlb_basepage_index(struct page *page)
1769 + {
1770 + struct page *page_head = compound_head(page);
1771 + pgoff_t index = page_index(page_head);
1772 + unsigned long compound_idx;
1773 +
1774 +- if (!PageHuge(page_head))
1775 +- return page_index(page);
1776 +-
1777 + if (compound_order(page_head) >= MAX_ORDER)
1778 + compound_idx = page_to_pfn(page) - page_to_pfn(page_head);
1779 + else
1780 +diff --git a/mm/internal.h b/mm/internal.h
1781 +index 7dd7fbb577a9a..cf382549dd702 100644
1782 +--- a/mm/internal.h
1783 ++++ b/mm/internal.h
1784 +@@ -339,27 +339,52 @@ static inline void mlock_migrate_page(struct page *newpage, struct page *page)
1785 + extern pmd_t maybe_pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma);
1786 +
1787 + /*
1788 +- * At what user virtual address is page expected in @vma?
1789 ++ * At what user virtual address is page expected in vma?
1790 ++ * Returns -EFAULT if all of the page is outside the range of vma.
1791 ++ * If page is a compound head, the entire compound page is considered.
1792 + */
1793 + static inline unsigned long
1794 +-__vma_address(struct page *page, struct vm_area_struct *vma)
1795 ++vma_address(struct page *page, struct vm_area_struct *vma)
1796 + {
1797 +- pgoff_t pgoff = page_to_pgoff(page);
1798 +- return vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT);
1799 ++ pgoff_t pgoff;
1800 ++ unsigned long address;
1801 ++
1802 ++ VM_BUG_ON_PAGE(PageKsm(page), page); /* KSM page->index unusable */
1803 ++ pgoff = page_to_pgoff(page);
1804 ++ if (pgoff >= vma->vm_pgoff) {
1805 ++ address = vma->vm_start +
1806 ++ ((pgoff - vma->vm_pgoff) << PAGE_SHIFT);
1807 ++ /* Check for address beyond vma (or wrapped through 0?) */
1808 ++ if (address < vma->vm_start || address >= vma->vm_end)
1809 ++ address = -EFAULT;
1810 ++ } else if (PageHead(page) &&
1811 ++ pgoff + compound_nr(page) - 1 >= vma->vm_pgoff) {
1812 ++ /* Test above avoids possibility of wrap to 0 on 32-bit */
1813 ++ address = vma->vm_start;
1814 ++ } else {
1815 ++ address = -EFAULT;
1816 ++ }
1817 ++ return address;
1818 + }
1819 +
1820 ++/*
1821 ++ * Then at what user virtual address will none of the page be found in vma?
1822 ++ * Assumes that vma_address() already returned a good starting address.
1823 ++ * If page is a compound head, the entire compound page is considered.
1824 ++ */
1825 + static inline unsigned long
1826 +-vma_address(struct page *page, struct vm_area_struct *vma)
1827 ++vma_address_end(struct page *page, struct vm_area_struct *vma)
1828 + {
1829 +- unsigned long start, end;
1830 +-
1831 +- start = __vma_address(page, vma);
1832 +- end = start + PAGE_SIZE * (hpage_nr_pages(page) - 1);
1833 +-
1834 +- /* page should be within @vma mapping range */
1835 +- VM_BUG_ON_VMA(end < vma->vm_start || start >= vma->vm_end, vma);
1836 +-
1837 +- return max(start, vma->vm_start);
1838 ++ pgoff_t pgoff;
1839 ++ unsigned long address;
1840 ++
1841 ++ VM_BUG_ON_PAGE(PageKsm(page), page); /* KSM page->index unusable */
1842 ++ pgoff = page_to_pgoff(page) + compound_nr(page);
1843 ++ address = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT);
1844 ++ /* Check for address beyond vma (or wrapped through 0?) */
1845 ++ if (address < vma->vm_start || address > vma->vm_end)
1846 ++ address = vma->vm_end;
1847 ++ return address;
1848 + }
1849 +
1850 + static inline struct file *maybe_unlock_mmap_for_io(struct vm_fault *vmf,
1851 +diff --git a/mm/memory.c b/mm/memory.c
1852 +index 13a575ce2ec8f..4bb7c6a364c81 100644
1853 +--- a/mm/memory.c
1854 ++++ b/mm/memory.c
1855 +@@ -1165,7 +1165,18 @@ static inline unsigned long zap_pmd_range(struct mmu_gather *tlb,
1856 + else if (zap_huge_pmd(tlb, vma, pmd, addr))
1857 + goto next;
1858 + /* fall through */
1859 ++ } else if (details && details->single_page &&
1860 ++ PageTransCompound(details->single_page) &&
1861 ++ next - addr == HPAGE_PMD_SIZE && pmd_none(*pmd)) {
1862 ++ spinlock_t *ptl = pmd_lock(tlb->mm, pmd);
1863 ++ /*
1864 ++ * Take and drop THP pmd lock so that we cannot return
1865 ++ * prematurely, while zap_huge_pmd() has cleared *pmd,
1866 ++ * but not yet decremented compound_mapcount().
1867 ++ */
1868 ++ spin_unlock(ptl);
1869 + }
1870 ++
1871 + /*
1872 + * Here there can be other concurrent MADV_DONTNEED or
1873 + * trans huge page faults running, and if the pmd is
1874 +@@ -2769,6 +2780,36 @@ static inline void unmap_mapping_range_tree(struct rb_root_cached *root,
1875 + }
1876 + }
1877 +
1878 ++/**
1879 ++ * unmap_mapping_page() - Unmap single page from processes.
1880 ++ * @page: The locked page to be unmapped.
1881 ++ *
1882 ++ * Unmap this page from any userspace process which still has it mmaped.
1883 ++ * Typically, for efficiency, the range of nearby pages has already been
1884 ++ * unmapped by unmap_mapping_pages() or unmap_mapping_range(). But once
1885 ++ * truncation or invalidation holds the lock on a page, it may find that
1886 ++ * the page has been remapped again: and then uses unmap_mapping_page()
1887 ++ * to unmap it finally.
1888 ++ */
1889 ++void unmap_mapping_page(struct page *page)
1890 ++{
1891 ++ struct address_space *mapping = page->mapping;
1892 ++ struct zap_details details = { };
1893 ++
1894 ++ VM_BUG_ON(!PageLocked(page));
1895 ++ VM_BUG_ON(PageTail(page));
1896 ++
1897 ++ details.check_mapping = mapping;
1898 ++ details.first_index = page->index;
1899 ++ details.last_index = page->index + hpage_nr_pages(page) - 1;
1900 ++ details.single_page = page;
1901 ++
1902 ++ i_mmap_lock_write(mapping);
1903 ++ if (unlikely(!RB_EMPTY_ROOT(&mapping->i_mmap.rb_root)))
1904 ++ unmap_mapping_range_tree(&mapping->i_mmap, &details);
1905 ++ i_mmap_unlock_write(mapping);
1906 ++}
1907 ++
1908 + /**
1909 + * unmap_mapping_pages() - Unmap pages from processes.
1910 + * @mapping: The address space containing pages to be unmapped.
1911 +diff --git a/mm/migrate.c b/mm/migrate.c
1912 +index 00bbe57c1ce22..5092ef2aa8a1f 100644
1913 +--- a/mm/migrate.c
1914 ++++ b/mm/migrate.c
1915 +@@ -321,6 +321,7 @@ void __migration_entry_wait(struct mm_struct *mm, pte_t *ptep,
1916 + goto out;
1917 +
1918 + page = migration_entry_to_page(entry);
1919 ++ page = compound_head(page);
1920 +
1921 + /*
1922 + * Once page cache replacement of page migration started, page_count
1923 +diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c
1924 +index eff4b4520c8d5..029f5598251c2 100644
1925 +--- a/mm/page_vma_mapped.c
1926 ++++ b/mm/page_vma_mapped.c
1927 +@@ -111,6 +111,13 @@ static bool check_pte(struct page_vma_mapped_walk *pvmw)
1928 + return pfn_in_hpage(pvmw->page, pfn);
1929 + }
1930 +
1931 ++static void step_forward(struct page_vma_mapped_walk *pvmw, unsigned long size)
1932 ++{
1933 ++ pvmw->address = (pvmw->address + size) & ~(size - 1);
1934 ++ if (!pvmw->address)
1935 ++ pvmw->address = ULONG_MAX;
1936 ++}
1937 ++
1938 + /**
1939 + * page_vma_mapped_walk - check if @pvmw->page is mapped in @pvmw->vma at
1940 + * @pvmw->address
1941 +@@ -139,6 +146,7 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
1942 + {
1943 + struct mm_struct *mm = pvmw->vma->vm_mm;
1944 + struct page *page = pvmw->page;
1945 ++ unsigned long end;
1946 + pgd_t *pgd;
1947 + p4d_t *p4d;
1948 + pud_t *pud;
1949 +@@ -148,10 +156,11 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
1950 + if (pvmw->pmd && !pvmw->pte)
1951 + return not_found(pvmw);
1952 +
1953 +- if (pvmw->pte)
1954 +- goto next_pte;
1955 ++ if (unlikely(PageHuge(page))) {
1956 ++ /* The only possible mapping was handled on last iteration */
1957 ++ if (pvmw->pte)
1958 ++ return not_found(pvmw);
1959 +
1960 +- if (unlikely(PageHuge(pvmw->page))) {
1961 + /* when pud is not present, pte will be NULL */
1962 + pvmw->pte = huge_pte_offset(mm, pvmw->address, page_size(page));
1963 + if (!pvmw->pte)
1964 +@@ -163,78 +172,108 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
1965 + return not_found(pvmw);
1966 + return true;
1967 + }
1968 +-restart:
1969 +- pgd = pgd_offset(mm, pvmw->address);
1970 +- if (!pgd_present(*pgd))
1971 +- return false;
1972 +- p4d = p4d_offset(pgd, pvmw->address);
1973 +- if (!p4d_present(*p4d))
1974 +- return false;
1975 +- pud = pud_offset(p4d, pvmw->address);
1976 +- if (!pud_present(*pud))
1977 +- return false;
1978 +- pvmw->pmd = pmd_offset(pud, pvmw->address);
1979 ++
1980 + /*
1981 +- * Make sure the pmd value isn't cached in a register by the
1982 +- * compiler and used as a stale value after we've observed a
1983 +- * subsequent update.
1984 ++ * Seek to next pte only makes sense for THP.
1985 ++ * But more important than that optimization, is to filter out
1986 ++ * any PageKsm page: whose page->index misleads vma_address()
1987 ++ * and vma_address_end() to disaster.
1988 + */
1989 +- pmde = READ_ONCE(*pvmw->pmd);
1990 +- if (pmd_trans_huge(pmde) || is_pmd_migration_entry(pmde)) {
1991 +- pvmw->ptl = pmd_lock(mm, pvmw->pmd);
1992 +- if (likely(pmd_trans_huge(*pvmw->pmd))) {
1993 +- if (pvmw->flags & PVMW_MIGRATION)
1994 +- return not_found(pvmw);
1995 +- if (pmd_page(*pvmw->pmd) != page)
1996 +- return not_found(pvmw);
1997 +- return true;
1998 +- } else if (!pmd_present(*pvmw->pmd)) {
1999 +- if (thp_migration_supported()) {
2000 +- if (!(pvmw->flags & PVMW_MIGRATION))
2001 ++ end = PageTransCompound(page) ?
2002 ++ vma_address_end(page, pvmw->vma) :
2003 ++ pvmw->address + PAGE_SIZE;
2004 ++ if (pvmw->pte)
2005 ++ goto next_pte;
2006 ++restart:
2007 ++ do {
2008 ++ pgd = pgd_offset(mm, pvmw->address);
2009 ++ if (!pgd_present(*pgd)) {
2010 ++ step_forward(pvmw, PGDIR_SIZE);
2011 ++ continue;
2012 ++ }
2013 ++ p4d = p4d_offset(pgd, pvmw->address);
2014 ++ if (!p4d_present(*p4d)) {
2015 ++ step_forward(pvmw, P4D_SIZE);
2016 ++ continue;
2017 ++ }
2018 ++ pud = pud_offset(p4d, pvmw->address);
2019 ++ if (!pud_present(*pud)) {
2020 ++ step_forward(pvmw, PUD_SIZE);
2021 ++ continue;
2022 ++ }
2023 ++
2024 ++ pvmw->pmd = pmd_offset(pud, pvmw->address);
2025 ++ /*
2026 ++ * Make sure the pmd value isn't cached in a register by the
2027 ++ * compiler and used as a stale value after we've observed a
2028 ++ * subsequent update.
2029 ++ */
2030 ++ pmde = READ_ONCE(*pvmw->pmd);
2031 ++
2032 ++ if (pmd_trans_huge(pmde) || is_pmd_migration_entry(pmde)) {
2033 ++ pvmw->ptl = pmd_lock(mm, pvmw->pmd);
2034 ++ pmde = *pvmw->pmd;
2035 ++ if (likely(pmd_trans_huge(pmde))) {
2036 ++ if (pvmw->flags & PVMW_MIGRATION)
2037 + return not_found(pvmw);
2038 +- if (is_migration_entry(pmd_to_swp_entry(*pvmw->pmd))) {
2039 +- swp_entry_t entry = pmd_to_swp_entry(*pvmw->pmd);
2040 ++ if (pmd_page(pmde) != page)
2041 ++ return not_found(pvmw);
2042 ++ return true;
2043 ++ }
2044 ++ if (!pmd_present(pmde)) {
2045 ++ swp_entry_t entry;
2046 +
2047 +- if (migration_entry_to_page(entry) != page)
2048 +- return not_found(pvmw);
2049 +- return true;
2050 +- }
2051 ++ if (!thp_migration_supported() ||
2052 ++ !(pvmw->flags & PVMW_MIGRATION))
2053 ++ return not_found(pvmw);
2054 ++ entry = pmd_to_swp_entry(pmde);
2055 ++ if (!is_migration_entry(entry) ||
2056 ++ migration_entry_to_page(entry) != page)
2057 ++ return not_found(pvmw);
2058 ++ return true;
2059 + }
2060 +- return not_found(pvmw);
2061 +- } else {
2062 + /* THP pmd was split under us: handle on pte level */
2063 + spin_unlock(pvmw->ptl);
2064 + pvmw->ptl = NULL;
2065 ++ } else if (!pmd_present(pmde)) {
2066 ++ /*
2067 ++ * If PVMW_SYNC, take and drop THP pmd lock so that we
2068 ++ * cannot return prematurely, while zap_huge_pmd() has
2069 ++ * cleared *pmd but not decremented compound_mapcount().
2070 ++ */
2071 ++ if ((pvmw->flags & PVMW_SYNC) &&
2072 ++ PageTransCompound(page)) {
2073 ++ spinlock_t *ptl = pmd_lock(mm, pvmw->pmd);
2074 ++
2075 ++ spin_unlock(ptl);
2076 ++ }
2077 ++ step_forward(pvmw, PMD_SIZE);
2078 ++ continue;
2079 + }
2080 +- } else if (!pmd_present(pmde)) {
2081 +- return false;
2082 +- }
2083 +- if (!map_pte(pvmw))
2084 +- goto next_pte;
2085 +- while (1) {
2086 ++ if (!map_pte(pvmw))
2087 ++ goto next_pte;
2088 ++this_pte:
2089 + if (check_pte(pvmw))
2090 + return true;
2091 + next_pte:
2092 +- /* Seek to next pte only makes sense for THP */
2093 +- if (!PageTransHuge(pvmw->page) || PageHuge(pvmw->page))
2094 +- return not_found(pvmw);
2095 + do {
2096 + pvmw->address += PAGE_SIZE;
2097 +- if (pvmw->address >= pvmw->vma->vm_end ||
2098 +- pvmw->address >=
2099 +- __vma_address(pvmw->page, pvmw->vma) +
2100 +- hpage_nr_pages(pvmw->page) * PAGE_SIZE)
2101 ++ if (pvmw->address >= end)
2102 + return not_found(pvmw);
2103 + /* Did we cross page table boundary? */
2104 +- if (pvmw->address % PMD_SIZE == 0) {
2105 +- pte_unmap(pvmw->pte);
2106 ++ if ((pvmw->address & (PMD_SIZE - PAGE_SIZE)) == 0) {
2107 + if (pvmw->ptl) {
2108 + spin_unlock(pvmw->ptl);
2109 + pvmw->ptl = NULL;
2110 + }
2111 ++ pte_unmap(pvmw->pte);
2112 ++ pvmw->pte = NULL;
2113 + goto restart;
2114 +- } else {
2115 +- pvmw->pte++;
2116 ++ }
2117 ++ pvmw->pte++;
2118 ++ if ((pvmw->flags & PVMW_SYNC) && !pvmw->ptl) {
2119 ++ pvmw->ptl = pte_lockptr(mm, pvmw->pmd);
2120 ++ spin_lock(pvmw->ptl);
2121 + }
2122 + } while (pte_none(*pvmw->pte));
2123 +
2124 +@@ -242,7 +281,10 @@ next_pte:
2125 + pvmw->ptl = pte_lockptr(mm, pvmw->pmd);
2126 + spin_lock(pvmw->ptl);
2127 + }
2128 +- }
2129 ++ goto this_pte;
2130 ++ } while (pvmw->address < end);
2131 ++
2132 ++ return false;
2133 + }
2134 +
2135 + /**
2136 +@@ -261,14 +303,10 @@ int page_mapped_in_vma(struct page *page, struct vm_area_struct *vma)
2137 + .vma = vma,
2138 + .flags = PVMW_SYNC,
2139 + };
2140 +- unsigned long start, end;
2141 +-
2142 +- start = __vma_address(page, vma);
2143 +- end = start + PAGE_SIZE * (hpage_nr_pages(page) - 1);
2144 +
2145 +- if (unlikely(end < vma->vm_start || start >= vma->vm_end))
2146 ++ pvmw.address = vma_address(page, vma);
2147 ++ if (pvmw.address == -EFAULT)
2148 + return 0;
2149 +- pvmw.address = max(start, vma->vm_start);
2150 + if (!page_vma_mapped_walk(&pvmw))
2151 + return 0;
2152 + page_vma_mapped_walk_done(&pvmw);
2153 +diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c
2154 +index 532c29276fcee..49e8a4fbc2051 100644
2155 +--- a/mm/pgtable-generic.c
2156 ++++ b/mm/pgtable-generic.c
2157 +@@ -126,8 +126,8 @@ pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma, unsigned long address,
2158 + {
2159 + pmd_t pmd;
2160 + VM_BUG_ON(address & ~HPAGE_PMD_MASK);
2161 +- VM_BUG_ON((pmd_present(*pmdp) && !pmd_trans_huge(*pmdp) &&
2162 +- !pmd_devmap(*pmdp)) || !pmd_present(*pmdp));
2163 ++ VM_BUG_ON(pmd_present(*pmdp) && !pmd_trans_huge(*pmdp) &&
2164 ++ !pmd_devmap(*pmdp));
2165 + pmd = pmdp_huge_get_and_clear(vma->vm_mm, address, pmdp);
2166 + flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
2167 + return pmd;
2168 +diff --git a/mm/rmap.c b/mm/rmap.c
2169 +index 0c7b2a9400d4a..45f2106852e84 100644
2170 +--- a/mm/rmap.c
2171 ++++ b/mm/rmap.c
2172 +@@ -687,7 +687,6 @@ static bool should_defer_flush(struct mm_struct *mm, enum ttu_flags flags)
2173 + */
2174 + unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma)
2175 + {
2176 +- unsigned long address;
2177 + if (PageAnon(page)) {
2178 + struct anon_vma *page__anon_vma = page_anon_vma(page);
2179 + /*
2180 +@@ -697,15 +696,13 @@ unsigned long page_address_in_vma(struct page *page, struct vm_area_struct *vma)
2181 + if (!vma->anon_vma || !page__anon_vma ||
2182 + vma->anon_vma->root != page__anon_vma->root)
2183 + return -EFAULT;
2184 +- } else if (page->mapping) {
2185 +- if (!vma->vm_file || vma->vm_file->f_mapping != page->mapping)
2186 +- return -EFAULT;
2187 +- } else
2188 ++ } else if (!vma->vm_file) {
2189 + return -EFAULT;
2190 +- address = __vma_address(page, vma);
2191 +- if (unlikely(address < vma->vm_start || address >= vma->vm_end))
2192 ++ } else if (vma->vm_file->f_mapping != compound_head(page)->mapping) {
2193 + return -EFAULT;
2194 +- return address;
2195 ++ }
2196 ++
2197 ++ return vma_address(page, vma);
2198 + }
2199 +
2200 + pmd_t *mm_find_pmd(struct mm_struct *mm, unsigned long address)
2201 +@@ -899,7 +896,7 @@ static bool page_mkclean_one(struct page *page, struct vm_area_struct *vma,
2202 + */
2203 + mmu_notifier_range_init(&range, MMU_NOTIFY_PROTECTION_PAGE,
2204 + 0, vma, vma->vm_mm, address,
2205 +- min(vma->vm_end, address + page_size(page)));
2206 ++ vma_address_end(page, vma));
2207 + mmu_notifier_invalidate_range_start(&range);
2208 +
2209 + while (page_vma_mapped_walk(&pvmw)) {
2210 +@@ -1353,6 +1350,15 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
2211 + struct mmu_notifier_range range;
2212 + enum ttu_flags flags = (enum ttu_flags)arg;
2213 +
2214 ++ /*
2215 ++ * When racing against e.g. zap_pte_range() on another cpu,
2216 ++ * in between its ptep_get_and_clear_full() and page_remove_rmap(),
2217 ++ * try_to_unmap() may return false when it is about to become true,
2218 ++ * if page table locking is skipped: use TTU_SYNC to wait for that.
2219 ++ */
2220 ++ if (flags & TTU_SYNC)
2221 ++ pvmw.flags = PVMW_SYNC;
2222 ++
2223 + /* munlock has nothing to gain from examining un-locked vmas */
2224 + if ((flags & TTU_MUNLOCK) && !(vma->vm_flags & VM_LOCKED))
2225 + return true;
2226 +@@ -1374,9 +1380,10 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma,
2227 + * Note that the page can not be free in this function as call of
2228 + * try_to_unmap() must hold a reference on the page.
2229 + */
2230 ++ range.end = PageKsm(page) ?
2231 ++ address + PAGE_SIZE : vma_address_end(page, vma);
2232 + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma, vma->vm_mm,
2233 +- address,
2234 +- min(vma->vm_end, address + page_size(page)));
2235 ++ address, range.end);
2236 + if (PageHuge(page)) {
2237 + /*
2238 + * If sharing is possible, start and end will be adjusted
2239 +@@ -1690,9 +1697,9 @@ static bool invalid_migration_vma(struct vm_area_struct *vma, void *arg)
2240 + return is_vma_temporary_stack(vma);
2241 + }
2242 +
2243 +-static int page_mapcount_is_zero(struct page *page)
2244 ++static int page_not_mapped(struct page *page)
2245 + {
2246 +- return !total_mapcount(page);
2247 ++ return !page_mapped(page);
2248 + }
2249 +
2250 + /**
2251 +@@ -1710,7 +1717,7 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags)
2252 + struct rmap_walk_control rwc = {
2253 + .rmap_one = try_to_unmap_one,
2254 + .arg = (void *)flags,
2255 +- .done = page_mapcount_is_zero,
2256 ++ .done = page_not_mapped,
2257 + .anon_lock = page_lock_anon_vma_read,
2258 + };
2259 +
2260 +@@ -1731,14 +1738,15 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags)
2261 + else
2262 + rmap_walk(page, &rwc);
2263 +
2264 +- return !page_mapcount(page) ? true : false;
2265 ++ /*
2266 ++ * When racing against e.g. zap_pte_range() on another cpu,
2267 ++ * in between its ptep_get_and_clear_full() and page_remove_rmap(),
2268 ++ * try_to_unmap() may return false when it is about to become true,
2269 ++ * if page table locking is skipped: use TTU_SYNC to wait for that.
2270 ++ */
2271 ++ return !page_mapcount(page);
2272 + }
2273 +
2274 +-static int page_not_mapped(struct page *page)
2275 +-{
2276 +- return !page_mapped(page);
2277 +-};
2278 +-
2279 + /**
2280 + * try_to_munlock - try to munlock a page
2281 + * @page: the page to be munlocked
2282 +@@ -1833,6 +1841,7 @@ static void rmap_walk_anon(struct page *page, struct rmap_walk_control *rwc,
2283 + struct vm_area_struct *vma = avc->vma;
2284 + unsigned long address = vma_address(page, vma);
2285 +
2286 ++ VM_BUG_ON_VMA(address == -EFAULT, vma);
2287 + cond_resched();
2288 +
2289 + if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
2290 +@@ -1887,6 +1896,7 @@ static void rmap_walk_file(struct page *page, struct rmap_walk_control *rwc,
2291 + pgoff_start, pgoff_end) {
2292 + unsigned long address = vma_address(page, vma);
2293 +
2294 ++ VM_BUG_ON_VMA(address == -EFAULT, vma);
2295 + cond_resched();
2296 +
2297 + if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
2298 +diff --git a/mm/truncate.c b/mm/truncate.c
2299 +index dd9ebc1da3566..4d5add7d8ab6d 100644
2300 +--- a/mm/truncate.c
2301 ++++ b/mm/truncate.c
2302 +@@ -173,13 +173,10 @@ void do_invalidatepage(struct page *page, unsigned int offset,
2303 + * its lock, b) when a concurrent invalidate_mapping_pages got there first and
2304 + * c) when tmpfs swizzles a page between a tmpfs inode and swapper_space.
2305 + */
2306 +-static void
2307 +-truncate_cleanup_page(struct address_space *mapping, struct page *page)
2308 ++static void truncate_cleanup_page(struct page *page)
2309 + {
2310 +- if (page_mapped(page)) {
2311 +- pgoff_t nr = PageTransHuge(page) ? HPAGE_PMD_NR : 1;
2312 +- unmap_mapping_pages(mapping, page->index, nr, false);
2313 +- }
2314 ++ if (page_mapped(page))
2315 ++ unmap_mapping_page(page);
2316 +
2317 + if (page_has_private(page))
2318 + do_invalidatepage(page, 0, PAGE_SIZE);
2319 +@@ -224,7 +221,7 @@ int truncate_inode_page(struct address_space *mapping, struct page *page)
2320 + if (page->mapping != mapping)
2321 + return -EIO;
2322 +
2323 +- truncate_cleanup_page(mapping, page);
2324 ++ truncate_cleanup_page(page);
2325 + delete_from_page_cache(page);
2326 + return 0;
2327 + }
2328 +@@ -362,7 +359,7 @@ void truncate_inode_pages_range(struct address_space *mapping,
2329 + pagevec_add(&locked_pvec, page);
2330 + }
2331 + for (i = 0; i < pagevec_count(&locked_pvec); i++)
2332 +- truncate_cleanup_page(mapping, locked_pvec.pages[i]);
2333 ++ truncate_cleanup_page(locked_pvec.pages[i]);
2334 + delete_from_page_cache_batch(mapping, &locked_pvec);
2335 + for (i = 0; i < pagevec_count(&locked_pvec); i++)
2336 + unlock_page(locked_pvec.pages[i]);
2337 +@@ -715,6 +712,16 @@ int invalidate_inode_pages2_range(struct address_space *mapping,
2338 + continue;
2339 + }
2340 +
2341 ++ if (!did_range_unmap && page_mapped(page)) {
2342 ++ /*
2343 ++ * If page is mapped, before taking its lock,
2344 ++ * zap the rest of the file in one hit.
2345 ++ */
2346 ++ unmap_mapping_pages(mapping, index,
2347 ++ (1 + end - index), false);
2348 ++ did_range_unmap = 1;
2349 ++ }
2350 ++
2351 + lock_page(page);
2352 + WARN_ON(page_to_index(page) != index);
2353 + if (page->mapping != mapping) {
2354 +@@ -722,23 +729,11 @@ int invalidate_inode_pages2_range(struct address_space *mapping,
2355 + continue;
2356 + }
2357 + wait_on_page_writeback(page);
2358 +- if (page_mapped(page)) {
2359 +- if (!did_range_unmap) {
2360 +- /*
2361 +- * Zap the rest of the file in one hit.
2362 +- */
2363 +- unmap_mapping_pages(mapping, index,
2364 +- (1 + end - index), false);
2365 +- did_range_unmap = 1;
2366 +- } else {
2367 +- /*
2368 +- * Just zap this page
2369 +- */
2370 +- unmap_mapping_pages(mapping, index,
2371 +- 1, false);
2372 +- }
2373 +- }
2374 ++
2375 ++ if (page_mapped(page))
2376 ++ unmap_mapping_page(page);
2377 + BUG_ON(page_mapped(page));
2378 ++
2379 + ret2 = do_launder_page(mapping, page);
2380 + if (ret2 == 0) {
2381 + if (!invalidate_complete_page2(mapping, page))
2382 +diff --git a/net/core/ethtool.c b/net/core/ethtool.c
2383 +index 76506975d59a5..cbd1885f24592 100644
2384 +--- a/net/core/ethtool.c
2385 ++++ b/net/core/ethtool.c
2386 +@@ -1508,7 +1508,7 @@ static int ethtool_get_any_eeprom(struct net_device *dev, void __user *useraddr,
2387 + if (eeprom.offset + eeprom.len > total_len)
2388 + return -EINVAL;
2389 +
2390 +- data = kmalloc(PAGE_SIZE, GFP_USER);
2391 ++ data = kzalloc(PAGE_SIZE, GFP_USER);
2392 + if (!data)
2393 + return -ENOMEM;
2394 +
2395 +@@ -1573,7 +1573,7 @@ static int ethtool_set_eeprom(struct net_device *dev, void __user *useraddr)
2396 + if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
2397 + return -EINVAL;
2398 +
2399 +- data = kmalloc(PAGE_SIZE, GFP_USER);
2400 ++ data = kzalloc(PAGE_SIZE, GFP_USER);
2401 + if (!data)
2402 + return -ENOMEM;
2403 +
2404 +@@ -1764,7 +1764,7 @@ static int ethtool_self_test(struct net_device *dev, char __user *useraddr)
2405 + return -EFAULT;
2406 +
2407 + test.len = test_len;
2408 +- data = kmalloc_array(test_len, sizeof(u64), GFP_USER);
2409 ++ data = kcalloc(test_len, sizeof(u64), GFP_USER);
2410 + if (!data)
2411 + return -ENOMEM;
2412 +
2413 +@@ -2295,7 +2295,7 @@ static int ethtool_get_tunable(struct net_device *dev, void __user *useraddr)
2414 + ret = ethtool_tunable_valid(&tuna);
2415 + if (ret)
2416 + return ret;
2417 +- data = kmalloc(tuna.len, GFP_USER);
2418 ++ data = kzalloc(tuna.len, GFP_USER);
2419 + if (!data)
2420 + return -ENOMEM;
2421 + ret = ops->get_tunable(dev, &tuna, data);
2422 +@@ -2481,7 +2481,7 @@ static int get_phy_tunable(struct net_device *dev, void __user *useraddr)
2423 + ret = ethtool_phy_tunable_valid(&tuna);
2424 + if (ret)
2425 + return ret;
2426 +- data = kmalloc(tuna.len, GFP_USER);
2427 ++ data = kzalloc(tuna.len, GFP_USER);
2428 + if (!data)
2429 + return -ENOMEM;
2430 + mutex_lock(&phydev->lock);
2431 +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
2432 +index a27d034c85ccb..603a3495afa62 100644
2433 +--- a/net/ipv4/devinet.c
2434 ++++ b/net/ipv4/devinet.c
2435 +@@ -1989,7 +1989,7 @@ static int inet_set_link_af(struct net_device *dev, const struct nlattr *nla)
2436 + return -EAFNOSUPPORT;
2437 +
2438 + if (nla_parse_nested_deprecated(tb, IFLA_INET_MAX, nla, NULL, NULL) < 0)
2439 +- BUG();
2440 ++ return -EINVAL;
2441 +
2442 + if (tb[IFLA_INET_CONF]) {
2443 + nla_for_each_nested(a, tb[IFLA_INET_CONF], rem)
2444 +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
2445 +index df6fbefe44d4b..1c3d5d3702a10 100644
2446 +--- a/net/ipv4/ping.c
2447 ++++ b/net/ipv4/ping.c
2448 +@@ -963,6 +963,7 @@ bool ping_rcv(struct sk_buff *skb)
2449 + struct sock *sk;
2450 + struct net *net = dev_net(skb->dev);
2451 + struct icmphdr *icmph = icmp_hdr(skb);
2452 ++ bool rc = false;
2453 +
2454 + /* We assume the packet has already been checked by icmp_rcv */
2455 +
2456 +@@ -977,14 +978,15 @@ bool ping_rcv(struct sk_buff *skb)
2457 + struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
2458 +
2459 + pr_debug("rcv on socket %p\n", sk);
2460 +- if (skb2)
2461 +- ping_queue_rcv_skb(sk, skb2);
2462 ++ if (skb2 && !ping_queue_rcv_skb(sk, skb2))
2463 ++ rc = true;
2464 + sock_put(sk);
2465 +- return true;
2466 + }
2467 +- pr_debug("no socket, dropping\n");
2468 +
2469 +- return false;
2470 ++ if (!rc)
2471 ++ pr_debug("no socket, dropping\n");
2472 ++
2473 ++ return rc;
2474 + }
2475 + EXPORT_SYMBOL_GPL(ping_rcv);
2476 +
2477 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
2478 +index 52feab2baeee5..366c3792b8604 100644
2479 +--- a/net/ipv6/addrconf.c
2480 ++++ b/net/ipv6/addrconf.c
2481 +@@ -5761,7 +5761,7 @@ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla)
2482 + return -EAFNOSUPPORT;
2483 +
2484 + if (nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL) < 0)
2485 +- BUG();
2486 ++ return -EINVAL;
2487 +
2488 + if (tb[IFLA_INET6_TOKEN]) {
2489 + err = inet6_set_iftoken(idev, nla_data(tb[IFLA_INET6_TOKEN]));
2490 +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
2491 +index a7933279a80b7..e574fbf6745a4 100644
2492 +--- a/net/mac80211/ieee80211_i.h
2493 ++++ b/net/mac80211/ieee80211_i.h
2494 +@@ -1420,7 +1420,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
2495 + rcu_read_lock();
2496 + chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
2497 +
2498 +- if (WARN_ON_ONCE(!chanctx_conf)) {
2499 ++ if (!chanctx_conf) {
2500 + rcu_read_unlock();
2501 + return NULL;
2502 + }
2503 +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
2504 +index 3d7a5c5e586a6..670d84e54db73 100644
2505 +--- a/net/mac80211/rx.c
2506 ++++ b/net/mac80211/rx.c
2507 +@@ -2200,17 +2200,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
2508 + sc = le16_to_cpu(hdr->seq_ctrl);
2509 + frag = sc & IEEE80211_SCTL_FRAG;
2510 +
2511 +- if (is_multicast_ether_addr(hdr->addr1)) {
2512 +- I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
2513 +- goto out_no_led;
2514 +- }
2515 +-
2516 + if (rx->sta)
2517 + cache = &rx->sta->frags;
2518 +
2519 + if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
2520 + goto out;
2521 +
2522 ++ if (is_multicast_ether_addr(hdr->addr1))
2523 ++ return RX_DROP_MONITOR;
2524 ++
2525 + I802_DEBUG_INC(rx->local->rx_handlers_fragments);
2526 +
2527 + if (skb_linearize(rx->skb))
2528 +@@ -2336,7 +2334,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
2529 +
2530 + out:
2531 + ieee80211_led_rx(rx->local);
2532 +- out_no_led:
2533 + if (rx->sta)
2534 + rx->sta->rx_stats.packets++;
2535 + return RX_CONTINUE;
2536 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
2537 +index fbc2d4dfddf0e..0ffbf3d17911a 100644
2538 +--- a/net/packet/af_packet.c
2539 ++++ b/net/packet/af_packet.c
2540 +@@ -2656,7 +2656,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
2541 + }
2542 + if (likely(saddr == NULL)) {
2543 + dev = packet_cached_dev_get(po);
2544 +- proto = po->num;
2545 ++ proto = READ_ONCE(po->num);
2546 + } else {
2547 + err = -EINVAL;
2548 + if (msg->msg_namelen < sizeof(struct sockaddr_ll))
2549 +@@ -2869,7 +2869,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
2550 +
2551 + if (likely(saddr == NULL)) {
2552 + dev = packet_cached_dev_get(po);
2553 +- proto = po->num;
2554 ++ proto = READ_ONCE(po->num);
2555 + } else {
2556 + err = -EINVAL;
2557 + if (msg->msg_namelen < sizeof(struct sockaddr_ll))
2558 +@@ -3141,7 +3141,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
2559 + /* prevents packet_notifier() from calling
2560 + * register_prot_hook()
2561 + */
2562 +- po->num = 0;
2563 ++ WRITE_ONCE(po->num, 0);
2564 + __unregister_prot_hook(sk, true);
2565 + rcu_read_lock();
2566 + dev_curr = po->prot_hook.dev;
2567 +@@ -3151,17 +3151,17 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
2568 + }
2569 +
2570 + BUG_ON(po->running);
2571 +- po->num = proto;
2572 ++ WRITE_ONCE(po->num, proto);
2573 + po->prot_hook.type = proto;
2574 +
2575 + if (unlikely(unlisted)) {
2576 + dev_put(dev);
2577 + po->prot_hook.dev = NULL;
2578 +- po->ifindex = -1;
2579 ++ WRITE_ONCE(po->ifindex, -1);
2580 + packet_cached_dev_reset(po);
2581 + } else {
2582 + po->prot_hook.dev = dev;
2583 +- po->ifindex = dev ? dev->ifindex : 0;
2584 ++ WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0);
2585 + packet_cached_dev_assign(po, dev);
2586 + }
2587 + }
2588 +@@ -3475,7 +3475,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
2589 + uaddr->sa_family = AF_PACKET;
2590 + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
2591 + rcu_read_lock();
2592 +- dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
2593 ++ dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex));
2594 + if (dev)
2595 + strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
2596 + rcu_read_unlock();
2597 +@@ -3490,16 +3490,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
2598 + struct sock *sk = sock->sk;
2599 + struct packet_sock *po = pkt_sk(sk);
2600 + DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr);
2601 ++ int ifindex;
2602 +
2603 + if (peer)
2604 + return -EOPNOTSUPP;
2605 +
2606 ++ ifindex = READ_ONCE(po->ifindex);
2607 + sll->sll_family = AF_PACKET;
2608 +- sll->sll_ifindex = po->ifindex;
2609 +- sll->sll_protocol = po->num;
2610 ++ sll->sll_ifindex = ifindex;
2611 ++ sll->sll_protocol = READ_ONCE(po->num);
2612 + sll->sll_pkttype = 0;
2613 + rcu_read_lock();
2614 +- dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
2615 ++ dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
2616 + if (dev) {
2617 + sll->sll_hatype = dev->type;
2618 + sll->sll_halen = dev->addr_len;
2619 +@@ -4099,7 +4101,7 @@ static int packet_notifier(struct notifier_block *this,
2620 + }
2621 + if (msg == NETDEV_UNREGISTER) {
2622 + packet_cached_dev_reset(po);
2623 +- po->ifindex = -1;
2624 ++ WRITE_ONCE(po->ifindex, -1);
2625 + if (po->prot_hook.dev)
2626 + dev_put(po->prot_hook.dev);
2627 + po->prot_hook.dev = NULL;
2628 +@@ -4405,7 +4407,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
2629 + was_running = po->running;
2630 + num = po->num;
2631 + if (was_running) {
2632 +- po->num = 0;
2633 ++ WRITE_ONCE(po->num, 0);
2634 + __unregister_prot_hook(sk, false);
2635 + }
2636 + spin_unlock(&po->bind_lock);
2637 +@@ -4440,7 +4442,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
2638 +
2639 + spin_lock(&po->bind_lock);
2640 + if (was_running) {
2641 +- po->num = num;
2642 ++ WRITE_ONCE(po->num, num);
2643 + register_prot_hook(sk);
2644 + }
2645 + spin_unlock(&po->bind_lock);
2646 +@@ -4613,8 +4615,8 @@ static int packet_seq_show(struct seq_file *seq, void *v)
2647 + s,
2648 + refcount_read(&s->sk_refcnt),
2649 + s->sk_type,
2650 +- ntohs(po->num),
2651 +- po->ifindex,
2652 ++ ntohs(READ_ONCE(po->num)),
2653 ++ READ_ONCE(po->ifindex),
2654 + po->running,
2655 + atomic_read(&s->sk_rmem_alloc),
2656 + from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
2657 +diff --git a/net/wireless/util.c b/net/wireless/util.c
2658 +index 4eae6ad328514..f0247eab5bc94 100644
2659 +--- a/net/wireless/util.c
2660 ++++ b/net/wireless/util.c
2661 +@@ -1006,6 +1006,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
2662 + case NL80211_IFTYPE_MESH_POINT:
2663 + /* mesh should be handled? */
2664 + break;
2665 ++ case NL80211_IFTYPE_OCB:
2666 ++ cfg80211_leave_ocb(rdev, dev);
2667 ++ break;
2668 + default:
2669 + break;
2670 + }
2671 +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
2672 +index f9b19524da112..1e9baa5c4fc6e 100644
2673 +--- a/scripts/recordmcount.h
2674 ++++ b/scripts/recordmcount.h
2675 +@@ -192,15 +192,20 @@ static unsigned int get_symindex(Elf_Sym const *sym, Elf32_Word const *symtab,
2676 + Elf32_Word const *symtab_shndx)
2677 + {
2678 + unsigned long offset;
2679 ++ unsigned short shndx = w2(sym->st_shndx);
2680 + int index;
2681 +
2682 +- if (sym->st_shndx != SHN_XINDEX)
2683 +- return w2(sym->st_shndx);
2684 ++ if (shndx > SHN_UNDEF && shndx < SHN_LORESERVE)
2685 ++ return shndx;
2686 +
2687 +- offset = (unsigned long)sym - (unsigned long)symtab;
2688 +- index = offset / sizeof(*sym);
2689 ++ if (shndx == SHN_XINDEX) {
2690 ++ offset = (unsigned long)sym - (unsigned long)symtab;
2691 ++ index = offset / sizeof(*sym);
2692 +
2693 +- return w(symtab_shndx[index]);
2694 ++ return w(symtab_shndx[index]);
2695 ++ }
2696 ++
2697 ++ return 0;
2698 + }
2699 +
2700 + static unsigned int get_shnum(Elf_Ehdr const *ehdr, Elf_Shdr const *shdr0)
2701 +diff --git a/security/integrity/Makefile b/security/integrity/Makefile
2702 +index 35e6ca7737346..351c9662994b5 100644
2703 +--- a/security/integrity/Makefile
2704 ++++ b/security/integrity/Makefile
2705 +@@ -11,7 +11,8 @@ integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
2706 + integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
2707 + integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o
2708 + integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
2709 +- platform_certs/load_uefi.o
2710 ++ platform_certs/load_uefi.o \
2711 ++ platform_certs/keyring_handler.o
2712 + integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
2713 +
2714 + obj-$(CONFIG_IMA) += ima/
2715 +diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
2716 +new file mode 100644
2717 +index 0000000000000..5604bd57c9907
2718 +--- /dev/null
2719 ++++ b/security/integrity/platform_certs/keyring_handler.c
2720 +@@ -0,0 +1,91 @@
2721 ++// SPDX-License-Identifier: GPL-2.0
2722 ++
2723 ++#include <linux/kernel.h>
2724 ++#include <linux/sched.h>
2725 ++#include <linux/cred.h>
2726 ++#include <linux/err.h>
2727 ++#include <linux/efi.h>
2728 ++#include <linux/slab.h>
2729 ++#include <keys/asymmetric-type.h>
2730 ++#include <keys/system_keyring.h>
2731 ++#include "../integrity.h"
2732 ++
2733 ++static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
2734 ++static efi_guid_t efi_cert_x509_sha256_guid __initdata =
2735 ++ EFI_CERT_X509_SHA256_GUID;
2736 ++static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
2737 ++
2738 ++/*
2739 ++ * Blacklist a hash.
2740 ++ */
2741 ++static __init void uefi_blacklist_hash(const char *source, const void *data,
2742 ++ size_t len, const char *type,
2743 ++ size_t type_len)
2744 ++{
2745 ++ char *hash, *p;
2746 ++
2747 ++ hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
2748 ++ if (!hash)
2749 ++ return;
2750 ++ p = memcpy(hash, type, type_len);
2751 ++ p += type_len;
2752 ++ bin2hex(p, data, len);
2753 ++ p += len * 2;
2754 ++ *p = 0;
2755 ++
2756 ++ mark_hash_blacklisted(hash);
2757 ++ kfree(hash);
2758 ++}
2759 ++
2760 ++/*
2761 ++ * Blacklist an X509 TBS hash.
2762 ++ */
2763 ++static __init void uefi_blacklist_x509_tbs(const char *source,
2764 ++ const void *data, size_t len)
2765 ++{
2766 ++ uefi_blacklist_hash(source, data, len, "tbs:", 4);
2767 ++}
2768 ++
2769 ++/*
2770 ++ * Blacklist the hash of an executable.
2771 ++ */
2772 ++static __init void uefi_blacklist_binary(const char *source,
2773 ++ const void *data, size_t len)
2774 ++{
2775 ++ uefi_blacklist_hash(source, data, len, "bin:", 4);
2776 ++}
2777 ++
2778 ++/*
2779 ++ * Add an X509 cert to the revocation list.
2780 ++ */
2781 ++static __init void uefi_revocation_list_x509(const char *source,
2782 ++ const void *data, size_t len)
2783 ++{
2784 ++ add_key_to_revocation_list(data, len);
2785 ++}
2786 ++
2787 ++/*
2788 ++ * Return the appropriate handler for particular signature list types found in
2789 ++ * the UEFI db and MokListRT tables.
2790 ++ */
2791 ++__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
2792 ++{
2793 ++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
2794 ++ return add_to_platform_keyring;
2795 ++ return 0;
2796 ++}
2797 ++
2798 ++/*
2799 ++ * Return the appropriate handler for particular signature list types found in
2800 ++ * the UEFI dbx and MokListXRT tables.
2801 ++ */
2802 ++__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
2803 ++{
2804 ++ if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
2805 ++ return uefi_blacklist_x509_tbs;
2806 ++ if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
2807 ++ return uefi_blacklist_binary;
2808 ++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
2809 ++ return uefi_revocation_list_x509;
2810 ++ return 0;
2811 ++}
2812 +diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
2813 +new file mode 100644
2814 +index 0000000000000..2462bfa08fe34
2815 +--- /dev/null
2816 ++++ b/security/integrity/platform_certs/keyring_handler.h
2817 +@@ -0,0 +1,32 @@
2818 ++/* SPDX-License-Identifier: GPL-2.0 */
2819 ++
2820 ++#ifndef PLATFORM_CERTS_INTERNAL_H
2821 ++#define PLATFORM_CERTS_INTERNAL_H
2822 ++
2823 ++#include <linux/efi.h>
2824 ++
2825 ++void blacklist_hash(const char *source, const void *data,
2826 ++ size_t len, const char *type,
2827 ++ size_t type_len);
2828 ++
2829 ++/*
2830 ++ * Blacklist an X509 TBS hash.
2831 ++ */
2832 ++void blacklist_x509_tbs(const char *source, const void *data, size_t len);
2833 ++
2834 ++/*
2835 ++ * Blacklist the hash of an executable.
2836 ++ */
2837 ++void blacklist_binary(const char *source, const void *data, size_t len);
2838 ++
2839 ++/*
2840 ++ * Return the handler for particular signature list types found in the db.
2841 ++ */
2842 ++efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
2843 ++
2844 ++/*
2845 ++ * Return the handler for particular signature list types found in the dbx.
2846 ++ */
2847 ++efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
2848 ++
2849 ++#endif
2850 +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
2851 +index 020fc7a11ef0e..aa874d84e413e 100644
2852 +--- a/security/integrity/platform_certs/load_uefi.c
2853 ++++ b/security/integrity/platform_certs/load_uefi.c
2854 +@@ -9,6 +9,7 @@
2855 + #include <keys/asymmetric-type.h>
2856 + #include <keys/system_keyring.h>
2857 + #include "../integrity.h"
2858 ++#include "keyring_handler.h"
2859 +
2860 + static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
2861 + static efi_guid_t efi_cert_x509_sha256_guid __initdata =
2862 +@@ -69,72 +70,6 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
2863 + return db;
2864 + }
2865 +
2866 +-/*
2867 +- * Blacklist a hash.
2868 +- */
2869 +-static __init void uefi_blacklist_hash(const char *source, const void *data,
2870 +- size_t len, const char *type,
2871 +- size_t type_len)
2872 +-{
2873 +- char *hash, *p;
2874 +-
2875 +- hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
2876 +- if (!hash)
2877 +- return;
2878 +- p = memcpy(hash, type, type_len);
2879 +- p += type_len;
2880 +- bin2hex(p, data, len);
2881 +- p += len * 2;
2882 +- *p = 0;
2883 +-
2884 +- mark_hash_blacklisted(hash);
2885 +- kfree(hash);
2886 +-}
2887 +-
2888 +-/*
2889 +- * Blacklist an X509 TBS hash.
2890 +- */
2891 +-static __init void uefi_blacklist_x509_tbs(const char *source,
2892 +- const void *data, size_t len)
2893 +-{
2894 +- uefi_blacklist_hash(source, data, len, "tbs:", 4);
2895 +-}
2896 +-
2897 +-/*
2898 +- * Blacklist the hash of an executable.
2899 +- */
2900 +-static __init void uefi_blacklist_binary(const char *source,
2901 +- const void *data, size_t len)
2902 +-{
2903 +- uefi_blacklist_hash(source, data, len, "bin:", 4);
2904 +-}
2905 +-
2906 +-/*
2907 +- * Return the appropriate handler for particular signature list types found in
2908 +- * the UEFI db and MokListRT tables.
2909 +- */
2910 +-static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *
2911 +- sig_type)
2912 +-{
2913 +- if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
2914 +- return add_to_platform_keyring;
2915 +- return 0;
2916 +-}
2917 +-
2918 +-/*
2919 +- * Return the appropriate handler for particular signature list types found in
2920 +- * the UEFI dbx and MokListXRT tables.
2921 +- */
2922 +-static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *
2923 +- sig_type)
2924 +-{
2925 +- if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
2926 +- return uefi_blacklist_x509_tbs;
2927 +- if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
2928 +- return uefi_blacklist_binary;
2929 +- return 0;
2930 +-}
2931 +-
2932 + /*
2933 + * Load the certs contained in the UEFI databases into the platform trusted
2934 + * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
2935 +diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
2936 +index 41cf45416060f..38de88e5ffbb2 100644
2937 +--- a/tools/testing/selftests/kvm/lib/kvm_util.c
2938 ++++ b/tools/testing/selftests/kvm/lib/kvm_util.c
2939 +@@ -54,7 +54,7 @@ int kvm_check_cap(long cap)
2940 + exit(KSFT_SKIP);
2941 +
2942 + ret = ioctl(kvm_fd, KVM_CHECK_EXTENSION, cap);
2943 +- TEST_ASSERT(ret != -1, "KVM_CHECK_EXTENSION IOCTL failed,\n"
2944 ++ TEST_ASSERT(ret >= 0, "KVM_CHECK_EXTENSION IOCTL failed,\n"
2945 + " rc: %i errno: %i", ret, errno);
2946 +
2947 + close(kvm_fd);
2948 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
2949 +index f83fa0aeeb451..b2287e7d3ba4a 100644
2950 +--- a/virt/kvm/kvm_main.c
2951 ++++ b/virt/kvm/kvm_main.c
2952 +@@ -1593,6 +1593,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault)
2953 + return true;
2954 + }
2955 +
2956 ++static int kvm_try_get_pfn(kvm_pfn_t pfn)
2957 ++{
2958 ++ if (kvm_is_reserved_pfn(pfn))
2959 ++ return 1;
2960 ++ return get_page_unless_zero(pfn_to_page(pfn));
2961 ++}
2962 ++
2963 + static int hva_to_pfn_remapped(struct vm_area_struct *vma,
2964 + unsigned long addr, bool *async,
2965 + bool write_fault, bool *writable,
2966 +@@ -1642,13 +1649,21 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
2967 + * Whoever called remap_pfn_range is also going to call e.g.
2968 + * unmap_mapping_range before the underlying pages are freed,
2969 + * causing a call to our MMU notifier.
2970 ++ *
2971 ++ * Certain IO or PFNMAP mappings can be backed with valid
2972 ++ * struct pages, but be allocated without refcounting e.g.,
2973 ++ * tail pages of non-compound higher order allocations, which
2974 ++ * would then underflow the refcount when the caller does the
2975 ++ * required put_page. Don't allow those pages here.
2976 + */
2977 +- kvm_get_pfn(pfn);
2978 ++ if (!kvm_try_get_pfn(pfn))
2979 ++ r = -EFAULT;
2980 +
2981 + out:
2982 + pte_unmap_unlock(ptep, ptl);
2983 + *p_pfn = pfn;
2984 +- return 0;
2985 ++
2986 ++ return r;
2987 + }
2988 +
2989 + /*
Report Message
Find on MARC Find on Google Groups