Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Tue, 29 Oct 2019 14:00:23
Message-Id: 1572357542.c2f777431f1ea3ef9542c59135755ed220881237.mpagano@gentoo
1 commit: c2f777431f1ea3ef9542c59135755ed220881237
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Aug 6 19:16:44 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Oct 29 13:59:02 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=c2f77743
7
8 Linuxpatch 4.14.137
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1136_linux-4.14.137.patch | 1988 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1992 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 45bebaa..5aa7458 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -587,6 +587,10 @@ Patch: 1135_linux-4.14.136.patch
21 From: https://www.kernel.org
22 Desc: Linux 4.14.136
23
24 +Patch: 1136_linux-4.14.137.patch
25 +From: https://www.kernel.org
26 +Desc: Linux 4.14.137
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1136_linux-4.14.137.patch b/1136_linux-4.14.137.patch
33 new file mode 100644
34 index 0000000..eea0bc4
35 --- /dev/null
36 +++ b/1136_linux-4.14.137.patch
37 @@ -0,0 +1,1988 @@
38 +diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst
39 +index 25f3b2532198..e05e581af5cf 100644
40 +--- a/Documentation/admin-guide/hw-vuln/spectre.rst
41 ++++ b/Documentation/admin-guide/hw-vuln/spectre.rst
42 +@@ -41,10 +41,11 @@ Related CVEs
43 +
44 + The following CVE entries describe Spectre variants:
45 +
46 +- ============= ======================= =================
47 ++ ============= ======================= ==========================
48 + CVE-2017-5753 Bounds check bypass Spectre variant 1
49 + CVE-2017-5715 Branch target injection Spectre variant 2
50 +- ============= ======================= =================
51 ++ CVE-2019-1125 Spectre v1 swapgs Spectre variant 1 (swapgs)
52 ++ ============= ======================= ==========================
53 +
54 + Problem
55 + -------
56 +@@ -78,6 +79,13 @@ There are some extensions of Spectre variant 1 attacks for reading data
57 + over the network, see :ref:`[12] <spec_ref12>`. However such attacks
58 + are difficult, low bandwidth, fragile, and are considered low risk.
59 +
60 ++Note that, despite "Bounds Check Bypass" name, Spectre variant 1 is not
61 ++only about user-controlled array bounds checks. It can affect any
62 ++conditional checks. The kernel entry code interrupt, exception, and NMI
63 ++handlers all have conditional swapgs checks. Those may be problematic
64 ++in the context of Spectre v1, as kernel code can speculatively run with
65 ++a user GS.
66 ++
67 + Spectre variant 2 (Branch Target Injection)
68 + -------------------------------------------
69 +
70 +@@ -132,6 +140,9 @@ not cover all possible attack vectors.
71 + 1. A user process attacking the kernel
72 + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
73 +
74 ++Spectre variant 1
75 ++~~~~~~~~~~~~~~~~~
76 ++
77 + The attacker passes a parameter to the kernel via a register or
78 + via a known address in memory during a syscall. Such parameter may
79 + be used later by the kernel as an index to an array or to derive
80 +@@ -144,7 +155,40 @@ not cover all possible attack vectors.
81 + potentially be influenced for Spectre attacks, new "nospec" accessor
82 + macros are used to prevent speculative loading of data.
83 +
84 +- Spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
85 ++Spectre variant 1 (swapgs)
86 ++~~~~~~~~~~~~~~~~~~~~~~~~~~
87 ++
88 ++ An attacker can train the branch predictor to speculatively skip the
89 ++ swapgs path for an interrupt or exception. If they initialize
90 ++ the GS register to a user-space value, if the swapgs is speculatively
91 ++ skipped, subsequent GS-related percpu accesses in the speculation
92 ++ window will be done with the attacker-controlled GS value. This
93 ++ could cause privileged memory to be accessed and leaked.
94 ++
95 ++ For example:
96 ++
97 ++ ::
98 ++
99 ++ if (coming from user space)
100 ++ swapgs
101 ++ mov %gs:<percpu_offset>, %reg
102 ++ mov (%reg), %reg1
103 ++
104 ++ When coming from user space, the CPU can speculatively skip the
105 ++ swapgs, and then do a speculative percpu load using the user GS
106 ++ value. So the user can speculatively force a read of any kernel
107 ++ value. If a gadget exists which uses the percpu value as an address
108 ++ in another load/store, then the contents of the kernel value may
109 ++ become visible via an L1 side channel attack.
110 ++
111 ++ A similar attack exists when coming from kernel space. The CPU can
112 ++ speculatively do the swapgs, causing the user GS to get used for the
113 ++ rest of the speculative window.
114 ++
115 ++Spectre variant 2
116 ++~~~~~~~~~~~~~~~~~
117 ++
118 ++ A spectre variant 2 attacker can :ref:`poison <poison_btb>` the branch
119 + target buffer (BTB) before issuing syscall to launch an attack.
120 + After entering the kernel, the kernel could use the poisoned branch
121 + target buffer on indirect jump and jump to gadget code in speculative
122 +@@ -280,11 +324,18 @@ The sysfs file showing Spectre variant 1 mitigation status is:
123 +
124 + The possible values in this file are:
125 +
126 +- ======================================= =================================
127 +- 'Mitigation: __user pointer sanitation' Protection in kernel on a case by
128 +- case base with explicit pointer
129 +- sanitation.
130 +- ======================================= =================================
131 ++ .. list-table::
132 ++
133 ++ * - 'Not affected'
134 ++ - The processor is not vulnerable.
135 ++ * - 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
136 ++ - The swapgs protections are disabled; otherwise it has
137 ++ protection in the kernel on a case by case base with explicit
138 ++ pointer sanitation and usercopy LFENCE barriers.
139 ++ * - 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
140 ++ - Protection in the kernel on a case by case base with explicit
141 ++ pointer sanitation, usercopy LFENCE barriers, and swapgs LFENCE
142 ++ barriers.
143 +
144 + However, the protections are put in place on a case by case basis,
145 + and there is no guarantee that all possible attack vectors for Spectre
146 +@@ -366,12 +417,27 @@ Turning on mitigation for Spectre variant 1 and Spectre variant 2
147 + 1. Kernel mitigation
148 + ^^^^^^^^^^^^^^^^^^^^
149 +
150 ++Spectre variant 1
151 ++~~~~~~~~~~~~~~~~~
152 ++
153 + For the Spectre variant 1, vulnerable kernel code (as determined
154 + by code audit or scanning tools) is annotated on a case by case
155 + basis to use nospec accessor macros for bounds clipping :ref:`[2]
156 + <spec_ref2>` to avoid any usable disclosure gadgets. However, it may
157 + not cover all attack vectors for Spectre variant 1.
158 +
159 ++ Copy-from-user code has an LFENCE barrier to prevent the access_ok()
160 ++ check from being mis-speculated. The barrier is done by the
161 ++ barrier_nospec() macro.
162 ++
163 ++ For the swapgs variant of Spectre variant 1, LFENCE barriers are
164 ++ added to interrupt, exception and NMI entry where needed. These
165 ++ barriers are done by the FENCE_SWAPGS_KERNEL_ENTRY and
166 ++ FENCE_SWAPGS_USER_ENTRY macros.
167 ++
168 ++Spectre variant 2
169 ++~~~~~~~~~~~~~~~~~
170 ++
171 + For Spectre variant 2 mitigation, the compiler turns indirect calls or
172 + jumps in the kernel into equivalent return trampolines (retpolines)
173 + :ref:`[3] <spec_ref3>` :ref:`[9] <spec_ref9>` to go to the target
174 +@@ -473,6 +539,12 @@ Mitigation control on the kernel command line
175 + Spectre variant 2 mitigation can be disabled or force enabled at the
176 + kernel command line.
177 +
178 ++ nospectre_v1
179 ++
180 ++ [X86,PPC] Disable mitigations for Spectre Variant 1
181 ++ (bounds check bypass). With this option data leaks are
182 ++ possible in the system.
183 ++
184 + nospectre_v2
185 +
186 + [X86] Disable all mitigations for the Spectre variant 2
187 +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
188 +index 9240b2caa0b1..13d80111bc1f 100644
189 +--- a/Documentation/admin-guide/kernel-parameters.txt
190 ++++ b/Documentation/admin-guide/kernel-parameters.txt
191 +@@ -2401,6 +2401,7 @@
192 + Equivalent to: nopti [X86,PPC]
193 + nospectre_v1 [PPC]
194 + nobp=0 [S390]
195 ++ nospectre_v1 [X86]
196 + nospectre_v2 [X86,PPC,S390]
197 + spectre_v2_user=off [X86]
198 + spec_store_bypass_disable=off [X86,PPC]
199 +@@ -2740,9 +2741,9 @@
200 + nosmt=force: Force disable SMT, cannot be undone
201 + via the sysfs control file.
202 +
203 +- nospectre_v1 [PPC] Disable mitigations for Spectre Variant 1 (bounds
204 +- check bypass). With this option data leaks are possible
205 +- in the system.
206 ++ nospectre_v1 [X66, PPC] Disable mitigations for Spectre Variant 1
207 ++ (bounds check bypass). With this option data leaks
208 ++ are possible in the system.
209 +
210 + nospectre_v2 [X86,PPC_FSL_BOOK3E] Disable all mitigations for the Spectre variant 2
211 + (indirect branch prediction) vulnerability. System may
212 +diff --git a/Makefile b/Makefile
213 +index a798f4777ae2..ff604059b6a8 100644
214 +--- a/Makefile
215 ++++ b/Makefile
216 +@@ -1,7 +1,7 @@
217 + # SPDX-License-Identifier: GPL-2.0
218 + VERSION = 4
219 + PATCHLEVEL = 14
220 +-SUBLEVEL = 136
221 ++SUBLEVEL = 137
222 + EXTRAVERSION =
223 + NAME = Petit Gorille
224 +
225 +@@ -427,6 +427,7 @@ KBUILD_AFLAGS_MODULE := -DMODULE
226 + KBUILD_CFLAGS_MODULE := -DMODULE
227 + KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
228 + GCC_PLUGINS_CFLAGS :=
229 ++CLANG_FLAGS :=
230 +
231 + export ARCH SRCARCH CONFIG_SHELL HOSTCC HOSTCFLAGS CROSS_COMPILE AS LD CC
232 + export CPP AR NM STRIP OBJCOPY OBJDUMP HOSTLDFLAGS HOST_LOADLIBES
233 +@@ -479,7 +480,7 @@ endif
234 +
235 + ifeq ($(cc-name),clang)
236 + ifneq ($(CROSS_COMPILE),)
237 +-CLANG_FLAGS := --target=$(notdir $(CROSS_COMPILE:%-=%))
238 ++CLANG_FLAGS += --target=$(notdir $(CROSS_COMPILE:%-=%))
239 + GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)elfedit))
240 + CLANG_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR)
241 + GCC_TOOLCHAIN := $(realpath $(GCC_TOOLCHAIN_DIR)/..)
242 +diff --git a/arch/arm/boot/dts/rk3288-veyron-mickey.dts b/arch/arm/boot/dts/rk3288-veyron-mickey.dts
243 +index f0994f0e5774..d6ca67866bc0 100644
244 +--- a/arch/arm/boot/dts/rk3288-veyron-mickey.dts
245 ++++ b/arch/arm/boot/dts/rk3288-veyron-mickey.dts
246 +@@ -161,10 +161,6 @@
247 + };
248 + };
249 +
250 +-&emmc {
251 +- /delete-property/mmc-hs200-1_8v;
252 +-};
253 +-
254 + &i2c2 {
255 + status = "disabled";
256 + };
257 +diff --git a/arch/arm/boot/dts/rk3288-veyron-minnie.dts b/arch/arm/boot/dts/rk3288-veyron-minnie.dts
258 +index 544de6027aaa..6000dca1cf05 100644
259 +--- a/arch/arm/boot/dts/rk3288-veyron-minnie.dts
260 ++++ b/arch/arm/boot/dts/rk3288-veyron-minnie.dts
261 +@@ -125,10 +125,6 @@
262 + power-supply = <&backlight_regulator>;
263 + };
264 +
265 +-&emmc {
266 +- /delete-property/mmc-hs200-1_8v;
267 +-};
268 +-
269 + &gpio_keys {
270 + pinctrl-0 = <&pwr_key_l &ap_lid_int_l &volum_down_l &volum_up_l>;
271 +
272 +diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
273 +index 5a7888581eea..23907d9ce89a 100644
274 +--- a/arch/arm/boot/dts/rk3288.dtsi
275 ++++ b/arch/arm/boot/dts/rk3288.dtsi
276 +@@ -213,6 +213,7 @@
277 + <GIC_PPI 11 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>,
278 + <GIC_PPI 10 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_LEVEL_HIGH)>;
279 + clock-frequency = <24000000>;
280 ++ arm,no-tick-in-suspend;
281 + };
282 +
283 + timer: timer@ff810000 {
284 +diff --git a/arch/arm/mach-rpc/dma.c b/arch/arm/mach-rpc/dma.c
285 +index fb48f3141fb4..c4c96661eb89 100644
286 +--- a/arch/arm/mach-rpc/dma.c
287 ++++ b/arch/arm/mach-rpc/dma.c
288 +@@ -131,7 +131,7 @@ static irqreturn_t iomd_dma_handle(int irq, void *dev_id)
289 + } while (1);
290 +
291 + idma->state = ~DMA_ST_AB;
292 +- disable_irq(irq);
293 ++ disable_irq_nosync(irq);
294 +
295 + return IRQ_HANDLED;
296 + }
297 +@@ -174,6 +174,9 @@ static void iomd_enable_dma(unsigned int chan, dma_t *dma)
298 + DMA_FROM_DEVICE : DMA_TO_DEVICE);
299 + }
300 +
301 ++ idma->dma_addr = idma->dma.sg->dma_address;
302 ++ idma->dma_len = idma->dma.sg->length;
303 ++
304 + iomd_writeb(DMA_CR_C, dma_base + CR);
305 + idma->state = DMA_ST_AB;
306 + }
307 +diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
308 +index c4ef1c31e0c4..37caeadb2964 100644
309 +--- a/arch/mips/lantiq/irq.c
310 ++++ b/arch/mips/lantiq/irq.c
311 +@@ -156,8 +156,9 @@ static int ltq_eiu_settype(struct irq_data *d, unsigned int type)
312 + if (edge)
313 + irq_set_handler(d->hwirq, handle_edge_irq);
314 +
315 +- ltq_eiu_w32(ltq_eiu_r32(LTQ_EIU_EXIN_C) |
316 +- (val << (i * 4)), LTQ_EIU_EXIN_C);
317 ++ ltq_eiu_w32((ltq_eiu_r32(LTQ_EIU_EXIN_C) &
318 ++ (~(7 << (i * 4)))) | (val << (i * 4)),
319 ++ LTQ_EIU_EXIN_C);
320 + }
321 + }
322 +
323 +diff --git a/arch/parisc/boot/compressed/vmlinux.lds.S b/arch/parisc/boot/compressed/vmlinux.lds.S
324 +index a4ce3314e78e..b658f77d6369 100644
325 +--- a/arch/parisc/boot/compressed/vmlinux.lds.S
326 ++++ b/arch/parisc/boot/compressed/vmlinux.lds.S
327 +@@ -40,8 +40,8 @@ SECTIONS
328 + #endif
329 + _startcode_end = .;
330 +
331 +- /* bootloader code and data starts behind area of extracted kernel */
332 +- . = (SZ_end - SZparisc_kernel_start + KERNEL_BINARY_TEXT_START);
333 ++ /* bootloader code and data starts at least behind area of extracted kernel */
334 ++ . = MAX(ABSOLUTE(.), (SZ_end - SZparisc_kernel_start + KERNEL_BINARY_TEXT_START));
335 +
336 + /* align on next page boundary */
337 + . = ALIGN(4096);
338 +diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
339 +index 252fee320816..fb07cfa3f2f9 100644
340 +--- a/arch/x86/boot/compressed/misc.c
341 ++++ b/arch/x86/boot/compressed/misc.c
342 +@@ -16,6 +16,7 @@
343 + #include "error.h"
344 + #include "../string.h"
345 + #include "../voffset.h"
346 ++#include <asm/bootparam_utils.h>
347 +
348 + /*
349 + * WARNING!!
350 +diff --git a/arch/x86/boot/compressed/misc.h b/arch/x86/boot/compressed/misc.h
351 +index 32d4ec2e0243..5380d45b1c6e 100644
352 +--- a/arch/x86/boot/compressed/misc.h
353 ++++ b/arch/x86/boot/compressed/misc.h
354 +@@ -19,7 +19,6 @@
355 + #include <asm/page.h>
356 + #include <asm/boot.h>
357 + #include <asm/bootparam.h>
358 +-#include <asm/bootparam_utils.h>
359 +
360 + #define BOOT_BOOT_H
361 + #include "../ctype.h"
362 +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
363 +index 5d10b7a85cad..557c1bdda311 100644
364 +--- a/arch/x86/entry/calling.h
365 ++++ b/arch/x86/entry/calling.h
366 +@@ -332,6 +332,23 @@ For 32-bit we have the following conventions - kernel is built with
367 +
368 + #endif
369 +
370 ++/*
371 ++ * Mitigate Spectre v1 for conditional swapgs code paths.
372 ++ *
373 ++ * FENCE_SWAPGS_USER_ENTRY is used in the user entry swapgs code path, to
374 ++ * prevent a speculative swapgs when coming from kernel space.
375 ++ *
376 ++ * FENCE_SWAPGS_KERNEL_ENTRY is used in the kernel entry non-swapgs code path,
377 ++ * to prevent the swapgs from getting speculatively skipped when coming from
378 ++ * user space.
379 ++ */
380 ++.macro FENCE_SWAPGS_USER_ENTRY
381 ++ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_USER
382 ++.endm
383 ++.macro FENCE_SWAPGS_KERNEL_ENTRY
384 ++ ALTERNATIVE "", "lfence", X86_FEATURE_FENCE_SWAPGS_KERNEL
385 ++.endm
386 ++
387 + #endif /* CONFIG_X86_64 */
388 +
389 + /*
390 +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
391 +index e09ba4bc8b98..5ec66fafde4e 100644
392 +--- a/arch/x86/entry/entry_64.S
393 ++++ b/arch/x86/entry/entry_64.S
394 +@@ -531,9 +531,12 @@ END(irq_entries_start)
395 + testb $3, CS-ORIG_RAX(%rsp)
396 + jz 1f
397 + SWAPGS
398 ++ FENCE_SWAPGS_USER_ENTRY
399 + call switch_to_thread_stack
400 ++ jmp 2f
401 + 1:
402 +-
403 ++ FENCE_SWAPGS_KERNEL_ENTRY
404 ++2:
405 + PUSH_AND_CLEAR_REGS
406 + ENCODE_FRAME_POINTER
407 +
408 +@@ -1113,7 +1116,6 @@ idtentry stack_segment do_stack_segment has_error_code=1
409 + #ifdef CONFIG_XEN
410 + idtentry xennmi do_nmi has_error_code=0
411 + idtentry xendebug do_debug has_error_code=0
412 +-idtentry xenint3 do_int3 has_error_code=0
413 + #endif
414 +
415 + idtentry general_protection do_general_protection has_error_code=1
416 +@@ -1147,6 +1149,12 @@ ENTRY(paranoid_entry)
417 +
418 + 1:
419 + SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14
420 ++ /*
421 ++ * The above SAVE_AND_SWITCH_TO_KERNEL_CR3 macro doesn't do an
422 ++ * unconditional CR3 write, even in the PTI case. So do an lfence
423 ++ * to prevent GS speculation, regardless of whether PTI is enabled.
424 ++ */
425 ++ FENCE_SWAPGS_KERNEL_ENTRY
426 +
427 + ret
428 + END(paranoid_entry)
429 +@@ -1196,6 +1204,7 @@ ENTRY(error_entry)
430 + * from user mode due to an IRET fault.
431 + */
432 + SWAPGS
433 ++ FENCE_SWAPGS_USER_ENTRY
434 + /* We have user CR3. Change to kernel CR3. */
435 + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
436 +
437 +@@ -1217,6 +1226,8 @@ ENTRY(error_entry)
438 + CALL_enter_from_user_mode
439 + ret
440 +
441 ++.Lerror_entry_done_lfence:
442 ++ FENCE_SWAPGS_KERNEL_ENTRY
443 + .Lerror_entry_done:
444 + TRACE_IRQS_OFF
445 + ret
446 +@@ -1235,7 +1246,7 @@ ENTRY(error_entry)
447 + cmpq %rax, RIP+8(%rsp)
448 + je .Lbstep_iret
449 + cmpq $.Lgs_change, RIP+8(%rsp)
450 +- jne .Lerror_entry_done
451 ++ jne .Lerror_entry_done_lfence
452 +
453 + /*
454 + * hack: .Lgs_change can fail with user gsbase. If this happens, fix up
455 +@@ -1243,6 +1254,7 @@ ENTRY(error_entry)
456 + * .Lgs_change's error handler with kernel gsbase.
457 + */
458 + SWAPGS
459 ++ FENCE_SWAPGS_USER_ENTRY
460 + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
461 + jmp .Lerror_entry_done
462 +
463 +@@ -1257,6 +1269,7 @@ ENTRY(error_entry)
464 + * gsbase and CR3. Switch to kernel gsbase and CR3:
465 + */
466 + SWAPGS
467 ++ FENCE_SWAPGS_USER_ENTRY
468 + SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
469 +
470 + /*
471 +@@ -1348,6 +1361,7 @@ ENTRY(nmi)
472 +
473 + swapgs
474 + cld
475 ++ FENCE_SWAPGS_USER_ENTRY
476 + SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx
477 + movq %rsp, %rdx
478 + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
479 +diff --git a/arch/x86/entry/vdso/vclock_gettime.c b/arch/x86/entry/vdso/vclock_gettime.c
480 +index 9c35dc0a9d64..9f4b1081dee0 100644
481 +--- a/arch/x86/entry/vdso/vclock_gettime.c
482 ++++ b/arch/x86/entry/vdso/vclock_gettime.c
483 +@@ -29,12 +29,12 @@ extern int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz);
484 + extern time_t __vdso_time(time_t *t);
485 +
486 + #ifdef CONFIG_PARAVIRT_CLOCK
487 +-extern u8 pvclock_page
488 ++extern u8 pvclock_page[PAGE_SIZE]
489 + __attribute__((visibility("hidden")));
490 + #endif
491 +
492 + #ifdef CONFIG_HYPERV_TSCPAGE
493 +-extern u8 hvclock_page
494 ++extern u8 hvclock_page[PAGE_SIZE]
495 + __attribute__((visibility("hidden")));
496 + #endif
497 +
498 +@@ -191,13 +191,24 @@ notrace static inline u64 vgetsns(int *mode)
499 +
500 + if (gtod->vclock_mode == VCLOCK_TSC)
501 + cycles = vread_tsc();
502 ++
503 ++ /*
504 ++ * For any memory-mapped vclock type, we need to make sure that gcc
505 ++ * doesn't cleverly hoist a load before the mode check. Otherwise we
506 ++ * might end up touching the memory-mapped page even if the vclock in
507 ++ * question isn't enabled, which will segfault. Hence the barriers.
508 ++ */
509 + #ifdef CONFIG_PARAVIRT_CLOCK
510 +- else if (gtod->vclock_mode == VCLOCK_PVCLOCK)
511 ++ else if (gtod->vclock_mode == VCLOCK_PVCLOCK) {
512 ++ barrier();
513 + cycles = vread_pvclock(mode);
514 ++ }
515 + #endif
516 + #ifdef CONFIG_HYPERV_TSCPAGE
517 +- else if (gtod->vclock_mode == VCLOCK_HVCLOCK)
518 ++ else if (gtod->vclock_mode == VCLOCK_HVCLOCK) {
519 ++ barrier();
520 + cycles = vread_hvclock(mode);
521 ++ }
522 + #endif
523 + else
524 + return 0;
525 +diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
526 +index a1ed92aae12a..25a5a5c6ae90 100644
527 +--- a/arch/x86/include/asm/apic.h
528 ++++ b/arch/x86/include/asm/apic.h
529 +@@ -48,7 +48,7 @@ static inline void generic_apic_probe(void)
530 +
531 + #ifdef CONFIG_X86_LOCAL_APIC
532 +
533 +-extern unsigned int apic_verbosity;
534 ++extern int apic_verbosity;
535 + extern int local_apic_timer_c2_ok;
536 +
537 + extern int disable_apic;
538 +diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
539 +index 70eddb3922ff..4e2d03135854 100644
540 +--- a/arch/x86/include/asm/cpufeature.h
541 ++++ b/arch/x86/include/asm/cpufeature.h
542 +@@ -22,8 +22,8 @@ enum cpuid_leafs
543 + CPUID_LNX_3,
544 + CPUID_7_0_EBX,
545 + CPUID_D_1_EAX,
546 +- CPUID_F_0_EDX,
547 +- CPUID_F_1_EDX,
548 ++ CPUID_LNX_4,
549 ++ CPUID_DUMMY,
550 + CPUID_8000_0008_EBX,
551 + CPUID_6_EAX,
552 + CPUID_8000_000A_EDX,
553 +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
554 +index 4cb8315c521f..14357354cd28 100644
555 +--- a/arch/x86/include/asm/cpufeatures.h
556 ++++ b/arch/x86/include/asm/cpufeatures.h
557 +@@ -271,13 +271,18 @@
558 + #define X86_FEATURE_XGETBV1 (10*32+ 2) /* XGETBV with ECX = 1 instruction */
559 + #define X86_FEATURE_XSAVES (10*32+ 3) /* XSAVES/XRSTORS instructions */
560 +
561 +-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:0 (EDX), word 11 */
562 +-#define X86_FEATURE_CQM_LLC (11*32+ 1) /* LLC QoS if 1 */
563 +-
564 +-/* Intel-defined CPU QoS Sub-leaf, CPUID level 0x0000000F:1 (EDX), word 12 */
565 +-#define X86_FEATURE_CQM_OCCUP_LLC (12*32+ 0) /* LLC occupancy monitoring */
566 +-#define X86_FEATURE_CQM_MBM_TOTAL (12*32+ 1) /* LLC Total MBM monitoring */
567 +-#define X86_FEATURE_CQM_MBM_LOCAL (12*32+ 2) /* LLC Local MBM monitoring */
568 ++/*
569 ++ * Extended auxiliary flags: Linux defined - for features scattered in various
570 ++ * CPUID levels like 0xf, etc.
571 ++ *
572 ++ * Reuse free bits when adding new feature flags!
573 ++ */
574 ++#define X86_FEATURE_CQM_LLC (11*32+ 0) /* LLC QoS if 1 */
575 ++#define X86_FEATURE_CQM_OCCUP_LLC (11*32+ 1) /* LLC occupancy monitoring */
576 ++#define X86_FEATURE_CQM_MBM_TOTAL (11*32+ 2) /* LLC Total MBM monitoring */
577 ++#define X86_FEATURE_CQM_MBM_LOCAL (11*32+ 3) /* LLC Local MBM monitoring */
578 ++#define X86_FEATURE_FENCE_SWAPGS_USER (11*32+ 4) /* "" LFENCE in user entry SWAPGS path */
579 ++#define X86_FEATURE_FENCE_SWAPGS_KERNEL (11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */
580 +
581 + /* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 13 */
582 + #define X86_FEATURE_CLZERO (13*32+ 0) /* CLZERO instruction */
583 +@@ -382,5 +387,6 @@
584 + #define X86_BUG_L1TF X86_BUG(18) /* CPU is affected by L1 Terminal Fault */
585 + #define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */
586 + #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */
587 ++#define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */
588 +
589 + #endif /* _ASM_X86_CPUFEATURES_H */
590 +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
591 +index f9a4b85d7309..9f3eb334c818 100644
592 +--- a/arch/x86/include/asm/kvm_host.h
593 ++++ b/arch/x86/include/asm/kvm_host.h
594 +@@ -1353,25 +1353,29 @@ enum {
595 + #define kvm_arch_vcpu_memslots_id(vcpu) ((vcpu)->arch.hflags & HF_SMM_MASK ? 1 : 0)
596 + #define kvm_memslots_for_spte_role(kvm, role) __kvm_memslots(kvm, (role).smm)
597 +
598 ++asmlinkage void __noreturn kvm_spurious_fault(void);
599 ++
600 + /*
601 + * Hardware virtualization extension instructions may fault if a
602 + * reboot turns off virtualization while processes are running.
603 +- * Trap the fault and ignore the instruction if that happens.
604 ++ * Usually after catching the fault we just panic; during reboot
605 ++ * instead the instruction is ignored.
606 + */
607 +-asmlinkage void kvm_spurious_fault(void);
608 +-
609 +-#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
610 +- "666: " insn "\n\t" \
611 +- "668: \n\t" \
612 +- ".pushsection .fixup, \"ax\" \n" \
613 +- "667: \n\t" \
614 +- cleanup_insn "\n\t" \
615 +- "cmpb $0, kvm_rebooting \n\t" \
616 +- "jne 668b \n\t" \
617 +- __ASM_SIZE(push) " $666b \n\t" \
618 +- "jmp kvm_spurious_fault \n\t" \
619 +- ".popsection \n\t" \
620 +- _ASM_EXTABLE(666b, 667b)
621 ++#define ____kvm_handle_fault_on_reboot(insn, cleanup_insn) \
622 ++ "666: \n\t" \
623 ++ insn "\n\t" \
624 ++ "jmp 668f \n\t" \
625 ++ "667: \n\t" \
626 ++ "call kvm_spurious_fault \n\t" \
627 ++ "668: \n\t" \
628 ++ ".pushsection .fixup, \"ax\" \n\t" \
629 ++ "700: \n\t" \
630 ++ cleanup_insn "\n\t" \
631 ++ "cmpb $0, kvm_rebooting\n\t" \
632 ++ "je 667b \n\t" \
633 ++ "jmp 668b \n\t" \
634 ++ ".popsection \n\t" \
635 ++ _ASM_EXTABLE(666b, 700b)
636 +
637 + #define __kvm_handle_fault_on_reboot(insn) \
638 + ____kvm_handle_fault_on_reboot(insn, "")
639 +diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
640 +index c83a2f418cea..4471f0da6ed7 100644
641 +--- a/arch/x86/include/asm/paravirt.h
642 ++++ b/arch/x86/include/asm/paravirt.h
643 +@@ -758,6 +758,7 @@ static __always_inline bool pv_vcpu_is_preempted(long cpu)
644 + PV_RESTORE_ALL_CALLER_REGS \
645 + FRAME_END \
646 + "ret;" \
647 ++ ".size " PV_THUNK_NAME(func) ", .-" PV_THUNK_NAME(func) ";" \
648 + ".popsection")
649 +
650 + /* Get a reference to a callee-save function */
651 +diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
652 +index afbc87206886..b771bb3d159b 100644
653 +--- a/arch/x86/include/asm/traps.h
654 ++++ b/arch/x86/include/asm/traps.h
655 +@@ -40,7 +40,7 @@ asmlinkage void simd_coprocessor_error(void);
656 + asmlinkage void xen_divide_error(void);
657 + asmlinkage void xen_xennmi(void);
658 + asmlinkage void xen_xendebug(void);
659 +-asmlinkage void xen_xenint3(void);
660 ++asmlinkage void xen_int3(void);
661 + asmlinkage void xen_overflow(void);
662 + asmlinkage void xen_bounds(void);
663 + asmlinkage void xen_invalid_op(void);
664 +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
665 +index 2e64178f284d..ae410f7585f1 100644
666 +--- a/arch/x86/kernel/apic/apic.c
667 ++++ b/arch/x86/kernel/apic/apic.c
668 +@@ -182,7 +182,7 @@ EXPORT_SYMBOL_GPL(local_apic_timer_c2_ok);
669 + /*
670 + * Debug level, exported for io_apic.c
671 + */
672 +-unsigned int apic_verbosity;
673 ++int apic_verbosity;
674 +
675 + int pic_mode;
676 +
677 +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
678 +index 64b6180ce162..8bf21bc7a190 100644
679 +--- a/arch/x86/kernel/cpu/bugs.c
680 ++++ b/arch/x86/kernel/cpu/bugs.c
681 +@@ -32,6 +32,7 @@
682 + #include <asm/intel-family.h>
683 + #include <asm/e820/api.h>
684 +
685 ++static void __init spectre_v1_select_mitigation(void);
686 + static void __init spectre_v2_select_mitigation(void);
687 + static void __init ssb_select_mitigation(void);
688 + static void __init l1tf_select_mitigation(void);
689 +@@ -96,17 +97,11 @@ void __init check_bugs(void)
690 + if (boot_cpu_has(X86_FEATURE_STIBP))
691 + x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
692 +
693 +- /* Select the proper spectre mitigation before patching alternatives */
694 ++ /* Select the proper CPU mitigations before patching alternatives: */
695 ++ spectre_v1_select_mitigation();
696 + spectre_v2_select_mitigation();
697 +-
698 +- /*
699 +- * Select proper mitigation for any exposure to the Speculative Store
700 +- * Bypass vulnerability.
701 +- */
702 + ssb_select_mitigation();
703 +-
704 + l1tf_select_mitigation();
705 +-
706 + mds_select_mitigation();
707 +
708 + arch_smt_update();
709 +@@ -271,6 +266,98 @@ static int __init mds_cmdline(char *str)
710 + }
711 + early_param("mds", mds_cmdline);
712 +
713 ++#undef pr_fmt
714 ++#define pr_fmt(fmt) "Spectre V1 : " fmt
715 ++
716 ++enum spectre_v1_mitigation {
717 ++ SPECTRE_V1_MITIGATION_NONE,
718 ++ SPECTRE_V1_MITIGATION_AUTO,
719 ++};
720 ++
721 ++static enum spectre_v1_mitigation spectre_v1_mitigation __ro_after_init =
722 ++ SPECTRE_V1_MITIGATION_AUTO;
723 ++
724 ++static const char * const spectre_v1_strings[] = {
725 ++ [SPECTRE_V1_MITIGATION_NONE] = "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
726 ++ [SPECTRE_V1_MITIGATION_AUTO] = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
727 ++};
728 ++
729 ++/*
730 ++ * Does SMAP provide full mitigation against speculative kernel access to
731 ++ * userspace?
732 ++ */
733 ++static bool smap_works_speculatively(void)
734 ++{
735 ++ if (!boot_cpu_has(X86_FEATURE_SMAP))
736 ++ return false;
737 ++
738 ++ /*
739 ++ * On CPUs which are vulnerable to Meltdown, SMAP does not
740 ++ * prevent speculative access to user data in the L1 cache.
741 ++ * Consider SMAP to be non-functional as a mitigation on these
742 ++ * CPUs.
743 ++ */
744 ++ if (boot_cpu_has(X86_BUG_CPU_MELTDOWN))
745 ++ return false;
746 ++
747 ++ return true;
748 ++}
749 ++
750 ++static void __init spectre_v1_select_mitigation(void)
751 ++{
752 ++ if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1) || cpu_mitigations_off()) {
753 ++ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
754 ++ return;
755 ++ }
756 ++
757 ++ if (spectre_v1_mitigation == SPECTRE_V1_MITIGATION_AUTO) {
758 ++ /*
759 ++ * With Spectre v1, a user can speculatively control either
760 ++ * path of a conditional swapgs with a user-controlled GS
761 ++ * value. The mitigation is to add lfences to both code paths.
762 ++ *
763 ++ * If FSGSBASE is enabled, the user can put a kernel address in
764 ++ * GS, in which case SMAP provides no protection.
765 ++ *
766 ++ * [ NOTE: Don't check for X86_FEATURE_FSGSBASE until the
767 ++ * FSGSBASE enablement patches have been merged. ]
768 ++ *
769 ++ * If FSGSBASE is disabled, the user can only put a user space
770 ++ * address in GS. That makes an attack harder, but still
771 ++ * possible if there's no SMAP protection.
772 ++ */
773 ++ if (!smap_works_speculatively()) {
774 ++ /*
775 ++ * Mitigation can be provided from SWAPGS itself or
776 ++ * PTI as the CR3 write in the Meltdown mitigation
777 ++ * is serializing.
778 ++ *
779 ++ * If neither is there, mitigate with an LFENCE to
780 ++ * stop speculation through swapgs.
781 ++ */
782 ++ if (boot_cpu_has_bug(X86_BUG_SWAPGS) &&
783 ++ !boot_cpu_has(X86_FEATURE_PTI))
784 ++ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_USER);
785 ++
786 ++ /*
787 ++ * Enable lfences in the kernel entry (non-swapgs)
788 ++ * paths, to prevent user entry from speculatively
789 ++ * skipping swapgs.
790 ++ */
791 ++ setup_force_cpu_cap(X86_FEATURE_FENCE_SWAPGS_KERNEL);
792 ++ }
793 ++ }
794 ++
795 ++ pr_info("%s\n", spectre_v1_strings[spectre_v1_mitigation]);
796 ++}
797 ++
798 ++static int __init nospectre_v1_cmdline(char *str)
799 ++{
800 ++ spectre_v1_mitigation = SPECTRE_V1_MITIGATION_NONE;
801 ++ return 0;
802 ++}
803 ++early_param("nospectre_v1", nospectre_v1_cmdline);
804 ++
805 + #undef pr_fmt
806 + #define pr_fmt(fmt) "Spectre V2 : " fmt
807 +
808 +@@ -1255,7 +1342,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
809 + break;
810 +
811 + case X86_BUG_SPECTRE_V1:
812 +- return sprintf(buf, "Mitigation: __user pointer sanitization\n");
813 ++ return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
814 +
815 + case X86_BUG_SPECTRE_V2:
816 + return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
817 +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
818 +index ebe547b1ffce..551c6bed7c8c 100644
819 +--- a/arch/x86/kernel/cpu/common.c
820 ++++ b/arch/x86/kernel/cpu/common.c
821 +@@ -768,6 +768,30 @@ static void init_speculation_control(struct cpuinfo_x86 *c)
822 + }
823 + }
824 +
825 ++static void init_cqm(struct cpuinfo_x86 *c)
826 ++{
827 ++ if (!cpu_has(c, X86_FEATURE_CQM_LLC)) {
828 ++ c->x86_cache_max_rmid = -1;
829 ++ c->x86_cache_occ_scale = -1;
830 ++ return;
831 ++ }
832 ++
833 ++ /* will be overridden if occupancy monitoring exists */
834 ++ c->x86_cache_max_rmid = cpuid_ebx(0xf);
835 ++
836 ++ if (cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC) ||
837 ++ cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL) ||
838 ++ cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)) {
839 ++ u32 eax, ebx, ecx, edx;
840 ++
841 ++ /* QoS sub-leaf, EAX=0Fh, ECX=1 */
842 ++ cpuid_count(0xf, 1, &eax, &ebx, &ecx, &edx);
843 ++
844 ++ c->x86_cache_max_rmid = ecx;
845 ++ c->x86_cache_occ_scale = ebx;
846 ++ }
847 ++}
848 ++
849 + void get_cpu_cap(struct cpuinfo_x86 *c)
850 + {
851 + u32 eax, ebx, ecx, edx;
852 +@@ -799,33 +823,6 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
853 + c->x86_capability[CPUID_D_1_EAX] = eax;
854 + }
855 +
856 +- /* Additional Intel-defined flags: level 0x0000000F */
857 +- if (c->cpuid_level >= 0x0000000F) {
858 +-
859 +- /* QoS sub-leaf, EAX=0Fh, ECX=0 */
860 +- cpuid_count(0x0000000F, 0, &eax, &ebx, &ecx, &edx);
861 +- c->x86_capability[CPUID_F_0_EDX] = edx;
862 +-
863 +- if (cpu_has(c, X86_FEATURE_CQM_LLC)) {
864 +- /* will be overridden if occupancy monitoring exists */
865 +- c->x86_cache_max_rmid = ebx;
866 +-
867 +- /* QoS sub-leaf, EAX=0Fh, ECX=1 */
868 +- cpuid_count(0x0000000F, 1, &eax, &ebx, &ecx, &edx);
869 +- c->x86_capability[CPUID_F_1_EDX] = edx;
870 +-
871 +- if ((cpu_has(c, X86_FEATURE_CQM_OCCUP_LLC)) ||
872 +- ((cpu_has(c, X86_FEATURE_CQM_MBM_TOTAL)) ||
873 +- (cpu_has(c, X86_FEATURE_CQM_MBM_LOCAL)))) {
874 +- c->x86_cache_max_rmid = ecx;
875 +- c->x86_cache_occ_scale = ebx;
876 +- }
877 +- } else {
878 +- c->x86_cache_max_rmid = -1;
879 +- c->x86_cache_occ_scale = -1;
880 +- }
881 +- }
882 +-
883 + /* AMD-defined flags: level 0x80000001 */
884 + eax = cpuid_eax(0x80000000);
885 + c->extended_cpuid_level = eax;
886 +@@ -863,6 +860,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
887 +
888 + init_scattered_cpuid_features(c);
889 + init_speculation_control(c);
890 ++ init_cqm(c);
891 +
892 + /*
893 + * Clear/Set all flags overridden by options, after probe.
894 +@@ -905,6 +903,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
895 + #define NO_L1TF BIT(3)
896 + #define NO_MDS BIT(4)
897 + #define MSBDS_ONLY BIT(5)
898 ++#define NO_SWAPGS BIT(6)
899 +
900 + #define VULNWL(_vendor, _family, _model, _whitelist) \
901 + { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
902 +@@ -928,29 +927,37 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
903 + VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION),
904 + VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION),
905 +
906 +- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY),
907 +- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY),
908 +- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY),
909 +- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY),
910 +- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY),
911 +- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY),
912 ++ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
913 ++ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
914 ++ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
915 ++ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
916 ++ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
917 ++ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
918 +
919 + VULNWL_INTEL(CORE_YONAH, NO_SSB),
920 +
921 +- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY),
922 ++ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS),
923 +
924 +- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF),
925 +- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF),
926 +- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF),
927 ++ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS),
928 ++ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS),
929 ++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS),
930 ++
931 ++ /*
932 ++ * Technically, swapgs isn't serializing on AMD (despite it previously
933 ++ * being documented as such in the APM). But according to AMD, %gs is
934 ++ * updated non-speculatively, and the issuing of %gs-relative memory
935 ++ * operands will be blocked until the %gs update completes, which is
936 ++ * good enough for our purposes.
937 ++ */
938 +
939 + /* AMD Family 0xf - 0x12 */
940 +- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
941 +- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
942 +- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
943 +- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS),
944 ++ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
945 ++ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
946 ++ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
947 ++ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS),
948 +
949 + /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */
950 +- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS),
951 ++ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS),
952 + {}
953 + };
954 +
955 +@@ -987,6 +994,9 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
956 + setup_force_cpu_bug(X86_BUG_MSBDS_ONLY);
957 + }
958 +
959 ++ if (!cpu_matches(NO_SWAPGS))
960 ++ setup_force_cpu_bug(X86_BUG_SWAPGS);
961 ++
962 + if (cpu_matches(NO_MELTDOWN))
963 + return;
964 +
965 +diff --git a/arch/x86/kernel/cpu/cpuid-deps.c b/arch/x86/kernel/cpu/cpuid-deps.c
966 +index 904b0a3c4e53..4c9fc6a4d1ea 100644
967 +--- a/arch/x86/kernel/cpu/cpuid-deps.c
968 ++++ b/arch/x86/kernel/cpu/cpuid-deps.c
969 +@@ -59,6 +59,9 @@ const static struct cpuid_dep cpuid_deps[] = {
970 + { X86_FEATURE_AVX512_4VNNIW, X86_FEATURE_AVX512F },
971 + { X86_FEATURE_AVX512_4FMAPS, X86_FEATURE_AVX512F },
972 + { X86_FEATURE_AVX512_VPOPCNTDQ, X86_FEATURE_AVX512F },
973 ++ { X86_FEATURE_CQM_OCCUP_LLC, X86_FEATURE_CQM_LLC },
974 ++ { X86_FEATURE_CQM_MBM_TOTAL, X86_FEATURE_CQM_LLC },
975 ++ { X86_FEATURE_CQM_MBM_LOCAL, X86_FEATURE_CQM_LLC },
976 + {}
977 + };
978 +
979 +diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c
980 +index df11f5d604be..ed7ce5184a77 100644
981 +--- a/arch/x86/kernel/cpu/scattered.c
982 ++++ b/arch/x86/kernel/cpu/scattered.c
983 +@@ -21,6 +21,10 @@ struct cpuid_bit {
984 + static const struct cpuid_bit cpuid_bits[] = {
985 + { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 },
986 + { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 },
987 ++ { X86_FEATURE_CQM_LLC, CPUID_EDX, 1, 0x0000000f, 0 },
988 ++ { X86_FEATURE_CQM_OCCUP_LLC, CPUID_EDX, 0, 0x0000000f, 1 },
989 ++ { X86_FEATURE_CQM_MBM_TOTAL, CPUID_EDX, 1, 0x0000000f, 1 },
990 ++ { X86_FEATURE_CQM_MBM_LOCAL, CPUID_EDX, 2, 0x0000000f, 1 },
991 + { X86_FEATURE_CAT_L3, CPUID_EBX, 1, 0x00000010, 0 },
992 + { X86_FEATURE_CAT_L2, CPUID_EBX, 2, 0x00000010, 0 },
993 + { X86_FEATURE_CDP_L3, CPUID_ECX, 2, 0x00000010, 1 },
994 +diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
995 +index 652bdd867782..5853eb50138e 100644
996 +--- a/arch/x86/kernel/kvm.c
997 ++++ b/arch/x86/kernel/kvm.c
998 +@@ -631,6 +631,7 @@ asm(
999 + "cmpb $0, " __stringify(KVM_STEAL_TIME_preempted) "+steal_time(%rax);"
1000 + "setne %al;"
1001 + "ret;"
1002 ++".size __raw_callee_save___kvm_vcpu_is_preempted, .-__raw_callee_save___kvm_vcpu_is_preempted;"
1003 + ".popsection");
1004 +
1005 + #endif
1006 +diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
1007 +index 9a327d5b6d1f..d78a61408243 100644
1008 +--- a/arch/x86/kvm/cpuid.h
1009 ++++ b/arch/x86/kvm/cpuid.h
1010 +@@ -47,8 +47,6 @@ static const struct cpuid_reg reverse_cpuid[] = {
1011 + [CPUID_8000_0001_ECX] = {0x80000001, 0, CPUID_ECX},
1012 + [CPUID_7_0_EBX] = { 7, 0, CPUID_EBX},
1013 + [CPUID_D_1_EAX] = { 0xd, 1, CPUID_EAX},
1014 +- [CPUID_F_0_EDX] = { 0xf, 0, CPUID_EDX},
1015 +- [CPUID_F_1_EDX] = { 0xf, 1, CPUID_EDX},
1016 + [CPUID_8000_0008_EBX] = {0x80000008, 0, CPUID_EBX},
1017 + [CPUID_6_EAX] = { 6, 0, CPUID_EAX},
1018 + [CPUID_8000_000A_EDX] = {0x8000000a, 0, CPUID_EDX},
1019 +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
1020 +index f97b533bc6e6..87a0601b1c20 100644
1021 +--- a/arch/x86/kvm/mmu.c
1022 ++++ b/arch/x86/kvm/mmu.c
1023 +@@ -4313,11 +4313,11 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
1024 + */
1025 +
1026 + /* Faults from writes to non-writable pages */
1027 +- u8 wf = (pfec & PFERR_WRITE_MASK) ? ~w : 0;
1028 ++ u8 wf = (pfec & PFERR_WRITE_MASK) ? (u8)~w : 0;
1029 + /* Faults from user mode accesses to supervisor pages */
1030 +- u8 uf = (pfec & PFERR_USER_MASK) ? ~u : 0;
1031 ++ u8 uf = (pfec & PFERR_USER_MASK) ? (u8)~u : 0;
1032 + /* Faults from fetches of non-executable pages*/
1033 +- u8 ff = (pfec & PFERR_FETCH_MASK) ? ~x : 0;
1034 ++ u8 ff = (pfec & PFERR_FETCH_MASK) ? (u8)~x : 0;
1035 + /* Faults from kernel mode fetches of user pages */
1036 + u8 smepf = 0;
1037 + /* Faults from kernel mode accesses of user pages */
1038 +diff --git a/arch/x86/math-emu/fpu_emu.h b/arch/x86/math-emu/fpu_emu.h
1039 +index a5a41ec58072..0c122226ca56 100644
1040 +--- a/arch/x86/math-emu/fpu_emu.h
1041 ++++ b/arch/x86/math-emu/fpu_emu.h
1042 +@@ -177,7 +177,7 @@ static inline void reg_copy(FPU_REG const *x, FPU_REG *y)
1043 + #define setexponentpos(x,y) { (*(short *)&((x)->exp)) = \
1044 + ((y) + EXTENDED_Ebias) & 0x7fff; }
1045 + #define exponent16(x) (*(short *)&((x)->exp))
1046 +-#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (y); }
1047 ++#define setexponent16(x,y) { (*(short *)&((x)->exp)) = (u16)(y); }
1048 + #define addexponent(x,y) { (*(short *)&((x)->exp)) += (y); }
1049 + #define stdexp(x) { (*(short *)&((x)->exp)) += EXTENDED_Ebias; }
1050 +
1051 +diff --git a/arch/x86/math-emu/reg_constant.c b/arch/x86/math-emu/reg_constant.c
1052 +index 8dc9095bab22..742619e94bdf 100644
1053 +--- a/arch/x86/math-emu/reg_constant.c
1054 ++++ b/arch/x86/math-emu/reg_constant.c
1055 +@@ -18,7 +18,7 @@
1056 + #include "control_w.h"
1057 +
1058 + #define MAKE_REG(s, e, l, h) { l, h, \
1059 +- ((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
1060 ++ (u16)((EXTENDED_Ebias+(e)) | ((SIGN_##s != 0)*0x8000)) }
1061 +
1062 + FPU_REG const CONST_1 = MAKE_REG(POS, 0, 0x00000000, 0x80000000);
1063 + #if 0
1064 +diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
1065 +index 481d7920ea24..f79a0cdc6b4e 100644
1066 +--- a/arch/x86/xen/enlighten_pv.c
1067 ++++ b/arch/x86/xen/enlighten_pv.c
1068 +@@ -598,12 +598,12 @@ struct trap_array_entry {
1069 +
1070 + static struct trap_array_entry trap_array[] = {
1071 + { debug, xen_xendebug, true },
1072 +- { int3, xen_xenint3, true },
1073 + { double_fault, xen_double_fault, true },
1074 + #ifdef CONFIG_X86_MCE
1075 + { machine_check, xen_machine_check, true },
1076 + #endif
1077 + { nmi, xen_xennmi, true },
1078 ++ { int3, xen_int3, false },
1079 + { overflow, xen_overflow, false },
1080 + #ifdef CONFIG_IA32_EMULATION
1081 + { entry_INT80_compat, xen_entry_INT80_compat, false },
1082 +diff --git a/arch/x86/xen/xen-asm_64.S b/arch/x86/xen/xen-asm_64.S
1083 +index 417b339e5c8e..3a6feed76dfc 100644
1084 +--- a/arch/x86/xen/xen-asm_64.S
1085 ++++ b/arch/x86/xen/xen-asm_64.S
1086 +@@ -30,7 +30,6 @@ xen_pv_trap divide_error
1087 + xen_pv_trap debug
1088 + xen_pv_trap xendebug
1089 + xen_pv_trap int3
1090 +-xen_pv_trap xenint3
1091 + xen_pv_trap xennmi
1092 + xen_pv_trap overflow
1093 + xen_pv_trap bounds
1094 +diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
1095 +index 995c4d8922b1..761f0c19a451 100644
1096 +--- a/drivers/acpi/blacklist.c
1097 ++++ b/drivers/acpi/blacklist.c
1098 +@@ -30,7 +30,9 @@
1099 +
1100 + #include "internal.h"
1101 +
1102 ++#ifdef CONFIG_DMI
1103 + static const struct dmi_system_id acpi_rev_dmi_table[] __initconst;
1104 ++#endif
1105 +
1106 + /*
1107 + * POLICY: If *anything* doesn't work, put it on the blacklist.
1108 +@@ -74,7 +76,9 @@ int __init acpi_blacklisted(void)
1109 + }
1110 +
1111 + (void)early_acpi_osi_init();
1112 ++#ifdef CONFIG_DMI
1113 + dmi_check_system(acpi_rev_dmi_table);
1114 ++#endif
1115 +
1116 + return blacklisted;
1117 + }
1118 +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
1119 +index d32cd943dff2..b77e9281c039 100644
1120 +--- a/drivers/block/nbd.c
1121 ++++ b/drivers/block/nbd.c
1122 +@@ -1207,7 +1207,7 @@ static void nbd_clear_sock_ioctl(struct nbd_device *nbd,
1123 + struct block_device *bdev)
1124 + {
1125 + sock_shutdown(nbd);
1126 +- kill_bdev(bdev);
1127 ++ __invalidate_device(bdev, true);
1128 + nbd_bdev_reset(bdev);
1129 + if (test_and_clear_bit(NBD_HAS_CONFIG_REF,
1130 + &nbd->config->runtime_flags))
1131 +diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
1132 +index b92867814e2d..cb2be154db3b 100644
1133 +--- a/drivers/clk/tegra/clk-tegra210.c
1134 ++++ b/drivers/clk/tegra/clk-tegra210.c
1135 +@@ -2057,9 +2057,9 @@ static struct div_nmp pllu_nmp = {
1136 + };
1137 +
1138 + static struct tegra_clk_pll_freq_table pll_u_freq_table[] = {
1139 +- { 12000000, 480000000, 40, 1, 0, 0 },
1140 +- { 13000000, 480000000, 36, 1, 0, 0 }, /* actual: 468.0 MHz */
1141 +- { 38400000, 480000000, 25, 2, 0, 0 },
1142 ++ { 12000000, 480000000, 40, 1, 1, 0 },
1143 ++ { 13000000, 480000000, 36, 1, 1, 0 }, /* actual: 468.0 MHz */
1144 ++ { 38400000, 480000000, 25, 2, 1, 0 },
1145 + { 0, 0, 0, 0, 0, 0 },
1146 + };
1147 +
1148 +@@ -2983,6 +2983,7 @@ static struct tegra_clk_init_table init_table[] __initdata = {
1149 + { TEGRA210_CLK_DFLL_REF, TEGRA210_CLK_PLL_P, 51000000, 1 },
1150 + { TEGRA210_CLK_SBC4, TEGRA210_CLK_PLL_P, 12000000, 1 },
1151 + { TEGRA210_CLK_PLL_RE_VCO, TEGRA210_CLK_CLK_MAX, 672000000, 1 },
1152 ++ { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 },
1153 + { TEGRA210_CLK_XUSB_GATE, TEGRA210_CLK_CLK_MAX, 0, 1 },
1154 + { TEGRA210_CLK_XUSB_SS_SRC, TEGRA210_CLK_PLL_U_480M, 120000000, 0 },
1155 + { TEGRA210_CLK_XUSB_FS_SRC, TEGRA210_CLK_PLL_U_48M, 48000000, 0 },
1156 +@@ -3008,7 +3009,6 @@ static struct tegra_clk_init_table init_table[] __initdata = {
1157 + { TEGRA210_CLK_PLL_DP, TEGRA210_CLK_CLK_MAX, 270000000, 0 },
1158 + { TEGRA210_CLK_SOC_THERM, TEGRA210_CLK_PLL_P, 51000000, 0 },
1159 + { TEGRA210_CLK_CCLK_G, TEGRA210_CLK_CLK_MAX, 0, 1 },
1160 +- { TEGRA210_CLK_PLL_U_OUT1, TEGRA210_CLK_CLK_MAX, 48000000, 1 },
1161 + { TEGRA210_CLK_PLL_U_OUT2, TEGRA210_CLK_CLK_MAX, 60000000, 1 },
1162 + /* This MUST be the last entry. */
1163 + { TEGRA210_CLK_CLK_MAX, TEGRA210_CLK_CLK_MAX, 0, 0 },
1164 +diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
1165 +index 77b126525dac..19c7433e8309 100644
1166 +--- a/drivers/dma/sh/rcar-dmac.c
1167 ++++ b/drivers/dma/sh/rcar-dmac.c
1168 +@@ -1129,7 +1129,7 @@ rcar_dmac_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
1169 + struct rcar_dmac_chan *rchan = to_rcar_dmac_chan(chan);
1170 +
1171 + /* Someone calling slave DMA on a generic channel? */
1172 +- if (rchan->mid_rid < 0 || !sg_len) {
1173 ++ if (rchan->mid_rid < 0 || !sg_len || !sg_dma_len(sgl)) {
1174 + dev_warn(chan->device->dev,
1175 + "%s: bad parameter: len=%d, id=%d\n",
1176 + __func__, sg_len, rchan->mid_rid);
1177 +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
1178 +index 3db0a9b0d259..25351b6b1e34 100644
1179 +--- a/drivers/gpio/gpiolib.c
1180 ++++ b/drivers/gpio/gpiolib.c
1181 +@@ -835,9 +835,11 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip)
1182 + }
1183 +
1184 + if (eflags & GPIOEVENT_REQUEST_RISING_EDGE)
1185 +- irqflags |= IRQF_TRIGGER_RISING;
1186 ++ irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ?
1187 ++ IRQF_TRIGGER_FALLING : IRQF_TRIGGER_RISING;
1188 + if (eflags & GPIOEVENT_REQUEST_FALLING_EDGE)
1189 +- irqflags |= IRQF_TRIGGER_FALLING;
1190 ++ irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ?
1191 ++ IRQF_TRIGGER_RISING : IRQF_TRIGGER_FALLING;
1192 + irqflags |= IRQF_ONESHOT;
1193 + irqflags |= IRQF_SHARED;
1194 +
1195 +diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
1196 +index 2c6d19683688..4a7d50a96d36 100644
1197 +--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
1198 ++++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
1199 +@@ -251,7 +251,7 @@ nouveau_conn_reset(struct drm_connector *connector)
1200 + return;
1201 +
1202 + if (connector->state)
1203 +- __drm_atomic_helper_connector_destroy_state(connector->state);
1204 ++ nouveau_conn_atomic_destroy_state(connector, connector->state);
1205 + __drm_atomic_helper_connector_reset(connector, &asyc->state);
1206 + asyc->dither.mode = DITHERING_MODE_AUTO;
1207 + asyc->dither.depth = DITHERING_DEPTH_AUTO;
1208 +diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c
1209 +index 69a79fdfa23e..9dcdc0a8685e 100644
1210 +--- a/drivers/infiniband/hw/hfi1/chip.c
1211 ++++ b/drivers/infiniband/hw/hfi1/chip.c
1212 +@@ -14566,7 +14566,7 @@ void hfi1_deinit_vnic_rsm(struct hfi1_devdata *dd)
1213 + clear_rcvctrl(dd, RCV_CTRL_RCV_RSM_ENABLE_SMASK);
1214 + }
1215 +
1216 +-static void init_rxe(struct hfi1_devdata *dd)
1217 ++static int init_rxe(struct hfi1_devdata *dd)
1218 + {
1219 + struct rsm_map_table *rmt;
1220 + u64 val;
1221 +@@ -14575,6 +14575,9 @@ static void init_rxe(struct hfi1_devdata *dd)
1222 + write_csr(dd, RCV_ERR_MASK, ~0ull);
1223 +
1224 + rmt = alloc_rsm_map_table(dd);
1225 ++ if (!rmt)
1226 ++ return -ENOMEM;
1227 ++
1228 + /* set up QOS, including the QPN map table */
1229 + init_qos(dd, rmt);
1230 + init_user_fecn_handling(dd, rmt);
1231 +@@ -14599,6 +14602,7 @@ static void init_rxe(struct hfi1_devdata *dd)
1232 + val = read_csr(dd, RCV_BYPASS);
1233 + val |= (4ull << 16);
1234 + write_csr(dd, RCV_BYPASS, val);
1235 ++ return 0;
1236 + }
1237 +
1238 + static void init_other(struct hfi1_devdata *dd)
1239 +@@ -15154,7 +15158,10 @@ struct hfi1_devdata *hfi1_init_dd(struct pci_dev *pdev,
1240 + goto bail_cleanup;
1241 +
1242 + /* set initial RXE CSRs */
1243 +- init_rxe(dd);
1244 ++ ret = init_rxe(dd);
1245 ++ if (ret)
1246 ++ goto bail_cleanup;
1247 ++
1248 + /* set initial TXE CSRs */
1249 + init_txe(dd);
1250 + /* set initial non-RXE, non-TXE CSRs */
1251 +diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
1252 +index f4372afa0e81..ad78b471c112 100644
1253 +--- a/drivers/infiniband/hw/hfi1/verbs.c
1254 ++++ b/drivers/infiniband/hw/hfi1/verbs.c
1255 +@@ -54,6 +54,7 @@
1256 + #include <linux/mm.h>
1257 + #include <linux/vmalloc.h>
1258 + #include <rdma/opa_addr.h>
1259 ++#include <linux/nospec.h>
1260 +
1261 + #include "hfi.h"
1262 + #include "common.h"
1263 +@@ -1587,6 +1588,7 @@ static int hfi1_check_ah(struct ib_device *ibdev, struct rdma_ah_attr *ah_attr)
1264 + sl = rdma_ah_get_sl(ah_attr);
1265 + if (sl >= ARRAY_SIZE(ibp->sl_to_sc))
1266 + return -EINVAL;
1267 ++ sl = array_index_nospec(sl, ARRAY_SIZE(ibp->sl_to_sc));
1268 +
1269 + sc5 = ibp->sl_to_sc[sl];
1270 + if (sc_to_vlt(dd, sc5) > num_vls && sc_to_vlt(dd, sc5) != 0xf)
1271 +diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h
1272 +index 754103372faa..89c7e391a834 100644
1273 +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h
1274 ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h
1275 +@@ -427,6 +427,7 @@ struct mlx5_umr_wr {
1276 + u64 length;
1277 + int access_flags;
1278 + u32 mkey;
1279 ++ u8 ignore_free_state:1;
1280 + };
1281 +
1282 + static inline struct mlx5_umr_wr *umr_wr(struct ib_send_wr *wr)
1283 +diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
1284 +index e88bb71056cd..cfddca850cb4 100644
1285 +--- a/drivers/infiniband/hw/mlx5/mr.c
1286 ++++ b/drivers/infiniband/hw/mlx5/mr.c
1287 +@@ -538,14 +538,17 @@ void mlx5_mr_cache_free(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr)
1288 + int c;
1289 +
1290 + c = order2idx(dev, mr->order);
1291 +- if (c < 0 || c >= MAX_MR_CACHE_ENTRIES) {
1292 +- mlx5_ib_warn(dev, "order %d, cache index %d\n", mr->order, c);
1293 ++ WARN_ON(c < 0 || c >= MAX_MR_CACHE_ENTRIES);
1294 ++
1295 ++ if (unreg_umr(dev, mr)) {
1296 ++ mr->allocated_from_cache = false;
1297 ++ destroy_mkey(dev, mr);
1298 ++ ent = &cache->ent[c];
1299 ++ if (ent->cur < ent->limit)
1300 ++ queue_work(cache->wq, &ent->work);
1301 + return;
1302 + }
1303 +
1304 +- if (unreg_umr(dev, mr))
1305 +- return;
1306 +-
1307 + ent = &cache->ent[c];
1308 + spin_lock_irq(&ent->lock);
1309 + list_add_tail(&mr->list, &ent->head);
1310 +@@ -1303,9 +1306,11 @@ static int unreg_umr(struct mlx5_ib_dev *dev, struct mlx5_ib_mr *mr)
1311 + return 0;
1312 +
1313 + umrwr.wr.send_flags = MLX5_IB_SEND_UMR_DISABLE_MR |
1314 +- MLX5_IB_SEND_UMR_FAIL_IF_FREE;
1315 ++ MLX5_IB_SEND_UMR_UPDATE_PD_ACCESS;
1316 + umrwr.wr.opcode = MLX5_IB_WR_UMR;
1317 ++ umrwr.pd = dev->umrc.pd;
1318 + umrwr.mkey = mr->mmkey.key;
1319 ++ umrwr.ignore_free_state = 1;
1320 +
1321 + return mlx5_ib_post_send_wait(dev, &umrwr);
1322 + }
1323 +diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
1324 +index 964c3a0bbf16..5a7dcb5afe6e 100644
1325 +--- a/drivers/infiniband/hw/mlx5/qp.c
1326 ++++ b/drivers/infiniband/hw/mlx5/qp.c
1327 +@@ -1425,7 +1425,6 @@ static int create_rss_raw_qp_tir(struct mlx5_ib_dev *dev, struct mlx5_ib_qp *qp,
1328 + }
1329 +
1330 + MLX5_SET(tirc, tirc, rx_hash_fn, MLX5_RX_HASH_FN_TOEPLITZ);
1331 +- MLX5_SET(tirc, tirc, rx_hash_symmetric, 1);
1332 + memcpy(rss_key, ucmd.rx_hash_key, len);
1333 + break;
1334 + }
1335 +@@ -3265,10 +3264,14 @@ static void set_reg_umr_segment(struct mlx5_wqe_umr_ctrl_seg *umr,
1336 +
1337 + memset(umr, 0, sizeof(*umr));
1338 +
1339 +- if (wr->send_flags & MLX5_IB_SEND_UMR_FAIL_IF_FREE)
1340 +- umr->flags = MLX5_UMR_CHECK_FREE; /* fail if free */
1341 +- else
1342 +- umr->flags = MLX5_UMR_CHECK_NOT_FREE; /* fail if not free */
1343 ++ if (!umrwr->ignore_free_state) {
1344 ++ if (wr->send_flags & MLX5_IB_SEND_UMR_FAIL_IF_FREE)
1345 ++ /* fail if free */
1346 ++ umr->flags = MLX5_UMR_CHECK_FREE;
1347 ++ else
1348 ++ /* fail if not free */
1349 ++ umr->flags = MLX5_UMR_CHECK_NOT_FREE;
1350 ++ }
1351 +
1352 + umr->xlt_octowords = cpu_to_be16(get_xlt_octo(umrwr->xlt_size));
1353 + if (wr->send_flags & MLX5_IB_SEND_UMR_UPDATE_XLT) {
1354 +diff --git a/drivers/misc/eeprom/at24.c b/drivers/misc/eeprom/at24.c
1355 +index 6b58ee2e2a25..f8cfcd063649 100644
1356 +--- a/drivers/misc/eeprom/at24.c
1357 ++++ b/drivers/misc/eeprom/at24.c
1358 +@@ -834,7 +834,7 @@ static int at24_probe(struct i2c_client *client, const struct i2c_device_id *id)
1359 + at24->nvmem_config.name = dev_name(&client->dev);
1360 + at24->nvmem_config.dev = &client->dev;
1361 + at24->nvmem_config.read_only = !writable;
1362 +- at24->nvmem_config.root_only = true;
1363 ++ at24->nvmem_config.root_only = !(chip.flags & AT24_FLAG_IRUGO);
1364 + at24->nvmem_config.owner = THIS_MODULE;
1365 + at24->nvmem_config.compat = true;
1366 + at24->nvmem_config.base_dev = &client->dev;
1367 +diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
1368 +index 5252885e5cda..32001d43e453 100644
1369 +--- a/drivers/mmc/host/dw_mmc.c
1370 ++++ b/drivers/mmc/host/dw_mmc.c
1371 +@@ -2046,8 +2046,7 @@ static void dw_mci_tasklet_func(unsigned long priv)
1372 + * delayed. Allowing the transfer to take place
1373 + * avoids races and keeps things simple.
1374 + */
1375 +- if ((err != -ETIMEDOUT) &&
1376 +- (cmd->opcode == MMC_SEND_TUNING_BLOCK)) {
1377 ++ if (err != -ETIMEDOUT) {
1378 + state = STATE_SENDING_DATA;
1379 + continue;
1380 + }
1381 +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
1382 +index 39f399741647..cabeb1790db7 100644
1383 +--- a/drivers/net/ethernet/emulex/benet/be_main.c
1384 ++++ b/drivers/net/ethernet/emulex/benet/be_main.c
1385 +@@ -4600,8 +4600,12 @@ int be_update_queues(struct be_adapter *adapter)
1386 + struct net_device *netdev = adapter->netdev;
1387 + int status;
1388 +
1389 +- if (netif_running(netdev))
1390 ++ if (netif_running(netdev)) {
1391 ++ /* device cannot transmit now, avoid dev_watchdog timeouts */
1392 ++ netif_carrier_off(netdev);
1393 ++
1394 + be_close(netdev);
1395 ++ }
1396 +
1397 + be_cancel_worker(adapter);
1398 +
1399 +diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c
1400 +index 5e06917b4cef..22e365fa440c 100644
1401 +--- a/drivers/perf/arm_pmu.c
1402 ++++ b/drivers/perf/arm_pmu.c
1403 +@@ -751,8 +751,8 @@ static int cpu_pm_pmu_notify(struct notifier_block *b, unsigned long cmd,
1404 + cpu_pm_pmu_setup(armpmu, cmd);
1405 + break;
1406 + case CPU_PM_EXIT:
1407 +- cpu_pm_pmu_setup(armpmu, cmd);
1408 + case CPU_PM_ENTER_FAILED:
1409 ++ cpu_pm_pmu_setup(armpmu, cmd);
1410 + armpmu->start(armpmu);
1411 + break;
1412 + default:
1413 +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
1414 +index 76afe1449cab..ecd71efe8ea0 100644
1415 +--- a/drivers/rapidio/devices/rio_mport_cdev.c
1416 ++++ b/drivers/rapidio/devices/rio_mport_cdev.c
1417 +@@ -1742,6 +1742,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
1418 +
1419 + if (copy_from_user(&dev_info, arg, sizeof(dev_info)))
1420 + return -EFAULT;
1421 ++ dev_info.name[sizeof(dev_info.name) - 1] = '\0';
1422 +
1423 + rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name,
1424 + dev_info.comptag, dev_info.destid, dev_info.hopcount);
1425 +@@ -1873,6 +1874,7 @@ static int rio_mport_del_riodev(struct mport_cdev_priv *priv, void __user *arg)
1426 +
1427 + if (copy_from_user(&dev_info, arg, sizeof(dev_info)))
1428 + return -EFAULT;
1429 ++ dev_info.name[sizeof(dev_info.name) - 1] = '\0';
1430 +
1431 + mport = priv->md->mport;
1432 +
1433 +diff --git a/drivers/s390/block/dasd_alias.c b/drivers/s390/block/dasd_alias.c
1434 +index 5e963fe0e38d..fd1dff2bed21 100644
1435 +--- a/drivers/s390/block/dasd_alias.c
1436 ++++ b/drivers/s390/block/dasd_alias.c
1437 +@@ -383,6 +383,20 @@ suborder_not_supported(struct dasd_ccw_req *cqr)
1438 + char msg_format;
1439 + char msg_no;
1440 +
1441 ++ /*
1442 ++ * intrc values ENODEV, ENOLINK and EPERM
1443 ++ * will be optained from sleep_on to indicate that no
1444 ++ * IO operation can be started
1445 ++ */
1446 ++ if (cqr->intrc == -ENODEV)
1447 ++ return 1;
1448 ++
1449 ++ if (cqr->intrc == -ENOLINK)
1450 ++ return 1;
1451 ++
1452 ++ if (cqr->intrc == -EPERM)
1453 ++ return 1;
1454 ++
1455 + sense = dasd_get_sense(&cqr->irb);
1456 + if (!sense)
1457 + return 0;
1458 +@@ -447,12 +461,8 @@ static int read_unit_address_configuration(struct dasd_device *device,
1459 + lcu->flags &= ~NEED_UAC_UPDATE;
1460 + spin_unlock_irqrestore(&lcu->lock, flags);
1461 +
1462 +- do {
1463 +- rc = dasd_sleep_on(cqr);
1464 +- if (rc && suborder_not_supported(cqr))
1465 +- return -EOPNOTSUPP;
1466 +- } while (rc && (cqr->retries > 0));
1467 +- if (rc) {
1468 ++ rc = dasd_sleep_on(cqr);
1469 ++ if (rc && !suborder_not_supported(cqr)) {
1470 + spin_lock_irqsave(&lcu->lock, flags);
1471 + lcu->flags |= NEED_UAC_UPDATE;
1472 + spin_unlock_irqrestore(&lcu->lock, flags);
1473 +diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
1474 +index 6d5065f679ac..64d70de98cdb 100644
1475 +--- a/drivers/s390/scsi/zfcp_erp.c
1476 ++++ b/drivers/s390/scsi/zfcp_erp.c
1477 +@@ -11,6 +11,7 @@
1478 + #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
1479 +
1480 + #include <linux/kthread.h>
1481 ++#include <linux/bug.h>
1482 + #include "zfcp_ext.h"
1483 + #include "zfcp_reqlist.h"
1484 +
1485 +@@ -245,6 +246,12 @@ static struct zfcp_erp_action *zfcp_erp_setup_act(int need, u32 act_status,
1486 + struct zfcp_erp_action *erp_action;
1487 + struct zfcp_scsi_dev *zfcp_sdev;
1488 +
1489 ++ if (WARN_ON_ONCE(need != ZFCP_ERP_ACTION_REOPEN_LUN &&
1490 ++ need != ZFCP_ERP_ACTION_REOPEN_PORT &&
1491 ++ need != ZFCP_ERP_ACTION_REOPEN_PORT_FORCED &&
1492 ++ need != ZFCP_ERP_ACTION_REOPEN_ADAPTER))
1493 ++ return NULL;
1494 ++
1495 + switch (need) {
1496 + case ZFCP_ERP_ACTION_REOPEN_LUN:
1497 + zfcp_sdev = sdev_to_zfcp(sdev);
1498 +diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
1499 +index 95dbee89b758..021b5e7f4b7a 100644
1500 +--- a/drivers/xen/swiotlb-xen.c
1501 ++++ b/drivers/xen/swiotlb-xen.c
1502 +@@ -371,8 +371,8 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
1503 + /* Convert the size to actually allocated. */
1504 + size = 1UL << (order + XEN_PAGE_SHIFT);
1505 +
1506 +- if (((dev_addr + size - 1 <= dma_mask)) ||
1507 +- range_straddles_page_boundary(phys, size))
1508 ++ if (!WARN_ON((dev_addr + size - 1 > dma_mask) ||
1509 ++ range_straddles_page_boundary(phys, size)))
1510 + xen_destroy_contiguous_region(phys, order);
1511 +
1512 + xen_free_coherent_pages(hwdev, size, vaddr, (dma_addr_t)phys, attrs);
1513 +diff --git a/fs/adfs/super.c b/fs/adfs/super.c
1514 +index c9fdfb112933..e42c30001509 100644
1515 +--- a/fs/adfs/super.c
1516 ++++ b/fs/adfs/super.c
1517 +@@ -368,6 +368,7 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
1518 + struct buffer_head *bh;
1519 + struct object_info root_obj;
1520 + unsigned char *b_data;
1521 ++ unsigned int blocksize;
1522 + struct adfs_sb_info *asb;
1523 + struct inode *root;
1524 + int ret = -EINVAL;
1525 +@@ -419,8 +420,10 @@ static int adfs_fill_super(struct super_block *sb, void *data, int silent)
1526 + goto error_free_bh;
1527 + }
1528 +
1529 ++ blocksize = 1 << dr->log2secsize;
1530 + brelse(bh);
1531 +- if (sb_set_blocksize(sb, 1 << dr->log2secsize)) {
1532 ++
1533 ++ if (sb_set_blocksize(sb, blocksize)) {
1534 + bh = sb_bread(sb, ADFS_DISCRECORD / sb->s_blocksize);
1535 + if (!bh) {
1536 + adfs_error(sb, "couldn't read superblock on "
1537 +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
1538 +index 14c4062a6e58..a5905f97b3db 100644
1539 +--- a/fs/btrfs/send.c
1540 ++++ b/fs/btrfs/send.c
1541 +@@ -6130,68 +6130,21 @@ static int changed_extent(struct send_ctx *sctx,
1542 + {
1543 + int ret = 0;
1544 +
1545 +- if (sctx->cur_ino != sctx->cmp_key->objectid) {
1546 +-
1547 +- if (result == BTRFS_COMPARE_TREE_CHANGED) {
1548 +- struct extent_buffer *leaf_l;
1549 +- struct extent_buffer *leaf_r;
1550 +- struct btrfs_file_extent_item *ei_l;
1551 +- struct btrfs_file_extent_item *ei_r;
1552 +-
1553 +- leaf_l = sctx->left_path->nodes[0];
1554 +- leaf_r = sctx->right_path->nodes[0];
1555 +- ei_l = btrfs_item_ptr(leaf_l,
1556 +- sctx->left_path->slots[0],
1557 +- struct btrfs_file_extent_item);
1558 +- ei_r = btrfs_item_ptr(leaf_r,
1559 +- sctx->right_path->slots[0],
1560 +- struct btrfs_file_extent_item);
1561 +-
1562 +- /*
1563 +- * We may have found an extent item that has changed
1564 +- * only its disk_bytenr field and the corresponding
1565 +- * inode item was not updated. This case happens due to
1566 +- * very specific timings during relocation when a leaf
1567 +- * that contains file extent items is COWed while
1568 +- * relocation is ongoing and its in the stage where it
1569 +- * updates data pointers. So when this happens we can
1570 +- * safely ignore it since we know it's the same extent,
1571 +- * but just at different logical and physical locations
1572 +- * (when an extent is fully replaced with a new one, we
1573 +- * know the generation number must have changed too,
1574 +- * since snapshot creation implies committing the current
1575 +- * transaction, and the inode item must have been updated
1576 +- * as well).
1577 +- * This replacement of the disk_bytenr happens at
1578 +- * relocation.c:replace_file_extents() through
1579 +- * relocation.c:btrfs_reloc_cow_block().
1580 +- */
1581 +- if (btrfs_file_extent_generation(leaf_l, ei_l) ==
1582 +- btrfs_file_extent_generation(leaf_r, ei_r) &&
1583 +- btrfs_file_extent_ram_bytes(leaf_l, ei_l) ==
1584 +- btrfs_file_extent_ram_bytes(leaf_r, ei_r) &&
1585 +- btrfs_file_extent_compression(leaf_l, ei_l) ==
1586 +- btrfs_file_extent_compression(leaf_r, ei_r) &&
1587 +- btrfs_file_extent_encryption(leaf_l, ei_l) ==
1588 +- btrfs_file_extent_encryption(leaf_r, ei_r) &&
1589 +- btrfs_file_extent_other_encoding(leaf_l, ei_l) ==
1590 +- btrfs_file_extent_other_encoding(leaf_r, ei_r) &&
1591 +- btrfs_file_extent_type(leaf_l, ei_l) ==
1592 +- btrfs_file_extent_type(leaf_r, ei_r) &&
1593 +- btrfs_file_extent_disk_bytenr(leaf_l, ei_l) !=
1594 +- btrfs_file_extent_disk_bytenr(leaf_r, ei_r) &&
1595 +- btrfs_file_extent_disk_num_bytes(leaf_l, ei_l) ==
1596 +- btrfs_file_extent_disk_num_bytes(leaf_r, ei_r) &&
1597 +- btrfs_file_extent_offset(leaf_l, ei_l) ==
1598 +- btrfs_file_extent_offset(leaf_r, ei_r) &&
1599 +- btrfs_file_extent_num_bytes(leaf_l, ei_l) ==
1600 +- btrfs_file_extent_num_bytes(leaf_r, ei_r))
1601 +- return 0;
1602 +- }
1603 +-
1604 +- inconsistent_snapshot_error(sctx, result, "extent");
1605 +- return -EIO;
1606 +- }
1607 ++ /*
1608 ++ * We have found an extent item that changed without the inode item
1609 ++ * having changed. This can happen either after relocation (where the
1610 ++ * disk_bytenr of an extent item is replaced at
1611 ++ * relocation.c:replace_file_extents()) or after deduplication into a
1612 ++ * file in both the parent and send snapshots (where an extent item can
1613 ++ * get modified or replaced with a new one). Note that deduplication
1614 ++ * updates the inode item, but it only changes the iversion (sequence
1615 ++ * field in the inode item) of the inode, so if a file is deduplicated
1616 ++ * the same amount of times in both the parent and send snapshots, its
1617 ++ * iversion becames the same in both snapshots, whence the inode item is
1618 ++ * the same on both snapshots.
1619 ++ */
1620 ++ if (sctx->cur_ino != sctx->cmp_key->objectid)
1621 ++ return 0;
1622 +
1623 + if (!sctx->cur_inode_new_gen && !sctx->cur_inode_deleted) {
1624 + if (result != BTRFS_COMPARE_TREE_DELETED)
1625 +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
1626 +index 73c1fbca0c35..fa8f56e6f665 100644
1627 +--- a/fs/btrfs/transaction.c
1628 ++++ b/fs/btrfs/transaction.c
1629 +@@ -2052,6 +2052,16 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
1630 + }
1631 + } else {
1632 + spin_unlock(&fs_info->trans_lock);
1633 ++ /*
1634 ++ * The previous transaction was aborted and was already removed
1635 ++ * from the list of transactions at fs_info->trans_list. So we
1636 ++ * abort to prevent writing a new superblock that reflects a
1637 ++ * corrupt state (pointing to trees with unwritten nodes/leafs).
1638 ++ */
1639 ++ if (test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state)) {
1640 ++ ret = -EROFS;
1641 ++ goto cleanup_transaction;
1642 ++ }
1643 + }
1644 +
1645 + extwriter_counter_dec(cur_trans, trans->type);
1646 +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
1647 +index 85294fef1051..358e930df4ac 100644
1648 +--- a/fs/btrfs/volumes.c
1649 ++++ b/fs/btrfs/volumes.c
1650 +@@ -5019,8 +5019,7 @@ static inline int btrfs_chunk_max_errors(struct map_lookup *map)
1651 +
1652 + if (map->type & (BTRFS_BLOCK_GROUP_RAID1 |
1653 + BTRFS_BLOCK_GROUP_RAID10 |
1654 +- BTRFS_BLOCK_GROUP_RAID5 |
1655 +- BTRFS_BLOCK_GROUP_DUP)) {
1656 ++ BTRFS_BLOCK_GROUP_RAID5)) {
1657 + max_errors = 1;
1658 + } else if (map->type & BTRFS_BLOCK_GROUP_RAID6) {
1659 + max_errors = 2;
1660 +diff --git a/fs/ceph/super.h b/fs/ceph/super.h
1661 +index 3e27a28aa44a..60b70f0985f6 100644
1662 +--- a/fs/ceph/super.h
1663 ++++ b/fs/ceph/super.h
1664 +@@ -517,7 +517,12 @@ static inline void __ceph_dir_set_complete(struct ceph_inode_info *ci,
1665 + long long release_count,
1666 + long long ordered_count)
1667 + {
1668 +- smp_mb__before_atomic();
1669 ++ /*
1670 ++ * Makes sure operations that setup readdir cache (update page
1671 ++ * cache and i_size) are strongly ordered w.r.t. the following
1672 ++ * atomic64_set() operations.
1673 ++ */
1674 ++ smp_mb();
1675 + atomic64_set(&ci->i_complete_seq[0], release_count);
1676 + atomic64_set(&ci->i_complete_seq[1], ordered_count);
1677 + }
1678 +diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
1679 +index e1c4e0b12b4c..0376db8a74f8 100644
1680 +--- a/fs/ceph/xattr.c
1681 ++++ b/fs/ceph/xattr.c
1682 +@@ -75,7 +75,7 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val,
1683 + const char *ns_field = " pool_namespace=";
1684 + char buf[128];
1685 + size_t len, total_len = 0;
1686 +- int ret;
1687 ++ ssize_t ret;
1688 +
1689 + pool_ns = ceph_try_get_string(ci->i_layout.pool_ns);
1690 +
1691 +@@ -99,11 +99,8 @@ static size_t ceph_vxattrcb_layout(struct ceph_inode_info *ci, char *val,
1692 + if (pool_ns)
1693 + total_len += strlen(ns_field) + pool_ns->len;
1694 +
1695 +- if (!size) {
1696 +- ret = total_len;
1697 +- } else if (total_len > size) {
1698 +- ret = -ERANGE;
1699 +- } else {
1700 ++ ret = total_len;
1701 ++ if (size >= total_len) {
1702 + memcpy(val, buf, len);
1703 + ret = len;
1704 + if (pool_name) {
1705 +@@ -761,8 +758,11 @@ ssize_t __ceph_getxattr(struct inode *inode, const char *name, void *value,
1706 + if (err)
1707 + return err;
1708 + err = -ENODATA;
1709 +- if (!(vxattr->exists_cb && !vxattr->exists_cb(ci)))
1710 ++ if (!(vxattr->exists_cb && !vxattr->exists_cb(ci))) {
1711 + err = vxattr->getxattr_cb(ci, value, size);
1712 ++ if (size && size < err)
1713 ++ err = -ERANGE;
1714 ++ }
1715 + return err;
1716 + }
1717 +
1718 +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
1719 +index 33cd844579ae..57c62ff4e8d6 100644
1720 +--- a/fs/cifs/connect.c
1721 ++++ b/fs/cifs/connect.c
1722 +@@ -554,10 +554,10 @@ static bool
1723 + server_unresponsive(struct TCP_Server_Info *server)
1724 + {
1725 + /*
1726 +- * We need to wait 2 echo intervals to make sure we handle such
1727 ++ * We need to wait 3 echo intervals to make sure we handle such
1728 + * situations right:
1729 + * 1s client sends a normal SMB request
1730 +- * 2s client gets a response
1731 ++ * 3s client gets a response
1732 + * 30s echo workqueue job pops, and decides we got a response recently
1733 + * and don't need to send another
1734 + * ...
1735 +@@ -566,9 +566,9 @@ server_unresponsive(struct TCP_Server_Info *server)
1736 + */
1737 + if ((server->tcpStatus == CifsGood ||
1738 + server->tcpStatus == CifsNeedNegotiate) &&
1739 +- time_after(jiffies, server->lstrp + 2 * server->echo_interval)) {
1740 ++ time_after(jiffies, server->lstrp + 3 * server->echo_interval)) {
1741 + cifs_dbg(VFS, "Server %s has not responded in %lu seconds. Reconnecting...\n",
1742 +- server->hostname, (2 * server->echo_interval) / HZ);
1743 ++ server->hostname, (3 * server->echo_interval) / HZ);
1744 + cifs_reconnect(server);
1745 + wake_up(&server->response_q);
1746 + return true;
1747 +diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
1748 +index f40e3953e7fe..a6d9e841a375 100644
1749 +--- a/fs/coda/psdev.c
1750 ++++ b/fs/coda/psdev.c
1751 +@@ -187,8 +187,11 @@ static ssize_t coda_psdev_write(struct file *file, const char __user *buf,
1752 + if (req->uc_opcode == CODA_OPEN_BY_FD) {
1753 + struct coda_open_by_fd_out *outp =
1754 + (struct coda_open_by_fd_out *)req->uc_data;
1755 +- if (!outp->oh.result)
1756 ++ if (!outp->oh.result) {
1757 + outp->fh = fget(outp->fd);
1758 ++ if (!outp->fh)
1759 ++ return -EBADF;
1760 ++ }
1761 + }
1762 +
1763 + wake_up(&req->uc_sleep);
1764 +diff --git a/include/linux/acpi.h b/include/linux/acpi.h
1765 +index 13c105121a18..d7a9700b9333 100644
1766 +--- a/include/linux/acpi.h
1767 ++++ b/include/linux/acpi.h
1768 +@@ -324,7 +324,10 @@ void acpi_set_irq_model(enum acpi_irq_model_id model,
1769 + #ifdef CONFIG_X86_IO_APIC
1770 + extern int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity);
1771 + #else
1772 +-#define acpi_get_override_irq(gsi, trigger, polarity) (-1)
1773 ++static inline int acpi_get_override_irq(u32 gsi, int *trigger, int *polarity)
1774 ++{
1775 ++ return -1;
1776 ++}
1777 + #endif
1778 + /*
1779 + * This function undoes the effect of one call to acpi_register_gsi().
1780 +diff --git a/include/linux/coda.h b/include/linux/coda.h
1781 +index d30209b9cef8..0ca0c83fdb1c 100644
1782 +--- a/include/linux/coda.h
1783 ++++ b/include/linux/coda.h
1784 +@@ -58,8 +58,7 @@ Mellon the rights to redistribute these changes without encumbrance.
1785 + #ifndef _CODA_HEADER_
1786 + #define _CODA_HEADER_
1787 +
1788 +-#if defined(__linux__)
1789 + typedef unsigned long long u_quad_t;
1790 +-#endif
1791 ++
1792 + #include <uapi/linux/coda.h>
1793 + #endif
1794 +diff --git a/include/linux/coda_psdev.h b/include/linux/coda_psdev.h
1795 +index 15170954aa2b..57d2b2faf6a3 100644
1796 +--- a/include/linux/coda_psdev.h
1797 ++++ b/include/linux/coda_psdev.h
1798 +@@ -19,6 +19,17 @@ struct venus_comm {
1799 + struct mutex vc_mutex;
1800 + };
1801 +
1802 ++/* messages between coda filesystem in kernel and Venus */
1803 ++struct upc_req {
1804 ++ struct list_head uc_chain;
1805 ++ caddr_t uc_data;
1806 ++ u_short uc_flags;
1807 ++ u_short uc_inSize; /* Size is at most 5000 bytes */
1808 ++ u_short uc_outSize;
1809 ++ u_short uc_opcode; /* copied from data to save lookup */
1810 ++ int uc_unique;
1811 ++ wait_queue_head_t uc_sleep; /* process' wait queue */
1812 ++};
1813 +
1814 + static inline struct venus_comm *coda_vcp(struct super_block *sb)
1815 + {
1816 +diff --git a/include/uapi/linux/coda_psdev.h b/include/uapi/linux/coda_psdev.h
1817 +index aa6623efd2dd..d50d51a57fe4 100644
1818 +--- a/include/uapi/linux/coda_psdev.h
1819 ++++ b/include/uapi/linux/coda_psdev.h
1820 +@@ -7,19 +7,6 @@
1821 + #define CODA_PSDEV_MAJOR 67
1822 + #define MAX_CODADEVS 5 /* how many do we allow */
1823 +
1824 +-
1825 +-/* messages between coda filesystem in kernel and Venus */
1826 +-struct upc_req {
1827 +- struct list_head uc_chain;
1828 +- caddr_t uc_data;
1829 +- u_short uc_flags;
1830 +- u_short uc_inSize; /* Size is at most 5000 bytes */
1831 +- u_short uc_outSize;
1832 +- u_short uc_opcode; /* copied from data to save lookup */
1833 +- int uc_unique;
1834 +- wait_queue_head_t uc_sleep; /* process' wait queue */
1835 +-};
1836 +-
1837 + #define CODA_REQ_ASYNC 0x1
1838 + #define CODA_REQ_READ 0x2
1839 + #define CODA_REQ_WRITE 0x4
1840 +diff --git a/ipc/mqueue.c b/ipc/mqueue.c
1841 +index 5c0ae912f2f2..dccd4ecb786a 100644
1842 +--- a/ipc/mqueue.c
1843 ++++ b/ipc/mqueue.c
1844 +@@ -372,7 +372,6 @@ static void mqueue_evict_inode(struct inode *inode)
1845 + {
1846 + struct mqueue_inode_info *info;
1847 + struct user_struct *user;
1848 +- unsigned long mq_bytes, mq_treesize;
1849 + struct ipc_namespace *ipc_ns;
1850 + struct msg_msg *msg, *nmsg;
1851 + LIST_HEAD(tmp_msg);
1852 +@@ -395,16 +394,18 @@ static void mqueue_evict_inode(struct inode *inode)
1853 + free_msg(msg);
1854 + }
1855 +
1856 +- /* Total amount of bytes accounted for the mqueue */
1857 +- mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
1858 +- min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
1859 +- sizeof(struct posix_msg_tree_node);
1860 +-
1861 +- mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
1862 +- info->attr.mq_msgsize);
1863 +-
1864 + user = info->user;
1865 + if (user) {
1866 ++ unsigned long mq_bytes, mq_treesize;
1867 ++
1868 ++ /* Total amount of bytes accounted for the mqueue */
1869 ++ mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
1870 ++ min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
1871 ++ sizeof(struct posix_msg_tree_node);
1872 ++
1873 ++ mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
1874 ++ info->attr.mq_msgsize);
1875 ++
1876 + spin_lock(&mq_lock);
1877 + user->mq_bytes -= mq_bytes;
1878 + /*
1879 +diff --git a/kernel/module.c b/kernel/module.c
1880 +index 94528b891027..4b372c14d9a1 100644
1881 +--- a/kernel/module.c
1882 ++++ b/kernel/module.c
1883 +@@ -3391,8 +3391,7 @@ static bool finished_loading(const char *name)
1884 + sched_annotate_sleep();
1885 + mutex_lock(&module_mutex);
1886 + mod = find_module_all(name, strlen(name), true);
1887 +- ret = !mod || mod->state == MODULE_STATE_LIVE
1888 +- || mod->state == MODULE_STATE_GOING;
1889 ++ ret = !mod || mod->state == MODULE_STATE_LIVE;
1890 + mutex_unlock(&module_mutex);
1891 +
1892 + return ret;
1893 +@@ -3560,8 +3559,7 @@ again:
1894 + mutex_lock(&module_mutex);
1895 + old = find_module_all(mod->name, strlen(mod->name), true);
1896 + if (old != NULL) {
1897 +- if (old->state == MODULE_STATE_COMING
1898 +- || old->state == MODULE_STATE_UNFORMED) {
1899 ++ if (old->state != MODULE_STATE_LIVE) {
1900 + /* Wait in case it fails to load. */
1901 + mutex_unlock(&module_mutex);
1902 + err = wait_event_interruptible(module_wq,
1903 +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
1904 +index c4a0ad18c859..7420f5f36094 100644
1905 +--- a/kernel/trace/ftrace.c
1906 ++++ b/kernel/trace/ftrace.c
1907 +@@ -1712,6 +1712,11 @@ static bool test_rec_ops_needs_regs(struct dyn_ftrace *rec)
1908 + return keep_regs;
1909 + }
1910 +
1911 ++static struct ftrace_ops *
1912 ++ftrace_find_tramp_ops_any(struct dyn_ftrace *rec);
1913 ++static struct ftrace_ops *
1914 ++ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops);
1915 ++
1916 + static bool __ftrace_hash_rec_update(struct ftrace_ops *ops,
1917 + int filter_hash,
1918 + bool inc)
1919 +@@ -1840,15 +1845,17 @@ static bool __ftrace_hash_rec_update(struct ftrace_ops *ops,
1920 + }
1921 +
1922 + /*
1923 +- * If the rec had TRAMP enabled, then it needs to
1924 +- * be cleared. As TRAMP can only be enabled iff
1925 +- * there is only a single ops attached to it.
1926 +- * In otherwords, always disable it on decrementing.
1927 +- * In the future, we may set it if rec count is
1928 +- * decremented to one, and the ops that is left
1929 +- * has a trampoline.
1930 ++ * The TRAMP needs to be set only if rec count
1931 ++ * is decremented to one, and the ops that is
1932 ++ * left has a trampoline. As TRAMP can only be
1933 ++ * enabled if there is only a single ops attached
1934 ++ * to it.
1935 + */
1936 +- rec->flags &= ~FTRACE_FL_TRAMP;
1937 ++ if (ftrace_rec_count(rec) == 1 &&
1938 ++ ftrace_find_tramp_ops_any(rec))
1939 ++ rec->flags |= FTRACE_FL_TRAMP;
1940 ++ else
1941 ++ rec->flags &= ~FTRACE_FL_TRAMP;
1942 +
1943 + /*
1944 + * flags will be cleared in ftrace_check_record()
1945 +@@ -2041,11 +2048,6 @@ static void print_ip_ins(const char *fmt, const unsigned char *p)
1946 + printk(KERN_CONT "%s%02x", i ? ":" : "", p[i]);
1947 + }
1948 +
1949 +-static struct ftrace_ops *
1950 +-ftrace_find_tramp_ops_any(struct dyn_ftrace *rec);
1951 +-static struct ftrace_ops *
1952 +-ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops);
1953 +-
1954 + enum ftrace_bug_type ftrace_bug_type;
1955 + const void *ftrace_expected;
1956 +
1957 +diff --git a/mm/cma.c b/mm/cma.c
1958 +index 56761e40d191..c4a34c813d47 100644
1959 +--- a/mm/cma.c
1960 ++++ b/mm/cma.c
1961 +@@ -277,6 +277,12 @@ int __init cma_declare_contiguous(phys_addr_t base,
1962 + */
1963 + alignment = max(alignment, (phys_addr_t)PAGE_SIZE <<
1964 + max_t(unsigned long, MAX_ORDER - 1, pageblock_order));
1965 ++ if (fixed && base & (alignment - 1)) {
1966 ++ ret = -EINVAL;
1967 ++ pr_err("Region at %pa must be aligned to %pa bytes\n",
1968 ++ &base, &alignment);
1969 ++ goto err;
1970 ++ }
1971 + base = ALIGN(base, alignment);
1972 + size = ALIGN(size, alignment);
1973 + limit &= ~(alignment - 1);
1974 +@@ -307,6 +313,13 @@ int __init cma_declare_contiguous(phys_addr_t base,
1975 + if (limit == 0 || limit > memblock_end)
1976 + limit = memblock_end;
1977 +
1978 ++ if (base + size > limit) {
1979 ++ ret = -EINVAL;
1980 ++ pr_err("Size (%pa) of region at %pa exceeds limit (%pa)\n",
1981 ++ &size, &base, &limit);
1982 ++ goto err;
1983 ++ }
1984 ++
1985 + /* Reserve memory */
1986 + if (fixed) {
1987 + if (memblock_is_region_reserved(base, size) ||
1988 +diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
1989 +index 524068d71bc1..9d9f6bb1e56e 100644
1990 +--- a/security/selinux/ss/policydb.c
1991 ++++ b/security/selinux/ss/policydb.c
1992 +@@ -275,6 +275,8 @@ static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2)
1993 + return v;
1994 + }
1995 +
1996 ++static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap);
1997 ++
1998 + /*
1999 + * Initialize a policy database structure.
2000 + */
2001 +@@ -322,8 +324,10 @@ static int policydb_init(struct policydb *p)
2002 + out:
2003 + hashtab_destroy(p->filename_trans);
2004 + hashtab_destroy(p->range_tr);
2005 +- for (i = 0; i < SYM_NUM; i++)
2006 ++ for (i = 0; i < SYM_NUM; i++) {
2007 ++ hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
2008 + hashtab_destroy(p->symtab[i].table);
2009 ++ }
2010 + return rc;
2011 + }
2012 +
2013 +diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
2014 +index e6cef5a160e7..d089c711355a 100644
2015 +--- a/tools/objtool/elf.c
2016 ++++ b/tools/objtool/elf.c
2017 +@@ -305,7 +305,7 @@ static int read_symbols(struct elf *elf)
2018 + if (sym->type != STT_FUNC)
2019 + continue;
2020 + sym->pfunc = sym->cfunc = sym;
2021 +- coldstr = strstr(sym->name, ".cold.");
2022 ++ coldstr = strstr(sym->name, ".cold");
2023 + if (!coldstr)
2024 + continue;
2025 +
Report Message
Find on MARC Find on Google Groups