Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Thu, 31 Jan 2019 11:24:08
Message-Id: 1548933813.613bef45571bde8dff42f7f55d611b54193460ea.mpagano@gentoo
commit:     613bef45571bde8dff42f7f55d611b54193460ea
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 31 11:23:33 2019 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Thu Jan 31 11:23:33 2019 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=613bef45

proj/linux-patches: Linux patch 4.14.97

Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>

 0000_README              |    4 +
 1096_linux-4.14.97.patch | 3121 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 3125 insertions(+)

diff --git a/0000_README b/0000_README
index 628069f..c08af0d 100644
--- a/0000_README
+++ b/0000_README
@@ -427,6 +427,10 @@ Patch:  1095_4.14.96.patch
 From:   http://www.kernel.org
 Desc:   Linux 4.14.96
 
+Patch:  1096_4.14.97.patch
+From:   http://www.kernel.org
+Desc:   Linux 4.14.97
+
 Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.

diff --git a/1096_linux-4.14.97.patch b/1096_linux-4.14.97.patch
new file mode 100644
index 0000000..d0a307b
--- /dev/null
+++ b/1096_linux-4.14.97.patch
@@ -0,0 +1,3121 @@
+diff --git a/Makefile b/Makefile
+index 57b45169ed85..485afde0f1f1 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 4
+ PATCHLEVEL = 14
+-SUBLEVEL = 96
++SUBLEVEL = 97
+ EXTRAVERSION =
+ NAME = Petit Gorille
+ 
+diff --git a/arch/arc/include/asm/perf_event.h b/arch/arc/include/asm/perf_event.h
+index 9185541035cc..6958545390f0 100644
+--- a/arch/arc/include/asm/perf_event.h
++++ b/arch/arc/include/asm/perf_event.h
+@@ -103,7 +103,8 @@ static const char * const arc_pmu_ev_hw_map[] = {
+ 
+ 	/* counts condition */
+ 	[PERF_COUNT_HW_INSTRUCTIONS] = "iall",
+-	[PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = "ijmp", /* Excludes ZOL jumps */
++	/* All jump instructions that are taken */
++	[PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = "ijmptak",
+ 	[PERF_COUNT_ARC_BPOK]         = "bpok",	  /* NP-NT, PT-T, PNT-NT */
+ #ifdef CONFIG_ISA_ARCV2
+ 	[PERF_COUNT_HW_BRANCH_MISSES] = "bpmp",
+diff --git a/arch/arc/lib/memset-archs.S b/arch/arc/lib/memset-archs.S
+index 62ad4bcb841a..f230bb7092fd 100644
+--- a/arch/arc/lib/memset-archs.S
++++ b/arch/arc/lib/memset-archs.S
+@@ -7,11 +7,39 @@
+  */
+ 
+ #include <linux/linkage.h>
++#include <asm/cache.h>
+ 
+-#undef PREALLOC_NOT_AVAIL
++/*
++ * The memset implementation below is optimized to use prefetchw and prealloc
++ * instruction in case of CPU with 64B L1 data cache line (L1_CACHE_SHIFT == 6)
++ * If you want to implement optimized memset for other possible L1 data cache
++ * line lengths (32B and 128B) you should rewrite code carefully checking
++ * we don't call any prefetchw/prealloc instruction for L1 cache lines which
++ * don't belongs to memset area.
++ */
++
++#if L1_CACHE_SHIFT == 6
++
++.macro PREALLOC_INSTR	reg, off
++	prealloc	[\reg, \off]
++.endm
++
++.macro PREFETCHW_INSTR	reg, off
++	prefetchw	[\reg, \off]
++.endm
++
++#else
++
++.macro PREALLOC_INSTR
++.endm
++
++.macro PREFETCHW_INSTR
++.endm
++
++#endif
+ 
+ ENTRY_CFI(memset)
+-	prefetchw [r0]		; Prefetch the write location
++	PREFETCHW_INSTR	r0, 0	; Prefetch the first write location
+ 	mov.f	0, r2
+ ;;; if size is zero
+ 	jz.d	[blink]
+@@ -48,11 +76,8 @@ ENTRY_CFI(memset)
+ 
+ 	lpnz	@.Lset64bytes
+ 	;; LOOP START
+-#ifdef PREALLOC_NOT_AVAIL
+-	prefetchw [r3, 64]	;Prefetch the next write location
+-#else
+-	prealloc  [r3, 64]
+-#endif
++	PREALLOC_INSTR	r3, 64	; alloc next line w/o fetching
++
+ #ifdef CONFIG_ARC_HAS_LL64
+ 	std.ab	r4, [r3, 8]
+ 	std.ab	r4, [r3, 8]
+@@ -85,7 +110,6 @@ ENTRY_CFI(memset)
+ 	lsr.f	lp_count, r2, 5 ;Last remaining  max 124 bytes
+ 	lpnz	.Lset32bytes
+ 	;; LOOP START
+-	prefetchw   [r3, 32]	;Prefetch the next write location
+ #ifdef CONFIG_ARC_HAS_LL64
+ 	std.ab	r4, [r3, 8]
+ 	std.ab	r4, [r3, 8]
+diff --git a/arch/arc/mm/init.c b/arch/arc/mm/init.c
+index ba145065c579..f890b2f9f82f 100644
+--- a/arch/arc/mm/init.c
++++ b/arch/arc/mm/init.c
+@@ -138,7 +138,8 @@ void __init setup_arch_memory(void)
+ 	 */
+ 
+ 	memblock_add_node(low_mem_start, low_mem_sz, 0);
+-	memblock_reserve(low_mem_start, __pa(_end) - low_mem_start);
++	memblock_reserve(CONFIG_LINUX_LINK_BASE,
++			 __pa(_end) - CONFIG_LINUX_LINK_BASE);
+ 
+ #ifdef CONFIG_BLK_DEV_INITRD
+ 	if (initrd_start)
+diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c
+index a3219837fa70..4ba5ad44a21a 100644
+--- a/arch/s390/kernel/early.c
++++ b/arch/s390/kernel/early.c
+@@ -226,10 +226,10 @@ static noinline __init void detect_machine_type(void)
+ 	if (stsi(vmms, 3, 2, 2) || !vmms->count)
+ 		return;
+ 
+-	/* Running under KVM? If not we assume z/VM */
++	/* Detect known hypervisors */
+ 	if (!memcmp(vmms->vm[0].cpi, "\xd2\xe5\xd4", 3))
+ 		S390_lowcore.machine_flags |= MACHINE_FLAG_KVM;
+-	else
++	else if (!memcmp(vmms->vm[0].cpi, "\xa9\x61\xe5\xd4", 4))
+ 		S390_lowcore.machine_flags |= MACHINE_FLAG_VM;
+ }
+ 
+diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
+index 98c1f7941142..3cb71fc94995 100644
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -884,6 +884,8 @@ void __init setup_arch(char **cmdline_p)
+ 		pr_info("Linux is running under KVM in 64-bit mode\n");
+ 	else if (MACHINE_IS_LPAR)
+ 		pr_info("Linux is running natively in 64-bit mode\n");
++	else
++		pr_info("Linux is running as a guest in 64-bit mode\n");
+ 
+ 	/* Have one command line that is parsed and saved in /proc/cmdline */
+ 	/* boot_command_line has been already set up in early.c */
+diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
+index ae5df4177803..27258db640d7 100644
+--- a/arch/s390/kernel/smp.c
++++ b/arch/s390/kernel/smp.c
+@@ -387,9 +387,13 @@ void smp_call_online_cpu(void (*func)(void *), void *data)
+  */
+ void smp_call_ipl_cpu(void (*func)(void *), void *data)
+ {
++	struct lowcore *lc = pcpu_devices->lowcore;
++
++	if (pcpu_devices[0].address == stap())
++		lc = &S390_lowcore;
++
+ 	pcpu_delegate(&pcpu_devices[0], func, data,
+-		      pcpu_devices->lowcore->panic_stack -
+-		      PANIC_FRAME_OFFSET + PAGE_SIZE);
++		      lc->panic_stack - PANIC_FRAME_OFFSET + PAGE_SIZE);
+ }
+ 
+ int smp_find_processor_id(u16 address)
+@@ -1168,7 +1172,11 @@ static ssize_t __ref rescan_store(struct device *dev,
+ {
+ 	int rc;
+ 
++	rc = lock_device_hotplug_sysfs();
++	if (rc)
++		return rc;
+ 	rc = smp_rescan_cpus();
++	unlock_device_hotplug();
+ 	return rc ? rc : count;
+ }
+ static DEVICE_ATTR(rescan, 0200, NULL, rescan_store);
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+index 1911310959f8..a77fd3c8d824 100644
+--- a/arch/x86/entry/vdso/vma.c
++++ b/arch/x86/entry/vdso/vma.c
+@@ -112,7 +112,7 @@ static int vvar_fault(const struct vm_special_mapping *sm,
+ 				    __pa_symbol(&__vvar_page) >> PAGE_SHIFT);
+ 	} else if (sym_offset == image->sym_pvclock_page) {
+ 		struct pvclock_vsyscall_time_info *pvti =
+-			pvclock_pvti_cpu0_va();
++			pvclock_get_pvti_cpu0_va();
+ 		if (pvti && vclock_was_used(VCLOCK_PVCLOCK)) {
+ 			ret = vm_insert_pfn(
+ 				vma,
+diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
+index ed97ef3b48a7..7ebcbd1d881d 100644
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -182,6 +182,10 @@ static inline void switch_ldt(struct mm_struct *prev, struct mm_struct *next)
+ 
+ void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk);
+ 
++/*
++ * Init a new mm.  Used on mm copies, like at fork()
++ * and on mm's that are brand-new, like at execve().
++ */
+ static inline int init_new_context(struct task_struct *tsk,
+ 				   struct mm_struct *mm)
+ {
+@@ -232,8 +236,22 @@ do {						\
+ } while (0)
+ #endif
+ 
++static inline void arch_dup_pkeys(struct mm_struct *oldmm,
++				  struct mm_struct *mm)
++{
++#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
++	if (!cpu_feature_enabled(X86_FEATURE_OSPKE))
++		return;
++
++	/* Duplicate the oldmm pkey state in mm: */
++	mm->context.pkey_allocation_map = oldmm->context.pkey_allocation_map;
++	mm->context.execute_only_pkey   = oldmm->context.execute_only_pkey;
++#endif
++}
++
+ static inline int arch_dup_mmap(struct mm_struct *oldmm, struct mm_struct *mm)
+ {
++	arch_dup_pkeys(oldmm, mm);
+ 	paravirt_arch_dup_mmap(oldmm, mm);
+ 	return ldt_dup_context(oldmm, mm);
+ }
+diff --git a/arch/x86/include/asm/pvclock.h b/arch/x86/include/asm/pvclock.h
+index 3e4ed8fb5f91..a7471dcd2205 100644
+--- a/arch/x86/include/asm/pvclock.h
++++ b/arch/x86/include/asm/pvclock.h
+@@ -5,15 +5,6 @@
+ #include <linux/clocksource.h>
+ #include <asm/pvclock-abi.h>
+ 
+-#ifdef CONFIG_KVM_GUEST
+-extern struct pvclock_vsyscall_time_info *pvclock_pvti_cpu0_va(void);
+-#else
+-static inline struct pvclock_vsyscall_time_info *pvclock_pvti_cpu0_va(void)
+-{
+-	return NULL;
+-}
+-#endif
+-
+ /* some helper functions for xen and kvm pv clock sources */
+ u64 pvclock_clocksource_read(struct pvclock_vcpu_time_info *src);
+ u8 pvclock_read_flags(struct pvclock_vcpu_time_info *src);
+@@ -102,4 +93,14 @@ struct pvclock_vsyscall_time_info {
+ 
+ #define PVTI_SIZE sizeof(struct pvclock_vsyscall_time_info)
+ 
++#ifdef CONFIG_PARAVIRT_CLOCK
++void pvclock_set_pvti_cpu0_va(struct pvclock_vsyscall_time_info *pvti);
++struct pvclock_vsyscall_time_info *pvclock_get_pvti_cpu0_va(void);
++#else
++static inline struct pvclock_vsyscall_time_info *pvclock_get_pvti_cpu0_va(void)
++{
++	return NULL;
++}
++#endif
++
+ #endif /* _ASM_X86_PVCLOCK_H */
+diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
+index 48703d430a2f..08806d64eacd 100644
+--- a/arch/x86/kernel/kvmclock.c
++++ b/arch/x86/kernel/kvmclock.c
+@@ -47,12 +47,6 @@ early_param("no-kvmclock", parse_no_kvmclock);
+ static struct pvclock_vsyscall_time_info *hv_clock;
+ static struct pvclock_wall_clock wall_clock;
+ 
+-struct pvclock_vsyscall_time_info *pvclock_pvti_cpu0_va(void)
+-{
+-	return hv_clock;
+-}
+-EXPORT_SYMBOL_GPL(pvclock_pvti_cpu0_va);
+-
+ /*
+  * The wallclock is the time of day when we booted. Since then, some time may
+  * have elapsed since the hypervisor wrote the data. So we try to account for
+@@ -335,6 +329,7 @@ int __init kvm_setup_vsyscall_timeinfo(void)
+ 		return 1;
+ 	}
+ 
++	pvclock_set_pvti_cpu0_va(hv_clock);
+ 	put_cpu();
+ 
+ 	kvm_clock.archdata.vclock_mode = VCLOCK_PVCLOCK;
+diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
+index 5c3f6d6a5078..761f6af6efa5 100644
+--- a/arch/x86/kernel/pvclock.c
++++ b/arch/x86/kernel/pvclock.c
+@@ -25,8 +25,10 @@
+ 
+ #include <asm/fixmap.h>
+ #include <asm/pvclock.h>
++#include <asm/vgtod.h>
+ 
+ static u8 valid_flags __read_mostly = 0;
++static struct pvclock_vsyscall_time_info *pvti_cpu0_va __read_mostly;
+ 
+ void pvclock_set_flags(u8 flags)
+ {
+@@ -144,3 +146,15 @@ void pvclock_read_wallclock(struct pvclock_wall_clock *wall_clock,
+ 
+ 	set_normalized_timespec(ts, now.tv_sec, now.tv_nsec);
+ }
++
++void pvclock_set_pvti_cpu0_va(struct pvclock_vsyscall_time_info *pvti)
++{
++	WARN_ON(vclock_was_used(VCLOCK_PVCLOCK));
++	pvti_cpu0_va = pvti;
++}
++
++struct pvclock_vsyscall_time_info *pvclock_get_pvti_cpu0_va(void)
++{
++	return pvti_cpu0_va;
++}
++EXPORT_SYMBOL_GPL(pvclock_get_pvti_cpu0_va);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 130be2efafbe..867c22f8d59b 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5923,8 +5923,7 @@ restart:
+ 		toggle_interruptibility(vcpu, ctxt->interruptibility);
+ 		vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
+ 		kvm_rip_write(vcpu, ctxt->eip);
+-		if (r == EMULATE_DONE &&
+-		    (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP)))
++		if (r == EMULATE_DONE && ctxt->tf)
+ 			kvm_vcpu_do_singlestep(vcpu, &r);
+ 		if (!ctxt->have_exception ||
+ 		    exception_type(ctxt->exception.vector) == EXCPT_TRAP)
+@@ -7423,14 +7422,12 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+ 		}
+ 	}
+ 
+-	kvm_load_guest_fpu(vcpu);
+-
+ 	if (unlikely(vcpu->arch.complete_userspace_io)) {
+ 		int (*cui)(struct kvm_vcpu *) = vcpu->arch.complete_userspace_io;
+ 		vcpu->arch.complete_userspace_io = NULL;
+ 		r = cui(vcpu);
+ 		if (r <= 0)
+-			goto out_fpu;
++			goto out;
+ 	} else
+ 		WARN_ON(vcpu->arch.pio.count || vcpu->mmio_needed);
+ 
+@@ -7439,8 +7436,6 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
+ 	else
+ 		r = vcpu_run(vcpu);
+ 
+-out_fpu:
+-	kvm_put_guest_fpu(vcpu);
+ out:
+ 	kvm_put_guest_fpu(vcpu);
+ 	post_kvm_run_save(vcpu);
+diff --git a/arch/x86/lib/kaslr.c b/arch/x86/lib/kaslr.c
+index 79778ab200e4..a53665116458 100644
+--- a/arch/x86/lib/kaslr.c
++++ b/arch/x86/lib/kaslr.c
+@@ -36,8 +36,8 @@ static inline u16 i8254(void)
+ 	u16 status, timer;
+ 
+ 	do {
+-		outb(I8254_PORT_CONTROL,
+-		     I8254_CMD_READBACK | I8254_SELECT_COUNTER0);
++		outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0,
++		     I8254_PORT_CONTROL);
+ 		status = inb(I8254_PORT_COUNTER0);
+ 		timer  = inb(I8254_PORT_COUNTER0);
+ 		timer |= inb(I8254_PORT_COUNTER0) << 8;
+diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c
+index 3e3a58ea669e..1d83152c761b 100644
+--- a/arch/x86/xen/suspend.c
++++ b/arch/x86/xen/suspend.c
+@@ -22,6 +22,8 @@ static DEFINE_PER_CPU(u64, spec_ctrl);
+ 
+ void xen_arch_pre_suspend(void)
+ {
++	xen_save_time_memory_area();
++
+ 	if (xen_pv_domain())
+ 		xen_pv_pre_suspend();
+ }
+@@ -32,6 +34,8 @@ void xen_arch_post_suspend(int cancelled)
+ 		xen_pv_post_suspend(cancelled);
+ 	else
+ 		xen_hvm_post_suspend(cancelled);
++
++	xen_restore_time_memory_area();
+ }
+ 
+ static void xen_vcpu_notify_restore(void *data)
+diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c
+index 80c2a4bdf230..03706331f567 100644
+--- a/arch/x86/xen/time.c
++++ b/arch/x86/xen/time.c
+@@ -31,6 +31,8 @@
+ /* Xen may fire a timer up to this many ns early */
+ #define TIMER_SLOP	100000
+ 
++static u64 xen_sched_clock_offset __read_mostly;
++
+ /* Get the TSC speed from Xen */
+ static unsigned long xen_tsc_khz(void)
+ {
+@@ -57,6 +59,11 @@ static u64 xen_clocksource_get_cycles(struct clocksource *cs)
+ 	return xen_clocksource_read();
+ }
+ 
++static u64 xen_sched_clock(void)
++{
++	return xen_clocksource_read() - xen_sched_clock_offset;
++}
++
+ static void xen_read_wallclock(struct timespec *ts)
+ {
+ 	struct shared_info *s = HYPERVISOR_shared_info;
+@@ -354,8 +361,6 @@ void xen_timer_resume(void)
+ {
+ 	int cpu;
+ 
+-	pvclock_resume();
+-
+ 	if (xen_clockevent != &xen_vcpuop_clockevent)
+ 		return;
+ 
+@@ -367,12 +372,107 @@ void xen_timer_resume(void)
+ }
+ 
+ static const struct pv_time_ops xen_time_ops __initconst = {
+-	.sched_clock = xen_clocksource_read,
++	.sched_clock = xen_sched_clock,
+ 	.steal_clock = xen_steal_clock,
+ };
+ 
++static struct pvclock_vsyscall_time_info *xen_clock __read_mostly;
++static u64 xen_clock_value_saved;
++
++void xen_save_time_memory_area(void)
++{
++	struct vcpu_register_time_memory_area t;
++	int ret;
++
++	xen_clock_value_saved = xen_clocksource_read() - xen_sched_clock_offset;
++
++	if (!xen_clock)
++		return;
++
++	t.addr.v = NULL;
++
++	ret = HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_time_memory_area, 0, &t);
++	if (ret != 0)
++		pr_notice("Cannot save secondary vcpu_time_info (err %d)",
++			  ret);
++	else
++		clear_page(xen_clock);
++}
++
++void xen_restore_time_memory_area(void)
++{
++	struct vcpu_register_time_memory_area t;
++	int ret;
++
++	if (!xen_clock)
++		goto out;
++
++	t.addr.v = &xen_clock->pvti;
++
++	ret = HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_time_memory_area, 0, &t);
++
++	/*
++	 * We don't disable VCLOCK_PVCLOCK entirely if it fails to register the
++	 * secondary time info with Xen or if we migrated to a host without the
++	 * necessary flags. On both of these cases what happens is either
++	 * process seeing a zeroed out pvti or seeing no PVCLOCK_TSC_STABLE_BIT
++	 * bit set. Userspace checks the latter and if 0, it discards the data
++	 * in pvti and fallbacks to a system call for a reliable timestamp.
++	 */
++	if (ret != 0)
++		pr_notice("Cannot restore secondary vcpu_time_info (err %d)",
++			  ret);
++
++out:
++	/* Need pvclock_resume() before using xen_clocksource_read(). */
++	pvclock_resume();
++	xen_sched_clock_offset = xen_clocksource_read() - xen_clock_value_saved;
++}
++
++static void xen_setup_vsyscall_time_info(void)
++{
++	struct vcpu_register_time_memory_area t;
++	struct pvclock_vsyscall_time_info *ti;
++	int ret;
++
++	ti = (struct pvclock_vsyscall_time_info *)get_zeroed_page(GFP_KERNEL);
++	if (!ti)
++		return;
++
++	t.addr.v = &ti->pvti;
++
++	ret = HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_time_memory_area, 0, &t);
++	if (ret) {
++		pr_notice("xen: VCLOCK_PVCLOCK not supported (err %d)\n", ret);
++		free_page((unsigned long)ti);
++		return;
++	}
++
++	/*
++	 * If primary time info had this bit set, secondary should too since
++	 * it's the same data on both just different memory regions. But we
++	 * still check it in case hypervisor is buggy.
++	 */
++	if (!(ti->pvti.flags & PVCLOCK_TSC_STABLE_BIT)) {
++		t.addr.v = NULL;
++		ret = HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_time_memory_area,
++					 0, &t);
++		if (!ret)
++			free_page((unsigned long)ti);
++
++		pr_notice("xen: VCLOCK_PVCLOCK not supported (tsc unstable)\n");
++		return;
++	}
++
++	xen_clock = ti;
++	pvclock_set_pvti_cpu0_va(xen_clock);
++
++	xen_clocksource.archdata.vclock_mode = VCLOCK_PVCLOCK;
++}
++
+ static void __init xen_time_init(void)
+ {
++	struct pvclock_vcpu_time_info *pvti;
+ 	int cpu = smp_processor_id();
+ 	struct timespec tp;
+ 
+@@ -396,6 +496,16 @@ static void __init xen_time_init(void)
+ 
+ 	setup_force_cpu_cap(X86_FEATURE_TSC);
+ 
++	/*
++	 * We check ahead on the primary time info if this
++	 * bit is supported hence speeding up Xen clocksource.
++	 */
++	pvti = &__this_cpu_read(xen_vcpu)->time;
++	if (pvti->flags & PVCLOCK_TSC_STABLE_BIT) {
++		pvclock_set_flags(PVCLOCK_TSC_STABLE_BIT);
++		xen_setup_vsyscall_time_info();
++	}
++
+ 	xen_setup_runstate_info(cpu);
+ 	xen_setup_timer(cpu);
+ 	xen_setup_cpu_clockevents();
+@@ -408,6 +518,7 @@ static void __init xen_time_init(void)
+ 
+ void __ref xen_init_time_ops(void)
+ {
++	xen_sched_clock_offset = xen_clocksource_read();
+ 	pv_time_ops = xen_time_ops;
+ 
+ 	x86_init.timers.timer_init = xen_time_init;
+@@ -450,6 +561,7 @@ void __init xen_hvm_init_time_ops(void)
+ 		return;
+ 	}
+ 
++	xen_sched_clock_offset = xen_clocksource_read();
+ 	pv_time_ops = xen_time_ops;
+ 	x86_init.timers.setup_percpu_clockev = xen_time_init;
+ 	x86_cpuinit.setup_percpu_clockev = xen_hvm_setup_cpu_clockevents;
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index f377e1820c6c..75011b80660f 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -70,6 +70,8 @@ void xen_setup_runstate_info(int cpu);
+ void xen_teardown_timer(int cpu);
+ u64 xen_clocksource_read(void);
+ void xen_setup_cpu_clockevents(void);
++void xen_save_time_memory_area(void);
++void xen_restore_time_memory_area(void);
+ void __init xen_init_time_ops(void);
+ void __init xen_hvm_init_time_ops(void);
+ 
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 8260b90eb64b..4a6c5e7b6835 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -208,6 +208,32 @@ static int xlat_status(struct nvdimm *nvdimm, void *buf, unsigned int cmd,
+ 	return xlat_nvdimm_status(buf, cmd, status);
+ }
+ 
++static int cmd_to_func(struct nfit_mem *nfit_mem, unsigned int cmd,
++		struct nd_cmd_pkg *call_pkg)
++{
++	if (call_pkg) {
++		int i;
++
++		if (nfit_mem->family != call_pkg->nd_family)
++			return -ENOTTY;
++
++		for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
++			if (call_pkg->nd_reserved2[i])
++				return -EINVAL;
++		return call_pkg->nd_command;
++	}
++
++	/* Linux ND commands == NVDIMM_FAMILY_INTEL function numbers */
++	if (nfit_mem->family == NVDIMM_FAMILY_INTEL)
++		return cmd;
++
++	/*
++	 * Force function number validation to fail since 0 is never
++	 * published as a valid function in dsm_mask.
++	 */
++	return 0;
++}
++
+ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ 		unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc)
+ {
+@@ -220,21 +246,11 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ 	unsigned long cmd_mask, dsm_mask;
+ 	u32 offset, fw_status = 0;
+ 	acpi_handle handle;
+-	unsigned int func;
+ 	const guid_t *guid;
+-	int rc, i;
++	int func, rc, i;
+ 
+ 	if (cmd_rc)
+ 		*cmd_rc = -EINVAL;
+-	func = cmd;
+-	if (cmd == ND_CMD_CALL) {
+-		call_pkg = buf;
+-		func = call_pkg->nd_command;
+-
+-		for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++)
+-			if (call_pkg->nd_reserved2[i])
+-				return -EINVAL;
+-	}
+ 
+ 	if (nvdimm) {
+ 		struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm);
+@@ -242,9 +258,12 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ 
+ 		if (!adev)
+ 			return -ENOTTY;
+-		if (call_pkg && nfit_mem->family != call_pkg->nd_family)
+-			return -ENOTTY;
+ 
++		if (cmd == ND_CMD_CALL)
++			call_pkg = buf;
++		func = cmd_to_func(nfit_mem, cmd, call_pkg);
++		if (func < 0)
++			return func;
+ 		dimm_name = nvdimm_name(nvdimm);
+ 		cmd_name = nvdimm_cmd_name(cmd);
+ 		cmd_mask = nvdimm_cmd_mask(nvdimm);
+@@ -255,6 +274,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ 	} else {
+ 		struct acpi_device *adev = to_acpi_dev(acpi_desc);
+ 
++		func = cmd;
+ 		cmd_name = nvdimm_bus_cmd_name(cmd);
+ 		cmd_mask = nd_desc->cmd_mask;
+ 		dsm_mask = cmd_mask;
+@@ -269,7 +289,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ 	if (!desc || (cmd && (desc->out_num + desc->in_num == 0)))
+ 		return -ENOTTY;
+ 
+-	if (!test_bit(cmd, &cmd_mask) || !test_bit(func, &dsm_mask))
++	/*
++	 * Check for a valid command.  For ND_CMD_CALL, we also have to
++	 * make sure that the DSM function is supported.
++	 */
++	if (cmd == ND_CMD_CALL && !test_bit(func, &dsm_mask))
++		return -ENOTTY;
++	else if (!test_bit(cmd, &cmd_mask))
+ 		return -ENOTTY;
+ 
+ 	in_obj.type = ACPI_TYPE_PACKAGE;
+@@ -1503,6 +1529,13 @@ static int acpi_nfit_add_dimm(struct acpi_nfit_desc *acpi_desc,
+ 		return 0;
+ 	}
+ 
++	/*
++	 * Function 0 is the command interrogation function, don't
++	 * export it to potential userspace use, and enable it to be
++	 * used as an error value in acpi_nfit_ctl().
++	 */
++	dsm_mask &= ~1UL;
++
+ 	guid = to_nfit_uuid(nfit_mem->family);
+ 	for_each_set_bit(i, &dsm_mask, BITS_PER_LONG)
+ 		if (acpi_check_dsm(adev_dimm->handle, guid, 1, 1ULL << i))
+diff --git a/drivers/char/mwave/mwavedd.c b/drivers/char/mwave/mwavedd.c
+index b5e3103c1175..e43c876a9223 100644
+--- a/drivers/char/mwave/mwavedd.c
++++ b/drivers/char/mwave/mwavedd.c
+@@ -59,6 +59,7 @@
+ #include <linux/mutex.h>
+ #include <linux/delay.h>
+ #include <linux/serial_8250.h>
++#include <linux/nospec.h>
+ #include "smapi.h"
+ #include "mwavedd.h"
+ #include "3780i.h"
+@@ -289,6 +290,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd,
+ 						ipcnum);
+ 				return -EINVAL;
+ 			}
++			ipcnum = array_index_nospec(ipcnum,
++						    ARRAY_SIZE(pDrvData->IPCs));
+ 			PRINTK_3(TRACE_MWAVE,
+ 				"mwavedd::mwave_ioctl IOCTL_MW_REGISTER_IPC"
+ 				" ipcnum %x entry usIntCount %x\n",
+@@ -317,6 +320,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd,
+ 						" Invalid ipcnum %x\n", ipcnum);
+ 				return -EINVAL;
+ 			}
++			ipcnum = array_index_nospec(ipcnum,
++						    ARRAY_SIZE(pDrvData->IPCs));
+ 			PRINTK_3(TRACE_MWAVE,
+ 				"mwavedd::mwave_ioctl IOCTL_MW_GET_IPC"
+ 				" ipcnum %x, usIntCount %x\n",
+@@ -383,6 +388,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd,
+ 						ipcnum);
+ 				return -EINVAL;
+ 			}
++			ipcnum = array_index_nospec(ipcnum,
++						    ARRAY_SIZE(pDrvData->IPCs));
+ 			mutex_lock(&mwave_mutex);
+ 			if (pDrvData->IPCs[ipcnum].bIsEnabled == true) {
+ 				pDrvData->IPCs[ipcnum].bIsEnabled = false;
+diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
+index db0e6652d7ef..0824405f93fb 100644
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -846,12 +846,14 @@ static unsigned long handle_pg_range(unsigned long pg_start,
+ 			pfn_cnt -= pgs_ol;
+ 			/*
+ 			 * Check if the corresponding memory block is already
+-			 * online by checking its last previously backed page.
+-			 * In case it is we need to bring rest (which was not
+-			 * backed previously) online too.
++			 * online. It is possible to observe struct pages still
++			 * being uninitialized here so check section instead.
++			 * In case the section is online we need to bring the
++			 * rest of pfns (which were not backed previously)
++			 * online too.
+ 			 */
+ 			if (start_pfn > has->start_pfn &&
+-			    !PageReserved(pfn_to_page(start_pfn - 1)))
++			    online_section_nr(pfn_to_section_nr(start_pfn)))
+ 				hv_bring_pgs_online(has, start_pfn, pgs_ol);
+ 
+ 		}
+diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
+index 3f8dde8d59ba..74c1dfb8183b 100644
+--- a/drivers/hv/ring_buffer.c
++++ b/drivers/hv/ring_buffer.c
+@@ -141,26 +141,25 @@ static u32 hv_copyto_ringbuffer(
+ }
+ 
+ /* Get various debug metrics for the specified ring buffer. */
+-void hv_ringbuffer_get_debuginfo(const struct hv_ring_buffer_info *ring_info,
+-				 struct hv_ring_buffer_debug_info *debug_info)
++int hv_ringbuffer_get_debuginfo(const struct hv_ring_buffer_info *ring_info,
++				struct hv_ring_buffer_debug_info *debug_info)
+ {
+ 	u32 bytes_avail_towrite;
+ 	u32 bytes_avail_toread;
+ 
+-	if (ring_info->ring_buffer) {
+-		hv_get_ringbuffer_availbytes(ring_info,
+-					&bytes_avail_toread,
+-					&bytes_avail_towrite);
+-
+-		debug_info->bytes_avail_toread = bytes_avail_toread;
+-		debug_info->bytes_avail_towrite = bytes_avail_towrite;
+-		debug_info->current_read_index =
+-			ring_info->ring_buffer->read_index;
+-		debug_info->current_write_index =
+-			ring_info->ring_buffer->write_index;
+-		debug_info->current_interrupt_mask =
+-			ring_info->ring_buffer->interrupt_mask;
+-	}
++	if (!ring_info->ring_buffer)
++		return -EINVAL;
++
++	hv_get_ringbuffer_availbytes(ring_info,
++				     &bytes_avail_toread,
++				     &bytes_avail_towrite);
++	debug_info->bytes_avail_toread = bytes_avail_toread;
++	debug_info->bytes_avail_towrite = bytes_avail_towrite;
++	debug_info->current_read_index = ring_info->ring_buffer->read_index;
++	debug_info->current_write_index = ring_info->ring_buffer->write_index;
++	debug_info->current_interrupt_mask
++		= ring_info->ring_buffer->interrupt_mask;
++	return 0;
+ }
+ EXPORT_SYMBOL_GPL(hv_ringbuffer_get_debuginfo);
+ 
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 4218a616f1d3..1fd812ed679b 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -297,12 +297,16 @@ static ssize_t out_intr_mask_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info outbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
++					  &outbound);
++	if (ret < 0)
++		return ret;
++
+ 	return sprintf(buf, "%d\n", outbound.current_interrupt_mask);
+ }
+ static DEVICE_ATTR_RO(out_intr_mask);
+@@ -312,12 +316,15 @@ static ssize_t out_read_index_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info outbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
++					  &outbound);
++	if (ret < 0)
++		return ret;
+ 	return sprintf(buf, "%d\n", outbound.current_read_index);
+ }
+ static DEVICE_ATTR_RO(out_read_index);
+@@ -328,12 +335,15 @@ static ssize_t out_write_index_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info outbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
++					  &outbound);
++	if (ret < 0)
++		return ret;
+ 	return sprintf(buf, "%d\n", outbound.current_write_index);
+ }
+ static DEVICE_ATTR_RO(out_write_index);
+@@ -344,12 +354,15 @@ static ssize_t out_read_bytes_avail_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info outbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
++					  &outbound);
++	if (ret < 0)
++		return ret;
+ 	return sprintf(buf, "%d\n", outbound.bytes_avail_toread);
+ }
+ static DEVICE_ATTR_RO(out_read_bytes_avail);
+@@ -360,12 +373,15 @@ static ssize_t out_write_bytes_avail_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info outbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound,
++					  &outbound);
++	if (ret < 0)
++		return ret;
+ 	return sprintf(buf, "%d\n", outbound.bytes_avail_towrite);
+ }
+ static DEVICE_ATTR_RO(out_write_bytes_avail);
+@@ -375,12 +391,15 @@ static ssize_t in_intr_mask_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info inbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++	if (ret < 0)
++		return ret;
++
+ 	return sprintf(buf, "%d\n", inbound.current_interrupt_mask);
+ }
+ static DEVICE_ATTR_RO(in_intr_mask);
+@@ -390,12 +409,15 @@ static ssize_t in_read_index_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info inbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++	if (ret < 0)
++		return ret;
++
+ 	return sprintf(buf, "%d\n", inbound.current_read_index);
+ }
+ static DEVICE_ATTR_RO(in_read_index);
+@@ -405,12 +427,15 @@ static ssize_t in_write_index_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info inbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++	if (ret < 0)
++		return ret;
++
+ 	return sprintf(buf, "%d\n", inbound.current_write_index);
+ }
+ static DEVICE_ATTR_RO(in_write_index);
+@@ -421,12 +446,15 @@ static ssize_t in_read_bytes_avail_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info inbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++	if (ret < 0)
++		return ret;
++
+ 	return sprintf(buf, "%d\n", inbound.bytes_avail_toread);
+ }
+ static DEVICE_ATTR_RO(in_read_bytes_avail);
+@@ -437,12 +465,15 @@ static ssize_t in_write_bytes_avail_show(struct device *dev,
+ {
+ 	struct hv_device *hv_dev = device_to_hv_device(dev);
+ 	struct hv_ring_buffer_debug_info inbound;
++	int ret;
+ 
+ 	if (!hv_dev->channel)
+ 		return -ENODEV;
+-	if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+-		return -EINVAL;
+-	hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++
++	ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound);
++	if (ret < 0)
++		return ret;
++
+ 	return sprintf(buf, "%d\n", inbound.bytes_avail_towrite);
+ }
+ static DEVICE_ATTR_RO(in_write_bytes_avail);
+diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
+index f55dcdf99bc5..26476a64e663 100644
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -255,6 +255,8 @@ static const struct xpad_device {
+ 	{ 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX },
+ 	{ 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX },
+ 	{ 0x102c, 0xff0c, "Joytech Wireless Advanced Controller", 0, XTYPE_XBOX },
++	{ 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
++	{ 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 },
+ 	{ 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 },
+ 	{ 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 },
+ 	{ 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 },
+@@ -431,6 +433,7 @@ static const struct usb_device_id xpad_table[] = {
+ 	XPAD_XBOXONE_VENDOR(0x0e6f),		/* 0x0e6f X-Box One controllers */
+ 	XPAD_XBOX360_VENDOR(0x0f0d),		/* Hori Controllers */
+ 	XPAD_XBOXONE_VENDOR(0x0f0d),		/* Hori Controllers */
++	XPAD_XBOX360_VENDOR(0x1038),		/* SteelSeries Controllers */
+ 	XPAD_XBOX360_VENDOR(0x11c9),		/* Nacon GC100XF */
+ 	XPAD_XBOX360_VENDOR(0x12ab),		/* X-Box 360 dance pads */
+ 	XPAD_XBOX360_VENDOR(0x1430),		/* RedOctane X-Box 360 controllers */
+diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
+index 443151de90c6..8c95d3f78072 100644
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -39,6 +39,7 @@
+ #include <linux/fs.h>
+ #include <linux/miscdevice.h>
+ #include <linux/uinput.h>
++#include <linux/overflow.h>
+ #include <linux/input/mt.h>
+ #include "../input-compat.h"
+ 
+@@ -356,7 +357,7 @@ static int uinput_open(struct inode *inode, struct file *file)
+ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
+ 				   const struct input_absinfo *abs)
+ {
+-	int min, max;
++	int min, max, range;
+ 
+ 	min = abs->minimum;
+ 	max = abs->maximum;
+@@ -368,7 +369,7 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
+ 		return -EINVAL;
+ 	}
+ 
+-	if (abs->flat > max - min) {
++	if (!check_sub_overflow(max, min, &range) && abs->flat > range) {
+ 		printk(KERN_DEBUG
+ 		       "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n",
+ 		       UINPUT_NAME, code, abs->flat, min, max);
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 2ea39a83737f..7638ca03fb1f 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2086,13 +2086,14 @@ static void its_free_device(struct its_device *its_dev)
+ 	kfree(its_dev);
+ }
+ 
+-static int its_alloc_device_irq(struct its_device *dev, irq_hw_number_t *hwirq)
++static int its_alloc_device_irq(struct its_device *dev, int nvecs, irq_hw_number_t *hwirq)
+ {
+ 	int idx;
+ 
+-	idx = find_first_zero_bit(dev->event_map.lpi_map,
+-				  dev->event_map.nr_lpis);
+-	if (idx == dev->event_map.nr_lpis)
++	idx = bitmap_find_free_region(dev->event_map.lpi_map,
++				      dev->event_map.nr_lpis,
++				      get_count_order(nvecs));
++	if (idx < 0)
+ 		return -ENOSPC;
+ 
+ 	*hwirq = dev->event_map.lpi_base + idx;
+@@ -2188,21 +2189,21 @@ static int its_irq_domain_alloc(struct irq_domain *domain, unsigned int virq,
+ 	int err;
+ 	int i;
+ 
+-	for (i = 0; i < nr_irqs; i++) {
+-		err = its_alloc_device_irq(its_dev, &hwirq);
+-		if (err)
+-			return err;
++	err = its_alloc_device_irq(its_dev, nr_irqs, &hwirq);
++	if (err)
++		return err;
+ 
+-		err = its_irq_gic_domain_alloc(domain, virq + i, hwirq);
++	for (i = 0; i < nr_irqs; i++) {
++		err = its_irq_gic_domain_alloc(domain, virq + i, hwirq + i);
+ 		if (err)
+ 			return err;
+ 
+ 		irq_domain_set_hwirq_and_chip(domain, virq + i,
+-					      hwirq, &its_irq_chip, its_dev);
++					      hwirq + i, &its_irq_chip, its_dev);
+ 		irqd_set_single_target(irq_desc_get_irq_data(irq_to_desc(virq + i)));
+ 		pr_debug("ID:%d pID:%d vID:%d\n",
+-			 (int)(hwirq - its_dev->event_map.lpi_base),
+-			 (int) hwirq, virq + i);
++			 (int)(hwirq + i - its_dev->event_map.lpi_base),
++			 (int)(hwirq + i), virq + i);
+ 	}
+ 
+ 	return 0;
+diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
+index 2652ef68d58d..1f6d8b6be5c7 100644
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2413,9 +2413,21 @@ static int crypt_ctr_cipher_new(struct dm_target *ti, char *cipher_in, char *key
+ 	 * capi:cipher_api_spec-iv:ivopts
+ 	 */
+ 	tmp = &cipher_in[strlen("capi:")];
+-	cipher_api = strsep(&tmp, "-");
+-	*ivmode = strsep(&tmp, ":");
+-	*ivopts = tmp;
++
++	/* Separate IV options if present, it can contain another '-' in hash name */
++	*ivopts = strrchr(tmp, ':');
++	if (*ivopts) {
++		**ivopts = '\0';
++		(*ivopts)++;
++	}
++	/* Parse IV mode */
++	*ivmode = strrchr(tmp, '-');
++	if (*ivmode) {
++		**ivmode = '\0';
++		(*ivmode)++;
++	}
++	/* The rest is crypto API spec */
++	cipher_api = tmp;
+ 
+ 	if (*ivmode && !strcmp(*ivmode, "lmk"))
+ 		cc->tfms_count = 64;
+@@ -2485,11 +2497,8 @@ static int crypt_ctr_cipher_old(struct dm_target *ti, char *cipher_in, char *key
+ 		goto bad_mem;
+ 
+ 	chainmode = strsep(&tmp, "-");
+-	*ivopts = strsep(&tmp, "-");
+-	*ivmode = strsep(&*ivopts, ":");
+-
+-	if (tmp)
+-		DMWARN("Ignoring unexpected additional cipher options");
++	*ivmode = strsep(&tmp, ":");
++	*ivopts = tmp;
+ 
+ 	/*
+ 	 * For compatibility with the original dm-crypt mapping format, if
+diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
+index 45ff8fd00248..b85a66f42814 100644
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -1687,7 +1687,7 @@ int dm_thin_remove_range(struct dm_thin_device *td,
+ 	return r;
+ }
+ 
+-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
+ {
+ 	int r;
+ 	uint32_t ref_count;
+@@ -1695,7 +1695,7 @@ int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *resu
+ 	down_read(&pmd->root_lock);
+ 	r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
+ 	if (!r)
+-		*result = (ref_count != 0);
++		*result = (ref_count > 1);
+ 	up_read(&pmd->root_lock);
+ 
+ 	return r;
+diff --git a/drivers/md/dm-thin-metadata.h b/drivers/md/dm-thin-metadata.h
+index 35e954ea20a9..f6be0d733c20 100644
+--- a/drivers/md/dm-thin-metadata.h
++++ b/drivers/md/dm-thin-metadata.h
+@@ -195,7 +195,7 @@ int dm_pool_get_metadata_dev_size(struct dm_pool_metadata *pmd,
+ 
+ int dm_pool_get_data_dev_size(struct dm_pool_metadata *pmd, dm_block_t *result);
+ 
+-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result);
++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result);
+ 
+ int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e);
+ int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e);
+diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
+index da98fc7b995c..40b624d8255d 100644
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -1042,7 +1042,7 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m
+ 	 * passdown we have to check that these blocks are now unused.
+ 	 */
+ 	int r = 0;
+-	bool used = true;
++	bool shared = true;
+ 	struct thin_c *tc = m->tc;
+ 	struct pool *pool = tc->pool;
+ 	dm_block_t b = m->data_block, e, end = m->data_block + m->virt_end - m->virt_begin;
+@@ -1052,11 +1052,11 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m
+ 	while (b != end) {
+ 		/* find start of unmapped run */
+ 		for (; b < end; b++) {
+-			r = dm_pool_block_is_used(pool->pmd, b, &used);
++			r = dm_pool_block_is_shared(pool->pmd, b, &shared);
+ 			if (r)
+ 				goto out;
+ 
+-			if (!used)
++			if (!shared)
+ 				break;
+ 		}
+ 
+@@ -1065,11 +1065,11 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m
+ 
+ 		/* find end of run */
+ 		for (e = b + 1; e != end; e++) {
+-			r = dm_pool_block_is_used(pool->pmd, e, &used);
++			r = dm_pool_block_is_shared(pool->pmd, e, &shared);
+ 			if (r)
+ 				goto out;
+ 
+-			if (used)
++			if (shared)
+ 				break;
+ 		}
+ 
+diff --git a/drivers/misc/mei/hw-me-regs.h b/drivers/misc/mei/hw-me-regs.h
+index e4b10b2d1a08..23739a60517f 100644
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -127,6 +127,8 @@
+ #define MEI_DEV_ID_BXT_M      0x1A9A  /* Broxton M */
+ #define MEI_DEV_ID_APL_I      0x5A9A  /* Apollo Lake I */
+ 
++#define MEI_DEV_ID_DNV_IE     0x19E5  /* Denverton IE */
++
+ #define MEI_DEV_ID_GLK        0x319A  /* Gemini Lake */
+ 
+ #define MEI_DEV_ID_KBP        0xA2BA  /* Kaby Point */
+diff --git a/drivers/misc/mei/pci-me.c b/drivers/misc/mei/pci-me.c
+index c77e08cbbfd1..04bf2dd134d0 100644
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -93,6 +93,8 @@ static const struct pci_device_id mei_me_pci_tbl[] = {
+ 	{MEI_PCI_DEVICE(MEI_DEV_ID_BXT_M, MEI_ME_PCH8_CFG)},
+ 	{MEI_PCI_DEVICE(MEI_DEV_ID_APL_I, MEI_ME_PCH8_CFG)},
+ 
++	{MEI_PCI_DEVICE(MEI_DEV_ID_DNV_IE, MEI_ME_PCH8_CFG)},
++
+ 	{MEI_PCI_DEVICE(MEI_DEV_ID_GLK, MEI_ME_PCH8_CFG)},
+ 
+ 	{MEI_PCI_DEVICE(MEI_DEV_ID_KBP, MEI_ME_PCH8_CFG)},
+diff --git a/drivers/mmc/host/Kconfig b/drivers/mmc/host/Kconfig
+index 8c15637178ff..9ed786935a30 100644
+--- a/drivers/mmc/host/Kconfig
++++ b/drivers/mmc/host/Kconfig
+@@ -429,6 +429,7 @@ config MMC_SDHCI_MSM
+ 	tristate "Qualcomm SDHCI Controller Support"
+ 	depends on ARCH_QCOM || (ARM && COMPILE_TEST)
+ 	depends on MMC_SDHCI_PLTFM
++	select MMC_SDHCI_IO_ACCESSORS
+ 	help
+ 	  This selects the Secure Digital Host Controller Interface (SDHCI)
+ 	  support present in Qualcomm SOCs. The controller supports
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 035daca63168..7d61d8801220 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -479,8 +479,6 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb);
+ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ {
+ 	struct can_priv *priv = netdev_priv(dev);
+-	struct sk_buff *skb = priv->echo_skb[idx];
+-	struct canfd_frame *cf;
+ 
+ 	if (idx >= priv->echo_skb_max) {
+ 		netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n",
+@@ -488,20 +486,21 @@ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8
+ 		return NULL;
+ 	}
+ 
+-	if (!skb) {
+-		netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n",
+-			   __func__, idx);
+-		return NULL;
+-	}
++	if (priv->echo_skb[idx]) {
++		/* Using "struct canfd_frame::len" for the frame
++		 * length is supported on both CAN and CANFD frames.
++		 */
++		struct sk_buff *skb = priv->echo_skb[idx];
++		struct canfd_frame *cf = (struct canfd_frame *)skb->data;
++		u8 len = cf->len;
+ 
+-	/* Using "struct canfd_frame::len" for the frame
+-	 * length is supported on both CAN and CANFD frames.
+-	 */
+-	cf = (struct canfd_frame *)skb->data;
+-	*len_ptr = cf->len;
+-	priv->echo_skb[idx] = NULL;
++		*len_ptr = len;
++		priv->echo_skb[idx] = NULL;
+ 
+-	return skb;
++		return skb;
++	}
++
++	return NULL;
+ }
+ 
+ /*
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+index d272dc6984ac..b40d4377cc71 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+@@ -431,8 +431,6 @@
+ #define MAC_MDIOSCAR_PA_WIDTH		5
+ #define MAC_MDIOSCAR_RA_INDEX		0
+ #define MAC_MDIOSCAR_RA_WIDTH		16
+-#define MAC_MDIOSCAR_REG_INDEX		0
+-#define MAC_MDIOSCAR_REG_WIDTH		21
+ #define MAC_MDIOSCCDR_BUSY_INDEX	22
+ #define MAC_MDIOSCCDR_BUSY_WIDTH	1
+ #define MAC_MDIOSCCDR_CMD_INDEX		16
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+index e107e180e2c8..1e4bb33925e6 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+@@ -1284,6 +1284,20 @@ static void xgbe_write_mmd_regs(struct xgbe_prv_data *pdata, int prtad,
+ 	}
+ }
+ 
++static unsigned int xgbe_create_mdio_sca(int port, int reg)
++{
++	unsigned int mdio_sca, da;
++
++	da = (reg & MII_ADDR_C45) ? reg >> 16 : 0;
++
++	mdio_sca = 0;
++	XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, RA, reg);
++	XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, PA, port);
++	XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, DA, da);
++
++	return mdio_sca;
++}
++
+ static int xgbe_write_ext_mii_regs(struct xgbe_prv_data *pdata, int addr,
+ 				   int reg, u16 val)
+ {
+@@ -1291,9 +1305,7 @@ static int xgbe_write_ext_mii_regs(struct xgbe_prv_data *pdata, int addr,
+ 
+ 	reinit_completion(&pdata->mdio_complete);
+ 
+-	mdio_sca = 0;
+-	XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, REG, reg);
+-	XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, DA, addr);
++	mdio_sca = xgbe_create_mdio_sca(addr, reg);
+ 	XGMAC_IOWRITE(pdata, MAC_MDIOSCAR, mdio_sca);
+ 
+ 	mdio_sccd = 0;
+@@ -1317,9 +1329,7 @@ static int xgbe_read_ext_mii_regs(struct xgbe_prv_data *pdata, int addr,
+ 
+ 	reinit_completion(&pdata->mdio_complete);
+ 
+-	mdio_sca = 0;
+-	XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, REG, reg);
+-	XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, DA, addr);
++	mdio_sca = xgbe_create_mdio_sca(addr, reg);
+ 	XGMAC_IOWRITE(pdata, MAC_MDIOSCAR, mdio_sca);
+ 
+ 	mdio_sccd = 0;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h
+index 8e2a19616bc9..c87bc0a5efa3 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/common.h
++++ b/drivers/net/ethernet/stmicro/stmmac/common.h
+@@ -444,7 +444,8 @@ struct stmmac_dma_ops {
+ 			 int rxfifosz);
+ 	void (*dma_rx_mode)(void __iomem *ioaddr, int mode, u32 channel,
+ 			    int fifosz);
+-	void (*dma_tx_mode)(void __iomem *ioaddr, int mode, u32 channel);
++	void (*dma_tx_mode)(void __iomem *ioaddr, int mode, u32 channel,
++			    int fifosz);
+ 	/* To track extra statistic (if supported) */
+ 	void (*dma_diagnostic_fr) (void *data, struct stmmac_extra_stats *x,
+ 				   void __iomem *ioaddr);
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+index e84831e1b63b..898849bbc7d4 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+@@ -271,9 +271,10 @@ static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode,
+ }
+ 
+ static void dwmac4_dma_tx_chan_op_mode(void __iomem *ioaddr, int mode,
+-				       u32 channel)
++				       u32 channel, int fifosz)
+ {
+ 	u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel));
++	unsigned int tqs = fifosz / 256 - 1;
+ 
+ 	if (mode == SF_DMA_MODE) {
+ 		pr_debug("GMAC: enable TX store and forward mode\n");
+@@ -306,12 +307,14 @@ static void dwmac4_dma_tx_chan_op_mode(void __iomem *ioaddr, int mode,
+ 	 * For an IP with DWC_EQOS_NUM_TXQ > 1, the fields TXQEN and TQS are R/W
+ 	 * with reset values: TXQEN off, TQS 256 bytes.
+ 	 *
+-	 * Write the bits in both cases, since it will have no effect when RO.
+-	 * For DWC_EQOS_NUM_TXQ > 1, the top bits in MTL_OP_MODE_TQS_MASK might
+-	 * be RO, however, writing the whole TQS field will result in a value
+-	 * equal to DWC_EQOS_TXFIFO_SIZE, just like for DWC_EQOS_NUM_TXQ == 1.
++	 * TXQEN must be written for multi-channel operation and TQS must
++	 * reflect the available fifo size per queue (total fifo size / number
++	 * of enabled queues).
+ 	 */
+-	mtl_tx_op |= MTL_OP_MODE_TXQEN | MTL_OP_MODE_TQS_MASK;
++	mtl_tx_op |= MTL_OP_MODE_TXQEN;
++	mtl_tx_op &= ~MTL_OP_MODE_TQS_MASK;
++	mtl_tx_op |= tqs << MTL_OP_MODE_TQS_SHIFT;
++
+ 	writel(mtl_tx_op, ioaddr +  MTL_CHAN_TX_OP_MODE(channel));
+ }
+ 
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index bafbebeb0e00..a901feaad4e1 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1765,12 +1765,19 @@ static void stmmac_dma_operation_mode(struct stmmac_priv *priv)
+ 	u32 rx_channels_count = priv->plat->rx_queues_to_use;
+ 	u32 tx_channels_count = priv->plat->tx_queues_to_use;
+ 	int rxfifosz = priv->plat->rx_fifo_size;
++	int txfifosz = priv->plat->tx_fifo_size;
+ 	u32 txmode = 0;
+ 	u32 rxmode = 0;
+ 	u32 chan = 0;
+ 
+ 	if (rxfifosz == 0)
+ 		rxfifosz = priv->dma_cap.rx_fifo_size;
++	if (txfifosz == 0)
++		txfifosz = priv->dma_cap.tx_fifo_size;
++
++	/* Adjust for real per queue fifo size */
++	rxfifosz /= rx_channels_count;
++	txfifosz /= tx_channels_count;
+ 
+ 	if (priv->plat->force_thresh_dma_mode) {
+ 		txmode = tc;
+@@ -1798,7 +1805,8 @@ static void stmmac_dma_operation_mode(struct stmmac_priv *priv)
+ 						   rxfifosz);
+ 
+ 		for (chan = 0; chan < tx_channels_count; chan++)
+-			priv->hw->dma->dma_tx_mode(priv->ioaddr, txmode, chan);
++			priv->hw->dma->dma_tx_mode(priv->ioaddr, txmode, chan,
++						   txfifosz);
+ 	} else {
+ 		priv->hw->dma->dma_mode(priv->ioaddr, txmode, rxmode,
+ 					rxfifosz);
+@@ -1967,15 +1975,25 @@ static void stmmac_tx_err(struct stmmac_priv *priv, u32 chan)
+ static void stmmac_set_dma_operation_mode(struct stmmac_priv *priv, u32 txmode,
+ 					  u32 rxmode, u32 chan)
+ {
++	u32 rx_channels_count = priv->plat->rx_queues_to_use;
++	u32 tx_channels_count = priv->plat->tx_queues_to_use;
+ 	int rxfifosz = priv->plat->rx_fifo_size;
++	int txfifosz = priv->plat->tx_fifo_size;
+ 
+ 	if (rxfifosz == 0)
+ 		rxfifosz = priv->dma_cap.rx_fifo_size;
++	if (txfifosz == 0)
++		txfifosz = priv->dma_cap.tx_fifo_size;
++
++	/* Adjust for real per queue fifo size */
++	rxfifosz /= rx_channels_count;
++	txfifosz /= tx_channels_count;
+ 
+ 	if (priv->synopsys_id >= DWMAC_CORE_4_00) {
+ 		priv->hw->dma->dma_rx_mode(priv->ioaddr, rxmode, chan,
+ 					   rxfifosz);
+-		priv->hw->dma->dma_tx_mode(priv->ioaddr, txmode, chan);
++		priv->hw->dma->dma_tx_mode(priv->ioaddr, txmode, chan,
++					   txfifosz);
+ 	} else {
+ 		priv->hw->dma->dma_mode(priv->ioaddr, txmode, rxmode,
+ 					rxfifosz);
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 2df7b62c1a36..1ece41277993 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -358,6 +358,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
+ 	if (IS_ERR(gpiod)) {
+ 		dev_err(&bus->dev, "mii_bus %s couldn't get reset GPIO\n",
+ 			bus->id);
++		device_del(&bus->dev);
+ 		return PTR_ERR(gpiod);
+ 	} else	if (gpiod) {
+ 		bus->reset_gpiod = gpiod;
+diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
+index 951892da3352..c37ef5287caa 100644
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -445,6 +445,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev,
+ 	if (pskb_trim_rcsum(skb, len))
+ 		goto drop;
+ 
++	ph = pppoe_hdr(skb);
+ 	pn = pppoe_pernet(dev_net(dev));
+ 
+ 	/* Note that get_item does a sock_hold(), so sk_pppox(po)
+diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
+index 5d8140e58f6f..da56cc277b71 100644
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -137,6 +137,10 @@ static void nvmet_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc);
+ static void nvmet_rdma_read_data_done(struct ib_cq *cq, struct ib_wc *wc);
+ static void nvmet_rdma_qp_event(struct ib_event *event, void *priv);
+ static void nvmet_rdma_queue_disconnect(struct nvmet_rdma_queue *queue);
++static void nvmet_rdma_free_rsp(struct nvmet_rdma_device *ndev,
++				struct nvmet_rdma_rsp *r);
++static int nvmet_rdma_alloc_rsp(struct nvmet_rdma_device *ndev,
++				struct nvmet_rdma_rsp *r);
+ 
+ static struct nvmet_fabrics_ops nvmet_rdma_ops;
+ 
+@@ -175,9 +179,17 @@ nvmet_rdma_get_rsp(struct nvmet_rdma_queue *queue)
+ 	spin_unlock_irqrestore(&queue->rsps_lock, flags);
+ 
+ 	if (unlikely(!rsp)) {
+-		rsp = kmalloc(sizeof(*rsp), GFP_KERNEL);
++		int ret;
++
++		rsp = kzalloc(sizeof(*rsp), GFP_KERNEL);
+ 		if (unlikely(!rsp))
+ 			return NULL;
++		ret = nvmet_rdma_alloc_rsp(queue->dev, rsp);
++		if (unlikely(ret)) {
++			kfree(rsp);
++			return NULL;
++		}
++
+ 		rsp->allocated = true;
+ 	}
+ 
+@@ -189,7 +201,8 @@ nvmet_rdma_put_rsp(struct nvmet_rdma_rsp *rsp)
+ {
+ 	unsigned long flags;
+ 
+-	if (rsp->allocated) {
++	if (unlikely(rsp->allocated)) {
++		nvmet_rdma_free_rsp(rsp->queue->dev, rsp);
+ 		kfree(rsp);
+ 		return;
+ 	}
+diff --git a/drivers/ptp/ptp_kvm.c b/drivers/ptp/ptp_kvm.c
+index 2b1b212c219e..c67dd11e08b1 100644
+--- a/drivers/ptp/ptp_kvm.c
++++ b/drivers/ptp/ptp_kvm.c
+@@ -178,8 +178,11 @@ static int __init ptp_kvm_init(void)
+ {
+ 	long ret;
+ 
++	if (!kvm_para_available())
++		return -ENODEV;
++
+ 	clock_pair_gpa = slow_virt_to_phys(&clock_pair);
+-	hv_clock = pvclock_pvti_cpu0_va();
++	hv_clock = pvclock_get_pvti_cpu0_va();
+ 
+ 	if (!hv_clock)
+ 		return -ENODEV;
+diff --git a/drivers/s390/char/sclp_config.c b/drivers/s390/char/sclp_config.c
+index 194ffd5c8580..039b2074db7e 100644
+--- a/drivers/s390/char/sclp_config.c
++++ b/drivers/s390/char/sclp_config.c
+@@ -60,7 +60,9 @@ static void sclp_cpu_capability_notify(struct work_struct *work)
+ 
+ static void __ref sclp_cpu_change_notify(struct work_struct *work)
+ {
++	lock_device_hotplug();
+ 	smp_rescan_cpus();
++	unlock_device_hotplug();
+ }
+ 
+ static void sclp_conf_receiver_fn(struct evbuf_header *evbuf)
+diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+index 32c7225a831e..2fc7056cbff7 100644
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -43,6 +43,7 @@ static const struct usb_device_id rtw_usb_id_tbl[] = {
+ 	{USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
+ 	{USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */
+ 	{USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
++	{USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
+ 	{USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
+ 	{USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
+ 	{USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
+diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
+index 7b2a466616d6..08bd6b965847 100644
+--- a/drivers/tty/n_hdlc.c
++++ b/drivers/tty/n_hdlc.c
+@@ -598,6 +598,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file,
+ 				/* too large for caller's buffer */
+ 				ret = -EOVERFLOW;
+ 			} else {
++				__set_current_state(TASK_RUNNING);
+ 				if (copy_to_user(buf, rbuf->buf, rbuf->count))
+ 					ret = -EFAULT;
+ 				else
+diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
+index 543d0f95f094..94ac6c6e8fb8 100644
+--- a/drivers/tty/serial/serial_core.c
++++ b/drivers/tty/serial/serial_core.c
+@@ -563,10 +563,12 @@ static int uart_put_char(struct tty_struct *tty, unsigned char c)
+ 	int ret = 0;
+ 
+ 	circ = &state->xmit;
+-	if (!circ->buf)
++	port = uart_port_lock(state, flags);
++	if (!circ->buf) {
++		uart_port_unlock(port, flags);
+ 		return 0;
++	}
+ 
+-	port = uart_port_lock(state, flags);
+ 	if (port && uart_circ_chars_free(circ) != 0) {
+ 		circ->buf[circ->head] = c;
+ 		circ->head = (circ->head + 1) & (UART_XMIT_SIZE - 1);
+@@ -599,11 +601,13 @@ static int uart_write(struct tty_struct *tty,
+ 		return -EL3HLT;
+ 	}
+ 
++	port = uart_port_lock(state, flags);
+ 	circ = &state->xmit;
+-	if (!circ->buf)
++	if (!circ->buf) {
++		uart_port_unlock(port, flags);
+ 		return 0;
++	}
+ 
+-	port = uart_port_lock(state, flags);
+ 	while (port) {
+ 		c = CIRC_SPACE_TO_END(circ->head, circ->tail, UART_XMIT_SIZE);
+ 		if (count < c)
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 417b81c67fe9..7e351d205393 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2180,7 +2180,8 @@ static int tiocsti(struct tty_struct *tty, char __user *p)
+ 	ld = tty_ldisc_ref_wait(tty);
+ 	if (!ld)
+ 		return -EIO;
+-	ld->ops->receive_buf(tty, &ch, &mbz, 1);
++	if (ld->ops->receive_buf)
++		ld->ops->receive_buf(tty, &ch, &mbz, 1);
+ 	tty_ldisc_deref(ld);
+ 	return 0;
+ }
+diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
+index e77421e7bf46..1fb5e7f409c4 100644
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -953,6 +953,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
+ 	if (con_is_visible(vc))
+ 		update_screen(vc);
+ 	vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num);
++	notify_update(vc);
+ 	return err;
+ }
+ 
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index b8704c0678f9..727bf3c9f53b 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -182,6 +182,8 @@ void dwc3_gadget_del_and_unmap_request(struct dwc3_ep *dep,
+ 	req->started = false;
+ 	list_del(&req->list);
+ 	req->remaining = 0;
++	req->unaligned = false;
++	req->zero = false;
+ 
+ 	if (req->request.status == -EINPROGRESS)
+ 		req->request.status = status;
+diff --git a/drivers/usb/host/xhci-mtk.c b/drivers/usb/host/xhci-mtk.c
+index 510d28a9d190..35aecbcac6f7 100644
+--- a/drivers/usb/host/xhci-mtk.c
++++ b/drivers/usb/host/xhci-mtk.c
+@@ -724,14 +724,16 @@ static int xhci_mtk_remove(struct platform_device *dev)
+ 	struct xhci_hcd_mtk *mtk = platform_get_drvdata(dev);
+ 	struct usb_hcd	*hcd = mtk->hcd;
+ 	struct xhci_hcd	*xhci = hcd_to_xhci(hcd);
++	struct usb_hcd  *shared_hcd = xhci->shared_hcd;
+ 
+-	usb_remove_hcd(xhci->shared_hcd);
++	usb_remove_hcd(shared_hcd);
++	xhci->shared_hcd = NULL;
+ 	xhci_mtk_phy_power_off(mtk);
+ 	xhci_mtk_phy_exit(mtk);
+ 	device_init_wakeup(&dev->dev, false);
+ 
+ 	usb_remove_hcd(hcd);
+-	usb_put_hcd(xhci->shared_hcd);
++	usb_put_hcd(shared_hcd);
+ 	usb_put_hcd(hcd);
+ 	xhci_mtk_sch_exit(mtk);
+ 	xhci_mtk_clks_disable(mtk);
+diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
+index 0fbc549cc55c..1de006aebec5 100644
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -370,6 +370,7 @@ static void xhci_pci_remove(struct pci_dev *dev)
+ 	if (xhci->shared_hcd) {
+ 		usb_remove_hcd(xhci->shared_hcd);
+ 		usb_put_hcd(xhci->shared_hcd);
++		xhci->shared_hcd = NULL;
+ 	}
+ 
+ 	/* Workaround for spurious wakeups at shutdown with HSW */
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index 830dd0dbbce0..108a212294bf 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -332,14 +332,16 @@ static int xhci_plat_remove(struct platform_device *dev)
+ 	struct usb_hcd	*hcd = platform_get_drvdata(dev);
+ 	struct xhci_hcd	*xhci = hcd_to_xhci(hcd);
+ 	struct clk *clk = xhci->clk;
++	struct usb_hcd *shared_hcd = xhci->shared_hcd;
+ 
+ 	xhci->xhc_state |= XHCI_STATE_REMOVING;
+ 
+-	usb_remove_hcd(xhci->shared_hcd);
++	usb_remove_hcd(shared_hcd);
++	xhci->shared_hcd = NULL;
+ 	usb_phy_shutdown(hcd->usb_phy);
+ 
+ 	usb_remove_hcd(hcd);
+-	usb_put_hcd(xhci->shared_hcd);
++	usb_put_hcd(shared_hcd);
+ 
+ 	if (!IS_ERR(clk))
+ 		clk_disable_unprepare(clk);
+diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c
+index 32ddafe7af87..28df32d85671 100644
+--- a/drivers/usb/host/xhci-tegra.c
++++ b/drivers/usb/host/xhci-tegra.c
+@@ -1178,6 +1178,7 @@ static int tegra_xusb_remove(struct platform_device *pdev)
+ 
+ 	usb_remove_hcd(xhci->shared_hcd);
+ 	usb_put_hcd(xhci->shared_hcd);
++	xhci->shared_hcd = NULL;
+ 	usb_remove_hcd(tegra->hcd);
+ 	usb_put_hcd(tegra->hcd);
+ 
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 930eecd86429..c78de07c4d00 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -669,8 +669,6 @@ static void xhci_stop(struct usb_hcd *hcd)
+ 
+ 	/* Only halt host and free memory after both hcds are removed */
+ 	if (!usb_hcd_is_primary_hcd(hcd)) {
+-		/* usb core will free this hcd shortly, unset pointer */
+-		xhci->shared_hcd = NULL;
+ 		mutex_unlock(&xhci->mutex);
+ 		return;
+ 	}
+diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
+index 5fa1e6fb49a6..5e86be81f4c9 100644
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -49,6 +49,7 @@ static const struct usb_device_id id_table[] = {
+ 	{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_HCR331) },
+ 	{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MOTOROLA) },
+ 	{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ZTEK) },
++	{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_TB) },
+ 	{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID) },
+ 	{ USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID_RSAQ5) },
+ 	{ USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID),
+diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
+index b46e74a90af2..f21445acc486 100644
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -13,6 +13,7 @@
+ 
+ #define PL2303_VENDOR_ID	0x067b
+ #define PL2303_PRODUCT_ID	0x2303
++#define PL2303_PRODUCT_ID_TB		0x2304
+ #define PL2303_PRODUCT_ID_RSAQ2		0x04bb
+ #define PL2303_PRODUCT_ID_DCU11		0x1234
+ #define PL2303_PRODUCT_ID_PHAROS	0xaaa0
+@@ -25,6 +26,7 @@
+ #define PL2303_PRODUCT_ID_MOTOROLA	0x0307
+ #define PL2303_PRODUCT_ID_ZTEK		0xe1f1
+ 
++
+ #define ATEN_VENDOR_ID		0x0557
+ #define ATEN_VENDOR_ID2		0x0547
+ #define ATEN_PRODUCT_ID		0x2008
+diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
+index 6d6acf2c07c3..511242111403 100644
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -88,7 +88,8 @@ DEVICE(moto_modem, MOTO_IDS);
+ /* Motorola Tetra driver */
+ #define MOTOROLA_TETRA_IDS()			\
+ 	{ USB_DEVICE(0x0cad, 0x9011) },	/* Motorola Solutions TETRA PEI */ \
+-	{ USB_DEVICE(0x0cad, 0x9012) }	/* MTP6550 */
++	{ USB_DEVICE(0x0cad, 0x9012) },	/* MTP6550 */ \
++	{ USB_DEVICE(0x0cad, 0x9016) }	/* TPG2200 */
+ DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS);
+ 
+ /* Novatel Wireless GPS driver */
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index 6123b4dd8638..4eba9ee179e3 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -851,7 +851,8 @@ static void handle_rx(struct vhost_net *net)
+ 		vhost_add_used_and_signal_n(&net->dev, vq, vq->heads,
+ 					    headcount);
+ 		if (unlikely(vq_log))
+-			vhost_log_write(vq, vq_log, log, vhost_len);
++			vhost_log_write(vq, vq_log, log, vhost_len,
++					vq->iov, in);
+ 		total_len += vhost_len;
+ 		if (unlikely(total_len >= VHOST_NET_WEIGHT)) {
+ 			vhost_poll_queue(&vq->poll);
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 97518685ab58..37fcb3ca89f1 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1726,13 +1726,87 @@ static int log_write(void __user *log_base,
+ 	return r;
+ }
+ 
++static int log_write_hva(struct vhost_virtqueue *vq, u64 hva, u64 len)
++{
++	struct vhost_umem *umem = vq->umem;
++	struct vhost_umem_node *u;
++	u64 start, end, l, min;
++	int r;
++	bool hit = false;
++
++	while (len) {
++		min = len;
++		/* More than one GPAs can be mapped into a single HVA. So
++		 * iterate all possible umems here to be safe.
++		 */
++		list_for_each_entry(u, &umem->umem_list, link) {
++			if (u->userspace_addr > hva - 1 + len ||
++			    u->userspace_addr - 1 + u->size < hva)
++				continue;
++			start = max(u->userspace_addr, hva);
++			end = min(u->userspace_addr - 1 + u->size,
++				  hva - 1 + len);
++			l = end - start + 1;
++			r = log_write(vq->log_base,
++				      u->start + start - u->userspace_addr,
++				      l);
++			if (r < 0)
++				return r;
++			hit = true;
++			min = min(l, min);
++		}
++
++		if (!hit)
++			return -EFAULT;
++
++		len -= min;
++		hva += min;
++	}
++
++	return 0;
++}
++
++static int log_used(struct vhost_virtqueue *vq, u64 used_offset, u64 len)
++{
++	struct iovec iov[64];
++	int i, ret;
++
++	if (!vq->iotlb)
++		return log_write(vq->log_base, vq->log_addr + used_offset, len);
++
++	ret = translate_desc(vq, (uintptr_t)vq->used + used_offset,
++			     len, iov, 64, VHOST_ACCESS_WO);
++	if (ret)
++		return ret;
++
++	for (i = 0; i < ret; i++) {
++		ret = log_write_hva(vq,	(uintptr_t)iov[i].iov_base,
++				    iov[i].iov_len);
++		if (ret)
++			return ret;
++	}
++
++	return 0;
++}
++
+ int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log,
+-		    unsigned int log_num, u64 len)
++		    unsigned int log_num, u64 len, struct iovec *iov, int count)
+ {
+ 	int i, r;
+ 
+ 	/* Make sure data written is seen before log. */
+ 	smp_wmb();
++
++	if (vq->iotlb) {
++		for (i = 0; i < count; i++) {
++			r = log_write_hva(vq, (uintptr_t)iov[i].iov_base,
++					  iov[i].iov_len);
++			if (r < 0)
++				return r;
++		}
++		return 0;
++	}
++
+ 	for (i = 0; i < log_num; ++i) {
+ 		u64 l = min(log[i].len, len);
+ 		r = log_write(vq->log_base, log[i].addr, l);
+@@ -1762,9 +1836,8 @@ static int vhost_update_used_flags(struct vhost_virtqueue *vq)
+ 		smp_wmb();
+ 		/* Log used flag write. */
+ 		used = &vq->used->flags;
+-		log_write(vq->log_base, vq->log_addr +
+-			  (used - (void __user *)vq->used),
+-			  sizeof vq->used->flags);
++		log_used(vq, (used - (void __user *)vq->used),
++			 sizeof vq->used->flags);
+ 		if (vq->log_ctx)
+ 			eventfd_signal(vq->log_ctx, 1);
+ 	}
+@@ -1782,9 +1855,8 @@ static int vhost_update_avail_event(struct vhost_virtqueue *vq, u16 avail_event)
+ 		smp_wmb();
+ 		/* Log avail event write */
+ 		used = vhost_avail_event(vq);
+-		log_write(vq->log_base, vq->log_addr +
+-			  (used - (void __user *)vq->used),
+-			  sizeof *vhost_avail_event(vq));
++		log_used(vq, (used - (void __user *)vq->used),
++			 sizeof *vhost_avail_event(vq));
+ 		if (vq->log_ctx)
+ 			eventfd_signal(vq->log_ctx, 1);
+ 	}
+@@ -2189,10 +2261,8 @@ static int __vhost_add_used_n(struct vhost_virtqueue *vq,
+ 		/* Make sure data is seen before log. */
+ 		smp_wmb();
+ 		/* Log used ring entry write. */
+-		log_write(vq->log_base,
+-			  vq->log_addr +
+-			   ((void __user *)used - (void __user *)vq->used),
+-			  count * sizeof *used);
++		log_used(vq, ((void __user *)used - (void __user *)vq->used),
++			 count * sizeof *used);
+ 	}
+ 	old = vq->last_used_idx;
+ 	new = (vq->last_used_idx += count);
+@@ -2234,9 +2304,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
+ 		/* Make sure used idx is seen before log. */
+ 		smp_wmb();
+ 		/* Log used index update. */
+-		log_write(vq->log_base,
+-			  vq->log_addr + offsetof(struct vring_used, idx),
+-			  sizeof vq->used->idx);
++		log_used(vq, offsetof(struct vring_used, idx),
++			 sizeof vq->used->idx);
+ 		if (vq->log_ctx)
+ 			eventfd_signal(vq->log_ctx, 1);
+ 	}
+diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
+index 79c6e7a60a5e..75d21d4a8354 100644
+--- a/drivers/vhost/vhost.h
++++ b/drivers/vhost/vhost.h
+@@ -208,7 +208,8 @@ bool vhost_vq_avail_empty(struct vhost_dev *, struct vhost_virtqueue *);
+ bool vhost_enable_notify(struct vhost_dev *, struct vhost_virtqueue *);
+ 
+ int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log,
+-		    unsigned int log_num, u64 len);
++		    unsigned int log_num, u64 len,
++		    struct iovec *iov, int count);
+ int vq_iotlb_prefetch(struct vhost_virtqueue *vq);
+ 
+ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type);
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index e6c1934734b7..fe1f16351f94 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -1650,7 +1650,7 @@ void xen_callback_vector(void)
+ 			xen_have_vector_callback = 0;
+ 			return;
+ 		}
+-		pr_info("Xen HVM callback vector for event delivery is enabled\n");
++		pr_info_once("Xen HVM callback vector for event delivery is enabled\n");
+ 		alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR,
+ 				xen_hvm_callback_vector);
+ 	}
+diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c
+index dd80a1bdf9e2..f86457713e60 100644
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -351,6 +351,7 @@ int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info,
+ 		break;
+ 	case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED:
+ 	case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED:
++		ASSERT(0);
+ 		ret = BTRFS_IOCTL_DEV_REPLACE_RESULT_ALREADY_STARTED;
+ 		goto leave;
+ 	}
+@@ -395,6 +396,10 @@ int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info,
+ 	if (IS_ERR(trans)) {
+ 		ret = PTR_ERR(trans);
+ 		btrfs_dev_replace_lock(dev_replace, 1);
++		dev_replace->replace_state =
++			BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED;
++		dev_replace->srcdev = NULL;
++		dev_replace->tgtdev = NULL;
+ 		goto leave;
+ 	}
+ 
+@@ -416,8 +421,6 @@ int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info,
+ 	return ret;
+ 
+ leave:
+-	dev_replace->srcdev = NULL;
+-	dev_replace->tgtdev = NULL;
+ 	btrfs_dev_replace_unlock(dev_replace, 1);
+ 	btrfs_destroy_dev_replace_tgtdev(fs_info, tgt_device);
+ 	return ret;
+@@ -801,6 +804,8 @@ int btrfs_resume_dev_replace_async(struct btrfs_fs_info *fs_info)
+ 			   "cannot continue dev_replace, tgtdev is missing");
+ 		btrfs_info(fs_info,
+ 			   "you may cancel the operation after 'mount -o degraded'");
++		dev_replace->replace_state =
++					BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED;
+ 		btrfs_dev_replace_unlock(dev_replace, 1);
+ 		return 0;
+ 	}
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index 2e936f94f102..905d0fa1a1cc 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -1445,18 +1445,26 @@ cifs_discard_remaining_data(struct TCP_Server_Info *server)
+ }
+ 
+ static int
+-cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid)
++__cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid,
++		     bool malformed)
+ {
+ 	int length;
+-	struct cifs_readdata *rdata = mid->callback_data;
+ 
+ 	length = cifs_discard_remaining_data(server);
+-	dequeue_mid(mid, rdata->result);
++	dequeue_mid(mid, malformed);
+ 	mid->resp_buf = server->smallbuf;
+ 	server->smallbuf = NULL;
+ 	return length;
+ }
+ 
++static int
++cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid)
++{
++	struct cifs_readdata *rdata = mid->callback_data;
++
++	return  __cifs_readv_discard(server, mid, rdata->result);
++}
++
+ int
+ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid)
+ {
+@@ -1496,12 +1504,23 @@ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid)
+ 		return -1;
+ 	}
+ 
++	/* set up first two iov for signature check and to get credits */
++	rdata->iov[0].iov_base = buf;
++	rdata->iov[0].iov_len = 4;
++	rdata->iov[1].iov_base = buf + 4;
++	rdata->iov[1].iov_len = server->total_read - 4;
++	cifs_dbg(FYI, "0: iov_base=%p iov_len=%zu\n",
++		 rdata->iov[0].iov_base, rdata->iov[0].iov_len);
++	cifs_dbg(FYI, "1: iov_base=%p iov_len=%zu\n",
++		 rdata->iov[1].iov_base, rdata->iov[1].iov_len);
++
+ 	/* Was the SMB read successful? */
+ 	rdata->result = server->ops->map_error(buf, false);
+ 	if (rdata->result != 0) {
+ 		cifs_dbg(FYI, "%s: server returned error %d\n",
+ 			 __func__, rdata->result);
+-		return cifs_readv_discard(server, mid);
++		/* normal error on read response */
++		return __cifs_readv_discard(server, mid, false);
+ 	}
+ 
+ 	/* Is there enough to get to the rest of the READ_RSP header? */
+@@ -1544,14 +1563,6 @@ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid)
+ 		server->total_read += length;
+ 	}
+ 
+-	/* set up first iov for signature check */
+-	rdata->iov[0].iov_base = buf;
+-	rdata->iov[0].iov_len = 4;
+-	rdata->iov[1].iov_base = buf + 4;
+-	rdata->iov[1].iov_len = server->total_read - 4;
+-	cifs_dbg(FYI, "0: iov_base=%p iov_len=%u\n",
+-		 rdata->iov[0].iov_base, server->total_read);
+-
+ 	/* how much data is in the response? */
+ 	data_len = server->ops->read_data_length(buf);
+ 	if (data_offset + data_len > buflen) {
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index d6248137c219..000b7bfa8cf0 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -524,6 +524,21 @@ server_unresponsive(struct TCP_Server_Info *server)
+ 	return false;
+ }
+ 
++static inline bool
++zero_credits(struct TCP_Server_Info *server)
++{
++	int val;
++
++	spin_lock(&server->req_lock);
++	val = server->credits + server->echo_credits + server->oplock_credits;
++	if (server->in_flight == 0 && val == 0) {
++		spin_unlock(&server->req_lock);
++		return true;
++	}
++	spin_unlock(&server->req_lock);
++	return false;
++}
++
+ static int
+ cifs_readv_from_socket(struct TCP_Server_Info *server, struct msghdr *smb_msg)
+ {
+@@ -536,6 +551,12 @@ cifs_readv_from_socket(struct TCP_Server_Info *server, struct msghdr *smb_msg)
+ 	for (total_read = 0; msg_data_left(smb_msg); total_read += length) {
+ 		try_to_freeze();
+ 
++		/* reconnect if no credits and no requests in flight */
++		if (zero_credits(server)) {
++			cifs_reconnect(server);
++			return -ECONNABORTED;
++		}
++
+ 		if (server_unresponsive(server))
+ 			return -ECONNABORTED;
+ 
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 3372eedaa94d..fb1c65f93114 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -33,6 +33,7 @@
+ #include "smb2glob.h"
+ #include "cifs_ioctl.h"
+ 
++/* Change credits for different ops and return the total number of credits */
+ static int
+ change_conf(struct TCP_Server_Info *server)
+ {
+@@ -40,17 +41,15 @@ change_conf(struct TCP_Server_Info *server)
+ 	server->oplock_credits = server->echo_credits = 0;
+ 	switch (server->credits) {
+ 	case 0:
+-		return -1;
++		return 0;
+ 	case 1:
+ 		server->echoes = false;
+ 		server->oplocks = false;
+-		cifs_dbg(VFS, "disabling echoes and oplocks\n");
+ 		break;
+ 	case 2:
+ 		server->echoes = true;
+ 		server->oplocks = false;
+ 		server->echo_credits = 1;
+-		cifs_dbg(FYI, "disabling oplocks\n");
+ 		break;
+ 	default:
+ 		server->echoes = true;
+@@ -63,14 +62,15 @@ change_conf(struct TCP_Server_Info *server)
+ 		server->echo_credits = 1;
+ 	}
+ 	server->credits -= server->echo_credits + server->oplock_credits;
+-	return 0;
++	return server->credits + server->echo_credits + server->oplock_credits;
+ }
+ 
+ static void
+ smb2_add_credits(struct TCP_Server_Info *server, const unsigned int add,
+ 		 const int optype)
+ {
+-	int *val, rc = 0;
++	int *val, rc = -1;
++
+ 	spin_lock(&server->req_lock);
+ 	val = server->ops->get_credits_field(server, optype);
+ 	*val += add;
+@@ -94,8 +94,26 @@ smb2_add_credits(struct TCP_Server_Info *server, const unsigned int add,
+ 	}
+ 	spin_unlock(&server->req_lock);
+ 	wake_up(&server->request_q);
+-	if (rc)
+-		cifs_reconnect(server);
++
++	if (server->tcpStatus == CifsNeedReconnect)
++		return;
++
++	switch (rc) {
++	case -1:
++		/* change_conf hasn't been executed */
++		break;
++	case 0:
++		cifs_dbg(VFS, "Possible client or server bug - zero credits\n");
++		break;
++	case 1:
++		cifs_dbg(VFS, "disabling echoes and oplocks\n");
++		break;
++	case 2:
++		cifs_dbg(FYI, "disabling oplocks\n");
++		break;
++	default:
++		cifs_dbg(FYI, "add %u credits total=%d\n", add, rc);
++	}
+ }
+ 
+ static void
+@@ -153,14 +171,14 @@ smb2_wait_mtu_credits(struct TCP_Server_Info *server, unsigned int size,
+ 
+ 			scredits = server->credits;
+ 			/* can deadlock with reopen */
+-			if (scredits == 1) {
++			if (scredits <= 8) {
+ 				*num = SMB2_MAX_BUFFER_SIZE;
+ 				*credits = 0;
+ 				break;
+ 			}
+ 
+-			/* leave one credit for a possible reopen */
+-			scredits--;
++			/* leave some credits for reopen and other ops */
++			scredits -= 8;
+ 			*num = min_t(unsigned int, size,
+ 				     scredits * SMB2_MAX_BUFFER_SIZE);
+ 
+@@ -2531,11 +2549,23 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid,
+ 			server->ops->is_status_pending(buf, server, 0))
+ 		return -1;
+ 
+-	rdata->result = server->ops->map_error(buf, false);
++	/* set up first two iov to get credits */
++	rdata->iov[0].iov_base = buf;
++	rdata->iov[0].iov_len = 4;
++	rdata->iov[1].iov_base = buf + 4;
++	rdata->iov[1].iov_len =
++		min_t(unsigned int, buf_len, server->vals->read_rsp_size) - 4;
++	cifs_dbg(FYI, "0: iov_base=%p iov_len=%zu\n",
++		 rdata->iov[0].iov_base, rdata->iov[0].iov_len);
++	cifs_dbg(FYI, "1: iov_base=%p iov_len=%zu\n",
++		 rdata->iov[1].iov_base, rdata->iov[1].iov_len);
++
++	rdata->result = server->ops->map_error(buf, true);
+ 	if (rdata->result != 0) {
+ 		cifs_dbg(FYI, "%s: server returned error %d\n",
+ 			 __func__, rdata->result);
+-		dequeue_mid(mid, rdata->result);
++		/* normal error on read response */
++		dequeue_mid(mid, false);
+ 		return 0;
+ 	}
+ 
+@@ -2605,14 +2635,6 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid,
+ 		return 0;
+ 	}
+ 
+-	/* set up first iov for signature check */
+-	rdata->iov[0].iov_base = buf;
+-	rdata->iov[0].iov_len = 4;
+-	rdata->iov[1].iov_base = buf + 4;
+-	rdata->iov[1].iov_len = server->vals->read_rsp_size - 4;
+-	cifs_dbg(FYI, "0: iov_base=%p iov_len=%zu\n",
+-		 rdata->iov[0].iov_base, server->vals->read_rsp_size);
+-
+ 	length = rdata->copy_into_pages(server, rdata, &iter);
+ 
+ 	kfree(bvec);
+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
+index 65de72d65562..12060fbfbb05 100644
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -694,6 +694,7 @@ static void truncate_node(struct dnode_of_data *dn)
+ {
+ 	struct f2fs_sb_info *sbi = F2FS_I_SB(dn->inode);
+ 	struct node_info ni;
++	pgoff_t index;
+ 
+ 	get_node_info(sbi, dn->nid, &ni);
+ 	f2fs_bug_on(sbi, ni.blk_addr == NULL_ADDR);
+@@ -712,10 +713,11 @@ static void truncate_node(struct dnode_of_data *dn)
+ 	clear_node_page_dirty(dn->node_page);
+ 	set_sbi_flag(sbi, SBI_IS_DIRTY);
+ 
++	index = dn->node_page->index;
+ 	f2fs_put_page(dn->node_page, 1);
+ 
+ 	invalidate_mapping_pages(NODE_MAPPING(sbi),
+-			dn->node_page->index, dn->node_page->index);
++			index, index);
+ 
+ 	dn->node_page = NULL;
+ 	trace_f2fs_truncate_node(dn->inode, dn->nid, ni.blk_addr);
+diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
+index 28b76f0894d4..673fa522a7ab 100644
+--- a/include/linux/compiler-clang.h
++++ b/include/linux/compiler-clang.h
+@@ -24,3 +24,17 @@
+ #ifdef __noretpoline
+ #undef __noretpoline
+ #endif
++
++/*
++ * Not all versions of clang implement the the type-generic versions
++ * of the builtin overflow checkers. Fortunately, clang implements
++ * __has_builtin allowing us to avoid awkward version
++ * checks. Unfortunately, we don't know which version of gcc clang
++ * pretends to be, so the macro may or may not be defined.
++ */
++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
++#if __has_builtin(__builtin_mul_overflow) && \
++    __has_builtin(__builtin_add_overflow) && \
++    __has_builtin(__builtin_sub_overflow)
++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
++#endif
+diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
+index 00b06d7efb83..4816355b9875 100644
+--- a/include/linux/compiler-gcc.h
++++ b/include/linux/compiler-gcc.h
+@@ -358,3 +358,7 @@
+  * code
+  */
+ #define uninitialized_var(x) x = x
++
++#if GCC_VERSION >= 50100
++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
++#endif
+diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h
+index bfa08160db3a..547cdc920a3c 100644
+--- a/include/linux/compiler-intel.h
++++ b/include/linux/compiler-intel.h
+@@ -44,3 +44,7 @@
+ #define __builtin_bswap16 _bswap16
+ #endif
+ 
++/*
++ * icc defines __GNUC__, but does not implement the builtin overflow checkers.
++ */
++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
+diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
+index d1324d3c72b0..8d3ca6da3342 100644
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -1130,8 +1130,9 @@ struct hv_ring_buffer_debug_info {
+ 	u32 bytes_avail_towrite;
+ };
+ 
+-void hv_ringbuffer_get_debuginfo(const struct hv_ring_buffer_info *ring_info,
+-			    struct hv_ring_buffer_debug_info *debug_info);
++
++int hv_ringbuffer_get_debuginfo(const struct hv_ring_buffer_info *ring_info,
++				struct hv_ring_buffer_debug_info *debug_info);
+ 
+ /* Vmbus interface */
+ #define vmbus_driver_register(driver)	\
+diff --git a/include/linux/overflow.h b/include/linux/overflow.h
+new file mode 100644
+index 000000000000..c8890ec358a7
+--- /dev/null
++++ b/include/linux/overflow.h
+@@ -0,0 +1,205 @@
++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
++#ifndef __LINUX_OVERFLOW_H
++#define __LINUX_OVERFLOW_H
++
++#include <linux/compiler.h>
++
++/*
++ * In the fallback code below, we need to compute the minimum and
++ * maximum values representable in a given type. These macros may also
++ * be useful elsewhere, so we provide them outside the
++ * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
++ *
++ * It would seem more obvious to do something like
++ *
++ * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
++ * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
++ *
++ * Unfortunately, the middle expressions, strictly speaking, have
++ * undefined behaviour, and at least some versions of gcc warn about
++ * the type_max expression (but not if -fsanitize=undefined is in
++ * effect; in that case, the warning is deferred to runtime...).
++ *
++ * The slightly excessive casting in type_min is to make sure the
++ * macros also produce sensible values for the exotic type _Bool. [The
++ * overflow checkers only almost work for _Bool, but that's
++ * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
++ * _Bools. Besides, the gcc builtins don't allow _Bool* as third
++ * argument.]
++ *
++ * Idea stolen from
++ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
++ * credit to Christian Biere.
++ */
++#define is_signed_type(type)       (((type)(-1)) < (type)1)
++#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
++#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
++#define type_min(T) ((T)((T)-type_max(T)-(T)1))
++
++
++#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
++/*
++ * For simplicity and code hygiene, the fallback code below insists on
++ * a, b and *d having the same type (similar to the min() and max()
++ * macros), whereas gcc's type-generic overflow checkers accept
++ * different types. Hence we don't just make check_add_overflow an
++ * alias for __builtin_add_overflow, but add type checks similar to
++ * below.
++ */
++#define check_add_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_add_overflow(__a, __b, __d);	\
++})
++
++#define check_sub_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_sub_overflow(__a, __b, __d);	\
++})
++
++#define check_mul_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	__builtin_mul_overflow(__a, __b, __d);	\
++})
++
++#else
++
++
++/* Checking for unsigned overflow is relatively easy without causing UB. */
++#define __unsigned_add_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = __a + __b;			\
++	*__d < __a;				\
++})
++#define __unsigned_sub_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = __a - __b;			\
++	__a < __b;				\
++})
++/*
++ * If one of a or b is a compile-time constant, this avoids a division.
++ */
++#define __unsigned_mul_overflow(a, b, d) ({		\
++	typeof(a) __a = (a);				\
++	typeof(b) __b = (b);				\
++	typeof(d) __d = (d);				\
++	(void) (&__a == &__b);				\
++	(void) (&__a == __d);				\
++	*__d = __a * __b;				\
++	__builtin_constant_p(__b) ?			\
++	  __b > 0 && __a > type_max(typeof(__a)) / __b : \
++	  __a > 0 && __b > type_max(typeof(__b)) / __a;	 \
++})
++
++/*
++ * For signed types, detecting overflow is much harder, especially if
++ * we want to avoid UB. But the interface of these macros is such that
++ * we must provide a result in *d, and in fact we must produce the
++ * result promised by gcc's builtins, which is simply the possibly
++ * wrapped-around value. Fortunately, we can just formally do the
++ * operations in the widest relevant unsigned type (u64) and then
++ * truncate the result - gcc is smart enough to generate the same code
++ * with and without the (u64) casts.
++ */
++
++/*
++ * Adding two signed integers can overflow only if they have the same
++ * sign, and overflow has happened iff the result has the opposite
++ * sign.
++ */
++#define __signed_add_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = (u64)__a + (u64)__b;		\
++	(((~(__a ^ __b)) & (*__d ^ __a))	\
++		& type_min(typeof(__a))) != 0;	\
++})
++
++/*
++ * Subtraction is similar, except that overflow can now happen only
++ * when the signs are opposite. In this case, overflow has happened if
++ * the result has the opposite sign of a.
++ */
++#define __signed_sub_overflow(a, b, d) ({	\
++	typeof(a) __a = (a);			\
++	typeof(b) __b = (b);			\
++	typeof(d) __d = (d);			\
++	(void) (&__a == &__b);			\
++	(void) (&__a == __d);			\
++	*__d = (u64)__a - (u64)__b;		\
++	((((__a ^ __b)) & (*__d ^ __a))		\
++		& type_min(typeof(__a))) != 0;	\
++})
++
++/*
++ * Signed multiplication is rather hard. gcc always follows C99, so
++ * division is truncated towards 0. This means that we can write the
++ * overflow check like this:
++ *
++ * (a > 0 && (b > MAX/a || b < MIN/a)) ||
++ * (a < -1 && (b > MIN/a || b < MAX/a) ||
++ * (a == -1 && b == MIN)
++ *
++ * The redundant casts of -1 are to silence an annoying -Wtype-limits
++ * (included in -Wextra) warning: When the type is u8 or u16, the
++ * __b_c_e in check_mul_overflow obviously selects
++ * __unsigned_mul_overflow, but unfortunately gcc still parses this
++ * code and warns about the limited range of __b.
++ */
++
++#define __signed_mul_overflow(a, b, d) ({				\
++	typeof(a) __a = (a);						\
++	typeof(b) __b = (b);						\
++	typeof(d) __d = (d);						\
++	typeof(a) __tmax = type_max(typeof(a));				\
++	typeof(a) __tmin = type_min(typeof(a));				\
++	(void) (&__a == &__b);						\
++	(void) (&__a == __d);						\
++	*__d = (u64)__a * (u64)__b;					\
++	(__b > 0   && (__a > __tmax/__b || __a < __tmin/__b)) ||	\
++	(__b < (typeof(__b))-1  && (__a > __tmin/__b || __a < __tmax/__b)) || \
++	(__b == (typeof(__b))-1 && __a == __tmin);			\
++})
++
++
++#define check_add_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_add_overflow(a, b, d),			\
++			__unsigned_add_overflow(a, b, d))
++
++#define check_sub_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_sub_overflow(a, b, d),			\
++			__unsigned_sub_overflow(a, b, d))
++
++#define check_mul_overflow(a, b, d)					\
++	__builtin_choose_expr(is_signed_type(typeof(a)),		\
++			__signed_mul_overflow(a, b, d),			\
++			__unsigned_mul_overflow(a, b, d))
++
++
++#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
++
++#endif /* __LINUX_OVERFLOW_H */
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index f6250555ce7d..39c2570ddcf6 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3163,6 +3163,7 @@ int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len);
+  *
+  *	This is exactly the same as pskb_trim except that it ensures the
+  *	checksum of received packets are still valid after the operation.
++ *	It can change skb pointers.
+  */
+ 
+ static inline int pskb_trim_rcsum(struct sk_buff *skb, unsigned int len)
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index 32df52869a14..b711317a796c 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -233,7 +233,7 @@ int fib_table_delete(struct net *, struct fib_table *, struct fib_config *,
+ 		     struct netlink_ext_ack *extack);
+ int fib_table_dump(struct fib_table *table, struct sk_buff *skb,
+ 		   struct netlink_callback *cb);
+-int fib_table_flush(struct net *net, struct fib_table *table);
++int fib_table_flush(struct net *net, struct fib_table *table, bool flush_all);
+ struct fib_table *fib_trie_unmerge(struct fib_table *main_tb);
+ void fib_table_flush_external(struct fib_table *table);
+ void fib_free_table(struct fib_table *tb);
+diff --git a/include/xen/interface/vcpu.h b/include/xen/interface/vcpu.h
+index 98188c87f5c1..504c71601511 100644
+--- a/include/xen/interface/vcpu.h
++++ b/include/xen/interface/vcpu.h
+@@ -178,4 +178,46 @@ DEFINE_GUEST_HANDLE_STRUCT(vcpu_register_vcpu_info);
+ 
+ /* Send an NMI to the specified VCPU. @extra_arg == NULL. */
+ #define VCPUOP_send_nmi             11
++
++/*
++ * Get the physical ID information for a pinned vcpu's underlying physical
++ * processor.  The physical ID informmation is architecture-specific.
++ * On x86: id[31:0]=apic_id, id[63:32]=acpi_id.
++ * This command returns -EINVAL if it is not a valid operation for this VCPU.
++ */
++#define VCPUOP_get_physid           12 /* arg == vcpu_get_physid_t */
++struct vcpu_get_physid {
++	uint64_t phys_id;
++};
++DEFINE_GUEST_HANDLE_STRUCT(vcpu_get_physid);
++#define xen_vcpu_physid_to_x86_apicid(physid) ((uint32_t)(physid))
++#define xen_vcpu_physid_to_x86_acpiid(physid) ((uint32_t)((physid) >> 32))
++
++/*
++ * Register a memory location to get a secondary copy of the vcpu time
++ * parameters.  The master copy still exists as part of the vcpu shared
++ * memory area, and this secondary copy is updated whenever the master copy
++ * is updated (and using the same versioning scheme for synchronisation).
++ *
++ * The intent is that this copy may be mapped (RO) into userspace so
++ * that usermode can compute system time using the time info and the
++ * tsc.  Usermode will see an array of vcpu_time_info structures, one
++ * for each vcpu, and choose the right one by an existing mechanism
++ * which allows it to get the current vcpu number (such as via a
++ * segment limit).  It can then apply the normal algorithm to compute
++ * system time from the tsc.
++ *
++ * @extra_arg == pointer to vcpu_register_time_info_memory_area structure.
++ */
++#define VCPUOP_register_vcpu_time_memory_area   13
++DEFINE_GUEST_HANDLE_STRUCT(vcpu_time_info);
++struct vcpu_register_time_memory_area {
++	union {
++		GUEST_HANDLE(vcpu_time_info) h;
++		struct pvclock_vcpu_time_info *v;
++		uint64_t p;
++	} addr;
++};
++DEFINE_GUEST_HANDLE_STRUCT(vcpu_register_time_memory_area);
++
+ #endif /* __XEN_PUBLIC_VCPU_H__ */
+diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
+index 2da660d53a4b..6e8c230ca877 100644
+--- a/kernel/time/posix-cpu-timers.c
++++ b/kernel/time/posix-cpu-timers.c
+@@ -685,6 +685,7 @@ static int posix_cpu_timer_set(struct k_itimer *timer, int timer_flags,
+ 	 * set up the signal and overrun bookkeeping.
+ 	 */
+ 	timer->it.cpu.incr = timespec64_to_ns(&new->it_interval);
++	timer->it_interval = ns_to_ktime(timer->it.cpu.incr);
+ 
+ 	/*
+ 	 * This acts as a modification timestamp for the timer,
+diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
+index 48fb17417fac..57f69f31a2a2 100644
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -35,10 +35,10 @@ static inline int should_deliver(const struct net_bridge_port *p,
+ 
+ int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
++	skb_push(skb, ETH_HLEN);
+ 	if (!is_skb_forwardable(skb->dev, skb))
+ 		goto drop;
+ 
+-	skb_push(skb, ETH_HLEN);
+ 	br_drop_fake_rtable(skb);
+ 
+ 	if (skb->ip_summed == CHECKSUM_PARTIAL &&
+@@ -96,12 +96,11 @@ static void __br_forward(const struct net_bridge_port *to,
+ 		net = dev_net(indev);
+ 	} else {
+ 		if (unlikely(netpoll_tx_running(to->br->dev))) {
+-			if (!is_skb_forwardable(skb->dev, skb)) {
++			skb_push(skb, ETH_HLEN);
++			if (!is_skb_forwardable(skb->dev, skb))
+ 				kfree_skb(skb);
+-			} else {
+-				skb_push(skb, ETH_HLEN);
++			else
+ 				br_netpoll_send_skb(to, skb);
+-			}
+ 			return;
+ 		}
+ 		br_hook = NF_BR_LOCAL_OUT;
+diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
+index 96c072e71ea2..5811208863b7 100644
+--- a/net/bridge/br_netfilter_ipv6.c
++++ b/net/bridge/br_netfilter_ipv6.c
+@@ -131,6 +131,7 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb)
+ 					IPSTATS_MIB_INDISCARDS);
+ 			goto drop;
+ 		}
++		hdr = ipv6_hdr(skb);
+ 	}
+ 	if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb))
+ 		goto drop;
+diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
+index eaf05de37f75..b09ec869c913 100644
+--- a/net/bridge/netfilter/nft_reject_bridge.c
++++ b/net/bridge/netfilter/nft_reject_bridge.c
+@@ -230,6 +230,7 @@ static bool reject6_br_csum_ok(struct sk_buff *skb, int hook)
+ 	    pskb_trim_rcsum(skb, ntohs(ip6h->payload_len) + sizeof(*ip6h)))
+ 		return false;
+ 
++	ip6h = ipv6_hdr(skb);
+ 	thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo);
+ 	if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0)
+ 		return false;
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 13690334efa3..12d851c4604d 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -67,6 +67,9 @@
+  */
+ #define MAX_NFRAMES 256
+ 
++/* limit timers to 400 days for sending/timeouts */
++#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60)
++
+ /* use of last_frames[index].flags */
+ #define RX_RECV    0x40 /* received data for this element */
+ #define RX_THR     0x80 /* element not been sent due to throttle feature */
+@@ -140,6 +143,22 @@ static inline ktime_t bcm_timeval_to_ktime(struct bcm_timeval tv)
+ 	return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC);
+ }
+ 
++/* check limitations for timeval provided by user */
++static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head)
++{
++	if ((msg_head->ival1.tv_sec < 0) ||
++	    (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) ||
++	    (msg_head->ival1.tv_usec < 0) ||
++	    (msg_head->ival1.tv_usec >= USEC_PER_SEC) ||
++	    (msg_head->ival2.tv_sec < 0) ||
++	    (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) ||
++	    (msg_head->ival2.tv_usec < 0) ||
++	    (msg_head->ival2.tv_usec >= USEC_PER_SEC))
++		return true;
++
++	return false;
++}
++
+ #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU)
+ #define OPSIZ sizeof(struct bcm_op)
+ #define MHSIZ sizeof(struct bcm_msg_head)
+@@ -886,6 +905,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ 	if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
+ 		return -EINVAL;
+ 
++	/* check timeval limitations */
++	if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
++		return -EINVAL;
++
+ 	/* check the given can_id */
+ 	op = bcm_find_op(&bo->tx_ops, msg_head, ifindex);
+ 	if (op) {
+@@ -1065,6 +1088,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
+ 	     (!(msg_head->can_id & CAN_RTR_FLAG))))
+ 		return -EINVAL;
+ 
++	/* check timeval limitations */
++	if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
++		return -EINVAL;
++
+ 	/* check the given can_id */
+ 	op = bcm_find_op(&bo->rx_ops, msg_head, ifindex);
+ 	if (op) {
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 1b3f860f7dcd..b5317b2b191d 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -193,7 +193,7 @@ static void fib_flush(struct net *net)
+ 		struct fib_table *tb;
+ 
+ 		hlist_for_each_entry_safe(tb, tmp, head, tb_hlist)
+-			flushed += fib_table_flush(net, tb);
++			flushed += fib_table_flush(net, tb, false);
+ 	}
+ 
+ 	if (flushed)
+@@ -1299,7 +1299,7 @@ static void ip_fib_net_exit(struct net *net)
+ 
+ 		hlist_for_each_entry_safe(tb, tmp, head, tb_hlist) {
+ 			hlist_del(&tb->tb_hlist);
+-			fib_table_flush(net, tb);
++			fib_table_flush(net, tb, true);
+ 			fib_free_table(tb);
+ 		}
+ 	}
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index c636650a6a70..bb847d280778 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1836,7 +1836,7 @@ void fib_table_flush_external(struct fib_table *tb)
+ }
+ 
+ /* Caller must hold RTNL. */
+-int fib_table_flush(struct net *net, struct fib_table *tb)
++int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+ {
+ 	struct trie *t = (struct trie *)tb->tb_data;
+ 	struct key_vector *pn = t->kv;
+@@ -1884,8 +1884,17 @@ int fib_table_flush(struct net *net, struct fib_table *tb)
+ 		hlist_for_each_entry_safe(fa, tmp, &n->leaf, fa_list) {
+ 			struct fib_info *fi = fa->fa_info;
+ 
+-			if (!fi || !(fi->fib_flags & RTNH_F_DEAD) ||
+-			    tb->tb_id != fa->tb_id) {
++			if (!fi || tb->tb_id != fa->tb_id ||
++			    (!(fi->fib_flags & RTNH_F_DEAD) &&
++			     !fib_props[fa->fa_type].error)) {
++				slen = fa->fa_slen;
++				continue;
++			}
++
++			/* Do not flush error routes if network namespace is
++			 * not being dismantled
++			 */
++			if (!flush_all && fib_props[fa->fa_type].error) {
+ 				slen = fa->fa_slen;
+ 				continue;
+ 			}
+diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
+index 653be98fe3fb..6ffee9d2b0e5 100644
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -90,7 +90,7 @@ static void inet_frags_free_cb(void *ptr, void *arg)
+ 
+ void inet_frags_exit_net(struct netns_frags *nf)
+ {
+-	nf->low_thresh = 0; /* prevent creation of new frags */
++	nf->high_thresh = 0; /* prevent creation of new frags */
+ 
+ 	rhashtable_free_and_destroy(&nf->rhashtable, inet_frags_free_cb, NULL);
+ }
+diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+index 57fc13c6ab2b..1b160378ea9c 100644
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -481,6 +481,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
+ 		goto drop;
+ 	}
+ 
++	iph = ip_hdr(skb);
+ 	skb->transport_header = skb->network_header + iph->ihl*4;
+ 
+ 	/* Remove any debris in the socket control block */
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 8109985e78a1..fd14501ac3af 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1178,7 +1178,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
+ 	flags = msg->msg_flags;
+ 
+ 	if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) {
+-		if (sk->sk_state != TCP_ESTABLISHED) {
++		if ((1 << sk->sk_state) & ~(TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) {
+ 			err = -EINVAL;
+ 			goto out_err;
+ 		}
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index f70e9cbf33d5..e687b89dafe6 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -459,7 +459,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
+ 			return -EINVAL;
+ 		}
+ 
+-		if (!nz || !is_all_zero(nla_data(nla), expected_len)) {
++		if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
+ 			attrs |= 1 << type;
+ 			a[type] = nla;
+ 		}
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index 04a70793c1fe..32819d1e2075 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -318,7 +318,6 @@ EXPORT_SYMBOL(tcf_block_put);
+ int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
+ 		 struct tcf_result *res, bool compat_mode)
+ {
+-	__be16 protocol = tc_skb_protocol(skb);
+ #ifdef CONFIG_NET_CLS_ACT
+ 	const int max_reclassify_loop = 4;
+ 	const struct tcf_proto *orig_tp = tp;
+@@ -328,6 +327,7 @@ int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
+ reclassify:
+ #endif
+ 	for (; tp; tp = rcu_dereference_bh(tp->next)) {
++		__be16 protocol = tc_skb_protocol(skb);
+ 		int err;
+ 
+ 		if (tp->protocol != protocol &&
+@@ -359,7 +359,6 @@ reset:
+ 	}
+ 
+ 	tp = first_tp;
+-	protocol = tc_skb_protocol(skb);
+ 	goto reclassify;
+ #endif
+ }
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 0a225dc85044..fb1cec46380d 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -969,6 +969,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+ 	SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
+ 	SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
+ 	SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO),
++	SND_PCI_QUIRK(0x103c, 0x837f, "HP ProBook 470 G5", CXT_FIXUP_MUTE_LED_GPIO),
+ 	SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ 	SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+diff --git a/sound/soc/codecs/rt5514-spi.c b/sound/soc/codecs/rt5514-spi.c
+index 12f2ecf3a4fe..662afc529060 100644
+--- a/sound/soc/codecs/rt5514-spi.c
++++ b/sound/soc/codecs/rt5514-spi.c
+@@ -265,6 +265,8 @@ static int rt5514_spi_pcm_probe(struct snd_soc_platform *platform)
+ 
+ 	rt5514_dsp = devm_kzalloc(platform->dev, sizeof(*rt5514_dsp),
+ 			GFP_KERNEL);
++	if (!rt5514_dsp)
++		return -ENOMEM;
+ 
+ 	rt5514_dsp->dev = &rt5514_spi->dev;
+ 	mutex_init(&rt5514_dsp->dma_lock);
+diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+index 43e7fdd19f29..4558c8b93036 100644
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -399,7 +399,13 @@ static int sst_media_hw_params(struct snd_pcm_substream *substream,
+ 				struct snd_pcm_hw_params *params,
+ 				struct snd_soc_dai *dai)
+ {
+-	snd_pcm_lib_malloc_pages(substream, params_buffer_bytes(params));
++	int ret;
++
++	ret =
++		snd_pcm_lib_malloc_pages(substream,
++				params_buffer_bytes(params));
++	if (ret)
++		return ret;
+ 	memset(substream->runtime->dma_area, 0, params_buffer_bytes(params));
+ 	return 0;
+ }
+diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c
+index 1e9c974faf67..f1fe5acdbba4 100644
+--- a/tools/perf/util/unwind-libdw.c
++++ b/tools/perf/util/unwind-libdw.c
+@@ -44,13 +44,13 @@ static int __report_module(struct addr_location *al, u64 ip,
+ 		Dwarf_Addr s;
+ 
+ 		dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL);
+-		if (s != al->map->start)
++		if (s != al->map->start - al->map->pgoff)
+ 			mod = 0;
+ 	}
+ 
+ 	if (!mod)
+ 		mod = dwfl_report_elf(ui->dwfl, dso->short_name,
+-				      dso->long_name, -1, al->map->start,
++				      (dso->symsrc_filename ? dso->symsrc_filename : dso->long_name), -1, al->map->start - al->map->pgoff,
+ 				      false);
+ 
+ 	return mod && dwfl_addrmodule(ui->dwfl, ip) == mod ? 0 : -1;
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
+index e350cf3d4f90..194759ec9e70 100644
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -145,15 +145,6 @@ struct seccomp_data {
+ #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
+ #endif
+ 
+-#ifndef PTRACE_SECCOMP_GET_METADATA
+-#define PTRACE_SECCOMP_GET_METADATA	0x420d
+-
+-struct seccomp_metadata {
+-	__u64 filter_off;       /* Input: which filter */
+-	__u64 flags;             /* Output: filter's flags */
+-};
+-#endif
+-
+ #ifndef seccomp
+ int seccomp(unsigned int op, unsigned int flags, void *args)
+ {
+@@ -2870,58 +2861,6 @@ TEST(get_action_avail)
+ 	EXPECT_EQ(errno, EOPNOTSUPP);
+ }
+ 
+-TEST(get_metadata)
+-{
+-	pid_t pid;
+-	int pipefd[2];
+-	char buf;
+-	struct seccomp_metadata md;
+-
+-	ASSERT_EQ(0, pipe(pipefd));
+-
+-	pid = fork();
+-	ASSERT_GE(pid, 0);
+-	if (pid == 0) {
+-		struct sock_filter filter[] = {
+-			BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
+-		};
+-		struct sock_fprog prog = {
+-			.len = (unsigned short)ARRAY_SIZE(filter),
+-			.filter = filter,
+-		};
+-
+-		/* one with log, one without */
+-		ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER,
+-				     SECCOMP_FILTER_FLAG_LOG, &prog));
+-		ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog));
+-
+-		ASSERT_EQ(0, close(pipefd[0]));
+-		ASSERT_EQ(1, write(pipefd[1], "1", 1));
+-		ASSERT_EQ(0, close(pipefd[1]));
+-
+-		while (1)
+-			sleep(100);
+-	}
+-
+-	ASSERT_EQ(0, close(pipefd[1]));
+-	ASSERT_EQ(1, read(pipefd[0], &buf, 1));
+-
+-	ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid));
+-	ASSERT_EQ(pid, waitpid(pid, NULL, 0));
+-
+-	md.filter_off = 0;
+-	ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
+-	EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG);
+-	EXPECT_EQ(md.filter_off, 0);
+-
+-	md.filter_off = 1;
+-	ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md));
+-	EXPECT_EQ(md.flags, 0);
+-	EXPECT_EQ(md.filter_off, 1);
+-
+-	ASSERT_EQ(0, kill(pid, SIGKILL));
+-}
+-
+ /*
+  * TODO:
+  * - add microbenchmarks
+diff --git a/tools/testing/selftests/x86/protection_keys.c b/tools/testing/selftests/x86/protection_keys.c
+index 460b4bdf4c1e..5d546dcdbc80 100644
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -1133,6 +1133,21 @@ void test_pkey_syscalls_bad_args(int *ptr, u16 pkey)
+ 	pkey_assert(err);
+ }
+ 
++void become_child(void)
++{
++	pid_t forkret;
++
++	forkret = fork();
++	pkey_assert(forkret >= 0);
++	dprintf3("[%d] fork() ret: %d\n", getpid(), forkret);
++
++	if (!forkret) {
++		/* in the child */
++		return;
++	}
++	exit(0);
++}
++
+ /* Assumes that all pkeys other than 'pkey' are unallocated */
+ void test_pkey_alloc_exhaust(int *ptr, u16 pkey)
+ {
+@@ -1141,7 +1156,7 @@ void test_pkey_alloc_exhaust(int *ptr, u16 pkey)
+ 	int nr_allocated_pkeys = 0;
+ 	int i;
+ 
+-	for (i = 0; i < NR_PKEYS*2; i++) {
++	for (i = 0; i < NR_PKEYS*3; i++) {
+ 		int new_pkey;
+ 		dprintf1("%s() alloc loop: %d\n", __func__, i);
+ 		new_pkey = alloc_pkey();
+@@ -1152,20 +1167,26 @@ void test_pkey_alloc_exhaust(int *ptr, u16 pkey)
+ 		if ((new_pkey == -1) && (errno == ENOSPC)) {
+ 			dprintf2("%s() failed to allocate pkey after %d tries\n",
+ 				__func__, nr_allocated_pkeys);
+-			break;
++		} else {
++			/*
++			 * Ensure the number of successes never
++			 * exceeds the number of keys supported
++			 * in the hardware.
++			 */
++			pkey_assert(nr_allocated_pkeys < NR_PKEYS);
++			allocated_pkeys[nr_allocated_pkeys++] = new_pkey;
+ 		}
+-		pkey_assert(nr_allocated_pkeys < NR_PKEYS);
+-		allocated_pkeys[nr_allocated_pkeys++] = new_pkey;
++
++		/*
++		 * Make sure that allocation state is properly
++		 * preserved across fork().
++		 */
++		if (i == NR_PKEYS*2)
++			become_child();
+ 	}
+ 
+ 	dprintf3("%s()::%d\n", __func__, __LINE__);
+ 
+-	/*
+-	 * ensure it did not reach the end of the loop without
+-	 * failure:
+-	 */
+-	pkey_assert(i < NR_PKEYS*2);
+-
+ 	/*
+ 	 * There are 16 pkeys supported in hardware.  Three are
+ 	 * allocated by the time we get here: