Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Wed, 03 Apr 2019 10:58:12
Message-Id: 1554289074.86c7214cb6309544bbd293287019dfdcd331f87e.mpagano@gentoo
1 commit: 86c7214cb6309544bbd293287019dfdcd331f87e
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Apr 3 10:57:54 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Apr 3 10:57:54 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=86c7214c
7
8 Linux patch 4.14.110
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1109_linux-4.14.110.patch | 3409 +++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 3413 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index 4a5cbb0..a696c1c 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -479,6 +479,10 @@ Patch: 1108_4.14.109.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.14.109
23
24 +Patch: 1109_4.14.110.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.14.110
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1109_linux-4.14.110.patch b/1109_linux-4.14.110.patch
33 new file mode 100644
34 index 0000000..34378ef
35 --- /dev/null
36 +++ b/1109_linux-4.14.110.patch
37 @@ -0,0 +1,3409 @@
38 +diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
39 +index 5d12166bd66b..f67ed33d1054 100644
40 +--- a/Documentation/virtual/kvm/api.txt
41 ++++ b/Documentation/virtual/kvm/api.txt
42 +@@ -13,7 +13,7 @@ of a virtual machine. The ioctls belong to three classes
43 +
44 + - VM ioctls: These query and set attributes that affect an entire virtual
45 + machine, for example memory layout. In addition a VM ioctl is used to
46 +- create virtual cpus (vcpus).
47 ++ create virtual cpus (vcpus) and devices.
48 +
49 + Only run VM ioctls from the same process (address space) that was used
50 + to create the VM.
51 +@@ -24,6 +24,11 @@ of a virtual machine. The ioctls belong to three classes
52 + Only run vcpu ioctls from the same thread that was used to create the
53 + vcpu.
54 +
55 ++ - device ioctls: These query and set attributes that control the operation
56 ++ of a single device.
57 ++
58 ++ device ioctls must be issued from the same process (address space) that
59 ++ was used to create the VM.
60 +
61 + 2. File descriptors
62 + -------------------
63 +@@ -32,10 +37,11 @@ The kvm API is centered around file descriptors. An initial
64 + open("/dev/kvm") obtains a handle to the kvm subsystem; this handle
65 + can be used to issue system ioctls. A KVM_CREATE_VM ioctl on this
66 + handle will create a VM file descriptor which can be used to issue VM
67 +-ioctls. A KVM_CREATE_VCPU ioctl on a VM fd will create a virtual cpu
68 +-and return a file descriptor pointing to it. Finally, ioctls on a vcpu
69 +-fd can be used to control the vcpu, including the important task of
70 +-actually running guest code.
71 ++ioctls. A KVM_CREATE_VCPU or KVM_CREATE_DEVICE ioctl on a VM fd will
72 ++create a virtual cpu or device and return a file descriptor pointing to
73 ++the new resource. Finally, ioctls on a vcpu or device fd can be used
74 ++to control the vcpu or device. For vcpus, this includes the important
75 ++task of actually running guest code.
76 +
77 + In general file descriptors can be migrated among processes by means
78 + of fork() and the SCM_RIGHTS facility of unix domain socket. These
79 +diff --git a/Makefile b/Makefile
80 +index e02bced59a57..37bd0b40876d 100644
81 +--- a/Makefile
82 ++++ b/Makefile
83 +@@ -1,7 +1,7 @@
84 + # SPDX-License-Identifier: GPL-2.0
85 + VERSION = 4
86 + PATCHLEVEL = 14
87 +-SUBLEVEL = 109
88 ++SUBLEVEL = 110
89 + EXTRAVERSION =
90 + NAME = Petit Gorille
91 +
92 +diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c
93 +index bfeb25aaf9a2..326e870d7123 100644
94 +--- a/arch/arm/mach-imx/cpuidle-imx6q.c
95 ++++ b/arch/arm/mach-imx/cpuidle-imx6q.c
96 +@@ -16,30 +16,23 @@
97 + #include "cpuidle.h"
98 + #include "hardware.h"
99 +
100 +-static atomic_t master = ATOMIC_INIT(0);
101 +-static DEFINE_SPINLOCK(master_lock);
102 ++static int num_idle_cpus = 0;
103 ++static DEFINE_SPINLOCK(cpuidle_lock);
104 +
105 + static int imx6q_enter_wait(struct cpuidle_device *dev,
106 + struct cpuidle_driver *drv, int index)
107 + {
108 +- if (atomic_inc_return(&master) == num_online_cpus()) {
109 +- /*
110 +- * With this lock, we prevent other cpu to exit and enter
111 +- * this function again and become the master.
112 +- */
113 +- if (!spin_trylock(&master_lock))
114 +- goto idle;
115 ++ spin_lock(&cpuidle_lock);
116 ++ if (++num_idle_cpus == num_online_cpus())
117 + imx6_set_lpm(WAIT_UNCLOCKED);
118 +- cpu_do_idle();
119 +- imx6_set_lpm(WAIT_CLOCKED);
120 +- spin_unlock(&master_lock);
121 +- goto done;
122 +- }
123 ++ spin_unlock(&cpuidle_lock);
124 +
125 +-idle:
126 + cpu_do_idle();
127 +-done:
128 +- atomic_dec(&master);
129 ++
130 ++ spin_lock(&cpuidle_lock);
131 ++ if (num_idle_cpus-- == num_online_cpus())
132 ++ imx6_set_lpm(WAIT_CLOCKED);
133 ++ spin_unlock(&cpuidle_lock);
134 +
135 + return index;
136 + }
137 +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
138 +index fe418226df7f..de3b07c7be30 100644
139 +--- a/arch/powerpc/Kconfig
140 ++++ b/arch/powerpc/Kconfig
141 +@@ -164,7 +164,7 @@ config PPC
142 + select GENERIC_CLOCKEVENTS_BROADCAST if SMP
143 + select GENERIC_CMOS_UPDATE
144 + select GENERIC_CPU_AUTOPROBE
145 +- select GENERIC_CPU_VULNERABILITIES if PPC_BOOK3S_64
146 ++ select GENERIC_CPU_VULNERABILITIES if PPC_BARRIER_NOSPEC
147 + select GENERIC_IRQ_SHOW
148 + select GENERIC_IRQ_SHOW_LEVEL
149 + select GENERIC_SMP_IDLE_THREAD
150 +@@ -236,6 +236,11 @@ config PPC
151 + # Please keep this list sorted alphabetically.
152 + #
153 +
154 ++config PPC_BARRIER_NOSPEC
155 ++ bool
156 ++ default y
157 ++ depends on PPC_BOOK3S_64 || PPC_FSL_BOOK3E
158 ++
159 + config GENERIC_CSUM
160 + def_bool n
161 +
162 +diff --git a/arch/powerpc/include/asm/asm-prototypes.h b/arch/powerpc/include/asm/asm-prototypes.h
163 +index 7330150bfe34..ba4c75062d49 100644
164 +--- a/arch/powerpc/include/asm/asm-prototypes.h
165 ++++ b/arch/powerpc/include/asm/asm-prototypes.h
166 +@@ -126,4 +126,10 @@ extern int __ucmpdi2(u64, u64);
167 + void _mcount(void);
168 + unsigned long prepare_ftrace_return(unsigned long parent, unsigned long ip);
169 +
170 ++/* Patch sites */
171 ++extern s32 patch__call_flush_count_cache;
172 ++extern s32 patch__flush_count_cache_return;
173 ++
174 ++extern long flush_count_cache;
175 ++
176 + #endif /* _ASM_POWERPC_ASM_PROTOTYPES_H */
177 +diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h
178 +index e582d2c88092..449474f667c4 100644
179 +--- a/arch/powerpc/include/asm/barrier.h
180 ++++ b/arch/powerpc/include/asm/barrier.h
181 +@@ -77,19 +77,25 @@ do { \
182 + })
183 +
184 + #ifdef CONFIG_PPC_BOOK3S_64
185 ++#define NOSPEC_BARRIER_SLOT nop
186 ++#elif defined(CONFIG_PPC_FSL_BOOK3E)
187 ++#define NOSPEC_BARRIER_SLOT nop; nop
188 ++#endif
189 ++
190 ++#ifdef CONFIG_PPC_BARRIER_NOSPEC
191 + /*
192 + * Prevent execution of subsequent instructions until preceding branches have
193 + * been fully resolved and are no longer executing speculatively.
194 + */
195 +-#define barrier_nospec_asm ori 31,31,0
196 ++#define barrier_nospec_asm NOSPEC_BARRIER_FIXUP_SECTION; NOSPEC_BARRIER_SLOT
197 +
198 + // This also acts as a compiler barrier due to the memory clobber.
199 + #define barrier_nospec() asm (stringify_in_c(barrier_nospec_asm) ::: "memory")
200 +
201 +-#else /* !CONFIG_PPC_BOOK3S_64 */
202 ++#else /* !CONFIG_PPC_BARRIER_NOSPEC */
203 + #define barrier_nospec_asm
204 + #define barrier_nospec()
205 +-#endif
206 ++#endif /* CONFIG_PPC_BARRIER_NOSPEC */
207 +
208 + #include <asm-generic/barrier.h>
209 +
210 +diff --git a/arch/powerpc/include/asm/code-patching-asm.h b/arch/powerpc/include/asm/code-patching-asm.h
211 +new file mode 100644
212 +index 000000000000..ed7b1448493a
213 +--- /dev/null
214 ++++ b/arch/powerpc/include/asm/code-patching-asm.h
215 +@@ -0,0 +1,18 @@
216 ++/* SPDX-License-Identifier: GPL-2.0+ */
217 ++/*
218 ++ * Copyright 2018, Michael Ellerman, IBM Corporation.
219 ++ */
220 ++#ifndef _ASM_POWERPC_CODE_PATCHING_ASM_H
221 ++#define _ASM_POWERPC_CODE_PATCHING_ASM_H
222 ++
223 ++/* Define a "site" that can be patched */
224 ++.macro patch_site label name
225 ++ .pushsection ".rodata"
226 ++ .balign 4
227 ++ .global \name
228 ++\name:
229 ++ .4byte \label - .
230 ++ .popsection
231 ++.endm
232 ++
233 ++#endif /* _ASM_POWERPC_CODE_PATCHING_ASM_H */
234 +diff --git a/arch/powerpc/include/asm/code-patching.h b/arch/powerpc/include/asm/code-patching.h
235 +index 812535f40124..b2051234ada8 100644
236 +--- a/arch/powerpc/include/asm/code-patching.h
237 ++++ b/arch/powerpc/include/asm/code-patching.h
238 +@@ -32,6 +32,8 @@ unsigned int create_cond_branch(const unsigned int *addr,
239 + int patch_branch(unsigned int *addr, unsigned long target, int flags);
240 + int patch_instruction(unsigned int *addr, unsigned int instr);
241 + int raw_patch_instruction(unsigned int *addr, unsigned int instr);
242 ++int patch_instruction_site(s32 *addr, unsigned int instr);
243 ++int patch_branch_site(s32 *site, unsigned long target, int flags);
244 +
245 + int instr_is_relative_branch(unsigned int instr);
246 + int instr_is_relative_link_branch(unsigned int instr);
247 +diff --git a/arch/powerpc/include/asm/feature-fixups.h b/arch/powerpc/include/asm/feature-fixups.h
248 +index a9b64df34e2a..b1d478acbaec 100644
249 +--- a/arch/powerpc/include/asm/feature-fixups.h
250 ++++ b/arch/powerpc/include/asm/feature-fixups.h
251 +@@ -211,6 +211,25 @@ label##3: \
252 + FTR_ENTRY_OFFSET 951b-952b; \
253 + .popsection;
254 +
255 ++#define NOSPEC_BARRIER_FIXUP_SECTION \
256 ++953: \
257 ++ .pushsection __barrier_nospec_fixup,"a"; \
258 ++ .align 2; \
259 ++954: \
260 ++ FTR_ENTRY_OFFSET 953b-954b; \
261 ++ .popsection;
262 ++
263 ++#define START_BTB_FLUSH_SECTION \
264 ++955: \
265 ++
266 ++#define END_BTB_FLUSH_SECTION \
267 ++956: \
268 ++ .pushsection __btb_flush_fixup,"a"; \
269 ++ .align 2; \
270 ++957: \
271 ++ FTR_ENTRY_OFFSET 955b-957b; \
272 ++ FTR_ENTRY_OFFSET 956b-957b; \
273 ++ .popsection;
274 +
275 + #ifndef __ASSEMBLY__
276 + #include <linux/types.h>
277 +@@ -219,6 +238,8 @@ extern long stf_barrier_fallback;
278 + extern long __start___stf_entry_barrier_fixup, __stop___stf_entry_barrier_fixup;
279 + extern long __start___stf_exit_barrier_fixup, __stop___stf_exit_barrier_fixup;
280 + extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup;
281 ++extern long __start___barrier_nospec_fixup, __stop___barrier_nospec_fixup;
282 ++extern long __start__btb_flush_fixup, __stop__btb_flush_fixup;
283 +
284 + void apply_feature_fixups(void);
285 + void setup_feature_keys(void);
286 +diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
287 +index 5a740feb7bd7..15cef59092c7 100644
288 +--- a/arch/powerpc/include/asm/hvcall.h
289 ++++ b/arch/powerpc/include/asm/hvcall.h
290 +@@ -340,10 +340,12 @@
291 + #define H_CPU_CHAR_BRANCH_HINTS_HONORED (1ull << 58) // IBM bit 5
292 + #define H_CPU_CHAR_THREAD_RECONFIG_CTRL (1ull << 57) // IBM bit 6
293 + #define H_CPU_CHAR_COUNT_CACHE_DISABLED (1ull << 56) // IBM bit 7
294 ++#define H_CPU_CHAR_BCCTR_FLUSH_ASSIST (1ull << 54) // IBM bit 9
295 +
296 + #define H_CPU_BEHAV_FAVOUR_SECURITY (1ull << 63) // IBM bit 0
297 + #define H_CPU_BEHAV_L1D_FLUSH_PR (1ull << 62) // IBM bit 1
298 + #define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR (1ull << 61) // IBM bit 2
299 ++#define H_CPU_BEHAV_FLUSH_COUNT_CACHE (1ull << 58) // IBM bit 5
300 +
301 + /* Flag values used in H_REGISTER_PROC_TBL hcall */
302 + #define PROC_TABLE_OP_MASK 0x18
303 +diff --git a/arch/powerpc/include/asm/ppc-opcode.h b/arch/powerpc/include/asm/ppc-opcode.h
304 +index ce0930d68857..b991bd31b383 100644
305 +--- a/arch/powerpc/include/asm/ppc-opcode.h
306 ++++ b/arch/powerpc/include/asm/ppc-opcode.h
307 +@@ -288,6 +288,7 @@
308 + /* Misc instructions for BPF compiler */
309 + #define PPC_INST_LBZ 0x88000000
310 + #define PPC_INST_LD 0xe8000000
311 ++#define PPC_INST_LDX 0x7c00002a
312 + #define PPC_INST_LHZ 0xa0000000
313 + #define PPC_INST_LWZ 0x80000000
314 + #define PPC_INST_LHBRX 0x7c00062c
315 +@@ -295,6 +296,7 @@
316 + #define PPC_INST_STB 0x98000000
317 + #define PPC_INST_STH 0xb0000000
318 + #define PPC_INST_STD 0xf8000000
319 ++#define PPC_INST_STDX 0x7c00012a
320 + #define PPC_INST_STDU 0xf8000001
321 + #define PPC_INST_STW 0x90000000
322 + #define PPC_INST_STWU 0x94000000
323 +diff --git a/arch/powerpc/include/asm/ppc_asm.h b/arch/powerpc/include/asm/ppc_asm.h
324 +index 36f3e41c9fbe..3e1b8de72776 100644
325 +--- a/arch/powerpc/include/asm/ppc_asm.h
326 ++++ b/arch/powerpc/include/asm/ppc_asm.h
327 +@@ -802,4 +802,14 @@ END_FTR_SECTION_IFCLR(CPU_FTR_601)
328 + stringify_in_c(.long (_target) - . ;) \
329 + stringify_in_c(.previous)
330 +
331 ++#ifdef CONFIG_PPC_FSL_BOOK3E
332 ++#define BTB_FLUSH(reg) \
333 ++ lis reg,BUCSR_INIT@h; \
334 ++ ori reg,reg,BUCSR_INIT@l; \
335 ++ mtspr SPRN_BUCSR,reg; \
336 ++ isync;
337 ++#else
338 ++#define BTB_FLUSH(reg)
339 ++#endif /* CONFIG_PPC_FSL_BOOK3E */
340 ++
341 + #endif /* _ASM_POWERPC_PPC_ASM_H */
342 +diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h
343 +index 44989b22383c..759597bf0fd8 100644
344 +--- a/arch/powerpc/include/asm/security_features.h
345 ++++ b/arch/powerpc/include/asm/security_features.h
346 +@@ -22,6 +22,7 @@ enum stf_barrier_type {
347 +
348 + void setup_stf_barrier(void);
349 + void do_stf_barrier_fixups(enum stf_barrier_type types);
350 ++void setup_count_cache_flush(void);
351 +
352 + static inline void security_ftr_set(unsigned long feature)
353 + {
354 +@@ -59,6 +60,9 @@ static inline bool security_ftr_enabled(unsigned long feature)
355 + // Indirect branch prediction cache disabled
356 + #define SEC_FTR_COUNT_CACHE_DISABLED 0x0000000000000020ull
357 +
358 ++// bcctr 2,0,0 triggers a hardware assisted count cache flush
359 ++#define SEC_FTR_BCCTR_FLUSH_ASSIST 0x0000000000000800ull
360 ++
361 +
362 + // Features indicating need for Spectre/Meltdown mitigations
363 +
364 +@@ -74,6 +78,9 @@ static inline bool security_ftr_enabled(unsigned long feature)
365 + // Firmware configuration indicates user favours security over performance
366 + #define SEC_FTR_FAVOUR_SECURITY 0x0000000000000200ull
367 +
368 ++// Software required to flush count cache on context switch
369 ++#define SEC_FTR_FLUSH_COUNT_CACHE 0x0000000000000400ull
370 ++
371 +
372 + // Features enabled by default
373 + #define SEC_FTR_DEFAULT \
374 +diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h
375 +index a5e919e34c42..5ceab440ecb9 100644
376 +--- a/arch/powerpc/include/asm/setup.h
377 ++++ b/arch/powerpc/include/asm/setup.h
378 +@@ -52,6 +52,26 @@ enum l1d_flush_type {
379 +
380 + void setup_rfi_flush(enum l1d_flush_type, bool enable);
381 + void do_rfi_flush_fixups(enum l1d_flush_type types);
382 ++#ifdef CONFIG_PPC_BARRIER_NOSPEC
383 ++void setup_barrier_nospec(void);
384 ++#else
385 ++static inline void setup_barrier_nospec(void) { };
386 ++#endif
387 ++void do_barrier_nospec_fixups(bool enable);
388 ++extern bool barrier_nospec_enabled;
389 ++
390 ++#ifdef CONFIG_PPC_BARRIER_NOSPEC
391 ++void do_barrier_nospec_fixups_range(bool enable, void *start, void *end);
392 ++#else
393 ++static inline void do_barrier_nospec_fixups_range(bool enable, void *start, void *end) { };
394 ++#endif
395 ++
396 ++#ifdef CONFIG_PPC_FSL_BOOK3E
397 ++void setup_spectre_v2(void);
398 ++#else
399 ++static inline void setup_spectre_v2(void) {};
400 ++#endif
401 ++void do_btb_flush_fixups(void);
402 +
403 + #endif /* !__ASSEMBLY__ */
404 +
405 +diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
406 +index cf26e62b268d..bd6d0fb5be9f 100644
407 +--- a/arch/powerpc/include/asm/uaccess.h
408 ++++ b/arch/powerpc/include/asm/uaccess.h
409 +@@ -238,6 +238,7 @@ do { \
410 + __chk_user_ptr(ptr); \
411 + if (!is_kernel_addr((unsigned long)__gu_addr)) \
412 + might_fault(); \
413 ++ barrier_nospec(); \
414 + __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
415 + (x) = (__typeof__(*(ptr)))__gu_val; \
416 + __gu_err; \
417 +@@ -249,8 +250,10 @@ do { \
418 + __long_type(*(ptr)) __gu_val = 0; \
419 + const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
420 + might_fault(); \
421 +- if (access_ok(VERIFY_READ, __gu_addr, (size))) \
422 ++ if (access_ok(VERIFY_READ, __gu_addr, (size))) { \
423 ++ barrier_nospec(); \
424 + __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
425 ++ } \
426 + (x) = (__force __typeof__(*(ptr)))__gu_val; \
427 + __gu_err; \
428 + })
429 +@@ -261,6 +264,7 @@ do { \
430 + __long_type(*(ptr)) __gu_val; \
431 + const __typeof__(*(ptr)) __user *__gu_addr = (ptr); \
432 + __chk_user_ptr(ptr); \
433 ++ barrier_nospec(); \
434 + __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
435 + (x) = (__force __typeof__(*(ptr)))__gu_val; \
436 + __gu_err; \
437 +@@ -288,15 +292,19 @@ static inline unsigned long raw_copy_from_user(void *to,
438 +
439 + switch (n) {
440 + case 1:
441 ++ barrier_nospec();
442 + __get_user_size(*(u8 *)to, from, 1, ret);
443 + break;
444 + case 2:
445 ++ barrier_nospec();
446 + __get_user_size(*(u16 *)to, from, 2, ret);
447 + break;
448 + case 4:
449 ++ barrier_nospec();
450 + __get_user_size(*(u32 *)to, from, 4, ret);
451 + break;
452 + case 8:
453 ++ barrier_nospec();
454 + __get_user_size(*(u64 *)to, from, 8, ret);
455 + break;
456 + }
457 +@@ -304,6 +312,7 @@ static inline unsigned long raw_copy_from_user(void *to,
458 + return 0;
459 + }
460 +
461 ++ barrier_nospec();
462 + return __copy_tofrom_user((__force void __user *)to, from, n);
463 + }
464 +
465 +diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
466 +index a1089c9a9aa5..142b08d40642 100644
467 +--- a/arch/powerpc/kernel/Makefile
468 ++++ b/arch/powerpc/kernel/Makefile
469 +@@ -45,9 +45,10 @@ obj-$(CONFIG_VDSO32) += vdso32/
470 + obj-$(CONFIG_PPC_WATCHDOG) += watchdog.o
471 + obj-$(CONFIG_HAVE_HW_BREAKPOINT) += hw_breakpoint.o
472 + obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_ppc970.o cpu_setup_pa6t.o
473 +-obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o security.o
474 ++obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o
475 + obj-$(CONFIG_PPC_BOOK3S_64) += mce.o mce_power.o
476 + obj-$(CONFIG_PPC_BOOK3E_64) += exceptions-64e.o idle_book3e.o
477 ++obj-$(CONFIG_PPC_BARRIER_NOSPEC) += security.o
478 + obj-$(CONFIG_PPC64) += vdso64/
479 + obj-$(CONFIG_ALTIVEC) += vecemu.o
480 + obj-$(CONFIG_PPC_970_NAP) += idle_power4.o
481 +diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
482 +index 4ae464b9d490..a2999cd73a82 100644
483 +--- a/arch/powerpc/kernel/entry_32.S
484 ++++ b/arch/powerpc/kernel/entry_32.S
485 +@@ -33,6 +33,7 @@
486 + #include <asm/unistd.h>
487 + #include <asm/ptrace.h>
488 + #include <asm/export.h>
489 ++#include <asm/barrier.h>
490 +
491 + /*
492 + * MSR_KERNEL is > 0x10000 on 4xx/Book-E since it include MSR_CE.
493 +@@ -358,6 +359,15 @@ syscall_dotrace_cont:
494 + ori r10,r10,sys_call_table@l
495 + slwi r0,r0,2
496 + bge- 66f
497 ++
498 ++ barrier_nospec_asm
499 ++ /*
500 ++ * Prevent the load of the handler below (based on the user-passed
501 ++ * system call number) being speculatively executed until the test
502 ++ * against NR_syscalls and branch to .66f above has
503 ++ * committed.
504 ++ */
505 ++
506 + lwzx r10,r10,r0 /* Fetch system call handler [ptr] */
507 + mtlr r10
508 + addi r9,r1,STACK_FRAME_OVERHEAD
509 +diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
510 +index c194f4c8e66b..12395895b9aa 100644
511 +--- a/arch/powerpc/kernel/entry_64.S
512 ++++ b/arch/powerpc/kernel/entry_64.S
513 +@@ -25,6 +25,7 @@
514 + #include <asm/page.h>
515 + #include <asm/mmu.h>
516 + #include <asm/thread_info.h>
517 ++#include <asm/code-patching-asm.h>
518 + #include <asm/ppc_asm.h>
519 + #include <asm/asm-offsets.h>
520 + #include <asm/cputable.h>
521 +@@ -36,6 +37,7 @@
522 + #include <asm/context_tracking.h>
523 + #include <asm/tm.h>
524 + #include <asm/ppc-opcode.h>
525 ++#include <asm/barrier.h>
526 + #include <asm/export.h>
527 + #ifdef CONFIG_PPC_BOOK3S
528 + #include <asm/exception-64s.h>
529 +@@ -76,6 +78,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_TM)
530 + std r0,GPR0(r1)
531 + std r10,GPR1(r1)
532 + beq 2f /* if from kernel mode */
533 ++#ifdef CONFIG_PPC_FSL_BOOK3E
534 ++START_BTB_FLUSH_SECTION
535 ++ BTB_FLUSH(r10)
536 ++END_BTB_FLUSH_SECTION
537 ++#endif
538 + ACCOUNT_CPU_USER_ENTRY(r13, r10, r11)
539 + 2: std r2,GPR2(r1)
540 + std r3,GPR3(r1)
541 +@@ -179,6 +186,15 @@ system_call: /* label this so stack traces look sane */
542 + clrldi r8,r8,32
543 + 15:
544 + slwi r0,r0,4
545 ++
546 ++ barrier_nospec_asm
547 ++ /*
548 ++ * Prevent the load of the handler below (based on the user-passed
549 ++ * system call number) being speculatively executed until the test
550 ++ * against NR_syscalls and branch to .Lsyscall_enosys above has
551 ++ * committed.
552 ++ */
553 ++
554 + ldx r12,r11,r0 /* Fetch system call handler [ptr] */
555 + mtctr r12
556 + bctrl /* Call handler */
557 +@@ -487,6 +503,57 @@ _GLOBAL(ret_from_kernel_thread)
558 + li r3,0
559 + b .Lsyscall_exit
560 +
561 ++#ifdef CONFIG_PPC_BOOK3S_64
562 ++
563 ++#define FLUSH_COUNT_CACHE \
564 ++1: nop; \
565 ++ patch_site 1b, patch__call_flush_count_cache
566 ++
567 ++
568 ++#define BCCTR_FLUSH .long 0x4c400420
569 ++
570 ++.macro nops number
571 ++ .rept \number
572 ++ nop
573 ++ .endr
574 ++.endm
575 ++
576 ++.balign 32
577 ++.global flush_count_cache
578 ++flush_count_cache:
579 ++ /* Save LR into r9 */
580 ++ mflr r9
581 ++
582 ++ .rept 64
583 ++ bl .+4
584 ++ .endr
585 ++ b 1f
586 ++ nops 6
587 ++
588 ++ .balign 32
589 ++ /* Restore LR */
590 ++1: mtlr r9
591 ++ li r9,0x7fff
592 ++ mtctr r9
593 ++
594 ++ BCCTR_FLUSH
595 ++
596 ++2: nop
597 ++ patch_site 2b patch__flush_count_cache_return
598 ++
599 ++ nops 3
600 ++
601 ++ .rept 278
602 ++ .balign 32
603 ++ BCCTR_FLUSH
604 ++ nops 7
605 ++ .endr
606 ++
607 ++ blr
608 ++#else
609 ++#define FLUSH_COUNT_CACHE
610 ++#endif /* CONFIG_PPC_BOOK3S_64 */
611 ++
612 + /*
613 + * This routine switches between two different tasks. The process
614 + * state of one is saved on its kernel stack. Then the state
615 +@@ -518,6 +585,8 @@ _GLOBAL(_switch)
616 + std r23,_CCR(r1)
617 + std r1,KSP(r3) /* Set old stack pointer */
618 +
619 ++ FLUSH_COUNT_CACHE
620 ++
621 + /*
622 + * On SMP kernels, care must be taken because a task may be
623 + * scheduled off CPUx and on to CPUy. Memory ordering must be
624 +diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S
625 +index acd8ca76233e..2edc1b7b34cc 100644
626 +--- a/arch/powerpc/kernel/exceptions-64e.S
627 ++++ b/arch/powerpc/kernel/exceptions-64e.S
628 +@@ -295,7 +295,8 @@ ret_from_mc_except:
629 + andi. r10,r11,MSR_PR; /* save stack pointer */ \
630 + beq 1f; /* branch around if supervisor */ \
631 + ld r1,PACAKSAVE(r13); /* get kernel stack coming from usr */\
632 +-1: cmpdi cr1,r1,0; /* check if SP makes sense */ \
633 ++1: type##_BTB_FLUSH \
634 ++ cmpdi cr1,r1,0; /* check if SP makes sense */ \
635 + bge- cr1,exc_##n##_bad_stack;/* bad stack (TODO: out of line) */ \
636 + mfspr r10,SPRN_##type##_SRR0; /* read SRR0 before touching stack */
637 +
638 +@@ -327,6 +328,30 @@ ret_from_mc_except:
639 + #define SPRN_MC_SRR0 SPRN_MCSRR0
640 + #define SPRN_MC_SRR1 SPRN_MCSRR1
641 +
642 ++#ifdef CONFIG_PPC_FSL_BOOK3E
643 ++#define GEN_BTB_FLUSH \
644 ++ START_BTB_FLUSH_SECTION \
645 ++ beq 1f; \
646 ++ BTB_FLUSH(r10) \
647 ++ 1: \
648 ++ END_BTB_FLUSH_SECTION
649 ++
650 ++#define CRIT_BTB_FLUSH \
651 ++ START_BTB_FLUSH_SECTION \
652 ++ BTB_FLUSH(r10) \
653 ++ END_BTB_FLUSH_SECTION
654 ++
655 ++#define DBG_BTB_FLUSH CRIT_BTB_FLUSH
656 ++#define MC_BTB_FLUSH CRIT_BTB_FLUSH
657 ++#define GDBELL_BTB_FLUSH GEN_BTB_FLUSH
658 ++#else
659 ++#define GEN_BTB_FLUSH
660 ++#define CRIT_BTB_FLUSH
661 ++#define DBG_BTB_FLUSH
662 ++#define MC_BTB_FLUSH
663 ++#define GDBELL_BTB_FLUSH
664 ++#endif
665 ++
666 + #define NORMAL_EXCEPTION_PROLOG(n, intnum, addition) \
667 + EXCEPTION_PROLOG(n, intnum, GEN, addition##_GEN(n))
668 +
669 +diff --git a/arch/powerpc/kernel/head_booke.h b/arch/powerpc/kernel/head_booke.h
670 +index d0862a100d29..306e26c073a0 100644
671 +--- a/arch/powerpc/kernel/head_booke.h
672 ++++ b/arch/powerpc/kernel/head_booke.h
673 +@@ -32,6 +32,16 @@
674 + */
675 + #define THREAD_NORMSAVE(offset) (THREAD_NORMSAVES + (offset * 4))
676 +
677 ++#ifdef CONFIG_PPC_FSL_BOOK3E
678 ++#define BOOKE_CLEAR_BTB(reg) \
679 ++START_BTB_FLUSH_SECTION \
680 ++ BTB_FLUSH(reg) \
681 ++END_BTB_FLUSH_SECTION
682 ++#else
683 ++#define BOOKE_CLEAR_BTB(reg)
684 ++#endif
685 ++
686 ++
687 + #define NORMAL_EXCEPTION_PROLOG(intno) \
688 + mtspr SPRN_SPRG_WSCRATCH0, r10; /* save one register */ \
689 + mfspr r10, SPRN_SPRG_THREAD; \
690 +@@ -43,6 +53,7 @@
691 + andi. r11, r11, MSR_PR; /* check whether user or kernel */\
692 + mr r11, r1; \
693 + beq 1f; \
694 ++ BOOKE_CLEAR_BTB(r11) \
695 + /* if from user, start at top of this thread's kernel stack */ \
696 + lwz r11, THREAD_INFO-THREAD(r10); \
697 + ALLOC_STACK_FRAME(r11, THREAD_SIZE); \
698 +@@ -128,6 +139,7 @@
699 + stw r9,_CCR(r8); /* save CR on stack */\
700 + mfspr r11,exc_level_srr1; /* check whether user or kernel */\
701 + DO_KVM BOOKE_INTERRUPT_##intno exc_level_srr1; \
702 ++ BOOKE_CLEAR_BTB(r10) \
703 + andi. r11,r11,MSR_PR; \
704 + mfspr r11,SPRN_SPRG_THREAD; /* if from user, start at top of */\
705 + lwz r11,THREAD_INFO-THREAD(r11); /* this thread's kernel stack */\
706 +diff --git a/arch/powerpc/kernel/head_fsl_booke.S b/arch/powerpc/kernel/head_fsl_booke.S
707 +index bf4c6021515f..60a0aeefc4a7 100644
708 +--- a/arch/powerpc/kernel/head_fsl_booke.S
709 ++++ b/arch/powerpc/kernel/head_fsl_booke.S
710 +@@ -452,6 +452,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
711 + mfcr r13
712 + stw r13, THREAD_NORMSAVE(3)(r10)
713 + DO_KVM BOOKE_INTERRUPT_DTLB_MISS SPRN_SRR1
714 ++START_BTB_FLUSH_SECTION
715 ++ mfspr r11, SPRN_SRR1
716 ++ andi. r10,r11,MSR_PR
717 ++ beq 1f
718 ++ BTB_FLUSH(r10)
719 ++1:
720 ++END_BTB_FLUSH_SECTION
721 + mfspr r10, SPRN_DEAR /* Get faulting address */
722 +
723 + /* If we are faulting a kernel address, we have to use the
724 +@@ -546,6 +553,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
725 + mfcr r13
726 + stw r13, THREAD_NORMSAVE(3)(r10)
727 + DO_KVM BOOKE_INTERRUPT_ITLB_MISS SPRN_SRR1
728 ++START_BTB_FLUSH_SECTION
729 ++ mfspr r11, SPRN_SRR1
730 ++ andi. r10,r11,MSR_PR
731 ++ beq 1f
732 ++ BTB_FLUSH(r10)
733 ++1:
734 ++END_BTB_FLUSH_SECTION
735 ++
736 + mfspr r10, SPRN_SRR0 /* Get faulting address */
737 +
738 + /* If we are faulting a kernel address, we have to use the
739 +diff --git a/arch/powerpc/kernel/module.c b/arch/powerpc/kernel/module.c
740 +index 3f7ba0f5bf29..77371c9ef3d8 100644
741 +--- a/arch/powerpc/kernel/module.c
742 ++++ b/arch/powerpc/kernel/module.c
743 +@@ -72,7 +72,15 @@ int module_finalize(const Elf_Ehdr *hdr,
744 + do_feature_fixups(powerpc_firmware_features,
745 + (void *)sect->sh_addr,
746 + (void *)sect->sh_addr + sect->sh_size);
747 +-#endif
748 ++#endif /* CONFIG_PPC64 */
749 ++
750 ++#ifdef CONFIG_PPC_BARRIER_NOSPEC
751 ++ sect = find_section(hdr, sechdrs, "__spec_barrier_fixup");
752 ++ if (sect != NULL)
753 ++ do_barrier_nospec_fixups_range(barrier_nospec_enabled,
754 ++ (void *)sect->sh_addr,
755 ++ (void *)sect->sh_addr + sect->sh_size);
756 ++#endif /* CONFIG_PPC_BARRIER_NOSPEC */
757 +
758 + sect = find_section(hdr, sechdrs, "__lwsync_fixup");
759 + if (sect != NULL)
760 +diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
761 +index b98a722da915..48b50fb8dc4b 100644
762 +--- a/arch/powerpc/kernel/security.c
763 ++++ b/arch/powerpc/kernel/security.c
764 +@@ -9,11 +9,120 @@
765 + #include <linux/seq_buf.h>
766 +
767 + #include <asm/debugfs.h>
768 ++#include <asm/asm-prototypes.h>
769 ++#include <asm/code-patching.h>
770 + #include <asm/security_features.h>
771 ++#include <asm/setup.h>
772 +
773 +
774 + unsigned long powerpc_security_features __read_mostly = SEC_FTR_DEFAULT;
775 +
776 ++enum count_cache_flush_type {
777 ++ COUNT_CACHE_FLUSH_NONE = 0x1,
778 ++ COUNT_CACHE_FLUSH_SW = 0x2,
779 ++ COUNT_CACHE_FLUSH_HW = 0x4,
780 ++};
781 ++static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
782 ++
783 ++bool barrier_nospec_enabled;
784 ++static bool no_nospec;
785 ++static bool btb_flush_enabled;
786 ++#ifdef CONFIG_PPC_FSL_BOOK3E
787 ++static bool no_spectrev2;
788 ++#endif
789 ++
790 ++static void enable_barrier_nospec(bool enable)
791 ++{
792 ++ barrier_nospec_enabled = enable;
793 ++ do_barrier_nospec_fixups(enable);
794 ++}
795 ++
796 ++void setup_barrier_nospec(void)
797 ++{
798 ++ bool enable;
799 ++
800 ++ /*
801 ++ * It would make sense to check SEC_FTR_SPEC_BAR_ORI31 below as well.
802 ++ * But there's a good reason not to. The two flags we check below are
803 ++ * both are enabled by default in the kernel, so if the hcall is not
804 ++ * functional they will be enabled.
805 ++ * On a system where the host firmware has been updated (so the ori
806 ++ * functions as a barrier), but on which the hypervisor (KVM/Qemu) has
807 ++ * not been updated, we would like to enable the barrier. Dropping the
808 ++ * check for SEC_FTR_SPEC_BAR_ORI31 achieves that. The only downside is
809 ++ * we potentially enable the barrier on systems where the host firmware
810 ++ * is not updated, but that's harmless as it's a no-op.
811 ++ */
812 ++ enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
813 ++ security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR);
814 ++
815 ++ if (!no_nospec)
816 ++ enable_barrier_nospec(enable);
817 ++}
818 ++
819 ++static int __init handle_nospectre_v1(char *p)
820 ++{
821 ++ no_nospec = true;
822 ++
823 ++ return 0;
824 ++}
825 ++early_param("nospectre_v1", handle_nospectre_v1);
826 ++
827 ++#ifdef CONFIG_DEBUG_FS
828 ++static int barrier_nospec_set(void *data, u64 val)
829 ++{
830 ++ switch (val) {
831 ++ case 0:
832 ++ case 1:
833 ++ break;
834 ++ default:
835 ++ return -EINVAL;
836 ++ }
837 ++
838 ++ if (!!val == !!barrier_nospec_enabled)
839 ++ return 0;
840 ++
841 ++ enable_barrier_nospec(!!val);
842 ++
843 ++ return 0;
844 ++}
845 ++
846 ++static int barrier_nospec_get(void *data, u64 *val)
847 ++{
848 ++ *val = barrier_nospec_enabled ? 1 : 0;
849 ++ return 0;
850 ++}
851 ++
852 ++DEFINE_SIMPLE_ATTRIBUTE(fops_barrier_nospec,
853 ++ barrier_nospec_get, barrier_nospec_set, "%llu\n");
854 ++
855 ++static __init int barrier_nospec_debugfs_init(void)
856 ++{
857 ++ debugfs_create_file("barrier_nospec", 0600, powerpc_debugfs_root, NULL,
858 ++ &fops_barrier_nospec);
859 ++ return 0;
860 ++}
861 ++device_initcall(barrier_nospec_debugfs_init);
862 ++#endif /* CONFIG_DEBUG_FS */
863 ++
864 ++#ifdef CONFIG_PPC_FSL_BOOK3E
865 ++static int __init handle_nospectre_v2(char *p)
866 ++{
867 ++ no_spectrev2 = true;
868 ++
869 ++ return 0;
870 ++}
871 ++early_param("nospectre_v2", handle_nospectre_v2);
872 ++void setup_spectre_v2(void)
873 ++{
874 ++ if (no_spectrev2)
875 ++ do_btb_flush_fixups();
876 ++ else
877 ++ btb_flush_enabled = true;
878 ++}
879 ++#endif /* CONFIG_PPC_FSL_BOOK3E */
880 ++
881 ++#ifdef CONFIG_PPC_BOOK3S_64
882 + ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
883 + {
884 + bool thread_priv;
885 +@@ -46,25 +155,39 @@ ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, cha
886 +
887 + return sprintf(buf, "Vulnerable\n");
888 + }
889 ++#endif
890 +
891 + ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
892 + {
893 +- if (!security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR))
894 +- return sprintf(buf, "Not affected\n");
895 ++ struct seq_buf s;
896 +
897 +- return sprintf(buf, "Vulnerable\n");
898 ++ seq_buf_init(&s, buf, PAGE_SIZE - 1);
899 ++
900 ++ if (security_ftr_enabled(SEC_FTR_BNDS_CHK_SPEC_BAR)) {
901 ++ if (barrier_nospec_enabled)
902 ++ seq_buf_printf(&s, "Mitigation: __user pointer sanitization");
903 ++ else
904 ++ seq_buf_printf(&s, "Vulnerable");
905 ++
906 ++ if (security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31))
907 ++ seq_buf_printf(&s, ", ori31 speculation barrier enabled");
908 ++
909 ++ seq_buf_printf(&s, "\n");
910 ++ } else
911 ++ seq_buf_printf(&s, "Not affected\n");
912 ++
913 ++ return s.len;
914 + }
915 +
916 + ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
917 + {
918 +- bool bcs, ccd, ori;
919 + struct seq_buf s;
920 ++ bool bcs, ccd;
921 +
922 + seq_buf_init(&s, buf, PAGE_SIZE - 1);
923 +
924 + bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
925 + ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
926 +- ori = security_ftr_enabled(SEC_FTR_SPEC_BAR_ORI31);
927 +
928 + if (bcs || ccd) {
929 + seq_buf_printf(&s, "Mitigation: ");
930 +@@ -77,17 +200,23 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c
931 +
932 + if (ccd)
933 + seq_buf_printf(&s, "Indirect branch cache disabled");
934 +- } else
935 ++ } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
936 ++ seq_buf_printf(&s, "Mitigation: Software count cache flush");
937 ++
938 ++ if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW)
939 ++ seq_buf_printf(&s, " (hardware accelerated)");
940 ++ } else if (btb_flush_enabled) {
941 ++ seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
942 ++ } else {
943 + seq_buf_printf(&s, "Vulnerable");
944 +-
945 +- if (ori)
946 +- seq_buf_printf(&s, ", ori31 speculation barrier enabled");
947 ++ }
948 +
949 + seq_buf_printf(&s, "\n");
950 +
951 + return s.len;
952 + }
953 +
954 ++#ifdef CONFIG_PPC_BOOK3S_64
955 + /*
956 + * Store-forwarding barrier support.
957 + */
958 +@@ -235,3 +364,71 @@ static __init int stf_barrier_debugfs_init(void)
959 + }
960 + device_initcall(stf_barrier_debugfs_init);
961 + #endif /* CONFIG_DEBUG_FS */
962 ++
963 ++static void toggle_count_cache_flush(bool enable)
964 ++{
965 ++ if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) {
966 ++ patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP);
967 ++ count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
968 ++ pr_info("count-cache-flush: software flush disabled.\n");
969 ++ return;
970 ++ }
971 ++
972 ++ patch_branch_site(&patch__call_flush_count_cache,
973 ++ (u64)&flush_count_cache, BRANCH_SET_LINK);
974 ++
975 ++ if (!security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) {
976 ++ count_cache_flush_type = COUNT_CACHE_FLUSH_SW;
977 ++ pr_info("count-cache-flush: full software flush sequence enabled.\n");
978 ++ return;
979 ++ }
980 ++
981 ++ patch_instruction_site(&patch__flush_count_cache_return, PPC_INST_BLR);
982 ++ count_cache_flush_type = COUNT_CACHE_FLUSH_HW;
983 ++ pr_info("count-cache-flush: hardware assisted flush sequence enabled\n");
984 ++}
985 ++
986 ++void setup_count_cache_flush(void)
987 ++{
988 ++ toggle_count_cache_flush(true);
989 ++}
990 ++
991 ++#ifdef CONFIG_DEBUG_FS
992 ++static int count_cache_flush_set(void *data, u64 val)
993 ++{
994 ++ bool enable;
995 ++
996 ++ if (val == 1)
997 ++ enable = true;
998 ++ else if (val == 0)
999 ++ enable = false;
1000 ++ else
1001 ++ return -EINVAL;
1002 ++
1003 ++ toggle_count_cache_flush(enable);
1004 ++
1005 ++ return 0;
1006 ++}
1007 ++
1008 ++static int count_cache_flush_get(void *data, u64 *val)
1009 ++{
1010 ++ if (count_cache_flush_type == COUNT_CACHE_FLUSH_NONE)
1011 ++ *val = 0;
1012 ++ else
1013 ++ *val = 1;
1014 ++
1015 ++ return 0;
1016 ++}
1017 ++
1018 ++DEFINE_SIMPLE_ATTRIBUTE(fops_count_cache_flush, count_cache_flush_get,
1019 ++ count_cache_flush_set, "%llu\n");
1020 ++
1021 ++static __init int count_cache_flush_debugfs_init(void)
1022 ++{
1023 ++ debugfs_create_file("count_cache_flush", 0600, powerpc_debugfs_root,
1024 ++ NULL, &fops_count_cache_flush);
1025 ++ return 0;
1026 ++}
1027 ++device_initcall(count_cache_flush_debugfs_init);
1028 ++#endif /* CONFIG_DEBUG_FS */
1029 ++#endif /* CONFIG_PPC_BOOK3S_64 */
1030 +diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
1031 +index 008447664643..c58364c74dad 100644
1032 +--- a/arch/powerpc/kernel/setup-common.c
1033 ++++ b/arch/powerpc/kernel/setup-common.c
1034 +@@ -937,6 +937,9 @@ void __init setup_arch(char **cmdline_p)
1035 + if (ppc_md.setup_arch)
1036 + ppc_md.setup_arch();
1037 +
1038 ++ setup_barrier_nospec();
1039 ++ setup_spectre_v2();
1040 ++
1041 + paging_init();
1042 +
1043 + /* Initialize the MMU context management stuff. */
1044 +diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
1045 +index c89ffb88fa3b..b0cf4af7ba84 100644
1046 +--- a/arch/powerpc/kernel/vmlinux.lds.S
1047 ++++ b/arch/powerpc/kernel/vmlinux.lds.S
1048 +@@ -153,8 +153,25 @@ SECTIONS
1049 + *(__rfi_flush_fixup)
1050 + __stop___rfi_flush_fixup = .;
1051 + }
1052 +-#endif
1053 ++#endif /* CONFIG_PPC64 */
1054 ++
1055 ++#ifdef CONFIG_PPC_BARRIER_NOSPEC
1056 ++ . = ALIGN(8);
1057 ++ __spec_barrier_fixup : AT(ADDR(__spec_barrier_fixup) - LOAD_OFFSET) {
1058 ++ __start___barrier_nospec_fixup = .;
1059 ++ *(__barrier_nospec_fixup)
1060 ++ __stop___barrier_nospec_fixup = .;
1061 ++ }
1062 ++#endif /* CONFIG_PPC_BARRIER_NOSPEC */
1063 +
1064 ++#ifdef CONFIG_PPC_FSL_BOOK3E
1065 ++ . = ALIGN(8);
1066 ++ __spec_btb_flush_fixup : AT(ADDR(__spec_btb_flush_fixup) - LOAD_OFFSET) {
1067 ++ __start__btb_flush_fixup = .;
1068 ++ *(__btb_flush_fixup)
1069 ++ __stop__btb_flush_fixup = .;
1070 ++ }
1071 ++#endif
1072 + EXCEPTION_TABLE(0)
1073 +
1074 + NOTES :kernel :notes
1075 +diff --git a/arch/powerpc/kvm/bookehv_interrupts.S b/arch/powerpc/kvm/bookehv_interrupts.S
1076 +index 81bd8a07aa51..612b7f6a887f 100644
1077 +--- a/arch/powerpc/kvm/bookehv_interrupts.S
1078 ++++ b/arch/powerpc/kvm/bookehv_interrupts.S
1079 +@@ -75,6 +75,10 @@
1080 + PPC_LL r1, VCPU_HOST_STACK(r4)
1081 + PPC_LL r2, HOST_R2(r1)
1082 +
1083 ++START_BTB_FLUSH_SECTION
1084 ++ BTB_FLUSH(r10)
1085 ++END_BTB_FLUSH_SECTION
1086 ++
1087 + mfspr r10, SPRN_PID
1088 + lwz r8, VCPU_HOST_PID(r4)
1089 + PPC_LL r11, VCPU_SHARED(r4)
1090 +diff --git a/arch/powerpc/kvm/e500_emulate.c b/arch/powerpc/kvm/e500_emulate.c
1091 +index 990db69a1d0b..fa88f641ac03 100644
1092 +--- a/arch/powerpc/kvm/e500_emulate.c
1093 ++++ b/arch/powerpc/kvm/e500_emulate.c
1094 +@@ -277,6 +277,13 @@ int kvmppc_core_emulate_mtspr_e500(struct kvm_vcpu *vcpu, int sprn, ulong spr_va
1095 + vcpu->arch.pwrmgtcr0 = spr_val;
1096 + break;
1097 +
1098 ++ case SPRN_BUCSR:
1099 ++ /*
1100 ++ * If we are here, it means that we have already flushed the
1101 ++ * branch predictor, so just return to guest.
1102 ++ */
1103 ++ break;
1104 ++
1105 + /* extra exceptions */
1106 + #ifdef CONFIG_SPE_POSSIBLE
1107 + case SPRN_IVOR32:
1108 +diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c
1109 +index 130405158afa..c5154817178b 100644
1110 +--- a/arch/powerpc/lib/code-patching.c
1111 ++++ b/arch/powerpc/lib/code-patching.c
1112 +@@ -206,6 +206,22 @@ int patch_branch(unsigned int *addr, unsigned long target, int flags)
1113 + return patch_instruction(addr, create_branch(addr, target, flags));
1114 + }
1115 +
1116 ++int patch_branch_site(s32 *site, unsigned long target, int flags)
1117 ++{
1118 ++ unsigned int *addr;
1119 ++
1120 ++ addr = (unsigned int *)((unsigned long)site + *site);
1121 ++ return patch_instruction(addr, create_branch(addr, target, flags));
1122 ++}
1123 ++
1124 ++int patch_instruction_site(s32 *site, unsigned int instr)
1125 ++{
1126 ++ unsigned int *addr;
1127 ++
1128 ++ addr = (unsigned int *)((unsigned long)site + *site);
1129 ++ return patch_instruction(addr, instr);
1130 ++}
1131 ++
1132 + bool is_offset_in_branch_range(long offset)
1133 + {
1134 + /*
1135 +diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c
1136 +index e1bcdc32a851..de7861e09b41 100644
1137 +--- a/arch/powerpc/lib/feature-fixups.c
1138 ++++ b/arch/powerpc/lib/feature-fixups.c
1139 +@@ -277,8 +277,101 @@ void do_rfi_flush_fixups(enum l1d_flush_type types)
1140 + (types & L1D_FLUSH_MTTRIG) ? "mttrig type"
1141 + : "unknown");
1142 + }
1143 ++
1144 ++void do_barrier_nospec_fixups_range(bool enable, void *fixup_start, void *fixup_end)
1145 ++{
1146 ++ unsigned int instr, *dest;
1147 ++ long *start, *end;
1148 ++ int i;
1149 ++
1150 ++ start = fixup_start;
1151 ++ end = fixup_end;
1152 ++
1153 ++ instr = 0x60000000; /* nop */
1154 ++
1155 ++ if (enable) {
1156 ++ pr_info("barrier-nospec: using ORI speculation barrier\n");
1157 ++ instr = 0x63ff0000; /* ori 31,31,0 speculation barrier */
1158 ++ }
1159 ++
1160 ++ for (i = 0; start < end; start++, i++) {
1161 ++ dest = (void *)start + *start;
1162 ++
1163 ++ pr_devel("patching dest %lx\n", (unsigned long)dest);
1164 ++ patch_instruction(dest, instr);
1165 ++ }
1166 ++
1167 ++ printk(KERN_DEBUG "barrier-nospec: patched %d locations\n", i);
1168 ++}
1169 ++
1170 + #endif /* CONFIG_PPC_BOOK3S_64 */
1171 +
1172 ++#ifdef CONFIG_PPC_BARRIER_NOSPEC
1173 ++void do_barrier_nospec_fixups(bool enable)
1174 ++{
1175 ++ void *start, *end;
1176 ++
1177 ++ start = PTRRELOC(&__start___barrier_nospec_fixup),
1178 ++ end = PTRRELOC(&__stop___barrier_nospec_fixup);
1179 ++
1180 ++ do_barrier_nospec_fixups_range(enable, start, end);
1181 ++}
1182 ++#endif /* CONFIG_PPC_BARRIER_NOSPEC */
1183 ++
1184 ++#ifdef CONFIG_PPC_FSL_BOOK3E
1185 ++void do_barrier_nospec_fixups_range(bool enable, void *fixup_start, void *fixup_end)
1186 ++{
1187 ++ unsigned int instr[2], *dest;
1188 ++ long *start, *end;
1189 ++ int i;
1190 ++
1191 ++ start = fixup_start;
1192 ++ end = fixup_end;
1193 ++
1194 ++ instr[0] = PPC_INST_NOP;
1195 ++ instr[1] = PPC_INST_NOP;
1196 ++
1197 ++ if (enable) {
1198 ++ pr_info("barrier-nospec: using isync; sync as speculation barrier\n");
1199 ++ instr[0] = PPC_INST_ISYNC;
1200 ++ instr[1] = PPC_INST_SYNC;
1201 ++ }
1202 ++
1203 ++ for (i = 0; start < end; start++, i++) {
1204 ++ dest = (void *)start + *start;
1205 ++
1206 ++ pr_devel("patching dest %lx\n", (unsigned long)dest);
1207 ++ patch_instruction(dest, instr[0]);
1208 ++ patch_instruction(dest + 1, instr[1]);
1209 ++ }
1210 ++
1211 ++ printk(KERN_DEBUG "barrier-nospec: patched %d locations\n", i);
1212 ++}
1213 ++
1214 ++static void patch_btb_flush_section(long *curr)
1215 ++{
1216 ++ unsigned int *start, *end;
1217 ++
1218 ++ start = (void *)curr + *curr;
1219 ++ end = (void *)curr + *(curr + 1);
1220 ++ for (; start < end; start++) {
1221 ++ pr_devel("patching dest %lx\n", (unsigned long)start);
1222 ++ patch_instruction(start, PPC_INST_NOP);
1223 ++ }
1224 ++}
1225 ++
1226 ++void do_btb_flush_fixups(void)
1227 ++{
1228 ++ long *start, *end;
1229 ++
1230 ++ start = PTRRELOC(&__start__btb_flush_fixup);
1231 ++ end = PTRRELOC(&__stop__btb_flush_fixup);
1232 ++
1233 ++ for (; start < end; start += 2)
1234 ++ patch_btb_flush_section(start);
1235 ++}
1236 ++#endif /* CONFIG_PPC_FSL_BOOK3E */
1237 ++
1238 + void do_lwsync_fixups(unsigned long value, void *fixup_start, void *fixup_end)
1239 + {
1240 + long *start, *end;
1241 +diff --git a/arch/powerpc/mm/tlb_low_64e.S b/arch/powerpc/mm/tlb_low_64e.S
1242 +index eb82d787d99a..b7e9c09dfe19 100644
1243 +--- a/arch/powerpc/mm/tlb_low_64e.S
1244 ++++ b/arch/powerpc/mm/tlb_low_64e.S
1245 +@@ -69,6 +69,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_EMB_HV)
1246 + std r15,EX_TLB_R15(r12)
1247 + std r10,EX_TLB_CR(r12)
1248 + #ifdef CONFIG_PPC_FSL_BOOK3E
1249 ++START_BTB_FLUSH_SECTION
1250 ++ mfspr r11, SPRN_SRR1
1251 ++ andi. r10,r11,MSR_PR
1252 ++ beq 1f
1253 ++ BTB_FLUSH(r10)
1254 ++1:
1255 ++END_BTB_FLUSH_SECTION
1256 + std r7,EX_TLB_R7(r12)
1257 + #endif
1258 + TLB_MISS_PROLOG_STATS
1259 +diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h
1260 +index 47fc6660845d..68dece206048 100644
1261 +--- a/arch/powerpc/net/bpf_jit.h
1262 ++++ b/arch/powerpc/net/bpf_jit.h
1263 +@@ -51,6 +51,8 @@
1264 + #define PPC_LIS(r, i) PPC_ADDIS(r, 0, i)
1265 + #define PPC_STD(r, base, i) EMIT(PPC_INST_STD | ___PPC_RS(r) | \
1266 + ___PPC_RA(base) | ((i) & 0xfffc))
1267 ++#define PPC_STDX(r, base, b) EMIT(PPC_INST_STDX | ___PPC_RS(r) | \
1268 ++ ___PPC_RA(base) | ___PPC_RB(b))
1269 + #define PPC_STDU(r, base, i) EMIT(PPC_INST_STDU | ___PPC_RS(r) | \
1270 + ___PPC_RA(base) | ((i) & 0xfffc))
1271 + #define PPC_STW(r, base, i) EMIT(PPC_INST_STW | ___PPC_RS(r) | \
1272 +@@ -65,7 +67,9 @@
1273 + #define PPC_LBZ(r, base, i) EMIT(PPC_INST_LBZ | ___PPC_RT(r) | \
1274 + ___PPC_RA(base) | IMM_L(i))
1275 + #define PPC_LD(r, base, i) EMIT(PPC_INST_LD | ___PPC_RT(r) | \
1276 +- ___PPC_RA(base) | IMM_L(i))
1277 ++ ___PPC_RA(base) | ((i) & 0xfffc))
1278 ++#define PPC_LDX(r, base, b) EMIT(PPC_INST_LDX | ___PPC_RT(r) | \
1279 ++ ___PPC_RA(base) | ___PPC_RB(b))
1280 + #define PPC_LWZ(r, base, i) EMIT(PPC_INST_LWZ | ___PPC_RT(r) | \
1281 + ___PPC_RA(base) | IMM_L(i))
1282 + #define PPC_LHZ(r, base, i) EMIT(PPC_INST_LHZ | ___PPC_RT(r) | \
1283 +@@ -85,17 +89,6 @@
1284 + ___PPC_RA(a) | ___PPC_RB(b))
1285 + #define PPC_BPF_STDCX(s, a, b) EMIT(PPC_INST_STDCX | ___PPC_RS(s) | \
1286 + ___PPC_RA(a) | ___PPC_RB(b))
1287 +-
1288 +-#ifdef CONFIG_PPC64
1289 +-#define PPC_BPF_LL(r, base, i) do { PPC_LD(r, base, i); } while(0)
1290 +-#define PPC_BPF_STL(r, base, i) do { PPC_STD(r, base, i); } while(0)
1291 +-#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0)
1292 +-#else
1293 +-#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0)
1294 +-#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0)
1295 +-#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0)
1296 +-#endif
1297 +-
1298 + #define PPC_CMPWI(a, i) EMIT(PPC_INST_CMPWI | ___PPC_RA(a) | IMM_L(i))
1299 + #define PPC_CMPDI(a, i) EMIT(PPC_INST_CMPDI | ___PPC_RA(a) | IMM_L(i))
1300 + #define PPC_CMPW(a, b) EMIT(PPC_INST_CMPW | ___PPC_RA(a) | \
1301 +diff --git a/arch/powerpc/net/bpf_jit32.h b/arch/powerpc/net/bpf_jit32.h
1302 +index a8cd7e289ecd..81a9045d8410 100644
1303 +--- a/arch/powerpc/net/bpf_jit32.h
1304 ++++ b/arch/powerpc/net/bpf_jit32.h
1305 +@@ -122,6 +122,10 @@ DECLARE_LOAD_FUNC(sk_load_byte_msh);
1306 + #define PPC_NTOHS_OFFS(r, base, i) PPC_LHZ_OFFS(r, base, i)
1307 + #endif
1308 +
1309 ++#define PPC_BPF_LL(r, base, i) do { PPC_LWZ(r, base, i); } while(0)
1310 ++#define PPC_BPF_STL(r, base, i) do { PPC_STW(r, base, i); } while(0)
1311 ++#define PPC_BPF_STLU(r, base, i) do { PPC_STWU(r, base, i); } while(0)
1312 ++
1313 + #define SEEN_DATAREF 0x10000 /* might call external helpers */
1314 + #define SEEN_XREG 0x20000 /* X reg is used */
1315 + #define SEEN_MEM 0x40000 /* SEEN_MEM+(1<<n) = use mem[n] for temporary
1316 +diff --git a/arch/powerpc/net/bpf_jit64.h b/arch/powerpc/net/bpf_jit64.h
1317 +index 62fa7589db2b..bb944b6018d7 100644
1318 +--- a/arch/powerpc/net/bpf_jit64.h
1319 ++++ b/arch/powerpc/net/bpf_jit64.h
1320 +@@ -86,6 +86,26 @@ DECLARE_LOAD_FUNC(sk_load_byte);
1321 + (imm >= SKF_LL_OFF ? func##_negative_offset : func) : \
1322 + func##_positive_offset)
1323 +
1324 ++/*
1325 ++ * WARNING: These can use TMP_REG_2 if the offset is not at word boundary,
1326 ++ * so ensure that it isn't in use already.
1327 ++ */
1328 ++#define PPC_BPF_LL(r, base, i) do { \
1329 ++ if ((i) % 4) { \
1330 ++ PPC_LI(b2p[TMP_REG_2], (i)); \
1331 ++ PPC_LDX(r, base, b2p[TMP_REG_2]); \
1332 ++ } else \
1333 ++ PPC_LD(r, base, i); \
1334 ++ } while(0)
1335 ++#define PPC_BPF_STL(r, base, i) do { \
1336 ++ if ((i) % 4) { \
1337 ++ PPC_LI(b2p[TMP_REG_2], (i)); \
1338 ++ PPC_STDX(r, base, b2p[TMP_REG_2]); \
1339 ++ } else \
1340 ++ PPC_STD(r, base, i); \
1341 ++ } while(0)
1342 ++#define PPC_BPF_STLU(r, base, i) do { PPC_STDU(r, base, i); } while(0)
1343 ++
1344 + #define SEEN_FUNC 0x1000 /* might call external helpers */
1345 + #define SEEN_STACK 0x2000 /* uses BPF stack */
1346 + #define SEEN_SKB 0x4000 /* uses sk_buff */
1347 +diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
1348 +index fee1e1f8c9d3..3a21d3956ad4 100644
1349 +--- a/arch/powerpc/net/bpf_jit_comp64.c
1350 ++++ b/arch/powerpc/net/bpf_jit_comp64.c
1351 +@@ -261,7 +261,7 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32
1352 + * if (tail_call_cnt > MAX_TAIL_CALL_CNT)
1353 + * goto out;
1354 + */
1355 +- PPC_LD(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx));
1356 ++ PPC_BPF_LL(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx));
1357 + PPC_CMPLWI(b2p[TMP_REG_1], MAX_TAIL_CALL_CNT);
1358 + PPC_BCC(COND_GT, out);
1359 +
1360 +@@ -274,7 +274,7 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32
1361 + /* prog = array->ptrs[index]; */
1362 + PPC_MULI(b2p[TMP_REG_1], b2p_index, 8);
1363 + PPC_ADD(b2p[TMP_REG_1], b2p[TMP_REG_1], b2p_bpf_array);
1364 +- PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs));
1365 ++ PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs));
1366 +
1367 + /*
1368 + * if (prog == NULL)
1369 +@@ -284,7 +284,7 @@ static void bpf_jit_emit_tail_call(u32 *image, struct codegen_context *ctx, u32
1370 + PPC_BCC(COND_EQ, out);
1371 +
1372 + /* goto *(prog->bpf_func + prologue_size); */
1373 +- PPC_LD(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func));
1374 ++ PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func));
1375 + #ifdef PPC64_ELF_ABI_v1
1376 + /* skip past the function descriptor */
1377 + PPC_ADDI(b2p[TMP_REG_1], b2p[TMP_REG_1],
1378 +@@ -616,7 +616,7 @@ bpf_alu32_trunc:
1379 + * the instructions generated will remain the
1380 + * same across all passes
1381 + */
1382 +- PPC_STD(dst_reg, 1, bpf_jit_stack_local(ctx));
1383 ++ PPC_BPF_STL(dst_reg, 1, bpf_jit_stack_local(ctx));
1384 + PPC_ADDI(b2p[TMP_REG_1], 1, bpf_jit_stack_local(ctx));
1385 + PPC_LDBRX(dst_reg, 0, b2p[TMP_REG_1]);
1386 + break;
1387 +@@ -672,7 +672,7 @@ emit_clear:
1388 + PPC_LI32(b2p[TMP_REG_1], imm);
1389 + src_reg = b2p[TMP_REG_1];
1390 + }
1391 +- PPC_STD(src_reg, dst_reg, off);
1392 ++ PPC_BPF_STL(src_reg, dst_reg, off);
1393 + break;
1394 +
1395 + /*
1396 +@@ -719,7 +719,7 @@ emit_clear:
1397 + break;
1398 + /* dst = *(u64 *)(ul) (src + off) */
1399 + case BPF_LDX | BPF_MEM | BPF_DW:
1400 +- PPC_LD(dst_reg, src_reg, off);
1401 ++ PPC_BPF_LL(dst_reg, src_reg, off);
1402 + break;
1403 +
1404 + /*
1405 +diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
1406 +index fd143c934768..888aa9584e94 100644
1407 +--- a/arch/powerpc/platforms/powernv/setup.c
1408 ++++ b/arch/powerpc/platforms/powernv/setup.c
1409 +@@ -77,6 +77,12 @@ static void init_fw_feat_flags(struct device_node *np)
1410 + if (fw_feature_is("enabled", "fw-count-cache-disabled", np))
1411 + security_ftr_set(SEC_FTR_COUNT_CACHE_DISABLED);
1412 +
1413 ++ if (fw_feature_is("enabled", "fw-count-cache-flush-bcctr2,0,0", np))
1414 ++ security_ftr_set(SEC_FTR_BCCTR_FLUSH_ASSIST);
1415 ++
1416 ++ if (fw_feature_is("enabled", "needs-count-cache-flush-on-context-switch", np))
1417 ++ security_ftr_set(SEC_FTR_FLUSH_COUNT_CACHE);
1418 ++
1419 + /*
1420 + * The features below are enabled by default, so we instead look to see
1421 + * if firmware has *disabled* them, and clear them if so.
1422 +@@ -123,6 +129,7 @@ static void pnv_setup_rfi_flush(void)
1423 + security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV));
1424 +
1425 + setup_rfi_flush(type, enable);
1426 ++ setup_count_cache_flush();
1427 + }
1428 +
1429 + static void __init pnv_setup_arch(void)
1430 +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
1431 +index 45f814041448..6a0ad56e89b9 100644
1432 +--- a/arch/powerpc/platforms/pseries/setup.c
1433 ++++ b/arch/powerpc/platforms/pseries/setup.c
1434 +@@ -484,6 +484,12 @@ static void init_cpu_char_feature_flags(struct h_cpu_char_result *result)
1435 + if (result->character & H_CPU_CHAR_COUNT_CACHE_DISABLED)
1436 + security_ftr_set(SEC_FTR_COUNT_CACHE_DISABLED);
1437 +
1438 ++ if (result->character & H_CPU_CHAR_BCCTR_FLUSH_ASSIST)
1439 ++ security_ftr_set(SEC_FTR_BCCTR_FLUSH_ASSIST);
1440 ++
1441 ++ if (result->behaviour & H_CPU_BEHAV_FLUSH_COUNT_CACHE)
1442 ++ security_ftr_set(SEC_FTR_FLUSH_COUNT_CACHE);
1443 ++
1444 + /*
1445 + * The features below are enabled by default, so we instead look to see
1446 + * if firmware has *disabled* them, and clear them if so.
1447 +@@ -534,6 +540,7 @@ void pseries_setup_rfi_flush(void)
1448 + security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR);
1449 +
1450 + setup_rfi_flush(types, enable);
1451 ++ setup_count_cache_flush();
1452 + }
1453 +
1454 + static void __init pSeries_setup_arch(void)
1455 +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
1456 +index 4f393eb9745f..8fec1585ac7a 100644
1457 +--- a/arch/x86/Kconfig
1458 ++++ b/arch/x86/Kconfig
1459 +@@ -2139,14 +2139,8 @@ config RANDOMIZE_MEMORY_PHYSICAL_PADDING
1460 + If unsure, leave at the default value.
1461 +
1462 + config HOTPLUG_CPU
1463 +- bool "Support for hot-pluggable CPUs"
1464 ++ def_bool y
1465 + depends on SMP
1466 +- ---help---
1467 +- Say Y here to allow turning CPUs off and on. CPUs can be
1468 +- controlled through /sys/devices/system/cpu.
1469 +- ( Note: power management support will enable this option
1470 +- automatically on SMP systems. )
1471 +- Say N if you want to disable CPU hotplug.
1472 +
1473 + config BOOTPARAM_HOTPLUG_CPU0
1474 + bool "Set default setting of cpu0_hotpluggable"
1475 +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
1476 +index d2ae93faafe8..f9a4b85d7309 100644
1477 +--- a/arch/x86/include/asm/kvm_host.h
1478 ++++ b/arch/x86/include/asm/kvm_host.h
1479 +@@ -509,6 +509,7 @@ struct kvm_vcpu_arch {
1480 + bool tpr_access_reporting;
1481 + u64 ia32_xss;
1482 + u64 microcode_version;
1483 ++ u64 arch_capabilities;
1484 +
1485 + /*
1486 + * Paging state of the vcpu
1487 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
1488 +index 229d5e39f5c0..4bd878c9f7d2 100644
1489 +--- a/arch/x86/kvm/vmx.c
1490 ++++ b/arch/x86/kvm/vmx.c
1491 +@@ -740,7 +740,6 @@ struct vcpu_vmx {
1492 + u64 msr_guest_kernel_gs_base;
1493 + #endif
1494 +
1495 +- u64 arch_capabilities;
1496 + u64 spec_ctrl;
1497 +
1498 + u32 vm_entry_controls_shadow;
1499 +@@ -3493,12 +3492,6 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
1500 +
1501 + msr_info->data = to_vmx(vcpu)->spec_ctrl;
1502 + break;
1503 +- case MSR_IA32_ARCH_CAPABILITIES:
1504 +- if (!msr_info->host_initiated &&
1505 +- !guest_cpuid_has(vcpu, X86_FEATURE_ARCH_CAPABILITIES))
1506 +- return 1;
1507 +- msr_info->data = to_vmx(vcpu)->arch_capabilities;
1508 +- break;
1509 + case MSR_IA32_SYSENTER_CS:
1510 + msr_info->data = vmcs_read32(GUEST_SYSENTER_CS);
1511 + break;
1512 +@@ -3663,11 +3656,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
1513 + vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD,
1514 + MSR_TYPE_W);
1515 + break;
1516 +- case MSR_IA32_ARCH_CAPABILITIES:
1517 +- if (!msr_info->host_initiated)
1518 +- return 1;
1519 +- vmx->arch_capabilities = data;
1520 +- break;
1521 + case MSR_IA32_CR_PAT:
1522 + if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
1523 + if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
1524 +@@ -5929,8 +5917,6 @@ static int vmx_vcpu_setup(struct vcpu_vmx *vmx)
1525 + ++vmx->nmsrs;
1526 + }
1527 +
1528 +- vmx->arch_capabilities = kvm_get_arch_capabilities();
1529 +-
1530 + vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl);
1531 +
1532 + /* 22.2.1, 20.8.1 */
1533 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
1534 +index ce5b3dc348ce..5f85f17ffb75 100644
1535 +--- a/arch/x86/kvm/x86.c
1536 ++++ b/arch/x86/kvm/x86.c
1537 +@@ -2234,6 +2234,11 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
1538 + if (msr_info->host_initiated)
1539 + vcpu->arch.microcode_version = data;
1540 + break;
1541 ++ case MSR_IA32_ARCH_CAPABILITIES:
1542 ++ if (!msr_info->host_initiated)
1543 ++ return 1;
1544 ++ vcpu->arch.arch_capabilities = data;
1545 ++ break;
1546 + case MSR_EFER:
1547 + return set_efer(vcpu, data);
1548 + case MSR_K7_HWCR:
1549 +@@ -2523,6 +2528,12 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
1550 + case MSR_IA32_UCODE_REV:
1551 + msr_info->data = vcpu->arch.microcode_version;
1552 + break;
1553 ++ case MSR_IA32_ARCH_CAPABILITIES:
1554 ++ if (!msr_info->host_initiated &&
1555 ++ !guest_cpuid_has(vcpu, X86_FEATURE_ARCH_CAPABILITIES))
1556 ++ return 1;
1557 ++ msr_info->data = vcpu->arch.arch_capabilities;
1558 ++ break;
1559 + case MSR_MTRRcap:
1560 + case 0x200 ... 0x2ff:
1561 + return kvm_mtrr_get_msr(vcpu, msr_info->index, &msr_info->data);
1562 +@@ -7918,6 +7929,7 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
1563 + {
1564 + int r;
1565 +
1566 ++ vcpu->arch.arch_capabilities = kvm_get_arch_capabilities();
1567 + kvm_vcpu_mtrr_init(vcpu);
1568 + r = vcpu_load(vcpu);
1569 + if (r)
1570 +diff --git a/drivers/gpio/gpio-adnp.c b/drivers/gpio/gpio-adnp.c
1571 +index 89863ea25de1..ee923b1b820c 100644
1572 +--- a/drivers/gpio/gpio-adnp.c
1573 ++++ b/drivers/gpio/gpio-adnp.c
1574 +@@ -132,8 +132,10 @@ static int adnp_gpio_direction_input(struct gpio_chip *chip, unsigned offset)
1575 + if (err < 0)
1576 + goto out;
1577 +
1578 +- if (err & BIT(pos))
1579 +- err = -EACCES;
1580 ++ if (value & BIT(pos)) {
1581 ++ err = -EPERM;
1582 ++ goto out;
1583 ++ }
1584 +
1585 + err = 0;
1586 +
1587 +diff --git a/drivers/gpio/gpio-exar.c b/drivers/gpio/gpio-exar.c
1588 +index 0ecd2369c2ca..a09d2f9ebacc 100644
1589 +--- a/drivers/gpio/gpio-exar.c
1590 ++++ b/drivers/gpio/gpio-exar.c
1591 +@@ -148,6 +148,8 @@ static int gpio_exar_probe(struct platform_device *pdev)
1592 + mutex_init(&exar_gpio->lock);
1593 +
1594 + index = ida_simple_get(&ida_index, 0, 0, GFP_KERNEL);
1595 ++ if (index < 0)
1596 ++ goto err_destroy;
1597 +
1598 + sprintf(exar_gpio->name, "exar_gpio%d", index);
1599 + exar_gpio->gpio_chip.label = exar_gpio->name;
1600 +diff --git a/drivers/gpu/drm/vgem/vgem_drv.c b/drivers/gpu/drm/vgem/vgem_drv.c
1601 +index 81c7ab10c083..aa592277d510 100644
1602 +--- a/drivers/gpu/drm/vgem/vgem_drv.c
1603 ++++ b/drivers/gpu/drm/vgem/vgem_drv.c
1604 +@@ -192,13 +192,9 @@ static struct drm_gem_object *vgem_gem_create(struct drm_device *dev,
1605 + ret = drm_gem_handle_create(file, &obj->base, handle);
1606 + drm_gem_object_put_unlocked(&obj->base);
1607 + if (ret)
1608 +- goto err;
1609 ++ return ERR_PTR(ret);
1610 +
1611 + return &obj->base;
1612 +-
1613 +-err:
1614 +- __vgem_gem_destroy(obj);
1615 +- return ERR_PTR(ret);
1616 + }
1617 +
1618 + static int vgem_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
1619 +diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
1620 +index 3cf07b8ced1c..df01018acff1 100644
1621 +--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
1622 ++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
1623 +@@ -4367,7 +4367,8 @@ setup_pci(struct hfc_multi *hc, struct pci_dev *pdev,
1624 + if (m->clock2)
1625 + test_and_set_bit(HFC_CHIP_CLOCK2, &hc->chip);
1626 +
1627 +- if (ent->device == 0xB410) {
1628 ++ if (ent->vendor == PCI_VENDOR_ID_DIGIUM &&
1629 ++ ent->device == PCI_DEVICE_ID_DIGIUM_HFC4S) {
1630 + test_and_set_bit(HFC_CHIP_B410P, &hc->chip);
1631 + test_and_set_bit(HFC_CHIP_PCM_MASTER, &hc->chip);
1632 + test_and_clear_bit(HFC_CHIP_PCM_SLAVE, &hc->chip);
1633 +diff --git a/drivers/net/dsa/qca8k.c b/drivers/net/dsa/qca8k.c
1634 +index 9645c8f05c7f..c3c9d7e33bd6 100644
1635 +--- a/drivers/net/dsa/qca8k.c
1636 ++++ b/drivers/net/dsa/qca8k.c
1637 +@@ -629,22 +629,6 @@ qca8k_adjust_link(struct dsa_switch *ds, int port, struct phy_device *phy)
1638 + qca8k_port_set_status(priv, port, 1);
1639 + }
1640 +
1641 +-static int
1642 +-qca8k_phy_read(struct dsa_switch *ds, int phy, int regnum)
1643 +-{
1644 +- struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
1645 +-
1646 +- return mdiobus_read(priv->bus, phy, regnum);
1647 +-}
1648 +-
1649 +-static int
1650 +-qca8k_phy_write(struct dsa_switch *ds, int phy, int regnum, u16 val)
1651 +-{
1652 +- struct qca8k_priv *priv = (struct qca8k_priv *)ds->priv;
1653 +-
1654 +- return mdiobus_write(priv->bus, phy, regnum, val);
1655 +-}
1656 +-
1657 + static void
1658 + qca8k_get_strings(struct dsa_switch *ds, int port, uint8_t *data)
1659 + {
1660 +@@ -879,8 +863,6 @@ static const struct dsa_switch_ops qca8k_switch_ops = {
1661 + .setup = qca8k_setup,
1662 + .adjust_link = qca8k_adjust_link,
1663 + .get_strings = qca8k_get_strings,
1664 +- .phy_read = qca8k_phy_read,
1665 +- .phy_write = qca8k_phy_write,
1666 + .get_ethtool_stats = qca8k_get_ethtool_stats,
1667 + .get_sset_count = qca8k_get_sset_count,
1668 + .get_mac_eee = qca8k_get_mac_eee,
1669 +diff --git a/drivers/net/ethernet/8390/mac8390.c b/drivers/net/ethernet/8390/mac8390.c
1670 +index 9497f18eaba0..e95a7567bb23 100644
1671 +--- a/drivers/net/ethernet/8390/mac8390.c
1672 ++++ b/drivers/net/ethernet/8390/mac8390.c
1673 +@@ -156,8 +156,6 @@ static void dayna_block_output(struct net_device *dev, int count,
1674 + #define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c))
1675 + #define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c))
1676 +
1677 +-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c))
1678 +-
1679 + /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */
1680 + static void slow_sane_get_8390_hdr(struct net_device *dev,
1681 + struct e8390_pkt_hdr *hdr, int ring_page);
1682 +@@ -237,19 +235,26 @@ static enum mac8390_type __init mac8390_ident(struct nubus_dev *dev)
1683 +
1684 + static enum mac8390_access __init mac8390_testio(volatile unsigned long membase)
1685 + {
1686 +- unsigned long outdata = 0xA5A0B5B0;
1687 +- unsigned long indata = 0x00000000;
1688 ++ u32 outdata = 0xA5A0B5B0;
1689 ++ u32 indata = 0;
1690 ++
1691 + /* Try writing 32 bits */
1692 +- memcpy_toio(membase, &outdata, 4);
1693 +- /* Now compare them */
1694 +- if (memcmp_withio(&outdata, membase, 4) == 0)
1695 ++ nubus_writel(outdata, membase);
1696 ++ /* Now read it back */
1697 ++ indata = nubus_readl(membase);
1698 ++ if (outdata == indata)
1699 + return ACCESS_32;
1700 ++
1701 ++ outdata = 0xC5C0D5D0;
1702 ++ indata = 0;
1703 ++
1704 + /* Write 16 bit output */
1705 + word_memcpy_tocard(membase, &outdata, 4);
1706 + /* Now read it back */
1707 + word_memcpy_fromcard(&indata, membase, 4);
1708 + if (outdata == indata)
1709 + return ACCESS_16;
1710 ++
1711 + return ACCESS_UNKNOWN;
1712 + }
1713 +
1714 +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
1715 +index 640babf752ea..784c3522aaa3 100644
1716 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
1717 ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
1718 +@@ -270,11 +270,12 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
1719 + } else {
1720 + if (buff->is_ip_cso) {
1721 + __skb_incr_checksum_unnecessary(skb);
1722 +- if (buff->is_udp_cso || buff->is_tcp_cso)
1723 +- __skb_incr_checksum_unnecessary(skb);
1724 + } else {
1725 + skb->ip_summed = CHECKSUM_NONE;
1726 + }
1727 ++
1728 ++ if (buff->is_udp_cso || buff->is_tcp_cso)
1729 ++ __skb_incr_checksum_unnecessary(skb);
1730 + }
1731 +
1732 + skb_set_hash(skb, buff->rss_hash,
1733 +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
1734 +index 09494e1c77c5..7ad1d56d8389 100644
1735 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
1736 ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
1737 +@@ -105,20 +105,19 @@ static inline struct pgcache *nicvf_alloc_page(struct nicvf *nic,
1738 + /* Check if page can be recycled */
1739 + if (page) {
1740 + ref_count = page_ref_count(page);
1741 +- /* Check if this page has been used once i.e 'put_page'
1742 +- * called after packet transmission i.e internal ref_count
1743 +- * and page's ref_count are equal i.e page can be recycled.
1744 ++ /* This page can be recycled if internal ref_count and page's
1745 ++ * ref_count are equal, indicating that the page has been used
1746 ++ * once for packet transmission. For non-XDP mode, internal
1747 ++ * ref_count is always '1'.
1748 + */
1749 +- if (rbdr->is_xdp && (ref_count == pgcache->ref_count))
1750 +- pgcache->ref_count--;
1751 +- else
1752 +- page = NULL;
1753 +-
1754 +- /* In non-XDP mode, page's ref_count needs to be '1' for it
1755 +- * to be recycled.
1756 +- */
1757 +- if (!rbdr->is_xdp && (ref_count != 1))
1758 ++ if (rbdr->is_xdp) {
1759 ++ if (ref_count == pgcache->ref_count)
1760 ++ pgcache->ref_count--;
1761 ++ else
1762 ++ page = NULL;
1763 ++ } else if (ref_count != 1) {
1764 + page = NULL;
1765 ++ }
1766 + }
1767 +
1768 + if (!page) {
1769 +@@ -365,11 +364,10 @@ static void nicvf_free_rbdr(struct nicvf *nic, struct rbdr *rbdr)
1770 + while (head < rbdr->pgcnt) {
1771 + pgcache = &rbdr->pgcache[head];
1772 + if (pgcache->page && page_ref_count(pgcache->page) != 0) {
1773 +- if (!rbdr->is_xdp) {
1774 +- put_page(pgcache->page);
1775 +- continue;
1776 ++ if (rbdr->is_xdp) {
1777 ++ page_ref_sub(pgcache->page,
1778 ++ pgcache->ref_count - 1);
1779 + }
1780 +- page_ref_sub(pgcache->page, pgcache->ref_count - 1);
1781 + put_page(pgcache->page);
1782 + }
1783 + head++;
1784 +diff --git a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
1785 +index 1af7b078b94d..d4c3bf78d928 100644
1786 +--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
1787 ++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
1788 +@@ -114,10 +114,11 @@ static unsigned int stmmac_is_jumbo_frm(int len, int enh_desc)
1789 +
1790 + static void stmmac_refill_desc3(void *priv_ptr, struct dma_desc *p)
1791 + {
1792 +- struct stmmac_priv *priv = (struct stmmac_priv *)priv_ptr;
1793 ++ struct stmmac_rx_queue *rx_q = priv_ptr;
1794 ++ struct stmmac_priv *priv = rx_q->priv_data;
1795 +
1796 + /* Fill DES3 in case of RING mode */
1797 +- if (priv->dma_buf_sz >= BUF_SIZE_8KiB)
1798 ++ if (priv->dma_buf_sz == BUF_SIZE_16KiB)
1799 + p->des3 = cpu_to_le32(le32_to_cpu(p->des2) + BUF_SIZE_8KiB);
1800 + }
1801 +
1802 +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1803 +index 0cc83e8417ef..4a9dbee6f054 100644
1804 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1805 ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
1806 +@@ -3787,6 +3787,20 @@ static int stmmac_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
1807 + return ret;
1808 + }
1809 +
1810 ++static int stmmac_set_mac_address(struct net_device *ndev, void *addr)
1811 ++{
1812 ++ struct stmmac_priv *priv = netdev_priv(ndev);
1813 ++ int ret = 0;
1814 ++
1815 ++ ret = eth_mac_addr(ndev, addr);
1816 ++ if (ret)
1817 ++ return ret;
1818 ++
1819 ++ priv->hw->mac->set_umac_addr(priv->hw, ndev->dev_addr, 0);
1820 ++
1821 ++ return ret;
1822 ++}
1823 ++
1824 + #ifdef CONFIG_DEBUG_FS
1825 + static struct dentry *stmmac_fs_dir;
1826 +
1827 +@@ -4014,7 +4028,7 @@ static const struct net_device_ops stmmac_netdev_ops = {
1828 + #ifdef CONFIG_NET_POLL_CONTROLLER
1829 + .ndo_poll_controller = stmmac_poll_controller,
1830 + #endif
1831 +- .ndo_set_mac_address = eth_mac_addr,
1832 ++ .ndo_set_mac_address = stmmac_set_mac_address,
1833 + };
1834 +
1835 + /**
1836 +diff --git a/drivers/net/tun.c b/drivers/net/tun.c
1837 +index 4227ee33ef19..3b13d9e4030a 100644
1838 +--- a/drivers/net/tun.c
1839 ++++ b/drivers/net/tun.c
1840 +@@ -1403,9 +1403,6 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
1841 + u32 rxhash;
1842 + int skb_xdp = 1;
1843 +
1844 +- if (!(tun->dev->flags & IFF_UP))
1845 +- return -EIO;
1846 +-
1847 + if (!(tun->flags & IFF_NO_PI)) {
1848 + if (len < sizeof(pi))
1849 + return -EINVAL;
1850 +@@ -1493,9 +1490,11 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
1851 + err = skb_copy_datagram_from_iter(skb, 0, from, len);
1852 +
1853 + if (err) {
1854 ++ err = -EFAULT;
1855 ++drop:
1856 + this_cpu_inc(tun->pcpu_stats->rx_dropped);
1857 + kfree_skb(skb);
1858 +- return -EFAULT;
1859 ++ return err;
1860 + }
1861 + }
1862 +
1863 +@@ -1566,11 +1565,20 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
1864 + }
1865 +
1866 + rxhash = __skb_get_hash_symmetric(skb);
1867 ++
1868 ++ rcu_read_lock();
1869 ++ if (unlikely(!(tun->dev->flags & IFF_UP))) {
1870 ++ err = -EIO;
1871 ++ rcu_read_unlock();
1872 ++ goto drop;
1873 ++ }
1874 ++
1875 + #ifndef CONFIG_4KSTACKS
1876 + tun_rx_batched(tun, tfile, skb, more);
1877 + #else
1878 + netif_rx_ni(skb);
1879 + #endif
1880 ++ rcu_read_unlock();
1881 +
1882 + stats = get_cpu_ptr(tun->pcpu_stats);
1883 + u64_stats_update_begin(&stats->syncp);
1884 +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
1885 +index df48f65c4f90..2fbaa279988e 100644
1886 +--- a/drivers/net/vxlan.c
1887 ++++ b/drivers/net/vxlan.c
1888 +@@ -3793,10 +3793,8 @@ static void __net_exit vxlan_exit_net(struct net *net)
1889 + /* If vxlan->dev is in the same netns, it has already been added
1890 + * to the list by the previous loop.
1891 + */
1892 +- if (!net_eq(dev_net(vxlan->dev), net)) {
1893 +- gro_cells_destroy(&vxlan->gro_cells);
1894 ++ if (!net_eq(dev_net(vxlan->dev), net))
1895 + unregister_netdevice_queue(vxlan->dev, &list);
1896 +- }
1897 + }
1898 +
1899 + unregister_netdevice_many(&list);
1900 +diff --git a/drivers/phy/allwinner/phy-sun4i-usb.c b/drivers/phy/allwinner/phy-sun4i-usb.c
1901 +index d1ccff527756..4d34dfb64998 100644
1902 +--- a/drivers/phy/allwinner/phy-sun4i-usb.c
1903 ++++ b/drivers/phy/allwinner/phy-sun4i-usb.c
1904 +@@ -480,8 +480,11 @@ static int sun4i_usb_phy_set_mode(struct phy *_phy, enum phy_mode mode)
1905 + struct sun4i_usb_phy_data *data = to_sun4i_usb_phy_data(phy);
1906 + int new_mode;
1907 +
1908 +- if (phy->index != 0)
1909 ++ if (phy->index != 0) {
1910 ++ if (mode == PHY_MODE_USB_HOST)
1911 ++ return 0;
1912 + return -EINVAL;
1913 ++ }
1914 +
1915 + switch (mode) {
1916 + case PHY_MODE_USB_HOST:
1917 +diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
1918 +index ae7a49ade414..d22759eb6640 100644
1919 +--- a/drivers/s390/cio/vfio_ccw_drv.c
1920 ++++ b/drivers/s390/cio/vfio_ccw_drv.c
1921 +@@ -70,20 +70,24 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work)
1922 + {
1923 + struct vfio_ccw_private *private;
1924 + struct irb *irb;
1925 ++ bool is_final;
1926 +
1927 + private = container_of(work, struct vfio_ccw_private, io_work);
1928 + irb = &private->irb;
1929 +
1930 ++ is_final = !(scsw_actl(&irb->scsw) &
1931 ++ (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
1932 + if (scsw_is_solicited(&irb->scsw)) {
1933 + cp_update_scsw(&private->cp, &irb->scsw);
1934 +- cp_free(&private->cp);
1935 ++ if (is_final)
1936 ++ cp_free(&private->cp);
1937 + }
1938 + memcpy(private->io_region.irb_area, irb, sizeof(*irb));
1939 +
1940 + if (private->io_trigger)
1941 + eventfd_signal(private->io_trigger, 1);
1942 +
1943 +- if (private->mdev)
1944 ++ if (private->mdev && is_final)
1945 + private->state = VFIO_CCW_STATE_IDLE;
1946 + }
1947 +
1948 +diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
1949 +index 7aa243a6cdbf..6d5065f679ac 100644
1950 +--- a/drivers/s390/scsi/zfcp_erp.c
1951 ++++ b/drivers/s390/scsi/zfcp_erp.c
1952 +@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(struct zfcp_erp_action *erp_action)
1953 + add_timer(&erp_action->timer);
1954 + }
1955 +
1956 ++void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
1957 ++ int clear, char *dbftag)
1958 ++{
1959 ++ unsigned long flags;
1960 ++ struct zfcp_port *port;
1961 ++
1962 ++ write_lock_irqsave(&adapter->erp_lock, flags);
1963 ++ read_lock(&adapter->port_list_lock);
1964 ++ list_for_each_entry(port, &adapter->port_list, list)
1965 ++ _zfcp_erp_port_forced_reopen(port, clear, dbftag);
1966 ++ read_unlock(&adapter->port_list_lock);
1967 ++ write_unlock_irqrestore(&adapter->erp_lock, flags);
1968 ++}
1969 ++
1970 + static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter,
1971 + int clear, char *id)
1972 + {
1973 +@@ -1306,6 +1320,9 @@ static void zfcp_erp_try_rport_unblock(struct zfcp_port *port)
1974 + struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
1975 + int lun_status;
1976 +
1977 ++ if (sdev->sdev_state == SDEV_DEL ||
1978 ++ sdev->sdev_state == SDEV_CANCEL)
1979 ++ continue;
1980 + if (zsdev->port != port)
1981 + continue;
1982 + /* LUN under port of interest */
1983 +diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
1984 +index c1092a11e728..1b2e2541b1de 100644
1985 +--- a/drivers/s390/scsi/zfcp_ext.h
1986 ++++ b/drivers/s390/scsi/zfcp_ext.h
1987 +@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(struct zfcp_port *, u32);
1988 + extern int zfcp_erp_port_reopen(struct zfcp_port *, int, char *);
1989 + extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *);
1990 + extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *);
1991 ++extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
1992 ++ int clear, char *dbftag);
1993 + extern void zfcp_erp_set_lun_status(struct scsi_device *, u32);
1994 + extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32);
1995 + extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *);
1996 +diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
1997 +index 0b6f51424745..6f6bc73a3a10 100644
1998 +--- a/drivers/s390/scsi/zfcp_scsi.c
1999 ++++ b/drivers/s390/scsi/zfcp_scsi.c
2000 +@@ -327,6 +327,10 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt)
2001 + struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
2002 + int ret = SUCCESS, fc_ret;
2003 +
2004 ++ if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) {
2005 ++ zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p");
2006 ++ zfcp_erp_wait(adapter);
2007 ++ }
2008 + zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
2009 + zfcp_erp_wait(adapter);
2010 + fc_ret = fc_block_scsi_eh(scpnt);
2011 +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
2012 +index d0cc8fb40f63..e0c0fea227c1 100644
2013 +--- a/drivers/scsi/sd.c
2014 ++++ b/drivers/scsi/sd.c
2015 +@@ -1420,11 +1420,6 @@ static void sd_release(struct gendisk *disk, fmode_t mode)
2016 + scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW);
2017 + }
2018 +
2019 +- /*
2020 +- * XXX and what if there are packets in flight and this close()
2021 +- * XXX is followed by a "rmmod sd_mod"?
2022 +- */
2023 +-
2024 + scsi_disk_put(sdkp);
2025 + }
2026 +
2027 +@@ -3089,6 +3084,9 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp,
2028 + unsigned int opt_xfer_bytes =
2029 + logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
2030 +
2031 ++ if (sdkp->opt_xfer_blocks == 0)
2032 ++ return false;
2033 ++
2034 + if (sdkp->opt_xfer_blocks > dev_max) {
2035 + sd_first_printk(KERN_WARNING, sdkp,
2036 + "Optimal transfer size %u logical blocks " \
2037 +@@ -3521,11 +3519,23 @@ static void scsi_disk_release(struct device *dev)
2038 + {
2039 + struct scsi_disk *sdkp = to_scsi_disk(dev);
2040 + struct gendisk *disk = sdkp->disk;
2041 +-
2042 ++ struct request_queue *q = disk->queue;
2043 ++
2044 + spin_lock(&sd_index_lock);
2045 + ida_remove(&sd_index_ida, sdkp->index);
2046 + spin_unlock(&sd_index_lock);
2047 +
2048 ++ /*
2049 ++ * Wait until all requests that are in progress have completed.
2050 ++ * This is necessary to avoid that e.g. scsi_end_request() crashes
2051 ++ * due to clearing the disk->private_data pointer. Wait from inside
2052 ++ * scsi_disk_release() instead of from sd_release() to avoid that
2053 ++ * freezing and unfreezing the request queue affects user space I/O
2054 ++ * in case multiple processes open a /dev/sd... node concurrently.
2055 ++ */
2056 ++ blk_mq_freeze_queue(q);
2057 ++ blk_mq_unfreeze_queue(q);
2058 ++
2059 + disk->private_data = NULL;
2060 + put_disk(disk);
2061 + put_device(&sdkp->device->sdev_gendev);
2062 +diff --git a/drivers/staging/comedi/comedidev.h b/drivers/staging/comedi/comedidev.h
2063 +index 1bb9986f865e..33f249af0063 100644
2064 +--- a/drivers/staging/comedi/comedidev.h
2065 ++++ b/drivers/staging/comedi/comedidev.h
2066 +@@ -992,6 +992,8 @@ int comedi_dio_insn_config(struct comedi_device *dev,
2067 + unsigned int mask);
2068 + unsigned int comedi_dio_update_state(struct comedi_subdevice *s,
2069 + unsigned int *data);
2070 ++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s,
2071 ++ struct comedi_cmd *cmd);
2072 + unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s);
2073 + unsigned int comedi_nscans_left(struct comedi_subdevice *s,
2074 + unsigned int nscans);
2075 +diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c
2076 +index c11c22bd6d13..2e532219f08b 100644
2077 +--- a/drivers/staging/comedi/drivers.c
2078 ++++ b/drivers/staging/comedi/drivers.c
2079 +@@ -390,11 +390,13 @@ unsigned int comedi_dio_update_state(struct comedi_subdevice *s,
2080 + EXPORT_SYMBOL_GPL(comedi_dio_update_state);
2081 +
2082 + /**
2083 +- * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes
2084 ++ * comedi_bytes_per_scan_cmd() - Get length of asynchronous command "scan" in
2085 ++ * bytes
2086 + * @s: COMEDI subdevice.
2087 ++ * @cmd: COMEDI command.
2088 + *
2089 + * Determines the overall scan length according to the subdevice type and the
2090 +- * number of channels in the scan.
2091 ++ * number of channels in the scan for the specified command.
2092 + *
2093 + * For digital input, output or input/output subdevices, samples for
2094 + * multiple channels are assumed to be packed into one or more unsigned
2095 +@@ -404,9 +406,9 @@ EXPORT_SYMBOL_GPL(comedi_dio_update_state);
2096 + *
2097 + * Returns the overall scan length in bytes.
2098 + */
2099 +-unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
2100 ++unsigned int comedi_bytes_per_scan_cmd(struct comedi_subdevice *s,
2101 ++ struct comedi_cmd *cmd)
2102 + {
2103 +- struct comedi_cmd *cmd = &s->async->cmd;
2104 + unsigned int num_samples;
2105 + unsigned int bits_per_sample;
2106 +
2107 +@@ -423,6 +425,29 @@ unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
2108 + }
2109 + return comedi_samples_to_bytes(s, num_samples);
2110 + }
2111 ++EXPORT_SYMBOL_GPL(comedi_bytes_per_scan_cmd);
2112 ++
2113 ++/**
2114 ++ * comedi_bytes_per_scan() - Get length of asynchronous command "scan" in bytes
2115 ++ * @s: COMEDI subdevice.
2116 ++ *
2117 ++ * Determines the overall scan length according to the subdevice type and the
2118 ++ * number of channels in the scan for the current command.
2119 ++ *
2120 ++ * For digital input, output or input/output subdevices, samples for
2121 ++ * multiple channels are assumed to be packed into one or more unsigned
2122 ++ * short or unsigned int values according to the subdevice's %SDF_LSAMPL
2123 ++ * flag. For other types of subdevice, samples are assumed to occupy a
2124 ++ * whole unsigned short or unsigned int according to the %SDF_LSAMPL flag.
2125 ++ *
2126 ++ * Returns the overall scan length in bytes.
2127 ++ */
2128 ++unsigned int comedi_bytes_per_scan(struct comedi_subdevice *s)
2129 ++{
2130 ++ struct comedi_cmd *cmd = &s->async->cmd;
2131 ++
2132 ++ return comedi_bytes_per_scan_cmd(s, cmd);
2133 ++}
2134 + EXPORT_SYMBOL_GPL(comedi_bytes_per_scan);
2135 +
2136 + static unsigned int __comedi_nscans_left(struct comedi_subdevice *s,
2137 +diff --git a/drivers/staging/comedi/drivers/ni_mio_common.c b/drivers/staging/comedi/drivers/ni_mio_common.c
2138 +index 158f3e83efb6..36361bdf934a 100644
2139 +--- a/drivers/staging/comedi/drivers/ni_mio_common.c
2140 ++++ b/drivers/staging/comedi/drivers/ni_mio_common.c
2141 +@@ -3523,6 +3523,7 @@ static int ni_cdio_check_chanlist(struct comedi_device *dev,
2142 + static int ni_cdio_cmdtest(struct comedi_device *dev,
2143 + struct comedi_subdevice *s, struct comedi_cmd *cmd)
2144 + {
2145 ++ unsigned int bytes_per_scan;
2146 + int err = 0;
2147 + int tmp;
2148 +
2149 +@@ -3552,9 +3553,12 @@ static int ni_cdio_cmdtest(struct comedi_device *dev,
2150 + err |= comedi_check_trigger_arg_is(&cmd->convert_arg, 0);
2151 + err |= comedi_check_trigger_arg_is(&cmd->scan_end_arg,
2152 + cmd->chanlist_len);
2153 +- err |= comedi_check_trigger_arg_max(&cmd->stop_arg,
2154 +- s->async->prealloc_bufsz /
2155 +- comedi_bytes_per_scan(s));
2156 ++ bytes_per_scan = comedi_bytes_per_scan_cmd(s, cmd);
2157 ++ if (bytes_per_scan) {
2158 ++ err |= comedi_check_trigger_arg_max(&cmd->stop_arg,
2159 ++ s->async->prealloc_bufsz /
2160 ++ bytes_per_scan);
2161 ++ }
2162 +
2163 + if (err)
2164 + return 3;
2165 +diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
2166 +index 1123b4f1e1d6..84a915199e64 100644
2167 +--- a/drivers/staging/vt6655/device_main.c
2168 ++++ b/drivers/staging/vt6655/device_main.c
2169 +@@ -973,8 +973,6 @@ static void vnt_interrupt_process(struct vnt_private *priv)
2170 + return;
2171 + }
2172 +
2173 +- MACvIntDisable(priv->PortOffset);
2174 +-
2175 + spin_lock_irqsave(&priv->lock, flags);
2176 +
2177 + /* Read low level stats */
2178 +@@ -1062,8 +1060,6 @@ static void vnt_interrupt_process(struct vnt_private *priv)
2179 + }
2180 +
2181 + spin_unlock_irqrestore(&priv->lock, flags);
2182 +-
2183 +- MACvIntEnable(priv->PortOffset, IMR_MASK_VALUE);
2184 + }
2185 +
2186 + static void vnt_interrupt_work(struct work_struct *work)
2187 +@@ -1073,14 +1069,17 @@ static void vnt_interrupt_work(struct work_struct *work)
2188 +
2189 + if (priv->vif)
2190 + vnt_interrupt_process(priv);
2191 ++
2192 ++ MACvIntEnable(priv->PortOffset, IMR_MASK_VALUE);
2193 + }
2194 +
2195 + static irqreturn_t vnt_interrupt(int irq, void *arg)
2196 + {
2197 + struct vnt_private *priv = arg;
2198 +
2199 +- if (priv->vif)
2200 +- schedule_work(&priv->interrupt_work);
2201 ++ schedule_work(&priv->interrupt_work);
2202 ++
2203 ++ MACvIntDisable(priv->PortOffset);
2204 +
2205 + return IRQ_HANDLED;
2206 + }
2207 +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
2208 +index 2286e9d73115..9f1cef59fa28 100644
2209 +--- a/drivers/tty/serial/atmel_serial.c
2210 ++++ b/drivers/tty/serial/atmel_serial.c
2211 +@@ -1163,6 +1163,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
2212 + sg_dma_len(&atmel_port->sg_rx)/2,
2213 + DMA_DEV_TO_MEM,
2214 + DMA_PREP_INTERRUPT);
2215 ++ if (!desc) {
2216 ++ dev_err(port->dev, "Preparing DMA cyclic failed\n");
2217 ++ goto chan_err;
2218 ++ }
2219 + desc->callback = atmel_complete_rx_dma;
2220 + desc->callback_param = port;
2221 + atmel_port->desc_rx = desc;
2222 +diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
2223 +index f2b0d8cee8ef..0314e78e31ff 100644
2224 +--- a/drivers/tty/serial/kgdboc.c
2225 ++++ b/drivers/tty/serial/kgdboc.c
2226 +@@ -148,8 +148,10 @@ static int configure_kgdboc(void)
2227 + char *cptr = config;
2228 + struct console *cons;
2229 +
2230 +- if (!strlen(config) || isspace(config[0]))
2231 ++ if (!strlen(config) || isspace(config[0])) {
2232 ++ err = 0;
2233 + goto noconfig;
2234 ++ }
2235 +
2236 + kgdboc_io_ops.is_console = 0;
2237 + kgdb_tty_driver = NULL;
2238 +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
2239 +index 9dfedbe6c071..54660002271a 100644
2240 +--- a/drivers/tty/serial/max310x.c
2241 ++++ b/drivers/tty/serial/max310x.c
2242 +@@ -1323,6 +1323,8 @@ static int max310x_spi_probe(struct spi_device *spi)
2243 + if (spi->dev.of_node) {
2244 + const struct of_device_id *of_id =
2245 + of_match_device(max310x_dt_ids, &spi->dev);
2246 ++ if (!of_id)
2247 ++ return -ENODEV;
2248 +
2249 + devtype = (struct max310x_devtype *)of_id->data;
2250 + } else {
2251 +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
2252 +index 37dba940d898..d5f933ec153c 100644
2253 +--- a/drivers/tty/serial/sh-sci.c
2254 ++++ b/drivers/tty/serial/sh-sci.c
2255 +@@ -806,19 +806,9 @@ static void sci_transmit_chars(struct uart_port *port)
2256 +
2257 + if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
2258 + uart_write_wakeup(port);
2259 +- if (uart_circ_empty(xmit)) {
2260 ++ if (uart_circ_empty(xmit))
2261 + sci_stop_tx(port);
2262 +- } else {
2263 +- ctrl = serial_port_in(port, SCSCR);
2264 +-
2265 +- if (port->type != PORT_SCI) {
2266 +- serial_port_in(port, SCxSR); /* Dummy read */
2267 +- sci_clear_SCxSR(port, SCxSR_TDxE_CLEAR(port));
2268 +- }
2269 +
2270 +- ctrl |= SCSCR_TIE;
2271 +- serial_port_out(port, SCSCR, ctrl);
2272 +- }
2273 + }
2274 +
2275 + /* On SH3, SCIF may read end-of-break as a space->mark char */
2276 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
2277 +index 8ab0195f8d32..f736c8895089 100644
2278 +--- a/drivers/usb/class/cdc-acm.c
2279 ++++ b/drivers/usb/class/cdc-acm.c
2280 +@@ -570,10 +570,8 @@ static void acm_softint(struct work_struct *work)
2281 + clear_bit(EVENT_RX_STALL, &acm->flags);
2282 + }
2283 +
2284 +- if (test_bit(EVENT_TTY_WAKEUP, &acm->flags)) {
2285 ++ if (test_and_clear_bit(EVENT_TTY_WAKEUP, &acm->flags))
2286 + tty_port_tty_wakeup(&acm->port);
2287 +- clear_bit(EVENT_TTY_WAKEUP, &acm->flags);
2288 +- }
2289 + }
2290 +
2291 + /*
2292 +diff --git a/drivers/usb/common/common.c b/drivers/usb/common/common.c
2293 +index 552ff7ac5a6b..c1ab14145f62 100644
2294 +--- a/drivers/usb/common/common.c
2295 ++++ b/drivers/usb/common/common.c
2296 +@@ -148,6 +148,8 @@ enum usb_dr_mode of_usb_get_dr_mode_by_phy(struct device_node *np, int arg0)
2297 +
2298 + do {
2299 + controller = of_find_node_with_property(controller, "phys");
2300 ++ if (!of_device_is_available(controller))
2301 ++ continue;
2302 + index = 0;
2303 + do {
2304 + if (arg0 == -1) {
2305 +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
2306 +index 1a6ccdd5a5fc..bd749e78df59 100644
2307 +--- a/drivers/usb/core/config.c
2308 ++++ b/drivers/usb/core/config.c
2309 +@@ -768,21 +768,18 @@ void usb_destroy_configuration(struct usb_device *dev)
2310 + return;
2311 +
2312 + if (dev->rawdescriptors) {
2313 +- for (i = 0; i < dev->descriptor.bNumConfigurations &&
2314 +- i < USB_MAXCONFIG; i++)
2315 ++ for (i = 0; i < dev->descriptor.bNumConfigurations; i++)
2316 + kfree(dev->rawdescriptors[i]);
2317 +
2318 + kfree(dev->rawdescriptors);
2319 + dev->rawdescriptors = NULL;
2320 + }
2321 +
2322 +- for (c = 0; c < dev->descriptor.bNumConfigurations &&
2323 +- c < USB_MAXCONFIG; c++) {
2324 ++ for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
2325 + struct usb_host_config *cf = &dev->config[c];
2326 +
2327 + kfree(cf->string);
2328 +- for (i = 0; i < cf->desc.bNumInterfaces &&
2329 +- i < USB_MAXINTERFACES; i++) {
2330 ++ for (i = 0; i < cf->desc.bNumInterfaces; i++) {
2331 + if (cf->intf_cache[i])
2332 + kref_put(&cf->intf_cache[i]->ref,
2333 + usb_release_interface_cache);
2334 +diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
2335 +index d8e359ef6eb1..63f6e344d5b0 100644
2336 +--- a/drivers/usb/gadget/function/f_hid.c
2337 ++++ b/drivers/usb/gadget/function/f_hid.c
2338 +@@ -395,20 +395,20 @@ try_again:
2339 + req->complete = f_hidg_req_complete;
2340 + req->context = hidg;
2341 +
2342 ++ spin_unlock_irqrestore(&hidg->write_spinlock, flags);
2343 ++
2344 + status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC);
2345 + if (status < 0) {
2346 + ERROR(hidg->func.config->cdev,
2347 + "usb_ep_queue error on int endpoint %zd\n", status);
2348 +- goto release_write_pending_unlocked;
2349 ++ goto release_write_pending;
2350 + } else {
2351 + status = count;
2352 + }
2353 +- spin_unlock_irqrestore(&hidg->write_spinlock, flags);
2354 +
2355 + return status;
2356 + release_write_pending:
2357 + spin_lock_irqsave(&hidg->write_spinlock, flags);
2358 +-release_write_pending_unlocked:
2359 + hidg->write_pending = 0;
2360 + spin_unlock_irqrestore(&hidg->write_spinlock, flags);
2361 +
2362 +diff --git a/drivers/usb/host/xhci-rcar.c b/drivers/usb/host/xhci-rcar.c
2363 +index 97f23cc31f4c..425c2edfd6ea 100644
2364 +--- a/drivers/usb/host/xhci-rcar.c
2365 ++++ b/drivers/usb/host/xhci-rcar.c
2366 +@@ -236,6 +236,7 @@ int xhci_rcar_init_quirk(struct usb_hcd *hcd)
2367 + xhci_rcar_is_gen3(hcd->self.controller))
2368 + xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
2369 +
2370 ++ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
2371 + return xhci_rcar_download_firmware(hcd);
2372 + }
2373 +
2374 +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
2375 +index aa230706b875..9a7e77a09080 100644
2376 +--- a/drivers/usb/host/xhci-ring.c
2377 ++++ b/drivers/usb/host/xhci-ring.c
2378 +@@ -1715,10 +1715,13 @@ static void handle_port_status(struct xhci_hcd *xhci,
2379 + }
2380 + }
2381 +
2382 +- if ((portsc & PORT_PLC) && (portsc & PORT_PLS_MASK) == XDEV_U0 &&
2383 +- DEV_SUPERSPEED_ANY(portsc)) {
2384 ++ if ((portsc & PORT_PLC) &&
2385 ++ DEV_SUPERSPEED_ANY(portsc) &&
2386 ++ ((portsc & PORT_PLS_MASK) == XDEV_U0 ||
2387 ++ (portsc & PORT_PLS_MASK) == XDEV_U1 ||
2388 ++ (portsc & PORT_PLS_MASK) == XDEV_U2)) {
2389 + xhci_dbg(xhci, "resume SS port %d finished\n", port_id);
2390 +- /* We've just brought the device into U0 through either the
2391 ++ /* We've just brought the device into U0/1/2 through either the
2392 + * Resume state after a device remote wakeup, or through the
2393 + * U3Exit state after a host-initiated resume. If it's a device
2394 + * initiated remote wake, don't pass up the link state change,
2395 +diff --git a/drivers/usb/mtu3/Kconfig b/drivers/usb/mtu3/Kconfig
2396 +index 25cd61947bee..a213ce94f6eb 100644
2397 +--- a/drivers/usb/mtu3/Kconfig
2398 ++++ b/drivers/usb/mtu3/Kconfig
2399 +@@ -4,6 +4,7 @@ config USB_MTU3
2400 + tristate "MediaTek USB3 Dual Role controller"
2401 + depends on EXTCON && (USB || USB_GADGET) && HAS_DMA
2402 + depends on ARCH_MEDIATEK || COMPILE_TEST
2403 ++ depends on EXTCON || !EXTCON
2404 + select USB_XHCI_MTK if USB_SUPPORT && USB_XHCI_HCD
2405 + help
2406 + Say Y or M here if your system runs on MediaTek SoCs with
2407 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
2408 +index d8e6790ccffe..98e466c3cfca 100644
2409 +--- a/drivers/usb/serial/cp210x.c
2410 ++++ b/drivers/usb/serial/cp210x.c
2411 +@@ -83,6 +83,7 @@ static const struct usb_device_id id_table[] = {
2412 + { USB_DEVICE(0x10C4, 0x804E) }, /* Software Bisque Paramount ME build-in converter */
2413 + { USB_DEVICE(0x10C4, 0x8053) }, /* Enfora EDG1228 */
2414 + { USB_DEVICE(0x10C4, 0x8054) }, /* Enfora GSM2228 */
2415 ++ { USB_DEVICE(0x10C4, 0x8056) }, /* Lorenz Messtechnik devices */
2416 + { USB_DEVICE(0x10C4, 0x8066) }, /* Argussoft In-System Programmer */
2417 + { USB_DEVICE(0x10C4, 0x806F) }, /* IMS USB to RS422 Converter Cable */
2418 + { USB_DEVICE(0x10C4, 0x807A) }, /* Crumb128 board */
2419 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
2420 +index d45a2c352c98..e76395d7f17d 100644
2421 +--- a/drivers/usb/serial/ftdi_sio.c
2422 ++++ b/drivers/usb/serial/ftdi_sio.c
2423 +@@ -604,6 +604,8 @@ static const struct usb_device_id id_table_combined[] = {
2424 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
2425 + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
2426 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
2427 ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
2428 ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
2429 + { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
2430 + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
2431 + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
2432 +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
2433 +index b863bedb55a1..5755f0df0025 100644
2434 +--- a/drivers/usb/serial/ftdi_sio_ids.h
2435 ++++ b/drivers/usb/serial/ftdi_sio_ids.h
2436 +@@ -567,7 +567,9 @@
2437 + /*
2438 + * NovaTech product ids (FTDI_VID)
2439 + */
2440 +-#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */
2441 ++#define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */
2442 ++#define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */
2443 ++#define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */
2444 +
2445 + /*
2446 + * Synapse Wireless product ids (FTDI_VID)
2447 +diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
2448 +index a453965f9e9a..393a91ab56ed 100644
2449 +--- a/drivers/usb/serial/mos7720.c
2450 ++++ b/drivers/usb/serial/mos7720.c
2451 +@@ -368,8 +368,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
2452 + if (!urbtrack)
2453 + return -ENOMEM;
2454 +
2455 +- kref_get(&mos_parport->ref_count);
2456 +- urbtrack->mos_parport = mos_parport;
2457 + urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC);
2458 + if (!urbtrack->urb) {
2459 + kfree(urbtrack);
2460 +@@ -390,6 +388,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
2461 + usb_sndctrlpipe(usbdev, 0),
2462 + (unsigned char *)urbtrack->setup,
2463 + NULL, 0, async_complete, urbtrack);
2464 ++ kref_get(&mos_parport->ref_count);
2465 ++ urbtrack->mos_parport = mos_parport;
2466 + kref_init(&urbtrack->ref_count);
2467 + INIT_LIST_HEAD(&urbtrack->urblist_entry);
2468 +
2469 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
2470 +index bf72245f1cea..3311f569aa17 100644
2471 +--- a/drivers/usb/serial/option.c
2472 ++++ b/drivers/usb/serial/option.c
2473 +@@ -249,6 +249,7 @@ static void option_instat_callback(struct urb *urb);
2474 + #define QUECTEL_PRODUCT_EC25 0x0125
2475 + #define QUECTEL_PRODUCT_BG96 0x0296
2476 + #define QUECTEL_PRODUCT_EP06 0x0306
2477 ++#define QUECTEL_PRODUCT_EM12 0x0512
2478 +
2479 + #define CMOTECH_VENDOR_ID 0x16d8
2480 + #define CMOTECH_PRODUCT_6001 0x6001
2481 +@@ -1069,7 +1070,8 @@ static const struct usb_device_id option_ids[] = {
2482 + .driver_info = RSVD(3) },
2483 + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
2484 + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
2485 +- { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
2486 ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000), /* SIMCom SIM5218 */
2487 ++ .driver_info = NCTRL(0) | NCTRL(1) | NCTRL(2) | NCTRL(3) | RSVD(4) },
2488 + /* Quectel products using Qualcomm vendor ID */
2489 + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
2490 + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
2491 +@@ -1090,6 +1092,9 @@ static const struct usb_device_id option_ids[] = {
2492 + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0xff, 0xff),
2493 + .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 },
2494 + { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0, 0) },
2495 ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0xff, 0xff),
2496 ++ .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 },
2497 ++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM12, 0xff, 0, 0) },
2498 + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
2499 + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
2500 + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6003),
2501 +@@ -1942,10 +1947,12 @@ static const struct usb_device_id option_ids[] = {
2502 + .driver_info = RSVD(4) },
2503 + { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e35, 0xff), /* D-Link DWM-222 */
2504 + .driver_info = RSVD(4) },
2505 +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
2506 +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
2507 +- { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
2508 +- { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */
2509 ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
2510 ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
2511 ++ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */
2512 ++ { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2031, 0xff), /* Olicard 600 */
2513 ++ .driver_info = RSVD(4) },
2514 ++ { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */
2515 + { USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
2516 + { USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) },
2517 + { USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID, WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
2518 +diff --git a/drivers/video/fbdev/goldfishfb.c b/drivers/video/fbdev/goldfishfb.c
2519 +index 14a93cb21310..66d58e93bc32 100644
2520 +--- a/drivers/video/fbdev/goldfishfb.c
2521 ++++ b/drivers/video/fbdev/goldfishfb.c
2522 +@@ -234,7 +234,7 @@ static int goldfish_fb_probe(struct platform_device *pdev)
2523 + fb->fb.var.activate = FB_ACTIVATE_NOW;
2524 + fb->fb.var.height = readl(fb->reg_base + FB_GET_PHYS_HEIGHT);
2525 + fb->fb.var.width = readl(fb->reg_base + FB_GET_PHYS_WIDTH);
2526 +- fb->fb.var.pixclock = 10000;
2527 ++ fb->fb.var.pixclock = 0;
2528 +
2529 + fb->fb.var.red.offset = 11;
2530 + fb->fb.var.red.length = 5;
2531 +diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c
2532 +index 2e995e565633..1e35a2327478 100644
2533 +--- a/fs/btrfs/raid56.c
2534 ++++ b/fs/btrfs/raid56.c
2535 +@@ -2414,8 +2414,9 @@ static noinline void finish_parity_scrub(struct btrfs_raid_bio *rbio,
2536 + bitmap_clear(rbio->dbitmap, pagenr, 1);
2537 + kunmap(p);
2538 +
2539 +- for (stripe = 0; stripe < rbio->real_stripes; stripe++)
2540 ++ for (stripe = 0; stripe < nr_data; stripe++)
2541 + kunmap(page_in_rbio(rbio, stripe, pagenr, 0));
2542 ++ kunmap(p_page);
2543 + }
2544 +
2545 + __free_page(p_page);
2546 +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
2547 +index 179a383a4aaa..9d72882b0f72 100644
2548 +--- a/fs/btrfs/tree-log.c
2549 ++++ b/fs/btrfs/tree-log.c
2550 +@@ -3422,9 +3422,16 @@ static noinline int log_dir_items(struct btrfs_trans_handle *trans,
2551 + }
2552 + btrfs_release_path(path);
2553 +
2554 +- /* find the first key from this transaction again */
2555 ++ /*
2556 ++ * Find the first key from this transaction again. See the note for
2557 ++ * log_new_dir_dentries, if we're logging a directory recursively we
2558 ++ * won't be holding its i_mutex, which means we can modify the directory
2559 ++ * while we're logging it. If we remove an entry between our first
2560 ++ * search and this search we'll not find the key again and can just
2561 ++ * bail.
2562 ++ */
2563 + ret = btrfs_search_slot(NULL, root, &min_key, path, 0, 0);
2564 +- if (WARN_ON(ret != 0))
2565 ++ if (ret != 0)
2566 + goto done;
2567 +
2568 + /*
2569 +@@ -4501,6 +4508,19 @@ static int logged_inode_size(struct btrfs_root *log, struct btrfs_inode *inode,
2570 + item = btrfs_item_ptr(path->nodes[0], path->slots[0],
2571 + struct btrfs_inode_item);
2572 + *size_ret = btrfs_inode_size(path->nodes[0], item);
2573 ++ /*
2574 ++ * If the in-memory inode's i_size is smaller then the inode
2575 ++ * size stored in the btree, return the inode's i_size, so
2576 ++ * that we get a correct inode size after replaying the log
2577 ++ * when before a power failure we had a shrinking truncate
2578 ++ * followed by addition of a new name (rename / new hard link).
2579 ++ * Otherwise return the inode size from the btree, to avoid
2580 ++ * data loss when replaying a log due to previously doing a
2581 ++ * write that expands the inode's size and logging a new name
2582 ++ * immediately after.
2583 ++ */
2584 ++ if (*size_ret > inode->vfs_inode.i_size)
2585 ++ *size_ret = inode->vfs_inode.i_size;
2586 + }
2587 +
2588 + btrfs_release_path(path);
2589 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
2590 +index 9041a892701f..a225f98c9903 100644
2591 +--- a/fs/nfs/nfs4proc.c
2592 ++++ b/fs/nfs/nfs4proc.c
2593 +@@ -2746,7 +2746,8 @@ static int _nfs4_open_and_get_state(struct nfs4_opendata *opendata,
2594 + nfs4_schedule_stateid_recovery(server, state);
2595 + }
2596 + out:
2597 +- nfs4_sequence_free_slot(&opendata->o_res.seq_res);
2598 ++ if (!opendata->cancelled)
2599 ++ nfs4_sequence_free_slot(&opendata->o_res.seq_res);
2600 + return ret;
2601 + }
2602 +
2603 +diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
2604 +index 824f407df1db..3a4e1bca5e31 100644
2605 +--- a/fs/ocfs2/refcounttree.c
2606 ++++ b/fs/ocfs2/refcounttree.c
2607 +@@ -4716,22 +4716,23 @@ out:
2608 +
2609 + /* Lock an inode and grab a bh pointing to the inode. */
2610 + static int ocfs2_reflink_inodes_lock(struct inode *s_inode,
2611 +- struct buffer_head **bh1,
2612 ++ struct buffer_head **bh_s,
2613 + struct inode *t_inode,
2614 +- struct buffer_head **bh2)
2615 ++ struct buffer_head **bh_t)
2616 + {
2617 +- struct inode *inode1;
2618 +- struct inode *inode2;
2619 ++ struct inode *inode1 = s_inode;
2620 ++ struct inode *inode2 = t_inode;
2621 + struct ocfs2_inode_info *oi1;
2622 + struct ocfs2_inode_info *oi2;
2623 ++ struct buffer_head *bh1 = NULL;
2624 ++ struct buffer_head *bh2 = NULL;
2625 + bool same_inode = (s_inode == t_inode);
2626 ++ bool need_swap = (inode1->i_ino > inode2->i_ino);
2627 + int status;
2628 +
2629 + /* First grab the VFS and rw locks. */
2630 + lock_two_nondirectories(s_inode, t_inode);
2631 +- inode1 = s_inode;
2632 +- inode2 = t_inode;
2633 +- if (inode1->i_ino > inode2->i_ino)
2634 ++ if (need_swap)
2635 + swap(inode1, inode2);
2636 +
2637 + status = ocfs2_rw_lock(inode1, 1);
2638 +@@ -4754,17 +4755,13 @@ static int ocfs2_reflink_inodes_lock(struct inode *s_inode,
2639 + trace_ocfs2_double_lock((unsigned long long)oi1->ip_blkno,
2640 + (unsigned long long)oi2->ip_blkno);
2641 +
2642 +- if (*bh1)
2643 +- *bh1 = NULL;
2644 +- if (*bh2)
2645 +- *bh2 = NULL;
2646 +-
2647 + /* We always want to lock the one with the lower lockid first. */
2648 + if (oi1->ip_blkno > oi2->ip_blkno)
2649 + mlog_errno(-ENOLCK);
2650 +
2651 + /* lock id1 */
2652 +- status = ocfs2_inode_lock_nested(inode1, bh1, 1, OI_LS_REFLINK_TARGET);
2653 ++ status = ocfs2_inode_lock_nested(inode1, &bh1, 1,
2654 ++ OI_LS_REFLINK_TARGET);
2655 + if (status < 0) {
2656 + if (status != -ENOENT)
2657 + mlog_errno(status);
2658 +@@ -4773,15 +4770,25 @@ static int ocfs2_reflink_inodes_lock(struct inode *s_inode,
2659 +
2660 + /* lock id2 */
2661 + if (!same_inode) {
2662 +- status = ocfs2_inode_lock_nested(inode2, bh2, 1,
2663 ++ status = ocfs2_inode_lock_nested(inode2, &bh2, 1,
2664 + OI_LS_REFLINK_TARGET);
2665 + if (status < 0) {
2666 + if (status != -ENOENT)
2667 + mlog_errno(status);
2668 + goto out_cl1;
2669 + }
2670 +- } else
2671 +- *bh2 = *bh1;
2672 ++ } else {
2673 ++ bh2 = bh1;
2674 ++ }
2675 ++
2676 ++ /*
2677 ++ * If we swapped inode order above, we have to swap the buffer heads
2678 ++ * before passing them back to the caller.
2679 ++ */
2680 ++ if (need_swap)
2681 ++ swap(bh1, bh2);
2682 ++ *bh_s = bh1;
2683 ++ *bh_t = bh2;
2684 +
2685 + trace_ocfs2_double_lock_end(
2686 + (unsigned long long)OCFS2_I(inode1)->ip_blkno,
2687 +@@ -4791,8 +4798,7 @@ static int ocfs2_reflink_inodes_lock(struct inode *s_inode,
2688 +
2689 + out_cl1:
2690 + ocfs2_inode_unlock(inode1, 1);
2691 +- brelse(*bh1);
2692 +- *bh1 = NULL;
2693 ++ brelse(bh1);
2694 + out_rw2:
2695 + ocfs2_rw_unlock(inode2, 1);
2696 + out_i2:
2697 +diff --git a/fs/open.c b/fs/open.c
2698 +index 7ea118471dce..28a3956c4479 100644
2699 +--- a/fs/open.c
2700 ++++ b/fs/open.c
2701 +@@ -716,6 +716,12 @@ static int do_dentry_open(struct file *f,
2702 + return 0;
2703 + }
2704 +
2705 ++ /* Any file opened for execve()/uselib() has to be a regular file. */
2706 ++ if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) {
2707 ++ error = -EACCES;
2708 ++ goto cleanup_file;
2709 ++ }
2710 ++
2711 + if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
2712 + error = get_write_access(inode);
2713 + if (unlikely(error))
2714 +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
2715 +index f69c545f5868..8d5422bb9c1a 100644
2716 +--- a/fs/proc/proc_sysctl.c
2717 ++++ b/fs/proc/proc_sysctl.c
2718 +@@ -1620,7 +1620,8 @@ static void drop_sysctl_table(struct ctl_table_header *header)
2719 + if (--header->nreg)
2720 + return;
2721 +
2722 +- put_links(header);
2723 ++ if (parent)
2724 ++ put_links(header);
2725 + start_unregistering(header);
2726 + if (!--header->count)
2727 + kfree_rcu(header, rcu);
2728 +diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h
2729 +index 4a5b9a306c69..803fc26ef0ba 100644
2730 +--- a/include/net/sctp/checksum.h
2731 ++++ b/include/net/sctp/checksum.h
2732 +@@ -60,7 +60,7 @@ static inline __wsum sctp_csum_combine(__wsum csum, __wsum csum2,
2733 + static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
2734 + unsigned int offset)
2735 + {
2736 +- struct sctphdr *sh = sctp_hdr(skb);
2737 ++ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset);
2738 + __le32 ret, old = sh->checksum;
2739 + const struct skb_checksum_ops ops = {
2740 + .update = sctp_csum_update,
2741 +diff --git a/include/net/sock.h b/include/net/sock.h
2742 +index 4280e96d4b46..60eef7f1ac05 100644
2743 +--- a/include/net/sock.h
2744 ++++ b/include/net/sock.h
2745 +@@ -682,6 +682,12 @@ static inline void sk_add_node_rcu(struct sock *sk, struct hlist_head *list)
2746 + hlist_add_head_rcu(&sk->sk_node, list);
2747 + }
2748 +
2749 ++static inline void sk_add_node_tail_rcu(struct sock *sk, struct hlist_head *list)
2750 ++{
2751 ++ sock_hold(sk);
2752 ++ hlist_add_tail_rcu(&sk->sk_node, list);
2753 ++}
2754 ++
2755 + static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list)
2756 + {
2757 + hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list);
2758 +diff --git a/kernel/cpu.c b/kernel/cpu.c
2759 +index 0171754db32b..32f0432f0c26 100644
2760 +--- a/kernel/cpu.c
2761 ++++ b/kernel/cpu.c
2762 +@@ -538,6 +538,20 @@ static void undo_cpu_up(unsigned int cpu, struct cpuhp_cpu_state *st)
2763 + }
2764 + }
2765 +
2766 ++static inline bool can_rollback_cpu(struct cpuhp_cpu_state *st)
2767 ++{
2768 ++ if (IS_ENABLED(CONFIG_HOTPLUG_CPU))
2769 ++ return true;
2770 ++ /*
2771 ++ * When CPU hotplug is disabled, then taking the CPU down is not
2772 ++ * possible because takedown_cpu() and the architecture and
2773 ++ * subsystem specific mechanisms are not available. So the CPU
2774 ++ * which would be completely unplugged again needs to stay around
2775 ++ * in the current state.
2776 ++ */
2777 ++ return st->state <= CPUHP_BRINGUP_CPU;
2778 ++}
2779 ++
2780 + static int cpuhp_up_callbacks(unsigned int cpu, struct cpuhp_cpu_state *st,
2781 + enum cpuhp_state target)
2782 + {
2783 +@@ -548,8 +562,10 @@ static int cpuhp_up_callbacks(unsigned int cpu, struct cpuhp_cpu_state *st,
2784 + st->state++;
2785 + ret = cpuhp_invoke_callback(cpu, st->state, true, NULL, NULL);
2786 + if (ret) {
2787 +- st->target = prev_state;
2788 +- undo_cpu_up(cpu, st);
2789 ++ if (can_rollback_cpu(st)) {
2790 ++ st->target = prev_state;
2791 ++ undo_cpu_up(cpu, st);
2792 ++ }
2793 + break;
2794 + }
2795 + }
2796 +diff --git a/lib/rhashtable.c b/lib/rhashtable.c
2797 +index cebbcec877d7..cb577ca65fa9 100644
2798 +--- a/lib/rhashtable.c
2799 ++++ b/lib/rhashtable.c
2800 +@@ -459,8 +459,12 @@ static void rht_deferred_worker(struct work_struct *work)
2801 + else if (tbl->nest)
2802 + err = rhashtable_rehash_alloc(ht, tbl, tbl->size);
2803 +
2804 +- if (!err)
2805 +- err = rhashtable_rehash_table(ht);
2806 ++ if (!err || err == -EEXIST) {
2807 ++ int nerr;
2808 ++
2809 ++ nerr = rhashtable_rehash_table(ht);
2810 ++ err = err ?: nerr;
2811 ++ }
2812 +
2813 + mutex_unlock(&ht->mutex);
2814 +
2815 +diff --git a/mm/migrate.c b/mm/migrate.c
2816 +index 877269339fa7..9a3ce8847308 100644
2817 +--- a/mm/migrate.c
2818 ++++ b/mm/migrate.c
2819 +@@ -247,10 +247,8 @@ static bool remove_migration_pte(struct page *page, struct vm_area_struct *vma,
2820 + pte = swp_entry_to_pte(entry);
2821 + } else if (is_device_public_page(new)) {
2822 + pte = pte_mkdevmap(pte);
2823 +- flush_dcache_page(new);
2824 + }
2825 +- } else
2826 +- flush_dcache_page(new);
2827 ++ }
2828 +
2829 + #ifdef CONFIG_HUGETLB_PAGE
2830 + if (PageHuge(new)) {
2831 +@@ -971,6 +969,13 @@ static int move_to_new_page(struct page *newpage, struct page *page,
2832 + */
2833 + if (!PageMappingFlags(page))
2834 + page->mapping = NULL;
2835 ++
2836 ++ if (unlikely(is_zone_device_page(newpage))) {
2837 ++ if (is_device_public_page(newpage))
2838 ++ flush_dcache_page(newpage);
2839 ++ } else
2840 ++ flush_dcache_page(newpage);
2841 ++
2842 + }
2843 + out:
2844 + return rc;
2845 +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
2846 +index 9b7907ebfa01..b510da76170e 100644
2847 +--- a/net/bluetooth/l2cap_core.c
2848 ++++ b/net/bluetooth/l2cap_core.c
2849 +@@ -3336,16 +3336,22 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
2850 +
2851 + while (len >= L2CAP_CONF_OPT_SIZE) {
2852 + len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
2853 ++ if (len < 0)
2854 ++ break;
2855 +
2856 + hint = type & L2CAP_CONF_HINT;
2857 + type &= L2CAP_CONF_MASK;
2858 +
2859 + switch (type) {
2860 + case L2CAP_CONF_MTU:
2861 ++ if (olen != 2)
2862 ++ break;
2863 + mtu = val;
2864 + break;
2865 +
2866 + case L2CAP_CONF_FLUSH_TO:
2867 ++ if (olen != 2)
2868 ++ break;
2869 + chan->flush_to = val;
2870 + break;
2871 +
2872 +@@ -3353,26 +3359,30 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
2873 + break;
2874 +
2875 + case L2CAP_CONF_RFC:
2876 +- if (olen == sizeof(rfc))
2877 +- memcpy(&rfc, (void *) val, olen);
2878 ++ if (olen != sizeof(rfc))
2879 ++ break;
2880 ++ memcpy(&rfc, (void *) val, olen);
2881 + break;
2882 +
2883 + case L2CAP_CONF_FCS:
2884 ++ if (olen != 1)
2885 ++ break;
2886 + if (val == L2CAP_FCS_NONE)
2887 + set_bit(CONF_RECV_NO_FCS, &chan->conf_state);
2888 + break;
2889 +
2890 + case L2CAP_CONF_EFS:
2891 +- if (olen == sizeof(efs)) {
2892 +- remote_efs = 1;
2893 +- memcpy(&efs, (void *) val, olen);
2894 +- }
2895 ++ if (olen != sizeof(efs))
2896 ++ break;
2897 ++ remote_efs = 1;
2898 ++ memcpy(&efs, (void *) val, olen);
2899 + break;
2900 +
2901 + case L2CAP_CONF_EWS:
2902 ++ if (olen != 2)
2903 ++ break;
2904 + if (!(chan->conn->local_fixed_chan & L2CAP_FC_A2MP))
2905 + return -ECONNREFUSED;
2906 +-
2907 + set_bit(FLAG_EXT_CTRL, &chan->flags);
2908 + set_bit(CONF_EWS_RECV, &chan->conf_state);
2909 + chan->tx_win_max = L2CAP_DEFAULT_EXT_WINDOW;
2910 +@@ -3382,7 +3392,6 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
2911 + default:
2912 + if (hint)
2913 + break;
2914 +-
2915 + result = L2CAP_CONF_UNKNOWN;
2916 + *((u8 *) ptr++) = type;
2917 + break;
2918 +@@ -3547,58 +3556,65 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
2919 +
2920 + while (len >= L2CAP_CONF_OPT_SIZE) {
2921 + len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
2922 ++ if (len < 0)
2923 ++ break;
2924 +
2925 + switch (type) {
2926 + case L2CAP_CONF_MTU:
2927 ++ if (olen != 2)
2928 ++ break;
2929 + if (val < L2CAP_DEFAULT_MIN_MTU) {
2930 + *result = L2CAP_CONF_UNACCEPT;
2931 + chan->imtu = L2CAP_DEFAULT_MIN_MTU;
2932 + } else
2933 + chan->imtu = val;
2934 +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
2935 ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu,
2936 ++ endptr - ptr);
2937 + break;
2938 +
2939 + case L2CAP_CONF_FLUSH_TO:
2940 ++ if (olen != 2)
2941 ++ break;
2942 + chan->flush_to = val;
2943 +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
2944 +- 2, chan->flush_to, endptr - ptr);
2945 ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2,
2946 ++ chan->flush_to, endptr - ptr);
2947 + break;
2948 +
2949 + case L2CAP_CONF_RFC:
2950 +- if (olen == sizeof(rfc))
2951 +- memcpy(&rfc, (void *)val, olen);
2952 +-
2953 ++ if (olen != sizeof(rfc))
2954 ++ break;
2955 ++ memcpy(&rfc, (void *)val, olen);
2956 + if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
2957 + rfc.mode != chan->mode)
2958 + return -ECONNREFUSED;
2959 +-
2960 + chan->fcs = 0;
2961 +-
2962 +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
2963 +- sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
2964 ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
2965 ++ (unsigned long) &rfc, endptr - ptr);
2966 + break;
2967 +
2968 + case L2CAP_CONF_EWS:
2969 ++ if (olen != 2)
2970 ++ break;
2971 + chan->ack_win = min_t(u16, val, chan->ack_win);
2972 + l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
2973 + chan->tx_win, endptr - ptr);
2974 + break;
2975 +
2976 + case L2CAP_CONF_EFS:
2977 +- if (olen == sizeof(efs)) {
2978 +- memcpy(&efs, (void *)val, olen);
2979 +-
2980 +- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2981 +- efs.stype != L2CAP_SERV_NOTRAFIC &&
2982 +- efs.stype != chan->local_stype)
2983 +- return -ECONNREFUSED;
2984 +-
2985 +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
2986 +- (unsigned long) &efs, endptr - ptr);
2987 +- }
2988 ++ if (olen != sizeof(efs))
2989 ++ break;
2990 ++ memcpy(&efs, (void *)val, olen);
2991 ++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
2992 ++ efs.stype != L2CAP_SERV_NOTRAFIC &&
2993 ++ efs.stype != chan->local_stype)
2994 ++ return -ECONNREFUSED;
2995 ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
2996 ++ (unsigned long) &efs, endptr - ptr);
2997 + break;
2998 +
2999 + case L2CAP_CONF_FCS:
3000 ++ if (olen != 1)
3001 ++ break;
3002 + if (*result == L2CAP_CONF_PENDING)
3003 + if (val == L2CAP_FCS_NONE)
3004 + set_bit(CONF_RECV_NO_FCS,
3005 +@@ -3727,13 +3743,18 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
3006 +
3007 + while (len >= L2CAP_CONF_OPT_SIZE) {
3008 + len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
3009 ++ if (len < 0)
3010 ++ break;
3011 +
3012 + switch (type) {
3013 + case L2CAP_CONF_RFC:
3014 +- if (olen == sizeof(rfc))
3015 +- memcpy(&rfc, (void *)val, olen);
3016 ++ if (olen != sizeof(rfc))
3017 ++ break;
3018 ++ memcpy(&rfc, (void *)val, olen);
3019 + break;
3020 + case L2CAP_CONF_EWS:
3021 ++ if (olen != 2)
3022 ++ break;
3023 + txwin_ext = val;
3024 + break;
3025 + }
3026 +diff --git a/net/core/datagram.c b/net/core/datagram.c
3027 +index d8a0774f7608..dcb333e95702 100644
3028 +--- a/net/core/datagram.c
3029 ++++ b/net/core/datagram.c
3030 +@@ -281,7 +281,7 @@ struct sk_buff *__skb_try_recv_datagram(struct sock *sk, unsigned int flags,
3031 + break;
3032 +
3033 + sk_busy_loop(sk, flags & MSG_DONTWAIT);
3034 +- } while (!skb_queue_empty(&sk->sk_receive_queue));
3035 ++ } while (sk->sk_receive_queue.prev != *last);
3036 +
3037 + error = -EAGAIN;
3038 +
3039 +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
3040 +index c6a2655cc28a..dee57c5ff738 100644
3041 +--- a/net/core/net-sysfs.c
3042 ++++ b/net/core/net-sysfs.c
3043 +@@ -917,6 +917,8 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
3044 + if (error)
3045 + return error;
3046 +
3047 ++ dev_hold(queue->dev);
3048 ++
3049 + if (dev->sysfs_rx_queue_group) {
3050 + error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
3051 + if (error) {
3052 +@@ -926,7 +928,6 @@ static int rx_queue_add_kobject(struct net_device *dev, int index)
3053 + }
3054 +
3055 + kobject_uevent(kobj, KOBJ_ADD);
3056 +- dev_hold(queue->dev);
3057 +
3058 + return error;
3059 + }
3060 +@@ -1327,6 +1328,8 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
3061 + if (error)
3062 + return error;
3063 +
3064 ++ dev_hold(queue->dev);
3065 ++
3066 + #ifdef CONFIG_BQL
3067 + error = sysfs_create_group(kobj, &dql_group);
3068 + if (error) {
3069 +@@ -1336,7 +1339,6 @@ static int netdev_queue_add_kobject(struct net_device *dev, int index)
3070 + #endif
3071 +
3072 + kobject_uevent(kobj, KOBJ_ADD);
3073 +- dev_hold(queue->dev);
3074 +
3075 + return 0;
3076 + }
3077 +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
3078 +index 6344f1b18a6a..58a401e9cf09 100644
3079 +--- a/net/dccp/ipv6.c
3080 ++++ b/net/dccp/ipv6.c
3081 +@@ -433,8 +433,8 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
3082 + newnp->ipv6_mc_list = NULL;
3083 + newnp->ipv6_ac_list = NULL;
3084 + newnp->ipv6_fl_list = NULL;
3085 +- newnp->mcast_oif = inet6_iif(skb);
3086 +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
3087 ++ newnp->mcast_oif = inet_iif(skb);
3088 ++ newnp->mcast_hops = ip_hdr(skb)->ttl;
3089 +
3090 + /*
3091 + * No need to charge this sock to the relevant IPv6 refcnt debug socks count
3092 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
3093 +index ba8586aadffa..7b4ce3f9e2f4 100644
3094 +--- a/net/ipv6/tcp_ipv6.c
3095 ++++ b/net/ipv6/tcp_ipv6.c
3096 +@@ -1083,11 +1083,11 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
3097 + newnp->ipv6_fl_list = NULL;
3098 + newnp->pktoptions = NULL;
3099 + newnp->opt = NULL;
3100 +- newnp->mcast_oif = tcp_v6_iif(skb);
3101 +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
3102 +- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
3103 ++ newnp->mcast_oif = inet_iif(skb);
3104 ++ newnp->mcast_hops = ip_hdr(skb)->ttl;
3105 ++ newnp->rcv_flowinfo = 0;
3106 + if (np->repflow)
3107 +- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
3108 ++ newnp->flow_label = 0;
3109 +
3110 + /*
3111 + * No need to charge this sock to the relevant IPv6 refcnt debug socks count
3112 +diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
3113 +index b9ce82c9440f..e9b8b0b0ac43 100644
3114 +--- a/net/netlink/genetlink.c
3115 ++++ b/net/netlink/genetlink.c
3116 +@@ -365,7 +365,7 @@ int genl_register_family(struct genl_family *family)
3117 + start, end + 1, GFP_KERNEL);
3118 + if (family->id < 0) {
3119 + err = family->id;
3120 +- goto errout_locked;
3121 ++ goto errout_free;
3122 + }
3123 +
3124 + err = genl_validate_assign_mc_groups(family);
3125 +@@ -384,6 +384,7 @@ int genl_register_family(struct genl_family *family)
3126 +
3127 + errout_remove:
3128 + idr_remove(&genl_fam_idr, family->id);
3129 ++errout_free:
3130 + kfree(family->attrbuf);
3131 + errout_locked:
3132 + genl_unlock_all();
3133 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
3134 +index a2bd5917a2a9..e8ca6aa3a32f 100644
3135 +--- a/net/packet/af_packet.c
3136 ++++ b/net/packet/af_packet.c
3137 +@@ -3281,7 +3281,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
3138 + }
3139 +
3140 + mutex_lock(&net->packet.sklist_lock);
3141 +- sk_add_node_rcu(sk, &net->packet.sklist);
3142 ++ sk_add_node_tail_rcu(sk, &net->packet.sklist);
3143 + mutex_unlock(&net->packet.sklist_lock);
3144 +
3145 + preempt_disable();
3146 +@@ -4232,7 +4232,7 @@ static struct pgv *alloc_pg_vec(struct tpacket_req *req, int order)
3147 + struct pgv *pg_vec;
3148 + int i;
3149 +
3150 +- pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL);
3151 ++ pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN);
3152 + if (unlikely(!pg_vec))
3153 + goto out;
3154 +
3155 +diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
3156 +index 7ca57741b2fb..7849f286bb93 100644
3157 +--- a/net/rose/rose_subr.c
3158 ++++ b/net/rose/rose_subr.c
3159 +@@ -105,16 +105,17 @@ void rose_write_internal(struct sock *sk, int frametype)
3160 + struct sk_buff *skb;
3161 + unsigned char *dptr;
3162 + unsigned char lci1, lci2;
3163 +- char buffer[100];
3164 +- int len, faclen = 0;
3165 ++ int maxfaclen = 0;
3166 ++ int len, faclen;
3167 ++ int reserve;
3168 +
3169 +- len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 1;
3170 ++ reserve = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1;
3171 ++ len = ROSE_MIN_LEN;
3172 +
3173 + switch (frametype) {
3174 + case ROSE_CALL_REQUEST:
3175 + len += 1 + ROSE_ADDR_LEN + ROSE_ADDR_LEN;
3176 +- faclen = rose_create_facilities(buffer, rose);
3177 +- len += faclen;
3178 ++ maxfaclen = 256;
3179 + break;
3180 + case ROSE_CALL_ACCEPTED:
3181 + case ROSE_CLEAR_REQUEST:
3182 +@@ -123,15 +124,16 @@ void rose_write_internal(struct sock *sk, int frametype)
3183 + break;
3184 + }
3185 +
3186 +- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL)
3187 ++ skb = alloc_skb(reserve + len + maxfaclen, GFP_ATOMIC);
3188 ++ if (!skb)
3189 + return;
3190 +
3191 + /*
3192 + * Space for AX.25 header and PID.
3193 + */
3194 +- skb_reserve(skb, AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1);
3195 ++ skb_reserve(skb, reserve);
3196 +
3197 +- dptr = skb_put(skb, skb_tailroom(skb));
3198 ++ dptr = skb_put(skb, len);
3199 +
3200 + lci1 = (rose->lci >> 8) & 0x0F;
3201 + lci2 = (rose->lci >> 0) & 0xFF;
3202 +@@ -146,7 +148,8 @@ void rose_write_internal(struct sock *sk, int frametype)
3203 + dptr += ROSE_ADDR_LEN;
3204 + memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);
3205 + dptr += ROSE_ADDR_LEN;
3206 +- memcpy(dptr, buffer, faclen);
3207 ++ faclen = rose_create_facilities(dptr, rose);
3208 ++ skb_put(skb, faclen);
3209 + dptr += faclen;
3210 + break;
3211 +
3212 +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
3213 +index e36a673833ae..c22041a4fc36 100644
3214 +--- a/scripts/mod/modpost.c
3215 ++++ b/scripts/mod/modpost.c
3216 +@@ -645,7 +645,7 @@ static void handle_modversions(struct module *mod, struct elf_info *info,
3217 + info->sechdrs[sym->st_shndx].sh_offset -
3218 + (info->hdr->e_type != ET_REL ?
3219 + info->sechdrs[sym->st_shndx].sh_addr : 0);
3220 +- crc = *crcp;
3221 ++ crc = TO_NATIVE(*crcp);
3222 + }
3223 + sym_update_crc(symname + strlen(CRC_PFX), mod, crc,
3224 + export);
3225 +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
3226 +index df358e838b5b..bb0ab0f6ce9d 100644
3227 +--- a/sound/core/oss/pcm_oss.c
3228 ++++ b/sound/core/oss/pcm_oss.c
3229 +@@ -940,6 +940,28 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
3230 + oss_frame_size = snd_pcm_format_physical_width(params_format(params)) *
3231 + params_channels(params) / 8;
3232 +
3233 ++ err = snd_pcm_oss_period_size(substream, params, sparams);
3234 ++ if (err < 0)
3235 ++ goto failure;
3236 ++
3237 ++ n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
3238 ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
3239 ++ if (err < 0)
3240 ++ goto failure;
3241 ++
3242 ++ err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
3243 ++ runtime->oss.periods, NULL);
3244 ++ if (err < 0)
3245 ++ goto failure;
3246 ++
3247 ++ snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
3248 ++
3249 ++ err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams);
3250 ++ if (err < 0) {
3251 ++ pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
3252 ++ goto failure;
3253 ++ }
3254 ++
3255 + #ifdef CONFIG_SND_PCM_OSS_PLUGINS
3256 + snd_pcm_oss_plugin_clear(substream);
3257 + if (!direct) {
3258 +@@ -974,27 +996,6 @@ static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream)
3259 + }
3260 + #endif
3261 +
3262 +- err = snd_pcm_oss_period_size(substream, params, sparams);
3263 +- if (err < 0)
3264 +- goto failure;
3265 +-
3266 +- n = snd_pcm_plug_slave_size(substream, runtime->oss.period_bytes / oss_frame_size);
3267 +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, n, NULL);
3268 +- if (err < 0)
3269 +- goto failure;
3270 +-
3271 +- err = snd_pcm_hw_param_near(substream, sparams, SNDRV_PCM_HW_PARAM_PERIODS,
3272 +- runtime->oss.periods, NULL);
3273 +- if (err < 0)
3274 +- goto failure;
3275 +-
3276 +- snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL);
3277 +-
3278 +- if ((err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_HW_PARAMS, sparams)) < 0) {
3279 +- pcm_dbg(substream->pcm, "HW_PARAMS failed: %i\n", err);
3280 +- goto failure;
3281 +- }
3282 +-
3283 + if (runtime->oss.trigger) {
3284 + sw_params->start_threshold = 1;
3285 + } else {
3286 +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
3287 +index 966ac384c3f4..1a63d456a3dc 100644
3288 +--- a/sound/core/pcm_native.c
3289 ++++ b/sound/core/pcm_native.c
3290 +@@ -1395,8 +1395,15 @@ static int snd_pcm_pause(struct snd_pcm_substream *substream, int push)
3291 + static int snd_pcm_pre_suspend(struct snd_pcm_substream *substream, int state)
3292 + {
3293 + struct snd_pcm_runtime *runtime = substream->runtime;
3294 +- if (runtime->status->state == SNDRV_PCM_STATE_SUSPENDED)
3295 ++ switch (runtime->status->state) {
3296 ++ case SNDRV_PCM_STATE_SUSPENDED:
3297 + return -EBUSY;
3298 ++ /* unresumable PCM state; return -EBUSY for skipping suspend */
3299 ++ case SNDRV_PCM_STATE_OPEN:
3300 ++ case SNDRV_PCM_STATE_SETUP:
3301 ++ case SNDRV_PCM_STATE_DISCONNECTED:
3302 ++ return -EBUSY;
3303 ++ }
3304 + runtime->trigger_master = substream;
3305 + return 0;
3306 + }
3307 +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
3308 +index abacbbc0b0e8..d22472ba211e 100644
3309 +--- a/sound/core/rawmidi.c
3310 ++++ b/sound/core/rawmidi.c
3311 +@@ -29,6 +29,7 @@
3312 + #include <linux/mutex.h>
3313 + #include <linux/module.h>
3314 + #include <linux/delay.h>
3315 ++#include <linux/nospec.h>
3316 + #include <sound/rawmidi.h>
3317 + #include <sound/info.h>
3318 + #include <sound/control.h>
3319 +@@ -591,6 +592,7 @@ static int __snd_rawmidi_info_select(struct snd_card *card,
3320 + return -ENXIO;
3321 + if (info->stream < 0 || info->stream > 1)
3322 + return -EINVAL;
3323 ++ info->stream = array_index_nospec(info->stream, 2);
3324 + pstr = &rmidi->streams[info->stream];
3325 + if (pstr->substream_count == 0)
3326 + return -ENOENT;
3327 +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
3328 +index 278ebb993122..c93945917235 100644
3329 +--- a/sound/core/seq/oss/seq_oss_synth.c
3330 ++++ b/sound/core/seq/oss/seq_oss_synth.c
3331 +@@ -617,13 +617,14 @@ int
3332 + snd_seq_oss_synth_make_info(struct seq_oss_devinfo *dp, int dev, struct synth_info *inf)
3333 + {
3334 + struct seq_oss_synth *rec;
3335 ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
3336 +
3337 +- if (dev < 0 || dev >= dp->max_synthdev)
3338 ++ if (!info)
3339 + return -ENXIO;
3340 +
3341 +- if (dp->synths[dev].is_midi) {
3342 ++ if (info->is_midi) {
3343 + struct midi_info minf;
3344 +- snd_seq_oss_midi_make_info(dp, dp->synths[dev].midi_mapped, &minf);
3345 ++ snd_seq_oss_midi_make_info(dp, info->midi_mapped, &minf);
3346 + inf->synth_type = SYNTH_TYPE_MIDI;
3347 + inf->synth_subtype = 0;
3348 + inf->nr_voices = 16;
3349 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
3350 +index 972fd95f08ca..9637d0bbdeb5 100644
3351 +--- a/sound/pci/hda/patch_realtek.c
3352 ++++ b/sound/pci/hda/patch_realtek.c
3353 +@@ -5436,6 +5436,9 @@ enum {
3354 + ALC298_FIXUP_TPT470_DOCK,
3355 + ALC255_FIXUP_DUMMY_LINEOUT_VERB,
3356 + ALC255_FIXUP_DELL_HEADSET_MIC,
3357 ++ ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE,
3358 ++ ALC225_FIXUP_WYSE_AUTO_MUTE,
3359 ++ ALC225_FIXUP_WYSE_DISABLE_MIC_VREF,
3360 + };
3361 +
3362 + static const struct hda_fixup alc269_fixups[] = {
3363 +@@ -6311,6 +6314,28 @@ static const struct hda_fixup alc269_fixups[] = {
3364 + .chained = true,
3365 + .chain_id = ALC269_FIXUP_HEADSET_MIC
3366 + },
3367 ++ [ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE] = {
3368 ++ .type = HDA_FIXUP_PINS,
3369 ++ .v.pins = (const struct hda_pintbl[]) {
3370 ++ { 0x16, 0x01011020 }, /* Rear Line out */
3371 ++ { 0x19, 0x01a1913c }, /* use as Front headset mic, without its own jack detect */
3372 ++ { }
3373 ++ },
3374 ++ .chained = true,
3375 ++ .chain_id = ALC225_FIXUP_WYSE_AUTO_MUTE
3376 ++ },
3377 ++ [ALC225_FIXUP_WYSE_AUTO_MUTE] = {
3378 ++ .type = HDA_FIXUP_FUNC,
3379 ++ .v.func = alc_fixup_auto_mute_via_amp,
3380 ++ .chained = true,
3381 ++ .chain_id = ALC225_FIXUP_WYSE_DISABLE_MIC_VREF
3382 ++ },
3383 ++ [ALC225_FIXUP_WYSE_DISABLE_MIC_VREF] = {
3384 ++ .type = HDA_FIXUP_FUNC,
3385 ++ .v.func = alc_fixup_disable_mic_vref,
3386 ++ .chained = true,
3387 ++ .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC
3388 ++ },
3389 + };
3390 +
3391 + static const struct snd_pci_quirk alc269_fixup_tbl[] = {
3392 +@@ -6369,6 +6394,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
3393 + SND_PCI_QUIRK(0x1028, 0x0871, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
3394 + SND_PCI_QUIRK(0x1028, 0x0872, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
3395 + SND_PCI_QUIRK(0x1028, 0x0873, "Dell Precision 3930", ALC255_FIXUP_DUMMY_LINEOUT_VERB),
3396 ++ SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
3397 ++ SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE),
3398 + SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
3399 + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
3400 + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
3401 +diff --git a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
3402 +index f3db68abbd9a..0bc3e6e93c31 100644
3403 +--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
3404 ++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
3405 +@@ -251,19 +251,15 @@ struct intel_pt_decoder *intel_pt_decoder_new(struct intel_pt_params *params)
3406 + if (!(decoder->tsc_ctc_ratio_n % decoder->tsc_ctc_ratio_d))
3407 + decoder->tsc_ctc_mult = decoder->tsc_ctc_ratio_n /
3408 + decoder->tsc_ctc_ratio_d;
3409 +-
3410 +- /*
3411 +- * Allow for timestamps appearing to backwards because a TSC
3412 +- * packet has slipped past a MTC packet, so allow 2 MTC ticks
3413 +- * or ...
3414 +- */
3415 +- decoder->tsc_slip = multdiv(2 << decoder->mtc_shift,
3416 +- decoder->tsc_ctc_ratio_n,
3417 +- decoder->tsc_ctc_ratio_d);
3418 + }
3419 +- /* ... or 0x100 paranoia */
3420 +- if (decoder->tsc_slip < 0x100)
3421 +- decoder->tsc_slip = 0x100;
3422 ++
3423 ++ /*
3424 ++ * A TSC packet can slip past MTC packets so that the timestamp appears
3425 ++ * to go backwards. One estimate is that can be up to about 40 CPU
3426 ++ * cycles, which is certainly less than 0x1000 TSC ticks, but accept
3427 ++ * slippage an order of magnitude more to be on the safe side.
3428 ++ */
3429 ++ decoder->tsc_slip = 0x10000;
3430 +
3431 + intel_pt_log("timestamp: mtc_shift %u\n", decoder->mtc_shift);
3432 + intel_pt_log("timestamp: tsc_ctc_ratio_n %u\n", decoder->tsc_ctc_ratio_n);
3433 +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
3434 +index 66cc315efa6d..a373c60ef1c0 100644
3435 +--- a/virt/kvm/kvm_main.c
3436 ++++ b/virt/kvm/kvm_main.c
3437 +@@ -2812,6 +2812,9 @@ static long kvm_device_ioctl(struct file *filp, unsigned int ioctl,
3438 + {
3439 + struct kvm_device *dev = filp->private_data;
3440 +
3441 ++ if (dev->kvm->mm != current->mm)
3442 ++ return -EIO;
3443 ++
3444 + switch (ioctl) {
3445 + case KVM_SET_DEVICE_ATTR:
3446 + return kvm_device_ioctl_attr(dev, dev->ops->set_attr, arg);
Report Message
Find on MARC Find on Google Groups