Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.20 commit in: /
Date: Wed, 09 Jan 2019 17:56:58
Message-Id: 1547056578.5f91fe4492f9fdf817b7cff0b16433615057a289.mpagano@gentoo
1 commit: 5f91fe4492f9fdf817b7cff0b16433615057a289
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Jan 9 17:56:18 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Jan 9 17:56:18 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=5f91fe44
7
8 proj/linux-patches: Linux patch 4.20.1
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1001_linux-4.20.1.patch | 6477 +++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 6481 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index f19e624..543d775 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -43,6 +43,10 @@ EXPERIMENTAL
21 Individual Patch Descriptions:
22 --------------------------------------------------------------------------
23
24 +Patch: 1000_linux-4.20.1.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.20.1
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1001_linux-4.20.1.patch b/1001_linux-4.20.1.patch
33 new file mode 100644
34 index 0000000..03f7422
35 --- /dev/null
36 +++ b/1001_linux-4.20.1.patch
37 @@ -0,0 +1,6477 @@
38 +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
39 +index aefd358a5ca3..bb5c9dc4d270 100644
40 +--- a/Documentation/admin-guide/kernel-parameters.txt
41 ++++ b/Documentation/admin-guide/kernel-parameters.txt
42 +@@ -2096,6 +2096,9 @@
43 + off
44 + Disables hypervisor mitigations and doesn't
45 + emit any warnings.
46 ++ It also drops the swap size and available
47 ++ RAM limit restriction on both hypervisor and
48 ++ bare metal.
49 +
50 + Default is 'flush'.
51 +
52 +diff --git a/Documentation/admin-guide/l1tf.rst b/Documentation/admin-guide/l1tf.rst
53 +index b85dd80510b0..9af977384168 100644
54 +--- a/Documentation/admin-guide/l1tf.rst
55 ++++ b/Documentation/admin-guide/l1tf.rst
56 +@@ -405,6 +405,9 @@ time with the option "l1tf=". The valid arguments for this option are:
57 +
58 + off Disables hypervisor mitigations and doesn't emit any
59 + warnings.
60 ++ It also drops the swap size and available RAM limit restrictions
61 ++ on both hypervisor and bare metal.
62 ++
63 + ============ =============================================================
64 +
65 + The default is 'flush'. For details about L1D flushing see :ref:`l1d_flush`.
66 +@@ -576,7 +579,8 @@ Default mitigations
67 + The kernel default mitigations for vulnerable processors are:
68 +
69 + - PTE inversion to protect against malicious user space. This is done
70 +- unconditionally and cannot be controlled.
71 ++ unconditionally and cannot be controlled. The swap storage is limited
72 ++ to ~16TB.
73 +
74 + - L1D conditional flushing on VMENTER when EPT is enabled for
75 + a guest.
76 +diff --git a/Makefile b/Makefile
77 +index 7a2a9a175756..84d2f8deea30 100644
78 +--- a/Makefile
79 ++++ b/Makefile
80 +@@ -1,7 +1,7 @@
81 + # SPDX-License-Identifier: GPL-2.0
82 + VERSION = 4
83 + PATCHLEVEL = 20
84 +-SUBLEVEL = 0
85 ++SUBLEVEL = 1
86 + EXTRAVERSION =
87 + NAME = Shy Crocodile
88 +
89 +diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig
90 +index 6dd783557330..dadb494d83fd 100644
91 +--- a/arch/arc/Kconfig
92 ++++ b/arch/arc/Kconfig
93 +@@ -26,6 +26,7 @@ config ARC
94 + select GENERIC_IRQ_SHOW
95 + select GENERIC_PCI_IOMAP
96 + select GENERIC_PENDING_IRQ if SMP
97 ++ select GENERIC_SCHED_CLOCK
98 + select GENERIC_SMP_IDLE_THREAD
99 + select HAVE_ARCH_KGDB
100 + select HAVE_ARCH_TRACEHOOK
101 +diff --git a/arch/arm/boot/dts/exynos5422-odroidxu3-audio.dtsi b/arch/arm/boot/dts/exynos5422-odroidxu3-audio.dtsi
102 +index 03611d50c5a9..e84544b220b9 100644
103 +--- a/arch/arm/boot/dts/exynos5422-odroidxu3-audio.dtsi
104 ++++ b/arch/arm/boot/dts/exynos5422-odroidxu3-audio.dtsi
105 +@@ -26,8 +26,7 @@
106 + "Speakers", "SPKL",
107 + "Speakers", "SPKR";
108 +
109 +- assigned-clocks = <&i2s0 CLK_I2S_RCLK_SRC>,
110 +- <&clock CLK_MOUT_EPLL>,
111 ++ assigned-clocks = <&clock CLK_MOUT_EPLL>,
112 + <&clock CLK_MOUT_MAU_EPLL>,
113 + <&clock CLK_MOUT_USER_MAU_EPLL>,
114 + <&clock_audss EXYNOS_MOUT_AUDSS>,
115 +@@ -36,15 +35,13 @@
116 + <&clock_audss EXYNOS_DOUT_AUD_BUS>,
117 + <&clock_audss EXYNOS_DOUT_I2S>;
118 +
119 +- assigned-clock-parents = <&clock_audss EXYNOS_SCLK_I2S>,
120 +- <&clock CLK_FOUT_EPLL>,
121 ++ assigned-clock-parents = <&clock CLK_FOUT_EPLL>,
122 + <&clock CLK_MOUT_EPLL>,
123 + <&clock CLK_MOUT_MAU_EPLL>,
124 + <&clock CLK_MAU_EPLL>,
125 + <&clock_audss EXYNOS_MOUT_AUDSS>;
126 +
127 + assigned-clock-rates = <0>,
128 +- <0>,
129 + <0>,
130 + <0>,
131 + <0>,
132 +@@ -84,4 +81,6 @@
133 +
134 + &i2s0 {
135 + status = "okay";
136 ++ assigned-clocks = <&i2s0 CLK_I2S_RCLK_SRC>;
137 ++ assigned-clock-parents = <&clock_audss EXYNOS_SCLK_I2S>;
138 + };
139 +diff --git a/arch/arm/boot/dts/exynos5422-odroidxu4.dts b/arch/arm/boot/dts/exynos5422-odroidxu4.dts
140 +index 4a30cc849b00..122174ea9e0a 100644
141 +--- a/arch/arm/boot/dts/exynos5422-odroidxu4.dts
142 ++++ b/arch/arm/boot/dts/exynos5422-odroidxu4.dts
143 +@@ -33,8 +33,7 @@
144 + compatible = "samsung,odroid-xu3-audio";
145 + model = "Odroid-XU4";
146 +
147 +- assigned-clocks = <&i2s0 CLK_I2S_RCLK_SRC>,
148 +- <&clock CLK_MOUT_EPLL>,
149 ++ assigned-clocks = <&clock CLK_MOUT_EPLL>,
150 + <&clock CLK_MOUT_MAU_EPLL>,
151 + <&clock CLK_MOUT_USER_MAU_EPLL>,
152 + <&clock_audss EXYNOS_MOUT_AUDSS>,
153 +@@ -43,15 +42,13 @@
154 + <&clock_audss EXYNOS_DOUT_AUD_BUS>,
155 + <&clock_audss EXYNOS_DOUT_I2S>;
156 +
157 +- assigned-clock-parents = <&clock_audss EXYNOS_SCLK_I2S>,
158 +- <&clock CLK_FOUT_EPLL>,
159 ++ assigned-clock-parents = <&clock CLK_FOUT_EPLL>,
160 + <&clock CLK_MOUT_EPLL>,
161 + <&clock CLK_MOUT_MAU_EPLL>,
162 + <&clock CLK_MAU_EPLL>,
163 + <&clock_audss EXYNOS_MOUT_AUDSS>;
164 +
165 + assigned-clock-rates = <0>,
166 +- <0>,
167 + <0>,
168 + <0>,
169 + <0>,
170 +@@ -79,6 +76,8 @@
171 +
172 + &i2s0 {
173 + status = "okay";
174 ++ assigned-clocks = <&i2s0 CLK_I2S_RCLK_SRC>;
175 ++ assigned-clock-parents = <&clock_audss EXYNOS_SCLK_I2S>;
176 + };
177 +
178 + &pwm {
179 +diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
180 +index 6f602af5263c..2dafd936d84d 100644
181 +--- a/arch/arm64/include/asm/kvm_arm.h
182 ++++ b/arch/arm64/include/asm/kvm_arm.h
183 +@@ -104,7 +104,7 @@
184 + TCR_EL2_ORGN0_MASK | TCR_EL2_IRGN0_MASK | TCR_EL2_T0SZ_MASK)
185 +
186 + /* VTCR_EL2 Registers bits */
187 +-#define VTCR_EL2_RES1 (1 << 31)
188 ++#define VTCR_EL2_RES1 (1U << 31)
189 + #define VTCR_EL2_HD (1 << 22)
190 + #define VTCR_EL2_HA (1 << 21)
191 + #define VTCR_EL2_PS_SHIFT TCR_EL2_PS_SHIFT
192 +diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h
193 +index b13ca091f833..85d5c1026204 100644
194 +--- a/arch/arm64/include/asm/unistd.h
195 ++++ b/arch/arm64/include/asm/unistd.h
196 +@@ -40,8 +40,9 @@
197 + * The following SVCs are ARM private.
198 + */
199 + #define __ARM_NR_COMPAT_BASE 0x0f0000
200 +-#define __ARM_NR_compat_cacheflush (__ARM_NR_COMPAT_BASE+2)
201 +-#define __ARM_NR_compat_set_tls (__ARM_NR_COMPAT_BASE+5)
202 ++#define __ARM_NR_compat_cacheflush (__ARM_NR_COMPAT_BASE + 2)
203 ++#define __ARM_NR_compat_set_tls (__ARM_NR_COMPAT_BASE + 5)
204 ++#define __ARM_NR_COMPAT_END (__ARM_NR_COMPAT_BASE + 0x800)
205 +
206 + #define __NR_compat_syscalls 399
207 + #endif
208 +diff --git a/arch/arm64/kernel/sys_compat.c b/arch/arm64/kernel/sys_compat.c
209 +index 32653d156747..bc348ab3dd6b 100644
210 +--- a/arch/arm64/kernel/sys_compat.c
211 ++++ b/arch/arm64/kernel/sys_compat.c
212 +@@ -66,12 +66,11 @@ do_compat_cache_op(unsigned long start, unsigned long end, int flags)
213 + /*
214 + * Handle all unrecognised system calls.
215 + */
216 +-long compat_arm_syscall(struct pt_regs *regs)
217 ++long compat_arm_syscall(struct pt_regs *regs, int scno)
218 + {
219 +- unsigned int no = regs->regs[7];
220 + void __user *addr;
221 +
222 +- switch (no) {
223 ++ switch (scno) {
224 + /*
225 + * Flush a region from virtual address 'r0' to virtual address 'r1'
226 + * _exclusive_. There is no alignment requirement on either address;
227 +@@ -102,12 +101,12 @@ long compat_arm_syscall(struct pt_regs *regs)
228 +
229 + default:
230 + /*
231 +- * Calls 9f00xx..9f07ff are defined to return -ENOSYS
232 ++ * Calls 0xf0xxx..0xf07ff are defined to return -ENOSYS
233 + * if not implemented, rather than raising SIGILL. This
234 + * way the calling program can gracefully determine whether
235 + * a feature is supported.
236 + */
237 +- if ((no & 0xffff) <= 0x7ff)
238 ++ if (scno < __ARM_NR_COMPAT_END)
239 + return -ENOSYS;
240 + break;
241 + }
242 +@@ -116,6 +115,6 @@ long compat_arm_syscall(struct pt_regs *regs)
243 + (compat_thumb_mode(regs) ? 2 : 4);
244 +
245 + arm64_notify_die("Oops - bad compat syscall(2)", regs,
246 +- SIGILL, ILL_ILLTRP, addr, no);
247 ++ SIGILL, ILL_ILLTRP, addr, scno);
248 + return 0;
249 + }
250 +diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c
251 +index 032d22312881..5610ac01c1ec 100644
252 +--- a/arch/arm64/kernel/syscall.c
253 ++++ b/arch/arm64/kernel/syscall.c
254 +@@ -13,16 +13,15 @@
255 + #include <asm/thread_info.h>
256 + #include <asm/unistd.h>
257 +
258 +-long compat_arm_syscall(struct pt_regs *regs);
259 +-
260 ++long compat_arm_syscall(struct pt_regs *regs, int scno);
261 + long sys_ni_syscall(void);
262 +
263 +-asmlinkage long do_ni_syscall(struct pt_regs *regs)
264 ++static long do_ni_syscall(struct pt_regs *regs, int scno)
265 + {
266 + #ifdef CONFIG_COMPAT
267 + long ret;
268 + if (is_compat_task()) {
269 +- ret = compat_arm_syscall(regs);
270 ++ ret = compat_arm_syscall(regs, scno);
271 + if (ret != -ENOSYS)
272 + return ret;
273 + }
274 +@@ -47,7 +46,7 @@ static void invoke_syscall(struct pt_regs *regs, unsigned int scno,
275 + syscall_fn = syscall_table[array_index_nospec(scno, sc_nr)];
276 + ret = __invoke_syscall(regs, syscall_fn);
277 + } else {
278 +- ret = do_ni_syscall(regs);
279 ++ ret = do_ni_syscall(regs, scno);
280 + }
281 +
282 + regs->regs[0] = ret;
283 +diff --git a/arch/arm64/kvm/hyp/tlb.c b/arch/arm64/kvm/hyp/tlb.c
284 +index 4dbd9c69a96d..7fcc9c1a5f45 100644
285 +--- a/arch/arm64/kvm/hyp/tlb.c
286 ++++ b/arch/arm64/kvm/hyp/tlb.c
287 +@@ -15,14 +15,19 @@
288 + * along with this program. If not, see <http://www.gnu.org/licenses/>.
289 + */
290 +
291 ++#include <linux/irqflags.h>
292 ++
293 + #include <asm/kvm_hyp.h>
294 + #include <asm/kvm_mmu.h>
295 + #include <asm/tlbflush.h>
296 +
297 +-static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm *kvm)
298 ++static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm *kvm,
299 ++ unsigned long *flags)
300 + {
301 + u64 val;
302 +
303 ++ local_irq_save(*flags);
304 ++
305 + /*
306 + * With VHE enabled, we have HCR_EL2.{E2H,TGE} = {1,1}, and
307 + * most TLB operations target EL2/EL0. In order to affect the
308 +@@ -37,7 +42,8 @@ static void __hyp_text __tlb_switch_to_guest_vhe(struct kvm *kvm)
309 + isb();
310 + }
311 +
312 +-static void __hyp_text __tlb_switch_to_guest_nvhe(struct kvm *kvm)
313 ++static void __hyp_text __tlb_switch_to_guest_nvhe(struct kvm *kvm,
314 ++ unsigned long *flags)
315 + {
316 + __load_guest_stage2(kvm);
317 + isb();
318 +@@ -48,7 +54,8 @@ static hyp_alternate_select(__tlb_switch_to_guest,
319 + __tlb_switch_to_guest_vhe,
320 + ARM64_HAS_VIRT_HOST_EXTN);
321 +
322 +-static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm)
323 ++static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm,
324 ++ unsigned long flags)
325 + {
326 + /*
327 + * We're done with the TLB operation, let's restore the host's
328 +@@ -56,9 +63,12 @@ static void __hyp_text __tlb_switch_to_host_vhe(struct kvm *kvm)
329 + */
330 + write_sysreg(0, vttbr_el2);
331 + write_sysreg(HCR_HOST_VHE_FLAGS, hcr_el2);
332 ++ isb();
333 ++ local_irq_restore(flags);
334 + }
335 +
336 +-static void __hyp_text __tlb_switch_to_host_nvhe(struct kvm *kvm)
337 ++static void __hyp_text __tlb_switch_to_host_nvhe(struct kvm *kvm,
338 ++ unsigned long flags)
339 + {
340 + write_sysreg(0, vttbr_el2);
341 + }
342 +@@ -70,11 +80,13 @@ static hyp_alternate_select(__tlb_switch_to_host,
343 +
344 + void __hyp_text __kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa)
345 + {
346 ++ unsigned long flags;
347 ++
348 + dsb(ishst);
349 +
350 + /* Switch to requested VMID */
351 + kvm = kern_hyp_va(kvm);
352 +- __tlb_switch_to_guest()(kvm);
353 ++ __tlb_switch_to_guest()(kvm, &flags);
354 +
355 + /*
356 + * We could do so much better if we had the VA as well.
357 +@@ -117,36 +129,39 @@ void __hyp_text __kvm_tlb_flush_vmid_ipa(struct kvm *kvm, phys_addr_t ipa)
358 + if (!has_vhe() && icache_is_vpipt())
359 + __flush_icache_all();
360 +
361 +- __tlb_switch_to_host()(kvm);
362 ++ __tlb_switch_to_host()(kvm, flags);
363 + }
364 +
365 + void __hyp_text __kvm_tlb_flush_vmid(struct kvm *kvm)
366 + {
367 ++ unsigned long flags;
368 ++
369 + dsb(ishst);
370 +
371 + /* Switch to requested VMID */
372 + kvm = kern_hyp_va(kvm);
373 +- __tlb_switch_to_guest()(kvm);
374 ++ __tlb_switch_to_guest()(kvm, &flags);
375 +
376 + __tlbi(vmalls12e1is);
377 + dsb(ish);
378 + isb();
379 +
380 +- __tlb_switch_to_host()(kvm);
381 ++ __tlb_switch_to_host()(kvm, flags);
382 + }
383 +
384 + void __hyp_text __kvm_tlb_flush_local_vmid(struct kvm_vcpu *vcpu)
385 + {
386 + struct kvm *kvm = kern_hyp_va(kern_hyp_va(vcpu)->kvm);
387 ++ unsigned long flags;
388 +
389 + /* Switch to requested VMID */
390 +- __tlb_switch_to_guest()(kvm);
391 ++ __tlb_switch_to_guest()(kvm, &flags);
392 +
393 + __tlbi(vmalle1);
394 + dsb(nsh);
395 + isb();
396 +
397 +- __tlb_switch_to_host()(kvm);
398 ++ __tlb_switch_to_host()(kvm, flags);
399 + }
400 +
401 + void __hyp_text __kvm_flush_vm_context(void)
402 +diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
403 +index 37fe58c19a90..542c3ede9722 100644
404 +--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
405 ++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
406 +@@ -13,6 +13,7 @@
407 + #include <stdint.h>
408 + #include <stdio.h>
409 + #include <stdlib.h>
410 ++#include "../../../../include/linux/sizes.h"
411 +
412 + int main(int argc, char *argv[])
413 + {
414 +@@ -45,11 +46,11 @@ int main(int argc, char *argv[])
415 + vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size;
416 +
417 + /*
418 +- * Align with 16 bytes: "greater than that used for any standard data
419 +- * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition).
420 ++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE,
421 ++ * which may be as large as 64KB depending on the kernel configuration.
422 + */
423 +
424 +- vmlinuz_load_addr += (16 - vmlinux_size % 16);
425 ++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);
426 +
427 + printf("0x%llx\n", vmlinuz_load_addr);
428 +
429 +diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper.c b/arch/mips/cavium-octeon/executive/cvmx-helper.c
430 +index 6c79e8a16a26..3ddbb98dff84 100644
431 +--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
432 ++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
433 +@@ -286,7 +286,8 @@ static cvmx_helper_interface_mode_t __cvmx_get_mode_cn7xxx(int interface)
434 + case 3:
435 + return CVMX_HELPER_INTERFACE_MODE_LOOP;
436 + case 4:
437 +- return CVMX_HELPER_INTERFACE_MODE_RGMII;
438 ++ /* TODO: Implement support for AGL (RGMII). */
439 ++ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
440 + default:
441 + return CVMX_HELPER_INTERFACE_MODE_DISABLED;
442 + }
443 +diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
444 +index d4ea7a5b60cf..9e805317847d 100644
445 +--- a/arch/mips/include/asm/atomic.h
446 ++++ b/arch/mips/include/asm/atomic.h
447 +@@ -306,7 +306,7 @@ static __inline__ long atomic64_fetch_##op##_relaxed(long i, atomic64_t * v) \
448 + { \
449 + long result; \
450 + \
451 +- if (kernel_uses_llsc && R10000_LLSC_WAR) { \
452 ++ if (kernel_uses_llsc) { \
453 + long temp; \
454 + \
455 + __asm__ __volatile__( \
456 +diff --git a/arch/mips/include/asm/cpu-info.h b/arch/mips/include/asm/cpu-info.h
457 +index a41059d47d31..ed7ffe4e63a3 100644
458 +--- a/arch/mips/include/asm/cpu-info.h
459 ++++ b/arch/mips/include/asm/cpu-info.h
460 +@@ -50,7 +50,7 @@ struct guest_info {
461 + #define MIPS_CACHE_PINDEX 0x00000020 /* Physically indexed cache */
462 +
463 + struct cpuinfo_mips {
464 +- unsigned long asid_cache;
465 ++ u64 asid_cache;
466 + #ifdef CONFIG_MIPS_ASID_BITS_VARIABLE
467 + unsigned long asid_mask;
468 + #endif
469 +diff --git a/arch/mips/include/asm/mach-loongson64/mmzone.h b/arch/mips/include/asm/mach-loongson64/mmzone.h
470 +index c9f7e231e66b..59c8b11c090e 100644
471 +--- a/arch/mips/include/asm/mach-loongson64/mmzone.h
472 ++++ b/arch/mips/include/asm/mach-loongson64/mmzone.h
473 +@@ -21,6 +21,7 @@
474 + #define NODE3_ADDRSPACE_OFFSET 0x300000000000UL
475 +
476 + #define pa_to_nid(addr) (((addr) & 0xf00000000000) >> NODE_ADDRSPACE_SHIFT)
477 ++#define nid_to_addrbase(nid) ((nid) << NODE_ADDRSPACE_SHIFT)
478 +
479 + #define LEVELS_PER_SLICE 128
480 +
481 +diff --git a/arch/mips/include/asm/mmu.h b/arch/mips/include/asm/mmu.h
482 +index 0740be7d5d4a..24d6b42345fb 100644
483 +--- a/arch/mips/include/asm/mmu.h
484 ++++ b/arch/mips/include/asm/mmu.h
485 +@@ -7,7 +7,7 @@
486 + #include <linux/wait.h>
487 +
488 + typedef struct {
489 +- unsigned long asid[NR_CPUS];
490 ++ u64 asid[NR_CPUS];
491 + void *vdso;
492 + atomic_t fp_mode_switching;
493 +
494 +diff --git a/arch/mips/include/asm/mmu_context.h b/arch/mips/include/asm/mmu_context.h
495 +index 94414561de0e..a589585be21b 100644
496 +--- a/arch/mips/include/asm/mmu_context.h
497 ++++ b/arch/mips/include/asm/mmu_context.h
498 +@@ -76,14 +76,14 @@ extern unsigned long pgd_current[];
499 + * All unused by hardware upper bits will be considered
500 + * as a software asid extension.
501 + */
502 +-static unsigned long asid_version_mask(unsigned int cpu)
503 ++static inline u64 asid_version_mask(unsigned int cpu)
504 + {
505 + unsigned long asid_mask = cpu_asid_mask(&cpu_data[cpu]);
506 +
507 +- return ~(asid_mask | (asid_mask - 1));
508 ++ return ~(u64)(asid_mask | (asid_mask - 1));
509 + }
510 +
511 +-static unsigned long asid_first_version(unsigned int cpu)
512 ++static inline u64 asid_first_version(unsigned int cpu)
513 + {
514 + return ~asid_version_mask(cpu) + 1;
515 + }
516 +@@ -102,14 +102,12 @@ static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
517 + static inline void
518 + get_new_mmu_context(struct mm_struct *mm, unsigned long cpu)
519 + {
520 +- unsigned long asid = asid_cache(cpu);
521 ++ u64 asid = asid_cache(cpu);
522 +
523 + if (!((asid += cpu_asid_inc()) & cpu_asid_mask(&cpu_data[cpu]))) {
524 + if (cpu_has_vtag_icache)
525 + flush_icache_all();
526 + local_flush_tlb_all(); /* start new asid cycle */
527 +- if (!asid) /* fix version if needed */
528 +- asid = asid_first_version(cpu);
529 + }
530 +
531 + cpu_context(cpu, mm) = asid_cache(cpu) = asid;
532 +diff --git a/arch/mips/include/asm/mmzone.h b/arch/mips/include/asm/mmzone.h
533 +index f085fba41da5..b826b8473e95 100644
534 +--- a/arch/mips/include/asm/mmzone.h
535 ++++ b/arch/mips/include/asm/mmzone.h
536 +@@ -7,7 +7,18 @@
537 + #define _ASM_MMZONE_H_
538 +
539 + #include <asm/page.h>
540 +-#include <mmzone.h>
541 ++
542 ++#ifdef CONFIG_NEED_MULTIPLE_NODES
543 ++# include <mmzone.h>
544 ++#endif
545 ++
546 ++#ifndef pa_to_nid
547 ++#define pa_to_nid(addr) 0
548 ++#endif
549 ++
550 ++#ifndef nid_to_addrbase
551 ++#define nid_to_addrbase(nid) 0
552 ++#endif
553 +
554 + #ifdef CONFIG_DISCONTIGMEM
555 +
556 +diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h
557 +index 0036ea0c7173..93a9dce31f25 100644
558 +--- a/arch/mips/include/asm/pgtable-64.h
559 ++++ b/arch/mips/include/asm/pgtable-64.h
560 +@@ -265,6 +265,11 @@ static inline int pmd_bad(pmd_t pmd)
561 +
562 + static inline int pmd_present(pmd_t pmd)
563 + {
564 ++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
565 ++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE))
566 ++ return pmd_val(pmd) & _PAGE_PRESENT;
567 ++#endif
568 ++
569 + return pmd_val(pmd) != (unsigned long) invalid_pte_table;
570 + }
571 +
572 +diff --git a/arch/mips/include/asm/r4kcache.h b/arch/mips/include/asm/r4kcache.h
573 +index d19b2d65336b..7f4a32d3345a 100644
574 +--- a/arch/mips/include/asm/r4kcache.h
575 ++++ b/arch/mips/include/asm/r4kcache.h
576 +@@ -20,6 +20,7 @@
577 + #include <asm/cpu-features.h>
578 + #include <asm/cpu-type.h>
579 + #include <asm/mipsmtregs.h>
580 ++#include <asm/mmzone.h>
581 + #include <linux/uaccess.h> /* for uaccess_kernel() */
582 +
583 + extern void (*r4k_blast_dcache)(void);
584 +@@ -674,4 +675,25 @@ __BUILD_BLAST_CACHE_RANGE(s, scache, Hit_Writeback_Inv_SD, , )
585 + __BUILD_BLAST_CACHE_RANGE(inv_d, dcache, Hit_Invalidate_D, , )
586 + __BUILD_BLAST_CACHE_RANGE(inv_s, scache, Hit_Invalidate_SD, , )
587 +
588 ++/* Currently, this is very specific to Loongson-3 */
589 ++#define __BUILD_BLAST_CACHE_NODE(pfx, desc, indexop, hitop, lsize) \
590 ++static inline void blast_##pfx##cache##lsize##_node(long node) \
591 ++{ \
592 ++ unsigned long start = CAC_BASE | nid_to_addrbase(node); \
593 ++ unsigned long end = start + current_cpu_data.desc.waysize; \
594 ++ unsigned long ws_inc = 1UL << current_cpu_data.desc.waybit; \
595 ++ unsigned long ws_end = current_cpu_data.desc.ways << \
596 ++ current_cpu_data.desc.waybit; \
597 ++ unsigned long ws, addr; \
598 ++ \
599 ++ for (ws = 0; ws < ws_end; ws += ws_inc) \
600 ++ for (addr = start; addr < end; addr += lsize * 32) \
601 ++ cache##lsize##_unroll32(addr|ws, indexop); \
602 ++}
603 ++
604 ++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 16)
605 ++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 32)
606 ++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 64)
607 ++__BUILD_BLAST_CACHE_NODE(s, scache, Index_Writeback_Inv_SD, Hit_Writeback_Inv_SD, 128)
608 ++
609 + #endif /* _ASM_R4KCACHE_H */
610 +diff --git a/arch/mips/kernel/vdso.c b/arch/mips/kernel/vdso.c
611 +index 48a9c6b90e07..9df3ebdc7b0f 100644
612 +--- a/arch/mips/kernel/vdso.c
613 ++++ b/arch/mips/kernel/vdso.c
614 +@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
615 +
616 + /* Map delay slot emulation page */
617 + base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
618 +- VM_READ|VM_WRITE|VM_EXEC|
619 +- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
620 ++ VM_READ | VM_EXEC |
621 ++ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
622 + 0, NULL);
623 + if (IS_ERR_VALUE(base)) {
624 + ret = base;
625 +diff --git a/arch/mips/math-emu/dsemul.c b/arch/mips/math-emu/dsemul.c
626 +index 5450f4d1c920..e2d46cb93ca9 100644
627 +--- a/arch/mips/math-emu/dsemul.c
628 ++++ b/arch/mips/math-emu/dsemul.c
629 +@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
630 + {
631 + int isa16 = get_isa16_mode(regs->cp0_epc);
632 + mips_instruction break_math;
633 +- struct emuframe __user *fr;
634 +- int err, fr_idx;
635 ++ unsigned long fr_uaddr;
636 ++ struct emuframe fr;
637 ++ int fr_idx, ret;
638 +
639 + /* NOP is easy */
640 + if (ir == 0)
641 +@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
642 + fr_idx = alloc_emuframe();
643 + if (fr_idx == BD_EMUFRAME_NONE)
644 + return SIGBUS;
645 +- fr = &dsemul_page()[fr_idx];
646 +
647 + /* Retrieve the appropriately encoded break instruction */
648 + break_math = BREAK_MATH(isa16);
649 +
650 + /* Write the instructions to the frame */
651 + if (isa16) {
652 +- err = __put_user(ir >> 16,
653 +- (u16 __user *)(&fr->emul));
654 +- err |= __put_user(ir & 0xffff,
655 +- (u16 __user *)((long)(&fr->emul) + 2));
656 +- err |= __put_user(break_math >> 16,
657 +- (u16 __user *)(&fr->badinst));
658 +- err |= __put_user(break_math & 0xffff,
659 +- (u16 __user *)((long)(&fr->badinst) + 2));
660 ++ union mips_instruction _emul = {
661 ++ .halfword = { ir >> 16, ir }
662 ++ };
663 ++ union mips_instruction _badinst = {
664 ++ .halfword = { break_math >> 16, break_math }
665 ++ };
666 ++
667 ++ fr.emul = _emul.word;
668 ++ fr.badinst = _badinst.word;
669 + } else {
670 +- err = __put_user(ir, &fr->emul);
671 +- err |= __put_user(break_math, &fr->badinst);
672 ++ fr.emul = ir;
673 ++ fr.badinst = break_math;
674 + }
675 +
676 +- if (unlikely(err)) {
677 ++ /* Write the frame to user memory */
678 ++ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
679 ++ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
680 ++ FOLL_FORCE | FOLL_WRITE);
681 ++ if (unlikely(ret != sizeof(fr))) {
682 + MIPS_FPU_EMU_INC_STATS(errors);
683 + free_emuframe(fr_idx, current->mm);
684 + return SIGBUS;
685 +@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
686 + atomic_set(&current->thread.bd_emu_frame, fr_idx);
687 +
688 + /* Change user register context to execute the frame */
689 +- regs->cp0_epc = (unsigned long)&fr->emul | isa16;
690 +-
691 +- /* Ensure the icache observes our newly written frame */
692 +- flush_cache_sigtramp((unsigned long)&fr->emul);
693 ++ regs->cp0_epc = fr_uaddr | isa16;
694 +
695 + return 0;
696 + }
697 +diff --git a/arch/mips/mm/c-r3k.c b/arch/mips/mm/c-r3k.c
698 +index 3466fcdae0ca..01848cdf2074 100644
699 +--- a/arch/mips/mm/c-r3k.c
700 ++++ b/arch/mips/mm/c-r3k.c
701 +@@ -245,7 +245,7 @@ static void r3k_flush_cache_page(struct vm_area_struct *vma,
702 + pmd_t *pmdp;
703 + pte_t *ptep;
704 +
705 +- pr_debug("cpage[%08lx,%08lx]\n",
706 ++ pr_debug("cpage[%08llx,%08lx]\n",
707 + cpu_context(smp_processor_id(), mm), addr);
708 +
709 + /* No ASID => no such page in the cache. */
710 +diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
711 +index 05bd77727fb9..2a6ad461286f 100644
712 +--- a/arch/mips/mm/c-r4k.c
713 ++++ b/arch/mips/mm/c-r4k.c
714 +@@ -459,11 +459,28 @@ static void r4k_blast_scache_setup(void)
715 + r4k_blast_scache = blast_scache128;
716 + }
717 +
718 ++static void (*r4k_blast_scache_node)(long node);
719 ++
720 ++static void r4k_blast_scache_node_setup(void)
721 ++{
722 ++ unsigned long sc_lsize = cpu_scache_line_size();
723 ++
724 ++ if (current_cpu_type() != CPU_LOONGSON3)
725 ++ r4k_blast_scache_node = (void *)cache_noop;
726 ++ else if (sc_lsize == 16)
727 ++ r4k_blast_scache_node = blast_scache16_node;
728 ++ else if (sc_lsize == 32)
729 ++ r4k_blast_scache_node = blast_scache32_node;
730 ++ else if (sc_lsize == 64)
731 ++ r4k_blast_scache_node = blast_scache64_node;
732 ++ else if (sc_lsize == 128)
733 ++ r4k_blast_scache_node = blast_scache128_node;
734 ++}
735 ++
736 + static inline void local_r4k___flush_cache_all(void * args)
737 + {
738 + switch (current_cpu_type()) {
739 + case CPU_LOONGSON2:
740 +- case CPU_LOONGSON3:
741 + case CPU_R4000SC:
742 + case CPU_R4000MC:
743 + case CPU_R4400SC:
744 +@@ -480,6 +497,11 @@ static inline void local_r4k___flush_cache_all(void * args)
745 + r4k_blast_scache();
746 + break;
747 +
748 ++ case CPU_LOONGSON3:
749 ++ /* Use get_ebase_cpunum() for both NUMA=y/n */
750 ++ r4k_blast_scache_node(get_ebase_cpunum() >> 2);
751 ++ break;
752 ++
753 + case CPU_BMIPS5000:
754 + r4k_blast_scache();
755 + __sync();
756 +@@ -840,10 +862,14 @@ static void r4k_dma_cache_wback_inv(unsigned long addr, unsigned long size)
757 +
758 + preempt_disable();
759 + if (cpu_has_inclusive_pcaches) {
760 +- if (size >= scache_size)
761 +- r4k_blast_scache();
762 +- else
763 ++ if (size >= scache_size) {
764 ++ if (current_cpu_type() != CPU_LOONGSON3)
765 ++ r4k_blast_scache();
766 ++ else
767 ++ r4k_blast_scache_node(pa_to_nid(addr));
768 ++ } else {
769 + blast_scache_range(addr, addr + size);
770 ++ }
771 + preempt_enable();
772 + __sync();
773 + return;
774 +@@ -877,9 +903,12 @@ static void r4k_dma_cache_inv(unsigned long addr, unsigned long size)
775 +
776 + preempt_disable();
777 + if (cpu_has_inclusive_pcaches) {
778 +- if (size >= scache_size)
779 +- r4k_blast_scache();
780 +- else {
781 ++ if (size >= scache_size) {
782 ++ if (current_cpu_type() != CPU_LOONGSON3)
783 ++ r4k_blast_scache();
784 ++ else
785 ++ r4k_blast_scache_node(pa_to_nid(addr));
786 ++ } else {
787 + /*
788 + * There is no clearly documented alignment requirement
789 + * for the cache instruction on MIPS processors and
790 +@@ -1918,6 +1947,7 @@ void r4k_cache_init(void)
791 + r4k_blast_scache_page_setup();
792 + r4k_blast_scache_page_indexed_setup();
793 + r4k_blast_scache_setup();
794 ++ r4k_blast_scache_node_setup();
795 + #ifdef CONFIG_EVA
796 + r4k_blast_dcache_user_page_setup();
797 + r4k_blast_icache_user_page_setup();
798 +diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
799 +index 2d7cffcaa476..059187a3ded7 100644
800 +--- a/arch/parisc/mm/init.c
801 ++++ b/arch/parisc/mm/init.c
802 +@@ -512,8 +512,8 @@ static void __init map_pages(unsigned long start_vaddr,
803 +
804 + void __init set_kernel_text_rw(int enable_read_write)
805 + {
806 +- unsigned long start = (unsigned long)__init_begin;
807 +- unsigned long end = (unsigned long)_etext;
808 ++ unsigned long start = (unsigned long) _text;
809 ++ unsigned long end = (unsigned long) &data_start;
810 +
811 + map_pages(start, __pa(start), end-start,
812 + PAGE_KERNEL_RWX, enable_read_write ? 1:0);
813 +diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
814 +index f6f469fc4073..1b395b85132b 100644
815 +--- a/arch/powerpc/kernel/security.c
816 ++++ b/arch/powerpc/kernel/security.c
817 +@@ -22,7 +22,7 @@ enum count_cache_flush_type {
818 + COUNT_CACHE_FLUSH_SW = 0x2,
819 + COUNT_CACHE_FLUSH_HW = 0x4,
820 + };
821 +-static enum count_cache_flush_type count_cache_flush_type;
822 ++static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
823 +
824 + bool barrier_nospec_enabled;
825 + static bool no_nospec;
826 +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
827 +index e6474a45cef5..6327fd79b0fb 100644
828 +--- a/arch/powerpc/kernel/signal_32.c
829 ++++ b/arch/powerpc/kernel/signal_32.c
830 +@@ -1140,11 +1140,11 @@ SYSCALL_DEFINE0(rt_sigreturn)
831 + {
832 + struct rt_sigframe __user *rt_sf;
833 + struct pt_regs *regs = current_pt_regs();
834 ++ int tm_restore = 0;
835 + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
836 + struct ucontext __user *uc_transact;
837 + unsigned long msr_hi;
838 + unsigned long tmp;
839 +- int tm_restore = 0;
840 + #endif
841 + /* Always make any pending restarted system calls return -EINTR */
842 + current->restart_block.fn = do_no_restart_syscall;
843 +@@ -1192,11 +1192,19 @@ SYSCALL_DEFINE0(rt_sigreturn)
844 + goto bad;
845 + }
846 + }
847 +- if (!tm_restore)
848 +- /* Fall through, for non-TM restore */
849 ++ if (!tm_restore) {
850 ++ /*
851 ++ * Unset regs->msr because ucontext MSR TS is not
852 ++ * set, and recheckpoint was not called. This avoid
853 ++ * hitting a TM Bad thing at RFID
854 ++ */
855 ++ regs->msr &= ~MSR_TS_MASK;
856 ++ }
857 ++ /* Fall through, for non-TM restore */
858 + #endif
859 +- if (do_setcontext(&rt_sf->uc, regs, 1))
860 +- goto bad;
861 ++ if (!tm_restore)
862 ++ if (do_setcontext(&rt_sf->uc, regs, 1))
863 ++ goto bad;
864 +
865 + /*
866 + * It's not clear whether or why it is desirable to save the
867 +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
868 +index 83d51bf586c7..daa28cb72272 100644
869 +--- a/arch/powerpc/kernel/signal_64.c
870 ++++ b/arch/powerpc/kernel/signal_64.c
871 +@@ -740,11 +740,23 @@ SYSCALL_DEFINE0(rt_sigreturn)
872 + &uc_transact->uc_mcontext))
873 + goto badframe;
874 + }
875 +- else
876 +- /* Fall through, for non-TM restore */
877 + #endif
878 +- if (restore_sigcontext(current, NULL, 1, &uc->uc_mcontext))
879 +- goto badframe;
880 ++ /* Fall through, for non-TM restore */
881 ++ if (!MSR_TM_ACTIVE(msr)) {
882 ++ /*
883 ++ * Unset MSR[TS] on the thread regs since MSR from user
884 ++ * context does not have MSR active, and recheckpoint was
885 ++ * not called since restore_tm_sigcontexts() was not called
886 ++ * also.
887 ++ *
888 ++ * If not unsetting it, the code can RFID to userspace with
889 ++ * MSR[TS] set, but without CPU in the proper state,
890 ++ * causing a TM bad thing.
891 ++ */
892 ++ current->thread.regs->msr &= ~MSR_TS_MASK;
893 ++ if (restore_sigcontext(current, NULL, 1, &uc->uc_mcontext))
894 ++ goto badframe;
895 ++ }
896 +
897 + if (restore_altstack(&uc->uc_stack))
898 + goto badframe;
899 +diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c
900 +index c615617e78ac..a18afda3d0f0 100644
901 +--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
902 ++++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
903 +@@ -743,12 +743,15 @@ void kvmppc_rmap_reset(struct kvm *kvm)
904 + srcu_idx = srcu_read_lock(&kvm->srcu);
905 + slots = kvm_memslots(kvm);
906 + kvm_for_each_memslot(memslot, slots) {
907 ++ /* Mutual exclusion with kvm_unmap_hva_range etc. */
908 ++ spin_lock(&kvm->mmu_lock);
909 + /*
910 + * This assumes it is acceptable to lose reference and
911 + * change bits across a reset.
912 + */
913 + memset(memslot->arch.rmap, 0,
914 + memslot->npages * sizeof(*memslot->arch.rmap));
915 ++ spin_unlock(&kvm->mmu_lock);
916 + }
917 + srcu_read_unlock(&kvm->srcu, srcu_idx);
918 + }
919 +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
920 +index a56f8413758a..ab43306c4ea1 100644
921 +--- a/arch/powerpc/kvm/book3s_hv.c
922 ++++ b/arch/powerpc/kvm/book3s_hv.c
923 +@@ -4532,12 +4532,15 @@ int kvmppc_switch_mmu_to_hpt(struct kvm *kvm)
924 + {
925 + if (nesting_enabled(kvm))
926 + kvmhv_release_all_nested(kvm);
927 ++ kvmppc_rmap_reset(kvm);
928 ++ kvm->arch.process_table = 0;
929 ++ /* Mutual exclusion with kvm_unmap_hva_range etc. */
930 ++ spin_lock(&kvm->mmu_lock);
931 ++ kvm->arch.radix = 0;
932 ++ spin_unlock(&kvm->mmu_lock);
933 + kvmppc_free_radix(kvm);
934 + kvmppc_update_lpcr(kvm, LPCR_VPM1,
935 + LPCR_VPM1 | LPCR_UPRT | LPCR_GTSE | LPCR_HR);
936 +- kvmppc_rmap_reset(kvm);
937 +- kvm->arch.radix = 0;
938 +- kvm->arch.process_table = 0;
939 + return 0;
940 + }
941 +
942 +@@ -4549,12 +4552,14 @@ int kvmppc_switch_mmu_to_radix(struct kvm *kvm)
943 + err = kvmppc_init_vm_radix(kvm);
944 + if (err)
945 + return err;
946 +-
947 ++ kvmppc_rmap_reset(kvm);
948 ++ /* Mutual exclusion with kvm_unmap_hva_range etc. */
949 ++ spin_lock(&kvm->mmu_lock);
950 ++ kvm->arch.radix = 1;
951 ++ spin_unlock(&kvm->mmu_lock);
952 + kvmppc_free_hpt(&kvm->arch.hpt);
953 + kvmppc_update_lpcr(kvm, LPCR_UPRT | LPCR_GTSE | LPCR_HR,
954 + LPCR_VPM1 | LPCR_UPRT | LPCR_GTSE | LPCR_HR);
955 +- kvmppc_rmap_reset(kvm);
956 +- kvm->arch.radix = 1;
957 + return 0;
958 + }
959 +
960 +diff --git a/arch/s390/pci/pci_clp.c b/arch/s390/pci/pci_clp.c
961 +index 19b2d2a9b43d..eeb7450db18c 100644
962 +--- a/arch/s390/pci/pci_clp.c
963 ++++ b/arch/s390/pci/pci_clp.c
964 +@@ -436,7 +436,7 @@ int clp_get_state(u32 fid, enum zpci_state *state)
965 + struct clp_state_data sd = {fid, ZPCI_FN_STATE_RESERVED};
966 + int rc;
967 +
968 +- rrb = clp_alloc_block(GFP_KERNEL);
969 ++ rrb = clp_alloc_block(GFP_ATOMIC);
970 + if (!rrb)
971 + return -ENOMEM;
972 +
973 +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
974 +index fbda5a917c5b..e5c0174e330e 100644
975 +--- a/arch/x86/include/asm/kvm_host.h
976 ++++ b/arch/x86/include/asm/kvm_host.h
977 +@@ -1492,7 +1492,7 @@ asmlinkage void kvm_spurious_fault(void);
978 + "cmpb $0, kvm_rebooting \n\t" \
979 + "jne 668b \n\t" \
980 + __ASM_SIZE(push) " $666b \n\t" \
981 +- "call kvm_spurious_fault \n\t" \
982 ++ "jmp kvm_spurious_fault \n\t" \
983 + ".popsection \n\t" \
984 + _ASM_EXTABLE(666b, 667b)
985 +
986 +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
987 +index 500278f5308e..362f3cde6a31 100644
988 +--- a/arch/x86/kernel/cpu/bugs.c
989 ++++ b/arch/x86/kernel/cpu/bugs.c
990 +@@ -1002,7 +1002,8 @@ static void __init l1tf_select_mitigation(void)
991 + #endif
992 +
993 + half_pa = (u64)l1tf_pfn_limit() << PAGE_SHIFT;
994 +- if (e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
995 ++ if (l1tf_mitigation != L1TF_MITIGATION_OFF &&
996 ++ e820__mapped_any(half_pa, ULLONG_MAX - half_pa, E820_TYPE_RAM)) {
997 + pr_warn("System has more than MAX_PA/2 memory. L1TF mitigation not effective.\n");
998 + pr_info("You may make it effective by booting the kernel with mem=%llu parameter.\n",
999 + half_pa);
1000 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
1001 +index 8d5d984541be..95784bc4a53c 100644
1002 +--- a/arch/x86/kvm/vmx.c
1003 ++++ b/arch/x86/kvm/vmx.c
1004 +@@ -8031,13 +8031,16 @@ static __init int hardware_setup(void)
1005 +
1006 + kvm_mce_cap_supported |= MCG_LMCE_P;
1007 +
1008 +- return alloc_kvm_area();
1009 ++ r = alloc_kvm_area();
1010 ++ if (r)
1011 ++ goto out;
1012 ++ return 0;
1013 +
1014 + out:
1015 + for (i = 0; i < VMX_BITMAP_NR; i++)
1016 + free_page((unsigned long)vmx_bitmap[i]);
1017 +
1018 +- return r;
1019 ++ return r;
1020 + }
1021 +
1022 + static __exit void hardware_unsetup(void)
1023 +diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
1024 +index ef99f3892e1f..427a955a2cf2 100644
1025 +--- a/arch/x86/mm/init.c
1026 ++++ b/arch/x86/mm/init.c
1027 +@@ -931,7 +931,7 @@ unsigned long max_swapfile_size(void)
1028 +
1029 + pages = generic_max_swapfile_size();
1030 +
1031 +- if (boot_cpu_has_bug(X86_BUG_L1TF)) {
1032 ++ if (boot_cpu_has_bug(X86_BUG_L1TF) && l1tf_mitigation != L1TF_MITIGATION_OFF) {
1033 + /* Limit the swap file size to MAX_PA/2 for L1TF workaround */
1034 + unsigned long long l1tf_limit = l1tf_pfn_limit();
1035 + /*
1036 +diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
1037 +index 5fab264948c2..de95db8ac52f 100644
1038 +--- a/arch/x86/mm/init_64.c
1039 ++++ b/arch/x86/mm/init_64.c
1040 +@@ -584,7 +584,6 @@ phys_pud_init(pud_t *pud_page, unsigned long paddr, unsigned long paddr_end,
1041 + paddr_end,
1042 + page_size_mask,
1043 + prot);
1044 +- __flush_tlb_all();
1045 + continue;
1046 + }
1047 + /*
1048 +@@ -627,7 +626,6 @@ phys_pud_init(pud_t *pud_page, unsigned long paddr, unsigned long paddr_end,
1049 + pud_populate(&init_mm, pud, pmd);
1050 + spin_unlock(&init_mm.page_table_lock);
1051 + }
1052 +- __flush_tlb_all();
1053 +
1054 + update_page_count(PG_LEVEL_1G, pages);
1055 +
1056 +@@ -668,7 +666,6 @@ phys_p4d_init(p4d_t *p4d_page, unsigned long paddr, unsigned long paddr_end,
1057 + paddr_last = phys_pud_init(pud, paddr,
1058 + paddr_end,
1059 + page_size_mask);
1060 +- __flush_tlb_all();
1061 + continue;
1062 + }
1063 +
1064 +@@ -680,7 +677,6 @@ phys_p4d_init(p4d_t *p4d_page, unsigned long paddr, unsigned long paddr_end,
1065 + p4d_populate(&init_mm, p4d, pud);
1066 + spin_unlock(&init_mm.page_table_lock);
1067 + }
1068 +- __flush_tlb_all();
1069 +
1070 + return paddr_last;
1071 + }
1072 +@@ -733,8 +729,6 @@ kernel_physical_mapping_init(unsigned long paddr_start,
1073 + if (pgd_changed)
1074 + sync_global_pgds(vaddr_start, vaddr_end - 1);
1075 +
1076 +- __flush_tlb_all();
1077 +-
1078 + return paddr_last;
1079 + }
1080 +
1081 +diff --git a/crypto/cfb.c b/crypto/cfb.c
1082 +index 20987d0e09d8..e81e45673498 100644
1083 +--- a/crypto/cfb.c
1084 ++++ b/crypto/cfb.c
1085 +@@ -144,7 +144,7 @@ static int crypto_cfb_decrypt_segment(struct skcipher_walk *walk,
1086 +
1087 + do {
1088 + crypto_cfb_encrypt_one(tfm, iv, dst);
1089 +- crypto_xor(dst, iv, bsize);
1090 ++ crypto_xor(dst, src, bsize);
1091 + iv = src;
1092 +
1093 + src += bsize;
1094 +diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
1095 +index c20c9f5c18f2..1026173d721a 100644
1096 +--- a/crypto/tcrypt.c
1097 ++++ b/crypto/tcrypt.c
1098 +@@ -1736,6 +1736,7 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb)
1099 + ret += tcrypt_test("ctr(aes)");
1100 + ret += tcrypt_test("rfc3686(ctr(aes))");
1101 + ret += tcrypt_test("ofb(aes)");
1102 ++ ret += tcrypt_test("cfb(aes)");
1103 + break;
1104 +
1105 + case 11:
1106 +@@ -2060,6 +2061,10 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb)
1107 + speed_template_16_24_32);
1108 + test_cipher_speed("ctr(aes)", DECRYPT, sec, NULL, 0,
1109 + speed_template_16_24_32);
1110 ++ test_cipher_speed("cfb(aes)", ENCRYPT, sec, NULL, 0,
1111 ++ speed_template_16_24_32);
1112 ++ test_cipher_speed("cfb(aes)", DECRYPT, sec, NULL, 0,
1113 ++ speed_template_16_24_32);
1114 + break;
1115 +
1116 + case 201:
1117 +diff --git a/crypto/testmgr.c b/crypto/testmgr.c
1118 +index b1f79c6bf409..84937ceb4bd8 100644
1119 +--- a/crypto/testmgr.c
1120 ++++ b/crypto/testmgr.c
1121 +@@ -2690,6 +2690,13 @@ static const struct alg_test_desc alg_test_descs[] = {
1122 + .dec = __VECS(aes_ccm_dec_tv_template)
1123 + }
1124 + }
1125 ++ }, {
1126 ++ .alg = "cfb(aes)",
1127 ++ .test = alg_test_skcipher,
1128 ++ .fips_allowed = 1,
1129 ++ .suite = {
1130 ++ .cipher = __VECS(aes_cfb_tv_template)
1131 ++ },
1132 + }, {
1133 + .alg = "chacha20",
1134 + .test = alg_test_skcipher,
1135 +diff --git a/crypto/testmgr.h b/crypto/testmgr.h
1136 +index 1fe7b97ba03f..b5b0d29761ce 100644
1137 +--- a/crypto/testmgr.h
1138 ++++ b/crypto/testmgr.h
1139 +@@ -11449,6 +11449,82 @@ static const struct cipher_testvec aes_cbc_tv_template[] = {
1140 + },
1141 + };
1142 +
1143 ++static const struct cipher_testvec aes_cfb_tv_template[] = {
1144 ++ { /* From NIST SP800-38A */
1145 ++ .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
1146 ++ "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
1147 ++ .klen = 16,
1148 ++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
1149 ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
1150 ++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
1151 ++ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
1152 ++ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
1153 ++ "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
1154 ++ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
1155 ++ "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
1156 ++ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
1157 ++ "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
1158 ++ .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20"
1159 ++ "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a"
1160 ++ "\xc8\xa6\x45\x37\xa0\xb3\xa9\x3f"
1161 ++ "\xcd\xe3\xcd\xad\x9f\x1c\xe5\x8b"
1162 ++ "\x26\x75\x1f\x67\xa3\xcb\xb1\x40"
1163 ++ "\xb1\x80\x8c\xf1\x87\xa4\xf4\xdf"
1164 ++ "\xc0\x4b\x05\x35\x7c\x5d\x1c\x0e"
1165 ++ "\xea\xc4\xc6\x6f\x9f\xf7\xf2\xe6",
1166 ++ .len = 64,
1167 ++ }, {
1168 ++ .key = "\x8e\x73\xb0\xf7\xda\x0e\x64\x52"
1169 ++ "\xc8\x10\xf3\x2b\x80\x90\x79\xe5"
1170 ++ "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b",
1171 ++ .klen = 24,
1172 ++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
1173 ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
1174 ++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
1175 ++ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
1176 ++ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
1177 ++ "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
1178 ++ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
1179 ++ "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
1180 ++ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
1181 ++ "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
1182 ++ .ctext = "\xcd\xc8\x0d\x6f\xdd\xf1\x8c\xab"
1183 ++ "\x34\xc2\x59\x09\xc9\x9a\x41\x74"
1184 ++ "\x67\xce\x7f\x7f\x81\x17\x36\x21"
1185 ++ "\x96\x1a\x2b\x70\x17\x1d\x3d\x7a"
1186 ++ "\x2e\x1e\x8a\x1d\xd5\x9b\x88\xb1"
1187 ++ "\xc8\xe6\x0f\xed\x1e\xfa\xc4\xc9"
1188 ++ "\xc0\x5f\x9f\x9c\xa9\x83\x4f\xa0"
1189 ++ "\x42\xae\x8f\xba\x58\x4b\x09\xff",
1190 ++ .len = 64,
1191 ++ }, {
1192 ++ .key = "\x60\x3d\xeb\x10\x15\xca\x71\xbe"
1193 ++ "\x2b\x73\xae\xf0\x85\x7d\x77\x81"
1194 ++ "\x1f\x35\x2c\x07\x3b\x61\x08\xd7"
1195 ++ "\x2d\x98\x10\xa3\x09\x14\xdf\xf4",
1196 ++ .klen = 32,
1197 ++ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
1198 ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
1199 ++ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
1200 ++ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
1201 ++ "\xae\x2d\x8a\x57\x1e\x03\xac\x9c"
1202 ++ "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51"
1203 ++ "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11"
1204 ++ "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef"
1205 ++ "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17"
1206 ++ "\xad\x2b\x41\x7b\xe6\x6c\x37\x10",
1207 ++ .ctext = "\xdc\x7e\x84\xbf\xda\x79\x16\x4b"
1208 ++ "\x7e\xcd\x84\x86\x98\x5d\x38\x60"
1209 ++ "\x39\xff\xed\x14\x3b\x28\xb1\xc8"
1210 ++ "\x32\x11\x3c\x63\x31\xe5\x40\x7b"
1211 ++ "\xdf\x10\x13\x24\x15\xe5\x4b\x92"
1212 ++ "\xa1\x3e\xd0\xa8\x26\x7a\xe2\xf9"
1213 ++ "\x75\xa3\x85\x74\x1a\xb9\xce\xf8"
1214 ++ "\x20\x31\x62\x3d\x55\xb1\xe4\x71",
1215 ++ .len = 64,
1216 ++ },
1217 ++};
1218 ++
1219 + static const struct aead_testvec hmac_md5_ecb_cipher_null_enc_tv_template[] = {
1220 + { /* Input data from RFC 2410 Case 1 */
1221 + #ifdef __LITTLE_ENDIAN
1222 +diff --git a/drivers/android/binder.c b/drivers/android/binder.c
1223 +index 9f1000d2a40c..b834ee335d9a 100644
1224 +--- a/drivers/android/binder.c
1225 ++++ b/drivers/android/binder.c
1226 +@@ -72,6 +72,7 @@
1227 + #include <linux/spinlock.h>
1228 + #include <linux/ratelimit.h>
1229 + #include <linux/syscalls.h>
1230 ++#include <linux/task_work.h>
1231 +
1232 + #include <uapi/linux/android/binder.h>
1233 +
1234 +@@ -2160,6 +2161,64 @@ static bool binder_validate_fixup(struct binder_buffer *b,
1235 + return (fixup_offset >= last_min_offset);
1236 + }
1237 +
1238 ++/**
1239 ++ * struct binder_task_work_cb - for deferred close
1240 ++ *
1241 ++ * @twork: callback_head for task work
1242 ++ * @fd: fd to close
1243 ++ *
1244 ++ * Structure to pass task work to be handled after
1245 ++ * returning from binder_ioctl() via task_work_add().
1246 ++ */
1247 ++struct binder_task_work_cb {
1248 ++ struct callback_head twork;
1249 ++ struct file *file;
1250 ++};
1251 ++
1252 ++/**
1253 ++ * binder_do_fd_close() - close list of file descriptors
1254 ++ * @twork: callback head for task work
1255 ++ *
1256 ++ * It is not safe to call ksys_close() during the binder_ioctl()
1257 ++ * function if there is a chance that binder's own file descriptor
1258 ++ * might be closed. This is to meet the requirements for using
1259 ++ * fdget() (see comments for __fget_light()). Therefore use
1260 ++ * task_work_add() to schedule the close operation once we have
1261 ++ * returned from binder_ioctl(). This function is a callback
1262 ++ * for that mechanism and does the actual ksys_close() on the
1263 ++ * given file descriptor.
1264 ++ */
1265 ++static void binder_do_fd_close(struct callback_head *twork)
1266 ++{
1267 ++ struct binder_task_work_cb *twcb = container_of(twork,
1268 ++ struct binder_task_work_cb, twork);
1269 ++
1270 ++ fput(twcb->file);
1271 ++ kfree(twcb);
1272 ++}
1273 ++
1274 ++/**
1275 ++ * binder_deferred_fd_close() - schedule a close for the given file-descriptor
1276 ++ * @fd: file-descriptor to close
1277 ++ *
1278 ++ * See comments in binder_do_fd_close(). This function is used to schedule
1279 ++ * a file-descriptor to be closed after returning from binder_ioctl().
1280 ++ */
1281 ++static void binder_deferred_fd_close(int fd)
1282 ++{
1283 ++ struct binder_task_work_cb *twcb;
1284 ++
1285 ++ twcb = kzalloc(sizeof(*twcb), GFP_KERNEL);
1286 ++ if (!twcb)
1287 ++ return;
1288 ++ init_task_work(&twcb->twork, binder_do_fd_close);
1289 ++ __close_fd_get_file(fd, &twcb->file);
1290 ++ if (twcb->file)
1291 ++ task_work_add(current, &twcb->twork, true);
1292 ++ else
1293 ++ kfree(twcb);
1294 ++}
1295 ++
1296 + static void binder_transaction_buffer_release(struct binder_proc *proc,
1297 + struct binder_buffer *buffer,
1298 + binder_size_t *failed_at)
1299 +@@ -2299,7 +2358,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
1300 + }
1301 + fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset);
1302 + for (fd_index = 0; fd_index < fda->num_fds; fd_index++)
1303 +- ksys_close(fd_array[fd_index]);
1304 ++ binder_deferred_fd_close(fd_array[fd_index]);
1305 + } break;
1306 + default:
1307 + pr_err("transaction release %d bad object type %x\n",
1308 +@@ -3912,7 +3971,7 @@ static int binder_apply_fd_fixups(struct binder_transaction *t)
1309 + } else if (ret) {
1310 + u32 *fdp = (u32 *)(t->buffer->data + fixup->offset);
1311 +
1312 +- ksys_close(*fdp);
1313 ++ binder_deferred_fd_close(*fdp);
1314 + }
1315 + list_del(&fixup->fixup_entry);
1316 + kfree(fixup);
1317 +diff --git a/drivers/base/platform-msi.c b/drivers/base/platform-msi.c
1318 +index f39a920496fb..8da314b81eab 100644
1319 +--- a/drivers/base/platform-msi.c
1320 ++++ b/drivers/base/platform-msi.c
1321 +@@ -368,14 +368,16 @@ void platform_msi_domain_free(struct irq_domain *domain, unsigned int virq,
1322 + unsigned int nvec)
1323 + {
1324 + struct platform_msi_priv_data *data = domain->host_data;
1325 +- struct msi_desc *desc;
1326 +- for_each_msi_entry(desc, data->dev) {
1327 ++ struct msi_desc *desc, *tmp;
1328 ++ for_each_msi_entry_safe(desc, tmp, data->dev) {
1329 + if (WARN_ON(!desc->irq || desc->nvec_used != 1))
1330 + return;
1331 + if (!(desc->irq >= virq && desc->irq < (virq + nvec)))
1332 + continue;
1333 +
1334 + irq_domain_free_irqs_common(domain, desc->irq, 1);
1335 ++ list_del(&desc->list);
1336 ++ free_msi_entry(desc);
1337 + }
1338 + }
1339 +
1340 +diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
1341 +index 129f640424b7..95db630dd722 100644
1342 +--- a/drivers/char/tpm/tpm-interface.c
1343 ++++ b/drivers/char/tpm/tpm-interface.c
1344 +@@ -477,13 +477,15 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip,
1345 +
1346 + if (need_locality) {
1347 + rc = tpm_request_locality(chip, flags);
1348 +- if (rc < 0)
1349 +- goto out_no_locality;
1350 ++ if (rc < 0) {
1351 ++ need_locality = false;
1352 ++ goto out_locality;
1353 ++ }
1354 + }
1355 +
1356 + rc = tpm_cmd_ready(chip, flags);
1357 + if (rc)
1358 +- goto out;
1359 ++ goto out_locality;
1360 +
1361 + rc = tpm2_prepare_space(chip, space, ordinal, buf);
1362 + if (rc)
1363 +@@ -547,14 +549,13 @@ out_recv:
1364 + dev_err(&chip->dev, "tpm2_commit_space: error %d\n", rc);
1365 +
1366 + out:
1367 +- rc = tpm_go_idle(chip, flags);
1368 +- if (rc)
1369 +- goto out;
1370 ++ /* may fail but do not override previous error value in rc */
1371 ++ tpm_go_idle(chip, flags);
1372 +
1373 ++out_locality:
1374 + if (need_locality)
1375 + tpm_relinquish_locality(chip, flags);
1376 +
1377 +-out_no_locality:
1378 + if (chip->ops->clk_enable != NULL)
1379 + chip->ops->clk_enable(chip, false);
1380 +
1381 +diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
1382 +index caa86b19c76d..f74f451baf6a 100644
1383 +--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
1384 ++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
1385 +@@ -369,6 +369,7 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
1386 + struct device *dev = chip->dev.parent;
1387 + struct i2c_client *client = to_i2c_client(dev);
1388 + u32 ordinal;
1389 ++ unsigned long duration;
1390 + size_t count = 0;
1391 + int burst_count, bytes2write, retries, rc = -EIO;
1392 +
1393 +@@ -455,10 +456,12 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
1394 + return rc;
1395 + }
1396 + ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
1397 +- rc = i2c_nuvoton_wait_for_data_avail(chip,
1398 +- tpm_calc_ordinal_duration(chip,
1399 +- ordinal),
1400 +- &priv->read_queue);
1401 ++ if (chip->flags & TPM_CHIP_FLAG_TPM2)
1402 ++ duration = tpm2_calc_ordinal_duration(chip, ordinal);
1403 ++ else
1404 ++ duration = tpm_calc_ordinal_duration(chip, ordinal);
1405 ++
1406 ++ rc = i2c_nuvoton_wait_for_data_avail(chip, duration, &priv->read_queue);
1407 + if (rc) {
1408 + dev_err(dev, "%s() timeout command duration\n", __func__);
1409 + i2c_nuvoton_ready(chip);
1410 +diff --git a/drivers/clk/rockchip/clk-rk3188.c b/drivers/clk/rockchip/clk-rk3188.c
1411 +index fa25e35ce7d5..08b42b053fce 100644
1412 +--- a/drivers/clk/rockchip/clk-rk3188.c
1413 ++++ b/drivers/clk/rockchip/clk-rk3188.c
1414 +@@ -382,7 +382,7 @@ static struct rockchip_clk_branch common_clk_branches[] __initdata = {
1415 + COMPOSITE_NOMUX(0, "spdif_pre", "i2s_src", 0,
1416 + RK2928_CLKSEL_CON(5), 0, 7, DFLAGS,
1417 + RK2928_CLKGATE_CON(0), 13, GFLAGS),
1418 +- COMPOSITE_FRACMUX(0, "spdif_frac", "spdif_pll", CLK_SET_RATE_PARENT,
1419 ++ COMPOSITE_FRACMUX(0, "spdif_frac", "spdif_pre", CLK_SET_RATE_PARENT,
1420 + RK2928_CLKSEL_CON(9), 0,
1421 + RK2928_CLKGATE_CON(0), 14, GFLAGS,
1422 + &common_spdif_fracmux),
1423 +diff --git a/drivers/clk/sunxi-ng/ccu_nm.c b/drivers/clk/sunxi-ng/ccu_nm.c
1424 +index 6fe3c14f7b2d..424d8635b053 100644
1425 +--- a/drivers/clk/sunxi-ng/ccu_nm.c
1426 ++++ b/drivers/clk/sunxi-ng/ccu_nm.c
1427 +@@ -19,6 +19,17 @@ struct _ccu_nm {
1428 + unsigned long m, min_m, max_m;
1429 + };
1430 +
1431 ++static unsigned long ccu_nm_calc_rate(unsigned long parent,
1432 ++ unsigned long n, unsigned long m)
1433 ++{
1434 ++ u64 rate = parent;
1435 ++
1436 ++ rate *= n;
1437 ++ do_div(rate, m);
1438 ++
1439 ++ return rate;
1440 ++}
1441 ++
1442 + static void ccu_nm_find_best(unsigned long parent, unsigned long rate,
1443 + struct _ccu_nm *nm)
1444 + {
1445 +@@ -28,7 +39,8 @@ static void ccu_nm_find_best(unsigned long parent, unsigned long rate,
1446 +
1447 + for (_n = nm->min_n; _n <= nm->max_n; _n++) {
1448 + for (_m = nm->min_m; _m <= nm->max_m; _m++) {
1449 +- unsigned long tmp_rate = parent * _n / _m;
1450 ++ unsigned long tmp_rate = ccu_nm_calc_rate(parent,
1451 ++ _n, _m);
1452 +
1453 + if (tmp_rate > rate)
1454 + continue;
1455 +@@ -100,7 +112,7 @@ static unsigned long ccu_nm_recalc_rate(struct clk_hw *hw,
1456 + if (ccu_sdm_helper_is_enabled(&nm->common, &nm->sdm))
1457 + rate = ccu_sdm_helper_read_rate(&nm->common, &nm->sdm, m, n);
1458 + else
1459 +- rate = parent_rate * n / m;
1460 ++ rate = ccu_nm_calc_rate(parent_rate, n, m);
1461 +
1462 + if (nm->common.features & CCU_FEATURE_FIXED_POSTDIV)
1463 + rate /= nm->fixed_post_div;
1464 +@@ -149,7 +161,7 @@ static long ccu_nm_round_rate(struct clk_hw *hw, unsigned long rate,
1465 + _nm.max_m = nm->m.max ?: 1 << nm->m.width;
1466 +
1467 + ccu_nm_find_best(*parent_rate, rate, &_nm);
1468 +- rate = *parent_rate * _nm.n / _nm.m;
1469 ++ rate = ccu_nm_calc_rate(*parent_rate, _nm.n, _nm.m);
1470 +
1471 + if (nm->common.features & CCU_FEATURE_FIXED_POSTDIV)
1472 + rate /= nm->fixed_post_div;
1473 +diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig
1474 +index 55c77e44bb2d..d9c8a779dd7d 100644
1475 +--- a/drivers/clocksource/Kconfig
1476 ++++ b/drivers/clocksource/Kconfig
1477 +@@ -290,6 +290,7 @@ config CLKSRC_MPS2
1478 +
1479 + config ARC_TIMERS
1480 + bool "Support for 32-bit TIMERn counters in ARC Cores" if COMPILE_TEST
1481 ++ depends on GENERIC_SCHED_CLOCK
1482 + select TIMER_OF
1483 + help
1484 + These are legacy 32-bit TIMER0 and TIMER1 counters found on all ARC cores
1485 +diff --git a/drivers/clocksource/arc_timer.c b/drivers/clocksource/arc_timer.c
1486 +index 20da9b1d7f7d..b28970ca4a7a 100644
1487 +--- a/drivers/clocksource/arc_timer.c
1488 ++++ b/drivers/clocksource/arc_timer.c
1489 +@@ -23,6 +23,7 @@
1490 + #include <linux/cpu.h>
1491 + #include <linux/of.h>
1492 + #include <linux/of_irq.h>
1493 ++#include <linux/sched_clock.h>
1494 +
1495 + #include <soc/arc/timers.h>
1496 + #include <soc/arc/mcip.h>
1497 +@@ -88,6 +89,11 @@ static u64 arc_read_gfrc(struct clocksource *cs)
1498 + return (((u64)h) << 32) | l;
1499 + }
1500 +
1501 ++static notrace u64 arc_gfrc_clock_read(void)
1502 ++{
1503 ++ return arc_read_gfrc(NULL);
1504 ++}
1505 ++
1506 + static struct clocksource arc_counter_gfrc = {
1507 + .name = "ARConnect GFRC",
1508 + .rating = 400,
1509 +@@ -111,6 +117,8 @@ static int __init arc_cs_setup_gfrc(struct device_node *node)
1510 + if (ret)
1511 + return ret;
1512 +
1513 ++ sched_clock_register(arc_gfrc_clock_read, 64, arc_timer_freq);
1514 ++
1515 + return clocksource_register_hz(&arc_counter_gfrc, arc_timer_freq);
1516 + }
1517 + TIMER_OF_DECLARE(arc_gfrc, "snps,archs-timer-gfrc", arc_cs_setup_gfrc);
1518 +@@ -139,6 +147,11 @@ static u64 arc_read_rtc(struct clocksource *cs)
1519 + return (((u64)h) << 32) | l;
1520 + }
1521 +
1522 ++static notrace u64 arc_rtc_clock_read(void)
1523 ++{
1524 ++ return arc_read_rtc(NULL);
1525 ++}
1526 ++
1527 + static struct clocksource arc_counter_rtc = {
1528 + .name = "ARCv2 RTC",
1529 + .rating = 350,
1530 +@@ -170,6 +183,8 @@ static int __init arc_cs_setup_rtc(struct device_node *node)
1531 +
1532 + write_aux_reg(AUX_RTC_CTRL, 1);
1533 +
1534 ++ sched_clock_register(arc_rtc_clock_read, 64, arc_timer_freq);
1535 ++
1536 + return clocksource_register_hz(&arc_counter_rtc, arc_timer_freq);
1537 + }
1538 + TIMER_OF_DECLARE(arc_rtc, "snps,archs-timer-rtc", arc_cs_setup_rtc);
1539 +@@ -185,6 +200,11 @@ static u64 arc_read_timer1(struct clocksource *cs)
1540 + return (u64) read_aux_reg(ARC_REG_TIMER1_CNT);
1541 + }
1542 +
1543 ++static notrace u64 arc_timer1_clock_read(void)
1544 ++{
1545 ++ return arc_read_timer1(NULL);
1546 ++}
1547 ++
1548 + static struct clocksource arc_counter_timer1 = {
1549 + .name = "ARC Timer1",
1550 + .rating = 300,
1551 +@@ -209,6 +229,8 @@ static int __init arc_cs_setup_timer1(struct device_node *node)
1552 + write_aux_reg(ARC_REG_TIMER1_CNT, 0);
1553 + write_aux_reg(ARC_REG_TIMER1_CTRL, TIMER_CTRL_NH);
1554 +
1555 ++ sched_clock_register(arc_timer1_clock_read, 32, arc_timer_freq);
1556 ++
1557 + return clocksource_register_hz(&arc_counter_timer1, arc_timer_freq);
1558 + }
1559 +
1560 +diff --git a/drivers/crypto/cavium/nitrox/nitrox_algs.c b/drivers/crypto/cavium/nitrox/nitrox_algs.c
1561 +index 2ae6124e5da6..5d54ebc20cb3 100644
1562 +--- a/drivers/crypto/cavium/nitrox/nitrox_algs.c
1563 ++++ b/drivers/crypto/cavium/nitrox/nitrox_algs.c
1564 +@@ -73,7 +73,7 @@ static int flexi_aes_keylen(int keylen)
1565 + static int nitrox_skcipher_init(struct crypto_skcipher *tfm)
1566 + {
1567 + struct nitrox_crypto_ctx *nctx = crypto_skcipher_ctx(tfm);
1568 +- void *fctx;
1569 ++ struct crypto_ctx_hdr *chdr;
1570 +
1571 + /* get the first device */
1572 + nctx->ndev = nitrox_get_first_device();
1573 +@@ -81,12 +81,14 @@ static int nitrox_skcipher_init(struct crypto_skcipher *tfm)
1574 + return -ENODEV;
1575 +
1576 + /* allocate nitrox crypto context */
1577 +- fctx = crypto_alloc_context(nctx->ndev);
1578 +- if (!fctx) {
1579 ++ chdr = crypto_alloc_context(nctx->ndev);
1580 ++ if (!chdr) {
1581 + nitrox_put_device(nctx->ndev);
1582 + return -ENOMEM;
1583 + }
1584 +- nctx->u.ctx_handle = (uintptr_t)fctx;
1585 ++ nctx->chdr = chdr;
1586 ++ nctx->u.ctx_handle = (uintptr_t)((u8 *)chdr->vaddr +
1587 ++ sizeof(struct ctx_hdr));
1588 + crypto_skcipher_set_reqsize(tfm, crypto_skcipher_reqsize(tfm) +
1589 + sizeof(struct nitrox_kcrypt_request));
1590 + return 0;
1591 +@@ -102,7 +104,7 @@ static void nitrox_skcipher_exit(struct crypto_skcipher *tfm)
1592 +
1593 + memset(&fctx->crypto, 0, sizeof(struct crypto_keys));
1594 + memset(&fctx->auth, 0, sizeof(struct auth_keys));
1595 +- crypto_free_context((void *)fctx);
1596 ++ crypto_free_context((void *)nctx->chdr);
1597 + }
1598 + nitrox_put_device(nctx->ndev);
1599 +
1600 +diff --git a/drivers/crypto/cavium/nitrox/nitrox_lib.c b/drivers/crypto/cavium/nitrox/nitrox_lib.c
1601 +index 2260efa42308..9138bae12521 100644
1602 +--- a/drivers/crypto/cavium/nitrox/nitrox_lib.c
1603 ++++ b/drivers/crypto/cavium/nitrox/nitrox_lib.c
1604 +@@ -158,12 +158,19 @@ static void destroy_crypto_dma_pool(struct nitrox_device *ndev)
1605 + void *crypto_alloc_context(struct nitrox_device *ndev)
1606 + {
1607 + struct ctx_hdr *ctx;
1608 ++ struct crypto_ctx_hdr *chdr;
1609 + void *vaddr;
1610 + dma_addr_t dma;
1611 +
1612 ++ chdr = kmalloc(sizeof(*chdr), GFP_KERNEL);
1613 ++ if (!chdr)
1614 ++ return NULL;
1615 ++
1616 + vaddr = dma_pool_zalloc(ndev->ctx_pool, GFP_KERNEL, &dma);
1617 +- if (!vaddr)
1618 ++ if (!vaddr) {
1619 ++ kfree(chdr);
1620 + return NULL;
1621 ++ }
1622 +
1623 + /* fill meta data */
1624 + ctx = vaddr;
1625 +@@ -171,7 +178,11 @@ void *crypto_alloc_context(struct nitrox_device *ndev)
1626 + ctx->dma = dma;
1627 + ctx->ctx_dma = dma + sizeof(struct ctx_hdr);
1628 +
1629 +- return ((u8 *)vaddr + sizeof(struct ctx_hdr));
1630 ++ chdr->pool = ndev->ctx_pool;
1631 ++ chdr->dma = dma;
1632 ++ chdr->vaddr = vaddr;
1633 ++
1634 ++ return chdr;
1635 + }
1636 +
1637 + /**
1638 +@@ -180,13 +191,14 @@ void *crypto_alloc_context(struct nitrox_device *ndev)
1639 + */
1640 + void crypto_free_context(void *ctx)
1641 + {
1642 +- struct ctx_hdr *ctxp;
1643 ++ struct crypto_ctx_hdr *ctxp;
1644 +
1645 + if (!ctx)
1646 + return;
1647 +
1648 +- ctxp = (struct ctx_hdr *)((u8 *)ctx - sizeof(struct ctx_hdr));
1649 +- dma_pool_free(ctxp->pool, ctxp, ctxp->dma);
1650 ++ ctxp = ctx;
1651 ++ dma_pool_free(ctxp->pool, ctxp->vaddr, ctxp->dma);
1652 ++ kfree(ctxp);
1653 + }
1654 +
1655 + /**
1656 +diff --git a/drivers/crypto/cavium/nitrox/nitrox_req.h b/drivers/crypto/cavium/nitrox/nitrox_req.h
1657 +index d091b6f5f5dd..19f0a20e3bb3 100644
1658 +--- a/drivers/crypto/cavium/nitrox/nitrox_req.h
1659 ++++ b/drivers/crypto/cavium/nitrox/nitrox_req.h
1660 +@@ -181,12 +181,19 @@ struct flexi_crypto_context {
1661 + struct auth_keys auth;
1662 + };
1663 +
1664 ++struct crypto_ctx_hdr {
1665 ++ struct dma_pool *pool;
1666 ++ dma_addr_t dma;
1667 ++ void *vaddr;
1668 ++};
1669 ++
1670 + struct nitrox_crypto_ctx {
1671 + struct nitrox_device *ndev;
1672 + union {
1673 + u64 ctx_handle;
1674 + struct flexi_crypto_context *fctx;
1675 + } u;
1676 ++ struct crypto_ctx_hdr *chdr;
1677 + };
1678 +
1679 + struct nitrox_kcrypt_request {
1680 +diff --git a/drivers/crypto/chelsio/chcr_ipsec.c b/drivers/crypto/chelsio/chcr_ipsec.c
1681 +index 461b97e2f1fd..1ff8738631a3 100644
1682 +--- a/drivers/crypto/chelsio/chcr_ipsec.c
1683 ++++ b/drivers/crypto/chelsio/chcr_ipsec.c
1684 +@@ -303,7 +303,10 @@ static bool chcr_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
1685 +
1686 + static inline int is_eth_imm(const struct sk_buff *skb, unsigned int kctx_len)
1687 + {
1688 +- int hdrlen = sizeof(struct chcr_ipsec_req) + kctx_len;
1689 ++ int hdrlen;
1690 ++
1691 ++ hdrlen = sizeof(struct fw_ulptx_wr) +
1692 ++ sizeof(struct chcr_ipsec_req) + kctx_len;
1693 +
1694 + hdrlen += sizeof(struct cpl_tx_pkt);
1695 + if (skb->len <= MAX_IMM_TX_PKT_LEN - hdrlen)
1696 +diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
1697 +index 1aaccbe7e1de..c45711fd78e9 100644
1698 +--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
1699 ++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
1700 +@@ -1605,6 +1605,7 @@ static int eb_copy_relocations(const struct i915_execbuffer *eb)
1701 + (char __user *)urelocs + copied,
1702 + len)) {
1703 + end_user:
1704 ++ user_access_end();
1705 + kvfree(relocs);
1706 + err = -EFAULT;
1707 + goto err;
1708 +diff --git a/drivers/gpu/drm/udl/udl_main.c b/drivers/gpu/drm/udl/udl_main.c
1709 +index f455f095a146..1b014d92855b 100644
1710 +--- a/drivers/gpu/drm/udl/udl_main.c
1711 ++++ b/drivers/gpu/drm/udl/udl_main.c
1712 +@@ -350,15 +350,10 @@ int udl_driver_load(struct drm_device *dev, unsigned long flags)
1713 + if (ret)
1714 + goto err;
1715 +
1716 +- ret = drm_vblank_init(dev, 1);
1717 +- if (ret)
1718 +- goto err_fb;
1719 +-
1720 + drm_kms_helper_poll_init(dev);
1721 +
1722 + return 0;
1723 +-err_fb:
1724 +- udl_fbdev_cleanup(dev);
1725 ++
1726 + err:
1727 + if (udl->urbs.count)
1728 + udl_free_urb_list(dev);
1729 +diff --git a/drivers/gpu/drm/v3d/v3d_debugfs.c b/drivers/gpu/drm/v3d/v3d_debugfs.c
1730 +index 4db62c545748..26470c77eb6e 100644
1731 +--- a/drivers/gpu/drm/v3d/v3d_debugfs.c
1732 ++++ b/drivers/gpu/drm/v3d/v3d_debugfs.c
1733 +@@ -71,10 +71,13 @@ static int v3d_v3d_debugfs_regs(struct seq_file *m, void *unused)
1734 + V3D_READ(v3d_hub_reg_defs[i].reg));
1735 + }
1736 +
1737 +- for (i = 0; i < ARRAY_SIZE(v3d_gca_reg_defs); i++) {
1738 +- seq_printf(m, "%s (0x%04x): 0x%08x\n",
1739 +- v3d_gca_reg_defs[i].name, v3d_gca_reg_defs[i].reg,
1740 +- V3D_GCA_READ(v3d_gca_reg_defs[i].reg));
1741 ++ if (v3d->ver < 41) {
1742 ++ for (i = 0; i < ARRAY_SIZE(v3d_gca_reg_defs); i++) {
1743 ++ seq_printf(m, "%s (0x%04x): 0x%08x\n",
1744 ++ v3d_gca_reg_defs[i].name,
1745 ++ v3d_gca_reg_defs[i].reg,
1746 ++ V3D_GCA_READ(v3d_gca_reg_defs[i].reg));
1747 ++ }
1748 + }
1749 +
1750 + for (core = 0; core < v3d->cores; core++) {
1751 +diff --git a/drivers/infiniband/hw/hfi1/verbs.c b/drivers/infiniband/hw/hfi1/verbs.c
1752 +index a365089a9305..b7257d7dd925 100644
1753 +--- a/drivers/infiniband/hw/hfi1/verbs.c
1754 ++++ b/drivers/infiniband/hw/hfi1/verbs.c
1755 +@@ -919,6 +919,8 @@ int hfi1_verbs_send_pio(struct rvt_qp *qp, struct hfi1_pkt_state *ps,
1756 +
1757 + if (slen > len)
1758 + slen = len;
1759 ++ if (slen > ss->sge.sge_length)
1760 ++ slen = ss->sge.sge_length;
1761 + rvt_update_sge(ss, slen, false);
1762 + seg_pio_copy_mid(pbuf, addr, slen);
1763 + len -= slen;
1764 +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
1765 +index a94b6494e71a..f322a1768fbb 100644
1766 +--- a/drivers/input/mouse/elan_i2c_core.c
1767 ++++ b/drivers/input/mouse/elan_i2c_core.c
1768 +@@ -1336,6 +1336,7 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
1769 + static const struct acpi_device_id elan_acpi_id[] = {
1770 + { "ELAN0000", 0 },
1771 + { "ELAN0100", 0 },
1772 ++ { "ELAN0501", 0 },
1773 + { "ELAN0600", 0 },
1774 + { "ELAN0602", 0 },
1775 + { "ELAN0605", 0 },
1776 +diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c
1777 +index d3aacd534e9c..5c63d25ce84e 100644
1778 +--- a/drivers/input/touchscreen/atmel_mxt_ts.c
1779 ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
1780 +@@ -1585,10 +1585,10 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw)
1781 + /* T7 config may have changed */
1782 + mxt_init_t7_power_cfg(data);
1783 +
1784 +-release_raw:
1785 +- kfree(cfg.raw);
1786 + release_mem:
1787 + kfree(cfg.mem);
1788 ++release_raw:
1789 ++ kfree(cfg.raw);
1790 + return ret;
1791 + }
1792 +
1793 +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
1794 +index 6947ccf26512..71eda422c926 100644
1795 +--- a/drivers/iommu/arm-smmu-v3.c
1796 ++++ b/drivers/iommu/arm-smmu-v3.c
1797 +@@ -828,7 +828,13 @@ static int arm_smmu_cmdq_build_cmd(u64 *cmd, struct arm_smmu_cmdq_ent *ent)
1798 + cmd[0] |= FIELD_PREP(CMDQ_SYNC_0_CS, CMDQ_SYNC_0_CS_SEV);
1799 + cmd[0] |= FIELD_PREP(CMDQ_SYNC_0_MSH, ARM_SMMU_SH_ISH);
1800 + cmd[0] |= FIELD_PREP(CMDQ_SYNC_0_MSIATTR, ARM_SMMU_MEMATTR_OIWB);
1801 +- cmd[0] |= FIELD_PREP(CMDQ_SYNC_0_MSIDATA, ent->sync.msidata);
1802 ++ /*
1803 ++ * Commands are written little-endian, but we want the SMMU to
1804 ++ * receive MSIData, and thus write it back to memory, in CPU
1805 ++ * byte order, so big-endian needs an extra byteswap here.
1806 ++ */
1807 ++ cmd[0] |= FIELD_PREP(CMDQ_SYNC_0_MSIDATA,
1808 ++ cpu_to_le32(ent->sync.msidata));
1809 + cmd[1] |= ent->sync.msiaddr & CMDQ_SYNC_1_MSIADDR_MASK;
1810 + break;
1811 + default:
1812 +diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
1813 +index 0ff517d3c98f..a4ceb61c5b60 100644
1814 +--- a/drivers/isdn/capi/kcapi.c
1815 ++++ b/drivers/isdn/capi/kcapi.c
1816 +@@ -852,7 +852,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
1817 + u16 ret;
1818 +
1819 + if (contr == 0) {
1820 +- strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
1821 ++ strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
1822 + return CAPI_NOERROR;
1823 + }
1824 +
1825 +@@ -860,7 +860,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
1826 +
1827 + ctr = get_capi_ctr_by_nr(contr);
1828 + if (ctr && ctr->state == CAPI_CTR_RUNNING) {
1829 +- strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
1830 ++ strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
1831 + ret = CAPI_NOERROR;
1832 + } else
1833 + ret = CAPI_REGNOTINSTALLED;
1834 +diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c
1835 +index 65a933a21e68..9a5334b726d6 100644
1836 +--- a/drivers/media/cec/cec-adap.c
1837 ++++ b/drivers/media/cec/cec-adap.c
1838 +@@ -455,7 +455,7 @@ int cec_thread_func(void *_adap)
1839 + (adap->needs_hpd &&
1840 + (!adap->is_configured && !adap->is_configuring)) ||
1841 + kthread_should_stop() ||
1842 +- (!adap->transmitting &&
1843 ++ (!adap->transmit_in_progress &&
1844 + !list_empty(&adap->transmit_queue)),
1845 + msecs_to_jiffies(CEC_XFER_TIMEOUT_MS));
1846 + timeout = err == 0;
1847 +@@ -463,7 +463,7 @@ int cec_thread_func(void *_adap)
1848 + /* Otherwise we just wait for something to happen. */
1849 + wait_event_interruptible(adap->kthread_waitq,
1850 + kthread_should_stop() ||
1851 +- (!adap->transmitting &&
1852 ++ (!adap->transmit_in_progress &&
1853 + !list_empty(&adap->transmit_queue)));
1854 + }
1855 +
1856 +@@ -488,6 +488,7 @@ int cec_thread_func(void *_adap)
1857 + pr_warn("cec-%s: message %*ph timed out\n", adap->name,
1858 + adap->transmitting->msg.len,
1859 + adap->transmitting->msg.msg);
1860 ++ adap->transmit_in_progress = false;
1861 + adap->tx_timeouts++;
1862 + /* Just give up on this. */
1863 + cec_data_cancel(adap->transmitting,
1864 +@@ -499,7 +500,7 @@ int cec_thread_func(void *_adap)
1865 + * If we are still transmitting, or there is nothing new to
1866 + * transmit, then just continue waiting.
1867 + */
1868 +- if (adap->transmitting || list_empty(&adap->transmit_queue))
1869 ++ if (adap->transmit_in_progress || list_empty(&adap->transmit_queue))
1870 + goto unlock;
1871 +
1872 + /* Get a new message to transmit */
1873 +@@ -545,6 +546,8 @@ int cec_thread_func(void *_adap)
1874 + if (adap->ops->adap_transmit(adap, data->attempts,
1875 + signal_free_time, &data->msg))
1876 + cec_data_cancel(data, CEC_TX_STATUS_ABORTED);
1877 ++ else
1878 ++ adap->transmit_in_progress = true;
1879 +
1880 + unlock:
1881 + mutex_unlock(&adap->lock);
1882 +@@ -575,14 +578,17 @@ void cec_transmit_done_ts(struct cec_adapter *adap, u8 status,
1883 + data = adap->transmitting;
1884 + if (!data) {
1885 + /*
1886 +- * This can happen if a transmit was issued and the cable is
1887 ++ * This might happen if a transmit was issued and the cable is
1888 + * unplugged while the transmit is ongoing. Ignore this
1889 + * transmit in that case.
1890 + */
1891 +- dprintk(1, "%s was called without an ongoing transmit!\n",
1892 +- __func__);
1893 +- goto unlock;
1894 ++ if (!adap->transmit_in_progress)
1895 ++ dprintk(1, "%s was called without an ongoing transmit!\n",
1896 ++ __func__);
1897 ++ adap->transmit_in_progress = false;
1898 ++ goto wake_thread;
1899 + }
1900 ++ adap->transmit_in_progress = false;
1901 +
1902 + msg = &data->msg;
1903 +
1904 +@@ -648,7 +654,6 @@ wake_thread:
1905 + * for transmitting or to retry the current message.
1906 + */
1907 + wake_up_interruptible(&adap->kthread_waitq);
1908 +-unlock:
1909 + mutex_unlock(&adap->lock);
1910 + }
1911 + EXPORT_SYMBOL_GPL(cec_transmit_done_ts);
1912 +@@ -1496,8 +1501,11 @@ void __cec_s_phys_addr(struct cec_adapter *adap, u16 phys_addr, bool block)
1913 + if (adap->monitor_all_cnt)
1914 + WARN_ON(call_op(adap, adap_monitor_all_enable, false));
1915 + mutex_lock(&adap->devnode.lock);
1916 +- if (adap->needs_hpd || list_empty(&adap->devnode.fhs))
1917 ++ if (adap->needs_hpd || list_empty(&adap->devnode.fhs)) {
1918 + WARN_ON(adap->ops->adap_enable(adap, false));
1919 ++ adap->transmit_in_progress = false;
1920 ++ wake_up_interruptible(&adap->kthread_waitq);
1921 ++ }
1922 + mutex_unlock(&adap->devnode.lock);
1923 + if (phys_addr == CEC_PHYS_ADDR_INVALID)
1924 + return;
1925 +@@ -1505,6 +1513,7 @@ void __cec_s_phys_addr(struct cec_adapter *adap, u16 phys_addr, bool block)
1926 +
1927 + mutex_lock(&adap->devnode.lock);
1928 + adap->last_initiator = 0xff;
1929 ++ adap->transmit_in_progress = false;
1930 +
1931 + if ((adap->needs_hpd || list_empty(&adap->devnode.fhs)) &&
1932 + adap->ops->adap_enable(adap, true)) {
1933 +diff --git a/drivers/media/cec/cec-pin.c b/drivers/media/cec/cec-pin.c
1934 +index 635db8e70ead..8f987bc0dd88 100644
1935 +--- a/drivers/media/cec/cec-pin.c
1936 ++++ b/drivers/media/cec/cec-pin.c
1937 +@@ -601,8 +601,9 @@ static void cec_pin_tx_states(struct cec_pin *pin, ktime_t ts)
1938 + break;
1939 + /* Was the message ACKed? */
1940 + ack = cec_msg_is_broadcast(&pin->tx_msg) ? v : !v;
1941 +- if (!ack && !pin->tx_ignore_nack_until_eom &&
1942 +- pin->tx_bit / 10 < pin->tx_msg.len && !pin->tx_post_eom) {
1943 ++ if (!ack && (!pin->tx_ignore_nack_until_eom ||
1944 ++ pin->tx_bit / 10 == pin->tx_msg.len - 1) &&
1945 ++ !pin->tx_post_eom) {
1946 + /*
1947 + * Note: the CEC spec is ambiguous regarding
1948 + * what action to take when a NACK appears
1949 +diff --git a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
1950 +index fa483b95bc5a..d9a590ae7545 100644
1951 +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
1952 ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
1953 +@@ -1769,7 +1769,7 @@ typedef struct { u16 __; u8 _; } __packed x24;
1954 + unsigned s; \
1955 + \
1956 + for (s = 0; s < len; s++) { \
1957 +- u8 chr = font8x16[text[s] * 16 + line]; \
1958 ++ u8 chr = font8x16[(u8)text[s] * 16 + line]; \
1959 + \
1960 + if (hdiv == 2 && tpg->hflip) { \
1961 + pos[3] = (chr & (0x01 << 6) ? fg : bg); \
1962 +diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
1963 +index 8ff8722cb6b1..99f736c81286 100644
1964 +--- a/drivers/media/common/videobuf2/videobuf2-core.c
1965 ++++ b/drivers/media/common/videobuf2/videobuf2-core.c
1966 +@@ -812,6 +812,9 @@ int vb2_core_create_bufs(struct vb2_queue *q, enum vb2_memory memory,
1967 + memset(q->alloc_devs, 0, sizeof(q->alloc_devs));
1968 + q->memory = memory;
1969 + q->waiting_for_buffers = !q->is_output;
1970 ++ } else if (q->memory != memory) {
1971 ++ dprintk(1, "memory model mismatch\n");
1972 ++ return -EINVAL;
1973 + }
1974 +
1975 + num_buffers = min(*count, VB2_MAX_FRAME - q->num_buffers);
1976 +diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c
1977 +index 11c69281692e..95a0e7d9851a 100644
1978 +--- a/drivers/media/i2c/imx274.c
1979 ++++ b/drivers/media/i2c/imx274.c
1980 +@@ -619,16 +619,19 @@ static int imx274_write_table(struct stimx274 *priv, const struct reg_8 table[])
1981 +
1982 + static inline int imx274_read_reg(struct stimx274 *priv, u16 addr, u8 *val)
1983 + {
1984 ++ unsigned int uint_val;
1985 + int err;
1986 +
1987 +- err = regmap_read(priv->regmap, addr, (unsigned int *)val);
1988 ++ err = regmap_read(priv->regmap, addr, &uint_val);
1989 + if (err)
1990 + dev_err(&priv->client->dev,
1991 + "%s : i2c read failed, addr = %x\n", __func__, addr);
1992 + else
1993 + dev_dbg(&priv->client->dev,
1994 + "%s : addr 0x%x, val=0x%x\n", __func__,
1995 +- addr, *val);
1996 ++ addr, uint_val);
1997 ++
1998 ++ *val = uint_val;
1999 + return err;
2000 + }
2001 +
2002 +diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
2003 +index eaefdb58653b..703d29abb363 100644
2004 +--- a/drivers/media/i2c/ov5640.c
2005 ++++ b/drivers/media/i2c/ov5640.c
2006 +@@ -2020,6 +2020,7 @@ static int ov5640_set_fmt(struct v4l2_subdev *sd,
2007 + struct ov5640_dev *sensor = to_ov5640_dev(sd);
2008 + const struct ov5640_mode_info *new_mode;
2009 + struct v4l2_mbus_framefmt *mbus_fmt = &format->format;
2010 ++ struct v4l2_mbus_framefmt *fmt;
2011 + int ret;
2012 +
2013 + if (format->pad != 0)
2014 +@@ -2037,22 +2038,20 @@ static int ov5640_set_fmt(struct v4l2_subdev *sd,
2015 + if (ret)
2016 + goto out;
2017 +
2018 +- if (format->which == V4L2_SUBDEV_FORMAT_TRY) {
2019 +- struct v4l2_mbus_framefmt *fmt =
2020 +- v4l2_subdev_get_try_format(sd, cfg, 0);
2021 ++ if (format->which == V4L2_SUBDEV_FORMAT_TRY)
2022 ++ fmt = v4l2_subdev_get_try_format(sd, cfg, 0);
2023 ++ else
2024 ++ fmt = &sensor->fmt;
2025 +
2026 +- *fmt = *mbus_fmt;
2027 +- goto out;
2028 +- }
2029 ++ *fmt = *mbus_fmt;
2030 +
2031 + if (new_mode != sensor->current_mode) {
2032 + sensor->current_mode = new_mode;
2033 + sensor->pending_mode_change = true;
2034 + }
2035 +- if (mbus_fmt->code != sensor->fmt.code) {
2036 +- sensor->fmt = *mbus_fmt;
2037 ++ if (mbus_fmt->code != sensor->fmt.code)
2038 + sensor->pending_fmt_change = true;
2039 +- }
2040 ++
2041 + out:
2042 + mutex_unlock(&sensor->lock);
2043 + return ret;
2044 +diff --git a/drivers/media/platform/vim2m.c b/drivers/media/platform/vim2m.c
2045 +index d82db738f174..f938a2c54314 100644
2046 +--- a/drivers/media/platform/vim2m.c
2047 ++++ b/drivers/media/platform/vim2m.c
2048 +@@ -805,10 +805,11 @@ static int vim2m_start_streaming(struct vb2_queue *q, unsigned count)
2049 + static void vim2m_stop_streaming(struct vb2_queue *q)
2050 + {
2051 + struct vim2m_ctx *ctx = vb2_get_drv_priv(q);
2052 ++ struct vim2m_dev *dev = ctx->dev;
2053 + struct vb2_v4l2_buffer *vbuf;
2054 + unsigned long flags;
2055 +
2056 +- flush_scheduled_work();
2057 ++ cancel_delayed_work_sync(&dev->work_run);
2058 + for (;;) {
2059 + if (V4L2_TYPE_IS_OUTPUT(q->type))
2060 + vbuf = v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx);
2061 +diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
2062 +index 673772cd17d6..a88637a42f44 100644
2063 +--- a/drivers/media/platform/vivid/vivid-vid-cap.c
2064 ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
2065 +@@ -449,6 +449,8 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls)
2066 + tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
2067 + break;
2068 + }
2069 ++ vfree(dev->bitmap_cap);
2070 ++ dev->bitmap_cap = NULL;
2071 + vivid_update_quality(dev);
2072 + tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
2073 + dev->crop_cap = dev->src_rect;
2074 +diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
2075 +index 552bbe82a160..877978dbd409 100644
2076 +--- a/drivers/media/rc/rc-main.c
2077 ++++ b/drivers/media/rc/rc-main.c
2078 +@@ -695,7 +695,8 @@ void rc_repeat(struct rc_dev *dev)
2079 + (dev->last_toggle ? LIRC_SCANCODE_FLAG_TOGGLE : 0)
2080 + };
2081 +
2082 +- ir_lirc_scancode_event(dev, &sc);
2083 ++ if (dev->allowed_protocols != RC_PROTO_BIT_CEC)
2084 ++ ir_lirc_scancode_event(dev, &sc);
2085 +
2086 + spin_lock_irqsave(&dev->keylock, flags);
2087 +
2088 +@@ -735,7 +736,8 @@ static void ir_do_keydown(struct rc_dev *dev, enum rc_proto protocol,
2089 + .keycode = keycode
2090 + };
2091 +
2092 +- ir_lirc_scancode_event(dev, &sc);
2093 ++ if (dev->allowed_protocols != RC_PROTO_BIT_CEC)
2094 ++ ir_lirc_scancode_event(dev, &sc);
2095 +
2096 + if (new_event && dev->keypressed)
2097 + ir_do_keyup(dev, false);
2098 +diff --git a/drivers/media/usb/dvb-usb-v2/usb_urb.c b/drivers/media/usb/dvb-usb-v2/usb_urb.c
2099 +index 024c751eb165..2ad2ddeaff51 100644
2100 +--- a/drivers/media/usb/dvb-usb-v2/usb_urb.c
2101 ++++ b/drivers/media/usb/dvb-usb-v2/usb_urb.c
2102 +@@ -155,7 +155,6 @@ static int usb_urb_alloc_bulk_urbs(struct usb_data_stream *stream)
2103 + stream->props.u.bulk.buffersize,
2104 + usb_urb_complete, stream);
2105 +
2106 +- stream->urb_list[i]->transfer_flags = URB_FREE_BUFFER;
2107 + stream->urbs_initialized++;
2108 + }
2109 + return 0;
2110 +@@ -186,7 +185,7 @@ static int usb_urb_alloc_isoc_urbs(struct usb_data_stream *stream)
2111 + urb->complete = usb_urb_complete;
2112 + urb->pipe = usb_rcvisocpipe(stream->udev,
2113 + stream->props.endpoint);
2114 +- urb->transfer_flags = URB_ISO_ASAP | URB_FREE_BUFFER;
2115 ++ urb->transfer_flags = URB_ISO_ASAP;
2116 + urb->interval = stream->props.u.isoc.interval;
2117 + urb->number_of_packets = stream->props.u.isoc.framesperurb;
2118 + urb->transfer_buffer_length = stream->props.u.isoc.framesize *
2119 +@@ -210,7 +209,7 @@ static int usb_free_stream_buffers(struct usb_data_stream *stream)
2120 + if (stream->state & USB_STATE_URB_BUF) {
2121 + while (stream->buf_num) {
2122 + stream->buf_num--;
2123 +- stream->buf_list[stream->buf_num] = NULL;
2124 ++ kfree(stream->buf_list[stream->buf_num]);
2125 + }
2126 + }
2127 +
2128 +diff --git a/drivers/media/v4l2-core/v4l2-fwnode.c b/drivers/media/v4l2-core/v4l2-fwnode.c
2129 +index 218f0da0ce76..edd34cf09cf8 100644
2130 +--- a/drivers/media/v4l2-core/v4l2-fwnode.c
2131 ++++ b/drivers/media/v4l2-core/v4l2-fwnode.c
2132 +@@ -310,8 +310,8 @@ v4l2_fwnode_endpoint_parse_parallel_bus(struct fwnode_handle *fwnode,
2133 + }
2134 +
2135 + if (!fwnode_property_read_u32(fwnode, "data-active", &v)) {
2136 +- flags &= ~(V4L2_MBUS_PCLK_SAMPLE_RISING |
2137 +- V4L2_MBUS_PCLK_SAMPLE_FALLING);
2138 ++ flags &= ~(V4L2_MBUS_DATA_ACTIVE_HIGH |
2139 ++ V4L2_MBUS_DATA_ACTIVE_LOW);
2140 + flags |= v ? V4L2_MBUS_DATA_ACTIVE_HIGH :
2141 + V4L2_MBUS_DATA_ACTIVE_LOW;
2142 + pr_debug("data-active %s\n", v ? "high" : "low");
2143 +diff --git a/drivers/misc/ocxl/config.c b/drivers/misc/ocxl/config.c
2144 +index 57a6bb1fd3c9..8f2c5d8bd2ee 100644
2145 +--- a/drivers/misc/ocxl/config.c
2146 ++++ b/drivers/misc/ocxl/config.c
2147 +@@ -318,7 +318,7 @@ static int read_afu_name(struct pci_dev *dev, struct ocxl_fn_config *fn,
2148 + if (rc)
2149 + return rc;
2150 + ptr = (u32 *) &afu->name[i];
2151 +- *ptr = val;
2152 ++ *ptr = le32_to_cpu((__force __le32) val);
2153 + }
2154 + afu->name[OCXL_AFU_NAME_SZ - 1] = '\0'; /* play safe */
2155 + return 0;
2156 +diff --git a/drivers/misc/ocxl/link.c b/drivers/misc/ocxl/link.c
2157 +index 31695a078485..646d16450066 100644
2158 +--- a/drivers/misc/ocxl/link.c
2159 ++++ b/drivers/misc/ocxl/link.c
2160 +@@ -566,7 +566,7 @@ int ocxl_link_update_pe(void *link_handle, int pasid, __u16 tid)
2161 +
2162 + mutex_lock(&spa->spa_lock);
2163 +
2164 +- pe->tid = tid;
2165 ++ pe->tid = cpu_to_be32(tid);
2166 +
2167 + /*
2168 + * The barrier makes sure the PE is updated
2169 +diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c
2170 +index 650f2b490a05..9dc16a23429a 100644
2171 +--- a/drivers/mtd/nand/raw/marvell_nand.c
2172 ++++ b/drivers/mtd/nand/raw/marvell_nand.c
2173 +@@ -514,9 +514,14 @@ static void marvell_nfc_enable_int(struct marvell_nfc *nfc, u32 int_mask)
2174 + writel_relaxed(reg & ~int_mask, nfc->regs + NDCR);
2175 + }
2176 +
2177 +-static void marvell_nfc_clear_int(struct marvell_nfc *nfc, u32 int_mask)
2178 ++static u32 marvell_nfc_clear_int(struct marvell_nfc *nfc, u32 int_mask)
2179 + {
2180 ++ u32 reg;
2181 ++
2182 ++ reg = readl_relaxed(nfc->regs + NDSR);
2183 + writel_relaxed(int_mask, nfc->regs + NDSR);
2184 ++
2185 ++ return reg & int_mask;
2186 + }
2187 +
2188 + static void marvell_nfc_force_byte_access(struct nand_chip *chip,
2189 +@@ -683,6 +688,7 @@ static int marvell_nfc_wait_cmdd(struct nand_chip *chip)
2190 + static int marvell_nfc_wait_op(struct nand_chip *chip, unsigned int timeout_ms)
2191 + {
2192 + struct marvell_nfc *nfc = to_marvell_nfc(chip->controller);
2193 ++ u32 pending;
2194 + int ret;
2195 +
2196 + /* Timeout is expressed in ms */
2197 +@@ -695,8 +701,13 @@ static int marvell_nfc_wait_op(struct nand_chip *chip, unsigned int timeout_ms)
2198 + ret = wait_for_completion_timeout(&nfc->complete,
2199 + msecs_to_jiffies(timeout_ms));
2200 + marvell_nfc_disable_int(nfc, NDCR_RDYM);
2201 +- marvell_nfc_clear_int(nfc, NDSR_RDY(0) | NDSR_RDY(1));
2202 +- if (!ret) {
2203 ++ pending = marvell_nfc_clear_int(nfc, NDSR_RDY(0) | NDSR_RDY(1));
2204 ++
2205 ++ /*
2206 ++ * In case the interrupt was not served in the required time frame,
2207 ++ * check if the ISR was not served or if something went actually wrong.
2208 ++ */
2209 ++ if (ret && !pending) {
2210 + dev_err(nfc->dev, "Timeout waiting for RB signal\n");
2211 + return -ETIMEDOUT;
2212 + }
2213 +diff --git a/drivers/mtd/nand/raw/nand_jedec.c b/drivers/mtd/nand/raw/nand_jedec.c
2214 +index 5c26492c841d..38b5dc22cb30 100644
2215 +--- a/drivers/mtd/nand/raw/nand_jedec.c
2216 ++++ b/drivers/mtd/nand/raw/nand_jedec.c
2217 +@@ -107,6 +107,8 @@ int nand_jedec_detect(struct nand_chip *chip)
2218 + pr_warn("Invalid codeword size\n");
2219 + }
2220 +
2221 ++ ret = 1;
2222 ++
2223 + free_jedec_param_page:
2224 + kfree(p);
2225 + return ret;
2226 +diff --git a/drivers/mtd/nand/raw/omap2.c b/drivers/mtd/nand/raw/omap2.c
2227 +index 886d05c391ef..68e8b9f7f372 100644
2228 +--- a/drivers/mtd/nand/raw/omap2.c
2229 ++++ b/drivers/mtd/nand/raw/omap2.c
2230 +@@ -1944,7 +1944,7 @@ static int omap_nand_attach_chip(struct nand_chip *chip)
2231 + case NAND_OMAP_PREFETCH_DMA:
2232 + dma_cap_zero(mask);
2233 + dma_cap_set(DMA_SLAVE, mask);
2234 +- info->dma = dma_request_chan(dev, "rxtx");
2235 ++ info->dma = dma_request_chan(dev->parent, "rxtx");
2236 +
2237 + if (IS_ERR(info->dma)) {
2238 + dev_err(dev, "DMA engine request failed\n");
2239 +diff --git a/drivers/mtd/spi-nor/Kconfig b/drivers/mtd/spi-nor/Kconfig
2240 +index 6cc9c929ff57..37775fc09e09 100644
2241 +--- a/drivers/mtd/spi-nor/Kconfig
2242 ++++ b/drivers/mtd/spi-nor/Kconfig
2243 +@@ -41,7 +41,7 @@ config SPI_ASPEED_SMC
2244 +
2245 + config SPI_ATMEL_QUADSPI
2246 + tristate "Atmel Quad SPI Controller"
2247 +- depends on ARCH_AT91 || (ARM && COMPILE_TEST)
2248 ++ depends on ARCH_AT91 || (ARM && COMPILE_TEST && !ARCH_EBSA110)
2249 + depends on OF && HAS_IOMEM
2250 + help
2251 + This enables support for the Quad SPI controller in master mode.
2252 +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
2253 +index b164f705709d..3b5b47e98c73 100644
2254 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
2255 ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
2256 +@@ -9360,10 +9360,16 @@ void bnx2x_chip_cleanup(struct bnx2x *bp, int unload_mode, bool keep_link)
2257 + BNX2X_ERR("Failed to schedule DEL commands for UC MACs list: %d\n",
2258 + rc);
2259 +
2260 +- /* Remove all currently configured VLANs */
2261 +- rc = bnx2x_del_all_vlans(bp);
2262 +- if (rc < 0)
2263 +- BNX2X_ERR("Failed to delete all VLANs\n");
2264 ++ /* The whole *vlan_obj structure may be not initialized if VLAN
2265 ++ * filtering offload is not supported by hardware. Currently this is
2266 ++ * true for all hardware covered by CHIP_IS_E1x().
2267 ++ */
2268 ++ if (!CHIP_IS_E1x(bp)) {
2269 ++ /* Remove all currently configured VLANs */
2270 ++ rc = bnx2x_del_all_vlans(bp);
2271 ++ if (rc < 0)
2272 ++ BNX2X_ERR("Failed to delete all VLANs\n");
2273 ++ }
2274 +
2275 + /* Disable LLH */
2276 + if (!CHIP_IS_E1(bp))
2277 +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
2278 +index a4681780a55d..098d8764c0ea 100644
2279 +--- a/drivers/net/ethernet/ibm/ibmveth.c
2280 ++++ b/drivers/net/ethernet/ibm/ibmveth.c
2281 +@@ -1171,11 +1171,15 @@ out:
2282 +
2283 + map_failed_frags:
2284 + last = i+1;
2285 +- for (i = 0; i < last; i++)
2286 ++ for (i = 1; i < last; i++)
2287 + dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
2288 + descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
2289 + DMA_TO_DEVICE);
2290 +
2291 ++ dma_unmap_single(&adapter->vdev->dev,
2292 ++ descs[0].fields.address,
2293 ++ descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
2294 ++ DMA_TO_DEVICE);
2295 + map_failed:
2296 + if (!firmware_has_feature(FW_FEATURE_CMO))
2297 + netdev_err(netdev, "tx: unable to map xmit buffer\n");
2298 +diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
2299 +index 17e6dcd2eb42..c99dd3f1e6a8 100644
2300 +--- a/drivers/net/hamradio/6pack.c
2301 ++++ b/drivers/net/hamradio/6pack.c
2302 +@@ -523,10 +523,7 @@ static void resync_tnc(struct timer_list *t)
2303 +
2304 +
2305 + /* Start resync timer again -- the TNC might be still absent */
2306 +-
2307 +- del_timer(&sp->resync_t);
2308 +- sp->resync_t.expires = jiffies + SIXP_RESYNC_TIMEOUT;
2309 +- add_timer(&sp->resync_t);
2310 ++ mod_timer(&sp->resync_t, jiffies + SIXP_RESYNC_TIMEOUT);
2311 + }
2312 +
2313 + static inline int tnc_init(struct sixpack *sp)
2314 +@@ -537,9 +534,7 @@ static inline int tnc_init(struct sixpack *sp)
2315 +
2316 + sp->tty->ops->write(sp->tty, &inbyte, 1);
2317 +
2318 +- del_timer(&sp->resync_t);
2319 +- sp->resync_t.expires = jiffies + SIXP_RESYNC_TIMEOUT;
2320 +- add_timer(&sp->resync_t);
2321 ++ mod_timer(&sp->resync_t, jiffies + SIXP_RESYNC_TIMEOUT);
2322 +
2323 + return 0;
2324 + }
2325 +@@ -897,11 +892,8 @@ static void decode_prio_command(struct sixpack *sp, unsigned char cmd)
2326 + /* if the state byte has been received, the TNC is present,
2327 + so the resync timer can be reset. */
2328 +
2329 +- if (sp->tnc_state == TNC_IN_SYNC) {
2330 +- del_timer(&sp->resync_t);
2331 +- sp->resync_t.expires = jiffies + SIXP_INIT_RESYNC_TIMEOUT;
2332 +- add_timer(&sp->resync_t);
2333 +- }
2334 ++ if (sp->tnc_state == TNC_IN_SYNC)
2335 ++ mod_timer(&sp->resync_t, jiffies + SIXP_INIT_RESYNC_TIMEOUT);
2336 +
2337 + sp->status1 = cmd & SIXP_PRIO_DATA_MASK;
2338 + }
2339 +diff --git a/drivers/net/tap.c b/drivers/net/tap.c
2340 +index f03004f37eca..276f800ed57f 100644
2341 +--- a/drivers/net/tap.c
2342 ++++ b/drivers/net/tap.c
2343 +@@ -1177,8 +1177,6 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
2344 + goto err_kfree;
2345 + }
2346 +
2347 +- skb_probe_transport_header(skb, ETH_HLEN);
2348 +-
2349 + /* Move network header to the right position for VLAN tagged packets */
2350 + if ((skb->protocol == htons(ETH_P_8021Q) ||
2351 + skb->protocol == htons(ETH_P_8021AD)) &&
2352 +@@ -1189,6 +1187,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
2353 + tap = rcu_dereference(q->tap);
2354 + if (tap) {
2355 + skb->dev = tap->dev;
2356 ++ skb_probe_transport_header(skb, ETH_HLEN);
2357 + dev_queue_xmit(skb);
2358 + } else {
2359 + kfree_skb(skb);
2360 +diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
2361 +index 1098263ab862..46c3d983b7b7 100644
2362 +--- a/drivers/net/wan/x25_asy.c
2363 ++++ b/drivers/net/wan/x25_asy.c
2364 +@@ -485,8 +485,10 @@ static int x25_asy_open(struct net_device *dev)
2365 +
2366 + /* Cleanup */
2367 + kfree(sl->xbuff);
2368 ++ sl->xbuff = NULL;
2369 + noxbuff:
2370 + kfree(sl->rbuff);
2371 ++ sl->rbuff = NULL;
2372 + norbuff:
2373 + return -ENOMEM;
2374 + }
2375 +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
2376 +index 7f0a5bade70a..c0e3ae7bf2ae 100644
2377 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
2378 ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
2379 +@@ -5196,10 +5196,17 @@ static struct cfg80211_ops brcmf_cfg80211_ops = {
2380 + .del_pmk = brcmf_cfg80211_del_pmk,
2381 + };
2382 +
2383 +-struct cfg80211_ops *brcmf_cfg80211_get_ops(void)
2384 ++struct cfg80211_ops *brcmf_cfg80211_get_ops(struct brcmf_mp_device *settings)
2385 + {
2386 +- return kmemdup(&brcmf_cfg80211_ops, sizeof(brcmf_cfg80211_ops),
2387 ++ struct cfg80211_ops *ops;
2388 ++
2389 ++ ops = kmemdup(&brcmf_cfg80211_ops, sizeof(brcmf_cfg80211_ops),
2390 + GFP_KERNEL);
2391 ++
2392 ++ if (ops && settings->roamoff)
2393 ++ ops->update_connect_params = NULL;
2394 ++
2395 ++ return ops;
2396 + }
2397 +
2398 + struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
2399 +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
2400 +index a4aec0004e4f..9a6287f084a9 100644
2401 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
2402 ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
2403 +@@ -404,7 +404,7 @@ struct brcmf_cfg80211_info *brcmf_cfg80211_attach(struct brcmf_pub *drvr,
2404 + void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg);
2405 + s32 brcmf_cfg80211_up(struct net_device *ndev);
2406 + s32 brcmf_cfg80211_down(struct net_device *ndev);
2407 +-struct cfg80211_ops *brcmf_cfg80211_get_ops(void);
2408 ++struct cfg80211_ops *brcmf_cfg80211_get_ops(struct brcmf_mp_device *settings);
2409 + enum nl80211_iftype brcmf_cfg80211_get_iftype(struct brcmf_if *ifp);
2410 +
2411 + struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
2412 +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
2413 +index b1f702faff4f..860a4372cb56 100644
2414 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
2415 ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
2416 +@@ -1130,7 +1130,7 @@ int brcmf_attach(struct device *dev, struct brcmf_mp_device *settings)
2417 +
2418 + brcmf_dbg(TRACE, "Enter\n");
2419 +
2420 +- ops = brcmf_cfg80211_get_ops();
2421 ++ ops = brcmf_cfg80211_get_ops(settings);
2422 + if (!ops)
2423 + return -ENOMEM;
2424 +
2425 +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
2426 +index 9095b830ae4d..9927079a9ace 100644
2427 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
2428 ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
2429 +@@ -641,8 +641,9 @@ brcmf_fw_alloc_request(u32 chip, u32 chiprev,
2430 + struct brcmf_fw_request *fwreq;
2431 + char chipname[12];
2432 + const char *mp_path;
2433 ++ size_t mp_path_len;
2434 + u32 i, j;
2435 +- char end;
2436 ++ char end = '\0';
2437 + size_t reqsz;
2438 +
2439 + for (i = 0; i < table_size; i++) {
2440 +@@ -667,7 +668,10 @@ brcmf_fw_alloc_request(u32 chip, u32 chiprev,
2441 + mapping_table[i].fw_base, chipname);
2442 +
2443 + mp_path = brcmf_mp_global.firmware_path;
2444 +- end = mp_path[strlen(mp_path) - 1];
2445 ++ mp_path_len = strnlen(mp_path, BRCMF_FW_ALTPATH_LEN);
2446 ++ if (mp_path_len)
2447 ++ end = mp_path[mp_path_len - 1];
2448 ++
2449 + fwreq->n_items = n_fwnames;
2450 +
2451 + for (j = 0; j < n_fwnames; j++) {
2452 +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
2453 +index 9e015212c2c0..8d4711590dfc 100644
2454 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
2455 ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
2456 +@@ -513,6 +513,56 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
2457 + {IWL_PCI_DEVICE(0x24FD, 0x9074, iwl8265_2ac_cfg)},
2458 +
2459 + /* 9000 Series */
2460 ++ {IWL_PCI_DEVICE(0x02F0, 0x0030, iwl9560_2ac_cfg_soc)},
2461 ++ {IWL_PCI_DEVICE(0x02F0, 0x0034, iwl9560_2ac_cfg_soc)},
2462 ++ {IWL_PCI_DEVICE(0x02F0, 0x0038, iwl9560_2ac_cfg_soc)},
2463 ++ {IWL_PCI_DEVICE(0x02F0, 0x003C, iwl9560_2ac_cfg_soc)},
2464 ++ {IWL_PCI_DEVICE(0x02F0, 0x0060, iwl9461_2ac_cfg_soc)},
2465 ++ {IWL_PCI_DEVICE(0x02F0, 0x0064, iwl9461_2ac_cfg_soc)},
2466 ++ {IWL_PCI_DEVICE(0x02F0, 0x00A0, iwl9462_2ac_cfg_soc)},
2467 ++ {IWL_PCI_DEVICE(0x02F0, 0x00A4, iwl9462_2ac_cfg_soc)},
2468 ++ {IWL_PCI_DEVICE(0x02F0, 0x0230, iwl9560_2ac_cfg_soc)},
2469 ++ {IWL_PCI_DEVICE(0x02F0, 0x0234, iwl9560_2ac_cfg_soc)},
2470 ++ {IWL_PCI_DEVICE(0x02F0, 0x0238, iwl9560_2ac_cfg_soc)},
2471 ++ {IWL_PCI_DEVICE(0x02F0, 0x023C, iwl9560_2ac_cfg_soc)},
2472 ++ {IWL_PCI_DEVICE(0x02F0, 0x0260, iwl9461_2ac_cfg_soc)},
2473 ++ {IWL_PCI_DEVICE(0x02F0, 0x0264, iwl9461_2ac_cfg_soc)},
2474 ++ {IWL_PCI_DEVICE(0x02F0, 0x02A0, iwl9462_2ac_cfg_soc)},
2475 ++ {IWL_PCI_DEVICE(0x02F0, 0x02A4, iwl9462_2ac_cfg_soc)},
2476 ++ {IWL_PCI_DEVICE(0x02F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
2477 ++ {IWL_PCI_DEVICE(0x02F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
2478 ++ {IWL_PCI_DEVICE(0x02F0, 0x2030, iwl9560_2ac_cfg_soc)},
2479 ++ {IWL_PCI_DEVICE(0x02F0, 0x2034, iwl9560_2ac_cfg_soc)},
2480 ++ {IWL_PCI_DEVICE(0x02F0, 0x4030, iwl9560_2ac_cfg_soc)},
2481 ++ {IWL_PCI_DEVICE(0x02F0, 0x4034, iwl9560_2ac_cfg_soc)},
2482 ++ {IWL_PCI_DEVICE(0x02F0, 0x40A4, iwl9462_2ac_cfg_soc)},
2483 ++ {IWL_PCI_DEVICE(0x02F0, 0x4234, iwl9560_2ac_cfg_soc)},
2484 ++ {IWL_PCI_DEVICE(0x02F0, 0x42A4, iwl9462_2ac_cfg_soc)},
2485 ++ {IWL_PCI_DEVICE(0x06F0, 0x0030, iwl9560_2ac_cfg_soc)},
2486 ++ {IWL_PCI_DEVICE(0x06F0, 0x0034, iwl9560_2ac_cfg_soc)},
2487 ++ {IWL_PCI_DEVICE(0x06F0, 0x0038, iwl9560_2ac_cfg_soc)},
2488 ++ {IWL_PCI_DEVICE(0x06F0, 0x003C, iwl9560_2ac_cfg_soc)},
2489 ++ {IWL_PCI_DEVICE(0x06F0, 0x0060, iwl9461_2ac_cfg_soc)},
2490 ++ {IWL_PCI_DEVICE(0x06F0, 0x0064, iwl9461_2ac_cfg_soc)},
2491 ++ {IWL_PCI_DEVICE(0x06F0, 0x00A0, iwl9462_2ac_cfg_soc)},
2492 ++ {IWL_PCI_DEVICE(0x06F0, 0x00A4, iwl9462_2ac_cfg_soc)},
2493 ++ {IWL_PCI_DEVICE(0x06F0, 0x0230, iwl9560_2ac_cfg_soc)},
2494 ++ {IWL_PCI_DEVICE(0x06F0, 0x0234, iwl9560_2ac_cfg_soc)},
2495 ++ {IWL_PCI_DEVICE(0x06F0, 0x0238, iwl9560_2ac_cfg_soc)},
2496 ++ {IWL_PCI_DEVICE(0x06F0, 0x023C, iwl9560_2ac_cfg_soc)},
2497 ++ {IWL_PCI_DEVICE(0x06F0, 0x0260, iwl9461_2ac_cfg_soc)},
2498 ++ {IWL_PCI_DEVICE(0x06F0, 0x0264, iwl9461_2ac_cfg_soc)},
2499 ++ {IWL_PCI_DEVICE(0x06F0, 0x02A0, iwl9462_2ac_cfg_soc)},
2500 ++ {IWL_PCI_DEVICE(0x06F0, 0x02A4, iwl9462_2ac_cfg_soc)},
2501 ++ {IWL_PCI_DEVICE(0x06F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
2502 ++ {IWL_PCI_DEVICE(0x06F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
2503 ++ {IWL_PCI_DEVICE(0x06F0, 0x2030, iwl9560_2ac_cfg_soc)},
2504 ++ {IWL_PCI_DEVICE(0x06F0, 0x2034, iwl9560_2ac_cfg_soc)},
2505 ++ {IWL_PCI_DEVICE(0x06F0, 0x4030, iwl9560_2ac_cfg_soc)},
2506 ++ {IWL_PCI_DEVICE(0x06F0, 0x4034, iwl9560_2ac_cfg_soc)},
2507 ++ {IWL_PCI_DEVICE(0x06F0, 0x40A4, iwl9462_2ac_cfg_soc)},
2508 ++ {IWL_PCI_DEVICE(0x06F0, 0x4234, iwl9560_2ac_cfg_soc)},
2509 ++ {IWL_PCI_DEVICE(0x06F0, 0x42A4, iwl9462_2ac_cfg_soc)},
2510 + {IWL_PCI_DEVICE(0x2526, 0x0010, iwl9260_2ac_cfg)},
2511 + {IWL_PCI_DEVICE(0x2526, 0x0014, iwl9260_2ac_cfg)},
2512 + {IWL_PCI_DEVICE(0x2526, 0x0018, iwl9260_2ac_cfg)},
2513 +diff --git a/drivers/rtc/rtc-m41t80.c b/drivers/rtc/rtc-m41t80.c
2514 +index a3fb235fea0d..7431a795a624 100644
2515 +--- a/drivers/rtc/rtc-m41t80.c
2516 ++++ b/drivers/rtc/rtc-m41t80.c
2517 +@@ -393,7 +393,7 @@ static int m41t80_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
2518 + alrm->time.tm_min = bcd2bin(alarmvals[3] & 0x7f);
2519 + alrm->time.tm_hour = bcd2bin(alarmvals[2] & 0x3f);
2520 + alrm->time.tm_mday = bcd2bin(alarmvals[1] & 0x3f);
2521 +- alrm->time.tm_mon = bcd2bin(alarmvals[0] & 0x3f);
2522 ++ alrm->time.tm_mon = bcd2bin(alarmvals[0] & 0x3f) - 1;
2523 +
2524 + alrm->enabled = !!(alarmvals[0] & M41T80_ALMON_AFE);
2525 + alrm->pending = (flags & M41T80_FLAGS_AF) && alrm->enabled;
2526 +diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
2527 +index f35cc10772f6..25abf2d1732a 100644
2528 +--- a/drivers/spi/spi-bcm2835.c
2529 ++++ b/drivers/spi/spi-bcm2835.c
2530 +@@ -88,7 +88,7 @@ struct bcm2835_spi {
2531 + u8 *rx_buf;
2532 + int tx_len;
2533 + int rx_len;
2534 +- bool dma_pending;
2535 ++ unsigned int dma_pending;
2536 + };
2537 +
2538 + static inline u32 bcm2835_rd(struct bcm2835_spi *bs, unsigned reg)
2539 +@@ -155,8 +155,7 @@ static irqreturn_t bcm2835_spi_interrupt(int irq, void *dev_id)
2540 + /* Write as many bytes as possible to FIFO */
2541 + bcm2835_wr_fifo(bs);
2542 +
2543 +- /* based on flags decide if we can finish the transfer */
2544 +- if (bcm2835_rd(bs, BCM2835_SPI_CS) & BCM2835_SPI_CS_DONE) {
2545 ++ if (!bs->rx_len) {
2546 + /* Transfer complete - reset SPI HW */
2547 + bcm2835_spi_reset_hw(master);
2548 + /* wake up the framework */
2549 +@@ -233,10 +232,9 @@ static void bcm2835_spi_dma_done(void *data)
2550 + * is called the tx-dma must have finished - can't get to this
2551 + * situation otherwise...
2552 + */
2553 +- dmaengine_terminate_all(master->dma_tx);
2554 +-
2555 +- /* mark as no longer pending */
2556 +- bs->dma_pending = 0;
2557 ++ if (cmpxchg(&bs->dma_pending, true, false)) {
2558 ++ dmaengine_terminate_all(master->dma_tx);
2559 ++ }
2560 +
2561 + /* and mark as completed */;
2562 + complete(&master->xfer_completion);
2563 +@@ -342,6 +340,7 @@ static int bcm2835_spi_transfer_one_dma(struct spi_master *master,
2564 + if (ret) {
2565 + /* need to reset on errors */
2566 + dmaengine_terminate_all(master->dma_tx);
2567 ++ bs->dma_pending = false;
2568 + bcm2835_spi_reset_hw(master);
2569 + return ret;
2570 + }
2571 +@@ -617,10 +616,9 @@ static void bcm2835_spi_handle_err(struct spi_master *master,
2572 + struct bcm2835_spi *bs = spi_master_get_devdata(master);
2573 +
2574 + /* if an error occurred and we have an active dma, then terminate */
2575 +- if (bs->dma_pending) {
2576 ++ if (cmpxchg(&bs->dma_pending, true, false)) {
2577 + dmaengine_terminate_all(master->dma_tx);
2578 + dmaengine_terminate_all(master->dma_rx);
2579 +- bs->dma_pending = 0;
2580 + }
2581 + /* and reset */
2582 + bcm2835_spi_reset_hw(master);
2583 +diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
2584 +index 781754f36da7..8da66e996d23 100644
2585 +--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
2586 ++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c
2587 +@@ -143,7 +143,6 @@ vc_vchi_audio_init(VCHI_INSTANCE_T vchi_instance,
2588 + dev_err(instance->dev,
2589 + "failed to open VCHI service connection (status=%d)\n",
2590 + status);
2591 +- kfree(instance);
2592 + return -EPERM;
2593 + }
2594 +
2595 +diff --git a/drivers/staging/wilc1000/wilc_sdio.c b/drivers/staging/wilc1000/wilc_sdio.c
2596 +index ca351c950344..5c3e4df804eb 100644
2597 +--- a/drivers/staging/wilc1000/wilc_sdio.c
2598 ++++ b/drivers/staging/wilc1000/wilc_sdio.c
2599 +@@ -841,6 +841,7 @@ static int sdio_read_int(struct wilc *wilc, u32 *int_status)
2600 + if (!sdio_priv->irq_gpio) {
2601 + int i;
2602 +
2603 ++ cmd.read_write = 0;
2604 + cmd.function = 1;
2605 + cmd.address = 0x04;
2606 + cmd.data = 0;
2607 +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
2608 +index 57c66d2c3471..5413a04023f9 100644
2609 +--- a/drivers/tty/serial/xilinx_uartps.c
2610 ++++ b/drivers/tty/serial/xilinx_uartps.c
2611 +@@ -123,7 +123,7 @@ MODULE_PARM_DESC(rx_timeout, "Rx timeout, 1-255");
2612 + #define CDNS_UART_IXR_RXTRIG 0x00000001 /* RX FIFO trigger interrupt */
2613 + #define CDNS_UART_IXR_RXFULL 0x00000004 /* RX FIFO full interrupt. */
2614 + #define CDNS_UART_IXR_RXEMPTY 0x00000002 /* RX FIFO empty interrupt. */
2615 +-#define CDNS_UART_IXR_MASK 0x00001FFF /* Valid bit mask */
2616 ++#define CDNS_UART_IXR_RXMASK 0x000021e7 /* Valid RX bit mask */
2617 +
2618 + /*
2619 + * Do not enable parity error interrupt for the following
2620 +@@ -364,7 +364,7 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id)
2621 + cdns_uart_handle_tx(dev_id);
2622 + isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
2623 + }
2624 +- if (isrstatus & CDNS_UART_IXR_MASK)
2625 ++ if (isrstatus & CDNS_UART_IXR_RXMASK)
2626 + cdns_uart_handle_rx(dev_id, isrstatus);
2627 +
2628 + spin_unlock(&port->lock);
2629 +diff --git a/drivers/usb/Kconfig b/drivers/usb/Kconfig
2630 +index 987fc5ba6321..70e6c956c23c 100644
2631 +--- a/drivers/usb/Kconfig
2632 ++++ b/drivers/usb/Kconfig
2633 +@@ -205,8 +205,4 @@ config USB_ULPI_BUS
2634 + To compile this driver as a module, choose M here: the module will
2635 + be called ulpi.
2636 +
2637 +-config USB_ROLE_SWITCH
2638 +- tristate
2639 +- select USB_COMMON
2640 +-
2641 + endif # USB_SUPPORT
2642 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
2643 +index 1b68fed464cb..ed8c62b2d9d1 100644
2644 +--- a/drivers/usb/class/cdc-acm.c
2645 ++++ b/drivers/usb/class/cdc-acm.c
2646 +@@ -581,6 +581,13 @@ static int acm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
2647 + if (retval)
2648 + goto error_init_termios;
2649 +
2650 ++ /*
2651 ++ * Suppress initial echoing for some devices which might send data
2652 ++ * immediately after acm driver has been installed.
2653 ++ */
2654 ++ if (acm->quirks & DISABLE_ECHO)
2655 ++ tty->termios.c_lflag &= ~ECHO;
2656 ++
2657 + tty->driver_data = acm;
2658 +
2659 + return 0;
2660 +@@ -1657,6 +1664,9 @@ static const struct usb_device_id acm_ids[] = {
2661 + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@×××××.com */
2662 + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
2663 + },
2664 ++ { USB_DEVICE(0x0e8d, 0x2000), /* MediaTek Inc Preloader */
2665 ++ .driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */
2666 ++ },
2667 + { USB_DEVICE(0x0e8d, 0x3329), /* MediaTek Inc GPS */
2668 + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
2669 + },
2670 +diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
2671 +index ca06b20d7af9..515aad0847ee 100644
2672 +--- a/drivers/usb/class/cdc-acm.h
2673 ++++ b/drivers/usb/class/cdc-acm.h
2674 +@@ -140,3 +140,4 @@ struct acm {
2675 + #define QUIRK_CONTROL_LINE_STATE BIT(6)
2676 + #define CLEAR_HALT_CONDITIONS BIT(7)
2677 + #define SEND_ZERO_PACKET BIT(8)
2678 ++#define DISABLE_ECHO BIT(9)
2679 +diff --git a/drivers/usb/common/Makefile b/drivers/usb/common/Makefile
2680 +index fb4d5ef4165c..0a7c45e85481 100644
2681 +--- a/drivers/usb/common/Makefile
2682 ++++ b/drivers/usb/common/Makefile
2683 +@@ -9,4 +9,3 @@ usb-common-$(CONFIG_USB_LED_TRIG) += led.o
2684 +
2685 + obj-$(CONFIG_USB_OTG_FSM) += usb-otg-fsm.o
2686 + obj-$(CONFIG_USB_ULPI_BUS) += ulpi.o
2687 +-obj-$(CONFIG_USB_ROLE_SWITCH) += roles.o
2688 +diff --git a/drivers/usb/common/roles.c b/drivers/usb/common/roles.c
2689 +deleted file mode 100644
2690 +index 99116af07f1d..000000000000
2691 +--- a/drivers/usb/common/roles.c
2692 ++++ /dev/null
2693 +@@ -1,314 +0,0 @@
2694 +-// SPDX-License-Identifier: GPL-2.0
2695 +-/*
2696 +- * USB Role Switch Support
2697 +- *
2698 +- * Copyright (C) 2018 Intel Corporation
2699 +- * Author: Heikki Krogerus <heikki.krogerus@×××××××××××.com>
2700 +- * Hans de Goede <hdegoede@××××××.com>
2701 +- */
2702 +-
2703 +-#include <linux/usb/role.h>
2704 +-#include <linux/device.h>
2705 +-#include <linux/module.h>
2706 +-#include <linux/mutex.h>
2707 +-#include <linux/slab.h>
2708 +-
2709 +-static struct class *role_class;
2710 +-
2711 +-struct usb_role_switch {
2712 +- struct device dev;
2713 +- struct mutex lock; /* device lock*/
2714 +- enum usb_role role;
2715 +-
2716 +- /* From descriptor */
2717 +- struct device *usb2_port;
2718 +- struct device *usb3_port;
2719 +- struct device *udc;
2720 +- usb_role_switch_set_t set;
2721 +- usb_role_switch_get_t get;
2722 +- bool allow_userspace_control;
2723 +-};
2724 +-
2725 +-#define to_role_switch(d) container_of(d, struct usb_role_switch, dev)
2726 +-
2727 +-/**
2728 +- * usb_role_switch_set_role - Set USB role for a switch
2729 +- * @sw: USB role switch
2730 +- * @role: USB role to be switched to
2731 +- *
2732 +- * Set USB role @role for @sw.
2733 +- */
2734 +-int usb_role_switch_set_role(struct usb_role_switch *sw, enum usb_role role)
2735 +-{
2736 +- int ret;
2737 +-
2738 +- if (IS_ERR_OR_NULL(sw))
2739 +- return 0;
2740 +-
2741 +- mutex_lock(&sw->lock);
2742 +-
2743 +- ret = sw->set(sw->dev.parent, role);
2744 +- if (!ret)
2745 +- sw->role = role;
2746 +-
2747 +- mutex_unlock(&sw->lock);
2748 +-
2749 +- return ret;
2750 +-}
2751 +-EXPORT_SYMBOL_GPL(usb_role_switch_set_role);
2752 +-
2753 +-/**
2754 +- * usb_role_switch_get_role - Get the USB role for a switch
2755 +- * @sw: USB role switch
2756 +- *
2757 +- * Depending on the role-switch-driver this function returns either a cached
2758 +- * value of the last set role, or reads back the actual value from the hardware.
2759 +- */
2760 +-enum usb_role usb_role_switch_get_role(struct usb_role_switch *sw)
2761 +-{
2762 +- enum usb_role role;
2763 +-
2764 +- if (IS_ERR_OR_NULL(sw))
2765 +- return USB_ROLE_NONE;
2766 +-
2767 +- mutex_lock(&sw->lock);
2768 +-
2769 +- if (sw->get)
2770 +- role = sw->get(sw->dev.parent);
2771 +- else
2772 +- role = sw->role;
2773 +-
2774 +- mutex_unlock(&sw->lock);
2775 +-
2776 +- return role;
2777 +-}
2778 +-EXPORT_SYMBOL_GPL(usb_role_switch_get_role);
2779 +-
2780 +-static int __switch_match(struct device *dev, const void *name)
2781 +-{
2782 +- return !strcmp((const char *)name, dev_name(dev));
2783 +-}
2784 +-
2785 +-static void *usb_role_switch_match(struct device_connection *con, int ep,
2786 +- void *data)
2787 +-{
2788 +- struct device *dev;
2789 +-
2790 +- dev = class_find_device(role_class, NULL, con->endpoint[ep],
2791 +- __switch_match);
2792 +-
2793 +- return dev ? to_role_switch(dev) : ERR_PTR(-EPROBE_DEFER);
2794 +-}
2795 +-
2796 +-/**
2797 +- * usb_role_switch_get - Find USB role switch linked with the caller
2798 +- * @dev: The caller device
2799 +- *
2800 +- * Finds and returns role switch linked with @dev. The reference count for the
2801 +- * found switch is incremented.
2802 +- */
2803 +-struct usb_role_switch *usb_role_switch_get(struct device *dev)
2804 +-{
2805 +- struct usb_role_switch *sw;
2806 +-
2807 +- sw = device_connection_find_match(dev, "usb-role-switch", NULL,
2808 +- usb_role_switch_match);
2809 +-
2810 +- if (!IS_ERR_OR_NULL(sw))
2811 +- WARN_ON(!try_module_get(sw->dev.parent->driver->owner));
2812 +-
2813 +- return sw;
2814 +-}
2815 +-EXPORT_SYMBOL_GPL(usb_role_switch_get);
2816 +-
2817 +-/**
2818 +- * usb_role_switch_put - Release handle to a switch
2819 +- * @sw: USB Role Switch
2820 +- *
2821 +- * Decrement reference count for @sw.
2822 +- */
2823 +-void usb_role_switch_put(struct usb_role_switch *sw)
2824 +-{
2825 +- if (!IS_ERR_OR_NULL(sw)) {
2826 +- put_device(&sw->dev);
2827 +- module_put(sw->dev.parent->driver->owner);
2828 +- }
2829 +-}
2830 +-EXPORT_SYMBOL_GPL(usb_role_switch_put);
2831 +-
2832 +-static umode_t
2833 +-usb_role_switch_is_visible(struct kobject *kobj, struct attribute *attr, int n)
2834 +-{
2835 +- struct device *dev = container_of(kobj, typeof(*dev), kobj);
2836 +- struct usb_role_switch *sw = to_role_switch(dev);
2837 +-
2838 +- if (sw->allow_userspace_control)
2839 +- return attr->mode;
2840 +-
2841 +- return 0;
2842 +-}
2843 +-
2844 +-static const char * const usb_roles[] = {
2845 +- [USB_ROLE_NONE] = "none",
2846 +- [USB_ROLE_HOST] = "host",
2847 +- [USB_ROLE_DEVICE] = "device",
2848 +-};
2849 +-
2850 +-static ssize_t
2851 +-role_show(struct device *dev, struct device_attribute *attr, char *buf)
2852 +-{
2853 +- struct usb_role_switch *sw = to_role_switch(dev);
2854 +- enum usb_role role = usb_role_switch_get_role(sw);
2855 +-
2856 +- return sprintf(buf, "%s\n", usb_roles[role]);
2857 +-}
2858 +-
2859 +-static ssize_t role_store(struct device *dev, struct device_attribute *attr,
2860 +- const char *buf, size_t size)
2861 +-{
2862 +- struct usb_role_switch *sw = to_role_switch(dev);
2863 +- int ret;
2864 +-
2865 +- ret = sysfs_match_string(usb_roles, buf);
2866 +- if (ret < 0) {
2867 +- bool res;
2868 +-
2869 +- /* Extra check if the user wants to disable the switch */
2870 +- ret = kstrtobool(buf, &res);
2871 +- if (ret || res)
2872 +- return -EINVAL;
2873 +- }
2874 +-
2875 +- ret = usb_role_switch_set_role(sw, ret);
2876 +- if (ret)
2877 +- return ret;
2878 +-
2879 +- return size;
2880 +-}
2881 +-static DEVICE_ATTR_RW(role);
2882 +-
2883 +-static struct attribute *usb_role_switch_attrs[] = {
2884 +- &dev_attr_role.attr,
2885 +- NULL,
2886 +-};
2887 +-
2888 +-static const struct attribute_group usb_role_switch_group = {
2889 +- .is_visible = usb_role_switch_is_visible,
2890 +- .attrs = usb_role_switch_attrs,
2891 +-};
2892 +-
2893 +-static const struct attribute_group *usb_role_switch_groups[] = {
2894 +- &usb_role_switch_group,
2895 +- NULL,
2896 +-};
2897 +-
2898 +-static int
2899 +-usb_role_switch_uevent(struct device *dev, struct kobj_uevent_env *env)
2900 +-{
2901 +- int ret;
2902 +-
2903 +- ret = add_uevent_var(env, "USB_ROLE_SWITCH=%s", dev_name(dev));
2904 +- if (ret)
2905 +- dev_err(dev, "failed to add uevent USB_ROLE_SWITCH\n");
2906 +-
2907 +- return ret;
2908 +-}
2909 +-
2910 +-static void usb_role_switch_release(struct device *dev)
2911 +-{
2912 +- struct usb_role_switch *sw = to_role_switch(dev);
2913 +-
2914 +- kfree(sw);
2915 +-}
2916 +-
2917 +-static const struct device_type usb_role_dev_type = {
2918 +- .name = "usb_role_switch",
2919 +- .groups = usb_role_switch_groups,
2920 +- .uevent = usb_role_switch_uevent,
2921 +- .release = usb_role_switch_release,
2922 +-};
2923 +-
2924 +-/**
2925 +- * usb_role_switch_register - Register USB Role Switch
2926 +- * @parent: Parent device for the switch
2927 +- * @desc: Description of the switch
2928 +- *
2929 +- * USB Role Switch is a device capable or choosing the role for USB connector.
2930 +- * On platforms where the USB controller is dual-role capable, the controller
2931 +- * driver will need to register the switch. On platforms where the USB host and
2932 +- * USB device controllers behind the connector are separate, there will be a
2933 +- * mux, and the driver for that mux will need to register the switch.
2934 +- *
2935 +- * Returns handle to a new role switch or ERR_PTR. The content of @desc is
2936 +- * copied.
2937 +- */
2938 +-struct usb_role_switch *
2939 +-usb_role_switch_register(struct device *parent,
2940 +- const struct usb_role_switch_desc *desc)
2941 +-{
2942 +- struct usb_role_switch *sw;
2943 +- int ret;
2944 +-
2945 +- if (!desc || !desc->set)
2946 +- return ERR_PTR(-EINVAL);
2947 +-
2948 +- sw = kzalloc(sizeof(*sw), GFP_KERNEL);
2949 +- if (!sw)
2950 +- return ERR_PTR(-ENOMEM);
2951 +-
2952 +- mutex_init(&sw->lock);
2953 +-
2954 +- sw->allow_userspace_control = desc->allow_userspace_control;
2955 +- sw->usb2_port = desc->usb2_port;
2956 +- sw->usb3_port = desc->usb3_port;
2957 +- sw->udc = desc->udc;
2958 +- sw->set = desc->set;
2959 +- sw->get = desc->get;
2960 +-
2961 +- sw->dev.parent = parent;
2962 +- sw->dev.class = role_class;
2963 +- sw->dev.type = &usb_role_dev_type;
2964 +- dev_set_name(&sw->dev, "%s-role-switch", dev_name(parent));
2965 +-
2966 +- ret = device_register(&sw->dev);
2967 +- if (ret) {
2968 +- put_device(&sw->dev);
2969 +- return ERR_PTR(ret);
2970 +- }
2971 +-
2972 +- /* TODO: Symlinks for the host port and the device controller. */
2973 +-
2974 +- return sw;
2975 +-}
2976 +-EXPORT_SYMBOL_GPL(usb_role_switch_register);
2977 +-
2978 +-/**
2979 +- * usb_role_switch_unregister - Unregsiter USB Role Switch
2980 +- * @sw: USB Role Switch
2981 +- *
2982 +- * Unregister switch that was registered with usb_role_switch_register().
2983 +- */
2984 +-void usb_role_switch_unregister(struct usb_role_switch *sw)
2985 +-{
2986 +- if (!IS_ERR_OR_NULL(sw))
2987 +- device_unregister(&sw->dev);
2988 +-}
2989 +-EXPORT_SYMBOL_GPL(usb_role_switch_unregister);
2990 +-
2991 +-static int __init usb_roles_init(void)
2992 +-{
2993 +- role_class = class_create(THIS_MODULE, "usb_role");
2994 +- return PTR_ERR_OR_ZERO(role_class);
2995 +-}
2996 +-subsys_initcall(usb_roles_init);
2997 +-
2998 +-static void __exit usb_roles_exit(void)
2999 +-{
3000 +- class_destroy(role_class);
3001 +-}
3002 +-module_exit(usb_roles_exit);
3003 +-
3004 +-MODULE_AUTHOR("Heikki Krogerus <heikki.krogerus@×××××××××××.com>");
3005 +-MODULE_AUTHOR("Hans de Goede <hdegoede@××××××.com>");
3006 +-MODULE_LICENSE("GPL v2");
3007 +-MODULE_DESCRIPTION("USB Role Class");
3008 +diff --git a/drivers/usb/dwc2/hcd.h b/drivers/usb/dwc2/hcd.h
3009 +index 3f9bccc95add..c089ffa1f0a8 100644
3010 +--- a/drivers/usb/dwc2/hcd.h
3011 ++++ b/drivers/usb/dwc2/hcd.h
3012 +@@ -366,7 +366,7 @@ struct dwc2_qh {
3013 + u32 desc_list_sz;
3014 + u32 *n_bytes;
3015 + struct timer_list unreserve_timer;
3016 +- struct timer_list wait_timer;
3017 ++ struct hrtimer wait_timer;
3018 + struct dwc2_tt *dwc_tt;
3019 + int ttport;
3020 + unsigned tt_buffer_dirty:1;
3021 +diff --git a/drivers/usb/dwc2/hcd_queue.c b/drivers/usb/dwc2/hcd_queue.c
3022 +index 40839591d2ec..ea3aa640c15c 100644
3023 +--- a/drivers/usb/dwc2/hcd_queue.c
3024 ++++ b/drivers/usb/dwc2/hcd_queue.c
3025 +@@ -59,7 +59,7 @@
3026 + #define DWC2_UNRESERVE_DELAY (msecs_to_jiffies(5))
3027 +
3028 + /* If we get a NAK, wait this long before retrying */
3029 +-#define DWC2_RETRY_WAIT_DELAY (msecs_to_jiffies(1))
3030 ++#define DWC2_RETRY_WAIT_DELAY 1*1E6L
3031 +
3032 + /**
3033 + * dwc2_periodic_channel_available() - Checks that a channel is available for a
3034 +@@ -1464,10 +1464,12 @@ static void dwc2_deschedule_periodic(struct dwc2_hsotg *hsotg,
3035 + * qh back to the "inactive" list, then queues transactions.
3036 + *
3037 + * @t: Pointer to wait_timer in a qh.
3038 ++ *
3039 ++ * Return: HRTIMER_NORESTART to not automatically restart this timer.
3040 + */
3041 +-static void dwc2_wait_timer_fn(struct timer_list *t)
3042 ++static enum hrtimer_restart dwc2_wait_timer_fn(struct hrtimer *t)
3043 + {
3044 +- struct dwc2_qh *qh = from_timer(qh, t, wait_timer);
3045 ++ struct dwc2_qh *qh = container_of(t, struct dwc2_qh, wait_timer);
3046 + struct dwc2_hsotg *hsotg = qh->hsotg;
3047 + unsigned long flags;
3048 +
3049 +@@ -1491,6 +1493,7 @@ static void dwc2_wait_timer_fn(struct timer_list *t)
3050 + }
3051 +
3052 + spin_unlock_irqrestore(&hsotg->lock, flags);
3053 ++ return HRTIMER_NORESTART;
3054 + }
3055 +
3056 + /**
3057 +@@ -1521,7 +1524,8 @@ static void dwc2_qh_init(struct dwc2_hsotg *hsotg, struct dwc2_qh *qh,
3058 + /* Initialize QH */
3059 + qh->hsotg = hsotg;
3060 + timer_setup(&qh->unreserve_timer, dwc2_unreserve_timer_fn, 0);
3061 +- timer_setup(&qh->wait_timer, dwc2_wait_timer_fn, 0);
3062 ++ hrtimer_init(&qh->wait_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
3063 ++ qh->wait_timer.function = &dwc2_wait_timer_fn;
3064 + qh->ep_type = ep_type;
3065 + qh->ep_is_in = ep_is_in;
3066 +
3067 +@@ -1690,7 +1694,7 @@ void dwc2_hcd_qh_free(struct dwc2_hsotg *hsotg, struct dwc2_qh *qh)
3068 + * won't do anything anyway, but we want it to finish before we free
3069 + * memory.
3070 + */
3071 +- del_timer_sync(&qh->wait_timer);
3072 ++ hrtimer_cancel(&qh->wait_timer);
3073 +
3074 + dwc2_host_put_tt_info(hsotg, qh->dwc_tt);
3075 +
3076 +@@ -1716,6 +1720,7 @@ int dwc2_hcd_qh_add(struct dwc2_hsotg *hsotg, struct dwc2_qh *qh)
3077 + {
3078 + int status;
3079 + u32 intr_mask;
3080 ++ ktime_t delay;
3081 +
3082 + if (dbg_qh(qh))
3083 + dev_vdbg(hsotg->dev, "%s()\n", __func__);
3084 +@@ -1734,8 +1739,8 @@ int dwc2_hcd_qh_add(struct dwc2_hsotg *hsotg, struct dwc2_qh *qh)
3085 + list_add_tail(&qh->qh_list_entry,
3086 + &hsotg->non_periodic_sched_waiting);
3087 + qh->wait_timer_cancel = false;
3088 +- mod_timer(&qh->wait_timer,
3089 +- jiffies + DWC2_RETRY_WAIT_DELAY + 1);
3090 ++ delay = ktime_set(0, DWC2_RETRY_WAIT_DELAY);
3091 ++ hrtimer_start(&qh->wait_timer, delay, HRTIMER_MODE_REL);
3092 + } else {
3093 + list_add_tail(&qh->qh_list_entry,
3094 + &hsotg->non_periodic_sched_inactive);
3095 +diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c
3096 +index 7c1b6938f212..38c813b1d203 100644
3097 +--- a/drivers/usb/dwc2/params.c
3098 ++++ b/drivers/usb/dwc2/params.c
3099 +@@ -111,6 +111,7 @@ static void dwc2_set_amlogic_params(struct dwc2_hsotg *hsotg)
3100 + p->phy_type = DWC2_PHY_TYPE_PARAM_UTMI;
3101 + p->ahbcfg = GAHBCFG_HBSTLEN_INCR8 <<
3102 + GAHBCFG_HBSTLEN_SHIFT;
3103 ++ p->power_down = DWC2_POWER_DOWN_PARAM_NONE;
3104 + }
3105 +
3106 + static void dwc2_set_amcc_params(struct dwc2_hsotg *hsotg)
3107 +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
3108 +index 842795856bf4..fdc6e4e403e8 100644
3109 +--- a/drivers/usb/dwc3/dwc3-pci.c
3110 ++++ b/drivers/usb/dwc3/dwc3-pci.c
3111 +@@ -170,20 +170,20 @@ static int dwc3_pci_quirks(struct dwc3_pci *dwc)
3112 + * put the gpio descriptors again here because the phy driver
3113 + * might want to grab them, too.
3114 + */
3115 +- gpio = devm_gpiod_get_optional(&pdev->dev, "cs",
3116 +- GPIOD_OUT_LOW);
3117 ++ gpio = gpiod_get_optional(&pdev->dev, "cs", GPIOD_OUT_LOW);
3118 + if (IS_ERR(gpio))
3119 + return PTR_ERR(gpio);
3120 +
3121 + gpiod_set_value_cansleep(gpio, 1);
3122 ++ gpiod_put(gpio);
3123 +
3124 +- gpio = devm_gpiod_get_optional(&pdev->dev, "reset",
3125 +- GPIOD_OUT_LOW);
3126 ++ gpio = gpiod_get_optional(&pdev->dev, "reset", GPIOD_OUT_LOW);
3127 + if (IS_ERR(gpio))
3128 + return PTR_ERR(gpio);
3129 +
3130 + if (gpio) {
3131 + gpiod_set_value_cansleep(gpio, 1);
3132 ++ gpiod_put(gpio);
3133 + usleep_range(10000, 11000);
3134 + }
3135 + }
3136 +diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c
3137 +index 984892dd72f5..42668aeca57c 100644
3138 +--- a/drivers/usb/host/r8a66597-hcd.c
3139 ++++ b/drivers/usb/host/r8a66597-hcd.c
3140 +@@ -1979,6 +1979,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb,
3141 +
3142 + static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
3143 + struct usb_host_endpoint *hep)
3144 ++__acquires(r8a66597->lock)
3145 ++__releases(r8a66597->lock)
3146 + {
3147 + struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
3148 + struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
3149 +@@ -1991,13 +1993,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
3150 + return;
3151 + pipenum = pipe->info.pipenum;
3152 +
3153 ++ spin_lock_irqsave(&r8a66597->lock, flags);
3154 + if (pipenum == 0) {
3155 + kfree(hep->hcpriv);
3156 + hep->hcpriv = NULL;
3157 ++ spin_unlock_irqrestore(&r8a66597->lock, flags);
3158 + return;
3159 + }
3160 +
3161 +- spin_lock_irqsave(&r8a66597->lock, flags);
3162 + pipe_stop(r8a66597, pipe);
3163 + pipe_irq_disable(r8a66597, pipenum);
3164 + disable_irq_empty(r8a66597, pipenum);
3165 +diff --git a/drivers/usb/roles/Kconfig b/drivers/usb/roles/Kconfig
3166 +index f5a5e6f79f1b..e4194ac94510 100644
3167 +--- a/drivers/usb/roles/Kconfig
3168 ++++ b/drivers/usb/roles/Kconfig
3169 +@@ -1,3 +1,16 @@
3170 ++config USB_ROLE_SWITCH
3171 ++ tristate "USB Role Switch Support"
3172 ++ help
3173 ++ USB Role Switch is a device that can select the USB role - host or
3174 ++ device - for a USB port (connector). In most cases dual-role capable
3175 ++ USB controller will also represent the switch, but on some platforms
3176 ++ multiplexer/demultiplexer switch is used to route the data lines on
3177 ++ the USB connector between separate USB host and device controllers.
3178 ++
3179 ++ Say Y here if your USB connectors support both device and host roles.
3180 ++ To compile the driver as module, choose M here: the module will be
3181 ++ called roles.ko.
3182 ++
3183 + if USB_ROLE_SWITCH
3184 +
3185 + config USB_ROLES_INTEL_XHCI
3186 +diff --git a/drivers/usb/roles/Makefile b/drivers/usb/roles/Makefile
3187 +index e44b179ba275..c02873206fc1 100644
3188 +--- a/drivers/usb/roles/Makefile
3189 ++++ b/drivers/usb/roles/Makefile
3190 +@@ -1 +1,3 @@
3191 +-obj-$(CONFIG_USB_ROLES_INTEL_XHCI) += intel-xhci-usb-role-switch.o
3192 ++obj-$(CONFIG_USB_ROLE_SWITCH) += roles.o
3193 ++roles-y := class.o
3194 ++obj-$(CONFIG_USB_ROLES_INTEL_XHCI) += intel-xhci-usb-role-switch.o
3195 +diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c
3196 +new file mode 100644
3197 +index 000000000000..99116af07f1d
3198 +--- /dev/null
3199 ++++ b/drivers/usb/roles/class.c
3200 +@@ -0,0 +1,314 @@
3201 ++// SPDX-License-Identifier: GPL-2.0
3202 ++/*
3203 ++ * USB Role Switch Support
3204 ++ *
3205 ++ * Copyright (C) 2018 Intel Corporation
3206 ++ * Author: Heikki Krogerus <heikki.krogerus@×××××××××××.com>
3207 ++ * Hans de Goede <hdegoede@××××××.com>
3208 ++ */
3209 ++
3210 ++#include <linux/usb/role.h>
3211 ++#include <linux/device.h>
3212 ++#include <linux/module.h>
3213 ++#include <linux/mutex.h>
3214 ++#include <linux/slab.h>
3215 ++
3216 ++static struct class *role_class;
3217 ++
3218 ++struct usb_role_switch {
3219 ++ struct device dev;
3220 ++ struct mutex lock; /* device lock*/
3221 ++ enum usb_role role;
3222 ++
3223 ++ /* From descriptor */
3224 ++ struct device *usb2_port;
3225 ++ struct device *usb3_port;
3226 ++ struct device *udc;
3227 ++ usb_role_switch_set_t set;
3228 ++ usb_role_switch_get_t get;
3229 ++ bool allow_userspace_control;
3230 ++};
3231 ++
3232 ++#define to_role_switch(d) container_of(d, struct usb_role_switch, dev)
3233 ++
3234 ++/**
3235 ++ * usb_role_switch_set_role - Set USB role for a switch
3236 ++ * @sw: USB role switch
3237 ++ * @role: USB role to be switched to
3238 ++ *
3239 ++ * Set USB role @role for @sw.
3240 ++ */
3241 ++int usb_role_switch_set_role(struct usb_role_switch *sw, enum usb_role role)
3242 ++{
3243 ++ int ret;
3244 ++
3245 ++ if (IS_ERR_OR_NULL(sw))
3246 ++ return 0;
3247 ++
3248 ++ mutex_lock(&sw->lock);
3249 ++
3250 ++ ret = sw->set(sw->dev.parent, role);
3251 ++ if (!ret)
3252 ++ sw->role = role;
3253 ++
3254 ++ mutex_unlock(&sw->lock);
3255 ++
3256 ++ return ret;
3257 ++}
3258 ++EXPORT_SYMBOL_GPL(usb_role_switch_set_role);
3259 ++
3260 ++/**
3261 ++ * usb_role_switch_get_role - Get the USB role for a switch
3262 ++ * @sw: USB role switch
3263 ++ *
3264 ++ * Depending on the role-switch-driver this function returns either a cached
3265 ++ * value of the last set role, or reads back the actual value from the hardware.
3266 ++ */
3267 ++enum usb_role usb_role_switch_get_role(struct usb_role_switch *sw)
3268 ++{
3269 ++ enum usb_role role;
3270 ++
3271 ++ if (IS_ERR_OR_NULL(sw))
3272 ++ return USB_ROLE_NONE;
3273 ++
3274 ++ mutex_lock(&sw->lock);
3275 ++
3276 ++ if (sw->get)
3277 ++ role = sw->get(sw->dev.parent);
3278 ++ else
3279 ++ role = sw->role;
3280 ++
3281 ++ mutex_unlock(&sw->lock);
3282 ++
3283 ++ return role;
3284 ++}
3285 ++EXPORT_SYMBOL_GPL(usb_role_switch_get_role);
3286 ++
3287 ++static int __switch_match(struct device *dev, const void *name)
3288 ++{
3289 ++ return !strcmp((const char *)name, dev_name(dev));
3290 ++}
3291 ++
3292 ++static void *usb_role_switch_match(struct device_connection *con, int ep,
3293 ++ void *data)
3294 ++{
3295 ++ struct device *dev;
3296 ++
3297 ++ dev = class_find_device(role_class, NULL, con->endpoint[ep],
3298 ++ __switch_match);
3299 ++
3300 ++ return dev ? to_role_switch(dev) : ERR_PTR(-EPROBE_DEFER);
3301 ++}
3302 ++
3303 ++/**
3304 ++ * usb_role_switch_get - Find USB role switch linked with the caller
3305 ++ * @dev: The caller device
3306 ++ *
3307 ++ * Finds and returns role switch linked with @dev. The reference count for the
3308 ++ * found switch is incremented.
3309 ++ */
3310 ++struct usb_role_switch *usb_role_switch_get(struct device *dev)
3311 ++{
3312 ++ struct usb_role_switch *sw;
3313 ++
3314 ++ sw = device_connection_find_match(dev, "usb-role-switch", NULL,
3315 ++ usb_role_switch_match);
3316 ++
3317 ++ if (!IS_ERR_OR_NULL(sw))
3318 ++ WARN_ON(!try_module_get(sw->dev.parent->driver->owner));
3319 ++
3320 ++ return sw;
3321 ++}
3322 ++EXPORT_SYMBOL_GPL(usb_role_switch_get);
3323 ++
3324 ++/**
3325 ++ * usb_role_switch_put - Release handle to a switch
3326 ++ * @sw: USB Role Switch
3327 ++ *
3328 ++ * Decrement reference count for @sw.
3329 ++ */
3330 ++void usb_role_switch_put(struct usb_role_switch *sw)
3331 ++{
3332 ++ if (!IS_ERR_OR_NULL(sw)) {
3333 ++ put_device(&sw->dev);
3334 ++ module_put(sw->dev.parent->driver->owner);
3335 ++ }
3336 ++}
3337 ++EXPORT_SYMBOL_GPL(usb_role_switch_put);
3338 ++
3339 ++static umode_t
3340 ++usb_role_switch_is_visible(struct kobject *kobj, struct attribute *attr, int n)
3341 ++{
3342 ++ struct device *dev = container_of(kobj, typeof(*dev), kobj);
3343 ++ struct usb_role_switch *sw = to_role_switch(dev);
3344 ++
3345 ++ if (sw->allow_userspace_control)
3346 ++ return attr->mode;
3347 ++
3348 ++ return 0;
3349 ++}
3350 ++
3351 ++static const char * const usb_roles[] = {
3352 ++ [USB_ROLE_NONE] = "none",
3353 ++ [USB_ROLE_HOST] = "host",
3354 ++ [USB_ROLE_DEVICE] = "device",
3355 ++};
3356 ++
3357 ++static ssize_t
3358 ++role_show(struct device *dev, struct device_attribute *attr, char *buf)
3359 ++{
3360 ++ struct usb_role_switch *sw = to_role_switch(dev);
3361 ++ enum usb_role role = usb_role_switch_get_role(sw);
3362 ++
3363 ++ return sprintf(buf, "%s\n", usb_roles[role]);
3364 ++}
3365 ++
3366 ++static ssize_t role_store(struct device *dev, struct device_attribute *attr,
3367 ++ const char *buf, size_t size)
3368 ++{
3369 ++ struct usb_role_switch *sw = to_role_switch(dev);
3370 ++ int ret;
3371 ++
3372 ++ ret = sysfs_match_string(usb_roles, buf);
3373 ++ if (ret < 0) {
3374 ++ bool res;
3375 ++
3376 ++ /* Extra check if the user wants to disable the switch */
3377 ++ ret = kstrtobool(buf, &res);
3378 ++ if (ret || res)
3379 ++ return -EINVAL;
3380 ++ }
3381 ++
3382 ++ ret = usb_role_switch_set_role(sw, ret);
3383 ++ if (ret)
3384 ++ return ret;
3385 ++
3386 ++ return size;
3387 ++}
3388 ++static DEVICE_ATTR_RW(role);
3389 ++
3390 ++static struct attribute *usb_role_switch_attrs[] = {
3391 ++ &dev_attr_role.attr,
3392 ++ NULL,
3393 ++};
3394 ++
3395 ++static const struct attribute_group usb_role_switch_group = {
3396 ++ .is_visible = usb_role_switch_is_visible,
3397 ++ .attrs = usb_role_switch_attrs,
3398 ++};
3399 ++
3400 ++static const struct attribute_group *usb_role_switch_groups[] = {
3401 ++ &usb_role_switch_group,
3402 ++ NULL,
3403 ++};
3404 ++
3405 ++static int
3406 ++usb_role_switch_uevent(struct device *dev, struct kobj_uevent_env *env)
3407 ++{
3408 ++ int ret;
3409 ++
3410 ++ ret = add_uevent_var(env, "USB_ROLE_SWITCH=%s", dev_name(dev));
3411 ++ if (ret)
3412 ++ dev_err(dev, "failed to add uevent USB_ROLE_SWITCH\n");
3413 ++
3414 ++ return ret;
3415 ++}
3416 ++
3417 ++static void usb_role_switch_release(struct device *dev)
3418 ++{
3419 ++ struct usb_role_switch *sw = to_role_switch(dev);
3420 ++
3421 ++ kfree(sw);
3422 ++}
3423 ++
3424 ++static const struct device_type usb_role_dev_type = {
3425 ++ .name = "usb_role_switch",
3426 ++ .groups = usb_role_switch_groups,
3427 ++ .uevent = usb_role_switch_uevent,
3428 ++ .release = usb_role_switch_release,
3429 ++};
3430 ++
3431 ++/**
3432 ++ * usb_role_switch_register - Register USB Role Switch
3433 ++ * @parent: Parent device for the switch
3434 ++ * @desc: Description of the switch
3435 ++ *
3436 ++ * USB Role Switch is a device capable or choosing the role for USB connector.
3437 ++ * On platforms where the USB controller is dual-role capable, the controller
3438 ++ * driver will need to register the switch. On platforms where the USB host and
3439 ++ * USB device controllers behind the connector are separate, there will be a
3440 ++ * mux, and the driver for that mux will need to register the switch.
3441 ++ *
3442 ++ * Returns handle to a new role switch or ERR_PTR. The content of @desc is
3443 ++ * copied.
3444 ++ */
3445 ++struct usb_role_switch *
3446 ++usb_role_switch_register(struct device *parent,
3447 ++ const struct usb_role_switch_desc *desc)
3448 ++{
3449 ++ struct usb_role_switch *sw;
3450 ++ int ret;
3451 ++
3452 ++ if (!desc || !desc->set)
3453 ++ return ERR_PTR(-EINVAL);
3454 ++
3455 ++ sw = kzalloc(sizeof(*sw), GFP_KERNEL);
3456 ++ if (!sw)
3457 ++ return ERR_PTR(-ENOMEM);
3458 ++
3459 ++ mutex_init(&sw->lock);
3460 ++
3461 ++ sw->allow_userspace_control = desc->allow_userspace_control;
3462 ++ sw->usb2_port = desc->usb2_port;
3463 ++ sw->usb3_port = desc->usb3_port;
3464 ++ sw->udc = desc->udc;
3465 ++ sw->set = desc->set;
3466 ++ sw->get = desc->get;
3467 ++
3468 ++ sw->dev.parent = parent;
3469 ++ sw->dev.class = role_class;
3470 ++ sw->dev.type = &usb_role_dev_type;
3471 ++ dev_set_name(&sw->dev, "%s-role-switch", dev_name(parent));
3472 ++
3473 ++ ret = device_register(&sw->dev);
3474 ++ if (ret) {
3475 ++ put_device(&sw->dev);
3476 ++ return ERR_PTR(ret);
3477 ++ }
3478 ++
3479 ++ /* TODO: Symlinks for the host port and the device controller. */
3480 ++
3481 ++ return sw;
3482 ++}
3483 ++EXPORT_SYMBOL_GPL(usb_role_switch_register);
3484 ++
3485 ++/**
3486 ++ * usb_role_switch_unregister - Unregsiter USB Role Switch
3487 ++ * @sw: USB Role Switch
3488 ++ *
3489 ++ * Unregister switch that was registered with usb_role_switch_register().
3490 ++ */
3491 ++void usb_role_switch_unregister(struct usb_role_switch *sw)
3492 ++{
3493 ++ if (!IS_ERR_OR_NULL(sw))
3494 ++ device_unregister(&sw->dev);
3495 ++}
3496 ++EXPORT_SYMBOL_GPL(usb_role_switch_unregister);
3497 ++
3498 ++static int __init usb_roles_init(void)
3499 ++{
3500 ++ role_class = class_create(THIS_MODULE, "usb_role");
3501 ++ return PTR_ERR_OR_ZERO(role_class);
3502 ++}
3503 ++subsys_initcall(usb_roles_init);
3504 ++
3505 ++static void __exit usb_roles_exit(void)
3506 ++{
3507 ++ class_destroy(role_class);
3508 ++}
3509 ++module_exit(usb_roles_exit);
3510 ++
3511 ++MODULE_AUTHOR("Heikki Krogerus <heikki.krogerus@×××××××××××.com>");
3512 ++MODULE_AUTHOR("Hans de Goede <hdegoede@××××××.com>");
3513 ++MODULE_LICENSE("GPL v2");
3514 ++MODULE_DESCRIPTION("USB Role Class");
3515 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
3516 +index 1ce27f3ff7a7..aef15497ff31 100644
3517 +--- a/drivers/usb/serial/option.c
3518 ++++ b/drivers/usb/serial/option.c
3519 +@@ -1955,6 +1955,10 @@ static const struct usb_device_id option_ids[] = {
3520 + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
3521 + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
3522 + .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
3523 ++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
3524 ++ .driver_info = RSVD(4) | RSVD(5) },
3525 ++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
3526 ++ .driver_info = RSVD(6) },
3527 + { } /* Terminating entry */
3528 + };
3529 + MODULE_DEVICE_TABLE(usb, option_ids);
3530 +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
3531 +index a4e0d13fc121..98e7a5df0f6d 100644
3532 +--- a/drivers/usb/serial/pl2303.c
3533 ++++ b/drivers/usb/serial/pl2303.c
3534 +@@ -91,9 +91,14 @@ static const struct usb_device_id id_table[] = {
3535 + { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
3536 + { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
3537 + { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
3538 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
3539 + { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
3540 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
3541 + { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
3542 + { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
3543 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
3544 ++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
3545 ++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
3546 + { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
3547 + { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
3548 + { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
3549 +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
3550 +index 26965cc23c17..4e2554d55362 100644
3551 +--- a/drivers/usb/serial/pl2303.h
3552 ++++ b/drivers/usb/serial/pl2303.h
3553 +@@ -119,10 +119,15 @@
3554 +
3555 + /* Hewlett-Packard POS Pole Displays */
3556 + #define HP_VENDOR_ID 0x03f0
3557 ++#define HP_LM920_PRODUCT_ID 0x026b
3558 ++#define HP_TD620_PRODUCT_ID 0x0956
3559 + #define HP_LD960_PRODUCT_ID 0x0b39
3560 + #define HP_LCM220_PRODUCT_ID 0x3139
3561 + #define HP_LCM960_PRODUCT_ID 0x3239
3562 + #define HP_LD220_PRODUCT_ID 0x3524
3563 ++#define HP_LD220TA_PRODUCT_ID 0x4349
3564 ++#define HP_LD960TA_PRODUCT_ID 0x4439
3565 ++#define HP_LM940_PRODUCT_ID 0x5039
3566 +
3567 + /* Cressi Edy (diving computer) PC interface */
3568 + #define CRESSI_VENDOR_ID 0x04b8
3569 +diff --git a/fs/btrfs/btrfs_inode.h b/fs/btrfs/btrfs_inode.h
3570 +index 97d91e55b70a..a0e230b31a88 100644
3571 +--- a/fs/btrfs/btrfs_inode.h
3572 ++++ b/fs/btrfs/btrfs_inode.h
3573 +@@ -146,6 +146,12 @@ struct btrfs_inode {
3574 + */
3575 + u64 last_unlink_trans;
3576 +
3577 ++ /*
3578 ++ * Track the transaction id of the last transaction used to create a
3579 ++ * hard link for the inode. This is used by the log tree (fsync).
3580 ++ */
3581 ++ u64 last_link_trans;
3582 ++
3583 + /*
3584 + * Number of bytes outstanding that are going to need csums. This is
3585 + * used in ENOSPC accounting.
3586 +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
3587 +index 539901fb5165..99e7645ad94e 100644
3588 +--- a/fs/btrfs/ctree.c
3589 ++++ b/fs/btrfs/ctree.c
3590 +@@ -2584,14 +2584,27 @@ static struct extent_buffer *btrfs_search_slot_get_root(struct btrfs_root *root,
3591 + root_lock = BTRFS_READ_LOCK;
3592 +
3593 + if (p->search_commit_root) {
3594 +- /* The commit roots are read only so we always do read locks */
3595 +- if (p->need_commit_sem)
3596 ++ /*
3597 ++ * The commit roots are read only so we always do read locks,
3598 ++ * and we always must hold the commit_root_sem when doing
3599 ++ * searches on them, the only exception is send where we don't
3600 ++ * want to block transaction commits for a long time, so
3601 ++ * we need to clone the commit root in order to avoid races
3602 ++ * with transaction commits that create a snapshot of one of
3603 ++ * the roots used by a send operation.
3604 ++ */
3605 ++ if (p->need_commit_sem) {
3606 + down_read(&fs_info->commit_root_sem);
3607 +- b = root->commit_root;
3608 +- extent_buffer_get(b);
3609 +- level = btrfs_header_level(b);
3610 +- if (p->need_commit_sem)
3611 ++ b = btrfs_clone_extent_buffer(root->commit_root);
3612 + up_read(&fs_info->commit_root_sem);
3613 ++ if (!b)
3614 ++ return ERR_PTR(-ENOMEM);
3615 ++
3616 ++ } else {
3617 ++ b = root->commit_root;
3618 ++ extent_buffer_get(b);
3619 ++ }
3620 ++ level = btrfs_header_level(b);
3621 + /*
3622 + * Ensure that all callers have set skip_locking when
3623 + * p->search_commit_root = 1.
3624 +@@ -2717,6 +2730,10 @@ int btrfs_search_slot(struct btrfs_trans_handle *trans, struct btrfs_root *root,
3625 + again:
3626 + prev_cmp = -1;
3627 + b = btrfs_search_slot_get_root(root, p, write_lock_level);
3628 ++ if (IS_ERR(b)) {
3629 ++ ret = PTR_ERR(b);
3630 ++ goto done;
3631 ++ }
3632 +
3633 + while (b) {
3634 + level = btrfs_header_level(b);
3635 +diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c
3636 +index 2aa48aecc52b..329d3afcf304 100644
3637 +--- a/fs/btrfs/dev-replace.c
3638 ++++ b/fs/btrfs/dev-replace.c
3639 +@@ -884,6 +884,8 @@ int btrfs_resume_dev_replace_async(struct btrfs_fs_info *fs_info)
3640 + "cannot continue dev_replace, tgtdev is missing");
3641 + btrfs_info(fs_info,
3642 + "you may cancel the operation after 'mount -o degraded'");
3643 ++ dev_replace->replace_state =
3644 ++ BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED;
3645 + btrfs_dev_replace_write_unlock(dev_replace);
3646 + return 0;
3647 + }
3648 +@@ -895,6 +897,10 @@ int btrfs_resume_dev_replace_async(struct btrfs_fs_info *fs_info)
3649 + * dev-replace to start anyway.
3650 + */
3651 + if (test_and_set_bit(BTRFS_FS_EXCL_OP, &fs_info->flags)) {
3652 ++ btrfs_dev_replace_write_lock(dev_replace);
3653 ++ dev_replace->replace_state =
3654 ++ BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED;
3655 ++ btrfs_dev_replace_write_unlock(dev_replace);
3656 + btrfs_info(fs_info,
3657 + "cannot resume dev-replace, other exclusive operation running");
3658 + return 0;
3659 +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
3660 +index a1febf155747..fe1fef3d7eed 100644
3661 +--- a/fs/btrfs/extent-tree.c
3662 ++++ b/fs/btrfs/extent-tree.c
3663 +@@ -8944,6 +8944,10 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
3664 + goto out_free;
3665 + }
3666 +
3667 ++ err = btrfs_run_delayed_items(trans);
3668 ++ if (err)
3669 ++ goto out_end_trans;
3670 ++
3671 + if (block_rsv)
3672 + trans->block_rsv = block_rsv;
3673 +
3674 +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
3675 +index 9ea4c6f0352f..423281c19fad 100644
3676 +--- a/fs/btrfs/inode.c
3677 ++++ b/fs/btrfs/inode.c
3678 +@@ -1372,7 +1372,8 @@ next_slot:
3679 + * Do the same check as in btrfs_cross_ref_exist but
3680 + * without the unnecessary search.
3681 + */
3682 +- if (btrfs_file_extent_generation(leaf, fi) <=
3683 ++ if (!nolock &&
3684 ++ btrfs_file_extent_generation(leaf, fi) <=
3685 + btrfs_root_last_snapshot(&root->root_item))
3686 + goto out_check;
3687 + if (extent_type == BTRFS_FILE_EXTENT_REG && !force)
3688 +@@ -3686,6 +3687,21 @@ cache_index:
3689 + * inode is not a directory, logging its parent unnecessarily.
3690 + */
3691 + BTRFS_I(inode)->last_unlink_trans = BTRFS_I(inode)->last_trans;
3692 ++ /*
3693 ++ * Similar reasoning for last_link_trans, needs to be set otherwise
3694 ++ * for a case like the following:
3695 ++ *
3696 ++ * mkdir A
3697 ++ * touch foo
3698 ++ * ln foo A/bar
3699 ++ * echo 2 > /proc/sys/vm/drop_caches
3700 ++ * fsync foo
3701 ++ * <power failure>
3702 ++ *
3703 ++ * Would result in link bar and directory A not existing after the power
3704 ++ * failure.
3705 ++ */
3706 ++ BTRFS_I(inode)->last_link_trans = BTRFS_I(inode)->last_trans;
3707 +
3708 + path->slots[0]++;
3709 + if (inode->i_nlink != 1 ||
3710 +@@ -6625,6 +6641,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
3711 + if (err)
3712 + goto fail;
3713 + }
3714 ++ BTRFS_I(inode)->last_link_trans = trans->transid;
3715 + d_instantiate(dentry, inode);
3716 + ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent,
3717 + true, NULL);
3718 +@@ -9157,6 +9174,7 @@ struct inode *btrfs_alloc_inode(struct super_block *sb)
3719 + ei->index_cnt = (u64)-1;
3720 + ei->dir_index = 0;
3721 + ei->last_unlink_trans = 0;
3722 ++ ei->last_link_trans = 0;
3723 + ei->last_log_commit = 0;
3724 +
3725 + spin_lock_init(&ei->lock);
3726 +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
3727 +index 902819d3cf41..bbd1b36f4918 100644
3728 +--- a/fs/btrfs/scrub.c
3729 ++++ b/fs/btrfs/scrub.c
3730 +@@ -322,6 +322,7 @@ static struct full_stripe_lock *insert_full_stripe_lock(
3731 + struct rb_node *parent = NULL;
3732 + struct full_stripe_lock *entry;
3733 + struct full_stripe_lock *ret;
3734 ++ unsigned int nofs_flag;
3735 +
3736 + lockdep_assert_held(&locks_root->lock);
3737 +
3738 +@@ -339,8 +340,17 @@ static struct full_stripe_lock *insert_full_stripe_lock(
3739 + }
3740 + }
3741 +
3742 +- /* Insert new lock */
3743 ++ /*
3744 ++ * Insert new lock.
3745 ++ *
3746 ++ * We must use GFP_NOFS because the scrub task might be waiting for a
3747 ++ * worker task executing this function and in turn a transaction commit
3748 ++ * might be waiting the scrub task to pause (which needs to wait for all
3749 ++ * the worker tasks to complete before pausing).
3750 ++ */
3751 ++ nofs_flag = memalloc_nofs_save();
3752 + ret = kmalloc(sizeof(*ret), GFP_KERNEL);
3753 ++ memalloc_nofs_restore(nofs_flag);
3754 + if (!ret)
3755 + return ERR_PTR(-ENOMEM);
3756 + ret->logical = fstripe_logical;
3757 +@@ -1620,8 +1630,19 @@ static int scrub_add_page_to_wr_bio(struct scrub_ctx *sctx,
3758 + mutex_lock(&sctx->wr_lock);
3759 + again:
3760 + if (!sctx->wr_curr_bio) {
3761 ++ unsigned int nofs_flag;
3762 ++
3763 ++ /*
3764 ++ * We must use GFP_NOFS because the scrub task might be waiting
3765 ++ * for a worker task executing this function and in turn a
3766 ++ * transaction commit might be waiting the scrub task to pause
3767 ++ * (which needs to wait for all the worker tasks to complete
3768 ++ * before pausing).
3769 ++ */
3770 ++ nofs_flag = memalloc_nofs_save();
3771 + sctx->wr_curr_bio = kzalloc(sizeof(*sctx->wr_curr_bio),
3772 + GFP_KERNEL);
3773 ++ memalloc_nofs_restore(nofs_flag);
3774 + if (!sctx->wr_curr_bio) {
3775 + mutex_unlock(&sctx->wr_lock);
3776 + return -ENOMEM;
3777 +@@ -3772,6 +3793,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3778 + struct scrub_ctx *sctx;
3779 + int ret;
3780 + struct btrfs_device *dev;
3781 ++ unsigned int nofs_flag;
3782 +
3783 + if (btrfs_fs_closing(fs_info))
3784 + return -EINVAL;
3785 +@@ -3875,6 +3897,16 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3786 + atomic_inc(&fs_info->scrubs_running);
3787 + mutex_unlock(&fs_info->scrub_lock);
3788 +
3789 ++ /*
3790 ++ * In order to avoid deadlock with reclaim when there is a transaction
3791 ++ * trying to pause scrub, make sure we use GFP_NOFS for all the
3792 ++ * allocations done at btrfs_scrub_pages() and scrub_pages_for_parity()
3793 ++ * invoked by our callees. The pausing request is done when the
3794 ++ * transaction commit starts, and it blocks the transaction until scrub
3795 ++ * is paused (done at specific points at scrub_stripe() or right above
3796 ++ * before incrementing fs_info->scrubs_running).
3797 ++ */
3798 ++ nofs_flag = memalloc_nofs_save();
3799 + if (!is_dev_replace) {
3800 + /*
3801 + * by holding device list mutex, we can
3802 +@@ -3887,6 +3919,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
3803 +
3804 + if (!ret)
3805 + ret = scrub_enumerate_chunks(sctx, dev, start, end);
3806 ++ memalloc_nofs_restore(nofs_flag);
3807 +
3808 + wait_event(sctx->list_wait, atomic_read(&sctx->bios_in_flight) == 0);
3809 + atomic_dec(&fs_info->scrubs_running);
3810 +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
3811 +index a5ce99a6c936..15d2914f0a67 100644
3812 +--- a/fs/btrfs/tree-log.c
3813 ++++ b/fs/btrfs/tree-log.c
3814 +@@ -5778,6 +5778,22 @@ static int btrfs_log_inode_parent(struct btrfs_trans_handle *trans,
3815 + goto end_trans;
3816 + }
3817 +
3818 ++ /*
3819 ++ * If a new hard link was added to the inode in the current transaction
3820 ++ * and its link count is now greater than 1, we need to fallback to a
3821 ++ * transaction commit, otherwise we can end up not logging all its new
3822 ++ * parents for all the hard links. Here just from the dentry used to
3823 ++ * fsync, we can not visit the ancestor inodes for all the other hard
3824 ++ * links to figure out if any is new, so we fallback to a transaction
3825 ++ * commit (instead of adding a lot of complexity of scanning a btree,
3826 ++ * since this scenario is not a common use case).
3827 ++ */
3828 ++ if (inode->vfs_inode.i_nlink > 1 &&
3829 ++ inode->last_link_trans > last_committed) {
3830 ++ ret = -EMLINK;
3831 ++ goto end_trans;
3832 ++ }
3833 ++
3834 + while (1) {
3835 + if (!parent || d_really_is_negative(parent) || sb != parent->d_sb)
3836 + break;
3837 +diff --git a/fs/cifs/file.c b/fs/cifs/file.c
3838 +index c9bc56b1baac..c23bf9da93d2 100644
3839 +--- a/fs/cifs/file.c
3840 ++++ b/fs/cifs/file.c
3841 +@@ -2617,11 +2617,13 @@ cifs_write_from_iter(loff_t offset, size_t len, struct iov_iter *from,
3842 + if (rc)
3843 + break;
3844 +
3845 ++ cur_len = min_t(const size_t, len, wsize);
3846 ++
3847 + if (ctx->direct_io) {
3848 + ssize_t result;
3849 +
3850 + result = iov_iter_get_pages_alloc(
3851 +- from, &pagevec, wsize, &start);
3852 ++ from, &pagevec, cur_len, &start);
3853 + if (result < 0) {
3854 + cifs_dbg(VFS,
3855 + "direct_writev couldn't get user pages "
3856 +@@ -2630,6 +2632,9 @@ cifs_write_from_iter(loff_t offset, size_t len, struct iov_iter *from,
3857 + result, from->type,
3858 + from->iov_offset, from->count);
3859 + dump_stack();
3860 ++
3861 ++ rc = result;
3862 ++ add_credits_and_wake_if(server, credits, 0);
3863 + break;
3864 + }
3865 + cur_len = (size_t)result;
3866 +@@ -3313,13 +3318,16 @@ cifs_send_async_read(loff_t offset, size_t len, struct cifsFileInfo *open_file,
3867 + cur_len, &start);
3868 + if (result < 0) {
3869 + cifs_dbg(VFS,
3870 +- "couldn't get user pages (cur_len=%zd)"
3871 ++ "couldn't get user pages (rc=%zd)"
3872 + " iter type %d"
3873 + " iov_offset %zd count %zd\n",
3874 + result, direct_iov.type,
3875 + direct_iov.iov_offset,
3876 + direct_iov.count);
3877 + dump_stack();
3878 ++
3879 ++ rc = result;
3880 ++ add_credits_and_wake_if(server, credits, 0);
3881 + break;
3882 + }
3883 + cur_len = (size_t)result;
3884 +diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
3885 +index d47b7f5dfa6c..924269cec135 100644
3886 +--- a/fs/cifs/smb2maperror.c
3887 ++++ b/fs/cifs/smb2maperror.c
3888 +@@ -379,8 +379,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
3889 + {STATUS_NONEXISTENT_EA_ENTRY, -EIO, "STATUS_NONEXISTENT_EA_ENTRY"},
3890 + {STATUS_NO_EAS_ON_FILE, -ENODATA, "STATUS_NO_EAS_ON_FILE"},
3891 + {STATUS_EA_CORRUPT_ERROR, -EIO, "STATUS_EA_CORRUPT_ERROR"},
3892 +- {STATUS_FILE_LOCK_CONFLICT, -EIO, "STATUS_FILE_LOCK_CONFLICT"},
3893 +- {STATUS_LOCK_NOT_GRANTED, -EIO, "STATUS_LOCK_NOT_GRANTED"},
3894 ++ {STATUS_FILE_LOCK_CONFLICT, -EACCES, "STATUS_FILE_LOCK_CONFLICT"},
3895 ++ {STATUS_LOCK_NOT_GRANTED, -EACCES, "STATUS_LOCK_NOT_GRANTED"},
3896 + {STATUS_DELETE_PENDING, -ENOENT, "STATUS_DELETE_PENDING"},
3897 + {STATUS_CTL_FILE_NOT_SUPPORTED, -ENOSYS,
3898 + "STATUS_CTL_FILE_NOT_SUPPORTED"},
3899 +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
3900 +index e25c7aade98a..391b40e91910 100644
3901 +--- a/fs/cifs/smb2ops.c
3902 ++++ b/fs/cifs/smb2ops.c
3903 +@@ -3384,8 +3384,10 @@ smb3_receive_transform(struct TCP_Server_Info *server,
3904 + }
3905 +
3906 + /* TODO: add support for compounds containing READ. */
3907 +- if (pdu_length > CIFSMaxBufSize + MAX_HEADER_SIZE(server))
3908 ++ if (pdu_length > CIFSMaxBufSize + MAX_HEADER_SIZE(server)) {
3909 ++ *num_mids = 1;
3910 + return receive_encrypted_read(server, &mids[0]);
3911 ++ }
3912 +
3913 + return receive_encrypted_standard(server, mids, bufs, num_mids);
3914 + }
3915 +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
3916 +index 3f89d0ab08fc..185a05d3257e 100644
3917 +--- a/fs/ext4/ext4.h
3918 ++++ b/fs/ext4/ext4.h
3919 +@@ -2454,8 +2454,19 @@ int do_journal_get_write_access(handle_t *handle,
3920 + #define FALL_BACK_TO_NONDELALLOC 1
3921 + #define CONVERT_INLINE_DATA 2
3922 +
3923 +-extern struct inode *ext4_iget(struct super_block *, unsigned long);
3924 +-extern struct inode *ext4_iget_normal(struct super_block *, unsigned long);
3925 ++typedef enum {
3926 ++ EXT4_IGET_NORMAL = 0,
3927 ++ EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */
3928 ++ EXT4_IGET_HANDLE = 0x0002 /* Inode # is from a handle */
3929 ++} ext4_iget_flags;
3930 ++
3931 ++extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
3932 ++ ext4_iget_flags flags, const char *function,
3933 ++ unsigned int line);
3934 ++
3935 ++#define ext4_iget(sb, ino, flags) \
3936 ++ __ext4_iget((sb), (ino), (flags), __func__, __LINE__)
3937 ++
3938 + extern int ext4_write_inode(struct inode *, struct writeback_control *);
3939 + extern int ext4_setattr(struct dentry *, struct iattr *);
3940 + extern int ext4_getattr(const struct path *, struct kstat *, u32, unsigned int);
3941 +@@ -2538,6 +2549,8 @@ extern int ext4_group_extend(struct super_block *sb,
3942 + extern int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count);
3943 +
3944 + /* super.c */
3945 ++extern struct buffer_head *ext4_sb_bread(struct super_block *sb,
3946 ++ sector_t block, int op_flags);
3947 + extern int ext4_seq_options_show(struct seq_file *seq, void *offset);
3948 + extern int ext4_calculate_overhead(struct super_block *sb);
3949 + extern void ext4_superblock_csum_set(struct super_block *sb);
3950 +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
3951 +index 014f6a698cb7..7ff14a1adba3 100644
3952 +--- a/fs/ext4/ialloc.c
3953 ++++ b/fs/ext4/ialloc.c
3954 +@@ -1225,7 +1225,7 @@ struct inode *ext4_orphan_get(struct super_block *sb, unsigned long ino)
3955 + if (!ext4_test_bit(bit, bitmap_bh->b_data))
3956 + goto bad_orphan;
3957 +
3958 +- inode = ext4_iget(sb, ino);
3959 ++ inode = ext4_iget(sb, ino, EXT4_IGET_NORMAL);
3960 + if (IS_ERR(inode)) {
3961 + err = PTR_ERR(inode);
3962 + ext4_error(sb, "couldn't read orphan inode %lu (err %d)",
3963 +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
3964 +index 9c4bac18cc6c..27373d88b5f0 100644
3965 +--- a/fs/ext4/inline.c
3966 ++++ b/fs/ext4/inline.c
3967 +@@ -705,8 +705,11 @@ int ext4_try_to_write_inline_data(struct address_space *mapping,
3968 +
3969 + if (!PageUptodate(page)) {
3970 + ret = ext4_read_inline_page(inode, page);
3971 +- if (ret < 0)
3972 ++ if (ret < 0) {
3973 ++ unlock_page(page);
3974 ++ put_page(page);
3975 + goto out_up_read;
3976 ++ }
3977 + }
3978 +
3979 + ret = 1;
3980 +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
3981 +index 22a9d8159720..9affabd07682 100644
3982 +--- a/fs/ext4/inode.c
3983 ++++ b/fs/ext4/inode.c
3984 +@@ -4817,7 +4817,9 @@ static inline u64 ext4_inode_peek_iversion(const struct inode *inode)
3985 + return inode_peek_iversion(inode);
3986 + }
3987 +
3988 +-struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
3989 ++struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
3990 ++ ext4_iget_flags flags, const char *function,
3991 ++ unsigned int line)
3992 + {
3993 + struct ext4_iloc iloc;
3994 + struct ext4_inode *raw_inode;
3995 +@@ -4831,6 +4833,18 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
3996 + gid_t i_gid;
3997 + projid_t i_projid;
3998 +
3999 ++ if (((flags & EXT4_IGET_NORMAL) &&
4000 ++ (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)) ||
4001 ++ (ino < EXT4_ROOT_INO) ||
4002 ++ (ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))) {
4003 ++ if (flags & EXT4_IGET_HANDLE)
4004 ++ return ERR_PTR(-ESTALE);
4005 ++ __ext4_error(sb, function, line,
4006 ++ "inode #%lu: comm %s: iget: illegal inode #",
4007 ++ ino, current->comm);
4008 ++ return ERR_PTR(-EFSCORRUPTED);
4009 ++ }
4010 ++
4011 + inode = iget_locked(sb, ino);
4012 + if (!inode)
4013 + return ERR_PTR(-ENOMEM);
4014 +@@ -4846,18 +4860,26 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
4015 + raw_inode = ext4_raw_inode(&iloc);
4016 +
4017 + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) {
4018 +- EXT4_ERROR_INODE(inode, "root inode unallocated");
4019 ++ ext4_error_inode(inode, function, line, 0,
4020 ++ "iget: root inode unallocated");
4021 + ret = -EFSCORRUPTED;
4022 + goto bad_inode;
4023 + }
4024 +
4025 ++ if ((flags & EXT4_IGET_HANDLE) &&
4026 ++ (raw_inode->i_links_count == 0) && (raw_inode->i_mode == 0)) {
4027 ++ ret = -ESTALE;
4028 ++ goto bad_inode;
4029 ++ }
4030 ++
4031 + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
4032 + ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize);
4033 + if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize >
4034 + EXT4_INODE_SIZE(inode->i_sb) ||
4035 + (ei->i_extra_isize & 3)) {
4036 +- EXT4_ERROR_INODE(inode,
4037 +- "bad extra_isize %u (inode size %u)",
4038 ++ ext4_error_inode(inode, function, line, 0,
4039 ++ "iget: bad extra_isize %u "
4040 ++ "(inode size %u)",
4041 + ei->i_extra_isize,
4042 + EXT4_INODE_SIZE(inode->i_sb));
4043 + ret = -EFSCORRUPTED;
4044 +@@ -4879,7 +4901,8 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
4045 + }
4046 +
4047 + if (!ext4_inode_csum_verify(inode, raw_inode, ei)) {
4048 +- EXT4_ERROR_INODE(inode, "checksum invalid");
4049 ++ ext4_error_inode(inode, function, line, 0,
4050 ++ "iget: checksum invalid");
4051 + ret = -EFSBADCRC;
4052 + goto bad_inode;
4053 + }
4054 +@@ -4936,7 +4959,8 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
4055 + ((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
4056 + inode->i_size = ext4_isize(sb, raw_inode);
4057 + if ((size = i_size_read(inode)) < 0) {
4058 +- EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size);
4059 ++ ext4_error_inode(inode, function, line, 0,
4060 ++ "iget: bad i_size value: %lld", size);
4061 + ret = -EFSCORRUPTED;
4062 + goto bad_inode;
4063 + }
4064 +@@ -5012,7 +5036,8 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
4065 + ret = 0;
4066 + if (ei->i_file_acl &&
4067 + !ext4_data_block_valid(EXT4_SB(sb), ei->i_file_acl, 1)) {
4068 +- EXT4_ERROR_INODE(inode, "bad extended attribute block %llu",
4069 ++ ext4_error_inode(inode, function, line, 0,
4070 ++ "iget: bad extended attribute block %llu",
4071 + ei->i_file_acl);
4072 + ret = -EFSCORRUPTED;
4073 + goto bad_inode;
4074 +@@ -5040,8 +5065,9 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
4075 + } else if (S_ISLNK(inode->i_mode)) {
4076 + /* VFS does not allow setting these so must be corruption */
4077 + if (IS_APPEND(inode) || IS_IMMUTABLE(inode)) {
4078 +- EXT4_ERROR_INODE(inode,
4079 +- "immutable or append flags not allowed on symlinks");
4080 ++ ext4_error_inode(inode, function, line, 0,
4081 ++ "iget: immutable or append flags "
4082 ++ "not allowed on symlinks");
4083 + ret = -EFSCORRUPTED;
4084 + goto bad_inode;
4085 + }
4086 +@@ -5071,7 +5097,8 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
4087 + make_bad_inode(inode);
4088 + } else {
4089 + ret = -EFSCORRUPTED;
4090 +- EXT4_ERROR_INODE(inode, "bogus i_mode (%o)", inode->i_mode);
4091 ++ ext4_error_inode(inode, function, line, 0,
4092 ++ "iget: bogus i_mode (%o)", inode->i_mode);
4093 + goto bad_inode;
4094 + }
4095 + brelse(iloc.bh);
4096 +@@ -5085,13 +5112,6 @@ bad_inode:
4097 + return ERR_PTR(ret);
4098 + }
4099 +
4100 +-struct inode *ext4_iget_normal(struct super_block *sb, unsigned long ino)
4101 +-{
4102 +- if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)
4103 +- return ERR_PTR(-EFSCORRUPTED);
4104 +- return ext4_iget(sb, ino);
4105 +-}
4106 +-
4107 + static int ext4_inode_blocks_set(handle_t *handle,
4108 + struct ext4_inode *raw_inode,
4109 + struct ext4_inode_info *ei)
4110 +@@ -5380,9 +5400,13 @@ int ext4_write_inode(struct inode *inode, struct writeback_control *wbc)
4111 + {
4112 + int err;
4113 +
4114 +- if (WARN_ON_ONCE(current->flags & PF_MEMALLOC))
4115 ++ if (WARN_ON_ONCE(current->flags & PF_MEMALLOC) ||
4116 ++ sb_rdonly(inode->i_sb))
4117 + return 0;
4118 +
4119 ++ if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb))))
4120 ++ return -EIO;
4121 ++
4122 + if (EXT4_SB(inode->i_sb)->s_journal) {
4123 + if (ext4_journal_current_handle()) {
4124 + jbd_debug(1, "called recursively, non-PF_MEMALLOC!\n");
4125 +@@ -5398,7 +5422,8 @@ int ext4_write_inode(struct inode *inode, struct writeback_control *wbc)
4126 + if (wbc->sync_mode != WB_SYNC_ALL || wbc->for_sync)
4127 + return 0;
4128 +
4129 +- err = ext4_force_commit(inode->i_sb);
4130 ++ err = jbd2_complete_transaction(EXT4_SB(inode->i_sb)->s_journal,
4131 ++ EXT4_I(inode)->i_sync_tid);
4132 + } else {
4133 + struct ext4_iloc iloc;
4134 +
4135 +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
4136 +index 0edee31913d1..d37dafa1d133 100644
4137 +--- a/fs/ext4/ioctl.c
4138 ++++ b/fs/ext4/ioctl.c
4139 +@@ -125,7 +125,7 @@ static long swap_inode_boot_loader(struct super_block *sb,
4140 + !inode_owner_or_capable(inode) || !capable(CAP_SYS_ADMIN))
4141 + return -EPERM;
4142 +
4143 +- inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO);
4144 ++ inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL);
4145 + if (IS_ERR(inode_bl))
4146 + return PTR_ERR(inode_bl);
4147 + ei_bl = EXT4_I(inode_bl);
4148 +diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c
4149 +index 61a9d1927817..a98bfca9c463 100644
4150 +--- a/fs/ext4/migrate.c
4151 ++++ b/fs/ext4/migrate.c
4152 +@@ -116,9 +116,9 @@ static int update_ind_extent_range(handle_t *handle, struct inode *inode,
4153 + int i, retval = 0;
4154 + unsigned long max_entries = inode->i_sb->s_blocksize >> 2;
4155 +
4156 +- bh = sb_bread(inode->i_sb, pblock);
4157 +- if (!bh)
4158 +- return -EIO;
4159 ++ bh = ext4_sb_bread(inode->i_sb, pblock, 0);
4160 ++ if (IS_ERR(bh))
4161 ++ return PTR_ERR(bh);
4162 +
4163 + i_data = (__le32 *)bh->b_data;
4164 + for (i = 0; i < max_entries; i++) {
4165 +@@ -145,9 +145,9 @@ static int update_dind_extent_range(handle_t *handle, struct inode *inode,
4166 + int i, retval = 0;
4167 + unsigned long max_entries = inode->i_sb->s_blocksize >> 2;
4168 +
4169 +- bh = sb_bread(inode->i_sb, pblock);
4170 +- if (!bh)
4171 +- return -EIO;
4172 ++ bh = ext4_sb_bread(inode->i_sb, pblock, 0);
4173 ++ if (IS_ERR(bh))
4174 ++ return PTR_ERR(bh);
4175 +
4176 + i_data = (__le32 *)bh->b_data;
4177 + for (i = 0; i < max_entries; i++) {
4178 +@@ -175,9 +175,9 @@ static int update_tind_extent_range(handle_t *handle, struct inode *inode,
4179 + int i, retval = 0;
4180 + unsigned long max_entries = inode->i_sb->s_blocksize >> 2;
4181 +
4182 +- bh = sb_bread(inode->i_sb, pblock);
4183 +- if (!bh)
4184 +- return -EIO;
4185 ++ bh = ext4_sb_bread(inode->i_sb, pblock, 0);
4186 ++ if (IS_ERR(bh))
4187 ++ return PTR_ERR(bh);
4188 +
4189 + i_data = (__le32 *)bh->b_data;
4190 + for (i = 0; i < max_entries; i++) {
4191 +@@ -224,9 +224,9 @@ static int free_dind_blocks(handle_t *handle,
4192 + struct buffer_head *bh;
4193 + unsigned long max_entries = inode->i_sb->s_blocksize >> 2;
4194 +
4195 +- bh = sb_bread(inode->i_sb, le32_to_cpu(i_data));
4196 +- if (!bh)
4197 +- return -EIO;
4198 ++ bh = ext4_sb_bread(inode->i_sb, le32_to_cpu(i_data), 0);
4199 ++ if (IS_ERR(bh))
4200 ++ return PTR_ERR(bh);
4201 +
4202 + tmp_idata = (__le32 *)bh->b_data;
4203 + for (i = 0; i < max_entries; i++) {
4204 +@@ -254,9 +254,9 @@ static int free_tind_blocks(handle_t *handle,
4205 + struct buffer_head *bh;
4206 + unsigned long max_entries = inode->i_sb->s_blocksize >> 2;
4207 +
4208 +- bh = sb_bread(inode->i_sb, le32_to_cpu(i_data));
4209 +- if (!bh)
4210 +- return -EIO;
4211 ++ bh = ext4_sb_bread(inode->i_sb, le32_to_cpu(i_data), 0);
4212 ++ if (IS_ERR(bh))
4213 ++ return PTR_ERR(bh);
4214 +
4215 + tmp_idata = (__le32 *)bh->b_data;
4216 + for (i = 0; i < max_entries; i++) {
4217 +@@ -382,9 +382,9 @@ static int free_ext_idx(handle_t *handle, struct inode *inode,
4218 + struct ext4_extent_header *eh;
4219 +
4220 + block = ext4_idx_pblock(ix);
4221 +- bh = sb_bread(inode->i_sb, block);
4222 +- if (!bh)
4223 +- return -EIO;
4224 ++ bh = ext4_sb_bread(inode->i_sb, block, 0);
4225 ++ if (IS_ERR(bh))
4226 ++ return PTR_ERR(bh);
4227 +
4228 + eh = (struct ext4_extent_header *)bh->b_data;
4229 + if (eh->eh_depth != 0) {
4230 +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
4231 +index 437f71fe83ae..2b928eb07fa2 100644
4232 +--- a/fs/ext4/namei.c
4233 ++++ b/fs/ext4/namei.c
4234 +@@ -1571,7 +1571,7 @@ static struct dentry *ext4_lookup(struct inode *dir, struct dentry *dentry, unsi
4235 + dentry);
4236 + return ERR_PTR(-EFSCORRUPTED);
4237 + }
4238 +- inode = ext4_iget_normal(dir->i_sb, ino);
4239 ++ inode = ext4_iget(dir->i_sb, ino, EXT4_IGET_NORMAL);
4240 + if (inode == ERR_PTR(-ESTALE)) {
4241 + EXT4_ERROR_INODE(dir,
4242 + "deleted inode referenced: %u",
4243 +@@ -1613,7 +1613,7 @@ struct dentry *ext4_get_parent(struct dentry *child)
4244 + return ERR_PTR(-EFSCORRUPTED);
4245 + }
4246 +
4247 +- return d_obtain_alias(ext4_iget_normal(child->d_sb, ino));
4248 ++ return d_obtain_alias(ext4_iget(child->d_sb, ino, EXT4_IGET_NORMAL));
4249 + }
4250 +
4251 + /*
4252 +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
4253 +index a5efee34415f..48421de803b7 100644
4254 +--- a/fs/ext4/resize.c
4255 ++++ b/fs/ext4/resize.c
4256 +@@ -127,10 +127,12 @@ static int verify_group_input(struct super_block *sb,
4257 + else if (free_blocks_count < 0)
4258 + ext4_warning(sb, "Bad blocks count %u",
4259 + input->blocks_count);
4260 +- else if (!(bh = sb_bread(sb, end - 1)))
4261 ++ else if (IS_ERR(bh = ext4_sb_bread(sb, end - 1, 0))) {
4262 ++ err = PTR_ERR(bh);
4263 ++ bh = NULL;
4264 + ext4_warning(sb, "Cannot read last block (%llu)",
4265 + end - 1);
4266 +- else if (outside(input->block_bitmap, start, end))
4267 ++ } else if (outside(input->block_bitmap, start, end))
4268 + ext4_warning(sb, "Block bitmap not in group (block %llu)",
4269 + (unsigned long long)input->block_bitmap);
4270 + else if (outside(input->inode_bitmap, start, end))
4271 +@@ -781,11 +783,11 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
4272 + struct ext4_super_block *es = EXT4_SB(sb)->s_es;
4273 + unsigned long gdb_num = group / EXT4_DESC_PER_BLOCK(sb);
4274 + ext4_fsblk_t gdblock = EXT4_SB(sb)->s_sbh->b_blocknr + 1 + gdb_num;
4275 +- struct buffer_head **o_group_desc, **n_group_desc;
4276 +- struct buffer_head *dind;
4277 +- struct buffer_head *gdb_bh;
4278 ++ struct buffer_head **o_group_desc, **n_group_desc = NULL;
4279 ++ struct buffer_head *dind = NULL;
4280 ++ struct buffer_head *gdb_bh = NULL;
4281 + int gdbackups;
4282 +- struct ext4_iloc iloc;
4283 ++ struct ext4_iloc iloc = { .bh = NULL };
4284 + __le32 *data;
4285 + int err;
4286 +
4287 +@@ -794,21 +796,22 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
4288 + "EXT4-fs: ext4_add_new_gdb: adding group block %lu\n",
4289 + gdb_num);
4290 +
4291 +- gdb_bh = sb_bread(sb, gdblock);
4292 +- if (!gdb_bh)
4293 +- return -EIO;
4294 ++ gdb_bh = ext4_sb_bread(sb, gdblock, 0);
4295 ++ if (IS_ERR(gdb_bh))
4296 ++ return PTR_ERR(gdb_bh);
4297 +
4298 + gdbackups = verify_reserved_gdb(sb, group, gdb_bh);
4299 + if (gdbackups < 0) {
4300 + err = gdbackups;
4301 +- goto exit_bh;
4302 ++ goto errout;
4303 + }
4304 +
4305 + data = EXT4_I(inode)->i_data + EXT4_DIND_BLOCK;
4306 +- dind = sb_bread(sb, le32_to_cpu(*data));
4307 +- if (!dind) {
4308 +- err = -EIO;
4309 +- goto exit_bh;
4310 ++ dind = ext4_sb_bread(sb, le32_to_cpu(*data), 0);
4311 ++ if (IS_ERR(dind)) {
4312 ++ err = PTR_ERR(dind);
4313 ++ dind = NULL;
4314 ++ goto errout;
4315 + }
4316 +
4317 + data = (__le32 *)dind->b_data;
4318 +@@ -816,18 +819,18 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
4319 + ext4_warning(sb, "new group %u GDT block %llu not reserved",
4320 + group, gdblock);
4321 + err = -EINVAL;
4322 +- goto exit_dind;
4323 ++ goto errout;
4324 + }
4325 +
4326 + BUFFER_TRACE(EXT4_SB(sb)->s_sbh, "get_write_access");
4327 + err = ext4_journal_get_write_access(handle, EXT4_SB(sb)->s_sbh);
4328 + if (unlikely(err))
4329 +- goto exit_dind;
4330 ++ goto errout;
4331 +
4332 + BUFFER_TRACE(gdb_bh, "get_write_access");
4333 + err = ext4_journal_get_write_access(handle, gdb_bh);
4334 + if (unlikely(err))
4335 +- goto exit_dind;
4336 ++ goto errout;
4337 +
4338 + BUFFER_TRACE(dind, "get_write_access");
4339 + err = ext4_journal_get_write_access(handle, dind);
4340 +@@ -837,7 +840,7 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
4341 + /* ext4_reserve_inode_write() gets a reference on the iloc */
4342 + err = ext4_reserve_inode_write(handle, inode, &iloc);
4343 + if (unlikely(err))
4344 +- goto exit_dind;
4345 ++ goto errout;
4346 +
4347 + n_group_desc = ext4_kvmalloc((gdb_num + 1) *
4348 + sizeof(struct buffer_head *),
4349 +@@ -846,7 +849,7 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
4350 + err = -ENOMEM;
4351 + ext4_warning(sb, "not enough memory for %lu groups",
4352 + gdb_num + 1);
4353 +- goto exit_inode;
4354 ++ goto errout;
4355 + }
4356 +
4357 + /*
4358 +@@ -862,7 +865,7 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
4359 + err = ext4_handle_dirty_metadata(handle, NULL, dind);
4360 + if (unlikely(err)) {
4361 + ext4_std_error(sb, err);
4362 +- goto exit_inode;
4363 ++ goto errout;
4364 + }
4365 + inode->i_blocks -= (gdbackups + 1) * sb->s_blocksize >>
4366 + (9 - EXT4_SB(sb)->s_cluster_bits);
4367 +@@ -871,8 +874,7 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
4368 + err = ext4_handle_dirty_metadata(handle, NULL, gdb_bh);
4369 + if (unlikely(err)) {
4370 + ext4_std_error(sb, err);
4371 +- iloc.bh = NULL;
4372 +- goto exit_inode;
4373 ++ goto errout;
4374 + }
4375 + brelse(dind);
4376 +
4377 +@@ -888,15 +890,11 @@ static int add_new_gdb(handle_t *handle, struct inode *inode,
4378 + err = ext4_handle_dirty_super(handle, sb);
4379 + if (err)
4380 + ext4_std_error(sb, err);
4381 +-
4382 + return err;
4383 +-
4384 +-exit_inode:
4385 ++errout:
4386 + kvfree(n_group_desc);
4387 + brelse(iloc.bh);
4388 +-exit_dind:
4389 + brelse(dind);
4390 +-exit_bh:
4391 + brelse(gdb_bh);
4392 +
4393 + ext4_debug("leaving with error %d\n", err);
4394 +@@ -916,9 +914,9 @@ static int add_new_gdb_meta_bg(struct super_block *sb,
4395 +
4396 + gdblock = ext4_meta_bg_first_block_no(sb, group) +
4397 + ext4_bg_has_super(sb, group);
4398 +- gdb_bh = sb_bread(sb, gdblock);
4399 +- if (!gdb_bh)
4400 +- return -EIO;
4401 ++ gdb_bh = ext4_sb_bread(sb, gdblock, 0);
4402 ++ if (IS_ERR(gdb_bh))
4403 ++ return PTR_ERR(gdb_bh);
4404 + n_group_desc = ext4_kvmalloc((gdb_num + 1) *
4405 + sizeof(struct buffer_head *),
4406 + GFP_NOFS);
4407 +@@ -975,9 +973,10 @@ static int reserve_backup_gdb(handle_t *handle, struct inode *inode,
4408 + return -ENOMEM;
4409 +
4410 + data = EXT4_I(inode)->i_data + EXT4_DIND_BLOCK;
4411 +- dind = sb_bread(sb, le32_to_cpu(*data));
4412 +- if (!dind) {
4413 +- err = -EIO;
4414 ++ dind = ext4_sb_bread(sb, le32_to_cpu(*data), 0);
4415 ++ if (IS_ERR(dind)) {
4416 ++ err = PTR_ERR(dind);
4417 ++ dind = NULL;
4418 + goto exit_free;
4419 + }
4420 +
4421 +@@ -996,9 +995,10 @@ static int reserve_backup_gdb(handle_t *handle, struct inode *inode,
4422 + err = -EINVAL;
4423 + goto exit_bh;
4424 + }
4425 +- primary[res] = sb_bread(sb, blk);
4426 +- if (!primary[res]) {
4427 +- err = -EIO;
4428 ++ primary[res] = ext4_sb_bread(sb, blk, 0);
4429 ++ if (IS_ERR(primary[res])) {
4430 ++ err = PTR_ERR(primary[res]);
4431 ++ primary[res] = NULL;
4432 + goto exit_bh;
4433 + }
4434 + gdbackups = verify_reserved_gdb(sb, group, primary[res]);
4435 +@@ -1631,13 +1631,13 @@ int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input)
4436 + }
4437 +
4438 + if (reserved_gdb || gdb_off == 0) {
4439 +- if (ext4_has_feature_resize_inode(sb) ||
4440 ++ if (!ext4_has_feature_resize_inode(sb) ||
4441 + !le16_to_cpu(es->s_reserved_gdt_blocks)) {
4442 + ext4_warning(sb,
4443 + "No reserved GDT blocks, can't resize");
4444 + return -EPERM;
4445 + }
4446 +- inode = ext4_iget(sb, EXT4_RESIZE_INO);
4447 ++ inode = ext4_iget(sb, EXT4_RESIZE_INO, EXT4_IGET_SPECIAL);
4448 + if (IS_ERR(inode)) {
4449 + ext4_warning(sb, "Error opening resize inode");
4450 + return PTR_ERR(inode);
4451 +@@ -1965,7 +1965,8 @@ retry:
4452 + }
4453 +
4454 + if (!resize_inode)
4455 +- resize_inode = ext4_iget(sb, EXT4_RESIZE_INO);
4456 ++ resize_inode = ext4_iget(sb, EXT4_RESIZE_INO,
4457 ++ EXT4_IGET_SPECIAL);
4458 + if (IS_ERR(resize_inode)) {
4459 + ext4_warning(sb, "Error opening resize inode");
4460 + return PTR_ERR(resize_inode);
4461 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
4462 +index 53ff6c2a26ed..6641a1b8a6a5 100644
4463 +--- a/fs/ext4/super.c
4464 ++++ b/fs/ext4/super.c
4465 +@@ -140,6 +140,29 @@ MODULE_ALIAS_FS("ext3");
4466 + MODULE_ALIAS("ext3");
4467 + #define IS_EXT3_SB(sb) ((sb)->s_bdev->bd_holder == &ext3_fs_type)
4468 +
4469 ++/*
4470 ++ * This works like sb_bread() except it uses ERR_PTR for error
4471 ++ * returns. Currently with sb_bread it's impossible to distinguish
4472 ++ * between ENOMEM and EIO situations (since both result in a NULL
4473 ++ * return.
4474 ++ */
4475 ++struct buffer_head *
4476 ++ext4_sb_bread(struct super_block *sb, sector_t block, int op_flags)
4477 ++{
4478 ++ struct buffer_head *bh = sb_getblk(sb, block);
4479 ++
4480 ++ if (bh == NULL)
4481 ++ return ERR_PTR(-ENOMEM);
4482 ++ if (buffer_uptodate(bh))
4483 ++ return bh;
4484 ++ ll_rw_block(REQ_OP_READ, REQ_META | op_flags, 1, &bh);
4485 ++ wait_on_buffer(bh);
4486 ++ if (buffer_uptodate(bh))
4487 ++ return bh;
4488 ++ put_bh(bh);
4489 ++ return ERR_PTR(-EIO);
4490 ++}
4491 ++
4492 + static int ext4_verify_csum_type(struct super_block *sb,
4493 + struct ext4_super_block *es)
4494 + {
4495 +@@ -1151,20 +1174,11 @@ static struct inode *ext4_nfs_get_inode(struct super_block *sb,
4496 + {
4497 + struct inode *inode;
4498 +
4499 +- if (ino < EXT4_FIRST_INO(sb) && ino != EXT4_ROOT_INO)
4500 +- return ERR_PTR(-ESTALE);
4501 +- if (ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
4502 +- return ERR_PTR(-ESTALE);
4503 +-
4504 +- /* iget isn't really right if the inode is currently unallocated!!
4505 +- *
4506 +- * ext4_read_inode will return a bad_inode if the inode had been
4507 +- * deleted, so we should be safe.
4508 +- *
4509 ++ /*
4510 + * Currently we don't know the generation for parent directory, so
4511 + * a generation of 0 means "accept any"
4512 + */
4513 +- inode = ext4_iget_normal(sb, ino);
4514 ++ inode = ext4_iget(sb, ino, EXT4_IGET_HANDLE);
4515 + if (IS_ERR(inode))
4516 + return ERR_CAST(inode);
4517 + if (generation && inode->i_generation != generation) {
4518 +@@ -1189,6 +1203,16 @@ static struct dentry *ext4_fh_to_parent(struct super_block *sb, struct fid *fid,
4519 + ext4_nfs_get_inode);
4520 + }
4521 +
4522 ++static int ext4_nfs_commit_metadata(struct inode *inode)
4523 ++{
4524 ++ struct writeback_control wbc = {
4525 ++ .sync_mode = WB_SYNC_ALL
4526 ++ };
4527 ++
4528 ++ trace_ext4_nfs_commit_metadata(inode);
4529 ++ return ext4_write_inode(inode, &wbc);
4530 ++}
4531 ++
4532 + /*
4533 + * Try to release metadata pages (indirect blocks, directories) which are
4534 + * mapped via the block device. Since these pages could have journal heads
4535 +@@ -1393,6 +1417,7 @@ static const struct export_operations ext4_export_ops = {
4536 + .fh_to_dentry = ext4_fh_to_dentry,
4537 + .fh_to_parent = ext4_fh_to_parent,
4538 + .get_parent = ext4_get_parent,
4539 ++ .commit_metadata = ext4_nfs_commit_metadata,
4540 + };
4541 +
4542 + enum {
4543 +@@ -4328,7 +4353,7 @@ no_journal:
4544 + * so we can safely mount the rest of the filesystem now.
4545 + */
4546 +
4547 +- root = ext4_iget(sb, EXT4_ROOT_INO);
4548 ++ root = ext4_iget(sb, EXT4_ROOT_INO, EXT4_IGET_SPECIAL);
4549 + if (IS_ERR(root)) {
4550 + ext4_msg(sb, KERN_ERR, "get root inode failed");
4551 + ret = PTR_ERR(root);
4552 +@@ -4598,7 +4623,7 @@ static struct inode *ext4_get_journal_inode(struct super_block *sb,
4553 + * happen if we iget() an unused inode, as the subsequent iput()
4554 + * will try to delete it.
4555 + */
4556 +- journal_inode = ext4_iget(sb, journal_inum);
4557 ++ journal_inode = ext4_iget(sb, journal_inum, EXT4_IGET_SPECIAL);
4558 + if (IS_ERR(journal_inode)) {
4559 + ext4_msg(sb, KERN_ERR, "no journal found");
4560 + return NULL;
4561 +@@ -5680,7 +5705,7 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
4562 + if (!qf_inums[type])
4563 + return -EPERM;
4564 +
4565 +- qf_inode = ext4_iget(sb, qf_inums[type]);
4566 ++ qf_inode = ext4_iget(sb, qf_inums[type], EXT4_IGET_SPECIAL);
4567 + if (IS_ERR(qf_inode)) {
4568 + ext4_error(sb, "Bad quota inode # %lu", qf_inums[type]);
4569 + return PTR_ERR(qf_inode);
4570 +@@ -5690,9 +5715,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
4571 + qf_inode->i_flags |= S_NOQUOTA;
4572 + lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA);
4573 + err = dquot_enable(qf_inode, type, format_id, flags);
4574 +- iput(qf_inode);
4575 + if (err)
4576 + lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL);
4577 ++ iput(qf_inode);
4578 +
4579 + return err;
4580 + }
4581 +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
4582 +index 7643d52c776c..86ed9c686249 100644
4583 +--- a/fs/ext4/xattr.c
4584 ++++ b/fs/ext4/xattr.c
4585 +@@ -384,7 +384,7 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino,
4586 + struct inode *inode;
4587 + int err;
4588 +
4589 +- inode = ext4_iget(parent->i_sb, ea_ino);
4590 ++ inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL);
4591 + if (IS_ERR(inode)) {
4592 + err = PTR_ERR(inode);
4593 + ext4_error(parent->i_sb,
4594 +@@ -522,14 +522,13 @@ ext4_xattr_block_get(struct inode *inode, int name_index, const char *name,
4595 + ea_idebug(inode, "name=%d.%s, buffer=%p, buffer_size=%ld",
4596 + name_index, name, buffer, (long)buffer_size);
4597 +
4598 +- error = -ENODATA;
4599 + if (!EXT4_I(inode)->i_file_acl)
4600 +- goto cleanup;
4601 ++ return -ENODATA;
4602 + ea_idebug(inode, "reading block %llu",
4603 + (unsigned long long)EXT4_I(inode)->i_file_acl);
4604 +- bh = sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl);
4605 +- if (!bh)
4606 +- goto cleanup;
4607 ++ bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
4608 ++ if (IS_ERR(bh))
4609 ++ return PTR_ERR(bh);
4610 + ea_bdebug(bh, "b_count=%d, refcount=%d",
4611 + atomic_read(&(bh->b_count)), le32_to_cpu(BHDR(bh)->h_refcount));
4612 + error = ext4_xattr_check_block(inode, bh);
4613 +@@ -696,26 +695,23 @@ ext4_xattr_block_list(struct dentry *dentry, char *buffer, size_t buffer_size)
4614 + ea_idebug(inode, "buffer=%p, buffer_size=%ld",
4615 + buffer, (long)buffer_size);
4616 +
4617 +- error = 0;
4618 + if (!EXT4_I(inode)->i_file_acl)
4619 +- goto cleanup;
4620 ++ return 0;
4621 + ea_idebug(inode, "reading block %llu",
4622 + (unsigned long long)EXT4_I(inode)->i_file_acl);
4623 +- bh = sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl);
4624 +- error = -EIO;
4625 +- if (!bh)
4626 +- goto cleanup;
4627 ++ bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
4628 ++ if (IS_ERR(bh))
4629 ++ return PTR_ERR(bh);
4630 + ea_bdebug(bh, "b_count=%d, refcount=%d",
4631 + atomic_read(&(bh->b_count)), le32_to_cpu(BHDR(bh)->h_refcount));
4632 + error = ext4_xattr_check_block(inode, bh);
4633 + if (error)
4634 + goto cleanup;
4635 + ext4_xattr_block_cache_insert(EA_BLOCK_CACHE(inode), bh);
4636 +- error = ext4_xattr_list_entries(dentry, BFIRST(bh), buffer, buffer_size);
4637 +-
4638 ++ error = ext4_xattr_list_entries(dentry, BFIRST(bh), buffer,
4639 ++ buffer_size);
4640 + cleanup:
4641 + brelse(bh);
4642 +-
4643 + return error;
4644 + }
4645 +
4646 +@@ -830,9 +826,9 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage)
4647 + }
4648 +
4649 + if (EXT4_I(inode)->i_file_acl) {
4650 +- bh = sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl);
4651 +- if (!bh) {
4652 +- ret = -EIO;
4653 ++ bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
4654 ++ if (IS_ERR(bh)) {
4655 ++ ret = PTR_ERR(bh);
4656 + goto out;
4657 + }
4658 +
4659 +@@ -1486,7 +1482,8 @@ ext4_xattr_inode_cache_find(struct inode *inode, const void *value,
4660 + }
4661 +
4662 + while (ce) {
4663 +- ea_inode = ext4_iget(inode->i_sb, ce->e_value);
4664 ++ ea_inode = ext4_iget(inode->i_sb, ce->e_value,
4665 ++ EXT4_IGET_NORMAL);
4666 + if (!IS_ERR(ea_inode) &&
4667 + !is_bad_inode(ea_inode) &&
4668 + (EXT4_I(ea_inode)->i_flags & EXT4_EA_INODE_FL) &&
4669 +@@ -1821,16 +1818,15 @@ ext4_xattr_block_find(struct inode *inode, struct ext4_xattr_info *i,
4670 +
4671 + if (EXT4_I(inode)->i_file_acl) {
4672 + /* The inode already has an extended attribute block. */
4673 +- bs->bh = sb_bread(sb, EXT4_I(inode)->i_file_acl);
4674 +- error = -EIO;
4675 +- if (!bs->bh)
4676 +- goto cleanup;
4677 ++ bs->bh = ext4_sb_bread(sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
4678 ++ if (IS_ERR(bs->bh))
4679 ++ return PTR_ERR(bs->bh);
4680 + ea_bdebug(bs->bh, "b_count=%d, refcount=%d",
4681 + atomic_read(&(bs->bh->b_count)),
4682 + le32_to_cpu(BHDR(bs->bh)->h_refcount));
4683 + error = ext4_xattr_check_block(inode, bs->bh);
4684 + if (error)
4685 +- goto cleanup;
4686 ++ return error;
4687 + /* Find the named attribute. */
4688 + bs->s.base = BHDR(bs->bh);
4689 + bs->s.first = BFIRST(bs->bh);
4690 +@@ -1839,13 +1835,10 @@ ext4_xattr_block_find(struct inode *inode, struct ext4_xattr_info *i,
4691 + error = xattr_find_entry(inode, &bs->s.here, bs->s.end,
4692 + i->name_index, i->name, 1);
4693 + if (error && error != -ENODATA)
4694 +- goto cleanup;
4695 ++ return error;
4696 + bs->s.not_found = error;
4697 + }
4698 +- error = 0;
4699 +-
4700 +-cleanup:
4701 +- return error;
4702 ++ return 0;
4703 + }
4704 +
4705 + static int
4706 +@@ -2274,9 +2267,9 @@ static struct buffer_head *ext4_xattr_get_block(struct inode *inode)
4707 +
4708 + if (!EXT4_I(inode)->i_file_acl)
4709 + return NULL;
4710 +- bh = sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl);
4711 +- if (!bh)
4712 +- return ERR_PTR(-EIO);
4713 ++ bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
4714 ++ if (IS_ERR(bh))
4715 ++ return bh;
4716 + error = ext4_xattr_check_block(inode, bh);
4717 + if (error) {
4718 + brelse(bh);
4719 +@@ -2729,7 +2722,7 @@ retry:
4720 + base = IFIRST(header);
4721 + end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
4722 + min_offs = end - base;
4723 +- total_ino = sizeof(struct ext4_xattr_ibody_header);
4724 ++ total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
4725 +
4726 + error = xattr_check_inode(inode, header, end);
4727 + if (error)
4728 +@@ -2746,10 +2739,11 @@ retry:
4729 + if (EXT4_I(inode)->i_file_acl) {
4730 + struct buffer_head *bh;
4731 +
4732 +- bh = sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl);
4733 +- error = -EIO;
4734 +- if (!bh)
4735 ++ bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
4736 ++ if (IS_ERR(bh)) {
4737 ++ error = PTR_ERR(bh);
4738 + goto cleanup;
4739 ++ }
4740 + error = ext4_xattr_check_block(inode, bh);
4741 + if (error) {
4742 + brelse(bh);
4743 +@@ -2903,11 +2897,12 @@ int ext4_xattr_delete_inode(handle_t *handle, struct inode *inode,
4744 + }
4745 +
4746 + if (EXT4_I(inode)->i_file_acl) {
4747 +- bh = sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl);
4748 +- if (!bh) {
4749 +- EXT4_ERROR_INODE(inode, "block %llu read error",
4750 +- EXT4_I(inode)->i_file_acl);
4751 +- error = -EIO;
4752 ++ bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO);
4753 ++ if (IS_ERR(bh)) {
4754 ++ error = PTR_ERR(bh);
4755 ++ if (error == -EIO)
4756 ++ EXT4_ERROR_INODE(inode, "block %llu read error",
4757 ++ EXT4_I(inode)->i_file_acl);
4758 + goto cleanup;
4759 + }
4760 + error = ext4_xattr_check_block(inode, bh);
4761 +@@ -3060,8 +3055,10 @@ ext4_xattr_block_cache_find(struct inode *inode,
4762 + while (ce) {
4763 + struct buffer_head *bh;
4764 +
4765 +- bh = sb_bread(inode->i_sb, ce->e_value);
4766 +- if (!bh) {
4767 ++ bh = ext4_sb_bread(inode->i_sb, ce->e_value, REQ_PRIO);
4768 ++ if (IS_ERR(bh)) {
4769 ++ if (PTR_ERR(bh) == -ENOMEM)
4770 ++ return NULL;
4771 + EXT4_ERROR_INODE(inode, "block %lu read error",
4772 + (unsigned long)ce->e_value);
4773 + } else if (ext4_xattr_cmp(header, BHDR(bh)) == 0) {
4774 +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
4775 +index b293cb3e27a2..17049b030b6c 100644
4776 +--- a/fs/f2fs/data.c
4777 ++++ b/fs/f2fs/data.c
4778 +@@ -1102,8 +1102,10 @@ next_block:
4779 + if (test_opt(sbi, LFS) && create &&
4780 + flag == F2FS_GET_BLOCK_DIO) {
4781 + err = __allocate_data_block(&dn, map->m_seg_type);
4782 +- if (!err)
4783 ++ if (!err) {
4784 ++ blkaddr = dn.data_blkaddr;
4785 + set_inode_flag(inode, FI_APPEND_WRITE);
4786 ++ }
4787 + }
4788 + } else {
4789 + if (create) {
4790 +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
4791 +index d338740d0fda..88be946dedd4 100644
4792 +--- a/fs/f2fs/node.c
4793 ++++ b/fs/f2fs/node.c
4794 +@@ -826,6 +826,7 @@ static int truncate_node(struct dnode_of_data *dn)
4795 + struct f2fs_sb_info *sbi = F2FS_I_SB(dn->inode);
4796 + struct node_info ni;
4797 + int err;
4798 ++ pgoff_t index;
4799 +
4800 + err = f2fs_get_node_info(sbi, dn->nid, &ni);
4801 + if (err)
4802 +@@ -845,10 +846,11 @@ static int truncate_node(struct dnode_of_data *dn)
4803 + clear_node_page_dirty(dn->node_page);
4804 + set_sbi_flag(sbi, SBI_IS_DIRTY);
4805 +
4806 ++ index = dn->node_page->index;
4807 + f2fs_put_page(dn->node_page, 1);
4808 +
4809 + invalidate_mapping_pages(NODE_MAPPING(sbi),
4810 +- dn->node_page->index, dn->node_page->index);
4811 ++ index, index);
4812 +
4813 + dn->node_page = NULL;
4814 + trace_f2fs_truncate_node(dn->inode, dn->nid, ni.blk_addr);
4815 +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
4816 +index af58b2cc21b8..855a622fb052 100644
4817 +--- a/fs/f2fs/super.c
4818 ++++ b/fs/f2fs/super.c
4819 +@@ -1457,19 +1457,16 @@ static int f2fs_disable_checkpoint(struct f2fs_sb_info *sbi)
4820 +
4821 + sbi->sb->s_flags |= SB_ACTIVE;
4822 +
4823 +- mutex_lock(&sbi->gc_mutex);
4824 + f2fs_update_time(sbi, DISABLE_TIME);
4825 +
4826 + while (!f2fs_time_over(sbi, DISABLE_TIME)) {
4827 ++ mutex_lock(&sbi->gc_mutex);
4828 + err = f2fs_gc(sbi, true, false, NULL_SEGNO);
4829 + if (err == -ENODATA)
4830 + break;
4831 +- if (err && err != -EAGAIN) {
4832 +- mutex_unlock(&sbi->gc_mutex);
4833 ++ if (err && err != -EAGAIN)
4834 + return err;
4835 +- }
4836 + }
4837 +- mutex_unlock(&sbi->gc_mutex);
4838 +
4839 + err = sync_filesystem(sbi->sb);
4840 + if (err)
4841 +@@ -2496,10 +2493,10 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
4842 + return 1;
4843 + }
4844 +
4845 +- if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
4846 ++ if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
4847 + f2fs_msg(sb, KERN_INFO,
4848 +- "Wrong segment_count / block_count (%u > %u)",
4849 +- segment_count, le32_to_cpu(raw_super->block_count));
4850 ++ "Wrong segment_count / block_count (%u > %llu)",
4851 ++ segment_count, le64_to_cpu(raw_super->block_count));
4852 + return 1;
4853 + }
4854 +
4855 +diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
4856 +index 7261245c208d..ecd2cf2fc584 100644
4857 +--- a/fs/f2fs/xattr.c
4858 ++++ b/fs/f2fs/xattr.c
4859 +@@ -288,7 +288,7 @@ static int read_xattr_block(struct inode *inode, void *txattr_addr)
4860 + static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
4861 + unsigned int index, unsigned int len,
4862 + const char *name, struct f2fs_xattr_entry **xe,
4863 +- void **base_addr)
4864 ++ void **base_addr, int *base_size)
4865 + {
4866 + void *cur_addr, *txattr_addr, *last_addr = NULL;
4867 + nid_t xnid = F2FS_I(inode)->i_xattr_nid;
4868 +@@ -299,8 +299,8 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
4869 + if (!size && !inline_size)
4870 + return -ENODATA;
4871 +
4872 +- txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode),
4873 +- inline_size + size + XATTR_PADDING_SIZE, GFP_NOFS);
4874 ++ *base_size = inline_size + size + XATTR_PADDING_SIZE;
4875 ++ txattr_addr = f2fs_kzalloc(F2FS_I_SB(inode), *base_size, GFP_NOFS);
4876 + if (!txattr_addr)
4877 + return -ENOMEM;
4878 +
4879 +@@ -312,8 +312,10 @@ static int lookup_all_xattrs(struct inode *inode, struct page *ipage,
4880 +
4881 + *xe = __find_inline_xattr(inode, txattr_addr, &last_addr,
4882 + index, len, name);
4883 +- if (*xe)
4884 ++ if (*xe) {
4885 ++ *base_size = inline_size;
4886 + goto check;
4887 ++ }
4888 + }
4889 +
4890 + /* read from xattr node block */
4891 +@@ -474,6 +476,7 @@ int f2fs_getxattr(struct inode *inode, int index, const char *name,
4892 + int error = 0;
4893 + unsigned int size, len;
4894 + void *base_addr = NULL;
4895 ++ int base_size;
4896 +
4897 + if (name == NULL)
4898 + return -EINVAL;
4899 +@@ -484,7 +487,7 @@ int f2fs_getxattr(struct inode *inode, int index, const char *name,
4900 +
4901 + down_read(&F2FS_I(inode)->i_xattr_sem);
4902 + error = lookup_all_xattrs(inode, ipage, index, len, name,
4903 +- &entry, &base_addr);
4904 ++ &entry, &base_addr, &base_size);
4905 + up_read(&F2FS_I(inode)->i_xattr_sem);
4906 + if (error)
4907 + return error;
4908 +@@ -498,6 +501,11 @@ int f2fs_getxattr(struct inode *inode, int index, const char *name,
4909 +
4910 + if (buffer) {
4911 + char *pval = entry->e_name + entry->e_name_len;
4912 ++
4913 ++ if (base_size - (pval - (char *)base_addr) < size) {
4914 ++ error = -ERANGE;
4915 ++ goto out;
4916 ++ }
4917 + memcpy(buffer, pval, size);
4918 + }
4919 + error = size;
4920 +diff --git a/fs/file.c b/fs/file.c
4921 +index 7ffd6e9d103d..8d059d8973e9 100644
4922 +--- a/fs/file.c
4923 ++++ b/fs/file.c
4924 +@@ -640,6 +640,35 @@ out_unlock:
4925 + }
4926 + EXPORT_SYMBOL(__close_fd); /* for ksys_close() */
4927 +
4928 ++/*
4929 ++ * variant of __close_fd that gets a ref on the file for later fput
4930 ++ */
4931 ++int __close_fd_get_file(unsigned int fd, struct file **res)
4932 ++{
4933 ++ struct files_struct *files = current->files;
4934 ++ struct file *file;
4935 ++ struct fdtable *fdt;
4936 ++
4937 ++ spin_lock(&files->file_lock);
4938 ++ fdt = files_fdtable(files);
4939 ++ if (fd >= fdt->max_fds)
4940 ++ goto out_unlock;
4941 ++ file = fdt->fd[fd];
4942 ++ if (!file)
4943 ++ goto out_unlock;
4944 ++ rcu_assign_pointer(fdt->fd[fd], NULL);
4945 ++ __put_unused_fd(files, fd);
4946 ++ spin_unlock(&files->file_lock);
4947 ++ get_file(file);
4948 ++ *res = file;
4949 ++ return filp_close(file, files);
4950 ++
4951 ++out_unlock:
4952 ++ spin_unlock(&files->file_lock);
4953 ++ *res = NULL;
4954 ++ return -ENOENT;
4955 ++}
4956 ++
4957 + void do_close_on_exec(struct files_struct *files)
4958 + {
4959 + unsigned i;
4960 +diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h
4961 +index 41615f38bcff..f07c55ea0c22 100644
4962 +--- a/include/linux/fdtable.h
4963 ++++ b/include/linux/fdtable.h
4964 +@@ -121,6 +121,7 @@ extern void __fd_install(struct files_struct *files,
4965 + unsigned int fd, struct file *file);
4966 + extern int __close_fd(struct files_struct *files,
4967 + unsigned int fd);
4968 ++extern int __close_fd_get_file(unsigned int fd, struct file **res);
4969 +
4970 + extern struct kmem_cache *files_cachep;
4971 +
4972 +diff --git a/include/linux/msi.h b/include/linux/msi.h
4973 +index 0e9c50052ff3..eb213b87617c 100644
4974 +--- a/include/linux/msi.h
4975 ++++ b/include/linux/msi.h
4976 +@@ -116,6 +116,8 @@ struct msi_desc {
4977 + list_first_entry(dev_to_msi_list((dev)), struct msi_desc, list)
4978 + #define for_each_msi_entry(desc, dev) \
4979 + list_for_each_entry((desc), dev_to_msi_list((dev)), list)
4980 ++#define for_each_msi_entry_safe(desc, tmp, dev) \
4981 ++ list_for_each_entry_safe((desc), (tmp), dev_to_msi_list((dev)), list)
4982 +
4983 + #ifdef CONFIG_PCI_MSI
4984 + #define first_pci_msi_entry(pdev) first_msi_entry(&(pdev)->dev)
4985 +diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
4986 +index 6894976b54e3..186cd8e970c7 100644
4987 +--- a/include/linux/ptr_ring.h
4988 ++++ b/include/linux/ptr_ring.h
4989 +@@ -573,6 +573,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
4990 + else if (destroy)
4991 + destroy(ptr);
4992 +
4993 ++ if (producer >= size)
4994 ++ producer = 0;
4995 + __ptr_ring_set_size(r, size);
4996 + r->producer = producer;
4997 + r->consumer_head = 0;
4998 +diff --git a/include/media/cec.h b/include/media/cec.h
4999 +index 3fe5e5d2bb7e..707411ef8ba2 100644
5000 +--- a/include/media/cec.h
5001 ++++ b/include/media/cec.h
5002 +@@ -155,6 +155,7 @@ struct cec_adapter {
5003 + unsigned int transmit_queue_sz;
5004 + struct list_head wait_queue;
5005 + struct cec_data *transmitting;
5006 ++ bool transmit_in_progress;
5007 +
5008 + struct task_struct *kthread_config;
5009 + struct completion config_completion;
5010 +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
5011 +index 5ce926701bd0..5f67efbb77e8 100644
5012 +--- a/include/net/ip_tunnels.h
5013 ++++ b/include/net/ip_tunnels.h
5014 +@@ -307,6 +307,26 @@ int ip_tunnel_encap_del_ops(const struct ip_tunnel_encap_ops *op,
5015 + int ip_tunnel_encap_setup(struct ip_tunnel *t,
5016 + struct ip_tunnel_encap *ipencap);
5017 +
5018 ++static inline bool pskb_inet_may_pull(struct sk_buff *skb)
5019 ++{
5020 ++ int nhlen;
5021 ++
5022 ++ switch (skb->protocol) {
5023 ++#if IS_ENABLED(CONFIG_IPV6)
5024 ++ case htons(ETH_P_IPV6):
5025 ++ nhlen = sizeof(struct ipv6hdr);
5026 ++ break;
5027 ++#endif
5028 ++ case htons(ETH_P_IP):
5029 ++ nhlen = sizeof(struct iphdr);
5030 ++ break;
5031 ++ default:
5032 ++ nhlen = 0;
5033 ++ }
5034 ++
5035 ++ return pskb_network_may_pull(skb, nhlen);
5036 ++}
5037 ++
5038 + static inline int ip_encap_hlen(struct ip_tunnel_encap *e)
5039 + {
5040 + const struct ip_tunnel_encap_ops *ops;
5041 +diff --git a/include/net/sock.h b/include/net/sock.h
5042 +index 0e3a09380655..13f11e905a00 100644
5043 +--- a/include/net/sock.h
5044 ++++ b/include/net/sock.h
5045 +@@ -298,6 +298,7 @@ struct sock_common {
5046 + * @sk_filter: socket filtering instructions
5047 + * @sk_timer: sock cleanup timer
5048 + * @sk_stamp: time stamp of last packet received
5049 ++ * @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
5050 + * @sk_tsflags: SO_TIMESTAMPING socket options
5051 + * @sk_tskey: counter to disambiguate concurrent tstamp requests
5052 + * @sk_zckey: counter to order MSG_ZEROCOPY notifications
5053 +@@ -474,6 +475,9 @@ struct sock {
5054 + const struct cred *sk_peer_cred;
5055 + long sk_rcvtimeo;
5056 + ktime_t sk_stamp;
5057 ++#if BITS_PER_LONG==32
5058 ++ seqlock_t sk_stamp_seq;
5059 ++#endif
5060 + u16 sk_tsflags;
5061 + u8 sk_shutdown;
5062 + u32 sk_tskey;
5063 +@@ -2287,6 +2291,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb)
5064 + atomic_add(segs, &sk->sk_drops);
5065 + }
5066 +
5067 ++static inline ktime_t sock_read_timestamp(struct sock *sk)
5068 ++{
5069 ++#if BITS_PER_LONG==32
5070 ++ unsigned int seq;
5071 ++ ktime_t kt;
5072 ++
5073 ++ do {
5074 ++ seq = read_seqbegin(&sk->sk_stamp_seq);
5075 ++ kt = sk->sk_stamp;
5076 ++ } while (read_seqretry(&sk->sk_stamp_seq, seq));
5077 ++
5078 ++ return kt;
5079 ++#else
5080 ++ return sk->sk_stamp;
5081 ++#endif
5082 ++}
5083 ++
5084 ++static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
5085 ++{
5086 ++#if BITS_PER_LONG==32
5087 ++ write_seqlock(&sk->sk_stamp_seq);
5088 ++ sk->sk_stamp = kt;
5089 ++ write_sequnlock(&sk->sk_stamp_seq);
5090 ++#else
5091 ++ sk->sk_stamp = kt;
5092 ++#endif
5093 ++}
5094 ++
5095 + void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
5096 + struct sk_buff *skb);
5097 + void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
5098 +@@ -2311,7 +2343,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
5099 + (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
5100 + __sock_recv_timestamp(msg, sk, skb);
5101 + else
5102 +- sk->sk_stamp = kt;
5103 ++ sock_write_timestamp(sk, kt);
5104 +
5105 + if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
5106 + __sock_recv_wifi_status(msg, sk, skb);
5107 +@@ -2332,9 +2364,9 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
5108 + if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
5109 + __sock_recv_ts_and_drops(msg, sk, skb);
5110 + else if (unlikely(sock_flag(sk, SOCK_TIMESTAMP)))
5111 +- sk->sk_stamp = skb->tstamp;
5112 ++ sock_write_timestamp(sk, skb->tstamp);
5113 + else if (unlikely(sk->sk_stamp == SK_DEFAULT_STAMP))
5114 +- sk->sk_stamp = 0;
5115 ++ sock_write_timestamp(sk, 0);
5116 + }
5117 +
5118 + void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags);
5119 +diff --git a/include/trace/events/ext4.h b/include/trace/events/ext4.h
5120 +index 698e0d8a5ca4..d68e9e536814 100644
5121 +--- a/include/trace/events/ext4.h
5122 ++++ b/include/trace/events/ext4.h
5123 +@@ -226,6 +226,26 @@ TRACE_EVENT(ext4_drop_inode,
5124 + (unsigned long) __entry->ino, __entry->drop)
5125 + );
5126 +
5127 ++TRACE_EVENT(ext4_nfs_commit_metadata,
5128 ++ TP_PROTO(struct inode *inode),
5129 ++
5130 ++ TP_ARGS(inode),
5131 ++
5132 ++ TP_STRUCT__entry(
5133 ++ __field( dev_t, dev )
5134 ++ __field( ino_t, ino )
5135 ++ ),
5136 ++
5137 ++ TP_fast_assign(
5138 ++ __entry->dev = inode->i_sb->s_dev;
5139 ++ __entry->ino = inode->i_ino;
5140 ++ ),
5141 ++
5142 ++ TP_printk("dev %d,%d ino %lu",
5143 ++ MAJOR(__entry->dev), MINOR(__entry->dev),
5144 ++ (unsigned long) __entry->ino)
5145 ++);
5146 ++
5147 + TRACE_EVENT(ext4_mark_inode_dirty,
5148 + TP_PROTO(struct inode *inode, unsigned long IP),
5149 +
5150 +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
5151 +index 6aaf5dd5383b..1f84977fab47 100644
5152 +--- a/kernel/cgroup/cgroup.c
5153 ++++ b/kernel/cgroup/cgroup.c
5154 +@@ -4202,20 +4202,25 @@ static void css_task_iter_advance(struct css_task_iter *it)
5155 +
5156 + lockdep_assert_held(&css_set_lock);
5157 + repeat:
5158 +- /*
5159 +- * Advance iterator to find next entry. cset->tasks is consumed
5160 +- * first and then ->mg_tasks. After ->mg_tasks, we move onto the
5161 +- * next cset.
5162 +- */
5163 +- next = it->task_pos->next;
5164 ++ if (it->task_pos) {
5165 ++ /*
5166 ++ * Advance iterator to find next entry. cset->tasks is
5167 ++ * consumed first and then ->mg_tasks. After ->mg_tasks,
5168 ++ * we move onto the next cset.
5169 ++ */
5170 ++ next = it->task_pos->next;
5171 +
5172 +- if (next == it->tasks_head)
5173 +- next = it->mg_tasks_head->next;
5174 ++ if (next == it->tasks_head)
5175 ++ next = it->mg_tasks_head->next;
5176 +
5177 +- if (next == it->mg_tasks_head)
5178 ++ if (next == it->mg_tasks_head)
5179 ++ css_task_iter_advance_css_set(it);
5180 ++ else
5181 ++ it->task_pos = next;
5182 ++ } else {
5183 ++ /* called from start, proceed to the first cset */
5184 + css_task_iter_advance_css_set(it);
5185 +- else
5186 +- it->task_pos = next;
5187 ++ }
5188 +
5189 + /* if PROCS, skip over tasks which aren't group leaders */
5190 + if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
5191 +@@ -4255,7 +4260,7 @@ void css_task_iter_start(struct cgroup_subsys_state *css, unsigned int flags,
5192 +
5193 + it->cset_head = it->cset_pos;
5194 +
5195 +- css_task_iter_advance_css_set(it);
5196 ++ css_task_iter_advance(it);
5197 +
5198 + spin_unlock_irq(&css_set_lock);
5199 + }
5200 +diff --git a/kernel/panic.c b/kernel/panic.c
5201 +index f6d549a29a5c..d10c340c43b0 100644
5202 +--- a/kernel/panic.c
5203 ++++ b/kernel/panic.c
5204 +@@ -14,6 +14,7 @@
5205 + #include <linux/kmsg_dump.h>
5206 + #include <linux/kallsyms.h>
5207 + #include <linux/notifier.h>
5208 ++#include <linux/vt_kern.h>
5209 + #include <linux/module.h>
5210 + #include <linux/random.h>
5211 + #include <linux/ftrace.h>
5212 +@@ -237,7 +238,10 @@ void panic(const char *fmt, ...)
5213 + if (_crash_kexec_post_notifiers)
5214 + __crash_kexec(NULL);
5215 +
5216 +- bust_spinlocks(0);
5217 ++#ifdef CONFIG_VT
5218 ++ unblank_screen();
5219 ++#endif
5220 ++ console_unblank();
5221 +
5222 + /*
5223 + * We may have ended up stopping the CPU holding the lock (in
5224 +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
5225 +index c603d33d5410..5d01edf8d819 100644
5226 +--- a/net/ax25/af_ax25.c
5227 ++++ b/net/ax25/af_ax25.c
5228 +@@ -653,15 +653,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
5229 + break;
5230 + }
5231 +
5232 +- dev = dev_get_by_name(&init_net, devname);
5233 ++ rtnl_lock();
5234 ++ dev = __dev_get_by_name(&init_net, devname);
5235 + if (!dev) {
5236 ++ rtnl_unlock();
5237 + res = -ENODEV;
5238 + break;
5239 + }
5240 +
5241 + ax25->ax25_dev = ax25_dev_ax25dev(dev);
5242 ++ if (!ax25->ax25_dev) {
5243 ++ rtnl_unlock();
5244 ++ res = -ENODEV;
5245 ++ break;
5246 ++ }
5247 + ax25_fillin_cb(ax25, ax25->ax25_dev);
5248 +- dev_put(dev);
5249 ++ rtnl_unlock();
5250 + break;
5251 +
5252 + default:
5253 +diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
5254 +index 9a3a301e1e2f..d92195cd7834 100644
5255 +--- a/net/ax25/ax25_dev.c
5256 ++++ b/net/ax25/ax25_dev.c
5257 +@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev)
5258 + if ((s = ax25_dev_list) == ax25_dev) {
5259 + ax25_dev_list = s->next;
5260 + spin_unlock_bh(&ax25_dev_lock);
5261 ++ dev->ax25_ptr = NULL;
5262 + dev_put(dev);
5263 + kfree(ax25_dev);
5264 + return;
5265 +@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev)
5266 + if (s->next == ax25_dev) {
5267 + s->next = ax25_dev->next;
5268 + spin_unlock_bh(&ax25_dev_lock);
5269 ++ dev->ax25_ptr = NULL;
5270 + dev_put(dev);
5271 + kfree(ax25_dev);
5272 + return;
5273 +diff --git a/net/compat.c b/net/compat.c
5274 +index 47a614b370cd..d1f3a8a0b3ef 100644
5275 +--- a/net/compat.c
5276 ++++ b/net/compat.c
5277 +@@ -467,12 +467,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
5278 + ctv = (struct compat_timeval __user *) userstamp;
5279 + err = -ENOENT;
5280 + sock_enable_timestamp(sk, SOCK_TIMESTAMP);
5281 +- tv = ktime_to_timeval(sk->sk_stamp);
5282 ++ tv = ktime_to_timeval(sock_read_timestamp(sk));
5283 ++
5284 + if (tv.tv_sec == -1)
5285 + return err;
5286 + if (tv.tv_sec == 0) {
5287 +- sk->sk_stamp = ktime_get_real();
5288 +- tv = ktime_to_timeval(sk->sk_stamp);
5289 ++ ktime_t kt = ktime_get_real();
5290 ++ sock_write_timestamp(sk, kt);
5291 ++ tv = ktime_to_timeval(kt);
5292 + }
5293 + err = 0;
5294 + if (put_user(tv.tv_sec, &ctv->tv_sec) ||
5295 +@@ -494,12 +496,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta
5296 + ctv = (struct compat_timespec __user *) userstamp;
5297 + err = -ENOENT;
5298 + sock_enable_timestamp(sk, SOCK_TIMESTAMP);
5299 +- ts = ktime_to_timespec(sk->sk_stamp);
5300 ++ ts = ktime_to_timespec(sock_read_timestamp(sk));
5301 + if (ts.tv_sec == -1)
5302 + return err;
5303 + if (ts.tv_sec == 0) {
5304 +- sk->sk_stamp = ktime_get_real();
5305 +- ts = ktime_to_timespec(sk->sk_stamp);
5306 ++ ktime_t kt = ktime_get_real();
5307 ++ sock_write_timestamp(sk, kt);
5308 ++ ts = ktime_to_timespec(kt);
5309 + }
5310 + err = 0;
5311 + if (put_user(ts.tv_sec, &ctv->tv_sec) ||
5312 +diff --git a/net/core/sock.c b/net/core/sock.c
5313 +index 080a880a1761..98659fb6e9fb 100644
5314 +--- a/net/core/sock.c
5315 ++++ b/net/core/sock.c
5316 +@@ -2743,6 +2743,9 @@ void sock_init_data(struct socket *sock, struct sock *sk)
5317 + sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
5318 +
5319 + sk->sk_stamp = SK_DEFAULT_STAMP;
5320 ++#if BITS_PER_LONG==32
5321 ++ seqlock_init(&sk->sk_stamp_seq);
5322 ++#endif
5323 + atomic_set(&sk->sk_zckey, 0);
5324 +
5325 + #ifdef CONFIG_NET_RX_BUSY_POLL
5326 +@@ -2842,12 +2845,13 @@ int sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
5327 + struct timeval tv;
5328 +
5329 + sock_enable_timestamp(sk, SOCK_TIMESTAMP);
5330 +- tv = ktime_to_timeval(sk->sk_stamp);
5331 ++ tv = ktime_to_timeval(sock_read_timestamp(sk));
5332 + if (tv.tv_sec == -1)
5333 + return -ENOENT;
5334 + if (tv.tv_sec == 0) {
5335 +- sk->sk_stamp = ktime_get_real();
5336 +- tv = ktime_to_timeval(sk->sk_stamp);
5337 ++ ktime_t kt = ktime_get_real();
5338 ++ sock_write_timestamp(sk, kt);
5339 ++ tv = ktime_to_timeval(kt);
5340 + }
5341 + return copy_to_user(userstamp, &tv, sizeof(tv)) ? -EFAULT : 0;
5342 + }
5343 +@@ -2858,11 +2862,12 @@ int sock_get_timestampns(struct sock *sk, struct timespec __user *userstamp)
5344 + struct timespec ts;
5345 +
5346 + sock_enable_timestamp(sk, SOCK_TIMESTAMP);
5347 +- ts = ktime_to_timespec(sk->sk_stamp);
5348 ++ ts = ktime_to_timespec(sock_read_timestamp(sk));
5349 + if (ts.tv_sec == -1)
5350 + return -ENOENT;
5351 + if (ts.tv_sec == 0) {
5352 +- sk->sk_stamp = ktime_get_real();
5353 ++ ktime_t kt = ktime_get_real();
5354 ++ sock_write_timestamp(sk, kt);
5355 + ts = ktime_to_timespec(sk->sk_stamp);
5356 + }
5357 + return copy_to_user(userstamp, &ts, sizeof(ts)) ? -EFAULT : 0;
5358 +diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
5359 +index ca53efa17be1..8bec827081cd 100644
5360 +--- a/net/ieee802154/6lowpan/tx.c
5361 ++++ b/net/ieee802154/6lowpan/tx.c
5362 +@@ -48,6 +48,9 @@ int lowpan_header_create(struct sk_buff *skb, struct net_device *ldev,
5363 + const struct ipv6hdr *hdr = ipv6_hdr(skb);
5364 + struct neighbour *n;
5365 +
5366 ++ if (!daddr)
5367 ++ return -EINVAL;
5368 ++
5369 + /* TODO:
5370 + * if this package isn't ipv6 one, where should it be routed?
5371 + */
5372 +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
5373 +index 38befe829caf..0fe9419bd12b 100644
5374 +--- a/net/ipv4/ip_gre.c
5375 ++++ b/net/ipv4/ip_gre.c
5376 +@@ -674,6 +674,9 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
5377 + struct ip_tunnel *tunnel = netdev_priv(dev);
5378 + const struct iphdr *tnl_params;
5379 +
5380 ++ if (!pskb_inet_may_pull(skb))
5381 ++ goto free_skb;
5382 ++
5383 + if (tunnel->collect_md) {
5384 + gre_fb_xmit(skb, dev, skb->protocol);
5385 + return NETDEV_TX_OK;
5386 +@@ -717,6 +720,9 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
5387 + struct ip_tunnel *tunnel = netdev_priv(dev);
5388 + bool truncate = false;
5389 +
5390 ++ if (!pskb_inet_may_pull(skb))
5391 ++ goto free_skb;
5392 ++
5393 + if (tunnel->collect_md) {
5394 + erspan_fb_xmit(skb, dev, skb->protocol);
5395 + return NETDEV_TX_OK;
5396 +@@ -760,6 +766,9 @@ static netdev_tx_t gre_tap_xmit(struct sk_buff *skb,
5397 + {
5398 + struct ip_tunnel *tunnel = netdev_priv(dev);
5399 +
5400 ++ if (!pskb_inet_may_pull(skb))
5401 ++ goto free_skb;
5402 ++
5403 + if (tunnel->collect_md) {
5404 + gre_fb_xmit(skb, dev, htons(ETH_P_TEB));
5405 + return NETDEV_TX_OK;
5406 +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
5407 +index 284a22154b4e..c4f5602308ed 100644
5408 +--- a/net/ipv4/ip_tunnel.c
5409 ++++ b/net/ipv4/ip_tunnel.c
5410 +@@ -627,7 +627,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
5411 + const struct iphdr *tnl_params, u8 protocol)
5412 + {
5413 + struct ip_tunnel *tunnel = netdev_priv(dev);
5414 +- unsigned int inner_nhdr_len = 0;
5415 + const struct iphdr *inner_iph;
5416 + struct flowi4 fl4;
5417 + u8 tos, ttl;
5418 +@@ -637,14 +636,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
5419 + __be32 dst;
5420 + bool connected;
5421 +
5422 +- /* ensure we can access the inner net header, for several users below */
5423 +- if (skb->protocol == htons(ETH_P_IP))
5424 +- inner_nhdr_len = sizeof(struct iphdr);
5425 +- else if (skb->protocol == htons(ETH_P_IPV6))
5426 +- inner_nhdr_len = sizeof(struct ipv6hdr);
5427 +- if (unlikely(!pskb_may_pull(skb, inner_nhdr_len)))
5428 +- goto tx_error;
5429 +-
5430 + inner_iph = (const struct iphdr *)skb_inner_network_header(skb);
5431 + connected = (tunnel->parms.iph.daddr != 0);
5432 +
5433 +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
5434 +index de31b302d69c..d7b43e700023 100644
5435 +--- a/net/ipv4/ip_vti.c
5436 ++++ b/net/ipv4/ip_vti.c
5437 +@@ -241,6 +241,9 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
5438 + struct ip_tunnel *tunnel = netdev_priv(dev);
5439 + struct flowi fl;
5440 +
5441 ++ if (!pskb_inet_may_pull(skb))
5442 ++ goto tx_err;
5443 ++
5444 + memset(&fl, 0, sizeof(fl));
5445 +
5446 + switch (skb->protocol) {
5447 +@@ -253,15 +256,18 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
5448 + memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
5449 + break;
5450 + default:
5451 +- dev->stats.tx_errors++;
5452 +- dev_kfree_skb(skb);
5453 +- return NETDEV_TX_OK;
5454 ++ goto tx_err;
5455 + }
5456 +
5457 + /* override mark with tunnel output key */
5458 + fl.flowi_mark = be32_to_cpu(tunnel->parms.o_key);
5459 +
5460 + return vti_xmit(skb, dev, &fl);
5461 ++
5462 ++tx_err:
5463 ++ dev->stats.tx_errors++;
5464 ++ kfree_skb(skb);
5465 ++ return NETDEV_TX_OK;
5466 + }
5467 +
5468 + static int vti4_err(struct sk_buff *skb, u32 info)
5469 +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
5470 +index 515adbdba1d2..0f7d434c1eed 100644
5471 +--- a/net/ipv6/ip6_gre.c
5472 ++++ b/net/ipv6/ip6_gre.c
5473 +@@ -879,6 +879,9 @@ static netdev_tx_t ip6gre_tunnel_xmit(struct sk_buff *skb,
5474 + struct net_device_stats *stats = &t->dev->stats;
5475 + int ret;
5476 +
5477 ++ if (!pskb_inet_may_pull(skb))
5478 ++ goto tx_err;
5479 ++
5480 + if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr))
5481 + goto tx_err;
5482 +
5483 +@@ -921,6 +924,9 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
5484 + int nhoff;
5485 + int thoff;
5486 +
5487 ++ if (!pskb_inet_may_pull(skb))
5488 ++ goto tx_err;
5489 ++
5490 + if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr))
5491 + goto tx_err;
5492 +
5493 +@@ -993,8 +999,6 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
5494 + goto tx_err;
5495 + }
5496 + } else {
5497 +- struct ipv6hdr *ipv6h = ipv6_hdr(skb);
5498 +-
5499 + switch (skb->protocol) {
5500 + case htons(ETH_P_IP):
5501 + memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
5502 +@@ -1002,7 +1006,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
5503 + &dsfield, &encap_limit);
5504 + break;
5505 + case htons(ETH_P_IPV6):
5506 +- if (ipv6_addr_equal(&t->parms.raddr, &ipv6h->saddr))
5507 ++ if (ipv6_addr_equal(&t->parms.raddr, &ipv6_hdr(skb)->saddr))
5508 + goto tx_err;
5509 + if (prepare_ip6gre_xmit_ipv6(skb, dev, &fl6,
5510 + &dsfield, &encap_limit))
5511 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
5512 +index 99179b9c8384..0c6403cf8b52 100644
5513 +--- a/net/ipv6/ip6_tunnel.c
5514 ++++ b/net/ipv6/ip6_tunnel.c
5515 +@@ -1243,10 +1243,6 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
5516 + u8 tproto;
5517 + int err;
5518 +
5519 +- /* ensure we can access the full inner ip header */
5520 +- if (!pskb_may_pull(skb, sizeof(struct iphdr)))
5521 +- return -1;
5522 +-
5523 + iph = ip_hdr(skb);
5524 + memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
5525 +
5526 +@@ -1321,9 +1317,6 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
5527 + u8 tproto;
5528 + int err;
5529 +
5530 +- if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
5531 +- return -1;
5532 +-
5533 + ipv6h = ipv6_hdr(skb);
5534 + tproto = READ_ONCE(t->parms.proto);
5535 + if ((tproto != IPPROTO_IPV6 && tproto != 0) ||
5536 +@@ -1405,6 +1398,9 @@ ip6_tnl_start_xmit(struct sk_buff *skb, struct net_device *dev)
5537 + struct net_device_stats *stats = &t->dev->stats;
5538 + int ret;
5539 +
5540 ++ if (!pskb_inet_may_pull(skb))
5541 ++ goto tx_err;
5542 ++
5543 + switch (skb->protocol) {
5544 + case htons(ETH_P_IP):
5545 + ret = ip4ip6_tnl_xmit(skb, dev);
5546 +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
5547 +index 706fe42e4928..8b6eefff2f7e 100644
5548 +--- a/net/ipv6/ip6_vti.c
5549 ++++ b/net/ipv6/ip6_vti.c
5550 +@@ -522,18 +522,18 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
5551 + {
5552 + struct ip6_tnl *t = netdev_priv(dev);
5553 + struct net_device_stats *stats = &t->dev->stats;
5554 +- struct ipv6hdr *ipv6h;
5555 + struct flowi fl;
5556 + int ret;
5557 +
5558 ++ if (!pskb_inet_may_pull(skb))
5559 ++ goto tx_err;
5560 ++
5561 + memset(&fl, 0, sizeof(fl));
5562 +
5563 + switch (skb->protocol) {
5564 + case htons(ETH_P_IPV6):
5565 +- ipv6h = ipv6_hdr(skb);
5566 +-
5567 + if ((t->parms.proto != IPPROTO_IPV6 && t->parms.proto != 0) ||
5568 +- vti6_addr_conflict(t, ipv6h))
5569 ++ vti6_addr_conflict(t, ipv6_hdr(skb)))
5570 + goto tx_err;
5571 +
5572 + xfrm_decode_session(skb, &fl, AF_INET6);
5573 +diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
5574 +index 377a2ee5d9ad..eb3220812b56 100644
5575 +--- a/net/ipv6/ip6mr.c
5576 ++++ b/net/ipv6/ip6mr.c
5577 +@@ -51,6 +51,7 @@
5578 + #include <linux/export.h>
5579 + #include <net/ip6_checksum.h>
5580 + #include <linux/netconf.h>
5581 ++#include <net/ip_tunnels.h>
5582 +
5583 + #include <linux/nospec.h>
5584 +
5585 +@@ -599,13 +600,12 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
5586 + .flowi6_iif = skb->skb_iif ? : LOOPBACK_IFINDEX,
5587 + .flowi6_mark = skb->mark,
5588 + };
5589 +- int err;
5590 +
5591 +- err = ip6mr_fib_lookup(net, &fl6, &mrt);
5592 +- if (err < 0) {
5593 +- kfree_skb(skb);
5594 +- return err;
5595 +- }
5596 ++ if (!pskb_inet_may_pull(skb))
5597 ++ goto tx_err;
5598 ++
5599 ++ if (ip6mr_fib_lookup(net, &fl6, &mrt) < 0)
5600 ++ goto tx_err;
5601 +
5602 + read_lock(&mrt_lock);
5603 + dev->stats.tx_bytes += skb->len;
5604 +@@ -614,6 +614,11 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
5605 + read_unlock(&mrt_lock);
5606 + kfree_skb(skb);
5607 + return NETDEV_TX_OK;
5608 ++
5609 ++tx_err:
5610 ++ dev->stats.tx_errors++;
5611 ++ kfree_skb(skb);
5612 ++ return NETDEV_TX_OK;
5613 + }
5614 +
5615 + static int reg_vif_get_iflink(const struct net_device *dev)
5616 +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
5617 +index 51c9f75f34b9..1e03305c0549 100644
5618 +--- a/net/ipv6/sit.c
5619 ++++ b/net/ipv6/sit.c
5620 +@@ -1021,6 +1021,9 @@ tx_error:
5621 + static netdev_tx_t sit_tunnel_xmit(struct sk_buff *skb,
5622 + struct net_device *dev)
5623 + {
5624 ++ if (!pskb_inet_may_pull(skb))
5625 ++ goto tx_err;
5626 ++
5627 + switch (skb->protocol) {
5628 + case htons(ETH_P_IP):
5629 + sit_tunnel_xmit__(skb, dev, IPPROTO_IPIP);
5630 +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
5631 +index 03f37c4e64fe..1d3144d19903 100644
5632 +--- a/net/netrom/af_netrom.c
5633 ++++ b/net/netrom/af_netrom.c
5634 +@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr)
5635 + sk_for_each(s, &nr_list)
5636 + if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
5637 + s->sk_state == TCP_LISTEN) {
5638 +- bh_lock_sock(s);
5639 ++ sock_hold(s);
5640 + goto found;
5641 + }
5642 + s = NULL;
5643 +@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id)
5644 + struct nr_sock *nr = nr_sk(s);
5645 +
5646 + if (nr->my_index == index && nr->my_id == id) {
5647 +- bh_lock_sock(s);
5648 ++ sock_hold(s);
5649 + goto found;
5650 + }
5651 + }
5652 +@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id,
5653 +
5654 + if (nr->your_index == index && nr->your_id == id &&
5655 + !ax25cmp(&nr->dest_addr, dest)) {
5656 +- bh_lock_sock(s);
5657 ++ sock_hold(s);
5658 + goto found;
5659 + }
5660 + }
5661 +@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void)
5662 + if (i != 0 && j != 0) {
5663 + if ((sk=nr_find_socket(i, j)) == NULL)
5664 + break;
5665 +- bh_unlock_sock(sk);
5666 ++ sock_put(sk);
5667 + }
5668 +
5669 + id++;
5670 +@@ -920,6 +920,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
5671 + }
5672 +
5673 + if (sk != NULL) {
5674 ++ bh_lock_sock(sk);
5675 + skb_reset_transport_header(skb);
5676 +
5677 + if (frametype == NR_CONNACK && skb->len == 22)
5678 +@@ -929,6 +930,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
5679 +
5680 + ret = nr_process_rx_frame(sk, skb);
5681 + bh_unlock_sock(sk);
5682 ++ sock_put(sk);
5683 + return ret;
5684 + }
5685 +
5686 +@@ -960,10 +962,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
5687 + (make = nr_make_new(sk)) == NULL) {
5688 + nr_transmit_refusal(skb, 0);
5689 + if (sk)
5690 +- bh_unlock_sock(sk);
5691 ++ sock_put(sk);
5692 + return 0;
5693 + }
5694 +
5695 ++ bh_lock_sock(sk);
5696 ++
5697 + window = skb->data[20];
5698 +
5699 + skb->sk = make;
5700 +@@ -1016,6 +1020,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
5701 + sk->sk_data_ready(sk);
5702 +
5703 + bh_unlock_sock(sk);
5704 ++ sock_put(sk);
5705 +
5706 + nr_insert_socket(make);
5707 +
5708 +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
5709 +index 5dda263b4a0a..eedacdebcd4c 100644
5710 +--- a/net/packet/af_packet.c
5711 ++++ b/net/packet/af_packet.c
5712 +@@ -2625,7 +2625,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
5713 + sll_addr)))
5714 + goto out;
5715 + proto = saddr->sll_protocol;
5716 +- addr = saddr->sll_addr;
5717 ++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
5718 + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
5719 + if (addr && dev && saddr->sll_halen < dev->addr_len)
5720 + goto out;
5721 +@@ -2825,7 +2825,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
5722 + if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
5723 + goto out;
5724 + proto = saddr->sll_protocol;
5725 +- addr = saddr->sll_addr;
5726 ++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
5727 + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
5728 + if (addr && dev && saddr->sll_halen < dev->addr_len)
5729 + goto out;
5730 +diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
5731 +index 986f3ed7d1a2..b7e67310ec37 100644
5732 +--- a/net/sunrpc/svcsock.c
5733 ++++ b/net/sunrpc/svcsock.c
5734 +@@ -549,7 +549,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
5735 + /* Don't enable netstamp, sunrpc doesn't
5736 + need that much accuracy */
5737 + }
5738 +- svsk->sk_sk->sk_stamp = skb->tstamp;
5739 ++ sock_write_timestamp(svsk->sk_sk, skb->tstamp);
5740 + set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
5741 +
5742 + len = skb->len;
5743 +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
5744 +index e65c3a8551e4..040153ffc357 100644
5745 +--- a/net/tipc/bearer.c
5746 ++++ b/net/tipc/bearer.c
5747 +@@ -317,7 +317,6 @@ static int tipc_enable_bearer(struct net *net, const char *name,
5748 + res = tipc_disc_create(net, b, &b->bcast_addr, &skb);
5749 + if (res) {
5750 + bearer_disable(net, b);
5751 +- kfree(b);
5752 + errstr = "failed to create discoverer";
5753 + goto rejected;
5754 + }
5755 +diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
5756 +index 70e65a2ff207..8bdea5abad11 100644
5757 +--- a/security/keys/keyctl_pkey.c
5758 ++++ b/security/keys/keyctl_pkey.c
5759 +@@ -50,6 +50,8 @@ static int keyctl_pkey_params_parse(struct kernel_pkey_params *params)
5760 + if (*p == '\0' || *p == ' ' || *p == '\t')
5761 + continue;
5762 + token = match_token(p, param_keys, args);
5763 ++ if (token == Opt_err)
5764 ++ return -EINVAL;
5765 + if (__test_and_set_bit(token, &token_mask))
5766 + return -EINVAL;
5767 + q = args[0].from;
5768 +diff --git a/sound/core/pcm.c b/sound/core/pcm.c
5769 +index fdb9b92fc8d6..01b9d62eef14 100644
5770 +--- a/sound/core/pcm.c
5771 ++++ b/sound/core/pcm.c
5772 +@@ -25,6 +25,7 @@
5773 + #include <linux/time.h>
5774 + #include <linux/mutex.h>
5775 + #include <linux/device.h>
5776 ++#include <linux/nospec.h>
5777 + #include <sound/core.h>
5778 + #include <sound/minors.h>
5779 + #include <sound/pcm.h>
5780 +@@ -129,6 +130,7 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
5781 + return -EFAULT;
5782 + if (stream < 0 || stream > 1)
5783 + return -EINVAL;
5784 ++ stream = array_index_nospec(stream, 2);
5785 + if (get_user(subdevice, &info->subdevice))
5786 + return -EFAULT;
5787 + mutex_lock(&register_mutex);
5788 +diff --git a/sound/firewire/amdtp-stream-trace.h b/sound/firewire/amdtp-stream-trace.h
5789 +index 54cdd4ffa9ce..ac20acf48fc6 100644
5790 +--- a/sound/firewire/amdtp-stream-trace.h
5791 ++++ b/sound/firewire/amdtp-stream-trace.h
5792 +@@ -131,7 +131,7 @@ TRACE_EVENT(in_packet_without_header,
5793 + __entry->index = index;
5794 + ),
5795 + TP_printk(
5796 +- "%02u %04u %04x %04x %02d %03u %3u %3u %02u %01u %02u",
5797 ++ "%02u %04u %04x %04x %02d %03u %02u %03u %02u %01u %02u",
5798 + __entry->second,
5799 + __entry->cycle,
5800 + __entry->src,
5801 +@@ -169,7 +169,7 @@ TRACE_EVENT(out_packet_without_header,
5802 + __entry->dest = fw_parent_device(s->unit)->node_id;
5803 + __entry->payload_quadlets = payload_length / 4;
5804 + __entry->data_blocks = data_blocks,
5805 +- __entry->data_blocks = s->data_block_counter,
5806 ++ __entry->data_block_counter = s->data_block_counter,
5807 + __entry->packet_index = s->packet_index;
5808 + __entry->irq = !!in_interrupt();
5809 + __entry->index = index;
5810 +diff --git a/sound/firewire/amdtp-stream.c b/sound/firewire/amdtp-stream.c
5811 +index 9be76c808fcc..3ada55ed5381 100644
5812 +--- a/sound/firewire/amdtp-stream.c
5813 ++++ b/sound/firewire/amdtp-stream.c
5814 +@@ -654,15 +654,17 @@ end:
5815 + }
5816 +
5817 + static int handle_in_packet_without_header(struct amdtp_stream *s,
5818 +- unsigned int payload_quadlets, unsigned int cycle,
5819 ++ unsigned int payload_length, unsigned int cycle,
5820 + unsigned int index)
5821 + {
5822 + __be32 *buffer;
5823 ++ unsigned int payload_quadlets;
5824 + unsigned int data_blocks;
5825 + struct snd_pcm_substream *pcm;
5826 + unsigned int pcm_frames;
5827 +
5828 + buffer = s->buffer.packets[s->packet_index].buffer;
5829 ++ payload_quadlets = payload_length / 4;
5830 + data_blocks = payload_quadlets / s->data_block_quadlets;
5831 +
5832 + trace_in_packet_without_header(s, cycle, payload_quadlets, data_blocks,
5833 +diff --git a/sound/firewire/fireface/ff-protocol-ff400.c b/sound/firewire/fireface/ff-protocol-ff400.c
5834 +index 654a50319198..4d191172fe3f 100644
5835 +--- a/sound/firewire/fireface/ff-protocol-ff400.c
5836 ++++ b/sound/firewire/fireface/ff-protocol-ff400.c
5837 +@@ -152,7 +152,7 @@ static int ff400_switch_fetching_mode(struct snd_ff *ff, bool enable)
5838 + if (reg == NULL)
5839 + return -ENOMEM;
5840 +
5841 +- if (enable) {
5842 ++ if (!enable) {
5843 + /*
5844 + * Each quadlet is corresponding to data channels in a data
5845 + * blocks in reverse order. Precisely, quadlets for available
5846 +diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
5847 +index 6ebe817801ea..1f25e6d029d8 100644
5848 +--- a/sound/pci/emu10k1/emufx.c
5849 ++++ b/sound/pci/emu10k1/emufx.c
5850 +@@ -36,6 +36,7 @@
5851 + #include <linux/init.h>
5852 + #include <linux/mutex.h>
5853 + #include <linux/moduleparam.h>
5854 ++#include <linux/nospec.h>
5855 +
5856 + #include <sound/core.h>
5857 + #include <sound/tlv.h>
5858 +@@ -1026,6 +1027,8 @@ static int snd_emu10k1_ipcm_poke(struct snd_emu10k1 *emu,
5859 +
5860 + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
5861 + return -EINVAL;
5862 ++ ipcm->substream = array_index_nospec(ipcm->substream,
5863 ++ EMU10K1_FX8010_PCM_COUNT);
5864 + if (ipcm->channels > 32)
5865 + return -EINVAL;
5866 + pcm = &emu->fx8010.pcm[ipcm->substream];
5867 +@@ -1072,6 +1075,8 @@ static int snd_emu10k1_ipcm_peek(struct snd_emu10k1 *emu,
5868 +
5869 + if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
5870 + return -EINVAL;
5871 ++ ipcm->substream = array_index_nospec(ipcm->substream,
5872 ++ EMU10K1_FX8010_PCM_COUNT);
5873 + pcm = &emu->fx8010.pcm[ipcm->substream];
5874 + mutex_lock(&emu->fx8010.lock);
5875 + spin_lock_irq(&emu->reg_lock);
5876 +diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
5877 +index dd7d4242d6d2..86841d46a8fc 100644
5878 +--- a/sound/pci/hda/hda_tegra.c
5879 ++++ b/sound/pci/hda/hda_tegra.c
5880 +@@ -233,10 +233,12 @@ static int hda_tegra_suspend(struct device *dev)
5881 + struct snd_card *card = dev_get_drvdata(dev);
5882 + struct azx *chip = card->private_data;
5883 + struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
5884 ++ struct hdac_bus *bus = azx_bus(chip);
5885 +
5886 + snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
5887 +
5888 + azx_stop_chip(chip);
5889 ++ synchronize_irq(bus->irq);
5890 + azx_enter_link_reset(chip);
5891 + hda_tegra_disable_clocks(hda);
5892 +
5893 +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
5894 +index 950e02e71766..51cc6589443f 100644
5895 +--- a/sound/pci/hda/patch_conexant.c
5896 ++++ b/sound/pci/hda/patch_conexant.c
5897 +@@ -923,6 +923,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
5898 + SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
5899 + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
5900 + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
5901 ++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
5902 + SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
5903 + SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
5904 + SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
5905 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
5906 +index 15021c839372..54fc9c0f07de 100644
5907 +--- a/sound/pci/hda/patch_realtek.c
5908 ++++ b/sound/pci/hda/patch_realtek.c
5909 +@@ -6424,7 +6424,7 @@ static const struct hda_fixup alc269_fixups[] = {
5910 + [ALC294_FIXUP_ASUS_HEADSET_MIC] = {
5911 + .type = HDA_FIXUP_PINS,
5912 + .v.pins = (const struct hda_pintbl[]) {
5913 +- { 0x19, 0x01a1113c }, /* use as headset mic, without its own jack detect */
5914 ++ { 0x19, 0x01a1103c }, /* use as headset mic */
5915 + { }
5916 + },
5917 + .chained = true,
5918 +@@ -6573,6 +6573,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5919 + SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
5920 + SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
5921 + SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
5922 ++ SND_PCI_QUIRK(0x1043, 0x10a1, "ASUS UX391UA", ALC294_FIXUP_ASUS_SPK),
5923 + SND_PCI_QUIRK(0x1043, 0x10c0, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
5924 + SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
5925 + SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
5926 +diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
5927 +index 1bff4b1b39cd..ba99ff0e93e0 100644
5928 +--- a/sound/pci/rme9652/hdsp.c
5929 ++++ b/sound/pci/rme9652/hdsp.c
5930 +@@ -30,6 +30,7 @@
5931 + #include <linux/math64.h>
5932 + #include <linux/vmalloc.h>
5933 + #include <linux/io.h>
5934 ++#include <linux/nospec.h>
5935 +
5936 + #include <sound/core.h>
5937 + #include <sound/control.h>
5938 +@@ -4092,15 +4093,16 @@ static int snd_hdsp_channel_info(struct snd_pcm_substream *substream,
5939 + struct snd_pcm_channel_info *info)
5940 + {
5941 + struct hdsp *hdsp = snd_pcm_substream_chip(substream);
5942 +- int mapped_channel;
5943 ++ unsigned int channel = info->channel;
5944 +
5945 +- if (snd_BUG_ON(info->channel >= hdsp->max_channels))
5946 ++ if (snd_BUG_ON(channel >= hdsp->max_channels))
5947 + return -EINVAL;
5948 ++ channel = array_index_nospec(channel, hdsp->max_channels);
5949 +
5950 +- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
5951 ++ if (hdsp->channel_map[channel] < 0)
5952 + return -EINVAL;
5953 +
5954 +- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;
5955 ++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES;
5956 + info->first = 0;
5957 + info->step = 32;
5958 + return 0;
5959 +diff --git a/sound/soc/intel/boards/cht_bsw_max98090_ti.c b/sound/soc/intel/boards/cht_bsw_max98090_ti.c
5960 +index 9d9f6e41d81c..08a5152e635a 100644
5961 +--- a/sound/soc/intel/boards/cht_bsw_max98090_ti.c
5962 ++++ b/sound/soc/intel/boards/cht_bsw_max98090_ti.c
5963 +@@ -389,6 +389,20 @@ static struct snd_soc_card snd_soc_card_cht = {
5964 + };
5965 +
5966 + static const struct dmi_system_id cht_max98090_quirk_table[] = {
5967 ++ {
5968 ++ /* Clapper model Chromebook */
5969 ++ .matches = {
5970 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Clapper"),
5971 ++ },
5972 ++ .driver_data = (void *)QUIRK_PMC_PLT_CLK_0,
5973 ++ },
5974 ++ {
5975 ++ /* Gnawty model Chromebook (Acer Chromebook CB3-111) */
5976 ++ .matches = {
5977 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Gnawty"),
5978 ++ },
5979 ++ .driver_data = (void *)QUIRK_PMC_PLT_CLK_0,
5980 ++ },
5981 + {
5982 + /* Swanky model Chromebook (Toshiba Chromebook 2) */
5983 + .matches = {
5984 +diff --git a/sound/synth/emux/emux_hwdep.c b/sound/synth/emux/emux_hwdep.c
5985 +index e557946718a9..d9fcae071b47 100644
5986 +--- a/sound/synth/emux/emux_hwdep.c
5987 ++++ b/sound/synth/emux/emux_hwdep.c
5988 +@@ -22,9 +22,9 @@
5989 + #include <sound/core.h>
5990 + #include <sound/hwdep.h>
5991 + #include <linux/uaccess.h>
5992 ++#include <linux/nospec.h>
5993 + #include "emux_voice.h"
5994 +
5995 +-
5996 + #define TMP_CLIENT_ID 0x1001
5997 +
5998 + /*
5999 +@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux *emu, void __user *arg)
6000 + return -EFAULT;
6001 + if (info.mode < 0 || info.mode >= EMUX_MD_END)
6002 + return -EINVAL;
6003 ++ info.mode = array_index_nospec(info.mode, EMUX_MD_END);
6004 +
6005 + if (info.port < 0) {
6006 + for (i = 0; i < emu->num_ports; i++)
6007 + emu->portptrs[i]->ctrls[info.mode] = info.value;
6008 + } else {
6009 +- if (info.port < emu->num_ports)
6010 ++ if (info.port < emu->num_ports) {
6011 ++ info.port = array_index_nospec(info.port, emu->num_ports);
6012 + emu->portptrs[info.port]->ctrls[info.mode] = info.value;
6013 ++ }
6014 + }
6015 + return 0;
6016 + }
6017 +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
6018 +index 3692f29fee46..70144b98141c 100644
6019 +--- a/tools/lib/traceevent/event-parse.c
6020 ++++ b/tools/lib/traceevent/event-parse.c
6021 +@@ -4970,6 +4970,7 @@ static void pretty_print(struct trace_seq *s, void *data, int size, struct tep_e
6022 +
6023 + if (arg->type == TEP_PRINT_BSTRING) {
6024 + trace_seq_puts(s, arg->string.string);
6025 ++ arg = arg->next;
6026 + break;
6027 + }
6028 +
6029 +diff --git a/tools/perf/arch/common.c b/tools/perf/arch/common.c
6030 +index 82657c01a3b8..5f69fd0b745a 100644
6031 +--- a/tools/perf/arch/common.c
6032 ++++ b/tools/perf/arch/common.c
6033 +@@ -200,3 +200,13 @@ int perf_env__lookup_objdump(struct perf_env *env, const char **path)
6034 +
6035 + return perf_env__lookup_binutils_path(env, "objdump", path);
6036 + }
6037 ++
6038 ++/*
6039 ++ * Some architectures have a single address space for kernel and user addresses,
6040 ++ * which makes it possible to determine if an address is in kernel space or user
6041 ++ * space.
6042 ++ */
6043 ++bool perf_env__single_address_space(struct perf_env *env)
6044 ++{
6045 ++ return strcmp(perf_env__arch(env), "sparc");
6046 ++}
6047 +diff --git a/tools/perf/arch/common.h b/tools/perf/arch/common.h
6048 +index 2167001b18c5..c298a446d1f6 100644
6049 +--- a/tools/perf/arch/common.h
6050 ++++ b/tools/perf/arch/common.h
6051 +@@ -5,5 +5,6 @@
6052 + #include "../util/env.h"
6053 +
6054 + int perf_env__lookup_objdump(struct perf_env *env, const char **path);
6055 ++bool perf_env__single_address_space(struct perf_env *env);
6056 +
6057 + #endif /* ARCH_PERF_COMMON_H */
6058 +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
6059 +index b5bc85bd0bbe..a7b4d3f611c5 100644
6060 +--- a/tools/perf/builtin-script.c
6061 ++++ b/tools/perf/builtin-script.c
6062 +@@ -728,8 +728,8 @@ static int perf_sample__fprintf_brstack(struct perf_sample *sample,
6063 + if (PRINT_FIELD(DSO)) {
6064 + memset(&alf, 0, sizeof(alf));
6065 + memset(&alt, 0, sizeof(alt));
6066 +- thread__find_map(thread, sample->cpumode, from, &alf);
6067 +- thread__find_map(thread, sample->cpumode, to, &alt);
6068 ++ thread__find_map_fb(thread, sample->cpumode, from, &alf);
6069 ++ thread__find_map_fb(thread, sample->cpumode, to, &alt);
6070 + }
6071 +
6072 + printed += fprintf(fp, " 0x%"PRIx64, from);
6073 +@@ -775,8 +775,8 @@ static int perf_sample__fprintf_brstacksym(struct perf_sample *sample,
6074 + from = br->entries[i].from;
6075 + to = br->entries[i].to;
6076 +
6077 +- thread__find_symbol(thread, sample->cpumode, from, &alf);
6078 +- thread__find_symbol(thread, sample->cpumode, to, &alt);
6079 ++ thread__find_symbol_fb(thread, sample->cpumode, from, &alf);
6080 ++ thread__find_symbol_fb(thread, sample->cpumode, to, &alt);
6081 +
6082 + printed += symbol__fprintf_symname_offs(alf.sym, &alf, fp);
6083 + if (PRINT_FIELD(DSO)) {
6084 +@@ -820,11 +820,11 @@ static int perf_sample__fprintf_brstackoff(struct perf_sample *sample,
6085 + from = br->entries[i].from;
6086 + to = br->entries[i].to;
6087 +
6088 +- if (thread__find_map(thread, sample->cpumode, from, &alf) &&
6089 ++ if (thread__find_map_fb(thread, sample->cpumode, from, &alf) &&
6090 + !alf.map->dso->adjust_symbols)
6091 + from = map__map_ip(alf.map, from);
6092 +
6093 +- if (thread__find_map(thread, sample->cpumode, to, &alt) &&
6094 ++ if (thread__find_map_fb(thread, sample->cpumode, to, &alt) &&
6095 + !alt.map->dso->adjust_symbols)
6096 + to = map__map_ip(alt.map, to);
6097 +
6098 +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
6099 +index 59f38c7693f8..4c23779e271a 100644
6100 +--- a/tools/perf/util/env.c
6101 ++++ b/tools/perf/util/env.c
6102 +@@ -166,7 +166,7 @@ const char *perf_env__arch(struct perf_env *env)
6103 + struct utsname uts;
6104 + char *arch_name;
6105 +
6106 +- if (!env) { /* Assume local operation */
6107 ++ if (!env || !env->arch) { /* Assume local operation */
6108 + if (uname(&uts) < 0)
6109 + return NULL;
6110 + arch_name = uts.machine;
6111 +diff --git a/tools/perf/util/event.c b/tools/perf/util/event.c
6112 +index e9c108a6b1c3..24493200cf80 100644
6113 +--- a/tools/perf/util/event.c
6114 ++++ b/tools/perf/util/event.c
6115 +@@ -1577,6 +1577,24 @@ struct map *thread__find_map(struct thread *thread, u8 cpumode, u64 addr,
6116 + return al->map;
6117 + }
6118 +
6119 ++/*
6120 ++ * For branch stacks or branch samples, the sample cpumode might not be correct
6121 ++ * because it applies only to the sample 'ip' and not necessary to 'addr' or
6122 ++ * branch stack addresses. If possible, use a fallback to deal with those cases.
6123 ++ */
6124 ++struct map *thread__find_map_fb(struct thread *thread, u8 cpumode, u64 addr,
6125 ++ struct addr_location *al)
6126 ++{
6127 ++ struct map *map = thread__find_map(thread, cpumode, addr, al);
6128 ++ struct machine *machine = thread->mg->machine;
6129 ++ u8 addr_cpumode = machine__addr_cpumode(machine, cpumode, addr);
6130 ++
6131 ++ if (map || addr_cpumode == cpumode)
6132 ++ return map;
6133 ++
6134 ++ return thread__find_map(thread, addr_cpumode, addr, al);
6135 ++}
6136 ++
6137 + struct symbol *thread__find_symbol(struct thread *thread, u8 cpumode,
6138 + u64 addr, struct addr_location *al)
6139 + {
6140 +@@ -1586,6 +1604,15 @@ struct symbol *thread__find_symbol(struct thread *thread, u8 cpumode,
6141 + return al->sym;
6142 + }
6143 +
6144 ++struct symbol *thread__find_symbol_fb(struct thread *thread, u8 cpumode,
6145 ++ u64 addr, struct addr_location *al)
6146 ++{
6147 ++ al->sym = NULL;
6148 ++ if (thread__find_map_fb(thread, cpumode, addr, al))
6149 ++ al->sym = map__find_symbol(al->map, al->addr);
6150 ++ return al->sym;
6151 ++}
6152 ++
6153 + /*
6154 + * Callers need to drop the reference to al->thread, obtained in
6155 + * machine__findnew_thread()
6156 +@@ -1679,7 +1706,7 @@ bool sample_addr_correlates_sym(struct perf_event_attr *attr)
6157 + void thread__resolve(struct thread *thread, struct addr_location *al,
6158 + struct perf_sample *sample)
6159 + {
6160 +- thread__find_map(thread, sample->cpumode, sample->addr, al);
6161 ++ thread__find_map_fb(thread, sample->cpumode, sample->addr, al);
6162 +
6163 + al->cpu = sample->cpu;
6164 + al->sym = NULL;
6165 +diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
6166 +index 8f36ce813bc5..9397e3f2444d 100644
6167 +--- a/tools/perf/util/machine.c
6168 ++++ b/tools/perf/util/machine.c
6169 +@@ -2592,6 +2592,33 @@ int machine__get_kernel_start(struct machine *machine)
6170 + return err;
6171 + }
6172 +
6173 ++u8 machine__addr_cpumode(struct machine *machine, u8 cpumode, u64 addr)
6174 ++{
6175 ++ u8 addr_cpumode = cpumode;
6176 ++ bool kernel_ip;
6177 ++
6178 ++ if (!machine->single_address_space)
6179 ++ goto out;
6180 ++
6181 ++ kernel_ip = machine__kernel_ip(machine, addr);
6182 ++ switch (cpumode) {
6183 ++ case PERF_RECORD_MISC_KERNEL:
6184 ++ case PERF_RECORD_MISC_USER:
6185 ++ addr_cpumode = kernel_ip ? PERF_RECORD_MISC_KERNEL :
6186 ++ PERF_RECORD_MISC_USER;
6187 ++ break;
6188 ++ case PERF_RECORD_MISC_GUEST_KERNEL:
6189 ++ case PERF_RECORD_MISC_GUEST_USER:
6190 ++ addr_cpumode = kernel_ip ? PERF_RECORD_MISC_GUEST_KERNEL :
6191 ++ PERF_RECORD_MISC_GUEST_USER;
6192 ++ break;
6193 ++ default:
6194 ++ break;
6195 ++ }
6196 ++out:
6197 ++ return addr_cpumode;
6198 ++}
6199 ++
6200 + struct dso *machine__findnew_dso(struct machine *machine, const char *filename)
6201 + {
6202 + return dsos__findnew(&machine->dsos, filename);
6203 +diff --git a/tools/perf/util/machine.h b/tools/perf/util/machine.h
6204 +index d856b85862e2..ebde3ea70225 100644
6205 +--- a/tools/perf/util/machine.h
6206 ++++ b/tools/perf/util/machine.h
6207 +@@ -42,6 +42,7 @@ struct machine {
6208 + u16 id_hdr_size;
6209 + bool comm_exec;
6210 + bool kptr_restrict_warned;
6211 ++ bool single_address_space;
6212 + char *root_dir;
6213 + char *mmap_name;
6214 + struct threads threads[THREADS__TABLE_SIZE];
6215 +@@ -99,6 +100,8 @@ static inline bool machine__kernel_ip(struct machine *machine, u64 ip)
6216 + return ip >= kernel_start;
6217 + }
6218 +
6219 ++u8 machine__addr_cpumode(struct machine *machine, u8 cpumode, u64 addr);
6220 ++
6221 + struct thread *machine__find_thread(struct machine *machine, pid_t pid,
6222 + pid_t tid);
6223 + struct comm *machine__thread_exec_comm(struct machine *machine,
6224 +diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
6225 +index 7e49baad304d..7348eea0248f 100644
6226 +--- a/tools/perf/util/pmu.c
6227 ++++ b/tools/perf/util/pmu.c
6228 +@@ -145,7 +145,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
6229 + int fd, ret = -1;
6230 + char path[PATH_MAX];
6231 +
6232 +- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
6233 ++ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
6234 +
6235 + fd = open(path, O_RDONLY);
6236 + if (fd == -1)
6237 +@@ -175,7 +175,7 @@ static int perf_pmu__parse_unit(struct perf_pmu_alias *alias, char *dir, char *n
6238 + ssize_t sret;
6239 + int fd;
6240 +
6241 +- snprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
6242 ++ scnprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
6243 +
6244 + fd = open(path, O_RDONLY);
6245 + if (fd == -1)
6246 +@@ -205,7 +205,7 @@ perf_pmu__parse_per_pkg(struct perf_pmu_alias *alias, char *dir, char *name)
6247 + char path[PATH_MAX];
6248 + int fd;
6249 +
6250 +- snprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
6251 ++ scnprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
6252 +
6253 + fd = open(path, O_RDONLY);
6254 + if (fd == -1)
6255 +@@ -223,7 +223,7 @@ static int perf_pmu__parse_snapshot(struct perf_pmu_alias *alias,
6256 + char path[PATH_MAX];
6257 + int fd;
6258 +
6259 +- snprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
6260 ++ scnprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
6261 +
6262 + fd = open(path, O_RDONLY);
6263 + if (fd == -1)
6264 +diff --git a/tools/perf/util/scripting-engines/trace-event-python.c b/tools/perf/util/scripting-engines/trace-event-python.c
6265 +index 69aa93d4ee99..0c4b050f6fc2 100644
6266 +--- a/tools/perf/util/scripting-engines/trace-event-python.c
6267 ++++ b/tools/perf/util/scripting-engines/trace-event-python.c
6268 +@@ -494,14 +494,14 @@ static PyObject *python_process_brstack(struct perf_sample *sample,
6269 + pydict_set_item_string_decref(pyelem, "cycles",
6270 + PyLong_FromUnsignedLongLong(br->entries[i].flags.cycles));
6271 +
6272 +- thread__find_map(thread, sample->cpumode,
6273 +- br->entries[i].from, &al);
6274 ++ thread__find_map_fb(thread, sample->cpumode,
6275 ++ br->entries[i].from, &al);
6276 + dsoname = get_dsoname(al.map);
6277 + pydict_set_item_string_decref(pyelem, "from_dsoname",
6278 + _PyUnicode_FromString(dsoname));
6279 +
6280 +- thread__find_map(thread, sample->cpumode,
6281 +- br->entries[i].to, &al);
6282 ++ thread__find_map_fb(thread, sample->cpumode,
6283 ++ br->entries[i].to, &al);
6284 + dsoname = get_dsoname(al.map);
6285 + pydict_set_item_string_decref(pyelem, "to_dsoname",
6286 + _PyUnicode_FromString(dsoname));
6287 +@@ -576,14 +576,14 @@ static PyObject *python_process_brstacksym(struct perf_sample *sample,
6288 + if (!pyelem)
6289 + Py_FatalError("couldn't create Python dictionary");
6290 +
6291 +- thread__find_symbol(thread, sample->cpumode,
6292 +- br->entries[i].from, &al);
6293 ++ thread__find_symbol_fb(thread, sample->cpumode,
6294 ++ br->entries[i].from, &al);
6295 + get_symoff(al.sym, &al, true, bf, sizeof(bf));
6296 + pydict_set_item_string_decref(pyelem, "from",
6297 + _PyUnicode_FromString(bf));
6298 +
6299 +- thread__find_symbol(thread, sample->cpumode,
6300 +- br->entries[i].to, &al);
6301 ++ thread__find_symbol_fb(thread, sample->cpumode,
6302 ++ br->entries[i].to, &al);
6303 + get_symoff(al.sym, &al, true, bf, sizeof(bf));
6304 + pydict_set_item_string_decref(pyelem, "to",
6305 + _PyUnicode_FromString(bf));
6306 +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
6307 +index 7d2c8ce6cfad..f8eab197f35c 100644
6308 +--- a/tools/perf/util/session.c
6309 ++++ b/tools/perf/util/session.c
6310 +@@ -24,6 +24,7 @@
6311 + #include "thread.h"
6312 + #include "thread-stack.h"
6313 + #include "stat.h"
6314 ++#include "arch/common.h"
6315 +
6316 + static int perf_session__deliver_event(struct perf_session *session,
6317 + union perf_event *event,
6318 +@@ -150,6 +151,9 @@ struct perf_session *perf_session__new(struct perf_data *data,
6319 + session->machines.host.env = &perf_env;
6320 + }
6321 +
6322 ++ session->machines.host.single_address_space =
6323 ++ perf_env__single_address_space(session->machines.host.env);
6324 ++
6325 + if (!data || perf_data__is_write(data)) {
6326 + /*
6327 + * In O_RDONLY mode this will be performed when reading the
6328 +diff --git a/tools/perf/util/thread.h b/tools/perf/util/thread.h
6329 +index 30e2b4c165fe..5920c3bb8ffe 100644
6330 +--- a/tools/perf/util/thread.h
6331 ++++ b/tools/perf/util/thread.h
6332 +@@ -96,9 +96,13 @@ struct thread *thread__main_thread(struct machine *machine, struct thread *threa
6333 +
6334 + struct map *thread__find_map(struct thread *thread, u8 cpumode, u64 addr,
6335 + struct addr_location *al);
6336 ++struct map *thread__find_map_fb(struct thread *thread, u8 cpumode, u64 addr,
6337 ++ struct addr_location *al);
6338 +
6339 + struct symbol *thread__find_symbol(struct thread *thread, u8 cpumode,
6340 + u64 addr, struct addr_location *al);
6341 ++struct symbol *thread__find_symbol_fb(struct thread *thread, u8 cpumode,
6342 ++ u64 addr, struct addr_location *al);
6343 +
6344 + void thread__find_cpumode_addr_location(struct thread *thread, u64 addr,
6345 + struct addr_location *al);
6346 +diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c
6347 +index 23774970c9df..abcd29db2d7a 100644
6348 +--- a/virt/kvm/arm/arm.c
6349 ++++ b/virt/kvm/arm/arm.c
6350 +@@ -66,7 +66,7 @@ static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu);
6351 + static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
6352 + static u32 kvm_next_vmid;
6353 + static unsigned int kvm_vmid_bits __read_mostly;
6354 +-static DEFINE_RWLOCK(kvm_vmid_lock);
6355 ++static DEFINE_SPINLOCK(kvm_vmid_lock);
6356 +
6357 + static bool vgic_present;
6358 +
6359 +@@ -484,7 +484,9 @@ void force_vm_exit(const cpumask_t *mask)
6360 + */
6361 + static bool need_new_vmid_gen(struct kvm *kvm)
6362 + {
6363 +- return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
6364 ++ u64 current_vmid_gen = atomic64_read(&kvm_vmid_gen);
6365 ++ smp_rmb(); /* Orders read of kvm_vmid_gen and kvm->arch.vmid */
6366 ++ return unlikely(READ_ONCE(kvm->arch.vmid_gen) != current_vmid_gen);
6367 + }
6368 +
6369 + /**
6370 +@@ -499,16 +501,11 @@ static void update_vttbr(struct kvm *kvm)
6371 + {
6372 + phys_addr_t pgd_phys;
6373 + u64 vmid, cnp = kvm_cpu_has_cnp() ? VTTBR_CNP_BIT : 0;
6374 +- bool new_gen;
6375 +
6376 +- read_lock(&kvm_vmid_lock);
6377 +- new_gen = need_new_vmid_gen(kvm);
6378 +- read_unlock(&kvm_vmid_lock);
6379 +-
6380 +- if (!new_gen)
6381 ++ if (!need_new_vmid_gen(kvm))
6382 + return;
6383 +
6384 +- write_lock(&kvm_vmid_lock);
6385 ++ spin_lock(&kvm_vmid_lock);
6386 +
6387 + /*
6388 + * We need to re-check the vmid_gen here to ensure that if another vcpu
6389 +@@ -516,7 +513,7 @@ static void update_vttbr(struct kvm *kvm)
6390 + * use the same vmid.
6391 + */
6392 + if (!need_new_vmid_gen(kvm)) {
6393 +- write_unlock(&kvm_vmid_lock);
6394 ++ spin_unlock(&kvm_vmid_lock);
6395 + return;
6396 + }
6397 +
6398 +@@ -539,7 +536,6 @@ static void update_vttbr(struct kvm *kvm)
6399 + kvm_call_hyp(__kvm_flush_vm_context);
6400 + }
6401 +
6402 +- kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
6403 + kvm->arch.vmid = kvm_next_vmid;
6404 + kvm_next_vmid++;
6405 + kvm_next_vmid &= (1 << kvm_vmid_bits) - 1;
6406 +@@ -550,7 +546,10 @@ static void update_vttbr(struct kvm *kvm)
6407 + vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK(kvm_vmid_bits);
6408 + kvm->arch.vttbr = kvm_phys_to_vttbr(pgd_phys) | vmid | cnp;
6409 +
6410 +- write_unlock(&kvm_vmid_lock);
6411 ++ smp_wmb();
6412 ++ WRITE_ONCE(kvm->arch.vmid_gen, atomic64_read(&kvm_vmid_gen));
6413 ++
6414 ++ spin_unlock(&kvm_vmid_lock);
6415 + }
6416 +
6417 + static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu)
6418 +diff --git a/virt/kvm/arm/vgic/vgic-mmio.c b/virt/kvm/arm/vgic/vgic-mmio.c
6419 +index f56ff1cf52ec..ceeda7e04a4d 100644
6420 +--- a/virt/kvm/arm/vgic/vgic-mmio.c
6421 ++++ b/virt/kvm/arm/vgic/vgic-mmio.c
6422 +@@ -313,36 +313,30 @@ static void vgic_mmio_change_active(struct kvm_vcpu *vcpu, struct vgic_irq *irq,
6423 +
6424 + spin_lock_irqsave(&irq->irq_lock, flags);
6425 +
6426 +- /*
6427 +- * If this virtual IRQ was written into a list register, we
6428 +- * have to make sure the CPU that runs the VCPU thread has
6429 +- * synced back the LR state to the struct vgic_irq.
6430 +- *
6431 +- * As long as the conditions below are true, we know the VCPU thread
6432 +- * may be on its way back from the guest (we kicked the VCPU thread in
6433 +- * vgic_change_active_prepare) and still has to sync back this IRQ,
6434 +- * so we release and re-acquire the spin_lock to let the other thread
6435 +- * sync back the IRQ.
6436 +- *
6437 +- * When accessing VGIC state from user space, requester_vcpu is
6438 +- * NULL, which is fine, because we guarantee that no VCPUs are running
6439 +- * when accessing VGIC state from user space so irq->vcpu->cpu is
6440 +- * always -1.
6441 +- */
6442 +- while (irq->vcpu && /* IRQ may have state in an LR somewhere */
6443 +- irq->vcpu != requester_vcpu && /* Current thread is not the VCPU thread */
6444 +- irq->vcpu->cpu != -1) /* VCPU thread is running */
6445 +- cond_resched_lock(&irq->irq_lock);
6446 +-
6447 + if (irq->hw) {
6448 + vgic_hw_irq_change_active(vcpu, irq, active, !requester_vcpu);
6449 + } else {
6450 + u32 model = vcpu->kvm->arch.vgic.vgic_model;
6451 ++ u8 active_source;
6452 +
6453 + irq->active = active;
6454 ++
6455 ++ /*
6456 ++ * The GICv2 architecture indicates that the source CPUID for
6457 ++ * an SGI should be provided during an EOI which implies that
6458 ++ * the active state is stored somewhere, but at the same time
6459 ++ * this state is not architecturally exposed anywhere and we
6460 ++ * have no way of knowing the right source.
6461 ++ *
6462 ++ * This may lead to a VCPU not being able to receive
6463 ++ * additional instances of a particular SGI after migration
6464 ++ * for a GICv2 VM on some GIC implementations. Oh well.
6465 ++ */
6466 ++ active_source = (requester_vcpu) ? requester_vcpu->vcpu_id : 0;
6467 ++
6468 + if (model == KVM_DEV_TYPE_ARM_VGIC_V2 &&
6469 + active && vgic_irq_is_sgi(irq->intid))
6470 +- irq->active_source = requester_vcpu->vcpu_id;
6471 ++ irq->active_source = active_source;
6472 + }
6473 +
6474 + if (irq->active)
6475 +@@ -368,14 +362,16 @@ static void vgic_mmio_change_active(struct kvm_vcpu *vcpu, struct vgic_irq *irq,
6476 + */
6477 + static void vgic_change_active_prepare(struct kvm_vcpu *vcpu, u32 intid)
6478 + {
6479 +- if (intid > VGIC_NR_PRIVATE_IRQS)
6480 ++ if (vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3 ||
6481 ++ intid > VGIC_NR_PRIVATE_IRQS)
6482 + kvm_arm_halt_guest(vcpu->kvm);
6483 + }
6484 +
6485 + /* See vgic_change_active_prepare */
6486 + static void vgic_change_active_finish(struct kvm_vcpu *vcpu, u32 intid)
6487 + {
6488 +- if (intid > VGIC_NR_PRIVATE_IRQS)
6489 ++ if (vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3 ||
6490 ++ intid > VGIC_NR_PRIVATE_IRQS)
6491 + kvm_arm_resume_guest(vcpu->kvm);
6492 + }
6493 +
6494 +diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c
6495 +index 7cfdfbc910e0..f884a54b2601 100644
6496 +--- a/virt/kvm/arm/vgic/vgic.c
6497 ++++ b/virt/kvm/arm/vgic/vgic.c
6498 +@@ -103,13 +103,13 @@ struct vgic_irq *vgic_get_irq(struct kvm *kvm, struct kvm_vcpu *vcpu,
6499 + {
6500 + /* SGIs and PPIs */
6501 + if (intid <= VGIC_MAX_PRIVATE) {
6502 +- intid = array_index_nospec(intid, VGIC_MAX_PRIVATE);
6503 ++ intid = array_index_nospec(intid, VGIC_MAX_PRIVATE + 1);
6504 + return &vcpu->arch.vgic_cpu.private_irqs[intid];
6505 + }
6506 +
6507 + /* SPIs */
6508 +- if (intid <= VGIC_MAX_SPI) {
6509 +- intid = array_index_nospec(intid, VGIC_MAX_SPI);
6510 ++ if (intid < (kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS)) {
6511 ++ intid = array_index_nospec(intid, kvm->arch.vgic.nr_spis + VGIC_NR_PRIVATE_IRQS);
6512 + return &kvm->arch.vgic.spis[intid - VGIC_NR_PRIVATE_IRQS];
6513 + }
6514 +
Report Message
Find on MARC Find on Google Groups