Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.14 commit in: /
Date: Tue, 02 Jan 2018 20:14:57
Message-Id: 1514924083.042e4ad420014bdd293720b69e29f4e6be0dda65.mpagano@gentoo
1 commit: 042e4ad420014bdd293720b69e29f4e6be0dda65
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Tue Jan 2 20:14:43 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Tue Jan 2 20:14:43 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=042e4ad4
7
8 Linux patch 4.14.11
9
10 0000_README | 4 +
11 1010_linux-4.14.11.patch | 7283 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 7287 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 86c72af..c1861d7 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -83,6 +83,10 @@ Patch: 1009_linux-4.14.10.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.14.10
21
22 +Patch: 1010_linux-4.14.11.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.14.11
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1010_linux-4.14.11.patch b/1010_linux-4.14.11.patch
31 new file mode 100644
32 index 0000000..9febb2b
33 --- /dev/null
34 +++ b/1010_linux-4.14.11.patch
35 @@ -0,0 +1,7283 @@
36 +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
37 +index 05496622b4ef..520fdec15bbb 100644
38 +--- a/Documentation/admin-guide/kernel-parameters.txt
39 ++++ b/Documentation/admin-guide/kernel-parameters.txt
40 +@@ -2685,6 +2685,8 @@
41 + steal time is computed, but won't influence scheduler
42 + behaviour
43 +
44 ++ nopti [X86-64] Disable kernel page table isolation
45 ++
46 + nolapic [X86-32,APIC] Do not enable or use the local APIC.
47 +
48 + nolapic_timer [X86-32,APIC] Do not use the local APIC timer.
49 +@@ -3253,6 +3255,12 @@
50 + pt. [PARIDE]
51 + See Documentation/blockdev/paride.txt.
52 +
53 ++ pti= [X86_64]
54 ++ Control user/kernel address space isolation:
55 ++ on - enable
56 ++ off - disable
57 ++ auto - default setting
58 ++
59 + pty.legacy_count=
60 + [KNL] Number of legacy pty's. Overwrites compiled-in
61 + default number.
62 +diff --git a/Documentation/x86/x86_64/mm.txt b/Documentation/x86/x86_64/mm.txt
63 +index 51101708a03a..ad41b3813f0a 100644
64 +--- a/Documentation/x86/x86_64/mm.txt
65 ++++ b/Documentation/x86/x86_64/mm.txt
66 +@@ -12,6 +12,7 @@ ffffea0000000000 - ffffeaffffffffff (=40 bits) virtual memory map (1TB)
67 + ... unused hole ...
68 + ffffec0000000000 - fffffbffffffffff (=44 bits) kasan shadow memory (16TB)
69 + ... unused hole ...
70 ++fffffe0000000000 - fffffe7fffffffff (=39 bits) LDT remap for PTI
71 + fffffe8000000000 - fffffeffffffffff (=39 bits) cpu_entry_area mapping
72 + ffffff0000000000 - ffffff7fffffffff (=39 bits) %esp fixup stacks
73 + ... unused hole ...
74 +@@ -29,8 +30,8 @@ Virtual memory map with 5 level page tables:
75 + hole caused by [56:63] sign extension
76 + ff00000000000000 - ff0fffffffffffff (=52 bits) guard hole, reserved for hypervisor
77 + ff10000000000000 - ff8fffffffffffff (=55 bits) direct mapping of all phys. memory
78 +-ff90000000000000 - ff91ffffffffffff (=49 bits) hole
79 +-ff92000000000000 - ffd1ffffffffffff (=54 bits) vmalloc/ioremap space
80 ++ff90000000000000 - ff9fffffffffffff (=52 bits) LDT remap for PTI
81 ++ffa0000000000000 - ffd1ffffffffffff (=54 bits) vmalloc/ioremap space (12800 TB)
82 + ffd2000000000000 - ffd3ffffffffffff (=49 bits) hole
83 + ffd4000000000000 - ffd5ffffffffffff (=49 bits) virtual memory map (512TB)
84 + ... unused hole ...
85 +diff --git a/Makefile b/Makefile
86 +index 9edfb78836a9..655887067dc7 100644
87 +--- a/Makefile
88 ++++ b/Makefile
89 +@@ -1,7 +1,7 @@
90 + # SPDX-License-Identifier: GPL-2.0
91 + VERSION = 4
92 + PATCHLEVEL = 14
93 +-SUBLEVEL = 10
94 ++SUBLEVEL = 11
95 + EXTRAVERSION =
96 + NAME = Petit Gorille
97 +
98 +@@ -802,6 +802,9 @@ KBUILD_CFLAGS += $(call cc-disable-warning, pointer-sign)
99 + # disable invalid "can't wrap" optimizations for signed / pointers
100 + KBUILD_CFLAGS += $(call cc-option,-fno-strict-overflow)
101 +
102 ++# Make sure -fstack-check isn't enabled (like gentoo apparently did)
103 ++KBUILD_CFLAGS += $(call cc-option,-fno-stack-check,)
104 ++
105 + # conserve stack if available
106 + KBUILD_CFLAGS += $(call cc-option,-fconserve-stack)
107 +
108 +diff --git a/arch/sparc/lib/hweight.S b/arch/sparc/lib/hweight.S
109 +index e5547b22cd18..0ddbbb031822 100644
110 +--- a/arch/sparc/lib/hweight.S
111 ++++ b/arch/sparc/lib/hweight.S
112 +@@ -44,8 +44,8 @@ EXPORT_SYMBOL(__arch_hweight32)
113 + .previous
114 +
115 + ENTRY(__arch_hweight64)
116 +- sethi %hi(__sw_hweight16), %g1
117 +- jmpl %g1 + %lo(__sw_hweight16), %g0
118 ++ sethi %hi(__sw_hweight64), %g1
119 ++ jmpl %g1 + %lo(__sw_hweight64), %g0
120 + nop
121 + ENDPROC(__arch_hweight64)
122 + EXPORT_SYMBOL(__arch_hweight64)
123 +diff --git a/arch/x86/boot/compressed/pagetable.c b/arch/x86/boot/compressed/pagetable.c
124 +index 972319ff5b01..e691ff734cb5 100644
125 +--- a/arch/x86/boot/compressed/pagetable.c
126 ++++ b/arch/x86/boot/compressed/pagetable.c
127 +@@ -23,6 +23,9 @@
128 + */
129 + #undef CONFIG_AMD_MEM_ENCRYPT
130 +
131 ++/* No PAGE_TABLE_ISOLATION support needed either: */
132 ++#undef CONFIG_PAGE_TABLE_ISOLATION
133 ++
134 + #include "misc.h"
135 +
136 + /* These actually do the work of building the kernel identity maps. */
137 +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
138 +index 3fd8bc560fae..45a63e00a6af 100644
139 +--- a/arch/x86/entry/calling.h
140 ++++ b/arch/x86/entry/calling.h
141 +@@ -1,6 +1,11 @@
142 + /* SPDX-License-Identifier: GPL-2.0 */
143 + #include <linux/jump_label.h>
144 + #include <asm/unwind_hints.h>
145 ++#include <asm/cpufeatures.h>
146 ++#include <asm/page_types.h>
147 ++#include <asm/percpu.h>
148 ++#include <asm/asm-offsets.h>
149 ++#include <asm/processor-flags.h>
150 +
151 + /*
152 +
153 +@@ -187,6 +192,146 @@ For 32-bit we have the following conventions - kernel is built with
154 + #endif
155 + .endm
156 +
157 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
158 ++
159 ++/*
160 ++ * PAGE_TABLE_ISOLATION PGDs are 8k. Flip bit 12 to switch between the two
161 ++ * halves:
162 ++ */
163 ++#define PTI_SWITCH_PGTABLES_MASK (1<<PAGE_SHIFT)
164 ++#define PTI_SWITCH_MASK (PTI_SWITCH_PGTABLES_MASK|(1<<X86_CR3_PTI_SWITCH_BIT))
165 ++
166 ++.macro SET_NOFLUSH_BIT reg:req
167 ++ bts $X86_CR3_PCID_NOFLUSH_BIT, \reg
168 ++.endm
169 ++
170 ++.macro ADJUST_KERNEL_CR3 reg:req
171 ++ ALTERNATIVE "", "SET_NOFLUSH_BIT \reg", X86_FEATURE_PCID
172 ++ /* Clear PCID and "PAGE_TABLE_ISOLATION bit", point CR3 at kernel pagetables: */
173 ++ andq $(~PTI_SWITCH_MASK), \reg
174 ++.endm
175 ++
176 ++.macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
177 ++ ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI
178 ++ mov %cr3, \scratch_reg
179 ++ ADJUST_KERNEL_CR3 \scratch_reg
180 ++ mov \scratch_reg, %cr3
181 ++.Lend_\@:
182 ++.endm
183 ++
184 ++#define THIS_CPU_user_pcid_flush_mask \
185 ++ PER_CPU_VAR(cpu_tlbstate) + TLB_STATE_user_pcid_flush_mask
186 ++
187 ++.macro SWITCH_TO_USER_CR3_NOSTACK scratch_reg:req scratch_reg2:req
188 ++ ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI
189 ++ mov %cr3, \scratch_reg
190 ++
191 ++ ALTERNATIVE "jmp .Lwrcr3_\@", "", X86_FEATURE_PCID
192 ++
193 ++ /*
194 ++ * Test if the ASID needs a flush.
195 ++ */
196 ++ movq \scratch_reg, \scratch_reg2
197 ++ andq $(0x7FF), \scratch_reg /* mask ASID */
198 ++ bt \scratch_reg, THIS_CPU_user_pcid_flush_mask
199 ++ jnc .Lnoflush_\@
200 ++
201 ++ /* Flush needed, clear the bit */
202 ++ btr \scratch_reg, THIS_CPU_user_pcid_flush_mask
203 ++ movq \scratch_reg2, \scratch_reg
204 ++ jmp .Lwrcr3_\@
205 ++
206 ++.Lnoflush_\@:
207 ++ movq \scratch_reg2, \scratch_reg
208 ++ SET_NOFLUSH_BIT \scratch_reg
209 ++
210 ++.Lwrcr3_\@:
211 ++ /* Flip the PGD and ASID to the user version */
212 ++ orq $(PTI_SWITCH_MASK), \scratch_reg
213 ++ mov \scratch_reg, %cr3
214 ++.Lend_\@:
215 ++.endm
216 ++
217 ++.macro SWITCH_TO_USER_CR3_STACK scratch_reg:req
218 ++ pushq %rax
219 ++ SWITCH_TO_USER_CR3_NOSTACK scratch_reg=\scratch_reg scratch_reg2=%rax
220 ++ popq %rax
221 ++.endm
222 ++
223 ++.macro SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg:req save_reg:req
224 ++ ALTERNATIVE "jmp .Ldone_\@", "", X86_FEATURE_PTI
225 ++ movq %cr3, \scratch_reg
226 ++ movq \scratch_reg, \save_reg
227 ++ /*
228 ++ * Is the "switch mask" all zero? That means that both of
229 ++ * these are zero:
230 ++ *
231 ++ * 1. The user/kernel PCID bit, and
232 ++ * 2. The user/kernel "bit" that points CR3 to the
233 ++ * bottom half of the 8k PGD
234 ++ *
235 ++ * That indicates a kernel CR3 value, not a user CR3.
236 ++ */
237 ++ testq $(PTI_SWITCH_MASK), \scratch_reg
238 ++ jz .Ldone_\@
239 ++
240 ++ ADJUST_KERNEL_CR3 \scratch_reg
241 ++ movq \scratch_reg, %cr3
242 ++
243 ++.Ldone_\@:
244 ++.endm
245 ++
246 ++.macro RESTORE_CR3 scratch_reg:req save_reg:req
247 ++ ALTERNATIVE "jmp .Lend_\@", "", X86_FEATURE_PTI
248 ++
249 ++ ALTERNATIVE "jmp .Lwrcr3_\@", "", X86_FEATURE_PCID
250 ++
251 ++ /*
252 ++ * KERNEL pages can always resume with NOFLUSH as we do
253 ++ * explicit flushes.
254 ++ */
255 ++ bt $X86_CR3_PTI_SWITCH_BIT, \save_reg
256 ++ jnc .Lnoflush_\@
257 ++
258 ++ /*
259 ++ * Check if there's a pending flush for the user ASID we're
260 ++ * about to set.
261 ++ */
262 ++ movq \save_reg, \scratch_reg
263 ++ andq $(0x7FF), \scratch_reg
264 ++ bt \scratch_reg, THIS_CPU_user_pcid_flush_mask
265 ++ jnc .Lnoflush_\@
266 ++
267 ++ btr \scratch_reg, THIS_CPU_user_pcid_flush_mask
268 ++ jmp .Lwrcr3_\@
269 ++
270 ++.Lnoflush_\@:
271 ++ SET_NOFLUSH_BIT \save_reg
272 ++
273 ++.Lwrcr3_\@:
274 ++ /*
275 ++ * The CR3 write could be avoided when not changing its value,
276 ++ * but would require a CR3 read *and* a scratch register.
277 ++ */
278 ++ movq \save_reg, %cr3
279 ++.Lend_\@:
280 ++.endm
281 ++
282 ++#else /* CONFIG_PAGE_TABLE_ISOLATION=n: */
283 ++
284 ++.macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
285 ++.endm
286 ++.macro SWITCH_TO_USER_CR3_NOSTACK scratch_reg:req scratch_reg2:req
287 ++.endm
288 ++.macro SWITCH_TO_USER_CR3_STACK scratch_reg:req
289 ++.endm
290 ++.macro SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg:req save_reg:req
291 ++.endm
292 ++.macro RESTORE_CR3 scratch_reg:req save_reg:req
293 ++.endm
294 ++
295 ++#endif
296 ++
297 + #endif /* CONFIG_X86_64 */
298 +
299 + /*
300 +diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
301 +index 22c891c3b78d..dd696b966e58 100644
302 +--- a/arch/x86/entry/entry_64.S
303 ++++ b/arch/x86/entry/entry_64.S
304 +@@ -23,7 +23,6 @@
305 + #include <asm/segment.h>
306 + #include <asm/cache.h>
307 + #include <asm/errno.h>
308 +-#include "calling.h"
309 + #include <asm/asm-offsets.h>
310 + #include <asm/msr.h>
311 + #include <asm/unistd.h>
312 +@@ -40,6 +39,8 @@
313 + #include <asm/frame.h>
314 + #include <linux/err.h>
315 +
316 ++#include "calling.h"
317 ++
318 + .code64
319 + .section .entry.text, "ax"
320 +
321 +@@ -164,6 +165,9 @@ ENTRY(entry_SYSCALL_64_trampoline)
322 + /* Stash the user RSP. */
323 + movq %rsp, RSP_SCRATCH
324 +
325 ++ /* Note: using %rsp as a scratch reg. */
326 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
327 ++
328 + /* Load the top of the task stack into RSP */
329 + movq CPU_ENTRY_AREA_tss + TSS_sp1 + CPU_ENTRY_AREA, %rsp
330 +
331 +@@ -203,6 +207,10 @@ ENTRY(entry_SYSCALL_64)
332 + */
333 +
334 + swapgs
335 ++ /*
336 ++ * This path is not taken when PAGE_TABLE_ISOLATION is disabled so it
337 ++ * is not required to switch CR3.
338 ++ */
339 + movq %rsp, PER_CPU_VAR(rsp_scratch)
340 + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
341 +
342 +@@ -399,6 +407,7 @@ syscall_return_via_sysret:
343 + * We are on the trampoline stack. All regs except RDI are live.
344 + * We can do future final exit work right here.
345 + */
346 ++ SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
347 +
348 + popq %rdi
349 + popq %rsp
350 +@@ -736,6 +745,8 @@ GLOBAL(swapgs_restore_regs_and_return_to_usermode)
351 + * We can do future final exit work right here.
352 + */
353 +
354 ++ SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
355 ++
356 + /* Restore RDI. */
357 + popq %rdi
358 + SWAPGS
359 +@@ -818,7 +829,9 @@ native_irq_return_ldt:
360 + */
361 +
362 + pushq %rdi /* Stash user RDI */
363 +- SWAPGS
364 ++ SWAPGS /* to kernel GS */
365 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */
366 ++
367 + movq PER_CPU_VAR(espfix_waddr), %rdi
368 + movq %rax, (0*8)(%rdi) /* user RAX */
369 + movq (1*8)(%rsp), %rax /* user RIP */
370 +@@ -834,7 +847,6 @@ native_irq_return_ldt:
371 + /* Now RAX == RSP. */
372 +
373 + andl $0xffff0000, %eax /* RAX = (RSP & 0xffff0000) */
374 +- popq %rdi /* Restore user RDI */
375 +
376 + /*
377 + * espfix_stack[31:16] == 0. The page tables are set up such that
378 +@@ -845,7 +857,11 @@ native_irq_return_ldt:
379 + * still points to an RO alias of the ESPFIX stack.
380 + */
381 + orq PER_CPU_VAR(espfix_stack), %rax
382 +- SWAPGS
383 ++
384 ++ SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
385 ++ SWAPGS /* to user GS */
386 ++ popq %rdi /* Restore user RDI */
387 ++
388 + movq %rax, %rsp
389 + UNWIND_HINT_IRET_REGS offset=8
390 +
391 +@@ -945,6 +961,8 @@ ENTRY(switch_to_thread_stack)
392 + UNWIND_HINT_FUNC
393 +
394 + pushq %rdi
395 ++ /* Need to switch before accessing the thread stack. */
396 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
397 + movq %rsp, %rdi
398 + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
399 + UNWIND_HINT sp_offset=16 sp_reg=ORC_REG_DI
400 +@@ -1244,7 +1262,11 @@ ENTRY(paranoid_entry)
401 + js 1f /* negative -> in kernel */
402 + SWAPGS
403 + xorl %ebx, %ebx
404 +-1: ret
405 ++
406 ++1:
407 ++ SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14
408 ++
409 ++ ret
410 + END(paranoid_entry)
411 +
412 + /*
413 +@@ -1266,6 +1288,7 @@ ENTRY(paranoid_exit)
414 + testl %ebx, %ebx /* swapgs needed? */
415 + jnz .Lparanoid_exit_no_swapgs
416 + TRACE_IRQS_IRETQ
417 ++ RESTORE_CR3 scratch_reg=%rbx save_reg=%r14
418 + SWAPGS_UNSAFE_STACK
419 + jmp .Lparanoid_exit_restore
420 + .Lparanoid_exit_no_swapgs:
421 +@@ -1293,6 +1316,8 @@ ENTRY(error_entry)
422 + * from user mode due to an IRET fault.
423 + */
424 + SWAPGS
425 ++ /* We have user CR3. Change to kernel CR3. */
426 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
427 +
428 + .Lerror_entry_from_usermode_after_swapgs:
429 + /* Put us onto the real thread stack. */
430 +@@ -1339,6 +1364,7 @@ ENTRY(error_entry)
431 + * .Lgs_change's error handler with kernel gsbase.
432 + */
433 + SWAPGS
434 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
435 + jmp .Lerror_entry_done
436 +
437 + .Lbstep_iret:
438 +@@ -1348,10 +1374,11 @@ ENTRY(error_entry)
439 +
440 + .Lerror_bad_iret:
441 + /*
442 +- * We came from an IRET to user mode, so we have user gsbase.
443 +- * Switch to kernel gsbase:
444 ++ * We came from an IRET to user mode, so we have user
445 ++ * gsbase and CR3. Switch to kernel gsbase and CR3:
446 + */
447 + SWAPGS
448 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rax
449 +
450 + /*
451 + * Pretend that the exception came from user mode: set up pt_regs
452 +@@ -1383,6 +1410,10 @@ END(error_exit)
453 + /*
454 + * Runs on exception stack. Xen PV does not go through this path at all,
455 + * so we can use real assembly here.
456 ++ *
457 ++ * Registers:
458 ++ * %r14: Used to save/restore the CR3 of the interrupted context
459 ++ * when PAGE_TABLE_ISOLATION is in use. Do not clobber.
460 + */
461 + ENTRY(nmi)
462 + UNWIND_HINT_IRET_REGS
463 +@@ -1446,6 +1477,7 @@ ENTRY(nmi)
464 +
465 + swapgs
466 + cld
467 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdx
468 + movq %rsp, %rdx
469 + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
470 + UNWIND_HINT_IRET_REGS base=%rdx offset=8
471 +@@ -1698,6 +1730,8 @@ end_repeat_nmi:
472 + movq $-1, %rsi
473 + call do_nmi
474 +
475 ++ RESTORE_CR3 scratch_reg=%r15 save_reg=%r14
476 ++
477 + testl %ebx, %ebx /* swapgs needed? */
478 + jnz nmi_restore
479 + nmi_swapgs:
480 +diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
481 +index 95ad40eb7eff..40f17009ec20 100644
482 +--- a/arch/x86/entry/entry_64_compat.S
483 ++++ b/arch/x86/entry/entry_64_compat.S
484 +@@ -49,6 +49,10 @@
485 + ENTRY(entry_SYSENTER_compat)
486 + /* Interrupts are off on entry. */
487 + SWAPGS
488 ++
489 ++ /* We are about to clobber %rsp anyway, clobbering here is OK */
490 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rsp
491 ++
492 + movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
493 +
494 + /*
495 +@@ -215,6 +219,12 @@ GLOBAL(entry_SYSCALL_compat_after_hwframe)
496 + pushq $0 /* pt_regs->r14 = 0 */
497 + pushq $0 /* pt_regs->r15 = 0 */
498 +
499 ++ /*
500 ++ * We just saved %rdi so it is safe to clobber. It is not
501 ++ * preserved during the C calls inside TRACE_IRQS_OFF anyway.
502 ++ */
503 ++ SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi
504 ++
505 + /*
506 + * User mode is traced as though IRQs are on, and SYSENTER
507 + * turned them off.
508 +@@ -256,10 +266,22 @@ sysret32_from_system_call:
509 + * when the system call started, which is already known to user
510 + * code. We zero R8-R10 to avoid info leaks.
511 + */
512 ++ movq RSP-ORIG_RAX(%rsp), %rsp
513 ++
514 ++ /*
515 ++ * The original userspace %rsp (RSP-ORIG_RAX(%rsp)) is stored
516 ++ * on the process stack which is not mapped to userspace and
517 ++ * not readable after we SWITCH_TO_USER_CR3. Delay the CR3
518 ++ * switch until after after the last reference to the process
519 ++ * stack.
520 ++ *
521 ++ * %r8/%r9 are zeroed before the sysret, thus safe to clobber.
522 ++ */
523 ++ SWITCH_TO_USER_CR3_NOSTACK scratch_reg=%r8 scratch_reg2=%r9
524 ++
525 + xorq %r8, %r8
526 + xorq %r9, %r9
527 + xorq %r10, %r10
528 +- movq RSP-ORIG_RAX(%rsp), %rsp
529 + swapgs
530 + sysretl
531 + END(entry_SYSCALL_compat)
532 +diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
533 +index 1faf40f2dda9..577fa8adb785 100644
534 +--- a/arch/x86/entry/vsyscall/vsyscall_64.c
535 ++++ b/arch/x86/entry/vsyscall/vsyscall_64.c
536 +@@ -344,14 +344,14 @@ int in_gate_area_no_mm(unsigned long addr)
537 + * vsyscalls but leave the page not present. If so, we skip calling
538 + * this.
539 + */
540 +-static void __init set_vsyscall_pgtable_user_bits(void)
541 ++void __init set_vsyscall_pgtable_user_bits(pgd_t *root)
542 + {
543 + pgd_t *pgd;
544 + p4d_t *p4d;
545 + pud_t *pud;
546 + pmd_t *pmd;
547 +
548 +- pgd = pgd_offset_k(VSYSCALL_ADDR);
549 ++ pgd = pgd_offset_pgd(root, VSYSCALL_ADDR);
550 + set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER));
551 + p4d = p4d_offset(pgd, VSYSCALL_ADDR);
552 + #if CONFIG_PGTABLE_LEVELS >= 5
553 +@@ -373,7 +373,7 @@ void __init map_vsyscall(void)
554 + vsyscall_mode == NATIVE
555 + ? PAGE_KERNEL_VSYSCALL
556 + : PAGE_KERNEL_VVAR);
557 +- set_vsyscall_pgtable_user_bits();
558 ++ set_vsyscall_pgtable_user_bits(swapper_pg_dir);
559 + }
560 +
561 + BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) !=
562 +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
563 +index 3674a4b6f8bd..8f0aace08b87 100644
564 +--- a/arch/x86/events/intel/ds.c
565 ++++ b/arch/x86/events/intel/ds.c
566 +@@ -3,16 +3,18 @@
567 + #include <linux/types.h>
568 + #include <linux/slab.h>
569 +
570 ++#include <asm/cpu_entry_area.h>
571 + #include <asm/perf_event.h>
572 + #include <asm/insn.h>
573 +
574 + #include "../perf_event.h"
575 +
576 ++/* Waste a full page so it can be mapped into the cpu_entry_area */
577 ++DEFINE_PER_CPU_PAGE_ALIGNED(struct debug_store, cpu_debug_store);
578 ++
579 + /* The size of a BTS record in bytes: */
580 + #define BTS_RECORD_SIZE 24
581 +
582 +-#define BTS_BUFFER_SIZE (PAGE_SIZE << 4)
583 +-#define PEBS_BUFFER_SIZE (PAGE_SIZE << 4)
584 + #define PEBS_FIXUP_SIZE PAGE_SIZE
585 +
586 + /*
587 +@@ -279,17 +281,52 @@ void fini_debug_store_on_cpu(int cpu)
588 +
589 + static DEFINE_PER_CPU(void *, insn_buffer);
590 +
591 +-static int alloc_pebs_buffer(int cpu)
592 ++static void ds_update_cea(void *cea, void *addr, size_t size, pgprot_t prot)
593 + {
594 +- struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
595 ++ phys_addr_t pa;
596 ++ size_t msz = 0;
597 ++
598 ++ pa = virt_to_phys(addr);
599 ++ for (; msz < size; msz += PAGE_SIZE, pa += PAGE_SIZE, cea += PAGE_SIZE)
600 ++ cea_set_pte(cea, pa, prot);
601 ++}
602 ++
603 ++static void ds_clear_cea(void *cea, size_t size)
604 ++{
605 ++ size_t msz = 0;
606 ++
607 ++ for (; msz < size; msz += PAGE_SIZE, cea += PAGE_SIZE)
608 ++ cea_set_pte(cea, 0, PAGE_NONE);
609 ++}
610 ++
611 ++static void *dsalloc_pages(size_t size, gfp_t flags, int cpu)
612 ++{
613 ++ unsigned int order = get_order(size);
614 + int node = cpu_to_node(cpu);
615 +- int max;
616 +- void *buffer, *ibuffer;
617 ++ struct page *page;
618 ++
619 ++ page = __alloc_pages_node(node, flags | __GFP_ZERO, order);
620 ++ return page ? page_address(page) : NULL;
621 ++}
622 ++
623 ++static void dsfree_pages(const void *buffer, size_t size)
624 ++{
625 ++ if (buffer)
626 ++ free_pages((unsigned long)buffer, get_order(size));
627 ++}
628 ++
629 ++static int alloc_pebs_buffer(int cpu)
630 ++{
631 ++ struct cpu_hw_events *hwev = per_cpu_ptr(&cpu_hw_events, cpu);
632 ++ struct debug_store *ds = hwev->ds;
633 ++ size_t bsiz = x86_pmu.pebs_buffer_size;
634 ++ int max, node = cpu_to_node(cpu);
635 ++ void *buffer, *ibuffer, *cea;
636 +
637 + if (!x86_pmu.pebs)
638 + return 0;
639 +
640 +- buffer = kzalloc_node(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
641 ++ buffer = dsalloc_pages(bsiz, GFP_KERNEL, cpu);
642 + if (unlikely(!buffer))
643 + return -ENOMEM;
644 +
645 +@@ -300,25 +337,27 @@ static int alloc_pebs_buffer(int cpu)
646 + if (x86_pmu.intel_cap.pebs_format < 2) {
647 + ibuffer = kzalloc_node(PEBS_FIXUP_SIZE, GFP_KERNEL, node);
648 + if (!ibuffer) {
649 +- kfree(buffer);
650 ++ dsfree_pages(buffer, bsiz);
651 + return -ENOMEM;
652 + }
653 + per_cpu(insn_buffer, cpu) = ibuffer;
654 + }
655 +-
656 +- max = x86_pmu.pebs_buffer_size / x86_pmu.pebs_record_size;
657 +-
658 +- ds->pebs_buffer_base = (u64)(unsigned long)buffer;
659 ++ hwev->ds_pebs_vaddr = buffer;
660 ++ /* Update the cpu entry area mapping */
661 ++ cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers.pebs_buffer;
662 ++ ds->pebs_buffer_base = (unsigned long) cea;
663 ++ ds_update_cea(cea, buffer, bsiz, PAGE_KERNEL);
664 + ds->pebs_index = ds->pebs_buffer_base;
665 +- ds->pebs_absolute_maximum = ds->pebs_buffer_base +
666 +- max * x86_pmu.pebs_record_size;
667 +-
668 ++ max = x86_pmu.pebs_record_size * (bsiz / x86_pmu.pebs_record_size);
669 ++ ds->pebs_absolute_maximum = ds->pebs_buffer_base + max;
670 + return 0;
671 + }
672 +
673 + static void release_pebs_buffer(int cpu)
674 + {
675 +- struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
676 ++ struct cpu_hw_events *hwev = per_cpu_ptr(&cpu_hw_events, cpu);
677 ++ struct debug_store *ds = hwev->ds;
678 ++ void *cea;
679 +
680 + if (!ds || !x86_pmu.pebs)
681 + return;
682 +@@ -326,73 +365,70 @@ static void release_pebs_buffer(int cpu)
683 + kfree(per_cpu(insn_buffer, cpu));
684 + per_cpu(insn_buffer, cpu) = NULL;
685 +
686 +- kfree((void *)(unsigned long)ds->pebs_buffer_base);
687 ++ /* Clear the fixmap */
688 ++ cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers.pebs_buffer;
689 ++ ds_clear_cea(cea, x86_pmu.pebs_buffer_size);
690 + ds->pebs_buffer_base = 0;
691 ++ dsfree_pages(hwev->ds_pebs_vaddr, x86_pmu.pebs_buffer_size);
692 ++ hwev->ds_pebs_vaddr = NULL;
693 + }
694 +
695 + static int alloc_bts_buffer(int cpu)
696 + {
697 +- struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
698 +- int node = cpu_to_node(cpu);
699 +- int max, thresh;
700 +- void *buffer;
701 ++ struct cpu_hw_events *hwev = per_cpu_ptr(&cpu_hw_events, cpu);
702 ++ struct debug_store *ds = hwev->ds;
703 ++ void *buffer, *cea;
704 ++ int max;
705 +
706 + if (!x86_pmu.bts)
707 + return 0;
708 +
709 +- buffer = kzalloc_node(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, node);
710 ++ buffer = dsalloc_pages(BTS_BUFFER_SIZE, GFP_KERNEL | __GFP_NOWARN, cpu);
711 + if (unlikely(!buffer)) {
712 + WARN_ONCE(1, "%s: BTS buffer allocation failure\n", __func__);
713 + return -ENOMEM;
714 + }
715 +-
716 +- max = BTS_BUFFER_SIZE / BTS_RECORD_SIZE;
717 +- thresh = max / 16;
718 +-
719 +- ds->bts_buffer_base = (u64)(unsigned long)buffer;
720 ++ hwev->ds_bts_vaddr = buffer;
721 ++ /* Update the fixmap */
722 ++ cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers.bts_buffer;
723 ++ ds->bts_buffer_base = (unsigned long) cea;
724 ++ ds_update_cea(cea, buffer, BTS_BUFFER_SIZE, PAGE_KERNEL);
725 + ds->bts_index = ds->bts_buffer_base;
726 +- ds->bts_absolute_maximum = ds->bts_buffer_base +
727 +- max * BTS_RECORD_SIZE;
728 +- ds->bts_interrupt_threshold = ds->bts_absolute_maximum -
729 +- thresh * BTS_RECORD_SIZE;
730 +-
731 ++ max = BTS_RECORD_SIZE * (BTS_BUFFER_SIZE / BTS_RECORD_SIZE);
732 ++ ds->bts_absolute_maximum = ds->bts_buffer_base + max;
733 ++ ds->bts_interrupt_threshold = ds->bts_absolute_maximum - (max / 16);
734 + return 0;
735 + }
736 +
737 + static void release_bts_buffer(int cpu)
738 + {
739 +- struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
740 ++ struct cpu_hw_events *hwev = per_cpu_ptr(&cpu_hw_events, cpu);
741 ++ struct debug_store *ds = hwev->ds;
742 ++ void *cea;
743 +
744 + if (!ds || !x86_pmu.bts)
745 + return;
746 +
747 +- kfree((void *)(unsigned long)ds->bts_buffer_base);
748 ++ /* Clear the fixmap */
749 ++ cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers.bts_buffer;
750 ++ ds_clear_cea(cea, BTS_BUFFER_SIZE);
751 + ds->bts_buffer_base = 0;
752 ++ dsfree_pages(hwev->ds_bts_vaddr, BTS_BUFFER_SIZE);
753 ++ hwev->ds_bts_vaddr = NULL;
754 + }
755 +
756 + static int alloc_ds_buffer(int cpu)
757 + {
758 +- int node = cpu_to_node(cpu);
759 +- struct debug_store *ds;
760 +-
761 +- ds = kzalloc_node(sizeof(*ds), GFP_KERNEL, node);
762 +- if (unlikely(!ds))
763 +- return -ENOMEM;
764 ++ struct debug_store *ds = &get_cpu_entry_area(cpu)->cpu_debug_store;
765 +
766 ++ memset(ds, 0, sizeof(*ds));
767 + per_cpu(cpu_hw_events, cpu).ds = ds;
768 +-
769 + return 0;
770 + }
771 +
772 + static void release_ds_buffer(int cpu)
773 + {
774 +- struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
775 +-
776 +- if (!ds)
777 +- return;
778 +-
779 + per_cpu(cpu_hw_events, cpu).ds = NULL;
780 +- kfree(ds);
781 + }
782 +
783 + void release_ds_buffers(void)
784 +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
785 +index f7aaadf9331f..8e4ea143ed96 100644
786 +--- a/arch/x86/events/perf_event.h
787 ++++ b/arch/x86/events/perf_event.h
788 +@@ -14,6 +14,8 @@
789 +
790 + #include <linux/perf_event.h>
791 +
792 ++#include <asm/intel_ds.h>
793 ++
794 + /* To enable MSR tracing please use the generic trace points. */
795 +
796 + /*
797 +@@ -77,8 +79,6 @@ struct amd_nb {
798 + struct event_constraint event_constraints[X86_PMC_IDX_MAX];
799 + };
800 +
801 +-/* The maximal number of PEBS events: */
802 +-#define MAX_PEBS_EVENTS 8
803 + #define PEBS_COUNTER_MASK ((1ULL << MAX_PEBS_EVENTS) - 1)
804 +
805 + /*
806 +@@ -95,23 +95,6 @@ struct amd_nb {
807 + PERF_SAMPLE_TRANSACTION | PERF_SAMPLE_PHYS_ADDR | \
808 + PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER)
809 +
810 +-/*
811 +- * A debug store configuration.
812 +- *
813 +- * We only support architectures that use 64bit fields.
814 +- */
815 +-struct debug_store {
816 +- u64 bts_buffer_base;
817 +- u64 bts_index;
818 +- u64 bts_absolute_maximum;
819 +- u64 bts_interrupt_threshold;
820 +- u64 pebs_buffer_base;
821 +- u64 pebs_index;
822 +- u64 pebs_absolute_maximum;
823 +- u64 pebs_interrupt_threshold;
824 +- u64 pebs_event_reset[MAX_PEBS_EVENTS];
825 +-};
826 +-
827 + #define PEBS_REGS \
828 + (PERF_REG_X86_AX | \
829 + PERF_REG_X86_BX | \
830 +@@ -216,6 +199,8 @@ struct cpu_hw_events {
831 + * Intel DebugStore bits
832 + */
833 + struct debug_store *ds;
834 ++ void *ds_pebs_vaddr;
835 ++ void *ds_bts_vaddr;
836 + u64 pebs_enabled;
837 + int n_pebs;
838 + int n_large_pebs;
839 +diff --git a/arch/x86/include/asm/cpu_entry_area.h b/arch/x86/include/asm/cpu_entry_area.h
840 +index 2fbc69a0916e..4a7884b8dca5 100644
841 +--- a/arch/x86/include/asm/cpu_entry_area.h
842 ++++ b/arch/x86/include/asm/cpu_entry_area.h
843 +@@ -5,6 +5,7 @@
844 +
845 + #include <linux/percpu-defs.h>
846 + #include <asm/processor.h>
847 ++#include <asm/intel_ds.h>
848 +
849 + /*
850 + * cpu_entry_area is a percpu region that contains things needed by the CPU
851 +@@ -40,6 +41,18 @@ struct cpu_entry_area {
852 + */
853 + char exception_stacks[(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ];
854 + #endif
855 ++#ifdef CONFIG_CPU_SUP_INTEL
856 ++ /*
857 ++ * Per CPU debug store for Intel performance monitoring. Wastes a
858 ++ * full page at the moment.
859 ++ */
860 ++ struct debug_store cpu_debug_store;
861 ++ /*
862 ++ * The actual PEBS/BTS buffers must be mapped to user space
863 ++ * Reserve enough fixmap PTEs.
864 ++ */
865 ++ struct debug_store_buffers cpu_debug_buffers;
866 ++#endif
867 + };
868 +
869 + #define CPU_ENTRY_AREA_SIZE (sizeof(struct cpu_entry_area))
870 +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
871 +index 800104c8a3ed..07cdd1715705 100644
872 +--- a/arch/x86/include/asm/cpufeatures.h
873 ++++ b/arch/x86/include/asm/cpufeatures.h
874 +@@ -197,11 +197,12 @@
875 + #define X86_FEATURE_CAT_L3 ( 7*32+ 4) /* Cache Allocation Technology L3 */
876 + #define X86_FEATURE_CAT_L2 ( 7*32+ 5) /* Cache Allocation Technology L2 */
877 + #define X86_FEATURE_CDP_L3 ( 7*32+ 6) /* Code and Data Prioritization L3 */
878 ++#define X86_FEATURE_INVPCID_SINGLE ( 7*32+ 7) /* Effectively INVPCID && CR4.PCIDE=1 */
879 +
880 + #define X86_FEATURE_HW_PSTATE ( 7*32+ 8) /* AMD HW-PState */
881 + #define X86_FEATURE_PROC_FEEDBACK ( 7*32+ 9) /* AMD ProcFeedbackInterface */
882 + #define X86_FEATURE_SME ( 7*32+10) /* AMD Secure Memory Encryption */
883 +-
884 ++#define X86_FEATURE_PTI ( 7*32+11) /* Kernel Page Table Isolation enabled */
885 + #define X86_FEATURE_INTEL_PPIN ( 7*32+14) /* Intel Processor Inventory Number */
886 + #define X86_FEATURE_INTEL_PT ( 7*32+15) /* Intel Processor Trace */
887 + #define X86_FEATURE_AVX512_4VNNIW ( 7*32+16) /* AVX-512 Neural Network Instructions */
888 +@@ -340,5 +341,6 @@
889 + #define X86_BUG_SWAPGS_FENCE X86_BUG(11) /* SWAPGS without input dep on GS */
890 + #define X86_BUG_MONITOR X86_BUG(12) /* IPI required to wake up remote CPU */
891 + #define X86_BUG_AMD_E400 X86_BUG(13) /* CPU is among the affected by Erratum 400 */
892 ++#define X86_BUG_CPU_INSECURE X86_BUG(14) /* CPU is insecure and needs kernel page table isolation */
893 +
894 + #endif /* _ASM_X86_CPUFEATURES_H */
895 +diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
896 +index bc359dd2f7f6..85e23bb7b34e 100644
897 +--- a/arch/x86/include/asm/desc.h
898 ++++ b/arch/x86/include/asm/desc.h
899 +@@ -21,6 +21,8 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
900 +
901 + desc->type = (info->read_exec_only ^ 1) << 1;
902 + desc->type |= info->contents << 2;
903 ++ /* Set the ACCESS bit so it can be mapped RO */
904 ++ desc->type |= 1;
905 +
906 + desc->s = 1;
907 + desc->dpl = 0x3;
908 +diff --git a/arch/x86/include/asm/disabled-features.h b/arch/x86/include/asm/disabled-features.h
909 +index c10c9128f54e..e428e16dd822 100644
910 +--- a/arch/x86/include/asm/disabled-features.h
911 ++++ b/arch/x86/include/asm/disabled-features.h
912 +@@ -44,6 +44,12 @@
913 + # define DISABLE_LA57 (1<<(X86_FEATURE_LA57 & 31))
914 + #endif
915 +
916 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
917 ++# define DISABLE_PTI 0
918 ++#else
919 ++# define DISABLE_PTI (1 << (X86_FEATURE_PTI & 31))
920 ++#endif
921 ++
922 + /*
923 + * Make sure to add features to the correct mask
924 + */
925 +@@ -54,7 +60,7 @@
926 + #define DISABLED_MASK4 (DISABLE_PCID)
927 + #define DISABLED_MASK5 0
928 + #define DISABLED_MASK6 0
929 +-#define DISABLED_MASK7 0
930 ++#define DISABLED_MASK7 (DISABLE_PTI)
931 + #define DISABLED_MASK8 0
932 + #define DISABLED_MASK9 (DISABLE_MPX)
933 + #define DISABLED_MASK10 0
934 +diff --git a/arch/x86/include/asm/intel_ds.h b/arch/x86/include/asm/intel_ds.h
935 +new file mode 100644
936 +index 000000000000..62a9f4966b42
937 +--- /dev/null
938 ++++ b/arch/x86/include/asm/intel_ds.h
939 +@@ -0,0 +1,36 @@
940 ++#ifndef _ASM_INTEL_DS_H
941 ++#define _ASM_INTEL_DS_H
942 ++
943 ++#include <linux/percpu-defs.h>
944 ++
945 ++#define BTS_BUFFER_SIZE (PAGE_SIZE << 4)
946 ++#define PEBS_BUFFER_SIZE (PAGE_SIZE << 4)
947 ++
948 ++/* The maximal number of PEBS events: */
949 ++#define MAX_PEBS_EVENTS 8
950 ++
951 ++/*
952 ++ * A debug store configuration.
953 ++ *
954 ++ * We only support architectures that use 64bit fields.
955 ++ */
956 ++struct debug_store {
957 ++ u64 bts_buffer_base;
958 ++ u64 bts_index;
959 ++ u64 bts_absolute_maximum;
960 ++ u64 bts_interrupt_threshold;
961 ++ u64 pebs_buffer_base;
962 ++ u64 pebs_index;
963 ++ u64 pebs_absolute_maximum;
964 ++ u64 pebs_interrupt_threshold;
965 ++ u64 pebs_event_reset[MAX_PEBS_EVENTS];
966 ++} __aligned(PAGE_SIZE);
967 ++
968 ++DECLARE_PER_CPU_PAGE_ALIGNED(struct debug_store, cpu_debug_store);
969 ++
970 ++struct debug_store_buffers {
971 ++ char bts_buffer[BTS_BUFFER_SIZE];
972 ++ char pebs_buffer[PEBS_BUFFER_SIZE];
973 ++};
974 ++
975 ++#endif
976 +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
977 +index 5ede7cae1d67..c931b88982a0 100644
978 +--- a/arch/x86/include/asm/mmu_context.h
979 ++++ b/arch/x86/include/asm/mmu_context.h
980 +@@ -50,10 +50,33 @@ struct ldt_struct {
981 + * call gates. On native, we could merge the ldt_struct and LDT
982 + * allocations, but it's not worth trying to optimize.
983 + */
984 +- struct desc_struct *entries;
985 +- unsigned int nr_entries;
986 ++ struct desc_struct *entries;
987 ++ unsigned int nr_entries;
988 ++
989 ++ /*
990 ++ * If PTI is in use, then the entries array is not mapped while we're
991 ++ * in user mode. The whole array will be aliased at the addressed
992 ++ * given by ldt_slot_va(slot). We use two slots so that we can allocate
993 ++ * and map, and enable a new LDT without invalidating the mapping
994 ++ * of an older, still-in-use LDT.
995 ++ *
996 ++ * slot will be -1 if this LDT doesn't have an alias mapping.
997 ++ */
998 ++ int slot;
999 + };
1000 +
1001 ++/* This is a multiple of PAGE_SIZE. */
1002 ++#define LDT_SLOT_STRIDE (LDT_ENTRIES * LDT_ENTRY_SIZE)
1003 ++
1004 ++static inline void *ldt_slot_va(int slot)
1005 ++{
1006 ++#ifdef CONFIG_X86_64
1007 ++ return (void *)(LDT_BASE_ADDR + LDT_SLOT_STRIDE * slot);
1008 ++#else
1009 ++ BUG();
1010 ++#endif
1011 ++}
1012 ++
1013 + /*
1014 + * Used for LDT copy/destruction.
1015 + */
1016 +@@ -64,6 +87,7 @@ static inline void init_new_context_ldt(struct mm_struct *mm)
1017 + }
1018 + int ldt_dup_context(struct mm_struct *oldmm, struct mm_struct *mm);
1019 + void destroy_context_ldt(struct mm_struct *mm);
1020 ++void ldt_arch_exit_mmap(struct mm_struct *mm);
1021 + #else /* CONFIG_MODIFY_LDT_SYSCALL */
1022 + static inline void init_new_context_ldt(struct mm_struct *mm) { }
1023 + static inline int ldt_dup_context(struct mm_struct *oldmm,
1024 +@@ -71,7 +95,8 @@ static inline int ldt_dup_context(struct mm_struct *oldmm,
1025 + {
1026 + return 0;
1027 + }
1028 +-static inline void destroy_context_ldt(struct mm_struct *mm) {}
1029 ++static inline void destroy_context_ldt(struct mm_struct *mm) { }
1030 ++static inline void ldt_arch_exit_mmap(struct mm_struct *mm) { }
1031 + #endif
1032 +
1033 + static inline void load_mm_ldt(struct mm_struct *mm)
1034 +@@ -96,10 +121,31 @@ static inline void load_mm_ldt(struct mm_struct *mm)
1035 + * that we can see.
1036 + */
1037 +
1038 +- if (unlikely(ldt))
1039 +- set_ldt(ldt->entries, ldt->nr_entries);
1040 +- else
1041 ++ if (unlikely(ldt)) {
1042 ++ if (static_cpu_has(X86_FEATURE_PTI)) {
1043 ++ if (WARN_ON_ONCE((unsigned long)ldt->slot > 1)) {
1044 ++ /*
1045 ++ * Whoops -- either the new LDT isn't mapped
1046 ++ * (if slot == -1) or is mapped into a bogus
1047 ++ * slot (if slot > 1).
1048 ++ */
1049 ++ clear_LDT();
1050 ++ return;
1051 ++ }
1052 ++
1053 ++ /*
1054 ++ * If page table isolation is enabled, ldt->entries
1055 ++ * will not be mapped in the userspace pagetables.
1056 ++ * Tell the CPU to access the LDT through the alias
1057 ++ * at ldt_slot_va(ldt->slot).
1058 ++ */
1059 ++ set_ldt(ldt_slot_va(ldt->slot), ldt->nr_entries);
1060 ++ } else {
1061 ++ set_ldt(ldt->entries, ldt->nr_entries);
1062 ++ }
1063 ++ } else {
1064 + clear_LDT();
1065 ++ }
1066 + #else
1067 + clear_LDT();
1068 + #endif
1069 +@@ -194,6 +240,7 @@ static inline int arch_dup_mmap(struct mm_struct *oldmm, struct mm_struct *mm)
1070 + static inline void arch_exit_mmap(struct mm_struct *mm)
1071 + {
1072 + paravirt_arch_exit_mmap(mm);
1073 ++ ldt_arch_exit_mmap(mm);
1074 + }
1075 +
1076 + #ifdef CONFIG_X86_64
1077 +diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h
1078 +index 4b5e1eafada7..aff42e1da6ee 100644
1079 +--- a/arch/x86/include/asm/pgalloc.h
1080 ++++ b/arch/x86/include/asm/pgalloc.h
1081 +@@ -30,6 +30,17 @@ static inline void paravirt_release_p4d(unsigned long pfn) {}
1082 + */
1083 + extern gfp_t __userpte_alloc_gfp;
1084 +
1085 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1086 ++/*
1087 ++ * Instead of one PGD, we acquire two PGDs. Being order-1, it is
1088 ++ * both 8k in size and 8k-aligned. That lets us just flip bit 12
1089 ++ * in a pointer to swap between the two 4k halves.
1090 ++ */
1091 ++#define PGD_ALLOCATION_ORDER 1
1092 ++#else
1093 ++#define PGD_ALLOCATION_ORDER 0
1094 ++#endif
1095 ++
1096 + /*
1097 + * Allocate and free page tables.
1098 + */
1099 +diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
1100 +index f02de8bc1f72..211368922cad 100644
1101 +--- a/arch/x86/include/asm/pgtable.h
1102 ++++ b/arch/x86/include/asm/pgtable.h
1103 +@@ -28,6 +28,7 @@ extern pgd_t early_top_pgt[PTRS_PER_PGD];
1104 + int __init __early_make_pgtable(unsigned long address, pmdval_t pmd);
1105 +
1106 + void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd);
1107 ++void ptdump_walk_pgd_level_debugfs(struct seq_file *m, pgd_t *pgd, bool user);
1108 + void ptdump_walk_pgd_level_checkwx(void);
1109 +
1110 + #ifdef CONFIG_DEBUG_WX
1111 +@@ -846,7 +847,12 @@ static inline pud_t *pud_offset(p4d_t *p4d, unsigned long address)
1112 +
1113 + static inline int p4d_bad(p4d_t p4d)
1114 + {
1115 +- return (p4d_flags(p4d) & ~(_KERNPG_TABLE | _PAGE_USER)) != 0;
1116 ++ unsigned long ignore_flags = _KERNPG_TABLE | _PAGE_USER;
1117 ++
1118 ++ if (IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION))
1119 ++ ignore_flags |= _PAGE_NX;
1120 ++
1121 ++ return (p4d_flags(p4d) & ~ignore_flags) != 0;
1122 + }
1123 + #endif /* CONFIG_PGTABLE_LEVELS > 3 */
1124 +
1125 +@@ -880,7 +886,12 @@ static inline p4d_t *p4d_offset(pgd_t *pgd, unsigned long address)
1126 +
1127 + static inline int pgd_bad(pgd_t pgd)
1128 + {
1129 +- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
1130 ++ unsigned long ignore_flags = _PAGE_USER;
1131 ++
1132 ++ if (IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION))
1133 ++ ignore_flags |= _PAGE_NX;
1134 ++
1135 ++ return (pgd_flags(pgd) & ~ignore_flags) != _KERNPG_TABLE;
1136 + }
1137 +
1138 + static inline int pgd_none(pgd_t pgd)
1139 +@@ -909,7 +920,11 @@ static inline int pgd_none(pgd_t pgd)
1140 + * pgd_offset() returns a (pgd_t *)
1141 + * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
1142 + */
1143 +-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
1144 ++#define pgd_offset_pgd(pgd, address) (pgd + pgd_index((address)))
1145 ++/*
1146 ++ * a shortcut to get a pgd_t in a given mm
1147 ++ */
1148 ++#define pgd_offset(mm, address) pgd_offset_pgd((mm)->pgd, (address))
1149 + /*
1150 + * a shortcut which implies the use of the kernel's pgd, instead
1151 + * of a process's
1152 +@@ -1111,7 +1126,14 @@ static inline int pud_write(pud_t pud)
1153 + */
1154 + static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
1155 + {
1156 +- memcpy(dst, src, count * sizeof(pgd_t));
1157 ++ memcpy(dst, src, count * sizeof(pgd_t));
1158 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1159 ++ if (!static_cpu_has(X86_FEATURE_PTI))
1160 ++ return;
1161 ++ /* Clone the user space pgd as well */
1162 ++ memcpy(kernel_to_user_pgdp(dst), kernel_to_user_pgdp(src),
1163 ++ count * sizeof(pgd_t));
1164 ++#endif
1165 + }
1166 +
1167 + #define PTE_SHIFT ilog2(PTRS_PER_PTE)
1168 +diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
1169 +index e9f05331e732..81462e9a34f6 100644
1170 +--- a/arch/x86/include/asm/pgtable_64.h
1171 ++++ b/arch/x86/include/asm/pgtable_64.h
1172 +@@ -131,9 +131,97 @@ static inline pud_t native_pudp_get_and_clear(pud_t *xp)
1173 + #endif
1174 + }
1175 +
1176 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1177 ++/*
1178 ++ * All top-level PAGE_TABLE_ISOLATION page tables are order-1 pages
1179 ++ * (8k-aligned and 8k in size). The kernel one is at the beginning 4k and
1180 ++ * the user one is in the last 4k. To switch between them, you
1181 ++ * just need to flip the 12th bit in their addresses.
1182 ++ */
1183 ++#define PTI_PGTABLE_SWITCH_BIT PAGE_SHIFT
1184 ++
1185 ++/*
1186 ++ * This generates better code than the inline assembly in
1187 ++ * __set_bit().
1188 ++ */
1189 ++static inline void *ptr_set_bit(void *ptr, int bit)
1190 ++{
1191 ++ unsigned long __ptr = (unsigned long)ptr;
1192 ++
1193 ++ __ptr |= BIT(bit);
1194 ++ return (void *)__ptr;
1195 ++}
1196 ++static inline void *ptr_clear_bit(void *ptr, int bit)
1197 ++{
1198 ++ unsigned long __ptr = (unsigned long)ptr;
1199 ++
1200 ++ __ptr &= ~BIT(bit);
1201 ++ return (void *)__ptr;
1202 ++}
1203 ++
1204 ++static inline pgd_t *kernel_to_user_pgdp(pgd_t *pgdp)
1205 ++{
1206 ++ return ptr_set_bit(pgdp, PTI_PGTABLE_SWITCH_BIT);
1207 ++}
1208 ++
1209 ++static inline pgd_t *user_to_kernel_pgdp(pgd_t *pgdp)
1210 ++{
1211 ++ return ptr_clear_bit(pgdp, PTI_PGTABLE_SWITCH_BIT);
1212 ++}
1213 ++
1214 ++static inline p4d_t *kernel_to_user_p4dp(p4d_t *p4dp)
1215 ++{
1216 ++ return ptr_set_bit(p4dp, PTI_PGTABLE_SWITCH_BIT);
1217 ++}
1218 ++
1219 ++static inline p4d_t *user_to_kernel_p4dp(p4d_t *p4dp)
1220 ++{
1221 ++ return ptr_clear_bit(p4dp, PTI_PGTABLE_SWITCH_BIT);
1222 ++}
1223 ++#endif /* CONFIG_PAGE_TABLE_ISOLATION */
1224 ++
1225 ++/*
1226 ++ * Page table pages are page-aligned. The lower half of the top
1227 ++ * level is used for userspace and the top half for the kernel.
1228 ++ *
1229 ++ * Returns true for parts of the PGD that map userspace and
1230 ++ * false for the parts that map the kernel.
1231 ++ */
1232 ++static inline bool pgdp_maps_userspace(void *__ptr)
1233 ++{
1234 ++ unsigned long ptr = (unsigned long)__ptr;
1235 ++
1236 ++ return (ptr & ~PAGE_MASK) < (PAGE_SIZE / 2);
1237 ++}
1238 ++
1239 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1240 ++pgd_t __pti_set_user_pgd(pgd_t *pgdp, pgd_t pgd);
1241 ++
1242 ++/*
1243 ++ * Take a PGD location (pgdp) and a pgd value that needs to be set there.
1244 ++ * Populates the user and returns the resulting PGD that must be set in
1245 ++ * the kernel copy of the page tables.
1246 ++ */
1247 ++static inline pgd_t pti_set_user_pgd(pgd_t *pgdp, pgd_t pgd)
1248 ++{
1249 ++ if (!static_cpu_has(X86_FEATURE_PTI))
1250 ++ return pgd;
1251 ++ return __pti_set_user_pgd(pgdp, pgd);
1252 ++}
1253 ++#else
1254 ++static inline pgd_t pti_set_user_pgd(pgd_t *pgdp, pgd_t pgd)
1255 ++{
1256 ++ return pgd;
1257 ++}
1258 ++#endif
1259 ++
1260 + static inline void native_set_p4d(p4d_t *p4dp, p4d_t p4d)
1261 + {
1262 ++#if defined(CONFIG_PAGE_TABLE_ISOLATION) && !defined(CONFIG_X86_5LEVEL)
1263 ++ p4dp->pgd = pti_set_user_pgd(&p4dp->pgd, p4d.pgd);
1264 ++#else
1265 + *p4dp = p4d;
1266 ++#endif
1267 + }
1268 +
1269 + static inline void native_p4d_clear(p4d_t *p4d)
1270 +@@ -147,7 +235,11 @@ static inline void native_p4d_clear(p4d_t *p4d)
1271 +
1272 + static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
1273 + {
1274 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1275 ++ *pgdp = pti_set_user_pgd(pgdp, pgd);
1276 ++#else
1277 + *pgdp = pgd;
1278 ++#endif
1279 + }
1280 +
1281 + static inline void native_pgd_clear(pgd_t *pgd)
1282 +diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h
1283 +index 3d27831bc58d..b97a539bcdee 100644
1284 +--- a/arch/x86/include/asm/pgtable_64_types.h
1285 ++++ b/arch/x86/include/asm/pgtable_64_types.h
1286 +@@ -79,13 +79,17 @@ typedef struct { pteval_t pte; } pte_t;
1287 + #define MAXMEM _AC(__AC(1, UL) << MAX_PHYSMEM_BITS, UL)
1288 +
1289 + #ifdef CONFIG_X86_5LEVEL
1290 +-# define VMALLOC_SIZE_TB _AC(16384, UL)
1291 +-# define __VMALLOC_BASE _AC(0xff92000000000000, UL)
1292 ++# define VMALLOC_SIZE_TB _AC(12800, UL)
1293 ++# define __VMALLOC_BASE _AC(0xffa0000000000000, UL)
1294 + # define __VMEMMAP_BASE _AC(0xffd4000000000000, UL)
1295 ++# define LDT_PGD_ENTRY _AC(-112, UL)
1296 ++# define LDT_BASE_ADDR (LDT_PGD_ENTRY << PGDIR_SHIFT)
1297 + #else
1298 + # define VMALLOC_SIZE_TB _AC(32, UL)
1299 + # define __VMALLOC_BASE _AC(0xffffc90000000000, UL)
1300 + # define __VMEMMAP_BASE _AC(0xffffea0000000000, UL)
1301 ++# define LDT_PGD_ENTRY _AC(-4, UL)
1302 ++# define LDT_BASE_ADDR (LDT_PGD_ENTRY << PGDIR_SHIFT)
1303 + #endif
1304 +
1305 + #ifdef CONFIG_RANDOMIZE_MEMORY
1306 +diff --git a/arch/x86/include/asm/processor-flags.h b/arch/x86/include/asm/processor-flags.h
1307 +index 43212a43ee69..6a60fea90b9d 100644
1308 +--- a/arch/x86/include/asm/processor-flags.h
1309 ++++ b/arch/x86/include/asm/processor-flags.h
1310 +@@ -38,6 +38,11 @@
1311 + #define CR3_ADDR_MASK __sme_clr(0x7FFFFFFFFFFFF000ull)
1312 + #define CR3_PCID_MASK 0xFFFull
1313 + #define CR3_NOFLUSH BIT_ULL(63)
1314 ++
1315 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1316 ++# define X86_CR3_PTI_SWITCH_BIT 11
1317 ++#endif
1318 ++
1319 + #else
1320 + /*
1321 + * CR3_ADDR_MASK needs at least bits 31:5 set on PAE systems, and we save
1322 +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
1323 +index 9e482d8b0b97..9c18da64daa9 100644
1324 +--- a/arch/x86/include/asm/processor.h
1325 ++++ b/arch/x86/include/asm/processor.h
1326 +@@ -851,13 +851,22 @@ static inline void spin_lock_prefetch(const void *x)
1327 +
1328 + #else
1329 + /*
1330 +- * User space process size. 47bits minus one guard page. The guard
1331 +- * page is necessary on Intel CPUs: if a SYSCALL instruction is at
1332 +- * the highest possible canonical userspace address, then that
1333 +- * syscall will enter the kernel with a non-canonical return
1334 +- * address, and SYSRET will explode dangerously. We avoid this
1335 +- * particular problem by preventing anything from being mapped
1336 +- * at the maximum canonical address.
1337 ++ * User space process size. This is the first address outside the user range.
1338 ++ * There are a few constraints that determine this:
1339 ++ *
1340 ++ * On Intel CPUs, if a SYSCALL instruction is at the highest canonical
1341 ++ * address, then that syscall will enter the kernel with a
1342 ++ * non-canonical return address, and SYSRET will explode dangerously.
1343 ++ * We avoid this particular problem by preventing anything executable
1344 ++ * from being mapped at the maximum canonical address.
1345 ++ *
1346 ++ * On AMD CPUs in the Ryzen family, there's a nasty bug in which the
1347 ++ * CPUs malfunction if they execute code from the highest canonical page.
1348 ++ * They'll speculate right off the end of the canonical space, and
1349 ++ * bad things happen. This is worked around in the same way as the
1350 ++ * Intel problem.
1351 ++ *
1352 ++ * With page table isolation enabled, we map the LDT in ... [stay tuned]
1353 + */
1354 + #define TASK_SIZE_MAX ((1UL << __VIRTUAL_MASK_SHIFT) - PAGE_SIZE)
1355 +
1356 +diff --git a/arch/x86/include/asm/pti.h b/arch/x86/include/asm/pti.h
1357 +new file mode 100644
1358 +index 000000000000..0b5ef05b2d2d
1359 +--- /dev/null
1360 ++++ b/arch/x86/include/asm/pti.h
1361 +@@ -0,0 +1,14 @@
1362 ++// SPDX-License-Identifier: GPL-2.0
1363 ++#ifndef _ASM_X86_PTI_H
1364 ++#define _ASM_X86_PTI_H
1365 ++#ifndef __ASSEMBLY__
1366 ++
1367 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1368 ++extern void pti_init(void);
1369 ++extern void pti_check_boottime_disable(void);
1370 ++#else
1371 ++static inline void pti_check_boottime_disable(void) { }
1372 ++#endif
1373 ++
1374 ++#endif /* __ASSEMBLY__ */
1375 ++#endif /* _ASM_X86_PTI_H */
1376 +diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
1377 +index 171b429f43a2..f9b48ce152eb 100644
1378 +--- a/arch/x86/include/asm/tlbflush.h
1379 ++++ b/arch/x86/include/asm/tlbflush.h
1380 +@@ -10,38 +10,90 @@
1381 + #include <asm/special_insns.h>
1382 + #include <asm/smp.h>
1383 + #include <asm/invpcid.h>
1384 ++#include <asm/pti.h>
1385 ++#include <asm/processor-flags.h>
1386 +
1387 +-static inline u64 inc_mm_tlb_gen(struct mm_struct *mm)
1388 +-{
1389 +- /*
1390 +- * Bump the generation count. This also serves as a full barrier
1391 +- * that synchronizes with switch_mm(): callers are required to order
1392 +- * their read of mm_cpumask after their writes to the paging
1393 +- * structures.
1394 +- */
1395 +- return atomic64_inc_return(&mm->context.tlb_gen);
1396 +-}
1397 ++/*
1398 ++ * The x86 feature is called PCID (Process Context IDentifier). It is similar
1399 ++ * to what is traditionally called ASID on the RISC processors.
1400 ++ *
1401 ++ * We don't use the traditional ASID implementation, where each process/mm gets
1402 ++ * its own ASID and flush/restart when we run out of ASID space.
1403 ++ *
1404 ++ * Instead we have a small per-cpu array of ASIDs and cache the last few mm's
1405 ++ * that came by on this CPU, allowing cheaper switch_mm between processes on
1406 ++ * this CPU.
1407 ++ *
1408 ++ * We end up with different spaces for different things. To avoid confusion we
1409 ++ * use different names for each of them:
1410 ++ *
1411 ++ * ASID - [0, TLB_NR_DYN_ASIDS-1]
1412 ++ * the canonical identifier for an mm
1413 ++ *
1414 ++ * kPCID - [1, TLB_NR_DYN_ASIDS]
1415 ++ * the value we write into the PCID part of CR3; corresponds to the
1416 ++ * ASID+1, because PCID 0 is special.
1417 ++ *
1418 ++ * uPCID - [2048 + 1, 2048 + TLB_NR_DYN_ASIDS]
1419 ++ * for KPTI each mm has two address spaces and thus needs two
1420 ++ * PCID values, but we can still do with a single ASID denomination
1421 ++ * for each mm. Corresponds to kPCID + 2048.
1422 ++ *
1423 ++ */
1424 +
1425 + /* There are 12 bits of space for ASIDS in CR3 */
1426 + #define CR3_HW_ASID_BITS 12
1427 ++
1428 + /*
1429 + * When enabled, PAGE_TABLE_ISOLATION consumes a single bit for
1430 + * user/kernel switches
1431 + */
1432 +-#define PTI_CONSUMED_ASID_BITS 0
1433 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1434 ++# define PTI_CONSUMED_PCID_BITS 1
1435 ++#else
1436 ++# define PTI_CONSUMED_PCID_BITS 0
1437 ++#endif
1438 ++
1439 ++#define CR3_AVAIL_PCID_BITS (X86_CR3_PCID_BITS - PTI_CONSUMED_PCID_BITS)
1440 +
1441 +-#define CR3_AVAIL_ASID_BITS (CR3_HW_ASID_BITS - PTI_CONSUMED_ASID_BITS)
1442 + /*
1443 + * ASIDs are zero-based: 0->MAX_AVAIL_ASID are valid. -1 below to account
1444 +- * for them being zero-based. Another -1 is because ASID 0 is reserved for
1445 ++ * for them being zero-based. Another -1 is because PCID 0 is reserved for
1446 + * use by non-PCID-aware users.
1447 + */
1448 +-#define MAX_ASID_AVAILABLE ((1 << CR3_AVAIL_ASID_BITS) - 2)
1449 ++#define MAX_ASID_AVAILABLE ((1 << CR3_AVAIL_PCID_BITS) - 2)
1450 ++
1451 ++/*
1452 ++ * 6 because 6 should be plenty and struct tlb_state will fit in two cache
1453 ++ * lines.
1454 ++ */
1455 ++#define TLB_NR_DYN_ASIDS 6
1456 +
1457 ++/*
1458 ++ * Given @asid, compute kPCID
1459 ++ */
1460 + static inline u16 kern_pcid(u16 asid)
1461 + {
1462 + VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE);
1463 ++
1464 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1465 ++ /*
1466 ++ * Make sure that the dynamic ASID space does not confict with the
1467 ++ * bit we are using to switch between user and kernel ASIDs.
1468 ++ */
1469 ++ BUILD_BUG_ON(TLB_NR_DYN_ASIDS >= (1 << X86_CR3_PTI_SWITCH_BIT));
1470 ++
1471 + /*
1472 ++ * The ASID being passed in here should have respected the
1473 ++ * MAX_ASID_AVAILABLE and thus never have the switch bit set.
1474 ++ */
1475 ++ VM_WARN_ON_ONCE(asid & (1 << X86_CR3_PTI_SWITCH_BIT));
1476 ++#endif
1477 ++ /*
1478 ++ * The dynamically-assigned ASIDs that get passed in are small
1479 ++ * (<TLB_NR_DYN_ASIDS). They never have the high switch bit set,
1480 ++ * so do not bother to clear it.
1481 ++ *
1482 + * If PCID is on, ASID-aware code paths put the ASID+1 into the
1483 + * PCID bits. This serves two purposes. It prevents a nasty
1484 + * situation in which PCID-unaware code saves CR3, loads some other
1485 +@@ -53,6 +105,18 @@ static inline u16 kern_pcid(u16 asid)
1486 + return asid + 1;
1487 + }
1488 +
1489 ++/*
1490 ++ * Given @asid, compute uPCID
1491 ++ */
1492 ++static inline u16 user_pcid(u16 asid)
1493 ++{
1494 ++ u16 ret = kern_pcid(asid);
1495 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1496 ++ ret |= 1 << X86_CR3_PTI_SWITCH_BIT;
1497 ++#endif
1498 ++ return ret;
1499 ++}
1500 ++
1501 + struct pgd_t;
1502 + static inline unsigned long build_cr3(pgd_t *pgd, u16 asid)
1503 + {
1504 +@@ -95,12 +159,6 @@ static inline bool tlb_defer_switch_to_init_mm(void)
1505 + return !static_cpu_has(X86_FEATURE_PCID);
1506 + }
1507 +
1508 +-/*
1509 +- * 6 because 6 should be plenty and struct tlb_state will fit in
1510 +- * two cache lines.
1511 +- */
1512 +-#define TLB_NR_DYN_ASIDS 6
1513 +-
1514 + struct tlb_context {
1515 + u64 ctx_id;
1516 + u64 tlb_gen;
1517 +@@ -134,6 +192,24 @@ struct tlb_state {
1518 + */
1519 + bool is_lazy;
1520 +
1521 ++ /*
1522 ++ * If set we changed the page tables in such a way that we
1523 ++ * needed an invalidation of all contexts (aka. PCIDs / ASIDs).
1524 ++ * This tells us to go invalidate all the non-loaded ctxs[]
1525 ++ * on the next context switch.
1526 ++ *
1527 ++ * The current ctx was kept up-to-date as it ran and does not
1528 ++ * need to be invalidated.
1529 ++ */
1530 ++ bool invalidate_other;
1531 ++
1532 ++ /*
1533 ++ * Mask that contains TLB_NR_DYN_ASIDS+1 bits to indicate
1534 ++ * the corresponding user PCID needs a flush next time we
1535 ++ * switch to it; see SWITCH_TO_USER_CR3.
1536 ++ */
1537 ++ unsigned short user_pcid_flush_mask;
1538 ++
1539 + /*
1540 + * Access to this CR4 shadow and to H/W CR4 is protected by
1541 + * disabling interrupts when modifying either one.
1542 +@@ -211,6 +287,14 @@ static inline unsigned long cr4_read_shadow(void)
1543 + return this_cpu_read(cpu_tlbstate.cr4);
1544 + }
1545 +
1546 ++/*
1547 ++ * Mark all other ASIDs as invalid, preserves the current.
1548 ++ */
1549 ++static inline void invalidate_other_asid(void)
1550 ++{
1551 ++ this_cpu_write(cpu_tlbstate.invalidate_other, true);
1552 ++}
1553 ++
1554 + /*
1555 + * Save some of cr4 feature set we're using (e.g. Pentium 4MB
1556 + * enable and PPro Global page enable), so that any CPU's that boot
1557 +@@ -230,19 +314,48 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
1558 +
1559 + extern void initialize_tlbstate_and_flush(void);
1560 +
1561 ++/*
1562 ++ * Given an ASID, flush the corresponding user ASID. We can delay this
1563 ++ * until the next time we switch to it.
1564 ++ *
1565 ++ * See SWITCH_TO_USER_CR3.
1566 ++ */
1567 ++static inline void invalidate_user_asid(u16 asid)
1568 ++{
1569 ++ /* There is no user ASID if address space separation is off */
1570 ++ if (!IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION))
1571 ++ return;
1572 ++
1573 ++ /*
1574 ++ * We only have a single ASID if PCID is off and the CR3
1575 ++ * write will have flushed it.
1576 ++ */
1577 ++ if (!cpu_feature_enabled(X86_FEATURE_PCID))
1578 ++ return;
1579 ++
1580 ++ if (!static_cpu_has(X86_FEATURE_PTI))
1581 ++ return;
1582 ++
1583 ++ __set_bit(kern_pcid(asid),
1584 ++ (unsigned long *)this_cpu_ptr(&cpu_tlbstate.user_pcid_flush_mask));
1585 ++}
1586 ++
1587 + /*
1588 + * flush the entire current user mapping
1589 + */
1590 + static inline void __native_flush_tlb(void)
1591 + {
1592 + /*
1593 +- * If current->mm == NULL then we borrow a mm which may change during a
1594 +- * task switch and therefore we must not be preempted while we write CR3
1595 +- * back:
1596 ++ * Preemption or interrupts must be disabled to protect the access
1597 ++ * to the per CPU variable and to prevent being preempted between
1598 ++ * read_cr3() and write_cr3().
1599 + */
1600 +- preempt_disable();
1601 ++ WARN_ON_ONCE(preemptible());
1602 ++
1603 ++ invalidate_user_asid(this_cpu_read(cpu_tlbstate.loaded_mm_asid));
1604 ++
1605 ++ /* If current->mm == NULL then the read_cr3() "borrows" an mm */
1606 + native_write_cr3(__native_read_cr3());
1607 +- preempt_enable();
1608 + }
1609 +
1610 + /*
1611 +@@ -256,6 +369,8 @@ static inline void __native_flush_tlb_global(void)
1612 + /*
1613 + * Using INVPCID is considerably faster than a pair of writes
1614 + * to CR4 sandwiched inside an IRQ flag save/restore.
1615 ++ *
1616 ++ * Note, this works with CR4.PCIDE=0 or 1.
1617 + */
1618 + invpcid_flush_all();
1619 + return;
1620 +@@ -282,7 +397,21 @@ static inline void __native_flush_tlb_global(void)
1621 + */
1622 + static inline void __native_flush_tlb_single(unsigned long addr)
1623 + {
1624 ++ u32 loaded_mm_asid = this_cpu_read(cpu_tlbstate.loaded_mm_asid);
1625 ++
1626 + asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
1627 ++
1628 ++ if (!static_cpu_has(X86_FEATURE_PTI))
1629 ++ return;
1630 ++
1631 ++ /*
1632 ++ * Some platforms #GP if we call invpcid(type=1/2) before CR4.PCIDE=1.
1633 ++ * Just use invalidate_user_asid() in case we are called early.
1634 ++ */
1635 ++ if (!this_cpu_has(X86_FEATURE_INVPCID_SINGLE))
1636 ++ invalidate_user_asid(loaded_mm_asid);
1637 ++ else
1638 ++ invpcid_flush_one(user_pcid(loaded_mm_asid), addr);
1639 + }
1640 +
1641 + /*
1642 +@@ -298,14 +427,6 @@ static inline void __flush_tlb_all(void)
1643 + */
1644 + __flush_tlb();
1645 + }
1646 +-
1647 +- /*
1648 +- * Note: if we somehow had PCID but not PGE, then this wouldn't work --
1649 +- * we'd end up flushing kernel translations for the current ASID but
1650 +- * we might fail to flush kernel translations for other cached ASIDs.
1651 +- *
1652 +- * To avoid this issue, we force PCID off if PGE is off.
1653 +- */
1654 + }
1655 +
1656 + /*
1657 +@@ -315,6 +436,16 @@ static inline void __flush_tlb_one(unsigned long addr)
1658 + {
1659 + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ONE);
1660 + __flush_tlb_single(addr);
1661 ++
1662 ++ if (!static_cpu_has(X86_FEATURE_PTI))
1663 ++ return;
1664 ++
1665 ++ /*
1666 ++ * __flush_tlb_single() will have cleared the TLB entry for this ASID,
1667 ++ * but since kernel space is replicated across all, we must also
1668 ++ * invalidate all others.
1669 ++ */
1670 ++ invalidate_other_asid();
1671 + }
1672 +
1673 + #define TLB_FLUSH_ALL -1UL
1674 +@@ -375,6 +506,17 @@ static inline void flush_tlb_page(struct vm_area_struct *vma, unsigned long a)
1675 + void native_flush_tlb_others(const struct cpumask *cpumask,
1676 + const struct flush_tlb_info *info);
1677 +
1678 ++static inline u64 inc_mm_tlb_gen(struct mm_struct *mm)
1679 ++{
1680 ++ /*
1681 ++ * Bump the generation count. This also serves as a full barrier
1682 ++ * that synchronizes with switch_mm(): callers are required to order
1683 ++ * their read of mm_cpumask after their writes to the paging
1684 ++ * structures.
1685 ++ */
1686 ++ return atomic64_inc_return(&mm->context.tlb_gen);
1687 ++}
1688 ++
1689 + static inline void arch_tlbbatch_add_mm(struct arch_tlbflush_unmap_batch *batch,
1690 + struct mm_struct *mm)
1691 + {
1692 +diff --git a/arch/x86/include/asm/vsyscall.h b/arch/x86/include/asm/vsyscall.h
1693 +index d9a7c659009c..b986b2ca688a 100644
1694 +--- a/arch/x86/include/asm/vsyscall.h
1695 ++++ b/arch/x86/include/asm/vsyscall.h
1696 +@@ -7,6 +7,7 @@
1697 +
1698 + #ifdef CONFIG_X86_VSYSCALL_EMULATION
1699 + extern void map_vsyscall(void);
1700 ++extern void set_vsyscall_pgtable_user_bits(pgd_t *root);
1701 +
1702 + /*
1703 + * Called on instruction fetch fault in vsyscall page.
1704 +diff --git a/arch/x86/include/uapi/asm/processor-flags.h b/arch/x86/include/uapi/asm/processor-flags.h
1705 +index 53b4ca55ebb6..97abdaab9535 100644
1706 +--- a/arch/x86/include/uapi/asm/processor-flags.h
1707 ++++ b/arch/x86/include/uapi/asm/processor-flags.h
1708 +@@ -78,7 +78,12 @@
1709 + #define X86_CR3_PWT _BITUL(X86_CR3_PWT_BIT)
1710 + #define X86_CR3_PCD_BIT 4 /* Page Cache Disable */
1711 + #define X86_CR3_PCD _BITUL(X86_CR3_PCD_BIT)
1712 +-#define X86_CR3_PCID_MASK _AC(0x00000fff,UL) /* PCID Mask */
1713 ++
1714 ++#define X86_CR3_PCID_BITS 12
1715 ++#define X86_CR3_PCID_MASK (_AC((1UL << X86_CR3_PCID_BITS) - 1, UL))
1716 ++
1717 ++#define X86_CR3_PCID_NOFLUSH_BIT 63 /* Preserve old PCID */
1718 ++#define X86_CR3_PCID_NOFLUSH _BITULL(X86_CR3_PCID_NOFLUSH_BIT)
1719 +
1720 + /*
1721 + * Intel CPU features in CR4
1722 +diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c
1723 +index 676b7cf4b62b..76417a9aab73 100644
1724 +--- a/arch/x86/kernel/asm-offsets.c
1725 ++++ b/arch/x86/kernel/asm-offsets.c
1726 +@@ -17,6 +17,7 @@
1727 + #include <asm/sigframe.h>
1728 + #include <asm/bootparam.h>
1729 + #include <asm/suspend.h>
1730 ++#include <asm/tlbflush.h>
1731 +
1732 + #ifdef CONFIG_XEN
1733 + #include <xen/interface/xen.h>
1734 +@@ -94,6 +95,9 @@ void common(void) {
1735 + BLANK();
1736 + DEFINE(PTREGS_SIZE, sizeof(struct pt_regs));
1737 +
1738 ++ /* TLB state for the entry code */
1739 ++ OFFSET(TLB_STATE_user_pcid_flush_mask, tlb_state, user_pcid_flush_mask);
1740 ++
1741 + /* Layout info for cpu_entry_area */
1742 + OFFSET(CPU_ENTRY_AREA_tss, cpu_entry_area, tss);
1743 + OFFSET(CPU_ENTRY_AREA_entry_trampoline, cpu_entry_area, entry_trampoline);
1744 +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
1745 +index 8ddcfa4d4165..f2a94dfb434e 100644
1746 +--- a/arch/x86/kernel/cpu/common.c
1747 ++++ b/arch/x86/kernel/cpu/common.c
1748 +@@ -898,6 +898,10 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
1749 + }
1750 +
1751 + setup_force_cpu_cap(X86_FEATURE_ALWAYS);
1752 ++
1753 ++ /* Assume for now that ALL x86 CPUs are insecure */
1754 ++ setup_force_cpu_bug(X86_BUG_CPU_INSECURE);
1755 ++
1756 + fpu__init_system(c);
1757 +
1758 + #ifdef CONFIG_X86_32
1759 +@@ -1335,7 +1339,10 @@ void syscall_init(void)
1760 + (entry_SYSCALL_64_trampoline - _entry_trampoline);
1761 +
1762 + wrmsr(MSR_STAR, 0, (__USER32_CS << 16) | __KERNEL_CS);
1763 +- wrmsrl(MSR_LSTAR, SYSCALL64_entry_trampoline);
1764 ++ if (static_cpu_has(X86_FEATURE_PTI))
1765 ++ wrmsrl(MSR_LSTAR, SYSCALL64_entry_trampoline);
1766 ++ else
1767 ++ wrmsrl(MSR_LSTAR, (unsigned long)entry_SYSCALL_64);
1768 +
1769 + #ifdef CONFIG_IA32_EMULATION
1770 + wrmsrl(MSR_CSTAR, (unsigned long)entry_SYSCALL_compat);
1771 +diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
1772 +index 36b17e0febe8..5fa110699ed2 100644
1773 +--- a/arch/x86/kernel/dumpstack.c
1774 ++++ b/arch/x86/kernel/dumpstack.c
1775 +@@ -297,11 +297,13 @@ int __die(const char *str, struct pt_regs *regs, long err)
1776 + unsigned long sp;
1777 + #endif
1778 + printk(KERN_DEFAULT
1779 +- "%s: %04lx [#%d]%s%s%s%s\n", str, err & 0xffff, ++die_counter,
1780 ++ "%s: %04lx [#%d]%s%s%s%s%s\n", str, err & 0xffff, ++die_counter,
1781 + IS_ENABLED(CONFIG_PREEMPT) ? " PREEMPT" : "",
1782 + IS_ENABLED(CONFIG_SMP) ? " SMP" : "",
1783 + debug_pagealloc_enabled() ? " DEBUG_PAGEALLOC" : "",
1784 +- IS_ENABLED(CONFIG_KASAN) ? " KASAN" : "");
1785 ++ IS_ENABLED(CONFIG_KASAN) ? " KASAN" : "",
1786 ++ IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION) ?
1787 ++ (boot_cpu_has(X86_FEATURE_PTI) ? " PTI" : " NOPTI") : "");
1788 +
1789 + if (notify_die(DIE_OOPS, str, regs, err,
1790 + current->thread.trap_nr, SIGSEGV) == NOTIFY_STOP)
1791 +diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
1792 +index 7dca675fe78d..04a625f0fcda 100644
1793 +--- a/arch/x86/kernel/head_64.S
1794 ++++ b/arch/x86/kernel/head_64.S
1795 +@@ -341,6 +341,27 @@ GLOBAL(early_recursion_flag)
1796 + .balign PAGE_SIZE; \
1797 + GLOBAL(name)
1798 +
1799 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1800 ++/*
1801 ++ * Each PGD needs to be 8k long and 8k aligned. We do not
1802 ++ * ever go out to userspace with these, so we do not
1803 ++ * strictly *need* the second page, but this allows us to
1804 ++ * have a single set_pgd() implementation that does not
1805 ++ * need to worry about whether it has 4k or 8k to work
1806 ++ * with.
1807 ++ *
1808 ++ * This ensures PGDs are 8k long:
1809 ++ */
1810 ++#define PTI_USER_PGD_FILL 512
1811 ++/* This ensures they are 8k-aligned: */
1812 ++#define NEXT_PGD_PAGE(name) \
1813 ++ .balign 2 * PAGE_SIZE; \
1814 ++GLOBAL(name)
1815 ++#else
1816 ++#define NEXT_PGD_PAGE(name) NEXT_PAGE(name)
1817 ++#define PTI_USER_PGD_FILL 0
1818 ++#endif
1819 ++
1820 + /* Automate the creation of 1 to 1 mapping pmd entries */
1821 + #define PMDS(START, PERM, COUNT) \
1822 + i = 0 ; \
1823 +@@ -350,13 +371,14 @@ GLOBAL(name)
1824 + .endr
1825 +
1826 + __INITDATA
1827 +-NEXT_PAGE(early_top_pgt)
1828 ++NEXT_PGD_PAGE(early_top_pgt)
1829 + .fill 511,8,0
1830 + #ifdef CONFIG_X86_5LEVEL
1831 + .quad level4_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC
1832 + #else
1833 + .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC
1834 + #endif
1835 ++ .fill PTI_USER_PGD_FILL,8,0
1836 +
1837 + NEXT_PAGE(early_dynamic_pgts)
1838 + .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
1839 +@@ -364,13 +386,14 @@ NEXT_PAGE(early_dynamic_pgts)
1840 + .data
1841 +
1842 + #if defined(CONFIG_XEN_PV) || defined(CONFIG_XEN_PVH)
1843 +-NEXT_PAGE(init_top_pgt)
1844 ++NEXT_PGD_PAGE(init_top_pgt)
1845 + .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE_NOENC
1846 + .org init_top_pgt + PGD_PAGE_OFFSET*8, 0
1847 + .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE_NOENC
1848 + .org init_top_pgt + PGD_START_KERNEL*8, 0
1849 + /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
1850 + .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC
1851 ++ .fill PTI_USER_PGD_FILL,8,0
1852 +
1853 + NEXT_PAGE(level3_ident_pgt)
1854 + .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE_NOENC
1855 +@@ -381,8 +404,9 @@ NEXT_PAGE(level2_ident_pgt)
1856 + */
1857 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
1858 + #else
1859 +-NEXT_PAGE(init_top_pgt)
1860 ++NEXT_PGD_PAGE(init_top_pgt)
1861 + .fill 512,8,0
1862 ++ .fill PTI_USER_PGD_FILL,8,0
1863 + #endif
1864 +
1865 + #ifdef CONFIG_X86_5LEVEL
1866 +diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
1867 +index a6b5d62f45a7..26d713ecad34 100644
1868 +--- a/arch/x86/kernel/ldt.c
1869 ++++ b/arch/x86/kernel/ldt.c
1870 +@@ -24,6 +24,7 @@
1871 + #include <linux/uaccess.h>
1872 +
1873 + #include <asm/ldt.h>
1874 ++#include <asm/tlb.h>
1875 + #include <asm/desc.h>
1876 + #include <asm/mmu_context.h>
1877 + #include <asm/syscalls.h>
1878 +@@ -51,13 +52,11 @@ static void refresh_ldt_segments(void)
1879 + static void flush_ldt(void *__mm)
1880 + {
1881 + struct mm_struct *mm = __mm;
1882 +- mm_context_t *pc;
1883 +
1884 + if (this_cpu_read(cpu_tlbstate.loaded_mm) != mm)
1885 + return;
1886 +
1887 +- pc = &mm->context;
1888 +- set_ldt(pc->ldt->entries, pc->ldt->nr_entries);
1889 ++ load_mm_ldt(mm);
1890 +
1891 + refresh_ldt_segments();
1892 + }
1893 +@@ -94,10 +93,126 @@ static struct ldt_struct *alloc_ldt_struct(unsigned int num_entries)
1894 + return NULL;
1895 + }
1896 +
1897 ++ /* The new LDT isn't aliased for PTI yet. */
1898 ++ new_ldt->slot = -1;
1899 ++
1900 + new_ldt->nr_entries = num_entries;
1901 + return new_ldt;
1902 + }
1903 +
1904 ++/*
1905 ++ * If PTI is enabled, this maps the LDT into the kernelmode and
1906 ++ * usermode tables for the given mm.
1907 ++ *
1908 ++ * There is no corresponding unmap function. Even if the LDT is freed, we
1909 ++ * leave the PTEs around until the slot is reused or the mm is destroyed.
1910 ++ * This is harmless: the LDT is always in ordinary memory, and no one will
1911 ++ * access the freed slot.
1912 ++ *
1913 ++ * If we wanted to unmap freed LDTs, we'd also need to do a flush to make
1914 ++ * it useful, and the flush would slow down modify_ldt().
1915 ++ */
1916 ++static int
1917 ++map_ldt_struct(struct mm_struct *mm, struct ldt_struct *ldt, int slot)
1918 ++{
1919 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
1920 ++ bool is_vmalloc, had_top_level_entry;
1921 ++ unsigned long va;
1922 ++ spinlock_t *ptl;
1923 ++ pgd_t *pgd;
1924 ++ int i;
1925 ++
1926 ++ if (!static_cpu_has(X86_FEATURE_PTI))
1927 ++ return 0;
1928 ++
1929 ++ /*
1930 ++ * Any given ldt_struct should have map_ldt_struct() called at most
1931 ++ * once.
1932 ++ */
1933 ++ WARN_ON(ldt->slot != -1);
1934 ++
1935 ++ /*
1936 ++ * Did we already have the top level entry allocated? We can't
1937 ++ * use pgd_none() for this because it doens't do anything on
1938 ++ * 4-level page table kernels.
1939 ++ */
1940 ++ pgd = pgd_offset(mm, LDT_BASE_ADDR);
1941 ++ had_top_level_entry = (pgd->pgd != 0);
1942 ++
1943 ++ is_vmalloc = is_vmalloc_addr(ldt->entries);
1944 ++
1945 ++ for (i = 0; i * PAGE_SIZE < ldt->nr_entries * LDT_ENTRY_SIZE; i++) {
1946 ++ unsigned long offset = i << PAGE_SHIFT;
1947 ++ const void *src = (char *)ldt->entries + offset;
1948 ++ unsigned long pfn;
1949 ++ pte_t pte, *ptep;
1950 ++
1951 ++ va = (unsigned long)ldt_slot_va(slot) + offset;
1952 ++ pfn = is_vmalloc ? vmalloc_to_pfn(src) :
1953 ++ page_to_pfn(virt_to_page(src));
1954 ++ /*
1955 ++ * Treat the PTI LDT range as a *userspace* range.
1956 ++ * get_locked_pte() will allocate all needed pagetables
1957 ++ * and account for them in this mm.
1958 ++ */
1959 ++ ptep = get_locked_pte(mm, va, &ptl);
1960 ++ if (!ptep)
1961 ++ return -ENOMEM;
1962 ++ /*
1963 ++ * Map it RO so the easy to find address is not a primary
1964 ++ * target via some kernel interface which misses a
1965 ++ * permission check.
1966 ++ */
1967 ++ pte = pfn_pte(pfn, __pgprot(__PAGE_KERNEL_RO & ~_PAGE_GLOBAL));
1968 ++ set_pte_at(mm, va, ptep, pte);
1969 ++ pte_unmap_unlock(ptep, ptl);
1970 ++ }
1971 ++
1972 ++ if (mm->context.ldt) {
1973 ++ /*
1974 ++ * We already had an LDT. The top-level entry should already
1975 ++ * have been allocated and synchronized with the usermode
1976 ++ * tables.
1977 ++ */
1978 ++ WARN_ON(!had_top_level_entry);
1979 ++ if (static_cpu_has(X86_FEATURE_PTI))
1980 ++ WARN_ON(!kernel_to_user_pgdp(pgd)->pgd);
1981 ++ } else {
1982 ++ /*
1983 ++ * This is the first time we're mapping an LDT for this process.
1984 ++ * Sync the pgd to the usermode tables.
1985 ++ */
1986 ++ WARN_ON(had_top_level_entry);
1987 ++ if (static_cpu_has(X86_FEATURE_PTI)) {
1988 ++ WARN_ON(kernel_to_user_pgdp(pgd)->pgd);
1989 ++ set_pgd(kernel_to_user_pgdp(pgd), *pgd);
1990 ++ }
1991 ++ }
1992 ++
1993 ++ va = (unsigned long)ldt_slot_va(slot);
1994 ++ flush_tlb_mm_range(mm, va, va + LDT_SLOT_STRIDE, 0);
1995 ++
1996 ++ ldt->slot = slot;
1997 ++#endif
1998 ++ return 0;
1999 ++}
2000 ++
2001 ++static void free_ldt_pgtables(struct mm_struct *mm)
2002 ++{
2003 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
2004 ++ struct mmu_gather tlb;
2005 ++ unsigned long start = LDT_BASE_ADDR;
2006 ++ unsigned long end = start + (1UL << PGDIR_SHIFT);
2007 ++
2008 ++ if (!static_cpu_has(X86_FEATURE_PTI))
2009 ++ return;
2010 ++
2011 ++ tlb_gather_mmu(&tlb, mm, start, end);
2012 ++ free_pgd_range(&tlb, start, end, start, end);
2013 ++ tlb_finish_mmu(&tlb, start, end);
2014 ++#endif
2015 ++}
2016 ++
2017 + /* After calling this, the LDT is immutable. */
2018 + static void finalize_ldt_struct(struct ldt_struct *ldt)
2019 + {
2020 +@@ -156,6 +271,12 @@ int ldt_dup_context(struct mm_struct *old_mm, struct mm_struct *mm)
2021 + new_ldt->nr_entries * LDT_ENTRY_SIZE);
2022 + finalize_ldt_struct(new_ldt);
2023 +
2024 ++ retval = map_ldt_struct(mm, new_ldt, 0);
2025 ++ if (retval) {
2026 ++ free_ldt_pgtables(mm);
2027 ++ free_ldt_struct(new_ldt);
2028 ++ goto out_unlock;
2029 ++ }
2030 + mm->context.ldt = new_ldt;
2031 +
2032 + out_unlock:
2033 +@@ -174,6 +295,11 @@ void destroy_context_ldt(struct mm_struct *mm)
2034 + mm->context.ldt = NULL;
2035 + }
2036 +
2037 ++void ldt_arch_exit_mmap(struct mm_struct *mm)
2038 ++{
2039 ++ free_ldt_pgtables(mm);
2040 ++}
2041 ++
2042 + static int read_ldt(void __user *ptr, unsigned long bytecount)
2043 + {
2044 + struct mm_struct *mm = current->mm;
2045 +@@ -287,6 +413,25 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
2046 + new_ldt->entries[ldt_info.entry_number] = ldt;
2047 + finalize_ldt_struct(new_ldt);
2048 +
2049 ++ /*
2050 ++ * If we are using PTI, map the new LDT into the userspace pagetables.
2051 ++ * If there is already an LDT, use the other slot so that other CPUs
2052 ++ * will continue to use the old LDT until install_ldt() switches
2053 ++ * them over to the new LDT.
2054 ++ */
2055 ++ error = map_ldt_struct(mm, new_ldt, old_ldt ? !old_ldt->slot : 0);
2056 ++ if (error) {
2057 ++ /*
2058 ++ * This only can fail for the first LDT setup. If an LDT is
2059 ++ * already installed then the PTE page is already
2060 ++ * populated. Mop up a half populated page table.
2061 ++ */
2062 ++ if (!WARN_ON_ONCE(old_ldt))
2063 ++ free_ldt_pgtables(mm);
2064 ++ free_ldt_struct(new_ldt);
2065 ++ goto out_unlock;
2066 ++ }
2067 ++
2068 + install_ldt(mm, new_ldt);
2069 + free_ldt_struct(old_ldt);
2070 + error = 0;
2071 +diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
2072 +index 00bc751c861c..edfede768688 100644
2073 +--- a/arch/x86/kernel/machine_kexec_32.c
2074 ++++ b/arch/x86/kernel/machine_kexec_32.c
2075 +@@ -48,8 +48,6 @@ static void load_segments(void)
2076 + "\tmovl $"STR(__KERNEL_DS)",%%eax\n"
2077 + "\tmovl %%eax,%%ds\n"
2078 + "\tmovl %%eax,%%es\n"
2079 +- "\tmovl %%eax,%%fs\n"
2080 +- "\tmovl %%eax,%%gs\n"
2081 + "\tmovl %%eax,%%ss\n"
2082 + : : : "eax", "memory");
2083 + #undef STR
2084 +@@ -232,8 +230,8 @@ void machine_kexec(struct kimage *image)
2085 + * The gdt & idt are now invalid.
2086 + * If you want to load them you must set up your own idt & gdt.
2087 + */
2088 +- set_gdt(phys_to_virt(0), 0);
2089 + idt_invalidate(phys_to_virt(0));
2090 ++ set_gdt(phys_to_virt(0), 0);
2091 +
2092 + /* now call it */
2093 + image->start = relocate_kernel_ptr((unsigned long)image->head,
2094 +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
2095 +index 12bf07d44dfe..2651ca2112c4 100644
2096 +--- a/arch/x86/kernel/smpboot.c
2097 ++++ b/arch/x86/kernel/smpboot.c
2098 +@@ -128,25 +128,16 @@ static inline void smpboot_setup_warm_reset_vector(unsigned long start_eip)
2099 + spin_lock_irqsave(&rtc_lock, flags);
2100 + CMOS_WRITE(0xa, 0xf);
2101 + spin_unlock_irqrestore(&rtc_lock, flags);
2102 +- local_flush_tlb();
2103 +- pr_debug("1.\n");
2104 + *((volatile unsigned short *)phys_to_virt(TRAMPOLINE_PHYS_HIGH)) =
2105 + start_eip >> 4;
2106 +- pr_debug("2.\n");
2107 + *((volatile unsigned short *)phys_to_virt(TRAMPOLINE_PHYS_LOW)) =
2108 + start_eip & 0xf;
2109 +- pr_debug("3.\n");
2110 + }
2111 +
2112 + static inline void smpboot_restore_warm_reset_vector(void)
2113 + {
2114 + unsigned long flags;
2115 +
2116 +- /*
2117 +- * Install writable page 0 entry to set BIOS data area.
2118 +- */
2119 +- local_flush_tlb();
2120 +-
2121 + /*
2122 + * Paranoid: Set warm reset code and vector here back
2123 + * to default values.
2124 +diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
2125 +index 9a9c9b076955..a5b802a12212 100644
2126 +--- a/arch/x86/kernel/tls.c
2127 ++++ b/arch/x86/kernel/tls.c
2128 +@@ -93,17 +93,10 @@ static void set_tls_desc(struct task_struct *p, int idx,
2129 + cpu = get_cpu();
2130 +
2131 + while (n-- > 0) {
2132 +- if (LDT_empty(info) || LDT_zero(info)) {
2133 ++ if (LDT_empty(info) || LDT_zero(info))
2134 + memset(desc, 0, sizeof(*desc));
2135 +- } else {
2136 ++ else
2137 + fill_ldt(desc, info);
2138 +-
2139 +- /*
2140 +- * Always set the accessed bit so that the CPU
2141 +- * doesn't try to write to the (read-only) GDT.
2142 +- */
2143 +- desc->type |= 1;
2144 +- }
2145 + ++info;
2146 + ++desc;
2147 + }
2148 +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
2149 +index 7c16fe0b60c2..b33e860d32fe 100644
2150 +--- a/arch/x86/kernel/traps.c
2151 ++++ b/arch/x86/kernel/traps.c
2152 +@@ -361,7 +361,7 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
2153 + *
2154 + * No need for ist_enter here because we don't use RCU.
2155 + */
2156 +- if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY &&
2157 ++ if (((long)regs->sp >> P4D_SHIFT) == ESPFIX_PGD_ENTRY &&
2158 + regs->cs == __KERNEL_CS &&
2159 + regs->ip == (unsigned long)native_irq_return_iret)
2160 + {
2161 +diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
2162 +index d2a8b5a24a44..1e413a9326aa 100644
2163 +--- a/arch/x86/kernel/vmlinux.lds.S
2164 ++++ b/arch/x86/kernel/vmlinux.lds.S
2165 +@@ -61,11 +61,17 @@ jiffies_64 = jiffies;
2166 + . = ALIGN(HPAGE_SIZE); \
2167 + __end_rodata_hpage_align = .;
2168 +
2169 ++#define ALIGN_ENTRY_TEXT_BEGIN . = ALIGN(PMD_SIZE);
2170 ++#define ALIGN_ENTRY_TEXT_END . = ALIGN(PMD_SIZE);
2171 ++
2172 + #else
2173 +
2174 + #define X64_ALIGN_RODATA_BEGIN
2175 + #define X64_ALIGN_RODATA_END
2176 +
2177 ++#define ALIGN_ENTRY_TEXT_BEGIN
2178 ++#define ALIGN_ENTRY_TEXT_END
2179 ++
2180 + #endif
2181 +
2182 + PHDRS {
2183 +@@ -102,8 +108,10 @@ SECTIONS
2184 + CPUIDLE_TEXT
2185 + LOCK_TEXT
2186 + KPROBES_TEXT
2187 ++ ALIGN_ENTRY_TEXT_BEGIN
2188 + ENTRY_TEXT
2189 + IRQENTRY_TEXT
2190 ++ ALIGN_ENTRY_TEXT_END
2191 + SOFTIRQENTRY_TEXT
2192 + *(.fixup)
2193 + *(.gnu.warning)
2194 +diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
2195 +index 2e0017af8f9b..52906808e277 100644
2196 +--- a/arch/x86/mm/Makefile
2197 ++++ b/arch/x86/mm/Makefile
2198 +@@ -43,9 +43,10 @@ obj-$(CONFIG_AMD_NUMA) += amdtopology.o
2199 + obj-$(CONFIG_ACPI_NUMA) += srat.o
2200 + obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
2201 +
2202 +-obj-$(CONFIG_X86_INTEL_MPX) += mpx.o
2203 +-obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o
2204 +-obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o
2205 ++obj-$(CONFIG_X86_INTEL_MPX) += mpx.o
2206 ++obj-$(CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS) += pkeys.o
2207 ++obj-$(CONFIG_RANDOMIZE_MEMORY) += kaslr.o
2208 ++obj-$(CONFIG_PAGE_TABLE_ISOLATION) += pti.o
2209 +
2210 + obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt.o
2211 + obj-$(CONFIG_AMD_MEM_ENCRYPT) += mem_encrypt_boot.o
2212 +diff --git a/arch/x86/mm/cpu_entry_area.c b/arch/x86/mm/cpu_entry_area.c
2213 +index fe814fd5e014..b9283cc27622 100644
2214 +--- a/arch/x86/mm/cpu_entry_area.c
2215 ++++ b/arch/x86/mm/cpu_entry_area.c
2216 +@@ -38,6 +38,32 @@ cea_map_percpu_pages(void *cea_vaddr, void *ptr, int pages, pgprot_t prot)
2217 + cea_set_pte(cea_vaddr, per_cpu_ptr_to_phys(ptr), prot);
2218 + }
2219 +
2220 ++static void percpu_setup_debug_store(int cpu)
2221 ++{
2222 ++#ifdef CONFIG_CPU_SUP_INTEL
2223 ++ int npages;
2224 ++ void *cea;
2225 ++
2226 ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
2227 ++ return;
2228 ++
2229 ++ cea = &get_cpu_entry_area(cpu)->cpu_debug_store;
2230 ++ npages = sizeof(struct debug_store) / PAGE_SIZE;
2231 ++ BUILD_BUG_ON(sizeof(struct debug_store) % PAGE_SIZE != 0);
2232 ++ cea_map_percpu_pages(cea, &per_cpu(cpu_debug_store, cpu), npages,
2233 ++ PAGE_KERNEL);
2234 ++
2235 ++ cea = &get_cpu_entry_area(cpu)->cpu_debug_buffers;
2236 ++ /*
2237 ++ * Force the population of PMDs for not yet allocated per cpu
2238 ++ * memory like debug store buffers.
2239 ++ */
2240 ++ npages = sizeof(struct debug_store_buffers) / PAGE_SIZE;
2241 ++ for (; npages; npages--, cea += PAGE_SIZE)
2242 ++ cea_set_pte(cea, 0, PAGE_NONE);
2243 ++#endif
2244 ++}
2245 ++
2246 + /* Setup the fixmap mappings only once per-processor */
2247 + static void __init setup_cpu_entry_area(int cpu)
2248 + {
2249 +@@ -109,6 +135,7 @@ static void __init setup_cpu_entry_area(int cpu)
2250 + cea_set_pte(&get_cpu_entry_area(cpu)->entry_trampoline,
2251 + __pa_symbol(_entry_trampoline), PAGE_KERNEL_RX);
2252 + #endif
2253 ++ percpu_setup_debug_store(cpu);
2254 + }
2255 +
2256 + static __init void setup_cpu_entry_area_ptes(void)
2257 +diff --git a/arch/x86/mm/debug_pagetables.c b/arch/x86/mm/debug_pagetables.c
2258 +index bfcffdf6c577..421f2664ffa0 100644
2259 +--- a/arch/x86/mm/debug_pagetables.c
2260 ++++ b/arch/x86/mm/debug_pagetables.c
2261 +@@ -5,7 +5,7 @@
2262 +
2263 + static int ptdump_show(struct seq_file *m, void *v)
2264 + {
2265 +- ptdump_walk_pgd_level(m, NULL);
2266 ++ ptdump_walk_pgd_level_debugfs(m, NULL, false);
2267 + return 0;
2268 + }
2269 +
2270 +@@ -22,21 +22,89 @@ static const struct file_operations ptdump_fops = {
2271 + .release = single_release,
2272 + };
2273 +
2274 +-static struct dentry *pe;
2275 ++static int ptdump_show_curknl(struct seq_file *m, void *v)
2276 ++{
2277 ++ if (current->mm->pgd) {
2278 ++ down_read(&current->mm->mmap_sem);
2279 ++ ptdump_walk_pgd_level_debugfs(m, current->mm->pgd, false);
2280 ++ up_read(&current->mm->mmap_sem);
2281 ++ }
2282 ++ return 0;
2283 ++}
2284 ++
2285 ++static int ptdump_open_curknl(struct inode *inode, struct file *filp)
2286 ++{
2287 ++ return single_open(filp, ptdump_show_curknl, NULL);
2288 ++}
2289 ++
2290 ++static const struct file_operations ptdump_curknl_fops = {
2291 ++ .owner = THIS_MODULE,
2292 ++ .open = ptdump_open_curknl,
2293 ++ .read = seq_read,
2294 ++ .llseek = seq_lseek,
2295 ++ .release = single_release,
2296 ++};
2297 ++
2298 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
2299 ++static struct dentry *pe_curusr;
2300 ++
2301 ++static int ptdump_show_curusr(struct seq_file *m, void *v)
2302 ++{
2303 ++ if (current->mm->pgd) {
2304 ++ down_read(&current->mm->mmap_sem);
2305 ++ ptdump_walk_pgd_level_debugfs(m, current->mm->pgd, true);
2306 ++ up_read(&current->mm->mmap_sem);
2307 ++ }
2308 ++ return 0;
2309 ++}
2310 ++
2311 ++static int ptdump_open_curusr(struct inode *inode, struct file *filp)
2312 ++{
2313 ++ return single_open(filp, ptdump_show_curusr, NULL);
2314 ++}
2315 ++
2316 ++static const struct file_operations ptdump_curusr_fops = {
2317 ++ .owner = THIS_MODULE,
2318 ++ .open = ptdump_open_curusr,
2319 ++ .read = seq_read,
2320 ++ .llseek = seq_lseek,
2321 ++ .release = single_release,
2322 ++};
2323 ++#endif
2324 ++
2325 ++static struct dentry *dir, *pe_knl, *pe_curknl;
2326 +
2327 + static int __init pt_dump_debug_init(void)
2328 + {
2329 +- pe = debugfs_create_file("kernel_page_tables", S_IRUSR, NULL, NULL,
2330 +- &ptdump_fops);
2331 +- if (!pe)
2332 ++ dir = debugfs_create_dir("page_tables", NULL);
2333 ++ if (!dir)
2334 + return -ENOMEM;
2335 +
2336 ++ pe_knl = debugfs_create_file("kernel", 0400, dir, NULL,
2337 ++ &ptdump_fops);
2338 ++ if (!pe_knl)
2339 ++ goto err;
2340 ++
2341 ++ pe_curknl = debugfs_create_file("current_kernel", 0400,
2342 ++ dir, NULL, &ptdump_curknl_fops);
2343 ++ if (!pe_curknl)
2344 ++ goto err;
2345 ++
2346 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
2347 ++ pe_curusr = debugfs_create_file("current_user", 0400,
2348 ++ dir, NULL, &ptdump_curusr_fops);
2349 ++ if (!pe_curusr)
2350 ++ goto err;
2351 ++#endif
2352 + return 0;
2353 ++err:
2354 ++ debugfs_remove_recursive(dir);
2355 ++ return -ENOMEM;
2356 + }
2357 +
2358 + static void __exit pt_dump_debug_exit(void)
2359 + {
2360 +- debugfs_remove_recursive(pe);
2361 ++ debugfs_remove_recursive(dir);
2362 + }
2363 +
2364 + module_init(pt_dump_debug_init);
2365 +diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c
2366 +index 43dedbfb7257..f56902c1f04b 100644
2367 +--- a/arch/x86/mm/dump_pagetables.c
2368 ++++ b/arch/x86/mm/dump_pagetables.c
2369 +@@ -52,11 +52,17 @@ enum address_markers_idx {
2370 + USER_SPACE_NR = 0,
2371 + KERNEL_SPACE_NR,
2372 + LOW_KERNEL_NR,
2373 ++#if defined(CONFIG_MODIFY_LDT_SYSCALL) && defined(CONFIG_X86_5LEVEL)
2374 ++ LDT_NR,
2375 ++#endif
2376 + VMALLOC_START_NR,
2377 + VMEMMAP_START_NR,
2378 + #ifdef CONFIG_KASAN
2379 + KASAN_SHADOW_START_NR,
2380 + KASAN_SHADOW_END_NR,
2381 ++#endif
2382 ++#if defined(CONFIG_MODIFY_LDT_SYSCALL) && !defined(CONFIG_X86_5LEVEL)
2383 ++ LDT_NR,
2384 + #endif
2385 + CPU_ENTRY_AREA_NR,
2386 + #ifdef CONFIG_X86_ESPFIX64
2387 +@@ -81,6 +87,9 @@ static struct addr_marker address_markers[] = {
2388 + #ifdef CONFIG_KASAN
2389 + [KASAN_SHADOW_START_NR] = { KASAN_SHADOW_START, "KASAN shadow" },
2390 + [KASAN_SHADOW_END_NR] = { KASAN_SHADOW_END, "KASAN shadow end" },
2391 ++#endif
2392 ++#ifdef CONFIG_MODIFY_LDT_SYSCALL
2393 ++ [LDT_NR] = { LDT_BASE_ADDR, "LDT remap" },
2394 + #endif
2395 + [CPU_ENTRY_AREA_NR] = { CPU_ENTRY_AREA_BASE,"CPU entry Area" },
2396 + #ifdef CONFIG_X86_ESPFIX64
2397 +@@ -467,7 +476,7 @@ static inline bool is_hypervisor_range(int idx)
2398 + }
2399 +
2400 + static void ptdump_walk_pgd_level_core(struct seq_file *m, pgd_t *pgd,
2401 +- bool checkwx)
2402 ++ bool checkwx, bool dmesg)
2403 + {
2404 + #ifdef CONFIG_X86_64
2405 + pgd_t *start = (pgd_t *) &init_top_pgt;
2406 +@@ -480,7 +489,7 @@ static void ptdump_walk_pgd_level_core(struct seq_file *m, pgd_t *pgd,
2407 +
2408 + if (pgd) {
2409 + start = pgd;
2410 +- st.to_dmesg = true;
2411 ++ st.to_dmesg = dmesg;
2412 + }
2413 +
2414 + st.check_wx = checkwx;
2415 +@@ -518,13 +527,37 @@ static void ptdump_walk_pgd_level_core(struct seq_file *m, pgd_t *pgd,
2416 +
2417 + void ptdump_walk_pgd_level(struct seq_file *m, pgd_t *pgd)
2418 + {
2419 +- ptdump_walk_pgd_level_core(m, pgd, false);
2420 ++ ptdump_walk_pgd_level_core(m, pgd, false, true);
2421 ++}
2422 ++
2423 ++void ptdump_walk_pgd_level_debugfs(struct seq_file *m, pgd_t *pgd, bool user)
2424 ++{
2425 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
2426 ++ if (user && static_cpu_has(X86_FEATURE_PTI))
2427 ++ pgd = kernel_to_user_pgdp(pgd);
2428 ++#endif
2429 ++ ptdump_walk_pgd_level_core(m, pgd, false, false);
2430 ++}
2431 ++EXPORT_SYMBOL_GPL(ptdump_walk_pgd_level_debugfs);
2432 ++
2433 ++static void ptdump_walk_user_pgd_level_checkwx(void)
2434 ++{
2435 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
2436 ++ pgd_t *pgd = (pgd_t *) &init_top_pgt;
2437 ++
2438 ++ if (!static_cpu_has(X86_FEATURE_PTI))
2439 ++ return;
2440 ++
2441 ++ pr_info("x86/mm: Checking user space page tables\n");
2442 ++ pgd = kernel_to_user_pgdp(pgd);
2443 ++ ptdump_walk_pgd_level_core(NULL, pgd, true, false);
2444 ++#endif
2445 + }
2446 +-EXPORT_SYMBOL_GPL(ptdump_walk_pgd_level);
2447 +
2448 + void ptdump_walk_pgd_level_checkwx(void)
2449 + {
2450 +- ptdump_walk_pgd_level_core(NULL, NULL, true);
2451 ++ ptdump_walk_pgd_level_core(NULL, NULL, true, false);
2452 ++ ptdump_walk_user_pgd_level_checkwx();
2453 + }
2454 +
2455 + static int __init pt_dump_init(void)
2456 +diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
2457 +index a22c2b95e513..80259ad8c386 100644
2458 +--- a/arch/x86/mm/init.c
2459 ++++ b/arch/x86/mm/init.c
2460 +@@ -20,6 +20,7 @@
2461 + #include <asm/kaslr.h>
2462 + #include <asm/hypervisor.h>
2463 + #include <asm/cpufeature.h>
2464 ++#include <asm/pti.h>
2465 +
2466 + /*
2467 + * We need to define the tracepoints somewhere, and tlb.c
2468 +@@ -161,6 +162,12 @@ struct map_range {
2469 +
2470 + static int page_size_mask;
2471 +
2472 ++static void enable_global_pages(void)
2473 ++{
2474 ++ if (!static_cpu_has(X86_FEATURE_PTI))
2475 ++ __supported_pte_mask |= _PAGE_GLOBAL;
2476 ++}
2477 ++
2478 + static void __init probe_page_size_mask(void)
2479 + {
2480 + /*
2481 +@@ -179,11 +186,11 @@ static void __init probe_page_size_mask(void)
2482 + cr4_set_bits_and_update_boot(X86_CR4_PSE);
2483 +
2484 + /* Enable PGE if available */
2485 ++ __supported_pte_mask &= ~_PAGE_GLOBAL;
2486 + if (boot_cpu_has(X86_FEATURE_PGE)) {
2487 + cr4_set_bits_and_update_boot(X86_CR4_PGE);
2488 +- __supported_pte_mask |= _PAGE_GLOBAL;
2489 +- } else
2490 +- __supported_pte_mask &= ~_PAGE_GLOBAL;
2491 ++ enable_global_pages();
2492 ++ }
2493 +
2494 + /* Enable 1 GB linear kernel mappings if available: */
2495 + if (direct_gbpages && boot_cpu_has(X86_FEATURE_GBPAGES)) {
2496 +@@ -196,34 +203,44 @@ static void __init probe_page_size_mask(void)
2497 +
2498 + static void setup_pcid(void)
2499 + {
2500 +-#ifdef CONFIG_X86_64
2501 +- if (boot_cpu_has(X86_FEATURE_PCID)) {
2502 +- if (boot_cpu_has(X86_FEATURE_PGE)) {
2503 +- /*
2504 +- * This can't be cr4_set_bits_and_update_boot() --
2505 +- * the trampoline code can't handle CR4.PCIDE and
2506 +- * it wouldn't do any good anyway. Despite the name,
2507 +- * cr4_set_bits_and_update_boot() doesn't actually
2508 +- * cause the bits in question to remain set all the
2509 +- * way through the secondary boot asm.
2510 +- *
2511 +- * Instead, we brute-force it and set CR4.PCIDE
2512 +- * manually in start_secondary().
2513 +- */
2514 +- cr4_set_bits(X86_CR4_PCIDE);
2515 +- } else {
2516 +- /*
2517 +- * flush_tlb_all(), as currently implemented, won't
2518 +- * work if PCID is on but PGE is not. Since that
2519 +- * combination doesn't exist on real hardware, there's
2520 +- * no reason to try to fully support it, but it's
2521 +- * polite to avoid corrupting data if we're on
2522 +- * an improperly configured VM.
2523 +- */
2524 +- setup_clear_cpu_cap(X86_FEATURE_PCID);
2525 +- }
2526 ++ if (!IS_ENABLED(CONFIG_X86_64))
2527 ++ return;
2528 ++
2529 ++ if (!boot_cpu_has(X86_FEATURE_PCID))
2530 ++ return;
2531 ++
2532 ++ if (boot_cpu_has(X86_FEATURE_PGE)) {
2533 ++ /*
2534 ++ * This can't be cr4_set_bits_and_update_boot() -- the
2535 ++ * trampoline code can't handle CR4.PCIDE and it wouldn't
2536 ++ * do any good anyway. Despite the name,
2537 ++ * cr4_set_bits_and_update_boot() doesn't actually cause
2538 ++ * the bits in question to remain set all the way through
2539 ++ * the secondary boot asm.
2540 ++ *
2541 ++ * Instead, we brute-force it and set CR4.PCIDE manually in
2542 ++ * start_secondary().
2543 ++ */
2544 ++ cr4_set_bits(X86_CR4_PCIDE);
2545 ++
2546 ++ /*
2547 ++ * INVPCID's single-context modes (2/3) only work if we set
2548 ++ * X86_CR4_PCIDE, *and* we INVPCID support. It's unusable
2549 ++ * on systems that have X86_CR4_PCIDE clear, or that have
2550 ++ * no INVPCID support at all.
2551 ++ */
2552 ++ if (boot_cpu_has(X86_FEATURE_INVPCID))
2553 ++ setup_force_cpu_cap(X86_FEATURE_INVPCID_SINGLE);
2554 ++ } else {
2555 ++ /*
2556 ++ * flush_tlb_all(), as currently implemented, won't work if
2557 ++ * PCID is on but PGE is not. Since that combination
2558 ++ * doesn't exist on real hardware, there's no reason to try
2559 ++ * to fully support it, but it's polite to avoid corrupting
2560 ++ * data if we're on an improperly configured VM.
2561 ++ */
2562 ++ setup_clear_cpu_cap(X86_FEATURE_PCID);
2563 + }
2564 +-#endif
2565 + }
2566 +
2567 + #ifdef CONFIG_X86_32
2568 +@@ -624,6 +641,7 @@ void __init init_mem_mapping(void)
2569 + {
2570 + unsigned long end;
2571 +
2572 ++ pti_check_boottime_disable();
2573 + probe_page_size_mask();
2574 + setup_pcid();
2575 +
2576 +@@ -847,7 +865,7 @@ void __init zone_sizes_init(void)
2577 + free_area_init_nodes(max_zone_pfns);
2578 + }
2579 +
2580 +-DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate) = {
2581 ++__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate) = {
2582 + .loaded_mm = &init_mm,
2583 + .next_asid = 1,
2584 + .cr4 = ~0UL, /* fail hard if we screw up cr4 shadow initialization */
2585 +diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
2586 +index 17ebc5a978cc..9b7bcbd33cc2 100644
2587 +--- a/arch/x86/mm/pgtable.c
2588 ++++ b/arch/x86/mm/pgtable.c
2589 +@@ -355,14 +355,15 @@ static inline void _pgd_free(pgd_t *pgd)
2590 + kmem_cache_free(pgd_cache, pgd);
2591 + }
2592 + #else
2593 ++
2594 + static inline pgd_t *_pgd_alloc(void)
2595 + {
2596 +- return (pgd_t *)__get_free_page(PGALLOC_GFP);
2597 ++ return (pgd_t *)__get_free_pages(PGALLOC_GFP, PGD_ALLOCATION_ORDER);
2598 + }
2599 +
2600 + static inline void _pgd_free(pgd_t *pgd)
2601 + {
2602 +- free_page((unsigned long)pgd);
2603 ++ free_pages((unsigned long)pgd, PGD_ALLOCATION_ORDER);
2604 + }
2605 + #endif /* CONFIG_X86_PAE */
2606 +
2607 +diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
2608 +new file mode 100644
2609 +index 000000000000..bce8aea65606
2610 +--- /dev/null
2611 ++++ b/arch/x86/mm/pti.c
2612 +@@ -0,0 +1,387 @@
2613 ++/*
2614 ++ * Copyright(c) 2017 Intel Corporation. All rights reserved.
2615 ++ *
2616 ++ * This program is free software; you can redistribute it and/or modify
2617 ++ * it under the terms of version 2 of the GNU General Public License as
2618 ++ * published by the Free Software Foundation.
2619 ++ *
2620 ++ * This program is distributed in the hope that it will be useful, but
2621 ++ * WITHOUT ANY WARRANTY; without even the implied warranty of
2622 ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
2623 ++ * General Public License for more details.
2624 ++ *
2625 ++ * This code is based in part on work published here:
2626 ++ *
2627 ++ * https://github.com/IAIK/KAISER
2628 ++ *
2629 ++ * The original work was written by and and signed off by for the Linux
2630 ++ * kernel by:
2631 ++ *
2632 ++ * Signed-off-by: Richard Fellner <richard.fellner@××××××××××××××.at>
2633 ++ * Signed-off-by: Moritz Lipp <moritz.lipp@×××××××××××.at>
2634 ++ * Signed-off-by: Daniel Gruss <daniel.gruss@×××××××××××.at>
2635 ++ * Signed-off-by: Michael Schwarz <michael.schwarz@×××××××××××.at>
2636 ++ *
2637 ++ * Major changes to the original code by: Dave Hansen <dave.hansen@×××××.com>
2638 ++ * Mostly rewritten by Thomas Gleixner <tglx@××××××××××.de> and
2639 ++ * Andy Lutomirsky <luto@××××××××××.net>
2640 ++ */
2641 ++#include <linux/kernel.h>
2642 ++#include <linux/errno.h>
2643 ++#include <linux/string.h>
2644 ++#include <linux/types.h>
2645 ++#include <linux/bug.h>
2646 ++#include <linux/init.h>
2647 ++#include <linux/spinlock.h>
2648 ++#include <linux/mm.h>
2649 ++#include <linux/uaccess.h>
2650 ++
2651 ++#include <asm/cpufeature.h>
2652 ++#include <asm/hypervisor.h>
2653 ++#include <asm/vsyscall.h>
2654 ++#include <asm/cmdline.h>
2655 ++#include <asm/pti.h>
2656 ++#include <asm/pgtable.h>
2657 ++#include <asm/pgalloc.h>
2658 ++#include <asm/tlbflush.h>
2659 ++#include <asm/desc.h>
2660 ++
2661 ++#undef pr_fmt
2662 ++#define pr_fmt(fmt) "Kernel/User page tables isolation: " fmt
2663 ++
2664 ++/* Backporting helper */
2665 ++#ifndef __GFP_NOTRACK
2666 ++#define __GFP_NOTRACK 0
2667 ++#endif
2668 ++
2669 ++static void __init pti_print_if_insecure(const char *reason)
2670 ++{
2671 ++ if (boot_cpu_has_bug(X86_BUG_CPU_INSECURE))
2672 ++ pr_info("%s\n", reason);
2673 ++}
2674 ++
2675 ++static void __init pti_print_if_secure(const char *reason)
2676 ++{
2677 ++ if (!boot_cpu_has_bug(X86_BUG_CPU_INSECURE))
2678 ++ pr_info("%s\n", reason);
2679 ++}
2680 ++
2681 ++void __init pti_check_boottime_disable(void)
2682 ++{
2683 ++ char arg[5];
2684 ++ int ret;
2685 ++
2686 ++ if (hypervisor_is_type(X86_HYPER_XEN_PV)) {
2687 ++ pti_print_if_insecure("disabled on XEN PV.");
2688 ++ return;
2689 ++ }
2690 ++
2691 ++ ret = cmdline_find_option(boot_command_line, "pti", arg, sizeof(arg));
2692 ++ if (ret > 0) {
2693 ++ if (ret == 3 && !strncmp(arg, "off", 3)) {
2694 ++ pti_print_if_insecure("disabled on command line.");
2695 ++ return;
2696 ++ }
2697 ++ if (ret == 2 && !strncmp(arg, "on", 2)) {
2698 ++ pti_print_if_secure("force enabled on command line.");
2699 ++ goto enable;
2700 ++ }
2701 ++ if (ret == 4 && !strncmp(arg, "auto", 4))
2702 ++ goto autosel;
2703 ++ }
2704 ++
2705 ++ if (cmdline_find_option_bool(boot_command_line, "nopti")) {
2706 ++ pti_print_if_insecure("disabled on command line.");
2707 ++ return;
2708 ++ }
2709 ++
2710 ++autosel:
2711 ++ if (!boot_cpu_has_bug(X86_BUG_CPU_INSECURE))
2712 ++ return;
2713 ++enable:
2714 ++ setup_force_cpu_cap(X86_FEATURE_PTI);
2715 ++}
2716 ++
2717 ++pgd_t __pti_set_user_pgd(pgd_t *pgdp, pgd_t pgd)
2718 ++{
2719 ++ /*
2720 ++ * Changes to the high (kernel) portion of the kernelmode page
2721 ++ * tables are not automatically propagated to the usermode tables.
2722 ++ *
2723 ++ * Users should keep in mind that, unlike the kernelmode tables,
2724 ++ * there is no vmalloc_fault equivalent for the usermode tables.
2725 ++ * Top-level entries added to init_mm's usermode pgd after boot
2726 ++ * will not be automatically propagated to other mms.
2727 ++ */
2728 ++ if (!pgdp_maps_userspace(pgdp))
2729 ++ return pgd;
2730 ++
2731 ++ /*
2732 ++ * The user page tables get the full PGD, accessible from
2733 ++ * userspace:
2734 ++ */
2735 ++ kernel_to_user_pgdp(pgdp)->pgd = pgd.pgd;
2736 ++
2737 ++ /*
2738 ++ * If this is normal user memory, make it NX in the kernel
2739 ++ * pagetables so that, if we somehow screw up and return to
2740 ++ * usermode with the kernel CR3 loaded, we'll get a page fault
2741 ++ * instead of allowing user code to execute with the wrong CR3.
2742 ++ *
2743 ++ * As exceptions, we don't set NX if:
2744 ++ * - _PAGE_USER is not set. This could be an executable
2745 ++ * EFI runtime mapping or something similar, and the kernel
2746 ++ * may execute from it
2747 ++ * - we don't have NX support
2748 ++ * - we're clearing the PGD (i.e. the new pgd is not present).
2749 ++ */
2750 ++ if ((pgd.pgd & (_PAGE_USER|_PAGE_PRESENT)) == (_PAGE_USER|_PAGE_PRESENT) &&
2751 ++ (__supported_pte_mask & _PAGE_NX))
2752 ++ pgd.pgd |= _PAGE_NX;
2753 ++
2754 ++ /* return the copy of the PGD we want the kernel to use: */
2755 ++ return pgd;
2756 ++}
2757 ++
2758 ++/*
2759 ++ * Walk the user copy of the page tables (optionally) trying to allocate
2760 ++ * page table pages on the way down.
2761 ++ *
2762 ++ * Returns a pointer to a P4D on success, or NULL on failure.
2763 ++ */
2764 ++static p4d_t *pti_user_pagetable_walk_p4d(unsigned long address)
2765 ++{
2766 ++ pgd_t *pgd = kernel_to_user_pgdp(pgd_offset_k(address));
2767 ++ gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
2768 ++
2769 ++ if (address < PAGE_OFFSET) {
2770 ++ WARN_ONCE(1, "attempt to walk user address\n");
2771 ++ return NULL;
2772 ++ }
2773 ++
2774 ++ if (pgd_none(*pgd)) {
2775 ++ unsigned long new_p4d_page = __get_free_page(gfp);
2776 ++ if (!new_p4d_page)
2777 ++ return NULL;
2778 ++
2779 ++ if (pgd_none(*pgd)) {
2780 ++ set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(new_p4d_page)));
2781 ++ new_p4d_page = 0;
2782 ++ }
2783 ++ if (new_p4d_page)
2784 ++ free_page(new_p4d_page);
2785 ++ }
2786 ++ BUILD_BUG_ON(pgd_large(*pgd) != 0);
2787 ++
2788 ++ return p4d_offset(pgd, address);
2789 ++}
2790 ++
2791 ++/*
2792 ++ * Walk the user copy of the page tables (optionally) trying to allocate
2793 ++ * page table pages on the way down.
2794 ++ *
2795 ++ * Returns a pointer to a PMD on success, or NULL on failure.
2796 ++ */
2797 ++static pmd_t *pti_user_pagetable_walk_pmd(unsigned long address)
2798 ++{
2799 ++ gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
2800 ++ p4d_t *p4d = pti_user_pagetable_walk_p4d(address);
2801 ++ pud_t *pud;
2802 ++
2803 ++ BUILD_BUG_ON(p4d_large(*p4d) != 0);
2804 ++ if (p4d_none(*p4d)) {
2805 ++ unsigned long new_pud_page = __get_free_page(gfp);
2806 ++ if (!new_pud_page)
2807 ++ return NULL;
2808 ++
2809 ++ if (p4d_none(*p4d)) {
2810 ++ set_p4d(p4d, __p4d(_KERNPG_TABLE | __pa(new_pud_page)));
2811 ++ new_pud_page = 0;
2812 ++ }
2813 ++ if (new_pud_page)
2814 ++ free_page(new_pud_page);
2815 ++ }
2816 ++
2817 ++ pud = pud_offset(p4d, address);
2818 ++ /* The user page tables do not use large mappings: */
2819 ++ if (pud_large(*pud)) {
2820 ++ WARN_ON(1);
2821 ++ return NULL;
2822 ++ }
2823 ++ if (pud_none(*pud)) {
2824 ++ unsigned long new_pmd_page = __get_free_page(gfp);
2825 ++ if (!new_pmd_page)
2826 ++ return NULL;
2827 ++
2828 ++ if (pud_none(*pud)) {
2829 ++ set_pud(pud, __pud(_KERNPG_TABLE | __pa(new_pmd_page)));
2830 ++ new_pmd_page = 0;
2831 ++ }
2832 ++ if (new_pmd_page)
2833 ++ free_page(new_pmd_page);
2834 ++ }
2835 ++
2836 ++ return pmd_offset(pud, address);
2837 ++}
2838 ++
2839 ++#ifdef CONFIG_X86_VSYSCALL_EMULATION
2840 ++/*
2841 ++ * Walk the shadow copy of the page tables (optionally) trying to allocate
2842 ++ * page table pages on the way down. Does not support large pages.
2843 ++ *
2844 ++ * Note: this is only used when mapping *new* kernel data into the
2845 ++ * user/shadow page tables. It is never used for userspace data.
2846 ++ *
2847 ++ * Returns a pointer to a PTE on success, or NULL on failure.
2848 ++ */
2849 ++static __init pte_t *pti_user_pagetable_walk_pte(unsigned long address)
2850 ++{
2851 ++ gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
2852 ++ pmd_t *pmd = pti_user_pagetable_walk_pmd(address);
2853 ++ pte_t *pte;
2854 ++
2855 ++ /* We can't do anything sensible if we hit a large mapping. */
2856 ++ if (pmd_large(*pmd)) {
2857 ++ WARN_ON(1);
2858 ++ return NULL;
2859 ++ }
2860 ++
2861 ++ if (pmd_none(*pmd)) {
2862 ++ unsigned long new_pte_page = __get_free_page(gfp);
2863 ++ if (!new_pte_page)
2864 ++ return NULL;
2865 ++
2866 ++ if (pmd_none(*pmd)) {
2867 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(new_pte_page)));
2868 ++ new_pte_page = 0;
2869 ++ }
2870 ++ if (new_pte_page)
2871 ++ free_page(new_pte_page);
2872 ++ }
2873 ++
2874 ++ pte = pte_offset_kernel(pmd, address);
2875 ++ if (pte_flags(*pte) & _PAGE_USER) {
2876 ++ WARN_ONCE(1, "attempt to walk to user pte\n");
2877 ++ return NULL;
2878 ++ }
2879 ++ return pte;
2880 ++}
2881 ++
2882 ++static void __init pti_setup_vsyscall(void)
2883 ++{
2884 ++ pte_t *pte, *target_pte;
2885 ++ unsigned int level;
2886 ++
2887 ++ pte = lookup_address(VSYSCALL_ADDR, &level);
2888 ++ if (!pte || WARN_ON(level != PG_LEVEL_4K) || pte_none(*pte))
2889 ++ return;
2890 ++
2891 ++ target_pte = pti_user_pagetable_walk_pte(VSYSCALL_ADDR);
2892 ++ if (WARN_ON(!target_pte))
2893 ++ return;
2894 ++
2895 ++ *target_pte = *pte;
2896 ++ set_vsyscall_pgtable_user_bits(kernel_to_user_pgdp(swapper_pg_dir));
2897 ++}
2898 ++#else
2899 ++static void __init pti_setup_vsyscall(void) { }
2900 ++#endif
2901 ++
2902 ++static void __init
2903 ++pti_clone_pmds(unsigned long start, unsigned long end, pmdval_t clear)
2904 ++{
2905 ++ unsigned long addr;
2906 ++
2907 ++ /*
2908 ++ * Clone the populated PMDs which cover start to end. These PMD areas
2909 ++ * can have holes.
2910 ++ */
2911 ++ for (addr = start; addr < end; addr += PMD_SIZE) {
2912 ++ pmd_t *pmd, *target_pmd;
2913 ++ pgd_t *pgd;
2914 ++ p4d_t *p4d;
2915 ++ pud_t *pud;
2916 ++
2917 ++ pgd = pgd_offset_k(addr);
2918 ++ if (WARN_ON(pgd_none(*pgd)))
2919 ++ return;
2920 ++ p4d = p4d_offset(pgd, addr);
2921 ++ if (WARN_ON(p4d_none(*p4d)))
2922 ++ return;
2923 ++ pud = pud_offset(p4d, addr);
2924 ++ if (pud_none(*pud))
2925 ++ continue;
2926 ++ pmd = pmd_offset(pud, addr);
2927 ++ if (pmd_none(*pmd))
2928 ++ continue;
2929 ++
2930 ++ target_pmd = pti_user_pagetable_walk_pmd(addr);
2931 ++ if (WARN_ON(!target_pmd))
2932 ++ return;
2933 ++
2934 ++ /*
2935 ++ * Copy the PMD. That is, the kernelmode and usermode
2936 ++ * tables will share the last-level page tables of this
2937 ++ * address range
2938 ++ */
2939 ++ *target_pmd = pmd_clear_flags(*pmd, clear);
2940 ++ }
2941 ++}
2942 ++
2943 ++/*
2944 ++ * Clone a single p4d (i.e. a top-level entry on 4-level systems and a
2945 ++ * next-level entry on 5-level systems.
2946 ++ */
2947 ++static void __init pti_clone_p4d(unsigned long addr)
2948 ++{
2949 ++ p4d_t *kernel_p4d, *user_p4d;
2950 ++ pgd_t *kernel_pgd;
2951 ++
2952 ++ user_p4d = pti_user_pagetable_walk_p4d(addr);
2953 ++ kernel_pgd = pgd_offset_k(addr);
2954 ++ kernel_p4d = p4d_offset(kernel_pgd, addr);
2955 ++ *user_p4d = *kernel_p4d;
2956 ++}
2957 ++
2958 ++/*
2959 ++ * Clone the CPU_ENTRY_AREA into the user space visible page table.
2960 ++ */
2961 ++static void __init pti_clone_user_shared(void)
2962 ++{
2963 ++ pti_clone_p4d(CPU_ENTRY_AREA_BASE);
2964 ++}
2965 ++
2966 ++/*
2967 ++ * Clone the ESPFIX P4D into the user space visinble page table
2968 ++ */
2969 ++static void __init pti_setup_espfix64(void)
2970 ++{
2971 ++#ifdef CONFIG_X86_ESPFIX64
2972 ++ pti_clone_p4d(ESPFIX_BASE_ADDR);
2973 ++#endif
2974 ++}
2975 ++
2976 ++/*
2977 ++ * Clone the populated PMDs of the entry and irqentry text and force it RO.
2978 ++ */
2979 ++static void __init pti_clone_entry_text(void)
2980 ++{
2981 ++ pti_clone_pmds((unsigned long) __entry_text_start,
2982 ++ (unsigned long) __irqentry_text_end, _PAGE_RW);
2983 ++}
2984 ++
2985 ++/*
2986 ++ * Initialize kernel page table isolation
2987 ++ */
2988 ++void __init pti_init(void)
2989 ++{
2990 ++ if (!static_cpu_has(X86_FEATURE_PTI))
2991 ++ return;
2992 ++
2993 ++ pr_info("enabled\n");
2994 ++
2995 ++ pti_clone_user_shared();
2996 ++ pti_clone_entry_text();
2997 ++ pti_setup_espfix64();
2998 ++ pti_setup_vsyscall();
2999 ++}
3000 +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
3001 +index 0a1be3adc97e..a1561957dccb 100644
3002 +--- a/arch/x86/mm/tlb.c
3003 ++++ b/arch/x86/mm/tlb.c
3004 +@@ -28,6 +28,38 @@
3005 + * Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
3006 + */
3007 +
3008 ++/*
3009 ++ * We get here when we do something requiring a TLB invalidation
3010 ++ * but could not go invalidate all of the contexts. We do the
3011 ++ * necessary invalidation by clearing out the 'ctx_id' which
3012 ++ * forces a TLB flush when the context is loaded.
3013 ++ */
3014 ++void clear_asid_other(void)
3015 ++{
3016 ++ u16 asid;
3017 ++
3018 ++ /*
3019 ++ * This is only expected to be set if we have disabled
3020 ++ * kernel _PAGE_GLOBAL pages.
3021 ++ */
3022 ++ if (!static_cpu_has(X86_FEATURE_PTI)) {
3023 ++ WARN_ON_ONCE(1);
3024 ++ return;
3025 ++ }
3026 ++
3027 ++ for (asid = 0; asid < TLB_NR_DYN_ASIDS; asid++) {
3028 ++ /* Do not need to flush the current asid */
3029 ++ if (asid == this_cpu_read(cpu_tlbstate.loaded_mm_asid))
3030 ++ continue;
3031 ++ /*
3032 ++ * Make sure the next time we go to switch to
3033 ++ * this asid, we do a flush:
3034 ++ */
3035 ++ this_cpu_write(cpu_tlbstate.ctxs[asid].ctx_id, 0);
3036 ++ }
3037 ++ this_cpu_write(cpu_tlbstate.invalidate_other, false);
3038 ++}
3039 ++
3040 + atomic64_t last_mm_ctx_id = ATOMIC64_INIT(1);
3041 +
3042 +
3043 +@@ -42,6 +74,9 @@ static void choose_new_asid(struct mm_struct *next, u64 next_tlb_gen,
3044 + return;
3045 + }
3046 +
3047 ++ if (this_cpu_read(cpu_tlbstate.invalidate_other))
3048 ++ clear_asid_other();
3049 ++
3050 + for (asid = 0; asid < TLB_NR_DYN_ASIDS; asid++) {
3051 + if (this_cpu_read(cpu_tlbstate.ctxs[asid].ctx_id) !=
3052 + next->context.ctx_id)
3053 +@@ -65,6 +100,25 @@ static void choose_new_asid(struct mm_struct *next, u64 next_tlb_gen,
3054 + *need_flush = true;
3055 + }
3056 +
3057 ++static void load_new_mm_cr3(pgd_t *pgdir, u16 new_asid, bool need_flush)
3058 ++{
3059 ++ unsigned long new_mm_cr3;
3060 ++
3061 ++ if (need_flush) {
3062 ++ invalidate_user_asid(new_asid);
3063 ++ new_mm_cr3 = build_cr3(pgdir, new_asid);
3064 ++ } else {
3065 ++ new_mm_cr3 = build_cr3_noflush(pgdir, new_asid);
3066 ++ }
3067 ++
3068 ++ /*
3069 ++ * Caution: many callers of this function expect
3070 ++ * that load_cr3() is serializing and orders TLB
3071 ++ * fills with respect to the mm_cpumask writes.
3072 ++ */
3073 ++ write_cr3(new_mm_cr3);
3074 ++}
3075 ++
3076 + void leave_mm(int cpu)
3077 + {
3078 + struct mm_struct *loaded_mm = this_cpu_read(cpu_tlbstate.loaded_mm);
3079 +@@ -195,7 +249,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
3080 + if (need_flush) {
3081 + this_cpu_write(cpu_tlbstate.ctxs[new_asid].ctx_id, next->context.ctx_id);
3082 + this_cpu_write(cpu_tlbstate.ctxs[new_asid].tlb_gen, next_tlb_gen);
3083 +- write_cr3(build_cr3(next->pgd, new_asid));
3084 ++ load_new_mm_cr3(next->pgd, new_asid, true);
3085 +
3086 + /*
3087 + * NB: This gets called via leave_mm() in the idle path
3088 +@@ -208,7 +262,7 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
3089 + trace_tlb_flush_rcuidle(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
3090 + } else {
3091 + /* The new ASID is already up to date. */
3092 +- write_cr3(build_cr3_noflush(next->pgd, new_asid));
3093 ++ load_new_mm_cr3(next->pgd, new_asid, false);
3094 +
3095 + /* See above wrt _rcuidle. */
3096 + trace_tlb_flush_rcuidle(TLB_FLUSH_ON_TASK_SWITCH, 0);
3097 +diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
3098 +index 20fb31579b69..39c4b35ac7a4 100644
3099 +--- a/arch/x86/platform/efi/efi_64.c
3100 ++++ b/arch/x86/platform/efi/efi_64.c
3101 +@@ -195,6 +195,9 @@ static pgd_t *efi_pgd;
3102 + * because we want to avoid inserting EFI region mappings (EFI_VA_END
3103 + * to EFI_VA_START) into the standard kernel page tables. Everything
3104 + * else can be shared, see efi_sync_low_kernel_mappings().
3105 ++ *
3106 ++ * We don't want the pgd on the pgd_list and cannot use pgd_alloc() for the
3107 ++ * allocation.
3108 + */
3109 + int __init efi_alloc_page_tables(void)
3110 + {
3111 +@@ -207,7 +210,7 @@ int __init efi_alloc_page_tables(void)
3112 + return 0;
3113 +
3114 + gfp_mask = GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO;
3115 +- efi_pgd = (pgd_t *)__get_free_page(gfp_mask);
3116 ++ efi_pgd = (pgd_t *)__get_free_pages(gfp_mask, PGD_ALLOCATION_ORDER);
3117 + if (!efi_pgd)
3118 + return -ENOMEM;
3119 +
3120 +diff --git a/block/blk-map.c b/block/blk-map.c
3121 +index d5251edcc0dd..368daa02714e 100644
3122 +--- a/block/blk-map.c
3123 ++++ b/block/blk-map.c
3124 +@@ -12,22 +12,29 @@
3125 + #include "blk.h"
3126 +
3127 + /*
3128 +- * Append a bio to a passthrough request. Only works can be merged into
3129 +- * the request based on the driver constraints.
3130 ++ * Append a bio to a passthrough request. Only works if the bio can be merged
3131 ++ * into the request based on the driver constraints.
3132 + */
3133 +-int blk_rq_append_bio(struct request *rq, struct bio *bio)
3134 ++int blk_rq_append_bio(struct request *rq, struct bio **bio)
3135 + {
3136 +- blk_queue_bounce(rq->q, &bio);
3137 ++ struct bio *orig_bio = *bio;
3138 ++
3139 ++ blk_queue_bounce(rq->q, bio);
3140 +
3141 + if (!rq->bio) {
3142 +- blk_rq_bio_prep(rq->q, rq, bio);
3143 ++ blk_rq_bio_prep(rq->q, rq, *bio);
3144 + } else {
3145 +- if (!ll_back_merge_fn(rq->q, rq, bio))
3146 ++ if (!ll_back_merge_fn(rq->q, rq, *bio)) {
3147 ++ if (orig_bio != *bio) {
3148 ++ bio_put(*bio);
3149 ++ *bio = orig_bio;
3150 ++ }
3151 + return -EINVAL;
3152 ++ }
3153 +
3154 +- rq->biotail->bi_next = bio;
3155 +- rq->biotail = bio;
3156 +- rq->__data_len += bio->bi_iter.bi_size;
3157 ++ rq->biotail->bi_next = *bio;
3158 ++ rq->biotail = *bio;
3159 ++ rq->__data_len += (*bio)->bi_iter.bi_size;
3160 + }
3161 +
3162 + return 0;
3163 +@@ -80,14 +87,12 @@ static int __blk_rq_map_user_iov(struct request *rq,
3164 + * We link the bounce buffer in and could have to traverse it
3165 + * later so we have to get a ref to prevent it from being freed
3166 + */
3167 +- ret = blk_rq_append_bio(rq, bio);
3168 +- bio_get(bio);
3169 ++ ret = blk_rq_append_bio(rq, &bio);
3170 + if (ret) {
3171 +- bio_endio(bio);
3172 + __blk_rq_unmap_user(orig_bio);
3173 +- bio_put(bio);
3174 + return ret;
3175 + }
3176 ++ bio_get(bio);
3177 +
3178 + return 0;
3179 + }
3180 +@@ -220,7 +225,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
3181 + int reading = rq_data_dir(rq) == READ;
3182 + unsigned long addr = (unsigned long) kbuf;
3183 + int do_copy = 0;
3184 +- struct bio *bio;
3185 ++ struct bio *bio, *orig_bio;
3186 + int ret;
3187 +
3188 + if (len > (queue_max_hw_sectors(q) << 9))
3189 +@@ -243,10 +248,11 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
3190 + if (do_copy)
3191 + rq->rq_flags |= RQF_COPY_USER;
3192 +
3193 +- ret = blk_rq_append_bio(rq, bio);
3194 ++ orig_bio = bio;
3195 ++ ret = blk_rq_append_bio(rq, &bio);
3196 + if (unlikely(ret)) {
3197 + /* request is too big */
3198 +- bio_put(bio);
3199 ++ bio_put(orig_bio);
3200 + return ret;
3201 + }
3202 +
3203 +diff --git a/block/bounce.c b/block/bounce.c
3204 +index fceb1a96480b..1d05c422c932 100644
3205 +--- a/block/bounce.c
3206 ++++ b/block/bounce.c
3207 +@@ -200,6 +200,7 @@ static void __blk_queue_bounce(struct request_queue *q, struct bio **bio_orig,
3208 + unsigned i = 0;
3209 + bool bounce = false;
3210 + int sectors = 0;
3211 ++ bool passthrough = bio_is_passthrough(*bio_orig);
3212 +
3213 + bio_for_each_segment(from, *bio_orig, iter) {
3214 + if (i++ < BIO_MAX_PAGES)
3215 +@@ -210,13 +211,14 @@ static void __blk_queue_bounce(struct request_queue *q, struct bio **bio_orig,
3216 + if (!bounce)
3217 + return;
3218 +
3219 +- if (sectors < bio_sectors(*bio_orig)) {
3220 ++ if (!passthrough && sectors < bio_sectors(*bio_orig)) {
3221 + bio = bio_split(*bio_orig, sectors, GFP_NOIO, bounce_bio_split);
3222 + bio_chain(bio, *bio_orig);
3223 + generic_make_request(*bio_orig);
3224 + *bio_orig = bio;
3225 + }
3226 +- bio = bio_clone_bioset(*bio_orig, GFP_NOIO, bounce_bio_set);
3227 ++ bio = bio_clone_bioset(*bio_orig, GFP_NOIO, passthrough ? NULL :
3228 ++ bounce_bio_set);
3229 +
3230 + bio_for_each_segment_all(to, bio, i) {
3231 + struct page *page = to->bv_page;
3232 +diff --git a/drivers/android/binder.c b/drivers/android/binder.c
3233 +index 88b4bbe58100..a340766b51fe 100644
3234 +--- a/drivers/android/binder.c
3235 ++++ b/drivers/android/binder.c
3236 +@@ -482,7 +482,8 @@ enum binder_deferred_state {
3237 + * @tsk task_struct for group_leader of process
3238 + * (invariant after initialized)
3239 + * @files files_struct for process
3240 +- * (invariant after initialized)
3241 ++ * (protected by @files_lock)
3242 ++ * @files_lock mutex to protect @files
3243 + * @deferred_work_node: element for binder_deferred_list
3244 + * (protected by binder_deferred_lock)
3245 + * @deferred_work: bitmap of deferred work to perform
3246 +@@ -530,6 +531,7 @@ struct binder_proc {
3247 + int pid;
3248 + struct task_struct *tsk;
3249 + struct files_struct *files;
3250 ++ struct mutex files_lock;
3251 + struct hlist_node deferred_work_node;
3252 + int deferred_work;
3253 + bool is_dead;
3254 +@@ -877,20 +879,26 @@ static void binder_inc_node_tmpref_ilocked(struct binder_node *node);
3255 +
3256 + static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
3257 + {
3258 +- struct files_struct *files = proc->files;
3259 + unsigned long rlim_cur;
3260 + unsigned long irqs;
3261 ++ int ret;
3262 +
3263 +- if (files == NULL)
3264 +- return -ESRCH;
3265 +-
3266 +- if (!lock_task_sighand(proc->tsk, &irqs))
3267 +- return -EMFILE;
3268 +-
3269 ++ mutex_lock(&proc->files_lock);
3270 ++ if (proc->files == NULL) {
3271 ++ ret = -ESRCH;
3272 ++ goto err;
3273 ++ }
3274 ++ if (!lock_task_sighand(proc->tsk, &irqs)) {
3275 ++ ret = -EMFILE;
3276 ++ goto err;
3277 ++ }
3278 + rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE);
3279 + unlock_task_sighand(proc->tsk, &irqs);
3280 +
3281 +- return __alloc_fd(files, 0, rlim_cur, flags);
3282 ++ ret = __alloc_fd(proc->files, 0, rlim_cur, flags);
3283 ++err:
3284 ++ mutex_unlock(&proc->files_lock);
3285 ++ return ret;
3286 + }
3287 +
3288 + /*
3289 +@@ -899,8 +907,10 @@ static int task_get_unused_fd_flags(struct binder_proc *proc, int flags)
3290 + static void task_fd_install(
3291 + struct binder_proc *proc, unsigned int fd, struct file *file)
3292 + {
3293 ++ mutex_lock(&proc->files_lock);
3294 + if (proc->files)
3295 + __fd_install(proc->files, fd, file);
3296 ++ mutex_unlock(&proc->files_lock);
3297 + }
3298 +
3299 + /*
3300 +@@ -910,9 +920,11 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
3301 + {
3302 + int retval;
3303 +
3304 +- if (proc->files == NULL)
3305 +- return -ESRCH;
3306 +-
3307 ++ mutex_lock(&proc->files_lock);
3308 ++ if (proc->files == NULL) {
3309 ++ retval = -ESRCH;
3310 ++ goto err;
3311 ++ }
3312 + retval = __close_fd(proc->files, fd);
3313 + /* can't restart close syscall because file table entry was cleared */
3314 + if (unlikely(retval == -ERESTARTSYS ||
3315 +@@ -920,7 +932,8 @@ static long task_close_fd(struct binder_proc *proc, unsigned int fd)
3316 + retval == -ERESTARTNOHAND ||
3317 + retval == -ERESTART_RESTARTBLOCK))
3318 + retval = -EINTR;
3319 +-
3320 ++err:
3321 ++ mutex_unlock(&proc->files_lock);
3322 + return retval;
3323 + }
3324 +
3325 +@@ -4627,7 +4640,9 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma)
3326 + ret = binder_alloc_mmap_handler(&proc->alloc, vma);
3327 + if (ret)
3328 + return ret;
3329 ++ mutex_lock(&proc->files_lock);
3330 + proc->files = get_files_struct(current);
3331 ++ mutex_unlock(&proc->files_lock);
3332 + return 0;
3333 +
3334 + err_bad_arg:
3335 +@@ -4651,6 +4666,7 @@ static int binder_open(struct inode *nodp, struct file *filp)
3336 + spin_lock_init(&proc->outer_lock);
3337 + get_task_struct(current->group_leader);
3338 + proc->tsk = current->group_leader;
3339 ++ mutex_init(&proc->files_lock);
3340 + INIT_LIST_HEAD(&proc->todo);
3341 + proc->default_priority = task_nice(current);
3342 + binder_dev = container_of(filp->private_data, struct binder_device,
3343 +@@ -4903,9 +4919,11 @@ static void binder_deferred_func(struct work_struct *work)
3344 +
3345 + files = NULL;
3346 + if (defer & BINDER_DEFERRED_PUT_FILES) {
3347 ++ mutex_lock(&proc->files_lock);
3348 + files = proc->files;
3349 + if (files)
3350 + proc->files = NULL;
3351 ++ mutex_unlock(&proc->files_lock);
3352 + }
3353 +
3354 + if (defer & BINDER_DEFERRED_FLUSH)
3355 +diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c
3356 +index eb3af2739537..07532d83be0b 100644
3357 +--- a/drivers/base/cacheinfo.c
3358 ++++ b/drivers/base/cacheinfo.c
3359 +@@ -186,6 +186,11 @@ static void cache_associativity(struct cacheinfo *this_leaf)
3360 + this_leaf->ways_of_associativity = (size / nr_sets) / line_size;
3361 + }
3362 +
3363 ++static bool cache_node_is_unified(struct cacheinfo *this_leaf)
3364 ++{
3365 ++ return of_property_read_bool(this_leaf->of_node, "cache-unified");
3366 ++}
3367 ++
3368 + static void cache_of_override_properties(unsigned int cpu)
3369 + {
3370 + int index;
3371 +@@ -194,6 +199,14 @@ static void cache_of_override_properties(unsigned int cpu)
3372 +
3373 + for (index = 0; index < cache_leaves(cpu); index++) {
3374 + this_leaf = this_cpu_ci->info_list + index;
3375 ++ /*
3376 ++ * init_cache_level must setup the cache level correctly
3377 ++ * overriding the architecturally specified levels, so
3378 ++ * if type is NONE at this stage, it should be unified
3379 ++ */
3380 ++ if (this_leaf->type == CACHE_TYPE_NOCACHE &&
3381 ++ cache_node_is_unified(this_leaf))
3382 ++ this_leaf->type = CACHE_TYPE_UNIFIED;
3383 + cache_size(this_leaf);
3384 + cache_get_line_size(this_leaf);
3385 + cache_nr_sets(this_leaf);
3386 +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
3387 +index eb4528c87c0b..d6f3d9ee1350 100644
3388 +--- a/drivers/gpio/gpiolib-acpi.c
3389 ++++ b/drivers/gpio/gpiolib-acpi.c
3390 +@@ -1074,7 +1074,7 @@ void acpi_gpiochip_add(struct gpio_chip *chip)
3391 + }
3392 +
3393 + if (!chip->names)
3394 +- devprop_gpiochip_set_names(chip);
3395 ++ devprop_gpiochip_set_names(chip, dev_fwnode(chip->parent));
3396 +
3397 + acpi_gpiochip_request_regions(acpi_gpio);
3398 + acpi_gpiochip_scan_gpios(acpi_gpio);
3399 +diff --git a/drivers/gpio/gpiolib-devprop.c b/drivers/gpio/gpiolib-devprop.c
3400 +index 27f383bda7d9..f748aa3e77f7 100644
3401 +--- a/drivers/gpio/gpiolib-devprop.c
3402 ++++ b/drivers/gpio/gpiolib-devprop.c
3403 +@@ -19,30 +19,27 @@
3404 + /**
3405 + * devprop_gpiochip_set_names - Set GPIO line names using device properties
3406 + * @chip: GPIO chip whose lines should be named, if possible
3407 ++ * @fwnode: Property Node containing the gpio-line-names property
3408 + *
3409 + * Looks for device property "gpio-line-names" and if it exists assigns
3410 + * GPIO line names for the chip. The memory allocated for the assigned
3411 + * names belong to the underlying firmware node and should not be released
3412 + * by the caller.
3413 + */
3414 +-void devprop_gpiochip_set_names(struct gpio_chip *chip)
3415 ++void devprop_gpiochip_set_names(struct gpio_chip *chip,
3416 ++ const struct fwnode_handle *fwnode)
3417 + {
3418 + struct gpio_device *gdev = chip->gpiodev;
3419 + const char **names;
3420 + int ret, i;
3421 +
3422 +- if (!chip->parent) {
3423 +- dev_warn(&gdev->dev, "GPIO chip parent is NULL\n");
3424 +- return;
3425 +- }
3426 +-
3427 +- ret = device_property_read_string_array(chip->parent, "gpio-line-names",
3428 ++ ret = fwnode_property_read_string_array(fwnode, "gpio-line-names",
3429 + NULL, 0);
3430 + if (ret < 0)
3431 + return;
3432 +
3433 + if (ret != gdev->ngpio) {
3434 +- dev_warn(chip->parent,
3435 ++ dev_warn(&gdev->dev,
3436 + "names %d do not match number of GPIOs %d\n", ret,
3437 + gdev->ngpio);
3438 + return;
3439 +@@ -52,10 +49,10 @@ void devprop_gpiochip_set_names(struct gpio_chip *chip)
3440 + if (!names)
3441 + return;
3442 +
3443 +- ret = device_property_read_string_array(chip->parent, "gpio-line-names",
3444 ++ ret = fwnode_property_read_string_array(fwnode, "gpio-line-names",
3445 + names, gdev->ngpio);
3446 + if (ret < 0) {
3447 +- dev_warn(chip->parent, "failed to read GPIO line names\n");
3448 ++ dev_warn(&gdev->dev, "failed to read GPIO line names\n");
3449 + kfree(names);
3450 + return;
3451 + }
3452 +diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
3453 +index bfcd20699ec8..ba38f530e403 100644
3454 +--- a/drivers/gpio/gpiolib-of.c
3455 ++++ b/drivers/gpio/gpiolib-of.c
3456 +@@ -493,7 +493,8 @@ int of_gpiochip_add(struct gpio_chip *chip)
3457 +
3458 + /* If the chip defines names itself, these take precedence */
3459 + if (!chip->names)
3460 +- devprop_gpiochip_set_names(chip);
3461 ++ devprop_gpiochip_set_names(chip,
3462 ++ of_fwnode_handle(chip->of_node));
3463 +
3464 + of_node_get(chip->of_node);
3465 +
3466 +diff --git a/drivers/gpio/gpiolib.h b/drivers/gpio/gpiolib.h
3467 +index d003ccb12781..3d4d0634c9dd 100644
3468 +--- a/drivers/gpio/gpiolib.h
3469 ++++ b/drivers/gpio/gpiolib.h
3470 +@@ -224,7 +224,8 @@ static inline int gpio_chip_hwgpio(const struct gpio_desc *desc)
3471 + return desc - &desc->gdev->descs[0];
3472 + }
3473 +
3474 +-void devprop_gpiochip_set_names(struct gpio_chip *chip);
3475 ++void devprop_gpiochip_set_names(struct gpio_chip *chip,
3476 ++ const struct fwnode_handle *fwnode);
3477 +
3478 + /* With descriptor prefix */
3479 +
3480 +diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c
3481 +index feafdb961c48..59b2f96d986a 100644
3482 +--- a/drivers/infiniband/core/security.c
3483 ++++ b/drivers/infiniband/core/security.c
3484 +@@ -386,6 +386,9 @@ int ib_open_shared_qp_security(struct ib_qp *qp, struct ib_device *dev)
3485 + if (ret)
3486 + return ret;
3487 +
3488 ++ if (!qp->qp_sec)
3489 ++ return 0;
3490 ++
3491 + mutex_lock(&real_qp->qp_sec->mutex);
3492 + ret = check_qp_port_pkey_settings(real_qp->qp_sec->ports_pkeys,
3493 + qp->qp_sec);
3494 +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
3495 +index d8f540054392..93c1a57dbff1 100644
3496 +--- a/drivers/infiniband/core/uverbs_cmd.c
3497 ++++ b/drivers/infiniband/core/uverbs_cmd.c
3498 +@@ -2085,8 +2085,8 @@ int ib_uverbs_ex_modify_qp(struct ib_uverbs_file *file,
3499 + return -EOPNOTSUPP;
3500 +
3501 + if (ucore->inlen > sizeof(cmd)) {
3502 +- if (ib_is_udata_cleared(ucore, sizeof(cmd),
3503 +- ucore->inlen - sizeof(cmd)))
3504 ++ if (!ib_is_udata_cleared(ucore, sizeof(cmd),
3505 ++ ucore->inlen - sizeof(cmd)))
3506 + return -EOPNOTSUPP;
3507 + }
3508 +
3509 +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
3510 +index de57d6c11a25..9032f77cc38d 100644
3511 +--- a/drivers/infiniband/core/verbs.c
3512 ++++ b/drivers/infiniband/core/verbs.c
3513 +@@ -1400,7 +1400,8 @@ int ib_close_qp(struct ib_qp *qp)
3514 + spin_unlock_irqrestore(&real_qp->device->event_handler_lock, flags);
3515 +
3516 + atomic_dec(&real_qp->usecnt);
3517 +- ib_close_shared_qp_security(qp->qp_sec);
3518 ++ if (qp->qp_sec)
3519 ++ ib_close_shared_qp_security(qp->qp_sec);
3520 + kfree(qp);
3521 +
3522 + return 0;
3523 +diff --git a/drivers/infiniband/hw/cxgb4/cq.c b/drivers/infiniband/hw/cxgb4/cq.c
3524 +index eae8ea81c6e2..514c1000ded1 100644
3525 +--- a/drivers/infiniband/hw/cxgb4/cq.c
3526 ++++ b/drivers/infiniband/hw/cxgb4/cq.c
3527 +@@ -586,10 +586,10 @@ static int poll_cq(struct t4_wq *wq, struct t4_cq *cq, struct t4_cqe *cqe,
3528 + ret = -EAGAIN;
3529 + goto skip_cqe;
3530 + }
3531 +- if (unlikely((CQE_WRID_MSN(hw_cqe) != (wq->rq.msn)))) {
3532 ++ if (unlikely(!CQE_STATUS(hw_cqe) &&
3533 ++ CQE_WRID_MSN(hw_cqe) != wq->rq.msn)) {
3534 + t4_set_wq_in_error(wq);
3535 +- hw_cqe->header |= htonl(CQE_STATUS_V(T4_ERR_MSN));
3536 +- goto proc_cqe;
3537 ++ hw_cqe->header |= cpu_to_be32(CQE_STATUS_V(T4_ERR_MSN));
3538 + }
3539 + goto proc_cqe;
3540 + }
3541 +diff --git a/drivers/infiniband/hw/hfi1/hfi.h b/drivers/infiniband/hw/hfi1/hfi.h
3542 +index 6ff44dc606eb..3409eee16092 100644
3543 +--- a/drivers/infiniband/hw/hfi1/hfi.h
3544 ++++ b/drivers/infiniband/hw/hfi1/hfi.h
3545 +@@ -1129,7 +1129,6 @@ struct hfi1_devdata {
3546 + u16 pcie_lnkctl;
3547 + u16 pcie_devctl2;
3548 + u32 pci_msix0;
3549 +- u32 pci_lnkctl3;
3550 + u32 pci_tph2;
3551 +
3552 + /*
3553 +diff --git a/drivers/infiniband/hw/hfi1/pcie.c b/drivers/infiniband/hw/hfi1/pcie.c
3554 +index 09e50fd2a08f..8c7e7a60b715 100644
3555 +--- a/drivers/infiniband/hw/hfi1/pcie.c
3556 ++++ b/drivers/infiniband/hw/hfi1/pcie.c
3557 +@@ -411,15 +411,12 @@ int restore_pci_variables(struct hfi1_devdata *dd)
3558 + if (ret)
3559 + goto error;
3560 +
3561 +- ret = pci_write_config_dword(dd->pcidev, PCIE_CFG_SPCIE1,
3562 +- dd->pci_lnkctl3);
3563 +- if (ret)
3564 +- goto error;
3565 +-
3566 +- ret = pci_write_config_dword(dd->pcidev, PCIE_CFG_TPH2, dd->pci_tph2);
3567 +- if (ret)
3568 +- goto error;
3569 +-
3570 ++ if (pci_find_ext_capability(dd->pcidev, PCI_EXT_CAP_ID_TPH)) {
3571 ++ ret = pci_write_config_dword(dd->pcidev, PCIE_CFG_TPH2,
3572 ++ dd->pci_tph2);
3573 ++ if (ret)
3574 ++ goto error;
3575 ++ }
3576 + return 0;
3577 +
3578 + error:
3579 +@@ -469,15 +466,12 @@ int save_pci_variables(struct hfi1_devdata *dd)
3580 + if (ret)
3581 + goto error;
3582 +
3583 +- ret = pci_read_config_dword(dd->pcidev, PCIE_CFG_SPCIE1,
3584 +- &dd->pci_lnkctl3);
3585 +- if (ret)
3586 +- goto error;
3587 +-
3588 +- ret = pci_read_config_dword(dd->pcidev, PCIE_CFG_TPH2, &dd->pci_tph2);
3589 +- if (ret)
3590 +- goto error;
3591 +-
3592 ++ if (pci_find_ext_capability(dd->pcidev, PCI_EXT_CAP_ID_TPH)) {
3593 ++ ret = pci_read_config_dword(dd->pcidev, PCIE_CFG_TPH2,
3594 ++ &dd->pci_tph2);
3595 ++ if (ret)
3596 ++ goto error;
3597 ++ }
3598 + return 0;
3599 +
3600 + error:
3601 +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
3602 +index 5aff1e33d984..30d479f87cb8 100644
3603 +--- a/drivers/infiniband/hw/mlx5/main.c
3604 ++++ b/drivers/infiniband/hw/mlx5/main.c
3605 +@@ -1415,6 +1415,7 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
3606 + }
3607 +
3608 + INIT_LIST_HEAD(&context->vma_private_list);
3609 ++ mutex_init(&context->vma_private_list_mutex);
3610 + INIT_LIST_HEAD(&context->db_page_list);
3611 + mutex_init(&context->db_page_mutex);
3612 +
3613 +@@ -1576,7 +1577,9 @@ static void mlx5_ib_vma_close(struct vm_area_struct *area)
3614 + * mlx5_ib_disassociate_ucontext().
3615 + */
3616 + mlx5_ib_vma_priv_data->vma = NULL;
3617 ++ mutex_lock(mlx5_ib_vma_priv_data->vma_private_list_mutex);
3618 + list_del(&mlx5_ib_vma_priv_data->list);
3619 ++ mutex_unlock(mlx5_ib_vma_priv_data->vma_private_list_mutex);
3620 + kfree(mlx5_ib_vma_priv_data);
3621 + }
3622 +
3623 +@@ -1596,10 +1599,13 @@ static int mlx5_ib_set_vma_data(struct vm_area_struct *vma,
3624 + return -ENOMEM;
3625 +
3626 + vma_prv->vma = vma;
3627 ++ vma_prv->vma_private_list_mutex = &ctx->vma_private_list_mutex;
3628 + vma->vm_private_data = vma_prv;
3629 + vma->vm_ops = &mlx5_ib_vm_ops;
3630 +
3631 ++ mutex_lock(&ctx->vma_private_list_mutex);
3632 + list_add(&vma_prv->list, vma_head);
3633 ++ mutex_unlock(&ctx->vma_private_list_mutex);
3634 +
3635 + return 0;
3636 + }
3637 +@@ -1642,6 +1648,7 @@ static void mlx5_ib_disassociate_ucontext(struct ib_ucontext *ibcontext)
3638 + * mlx5_ib_vma_close.
3639 + */
3640 + down_write(&owning_mm->mmap_sem);
3641 ++ mutex_lock(&context->vma_private_list_mutex);
3642 + list_for_each_entry_safe(vma_private, n, &context->vma_private_list,
3643 + list) {
3644 + vma = vma_private->vma;
3645 +@@ -1656,6 +1663,7 @@ static void mlx5_ib_disassociate_ucontext(struct ib_ucontext *ibcontext)
3646 + list_del(&vma_private->list);
3647 + kfree(vma_private);
3648 + }
3649 ++ mutex_unlock(&context->vma_private_list_mutex);
3650 + up_write(&owning_mm->mmap_sem);
3651 + mmput(owning_mm);
3652 + put_task_struct(owning_process);
3653 +diff --git a/drivers/infiniband/hw/mlx5/mlx5_ib.h b/drivers/infiniband/hw/mlx5/mlx5_ib.h
3654 +index 189e80cd6b2f..754103372faa 100644
3655 +--- a/drivers/infiniband/hw/mlx5/mlx5_ib.h
3656 ++++ b/drivers/infiniband/hw/mlx5/mlx5_ib.h
3657 +@@ -115,6 +115,8 @@ enum {
3658 + struct mlx5_ib_vma_private_data {
3659 + struct list_head list;
3660 + struct vm_area_struct *vma;
3661 ++ /* protect vma_private_list add/del */
3662 ++ struct mutex *vma_private_list_mutex;
3663 + };
3664 +
3665 + struct mlx5_ib_ucontext {
3666 +@@ -129,6 +131,8 @@ struct mlx5_ib_ucontext {
3667 + /* Transport Domain number */
3668 + u32 tdn;
3669 + struct list_head vma_private_list;
3670 ++ /* protect vma_private_list add/del */
3671 ++ struct mutex vma_private_list_mutex;
3672 +
3673 + unsigned long upd_xlt_page;
3674 + /* protect ODP/KSM */
3675 +diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
3676 +index d7b53d53c116..72d6ffbfd638 100644
3677 +--- a/drivers/net/dsa/bcm_sf2.c
3678 ++++ b/drivers/net/dsa/bcm_sf2.c
3679 +@@ -167,7 +167,7 @@ static void bcm_sf2_gphy_enable_set(struct dsa_switch *ds, bool enable)
3680 + reg = reg_readl(priv, REG_SPHY_CNTRL);
3681 + if (enable) {
3682 + reg |= PHY_RESET;
3683 +- reg &= ~(EXT_PWR_DOWN | IDDQ_BIAS | CK25_DIS);
3684 ++ reg &= ~(EXT_PWR_DOWN | IDDQ_BIAS | IDDQ_GLOBAL_PWR | CK25_DIS);
3685 + reg_writel(priv, reg, REG_SPHY_CNTRL);
3686 + udelay(21);
3687 + reg = reg_readl(priv, REG_SPHY_CNTRL);
3688 +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
3689 +index dc5de275352a..aa764c5e3c6b 100644
3690 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
3691 ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
3692 +@@ -1875,7 +1875,7 @@ static int bnxt_poll_work(struct bnxt *bp, struct bnxt_napi *bnapi, int budget)
3693 + * here forever if we consistently cannot allocate
3694 + * buffers.
3695 + */
3696 +- else if (rc == -ENOMEM)
3697 ++ else if (rc == -ENOMEM && budget)
3698 + rx_pkts++;
3699 + else if (rc == -EBUSY) /* partial completion */
3700 + break;
3701 +@@ -1961,7 +1961,7 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget)
3702 + cpu_to_le32(RX_CMPL_ERRORS_CRC_ERROR);
3703 +
3704 + rc = bnxt_rx_pkt(bp, bnapi, &raw_cons, &event);
3705 +- if (likely(rc == -EIO))
3706 ++ if (likely(rc == -EIO) && budget)
3707 + rx_pkts++;
3708 + else if (rc == -EBUSY) /* partial completion */
3709 + break;
3710 +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
3711 +index 656e6af70f0a..aef3fcf2f5b9 100644
3712 +--- a/drivers/net/ethernet/broadcom/tg3.c
3713 ++++ b/drivers/net/ethernet/broadcom/tg3.c
3714 +@@ -14227,7 +14227,9 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu)
3715 + /* Reset PHY, otherwise the read DMA engine will be in a mode that
3716 + * breaks all requests to 256 bytes.
3717 + */
3718 +- if (tg3_asic_rev(tp) == ASIC_REV_57766)
3719 ++ if (tg3_asic_rev(tp) == ASIC_REV_57766 ||
3720 ++ tg3_asic_rev(tp) == ASIC_REV_5717 ||
3721 ++ tg3_asic_rev(tp) == ASIC_REV_5719)
3722 + reset_phy = true;
3723 +
3724 + err = tg3_restart_hw(tp, reset_phy);
3725 +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
3726 +index 3dc2d771a222..faf7cdc97ebf 100644
3727 +--- a/drivers/net/ethernet/freescale/fec_main.c
3728 ++++ b/drivers/net/ethernet/freescale/fec_main.c
3729 +@@ -818,6 +818,12 @@ static void fec_enet_bd_init(struct net_device *dev)
3730 + for (i = 0; i < txq->bd.ring_size; i++) {
3731 + /* Initialize the BD for every fragment in the page. */
3732 + bdp->cbd_sc = cpu_to_fec16(0);
3733 ++ if (bdp->cbd_bufaddr &&
3734 ++ !IS_TSO_HEADER(txq, fec32_to_cpu(bdp->cbd_bufaddr)))
3735 ++ dma_unmap_single(&fep->pdev->dev,
3736 ++ fec32_to_cpu(bdp->cbd_bufaddr),
3737 ++ fec16_to_cpu(bdp->cbd_datlen),
3738 ++ DMA_TO_DEVICE);
3739 + if (txq->tx_skbuff[i]) {
3740 + dev_kfree_skb_any(txq->tx_skbuff[i]);
3741 + txq->tx_skbuff[i] = NULL;
3742 +diff --git a/drivers/net/ethernet/marvell/mvmdio.c b/drivers/net/ethernet/marvell/mvmdio.c
3743 +index c9798210fa0f..0495487f7b42 100644
3744 +--- a/drivers/net/ethernet/marvell/mvmdio.c
3745 ++++ b/drivers/net/ethernet/marvell/mvmdio.c
3746 +@@ -344,7 +344,8 @@ static int orion_mdio_probe(struct platform_device *pdev)
3747 + dev->regs + MVMDIO_ERR_INT_MASK);
3748 +
3749 + } else if (dev->err_interrupt == -EPROBE_DEFER) {
3750 +- return -EPROBE_DEFER;
3751 ++ ret = -EPROBE_DEFER;
3752 ++ goto out_mdio;
3753 + }
3754 +
3755 + if (pdev->dev.of_node)
3756 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
3757 +index 1fffdebbc9e8..e9a1fbcc4adf 100644
3758 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
3759 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
3760 +@@ -362,7 +362,7 @@ static int mlx5_internal_err_ret_value(struct mlx5_core_dev *dev, u16 op,
3761 + case MLX5_CMD_OP_QUERY_VPORT_COUNTER:
3762 + case MLX5_CMD_OP_ALLOC_Q_COUNTER:
3763 + case MLX5_CMD_OP_QUERY_Q_COUNTER:
3764 +- case MLX5_CMD_OP_SET_RATE_LIMIT:
3765 ++ case MLX5_CMD_OP_SET_PP_RATE_LIMIT:
3766 + case MLX5_CMD_OP_QUERY_RATE_LIMIT:
3767 + case MLX5_CMD_OP_CREATE_SCHEDULING_ELEMENT:
3768 + case MLX5_CMD_OP_QUERY_SCHEDULING_ELEMENT:
3769 +@@ -505,7 +505,7 @@ const char *mlx5_command_str(int command)
3770 + MLX5_COMMAND_STR_CASE(ALLOC_Q_COUNTER);
3771 + MLX5_COMMAND_STR_CASE(DEALLOC_Q_COUNTER);
3772 + MLX5_COMMAND_STR_CASE(QUERY_Q_COUNTER);
3773 +- MLX5_COMMAND_STR_CASE(SET_RATE_LIMIT);
3774 ++ MLX5_COMMAND_STR_CASE(SET_PP_RATE_LIMIT);
3775 + MLX5_COMMAND_STR_CASE(QUERY_RATE_LIMIT);
3776 + MLX5_COMMAND_STR_CASE(CREATE_SCHEDULING_ELEMENT);
3777 + MLX5_COMMAND_STR_CASE(DESTROY_SCHEDULING_ELEMENT);
3778 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
3779 +index 13b5ef9d8703..5fa071620104 100644
3780 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
3781 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
3782 +@@ -590,6 +590,7 @@ struct mlx5e_channel {
3783 + struct mlx5_core_dev *mdev;
3784 + struct mlx5e_tstamp *tstamp;
3785 + int ix;
3786 ++ int cpu;
3787 + };
3788 +
3789 + struct mlx5e_channels {
3790 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
3791 +index cc11bbbd0309..3cdb932cae76 100644
3792 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
3793 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
3794 +@@ -71,11 +71,6 @@ struct mlx5e_channel_param {
3795 + struct mlx5e_cq_param icosq_cq;
3796 + };
3797 +
3798 +-static int mlx5e_get_node(struct mlx5e_priv *priv, int ix)
3799 +-{
3800 +- return pci_irq_get_node(priv->mdev->pdev, MLX5_EQ_VEC_COMP_BASE + ix);
3801 +-}
3802 +-
3803 + static bool mlx5e_check_fragmented_striding_rq_cap(struct mlx5_core_dev *mdev)
3804 + {
3805 + return MLX5_CAP_GEN(mdev, striding_rq) &&
3806 +@@ -452,17 +447,16 @@ static int mlx5e_rq_alloc_mpwqe_info(struct mlx5e_rq *rq,
3807 + int wq_sz = mlx5_wq_ll_get_size(&rq->wq);
3808 + int mtt_sz = mlx5e_get_wqe_mtt_sz();
3809 + int mtt_alloc = mtt_sz + MLX5_UMR_ALIGN - 1;
3810 +- int node = mlx5e_get_node(c->priv, c->ix);
3811 + int i;
3812 +
3813 + rq->mpwqe.info = kzalloc_node(wq_sz * sizeof(*rq->mpwqe.info),
3814 +- GFP_KERNEL, node);
3815 ++ GFP_KERNEL, cpu_to_node(c->cpu));
3816 + if (!rq->mpwqe.info)
3817 + goto err_out;
3818 +
3819 + /* We allocate more than mtt_sz as we will align the pointer */
3820 +- rq->mpwqe.mtt_no_align = kzalloc_node(mtt_alloc * wq_sz,
3821 +- GFP_KERNEL, node);
3822 ++ rq->mpwqe.mtt_no_align = kzalloc_node(mtt_alloc * wq_sz, GFP_KERNEL,
3823 ++ cpu_to_node(c->cpu));
3824 + if (unlikely(!rq->mpwqe.mtt_no_align))
3825 + goto err_free_wqe_info;
3826 +
3827 +@@ -570,7 +564,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
3828 + int err;
3829 + int i;
3830 +
3831 +- rqp->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
3832 ++ rqp->wq.db_numa_node = cpu_to_node(c->cpu);
3833 +
3834 + err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->wq,
3835 + &rq->wq_ctrl);
3836 +@@ -636,8 +630,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
3837 + default: /* MLX5_WQ_TYPE_LINKED_LIST */
3838 + rq->wqe.frag_info =
3839 + kzalloc_node(wq_sz * sizeof(*rq->wqe.frag_info),
3840 +- GFP_KERNEL,
3841 +- mlx5e_get_node(c->priv, c->ix));
3842 ++ GFP_KERNEL, cpu_to_node(c->cpu));
3843 + if (!rq->wqe.frag_info) {
3844 + err = -ENOMEM;
3845 + goto err_rq_wq_destroy;
3846 +@@ -1007,13 +1000,13 @@ static int mlx5e_alloc_xdpsq(struct mlx5e_channel *c,
3847 + sq->uar_map = mdev->mlx5e_res.bfreg.map;
3848 + sq->min_inline_mode = params->tx_min_inline_mode;
3849 +
3850 +- param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
3851 ++ param->wq.db_numa_node = cpu_to_node(c->cpu);
3852 + err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl);
3853 + if (err)
3854 + return err;
3855 + sq->wq.db = &sq->wq.db[MLX5_SND_DBR];
3856 +
3857 +- err = mlx5e_alloc_xdpsq_db(sq, mlx5e_get_node(c->priv, c->ix));
3858 ++ err = mlx5e_alloc_xdpsq_db(sq, cpu_to_node(c->cpu));
3859 + if (err)
3860 + goto err_sq_wq_destroy;
3861 +
3862 +@@ -1060,13 +1053,13 @@ static int mlx5e_alloc_icosq(struct mlx5e_channel *c,
3863 + sq->channel = c;
3864 + sq->uar_map = mdev->mlx5e_res.bfreg.map;
3865 +
3866 +- param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
3867 ++ param->wq.db_numa_node = cpu_to_node(c->cpu);
3868 + err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl);
3869 + if (err)
3870 + return err;
3871 + sq->wq.db = &sq->wq.db[MLX5_SND_DBR];
3872 +
3873 +- err = mlx5e_alloc_icosq_db(sq, mlx5e_get_node(c->priv, c->ix));
3874 ++ err = mlx5e_alloc_icosq_db(sq, cpu_to_node(c->cpu));
3875 + if (err)
3876 + goto err_sq_wq_destroy;
3877 +
3878 +@@ -1132,13 +1125,13 @@ static int mlx5e_alloc_txqsq(struct mlx5e_channel *c,
3879 + if (MLX5_IPSEC_DEV(c->priv->mdev))
3880 + set_bit(MLX5E_SQ_STATE_IPSEC, &sq->state);
3881 +
3882 +- param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
3883 ++ param->wq.db_numa_node = cpu_to_node(c->cpu);
3884 + err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl);
3885 + if (err)
3886 + return err;
3887 + sq->wq.db = &sq->wq.db[MLX5_SND_DBR];
3888 +
3889 +- err = mlx5e_alloc_txqsq_db(sq, mlx5e_get_node(c->priv, c->ix));
3890 ++ err = mlx5e_alloc_txqsq_db(sq, cpu_to_node(c->cpu));
3891 + if (err)
3892 + goto err_sq_wq_destroy;
3893 +
3894 +@@ -1510,8 +1503,8 @@ static int mlx5e_alloc_cq(struct mlx5e_channel *c,
3895 + struct mlx5_core_dev *mdev = c->priv->mdev;
3896 + int err;
3897 +
3898 +- param->wq.buf_numa_node = mlx5e_get_node(c->priv, c->ix);
3899 +- param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
3900 ++ param->wq.buf_numa_node = cpu_to_node(c->cpu);
3901 ++ param->wq.db_numa_node = cpu_to_node(c->cpu);
3902 + param->eq_ix = c->ix;
3903 +
3904 + err = mlx5e_alloc_cq_common(mdev, param, cq);
3905 +@@ -1610,6 +1603,11 @@ static void mlx5e_close_cq(struct mlx5e_cq *cq)
3906 + mlx5e_free_cq(cq);
3907 + }
3908 +
3909 ++static int mlx5e_get_cpu(struct mlx5e_priv *priv, int ix)
3910 ++{
3911 ++ return cpumask_first(priv->mdev->priv.irq_info[ix].mask);
3912 ++}
3913 ++
3914 + static int mlx5e_open_tx_cqs(struct mlx5e_channel *c,
3915 + struct mlx5e_params *params,
3916 + struct mlx5e_channel_param *cparam)
3917 +@@ -1758,12 +1756,13 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix,
3918 + {
3919 + struct mlx5e_cq_moder icocq_moder = {0, 0};
3920 + struct net_device *netdev = priv->netdev;
3921 ++ int cpu = mlx5e_get_cpu(priv, ix);
3922 + struct mlx5e_channel *c;
3923 + unsigned int irq;
3924 + int err;
3925 + int eqn;
3926 +
3927 +- c = kzalloc_node(sizeof(*c), GFP_KERNEL, mlx5e_get_node(priv, ix));
3928 ++ c = kzalloc_node(sizeof(*c), GFP_KERNEL, cpu_to_node(cpu));
3929 + if (!c)
3930 + return -ENOMEM;
3931 +
3932 +@@ -1771,6 +1770,7 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix,
3933 + c->mdev = priv->mdev;
3934 + c->tstamp = &priv->tstamp;
3935 + c->ix = ix;
3936 ++ c->cpu = cpu;
3937 + c->pdev = &priv->mdev->pdev->dev;
3938 + c->netdev = priv->netdev;
3939 + c->mkey_be = cpu_to_be32(priv->mdev->mlx5e_res.mkey.key);
3940 +@@ -1859,8 +1859,7 @@ static void mlx5e_activate_channel(struct mlx5e_channel *c)
3941 + for (tc = 0; tc < c->num_tc; tc++)
3942 + mlx5e_activate_txqsq(&c->sq[tc]);
3943 + mlx5e_activate_rq(&c->rq);
3944 +- netif_set_xps_queue(c->netdev,
3945 +- mlx5_get_vector_affinity(c->priv->mdev, c->ix), c->ix);
3946 ++ netif_set_xps_queue(c->netdev, get_cpu_mask(c->cpu), c->ix);
3947 + }
3948 +
3949 + static void mlx5e_deactivate_channel(struct mlx5e_channel *c)
3950 +@@ -3554,6 +3553,7 @@ static netdev_features_t mlx5e_tunnel_features_check(struct mlx5e_priv *priv,
3951 + struct sk_buff *skb,
3952 + netdev_features_t features)
3953 + {
3954 ++ unsigned int offset = 0;
3955 + struct udphdr *udph;
3956 + u8 proto;
3957 + u16 port;
3958 +@@ -3563,7 +3563,7 @@ static netdev_features_t mlx5e_tunnel_features_check(struct mlx5e_priv *priv,
3959 + proto = ip_hdr(skb)->protocol;
3960 + break;
3961 + case htons(ETH_P_IPV6):
3962 +- proto = ipv6_hdr(skb)->nexthdr;
3963 ++ proto = ipv6_find_hdr(skb, &offset, -1, NULL, NULL);
3964 + break;
3965 + default:
3966 + goto out;
3967 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c
3968 +index 3c11d6e2160a..14962969c5ba 100644
3969 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c
3970 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c
3971 +@@ -66,6 +66,9 @@ static int mlx5_fpga_mem_read_i2c(struct mlx5_fpga_device *fdev, size_t size,
3972 + u8 actual_size;
3973 + int err;
3974 +
3975 ++ if (!size)
3976 ++ return -EINVAL;
3977 ++
3978 + if (!fdev->mdev)
3979 + return -ENOTCONN;
3980 +
3981 +@@ -95,6 +98,9 @@ static int mlx5_fpga_mem_write_i2c(struct mlx5_fpga_device *fdev, size_t size,
3982 + u8 actual_size;
3983 + int err;
3984 +
3985 ++ if (!size)
3986 ++ return -EINVAL;
3987 ++
3988 + if (!fdev->mdev)
3989 + return -ENOTCONN;
3990 +
3991 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
3992 +index 06562c9a6b9c..8bfc37e4ec87 100644
3993 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
3994 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
3995 +@@ -316,9 +316,6 @@ static int mlx5_alloc_irq_vectors(struct mlx5_core_dev *dev)
3996 + {
3997 + struct mlx5_priv *priv = &dev->priv;
3998 + struct mlx5_eq_table *table = &priv->eq_table;
3999 +- struct irq_affinity irqdesc = {
4000 +- .pre_vectors = MLX5_EQ_VEC_COMP_BASE,
4001 +- };
4002 + int num_eqs = 1 << MLX5_CAP_GEN(dev, log_max_eq);
4003 + int nvec;
4004 +
4005 +@@ -332,10 +329,9 @@ static int mlx5_alloc_irq_vectors(struct mlx5_core_dev *dev)
4006 + if (!priv->irq_info)
4007 + goto err_free_msix;
4008 +
4009 +- nvec = pci_alloc_irq_vectors_affinity(dev->pdev,
4010 ++ nvec = pci_alloc_irq_vectors(dev->pdev,
4011 + MLX5_EQ_VEC_COMP_BASE + 1, nvec,
4012 +- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY,
4013 +- &irqdesc);
4014 ++ PCI_IRQ_MSIX);
4015 + if (nvec < 0)
4016 + return nvec;
4017 +
4018 +@@ -621,6 +617,63 @@ u64 mlx5_read_internal_timer(struct mlx5_core_dev *dev)
4019 + return (u64)timer_l | (u64)timer_h1 << 32;
4020 + }
4021 +
4022 ++static int mlx5_irq_set_affinity_hint(struct mlx5_core_dev *mdev, int i)
4023 ++{
4024 ++ struct mlx5_priv *priv = &mdev->priv;
4025 ++ int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i);
4026 ++
4027 ++ if (!zalloc_cpumask_var(&priv->irq_info[i].mask, GFP_KERNEL)) {
4028 ++ mlx5_core_warn(mdev, "zalloc_cpumask_var failed");
4029 ++ return -ENOMEM;
4030 ++ }
4031 ++
4032 ++ cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node),
4033 ++ priv->irq_info[i].mask);
4034 ++
4035 ++ if (IS_ENABLED(CONFIG_SMP) &&
4036 ++ irq_set_affinity_hint(irq, priv->irq_info[i].mask))
4037 ++ mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq);
4038 ++
4039 ++ return 0;
4040 ++}
4041 ++
4042 ++static void mlx5_irq_clear_affinity_hint(struct mlx5_core_dev *mdev, int i)
4043 ++{
4044 ++ struct mlx5_priv *priv = &mdev->priv;
4045 ++ int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i);
4046 ++
4047 ++ irq_set_affinity_hint(irq, NULL);
4048 ++ free_cpumask_var(priv->irq_info[i].mask);
4049 ++}
4050 ++
4051 ++static int mlx5_irq_set_affinity_hints(struct mlx5_core_dev *mdev)
4052 ++{
4053 ++ int err;
4054 ++ int i;
4055 ++
4056 ++ for (i = 0; i < mdev->priv.eq_table.num_comp_vectors; i++) {
4057 ++ err = mlx5_irq_set_affinity_hint(mdev, i);
4058 ++ if (err)
4059 ++ goto err_out;
4060 ++ }
4061 ++
4062 ++ return 0;
4063 ++
4064 ++err_out:
4065 ++ for (i--; i >= 0; i--)
4066 ++ mlx5_irq_clear_affinity_hint(mdev, i);
4067 ++
4068 ++ return err;
4069 ++}
4070 ++
4071 ++static void mlx5_irq_clear_affinity_hints(struct mlx5_core_dev *mdev)
4072 ++{
4073 ++ int i;
4074 ++
4075 ++ for (i = 0; i < mdev->priv.eq_table.num_comp_vectors; i++)
4076 ++ mlx5_irq_clear_affinity_hint(mdev, i);
4077 ++}
4078 ++
4079 + int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
4080 + unsigned int *irqn)
4081 + {
4082 +@@ -1093,6 +1146,12 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
4083 + goto err_stop_eqs;
4084 + }
4085 +
4086 ++ err = mlx5_irq_set_affinity_hints(dev);
4087 ++ if (err) {
4088 ++ dev_err(&pdev->dev, "Failed to alloc affinity hint cpumask\n");
4089 ++ goto err_affinity_hints;
4090 ++ }
4091 ++
4092 + err = mlx5_init_fs(dev);
4093 + if (err) {
4094 + dev_err(&pdev->dev, "Failed to init flow steering\n");
4095 +@@ -1150,6 +1209,9 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
4096 + mlx5_cleanup_fs(dev);
4097 +
4098 + err_fs:
4099 ++ mlx5_irq_clear_affinity_hints(dev);
4100 ++
4101 ++err_affinity_hints:
4102 + free_comp_eqs(dev);
4103 +
4104 + err_stop_eqs:
4105 +@@ -1218,6 +1280,7 @@ static int mlx5_unload_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
4106 +
4107 + mlx5_sriov_detach(dev);
4108 + mlx5_cleanup_fs(dev);
4109 ++ mlx5_irq_clear_affinity_hints(dev);
4110 + free_comp_eqs(dev);
4111 + mlx5_stop_eqs(dev);
4112 + mlx5_put_uars_page(dev, priv->uar);
4113 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/qp.c b/drivers/net/ethernet/mellanox/mlx5/core/qp.c
4114 +index db9e665ab104..889130edb715 100644
4115 +--- a/drivers/net/ethernet/mellanox/mlx5/core/qp.c
4116 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/qp.c
4117 +@@ -213,8 +213,8 @@ int mlx5_core_create_qp(struct mlx5_core_dev *dev,
4118 + err_cmd:
4119 + memset(din, 0, sizeof(din));
4120 + memset(dout, 0, sizeof(dout));
4121 +- MLX5_SET(destroy_qp_in, in, opcode, MLX5_CMD_OP_DESTROY_QP);
4122 +- MLX5_SET(destroy_qp_in, in, qpn, qp->qpn);
4123 ++ MLX5_SET(destroy_qp_in, din, opcode, MLX5_CMD_OP_DESTROY_QP);
4124 ++ MLX5_SET(destroy_qp_in, din, qpn, qp->qpn);
4125 + mlx5_cmd_exec(dev, din, sizeof(din), dout, sizeof(dout));
4126 + return err;
4127 + }
4128 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/rl.c b/drivers/net/ethernet/mellanox/mlx5/core/rl.c
4129 +index e651e4c02867..d3c33e9eea72 100644
4130 +--- a/drivers/net/ethernet/mellanox/mlx5/core/rl.c
4131 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/rl.c
4132 +@@ -125,16 +125,16 @@ static struct mlx5_rl_entry *find_rl_entry(struct mlx5_rl_table *table,
4133 + return ret_entry;
4134 + }
4135 +
4136 +-static int mlx5_set_rate_limit_cmd(struct mlx5_core_dev *dev,
4137 ++static int mlx5_set_pp_rate_limit_cmd(struct mlx5_core_dev *dev,
4138 + u32 rate, u16 index)
4139 + {
4140 +- u32 in[MLX5_ST_SZ_DW(set_rate_limit_in)] = {0};
4141 +- u32 out[MLX5_ST_SZ_DW(set_rate_limit_out)] = {0};
4142 ++ u32 in[MLX5_ST_SZ_DW(set_pp_rate_limit_in)] = {0};
4143 ++ u32 out[MLX5_ST_SZ_DW(set_pp_rate_limit_out)] = {0};
4144 +
4145 +- MLX5_SET(set_rate_limit_in, in, opcode,
4146 +- MLX5_CMD_OP_SET_RATE_LIMIT);
4147 +- MLX5_SET(set_rate_limit_in, in, rate_limit_index, index);
4148 +- MLX5_SET(set_rate_limit_in, in, rate_limit, rate);
4149 ++ MLX5_SET(set_pp_rate_limit_in, in, opcode,
4150 ++ MLX5_CMD_OP_SET_PP_RATE_LIMIT);
4151 ++ MLX5_SET(set_pp_rate_limit_in, in, rate_limit_index, index);
4152 ++ MLX5_SET(set_pp_rate_limit_in, in, rate_limit, rate);
4153 + return mlx5_cmd_exec(dev, in, sizeof(in), out, sizeof(out));
4154 + }
4155 +
4156 +@@ -173,7 +173,7 @@ int mlx5_rl_add_rate(struct mlx5_core_dev *dev, u32 rate, u16 *index)
4157 + entry->refcount++;
4158 + } else {
4159 + /* new rate limit */
4160 +- err = mlx5_set_rate_limit_cmd(dev, rate, entry->index);
4161 ++ err = mlx5_set_pp_rate_limit_cmd(dev, rate, entry->index);
4162 + if (err) {
4163 + mlx5_core_err(dev, "Failed configuring rate: %u (%d)\n",
4164 + rate, err);
4165 +@@ -209,7 +209,7 @@ void mlx5_rl_remove_rate(struct mlx5_core_dev *dev, u32 rate)
4166 + entry->refcount--;
4167 + if (!entry->refcount) {
4168 + /* need to remove rate */
4169 +- mlx5_set_rate_limit_cmd(dev, 0, entry->index);
4170 ++ mlx5_set_pp_rate_limit_cmd(dev, 0, entry->index);
4171 + entry->rate = 0;
4172 + }
4173 +
4174 +@@ -262,8 +262,8 @@ void mlx5_cleanup_rl_table(struct mlx5_core_dev *dev)
4175 + /* Clear all configured rates */
4176 + for (i = 0; i < table->max_size; i++)
4177 + if (table->rl_entry[i].rate)
4178 +- mlx5_set_rate_limit_cmd(dev, 0,
4179 +- table->rl_entry[i].index);
4180 ++ mlx5_set_pp_rate_limit_cmd(dev, 0,
4181 ++ table->rl_entry[i].index);
4182 +
4183 + kfree(dev->priv.rl_table.rl_entry);
4184 + }
4185 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c
4186 +index 07a9ba6cfc70..2f74953e4561 100644
4187 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c
4188 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c
4189 +@@ -71,9 +71,9 @@ struct mlx5e_vxlan *mlx5e_vxlan_lookup_port(struct mlx5e_priv *priv, u16 port)
4190 + struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan;
4191 + struct mlx5e_vxlan *vxlan;
4192 +
4193 +- spin_lock(&vxlan_db->lock);
4194 ++ spin_lock_bh(&vxlan_db->lock);
4195 + vxlan = radix_tree_lookup(&vxlan_db->tree, port);
4196 +- spin_unlock(&vxlan_db->lock);
4197 ++ spin_unlock_bh(&vxlan_db->lock);
4198 +
4199 + return vxlan;
4200 + }
4201 +@@ -88,8 +88,12 @@ static void mlx5e_vxlan_add_port(struct work_struct *work)
4202 + struct mlx5e_vxlan *vxlan;
4203 + int err;
4204 +
4205 +- if (mlx5e_vxlan_lookup_port(priv, port))
4206 ++ mutex_lock(&priv->state_lock);
4207 ++ vxlan = mlx5e_vxlan_lookup_port(priv, port);
4208 ++ if (vxlan) {
4209 ++ atomic_inc(&vxlan->refcount);
4210 + goto free_work;
4211 ++ }
4212 +
4213 + if (mlx5e_vxlan_core_add_port_cmd(priv->mdev, port))
4214 + goto free_work;
4215 +@@ -99,10 +103,11 @@ static void mlx5e_vxlan_add_port(struct work_struct *work)
4216 + goto err_delete_port;
4217 +
4218 + vxlan->udp_port = port;
4219 ++ atomic_set(&vxlan->refcount, 1);
4220 +
4221 +- spin_lock_irq(&vxlan_db->lock);
4222 ++ spin_lock_bh(&vxlan_db->lock);
4223 + err = radix_tree_insert(&vxlan_db->tree, vxlan->udp_port, vxlan);
4224 +- spin_unlock_irq(&vxlan_db->lock);
4225 ++ spin_unlock_bh(&vxlan_db->lock);
4226 + if (err)
4227 + goto err_free;
4228 +
4229 +@@ -113,35 +118,39 @@ static void mlx5e_vxlan_add_port(struct work_struct *work)
4230 + err_delete_port:
4231 + mlx5e_vxlan_core_del_port_cmd(priv->mdev, port);
4232 + free_work:
4233 ++ mutex_unlock(&priv->state_lock);
4234 + kfree(vxlan_work);
4235 + }
4236 +
4237 +-static void __mlx5e_vxlan_core_del_port(struct mlx5e_priv *priv, u16 port)
4238 ++static void mlx5e_vxlan_del_port(struct work_struct *work)
4239 + {
4240 ++ struct mlx5e_vxlan_work *vxlan_work =
4241 ++ container_of(work, struct mlx5e_vxlan_work, work);
4242 ++ struct mlx5e_priv *priv = vxlan_work->priv;
4243 + struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan;
4244 ++ u16 port = vxlan_work->port;
4245 + struct mlx5e_vxlan *vxlan;
4246 ++ bool remove = false;
4247 +
4248 +- spin_lock_irq(&vxlan_db->lock);
4249 +- vxlan = radix_tree_delete(&vxlan_db->tree, port);
4250 +- spin_unlock_irq(&vxlan_db->lock);
4251 +-
4252 ++ mutex_lock(&priv->state_lock);
4253 ++ spin_lock_bh(&vxlan_db->lock);
4254 ++ vxlan = radix_tree_lookup(&vxlan_db->tree, port);
4255 + if (!vxlan)
4256 +- return;
4257 +-
4258 +- mlx5e_vxlan_core_del_port_cmd(priv->mdev, vxlan->udp_port);
4259 +-
4260 +- kfree(vxlan);
4261 +-}
4262 ++ goto out_unlock;
4263 +
4264 +-static void mlx5e_vxlan_del_port(struct work_struct *work)
4265 +-{
4266 +- struct mlx5e_vxlan_work *vxlan_work =
4267 +- container_of(work, struct mlx5e_vxlan_work, work);
4268 +- struct mlx5e_priv *priv = vxlan_work->priv;
4269 +- u16 port = vxlan_work->port;
4270 ++ if (atomic_dec_and_test(&vxlan->refcount)) {
4271 ++ radix_tree_delete(&vxlan_db->tree, port);
4272 ++ remove = true;
4273 ++ }
4274 +
4275 +- __mlx5e_vxlan_core_del_port(priv, port);
4276 ++out_unlock:
4277 ++ spin_unlock_bh(&vxlan_db->lock);
4278 +
4279 ++ if (remove) {
4280 ++ mlx5e_vxlan_core_del_port_cmd(priv->mdev, port);
4281 ++ kfree(vxlan);
4282 ++ }
4283 ++ mutex_unlock(&priv->state_lock);
4284 + kfree(vxlan_work);
4285 + }
4286 +
4287 +@@ -171,12 +180,11 @@ void mlx5e_vxlan_cleanup(struct mlx5e_priv *priv)
4288 + struct mlx5e_vxlan *vxlan;
4289 + unsigned int port = 0;
4290 +
4291 +- spin_lock_irq(&vxlan_db->lock);
4292 ++ /* Lockless since we are the only radix-tree consumers, wq is disabled */
4293 + while (radix_tree_gang_lookup(&vxlan_db->tree, (void **)&vxlan, port, 1)) {
4294 + port = vxlan->udp_port;
4295 +- spin_unlock_irq(&vxlan_db->lock);
4296 +- __mlx5e_vxlan_core_del_port(priv, (u16)port);
4297 +- spin_lock_irq(&vxlan_db->lock);
4298 ++ radix_tree_delete(&vxlan_db->tree, port);
4299 ++ mlx5e_vxlan_core_del_port_cmd(priv->mdev, port);
4300 ++ kfree(vxlan);
4301 + }
4302 +- spin_unlock_irq(&vxlan_db->lock);
4303 + }
4304 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h
4305 +index 5def12c048e3..5ef6ae7d568a 100644
4306 +--- a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h
4307 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h
4308 +@@ -36,6 +36,7 @@
4309 + #include "en.h"
4310 +
4311 + struct mlx5e_vxlan {
4312 ++ atomic_t refcount;
4313 + u16 udp_port;
4314 + };
4315 +
4316 +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
4317 +index db38880f54b4..3ead7439821c 100644
4318 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
4319 ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
4320 +@@ -4164,6 +4164,7 @@ static int mlxsw_sp_port_stp_set(struct mlxsw_sp_port *mlxsw_sp_port,
4321 +
4322 + static int mlxsw_sp_port_ovs_join(struct mlxsw_sp_port *mlxsw_sp_port)
4323 + {
4324 ++ u16 vid = 1;
4325 + int err;
4326 +
4327 + err = mlxsw_sp_port_vp_mode_set(mlxsw_sp_port, true);
4328 +@@ -4176,8 +4177,19 @@ static int mlxsw_sp_port_ovs_join(struct mlxsw_sp_port *mlxsw_sp_port)
4329 + true, false);
4330 + if (err)
4331 + goto err_port_vlan_set;
4332 ++
4333 ++ for (; vid <= VLAN_N_VID - 1; vid++) {
4334 ++ err = mlxsw_sp_port_vid_learning_set(mlxsw_sp_port,
4335 ++ vid, false);
4336 ++ if (err)
4337 ++ goto err_vid_learning_set;
4338 ++ }
4339 ++
4340 + return 0;
4341 +
4342 ++err_vid_learning_set:
4343 ++ for (vid--; vid >= 1; vid--)
4344 ++ mlxsw_sp_port_vid_learning_set(mlxsw_sp_port, vid, true);
4345 + err_port_vlan_set:
4346 + mlxsw_sp_port_stp_set(mlxsw_sp_port, false);
4347 + err_port_stp_set:
4348 +@@ -4187,6 +4199,12 @@ static int mlxsw_sp_port_ovs_join(struct mlxsw_sp_port *mlxsw_sp_port)
4349 +
4350 + static void mlxsw_sp_port_ovs_leave(struct mlxsw_sp_port *mlxsw_sp_port)
4351 + {
4352 ++ u16 vid;
4353 ++
4354 ++ for (vid = VLAN_N_VID - 1; vid >= 1; vid--)
4355 ++ mlxsw_sp_port_vid_learning_set(mlxsw_sp_port,
4356 ++ vid, true);
4357 ++
4358 + mlxsw_sp_port_vlan_set(mlxsw_sp_port, 2, VLAN_N_VID - 1,
4359 + false, false);
4360 + mlxsw_sp_port_stp_set(mlxsw_sp_port, false);
4361 +diff --git a/drivers/net/ethernet/sfc/tx.c b/drivers/net/ethernet/sfc/tx.c
4362 +index 32bf1fecf864..9b85cbd5a231 100644
4363 +--- a/drivers/net/ethernet/sfc/tx.c
4364 ++++ b/drivers/net/ethernet/sfc/tx.c
4365 +@@ -77,6 +77,7 @@ static void efx_dequeue_buffer(struct efx_tx_queue *tx_queue,
4366 + }
4367 +
4368 + if (buffer->flags & EFX_TX_BUF_SKB) {
4369 ++ EFX_WARN_ON_PARANOID(!pkts_compl || !bytes_compl);
4370 + (*pkts_compl)++;
4371 + (*bytes_compl) += buffer->skb->len;
4372 + dev_consume_skb_any((struct sk_buff *)buffer->skb);
4373 +@@ -426,12 +427,14 @@ static int efx_tx_map_data(struct efx_tx_queue *tx_queue, struct sk_buff *skb,
4374 + static void efx_enqueue_unwind(struct efx_tx_queue *tx_queue)
4375 + {
4376 + struct efx_tx_buffer *buffer;
4377 ++ unsigned int bytes_compl = 0;
4378 ++ unsigned int pkts_compl = 0;
4379 +
4380 + /* Work backwards until we hit the original insert pointer value */
4381 + while (tx_queue->insert_count != tx_queue->write_count) {
4382 + --tx_queue->insert_count;
4383 + buffer = __efx_tx_queue_get_insert_buffer(tx_queue);
4384 +- efx_dequeue_buffer(tx_queue, buffer, NULL, NULL);
4385 ++ efx_dequeue_buffer(tx_queue, buffer, &pkts_compl, &bytes_compl);
4386 + }
4387 + }
4388 +
4389 +diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c
4390 +index 4d02b27df044..a3f456b91c99 100644
4391 +--- a/drivers/net/phy/marvell.c
4392 ++++ b/drivers/net/phy/marvell.c
4393 +@@ -2069,7 +2069,7 @@ static struct phy_driver marvell_drivers[] = {
4394 + .flags = PHY_HAS_INTERRUPT,
4395 + .probe = marvell_probe,
4396 + .config_init = &m88e1145_config_init,
4397 +- .config_aneg = &marvell_config_aneg,
4398 ++ .config_aneg = &m88e1101_config_aneg,
4399 + .read_status = &genphy_read_status,
4400 + .ack_interrupt = &marvell_ack_interrupt,
4401 + .config_intr = &marvell_config_intr,
4402 +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
4403 +index fdb43dd9b5cd..6c45ff650ec7 100644
4404 +--- a/drivers/net/phy/micrel.c
4405 ++++ b/drivers/net/phy/micrel.c
4406 +@@ -622,6 +622,7 @@ static int ksz9031_read_status(struct phy_device *phydev)
4407 + phydev->link = 0;
4408 + if (phydev->drv->config_intr && phy_interrupt_is_valid(phydev))
4409 + phydev->drv->config_intr(phydev);
4410 ++ return genphy_config_aneg(phydev);
4411 + }
4412 +
4413 + return 0;
4414 +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
4415 +index bcb4755bcd95..4b377b978a0b 100644
4416 +--- a/drivers/net/phy/phylink.c
4417 ++++ b/drivers/net/phy/phylink.c
4418 +@@ -525,6 +525,7 @@ struct phylink *phylink_create(struct net_device *ndev, struct device_node *np,
4419 + pl->link_config.pause = MLO_PAUSE_AN;
4420 + pl->link_config.speed = SPEED_UNKNOWN;
4421 + pl->link_config.duplex = DUPLEX_UNKNOWN;
4422 ++ pl->link_config.an_enabled = true;
4423 + pl->ops = ops;
4424 + __set_bit(PHYLINK_DISABLE_STOPPED, &pl->phylink_disable_state);
4425 +
4426 +@@ -948,6 +949,7 @@ int phylink_ethtool_ksettings_set(struct phylink *pl,
4427 + mutex_lock(&pl->state_mutex);
4428 + /* Configure the MAC to match the new settings */
4429 + linkmode_copy(pl->link_config.advertising, our_kset.link_modes.advertising);
4430 ++ pl->link_config.interface = config.interface;
4431 + pl->link_config.speed = our_kset.base.speed;
4432 + pl->link_config.duplex = our_kset.base.duplex;
4433 + pl->link_config.an_enabled = our_kset.base.autoneg != AUTONEG_DISABLE;
4434 +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
4435 +index 81394a4b2803..2092febfcb42 100644
4436 +--- a/drivers/net/usb/qmi_wwan.c
4437 ++++ b/drivers/net/usb/qmi_wwan.c
4438 +@@ -1204,6 +1204,7 @@ static const struct usb_device_id products[] = {
4439 + {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */
4440 + {QMI_FIXED_INTF(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */
4441 + {QMI_FIXED_INTF(0x1199, 0x907b, 10)}, /* Sierra Wireless EM74xx */
4442 ++ {QMI_FIXED_INTF(0x1199, 0x9091, 8)}, /* Sierra Wireless EM7565 */
4443 + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */
4444 + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
4445 + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
4446 +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
4447 +index a2f4e52fadb5..9e9202b50e73 100644
4448 +--- a/drivers/net/vxlan.c
4449 ++++ b/drivers/net/vxlan.c
4450 +@@ -3105,6 +3105,11 @@ static void vxlan_config_apply(struct net_device *dev,
4451 +
4452 + max_mtu = lowerdev->mtu - (use_ipv6 ? VXLAN6_HEADROOM :
4453 + VXLAN_HEADROOM);
4454 ++ if (max_mtu < ETH_MIN_MTU)
4455 ++ max_mtu = ETH_MIN_MTU;
4456 ++
4457 ++ if (!changelink && !conf->mtu)
4458 ++ dev->mtu = max_mtu;
4459 + }
4460 +
4461 + if (dev->mtu > max_mtu)
4462 +diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
4463 +index 4307bf0013e1..63e916d4d069 100644
4464 +--- a/drivers/phy/tegra/xusb.c
4465 ++++ b/drivers/phy/tegra/xusb.c
4466 +@@ -75,14 +75,14 @@ MODULE_DEVICE_TABLE(of, tegra_xusb_padctl_of_match);
4467 + static struct device_node *
4468 + tegra_xusb_find_pad_node(struct tegra_xusb_padctl *padctl, const char *name)
4469 + {
4470 +- /*
4471 +- * of_find_node_by_name() drops a reference, so make sure to grab one.
4472 +- */
4473 +- struct device_node *np = of_node_get(padctl->dev->of_node);
4474 ++ struct device_node *pads, *np;
4475 ++
4476 ++ pads = of_get_child_by_name(padctl->dev->of_node, "pads");
4477 ++ if (!pads)
4478 ++ return NULL;
4479 +
4480 +- np = of_find_node_by_name(np, "pads");
4481 +- if (np)
4482 +- np = of_find_node_by_name(np, name);
4483 ++ np = of_get_child_by_name(pads, name);
4484 ++ of_node_put(pads);
4485 +
4486 + return np;
4487 + }
4488 +@@ -90,16 +90,16 @@ tegra_xusb_find_pad_node(struct tegra_xusb_padctl *padctl, const char *name)
4489 + static struct device_node *
4490 + tegra_xusb_pad_find_phy_node(struct tegra_xusb_pad *pad, unsigned int index)
4491 + {
4492 +- /*
4493 +- * of_find_node_by_name() drops a reference, so make sure to grab one.
4494 +- */
4495 +- struct device_node *np = of_node_get(pad->dev.of_node);
4496 ++ struct device_node *np, *lanes;
4497 +
4498 +- np = of_find_node_by_name(np, "lanes");
4499 +- if (!np)
4500 ++ lanes = of_get_child_by_name(pad->dev.of_node, "lanes");
4501 ++ if (!lanes)
4502 + return NULL;
4503 +
4504 +- return of_find_node_by_name(np, pad->soc->lanes[index].name);
4505 ++ np = of_get_child_by_name(lanes, pad->soc->lanes[index].name);
4506 ++ of_node_put(lanes);
4507 ++
4508 ++ return np;
4509 + }
4510 +
4511 + static int
4512 +@@ -195,7 +195,7 @@ int tegra_xusb_pad_register(struct tegra_xusb_pad *pad,
4513 + unsigned int i;
4514 + int err;
4515 +
4516 +- children = of_find_node_by_name(pad->dev.of_node, "lanes");
4517 ++ children = of_get_child_by_name(pad->dev.of_node, "lanes");
4518 + if (!children)
4519 + return -ENODEV;
4520 +
4521 +@@ -444,21 +444,21 @@ static struct device_node *
4522 + tegra_xusb_find_port_node(struct tegra_xusb_padctl *padctl, const char *type,
4523 + unsigned int index)
4524 + {
4525 +- /*
4526 +- * of_find_node_by_name() drops a reference, so make sure to grab one.
4527 +- */
4528 +- struct device_node *np = of_node_get(padctl->dev->of_node);
4529 ++ struct device_node *ports, *np;
4530 ++ char *name;
4531 +
4532 +- np = of_find_node_by_name(np, "ports");
4533 +- if (np) {
4534 +- char *name;
4535 ++ ports = of_get_child_by_name(padctl->dev->of_node, "ports");
4536 ++ if (!ports)
4537 ++ return NULL;
4538 +
4539 +- name = kasprintf(GFP_KERNEL, "%s-%u", type, index);
4540 +- if (!name)
4541 +- return ERR_PTR(-ENOMEM);
4542 +- np = of_find_node_by_name(np, name);
4543 +- kfree(name);
4544 ++ name = kasprintf(GFP_KERNEL, "%s-%u", type, index);
4545 ++ if (!name) {
4546 ++ of_node_put(ports);
4547 ++ return ERR_PTR(-ENOMEM);
4548 + }
4549 ++ np = of_get_child_by_name(ports, name);
4550 ++ kfree(name);
4551 ++ of_node_put(ports);
4552 +
4553 + return np;
4554 + }
4555 +@@ -847,7 +847,7 @@ static void tegra_xusb_remove_ports(struct tegra_xusb_padctl *padctl)
4556 +
4557 + static int tegra_xusb_padctl_probe(struct platform_device *pdev)
4558 + {
4559 +- struct device_node *np = of_node_get(pdev->dev.of_node);
4560 ++ struct device_node *np = pdev->dev.of_node;
4561 + const struct tegra_xusb_padctl_soc *soc;
4562 + struct tegra_xusb_padctl *padctl;
4563 + const struct of_device_id *match;
4564 +@@ -855,7 +855,7 @@ static int tegra_xusb_padctl_probe(struct platform_device *pdev)
4565 + int err;
4566 +
4567 + /* for backwards compatibility with old device trees */
4568 +- np = of_find_node_by_name(np, "pads");
4569 ++ np = of_get_child_by_name(np, "pads");
4570 + if (!np) {
4571 + dev_warn(&pdev->dev, "deprecated DT, using legacy driver\n");
4572 + return tegra_xusb_padctl_legacy_probe(pdev);
4573 +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h
4574 +index 5340efc673a9..92dd4aef21a3 100644
4575 +--- a/drivers/s390/net/qeth_core.h
4576 ++++ b/drivers/s390/net/qeth_core.h
4577 +@@ -564,9 +564,9 @@ enum qeth_cq {
4578 + };
4579 +
4580 + struct qeth_ipato {
4581 +- int enabled;
4582 +- int invert4;
4583 +- int invert6;
4584 ++ bool enabled;
4585 ++ bool invert4;
4586 ++ bool invert6;
4587 + struct list_head entries;
4588 + };
4589 +
4590 +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
4591 +index 330e5d3dadf3..7c7a244b6684 100644
4592 +--- a/drivers/s390/net/qeth_core_main.c
4593 ++++ b/drivers/s390/net/qeth_core_main.c
4594 +@@ -1479,9 +1479,9 @@ static int qeth_setup_card(struct qeth_card *card)
4595 + qeth_set_intial_options(card);
4596 + /* IP address takeover */
4597 + INIT_LIST_HEAD(&card->ipato.entries);
4598 +- card->ipato.enabled = 0;
4599 +- card->ipato.invert4 = 0;
4600 +- card->ipato.invert6 = 0;
4601 ++ card->ipato.enabled = false;
4602 ++ card->ipato.invert4 = false;
4603 ++ card->ipato.invert6 = false;
4604 + /* init QDIO stuff */
4605 + qeth_init_qdio_info(card);
4606 + INIT_DELAYED_WORK(&card->buffer_reclaim_work, qeth_buffer_reclaim_work);
4607 +@@ -5445,6 +5445,13 @@ int qeth_poll(struct napi_struct *napi, int budget)
4608 + }
4609 + EXPORT_SYMBOL_GPL(qeth_poll);
4610 +
4611 ++static int qeth_setassparms_inspect_rc(struct qeth_ipa_cmd *cmd)
4612 ++{
4613 ++ if (!cmd->hdr.return_code)
4614 ++ cmd->hdr.return_code = cmd->data.setassparms.hdr.return_code;
4615 ++ return cmd->hdr.return_code;
4616 ++}
4617 ++
4618 + int qeth_setassparms_cb(struct qeth_card *card,
4619 + struct qeth_reply *reply, unsigned long data)
4620 + {
4621 +@@ -6304,7 +6311,7 @@ static int qeth_ipa_checksum_run_cmd_cb(struct qeth_card *card,
4622 + (struct qeth_checksum_cmd *)reply->param;
4623 +
4624 + QETH_CARD_TEXT(card, 4, "chkdoccb");
4625 +- if (cmd->hdr.return_code)
4626 ++ if (qeth_setassparms_inspect_rc(cmd))
4627 + return 0;
4628 +
4629 + memset(chksum_cb, 0, sizeof(*chksum_cb));
4630 +diff --git a/drivers/s390/net/qeth_l3.h b/drivers/s390/net/qeth_l3.h
4631 +index 194ae9b577cc..e5833837b799 100644
4632 +--- a/drivers/s390/net/qeth_l3.h
4633 ++++ b/drivers/s390/net/qeth_l3.h
4634 +@@ -82,7 +82,7 @@ void qeth_l3_del_vipa(struct qeth_card *, enum qeth_prot_versions, const u8 *);
4635 + int qeth_l3_add_rxip(struct qeth_card *, enum qeth_prot_versions, const u8 *);
4636 + void qeth_l3_del_rxip(struct qeth_card *card, enum qeth_prot_versions,
4637 + const u8 *);
4638 +-int qeth_l3_is_addr_covered_by_ipato(struct qeth_card *, struct qeth_ipaddr *);
4639 ++void qeth_l3_update_ipato(struct qeth_card *card);
4640 + struct qeth_ipaddr *qeth_l3_get_addr_buffer(enum qeth_prot_versions);
4641 + int qeth_l3_add_ip(struct qeth_card *, struct qeth_ipaddr *);
4642 + int qeth_l3_delete_ip(struct qeth_card *, struct qeth_ipaddr *);
4643 +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
4644 +index 27185ab38136..36dee176f8e2 100644
4645 +--- a/drivers/s390/net/qeth_l3_main.c
4646 ++++ b/drivers/s390/net/qeth_l3_main.c
4647 +@@ -163,8 +163,8 @@ static void qeth_l3_convert_addr_to_bits(u8 *addr, u8 *bits, int len)
4648 + }
4649 + }
4650 +
4651 +-int qeth_l3_is_addr_covered_by_ipato(struct qeth_card *card,
4652 +- struct qeth_ipaddr *addr)
4653 ++static bool qeth_l3_is_addr_covered_by_ipato(struct qeth_card *card,
4654 ++ struct qeth_ipaddr *addr)
4655 + {
4656 + struct qeth_ipato_entry *ipatoe;
4657 + u8 addr_bits[128] = {0, };
4658 +@@ -173,6 +173,8 @@ int qeth_l3_is_addr_covered_by_ipato(struct qeth_card *card,
4659 +
4660 + if (!card->ipato.enabled)
4661 + return 0;
4662 ++ if (addr->type != QETH_IP_TYPE_NORMAL)
4663 ++ return 0;
4664 +
4665 + qeth_l3_convert_addr_to_bits((u8 *) &addr->u, addr_bits,
4666 + (addr->proto == QETH_PROT_IPV4)? 4:16);
4667 +@@ -289,8 +291,7 @@ int qeth_l3_add_ip(struct qeth_card *card, struct qeth_ipaddr *tmp_addr)
4668 + memcpy(addr, tmp_addr, sizeof(struct qeth_ipaddr));
4669 + addr->ref_counter = 1;
4670 +
4671 +- if (addr->type == QETH_IP_TYPE_NORMAL &&
4672 +- qeth_l3_is_addr_covered_by_ipato(card, addr)) {
4673 ++ if (qeth_l3_is_addr_covered_by_ipato(card, addr)) {
4674 + QETH_CARD_TEXT(card, 2, "tkovaddr");
4675 + addr->set_flags |= QETH_IPA_SETIP_TAKEOVER_FLAG;
4676 + }
4677 +@@ -604,6 +605,27 @@ int qeth_l3_setrouting_v6(struct qeth_card *card)
4678 + /*
4679 + * IP address takeover related functions
4680 + */
4681 ++
4682 ++/**
4683 ++ * qeth_l3_update_ipato() - Update 'takeover' property, for all NORMAL IPs.
4684 ++ *
4685 ++ * Caller must hold ip_lock.
4686 ++ */
4687 ++void qeth_l3_update_ipato(struct qeth_card *card)
4688 ++{
4689 ++ struct qeth_ipaddr *addr;
4690 ++ unsigned int i;
4691 ++
4692 ++ hash_for_each(card->ip_htable, i, addr, hnode) {
4693 ++ if (addr->type != QETH_IP_TYPE_NORMAL)
4694 ++ continue;
4695 ++ if (qeth_l3_is_addr_covered_by_ipato(card, addr))
4696 ++ addr->set_flags |= QETH_IPA_SETIP_TAKEOVER_FLAG;
4697 ++ else
4698 ++ addr->set_flags &= ~QETH_IPA_SETIP_TAKEOVER_FLAG;
4699 ++ }
4700 ++}
4701 ++
4702 + static void qeth_l3_clear_ipato_list(struct qeth_card *card)
4703 + {
4704 + struct qeth_ipato_entry *ipatoe, *tmp;
4705 +@@ -615,6 +637,7 @@ static void qeth_l3_clear_ipato_list(struct qeth_card *card)
4706 + kfree(ipatoe);
4707 + }
4708 +
4709 ++ qeth_l3_update_ipato(card);
4710 + spin_unlock_bh(&card->ip_lock);
4711 + }
4712 +
4713 +@@ -639,8 +662,10 @@ int qeth_l3_add_ipato_entry(struct qeth_card *card,
4714 + }
4715 + }
4716 +
4717 +- if (!rc)
4718 ++ if (!rc) {
4719 + list_add_tail(&new->entry, &card->ipato.entries);
4720 ++ qeth_l3_update_ipato(card);
4721 ++ }
4722 +
4723 + spin_unlock_bh(&card->ip_lock);
4724 +
4725 +@@ -663,6 +688,7 @@ void qeth_l3_del_ipato_entry(struct qeth_card *card,
4726 + (proto == QETH_PROT_IPV4)? 4:16) &&
4727 + (ipatoe->mask_bits == mask_bits)) {
4728 + list_del(&ipatoe->entry);
4729 ++ qeth_l3_update_ipato(card);
4730 + kfree(ipatoe);
4731 + }
4732 + }
4733 +diff --git a/drivers/s390/net/qeth_l3_sys.c b/drivers/s390/net/qeth_l3_sys.c
4734 +index 7a829ad77783..1295dd8ec849 100644
4735 +--- a/drivers/s390/net/qeth_l3_sys.c
4736 ++++ b/drivers/s390/net/qeth_l3_sys.c
4737 +@@ -370,8 +370,8 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev,
4738 + struct device_attribute *attr, const char *buf, size_t count)
4739 + {
4740 + struct qeth_card *card = dev_get_drvdata(dev);
4741 +- struct qeth_ipaddr *addr;
4742 +- int i, rc = 0;
4743 ++ bool enable;
4744 ++ int rc = 0;
4745 +
4746 + if (!card)
4747 + return -EINVAL;
4748 +@@ -384,25 +384,18 @@ static ssize_t qeth_l3_dev_ipato_enable_store(struct device *dev,
4749 + }
4750 +
4751 + if (sysfs_streq(buf, "toggle")) {
4752 +- card->ipato.enabled = (card->ipato.enabled)? 0 : 1;
4753 +- } else if (sysfs_streq(buf, "1")) {
4754 +- card->ipato.enabled = 1;
4755 +- hash_for_each(card->ip_htable, i, addr, hnode) {
4756 +- if ((addr->type == QETH_IP_TYPE_NORMAL) &&
4757 +- qeth_l3_is_addr_covered_by_ipato(card, addr))
4758 +- addr->set_flags |=
4759 +- QETH_IPA_SETIP_TAKEOVER_FLAG;
4760 +- }
4761 +- } else if (sysfs_streq(buf, "0")) {
4762 +- card->ipato.enabled = 0;
4763 +- hash_for_each(card->ip_htable, i, addr, hnode) {
4764 +- if (addr->set_flags &
4765 +- QETH_IPA_SETIP_TAKEOVER_FLAG)
4766 +- addr->set_flags &=
4767 +- ~QETH_IPA_SETIP_TAKEOVER_FLAG;
4768 +- }
4769 +- } else
4770 ++ enable = !card->ipato.enabled;
4771 ++ } else if (kstrtobool(buf, &enable)) {
4772 + rc = -EINVAL;
4773 ++ goto out;
4774 ++ }
4775 ++
4776 ++ if (card->ipato.enabled != enable) {
4777 ++ card->ipato.enabled = enable;
4778 ++ spin_lock_bh(&card->ip_lock);
4779 ++ qeth_l3_update_ipato(card);
4780 ++ spin_unlock_bh(&card->ip_lock);
4781 ++ }
4782 + out:
4783 + mutex_unlock(&card->conf_mutex);
4784 + return rc ? rc : count;
4785 +@@ -428,20 +421,27 @@ static ssize_t qeth_l3_dev_ipato_invert4_store(struct device *dev,
4786 + const char *buf, size_t count)
4787 + {
4788 + struct qeth_card *card = dev_get_drvdata(dev);
4789 ++ bool invert;
4790 + int rc = 0;
4791 +
4792 + if (!card)
4793 + return -EINVAL;
4794 +
4795 + mutex_lock(&card->conf_mutex);
4796 +- if (sysfs_streq(buf, "toggle"))
4797 +- card->ipato.invert4 = (card->ipato.invert4)? 0 : 1;
4798 +- else if (sysfs_streq(buf, "1"))
4799 +- card->ipato.invert4 = 1;
4800 +- else if (sysfs_streq(buf, "0"))
4801 +- card->ipato.invert4 = 0;
4802 +- else
4803 ++ if (sysfs_streq(buf, "toggle")) {
4804 ++ invert = !card->ipato.invert4;
4805 ++ } else if (kstrtobool(buf, &invert)) {
4806 + rc = -EINVAL;
4807 ++ goto out;
4808 ++ }
4809 ++
4810 ++ if (card->ipato.invert4 != invert) {
4811 ++ card->ipato.invert4 = invert;
4812 ++ spin_lock_bh(&card->ip_lock);
4813 ++ qeth_l3_update_ipato(card);
4814 ++ spin_unlock_bh(&card->ip_lock);
4815 ++ }
4816 ++out:
4817 + mutex_unlock(&card->conf_mutex);
4818 + return rc ? rc : count;
4819 + }
4820 +@@ -607,20 +607,27 @@ static ssize_t qeth_l3_dev_ipato_invert6_store(struct device *dev,
4821 + struct device_attribute *attr, const char *buf, size_t count)
4822 + {
4823 + struct qeth_card *card = dev_get_drvdata(dev);
4824 ++ bool invert;
4825 + int rc = 0;
4826 +
4827 + if (!card)
4828 + return -EINVAL;
4829 +
4830 + mutex_lock(&card->conf_mutex);
4831 +- if (sysfs_streq(buf, "toggle"))
4832 +- card->ipato.invert6 = (card->ipato.invert6)? 0 : 1;
4833 +- else if (sysfs_streq(buf, "1"))
4834 +- card->ipato.invert6 = 1;
4835 +- else if (sysfs_streq(buf, "0"))
4836 +- card->ipato.invert6 = 0;
4837 +- else
4838 ++ if (sysfs_streq(buf, "toggle")) {
4839 ++ invert = !card->ipato.invert6;
4840 ++ } else if (kstrtobool(buf, &invert)) {
4841 + rc = -EINVAL;
4842 ++ goto out;
4843 ++ }
4844 ++
4845 ++ if (card->ipato.invert6 != invert) {
4846 ++ card->ipato.invert6 = invert;
4847 ++ spin_lock_bh(&card->ip_lock);
4848 ++ qeth_l3_update_ipato(card);
4849 ++ spin_unlock_bh(&card->ip_lock);
4850 ++ }
4851 ++out:
4852 + mutex_unlock(&card->conf_mutex);
4853 + return rc ? rc : count;
4854 + }
4855 +diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c
4856 +index a4f28b7e4c65..e18877177f1b 100644
4857 +--- a/drivers/scsi/osd/osd_initiator.c
4858 ++++ b/drivers/scsi/osd/osd_initiator.c
4859 +@@ -1576,7 +1576,9 @@ static struct request *_make_request(struct request_queue *q, bool has_write,
4860 + return req;
4861 +
4862 + for_each_bio(bio) {
4863 +- ret = blk_rq_append_bio(req, bio);
4864 ++ struct bio *bounce_bio = bio;
4865 ++
4866 ++ ret = blk_rq_append_bio(req, &bounce_bio);
4867 + if (ret)
4868 + return ERR_PTR(ret);
4869 + }
4870 +diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c
4871 +index 93e2c90fa77d..83dc3292e9ab 100644
4872 +--- a/drivers/staging/android/ion/ion.c
4873 ++++ b/drivers/staging/android/ion/ion.c
4874 +@@ -348,7 +348,7 @@ static int ion_dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
4875 + mutex_lock(&buffer->lock);
4876 + list_for_each_entry(a, &buffer->attachments, list) {
4877 + dma_sync_sg_for_cpu(a->dev, a->table->sgl, a->table->nents,
4878 +- DMA_BIDIRECTIONAL);
4879 ++ direction);
4880 + }
4881 + mutex_unlock(&buffer->lock);
4882 +
4883 +@@ -370,7 +370,7 @@ static int ion_dma_buf_end_cpu_access(struct dma_buf *dmabuf,
4884 + mutex_lock(&buffer->lock);
4885 + list_for_each_entry(a, &buffer->attachments, list) {
4886 + dma_sync_sg_for_device(a->dev, a->table->sgl, a->table->nents,
4887 +- DMA_BIDIRECTIONAL);
4888 ++ direction);
4889 + }
4890 + mutex_unlock(&buffer->lock);
4891 +
4892 +diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
4893 +index 7c69b4a9694d..0d99b242e82e 100644
4894 +--- a/drivers/target/target_core_pscsi.c
4895 ++++ b/drivers/target/target_core_pscsi.c
4896 +@@ -920,7 +920,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
4897 + " %d i: %d bio: %p, allocating another"
4898 + " bio\n", bio->bi_vcnt, i, bio);
4899 +
4900 +- rc = blk_rq_append_bio(req, bio);
4901 ++ rc = blk_rq_append_bio(req, &bio);
4902 + if (rc) {
4903 + pr_err("pSCSI: failed to append bio\n");
4904 + goto fail;
4905 +@@ -938,7 +938,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
4906 + }
4907 +
4908 + if (bio) {
4909 +- rc = blk_rq_append_bio(req, bio);
4910 ++ rc = blk_rq_append_bio(req, &bio);
4911 + if (rc) {
4912 + pr_err("pSCSI: failed to append bio\n");
4913 + goto fail;
4914 +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
4915 +index bdf0e6e89991..faf50df81622 100644
4916 +--- a/drivers/tty/n_tty.c
4917 ++++ b/drivers/tty/n_tty.c
4918 +@@ -1764,7 +1764,7 @@ static void n_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
4919 + {
4920 + struct n_tty_data *ldata = tty->disc_data;
4921 +
4922 +- if (!old || (old->c_lflag ^ tty->termios.c_lflag) & ICANON) {
4923 ++ if (!old || (old->c_lflag ^ tty->termios.c_lflag) & (ICANON | EXTPROC)) {
4924 + bitmap_zero(ldata->read_flags, N_TTY_BUF_SIZE);
4925 + ldata->line_start = ldata->read_tail;
4926 + if (!L_ICANON(tty) || !read_cnt(ldata)) {
4927 +@@ -2427,7 +2427,7 @@ static int n_tty_ioctl(struct tty_struct *tty, struct file *file,
4928 + return put_user(tty_chars_in_buffer(tty), (int __user *) arg);
4929 + case TIOCINQ:
4930 + down_write(&tty->termios_rwsem);
4931 +- if (L_ICANON(tty))
4932 ++ if (L_ICANON(tty) && !L_EXTPROC(tty))
4933 + retval = inq_canon(ldata);
4934 + else
4935 + retval = read_cnt(ldata);
4936 +diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
4937 +index f8eba1c5412f..677fa99b7747 100644
4938 +--- a/drivers/tty/tty_buffer.c
4939 ++++ b/drivers/tty/tty_buffer.c
4940 +@@ -446,7 +446,7 @@ EXPORT_SYMBOL_GPL(tty_prepare_flip_string);
4941 + * Callers other than flush_to_ldisc() need to exclude the kworker
4942 + * from concurrent use of the line discipline, see paste_selection().
4943 + *
4944 +- * Returns the number of bytes not processed
4945 ++ * Returns the number of bytes processed
4946 + */
4947 + int tty_ldisc_receive_buf(struct tty_ldisc *ld, const unsigned char *p,
4948 + char *f, int count)
4949 +diff --git a/drivers/usb/chipidea/ci_hdrc_msm.c b/drivers/usb/chipidea/ci_hdrc_msm.c
4950 +index bb626120296f..53f3bf459dd1 100644
4951 +--- a/drivers/usb/chipidea/ci_hdrc_msm.c
4952 ++++ b/drivers/usb/chipidea/ci_hdrc_msm.c
4953 +@@ -251,7 +251,7 @@ static int ci_hdrc_msm_probe(struct platform_device *pdev)
4954 + if (ret)
4955 + goto err_mux;
4956 +
4957 +- ulpi_node = of_find_node_by_name(of_node_get(pdev->dev.of_node), "ulpi");
4958 ++ ulpi_node = of_get_child_by_name(pdev->dev.of_node, "ulpi");
4959 + if (ulpi_node) {
4960 + phy_node = of_get_next_available_child(ulpi_node, NULL);
4961 + ci->hsic = of_device_is_compatible(phy_node, "qcom,usb-hsic-phy");
4962 +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
4963 +index 843ef46d2537..9e3355b97396 100644
4964 +--- a/drivers/usb/core/config.c
4965 ++++ b/drivers/usb/core/config.c
4966 +@@ -1007,7 +1007,7 @@ int usb_get_bos_descriptor(struct usb_device *dev)
4967 + case USB_SSP_CAP_TYPE:
4968 + ssp_cap = (struct usb_ssp_cap_descriptor *)buffer;
4969 + ssac = (le32_to_cpu(ssp_cap->bmAttributes) &
4970 +- USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
4971 ++ USB_SSP_SUBLINK_SPEED_ATTRIBS);
4972 + if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))
4973 + dev->bos->ssp_cap = ssp_cap;
4974 + break;
4975 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
4976 +index 50010282c010..c05c4f877750 100644
4977 +--- a/drivers/usb/core/quirks.c
4978 ++++ b/drivers/usb/core/quirks.c
4979 +@@ -57,10 +57,11 @@ static const struct usb_device_id usb_quirk_list[] = {
4980 + /* Microsoft LifeCam-VX700 v2.0 */
4981 + { USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
4982 +
4983 +- /* Logitech HD Pro Webcams C920, C920-C and C930e */
4984 ++ /* Logitech HD Pro Webcams C920, C920-C, C925e and C930e */
4985 + { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT },
4986 + { USB_DEVICE(0x046d, 0x0841), .driver_info = USB_QUIRK_DELAY_INIT },
4987 + { USB_DEVICE(0x046d, 0x0843), .driver_info = USB_QUIRK_DELAY_INIT },
4988 ++ { USB_DEVICE(0x046d, 0x085b), .driver_info = USB_QUIRK_DELAY_INIT },
4989 +
4990 + /* Logitech ConferenceCam CC3000e */
4991 + { USB_DEVICE(0x046d, 0x0847), .driver_info = USB_QUIRK_DELAY_INIT },
4992 +@@ -154,6 +155,9 @@ static const struct usb_device_id usb_quirk_list[] = {
4993 + /* Genesys Logic hub, internally used by KY-688 USB 3.1 Type-C Hub */
4994 + { USB_DEVICE(0x05e3, 0x0612), .driver_info = USB_QUIRK_NO_LPM },
4995 +
4996 ++ /* ELSA MicroLink 56K */
4997 ++ { USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME },
4998 ++
4999 + /* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */
5000 + { USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM },
5001 +
5002 +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
5003 +index 76f392954733..abb8f19ae40f 100644
5004 +--- a/drivers/usb/host/xhci-pci.c
5005 ++++ b/drivers/usb/host/xhci-pci.c
5006 +@@ -189,6 +189,9 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
5007 + xhci->quirks |= XHCI_TRUST_TX_LENGTH;
5008 + xhci->quirks |= XHCI_BROKEN_STREAMS;
5009 + }
5010 ++ if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
5011 ++ pdev->device == 0x0014)
5012 ++ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
5013 + if (pdev->vendor == PCI_VENDOR_ID_RENESAS &&
5014 + pdev->device == 0x0015)
5015 + xhci->quirks |= XHCI_RESET_ON_RESUME;
5016 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
5017 +index 49d1b2d4606d..d038e543c246 100644
5018 +--- a/drivers/usb/serial/ftdi_sio.c
5019 ++++ b/drivers/usb/serial/ftdi_sio.c
5020 +@@ -1017,6 +1017,7 @@ static const struct usb_device_id id_table_combined[] = {
5021 + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
5022 + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
5023 + { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
5024 ++ { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
5025 + { } /* Terminating entry */
5026 + };
5027 +
5028 +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
5029 +index 4faa09fe308c..8b4ecd2bd297 100644
5030 +--- a/drivers/usb/serial/ftdi_sio_ids.h
5031 ++++ b/drivers/usb/serial/ftdi_sio_ids.h
5032 +@@ -914,6 +914,12 @@
5033 + #define ICPDAS_I7561U_PID 0x0104
5034 + #define ICPDAS_I7563U_PID 0x0105
5035 +
5036 ++/*
5037 ++ * Airbus Defence and Space
5038 ++ */
5039 ++#define AIRBUS_DS_VID 0x1e8e /* Vendor ID */
5040 ++#define AIRBUS_DS_P8GR 0x6001 /* Tetra P8GR */
5041 ++
5042 + /*
5043 + * RT Systems programming cables for various ham radios
5044 + */
5045 +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
5046 +index 54e316b1892d..a9400458ccea 100644
5047 +--- a/drivers/usb/serial/option.c
5048 ++++ b/drivers/usb/serial/option.c
5049 +@@ -236,6 +236,8 @@ static void option_instat_callback(struct urb *urb);
5050 + /* These Quectel products use Qualcomm's vendor ID */
5051 + #define QUECTEL_PRODUCT_UC20 0x9003
5052 + #define QUECTEL_PRODUCT_UC15 0x9090
5053 ++/* These Yuga products use Qualcomm's vendor ID */
5054 ++#define YUGA_PRODUCT_CLM920_NC5 0x9625
5055 +
5056 + #define QUECTEL_VENDOR_ID 0x2c7c
5057 + /* These Quectel products use Quectel's vendor ID */
5058 +@@ -283,6 +285,7 @@ static void option_instat_callback(struct urb *urb);
5059 + #define TELIT_PRODUCT_LE922_USBCFG3 0x1043
5060 + #define TELIT_PRODUCT_LE922_USBCFG5 0x1045
5061 + #define TELIT_PRODUCT_ME910 0x1100
5062 ++#define TELIT_PRODUCT_ME910_DUAL_MODEM 0x1101
5063 + #define TELIT_PRODUCT_LE920 0x1200
5064 + #define TELIT_PRODUCT_LE910 0x1201
5065 + #define TELIT_PRODUCT_LE910_USBCFG4 0x1206
5066 +@@ -648,6 +651,11 @@ static const struct option_blacklist_info telit_me910_blacklist = {
5067 + .reserved = BIT(1) | BIT(3),
5068 + };
5069 +
5070 ++static const struct option_blacklist_info telit_me910_dual_modem_blacklist = {
5071 ++ .sendsetup = BIT(0),
5072 ++ .reserved = BIT(3),
5073 ++};
5074 ++
5075 + static const struct option_blacklist_info telit_le910_blacklist = {
5076 + .sendsetup = BIT(0),
5077 + .reserved = BIT(1) | BIT(2),
5078 +@@ -677,6 +685,10 @@ static const struct option_blacklist_info cinterion_rmnet2_blacklist = {
5079 + .reserved = BIT(4) | BIT(5),
5080 + };
5081 +
5082 ++static const struct option_blacklist_info yuga_clm920_nc5_blacklist = {
5083 ++ .reserved = BIT(1) | BIT(4),
5084 ++};
5085 ++
5086 + static const struct usb_device_id option_ids[] = {
5087 + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
5088 + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) },
5089 +@@ -1181,6 +1193,9 @@ static const struct usb_device_id option_ids[] = {
5090 + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
5091 + { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
5092 + .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
5093 ++ /* Yuga products use Qualcomm vendor ID */
5094 ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, YUGA_PRODUCT_CLM920_NC5),
5095 ++ .driver_info = (kernel_ulong_t)&yuga_clm920_nc5_blacklist },
5096 + /* Quectel products using Quectel vendor ID */
5097 + { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21),
5098 + .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
5099 +@@ -1247,6 +1262,8 @@ static const struct usb_device_id option_ids[] = {
5100 + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
5101 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
5102 + .driver_info = (kernel_ulong_t)&telit_me910_blacklist },
5103 ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
5104 ++ .driver_info = (kernel_ulong_t)&telit_me910_dual_modem_blacklist },
5105 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
5106 + .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
5107 + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
5108 +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
5109 +index 9f9d3a904464..55a8fb25ce2b 100644
5110 +--- a/drivers/usb/serial/qcserial.c
5111 ++++ b/drivers/usb/serial/qcserial.c
5112 +@@ -166,6 +166,8 @@ static const struct usb_device_id id_table[] = {
5113 + {DEVICE_SWI(0x1199, 0x9079)}, /* Sierra Wireless EM74xx */
5114 + {DEVICE_SWI(0x1199, 0x907a)}, /* Sierra Wireless EM74xx QDL */
5115 + {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */
5116 ++ {DEVICE_SWI(0x1199, 0x9090)}, /* Sierra Wireless EM7565 QDL */
5117 ++ {DEVICE_SWI(0x1199, 0x9091)}, /* Sierra Wireless EM7565 */
5118 + {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
5119 + {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
5120 + {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
5121 +@@ -346,6 +348,7 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
5122 + break;
5123 + case 2:
5124 + dev_dbg(dev, "NMEA GPS interface found\n");
5125 ++ sendsetup = true;
5126 + break;
5127 + case 3:
5128 + dev_dbg(dev, "Modem port found\n");
5129 +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
5130 +index c653ce533430..720408d39f11 100644
5131 +--- a/drivers/usb/usbip/stub_dev.c
5132 ++++ b/drivers/usb/usbip/stub_dev.c
5133 +@@ -163,8 +163,7 @@ static void stub_shutdown_connection(struct usbip_device *ud)
5134 + * step 1?
5135 + */
5136 + if (ud->tcp_socket) {
5137 +- dev_dbg(&sdev->udev->dev, "shutdown tcp_socket %p\n",
5138 +- ud->tcp_socket);
5139 ++ dev_dbg(&sdev->udev->dev, "shutdown sockfd %d\n", ud->sockfd);
5140 + kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
5141 + }
5142 +
5143 +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c
5144 +index 7170404e8979..6968c906fa29 100644
5145 +--- a/drivers/usb/usbip/stub_main.c
5146 ++++ b/drivers/usb/usbip/stub_main.c
5147 +@@ -251,11 +251,12 @@ void stub_device_cleanup_urbs(struct stub_device *sdev)
5148 + struct stub_priv *priv;
5149 + struct urb *urb;
5150 +
5151 +- dev_dbg(&sdev->udev->dev, "free sdev %p\n", sdev);
5152 ++ dev_dbg(&sdev->udev->dev, "Stub device cleaning up urbs\n");
5153 +
5154 + while ((priv = stub_priv_pop(sdev))) {
5155 + urb = priv->urb;
5156 +- dev_dbg(&sdev->udev->dev, "free urb %p\n", urb);
5157 ++ dev_dbg(&sdev->udev->dev, "free urb seqnum %lu\n",
5158 ++ priv->seqnum);
5159 + usb_kill_urb(urb);
5160 +
5161 + kmem_cache_free(stub_priv_cache, priv);
5162 +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
5163 +index 283a9be77a22..5b807185f79e 100644
5164 +--- a/drivers/usb/usbip/stub_rx.c
5165 ++++ b/drivers/usb/usbip/stub_rx.c
5166 +@@ -225,9 +225,6 @@ static int stub_recv_cmd_unlink(struct stub_device *sdev,
5167 + if (priv->seqnum != pdu->u.cmd_unlink.seqnum)
5168 + continue;
5169 +
5170 +- dev_info(&priv->urb->dev->dev, "unlink urb %p\n",
5171 +- priv->urb);
5172 +-
5173 + /*
5174 + * This matched urb is not completed yet (i.e., be in
5175 + * flight in usb hcd hardware/driver). Now we are
5176 +@@ -266,8 +263,8 @@ static int stub_recv_cmd_unlink(struct stub_device *sdev,
5177 + ret = usb_unlink_urb(priv->urb);
5178 + if (ret != -EINPROGRESS)
5179 + dev_err(&priv->urb->dev->dev,
5180 +- "failed to unlink a urb %p, ret %d\n",
5181 +- priv->urb, ret);
5182 ++ "failed to unlink a urb # %lu, ret %d\n",
5183 ++ priv->seqnum, ret);
5184 +
5185 + return 0;
5186 + }
5187 +diff --git a/drivers/usb/usbip/stub_tx.c b/drivers/usb/usbip/stub_tx.c
5188 +index 87ff94be4235..96aa375b80d9 100644
5189 +--- a/drivers/usb/usbip/stub_tx.c
5190 ++++ b/drivers/usb/usbip/stub_tx.c
5191 +@@ -102,7 +102,7 @@ void stub_complete(struct urb *urb)
5192 + /* link a urb to the queue of tx. */
5193 + spin_lock_irqsave(&sdev->priv_lock, flags);
5194 + if (sdev->ud.tcp_socket == NULL) {
5195 +- usbip_dbg_stub_tx("ignore urb for closed connection %p", urb);
5196 ++ usbip_dbg_stub_tx("ignore urb for closed connection\n");
5197 + /* It will be freed in stub_device_cleanup_urbs(). */
5198 + } else if (priv->unlinking) {
5199 + stub_enqueue_ret_unlink(sdev, priv->seqnum, urb->status);
5200 +@@ -204,8 +204,8 @@ static int stub_send_ret_submit(struct stub_device *sdev)
5201 +
5202 + /* 1. setup usbip_header */
5203 + setup_ret_submit_pdu(&pdu_header, urb);
5204 +- usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
5205 +- pdu_header.base.seqnum, urb);
5206 ++ usbip_dbg_stub_tx("setup txdata seqnum: %d\n",
5207 ++ pdu_header.base.seqnum);
5208 + usbip_header_correct_endian(&pdu_header, 1);
5209 +
5210 + iov[iovnum].iov_base = &pdu_header;
5211 +diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
5212 +index 2281f3562870..17b599b923f3 100644
5213 +--- a/drivers/usb/usbip/usbip_common.c
5214 ++++ b/drivers/usb/usbip/usbip_common.c
5215 +@@ -331,26 +331,20 @@ int usbip_recv(struct socket *sock, void *buf, int size)
5216 + struct msghdr msg = {.msg_flags = MSG_NOSIGNAL};
5217 + int total = 0;
5218 +
5219 ++ if (!sock || !buf || !size)
5220 ++ return -EINVAL;
5221 ++
5222 + iov_iter_kvec(&msg.msg_iter, READ|ITER_KVEC, &iov, 1, size);
5223 +
5224 + usbip_dbg_xmit("enter\n");
5225 +
5226 +- if (!sock || !buf || !size) {
5227 +- pr_err("invalid arg, sock %p buff %p size %d\n", sock, buf,
5228 +- size);
5229 +- return -EINVAL;
5230 +- }
5231 +-
5232 + do {
5233 +- int sz = msg_data_left(&msg);
5234 ++ msg_data_left(&msg);
5235 + sock->sk->sk_allocation = GFP_NOIO;
5236 +
5237 + result = sock_recvmsg(sock, &msg, MSG_WAITALL);
5238 +- if (result <= 0) {
5239 +- pr_debug("receive sock %p buf %p size %u ret %d total %d\n",
5240 +- sock, buf + total, sz, result, total);
5241 ++ if (result <= 0)
5242 + goto err;
5243 +- }
5244 +
5245 + total += result;
5246 + } while (msg_data_left(&msg));
5247 +diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
5248 +index 1f0cf81cc145..692cfdef667e 100644
5249 +--- a/drivers/usb/usbip/vhci_hcd.c
5250 ++++ b/drivers/usb/usbip/vhci_hcd.c
5251 +@@ -670,9 +670,6 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
5252 + struct vhci_device *vdev;
5253 + unsigned long flags;
5254 +
5255 +- usbip_dbg_vhci_hc("enter, usb_hcd %p urb %p mem_flags %d\n",
5256 +- hcd, urb, mem_flags);
5257 +-
5258 + if (portnum > VHCI_HC_PORTS) {
5259 + pr_err("invalid port number %d\n", portnum);
5260 + return -ENODEV;
5261 +@@ -836,8 +833,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
5262 + struct vhci_device *vdev;
5263 + unsigned long flags;
5264 +
5265 +- pr_info("dequeue a urb %p\n", urb);
5266 +-
5267 + spin_lock_irqsave(&vhci->lock, flags);
5268 +
5269 + priv = urb->hcpriv;
5270 +@@ -865,7 +860,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
5271 + /* tcp connection is closed */
5272 + spin_lock(&vdev->priv_lock);
5273 +
5274 +- pr_info("device %p seems to be disconnected\n", vdev);
5275 + list_del(&priv->list);
5276 + kfree(priv);
5277 + urb->hcpriv = NULL;
5278 +@@ -877,8 +871,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
5279 + * vhci_rx will receive RET_UNLINK and give back the URB.
5280 + * Otherwise, we give back it here.
5281 + */
5282 +- pr_info("gives back urb %p\n", urb);
5283 +-
5284 + usb_hcd_unlink_urb_from_ep(hcd, urb);
5285 +
5286 + spin_unlock_irqrestore(&vhci->lock, flags);
5287 +@@ -906,8 +898,6 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
5288 +
5289 + unlink->unlink_seqnum = priv->seqnum;
5290 +
5291 +- pr_info("device %p seems to be still connected\n", vdev);
5292 +-
5293 + /* send cmd_unlink and try to cancel the pending URB in the
5294 + * peer */
5295 + list_add_tail(&unlink->list, &vdev->unlink_tx);
5296 +@@ -989,7 +979,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud)
5297 +
5298 + /* need this? see stub_dev.c */
5299 + if (ud->tcp_socket) {
5300 +- pr_debug("shutdown tcp_socket %p\n", ud->tcp_socket);
5301 ++ pr_debug("shutdown tcp_socket %d\n", ud->sockfd);
5302 + kernel_sock_shutdown(ud->tcp_socket, SHUT_RDWR);
5303 + }
5304 +
5305 +diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c
5306 +index ef2f2d5ca6b2..1343037d00f9 100644
5307 +--- a/drivers/usb/usbip/vhci_rx.c
5308 ++++ b/drivers/usb/usbip/vhci_rx.c
5309 +@@ -37,24 +37,23 @@ struct urb *pickup_urb_and_free_priv(struct vhci_device *vdev, __u32 seqnum)
5310 + urb = priv->urb;
5311 + status = urb->status;
5312 +
5313 +- usbip_dbg_vhci_rx("find urb %p vurb %p seqnum %u\n",
5314 +- urb, priv, seqnum);
5315 ++ usbip_dbg_vhci_rx("find urb seqnum %u\n", seqnum);
5316 +
5317 + switch (status) {
5318 + case -ENOENT:
5319 + /* fall through */
5320 + case -ECONNRESET:
5321 +- dev_info(&urb->dev->dev,
5322 +- "urb %p was unlinked %ssynchronuously.\n", urb,
5323 +- status == -ENOENT ? "" : "a");
5324 ++ dev_dbg(&urb->dev->dev,
5325 ++ "urb seq# %u was unlinked %ssynchronuously\n",
5326 ++ seqnum, status == -ENOENT ? "" : "a");
5327 + break;
5328 + case -EINPROGRESS:
5329 + /* no info output */
5330 + break;
5331 + default:
5332 +- dev_info(&urb->dev->dev,
5333 +- "urb %p may be in a error, status %d\n", urb,
5334 +- status);
5335 ++ dev_dbg(&urb->dev->dev,
5336 ++ "urb seq# %u may be in a error, status %d\n",
5337 ++ seqnum, status);
5338 + }
5339 +
5340 + list_del(&priv->list);
5341 +@@ -81,8 +80,8 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
5342 + spin_unlock_irqrestore(&vdev->priv_lock, flags);
5343 +
5344 + if (!urb) {
5345 +- pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
5346 +- pr_info("max seqnum %d\n",
5347 ++ pr_err("cannot find a urb of seqnum %u max seqnum %d\n",
5348 ++ pdu->base.seqnum,
5349 + atomic_read(&vhci_hcd->seqnum));
5350 + usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
5351 + return;
5352 +@@ -105,7 +104,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
5353 + if (usbip_dbg_flag_vhci_rx)
5354 + usbip_dump_urb(urb);
5355 +
5356 +- usbip_dbg_vhci_rx("now giveback urb %p\n", urb);
5357 ++ usbip_dbg_vhci_rx("now giveback urb %u\n", pdu->base.seqnum);
5358 +
5359 + spin_lock_irqsave(&vhci->lock, flags);
5360 + usb_hcd_unlink_urb_from_ep(vhci_hcd_to_hcd(vhci_hcd), urb);
5361 +@@ -172,7 +171,7 @@ static void vhci_recv_ret_unlink(struct vhci_device *vdev,
5362 + pr_info("the urb (seqnum %d) was already given back\n",
5363 + pdu->base.seqnum);
5364 + } else {
5365 +- usbip_dbg_vhci_rx("now giveback urb %p\n", urb);
5366 ++ usbip_dbg_vhci_rx("now giveback urb %d\n", pdu->base.seqnum);
5367 +
5368 + /* If unlink is successful, status is -ECONNRESET */
5369 + urb->status = pdu->u.ret_unlink.status;
5370 +diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c
5371 +index 3e7878fe2fd4..a9a663a578b6 100644
5372 +--- a/drivers/usb/usbip/vhci_tx.c
5373 ++++ b/drivers/usb/usbip/vhci_tx.c
5374 +@@ -83,7 +83,8 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev)
5375 + memset(&msg, 0, sizeof(msg));
5376 + memset(&iov, 0, sizeof(iov));
5377 +
5378 +- usbip_dbg_vhci_tx("setup txdata urb %p\n", urb);
5379 ++ usbip_dbg_vhci_tx("setup txdata urb seqnum %lu\n",
5380 ++ priv->seqnum);
5381 +
5382 + /* 1. setup usbip_header */
5383 + setup_cmd_submit_pdu(&pdu_header, urb);
5384 +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
5385 +index fd47bd96b5d3..6362e3606aa5 100644
5386 +--- a/include/linux/blkdev.h
5387 ++++ b/include/linux/blkdev.h
5388 +@@ -241,14 +241,24 @@ struct request {
5389 + struct request *next_rq;
5390 + };
5391 +
5392 ++static inline bool blk_op_is_scsi(unsigned int op)
5393 ++{
5394 ++ return op == REQ_OP_SCSI_IN || op == REQ_OP_SCSI_OUT;
5395 ++}
5396 ++
5397 ++static inline bool blk_op_is_private(unsigned int op)
5398 ++{
5399 ++ return op == REQ_OP_DRV_IN || op == REQ_OP_DRV_OUT;
5400 ++}
5401 ++
5402 + static inline bool blk_rq_is_scsi(struct request *rq)
5403 + {
5404 +- return req_op(rq) == REQ_OP_SCSI_IN || req_op(rq) == REQ_OP_SCSI_OUT;
5405 ++ return blk_op_is_scsi(req_op(rq));
5406 + }
5407 +
5408 + static inline bool blk_rq_is_private(struct request *rq)
5409 + {
5410 +- return req_op(rq) == REQ_OP_DRV_IN || req_op(rq) == REQ_OP_DRV_OUT;
5411 ++ return blk_op_is_private(req_op(rq));
5412 + }
5413 +
5414 + static inline bool blk_rq_is_passthrough(struct request *rq)
5415 +@@ -256,6 +266,13 @@ static inline bool blk_rq_is_passthrough(struct request *rq)
5416 + return blk_rq_is_scsi(rq) || blk_rq_is_private(rq);
5417 + }
5418 +
5419 ++static inline bool bio_is_passthrough(struct bio *bio)
5420 ++{
5421 ++ unsigned op = bio_op(bio);
5422 ++
5423 ++ return blk_op_is_scsi(op) || blk_op_is_private(op);
5424 ++}
5425 ++
5426 + static inline unsigned short req_get_ioprio(struct request *req)
5427 + {
5428 + return req->ioprio;
5429 +@@ -952,7 +969,7 @@ extern int blk_rq_prep_clone(struct request *rq, struct request *rq_src,
5430 + extern void blk_rq_unprep_clone(struct request *rq);
5431 + extern blk_status_t blk_insert_cloned_request(struct request_queue *q,
5432 + struct request *rq);
5433 +-extern int blk_rq_append_bio(struct request *rq, struct bio *bio);
5434 ++extern int blk_rq_append_bio(struct request *rq, struct bio **bio);
5435 + extern void blk_delay_queue(struct request_queue *, unsigned long);
5436 + extern void blk_queue_split(struct request_queue *, struct bio **);
5437 + extern void blk_recount_segments(struct request_queue *, struct bio *);
5438 +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
5439 +index 2477a5cb5bd5..fb83dee528a1 100644
5440 +--- a/include/linux/cpuhotplug.h
5441 ++++ b/include/linux/cpuhotplug.h
5442 +@@ -86,7 +86,7 @@ enum cpuhp_state {
5443 + CPUHP_MM_ZSWP_POOL_PREPARE,
5444 + CPUHP_KVM_PPC_BOOK3S_PREPARE,
5445 + CPUHP_ZCOMP_PREPARE,
5446 +- CPUHP_TIMERS_DEAD,
5447 ++ CPUHP_TIMERS_PREPARE,
5448 + CPUHP_MIPS_SOC_PREPARE,
5449 + CPUHP_BP_PREPARE_DYN,
5450 + CPUHP_BP_PREPARE_DYN_END = CPUHP_BP_PREPARE_DYN + 20,
5451 +diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
5452 +index ea04ca024f0d..067a6fa675ed 100644
5453 +--- a/include/linux/ipv6.h
5454 ++++ b/include/linux/ipv6.h
5455 +@@ -272,7 +272,8 @@ struct ipv6_pinfo {
5456 + * 100: prefer care-of address
5457 + */
5458 + dontfrag:1,
5459 +- autoflowlabel:1;
5460 ++ autoflowlabel:1,
5461 ++ autoflowlabel_set:1;
5462 + __u8 min_hopcount;
5463 + __u8 tclass;
5464 + __be32 rcv_flowinfo;
5465 +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
5466 +index 401c8972cc3a..8b3d0103c03a 100644
5467 +--- a/include/linux/mlx5/driver.h
5468 ++++ b/include/linux/mlx5/driver.h
5469 +@@ -546,6 +546,7 @@ struct mlx5_core_sriov {
5470 + };
5471 +
5472 + struct mlx5_irq_info {
5473 ++ cpumask_var_t mask;
5474 + char name[MLX5_MAX_IRQ_NAME];
5475 + };
5476 +
5477 +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
5478 +index 69772347f866..c8091f06eaa4 100644
5479 +--- a/include/linux/mlx5/mlx5_ifc.h
5480 ++++ b/include/linux/mlx5/mlx5_ifc.h
5481 +@@ -147,7 +147,7 @@ enum {
5482 + MLX5_CMD_OP_ALLOC_Q_COUNTER = 0x771,
5483 + MLX5_CMD_OP_DEALLOC_Q_COUNTER = 0x772,
5484 + MLX5_CMD_OP_QUERY_Q_COUNTER = 0x773,
5485 +- MLX5_CMD_OP_SET_RATE_LIMIT = 0x780,
5486 ++ MLX5_CMD_OP_SET_PP_RATE_LIMIT = 0x780,
5487 + MLX5_CMD_OP_QUERY_RATE_LIMIT = 0x781,
5488 + MLX5_CMD_OP_CREATE_SCHEDULING_ELEMENT = 0x782,
5489 + MLX5_CMD_OP_DESTROY_SCHEDULING_ELEMENT = 0x783,
5490 +@@ -7233,7 +7233,7 @@ struct mlx5_ifc_add_vxlan_udp_dport_in_bits {
5491 + u8 vxlan_udp_port[0x10];
5492 + };
5493 +
5494 +-struct mlx5_ifc_set_rate_limit_out_bits {
5495 ++struct mlx5_ifc_set_pp_rate_limit_out_bits {
5496 + u8 status[0x8];
5497 + u8 reserved_at_8[0x18];
5498 +
5499 +@@ -7242,7 +7242,7 @@ struct mlx5_ifc_set_rate_limit_out_bits {
5500 + u8 reserved_at_40[0x40];
5501 + };
5502 +
5503 +-struct mlx5_ifc_set_rate_limit_in_bits {
5504 ++struct mlx5_ifc_set_pp_rate_limit_in_bits {
5505 + u8 opcode[0x10];
5506 + u8 reserved_at_10[0x10];
5507 +
5508 +@@ -7255,6 +7255,8 @@ struct mlx5_ifc_set_rate_limit_in_bits {
5509 + u8 reserved_at_60[0x20];
5510 +
5511 + u8 rate_limit[0x20];
5512 ++
5513 ++ u8 reserved_at_a0[0x160];
5514 + };
5515 +
5516 + struct mlx5_ifc_access_register_out_bits {
5517 +diff --git a/include/linux/pti.h b/include/linux/pti.h
5518 +new file mode 100644
5519 +index 000000000000..0174883a935a
5520 +--- /dev/null
5521 ++++ b/include/linux/pti.h
5522 +@@ -0,0 +1,11 @@
5523 ++// SPDX-License-Identifier: GPL-2.0
5524 ++#ifndef _INCLUDE_PTI_H
5525 ++#define _INCLUDE_PTI_H
5526 ++
5527 ++#ifdef CONFIG_PAGE_TABLE_ISOLATION
5528 ++#include <asm/pti.h>
5529 ++#else
5530 ++static inline void pti_init(void) { }
5531 ++#endif
5532 ++
5533 ++#endif
5534 +diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
5535 +index 37b4bb2545b3..6866df4f31b5 100644
5536 +--- a/include/linux/ptr_ring.h
5537 ++++ b/include/linux/ptr_ring.h
5538 +@@ -101,12 +101,18 @@ static inline bool ptr_ring_full_bh(struct ptr_ring *r)
5539 +
5540 + /* Note: callers invoking this in a loop must use a compiler barrier,
5541 + * for example cpu_relax(). Callers must hold producer_lock.
5542 ++ * Callers are responsible for making sure pointer that is being queued
5543 ++ * points to a valid data.
5544 + */
5545 + static inline int __ptr_ring_produce(struct ptr_ring *r, void *ptr)
5546 + {
5547 + if (unlikely(!r->size) || r->queue[r->producer])
5548 + return -ENOSPC;
5549 +
5550 ++ /* Make sure the pointer we are storing points to a valid data. */
5551 ++ /* Pairs with smp_read_barrier_depends in __ptr_ring_consume. */
5552 ++ smp_wmb();
5553 ++
5554 + r->queue[r->producer++] = ptr;
5555 + if (unlikely(r->producer >= r->size))
5556 + r->producer = 0;
5557 +@@ -275,6 +281,9 @@ static inline void *__ptr_ring_consume(struct ptr_ring *r)
5558 + if (ptr)
5559 + __ptr_ring_discard_one(r);
5560 +
5561 ++ /* Make sure anyone accessing data through the pointer is up to date. */
5562 ++ /* Pairs with smp_wmb in __ptr_ring_produce. */
5563 ++ smp_read_barrier_depends();
5564 + return ptr;
5565 + }
5566 +
5567 +diff --git a/include/linux/tcp.h b/include/linux/tcp.h
5568 +index 4aa40ef02d32..e8418fc77a43 100644
5569 +--- a/include/linux/tcp.h
5570 ++++ b/include/linux/tcp.h
5571 +@@ -214,7 +214,8 @@ struct tcp_sock {
5572 + u8 chrono_type:2, /* current chronograph type */
5573 + rate_app_limited:1, /* rate_{delivered,interval_us} limited? */
5574 + fastopen_connect:1, /* FASTOPEN_CONNECT sockopt */
5575 +- unused:4;
5576 ++ is_sack_reneg:1, /* in recovery from loss with SACK reneg? */
5577 ++ unused:3;
5578 + u8 nonagle : 4,/* Disable Nagle algorithm? */
5579 + thin_lto : 1,/* Use linear timeouts for thin streams */
5580 + unused1 : 1,
5581 +diff --git a/include/linux/tick.h b/include/linux/tick.h
5582 +index cf413b344ddb..5cdac11dd317 100644
5583 +--- a/include/linux/tick.h
5584 ++++ b/include/linux/tick.h
5585 +@@ -119,6 +119,7 @@ extern void tick_nohz_idle_exit(void);
5586 + extern void tick_nohz_irq_exit(void);
5587 + extern ktime_t tick_nohz_get_sleep_length(void);
5588 + extern unsigned long tick_nohz_get_idle_calls(void);
5589 ++extern unsigned long tick_nohz_get_idle_calls_cpu(int cpu);
5590 + extern u64 get_cpu_idle_time_us(int cpu, u64 *last_update_time);
5591 + extern u64 get_cpu_iowait_time_us(int cpu, u64 *last_update_time);
5592 + #else /* !CONFIG_NO_HZ_COMMON */
5593 +diff --git a/include/linux/timer.h b/include/linux/timer.h
5594 +index ac66f29c6916..e0ea1fe87572 100644
5595 +--- a/include/linux/timer.h
5596 ++++ b/include/linux/timer.h
5597 +@@ -246,9 +246,11 @@ unsigned long round_jiffies_up(unsigned long j);
5598 + unsigned long round_jiffies_up_relative(unsigned long j);
5599 +
5600 + #ifdef CONFIG_HOTPLUG_CPU
5601 ++int timers_prepare_cpu(unsigned int cpu);
5602 + int timers_dead_cpu(unsigned int cpu);
5603 + #else
5604 +-#define timers_dead_cpu NULL
5605 ++#define timers_prepare_cpu NULL
5606 ++#define timers_dead_cpu NULL
5607 + #endif
5608 +
5609 + #endif
5610 +diff --git a/include/net/ip.h b/include/net/ip.h
5611 +index 9896f46cbbf1..af8addbaa3c1 100644
5612 +--- a/include/net/ip.h
5613 ++++ b/include/net/ip.h
5614 +@@ -34,6 +34,7 @@
5615 + #include <net/flow_dissector.h>
5616 +
5617 + #define IPV4_MAX_PMTU 65535U /* RFC 2675, Section 5.1 */
5618 ++#define IPV4_MIN_MTU 68 /* RFC 791 */
5619 +
5620 + struct sock;
5621 +
5622 +diff --git a/include/net/tcp.h b/include/net/tcp.h
5623 +index 6ced69940f5c..0a13574134b8 100644
5624 +--- a/include/net/tcp.h
5625 ++++ b/include/net/tcp.h
5626 +@@ -1085,7 +1085,7 @@ void tcp_rate_skb_sent(struct sock *sk, struct sk_buff *skb);
5627 + void tcp_rate_skb_delivered(struct sock *sk, struct sk_buff *skb,
5628 + struct rate_sample *rs);
5629 + void tcp_rate_gen(struct sock *sk, u32 delivered, u32 lost,
5630 +- struct rate_sample *rs);
5631 ++ bool is_sack_reneg, struct rate_sample *rs);
5632 + void tcp_rate_check_app_limited(struct sock *sk);
5633 +
5634 + /* These functions determine how the current flow behaves in respect of SACK
5635 +diff --git a/init/main.c b/init/main.c
5636 +index 8a390f60ec81..b32ec72cdf3d 100644
5637 +--- a/init/main.c
5638 ++++ b/init/main.c
5639 +@@ -75,6 +75,7 @@
5640 + #include <linux/slab.h>
5641 + #include <linux/perf_event.h>
5642 + #include <linux/ptrace.h>
5643 ++#include <linux/pti.h>
5644 + #include <linux/blkdev.h>
5645 + #include <linux/elevator.h>
5646 + #include <linux/sched_clock.h>
5647 +@@ -506,6 +507,8 @@ static void __init mm_init(void)
5648 + ioremap_huge_init();
5649 + /* Should be run before the first non-init thread is created */
5650 + init_espfix_bsp();
5651 ++ /* Should be run after espfix64 is set up. */
5652 ++ pti_init();
5653 + }
5654 +
5655 + asmlinkage __visible void __init start_kernel(void)
5656 +diff --git a/kernel/cpu.c b/kernel/cpu.c
5657 +index 7891aecc6aec..f21bfa3172d8 100644
5658 +--- a/kernel/cpu.c
5659 ++++ b/kernel/cpu.c
5660 +@@ -1277,9 +1277,9 @@ static struct cpuhp_step cpuhp_bp_states[] = {
5661 + * before blk_mq_queue_reinit_notify() from notify_dead(),
5662 + * otherwise a RCU stall occurs.
5663 + */
5664 +- [CPUHP_TIMERS_DEAD] = {
5665 ++ [CPUHP_TIMERS_PREPARE] = {
5666 + .name = "timers:dead",
5667 +- .startup.single = NULL,
5668 ++ .startup.single = timers_prepare_cpu,
5669 + .teardown.single = timers_dead_cpu,
5670 + },
5671 + /* Kicks the plugged cpu into life */
5672 +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
5673 +index 2f52ec0f1539..d6717a3331a1 100644
5674 +--- a/kernel/sched/cpufreq_schedutil.c
5675 ++++ b/kernel/sched/cpufreq_schedutil.c
5676 +@@ -244,7 +244,7 @@ static void sugov_iowait_boost(struct sugov_cpu *sg_cpu, unsigned long *util,
5677 + #ifdef CONFIG_NO_HZ_COMMON
5678 + static bool sugov_cpu_is_busy(struct sugov_cpu *sg_cpu)
5679 + {
5680 +- unsigned long idle_calls = tick_nohz_get_idle_calls();
5681 ++ unsigned long idle_calls = tick_nohz_get_idle_calls_cpu(sg_cpu->cpu);
5682 + bool ret = idle_calls == sg_cpu->saved_idle_calls;
5683 +
5684 + sg_cpu->saved_idle_calls = idle_calls;
5685 +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
5686 +index c7a899c5ce64..dfa4a117fee3 100644
5687 +--- a/kernel/time/tick-sched.c
5688 ++++ b/kernel/time/tick-sched.c
5689 +@@ -674,6 +674,11 @@ static void tick_nohz_restart(struct tick_sched *ts, ktime_t now)
5690 + ts->next_tick = 0;
5691 + }
5692 +
5693 ++static inline bool local_timer_softirq_pending(void)
5694 ++{
5695 ++ return local_softirq_pending() & TIMER_SOFTIRQ;
5696 ++}
5697 ++
5698 + static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts,
5699 + ktime_t now, int cpu)
5700 + {
5701 +@@ -690,8 +695,18 @@ static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts,
5702 + } while (read_seqretry(&jiffies_lock, seq));
5703 + ts->last_jiffies = basejiff;
5704 +
5705 +- if (rcu_needs_cpu(basemono, &next_rcu) ||
5706 +- arch_needs_cpu() || irq_work_needs_cpu()) {
5707 ++ /*
5708 ++ * Keep the periodic tick, when RCU, architecture or irq_work
5709 ++ * requests it.
5710 ++ * Aside of that check whether the local timer softirq is
5711 ++ * pending. If so its a bad idea to call get_next_timer_interrupt()
5712 ++ * because there is an already expired timer, so it will request
5713 ++ * immeditate expiry, which rearms the hardware timer with a
5714 ++ * minimal delta which brings us back to this place
5715 ++ * immediately. Lather, rinse and repeat...
5716 ++ */
5717 ++ if (rcu_needs_cpu(basemono, &next_rcu) || arch_needs_cpu() ||
5718 ++ irq_work_needs_cpu() || local_timer_softirq_pending()) {
5719 + next_tick = basemono + TICK_NSEC;
5720 + } else {
5721 + /*
5722 +@@ -1009,6 +1024,19 @@ ktime_t tick_nohz_get_sleep_length(void)
5723 + return ts->sleep_length;
5724 + }
5725 +
5726 ++/**
5727 ++ * tick_nohz_get_idle_calls_cpu - return the current idle calls counter value
5728 ++ * for a particular CPU.
5729 ++ *
5730 ++ * Called from the schedutil frequency scaling governor in scheduler context.
5731 ++ */
5732 ++unsigned long tick_nohz_get_idle_calls_cpu(int cpu)
5733 ++{
5734 ++ struct tick_sched *ts = tick_get_tick_sched(cpu);
5735 ++
5736 ++ return ts->idle_calls;
5737 ++}
5738 ++
5739 + /**
5740 + * tick_nohz_get_idle_calls - return the current idle calls counter value
5741 + *
5742 +diff --git a/kernel/time/timer.c b/kernel/time/timer.c
5743 +index f2674a056c26..73e3cdbc61f1 100644
5744 +--- a/kernel/time/timer.c
5745 ++++ b/kernel/time/timer.c
5746 +@@ -814,11 +814,10 @@ static inline struct timer_base *get_timer_cpu_base(u32 tflags, u32 cpu)
5747 + struct timer_base *base = per_cpu_ptr(&timer_bases[BASE_STD], cpu);
5748 +
5749 + /*
5750 +- * If the timer is deferrable and nohz is active then we need to use
5751 +- * the deferrable base.
5752 ++ * If the timer is deferrable and NO_HZ_COMMON is set then we need
5753 ++ * to use the deferrable base.
5754 + */
5755 +- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active &&
5756 +- (tflags & TIMER_DEFERRABLE))
5757 ++ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE))
5758 + base = per_cpu_ptr(&timer_bases[BASE_DEF], cpu);
5759 + return base;
5760 + }
5761 +@@ -828,11 +827,10 @@ static inline struct timer_base *get_timer_this_cpu_base(u32 tflags)
5762 + struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
5763 +
5764 + /*
5765 +- * If the timer is deferrable and nohz is active then we need to use
5766 +- * the deferrable base.
5767 ++ * If the timer is deferrable and NO_HZ_COMMON is set then we need
5768 ++ * to use the deferrable base.
5769 + */
5770 +- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active &&
5771 +- (tflags & TIMER_DEFERRABLE))
5772 ++ if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && (tflags & TIMER_DEFERRABLE))
5773 + base = this_cpu_ptr(&timer_bases[BASE_DEF]);
5774 + return base;
5775 + }
5776 +@@ -984,8 +982,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
5777 + if (!ret && pending_only)
5778 + goto out_unlock;
5779 +
5780 +- debug_activate(timer, expires);
5781 +-
5782 + new_base = get_target_base(base, timer->flags);
5783 +
5784 + if (base != new_base) {
5785 +@@ -1009,6 +1005,8 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only)
5786 + }
5787 + }
5788 +
5789 ++ debug_activate(timer, expires);
5790 ++
5791 + timer->expires = expires;
5792 + /*
5793 + * If 'idx' was calculated above and the base time did not advance
5794 +@@ -1644,7 +1642,7 @@ static __latent_entropy void run_timer_softirq(struct softirq_action *h)
5795 + base->must_forward_clk = false;
5796 +
5797 + __run_timers(base);
5798 +- if (IS_ENABLED(CONFIG_NO_HZ_COMMON) && base->nohz_active)
5799 ++ if (IS_ENABLED(CONFIG_NO_HZ_COMMON))
5800 + __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF]));
5801 + }
5802 +
5803 +@@ -1803,6 +1801,21 @@ static void migrate_timer_list(struct timer_base *new_base, struct hlist_head *h
5804 + }
5805 + }
5806 +
5807 ++int timers_prepare_cpu(unsigned int cpu)
5808 ++{
5809 ++ struct timer_base *base;
5810 ++ int b;
5811 ++
5812 ++ for (b = 0; b < NR_BASES; b++) {
5813 ++ base = per_cpu_ptr(&timer_bases[b], cpu);
5814 ++ base->clk = jiffies;
5815 ++ base->next_expiry = base->clk + NEXT_TIMER_MAX_DELTA;
5816 ++ base->is_idle = false;
5817 ++ base->must_forward_clk = true;
5818 ++ }
5819 ++ return 0;
5820 ++}
5821 ++
5822 + int timers_dead_cpu(unsigned int cpu)
5823 + {
5824 + struct timer_base *old_base;
5825 +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
5826 +index 81279c6602ff..0476a9372014 100644
5827 +--- a/kernel/trace/ring_buffer.c
5828 ++++ b/kernel/trace/ring_buffer.c
5829 +@@ -281,6 +281,8 @@ EXPORT_SYMBOL_GPL(ring_buffer_event_data);
5830 + /* Missed count stored at end */
5831 + #define RB_MISSED_STORED (1 << 30)
5832 +
5833 ++#define RB_MISSED_FLAGS (RB_MISSED_EVENTS|RB_MISSED_STORED)
5834 ++
5835 + struct buffer_data_page {
5836 + u64 time_stamp; /* page time stamp */
5837 + local_t commit; /* write committed index */
5838 +@@ -332,7 +334,9 @@ static void rb_init_page(struct buffer_data_page *bpage)
5839 + */
5840 + size_t ring_buffer_page_len(void *page)
5841 + {
5842 +- return local_read(&((struct buffer_data_page *)page)->commit)
5843 ++ struct buffer_data_page *bpage = page;
5844 ++
5845 ++ return (local_read(&bpage->commit) & ~RB_MISSED_FLAGS)
5846 + + BUF_PAGE_HDR_SIZE;
5847 + }
5848 +
5849 +@@ -4439,8 +4443,13 @@ void ring_buffer_free_read_page(struct ring_buffer *buffer, int cpu, void *data)
5850 + {
5851 + struct ring_buffer_per_cpu *cpu_buffer = buffer->buffers[cpu];
5852 + struct buffer_data_page *bpage = data;
5853 ++ struct page *page = virt_to_page(bpage);
5854 + unsigned long flags;
5855 +
5856 ++ /* If the page is still in use someplace else, we can't reuse it */
5857 ++ if (page_ref_count(page) > 1)
5858 ++ goto out;
5859 ++
5860 + local_irq_save(flags);
5861 + arch_spin_lock(&cpu_buffer->lock);
5862 +
5863 +@@ -4452,6 +4461,7 @@ void ring_buffer_free_read_page(struct ring_buffer *buffer, int cpu, void *data)
5864 + arch_spin_unlock(&cpu_buffer->lock);
5865 + local_irq_restore(flags);
5866 +
5867 ++ out:
5868 + free_page((unsigned long)bpage);
5869 + }
5870 + EXPORT_SYMBOL_GPL(ring_buffer_free_read_page);
5871 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
5872 +index 80de14973b42..76bcc80b893e 100644
5873 +--- a/kernel/trace/trace.c
5874 ++++ b/kernel/trace/trace.c
5875 +@@ -6769,7 +6769,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
5876 + .spd_release = buffer_spd_release,
5877 + };
5878 + struct buffer_ref *ref;
5879 +- int entries, size, i;
5880 ++ int entries, i;
5881 + ssize_t ret = 0;
5882 +
5883 + #ifdef CONFIG_TRACER_MAX_TRACE
5884 +@@ -6823,14 +6823,6 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
5885 + break;
5886 + }
5887 +
5888 +- /*
5889 +- * zero out any left over data, this is going to
5890 +- * user land.
5891 +- */
5892 +- size = ring_buffer_page_len(ref->page);
5893 +- if (size < PAGE_SIZE)
5894 +- memset(ref->page + size, 0, PAGE_SIZE - size);
5895 +-
5896 + page = virt_to_page(ref->page);
5897 +
5898 + spd.pages[i] = page;
5899 +@@ -7588,6 +7580,7 @@ allocate_trace_buffer(struct trace_array *tr, struct trace_buffer *buf, int size
5900 + buf->data = alloc_percpu(struct trace_array_cpu);
5901 + if (!buf->data) {
5902 + ring_buffer_free(buf->buffer);
5903 ++ buf->buffer = NULL;
5904 + return -ENOMEM;
5905 + }
5906 +
5907 +@@ -7611,7 +7604,9 @@ static int allocate_trace_buffers(struct trace_array *tr, int size)
5908 + allocate_snapshot ? size : 1);
5909 + if (WARN_ON(ret)) {
5910 + ring_buffer_free(tr->trace_buffer.buffer);
5911 ++ tr->trace_buffer.buffer = NULL;
5912 + free_percpu(tr->trace_buffer.data);
5913 ++ tr->trace_buffer.data = NULL;
5914 + return -ENOMEM;
5915 + }
5916 + tr->allocated_snapshot = allocate_snapshot;
5917 +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
5918 +index de2152730809..08190db0a2dc 100644
5919 +--- a/net/bridge/br_netlink.c
5920 ++++ b/net/bridge/br_netlink.c
5921 +@@ -1223,19 +1223,20 @@ static int br_dev_newlink(struct net *src_net, struct net_device *dev,
5922 + struct net_bridge *br = netdev_priv(dev);
5923 + int err;
5924 +
5925 ++ err = register_netdevice(dev);
5926 ++ if (err)
5927 ++ return err;
5928 ++
5929 + if (tb[IFLA_ADDRESS]) {
5930 + spin_lock_bh(&br->lock);
5931 + br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS]));
5932 + spin_unlock_bh(&br->lock);
5933 + }
5934 +
5935 +- err = register_netdevice(dev);
5936 +- if (err)
5937 +- return err;
5938 +-
5939 + err = br_changelink(dev, tb, data, extack);
5940 + if (err)
5941 +- unregister_netdevice(dev);
5942 ++ br_dev_delete(dev, NULL);
5943 ++
5944 + return err;
5945 + }
5946 +
5947 +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
5948 +index 6cfdc7c84c48..0dd6359e5924 100644
5949 +--- a/net/core/net_namespace.c
5950 ++++ b/net/core/net_namespace.c
5951 +@@ -266,7 +266,7 @@ struct net *get_net_ns_by_id(struct net *net, int id)
5952 + spin_lock_bh(&net->nsid_lock);
5953 + peer = idr_find(&net->netns_ids, id);
5954 + if (peer)
5955 +- get_net(peer);
5956 ++ peer = maybe_get_net(peer);
5957 + spin_unlock_bh(&net->nsid_lock);
5958 + rcu_read_unlock();
5959 +
5960 +diff --git a/net/core/skbuff.c b/net/core/skbuff.c
5961 +index e140ba49b30a..15fa5baa8fae 100644
5962 +--- a/net/core/skbuff.c
5963 ++++ b/net/core/skbuff.c
5964 +@@ -1181,12 +1181,12 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
5965 + int i, new_frags;
5966 + u32 d_off;
5967 +
5968 +- if (!num_frags)
5969 +- return 0;
5970 +-
5971 + if (skb_shared(skb) || skb_unclone(skb, gfp_mask))
5972 + return -EINVAL;
5973 +
5974 ++ if (!num_frags)
5975 ++ goto release;
5976 ++
5977 + new_frags = (__skb_pagelen(skb) + PAGE_SIZE - 1) >> PAGE_SHIFT;
5978 + for (i = 0; i < new_frags; i++) {
5979 + page = alloc_page(gfp_mask);
5980 +@@ -1242,6 +1242,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
5981 + __skb_fill_page_desc(skb, new_frags - 1, head, 0, d_off);
5982 + skb_shinfo(skb)->nr_frags = new_frags;
5983 +
5984 ++release:
5985 + skb_zcopy_clear(skb, false);
5986 + return 0;
5987 + }
5988 +@@ -3657,8 +3658,6 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
5989 +
5990 + skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
5991 + SKBTX_SHARED_FRAG;
5992 +- if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC))
5993 +- goto err;
5994 +
5995 + while (pos < offset + len) {
5996 + if (i >= nfrags) {
5997 +@@ -3684,6 +3683,8 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
5998 +
5999 + if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
6000 + goto err;
6001 ++ if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
6002 ++ goto err;
6003 +
6004 + *nskb_frag = *frag;
6005 + __skb_frag_ref(nskb_frag);
6006 +@@ -4296,7 +4297,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
6007 + struct sock *sk = skb->sk;
6008 +
6009 + if (!skb_may_tx_timestamp(sk, false))
6010 +- return;
6011 ++ goto err;
6012 +
6013 + /* Take a reference to prevent skb_orphan() from freeing the socket,
6014 + * but only if the socket refcount is not zero.
6015 +@@ -4305,7 +4306,11 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
6016 + *skb_hwtstamps(skb) = *hwtstamps;
6017 + __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
6018 + sock_put(sk);
6019 ++ return;
6020 + }
6021 ++
6022 ++err:
6023 ++ kfree_skb(skb);
6024 + }
6025 + EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
6026 +
6027 +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
6028 +index d7adc0616599..bffa88ecc534 100644
6029 +--- a/net/ipv4/devinet.c
6030 ++++ b/net/ipv4/devinet.c
6031 +@@ -1420,7 +1420,7 @@ static void inetdev_changename(struct net_device *dev, struct in_device *in_dev)
6032 +
6033 + static bool inetdev_valid_mtu(unsigned int mtu)
6034 + {
6035 +- return mtu >= 68;
6036 ++ return mtu >= IPV4_MIN_MTU;
6037 + }
6038 +
6039 + static void inetdev_send_gratuitous_arp(struct net_device *dev,
6040 +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
6041 +index 37819ab4cc74..d72874150905 100644
6042 +--- a/net/ipv4/fib_frontend.c
6043 ++++ b/net/ipv4/fib_frontend.c
6044 +@@ -1274,14 +1274,19 @@ static int __net_init ip_fib_net_init(struct net *net)
6045 +
6046 + static void ip_fib_net_exit(struct net *net)
6047 + {
6048 +- unsigned int i;
6049 ++ int i;
6050 +
6051 + rtnl_lock();
6052 + #ifdef CONFIG_IP_MULTIPLE_TABLES
6053 + RCU_INIT_POINTER(net->ipv4.fib_main, NULL);
6054 + RCU_INIT_POINTER(net->ipv4.fib_default, NULL);
6055 + #endif
6056 +- for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
6057 ++ /* Destroy the tables in reverse order to guarantee that the
6058 ++ * local table, ID 255, is destroyed before the main table, ID
6059 ++ * 254. This is necessary as the local table may contain
6060 ++ * references to data contained in the main table.
6061 ++ */
6062 ++ for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) {
6063 + struct hlist_head *head = &net->ipv4.fib_table_hash[i];
6064 + struct hlist_node *tmp;
6065 + struct fib_table *tb;
6066 +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
6067 +index 01ed22139ac2..aff3751df950 100644
6068 +--- a/net/ipv4/fib_semantics.c
6069 ++++ b/net/ipv4/fib_semantics.c
6070 +@@ -706,7 +706,7 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi)
6071 +
6072 + nla_for_each_attr(nla, cfg->fc_mx, cfg->fc_mx_len, remaining) {
6073 + int type = nla_type(nla);
6074 +- u32 val;
6075 ++ u32 fi_val, val;
6076 +
6077 + if (!type)
6078 + continue;
6079 +@@ -723,7 +723,11 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi)
6080 + val = nla_get_u32(nla);
6081 + }
6082 +
6083 +- if (fi->fib_metrics->metrics[type - 1] != val)
6084 ++ fi_val = fi->fib_metrics->metrics[type - 1];
6085 ++ if (type == RTAX_FEATURES)
6086 ++ fi_val &= ~DST_FEATURE_ECN_CA;
6087 ++
6088 ++ if (fi_val != val)
6089 + return false;
6090 + }
6091 +
6092 +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
6093 +index ab183af0b5b6..c621266e0306 100644
6094 +--- a/net/ipv4/igmp.c
6095 ++++ b/net/ipv4/igmp.c
6096 +@@ -89,6 +89,7 @@
6097 + #include <linux/rtnetlink.h>
6098 + #include <linux/times.h>
6099 + #include <linux/pkt_sched.h>
6100 ++#include <linux/byteorder/generic.h>
6101 +
6102 + #include <net/net_namespace.h>
6103 + #include <net/arp.h>
6104 +@@ -321,6 +322,23 @@ igmp_scount(struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted)
6105 + return scount;
6106 + }
6107 +
6108 ++/* source address selection per RFC 3376 section 4.2.13 */
6109 ++static __be32 igmpv3_get_srcaddr(struct net_device *dev,
6110 ++ const struct flowi4 *fl4)
6111 ++{
6112 ++ struct in_device *in_dev = __in_dev_get_rcu(dev);
6113 ++
6114 ++ if (!in_dev)
6115 ++ return htonl(INADDR_ANY);
6116 ++
6117 ++ for_ifa(in_dev) {
6118 ++ if (inet_ifa_match(fl4->saddr, ifa))
6119 ++ return fl4->saddr;
6120 ++ } endfor_ifa(in_dev);
6121 ++
6122 ++ return htonl(INADDR_ANY);
6123 ++}
6124 ++
6125 + static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
6126 + {
6127 + struct sk_buff *skb;
6128 +@@ -368,7 +386,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
6129 + pip->frag_off = htons(IP_DF);
6130 + pip->ttl = 1;
6131 + pip->daddr = fl4.daddr;
6132 +- pip->saddr = fl4.saddr;
6133 ++ pip->saddr = igmpv3_get_srcaddr(dev, &fl4);
6134 + pip->protocol = IPPROTO_IGMP;
6135 + pip->tot_len = 0; /* filled in later */
6136 + ip_select_ident(net, skb, NULL);
6137 +@@ -404,16 +422,17 @@ static int grec_size(struct ip_mc_list *pmc, int type, int gdel, int sdel)
6138 + }
6139 +
6140 + static struct sk_buff *add_grhead(struct sk_buff *skb, struct ip_mc_list *pmc,
6141 +- int type, struct igmpv3_grec **ppgr)
6142 ++ int type, struct igmpv3_grec **ppgr, unsigned int mtu)
6143 + {
6144 + struct net_device *dev = pmc->interface->dev;
6145 + struct igmpv3_report *pih;
6146 + struct igmpv3_grec *pgr;
6147 +
6148 +- if (!skb)
6149 +- skb = igmpv3_newpack(dev, dev->mtu);
6150 +- if (!skb)
6151 +- return NULL;
6152 ++ if (!skb) {
6153 ++ skb = igmpv3_newpack(dev, mtu);
6154 ++ if (!skb)
6155 ++ return NULL;
6156 ++ }
6157 + pgr = skb_put(skb, sizeof(struct igmpv3_grec));
6158 + pgr->grec_type = type;
6159 + pgr->grec_auxwords = 0;
6160 +@@ -436,12 +455,17 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
6161 + struct igmpv3_grec *pgr = NULL;
6162 + struct ip_sf_list *psf, *psf_next, *psf_prev, **psf_list;
6163 + int scount, stotal, first, isquery, truncate;
6164 ++ unsigned int mtu;
6165 +
6166 + if (pmc->multiaddr == IGMP_ALL_HOSTS)
6167 + return skb;
6168 + if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports)
6169 + return skb;
6170 +
6171 ++ mtu = READ_ONCE(dev->mtu);
6172 ++ if (mtu < IPV4_MIN_MTU)
6173 ++ return skb;
6174 ++
6175 + isquery = type == IGMPV3_MODE_IS_INCLUDE ||
6176 + type == IGMPV3_MODE_IS_EXCLUDE;
6177 + truncate = type == IGMPV3_MODE_IS_EXCLUDE ||
6178 +@@ -462,7 +486,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
6179 + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) {
6180 + if (skb)
6181 + igmpv3_sendpack(skb);
6182 +- skb = igmpv3_newpack(dev, dev->mtu);
6183 ++ skb = igmpv3_newpack(dev, mtu);
6184 + }
6185 + }
6186 + first = 1;
6187 +@@ -498,12 +522,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
6188 + pgr->grec_nsrcs = htons(scount);
6189 + if (skb)
6190 + igmpv3_sendpack(skb);
6191 +- skb = igmpv3_newpack(dev, dev->mtu);
6192 ++ skb = igmpv3_newpack(dev, mtu);
6193 + first = 1;
6194 + scount = 0;
6195 + }
6196 + if (first) {
6197 +- skb = add_grhead(skb, pmc, type, &pgr);
6198 ++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
6199 + first = 0;
6200 + }
6201 + if (!skb)
6202 +@@ -538,7 +562,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
6203 + igmpv3_sendpack(skb);
6204 + skb = NULL; /* add_grhead will get a new one */
6205 + }
6206 +- skb = add_grhead(skb, pmc, type, &pgr);
6207 ++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
6208 + }
6209 + }
6210 + if (pgr)
6211 +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
6212 +index e9805ad664ac..4e90082b23a6 100644
6213 +--- a/net/ipv4/ip_tunnel.c
6214 ++++ b/net/ipv4/ip_tunnel.c
6215 +@@ -349,8 +349,8 @@ static int ip_tunnel_bind_dev(struct net_device *dev)
6216 + dev->needed_headroom = t_hlen + hlen;
6217 + mtu -= (dev->hard_header_len + t_hlen);
6218 +
6219 +- if (mtu < 68)
6220 +- mtu = 68;
6221 ++ if (mtu < IPV4_MIN_MTU)
6222 ++ mtu = IPV4_MIN_MTU;
6223 +
6224 + return mtu;
6225 + }
6226 +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
6227 +index 33b70bfd1122..125c1eab3eaa 100644
6228 +--- a/net/ipv4/raw.c
6229 ++++ b/net/ipv4/raw.c
6230 +@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
6231 + int err;
6232 + struct ip_options_data opt_copy;
6233 + struct raw_frag_vec rfv;
6234 ++ int hdrincl;
6235 +
6236 + err = -EMSGSIZE;
6237 + if (len > 0xFFFF)
6238 + goto out;
6239 +
6240 ++ /* hdrincl should be READ_ONCE(inet->hdrincl)
6241 ++ * but READ_ONCE() doesn't work with bit fields
6242 ++ */
6243 ++ hdrincl = inet->hdrincl;
6244 + /*
6245 + * Check the flags.
6246 + */
6247 +@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
6248 + /* Linux does not mangle headers on raw sockets,
6249 + * so that IP options + IP_HDRINCL is non-sense.
6250 + */
6251 +- if (inet->hdrincl)
6252 ++ if (hdrincl)
6253 + goto done;
6254 + if (ipc.opt->opt.srr) {
6255 + if (!daddr)
6256 +@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
6257 +
6258 + flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
6259 + RT_SCOPE_UNIVERSE,
6260 +- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
6261 ++ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
6262 + inet_sk_flowi_flags(sk) |
6263 +- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
6264 ++ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
6265 + daddr, saddr, 0, 0, sk->sk_uid);
6266 +
6267 +- if (!inet->hdrincl) {
6268 ++ if (!hdrincl) {
6269 + rfv.msg = msg;
6270 + rfv.hlen = 0;
6271 +
6272 +@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
6273 + goto do_confirm;
6274 + back_from_confirm:
6275 +
6276 +- if (inet->hdrincl)
6277 ++ if (hdrincl)
6278 + err = raw_send_hdrinc(sk, &fl4, msg, len,
6279 + &rt, msg->msg_flags, &ipc.sockc);
6280 +
6281 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
6282 +index 5091402720ab..a0c72b09cefc 100644
6283 +--- a/net/ipv4/tcp.c
6284 ++++ b/net/ipv4/tcp.c
6285 +@@ -2356,6 +2356,7 @@ int tcp_disconnect(struct sock *sk, int flags)
6286 + tp->snd_cwnd_cnt = 0;
6287 + tp->window_clamp = 0;
6288 + tcp_set_ca_state(sk, TCP_CA_Open);
6289 ++ tp->is_sack_reneg = 0;
6290 + tcp_clear_retrans(tp);
6291 + inet_csk_delack_init(sk);
6292 + /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
6293 +diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
6294 +index 69ee877574d0..8322f26e770e 100644
6295 +--- a/net/ipv4/tcp_bbr.c
6296 ++++ b/net/ipv4/tcp_bbr.c
6297 +@@ -110,7 +110,8 @@ struct bbr {
6298 + u32 lt_last_lost; /* LT intvl start: tp->lost */
6299 + u32 pacing_gain:10, /* current gain for setting pacing rate */
6300 + cwnd_gain:10, /* current gain for setting cwnd */
6301 +- full_bw_cnt:3, /* number of rounds without large bw gains */
6302 ++ full_bw_reached:1, /* reached full bw in Startup? */
6303 ++ full_bw_cnt:2, /* number of rounds without large bw gains */
6304 + cycle_idx:3, /* current index in pacing_gain cycle array */
6305 + has_seen_rtt:1, /* have we seen an RTT sample yet? */
6306 + unused_b:5;
6307 +@@ -180,7 +181,7 @@ static bool bbr_full_bw_reached(const struct sock *sk)
6308 + {
6309 + const struct bbr *bbr = inet_csk_ca(sk);
6310 +
6311 +- return bbr->full_bw_cnt >= bbr_full_bw_cnt;
6312 ++ return bbr->full_bw_reached;
6313 + }
6314 +
6315 + /* Return the windowed max recent bandwidth sample, in pkts/uS << BW_SCALE. */
6316 +@@ -717,6 +718,7 @@ static void bbr_check_full_bw_reached(struct sock *sk,
6317 + return;
6318 + }
6319 + ++bbr->full_bw_cnt;
6320 ++ bbr->full_bw_reached = bbr->full_bw_cnt >= bbr_full_bw_cnt;
6321 + }
6322 +
6323 + /* If pipe is probably full, drain the queue and then enter steady-state. */
6324 +@@ -850,6 +852,7 @@ static void bbr_init(struct sock *sk)
6325 + bbr->restore_cwnd = 0;
6326 + bbr->round_start = 0;
6327 + bbr->idle_restart = 0;
6328 ++ bbr->full_bw_reached = 0;
6329 + bbr->full_bw = 0;
6330 + bbr->full_bw_cnt = 0;
6331 + bbr->cycle_mstamp = 0;
6332 +@@ -871,6 +874,11 @@ static u32 bbr_sndbuf_expand(struct sock *sk)
6333 + */
6334 + static u32 bbr_undo_cwnd(struct sock *sk)
6335 + {
6336 ++ struct bbr *bbr = inet_csk_ca(sk);
6337 ++
6338 ++ bbr->full_bw = 0; /* spurious slow-down; reset full pipe detection */
6339 ++ bbr->full_bw_cnt = 0;
6340 ++ bbr_reset_lt_bw_sampling(sk);
6341 + return tcp_sk(sk)->snd_cwnd;
6342 + }
6343 +
6344 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
6345 +index c5447b9f8517..ff48ac654e5a 100644
6346 +--- a/net/ipv4/tcp_input.c
6347 ++++ b/net/ipv4/tcp_input.c
6348 +@@ -521,9 +521,6 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep)
6349 + u32 new_sample = tp->rcv_rtt_est.rtt_us;
6350 + long m = sample;
6351 +
6352 +- if (m == 0)
6353 +- m = 1;
6354 +-
6355 + if (new_sample != 0) {
6356 + /* If we sample in larger samples in the non-timestamp
6357 + * case, we could grossly overestimate the RTT especially
6358 +@@ -560,6 +557,8 @@ static inline void tcp_rcv_rtt_measure(struct tcp_sock *tp)
6359 + if (before(tp->rcv_nxt, tp->rcv_rtt_est.seq))
6360 + return;
6361 + delta_us = tcp_stamp_us_delta(tp->tcp_mstamp, tp->rcv_rtt_est.time);
6362 ++ if (!delta_us)
6363 ++ delta_us = 1;
6364 + tcp_rcv_rtt_update(tp, delta_us, 1);
6365 +
6366 + new_measure:
6367 +@@ -576,8 +575,11 @@ static inline void tcp_rcv_rtt_measure_ts(struct sock *sk,
6368 + (TCP_SKB_CB(skb)->end_seq -
6369 + TCP_SKB_CB(skb)->seq >= inet_csk(sk)->icsk_ack.rcv_mss)) {
6370 + u32 delta = tcp_time_stamp(tp) - tp->rx_opt.rcv_tsecr;
6371 +- u32 delta_us = delta * (USEC_PER_SEC / TCP_TS_HZ);
6372 ++ u32 delta_us;
6373 +
6374 ++ if (!delta)
6375 ++ delta = 1;
6376 ++ delta_us = delta * (USEC_PER_SEC / TCP_TS_HZ);
6377 + tcp_rcv_rtt_update(tp, delta_us, 0);
6378 + }
6379 + }
6380 +@@ -1975,6 +1977,8 @@ void tcp_enter_loss(struct sock *sk)
6381 + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSACKRENEGING);
6382 + tp->sacked_out = 0;
6383 + tp->fackets_out = 0;
6384 ++ /* Mark SACK reneging until we recover from this loss event. */
6385 ++ tp->is_sack_reneg = 1;
6386 + }
6387 + tcp_clear_all_retrans_hints(tp);
6388 +
6389 +@@ -2428,6 +2432,7 @@ static bool tcp_try_undo_recovery(struct sock *sk)
6390 + return true;
6391 + }
6392 + tcp_set_ca_state(sk, TCP_CA_Open);
6393 ++ tp->is_sack_reneg = 0;
6394 + return false;
6395 + }
6396 +
6397 +@@ -2459,8 +2464,10 @@ static bool tcp_try_undo_loss(struct sock *sk, bool frto_undo)
6398 + NET_INC_STATS(sock_net(sk),
6399 + LINUX_MIB_TCPSPURIOUSRTOS);
6400 + inet_csk(sk)->icsk_retransmits = 0;
6401 +- if (frto_undo || tcp_is_sack(tp))
6402 ++ if (frto_undo || tcp_is_sack(tp)) {
6403 + tcp_set_ca_state(sk, TCP_CA_Open);
6404 ++ tp->is_sack_reneg = 0;
6405 ++ }
6406 + return true;
6407 + }
6408 + return false;
6409 +@@ -3551,6 +3558,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
6410 + struct tcp_sacktag_state sack_state;
6411 + struct rate_sample rs = { .prior_delivered = 0 };
6412 + u32 prior_snd_una = tp->snd_una;
6413 ++ bool is_sack_reneg = tp->is_sack_reneg;
6414 + u32 ack_seq = TCP_SKB_CB(skb)->seq;
6415 + u32 ack = TCP_SKB_CB(skb)->ack_seq;
6416 + bool is_dupack = false;
6417 +@@ -3666,7 +3674,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
6418 +
6419 + delivered = tp->delivered - delivered; /* freshly ACKed or SACKed */
6420 + lost = tp->lost - lost; /* freshly marked lost */
6421 +- tcp_rate_gen(sk, delivered, lost, sack_state.rate);
6422 ++ tcp_rate_gen(sk, delivered, lost, is_sack_reneg, sack_state.rate);
6423 + tcp_cong_control(sk, ack, delivered, flag, sack_state.rate);
6424 + tcp_xmit_recovery(sk, rexmit);
6425 + return 1;
6426 +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
6427 +index 5a5ed4f14678..cab4b935e474 100644
6428 +--- a/net/ipv4/tcp_ipv4.c
6429 ++++ b/net/ipv4/tcp_ipv4.c
6430 +@@ -844,7 +844,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
6431 + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
6432 + req->ts_recent,
6433 + 0,
6434 +- tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr,
6435 ++ tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->saddr,
6436 + AF_INET),
6437 + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,
6438 + ip_hdr(skb)->tos);
6439 +diff --git a/net/ipv4/tcp_rate.c b/net/ipv4/tcp_rate.c
6440 +index 3330a370d306..c61240e43923 100644
6441 +--- a/net/ipv4/tcp_rate.c
6442 ++++ b/net/ipv4/tcp_rate.c
6443 +@@ -106,7 +106,7 @@ void tcp_rate_skb_delivered(struct sock *sk, struct sk_buff *skb,
6444 +
6445 + /* Update the connection delivery information and generate a rate sample. */
6446 + void tcp_rate_gen(struct sock *sk, u32 delivered, u32 lost,
6447 +- struct rate_sample *rs)
6448 ++ bool is_sack_reneg, struct rate_sample *rs)
6449 + {
6450 + struct tcp_sock *tp = tcp_sk(sk);
6451 + u32 snd_us, ack_us;
6452 +@@ -124,8 +124,12 @@ void tcp_rate_gen(struct sock *sk, u32 delivered, u32 lost,
6453 +
6454 + rs->acked_sacked = delivered; /* freshly ACKed or SACKed */
6455 + rs->losses = lost; /* freshly marked lost */
6456 +- /* Return an invalid sample if no timing information is available. */
6457 +- if (!rs->prior_mstamp) {
6458 ++ /* Return an invalid sample if no timing information is available or
6459 ++ * in recovery from loss with SACK reneging. Rate samples taken during
6460 ++ * a SACK reneging event may overestimate bw by including packets that
6461 ++ * were SACKed before the reneg.
6462 ++ */
6463 ++ if (!rs->prior_mstamp || is_sack_reneg) {
6464 + rs->delivered = -1;
6465 + rs->interval_us = -1;
6466 + return;
6467 +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
6468 +index 655dd8d7f064..e9af1879cd53 100644
6469 +--- a/net/ipv4/tcp_timer.c
6470 ++++ b/net/ipv4/tcp_timer.c
6471 +@@ -264,6 +264,7 @@ void tcp_delack_timer_handler(struct sock *sk)
6472 + icsk->icsk_ack.pingpong = 0;
6473 + icsk->icsk_ack.ato = TCP_ATO_MIN;
6474 + }
6475 ++ tcp_mstamp_refresh(tcp_sk(sk));
6476 + tcp_send_ack(sk);
6477 + __NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKS);
6478 + }
6479 +@@ -627,6 +628,7 @@ static void tcp_keepalive_timer (unsigned long data)
6480 + goto out;
6481 + }
6482 +
6483 ++ tcp_mstamp_refresh(tp);
6484 + if (sk->sk_state == TCP_FIN_WAIT2 && sock_flag(sk, SOCK_DEAD)) {
6485 + if (tp->linger2 >= 0) {
6486 + const int tmo = tcp_fin_time(sk) - TCP_TIMEWAIT_LEN;
6487 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
6488 +index 2ec39404c449..c5318f5f6a14 100644
6489 +--- a/net/ipv6/addrconf.c
6490 ++++ b/net/ipv6/addrconf.c
6491 +@@ -231,7 +231,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
6492 + .proxy_ndp = 0,
6493 + .accept_source_route = 0, /* we do not accept RH0 by default. */
6494 + .disable_ipv6 = 0,
6495 +- .accept_dad = 1,
6496 ++ .accept_dad = 0,
6497 + .suppress_frag_ndisc = 1,
6498 + .accept_ra_mtu = 1,
6499 + .stable_secret = {
6500 +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
6501 +index fe5262fd6aa5..bcbd5f3bf8bd 100644
6502 +--- a/net/ipv6/af_inet6.c
6503 ++++ b/net/ipv6/af_inet6.c
6504 +@@ -210,7 +210,6 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
6505 + np->mcast_hops = IPV6_DEFAULT_MCASTHOPS;
6506 + np->mc_loop = 1;
6507 + np->pmtudisc = IPV6_PMTUDISC_WANT;
6508 +- np->autoflowlabel = ip6_default_np_autolabel(net);
6509 + np->repflow = net->ipv6.sysctl.flowlabel_reflect;
6510 + sk->sk_ipv6only = net->ipv6.sysctl.bindv6only;
6511 +
6512 +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
6513 +index 5d6bee070871..7a2df6646486 100644
6514 +--- a/net/ipv6/ip6_gre.c
6515 ++++ b/net/ipv6/ip6_gre.c
6516 +@@ -1020,6 +1020,36 @@ static void ip6gre_tunnel_setup(struct net_device *dev)
6517 + eth_random_addr(dev->perm_addr);
6518 + }
6519 +
6520 ++#define GRE6_FEATURES (NETIF_F_SG | \
6521 ++ NETIF_F_FRAGLIST | \
6522 ++ NETIF_F_HIGHDMA | \
6523 ++ NETIF_F_HW_CSUM)
6524 ++
6525 ++static void ip6gre_tnl_init_features(struct net_device *dev)
6526 ++{
6527 ++ struct ip6_tnl *nt = netdev_priv(dev);
6528 ++
6529 ++ dev->features |= GRE6_FEATURES;
6530 ++ dev->hw_features |= GRE6_FEATURES;
6531 ++
6532 ++ if (!(nt->parms.o_flags & TUNNEL_SEQ)) {
6533 ++ /* TCP offload with GRE SEQ is not supported, nor
6534 ++ * can we support 2 levels of outer headers requiring
6535 ++ * an update.
6536 ++ */
6537 ++ if (!(nt->parms.o_flags & TUNNEL_CSUM) ||
6538 ++ nt->encap.type == TUNNEL_ENCAP_NONE) {
6539 ++ dev->features |= NETIF_F_GSO_SOFTWARE;
6540 ++ dev->hw_features |= NETIF_F_GSO_SOFTWARE;
6541 ++ }
6542 ++
6543 ++ /* Can use a lockless transmit, unless we generate
6544 ++ * output sequences
6545 ++ */
6546 ++ dev->features |= NETIF_F_LLTX;
6547 ++ }
6548 ++}
6549 ++
6550 + static int ip6gre_tunnel_init_common(struct net_device *dev)
6551 + {
6552 + struct ip6_tnl *tunnel;
6553 +@@ -1054,6 +1084,8 @@ static int ip6gre_tunnel_init_common(struct net_device *dev)
6554 + if (!(tunnel->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
6555 + dev->mtu -= 8;
6556 +
6557 ++ ip6gre_tnl_init_features(dev);
6558 ++
6559 + return 0;
6560 + }
6561 +
6562 +@@ -1302,11 +1334,6 @@ static const struct net_device_ops ip6gre_tap_netdev_ops = {
6563 + .ndo_get_iflink = ip6_tnl_get_iflink,
6564 + };
6565 +
6566 +-#define GRE6_FEATURES (NETIF_F_SG | \
6567 +- NETIF_F_FRAGLIST | \
6568 +- NETIF_F_HIGHDMA | \
6569 +- NETIF_F_HW_CSUM)
6570 +-
6571 + static void ip6gre_tap_setup(struct net_device *dev)
6572 + {
6573 +
6574 +@@ -1386,26 +1413,6 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
6575 + nt->net = dev_net(dev);
6576 + ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
6577 +
6578 +- dev->features |= GRE6_FEATURES;
6579 +- dev->hw_features |= GRE6_FEATURES;
6580 +-
6581 +- if (!(nt->parms.o_flags & TUNNEL_SEQ)) {
6582 +- /* TCP offload with GRE SEQ is not supported, nor
6583 +- * can we support 2 levels of outer headers requiring
6584 +- * an update.
6585 +- */
6586 +- if (!(nt->parms.o_flags & TUNNEL_CSUM) ||
6587 +- (nt->encap.type == TUNNEL_ENCAP_NONE)) {
6588 +- dev->features |= NETIF_F_GSO_SOFTWARE;
6589 +- dev->hw_features |= NETIF_F_GSO_SOFTWARE;
6590 +- }
6591 +-
6592 +- /* Can use a lockless transmit, unless we generate
6593 +- * output sequences
6594 +- */
6595 +- dev->features |= NETIF_F_LLTX;
6596 +- }
6597 +-
6598 + err = register_netdevice(dev);
6599 + if (err)
6600 + goto out;
6601 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
6602 +index 5110a418cc4d..f7dd51c42314 100644
6603 +--- a/net/ipv6/ip6_output.c
6604 ++++ b/net/ipv6/ip6_output.c
6605 +@@ -166,6 +166,14 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
6606 + !(IP6CB(skb)->flags & IP6SKB_REROUTED));
6607 + }
6608 +
6609 ++static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
6610 ++{
6611 ++ if (!np->autoflowlabel_set)
6612 ++ return ip6_default_np_autolabel(net);
6613 ++ else
6614 ++ return np->autoflowlabel;
6615 ++}
6616 ++
6617 + /*
6618 + * xmit an sk_buff (used by TCP, SCTP and DCCP)
6619 + * Note : socket lock is not held for SYNACK packets, but might be modified
6620 +@@ -230,7 +238,7 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
6621 + hlimit = ip6_dst_hoplimit(dst);
6622 +
6623 + ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
6624 +- np->autoflowlabel, fl6));
6625 ++ ip6_autoflowlabel(net, np), fl6));
6626 +
6627 + hdr->payload_len = htons(seg_len);
6628 + hdr->nexthdr = proto;
6629 +@@ -1626,7 +1634,7 @@ struct sk_buff *__ip6_make_skb(struct sock *sk,
6630 +
6631 + ip6_flow_hdr(hdr, v6_cork->tclass,
6632 + ip6_make_flowlabel(net, skb, fl6->flowlabel,
6633 +- np->autoflowlabel, fl6));
6634 ++ ip6_autoflowlabel(net, np), fl6));
6635 + hdr->hop_limit = v6_cork->hop_limit;
6636 + hdr->nexthdr = proto;
6637 + hdr->saddr = fl6->saddr;
6638 +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
6639 +index a1c24443cd9e..ef958d50746b 100644
6640 +--- a/net/ipv6/ip6_tunnel.c
6641 ++++ b/net/ipv6/ip6_tunnel.c
6642 +@@ -912,7 +912,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto,
6643 + if (t->parms.collect_md) {
6644 + tun_dst = ipv6_tun_rx_dst(skb, 0, 0, 0);
6645 + if (!tun_dst)
6646 +- return 0;
6647 ++ goto drop;
6648 + }
6649 + ret = __ip6_tnl_rcv(t, skb, tpi, tun_dst, dscp_ecn_decapsulate,
6650 + log_ecn_error);
6651 +diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
6652 +index a5e466d4e093..90dbfa78a390 100644
6653 +--- a/net/ipv6/ipv6_sockglue.c
6654 ++++ b/net/ipv6/ipv6_sockglue.c
6655 +@@ -878,6 +878,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
6656 + break;
6657 + case IPV6_AUTOFLOWLABEL:
6658 + np->autoflowlabel = valbool;
6659 ++ np->autoflowlabel_set = 1;
6660 + retv = 0;
6661 + break;
6662 + case IPV6_RECVFRAGSIZE:
6663 +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
6664 +index 12b7c27ce5ce..9a38a2c641fa 100644
6665 +--- a/net/ipv6/mcast.c
6666 ++++ b/net/ipv6/mcast.c
6667 +@@ -1682,16 +1682,16 @@ static int grec_size(struct ifmcaddr6 *pmc, int type, int gdel, int sdel)
6668 + }
6669 +
6670 + static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc,
6671 +- int type, struct mld2_grec **ppgr)
6672 ++ int type, struct mld2_grec **ppgr, unsigned int mtu)
6673 + {
6674 +- struct net_device *dev = pmc->idev->dev;
6675 + struct mld2_report *pmr;
6676 + struct mld2_grec *pgr;
6677 +
6678 +- if (!skb)
6679 +- skb = mld_newpack(pmc->idev, dev->mtu);
6680 +- if (!skb)
6681 +- return NULL;
6682 ++ if (!skb) {
6683 ++ skb = mld_newpack(pmc->idev, mtu);
6684 ++ if (!skb)
6685 ++ return NULL;
6686 ++ }
6687 + pgr = skb_put(skb, sizeof(struct mld2_grec));
6688 + pgr->grec_type = type;
6689 + pgr->grec_auxwords = 0;
6690 +@@ -1714,10 +1714,15 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
6691 + struct mld2_grec *pgr = NULL;
6692 + struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list;
6693 + int scount, stotal, first, isquery, truncate;
6694 ++ unsigned int mtu;
6695 +
6696 + if (pmc->mca_flags & MAF_NOREPORT)
6697 + return skb;
6698 +
6699 ++ mtu = READ_ONCE(dev->mtu);
6700 ++ if (mtu < IPV6_MIN_MTU)
6701 ++ return skb;
6702 ++
6703 + isquery = type == MLD2_MODE_IS_INCLUDE ||
6704 + type == MLD2_MODE_IS_EXCLUDE;
6705 + truncate = type == MLD2_MODE_IS_EXCLUDE ||
6706 +@@ -1738,7 +1743,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
6707 + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) {
6708 + if (skb)
6709 + mld_sendpack(skb);
6710 +- skb = mld_newpack(idev, dev->mtu);
6711 ++ skb = mld_newpack(idev, mtu);
6712 + }
6713 + }
6714 + first = 1;
6715 +@@ -1774,12 +1779,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
6716 + pgr->grec_nsrcs = htons(scount);
6717 + if (skb)
6718 + mld_sendpack(skb);
6719 +- skb = mld_newpack(idev, dev->mtu);
6720 ++ skb = mld_newpack(idev, mtu);
6721 + first = 1;
6722 + scount = 0;
6723 + }
6724 + if (first) {
6725 +- skb = add_grhead(skb, pmc, type, &pgr);
6726 ++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
6727 + first = 0;
6728 + }
6729 + if (!skb)
6730 +@@ -1814,7 +1819,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
6731 + mld_sendpack(skb);
6732 + skb = NULL; /* add_grhead will get a new one */
6733 + }
6734 +- skb = add_grhead(skb, pmc, type, &pgr);
6735 ++ skb = add_grhead(skb, pmc, type, &pgr, mtu);
6736 + }
6737 + }
6738 + if (pgr)
6739 +diff --git a/net/ipv6/route.c b/net/ipv6/route.c
6740 +index 598efa8cfe25..ca8d3266e92e 100644
6741 +--- a/net/ipv6/route.c
6742 ++++ b/net/ipv6/route.c
6743 +@@ -3700,19 +3700,13 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
6744 + if (!ipv6_addr_any(&fl6.saddr))
6745 + flags |= RT6_LOOKUP_F_HAS_SADDR;
6746 +
6747 +- if (!fibmatch)
6748 +- dst = ip6_route_input_lookup(net, dev, &fl6, flags);
6749 +- else
6750 +- dst = ip6_route_lookup(net, &fl6, 0);
6751 ++ dst = ip6_route_input_lookup(net, dev, &fl6, flags);
6752 +
6753 + rcu_read_unlock();
6754 + } else {
6755 + fl6.flowi6_oif = oif;
6756 +
6757 +- if (!fibmatch)
6758 +- dst = ip6_route_output(net, NULL, &fl6);
6759 +- else
6760 +- dst = ip6_route_lookup(net, &fl6, 0);
6761 ++ dst = ip6_route_output(net, NULL, &fl6);
6762 + }
6763 +
6764 +
6765 +@@ -3729,6 +3723,15 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
6766 + goto errout;
6767 + }
6768 +
6769 ++ if (fibmatch && rt->dst.from) {
6770 ++ struct rt6_info *ort = container_of(rt->dst.from,
6771 ++ struct rt6_info, dst);
6772 ++
6773 ++ dst_hold(&ort->dst);
6774 ++ ip6_rt_put(rt);
6775 ++ rt = ort;
6776 ++ }
6777 ++
6778 + skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
6779 + if (!skb) {
6780 + ip6_rt_put(rt);
6781 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
6782 +index 32ded300633d..237cc6187c5a 100644
6783 +--- a/net/ipv6/tcp_ipv6.c
6784 ++++ b/net/ipv6/tcp_ipv6.c
6785 +@@ -988,7 +988,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
6786 + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
6787 + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
6788 + req->ts_recent, sk->sk_bound_dev_if,
6789 +- tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
6790 ++ tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr),
6791 + 0, 0);
6792 + }
6793 +
6794 +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
6795 +index 15c99dfa3d72..aac9d68b4636 100644
6796 +--- a/net/netlink/af_netlink.c
6797 ++++ b/net/netlink/af_netlink.c
6798 +@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
6799 + struct sock *sk = skb->sk;
6800 + int ret = -ENOMEM;
6801 +
6802 ++ if (!net_eq(dev_net(dev), sock_net(sk)))
6803 ++ return 0;
6804 ++
6805 + dev_hold(dev);
6806 +
6807 + if (is_vmalloc_addr(skb->head))
6808 +diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
6809 +index cfb652a4e007..dbe1079a1651 100644
6810 +--- a/net/openvswitch/flow.c
6811 ++++ b/net/openvswitch/flow.c
6812 +@@ -532,6 +532,7 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
6813 + return -EINVAL;
6814 +
6815 + skb_reset_network_header(skb);
6816 ++ key->eth.type = skb->protocol;
6817 + } else {
6818 + eth = eth_hdr(skb);
6819 + ether_addr_copy(key->eth.src, eth->h_source);
6820 +@@ -545,15 +546,23 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
6821 + if (unlikely(parse_vlan(skb, key)))
6822 + return -ENOMEM;
6823 +
6824 +- skb->protocol = parse_ethertype(skb);
6825 +- if (unlikely(skb->protocol == htons(0)))
6826 ++ key->eth.type = parse_ethertype(skb);
6827 ++ if (unlikely(key->eth.type == htons(0)))
6828 + return -ENOMEM;
6829 +
6830 ++ /* Multiple tagged packets need to retain TPID to satisfy
6831 ++ * skb_vlan_pop(), which will later shift the ethertype into
6832 ++ * skb->protocol.
6833 ++ */
6834 ++ if (key->eth.cvlan.tci & htons(VLAN_TAG_PRESENT))
6835 ++ skb->protocol = key->eth.cvlan.tpid;
6836 ++ else
6837 ++ skb->protocol = key->eth.type;
6838 ++
6839 + skb_reset_network_header(skb);
6840 + __skb_push(skb, skb->data - skb_mac_header(skb));
6841 + }
6842 + skb_reset_mac_len(skb);
6843 +- key->eth.type = skb->protocol;
6844 +
6845 + /* Network layer. */
6846 + if (key->eth.type == htons(ETH_P_IP)) {
6847 +diff --git a/net/rds/send.c b/net/rds/send.c
6848 +index b52cdc8ae428..f72466c63f0c 100644
6849 +--- a/net/rds/send.c
6850 ++++ b/net/rds/send.c
6851 +@@ -1009,6 +1009,9 @@ static int rds_rdma_bytes(struct msghdr *msg, size_t *rdma_bytes)
6852 + continue;
6853 +
6854 + if (cmsg->cmsg_type == RDS_CMSG_RDMA_ARGS) {
6855 ++ if (cmsg->cmsg_len <
6856 ++ CMSG_LEN(sizeof(struct rds_rdma_args)))
6857 ++ return -EINVAL;
6858 + args = CMSG_DATA(cmsg);
6859 + *rdma_bytes += args->remote_vec.bytes;
6860 + }
6861 +diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
6862 +index 44de4ee51ce9..a08a32fa0949 100644
6863 +--- a/net/sched/sch_ingress.c
6864 ++++ b/net/sched/sch_ingress.c
6865 +@@ -59,11 +59,12 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt)
6866 + struct net_device *dev = qdisc_dev(sch);
6867 + int err;
6868 +
6869 ++ net_inc_ingress_queue();
6870 ++
6871 + err = tcf_block_get(&q->block, &dev->ingress_cl_list);
6872 + if (err)
6873 + return err;
6874 +
6875 +- net_inc_ingress_queue();
6876 + sch->flags |= TCQ_F_CPUSTATS;
6877 +
6878 + return 0;
6879 +@@ -153,6 +154,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt)
6880 + struct net_device *dev = qdisc_dev(sch);
6881 + int err;
6882 +
6883 ++ net_inc_ingress_queue();
6884 ++ net_inc_egress_queue();
6885 ++
6886 + err = tcf_block_get(&q->ingress_block, &dev->ingress_cl_list);
6887 + if (err)
6888 + return err;
6889 +@@ -161,9 +165,6 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt)
6890 + if (err)
6891 + return err;
6892 +
6893 +- net_inc_ingress_queue();
6894 +- net_inc_egress_queue();
6895 +-
6896 + sch->flags |= TCQ_F_CPUSTATS;
6897 +
6898 + return 0;
6899 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
6900 +index d6163f7aefb1..df806b8819aa 100644
6901 +--- a/net/sctp/socket.c
6902 ++++ b/net/sctp/socket.c
6903 +@@ -3874,13 +3874,17 @@ static int sctp_setsockopt_reset_streams(struct sock *sk,
6904 + struct sctp_association *asoc;
6905 + int retval = -EINVAL;
6906 +
6907 +- if (optlen < sizeof(struct sctp_reset_streams))
6908 ++ if (optlen < sizeof(*params))
6909 + return -EINVAL;
6910 +
6911 + params = memdup_user(optval, optlen);
6912 + if (IS_ERR(params))
6913 + return PTR_ERR(params);
6914 +
6915 ++ if (params->srs_number_streams * sizeof(__u16) >
6916 ++ optlen - sizeof(*params))
6917 ++ goto out;
6918 ++
6919 + asoc = sctp_id2assoc(sk, params->srs_assoc_id);
6920 + if (!asoc)
6921 + goto out;
6922 +@@ -4413,7 +4417,7 @@ static int sctp_init_sock(struct sock *sk)
6923 + SCTP_DBG_OBJCNT_INC(sock);
6924 +
6925 + local_bh_disable();
6926 +- percpu_counter_inc(&sctp_sockets_allocated);
6927 ++ sk_sockets_allocated_inc(sk);
6928 + sock_prot_inuse_add(net, sk->sk_prot, 1);
6929 +
6930 + /* Nothing can fail after this block, otherwise
6931 +@@ -4457,7 +4461,7 @@ static void sctp_destroy_sock(struct sock *sk)
6932 + }
6933 + sctp_endpoint_free(sp->ep);
6934 + local_bh_disable();
6935 +- percpu_counter_dec(&sctp_sockets_allocated);
6936 ++ sk_sockets_allocated_dec(sk);
6937 + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
6938 + local_bh_enable();
6939 + }
6940 +diff --git a/net/tipc/socket.c b/net/tipc/socket.c
6941 +index d50edd6e0019..98a44ecb11e7 100644
6942 +--- a/net/tipc/socket.c
6943 ++++ b/net/tipc/socket.c
6944 +@@ -709,11 +709,11 @@ static unsigned int tipc_poll(struct file *file, struct socket *sock,
6945 +
6946 + switch (sk->sk_state) {
6947 + case TIPC_ESTABLISHED:
6948 ++ case TIPC_CONNECTING:
6949 + if (!tsk->cong_link_cnt && !tsk_conn_cong(tsk))
6950 + mask |= POLLOUT;
6951 + /* fall thru' */
6952 + case TIPC_LISTEN:
6953 +- case TIPC_CONNECTING:
6954 + if (!skb_queue_empty(&sk->sk_receive_queue))
6955 + mask |= (POLLIN | POLLRDNORM);
6956 + break;
6957 +diff --git a/security/Kconfig b/security/Kconfig
6958 +index e8e449444e65..6614b9312b45 100644
6959 +--- a/security/Kconfig
6960 ++++ b/security/Kconfig
6961 +@@ -54,6 +54,17 @@ config SECURITY_NETWORK
6962 + implement socket and networking access controls.
6963 + If you are unsure how to answer this question, answer N.
6964 +
6965 ++config PAGE_TABLE_ISOLATION
6966 ++ bool "Remove the kernel mapping in user mode"
6967 ++ depends on X86_64 && !UML
6968 ++ default y
6969 ++ help
6970 ++ This feature reduces the number of hardware side channels by
6971 ++ ensuring that the majority of kernel addresses are not mapped
6972 ++ into userspace.
6973 ++
6974 ++ See Documentation/x86/pagetable-isolation.txt for more details.
6975 ++
6976 + config SECURITY_INFINIBAND
6977 + bool "Infiniband Security Hooks"
6978 + depends on SECURITY && INFINIBAND
6979 +diff --git a/sound/hda/hdac_i915.c b/sound/hda/hdac_i915.c
6980 +index 038a180d3f81..cbe818eda336 100644
6981 +--- a/sound/hda/hdac_i915.c
6982 ++++ b/sound/hda/hdac_i915.c
6983 +@@ -325,7 +325,7 @@ static int hdac_component_master_match(struct device *dev, void *data)
6984 + */
6985 + int snd_hdac_i915_register_notifier(const struct i915_audio_component_audio_ops *aops)
6986 + {
6987 +- if (WARN_ON(!hdac_acomp))
6988 ++ if (!hdac_acomp)
6989 + return -ENODEV;
6990 +
6991 + hdac_acomp->audio_ops = aops;
6992 +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
6993 +index a81aacf684b2..37e1cf8218ff 100644
6994 +--- a/sound/pci/hda/patch_conexant.c
6995 ++++ b/sound/pci/hda/patch_conexant.c
6996 +@@ -271,6 +271,8 @@ enum {
6997 + CXT_FIXUP_HP_SPECTRE,
6998 + CXT_FIXUP_HP_GATE_MIC,
6999 + CXT_FIXUP_MUTE_LED_GPIO,
7000 ++ CXT_FIXUP_HEADSET_MIC,
7001 ++ CXT_FIXUP_HP_MIC_NO_PRESENCE,
7002 + };
7003 +
7004 + /* for hda_fixup_thinkpad_acpi() */
7005 +@@ -350,6 +352,18 @@ static void cxt_fixup_headphone_mic(struct hda_codec *codec,
7006 + }
7007 + }
7008 +
7009 ++static void cxt_fixup_headset_mic(struct hda_codec *codec,
7010 ++ const struct hda_fixup *fix, int action)
7011 ++{
7012 ++ struct conexant_spec *spec = codec->spec;
7013 ++
7014 ++ switch (action) {
7015 ++ case HDA_FIXUP_ACT_PRE_PROBE:
7016 ++ spec->parse_flags |= HDA_PINCFG_HEADSET_MIC;
7017 ++ break;
7018 ++ }
7019 ++}
7020 ++
7021 + /* OPLC XO 1.5 fixup */
7022 +
7023 + /* OLPC XO-1.5 supports DC input mode (e.g. for use with analog sensors)
7024 +@@ -880,6 +894,19 @@ static const struct hda_fixup cxt_fixups[] = {
7025 + .type = HDA_FIXUP_FUNC,
7026 + .v.func = cxt_fixup_mute_led_gpio,
7027 + },
7028 ++ [CXT_FIXUP_HEADSET_MIC] = {
7029 ++ .type = HDA_FIXUP_FUNC,
7030 ++ .v.func = cxt_fixup_headset_mic,
7031 ++ },
7032 ++ [CXT_FIXUP_HP_MIC_NO_PRESENCE] = {
7033 ++ .type = HDA_FIXUP_PINS,
7034 ++ .v.pins = (const struct hda_pintbl[]) {
7035 ++ { 0x1a, 0x02a1113c },
7036 ++ { }
7037 ++ },
7038 ++ .chained = true,
7039 ++ .chain_id = CXT_FIXUP_HEADSET_MIC,
7040 ++ },
7041 + };
7042 +
7043 + static const struct snd_pci_quirk cxt5045_fixups[] = {
7044 +@@ -934,6 +961,8 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
7045 + SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
7046 + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
7047 + SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
7048 ++ SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
7049 ++ SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
7050 + SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
7051 + SND_PCI_QUIRK(0x152d, 0x0833, "OLPC XO-1.5", CXT_FIXUP_OLPC_XO),
7052 + SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
7053 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
7054 +index 9ac4b9076ee2..acdb196ddb44 100644
7055 +--- a/sound/pci/hda/patch_realtek.c
7056 ++++ b/sound/pci/hda/patch_realtek.c
7057 +@@ -324,8 +324,12 @@ static void alc_fill_eapd_coef(struct hda_codec *codec)
7058 + case 0x10ec0292:
7059 + alc_update_coef_idx(codec, 0x4, 1<<15, 0);
7060 + break;
7061 +- case 0x10ec0215:
7062 + case 0x10ec0225:
7063 ++ case 0x10ec0295:
7064 ++ case 0x10ec0299:
7065 ++ alc_update_coef_idx(codec, 0x67, 0xf000, 0x3000);
7066 ++ /* fallthrough */
7067 ++ case 0x10ec0215:
7068 + case 0x10ec0233:
7069 + case 0x10ec0236:
7070 + case 0x10ec0255:
7071 +@@ -336,10 +340,8 @@ static void alc_fill_eapd_coef(struct hda_codec *codec)
7072 + case 0x10ec0286:
7073 + case 0x10ec0288:
7074 + case 0x10ec0285:
7075 +- case 0x10ec0295:
7076 + case 0x10ec0298:
7077 + case 0x10ec0289:
7078 +- case 0x10ec0299:
7079 + alc_update_coef_idx(codec, 0x10, 1<<9, 0);
7080 + break;
7081 + case 0x10ec0275:
7082 +@@ -6305,6 +6307,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
7083 + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
7084 + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
7085 + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
7086 ++ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
7087 + SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
7088 + SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
7089 + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
7090 +@@ -6557,6 +6560,11 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
7091 + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
7092 + {0x1b, 0x01011020},
7093 + {0x21, 0x02211010}),
7094 ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
7095 ++ {0x12, 0x90a60130},
7096 ++ {0x14, 0x90170110},
7097 ++ {0x1b, 0x01011020},
7098 ++ {0x21, 0x0221101f}),
7099 + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
7100 + {0x12, 0x90a60160},
7101 + {0x14, 0x90170120},
7102 +diff --git a/sound/soc/codecs/da7218.c b/sound/soc/codecs/da7218.c
7103 +index b2d42ec1dcd9..56564ce90cb6 100644
7104 +--- a/sound/soc/codecs/da7218.c
7105 ++++ b/sound/soc/codecs/da7218.c
7106 +@@ -2520,7 +2520,7 @@ static struct da7218_pdata *da7218_of_to_pdata(struct snd_soc_codec *codec)
7107 + }
7108 +
7109 + if (da7218->dev_id == DA7218_DEV_ID) {
7110 +- hpldet_np = of_find_node_by_name(np, "da7218_hpldet");
7111 ++ hpldet_np = of_get_child_by_name(np, "da7218_hpldet");
7112 + if (!hpldet_np)
7113 + return pdata;
7114 +
7115 +diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c
7116 +index 18933bf6473f..8c7063e1aa46 100644
7117 +--- a/sound/soc/codecs/msm8916-wcd-analog.c
7118 ++++ b/sound/soc/codecs/msm8916-wcd-analog.c
7119 +@@ -267,7 +267,7 @@
7120 + #define MSM8916_WCD_ANALOG_RATES (SNDRV_PCM_RATE_8000 | SNDRV_PCM_RATE_16000 |\
7121 + SNDRV_PCM_RATE_32000 | SNDRV_PCM_RATE_48000)
7122 + #define MSM8916_WCD_ANALOG_FORMATS (SNDRV_PCM_FMTBIT_S16_LE |\
7123 +- SNDRV_PCM_FMTBIT_S24_LE)
7124 ++ SNDRV_PCM_FMTBIT_S32_LE)
7125 +
7126 + static int btn_mask = SND_JACK_BTN_0 | SND_JACK_BTN_1 |
7127 + SND_JACK_BTN_2 | SND_JACK_BTN_3 | SND_JACK_BTN_4;
7128 +diff --git a/sound/soc/codecs/msm8916-wcd-digital.c b/sound/soc/codecs/msm8916-wcd-digital.c
7129 +index 66df8f810f0d..694db27b11fa 100644
7130 +--- a/sound/soc/codecs/msm8916-wcd-digital.c
7131 ++++ b/sound/soc/codecs/msm8916-wcd-digital.c
7132 +@@ -194,7 +194,7 @@
7133 + SNDRV_PCM_RATE_32000 | \
7134 + SNDRV_PCM_RATE_48000)
7135 + #define MSM8916_WCD_DIGITAL_FORMATS (SNDRV_PCM_FMTBIT_S16_LE |\
7136 +- SNDRV_PCM_FMTBIT_S24_LE)
7137 ++ SNDRV_PCM_FMTBIT_S32_LE)
7138 +
7139 + struct msm8916_wcd_digital_priv {
7140 + struct clk *ahbclk, *mclk;
7141 +@@ -645,7 +645,7 @@ static int msm8916_wcd_digital_hw_params(struct snd_pcm_substream *substream,
7142 + RX_I2S_CTL_RX_I2S_MODE_MASK,
7143 + RX_I2S_CTL_RX_I2S_MODE_16);
7144 + break;
7145 +- case SNDRV_PCM_FORMAT_S24_LE:
7146 ++ case SNDRV_PCM_FORMAT_S32_LE:
7147 + snd_soc_update_bits(dai->codec, LPASS_CDC_CLK_TX_I2S_CTL,
7148 + TX_I2S_CTL_TX_I2S_MODE_MASK,
7149 + TX_I2S_CTL_TX_I2S_MODE_32);
7150 +diff --git a/sound/soc/codecs/tlv320aic31xx.h b/sound/soc/codecs/tlv320aic31xx.h
7151 +index 730fb2058869..1ff3edb7bbb6 100644
7152 +--- a/sound/soc/codecs/tlv320aic31xx.h
7153 ++++ b/sound/soc/codecs/tlv320aic31xx.h
7154 +@@ -116,7 +116,7 @@ struct aic31xx_pdata {
7155 + /* INT2 interrupt control */
7156 + #define AIC31XX_INT2CTRL AIC31XX_REG(0, 49)
7157 + /* GPIO1 control */
7158 +-#define AIC31XX_GPIO1 AIC31XX_REG(0, 50)
7159 ++#define AIC31XX_GPIO1 AIC31XX_REG(0, 51)
7160 +
7161 + #define AIC31XX_DACPRB AIC31XX_REG(0, 60)
7162 + /* ADC Instruction Set Register */
7163 +diff --git a/sound/soc/codecs/twl4030.c b/sound/soc/codecs/twl4030.c
7164 +index c482b2e7a7d2..cfe72b9d4356 100644
7165 +--- a/sound/soc/codecs/twl4030.c
7166 ++++ b/sound/soc/codecs/twl4030.c
7167 +@@ -232,7 +232,7 @@ static struct twl4030_codec_data *twl4030_get_pdata(struct snd_soc_codec *codec)
7168 + struct twl4030_codec_data *pdata = dev_get_platdata(codec->dev);
7169 + struct device_node *twl4030_codec_node = NULL;
7170 +
7171 +- twl4030_codec_node = of_find_node_by_name(codec->dev->parent->of_node,
7172 ++ twl4030_codec_node = of_get_child_by_name(codec->dev->parent->of_node,
7173 + "codec");
7174 +
7175 + if (!pdata && twl4030_codec_node) {
7176 +@@ -241,9 +241,11 @@ static struct twl4030_codec_data *twl4030_get_pdata(struct snd_soc_codec *codec)
7177 + GFP_KERNEL);
7178 + if (!pdata) {
7179 + dev_err(codec->dev, "Can not allocate memory\n");
7180 ++ of_node_put(twl4030_codec_node);
7181 + return NULL;
7182 + }
7183 + twl4030_setup_pdata_of(pdata, twl4030_codec_node);
7184 ++ of_node_put(twl4030_codec_node);
7185 + }
7186 +
7187 + return pdata;
7188 +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
7189 +index 65c059b5ffd7..66e32f5d2917 100644
7190 +--- a/sound/soc/codecs/wm_adsp.c
7191 ++++ b/sound/soc/codecs/wm_adsp.c
7192 +@@ -1733,7 +1733,7 @@ static int wm_adsp_load(struct wm_adsp *dsp)
7193 + le64_to_cpu(footer->timestamp));
7194 +
7195 + while (pos < firmware->size &&
7196 +- pos - firmware->size > sizeof(*region)) {
7197 ++ sizeof(*region) < firmware->size - pos) {
7198 + region = (void *)&(firmware->data[pos]);
7199 + region_name = "Unknown";
7200 + reg = 0;
7201 +@@ -1782,8 +1782,8 @@ static int wm_adsp_load(struct wm_adsp *dsp)
7202 + regions, le32_to_cpu(region->len), offset,
7203 + region_name);
7204 +
7205 +- if ((pos + le32_to_cpu(region->len) + sizeof(*region)) >
7206 +- firmware->size) {
7207 ++ if (le32_to_cpu(region->len) >
7208 ++ firmware->size - pos - sizeof(*region)) {
7209 + adsp_err(dsp,
7210 + "%s.%d: %s region len %d bytes exceeds file length %zu\n",
7211 + file, regions, region_name,
7212 +@@ -2253,7 +2253,7 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp)
7213 +
7214 + blocks = 0;
7215 + while (pos < firmware->size &&
7216 +- pos - firmware->size > sizeof(*blk)) {
7217 ++ sizeof(*blk) < firmware->size - pos) {
7218 + blk = (void *)(&firmware->data[pos]);
7219 +
7220 + type = le16_to_cpu(blk->type);
7221 +@@ -2327,8 +2327,8 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp)
7222 + }
7223 +
7224 + if (reg) {
7225 +- if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) >
7226 +- firmware->size) {
7227 ++ if (le32_to_cpu(blk->len) >
7228 ++ firmware->size - pos - sizeof(*blk)) {
7229 + adsp_err(dsp,
7230 + "%s.%d: %s region len %d bytes exceeds file length %zu\n",
7231 + file, blocks, region_name,
7232 +diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c
7233 +index 64598d1183f8..3ffbb498cc70 100644
7234 +--- a/sound/soc/fsl/fsl_ssi.c
7235 ++++ b/sound/soc/fsl/fsl_ssi.c
7236 +@@ -1452,12 +1452,6 @@ static int fsl_ssi_probe(struct platform_device *pdev)
7237 + sizeof(fsl_ssi_ac97_dai));
7238 +
7239 + fsl_ac97_data = ssi_private;
7240 +-
7241 +- ret = snd_soc_set_ac97_ops_of_reset(&fsl_ssi_ac97_ops, pdev);
7242 +- if (ret) {
7243 +- dev_err(&pdev->dev, "could not set AC'97 ops\n");
7244 +- return ret;
7245 +- }
7246 + } else {
7247 + /* Initialize this copy of the CPU DAI driver structure */
7248 + memcpy(&ssi_private->cpu_dai_drv, &fsl_ssi_dai_template,
7249 +@@ -1568,6 +1562,14 @@ static int fsl_ssi_probe(struct platform_device *pdev)
7250 + return ret;
7251 + }
7252 +
7253 ++ if (fsl_ssi_is_ac97(ssi_private)) {
7254 ++ ret = snd_soc_set_ac97_ops_of_reset(&fsl_ssi_ac97_ops, pdev);
7255 ++ if (ret) {
7256 ++ dev_err(&pdev->dev, "could not set AC'97 ops\n");
7257 ++ goto error_ac97_ops;
7258 ++ }
7259 ++ }
7260 ++
7261 + ret = devm_snd_soc_register_component(&pdev->dev, &fsl_ssi_component,
7262 + &ssi_private->cpu_dai_drv, 1);
7263 + if (ret) {
7264 +@@ -1651,6 +1653,10 @@ static int fsl_ssi_probe(struct platform_device *pdev)
7265 + fsl_ssi_debugfs_remove(&ssi_private->dbg_stats);
7266 +
7267 + error_asoc_register:
7268 ++ if (fsl_ssi_is_ac97(ssi_private))
7269 ++ snd_soc_set_ac97_ops(NULL);
7270 ++
7271 ++error_ac97_ops:
7272 + if (ssi_private->soc->imx)
7273 + fsl_ssi_imx_clean(pdev, ssi_private);
7274 +
7275 +diff --git a/tools/testing/selftests/x86/ldt_gdt.c b/tools/testing/selftests/x86/ldt_gdt.c
7276 +index 0304ffb714f2..1aef72df20a1 100644
7277 +--- a/tools/testing/selftests/x86/ldt_gdt.c
7278 ++++ b/tools/testing/selftests/x86/ldt_gdt.c
7279 +@@ -122,8 +122,7 @@ static void check_valid_segment(uint16_t index, int ldt,
7280 + * NB: Different Linux versions do different things with the
7281 + * accessed bit in set_thread_area().
7282 + */
7283 +- if (ar != expected_ar &&
7284 +- (ldt || ar != (expected_ar | AR_ACCESSED))) {
7285 ++ if (ar != expected_ar && ar != (expected_ar | AR_ACCESSED)) {
7286 + printf("[FAIL]\t%s entry %hu has AR 0x%08X but expected 0x%08X\n",
7287 + (ldt ? "LDT" : "GDT"), index, ar, expected_ar);
7288 + nerrs++;
7289 +diff --git a/tools/usb/usbip/src/utils.c b/tools/usb/usbip/src/utils.c
7290 +index 2b3d6d235015..3d7b42e77299 100644
7291 +--- a/tools/usb/usbip/src/utils.c
7292 ++++ b/tools/usb/usbip/src/utils.c
7293 +@@ -30,6 +30,7 @@ int modify_match_busid(char *busid, int add)
7294 + char command[SYSFS_BUS_ID_SIZE + 4];
7295 + char match_busid_attr_path[SYSFS_PATH_MAX];
7296 + int rc;
7297 ++ int cmd_size;
7298 +
7299 + snprintf(match_busid_attr_path, sizeof(match_busid_attr_path),
7300 + "%s/%s/%s/%s/%s/%s", SYSFS_MNT_PATH, SYSFS_BUS_NAME,
7301 +@@ -37,12 +38,14 @@ int modify_match_busid(char *busid, int add)
7302 + attr_name);
7303 +
7304 + if (add)
7305 +- snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s", busid);
7306 ++ cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "add %s",
7307 ++ busid);
7308 + else
7309 +- snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s", busid);
7310 ++ cmd_size = snprintf(command, SYSFS_BUS_ID_SIZE + 4, "del %s",
7311 ++ busid);
7312 +
7313 + rc = write_sysfs_attribute(match_busid_attr_path, command,
7314 +- sizeof(command));
7315 ++ cmd_size);
7316 + if (rc < 0) {
7317 + dbg("failed to write match_busid: %s", strerror(errno));
7318 + return -1;
Report Message
Find on MARC Find on Google Groups