diff --git a/patch/kernel/sunxi-next/patch-4.19.36-37.patch b/patch/kernel/sunxi-next/patch-4.19.36-37.patch new file mode 100644 index 000000000..0a0d611f5 --- /dev/null +++ b/patch/kernel/sunxi-next/patch-4.19.36-37.patch @@ -0,0 +1,5470 @@ +diff --git a/Makefile b/Makefile +index 3fac08f6a11e..7b495cad8c2e 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 19 +-SUBLEVEL = 36 ++SUBLEVEL = 37 + EXTRAVERSION = + NAME = "People's Front" + +@@ -661,8 +661,7 @@ KBUILD_CFLAGS += $(call cc-disable-warning, format-overflow) + KBUILD_CFLAGS += $(call cc-disable-warning, int-in-bool-context) + + ifdef CONFIG_CC_OPTIMIZE_FOR_SIZE +-KBUILD_CFLAGS += $(call cc-option,-Oz,-Os) +-KBUILD_CFLAGS += $(call cc-disable-warning,maybe-uninitialized,) ++KBUILD_CFLAGS += -Os $(call cc-disable-warning,maybe-uninitialized,) + else + ifdef CONFIG_PROFILE_ALL_BRANCHES + KBUILD_CFLAGS += -O2 $(call cc-disable-warning,maybe-uninitialized,) +diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h +index b447b4db423a..fd1e722f3821 100644 +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -50,7 +50,7 @@ do { \ + static inline int + arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr) + { +- int oldval, ret, tmp; ++ int oldval = 0, ret, tmp; + u32 __user *uaddr = __uaccess_mask_ptr(_uaddr); + + pagefault_disable(); +diff --git a/arch/x86/crypto/poly1305-avx2-x86_64.S b/arch/x86/crypto/poly1305-avx2-x86_64.S +index 3b6e70d085da..8457cdd47f75 100644 +--- a/arch/x86/crypto/poly1305-avx2-x86_64.S ++++ b/arch/x86/crypto/poly1305-avx2-x86_64.S +@@ -323,6 +323,12 @@ ENTRY(poly1305_4block_avx2) + vpaddq t2,t1,t1 + vmovq t1x,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -361,16 +367,16 @@ ENTRY(poly1305_4block_avx2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +diff --git a/arch/x86/crypto/poly1305-sse2-x86_64.S b/arch/x86/crypto/poly1305-sse2-x86_64.S +index c88c670cb5fc..5851c7418fb7 100644 +--- a/arch/x86/crypto/poly1305-sse2-x86_64.S ++++ b/arch/x86/crypto/poly1305-sse2-x86_64.S +@@ -253,16 +253,16 @@ ENTRY(poly1305_block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +@@ -520,6 +520,12 @@ ENTRY(poly1305_2block_sse2) + paddq t2,t1 + movq t1,d4 + ++ # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 -> ++ # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small ++ # amount. 
Careful: we must not assume the carry bits 'd0 >> 26', ++ # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit ++ # integers. It's true in a single-block implementation, but not here. ++ + # d1 += d0 >> 26 + mov d0,%rax + shr $26,%rax +@@ -558,16 +564,16 @@ ENTRY(poly1305_2block_sse2) + # h0 += (d4 >> 26) * 5 + mov d4,%rax + shr $26,%rax +- lea (%eax,%eax,4),%eax +- add %eax,%ebx ++ lea (%rax,%rax,4),%rax ++ add %rax,%rbx + # h4 = d4 & 0x3ffffff + mov d4,%rax + and $0x3ffffff,%eax + mov %eax,h4 + + # h1 += h0 >> 26 +- mov %ebx,%eax +- shr $26,%eax ++ mov %rbx,%rax ++ shr $26,%rax + add %eax,h1 + # h0 = h0 & 0x3ffffff + andl $0x3ffffff,%ebx +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index 3e5dd85b019a..263af6312329 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -117,22 +117,39 @@ static __initconst const u64 amd_hw_cache_event_ids + }; + + /* +- * AMD Performance Monitor K7 and later. ++ * AMD Performance Monitor K7 and later, up to and including Family 16h: + */ + static const u64 amd_perfmon_event_map[PERF_COUNT_HW_MAX] = + { +- [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, +- [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, +- [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, +- [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, +- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, +- [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, +- [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ +- [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */ ++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, ++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0x077d, ++ [PERF_COUNT_HW_CACHE_MISSES] = 0x077e, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, ++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, ++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x00d0, /* "Decoder empty" event */ ++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x00d1, /* "Dispatch stalls" event */ ++}; ++ ++/* ++ * AMD Performance Monitor Family 17h and later: ++ */ ++static const u64 amd_f17h_perfmon_event_map[PERF_COUNT_HW_MAX] = ++{ ++ [PERF_COUNT_HW_CPU_CYCLES] = 0x0076, ++ [PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0, ++ [PERF_COUNT_HW_CACHE_REFERENCES] = 0xff60, ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = 0x00c2, ++ [PERF_COUNT_HW_BRANCH_MISSES] = 0x00c3, ++ [PERF_COUNT_HW_STALLED_CYCLES_FRONTEND] = 0x0287, ++ [PERF_COUNT_HW_STALLED_CYCLES_BACKEND] = 0x0187, + }; + + static u64 amd_pmu_event_map(int hw_event) + { ++ if (boot_cpu_data.x86 >= 0x17) ++ return amd_f17h_perfmon_event_map[hw_event]; ++ + return amd_perfmon_event_map[hw_event]; + } + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 12453cf7c11b..3dd204d1dd19 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3014,7 +3014,7 @@ static unsigned long intel_pmu_large_pebs_flags(struct perf_event *event) + flags &= ~PERF_SAMPLE_TIME; + if (!event->attr.exclude_kernel) + flags &= ~PERF_SAMPLE_REGS_USER; +- if (event->attr.sample_regs_user & ~PEBS_REGS) ++ if (event->attr.sample_regs_user & ~PEBS_GP_REGS) + flags &= ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR); + return flags; + } +diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h +index 42a36280d168..05659c7b43d4 100644 +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -96,25 +96,25 @@ struct amd_nb { + PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER | \ + PERF_SAMPLE_PERIOD) + +-#define PEBS_REGS \ +- (PERF_REG_X86_AX | \ +- 
PERF_REG_X86_BX | \ +- PERF_REG_X86_CX | \ +- PERF_REG_X86_DX | \ +- PERF_REG_X86_DI | \ +- PERF_REG_X86_SI | \ +- PERF_REG_X86_SP | \ +- PERF_REG_X86_BP | \ +- PERF_REG_X86_IP | \ +- PERF_REG_X86_FLAGS | \ +- PERF_REG_X86_R8 | \ +- PERF_REG_X86_R9 | \ +- PERF_REG_X86_R10 | \ +- PERF_REG_X86_R11 | \ +- PERF_REG_X86_R12 | \ +- PERF_REG_X86_R13 | \ +- PERF_REG_X86_R14 | \ +- PERF_REG_X86_R15) ++#define PEBS_GP_REGS \ ++ ((1ULL << PERF_REG_X86_AX) | \ ++ (1ULL << PERF_REG_X86_BX) | \ ++ (1ULL << PERF_REG_X86_CX) | \ ++ (1ULL << PERF_REG_X86_DX) | \ ++ (1ULL << PERF_REG_X86_DI) | \ ++ (1ULL << PERF_REG_X86_SI) | \ ++ (1ULL << PERF_REG_X86_SP) | \ ++ (1ULL << PERF_REG_X86_BP) | \ ++ (1ULL << PERF_REG_X86_IP) | \ ++ (1ULL << PERF_REG_X86_FLAGS) | \ ++ (1ULL << PERF_REG_X86_R8) | \ ++ (1ULL << PERF_REG_X86_R9) | \ ++ (1ULL << PERF_REG_X86_R10) | \ ++ (1ULL << PERF_REG_X86_R11) | \ ++ (1ULL << PERF_REG_X86_R12) | \ ++ (1ULL << PERF_REG_X86_R13) | \ ++ (1ULL << PERF_REG_X86_R14) | \ ++ (1ULL << PERF_REG_X86_R15)) + + /* + * Per register state. +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 1e0c4c74195c..e5258bd64200 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -272,7 +272,7 @@ static const struct { + const char *option; + enum spectre_v2_user_cmd cmd; + bool secure; +-} v2_user_options[] __initdata = { ++} v2_user_options[] __initconst = { + { "auto", SPECTRE_V2_USER_CMD_AUTO, false }, + { "off", SPECTRE_V2_USER_CMD_NONE, false }, + { "on", SPECTRE_V2_USER_CMD_FORCE, true }, +@@ -407,7 +407,7 @@ static const struct { + const char *option; + enum spectre_v2_mitigation_cmd cmd; + bool secure; +-} mitigation_options[] __initdata = { ++} mitigation_options[] __initconst = { + { "off", SPECTRE_V2_CMD_NONE, false }, + { "on", SPECTRE_V2_CMD_FORCE, true }, + { "retpoline", SPECTRE_V2_CMD_RETPOLINE, false }, +@@ -643,7 +643,7 @@ static const char * const ssb_strings[] = { + static const struct { + const char *option; + enum ssb_mitigation_cmd cmd; +-} ssb_mitigation_options[] __initdata = { ++} ssb_mitigation_options[] __initconst = { + { "auto", SPEC_STORE_BYPASS_CMD_AUTO }, /* Platform decides */ + { "on", SPEC_STORE_BYPASS_CMD_ON }, /* Disable Speculative Store Bypass */ + { "off", SPEC_STORE_BYPASS_CMD_NONE }, /* Don't touch Speculative Store Bypass */ +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c +index b0d1e81c96bb..acb901b43ce4 100644 +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -569,6 +569,7 @@ void arch_prepare_kretprobe(struct kretprobe_instance *ri, struct pt_regs *regs) + unsigned long *sara = stack_addr(regs); + + ri->ret_addr = (kprobe_opcode_t *) *sara; ++ ri->fp = sara; + + /* Replace the return addr with trampoline addr */ + *sara = (unsigned long) &kretprobe_trampoline; +@@ -759,15 +760,21 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + unsigned long flags, orig_ret_address = 0; + unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline; + kprobe_opcode_t *correct_ret_addr = NULL; ++ void *frame_pointer; ++ bool skipped = false; + + INIT_HLIST_HEAD(&empty_rp); + kretprobe_hash_lock(current, &head, &flags); + /* fixup registers */ + #ifdef CONFIG_X86_64 + regs->cs = __KERNEL_CS; ++ /* On x86-64, we use pt_regs->sp for return address holder. */ ++ frame_pointer = ®s->sp; + #else + regs->cs = __KERNEL_CS | get_kernel_rpl(); + regs->gs = 0; ++ /* On x86-32, we use pt_regs->flags for return address holder. 
*/ ++ frame_pointer = ®s->flags; + #endif + regs->ip = trampoline_address; + regs->orig_ax = ~0UL; +@@ -789,8 +796,25 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ /* ++ * Return probes must be pushed on this hash list correct ++ * order (same as return order) so that it can be poped ++ * correctly. However, if we find it is pushed it incorrect ++ * order, this means we find a function which should not be ++ * probed, because the wrong order entry is pushed on the ++ * path of processing other kretprobe itself. ++ */ ++ if (ri->fp != frame_pointer) { ++ if (!skipped) ++ pr_warn("kretprobe is stacked incorrectly. Trying to fixup.\n"); ++ skipped = true; ++ continue; ++ } + + orig_ret_address = (unsigned long)ri->ret_addr; ++ if (skipped) ++ pr_warn("%ps must be blacklisted because of incorrect kretprobe order\n", ++ ri->rp->kp.addr); + + if (orig_ret_address != trampoline_address) + /* +@@ -808,6 +832,8 @@ __visible __used void *trampoline_handler(struct pt_regs *regs) + if (ri->task != current) + /* another task is sharing our hash bucket */ + continue; ++ if (ri->fp != frame_pointer) ++ continue; + + orig_ret_address = (unsigned long)ri->ret_addr; + if (ri->rp && ri->rp->handler) { +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 7d31192296a8..b8b08e61ac73 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -411,6 +411,8 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp, + u64 msr = x86_spec_ctrl_base; + bool updmsr = false; + ++ lockdep_assert_irqs_disabled(); ++ + /* + * If TIF_SSBD is different, select the proper mitigation + * method. Note that if SSBD mitigation is disabled or permanentely +@@ -462,10 +464,12 @@ static unsigned long speculation_ctrl_update_tif(struct task_struct *tsk) + + void speculation_ctrl_update(unsigned long tif) + { ++ unsigned long flags; ++ + /* Forced update. Make sure all relevant TIF flags are different */ +- preempt_disable(); ++ local_irq_save(flags); + __speculation_ctrl_update(~tif, tif); +- preempt_enable(); ++ local_irq_restore(flags); + } + + /* Called from seccomp/prctl update */ +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 106482da6388..860bd271619d 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -2575,15 +2575,13 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + * CR0/CR3/CR4/EFER. It's all a bit more complicated if the vCPU + * supports long mode. + */ +- cr4 = ctxt->ops->get_cr(ctxt, 4); + if (emulator_has_longmode(ctxt)) { + struct desc_struct cs_desc; + + /* Zero CR4.PCIDE before CR0.PG. */ +- if (cr4 & X86_CR4_PCIDE) { ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PCIDE) + ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PCIDE); +- cr4 &= ~X86_CR4_PCIDE; +- } + + /* A 32-bit code segment is required to clear EFER.LMA. */ + memset(&cs_desc, 0, sizeof(cs_desc)); +@@ -2597,13 +2595,16 @@ static int em_rsm(struct x86_emulate_ctxt *ctxt) + if (cr0 & X86_CR0_PE) + ctxt->ops->set_cr(ctxt, 0, cr0 & ~(X86_CR0_PG | X86_CR0_PE)); + +- /* Now clear CR4.PAE (which must be done before clearing EFER.LME). */ +- if (cr4 & X86_CR4_PAE) +- ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); ++ if (emulator_has_longmode(ctxt)) { ++ /* Clear CR4.PAE before clearing EFER.LME. 
*/ ++ cr4 = ctxt->ops->get_cr(ctxt, 4); ++ if (cr4 & X86_CR4_PAE) ++ ctxt->ops->set_cr(ctxt, 4, cr4 & ~X86_CR4_PAE); + +- /* And finally go back to 32-bit mode. */ +- efer = 0; +- ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ /* And finally go back to 32-bit mode. */ ++ efer = 0; ++ ctxt->ops->set_msr(ctxt, MSR_EFER, efer); ++ } + + smbase = ctxt->ops->get_smbase(ctxt); + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 6dc72804fe6e..813cb60eb401 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2679,6 +2679,7 @@ static int npf_interception(struct vcpu_svm *svm) + static int db_interception(struct vcpu_svm *svm) + { + struct kvm_run *kvm_run = svm->vcpu.run; ++ struct kvm_vcpu *vcpu = &svm->vcpu; + + if (!(svm->vcpu.guest_debug & + (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) && +@@ -2689,6 +2690,8 @@ static int db_interception(struct vcpu_svm *svm) + + if (svm->nmi_singlestep) { + disable_nmi_singlestep(svm); ++ /* Make sure we check for pending NMIs upon entry */ ++ kvm_make_request(KVM_REQ_EVENT, vcpu); + } + + if (svm->vcpu.guest_debug & +@@ -4493,14 +4496,25 @@ static int avic_incomplete_ipi_interception(struct vcpu_svm *svm) + kvm_lapic_reg_write(apic, APIC_ICR, icrl); + break; + case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: { ++ int i; ++ struct kvm_vcpu *vcpu; ++ struct kvm *kvm = svm->vcpu.kvm; + struct kvm_lapic *apic = svm->vcpu.arch.apic; + + /* +- * Update ICR high and low, then emulate sending IPI, +- * which is handled when writing APIC_ICR. ++ * At this point, we expect that the AVIC HW has already ++ * set the appropriate IRR bits on the valid target ++ * vcpus. So, we just need to kick the appropriate vcpu. + */ +- kvm_lapic_reg_write(apic, APIC_ICR2, icrh); +- kvm_lapic_reg_write(apic, APIC_ICR, icrl); ++ kvm_for_each_vcpu(i, vcpu, kvm) { ++ bool m = kvm_apic_match_dest(vcpu, apic, ++ icrl & KVM_APIC_SHORT_MASK, ++ GET_APIC_DEST_FIELD(icrh), ++ icrl & KVM_APIC_DEST_MASK); ++ ++ if (m && !avic_vcpu_is_running(vcpu)) ++ kvm_vcpu_wake_up(vcpu); ++ } + break; + } + case AVIC_IPI_FAILURE_INVALID_TARGET: +diff --git a/crypto/testmgr.h b/crypto/testmgr.h +index 862ee1d04263..74e1454cae1e 100644 +--- a/crypto/testmgr.h ++++ b/crypto/testmgr.h +@@ -5592,7 +5592,49 @@ static const struct hash_testvec poly1305_tv_template[] = { + .psize = 80, + .digest = "\x13\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00", +- }, ++ }, { /* Regression test for overflow in AVX2 implementation */ ++ .plaintext = "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" 
++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff\xff\xff\xff\xff" ++ "\xff\xff\xff\xff", ++ .psize = 300, ++ .digest = "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8" ++ "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1", ++ } + }; + + /* +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c +index df2175b1169a..925dbc751322 100644 +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -1298,19 +1298,30 @@ static ssize_t scrub_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct nvdimm_bus_descriptor *nd_desc; ++ struct acpi_nfit_desc *acpi_desc; + ssize_t rc = -ENXIO; ++ bool busy; + + device_lock(dev); + nd_desc = dev_get_drvdata(dev); +- if (nd_desc) { +- struct acpi_nfit_desc *acpi_desc = to_acpi_desc(nd_desc); ++ if (!nd_desc) { ++ device_unlock(dev); ++ return rc; ++ } ++ acpi_desc = to_acpi_desc(nd_desc); + +- mutex_lock(&acpi_desc->init_mutex); +- rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, +- acpi_desc->scrub_busy +- && !acpi_desc->cancel ? "+\n" : "\n"); +- mutex_unlock(&acpi_desc->init_mutex); ++ mutex_lock(&acpi_desc->init_mutex); ++ busy = test_bit(ARS_BUSY, &acpi_desc->scrub_flags) ++ && !test_bit(ARS_CANCEL, &acpi_desc->scrub_flags); ++ rc = sprintf(buf, "%d%s", acpi_desc->scrub_count, busy ? "+\n" : "\n"); ++ /* Allow an admin to poll the busy state at a higher rate */ ++ if (busy && capable(CAP_SYS_RAWIO) && !test_and_set_bit(ARS_POLL, ++ &acpi_desc->scrub_flags)) { ++ acpi_desc->scrub_tmo = 1; ++ mod_delayed_work(nfit_wq, &acpi_desc->dwork, HZ); + } ++ ++ mutex_unlock(&acpi_desc->init_mutex); + device_unlock(dev); + return rc; + } +@@ -2529,7 +2540,10 @@ static int ars_start(struct acpi_nfit_desc *acpi_desc, + + if (rc < 0) + return rc; +- return cmd_rc; ++ if (cmd_rc < 0) ++ return cmd_rc; ++ set_bit(ARS_VALID, &acpi_desc->scrub_flags); ++ return 0; + } + + static int ars_continue(struct acpi_nfit_desc *acpi_desc) +@@ -2539,11 +2553,11 @@ static int ars_continue(struct acpi_nfit_desc *acpi_desc) + struct nvdimm_bus_descriptor *nd_desc = &acpi_desc->nd_desc; + struct nd_cmd_ars_status *ars_status = acpi_desc->ars_status; + +- memset(&ars_start, 0, sizeof(ars_start)); +- ars_start.address = ars_status->restart_address; +- ars_start.length = ars_status->restart_length; +- ars_start.type = ars_status->type; +- ars_start.flags = acpi_desc->ars_start_flags; ++ ars_start = (struct nd_cmd_ars_start) { ++ .address = ars_status->restart_address, ++ .length = ars_status->restart_length, ++ .type = ars_status->type, ++ }; + rc = nd_desc->ndctl(nd_desc, NULL, ND_CMD_ARS_START, &ars_start, + sizeof(ars_start), &cmd_rc); + if (rc < 0) +@@ -2622,6 +2636,17 @@ static int ars_status_process_records(struct acpi_nfit_desc *acpi_desc) + */ + if (ars_status->out_length < 44) + return 0; ++ ++ /* ++ * Ignore potentially stale results that are only refreshed ++ * after a start-ARS event. 
++ */ ++ if (!test_and_clear_bit(ARS_VALID, &acpi_desc->scrub_flags)) { ++ dev_dbg(acpi_desc->dev, "skip %d stale records\n", ++ ars_status->num_records); ++ return 0; ++ } ++ + for (i = 0; i < ars_status->num_records; i++) { + /* only process full records */ + if (ars_status->out_length +@@ -2960,7 +2985,7 @@ static unsigned int __acpi_nfit_scrub(struct acpi_nfit_desc *acpi_desc, + + lockdep_assert_held(&acpi_desc->init_mutex); + +- if (acpi_desc->cancel) ++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) + return 0; + + if (query_rc == -EBUSY) { +@@ -3034,7 +3059,7 @@ static void __sched_ars(struct acpi_nfit_desc *acpi_desc, unsigned int tmo) + { + lockdep_assert_held(&acpi_desc->init_mutex); + +- acpi_desc->scrub_busy = 1; ++ set_bit(ARS_BUSY, &acpi_desc->scrub_flags); + /* note this should only be set from within the workqueue */ + if (tmo) + acpi_desc->scrub_tmo = tmo; +@@ -3050,7 +3075,7 @@ static void notify_ars_done(struct acpi_nfit_desc *acpi_desc) + { + lockdep_assert_held(&acpi_desc->init_mutex); + +- acpi_desc->scrub_busy = 0; ++ clear_bit(ARS_BUSY, &acpi_desc->scrub_flags); + acpi_desc->scrub_count++; + if (acpi_desc->scrub_count_state) + sysfs_notify_dirent(acpi_desc->scrub_count_state); +@@ -3071,6 +3096,7 @@ static void acpi_nfit_scrub(struct work_struct *work) + else + notify_ars_done(acpi_desc); + memset(acpi_desc->ars_status, 0, acpi_desc->max_ars); ++ clear_bit(ARS_POLL, &acpi_desc->scrub_flags); + mutex_unlock(&acpi_desc->init_mutex); + } + +@@ -3105,6 +3131,7 @@ static int acpi_nfit_register_regions(struct acpi_nfit_desc *acpi_desc) + struct nfit_spa *nfit_spa; + int rc; + ++ set_bit(ARS_VALID, &acpi_desc->scrub_flags); + list_for_each_entry(nfit_spa, &acpi_desc->spas, list) { + switch (nfit_spa_type(nfit_spa->spa)) { + case NFIT_SPA_VOLATILE: +@@ -3322,7 +3349,7 @@ int acpi_nfit_ars_rescan(struct acpi_nfit_desc *acpi_desc, + struct nfit_spa *nfit_spa; + + mutex_lock(&acpi_desc->init_mutex); +- if (acpi_desc->cancel) { ++ if (test_bit(ARS_CANCEL, &acpi_desc->scrub_flags)) { + mutex_unlock(&acpi_desc->init_mutex); + return 0; + } +@@ -3401,7 +3428,7 @@ void acpi_nfit_shutdown(void *data) + mutex_unlock(&acpi_desc_lock); + + mutex_lock(&acpi_desc->init_mutex); +- acpi_desc->cancel = 1; ++ set_bit(ARS_CANCEL, &acpi_desc->scrub_flags); + cancel_delayed_work_sync(&acpi_desc->dwork); + mutex_unlock(&acpi_desc->init_mutex); + +diff --git a/drivers/acpi/nfit/nfit.h b/drivers/acpi/nfit/nfit.h +index 02c10de50386..68848fc4b7c9 100644 +--- a/drivers/acpi/nfit/nfit.h ++++ b/drivers/acpi/nfit/nfit.h +@@ -181,6 +181,13 @@ struct nfit_mem { + bool has_lsw; + }; + ++enum scrub_flags { ++ ARS_BUSY, ++ ARS_CANCEL, ++ ARS_VALID, ++ ARS_POLL, ++}; ++ + struct acpi_nfit_desc { + struct nvdimm_bus_descriptor nd_desc; + struct acpi_table_header acpi_header; +@@ -194,7 +201,6 @@ struct acpi_nfit_desc { + struct list_head idts; + struct nvdimm_bus *nvdimm_bus; + struct device *dev; +- u8 ars_start_flags; + struct nd_cmd_ars_status *ars_status; + struct nfit_spa *scrub_spa; + struct delayed_work dwork; +@@ -203,8 +209,7 @@ struct acpi_nfit_desc { + unsigned int max_ars; + unsigned int scrub_count; + unsigned int scrub_mode; +- unsigned int scrub_busy:1; +- unsigned int cancel:1; ++ unsigned long scrub_flags; + unsigned long dimm_cmd_force_en; + unsigned long bus_cmd_force_en; + unsigned long bus_nfit_cmd_force_en; +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index d5f7a12e350e..3fb297b5fb17 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ 
b/drivers/char/ipmi/ipmi_msghandler.c +@@ -213,6 +213,9 @@ struct ipmi_user { + + /* Does this interface receive IPMI events? */ + bool gets_events; ++ ++ /* Free must run in process context for RCU cleanup. */ ++ struct work_struct remove_work; + }; + + static struct ipmi_user *acquire_ipmi_user(struct ipmi_user *user, int *index) +@@ -1078,6 +1081,15 @@ static int intf_err_seq(struct ipmi_smi *intf, + } + + ++static void free_user_work(struct work_struct *work) ++{ ++ struct ipmi_user *user = container_of(work, struct ipmi_user, ++ remove_work); ++ ++ cleanup_srcu_struct(&user->release_barrier); ++ kfree(user); ++} ++ + int ipmi_create_user(unsigned int if_num, + const struct ipmi_user_hndl *handler, + void *handler_data, +@@ -1121,6 +1133,8 @@ int ipmi_create_user(unsigned int if_num, + goto out_kfree; + + found: ++ INIT_WORK(&new_user->remove_work, free_user_work); ++ + rv = init_srcu_struct(&new_user->release_barrier); + if (rv) + goto out_kfree; +@@ -1183,8 +1197,9 @@ EXPORT_SYMBOL(ipmi_get_smi_info); + static void free_user(struct kref *ref) + { + struct ipmi_user *user = container_of(ref, struct ipmi_user, refcount); +- cleanup_srcu_struct(&user->release_barrier); +- kfree(user); ++ ++ /* SRCU cleanup must happen in task context. */ ++ schedule_work(&user->remove_work); + } + + static void _ipmi_destroy_user(struct ipmi_user *user) +diff --git a/drivers/char/tpm/eventlog/tpm2.c b/drivers/char/tpm/eventlog/tpm2.c +index 1b8fa9de2cac..41b9f6c92da7 100644 +--- a/drivers/char/tpm/eventlog/tpm2.c ++++ b/drivers/char/tpm/eventlog/tpm2.c +@@ -37,8 +37,8 @@ + * + * Returns size of the event. If it is an invalid event, returns 0. + */ +-static int calc_tpm2_event_size(struct tcg_pcr_event2 *event, +- struct tcg_pcr_event *event_header) ++static size_t calc_tpm2_event_size(struct tcg_pcr_event2 *event, ++ struct tcg_pcr_event *event_header) + { + struct tcg_efi_specid_event *efispecid; + struct tcg_event_field *event_field; +diff --git a/drivers/char/tpm/tpm_i2c_atmel.c b/drivers/char/tpm/tpm_i2c_atmel.c +index 32a8e27c5382..cc4e642d3180 100644 +--- a/drivers/char/tpm/tpm_i2c_atmel.c ++++ b/drivers/char/tpm/tpm_i2c_atmel.c +@@ -69,6 +69,10 @@ static int i2c_atmel_send(struct tpm_chip *chip, u8 *buf, size_t len) + if (status < 0) + return status; + ++ /* The upper layer does not support incomplete sends. 
*/ ++ if (status != len) ++ return -E2BIG; ++ + return 0; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c +index e70a0d4d6db4..c963eec58c70 100644 +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c +@@ -164,6 +164,7 @@ static void mmhub_v1_0_init_cache_regs(struct amdgpu_device *adev) + tmp = REG_SET_FIELD(tmp, VM_L2_CNTL3, + L2_CACHE_BIGK_FRAGMENT_SIZE, 6); + } ++ WREG32_SOC15(MMHUB, 0, mmVM_L2_CNTL3, tmp); + + tmp = mmVM_L2_CNTL4_DEFAULT; + tmp = REG_SET_FIELD(tmp, VM_L2_CNTL4, VMC_TAP_PDE_REQUEST_PHYSICAL, 0); +diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c +index f841accc2c00..f77c81db161b 100644 +--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c ++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c +@@ -730,7 +730,8 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, + } + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +- if (!(flags & TTM_PAGE_FLAG_DMA32)) { ++ if (!(flags & TTM_PAGE_FLAG_DMA32) && ++ (npages - i) >= HPAGE_PMD_NR) { + for (j = 0; j < HPAGE_PMD_NR; ++j) + if (p++ != pages[i + j]) + break; +@@ -759,7 +760,7 @@ static void ttm_put_pages(struct page **pages, unsigned npages, int flags, + unsigned max_size, n2free; + + spin_lock_irqsave(&huge->lock, irq_flags); +- while (i < npages) { ++ while ((npages - i) >= HPAGE_PMD_NR) { + struct page *p = pages[i]; + unsigned j; + +diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +index 1d645c9ab417..cac262a912c1 100644 +--- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c ++++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +@@ -337,7 +337,8 @@ static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "FlexBook edge11 - M-FBE11"), + }, + .driver_data = (void *)&sipodev_desc +- } ++ }, ++ { } /* Terminate list */ + }; + + +diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c +index 471caa5323e4..e5fdca74a630 100644 +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1437,6 +1437,8 @@ static int kxcjk1013_resume(struct device *dev) + + mutex_lock(&data->mutex); + ret = kxcjk1013_set_mode(data, OPERATION); ++ if (ret == 0) ++ ret = kxcjk1013_set_range(data, data->range); + mutex_unlock(&data->mutex); + + return ret; +diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c +index fc9510716ac7..ae2a5097f449 100644 +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -121,6 +121,7 @@ static int ad_sd_read_reg_raw(struct ad_sigma_delta *sigma_delta, + if (sigma_delta->info->has_registers) { + data[0] = reg << sigma_delta->info->addr_shift; + data[0] |= sigma_delta->info->read_mask; ++ data[0] |= sigma_delta->comm; + spi_message_add_tail(&t[0], &m); + } + spi_message_add_tail(&t[1], &m); +diff --git a/drivers/iio/adc/at91_adc.c b/drivers/iio/adc/at91_adc.c +index 75d2f73582a3..596841a3c4db 100644 +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -704,23 +704,29 @@ static int at91_adc_read_raw(struct iio_dev *idev, + ret = wait_event_interruptible_timeout(st->wq_data_avail, + st->done, + msecs_to_jiffies(1000)); +- if (ret == 0) +- ret = -ETIMEDOUT; +- if (ret < 0) { +- mutex_unlock(&st->lock); +- return ret; +- } +- +- *val = st->last_value; + ++ /* Disable interrupts, regardless if adc conversion was ++ * successful or not ++ */ + at91_adc_writel(st, AT91_ADC_CHDR, + 
AT91_ADC_CH(chan->channel)); + at91_adc_writel(st, AT91_ADC_IDR, BIT(chan->channel)); + +- st->last_value = 0; +- st->done = false; ++ if (ret > 0) { ++ /* a valid conversion took place */ ++ *val = st->last_value; ++ st->last_value = 0; ++ st->done = false; ++ ret = IIO_VAL_INT; ++ } else if (ret == 0) { ++ /* conversion timeout */ ++ dev_err(&idev->dev, "ADC Channel %d timeout.\n", ++ chan->channel); ++ ret = -ETIMEDOUT; ++ } ++ + mutex_unlock(&st->lock); +- return IIO_VAL_INT; ++ return ret; + + case IIO_CHAN_INFO_SCALE: + *val = st->vref_mv; +diff --git a/drivers/iio/chemical/bme680.h b/drivers/iio/chemical/bme680.h +index e049323f209a..71dd635fce2d 100644 +--- a/drivers/iio/chemical/bme680.h ++++ b/drivers/iio/chemical/bme680.h +@@ -2,11 +2,9 @@ + #ifndef BME680_H_ + #define BME680_H_ + +-#define BME680_REG_CHIP_I2C_ID 0xD0 +-#define BME680_REG_CHIP_SPI_ID 0x50 ++#define BME680_REG_CHIP_ID 0xD0 + #define BME680_CHIP_ID_VAL 0x61 +-#define BME680_REG_SOFT_RESET_I2C 0xE0 +-#define BME680_REG_SOFT_RESET_SPI 0x60 ++#define BME680_REG_SOFT_RESET 0xE0 + #define BME680_CMD_SOFTRESET 0xB6 + #define BME680_REG_STATUS 0x73 + #define BME680_SPI_MEM_PAGE_BIT BIT(4) +diff --git a/drivers/iio/chemical/bme680_core.c b/drivers/iio/chemical/bme680_core.c +index 7d9bb62baa3f..b2db59812755 100644 +--- a/drivers/iio/chemical/bme680_core.c ++++ b/drivers/iio/chemical/bme680_core.c +@@ -63,9 +63,23 @@ struct bme680_data { + s32 t_fine; + }; + ++static const struct regmap_range bme680_volatile_ranges[] = { ++ regmap_reg_range(BME680_REG_MEAS_STAT_0, BME680_REG_GAS_R_LSB), ++ regmap_reg_range(BME680_REG_STATUS, BME680_REG_STATUS), ++ regmap_reg_range(BME680_T2_LSB_REG, BME680_GH3_REG), ++}; ++ ++static const struct regmap_access_table bme680_volatile_table = { ++ .yes_ranges = bme680_volatile_ranges, ++ .n_yes_ranges = ARRAY_SIZE(bme680_volatile_ranges), ++}; ++ + const struct regmap_config bme680_regmap_config = { + .reg_bits = 8, + .val_bits = 8, ++ .max_register = 0xef, ++ .volatile_table = &bme680_volatile_table, ++ .cache_type = REGCACHE_RBTREE, + }; + EXPORT_SYMBOL(bme680_regmap_config); + +@@ -330,6 +344,10 @@ static s16 bme680_compensate_temp(struct bme680_data *data, + s64 var1, var2, var3; + s16 calc_temp; + ++ /* If the calibration is invalid, attempt to reload it */ ++ if (!calib->par_t2) ++ bme680_read_calib(data, calib); ++ + var1 = (adc_temp >> 3) - (calib->par_t1 << 1); + var2 = (var1 * calib->par_t2) >> 11; + var3 = ((var1 >> 1) * (var1 >> 1)) >> 12; +@@ -591,8 +609,7 @@ static int bme680_gas_config(struct bme680_data *data) + return ret; + } + +-static int bme680_read_temp(struct bme680_data *data, +- int *val, int *val2) ++static int bme680_read_temp(struct bme680_data *data, int *val) + { + struct device *dev = regmap_get_device(data->regmap); + int ret; +@@ -625,10 +642,9 @@ static int bme680_read_temp(struct bme680_data *data, + * compensate_press/compensate_humid to get compensated + * pressure/humidity readings. 
+ */ +- if (val && val2) { +- *val = comp_temp; +- *val2 = 100; +- return IIO_VAL_FRACTIONAL; ++ if (val) { ++ *val = comp_temp * 10; /* Centidegrees to millidegrees */ ++ return IIO_VAL_INT; + } + + return ret; +@@ -643,7 +659,7 @@ static int bme680_read_press(struct bme680_data *data, + s32 adc_press; + + /* Read and compensate temperature to get a reading of t_fine */ +- ret = bme680_read_temp(data, NULL, NULL); ++ ret = bme680_read_temp(data, NULL); + if (ret < 0) + return ret; + +@@ -676,7 +692,7 @@ static int bme680_read_humid(struct bme680_data *data, + u32 comp_humidity; + + /* Read and compensate temperature to get a reading of t_fine */ +- ret = bme680_read_temp(data, NULL, NULL); ++ ret = bme680_read_temp(data, NULL); + if (ret < 0) + return ret; + +@@ -769,7 +785,7 @@ static int bme680_read_raw(struct iio_dev *indio_dev, + case IIO_CHAN_INFO_PROCESSED: + switch (chan->type) { + case IIO_TEMP: +- return bme680_read_temp(data, val, val2); ++ return bme680_read_temp(data, val); + case IIO_PRESSURE: + return bme680_read_press(data, val, val2); + case IIO_HUMIDITYRELATIVE: +@@ -905,8 +921,28 @@ int bme680_core_probe(struct device *dev, struct regmap *regmap, + { + struct iio_dev *indio_dev; + struct bme680_data *data; ++ unsigned int val; + int ret; + ++ ret = regmap_write(regmap, BME680_REG_SOFT_RESET, ++ BME680_CMD_SOFTRESET); ++ if (ret < 0) { ++ dev_err(dev, "Failed to reset chip\n"); ++ return ret; ++ } ++ ++ ret = regmap_read(regmap, BME680_REG_CHIP_ID, &val); ++ if (ret < 0) { ++ dev_err(dev, "Error reading chip ID\n"); ++ return ret; ++ } ++ ++ if (val != BME680_CHIP_ID_VAL) { ++ dev_err(dev, "Wrong chip ID, got %x expected %x\n", ++ val, BME680_CHIP_ID_VAL); ++ return -ENODEV; ++ } ++ + indio_dev = devm_iio_device_alloc(dev, sizeof(*data)); + if (!indio_dev) + return -ENOMEM; +diff --git a/drivers/iio/chemical/bme680_i2c.c b/drivers/iio/chemical/bme680_i2c.c +index 06d4be539d2e..cfc4449edf1b 100644 +--- a/drivers/iio/chemical/bme680_i2c.c ++++ b/drivers/iio/chemical/bme680_i2c.c +@@ -23,8 +23,6 @@ static int bme680_i2c_probe(struct i2c_client *client, + { + struct regmap *regmap; + const char *name = NULL; +- unsigned int val; +- int ret; + + regmap = devm_regmap_init_i2c(client, &bme680_regmap_config); + if (IS_ERR(regmap)) { +@@ -33,25 +31,6 @@ static int bme680_i2c_probe(struct i2c_client *client, + return PTR_ERR(regmap); + } + +- ret = regmap_write(regmap, BME680_REG_SOFT_RESET_I2C, +- BME680_CMD_SOFTRESET); +- if (ret < 0) { +- dev_err(&client->dev, "Failed to reset chip\n"); +- return ret; +- } +- +- ret = regmap_read(regmap, BME680_REG_CHIP_I2C_ID, &val); +- if (ret < 0) { +- dev_err(&client->dev, "Error reading I2C chip ID\n"); +- return ret; +- } +- +- if (val != BME680_CHIP_ID_VAL) { +- dev_err(&client->dev, "Wrong chip ID, got %x expected %x\n", +- val, BME680_CHIP_ID_VAL); +- return -ENODEV; +- } +- + if (id) + name = id->name; + +diff --git a/drivers/iio/chemical/bme680_spi.c b/drivers/iio/chemical/bme680_spi.c +index c9fb05e8d0b9..881778e55d38 100644 +--- a/drivers/iio/chemical/bme680_spi.c ++++ b/drivers/iio/chemical/bme680_spi.c +@@ -11,28 +11,93 @@ + + #include "bme680.h" + ++struct bme680_spi_bus_context { ++ struct spi_device *spi; ++ u8 current_page; ++}; ++ ++/* ++ * In SPI mode there are only 7 address bits, a "page" register determines ++ * which part of the 8-bit range is active. 
This function looks at the address ++ * and writes the page selection bit if needed ++ */ ++static int bme680_regmap_spi_select_page( ++ struct bme680_spi_bus_context *ctx, u8 reg) ++{ ++ struct spi_device *spi = ctx->spi; ++ int ret; ++ u8 buf[2]; ++ u8 page = (reg & 0x80) ? 0 : 1; /* Page "1" is low range */ ++ ++ if (page == ctx->current_page) ++ return 0; ++ ++ /* ++ * Data sheet claims we're only allowed to change bit 4, so we must do ++ * a read-modify-write on each and every page select ++ */ ++ buf[0] = BME680_REG_STATUS; ++ ret = spi_write_then_read(spi, buf, 1, buf + 1, 1); ++ if (ret < 0) { ++ dev_err(&spi->dev, "failed to set page %u\n", page); ++ return ret; ++ } ++ ++ buf[0] = BME680_REG_STATUS; ++ if (page) ++ buf[1] |= BME680_SPI_MEM_PAGE_BIT; ++ else ++ buf[1] &= ~BME680_SPI_MEM_PAGE_BIT; ++ ++ ret = spi_write(spi, buf, 2); ++ if (ret < 0) { ++ dev_err(&spi->dev, "failed to set page %u\n", page); ++ return ret; ++ } ++ ++ ctx->current_page = page; ++ ++ return 0; ++} ++ + static int bme680_regmap_spi_write(void *context, const void *data, + size_t count) + { +- struct spi_device *spi = context; ++ struct bme680_spi_bus_context *ctx = context; ++ struct spi_device *spi = ctx->spi; ++ int ret; + u8 buf[2]; + + memcpy(buf, data, 2); ++ ++ ret = bme680_regmap_spi_select_page(ctx, buf[0]); ++ if (ret) ++ return ret; ++ + /* + * The SPI register address (= full register address without bit 7) + * and the write command (bit7 = RW = '0') + */ + buf[0] &= ~0x80; + +- return spi_write_then_read(spi, buf, 2, NULL, 0); ++ return spi_write(spi, buf, 2); + } + + static int bme680_regmap_spi_read(void *context, const void *reg, + size_t reg_size, void *val, size_t val_size) + { +- struct spi_device *spi = context; ++ struct bme680_spi_bus_context *ctx = context; ++ struct spi_device *spi = ctx->spi; ++ int ret; ++ u8 addr = *(const u8 *)reg; ++ ++ ret = bme680_regmap_spi_select_page(ctx, addr); ++ if (ret) ++ return ret; + +- return spi_write_then_read(spi, reg, reg_size, val, val_size); ++ addr |= 0x80; /* bit7 = RW = '1' */ ++ ++ return spi_write_then_read(spi, &addr, 1, val, val_size); + } + + static struct regmap_bus bme680_regmap_bus = { +@@ -45,8 +110,8 @@ static struct regmap_bus bme680_regmap_bus = { + static int bme680_spi_probe(struct spi_device *spi) + { + const struct spi_device_id *id = spi_get_device_id(spi); ++ struct bme680_spi_bus_context *bus_context; + struct regmap *regmap; +- unsigned int val; + int ret; + + spi->bits_per_word = 8; +@@ -56,45 +121,21 @@ static int bme680_spi_probe(struct spi_device *spi) + return ret; + } + ++ bus_context = devm_kzalloc(&spi->dev, sizeof(*bus_context), GFP_KERNEL); ++ if (!bus_context) ++ return -ENOMEM; ++ ++ bus_context->spi = spi; ++ bus_context->current_page = 0xff; /* Undefined on warm boot */ ++ + regmap = devm_regmap_init(&spi->dev, &bme680_regmap_bus, +- &spi->dev, &bme680_regmap_config); ++ bus_context, &bme680_regmap_config); + if (IS_ERR(regmap)) { + dev_err(&spi->dev, "Failed to register spi regmap %d\n", + (int)PTR_ERR(regmap)); + return PTR_ERR(regmap); + } + +- ret = regmap_write(regmap, BME680_REG_SOFT_RESET_SPI, +- BME680_CMD_SOFTRESET); +- if (ret < 0) { +- dev_err(&spi->dev, "Failed to reset chip\n"); +- return ret; +- } +- +- /* after power-on reset, Page 0(0x80-0xFF) of spi_mem_page is active */ +- ret = regmap_read(regmap, BME680_REG_CHIP_SPI_ID, &val); +- if (ret < 0) { +- dev_err(&spi->dev, "Error reading SPI chip ID\n"); +- return ret; +- } +- +- if (val != BME680_CHIP_ID_VAL) { +- dev_err(&spi->dev, "Wrong 
chip ID, got %x expected %x\n", +- val, BME680_CHIP_ID_VAL); +- return -ENODEV; +- } +- /* +- * select Page 1 of spi_mem_page to enable access to +- * to registers from address 0x00 to 0x7F. +- */ +- ret = regmap_write_bits(regmap, BME680_REG_STATUS, +- BME680_SPI_MEM_PAGE_BIT, +- BME680_SPI_MEM_PAGE_1_VAL); +- if (ret < 0) { +- dev_err(&spi->dev, "failed to set page 1 of spi_mem_page\n"); +- return ret; +- } +- + return bme680_core_probe(&spi->dev, regmap, id->name); + } + +diff --git a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c +index 89cb0066a6e0..8d76afb87d87 100644 +--- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c ++++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors.c +@@ -103,9 +103,10 @@ static int cros_ec_sensors_read(struct iio_dev *indio_dev, + * Do not use IIO_DEGREE_TO_RAD to avoid precision + * loss. Round to the nearest integer. + */ +- *val = div_s64(val64 * 314159 + 9000000ULL, 1000); +- *val2 = 18000 << (CROS_EC_SENSOR_BITS - 1); +- ret = IIO_VAL_FRACTIONAL; ++ *val = 0; ++ *val2 = div_s64(val64 * 3141592653ULL, ++ 180 << (CROS_EC_SENSOR_BITS - 1)); ++ ret = IIO_VAL_INT_PLUS_NANO; + break; + case MOTIONSENSE_TYPE_MAG: + /* +diff --git a/drivers/iio/dac/mcp4725.c b/drivers/iio/dac/mcp4725.c +index 8b5aad4c32d9..30dc2775cbfb 100644 +--- a/drivers/iio/dac/mcp4725.c ++++ b/drivers/iio/dac/mcp4725.c +@@ -98,6 +98,7 @@ static ssize_t mcp4725_store_eeprom(struct device *dev, + + inoutbuf[0] = 0x60; /* write EEPROM */ + inoutbuf[0] |= data->ref_mode << 3; ++ inoutbuf[0] |= data->powerdown ? ((data->powerdown_mode + 1) << 1) : 0; + inoutbuf[1] = data->dac_value >> 4; + inoutbuf[2] = (data->dac_value & 0xf) << 4; + +diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c +index 63ca31628a93..92c07ab826eb 100644 +--- a/drivers/iio/gyro/bmg160_core.c ++++ b/drivers/iio/gyro/bmg160_core.c +@@ -582,11 +582,10 @@ static int bmg160_read_raw(struct iio_dev *indio_dev, + case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY: + return bmg160_get_filter(data, val); + case IIO_CHAN_INFO_SCALE: +- *val = 0; + switch (chan->type) { + case IIO_TEMP: +- *val2 = 500000; +- return IIO_VAL_INT_PLUS_MICRO; ++ *val = 500; ++ return IIO_VAL_INT; + case IIO_ANGL_VEL: + { + int i; +@@ -594,6 +593,7 @@ static int bmg160_read_raw(struct iio_dev *indio_dev, + for (i = 0; i < ARRAY_SIZE(bmg160_scale_table); ++i) { + if (bmg160_scale_table[i].dps_range == + data->dps_range) { ++ *val = 0; + *val2 = bmg160_scale_table[i].scale; + return IIO_VAL_INT_PLUS_MICRO; + } +diff --git a/drivers/iio/gyro/mpu3050-core.c b/drivers/iio/gyro/mpu3050-core.c +index 77fac81a3adc..5ddebede31a6 100644 +--- a/drivers/iio/gyro/mpu3050-core.c ++++ b/drivers/iio/gyro/mpu3050-core.c +@@ -29,7 +29,8 @@ + + #include "mpu3050.h" + +-#define MPU3050_CHIP_ID 0x69 ++#define MPU3050_CHIP_ID 0x68 ++#define MPU3050_CHIP_ID_MASK 0x7E + + /* + * Register map: anything suffixed *_H is a big-endian high byte and always +@@ -1176,8 +1177,9 @@ int mpu3050_common_probe(struct device *dev, + goto err_power_down; + } + +- if (val != MPU3050_CHIP_ID) { +- dev_err(dev, "unsupported chip id %02x\n", (u8)val); ++ if ((val & MPU3050_CHIP_ID_MASK) != MPU3050_CHIP_ID) { ++ dev_err(dev, "unsupported chip id %02x\n", ++ (u8)(val & MPU3050_CHIP_ID_MASK)); + ret = -ENODEV; + goto err_power_down; + } +diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c +index cd5bfe39591b..dadd921a4a30 100644 +--- a/drivers/iio/industrialio-buffer.c ++++ 
b/drivers/iio/industrialio-buffer.c +@@ -320,9 +320,8 @@ static int iio_scan_mask_set(struct iio_dev *indio_dev, + const unsigned long *mask; + unsigned long *trialmask; + +- trialmask = kmalloc_array(BITS_TO_LONGS(indio_dev->masklength), +- sizeof(*trialmask), +- GFP_KERNEL); ++ trialmask = kcalloc(BITS_TO_LONGS(indio_dev->masklength), ++ sizeof(*trialmask), GFP_KERNEL); + if (trialmask == NULL) + return -ENOMEM; + if (!indio_dev->masklength) { +diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c +index a062cfddc5af..49d4b4f1a457 100644 +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -1735,10 +1735,10 @@ EXPORT_SYMBOL(__iio_device_register); + **/ + void iio_device_unregister(struct iio_dev *indio_dev) + { +- mutex_lock(&indio_dev->info_exist_lock); +- + cdev_device_del(&indio_dev->chrdev, &indio_dev->dev); + ++ mutex_lock(&indio_dev->info_exist_lock); ++ + iio_device_unregister_debugfs(indio_dev); + + iio_disable_all_buffers(indio_dev); +diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c +index 628ef617bb2f..f9525d6f0bfe 100644 +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1339,21 +1339,46 @@ static const struct acpi_device_id elan_acpi_id[] = { + { "ELAN0600", 0 }, + { "ELAN0601", 0 }, + { "ELAN0602", 0 }, ++ { "ELAN0603", 0 }, ++ { "ELAN0604", 0 }, + { "ELAN0605", 0 }, ++ { "ELAN0606", 0 }, ++ { "ELAN0607", 0 }, + { "ELAN0608", 0 }, + { "ELAN0609", 0 }, + { "ELAN060B", 0 }, + { "ELAN060C", 0 }, ++ { "ELAN060F", 0 }, ++ { "ELAN0610", 0 }, + { "ELAN0611", 0 }, + { "ELAN0612", 0 }, ++ { "ELAN0615", 0 }, ++ { "ELAN0616", 0 }, + { "ELAN0617", 0 }, + { "ELAN0618", 0 }, ++ { "ELAN0619", 0 }, ++ { "ELAN061A", 0 }, ++ { "ELAN061B", 0 }, + { "ELAN061C", 0 }, + { "ELAN061D", 0 }, + { "ELAN061E", 0 }, ++ { "ELAN061F", 0 }, + { "ELAN0620", 0 }, + { "ELAN0621", 0 }, + { "ELAN0622", 0 }, ++ { "ELAN0623", 0 }, ++ { "ELAN0624", 0 }, ++ { "ELAN0625", 0 }, ++ { "ELAN0626", 0 }, ++ { "ELAN0627", 0 }, ++ { "ELAN0628", 0 }, ++ { "ELAN0629", 0 }, ++ { "ELAN062A", 0 }, ++ { "ELAN062B", 0 }, ++ { "ELAN062C", 0 }, ++ { "ELAN062D", 0 }, ++ { "ELAN0631", 0 }, ++ { "ELAN0632", 0 }, + { "ELAN1000", 0 }, + { } + }; +diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c +index 8dae12b841b3..629860f7327c 100644 +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -429,7 +429,7 @@ static u16 esdhc_readw_le(struct sdhci_host *host, int reg) + val = readl(host->ioaddr + ESDHC_MIX_CTRL); + else if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) + /* the std tuning bits is in ACMD12_ERR for imx6sl */ +- val = readl(host->ioaddr + SDHCI_ACMD12_ERR); ++ val = readl(host->ioaddr + SDHCI_AUTO_CMD_STATUS); + } + + if (val & ESDHC_MIX_CTRL_EXE_TUNE) +@@ -494,7 +494,7 @@ static void esdhc_writew_le(struct sdhci_host *host, u16 val, int reg) + } + writel(new_val , host->ioaddr + ESDHC_MIX_CTRL); + } else if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) { +- u32 v = readl(host->ioaddr + SDHCI_ACMD12_ERR); ++ u32 v = readl(host->ioaddr + SDHCI_AUTO_CMD_STATUS); + u32 m = readl(host->ioaddr + ESDHC_MIX_CTRL); + if (val & SDHCI_CTRL_TUNED_CLK) { + v |= ESDHC_MIX_CTRL_SMPCLK_SEL; +@@ -512,7 +512,7 @@ static void esdhc_writew_le(struct sdhci_host *host, u16 val, int reg) + v &= ~ESDHC_MIX_CTRL_EXE_TUNE; + } + +- writel(v, host->ioaddr + SDHCI_ACMD12_ERR); ++ writel(v, host->ioaddr + SDHCI_AUTO_CMD_STATUS); + writel(m, 
host->ioaddr + ESDHC_MIX_CTRL); + } + return; +@@ -957,9 +957,9 @@ static void esdhc_reset_tuning(struct sdhci_host *host) + writel(ctrl, host->ioaddr + ESDHC_MIX_CTRL); + writel(0, host->ioaddr + ESDHC_TUNE_CTRL_STATUS); + } else if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) { +- ctrl = readl(host->ioaddr + SDHCI_ACMD12_ERR); ++ ctrl = readl(host->ioaddr + SDHCI_AUTO_CMD_STATUS); + ctrl &= ~ESDHC_MIX_CTRL_SMPCLK_SEL; +- writel(ctrl, host->ioaddr + SDHCI_ACMD12_ERR); ++ writel(ctrl, host->ioaddr + SDHCI_AUTO_CMD_STATUS); + } + } + } +@@ -1319,7 +1319,7 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev) + + /* clear tuning bits in case ROM has set it already */ + writel(0x0, host->ioaddr + ESDHC_MIX_CTRL); +- writel(0x0, host->ioaddr + SDHCI_ACMD12_ERR); ++ writel(0x0, host->ioaddr + SDHCI_AUTO_CMD_STATUS); + writel(0x0, host->ioaddr + ESDHC_TUNE_CTRL_STATUS); + } + +diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c +index 654051e00117..c749d3dc1d36 100644 +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -82,8 +82,8 @@ void sdhci_dumpregs(struct sdhci_host *host) + SDHCI_DUMP("Int enab: 0x%08x | Sig enab: 0x%08x\n", + sdhci_readl(host, SDHCI_INT_ENABLE), + sdhci_readl(host, SDHCI_SIGNAL_ENABLE)); +- SDHCI_DUMP("AC12 err: 0x%08x | Slot int: 0x%08x\n", +- sdhci_readw(host, SDHCI_ACMD12_ERR), ++ SDHCI_DUMP("ACmd stat: 0x%08x | Slot int: 0x%08x\n", ++ sdhci_readw(host, SDHCI_AUTO_CMD_STATUS), + sdhci_readw(host, SDHCI_SLOT_INT_STATUS)); + SDHCI_DUMP("Caps: 0x%08x | Caps_1: 0x%08x\n", + sdhci_readl(host, SDHCI_CAPABILITIES), +@@ -841,6 +841,11 @@ static void sdhci_set_transfer_irqs(struct sdhci_host *host) + else + host->ier = (host->ier & ~dma_irqs) | pio_irqs; + ++ if (host->flags & (SDHCI_AUTO_CMD23 | SDHCI_AUTO_CMD12)) ++ host->ier |= SDHCI_INT_AUTO_CMD_ERR; ++ else ++ host->ier &= ~SDHCI_INT_AUTO_CMD_ERR; ++ + sdhci_writel(host, host->ier, SDHCI_INT_ENABLE); + sdhci_writel(host, host->ier, SDHCI_SIGNAL_ENABLE); + } +@@ -1078,8 +1083,7 @@ static bool sdhci_needs_reset(struct sdhci_host *host, struct mmc_request *mrq) + return (!(host->flags & SDHCI_DEVICE_DEAD) && + ((mrq->cmd && mrq->cmd->error) || + (mrq->sbc && mrq->sbc->error) || +- (mrq->data && ((mrq->data->error && !mrq->data->stop) || +- (mrq->data->stop && mrq->data->stop->error))) || ++ (mrq->data && mrq->data->stop && mrq->data->stop->error) || + (host->quirks & SDHCI_QUIRK_RESET_AFTER_REQUEST))); + } + +@@ -1131,6 +1135,16 @@ static void sdhci_finish_data(struct sdhci_host *host) + host->data = NULL; + host->data_cmd = NULL; + ++ /* ++ * The controller needs a reset of internal state machines upon error ++ * conditions. ++ */ ++ if (data->error) { ++ if (!host->cmd || host->cmd == data_cmd) ++ sdhci_do_reset(host, SDHCI_RESET_CMD); ++ sdhci_do_reset(host, SDHCI_RESET_DATA); ++ } ++ + if ((host->flags & (SDHCI_REQ_USE_DMA | SDHCI_USE_ADMA)) == + (SDHCI_REQ_USE_DMA | SDHCI_USE_ADMA)) + sdhci_adma_table_post(host, data); +@@ -1155,17 +1169,6 @@ static void sdhci_finish_data(struct sdhci_host *host) + if (data->stop && + (data->error || + !data->mrq->sbc)) { +- +- /* +- * The controller needs a reset of internal state machines +- * upon error conditions. +- */ +- if (data->error) { +- if (!host->cmd || host->cmd == data_cmd) +- sdhci_do_reset(host, SDHCI_RESET_CMD); +- sdhci_do_reset(host, SDHCI_RESET_DATA); +- } +- + /* + * 'cap_cmd_during_tfr' request must not use the command line + * after mmc_command_done() has been called. 
It is upper layer's +@@ -2642,8 +2645,23 @@ static void sdhci_timeout_data_timer(struct timer_list *t) + * * + \*****************************************************************************/ + +-static void sdhci_cmd_irq(struct sdhci_host *host, u32 intmask) ++static void sdhci_cmd_irq(struct sdhci_host *host, u32 intmask, u32 *intmask_p) + { ++ /* Handle auto-CMD12 error */ ++ if (intmask & SDHCI_INT_AUTO_CMD_ERR && host->data_cmd) { ++ struct mmc_request *mrq = host->data_cmd->mrq; ++ u16 auto_cmd_status = sdhci_readw(host, SDHCI_AUTO_CMD_STATUS); ++ int data_err_bit = (auto_cmd_status & SDHCI_AUTO_CMD_TIMEOUT) ? ++ SDHCI_INT_DATA_TIMEOUT : ++ SDHCI_INT_DATA_CRC; ++ ++ /* Treat auto-CMD12 error the same as data error */ ++ if (!mrq->sbc && (host->flags & SDHCI_AUTO_CMD12)) { ++ *intmask_p |= data_err_bit; ++ return; ++ } ++ } ++ + if (!host->cmd) { + /* + * SDHCI recovers from errors by resetting the cmd and data +@@ -2665,20 +2683,12 @@ static void sdhci_cmd_irq(struct sdhci_host *host, u32 intmask) + else + host->cmd->error = -EILSEQ; + +- /* +- * If this command initiates a data phase and a response +- * CRC error is signalled, the card can start transferring +- * data - the card may have received the command without +- * error. We must not terminate the mmc_request early. +- * +- * If the card did not receive the command or returned an +- * error which prevented it sending data, the data phase +- * will time out. +- */ ++ /* Treat data command CRC error the same as data CRC error */ + if (host->cmd->data && + (intmask & (SDHCI_INT_CRC | SDHCI_INT_TIMEOUT)) == + SDHCI_INT_CRC) { + host->cmd = NULL; ++ *intmask_p |= SDHCI_INT_DATA_CRC; + return; + } + +@@ -2686,6 +2696,21 @@ static void sdhci_cmd_irq(struct sdhci_host *host, u32 intmask) + return; + } + ++ /* Handle auto-CMD23 error */ ++ if (intmask & SDHCI_INT_AUTO_CMD_ERR) { ++ struct mmc_request *mrq = host->cmd->mrq; ++ u16 auto_cmd_status = sdhci_readw(host, SDHCI_AUTO_CMD_STATUS); ++ int err = (auto_cmd_status & SDHCI_AUTO_CMD_TIMEOUT) ? 
++ -ETIMEDOUT : ++ -EILSEQ; ++ ++ if (mrq->sbc && (host->flags & SDHCI_AUTO_CMD23)) { ++ mrq->sbc->error = err; ++ sdhci_finish_mrq(host, mrq); ++ return; ++ } ++ } ++ + if (intmask & SDHCI_INT_RESPONSE) + sdhci_finish_command(host); + } +@@ -2906,7 +2931,7 @@ static irqreturn_t sdhci_irq(int irq, void *dev_id) + } + + if (intmask & SDHCI_INT_CMD_MASK) +- sdhci_cmd_irq(host, intmask & SDHCI_INT_CMD_MASK); ++ sdhci_cmd_irq(host, intmask & SDHCI_INT_CMD_MASK, &intmask); + + if (intmask & SDHCI_INT_DATA_MASK) + sdhci_data_irq(host, intmask & SDHCI_INT_DATA_MASK); +diff --git a/drivers/mmc/host/sdhci.h b/drivers/mmc/host/sdhci.h +index f0bd36ce3817..0f8c4f3ccafc 100644 +--- a/drivers/mmc/host/sdhci.h ++++ b/drivers/mmc/host/sdhci.h +@@ -144,14 +144,15 @@ + #define SDHCI_INT_DATA_CRC 0x00200000 + #define SDHCI_INT_DATA_END_BIT 0x00400000 + #define SDHCI_INT_BUS_POWER 0x00800000 +-#define SDHCI_INT_ACMD12ERR 0x01000000 ++#define SDHCI_INT_AUTO_CMD_ERR 0x01000000 + #define SDHCI_INT_ADMA_ERROR 0x02000000 + + #define SDHCI_INT_NORMAL_MASK 0x00007FFF + #define SDHCI_INT_ERROR_MASK 0xFFFF8000 + + #define SDHCI_INT_CMD_MASK (SDHCI_INT_RESPONSE | SDHCI_INT_TIMEOUT | \ +- SDHCI_INT_CRC | SDHCI_INT_END_BIT | SDHCI_INT_INDEX) ++ SDHCI_INT_CRC | SDHCI_INT_END_BIT | SDHCI_INT_INDEX | \ ++ SDHCI_INT_AUTO_CMD_ERR) + #define SDHCI_INT_DATA_MASK (SDHCI_INT_DATA_END | SDHCI_INT_DMA_END | \ + SDHCI_INT_DATA_AVAIL | SDHCI_INT_SPACE_AVAIL | \ + SDHCI_INT_DATA_TIMEOUT | SDHCI_INT_DATA_CRC | \ +@@ -166,7 +167,11 @@ + + #define SDHCI_CQE_INT_MASK (SDHCI_CQE_INT_ERR_MASK | SDHCI_INT_CQE) + +-#define SDHCI_ACMD12_ERR 0x3C ++#define SDHCI_AUTO_CMD_STATUS 0x3C ++#define SDHCI_AUTO_CMD_TIMEOUT 0x00000002 ++#define SDHCI_AUTO_CMD_CRC 0x00000004 ++#define SDHCI_AUTO_CMD_END_BIT 0x00000008 ++#define SDHCI_AUTO_CMD_INDEX 0x00000010 + + #define SDHCI_HOST_CONTROL2 0x3E + #define SDHCI_CTRL_UHS_MASK 0x0007 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index b2c42cae3081..091b454e83fc 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3198,8 +3198,12 @@ static int bond_netdev_event(struct notifier_block *this, + return NOTIFY_DONE; + + if (event_dev->flags & IFF_MASTER) { ++ int ret; ++ + netdev_dbg(event_dev, "IFF_MASTER\n"); +- return bond_master_netdev_event(event, event_dev); ++ ret = bond_master_netdev_event(event, event_dev); ++ if (ret != NOTIFY_DONE) ++ return ret; + } + + if (event_dev->flags & IFF_SLAVE) { +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index 9800738448ec..dca02b35c231 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -32,6 +32,13 @@ + #define DRV_NAME "nicvf" + #define DRV_VERSION "1.0" + ++/* NOTE: Packets bigger than 1530 are split across multiple pages and XDP needs ++ * the buffer to be contiguous. 
Allow XDP to be set up only if we don't exceed ++ * this value, keeping headroom for the 14 byte Ethernet header and two ++ * VLAN tags (for QinQ) ++ */ ++#define MAX_XDP_MTU (1530 - ETH_HLEN - VLAN_HLEN * 2) ++ + /* Supported devices */ + static const struct pci_device_id nicvf_id_table[] = { + { PCI_DEVICE_SUB(PCI_VENDOR_ID_CAVIUM, +@@ -1547,6 +1554,15 @@ static int nicvf_change_mtu(struct net_device *netdev, int new_mtu) + struct nicvf *nic = netdev_priv(netdev); + int orig_mtu = netdev->mtu; + ++ /* For now just support only the usual MTU sized frames, ++ * plus some headroom for VLAN, QinQ. ++ */ ++ if (nic->xdp_prog && new_mtu > MAX_XDP_MTU) { ++ netdev_warn(netdev, "Jumbo frames not yet supported with XDP, current MTU %d.\n", ++ netdev->mtu); ++ return -EINVAL; ++ } ++ + netdev->mtu = new_mtu; + + if (!netif_running(netdev)) +@@ -1795,8 +1811,10 @@ static int nicvf_xdp_setup(struct nicvf *nic, struct bpf_prog *prog) + bool bpf_attached = false; + int ret = 0; + +- /* For now just support only the usual MTU sized frames */ +- if (prog && (dev->mtu > 1500)) { ++ /* For now just support only the usual MTU sized frames, ++ * plus some headroom for VLAN, QinQ. ++ */ ++ if (prog && dev->mtu > MAX_XDP_MTU) { + netdev_warn(dev, "Jumbo frames not yet supported with XDP, current MTU %d.\n", + dev->mtu); + return -EOPNOTSUPP; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c +index 8de64e88c670..22a2ef111514 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c +@@ -148,14 +148,16 @@ static int mlx5_fpga_tls_alloc_swid(struct idr *idr, spinlock_t *idr_spinlock, + return ret; + } + +-static void mlx5_fpga_tls_release_swid(struct idr *idr, +- spinlock_t *idr_spinlock, u32 swid) ++static void *mlx5_fpga_tls_release_swid(struct idr *idr, ++ spinlock_t *idr_spinlock, u32 swid) + { + unsigned long flags; ++ void *ptr; + + spin_lock_irqsave(idr_spinlock, flags); +- idr_remove(idr, swid); ++ ptr = idr_remove(idr, swid); + spin_unlock_irqrestore(idr_spinlock, flags); ++ return ptr; + } + + static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn, +@@ -165,20 +167,12 @@ static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn, + kfree(buf); + } + +-struct mlx5_teardown_stream_context { +- struct mlx5_fpga_tls_command_context cmd; +- u32 swid; +-}; +- + static void + mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn, + struct mlx5_fpga_device *fdev, + struct mlx5_fpga_tls_command_context *cmd, + struct mlx5_fpga_dma_buf *resp) + { +- struct mlx5_teardown_stream_context *ctx = +- container_of(cmd, struct mlx5_teardown_stream_context, cmd); +- + if (resp) { + u32 syndrome = MLX5_GET(tls_resp, resp->sg[0].data, syndrome); + +@@ -186,14 +180,6 @@ mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn, + mlx5_fpga_err(fdev, + "Teardown stream failed with syndrome = %d", + syndrome); +- else if (MLX5_GET(tls_cmd, cmd->buf.sg[0].data, direction_sx)) +- mlx5_fpga_tls_release_swid(&fdev->tls->tx_idr, +- &fdev->tls->tx_idr_spinlock, +- ctx->swid); +- else +- mlx5_fpga_tls_release_swid(&fdev->tls->rx_idr, +- &fdev->tls->rx_idr_spinlock, +- ctx->swid); + } + mlx5_fpga_tls_put_command_ctx(cmd); + } +@@ -217,22 +203,22 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, + void *cmd; + int ret; + +- rcu_read_lock(); +- flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); +- rcu_read_unlock(); +- +- if (!flow) { +- 
WARN_ONCE(1, "Received NULL pointer for handle\n"); +- return -EINVAL; +- } +- + buf = kzalloc(size, GFP_ATOMIC); + if (!buf) + return -ENOMEM; + + cmd = (buf + 1); + ++ rcu_read_lock(); ++ flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle)); ++ if (unlikely(!flow)) { ++ rcu_read_unlock(); ++ WARN_ONCE(1, "Received NULL pointer for handle\n"); ++ kfree(buf); ++ return -EINVAL; ++ } + mlx5_fpga_tls_flow_to_cmd(flow, cmd); ++ rcu_read_unlock(); + + MLX5_SET(tls_cmd, cmd, swid, ntohl(handle)); + MLX5_SET64(tls_cmd, cmd, tls_rcd_sn, be64_to_cpu(rcd_sn)); +@@ -253,7 +239,7 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_core_dev *mdev, u32 handle, u32 seq, + static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev, + void *flow, u32 swid, gfp_t flags) + { +- struct mlx5_teardown_stream_context *ctx; ++ struct mlx5_fpga_tls_command_context *ctx; + struct mlx5_fpga_dma_buf *buf; + void *cmd; + +@@ -261,7 +247,7 @@ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev, + if (!ctx) + return; + +- buf = &ctx->cmd.buf; ++ buf = &ctx->buf; + cmd = (ctx + 1); + MLX5_SET(tls_cmd, cmd, command_type, CMD_TEARDOWN_STREAM); + MLX5_SET(tls_cmd, cmd, swid, swid); +@@ -272,8 +258,7 @@ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev, + buf->sg[0].data = cmd; + buf->sg[0].size = MLX5_TLS_COMMAND_SIZE; + +- ctx->swid = swid; +- mlx5_fpga_tls_cmd_send(mdev->fpga, &ctx->cmd, ++ mlx5_fpga_tls_cmd_send(mdev->fpga, ctx, + mlx5_fpga_tls_teardown_completion); + } + +@@ -283,13 +268,14 @@ void mlx5_fpga_tls_del_flow(struct mlx5_core_dev *mdev, u32 swid, + struct mlx5_fpga_tls *tls = mdev->fpga->tls; + void *flow; + +- rcu_read_lock(); + if (direction_sx) +- flow = idr_find(&tls->tx_idr, swid); ++ flow = mlx5_fpga_tls_release_swid(&tls->tx_idr, ++ &tls->tx_idr_spinlock, ++ swid); + else +- flow = idr_find(&tls->rx_idr, swid); +- +- rcu_read_unlock(); ++ flow = mlx5_fpga_tls_release_swid(&tls->rx_idr, ++ &tls->rx_idr_spinlock, ++ swid); + + if (!flow) { + mlx5_fpga_err(mdev->fpga, "No flow information for swid %u\n", +@@ -297,6 +283,7 @@ void mlx5_fpga_tls_del_flow(struct mlx5_core_dev *mdev, u32 swid, + return; + } + ++ synchronize_rcu(); /* before kfree(flow) */ + mlx5_fpga_tls_send_teardown_cmd(mdev, flow, swid, flags); + } + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/action.c b/drivers/net/ethernet/netronome/nfp/flower/action.c +index 7a1e9cd9cc62..777b99416062 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/action.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/action.c +@@ -80,8 +80,7 @@ nfp_fl_push_vlan(struct nfp_fl_push_vlan *push_vlan, + + tmp_push_vlan_tci = + FIELD_PREP(NFP_FL_PUSH_VLAN_PRIO, tcf_vlan_push_prio(action)) | +- FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action)) | +- NFP_FL_PUSH_VLAN_CFI; ++ FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action)); + push_vlan->vlan_tci = cpu_to_be16(tmp_push_vlan_tci); + } + +diff --git a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h +index 325954b829c8..9b018321e24e 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h ++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h +@@ -55,7 +55,7 @@ + #define NFP_FLOWER_LAYER2_GENEVE_OP BIT(6) + + #define NFP_FLOWER_MASK_VLAN_PRIO GENMASK(15, 13) +-#define NFP_FLOWER_MASK_VLAN_CFI BIT(12) ++#define NFP_FLOWER_MASK_VLAN_PRESENT BIT(12) + #define NFP_FLOWER_MASK_VLAN_VID GENMASK(11, 0) + + #define NFP_FLOWER_MASK_MPLS_LB GENMASK(31, 12) +@@ -109,7 +109,6 @@ + #define 
NFP_FL_OUT_FLAGS_TYPE_IDX GENMASK(2, 0) + + #define NFP_FL_PUSH_VLAN_PRIO GENMASK(15, 13) +-#define NFP_FL_PUSH_VLAN_CFI BIT(12) + #define NFP_FL_PUSH_VLAN_VID GENMASK(11, 0) + + /* LAG ports */ +diff --git a/drivers/net/ethernet/netronome/nfp/flower/match.c b/drivers/net/ethernet/netronome/nfp/flower/match.c +index 17acb8cc6044..b99d55cf81f1 100644 +--- a/drivers/net/ethernet/netronome/nfp/flower/match.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/match.c +@@ -56,14 +56,12 @@ nfp_flower_compile_meta_tci(struct nfp_flower_meta_tci *frame, + FLOW_DISSECTOR_KEY_VLAN, + target); + /* Populate the tci field. */ +- if (flow_vlan->vlan_id || flow_vlan->vlan_priority) { +- tmp_tci = FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO, +- flow_vlan->vlan_priority) | +- FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID, +- flow_vlan->vlan_id) | +- NFP_FLOWER_MASK_VLAN_CFI; +- frame->tci = cpu_to_be16(tmp_tci); +- } ++ tmp_tci = NFP_FLOWER_MASK_VLAN_PRESENT; ++ tmp_tci |= FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO, ++ flow_vlan->vlan_priority) | ++ FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID, ++ flow_vlan->vlan_id); ++ frame->tci = cpu_to_be16(tmp_tci); + } + } + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 95ee9d815d76..e23eaf3f6d03 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1250,6 +1250,23 @@ static int team_port_add(struct team *team, struct net_device *port_dev, + goto err_option_port_add; + } + ++ /* set promiscuity level to new slave */ ++ if (dev->flags & IFF_PROMISC) { ++ err = dev_set_promiscuity(port_dev, 1); ++ if (err) ++ goto err_set_slave_promisc; ++ } ++ ++ /* set allmulti level to new slave */ ++ if (dev->flags & IFF_ALLMULTI) { ++ err = dev_set_allmulti(port_dev, 1); ++ if (err) { ++ if (dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(port_dev, -1); ++ goto err_set_slave_promisc; ++ } ++ } ++ + netif_addr_lock_bh(dev); + dev_uc_sync_multiple(port_dev, dev); + dev_mc_sync_multiple(port_dev, dev); +@@ -1266,6 +1283,9 @@ static int team_port_add(struct team *team, struct net_device *port_dev, + + return 0; + ++err_set_slave_promisc: ++ __team_option_inst_del_port(team, port); ++ + err_option_port_add: + team_upper_dev_unlink(team, port); + +@@ -1311,6 +1331,12 @@ static int team_port_del(struct team *team, struct net_device *port_dev) + + team_port_disable(team, port); + list_del_rcu(&port->list); ++ ++ if (dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(port_dev, -1); ++ if (dev->flags & IFF_ALLMULTI) ++ dev_set_allmulti(port_dev, -1); ++ + team_upper_dev_unlink(team, port); + netdev_rx_handler_unregister(port_dev); + team_port_disable_netpoll(port); +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00.h b/drivers/net/wireless/ralink/rt2x00/rt2x00.h +index a279a4363bc1..1d21424eae8a 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h +@@ -672,7 +672,6 @@ enum rt2x00_state_flags { + CONFIG_CHANNEL_HT40, + CONFIG_POWERSAVING, + CONFIG_HT_DISABLED, +- CONFIG_QOS_DISABLED, + CONFIG_MONITORING, + + /* +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +index fa2fd64084ac..da526684596f 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +@@ -642,18 +642,8 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw, + rt2x00dev->intf_associated--; + + rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated); +- +- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); + } + +- /* +- * Check 
for access point which do not support 802.11e . We have to +- * generate data frames sequence number in S/W for such AP, because +- * of H/W bug. +- */ +- if (changes & BSS_CHANGED_QOS && !bss_conf->qos) +- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags); +- + /* + * When the erp information has changed, we should perform + * additional configuration steps. For all other changes we are done. +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c +index 710e9641552e..85e320178a0e 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c +@@ -200,15 +200,18 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev, + if (!rt2x00_has_cap_flag(rt2x00dev, REQUIRE_SW_SEQNO)) { + /* + * rt2800 has a H/W (or F/W) bug, device incorrectly increase +- * seqno on retransmited data (non-QOS) frames. To workaround +- * the problem let's generate seqno in software if QOS is +- * disabled. ++ * seqno on retransmitted data (non-QOS) and management frames. ++ * To workaround the problem let's generate seqno in software. ++ * Except for beacons which are transmitted periodically by H/W ++ * hence hardware has to assign seqno for them. + */ +- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags)) +- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); +- else ++ if (ieee80211_is_beacon(hdr->frame_control)) { ++ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + /* H/W will generate sequence number */ + return; ++ } ++ ++ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags); + } + + /* +diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c +index 1797e47fab38..3d51a936f6d5 100644 +--- a/drivers/scsi/libfc/fc_rport.c ++++ b/drivers/scsi/libfc/fc_rport.c +@@ -2153,7 +2153,6 @@ static void fc_rport_recv_logo_req(struct fc_lport *lport, struct fc_frame *fp) + FC_RPORT_DBG(rdata, "Received LOGO request while in state %s\n", + fc_rport_state(rdata)); + +- rdata->flags &= ~FC_RP_STARTED; + fc_rport_enter_delete(rdata, RPORT_EV_STOP); + mutex_unlock(&rdata->rp_mutex); + kref_put(&rdata->kref, fc_rport_destroy); +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 655790f30434..1fc832751a4f 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -2149,8 +2149,12 @@ out_put_budget: + ret = BLK_STS_DEV_RESOURCE; + break; + default: ++ if (unlikely(!scsi_device_online(sdev))) ++ scsi_req(req)->result = DID_NO_CONNECT << 16; ++ else ++ scsi_req(req)->result = DID_ERROR << 16; + /* +- * Make sure to release all allocated ressources when ++ * Make sure to release all allocated resources when + * we hit an error, as we will never see this command + * again. 
+ */ +diff --git a/drivers/staging/comedi/drivers/ni_usb6501.c b/drivers/staging/comedi/drivers/ni_usb6501.c +index 808ed92ed66f..1bb1cb651349 100644 +--- a/drivers/staging/comedi/drivers/ni_usb6501.c ++++ b/drivers/staging/comedi/drivers/ni_usb6501.c +@@ -463,10 +463,8 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev) + + size = usb_endpoint_maxp(devpriv->ep_tx); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } +@@ -518,6 +516,9 @@ static int ni6501_auto_attach(struct comedi_device *dev, + if (!devpriv) + return -ENOMEM; + ++ mutex_init(&devpriv->mut); ++ usb_set_intfdata(intf, devpriv); ++ + ret = ni6501_find_endpoints(dev); + if (ret) + return ret; +@@ -526,9 +527,6 @@ static int ni6501_auto_attach(struct comedi_device *dev, + if (ret) + return ret; + +- mutex_init(&devpriv->mut); +- usb_set_intfdata(intf, devpriv); +- + ret = comedi_alloc_subdevices(dev, 2); + if (ret) + return ret; +diff --git a/drivers/staging/comedi/drivers/vmk80xx.c b/drivers/staging/comedi/drivers/vmk80xx.c +index 6234b649d887..65dc6c51037e 100644 +--- a/drivers/staging/comedi/drivers/vmk80xx.c ++++ b/drivers/staging/comedi/drivers/vmk80xx.c +@@ -682,10 +682,8 @@ static int vmk80xx_alloc_usb_buffers(struct comedi_device *dev) + + size = usb_endpoint_maxp(devpriv->ep_tx); + devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL); +- if (!devpriv->usb_tx_buf) { +- kfree(devpriv->usb_rx_buf); ++ if (!devpriv->usb_tx_buf) + return -ENOMEM; +- } + + return 0; + } +@@ -800,6 +798,8 @@ static int vmk80xx_auto_attach(struct comedi_device *dev, + + devpriv->model = board->model; + ++ sema_init(&devpriv->limit_sem, 8); ++ + ret = vmk80xx_find_usb_endpoints(dev); + if (ret) + return ret; +@@ -808,8 +808,6 @@ static int vmk80xx_auto_attach(struct comedi_device *dev, + if (ret) + return ret; + +- sema_init(&devpriv->limit_sem, 8); +- + usb_set_intfdata(intf, devpriv); + + if (devpriv->model == VMK8055_MODEL) +diff --git a/drivers/staging/iio/adc/ad7192.c b/drivers/staging/iio/adc/ad7192.c +index df0499fc4802..6857a4bf7297 100644 +--- a/drivers/staging/iio/adc/ad7192.c ++++ b/drivers/staging/iio/adc/ad7192.c +@@ -109,10 +109,10 @@ + #define AD7192_CH_AIN3 BIT(6) /* AIN3 - AINCOM */ + #define AD7192_CH_AIN4 BIT(7) /* AIN4 - AINCOM */ + +-#define AD7193_CH_AIN1P_AIN2M 0x000 /* AIN1(+) - AIN2(-) */ +-#define AD7193_CH_AIN3P_AIN4M 0x001 /* AIN3(+) - AIN4(-) */ +-#define AD7193_CH_AIN5P_AIN6M 0x002 /* AIN5(+) - AIN6(-) */ +-#define AD7193_CH_AIN7P_AIN8M 0x004 /* AIN7(+) - AIN8(-) */ ++#define AD7193_CH_AIN1P_AIN2M 0x001 /* AIN1(+) - AIN2(-) */ ++#define AD7193_CH_AIN3P_AIN4M 0x002 /* AIN3(+) - AIN4(-) */ ++#define AD7193_CH_AIN5P_AIN6M 0x004 /* AIN5(+) - AIN6(-) */ ++#define AD7193_CH_AIN7P_AIN8M 0x008 /* AIN7(+) - AIN8(-) */ + #define AD7193_CH_TEMP 0x100 /* Temp senseor */ + #define AD7193_CH_AIN2P_AIN2M 0x200 /* AIN2(+) - AIN2(-) */ + #define AD7193_CH_AIN1 0x401 /* AIN1 - AINCOM */ +diff --git a/drivers/staging/iio/meter/ade7854.c b/drivers/staging/iio/meter/ade7854.c +index 029c3bf42d4d..07774c000c5a 100644 +--- a/drivers/staging/iio/meter/ade7854.c ++++ b/drivers/staging/iio/meter/ade7854.c +@@ -269,7 +269,7 @@ static IIO_DEV_ATTR_VPEAK(0644, + static IIO_DEV_ATTR_IPEAK(0644, + ade7854_read_32bit, + ade7854_write_32bit, +- ADE7854_VPEAK); ++ ADE7854_IPEAK); + static IIO_DEV_ATTR_APHCAL(0644, + ade7854_read_16bit, + ade7854_write_16bit, +diff --git a/drivers/staging/most/core.c 
b/drivers/staging/most/core.c +index 52ad62722996..25a077f4ea94 100644 +--- a/drivers/staging/most/core.c ++++ b/drivers/staging/most/core.c +@@ -1412,7 +1412,7 @@ int most_register_interface(struct most_interface *iface) + + INIT_LIST_HEAD(&iface->p->channel_list); + iface->p->dev_id = id; +- snprintf(iface->p->name, STRING_SIZE, "mdev%d", id); ++ strcpy(iface->p->name, iface->description); + iface->dev.init_name = iface->p->name; + iface->dev.bus = &mc.bus; + iface->dev.parent = &mc.dev; +diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c +index cbbf239aea0f..03fe3fb4bff6 100644 +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -2497,14 +2497,16 @@ done: + * center of the last stop bit in sampling clocks. + */ + int last_stop = bits * 2 - 1; +- int deviation = min_err * srr * last_stop / 2 / baud; ++ int deviation = DIV_ROUND_CLOSEST(min_err * last_stop * ++ (int)(srr + 1), ++ 2 * (int)baud); + + if (abs(deviation) >= 2) { + /* At least two sampling clocks off at the + * last stop bit; we can increase the error + * margin by shifting the sampling point. + */ +- int shift = min(-8, max(7, deviation / 2)); ++ int shift = clamp(deviation / 2, -8, 7); + + hssrr |= (shift << HSCIF_SRHP_SHIFT) & + HSCIF_SRHP_MASK; +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index b9a9a07f1ee9..3e5ec1cee059 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1521,7 +1521,8 @@ static void csi_J(struct vc_data *vc, int vpar) + return; + } + scr_memsetw(start, vc->vc_video_erase_char, 2 * count); +- update_region(vc, (unsigned long) start, count); ++ if (con_should_update(vc)) ++ do_update_region(vc, (unsigned long) start, count); + vc->vc_need_wrap = 0; + } + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index b214a72d5caa..c163bc15976a 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -911,8 +911,12 @@ static int vhost_new_umem_range(struct vhost_umem *umem, + u64 start, u64 size, u64 end, + u64 userspace_addr, int perm) + { +- struct vhost_umem_node *tmp, *node = kmalloc(sizeof(*node), GFP_ATOMIC); ++ struct vhost_umem_node *tmp, *node; + ++ if (!size) ++ return -EFAULT; ++ ++ node = kmalloc(sizeof(*node), GFP_ATOMIC); + if (!node) + return -ENOMEM; + +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 80f33582059e..6f227cc781e5 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1263,6 +1263,7 @@ cifsFileInfo_get_locked(struct cifsFileInfo *cifs_file) + } + + struct cifsFileInfo *cifsFileInfo_get(struct cifsFileInfo *cifs_file); ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_hdlr); + void cifsFileInfo_put(struct cifsFileInfo *cifs_file); + + #define CIFS_CACHE_READ_FLG 1 +@@ -1763,6 +1764,7 @@ GLOBAL_EXTERN spinlock_t gidsidlock; + #endif /* CONFIG_CIFS_ACL */ + + void cifs_oplock_break(struct work_struct *work); ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile); + + extern const struct slow_work_ops cifs_oplock_break_ops; + extern struct workqueue_struct *cifsiod_wq; +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index d847132ab027..d6b45682833b 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -358,12 +358,30 @@ cifsFileInfo_get(struct cifsFileInfo *cifs_file) + return cifs_file; + } + +-/* +- * Release a reference on the file private data. This may involve closing +- * the filehandle out on the server. Must be called without holding +- * tcon->open_file_lock and cifs_file->file_info_lock. 
++/** ++ * cifsFileInfo_put - release a reference of file priv data ++ * ++ * Always potentially wait for oplock handler. See _cifsFileInfo_put(). + */ + void cifsFileInfo_put(struct cifsFileInfo *cifs_file) ++{ ++ _cifsFileInfo_put(cifs_file, true); ++} ++ ++/** ++ * _cifsFileInfo_put - release a reference of file priv data ++ * ++ * This may involve closing the filehandle @cifs_file out on the ++ * server. Must be called without holding tcon->open_file_lock and ++ * cifs_file->file_info_lock. ++ * ++ * If @wait_for_oplock_handler is true and we are releasing the last ++ * reference, wait for any running oplock break handler of the file ++ * and cancel any pending one. If calling this function from the ++ * oplock break handler, you need to pass false. ++ * ++ */ ++void _cifsFileInfo_put(struct cifsFileInfo *cifs_file, bool wait_oplock_handler) + { + struct inode *inode = d_inode(cifs_file->dentry); + struct cifs_tcon *tcon = tlink_tcon(cifs_file->tlink); +@@ -411,7 +429,8 @@ void cifsFileInfo_put(struct cifsFileInfo *cifs_file) + + spin_unlock(&tcon->open_file_lock); + +- oplock_break_cancelled = cancel_work_sync(&cifs_file->oplock_break); ++ oplock_break_cancelled = wait_oplock_handler ? ++ cancel_work_sync(&cifs_file->oplock_break) : false; + + if (!tcon->need_reconnect && !cifs_file->invalidHandle) { + struct TCP_Server_Info *server = tcon->ses->server; +@@ -4170,6 +4189,7 @@ void cifs_oplock_break(struct work_struct *work) + cinode); + cifs_dbg(FYI, "Oplock release rc = %d\n", rc); + } ++ _cifsFileInfo_put(cfile, false /* do not wait for ourself */); + cifs_done_oplock_break(cinode); + } + +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index 6926685e513c..facc94e159a1 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -490,8 +490,7 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv) + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &pCifsInode->flags); + +- queue_work(cifsoplockd_wq, +- &netfile->oplock_break); ++ cifs_queue_oplock_break(netfile); + netfile->oplock_break_cancelled = false; + + spin_unlock(&tcon->open_file_lock); +@@ -588,6 +587,28 @@ void cifs_put_writer(struct cifsInodeInfo *cinode) + spin_unlock(&cinode->writers_lock); + } + ++/** ++ * cifs_queue_oplock_break - queue the oplock break handler for cfile ++ * ++ * This function is called from the demultiplex thread when it ++ * receives an oplock break for @cfile. ++ * ++ * Assumes the tcon->open_file_lock is held. ++ * Assumes cfile->file_info_lock is NOT held. ++ */ ++void cifs_queue_oplock_break(struct cifsFileInfo *cfile) ++{ ++ /* ++ * Bump the handle refcount now while we hold the ++ * open_file_lock to enforce the validity of it for the oplock ++ * break handler. The matching put is done at the end of the ++ * handler. 
++ */ ++ cifsFileInfo_get(cfile); ++ ++ queue_work(cifsoplockd_wq, &cfile->oplock_break); ++} ++ + void cifs_done_oplock_break(struct cifsInodeInfo *cinode) + { + clear_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c +index 58700d2ba8cd..0a7ed2e3ad4f 100644 +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -555,7 +555,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp, + clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + +- queue_work(cifsoplockd_wq, &cfile->oplock_break); ++ cifs_queue_oplock_break(cfile); + kfree(lw); + return true; + } +@@ -719,8 +719,8 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) + CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, + &cinode->flags); + spin_unlock(&cfile->file_info_lock); +- queue_work(cifsoplockd_wq, +- &cfile->oplock_break); ++ ++ cifs_queue_oplock_break(cfile); + + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index d4d7d61a6fe2..2001184afe70 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1906,6 +1906,8 @@ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon, + + rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, &err_iov, + &resp_buftype); ++ if (!rc) ++ SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); + if (!rc || !err_iov.iov_base) { + rc = -ENOENT; + goto free_path; +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 71f32d983384..c6fd3acc5560 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3273,8 +3273,6 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, + rqst.rq_nvec = 1; + + rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, &rsp_iov); +- cifs_small_buf_release(req); +- + rsp = (struct smb2_read_rsp *)rsp_iov.iov_base; + + if (rc) { +@@ -3293,6 +3291,8 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, + io_parms->tcon->tid, ses->Suid, + io_parms->offset, io_parms->length); + ++ cifs_small_buf_release(req); ++ + *nbytes = le32_to_cpu(rsp->DataLength); + if ((*nbytes > CIFS_MAX_MSGSIZE) || + (*nbytes > io_parms->length)) { +@@ -3591,7 +3591,6 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms, + + rc = cifs_send_recv(xid, io_parms->tcon->ses, &rqst, + &resp_buftype, flags, &rsp_iov); +- cifs_small_buf_release(req); + rsp = (struct smb2_write_rsp *)rsp_iov.iov_base; + + if (rc) { +@@ -3609,6 +3608,7 @@ SMB2_write(const unsigned int xid, struct cifs_io_parms *io_parms, + io_parms->offset, *nbytes); + } + ++ cifs_small_buf_release(req); + free_rsp_buf(resp_buftype, rsp); + return rc; + } +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index d76fe166f6ce..c5819baee35c 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1138,6 +1138,24 @@ static ssize_t clear_refs_write(struct file *file, const char __user *buf, + count = -EINTR; + goto out_mm; + } ++ /* ++ * Avoid to modify vma->vm_flags ++ * without locked ops while the ++ * coredump reads the vm_flags. ++ */ ++ if (!mmget_still_valid(mm)) { ++ /* ++ * Silently return "count" ++ * like if get_task_mm() ++ * failed. FIXME: should this ++ * function have returned ++ * -ESRCH if get_task_mm() ++ * failed like if ++ * get_proc_task() fails? 
++ */ ++ up_write(&mm->mmap_sem); ++ goto out_mm; ++ } + for (vma = mm->mmap; vma; vma = vma->vm_next) { + vma->vm_flags &= ~VM_SOFTDIRTY; + vma_set_page_prot(vma); +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index d8b8323e80f4..aaca81b5e119 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -630,6 +630,8 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx, + + /* the various vma->vm_userfaultfd_ctx still points to it */ + down_write(&mm->mmap_sem); ++ /* no task can run (and in turn coredump) yet */ ++ VM_WARN_ON(!mmget_still_valid(mm)); + for (vma = mm->mmap; vma; vma = vma->vm_next) + if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) { + vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; +@@ -884,6 +886,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file) + * taking the mmap_sem for writing. + */ + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto skip_mm; + prev = NULL; + for (vma = mm->mmap; vma; vma = vma->vm_next) { + cond_resched(); +@@ -906,6 +910,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file) + vma->vm_flags = new_flags; + vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX; + } ++skip_mm: + up_write(&mm->mmap_sem); + mmput(mm); + wakeup: +@@ -1334,6 +1339,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, + goto out; + + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto out_unlock; + vma = find_vma_prev(mm, start, &prev); + if (!vma) + goto out_unlock; +@@ -1521,6 +1528,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, + goto out; + + down_write(&mm->mmap_sem); ++ if (!mmget_still_valid(mm)) ++ goto out_unlock; + vma = find_vma_prev(mm, start, &prev); + if (!vma) + goto out_unlock; +diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h +index e909413e4e38..32cae0f35b9d 100644 +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -173,6 +173,7 @@ struct kretprobe_instance { + struct kretprobe *rp; + kprobe_opcode_t *ret_addr; + struct task_struct *task; ++ void *fp; + char data[0]; + }; + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 21fef8c5eca7..8c2fec0bcb26 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1456,6 +1456,7 @@ struct net_device_ops { + * @IFF_FAILOVER: device is a failover master device + * @IFF_FAILOVER_SLAVE: device is lower dev of a failover master device + * @IFF_L3MDEV_RX_HANDLER: only invoke the rx handler of L3 master device ++ * @IFF_LIVE_RENAME_OK: rename is allowed while device is up and running + */ + enum netdev_priv_flags { + IFF_802_1Q_VLAN = 1<<0, +@@ -1488,6 +1489,7 @@ enum netdev_priv_flags { + IFF_FAILOVER = 1<<27, + IFF_FAILOVER_SLAVE = 1<<28, + IFF_L3MDEV_RX_HANDLER = 1<<29, ++ IFF_LIVE_RENAME_OK = 1<<30, + }; + + #define IFF_802_1Q_VLAN IFF_802_1Q_VLAN +@@ -1519,6 +1521,7 @@ enum netdev_priv_flags { + #define IFF_FAILOVER IFF_FAILOVER + #define IFF_FAILOVER_SLAVE IFF_FAILOVER_SLAVE + #define IFF_L3MDEV_RX_HANDLER IFF_L3MDEV_RX_HANDLER ++#define IFF_LIVE_RENAME_OK IFF_LIVE_RENAME_OK + + /** + * struct net_device - The DEVICE structure. 
+diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h +index aebb370a0006..cebb79fe2c72 100644 +--- a/include/linux/sched/mm.h ++++ b/include/linux/sched/mm.h +@@ -49,6 +49,27 @@ static inline void mmdrop(struct mm_struct *mm) + __mmdrop(mm); + } + ++/* ++ * This has to be called after a get_task_mm()/mmget_not_zero() ++ * followed by taking the mmap_sem for writing before modifying the ++ * vmas or anything the coredump pretends not to change from under it. ++ * ++ * NOTE: find_extend_vma() called from GUP context is the only place ++ * that can modify the "mm" (notably the vm_start/end) under mmap_sem ++ * for reading and outside the context of the process, so it is also ++ * the only case that holds the mmap_sem for reading that must call ++ * this function. Generally if the mmap_sem is hold for reading ++ * there's no need of this check after get_task_mm()/mmget_not_zero(). ++ * ++ * This function can be obsoleted and the check can be removed, after ++ * the coredump code will hold the mmap_sem for writing before ++ * invoking the ->core_dump methods. ++ */ ++static inline bool mmget_still_valid(struct mm_struct *mm) ++{ ++ return likely(!mm->core_state); ++} ++ + /** + * mmget() - Pin the address space associated with a &struct mm_struct. + * @mm: The address space to pin. +diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h +index 1662cbc0b46b..b02bf737d019 100644 +--- a/include/net/inet_frag.h ++++ b/include/net/inet_frag.h +@@ -77,8 +77,8 @@ struct inet_frag_queue { + struct timer_list timer; + spinlock_t lock; + refcount_t refcnt; +- struct sk_buff *fragments; /* Used in IPv6. */ +- struct rb_root rb_fragments; /* Used in IPv4. */ ++ struct sk_buff *fragments; /* used in 6lopwpan IPv6. */ ++ struct rb_root rb_fragments; /* Used in IPv4/IPv6. */ + struct sk_buff *fragments_tail; + struct sk_buff *last_run_head; + ktime_t stamp; +@@ -153,4 +153,16 @@ static inline void add_frag_mem_limit(struct netns_frags *nf, long val) + + extern const u8 ip_frag_ecn_table[16]; + ++/* Return values of inet_frag_queue_insert() */ ++#define IPFRAG_OK 0 ++#define IPFRAG_DUP 1 ++#define IPFRAG_OVERLAP 2 ++int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, ++ int offset, int end); ++void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, ++ struct sk_buff *parent); ++void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, ++ void *reasm_data); ++struct sk_buff *inet_frag_pull_head(struct inet_frag_queue *q); ++ + #endif +diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h +index 6ced1e6899b6..28aa9b30aece 100644 +--- a/include/net/ipv6_frag.h ++++ b/include/net/ipv6_frag.h +@@ -82,8 +82,15 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq) + __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMTIMEOUT); + + /* Don't send error if the first segment did not arrive. */ +- head = fq->q.fragments; +- if (!(fq->q.flags & INET_FRAG_FIRST_IN) || !head) ++ if (!(fq->q.flags & INET_FRAG_FIRST_IN)) ++ goto out; ++ ++ /* sk_buff::dev and sk_buff::rbnode are unionized. So we ++ * pull the head out of the tree in order to be able to ++ * deal with head->dev. 
++ */ ++ head = inet_frag_pull_head(&fq->q); ++ if (!head) + goto out; + + head->dev = dev; +diff --git a/include/net/tls.h b/include/net/tls.h +index 0a769cf2f5f3..c423b7d0b6ab 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -317,7 +317,7 @@ tls_validate_xmit_skb(struct sock *sk, struct net_device *dev, + static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk) + { + #ifdef CONFIG_SOCK_VALIDATE_XMIT +- return sk_fullsock(sk) & ++ return sk_fullsock(sk) && + (smp_load_acquire(&sk->sk_validate_xmit_skb) == + &tls_validate_xmit_skb); + #else +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 4344381664cc..29ff6635d259 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -703,7 +703,6 @@ static void unoptimize_kprobe(struct kprobe *p, bool force) + static int reuse_unused_kprobe(struct kprobe *ap) + { + struct optimized_kprobe *op; +- int ret; + + BUG_ON(!kprobe_unused(ap)); + /* +@@ -715,9 +714,8 @@ static int reuse_unused_kprobe(struct kprobe *ap) + /* Enable the probe again */ + ap->flags &= ~KPROBE_FLAG_DISABLED; + /* Optimize it again (remove from op->list) */ +- ret = kprobe_optready(ap); +- if (ret) +- return ret; ++ if (!kprobe_optready(ap)) ++ return -EINVAL; + + optimize_kprobe(ap); + return 0; +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 0cbdbbb0729f..26b57e24476f 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -3567,9 +3567,6 @@ __lock_set_class(struct lockdep_map *lock, const char *name, + unsigned int depth; + int i; + +- if (unlikely(!debug_locks)) +- return 0; +- + depth = curr->lockdep_depth; + /* + * This function is about (re)setting the class of a held lock, +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 640094391169..4aa8e7d90c25 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -4847,12 +4847,15 @@ static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer) + return HRTIMER_NORESTART; + } + ++extern const u64 max_cfs_quota_period; ++ + static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + { + struct cfs_bandwidth *cfs_b = + container_of(timer, struct cfs_bandwidth, period_timer); + int overrun; + int idle = 0; ++ int count = 0; + + raw_spin_lock(&cfs_b->lock); + for (;;) { +@@ -4860,6 +4863,28 @@ static enum hrtimer_restart sched_cfs_period_timer(struct hrtimer *timer) + if (!overrun) + break; + ++ if (++count > 3) { ++ u64 new, old = ktime_to_ns(cfs_b->period); ++ ++ new = (old * 147) / 128; /* ~115% */ ++ new = min(new, max_cfs_quota_period); ++ ++ cfs_b->period = ns_to_ktime(new); ++ ++ /* since max is 1s, this is limited to 1e9^2, which fits in u64 */ ++ cfs_b->quota *= new; ++ cfs_b->quota = div64_u64(cfs_b->quota, old); ++ ++ pr_warn_ratelimited( ++ "cfs_period_timer[cpu%d]: period too short, scaling up (new cfs_period_us %lld, cfs_quota_us = %lld)\n", ++ smp_processor_id(), ++ div_u64(new, NSEC_PER_USEC), ++ div_u64(cfs_b->quota, NSEC_PER_USEC)); ++ ++ /* reset count so we don't come right back in here */ ++ count = 0; ++ } ++ + idle = do_sched_cfs_period_timer(cfs_b, overrun); + } + if (idle) +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 9e22660153ff..9a85c7ae7362 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -125,6 +125,7 @@ static int zero; + static int __maybe_unused one = 1; + static int __maybe_unused two = 2; + static int __maybe_unused four = 4; ++static unsigned long zero_ul; + static unsigned long one_ul = 1; + static unsigned long long_max = LONG_MAX; + static int one_hundred = 
100; +@@ -1696,7 +1697,7 @@ static struct ctl_table fs_table[] = { + .maxlen = sizeof(files_stat.max_files), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, +- .extra1 = &zero, ++ .extra1 = &zero_ul, + .extra2 = &long_max, + }, + { +diff --git a/kernel/time/sched_clock.c b/kernel/time/sched_clock.c +index cbc72c2c1fca..78eb05aa8003 100644 +--- a/kernel/time/sched_clock.c ++++ b/kernel/time/sched_clock.c +@@ -275,7 +275,7 @@ static u64 notrace suspended_sched_clock_read(void) + return cd.read_data[seq & 1].epoch_cyc; + } + +-static int sched_clock_suspend(void) ++int sched_clock_suspend(void) + { + struct clock_read_data *rd = &cd.read_data[0]; + +@@ -286,7 +286,7 @@ static int sched_clock_suspend(void) + return 0; + } + +-static void sched_clock_resume(void) ++void sched_clock_resume(void) + { + struct clock_read_data *rd = &cd.read_data[0]; + +diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c +index 14de3727b18e..a02e0f6b287c 100644 +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -491,6 +491,7 @@ void tick_freeze(void) + trace_suspend_resume(TPS("timekeeping_freeze"), + smp_processor_id(), true); + system_state = SYSTEM_SUSPEND; ++ sched_clock_suspend(); + timekeeping_suspend(); + } else { + tick_suspend_local(); +@@ -514,6 +515,7 @@ void tick_unfreeze(void) + + if (tick_freeze_depth == num_online_cpus()) { + timekeeping_resume(); ++ sched_clock_resume(); + system_state = SYSTEM_RUNNING; + trace_suspend_resume(TPS("timekeeping_freeze"), + smp_processor_id(), false); +diff --git a/kernel/time/timekeeping.h b/kernel/time/timekeeping.h +index 7a9b4eb7a1d5..141ab3ab0354 100644 +--- a/kernel/time/timekeeping.h ++++ b/kernel/time/timekeeping.h +@@ -14,6 +14,13 @@ extern u64 timekeeping_max_deferment(void); + extern void timekeeping_warp_clock(void); + extern int timekeeping_suspend(void); + extern void timekeeping_resume(void); ++#ifdef CONFIG_GENERIC_SCHED_CLOCK ++extern int sched_clock_suspend(void); ++extern void sched_clock_resume(void); ++#else ++static inline int sched_clock_suspend(void) { return 0; } ++static inline void sched_clock_resume(void) { } ++#endif + + extern void do_timer(unsigned long ticks); + extern void update_wall_time(void); +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index e23eb9fc77aa..1688782f3dfb 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + #include + +@@ -6250,7 +6251,7 @@ void ftrace_reset_array_ops(struct trace_array *tr) + tr->ops->func = ftrace_stub; + } + +-static inline void ++static nokprobe_inline void + __ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + struct ftrace_ops *ignored, struct pt_regs *regs) + { +@@ -6310,11 +6311,13 @@ static void ftrace_ops_list_func(unsigned long ip, unsigned long parent_ip, + { + __ftrace_ops_list_func(ip, parent_ip, NULL, regs); + } ++NOKPROBE_SYMBOL(ftrace_ops_list_func); + #else + static void ftrace_ops_no_ops(unsigned long ip, unsigned long parent_ip) + { + __ftrace_ops_list_func(ip, parent_ip, NULL, NULL); + } ++NOKPROBE_SYMBOL(ftrace_ops_no_ops); + #endif + + /* +@@ -6341,6 +6344,7 @@ static void ftrace_ops_assist_func(unsigned long ip, unsigned long parent_ip, + preempt_enable_notrace(); + trace_clear_recursion(bit); + } ++NOKPROBE_SYMBOL(ftrace_ops_assist_func); + + /** + * ftrace_ops_get_func - get the function a trampoline should call +diff --git a/mm/mmap.c b/mm/mmap.c +index 43507f7e66b4..1480880ff814 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ 
-45,6 +45,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -2491,7 +2492,8 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) + vma = find_vma_prev(mm, addr, &prev); + if (vma && (vma->vm_start <= addr)) + return vma; +- if (!prev || expand_stack(prev, addr)) ++ /* don't alter vm_end if the coredump is running */ ++ if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr)) + return NULL; + if (prev->vm_flags & VM_LOCKED) + populate_vma_page_range(prev, addr, prev->vm_end, NULL); +@@ -2517,6 +2519,9 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr) + return vma; + if (!(vma->vm_flags & VM_GROWSDOWN)) + return NULL; ++ /* don't alter vm_start if the coredump is running */ ++ if (!mmget_still_valid(mm)) ++ return NULL; + start = vma->vm_start; + if (expand_stack(vma, addr)) + return NULL; +diff --git a/mm/percpu.c b/mm/percpu.c +index 4b90682623e9..41e58f3d8fbf 100644 +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -2529,8 +2529,8 @@ int __init pcpu_embed_first_chunk(size_t reserved_size, size_t dyn_size, + ai->groups[group].base_offset = areas[group] - base; + } + +- pr_info("Embedded %zu pages/cpu @%p s%zu r%zu d%zu u%zu\n", +- PFN_DOWN(size_sum), base, ai->static_size, ai->reserved_size, ++ pr_info("Embedded %zu pages/cpu s%zu r%zu d%zu u%zu\n", ++ PFN_DOWN(size_sum), ai->static_size, ai->reserved_size, + ai->dyn_size, ai->unit_size); + + rc = pcpu_setup_first_chunk(ai, base); +@@ -2651,8 +2651,8 @@ int __init pcpu_page_first_chunk(size_t reserved_size, + } + + /* we're ready, commit */ +- pr_info("%d %s pages/cpu @%p s%zu r%zu d%zu\n", +- unit_pages, psize_str, vm.addr, ai->static_size, ++ pr_info("%d %s pages/cpu s%zu r%zu d%zu\n", ++ unit_pages, psize_str, ai->static_size, + ai->reserved_size, ai->dyn_size); + + rc = pcpu_setup_first_chunk(ai, vm.addr); +diff --git a/mm/vmstat.c b/mm/vmstat.c +index 2878dc4e9af6..4a387937f9f5 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1272,13 +1272,8 @@ const char * const vmstat_text[] = { + #endif + #endif /* CONFIG_MEMORY_BALLOON */ + #ifdef CONFIG_DEBUG_TLBFLUSH +-#ifdef CONFIG_SMP + "nr_tlb_remote_flush", + "nr_tlb_remote_flush_received", +-#else +- "", /* nr_tlb_remote_flush */ +- "", /* nr_tlb_remote_flush_received */ +-#endif /* CONFIG_SMP */ + "nr_tlb_local_flush_all", + "nr_tlb_local_flush_one", + #endif /* CONFIG_DEBUG_TLBFLUSH */ +diff --git a/net/atm/lec.c b/net/atm/lec.c +index d7f5cf5b7594..ad4f829193f0 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -710,7 +710,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg) + + static int lec_mcast_attach(struct atm_vcc *vcc, int arg) + { +- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg]) ++ if (arg < 0 || arg >= MAX_LEC_ITF) ++ return -EINVAL; ++ arg = array_index_nospec(arg, MAX_LEC_ITF); ++ if (!dev_lec[arg]) + return -EINVAL; + vcc->proto_data = dev_lec[arg]; + return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc); +@@ -728,6 +731,7 @@ static int lecd_attach(struct atm_vcc *vcc, int arg) + i = arg; + if (arg >= MAX_LEC_ITF) + return -EINVAL; ++ i = array_index_nospec(arg, MAX_LEC_ITF); + if (!dev_lec[i]) { + int size; + +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 72074276c088..fed0ff446abb 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -195,13 +195,10 @@ static void __br_handle_local_finish(struct sk_buff *skb) + /* note: already called with rcu_read_lock */ + static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb) + { +- struct 
net_bridge_port *p = br_port_get_rcu(skb->dev); +- + __br_handle_local_finish(skb); + +- BR_INPUT_SKB_CB(skb)->brdev = p->br->dev; +- br_pass_frame_up(skb); +- return 0; ++ /* return 1 to signal the okfn() was called so it's ok to use the skb */ ++ return 1; + } + + /* +@@ -278,10 +275,18 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb) + goto forward; + } + +- /* Deliver packet to local host only */ +- NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(skb->dev), +- NULL, skb, skb->dev, NULL, br_handle_local_finish); +- return RX_HANDLER_CONSUMED; ++ /* The else clause should be hit when nf_hook(): ++ * - returns < 0 (drop/error) ++ * - returns = 0 (stolen/nf_queue) ++ * Thus return 1 from the okfn() to signal the skb is ok to pass ++ */ ++ if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, ++ dev_net(skb->dev), NULL, skb, skb->dev, NULL, ++ br_handle_local_finish) == 1) { ++ return RX_HANDLER_PASS; ++ } else { ++ return RX_HANDLER_CONSUMED; ++ } + } + + forward: +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 20ed7adcf1cc..75901c4641b1 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -2152,7 +2152,8 @@ static void br_multicast_start_querier(struct net_bridge *br, + + __br_multicast_open(br, query); + +- list_for_each_entry(port, &br->port_list, list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(port, &br->port_list, list) { + if (port->state == BR_STATE_DISABLED || + port->state == BR_STATE_BLOCKING) + continue; +@@ -2164,6 +2165,7 @@ static void br_multicast_start_querier(struct net_bridge *br, + br_multicast_enable(&port->ip6_own_query); + #endif + } ++ rcu_read_unlock(); + } + + int br_multicast_toggle(struct net_bridge *br, unsigned long val) +diff --git a/net/core/dev.c b/net/core/dev.c +index d47554307a6d..3bcec116a5f2 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *dev, const char *newname) + BUG_ON(!dev_net(dev)); + + net = dev_net(dev); +- if (dev->flags & IFF_UP) ++ ++ /* Some auto-enslaved devices e.g. failover slaves are ++ * special, as userspace might rename the device after ++ * the interface had been brought up and running since ++ * the point kernel initiated auto-enslavement. Allow ++ * live name change even when these slave devices are ++ * up and running. ++ * ++ * Typically, users of these auto-enslaving devices ++ * don't actually care about slave name change, as ++ * they are supposed to operate on master interface ++ * directly. 
++ */ ++ if (dev->flags & IFF_UP && ++ likely(!(dev->priv_flags & IFF_LIVE_RENAME_OK))) + return -EBUSY; + + write_seqcount_begin(&devnet_rename_seq); +diff --git a/net/core/failover.c b/net/core/failover.c +index 4a92a98ccce9..b5cd3c727285 100644 +--- a/net/core/failover.c ++++ b/net/core/failover.c +@@ -80,14 +80,14 @@ static int failover_slave_register(struct net_device *slave_dev) + goto err_upper_link; + } + +- slave_dev->priv_flags |= IFF_FAILOVER_SLAVE; ++ slave_dev->priv_flags |= (IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK); + + if (fops && fops->slave_register && + !fops->slave_register(slave_dev, failover_dev)) + return NOTIFY_OK; + + netdev_upper_dev_unlink(slave_dev, failover_dev); +- slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE; ++ slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK); + err_upper_link: + netdev_rx_handler_unregister(slave_dev); + done: +@@ -121,7 +121,7 @@ int failover_slave_unregister(struct net_device *slave_dev) + + netdev_rx_handler_unregister(slave_dev); + netdev_upper_dev_unlink(slave_dev, failover_dev); +- slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE; ++ slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK); + + if (fops && fops->slave_unregister && + !fops->slave_unregister(slave_dev, failover_dev)) +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index ceee28e184af..8b5768113acd 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -5071,7 +5071,8 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len); + + static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + { +- int mac_len; ++ int mac_len, meta_len; ++ void *meta; + + if (skb_cow(skb, skb_headroom(skb)) < 0) { + kfree_skb(skb); +@@ -5083,6 +5084,13 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), + mac_len - VLAN_HLEN - ETH_TLEN); + } ++ ++ meta_len = skb_metadata_len(skb); ++ if (meta_len) { ++ meta = skb_metadata_end(skb) - meta_len; ++ memmove(meta + VLAN_HLEN, meta, meta_len); ++ } ++ + skb->mac_header += VLAN_HLEN; + return skb; + } +diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c +index 500a59906b87..854ff1e4c41f 100644 +--- a/net/ipv4/fou.c ++++ b/net/ipv4/fou.c +@@ -120,6 +120,7 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + struct guehdr *guehdr; + void *data; + u16 doffset = 0; ++ u8 proto_ctype; + + if (!fou) + return 1; +@@ -211,13 +212,14 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb) + if (unlikely(guehdr->control)) + return gue_control_message(skb, guehdr); + ++ proto_ctype = guehdr->proto_ctype; + __skb_pull(skb, sizeof(struct udphdr) + hdrlen); + skb_reset_transport_header(skb); + + if (iptunnel_pull_offloads(skb)) + goto drop; + +- return -guehdr->proto_ctype; ++ return -proto_ctype; + + drop: + kfree_skb(skb); +diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c +index 760a9e52e02b..9f69411251d0 100644 +--- a/net/ipv4/inet_fragment.c ++++ b/net/ipv4/inet_fragment.c +@@ -25,6 +25,62 @@ + #include + #include + #include ++#include ++#include ++ ++/* Use skb->cb to track consecutive/adjacent fragments coming at ++ * the end of the queue. Nodes in the rb-tree queue will ++ * contain "runs" of one or more adjacent fragments. ++ * ++ * Invariants: ++ * - next_frag is NULL at the tail of a "run"; ++ * - the head of a "run" has the sum of all fragment lengths in frag_run_len. 
++ */ ++struct ipfrag_skb_cb { ++ union { ++ struct inet_skb_parm h4; ++ struct inet6_skb_parm h6; ++ }; ++ struct sk_buff *next_frag; ++ int frag_run_len; ++}; ++ ++#define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) ++ ++static void fragcb_clear(struct sk_buff *skb) ++{ ++ RB_CLEAR_NODE(&skb->rbnode); ++ FRAG_CB(skb)->next_frag = NULL; ++ FRAG_CB(skb)->frag_run_len = skb->len; ++} ++ ++/* Append skb to the last "run". */ ++static void fragrun_append_to_last(struct inet_frag_queue *q, ++ struct sk_buff *skb) ++{ ++ fragcb_clear(skb); ++ ++ FRAG_CB(q->last_run_head)->frag_run_len += skb->len; ++ FRAG_CB(q->fragments_tail)->next_frag = skb; ++ q->fragments_tail = skb; ++} ++ ++/* Create a new "run" with the skb. */ ++static void fragrun_create(struct inet_frag_queue *q, struct sk_buff *skb) ++{ ++ BUILD_BUG_ON(sizeof(struct ipfrag_skb_cb) > sizeof(skb->cb)); ++ fragcb_clear(skb); ++ ++ if (q->last_run_head) ++ rb_link_node(&skb->rbnode, &q->last_run_head->rbnode, ++ &q->last_run_head->rbnode.rb_right); ++ else ++ rb_link_node(&skb->rbnode, NULL, &q->rb_fragments.rb_node); ++ rb_insert_color(&skb->rbnode, &q->rb_fragments); ++ ++ q->fragments_tail = skb; ++ q->last_run_head = skb; ++} + + /* Given the OR values of all fragments, apply RFC 3168 5.3 requirements + * Value : 0xff if frame should be dropped. +@@ -123,6 +179,28 @@ static void inet_frag_destroy_rcu(struct rcu_head *head) + kmem_cache_free(f->frags_cachep, q); + } + ++unsigned int inet_frag_rbtree_purge(struct rb_root *root) ++{ ++ struct rb_node *p = rb_first(root); ++ unsigned int sum = 0; ++ ++ while (p) { ++ struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode); ++ ++ p = rb_next(p); ++ rb_erase(&skb->rbnode, root); ++ while (skb) { ++ struct sk_buff *next = FRAG_CB(skb)->next_frag; ++ ++ sum += skb->truesize; ++ kfree_skb(skb); ++ skb = next; ++ } ++ } ++ return sum; ++} ++EXPORT_SYMBOL(inet_frag_rbtree_purge); ++ + void inet_frag_destroy(struct inet_frag_queue *q) + { + struct sk_buff *fp; +@@ -224,3 +302,218 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, void *key) + return fq; + } + EXPORT_SYMBOL(inet_frag_find); ++ ++int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, ++ int offset, int end) ++{ ++ struct sk_buff *last = q->fragments_tail; ++ ++ /* RFC5722, Section 4, amended by Errata ID : 3089 ++ * When reassembling an IPv6 datagram, if ++ * one or more its constituent fragments is determined to be an ++ * overlapping fragment, the entire datagram (and any constituent ++ * fragments) MUST be silently discarded. ++ * ++ * Duplicates, however, should be ignored (i.e. skb dropped, but the ++ * queue/fragments kept for later reassembly). ++ */ ++ if (!last) ++ fragrun_create(q, skb); /* First fragment. */ ++ else if (last->ip_defrag_offset + last->len < end) { ++ /* This is the common case: skb goes to the end. */ ++ /* Detect and discard overlaps. */ ++ if (offset < last->ip_defrag_offset + last->len) ++ return IPFRAG_OVERLAP; ++ if (offset == last->ip_defrag_offset + last->len) ++ fragrun_append_to_last(q, skb); ++ else ++ fragrun_create(q, skb); ++ } else { ++ /* Binary search. Note that skb can become the first fragment, ++ * but not the last (covered above). 
++ */ ++ struct rb_node **rbn, *parent; ++ ++ rbn = &q->rb_fragments.rb_node; ++ do { ++ struct sk_buff *curr; ++ int curr_run_end; ++ ++ parent = *rbn; ++ curr = rb_to_skb(parent); ++ curr_run_end = curr->ip_defrag_offset + ++ FRAG_CB(curr)->frag_run_len; ++ if (end <= curr->ip_defrag_offset) ++ rbn = &parent->rb_left; ++ else if (offset >= curr_run_end) ++ rbn = &parent->rb_right; ++ else if (offset >= curr->ip_defrag_offset && ++ end <= curr_run_end) ++ return IPFRAG_DUP; ++ else ++ return IPFRAG_OVERLAP; ++ } while (*rbn); ++ /* Here we have parent properly set, and rbn pointing to ++ * one of its NULL left/right children. Insert skb. ++ */ ++ fragcb_clear(skb); ++ rb_link_node(&skb->rbnode, parent, rbn); ++ rb_insert_color(&skb->rbnode, &q->rb_fragments); ++ } ++ ++ skb->ip_defrag_offset = offset; ++ ++ return IPFRAG_OK; ++} ++EXPORT_SYMBOL(inet_frag_queue_insert); ++ ++void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, ++ struct sk_buff *parent) ++{ ++ struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments); ++ struct sk_buff **nextp; ++ int delta; ++ ++ if (head != skb) { ++ fp = skb_clone(skb, GFP_ATOMIC); ++ if (!fp) ++ return NULL; ++ FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; ++ if (RB_EMPTY_NODE(&skb->rbnode)) ++ FRAG_CB(parent)->next_frag = fp; ++ else ++ rb_replace_node(&skb->rbnode, &fp->rbnode, ++ &q->rb_fragments); ++ if (q->fragments_tail == skb) ++ q->fragments_tail = fp; ++ skb_morph(skb, head); ++ FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; ++ rb_replace_node(&head->rbnode, &skb->rbnode, ++ &q->rb_fragments); ++ consume_skb(head); ++ head = skb; ++ } ++ WARN_ON(head->ip_defrag_offset != 0); ++ ++ delta = -head->truesize; ++ ++ /* Head of list must not be cloned. */ ++ if (skb_unclone(head, GFP_ATOMIC)) ++ return NULL; ++ ++ delta += head->truesize; ++ if (delta) ++ add_frag_mem_limit(q->net, delta); ++ ++ /* If the first fragment is fragmented itself, we split ++ * it to two chunks: the first with data and paged part ++ * and the second, holding only fragments. ++ */ ++ if (skb_has_frag_list(head)) { ++ struct sk_buff *clone; ++ int i, plen = 0; ++ ++ clone = alloc_skb(0, GFP_ATOMIC); ++ if (!clone) ++ return NULL; ++ skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; ++ skb_frag_list_init(head); ++ for (i = 0; i < skb_shinfo(head)->nr_frags; i++) ++ plen += skb_frag_size(&skb_shinfo(head)->frags[i]); ++ clone->data_len = head->data_len - plen; ++ clone->len = clone->data_len; ++ head->truesize += clone->truesize; ++ clone->csum = 0; ++ clone->ip_summed = head->ip_summed; ++ add_frag_mem_limit(q->net, clone->truesize); ++ skb_shinfo(head)->frag_list = clone; ++ nextp = &clone->next; ++ } else { ++ nextp = &skb_shinfo(head)->frag_list; ++ } ++ ++ return nextp; ++} ++EXPORT_SYMBOL(inet_frag_reasm_prepare); ++ ++void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, ++ void *reasm_data) ++{ ++ struct sk_buff **nextp = (struct sk_buff **)reasm_data; ++ struct rb_node *rbn; ++ struct sk_buff *fp; ++ ++ skb_push(head, head->data - skb_network_header(head)); ++ ++ /* Traverse the tree in order, to build frag_list. */ ++ fp = FRAG_CB(head)->next_frag; ++ rbn = rb_next(&head->rbnode); ++ rb_erase(&head->rbnode, &q->rb_fragments); ++ while (rbn || fp) { ++ /* fp points to the next sk_buff in the current run; ++ * rbn points to the next run. ++ */ ++ /* Go through the current run. 
*/ ++ while (fp) { ++ *nextp = fp; ++ nextp = &fp->next; ++ fp->prev = NULL; ++ memset(&fp->rbnode, 0, sizeof(fp->rbnode)); ++ fp->sk = NULL; ++ head->data_len += fp->len; ++ head->len += fp->len; ++ if (head->ip_summed != fp->ip_summed) ++ head->ip_summed = CHECKSUM_NONE; ++ else if (head->ip_summed == CHECKSUM_COMPLETE) ++ head->csum = csum_add(head->csum, fp->csum); ++ head->truesize += fp->truesize; ++ fp = FRAG_CB(fp)->next_frag; ++ } ++ /* Move to the next run. */ ++ if (rbn) { ++ struct rb_node *rbnext = rb_next(rbn); ++ ++ fp = rb_to_skb(rbn); ++ rb_erase(rbn, &q->rb_fragments); ++ rbn = rbnext; ++ } ++ } ++ sub_frag_mem_limit(q->net, head->truesize); ++ ++ *nextp = NULL; ++ skb_mark_not_on_list(head); ++ head->prev = NULL; ++ head->tstamp = q->stamp; ++} ++EXPORT_SYMBOL(inet_frag_reasm_finish); ++ ++struct sk_buff *inet_frag_pull_head(struct inet_frag_queue *q) ++{ ++ struct sk_buff *head; ++ ++ if (q->fragments) { ++ head = q->fragments; ++ q->fragments = head->next; ++ } else { ++ struct sk_buff *skb; ++ ++ head = skb_rb_first(&q->rb_fragments); ++ if (!head) ++ return NULL; ++ skb = FRAG_CB(head)->next_frag; ++ if (skb) ++ rb_replace_node(&head->rbnode, &skb->rbnode, ++ &q->rb_fragments); ++ else ++ rb_erase(&head->rbnode, &q->rb_fragments); ++ memset(&head->rbnode, 0, sizeof(head->rbnode)); ++ barrier(); ++ } ++ if (head == q->fragments_tail) ++ q->fragments_tail = NULL; ++ ++ sub_frag_mem_limit(q->net, head->truesize); ++ ++ return head; ++} ++EXPORT_SYMBOL(inet_frag_pull_head); +diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c +index d95b32af4a0e..5a1d39e32196 100644 +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -57,57 +57,6 @@ + */ + static const char ip_frag_cache_name[] = "ip4-frags"; + +-/* Use skb->cb to track consecutive/adjacent fragments coming at +- * the end of the queue. Nodes in the rb-tree queue will +- * contain "runs" of one or more adjacent fragments. +- * +- * Invariants: +- * - next_frag is NULL at the tail of a "run"; +- * - the head of a "run" has the sum of all fragment lengths in frag_run_len. +- */ +-struct ipfrag_skb_cb { +- struct inet_skb_parm h; +- struct sk_buff *next_frag; +- int frag_run_len; +-}; +- +-#define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) +- +-static void ip4_frag_init_run(struct sk_buff *skb) +-{ +- BUILD_BUG_ON(sizeof(struct ipfrag_skb_cb) > sizeof(skb->cb)); +- +- FRAG_CB(skb)->next_frag = NULL; +- FRAG_CB(skb)->frag_run_len = skb->len; +-} +- +-/* Append skb to the last "run". */ +-static void ip4_frag_append_to_last_run(struct inet_frag_queue *q, +- struct sk_buff *skb) +-{ +- RB_CLEAR_NODE(&skb->rbnode); +- FRAG_CB(skb)->next_frag = NULL; +- +- FRAG_CB(q->last_run_head)->frag_run_len += skb->len; +- FRAG_CB(q->fragments_tail)->next_frag = skb; +- q->fragments_tail = skb; +-} +- +-/* Create a new "run" with the skb. */ +-static void ip4_frag_create_run(struct inet_frag_queue *q, struct sk_buff *skb) +-{ +- if (q->last_run_head) +- rb_link_node(&skb->rbnode, &q->last_run_head->rbnode, +- &q->last_run_head->rbnode.rb_right); +- else +- rb_link_node(&skb->rbnode, NULL, &q->rb_fragments.rb_node); +- rb_insert_color(&skb->rbnode, &q->rb_fragments); +- +- ip4_frag_init_run(skb); +- q->fragments_tail = skb; +- q->last_run_head = skb; +-} +- + /* Describe an entry in the "incomplete datagrams" queue. */ + struct ipq { + struct inet_frag_queue q; +@@ -212,27 +161,9 @@ static void ip_expire(struct timer_list *t) + * pull the head out of the tree in order to be able to + * deal with head->dev. 
+ */ +- if (qp->q.fragments) { +- head = qp->q.fragments; +- qp->q.fragments = head->next; +- } else { +- head = skb_rb_first(&qp->q.rb_fragments); +- if (!head) +- goto out; +- if (FRAG_CB(head)->next_frag) +- rb_replace_node(&head->rbnode, +- &FRAG_CB(head)->next_frag->rbnode, +- &qp->q.rb_fragments); +- else +- rb_erase(&head->rbnode, &qp->q.rb_fragments); +- memset(&head->rbnode, 0, sizeof(head->rbnode)); +- barrier(); +- } +- if (head == qp->q.fragments_tail) +- qp->q.fragments_tail = NULL; +- +- sub_frag_mem_limit(qp->q.net, head->truesize); +- ++ head = inet_frag_pull_head(&qp->q); ++ if (!head) ++ goto out; + head->dev = dev_get_by_index_rcu(net, qp->iif); + if (!head->dev) + goto out; +@@ -345,12 +276,10 @@ static int ip_frag_reinit(struct ipq *qp) + static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) + { + struct net *net = container_of(qp->q.net, struct net, ipv4.frags); +- struct rb_node **rbn, *parent; +- struct sk_buff *skb1, *prev_tail; +- int ihl, end, skb1_run_end; ++ int ihl, end, flags, offset; ++ struct sk_buff *prev_tail; + struct net_device *dev; + unsigned int fragsize; +- int flags, offset; + int err = -ENOENT; + u8 ecn; + +@@ -382,7 +311,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) + */ + if (end < qp->q.len || + ((qp->q.flags & INET_FRAG_LAST_IN) && end != qp->q.len)) +- goto err; ++ goto discard_qp; + qp->q.flags |= INET_FRAG_LAST_IN; + qp->q.len = end; + } else { +@@ -394,82 +323,33 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) + if (end > qp->q.len) { + /* Some bits beyond end -> corruption. */ + if (qp->q.flags & INET_FRAG_LAST_IN) +- goto err; ++ goto discard_qp; + qp->q.len = end; + } + } + if (end == offset) +- goto err; ++ goto discard_qp; + + err = -ENOMEM; + if (!pskb_pull(skb, skb_network_offset(skb) + ihl)) +- goto err; ++ goto discard_qp; + + err = pskb_trim_rcsum(skb, end - offset); + if (err) +- goto err; ++ goto discard_qp; + + /* Note : skb->rbnode and skb->dev share the same location. */ + dev = skb->dev; + /* Makes sure compiler wont do silly aliasing games */ + barrier(); + +- /* RFC5722, Section 4, amended by Errata ID : 3089 +- * When reassembling an IPv6 datagram, if +- * one or more its constituent fragments is determined to be an +- * overlapping fragment, the entire datagram (and any constituent +- * fragments) MUST be silently discarded. +- * +- * We do the same here for IPv4 (and increment an snmp counter) but +- * we do not want to drop the whole queue in response to a duplicate +- * fragment. +- */ +- +- err = -EINVAL; +- /* Find out where to put this fragment. */ + prev_tail = qp->q.fragments_tail; +- if (!prev_tail) +- ip4_frag_create_run(&qp->q, skb); /* First fragment. */ +- else if (prev_tail->ip_defrag_offset + prev_tail->len < end) { +- /* This is the common case: skb goes to the end. */ +- /* Detect and discard overlaps. */ +- if (offset < prev_tail->ip_defrag_offset + prev_tail->len) +- goto discard_qp; +- if (offset == prev_tail->ip_defrag_offset + prev_tail->len) +- ip4_frag_append_to_last_run(&qp->q, skb); +- else +- ip4_frag_create_run(&qp->q, skb); +- } else { +- /* Binary search. Note that skb can become the first fragment, +- * but not the last (covered above). 
+- */ +- rbn = &qp->q.rb_fragments.rb_node; +- do { +- parent = *rbn; +- skb1 = rb_to_skb(parent); +- skb1_run_end = skb1->ip_defrag_offset + +- FRAG_CB(skb1)->frag_run_len; +- if (end <= skb1->ip_defrag_offset) +- rbn = &parent->rb_left; +- else if (offset >= skb1_run_end) +- rbn = &parent->rb_right; +- else if (offset >= skb1->ip_defrag_offset && +- end <= skb1_run_end) +- goto err; /* No new data, potential duplicate */ +- else +- goto discard_qp; /* Found an overlap */ +- } while (*rbn); +- /* Here we have parent properly set, and rbn pointing to +- * one of its NULL left/right children. Insert skb. +- */ +- ip4_frag_init_run(skb); +- rb_link_node(&skb->rbnode, parent, rbn); +- rb_insert_color(&skb->rbnode, &qp->q.rb_fragments); +- } ++ err = inet_frag_queue_insert(&qp->q, skb, offset, end); ++ if (err) ++ goto insert_error; + + if (dev) + qp->iif = dev->ifindex; +- skb->ip_defrag_offset = offset; + + qp->q.stamp = skb->tstamp; + qp->q.meat += skb->len; +@@ -494,15 +374,24 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) + skb->_skb_refdst = 0UL; + err = ip_frag_reasm(qp, skb, prev_tail, dev); + skb->_skb_refdst = orefdst; ++ if (err) ++ inet_frag_kill(&qp->q); + return err; + } + + skb_dst_drop(skb); + return -EINPROGRESS; + ++insert_error: ++ if (err == IPFRAG_DUP) { ++ kfree_skb(skb); ++ return -EINVAL; ++ } ++ err = -EINVAL; ++ __IP_INC_STATS(net, IPSTATS_MIB_REASM_OVERLAPS); + discard_qp: + inet_frag_kill(&qp->q); +- __IP_INC_STATS(net, IPSTATS_MIB_REASM_OVERLAPS); ++ __IP_INC_STATS(net, IPSTATS_MIB_REASMFAILS); + err: + kfree_skb(skb); + return err; +@@ -514,13 +403,8 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb, + { + struct net *net = container_of(qp->q.net, struct net, ipv4.frags); + struct iphdr *iph; +- struct sk_buff *fp, *head = skb_rb_first(&qp->q.rb_fragments); +- struct sk_buff **nextp; /* To build frag_list. */ +- struct rb_node *rbn; +- int len; +- int ihlen; +- int delta; +- int err; ++ void *reasm_data; ++ int len, err; + u8 ecn; + + ipq_kill(qp); +@@ -530,117 +414,23 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb, + err = -EINVAL; + goto out_fail; + } +- /* Make the one we just received the head. */ +- if (head != skb) { +- fp = skb_clone(skb, GFP_ATOMIC); +- if (!fp) +- goto out_nomem; +- FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; +- if (RB_EMPTY_NODE(&skb->rbnode)) +- FRAG_CB(prev_tail)->next_frag = fp; +- else +- rb_replace_node(&skb->rbnode, &fp->rbnode, +- &qp->q.rb_fragments); +- if (qp->q.fragments_tail == skb) +- qp->q.fragments_tail = fp; +- skb_morph(skb, head); +- FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; +- rb_replace_node(&head->rbnode, &skb->rbnode, +- &qp->q.rb_fragments); +- consume_skb(head); +- head = skb; +- } + +- WARN_ON(head->ip_defrag_offset != 0); +- +- /* Allocate a new buffer for the datagram. */ +- ihlen = ip_hdrlen(head); +- len = ihlen + qp->q.len; ++ /* Make the one we just received the head. */ ++ reasm_data = inet_frag_reasm_prepare(&qp->q, skb, prev_tail); ++ if (!reasm_data) ++ goto out_nomem; + ++ len = ip_hdrlen(skb) + qp->q.len; + err = -E2BIG; + if (len > 65535) + goto out_oversize; + +- delta = - head->truesize; +- +- /* Head of list must not be cloned. */ +- if (skb_unclone(head, GFP_ATOMIC)) +- goto out_nomem; +- +- delta += head->truesize; +- if (delta) +- add_frag_mem_limit(qp->q.net, delta); +- +- /* If the first fragment is fragmented itself, we split +- * it to two chunks: the first with data and paged part +- * and the second, holding only fragments. 
*/ +- if (skb_has_frag_list(head)) { +- struct sk_buff *clone; +- int i, plen = 0; +- +- clone = alloc_skb(0, GFP_ATOMIC); +- if (!clone) +- goto out_nomem; +- skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; +- skb_frag_list_init(head); +- for (i = 0; i < skb_shinfo(head)->nr_frags; i++) +- plen += skb_frag_size(&skb_shinfo(head)->frags[i]); +- clone->len = clone->data_len = head->data_len - plen; +- head->truesize += clone->truesize; +- clone->csum = 0; +- clone->ip_summed = head->ip_summed; +- add_frag_mem_limit(qp->q.net, clone->truesize); +- skb_shinfo(head)->frag_list = clone; +- nextp = &clone->next; +- } else { +- nextp = &skb_shinfo(head)->frag_list; +- } ++ inet_frag_reasm_finish(&qp->q, skb, reasm_data); + +- skb_push(head, head->data - skb_network_header(head)); ++ skb->dev = dev; ++ IPCB(skb)->frag_max_size = max(qp->max_df_size, qp->q.max_size); + +- /* Traverse the tree in order, to build frag_list. */ +- fp = FRAG_CB(head)->next_frag; +- rbn = rb_next(&head->rbnode); +- rb_erase(&head->rbnode, &qp->q.rb_fragments); +- while (rbn || fp) { +- /* fp points to the next sk_buff in the current run; +- * rbn points to the next run. +- */ +- /* Go through the current run. */ +- while (fp) { +- *nextp = fp; +- nextp = &fp->next; +- fp->prev = NULL; +- memset(&fp->rbnode, 0, sizeof(fp->rbnode)); +- fp->sk = NULL; +- head->data_len += fp->len; +- head->len += fp->len; +- if (head->ip_summed != fp->ip_summed) +- head->ip_summed = CHECKSUM_NONE; +- else if (head->ip_summed == CHECKSUM_COMPLETE) +- head->csum = csum_add(head->csum, fp->csum); +- head->truesize += fp->truesize; +- fp = FRAG_CB(fp)->next_frag; +- } +- /* Move to the next run. */ +- if (rbn) { +- struct rb_node *rbnext = rb_next(rbn); +- +- fp = rb_to_skb(rbn); +- rb_erase(rbn, &qp->q.rb_fragments); +- rbn = rbnext; +- } +- } +- sub_frag_mem_limit(qp->q.net, head->truesize); +- +- *nextp = NULL; +- head->next = NULL; +- head->prev = NULL; +- head->dev = dev; +- head->tstamp = qp->q.stamp; +- IPCB(head)->frag_max_size = max(qp->max_df_size, qp->q.max_size); +- +- iph = ip_hdr(head); ++ iph = ip_hdr(skb); + iph->tot_len = htons(len); + iph->tos |= ecn; + +@@ -653,7 +443,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb, + * from one very small df-fragment and one large non-df frag. 
+ */ + if (qp->max_df_size == qp->q.max_size) { +- IPCB(head)->flags |= IPSKB_FRAG_PMTU; ++ IPCB(skb)->flags |= IPSKB_FRAG_PMTU; + iph->frag_off = htons(IP_DF); + } else { + iph->frag_off = 0; +@@ -751,28 +541,6 @@ struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *skb, u32 user) + } + EXPORT_SYMBOL(ip_check_defrag); + +-unsigned int inet_frag_rbtree_purge(struct rb_root *root) +-{ +- struct rb_node *p = rb_first(root); +- unsigned int sum = 0; +- +- while (p) { +- struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode); +- +- p = rb_next(p); +- rb_erase(&skb->rbnode, root); +- while (skb) { +- struct sk_buff *next = FRAG_CB(skb)->next_frag; +- +- sum += skb->truesize; +- kfree_skb(skb); +- skb = next; +- } +- } +- return sum; +-} +-EXPORT_SYMBOL(inet_frag_rbtree_purge); +- + #ifdef CONFIG_SYSCTL + static int dist_min; + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 7a556e459375..98c81c21b753 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1187,9 +1187,23 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) + + static void ipv4_link_failure(struct sk_buff *skb) + { ++ struct ip_options opt; + struct rtable *rt; ++ int res; + +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); ++ /* Recompile ip options since IPCB may not be valid anymore. ++ */ ++ memset(&opt, 0, sizeof(opt)); ++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); ++ ++ if (res) ++ return; ++ ++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); + + rt = skb_rtable(skb); + if (rt) +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 572f79abd393..cfdd70e32755 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -402,11 +402,12 @@ static int __tcp_grow_window(const struct sock *sk, const struct sk_buff *skb) + static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + { + struct tcp_sock *tp = tcp_sk(sk); ++ int room; ++ ++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh; + + /* Check #1 */ +- if (tp->rcv_ssthresh < tp->window_clamp && +- (int)tp->rcv_ssthresh < tcp_space(sk) && +- !tcp_under_memory_pressure(sk)) { ++ if (room > 0 && !tcp_under_memory_pressure(sk)) { + int incr; + + /* Check #2. 
Increase window, if skb with such overhead +@@ -419,8 +420,7 @@ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb) + + if (incr) { + incr = max_t(int, incr, 2 * skb->len); +- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr, +- tp->window_clamp); ++ tp->rcv_ssthresh += min(room, incr); + inet_csk(sk)->icsk_ack.quick |= 1; + } + } +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index 043ed8eb0ab9..cb1b4772dac0 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -136,6 +136,9 @@ static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net) + } + #endif + ++static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb, ++ struct sk_buff *prev_tail, struct net_device *dev); ++ + static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h) + { + return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK); +@@ -177,9 +180,10 @@ static struct frag_queue *fq_find(struct net *net, __be32 id, u32 user, + static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, + const struct frag_hdr *fhdr, int nhoff) + { +- struct sk_buff *prev, *next; + unsigned int payload_len; +- int offset, end; ++ struct net_device *dev; ++ struct sk_buff *prev; ++ int offset, end, err; + u8 ecn; + + if (fq->q.flags & INET_FRAG_COMPLETE) { +@@ -254,55 +258,18 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, + goto err; + } + +- /* Find out which fragments are in front and at the back of us +- * in the chain of fragments so far. We must know where to put +- * this fragment, right? +- */ +- prev = fq->q.fragments_tail; +- if (!prev || prev->ip_defrag_offset < offset) { +- next = NULL; +- goto found; +- } +- prev = NULL; +- for (next = fq->q.fragments; next != NULL; next = next->next) { +- if (next->ip_defrag_offset >= offset) +- break; /* bingo! */ +- prev = next; +- } +- +-found: +- /* RFC5722, Section 4: +- * When reassembling an IPv6 datagram, if +- * one or more its constituent fragments is determined to be an +- * overlapping fragment, the entire datagram (and any constituent +- * fragments, including those not yet received) MUST be silently +- * discarded. +- */ +- +- /* Check for overlap with preceding fragment. */ +- if (prev && +- (prev->ip_defrag_offset + prev->len) > offset) +- goto discard_fq; +- +- /* Look for overlap with succeeding segment. */ +- if (next && next->ip_defrag_offset < end) +- goto discard_fq; +- +- /* Note : skb->ip_defrag_offset and skb->dev share the same location */ +- if (skb->dev) +- fq->iif = skb->dev->ifindex; ++ /* Note : skb->rbnode and skb->dev share the same location. */ ++ dev = skb->dev; + /* Makes sure compiler wont do silly aliasing games */ + barrier(); +- skb->ip_defrag_offset = offset; + +- /* Insert this fragment in the chain of fragments. 
*/ +- skb->next = next; +- if (!next) +- fq->q.fragments_tail = skb; +- if (prev) +- prev->next = skb; +- else +- fq->q.fragments = skb; ++ prev = fq->q.fragments_tail; ++ err = inet_frag_queue_insert(&fq->q, skb, offset, end); ++ if (err) ++ goto insert_error; ++ ++ if (dev) ++ fq->iif = dev->ifindex; + + fq->q.stamp = skb->tstamp; + fq->q.meat += skb->len; +@@ -319,11 +286,25 @@ found: + fq->q.flags |= INET_FRAG_FIRST_IN; + } + +- return 0; ++ if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) && ++ fq->q.meat == fq->q.len) { ++ unsigned long orefdst = skb->_skb_refdst; ++ ++ skb->_skb_refdst = 0UL; ++ err = nf_ct_frag6_reasm(fq, skb, prev, dev); ++ skb->_skb_refdst = orefdst; ++ return err; ++ } ++ ++ skb_dst_drop(skb); ++ return -EINPROGRESS; + +-discard_fq: ++insert_error: ++ if (err == IPFRAG_DUP) ++ goto err; + inet_frag_kill(&fq->q); + err: ++ skb_dst_drop(skb); + return -EINVAL; + } + +@@ -333,147 +314,67 @@ err: + * It is called with locked fq, and caller must check that + * queue is eligible for reassembly i.e. it is not COMPLETE, + * the last and the first frames arrived and all the bits are here. +- * +- * returns true if *prev skb has been transformed into the reassembled +- * skb, false otherwise. + */ +-static bool +-nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev, struct net_device *dev) ++static int nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *skb, ++ struct sk_buff *prev_tail, struct net_device *dev) + { +- struct sk_buff *fp, *head = fq->q.fragments; +- int payload_len, delta; ++ void *reasm_data; ++ int payload_len; + u8 ecn; + + inet_frag_kill(&fq->q); + +- WARN_ON(head == NULL); +- WARN_ON(head->ip_defrag_offset != 0); +- + ecn = ip_frag_ecn_table[fq->ecn]; + if (unlikely(ecn == 0xff)) +- return false; ++ goto err; ++ ++ reasm_data = inet_frag_reasm_prepare(&fq->q, skb, prev_tail); ++ if (!reasm_data) ++ goto err; + +- /* Unfragmented part is taken from the first segment. */ +- payload_len = ((head->data - skb_network_header(head)) - ++ payload_len = ((skb->data - skb_network_header(skb)) - + sizeof(struct ipv6hdr) + fq->q.len - + sizeof(struct frag_hdr)); + if (payload_len > IPV6_MAXPLEN) { + net_dbg_ratelimited("nf_ct_frag6_reasm: payload len = %d\n", + payload_len); +- return false; +- } +- +- delta = - head->truesize; +- +- /* Head of list must not be cloned. */ +- if (skb_unclone(head, GFP_ATOMIC)) +- return false; +- +- delta += head->truesize; +- if (delta) +- add_frag_mem_limit(fq->q.net, delta); +- +- /* If the first fragment is fragmented itself, we split +- * it to two chunks: the first with data and paged part +- * and the second, holding only fragments. */ +- if (skb_has_frag_list(head)) { +- struct sk_buff *clone; +- int i, plen = 0; +- +- clone = alloc_skb(0, GFP_ATOMIC); +- if (clone == NULL) +- return false; +- +- clone->next = head->next; +- head->next = clone; +- skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; +- skb_frag_list_init(head); +- for (i = 0; i < skb_shinfo(head)->nr_frags; i++) +- plen += skb_frag_size(&skb_shinfo(head)->frags[i]); +- clone->len = clone->data_len = head->data_len - plen; +- head->data_len -= clone->len; +- head->len -= clone->len; +- clone->csum = 0; +- clone->ip_summed = head->ip_summed; +- +- add_frag_mem_limit(fq->q.net, clone->truesize); +- } +- +- /* morph head into last received skb: prev. +- * +- * This allows callers of ipv6 conntrack defrag to continue +- * to use the last skb(frag) passed into the reasm engine. 
+- * The last skb frag 'silently' turns into the full reassembled skb. +- * +- * Since prev is also part of q->fragments we have to clone it first. +- */ +- if (head != prev) { +- struct sk_buff *iter; +- +- fp = skb_clone(prev, GFP_ATOMIC); +- if (!fp) +- return false; +- +- fp->next = prev->next; +- +- iter = head; +- while (iter) { +- if (iter->next == prev) { +- iter->next = fp; +- break; +- } +- iter = iter->next; +- } +- +- skb_morph(prev, head); +- prev->next = head->next; +- consume_skb(head); +- head = prev; ++ goto err; + } + + /* We have to remove fragment header from datagram and to relocate + * header in order to calculate ICV correctly. */ +- skb_network_header(head)[fq->nhoffset] = skb_transport_header(head)[0]; +- memmove(head->head + sizeof(struct frag_hdr), head->head, +- (head->data - head->head) - sizeof(struct frag_hdr)); +- head->mac_header += sizeof(struct frag_hdr); +- head->network_header += sizeof(struct frag_hdr); +- +- skb_shinfo(head)->frag_list = head->next; +- skb_reset_transport_header(head); +- skb_push(head, head->data - skb_network_header(head)); +- +- for (fp = head->next; fp; fp = fp->next) { +- head->data_len += fp->len; +- head->len += fp->len; +- if (head->ip_summed != fp->ip_summed) +- head->ip_summed = CHECKSUM_NONE; +- else if (head->ip_summed == CHECKSUM_COMPLETE) +- head->csum = csum_add(head->csum, fp->csum); +- head->truesize += fp->truesize; +- fp->sk = NULL; +- } +- sub_frag_mem_limit(fq->q.net, head->truesize); ++ skb_network_header(skb)[fq->nhoffset] = skb_transport_header(skb)[0]; ++ memmove(skb->head + sizeof(struct frag_hdr), skb->head, ++ (skb->data - skb->head) - sizeof(struct frag_hdr)); ++ skb->mac_header += sizeof(struct frag_hdr); ++ skb->network_header += sizeof(struct frag_hdr); ++ ++ skb_reset_transport_header(skb); ++ ++ inet_frag_reasm_finish(&fq->q, skb, reasm_data); + +- head->ignore_df = 1; +- head->next = NULL; +- head->dev = dev; +- head->tstamp = fq->q.stamp; +- ipv6_hdr(head)->payload_len = htons(payload_len); +- ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn); +- IP6CB(head)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size; ++ skb->ignore_df = 1; ++ skb->dev = dev; ++ ipv6_hdr(skb)->payload_len = htons(payload_len); ++ ipv6_change_dsfield(ipv6_hdr(skb), 0xff, ecn); ++ IP6CB(skb)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size; + + /* Yes, and fold redundant checksum back. 
8) */ +- if (head->ip_summed == CHECKSUM_COMPLETE) +- head->csum = csum_partial(skb_network_header(head), +- skb_network_header_len(head), +- head->csum); ++ if (skb->ip_summed == CHECKSUM_COMPLETE) ++ skb->csum = csum_partial(skb_network_header(skb), ++ skb_network_header_len(skb), ++ skb->csum); + + fq->q.fragments = NULL; + fq->q.rb_fragments = RB_ROOT; + fq->q.fragments_tail = NULL; ++ fq->q.last_run_head = NULL; + +- return true; ++ return 0; ++ ++err: ++ inet_frag_kill(&fq->q); ++ return -EINVAL; + } + + /* +@@ -542,7 +443,6 @@ find_prev_fhdr(struct sk_buff *skb, u8 *prevhdrp, int *prevhoff, int *fhoff) + int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) + { + u16 savethdr = skb->transport_header; +- struct net_device *dev = skb->dev; + int fhoff, nhoff, ret; + struct frag_hdr *fhdr; + struct frag_queue *fq; +@@ -565,10 +465,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) + hdr = ipv6_hdr(skb); + fhdr = (struct frag_hdr *)skb_transport_header(skb); + +- if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU && +- fhdr->frag_off & htons(IP6_MF)) +- return -EINVAL; +- + skb_orphan(skb); + fq = fq_find(net, fhdr->identification, user, hdr, + skb->dev ? skb->dev->ifindex : 0); +@@ -580,31 +476,17 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) + spin_lock_bh(&fq->q.lock); + + ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff); +- if (ret < 0) { +- if (ret == -EPROTO) { +- skb->transport_header = savethdr; +- ret = 0; +- } +- goto out_unlock; ++ if (ret == -EPROTO) { ++ skb->transport_header = savethdr; ++ ret = 0; + } + + /* after queue has assumed skb ownership, only 0 or -EINPROGRESS + * must be returned. + */ +- ret = -EINPROGRESS; +- if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) && +- fq->q.meat == fq->q.len) { +- unsigned long orefdst = skb->_skb_refdst; +- +- skb->_skb_refdst = 0UL; +- if (nf_ct_frag6_reasm(fq, skb, dev)) +- ret = 0; +- skb->_skb_refdst = orefdst; +- } else { +- skb_dst_drop(skb); +- } ++ if (ret) ++ ret = -EINPROGRESS; + +-out_unlock: + spin_unlock_bh(&fq->q.lock); + inet_frag_put(&fq->q); + return ret; +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index 7c943392c128..095825f964e2 100644 +--- a/net/ipv6/reassembly.c ++++ b/net/ipv6/reassembly.c +@@ -69,8 +69,8 @@ static u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h) + + static struct inet_frags ip6_frags; + +-static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, +- struct net_device *dev); ++static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb, ++ struct sk_buff *prev_tail, struct net_device *dev); + + static void ip6_frag_expire(struct timer_list *t) + { +@@ -111,21 +111,26 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb, + struct frag_hdr *fhdr, int nhoff, + u32 *prob_offset) + { +- struct sk_buff *prev, *next; +- struct net_device *dev; +- int offset, end, fragsize; + struct net *net = dev_net(skb_dst(skb)->dev); ++ int offset, end, fragsize; ++ struct sk_buff *prev_tail; ++ struct net_device *dev; ++ int err = -ENOENT; + u8 ecn; + + if (fq->q.flags & INET_FRAG_COMPLETE) + goto err; + ++ err = -EINVAL; + offset = ntohs(fhdr->frag_off) & ~0x7; + end = offset + (ntohs(ipv6_hdr(skb)->payload_len) - + ((u8 *)(fhdr + 1) - (u8 *)(ipv6_hdr(skb) + 1))); + + if ((unsigned int)end > IPV6_MAXPLEN) { + *prob_offset = (u8 *)&fhdr->frag_off - skb_network_header(skb); ++ /* note that if prob_offset is set, the skb is freed elsewhere, ++ * we do not free it here. 
++ */ + return -1; + } + +@@ -145,7 +150,7 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb, + */ + if (end < fq->q.len || + ((fq->q.flags & INET_FRAG_LAST_IN) && end != fq->q.len)) +- goto err; ++ goto discard_fq; + fq->q.flags |= INET_FRAG_LAST_IN; + fq->q.len = end; + } else { +@@ -162,70 +167,35 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb, + if (end > fq->q.len) { + /* Some bits beyond end -> corruption. */ + if (fq->q.flags & INET_FRAG_LAST_IN) +- goto err; ++ goto discard_fq; + fq->q.len = end; + } + } + + if (end == offset) +- goto err; ++ goto discard_fq; + ++ err = -ENOMEM; + /* Point into the IP datagram 'data' part. */ + if (!pskb_pull(skb, (u8 *) (fhdr + 1) - skb->data)) +- goto err; +- +- if (pskb_trim_rcsum(skb, end - offset)) +- goto err; +- +- /* Find out which fragments are in front and at the back of us +- * in the chain of fragments so far. We must know where to put +- * this fragment, right? +- */ +- prev = fq->q.fragments_tail; +- if (!prev || prev->ip_defrag_offset < offset) { +- next = NULL; +- goto found; +- } +- prev = NULL; +- for (next = fq->q.fragments; next != NULL; next = next->next) { +- if (next->ip_defrag_offset >= offset) +- break; /* bingo! */ +- prev = next; +- } +- +-found: +- /* RFC5722, Section 4, amended by Errata ID : 3089 +- * When reassembling an IPv6 datagram, if +- * one or more its constituent fragments is determined to be an +- * overlapping fragment, the entire datagram (and any constituent +- * fragments) MUST be silently discarded. +- */ +- +- /* Check for overlap with preceding fragment. */ +- if (prev && +- (prev->ip_defrag_offset + prev->len) > offset) + goto discard_fq; + +- /* Look for overlap with succeeding segment. */ +- if (next && next->ip_defrag_offset < end) ++ err = pskb_trim_rcsum(skb, end - offset); ++ if (err) + goto discard_fq; + +- /* Note : skb->ip_defrag_offset and skb->dev share the same location */ ++ /* Note : skb->rbnode and skb->dev share the same location. */ + dev = skb->dev; +- if (dev) +- fq->iif = dev->ifindex; + /* Makes sure compiler wont do silly aliasing games */ + barrier(); +- skb->ip_defrag_offset = offset; + +- /* Insert this fragment in the chain of fragments. */ +- skb->next = next; +- if (!next) +- fq->q.fragments_tail = skb; +- if (prev) +- prev->next = skb; +- else +- fq->q.fragments = skb; ++ prev_tail = fq->q.fragments_tail; ++ err = inet_frag_queue_insert(&fq->q, skb, offset, end); ++ if (err) ++ goto insert_error; ++ ++ if (dev) ++ fq->iif = dev->ifindex; + + fq->q.stamp = skb->tstamp; + fq->q.meat += skb->len; +@@ -246,44 +216,48 @@ found: + + if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) && + fq->q.meat == fq->q.len) { +- int res; + unsigned long orefdst = skb->_skb_refdst; + + skb->_skb_refdst = 0UL; +- res = ip6_frag_reasm(fq, prev, dev); ++ err = ip6_frag_reasm(fq, skb, prev_tail, dev); + skb->_skb_refdst = orefdst; +- return res; ++ return err; + } + + skb_dst_drop(skb); +- return -1; ++ return -EINPROGRESS; + ++insert_error: ++ if (err == IPFRAG_DUP) { ++ kfree_skb(skb); ++ return -EINVAL; ++ } ++ err = -EINVAL; ++ __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), ++ IPSTATS_MIB_REASM_OVERLAPS); + discard_fq: + inet_frag_kill(&fq->q); +-err: + __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), + IPSTATS_MIB_REASMFAILS); ++err: + kfree_skb(skb); +- return -1; ++ return err; + } + + /* + * Check if this packet is complete. +- * Returns NULL on failure by any reason, and pointer +- * to current nexthdr field in reassembled frame. 
+ * + * It is called with locked fq, and caller must check that + * queue is eligible for reassembly i.e. it is not COMPLETE, + * the last and the first frames arrived and all the bits are here. + */ +-static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, +- struct net_device *dev) ++static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb, ++ struct sk_buff *prev_tail, struct net_device *dev) + { + struct net *net = container_of(fq->q.net, struct net, ipv6.frags); +- struct sk_buff *fp, *head = fq->q.fragments; +- int payload_len, delta; + unsigned int nhoff; +- int sum_truesize; ++ void *reasm_data; ++ int payload_len; + u8 ecn; + + inet_frag_kill(&fq->q); +@@ -292,121 +266,40 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, + if (unlikely(ecn == 0xff)) + goto out_fail; + +- /* Make the one we just received the head. */ +- if (prev) { +- head = prev->next; +- fp = skb_clone(head, GFP_ATOMIC); +- +- if (!fp) +- goto out_oom; +- +- fp->next = head->next; +- if (!fp->next) +- fq->q.fragments_tail = fp; +- prev->next = fp; +- +- skb_morph(head, fq->q.fragments); +- head->next = fq->q.fragments->next; +- +- consume_skb(fq->q.fragments); +- fq->q.fragments = head; +- } +- +- WARN_ON(head == NULL); +- WARN_ON(head->ip_defrag_offset != 0); ++ reasm_data = inet_frag_reasm_prepare(&fq->q, skb, prev_tail); ++ if (!reasm_data) ++ goto out_oom; + +- /* Unfragmented part is taken from the first segment. */ +- payload_len = ((head->data - skb_network_header(head)) - ++ payload_len = ((skb->data - skb_network_header(skb)) - + sizeof(struct ipv6hdr) + fq->q.len - + sizeof(struct frag_hdr)); + if (payload_len > IPV6_MAXPLEN) + goto out_oversize; + +- delta = - head->truesize; +- +- /* Head of list must not be cloned. */ +- if (skb_unclone(head, GFP_ATOMIC)) +- goto out_oom; +- +- delta += head->truesize; +- if (delta) +- add_frag_mem_limit(fq->q.net, delta); +- +- /* If the first fragment is fragmented itself, we split +- * it to two chunks: the first with data and paged part +- * and the second, holding only fragments. */ +- if (skb_has_frag_list(head)) { +- struct sk_buff *clone; +- int i, plen = 0; +- +- clone = alloc_skb(0, GFP_ATOMIC); +- if (!clone) +- goto out_oom; +- clone->next = head->next; +- head->next = clone; +- skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; +- skb_frag_list_init(head); +- for (i = 0; i < skb_shinfo(head)->nr_frags; i++) +- plen += skb_frag_size(&skb_shinfo(head)->frags[i]); +- clone->len = clone->data_len = head->data_len - plen; +- head->data_len -= clone->len; +- head->len -= clone->len; +- clone->csum = 0; +- clone->ip_summed = head->ip_summed; +- add_frag_mem_limit(fq->q.net, clone->truesize); +- } +- + /* We have to remove fragment header from datagram and to relocate + * header in order to calculate ICV correctly. 
*/ + nhoff = fq->nhoffset; +- skb_network_header(head)[nhoff] = skb_transport_header(head)[0]; +- memmove(head->head + sizeof(struct frag_hdr), head->head, +- (head->data - head->head) - sizeof(struct frag_hdr)); +- if (skb_mac_header_was_set(head)) +- head->mac_header += sizeof(struct frag_hdr); +- head->network_header += sizeof(struct frag_hdr); +- +- skb_reset_transport_header(head); +- skb_push(head, head->data - skb_network_header(head)); +- +- sum_truesize = head->truesize; +- for (fp = head->next; fp;) { +- bool headstolen; +- int delta; +- struct sk_buff *next = fp->next; +- +- sum_truesize += fp->truesize; +- if (head->ip_summed != fp->ip_summed) +- head->ip_summed = CHECKSUM_NONE; +- else if (head->ip_summed == CHECKSUM_COMPLETE) +- head->csum = csum_add(head->csum, fp->csum); +- +- if (skb_try_coalesce(head, fp, &headstolen, &delta)) { +- kfree_skb_partial(fp, headstolen); +- } else { +- fp->sk = NULL; +- if (!skb_shinfo(head)->frag_list) +- skb_shinfo(head)->frag_list = fp; +- head->data_len += fp->len; +- head->len += fp->len; +- head->truesize += fp->truesize; +- } +- fp = next; +- } +- sub_frag_mem_limit(fq->q.net, sum_truesize); ++ skb_network_header(skb)[nhoff] = skb_transport_header(skb)[0]; ++ memmove(skb->head + sizeof(struct frag_hdr), skb->head, ++ (skb->data - skb->head) - sizeof(struct frag_hdr)); ++ if (skb_mac_header_was_set(skb)) ++ skb->mac_header += sizeof(struct frag_hdr); ++ skb->network_header += sizeof(struct frag_hdr); ++ ++ skb_reset_transport_header(skb); ++ ++ inet_frag_reasm_finish(&fq->q, skb, reasm_data); + +- head->next = NULL; +- head->dev = dev; +- head->tstamp = fq->q.stamp; +- ipv6_hdr(head)->payload_len = htons(payload_len); +- ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn); +- IP6CB(head)->nhoff = nhoff; +- IP6CB(head)->flags |= IP6SKB_FRAGMENTED; +- IP6CB(head)->frag_max_size = fq->q.max_size; ++ skb->dev = dev; ++ ipv6_hdr(skb)->payload_len = htons(payload_len); ++ ipv6_change_dsfield(ipv6_hdr(skb), 0xff, ecn); ++ IP6CB(skb)->nhoff = nhoff; ++ IP6CB(skb)->flags |= IP6SKB_FRAGMENTED; ++ IP6CB(skb)->frag_max_size = fq->q.max_size; + + /* Yes, and fold redundant checksum back. 8) */ +- skb_postpush_rcsum(head, skb_network_header(head), +- skb_network_header_len(head)); ++ skb_postpush_rcsum(skb, skb_network_header(skb), ++ skb_network_header_len(skb)); + + rcu_read_lock(); + __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS); +@@ -414,6 +307,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev, + fq->q.fragments = NULL; + fq->q.rb_fragments = RB_ROOT; + fq->q.fragments_tail = NULL; ++ fq->q.last_run_head = NULL; + return 1; + + out_oversize: +@@ -425,6 +319,7 @@ out_fail: + rcu_read_lock(); + __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS); + rcu_read_unlock(); ++ inet_frag_kill(&fq->q); + return -1; + } + +@@ -463,10 +358,6 @@ static int ipv6_frag_rcv(struct sk_buff *skb) + return 1; + } + +- if (skb->len - skb_network_offset(skb) < IPV6_MIN_MTU && +- fhdr->frag_off & htons(IP6_MF)) +- goto fail_hdr; +- + iif = skb->dev ? 
skb->dev->ifindex : 0; + fq = fq_find(net, fhdr->identification, hdr, iif); + if (fq) { +@@ -484,6 +375,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb) + if (prob_offset) { + __IP6_INC_STATS(net, __in6_dev_get_safely(skb->dev), + IPSTATS_MIB_INHDRERRORS); ++ /* icmpv6_param_prob() calls kfree_skb(skb) */ + icmpv6_param_prob(skb, ICMPV6_HDR_FIELD, prob_offset); + } + return ret; +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 9006bb3c9e72..06fa8425d82c 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -2367,6 +2367,10 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk, + + rcu_read_lock(); + from = rcu_dereference(rt6->from); ++ if (!from) { ++ rcu_read_unlock(); ++ return; ++ } + nrt6 = ip6_rt_cache_alloc(from, daddr, saddr); + if (nrt6) { + rt6_do_update_pmtu(nrt6, mtu); +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index 8f6998091d26..2123f6e90fc0 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1166,6 +1166,9 @@ static inline void drv_wake_tx_queue(struct ieee80211_local *local, + { + struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif); + ++ if (local->in_reconfig) ++ return; ++ + if (!check_sdata_in_driver(sdata)) + return; + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index 793016d722ec..9fd37d91b5ed 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1508,32 +1508,29 @@ static unsigned int cake_drop(struct Qdisc *sch, struct sk_buff **to_free) + return idx + (tin << 16); + } + +-static void cake_wash_diffserv(struct sk_buff *skb) +-{ +- switch (skb->protocol) { +- case htons(ETH_P_IP): +- ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0); +- break; +- case htons(ETH_P_IPV6): +- ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0); +- break; +- default: +- break; +- } +-} +- + static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash) + { ++ int wlen = skb_network_offset(skb); + u8 dscp; + +- switch (skb->protocol) { ++ switch (tc_skb_protocol(skb)) { + case htons(ETH_P_IP): ++ wlen += sizeof(struct iphdr); ++ if (!pskb_may_pull(skb, wlen) || ++ skb_try_make_writable(skb, wlen)) ++ return 0; ++ + dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2; + if (wash && dscp) + ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0); + return dscp; + + case htons(ETH_P_IPV6): ++ wlen += sizeof(struct ipv6hdr); ++ if (!pskb_may_pull(skb, wlen) || ++ skb_try_make_writable(skb, wlen)) ++ return 0; ++ + dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2; + if (wash && dscp) + ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0); +@@ -1553,25 +1550,27 @@ static struct cake_tin_data *cake_select_tin(struct Qdisc *sch, + { + struct cake_sched_data *q = qdisc_priv(sch); + u32 tin; ++ u8 dscp; ++ ++ /* Tin selection: Default to diffserv-based selection, allow overriding ++ * using firewall marks or skb->priority. 
++ */ ++ dscp = cake_handle_diffserv(skb, ++ q->rate_flags & CAKE_FLAG_WASH); + +- if (TC_H_MAJ(skb->priority) == sch->handle && +- TC_H_MIN(skb->priority) > 0 && +- TC_H_MIN(skb->priority) <= q->tin_cnt) { ++ if (q->tin_mode == CAKE_DIFFSERV_BESTEFFORT) ++ tin = 0; ++ ++ else if (TC_H_MAJ(skb->priority) == sch->handle && ++ TC_H_MIN(skb->priority) > 0 && ++ TC_H_MIN(skb->priority) <= q->tin_cnt) + tin = q->tin_order[TC_H_MIN(skb->priority) - 1]; + +- if (q->rate_flags & CAKE_FLAG_WASH) +- cake_wash_diffserv(skb); +- } else if (q->tin_mode != CAKE_DIFFSERV_BESTEFFORT) { +- /* extract the Diffserv Precedence field, if it exists */ +- /* and clear DSCP bits if washing */ +- tin = q->tin_index[cake_handle_diffserv(skb, +- q->rate_flags & CAKE_FLAG_WASH)]; ++ else { ++ tin = q->tin_index[dscp]; ++ + if (unlikely(tin >= q->tin_cnt)) + tin = 0; +- } else { +- tin = 0; +- if (q->rate_flags & CAKE_FLAG_WASH) +- cake_wash_diffserv(skb); + } + + return &q->tins[tin]; +diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c +index 66d5b2c5987a..d72985ca1d55 100644 +--- a/net/tipc/name_table.c ++++ b/net/tipc/name_table.c +@@ -908,7 +908,8 @@ static int tipc_nl_service_list(struct net *net, struct tipc_nl_msg *msg, + for (; i < TIPC_NAMETBL_SIZE; i++) { + head = &tn->nametbl->services[i]; + +- if (*last_type) { ++ if (*last_type || ++ (!i && *last_key && (*last_lower == *last_key))) { + service = tipc_service_find(net, *last_type); + if (!service) + return -EPIPE; +diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c +index 7be43697ff84..7f40b6aab689 100644 +--- a/scripts/mod/file2alias.c ++++ b/scripts/mod/file2alias.c +@@ -47,49 +47,9 @@ typedef struct { + struct devtable { + const char *device_id; /* name of table, __mod___*_device_table. */ + unsigned long id_size; +- void *function; ++ int (*do_entry)(const char *filename, void *symval, char *alias); + }; + +-#define ___cat(a,b) a ## b +-#define __cat(a,b) ___cat(a,b) +- +-/* we need some special handling for this host tool running eventually on +- * Darwin. The Mach-O section handling is a bit different than ELF section +- * handling. The differnces in detail are: +- * a) we have segments which have sections +- * b) we need a API call to get the respective section symbols */ +-#if defined(__MACH__) +-#include +- +-#define INIT_SECTION(name) do { \ +- unsigned long name ## _len; \ +- char *__cat(pstart_,name) = getsectdata("__TEXT", \ +- #name, &__cat(name,_len)); \ +- char *__cat(pstop_,name) = __cat(pstart_,name) + \ +- __cat(name, _len); \ +- __cat(__start_,name) = (void *)__cat(pstart_,name); \ +- __cat(__stop_,name) = (void *)__cat(pstop_,name); \ +- } while (0) +-#define SECTION(name) __attribute__((section("__TEXT, " #name))) +- +-struct devtable **__start___devtable, **__stop___devtable; +-#else +-#define INIT_SECTION(name) /* no-op for ELF */ +-#define SECTION(name) __attribute__((section(#name))) +- +-/* We construct a table of pointers in an ELF section (pointers generally +- * go unpadded by gcc). ld creates boundary syms for us. */ +-extern struct devtable *__start___devtable[], *__stop___devtable[]; +-#endif /* __MACH__ */ +- +-#if !defined(__used) +-# if __GNUC__ == 3 && __GNUC_MINOR__ < 3 +-# define __used __attribute__((__unused__)) +-# else +-# define __used __attribute__((__used__)) +-# endif +-#endif +- + /* Define a variable f that holds the value of field f of struct devid + * based at address m. 
+ */ +@@ -102,16 +62,6 @@ extern struct devtable *__start___devtable[], *__stop___devtable[]; + #define DEF_FIELD_ADDR(m, devid, f) \ + typeof(((struct devid *)0)->f) *f = ((m) + OFF_##devid##_##f) + +-/* Add a table entry. We test function type matches while we're here. */ +-#define ADD_TO_DEVTABLE(device_id, type, function) \ +- static struct devtable __cat(devtable,__LINE__) = { \ +- device_id + 0*sizeof((function)((const char *)NULL, \ +- (void *)NULL, \ +- (char *)NULL)), \ +- SIZE_##type, (function) }; \ +- static struct devtable *SECTION(__devtable) __used \ +- __cat(devtable_ptr,__LINE__) = &__cat(devtable,__LINE__) +- + #define ADD(str, sep, cond, field) \ + do { \ + strcat(str, sep); \ +@@ -431,7 +381,6 @@ static int do_hid_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("hid", hid_device_id, do_hid_entry); + + /* Looks like: ieee1394:venNmoNspNverN */ + static int do_ieee1394_entry(const char *filename, +@@ -456,7 +405,6 @@ static int do_ieee1394_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ieee1394", ieee1394_device_id, do_ieee1394_entry); + + /* Looks like: pci:vNdNsvNsdNbcNscNiN. */ + static int do_pci_entry(const char *filename, +@@ -500,7 +448,6 @@ static int do_pci_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("pci", pci_device_id, do_pci_entry); + + /* looks like: "ccw:tNmNdtNdmN" */ + static int do_ccw_entry(const char *filename, +@@ -524,7 +471,6 @@ static int do_ccw_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ccw", ccw_device_id, do_ccw_entry); + + /* looks like: "ap:tN" */ + static int do_ap_entry(const char *filename, +@@ -535,7 +481,6 @@ static int do_ap_entry(const char *filename, + sprintf(alias, "ap:t%02X*", dev_type); + return 1; + } +-ADD_TO_DEVTABLE("ap", ap_device_id, do_ap_entry); + + /* looks like: "css:tN" */ + static int do_css_entry(const char *filename, +@@ -546,7 +491,6 @@ static int do_css_entry(const char *filename, + sprintf(alias, "css:t%01X", type); + return 1; + } +-ADD_TO_DEVTABLE("css", css_device_id, do_css_entry); + + /* Looks like: "serio:tyNprNidNexN" */ + static int do_serio_entry(const char *filename, +@@ -566,7 +510,6 @@ static int do_serio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("serio", serio_device_id, do_serio_entry); + + /* looks like: "acpi:ACPI0003" or "acpi:PNP0C0B" or "acpi:LNXVIDEO" or + * "acpi:bbsspp" (bb=base-class, ss=sub-class, pp=prog-if) +@@ -604,7 +547,6 @@ static int do_acpi_entry(const char *filename, + } + return 1; + } +-ADD_TO_DEVTABLE("acpi", acpi_device_id, do_acpi_entry); + + /* looks like: "pnp:dD" */ + static void do_pnp_device_entry(void *symval, unsigned long size, +@@ -725,7 +667,6 @@ static int do_pcmcia_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("pcmcia", pcmcia_device_id, do_pcmcia_entry); + + static int do_vio_entry(const char *filename, void *symval, + char *alias) +@@ -745,7 +686,6 @@ static int do_vio_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("vio", vio_device_id, do_vio_entry); + + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +@@ -818,7 +758,6 @@ static int do_input_entry(const char *filename, void *symval, + do_input(alias, *swbit, 0, INPUT_DEVICE_ID_SW_MAX); + return 1; + } +-ADD_TO_DEVTABLE("input", input_device_id, do_input_entry); + + static int do_eisa_entry(const char *filename, void *symval, + char *alias) 
+@@ -830,7 +769,6 @@ static int do_eisa_entry(const char *filename, void *symval, + strcat(alias, "*"); + return 1; + } +-ADD_TO_DEVTABLE("eisa", eisa_device_id, do_eisa_entry); + + /* Looks like: parisc:tNhvNrevNsvN */ + static int do_parisc_entry(const char *filename, void *symval, +@@ -850,7 +788,6 @@ static int do_parisc_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("parisc", parisc_device_id, do_parisc_entry); + + /* Looks like: sdio:cNvNdN. */ + static int do_sdio_entry(const char *filename, +@@ -867,7 +804,6 @@ static int do_sdio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("sdio", sdio_device_id, do_sdio_entry); + + /* Looks like: ssb:vNidNrevN. */ + static int do_ssb_entry(const char *filename, +@@ -884,7 +820,6 @@ static int do_ssb_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ssb", ssb_device_id, do_ssb_entry); + + /* Looks like: bcma:mNidNrevNclN. */ + static int do_bcma_entry(const char *filename, +@@ -903,7 +838,6 @@ static int do_bcma_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("bcma", bcma_device_id, do_bcma_entry); + + /* Looks like: virtio:dNvN */ + static int do_virtio_entry(const char *filename, void *symval, +@@ -919,7 +853,6 @@ static int do_virtio_entry(const char *filename, void *symval, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("virtio", virtio_device_id, do_virtio_entry); + + /* + * Looks like: vmbus:guid +@@ -942,7 +875,6 @@ static int do_vmbus_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("vmbus", hv_vmbus_device_id, do_vmbus_entry); + + /* Looks like: rpmsg:S */ + static int do_rpmsg_entry(const char *filename, void *symval, +@@ -953,7 +885,6 @@ static int do_rpmsg_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("rpmsg", rpmsg_device_id, do_rpmsg_entry); + + /* Looks like: i2c:S */ + static int do_i2c_entry(const char *filename, void *symval, +@@ -964,7 +895,6 @@ static int do_i2c_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("i2c", i2c_device_id, do_i2c_entry); + + /* Looks like: spi:S */ + static int do_spi_entry(const char *filename, void *symval, +@@ -975,7 +905,6 @@ static int do_spi_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("spi", spi_device_id, do_spi_entry); + + static const struct dmifield { + const char *prefix; +@@ -1030,7 +959,6 @@ static int do_dmi_entry(const char *filename, void *symval, + strcat(alias, ":"); + return 1; + } +-ADD_TO_DEVTABLE("dmi", dmi_system_id, do_dmi_entry); + + static int do_platform_entry(const char *filename, + void *symval, char *alias) +@@ -1039,7 +967,6 @@ static int do_platform_entry(const char *filename, + sprintf(alias, PLATFORM_MODULE_PREFIX "%s", *name); + return 1; + } +-ADD_TO_DEVTABLE("platform", platform_device_id, do_platform_entry); + + static int do_mdio_entry(const char *filename, + void *symval, char *alias) +@@ -1064,7 +991,6 @@ static int do_mdio_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("mdio", mdio_device_id, do_mdio_entry); + + /* Looks like: zorro:iN. 
*/ + static int do_zorro_entry(const char *filename, void *symval, +@@ -1075,7 +1001,6 @@ static int do_zorro_entry(const char *filename, void *symval, + ADD(alias, "i", id != ZORRO_WILDCARD, id); + return 1; + } +-ADD_TO_DEVTABLE("zorro", zorro_device_id, do_zorro_entry); + + /* looks like: "pnp:dD" */ + static int do_isapnp_entry(const char *filename, +@@ -1091,7 +1016,6 @@ static int do_isapnp_entry(const char *filename, + (function >> 12) & 0x0f, (function >> 8) & 0x0f); + return 1; + } +-ADD_TO_DEVTABLE("isapnp", isapnp_device_id, do_isapnp_entry); + + /* Looks like: "ipack:fNvNdN". */ + static int do_ipack_entry(const char *filename, +@@ -1107,7 +1031,6 @@ static int do_ipack_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("ipack", ipack_device_id, do_ipack_entry); + + /* + * Append a match expression for a single masked hex digit. +@@ -1178,7 +1101,6 @@ static int do_amba_entry(const char *filename, + + return 1; + } +-ADD_TO_DEVTABLE("amba", amba_id, do_amba_entry); + + /* + * looks like: "mipscdmm:tN" +@@ -1194,7 +1116,6 @@ static int do_mips_cdmm_entry(const char *filename, + sprintf(alias, "mipscdmm:t%02X*", type); + return 1; + } +-ADD_TO_DEVTABLE("mipscdmm", mips_cdmm_device_id, do_mips_cdmm_entry); + + /* LOOKS like cpu:type:x86,venVVVVfamFFFFmodMMMM:feature:*,FEAT,* + * All fields are numbers. It would be nicer to use strings for vendor +@@ -1219,7 +1140,6 @@ static int do_x86cpu_entry(const char *filename, void *symval, + sprintf(alias + strlen(alias), "%04X*", feature); + return 1; + } +-ADD_TO_DEVTABLE("x86cpu", x86_cpu_id, do_x86cpu_entry); + + /* LOOKS like cpu:type:*:feature:*FEAT* */ + static int do_cpu_entry(const char *filename, void *symval, char *alias) +@@ -1229,7 +1149,6 @@ static int do_cpu_entry(const char *filename, void *symval, char *alias) + sprintf(alias, "cpu:type:*:feature:*%04X*", feature); + return 1; + } +-ADD_TO_DEVTABLE("cpu", cpu_feature, do_cpu_entry); + + /* Looks like: mei:S:uuid:N:* */ + static int do_mei_entry(const char *filename, void *symval, +@@ -1248,7 +1167,6 @@ static int do_mei_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("mei", mei_cl_device_id, do_mei_entry); + + /* Looks like: rapidio:vNdNavNadN */ + static int do_rio_entry(const char *filename, +@@ -1268,7 +1186,6 @@ static int do_rio_entry(const char *filename, + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("rapidio", rio_device_id, do_rio_entry); + + /* Looks like: ulpi:vNpN */ + static int do_ulpi_entry(const char *filename, void *symval, +@@ -1281,7 +1198,6 @@ static int do_ulpi_entry(const char *filename, void *symval, + + return 1; + } +-ADD_TO_DEVTABLE("ulpi", ulpi_device_id, do_ulpi_entry); + + /* Looks like: hdaudio:vNrNaN */ + static int do_hda_entry(const char *filename, void *symval, char *alias) +@@ -1298,7 +1214,6 @@ static int do_hda_entry(const char *filename, void *symval, char *alias) + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("hdaudio", hda_device_id, do_hda_entry); + + /* Looks like: sdw:mNpN */ + static int do_sdw_entry(const char *filename, void *symval, char *alias) +@@ -1313,7 +1228,6 @@ static int do_sdw_entry(const char *filename, void *symval, char *alias) + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("sdw", sdw_device_id, do_sdw_entry); + + /* Looks like: fsl-mc:vNdN */ + static int do_fsl_mc_entry(const char *filename, void *symval, +@@ -1325,7 +1239,6 @@ static int do_fsl_mc_entry(const char *filename, void *symval, + sprintf(alias, 
"fsl-mc:v%08Xd%s", vendor, *obj_type); + return 1; + } +-ADD_TO_DEVTABLE("fslmc", fsl_mc_device_id, do_fsl_mc_entry); + + /* Looks like: tbsvc:kSpNvNrN */ + static int do_tbsvc_entry(const char *filename, void *symval, char *alias) +@@ -1350,7 +1263,6 @@ static int do_tbsvc_entry(const char *filename, void *symval, char *alias) + add_wildcard(alias); + return 1; + } +-ADD_TO_DEVTABLE("tbsvc", tb_service_id, do_tbsvc_entry); + + /* Looks like: typec:idNmN */ + static int do_typec_entry(const char *filename, void *symval, char *alias) +@@ -1363,7 +1275,6 @@ static int do_typec_entry(const char *filename, void *symval, char *alias) + + return 1; + } +-ADD_TO_DEVTABLE("typec", typec_device_id, do_typec_entry); + + /* Does namelen bytes of name exactly match the symbol? */ + static bool sym_is(const char *name, unsigned namelen, const char *symbol) +@@ -1377,12 +1288,11 @@ static bool sym_is(const char *name, unsigned namelen, const char *symbol) + static void do_table(void *symval, unsigned long size, + unsigned long id_size, + const char *device_id, +- void *function, ++ int (*do_entry)(const char *filename, void *symval, char *alias), + struct module *mod) + { + unsigned int i; + char alias[500]; +- int (*do_entry)(const char *, void *entry, char *alias) = function; + + device_id_check(mod->name, device_id, size, id_size, symval); + /* Leave last one: it's the terminator. */ +@@ -1396,6 +1306,48 @@ static void do_table(void *symval, unsigned long size, + } + } + ++static const struct devtable devtable[] = { ++ {"hid", SIZE_hid_device_id, do_hid_entry}, ++ {"ieee1394", SIZE_ieee1394_device_id, do_ieee1394_entry}, ++ {"pci", SIZE_pci_device_id, do_pci_entry}, ++ {"ccw", SIZE_ccw_device_id, do_ccw_entry}, ++ {"ap", SIZE_ap_device_id, do_ap_entry}, ++ {"css", SIZE_css_device_id, do_css_entry}, ++ {"serio", SIZE_serio_device_id, do_serio_entry}, ++ {"acpi", SIZE_acpi_device_id, do_acpi_entry}, ++ {"pcmcia", SIZE_pcmcia_device_id, do_pcmcia_entry}, ++ {"vio", SIZE_vio_device_id, do_vio_entry}, ++ {"input", SIZE_input_device_id, do_input_entry}, ++ {"eisa", SIZE_eisa_device_id, do_eisa_entry}, ++ {"parisc", SIZE_parisc_device_id, do_parisc_entry}, ++ {"sdio", SIZE_sdio_device_id, do_sdio_entry}, ++ {"ssb", SIZE_ssb_device_id, do_ssb_entry}, ++ {"bcma", SIZE_bcma_device_id, do_bcma_entry}, ++ {"virtio", SIZE_virtio_device_id, do_virtio_entry}, ++ {"vmbus", SIZE_hv_vmbus_device_id, do_vmbus_entry}, ++ {"rpmsg", SIZE_rpmsg_device_id, do_rpmsg_entry}, ++ {"i2c", SIZE_i2c_device_id, do_i2c_entry}, ++ {"spi", SIZE_spi_device_id, do_spi_entry}, ++ {"dmi", SIZE_dmi_system_id, do_dmi_entry}, ++ {"platform", SIZE_platform_device_id, do_platform_entry}, ++ {"mdio", SIZE_mdio_device_id, do_mdio_entry}, ++ {"zorro", SIZE_zorro_device_id, do_zorro_entry}, ++ {"isapnp", SIZE_isapnp_device_id, do_isapnp_entry}, ++ {"ipack", SIZE_ipack_device_id, do_ipack_entry}, ++ {"amba", SIZE_amba_id, do_amba_entry}, ++ {"mipscdmm", SIZE_mips_cdmm_device_id, do_mips_cdmm_entry}, ++ {"x86cpu", SIZE_x86_cpu_id, do_x86cpu_entry}, ++ {"cpu", SIZE_cpu_feature, do_cpu_entry}, ++ {"mei", SIZE_mei_cl_device_id, do_mei_entry}, ++ {"rapidio", SIZE_rio_device_id, do_rio_entry}, ++ {"ulpi", SIZE_ulpi_device_id, do_ulpi_entry}, ++ {"hdaudio", SIZE_hda_device_id, do_hda_entry}, ++ {"sdw", SIZE_sdw_device_id, do_sdw_entry}, ++ {"fslmc", SIZE_fsl_mc_device_id, do_fsl_mc_entry}, ++ {"tbsvc", SIZE_tb_service_id, do_tbsvc_entry}, ++ {"typec", SIZE_typec_device_id, do_typec_entry}, ++}; ++ + /* Create MODULE_ALIAS() statements. 
+ * At this time, we cannot write the actual output C source yet, + * so we write into the mod->dev_table_buf buffer. */ +@@ -1450,13 +1402,14 @@ void handle_moddevtable(struct module *mod, struct elf_info *info, + else if (sym_is(name, namelen, "pnp_card")) + do_pnp_card_entries(symval, sym->st_size, mod); + else { +- struct devtable **p; +- INIT_SECTION(__devtable); ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(devtable); i++) { ++ const struct devtable *p = &devtable[i]; + +- for (p = __start___devtable; p < __stop___devtable; p++) { +- if (sym_is(name, namelen, (*p)->device_id)) { +- do_table(symval, sym->st_size, (*p)->id_size, +- (*p)->device_id, (*p)->function, mod); ++ if (sym_is(name, namelen, p->device_id)) { ++ do_table(symval, sym->st_size, p->id_size, ++ p->device_id, p->do_entry, mod); + break; + } + } +diff --git a/security/device_cgroup.c b/security/device_cgroup.c +index cd97929fac66..dc28914fa72e 100644 +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -560,7 +560,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root, + devcg->behavior == DEVCG_DEFAULT_ALLOW) { + rc = dev_exception_add(devcg, ex); + if (rc) +- break; ++ return rc; + } else { + /* + * in the other possible cases: +diff --git a/sound/core/info.c b/sound/core/info.c +index fe502bc5e6d2..679136fba730 100644 +--- a/sound/core/info.c ++++ b/sound/core/info.c +@@ -722,8 +722,11 @@ snd_info_create_entry(const char *name, struct snd_info_entry *parent) + INIT_LIST_HEAD(&entry->children); + INIT_LIST_HEAD(&entry->list); + entry->parent = parent; +- if (parent) ++ if (parent) { ++ mutex_lock(&parent->access); + list_add_tail(&entry->list, &parent->children); ++ mutex_unlock(&parent->access); ++ } + return entry; + } + +@@ -805,7 +808,12 @@ void snd_info_free_entry(struct snd_info_entry * entry) + list_for_each_entry_safe(p, n, &entry->children, list) + snd_info_free_entry(p); + +- list_del(&entry->list); ++ p = entry->parent; ++ if (p) { ++ mutex_lock(&p->access); ++ list_del(&entry->list); ++ mutex_unlock(&p->access); ++ } + kfree(entry->name); + if (entry->private_free) + entry->private_free(entry); +diff --git a/sound/core/init.c b/sound/core/init.c +index 4849c611c0fe..16b7cc7aa66b 100644 +--- a/sound/core/init.c ++++ b/sound/core/init.c +@@ -407,14 +407,7 @@ int snd_card_disconnect(struct snd_card *card) + card->shutdown = 1; + spin_unlock(&card->files_lock); + +- /* phase 1: disable fops (user space) operations for ALSA API */ +- mutex_lock(&snd_card_mutex); +- snd_cards[card->number] = NULL; +- clear_bit(card->number, snd_cards_lock); +- mutex_unlock(&snd_card_mutex); +- +- /* phase 2: replace file->f_op with special dummy operations */ +- ++ /* replace file->f_op with special dummy operations */ + spin_lock(&card->files_lock); + list_for_each_entry(mfile, &card->files_list, list) { + /* it's critical part, use endless loop */ +@@ -430,7 +423,7 @@ int snd_card_disconnect(struct snd_card *card) + } + spin_unlock(&card->files_lock); + +- /* phase 3: notify all connected devices about disconnection */ ++ /* notify all connected devices about disconnection */ + /* at this point, they cannot respond to any calls except release() */ + + #if IS_ENABLED(CONFIG_SND_MIXER_OSS) +@@ -446,6 +439,13 @@ int snd_card_disconnect(struct snd_card *card) + device_del(&card->card_dev); + card->registered = false; + } ++ ++ /* disable fops (user space) operations for ALSA API */ ++ mutex_lock(&snd_card_mutex); ++ snd_cards[card->number] = NULL; ++ clear_bit(card->number, snd_cards_lock); ++ 
mutex_unlock(&snd_card_mutex); ++ + #ifdef CONFIG_PM + wake_up(&card->power_sleep); + #endif +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index bd60eb7168fa..0a745d677b1c 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7170,6 +7170,8 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x12, 0x90a60140}, + {0x14, 0x90170150}, + {0x21, 0x02211020}), ++ SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x21, 0x02211020}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL2_MIC_NO_PRESENCE, + {0x14, 0x90170110}, + {0x21, 0x02211020}), +@@ -7280,6 +7282,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC256_STANDARD_PINS), ++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x14, 0x90170110}, ++ {0x1b, 0x01011020}, ++ {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC256_FIXUP_ASUS_MIC, + {0x14, 0x90170110}, + {0x1b, 0x90a70130}, +diff --git a/sound/soc/rockchip/rockchip_pcm.c b/sound/soc/rockchip/rockchip_pcm.c +index 7029e0b85f9e..4ac78d7a4b2d 100644 +--- a/sound/soc/rockchip/rockchip_pcm.c ++++ b/sound/soc/rockchip/rockchip_pcm.c +@@ -21,7 +21,8 @@ static const struct snd_pcm_hardware snd_rockchip_hardware = { + .info = SNDRV_PCM_INFO_MMAP | + SNDRV_PCM_INFO_MMAP_VALID | + SNDRV_PCM_INFO_PAUSE | +- SNDRV_PCM_INFO_RESUME, ++ SNDRV_PCM_INFO_RESUME | ++ SNDRV_PCM_INFO_INTERLEAVED, + .period_bytes_min = 32, + .period_bytes_max = 8192, + .periods_min = 1, +diff --git a/tools/include/linux/bitops.h b/tools/include/linux/bitops.h +index acc704bd3998..0b0ef3abc966 100644 +--- a/tools/include/linux/bitops.h ++++ b/tools/include/linux/bitops.h +@@ -3,8 +3,6 @@ + #define _TOOLS_LINUX_BITOPS_H_ + + #include +-#include +- + #ifndef __WORDSIZE + #define __WORDSIZE (__SIZEOF_LONG__ * 8) + #endif +@@ -12,10 +10,9 @@ + #ifndef BITS_PER_LONG + # define BITS_PER_LONG __WORDSIZE + #endif ++#include ++#include + +-#define BIT_MASK(nr) (1UL << ((nr) % BITS_PER_LONG)) +-#define BIT_WORD(nr) ((nr) / BITS_PER_LONG) +-#define BITS_PER_BYTE 8 + #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(long)) + #define BITS_TO_U64(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(u64)) + #define BITS_TO_U32(nr) DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(u32)) +diff --git a/tools/include/linux/bits.h b/tools/include/linux/bits.h +new file mode 100644 +index 000000000000..2b7b532c1d51 +--- /dev/null ++++ b/tools/include/linux/bits.h +@@ -0,0 +1,26 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef __LINUX_BITS_H ++#define __LINUX_BITS_H ++#include ++ ++#define BIT(nr) (1UL << (nr)) ++#define BIT_ULL(nr) (1ULL << (nr)) ++#define BIT_MASK(nr) (1UL << ((nr) % BITS_PER_LONG)) ++#define BIT_WORD(nr) ((nr) / BITS_PER_LONG) ++#define BIT_ULL_MASK(nr) (1ULL << ((nr) % BITS_PER_LONG_LONG)) ++#define BIT_ULL_WORD(nr) ((nr) / BITS_PER_LONG_LONG) ++#define BITS_PER_BYTE 8 ++ ++/* ++ * Create a contiguous bitmask starting at bit position @l and ending at ++ * position @h. For example ++ * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000. 
++ */ ++#define GENMASK(h, l) \ ++ (((~0UL) - (1UL << (l)) + 1) & (~0UL >> (BITS_PER_LONG - 1 - (h)))) ++ ++#define GENMASK_ULL(h, l) \ ++ (((~0ULL) - (1ULL << (l)) + 1) & \ ++ (~0ULL >> (BITS_PER_LONG_LONG - 1 - (h)))) ++ ++#endif /* __LINUX_BITS_H */ +diff --git a/tools/perf/check-headers.sh b/tools/perf/check-headers.sh +index 466540ee8ea7..c72cc73a6b09 100755 +--- a/tools/perf/check-headers.sh ++++ b/tools/perf/check-headers.sh +@@ -14,6 +14,7 @@ include/uapi/linux/sched.h + include/uapi/linux/stat.h + include/uapi/linux/vhost.h + include/uapi/sound/asound.h ++include/linux/bits.h + include/linux/hash.h + include/uapi/linux/hw_breakpoint.h + arch/x86/include/asm/disabled-features.h diff --git a/patch/kernel/sunxi-next/patch-4.19.37-38.patch b/patch/kernel/sunxi-next/patch-4.19.37-38.patch new file mode 100644 index 000000000..71a6d7dc6 --- /dev/null +++ b/patch/kernel/sunxi-next/patch-4.19.37-38.patch @@ -0,0 +1,4023 @@ +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index f5acf35c712f..8b6567f7cb9b 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -2805,7 +2805,7 @@ + check bypass). With this option data leaks are possible + in the system. + +- nospectre_v2 [X86] Disable all mitigations for the Spectre variant 2 ++ nospectre_v2 [X86,PPC_FSL_BOOK3E] Disable all mitigations for the Spectre variant 2 + (indirect branch prediction) vulnerability. System may + allow data leaks with this option, which is equivalent + to spectre_v2=off. +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index 960de8fe3f40..2c31208528d5 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -410,6 +410,7 @@ tcp_min_rtt_wlen - INTEGER + minimum RTT when it is moved to a longer path (e.g., due to traffic + engineering). A longer window makes the filter more resistant to RTT + inflations such as transient congestion. The unit is seconds. ++ Possible values: 0 - 86400 (1 day) + Default: 300 + + tcp_moderate_rcvbuf - BOOLEAN +diff --git a/Makefile b/Makefile +index 7b495cad8c2e..14d4aeb48907 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 19 +-SUBLEVEL = 37 ++SUBLEVEL = 38 + EXTRAVERSION = + NAME = "People's Front" + +diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S +index 517e0e18f0b8..e205bbbe2794 100644 +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -1395,7 +1395,21 @@ ENTRY(efi_stub_entry) + + @ Preserve return value of efi_entry() in r4 + mov r4, r0 +- bl cache_clean_flush ++ ++ @ our cache maintenance code relies on CP15 barrier instructions ++ @ but since we arrived here with the MMU and caches configured ++ @ by UEFI, we must check that the CP15BEN bit is set in SCTLR. ++ @ Note that this bit is RAO/WI on v6 and earlier, so the ISB in ++ @ the enable path will be executed on v7+ only. ++ mrc p15, 0, r1, c1, c0, 0 @ read SCTLR ++ tst r1, #(1 << 5) @ CP15BEN bit set? 
++ bne 0f ++ orr r1, r1, #(1 << 5) @ CP15 barrier instructions ++ mcr p15, 0, r1, c1, c0, 0 @ write SCTLR ++ ARM( .inst 0xf57ff06f @ v7+ isb ) ++ THUMB( isb ) ++ ++0: bl cache_clean_flush + bl cache_off + + @ Set parameters for booting zImage according to boot protocol +diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S +index 73913f072e39..579608342ac6 100644 +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -125,7 +125,7 @@ trace_a_syscall: + subu t1, v0, __NR_O32_Linux + move a1, v0 + bnez t1, 1f /* __NR_syscall at offset 0 */ +- lw a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ ++ ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */ + .set pop + + 1: jal syscall_trace_enter +diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig +index 6bd5e7261335..ffeaed63675b 100644 +--- a/arch/powerpc/configs/skiroot_defconfig ++++ b/arch/powerpc/configs/skiroot_defconfig +@@ -195,6 +195,7 @@ CONFIG_UDF_FS=m + CONFIG_MSDOS_FS=m + CONFIG_VFAT_FS=m + CONFIG_PROC_KCORE=y ++CONFIG_HUGETLBFS=y + CONFIG_TMPFS=y + CONFIG_TMPFS_POSIX_ACL=y + # CONFIG_MISC_FILESYSTEMS is not set +diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S +index 769c2624e0a6..75cff3f336b3 100644 +--- a/arch/powerpc/kernel/vdso32/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S +@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime) + * can be used, r7 contains NSEC_PER_SEC. + */ + +- lwz r5,WTOM_CLOCK_SEC(r9) ++ lwz r5,(WTOM_CLOCK_SEC+LOPART)(r9) + lwz r6,WTOM_CLOCK_NSEC(r9) + + /* We now have our offset in r5,r6. We create a fake dependency +diff --git a/arch/powerpc/platforms/Kconfig.cputype b/arch/powerpc/platforms/Kconfig.cputype +index 6c6a7c72cae4..ad0216c41d2c 100644 +--- a/arch/powerpc/platforms/Kconfig.cputype ++++ b/arch/powerpc/platforms/Kconfig.cputype +@@ -330,7 +330,7 @@ config ARCH_ENABLE_SPLIT_PMD_PTLOCK + + config PPC_RADIX_MMU + bool "Radix MMU Support" +- depends on PPC_BOOK3S_64 ++ depends on PPC_BOOK3S_64 && HUGETLB_PAGE + select ARCH_HAS_GIGANTIC_PAGE if (MEMORY_ISOLATION && COMPACTION) || CMA + default y + help +diff --git a/arch/x86/Makefile b/arch/x86/Makefile +index b84f61bc5e7a..ffc823a8312f 100644 +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -224,6 +224,15 @@ KBUILD_CFLAGS += -fno-asynchronous-unwind-tables + # Avoid indirect branches in kernel to deal with Spectre + ifdef CONFIG_RETPOLINE + KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) ++ # Additionally, avoid generating expensive indirect jumps which ++ # are subject to retpolines for small number of switch cases. ++ # clang turns off jump table generation by default when under ++ # retpoline builds, however, gcc does not for x86. This has ++ # only been fixed starting from gcc stable version 8.4.0 and ++ # onwards, but not for older ones. See gcc bug #86952. ++ ifndef CONFIG_CC_IS_CLANG ++ KBUILD_CFLAGS += $(call cc-option,-fno-jump-tables) ++ endif + endif + + archscripts: scripts_basic +diff --git a/arch/x86/events/intel/cstate.c b/arch/x86/events/intel/cstate.c +index 9f8084f18d58..6eb76106c469 100644 +--- a/arch/x86/events/intel/cstate.c ++++ b/arch/x86/events/intel/cstate.c +@@ -76,15 +76,15 @@ + * Scope: Package (physical package) + * MSR_PKG_C8_RESIDENCY: Package C8 Residency Counter. + * perf code: 0x04 +- * Available model: HSW ULT,CNL ++ * Available model: HSW ULT,KBL,CNL + * Scope: Package (physical package) + * MSR_PKG_C9_RESIDENCY: Package C9 Residency Counter. 
+ * perf code: 0x05 +- * Available model: HSW ULT,CNL ++ * Available model: HSW ULT,KBL,CNL + * Scope: Package (physical package) + * MSR_PKG_C10_RESIDENCY: Package C10 Residency Counter. + * perf code: 0x06 +- * Available model: HSW ULT,GLM,CNL ++ * Available model: HSW ULT,KBL,GLM,CNL + * Scope: Package (physical package) + * + */ +@@ -572,8 +572,8 @@ static const struct x86_cpu_id intel_cstates_match[] __initconst = { + X86_CSTATES_MODEL(INTEL_FAM6_SKYLAKE_DESKTOP, snb_cstates), + X86_CSTATES_MODEL(INTEL_FAM6_SKYLAKE_X, snb_cstates), + +- X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_MOBILE, snb_cstates), +- X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_DESKTOP, snb_cstates), ++ X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_MOBILE, hswult_cstates), ++ X86_CSTATES_MODEL(INTEL_FAM6_KABYLAKE_DESKTOP, hswult_cstates), + + X86_CSTATES_MODEL(INTEL_FAM6_CANNONLAKE_MOBILE, cnl_cstates), + +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h +index cec5fae23eb3..baa549f8e918 100644 +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -82,8 +82,7 @@ struct efi_scratch { + #define arch_efi_call_virt_setup() \ + ({ \ + efi_sync_low_kernel_mappings(); \ +- preempt_disable(); \ +- __kernel_fpu_begin(); \ ++ kernel_fpu_begin(); \ + firmware_restrict_branch_speculation_start(); \ + \ + if (!efi_enabled(EFI_OLD_MEMMAP)) \ +@@ -99,8 +98,7 @@ struct efi_scratch { + efi_switch_mm(efi_scratch.prev_mm); \ + \ + firmware_restrict_branch_speculation_end(); \ +- __kernel_fpu_end(); \ +- preempt_enable(); \ ++ kernel_fpu_end(); \ + }) + + extern void __iomem *__init efi_ioremap(unsigned long addr, unsigned long size, +diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h +index a9caac9d4a72..b56d504af654 100644 +--- a/arch/x86/include/asm/fpu/api.h ++++ b/arch/x86/include/asm/fpu/api.h +@@ -12,17 +12,12 @@ + #define _ASM_X86_FPU_API_H + + /* +- * Careful: __kernel_fpu_begin/end() must be called with preempt disabled +- * and they don't touch the preempt state on their own. +- * If you enable preemption after __kernel_fpu_begin(), preempt notifier +- * should call the __kernel_fpu_end() to prevent the kernel/user FPU +- * state from getting corrupted. KVM for example uses this model. +- * +- * All other cases use kernel_fpu_begin/end() which disable preemption +- * during kernel FPU usage. ++ * Use kernel_fpu_begin/end() if you intend to use FPU in kernel context. It ++ * disables preemption so be careful if you intend to use it for long periods ++ * of time. ++ * If you intend to use the FPU in softirq you need to check first with ++ * irq_fpu_usable() if it is possible. 
+ */ +-extern void __kernel_fpu_begin(void); +-extern void __kernel_fpu_end(void); + extern void kernel_fpu_begin(void); + extern void kernel_fpu_end(void); + extern bool irq_fpu_usable(void); +diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c +index 2ea85b32421a..2e5003fef51a 100644 +--- a/arch/x86/kernel/fpu/core.c ++++ b/arch/x86/kernel/fpu/core.c +@@ -93,7 +93,7 @@ bool irq_fpu_usable(void) + } + EXPORT_SYMBOL(irq_fpu_usable); + +-void __kernel_fpu_begin(void) ++static void __kernel_fpu_begin(void) + { + struct fpu *fpu = ¤t->thread.fpu; + +@@ -111,9 +111,8 @@ void __kernel_fpu_begin(void) + __cpu_invalidate_fpregs_state(); + } + } +-EXPORT_SYMBOL(__kernel_fpu_begin); + +-void __kernel_fpu_end(void) ++static void __kernel_fpu_end(void) + { + struct fpu *fpu = ¤t->thread.fpu; + +@@ -122,7 +121,6 @@ void __kernel_fpu_end(void) + + kernel_fpu_enable(); + } +-EXPORT_SYMBOL(__kernel_fpu_end); + + void kernel_fpu_begin(void) + { +diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c +index 030c98f35cca..a654ccfd1a22 100644 +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -958,14 +958,13 @@ enum lru_status binder_alloc_free_page(struct list_head *item, + + index = page - alloc->pages; + page_addr = (uintptr_t)alloc->buffer + index * PAGE_SIZE; ++ ++ mm = alloc->vma_vm_mm; ++ if (!mmget_not_zero(mm)) ++ goto err_mmget; ++ if (!down_write_trylock(&mm->mmap_sem)) ++ goto err_down_write_mmap_sem_failed; + vma = binder_alloc_get_vma(alloc); +- if (vma) { +- if (!mmget_not_zero(alloc->vma_vm_mm)) +- goto err_mmget; +- mm = alloc->vma_vm_mm; +- if (!down_write_trylock(&mm->mmap_sem)) +- goto err_down_write_mmap_sem_failed; +- } + + list_lru_isolate(lru, item); + spin_unlock(lock); +@@ -978,10 +977,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item, + PAGE_SIZE); + + trace_binder_unmap_user_end(alloc, index); +- +- up_write(&mm->mmap_sem); +- mmput(mm); + } ++ up_write(&mm->mmap_sem); ++ mmput(mm); + + trace_binder_unmap_kernel_start(alloc, index); + +diff --git a/drivers/block/loop.c b/drivers/block/loop.c +index a63da9e07341..f1e63eb7cbca 100644 +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1112,8 +1112,9 @@ out_unlock: + err = __blkdev_reread_part(bdev); + else + err = blkdev_reread_part(bdev); +- pr_warn("%s: partition scan of loop%d failed (rc=%d)\n", +- __func__, lo_number, err); ++ if (err) ++ pr_warn("%s: partition scan of loop%d failed (rc=%d)\n", ++ __func__, lo_number, err); + /* Device is gone, no point in returning error */ + err = 0; + } +diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c +index a65505db09e5..70cbd0ee1b07 100644 +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -515,18 +515,18 @@ struct zram_work { + struct zram *zram; + unsigned long entry; + struct bio *bio; ++ struct bio_vec bvec; + }; + + #if PAGE_SIZE != 4096 + static void zram_sync_read(struct work_struct *work) + { +- struct bio_vec bvec; + struct zram_work *zw = container_of(work, struct zram_work, work); + struct zram *zram = zw->zram; + unsigned long entry = zw->entry; + struct bio *bio = zw->bio; + +- read_from_bdev_async(zram, &bvec, entry, bio); ++ read_from_bdev_async(zram, &zw->bvec, entry, bio); + } + + /* +@@ -539,6 +539,7 @@ static int read_from_bdev_sync(struct zram *zram, struct bio_vec *bvec, + { + struct zram_work work; + ++ work.bvec = *bvec; + work.zram = zram; + work.entry = entry; + work.bio = bio; +diff --git a/drivers/dma/sh/rcar-dmac.c 
b/drivers/dma/sh/rcar-dmac.c +index 48ee35e2bce6..0b05a1e08d21 100644 +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1281,6 +1281,9 @@ static unsigned int rcar_dmac_chan_get_residue(struct rcar_dmac_chan *chan, + enum dma_status status; + unsigned int residue = 0; + unsigned int dptr = 0; ++ unsigned int chcrb; ++ unsigned int tcrb; ++ unsigned int i; + + if (!desc) + return 0; +@@ -1328,6 +1331,24 @@ static unsigned int rcar_dmac_chan_get_residue(struct rcar_dmac_chan *chan, + return 0; + } + ++ /* ++ * We need to read two registers. ++ * Make sure the control register does not skip to next chunk ++ * while reading the counter. ++ * Trying it 3 times should be enough: Initial read, retry, retry ++ * for the paranoid. ++ */ ++ for (i = 0; i < 3; i++) { ++ chcrb = rcar_dmac_chan_read(chan, RCAR_DMACHCRB) & ++ RCAR_DMACHCRB_DPTR_MASK; ++ tcrb = rcar_dmac_chan_read(chan, RCAR_DMATCRB); ++ /* Still the same? */ ++ if (chcrb == (rcar_dmac_chan_read(chan, RCAR_DMACHCRB) & ++ RCAR_DMACHCRB_DPTR_MASK)) ++ break; ++ } ++ WARN_ONCE(i >= 3, "residue might be not continuous!"); ++ + /* + * In descriptor mode the descriptor running pointer is not maintained + * by the interrupt handler, find the running descriptor from the +@@ -1335,8 +1356,7 @@ static unsigned int rcar_dmac_chan_get_residue(struct rcar_dmac_chan *chan, + * mode just use the running descriptor pointer. + */ + if (desc->hwdescs.use) { +- dptr = (rcar_dmac_chan_read(chan, RCAR_DMACHCRB) & +- RCAR_DMACHCRB_DPTR_MASK) >> RCAR_DMACHCRB_DPTR_SHIFT; ++ dptr = chcrb >> RCAR_DMACHCRB_DPTR_SHIFT; + if (dptr == 0) + dptr = desc->nchunks; + dptr--; +@@ -1354,7 +1374,7 @@ static unsigned int rcar_dmac_chan_get_residue(struct rcar_dmac_chan *chan, + } + + /* Add the residue for the current chunk. */ +- residue += rcar_dmac_chan_read(chan, RCAR_DMATCRB) << desc->xfer_shift; ++ residue += tcrb << desc->xfer_shift; + + return residue; + } +@@ -1367,6 +1387,7 @@ static enum dma_status rcar_dmac_tx_status(struct dma_chan *chan, + enum dma_status status; + unsigned long flags; + unsigned int residue; ++ bool cyclic; + + status = dma_cookie_status(chan, cookie, txstate); + if (status == DMA_COMPLETE || !txstate) +@@ -1374,10 +1395,11 @@ static enum dma_status rcar_dmac_tx_status(struct dma_chan *chan, + + spin_lock_irqsave(&rchan->lock, flags); + residue = rcar_dmac_chan_get_residue(rchan, cookie); ++ cyclic = rchan->desc.running ? 
rchan->desc.running->cyclic : false; + spin_unlock_irqrestore(&rchan->lock, flags); + + /* if there's no residue, the cookie is complete */ +- if (!residue) ++ if (!residue && !cyclic) + return DMA_COMPLETE; + + dma_set_residue(txstate, residue); +diff --git a/drivers/gpio/gpio-eic-sprd.c b/drivers/gpio/gpio-eic-sprd.c +index e41223c05f6e..6cf2e2ce4093 100644 +--- a/drivers/gpio/gpio-eic-sprd.c ++++ b/drivers/gpio/gpio-eic-sprd.c +@@ -414,6 +414,7 @@ static int sprd_eic_irq_set_type(struct irq_data *data, unsigned int flow_type) + irq_set_handler_locked(data, handle_edge_irq); + break; + case IRQ_TYPE_EDGE_BOTH: ++ sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTMODE, 0); + sprd_eic_update(chip, offset, SPRD_EIC_SYNC_INTBOTH, 1); + irq_set_handler_locked(data, handle_edge_irq); + break; +diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c +index 6f91634880aa..2d6506c08bf7 100644 +--- a/drivers/gpu/drm/i915/intel_fbdev.c ++++ b/drivers/gpu/drm/i915/intel_fbdev.c +@@ -334,8 +334,8 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, + bool *enabled, int width, int height) + { + struct drm_i915_private *dev_priv = to_i915(fb_helper->dev); ++ unsigned long conn_configured, conn_seq, mask; + unsigned int count = min(fb_helper->connector_count, BITS_PER_LONG); +- unsigned long conn_configured, conn_seq; + int i, j; + bool *save_enabled; + bool fallback = true, ret = true; +@@ -353,9 +353,10 @@ static bool intel_fb_initial_config(struct drm_fb_helper *fb_helper, + drm_modeset_backoff(&ctx); + + memcpy(save_enabled, enabled, count); +- conn_seq = GENMASK(count - 1, 0); ++ mask = GENMASK(count - 1, 0); + conn_configured = 0; + retry: ++ conn_seq = conn_configured; + for (i = 0; i < count; i++) { + struct drm_fb_helper_connector *fb_conn; + struct drm_connector *connector; +@@ -368,8 +369,7 @@ retry: + if (conn_configured & BIT(i)) + continue; + +- /* First pass, only consider tiled connectors */ +- if (conn_seq == GENMASK(count - 1, 0) && !connector->has_tile) ++ if (conn_seq == 0 && !connector->has_tile) + continue; + + if (connector->status == connector_status_connected) +@@ -473,10 +473,8 @@ retry: + conn_configured |= BIT(i); + } + +- if (conn_configured != conn_seq) { /* repeat until no more are found */ +- conn_seq = conn_configured; ++ if ((conn_configured & mask) != mask && conn_configured != conn_seq) + goto retry; +- } + + /* + * If the BIOS didn't enable everything it could, fall back to have the +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-reg.c b/drivers/gpu/drm/rockchip/cdn-dp-reg.c +index 5a485489a1e2..6c8b14fb1d2f 100644 +--- a/drivers/gpu/drm/rockchip/cdn-dp-reg.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-reg.c +@@ -113,7 +113,7 @@ static int cdp_dp_mailbox_write(struct cdn_dp_device *dp, u8 val) + + static int cdn_dp_mailbox_validate_receive(struct cdn_dp_device *dp, + u8 module_id, u8 opcode, +- u8 req_size) ++ u16 req_size) + { + u32 mbox_size, i; + u8 header[4]; +diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c +index 0e6a121858d1..5615ceb15708 100644 +--- a/drivers/gpu/drm/vc4/vc4_crtc.c ++++ b/drivers/gpu/drm/vc4/vc4_crtc.c +@@ -998,7 +998,7 @@ static void + vc4_crtc_reset(struct drm_crtc *crtc) + { + if (crtc->state) +- __drm_atomic_helper_crtc_destroy_state(crtc->state); ++ vc4_crtc_destroy_state(crtc, crtc->state); + + crtc->state = kzalloc(sizeof(struct vc4_crtc_state), GFP_KERNEL); + if (crtc->state) +diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c +index 
cc287cf6eb29..edc52d75e6bd 100644 +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -616,7 +616,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev, + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; +- for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++) ++ for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++) + if (gth->master[master] == port) + gth->master[master] = -1; + spin_unlock(>h->gth_lock); +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 50be240df331..8cc4da62f050 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -2014,6 +2014,7 @@ static int mlx5_ib_mmap_clock_info_page(struct mlx5_ib_dev *dev, + + if (vma->vm_flags & VM_WRITE) + return -EPERM; ++ vma->vm_flags &= ~VM_MAYWRITE; + + if (!dev->mdev->clock_info_page) + return -EOPNOTSUPP; +@@ -2197,6 +2198,7 @@ static int mlx5_ib_mmap(struct ib_ucontext *ibcontext, struct vm_area_struct *vm + + if (vma->vm_flags & VM_WRITE) + return -EPERM; ++ vma->vm_flags &= ~VM_MAYWRITE; + + /* Don't expose to user-space information it shouldn't have */ + if (PAGE_SIZE > 4096) +diff --git a/drivers/infiniband/sw/rdmavt/mr.c b/drivers/infiniband/sw/rdmavt/mr.c +index 49c9541050d4..5819c9d6ffdc 100644 +--- a/drivers/infiniband/sw/rdmavt/mr.c ++++ b/drivers/infiniband/sw/rdmavt/mr.c +@@ -611,11 +611,6 @@ static int rvt_set_page(struct ib_mr *ibmr, u64 addr) + if (unlikely(mapped_segs == mr->mr.max_segs)) + return -ENOMEM; + +- if (mr->mr.length == 0) { +- mr->mr.user_base = addr; +- mr->mr.iova = addr; +- } +- + m = mapped_segs / RVT_SEGSZ; + n = mapped_segs % RVT_SEGSZ; + mr->mr.map[m]->segs[n].vaddr = (void *)addr; +@@ -633,17 +628,24 @@ static int rvt_set_page(struct ib_mr *ibmr, u64 addr) + * @sg_nents: number of entries in sg + * @sg_offset: offset in bytes into sg + * ++ * Overwrite rvt_mr length with mr length calculated by ib_sg_to_pages. 
++ * + * Return: number of sg elements mapped to the memory region + */ + int rvt_map_mr_sg(struct ib_mr *ibmr, struct scatterlist *sg, + int sg_nents, unsigned int *sg_offset) + { + struct rvt_mr *mr = to_imr(ibmr); ++ int ret; + + mr->mr.length = 0; + mr->mr.page_shift = PAGE_SHIFT; +- return ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, +- rvt_set_page); ++ ret = ib_sg_to_pages(ibmr, sg, sg_nents, sg_offset, rvt_set_page); ++ mr->mr.user_base = ibmr->iova; ++ mr->mr.iova = ibmr->iova; ++ mr->mr.offset = ibmr->iova - (u64)mr->mr.map[0]->segs[0].vaddr; ++ mr->mr.length = (size_t)ibmr->length; ++ return ret; + } + + /** +@@ -674,6 +676,7 @@ int rvt_fast_reg_mr(struct rvt_qp *qp, struct ib_mr *ibmr, u32 key, + ibmr->rkey = key; + mr->mr.lkey = key; + mr->mr.access_flags = access; ++ mr->mr.iova = ibmr->iova; + atomic_set(&mr->mr.lkey_invalid, 0); + + return 0; +diff --git a/drivers/input/rmi4/rmi_f11.c b/drivers/input/rmi4/rmi_f11.c +index df64d6aed4f7..93901ebd122a 100644 +--- a/drivers/input/rmi4/rmi_f11.c ++++ b/drivers/input/rmi4/rmi_f11.c +@@ -1230,7 +1230,7 @@ static int rmi_f11_initialize(struct rmi_function *fn) + } + + rc = f11_write_control_regs(fn, &f11->sens_query, +- &f11->dev_controls, fn->fd.query_base_addr); ++ &f11->dev_controls, fn->fd.control_base_addr); + if (rc) + dev_warn(&fn->dev, "Failed to write control registers\n"); + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index dabe89968a78..2caa5c0c2bc4 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -4821,6 +4821,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + if (err) + goto out; + ++ mv88e6xxx_ports_cmode_init(chip); + mv88e6xxx_phy_init(chip); + + if (chip->info->ops->get_eeprom) { +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +index b043370c2685..cc84133c184d 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -1169,6 +1169,12 @@ int hns_nic_init_phy(struct net_device *ndev, struct hnae_handle *h) + if (!h->phy_dev) + return 0; + ++ phy_dev->supported &= h->if_support; ++ phy_dev->advertising = phy_dev->supported; ++ ++ if (h->phy_if == PHY_INTERFACE_MODE_XGMII) ++ phy_dev->autoneg = false; ++ + if (h->phy_if != PHY_INTERFACE_MODE_XGMII) { + phy_dev->dev_flags = 0; + +@@ -1180,15 +1186,6 @@ int hns_nic_init_phy(struct net_device *ndev, struct hnae_handle *h) + if (unlikely(ret)) + return -ENODEV; + +- phy_dev->supported &= h->if_support; +- phy_dev->advertising = phy_dev->supported; +- +- if (h->phy_if == PHY_INTERFACE_MODE_XGMII) +- phy_dev->autoneg = false; +- +- if (h->phy_if == PHY_INTERFACE_MODE_SGMII) +- phy_stop(phy_dev); +- + return 0; + } + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index a475f36ddf8c..426789e2c23d 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1859,7 +1859,7 @@ static int do_reset(struct ibmvnic_adapter *adapter, + + if (adapter->reset_reason != VNIC_RESET_FAILOVER && + adapter->reset_reason != VNIC_RESET_CHANGE_PARAM) +- netdev_notify_peers(netdev); ++ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, netdev); + + netif_carrier_on(netdev); + +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +index 3f536541f45f..78a43d688cb1 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c ++++ 
b/drivers/net/ethernet/intel/fm10k/fm10k_main.c +@@ -41,6 +41,8 @@ static int __init fm10k_init_module(void) + /* create driver workqueue */ + fm10k_workqueue = alloc_workqueue("%s", WQ_MEM_RECLAIM, 0, + fm10k_driver_name); ++ if (!fm10k_workqueue) ++ return -ENOMEM; + + fm10k_dbg_init(); + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 9988c89ed9fd..9b10abb604cb 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -4272,7 +4272,7 @@ static void mvpp2_phylink_validate(struct net_device *dev, + case PHY_INTERFACE_MODE_RGMII_ID: + case PHY_INTERFACE_MODE_RGMII_RXID: + case PHY_INTERFACE_MODE_RGMII_TXID: +- if (port->gop_id == 0) ++ if (port->priv->hw_version == MVPP22 && port->gop_id == 0) + goto empty_set; + break; + default: +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +index 4a33c9a7cac7..599114ab7821 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c +@@ -33,6 +33,26 @@ + #include + #include "en/xdp.h" + ++int mlx5e_xdp_max_mtu(struct mlx5e_params *params) ++{ ++ int hr = NET_IP_ALIGN + XDP_PACKET_HEADROOM; ++ ++ /* Let S := SKB_DATA_ALIGN(sizeof(struct skb_shared_info)). ++ * The condition checked in mlx5e_rx_is_linear_skb is: ++ * SKB_DATA_ALIGN(sw_mtu + hard_mtu + hr) + S <= PAGE_SIZE (1) ++ * (Note that hw_mtu == sw_mtu + hard_mtu.) ++ * What is returned from this function is: ++ * max_mtu = PAGE_SIZE - S - hr - hard_mtu (2) ++ * After assigning sw_mtu := max_mtu, the left side of (1) turns to ++ * SKB_DATA_ALIGN(PAGE_SIZE - S) + S, which is equal to PAGE_SIZE, ++ * because both PAGE_SIZE and S are already aligned. Any number greater ++ * than max_mtu would make the left side of (1) greater than PAGE_SIZE, ++ * so max_mtu is the maximum MTU allowed. 
++ */ ++ ++ return MLX5E_HW2SW_MTU(params, SKB_MAX_HEAD(hr)); ++} ++ + static inline bool + mlx5e_xmit_xdp_buff(struct mlx5e_xdpsq *sq, struct mlx5e_dma_info *di, + struct xdp_buff *xdp) +@@ -207,9 +227,9 @@ bool mlx5e_poll_xdpsq_cq(struct mlx5e_cq *cq) + sqcc++; + + if (is_redirect) { +- xdp_return_frame(xdpi->xdpf); + dma_unmap_single(sq->pdev, xdpi->dma_addr, + xdpi->xdpf->len, DMA_TO_DEVICE); ++ xdp_return_frame(xdpi->xdpf); + } else { + /* Recycle RX page */ + mlx5e_page_release(rq, &xdpi->di, true); +@@ -243,9 +263,9 @@ void mlx5e_free_xdpsq_descs(struct mlx5e_xdpsq *sq) + sq->cc++; + + if (is_redirect) { +- xdp_return_frame(xdpi->xdpf); + dma_unmap_single(sq->pdev, xdpi->dma_addr, + xdpi->xdpf->len, DMA_TO_DEVICE); ++ xdp_return_frame(xdpi->xdpf); + } else { + /* Recycle RX page */ + mlx5e_page_release(rq, &xdpi->di, false); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h +index 4d096623178b..827ceef5fa93 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.h +@@ -34,12 +34,11 @@ + + #include "en.h" + +-#define MLX5E_XDP_MAX_MTU ((int)(PAGE_SIZE - \ +- MLX5_SKB_FRAG_SZ(XDP_PACKET_HEADROOM))) + #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN) + #define MLX5E_XDP_TX_DS_COUNT \ + ((sizeof(struct mlx5e_tx_wqe) / MLX5_SEND_WQE_DS) + 1 /* SG DS */) + ++int mlx5e_xdp_max_mtu(struct mlx5e_params *params); + bool mlx5e_xdp_handle(struct mlx5e_rq *rq, struct mlx5e_dma_info *di, + void *va, u16 *rx_headroom, u32 *len); + bool mlx5e_poll_xdpsq_cq(struct mlx5e_cq *cq); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index 5e5423076b03..9ca4f88d7cf6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -1317,7 +1317,7 @@ static int mlx5e_get_module_info(struct net_device *netdev, + break; + case MLX5_MODULE_ID_SFP: + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; ++ modinfo->eeprom_len = MLX5_EEPROM_PAGE_LENGTH; + break; + default: + netdev_err(priv->netdev, "%s: cable type not recognized:0x%x\n", +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 637d59c01fe5..b190c447aeb0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3761,7 +3761,7 @@ int mlx5e_change_mtu(struct net_device *netdev, int new_mtu, + if (params->xdp_prog && + !mlx5e_rx_is_linear_skb(priv->mdev, &new_channels.params)) { + netdev_err(netdev, "MTU(%d) > %d is not allowed while XDP enabled\n", +- new_mtu, MLX5E_XDP_MAX_MTU); ++ new_mtu, mlx5e_xdp_max_mtu(params)); + err = -EINVAL; + goto out; + } +@@ -4227,7 +4227,8 @@ static int mlx5e_xdp_allowed(struct mlx5e_priv *priv, struct bpf_prog *prog) + + if (!mlx5e_rx_is_linear_skb(priv->mdev, &new_channels.params)) { + netdev_warn(netdev, "XDP is not allowed with MTU(%d) > %d\n", +- new_channels.params.sw_mtu, MLX5E_XDP_MAX_MTU); ++ new_channels.params.sw_mtu, ++ mlx5e_xdp_max_mtu(&new_channels.params)); + return -EINVAL; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c +index 31a9cbd85689..09b6b1bfbfa8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c +@@ -404,10 +404,6 @@ int 
mlx5_query_module_eeprom(struct mlx5_core_dev *dev, + size -= offset + size - MLX5_EEPROM_PAGE_LENGTH; + + i2c_addr = MLX5_I2C_ADDR_LOW; +- if (offset >= MLX5_EEPROM_PAGE_LENGTH) { +- i2c_addr = MLX5_I2C_ADDR_HIGH; +- offset -= MLX5_EEPROM_PAGE_LENGTH; +- } + + MLX5_SET(mcia_reg, in, l, 0); + MLX5_SET(mcia_reg, in, module, module_num); +diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h +index 72cdaa01d56d..100618531021 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h +@@ -27,7 +27,7 @@ + + #define MLXSW_PCI_SW_RESET 0xF0010 + #define MLXSW_PCI_SW_RESET_RST_BIT BIT(0) +-#define MLXSW_PCI_SW_RESET_TIMEOUT_MSECS 13000 ++#define MLXSW_PCI_SW_RESET_TIMEOUT_MSECS 20000 + #define MLXSW_PCI_SW_RESET_WAIT_MSECS 100 + #define MLXSW_PCI_FW_READY 0xA1844 + #define MLXSW_PCI_FW_READY_MASK 0xFFFF +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +index f9bef030ee05..c5b82e283d13 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -2504,11 +2504,11 @@ mlxsw_sp_port_set_link_ksettings(struct net_device *dev, + if (err) + return err; + ++ mlxsw_sp_port->link.autoneg = autoneg; ++ + if (!netif_running(dev)) + return 0; + +- mlxsw_sp_port->link.autoneg = autoneg; +- + mlxsw_sp_port_admin_status_set(mlxsw_sp_port, false); + mlxsw_sp_port_admin_status_set(mlxsw_sp_port, true); + +@@ -2783,7 +2783,7 @@ static int mlxsw_sp_port_ets_init(struct mlxsw_sp_port *mlxsw_sp_port) + err = mlxsw_sp_port_ets_set(mlxsw_sp_port, + MLXSW_REG_QEEC_HIERARCY_TC, + i + 8, i, +- false, 0); ++ true, 100); + if (err) + return err; + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 886176be818e..62460a5b4ad9 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2595,8 +2595,6 @@ static int stmmac_open(struct net_device *dev) + u32 chan; + int ret; + +- stmmac_check_ether_addr(priv); +- + if (priv->hw->pcs != STMMAC_PCS_RGMII && + priv->hw->pcs != STMMAC_PCS_TBI && + priv->hw->pcs != STMMAC_PCS_RTBI) { +@@ -4296,6 +4294,8 @@ int stmmac_dvr_probe(struct device *device, + if (ret) + goto error_hw_init; + ++ stmmac_check_ether_addr(priv); ++ + /* Configure real RX and TX queues */ + netif_set_real_num_rx_queues(ndev, priv->plat->rx_queues_to_use); + netif_set_real_num_tx_queues(ndev, priv->plat->tx_queues_to_use); +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +index d819e8eaba12..cc1e887e47b5 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c +@@ -159,6 +159,12 @@ static const struct dmi_system_id quark_pci_dmi[] = { + }, + .driver_data = (void *)&galileo_stmmac_dmi_data, + }, ++ /* ++ * There are 2 types of SIMATIC IOT2000: IOT20202 and IOT2040. ++ * The asset tag "6ES7647-0AA00-0YA2" is only for IOT2020 which ++ * has only one pci network device while other asset tags are ++ * for IOT2040 which has two. 
++ */ + { + .matches = { + DMI_EXACT_MATCH(DMI_BOARD_NAME, "SIMATIC IOT2000"), +@@ -170,8 +176,6 @@ static const struct dmi_system_id quark_pci_dmi[] = { + { + .matches = { + DMI_EXACT_MATCH(DMI_BOARD_NAME, "SIMATIC IOT2000"), +- DMI_EXACT_MATCH(DMI_BOARD_ASSET_TAG, +- "6ES7647-0AA00-1YA2"), + }, + .driver_data = (void *)&iot2040_stmmac_dmi_data, + }, +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index f4e93f5fc204..ea90db3c7705 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -153,7 +153,7 @@ out_fail: + void + slhc_free(struct slcompress *comp) + { +- if ( comp == NULLSLCOMPR ) ++ if ( IS_ERR_OR_NULL(comp) ) + return; + + if ( comp->tstate != NULLSLSTATE ) +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index e23eaf3f6d03..6c6230b44bcd 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1160,6 +1160,13 @@ static int team_port_add(struct team *team, struct net_device *port_dev, + return -EINVAL; + } + ++ if (netdev_has_upper_dev(dev, port_dev)) { ++ NL_SET_ERR_MSG(extack, "Device is already an upper device of the team interface"); ++ netdev_err(dev, "Device %s is already an upper device of the team interface\n", ++ portname); ++ return -EBUSY; ++ } ++ + if (port_dev->features & NETIF_F_VLAN_CHALLENGED && + vlan_uses_dev(dev)) { + NL_SET_ERR_MSG(extack, "Device is VLAN challenged and team device has VLAN set up"); +diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c +index a1f225f077cd..ef47c226e1d2 100644 +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -1899,14 +1899,11 @@ int usb_runtime_idle(struct device *dev) + return -EBUSY; + } + +-int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) ++static int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) + { + struct usb_hcd *hcd = bus_to_hcd(udev->bus); + int ret = -EPERM; + +- if (enable && !udev->usb2_hw_lpm_allowed) +- return 0; +- + if (hcd->driver->set_usb2_hw_lpm) { + ret = hcd->driver->set_usb2_hw_lpm(hcd, udev, enable); + if (!ret) +@@ -1916,6 +1913,24 @@ int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) + return ret; + } + ++int usb_enable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ if (!udev->usb2_hw_lpm_capable || ++ !udev->usb2_hw_lpm_allowed || ++ udev->usb2_hw_lpm_enabled) ++ return 0; ++ ++ return usb_set_usb2_hardware_lpm(udev, 1); ++} ++ ++int usb_disable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ if (!udev->usb2_hw_lpm_enabled) ++ return 0; ++ ++ return usb_set_usb2_hardware_lpm(udev, 0); ++} ++ + #endif /* CONFIG_PM */ + + struct bus_type usb_bus_type = { +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 3adff4da2ee1..bbcfa63d0233 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3217,8 +3217,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) + } + + /* disable USB2 hardware LPM */ +- if (udev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(udev, 0); ++ usb_disable_usb2_hardware_lpm(udev); + + if (usb_disable_ltm(udev)) { + dev_err(&udev->dev, "Failed to disable LTM before suspend\n"); +@@ -3256,8 +3255,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg) + usb_enable_ltm(udev); + err_ltm: + /* Try to enable USB2 hardware LPM again */ +- if (udev->usb2_hw_lpm_capable == 1) +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + + if (udev->do_remote_wakeup) + (void) usb_disable_remote_wakeup(udev); +@@ -3540,8 +3538,7 @@ int 
usb_port_resume(struct usb_device *udev, pm_message_t msg) + hub_port_logical_disconnect(hub, port1); + } else { + /* Try to enable USB2 hardware LPM */ +- if (udev->usb2_hw_lpm_capable == 1) +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + + /* Try to enable USB3 LTM */ + usb_enable_ltm(udev); +@@ -4432,7 +4429,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev) + if ((udev->bos->ext_cap->bmAttributes & cpu_to_le32(USB_BESL_SUPPORT)) || + connect_type == USB_PORT_CONNECT_TYPE_HARD_WIRED) { + udev->usb2_hw_lpm_allowed = 1; +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + } + } + +@@ -5608,8 +5605,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + /* Disable USB2 hardware LPM. + * It will be re-enabled by the enumeration process. + */ +- if (udev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(udev, 0); ++ usb_disable_usb2_hardware_lpm(udev); + + /* Disable LPM while we reset the device and reinstall the alt settings. + * Device-initiated LPM, and system exit latency settings are cleared +@@ -5712,7 +5708,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + + done: + /* Now that the alt settings are re-installed, enable LTM and LPM. */ +- usb_set_usb2_hardware_lpm(udev, 1); ++ usb_enable_usb2_hardware_lpm(udev); + usb_unlocked_enable_lpm(udev); + usb_enable_ltm(udev); + usb_release_bos_descriptor(udev); +diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c +index bfa5eda0cc26..4f33eb632a88 100644 +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -1243,8 +1243,7 @@ void usb_disable_device(struct usb_device *dev, int skip_ep0) + dev->actconfig->interface[i] = NULL; + } + +- if (dev->usb2_hw_lpm_enabled == 1) +- usb_set_usb2_hardware_lpm(dev, 0); ++ usb_disable_usb2_hardware_lpm(dev); + usb_unlocked_disable_lpm(dev); + usb_disable_ltm(dev); + +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c +index ea18284dfa9a..7e88fdfe3cf5 100644 +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -528,7 +528,10 @@ static ssize_t usb2_hardware_lpm_store(struct device *dev, + + if (!ret) { + udev->usb2_hw_lpm_allowed = value; +- ret = usb_set_usb2_hardware_lpm(udev, value); ++ if (value) ++ ret = usb_enable_usb2_hardware_lpm(udev); ++ else ++ ret = usb_disable_usb2_hardware_lpm(udev); + } + + usb_unlock_device(udev); +diff --git a/drivers/usb/core/usb.h b/drivers/usb/core/usb.h +index 546a2219454b..d95a5358f73d 100644 +--- a/drivers/usb/core/usb.h ++++ b/drivers/usb/core/usb.h +@@ -92,7 +92,8 @@ extern int usb_remote_wakeup(struct usb_device *dev); + extern int usb_runtime_suspend(struct device *dev); + extern int usb_runtime_resume(struct device *dev); + extern int usb_runtime_idle(struct device *dev); +-extern int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable); ++extern int usb_enable_usb2_hardware_lpm(struct usb_device *udev); ++extern int usb_disable_usb2_hardware_lpm(struct usb_device *udev); + + #else + +@@ -112,7 +113,12 @@ static inline int usb_autoresume_device(struct usb_device *udev) + return 0; + } + +-static inline int usb_set_usb2_hardware_lpm(struct usb_device *udev, int enable) ++static inline int usb_enable_usb2_hardware_lpm(struct usb_device *udev) ++{ ++ return 0; ++} ++ ++static inline int usb_disable_usb2_hardware_lpm(struct usb_device *udev) + { + return 0; + } +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 64cbc2d007c9..c36275754086 
100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -58,12 +58,18 @@ module_param_named(disable_hugepages, + MODULE_PARM_DESC(disable_hugepages, + "Disable VFIO IOMMU support for IOMMU hugepages."); + ++static unsigned int dma_entry_limit __read_mostly = U16_MAX; ++module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644); ++MODULE_PARM_DESC(dma_entry_limit, ++ "Maximum number of user DMA mappings per container (65535)."); ++ + struct vfio_iommu { + struct list_head domain_list; + struct vfio_domain *external_domain; /* domain for external user */ + struct mutex lock; + struct rb_root dma_list; + struct blocking_notifier_head notifier; ++ unsigned int dma_avail; + bool v2; + bool nesting; + }; +@@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma) + vfio_unlink_dma(iommu, dma); + put_task_struct(dma->task); + kfree(dma); ++ iommu->dma_avail++; + } + + static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu) +@@ -1110,12 +1117,18 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu, + goto out_unlock; + } + ++ if (!iommu->dma_avail) { ++ ret = -ENOSPC; ++ goto out_unlock; ++ } ++ + dma = kzalloc(sizeof(*dma), GFP_KERNEL); + if (!dma) { + ret = -ENOMEM; + goto out_unlock; + } + ++ iommu->dma_avail--; + dma->iova = iova; + dma->vaddr = vaddr; + dma->prot = prot; +@@ -1612,6 +1625,7 @@ static void *vfio_iommu_type1_open(unsigned long arg) + + INIT_LIST_HEAD(&iommu->domain_list); + iommu->dma_list = RB_ROOT; ++ iommu->dma_avail = dma_entry_limit; + mutex_init(&iommu->lock); + BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier); + +diff --git a/fs/aio.c b/fs/aio.c +index 45d5ef8dd0a8..911e23087dfb 100644 +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -161,9 +161,13 @@ struct kioctx { + unsigned id; + }; + ++/* ++ * First field must be the file pointer in all the ++ * iocb unions! See also 'struct kiocb' in ++ */ + struct fsync_iocb { +- struct work_struct work; + struct file *file; ++ struct work_struct work; + bool datasync; + }; + +@@ -171,14 +175,21 @@ struct poll_iocb { + struct file *file; + struct wait_queue_head *head; + __poll_t events; +- bool woken; ++ bool done; + bool cancelled; + struct wait_queue_entry wait; + struct work_struct work; + }; + ++/* ++ * NOTE! Each of the iocb union members has the file pointer ++ * as the first entry in their struct definition. So you can ++ * access the file pointer through any of the sub-structs, ++ * or directly as just 'ki_filp' in this struct. 
++ */ + struct aio_kiocb { + union { ++ struct file *ki_filp; + struct kiocb rw; + struct fsync_iocb fsync; + struct poll_iocb poll; +@@ -187,8 +198,7 @@ struct aio_kiocb { + struct kioctx *ki_ctx; + kiocb_cancel_fn *ki_cancel; + +- struct iocb __user *ki_user_iocb; /* user's aiocb */ +- __u64 ki_user_data; /* user's data for completion */ ++ struct io_event ki_res; + + struct list_head ki_list; /* the aio core uses this + * for cancellation */ +@@ -902,7 +912,7 @@ static void put_reqs_available(struct kioctx *ctx, unsigned nr) + local_irq_restore(flags); + } + +-static bool get_reqs_available(struct kioctx *ctx) ++static bool __get_reqs_available(struct kioctx *ctx) + { + struct kioctx_cpu *kcpu; + bool ret = false; +@@ -994,32 +1004,35 @@ static void user_refill_reqs_available(struct kioctx *ctx) + spin_unlock_irq(&ctx->completion_lock); + } + ++static bool get_reqs_available(struct kioctx *ctx) ++{ ++ if (__get_reqs_available(ctx)) ++ return true; ++ user_refill_reqs_available(ctx); ++ return __get_reqs_available(ctx); ++} ++ + /* aio_get_req + * Allocate a slot for an aio request. + * Returns NULL if no requests are free. ++ * ++ * The refcount is initialized to 2 - one for the async op completion, ++ * one for the synchronous code that does this. + */ + static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx) + { + struct aio_kiocb *req; + +- if (!get_reqs_available(ctx)) { +- user_refill_reqs_available(ctx); +- if (!get_reqs_available(ctx)) +- return NULL; +- } +- +- req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL|__GFP_ZERO); ++ req = kmem_cache_alloc(kiocb_cachep, GFP_KERNEL); + if (unlikely(!req)) +- goto out_put; ++ return NULL; + + percpu_ref_get(&ctx->reqs); +- INIT_LIST_HEAD(&req->ki_list); +- refcount_set(&req->ki_refcnt, 0); + req->ki_ctx = ctx; ++ INIT_LIST_HEAD(&req->ki_list); ++ refcount_set(&req->ki_refcnt, 2); ++ req->ki_eventfd = NULL; + return req; +-out_put: +- put_reqs_available(ctx, 1); +- return NULL; + } + + static struct kioctx *lookup_ioctx(unsigned long ctx_id) +@@ -1050,19 +1063,18 @@ out: + return ret; + } + +-static inline void iocb_put(struct aio_kiocb *iocb) ++static inline void iocb_destroy(struct aio_kiocb *iocb) + { +- if (refcount_read(&iocb->ki_refcnt) == 0 || +- refcount_dec_and_test(&iocb->ki_refcnt)) { +- percpu_ref_put(&iocb->ki_ctx->reqs); +- kmem_cache_free(kiocb_cachep, iocb); +- } ++ if (iocb->ki_filp) ++ fput(iocb->ki_filp); ++ percpu_ref_put(&iocb->ki_ctx->reqs); ++ kmem_cache_free(kiocb_cachep, iocb); + } + + /* aio_complete + * Called when the io request on the given iocb is complete. 
+ */ +-static void aio_complete(struct aio_kiocb *iocb, long res, long res2) ++static void aio_complete(struct aio_kiocb *iocb) + { + struct kioctx *ctx = iocb->ki_ctx; + struct aio_ring *ring; +@@ -1086,17 +1098,14 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2) + ev_page = kmap_atomic(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]); + event = ev_page + pos % AIO_EVENTS_PER_PAGE; + +- event->obj = (u64)(unsigned long)iocb->ki_user_iocb; +- event->data = iocb->ki_user_data; +- event->res = res; +- event->res2 = res2; ++ *event = iocb->ki_res; + + kunmap_atomic(ev_page); + flush_dcache_page(ctx->ring_pages[pos / AIO_EVENTS_PER_PAGE]); + +- pr_debug("%p[%u]: %p: %p %Lx %lx %lx\n", +- ctx, tail, iocb, iocb->ki_user_iocb, iocb->ki_user_data, +- res, res2); ++ pr_debug("%p[%u]: %p: %p %Lx %Lx %Lx\n", ctx, tail, iocb, ++ (void __user *)(unsigned long)iocb->ki_res.obj, ++ iocb->ki_res.data, iocb->ki_res.res, iocb->ki_res.res2); + + /* after flagging the request as done, we + * must never even look at it again +@@ -1138,7 +1147,14 @@ static void aio_complete(struct aio_kiocb *iocb, long res, long res2) + + if (waitqueue_active(&ctx->wait)) + wake_up(&ctx->wait); +- iocb_put(iocb); ++} ++ ++static inline void iocb_put(struct aio_kiocb *iocb) ++{ ++ if (refcount_dec_and_test(&iocb->ki_refcnt)) { ++ aio_complete(iocb); ++ iocb_destroy(iocb); ++ } + } + + /* aio_read_events_ring +@@ -1412,18 +1428,17 @@ static void aio_complete_rw(struct kiocb *kiocb, long res, long res2) + file_end_write(kiocb->ki_filp); + } + +- fput(kiocb->ki_filp); +- aio_complete(iocb, res, res2); ++ iocb->ki_res.res = res; ++ iocb->ki_res.res2 = res2; ++ iocb_put(iocb); + } + +-static int aio_prep_rw(struct kiocb *req, struct iocb *iocb) ++static int aio_prep_rw(struct kiocb *req, const struct iocb *iocb) + { + int ret; + +- req->ki_filp = fget(iocb->aio_fildes); +- if (unlikely(!req->ki_filp)) +- return -EBADF; + req->ki_complete = aio_complete_rw; ++ req->private = NULL; + req->ki_pos = iocb->aio_offset; + req->ki_flags = iocb_flags(req->ki_filp); + if (iocb->aio_flags & IOCB_FLAG_RESFD) +@@ -1438,7 +1453,6 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb) + ret = ioprio_check_cap(iocb->aio_reqprio); + if (ret) { + pr_debug("aio ioprio check cap error: %d\n", ret); +- fput(req->ki_filp); + return ret; + } + +@@ -1448,11 +1462,13 @@ static int aio_prep_rw(struct kiocb *req, struct iocb *iocb) + + ret = kiocb_set_rw_flags(req, iocb->aio_rw_flags); + if (unlikely(ret)) +- fput(req->ki_filp); +- return ret; ++ return ret; ++ ++ req->ki_flags &= ~IOCB_HIPRI; /* no one is going to poll for this I/O */ ++ return 0; + } + +-static int aio_setup_rw(int rw, struct iocb *iocb, struct iovec **iovec, ++static int aio_setup_rw(int rw, const struct iocb *iocb, struct iovec **iovec, + bool vectored, bool compat, struct iov_iter *iter) + { + void __user *buf = (void __user *)(uintptr_t)iocb->aio_buf; +@@ -1487,12 +1503,12 @@ static inline void aio_rw_done(struct kiocb *req, ssize_t ret) + ret = -EINTR; + /*FALLTHRU*/ + default: +- aio_complete_rw(req, ret, 0); ++ req->ki_complete(req, ret, 0); + } + } + +-static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored, +- bool compat) ++static ssize_t aio_read(struct kiocb *req, const struct iocb *iocb, ++ bool vectored, bool compat) + { + struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs; + struct iov_iter iter; +@@ -1503,29 +1519,24 @@ static ssize_t aio_read(struct kiocb *req, struct iocb *iocb, bool vectored, + if (ret) + return ret; 
+ file = req->ki_filp; +- +- ret = -EBADF; + if (unlikely(!(file->f_mode & FMODE_READ))) +- goto out_fput; ++ return -EBADF; + ret = -EINVAL; + if (unlikely(!file->f_op->read_iter)) +- goto out_fput; ++ return -EINVAL; + + ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter); + if (ret) +- goto out_fput; ++ return ret; + ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter)); + if (!ret) + aio_rw_done(req, call_read_iter(file, req, &iter)); + kfree(iovec); +-out_fput: +- if (unlikely(ret)) +- fput(file); + return ret; + } + +-static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored, +- bool compat) ++static ssize_t aio_write(struct kiocb *req, const struct iocb *iocb, ++ bool vectored, bool compat) + { + struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs; + struct iov_iter iter; +@@ -1537,16 +1548,14 @@ static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored, + return ret; + file = req->ki_filp; + +- ret = -EBADF; + if (unlikely(!(file->f_mode & FMODE_WRITE))) +- goto out_fput; +- ret = -EINVAL; ++ return -EBADF; + if (unlikely(!file->f_op->write_iter)) +- goto out_fput; ++ return -EINVAL; + + ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter); + if (ret) +- goto out_fput; ++ return ret; + ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter)); + if (!ret) { + /* +@@ -1564,35 +1573,26 @@ static ssize_t aio_write(struct kiocb *req, struct iocb *iocb, bool vectored, + aio_rw_done(req, call_write_iter(file, req, &iter)); + } + kfree(iovec); +-out_fput: +- if (unlikely(ret)) +- fput(file); + return ret; + } + + static void aio_fsync_work(struct work_struct *work) + { +- struct fsync_iocb *req = container_of(work, struct fsync_iocb, work); +- int ret; ++ struct aio_kiocb *iocb = container_of(work, struct aio_kiocb, fsync.work); + +- ret = vfs_fsync(req->file, req->datasync); +- fput(req->file); +- aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0); ++ iocb->ki_res.res = vfs_fsync(iocb->fsync.file, iocb->fsync.datasync); ++ iocb_put(iocb); + } + +-static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync) ++static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb, ++ bool datasync) + { + if (unlikely(iocb->aio_buf || iocb->aio_offset || iocb->aio_nbytes || + iocb->aio_rw_flags)) + return -EINVAL; + +- req->file = fget(iocb->aio_fildes); +- if (unlikely(!req->file)) +- return -EBADF; +- if (unlikely(!req->file->f_op->fsync)) { +- fput(req->file); ++ if (unlikely(!req->file->f_op->fsync)) + return -EINVAL; +- } + + req->datasync = datasync; + INIT_WORK(&req->work, aio_fsync_work); +@@ -1600,14 +1600,6 @@ static int aio_fsync(struct fsync_iocb *req, struct iocb *iocb, bool datasync) + return 0; + } + +-static inline void aio_poll_complete(struct aio_kiocb *iocb, __poll_t mask) +-{ +- struct file *file = iocb->poll.file; +- +- aio_complete(iocb, mangle_poll(mask), 0); +- fput(file); +-} +- + static void aio_poll_complete_work(struct work_struct *work) + { + struct poll_iocb *req = container_of(work, struct poll_iocb, work); +@@ -1633,9 +1625,11 @@ static void aio_poll_complete_work(struct work_struct *work) + return; + } + list_del_init(&iocb->ki_list); ++ iocb->ki_res.res = mangle_poll(mask); ++ req->done = true; + spin_unlock_irq(&ctx->ctx_lock); + +- aio_poll_complete(iocb, mask); ++ iocb_put(iocb); + } + + /* assumes we are called with irqs disabled */ +@@ -1663,31 +1657,27 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, 
int sync, + __poll_t mask = key_to_poll(key); + unsigned long flags; + +- req->woken = true; +- + /* for instances that support it check for an event match first: */ +- if (mask) { +- if (!(mask & req->events)) +- return 0; ++ if (mask && !(mask & req->events)) ++ return 0; ++ ++ list_del_init(&req->wait.entry); + ++ if (mask && spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) { + /* + * Try to complete the iocb inline if we can. Use + * irqsave/irqrestore because not all filesystems (e.g. fuse) + * call this function with IRQs disabled and because IRQs + * have to be disabled before ctx_lock is obtained. + */ +- if (spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) { +- list_del(&iocb->ki_list); +- spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags); +- +- list_del_init(&req->wait.entry); +- aio_poll_complete(iocb, mask); +- return 1; +- } ++ list_del(&iocb->ki_list); ++ iocb->ki_res.res = mangle_poll(mask); ++ req->done = true; ++ spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags); ++ iocb_put(iocb); ++ } else { ++ schedule_work(&req->work); + } +- +- list_del_init(&req->wait.entry); +- schedule_work(&req->work); + return 1; + } + +@@ -1714,11 +1704,12 @@ aio_poll_queue_proc(struct file *file, struct wait_queue_head *head, + add_wait_queue(head, &pt->iocb->poll.wait); + } + +-static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb) ++static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb) + { + struct kioctx *ctx = aiocb->ki_ctx; + struct poll_iocb *req = &aiocb->poll; + struct aio_poll_table apt; ++ bool cancel = false; + __poll_t mask; + + /* reject any unknown events outside the normal event mask. */ +@@ -1730,9 +1721,10 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb) + + INIT_WORK(&req->work, aio_poll_complete_work); + req->events = demangle_poll(iocb->aio_buf) | EPOLLERR | EPOLLHUP; +- req->file = fget(iocb->aio_fildes); +- if (unlikely(!req->file)) +- return -EBADF; ++ ++ req->head = NULL; ++ req->done = false; ++ req->cancelled = false; + + apt.pt._qproc = aio_poll_queue_proc; + apt.pt._key = req->events; +@@ -1743,83 +1735,79 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, struct iocb *iocb) + INIT_LIST_HEAD(&req->wait.entry); + init_waitqueue_func_entry(&req->wait, aio_poll_wake); + +- /* one for removal from waitqueue, one for this function */ +- refcount_set(&aiocb->ki_refcnt, 2); +- + mask = vfs_poll(req->file, &apt.pt) & req->events; +- if (unlikely(!req->head)) { +- /* we did not manage to set up a waitqueue, done */ +- goto out; +- } +- + spin_lock_irq(&ctx->ctx_lock); +- spin_lock(&req->head->lock); +- if (req->woken) { +- /* wake_up context handles the rest */ +- mask = 0; ++ if (likely(req->head)) { ++ spin_lock(&req->head->lock); ++ if (unlikely(list_empty(&req->wait.entry))) { ++ if (apt.error) ++ cancel = true; ++ apt.error = 0; ++ mask = 0; ++ } ++ if (mask || apt.error) { ++ list_del_init(&req->wait.entry); ++ } else if (cancel) { ++ WRITE_ONCE(req->cancelled, true); ++ } else if (!req->done) { /* actually waiting for an event */ ++ list_add_tail(&aiocb->ki_list, &ctx->active_reqs); ++ aiocb->ki_cancel = aio_poll_cancel; ++ } ++ spin_unlock(&req->head->lock); ++ } ++ if (mask) { /* no async, we'd stolen it */ ++ aiocb->ki_res.res = mangle_poll(mask); + apt.error = 0; +- } else if (mask || apt.error) { +- /* if we get an error or a mask we are done */ +- WARN_ON_ONCE(list_empty(&req->wait.entry)); +- list_del_init(&req->wait.entry); +- } else { +- /* actually waiting for an event */ +- 
list_add_tail(&aiocb->ki_list, &ctx->active_reqs); +- aiocb->ki_cancel = aio_poll_cancel; + } +- spin_unlock(&req->head->lock); + spin_unlock_irq(&ctx->ctx_lock); +- +-out: +- if (unlikely(apt.error)) { +- fput(req->file); +- return apt.error; +- } +- + if (mask) +- aio_poll_complete(aiocb, mask); +- iocb_put(aiocb); +- return 0; ++ iocb_put(aiocb); ++ return apt.error; + } + +-static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, +- bool compat) ++static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb, ++ struct iocb __user *user_iocb, bool compat) + { + struct aio_kiocb *req; +- struct iocb iocb; + ssize_t ret; + +- if (unlikely(copy_from_user(&iocb, user_iocb, sizeof(iocb)))) +- return -EFAULT; +- + /* enforce forwards compatibility on users */ +- if (unlikely(iocb.aio_reserved2)) { ++ if (unlikely(iocb->aio_reserved2)) { + pr_debug("EINVAL: reserve field set\n"); + return -EINVAL; + } + + /* prevent overflows */ + if (unlikely( +- (iocb.aio_buf != (unsigned long)iocb.aio_buf) || +- (iocb.aio_nbytes != (size_t)iocb.aio_nbytes) || +- ((ssize_t)iocb.aio_nbytes < 0) ++ (iocb->aio_buf != (unsigned long)iocb->aio_buf) || ++ (iocb->aio_nbytes != (size_t)iocb->aio_nbytes) || ++ ((ssize_t)iocb->aio_nbytes < 0) + )) { + pr_debug("EINVAL: overflow check\n"); + return -EINVAL; + } + ++ if (!get_reqs_available(ctx)) ++ return -EAGAIN; ++ ++ ret = -EAGAIN; + req = aio_get_req(ctx); + if (unlikely(!req)) +- return -EAGAIN; ++ goto out_put_reqs_available; ++ ++ req->ki_filp = fget(iocb->aio_fildes); ++ ret = -EBADF; ++ if (unlikely(!req->ki_filp)) ++ goto out_put_req; + +- if (iocb.aio_flags & IOCB_FLAG_RESFD) { ++ if (iocb->aio_flags & IOCB_FLAG_RESFD) { + /* + * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an + * instance of the file* now. The file descriptor must be + * an eventfd() fd, and will be signaled for each completed + * event using the eventfd_signal() function. 
+ */ +- req->ki_eventfd = eventfd_ctx_fdget((int) iocb.aio_resfd); ++ req->ki_eventfd = eventfd_ctx_fdget((int) iocb->aio_resfd); + if (IS_ERR(req->ki_eventfd)) { + ret = PTR_ERR(req->ki_eventfd); + req->ki_eventfd = NULL; +@@ -1833,54 +1821,70 @@ static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, + goto out_put_req; + } + +- req->ki_user_iocb = user_iocb; +- req->ki_user_data = iocb.aio_data; ++ req->ki_res.obj = (u64)(unsigned long)user_iocb; ++ req->ki_res.data = iocb->aio_data; ++ req->ki_res.res = 0; ++ req->ki_res.res2 = 0; + +- switch (iocb.aio_lio_opcode) { ++ switch (iocb->aio_lio_opcode) { + case IOCB_CMD_PREAD: +- ret = aio_read(&req->rw, &iocb, false, compat); ++ ret = aio_read(&req->rw, iocb, false, compat); + break; + case IOCB_CMD_PWRITE: +- ret = aio_write(&req->rw, &iocb, false, compat); ++ ret = aio_write(&req->rw, iocb, false, compat); + break; + case IOCB_CMD_PREADV: +- ret = aio_read(&req->rw, &iocb, true, compat); ++ ret = aio_read(&req->rw, iocb, true, compat); + break; + case IOCB_CMD_PWRITEV: +- ret = aio_write(&req->rw, &iocb, true, compat); ++ ret = aio_write(&req->rw, iocb, true, compat); + break; + case IOCB_CMD_FSYNC: +- ret = aio_fsync(&req->fsync, &iocb, false); ++ ret = aio_fsync(&req->fsync, iocb, false); + break; + case IOCB_CMD_FDSYNC: +- ret = aio_fsync(&req->fsync, &iocb, true); ++ ret = aio_fsync(&req->fsync, iocb, true); + break; + case IOCB_CMD_POLL: +- ret = aio_poll(req, &iocb); ++ ret = aio_poll(req, iocb); + break; + default: +- pr_debug("invalid aio operation %d\n", iocb.aio_lio_opcode); ++ pr_debug("invalid aio operation %d\n", iocb->aio_lio_opcode); + ret = -EINVAL; + break; + } + ++ /* Done with the synchronous reference */ ++ iocb_put(req); ++ + /* + * If ret is 0, we'd either done aio_complete() ourselves or have + * arranged for that to be done asynchronously. Anything non-zero + * means that we need to destroy req ourselves. + */ +- if (ret) +- goto out_put_req; +- return 0; ++ if (!ret) ++ return 0; ++ + out_put_req: +- put_reqs_available(ctx, 1); +- percpu_ref_put(&ctx->reqs); + if (req->ki_eventfd) + eventfd_ctx_put(req->ki_eventfd); +- kmem_cache_free(kiocb_cachep, req); ++ iocb_destroy(req); ++out_put_reqs_available: ++ put_reqs_available(ctx, 1); + return ret; + } + ++static int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, ++ bool compat) ++{ ++ struct iocb iocb; ++ ++ if (unlikely(copy_from_user(&iocb, user_iocb, sizeof(iocb)))) ++ return -EFAULT; ++ ++ return __io_submit_one(ctx, &iocb, user_iocb, compat); ++} ++ + /* sys_io_submit: + * Queue the nr iocbs pointed to by iocbpp for processing. Returns + * the number of iocbs queued. May return -EINVAL if the aio_context +@@ -1973,24 +1977,6 @@ COMPAT_SYSCALL_DEFINE3(io_submit, compat_aio_context_t, ctx_id, + } + #endif + +-/* lookup_kiocb +- * Finds a given iocb for cancellation. +- */ +-static struct aio_kiocb * +-lookup_kiocb(struct kioctx *ctx, struct iocb __user *iocb) +-{ +- struct aio_kiocb *kiocb; +- +- assert_spin_locked(&ctx->ctx_lock); +- +- /* TODO: use a hash or array, this sucks. */ +- list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) { +- if (kiocb->ki_user_iocb == iocb) +- return kiocb; +- } +- return NULL; +-} +- + /* sys_io_cancel: + * Attempts to cancel an iocb previously passed to io_submit. 
If + * the operation is successfully cancelled, the resulting event is +@@ -2008,6 +1994,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, + struct aio_kiocb *kiocb; + int ret = -EINVAL; + u32 key; ++ u64 obj = (u64)(unsigned long)iocb; + + if (unlikely(get_user(key, &iocb->aio_key))) + return -EFAULT; +@@ -2019,10 +2006,13 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, + return -EINVAL; + + spin_lock_irq(&ctx->ctx_lock); +- kiocb = lookup_kiocb(ctx, iocb); +- if (kiocb) { +- ret = kiocb->ki_cancel(&kiocb->rw); +- list_del_init(&kiocb->ki_list); ++ /* TODO: use a hash or array, this sucks. */ ++ list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) { ++ if (kiocb->ki_res.obj == obj) { ++ ret = kiocb->ki_cancel(&kiocb->rw); ++ list_del_init(&kiocb->ki_list); ++ break; ++ } + } + spin_unlock_irq(&ctx->ctx_lock); + +diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c +index 82928cea0209..7f3f64ba464f 100644 +--- a/fs/ceph/dir.c ++++ b/fs/ceph/dir.c +@@ -1470,6 +1470,7 @@ void ceph_dentry_lru_del(struct dentry *dn) + unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn) + { + struct ceph_inode_info *dci = ceph_inode(dir); ++ unsigned hash; + + switch (dci->i_dir_layout.dl_dir_hash) { + case 0: /* for backward compat */ +@@ -1477,8 +1478,11 @@ unsigned ceph_dentry_hash(struct inode *dir, struct dentry *dn) + return dn->d_name.hash; + + default: +- return ceph_str_hash(dci->i_dir_layout.dl_dir_hash, ++ spin_lock(&dn->d_lock); ++ hash = ceph_str_hash(dci->i_dir_layout.dl_dir_hash, + dn->d_name.name, dn->d_name.len); ++ spin_unlock(&dn->d_lock); ++ return hash; + } + } + +diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c +index bc43c822426a..bfcf11c70bfa 100644 +--- a/fs/ceph/mds_client.c ++++ b/fs/ceph/mds_client.c +@@ -1290,6 +1290,15 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap, + list_add(&ci->i_prealloc_cap_flush->i_list, &to_remove); + ci->i_prealloc_cap_flush = NULL; + } ++ ++ if (drop && ++ ci->i_wrbuffer_ref_head == 0 && ++ ci->i_wr_ref == 0 && ++ ci->i_dirty_caps == 0 && ++ ci->i_flushing_caps == 0) { ++ ceph_put_snap_context(ci->i_head_snapc); ++ ci->i_head_snapc = NULL; ++ } + } + spin_unlock(&ci->i_ceph_lock); + while (!list_empty(&to_remove)) { +@@ -1945,10 +1954,39 @@ retry: + return path; + } + ++/* Duplicate the dentry->d_name.name safely */ ++static int clone_dentry_name(struct dentry *dentry, const char **ppath, ++ int *ppathlen) ++{ ++ u32 len; ++ char *name; ++ ++retry: ++ len = READ_ONCE(dentry->d_name.len); ++ name = kmalloc(len + 1, GFP_NOFS); ++ if (!name) ++ return -ENOMEM; ++ ++ spin_lock(&dentry->d_lock); ++ if (dentry->d_name.len != len) { ++ spin_unlock(&dentry->d_lock); ++ kfree(name); ++ goto retry; ++ } ++ memcpy(name, dentry->d_name.name, len); ++ spin_unlock(&dentry->d_lock); ++ ++ name[len] = '\0'; ++ *ppath = name; ++ *ppathlen = len; ++ return 0; ++} ++ + static int build_dentry_path(struct dentry *dentry, struct inode *dir, + const char **ppath, int *ppathlen, u64 *pino, +- int *pfreepath) ++ bool *pfreepath, bool parent_locked) + { ++ int ret; + char *path; + + rcu_read_lock(); +@@ -1957,8 +1995,15 @@ static int build_dentry_path(struct dentry *dentry, struct inode *dir, + if (dir && ceph_snap(dir) == CEPH_NOSNAP) { + *pino = ceph_ino(dir); + rcu_read_unlock(); +- *ppath = dentry->d_name.name; +- *ppathlen = dentry->d_name.len; ++ if (parent_locked) { ++ *ppath = dentry->d_name.name; ++ *ppathlen = dentry->d_name.len; ++ } else { ++ ret = 
clone_dentry_name(dentry, ppath, ppathlen); ++ if (ret) ++ return ret; ++ *pfreepath = true; ++ } + return 0; + } + rcu_read_unlock(); +@@ -1966,13 +2011,13 @@ static int build_dentry_path(struct dentry *dentry, struct inode *dir, + if (IS_ERR(path)) + return PTR_ERR(path); + *ppath = path; +- *pfreepath = 1; ++ *pfreepath = true; + return 0; + } + + static int build_inode_path(struct inode *inode, + const char **ppath, int *ppathlen, u64 *pino, +- int *pfreepath) ++ bool *pfreepath) + { + struct dentry *dentry; + char *path; +@@ -1988,7 +2033,7 @@ static int build_inode_path(struct inode *inode, + if (IS_ERR(path)) + return PTR_ERR(path); + *ppath = path; +- *pfreepath = 1; ++ *pfreepath = true; + return 0; + } + +@@ -1999,7 +2044,7 @@ static int build_inode_path(struct inode *inode, + static int set_request_path_attr(struct inode *rinode, struct dentry *rdentry, + struct inode *rdiri, const char *rpath, + u64 rino, const char **ppath, int *pathlen, +- u64 *ino, int *freepath) ++ u64 *ino, bool *freepath, bool parent_locked) + { + int r = 0; + +@@ -2009,7 +2054,7 @@ static int set_request_path_attr(struct inode *rinode, struct dentry *rdentry, + ceph_snap(rinode)); + } else if (rdentry) { + r = build_dentry_path(rdentry, rdiri, ppath, pathlen, ino, +- freepath); ++ freepath, parent_locked); + dout(" dentry %p %llx/%.*s\n", rdentry, *ino, *pathlen, + *ppath); + } else if (rpath || rino) { +@@ -2035,7 +2080,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc, + const char *path2 = NULL; + u64 ino1 = 0, ino2 = 0; + int pathlen1 = 0, pathlen2 = 0; +- int freepath1 = 0, freepath2 = 0; ++ bool freepath1 = false, freepath2 = false; + int len; + u16 releases; + void *p, *end; +@@ -2043,16 +2088,19 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc, + + ret = set_request_path_attr(req->r_inode, req->r_dentry, + req->r_parent, req->r_path1, req->r_ino1.ino, +- &path1, &pathlen1, &ino1, &freepath1); ++ &path1, &pathlen1, &ino1, &freepath1, ++ test_bit(CEPH_MDS_R_PARENT_LOCKED, ++ &req->r_req_flags)); + if (ret < 0) { + msg = ERR_PTR(ret); + goto out; + } + ++ /* If r_old_dentry is set, then assume that its parent is locked */ + ret = set_request_path_attr(NULL, req->r_old_dentry, + req->r_old_dentry_dir, + req->r_path2, req->r_ino2.ino, +- &path2, &pathlen2, &ino2, &freepath2); ++ &path2, &pathlen2, &ino2, &freepath2, true); + if (ret < 0) { + msg = ERR_PTR(ret); + goto out_free1; +diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c +index f74193da0e09..1f46b02f7314 100644 +--- a/fs/ceph/snap.c ++++ b/fs/ceph/snap.c +@@ -568,7 +568,12 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci) + old_snapc = NULL; + + update_snapc: +- if (ci->i_head_snapc) { ++ if (ci->i_wrbuffer_ref_head == 0 && ++ ci->i_wr_ref == 0 && ++ ci->i_dirty_caps == 0 && ++ ci->i_flushing_caps == 0) { ++ ci->i_head_snapc = NULL; ++ } else { + ci->i_head_snapc = ceph_get_snap_context(new_snapc); + dout(" new snapc is %p\n", new_snapc); + } +diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c +index b59ebed4f615..1fadd314ae7f 100644 +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -1735,6 +1735,10 @@ cifs_do_rename(const unsigned int xid, struct dentry *from_dentry, + if (rc == 0 || rc != -EBUSY) + goto do_rename_exit; + ++ /* Don't fall back to using SMB on SMB 2+ mount */ ++ if (server->vals->protocol_id != 0) ++ goto do_rename_exit; ++ + /* open-file renames don't work across directories */ + if (to_dentry->d_parent != from_dentry->d_parent) + goto do_rename_exit; +diff --git 
a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index c6fd3acc5560..33afb637e6f8 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3285,6 +3285,7 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, + rc); + } + free_rsp_buf(resp_buftype, rsp_iov.iov_base); ++ cifs_small_buf_release(req); + return rc == -ENODATA ? 0 : rc; + } else + trace_smb3_read_done(xid, req->PersistentFileId, +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index c0ba5206cd9d..006c277dc22e 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -829,6 +829,7 @@ int ext4_get_inode_usage(struct inode *inode, qsize_t *usage) + bh = ext4_sb_bread(inode->i_sb, EXT4_I(inode)->i_file_acl, REQ_PRIO); + if (IS_ERR(bh)) { + ret = PTR_ERR(bh); ++ bh = NULL; + goto out; + } + +@@ -2907,6 +2908,7 @@ int ext4_xattr_delete_inode(handle_t *handle, struct inode *inode, + if (error == -EIO) + EXT4_ERROR_INODE(inode, "block %llu read error", + EXT4_I(inode)->i_file_acl); ++ bh = NULL; + goto cleanup; + } + error = ext4_xattr_check_block(inode, bh); +@@ -3063,6 +3065,7 @@ ext4_xattr_block_cache_find(struct inode *inode, + if (IS_ERR(bh)) { + if (PTR_ERR(bh) == -ENOMEM) + return NULL; ++ bh = NULL; + EXT4_ERROR_INODE(inode, "block %lu read error", + (unsigned long)ce->e_value); + } else if (ext4_xattr_cmp(header, BHDR(bh)) == 0) { +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 6b666d187907..6df9b85caf20 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2052,7 +2052,8 @@ static int nfs23_validate_mount_data(void *options, + memcpy(sap, &data->addr, sizeof(data->addr)); + args->nfs_server.addrlen = sizeof(data->addr); + args->nfs_server.port = ntohs(data->addr.sin_port); +- if (!nfs_verify_server_address(sap)) ++ if (sap->sa_family != AF_INET || ++ !nfs_verify_server_address(sap)) + goto out_no_address; + + if (!(data->flags & NFS_MOUNT_TCP)) +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 601bf33c26a0..ebbb0285addb 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -926,8 +926,9 @@ static void nfsd4_cb_prepare(struct rpc_task *task, void *calldata) + cb->cb_seq_status = 1; + cb->cb_status = 0; + if (minorversion) { +- if (!nfsd41_cb_get_slot(clp, task)) ++ if (!cb->cb_holds_slot && !nfsd41_cb_get_slot(clp, task)) + return; ++ cb->cb_holds_slot = true; + } + rpc_call_start(task); + } +@@ -954,6 +955,9 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback + return true; + } + ++ if (!cb->cb_holds_slot) ++ goto need_restart; ++ + switch (cb->cb_seq_status) { + case 0: + /* +@@ -992,6 +996,7 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback + cb->cb_seq_status); + } + ++ cb->cb_holds_slot = false; + clear_bit(0, &clp->cl_cb_slot_busy); + rpc_wake_up_next(&clp->cl_cb_waitq); + dprintk("%s: freed slot, new seqid=%d\n", __func__, +@@ -1199,6 +1204,7 @@ void nfsd4_init_cb(struct nfsd4_callback *cb, struct nfs4_client *clp, + cb->cb_seq_status = 1; + cb->cb_status = 0; + cb->cb_need_restart = false; ++ cb->cb_holds_slot = false; + } + + void nfsd4_run_cb(struct nfsd4_callback *cb) +diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h +index 0b15dac7e609..0f07ad6dc1ef 100644 +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -70,6 +70,7 @@ struct nfsd4_callback { + int cb_seq_status; + int cb_status; + bool cb_need_restart; ++ bool cb_holds_slot; + }; + + struct nfsd4_callback_ops { +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index d65390727541..7325baa8f9d4 100644 +--- a/fs/proc/proc_sysctl.c ++++ 
b/fs/proc/proc_sysctl.c +@@ -1626,9 +1626,11 @@ static void drop_sysctl_table(struct ctl_table_header *header) + if (--header->nreg) + return; + +- if (parent) ++ if (parent) { + put_links(header); +- start_unregistering(header); ++ start_unregistering(header); ++ } ++ + if (!--header->count) + kfree_rcu(header, rcu); + +diff --git a/fs/splice.c b/fs/splice.c +index 29e92b506394..c78e0e3ff6c4 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -333,8 +333,8 @@ const struct pipe_buf_operations default_pipe_buf_ops = { + .get = generic_pipe_buf_get, + }; + +-static int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe, +- struct pipe_buffer *buf) ++int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe, ++ struct pipe_buffer *buf) + { + return 1; + } +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 7b6084854bfe..111c94c4baa1 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -304,13 +304,19 @@ enum rw_hint { + + struct kiocb { + struct file *ki_filp; ++ ++ /* The 'ki_filp' pointer is shared in a union for aio */ ++ randomized_struct_fields_start ++ + loff_t ki_pos; + void (*ki_complete)(struct kiocb *iocb, long ret, long ret2); + void *private; + int ki_flags; + u16 ki_hint; + u16 ki_ioprio; /* See linux/ioprio.h */ +-} __randomize_layout; ++ ++ randomized_struct_fields_end ++}; + + static inline bool is_sync_kiocb(struct kiocb *kiocb) + { +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h +index 3ecd7ea212ae..66ee63cd5968 100644 +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -181,6 +181,7 @@ void free_pipe_info(struct pipe_inode_info *); + void generic_pipe_buf_get(struct pipe_inode_info *, struct pipe_buffer *); + int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *); + int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *); ++int generic_pipe_buf_nosteal(struct pipe_inode_info *, struct pipe_buffer *); + void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *); + void pipe_buf_mark_unmergeable(struct pipe_buffer *buf); + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 0f39ac487012..f2be5d041ba3 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -382,6 +382,7 @@ void nft_unregister_set(struct nft_set_type *type); + * @dtype: data type (verdict or numeric type defined by userspace) + * @objtype: object type (see NFT_OBJECT_* definitions) + * @size: maximum set size ++ * @use: number of rules references to this set + * @nelems: number of elements + * @ndeact: number of deactivated elements queued for removal + * @timeout: default timeout value in jiffies +@@ -407,6 +408,7 @@ struct nft_set { + u32 dtype; + u32 objtype; + u32 size; ++ u32 use; + atomic_t nelems; + u32 ndeact; + u64 timeout; +@@ -416,7 +418,8 @@ struct nft_set { + unsigned char *udata; + /* runtime data below here */ + const struct nft_set_ops *ops ____cacheline_aligned; +- u16 flags:14, ++ u16 flags:13, ++ bound:1, + genmask:2; + u8 klen; + u8 dlen; +@@ -466,10 +469,15 @@ struct nft_set_binding { + u32 flags; + }; + ++enum nft_trans_phase; ++void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, ++ struct nft_set_binding *binding, ++ enum nft_trans_phase phase); + int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding); + void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, +- struct nft_set_binding *binding); ++ struct 
nft_set_binding *binding, bool commit); ++void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set); + + /** + * enum nft_set_extensions - set extension type IDs +@@ -689,10 +697,12 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, + gcb->elems[gcb->head.cnt++] = elem; + } + ++struct nft_expr_ops; + /** + * struct nft_expr_type - nf_tables expression type + * + * @select_ops: function to select nft_expr_ops ++ * @release_ops: release nft_expr_ops + * @ops: default ops, used when no select_ops functions is present + * @list: used internally + * @name: Identifier +@@ -705,6 +715,7 @@ static inline void nft_set_gc_batch_add(struct nft_set_gc_batch *gcb, + struct nft_expr_type { + const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *, + const struct nlattr * const tb[]); ++ void (*release_ops)(const struct nft_expr_ops *ops); + const struct nft_expr_ops *ops; + struct list_head list; + const char *name; +@@ -718,13 +729,22 @@ struct nft_expr_type { + #define NFT_EXPR_STATEFUL 0x1 + #define NFT_EXPR_GC 0x2 + ++enum nft_trans_phase { ++ NFT_TRANS_PREPARE, ++ NFT_TRANS_ABORT, ++ NFT_TRANS_COMMIT, ++ NFT_TRANS_RELEASE ++}; ++ + /** + * struct nft_expr_ops - nf_tables expression operations + * + * @eval: Expression evaluation function + * @size: full expression size, including private data size + * @init: initialization function +- * @destroy: destruction function ++ * @activate: activate expression in the next generation ++ * @deactivate: deactivate expression in next generation ++ * @destroy: destruction function, called after synchronize_rcu + * @dump: function to dump parameters + * @type: expression type + * @validate: validate expression, called during loop detection +@@ -745,7 +765,8 @@ struct nft_expr_ops { + void (*activate)(const struct nft_ctx *ctx, + const struct nft_expr *expr); + void (*deactivate)(const struct nft_ctx *ctx, +- const struct nft_expr *expr); ++ const struct nft_expr *expr, ++ enum nft_trans_phase phase); + void (*destroy)(const struct nft_ctx *ctx, + const struct nft_expr *expr); + void (*destroy_clone)(const struct nft_ctx *ctx, +diff --git a/include/net/netrom.h b/include/net/netrom.h +index 5a0714ff500f..80f15b1c1a48 100644 +--- a/include/net/netrom.h ++++ b/include/net/netrom.h +@@ -266,7 +266,7 @@ void nr_stop_idletimer(struct sock *); + int nr_t1timer_running(struct sock *); + + /* sysctl_net_netrom.c */ +-void nr_register_sysctl(void); ++int nr_register_sysctl(void); + void nr_unregister_sysctl(void); + + #endif +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index 91e4202b0634..72c07059ef37 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -252,7 +252,6 @@ static void task_non_contending(struct task_struct *p) + if (dl_entity_is_special(dl_se)) + return; + +- WARN_ON(hrtimer_active(&dl_se->inactive_timer)); + WARN_ON(dl_se->dl_non_contending); + + zerolag_time = dl_se->deadline - +@@ -269,7 +268,7 @@ static void task_non_contending(struct task_struct *p) + * If the "0-lag time" already passed, decrease the active + * utilization now, instead of starting a timer + */ +- if (zerolag_time < 0) { ++ if ((zerolag_time < 0) || hrtimer_active(&dl_se->inactive_timer)) { + if (dl_task(p)) + sub_running_bw(dl_se, dl_rq); + if (!dl_task(p) || p->state == TASK_DEAD) { +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 4aa8e7d90c25..d31916366d39 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -2016,6 +2016,10 @@ static u64 numa_get_avg_runtime(struct 
task_struct *p, u64 *period) + if (p->last_task_numa_placement) { + delta = runtime - p->last_sum_exec_runtime; + *period = now - p->last_task_numa_placement; ++ ++ /* Avoid time going backwards, prevent potential divide error: */ ++ if (unlikely((s64)*period < 0)) ++ *period = 0; + } else { + delta = p->se.avg.load_sum; + *period = LOAD_AVG_MAX; +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 34b4c32b0692..805aef83b5cf 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -730,7 +730,7 @@ u64 ring_buffer_time_stamp(struct ring_buffer *buffer, int cpu) + + preempt_disable_notrace(); + time = rb_time_stamp(buffer); +- preempt_enable_no_resched_notrace(); ++ preempt_enable_notrace(); + + return time; + } +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index c65cea71d1ee..5455ee05bc3b 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -496,8 +496,10 @@ int trace_pid_write(struct trace_pid_list *filtered_pids, + * not modified. + */ + pid_list = kmalloc(sizeof(*pid_list), GFP_KERNEL); +- if (!pid_list) ++ if (!pid_list) { ++ trace_parser_put(&parser); + return -ENOMEM; ++ } + + pid_list->pid_max = READ_ONCE(pid_max); + +@@ -507,6 +509,7 @@ int trace_pid_write(struct trace_pid_list *filtered_pids, + + pid_list->pids = vzalloc((pid_list->pid_max + 7) >> 3); + if (!pid_list->pids) { ++ trace_parser_put(&parser); + kfree(pid_list); + return -ENOMEM; + } +@@ -6800,19 +6803,23 @@ struct buffer_ref { + struct ring_buffer *buffer; + void *page; + int cpu; +- int ref; ++ refcount_t refcount; + }; + ++static void buffer_ref_release(struct buffer_ref *ref) ++{ ++ if (!refcount_dec_and_test(&ref->refcount)) ++ return; ++ ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page); ++ kfree(ref); ++} ++ + static void buffer_pipe_buf_release(struct pipe_inode_info *pipe, + struct pipe_buffer *buf) + { + struct buffer_ref *ref = (struct buffer_ref *)buf->private; + +- if (--ref->ref) +- return; +- +- ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page); +- kfree(ref); ++ buffer_ref_release(ref); + buf->private = 0; + } + +@@ -6821,7 +6828,7 @@ static void buffer_pipe_buf_get(struct pipe_inode_info *pipe, + { + struct buffer_ref *ref = (struct buffer_ref *)buf->private; + +- ref->ref++; ++ refcount_inc(&ref->refcount); + } + + /* Pipe buffer operations for a buffer. 
*/ +@@ -6829,7 +6836,7 @@ static const struct pipe_buf_operations buffer_pipe_buf_ops = { + .can_merge = 0, + .confirm = generic_pipe_buf_confirm, + .release = buffer_pipe_buf_release, +- .steal = generic_pipe_buf_steal, ++ .steal = generic_pipe_buf_nosteal, + .get = buffer_pipe_buf_get, + }; + +@@ -6842,11 +6849,7 @@ static void buffer_spd_release(struct splice_pipe_desc *spd, unsigned int i) + struct buffer_ref *ref = + (struct buffer_ref *)spd->partial[i].private; + +- if (--ref->ref) +- return; +- +- ring_buffer_free_read_page(ref->buffer, ref->cpu, ref->page); +- kfree(ref); ++ buffer_ref_release(ref); + spd->partial[i].private = 0; + } + +@@ -6901,7 +6904,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, + break; + } + +- ref->ref = 1; ++ refcount_set(&ref->refcount, 1); + ref->buffer = iter->trace_buffer->buffer; + ref->page = ring_buffer_alloc_read_page(ref->buffer, iter->cpu_file); + if (IS_ERR(ref->page)) { +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 0280deac392e..cd8b61bded78 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -2908,6 +2908,9 @@ static bool __flush_work(struct work_struct *work, bool from_cancel) + if (WARN_ON(!wq_online)) + return false; + ++ if (WARN_ON(!work->func)) ++ return false; ++ + if (!from_cancel) { + lock_map_acquire(&work->lockdep_map); + lock_map_release(&work->lockdep_map); +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index 4966c4fbe7f7..3dea52f7be9c 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -1934,6 +1934,7 @@ config TEST_KMOD + depends on m + depends on BLOCK && (64BIT || LBDAF) # for XFS, BTRFS + depends on NETDEVICES && NET_CORE && INET # for TUN ++ depends on BLOCK + select TEST_LKM + select XFS_FS + select TUN +diff --git a/mm/memory.c b/mm/memory.c +index 5b3f71bcd1ae..9c69278173b7 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1787,10 +1787,15 @@ static int insert_pfn(struct vm_area_struct *vma, unsigned long addr, + * in may not match the PFN we have mapped if the + * mapped PFN is a writeable COW page. In the mkwrite + * case we are creating a writable PTE for a shared +- * mapping and we expect the PFNs to match. ++ * mapping and we expect the PFNs to match. If they ++ * don't match, we are likely racing with block ++ * allocation and mapping invalidation so just skip the ++ * update. 
+ */ +- if (WARN_ON_ONCE(pte_pfn(*pte) != pfn_t_to_pfn(pfn))) ++ if (pte_pfn(*pte) != pfn_t_to_pfn(pfn)) { ++ WARN_ON_ONCE(!is_zero_pfn(pte_pfn(*pte))); + goto out_unlock; ++ } + entry = *pte; + goto out_mkwrite; + } else +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index f77888ec93f1..0bb4d712b80c 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2032,7 +2032,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32, + if (match_kern) + match_kern->match_size = ret; + +- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) ++ /* rule should have no remaining data after target */ ++ if (type == EBT_COMPAT_TARGET && size_left) + return -EINVAL; + + match32 = (struct compat_ebt_entry_mwt *) buf; +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 98c81c21b753..8bacbcd2db90 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1185,25 +1185,39 @@ static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie) + return dst; + } + +-static void ipv4_link_failure(struct sk_buff *skb) ++static void ipv4_send_dest_unreach(struct sk_buff *skb) + { + struct ip_options opt; +- struct rtable *rt; + int res; + + /* Recompile ip options since IPCB may not be valid anymore. ++ * Also check we have a reasonable ipv4 header. + */ +- memset(&opt, 0, sizeof(opt)); +- opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr); ++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) || ++ ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5) ++ return; + +- rcu_read_lock(); +- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); +- rcu_read_unlock(); ++ memset(&opt, 0, sizeof(opt)); ++ if (ip_hdr(skb)->ihl > 5) { ++ if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4)) ++ return; ++ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr); + +- if (res) +- return; ++ rcu_read_lock(); ++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL); ++ rcu_read_unlock(); + ++ if (res) ++ return; ++ } + __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt); ++} ++ ++static void ipv4_link_failure(struct sk_buff *skb) ++{ ++ struct rtable *rt; ++ ++ ipv4_send_dest_unreach(skb); + + rt = skb_rtable(skb); + if (rt) +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 891ed2f91467..ce64453d337d 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -49,6 +49,7 @@ static int ip_ping_group_range_min[] = { 0, 0 }; + static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX }; + static int comp_sack_nr_max = 255; + static u32 u32_max_div_HZ = UINT_MAX / HZ; ++static int one_day_secs = 24 * 3600; + + /* obsolete */ + static int sysctl_tcp_low_latency __read_mostly; +@@ -1140,7 +1141,9 @@ static struct ctl_table ipv4_net_table[] = { + .data = &init_net.ipv4.sysctl_tcp_min_rtt_wlen, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &one_day_secs + }, + { + .procname = "tcp_autocorking", +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index 8fd8d06454d6..2d4e048762f6 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -896,12 +896,13 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest, + { + struct ip_vs_dest *dest; + unsigned int atype, i; +- int ret = 0; + + EnterFunction(2); + + #ifdef CONFIG_IP_VS_IPV6 + if (udest->af == AF_INET6) { ++ int ret; ++ + atype = 
ipv6_addr_type(&udest->addr.in6); + if ((!(atype & IPV6_ADDR_UNICAST) || + atype & IPV6_ADDR_LINKLOCAL) && +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c06393fc716d..1af54119bafc 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -112,6 +112,23 @@ static void nft_trans_destroy(struct nft_trans *trans) + kfree(trans); + } + ++static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ struct net *net = ctx->net; ++ struct nft_trans *trans; ++ ++ if (!nft_set_is_anonymous(set)) ++ return; ++ ++ list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { ++ if (trans->msg_type == NFT_MSG_NEWSET && ++ nft_trans_set(trans) == set) { ++ set->bound = true; ++ break; ++ } ++ } ++} ++ + static int nf_tables_register_hook(struct net *net, + const struct nft_table *table, + struct nft_chain *chain) +@@ -222,14 +239,15 @@ static void nft_rule_expr_activate(const struct nft_ctx *ctx, + } + + static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, +- struct nft_rule *rule) ++ struct nft_rule *rule, ++ enum nft_trans_phase phase) + { + struct nft_expr *expr; + + expr = nft_expr_first(rule); + while (expr != nft_expr_last(rule) && expr->ops) { + if (expr->ops->deactivate) +- expr->ops->deactivate(ctx, expr); ++ expr->ops->deactivate(ctx, expr, phase); + + expr = nft_expr_next(expr); + } +@@ -280,7 +298,7 @@ static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule) + nft_trans_destroy(trans); + return err; + } +- nft_rule_expr_deactivate(ctx, rule); ++ nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE); + + return 0; + } +@@ -301,7 +319,7 @@ static int nft_delrule_by_chain(struct nft_ctx *ctx) + return 0; + } + +-static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type, ++static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type, + struct nft_set *set) + { + struct nft_trans *trans; +@@ -321,7 +339,7 @@ static int nft_trans_set_add(struct nft_ctx *ctx, int msg_type, + return 0; + } + +-static int nft_delset(struct nft_ctx *ctx, struct nft_set *set) ++static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) + { + int err; + +@@ -2105,6 +2123,7 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, + { + struct nft_expr_info info; + struct nft_expr *expr; ++ struct module *owner; + int err; + + err = nf_tables_expr_parse(ctx, nla, &info); +@@ -2124,7 +2143,11 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, + err3: + kfree(expr); + err2: +- module_put(info.ops->type->owner); ++ owner = info.ops->type->owner; ++ if (info.ops->type->release_ops) ++ info.ops->type->release_ops(info.ops); ++ ++ module_put(owner); + err1: + return ERR_PTR(err); + } +@@ -2458,7 +2481,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx, + static void nf_tables_rule_release(const struct nft_ctx *ctx, + struct nft_rule *rule) + { +- nft_rule_expr_deactivate(ctx, rule); ++ nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); + nf_tables_rule_destroy(ctx, rule); + } + +@@ -3562,19 +3585,15 @@ err1: + + static void nft_set_destroy(struct nft_set *set) + { ++ if (WARN_ON(set->use > 0)) ++ return; ++ + set->ops->destroy(set); + module_put(to_set_type(set->ops)->owner); + kfree(set->name); + kvfree(set); + } + +-static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set) +-{ +- list_del_rcu(&set->list); +- nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC); +- nft_set_destroy(set); +-} +- + static int 
nf_tables_delset(struct net *net, struct sock *nlsk, + struct sk_buff *skb, const struct nlmsghdr *nlh, + const struct nlattr * const nla[], +@@ -3609,7 +3628,7 @@ static int nf_tables_delset(struct net *net, struct sock *nlsk, + NL_SET_BAD_ATTR(extack, attr); + return PTR_ERR(set); + } +- if (!list_empty(&set->bindings) || ++ if (set->use || + (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) { + NL_SET_BAD_ATTR(extack, attr); + return -EBUSY; +@@ -3639,6 +3658,9 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *i; + struct nft_set_iter iter; + ++ if (set->use == UINT_MAX) ++ return -EOVERFLOW; ++ + if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) + return -EBUSY; + +@@ -3665,21 +3687,53 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, + bind: + binding->chain = ctx->chain; + list_add_tail_rcu(&binding->list, &set->bindings); ++ nft_set_trans_bind(ctx, set); ++ set->use++; ++ + return 0; + } + EXPORT_SYMBOL_GPL(nf_tables_bind_set); + + void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, +- struct nft_set_binding *binding) ++ struct nft_set_binding *binding, bool event) + { + list_del_rcu(&binding->list); + +- if (list_empty(&set->bindings) && nft_set_is_anonymous(set) && +- nft_is_active(ctx->net, set)) +- nf_tables_set_destroy(ctx, set); ++ if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) { ++ list_del_rcu(&set->list); ++ if (event) ++ nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, ++ GFP_KERNEL); ++ } + } + EXPORT_SYMBOL_GPL(nf_tables_unbind_set); + ++void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, ++ struct nft_set_binding *binding, ++ enum nft_trans_phase phase) ++{ ++ switch (phase) { ++ case NFT_TRANS_PREPARE: ++ set->use--; ++ return; ++ case NFT_TRANS_ABORT: ++ case NFT_TRANS_RELEASE: ++ set->use--; ++ /* fall through */ ++ default: ++ nf_tables_unbind_set(ctx, set, binding, ++ phase == NFT_TRANS_COMMIT); ++ } ++} ++EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); ++ ++void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) ++ nft_set_destroy(set); ++} ++EXPORT_SYMBOL_GPL(nf_tables_destroy_set); ++ + const struct nft_set_ext_type nft_set_ext_types[] = { + [NFT_SET_EXT_KEY] = { + .align = __alignof__(u32), +@@ -6429,6 +6483,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) + nf_tables_rule_notify(&trans->ctx, + nft_trans_rule(trans), + NFT_MSG_DELRULE); ++ nft_rule_expr_deactivate(&trans->ctx, ++ nft_trans_rule(trans), ++ NFT_TRANS_COMMIT); + break; + case NFT_MSG_NEWSET: + nft_clear(net, nft_trans_set(trans)); +@@ -6577,7 +6634,9 @@ static int __nf_tables_abort(struct net *net) + case NFT_MSG_NEWRULE: + trans->ctx.chain->use--; + list_del_rcu(&nft_trans_rule(trans)->list); +- nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans)); ++ nft_rule_expr_deactivate(&trans->ctx, ++ nft_trans_rule(trans), ++ NFT_TRANS_ABORT); + break; + case NFT_MSG_DELRULE: + trans->ctx.chain->use++; +@@ -6587,6 +6646,10 @@ static int __nf_tables_abort(struct net *net) + break; + case NFT_MSG_NEWSET: + trans->ctx.table->use--; ++ if (nft_trans_set(trans)->bound) { ++ nft_trans_destroy(trans); ++ break; ++ } + list_del_rcu(&nft_trans_set(trans)->list); + break; + case NFT_MSG_DELSET: +@@ -6595,8 +6658,11 @@ static int __nf_tables_abort(struct net *net) + nft_trans_destroy(trans); + break; + case NFT_MSG_NEWSETELEM: ++ if 
(nft_trans_elem_set(trans)->bound) { ++ nft_trans_destroy(trans); ++ break; ++ } + te = (struct nft_trans_elem *)trans->data; +- + te->set->ops->remove(net, te->set, &te->elem); + atomic_dec(&te->set->nelems); + break; +diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c +index 38da1f5436b4..1245e02239d9 100644 +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -23,19 +23,6 @@ + #include + #include + +-struct nft_xt { +- struct list_head head; +- struct nft_expr_ops ops; +- unsigned int refcnt; +- +- /* Unlike other expressions, ops doesn't have static storage duration. +- * nft core assumes they do. We use kfree_rcu so that nft core can +- * can check expr->ops->size even after nft_compat->destroy() frees +- * the nft_xt struct that holds the ops structure. +- */ +- struct rcu_head rcu_head; +-}; +- + /* Used for matches where *info is larger than X byte */ + #define NFT_MATCH_LARGE_THRESH 192 + +@@ -43,17 +30,6 @@ struct nft_xt_match_priv { + void *info; + }; + +-static bool nft_xt_put(struct nft_xt *xt) +-{ +- if (--xt->refcnt == 0) { +- list_del(&xt->head); +- kfree_rcu(xt, rcu_head); +- return true; +- } +- +- return false; +-} +- + static int nft_compat_chain_validate_dependency(const struct nft_ctx *ctx, + const char *tablename) + { +@@ -248,7 +224,6 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + struct xt_target *target = expr->ops->data; + struct xt_tgchk_param par; + size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO])); +- struct nft_xt *nft_xt; + u16 proto = 0; + bool inv = false; + union nft_entry e = {}; +@@ -272,8 +247,6 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + if (!target->target) + return -EINVAL; + +- nft_xt = container_of(expr->ops, struct nft_xt, ops); +- nft_xt->refcnt++; + return 0; + } + +@@ -292,8 +265,8 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr) + if (par.target->destroy != NULL) + par.target->destroy(&par); + +- if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops))) +- module_put(me); ++ module_put(me); ++ kfree(expr->ops); + } + + static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr) +@@ -447,7 +420,6 @@ __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + struct xt_match *match = expr->ops->data; + struct xt_mtchk_param par; + size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO])); +- struct nft_xt *nft_xt; + u16 proto = 0; + bool inv = false; + union nft_entry e = {}; +@@ -463,13 +435,7 @@ __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr, + + nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv); + +- ret = xt_check_match(&par, size, proto, inv); +- if (ret < 0) +- return ret; +- +- nft_xt = container_of(expr->ops, struct nft_xt, ops); +- nft_xt->refcnt++; +- return 0; ++ return xt_check_match(&par, size, proto, inv); + } + + static int +@@ -512,8 +478,8 @@ __nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr, + if (par.match->destroy != NULL) + par.match->destroy(&par); + +- if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops))) +- module_put(me); ++ module_put(me); ++ kfree(expr->ops); + } + + static void +@@ -715,22 +681,13 @@ static const struct nfnetlink_subsystem nfnl_compat_subsys = { + .cb = nfnl_nft_compat_cb, + }; + +-static LIST_HEAD(nft_match_list); +- + static struct nft_expr_type nft_match_type; + +-static bool nft_match_cmp(const struct xt_match *match, +- const char *name, u32 rev, u32 family) +-{ 
+- return strcmp(match->name, name) == 0 && match->revision == rev && +- (match->family == NFPROTO_UNSPEC || match->family == family); +-} +- + static const struct nft_expr_ops * + nft_match_select_ops(const struct nft_ctx *ctx, + const struct nlattr * const tb[]) + { +- struct nft_xt *nft_match; ++ struct nft_expr_ops *ops; + struct xt_match *match; + unsigned int matchsize; + char *mt_name; +@@ -746,14 +703,6 @@ nft_match_select_ops(const struct nft_ctx *ctx, + rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV])); + family = ctx->family; + +- /* Re-use the existing match if it's already loaded. */ +- list_for_each_entry(nft_match, &nft_match_list, head) { +- struct xt_match *match = nft_match->ops.data; +- +- if (nft_match_cmp(match, mt_name, rev, family)) +- return &nft_match->ops; +- } +- + match = xt_request_find_match(family, mt_name, rev); + if (IS_ERR(match)) + return ERR_PTR(-ENOENT); +@@ -763,66 +712,62 @@ nft_match_select_ops(const struct nft_ctx *ctx, + goto err; + } + +- /* This is the first time we use this match, allocate operations */ +- nft_match = kzalloc(sizeof(struct nft_xt), GFP_KERNEL); +- if (nft_match == NULL) { ++ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL); ++ if (!ops) { + err = -ENOMEM; + goto err; + } + +- nft_match->refcnt = 0; +- nft_match->ops.type = &nft_match_type; +- nft_match->ops.eval = nft_match_eval; +- nft_match->ops.init = nft_match_init; +- nft_match->ops.destroy = nft_match_destroy; +- nft_match->ops.dump = nft_match_dump; +- nft_match->ops.validate = nft_match_validate; +- nft_match->ops.data = match; ++ ops->type = &nft_match_type; ++ ops->eval = nft_match_eval; ++ ops->init = nft_match_init; ++ ops->destroy = nft_match_destroy; ++ ops->dump = nft_match_dump; ++ ops->validate = nft_match_validate; ++ ops->data = match; + + matchsize = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize)); + if (matchsize > NFT_MATCH_LARGE_THRESH) { + matchsize = NFT_EXPR_SIZE(sizeof(struct nft_xt_match_priv)); + +- nft_match->ops.eval = nft_match_large_eval; +- nft_match->ops.init = nft_match_large_init; +- nft_match->ops.destroy = nft_match_large_destroy; +- nft_match->ops.dump = nft_match_large_dump; ++ ops->eval = nft_match_large_eval; ++ ops->init = nft_match_large_init; ++ ops->destroy = nft_match_large_destroy; ++ ops->dump = nft_match_large_dump; + } + +- nft_match->ops.size = matchsize; +- +- list_add(&nft_match->head, &nft_match_list); ++ ops->size = matchsize; + +- return &nft_match->ops; ++ return ops; + err: + module_put(match->me); + return ERR_PTR(err); + } + ++static void nft_match_release_ops(const struct nft_expr_ops *ops) ++{ ++ struct xt_match *match = ops->data; ++ ++ module_put(match->me); ++ kfree(ops); ++} ++ + static struct nft_expr_type nft_match_type __read_mostly = { + .name = "match", + .select_ops = nft_match_select_ops, ++ .release_ops = nft_match_release_ops, + .policy = nft_match_policy, + .maxattr = NFTA_MATCH_MAX, + .owner = THIS_MODULE, + }; + +-static LIST_HEAD(nft_target_list); +- + static struct nft_expr_type nft_target_type; + +-static bool nft_target_cmp(const struct xt_target *tg, +- const char *name, u32 rev, u32 family) +-{ +- return strcmp(tg->name, name) == 0 && tg->revision == rev && +- (tg->family == NFPROTO_UNSPEC || tg->family == family); +-} +- + static const struct nft_expr_ops * + nft_target_select_ops(const struct nft_ctx *ctx, + const struct nlattr * const tb[]) + { +- struct nft_xt *nft_target; ++ struct nft_expr_ops *ops; + struct xt_target *target; + char *tg_name; + u32 rev, family; +@@ -842,17 +787,6 @@ 
nft_target_select_ops(const struct nft_ctx *ctx, + strcmp(tg_name, "standard") == 0) + return ERR_PTR(-EINVAL); + +- /* Re-use the existing target if it's already loaded. */ +- list_for_each_entry(nft_target, &nft_target_list, head) { +- struct xt_target *target = nft_target->ops.data; +- +- if (!target->target) +- continue; +- +- if (nft_target_cmp(target, tg_name, rev, family)) +- return &nft_target->ops; +- } +- + target = xt_request_find_target(family, tg_name, rev); + if (IS_ERR(target)) + return ERR_PTR(-ENOENT); +@@ -867,38 +801,43 @@ nft_target_select_ops(const struct nft_ctx *ctx, + goto err; + } + +- /* This is the first time we use this target, allocate operations */ +- nft_target = kzalloc(sizeof(struct nft_xt), GFP_KERNEL); +- if (nft_target == NULL) { ++ ops = kzalloc(sizeof(struct nft_expr_ops), GFP_KERNEL); ++ if (!ops) { + err = -ENOMEM; + goto err; + } + +- nft_target->refcnt = 0; +- nft_target->ops.type = &nft_target_type; +- nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize)); +- nft_target->ops.init = nft_target_init; +- nft_target->ops.destroy = nft_target_destroy; +- nft_target->ops.dump = nft_target_dump; +- nft_target->ops.validate = nft_target_validate; +- nft_target->ops.data = target; ++ ops->type = &nft_target_type; ++ ops->size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize)); ++ ops->init = nft_target_init; ++ ops->destroy = nft_target_destroy; ++ ops->dump = nft_target_dump; ++ ops->validate = nft_target_validate; ++ ops->data = target; + + if (family == NFPROTO_BRIDGE) +- nft_target->ops.eval = nft_target_eval_bridge; ++ ops->eval = nft_target_eval_bridge; + else +- nft_target->ops.eval = nft_target_eval_xt; +- +- list_add(&nft_target->head, &nft_target_list); ++ ops->eval = nft_target_eval_xt; + +- return &nft_target->ops; ++ return ops; + err: + module_put(target->me); + return ERR_PTR(err); + } + ++static void nft_target_release_ops(const struct nft_expr_ops *ops) ++{ ++ struct xt_target *target = ops->data; ++ ++ module_put(target->me); ++ kfree(ops); ++} ++ + static struct nft_expr_type nft_target_type __read_mostly = { + .name = "target", + .select_ops = nft_target_select_ops, ++ .release_ops = nft_target_release_ops, + .policy = nft_target_policy, + .maxattr = NFTA_TARGET_MAX, + .owner = THIS_MODULE, +@@ -923,7 +862,6 @@ static int __init nft_compat_module_init(void) + } + + return ret; +- + err_target: + nft_unregister_expr(&nft_target_type); + err_match: +@@ -933,32 +871,6 @@ err_match: + + static void __exit nft_compat_module_exit(void) + { +- struct nft_xt *xt, *next; +- +- /* list should be empty here, it can be non-empty only in case there +- * was an error that caused nft_xt expr to not be initialized fully +- * and noone else requested the same expression later. +- * +- * In this case, the lists contain 0-refcount entries that still +- * hold module reference. 
+- */ +- list_for_each_entry_safe(xt, next, &nft_target_list, head) { +- struct xt_target *target = xt->ops.data; +- +- if (WARN_ON_ONCE(xt->refcnt)) +- continue; +- module_put(target->me); +- kfree(xt); +- } +- +- list_for_each_entry_safe(xt, next, &nft_match_list, head) { +- struct xt_match *match = xt->ops.data; +- +- if (WARN_ON_ONCE(xt->refcnt)) +- continue; +- module_put(match->me); +- kfree(xt); +- } + nfnetlink_subsys_unregister(&nfnl_compat_subsys); + nft_unregister_expr(&nft_target_type); + nft_unregister_expr(&nft_match_type); +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 6e91a37d57f2..eb7f9a5f2aeb 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -235,14 +235,32 @@ err1: + return err; + } + ++static void nft_dynset_deactivate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ enum nft_trans_phase phase) ++{ ++ struct nft_dynset *priv = nft_expr_priv(expr); ++ ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase); ++} ++ ++static void nft_dynset_activate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr) ++{ ++ struct nft_dynset *priv = nft_expr_priv(expr); ++ ++ priv->set->use++; ++} ++ + static void nft_dynset_destroy(const struct nft_ctx *ctx, + const struct nft_expr *expr) + { + struct nft_dynset *priv = nft_expr_priv(expr); + +- nf_tables_unbind_set(ctx, priv->set, &priv->binding); + if (priv->expr != NULL) + nft_expr_destroy(ctx, priv->expr); ++ ++ nf_tables_destroy_set(ctx, priv->set); + } + + static int nft_dynset_dump(struct sk_buff *skb, const struct nft_expr *expr) +@@ -279,6 +297,8 @@ static const struct nft_expr_ops nft_dynset_ops = { + .eval = nft_dynset_eval, + .init = nft_dynset_init, + .destroy = nft_dynset_destroy, ++ .activate = nft_dynset_activate, ++ .deactivate = nft_dynset_deactivate, + .dump = nft_dynset_dump, + }; + +diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c +index 0777a93211e2..3f6d1d2a6281 100644 +--- a/net/netfilter/nft_immediate.c ++++ b/net/netfilter/nft_immediate.c +@@ -72,10 +72,14 @@ static void nft_immediate_activate(const struct nft_ctx *ctx, + } + + static void nft_immediate_deactivate(const struct nft_ctx *ctx, +- const struct nft_expr *expr) ++ const struct nft_expr *expr, ++ enum nft_trans_phase phase) + { + const struct nft_immediate_expr *priv = nft_expr_priv(expr); + ++ if (phase == NFT_TRANS_COMMIT) ++ return; ++ + return nft_data_release(&priv->data, nft_dreg_to_type(priv->dreg)); + } + +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c +index ad13e8643599..161c3451a747 100644 +--- a/net/netfilter/nft_lookup.c ++++ b/net/netfilter/nft_lookup.c +@@ -121,12 +121,29 @@ static int nft_lookup_init(const struct nft_ctx *ctx, + return 0; + } + ++static void nft_lookup_deactivate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ enum nft_trans_phase phase) ++{ ++ struct nft_lookup *priv = nft_expr_priv(expr); ++ ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase); ++} ++ ++static void nft_lookup_activate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr) ++{ ++ struct nft_lookup *priv = nft_expr_priv(expr); ++ ++ priv->set->use++; ++} ++ + static void nft_lookup_destroy(const struct nft_ctx *ctx, + const struct nft_expr *expr) + { + struct nft_lookup *priv = nft_expr_priv(expr); + +- nf_tables_unbind_set(ctx, priv->set, &priv->binding); ++ nf_tables_destroy_set(ctx, priv->set); + } + + static int nft_lookup_dump(struct sk_buff *skb, const struct nft_expr *expr) +@@ 
-209,6 +226,8 @@ static const struct nft_expr_ops nft_lookup_ops = { + .size = NFT_EXPR_SIZE(sizeof(struct nft_lookup)), + .eval = nft_lookup_eval, + .init = nft_lookup_init, ++ .activate = nft_lookup_activate, ++ .deactivate = nft_lookup_deactivate, + .destroy = nft_lookup_destroy, + .dump = nft_lookup_dump, + .validate = nft_lookup_validate, +diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c +index cdf348f751ec..bf92a40dd1b2 100644 +--- a/net/netfilter/nft_objref.c ++++ b/net/netfilter/nft_objref.c +@@ -64,21 +64,34 @@ nla_put_failure: + return -1; + } + +-static void nft_objref_destroy(const struct nft_ctx *ctx, +- const struct nft_expr *expr) ++static void nft_objref_deactivate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ enum nft_trans_phase phase) + { + struct nft_object *obj = nft_objref_priv(expr); + ++ if (phase == NFT_TRANS_COMMIT) ++ return; ++ + obj->use--; + } + ++static void nft_objref_activate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr) ++{ ++ struct nft_object *obj = nft_objref_priv(expr); ++ ++ obj->use++; ++} ++ + static struct nft_expr_type nft_objref_type; + static const struct nft_expr_ops nft_objref_ops = { + .type = &nft_objref_type, + .size = NFT_EXPR_SIZE(sizeof(struct nft_object *)), + .eval = nft_objref_eval, + .init = nft_objref_init, +- .destroy = nft_objref_destroy, ++ .activate = nft_objref_activate, ++ .deactivate = nft_objref_deactivate, + .dump = nft_objref_dump, + }; + +@@ -155,12 +168,29 @@ nla_put_failure: + return -1; + } + ++static void nft_objref_map_deactivate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ enum nft_trans_phase phase) ++{ ++ struct nft_objref_map *priv = nft_expr_priv(expr); ++ ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase); ++} ++ ++static void nft_objref_map_activate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr) ++{ ++ struct nft_objref_map *priv = nft_expr_priv(expr); ++ ++ priv->set->use++; ++} ++ + static void nft_objref_map_destroy(const struct nft_ctx *ctx, + const struct nft_expr *expr) + { + struct nft_objref_map *priv = nft_expr_priv(expr); + +- nf_tables_unbind_set(ctx, priv->set, &priv->binding); ++ nf_tables_destroy_set(ctx, priv->set); + } + + static struct nft_expr_type nft_objref_type; +@@ -169,6 +199,8 @@ static const struct nft_expr_ops nft_objref_map_ops = { + .size = NFT_EXPR_SIZE(sizeof(struct nft_objref_map)), + .eval = nft_objref_map_eval, + .init = nft_objref_map_init, ++ .activate = nft_objref_map_activate, ++ .deactivate = nft_objref_map_deactivate, + .destroy = nft_objref_map_destroy, + .dump = nft_objref_map_dump, + }; +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 1d3144d19903..71ffd1a6dc7c 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1392,18 +1392,22 @@ static int __init nr_proto_init(void) + int i; + int rc = proto_register(&nr_proto, 0); + +- if (rc != 0) +- goto out; ++ if (rc) ++ return rc; + + if (nr_ndevs > 0x7fffffff/sizeof(struct net_device *)) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - nr_ndevs parameter to large\n"); +- return -1; ++ pr_err("NET/ROM: %s - nr_ndevs parameter too large\n", ++ __func__); ++ rc = -EINVAL; ++ goto unregister_proto; + } + + dev_nr = kcalloc(nr_ndevs, sizeof(struct net_device *), GFP_KERNEL); +- if (dev_nr == NULL) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device array\n"); +- return -1; ++ if (!dev_nr) { ++ pr_err("NET/ROM: %s - unable to allocate device array\n", ++ __func__); ++ rc = -ENOMEM; 
++ goto unregister_proto; + } + + for (i = 0; i < nr_ndevs; i++) { +@@ -1413,13 +1417,13 @@ static int __init nr_proto_init(void) + sprintf(name, "nr%d", i); + dev = alloc_netdev(0, name, NET_NAME_UNKNOWN, nr_setup); + if (!dev) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to allocate device structure\n"); ++ rc = -ENOMEM; + goto fail; + } + + dev->base_addr = i; +- if (register_netdev(dev)) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register network device\n"); ++ rc = register_netdev(dev); ++ if (rc) { + free_netdev(dev); + goto fail; + } +@@ -1427,36 +1431,64 @@ static int __init nr_proto_init(void) + dev_nr[i] = dev; + } + +- if (sock_register(&nr_family_ops)) { +- printk(KERN_ERR "NET/ROM: nr_proto_init - unable to register socket family\n"); ++ rc = sock_register(&nr_family_ops); ++ if (rc) + goto fail; +- } + +- register_netdevice_notifier(&nr_dev_notifier); ++ rc = register_netdevice_notifier(&nr_dev_notifier); ++ if (rc) ++ goto out_sock; + + ax25_register_pid(&nr_pid); + ax25_linkfail_register(&nr_linkfail_notifier); + + #ifdef CONFIG_SYSCTL +- nr_register_sysctl(); ++ rc = nr_register_sysctl(); ++ if (rc) ++ goto out_sysctl; + #endif + + nr_loopback_init(); + +- proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops); +- proc_create_seq("nr_neigh", 0444, init_net.proc_net, &nr_neigh_seqops); +- proc_create_seq("nr_nodes", 0444, init_net.proc_net, &nr_node_seqops); +-out: +- return rc; ++ rc = -ENOMEM; ++ if (!proc_create_seq("nr", 0444, init_net.proc_net, &nr_info_seqops)) ++ goto proc_remove1; ++ if (!proc_create_seq("nr_neigh", 0444, init_net.proc_net, ++ &nr_neigh_seqops)) ++ goto proc_remove2; ++ if (!proc_create_seq("nr_nodes", 0444, init_net.proc_net, ++ &nr_node_seqops)) ++ goto proc_remove3; ++ ++ return 0; ++ ++proc_remove3: ++ remove_proc_entry("nr_neigh", init_net.proc_net); ++proc_remove2: ++ remove_proc_entry("nr", init_net.proc_net); ++proc_remove1: ++ ++ nr_loopback_clear(); ++ nr_rt_free(); ++ ++#ifdef CONFIG_SYSCTL ++ nr_unregister_sysctl(); ++out_sysctl: ++#endif ++ ax25_linkfail_release(&nr_linkfail_notifier); ++ ax25_protocol_release(AX25_P_NETROM); ++ unregister_netdevice_notifier(&nr_dev_notifier); ++out_sock: ++ sock_unregister(PF_NETROM); + fail: + while (--i >= 0) { + unregister_netdev(dev_nr[i]); + free_netdev(dev_nr[i]); + } + kfree(dev_nr); ++unregister_proto: + proto_unregister(&nr_proto); +- rc = -1; +- goto out; ++ return rc; + } + + module_init(nr_proto_init); +diff --git a/net/netrom/nr_loopback.c b/net/netrom/nr_loopback.c +index 215ad22a9647..93d13f019981 100644 +--- a/net/netrom/nr_loopback.c ++++ b/net/netrom/nr_loopback.c +@@ -70,7 +70,7 @@ static void nr_loopback_timer(struct timer_list *unused) + } + } + +-void __exit nr_loopback_clear(void) ++void nr_loopback_clear(void) + { + del_timer_sync(&loopback_timer); + skb_queue_purge(&loopback_queue); +diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c +index 6485f593e2f0..b76aa668a94b 100644 +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -953,7 +953,7 @@ const struct seq_operations nr_neigh_seqops = { + /* + * Free all memory associated with the nodes and routes lists. 
+ */
+-void __exit nr_rt_free(void)
++void nr_rt_free(void)
+ {
+ struct nr_neigh *s = NULL;
+ struct nr_node *t = NULL;
+diff --git a/net/netrom/sysctl_net_netrom.c b/net/netrom/sysctl_net_netrom.c
+index ba1c368b3f18..771011b84270 100644
+--- a/net/netrom/sysctl_net_netrom.c
++++ b/net/netrom/sysctl_net_netrom.c
+@@ -146,9 +146,12 @@ static struct ctl_table nr_table[] = {
+ { }
+ };
+ 
+-void __init nr_register_sysctl(void)
++int __init nr_register_sysctl(void)
+ {
+ nr_table_header = register_net_sysctl(&init_net, "net/netrom", nr_table);
++ if (!nr_table_header)
++ return -ENOMEM;
++ return 0;
+ }
+ 
+ void nr_unregister_sysctl(void)
+diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c
+index 65387e1e6964..cd7e01ea8144 100644
+--- a/net/rds/af_rds.c
++++ b/net/rds/af_rds.c
+@@ -506,6 +506,9 @@ static int rds_connect(struct socket *sock, struct sockaddr *uaddr,
+ struct rds_sock *rs = rds_sk_to_rs(sk);
+ int ret = 0;
+ 
++ if (addr_len < offsetofend(struct sockaddr, sa_family))
++ return -EINVAL;
++
+ lock_sock(sk);
+ 
+ switch (uaddr->sa_family) {
+diff --git a/net/rds/bind.c b/net/rds/bind.c
+index 17c9d9f0c848..0f4398e7f2a7 100644
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -173,6 +173,8 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ /* We allow an RDS socket to be bound to either IPv4 or IPv6
+ * address.
+ */
++ if (addr_len < offsetofend(struct sockaddr, sa_family))
++ return -EINVAL;
+ if (uaddr->sa_family == AF_INET) {
+ struct sockaddr_in *sin = (struct sockaddr_in *)uaddr;
+ 
+diff --git a/net/rds/ib_fmr.c b/net/rds/ib_fmr.c
+index e0f70c4051b6..01e764f8f224 100644
+--- a/net/rds/ib_fmr.c
++++ b/net/rds/ib_fmr.c
+@@ -44,6 +44,17 @@ struct rds_ib_mr *rds_ib_alloc_fmr(struct rds_ib_device *rds_ibdev, int npages)
+ else
+ pool = rds_ibdev->mr_1m_pool;
+ 
++ if (atomic_read(&pool->dirty_count) >= pool->max_items / 10)
++ queue_delayed_work(rds_ib_mr_wq, &pool->flush_worker, 10);
++
++ /* Switch pools if one of the pool is reaching upper limit */
++ if (atomic_read(&pool->dirty_count) >= pool->max_items * 9 / 10) {
++ if (pool->pool_type == RDS_IB_MR_8K_POOL)
++ pool = rds_ibdev->mr_1m_pool;
++ else
++ pool = rds_ibdev->mr_8k_pool;
++ }
++
+ ibmr = rds_ib_try_reuse_ibmr(pool);
+ if (ibmr)
+ return ibmr;
+diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
+index 63c8d107adcf..d664e9ade74d 100644
+--- a/net/rds/ib_rdma.c
++++ b/net/rds/ib_rdma.c
+@@ -454,9 +454,6 @@ struct rds_ib_mr *rds_ib_try_reuse_ibmr(struct rds_ib_mr_pool *pool)
+ struct rds_ib_mr *ibmr = NULL;
+ int iter = 0;
+ 
+- if (atomic_read(&pool->dirty_count) >= pool->max_items_soft / 10)
+- queue_delayed_work(rds_ib_mr_wq, &pool->flush_worker, 10);
+-
+ while (1) {
+ ibmr = rds_ib_reuse_mr(pool);
+ if (ibmr)
+diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
+index 7af4f99c4a93..094a6621f8e8 100644
+--- a/net/rose/rose_loopback.c
++++ b/net/rose/rose_loopback.c
+@@ -16,6 +16,7 @@
+ #include <net/rose.h>
+ 
+ static struct sk_buff_head loopback_queue;
++#define ROSE_LOOPBACK_LIMIT 1000
+ static struct timer_list loopback_timer;
+ 
+ static void rose_set_loopback_timer(void);
+@@ -35,29 +36,27 @@ static int rose_loopback_running(void)
+ 
+ int rose_loopback_queue(struct sk_buff *skb, struct rose_neigh *neigh)
+ {
+- struct sk_buff *skbn;
++ struct sk_buff *skbn = NULL;
+ 
+- skbn = skb_clone(skb, GFP_ATOMIC);
++ if (skb_queue_len(&loopback_queue) < ROSE_LOOPBACK_LIMIT)
++ skbn = skb_clone(skb, GFP_ATOMIC);
+ 
+- kfree_skb(skb);
+-
+- if (skbn != NULL) {
++ if (skbn) {
++ consume_skb(skb);
+ skb_queue_tail(&loopback_queue, skbn);
+ 
+ if (!rose_loopback_running())
+ rose_set_loopback_timer();
++ } else {
++ kfree_skb(skb);
+ }
+ 
+ return 1;
+ }
+ 
+-
+ static void rose_set_loopback_timer(void)
+ {
+- del_timer(&loopback_timer);
+-
+- loopback_timer.expires = jiffies + 10;
+- add_timer(&loopback_timer);
++ mod_timer(&loopback_timer, jiffies + 10);
+ }
+ 
+ static void rose_loopback_timer(struct timer_list *unused)
+@@ -68,8 +67,12 @@ static void rose_loopback_timer(struct timer_list *unused)
+ struct sock *sk;
+ unsigned short frametype;
+ unsigned int lci_i, lci_o;
++ int count;
+ 
+- while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
++ for (count = 0; count < ROSE_LOOPBACK_LIMIT; count++) {
++ skb = skb_dequeue(&loopback_queue);
++ if (!skb)
++ return;
+ if (skb->len < ROSE_MIN_LEN) {
+ kfree_skb(skb);
+ continue;
+@@ -106,6 +109,8 @@ static void rose_loopback_timer(struct timer_list *unused)
+ kfree_skb(skb);
+ }
+ }
++ if (!skb_queue_empty(&loopback_queue))
++ mod_timer(&loopback_timer, jiffies + 1);
+ }
+ 
+ void __exit rose_loopback_clear(void)
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 570b49d2da42..d591f54cb91f 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -1155,19 +1155,19 @@ int rxrpc_extract_header(struct rxrpc_skb_priv *sp, struct sk_buff *skb)
+ * handle data received on the local endpoint
+ * - may be called in interrupt context
+ *
+- * The socket is locked by the caller and this prevents the socket from being
+- * shut down and the local endpoint from going away, thus sk_user_data will not
+- * be cleared until this function returns.
++ * [!] Note that as this is called from the encap_rcv hook, the socket is not
++ * held locked by the caller and nothing prevents sk_user_data on the UDP from
++ * being cleared in the middle of processing this function.
+ *
+ * Called with the RCU read lock held from the IP layer via UDP.
+ */ + int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb) + { ++ struct rxrpc_local *local = rcu_dereference_sk_user_data(udp_sk); + struct rxrpc_connection *conn; + struct rxrpc_channel *chan; + struct rxrpc_call *call = NULL; + struct rxrpc_skb_priv *sp; +- struct rxrpc_local *local = udp_sk->sk_user_data; + struct rxrpc_peer *peer = NULL; + struct rxrpc_sock *rx = NULL; + unsigned int channel; +@@ -1175,6 +1175,10 @@ int rxrpc_input_packet(struct sock *udp_sk, struct sk_buff *skb) + + _enter("%p", udp_sk); + ++ if (unlikely(!local)) { ++ kfree_skb(skb); ++ return 0; ++ } + if (skb->tstamp == 0) + skb->tstamp = ktime_get_real(); + +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index 0906e51d3cfb..10317dbdab5f 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -304,7 +304,8 @@ nomem: + ret = -ENOMEM; + sock_error: + mutex_unlock(&rxnet->local_mutex); +- kfree(local); ++ if (local) ++ call_rcu(&local->rcu, rxrpc_local_rcu); + _leave(" = %d", ret); + return ERR_PTR(ret); + +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index b6e8eccf2a52..214440c5b14e 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -54,6 +54,7 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail) + h->last_refresh = now; + } + ++static inline int cache_is_valid(struct cache_head *h); + static void cache_fresh_locked(struct cache_head *head, time_t expiry, + struct cache_detail *detail); + static void cache_fresh_unlocked(struct cache_head *head, +@@ -100,6 +101,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail, + if (cache_is_expired(detail, tmp)) { + hlist_del_init(&tmp->cache_list); + detail->entries --; ++ if (cache_is_valid(tmp) == -EAGAIN) ++ set_bit(CACHE_NEGATIVE, &tmp->flags); + cache_fresh_locked(tmp, 0, detail); + freeme = tmp; + break; +diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c +index 0b21187d74df..588d5aa14c41 100644 +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, + if (msg->rep_type) + tipc_tlv_init(msg->rep, msg->rep_type); + +- if (cmd->header) +- (*cmd->header)(msg); ++ if (cmd->header) { ++ err = (*cmd->header)(msg); ++ if (err) { ++ kfree_skb(msg->rep); ++ msg->rep = NULL; ++ return err; ++ } ++ } + + arg = nlmsg_new(0, GFP_KERNEL); + if (!arg) { +@@ -397,7 +403,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, + if (!bearer) + return -EMSGSIZE; + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_bearer_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_BEARER_NAME); + if (!string_is_valid(b->name, len)) + return -EINVAL; + +@@ -766,7 +777,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_link_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_LINK_NAME); + if (!string_is_valid(lc->name, len)) + return -EINVAL; + +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 961b07d4d41c..c9588b682db4 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -874,7 +874,9 @@ int tls_set_device_offload_rx(struct sock *sk, struct 
tls_context *ctx) + goto release_netdev; + + free_sw_resources: ++ up_read(&device_offload_lock); + tls_sw_free_resources_rx(sk); ++ down_read(&device_offload_lock); + release_ctx: + ctx->priv_ctx_rx = NULL; + release_netdev: +@@ -909,8 +911,6 @@ void tls_device_offload_cleanup_rx(struct sock *sk) + } + out: + up_read(&device_offload_lock); +- kfree(tls_ctx->rx.rec_seq); +- kfree(tls_ctx->rx.iv); + tls_sw_release_resources_rx(sk); + } + +diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c +index 450a6dbc5a88..ef8934fd8698 100644 +--- a/net/tls/tls_device_fallback.c ++++ b/net/tls/tls_device_fallback.c +@@ -193,6 +193,9 @@ static void update_chksum(struct sk_buff *skb, int headln) + + static void complete_skb(struct sk_buff *nskb, struct sk_buff *skb, int headln) + { ++ struct sock *sk = skb->sk; ++ int delta; ++ + skb_copy_header(nskb, skb); + + skb_put(nskb, skb->len); +@@ -200,11 +203,15 @@ static void complete_skb(struct sk_buff *nskb, struct sk_buff *skb, int headln) + update_chksum(nskb, headln); + + nskb->destructor = skb->destructor; +- nskb->sk = skb->sk; ++ nskb->sk = sk; + skb->destructor = NULL; + skb->sk = NULL; +- refcount_add(nskb->truesize - skb->truesize, +- &nskb->sk->sk_wmem_alloc); ++ ++ delta = nskb->truesize - skb->truesize; ++ if (likely(delta < 0)) ++ WARN_ON_ONCE(refcount_sub_and_test(-delta, &sk->sk_wmem_alloc)); ++ else if (delta) ++ refcount_add(delta, &sk->sk_wmem_alloc); + } + + /* This function may be called after the user socket is already +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index a091c03abcb2..25b3fb585777 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -290,11 +290,8 @@ static void tls_sk_proto_close(struct sock *sk, long timeout) + tls_sw_free_resources_tx(sk); + } + +- if (ctx->rx_conf == TLS_SW) { +- kfree(ctx->rx.rec_seq); +- kfree(ctx->rx.iv); ++ if (ctx->rx_conf == TLS_SW) + tls_sw_free_resources_rx(sk); +- } + + #ifdef CONFIG_TLS_DEVICE + if (ctx->rx_conf == TLS_HW) +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index b9c6ecfbcfea..6848a8196711 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -1118,6 +1118,9 @@ void tls_sw_release_resources_rx(struct sock *sk) + struct tls_context *tls_ctx = tls_get_ctx(sk); + struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); + ++ kfree(tls_ctx->rx.rec_seq); ++ kfree(tls_ctx->rx.iv); ++ + if (ctx->aead_recv) { + kfree_skb(ctx->recv_pkt); + ctx->recv_pkt = NULL; +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 3ae3a33da70b..602715fc9a75 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -662,6 +662,8 @@ static int virtio_transport_reset(struct vsock_sock *vsk, + */ + static int virtio_transport_reset_no_sock(struct virtio_vsock_pkt *pkt) + { ++ const struct virtio_transport *t; ++ struct virtio_vsock_pkt *reply; + struct virtio_vsock_pkt_info info = { + .op = VIRTIO_VSOCK_OP_RST, + .type = le16_to_cpu(pkt->hdr.type), +@@ -672,15 +674,21 @@ static int virtio_transport_reset_no_sock(struct virtio_vsock_pkt *pkt) + if (le16_to_cpu(pkt->hdr.op) == VIRTIO_VSOCK_OP_RST) + return 0; + +- pkt = virtio_transport_alloc_pkt(&info, 0, +- le64_to_cpu(pkt->hdr.dst_cid), +- le32_to_cpu(pkt->hdr.dst_port), +- le64_to_cpu(pkt->hdr.src_cid), +- le32_to_cpu(pkt->hdr.src_port)); +- if (!pkt) ++ reply = virtio_transport_alloc_pkt(&info, 0, ++ le64_to_cpu(pkt->hdr.dst_cid), ++ le32_to_cpu(pkt->hdr.dst_port), ++ le64_to_cpu(pkt->hdr.src_cid), ++ 
le32_to_cpu(pkt->hdr.src_port)); ++ if (!reply) + return -ENOMEM; + +- return virtio_transport_get_ops()->send_pkt(pkt); ++ t = virtio_transport_get_ops(); ++ if (!t) { ++ virtio_transport_free_pkt(reply); ++ return -ENOTCONN; ++ } ++ ++ return t->send_pkt(reply); + } + + static void virtio_transport_wait_close(struct sock *sk, long timeout) +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 80f73810b21b..0436789e7cd8 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -7394,8 +7394,10 @@ static void ca0132_free(struct hda_codec *codec) + ca0132_exit_chip(codec); + + snd_hda_power_down(codec); +- if (IS_ENABLED(CONFIG_PCI) && spec->mem_base) ++#ifdef CONFIG_PCI ++ if (spec->mem_base) + pci_iounmap(codec->bus->pci, spec->mem_base); ++#endif + kfree(spec->spec_init_verbs); + kfree(codec->spec); + }