diff options
author | Mike Pagano <mpagano@gentoo.org> | 2019-01-31 06:23:33 -0500 |
---|---|---|
committer | Mike Pagano <mpagano@gentoo.org> | 2019-01-31 06:23:33 -0500 |
commit | 613bef45571bde8dff42f7f55d611b54193460ea (patch) | |
tree | 9b28239ba76aa367ca771deb76e643bafdabfb9e | |
parent | proj/linux-patches: Linux patch 4.14.96 (diff) | |
download | linux-patches-613bef45571bde8dff42f7f55d611b54193460ea.tar.gz linux-patches-613bef45571bde8dff42f7f55d611b54193460ea.tar.bz2 linux-patches-613bef45571bde8dff42f7f55d611b54193460ea.zip |
proj/linux-patches: Linux patch 4.14.974.14-104
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
-rw-r--r-- | 0000_README | 4 | ||||
-rw-r--r-- | 1096_linux-4.14.97.patch | 3121 |
2 files changed, 3125 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 628069fc..c08af0da 100644 --- a/0000_README +++ b/0000_README @@ -427,6 +427,10 @@ Patch: 1095_4.14.96.patch From: http://www.kernel.org Desc: Linux 4.14.96 +Patch: 1096_4.14.97.patch +From: http://www.kernel.org +Desc: Linux 4.14.97 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1096_linux-4.14.97.patch b/1096_linux-4.14.97.patch new file mode 100644 index 00000000..d0a307b6 --- /dev/null +++ b/1096_linux-4.14.97.patch @@ -0,0 +1,3121 @@ +diff --git a/Makefile b/Makefile +index 57b45169ed85..485afde0f1f1 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 96 ++SUBLEVEL = 97 + EXTRAVERSION = + NAME = Petit Gorille + +diff --git a/arch/arc/include/asm/perf_event.h b/arch/arc/include/asm/perf_event.h +index 9185541035cc..6958545390f0 100644 +--- a/arch/arc/include/asm/perf_event.h ++++ b/arch/arc/include/asm/perf_event.h +@@ -103,7 +103,8 @@ static const char * const arc_pmu_ev_hw_map[] = { + + /* counts condition */ + [PERF_COUNT_HW_INSTRUCTIONS] = "iall", +- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = "ijmp", /* Excludes ZOL jumps */ ++ /* All jump instructions that are taken */ ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = "ijmptak", + [PERF_COUNT_ARC_BPOK] = "bpok", /* NP-NT, PT-T, PNT-NT */ + #ifdef CONFIG_ISA_ARCV2 + [PERF_COUNT_HW_BRANCH_MISSES] = "bpmp", +diff --git a/arch/arc/lib/memset-archs.S b/arch/arc/lib/memset-archs.S +index 62ad4bcb841a..f230bb7092fd 100644 +--- a/arch/arc/lib/memset-archs.S ++++ b/arch/arc/lib/memset-archs.S +@@ -7,11 +7,39 @@ + */ + + #include <linux/linkage.h> ++#include <asm/cache.h> + +-#undef PREALLOC_NOT_AVAIL ++/* ++ * The memset implementation below is optimized to use prefetchw and prealloc ++ * instruction in case of CPU with 64B L1 data cache line (L1_CACHE_SHIFT == 6) ++ * If you want to implement optimized memset for other possible L1 data cache ++ * line lengths (32B and 128B) you should rewrite code carefully checking ++ * we don't call any prefetchw/prealloc instruction for L1 cache lines which ++ * don't belongs to memset area. ++ */ ++ ++#if L1_CACHE_SHIFT == 6 ++ ++.macro PREALLOC_INSTR reg, off ++ prealloc [\reg, \off] ++.endm ++ ++.macro PREFETCHW_INSTR reg, off ++ prefetchw [\reg, \off] ++.endm ++ ++#else ++ ++.macro PREALLOC_INSTR ++.endm ++ ++.macro PREFETCHW_INSTR ++.endm ++ ++#endif + + ENTRY_CFI(memset) +- prefetchw [r0] ; Prefetch the write location ++ PREFETCHW_INSTR r0, 0 ; Prefetch the first write location + mov.f 0, r2 + ;;; if size is zero + jz.d [blink] +@@ -48,11 +76,8 @@ ENTRY_CFI(memset) + + lpnz @.Lset64bytes + ;; LOOP START +-#ifdef PREALLOC_NOT_AVAIL +- prefetchw [r3, 64] ;Prefetch the next write location +-#else +- prealloc [r3, 64] +-#endif ++ PREALLOC_INSTR r3, 64 ; alloc next line w/o fetching ++ + #ifdef CONFIG_ARC_HAS_LL64 + std.ab r4, [r3, 8] + std.ab r4, [r3, 8] +@@ -85,7 +110,6 @@ ENTRY_CFI(memset) + lsr.f lp_count, r2, 5 ;Last remaining max 124 bytes + lpnz .Lset32bytes + ;; LOOP START +- prefetchw [r3, 32] ;Prefetch the next write location + #ifdef CONFIG_ARC_HAS_LL64 + std.ab r4, [r3, 8] + std.ab r4, [r3, 8] +diff --git a/arch/arc/mm/init.c b/arch/arc/mm/init.c +index ba145065c579..f890b2f9f82f 100644 +--- a/arch/arc/mm/init.c ++++ b/arch/arc/mm/init.c +@@ -138,7 +138,8 @@ void __init setup_arch_memory(void) + */ + + memblock_add_node(low_mem_start, low_mem_sz, 0); +- memblock_reserve(low_mem_start, __pa(_end) - low_mem_start); ++ memblock_reserve(CONFIG_LINUX_LINK_BASE, ++ __pa(_end) - CONFIG_LINUX_LINK_BASE); + + #ifdef CONFIG_BLK_DEV_INITRD + if (initrd_start) +diff --git a/arch/s390/kernel/early.c b/arch/s390/kernel/early.c +index a3219837fa70..4ba5ad44a21a 100644 +--- a/arch/s390/kernel/early.c ++++ b/arch/s390/kernel/early.c +@@ -226,10 +226,10 @@ static noinline __init void detect_machine_type(void) + if (stsi(vmms, 3, 2, 2) || !vmms->count) + return; + +- /* Running under KVM? If not we assume z/VM */ ++ /* Detect known hypervisors */ + if (!memcmp(vmms->vm[0].cpi, "\xd2\xe5\xd4", 3)) + S390_lowcore.machine_flags |= MACHINE_FLAG_KVM; +- else ++ else if (!memcmp(vmms->vm[0].cpi, "\xa9\x61\xe5\xd4", 4)) + S390_lowcore.machine_flags |= MACHINE_FLAG_VM; + } + +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index 98c1f7941142..3cb71fc94995 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -884,6 +884,8 @@ void __init setup_arch(char **cmdline_p) + pr_info("Linux is running under KVM in 64-bit mode\n"); + else if (MACHINE_IS_LPAR) + pr_info("Linux is running natively in 64-bit mode\n"); ++ else ++ pr_info("Linux is running as a guest in 64-bit mode\n"); + + /* Have one command line that is parsed and saved in /proc/cmdline */ + /* boot_command_line has been already set up in early.c */ +diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c +index ae5df4177803..27258db640d7 100644 +--- a/arch/s390/kernel/smp.c ++++ b/arch/s390/kernel/smp.c +@@ -387,9 +387,13 @@ void smp_call_online_cpu(void (*func)(void *), void *data) + */ + void smp_call_ipl_cpu(void (*func)(void *), void *data) + { ++ struct lowcore *lc = pcpu_devices->lowcore; ++ ++ if (pcpu_devices[0].address == stap()) ++ lc = &S390_lowcore; ++ + pcpu_delegate(&pcpu_devices[0], func, data, +- pcpu_devices->lowcore->panic_stack - +- PANIC_FRAME_OFFSET + PAGE_SIZE); ++ lc->panic_stack - PANIC_FRAME_OFFSET + PAGE_SIZE); + } + + int smp_find_processor_id(u16 address) +@@ -1168,7 +1172,11 @@ static ssize_t __ref rescan_store(struct device *dev, + { + int rc; + ++ rc = lock_device_hotplug_sysfs(); ++ if (rc) ++ return rc; + rc = smp_rescan_cpus(); ++ unlock_device_hotplug(); + return rc ? rc : count; + } + static DEVICE_ATTR(rescan, 0200, NULL, rescan_store); +diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c +index 1911310959f8..a77fd3c8d824 100644 +--- a/arch/x86/entry/vdso/vma.c ++++ b/arch/x86/entry/vdso/vma.c +@@ -112,7 +112,7 @@ static int vvar_fault(const struct vm_special_mapping *sm, + __pa_symbol(&__vvar_page) >> PAGE_SHIFT); + } else if (sym_offset == image->sym_pvclock_page) { + struct pvclock_vsyscall_time_info *pvti = +- pvclock_pvti_cpu0_va(); ++ pvclock_get_pvti_cpu0_va(); + if (pvti && vclock_was_used(VCLOCK_PVCLOCK)) { + ret = vm_insert_pfn( + vma, +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index ed97ef3b48a7..7ebcbd1d881d 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -182,6 +182,10 @@ static inline void switch_ldt(struct mm_struct *prev, struct mm_struct *next) + + void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk); + ++/* ++ * Init a new mm. Used on mm copies, like at fork() ++ * and on mm's that are brand-new, like at execve(). ++ */ + static inline int init_new_context(struct task_struct *tsk, + struct mm_struct *mm) + { +@@ -232,8 +236,22 @@ do { \ + } while (0) + #endif + ++static inline void arch_dup_pkeys(struct mm_struct *oldmm, ++ struct mm_struct *mm) ++{ ++#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS ++ if (!cpu_feature_enabled(X86_FEATURE_OSPKE)) ++ return; ++ ++ /* Duplicate the oldmm pkey state in mm: */ ++ mm->context.pkey_allocation_map = oldmm->context.pkey_allocation_map; ++ mm->context.execute_only_pkey = oldmm->context.execute_only_pkey; ++#endif ++} ++ + static inline int arch_dup_mmap(struct mm_struct *oldmm, struct mm_struct *mm) + { ++ arch_dup_pkeys(oldmm, mm); + paravirt_arch_dup_mmap(oldmm, mm); + return ldt_dup_context(oldmm, mm); + } +diff --git a/arch/x86/include/asm/pvclock.h b/arch/x86/include/asm/pvclock.h +index 3e4ed8fb5f91..a7471dcd2205 100644 +--- a/arch/x86/include/asm/pvclock.h ++++ b/arch/x86/include/asm/pvclock.h +@@ -5,15 +5,6 @@ + #include <linux/clocksource.h> + #include <asm/pvclock-abi.h> + +-#ifdef CONFIG_KVM_GUEST +-extern struct pvclock_vsyscall_time_info *pvclock_pvti_cpu0_va(void); +-#else +-static inline struct pvclock_vsyscall_time_info *pvclock_pvti_cpu0_va(void) +-{ +- return NULL; +-} +-#endif +- + /* some helper functions for xen and kvm pv clock sources */ + u64 pvclock_clocksource_read(struct pvclock_vcpu_time_info *src); + u8 pvclock_read_flags(struct pvclock_vcpu_time_info *src); +@@ -102,4 +93,14 @@ struct pvclock_vsyscall_time_info { + + #define PVTI_SIZE sizeof(struct pvclock_vsyscall_time_info) + ++#ifdef CONFIG_PARAVIRT_CLOCK ++void pvclock_set_pvti_cpu0_va(struct pvclock_vsyscall_time_info *pvti); ++struct pvclock_vsyscall_time_info *pvclock_get_pvti_cpu0_va(void); ++#else ++static inline struct pvclock_vsyscall_time_info *pvclock_get_pvti_cpu0_va(void) ++{ ++ return NULL; ++} ++#endif ++ + #endif /* _ASM_X86_PVCLOCK_H */ +diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c +index 48703d430a2f..08806d64eacd 100644 +--- a/arch/x86/kernel/kvmclock.c ++++ b/arch/x86/kernel/kvmclock.c +@@ -47,12 +47,6 @@ early_param("no-kvmclock", parse_no_kvmclock); + static struct pvclock_vsyscall_time_info *hv_clock; + static struct pvclock_wall_clock wall_clock; + +-struct pvclock_vsyscall_time_info *pvclock_pvti_cpu0_va(void) +-{ +- return hv_clock; +-} +-EXPORT_SYMBOL_GPL(pvclock_pvti_cpu0_va); +- + /* + * The wallclock is the time of day when we booted. Since then, some time may + * have elapsed since the hypervisor wrote the data. So we try to account for +@@ -335,6 +329,7 @@ int __init kvm_setup_vsyscall_timeinfo(void) + return 1; + } + ++ pvclock_set_pvti_cpu0_va(hv_clock); + put_cpu(); + + kvm_clock.archdata.vclock_mode = VCLOCK_PVCLOCK; +diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c +index 5c3f6d6a5078..761f6af6efa5 100644 +--- a/arch/x86/kernel/pvclock.c ++++ b/arch/x86/kernel/pvclock.c +@@ -25,8 +25,10 @@ + + #include <asm/fixmap.h> + #include <asm/pvclock.h> ++#include <asm/vgtod.h> + + static u8 valid_flags __read_mostly = 0; ++static struct pvclock_vsyscall_time_info *pvti_cpu0_va __read_mostly; + + void pvclock_set_flags(u8 flags) + { +@@ -144,3 +146,15 @@ void pvclock_read_wallclock(struct pvclock_wall_clock *wall_clock, + + set_normalized_timespec(ts, now.tv_sec, now.tv_nsec); + } ++ ++void pvclock_set_pvti_cpu0_va(struct pvclock_vsyscall_time_info *pvti) ++{ ++ WARN_ON(vclock_was_used(VCLOCK_PVCLOCK)); ++ pvti_cpu0_va = pvti; ++} ++ ++struct pvclock_vsyscall_time_info *pvclock_get_pvti_cpu0_va(void) ++{ ++ return pvti_cpu0_va; ++} ++EXPORT_SYMBOL_GPL(pvclock_get_pvti_cpu0_va); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 130be2efafbe..867c22f8d59b 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5923,8 +5923,7 @@ restart: + toggle_interruptibility(vcpu, ctxt->interruptibility); + vcpu->arch.emulate_regs_need_sync_to_vcpu = false; + kvm_rip_write(vcpu, ctxt->eip); +- if (r == EMULATE_DONE && +- (ctxt->tf || (vcpu->guest_debug & KVM_GUESTDBG_SINGLESTEP))) ++ if (r == EMULATE_DONE && ctxt->tf) + kvm_vcpu_do_singlestep(vcpu, &r); + if (!ctxt->have_exception || + exception_type(ctxt->exception.vector) == EXCPT_TRAP) +@@ -7423,14 +7422,12 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run) + } + } + +- kvm_load_guest_fpu(vcpu); +- + if (unlikely(vcpu->arch.complete_userspace_io)) { + int (*cui)(struct kvm_vcpu *) = vcpu->arch.complete_userspace_io; + vcpu->arch.complete_userspace_io = NULL; + r = cui(vcpu); + if (r <= 0) +- goto out_fpu; ++ goto out; + } else + WARN_ON(vcpu->arch.pio.count || vcpu->mmio_needed); + +@@ -7439,8 +7436,6 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run) + else + r = vcpu_run(vcpu); + +-out_fpu: +- kvm_put_guest_fpu(vcpu); + out: + kvm_put_guest_fpu(vcpu); + post_kvm_run_save(vcpu); +diff --git a/arch/x86/lib/kaslr.c b/arch/x86/lib/kaslr.c +index 79778ab200e4..a53665116458 100644 +--- a/arch/x86/lib/kaslr.c ++++ b/arch/x86/lib/kaslr.c +@@ -36,8 +36,8 @@ static inline u16 i8254(void) + u16 status, timer; + + do { +- outb(I8254_PORT_CONTROL, +- I8254_CMD_READBACK | I8254_SELECT_COUNTER0); ++ outb(I8254_CMD_READBACK | I8254_SELECT_COUNTER0, ++ I8254_PORT_CONTROL); + status = inb(I8254_PORT_COUNTER0); + timer = inb(I8254_PORT_COUNTER0); + timer |= inb(I8254_PORT_COUNTER0) << 8; +diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c +index 3e3a58ea669e..1d83152c761b 100644 +--- a/arch/x86/xen/suspend.c ++++ b/arch/x86/xen/suspend.c +@@ -22,6 +22,8 @@ static DEFINE_PER_CPU(u64, spec_ctrl); + + void xen_arch_pre_suspend(void) + { ++ xen_save_time_memory_area(); ++ + if (xen_pv_domain()) + xen_pv_pre_suspend(); + } +@@ -32,6 +34,8 @@ void xen_arch_post_suspend(int cancelled) + xen_pv_post_suspend(cancelled); + else + xen_hvm_post_suspend(cancelled); ++ ++ xen_restore_time_memory_area(); + } + + static void xen_vcpu_notify_restore(void *data) +diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c +index 80c2a4bdf230..03706331f567 100644 +--- a/arch/x86/xen/time.c ++++ b/arch/x86/xen/time.c +@@ -31,6 +31,8 @@ + /* Xen may fire a timer up to this many ns early */ + #define TIMER_SLOP 100000 + ++static u64 xen_sched_clock_offset __read_mostly; ++ + /* Get the TSC speed from Xen */ + static unsigned long xen_tsc_khz(void) + { +@@ -57,6 +59,11 @@ static u64 xen_clocksource_get_cycles(struct clocksource *cs) + return xen_clocksource_read(); + } + ++static u64 xen_sched_clock(void) ++{ ++ return xen_clocksource_read() - xen_sched_clock_offset; ++} ++ + static void xen_read_wallclock(struct timespec *ts) + { + struct shared_info *s = HYPERVISOR_shared_info; +@@ -354,8 +361,6 @@ void xen_timer_resume(void) + { + int cpu; + +- pvclock_resume(); +- + if (xen_clockevent != &xen_vcpuop_clockevent) + return; + +@@ -367,12 +372,107 @@ void xen_timer_resume(void) + } + + static const struct pv_time_ops xen_time_ops __initconst = { +- .sched_clock = xen_clocksource_read, ++ .sched_clock = xen_sched_clock, + .steal_clock = xen_steal_clock, + }; + ++static struct pvclock_vsyscall_time_info *xen_clock __read_mostly; ++static u64 xen_clock_value_saved; ++ ++void xen_save_time_memory_area(void) ++{ ++ struct vcpu_register_time_memory_area t; ++ int ret; ++ ++ xen_clock_value_saved = xen_clocksource_read() - xen_sched_clock_offset; ++ ++ if (!xen_clock) ++ return; ++ ++ t.addr.v = NULL; ++ ++ ret = HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_time_memory_area, 0, &t); ++ if (ret != 0) ++ pr_notice("Cannot save secondary vcpu_time_info (err %d)", ++ ret); ++ else ++ clear_page(xen_clock); ++} ++ ++void xen_restore_time_memory_area(void) ++{ ++ struct vcpu_register_time_memory_area t; ++ int ret; ++ ++ if (!xen_clock) ++ goto out; ++ ++ t.addr.v = &xen_clock->pvti; ++ ++ ret = HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_time_memory_area, 0, &t); ++ ++ /* ++ * We don't disable VCLOCK_PVCLOCK entirely if it fails to register the ++ * secondary time info with Xen or if we migrated to a host without the ++ * necessary flags. On both of these cases what happens is either ++ * process seeing a zeroed out pvti or seeing no PVCLOCK_TSC_STABLE_BIT ++ * bit set. Userspace checks the latter and if 0, it discards the data ++ * in pvti and fallbacks to a system call for a reliable timestamp. ++ */ ++ if (ret != 0) ++ pr_notice("Cannot restore secondary vcpu_time_info (err %d)", ++ ret); ++ ++out: ++ /* Need pvclock_resume() before using xen_clocksource_read(). */ ++ pvclock_resume(); ++ xen_sched_clock_offset = xen_clocksource_read() - xen_clock_value_saved; ++} ++ ++static void xen_setup_vsyscall_time_info(void) ++{ ++ struct vcpu_register_time_memory_area t; ++ struct pvclock_vsyscall_time_info *ti; ++ int ret; ++ ++ ti = (struct pvclock_vsyscall_time_info *)get_zeroed_page(GFP_KERNEL); ++ if (!ti) ++ return; ++ ++ t.addr.v = &ti->pvti; ++ ++ ret = HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_time_memory_area, 0, &t); ++ if (ret) { ++ pr_notice("xen: VCLOCK_PVCLOCK not supported (err %d)\n", ret); ++ free_page((unsigned long)ti); ++ return; ++ } ++ ++ /* ++ * If primary time info had this bit set, secondary should too since ++ * it's the same data on both just different memory regions. But we ++ * still check it in case hypervisor is buggy. ++ */ ++ if (!(ti->pvti.flags & PVCLOCK_TSC_STABLE_BIT)) { ++ t.addr.v = NULL; ++ ret = HYPERVISOR_vcpu_op(VCPUOP_register_vcpu_time_memory_area, ++ 0, &t); ++ if (!ret) ++ free_page((unsigned long)ti); ++ ++ pr_notice("xen: VCLOCK_PVCLOCK not supported (tsc unstable)\n"); ++ return; ++ } ++ ++ xen_clock = ti; ++ pvclock_set_pvti_cpu0_va(xen_clock); ++ ++ xen_clocksource.archdata.vclock_mode = VCLOCK_PVCLOCK; ++} ++ + static void __init xen_time_init(void) + { ++ struct pvclock_vcpu_time_info *pvti; + int cpu = smp_processor_id(); + struct timespec tp; + +@@ -396,6 +496,16 @@ static void __init xen_time_init(void) + + setup_force_cpu_cap(X86_FEATURE_TSC); + ++ /* ++ * We check ahead on the primary time info if this ++ * bit is supported hence speeding up Xen clocksource. ++ */ ++ pvti = &__this_cpu_read(xen_vcpu)->time; ++ if (pvti->flags & PVCLOCK_TSC_STABLE_BIT) { ++ pvclock_set_flags(PVCLOCK_TSC_STABLE_BIT); ++ xen_setup_vsyscall_time_info(); ++ } ++ + xen_setup_runstate_info(cpu); + xen_setup_timer(cpu); + xen_setup_cpu_clockevents(); +@@ -408,6 +518,7 @@ static void __init xen_time_init(void) + + void __ref xen_init_time_ops(void) + { ++ xen_sched_clock_offset = xen_clocksource_read(); + pv_time_ops = xen_time_ops; + + x86_init.timers.timer_init = xen_time_init; +@@ -450,6 +561,7 @@ void __init xen_hvm_init_time_ops(void) + return; + } + ++ xen_sched_clock_offset = xen_clocksource_read(); + pv_time_ops = xen_time_ops; + x86_init.timers.setup_percpu_clockev = xen_time_init; + x86_cpuinit.setup_percpu_clockev = xen_hvm_setup_cpu_clockevents; +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index f377e1820c6c..75011b80660f 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -70,6 +70,8 @@ void xen_setup_runstate_info(int cpu); + void xen_teardown_timer(int cpu); + u64 xen_clocksource_read(void); + void xen_setup_cpu_clockevents(void); ++void xen_save_time_memory_area(void); ++void xen_restore_time_memory_area(void); + void __init xen_init_time_ops(void); + void __init xen_hvm_init_time_ops(void); + +diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c +index 8260b90eb64b..4a6c5e7b6835 100644 +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -208,6 +208,32 @@ static int xlat_status(struct nvdimm *nvdimm, void *buf, unsigned int cmd, + return xlat_nvdimm_status(buf, cmd, status); + } + ++static int cmd_to_func(struct nfit_mem *nfit_mem, unsigned int cmd, ++ struct nd_cmd_pkg *call_pkg) ++{ ++ if (call_pkg) { ++ int i; ++ ++ if (nfit_mem->family != call_pkg->nd_family) ++ return -ENOTTY; ++ ++ for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++) ++ if (call_pkg->nd_reserved2[i]) ++ return -EINVAL; ++ return call_pkg->nd_command; ++ } ++ ++ /* Linux ND commands == NVDIMM_FAMILY_INTEL function numbers */ ++ if (nfit_mem->family == NVDIMM_FAMILY_INTEL) ++ return cmd; ++ ++ /* ++ * Force function number validation to fail since 0 is never ++ * published as a valid function in dsm_mask. ++ */ ++ return 0; ++} ++ + int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + unsigned int cmd, void *buf, unsigned int buf_len, int *cmd_rc) + { +@@ -220,21 +246,11 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + unsigned long cmd_mask, dsm_mask; + u32 offset, fw_status = 0; + acpi_handle handle; +- unsigned int func; + const guid_t *guid; +- int rc, i; ++ int func, rc, i; + + if (cmd_rc) + *cmd_rc = -EINVAL; +- func = cmd; +- if (cmd == ND_CMD_CALL) { +- call_pkg = buf; +- func = call_pkg->nd_command; +- +- for (i = 0; i < ARRAY_SIZE(call_pkg->nd_reserved2); i++) +- if (call_pkg->nd_reserved2[i]) +- return -EINVAL; +- } + + if (nvdimm) { + struct nfit_mem *nfit_mem = nvdimm_provider_data(nvdimm); +@@ -242,9 +258,12 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + + if (!adev) + return -ENOTTY; +- if (call_pkg && nfit_mem->family != call_pkg->nd_family) +- return -ENOTTY; + ++ if (cmd == ND_CMD_CALL) ++ call_pkg = buf; ++ func = cmd_to_func(nfit_mem, cmd, call_pkg); ++ if (func < 0) ++ return func; + dimm_name = nvdimm_name(nvdimm); + cmd_name = nvdimm_cmd_name(cmd); + cmd_mask = nvdimm_cmd_mask(nvdimm); +@@ -255,6 +274,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + } else { + struct acpi_device *adev = to_acpi_dev(acpi_desc); + ++ func = cmd; + cmd_name = nvdimm_bus_cmd_name(cmd); + cmd_mask = nd_desc->cmd_mask; + dsm_mask = cmd_mask; +@@ -269,7 +289,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, + if (!desc || (cmd && (desc->out_num + desc->in_num == 0))) + return -ENOTTY; + +- if (!test_bit(cmd, &cmd_mask) || !test_bit(func, &dsm_mask)) ++ /* ++ * Check for a valid command. For ND_CMD_CALL, we also have to ++ * make sure that the DSM function is supported. ++ */ ++ if (cmd == ND_CMD_CALL && !test_bit(func, &dsm_mask)) ++ return -ENOTTY; ++ else if (!test_bit(cmd, &cmd_mask)) + return -ENOTTY; + + in_obj.type = ACPI_TYPE_PACKAGE; +@@ -1503,6 +1529,13 @@ static int acpi_nfit_add_dimm(struct acpi_nfit_desc *acpi_desc, + return 0; + } + ++ /* ++ * Function 0 is the command interrogation function, don't ++ * export it to potential userspace use, and enable it to be ++ * used as an error value in acpi_nfit_ctl(). ++ */ ++ dsm_mask &= ~1UL; ++ + guid = to_nfit_uuid(nfit_mem->family); + for_each_set_bit(i, &dsm_mask, BITS_PER_LONG) + if (acpi_check_dsm(adev_dimm->handle, guid, 1, 1ULL << i)) +diff --git a/drivers/char/mwave/mwavedd.c b/drivers/char/mwave/mwavedd.c +index b5e3103c1175..e43c876a9223 100644 +--- a/drivers/char/mwave/mwavedd.c ++++ b/drivers/char/mwave/mwavedd.c +@@ -59,6 +59,7 @@ + #include <linux/mutex.h> + #include <linux/delay.h> + #include <linux/serial_8250.h> ++#include <linux/nospec.h> + #include "smapi.h" + #include "mwavedd.h" + #include "3780i.h" +@@ -289,6 +290,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd, + ipcnum); + return -EINVAL; + } ++ ipcnum = array_index_nospec(ipcnum, ++ ARRAY_SIZE(pDrvData->IPCs)); + PRINTK_3(TRACE_MWAVE, + "mwavedd::mwave_ioctl IOCTL_MW_REGISTER_IPC" + " ipcnum %x entry usIntCount %x\n", +@@ -317,6 +320,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd, + " Invalid ipcnum %x\n", ipcnum); + return -EINVAL; + } ++ ipcnum = array_index_nospec(ipcnum, ++ ARRAY_SIZE(pDrvData->IPCs)); + PRINTK_3(TRACE_MWAVE, + "mwavedd::mwave_ioctl IOCTL_MW_GET_IPC" + " ipcnum %x, usIntCount %x\n", +@@ -383,6 +388,8 @@ static long mwave_ioctl(struct file *file, unsigned int iocmd, + ipcnum); + return -EINVAL; + } ++ ipcnum = array_index_nospec(ipcnum, ++ ARRAY_SIZE(pDrvData->IPCs)); + mutex_lock(&mwave_mutex); + if (pDrvData->IPCs[ipcnum].bIsEnabled == true) { + pDrvData->IPCs[ipcnum].bIsEnabled = false; +diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c +index db0e6652d7ef..0824405f93fb 100644 +--- a/drivers/hv/hv_balloon.c ++++ b/drivers/hv/hv_balloon.c +@@ -846,12 +846,14 @@ static unsigned long handle_pg_range(unsigned long pg_start, + pfn_cnt -= pgs_ol; + /* + * Check if the corresponding memory block is already +- * online by checking its last previously backed page. +- * In case it is we need to bring rest (which was not +- * backed previously) online too. ++ * online. It is possible to observe struct pages still ++ * being uninitialized here so check section instead. ++ * In case the section is online we need to bring the ++ * rest of pfns (which were not backed previously) ++ * online too. + */ + if (start_pfn > has->start_pfn && +- !PageReserved(pfn_to_page(start_pfn - 1))) ++ online_section_nr(pfn_to_section_nr(start_pfn))) + hv_bring_pgs_online(has, start_pfn, pgs_ol); + + } +diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c +index 3f8dde8d59ba..74c1dfb8183b 100644 +--- a/drivers/hv/ring_buffer.c ++++ b/drivers/hv/ring_buffer.c +@@ -141,26 +141,25 @@ static u32 hv_copyto_ringbuffer( + } + + /* Get various debug metrics for the specified ring buffer. */ +-void hv_ringbuffer_get_debuginfo(const struct hv_ring_buffer_info *ring_info, +- struct hv_ring_buffer_debug_info *debug_info) ++int hv_ringbuffer_get_debuginfo(const struct hv_ring_buffer_info *ring_info, ++ struct hv_ring_buffer_debug_info *debug_info) + { + u32 bytes_avail_towrite; + u32 bytes_avail_toread; + +- if (ring_info->ring_buffer) { +- hv_get_ringbuffer_availbytes(ring_info, +- &bytes_avail_toread, +- &bytes_avail_towrite); +- +- debug_info->bytes_avail_toread = bytes_avail_toread; +- debug_info->bytes_avail_towrite = bytes_avail_towrite; +- debug_info->current_read_index = +- ring_info->ring_buffer->read_index; +- debug_info->current_write_index = +- ring_info->ring_buffer->write_index; +- debug_info->current_interrupt_mask = +- ring_info->ring_buffer->interrupt_mask; +- } ++ if (!ring_info->ring_buffer) ++ return -EINVAL; ++ ++ hv_get_ringbuffer_availbytes(ring_info, ++ &bytes_avail_toread, ++ &bytes_avail_towrite); ++ debug_info->bytes_avail_toread = bytes_avail_toread; ++ debug_info->bytes_avail_towrite = bytes_avail_towrite; ++ debug_info->current_read_index = ring_info->ring_buffer->read_index; ++ debug_info->current_write_index = ring_info->ring_buffer->write_index; ++ debug_info->current_interrupt_mask ++ = ring_info->ring_buffer->interrupt_mask; ++ return 0; + } + EXPORT_SYMBOL_GPL(hv_ringbuffer_get_debuginfo); + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 4218a616f1d3..1fd812ed679b 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -297,12 +297,16 @@ static ssize_t out_intr_mask_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info outbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, ++ &outbound); ++ if (ret < 0) ++ return ret; ++ + return sprintf(buf, "%d\n", outbound.current_interrupt_mask); + } + static DEVICE_ATTR_RO(out_intr_mask); +@@ -312,12 +316,15 @@ static ssize_t out_read_index_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info outbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, ++ &outbound); ++ if (ret < 0) ++ return ret; + return sprintf(buf, "%d\n", outbound.current_read_index); + } + static DEVICE_ATTR_RO(out_read_index); +@@ -328,12 +335,15 @@ static ssize_t out_write_index_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info outbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, ++ &outbound); ++ if (ret < 0) ++ return ret; + return sprintf(buf, "%d\n", outbound.current_write_index); + } + static DEVICE_ATTR_RO(out_write_index); +@@ -344,12 +354,15 @@ static ssize_t out_read_bytes_avail_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info outbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, ++ &outbound); ++ if (ret < 0) ++ return ret; + return sprintf(buf, "%d\n", outbound.bytes_avail_toread); + } + static DEVICE_ATTR_RO(out_read_bytes_avail); +@@ -360,12 +373,15 @@ static ssize_t out_write_bytes_avail_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info outbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, &outbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->outbound, ++ &outbound); ++ if (ret < 0) ++ return ret; + return sprintf(buf, "%d\n", outbound.bytes_avail_towrite); + } + static DEVICE_ATTR_RO(out_write_bytes_avail); +@@ -375,12 +391,15 @@ static ssize_t in_intr_mask_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info inbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ if (ret < 0) ++ return ret; ++ + return sprintf(buf, "%d\n", inbound.current_interrupt_mask); + } + static DEVICE_ATTR_RO(in_intr_mask); +@@ -390,12 +409,15 @@ static ssize_t in_read_index_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info inbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ if (ret < 0) ++ return ret; ++ + return sprintf(buf, "%d\n", inbound.current_read_index); + } + static DEVICE_ATTR_RO(in_read_index); +@@ -405,12 +427,15 @@ static ssize_t in_write_index_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info inbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ if (ret < 0) ++ return ret; ++ + return sprintf(buf, "%d\n", inbound.current_write_index); + } + static DEVICE_ATTR_RO(in_write_index); +@@ -421,12 +446,15 @@ static ssize_t in_read_bytes_avail_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info inbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ if (ret < 0) ++ return ret; ++ + return sprintf(buf, "%d\n", inbound.bytes_avail_toread); + } + static DEVICE_ATTR_RO(in_read_bytes_avail); +@@ -437,12 +465,15 @@ static ssize_t in_write_bytes_avail_show(struct device *dev, + { + struct hv_device *hv_dev = device_to_hv_device(dev); + struct hv_ring_buffer_debug_info inbound; ++ int ret; + + if (!hv_dev->channel) + return -ENODEV; +- if (hv_dev->channel->state != CHANNEL_OPENED_STATE) +- return -EINVAL; +- hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ ++ ret = hv_ringbuffer_get_debuginfo(&hv_dev->channel->inbound, &inbound); ++ if (ret < 0) ++ return ret; ++ + return sprintf(buf, "%d\n", inbound.bytes_avail_towrite); + } + static DEVICE_ATTR_RO(in_write_bytes_avail); +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index f55dcdf99bc5..26476a64e663 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -255,6 +255,8 @@ static const struct xpad_device { + { 0x0f30, 0x0202, "Joytech Advanced Controller", 0, XTYPE_XBOX }, + { 0x0f30, 0x8888, "BigBen XBMiniPad Controller", 0, XTYPE_XBOX }, + { 0x102c, 0xff0c, "Joytech Wireless Advanced Controller", 0, XTYPE_XBOX }, ++ { 0x1038, 0x1430, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 }, ++ { 0x1038, 0x1431, "SteelSeries Stratus Duo", 0, XTYPE_XBOX360 }, + { 0x11c9, 0x55f0, "Nacon GC-100XF", 0, XTYPE_XBOX360 }, + { 0x12ab, 0x0004, "Honey Bee Xbox360 dancepad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX360 }, + { 0x12ab, 0x0301, "PDP AFTERGLOW AX.1", 0, XTYPE_XBOX360 }, +@@ -431,6 +433,7 @@ static const struct usb_device_id xpad_table[] = { + XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f X-Box One controllers */ + XPAD_XBOX360_VENDOR(0x0f0d), /* Hori Controllers */ + XPAD_XBOXONE_VENDOR(0x0f0d), /* Hori Controllers */ ++ XPAD_XBOX360_VENDOR(0x1038), /* SteelSeries Controllers */ + XPAD_XBOX360_VENDOR(0x11c9), /* Nacon GC100XF */ + XPAD_XBOX360_VENDOR(0x12ab), /* X-Box 360 dance pads */ + XPAD_XBOX360_VENDOR(0x1430), /* RedOctane X-Box 360 controllers */ +diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c +index 443151de90c6..8c95d3f78072 100644 +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -39,6 +39,7 @@ + #include <linux/fs.h> + #include <linux/miscdevice.h> + #include <linux/uinput.h> ++#include <linux/overflow.h> + #include <linux/input/mt.h> + #include "../input-compat.h" + +@@ -356,7 +357,7 @@ static int uinput_open(struct inode *inode, struct file *file) + static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, + const struct input_absinfo *abs) + { +- int min, max; ++ int min, max, range; + + min = abs->minimum; + max = abs->maximum; +@@ -368,7 +369,7 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code, + return -EINVAL; + } + +- if (abs->flat > max - min) { ++ if (!check_sub_overflow(max, min, &range) && abs->flat > range) { + printk(KERN_DEBUG + "%s: abs_flat #%02x out of range: %d (min:%d/max:%d)\n", + UINPUT_NAME, code, abs->flat, min, max); +diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c +index 2ea39a83737f..7638ca03fb1f 100644 +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -2086,13 +2086,14 @@ static void its_free_device(struct its_device *its_dev) + kfree(its_dev); + } + +-static int its_alloc_device_irq(struct its_device *dev, irq_hw_number_t *hwirq) ++static int its_alloc_device_irq(struct its_device *dev, int nvecs, irq_hw_number_t *hwirq) + { + int idx; + +- idx = find_first_zero_bit(dev->event_map.lpi_map, +- dev->event_map.nr_lpis); +- if (idx == dev->event_map.nr_lpis) ++ idx = bitmap_find_free_region(dev->event_map.lpi_map, ++ dev->event_map.nr_lpis, ++ get_count_order(nvecs)); ++ if (idx < 0) + return -ENOSPC; + + *hwirq = dev->event_map.lpi_base + idx; +@@ -2188,21 +2189,21 @@ static int its_irq_domain_alloc(struct irq_domain *domain, unsigned int virq, + int err; + int i; + +- for (i = 0; i < nr_irqs; i++) { +- err = its_alloc_device_irq(its_dev, &hwirq); +- if (err) +- return err; ++ err = its_alloc_device_irq(its_dev, nr_irqs, &hwirq); ++ if (err) ++ return err; + +- err = its_irq_gic_domain_alloc(domain, virq + i, hwirq); ++ for (i = 0; i < nr_irqs; i++) { ++ err = its_irq_gic_domain_alloc(domain, virq + i, hwirq + i); + if (err) + return err; + + irq_domain_set_hwirq_and_chip(domain, virq + i, +- hwirq, &its_irq_chip, its_dev); ++ hwirq + i, &its_irq_chip, its_dev); + irqd_set_single_target(irq_desc_get_irq_data(irq_to_desc(virq + i))); + pr_debug("ID:%d pID:%d vID:%d\n", +- (int)(hwirq - its_dev->event_map.lpi_base), +- (int) hwirq, virq + i); ++ (int)(hwirq + i - its_dev->event_map.lpi_base), ++ (int)(hwirq + i), virq + i); + } + + return 0; +diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c +index 2652ef68d58d..1f6d8b6be5c7 100644 +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -2413,9 +2413,21 @@ static int crypt_ctr_cipher_new(struct dm_target *ti, char *cipher_in, char *key + * capi:cipher_api_spec-iv:ivopts + */ + tmp = &cipher_in[strlen("capi:")]; +- cipher_api = strsep(&tmp, "-"); +- *ivmode = strsep(&tmp, ":"); +- *ivopts = tmp; ++ ++ /* Separate IV options if present, it can contain another '-' in hash name */ ++ *ivopts = strrchr(tmp, ':'); ++ if (*ivopts) { ++ **ivopts = '\0'; ++ (*ivopts)++; ++ } ++ /* Parse IV mode */ ++ *ivmode = strrchr(tmp, '-'); ++ if (*ivmode) { ++ **ivmode = '\0'; ++ (*ivmode)++; ++ } ++ /* The rest is crypto API spec */ ++ cipher_api = tmp; + + if (*ivmode && !strcmp(*ivmode, "lmk")) + cc->tfms_count = 64; +@@ -2485,11 +2497,8 @@ static int crypt_ctr_cipher_old(struct dm_target *ti, char *cipher_in, char *key + goto bad_mem; + + chainmode = strsep(&tmp, "-"); +- *ivopts = strsep(&tmp, "-"); +- *ivmode = strsep(&*ivopts, ":"); +- +- if (tmp) +- DMWARN("Ignoring unexpected additional cipher options"); ++ *ivmode = strsep(&tmp, ":"); ++ *ivopts = tmp; + + /* + * For compatibility with the original dm-crypt mapping format, if +diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c +index 45ff8fd00248..b85a66f42814 100644 +--- a/drivers/md/dm-thin-metadata.c ++++ b/drivers/md/dm-thin-metadata.c +@@ -1687,7 +1687,7 @@ int dm_thin_remove_range(struct dm_thin_device *td, + return r; + } + +-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result) ++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result) + { + int r; + uint32_t ref_count; +@@ -1695,7 +1695,7 @@ int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *resu + down_read(&pmd->root_lock); + r = dm_sm_get_count(pmd->data_sm, b, &ref_count); + if (!r) +- *result = (ref_count != 0); ++ *result = (ref_count > 1); + up_read(&pmd->root_lock); + + return r; +diff --git a/drivers/md/dm-thin-metadata.h b/drivers/md/dm-thin-metadata.h +index 35e954ea20a9..f6be0d733c20 100644 +--- a/drivers/md/dm-thin-metadata.h ++++ b/drivers/md/dm-thin-metadata.h +@@ -195,7 +195,7 @@ int dm_pool_get_metadata_dev_size(struct dm_pool_metadata *pmd, + + int dm_pool_get_data_dev_size(struct dm_pool_metadata *pmd, dm_block_t *result); + +-int dm_pool_block_is_used(struct dm_pool_metadata *pmd, dm_block_t b, bool *result); ++int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result); + + int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e); + int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e); +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index da98fc7b995c..40b624d8255d 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -1042,7 +1042,7 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m + * passdown we have to check that these blocks are now unused. + */ + int r = 0; +- bool used = true; ++ bool shared = true; + struct thin_c *tc = m->tc; + struct pool *pool = tc->pool; + dm_block_t b = m->data_block, e, end = m->data_block + m->virt_end - m->virt_begin; +@@ -1052,11 +1052,11 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m + while (b != end) { + /* find start of unmapped run */ + for (; b < end; b++) { +- r = dm_pool_block_is_used(pool->pmd, b, &used); ++ r = dm_pool_block_is_shared(pool->pmd, b, &shared); + if (r) + goto out; + +- if (!used) ++ if (!shared) + break; + } + +@@ -1065,11 +1065,11 @@ static void passdown_double_checking_shared_status(struct dm_thin_new_mapping *m + + /* find end of run */ + for (e = b + 1; e != end; e++) { +- r = dm_pool_block_is_used(pool->pmd, e, &used); ++ r = dm_pool_block_is_shared(pool->pmd, e, &shared); + if (r) + goto out; + +- if (used) ++ if (shared) + break; + } + +diff --git a/drivers/misc/mei/hw-me-regs.h b/drivers/misc/mei/hw-me-regs.h +index e4b10b2d1a08..23739a60517f 100644 +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -127,6 +127,8 @@ + #define MEI_DEV_ID_BXT_M 0x1A9A /* Broxton M */ + #define MEI_DEV_ID_APL_I 0x5A9A /* Apollo Lake I */ + ++#define MEI_DEV_ID_DNV_IE 0x19E5 /* Denverton IE */ ++ + #define MEI_DEV_ID_GLK 0x319A /* Gemini Lake */ + + #define MEI_DEV_ID_KBP 0xA2BA /* Kaby Point */ +diff --git a/drivers/misc/mei/pci-me.c b/drivers/misc/mei/pci-me.c +index c77e08cbbfd1..04bf2dd134d0 100644 +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -93,6 +93,8 @@ static const struct pci_device_id mei_me_pci_tbl[] = { + {MEI_PCI_DEVICE(MEI_DEV_ID_BXT_M, MEI_ME_PCH8_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_APL_I, MEI_ME_PCH8_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_DNV_IE, MEI_ME_PCH8_CFG)}, ++ + {MEI_PCI_DEVICE(MEI_DEV_ID_GLK, MEI_ME_PCH8_CFG)}, + + {MEI_PCI_DEVICE(MEI_DEV_ID_KBP, MEI_ME_PCH8_CFG)}, +diff --git a/drivers/mmc/host/Kconfig b/drivers/mmc/host/Kconfig +index 8c15637178ff..9ed786935a30 100644 +--- a/drivers/mmc/host/Kconfig ++++ b/drivers/mmc/host/Kconfig +@@ -429,6 +429,7 @@ config MMC_SDHCI_MSM + tristate "Qualcomm SDHCI Controller Support" + depends on ARCH_QCOM || (ARM && COMPILE_TEST) + depends on MMC_SDHCI_PLTFM ++ select MMC_SDHCI_IO_ACCESSORS + help + This selects the Secure Digital Host Controller Interface (SDHCI) + support present in Qualcomm SOCs. The controller supports +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 035daca63168..7d61d8801220 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -479,8 +479,6 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb); + struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr) + { + struct can_priv *priv = netdev_priv(dev); +- struct sk_buff *skb = priv->echo_skb[idx]; +- struct canfd_frame *cf; + + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", +@@ -488,20 +486,21 @@ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 + return NULL; + } + +- if (!skb) { +- netdev_err(dev, "%s: BUG! Trying to echo non existing skb: can_priv::echo_skb[%u]\n", +- __func__, idx); +- return NULL; +- } ++ if (priv->echo_skb[idx]) { ++ /* Using "struct canfd_frame::len" for the frame ++ * length is supported on both CAN and CANFD frames. ++ */ ++ struct sk_buff *skb = priv->echo_skb[idx]; ++ struct canfd_frame *cf = (struct canfd_frame *)skb->data; ++ u8 len = cf->len; + +- /* Using "struct canfd_frame::len" for the frame +- * length is supported on both CAN and CANFD frames. +- */ +- cf = (struct canfd_frame *)skb->data; +- *len_ptr = cf->len; +- priv->echo_skb[idx] = NULL; ++ *len_ptr = len; ++ priv->echo_skb[idx] = NULL; + +- return skb; ++ return skb; ++ } ++ ++ return NULL; + } + + /* +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +index d272dc6984ac..b40d4377cc71 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +@@ -431,8 +431,6 @@ + #define MAC_MDIOSCAR_PA_WIDTH 5 + #define MAC_MDIOSCAR_RA_INDEX 0 + #define MAC_MDIOSCAR_RA_WIDTH 16 +-#define MAC_MDIOSCAR_REG_INDEX 0 +-#define MAC_MDIOSCAR_REG_WIDTH 21 + #define MAC_MDIOSCCDR_BUSY_INDEX 22 + #define MAC_MDIOSCCDR_BUSY_WIDTH 1 + #define MAC_MDIOSCCDR_CMD_INDEX 16 +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +index e107e180e2c8..1e4bb33925e6 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -1284,6 +1284,20 @@ static void xgbe_write_mmd_regs(struct xgbe_prv_data *pdata, int prtad, + } + } + ++static unsigned int xgbe_create_mdio_sca(int port, int reg) ++{ ++ unsigned int mdio_sca, da; ++ ++ da = (reg & MII_ADDR_C45) ? reg >> 16 : 0; ++ ++ mdio_sca = 0; ++ XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, RA, reg); ++ XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, PA, port); ++ XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, DA, da); ++ ++ return mdio_sca; ++} ++ + static int xgbe_write_ext_mii_regs(struct xgbe_prv_data *pdata, int addr, + int reg, u16 val) + { +@@ -1291,9 +1305,7 @@ static int xgbe_write_ext_mii_regs(struct xgbe_prv_data *pdata, int addr, + + reinit_completion(&pdata->mdio_complete); + +- mdio_sca = 0; +- XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, REG, reg); +- XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, DA, addr); ++ mdio_sca = xgbe_create_mdio_sca(addr, reg); + XGMAC_IOWRITE(pdata, MAC_MDIOSCAR, mdio_sca); + + mdio_sccd = 0; +@@ -1317,9 +1329,7 @@ static int xgbe_read_ext_mii_regs(struct xgbe_prv_data *pdata, int addr, + + reinit_completion(&pdata->mdio_complete); + +- mdio_sca = 0; +- XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, REG, reg); +- XGMAC_SET_BITS(mdio_sca, MAC_MDIOSCAR, DA, addr); ++ mdio_sca = xgbe_create_mdio_sca(addr, reg); + XGMAC_IOWRITE(pdata, MAC_MDIOSCAR, mdio_sca); + + mdio_sccd = 0; +diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h +index 8e2a19616bc9..c87bc0a5efa3 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/common.h ++++ b/drivers/net/ethernet/stmicro/stmmac/common.h +@@ -444,7 +444,8 @@ struct stmmac_dma_ops { + int rxfifosz); + void (*dma_rx_mode)(void __iomem *ioaddr, int mode, u32 channel, + int fifosz); +- void (*dma_tx_mode)(void __iomem *ioaddr, int mode, u32 channel); ++ void (*dma_tx_mode)(void __iomem *ioaddr, int mode, u32 channel, ++ int fifosz); + /* To track extra statistic (if supported) */ + void (*dma_diagnostic_fr) (void *data, struct stmmac_extra_stats *x, + void __iomem *ioaddr); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c +index e84831e1b63b..898849bbc7d4 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c +@@ -271,9 +271,10 @@ static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode, + } + + static void dwmac4_dma_tx_chan_op_mode(void __iomem *ioaddr, int mode, +- u32 channel) ++ u32 channel, int fifosz) + { + u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel)); ++ unsigned int tqs = fifosz / 256 - 1; + + if (mode == SF_DMA_MODE) { + pr_debug("GMAC: enable TX store and forward mode\n"); +@@ -306,12 +307,14 @@ static void dwmac4_dma_tx_chan_op_mode(void __iomem *ioaddr, int mode, + * For an IP with DWC_EQOS_NUM_TXQ > 1, the fields TXQEN and TQS are R/W + * with reset values: TXQEN off, TQS 256 bytes. + * +- * Write the bits in both cases, since it will have no effect when RO. +- * For DWC_EQOS_NUM_TXQ > 1, the top bits in MTL_OP_MODE_TQS_MASK might +- * be RO, however, writing the whole TQS field will result in a value +- * equal to DWC_EQOS_TXFIFO_SIZE, just like for DWC_EQOS_NUM_TXQ == 1. ++ * TXQEN must be written for multi-channel operation and TQS must ++ * reflect the available fifo size per queue (total fifo size / number ++ * of enabled queues). + */ +- mtl_tx_op |= MTL_OP_MODE_TXQEN | MTL_OP_MODE_TQS_MASK; ++ mtl_tx_op |= MTL_OP_MODE_TXQEN; ++ mtl_tx_op &= ~MTL_OP_MODE_TQS_MASK; ++ mtl_tx_op |= tqs << MTL_OP_MODE_TQS_SHIFT; ++ + writel(mtl_tx_op, ioaddr + MTL_CHAN_TX_OP_MODE(channel)); + } + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index bafbebeb0e00..a901feaad4e1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1765,12 +1765,19 @@ static void stmmac_dma_operation_mode(struct stmmac_priv *priv) + u32 rx_channels_count = priv->plat->rx_queues_to_use; + u32 tx_channels_count = priv->plat->tx_queues_to_use; + int rxfifosz = priv->plat->rx_fifo_size; ++ int txfifosz = priv->plat->tx_fifo_size; + u32 txmode = 0; + u32 rxmode = 0; + u32 chan = 0; + + if (rxfifosz == 0) + rxfifosz = priv->dma_cap.rx_fifo_size; ++ if (txfifosz == 0) ++ txfifosz = priv->dma_cap.tx_fifo_size; ++ ++ /* Adjust for real per queue fifo size */ ++ rxfifosz /= rx_channels_count; ++ txfifosz /= tx_channels_count; + + if (priv->plat->force_thresh_dma_mode) { + txmode = tc; +@@ -1798,7 +1805,8 @@ static void stmmac_dma_operation_mode(struct stmmac_priv *priv) + rxfifosz); + + for (chan = 0; chan < tx_channels_count; chan++) +- priv->hw->dma->dma_tx_mode(priv->ioaddr, txmode, chan); ++ priv->hw->dma->dma_tx_mode(priv->ioaddr, txmode, chan, ++ txfifosz); + } else { + priv->hw->dma->dma_mode(priv->ioaddr, txmode, rxmode, + rxfifosz); +@@ -1967,15 +1975,25 @@ static void stmmac_tx_err(struct stmmac_priv *priv, u32 chan) + static void stmmac_set_dma_operation_mode(struct stmmac_priv *priv, u32 txmode, + u32 rxmode, u32 chan) + { ++ u32 rx_channels_count = priv->plat->rx_queues_to_use; ++ u32 tx_channels_count = priv->plat->tx_queues_to_use; + int rxfifosz = priv->plat->rx_fifo_size; ++ int txfifosz = priv->plat->tx_fifo_size; + + if (rxfifosz == 0) + rxfifosz = priv->dma_cap.rx_fifo_size; ++ if (txfifosz == 0) ++ txfifosz = priv->dma_cap.tx_fifo_size; ++ ++ /* Adjust for real per queue fifo size */ ++ rxfifosz /= rx_channels_count; ++ txfifosz /= tx_channels_count; + + if (priv->synopsys_id >= DWMAC_CORE_4_00) { + priv->hw->dma->dma_rx_mode(priv->ioaddr, rxmode, chan, + rxfifosz); +- priv->hw->dma->dma_tx_mode(priv->ioaddr, txmode, chan); ++ priv->hw->dma->dma_tx_mode(priv->ioaddr, txmode, chan, ++ txfifosz); + } else { + priv->hw->dma->dma_mode(priv->ioaddr, txmode, rxmode, + rxfifosz); +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 2df7b62c1a36..1ece41277993 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -358,6 +358,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner) + if (IS_ERR(gpiod)) { + dev_err(&bus->dev, "mii_bus %s couldn't get reset GPIO\n", + bus->id); ++ device_del(&bus->dev); + return PTR_ERR(gpiod); + } else if (gpiod) { + bus->reset_gpiod = gpiod; +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 951892da3352..c37ef5287caa 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -445,6 +445,7 @@ static int pppoe_rcv(struct sk_buff *skb, struct net_device *dev, + if (pskb_trim_rcsum(skb, len)) + goto drop; + ++ ph = pppoe_hdr(skb); + pn = pppoe_pernet(dev_net(dev)); + + /* Note that get_item does a sock_hold(), so sk_pppox(po) +diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c +index 5d8140e58f6f..da56cc277b71 100644 +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -137,6 +137,10 @@ static void nvmet_rdma_recv_done(struct ib_cq *cq, struct ib_wc *wc); + static void nvmet_rdma_read_data_done(struct ib_cq *cq, struct ib_wc *wc); + static void nvmet_rdma_qp_event(struct ib_event *event, void *priv); + static void nvmet_rdma_queue_disconnect(struct nvmet_rdma_queue *queue); ++static void nvmet_rdma_free_rsp(struct nvmet_rdma_device *ndev, ++ struct nvmet_rdma_rsp *r); ++static int nvmet_rdma_alloc_rsp(struct nvmet_rdma_device *ndev, ++ struct nvmet_rdma_rsp *r); + + static struct nvmet_fabrics_ops nvmet_rdma_ops; + +@@ -175,9 +179,17 @@ nvmet_rdma_get_rsp(struct nvmet_rdma_queue *queue) + spin_unlock_irqrestore(&queue->rsps_lock, flags); + + if (unlikely(!rsp)) { +- rsp = kmalloc(sizeof(*rsp), GFP_KERNEL); ++ int ret; ++ ++ rsp = kzalloc(sizeof(*rsp), GFP_KERNEL); + if (unlikely(!rsp)) + return NULL; ++ ret = nvmet_rdma_alloc_rsp(queue->dev, rsp); ++ if (unlikely(ret)) { ++ kfree(rsp); ++ return NULL; ++ } ++ + rsp->allocated = true; + } + +@@ -189,7 +201,8 @@ nvmet_rdma_put_rsp(struct nvmet_rdma_rsp *rsp) + { + unsigned long flags; + +- if (rsp->allocated) { ++ if (unlikely(rsp->allocated)) { ++ nvmet_rdma_free_rsp(rsp->queue->dev, rsp); + kfree(rsp); + return; + } +diff --git a/drivers/ptp/ptp_kvm.c b/drivers/ptp/ptp_kvm.c +index 2b1b212c219e..c67dd11e08b1 100644 +--- a/drivers/ptp/ptp_kvm.c ++++ b/drivers/ptp/ptp_kvm.c +@@ -178,8 +178,11 @@ static int __init ptp_kvm_init(void) + { + long ret; + ++ if (!kvm_para_available()) ++ return -ENODEV; ++ + clock_pair_gpa = slow_virt_to_phys(&clock_pair); +- hv_clock = pvclock_pvti_cpu0_va(); ++ hv_clock = pvclock_get_pvti_cpu0_va(); + + if (!hv_clock) + return -ENODEV; +diff --git a/drivers/s390/char/sclp_config.c b/drivers/s390/char/sclp_config.c +index 194ffd5c8580..039b2074db7e 100644 +--- a/drivers/s390/char/sclp_config.c ++++ b/drivers/s390/char/sclp_config.c +@@ -60,7 +60,9 @@ static void sclp_cpu_capability_notify(struct work_struct *work) + + static void __ref sclp_cpu_change_notify(struct work_struct *work) + { ++ lock_device_hotplug(); + smp_rescan_cpus(); ++ unlock_device_hotplug(); + } + + static void sclp_conf_receiver_fn(struct evbuf_header *evbuf) +diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +index 32c7225a831e..2fc7056cbff7 100644 +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -43,6 +43,7 @@ static const struct usb_device_id rtw_usb_id_tbl[] = { + {USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */ + {USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */ + {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */ ++ {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */ + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ +diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c +index 7b2a466616d6..08bd6b965847 100644 +--- a/drivers/tty/n_hdlc.c ++++ b/drivers/tty/n_hdlc.c +@@ -598,6 +598,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file, + /* too large for caller's buffer */ + ret = -EOVERFLOW; + } else { ++ __set_current_state(TASK_RUNNING); + if (copy_to_user(buf, rbuf->buf, rbuf->count)) + ret = -EFAULT; + else +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 543d0f95f094..94ac6c6e8fb8 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -563,10 +563,12 @@ static int uart_put_char(struct tty_struct *tty, unsigned char c) + int ret = 0; + + circ = &state->xmit; +- if (!circ->buf) ++ port = uart_port_lock(state, flags); ++ if (!circ->buf) { ++ uart_port_unlock(port, flags); + return 0; ++ } + +- port = uart_port_lock(state, flags); + if (port && uart_circ_chars_free(circ) != 0) { + circ->buf[circ->head] = c; + circ->head = (circ->head + 1) & (UART_XMIT_SIZE - 1); +@@ -599,11 +601,13 @@ static int uart_write(struct tty_struct *tty, + return -EL3HLT; + } + ++ port = uart_port_lock(state, flags); + circ = &state->xmit; +- if (!circ->buf) ++ if (!circ->buf) { ++ uart_port_unlock(port, flags); + return 0; ++ } + +- port = uart_port_lock(state, flags); + while (port) { + c = CIRC_SPACE_TO_END(circ->head, circ->tail, UART_XMIT_SIZE); + if (count < c) +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 417b81c67fe9..7e351d205393 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2180,7 +2180,8 @@ static int tiocsti(struct tty_struct *tty, char __user *p) + ld = tty_ldisc_ref_wait(tty); + if (!ld) + return -EIO; +- ld->ops->receive_buf(tty, &ch, &mbz, 1); ++ if (ld->ops->receive_buf) ++ ld->ops->receive_buf(tty, &ch, &mbz, 1); + tty_ldisc_deref(ld); + return 0; + } +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index e77421e7bf46..1fb5e7f409c4 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -953,6 +953,7 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc, + if (con_is_visible(vc)) + update_screen(vc); + vt_event_post(VT_EVENT_RESIZE, vc->vc_num, vc->vc_num); ++ notify_update(vc); + return err; + } + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index b8704c0678f9..727bf3c9f53b 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -182,6 +182,8 @@ void dwc3_gadget_del_and_unmap_request(struct dwc3_ep *dep, + req->started = false; + list_del(&req->list); + req->remaining = 0; ++ req->unaligned = false; ++ req->zero = false; + + if (req->request.status == -EINPROGRESS) + req->request.status = status; +diff --git a/drivers/usb/host/xhci-mtk.c b/drivers/usb/host/xhci-mtk.c +index 510d28a9d190..35aecbcac6f7 100644 +--- a/drivers/usb/host/xhci-mtk.c ++++ b/drivers/usb/host/xhci-mtk.c +@@ -724,14 +724,16 @@ static int xhci_mtk_remove(struct platform_device *dev) + struct xhci_hcd_mtk *mtk = platform_get_drvdata(dev); + struct usb_hcd *hcd = mtk->hcd; + struct xhci_hcd *xhci = hcd_to_xhci(hcd); ++ struct usb_hcd *shared_hcd = xhci->shared_hcd; + +- usb_remove_hcd(xhci->shared_hcd); ++ usb_remove_hcd(shared_hcd); ++ xhci->shared_hcd = NULL; + xhci_mtk_phy_power_off(mtk); + xhci_mtk_phy_exit(mtk); + device_init_wakeup(&dev->dev, false); + + usb_remove_hcd(hcd); +- usb_put_hcd(xhci->shared_hcd); ++ usb_put_hcd(shared_hcd); + usb_put_hcd(hcd); + xhci_mtk_sch_exit(mtk); + xhci_mtk_clks_disable(mtk); +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 0fbc549cc55c..1de006aebec5 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -370,6 +370,7 @@ static void xhci_pci_remove(struct pci_dev *dev) + if (xhci->shared_hcd) { + usb_remove_hcd(xhci->shared_hcd); + usb_put_hcd(xhci->shared_hcd); ++ xhci->shared_hcd = NULL; + } + + /* Workaround for spurious wakeups at shutdown with HSW */ +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 830dd0dbbce0..108a212294bf 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -332,14 +332,16 @@ static int xhci_plat_remove(struct platform_device *dev) + struct usb_hcd *hcd = platform_get_drvdata(dev); + struct xhci_hcd *xhci = hcd_to_xhci(hcd); + struct clk *clk = xhci->clk; ++ struct usb_hcd *shared_hcd = xhci->shared_hcd; + + xhci->xhc_state |= XHCI_STATE_REMOVING; + +- usb_remove_hcd(xhci->shared_hcd); ++ usb_remove_hcd(shared_hcd); ++ xhci->shared_hcd = NULL; + usb_phy_shutdown(hcd->usb_phy); + + usb_remove_hcd(hcd); +- usb_put_hcd(xhci->shared_hcd); ++ usb_put_hcd(shared_hcd); + + if (!IS_ERR(clk)) + clk_disable_unprepare(clk); +diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c +index 32ddafe7af87..28df32d85671 100644 +--- a/drivers/usb/host/xhci-tegra.c ++++ b/drivers/usb/host/xhci-tegra.c +@@ -1178,6 +1178,7 @@ static int tegra_xusb_remove(struct platform_device *pdev) + + usb_remove_hcd(xhci->shared_hcd); + usb_put_hcd(xhci->shared_hcd); ++ xhci->shared_hcd = NULL; + usb_remove_hcd(tegra->hcd); + usb_put_hcd(tegra->hcd); + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 930eecd86429..c78de07c4d00 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -669,8 +669,6 @@ static void xhci_stop(struct usb_hcd *hcd) + + /* Only halt host and free memory after both hcds are removed */ + if (!usb_hcd_is_primary_hcd(hcd)) { +- /* usb core will free this hcd shortly, unset pointer */ +- xhci->shared_hcd = NULL; + mutex_unlock(&xhci->mutex); + return; + } +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index 5fa1e6fb49a6..5e86be81f4c9 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -49,6 +49,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_HCR331) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MOTOROLA) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ZTEK) }, ++ { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_TB) }, + { USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID) }, + { USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID_RSAQ5) }, + { USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID), +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index b46e74a90af2..f21445acc486 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -13,6 +13,7 @@ + + #define PL2303_VENDOR_ID 0x067b + #define PL2303_PRODUCT_ID 0x2303 ++#define PL2303_PRODUCT_ID_TB 0x2304 + #define PL2303_PRODUCT_ID_RSAQ2 0x04bb + #define PL2303_PRODUCT_ID_DCU11 0x1234 + #define PL2303_PRODUCT_ID_PHAROS 0xaaa0 +@@ -25,6 +26,7 @@ + #define PL2303_PRODUCT_ID_MOTOROLA 0x0307 + #define PL2303_PRODUCT_ID_ZTEK 0xe1f1 + ++ + #define ATEN_VENDOR_ID 0x0557 + #define ATEN_VENDOR_ID2 0x0547 + #define ATEN_PRODUCT_ID 0x2008 +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index 6d6acf2c07c3..511242111403 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -88,7 +88,8 @@ DEVICE(moto_modem, MOTO_IDS); + /* Motorola Tetra driver */ + #define MOTOROLA_TETRA_IDS() \ + { USB_DEVICE(0x0cad, 0x9011) }, /* Motorola Solutions TETRA PEI */ \ +- { USB_DEVICE(0x0cad, 0x9012) } /* MTP6550 */ ++ { USB_DEVICE(0x0cad, 0x9012) }, /* MTP6550 */ \ ++ { USB_DEVICE(0x0cad, 0x9016) } /* TPG2200 */ + DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS); + + /* Novatel Wireless GPS driver */ +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index 6123b4dd8638..4eba9ee179e3 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -851,7 +851,8 @@ static void handle_rx(struct vhost_net *net) + vhost_add_used_and_signal_n(&net->dev, vq, vq->heads, + headcount); + if (unlikely(vq_log)) +- vhost_log_write(vq, vq_log, log, vhost_len); ++ vhost_log_write(vq, vq_log, log, vhost_len, ++ vq->iov, in); + total_len += vhost_len; + if (unlikely(total_len >= VHOST_NET_WEIGHT)) { + vhost_poll_queue(&vq->poll); +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 97518685ab58..37fcb3ca89f1 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -1726,13 +1726,87 @@ static int log_write(void __user *log_base, + return r; + } + ++static int log_write_hva(struct vhost_virtqueue *vq, u64 hva, u64 len) ++{ ++ struct vhost_umem *umem = vq->umem; ++ struct vhost_umem_node *u; ++ u64 start, end, l, min; ++ int r; ++ bool hit = false; ++ ++ while (len) { ++ min = len; ++ /* More than one GPAs can be mapped into a single HVA. So ++ * iterate all possible umems here to be safe. ++ */ ++ list_for_each_entry(u, &umem->umem_list, link) { ++ if (u->userspace_addr > hva - 1 + len || ++ u->userspace_addr - 1 + u->size < hva) ++ continue; ++ start = max(u->userspace_addr, hva); ++ end = min(u->userspace_addr - 1 + u->size, ++ hva - 1 + len); ++ l = end - start + 1; ++ r = log_write(vq->log_base, ++ u->start + start - u->userspace_addr, ++ l); ++ if (r < 0) ++ return r; ++ hit = true; ++ min = min(l, min); ++ } ++ ++ if (!hit) ++ return -EFAULT; ++ ++ len -= min; ++ hva += min; ++ } ++ ++ return 0; ++} ++ ++static int log_used(struct vhost_virtqueue *vq, u64 used_offset, u64 len) ++{ ++ struct iovec iov[64]; ++ int i, ret; ++ ++ if (!vq->iotlb) ++ return log_write(vq->log_base, vq->log_addr + used_offset, len); ++ ++ ret = translate_desc(vq, (uintptr_t)vq->used + used_offset, ++ len, iov, 64, VHOST_ACCESS_WO); ++ if (ret) ++ return ret; ++ ++ for (i = 0; i < ret; i++) { ++ ret = log_write_hva(vq, (uintptr_t)iov[i].iov_base, ++ iov[i].iov_len); ++ if (ret) ++ return ret; ++ } ++ ++ return 0; ++} ++ + int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log, +- unsigned int log_num, u64 len) ++ unsigned int log_num, u64 len, struct iovec *iov, int count) + { + int i, r; + + /* Make sure data written is seen before log. */ + smp_wmb(); ++ ++ if (vq->iotlb) { ++ for (i = 0; i < count; i++) { ++ r = log_write_hva(vq, (uintptr_t)iov[i].iov_base, ++ iov[i].iov_len); ++ if (r < 0) ++ return r; ++ } ++ return 0; ++ } ++ + for (i = 0; i < log_num; ++i) { + u64 l = min(log[i].len, len); + r = log_write(vq->log_base, log[i].addr, l); +@@ -1762,9 +1836,8 @@ static int vhost_update_used_flags(struct vhost_virtqueue *vq) + smp_wmb(); + /* Log used flag write. */ + used = &vq->used->flags; +- log_write(vq->log_base, vq->log_addr + +- (used - (void __user *)vq->used), +- sizeof vq->used->flags); ++ log_used(vq, (used - (void __user *)vq->used), ++ sizeof vq->used->flags); + if (vq->log_ctx) + eventfd_signal(vq->log_ctx, 1); + } +@@ -1782,9 +1855,8 @@ static int vhost_update_avail_event(struct vhost_virtqueue *vq, u16 avail_event) + smp_wmb(); + /* Log avail event write */ + used = vhost_avail_event(vq); +- log_write(vq->log_base, vq->log_addr + +- (used - (void __user *)vq->used), +- sizeof *vhost_avail_event(vq)); ++ log_used(vq, (used - (void __user *)vq->used), ++ sizeof *vhost_avail_event(vq)); + if (vq->log_ctx) + eventfd_signal(vq->log_ctx, 1); + } +@@ -2189,10 +2261,8 @@ static int __vhost_add_used_n(struct vhost_virtqueue *vq, + /* Make sure data is seen before log. */ + smp_wmb(); + /* Log used ring entry write. */ +- log_write(vq->log_base, +- vq->log_addr + +- ((void __user *)used - (void __user *)vq->used), +- count * sizeof *used); ++ log_used(vq, ((void __user *)used - (void __user *)vq->used), ++ count * sizeof *used); + } + old = vq->last_used_idx; + new = (vq->last_used_idx += count); +@@ -2234,9 +2304,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads, + /* Make sure used idx is seen before log. */ + smp_wmb(); + /* Log used index update. */ +- log_write(vq->log_base, +- vq->log_addr + offsetof(struct vring_used, idx), +- sizeof vq->used->idx); ++ log_used(vq, offsetof(struct vring_used, idx), ++ sizeof vq->used->idx); + if (vq->log_ctx) + eventfd_signal(vq->log_ctx, 1); + } +diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h +index 79c6e7a60a5e..75d21d4a8354 100644 +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -208,7 +208,8 @@ bool vhost_vq_avail_empty(struct vhost_dev *, struct vhost_virtqueue *); + bool vhost_enable_notify(struct vhost_dev *, struct vhost_virtqueue *); + + int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log, +- unsigned int log_num, u64 len); ++ unsigned int log_num, u64 len, ++ struct iovec *iov, int count); + int vq_iotlb_prefetch(struct vhost_virtqueue *vq); + + struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type); +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index e6c1934734b7..fe1f16351f94 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -1650,7 +1650,7 @@ void xen_callback_vector(void) + xen_have_vector_callback = 0; + return; + } +- pr_info("Xen HVM callback vector for event delivery is enabled\n"); ++ pr_info_once("Xen HVM callback vector for event delivery is enabled\n"); + alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR, + xen_hvm_callback_vector); + } +diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c +index dd80a1bdf9e2..f86457713e60 100644 +--- a/fs/btrfs/dev-replace.c ++++ b/fs/btrfs/dev-replace.c +@@ -351,6 +351,7 @@ int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, + break; + case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED: + case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED: ++ ASSERT(0); + ret = BTRFS_IOCTL_DEV_REPLACE_RESULT_ALREADY_STARTED; + goto leave; + } +@@ -395,6 +396,10 @@ int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); + btrfs_dev_replace_lock(dev_replace, 1); ++ dev_replace->replace_state = ++ BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED; ++ dev_replace->srcdev = NULL; ++ dev_replace->tgtdev = NULL; + goto leave; + } + +@@ -416,8 +421,6 @@ int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, + return ret; + + leave: +- dev_replace->srcdev = NULL; +- dev_replace->tgtdev = NULL; + btrfs_dev_replace_unlock(dev_replace, 1); + btrfs_destroy_dev_replace_tgtdev(fs_info, tgt_device); + return ret; +@@ -801,6 +804,8 @@ int btrfs_resume_dev_replace_async(struct btrfs_fs_info *fs_info) + "cannot continue dev_replace, tgtdev is missing"); + btrfs_info(fs_info, + "you may cancel the operation after 'mount -o degraded'"); ++ dev_replace->replace_state = ++ BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED; + btrfs_dev_replace_unlock(dev_replace, 1); + return 0; + } +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 2e936f94f102..905d0fa1a1cc 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -1445,18 +1445,26 @@ cifs_discard_remaining_data(struct TCP_Server_Info *server) + } + + static int +-cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) ++__cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid, ++ bool malformed) + { + int length; +- struct cifs_readdata *rdata = mid->callback_data; + + length = cifs_discard_remaining_data(server); +- dequeue_mid(mid, rdata->result); ++ dequeue_mid(mid, malformed); + mid->resp_buf = server->smallbuf; + server->smallbuf = NULL; + return length; + } + ++static int ++cifs_readv_discard(struct TCP_Server_Info *server, struct mid_q_entry *mid) ++{ ++ struct cifs_readdata *rdata = mid->callback_data; ++ ++ return __cifs_readv_discard(server, mid, rdata->result); ++} ++ + int + cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) + { +@@ -1496,12 +1504,23 @@ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) + return -1; + } + ++ /* set up first two iov for signature check and to get credits */ ++ rdata->iov[0].iov_base = buf; ++ rdata->iov[0].iov_len = 4; ++ rdata->iov[1].iov_base = buf + 4; ++ rdata->iov[1].iov_len = server->total_read - 4; ++ cifs_dbg(FYI, "0: iov_base=%p iov_len=%zu\n", ++ rdata->iov[0].iov_base, rdata->iov[0].iov_len); ++ cifs_dbg(FYI, "1: iov_base=%p iov_len=%zu\n", ++ rdata->iov[1].iov_base, rdata->iov[1].iov_len); ++ + /* Was the SMB read successful? */ + rdata->result = server->ops->map_error(buf, false); + if (rdata->result != 0) { + cifs_dbg(FYI, "%s: server returned error %d\n", + __func__, rdata->result); +- return cifs_readv_discard(server, mid); ++ /* normal error on read response */ ++ return __cifs_readv_discard(server, mid, false); + } + + /* Is there enough to get to the rest of the READ_RSP header? */ +@@ -1544,14 +1563,6 @@ cifs_readv_receive(struct TCP_Server_Info *server, struct mid_q_entry *mid) + server->total_read += length; + } + +- /* set up first iov for signature check */ +- rdata->iov[0].iov_base = buf; +- rdata->iov[0].iov_len = 4; +- rdata->iov[1].iov_base = buf + 4; +- rdata->iov[1].iov_len = server->total_read - 4; +- cifs_dbg(FYI, "0: iov_base=%p iov_len=%u\n", +- rdata->iov[0].iov_base, server->total_read); +- + /* how much data is in the response? */ + data_len = server->ops->read_data_length(buf); + if (data_offset + data_len > buflen) { +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index d6248137c219..000b7bfa8cf0 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -524,6 +524,21 @@ server_unresponsive(struct TCP_Server_Info *server) + return false; + } + ++static inline bool ++zero_credits(struct TCP_Server_Info *server) ++{ ++ int val; ++ ++ spin_lock(&server->req_lock); ++ val = server->credits + server->echo_credits + server->oplock_credits; ++ if (server->in_flight == 0 && val == 0) { ++ spin_unlock(&server->req_lock); ++ return true; ++ } ++ spin_unlock(&server->req_lock); ++ return false; ++} ++ + static int + cifs_readv_from_socket(struct TCP_Server_Info *server, struct msghdr *smb_msg) + { +@@ -536,6 +551,12 @@ cifs_readv_from_socket(struct TCP_Server_Info *server, struct msghdr *smb_msg) + for (total_read = 0; msg_data_left(smb_msg); total_read += length) { + try_to_freeze(); + ++ /* reconnect if no credits and no requests in flight */ ++ if (zero_credits(server)) { ++ cifs_reconnect(server); ++ return -ECONNABORTED; ++ } ++ + if (server_unresponsive(server)) + return -ECONNABORTED; + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 3372eedaa94d..fb1c65f93114 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -33,6 +33,7 @@ + #include "smb2glob.h" + #include "cifs_ioctl.h" + ++/* Change credits for different ops and return the total number of credits */ + static int + change_conf(struct TCP_Server_Info *server) + { +@@ -40,17 +41,15 @@ change_conf(struct TCP_Server_Info *server) + server->oplock_credits = server->echo_credits = 0; + switch (server->credits) { + case 0: +- return -1; ++ return 0; + case 1: + server->echoes = false; + server->oplocks = false; +- cifs_dbg(VFS, "disabling echoes and oplocks\n"); + break; + case 2: + server->echoes = true; + server->oplocks = false; + server->echo_credits = 1; +- cifs_dbg(FYI, "disabling oplocks\n"); + break; + default: + server->echoes = true; +@@ -63,14 +62,15 @@ change_conf(struct TCP_Server_Info *server) + server->echo_credits = 1; + } + server->credits -= server->echo_credits + server->oplock_credits; +- return 0; ++ return server->credits + server->echo_credits + server->oplock_credits; + } + + static void + smb2_add_credits(struct TCP_Server_Info *server, const unsigned int add, + const int optype) + { +- int *val, rc = 0; ++ int *val, rc = -1; ++ + spin_lock(&server->req_lock); + val = server->ops->get_credits_field(server, optype); + *val += add; +@@ -94,8 +94,26 @@ smb2_add_credits(struct TCP_Server_Info *server, const unsigned int add, + } + spin_unlock(&server->req_lock); + wake_up(&server->request_q); +- if (rc) +- cifs_reconnect(server); ++ ++ if (server->tcpStatus == CifsNeedReconnect) ++ return; ++ ++ switch (rc) { ++ case -1: ++ /* change_conf hasn't been executed */ ++ break; ++ case 0: ++ cifs_dbg(VFS, "Possible client or server bug - zero credits\n"); ++ break; ++ case 1: ++ cifs_dbg(VFS, "disabling echoes and oplocks\n"); ++ break; ++ case 2: ++ cifs_dbg(FYI, "disabling oplocks\n"); ++ break; ++ default: ++ cifs_dbg(FYI, "add %u credits total=%d\n", add, rc); ++ } + } + + static void +@@ -153,14 +171,14 @@ smb2_wait_mtu_credits(struct TCP_Server_Info *server, unsigned int size, + + scredits = server->credits; + /* can deadlock with reopen */ +- if (scredits == 1) { ++ if (scredits <= 8) { + *num = SMB2_MAX_BUFFER_SIZE; + *credits = 0; + break; + } + +- /* leave one credit for a possible reopen */ +- scredits--; ++ /* leave some credits for reopen and other ops */ ++ scredits -= 8; + *num = min_t(unsigned int, size, + scredits * SMB2_MAX_BUFFER_SIZE); + +@@ -2531,11 +2549,23 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid, + server->ops->is_status_pending(buf, server, 0)) + return -1; + +- rdata->result = server->ops->map_error(buf, false); ++ /* set up first two iov to get credits */ ++ rdata->iov[0].iov_base = buf; ++ rdata->iov[0].iov_len = 4; ++ rdata->iov[1].iov_base = buf + 4; ++ rdata->iov[1].iov_len = ++ min_t(unsigned int, buf_len, server->vals->read_rsp_size) - 4; ++ cifs_dbg(FYI, "0: iov_base=%p iov_len=%zu\n", ++ rdata->iov[0].iov_base, rdata->iov[0].iov_len); ++ cifs_dbg(FYI, "1: iov_base=%p iov_len=%zu\n", ++ rdata->iov[1].iov_base, rdata->iov[1].iov_len); ++ ++ rdata->result = server->ops->map_error(buf, true); + if (rdata->result != 0) { + cifs_dbg(FYI, "%s: server returned error %d\n", + __func__, rdata->result); +- dequeue_mid(mid, rdata->result); ++ /* normal error on read response */ ++ dequeue_mid(mid, false); + return 0; + } + +@@ -2605,14 +2635,6 @@ handle_read_data(struct TCP_Server_Info *server, struct mid_q_entry *mid, + return 0; + } + +- /* set up first iov for signature check */ +- rdata->iov[0].iov_base = buf; +- rdata->iov[0].iov_len = 4; +- rdata->iov[1].iov_base = buf + 4; +- rdata->iov[1].iov_len = server->vals->read_rsp_size - 4; +- cifs_dbg(FYI, "0: iov_base=%p iov_len=%zu\n", +- rdata->iov[0].iov_base, server->vals->read_rsp_size); +- + length = rdata->copy_into_pages(server, rdata, &iter); + + kfree(bvec); +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 65de72d65562..12060fbfbb05 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -694,6 +694,7 @@ static void truncate_node(struct dnode_of_data *dn) + { + struct f2fs_sb_info *sbi = F2FS_I_SB(dn->inode); + struct node_info ni; ++ pgoff_t index; + + get_node_info(sbi, dn->nid, &ni); + f2fs_bug_on(sbi, ni.blk_addr == NULL_ADDR); +@@ -712,10 +713,11 @@ static void truncate_node(struct dnode_of_data *dn) + clear_node_page_dirty(dn->node_page); + set_sbi_flag(sbi, SBI_IS_DIRTY); + ++ index = dn->node_page->index; + f2fs_put_page(dn->node_page, 1); + + invalidate_mapping_pages(NODE_MAPPING(sbi), +- dn->node_page->index, dn->node_page->index); ++ index, index); + + dn->node_page = NULL; + trace_f2fs_truncate_node(dn->inode, dn->nid, ni.blk_addr); +diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h +index 28b76f0894d4..673fa522a7ab 100644 +--- a/include/linux/compiler-clang.h ++++ b/include/linux/compiler-clang.h +@@ -24,3 +24,17 @@ + #ifdef __noretpoline + #undef __noretpoline + #endif ++ ++/* ++ * Not all versions of clang implement the the type-generic versions ++ * of the builtin overflow checkers. Fortunately, clang implements ++ * __has_builtin allowing us to avoid awkward version ++ * checks. Unfortunately, we don't know which version of gcc clang ++ * pretends to be, so the macro may or may not be defined. ++ */ ++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW ++#if __has_builtin(__builtin_mul_overflow) && \ ++ __has_builtin(__builtin_add_overflow) && \ ++ __has_builtin(__builtin_sub_overflow) ++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 ++#endif +diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h +index 00b06d7efb83..4816355b9875 100644 +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -358,3 +358,7 @@ + * code + */ + #define uninitialized_var(x) x = x ++ ++#if GCC_VERSION >= 50100 ++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 ++#endif +diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h +index bfa08160db3a..547cdc920a3c 100644 +--- a/include/linux/compiler-intel.h ++++ b/include/linux/compiler-intel.h +@@ -44,3 +44,7 @@ + #define __builtin_bswap16 _bswap16 + #endif + ++/* ++ * icc defines __GNUC__, but does not implement the builtin overflow checkers. ++ */ ++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index d1324d3c72b0..8d3ca6da3342 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1130,8 +1130,9 @@ struct hv_ring_buffer_debug_info { + u32 bytes_avail_towrite; + }; + +-void hv_ringbuffer_get_debuginfo(const struct hv_ring_buffer_info *ring_info, +- struct hv_ring_buffer_debug_info *debug_info); ++ ++int hv_ringbuffer_get_debuginfo(const struct hv_ring_buffer_info *ring_info, ++ struct hv_ring_buffer_debug_info *debug_info); + + /* Vmbus interface */ + #define vmbus_driver_register(driver) \ +diff --git a/include/linux/overflow.h b/include/linux/overflow.h +new file mode 100644 +index 000000000000..c8890ec358a7 +--- /dev/null ++++ b/include/linux/overflow.h +@@ -0,0 +1,205 @@ ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */ ++#ifndef __LINUX_OVERFLOW_H ++#define __LINUX_OVERFLOW_H ++ ++#include <linux/compiler.h> ++ ++/* ++ * In the fallback code below, we need to compute the minimum and ++ * maximum values representable in a given type. These macros may also ++ * be useful elsewhere, so we provide them outside the ++ * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block. ++ * ++ * It would seem more obvious to do something like ++ * ++ * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0) ++ * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0) ++ * ++ * Unfortunately, the middle expressions, strictly speaking, have ++ * undefined behaviour, and at least some versions of gcc warn about ++ * the type_max expression (but not if -fsanitize=undefined is in ++ * effect; in that case, the warning is deferred to runtime...). ++ * ++ * The slightly excessive casting in type_min is to make sure the ++ * macros also produce sensible values for the exotic type _Bool. [The ++ * overflow checkers only almost work for _Bool, but that's ++ * a-feature-not-a-bug, since people shouldn't be doing arithmetic on ++ * _Bools. Besides, the gcc builtins don't allow _Bool* as third ++ * argument.] ++ * ++ * Idea stolen from ++ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html - ++ * credit to Christian Biere. ++ */ ++#define is_signed_type(type) (((type)(-1)) < (type)1) ++#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type))) ++#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) ++#define type_min(T) ((T)((T)-type_max(T)-(T)1)) ++ ++ ++#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW ++/* ++ * For simplicity and code hygiene, the fallback code below insists on ++ * a, b and *d having the same type (similar to the min() and max() ++ * macros), whereas gcc's type-generic overflow checkers accept ++ * different types. Hence we don't just make check_add_overflow an ++ * alias for __builtin_add_overflow, but add type checks similar to ++ * below. ++ */ ++#define check_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_add_overflow(__a, __b, __d); \ ++}) ++ ++#define check_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_sub_overflow(__a, __b, __d); \ ++}) ++ ++#define check_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_mul_overflow(__a, __b, __d); \ ++}) ++ ++#else ++ ++ ++/* Checking for unsigned overflow is relatively easy without causing UB. */ ++#define __unsigned_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a + __b; \ ++ *__d < __a; \ ++}) ++#define __unsigned_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a - __b; \ ++ __a < __b; \ ++}) ++/* ++ * If one of a or b is a compile-time constant, this avoids a division. ++ */ ++#define __unsigned_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a * __b; \ ++ __builtin_constant_p(__b) ? \ ++ __b > 0 && __a > type_max(typeof(__a)) / __b : \ ++ __a > 0 && __b > type_max(typeof(__b)) / __a; \ ++}) ++ ++/* ++ * For signed types, detecting overflow is much harder, especially if ++ * we want to avoid UB. But the interface of these macros is such that ++ * we must provide a result in *d, and in fact we must produce the ++ * result promised by gcc's builtins, which is simply the possibly ++ * wrapped-around value. Fortunately, we can just formally do the ++ * operations in the widest relevant unsigned type (u64) and then ++ * truncate the result - gcc is smart enough to generate the same code ++ * with and without the (u64) casts. ++ */ ++ ++/* ++ * Adding two signed integers can overflow only if they have the same ++ * sign, and overflow has happened iff the result has the opposite ++ * sign. ++ */ ++#define __signed_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a + (u64)__b; \ ++ (((~(__a ^ __b)) & (*__d ^ __a)) \ ++ & type_min(typeof(__a))) != 0; \ ++}) ++ ++/* ++ * Subtraction is similar, except that overflow can now happen only ++ * when the signs are opposite. In this case, overflow has happened if ++ * the result has the opposite sign of a. ++ */ ++#define __signed_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a - (u64)__b; \ ++ ((((__a ^ __b)) & (*__d ^ __a)) \ ++ & type_min(typeof(__a))) != 0; \ ++}) ++ ++/* ++ * Signed multiplication is rather hard. gcc always follows C99, so ++ * division is truncated towards 0. This means that we can write the ++ * overflow check like this: ++ * ++ * (a > 0 && (b > MAX/a || b < MIN/a)) || ++ * (a < -1 && (b > MIN/a || b < MAX/a) || ++ * (a == -1 && b == MIN) ++ * ++ * The redundant casts of -1 are to silence an annoying -Wtype-limits ++ * (included in -Wextra) warning: When the type is u8 or u16, the ++ * __b_c_e in check_mul_overflow obviously selects ++ * __unsigned_mul_overflow, but unfortunately gcc still parses this ++ * code and warns about the limited range of __b. ++ */ ++ ++#define __signed_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ typeof(a) __tmax = type_max(typeof(a)); \ ++ typeof(a) __tmin = type_min(typeof(a)); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a * (u64)__b; \ ++ (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \ ++ (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \ ++ (__b == (typeof(__b))-1 && __a == __tmin); \ ++}) ++ ++ ++#define check_add_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_add_overflow(a, b, d), \ ++ __unsigned_add_overflow(a, b, d)) ++ ++#define check_sub_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_sub_overflow(a, b, d), \ ++ __unsigned_sub_overflow(a, b, d)) ++ ++#define check_mul_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_mul_overflow(a, b, d), \ ++ __unsigned_mul_overflow(a, b, d)) ++ ++ ++#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ ++ ++#endif /* __LINUX_OVERFLOW_H */ +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index f6250555ce7d..39c2570ddcf6 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3163,6 +3163,7 @@ int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len); + * + * This is exactly the same as pskb_trim except that it ensures the + * checksum of received packets are still valid after the operation. ++ * It can change skb pointers. + */ + + static inline int pskb_trim_rcsum(struct sk_buff *skb, unsigned int len) +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index 32df52869a14..b711317a796c 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -233,7 +233,7 @@ int fib_table_delete(struct net *, struct fib_table *, struct fib_config *, + struct netlink_ext_ack *extack); + int fib_table_dump(struct fib_table *table, struct sk_buff *skb, + struct netlink_callback *cb); +-int fib_table_flush(struct net *net, struct fib_table *table); ++int fib_table_flush(struct net *net, struct fib_table *table, bool flush_all); + struct fib_table *fib_trie_unmerge(struct fib_table *main_tb); + void fib_table_flush_external(struct fib_table *table); + void fib_free_table(struct fib_table *tb); +diff --git a/include/xen/interface/vcpu.h b/include/xen/interface/vcpu.h +index 98188c87f5c1..504c71601511 100644 +--- a/include/xen/interface/vcpu.h ++++ b/include/xen/interface/vcpu.h +@@ -178,4 +178,46 @@ DEFINE_GUEST_HANDLE_STRUCT(vcpu_register_vcpu_info); + + /* Send an NMI to the specified VCPU. @extra_arg == NULL. */ + #define VCPUOP_send_nmi 11 ++ ++/* ++ * Get the physical ID information for a pinned vcpu's underlying physical ++ * processor. The physical ID informmation is architecture-specific. ++ * On x86: id[31:0]=apic_id, id[63:32]=acpi_id. ++ * This command returns -EINVAL if it is not a valid operation for this VCPU. ++ */ ++#define VCPUOP_get_physid 12 /* arg == vcpu_get_physid_t */ ++struct vcpu_get_physid { ++ uint64_t phys_id; ++}; ++DEFINE_GUEST_HANDLE_STRUCT(vcpu_get_physid); ++#define xen_vcpu_physid_to_x86_apicid(physid) ((uint32_t)(physid)) ++#define xen_vcpu_physid_to_x86_acpiid(physid) ((uint32_t)((physid) >> 32)) ++ ++/* ++ * Register a memory location to get a secondary copy of the vcpu time ++ * parameters. The master copy still exists as part of the vcpu shared ++ * memory area, and this secondary copy is updated whenever the master copy ++ * is updated (and using the same versioning scheme for synchronisation). ++ * ++ * The intent is that this copy may be mapped (RO) into userspace so ++ * that usermode can compute system time using the time info and the ++ * tsc. Usermode will see an array of vcpu_time_info structures, one ++ * for each vcpu, and choose the right one by an existing mechanism ++ * which allows it to get the current vcpu number (such as via a ++ * segment limit). It can then apply the normal algorithm to compute ++ * system time from the tsc. ++ * ++ * @extra_arg == pointer to vcpu_register_time_info_memory_area structure. ++ */ ++#define VCPUOP_register_vcpu_time_memory_area 13 ++DEFINE_GUEST_HANDLE_STRUCT(vcpu_time_info); ++struct vcpu_register_time_memory_area { ++ union { ++ GUEST_HANDLE(vcpu_time_info) h; ++ struct pvclock_vcpu_time_info *v; ++ uint64_t p; ++ } addr; ++}; ++DEFINE_GUEST_HANDLE_STRUCT(vcpu_register_time_memory_area); ++ + #endif /* __XEN_PUBLIC_VCPU_H__ */ +diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c +index 2da660d53a4b..6e8c230ca877 100644 +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -685,6 +685,7 @@ static int posix_cpu_timer_set(struct k_itimer *timer, int timer_flags, + * set up the signal and overrun bookkeeping. + */ + timer->it.cpu.incr = timespec64_to_ns(&new->it_interval); ++ timer->it_interval = ns_to_ktime(timer->it.cpu.incr); + + /* + * This acts as a modification timestamp for the timer, +diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c +index 48fb17417fac..57f69f31a2a2 100644 +--- a/net/bridge/br_forward.c ++++ b/net/bridge/br_forward.c +@@ -35,10 +35,10 @@ static inline int should_deliver(const struct net_bridge_port *p, + + int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb) + { ++ skb_push(skb, ETH_HLEN); + if (!is_skb_forwardable(skb->dev, skb)) + goto drop; + +- skb_push(skb, ETH_HLEN); + br_drop_fake_rtable(skb); + + if (skb->ip_summed == CHECKSUM_PARTIAL && +@@ -96,12 +96,11 @@ static void __br_forward(const struct net_bridge_port *to, + net = dev_net(indev); + } else { + if (unlikely(netpoll_tx_running(to->br->dev))) { +- if (!is_skb_forwardable(skb->dev, skb)) { ++ skb_push(skb, ETH_HLEN); ++ if (!is_skb_forwardable(skb->dev, skb)) + kfree_skb(skb); +- } else { +- skb_push(skb, ETH_HLEN); ++ else + br_netpoll_send_skb(to, skb); +- } + return; + } + br_hook = NF_BR_LOCAL_OUT; +diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c +index 96c072e71ea2..5811208863b7 100644 +--- a/net/bridge/br_netfilter_ipv6.c ++++ b/net/bridge/br_netfilter_ipv6.c +@@ -131,6 +131,7 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb) + IPSTATS_MIB_INDISCARDS); + goto drop; + } ++ hdr = ipv6_hdr(skb); + } + if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb)) + goto drop; +diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c +index eaf05de37f75..b09ec869c913 100644 +--- a/net/bridge/netfilter/nft_reject_bridge.c ++++ b/net/bridge/netfilter/nft_reject_bridge.c +@@ -230,6 +230,7 @@ static bool reject6_br_csum_ok(struct sk_buff *skb, int hook) + pskb_trim_rcsum(skb, ntohs(ip6h->payload_len) + sizeof(*ip6h))) + return false; + ++ ip6h = ipv6_hdr(skb); + thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo); + if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0) + return false; +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 13690334efa3..12d851c4604d 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -67,6 +67,9 @@ + */ + #define MAX_NFRAMES 256 + ++/* limit timers to 400 days for sending/timeouts */ ++#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60) ++ + /* use of last_frames[index].flags */ + #define RX_RECV 0x40 /* received data for this element */ + #define RX_THR 0x80 /* element not been sent due to throttle feature */ +@@ -140,6 +143,22 @@ static inline ktime_t bcm_timeval_to_ktime(struct bcm_timeval tv) + return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC); + } + ++/* check limitations for timeval provided by user */ ++static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head) ++{ ++ if ((msg_head->ival1.tv_sec < 0) || ++ (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) || ++ (msg_head->ival1.tv_usec < 0) || ++ (msg_head->ival1.tv_usec >= USEC_PER_SEC) || ++ (msg_head->ival2.tv_sec < 0) || ++ (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) || ++ (msg_head->ival2.tv_usec < 0) || ++ (msg_head->ival2.tv_usec >= USEC_PER_SEC)) ++ return true; ++ ++ return false; ++} ++ + #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU) + #define OPSIZ sizeof(struct bcm_op) + #define MHSIZ sizeof(struct bcm_msg_head) +@@ -886,6 +905,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, + if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES) + return -EINVAL; + ++ /* check timeval limitations */ ++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) ++ return -EINVAL; ++ + /* check the given can_id */ + op = bcm_find_op(&bo->tx_ops, msg_head, ifindex); + if (op) { +@@ -1065,6 +1088,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, + (!(msg_head->can_id & CAN_RTR_FLAG)))) + return -EINVAL; + ++ /* check timeval limitations */ ++ if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) ++ return -EINVAL; ++ + /* check the given can_id */ + op = bcm_find_op(&bo->rx_ops, msg_head, ifindex); + if (op) { +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 1b3f860f7dcd..b5317b2b191d 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -193,7 +193,7 @@ static void fib_flush(struct net *net) + struct fib_table *tb; + + hlist_for_each_entry_safe(tb, tmp, head, tb_hlist) +- flushed += fib_table_flush(net, tb); ++ flushed += fib_table_flush(net, tb, false); + } + + if (flushed) +@@ -1299,7 +1299,7 @@ static void ip_fib_net_exit(struct net *net) + + hlist_for_each_entry_safe(tb, tmp, head, tb_hlist) { + hlist_del(&tb->tb_hlist); +- fib_table_flush(net, tb); ++ fib_table_flush(net, tb, true); + fib_free_table(tb); + } + } +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index c636650a6a70..bb847d280778 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -1836,7 +1836,7 @@ void fib_table_flush_external(struct fib_table *tb) + } + + /* Caller must hold RTNL. */ +-int fib_table_flush(struct net *net, struct fib_table *tb) ++int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + { + struct trie *t = (struct trie *)tb->tb_data; + struct key_vector *pn = t->kv; +@@ -1884,8 +1884,17 @@ int fib_table_flush(struct net *net, struct fib_table *tb) + hlist_for_each_entry_safe(fa, tmp, &n->leaf, fa_list) { + struct fib_info *fi = fa->fa_info; + +- if (!fi || !(fi->fib_flags & RTNH_F_DEAD) || +- tb->tb_id != fa->tb_id) { ++ if (!fi || tb->tb_id != fa->tb_id || ++ (!(fi->fib_flags & RTNH_F_DEAD) && ++ !fib_props[fa->fa_type].error)) { ++ slen = fa->fa_slen; ++ continue; ++ } ++ ++ /* Do not flush error routes if network namespace is ++ * not being dismantled ++ */ ++ if (!flush_all && fib_props[fa->fa_type].error) { + slen = fa->fa_slen; + continue; + } +diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c +index 653be98fe3fb..6ffee9d2b0e5 100644 +--- a/net/ipv4/inet_fragment.c ++++ b/net/ipv4/inet_fragment.c +@@ -90,7 +90,7 @@ static void inet_frags_free_cb(void *ptr, void *arg) + + void inet_frags_exit_net(struct netns_frags *nf) + { +- nf->low_thresh = 0; /* prevent creation of new frags */ ++ nf->high_thresh = 0; /* prevent creation of new frags */ + + rhashtable_free_and_destroy(&nf->rhashtable, inet_frags_free_cb, NULL); + } +diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c +index 57fc13c6ab2b..1b160378ea9c 100644 +--- a/net/ipv4/ip_input.c ++++ b/net/ipv4/ip_input.c +@@ -481,6 +481,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, + goto drop; + } + ++ iph = ip_hdr(skb); + skb->transport_header = skb->network_header + iph->ihl*4; + + /* Remove any debris in the socket control block */ +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 8109985e78a1..fd14501ac3af 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1178,7 +1178,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size) + flags = msg->msg_flags; + + if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) { +- if (sk->sk_state != TCP_ESTABLISHED) { ++ if ((1 << sk->sk_state) & ~(TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) { + err = -EINVAL; + goto out_err; + } +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index f70e9cbf33d5..e687b89dafe6 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -459,7 +459,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr, + return -EINVAL; + } + +- if (!nz || !is_all_zero(nla_data(nla), expected_len)) { ++ if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) { + attrs |= 1 << type; + a[type] = nla; + } +diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c +index 04a70793c1fe..32819d1e2075 100644 +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -318,7 +318,6 @@ EXPORT_SYMBOL(tcf_block_put); + int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp, + struct tcf_result *res, bool compat_mode) + { +- __be16 protocol = tc_skb_protocol(skb); + #ifdef CONFIG_NET_CLS_ACT + const int max_reclassify_loop = 4; + const struct tcf_proto *orig_tp = tp; +@@ -328,6 +327,7 @@ int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp, + reclassify: + #endif + for (; tp; tp = rcu_dereference_bh(tp->next)) { ++ __be16 protocol = tc_skb_protocol(skb); + int err; + + if (tp->protocol != protocol && +@@ -359,7 +359,6 @@ reset: + } + + tp = first_tp; +- protocol = tc_skb_protocol(skb); + goto reclassify; + #endif + } +diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c +index 0a225dc85044..fb1cec46380d 100644 +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -969,6 +969,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = { + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x837f, "HP ProBook 470 G5", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE), +diff --git a/sound/soc/codecs/rt5514-spi.c b/sound/soc/codecs/rt5514-spi.c +index 12f2ecf3a4fe..662afc529060 100644 +--- a/sound/soc/codecs/rt5514-spi.c ++++ b/sound/soc/codecs/rt5514-spi.c +@@ -265,6 +265,8 @@ static int rt5514_spi_pcm_probe(struct snd_soc_platform *platform) + + rt5514_dsp = devm_kzalloc(platform->dev, sizeof(*rt5514_dsp), + GFP_KERNEL); ++ if (!rt5514_dsp) ++ return -ENOMEM; + + rt5514_dsp->dev = &rt5514_spi->dev; + mutex_init(&rt5514_dsp->dma_lock); +diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +index 43e7fdd19f29..4558c8b93036 100644 +--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c ++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +@@ -399,7 +399,13 @@ static int sst_media_hw_params(struct snd_pcm_substream *substream, + struct snd_pcm_hw_params *params, + struct snd_soc_dai *dai) + { +- snd_pcm_lib_malloc_pages(substream, params_buffer_bytes(params)); ++ int ret; ++ ++ ret = ++ snd_pcm_lib_malloc_pages(substream, ++ params_buffer_bytes(params)); ++ if (ret) ++ return ret; + memset(substream->runtime->dma_area, 0, params_buffer_bytes(params)); + return 0; + } +diff --git a/tools/perf/util/unwind-libdw.c b/tools/perf/util/unwind-libdw.c +index 1e9c974faf67..f1fe5acdbba4 100644 +--- a/tools/perf/util/unwind-libdw.c ++++ b/tools/perf/util/unwind-libdw.c +@@ -44,13 +44,13 @@ static int __report_module(struct addr_location *al, u64 ip, + Dwarf_Addr s; + + dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL); +- if (s != al->map->start) ++ if (s != al->map->start - al->map->pgoff) + mod = 0; + } + + if (!mod) + mod = dwfl_report_elf(ui->dwfl, dso->short_name, +- dso->long_name, -1, al->map->start, ++ (dso->symsrc_filename ? dso->symsrc_filename : dso->long_name), -1, al->map->start - al->map->pgoff, + false); + + return mod && dwfl_addrmodule(ui->dwfl, ip) == mod ? 0 : -1; +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index e350cf3d4f90..194759ec9e70 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -145,15 +145,6 @@ struct seccomp_data { + #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) + #endif + +-#ifndef PTRACE_SECCOMP_GET_METADATA +-#define PTRACE_SECCOMP_GET_METADATA 0x420d +- +-struct seccomp_metadata { +- __u64 filter_off; /* Input: which filter */ +- __u64 flags; /* Output: filter's flags */ +-}; +-#endif +- + #ifndef seccomp + int seccomp(unsigned int op, unsigned int flags, void *args) + { +@@ -2870,58 +2861,6 @@ TEST(get_action_avail) + EXPECT_EQ(errno, EOPNOTSUPP); + } + +-TEST(get_metadata) +-{ +- pid_t pid; +- int pipefd[2]; +- char buf; +- struct seccomp_metadata md; +- +- ASSERT_EQ(0, pipe(pipefd)); +- +- pid = fork(); +- ASSERT_GE(pid, 0); +- if (pid == 0) { +- struct sock_filter filter[] = { +- BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), +- }; +- struct sock_fprog prog = { +- .len = (unsigned short)ARRAY_SIZE(filter), +- .filter = filter, +- }; +- +- /* one with log, one without */ +- ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, +- SECCOMP_FILTER_FLAG_LOG, &prog)); +- ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)); +- +- ASSERT_EQ(0, close(pipefd[0])); +- ASSERT_EQ(1, write(pipefd[1], "1", 1)); +- ASSERT_EQ(0, close(pipefd[1])); +- +- while (1) +- sleep(100); +- } +- +- ASSERT_EQ(0, close(pipefd[1])); +- ASSERT_EQ(1, read(pipefd[0], &buf, 1)); +- +- ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid)); +- ASSERT_EQ(pid, waitpid(pid, NULL, 0)); +- +- md.filter_off = 0; +- ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md)); +- EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG); +- EXPECT_EQ(md.filter_off, 0); +- +- md.filter_off = 1; +- ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md)); +- EXPECT_EQ(md.flags, 0); +- EXPECT_EQ(md.filter_off, 1); +- +- ASSERT_EQ(0, kill(pid, SIGKILL)); +-} +- + /* + * TODO: + * - add microbenchmarks +diff --git a/tools/testing/selftests/x86/protection_keys.c b/tools/testing/selftests/x86/protection_keys.c +index 460b4bdf4c1e..5d546dcdbc80 100644 +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1133,6 +1133,21 @@ void test_pkey_syscalls_bad_args(int *ptr, u16 pkey) + pkey_assert(err); + } + ++void become_child(void) ++{ ++ pid_t forkret; ++ ++ forkret = fork(); ++ pkey_assert(forkret >= 0); ++ dprintf3("[%d] fork() ret: %d\n", getpid(), forkret); ++ ++ if (!forkret) { ++ /* in the child */ ++ return; ++ } ++ exit(0); ++} ++ + /* Assumes that all pkeys other than 'pkey' are unallocated */ + void test_pkey_alloc_exhaust(int *ptr, u16 pkey) + { +@@ -1141,7 +1156,7 @@ void test_pkey_alloc_exhaust(int *ptr, u16 pkey) + int nr_allocated_pkeys = 0; + int i; + +- for (i = 0; i < NR_PKEYS*2; i++) { ++ for (i = 0; i < NR_PKEYS*3; i++) { + int new_pkey; + dprintf1("%s() alloc loop: %d\n", __func__, i); + new_pkey = alloc_pkey(); +@@ -1152,20 +1167,26 @@ void test_pkey_alloc_exhaust(int *ptr, u16 pkey) + if ((new_pkey == -1) && (errno == ENOSPC)) { + dprintf2("%s() failed to allocate pkey after %d tries\n", + __func__, nr_allocated_pkeys); +- break; ++ } else { ++ /* ++ * Ensure the number of successes never ++ * exceeds the number of keys supported ++ * in the hardware. ++ */ ++ pkey_assert(nr_allocated_pkeys < NR_PKEYS); ++ allocated_pkeys[nr_allocated_pkeys++] = new_pkey; + } +- pkey_assert(nr_allocated_pkeys < NR_PKEYS); +- allocated_pkeys[nr_allocated_pkeys++] = new_pkey; ++ ++ /* ++ * Make sure that allocation state is properly ++ * preserved across fork(). ++ */ ++ if (i == NR_PKEYS*2) ++ become_child(); + } + + dprintf3("%s()::%d\n", __func__, __LINE__); + +- /* +- * ensure it did not reach the end of the loop without +- * failure: +- */ +- pkey_assert(i < NR_PKEYS*2); +- + /* + * There are 16 pkeys supported in hardware. Three are + * allocated by the time we get here: |