diff options
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1243_linux-4.4.244.patch | 3736 |
2 files changed, 3740 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 9911219d..ddfda262 100644 --- a/0000_README +++ b/0000_README @@ -1015,6 +1015,10 @@ Patch: 1242_linux-4.4.243.patch From: http://www.kernel.org Desc: Linux 4.4.243 +Patch: 1243_linux-4.4.244.patch +From: http://www.kernel.org +Desc: Linux 4.4.244 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1243_linux-4.4.244.patch b/1243_linux-4.4.244.patch new file mode 100644 index 00000000..1e1d2708 --- /dev/null +++ b/1243_linux-4.4.244.patch @@ -0,0 +1,3736 @@ +diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt +index b19d872feb569..17747dcd0e779 100644 +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -4488,6 +4488,14 @@ bytes respectively. Such letter suffixes can also be entirely omitted. + Disables the PV optimizations forcing the HVM guest to + run as generic HVM guest with no PV drivers. + ++ xen.event_eoi_delay= [XEN] ++ How long to delay EOI handling in case of event ++ storms (jiffies). Default is 10. ++ ++ xen.event_loop_timeout= [XEN] ++ After which time (jiffies) the event handling loop ++ should start to delay EOI handling. Default is 2. ++ + xirc2ps_cs= [NET,PCMCIA] + Format: + <irq>,<irq_mask>,<io>,<full_duplex>,<do_sound>,<lockup_hack>[,<irq2>[,<irq3>[,<irq4>]]] +diff --git a/Makefile b/Makefile +index 99badda272d74..f8b9fd688781c 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 243 ++SUBLEVEL = 244 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 2d2631f9a519f..2c9a2992863b0 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1223,6 +1223,14 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl) + return 0; + } + ++static bool is_spec_ib_user_controlled(void) ++{ ++ return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL || ++ spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP || ++ spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL || ++ spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP; ++} ++ + static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) + { + switch (ctrl) { +@@ -1230,17 +1238,26 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) + return 0; +- /* +- * Indirect branch speculation is always disabled in strict +- * mode. It can neither be enabled if it was force-disabled +- * by a previous prctl call. + ++ /* ++ * With strict mode for both IBPB and STIBP, the instruction ++ * code paths avoid checking this task flag and instead, ++ * unconditionally run the instruction. However, STIBP and IBPB ++ * are independent and either can be set to conditionally ++ * enabled regardless of the mode of the other. ++ * ++ * If either is set to conditional, allow the task flag to be ++ * updated, unless it was force-disabled by a previous prctl ++ * call. Currently, this is possible on an AMD CPU which has the ++ * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the ++ * kernel is booted with 'spectre_v2_user=seccomp', then ++ * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and ++ * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED. + */ +- if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED || ++ if (!is_spec_ib_user_controlled() || + task_spec_ib_force_disable(task)) + return -EPERM; ++ + task_clear_spec_ib_disable(task); + task_update_spec_tif(task); + break; +@@ -1253,10 +1270,10 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) + return -EPERM; +- if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) ++ ++ if (!is_spec_ib_user_controlled()) + return 0; ++ + task_set_spec_ib_disable(task); + if (ctrl == PR_SPEC_FORCE_DISABLE) + task_set_spec_ib_force_disable(task); +@@ -1319,20 +1336,17 @@ static int ib_prctl_get(struct task_struct *task) + if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE && + spectre_v2_user_stibp == SPECTRE_V2_USER_NONE) + return PR_SPEC_ENABLE; +- else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || +- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) +- return PR_SPEC_DISABLE; +- else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL || +- spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP || +- spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL || +- spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP) { ++ else if (is_spec_ib_user_controlled()) { + if (task_spec_ib_force_disable(task)) + return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE; + if (task_spec_ib_disable(task)) + return PR_SPEC_PRCTL | PR_SPEC_DISABLE; + return PR_SPEC_PRCTL | PR_SPEC_ENABLE; +- } else ++ } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT || ++ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT || ++ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED) ++ return PR_SPEC_DISABLE; ++ else + return PR_SPEC_NOT_AFFECTED; + } + +diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c +index a295ad6a1674f..8dbdd156e0d3e 100644 +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -173,7 +173,7 @@ static inline void shrink_free_pagepool(struct xen_blkif *blkif, int num) + + #define vaddr(page) ((unsigned long)pfn_to_kaddr(page_to_pfn(page))) + +-static int do_block_io_op(struct xen_blkif *blkif); ++static int do_block_io_op(struct xen_blkif *blkif, unsigned int *eoi_flags); + static int dispatch_rw_block_io(struct xen_blkif *blkif, + struct blkif_request *req, + struct pending_req *pending_req); +@@ -594,6 +594,8 @@ int xen_blkif_schedule(void *arg) + struct xen_vbd *vbd = &blkif->vbd; + unsigned long timeout; + int ret; ++ bool do_eoi; ++ unsigned int eoi_flags = XEN_EOI_FLAG_SPURIOUS; + + while (!kthread_should_stop()) { + if (try_to_freeze()) +@@ -617,16 +619,23 @@ int xen_blkif_schedule(void *arg) + if (timeout == 0) + goto purge_gnt_list; + ++ do_eoi = blkif->waiting_reqs; ++ + blkif->waiting_reqs = 0; + smp_mb(); /* clear flag *before* checking for work */ + +- ret = do_block_io_op(blkif); ++ ret = do_block_io_op(blkif, &eoi_flags); + if (ret > 0) + blkif->waiting_reqs = 1; + if (ret == -EACCES) + wait_event_interruptible(blkif->shutdown_wq, + kthread_should_stop()); + ++ if (do_eoi && !blkif->waiting_reqs) { ++ xen_irq_lateeoi(blkif->irq, eoi_flags); ++ eoi_flags |= XEN_EOI_FLAG_SPURIOUS; ++ } ++ + purge_gnt_list: + if (blkif->vbd.feature_gnt_persistent && + time_after(jiffies, blkif->next_lru)) { +@@ -1094,7 +1103,7 @@ static void end_block_io_op(struct bio *bio) + * and transmute it to the block API to hand it over to the proper block disk. + */ + static int +-__do_block_io_op(struct xen_blkif *blkif) ++__do_block_io_op(struct xen_blkif *blkif, unsigned int *eoi_flags) + { + union blkif_back_rings *blk_rings = &blkif->blk_rings; + struct blkif_request req; +@@ -1117,6 +1126,9 @@ __do_block_io_op(struct xen_blkif *blkif) + if (RING_REQUEST_CONS_OVERFLOW(&blk_rings->common, rc)) + break; + ++ /* We've seen a request, so clear spurious eoi flag. */ ++ *eoi_flags &= ~XEN_EOI_FLAG_SPURIOUS; ++ + if (kthread_should_stop()) { + more_to_do = 1; + break; +@@ -1175,13 +1187,13 @@ done: + } + + static int +-do_block_io_op(struct xen_blkif *blkif) ++do_block_io_op(struct xen_blkif *blkif, unsigned int *eoi_flags) + { + union blkif_back_rings *blk_rings = &blkif->blk_rings; + int more_to_do; + + do { +- more_to_do = __do_block_io_op(blkif); ++ more_to_do = __do_block_io_op(blkif, eoi_flags); + if (more_to_do) + break; + +diff --git a/drivers/block/xen-blkback/xenbus.c b/drivers/block/xen-blkback/xenbus.c +index 9233082013755..0ec257e69e95a 100644 +--- a/drivers/block/xen-blkback/xenbus.c ++++ b/drivers/block/xen-blkback/xenbus.c +@@ -200,9 +200,8 @@ static int xen_blkif_map(struct xen_blkif *blkif, grant_ref_t *gref, + BUG(); + } + +- err = bind_interdomain_evtchn_to_irqhandler(blkif->domid, evtchn, +- xen_blkif_be_int, 0, +- "blkif-backend", blkif); ++ err = bind_interdomain_evtchn_to_irqhandler_lateeoi(blkif->domid, ++ evtchn, xen_blkif_be_int, 0, "blkif-backend", blkif); + if (err < 0) { + xenbus_unmap_ring_vfree(blkif->be->dev, blkif->blk_ring); + blkif->blk_rings.common.sring = NULL; +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 7bb1e423eb190..08d96d58f1f2f 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -678,7 +678,6 @@ retry: + r->initialized = 1; + r->entropy_total = 0; + if (r == &nonblocking_pool) { +- prandom_reseed_late(); + process_random_ready_list(); + wake_up_all(&urandom_init_wait); + pr_notice("random: %s pool is initialized\n", r->name); +@@ -923,7 +922,6 @@ void add_interrupt_randomness(int irq, int irq_flags) + + fast_mix(fast_pool); + add_interrupt_bench(cycles); +- this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]); + + if ((fast_pool->count < 64) && + !time_after(now, fast_pool->last + HZ)) +diff --git a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c +index c568293cb6c1a..f1745c5cdf7b3 100644 +--- a/drivers/gpu/drm/amd/amdgpu/cik_sdma.c ++++ b/drivers/gpu/drm/amd/amdgpu/cik_sdma.c +@@ -1118,22 +1118,19 @@ static int cik_sdma_soft_reset(void *handle) + { + u32 srbm_soft_reset = 0; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- u32 tmp = RREG32(mmSRBM_STATUS2); ++ u32 tmp; + +- if (tmp & SRBM_STATUS2__SDMA_BUSY_MASK) { +- /* sdma0 */ +- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET); +- tmp |= SDMA0_F32_CNTL__HALT_MASK; +- WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp); +- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK; +- } +- if (tmp & SRBM_STATUS2__SDMA1_BUSY_MASK) { +- /* sdma1 */ +- tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET); +- tmp |= SDMA0_F32_CNTL__HALT_MASK; +- WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp); +- srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK; +- } ++ /* sdma0 */ ++ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET); ++ tmp |= SDMA0_F32_CNTL__HALT_MASK; ++ WREG32(mmSDMA0_F32_CNTL + SDMA0_REGISTER_OFFSET, tmp); ++ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA_MASK; ++ ++ /* sdma1 */ ++ tmp = RREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET); ++ tmp |= SDMA0_F32_CNTL__HALT_MASK; ++ WREG32(mmSDMA0_F32_CNTL + SDMA1_REGISTER_OFFSET, tmp); ++ srbm_soft_reset |= SRBM_SOFT_RESET__SOFT_RESET_SDMA1_MASK; + + if (srbm_soft_reset) { + cik_sdma_print_status((void *)adev); +diff --git a/drivers/gpu/drm/gma500/psb_irq.c b/drivers/gpu/drm/gma500/psb_irq.c +index 78eb109028091..076b6da44f461 100644 +--- a/drivers/gpu/drm/gma500/psb_irq.c ++++ b/drivers/gpu/drm/gma500/psb_irq.c +@@ -350,6 +350,7 @@ int psb_irq_postinstall(struct drm_device *dev) + { + struct drm_psb_private *dev_priv = dev->dev_private; + unsigned long irqflags; ++ unsigned int i; + + spin_lock_irqsave(&dev_priv->irqmask_lock, irqflags); + +@@ -362,20 +363,12 @@ int psb_irq_postinstall(struct drm_device *dev) + PSB_WVDC32(dev_priv->vdc_irq_mask, PSB_INT_ENABLE_R); + PSB_WVDC32(0xFFFFFFFF, PSB_HWSTAM); + +- if (dev->vblank[0].enabled) +- psb_enable_pipestat(dev_priv, 0, PIPE_VBLANK_INTERRUPT_ENABLE); +- else +- psb_disable_pipestat(dev_priv, 0, PIPE_VBLANK_INTERRUPT_ENABLE); +- +- if (dev->vblank[1].enabled) +- psb_enable_pipestat(dev_priv, 1, PIPE_VBLANK_INTERRUPT_ENABLE); +- else +- psb_disable_pipestat(dev_priv, 1, PIPE_VBLANK_INTERRUPT_ENABLE); +- +- if (dev->vblank[2].enabled) +- psb_enable_pipestat(dev_priv, 2, PIPE_VBLANK_INTERRUPT_ENABLE); +- else +- psb_disable_pipestat(dev_priv, 2, PIPE_VBLANK_INTERRUPT_ENABLE); ++ for (i = 0; i < dev->num_crtcs; ++i) { ++ if (dev->vblank[i].enabled) ++ psb_enable_pipestat(dev_priv, i, PIPE_VBLANK_INTERRUPT_ENABLE); ++ else ++ psb_disable_pipestat(dev_priv, i, PIPE_VBLANK_INTERRUPT_ENABLE); ++ } + + if (dev_priv->ops->hotplug_enable) + dev_priv->ops->hotplug_enable(dev, true); +@@ -388,6 +381,7 @@ void psb_irq_uninstall(struct drm_device *dev) + { + struct drm_psb_private *dev_priv = dev->dev_private; + unsigned long irqflags; ++ unsigned int i; + + spin_lock_irqsave(&dev_priv->irqmask_lock, irqflags); + +@@ -396,14 +390,10 @@ void psb_irq_uninstall(struct drm_device *dev) + + PSB_WVDC32(0xFFFFFFFF, PSB_HWSTAM); + +- if (dev->vblank[0].enabled) +- psb_disable_pipestat(dev_priv, 0, PIPE_VBLANK_INTERRUPT_ENABLE); +- +- if (dev->vblank[1].enabled) +- psb_disable_pipestat(dev_priv, 1, PIPE_VBLANK_INTERRUPT_ENABLE); +- +- if (dev->vblank[2].enabled) +- psb_disable_pipestat(dev_priv, 2, PIPE_VBLANK_INTERRUPT_ENABLE); ++ for (i = 0; i < dev->num_crtcs; ++i) { ++ if (dev->vblank[i].enabled) ++ psb_disable_pipestat(dev_priv, i, PIPE_VBLANK_INTERRUPT_ENABLE); ++ } + + dev_priv->vdc_irq_mask &= _PSB_IRQ_SGX_FLAG | + _PSB_IRQ_MSVDX_FLAG | +diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h +index 695d4e235438c..90832bf00538e 100644 +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -351,7 +351,11 @@ extern bool amd_iommu_np_cache; + /* Only true if all IOMMUs support device IOTLBs */ + extern bool amd_iommu_iotlb_sup; + +-#define MAX_IRQS_PER_TABLE 256 ++/* ++ * AMD IOMMU hardware only support 512 IRTEs despite ++ * the architectural limitation of 2048 entries. ++ */ ++#define MAX_IRQS_PER_TABLE 512 + #define IRQ_TABLE_ALIGNMENT 128 + + struct irq_remap_table { +diff --git a/drivers/misc/mei/client.h b/drivers/misc/mei/client.h +index 04e1aa39243f7..993d8f3e51d4e 100644 +--- a/drivers/misc/mei/client.h ++++ b/drivers/misc/mei/client.h +@@ -156,11 +156,11 @@ static inline u8 mei_cl_me_id(const struct mei_cl *cl) + * + * @cl: host client + * +- * Return: mtu ++ * Return: mtu or 0 if client is not connected + */ + static inline size_t mei_cl_mtu(const struct mei_cl *cl) + { +- return cl->me_cl->props.max_msg_length; ++ return cl->me_cl ? cl->me_cl->props.max_msg_length : 0; + } + + /** +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index 9dd968ee792e0..9579dae54af29 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -439,9 +439,13 @@ struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 + */ + struct sk_buff *skb = priv->echo_skb[idx]; + struct canfd_frame *cf = (struct canfd_frame *)skb->data; +- u8 len = cf->len; + +- *len_ptr = len; ++ /* get the real payload length for netdev statistics */ ++ if (cf->can_id & CAN_RTR_FLAG) ++ *len_ptr = 0; ++ else ++ *len_ptr = cf->len; ++ + priv->echo_skb[idx] = NULL; + + return skb; +@@ -466,7 +470,11 @@ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx) + if (!skb) + return 0; + +- netif_rx(skb); ++ skb_get(skb); ++ if (netif_rx(skb) == NET_RX_SUCCESS) ++ dev_consume_skb_any(skb); ++ else ++ dev_kfree_skb_any(skb); + + return len; + } +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +index 8c47cc8dc8965..22deddb2dbf5a 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c +@@ -150,14 +150,55 @@ void peak_usb_get_ts_tv(struct peak_time_ref *time_ref, u32 ts, + /* protect from getting timeval before setting now */ + if (time_ref->tv_host.tv_sec > 0) { + u64 delta_us; ++ s64 delta_ts = 0; ++ ++ /* General case: dev_ts_1 < dev_ts_2 < ts, with: ++ * ++ * - dev_ts_1 = previous sync timestamp ++ * - dev_ts_2 = last sync timestamp ++ * - ts = event timestamp ++ * - ts_period = known sync period (theoretical) ++ * ~ dev_ts2 - dev_ts1 ++ * *but*: ++ * ++ * - time counters wrap (see adapter->ts_used_bits) ++ * - sometimes, dev_ts_1 < ts < dev_ts2 ++ * ++ * "normal" case (sync time counters increase): ++ * must take into account case when ts wraps (tsw) ++ * ++ * < ts_period > < > ++ * | | | ++ * ---+--------+----+-------0-+--+--> ++ * ts_dev_1 | ts_dev_2 | ++ * ts tsw ++ */ ++ if (time_ref->ts_dev_1 < time_ref->ts_dev_2) { ++ /* case when event time (tsw) wraps */ ++ if (ts < time_ref->ts_dev_1) ++ delta_ts = 1 << time_ref->adapter->ts_used_bits; ++ ++ /* Otherwise, sync time counter (ts_dev_2) has wrapped: ++ * handle case when event time (tsn) hasn't. ++ * ++ * < ts_period > < > ++ * | | | ++ * ---+--------+--0-+---------+--+--> ++ * ts_dev_1 | ts_dev_2 | ++ * tsn ts ++ */ ++ } else if (time_ref->ts_dev_1 < ts) { ++ delta_ts = -(1 << time_ref->adapter->ts_used_bits); ++ } + +- delta_us = ts - time_ref->ts_dev_2; +- if (ts < time_ref->ts_dev_2) +- delta_us &= (1 << time_ref->adapter->ts_used_bits) - 1; ++ /* add delay between last sync and event timestamps */ ++ delta_ts += (signed int)(ts - time_ref->ts_dev_2); + +- delta_us += time_ref->ts_total; ++ /* add time from beginning to last sync */ ++ delta_ts += time_ref->ts_total; + +- delta_us *= time_ref->adapter->us_per_ts_scale; ++ /* convert ticks number into microseconds */ ++ delta_us = delta_ts * time_ref->adapter->us_per_ts_scale; + delta_us >>= time_ref->adapter->us_per_ts_shift; + + *tv = time_ref->tv_host_0; +diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +index 1b75d5304a2c1..2e62cdc7ec7ab 100644 +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -475,12 +475,18 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_rx_msg *rm = (struct pucan_rx_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_msg_get_channel(rm)]; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct canfd_frame *cfd; + struct sk_buff *skb; + const u16 rx_msg_flags = le16_to_cpu(rm->flags); + ++ if (pucan_msg_get_channel(rm) >= ARRAY_SIZE(usb_if->dev)) ++ return -ENOMEM; ++ ++ dev = usb_if->dev[pucan_msg_get_channel(rm)]; ++ netdev = dev->netdev; ++ + if (rx_msg_flags & PUCAN_MSG_EXT_DATA_LEN) { + /* CANFD frame case */ + skb = alloc_canfd_skb(netdev, &cfd); +@@ -527,15 +533,21 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_status_msg *sm = (struct pucan_status_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_stmsg_get_channel(sm)]; +- struct pcan_usb_fd_device *pdev = +- container_of(dev, struct pcan_usb_fd_device, dev); ++ struct pcan_usb_fd_device *pdev; + enum can_state new_state = CAN_STATE_ERROR_ACTIVE; + enum can_state rx_state, tx_state; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct can_frame *cf; + struct sk_buff *skb; + ++ if (pucan_stmsg_get_channel(sm) >= ARRAY_SIZE(usb_if->dev)) ++ return -ENOMEM; ++ ++ dev = usb_if->dev[pucan_stmsg_get_channel(sm)]; ++ pdev = container_of(dev, struct pcan_usb_fd_device, dev); ++ netdev = dev->netdev; ++ + /* nothing should be sent while in BUS_OFF state */ + if (dev->can.state == CAN_STATE_BUS_OFF) + return 0; +@@ -588,9 +600,14 @@ static int pcan_usb_fd_decode_error(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pucan_error_msg *er = (struct pucan_error_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pucan_ermsg_get_channel(er)]; +- struct pcan_usb_fd_device *pdev = +- container_of(dev, struct pcan_usb_fd_device, dev); ++ struct pcan_usb_fd_device *pdev; ++ struct peak_usb_device *dev; ++ ++ if (pucan_ermsg_get_channel(er) >= ARRAY_SIZE(usb_if->dev)) ++ return -EINVAL; ++ ++ dev = usb_if->dev[pucan_ermsg_get_channel(er)]; ++ pdev = container_of(dev, struct pcan_usb_fd_device, dev); + + /* keep a trace of tx and rx error counters for later use */ + pdev->bec.txerr = er->tx_err_cnt; +@@ -604,11 +621,17 @@ static int pcan_usb_fd_decode_overrun(struct pcan_usb_fd_if *usb_if, + struct pucan_msg *rx_msg) + { + struct pcan_ufd_ovr_msg *ov = (struct pcan_ufd_ovr_msg *)rx_msg; +- struct peak_usb_device *dev = usb_if->dev[pufd_omsg_get_channel(ov)]; +- struct net_device *netdev = dev->netdev; ++ struct peak_usb_device *dev; ++ struct net_device *netdev; + struct can_frame *cf; + struct sk_buff *skb; + ++ if (pufd_omsg_get_channel(ov) >= ARRAY_SIZE(usb_if->dev)) ++ return -EINVAL; ++ ++ dev = usb_if->dev[pufd_omsg_get_channel(ov)]; ++ netdev = dev->netdev; ++ + /* allocate an skb to store the error frame */ + skb = alloc_can_err_skb(netdev, &cf); + if (!skb) +@@ -726,6 +749,9 @@ static int pcan_usb_fd_encode_msg(struct peak_usb_device *dev, + u16 tx_msg_size, tx_msg_flags; + u8 can_dlc; + ++ if (cfd->len > CANFD_MAX_DLEN) ++ return -EINVAL; ++ + tx_msg_size = ALIGN(sizeof(struct pucan_tx_msg) + cfd->len, 4); + tx_msg->size = cpu_to_le16(tx_msg_size); + tx_msg->type = cpu_to_le16(PUCAN_MSG_CAN_TX); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index cdb263875efb3..b4b4d46da1734 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -188,7 +188,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct i40e_vf *vf, u16 vsi_id) + * check for the valid queue id + **/ + static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id, +- u8 qid) ++ u16 qid) + { + struct i40e_pf *pf = vf->pf; + struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id); +@@ -203,7 +203,7 @@ static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id, + * + * check for the valid vector id + **/ +-static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u8 vector_id) ++static inline bool i40e_vc_isvalid_vector_id(struct i40e_vf *vf, u32 vector_id) + { + struct i40e_pf *pf = vf->pf; + +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index ec13e2ae6d16e..ee38299f9c578 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -711,7 +711,8 @@ free_dst: + static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, + struct net_device *dev, + struct flowi4 *fl4, +- struct ip_tunnel_info *info) ++ struct ip_tunnel_info *info, ++ __be16 dport, __be16 sport) + { + struct geneve_dev *geneve = netdev_priv(dev); + struct rtable *rt = NULL; +@@ -720,6 +721,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, + memset(fl4, 0, sizeof(*fl4)); + fl4->flowi4_mark = skb->mark; + fl4->flowi4_proto = IPPROTO_UDP; ++ fl4->fl4_dport = dport; ++ fl4->fl4_sport = sport; + + if (info) { + fl4->daddr = info->key.u.ipv4.dst; +@@ -754,7 +757,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, + static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, + struct net_device *dev, + struct flowi6 *fl6, +- struct ip_tunnel_info *info) ++ struct ip_tunnel_info *info, ++ __be16 dport, __be16 sport) + { + struct geneve_dev *geneve = netdev_priv(dev); + struct geneve_sock *gs6 = geneve->sock6; +@@ -764,6 +768,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, + memset(fl6, 0, sizeof(*fl6)); + fl6->flowi6_mark = skb->mark; + fl6->flowi6_proto = IPPROTO_UDP; ++ fl6->fl6_dport = dport; ++ fl6->fl6_sport = sport; + + if (info) { + fl6->daddr = info->key.u.ipv6.dst; +@@ -834,13 +840,14 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, + goto tx_error; + } + +- rt = geneve_get_v4_rt(skb, dev, &fl4, info); ++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); ++ rt = geneve_get_v4_rt(skb, dev, &fl4, info, ++ geneve->dst_port, sport); + if (IS_ERR(rt)) { + err = PTR_ERR(rt); + goto tx_error; + } + +- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + skb_reset_mac_header(skb); + + if (info) { +@@ -916,13 +923,14 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, + } + } + +- dst = geneve_get_v6_dst(skb, dev, &fl6, info); ++ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); ++ dst = geneve_get_v6_dst(skb, dev, &fl6, info, ++ geneve->dst_port, sport); + if (IS_ERR(dst)) { + err = PTR_ERR(dst); + goto tx_error; + } + +- sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + skb_reset_mac_header(skb); + + if (info) { +@@ -1011,9 +1019,14 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) + struct dst_entry *dst; + struct flowi6 fl6; + #endif ++ __be16 sport; + + if (ip_tunnel_info_af(info) == AF_INET) { +- rt = geneve_get_v4_rt(skb, dev, &fl4, info); ++ sport = udp_flow_src_port(geneve->net, skb, ++ 1, USHRT_MAX, true); ++ ++ rt = geneve_get_v4_rt(skb, dev, &fl4, info, ++ geneve->dst_port, sport); + if (IS_ERR(rt)) + return PTR_ERR(rt); + +@@ -1021,7 +1034,11 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) + info->key.u.ipv4.src = fl4.saddr; + #if IS_ENABLED(CONFIG_IPV6) + } else if (ip_tunnel_info_af(info) == AF_INET6) { +- dst = geneve_get_v6_dst(skb, dev, &fl6, info); ++ sport = udp_flow_src_port(geneve->net, skb, ++ 1, USHRT_MAX, true); ++ ++ dst = geneve_get_v6_dst(skb, dev, &fl6, info, ++ geneve->dst_port, sport); + if (IS_ERR(dst)) + return PTR_ERR(dst); + +@@ -1032,8 +1049,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) + return -EINVAL; + } + +- info->key.tp_src = udp_flow_src_port(geneve->net, skb, +- 1, USHRT_MAX, true); ++ info->key.tp_src = sport; + info->key.tp_dst = geneve->dst_port; + return 0; + } +diff --git a/drivers/net/wan/cosa.c b/drivers/net/wan/cosa.c +index 848ea6a399f23..cbda69e58e084 100644 +--- a/drivers/net/wan/cosa.c ++++ b/drivers/net/wan/cosa.c +@@ -903,6 +903,7 @@ static ssize_t cosa_write(struct file *file, + chan->tx_status = 1; + spin_unlock_irqrestore(&cosa->lock, flags); + up(&chan->wsem); ++ kfree(kbuf); + return -ERESTARTSYS; + } + } +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index 91d199481a37c..64ff52eed9f53 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -972,7 +972,7 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv, + struct ath_htc_rx_status *rxstatus; + struct ath_rx_status rx_stats; + bool decrypt_error = false; +- __be16 rs_datalen; ++ u16 rs_datalen; + bool is_phyerr; + + if (skb->len < HTC_RX_FRAME_HEADER_SIZE) { +diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h +index 34173b5e886fb..53c2fa244c64b 100644 +--- a/drivers/net/xen-netback/common.h ++++ b/drivers/net/xen-netback/common.h +@@ -137,6 +137,20 @@ struct xenvif_queue { /* Per-queue data for xenvif */ + char name[QUEUE_NAME_SIZE]; /* DEVNAME-qN */ + struct xenvif *vif; /* Parent VIF */ + ++ /* ++ * TX/RX common EOI handling. ++ * When feature-split-event-channels = 0, interrupt handler sets ++ * NETBK_COMMON_EOI, otherwise NETBK_RX_EOI and NETBK_TX_EOI are set ++ * by the RX and TX interrupt handlers. ++ * RX and TX handler threads will issue an EOI when either ++ * NETBK_COMMON_EOI or their specific bits (NETBK_RX_EOI or ++ * NETBK_TX_EOI) are set and they will reset those bits. ++ */ ++ atomic_t eoi_pending; ++#define NETBK_RX_EOI 0x01 ++#define NETBK_TX_EOI 0x02 ++#define NETBK_COMMON_EOI 0x04 ++ + /* Use NAPI for guest TX */ + struct napi_struct napi; + /* When feature-split-event-channels = 0, tx_irq = rx_irq. */ +@@ -317,6 +331,7 @@ void xenvif_kick_thread(struct xenvif_queue *queue); + + int xenvif_dealloc_kthread(void *data); + ++bool xenvif_have_rx_work(struct xenvif_queue *queue, bool test_kthread); + void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb); + + void xenvif_carrier_on(struct xenvif *vif); +@@ -353,4 +368,28 @@ void xenvif_skb_zerocopy_complete(struct xenvif_queue *queue); + bool xenvif_mcast_match(struct xenvif *vif, const u8 *addr); + void xenvif_mcast_addr_list_free(struct xenvif *vif); + ++#include <linux/atomic.h> ++ ++static inline int xenvif_atomic_fetch_or(int i, atomic_t *v) ++{ ++ int c, old; ++ ++ c = v->counter; ++ while ((old = cmpxchg(&v->counter, c, c | i)) != c) ++ c = old; ++ ++ return c; ++} ++ ++static inline int xenvif_atomic_fetch_andnot(int i, atomic_t *v) ++{ ++ int c, old; ++ ++ c = v->counter; ++ while ((old = cmpxchg(&v->counter, c, c & ~i)) != c) ++ c = old; ++ ++ return c; ++} ++ + #endif /* __XEN_NETBACK__COMMON_H__ */ +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index 2008c6a02b8a7..66260ea74d7dd 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -76,12 +76,28 @@ int xenvif_schedulable(struct xenvif *vif) + !vif->disabled; + } + ++static bool xenvif_handle_tx_interrupt(struct xenvif_queue *queue) ++{ ++ bool rc; ++ ++ rc = RING_HAS_UNCONSUMED_REQUESTS(&queue->tx); ++ if (rc) ++ napi_schedule(&queue->napi); ++ return rc; ++} ++ + static irqreturn_t xenvif_tx_interrupt(int irq, void *dev_id) + { + struct xenvif_queue *queue = dev_id; ++ int old; + +- if (RING_HAS_UNCONSUMED_REQUESTS(&queue->tx)) +- napi_schedule(&queue->napi); ++ old = xenvif_atomic_fetch_or(NETBK_TX_EOI, &queue->eoi_pending); ++ WARN(old & NETBK_TX_EOI, "Interrupt while EOI pending\n"); ++ ++ if (!xenvif_handle_tx_interrupt(queue)) { ++ atomic_andnot(NETBK_TX_EOI, &queue->eoi_pending); ++ xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS); ++ } + + return IRQ_HANDLED; + } +@@ -115,19 +131,46 @@ static int xenvif_poll(struct napi_struct *napi, int budget) + return work_done; + } + ++static bool xenvif_handle_rx_interrupt(struct xenvif_queue *queue) ++{ ++ bool rc; ++ ++ rc = xenvif_have_rx_work(queue, false); ++ if (rc) ++ xenvif_kick_thread(queue); ++ return rc; ++} ++ + static irqreturn_t xenvif_rx_interrupt(int irq, void *dev_id) + { + struct xenvif_queue *queue = dev_id; ++ int old; + +- xenvif_kick_thread(queue); ++ old = xenvif_atomic_fetch_or(NETBK_RX_EOI, &queue->eoi_pending); ++ WARN(old & NETBK_RX_EOI, "Interrupt while EOI pending\n"); ++ ++ if (!xenvif_handle_rx_interrupt(queue)) { ++ atomic_andnot(NETBK_RX_EOI, &queue->eoi_pending); ++ xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS); ++ } + + return IRQ_HANDLED; + } + + irqreturn_t xenvif_interrupt(int irq, void *dev_id) + { +- xenvif_tx_interrupt(irq, dev_id); +- xenvif_rx_interrupt(irq, dev_id); ++ struct xenvif_queue *queue = dev_id; ++ int old; ++ ++ old = xenvif_atomic_fetch_or(NETBK_COMMON_EOI, &queue->eoi_pending); ++ WARN(old, "Interrupt while EOI pending\n"); ++ ++ /* Use bitwise or as we need to call both functions. */ ++ if ((!xenvif_handle_tx_interrupt(queue) | ++ !xenvif_handle_rx_interrupt(queue))) { ++ atomic_andnot(NETBK_COMMON_EOI, &queue->eoi_pending); ++ xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS); ++ } + + return IRQ_HANDLED; + } +@@ -555,7 +598,7 @@ int xenvif_connect(struct xenvif_queue *queue, unsigned long tx_ring_ref, + + if (tx_evtchn == rx_evtchn) { + /* feature-split-event-channels == 0 */ +- err = bind_interdomain_evtchn_to_irqhandler( ++ err = bind_interdomain_evtchn_to_irqhandler_lateeoi( + queue->vif->domid, tx_evtchn, xenvif_interrupt, 0, + queue->name, queue); + if (err < 0) +@@ -566,7 +609,7 @@ int xenvif_connect(struct xenvif_queue *queue, unsigned long tx_ring_ref, + /* feature-split-event-channels == 1 */ + snprintf(queue->tx_irq_name, sizeof(queue->tx_irq_name), + "%s-tx", queue->name); +- err = bind_interdomain_evtchn_to_irqhandler( ++ err = bind_interdomain_evtchn_to_irqhandler_lateeoi( + queue->vif->domid, tx_evtchn, xenvif_tx_interrupt, 0, + queue->tx_irq_name, queue); + if (err < 0) +@@ -576,7 +619,7 @@ int xenvif_connect(struct xenvif_queue *queue, unsigned long tx_ring_ref, + + snprintf(queue->rx_irq_name, sizeof(queue->rx_irq_name), + "%s-rx", queue->name); +- err = bind_interdomain_evtchn_to_irqhandler( ++ err = bind_interdomain_evtchn_to_irqhandler_lateeoi( + queue->vif->domid, rx_evtchn, xenvif_rx_interrupt, 0, + queue->rx_irq_name, queue); + if (err < 0) +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index 65d37257e033b..ee7a800c16d54 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -670,6 +670,10 @@ void xenvif_napi_schedule_or_enable_events(struct xenvif_queue *queue) + + if (more_to_do) + napi_schedule(&queue->napi); ++ else if (xenvif_atomic_fetch_andnot(NETBK_TX_EOI | NETBK_COMMON_EOI, ++ &queue->eoi_pending) & ++ (NETBK_TX_EOI | NETBK_COMMON_EOI)) ++ xen_irq_lateeoi(queue->tx_irq, 0); + } + + static void tx_add_credit(struct xenvif_queue *queue) +@@ -2010,14 +2014,14 @@ static bool xenvif_rx_queue_ready(struct xenvif_queue *queue) + return queue->stalled && prod - cons >= 1; + } + +-static bool xenvif_have_rx_work(struct xenvif_queue *queue) ++bool xenvif_have_rx_work(struct xenvif_queue *queue, bool test_kthread) + { + return (!skb_queue_empty(&queue->rx_queue) + && xenvif_rx_ring_slots_available(queue)) + || (queue->vif->stall_timeout && + (xenvif_rx_queue_stalled(queue) + || xenvif_rx_queue_ready(queue))) +- || kthread_should_stop() ++ || (test_kthread && kthread_should_stop()) + || queue->vif->disabled; + } + +@@ -2048,15 +2052,20 @@ static void xenvif_wait_for_rx_work(struct xenvif_queue *queue) + { + DEFINE_WAIT(wait); + +- if (xenvif_have_rx_work(queue)) ++ if (xenvif_have_rx_work(queue, true)) + return; + + for (;;) { + long ret; + + prepare_to_wait(&queue->wq, &wait, TASK_INTERRUPTIBLE); +- if (xenvif_have_rx_work(queue)) ++ if (xenvif_have_rx_work(queue, true)) + break; ++ if (xenvif_atomic_fetch_andnot(NETBK_RX_EOI | NETBK_COMMON_EOI, ++ &queue->eoi_pending) & ++ (NETBK_RX_EOI | NETBK_COMMON_EOI)) ++ xen_irq_lateeoi(queue->rx_irq, 0); ++ + ret = schedule_timeout(xenvif_rx_queue_timeout(queue)); + if (!ret) + break; +diff --git a/drivers/of/address.c b/drivers/of/address.c +index b3bf8762f4e8c..77881432dd404 100644 +--- a/drivers/of/address.c ++++ b/drivers/of/address.c +@@ -1014,11 +1014,13 @@ EXPORT_SYMBOL_GPL(of_dma_get_range); + */ + bool of_dma_is_coherent(struct device_node *np) + { +- struct device_node *node = of_node_get(np); ++ struct device_node *node; + + if (IS_ENABLED(CONFIG_OF_DMA_DEFAULT_COHERENT)) + return true; + ++ node = of_node_get(np); ++ + while (node) { + if (of_property_read_bool(node, "dma-coherent")) { + of_node_put(node); +diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c +index fe04e748dfe4b..eb8c29f3e16ef 100644 +--- a/drivers/pinctrl/devicetree.c ++++ b/drivers/pinctrl/devicetree.c +@@ -40,6 +40,13 @@ struct pinctrl_dt_map { + static void dt_free_map(struct pinctrl_dev *pctldev, + struct pinctrl_map *map, unsigned num_maps) + { ++ int i; ++ ++ for (i = 0; i < num_maps; ++i) { ++ kfree_const(map[i].dev_name); ++ map[i].dev_name = NULL; ++ } ++ + if (pctldev) { + const struct pinctrl_ops *ops = pctldev->desc->pctlops; + ops->dt_free_map(pctldev, map, num_maps); +@@ -73,7 +80,13 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename, + + /* Initialize common mapping table entry fields */ + for (i = 0; i < num_maps; i++) { +- map[i].dev_name = dev_name(p->dev); ++ const char *devname; ++ ++ devname = kstrdup_const(dev_name(p->dev), GFP_KERNEL); ++ if (!devname) ++ goto err_free_map; ++ ++ map[i].dev_name = devname; + map[i].name = statename; + if (pctldev) + map[i].ctrl_dev_name = dev_name(pctldev->dev); +@@ -81,11 +94,8 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename, + + /* Remember the converted mapping table entries */ + dt_map = kzalloc(sizeof(*dt_map), GFP_KERNEL); +- if (!dt_map) { +- dev_err(p->dev, "failed to alloc struct pinctrl_dt_map\n"); +- dt_free_map(pctldev, map, num_maps); +- return -ENOMEM; +- } ++ if (!dt_map) ++ goto err_free_map; + + dt_map->pctldev = pctldev; + dt_map->map = map; +@@ -93,6 +103,10 @@ static int dt_remember_or_free_map(struct pinctrl *p, const char *statename, + list_add_tail(&dt_map->node, &p->dt_maps); + + return pinctrl_register_map(map, num_maps, false); ++ ++err_free_map: ++ dt_free_map(pctldev, map, num_maps); ++ return -ENOMEM; + } + + struct pinctrl_dev *of_pinctrl_get(struct device_node *np) +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index 7340ff78839a3..a3b27856b9e97 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -144,7 +144,7 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, + pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF); + pin_reg &= ~BIT(DB_TMR_LARGE_OFF); + } else if (debounce < 250000) { +- time = debounce / 15600; ++ time = debounce / 15625; + pin_reg |= time & DB_TMR_OUT_MASK; + pin_reg &= ~BIT(DB_TMR_OUT_UNIT_OFF); + pin_reg |= BIT(DB_TMR_LARGE_OFF); +@@ -154,14 +154,14 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, + pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF); + pin_reg |= BIT(DB_TMR_LARGE_OFF); + } else { +- pin_reg &= ~DB_CNTRl_MASK; ++ pin_reg &= ~(DB_CNTRl_MASK << DB_CNTRL_OFF); + ret = -EINVAL; + } + } else { + pin_reg &= ~BIT(DB_TMR_OUT_UNIT_OFF); + pin_reg &= ~BIT(DB_TMR_LARGE_OFF); + pin_reg &= ~DB_TMR_OUT_MASK; +- pin_reg &= ~DB_CNTRl_MASK; ++ pin_reg &= ~(DB_CNTRl_MASK << DB_CNTRL_OFF); + } + writel(pin_reg, gpio_dev->base + offset * 4); + spin_unlock_irqrestore(&gpio_dev->lock, flags); +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index fb7e56fad41c8..a74a5c0eba6e4 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1693,6 +1693,15 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, ++ { USB_DEVICE(0x045b, 0x023c), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x0248), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, ++ { USB_DEVICE(0x045b, 0x024D), /* Renesas USB Download mode */ ++ .driver_info = DISABLE_ECHO, /* Don't echo banner */ ++ }, + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +diff --git a/drivers/usb/gadget/udc/goku_udc.c b/drivers/usb/gadget/udc/goku_udc.c +index 1fdfec14a3ba1..5d4616061309e 100644 +--- a/drivers/usb/gadget/udc/goku_udc.c ++++ b/drivers/usb/gadget/udc/goku_udc.c +@@ -1773,6 +1773,7 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id) + goto err; + } + ++ pci_set_drvdata(pdev, dev); + spin_lock_init(&dev->lock); + dev->pdev = pdev; + dev->gadget.ops = &goku_ops; +@@ -1806,7 +1807,6 @@ static int goku_probe(struct pci_dev *pdev, const struct pci_device_id *id) + } + dev->regs = (struct goku_udc_regs __iomem *) base; + +- pci_set_drvdata(pdev, dev); + INFO(dev, "%s\n", driver_desc); + INFO(dev, "version: " DRIVER_VERSION " %s\n", dmastr()); + INFO(dev, "irq %d, pci mem %p\n", pdev->irq, base); +diff --git a/drivers/xen/events/events_2l.c b/drivers/xen/events/events_2l.c +index 7dd46312c1802..e902512fcfb50 100644 +--- a/drivers/xen/events/events_2l.c ++++ b/drivers/xen/events/events_2l.c +@@ -90,6 +90,8 @@ static void evtchn_2l_unmask(unsigned port) + + BUG_ON(!irqs_disabled()); + ++ smp_wmb(); /* All writes before unmask must be visible. */ ++ + if (unlikely((cpu != cpu_from_evtchn(port)))) + do_hypercall = 1; + else { +@@ -158,7 +160,7 @@ static inline xen_ulong_t active_evtchns(unsigned int cpu, + * a bitset of words which contain pending event bits. The second + * level is a bitset of pending events themselves. + */ +-static void evtchn_2l_handle_events(unsigned cpu) ++static void evtchn_2l_handle_events(unsigned cpu, struct evtchn_loop_ctrl *ctrl) + { + int irq; + xen_ulong_t pending_words; +@@ -239,10 +241,7 @@ static void evtchn_2l_handle_events(unsigned cpu) + + /* Process port. */ + port = (word_idx * BITS_PER_EVTCHN_WORD) + bit_idx; +- irq = get_evtchn_to_irq(port); +- +- if (irq != -1) +- generic_handle_irq(irq); ++ handle_irq_for_port(port, ctrl); + + bit_idx = (bit_idx + 1) % BITS_PER_EVTCHN_WORD; + +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 9a126732d5d9c..ec4074c66d9db 100644 +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -32,6 +32,10 @@ + #include <linux/slab.h> + #include <linux/irqnr.h> + #include <linux/pci.h> ++#include <linux/spinlock.h> ++#include <linux/cpu.h> ++#include <linux/atomic.h> ++#include <linux/ktime.h> + + #ifdef CONFIG_X86 + #include <asm/desc.h> +@@ -62,6 +66,15 @@ + + #include "events_internal.h" + ++#undef MODULE_PARAM_PREFIX ++#define MODULE_PARAM_PREFIX "xen." ++ ++static uint __read_mostly event_loop_timeout = 2; ++module_param(event_loop_timeout, uint, 0644); ++ ++static uint __read_mostly event_eoi_delay = 10; ++module_param(event_eoi_delay, uint, 0644); ++ + const struct evtchn_ops *evtchn_ops; + + /* +@@ -70,6 +83,24 @@ const struct evtchn_ops *evtchn_ops; + */ + static DEFINE_MUTEX(irq_mapping_update_lock); + ++/* ++ * Lock protecting event handling loop against removing event channels. ++ * Adding of event channels is no issue as the associated IRQ becomes active ++ * only after everything is setup (before request_[threaded_]irq() the handler ++ * can't be entered for an event, as the event channel will be unmasked only ++ * then). ++ */ ++static DEFINE_RWLOCK(evtchn_rwlock); ++ ++/* ++ * Lock hierarchy: ++ * ++ * irq_mapping_update_lock ++ * evtchn_rwlock ++ * IRQ-desc lock ++ * percpu eoi_list_lock ++ */ ++ + static LIST_HEAD(xen_irq_list_head); + + /* IRQ <-> VIRQ mapping. */ +@@ -94,17 +125,20 @@ static bool (*pirq_needs_eoi)(unsigned irq); + static struct irq_info *legacy_info_ptrs[NR_IRQS_LEGACY]; + + static struct irq_chip xen_dynamic_chip; ++static struct irq_chip xen_lateeoi_chip; + static struct irq_chip xen_percpu_chip; + static struct irq_chip xen_pirq_chip; + static void enable_dynirq(struct irq_data *data); + static void disable_dynirq(struct irq_data *data); + ++static DEFINE_PER_CPU(unsigned int, irq_epoch); ++ + static void clear_evtchn_to_irq_row(unsigned row) + { + unsigned col; + + for (col = 0; col < EVTCHN_PER_ROW; col++) +- evtchn_to_irq[row][col] = -1; ++ WRITE_ONCE(evtchn_to_irq[row][col], -1); + } + + static void clear_evtchn_to_irq_all(void) +@@ -141,7 +175,7 @@ static int set_evtchn_to_irq(unsigned evtchn, unsigned irq) + clear_evtchn_to_irq_row(row); + } + +- evtchn_to_irq[row][col] = irq; ++ WRITE_ONCE(evtchn_to_irq[row][col], irq); + return 0; + } + +@@ -151,7 +185,7 @@ int get_evtchn_to_irq(unsigned evtchn) + return -1; + if (evtchn_to_irq[EVTCHN_ROW(evtchn)] == NULL) + return -1; +- return evtchn_to_irq[EVTCHN_ROW(evtchn)][EVTCHN_COL(evtchn)]; ++ return READ_ONCE(evtchn_to_irq[EVTCHN_ROW(evtchn)][EVTCHN_COL(evtchn)]); + } + + /* Get info for IRQ */ +@@ -260,10 +294,14 @@ static void xen_irq_info_cleanup(struct irq_info *info) + */ + unsigned int evtchn_from_irq(unsigned irq) + { +- if (unlikely(WARN(irq >= nr_irqs, "Invalid irq %d!\n", irq))) ++ const struct irq_info *info = NULL; ++ ++ if (likely(irq < nr_irqs)) ++ info = info_for_irq(irq); ++ if (!info) + return 0; + +- return info_for_irq(irq)->evtchn; ++ return info->evtchn; + } + + unsigned irq_from_evtchn(unsigned int evtchn) +@@ -382,9 +420,157 @@ void notify_remote_via_irq(int irq) + } + EXPORT_SYMBOL_GPL(notify_remote_via_irq); + ++struct lateeoi_work { ++ struct delayed_work delayed; ++ spinlock_t eoi_list_lock; ++ struct list_head eoi_list; ++}; ++ ++static DEFINE_PER_CPU(struct lateeoi_work, lateeoi); ++ ++static void lateeoi_list_del(struct irq_info *info) ++{ ++ struct lateeoi_work *eoi = &per_cpu(lateeoi, info->eoi_cpu); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&eoi->eoi_list_lock, flags); ++ list_del_init(&info->eoi_list); ++ spin_unlock_irqrestore(&eoi->eoi_list_lock, flags); ++} ++ ++static void lateeoi_list_add(struct irq_info *info) ++{ ++ struct lateeoi_work *eoi = &per_cpu(lateeoi, info->eoi_cpu); ++ struct irq_info *elem; ++ u64 now = get_jiffies_64(); ++ unsigned long delay; ++ unsigned long flags; ++ ++ if (now < info->eoi_time) ++ delay = info->eoi_time - now; ++ else ++ delay = 1; ++ ++ spin_lock_irqsave(&eoi->eoi_list_lock, flags); ++ ++ if (list_empty(&eoi->eoi_list)) { ++ list_add(&info->eoi_list, &eoi->eoi_list); ++ mod_delayed_work_on(info->eoi_cpu, system_wq, ++ &eoi->delayed, delay); ++ } else { ++ list_for_each_entry_reverse(elem, &eoi->eoi_list, eoi_list) { ++ if (elem->eoi_time <= info->eoi_time) ++ break; ++ } ++ list_add(&info->eoi_list, &elem->eoi_list); ++ } ++ ++ spin_unlock_irqrestore(&eoi->eoi_list_lock, flags); ++} ++ ++static void xen_irq_lateeoi_locked(struct irq_info *info, bool spurious) ++{ ++ evtchn_port_t evtchn; ++ unsigned int cpu; ++ unsigned int delay = 0; ++ ++ evtchn = info->evtchn; ++ if (!VALID_EVTCHN(evtchn) || !list_empty(&info->eoi_list)) ++ return; ++ ++ if (spurious) { ++ if ((1 << info->spurious_cnt) < (HZ << 2)) ++ info->spurious_cnt++; ++ if (info->spurious_cnt > 1) { ++ delay = 1 << (info->spurious_cnt - 2); ++ if (delay > HZ) ++ delay = HZ; ++ if (!info->eoi_time) ++ info->eoi_cpu = smp_processor_id(); ++ info->eoi_time = get_jiffies_64() + delay; ++ } ++ } else { ++ info->spurious_cnt = 0; ++ } ++ ++ cpu = info->eoi_cpu; ++ if (info->eoi_time && ++ (info->irq_epoch == per_cpu(irq_epoch, cpu) || delay)) { ++ lateeoi_list_add(info); ++ return; ++ } ++ ++ info->eoi_time = 0; ++ unmask_evtchn(evtchn); ++} ++ ++static void xen_irq_lateeoi_worker(struct work_struct *work) ++{ ++ struct lateeoi_work *eoi; ++ struct irq_info *info; ++ u64 now = get_jiffies_64(); ++ unsigned long flags; ++ ++ eoi = container_of(to_delayed_work(work), struct lateeoi_work, delayed); ++ ++ read_lock_irqsave(&evtchn_rwlock, flags); ++ ++ while (true) { ++ spin_lock(&eoi->eoi_list_lock); ++ ++ info = list_first_entry_or_null(&eoi->eoi_list, struct irq_info, ++ eoi_list); ++ ++ if (info == NULL || now < info->eoi_time) { ++ spin_unlock(&eoi->eoi_list_lock); ++ break; ++ } ++ ++ list_del_init(&info->eoi_list); ++ ++ spin_unlock(&eoi->eoi_list_lock); ++ ++ info->eoi_time = 0; ++ ++ xen_irq_lateeoi_locked(info, false); ++ } ++ ++ if (info) ++ mod_delayed_work_on(info->eoi_cpu, system_wq, ++ &eoi->delayed, info->eoi_time - now); ++ ++ read_unlock_irqrestore(&evtchn_rwlock, flags); ++} ++ ++static void xen_cpu_init_eoi(unsigned int cpu) ++{ ++ struct lateeoi_work *eoi = &per_cpu(lateeoi, cpu); ++ ++ INIT_DELAYED_WORK(&eoi->delayed, xen_irq_lateeoi_worker); ++ spin_lock_init(&eoi->eoi_list_lock); ++ INIT_LIST_HEAD(&eoi->eoi_list); ++} ++ ++void xen_irq_lateeoi(unsigned int irq, unsigned int eoi_flags) ++{ ++ struct irq_info *info; ++ unsigned long flags; ++ ++ read_lock_irqsave(&evtchn_rwlock, flags); ++ ++ info = info_for_irq(irq); ++ ++ if (info) ++ xen_irq_lateeoi_locked(info, eoi_flags & XEN_EOI_FLAG_SPURIOUS); ++ ++ read_unlock_irqrestore(&evtchn_rwlock, flags); ++} ++EXPORT_SYMBOL_GPL(xen_irq_lateeoi); ++ + static void xen_irq_init(unsigned irq) + { + struct irq_info *info; ++ + #ifdef CONFIG_SMP + /* By default all event channels notify CPU#0. */ + cpumask_copy(irq_get_affinity_mask(irq), cpumask_of(0)); +@@ -399,6 +585,7 @@ static void xen_irq_init(unsigned irq) + + set_info_for_irq(irq, info); + ++ INIT_LIST_HEAD(&info->eoi_list); + list_add_tail(&info->list, &xen_irq_list_head); + } + +@@ -447,16 +634,24 @@ static int __must_check xen_allocate_irq_gsi(unsigned gsi) + static void xen_free_irq(unsigned irq) + { + struct irq_info *info = info_for_irq(irq); ++ unsigned long flags; + + if (WARN_ON(!info)) + return; + ++ write_lock_irqsave(&evtchn_rwlock, flags); ++ ++ if (!list_empty(&info->eoi_list)) ++ lateeoi_list_del(info); ++ + list_del(&info->list); + + set_info_for_irq(irq, NULL); + + WARN_ON(info->refcnt > 0); + ++ write_unlock_irqrestore(&evtchn_rwlock, flags); ++ + kfree(info); + + /* Legacy IRQ descriptors are managed by the arch. */ +@@ -848,7 +1043,7 @@ int xen_pirq_from_irq(unsigned irq) + } + EXPORT_SYMBOL_GPL(xen_pirq_from_irq); + +-int bind_evtchn_to_irq(unsigned int evtchn) ++static int bind_evtchn_to_irq_chip(evtchn_port_t evtchn, struct irq_chip *chip) + { + int irq; + int ret; +@@ -865,7 +1060,7 @@ int bind_evtchn_to_irq(unsigned int evtchn) + if (irq < 0) + goto out; + +- irq_set_chip_and_handler_name(irq, &xen_dynamic_chip, ++ irq_set_chip_and_handler_name(irq, chip, + handle_edge_irq, "event"); + + ret = xen_irq_info_evtchn_setup(irq, evtchn); +@@ -886,8 +1081,19 @@ out: + + return irq; + } ++ ++int bind_evtchn_to_irq(evtchn_port_t evtchn) ++{ ++ return bind_evtchn_to_irq_chip(evtchn, &xen_dynamic_chip); ++} + EXPORT_SYMBOL_GPL(bind_evtchn_to_irq); + ++int bind_evtchn_to_irq_lateeoi(evtchn_port_t evtchn) ++{ ++ return bind_evtchn_to_irq_chip(evtchn, &xen_lateeoi_chip); ++} ++EXPORT_SYMBOL_GPL(bind_evtchn_to_irq_lateeoi); ++ + static int bind_ipi_to_irq(unsigned int ipi, unsigned int cpu) + { + struct evtchn_bind_ipi bind_ipi; +@@ -929,8 +1135,9 @@ static int bind_ipi_to_irq(unsigned int ipi, unsigned int cpu) + return irq; + } + +-int bind_interdomain_evtchn_to_irq(unsigned int remote_domain, +- unsigned int remote_port) ++static int bind_interdomain_evtchn_to_irq_chip(unsigned int remote_domain, ++ evtchn_port_t remote_port, ++ struct irq_chip *chip) + { + struct evtchn_bind_interdomain bind_interdomain; + int err; +@@ -941,10 +1148,26 @@ int bind_interdomain_evtchn_to_irq(unsigned int remote_domain, + err = HYPERVISOR_event_channel_op(EVTCHNOP_bind_interdomain, + &bind_interdomain); + +- return err ? : bind_evtchn_to_irq(bind_interdomain.local_port); ++ return err ? : bind_evtchn_to_irq_chip(bind_interdomain.local_port, ++ chip); ++} ++ ++int bind_interdomain_evtchn_to_irq(unsigned int remote_domain, ++ evtchn_port_t remote_port) ++{ ++ return bind_interdomain_evtchn_to_irq_chip(remote_domain, remote_port, ++ &xen_dynamic_chip); + } + EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irq); + ++int bind_interdomain_evtchn_to_irq_lateeoi(unsigned int remote_domain, ++ evtchn_port_t remote_port) ++{ ++ return bind_interdomain_evtchn_to_irq_chip(remote_domain, remote_port, ++ &xen_lateeoi_chip); ++} ++EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irq_lateeoi); ++ + static int find_virq(unsigned int virq, unsigned int cpu) + { + struct evtchn_status status; +@@ -1040,14 +1263,15 @@ static void unbind_from_irq(unsigned int irq) + mutex_unlock(&irq_mapping_update_lock); + } + +-int bind_evtchn_to_irqhandler(unsigned int evtchn, +- irq_handler_t handler, +- unsigned long irqflags, +- const char *devname, void *dev_id) ++static int bind_evtchn_to_irqhandler_chip(evtchn_port_t evtchn, ++ irq_handler_t handler, ++ unsigned long irqflags, ++ const char *devname, void *dev_id, ++ struct irq_chip *chip) + { + int irq, retval; + +- irq = bind_evtchn_to_irq(evtchn); ++ irq = bind_evtchn_to_irq_chip(evtchn, chip); + if (irq < 0) + return irq; + retval = request_irq(irq, handler, irqflags, devname, dev_id); +@@ -1058,18 +1282,38 @@ int bind_evtchn_to_irqhandler(unsigned int evtchn, + + return irq; + } ++ ++int bind_evtchn_to_irqhandler(evtchn_port_t evtchn, ++ irq_handler_t handler, ++ unsigned long irqflags, ++ const char *devname, void *dev_id) ++{ ++ return bind_evtchn_to_irqhandler_chip(evtchn, handler, irqflags, ++ devname, dev_id, ++ &xen_dynamic_chip); ++} + EXPORT_SYMBOL_GPL(bind_evtchn_to_irqhandler); + +-int bind_interdomain_evtchn_to_irqhandler(unsigned int remote_domain, +- unsigned int remote_port, +- irq_handler_t handler, +- unsigned long irqflags, +- const char *devname, +- void *dev_id) ++int bind_evtchn_to_irqhandler_lateeoi(evtchn_port_t evtchn, ++ irq_handler_t handler, ++ unsigned long irqflags, ++ const char *devname, void *dev_id) ++{ ++ return bind_evtchn_to_irqhandler_chip(evtchn, handler, irqflags, ++ devname, dev_id, ++ &xen_lateeoi_chip); ++} ++EXPORT_SYMBOL_GPL(bind_evtchn_to_irqhandler_lateeoi); ++ ++static int bind_interdomain_evtchn_to_irqhandler_chip( ++ unsigned int remote_domain, evtchn_port_t remote_port, ++ irq_handler_t handler, unsigned long irqflags, ++ const char *devname, void *dev_id, struct irq_chip *chip) + { + int irq, retval; + +- irq = bind_interdomain_evtchn_to_irq(remote_domain, remote_port); ++ irq = bind_interdomain_evtchn_to_irq_chip(remote_domain, remote_port, ++ chip); + if (irq < 0) + return irq; + +@@ -1081,8 +1325,33 @@ int bind_interdomain_evtchn_to_irqhandler(unsigned int remote_domain, + + return irq; + } ++ ++int bind_interdomain_evtchn_to_irqhandler(unsigned int remote_domain, ++ evtchn_port_t remote_port, ++ irq_handler_t handler, ++ unsigned long irqflags, ++ const char *devname, ++ void *dev_id) ++{ ++ return bind_interdomain_evtchn_to_irqhandler_chip(remote_domain, ++ remote_port, handler, irqflags, devname, ++ dev_id, &xen_dynamic_chip); ++} + EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irqhandler); + ++int bind_interdomain_evtchn_to_irqhandler_lateeoi(unsigned int remote_domain, ++ evtchn_port_t remote_port, ++ irq_handler_t handler, ++ unsigned long irqflags, ++ const char *devname, ++ void *dev_id) ++{ ++ return bind_interdomain_evtchn_to_irqhandler_chip(remote_domain, ++ remote_port, handler, irqflags, devname, ++ dev_id, &xen_lateeoi_chip); ++} ++EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irqhandler_lateeoi); ++ + int bind_virq_to_irqhandler(unsigned int virq, unsigned int cpu, + irq_handler_t handler, + unsigned long irqflags, const char *devname, void *dev_id) +@@ -1195,7 +1464,7 @@ int evtchn_get(unsigned int evtchn) + goto done; + + err = -EINVAL; +- if (info->refcnt <= 0) ++ if (info->refcnt <= 0 || info->refcnt == SHRT_MAX) + goto done; + + info->refcnt++; +@@ -1233,6 +1502,54 @@ void xen_send_IPI_one(unsigned int cpu, enum ipi_vector vector) + notify_remote_via_irq(irq); + } + ++struct evtchn_loop_ctrl { ++ ktime_t timeout; ++ unsigned count; ++ bool defer_eoi; ++}; ++ ++void handle_irq_for_port(evtchn_port_t port, struct evtchn_loop_ctrl *ctrl) ++{ ++ int irq; ++ struct irq_info *info; ++ ++ irq = get_evtchn_to_irq(port); ++ if (irq == -1) ++ return; ++ ++ /* ++ * Check for timeout every 256 events. ++ * We are setting the timeout value only after the first 256 ++ * events in order to not hurt the common case of few loop ++ * iterations. The 256 is basically an arbitrary value. ++ * ++ * In case we are hitting the timeout we need to defer all further ++ * EOIs in order to ensure to leave the event handling loop rather ++ * sooner than later. ++ */ ++ if (!ctrl->defer_eoi && !(++ctrl->count & 0xff)) { ++ ktime_t kt = ktime_get(); ++ ++ if (!ctrl->timeout.tv64) { ++ kt = ktime_add_ms(kt, ++ jiffies_to_msecs(event_loop_timeout)); ++ ctrl->timeout = kt; ++ } else if (kt.tv64 > ctrl->timeout.tv64) { ++ ctrl->defer_eoi = true; ++ } ++ } ++ ++ info = info_for_irq(irq); ++ ++ if (ctrl->defer_eoi) { ++ info->eoi_cpu = smp_processor_id(); ++ info->irq_epoch = __this_cpu_read(irq_epoch); ++ info->eoi_time = get_jiffies_64() + event_eoi_delay; ++ } ++ ++ generic_handle_irq(irq); ++} ++ + static DEFINE_PER_CPU(unsigned, xed_nesting_count); + + static void __xen_evtchn_do_upcall(void) +@@ -1240,6 +1557,9 @@ static void __xen_evtchn_do_upcall(void) + struct vcpu_info *vcpu_info = __this_cpu_read(xen_vcpu); + int cpu = get_cpu(); + unsigned count; ++ struct evtchn_loop_ctrl ctrl = { 0 }; ++ ++ read_lock(&evtchn_rwlock); + + do { + vcpu_info->evtchn_upcall_pending = 0; +@@ -1247,7 +1567,7 @@ static void __xen_evtchn_do_upcall(void) + if (__this_cpu_inc_return(xed_nesting_count) - 1) + goto out; + +- xen_evtchn_handle_events(cpu); ++ xen_evtchn_handle_events(cpu, &ctrl); + + BUG_ON(!irqs_disabled()); + +@@ -1256,6 +1576,14 @@ static void __xen_evtchn_do_upcall(void) + } while (count != 1 || vcpu_info->evtchn_upcall_pending); + + out: ++ read_unlock(&evtchn_rwlock); ++ ++ /* ++ * Increment irq_epoch only now to defer EOIs only for ++ * xen_irq_lateeoi() invocations occurring from inside the loop ++ * above. ++ */ ++ __this_cpu_inc(irq_epoch); + + put_cpu(); + } +@@ -1612,6 +1940,21 @@ static struct irq_chip xen_dynamic_chip __read_mostly = { + .irq_retrigger = retrigger_dynirq, + }; + ++static struct irq_chip xen_lateeoi_chip __read_mostly = { ++ /* The chip name needs to contain "xen-dyn" for irqbalance to work. */ ++ .name = "xen-dyn-lateeoi", ++ ++ .irq_disable = disable_dynirq, ++ .irq_mask = disable_dynirq, ++ .irq_unmask = enable_dynirq, ++ ++ .irq_ack = mask_ack_dynirq, ++ .irq_mask_ack = mask_ack_dynirq, ++ ++ .irq_set_affinity = set_affinity_irq, ++ .irq_retrigger = retrigger_dynirq, ++}; ++ + static struct irq_chip xen_pirq_chip __read_mostly = { + .name = "xen-pirq", + +@@ -1679,12 +2022,55 @@ void xen_callback_vector(void) + void xen_callback_vector(void) {} + #endif + +-#undef MODULE_PARAM_PREFIX +-#define MODULE_PARAM_PREFIX "xen." +- + static bool fifo_events = true; + module_param(fifo_events, bool, 0); + ++static int xen_evtchn_cpu_prepare(unsigned int cpu) ++{ ++ int ret = 0; ++ ++ xen_cpu_init_eoi(cpu); ++ ++ if (evtchn_ops->percpu_init) ++ ret = evtchn_ops->percpu_init(cpu); ++ ++ return ret; ++} ++ ++static int xen_evtchn_cpu_dead(unsigned int cpu) ++{ ++ int ret = 0; ++ ++ if (evtchn_ops->percpu_deinit) ++ ret = evtchn_ops->percpu_deinit(cpu); ++ ++ return ret; ++} ++ ++static int evtchn_cpu_notification(struct notifier_block *self, ++ unsigned long action, void *hcpu) ++{ ++ int cpu = (long)hcpu; ++ int ret = 0; ++ ++ switch (action) { ++ case CPU_UP_PREPARE: ++ ret = xen_evtchn_cpu_prepare(cpu); ++ break; ++ case CPU_DEAD: ++ ret = xen_evtchn_cpu_dead(cpu); ++ break; ++ default: ++ break; ++ } ++ ++ return ret < 0 ? NOTIFY_BAD : NOTIFY_OK; ++} ++ ++static struct notifier_block evtchn_cpu_notifier = { ++ .notifier_call = evtchn_cpu_notification, ++}; ++ + void __init xen_init_IRQ(void) + { + int ret = -EINVAL; +@@ -1694,6 +2080,10 @@ void __init xen_init_IRQ(void) + if (ret < 0) + xen_evtchn_2l_init(); + ++ xen_cpu_init_eoi(smp_processor_id()); ++ ++ register_cpu_notifier(&evtchn_cpu_notifier); ++ + evtchn_to_irq = kcalloc(EVTCHN_ROW(xen_evtchn_max_channels()), + sizeof(*evtchn_to_irq), GFP_KERNEL); + BUG_ON(!evtchn_to_irq); +diff --git a/drivers/xen/events/events_fifo.c b/drivers/xen/events/events_fifo.c +index 96a1b8da53715..7addca0d8d26b 100644 +--- a/drivers/xen/events/events_fifo.c ++++ b/drivers/xen/events/events_fifo.c +@@ -227,19 +227,25 @@ static bool evtchn_fifo_is_masked(unsigned port) + return sync_test_bit(EVTCHN_FIFO_BIT(MASKED, word), BM(word)); + } + /* +- * Clear MASKED, spinning if BUSY is set. ++ * Clear MASKED if not PENDING, spinning if BUSY is set. ++ * Return true if mask was cleared. + */ +-static void clear_masked(volatile event_word_t *word) ++static bool clear_masked_cond(volatile event_word_t *word) + { + event_word_t new, old, w; + + w = *word; + + do { ++ if (w & (1 << EVTCHN_FIFO_PENDING)) ++ return false; ++ + old = w & ~(1 << EVTCHN_FIFO_BUSY); + new = old & ~(1 << EVTCHN_FIFO_MASKED); + w = sync_cmpxchg(word, old, new); + } while (w != old); ++ ++ return true; + } + + static void evtchn_fifo_unmask(unsigned port) +@@ -248,8 +254,7 @@ static void evtchn_fifo_unmask(unsigned port) + + BUG_ON(!irqs_disabled()); + +- clear_masked(word); +- if (evtchn_fifo_is_pending(port)) { ++ if (!clear_masked_cond(word)) { + struct evtchn_unmask unmask = { .port = port }; + (void)HYPERVISOR_event_channel_op(EVTCHNOP_unmask, &unmask); + } +@@ -270,19 +275,9 @@ static uint32_t clear_linked(volatile event_word_t *word) + return w & EVTCHN_FIFO_LINK_MASK; + } + +-static void handle_irq_for_port(unsigned port) +-{ +- int irq; +- +- irq = get_evtchn_to_irq(port); +- if (irq != -1) +- generic_handle_irq(irq); +-} +- +-static void consume_one_event(unsigned cpu, ++static void consume_one_event(unsigned cpu, struct evtchn_loop_ctrl *ctrl, + struct evtchn_fifo_control_block *control_block, +- unsigned priority, unsigned long *ready, +- bool drop) ++ unsigned priority, unsigned long *ready) + { + struct evtchn_fifo_queue *q = &per_cpu(cpu_queue, cpu); + uint32_t head; +@@ -315,16 +310,17 @@ static void consume_one_event(unsigned cpu, + clear_bit(priority, ready); + + if (evtchn_fifo_is_pending(port) && !evtchn_fifo_is_masked(port)) { +- if (unlikely(drop)) ++ if (unlikely(!ctrl)) + pr_warn("Dropping pending event for port %u\n", port); + else +- handle_irq_for_port(port); ++ handle_irq_for_port(port, ctrl); + } + + q->head[priority] = head; + } + +-static void __evtchn_fifo_handle_events(unsigned cpu, bool drop) ++static void __evtchn_fifo_handle_events(unsigned cpu, ++ struct evtchn_loop_ctrl *ctrl) + { + struct evtchn_fifo_control_block *control_block; + unsigned long ready; +@@ -336,14 +332,15 @@ static void __evtchn_fifo_handle_events(unsigned cpu, bool drop) + + while (ready) { + q = find_first_bit(&ready, EVTCHN_FIFO_MAX_QUEUES); +- consume_one_event(cpu, control_block, q, &ready, drop); ++ consume_one_event(cpu, ctrl, control_block, q, &ready); + ready |= xchg(&control_block->ready, 0); + } + } + +-static void evtchn_fifo_handle_events(unsigned cpu) ++static void evtchn_fifo_handle_events(unsigned cpu, ++ struct evtchn_loop_ctrl *ctrl) + { +- __evtchn_fifo_handle_events(cpu, false); ++ __evtchn_fifo_handle_events(cpu, ctrl); + } + + static void evtchn_fifo_resume(void) +@@ -381,21 +378,6 @@ static void evtchn_fifo_resume(void) + event_array_pages = 0; + } + +-static const struct evtchn_ops evtchn_ops_fifo = { +- .max_channels = evtchn_fifo_max_channels, +- .nr_channels = evtchn_fifo_nr_channels, +- .setup = evtchn_fifo_setup, +- .bind_to_cpu = evtchn_fifo_bind_to_cpu, +- .clear_pending = evtchn_fifo_clear_pending, +- .set_pending = evtchn_fifo_set_pending, +- .is_pending = evtchn_fifo_is_pending, +- .test_and_set_mask = evtchn_fifo_test_and_set_mask, +- .mask = evtchn_fifo_mask, +- .unmask = evtchn_fifo_unmask, +- .handle_events = evtchn_fifo_handle_events, +- .resume = evtchn_fifo_resume, +-}; +- + static int evtchn_fifo_alloc_control_block(unsigned cpu) + { + void *control_block = NULL; +@@ -418,29 +400,34 @@ static int evtchn_fifo_alloc_control_block(unsigned cpu) + return ret; + } + +-static int evtchn_fifo_cpu_notification(struct notifier_block *self, +- unsigned long action, +- void *hcpu) ++static int evtchn_fifo_percpu_init(unsigned int cpu) + { +- int cpu = (long)hcpu; +- int ret = 0; +- +- switch (action) { +- case CPU_UP_PREPARE: +- if (!per_cpu(cpu_control_block, cpu)) +- ret = evtchn_fifo_alloc_control_block(cpu); +- break; +- case CPU_DEAD: +- __evtchn_fifo_handle_events(cpu, true); +- break; +- default: +- break; +- } +- return ret < 0 ? NOTIFY_BAD : NOTIFY_OK; ++ if (!per_cpu(cpu_control_block, cpu)) ++ return evtchn_fifo_alloc_control_block(cpu); ++ return 0; ++} ++ ++static int evtchn_fifo_percpu_deinit(unsigned int cpu) ++{ ++ __evtchn_fifo_handle_events(cpu, NULL); ++ return 0; + } + +-static struct notifier_block evtchn_fifo_cpu_notifier = { +- .notifier_call = evtchn_fifo_cpu_notification, ++static const struct evtchn_ops evtchn_ops_fifo = { ++ .max_channels = evtchn_fifo_max_channels, ++ .nr_channels = evtchn_fifo_nr_channels, ++ .setup = evtchn_fifo_setup, ++ .bind_to_cpu = evtchn_fifo_bind_to_cpu, ++ .clear_pending = evtchn_fifo_clear_pending, ++ .set_pending = evtchn_fifo_set_pending, ++ .is_pending = evtchn_fifo_is_pending, ++ .test_and_set_mask = evtchn_fifo_test_and_set_mask, ++ .mask = evtchn_fifo_mask, ++ .unmask = evtchn_fifo_unmask, ++ .handle_events = evtchn_fifo_handle_events, ++ .resume = evtchn_fifo_resume, ++ .percpu_init = evtchn_fifo_percpu_init, ++ .percpu_deinit = evtchn_fifo_percpu_deinit, + }; + + int __init xen_evtchn_fifo_init(void) +@@ -456,7 +443,6 @@ int __init xen_evtchn_fifo_init(void) + + evtchn_ops = &evtchn_ops_fifo; + +- register_cpu_notifier(&evtchn_fifo_cpu_notifier); + out: + put_cpu(); + return ret; +diff --git a/drivers/xen/events/events_internal.h b/drivers/xen/events/events_internal.h +index 50c2050a1e320..b9b4f59198930 100644 +--- a/drivers/xen/events/events_internal.h ++++ b/drivers/xen/events/events_internal.h +@@ -32,11 +32,16 @@ enum xen_irq_type { + */ + struct irq_info { + struct list_head list; +- int refcnt; ++ struct list_head eoi_list; ++ short refcnt; ++ short spurious_cnt; + enum xen_irq_type type; /* type */ + unsigned irq; + unsigned int evtchn; /* event channel */ + unsigned short cpu; /* cpu bound */ ++ unsigned short eoi_cpu; /* EOI must happen on this cpu */ ++ unsigned int irq_epoch; /* If eoi_cpu valid: irq_epoch of event */ ++ u64 eoi_time; /* Time in jiffies when to EOI. */ + + union { + unsigned short virq; +@@ -55,6 +60,8 @@ struct irq_info { + #define PIRQ_SHAREABLE (1 << 1) + #define PIRQ_MSI_GROUP (1 << 2) + ++struct evtchn_loop_ctrl; ++ + struct evtchn_ops { + unsigned (*max_channels)(void); + unsigned (*nr_channels)(void); +@@ -69,14 +76,18 @@ struct evtchn_ops { + void (*mask)(unsigned port); + void (*unmask)(unsigned port); + +- void (*handle_events)(unsigned cpu); ++ void (*handle_events)(unsigned cpu, struct evtchn_loop_ctrl *ctrl); + void (*resume)(void); ++ ++ int (*percpu_init)(unsigned int cpu); ++ int (*percpu_deinit)(unsigned int cpu); + }; + + extern const struct evtchn_ops *evtchn_ops; + + extern int **evtchn_to_irq; + int get_evtchn_to_irq(unsigned int evtchn); ++void handle_irq_for_port(evtchn_port_t port, struct evtchn_loop_ctrl *ctrl); + + struct irq_info *info_for_irq(unsigned irq); + unsigned cpu_from_irq(unsigned irq); +@@ -134,9 +145,10 @@ static inline void unmask_evtchn(unsigned port) + return evtchn_ops->unmask(port); + } + +-static inline void xen_evtchn_handle_events(unsigned cpu) ++static inline void xen_evtchn_handle_events(unsigned cpu, ++ struct evtchn_loop_ctrl *ctrl) + { +- return evtchn_ops->handle_events(cpu); ++ return evtchn_ops->handle_events(cpu, ctrl); + } + + static inline void xen_evtchn_resume(void) +diff --git a/drivers/xen/evtchn.c b/drivers/xen/evtchn.c +index f4edd6df3df23..96c3007576b62 100644 +--- a/drivers/xen/evtchn.c ++++ b/drivers/xen/evtchn.c +@@ -173,7 +173,6 @@ static irqreturn_t evtchn_interrupt(int irq, void *data) + "Interrupt for port %d, but apparently not enabled; per-user %p\n", + evtchn->port, u); + +- disable_irq_nosync(irq); + evtchn->enabled = false; + + spin_lock(&u->ring_prod_lock); +@@ -299,7 +298,7 @@ static ssize_t evtchn_write(struct file *file, const char __user *buf, + evtchn = find_evtchn(u, port); + if (evtchn && !evtchn->enabled) { + evtchn->enabled = true; +- enable_irq(irq_from_evtchn(port)); ++ xen_irq_lateeoi(irq_from_evtchn(port), 0); + } + } + +@@ -399,8 +398,8 @@ static int evtchn_bind_to_user(struct per_user_data *u, int port) + if (rc < 0) + goto err; + +- rc = bind_evtchn_to_irqhandler(port, evtchn_interrupt, 0, +- u->name, evtchn); ++ rc = bind_evtchn_to_irqhandler_lateeoi(port, evtchn_interrupt, 0, ++ u->name, evtchn); + if (rc < 0) + goto err; + +diff --git a/drivers/xen/xen-pciback/pci_stub.c b/drivers/xen/xen-pciback/pci_stub.c +index 47c6df53cabfb..e21b82921c335 100644 +--- a/drivers/xen/xen-pciback/pci_stub.c ++++ b/drivers/xen/xen-pciback/pci_stub.c +@@ -681,10 +681,17 @@ static pci_ers_result_t common_process(struct pcistub_device *psdev, + wmb(); + notify_remote_via_irq(pdev->evtchn_irq); + ++ /* Enable IRQ to signal "request done". */ ++ xen_pcibk_lateeoi(pdev, 0); ++ + ret = wait_event_timeout(xen_pcibk_aer_wait_queue, + !(test_bit(_XEN_PCIB_active, (unsigned long *) + &sh_info->flags)), 300*HZ); + ++ /* Enable IRQ for pcifront request if not already active. */ ++ if (!test_bit(_PDEVF_op_active, &pdev->flags)) ++ xen_pcibk_lateeoi(pdev, 0); ++ + if (!ret) { + if (test_bit(_XEN_PCIB_active, + (unsigned long *)&sh_info->flags)) { +@@ -698,13 +705,6 @@ static pci_ers_result_t common_process(struct pcistub_device *psdev, + } + clear_bit(_PCIB_op_pending, (unsigned long *)&pdev->flags); + +- if (test_bit(_XEN_PCIF_active, +- (unsigned long *)&sh_info->flags)) { +- dev_dbg(&psdev->dev->dev, +- "schedule pci_conf service in " DRV_NAME "\n"); +- xen_pcibk_test_and_schedule_op(psdev->pdev); +- } +- + res = (pci_ers_result_t)aer_op->err; + return res; + } +diff --git a/drivers/xen/xen-pciback/pciback.h b/drivers/xen/xen-pciback/pciback.h +index 4d529f3e40df9..f44a425d1a5a1 100644 +--- a/drivers/xen/xen-pciback/pciback.h ++++ b/drivers/xen/xen-pciback/pciback.h +@@ -13,6 +13,7 @@ + #include <linux/spinlock.h> + #include <linux/workqueue.h> + #include <linux/atomic.h> ++#include <xen/events.h> + #include <xen/interface/io/pciif.h> + + #define DRV_NAME "xen-pciback" +@@ -26,6 +27,8 @@ struct pci_dev_entry { + #define PDEVF_op_active (1<<(_PDEVF_op_active)) + #define _PCIB_op_pending (1) + #define PCIB_op_pending (1<<(_PCIB_op_pending)) ++#define _EOI_pending (2) ++#define EOI_pending (1<<(_EOI_pending)) + + struct xen_pcibk_device { + void *pci_dev_data; +@@ -182,12 +185,17 @@ static inline void xen_pcibk_release_devices(struct xen_pcibk_device *pdev) + irqreturn_t xen_pcibk_handle_event(int irq, void *dev_id); + void xen_pcibk_do_op(struct work_struct *data); + ++static inline void xen_pcibk_lateeoi(struct xen_pcibk_device *pdev, ++ unsigned int eoi_flag) ++{ ++ if (test_and_clear_bit(_EOI_pending, &pdev->flags)) ++ xen_irq_lateeoi(pdev->evtchn_irq, eoi_flag); ++} ++ + int xen_pcibk_xenbus_register(void); + void xen_pcibk_xenbus_unregister(void); + + extern int verbose_request; +- +-void xen_pcibk_test_and_schedule_op(struct xen_pcibk_device *pdev); + #endif + + /* Handles shared IRQs that can to device domain and control domain. */ +diff --git a/drivers/xen/xen-pciback/pciback_ops.c b/drivers/xen/xen-pciback/pciback_ops.c +index 49c5f0e9600aa..232db7fcc5236 100644 +--- a/drivers/xen/xen-pciback/pciback_ops.c ++++ b/drivers/xen/xen-pciback/pciback_ops.c +@@ -296,26 +296,41 @@ int xen_pcibk_disable_msix(struct xen_pcibk_device *pdev, + return 0; + } + #endif ++ ++static inline bool xen_pcibk_test_op_pending(struct xen_pcibk_device *pdev) ++{ ++ return test_bit(_XEN_PCIF_active, ++ (unsigned long *)&pdev->sh_info->flags) && ++ !test_and_set_bit(_PDEVF_op_active, &pdev->flags); ++} ++ + /* + * Now the same evtchn is used for both pcifront conf_read_write request + * as well as pcie aer front end ack. We use a new work_queue to schedule + * xen_pcibk conf_read_write service for avoiding confict with aer_core + * do_recovery job which also use the system default work_queue + */ +-void xen_pcibk_test_and_schedule_op(struct xen_pcibk_device *pdev) ++static void xen_pcibk_test_and_schedule_op(struct xen_pcibk_device *pdev) + { ++ bool eoi = true; ++ + /* Check that frontend is requesting an operation and that we are not + * already processing a request */ +- if (test_bit(_XEN_PCIF_active, (unsigned long *)&pdev->sh_info->flags) +- && !test_and_set_bit(_PDEVF_op_active, &pdev->flags)) { ++ if (xen_pcibk_test_op_pending(pdev)) { + queue_work(xen_pcibk_wq, &pdev->op_work); ++ eoi = false; + } + /*_XEN_PCIB_active should have been cleared by pcifront. And also make + sure xen_pcibk is waiting for ack by checking _PCIB_op_pending*/ + if (!test_bit(_XEN_PCIB_active, (unsigned long *)&pdev->sh_info->flags) + && test_bit(_PCIB_op_pending, &pdev->flags)) { + wake_up(&xen_pcibk_aer_wait_queue); ++ eoi = false; + } ++ ++ /* EOI if there was nothing to do. */ ++ if (eoi) ++ xen_pcibk_lateeoi(pdev, XEN_EOI_FLAG_SPURIOUS); + } + + /* Performing the configuration space reads/writes must not be done in atomic +@@ -323,10 +338,8 @@ void xen_pcibk_test_and_schedule_op(struct xen_pcibk_device *pdev) + * use of semaphores). This function is intended to be called from a work + * queue in process context taking a struct xen_pcibk_device as a parameter */ + +-void xen_pcibk_do_op(struct work_struct *data) ++static void xen_pcibk_do_one_op(struct xen_pcibk_device *pdev) + { +- struct xen_pcibk_device *pdev = +- container_of(data, struct xen_pcibk_device, op_work); + struct pci_dev *dev; + struct xen_pcibk_dev_data *dev_data = NULL; + struct xen_pci_op *op = &pdev->op; +@@ -399,16 +412,31 @@ void xen_pcibk_do_op(struct work_struct *data) + smp_mb__before_atomic(); /* /after/ clearing PCIF_active */ + clear_bit(_PDEVF_op_active, &pdev->flags); + smp_mb__after_atomic(); /* /before/ final check for work */ ++} + +- /* Check to see if the driver domain tried to start another request in +- * between clearing _XEN_PCIF_active and clearing _PDEVF_op_active. +- */ +- xen_pcibk_test_and_schedule_op(pdev); ++void xen_pcibk_do_op(struct work_struct *data) ++{ ++ struct xen_pcibk_device *pdev = ++ container_of(data, struct xen_pcibk_device, op_work); ++ ++ do { ++ xen_pcibk_do_one_op(pdev); ++ } while (xen_pcibk_test_op_pending(pdev)); ++ ++ xen_pcibk_lateeoi(pdev, 0); + } + + irqreturn_t xen_pcibk_handle_event(int irq, void *dev_id) + { + struct xen_pcibk_device *pdev = dev_id; ++ bool eoi; ++ ++ /* IRQs might come in before pdev->evtchn_irq is written. */ ++ if (unlikely(pdev->evtchn_irq != irq)) ++ pdev->evtchn_irq = irq; ++ ++ eoi = test_and_set_bit(_EOI_pending, &pdev->flags); ++ WARN(eoi, "IRQ while EOI pending\n"); + + xen_pcibk_test_and_schedule_op(pdev); + +diff --git a/drivers/xen/xen-pciback/xenbus.c b/drivers/xen/xen-pciback/xenbus.c +index 4843741e703a3..48196347f2f94 100644 +--- a/drivers/xen/xen-pciback/xenbus.c ++++ b/drivers/xen/xen-pciback/xenbus.c +@@ -124,7 +124,7 @@ static int xen_pcibk_do_attach(struct xen_pcibk_device *pdev, int gnt_ref, + + pdev->sh_info = vaddr; + +- err = bind_interdomain_evtchn_to_irqhandler( ++ err = bind_interdomain_evtchn_to_irqhandler_lateeoi( + pdev->xdev->otherend_id, remote_evtchn, xen_pcibk_handle_event, + 0, DRV_NAME, pdev); + if (err < 0) { +diff --git a/drivers/xen/xen-scsiback.c b/drivers/xen/xen-scsiback.c +index 51387d75c7bf1..29a1b8054a4dc 100644 +--- a/drivers/xen/xen-scsiback.c ++++ b/drivers/xen/xen-scsiback.c +@@ -91,7 +91,6 @@ struct vscsibk_info { + unsigned int irq; + + struct vscsiif_back_ring ring; +- int ring_error; + + spinlock_t ring_lock; + atomic_t nr_unreplied_reqs; +@@ -698,7 +697,8 @@ static int prepare_pending_reqs(struct vscsibk_info *info, + return 0; + } + +-static int scsiback_do_cmd_fn(struct vscsibk_info *info) ++static int scsiback_do_cmd_fn(struct vscsibk_info *info, ++ unsigned int *eoi_flags) + { + struct vscsiif_back_ring *ring = &info->ring; + struct vscsiif_request ring_req; +@@ -715,11 +715,12 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info) + rc = ring->rsp_prod_pvt; + pr_warn("Dom%d provided bogus ring requests (%#x - %#x = %u). Halting ring processing\n", + info->domid, rp, rc, rp - rc); +- info->ring_error = 1; +- return 0; ++ return -EINVAL; + } + + while ((rc != rp)) { ++ *eoi_flags &= ~XEN_EOI_FLAG_SPURIOUS; ++ + if (RING_REQUEST_CONS_OVERFLOW(ring, rc)) + break; + pending_req = kmem_cache_alloc(scsiback_cachep, GFP_KERNEL); +@@ -782,13 +783,16 @@ static int scsiback_do_cmd_fn(struct vscsibk_info *info) + static irqreturn_t scsiback_irq_fn(int irq, void *dev_id) + { + struct vscsibk_info *info = dev_id; ++ int rc; ++ unsigned int eoi_flags = XEN_EOI_FLAG_SPURIOUS; + +- if (info->ring_error) +- return IRQ_HANDLED; +- +- while (scsiback_do_cmd_fn(info)) ++ while ((rc = scsiback_do_cmd_fn(info, &eoi_flags)) > 0) + cond_resched(); + ++ /* In case of a ring error we keep the event channel masked. */ ++ if (!rc) ++ xen_irq_lateeoi(irq, eoi_flags); ++ + return IRQ_HANDLED; + } + +@@ -809,7 +813,7 @@ static int scsiback_init_sring(struct vscsibk_info *info, grant_ref_t ring_ref, + sring = (struct vscsiif_sring *)area; + BACK_RING_INIT(&info->ring, sring, PAGE_SIZE); + +- err = bind_interdomain_evtchn_to_irq(info->domid, evtchn); ++ err = bind_interdomain_evtchn_to_irq_lateeoi(info->domid, evtchn); + if (err < 0) + goto unmap_page; + +@@ -1210,7 +1214,6 @@ static int scsiback_probe(struct xenbus_device *dev, + + info->domid = dev->otherend_id; + spin_lock_init(&info->ring_lock); +- info->ring_error = 0; + atomic_set(&info->nr_unreplied_reqs, 0); + init_waitqueue_head(&info->waiting_to_free); + info->dev = dev; +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index 97a80238fdee3..b28bc7690d4b3 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4000,6 +4000,10 @@ retry: + if (!ret) { + free_extent_buffer(eb); + continue; ++ } else if (ret < 0) { ++ done = 1; ++ free_extent_buffer(eb); ++ break; + } + + ret = write_one_eb(eb, fs_info, wbc, &epd); +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 67366515a29d2..f35e18e76f160 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3856,6 +3856,8 @@ process_slot: + ret = -EINTR; + goto out; + } ++ ++ cond_resched(); + } + ret = 0; + +diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c +index 211ac472cb9dc..942874257a092 100644 +--- a/fs/cifs/cifs_unicode.c ++++ b/fs/cifs/cifs_unicode.c +@@ -493,7 +493,13 @@ cifsConvertToUTF16(__le16 *target, const char *source, int srclen, + else if (map_chars == SFM_MAP_UNI_RSVD) { + bool end_of_string; + +- if (i == srclen - 1) ++ /** ++ * Remap spaces and periods found at the end of every ++ * component of the path. The special cases of '.' and ++ * '..' do not need to be dealt with explicitly because ++ * they are addressed in namei.c:link_path_walk(). ++ **/ ++ if ((i == srclen - 1) || (source[i+1] == '\\')) + end_of_string = true; + else + end_of_string = false; +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 00f9433eea23a..df585267d3c25 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1892,6 +1892,7 @@ void ext4_inline_data_truncate(struct inode *inode, int *has_inline) + + ext4_write_lock_xattr(inode, &no_expand); + if (!ext4_has_inline_data(inode)) { ++ ext4_write_unlock_xattr(inode, &no_expand); + *has_inline = 0; + ext4_journal_stop(handle); + return; +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 6350971852e19..7a5a1602ee01d 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1452,8 +1452,8 @@ static const struct mount_opts { + MOPT_SET | MOPT_Q}, + {Opt_noquota, (EXT4_MOUNT_QUOTA | EXT4_MOUNT_USRQUOTA | + EXT4_MOUNT_GRPQUOTA), MOPT_CLEAR | MOPT_Q}, +- {Opt_usrjquota, 0, MOPT_Q}, +- {Opt_grpjquota, 0, MOPT_Q}, ++ {Opt_usrjquota, 0, MOPT_Q | MOPT_STRING}, ++ {Opt_grpjquota, 0, MOPT_Q | MOPT_STRING}, + {Opt_offusrjquota, 0, MOPT_Q}, + {Opt_offgrpjquota, 0, MOPT_Q}, + {Opt_jqfmt_vfsold, QFMT_VFS_OLD, MOPT_QFMT}, +@@ -4168,6 +4168,7 @@ cantfind_ext4: + #ifdef CONFIG_QUOTA + failed_mount8: + ext4_unregister_sysfs(sb); ++ kobject_put(&sbi->s_kobj); + #endif + failed_mount7: + ext4_unregister_li_request(sb); +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 1eb737c466ddc..8e8695eb652af 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -751,7 +751,8 @@ again: + } + kfree(gl->gl_lksb.sb_lvbptr); + kmem_cache_free(cachep, gl); +- atomic_dec(&sdp->sd_glock_disposal); ++ if (atomic_dec_and_test(&sdp->sd_glock_disposal)) ++ wake_up(&sdp->sd_glock_wait); + *glp = tmp; + + return ret; +diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c +index 2736e9cfc2ee9..faa5e0e2c4493 100644 +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -747,9 +747,9 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp) + } + + gfs2_free_clones(rgd); ++ return_all_reservations(rgd); + kfree(rgd->rd_bits); + rgd->rd_bits = NULL; +- return_all_reservations(rgd); + kmem_cache_free(gfs2_rgrpd_cachep, rgd); + } + } +@@ -1388,6 +1388,9 @@ int gfs2_fitrim(struct file *filp, void __user *argp) + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + ++ if (!test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags)) ++ return -EROFS; ++ + if (!blk_queue_discard(q)) + return -EOPNOTSUPP; + +diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c +index d97403bb36226..0ee1f088bace8 100644 +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -1751,6 +1751,7 @@ static void ocfs2_inode_init_once(void *data) + + oi->ip_blkno = 0ULL; + oi->ip_clusters = 0; ++ oi->ip_next_orphan = NULL; + + ocfs2_resv_init_once(&oi->ip_la_data_resv); + +diff --git a/fs/xfs/xfs_pnfs.c b/fs/xfs/xfs_pnfs.c +index dc6221942b85f..ab66ea0a72bfb 100644 +--- a/fs/xfs/xfs_pnfs.c ++++ b/fs/xfs/xfs_pnfs.c +@@ -162,7 +162,7 @@ xfs_fs_map_blocks( + goto out_unlock; + error = invalidate_inode_pages2(inode->i_mapping); + if (WARN_ON_ONCE(error)) +- return error; ++ goto out_unlock; + + end_fsb = XFS_B_TO_FSB(mp, (xfs_ufsize_t)offset + length); + offset_fsb = XFS_B_TO_FSBT(mp, offset); +diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h +index 51bb6532785c3..1a2111c775ae1 100644 +--- a/include/linux/can/skb.h ++++ b/include/linux/can/skb.h +@@ -60,21 +60,17 @@ static inline void can_skb_set_owner(struct sk_buff *skb, struct sock *sk) + */ + static inline struct sk_buff *can_create_echo_skb(struct sk_buff *skb) + { +- if (skb_shared(skb)) { +- struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); ++ struct sk_buff *nskb; + +- if (likely(nskb)) { +- can_skb_set_owner(nskb, skb->sk); +- consume_skb(skb); +- return nskb; +- } else { +- kfree_skb(skb); +- return NULL; +- } ++ nskb = skb_clone(skb, GFP_ATOMIC); ++ if (unlikely(!nskb)) { ++ kfree_skb(skb); ++ return NULL; + } + +- /* we can assume to have an unshared skb with proper owner */ +- return skb; ++ can_skb_set_owner(nskb, skb->sk); ++ consume_skb(skb); ++ return nskb; + } + + #endif /* !_CAN_SKB_H */ +diff --git a/include/linux/prandom.h b/include/linux/prandom.h +index aa16e6468f91e..cc1e71334e53c 100644 +--- a/include/linux/prandom.h ++++ b/include/linux/prandom.h +@@ -16,12 +16,44 @@ void prandom_bytes(void *buf, size_t nbytes); + void prandom_seed(u32 seed); + void prandom_reseed_late(void); + ++#if BITS_PER_LONG == 64 ++/* ++ * The core SipHash round function. Each line can be executed in ++ * parallel given enough CPU resources. ++ */ ++#define PRND_SIPROUND(v0, v1, v2, v3) ( \ ++ v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \ ++ v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \ ++ v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \ ++ v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) \ ++) ++ ++#define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261) ++#define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573) ++ ++#elif BITS_PER_LONG == 32 ++/* ++ * On 32-bit machines, we use HSipHash, a reduced-width version of SipHash. ++ * This is weaker, but 32-bit machines are not used for high-traffic ++ * applications, so there is less output for an attacker to analyze. ++ */ ++#define PRND_SIPROUND(v0, v1, v2, v3) ( \ ++ v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \ ++ v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \ ++ v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \ ++ v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) \ ++) ++#define PRND_K0 0x6c796765 ++#define PRND_K1 0x74656462 ++ ++#else ++#error Unsupported BITS_PER_LONG ++#endif ++ + struct rnd_state { + __u32 s1, s2, s3, s4; + }; + +-DECLARE_PER_CPU(struct rnd_state, net_rand_state); +- + u32 prandom_u32_state(struct rnd_state *state); + void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes); + void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state); +diff --git a/include/linux/time64.h b/include/linux/time64.h +index 367d5af899e81..10239cffd70f8 100644 +--- a/include/linux/time64.h ++++ b/include/linux/time64.h +@@ -197,6 +197,10 @@ static inline bool timespec64_valid_strict(const struct timespec64 *ts) + */ + static inline s64 timespec64_to_ns(const struct timespec64 *ts) + { ++ /* Prevent multiplication overflow */ ++ if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX) ++ return KTIME_MAX; ++ + return ((s64) ts->tv_sec * NSEC_PER_SEC) + ts->tv_nsec; + } + +diff --git a/include/xen/events.h b/include/xen/events.h +index 88da2abaf5359..ad0c61cf399be 100644 +--- a/include/xen/events.h ++++ b/include/xen/events.h +@@ -12,11 +12,16 @@ + + unsigned xen_evtchn_nr_channels(void); + +-int bind_evtchn_to_irq(unsigned int evtchn); +-int bind_evtchn_to_irqhandler(unsigned int evtchn, ++int bind_evtchn_to_irq(evtchn_port_t evtchn); ++int bind_evtchn_to_irq_lateeoi(evtchn_port_t evtchn); ++int bind_evtchn_to_irqhandler(evtchn_port_t evtchn, + irq_handler_t handler, + unsigned long irqflags, const char *devname, + void *dev_id); ++int bind_evtchn_to_irqhandler_lateeoi(evtchn_port_t evtchn, ++ irq_handler_t handler, ++ unsigned long irqflags, const char *devname, ++ void *dev_id); + int bind_virq_to_irq(unsigned int virq, unsigned int cpu, bool percpu); + int bind_virq_to_irqhandler(unsigned int virq, unsigned int cpu, + irq_handler_t handler, +@@ -29,13 +34,21 @@ int bind_ipi_to_irqhandler(enum ipi_vector ipi, + const char *devname, + void *dev_id); + int bind_interdomain_evtchn_to_irq(unsigned int remote_domain, +- unsigned int remote_port); ++ evtchn_port_t remote_port); ++int bind_interdomain_evtchn_to_irq_lateeoi(unsigned int remote_domain, ++ evtchn_port_t remote_port); + int bind_interdomain_evtchn_to_irqhandler(unsigned int remote_domain, +- unsigned int remote_port, ++ evtchn_port_t remote_port, + irq_handler_t handler, + unsigned long irqflags, + const char *devname, + void *dev_id); ++int bind_interdomain_evtchn_to_irqhandler_lateeoi(unsigned int remote_domain, ++ evtchn_port_t remote_port, ++ irq_handler_t handler, ++ unsigned long irqflags, ++ const char *devname, ++ void *dev_id); + + /* + * Common unbind function for all event sources. Takes IRQ to unbind from. +@@ -44,6 +57,14 @@ int bind_interdomain_evtchn_to_irqhandler(unsigned int remote_domain, + */ + void unbind_from_irqhandler(unsigned int irq, void *dev_id); + ++/* ++ * Send late EOI for an IRQ bound to an event channel via one of the *_lateeoi ++ * functions above. ++ */ ++void xen_irq_lateeoi(unsigned int irq, unsigned int eoi_flags); ++/* Signal an event was spurious, i.e. there was no action resulting from it. */ ++#define XEN_EOI_FLAG_SPURIOUS 0x00000001 ++ + #define XEN_IRQ_PRIORITY_MAX EVTCHN_FIFO_PRIORITY_MAX + #define XEN_IRQ_PRIORITY_DEFAULT EVTCHN_FIFO_PRIORITY_DEFAULT + #define XEN_IRQ_PRIORITY_MIN EVTCHN_FIFO_PRIORITY_MIN +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 388ce03155b40..d399748ea86b5 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -4664,11 +4664,11 @@ static void perf_mmap_open(struct vm_area_struct *vma) + static void perf_mmap_close(struct vm_area_struct *vma) + { + struct perf_event *event = vma->vm_file->private_data; +- + struct ring_buffer *rb = ring_buffer_get(event); + struct user_struct *mmap_user = rb->mmap_user; + int mmap_locked = rb->mmap_locked; + unsigned long size = perf_data_size(rb); ++ bool detach_rest = false; + + if (event->pmu->event_unmapped) + event->pmu->event_unmapped(event); +@@ -4687,7 +4687,8 @@ static void perf_mmap_close(struct vm_area_struct *vma) + mutex_unlock(&event->mmap_mutex); + } + +- atomic_dec(&rb->mmap_count); ++ if (atomic_dec_and_test(&rb->mmap_count)) ++ detach_rest = true; + + if (!atomic_dec_and_mutex_lock(&event->mmap_count, &event->mmap_mutex)) + goto out_put; +@@ -4696,7 +4697,7 @@ static void perf_mmap_close(struct vm_area_struct *vma) + mutex_unlock(&event->mmap_mutex); + + /* If there's still other mmap()s of this buffer, we're done. */ +- if (atomic_read(&rb->mmap_count)) ++ if (!detach_rest) + goto out_put; + + /* +diff --git a/kernel/events/internal.h b/kernel/events/internal.h +index 2bbad9c1274c3..8baa3121e7a6b 100644 +--- a/kernel/events/internal.h ++++ b/kernel/events/internal.h +@@ -193,7 +193,7 @@ static inline int get_recursion_context(int *recursion) + rctx = 3; + else if (in_irq()) + rctx = 2; +- else if (in_softirq()) ++ else if (in_serving_softirq()) + rctx = 1; + else + rctx = 0; +diff --git a/kernel/exit.c b/kernel/exit.c +index 03f6722302b54..5c20a32c95392 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -408,7 +408,10 @@ static void exit_mm(struct task_struct *tsk) + up_read(&mm->mmap_sem); + + self.task = tsk; +- self.next = xchg(&core_state->dumper.next, &self); ++ if (self.task->flags & PF_SIGNALED) ++ self.next = xchg(&core_state->dumper.next, &self); ++ else ++ self.task = NULL; + /* + * Implies mb(), the result of xchg() must be visible + * to core_state->dumper. +diff --git a/kernel/reboot.c b/kernel/reboot.c +index bd30a973fe946..2946ed1d99d4d 100644 +--- a/kernel/reboot.c ++++ b/kernel/reboot.c +@@ -512,22 +512,22 @@ static int __init reboot_setup(char *str) + break; + + case 's': +- { +- int rc; +- +- if (isdigit(*(str+1))) { +- rc = kstrtoint(str+1, 0, &reboot_cpu); +- if (rc) +- return rc; +- } else if (str[1] == 'm' && str[2] == 'p' && +- isdigit(*(str+3))) { +- rc = kstrtoint(str+3, 0, &reboot_cpu); +- if (rc) +- return rc; +- } else ++ if (isdigit(*(str+1))) ++ reboot_cpu = simple_strtoul(str+1, NULL, 0); ++ else if (str[1] == 'm' && str[2] == 'p' && ++ isdigit(*(str+3))) ++ reboot_cpu = simple_strtoul(str+3, NULL, 0); ++ else + reboot_mode = REBOOT_SOFT; ++ if (reboot_cpu >= num_possible_cpus()) { ++ pr_err("Ignoring the CPU number in reboot= option. " ++ "CPU %d exceeds possible cpu number %d\n", ++ reboot_cpu, num_possible_cpus()); ++ reboot_cpu = 0; ++ break; ++ } + break; +- } ++ + case 'g': + reboot_mode = REBOOT_GPIO; + break; +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index 43bee4993187c..6ca409a460308 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1432,13 +1432,6 @@ void update_process_times(int user_tick) + #endif + scheduler_tick(); + run_posix_cpu_timers(p); +- +- /* The current CPU might make use of net randoms without receiving IRQs +- * to renew them often enough. Let's update the net_rand_state from a +- * non-constant value that's not affine to the number of calls to make +- * sure it's updated when there's some activity (we don't care in idle). +- */ +- this_cpu_add(net_rand_state.s1, rol32(jiffies, 24) + user_tick); + } + + /* +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 1c1ecc1d49ad2..547a3a5ac57b5 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -416,14 +416,16 @@ struct rb_event_info { + + /* + * Used for which event context the event is in. +- * NMI = 0 +- * IRQ = 1 +- * SOFTIRQ = 2 +- * NORMAL = 3 ++ * TRANSITION = 0 ++ * NMI = 1 ++ * IRQ = 2 ++ * SOFTIRQ = 3 ++ * NORMAL = 4 + * + * See trace_recursive_lock() comment below for more details. + */ + enum { ++ RB_CTX_TRANSITION, + RB_CTX_NMI, + RB_CTX_IRQ, + RB_CTX_SOFTIRQ, +@@ -2585,10 +2587,10 @@ rb_wakeups(struct ring_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer) + * a bit of overhead in something as critical as function tracing, + * we use a bitmask trick. + * +- * bit 0 = NMI context +- * bit 1 = IRQ context +- * bit 2 = SoftIRQ context +- * bit 3 = normal context. ++ * bit 1 = NMI context ++ * bit 2 = IRQ context ++ * bit 3 = SoftIRQ context ++ * bit 4 = normal context. + * + * This works because this is the order of contexts that can + * preempt other contexts. A SoftIRQ never preempts an IRQ +@@ -2611,6 +2613,30 @@ rb_wakeups(struct ring_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer) + * The least significant bit can be cleared this way, and it + * just so happens that it is the same bit corresponding to + * the current context. ++ * ++ * Now the TRANSITION bit breaks the above slightly. The TRANSITION bit ++ * is set when a recursion is detected at the current context, and if ++ * the TRANSITION bit is already set, it will fail the recursion. ++ * This is needed because there's a lag between the changing of ++ * interrupt context and updating the preempt count. In this case, ++ * a false positive will be found. To handle this, one extra recursion ++ * is allowed, and this is done by the TRANSITION bit. If the TRANSITION ++ * bit is already set, then it is considered a recursion and the function ++ * ends. Otherwise, the TRANSITION bit is set, and that bit is returned. ++ * ++ * On the trace_recursive_unlock(), the TRANSITION bit will be the first ++ * to be cleared. Even if it wasn't the context that set it. That is, ++ * if an interrupt comes in while NORMAL bit is set and the ring buffer ++ * is called before preempt_count() is updated, since the check will ++ * be on the NORMAL bit, the TRANSITION bit will then be set. If an ++ * NMI then comes in, it will set the NMI bit, but when the NMI code ++ * does the trace_recursive_unlock() it will clear the TRANSTION bit ++ * and leave the NMI bit set. But this is fine, because the interrupt ++ * code that set the TRANSITION bit will then clear the NMI bit when it ++ * calls trace_recursive_unlock(). If another NMI comes in, it will ++ * set the TRANSITION bit and continue. ++ * ++ * Note: The TRANSITION bit only handles a single transition between context. + */ + + static __always_inline int +@@ -2629,8 +2655,16 @@ trace_recursive_lock(struct ring_buffer_per_cpu *cpu_buffer) + } else + bit = RB_CTX_NORMAL; + +- if (unlikely(val & (1 << bit))) +- return 1; ++ if (unlikely(val & (1 << bit))) { ++ /* ++ * It is possible that this was called by transitioning ++ * between interrupt context, and preempt_count() has not ++ * been updated yet. In this case, use the TRANSITION bit. ++ */ ++ bit = RB_CTX_TRANSITION; ++ if (val & (1 << bit)) ++ return 1; ++ } + + val |= (1 << bit); + cpu_buffer->current_context = val; +diff --git a/lib/random32.c b/lib/random32.c +index 8072ccd9eed58..17e5780eebd72 100644 +--- a/lib/random32.c ++++ b/lib/random32.c +@@ -39,16 +39,6 @@ + #include <linux/sched.h> + #include <asm/unaligned.h> + +-#ifdef CONFIG_RANDOM32_SELFTEST +-static void __init prandom_state_selftest(void); +-#else +-static inline void prandom_state_selftest(void) +-{ +-} +-#endif +- +-DEFINE_PER_CPU(struct rnd_state, net_rand_state); +- + /** + * prandom_u32_state - seeded pseudo-random number generator. + * @state: pointer to state structure holding seeded state. +@@ -68,25 +58,6 @@ u32 prandom_u32_state(struct rnd_state *state) + } + EXPORT_SYMBOL(prandom_u32_state); + +-/** +- * prandom_u32 - pseudo random number generator +- * +- * A 32 bit pseudo-random number is generated using a fast +- * algorithm suitable for simulation. This algorithm is NOT +- * considered safe for cryptographic use. +- */ +-u32 prandom_u32(void) +-{ +- struct rnd_state *state = &get_cpu_var(net_rand_state); +- u32 res; +- +- res = prandom_u32_state(state); +- put_cpu_var(state); +- +- return res; +-} +-EXPORT_SYMBOL(prandom_u32); +- + /** + * prandom_bytes_state - get the requested number of pseudo-random bytes + * +@@ -118,20 +89,6 @@ void prandom_bytes_state(struct rnd_state *state, void *buf, size_t bytes) + } + EXPORT_SYMBOL(prandom_bytes_state); + +-/** +- * prandom_bytes - get the requested number of pseudo-random bytes +- * @buf: where to copy the pseudo-random bytes to +- * @bytes: the requested number of bytes +- */ +-void prandom_bytes(void *buf, size_t bytes) +-{ +- struct rnd_state *state = &get_cpu_var(net_rand_state); +- +- prandom_bytes_state(state, buf, bytes); +- put_cpu_var(state); +-} +-EXPORT_SYMBOL(prandom_bytes); +- + static void prandom_warmup(struct rnd_state *state) + { + /* Calling RNG ten times to satisfy recurrence condition */ +@@ -147,97 +104,6 @@ static void prandom_warmup(struct rnd_state *state) + prandom_u32_state(state); + } + +-static u32 __extract_hwseed(void) +-{ +- unsigned int val = 0; +- +- (void)(arch_get_random_seed_int(&val) || +- arch_get_random_int(&val)); +- +- return val; +-} +- +-static void prandom_seed_early(struct rnd_state *state, u32 seed, +- bool mix_with_hwseed) +-{ +-#define LCG(x) ((x) * 69069U) /* super-duper LCG */ +-#define HWSEED() (mix_with_hwseed ? __extract_hwseed() : 0) +- state->s1 = __seed(HWSEED() ^ LCG(seed), 2U); +- state->s2 = __seed(HWSEED() ^ LCG(state->s1), 8U); +- state->s3 = __seed(HWSEED() ^ LCG(state->s2), 16U); +- state->s4 = __seed(HWSEED() ^ LCG(state->s3), 128U); +-} +- +-/** +- * prandom_seed - add entropy to pseudo random number generator +- * @seed: seed value +- * +- * Add some additional seeding to the prandom pool. +- */ +-void prandom_seed(u32 entropy) +-{ +- int i; +- /* +- * No locking on the CPUs, but then somewhat random results are, well, +- * expected. +- */ +- for_each_possible_cpu(i) { +- struct rnd_state *state = &per_cpu(net_rand_state, i); +- +- state->s1 = __seed(state->s1 ^ entropy, 2U); +- prandom_warmup(state); +- } +-} +-EXPORT_SYMBOL(prandom_seed); +- +-/* +- * Generate some initially weak seeding values to allow +- * to start the prandom_u32() engine. +- */ +-static int __init prandom_init(void) +-{ +- int i; +- +- prandom_state_selftest(); +- +- for_each_possible_cpu(i) { +- struct rnd_state *state = &per_cpu(net_rand_state, i); +- u32 weak_seed = (i + jiffies) ^ random_get_entropy(); +- +- prandom_seed_early(state, weak_seed, true); +- prandom_warmup(state); +- } +- +- return 0; +-} +-core_initcall(prandom_init); +- +-static void __prandom_timer(unsigned long dontcare); +- +-static DEFINE_TIMER(seed_timer, __prandom_timer, 0, 0); +- +-static void __prandom_timer(unsigned long dontcare) +-{ +- u32 entropy; +- unsigned long expires; +- +- get_random_bytes(&entropy, sizeof(entropy)); +- prandom_seed(entropy); +- +- /* reseed every ~60 seconds, in [40 .. 80) interval with slack */ +- expires = 40 + prandom_u32_max(40); +- seed_timer.expires = jiffies + msecs_to_jiffies(expires * MSEC_PER_SEC); +- +- add_timer(&seed_timer); +-} +- +-static void __init __prandom_start_seed_timer(void) +-{ +- set_timer_slack(&seed_timer, HZ); +- seed_timer.expires = jiffies + msecs_to_jiffies(40 * MSEC_PER_SEC); +- add_timer(&seed_timer); +-} +- + void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state) + { + int i; +@@ -256,51 +122,6 @@ void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state) + } + } + +-/* +- * Generate better values after random number generator +- * is fully initialized. +- */ +-static void __prandom_reseed(bool late) +-{ +- unsigned long flags; +- static bool latch = false; +- static DEFINE_SPINLOCK(lock); +- +- /* Asking for random bytes might result in bytes getting +- * moved into the nonblocking pool and thus marking it +- * as initialized. In this case we would double back into +- * this function and attempt to do a late reseed. +- * Ignore the pointless attempt to reseed again if we're +- * already waiting for bytes when the nonblocking pool +- * got initialized. +- */ +- +- /* only allow initial seeding (late == false) once */ +- if (!spin_trylock_irqsave(&lock, flags)) +- return; +- +- if (latch && !late) +- goto out; +- +- latch = true; +- prandom_seed_full_state(&net_rand_state); +-out: +- spin_unlock_irqrestore(&lock, flags); +-} +- +-void prandom_reseed_late(void) +-{ +- __prandom_reseed(true); +-} +- +-static int __init prandom_reseed(void) +-{ +- __prandom_reseed(false); +- __prandom_start_seed_timer(); +- return 0; +-} +-late_initcall(prandom_reseed); +- + #ifdef CONFIG_RANDOM32_SELFTEST + static struct prandom_test1 { + u32 seed; +@@ -420,7 +241,28 @@ static struct prandom_test2 { + { 407983964U, 921U, 728767059U }, + }; + +-static void __init prandom_state_selftest(void) ++static u32 __extract_hwseed(void) ++{ ++ unsigned int val = 0; ++ ++ (void)(arch_get_random_seed_int(&val) || ++ arch_get_random_int(&val)); ++ ++ return val; ++} ++ ++static void prandom_seed_early(struct rnd_state *state, u32 seed, ++ bool mix_with_hwseed) ++{ ++#define LCG(x) ((x) * 69069U) /* super-duper LCG */ ++#define HWSEED() (mix_with_hwseed ? __extract_hwseed() : 0) ++ state->s1 = __seed(HWSEED() ^ LCG(seed), 2U); ++ state->s2 = __seed(HWSEED() ^ LCG(state->s1), 8U); ++ state->s3 = __seed(HWSEED() ^ LCG(state->s2), 16U); ++ state->s4 = __seed(HWSEED() ^ LCG(state->s3), 128U); ++} ++ ++static int __init prandom_state_selftest(void) + { + int i, j, errors = 0, runs = 0; + bool error = false; +@@ -460,5 +302,266 @@ static void __init prandom_state_selftest(void) + pr_warn("prandom: %d/%d self tests failed\n", errors, runs); + else + pr_info("prandom: %d self tests passed\n", runs); ++ return 0; + } ++core_initcall(prandom_state_selftest); + #endif ++ ++/* ++ * The prandom_u32() implementation is now completely separate from the ++ * prandom_state() functions, which are retained (for now) for compatibility. ++ * ++ * Because of (ab)use in the networking code for choosing random TCP/UDP port ++ * numbers, which open DoS possibilities if guessable, we want something ++ * stronger than a standard PRNG. But the performance requirements of ++ * the network code do not allow robust crypto for this application. ++ * ++ * So this is a homebrew Junior Spaceman implementation, based on the ++ * lowest-latency trustworthy crypto primitive available, SipHash. ++ * (The authors of SipHash have not been consulted about this abuse of ++ * their work.) ++ * ++ * Standard SipHash-2-4 uses 2n+4 rounds to hash n words of input to ++ * one word of output. This abbreviated version uses 2 rounds per word ++ * of output. ++ */ ++ ++struct siprand_state { ++ unsigned long v0; ++ unsigned long v1; ++ unsigned long v2; ++ unsigned long v3; ++}; ++ ++static DEFINE_PER_CPU(struct siprand_state, net_rand_state); ++ ++/* ++ * This is the core CPRNG function. As "pseudorandom", this is not used ++ * for truly valuable things, just intended to be a PITA to guess. ++ * For maximum speed, we do just two SipHash rounds per word. This is ++ * the same rate as 4 rounds per 64 bits that SipHash normally uses, ++ * so hopefully it's reasonably secure. ++ * ++ * There are two changes from the official SipHash finalization: ++ * - We omit some constants XORed with v2 in the SipHash spec as irrelevant; ++ * they are there only to make the output rounds distinct from the input ++ * rounds, and this application has no input rounds. ++ * - Rather than returning v0^v1^v2^v3, return v1+v3. ++ * If you look at the SipHash round, the last operation on v3 is ++ * "v3 ^= v0", so "v0 ^ v3" just undoes that, a waste of time. ++ * Likewise "v1 ^= v2". (The rotate of v2 makes a difference, but ++ * it still cancels out half of the bits in v2 for no benefit.) ++ * Second, since the last combining operation was xor, continue the ++ * pattern of alternating xor/add for a tiny bit of extra non-linearity. ++ */ ++static inline u32 siprand_u32(struct siprand_state *s) ++{ ++ unsigned long v0 = s->v0, v1 = s->v1, v2 = s->v2, v3 = s->v3; ++ ++ PRND_SIPROUND(v0, v1, v2, v3); ++ PRND_SIPROUND(v0, v1, v2, v3); ++ s->v0 = v0; s->v1 = v1; s->v2 = v2; s->v3 = v3; ++ return v1 + v3; ++} ++ ++ ++/** ++ * prandom_u32 - pseudo random number generator ++ * ++ * A 32 bit pseudo-random number is generated using a fast ++ * algorithm suitable for simulation. This algorithm is NOT ++ * considered safe for cryptographic use. ++ */ ++u32 prandom_u32(void) ++{ ++ struct siprand_state *state = get_cpu_ptr(&net_rand_state); ++ u32 res = siprand_u32(state); ++ ++ put_cpu_ptr(&net_rand_state); ++ return res; ++} ++EXPORT_SYMBOL(prandom_u32); ++ ++/** ++ * prandom_bytes - get the requested number of pseudo-random bytes ++ * @buf: where to copy the pseudo-random bytes to ++ * @bytes: the requested number of bytes ++ */ ++void prandom_bytes(void *buf, size_t bytes) ++{ ++ struct siprand_state *state = get_cpu_ptr(&net_rand_state); ++ u8 *ptr = buf; ++ ++ while (bytes >= sizeof(u32)) { ++ put_unaligned(siprand_u32(state), (u32 *)ptr); ++ ptr += sizeof(u32); ++ bytes -= sizeof(u32); ++ } ++ ++ if (bytes > 0) { ++ u32 rem = siprand_u32(state); ++ ++ do { ++ *ptr++ = (u8)rem; ++ rem >>= BITS_PER_BYTE; ++ } while (--bytes > 0); ++ } ++ put_cpu_ptr(&net_rand_state); ++} ++EXPORT_SYMBOL(prandom_bytes); ++ ++/** ++ * prandom_seed - add entropy to pseudo random number generator ++ * @entropy: entropy value ++ * ++ * Add some additional seed material to the prandom pool. ++ * The "entropy" is actually our IP address (the only caller is ++ * the network code), not for unpredictability, but to ensure that ++ * different machines are initialized differently. ++ */ ++void prandom_seed(u32 entropy) ++{ ++ int i; ++ ++ add_device_randomness(&entropy, sizeof(entropy)); ++ ++ for_each_possible_cpu(i) { ++ struct siprand_state *state = per_cpu_ptr(&net_rand_state, i); ++ unsigned long v0 = state->v0, v1 = state->v1; ++ unsigned long v2 = state->v2, v3 = state->v3; ++ ++ do { ++ v3 ^= entropy; ++ PRND_SIPROUND(v0, v1, v2, v3); ++ PRND_SIPROUND(v0, v1, v2, v3); ++ v0 ^= entropy; ++ } while (unlikely(!v0 || !v1 || !v2 || !v3)); ++ ++ WRITE_ONCE(state->v0, v0); ++ WRITE_ONCE(state->v1, v1); ++ WRITE_ONCE(state->v2, v2); ++ WRITE_ONCE(state->v3, v3); ++ } ++} ++EXPORT_SYMBOL(prandom_seed); ++ ++/* ++ * Generate some initially weak seeding values to allow ++ * the prandom_u32() engine to be started. ++ */ ++static int __init prandom_init_early(void) ++{ ++ int i; ++ unsigned long v0, v1, v2, v3; ++ ++ if (!arch_get_random_long(&v0)) ++ v0 = jiffies; ++ if (!arch_get_random_long(&v1)) ++ v1 = random_get_entropy(); ++ v2 = v0 ^ PRND_K0; ++ v3 = v1 ^ PRND_K1; ++ ++ for_each_possible_cpu(i) { ++ struct siprand_state *state; ++ ++ v3 ^= i; ++ PRND_SIPROUND(v0, v1, v2, v3); ++ PRND_SIPROUND(v0, v1, v2, v3); ++ v0 ^= i; ++ ++ state = per_cpu_ptr(&net_rand_state, i); ++ state->v0 = v0; state->v1 = v1; ++ state->v2 = v2; state->v3 = v3; ++ } ++ ++ return 0; ++} ++core_initcall(prandom_init_early); ++ ++ ++/* Stronger reseeding when available, and periodically thereafter. */ ++static void prandom_reseed(unsigned long dontcare); ++ ++static DEFINE_TIMER(seed_timer, prandom_reseed, 0, 0); ++ ++static void prandom_reseed(unsigned long dontcare) ++{ ++ unsigned long expires; ++ int i; ++ ++ /* ++ * Reinitialize each CPU's PRNG with 128 bits of key. ++ * No locking on the CPUs, but then somewhat random results are, ++ * well, expected. ++ */ ++ for_each_possible_cpu(i) { ++ struct siprand_state *state; ++ unsigned long v0 = get_random_long(), v2 = v0 ^ PRND_K0; ++ unsigned long v1 = get_random_long(), v3 = v1 ^ PRND_K1; ++#if BITS_PER_LONG == 32 ++ int j; ++ ++ /* ++ * On 32-bit machines, hash in two extra words to ++ * approximate 128-bit key length. Not that the hash ++ * has that much security, but this prevents a trivial ++ * 64-bit brute force. ++ */ ++ for (j = 0; j < 2; j++) { ++ unsigned long m = get_random_long(); ++ ++ v3 ^= m; ++ PRND_SIPROUND(v0, v1, v2, v3); ++ PRND_SIPROUND(v0, v1, v2, v3); ++ v0 ^= m; ++ } ++#endif ++ /* ++ * Probably impossible in practice, but there is a ++ * theoretical risk that a race between this reseeding ++ * and the target CPU writing its state back could ++ * create the all-zero SipHash fixed point. ++ * ++ * To ensure that never happens, ensure the state ++ * we write contains no zero words. ++ */ ++ state = per_cpu_ptr(&net_rand_state, i); ++ WRITE_ONCE(state->v0, v0 ? v0 : -1ul); ++ WRITE_ONCE(state->v1, v1 ? v1 : -1ul); ++ WRITE_ONCE(state->v2, v2 ? v2 : -1ul); ++ WRITE_ONCE(state->v3, v3 ? v3 : -1ul); ++ } ++ ++ /* reseed every ~60 seconds, in [40 .. 80) interval with slack */ ++ expires = round_jiffies(jiffies + 40 * HZ + prandom_u32_max(40 * HZ)); ++ mod_timer(&seed_timer, expires); ++} ++ ++/* ++ * The random ready callback can be called from almost any interrupt. ++ * To avoid worrying about whether it's safe to delay that interrupt ++ * long enough to seed all CPUs, just schedule an immediate timer event. ++ */ ++static void prandom_timer_start(struct random_ready_callback *unused) ++{ ++ mod_timer(&seed_timer, jiffies); ++} ++ ++/* ++ * Start periodic full reseeding as soon as strong ++ * random numbers are available. ++ */ ++static int __init prandom_init_late(void) ++{ ++ static struct random_ready_callback random_ready = { ++ .func = prandom_timer_start ++ }; ++ int ret = add_random_ready_callback(&random_ready); ++ ++ if (ret == -EALREADY) { ++ prandom_timer_start(&random_ready); ++ ret = 0; ++ } ++ return ret; ++} ++late_initcall(prandom_init_late); +diff --git a/lib/swiotlb.c b/lib/swiotlb.c +index 6bc452b33b76f..7ccc45c3fdd7f 100644 +--- a/lib/swiotlb.c ++++ b/lib/swiotlb.c +@@ -195,6 +195,7 @@ int __init swiotlb_init_with_tbl(char *tlb, unsigned long nslabs, int verbose) + io_tlb_orig_addr[i] = INVALID_PHYS_ADDR; + } + io_tlb_index = 0; ++ no_iotlb_memory = false; + + if (verbose) + swiotlb_print_info(); +@@ -225,9 +226,11 @@ swiotlb_init(int verbose) + if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, verbose)) + return; + +- if (io_tlb_start) ++ if (io_tlb_start) { + memblock_free_early(io_tlb_start, + PAGE_ALIGN(io_tlb_nslabs << IO_TLB_SHIFT)); ++ io_tlb_start = 0; ++ } + pr_warn("Cannot allocate buffer"); + no_iotlb_memory = true; + } +@@ -326,6 +329,7 @@ swiotlb_late_init_with_tbl(char *tlb, unsigned long nslabs) + io_tlb_orig_addr[i] = INVALID_PHYS_ADDR; + } + io_tlb_index = 0; ++ no_iotlb_memory = false; + + swiotlb_print_info(); + +diff --git a/mm/mempolicy.c b/mm/mempolicy.c +index e101cac3d4a63..9ab7969ee7e30 100644 +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -490,14 +490,14 @@ static int queue_pages_pte_range(pmd_t *pmd, unsigned long addr, + struct queue_pages *qp = walk->private; + unsigned long flags = qp->flags; + int nid; +- pte_t *pte; ++ pte_t *pte, *mapped_pte; + spinlock_t *ptl; + + split_huge_page_pmd(vma, addr, pmd); + if (pmd_trans_unstable(pmd)) + return 0; + +- pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl); ++ mapped_pte = pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl); + for (; addr != end; pte++, addr += PAGE_SIZE) { + if (!pte_present(*pte)) + continue; +@@ -521,7 +521,7 @@ static int queue_pages_pte_range(pmd_t *pmd, unsigned long addr, + } else + break; + } +- pte_unmap_unlock(pte - 1, ptl); ++ pte_unmap_unlock(mapped_pte, ptl); + cond_resched(); + return addr != end ? -EIO : 0; + } +diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c +index f3d3ac5c23d59..d9e7d61a0197e 100644 +--- a/net/ipv4/syncookies.c ++++ b/net/ipv4/syncookies.c +@@ -307,7 +307,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) + __u32 cookie = ntohl(th->ack_seq) - 1; + struct sock *ret = sk; + struct request_sock *req; +- int mss; ++ int full_space, mss; + struct rtable *rt; + __u8 rcv_wscale; + struct flowi4 fl4; +@@ -391,8 +391,13 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) + + /* Try to redo what tcp_v4_send_synack did. */ + req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW); ++ /* limit the window selection if the user enforce a smaller rx buffer */ ++ full_space = tcp_full_space(sk); ++ if (sk->sk_userlocks & SOCK_RCVBUF_LOCK && ++ (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0)) ++ req->rsk_window_clamp = full_space; + +- tcp_select_initial_window(tcp_full_space(sk), req->mss, ++ tcp_select_initial_window(full_space, req->mss, + &req->rsk_rcv_wnd, &req->rsk_window_clamp, + ireq->wscale_ok, &rcv_wscale, + dst_metric(&rt->dst, RTAX_INITRWND)); +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 5039486c4f86b..8bab7e64ffcfb 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1079,7 +1079,6 @@ static void ipip6_tunnel_bind_dev(struct net_device *dev) + if (tdev && !netif_is_l3_master(tdev)) { + int t_hlen = tunnel->hlen + sizeof(struct iphdr); + +- dev->hard_header_len = tdev->hard_header_len + sizeof(struct iphdr); + dev->mtu = tdev->mtu - t_hlen; + if (dev->mtu < IPV6_MIN_MTU) + dev->mtu = IPV6_MIN_MTU; +@@ -1371,7 +1370,6 @@ static void ipip6_tunnel_setup(struct net_device *dev) + dev->destructor = ipip6_dev_free; + + dev->type = ARPHRD_SIT; +- dev->hard_header_len = LL_MAX_HEADER + t_hlen; + dev->mtu = ETH_DATA_LEN - t_hlen; + dev->flags = IFF_NOARP; + netif_keep_dst(dev); +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c +index fb3ba2a511196..d2792580b1124 100644 +--- a/net/ipv6/syncookies.c ++++ b/net/ipv6/syncookies.c +@@ -144,7 +144,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + __u32 cookie = ntohl(th->ack_seq) - 1; + struct sock *ret = sk; + struct request_sock *req; +- int mss; ++ int full_space, mss; + struct dst_entry *dst; + __u8 rcv_wscale; + +@@ -237,7 +237,13 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + } + + req->rsk_window_clamp = tp->window_clamp ? :dst_metric(dst, RTAX_WINDOW); +- tcp_select_initial_window(tcp_full_space(sk), req->mss, ++ /* limit the window selection if the user enforce a smaller rx buffer */ ++ full_space = tcp_full_space(sk); ++ if (sk->sk_userlocks & SOCK_RCVBUF_LOCK && ++ (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0)) ++ req->rsk_window_clamp = full_space; ++ ++ tcp_select_initial_window(full_space, req->mss, + &req->rsk_rcv_wnd, &req->rsk_window_clamp, + ireq->wscale_ok, &rcv_wscale, + dst_metric(dst, RTAX_INITRWND)); +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c +index 3edffb7bf2a46..f94107e27b5ed 100644 +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -1513,7 +1513,8 @@ static int iucv_sock_shutdown(struct socket *sock, int how) + break; + } + +- if (how == SEND_SHUTDOWN || how == SHUTDOWN_MASK) { ++ if ((how == SEND_SHUTDOWN || how == SHUTDOWN_MASK) && ++ sk->sk_state == IUCV_CONNECTED) { + if (iucv->transport == AF_IUCV_TRANS_IUCV) { + txmsg.class = 0; + txmsg.tag = 0; +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 98c34c3adf392..4466413c5eecc 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1594,19 +1594,24 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata, + + /* device xmit handlers */ + ++enum ieee80211_encrypt { ++ ENCRYPT_NO, ++ ENCRYPT_MGMT, ++ ENCRYPT_DATA, ++}; ++ + static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata, + struct sk_buff *skb, +- int head_need, bool may_encrypt) ++ int head_need, ++ enum ieee80211_encrypt encrypt) + { + struct ieee80211_local *local = sdata->local; +- struct ieee80211_hdr *hdr; + bool enc_tailroom; + int tail_need = 0; + +- hdr = (struct ieee80211_hdr *) skb->data; +- enc_tailroom = may_encrypt && +- (sdata->crypto_tx_tailroom_needed_cnt || +- ieee80211_is_mgmt(hdr->frame_control)); ++ enc_tailroom = encrypt == ENCRYPT_MGMT || ++ (encrypt == ENCRYPT_DATA && ++ sdata->crypto_tx_tailroom_needed_cnt); + + if (enc_tailroom) { + tail_need = IEEE80211_ENCRYPT_TAILROOM; +@@ -1639,21 +1644,27 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; + int headroom; +- bool may_encrypt; ++ enum ieee80211_encrypt encrypt; + +- may_encrypt = !(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT); ++ if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT) ++ encrypt = ENCRYPT_NO; ++ else if (ieee80211_is_mgmt(hdr->frame_control)) ++ encrypt = ENCRYPT_MGMT; ++ else ++ encrypt = ENCRYPT_DATA; + + headroom = local->tx_headroom; +- if (may_encrypt) ++ if (encrypt != ENCRYPT_NO) + headroom += sdata->encrypt_headroom; + headroom -= skb_headroom(skb); + headroom = max_t(int, 0, headroom); + +- if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) { ++ if (ieee80211_skb_resize(sdata, skb, headroom, encrypt)) { + ieee80211_free_txskb(&local->hw, skb); + return; + } + ++ /* reload after potential resize */ + hdr = (struct ieee80211_hdr *) skb->data; + info->control.vif = &sdata->vif; + +@@ -2346,7 +2357,7 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata, + head_need += sdata->encrypt_headroom; + head_need += local->tx_headroom; + head_need = max_t(int, 0, head_need); +- if (ieee80211_skb_resize(sdata, skb, head_need, true)) { ++ if (ieee80211_skb_resize(sdata, skb, head_need, ENCRYPT_DATA)) { + ieee80211_free_txskb(&local->hw, skb); + skb = NULL; + return ERR_PTR(-ENOMEM); +@@ -2756,7 +2767,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata, + if (unlikely(ieee80211_skb_resize(sdata, skb, + max_t(int, extra_head + hw_headroom - + skb_headroom(skb), 0), +- false))) { ++ ENCRYPT_NO))) { + kfree_skb(skb); + return true; + } +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 474923175b108..dcbf5cd44bb37 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2775,7 +2775,7 @@ static void print_rd_rules(const struct ieee80211_regdomain *rd) + power_rule = ®_rule->power_rule; + + if (reg_rule->flags & NL80211_RRF_AUTO_BW) +- snprintf(bw, sizeof(bw), "%d KHz, %d KHz AUTO", ++ snprintf(bw, sizeof(bw), "%d KHz, %u KHz AUTO", + freq_range->max_bandwidth_khz, + reg_get_max_bandwidth(rd, reg_rule)); + else +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index f9fb8613fb287..e39bb38eedf30 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -823,7 +823,7 @@ static int x25_connect(struct socket *sock, struct sockaddr *uaddr, + sock->state = SS_CONNECTED; + rc = 0; + out_put_neigh: +- if (rc) { ++ if (rc && x25->neighbour) { + read_lock_bh(&x25_list_lock); + x25_neigh_put(x25->neighbour); + x25->neighbour = NULL; +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 5bb5950d6276b..ed05cd7a4ef2c 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1554,6 +1554,7 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) + int err = -ENOENT; + __be32 minspi = htonl(low); + __be32 maxspi = htonl(high); ++ __be32 newspi = 0; + u32 mark = x->mark.v & x->mark.m; + + spin_lock_bh(&x->lock); +@@ -1572,21 +1573,22 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) + xfrm_state_put(x0); + goto unlock; + } +- x->id.spi = minspi; ++ newspi = minspi; + } else { + u32 spi = 0; + for (h = 0; h < high-low+1; h++) { + spi = low + prandom_u32()%(high-low+1); + x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family); + if (x0 == NULL) { +- x->id.spi = htonl(spi); ++ newspi = htonl(spi); + break; + } + xfrm_state_put(x0); + } + } +- if (x->id.spi) { ++ if (newspi) { + spin_lock_bh(&net->xfrm.xfrm_state_lock); ++ x->id.spi = newspi; + h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family); + hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); + spin_unlock_bh(&net->xfrm.xfrm_state_lock); +diff --git a/sound/hda/ext/hdac_ext_controller.c b/sound/hda/ext/hdac_ext_controller.c +index 63215b17247c8..379250dd0668e 100644 +--- a/sound/hda/ext/hdac_ext_controller.c ++++ b/sound/hda/ext/hdac_ext_controller.c +@@ -221,6 +221,8 @@ struct hdac_ext_link *snd_hdac_ext_bus_get_link(struct hdac_ext_bus *ebus, + return NULL; + if (ebus->idx != bus_idx) + return NULL; ++ if (addr < 0 || addr > 31) ++ return NULL; + + list_for_each_entry(hlink, &ebus->hlink_list, list) { + for (i = 0; i < HDA_MAX_CODECS; i++) { +diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c +index 0ae4f73dc8eb5..5b392662d100b 100644 +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -415,6 +415,7 @@ static void perf_event__mmap2_swap(union perf_event *event, + event->mmap2.maj = bswap_32(event->mmap2.maj); + event->mmap2.min = bswap_32(event->mmap2.min); + event->mmap2.ino = bswap_64(event->mmap2.ino); ++ event->mmap2.ino_generation = bswap_64(event->mmap2.ino_generation); + + if (sample_id_all) { + void *data = &event->mmap2.filename; |