summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Pagano <mpagano@gentoo.org>2020-02-11 10:36:46 -0500
committerMike Pagano <mpagano@gentoo.org>2020-02-11 10:36:46 -0500
commitb7d9a44dcd512076aef3e022da4da423d023d8a4 (patch)
treedac8db3a3fd5efa2134000c0879e93c781dff491
parentiwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices (diff)
downloadlinux-patches-b7d9a44dcd512076aef3e022da4da423d023d8a4.tar.gz
linux-patches-b7d9a44dcd512076aef3e022da4da423d023d8a4.tar.bz2
linux-patches-b7d9a44dcd512076aef3e022da4da423d023d8a4.zip
Linux patch 5.5.35.5-5
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
-rw-r--r--0000_README4
-rw-r--r--1002_linux-5.5.3.patch18721
2 files changed, 18725 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index ead5c5eb..d7385d1a 100644
--- a/0000_README
+++ b/0000_README
@@ -51,6 +51,10 @@ Patch: 1001_linux-5.5.2.patch
From: http://www.kernel.org
Desc: Linux 5.5.2
+Patch: 1002_linux-5.5.3.patch
+From: http://www.kernel.org
+Desc: Linux 5.5.3
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1002_linux-5.5.3.patch b/1002_linux-5.5.3.patch
new file mode 100644
index 00000000..1464da0d
--- /dev/null
+++ b/1002_linux-5.5.3.patch
@@ -0,0 +1,18721 @@
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 56765f542244..44bc9d7f04a4 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -8808,8 +8808,10 @@ L: isdn4linux@listserv.isdn4linux.de (subscribers-only)
+ L: netdev@vger.kernel.org
+ W: http://www.isdn4linux.de
+ S: Maintained
+-F: drivers/isdn/mISDN
+-F: drivers/isdn/hardware
++F: drivers/isdn/mISDN/
++F: drivers/isdn/hardware/
++F: drivers/isdn/Kconfig
++F: drivers/isdn/Makefile
+
+ ISDN/CAPI SUBSYSTEM
+ M: Karsten Keil <isdn@linux-pingi.de>
+diff --git a/Makefile b/Makefile
+index cfbdf5f920fd..fdaa1e262320 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 5
+ PATCHLEVEL = 5
+-SUBLEVEL = 2
++SUBLEVEL = 3
+ EXTRAVERSION =
+ NAME = Kleptomaniac Octopus
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 48b5e103bdb0..208aad121630 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -396,9 +396,6 @@ config HAVE_ARCH_JUMP_LABEL_RELATIVE
+ config HAVE_RCU_TABLE_FREE
+ bool
+
+-config HAVE_RCU_TABLE_NO_INVALIDATE
+- bool
+-
+ config HAVE_MMU_GATHER_PAGE_SIZE
+ bool
+
+diff --git a/arch/arm/include/asm/kvm_emulate.h b/arch/arm/include/asm/kvm_emulate.h
+index 9b118516d2db..08d9805f613b 100644
+--- a/arch/arm/include/asm/kvm_emulate.h
++++ b/arch/arm/include/asm/kvm_emulate.h
+@@ -14,13 +14,25 @@
+ #include <asm/cputype.h>
+
+ /* arm64 compatibility macros */
++#define PSR_AA32_MODE_FIQ FIQ_MODE
++#define PSR_AA32_MODE_SVC SVC_MODE
+ #define PSR_AA32_MODE_ABT ABT_MODE
+ #define PSR_AA32_MODE_UND UND_MODE
+ #define PSR_AA32_T_BIT PSR_T_BIT
++#define PSR_AA32_F_BIT PSR_F_BIT
+ #define PSR_AA32_I_BIT PSR_I_BIT
+ #define PSR_AA32_A_BIT PSR_A_BIT
+ #define PSR_AA32_E_BIT PSR_E_BIT
+ #define PSR_AA32_IT_MASK PSR_IT_MASK
++#define PSR_AA32_GE_MASK 0x000f0000
++#define PSR_AA32_DIT_BIT 0x00200000
++#define PSR_AA32_PAN_BIT 0x00400000
++#define PSR_AA32_SSBS_BIT 0x00800000
++#define PSR_AA32_Q_BIT PSR_Q_BIT
++#define PSR_AA32_V_BIT PSR_V_BIT
++#define PSR_AA32_C_BIT PSR_C_BIT
++#define PSR_AA32_Z_BIT PSR_Z_BIT
++#define PSR_AA32_N_BIT PSR_N_BIT
+
+ unsigned long *vcpu_reg(struct kvm_vcpu *vcpu, u8 reg_num);
+
+@@ -41,6 +53,11 @@ static inline void vcpu_write_spsr(struct kvm_vcpu *vcpu, unsigned long v)
+ *__vcpu_spsr(vcpu) = v;
+ }
+
++static inline unsigned long host_spsr_to_spsr32(unsigned long spsr)
++{
++ return spsr;
++}
++
+ static inline unsigned long vcpu_get_reg(struct kvm_vcpu *vcpu,
+ u8 reg_num)
+ {
+@@ -182,6 +199,11 @@ static inline bool kvm_vcpu_dabt_issext(struct kvm_vcpu *vcpu)
+ return kvm_vcpu_get_hsr(vcpu) & HSR_SSE;
+ }
+
++static inline bool kvm_vcpu_dabt_issf(const struct kvm_vcpu *vcpu)
++{
++ return false;
++}
++
+ static inline int kvm_vcpu_dabt_get_rd(struct kvm_vcpu *vcpu)
+ {
+ return (kvm_vcpu_get_hsr(vcpu) & HSR_SRT_MASK) >> HSR_SRT_SHIFT;
+diff --git a/arch/arm/include/asm/kvm_mmio.h b/arch/arm/include/asm/kvm_mmio.h
+index 7c0eddb0adb2..32fbf82e3ebc 100644
+--- a/arch/arm/include/asm/kvm_mmio.h
++++ b/arch/arm/include/asm/kvm_mmio.h
+@@ -14,6 +14,8 @@
+ struct kvm_decode {
+ unsigned long rt;
+ bool sign_extend;
++ /* Not used on 32-bit arm */
++ bool sixty_four;
+ };
+
+ void kvm_mmio_write_buf(void *buf, unsigned int len, unsigned long data);
+diff --git a/arch/arm/mach-tegra/sleep-tegra30.S b/arch/arm/mach-tegra/sleep-tegra30.S
+index 3341a12bbb9c..c796a97194ac 100644
+--- a/arch/arm/mach-tegra/sleep-tegra30.S
++++ b/arch/arm/mach-tegra/sleep-tegra30.S
+@@ -370,6 +370,14 @@ _pll_m_c_x_done:
+ pll_locked r1, r0, CLK_RESET_PLLC_BASE
+ pll_locked r1, r0, CLK_RESET_PLLX_BASE
+
++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
++ cmp r1, #TEGRA30
++ beq 1f
++ ldr r1, [r0, #CLK_RESET_PLLP_BASE]
++ bic r1, r1, #(1<<31) @ disable PllP bypass
++ str r1, [r0, #CLK_RESET_PLLP_BASE]
++1:
++
+ mov32 r7, TEGRA_TMRUS_BASE
+ ldr r1, [r7]
+ add r1, r1, #LOCK_DELAY
+@@ -630,7 +638,10 @@ tegra30_switch_cpu_to_clk32k:
+ str r0, [r4, #PMC_PLLP_WB0_OVERRIDE]
+
+ /* disable PLLP, PLLA, PLLC and PLLX */
++ tegra_get_soc_id TEGRA_APB_MISC_BASE, r1
++ cmp r1, #TEGRA30
+ ldr r0, [r5, #CLK_RESET_PLLP_BASE]
++ orrne r0, r0, #(1 << 31) @ enable PllP bypass on fast cluster
+ bic r0, r0, #(1 << 30)
+ str r0, [r5, #CLK_RESET_PLLP_BASE]
+ ldr r0, [r5, #CLK_RESET_PLLA_BASE]
+diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
+index e822af0d9219..9414d72f664b 100644
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -221,7 +221,7 @@ EXPORT_SYMBOL(arm_coherent_dma_ops);
+
+ static int __dma_supported(struct device *dev, u64 mask, bool warn)
+ {
+- unsigned long max_dma_pfn = min(max_pfn, arm_dma_pfn_limit);
++ unsigned long max_dma_pfn = min(max_pfn - 1, arm_dma_pfn_limit);
+
+ /*
+ * Translate the device's DMA mask to a PFN limit. This
+diff --git a/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi b/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi
+index 501a7330dbc8..522d3ef72df5 100644
+--- a/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi
++++ b/arch/arm64/boot/dts/qcom/qcs404-evb.dtsi
+@@ -73,6 +73,7 @@
+ regulator-always-on;
+ regulator-boot-on;
+ regulator-name = "vdd_apc";
++ regulator-initial-mode = <1>;
+ regulator-min-microvolt = <1048000>;
+ regulator-max-microvolt = <1384000>;
+ };
+diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c
+index 522cf004ce65..196aedd0c20c 100644
+--- a/arch/arm64/crypto/ghash-ce-glue.c
++++ b/arch/arm64/crypto/ghash-ce-glue.c
+@@ -259,7 +259,7 @@ static int ghash_setkey(struct crypto_shash *tfm,
+ static struct shash_alg ghash_alg[] = {{
+ .base.cra_name = "ghash",
+ .base.cra_driver_name = "ghash-neon",
+- .base.cra_priority = 100,
++ .base.cra_priority = 150,
+ .base.cra_blocksize = GHASH_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct ghash_key),
+ .base.cra_module = THIS_MODULE,
+diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h
+index b0d53a265f1d..7b4172ce497c 100644
+--- a/arch/arm64/include/asm/compat.h
++++ b/arch/arm64/include/asm/compat.h
+@@ -4,6 +4,9 @@
+ */
+ #ifndef __ASM_COMPAT_H
+ #define __ASM_COMPAT_H
++
++#include <asm-generic/compat.h>
++
+ #ifdef CONFIG_COMPAT
+
+ /*
+@@ -13,8 +16,6 @@
+ #include <linux/sched.h>
+ #include <linux/sched/task_stack.h>
+
+-#include <asm-generic/compat.h>
+-
+ #define COMPAT_USER_HZ 100
+ #ifdef __AARCH64EB__
+ #define COMPAT_UTS_MACHINE "armv8b\0\0"
+diff --git a/arch/arm64/include/asm/daifflags.h b/arch/arm64/include/asm/daifflags.h
+index 72acd2db167f..ec213b4a1650 100644
+--- a/arch/arm64/include/asm/daifflags.h
++++ b/arch/arm64/include/asm/daifflags.h
+@@ -38,7 +38,7 @@ static inline void local_daif_mask(void)
+ trace_hardirqs_off();
+ }
+
+-static inline unsigned long local_daif_save(void)
++static inline unsigned long local_daif_save_flags(void)
+ {
+ unsigned long flags;
+
+@@ -50,6 +50,15 @@ static inline unsigned long local_daif_save(void)
+ flags |= PSR_I_BIT;
+ }
+
++ return flags;
++}
++
++static inline unsigned long local_daif_save(void)
++{
++ unsigned long flags;
++
++ flags = local_daif_save_flags();
++
+ local_daif_mask();
+
+ return flags;
+diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h
+index 5efe5ca8fecf..53ea7637b7b2 100644
+--- a/arch/arm64/include/asm/kvm_emulate.h
++++ b/arch/arm64/include/asm/kvm_emulate.h
+@@ -219,6 +219,38 @@ static inline void vcpu_write_spsr(struct kvm_vcpu *vcpu, unsigned long v)
+ vcpu_gp_regs(vcpu)->spsr[KVM_SPSR_EL1] = v;
+ }
+
++/*
++ * The layout of SPSR for an AArch32 state is different when observed from an
++ * AArch64 SPSR_ELx or an AArch32 SPSR_*. This function generates the AArch32
++ * view given an AArch64 view.
++ *
++ * In ARM DDI 0487E.a see:
++ *
++ * - The AArch64 view (SPSR_EL2) in section C5.2.18, page C5-426
++ * - The AArch32 view (SPSR_abt) in section G8.2.126, page G8-6256
++ * - The AArch32 view (SPSR_und) in section G8.2.132, page G8-6280
++ *
++ * Which show the following differences:
++ *
++ * | Bit | AA64 | AA32 | Notes |
++ * +-----+------+------+-----------------------------|
++ * | 24 | DIT | J | J is RES0 in ARMv8 |
++ * | 21 | SS | DIT | SS doesn't exist in AArch32 |
++ *
++ * ... and all other bits are (currently) common.
++ */
++static inline unsigned long host_spsr_to_spsr32(unsigned long spsr)
++{
++ const unsigned long overlap = BIT(24) | BIT(21);
++ unsigned long dit = !!(spsr & PSR_AA32_DIT_BIT);
++
++ spsr &= ~overlap;
++
++ spsr |= dit << 21;
++
++ return spsr;
++}
++
+ static inline bool vcpu_mode_priv(const struct kvm_vcpu *vcpu)
+ {
+ u32 mode;
+@@ -283,6 +315,11 @@ static inline bool kvm_vcpu_dabt_issext(const struct kvm_vcpu *vcpu)
+ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_SSE);
+ }
+
++static inline bool kvm_vcpu_dabt_issf(const struct kvm_vcpu *vcpu)
++{
++ return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_SF);
++}
++
+ static inline int kvm_vcpu_dabt_get_rd(const struct kvm_vcpu *vcpu)
+ {
+ return (kvm_vcpu_get_hsr(vcpu) & ESR_ELx_SRT_MASK) >> ESR_ELx_SRT_SHIFT;
+diff --git a/arch/arm64/include/asm/kvm_mmio.h b/arch/arm64/include/asm/kvm_mmio.h
+index 02b5c48fd467..b204501a0c39 100644
+--- a/arch/arm64/include/asm/kvm_mmio.h
++++ b/arch/arm64/include/asm/kvm_mmio.h
+@@ -10,13 +10,11 @@
+ #include <linux/kvm_host.h>
+ #include <asm/kvm_arm.h>
+
+-/*
+- * This is annoying. The mmio code requires this, even if we don't
+- * need any decoding. To be fixed.
+- */
+ struct kvm_decode {
+ unsigned long rt;
+ bool sign_extend;
++ /* Witdth of the register accessed by the faulting instruction is 64-bits */
++ bool sixty_four;
+ };
+
+ void kvm_mmio_write_buf(void *buf, unsigned int len, unsigned long data);
+diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
+index fbebb411ae20..bf57308fcd63 100644
+--- a/arch/arm64/include/asm/ptrace.h
++++ b/arch/arm64/include/asm/ptrace.h
+@@ -62,6 +62,7 @@
+ #define PSR_AA32_I_BIT 0x00000080
+ #define PSR_AA32_A_BIT 0x00000100
+ #define PSR_AA32_E_BIT 0x00000200
++#define PSR_AA32_PAN_BIT 0x00400000
+ #define PSR_AA32_SSBS_BIT 0x00800000
+ #define PSR_AA32_DIT_BIT 0x01000000
+ #define PSR_AA32_Q_BIT 0x08000000
+diff --git a/arch/arm64/include/uapi/asm/ptrace.h b/arch/arm64/include/uapi/asm/ptrace.h
+index 7ed9294e2004..d1bb5b69f1ce 100644
+--- a/arch/arm64/include/uapi/asm/ptrace.h
++++ b/arch/arm64/include/uapi/asm/ptrace.h
+@@ -49,6 +49,7 @@
+ #define PSR_SSBS_BIT 0x00001000
+ #define PSR_PAN_BIT 0x00400000
+ #define PSR_UAO_BIT 0x00800000
++#define PSR_DIT_BIT 0x01000000
+ #define PSR_V_BIT 0x10000000
+ #define PSR_C_BIT 0x20000000
+ #define PSR_Z_BIT 0x40000000
+diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
+index 3a58e9db5cfe..a100483b47c4 100644
+--- a/arch/arm64/kernel/acpi.c
++++ b/arch/arm64/kernel/acpi.c
+@@ -274,7 +274,7 @@ int apei_claim_sea(struct pt_regs *regs)
+ if (!IS_ENABLED(CONFIG_ACPI_APEI_GHES))
+ return err;
+
+- current_flags = arch_local_save_flags();
++ current_flags = local_daif_save_flags();
+
+ /*
+ * SEA can interrupt SError, mask it and describe this as an NMI so
+diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c
+index ccdb6a051ab2..6aafc2825c1c 100644
+--- a/arch/arm64/kvm/inject_fault.c
++++ b/arch/arm64/kvm/inject_fault.c
+@@ -14,9 +14,6 @@
+ #include <asm/kvm_emulate.h>
+ #include <asm/esr.h>
+
+-#define PSTATE_FAULT_BITS_64 (PSR_MODE_EL1h | PSR_A_BIT | PSR_F_BIT | \
+- PSR_I_BIT | PSR_D_BIT)
+-
+ #define CURRENT_EL_SP_EL0_VECTOR 0x0
+ #define CURRENT_EL_SP_ELx_VECTOR 0x200
+ #define LOWER_EL_AArch64_VECTOR 0x400
+@@ -50,6 +47,69 @@ static u64 get_except_vector(struct kvm_vcpu *vcpu, enum exception_type type)
+ return vcpu_read_sys_reg(vcpu, VBAR_EL1) + exc_offset + type;
+ }
+
++/*
++ * When an exception is taken, most PSTATE fields are left unchanged in the
++ * handler. However, some are explicitly overridden (e.g. M[4:0]). Luckily all
++ * of the inherited bits have the same position in the AArch64/AArch32 SPSR_ELx
++ * layouts, so we don't need to shuffle these for exceptions from AArch32 EL0.
++ *
++ * For the SPSR_ELx layout for AArch64, see ARM DDI 0487E.a page C5-429.
++ * For the SPSR_ELx layout for AArch32, see ARM DDI 0487E.a page C5-426.
++ *
++ * Here we manipulate the fields in order of the AArch64 SPSR_ELx layout, from
++ * MSB to LSB.
++ */
++static unsigned long get_except64_pstate(struct kvm_vcpu *vcpu)
++{
++ unsigned long sctlr = vcpu_read_sys_reg(vcpu, SCTLR_EL1);
++ unsigned long old, new;
++
++ old = *vcpu_cpsr(vcpu);
++ new = 0;
++
++ new |= (old & PSR_N_BIT);
++ new |= (old & PSR_Z_BIT);
++ new |= (old & PSR_C_BIT);
++ new |= (old & PSR_V_BIT);
++
++ // TODO: TCO (if/when ARMv8.5-MemTag is exposed to guests)
++
++ new |= (old & PSR_DIT_BIT);
++
++ // PSTATE.UAO is set to zero upon any exception to AArch64
++ // See ARM DDI 0487E.a, page D5-2579.
++
++ // PSTATE.PAN is unchanged unless SCTLR_ELx.SPAN == 0b0
++ // SCTLR_ELx.SPAN is RES1 when ARMv8.1-PAN is not implemented
++ // See ARM DDI 0487E.a, page D5-2578.
++ new |= (old & PSR_PAN_BIT);
++ if (!(sctlr & SCTLR_EL1_SPAN))
++ new |= PSR_PAN_BIT;
++
++ // PSTATE.SS is set to zero upon any exception to AArch64
++ // See ARM DDI 0487E.a, page D2-2452.
++
++ // PSTATE.IL is set to zero upon any exception to AArch64
++ // See ARM DDI 0487E.a, page D1-2306.
++
++ // PSTATE.SSBS is set to SCTLR_ELx.DSSBS upon any exception to AArch64
++ // See ARM DDI 0487E.a, page D13-3258
++ if (sctlr & SCTLR_ELx_DSSBS)
++ new |= PSR_SSBS_BIT;
++
++ // PSTATE.BTYPE is set to zero upon any exception to AArch64
++ // See ARM DDI 0487E.a, pages D1-2293 to D1-2294.
++
++ new |= PSR_D_BIT;
++ new |= PSR_A_BIT;
++ new |= PSR_I_BIT;
++ new |= PSR_F_BIT;
++
++ new |= PSR_MODE_EL1h;
++
++ return new;
++}
++
+ static void inject_abt64(struct kvm_vcpu *vcpu, bool is_iabt, unsigned long addr)
+ {
+ unsigned long cpsr = *vcpu_cpsr(vcpu);
+@@ -59,7 +119,7 @@ static void inject_abt64(struct kvm_vcpu *vcpu, bool is_iabt, unsigned long addr
+ vcpu_write_elr_el1(vcpu, *vcpu_pc(vcpu));
+ *vcpu_pc(vcpu) = get_except_vector(vcpu, except_type_sync);
+
+- *vcpu_cpsr(vcpu) = PSTATE_FAULT_BITS_64;
++ *vcpu_cpsr(vcpu) = get_except64_pstate(vcpu);
+ vcpu_write_spsr(vcpu, cpsr);
+
+ vcpu_write_sys_reg(vcpu, addr, FAR_EL1);
+@@ -94,7 +154,7 @@ static void inject_undef64(struct kvm_vcpu *vcpu)
+ vcpu_write_elr_el1(vcpu, *vcpu_pc(vcpu));
+ *vcpu_pc(vcpu) = get_except_vector(vcpu, except_type_sync);
+
+- *vcpu_cpsr(vcpu) = PSTATE_FAULT_BITS_64;
++ *vcpu_cpsr(vcpu) = get_except64_pstate(vcpu);
+ vcpu_write_spsr(vcpu, cpsr);
+
+ /*
+diff --git a/arch/mips/Makefile.postlink b/arch/mips/Makefile.postlink
+index f03fdc95143e..4b1d3ba3a8a2 100644
+--- a/arch/mips/Makefile.postlink
++++ b/arch/mips/Makefile.postlink
+@@ -17,7 +17,7 @@ quiet_cmd_ls3_llsc = LLSCCHK $@
+ cmd_ls3_llsc = $(CMD_LS3_LLSC) $@
+
+ CMD_RELOCS = arch/mips/boot/tools/relocs
+-quiet_cmd_relocs = RELOCS $@
++quiet_cmd_relocs = RELOCS $@
+ cmd_relocs = $(CMD_RELOCS) $@
+
+ # `@true` prevents complaint when there is nothing to be done
+diff --git a/arch/mips/boot/Makefile b/arch/mips/boot/Makefile
+index 528bd73d530a..4ed45ade32a1 100644
+--- a/arch/mips/boot/Makefile
++++ b/arch/mips/boot/Makefile
+@@ -123,7 +123,7 @@ $(obj)/vmlinux.its.S: $(addprefix $(srctree)/arch/mips/$(PLATFORM)/,$(ITS_INPUTS
+ targets += vmlinux.its
+ targets += vmlinux.gz.its
+ targets += vmlinux.bz2.its
+-targets += vmlinux.lzmo.its
++targets += vmlinux.lzma.its
+ targets += vmlinux.lzo.its
+
+ quiet_cmd_cpp_its_S = ITS $@
+diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
+index 02783e141c32..fef0fda8f82f 100644
+--- a/arch/mips/include/asm/local.h
++++ b/arch/mips/include/asm/local.h
+@@ -37,6 +37,7 @@ static __inline__ long local_add_return(long i, local_t * l)
+ __asm__ __volatile__(
+ " .set push \n"
+ " .set arch=r4000 \n"
++ __SYNC(full, loongson3_war) " \n"
+ "1:" __LL "%1, %2 # local_add_return \n"
+ " addu %0, %1, %3 \n"
+ __SC "%0, %2 \n"
+@@ -52,6 +53,7 @@ static __inline__ long local_add_return(long i, local_t * l)
+ __asm__ __volatile__(
+ " .set push \n"
+ " .set "MIPS_ISA_ARCH_LEVEL" \n"
++ __SYNC(full, loongson3_war) " \n"
+ "1:" __LL "%1, %2 # local_add_return \n"
+ " addu %0, %1, %3 \n"
+ __SC "%0, %2 \n"
+@@ -84,6 +86,7 @@ static __inline__ long local_sub_return(long i, local_t * l)
+ __asm__ __volatile__(
+ " .set push \n"
+ " .set arch=r4000 \n"
++ __SYNC(full, loongson3_war) " \n"
+ "1:" __LL "%1, %2 # local_sub_return \n"
+ " subu %0, %1, %3 \n"
+ __SC "%0, %2 \n"
+@@ -99,6 +102,7 @@ static __inline__ long local_sub_return(long i, local_t * l)
+ __asm__ __volatile__(
+ " .set push \n"
+ " .set "MIPS_ISA_ARCH_LEVEL" \n"
++ __SYNC(full, loongson3_war) " \n"
+ "1:" __LL "%1, %2 # local_sub_return \n"
+ " subu %0, %1, %3 \n"
+ __SC "%0, %2 \n"
+diff --git a/arch/mips/kernel/syscalls/Makefile b/arch/mips/kernel/syscalls/Makefile
+index a3d4bec695c6..6efb2f6889a7 100644
+--- a/arch/mips/kernel/syscalls/Makefile
++++ b/arch/mips/kernel/syscalls/Makefile
+@@ -18,7 +18,7 @@ quiet_cmd_syshdr = SYSHDR $@
+ '$(syshdr_pfx_$(basetarget))' \
+ '$(syshdr_offset_$(basetarget))'
+
+-quiet_cmd_sysnr = SYSNR $@
++quiet_cmd_sysnr = SYSNR $@
+ cmd_sysnr = $(CONFIG_SHELL) '$(sysnr)' '$<' '$@' \
+ '$(sysnr_abis_$(basetarget))' \
+ '$(sysnr_pfx_$(basetarget))' \
+diff --git a/arch/mips/sgi-ip30/ip30-irq.c b/arch/mips/sgi-ip30/ip30-irq.c
+index d46655b914f1..c2ffcb920250 100644
+--- a/arch/mips/sgi-ip30/ip30-irq.c
++++ b/arch/mips/sgi-ip30/ip30-irq.c
+@@ -232,9 +232,10 @@ static void heart_domain_free(struct irq_domain *domain,
+ return;
+
+ irqd = irq_domain_get_irq_data(domain, virq);
+- clear_bit(irqd->hwirq, heart_irq_map);
+- if (irqd && irqd->chip_data)
++ if (irqd) {
++ clear_bit(irqd->hwirq, heart_irq_map);
+ kfree(irqd->chip_data);
++ }
+ }
+
+ static const struct irq_domain_ops heart_domain_ops = {
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index e2a412113359..f765385925e1 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -222,8 +222,7 @@ config PPC
+ select HAVE_HARDLOCKUP_DETECTOR_PERF if PERF_EVENTS && HAVE_PERF_EVENTS_NMI && !HAVE_HARDLOCKUP_DETECTOR_ARCH
+ select HAVE_PERF_REGS
+ select HAVE_PERF_USER_STACK_DUMP
+- select HAVE_RCU_TABLE_FREE if SMP
+- select HAVE_RCU_TABLE_NO_INVALIDATE if HAVE_RCU_TABLE_FREE
++ select HAVE_RCU_TABLE_FREE
+ select HAVE_MMU_GATHER_PAGE_SIZE
+ select HAVE_REGS_AND_STACK_ACCESS_API
+ select HAVE_RELIABLE_STACKTRACE if PPC_BOOK3S_64 && CPU_LITTLE_ENDIAN
+@@ -238,6 +237,7 @@ config PPC
+ select NEED_DMA_MAP_STATE if PPC64 || NOT_COHERENT_CACHE
+ select NEED_SG_DMA_LENGTH
+ select OF
++ select OF_DMA_DEFAULT_COHERENT if !NOT_COHERENT_CACHE
+ select OF_EARLY_FLATTREE
+ select OLD_SIGACTION if PPC32
+ select OLD_SIGSUSPEND
+diff --git a/arch/powerpc/boot/4xx.c b/arch/powerpc/boot/4xx.c
+index 1699e9531552..00c4d843a023 100644
+--- a/arch/powerpc/boot/4xx.c
++++ b/arch/powerpc/boot/4xx.c
+@@ -228,7 +228,7 @@ void ibm4xx_denali_fixup_memsize(void)
+ dpath = 8; /* 64 bits */
+
+ /* get address pins (rows) */
+- val = SDRAM0_READ(DDR0_42);
++ val = SDRAM0_READ(DDR0_42);
+
+ row = DDR_GET_VAL(val, DDR_APIN, DDR_APIN_SHIFT);
+ if (row > max_row)
+diff --git a/arch/powerpc/include/asm/book3s/32/kup.h b/arch/powerpc/include/asm/book3s/32/kup.h
+index f9dc597b0b86..91c8f1d9bcee 100644
+--- a/arch/powerpc/include/asm/book3s/32/kup.h
++++ b/arch/powerpc/include/asm/book3s/32/kup.h
+@@ -102,11 +102,13 @@ static inline void kuap_update_sr(u32 sr, u32 addr, u32 end)
+ isync(); /* Context sync required after mtsrin() */
+ }
+
+-static inline void allow_user_access(void __user *to, const void __user *from, u32 size)
++static __always_inline void allow_user_access(void __user *to, const void __user *from,
++ u32 size, unsigned long dir)
+ {
+ u32 addr, end;
+
+- if (__builtin_constant_p(to) && to == NULL)
++ BUILD_BUG_ON(!__builtin_constant_p(dir));
++ if (!(dir & KUAP_WRITE))
+ return;
+
+ addr = (__force u32)to;
+@@ -119,11 +121,16 @@ static inline void allow_user_access(void __user *to, const void __user *from, u
+ kuap_update_sr(mfsrin(addr) & ~SR_KS, addr, end); /* Clear Ks */
+ }
+
+-static inline void prevent_user_access(void __user *to, const void __user *from, u32 size)
++static __always_inline void prevent_user_access(void __user *to, const void __user *from,
++ u32 size, unsigned long dir)
+ {
+ u32 addr = (__force u32)to;
+ u32 end = min(addr + size, TASK_SIZE);
+
++ BUILD_BUG_ON(!__builtin_constant_p(dir));
++ if (!(dir & KUAP_WRITE))
++ return;
++
+ if (!addr || addr >= TASK_SIZE || !size)
+ return;
+
+@@ -131,12 +138,17 @@ static inline void prevent_user_access(void __user *to, const void __user *from,
+ kuap_update_sr(mfsrin(addr) | SR_KS, addr, end); /* set Ks */
+ }
+
+-static inline bool bad_kuap_fault(struct pt_regs *regs, bool is_write)
++static inline bool
++bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)
+ {
++ unsigned long begin = regs->kuap & 0xf0000000;
++ unsigned long end = regs->kuap << 28;
++
+ if (!is_write)
+ return false;
+
+- return WARN(!regs->kuap, "Bug: write fault blocked by segment registers !");
++ return WARN(address < begin || address >= end,
++ "Bug: write fault blocked by segment registers !");
+ }
+
+ #endif /* CONFIG_PPC_KUAP */
+diff --git a/arch/powerpc/include/asm/book3s/32/pgalloc.h b/arch/powerpc/include/asm/book3s/32/pgalloc.h
+index 998317702630..dc5c039eb28e 100644
+--- a/arch/powerpc/include/asm/book3s/32/pgalloc.h
++++ b/arch/powerpc/include/asm/book3s/32/pgalloc.h
+@@ -49,7 +49,6 @@ static inline void pgtable_free(void *table, unsigned index_size)
+
+ #define get_hugepd_cache_index(x) (x)
+
+-#ifdef CONFIG_SMP
+ static inline void pgtable_free_tlb(struct mmu_gather *tlb,
+ void *table, int shift)
+ {
+@@ -66,13 +65,6 @@ static inline void __tlb_remove_table(void *_table)
+
+ pgtable_free(table, shift);
+ }
+-#else
+-static inline void pgtable_free_tlb(struct mmu_gather *tlb,
+- void *table, int shift)
+-{
+- pgtable_free(table, shift);
+-}
+-#endif
+
+ static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t table,
+ unsigned long address)
+diff --git a/arch/powerpc/include/asm/book3s/64/kup-radix.h b/arch/powerpc/include/asm/book3s/64/kup-radix.h
+index f254de956d6a..c8d1076e0ebb 100644
+--- a/arch/powerpc/include/asm/book3s/64/kup-radix.h
++++ b/arch/powerpc/include/asm/book3s/64/kup-radix.h
+@@ -77,25 +77,27 @@ static inline void set_kuap(unsigned long value)
+ isync();
+ }
+
+-static inline void allow_user_access(void __user *to, const void __user *from,
+- unsigned long size)
++static __always_inline void allow_user_access(void __user *to, const void __user *from,
++ unsigned long size, unsigned long dir)
+ {
+ // This is written so we can resolve to a single case at build time
+- if (__builtin_constant_p(to) && to == NULL)
++ BUILD_BUG_ON(!__builtin_constant_p(dir));
++ if (dir == KUAP_READ)
+ set_kuap(AMR_KUAP_BLOCK_WRITE);
+- else if (__builtin_constant_p(from) && from == NULL)
++ else if (dir == KUAP_WRITE)
+ set_kuap(AMR_KUAP_BLOCK_READ);
+ else
+ set_kuap(0);
+ }
+
+ static inline void prevent_user_access(void __user *to, const void __user *from,
+- unsigned long size)
++ unsigned long size, unsigned long dir)
+ {
+ set_kuap(AMR_KUAP_BLOCKED);
+ }
+
+-static inline bool bad_kuap_fault(struct pt_regs *regs, bool is_write)
++static inline bool
++bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)
+ {
+ return WARN(mmu_has_feature(MMU_FTR_RADIX_KUAP) &&
+ (regs->kuap & (is_write ? AMR_KUAP_BLOCK_WRITE : AMR_KUAP_BLOCK_READ)),
+diff --git a/arch/powerpc/include/asm/book3s/64/pgalloc.h b/arch/powerpc/include/asm/book3s/64/pgalloc.h
+index f6968c811026..a41e91bd0580 100644
+--- a/arch/powerpc/include/asm/book3s/64/pgalloc.h
++++ b/arch/powerpc/include/asm/book3s/64/pgalloc.h
+@@ -19,9 +19,7 @@ extern struct vmemmap_backing *vmemmap_list;
+ extern pmd_t *pmd_fragment_alloc(struct mm_struct *, unsigned long);
+ extern void pmd_fragment_free(unsigned long *);
+ extern void pgtable_free_tlb(struct mmu_gather *tlb, void *table, int shift);
+-#ifdef CONFIG_SMP
+ extern void __tlb_remove_table(void *_table);
+-#endif
+ void pte_frag_destroy(void *pte_frag);
+
+ static inline pgd_t *radix__pgd_alloc(struct mm_struct *mm)
+diff --git a/arch/powerpc/include/asm/futex.h b/arch/powerpc/include/asm/futex.h
+index eea28ca679db..bc7d9d06a6d9 100644
+--- a/arch/powerpc/include/asm/futex.h
++++ b/arch/powerpc/include/asm/futex.h
+@@ -35,7 +35,7 @@ static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+ {
+ int oldval = 0, ret;
+
+- allow_write_to_user(uaddr, sizeof(*uaddr));
++ allow_read_write_user(uaddr, uaddr, sizeof(*uaddr));
+ pagefault_disable();
+
+ switch (op) {
+@@ -62,7 +62,7 @@ static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+
+ *oval = oldval;
+
+- prevent_write_to_user(uaddr, sizeof(*uaddr));
++ prevent_read_write_user(uaddr, uaddr, sizeof(*uaddr));
+ return ret;
+ }
+
+@@ -76,7 +76,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+ if (!access_ok(uaddr, sizeof(u32)))
+ return -EFAULT;
+
+- allow_write_to_user(uaddr, sizeof(*uaddr));
++ allow_read_write_user(uaddr, uaddr, sizeof(*uaddr));
++
+ __asm__ __volatile__ (
+ PPC_ATOMIC_ENTRY_BARRIER
+ "1: lwarx %1,0,%3 # futex_atomic_cmpxchg_inatomic\n\
+@@ -97,7 +98,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
+ : "cc", "memory");
+
+ *uval = prev;
+- prevent_write_to_user(uaddr, sizeof(*uaddr));
++ prevent_read_write_user(uaddr, uaddr, sizeof(*uaddr));
++
+ return ret;
+ }
+
+diff --git a/arch/powerpc/include/asm/kup.h b/arch/powerpc/include/asm/kup.h
+index 5b5e39643a27..94f24928916a 100644
+--- a/arch/powerpc/include/asm/kup.h
++++ b/arch/powerpc/include/asm/kup.h
+@@ -2,6 +2,10 @@
+ #ifndef _ASM_POWERPC_KUP_H_
+ #define _ASM_POWERPC_KUP_H_
+
++#define KUAP_READ 1
++#define KUAP_WRITE 2
++#define KUAP_READ_WRITE (KUAP_READ | KUAP_WRITE)
++
+ #ifdef CONFIG_PPC64
+ #include <asm/book3s/64/kup-radix.h>
+ #endif
+@@ -42,32 +46,48 @@ void setup_kuap(bool disabled);
+ #else
+ static inline void setup_kuap(bool disabled) { }
+ static inline void allow_user_access(void __user *to, const void __user *from,
+- unsigned long size) { }
++ unsigned long size, unsigned long dir) { }
+ static inline void prevent_user_access(void __user *to, const void __user *from,
+- unsigned long size) { }
+-static inline bool bad_kuap_fault(struct pt_regs *regs, bool is_write) { return false; }
++ unsigned long size, unsigned long dir) { }
++static inline bool
++bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)
++{
++ return false;
++}
+ #endif /* CONFIG_PPC_KUAP */
+
+ static inline void allow_read_from_user(const void __user *from, unsigned long size)
+ {
+- allow_user_access(NULL, from, size);
++ allow_user_access(NULL, from, size, KUAP_READ);
+ }
+
+ static inline void allow_write_to_user(void __user *to, unsigned long size)
+ {
+- allow_user_access(to, NULL, size);
++ allow_user_access(to, NULL, size, KUAP_WRITE);
++}
++
++static inline void allow_read_write_user(void __user *to, const void __user *from,
++ unsigned long size)
++{
++ allow_user_access(to, from, size, KUAP_READ_WRITE);
+ }
+
+ static inline void prevent_read_from_user(const void __user *from, unsigned long size)
+ {
+- prevent_user_access(NULL, from, size);
++ prevent_user_access(NULL, from, size, KUAP_READ);
+ }
+
+ static inline void prevent_write_to_user(void __user *to, unsigned long size)
+ {
+- prevent_user_access(to, NULL, size);
++ prevent_user_access(to, NULL, size, KUAP_WRITE);
++}
++
++static inline void prevent_read_write_user(void __user *to, const void __user *from,
++ unsigned long size)
++{
++ prevent_user_access(to, from, size, KUAP_READ_WRITE);
+ }
+
+ #endif /* !__ASSEMBLY__ */
+
+-#endif /* _ASM_POWERPC_KUP_H_ */
++#endif /* _ASM_POWERPC_KUAP_H_ */
+diff --git a/arch/powerpc/include/asm/nohash/32/kup-8xx.h b/arch/powerpc/include/asm/nohash/32/kup-8xx.h
+index 1006a427e99c..1d70c80366fd 100644
+--- a/arch/powerpc/include/asm/nohash/32/kup-8xx.h
++++ b/arch/powerpc/include/asm/nohash/32/kup-8xx.h
+@@ -35,18 +35,19 @@
+ #include <asm/reg.h>
+
+ static inline void allow_user_access(void __user *to, const void __user *from,
+- unsigned long size)
++ unsigned long size, unsigned long dir)
+ {
+ mtspr(SPRN_MD_AP, MD_APG_INIT);
+ }
+
+ static inline void prevent_user_access(void __user *to, const void __user *from,
+- unsigned long size)
++ unsigned long size, unsigned long dir)
+ {
+ mtspr(SPRN_MD_AP, MD_APG_KUAP);
+ }
+
+-static inline bool bad_kuap_fault(struct pt_regs *regs, bool is_write)
++static inline bool
++bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)
+ {
+ return WARN(!((regs->kuap ^ MD_APG_KUAP) & 0xf0000000),
+ "Bug: fault blocked by AP register !");
+diff --git a/arch/powerpc/include/asm/nohash/pgalloc.h b/arch/powerpc/include/asm/nohash/pgalloc.h
+index 332b13b4ecdb..29c43665a753 100644
+--- a/arch/powerpc/include/asm/nohash/pgalloc.h
++++ b/arch/powerpc/include/asm/nohash/pgalloc.h
+@@ -46,7 +46,6 @@ static inline void pgtable_free(void *table, int shift)
+
+ #define get_hugepd_cache_index(x) (x)
+
+-#ifdef CONFIG_SMP
+ static inline void pgtable_free_tlb(struct mmu_gather *tlb, void *table, int shift)
+ {
+ unsigned long pgf = (unsigned long)table;
+@@ -64,13 +63,6 @@ static inline void __tlb_remove_table(void *_table)
+ pgtable_free(table, shift);
+ }
+
+-#else
+-static inline void pgtable_free_tlb(struct mmu_gather *tlb, void *table, int shift)
+-{
+- pgtable_free(table, shift);
+-}
+-#endif
+-
+ static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t table,
+ unsigned long address)
+ {
+diff --git a/arch/powerpc/include/asm/tlb.h b/arch/powerpc/include/asm/tlb.h
+index b2c0be93929d..7f3a8b902325 100644
+--- a/arch/powerpc/include/asm/tlb.h
++++ b/arch/powerpc/include/asm/tlb.h
+@@ -26,6 +26,17 @@
+
+ #define tlb_flush tlb_flush
+ extern void tlb_flush(struct mmu_gather *tlb);
++/*
++ * book3s:
++ * Hash does not use the linux page-tables, so we can avoid
++ * the TLB invalidate for page-table freeing, Radix otoh does use the
++ * page-tables and needs the TLBI.
++ *
++ * nohash:
++ * We still do TLB invalidate in the __pte_free_tlb routine before we
++ * add the page table pages to mmu gather table batch.
++ */
++#define tlb_needs_table_invalidate() radix_enabled()
+
+ /* Get the generic bits... */
+ #include <asm-generic/tlb.h>
+diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
+index c92fe7fe9692..cafad1960e76 100644
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -313,9 +313,9 @@ raw_copy_in_user(void __user *to, const void __user *from, unsigned long n)
+ unsigned long ret;
+
+ barrier_nospec();
+- allow_user_access(to, from, n);
++ allow_read_write_user(to, from, n);
+ ret = __copy_tofrom_user(to, from, n);
+- prevent_user_access(to, from, n);
++ prevent_read_write_user(to, from, n);
+ return ret;
+ }
+ #endif /* __powerpc64__ */
+diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
+index d60908ea37fb..59bb4f4ae316 100644
+--- a/arch/powerpc/kernel/entry_32.S
++++ b/arch/powerpc/kernel/entry_32.S
+@@ -179,7 +179,7 @@ transfer_to_handler:
+ 2: /* if from kernel, check interrupted DOZE/NAP mode and
+ * check for stack overflow
+ */
+- kuap_save_and_lock r11, r12, r9, r2, r0
++ kuap_save_and_lock r11, r12, r9, r2, r6
+ addi r2, r12, -THREAD
+ lwz r9,KSP_LIMIT(r12)
+ cmplw r1,r9 /* if r1 <= ksp_limit */
+@@ -284,6 +284,7 @@ reenable_mmu:
+ rlwinm r9,r9,0,~MSR_EE
+ lwz r12,_LINK(r11) /* and return to address in LR */
+ kuap_restore r11, r2, r3, r4, r5
++ lwz r2, GPR2(r11)
+ b fast_exception_return
+ #endif
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 6ff3f896d908..ef6aa63b071b 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -2368,7 +2368,7 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_hv(struct kvm *kvm,
+ mutex_unlock(&kvm->lock);
+
+ if (!vcore)
+- goto free_vcpu;
++ goto uninit_vcpu;
+
+ spin_lock(&vcore->lock);
+ ++vcore->num_threads;
+@@ -2385,6 +2385,8 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_hv(struct kvm *kvm,
+
+ return vcpu;
+
++uninit_vcpu:
++ kvm_vcpu_uninit(vcpu);
+ free_vcpu:
+ kmem_cache_free(kvm_vcpu_cache, vcpu);
+ out:
+diff --git a/arch/powerpc/kvm/book3s_pr.c b/arch/powerpc/kvm/book3s_pr.c
+index eb86a2f26986..04512b4bb417 100644
+--- a/arch/powerpc/kvm/book3s_pr.c
++++ b/arch/powerpc/kvm/book3s_pr.c
+@@ -1806,10 +1806,12 @@ static struct kvm_vcpu *kvmppc_core_vcpu_create_pr(struct kvm *kvm,
+
+ err = kvmppc_mmu_init(vcpu);
+ if (err < 0)
+- goto uninit_vcpu;
++ goto free_shared_page;
+
+ return vcpu;
+
++free_shared_page:
++ free_page((unsigned long)vcpu->arch.shared);
+ uninit_vcpu:
+ kvm_vcpu_uninit(vcpu);
+ free_shadow_vcpu:
+diff --git a/arch/powerpc/kvm/book3s_xive_native.c b/arch/powerpc/kvm/book3s_xive_native.c
+index d83adb1e1490..6ef0151ff70a 100644
+--- a/arch/powerpc/kvm/book3s_xive_native.c
++++ b/arch/powerpc/kvm/book3s_xive_native.c
+@@ -631,7 +631,7 @@ static int kvmppc_xive_native_set_queue_config(struct kvmppc_xive *xive,
+ srcu_idx = srcu_read_lock(&kvm->srcu);
+ gfn = gpa_to_gfn(kvm_eq.qaddr);
+
+- page_size = kvm_host_page_size(kvm, gfn);
++ page_size = kvm_host_page_size(vcpu, gfn);
+ if (1ull << kvm_eq.qshift > page_size) {
+ srcu_read_unlock(&kvm->srcu, srcu_idx);
+ pr_warn("Incompatible host page size %lx!\n", page_size);
+diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c
+index 75483b40fcb1..2bf7e1b4fd82 100644
+--- a/arch/powerpc/mm/book3s64/pgtable.c
++++ b/arch/powerpc/mm/book3s64/pgtable.c
+@@ -378,7 +378,6 @@ static inline void pgtable_free(void *table, int index)
+ }
+ }
+
+-#ifdef CONFIG_SMP
+ void pgtable_free_tlb(struct mmu_gather *tlb, void *table, int index)
+ {
+ unsigned long pgf = (unsigned long)table;
+@@ -395,12 +394,6 @@ void __tlb_remove_table(void *_table)
+
+ return pgtable_free(table, index);
+ }
+-#else
+-void pgtable_free_tlb(struct mmu_gather *tlb, void *table, int index)
+-{
+- return pgtable_free(table, index);
+-}
+-#endif
+
+ #ifdef CONFIG_PROC_FS
+ atomic_long_t direct_pages_count[MMU_PAGE_COUNT];
+diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
+index b5047f9b5dec..1baeb045f7f4 100644
+--- a/arch/powerpc/mm/fault.c
++++ b/arch/powerpc/mm/fault.c
+@@ -233,7 +233,7 @@ static bool bad_kernel_fault(struct pt_regs *regs, unsigned long error_code,
+
+ // Read/write fault in a valid region (the exception table search passed
+ // above), but blocked by KUAP is bad, it can never succeed.
+- if (bad_kuap_fault(regs, is_write))
++ if (bad_kuap_fault(regs, address, is_write))
+ return true;
+
+ // What's left? Kernel fault on user in well defined regions (extable
+diff --git a/arch/powerpc/mm/ptdump/ptdump.c b/arch/powerpc/mm/ptdump/ptdump.c
+index 2f9ddc29c535..c73205172447 100644
+--- a/arch/powerpc/mm/ptdump/ptdump.c
++++ b/arch/powerpc/mm/ptdump/ptdump.c
+@@ -173,10 +173,12 @@ static void dump_addr(struct pg_state *st, unsigned long addr)
+
+ static void note_prot_wx(struct pg_state *st, unsigned long addr)
+ {
++ pte_t pte = __pte(st->current_flags);
++
+ if (!IS_ENABLED(CONFIG_PPC_DEBUG_WX) || !st->check_wx)
+ return;
+
+- if (!((st->current_flags & pgprot_val(PAGE_KERNEL_X)) == pgprot_val(PAGE_KERNEL_X)))
++ if (!pte_write(pte) || !pte_exec(pte))
+ return;
+
+ WARN_ONCE(1, "powerpc/mm: Found insecure W+X mapping at address %p/%pS\n",
+diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
+index c126b94d1943..a4d40a3ceea3 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -360,8 +360,10 @@ static bool lmb_is_removable(struct drmem_lmb *lmb)
+
+ for (i = 0; i < scns_per_block; i++) {
+ pfn = PFN_DOWN(phys_addr);
+- if (!pfn_present(pfn))
++ if (!pfn_present(pfn)) {
++ phys_addr += MIN_MEMORY_BLOCK_SIZE;
+ continue;
++ }
+
+ rc = rc && is_mem_section_removable(pfn, PAGES_PER_SECTION);
+ phys_addr += MIN_MEMORY_BLOCK_SIZE;
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index a7056049709e..03d23075ac43 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -1949,15 +1949,14 @@ static void dump_300_sprs(void)
+
+ printf("pidr = %.16lx tidr = %.16lx\n",
+ mfspr(SPRN_PID), mfspr(SPRN_TIDR));
+- printf("asdr = %.16lx psscr = %.16lx\n",
+- mfspr(SPRN_ASDR), hv ? mfspr(SPRN_PSSCR)
+- : mfspr(SPRN_PSSCR_PR));
++ printf("psscr = %.16lx\n",
++ hv ? mfspr(SPRN_PSSCR) : mfspr(SPRN_PSSCR_PR));
+
+ if (!hv)
+ return;
+
+- printf("ptcr = %.16lx\n",
+- mfspr(SPRN_PTCR));
++ printf("ptcr = %.16lx asdr = %.16lx\n",
++ mfspr(SPRN_PTCR), mfspr(SPRN_ASDR));
+ #endif
+ }
+
+diff --git a/arch/riscv/net/bpf_jit_comp.c b/arch/riscv/net/bpf_jit_comp.c
+index 7fbf56aab661..e2279fed8f56 100644
+--- a/arch/riscv/net/bpf_jit_comp.c
++++ b/arch/riscv/net/bpf_jit_comp.c
+@@ -120,6 +120,11 @@ static bool seen_reg(int reg, struct rv_jit_context *ctx)
+ return false;
+ }
+
++static void mark_fp(struct rv_jit_context *ctx)
++{
++ __set_bit(RV_CTX_F_SEEN_S5, &ctx->flags);
++}
++
+ static void mark_call(struct rv_jit_context *ctx)
+ {
+ __set_bit(RV_CTX_F_SEEN_CALL, &ctx->flags);
+@@ -596,7 +601,8 @@ static void __build_epilogue(u8 reg, struct rv_jit_context *ctx)
+
+ emit(rv_addi(RV_REG_SP, RV_REG_SP, stack_adjust), ctx);
+ /* Set return value. */
+- emit(rv_addi(RV_REG_A0, RV_REG_A5, 0), ctx);
++ if (reg == RV_REG_RA)
++ emit(rv_addi(RV_REG_A0, RV_REG_A5, 0), ctx);
+ emit(rv_jalr(RV_REG_ZERO, reg, 0), ctx);
+ }
+
+@@ -1426,6 +1432,10 @@ static void build_prologue(struct rv_jit_context *ctx)
+ {
+ int stack_adjust = 0, store_offset, bpf_stack_adjust;
+
++ bpf_stack_adjust = round_up(ctx->prog->aux->stack_depth, 16);
++ if (bpf_stack_adjust)
++ mark_fp(ctx);
++
+ if (seen_reg(RV_REG_RA, ctx))
+ stack_adjust += 8;
+ stack_adjust += 8; /* RV_REG_FP */
+@@ -1443,7 +1453,6 @@ static void build_prologue(struct rv_jit_context *ctx)
+ stack_adjust += 8;
+
+ stack_adjust = round_up(stack_adjust, 16);
+- bpf_stack_adjust = round_up(ctx->prog->aux->stack_depth, 16);
+ stack_adjust += bpf_stack_adjust;
+
+ store_offset = stack_adjust - 8;
+diff --git a/arch/s390/include/asm/page.h b/arch/s390/include/asm/page.h
+index a4d38092530a..85e944f04c70 100644
+--- a/arch/s390/include/asm/page.h
++++ b/arch/s390/include/asm/page.h
+@@ -33,6 +33,8 @@
+ #define ARCH_HAS_PREPARE_HUGEPAGE
+ #define ARCH_HAS_HUGEPAGE_CLEAR_FLUSH
+
++#define HAVE_ARCH_HUGETLB_UNMAPPED_AREA
++
+ #include <asm/setup.h>
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index d9e6bf3d54f0..876802894b35 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -2860,9 +2860,7 @@ static void kvm_s390_vcpu_initial_reset(struct kvm_vcpu *vcpu)
+ vcpu->arch.sie_block->gcr[14] = CR14_UNUSED_32 |
+ CR14_UNUSED_33 |
+ CR14_EXTERNAL_DAMAGE_SUBMASK;
+- /* make sure the new fpc will be lazily loaded */
+- save_fpu_regs();
+- current->thread.fpu.fpc = 0;
++ vcpu->run->s.regs.fpc = 0;
+ vcpu->arch.sie_block->gbea = 1;
+ vcpu->arch.sie_block->pp = 0;
+ vcpu->arch.sie_block->fpf &= ~FPF_BPBC;
+@@ -4351,7 +4349,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ switch (ioctl) {
+ case KVM_S390_STORE_STATUS:
+ idx = srcu_read_lock(&vcpu->kvm->srcu);
+- r = kvm_s390_vcpu_store_status(vcpu, arg);
++ r = kvm_s390_store_status_unloaded(vcpu, arg);
+ srcu_read_unlock(&vcpu->kvm->srcu, idx);
+ break;
+ case KVM_S390_SET_INITIAL_PSW: {
+diff --git a/arch/s390/mm/hugetlbpage.c b/arch/s390/mm/hugetlbpage.c
+index b0246c705a19..5674710a4841 100644
+--- a/arch/s390/mm/hugetlbpage.c
++++ b/arch/s390/mm/hugetlbpage.c
+@@ -2,7 +2,7 @@
+ /*
+ * IBM System z Huge TLB Page Support for Kernel.
+ *
+- * Copyright IBM Corp. 2007,2016
++ * Copyright IBM Corp. 2007,2020
+ * Author(s): Gerald Schaefer <gerald.schaefer@de.ibm.com>
+ */
+
+@@ -11,6 +11,9 @@
+
+ #include <linux/mm.h>
+ #include <linux/hugetlb.h>
++#include <linux/mman.h>
++#include <linux/sched/mm.h>
++#include <linux/security.h>
+
+ /*
+ * If the bit selected by single-bit bitmask "a" is set within "x", move
+@@ -267,3 +270,98 @@ static __init int setup_hugepagesz(char *opt)
+ return 1;
+ }
+ __setup("hugepagesz=", setup_hugepagesz);
++
++static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
++ unsigned long addr, unsigned long len,
++ unsigned long pgoff, unsigned long flags)
++{
++ struct hstate *h = hstate_file(file);
++ struct vm_unmapped_area_info info;
++
++ info.flags = 0;
++ info.length = len;
++ info.low_limit = current->mm->mmap_base;
++ info.high_limit = TASK_SIZE;
++ info.align_mask = PAGE_MASK & ~huge_page_mask(h);
++ info.align_offset = 0;
++ return vm_unmapped_area(&info);
++}
++
++static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
++ unsigned long addr0, unsigned long len,
++ unsigned long pgoff, unsigned long flags)
++{
++ struct hstate *h = hstate_file(file);
++ struct vm_unmapped_area_info info;
++ unsigned long addr;
++
++ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
++ info.length = len;
++ info.low_limit = max(PAGE_SIZE, mmap_min_addr);
++ info.high_limit = current->mm->mmap_base;
++ info.align_mask = PAGE_MASK & ~huge_page_mask(h);
++ info.align_offset = 0;
++ addr = vm_unmapped_area(&info);
++
++ /*
++ * A failed mmap() very likely causes application failure,
++ * so fall back to the bottom-up function here. This scenario
++ * can happen with large stack limits and large mmap()
++ * allocations.
++ */
++ if (addr & ~PAGE_MASK) {
++ VM_BUG_ON(addr != -ENOMEM);
++ info.flags = 0;
++ info.low_limit = TASK_UNMAPPED_BASE;
++ info.high_limit = TASK_SIZE;
++ addr = vm_unmapped_area(&info);
++ }
++
++ return addr;
++}
++
++unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
++ unsigned long len, unsigned long pgoff, unsigned long flags)
++{
++ struct hstate *h = hstate_file(file);
++ struct mm_struct *mm = current->mm;
++ struct vm_area_struct *vma;
++ int rc;
++
++ if (len & ~huge_page_mask(h))
++ return -EINVAL;
++ if (len > TASK_SIZE - mmap_min_addr)
++ return -ENOMEM;
++
++ if (flags & MAP_FIXED) {
++ if (prepare_hugepage_range(file, addr, len))
++ return -EINVAL;
++ goto check_asce_limit;
++ }
++
++ if (addr) {
++ addr = ALIGN(addr, huge_page_size(h));
++ vma = find_vma(mm, addr);
++ if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
++ (!vma || addr + len <= vm_start_gap(vma)))
++ goto check_asce_limit;
++ }
++
++ if (mm->get_unmapped_area == arch_get_unmapped_area)
++ addr = hugetlb_get_unmapped_area_bottomup(file, addr, len,
++ pgoff, flags);
++ else
++ addr = hugetlb_get_unmapped_area_topdown(file, addr, len,
++ pgoff, flags);
++ if (addr & ~PAGE_MASK)
++ return addr;
++
++check_asce_limit:
++ if (addr + len > current->mm->context.asce_limit &&
++ addr + len <= TASK_SIZE) {
++ rc = crst_table_upgrade(mm, addr + len);
++ if (rc)
++ return (unsigned long) rc;
++ }
++ return addr;
++}
+diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
+index eb24cb1afc11..18e9fb6fcf1b 100644
+--- a/arch/sparc/Kconfig
++++ b/arch/sparc/Kconfig
+@@ -65,7 +65,6 @@ config SPARC64
+ select HAVE_KRETPROBES
+ select HAVE_KPROBES
+ select HAVE_RCU_TABLE_FREE if SMP
+- select HAVE_RCU_TABLE_NO_INVALIDATE if HAVE_RCU_TABLE_FREE
+ select HAVE_MEMBLOCK_NODE_MAP
+ select HAVE_ARCH_TRANSPARENT_HUGEPAGE
+ select HAVE_DYNAMIC_FTRACE
+diff --git a/arch/sparc/include/asm/tlb_64.h b/arch/sparc/include/asm/tlb_64.h
+index a2f3fa61ee36..8cb8f3833239 100644
+--- a/arch/sparc/include/asm/tlb_64.h
++++ b/arch/sparc/include/asm/tlb_64.h
+@@ -28,6 +28,15 @@ void flush_tlb_pending(void);
+ #define __tlb_remove_tlb_entry(tlb, ptep, address) do { } while (0)
+ #define tlb_flush(tlb) flush_tlb_pending()
+
++/*
++ * SPARC64's hardware TLB fill does not use the Linux page-tables
++ * and therefore we don't need a TLBI when freeing page-table pages.
++ */
++
++#ifdef CONFIG_HAVE_RCU_TABLE_FREE
++#define tlb_needs_table_invalidate() (false)
++#endif
++
+ #include <asm-generic/tlb.h>
+
+ #endif /* _SPARC64_TLB_H */
+diff --git a/arch/sparc/include/uapi/asm/ipcbuf.h b/arch/sparc/include/uapi/asm/ipcbuf.h
+index 5b933a598a33..0ea1240d2ea1 100644
+--- a/arch/sparc/include/uapi/asm/ipcbuf.h
++++ b/arch/sparc/include/uapi/asm/ipcbuf.h
+@@ -17,19 +17,19 @@
+
+ struct ipc64_perm
+ {
+- __kernel_key_t key;
+- __kernel_uid_t uid;
+- __kernel_gid_t gid;
+- __kernel_uid_t cuid;
+- __kernel_gid_t cgid;
++ __kernel_key_t key;
++ __kernel_uid32_t uid;
++ __kernel_gid32_t gid;
++ __kernel_uid32_t cuid;
++ __kernel_gid32_t cgid;
+ #ifndef __arch64__
+- unsigned short __pad0;
++ unsigned short __pad0;
+ #endif
+- __kernel_mode_t mode;
+- unsigned short __pad1;
+- unsigned short seq;
+- unsigned long long __unused1;
+- unsigned long long __unused2;
++ __kernel_mode_t mode;
++ unsigned short __pad1;
++ unsigned short seq;
++ unsigned long long __unused1;
++ unsigned long long __unused2;
+ };
+
+ #endif /* __SPARC_IPCBUF_H */
+diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
+index 2ebc17d9c72c..19e94af9cc5d 100644
+--- a/arch/x86/include/asm/apic.h
++++ b/arch/x86/include/asm/apic.h
+@@ -140,6 +140,7 @@ extern void apic_soft_disable(void);
+ extern void lapic_shutdown(void);
+ extern void sync_Arb_IDs(void);
+ extern void init_bsp_APIC(void);
++extern void apic_intr_mode_select(void);
+ extern void apic_intr_mode_init(void);
+ extern void init_apic_mappings(void);
+ void register_lapic_address(unsigned long address);
+@@ -188,6 +189,7 @@ static inline void disable_local_APIC(void) { }
+ # define setup_secondary_APIC_clock x86_init_noop
+ static inline void lapic_update_tsc_freq(void) { }
+ static inline void init_bsp_APIC(void) { }
++static inline void apic_intr_mode_select(void) { }
+ static inline void apic_intr_mode_init(void) { }
+ static inline void lapic_assign_system_vectors(void) { }
+ static inline void lapic_assign_legacy_vector(unsigned int i, bool r) { }
+@@ -452,6 +454,14 @@ static inline void ack_APIC_irq(void)
+ apic_eoi();
+ }
+
++
++static inline bool lapic_vector_set_in_irr(unsigned int vector)
++{
++ u32 irr = apic_read(APIC_IRR + (vector / 32 * 0x10));
++
++ return !!(irr & (1U << (vector % 32)));
++}
++
+ static inline unsigned default_get_apic_id(unsigned long x)
+ {
+ unsigned int ver = GET_APIC_VERSION(apic_read(APIC_LVR));
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index b79cd6aa4075..178e4e1a47f5 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -378,12 +378,12 @@ struct kvm_mmu {
+ void (*set_cr3)(struct kvm_vcpu *vcpu, unsigned long root);
+ unsigned long (*get_cr3)(struct kvm_vcpu *vcpu);
+ u64 (*get_pdptr)(struct kvm_vcpu *vcpu, int index);
+- int (*page_fault)(struct kvm_vcpu *vcpu, gva_t gva, u32 err,
++ int (*page_fault)(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u32 err,
+ bool prefault);
+ void (*inject_page_fault)(struct kvm_vcpu *vcpu,
+ struct x86_exception *fault);
+- gpa_t (*gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t gva, u32 access,
+- struct x86_exception *exception);
++ gpa_t (*gva_to_gpa)(struct kvm_vcpu *vcpu, gpa_t gva_or_gpa,
++ u32 access, struct x86_exception *exception);
+ gpa_t (*translate_gpa)(struct kvm_vcpu *vcpu, gpa_t gpa, u32 access,
+ struct x86_exception *exception);
+ int (*sync_page)(struct kvm_vcpu *vcpu,
+@@ -685,10 +685,10 @@ struct kvm_vcpu_arch {
+ bool pvclock_set_guest_stopped_request;
+
+ struct {
++ u8 preempted;
+ u64 msr_val;
+ u64 last_steal;
+- struct gfn_to_hva_cache stime;
+- struct kvm_steal_time steal;
++ struct gfn_to_pfn_cache cache;
+ } st;
+
+ u64 tsc_offset;
+@@ -1145,6 +1145,7 @@ struct kvm_x86_ops {
+ bool (*xsaves_supported)(void);
+ bool (*umip_emulated)(void);
+ bool (*pt_supported)(void);
++ bool (*pku_supported)(void);
+
+ int (*check_nested_events)(struct kvm_vcpu *vcpu, bool external_intr);
+ void (*request_immediate_exit)(struct kvm_vcpu *vcpu);
+@@ -1468,7 +1469,7 @@ void kvm_vcpu_deactivate_apicv(struct kvm_vcpu *vcpu);
+
+ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu);
+
+-int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t gva, u64 error_code,
++int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code,
+ void *insn, int insn_len);
+ void kvm_mmu_invlpg(struct kvm_vcpu *vcpu, gva_t gva);
+ void kvm_mmu_invpcid_gva(struct kvm_vcpu *vcpu, gva_t gva, unsigned long pcid);
+diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
+index 19435858df5f..96d9cd208610 100644
+--- a/arch/x86/include/asm/x86_init.h
++++ b/arch/x86/include/asm/x86_init.h
+@@ -51,12 +51,14 @@ struct x86_init_resources {
+ * are set up.
+ * @intr_init: interrupt init code
+ * @trap_init: platform specific trap setup
++ * @intr_mode_select: interrupt delivery mode selection
+ * @intr_mode_init: interrupt delivery mode setup
+ */
+ struct x86_init_irqs {
+ void (*pre_vector_init)(void);
+ void (*intr_init)(void);
+ void (*trap_init)(void);
++ void (*intr_mode_select)(void);
+ void (*intr_mode_init)(void);
+ };
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 28446fa6bf18..4b0f9117e1cd 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -830,8 +830,17 @@ bool __init apic_needs_pit(void)
+ if (!tsc_khz || !cpu_khz)
+ return true;
+
+- /* Is there an APIC at all? */
+- if (!boot_cpu_has(X86_FEATURE_APIC))
++ /* Is there an APIC at all or is it disabled? */
++ if (!boot_cpu_has(X86_FEATURE_APIC) || disable_apic)
++ return true;
++
++ /*
++ * If interrupt delivery mode is legacy PIC or virtual wire without
++ * configuration, the local APIC timer wont be set up. Make sure
++ * that the PIT is initialized.
++ */
++ if (apic_intr_mode == APIC_PIC ||
++ apic_intr_mode == APIC_VIRTUAL_WIRE_NO_CONFIG)
+ return true;
+
+ /* Virt guests may lack ARAT, but still have DEADLINE */
+@@ -1322,7 +1331,7 @@ void __init sync_Arb_IDs(void)
+
+ enum apic_intr_mode_id apic_intr_mode __ro_after_init;
+
+-static int __init apic_intr_mode_select(void)
++static int __init __apic_intr_mode_select(void)
+ {
+ /* Check kernel option */
+ if (disable_apic) {
+@@ -1384,6 +1393,12 @@ static int __init apic_intr_mode_select(void)
+ return APIC_SYMMETRIC_IO;
+ }
+
++/* Select the interrupt delivery mode for the BSP */
++void __init apic_intr_mode_select(void)
++{
++ apic_intr_mode = __apic_intr_mode_select();
++}
++
+ /*
+ * An initial setup of the virtual wire mode.
+ */
+@@ -1440,8 +1455,6 @@ void __init apic_intr_mode_init(void)
+ {
+ bool upmode = IS_ENABLED(CONFIG_UP_LATE_INIT);
+
+- apic_intr_mode = apic_intr_mode_select();
+-
+ switch (apic_intr_mode) {
+ case APIC_PIC:
+ pr_info("APIC: Keep in PIC mode(8259)\n");
+diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c
+index 7f7533462474..159bd0cb8548 100644
+--- a/arch/x86/kernel/apic/msi.c
++++ b/arch/x86/kernel/apic/msi.c
+@@ -23,10 +23,8 @@
+
+ static struct irq_domain *msi_default_domain;
+
+-static void irq_msi_compose_msg(struct irq_data *data, struct msi_msg *msg)
++static void __irq_msi_compose_msg(struct irq_cfg *cfg, struct msi_msg *msg)
+ {
+- struct irq_cfg *cfg = irqd_cfg(data);
+-
+ msg->address_hi = MSI_ADDR_BASE_HI;
+
+ if (x2apic_enabled())
+@@ -47,6 +45,127 @@ static void irq_msi_compose_msg(struct irq_data *data, struct msi_msg *msg)
+ MSI_DATA_VECTOR(cfg->vector);
+ }
+
++static void irq_msi_compose_msg(struct irq_data *data, struct msi_msg *msg)
++{
++ __irq_msi_compose_msg(irqd_cfg(data), msg);
++}
++
++static void irq_msi_update_msg(struct irq_data *irqd, struct irq_cfg *cfg)
++{
++ struct msi_msg msg[2] = { [1] = { }, };
++
++ __irq_msi_compose_msg(cfg, msg);
++ irq_data_get_irq_chip(irqd)->irq_write_msi_msg(irqd, msg);
++}
++
++static int
++msi_set_affinity(struct irq_data *irqd, const struct cpumask *mask, bool force)
++{
++ struct irq_cfg old_cfg, *cfg = irqd_cfg(irqd);
++ struct irq_data *parent = irqd->parent_data;
++ unsigned int cpu;
++ int ret;
++
++ /* Save the current configuration */
++ cpu = cpumask_first(irq_data_get_effective_affinity_mask(irqd));
++ old_cfg = *cfg;
++
++ /* Allocate a new target vector */
++ ret = parent->chip->irq_set_affinity(parent, mask, force);
++ if (ret < 0 || ret == IRQ_SET_MASK_OK_DONE)
++ return ret;
++
++ /*
++ * For non-maskable and non-remapped MSI interrupts the migration
++ * to a different destination CPU and a different vector has to be
++ * done careful to handle the possible stray interrupt which can be
++ * caused by the non-atomic update of the address/data pair.
++ *
++ * Direct update is possible when:
++ * - The MSI is maskable (remapped MSI does not use this code path)).
++ * The quirk bit is not set in this case.
++ * - The new vector is the same as the old vector
++ * - The old vector is MANAGED_IRQ_SHUTDOWN_VECTOR (interrupt starts up)
++ * - The new destination CPU is the same as the old destination CPU
++ */
++ if (!irqd_msi_nomask_quirk(irqd) ||
++ cfg->vector == old_cfg.vector ||
++ old_cfg.vector == MANAGED_IRQ_SHUTDOWN_VECTOR ||
++ cfg->dest_apicid == old_cfg.dest_apicid) {
++ irq_msi_update_msg(irqd, cfg);
++ return ret;
++ }
++
++ /*
++ * Paranoia: Validate that the interrupt target is the local
++ * CPU.
++ */
++ if (WARN_ON_ONCE(cpu != smp_processor_id())) {
++ irq_msi_update_msg(irqd, cfg);
++ return ret;
++ }
++
++ /*
++ * Redirect the interrupt to the new vector on the current CPU
++ * first. This might cause a spurious interrupt on this vector if
++ * the device raises an interrupt right between this update and the
++ * update to the final destination CPU.
++ *
++ * If the vector is in use then the installed device handler will
++ * denote it as spurious which is no harm as this is a rare event
++ * and interrupt handlers have to cope with spurious interrupts
++ * anyway. If the vector is unused, then it is marked so it won't
++ * trigger the 'No irq handler for vector' warning in do_IRQ().
++ *
++ * This requires to hold vector lock to prevent concurrent updates to
++ * the affected vector.
++ */
++ lock_vector_lock();
++
++ /*
++ * Mark the new target vector on the local CPU if it is currently
++ * unused. Reuse the VECTOR_RETRIGGERED state which is also used in
++ * the CPU hotplug path for a similar purpose. This cannot be
++ * undone here as the current CPU has interrupts disabled and
++ * cannot handle the interrupt before the whole set_affinity()
++ * section is done. In the CPU unplug case, the current CPU is
++ * about to vanish and will not handle any interrupts anymore. The
++ * vector is cleaned up when the CPU comes online again.
++ */
++ if (IS_ERR_OR_NULL(this_cpu_read(vector_irq[cfg->vector])))
++ this_cpu_write(vector_irq[cfg->vector], VECTOR_RETRIGGERED);
++
++ /* Redirect it to the new vector on the local CPU temporarily */
++ old_cfg.vector = cfg->vector;
++ irq_msi_update_msg(irqd, &old_cfg);
++
++ /* Now transition it to the target CPU */
++ irq_msi_update_msg(irqd, cfg);
++
++ /*
++ * All interrupts after this point are now targeted at the new
++ * vector/CPU.
++ *
++ * Drop vector lock before testing whether the temporary assignment
++ * to the local CPU was hit by an interrupt raised in the device,
++ * because the retrigger function acquires vector lock again.
++ */
++ unlock_vector_lock();
++
++ /*
++ * Check whether the transition raced with a device interrupt and
++ * is pending in the local APICs IRR. It is safe to do this outside
++ * of vector lock as the irq_desc::lock of this interrupt is still
++ * held and interrupts are disabled: The check is not accessing the
++ * underlying vector store. It's just checking the local APIC's
++ * IRR.
++ */
++ if (lapic_vector_set_in_irr(cfg->vector))
++ irq_data_get_irq_chip(irqd)->irq_retrigger(irqd);
++
++ return ret;
++}
++
+ /*
+ * IRQ Chip for MSI PCI/PCI-X/PCI-Express Devices,
+ * which implement the MSI or MSI-X Capability Structure.
+@@ -58,6 +177,7 @@ static struct irq_chip pci_msi_controller = {
+ .irq_ack = irq_chip_ack_parent,
+ .irq_retrigger = irq_chip_retrigger_hierarchy,
+ .irq_compose_msi_msg = irq_msi_compose_msg,
++ .irq_set_affinity = msi_set_affinity,
+ .flags = IRQCHIP_SKIP_SET_WAKE,
+ };
+
+@@ -146,6 +266,8 @@ void __init arch_init_msi_domain(struct irq_domain *parent)
+ }
+ if (!msi_default_domain)
+ pr_warn("failed to initialize irqdomain for MSI/MSI-x.\n");
++ else
++ msi_default_domain->flags |= IRQ_DOMAIN_MSI_NOMASK_QUIRK;
+ }
+
+ #ifdef CONFIG_IRQ_REMAP
+diff --git a/arch/x86/kernel/cpu/tsx.c b/arch/x86/kernel/cpu/tsx.c
+index 3e20d322bc98..032509adf9de 100644
+--- a/arch/x86/kernel/cpu/tsx.c
++++ b/arch/x86/kernel/cpu/tsx.c
+@@ -115,11 +115,12 @@ void __init tsx_init(void)
+ tsx_disable();
+
+ /*
+- * tsx_disable() will change the state of the
+- * RTM CPUID bit. Clear it here since it is now
+- * expected to be not set.
++ * tsx_disable() will change the state of the RTM and HLE CPUID
++ * bits. Clear them here since they are now expected to be not
++ * set.
+ */
+ setup_clear_cpu_cap(X86_FEATURE_RTM);
++ setup_clear_cpu_cap(X86_FEATURE_HLE);
+ } else if (tsx_ctrl_state == TSX_CTRL_ENABLE) {
+
+ /*
+@@ -131,10 +132,10 @@ void __init tsx_init(void)
+ tsx_enable();
+
+ /*
+- * tsx_enable() will change the state of the
+- * RTM CPUID bit. Force it here since it is now
+- * expected to be set.
++ * tsx_enable() will change the state of the RTM and HLE CPUID
++ * bits. Force them here since they are now expected to be set.
+ */
+ setup_force_cpu_cap(X86_FEATURE_RTM);
++ setup_force_cpu_cap(X86_FEATURE_HLE);
+ }
+ }
+diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
+index 7ce29cee9f9e..d8673d8a779b 100644
+--- a/arch/x86/kernel/time.c
++++ b/arch/x86/kernel/time.c
+@@ -91,10 +91,18 @@ void __init hpet_time_init(void)
+
+ static __init void x86_late_time_init(void)
+ {
++ /*
++ * Before PIT/HPET init, select the interrupt mode. This is required
++ * to make the decision whether PIT should be initialized correct.
++ */
++ x86_init.irqs.intr_mode_select();
++
++ /* Setup the legacy timers */
+ x86_init.timers.timer_init();
++
+ /*
+- * After PIT/HPET timers init, select and setup
+- * the final interrupt mode for delivering IRQs.
++ * After PIT/HPET timers init, set up the final interrupt mode for
++ * delivering IRQs.
+ */
+ x86_init.irqs.intr_mode_init();
+ tsc_init();
+diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
+index ce89430a7f80..9a89261dcd2a 100644
+--- a/arch/x86/kernel/x86_init.c
++++ b/arch/x86/kernel/x86_init.c
+@@ -80,6 +80,7 @@ struct x86_init_ops x86_init __initdata = {
+ .pre_vector_init = init_ISA_irqs,
+ .intr_init = native_init_IRQ,
+ .trap_init = x86_init_noop,
++ .intr_mode_select = apic_intr_mode_select,
+ .intr_mode_init = apic_intr_mode_init
+ },
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index cf55629ff0ff..50678fe6a504 100644
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -352,6 +352,7 @@ static inline void do_cpuid_7_mask(struct kvm_cpuid_entry2 *entry, int index)
+ unsigned f_umip = kvm_x86_ops->umip_emulated() ? F(UMIP) : 0;
+ unsigned f_intel_pt = kvm_x86_ops->pt_supported() ? F(INTEL_PT) : 0;
+ unsigned f_la57;
++ unsigned f_pku = kvm_x86_ops->pku_supported() ? F(PKU) : 0;
+
+ /* cpuid 7.0.ebx */
+ const u32 kvm_cpuid_7_0_ebx_x86_features =
+@@ -363,7 +364,7 @@ static inline void do_cpuid_7_mask(struct kvm_cpuid_entry2 *entry, int index)
+
+ /* cpuid 7.0.ecx*/
+ const u32 kvm_cpuid_7_0_ecx_x86_features =
+- F(AVX512VBMI) | F(LA57) | F(PKU) | 0 /*OSPKE*/ | F(RDPID) |
++ F(AVX512VBMI) | F(LA57) | 0 /*PKU*/ | 0 /*OSPKE*/ | F(RDPID) |
+ F(AVX512_VPOPCNTDQ) | F(UMIP) | F(AVX512_VBMI2) | F(GFNI) |
+ F(VAES) | F(VPCLMULQDQ) | F(AVX512_VNNI) | F(AVX512_BITALG) |
+ F(CLDEMOTE) | F(MOVDIRI) | F(MOVDIR64B) | 0 /*WAITPKG*/;
+@@ -392,6 +393,7 @@ static inline void do_cpuid_7_mask(struct kvm_cpuid_entry2 *entry, int index)
+ /* Set LA57 based on hardware capability. */
+ entry->ecx |= f_la57;
+ entry->ecx |= f_umip;
++ entry->ecx |= f_pku;
+ /* PKU is not yet implemented for shadow paging. */
+ if (!tdp_enabled || !boot_cpu_has(X86_FEATURE_OSPKE))
+ entry->ecx &= ~F(PKU);
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index 952d1a4f4d7e..3dc25ff95c46 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -22,6 +22,7 @@
+ #include "kvm_cache_regs.h"
+ #include <asm/kvm_emulate.h>
+ #include <linux/stringify.h>
++#include <asm/fpu/api.h>
+ #include <asm/debugreg.h>
+ #include <asm/nospec-branch.h>
+
+@@ -1075,8 +1076,23 @@ static void fetch_register_operand(struct operand *op)
+ }
+ }
+
++static void emulator_get_fpu(void)
++{
++ fpregs_lock();
++
++ fpregs_assert_state_consistent();
++ if (test_thread_flag(TIF_NEED_FPU_LOAD))
++ switch_fpu_return();
++}
++
++static void emulator_put_fpu(void)
++{
++ fpregs_unlock();
++}
++
+ static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
+ {
++ emulator_get_fpu();
+ switch (reg) {
+ case 0: asm("movdqa %%xmm0, %0" : "=m"(*data)); break;
+ case 1: asm("movdqa %%xmm1, %0" : "=m"(*data)); break;
+@@ -1098,11 +1114,13 @@ static void read_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data, int reg)
+ #endif
+ default: BUG();
+ }
++ emulator_put_fpu();
+ }
+
+ static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
+ int reg)
+ {
++ emulator_get_fpu();
+ switch (reg) {
+ case 0: asm("movdqa %0, %%xmm0" : : "m"(*data)); break;
+ case 1: asm("movdqa %0, %%xmm1" : : "m"(*data)); break;
+@@ -1124,10 +1142,12 @@ static void write_sse_reg(struct x86_emulate_ctxt *ctxt, sse128_t *data,
+ #endif
+ default: BUG();
+ }
++ emulator_put_fpu();
+ }
+
+ static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
+ {
++ emulator_get_fpu();
+ switch (reg) {
+ case 0: asm("movq %%mm0, %0" : "=m"(*data)); break;
+ case 1: asm("movq %%mm1, %0" : "=m"(*data)); break;
+@@ -1139,10 +1159,12 @@ static void read_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
+ case 7: asm("movq %%mm7, %0" : "=m"(*data)); break;
+ default: BUG();
+ }
++ emulator_put_fpu();
+ }
+
+ static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
+ {
++ emulator_get_fpu();
+ switch (reg) {
+ case 0: asm("movq %0, %%mm0" : : "m"(*data)); break;
+ case 1: asm("movq %0, %%mm1" : : "m"(*data)); break;
+@@ -1154,6 +1176,7 @@ static void write_mmx_reg(struct x86_emulate_ctxt *ctxt, u64 *data, int reg)
+ case 7: asm("movq %0, %%mm7" : : "m"(*data)); break;
+ default: BUG();
+ }
++ emulator_put_fpu();
+ }
+
+ static int em_fninit(struct x86_emulate_ctxt *ctxt)
+@@ -1161,7 +1184,9 @@ static int em_fninit(struct x86_emulate_ctxt *ctxt)
+ if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
+ return emulate_nm(ctxt);
+
++ emulator_get_fpu();
+ asm volatile("fninit");
++ emulator_put_fpu();
+ return X86EMUL_CONTINUE;
+ }
+
+@@ -1172,7 +1197,9 @@ static int em_fnstcw(struct x86_emulate_ctxt *ctxt)
+ if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
+ return emulate_nm(ctxt);
+
++ emulator_get_fpu();
+ asm volatile("fnstcw %0": "+m"(fcw));
++ emulator_put_fpu();
+
+ ctxt->dst.val = fcw;
+
+@@ -1186,7 +1213,9 @@ static int em_fnstsw(struct x86_emulate_ctxt *ctxt)
+ if (ctxt->ops->get_cr(ctxt, 0) & (X86_CR0_TS | X86_CR0_EM))
+ return emulate_nm(ctxt);
+
++ emulator_get_fpu();
+ asm volatile("fnstsw %0": "+m"(fsw));
++ emulator_put_fpu();
+
+ ctxt->dst.val = fsw;
+
+@@ -4092,8 +4121,12 @@ static int em_fxsave(struct x86_emulate_ctxt *ctxt)
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
++ emulator_get_fpu();
++
+ rc = asm_safe("fxsave %[fx]", , [fx] "+m"(fx_state));
+
++ emulator_put_fpu();
++
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+@@ -4136,6 +4169,8 @@ static int em_fxrstor(struct x86_emulate_ctxt *ctxt)
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
++ emulator_get_fpu();
++
+ if (size < __fxstate_size(16)) {
+ rc = fxregs_fixup(&fx_state, size);
+ if (rc != X86EMUL_CONTINUE)
+@@ -4151,6 +4186,8 @@ static int em_fxrstor(struct x86_emulate_ctxt *ctxt)
+ rc = asm_safe("fxrstor %[fx]", : [fx] "m"(fx_state));
+
+ out:
++ emulator_put_fpu();
++
+ return rc;
+ }
+
+@@ -5210,16 +5247,28 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len)
+ ctxt->ad_bytes = def_ad_bytes ^ 6;
+ break;
+ case 0x26: /* ES override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_ES;
++ break;
+ case 0x2e: /* CS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_CS;
++ break;
+ case 0x36: /* SS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_SS;
++ break;
+ case 0x3e: /* DS override */
+ has_seg_override = true;
+- ctxt->seg_override = (ctxt->b >> 3) & 3;
++ ctxt->seg_override = VCPU_SREG_DS;
+ break;
+ case 0x64: /* FS override */
++ has_seg_override = true;
++ ctxt->seg_override = VCPU_SREG_FS;
++ break;
+ case 0x65: /* GS override */
+ has_seg_override = true;
+- ctxt->seg_override = ctxt->b & 7;
++ ctxt->seg_override = VCPU_SREG_GS;
+ break;
+ case 0x40 ... 0x4f: /* REX */
+ if (mode != X86EMUL_MODE_PROT64)
+@@ -5303,10 +5352,15 @@ done_prefixes:
+ }
+ break;
+ case Escape:
+- if (ctxt->modrm > 0xbf)
+- opcode = opcode.u.esc->high[ctxt->modrm - 0xc0];
+- else
++ if (ctxt->modrm > 0xbf) {
++ size_t size = ARRAY_SIZE(opcode.u.esc->high);
++ u32 index = array_index_nospec(
++ ctxt->modrm - 0xc0, size);
++
++ opcode = opcode.u.esc->high[index];
++ } else {
+ opcode = opcode.u.esc->op[(ctxt->modrm >> 3) & 7];
++ }
+ break;
+ case InstrDual:
+ if ((ctxt->modrm >> 6) == 3)
+@@ -5448,7 +5502,9 @@ static int flush_pending_x87_faults(struct x86_emulate_ctxt *ctxt)
+ {
+ int rc;
+
++ emulator_get_fpu();
+ rc = asm_safe("fwait");
++ emulator_put_fpu();
+
+ if (unlikely(rc != X86EMUL_CONTINUE))
+ return emulate_exception(ctxt, MF_VECTOR, 0, false);
+diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
+index 23ff65504d7e..26408434b9bc 100644
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -809,11 +809,12 @@ static int kvm_hv_msr_get_crash_data(struct kvm_vcpu *vcpu,
+ u32 index, u64 *pdata)
+ {
+ struct kvm_hv *hv = &vcpu->kvm->arch.hyperv;
++ size_t size = ARRAY_SIZE(hv->hv_crash_param);
+
+- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param)))
++ if (WARN_ON_ONCE(index >= size))
+ return -EINVAL;
+
+- *pdata = hv->hv_crash_param[index];
++ *pdata = hv->hv_crash_param[array_index_nospec(index, size)];
+ return 0;
+ }
+
+@@ -852,11 +853,12 @@ static int kvm_hv_msr_set_crash_data(struct kvm_vcpu *vcpu,
+ u32 index, u64 data)
+ {
+ struct kvm_hv *hv = &vcpu->kvm->arch.hyperv;
++ size_t size = ARRAY_SIZE(hv->hv_crash_param);
+
+- if (WARN_ON_ONCE(index >= ARRAY_SIZE(hv->hv_crash_param)))
++ if (WARN_ON_ONCE(index >= size))
+ return -EINVAL;
+
+- hv->hv_crash_param[index] = data;
++ hv->hv_crash_param[array_index_nospec(index, size)] = data;
+ return 0;
+ }
+
+diff --git a/arch/x86/kvm/i8259.c b/arch/x86/kvm/i8259.c
+index 8b38bb4868a6..629a09ca9860 100644
+--- a/arch/x86/kvm/i8259.c
++++ b/arch/x86/kvm/i8259.c
+@@ -460,10 +460,14 @@ static int picdev_write(struct kvm_pic *s,
+ switch (addr) {
+ case 0x20:
+ case 0x21:
++ pic_lock(s);
++ pic_ioport_write(&s->pics[0], addr, data);
++ pic_unlock(s);
++ break;
+ case 0xa0:
+ case 0xa1:
+ pic_lock(s);
+- pic_ioport_write(&s->pics[addr >> 7], addr, data);
++ pic_ioport_write(&s->pics[1], addr, data);
+ pic_unlock(s);
+ break;
+ case 0x4d0:
+diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
+index 9fd2dd89a1c5..8aa58727045e 100644
+--- a/arch/x86/kvm/ioapic.c
++++ b/arch/x86/kvm/ioapic.c
+@@ -36,6 +36,7 @@
+ #include <linux/io.h>
+ #include <linux/slab.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ #include <asm/processor.h>
+ #include <asm/page.h>
+ #include <asm/current.h>
+@@ -68,13 +69,14 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
+ default:
+ {
+ u32 redir_index = (ioapic->ioregsel - 0x10) >> 1;
+- u64 redir_content;
++ u64 redir_content = ~0ULL;
+
+- if (redir_index < IOAPIC_NUM_PINS)
+- redir_content =
+- ioapic->redirtbl[redir_index].bits;
+- else
+- redir_content = ~0ULL;
++ if (redir_index < IOAPIC_NUM_PINS) {
++ u32 index = array_index_nospec(
++ redir_index, IOAPIC_NUM_PINS);
++
++ redir_content = ioapic->redirtbl[index].bits;
++ }
+
+ result = (ioapic->ioregsel & 0x1) ?
+ (redir_content >> 32) & 0xffffffff :
+@@ -292,6 +294,7 @@ static void ioapic_write_indirect(struct kvm_ioapic *ioapic, u32 val)
+
+ if (index >= IOAPIC_NUM_PINS)
+ return;
++ index = array_index_nospec(index, IOAPIC_NUM_PINS);
+ e = &ioapic->redirtbl[index];
+ mask_before = e->fields.mask;
+ /* Preserve read-only fields */
+diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
+index cf9177b4a07f..3323115f52d5 100644
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1963,15 +1963,20 @@ int kvm_lapic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val)
+ case APIC_LVTTHMR:
+ case APIC_LVTPC:
+ case APIC_LVT1:
+- case APIC_LVTERR:
++ case APIC_LVTERR: {
+ /* TODO: Check vector */
++ size_t size;
++ u32 index;
++
+ if (!kvm_apic_sw_enabled(apic))
+ val |= APIC_LVT_MASKED;
+-
+- val &= apic_lvt_mask[(reg - APIC_LVTT) >> 4];
++ size = ARRAY_SIZE(apic_lvt_mask);
++ index = array_index_nospec(
++ (reg - APIC_LVTT) >> 4, size);
++ val &= apic_lvt_mask[index];
+ kvm_lapic_set_reg(apic, reg, val);
+-
+ break;
++ }
+
+ case APIC_LVTT:
+ if (!kvm_apic_sw_enabled(apic))
+diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
+index 6f92b40d798c..d21b69bbd6f4 100644
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -418,22 +418,24 @@ static inline bool is_access_track_spte(u64 spte)
+ * requires a full MMU zap). The flag is instead explicitly queried when
+ * checking for MMIO spte cache hits.
+ */
+-#define MMIO_SPTE_GEN_MASK GENMASK_ULL(18, 0)
++#define MMIO_SPTE_GEN_MASK GENMASK_ULL(17, 0)
+
+ #define MMIO_SPTE_GEN_LOW_START 3
+ #define MMIO_SPTE_GEN_LOW_END 11
+ #define MMIO_SPTE_GEN_LOW_MASK GENMASK_ULL(MMIO_SPTE_GEN_LOW_END, \
+ MMIO_SPTE_GEN_LOW_START)
+
+-#define MMIO_SPTE_GEN_HIGH_START 52
+-#define MMIO_SPTE_GEN_HIGH_END 61
++#define MMIO_SPTE_GEN_HIGH_START PT64_SECOND_AVAIL_BITS_SHIFT
++#define MMIO_SPTE_GEN_HIGH_END 62
+ #define MMIO_SPTE_GEN_HIGH_MASK GENMASK_ULL(MMIO_SPTE_GEN_HIGH_END, \
+ MMIO_SPTE_GEN_HIGH_START)
++
+ static u64 generation_mmio_spte_mask(u64 gen)
+ {
+ u64 mask;
+
+ WARN_ON(gen & ~MMIO_SPTE_GEN_MASK);
++ BUILD_BUG_ON((MMIO_SPTE_GEN_HIGH_MASK | MMIO_SPTE_GEN_LOW_MASK) & SPTE_SPECIAL_MASK);
+
+ mask = (gen << MMIO_SPTE_GEN_LOW_START) & MMIO_SPTE_GEN_LOW_MASK;
+ mask |= (gen << MMIO_SPTE_GEN_HIGH_START) & MMIO_SPTE_GEN_HIGH_MASK;
+@@ -444,8 +446,6 @@ static u64 get_mmio_spte_generation(u64 spte)
+ {
+ u64 gen;
+
+- spte &= ~shadow_mmio_mask;
+-
+ gen = (spte & MMIO_SPTE_GEN_LOW_MASK) >> MMIO_SPTE_GEN_LOW_START;
+ gen |= (spte & MMIO_SPTE_GEN_HIGH_MASK) >> MMIO_SPTE_GEN_HIGH_START;
+ return gen;
+@@ -538,16 +538,20 @@ EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes);
+ static u8 kvm_get_shadow_phys_bits(void)
+ {
+ /*
+- * boot_cpu_data.x86_phys_bits is reduced when MKTME is detected
+- * in CPU detection code, but MKTME treats those reduced bits as
+- * 'keyID' thus they are not reserved bits. Therefore for MKTME
+- * we should still return physical address bits reported by CPUID.
++ * boot_cpu_data.x86_phys_bits is reduced when MKTME or SME are detected
++ * in CPU detection code, but the processor treats those reduced bits as
++ * 'keyID' thus they are not reserved bits. Therefore KVM needs to look at
++ * the physical address bits reported by CPUID.
+ */
+- if (!boot_cpu_has(X86_FEATURE_TME) ||
+- WARN_ON_ONCE(boot_cpu_data.extended_cpuid_level < 0x80000008))
+- return boot_cpu_data.x86_phys_bits;
++ if (likely(boot_cpu_data.extended_cpuid_level >= 0x80000008))
++ return cpuid_eax(0x80000008) & 0xff;
+
+- return cpuid_eax(0x80000008) & 0xff;
++ /*
++ * Quite weird to have VMX or SVM but not MAXPHYADDR; probably a VM with
++ * custom CPUID. Proceed with whatever the kernel found since these features
++ * aren't virtualizable (SME/SEV also require CPUIDs higher than 0x80000008).
++ */
++ return boot_cpu_data.x86_phys_bits;
+ }
+
+ static void kvm_mmu_reset_all_pte_masks(void)
+@@ -1282,12 +1286,12 @@ static bool mmu_gfn_lpage_is_disallowed(struct kvm_vcpu *vcpu, gfn_t gfn,
+ return __mmu_gfn_lpage_is_disallowed(gfn, level, slot);
+ }
+
+-static int host_mapping_level(struct kvm *kvm, gfn_t gfn)
++static int host_mapping_level(struct kvm_vcpu *vcpu, gfn_t gfn)
+ {
+ unsigned long page_size;
+ int i, ret = 0;
+
+- page_size = kvm_host_page_size(kvm, gfn);
++ page_size = kvm_host_page_size(vcpu, gfn);
+
+ for (i = PT_PAGE_TABLE_LEVEL; i <= PT_MAX_HUGEPAGE_LEVEL; ++i) {
+ if (page_size >= KVM_HPAGE_SIZE(i))
+@@ -1337,7 +1341,7 @@ static int mapping_level(struct kvm_vcpu *vcpu, gfn_t large_gfn,
+ if (unlikely(*force_pt_level))
+ return PT_PAGE_TABLE_LEVEL;
+
+- host_level = host_mapping_level(vcpu->kvm, large_gfn);
++ host_level = host_mapping_level(vcpu, large_gfn);
+
+ if (host_level == PT_PAGE_TABLE_LEVEL)
+ return host_level;
+@@ -3528,7 +3532,7 @@ static bool is_access_allowed(u32 fault_err_code, u64 spte)
+ * - true: let the vcpu to access on the same address again.
+ * - false: let the real page fault path to fix it.
+ */
+-static bool fast_page_fault(struct kvm_vcpu *vcpu, gva_t gva, int level,
++static bool fast_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, int level,
+ u32 error_code)
+ {
+ struct kvm_shadow_walk_iterator iterator;
+@@ -3548,7 +3552,7 @@ static bool fast_page_fault(struct kvm_vcpu *vcpu, gva_t gva, int level,
+ do {
+ u64 new_spte;
+
+- for_each_shadow_entry_lockless(vcpu, gva, iterator, spte)
++ for_each_shadow_entry_lockless(vcpu, cr2_or_gpa, iterator, spte)
+ if (!is_shadow_present_pte(spte) ||
+ iterator.level < level)
+ break;
+@@ -3626,7 +3630,7 @@ static bool fast_page_fault(struct kvm_vcpu *vcpu, gva_t gva, int level,
+
+ } while (true);
+
+- trace_fast_page_fault(vcpu, gva, error_code, iterator.sptep,
++ trace_fast_page_fault(vcpu, cr2_or_gpa, error_code, iterator.sptep,
+ spte, fault_handled);
+ walk_shadow_page_lockless_end(vcpu);
+
+@@ -3634,10 +3638,11 @@ static bool fast_page_fault(struct kvm_vcpu *vcpu, gva_t gva, int level,
+ }
+
+ static bool try_async_pf(struct kvm_vcpu *vcpu, bool prefault, gfn_t gfn,
+- gva_t gva, kvm_pfn_t *pfn, bool write, bool *writable);
++ gpa_t cr2_or_gpa, kvm_pfn_t *pfn, bool write,
++ bool *writable);
+ static int make_mmu_pages_available(struct kvm_vcpu *vcpu);
+
+-static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
++static int nonpaging_map(struct kvm_vcpu *vcpu, gpa_t gpa, u32 error_code,
+ gfn_t gfn, bool prefault)
+ {
+ int r;
+@@ -3663,16 +3668,16 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
+ gfn &= ~(KVM_PAGES_PER_HPAGE(level) - 1);
+ }
+
+- if (fast_page_fault(vcpu, v, level, error_code))
++ if (fast_page_fault(vcpu, gpa, level, error_code))
+ return RET_PF_RETRY;
+
+ mmu_seq = vcpu->kvm->mmu_notifier_seq;
+ smp_rmb();
+
+- if (try_async_pf(vcpu, prefault, gfn, v, &pfn, write, &map_writable))
++ if (try_async_pf(vcpu, prefault, gfn, gpa, &pfn, write, &map_writable))
+ return RET_PF_RETRY;
+
+- if (handle_abnormal_pfn(vcpu, v, gfn, pfn, ACC_ALL, &r))
++ if (handle_abnormal_pfn(vcpu, gpa, gfn, pfn, ACC_ALL, &r))
+ return r;
+
+ r = RET_PF_RETRY;
+@@ -3683,7 +3688,7 @@ static int nonpaging_map(struct kvm_vcpu *vcpu, gva_t v, u32 error_code,
+ goto out_unlock;
+ if (likely(!force_pt_level))
+ transparent_hugepage_adjust(vcpu, gfn, &pfn, &level);
+- r = __direct_map(vcpu, v, write, map_writable, level, pfn,
++ r = __direct_map(vcpu, gpa, write, map_writable, level, pfn,
+ prefault, false);
+ out_unlock:
+ spin_unlock(&vcpu->kvm->mmu_lock);
+@@ -3981,7 +3986,7 @@ void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu)
+ }
+ EXPORT_SYMBOL_GPL(kvm_mmu_sync_roots);
+
+-static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr,
++static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gpa_t vaddr,
+ u32 access, struct x86_exception *exception)
+ {
+ if (exception)
+@@ -3989,7 +3994,7 @@ static gpa_t nonpaging_gva_to_gpa(struct kvm_vcpu *vcpu, gva_t vaddr,
+ return vaddr;
+ }
+
+-static gpa_t nonpaging_gva_to_gpa_nested(struct kvm_vcpu *vcpu, gva_t vaddr,
++static gpa_t nonpaging_gva_to_gpa_nested(struct kvm_vcpu *vcpu, gpa_t vaddr,
+ u32 access,
+ struct x86_exception *exception)
+ {
+@@ -4149,13 +4154,14 @@ static void shadow_page_table_clear_flood(struct kvm_vcpu *vcpu, gva_t addr)
+ walk_shadow_page_lockless_end(vcpu);
+ }
+
+-static int nonpaging_page_fault(struct kvm_vcpu *vcpu, gva_t gva,
++static int nonpaging_page_fault(struct kvm_vcpu *vcpu, gpa_t gpa,
+ u32 error_code, bool prefault)
+ {
+- gfn_t gfn = gva >> PAGE_SHIFT;
++ gfn_t gfn = gpa >> PAGE_SHIFT;
+ int r;
+
+- pgprintk("%s: gva %lx error %x\n", __func__, gva, error_code);
++ /* Note, paging is disabled, ergo gva == gpa. */
++ pgprintk("%s: gva %lx error %x\n", __func__, gpa, error_code);
+
+ if (page_fault_handle_page_track(vcpu, error_code, gfn))
+ return RET_PF_EMULATE;
+@@ -4167,11 +4173,12 @@ static int nonpaging_page_fault(struct kvm_vcpu *vcpu, gva_t gva,
+ MMU_WARN_ON(!VALID_PAGE(vcpu->arch.mmu->root_hpa));
+
+
+- return nonpaging_map(vcpu, gva & PAGE_MASK,
++ return nonpaging_map(vcpu, gpa & PAGE_MASK,
+ error_code, gfn, prefault);
+ }
+
+-static int kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn)
++static int kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
++ gfn_t gfn)
+ {
+ struct kvm_arch_async_pf arch;
+
+@@ -4180,11 +4187,13 @@ static int kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn)
+ arch.direct_map = vcpu->arch.mmu->direct_map;
+ arch.cr3 = vcpu->arch.mmu->get_cr3(vcpu);
+
+- return kvm_setup_async_pf(vcpu, gva, kvm_vcpu_gfn_to_hva(vcpu, gfn), &arch);
++ return kvm_setup_async_pf(vcpu, cr2_or_gpa,
++ kvm_vcpu_gfn_to_hva(vcpu, gfn), &arch);
+ }
+
+ static bool try_async_pf(struct kvm_vcpu *vcpu, bool prefault, gfn_t gfn,
+- gva_t gva, kvm_pfn_t *pfn, bool write, bool *writable)
++ gpa_t cr2_or_gpa, kvm_pfn_t *pfn, bool write,
++ bool *writable)
+ {
+ struct kvm_memory_slot *slot;
+ bool async;
+@@ -4204,12 +4213,12 @@ static bool try_async_pf(struct kvm_vcpu *vcpu, bool prefault, gfn_t gfn,
+ return false; /* *pfn has correct page already */
+
+ if (!prefault && kvm_can_do_async_pf(vcpu)) {
+- trace_kvm_try_async_get_page(gva, gfn);
++ trace_kvm_try_async_get_page(cr2_or_gpa, gfn);
+ if (kvm_find_async_pf_gfn(vcpu, gfn)) {
+- trace_kvm_async_pf_doublefault(gva, gfn);
++ trace_kvm_async_pf_doublefault(cr2_or_gpa, gfn);
+ kvm_make_request(KVM_REQ_APF_HALT, vcpu);
+ return true;
+- } else if (kvm_arch_setup_async_pf(vcpu, gva, gfn))
++ } else if (kvm_arch_setup_async_pf(vcpu, cr2_or_gpa, gfn))
+ return true;
+ }
+
+@@ -4222,6 +4231,12 @@ int kvm_handle_page_fault(struct kvm_vcpu *vcpu, u64 error_code,
+ {
+ int r = 1;
+
++#ifndef CONFIG_X86_64
++ /* A 64-bit CR2 should be impossible on 32-bit KVM. */
++ if (WARN_ON_ONCE(fault_address >> 32))
++ return -EFAULT;
++#endif
++
+ vcpu->arch.l1tf_flush_l1d = true;
+ switch (vcpu->arch.apf.host_apf_reason) {
+ default:
+@@ -4259,7 +4274,7 @@ check_hugepage_cache_consistency(struct kvm_vcpu *vcpu, gfn_t gfn, int level)
+ return kvm_mtrr_check_gfn_range_consistency(vcpu, gfn, page_num);
+ }
+
+-static int tdp_page_fault(struct kvm_vcpu *vcpu, gva_t gpa, u32 error_code,
++static int tdp_page_fault(struct kvm_vcpu *vcpu, gpa_t gpa, u32 error_code,
+ bool prefault)
+ {
+ kvm_pfn_t pfn;
+@@ -5516,7 +5531,7 @@ static int make_mmu_pages_available(struct kvm_vcpu *vcpu)
+ return 0;
+ }
+
+-int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
++int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code,
+ void *insn, int insn_len)
+ {
+ int r, emulation_type = 0;
+@@ -5525,18 +5540,18 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
+ /* With shadow page tables, fault_address contains a GVA or nGPA. */
+ if (vcpu->arch.mmu->direct_map) {
+ vcpu->arch.gpa_available = true;
+- vcpu->arch.gpa_val = cr2;
++ vcpu->arch.gpa_val = cr2_or_gpa;
+ }
+
+ r = RET_PF_INVALID;
+ if (unlikely(error_code & PFERR_RSVD_MASK)) {
+- r = handle_mmio_page_fault(vcpu, cr2, direct);
++ r = handle_mmio_page_fault(vcpu, cr2_or_gpa, direct);
+ if (r == RET_PF_EMULATE)
+ goto emulate;
+ }
+
+ if (r == RET_PF_INVALID) {
+- r = vcpu->arch.mmu->page_fault(vcpu, cr2,
++ r = vcpu->arch.mmu->page_fault(vcpu, cr2_or_gpa,
+ lower_32_bits(error_code),
+ false);
+ WARN_ON(r == RET_PF_INVALID);
+@@ -5556,7 +5571,7 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
+ */
+ if (vcpu->arch.mmu->direct_map &&
+ (error_code & PFERR_NESTED_GUEST_PAGE) == PFERR_NESTED_GUEST_PAGE) {
+- kvm_mmu_unprotect_page(vcpu->kvm, gpa_to_gfn(cr2));
++ kvm_mmu_unprotect_page(vcpu->kvm, gpa_to_gfn(cr2_or_gpa));
+ return 1;
+ }
+
+@@ -5571,7 +5586,7 @@ int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gva_t cr2, u64 error_code,
+ * explicitly shadowing L1's page tables, i.e. unprotecting something
+ * for L1 isn't going to magically fix whatever issue cause L2 to fail.
+ */
+- if (!mmio_info_in_cache(vcpu, cr2, direct) && !is_guest_mode(vcpu))
++ if (!mmio_info_in_cache(vcpu, cr2_or_gpa, direct) && !is_guest_mode(vcpu))
+ emulation_type = EMULTYPE_ALLOW_RETRY;
+ emulate:
+ /*
+@@ -5586,7 +5601,7 @@ emulate:
+ return 1;
+ }
+
+- return x86_emulate_instruction(vcpu, cr2, emulation_type, insn,
++ return x86_emulate_instruction(vcpu, cr2_or_gpa, emulation_type, insn,
+ insn_len);
+ }
+ EXPORT_SYMBOL_GPL(kvm_mmu_page_fault);
+@@ -6249,7 +6264,7 @@ static void kvm_set_mmio_spte_mask(void)
+ * If reserved bit is not supported, clear the present bit to disable
+ * mmio page fault.
+ */
+- if (IS_ENABLED(CONFIG_X86_64) && shadow_phys_bits == 52)
++ if (shadow_phys_bits == 52)
+ mask &= ~1ull;
+
+ kvm_mmu_set_mmio_spte_mask(mask, mask, ACC_WRITE_MASK | ACC_USER_MASK);
+diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
+index 97b21e7fd013..c1d7b866a03f 100644
+--- a/arch/x86/kvm/mmu/paging_tmpl.h
++++ b/arch/x86/kvm/mmu/paging_tmpl.h
+@@ -291,11 +291,11 @@ static inline unsigned FNAME(gpte_pkeys)(struct kvm_vcpu *vcpu, u64 gpte)
+ }
+
+ /*
+- * Fetch a guest pte for a guest virtual address
++ * Fetch a guest pte for a guest virtual address, or for an L2's GPA.
+ */
+ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
+ struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
+- gva_t addr, u32 access)
++ gpa_t addr, u32 access)
+ {
+ int ret;
+ pt_element_t pte;
+@@ -496,7 +496,7 @@ error:
+ }
+
+ static int FNAME(walk_addr)(struct guest_walker *walker,
+- struct kvm_vcpu *vcpu, gva_t addr, u32 access)
++ struct kvm_vcpu *vcpu, gpa_t addr, u32 access)
+ {
+ return FNAME(walk_addr_generic)(walker, vcpu, vcpu->arch.mmu, addr,
+ access);
+@@ -611,7 +611,7 @@ static void FNAME(pte_prefetch)(struct kvm_vcpu *vcpu, struct guest_walker *gw,
+ * If the guest tries to write a write-protected page, we need to
+ * emulate this operation, return 1 to indicate this case.
+ */
+-static int FNAME(fetch)(struct kvm_vcpu *vcpu, gva_t addr,
++static int FNAME(fetch)(struct kvm_vcpu *vcpu, gpa_t addr,
+ struct guest_walker *gw,
+ int write_fault, int hlevel,
+ kvm_pfn_t pfn, bool map_writable, bool prefault,
+@@ -765,7 +765,7 @@ FNAME(is_self_change_mapping)(struct kvm_vcpu *vcpu,
+ * Returns: 1 if we need to emulate the instruction, 0 otherwise, or
+ * a negative value on error.
+ */
+-static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gva_t addr, u32 error_code,
++static int FNAME(page_fault)(struct kvm_vcpu *vcpu, gpa_t addr, u32 error_code,
+ bool prefault)
+ {
+ int write_fault = error_code & PFERR_WRITE_MASK;
+@@ -945,18 +945,19 @@ static void FNAME(invlpg)(struct kvm_vcpu *vcpu, gva_t gva, hpa_t root_hpa)
+ spin_unlock(&vcpu->kvm->mmu_lock);
+ }
+
+-static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t vaddr, u32 access,
++/* Note, @addr is a GPA when gva_to_gpa() translates an L2 GPA to an L1 GPA. */
++static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, gpa_t addr, u32 access,
+ struct x86_exception *exception)
+ {
+ struct guest_walker walker;
+ gpa_t gpa = UNMAPPED_GVA;
+ int r;
+
+- r = FNAME(walk_addr)(&walker, vcpu, vaddr, access);
++ r = FNAME(walk_addr)(&walker, vcpu, addr, access);
+
+ if (r) {
+ gpa = gfn_to_gpa(walker.gfn);
+- gpa |= vaddr & ~PAGE_MASK;
++ gpa |= addr & ~PAGE_MASK;
+ } else if (exception)
+ *exception = walker.fault;
+
+@@ -964,7 +965,8 @@ static gpa_t FNAME(gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t vaddr, u32 access,
+ }
+
+ #if PTTYPE != PTTYPE_EPT
+-static gpa_t FNAME(gva_to_gpa_nested)(struct kvm_vcpu *vcpu, gva_t vaddr,
++/* Note, gva_to_gpa_nested() is only used to translate L2 GVAs. */
++static gpa_t FNAME(gva_to_gpa_nested)(struct kvm_vcpu *vcpu, gpa_t vaddr,
+ u32 access,
+ struct x86_exception *exception)
+ {
+@@ -972,6 +974,11 @@ static gpa_t FNAME(gva_to_gpa_nested)(struct kvm_vcpu *vcpu, gva_t vaddr,
+ gpa_t gpa = UNMAPPED_GVA;
+ int r;
+
++#ifndef CONFIG_X86_64
++ /* A 64-bit GVA should be impossible on 32-bit KVM. */
++ WARN_ON_ONCE(vaddr >> 32);
++#endif
++
+ r = FNAME(walk_addr_nested)(&walker, vcpu, vaddr, access);
+
+ if (r) {
+diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h
+index 7ca8831c7d1a..3c6522b84ff1 100644
+--- a/arch/x86/kvm/mmutrace.h
++++ b/arch/x86/kvm/mmutrace.h
+@@ -249,13 +249,13 @@ TRACE_EVENT(
+
+ TRACE_EVENT(
+ fast_page_fault,
+- TP_PROTO(struct kvm_vcpu *vcpu, gva_t gva, u32 error_code,
++ TP_PROTO(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u32 error_code,
+ u64 *sptep, u64 old_spte, bool retry),
+- TP_ARGS(vcpu, gva, error_code, sptep, old_spte, retry),
++ TP_ARGS(vcpu, cr2_or_gpa, error_code, sptep, old_spte, retry),
+
+ TP_STRUCT__entry(
+ __field(int, vcpu_id)
+- __field(gva_t, gva)
++ __field(gpa_t, cr2_or_gpa)
+ __field(u32, error_code)
+ __field(u64 *, sptep)
+ __field(u64, old_spte)
+@@ -265,7 +265,7 @@ TRACE_EVENT(
+
+ TP_fast_assign(
+ __entry->vcpu_id = vcpu->vcpu_id;
+- __entry->gva = gva;
++ __entry->cr2_or_gpa = cr2_or_gpa;
+ __entry->error_code = error_code;
+ __entry->sptep = sptep;
+ __entry->old_spte = old_spte;
+@@ -273,9 +273,9 @@ TRACE_EVENT(
+ __entry->retry = retry;
+ ),
+
+- TP_printk("vcpu %d gva %lx error_code %s sptep %p old %#llx"
++ TP_printk("vcpu %d gva %llx error_code %s sptep %p old %#llx"
+ " new %llx spurious %d fixed %d", __entry->vcpu_id,
+- __entry->gva, __print_flags(__entry->error_code, "|",
++ __entry->cr2_or_gpa, __print_flags(__entry->error_code, "|",
+ kvm_mmu_trace_pferr_flags), __entry->sptep,
+ __entry->old_spte, __entry->new_spte,
+ __spte_satisfied(old_spte), __spte_satisfied(new_spte)
+diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
+index 25ce3edd1872..7f0059aa30e1 100644
+--- a/arch/x86/kvm/mtrr.c
++++ b/arch/x86/kvm/mtrr.c
+@@ -192,11 +192,15 @@ static bool fixed_msr_to_seg_unit(u32 msr, int *seg, int *unit)
+ break;
+ case MSR_MTRRfix16K_80000 ... MSR_MTRRfix16K_A0000:
+ *seg = 1;
+- *unit = msr - MSR_MTRRfix16K_80000;
++ *unit = array_index_nospec(
++ msr - MSR_MTRRfix16K_80000,
++ MSR_MTRRfix16K_A0000 - MSR_MTRRfix16K_80000 + 1);
+ break;
+ case MSR_MTRRfix4K_C0000 ... MSR_MTRRfix4K_F8000:
+ *seg = 2;
+- *unit = msr - MSR_MTRRfix4K_C0000;
++ *unit = array_index_nospec(
++ msr - MSR_MTRRfix4K_C0000,
++ MSR_MTRRfix4K_F8000 - MSR_MTRRfix4K_C0000 + 1);
+ break;
+ default:
+ return false;
+diff --git a/arch/x86/kvm/pmu.h b/arch/x86/kvm/pmu.h
+index 7ebb62326c14..13332984b6d5 100644
+--- a/arch/x86/kvm/pmu.h
++++ b/arch/x86/kvm/pmu.h
+@@ -2,6 +2,8 @@
+ #ifndef __KVM_X86_PMU_H
+ #define __KVM_X86_PMU_H
+
++#include <linux/nospec.h>
++
+ #define vcpu_to_pmu(vcpu) (&(vcpu)->arch.pmu)
+ #define pmu_to_vcpu(pmu) (container_of((pmu), struct kvm_vcpu, arch.pmu))
+ #define pmc_to_pmu(pmc) (&(pmc)->vcpu->arch.pmu)
+@@ -102,8 +104,12 @@ static inline bool kvm_valid_perf_global_ctrl(struct kvm_pmu *pmu,
+ static inline struct kvm_pmc *get_gp_pmc(struct kvm_pmu *pmu, u32 msr,
+ u32 base)
+ {
+- if (msr >= base && msr < base + pmu->nr_arch_gp_counters)
+- return &pmu->gp_counters[msr - base];
++ if (msr >= base && msr < base + pmu->nr_arch_gp_counters) {
++ u32 index = array_index_nospec(msr - base,
++ pmu->nr_arch_gp_counters);
++
++ return &pmu->gp_counters[index];
++ }
+
+ return NULL;
+ }
+@@ -113,8 +119,12 @@ static inline struct kvm_pmc *get_fixed_pmc(struct kvm_pmu *pmu, u32 msr)
+ {
+ int base = MSR_CORE_PERF_FIXED_CTR0;
+
+- if (msr >= base && msr < base + pmu->nr_arch_fixed_counters)
+- return &pmu->fixed_counters[msr - base];
++ if (msr >= base && msr < base + pmu->nr_arch_fixed_counters) {
++ u32 index = array_index_nospec(msr - base,
++ pmu->nr_arch_fixed_counters);
++
++ return &pmu->fixed_counters[index];
++ }
+
+ return NULL;
+ }
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 122d4ce3b1ab..8b0620f3aed6 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -6001,6 +6001,11 @@ static bool svm_has_wbinvd_exit(void)
+ return true;
+ }
+
++static bool svm_pku_supported(void)
++{
++ return false;
++}
++
+ #define PRE_EX(exit) { .exit_code = (exit), \
+ .stage = X86_ICPT_PRE_EXCEPT, }
+ #define POST_EX(exit) { .exit_code = (exit), \
+@@ -7341,6 +7346,7 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
+ .xsaves_supported = svm_xsaves_supported,
+ .umip_emulated = svm_umip_emulated,
+ .pt_supported = svm_pt_supported,
++ .pku_supported = svm_pku_supported,
+
+ .set_supported_cpuid = svm_set_supported_cpuid,
+
+diff --git a/arch/x86/kvm/vmx/capabilities.h b/arch/x86/kvm/vmx/capabilities.h
+index 7aa69716d516..283bdb7071af 100644
+--- a/arch/x86/kvm/vmx/capabilities.h
++++ b/arch/x86/kvm/vmx/capabilities.h
+@@ -145,6 +145,11 @@ static inline bool vmx_umip_emulated(void)
+ SECONDARY_EXEC_DESC;
+ }
+
++static inline bool vmx_pku_supported(void)
++{
++ return boot_cpu_has(X86_FEATURE_PKU);
++}
++
+ static inline bool cpu_has_vmx_rdtscp(void)
+ {
+ return vmcs_config.cpu_based_2nd_exec_ctrl &
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 4aea7d304beb..5bfa8228f0c7 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -4807,8 +4807,10 @@ static int handle_vmread(struct kvm_vcpu *vcpu)
+ vmx_instruction_info, true, len, &gva))
+ return 1;
+ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
+- if (kvm_write_guest_virt_system(vcpu, gva, &field_value, len, &e))
++ if (kvm_write_guest_virt_system(vcpu, gva, &field_value, len, &e)) {
+ kvm_inject_page_fault(vcpu, &e);
++ return 1;
++ }
+ }
+
+ return nested_vmx_succeed(vcpu);
+diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c
+index 7023138b1cb0..34a3a17bb6d7 100644
+--- a/arch/x86/kvm/vmx/pmu_intel.c
++++ b/arch/x86/kvm/vmx/pmu_intel.c
+@@ -86,10 +86,14 @@ static unsigned intel_find_arch_event(struct kvm_pmu *pmu,
+
+ static unsigned intel_find_fixed_event(int idx)
+ {
+- if (idx >= ARRAY_SIZE(fixed_pmc_events))
++ u32 event;
++ size_t size = ARRAY_SIZE(fixed_pmc_events);
++
++ if (idx >= size)
+ return PERF_COUNT_HW_MAX;
+
+- return intel_arch_events[fixed_pmc_events[idx]].event_type;
++ event = fixed_pmc_events[array_index_nospec(idx, size)];
++ return intel_arch_events[event].event_type;
+ }
+
+ /* check if a PMC is enabled by comparing it with globl_ctrl bits. */
+@@ -130,16 +134,20 @@ static struct kvm_pmc *intel_rdpmc_ecx_to_pmc(struct kvm_vcpu *vcpu,
+ struct kvm_pmu *pmu = vcpu_to_pmu(vcpu);
+ bool fixed = idx & (1u << 30);
+ struct kvm_pmc *counters;
++ unsigned int num_counters;
+
+ idx &= ~(3u << 30);
+- if (!fixed && idx >= pmu->nr_arch_gp_counters)
+- return NULL;
+- if (fixed && idx >= pmu->nr_arch_fixed_counters)
++ if (fixed) {
++ counters = pmu->fixed_counters;
++ num_counters = pmu->nr_arch_fixed_counters;
++ } else {
++ counters = pmu->gp_counters;
++ num_counters = pmu->nr_arch_gp_counters;
++ }
++ if (idx >= num_counters)
+ return NULL;
+- counters = fixed ? pmu->fixed_counters : pmu->gp_counters;
+ *mask &= pmu->counter_bitmask[fixed ? KVM_PMC_FIXED : KVM_PMC_GP];
+-
+- return &counters[idx];
++ return &counters[array_index_nospec(idx, num_counters)];
+ }
+
+ static bool intel_is_valid_msr(struct kvm_vcpu *vcpu, u32 msr)
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index e3394c839dea..78e01e2524bc 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -2146,6 +2146,8 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ (index >= 2 * intel_pt_validate_cap(vmx->pt_desc.caps,
+ PT_CAP_num_address_ranges)))
+ return 1;
++ if (is_noncanonical_address(data, vcpu))
++ return 1;
+ if (index % 2)
+ vmx->pt_desc.guest.addr_b[index / 2] = data;
+ else
+@@ -5902,34 +5904,39 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
+ }
+ }
+
+- if (exit_reason < kvm_vmx_max_exit_handlers
+- && kvm_vmx_exit_handlers[exit_reason]) {
++ if (exit_reason >= kvm_vmx_max_exit_handlers)
++ goto unexpected_vmexit;
+ #ifdef CONFIG_RETPOLINE
+- if (exit_reason == EXIT_REASON_MSR_WRITE)
+- return kvm_emulate_wrmsr(vcpu);
+- else if (exit_reason == EXIT_REASON_PREEMPTION_TIMER)
+- return handle_preemption_timer(vcpu);
+- else if (exit_reason == EXIT_REASON_PENDING_INTERRUPT)
+- return handle_interrupt_window(vcpu);
+- else if (exit_reason == EXIT_REASON_EXTERNAL_INTERRUPT)
+- return handle_external_interrupt(vcpu);
+- else if (exit_reason == EXIT_REASON_HLT)
+- return kvm_emulate_halt(vcpu);
+- else if (exit_reason == EXIT_REASON_EPT_MISCONFIG)
+- return handle_ept_misconfig(vcpu);
++ if (exit_reason == EXIT_REASON_MSR_WRITE)
++ return kvm_emulate_wrmsr(vcpu);
++ else if (exit_reason == EXIT_REASON_PREEMPTION_TIMER)
++ return handle_preemption_timer(vcpu);
++ else if (exit_reason == EXIT_REASON_PENDING_INTERRUPT)
++ return handle_interrupt_window(vcpu);
++ else if (exit_reason == EXIT_REASON_EXTERNAL_INTERRUPT)
++ return handle_external_interrupt(vcpu);
++ else if (exit_reason == EXIT_REASON_HLT)
++ return kvm_emulate_halt(vcpu);
++ else if (exit_reason == EXIT_REASON_EPT_MISCONFIG)
++ return handle_ept_misconfig(vcpu);
+ #endif
+- return kvm_vmx_exit_handlers[exit_reason](vcpu);
+- } else {
+- vcpu_unimpl(vcpu, "vmx: unexpected exit reason 0x%x\n",
+- exit_reason);
+- dump_vmcs();
+- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
+- vcpu->run->internal.suberror =
++
++ exit_reason = array_index_nospec(exit_reason,
++ kvm_vmx_max_exit_handlers);
++ if (!kvm_vmx_exit_handlers[exit_reason])
++ goto unexpected_vmexit;
++
++ return kvm_vmx_exit_handlers[exit_reason](vcpu);
++
++unexpected_vmexit:
++ vcpu_unimpl(vcpu, "vmx: unexpected exit reason 0x%x\n", exit_reason);
++ dump_vmcs();
++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
++ vcpu->run->internal.suberror =
+ KVM_INTERNAL_ERROR_UNEXPECTED_EXIT_REASON;
+- vcpu->run->internal.ndata = 1;
+- vcpu->run->internal.data[0] = exit_reason;
+- return 0;
+- }
++ vcpu->run->internal.ndata = 1;
++ vcpu->run->internal.data[0] = exit_reason;
++ return 0;
+ }
+
+ /*
+@@ -7870,6 +7877,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = {
+ .xsaves_supported = vmx_xsaves_supported,
+ .umip_emulated = vmx_umip_emulated,
+ .pt_supported = vmx_pt_supported,
++ .pku_supported = vmx_pku_supported,
+
+ .request_immediate_exit = vmx_request_immediate_exit,
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index cf917139de6b..d744c1bf4dc8 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -93,6 +93,8 @@ u64 __read_mostly efer_reserved_bits = ~((u64)(EFER_SCE | EFER_LME | EFER_LMA));
+ static u64 __read_mostly efer_reserved_bits = ~((u64)EFER_SCE);
+ #endif
+
++static u64 __read_mostly cr4_reserved_bits = CR4_RESERVED_BITS;
++
+ #define VM_STAT(x, ...) offsetof(struct kvm, stat.x), KVM_STAT_VM, ## __VA_ARGS__
+ #define VCPU_STAT(x, ...) offsetof(struct kvm_vcpu, stat.x), KVM_STAT_VCPU, ## __VA_ARGS__
+
+@@ -879,9 +881,38 @@ int kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr)
+ }
+ EXPORT_SYMBOL_GPL(kvm_set_xcr);
+
++static u64 kvm_host_cr4_reserved_bits(struct cpuinfo_x86 *c)
++{
++ u64 reserved_bits = CR4_RESERVED_BITS;
++
++ if (!cpu_has(c, X86_FEATURE_XSAVE))
++ reserved_bits |= X86_CR4_OSXSAVE;
++
++ if (!cpu_has(c, X86_FEATURE_SMEP))
++ reserved_bits |= X86_CR4_SMEP;
++
++ if (!cpu_has(c, X86_FEATURE_SMAP))
++ reserved_bits |= X86_CR4_SMAP;
++
++ if (!cpu_has(c, X86_FEATURE_FSGSBASE))
++ reserved_bits |= X86_CR4_FSGSBASE;
++
++ if (!cpu_has(c, X86_FEATURE_PKU))
++ reserved_bits |= X86_CR4_PKE;
++
++ if (!cpu_has(c, X86_FEATURE_LA57) &&
++ !(cpuid_ecx(0x7) & bit(X86_FEATURE_LA57)))
++ reserved_bits |= X86_CR4_LA57;
++
++ if (!cpu_has(c, X86_FEATURE_UMIP) && !kvm_x86_ops->umip_emulated())
++ reserved_bits |= X86_CR4_UMIP;
++
++ return reserved_bits;
++}
++
+ static int kvm_valid_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+- if (cr4 & CR4_RESERVED_BITS)
++ if (cr4 & cr4_reserved_bits)
+ return -EINVAL;
+
+ if (!guest_cpuid_has(vcpu, X86_FEATURE_XSAVE) && (cr4 & X86_CR4_OSXSAVE))
+@@ -1047,9 +1078,11 @@ static u64 kvm_dr6_fixed(struct kvm_vcpu *vcpu)
+
+ static int __kvm_set_dr(struct kvm_vcpu *vcpu, int dr, unsigned long val)
+ {
++ size_t size = ARRAY_SIZE(vcpu->arch.db);
++
+ switch (dr) {
+ case 0 ... 3:
+- vcpu->arch.db[dr] = val;
++ vcpu->arch.db[array_index_nospec(dr, size)] = val;
+ if (!(vcpu->guest_debug & KVM_GUESTDBG_USE_HW_BP))
+ vcpu->arch.eff_db[dr] = val;
+ break;
+@@ -1086,9 +1119,11 @@ EXPORT_SYMBOL_GPL(kvm_set_dr);
+
+ int kvm_get_dr(struct kvm_vcpu *vcpu, int dr, unsigned long *val)
+ {
++ size_t size = ARRAY_SIZE(vcpu->arch.db);
++
+ switch (dr) {
+ case 0 ... 3:
+- *val = vcpu->arch.db[dr];
++ *val = vcpu->arch.db[array_index_nospec(dr, size)];
+ break;
+ case 4:
+ /* fall through */
+@@ -1545,6 +1580,8 @@ struct pvclock_clock {
+ u64 mask;
+ u32 mult;
+ u32 shift;
++ u64 base_cycles;
++ u64 offset;
+ };
+
+ struct pvclock_gtod_data {
+@@ -1553,11 +1590,8 @@ struct pvclock_gtod_data {
+ struct pvclock_clock clock; /* extract of a clocksource struct */
+ struct pvclock_clock raw_clock; /* extract of a clocksource struct */
+
+- u64 boot_ns_raw;
+- u64 boot_ns;
+- u64 nsec_base;
++ ktime_t offs_boot;
+ u64 wall_time_sec;
+- u64 monotonic_raw_nsec;
+ };
+
+ static struct pvclock_gtod_data pvclock_gtod_data;
+@@ -1565,10 +1599,6 @@ static struct pvclock_gtod_data pvclock_gtod_data;
+ static void update_pvclock_gtod(struct timekeeper *tk)
+ {
+ struct pvclock_gtod_data *vdata = &pvclock_gtod_data;
+- u64 boot_ns, boot_ns_raw;
+-
+- boot_ns = ktime_to_ns(ktime_add(tk->tkr_mono.base, tk->offs_boot));
+- boot_ns_raw = ktime_to_ns(ktime_add(tk->tkr_raw.base, tk->offs_boot));
+
+ write_seqcount_begin(&vdata->seq);
+
+@@ -1578,23 +1608,35 @@ static void update_pvclock_gtod(struct timekeeper *tk)
+ vdata->clock.mask = tk->tkr_mono.mask;
+ vdata->clock.mult = tk->tkr_mono.mult;
+ vdata->clock.shift = tk->tkr_mono.shift;
++ vdata->clock.base_cycles = tk->tkr_mono.xtime_nsec;
++ vdata->clock.offset = tk->tkr_mono.base;
+
+ vdata->raw_clock.vclock_mode = tk->tkr_raw.clock->archdata.vclock_mode;
+ vdata->raw_clock.cycle_last = tk->tkr_raw.cycle_last;
+ vdata->raw_clock.mask = tk->tkr_raw.mask;
+ vdata->raw_clock.mult = tk->tkr_raw.mult;
+ vdata->raw_clock.shift = tk->tkr_raw.shift;
+-
+- vdata->boot_ns = boot_ns;
+- vdata->nsec_base = tk->tkr_mono.xtime_nsec;
++ vdata->raw_clock.base_cycles = tk->tkr_raw.xtime_nsec;
++ vdata->raw_clock.offset = tk->tkr_raw.base;
+
+ vdata->wall_time_sec = tk->xtime_sec;
+
+- vdata->boot_ns_raw = boot_ns_raw;
+- vdata->monotonic_raw_nsec = tk->tkr_raw.xtime_nsec;
++ vdata->offs_boot = tk->offs_boot;
+
+ write_seqcount_end(&vdata->seq);
+ }
++
++static s64 get_kvmclock_base_ns(void)
++{
++ /* Count up from boot time, but with the frequency of the raw clock. */
++ return ktime_to_ns(ktime_add(ktime_get_raw(), pvclock_gtod_data.offs_boot));
++}
++#else
++static s64 get_kvmclock_base_ns(void)
++{
++ /* Master clock not used, so we can just use CLOCK_BOOTTIME. */
++ return ktime_get_boottime_ns();
++}
+ #endif
+
+ void kvm_set_pending_timer(struct kvm_vcpu *vcpu)
+@@ -1608,7 +1650,7 @@ static void kvm_write_wall_clock(struct kvm *kvm, gpa_t wall_clock)
+ int version;
+ int r;
+ struct pvclock_wall_clock wc;
+- struct timespec64 boot;
++ u64 wall_nsec;
+
+ if (!wall_clock)
+ return;
+@@ -1628,17 +1670,12 @@ static void kvm_write_wall_clock(struct kvm *kvm, gpa_t wall_clock)
+ /*
+ * The guest calculates current wall clock time by adding
+ * system time (updated by kvm_guest_time_update below) to the
+- * wall clock specified here. guest system time equals host
+- * system time for us, thus we must fill in host boot time here.
++ * wall clock specified here. We do the reverse here.
+ */
+- getboottime64(&boot);
++ wall_nsec = ktime_get_real_ns() - get_kvmclock_ns(kvm);
+
+- if (kvm->arch.kvmclock_offset) {
+- struct timespec64 ts = ns_to_timespec64(kvm->arch.kvmclock_offset);
+- boot = timespec64_sub(boot, ts);
+- }
+- wc.sec = (u32)boot.tv_sec; /* overflow in 2106 guest time */
+- wc.nsec = boot.tv_nsec;
++ wc.nsec = do_div(wall_nsec, 1000000000);
++ wc.sec = (u32)wall_nsec; /* overflow in 2106 guest time */
+ wc.version = version;
+
+ kvm_write_guest(kvm, wall_clock, &wc, sizeof(wc));
+@@ -1886,7 +1923,7 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr)
+
+ raw_spin_lock_irqsave(&kvm->arch.tsc_write_lock, flags);
+ offset = kvm_compute_tsc_offset(vcpu, data);
+- ns = ktime_get_boottime_ns();
++ ns = get_kvmclock_base_ns();
+ elapsed = ns - kvm->arch.last_tsc_nsec;
+
+ if (vcpu->arch.virtual_tsc_khz) {
+@@ -2061,10 +2098,10 @@ static int do_monotonic_raw(s64 *t, u64 *tsc_timestamp)
+
+ do {
+ seq = read_seqcount_begin(&gtod->seq);
+- ns = gtod->monotonic_raw_nsec;
++ ns = gtod->raw_clock.base_cycles;
+ ns += vgettsc(&gtod->raw_clock, tsc_timestamp, &mode);
+- ns >>= gtod->clock.shift;
+- ns += gtod->boot_ns_raw;
++ ns >>= gtod->raw_clock.shift;
++ ns += ktime_to_ns(ktime_add(gtod->raw_clock.offset, gtod->offs_boot));
+ } while (unlikely(read_seqcount_retry(&gtod->seq, seq)));
+ *t = ns;
+
+@@ -2081,7 +2118,7 @@ static int do_realtime(struct timespec64 *ts, u64 *tsc_timestamp)
+ do {
+ seq = read_seqcount_begin(&gtod->seq);
+ ts->tv_sec = gtod->wall_time_sec;
+- ns = gtod->nsec_base;
++ ns = gtod->clock.base_cycles;
+ ns += vgettsc(&gtod->clock, tsc_timestamp, &mode);
+ ns >>= gtod->clock.shift;
+ } while (unlikely(read_seqcount_retry(&gtod->seq, seq)));
+@@ -2224,7 +2261,7 @@ u64 get_kvmclock_ns(struct kvm *kvm)
+ spin_lock(&ka->pvclock_gtod_sync_lock);
+ if (!ka->use_master_clock) {
+ spin_unlock(&ka->pvclock_gtod_sync_lock);
+- return ktime_get_boottime_ns() + ka->kvmclock_offset;
++ return get_kvmclock_base_ns() + ka->kvmclock_offset;
+ }
+
+ hv_clock.tsc_timestamp = ka->master_cycle_now;
+@@ -2240,7 +2277,7 @@ u64 get_kvmclock_ns(struct kvm *kvm)
+ &hv_clock.tsc_to_system_mul);
+ ret = __pvclock_read_cycles(&hv_clock, rdtsc());
+ } else
+- ret = ktime_get_boottime_ns() + ka->kvmclock_offset;
++ ret = get_kvmclock_base_ns() + ka->kvmclock_offset;
+
+ put_cpu();
+
+@@ -2339,7 +2376,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
+ }
+ if (!use_master_clock) {
+ host_tsc = rdtsc();
+- kernel_ns = ktime_get_boottime_ns();
++ kernel_ns = get_kvmclock_base_ns();
+ }
+
+ tsc_timestamp = kvm_read_l1_tsc(v, host_tsc);
+@@ -2379,6 +2416,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
+ vcpu->hv_clock.tsc_timestamp = tsc_timestamp;
+ vcpu->hv_clock.system_time = kernel_ns + v->kvm->arch.kvmclock_offset;
+ vcpu->last_guest_tsc = tsc_timestamp;
++ WARN_ON(vcpu->hv_clock.system_time < 0);
+
+ /* If the host uses TSC clocksource, then it is stable */
+ pvclock_flags = 0;
+@@ -2485,7 +2523,10 @@ static int set_msr_mce(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+ msr < MSR_IA32_MCx_CTL(bank_num)) {
+- u32 offset = msr - MSR_IA32_MC0_CTL;
++ u32 offset = array_index_nospec(
++ msr - MSR_IA32_MC0_CTL,
++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
++
+ /* only 0 or all 1s can be written to IA32_MCi_CTL
+ * some Linux kernels though clear bit 10 in bank 4 to
+ * workaround a BIOS/GART TBL issue on AMD K8s, ignore
+@@ -2581,45 +2622,47 @@ static void kvm_vcpu_flush_tlb(struct kvm_vcpu *vcpu, bool invalidate_gpa)
+
+ static void record_steal_time(struct kvm_vcpu *vcpu)
+ {
++ struct kvm_host_map map;
++ struct kvm_steal_time *st;
++
+ if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
+ return;
+
+- if (unlikely(kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.st.stime,
+- &vcpu->arch.st.steal, sizeof(struct kvm_steal_time))))
++ /* -EAGAIN is returned in atomic context so we can just return. */
++ if (kvm_map_gfn(vcpu, vcpu->arch.st.msr_val >> PAGE_SHIFT,
++ &map, &vcpu->arch.st.cache, false))
+ return;
+
++ st = map.hva +
++ offset_in_page(vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS);
++
+ /*
+ * Doing a TLB flush here, on the guest's behalf, can avoid
+ * expensive IPIs.
+ */
+ trace_kvm_pv_tlb_flush(vcpu->vcpu_id,
+- vcpu->arch.st.steal.preempted & KVM_VCPU_FLUSH_TLB);
+- if (xchg(&vcpu->arch.st.steal.preempted, 0) & KVM_VCPU_FLUSH_TLB)
++ st->preempted & KVM_VCPU_FLUSH_TLB);
++ if (xchg(&st->preempted, 0) & KVM_VCPU_FLUSH_TLB)
+ kvm_vcpu_flush_tlb(vcpu, false);
+
+- if (vcpu->arch.st.steal.version & 1)
+- vcpu->arch.st.steal.version += 1; /* first time write, random junk */
++ vcpu->arch.st.preempted = 0;
+
+- vcpu->arch.st.steal.version += 1;
++ if (st->version & 1)
++ st->version += 1; /* first time write, random junk */
+
+- kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.st.stime,
+- &vcpu->arch.st.steal, sizeof(struct kvm_steal_time));
++ st->version += 1;
+
+ smp_wmb();
+
+- vcpu->arch.st.steal.steal += current->sched_info.run_delay -
++ st->steal += current->sched_info.run_delay -
+ vcpu->arch.st.last_steal;
+ vcpu->arch.st.last_steal = current->sched_info.run_delay;
+
+- kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.st.stime,
+- &vcpu->arch.st.steal, sizeof(struct kvm_steal_time));
+-
+ smp_wmb();
+
+- vcpu->arch.st.steal.version += 1;
++ st->version += 1;
+
+- kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.st.stime,
+- &vcpu->arch.st.steal, sizeof(struct kvm_steal_time));
++ kvm_unmap_gfn(vcpu, &map, &vcpu->arch.st.cache, true, false);
+ }
+
+ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+@@ -2786,11 +2829,6 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ if (data & KVM_STEAL_RESERVED_MASK)
+ return 1;
+
+- if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime,
+- data & KVM_STEAL_VALID_BITS,
+- sizeof(struct kvm_steal_time)))
+- return 1;
+-
+ vcpu->arch.st.msr_val = data;
+
+ if (!(data & KVM_MSR_ENABLED))
+@@ -2926,7 +2964,10 @@ static int get_msr_mce(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host)
+ default:
+ if (msr >= MSR_IA32_MC0_CTL &&
+ msr < MSR_IA32_MCx_CTL(bank_num)) {
+- u32 offset = msr - MSR_IA32_MC0_CTL;
++ u32 offset = array_index_nospec(
++ msr - MSR_IA32_MC0_CTL,
++ MSR_IA32_MCx_CTL(bank_num) - MSR_IA32_MC0_CTL);
++
+ data = vcpu->arch.mce_banks[offset];
+ break;
+ }
+@@ -3458,10 +3499,6 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
+
+ kvm_x86_ops->vcpu_load(vcpu, cpu);
+
+- fpregs_assert_state_consistent();
+- if (test_thread_flag(TIF_NEED_FPU_LOAD))
+- switch_fpu_return();
+-
+ /* Apply any externally detected TSC adjustments (due to suspend) */
+ if (unlikely(vcpu->arch.tsc_offset_adjustment)) {
+ adjust_tsc_offset_host(vcpu, vcpu->arch.tsc_offset_adjustment);
+@@ -3501,15 +3538,25 @@ void kvm_arch_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
+
+ static void kvm_steal_time_set_preempted(struct kvm_vcpu *vcpu)
+ {
++ struct kvm_host_map map;
++ struct kvm_steal_time *st;
++
+ if (!(vcpu->arch.st.msr_val & KVM_MSR_ENABLED))
+ return;
+
+- vcpu->arch.st.steal.preempted = KVM_VCPU_PREEMPTED;
++ if (vcpu->arch.st.preempted)
++ return;
++
++ if (kvm_map_gfn(vcpu, vcpu->arch.st.msr_val >> PAGE_SHIFT, &map,
++ &vcpu->arch.st.cache, true))
++ return;
++
++ st = map.hva +
++ offset_in_page(vcpu->arch.st.msr_val & KVM_STEAL_VALID_BITS);
+
+- kvm_write_guest_offset_cached(vcpu->kvm, &vcpu->arch.st.stime,
+- &vcpu->arch.st.steal.preempted,
+- offsetof(struct kvm_steal_time, preempted),
+- sizeof(vcpu->arch.st.steal.preempted));
++ st->preempted = vcpu->arch.st.preempted = KVM_VCPU_PREEMPTED;
++
++ kvm_unmap_gfn(vcpu, &map, &vcpu->arch.st.cache, true, true);
+ }
+
+ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
+@@ -6379,11 +6426,11 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu, int emulation_type)
+ return 1;
+ }
+
+-static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t cr2,
++static bool reexecute_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
+ bool write_fault_to_shadow_pgtable,
+ int emulation_type)
+ {
+- gpa_t gpa = cr2;
++ gpa_t gpa = cr2_or_gpa;
+ kvm_pfn_t pfn;
+
+ if (!(emulation_type & EMULTYPE_ALLOW_RETRY))
+@@ -6397,7 +6444,7 @@ static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t cr2,
+ * Write permission should be allowed since only
+ * write access need to be emulated.
+ */
+- gpa = kvm_mmu_gva_to_gpa_write(vcpu, cr2, NULL);
++ gpa = kvm_mmu_gva_to_gpa_write(vcpu, cr2_or_gpa, NULL);
+
+ /*
+ * If the mapping is invalid in guest, let cpu retry
+@@ -6454,10 +6501,10 @@ static bool reexecute_instruction(struct kvm_vcpu *vcpu, gva_t cr2,
+ }
+
+ static bool retry_instruction(struct x86_emulate_ctxt *ctxt,
+- unsigned long cr2, int emulation_type)
++ gpa_t cr2_or_gpa, int emulation_type)
+ {
+ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+- unsigned long last_retry_eip, last_retry_addr, gpa = cr2;
++ unsigned long last_retry_eip, last_retry_addr, gpa = cr2_or_gpa;
+
+ last_retry_eip = vcpu->arch.last_retry_eip;
+ last_retry_addr = vcpu->arch.last_retry_addr;
+@@ -6486,14 +6533,14 @@ static bool retry_instruction(struct x86_emulate_ctxt *ctxt,
+ if (x86_page_table_writing_insn(ctxt))
+ return false;
+
+- if (ctxt->eip == last_retry_eip && last_retry_addr == cr2)
++ if (ctxt->eip == last_retry_eip && last_retry_addr == cr2_or_gpa)
+ return false;
+
+ vcpu->arch.last_retry_eip = ctxt->eip;
+- vcpu->arch.last_retry_addr = cr2;
++ vcpu->arch.last_retry_addr = cr2_or_gpa;
+
+ if (!vcpu->arch.mmu->direct_map)
+- gpa = kvm_mmu_gva_to_gpa_write(vcpu, cr2, NULL);
++ gpa = kvm_mmu_gva_to_gpa_write(vcpu, cr2_or_gpa, NULL);
+
+ kvm_mmu_unprotect_page(vcpu->kvm, gpa_to_gfn(gpa));
+
+@@ -6639,11 +6686,8 @@ static bool is_vmware_backdoor_opcode(struct x86_emulate_ctxt *ctxt)
+ return false;
+ }
+
+-int x86_emulate_instruction(struct kvm_vcpu *vcpu,
+- unsigned long cr2,
+- int emulation_type,
+- void *insn,
+- int insn_len)
++int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
++ int emulation_type, void *insn, int insn_len)
+ {
+ int r;
+ struct x86_emulate_ctxt *ctxt = &vcpu->arch.emulate_ctxt;
+@@ -6689,8 +6733,9 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 1;
+ }
+- if (reexecute_instruction(vcpu, cr2, write_fault_to_spt,
+- emulation_type))
++ if (reexecute_instruction(vcpu, cr2_or_gpa,
++ write_fault_to_spt,
++ emulation_type))
+ return 1;
+ if (ctxt->have_exception) {
+ /*
+@@ -6724,7 +6769,7 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
+ return 1;
+ }
+
+- if (retry_instruction(ctxt, cr2, emulation_type))
++ if (retry_instruction(ctxt, cr2_or_gpa, emulation_type))
+ return 1;
+
+ /* this is needed for vmware backdoor interface to work since it
+@@ -6736,7 +6781,7 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
+
+ restart:
+ /* Save the faulting GPA (cr2) in the address field */
+- ctxt->exception.address = cr2;
++ ctxt->exception.address = cr2_or_gpa;
+
+ r = x86_emulate_insn(ctxt);
+
+@@ -6744,7 +6789,7 @@ restart:
+ return 1;
+
+ if (r == EMULATION_FAILED) {
+- if (reexecute_instruction(vcpu, cr2, write_fault_to_spt,
++ if (reexecute_instruction(vcpu, cr2_or_gpa, write_fault_to_spt,
+ emulation_type))
+ return 1;
+
+@@ -8198,8 +8243,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
+ trace_kvm_entry(vcpu->vcpu_id);
+ guest_enter_irqoff();
+
+- /* The preempt notifier should have taken care of the FPU already. */
+- WARN_ON_ONCE(test_thread_flag(TIF_NEED_FPU_LOAD));
++ fpregs_assert_state_consistent();
++ if (test_thread_flag(TIF_NEED_FPU_LOAD))
++ switch_fpu_return();
+
+ if (unlikely(vcpu->arch.switch_db_regs)) {
+ set_debugreg(0, 7);
+@@ -8471,12 +8517,26 @@ static int complete_emulated_mmio(struct kvm_vcpu *vcpu)
+ return 0;
+ }
+
++static void kvm_save_current_fpu(struct fpu *fpu)
++{
++ /*
++ * If the target FPU state is not resident in the CPU registers, just
++ * memcpy() from current, else save CPU state directly to the target.
++ */
++ if (test_thread_flag(TIF_NEED_FPU_LOAD))
++ memcpy(&fpu->state, &current->thread.fpu.state,
++ fpu_kernel_xstate_size);
++ else
++ copy_fpregs_to_fpstate(fpu);
++}
++
+ /* Swap (qemu) user FPU context for the guest FPU context. */
+ static void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
+ {
+ fpregs_lock();
+
+- copy_fpregs_to_fpstate(vcpu->arch.user_fpu);
++ kvm_save_current_fpu(vcpu->arch.user_fpu);
++
+ /* PKRU is separately restored in kvm_x86_ops->run. */
+ __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu->state,
+ ~XFEATURE_MASK_PKRU);
+@@ -8492,7 +8552,8 @@ static void kvm_put_guest_fpu(struct kvm_vcpu *vcpu)
+ {
+ fpregs_lock();
+
+- copy_fpregs_to_fpstate(vcpu->arch.guest_fpu);
++ kvm_save_current_fpu(vcpu->arch.guest_fpu);
++
+ copy_kernel_to_fpregs(&vcpu->arch.user_fpu->state);
+
+ fpregs_mark_activate();
+@@ -8714,6 +8775,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu,
+ struct kvm_mp_state *mp_state)
+ {
+ vcpu_load(vcpu);
++ if (kvm_mpx_supported())
++ kvm_load_guest_fpu(vcpu);
+
+ kvm_apic_accept_events(vcpu);
+ if (vcpu->arch.mp_state == KVM_MP_STATE_HALTED &&
+@@ -8722,6 +8785,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu,
+ else
+ mp_state->mp_state = vcpu->arch.mp_state;
+
++ if (kvm_mpx_supported())
++ kvm_put_guest_fpu(vcpu);
+ vcpu_put(vcpu);
+ return 0;
+ }
+@@ -9085,6 +9150,9 @@ static void fx_init(struct kvm_vcpu *vcpu)
+ void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu)
+ {
+ void *wbinvd_dirty_mask = vcpu->arch.wbinvd_dirty_mask;
++ struct gfn_to_pfn_cache *cache = &vcpu->arch.st.cache;
++
++ kvm_release_pfn(cache->pfn, cache->dirty, cache);
+
+ kvmclock_reset(vcpu);
+
+@@ -9155,7 +9223,7 @@ void kvm_arch_vcpu_destroy(struct kvm_vcpu *vcpu)
+ kvm_mmu_unload(vcpu);
+ vcpu_put(vcpu);
+
+- kvm_x86_ops->vcpu_free(vcpu);
++ kvm_arch_vcpu_free(vcpu);
+ }
+
+ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
+@@ -9347,6 +9415,8 @@ int kvm_arch_hardware_setup(void)
+ if (r != 0)
+ return r;
+
++ cr4_reserved_bits = kvm_host_cr4_reserved_bits(&boot_cpu_data);
++
+ if (kvm_has_tsc_control) {
+ /*
+ * Make sure the user can only configure tsc_khz values that
+@@ -9518,7 +9588,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+ mutex_init(&kvm->arch.apic_map_lock);
+ spin_lock_init(&kvm->arch.pvclock_gtod_sync_lock);
+
+- kvm->arch.kvmclock_offset = -ktime_get_boottime_ns();
++ kvm->arch.kvmclock_offset = -get_kvmclock_base_ns();
+ pvclock_update_vm_gtod_copy(kvm);
+
+ kvm->arch.guest_can_read_msr_platform_info = true;
+@@ -9758,11 +9828,18 @@ out_free:
+
+ void kvm_arch_memslots_updated(struct kvm *kvm, u64 gen)
+ {
++ struct kvm_vcpu *vcpu;
++ int i;
++
+ /*
+ * memslots->generation has been incremented.
+ * mmio generation may have reached its maximum value.
+ */
+ kvm_mmu_invalidate_mmio_sptes(kvm, gen);
++
++ /* Force re-initialization of steal_time cache */
++ kvm_for_each_vcpu(i, vcpu, kvm)
++ kvm_vcpu_kick(vcpu);
+ }
+
+ int kvm_arch_prepare_memory_region(struct kvm *kvm,
+@@ -10014,7 +10091,7 @@ void kvm_arch_async_page_ready(struct kvm_vcpu *vcpu, struct kvm_async_pf *work)
+ work->arch.cr3 != vcpu->arch.mmu->get_cr3(vcpu))
+ return;
+
+- vcpu->arch.mmu->page_fault(vcpu, work->gva, 0, true);
++ vcpu->arch.mmu->page_fault(vcpu, work->cr2_or_gpa, 0, true);
+ }
+
+ static inline u32 kvm_async_pf_hash_fn(gfn_t gfn)
+@@ -10127,7 +10204,7 @@ void kvm_arch_async_page_not_present(struct kvm_vcpu *vcpu,
+ {
+ struct x86_exception fault;
+
+- trace_kvm_async_pf_not_present(work->arch.token, work->gva);
++ trace_kvm_async_pf_not_present(work->arch.token, work->cr2_or_gpa);
+ kvm_add_async_pf_gfn(vcpu, work->arch.gfn);
+
+ if (kvm_can_deliver_async_pf(vcpu) &&
+@@ -10162,7 +10239,7 @@ void kvm_arch_async_page_present(struct kvm_vcpu *vcpu,
+ work->arch.token = ~0; /* broadcast wakeup */
+ else
+ kvm_del_async_pf_gfn(vcpu, work->arch.gfn);
+- trace_kvm_async_pf_ready(work->arch.token, work->gva);
++ trace_kvm_async_pf_ready(work->arch.token, work->cr2_or_gpa);
+
+ if (vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED &&
+ !apf_get_user(vcpu, &val)) {
+diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
+index 29391af8871d..cab5e71f0f0f 100644
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -289,7 +289,7 @@ int kvm_mtrr_get_msr(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata);
+ bool kvm_mtrr_check_gfn_range_consistency(struct kvm_vcpu *vcpu, gfn_t gfn,
+ int page_num);
+ bool kvm_vector_hashing_enabled(void);
+-int x86_emulate_instruction(struct kvm_vcpu *vcpu, unsigned long cr2,
++int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
+ int emulation_type, void *insn, int insn_len);
+
+ #define KVM_SUPPORTED_XCR0 (XFEATURE_MASK_FP | XFEATURE_MASK_SSE \
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index ae4a41ca19f6..1f756ffffe8b 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -1205,6 +1205,7 @@ asmlinkage __visible void __init xen_start_kernel(void)
+ x86_platform.get_nmi_reason = xen_get_nmi_reason;
+
+ x86_init.resources.memory_setup = xen_memory_setup;
++ x86_init.irqs.intr_mode_select = x86_init_noop;
+ x86_init.irqs.intr_mode_init = x86_init_noop;
+ x86_init.oem.arch_setup = xen_arch_setup;
+ x86_init.oem.banner = xen_banner;
+diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
+index 650bade5ea5a..b61dbf4d8443 100644
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -20,6 +20,7 @@
+ #include <scsi/scsi.h>
+ #include <scsi/scsi_ioctl.h>
+ #include <scsi/scsi_cmnd.h>
++#include <scsi/sg.h>
+
+ struct blk_cmd_filter {
+ unsigned long read_ok[BLK_SCSI_CMD_PER_LONG];
+@@ -550,34 +551,6 @@ static inline int blk_send_start_stop(struct request_queue *q,
+ return __blk_send_generic(q, bd_disk, GPCMD_START_STOP_UNIT, data);
+ }
+
+-#ifdef CONFIG_COMPAT
+-struct compat_sg_io_hdr {
+- compat_int_t interface_id; /* [i] 'S' for SCSI generic (required) */
+- compat_int_t dxfer_direction; /* [i] data transfer direction */
+- unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */
+- unsigned char mx_sb_len; /* [i] max length to write to sbp */
+- unsigned short iovec_count; /* [i] 0 implies no scatter gather */
+- compat_uint_t dxfer_len; /* [i] byte count of data transfer */
+- compat_uint_t dxferp; /* [i], [*io] points to data transfer memory
+- or scatter gather list */
+- compat_uptr_t cmdp; /* [i], [*i] points to command to perform */
+- compat_uptr_t sbp; /* [i], [*o] points to sense_buffer memory */
+- compat_uint_t timeout; /* [i] MAX_UINT->no timeout (unit: millisec) */
+- compat_uint_t flags; /* [i] 0 -> default, see SG_FLAG... */
+- compat_int_t pack_id; /* [i->o] unused internally (normally) */
+- compat_uptr_t usr_ptr; /* [i->o] unused internally */
+- unsigned char status; /* [o] scsi status */
+- unsigned char masked_status; /* [o] shifted, masked scsi status */
+- unsigned char msg_status; /* [o] messaging level data (optional) */
+- unsigned char sb_len_wr; /* [o] byte count actually written to sbp */
+- unsigned short host_status; /* [o] errors from host adapter */
+- unsigned short driver_status; /* [o] errors from software driver */
+- compat_int_t resid; /* [o] dxfer_len - actual_transferred */
+- compat_uint_t duration; /* [o] time taken by cmd (unit: millisec) */
+- compat_uint_t info; /* [o] auxiliary information */
+-};
+-#endif
+-
+ int put_sg_io_hdr(const struct sg_io_hdr *hdr, void __user *argp)
+ {
+ #ifdef CONFIG_COMPAT
+diff --git a/crypto/algapi.c b/crypto/algapi.c
+index b052f38edba6..5566650b2091 100644
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -257,6 +257,7 @@ void crypto_alg_tested(const char *name, int err)
+ struct crypto_alg *alg;
+ struct crypto_alg *q;
+ LIST_HEAD(list);
++ bool best;
+
+ down_write(&crypto_alg_sem);
+ list_for_each_entry(q, &crypto_alg_list, cra_list) {
+@@ -280,6 +281,21 @@ found:
+
+ alg->cra_flags |= CRYPTO_ALG_TESTED;
+
++ /* Only satisfy larval waiters if we are the best. */
++ best = true;
++ list_for_each_entry(q, &crypto_alg_list, cra_list) {
++ if (crypto_is_moribund(q) || !crypto_is_larval(q))
++ continue;
++
++ if (strcmp(alg->cra_name, q->cra_name))
++ continue;
++
++ if (q->cra_priority > alg->cra_priority) {
++ best = false;
++ break;
++ }
++ }
++
+ list_for_each_entry(q, &crypto_alg_list, cra_list) {
+ if (q == alg)
+ continue;
+@@ -303,10 +319,12 @@ found:
+ continue;
+ if ((q->cra_flags ^ alg->cra_flags) & larval->mask)
+ continue;
+- if (!crypto_mod_get(alg))
+- continue;
+
+- larval->adult = alg;
++ if (best && crypto_mod_get(alg))
++ larval->adult = alg;
++ else
++ larval->adult = ERR_PTR(-EAGAIN);
++
+ continue;
+ }
+
+@@ -669,11 +687,9 @@ EXPORT_SYMBOL_GPL(crypto_grab_spawn);
+
+ void crypto_drop_spawn(struct crypto_spawn *spawn)
+ {
+- if (!spawn->alg)
+- return;
+-
+ down_write(&crypto_alg_sem);
+- list_del(&spawn->list);
++ if (spawn->alg)
++ list_del(&spawn->list);
+ up_write(&crypto_alg_sem);
+ }
+ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
+@@ -681,22 +697,16 @@ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
+ static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn)
+ {
+ struct crypto_alg *alg;
+- struct crypto_alg *alg2;
+
+ down_read(&crypto_alg_sem);
+ alg = spawn->alg;
+- alg2 = alg;
+- if (alg2)
+- alg2 = crypto_mod_get(alg2);
+- up_read(&crypto_alg_sem);
+-
+- if (!alg2) {
+- if (alg)
+- crypto_shoot_alg(alg);
+- return ERR_PTR(-EAGAIN);
++ if (alg && !crypto_mod_get(alg)) {
++ alg->cra_flags |= CRYPTO_ALG_DYING;
++ alg = NULL;
+ }
++ up_read(&crypto_alg_sem);
+
+- return alg;
++ return alg ?: ERR_PTR(-EAGAIN);
+ }
+
+ struct crypto_tfm *crypto_spawn_tfm(struct crypto_spawn *spawn, u32 type,
+diff --git a/crypto/api.c b/crypto/api.c
+index 55bca28df92d..c00af5ad1b16 100644
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -97,7 +97,7 @@ static void crypto_larval_destroy(struct crypto_alg *alg)
+ struct crypto_larval *larval = (void *)alg;
+
+ BUG_ON(!crypto_is_larval(alg));
+- if (larval->adult)
++ if (!IS_ERR_OR_NULL(larval->adult))
+ crypto_mod_put(larval->adult);
+ kfree(larval);
+ }
+@@ -178,6 +178,8 @@ static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg)
+ alg = ERR_PTR(-ETIMEDOUT);
+ else if (!alg)
+ alg = ERR_PTR(-ENOENT);
++ else if (IS_ERR(alg))
++ ;
+ else if (crypto_is_test_larval(larval) &&
+ !(alg->cra_flags & CRYPTO_ALG_TESTED))
+ alg = ERR_PTR(-EAGAIN);
+@@ -344,13 +346,12 @@ static unsigned int crypto_ctxsize(struct crypto_alg *alg, u32 type, u32 mask)
+ return len;
+ }
+
+-void crypto_shoot_alg(struct crypto_alg *alg)
++static void crypto_shoot_alg(struct crypto_alg *alg)
+ {
+ down_write(&crypto_alg_sem);
+ alg->cra_flags |= CRYPTO_ALG_DYING;
+ up_write(&crypto_alg_sem);
+ }
+-EXPORT_SYMBOL_GPL(crypto_shoot_alg);
+
+ struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
+ u32 mask)
+diff --git a/crypto/internal.h b/crypto/internal.h
+index 93df7bec844a..e506a57e2243 100644
+--- a/crypto/internal.h
++++ b/crypto/internal.h
+@@ -68,7 +68,6 @@ void crypto_alg_tested(const char *name, int err);
+ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
+ struct crypto_alg *nalg);
+ void crypto_remove_final(struct list_head *list);
+-void crypto_shoot_alg(struct crypto_alg *alg);
+ struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
+ u32 mask);
+ void *crypto_create_tfm(struct crypto_alg *alg,
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index 81bbea7f2ba6..a4f3b3f342c8 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -24,6 +24,8 @@ static struct kset *pcrypt_kset;
+
+ struct pcrypt_instance_ctx {
+ struct crypto_aead_spawn spawn;
++ struct padata_shell *psenc;
++ struct padata_shell *psdec;
+ atomic_t tfm_count;
+ };
+
+@@ -32,6 +34,12 @@ struct pcrypt_aead_ctx {
+ unsigned int cb_cpu;
+ };
+
++static inline struct pcrypt_instance_ctx *pcrypt_tfm_ictx(
++ struct crypto_aead *tfm)
++{
++ return aead_instance_ctx(aead_alg_instance(tfm));
++}
++
+ static int pcrypt_aead_setkey(struct crypto_aead *parent,
+ const u8 *key, unsigned int keylen)
+ {
+@@ -63,7 +71,6 @@ static void pcrypt_aead_done(struct crypto_async_request *areq, int err)
+ struct padata_priv *padata = pcrypt_request_padata(preq);
+
+ padata->info = err;
+- req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
+
+ padata_do_serial(padata);
+ }
+@@ -90,6 +97,9 @@ static int pcrypt_aead_encrypt(struct aead_request *req)
+ struct crypto_aead *aead = crypto_aead_reqtfm(req);
+ struct pcrypt_aead_ctx *ctx = crypto_aead_ctx(aead);
+ u32 flags = aead_request_flags(req);
++ struct pcrypt_instance_ctx *ictx;
++
++ ictx = pcrypt_tfm_ictx(aead);
+
+ memset(padata, 0, sizeof(struct padata_priv));
+
+@@ -103,7 +113,7 @@ static int pcrypt_aead_encrypt(struct aead_request *req)
+ req->cryptlen, req->iv);
+ aead_request_set_ad(creq, req->assoclen);
+
+- err = padata_do_parallel(pencrypt, padata, &ctx->cb_cpu);
++ err = padata_do_parallel(ictx->psenc, padata, &ctx->cb_cpu);
+ if (!err)
+ return -EINPROGRESS;
+
+@@ -132,6 +142,9 @@ static int pcrypt_aead_decrypt(struct aead_request *req)
+ struct crypto_aead *aead = crypto_aead_reqtfm(req);
+ struct pcrypt_aead_ctx *ctx = crypto_aead_ctx(aead);
+ u32 flags = aead_request_flags(req);
++ struct pcrypt_instance_ctx *ictx;
++
++ ictx = pcrypt_tfm_ictx(aead);
+
+ memset(padata, 0, sizeof(struct padata_priv));
+
+@@ -145,7 +158,7 @@ static int pcrypt_aead_decrypt(struct aead_request *req)
+ req->cryptlen, req->iv);
+ aead_request_set_ad(creq, req->assoclen);
+
+- err = padata_do_parallel(pdecrypt, padata, &ctx->cb_cpu);
++ err = padata_do_parallel(ictx->psdec, padata, &ctx->cb_cpu);
+ if (!err)
+ return -EINPROGRESS;
+
+@@ -192,6 +205,8 @@ static void pcrypt_free(struct aead_instance *inst)
+ struct pcrypt_instance_ctx *ctx = aead_instance_ctx(inst);
+
+ crypto_drop_aead(&ctx->spawn);
++ padata_free_shell(ctx->psdec);
++ padata_free_shell(ctx->psenc);
+ kfree(inst);
+ }
+
+@@ -233,12 +248,22 @@ static int pcrypt_create_aead(struct crypto_template *tmpl, struct rtattr **tb,
+ if (!inst)
+ return -ENOMEM;
+
++ err = -ENOMEM;
++
+ ctx = aead_instance_ctx(inst);
++ ctx->psenc = padata_alloc_shell(pencrypt);
++ if (!ctx->psenc)
++ goto out_free_inst;
++
++ ctx->psdec = padata_alloc_shell(pdecrypt);
++ if (!ctx->psdec)
++ goto out_free_psenc;
++
+ crypto_set_aead_spawn(&ctx->spawn, aead_crypto_instance(inst));
+
+ err = crypto_grab_aead(&ctx->spawn, name, 0, 0);
+ if (err)
+- goto out_free_inst;
++ goto out_free_psdec;
+
+ alg = crypto_spawn_aead_alg(&ctx->spawn);
+ err = pcrypt_init_instance(aead_crypto_instance(inst), &alg->base);
+@@ -271,6 +296,10 @@ out:
+
+ out_drop_aead:
+ crypto_drop_aead(&ctx->spawn);
++out_free_psdec:
++ padata_free_shell(ctx->psdec);
++out_free_psenc:
++ padata_free_shell(ctx->psenc);
+ out_free_inst:
+ kfree(inst);
+ goto out;
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index 8f0e0c8d8c3d..15cc7d5a6185 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -38,6 +38,8 @@
+ #define PREFIX "ACPI: "
+
+ #define ACPI_BATTERY_VALUE_UNKNOWN 0xFFFFFFFF
++#define ACPI_BATTERY_CAPACITY_VALID(capacity) \
++ ((capacity) != 0 && (capacity) != ACPI_BATTERY_VALUE_UNKNOWN)
+
+ #define ACPI_BATTERY_DEVICE_NAME "Battery"
+
+@@ -192,7 +194,8 @@ static int acpi_battery_is_charged(struct acpi_battery *battery)
+
+ static bool acpi_battery_is_degraded(struct acpi_battery *battery)
+ {
+- return battery->full_charge_capacity && battery->design_capacity &&
++ return ACPI_BATTERY_CAPACITY_VALID(battery->full_charge_capacity) &&
++ ACPI_BATTERY_CAPACITY_VALID(battery->design_capacity) &&
+ battery->full_charge_capacity < battery->design_capacity;
+ }
+
+@@ -214,7 +217,7 @@ static int acpi_battery_get_property(struct power_supply *psy,
+ enum power_supply_property psp,
+ union power_supply_propval *val)
+ {
+- int ret = 0;
++ int full_capacity = ACPI_BATTERY_VALUE_UNKNOWN, ret = 0;
+ struct acpi_battery *battery = to_acpi_battery(psy);
+
+ if (acpi_battery_present(battery)) {
+@@ -263,14 +266,14 @@ static int acpi_battery_get_property(struct power_supply *psy,
+ break;
+ case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN:
+ case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN:
+- if (battery->design_capacity == ACPI_BATTERY_VALUE_UNKNOWN)
++ if (!ACPI_BATTERY_CAPACITY_VALID(battery->design_capacity))
+ ret = -ENODEV;
+ else
+ val->intval = battery->design_capacity * 1000;
+ break;
+ case POWER_SUPPLY_PROP_CHARGE_FULL:
+ case POWER_SUPPLY_PROP_ENERGY_FULL:
+- if (battery->full_charge_capacity == ACPI_BATTERY_VALUE_UNKNOWN)
++ if (!ACPI_BATTERY_CAPACITY_VALID(battery->full_charge_capacity))
+ ret = -ENODEV;
+ else
+ val->intval = battery->full_charge_capacity * 1000;
+@@ -283,11 +286,17 @@ static int acpi_battery_get_property(struct power_supply *psy,
+ val->intval = battery->capacity_now * 1000;
+ break;
+ case POWER_SUPPLY_PROP_CAPACITY:
+- if (battery->capacity_now && battery->full_charge_capacity)
+- val->intval = battery->capacity_now * 100/
+- battery->full_charge_capacity;
++ if (ACPI_BATTERY_CAPACITY_VALID(battery->full_charge_capacity))
++ full_capacity = battery->full_charge_capacity;
++ else if (ACPI_BATTERY_CAPACITY_VALID(battery->design_capacity))
++ full_capacity = battery->design_capacity;
++
++ if (battery->capacity_now == ACPI_BATTERY_VALUE_UNKNOWN ||
++ full_capacity == ACPI_BATTERY_VALUE_UNKNOWN)
++ ret = -ENODEV;
+ else
+- val->intval = 0;
++ val->intval = battery->capacity_now * 100/
++ full_capacity;
+ break;
+ case POWER_SUPPLY_PROP_CAPACITY_LEVEL:
+ if (battery->state & ACPI_BATTERY_STATE_CRITICAL)
+@@ -333,6 +342,20 @@ static enum power_supply_property charge_battery_props[] = {
+ POWER_SUPPLY_PROP_SERIAL_NUMBER,
+ };
+
++static enum power_supply_property charge_battery_full_cap_broken_props[] = {
++ POWER_SUPPLY_PROP_STATUS,
++ POWER_SUPPLY_PROP_PRESENT,
++ POWER_SUPPLY_PROP_TECHNOLOGY,
++ POWER_SUPPLY_PROP_CYCLE_COUNT,
++ POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN,
++ POWER_SUPPLY_PROP_VOLTAGE_NOW,
++ POWER_SUPPLY_PROP_CURRENT_NOW,
++ POWER_SUPPLY_PROP_CHARGE_NOW,
++ POWER_SUPPLY_PROP_MODEL_NAME,
++ POWER_SUPPLY_PROP_MANUFACTURER,
++ POWER_SUPPLY_PROP_SERIAL_NUMBER,
++};
++
+ static enum power_supply_property energy_battery_props[] = {
+ POWER_SUPPLY_PROP_STATUS,
+ POWER_SUPPLY_PROP_PRESENT,
+@@ -794,20 +817,34 @@ static void __exit battery_hook_exit(void)
+ static int sysfs_add_battery(struct acpi_battery *battery)
+ {
+ struct power_supply_config psy_cfg = { .drv_data = battery, };
++ bool full_cap_broken = false;
++
++ if (!ACPI_BATTERY_CAPACITY_VALID(battery->full_charge_capacity) &&
++ !ACPI_BATTERY_CAPACITY_VALID(battery->design_capacity))
++ full_cap_broken = true;
+
+ if (battery->power_unit == ACPI_BATTERY_POWER_UNIT_MA) {
+- battery->bat_desc.properties = charge_battery_props;
+- battery->bat_desc.num_properties =
+- ARRAY_SIZE(charge_battery_props);
+- } else if (battery->full_charge_capacity == 0) {
+- battery->bat_desc.properties =
+- energy_battery_full_cap_broken_props;
+- battery->bat_desc.num_properties =
+- ARRAY_SIZE(energy_battery_full_cap_broken_props);
++ if (full_cap_broken) {
++ battery->bat_desc.properties =
++ charge_battery_full_cap_broken_props;
++ battery->bat_desc.num_properties =
++ ARRAY_SIZE(charge_battery_full_cap_broken_props);
++ } else {
++ battery->bat_desc.properties = charge_battery_props;
++ battery->bat_desc.num_properties =
++ ARRAY_SIZE(charge_battery_props);
++ }
+ } else {
+- battery->bat_desc.properties = energy_battery_props;
+- battery->bat_desc.num_properties =
+- ARRAY_SIZE(energy_battery_props);
++ if (full_cap_broken) {
++ battery->bat_desc.properties =
++ energy_battery_full_cap_broken_props;
++ battery->bat_desc.num_properties =
++ ARRAY_SIZE(energy_battery_full_cap_broken_props);
++ } else {
++ battery->bat_desc.properties = energy_battery_props;
++ battery->bat_desc.num_properties =
++ ARRAY_SIZE(energy_battery_props);
++ }
+ }
+
+ battery->bat_desc.name = acpi_device_bid(battery->device);
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 31014c7d3793..e63fd7bfd3a5 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -336,6 +336,11 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Precision 7510"),
+ },
+ },
++
++ /*
++ * Desktops which falsely report a backlight and which our heuristics
++ * for this do not catch.
++ */
+ {
+ .callback = video_detect_force_none,
+ .ident = "Dell OptiPlex 9020M",
+@@ -344,6 +349,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 9020M"),
+ },
+ },
++ {
++ .callback = video_detect_force_none,
++ .ident = "MSI MS-7721",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MSI"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "MS-7721"),
++ },
++ },
+ { },
+ };
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index 134a8af51511..0e99a760aebd 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -273,10 +273,38 @@ static void dpm_wait_for_suppliers(struct device *dev, bool async)
+ device_links_read_unlock(idx);
+ }
+
+-static void dpm_wait_for_superior(struct device *dev, bool async)
++static bool dpm_wait_for_superior(struct device *dev, bool async)
+ {
+- dpm_wait(dev->parent, async);
++ struct device *parent;
++
++ /*
++ * If the device is resumed asynchronously and the parent's callback
++ * deletes both the device and the parent itself, the parent object may
++ * be freed while this function is running, so avoid that by reference
++ * counting the parent once more unless the device has been deleted
++ * already (in which case return right away).
++ */
++ mutex_lock(&dpm_list_mtx);
++
++ if (!device_pm_initialized(dev)) {
++ mutex_unlock(&dpm_list_mtx);
++ return false;
++ }
++
++ parent = get_device(dev->parent);
++
++ mutex_unlock(&dpm_list_mtx);
++
++ dpm_wait(parent, async);
++ put_device(parent);
++
+ dpm_wait_for_suppliers(dev, async);
++
++ /*
++ * If the parent's callback has deleted the device, attempting to resume
++ * it would be invalid, so avoid doing that then.
++ */
++ return device_pm_initialized(dev);
+ }
+
+ static void dpm_wait_for_consumers(struct device *dev, bool async)
+@@ -621,7 +649,8 @@ static int device_resume_noirq(struct device *dev, pm_message_t state, bool asyn
+ if (!dev->power.is_noirq_suspended)
+ goto Out;
+
+- dpm_wait_for_superior(dev, async);
++ if (!dpm_wait_for_superior(dev, async))
++ goto Out;
+
+ skip_resume = dev_pm_may_skip_resume(dev);
+
+@@ -829,7 +858,8 @@ static int device_resume_early(struct device *dev, pm_message_t state, bool asyn
+ if (!dev->power.is_late_suspended)
+ goto Out;
+
+- dpm_wait_for_superior(dev, async);
++ if (!dpm_wait_for_superior(dev, async))
++ goto Out;
+
+ callback = dpm_subsys_resume_early_cb(dev, state, &info);
+
+@@ -944,7 +974,9 @@ static int device_resume(struct device *dev, pm_message_t state, bool async)
+ goto Complete;
+ }
+
+- dpm_wait_for_superior(dev, async);
++ if (!dpm_wait_for_superior(dev, async))
++ goto Complete;
++
+ dpm_watchdog_set(&wd, dev);
+ device_lock(dev);
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index b6bf5c195d94..a6dad2f6995a 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2867,7 +2867,7 @@ static int btusb_mtk_setup_firmware(struct hci_dev *hdev, const char *fwname)
+ err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params);
+ if (err < 0) {
+ bt_dev_err(hdev, "Failed to send wmt rst (%d)", err);
+- return err;
++ goto err_release_fw;
+ }
+
+ /* Wait a few moments for firmware activation done */
+@@ -3832,6 +3832,10 @@ static int btusb_probe(struct usb_interface *intf,
+ * (DEVICE_REMOTE_WAKEUP)
+ */
+ set_bit(BTUSB_WAKEUP_DISABLE, &data->flags);
++
++ err = usb_autopm_get_interface(intf);
++ if (err < 0)
++ goto out_free_dev;
+ }
+
+ if (id->driver_info & BTUSB_AMP) {
+diff --git a/drivers/clk/tegra/clk-tegra-periph.c b/drivers/clk/tegra/clk-tegra-periph.c
+index 0d07c0ba49b6..2b2a3b81c16b 100644
+--- a/drivers/clk/tegra/clk-tegra-periph.c
++++ b/drivers/clk/tegra/clk-tegra-periph.c
+@@ -777,7 +777,11 @@ static struct tegra_periph_init_data gate_clks[] = {
+ GATE("ahbdma", "hclk", 33, 0, tegra_clk_ahbdma, 0),
+ GATE("apbdma", "pclk", 34, 0, tegra_clk_apbdma, 0),
+ GATE("kbc", "clk_32k", 36, TEGRA_PERIPH_ON_APB | TEGRA_PERIPH_NO_RESET, tegra_clk_kbc, 0),
+- GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, 0),
++ /*
++ * Critical for RAM re-repair operation, which must occur on resume
++ * from LP1 system suspend and as part of CCPLEX cluster switching.
++ */
++ GATE("fuse", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse, CLK_IS_CRITICAL),
+ GATE("fuse_burn", "clk_m", 39, TEGRA_PERIPH_ON_APB, tegra_clk_fuse_burn, 0),
+ GATE("kfuse", "clk_m", 40, TEGRA_PERIPH_ON_APB, tegra_clk_kfuse, 0),
+ GATE("apbif", "clk_m", 107, TEGRA_PERIPH_ON_APB, tegra_clk_apbif, 0),
+diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
+index 8d8da763adc5..8910fd1ae3c6 100644
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -217,7 +217,7 @@ static int cppc_cpufreq_set_target(struct cpufreq_policy *policy,
+ return ret;
+ }
+
+-static int cppc_verify_policy(struct cpufreq_policy *policy)
++static int cppc_verify_policy(struct cpufreq_policy_data *policy)
+ {
+ cpufreq_verify_within_cpu_limits(policy);
+ return 0;
+diff --git a/drivers/cpufreq/cpufreq-nforce2.c b/drivers/cpufreq/cpufreq-nforce2.c
+index cd53272e2fa2..f7a7bcf6f52e 100644
+--- a/drivers/cpufreq/cpufreq-nforce2.c
++++ b/drivers/cpufreq/cpufreq-nforce2.c
+@@ -291,7 +291,7 @@ static int nforce2_target(struct cpufreq_policy *policy,
+ * nforce2_verify - verifies a new CPUFreq policy
+ * @policy: new policy
+ */
+-static int nforce2_verify(struct cpufreq_policy *policy)
++static int nforce2_verify(struct cpufreq_policy_data *policy)
+ {
+ unsigned int fsb_pol_max;
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 77114a3897fb..4adac3a8c265 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -74,6 +74,9 @@ static void cpufreq_exit_governor(struct cpufreq_policy *policy);
+ static int cpufreq_start_governor(struct cpufreq_policy *policy);
+ static void cpufreq_stop_governor(struct cpufreq_policy *policy);
+ static void cpufreq_governor_limits(struct cpufreq_policy *policy);
++static int cpufreq_set_policy(struct cpufreq_policy *policy,
++ struct cpufreq_governor *new_gov,
++ unsigned int new_pol);
+
+ /**
+ * Two notifier lists: the "policy" list is involved in the
+@@ -616,25 +619,22 @@ static struct cpufreq_governor *find_governor(const char *str_governor)
+ return NULL;
+ }
+
+-static int cpufreq_parse_policy(char *str_governor,
+- struct cpufreq_policy *policy)
++static unsigned int cpufreq_parse_policy(char *str_governor)
+ {
+- if (!strncasecmp(str_governor, "performance", CPUFREQ_NAME_LEN)) {
+- policy->policy = CPUFREQ_POLICY_PERFORMANCE;
+- return 0;
+- }
+- if (!strncasecmp(str_governor, "powersave", CPUFREQ_NAME_LEN)) {
+- policy->policy = CPUFREQ_POLICY_POWERSAVE;
+- return 0;
+- }
+- return -EINVAL;
++ if (!strncasecmp(str_governor, "performance", CPUFREQ_NAME_LEN))
++ return CPUFREQ_POLICY_PERFORMANCE;
++
++ if (!strncasecmp(str_governor, "powersave", CPUFREQ_NAME_LEN))
++ return CPUFREQ_POLICY_POWERSAVE;
++
++ return CPUFREQ_POLICY_UNKNOWN;
+ }
+
+ /**
+ * cpufreq_parse_governor - parse a governor string only for has_target()
++ * @str_governor: Governor name.
+ */
+-static int cpufreq_parse_governor(char *str_governor,
+- struct cpufreq_policy *policy)
++static struct cpufreq_governor *cpufreq_parse_governor(char *str_governor)
+ {
+ struct cpufreq_governor *t;
+
+@@ -648,7 +648,7 @@ static int cpufreq_parse_governor(char *str_governor,
+
+ ret = request_module("cpufreq_%s", str_governor);
+ if (ret)
+- return -EINVAL;
++ return NULL;
+
+ mutex_lock(&cpufreq_governor_mutex);
+
+@@ -659,12 +659,7 @@ static int cpufreq_parse_governor(char *str_governor,
+
+ mutex_unlock(&cpufreq_governor_mutex);
+
+- if (t) {
+- policy->governor = t;
+- return 0;
+- }
+-
+- return -EINVAL;
++ return t;
+ }
+
+ /**
+@@ -765,28 +760,33 @@ static ssize_t show_scaling_governor(struct cpufreq_policy *policy, char *buf)
+ static ssize_t store_scaling_governor(struct cpufreq_policy *policy,
+ const char *buf, size_t count)
+ {
++ char str_governor[16];
+ int ret;
+- char str_governor[16];
+- struct cpufreq_policy new_policy;
+-
+- memcpy(&new_policy, policy, sizeof(*policy));
+
+ ret = sscanf(buf, "%15s", str_governor);
+ if (ret != 1)
+ return -EINVAL;
+
+ if (cpufreq_driver->setpolicy) {
+- if (cpufreq_parse_policy(str_governor, &new_policy))
++ unsigned int new_pol;
++
++ new_pol = cpufreq_parse_policy(str_governor);
++ if (!new_pol)
+ return -EINVAL;
++
++ ret = cpufreq_set_policy(policy, NULL, new_pol);
+ } else {
+- if (cpufreq_parse_governor(str_governor, &new_policy))
++ struct cpufreq_governor *new_gov;
++
++ new_gov = cpufreq_parse_governor(str_governor);
++ if (!new_gov)
+ return -EINVAL;
+- }
+
+- ret = cpufreq_set_policy(policy, &new_policy);
++ ret = cpufreq_set_policy(policy, new_gov,
++ CPUFREQ_POLICY_UNKNOWN);
+
+- if (new_policy.governor)
+- module_put(new_policy.governor->owner);
++ module_put(new_gov->owner);
++ }
+
+ return ret ? ret : count;
+ }
+@@ -1053,40 +1053,33 @@ __weak struct cpufreq_governor *cpufreq_default_governor(void)
+
+ static int cpufreq_init_policy(struct cpufreq_policy *policy)
+ {
+- struct cpufreq_governor *gov = NULL, *def_gov = NULL;
+- struct cpufreq_policy new_policy;
+-
+- memcpy(&new_policy, policy, sizeof(*policy));
+-
+- def_gov = cpufreq_default_governor();
++ struct cpufreq_governor *def_gov = cpufreq_default_governor();
++ struct cpufreq_governor *gov = NULL;
++ unsigned int pol = CPUFREQ_POLICY_UNKNOWN;
+
+ if (has_target()) {
+- /*
+- * Update governor of new_policy to the governor used before
+- * hotplug
+- */
++ /* Update policy governor to the one used before hotplug. */
+ gov = find_governor(policy->last_governor);
+ if (gov) {
+ pr_debug("Restoring governor %s for cpu %d\n",
+- policy->governor->name, policy->cpu);
+- } else {
+- if (!def_gov)
+- return -ENODATA;
++ policy->governor->name, policy->cpu);
++ } else if (def_gov) {
+ gov = def_gov;
++ } else {
++ return -ENODATA;
+ }
+- new_policy.governor = gov;
+ } else {
+ /* Use the default policy if there is no last_policy. */
+ if (policy->last_policy) {
+- new_policy.policy = policy->last_policy;
++ pol = policy->last_policy;
++ } else if (def_gov) {
++ pol = cpufreq_parse_policy(def_gov->name);
+ } else {
+- if (!def_gov)
+- return -ENODATA;
+- cpufreq_parse_policy(def_gov->name, &new_policy);
++ return -ENODATA;
+ }
+ }
+
+- return cpufreq_set_policy(policy, &new_policy);
++ return cpufreq_set_policy(policy, gov, pol);
+ }
+
+ static int cpufreq_add_policy_cpu(struct cpufreq_policy *policy, unsigned int cpu)
+@@ -1114,13 +1107,10 @@ static int cpufreq_add_policy_cpu(struct cpufreq_policy *policy, unsigned int cp
+
+ void refresh_frequency_limits(struct cpufreq_policy *policy)
+ {
+- struct cpufreq_policy new_policy;
+-
+ if (!policy_is_inactive(policy)) {
+- new_policy = *policy;
+ pr_debug("updating policy for CPU %u\n", policy->cpu);
+
+- cpufreq_set_policy(policy, &new_policy);
++ cpufreq_set_policy(policy, policy->governor, policy->policy);
+ }
+ }
+ EXPORT_SYMBOL(refresh_frequency_limits);
+@@ -2364,46 +2354,49 @@ EXPORT_SYMBOL(cpufreq_get_policy);
+ /**
+ * cpufreq_set_policy - Modify cpufreq policy parameters.
+ * @policy: Policy object to modify.
+- * @new_policy: New policy data.
++ * @new_gov: Policy governor pointer.
++ * @new_pol: Policy value (for drivers with built-in governors).
+ *
+- * Pass @new_policy to the cpufreq driver's ->verify() callback. Next, copy the
+- * min and max parameters of @new_policy to @policy and either invoke the
+- * driver's ->setpolicy() callback (if present) or carry out a governor update
+- * for @policy. That is, run the current governor's ->limits() callback (if the
+- * governor field in @new_policy points to the same object as the one in
+- * @policy) or replace the governor for @policy with the new one stored in
+- * @new_policy.
++ * Invoke the cpufreq driver's ->verify() callback to sanity-check the frequency
++ * limits to be set for the policy, update @policy with the verified limits
++ * values and either invoke the driver's ->setpolicy() callback (if present) or
++ * carry out a governor update for @policy. That is, run the current governor's
++ * ->limits() callback (if @new_gov points to the same object as the one in
++ * @policy) or replace the governor for @policy with @new_gov.
+ *
+ * The cpuinfo part of @policy is not updated by this function.
+ */
+-int cpufreq_set_policy(struct cpufreq_policy *policy,
+- struct cpufreq_policy *new_policy)
++static int cpufreq_set_policy(struct cpufreq_policy *policy,
++ struct cpufreq_governor *new_gov,
++ unsigned int new_pol)
+ {
++ struct cpufreq_policy_data new_data;
+ struct cpufreq_governor *old_gov;
+ int ret;
+
+- pr_debug("setting new policy for CPU %u: %u - %u kHz\n",
+- new_policy->cpu, new_policy->min, new_policy->max);
+-
+- memcpy(&new_policy->cpuinfo, &policy->cpuinfo, sizeof(policy->cpuinfo));
+-
++ memcpy(&new_data.cpuinfo, &policy->cpuinfo, sizeof(policy->cpuinfo));
++ new_data.freq_table = policy->freq_table;
++ new_data.cpu = policy->cpu;
+ /*
+ * PM QoS framework collects all the requests from users and provide us
+ * the final aggregated value here.
+ */
+- new_policy->min = freq_qos_read_value(&policy->constraints, FREQ_QOS_MIN);
+- new_policy->max = freq_qos_read_value(&policy->constraints, FREQ_QOS_MAX);
++ new_data.min = freq_qos_read_value(&policy->constraints, FREQ_QOS_MIN);
++ new_data.max = freq_qos_read_value(&policy->constraints, FREQ_QOS_MAX);
++
++ pr_debug("setting new policy for CPU %u: %u - %u kHz\n",
++ new_data.cpu, new_data.min, new_data.max);
+
+ /*
+ * Verify that the CPU speed can be set within these limits and make sure
+ * that min <= max.
+ */
+- ret = cpufreq_driver->verify(new_policy);
++ ret = cpufreq_driver->verify(&new_data);
+ if (ret)
+ return ret;
+
+- policy->min = new_policy->min;
+- policy->max = new_policy->max;
++ policy->min = new_data.min;
++ policy->max = new_data.max;
+ trace_cpu_frequency_limits(policy);
+
+ policy->cached_target_freq = UINT_MAX;
+@@ -2412,12 +2405,12 @@ int cpufreq_set_policy(struct cpufreq_policy *policy,
+ policy->min, policy->max);
+
+ if (cpufreq_driver->setpolicy) {
+- policy->policy = new_policy->policy;
++ policy->policy = new_pol;
+ pr_debug("setting range\n");
+ return cpufreq_driver->setpolicy(policy);
+ }
+
+- if (new_policy->governor == policy->governor) {
++ if (new_gov == policy->governor) {
+ pr_debug("governor limits update\n");
+ cpufreq_governor_limits(policy);
+ return 0;
+@@ -2434,7 +2427,7 @@ int cpufreq_set_policy(struct cpufreq_policy *policy,
+ }
+
+ /* start new governor */
+- policy->governor = new_policy->governor;
++ policy->governor = new_gov;
+ ret = cpufreq_init_governor(policy);
+ if (!ret) {
+ ret = cpufreq_start_governor(policy);
+diff --git a/drivers/cpufreq/freq_table.c b/drivers/cpufreq/freq_table.c
+index ded427e0a488..e117b0059123 100644
+--- a/drivers/cpufreq/freq_table.c
++++ b/drivers/cpufreq/freq_table.c
+@@ -60,7 +60,7 @@ int cpufreq_frequency_table_cpuinfo(struct cpufreq_policy *policy,
+ return 0;
+ }
+
+-int cpufreq_frequency_table_verify(struct cpufreq_policy *policy,
++int cpufreq_frequency_table_verify(struct cpufreq_policy_data *policy,
+ struct cpufreq_frequency_table *table)
+ {
+ struct cpufreq_frequency_table *pos;
+@@ -100,7 +100,7 @@ EXPORT_SYMBOL_GPL(cpufreq_frequency_table_verify);
+ * Generic routine to verify policy & frequency table, requires driver to set
+ * policy->freq_table prior to it.
+ */
+-int cpufreq_generic_frequency_table_verify(struct cpufreq_policy *policy)
++int cpufreq_generic_frequency_table_verify(struct cpufreq_policy_data *policy)
+ {
+ if (!policy->freq_table)
+ return -ENODEV;
+diff --git a/drivers/cpufreq/gx-suspmod.c b/drivers/cpufreq/gx-suspmod.c
+index e97b5733aa24..75b3ef7ec679 100644
+--- a/drivers/cpufreq/gx-suspmod.c
++++ b/drivers/cpufreq/gx-suspmod.c
+@@ -328,7 +328,7 @@ static void gx_set_cpuspeed(struct cpufreq_policy *policy, unsigned int khz)
+ * for the hardware supported by the driver.
+ */
+
+-static int cpufreq_gx_verify(struct cpufreq_policy *policy)
++static int cpufreq_gx_verify(struct cpufreq_policy_data *policy)
+ {
+ unsigned int tmp_freq = 0;
+ u8 tmp1, tmp2;
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index d2fa3e9ccd97..e23e51230b89 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -2036,8 +2036,9 @@ static int intel_pstate_get_max_freq(struct cpudata *cpu)
+ cpu->pstate.max_freq : cpu->pstate.turbo_freq;
+ }
+
+-static void intel_pstate_update_perf_limits(struct cpufreq_policy *policy,
+- struct cpudata *cpu)
++static void intel_pstate_update_perf_limits(struct cpudata *cpu,
++ unsigned int policy_min,
++ unsigned int policy_max)
+ {
+ int max_freq = intel_pstate_get_max_freq(cpu);
+ int32_t max_policy_perf, min_policy_perf;
+@@ -2056,18 +2057,17 @@ static void intel_pstate_update_perf_limits(struct cpufreq_policy *policy,
+ turbo_max = cpu->pstate.turbo_pstate;
+ }
+
+- max_policy_perf = max_state * policy->max / max_freq;
+- if (policy->max == policy->min) {
++ max_policy_perf = max_state * policy_max / max_freq;
++ if (policy_max == policy_min) {
+ min_policy_perf = max_policy_perf;
+ } else {
+- min_policy_perf = max_state * policy->min / max_freq;
++ min_policy_perf = max_state * policy_min / max_freq;
+ min_policy_perf = clamp_t(int32_t, min_policy_perf,
+ 0, max_policy_perf);
+ }
+
+ pr_debug("cpu:%d max_state %d min_policy_perf:%d max_policy_perf:%d\n",
+- policy->cpu, max_state,
+- min_policy_perf, max_policy_perf);
++ cpu->cpu, max_state, min_policy_perf, max_policy_perf);
+
+ /* Normalize user input to [min_perf, max_perf] */
+ if (per_cpu_limits) {
+@@ -2081,7 +2081,7 @@ static void intel_pstate_update_perf_limits(struct cpufreq_policy *policy,
+ global_min = DIV_ROUND_UP(turbo_max * global.min_perf_pct, 100);
+ global_min = clamp_t(int32_t, global_min, 0, global_max);
+
+- pr_debug("cpu:%d global_min:%d global_max:%d\n", policy->cpu,
++ pr_debug("cpu:%d global_min:%d global_max:%d\n", cpu->cpu,
+ global_min, global_max);
+
+ cpu->min_perf_ratio = max(min_policy_perf, global_min);
+@@ -2094,7 +2094,7 @@ static void intel_pstate_update_perf_limits(struct cpufreq_policy *policy,
+ cpu->max_perf_ratio);
+
+ }
+- pr_debug("cpu:%d max_perf_ratio:%d min_perf_ratio:%d\n", policy->cpu,
++ pr_debug("cpu:%d max_perf_ratio:%d min_perf_ratio:%d\n", cpu->cpu,
+ cpu->max_perf_ratio,
+ cpu->min_perf_ratio);
+ }
+@@ -2114,7 +2114,7 @@ static int intel_pstate_set_policy(struct cpufreq_policy *policy)
+
+ mutex_lock(&intel_pstate_limits_lock);
+
+- intel_pstate_update_perf_limits(policy, cpu);
++ intel_pstate_update_perf_limits(cpu, policy->min, policy->max);
+
+ if (cpu->policy == CPUFREQ_POLICY_PERFORMANCE) {
+ /*
+@@ -2143,8 +2143,8 @@ static int intel_pstate_set_policy(struct cpufreq_policy *policy)
+ return 0;
+ }
+
+-static void intel_pstate_adjust_policy_max(struct cpufreq_policy *policy,
+- struct cpudata *cpu)
++static void intel_pstate_adjust_policy_max(struct cpudata *cpu,
++ struct cpufreq_policy_data *policy)
+ {
+ if (!hwp_active &&
+ cpu->pstate.max_pstate_physical > cpu->pstate.max_pstate &&
+@@ -2155,7 +2155,7 @@ static void intel_pstate_adjust_policy_max(struct cpufreq_policy *policy,
+ }
+ }
+
+-static int intel_pstate_verify_policy(struct cpufreq_policy *policy)
++static int intel_pstate_verify_policy(struct cpufreq_policy_data *policy)
+ {
+ struct cpudata *cpu = all_cpu_data[policy->cpu];
+
+@@ -2163,11 +2163,7 @@ static int intel_pstate_verify_policy(struct cpufreq_policy *policy)
+ cpufreq_verify_within_limits(policy, policy->cpuinfo.min_freq,
+ intel_pstate_get_max_freq(cpu));
+
+- if (policy->policy != CPUFREQ_POLICY_POWERSAVE &&
+- policy->policy != CPUFREQ_POLICY_PERFORMANCE)
+- return -EINVAL;
+-
+- intel_pstate_adjust_policy_max(policy, cpu);
++ intel_pstate_adjust_policy_max(cpu, policy);
+
+ return 0;
+ }
+@@ -2268,7 +2264,7 @@ static struct cpufreq_driver intel_pstate = {
+ .name = "intel_pstate",
+ };
+
+-static int intel_cpufreq_verify_policy(struct cpufreq_policy *policy)
++static int intel_cpufreq_verify_policy(struct cpufreq_policy_data *policy)
+ {
+ struct cpudata *cpu = all_cpu_data[policy->cpu];
+
+@@ -2276,9 +2272,9 @@ static int intel_cpufreq_verify_policy(struct cpufreq_policy *policy)
+ cpufreq_verify_within_limits(policy, policy->cpuinfo.min_freq,
+ intel_pstate_get_max_freq(cpu));
+
+- intel_pstate_adjust_policy_max(policy, cpu);
++ intel_pstate_adjust_policy_max(cpu, policy);
+
+- intel_pstate_update_perf_limits(policy, cpu);
++ intel_pstate_update_perf_limits(cpu, policy->min, policy->max);
+
+ return 0;
+ }
+diff --git a/drivers/cpufreq/longrun.c b/drivers/cpufreq/longrun.c
+index 64b8689f7a4a..0b08be8bff76 100644
+--- a/drivers/cpufreq/longrun.c
++++ b/drivers/cpufreq/longrun.c
+@@ -122,7 +122,7 @@ static int longrun_set_policy(struct cpufreq_policy *policy)
+ * Validates a new CPUFreq policy. This function has to be called with
+ * cpufreq_driver locked.
+ */
+-static int longrun_verify_policy(struct cpufreq_policy *policy)
++static int longrun_verify_policy(struct cpufreq_policy_data *policy)
+ {
+ if (!policy)
+ return -EINVAL;
+@@ -130,10 +130,6 @@ static int longrun_verify_policy(struct cpufreq_policy *policy)
+ policy->cpu = 0;
+ cpufreq_verify_within_cpu_limits(policy);
+
+- if ((policy->policy != CPUFREQ_POLICY_POWERSAVE) &&
+- (policy->policy != CPUFREQ_POLICY_PERFORMANCE))
+- return -EINVAL;
+-
+ return 0;
+ }
+
+diff --git a/drivers/cpufreq/pcc-cpufreq.c b/drivers/cpufreq/pcc-cpufreq.c
+index fdc767fdbe6a..f90273006553 100644
+--- a/drivers/cpufreq/pcc-cpufreq.c
++++ b/drivers/cpufreq/pcc-cpufreq.c
+@@ -109,7 +109,7 @@ struct pcc_cpu {
+
+ static struct pcc_cpu __percpu *pcc_cpu_info;
+
+-static int pcc_cpufreq_verify(struct cpufreq_policy *policy)
++static int pcc_cpufreq_verify(struct cpufreq_policy_data *policy)
+ {
+ cpufreq_verify_within_cpu_limits(policy);
+ return 0;
+diff --git a/drivers/cpufreq/sh-cpufreq.c b/drivers/cpufreq/sh-cpufreq.c
+index 5096c0ab781b..0ac265d47ef0 100644
+--- a/drivers/cpufreq/sh-cpufreq.c
++++ b/drivers/cpufreq/sh-cpufreq.c
+@@ -87,7 +87,7 @@ static int sh_cpufreq_target(struct cpufreq_policy *policy,
+ return work_on_cpu(policy->cpu, __sh_cpufreq_target, &data);
+ }
+
+-static int sh_cpufreq_verify(struct cpufreq_policy *policy)
++static int sh_cpufreq_verify(struct cpufreq_policy_data *policy)
+ {
+ struct clk *cpuclk = &per_cpu(sh_cpuclk, policy->cpu);
+ struct cpufreq_frequency_table *freq_table;
+diff --git a/drivers/cpufreq/unicore2-cpufreq.c b/drivers/cpufreq/unicore2-cpufreq.c
+index 707dbc1b7ac8..98d392196df2 100644
+--- a/drivers/cpufreq/unicore2-cpufreq.c
++++ b/drivers/cpufreq/unicore2-cpufreq.c
+@@ -22,7 +22,7 @@ static struct cpufreq_driver ucv2_driver;
+ /* make sure that only the "userspace" governor is run
+ * -- anything else wouldn't make sense on this platform, anyway.
+ */
+-static int ucv2_verify_speed(struct cpufreq_policy *policy)
++static int ucv2_verify_speed(struct cpufreq_policy_data *policy)
+ {
+ if (policy->cpu)
+ return -EINVAL;
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c
+index 73a7649f915d..9e8b8dede920 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c
+@@ -624,7 +624,7 @@ error_alg:
+ error_irq:
+ sun8i_ce_pm_exit(ce);
+ error_pm:
+- sun8i_ce_free_chanlist(ce, MAXFLOW);
++ sun8i_ce_free_chanlist(ce, MAXFLOW - 1);
+ return err;
+ }
+
+@@ -638,7 +638,7 @@ static int sun8i_ce_remove(struct platform_device *pdev)
+ debugfs_remove_recursive(ce->dbgfs_dir);
+ #endif
+
+- sun8i_ce_free_chanlist(ce, MAXFLOW);
++ sun8i_ce_free_chanlist(ce, MAXFLOW - 1);
+
+ sun8i_ce_pm_exit(ce);
+ return 0;
+diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
+index 90997cc509b8..6b301afffd11 100644
+--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
++++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
+@@ -595,7 +595,7 @@ error_alg:
+ error_irq:
+ sun8i_ss_pm_exit(ss);
+ error_pm:
+- sun8i_ss_free_flows(ss, MAXFLOW);
++ sun8i_ss_free_flows(ss, MAXFLOW - 1);
+ return err;
+ }
+
+@@ -609,7 +609,7 @@ static int sun8i_ss_remove(struct platform_device *pdev)
+ debugfs_remove_recursive(ss->dbgfs_dir);
+ #endif
+
+- sun8i_ss_free_flows(ss, MAXFLOW);
++ sun8i_ss_free_flows(ss, MAXFLOW - 1);
+
+ sun8i_ss_pm_exit(ss);
+
+diff --git a/drivers/crypto/amlogic/amlogic-gxl-core.c b/drivers/crypto/amlogic/amlogic-gxl-core.c
+index fa05fce1c0de..9d4ead2f7ebb 100644
+--- a/drivers/crypto/amlogic/amlogic-gxl-core.c
++++ b/drivers/crypto/amlogic/amlogic-gxl-core.c
+@@ -289,7 +289,7 @@ static int meson_crypto_probe(struct platform_device *pdev)
+ error_alg:
+ meson_unregister_algs(mc);
+ error_flow:
+- meson_free_chanlist(mc, MAXFLOW);
++ meson_free_chanlist(mc, MAXFLOW - 1);
+ clk_disable_unprepare(mc->busclk);
+ return err;
+ }
+@@ -304,7 +304,7 @@ static int meson_crypto_remove(struct platform_device *pdev)
+
+ meson_unregister_algs(mc);
+
+- meson_free_chanlist(mc, MAXFLOW);
++ meson_free_chanlist(mc, MAXFLOW - 1);
+
+ clk_disable_unprepare(mc->busclk);
+ return 0;
+diff --git a/drivers/crypto/atmel-aes.c b/drivers/crypto/atmel-aes.c
+index 91092504bc96..b4dee726b253 100644
+--- a/drivers/crypto/atmel-aes.c
++++ b/drivers/crypto/atmel-aes.c
+@@ -89,7 +89,6 @@
+ struct atmel_aes_caps {
+ bool has_dualbuff;
+ bool has_cfb64;
+- bool has_ctr32;
+ bool has_gcm;
+ bool has_xts;
+ bool has_authenc;
+@@ -122,6 +121,7 @@ struct atmel_aes_ctr_ctx {
+ size_t offset;
+ struct scatterlist src[2];
+ struct scatterlist dst[2];
++ u32 blocks;
+ };
+
+ struct atmel_aes_gcm_ctx {
+@@ -514,8 +514,37 @@ static void atmel_aes_set_iv_as_last_ciphertext_block(struct atmel_aes_dev *dd)
+ }
+ }
+
++static inline struct atmel_aes_ctr_ctx *
++atmel_aes_ctr_ctx_cast(struct atmel_aes_base_ctx *ctx)
++{
++ return container_of(ctx, struct atmel_aes_ctr_ctx, base);
++}
++
++static void atmel_aes_ctr_update_req_iv(struct atmel_aes_dev *dd)
++{
++ struct atmel_aes_ctr_ctx *ctx = atmel_aes_ctr_ctx_cast(dd->ctx);
++ struct skcipher_request *req = skcipher_request_cast(dd->areq);
++ struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req);
++ unsigned int ivsize = crypto_skcipher_ivsize(skcipher);
++ int i;
++
++ /*
++ * The CTR transfer works in fragments of data of maximum 1 MByte
++ * because of the 16 bit CTR counter embedded in the IP. When reaching
++ * here, ctx->blocks contains the number of blocks of the last fragment
++ * processed, there is no need to explicit cast it to u16.
++ */
++ for (i = 0; i < ctx->blocks; i++)
++ crypto_inc((u8 *)ctx->iv, AES_BLOCK_SIZE);
++
++ memcpy(req->iv, ctx->iv, ivsize);
++}
++
+ static inline int atmel_aes_complete(struct atmel_aes_dev *dd, int err)
+ {
++ struct skcipher_request *req = skcipher_request_cast(dd->areq);
++ struct atmel_aes_reqctx *rctx = skcipher_request_ctx(req);
++
+ #if IS_ENABLED(CONFIG_CRYPTO_DEV_ATMEL_AUTHENC)
+ if (dd->ctx->is_aead)
+ atmel_aes_authenc_complete(dd, err);
+@@ -524,8 +553,13 @@ static inline int atmel_aes_complete(struct atmel_aes_dev *dd, int err)
+ clk_disable(dd->iclk);
+ dd->flags &= ~AES_FLAGS_BUSY;
+
+- if (!dd->ctx->is_aead)
+- atmel_aes_set_iv_as_last_ciphertext_block(dd);
++ if (!dd->ctx->is_aead &&
++ (rctx->mode & AES_FLAGS_OPMODE_MASK) != AES_FLAGS_ECB) {
++ if ((rctx->mode & AES_FLAGS_OPMODE_MASK) != AES_FLAGS_CTR)
++ atmel_aes_set_iv_as_last_ciphertext_block(dd);
++ else
++ atmel_aes_ctr_update_req_iv(dd);
++ }
+
+ if (dd->is_async)
+ dd->areq->complete(dd->areq, err);
+@@ -1004,19 +1038,14 @@ static int atmel_aes_start(struct atmel_aes_dev *dd)
+ atmel_aes_transfer_complete);
+ }
+
+-static inline struct atmel_aes_ctr_ctx *
+-atmel_aes_ctr_ctx_cast(struct atmel_aes_base_ctx *ctx)
+-{
+- return container_of(ctx, struct atmel_aes_ctr_ctx, base);
+-}
+-
+ static int atmel_aes_ctr_transfer(struct atmel_aes_dev *dd)
+ {
+ struct atmel_aes_ctr_ctx *ctx = atmel_aes_ctr_ctx_cast(dd->ctx);
+ struct skcipher_request *req = skcipher_request_cast(dd->areq);
+ struct scatterlist *src, *dst;
+- u32 ctr, blocks;
+ size_t datalen;
++ u32 ctr;
++ u16 start, end;
+ bool use_dma, fragmented = false;
+
+ /* Check for transfer completion. */
+@@ -1026,29 +1055,19 @@ static int atmel_aes_ctr_transfer(struct atmel_aes_dev *dd)
+
+ /* Compute data length. */
+ datalen = req->cryptlen - ctx->offset;
+- blocks = DIV_ROUND_UP(datalen, AES_BLOCK_SIZE);
++ ctx->blocks = DIV_ROUND_UP(datalen, AES_BLOCK_SIZE);
+ ctr = be32_to_cpu(ctx->iv[3]);
+- if (dd->caps.has_ctr32) {
+- /* Check 32bit counter overflow. */
+- u32 start = ctr;
+- u32 end = start + blocks - 1;
+-
+- if (end < start) {
+- ctr |= 0xffffffff;
+- datalen = AES_BLOCK_SIZE * -start;
+- fragmented = true;
+- }
+- } else {
+- /* Check 16bit counter overflow. */
+- u16 start = ctr & 0xffff;
+- u16 end = start + (u16)blocks - 1;
+-
+- if (blocks >> 16 || end < start) {
+- ctr |= 0xffff;
+- datalen = AES_BLOCK_SIZE * (0x10000-start);
+- fragmented = true;
+- }
++
++ /* Check 16bit counter overflow. */
++ start = ctr & 0xffff;
++ end = start + ctx->blocks - 1;
++
++ if (ctx->blocks >> 16 || end < start) {
++ ctr |= 0xffff;
++ datalen = AES_BLOCK_SIZE * (0x10000 - start);
++ fragmented = true;
+ }
++
+ use_dma = (datalen >= ATMEL_AES_DMA_THRESHOLD);
+
+ /* Jump to offset. */
+@@ -1131,7 +1150,8 @@ static int atmel_aes_crypt(struct skcipher_request *req, unsigned long mode)
+ rctx = skcipher_request_ctx(req);
+ rctx->mode = mode;
+
+- if (!(mode & AES_FLAGS_ENCRYPT) && (req->src == req->dst)) {
++ if ((mode & AES_FLAGS_OPMODE_MASK) != AES_FLAGS_ECB &&
++ !(mode & AES_FLAGS_ENCRYPT) && req->src == req->dst) {
+ unsigned int ivsize = crypto_skcipher_ivsize(skcipher);
+
+ if (req->cryptlen >= ivsize)
+@@ -2533,7 +2553,6 @@ static void atmel_aes_get_cap(struct atmel_aes_dev *dd)
+ {
+ dd->caps.has_dualbuff = 0;
+ dd->caps.has_cfb64 = 0;
+- dd->caps.has_ctr32 = 0;
+ dd->caps.has_gcm = 0;
+ dd->caps.has_xts = 0;
+ dd->caps.has_authenc = 0;
+@@ -2544,7 +2563,6 @@ static void atmel_aes_get_cap(struct atmel_aes_dev *dd)
+ case 0x500:
+ dd->caps.has_dualbuff = 1;
+ dd->caps.has_cfb64 = 1;
+- dd->caps.has_ctr32 = 1;
+ dd->caps.has_gcm = 1;
+ dd->caps.has_xts = 1;
+ dd->caps.has_authenc = 1;
+@@ -2553,7 +2571,6 @@ static void atmel_aes_get_cap(struct atmel_aes_dev *dd)
+ case 0x200:
+ dd->caps.has_dualbuff = 1;
+ dd->caps.has_cfb64 = 1;
+- dd->caps.has_ctr32 = 1;
+ dd->caps.has_gcm = 1;
+ dd->caps.max_burst_size = 4;
+ break;
+diff --git a/drivers/crypto/atmel-tdes.c b/drivers/crypto/atmel-tdes.c
+index 0c1f79b30fc1..fde34846b017 100644
+--- a/drivers/crypto/atmel-tdes.c
++++ b/drivers/crypto/atmel-tdes.c
+@@ -41,20 +41,23 @@
+ #include "atmel-tdes-regs.h"
+
+ /* TDES flags */
+-#define TDES_FLAGS_MODE_MASK 0x00ff
+-#define TDES_FLAGS_ENCRYPT BIT(0)
+-#define TDES_FLAGS_CBC BIT(1)
+-#define TDES_FLAGS_CFB BIT(2)
+-#define TDES_FLAGS_CFB8 BIT(3)
+-#define TDES_FLAGS_CFB16 BIT(4)
+-#define TDES_FLAGS_CFB32 BIT(5)
+-#define TDES_FLAGS_CFB64 BIT(6)
+-#define TDES_FLAGS_OFB BIT(7)
+-
+-#define TDES_FLAGS_INIT BIT(16)
+-#define TDES_FLAGS_FAST BIT(17)
+-#define TDES_FLAGS_BUSY BIT(18)
+-#define TDES_FLAGS_DMA BIT(19)
++/* Reserve bits [17:16], [13:12], [2:0] for AES Mode Register */
++#define TDES_FLAGS_ENCRYPT TDES_MR_CYPHER_ENC
++#define TDES_FLAGS_OPMODE_MASK (TDES_MR_OPMOD_MASK | TDES_MR_CFBS_MASK)
++#define TDES_FLAGS_ECB TDES_MR_OPMOD_ECB
++#define TDES_FLAGS_CBC TDES_MR_OPMOD_CBC
++#define TDES_FLAGS_OFB TDES_MR_OPMOD_OFB
++#define TDES_FLAGS_CFB64 (TDES_MR_OPMOD_CFB | TDES_MR_CFBS_64b)
++#define TDES_FLAGS_CFB32 (TDES_MR_OPMOD_CFB | TDES_MR_CFBS_32b)
++#define TDES_FLAGS_CFB16 (TDES_MR_OPMOD_CFB | TDES_MR_CFBS_16b)
++#define TDES_FLAGS_CFB8 (TDES_MR_OPMOD_CFB | TDES_MR_CFBS_8b)
++
++#define TDES_FLAGS_MODE_MASK (TDES_FLAGS_OPMODE_MASK | TDES_FLAGS_ENCRYPT)
++
++#define TDES_FLAGS_INIT BIT(3)
++#define TDES_FLAGS_FAST BIT(4)
++#define TDES_FLAGS_BUSY BIT(5)
++#define TDES_FLAGS_DMA BIT(6)
+
+ #define ATMEL_TDES_QUEUE_LENGTH 50
+
+@@ -282,25 +285,7 @@ static int atmel_tdes_write_ctrl(struct atmel_tdes_dev *dd)
+ valmr |= TDES_MR_TDESMOD_DES;
+ }
+
+- if (dd->flags & TDES_FLAGS_CBC) {
+- valmr |= TDES_MR_OPMOD_CBC;
+- } else if (dd->flags & TDES_FLAGS_CFB) {
+- valmr |= TDES_MR_OPMOD_CFB;
+-
+- if (dd->flags & TDES_FLAGS_CFB8)
+- valmr |= TDES_MR_CFBS_8b;
+- else if (dd->flags & TDES_FLAGS_CFB16)
+- valmr |= TDES_MR_CFBS_16b;
+- else if (dd->flags & TDES_FLAGS_CFB32)
+- valmr |= TDES_MR_CFBS_32b;
+- else if (dd->flags & TDES_FLAGS_CFB64)
+- valmr |= TDES_MR_CFBS_64b;
+- } else if (dd->flags & TDES_FLAGS_OFB) {
+- valmr |= TDES_MR_OPMOD_OFB;
+- }
+-
+- if ((dd->flags & TDES_FLAGS_ENCRYPT) || (dd->flags & TDES_FLAGS_OFB))
+- valmr |= TDES_MR_CYPHER_ENC;
++ valmr |= dd->flags & TDES_FLAGS_MODE_MASK;
+
+ atmel_tdes_write(dd, TDES_CR, valcr);
+ atmel_tdes_write(dd, TDES_MR, valmr);
+@@ -308,10 +293,8 @@ static int atmel_tdes_write_ctrl(struct atmel_tdes_dev *dd)
+ atmel_tdes_write_n(dd, TDES_KEY1W1R, dd->ctx->key,
+ dd->ctx->keylen >> 2);
+
+- if (((dd->flags & TDES_FLAGS_CBC) || (dd->flags & TDES_FLAGS_CFB) ||
+- (dd->flags & TDES_FLAGS_OFB)) && dd->req->iv) {
++ if (dd->req->iv && (valmr & TDES_MR_OPMOD_MASK) != TDES_MR_OPMOD_ECB)
+ atmel_tdes_write_n(dd, TDES_IV1R, (void *)dd->req->iv, 2);
+- }
+
+ return 0;
+ }
+@@ -402,6 +385,7 @@ static int atmel_tdes_crypt_pdc(struct crypto_tfm *tfm, dma_addr_t dma_addr_in,
+ {
+ struct atmel_tdes_ctx *ctx = crypto_tfm_ctx(tfm);
+ struct atmel_tdes_dev *dd = ctx->dd;
++ struct atmel_tdes_reqctx *rctx = skcipher_request_ctx(dd->req);
+ int len32;
+
+ dd->dma_size = length;
+@@ -411,12 +395,19 @@ static int atmel_tdes_crypt_pdc(struct crypto_tfm *tfm, dma_addr_t dma_addr_in,
+ DMA_TO_DEVICE);
+ }
+
+- if ((dd->flags & TDES_FLAGS_CFB) && (dd->flags & TDES_FLAGS_CFB8))
++ switch (rctx->mode & TDES_FLAGS_OPMODE_MASK) {
++ case TDES_FLAGS_CFB8:
+ len32 = DIV_ROUND_UP(length, sizeof(u8));
+- else if ((dd->flags & TDES_FLAGS_CFB) && (dd->flags & TDES_FLAGS_CFB16))
++ break;
++
++ case TDES_FLAGS_CFB16:
+ len32 = DIV_ROUND_UP(length, sizeof(u16));
+- else
++ break;
++
++ default:
+ len32 = DIV_ROUND_UP(length, sizeof(u32));
++ break;
++ }
+
+ atmel_tdes_write(dd, TDES_PTCR, TDES_PTCR_TXTDIS|TDES_PTCR_RXTDIS);
+ atmel_tdes_write(dd, TDES_TPR, dma_addr_in);
+@@ -438,8 +429,10 @@ static int atmel_tdes_crypt_dma(struct crypto_tfm *tfm, dma_addr_t dma_addr_in,
+ {
+ struct atmel_tdes_ctx *ctx = crypto_tfm_ctx(tfm);
+ struct atmel_tdes_dev *dd = ctx->dd;
++ struct atmel_tdes_reqctx *rctx = skcipher_request_ctx(dd->req);
+ struct scatterlist sg[2];
+ struct dma_async_tx_descriptor *in_desc, *out_desc;
++ enum dma_slave_buswidth addr_width;
+
+ dd->dma_size = length;
+
+@@ -448,23 +441,23 @@ static int atmel_tdes_crypt_dma(struct crypto_tfm *tfm, dma_addr_t dma_addr_in,
+ DMA_TO_DEVICE);
+ }
+
+- if (dd->flags & TDES_FLAGS_CFB8) {
+- dd->dma_lch_in.dma_conf.dst_addr_width =
+- DMA_SLAVE_BUSWIDTH_1_BYTE;
+- dd->dma_lch_out.dma_conf.src_addr_width =
+- DMA_SLAVE_BUSWIDTH_1_BYTE;
+- } else if (dd->flags & TDES_FLAGS_CFB16) {
+- dd->dma_lch_in.dma_conf.dst_addr_width =
+- DMA_SLAVE_BUSWIDTH_2_BYTES;
+- dd->dma_lch_out.dma_conf.src_addr_width =
+- DMA_SLAVE_BUSWIDTH_2_BYTES;
+- } else {
+- dd->dma_lch_in.dma_conf.dst_addr_width =
+- DMA_SLAVE_BUSWIDTH_4_BYTES;
+- dd->dma_lch_out.dma_conf.src_addr_width =
+- DMA_SLAVE_BUSWIDTH_4_BYTES;
++ switch (rctx->mode & TDES_FLAGS_OPMODE_MASK) {
++ case TDES_FLAGS_CFB8:
++ addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
++ break;
++
++ case TDES_FLAGS_CFB16:
++ addr_width = DMA_SLAVE_BUSWIDTH_2_BYTES;
++ break;
++
++ default:
++ addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
++ break;
+ }
+
++ dd->dma_lch_in.dma_conf.dst_addr_width = addr_width;
++ dd->dma_lch_out.dma_conf.src_addr_width = addr_width;
++
+ dmaengine_slave_config(dd->dma_lch_in.chan, &dd->dma_lch_in.dma_conf);
+ dmaengine_slave_config(dd->dma_lch_out.chan, &dd->dma_lch_out.dma_conf);
+
+@@ -600,12 +593,14 @@ atmel_tdes_set_iv_as_last_ciphertext_block(struct atmel_tdes_dev *dd)
+ static void atmel_tdes_finish_req(struct atmel_tdes_dev *dd, int err)
+ {
+ struct skcipher_request *req = dd->req;
++ struct atmel_tdes_reqctx *rctx = skcipher_request_ctx(req);
+
+ clk_disable_unprepare(dd->iclk);
+
+ dd->flags &= ~TDES_FLAGS_BUSY;
+
+- atmel_tdes_set_iv_as_last_ciphertext_block(dd);
++ if ((rctx->mode & TDES_FLAGS_OPMODE_MASK) != TDES_FLAGS_ECB)
++ atmel_tdes_set_iv_as_last_ciphertext_block(dd);
+
+ req->base.complete(&req->base, err);
+ }
+@@ -699,35 +694,44 @@ static int atmel_tdes_crypt(struct skcipher_request *req, unsigned long mode)
+ struct atmel_tdes_ctx *ctx = crypto_skcipher_ctx(skcipher);
+ struct atmel_tdes_reqctx *rctx = skcipher_request_ctx(req);
+
+- if (mode & TDES_FLAGS_CFB8) {
++ switch (mode & TDES_FLAGS_OPMODE_MASK) {
++ case TDES_FLAGS_CFB8:
+ if (!IS_ALIGNED(req->cryptlen, CFB8_BLOCK_SIZE)) {
+ pr_err("request size is not exact amount of CFB8 blocks\n");
+ return -EINVAL;
+ }
+ ctx->block_size = CFB8_BLOCK_SIZE;
+- } else if (mode & TDES_FLAGS_CFB16) {
++ break;
++
++ case TDES_FLAGS_CFB16:
+ if (!IS_ALIGNED(req->cryptlen, CFB16_BLOCK_SIZE)) {
+ pr_err("request size is not exact amount of CFB16 blocks\n");
+ return -EINVAL;
+ }
+ ctx->block_size = CFB16_BLOCK_SIZE;
+- } else if (mode & TDES_FLAGS_CFB32) {
++ break;
++
++ case TDES_FLAGS_CFB32:
+ if (!IS_ALIGNED(req->cryptlen, CFB32_BLOCK_SIZE)) {
+ pr_err("request size is not exact amount of CFB32 blocks\n");
+ return -EINVAL;
+ }
+ ctx->block_size = CFB32_BLOCK_SIZE;
+- } else {
++ break;
++
++ default:
+ if (!IS_ALIGNED(req->cryptlen, DES_BLOCK_SIZE)) {
+ pr_err("request size is not exact amount of DES blocks\n");
+ return -EINVAL;
+ }
+ ctx->block_size = DES_BLOCK_SIZE;
++ break;
+ }
+
+ rctx->mode = mode;
+
+- if (!(mode & TDES_FLAGS_ENCRYPT) && req->src == req->dst) {
++ if ((mode & TDES_FLAGS_OPMODE_MASK) != TDES_FLAGS_ECB &&
++ !(mode & TDES_FLAGS_ENCRYPT) && req->src == req->dst) {
+ unsigned int ivsize = crypto_skcipher_ivsize(skcipher);
+
+ if (req->cryptlen >= ivsize)
+@@ -841,17 +845,17 @@ static int atmel_tdes_setkey(struct crypto_skcipher *tfm, const u8 *key,
+
+ static int atmel_tdes_ecb_encrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_ENCRYPT);
++ return atmel_tdes_crypt(req, TDES_FLAGS_ECB | TDES_FLAGS_ENCRYPT);
+ }
+
+ static int atmel_tdes_ecb_decrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, 0);
++ return atmel_tdes_crypt(req, TDES_FLAGS_ECB);
+ }
+
+ static int atmel_tdes_cbc_encrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_ENCRYPT | TDES_FLAGS_CBC);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CBC | TDES_FLAGS_ENCRYPT);
+ }
+
+ static int atmel_tdes_cbc_decrypt(struct skcipher_request *req)
+@@ -860,50 +864,47 @@ static int atmel_tdes_cbc_decrypt(struct skcipher_request *req)
+ }
+ static int atmel_tdes_cfb_encrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_ENCRYPT | TDES_FLAGS_CFB);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CFB64 | TDES_FLAGS_ENCRYPT);
+ }
+
+ static int atmel_tdes_cfb_decrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_CFB);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CFB64);
+ }
+
+ static int atmel_tdes_cfb8_encrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_ENCRYPT | TDES_FLAGS_CFB |
+- TDES_FLAGS_CFB8);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CFB8 | TDES_FLAGS_ENCRYPT);
+ }
+
+ static int atmel_tdes_cfb8_decrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_CFB | TDES_FLAGS_CFB8);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CFB8);
+ }
+
+ static int atmel_tdes_cfb16_encrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_ENCRYPT | TDES_FLAGS_CFB |
+- TDES_FLAGS_CFB16);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CFB16 | TDES_FLAGS_ENCRYPT);
+ }
+
+ static int atmel_tdes_cfb16_decrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_CFB | TDES_FLAGS_CFB16);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CFB16);
+ }
+
+ static int atmel_tdes_cfb32_encrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_ENCRYPT | TDES_FLAGS_CFB |
+- TDES_FLAGS_CFB32);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CFB32 | TDES_FLAGS_ENCRYPT);
+ }
+
+ static int atmel_tdes_cfb32_decrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_CFB | TDES_FLAGS_CFB32);
++ return atmel_tdes_crypt(req, TDES_FLAGS_CFB32);
+ }
+
+ static int atmel_tdes_ofb_encrypt(struct skcipher_request *req)
+ {
+- return atmel_tdes_crypt(req, TDES_FLAGS_ENCRYPT | TDES_FLAGS_OFB);
++ return atmel_tdes_crypt(req, TDES_FLAGS_OFB | TDES_FLAGS_ENCRYPT);
+ }
+
+ static int atmel_tdes_ofb_decrypt(struct skcipher_request *req)
+diff --git a/drivers/crypto/ccp/ccp-dev-v3.c b/drivers/crypto/ccp/ccp-dev-v3.c
+index 0186b3df4c87..0d5576f6ad21 100644
+--- a/drivers/crypto/ccp/ccp-dev-v3.c
++++ b/drivers/crypto/ccp/ccp-dev-v3.c
+@@ -586,6 +586,7 @@ const struct ccp_vdata ccpv3_platform = {
+ .setup = NULL,
+ .perform = &ccp3_actions,
+ .offset = 0,
++ .rsamax = CCP_RSA_MAX_WIDTH,
+ };
+
+ const struct ccp_vdata ccpv3 = {
+diff --git a/drivers/crypto/ccree/cc_aead.c b/drivers/crypto/ccree/cc_aead.c
+index 64d318dc0d47..22d3e0e8b68c 100644
+--- a/drivers/crypto/ccree/cc_aead.c
++++ b/drivers/crypto/ccree/cc_aead.c
+@@ -237,7 +237,7 @@ static void cc_aead_complete(struct device *dev, void *cc_req, int err)
+ * revealed the decrypted message --> zero its memory.
+ */
+ sg_zero_buffer(areq->dst, sg_nents(areq->dst),
+- areq->cryptlen, 0);
++ areq->cryptlen, areq->assoclen);
+ err = -EBADMSG;
+ }
+ /*ENCRYPT*/
+diff --git a/drivers/crypto/ccree/cc_cipher.c b/drivers/crypto/ccree/cc_cipher.c
+index 3112b58d0bb1..56c9a8f26435 100644
+--- a/drivers/crypto/ccree/cc_cipher.c
++++ b/drivers/crypto/ccree/cc_cipher.c
+@@ -523,6 +523,7 @@ static void cc_setup_readiv_desc(struct crypto_tfm *tfm,
+ }
+ }
+
++
+ static void cc_setup_state_desc(struct crypto_tfm *tfm,
+ struct cipher_req_ctx *req_ctx,
+ unsigned int ivsize, unsigned int nbytes,
+@@ -534,8 +535,6 @@ static void cc_setup_state_desc(struct crypto_tfm *tfm,
+ int cipher_mode = ctx_p->cipher_mode;
+ int flow_mode = ctx_p->flow_mode;
+ int direction = req_ctx->gen_ctx.op_type;
+- dma_addr_t key_dma_addr = ctx_p->user.key_dma_addr;
+- unsigned int key_len = ctx_p->keylen;
+ dma_addr_t iv_dma_addr = req_ctx->gen_ctx.iv_dma_addr;
+ unsigned int du_size = nbytes;
+
+@@ -570,6 +569,47 @@ static void cc_setup_state_desc(struct crypto_tfm *tfm,
+ break;
+ case DRV_CIPHER_XTS:
+ case DRV_CIPHER_ESSIV:
++ case DRV_CIPHER_BITLOCKER:
++ break;
++ default:
++ dev_err(dev, "Unsupported cipher mode (%d)\n", cipher_mode);
++ }
++}
++
++
++static void cc_setup_xex_state_desc(struct crypto_tfm *tfm,
++ struct cipher_req_ctx *req_ctx,
++ unsigned int ivsize, unsigned int nbytes,
++ struct cc_hw_desc desc[],
++ unsigned int *seq_size)
++{
++ struct cc_cipher_ctx *ctx_p = crypto_tfm_ctx(tfm);
++ struct device *dev = drvdata_to_dev(ctx_p->drvdata);
++ int cipher_mode = ctx_p->cipher_mode;
++ int flow_mode = ctx_p->flow_mode;
++ int direction = req_ctx->gen_ctx.op_type;
++ dma_addr_t key_dma_addr = ctx_p->user.key_dma_addr;
++ unsigned int key_len = ctx_p->keylen;
++ dma_addr_t iv_dma_addr = req_ctx->gen_ctx.iv_dma_addr;
++ unsigned int du_size = nbytes;
++
++ struct cc_crypto_alg *cc_alg =
++ container_of(tfm->__crt_alg, struct cc_crypto_alg,
++ skcipher_alg.base);
++
++ if (cc_alg->data_unit)
++ du_size = cc_alg->data_unit;
++
++ switch (cipher_mode) {
++ case DRV_CIPHER_ECB:
++ break;
++ case DRV_CIPHER_CBC:
++ case DRV_CIPHER_CBC_CTS:
++ case DRV_CIPHER_CTR:
++ case DRV_CIPHER_OFB:
++ break;
++ case DRV_CIPHER_XTS:
++ case DRV_CIPHER_ESSIV:
+ case DRV_CIPHER_BITLOCKER:
+ /* load XEX key */
+ hw_desc_init(&desc[*seq_size]);
+@@ -881,12 +921,14 @@ static int cc_cipher_process(struct skcipher_request *req,
+
+ /* STAT_PHASE_2: Create sequence */
+
+- /* Setup IV and XEX key used */
++ /* Setup state (IV) */
+ cc_setup_state_desc(tfm, req_ctx, ivsize, nbytes, desc, &seq_len);
+ /* Setup MLLI line, if needed */
+ cc_setup_mlli_desc(tfm, req_ctx, dst, src, nbytes, req, desc, &seq_len);
+ /* Setup key */
+ cc_setup_key_desc(tfm, req_ctx, nbytes, desc, &seq_len);
++ /* Setup state (IV and XEX key) */
++ cc_setup_xex_state_desc(tfm, req_ctx, ivsize, nbytes, desc, &seq_len);
+ /* Data processing */
+ cc_setup_flow_desc(tfm, req_ctx, dst, src, nbytes, desc, &seq_len);
+ /* Read next IV */
+diff --git a/drivers/crypto/ccree/cc_driver.h b/drivers/crypto/ccree/cc_driver.h
+index ab31d4a68c80..7d2f7e2c0bb5 100644
+--- a/drivers/crypto/ccree/cc_driver.h
++++ b/drivers/crypto/ccree/cc_driver.h
+@@ -161,6 +161,7 @@ struct cc_drvdata {
+ int std_bodies;
+ bool sec_disabled;
+ u32 comp_mask;
++ bool pm_on;
+ };
+
+ struct cc_crypto_alg {
+diff --git a/drivers/crypto/ccree/cc_pm.c b/drivers/crypto/ccree/cc_pm.c
+index dbc508fb719b..452bd77a9ba0 100644
+--- a/drivers/crypto/ccree/cc_pm.c
++++ b/drivers/crypto/ccree/cc_pm.c
+@@ -22,14 +22,8 @@ const struct dev_pm_ops ccree_pm = {
+ int cc_pm_suspend(struct device *dev)
+ {
+ struct cc_drvdata *drvdata = dev_get_drvdata(dev);
+- int rc;
+
+ dev_dbg(dev, "set HOST_POWER_DOWN_EN\n");
+- rc = cc_suspend_req_queue(drvdata);
+- if (rc) {
+- dev_err(dev, "cc_suspend_req_queue (%x)\n", rc);
+- return rc;
+- }
+ fini_cc_regs(drvdata);
+ cc_iowrite(drvdata, CC_REG(HOST_POWER_DOWN_EN), POWER_DOWN_ENABLE);
+ cc_clk_off(drvdata);
+@@ -63,13 +57,6 @@ int cc_pm_resume(struct device *dev)
+ /* check if tee fips error occurred during power down */
+ cc_tee_handle_fips_error(drvdata);
+
+- rc = cc_resume_req_queue(drvdata);
+- if (rc) {
+- dev_err(dev, "cc_resume_req_queue (%x)\n", rc);
+- return rc;
+- }
+-
+- /* must be after the queue resuming as it uses the HW queue*/
+ cc_init_hash_sram(drvdata);
+
+ return 0;
+@@ -80,12 +67,10 @@ int cc_pm_get(struct device *dev)
+ int rc = 0;
+ struct cc_drvdata *drvdata = dev_get_drvdata(dev);
+
+- if (cc_req_queue_suspended(drvdata))
++ if (drvdata->pm_on)
+ rc = pm_runtime_get_sync(dev);
+- else
+- pm_runtime_get_noresume(dev);
+
+- return rc;
++ return (rc == 1 ? 0 : rc);
+ }
+
+ int cc_pm_put_suspend(struct device *dev)
+@@ -93,14 +78,11 @@ int cc_pm_put_suspend(struct device *dev)
+ int rc = 0;
+ struct cc_drvdata *drvdata = dev_get_drvdata(dev);
+
+- if (!cc_req_queue_suspended(drvdata)) {
++ if (drvdata->pm_on) {
+ pm_runtime_mark_last_busy(dev);
+ rc = pm_runtime_put_autosuspend(dev);
+- } else {
+- /* Something wrong happens*/
+- dev_err(dev, "request to suspend already suspended queue");
+- rc = -EBUSY;
+ }
++
+ return rc;
+ }
+
+@@ -117,7 +99,7 @@ int cc_pm_init(struct cc_drvdata *drvdata)
+ /* must be before the enabling to avoid resdundent suspending */
+ pm_runtime_set_autosuspend_delay(dev, CC_SUSPEND_TIMEOUT);
+ pm_runtime_use_autosuspend(dev);
+- /* activate the PM module */
++ /* set us as active - note we won't do PM ops until cc_pm_go()! */
+ return pm_runtime_set_active(dev);
+ }
+
+@@ -125,9 +107,11 @@ int cc_pm_init(struct cc_drvdata *drvdata)
+ void cc_pm_go(struct cc_drvdata *drvdata)
+ {
+ pm_runtime_enable(drvdata_to_dev(drvdata));
++ drvdata->pm_on = true;
+ }
+
+ void cc_pm_fini(struct cc_drvdata *drvdata)
+ {
+ pm_runtime_disable(drvdata_to_dev(drvdata));
++ drvdata->pm_on = false;
+ }
+diff --git a/drivers/crypto/ccree/cc_request_mgr.c b/drivers/crypto/ccree/cc_request_mgr.c
+index a947d5a2cf35..37e6fee37b13 100644
+--- a/drivers/crypto/ccree/cc_request_mgr.c
++++ b/drivers/crypto/ccree/cc_request_mgr.c
+@@ -41,7 +41,6 @@ struct cc_req_mgr_handle {
+ #else
+ struct tasklet_struct comptask;
+ #endif
+- bool is_runtime_suspended;
+ };
+
+ struct cc_bl_item {
+@@ -404,6 +403,7 @@ static void cc_proc_backlog(struct cc_drvdata *drvdata)
+ spin_lock(&mgr->bl_lock);
+ list_del(&bli->list);
+ --mgr->bl_len;
++ kfree(bli);
+ }
+
+ spin_unlock(&mgr->bl_lock);
+@@ -677,52 +677,3 @@ static void comp_handler(unsigned long devarg)
+ cc_proc_backlog(drvdata);
+ dev_dbg(dev, "Comp. handler done.\n");
+ }
+-
+-/*
+- * resume the queue configuration - no need to take the lock as this happens
+- * inside the spin lock protection
+- */
+-#if defined(CONFIG_PM)
+-int cc_resume_req_queue(struct cc_drvdata *drvdata)
+-{
+- struct cc_req_mgr_handle *request_mgr_handle =
+- drvdata->request_mgr_handle;
+-
+- spin_lock_bh(&request_mgr_handle->hw_lock);
+- request_mgr_handle->is_runtime_suspended = false;
+- spin_unlock_bh(&request_mgr_handle->hw_lock);
+-
+- return 0;
+-}
+-
+-/*
+- * suspend the queue configuration. Since it is used for the runtime suspend
+- * only verify that the queue can be suspended.
+- */
+-int cc_suspend_req_queue(struct cc_drvdata *drvdata)
+-{
+- struct cc_req_mgr_handle *request_mgr_handle =
+- drvdata->request_mgr_handle;
+-
+- /* lock the send_request */
+- spin_lock_bh(&request_mgr_handle->hw_lock);
+- if (request_mgr_handle->req_queue_head !=
+- request_mgr_handle->req_queue_tail) {
+- spin_unlock_bh(&request_mgr_handle->hw_lock);
+- return -EBUSY;
+- }
+- request_mgr_handle->is_runtime_suspended = true;
+- spin_unlock_bh(&request_mgr_handle->hw_lock);
+-
+- return 0;
+-}
+-
+-bool cc_req_queue_suspended(struct cc_drvdata *drvdata)
+-{
+- struct cc_req_mgr_handle *request_mgr_handle =
+- drvdata->request_mgr_handle;
+-
+- return request_mgr_handle->is_runtime_suspended;
+-}
+-
+-#endif
+diff --git a/drivers/crypto/ccree/cc_request_mgr.h b/drivers/crypto/ccree/cc_request_mgr.h
+index f46cf766fe4d..ff7746aaaf35 100644
+--- a/drivers/crypto/ccree/cc_request_mgr.h
++++ b/drivers/crypto/ccree/cc_request_mgr.h
+@@ -40,12 +40,4 @@ void complete_request(struct cc_drvdata *drvdata);
+
+ void cc_req_mgr_fini(struct cc_drvdata *drvdata);
+
+-#if defined(CONFIG_PM)
+-int cc_resume_req_queue(struct cc_drvdata *drvdata);
+-
+-int cc_suspend_req_queue(struct cc_drvdata *drvdata);
+-
+-bool cc_req_queue_suspended(struct cc_drvdata *drvdata);
+-#endif
+-
+ #endif /*__REQUEST_MGR_H__*/
+diff --git a/drivers/crypto/hisilicon/Kconfig b/drivers/crypto/hisilicon/Kconfig
+index c0e7a85fe129..6e7c7573dc0c 100644
+--- a/drivers/crypto/hisilicon/Kconfig
++++ b/drivers/crypto/hisilicon/Kconfig
+@@ -16,7 +16,7 @@ config CRYPTO_DEV_HISI_SEC
+
+ config CRYPTO_DEV_HISI_SEC2
+ tristate "Support for HiSilicon SEC2 crypto block cipher accelerator"
+- select CRYPTO_BLKCIPHER
++ select CRYPTO_SKCIPHER
+ select CRYPTO_ALGAPI
+ select CRYPTO_LIB_DES
+ select CRYPTO_DEV_HISI_QM
+@@ -44,7 +44,6 @@ config CRYPTO_DEV_HISI_ZIP
+ depends on ARM64 || (COMPILE_TEST && 64BIT)
+ depends on !CPU_BIG_ENDIAN || COMPILE_TEST
+ select CRYPTO_DEV_HISI_QM
+- select SG_SPLIT
+ help
+ Support for HiSilicon ZIP Driver
+
+diff --git a/drivers/crypto/hisilicon/sgl.c b/drivers/crypto/hisilicon/sgl.c
+index 012023c347b1..1e153a0d7c10 100644
+--- a/drivers/crypto/hisilicon/sgl.c
++++ b/drivers/crypto/hisilicon/sgl.c
+@@ -202,18 +202,21 @@ hisi_acc_sg_buf_map_to_hw_sgl(struct device *dev,
+ dma_addr_t curr_sgl_dma = 0;
+ struct acc_hw_sge *curr_hw_sge;
+ struct scatterlist *sg;
+- int i, ret, sg_n;
++ int i, sg_n, sg_n_mapped;
+
+ if (!dev || !sgl || !pool || !hw_sgl_dma)
+ return ERR_PTR(-EINVAL);
+
+ sg_n = sg_nents(sgl);
+- if (sg_n > pool->sge_nr)
++
++ sg_n_mapped = dma_map_sg(dev, sgl, sg_n, DMA_BIDIRECTIONAL);
++ if (!sg_n_mapped)
+ return ERR_PTR(-EINVAL);
+
+- ret = dma_map_sg(dev, sgl, sg_n, DMA_BIDIRECTIONAL);
+- if (!ret)
++ if (sg_n_mapped > pool->sge_nr) {
++ dma_unmap_sg(dev, sgl, sg_n, DMA_BIDIRECTIONAL);
+ return ERR_PTR(-EINVAL);
++ }
+
+ curr_hw_sgl = acc_get_sgl(pool, index, &curr_sgl_dma);
+ if (IS_ERR(curr_hw_sgl)) {
+@@ -224,7 +227,7 @@ hisi_acc_sg_buf_map_to_hw_sgl(struct device *dev,
+ curr_hw_sgl->entry_length_in_sgl = cpu_to_le16(pool->sge_nr);
+ curr_hw_sge = curr_hw_sgl->sge_entries;
+
+- for_each_sg(sgl, sg, sg_n, i) {
++ for_each_sg(sgl, sg, sg_n_mapped, i) {
+ sg_map_to_hw_sg(sg, curr_hw_sge);
+ inc_hw_sgl_sge(curr_hw_sgl);
+ curr_hw_sge++;
+diff --git a/drivers/crypto/hisilicon/zip/zip.h b/drivers/crypto/hisilicon/zip/zip.h
+index 79fc4dd3fe00..bc1db26598bb 100644
+--- a/drivers/crypto/hisilicon/zip/zip.h
++++ b/drivers/crypto/hisilicon/zip/zip.h
+@@ -11,6 +11,10 @@
+
+ /* hisi_zip_sqe dw3 */
+ #define HZIP_BD_STATUS_M GENMASK(7, 0)
++/* hisi_zip_sqe dw7 */
++#define HZIP_IN_SGE_DATA_OFFSET_M GENMASK(23, 0)
++/* hisi_zip_sqe dw8 */
++#define HZIP_OUT_SGE_DATA_OFFSET_M GENMASK(23, 0)
+ /* hisi_zip_sqe dw9 */
+ #define HZIP_REQ_TYPE_M GENMASK(7, 0)
+ #define HZIP_ALG_TYPE_ZLIB 0x02
+diff --git a/drivers/crypto/hisilicon/zip/zip_crypto.c b/drivers/crypto/hisilicon/zip/zip_crypto.c
+index 795428c1d07e..9815d5e3ccd0 100644
+--- a/drivers/crypto/hisilicon/zip/zip_crypto.c
++++ b/drivers/crypto/hisilicon/zip/zip_crypto.c
+@@ -46,10 +46,8 @@ enum hisi_zip_alg_type {
+
+ struct hisi_zip_req {
+ struct acomp_req *req;
+- struct scatterlist *src;
+- struct scatterlist *dst;
+- size_t slen;
+- size_t dlen;
++ int sskip;
++ int dskip;
+ struct hisi_acc_hw_sgl *hw_src;
+ struct hisi_acc_hw_sgl *hw_dst;
+ dma_addr_t dma_src;
+@@ -119,13 +117,15 @@ static void hisi_zip_config_tag(struct hisi_zip_sqe *sqe, u32 tag)
+
+ static void hisi_zip_fill_sqe(struct hisi_zip_sqe *sqe, u8 req_type,
+ dma_addr_t s_addr, dma_addr_t d_addr, u32 slen,
+- u32 dlen)
++ u32 dlen, int sskip, int dskip)
+ {
+ memset(sqe, 0, sizeof(struct hisi_zip_sqe));
+
+- sqe->input_data_length = slen;
++ sqe->input_data_length = slen - sskip;
++ sqe->dw7 = FIELD_PREP(HZIP_IN_SGE_DATA_OFFSET_M, sskip);
++ sqe->dw8 = FIELD_PREP(HZIP_OUT_SGE_DATA_OFFSET_M, dskip);
+ sqe->dw9 = FIELD_PREP(HZIP_REQ_TYPE_M, req_type);
+- sqe->dest_avail_out = dlen;
++ sqe->dest_avail_out = dlen - dskip;
+ sqe->source_addr_l = lower_32_bits(s_addr);
+ sqe->source_addr_h = upper_32_bits(s_addr);
+ sqe->dest_addr_l = lower_32_bits(d_addr);
+@@ -327,11 +327,6 @@ static void hisi_zip_remove_req(struct hisi_zip_qp_ctx *qp_ctx,
+ {
+ struct hisi_zip_req_q *req_q = &qp_ctx->req_q;
+
+- if (qp_ctx->qp->alg_type == HZIP_ALG_TYPE_COMP)
+- kfree(req->dst);
+- else
+- kfree(req->src);
+-
+ write_lock(&req_q->req_lock);
+ clear_bit(req->req_id, req_q->req_bitmap);
+ memset(req, 0, sizeof(struct hisi_zip_req));
+@@ -359,8 +354,8 @@ static void hisi_zip_acomp_cb(struct hisi_qp *qp, void *data)
+ }
+ dlen = sqe->produced;
+
+- hisi_acc_sg_buf_unmap(dev, req->src, req->hw_src);
+- hisi_acc_sg_buf_unmap(dev, req->dst, req->hw_dst);
++ hisi_acc_sg_buf_unmap(dev, acomp_req->src, req->hw_src);
++ hisi_acc_sg_buf_unmap(dev, acomp_req->dst, req->hw_dst);
+
+ head_size = (qp->alg_type == 0) ? TO_HEAD_SIZE(qp->req_type) : 0;
+ acomp_req->dlen = dlen + head_size;
+@@ -454,20 +449,6 @@ static size_t get_comp_head_size(struct scatterlist *src, u8 req_type)
+ }
+ }
+
+-static int get_sg_skip_bytes(struct scatterlist *sgl, size_t bytes,
+- size_t remains, struct scatterlist **out)
+-{
+-#define SPLIT_NUM 2
+- size_t split_sizes[SPLIT_NUM];
+- int out_mapped_nents[SPLIT_NUM];
+-
+- split_sizes[0] = bytes;
+- split_sizes[1] = remains;
+-
+- return sg_split(sgl, 0, 0, SPLIT_NUM, split_sizes, out,
+- out_mapped_nents, GFP_KERNEL);
+-}
+-
+ static struct hisi_zip_req *hisi_zip_create_req(struct acomp_req *req,
+ struct hisi_zip_qp_ctx *qp_ctx,
+ size_t head_size, bool is_comp)
+@@ -475,31 +456,7 @@ static struct hisi_zip_req *hisi_zip_create_req(struct acomp_req *req,
+ struct hisi_zip_req_q *req_q = &qp_ctx->req_q;
+ struct hisi_zip_req *q = req_q->q;
+ struct hisi_zip_req *req_cache;
+- struct scatterlist *out[2];
+- struct scatterlist *sgl;
+- size_t len;
+- int ret, req_id;
+-
+- /*
+- * remove/add zlib/gzip head, as hardware operations do not include
+- * comp head. so split req->src to get sgl without heads in acomp, or
+- * add comp head to req->dst ahead of that hardware output compressed
+- * data in sgl splited from req->dst without comp head.
+- */
+- if (is_comp) {
+- sgl = req->dst;
+- len = req->dlen - head_size;
+- } else {
+- sgl = req->src;
+- len = req->slen - head_size;
+- }
+-
+- ret = get_sg_skip_bytes(sgl, head_size, len, out);
+- if (ret)
+- return ERR_PTR(ret);
+-
+- /* sgl for comp head is useless, so free it now */
+- kfree(out[0]);
++ int req_id;
+
+ write_lock(&req_q->req_lock);
+
+@@ -507,7 +464,6 @@ static struct hisi_zip_req *hisi_zip_create_req(struct acomp_req *req,
+ if (req_id >= req_q->size) {
+ write_unlock(&req_q->req_lock);
+ dev_dbg(&qp_ctx->qp->qm->pdev->dev, "req cache is full!\n");
+- kfree(out[1]);
+ return ERR_PTR(-EBUSY);
+ }
+ set_bit(req_id, req_q->req_bitmap);
+@@ -515,16 +471,13 @@ static struct hisi_zip_req *hisi_zip_create_req(struct acomp_req *req,
+ req_cache = q + req_id;
+ req_cache->req_id = req_id;
+ req_cache->req = req;
++
+ if (is_comp) {
+- req_cache->src = req->src;
+- req_cache->dst = out[1];
+- req_cache->slen = req->slen;
+- req_cache->dlen = req->dlen - head_size;
++ req_cache->sskip = 0;
++ req_cache->dskip = head_size;
+ } else {
+- req_cache->src = out[1];
+- req_cache->dst = req->dst;
+- req_cache->slen = req->slen - head_size;
+- req_cache->dlen = req->dlen;
++ req_cache->sskip = head_size;
++ req_cache->dskip = 0;
+ }
+
+ write_unlock(&req_q->req_lock);
+@@ -536,6 +489,7 @@ static int hisi_zip_do_work(struct hisi_zip_req *req,
+ struct hisi_zip_qp_ctx *qp_ctx)
+ {
+ struct hisi_zip_sqe *zip_sqe = &qp_ctx->zip_sqe;
++ struct acomp_req *a_req = req->req;
+ struct hisi_qp *qp = qp_ctx->qp;
+ struct device *dev = &qp->qm->pdev->dev;
+ struct hisi_acc_sgl_pool *pool = qp_ctx->sgl_pool;
+@@ -543,16 +497,16 @@ static int hisi_zip_do_work(struct hisi_zip_req *req,
+ dma_addr_t output;
+ int ret;
+
+- if (!req->src || !req->slen || !req->dst || !req->dlen)
++ if (!a_req->src || !a_req->slen || !a_req->dst || !a_req->dlen)
+ return -EINVAL;
+
+- req->hw_src = hisi_acc_sg_buf_map_to_hw_sgl(dev, req->src, pool,
++ req->hw_src = hisi_acc_sg_buf_map_to_hw_sgl(dev, a_req->src, pool,
+ req->req_id << 1, &input);
+ if (IS_ERR(req->hw_src))
+ return PTR_ERR(req->hw_src);
+ req->dma_src = input;
+
+- req->hw_dst = hisi_acc_sg_buf_map_to_hw_sgl(dev, req->dst, pool,
++ req->hw_dst = hisi_acc_sg_buf_map_to_hw_sgl(dev, a_req->dst, pool,
+ (req->req_id << 1) + 1,
+ &output);
+ if (IS_ERR(req->hw_dst)) {
+@@ -561,8 +515,8 @@ static int hisi_zip_do_work(struct hisi_zip_req *req,
+ }
+ req->dma_dst = output;
+
+- hisi_zip_fill_sqe(zip_sqe, qp->req_type, input, output, req->slen,
+- req->dlen);
++ hisi_zip_fill_sqe(zip_sqe, qp->req_type, input, output, a_req->slen,
++ a_req->dlen, req->sskip, req->dskip);
+ hisi_zip_config_buf_type(zip_sqe, HZIP_SGL);
+ hisi_zip_config_tag(zip_sqe, req->req_id);
+
+@@ -574,9 +528,9 @@ static int hisi_zip_do_work(struct hisi_zip_req *req,
+ return -EINPROGRESS;
+
+ err_unmap_output:
+- hisi_acc_sg_buf_unmap(dev, req->dst, req->hw_dst);
++ hisi_acc_sg_buf_unmap(dev, a_req->dst, req->hw_dst);
+ err_unmap_input:
+- hisi_acc_sg_buf_unmap(dev, req->src, req->hw_src);
++ hisi_acc_sg_buf_unmap(dev, a_req->src, req->hw_src);
+ return ret;
+ }
+
+diff --git a/drivers/crypto/picoxcell_crypto.c b/drivers/crypto/picoxcell_crypto.c
+index 29da449b3e9e..d187312b9864 100644
+--- a/drivers/crypto/picoxcell_crypto.c
++++ b/drivers/crypto/picoxcell_crypto.c
+@@ -1595,6 +1595,11 @@ static const struct of_device_id spacc_of_id_table[] = {
+ MODULE_DEVICE_TABLE(of, spacc_of_id_table);
+ #endif /* CONFIG_OF */
+
++static void spacc_tasklet_kill(void *data)
++{
++ tasklet_kill(data);
++}
++
+ static int spacc_probe(struct platform_device *pdev)
+ {
+ int i, err, ret;
+@@ -1637,6 +1642,14 @@ static int spacc_probe(struct platform_device *pdev)
+ return -ENXIO;
+ }
+
++ tasklet_init(&engine->complete, spacc_spacc_complete,
++ (unsigned long)engine);
++
++ ret = devm_add_action(&pdev->dev, spacc_tasklet_kill,
++ &engine->complete);
++ if (ret)
++ return ret;
++
+ if (devm_request_irq(&pdev->dev, irq->start, spacc_spacc_irq, 0,
+ engine->name, engine)) {
+ dev_err(engine->dev, "failed to request IRQ\n");
+@@ -1694,8 +1707,6 @@ static int spacc_probe(struct platform_device *pdev)
+ INIT_LIST_HEAD(&engine->completed);
+ INIT_LIST_HEAD(&engine->in_progress);
+ engine->in_flight = 0;
+- tasklet_init(&engine->complete, spacc_spacc_complete,
+- (unsigned long)engine);
+
+ platform_set_drvdata(pdev, engine);
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+index 11e5784aa62a..0b401dfbe98a 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+@@ -246,7 +246,8 @@ bool dm_helpers_dp_mst_write_payload_allocation_table(
+ drm_dp_mst_reset_vcpi_slots(mst_mgr, mst_port);
+ }
+
+- ret = drm_dp_update_payload_part1(mst_mgr);
++ /* It's OK for this to fail */
++ drm_dp_update_payload_part1(mst_mgr);
+
+ /* mst_mgr->->payloads are VC payload notify MST branch using DPCD or
+ * AUX message. The sequence is slot 1-63 allocated sequence for each
+@@ -255,9 +256,6 @@ bool dm_helpers_dp_mst_write_payload_allocation_table(
+
+ get_payload_table(aconnector, proposed_table);
+
+- if (ret)
+- return false;
+-
+ return true;
+ }
+
+@@ -315,7 +313,6 @@ bool dm_helpers_dp_mst_send_payload_allocation(
+ struct amdgpu_dm_connector *aconnector;
+ struct drm_dp_mst_topology_mgr *mst_mgr;
+ struct drm_dp_mst_port *mst_port;
+- int ret;
+
+ aconnector = (struct amdgpu_dm_connector *)stream->dm_stream_context;
+
+@@ -329,10 +326,8 @@ bool dm_helpers_dp_mst_send_payload_allocation(
+ if (!mst_mgr->mst_state)
+ return false;
+
+- ret = drm_dp_update_payload_part2(mst_mgr);
+-
+- if (ret)
+- return false;
++ /* It's OK for this to fail */
++ drm_dp_update_payload_part2(mst_mgr);
+
+ if (!enable)
+ drm_dp_mst_deallocate_vcpi(mst_mgr, mst_port);
+diff --git a/drivers/gpu/drm/amd/powerplay/amdgpu_smu.c b/drivers/gpu/drm/amd/powerplay/amdgpu_smu.c
+index a23729d3174b..9b415f6569a2 100644
+--- a/drivers/gpu/drm/amd/powerplay/amdgpu_smu.c
++++ b/drivers/gpu/drm/amd/powerplay/amdgpu_smu.c
+@@ -21,6 +21,7 @@
+ */
+
+ #include <linux/firmware.h>
++#include <linux/pci.h>
+
+ #include "pp_debug.h"
+ #include "amdgpu.h"
+@@ -1125,6 +1126,23 @@ static int smu_smc_table_hw_init(struct smu_context *smu,
+ ret = smu_get_power_limit(smu, &smu->default_power_limit, false, false);
+ if (ret)
+ return ret;
++
++ if (adev->asic_type == CHIP_NAVI10) {
++ if ((adev->pdev->device == 0x731f && (adev->pdev->revision == 0xc2 ||
++ adev->pdev->revision == 0xc3 ||
++ adev->pdev->revision == 0xca ||
++ adev->pdev->revision == 0xcb)) ||
++ (adev->pdev->device == 0x66af && (adev->pdev->revision == 0xf3 ||
++ adev->pdev->revision == 0xf4 ||
++ adev->pdev->revision == 0xf5 ||
++ adev->pdev->revision == 0xf6))) {
++ ret = smu_disable_umc_cdr_12gbps_workaround(smu);
++ if (ret) {
++ pr_err("Workaround failed to disable UMC CDR feature on 12Gbps SKU!\n");
++ return ret;
++ }
++ }
++ }
+ }
+
+ /*
+diff --git a/drivers/gpu/drm/amd/powerplay/inc/amdgpu_smu.h b/drivers/gpu/drm/amd/powerplay/inc/amdgpu_smu.h
+index 41fce75b263f..d005dea4a3bf 100644
+--- a/drivers/gpu/drm/amd/powerplay/inc/amdgpu_smu.h
++++ b/drivers/gpu/drm/amd/powerplay/inc/amdgpu_smu.h
+@@ -263,6 +263,7 @@ struct smu_table_context
+ uint8_t thermal_controller_type;
+
+ void *overdrive_table;
++ void *boot_overdrive_table;
+ };
+
+ struct smu_dpm_context {
+@@ -550,6 +551,7 @@ struct pptable_funcs {
+ int (*set_soft_freq_limited_range)(struct smu_context *smu, enum smu_clk_type clk_type, uint32_t min, uint32_t max);
+ int (*override_pcie_parameters)(struct smu_context *smu);
+ uint32_t (*get_pptable_power_limit)(struct smu_context *smu);
++ int (*disable_umc_cdr_12gbps_workaround)(struct smu_context *smu);
+ };
+
+ int smu_load_microcode(struct smu_context *smu);
+diff --git a/drivers/gpu/drm/amd/powerplay/inc/smu_types.h b/drivers/gpu/drm/amd/powerplay/inc/smu_types.h
+index d8c9b7f91fcc..a5b4df146713 100644
+--- a/drivers/gpu/drm/amd/powerplay/inc/smu_types.h
++++ b/drivers/gpu/drm/amd/powerplay/inc/smu_types.h
+@@ -170,6 +170,8 @@
+ __SMU_DUMMY_MAP(SetSoftMinJpeg), \
+ __SMU_DUMMY_MAP(SetHardMinFclkByFreq), \
+ __SMU_DUMMY_MAP(DFCstateControl), \
++ __SMU_DUMMY_MAP(DAL_DISABLE_DUMMY_PSTATE_CHANGE), \
++ __SMU_DUMMY_MAP(DAL_ENABLE_DUMMY_PSTATE_CHANGE), \
+
+ #undef __SMU_DUMMY_MAP
+ #define __SMU_DUMMY_MAP(type) SMU_MSG_##type
+diff --git a/drivers/gpu/drm/amd/powerplay/inc/smu_v11_0_ppsmc.h b/drivers/gpu/drm/amd/powerplay/inc/smu_v11_0_ppsmc.h
+index 373861ddccd0..406bfd187ce8 100644
+--- a/drivers/gpu/drm/amd/powerplay/inc/smu_v11_0_ppsmc.h
++++ b/drivers/gpu/drm/amd/powerplay/inc/smu_v11_0_ppsmc.h
+@@ -120,7 +120,10 @@
+ #define PPSMC_MSG_GetVoltageByDpmOverdrive 0x45
+ #define PPSMC_MSG_BacoAudioD3PME 0x48
+
+-#define PPSMC_Message_Count 0x49
++#define PPSMC_MSG_DALDisableDummyPstateChange 0x49
++#define PPSMC_MSG_DALEnableDummyPstateChange 0x4A
++
++#define PPSMC_Message_Count 0x4B
+
+ typedef uint32_t PPSMC_Result;
+ typedef uint32_t PPSMC_Msg;
+diff --git a/drivers/gpu/drm/amd/powerplay/navi10_ppt.c b/drivers/gpu/drm/amd/powerplay/navi10_ppt.c
+index ca62e92e5a4f..e3f8c45e7467 100644
+--- a/drivers/gpu/drm/amd/powerplay/navi10_ppt.c
++++ b/drivers/gpu/drm/amd/powerplay/navi10_ppt.c
+@@ -119,6 +119,10 @@ static struct smu_11_0_cmn2aisc_mapping navi10_message_map[SMU_MSG_MAX_COUNT] =
+ MSG_MAP(PowerDownJpeg, PPSMC_MSG_PowerDownJpeg),
+ MSG_MAP(BacoAudioD3PME, PPSMC_MSG_BacoAudioD3PME),
+ MSG_MAP(ArmD3, PPSMC_MSG_ArmD3),
++ MSG_MAP(DAL_DISABLE_DUMMY_PSTATE_CHANGE,PPSMC_MSG_DALDisableDummyPstateChange),
++ MSG_MAP(DAL_ENABLE_DUMMY_PSTATE_CHANGE, PPSMC_MSG_DALEnableDummyPstateChange),
++ MSG_MAP(GetVoltageByDpm, PPSMC_MSG_GetVoltageByDpm),
++ MSG_MAP(GetVoltageByDpmOverdrive, PPSMC_MSG_GetVoltageByDpmOverdrive),
+ };
+
+ static struct smu_11_0_cmn2aisc_mapping navi10_clk_map[SMU_CLK_COUNT] = {
+@@ -706,6 +710,15 @@ static inline bool navi10_od_feature_is_supported(struct smu_11_0_overdrive_tabl
+ return od_table->cap[feature];
+ }
+
++static void navi10_od_setting_get_range(struct smu_11_0_overdrive_table *od_table,
++ enum SMU_11_0_ODSETTING_ID setting,
++ uint32_t *min, uint32_t *max)
++{
++ if (min)
++ *min = od_table->min[setting];
++ if (max)
++ *max = od_table->max[setting];
++}
+
+ static int navi10_print_clk_levels(struct smu_context *smu,
+ enum smu_clk_type clk_type, char *buf)
+@@ -724,6 +737,7 @@ static int navi10_print_clk_levels(struct smu_context *smu,
+ OverDriveTable_t *od_table =
+ (OverDriveTable_t *)table_context->overdrive_table;
+ struct smu_11_0_overdrive_table *od_settings = smu->od_settings;
++ uint32_t min_value, max_value;
+
+ switch (clk_type) {
+ case SMU_GFXCLK:
+@@ -812,7 +826,7 @@ static int navi10_print_clk_levels(struct smu_context *smu,
+ if (!navi10_od_feature_is_supported(od_settings, SMU_11_0_ODFEATURE_UCLK_MAX))
+ break;
+ size += sprintf(buf + size, "OD_MCLK:\n");
+- size += sprintf(buf + size, "0: %uMHz\n", od_table->UclkFmax);
++ size += sprintf(buf + size, "1: %uMHz\n", od_table->UclkFmax);
+ break;
+ case SMU_OD_VDDC_CURVE:
+ if (!smu->od_enabled || !od_table || !od_settings)
+@@ -836,6 +850,55 @@ static int navi10_print_clk_levels(struct smu_context *smu,
+ }
+ size += sprintf(buf + size, "%d: %uMHz @ %umV\n", i, curve_settings[0], curve_settings[1] / NAVI10_VOLTAGE_SCALE);
+ }
++ break;
++ case SMU_OD_RANGE:
++ if (!smu->od_enabled || !od_table || !od_settings)
++ break;
++ size = sprintf(buf, "%s:\n", "OD_RANGE");
++
++ if (navi10_od_feature_is_supported(od_settings, SMU_11_0_ODFEATURE_GFXCLK_LIMITS)) {
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_GFXCLKFMIN,
++ &min_value, NULL);
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_GFXCLKFMAX,
++ NULL, &max_value);
++ size += sprintf(buf + size, "SCLK: %7uMhz %10uMhz\n",
++ min_value, max_value);
++ }
++
++ if (navi10_od_feature_is_supported(od_settings, SMU_11_0_ODFEATURE_UCLK_MAX)) {
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_UCLKFMAX,
++ &min_value, &max_value);
++ size += sprintf(buf + size, "MCLK: %7uMhz %10uMhz\n",
++ min_value, max_value);
++ }
++
++ if (navi10_od_feature_is_supported(od_settings, SMU_11_0_ODFEATURE_GFXCLK_CURVE)) {
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_VDDGFXCURVEFREQ_P1,
++ &min_value, &max_value);
++ size += sprintf(buf + size, "VDDC_CURVE_SCLK[0]: %7uMhz %10uMhz\n",
++ min_value, max_value);
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_VDDGFXCURVEVOLTAGE_P1,
++ &min_value, &max_value);
++ size += sprintf(buf + size, "VDDC_CURVE_VOLT[0]: %7dmV %11dmV\n",
++ min_value, max_value);
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_VDDGFXCURVEFREQ_P2,
++ &min_value, &max_value);
++ size += sprintf(buf + size, "VDDC_CURVE_SCLK[1]: %7uMhz %10uMhz\n",
++ min_value, max_value);
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_VDDGFXCURVEVOLTAGE_P2,
++ &min_value, &max_value);
++ size += sprintf(buf + size, "VDDC_CURVE_VOLT[1]: %7dmV %11dmV\n",
++ min_value, max_value);
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_VDDGFXCURVEFREQ_P3,
++ &min_value, &max_value);
++ size += sprintf(buf + size, "VDDC_CURVE_SCLK[2]: %7uMhz %10uMhz\n",
++ min_value, max_value);
++ navi10_od_setting_get_range(od_settings, SMU_11_0_ODSETTING_VDDGFXCURVEVOLTAGE_P3,
++ &min_value, &max_value);
++ size += sprintf(buf + size, "VDDC_CURVE_VOLT[2]: %7dmV %11dmV\n",
++ min_value, max_value);
++ }
++
+ break;
+ default:
+ break;
+@@ -1780,6 +1843,28 @@ static int navi10_od_setting_check_range(struct smu_11_0_overdrive_table *od_tab
+ return 0;
+ }
+
++static int navi10_overdrive_get_gfx_clk_base_voltage(struct smu_context *smu,
++ uint16_t *voltage,
++ uint32_t freq)
++{
++ uint32_t param = (freq & 0xFFFF) | (PPCLK_GFXCLK << 16);
++ uint32_t value = 0;
++ int ret;
++
++ ret = smu_send_smc_msg_with_param(smu,
++ SMU_MSG_GetVoltageByDpm,
++ param);
++ if (ret) {
++ pr_err("[GetBaseVoltage] failed to get GFXCLK AVFS voltage from SMU!");
++ return ret;
++ }
++
++ smu_read_smc_arg(smu, &value);
++ *voltage = (uint16_t)value;
++
++ return 0;
++}
++
+ static int navi10_setup_od_limits(struct smu_context *smu) {
+ struct smu_11_0_overdrive_table *overdrive_table = NULL;
+ struct smu_11_0_powerplay_table *powerplay_table = NULL;
+@@ -1806,16 +1891,40 @@ static int navi10_set_default_od_settings(struct smu_context *smu, bool initiali
+ if (ret)
+ return ret;
+
++ od_table = (OverDriveTable_t *)smu->smu_table.overdrive_table;
+ if (initialize) {
+ ret = navi10_setup_od_limits(smu);
+ if (ret) {
+ pr_err("Failed to retrieve board OD limits\n");
+ return ret;
+ }
++ if (od_table) {
++ if (!od_table->GfxclkVolt1) {
++ ret = navi10_overdrive_get_gfx_clk_base_voltage(smu,
++ &od_table->GfxclkVolt1,
++ od_table->GfxclkFreq1);
++ if (ret)
++ od_table->GfxclkVolt1 = 0;
++ }
++
++ if (!od_table->GfxclkVolt2) {
++ ret = navi10_overdrive_get_gfx_clk_base_voltage(smu,
++ &od_table->GfxclkVolt2,
++ od_table->GfxclkFreq2);
++ if (ret)
++ od_table->GfxclkVolt2 = 0;
++ }
+
++ if (!od_table->GfxclkVolt3) {
++ ret = navi10_overdrive_get_gfx_clk_base_voltage(smu,
++ &od_table->GfxclkVolt3,
++ od_table->GfxclkFreq3);
++ if (ret)
++ od_table->GfxclkVolt3 = 0;
++ }
++ }
+ }
+
+- od_table = (OverDriveTable_t *)smu->smu_table.overdrive_table;
+ if (od_table) {
+ navi10_dump_od_table(od_table);
+ }
+@@ -1911,6 +2020,13 @@ static int navi10_od_edit_dpm_table(struct smu_context *smu, enum PP_OD_DPM_TABL
+ return ret;
+ od_table->UclkFmax = input[1];
+ break;
++ case PP_OD_RESTORE_DEFAULT_TABLE:
++ if (!(table_context->overdrive_table && table_context->boot_overdrive_table)) {
++ pr_err("Overdrive table was not initialized!\n");
++ return -EINVAL;
++ }
++ memcpy(table_context->overdrive_table, table_context->boot_overdrive_table, sizeof(OverDriveTable_t));
++ break;
+ case PP_OD_COMMIT_DPM_TABLE:
+ navi10_dump_od_table(od_table);
+ ret = smu_update_table(smu, SMU_TABLE_OVERDRIVE, 0, (void *)od_table, true);
+@@ -2000,6 +2116,61 @@ static int navi10_run_btc(struct smu_context *smu)
+ return ret;
+ }
+
++static int navi10_dummy_pstate_control(struct smu_context *smu, bool enable)
++{
++ int result = 0;
++
++ if (!enable)
++ result = smu_send_smc_msg(smu, SMU_MSG_DAL_DISABLE_DUMMY_PSTATE_CHANGE);
++ else
++ result = smu_send_smc_msg(smu, SMU_MSG_DAL_ENABLE_DUMMY_PSTATE_CHANGE);
++
++ return result;
++}
++
++static int navi10_disable_umc_cdr_12gbps_workaround(struct smu_context *smu)
++{
++ uint32_t uclk_count, uclk_min, uclk_max;
++ uint32_t smu_version;
++ int ret = 0;
++
++ ret = smu_get_smc_version(smu, NULL, &smu_version);
++ if (ret)
++ return ret;
++
++ /* This workaround is available only for 42.50 or later SMC firmwares */
++ if (smu_version < 0x2A3200)
++ return 0;
++
++ ret = smu_get_dpm_level_count(smu, SMU_UCLK, &uclk_count);
++ if (ret)
++ return ret;
++
++ ret = smu_get_dpm_freq_by_index(smu, SMU_UCLK, (uint16_t)0, &uclk_min);
++ if (ret)
++ return ret;
++
++ ret = smu_get_dpm_freq_by_index(smu, SMU_UCLK, (uint16_t)(uclk_count - 1), &uclk_max);
++ if (ret)
++ return ret;
++
++ /* Force UCLK out of the highest DPM */
++ ret = smu_set_hard_freq_range(smu, SMU_UCLK, 0, uclk_min);
++ if (ret)
++ return ret;
++
++ /* Revert the UCLK Hardmax */
++ ret = smu_set_hard_freq_range(smu, SMU_UCLK, 0, uclk_max);
++ if (ret)
++ return ret;
++
++ /*
++ * In this case, SMU already disabled dummy pstate during enablement
++ * of UCLK DPM, we have to re-enabled it.
++ * */
++ return navi10_dummy_pstate_control(smu, true);
++}
++
+ static const struct pptable_funcs navi10_ppt_funcs = {
+ .tables_init = navi10_tables_init,
+ .alloc_dpm_context = navi10_allocate_dpm_context,
+@@ -2091,6 +2262,7 @@ static const struct pptable_funcs navi10_ppt_funcs = {
+ .od_edit_dpm_table = navi10_od_edit_dpm_table,
+ .get_pptable_power_limit = navi10_get_pptable_power_limit,
+ .run_btc = navi10_run_btc,
++ .disable_umc_cdr_12gbps_workaround = navi10_disable_umc_cdr_12gbps_workaround,
+ };
+
+ void navi10_set_ppt_funcs(struct smu_context *smu)
+diff --git a/drivers/gpu/drm/amd/powerplay/smu_internal.h b/drivers/gpu/drm/amd/powerplay/smu_internal.h
+index 8872f8b2d502..593271685a98 100644
+--- a/drivers/gpu/drm/amd/powerplay/smu_internal.h
++++ b/drivers/gpu/drm/amd/powerplay/smu_internal.h
+@@ -201,4 +201,7 @@ int smu_send_smc_msg(struct smu_context *smu, enum smu_message_type msg);
+ #define smu_update_pcie_parameters(smu, pcie_gen_cap, pcie_width_cap) \
+ ((smu)->ppt_funcs->update_pcie_parameters ? (smu)->ppt_funcs->update_pcie_parameters((smu), (pcie_gen_cap), (pcie_width_cap)) : 0)
+
++#define smu_disable_umc_cdr_12gbps_workaround(smu) \
++ ((smu)->ppt_funcs->disable_umc_cdr_12gbps_workaround ? (smu)->ppt_funcs->disable_umc_cdr_12gbps_workaround((smu)) : 0)
++
+ #endif
+diff --git a/drivers/gpu/drm/amd/powerplay/smu_v11_0.c b/drivers/gpu/drm/amd/powerplay/smu_v11_0.c
+index e4268a627eff..8b13d18c6414 100644
+--- a/drivers/gpu/drm/amd/powerplay/smu_v11_0.c
++++ b/drivers/gpu/drm/amd/powerplay/smu_v11_0.c
+@@ -1807,6 +1807,12 @@ int smu_v11_0_set_default_od_settings(struct smu_context *smu, bool initialize,
+ pr_err("Failed to export overdrive table!\n");
+ return ret;
+ }
++ if (!table_context->boot_overdrive_table) {
++ table_context->boot_overdrive_table = kmemdup(table_context->overdrive_table, overdrive_table_size, GFP_KERNEL);
++ if (!table_context->boot_overdrive_table) {
++ return -ENOMEM;
++ }
++ }
+ }
+ ret = smu_update_table(smu, SMU_TABLE_OVERDRIVE, 0, table_context->overdrive_table, true);
+ if (ret) {
+diff --git a/drivers/gpu/drm/amd/powerplay/vega20_ppt.c b/drivers/gpu/drm/amd/powerplay/vega20_ppt.c
+index 0d3a3b0a934e..a9c41cd111ce 100644
+--- a/drivers/gpu/drm/amd/powerplay/vega20_ppt.c
++++ b/drivers/gpu/drm/amd/powerplay/vega20_ppt.c
+@@ -1702,22 +1702,11 @@ static int vega20_set_default_od_settings(struct smu_context *smu,
+ struct smu_table_context *table_context = &smu->smu_table;
+ int ret;
+
+- if (initialize) {
+- if (table_context->overdrive_table)
+- return -EINVAL;
+-
+- table_context->overdrive_table = kzalloc(sizeof(OverDriveTable_t), GFP_KERNEL);
+-
+- if (!table_context->overdrive_table)
+- return -ENOMEM;
+-
+- ret = smu_update_table(smu, SMU_TABLE_OVERDRIVE, 0,
+- table_context->overdrive_table, false);
+- if (ret) {
+- pr_err("Failed to export over drive table!\n");
+- return ret;
+- }
++ ret = smu_v11_0_set_default_od_settings(smu, initialize, sizeof(OverDriveTable_t));
++ if (ret)
++ return ret;
+
++ if (initialize) {
+ ret = vega20_set_default_od8_setttings(smu);
+ if (ret)
+ return ret;
+@@ -2774,12 +2763,11 @@ static int vega20_odn_edit_dpm_table(struct smu_context *smu,
+ break;
+
+ case PP_OD_RESTORE_DEFAULT_TABLE:
+- ret = smu_update_table(smu, SMU_TABLE_OVERDRIVE, 0, table_context->overdrive_table, false);
+- if (ret) {
+- pr_err("Failed to export over drive table!\n");
+- return ret;
++ if (!(table_context->overdrive_table && table_context->boot_overdrive_table)) {
++ pr_err("Overdrive table was not initialized!\n");
++ return -EINVAL;
+ }
+-
++ memcpy(table_context->overdrive_table, table_context->boot_overdrive_table, sizeof(OverDriveTable_t));
+ break;
+
+ case PP_OD_COMMIT_DPM_TABLE:
+diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c
+index f2e73e6d46b8..10985134ce0b 100644
+--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c
++++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c
+@@ -73,7 +73,11 @@ static void atmel_hlcdc_crtc_mode_set_nofb(struct drm_crtc *c)
+ unsigned long prate;
+ unsigned int mask = ATMEL_HLCDC_CLKDIV_MASK | ATMEL_HLCDC_CLKPOL;
+ unsigned int cfg = 0;
+- int div;
++ int div, ret;
++
++ ret = clk_prepare_enable(crtc->dc->hlcdc->sys_clk);
++ if (ret)
++ return;
+
+ vm.vfront_porch = adj->crtc_vsync_start - adj->crtc_vdisplay;
+ vm.vback_porch = adj->crtc_vtotal - adj->crtc_vsync_end;
+@@ -95,14 +99,14 @@ static void atmel_hlcdc_crtc_mode_set_nofb(struct drm_crtc *c)
+ (adj->crtc_hdisplay - 1) |
+ ((adj->crtc_vdisplay - 1) << 16));
+
++ prate = clk_get_rate(crtc->dc->hlcdc->sys_clk);
++ mode_rate = adj->crtc_clock * 1000;
+ if (!crtc->dc->desc->fixed_clksrc) {
++ prate *= 2;
+ cfg |= ATMEL_HLCDC_CLKSEL;
+ mask |= ATMEL_HLCDC_CLKSEL;
+ }
+
+- prate = 2 * clk_get_rate(crtc->dc->hlcdc->sys_clk);
+- mode_rate = adj->crtc_clock * 1000;
+-
+ div = DIV_ROUND_UP(prate, mode_rate);
+ if (div < 2) {
+ div = 2;
+@@ -117,8 +121,8 @@ static void atmel_hlcdc_crtc_mode_set_nofb(struct drm_crtc *c)
+ int div_low = prate / mode_rate;
+
+ if (div_low >= 2 &&
+- ((prate / div_low - mode_rate) <
+- 10 * (mode_rate - prate / div)))
++ (10 * (prate / div_low - mode_rate) <
++ (mode_rate - prate / div)))
+ /*
+ * At least 10 times better when using a higher
+ * frequency than requested, instead of a lower.
+@@ -147,6 +151,8 @@ static void atmel_hlcdc_crtc_mode_set_nofb(struct drm_crtc *c)
+ ATMEL_HLCDC_VSPSU | ATMEL_HLCDC_VSPHO |
+ ATMEL_HLCDC_GUARDTIME_MASK | ATMEL_HLCDC_MODE_MASK,
+ cfg);
++
++ clk_disable_unprepare(crtc->dc->hlcdc->sys_clk);
+ }
+
+ static enum drm_mode_status
+diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
+index e6afe4faeca6..141ba31cf548 100644
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -3435,6 +3435,7 @@ static int drm_dp_get_vc_payload_bw(u8 dp_link_bw, u8 dp_link_count)
+ int drm_dp_mst_topology_mgr_set_mst(struct drm_dp_mst_topology_mgr *mgr, bool mst_state)
+ {
+ int ret = 0;
++ int i = 0;
+ struct drm_dp_mst_branch *mstb = NULL;
+
+ mutex_lock(&mgr->lock);
+@@ -3495,10 +3496,21 @@ int drm_dp_mst_topology_mgr_set_mst(struct drm_dp_mst_topology_mgr *mgr, bool ms
+ /* this can fail if the device is gone */
+ drm_dp_dpcd_writeb(mgr->aux, DP_MSTM_CTRL, 0);
+ ret = 0;
++ mutex_lock(&mgr->payload_lock);
+ memset(mgr->payloads, 0, mgr->max_payloads * sizeof(struct drm_dp_payload));
+ mgr->payload_mask = 0;
+ set_bit(0, &mgr->payload_mask);
++ for (i = 0; i < mgr->max_payloads; i++) {
++ struct drm_dp_vcpi *vcpi = mgr->proposed_vcpis[i];
++
++ if (vcpi) {
++ vcpi->vcpi = 0;
++ vcpi->num_slots = 0;
++ }
++ mgr->proposed_vcpis[i] = NULL;
++ }
+ mgr->vcpi_mask = 0;
++ mutex_unlock(&mgr->payload_lock);
+ }
+
+ out_unlock:
+diff --git a/drivers/gpu/drm/drm_rect.c b/drivers/gpu/drm/drm_rect.c
+index b8363aaa9032..818738e83d06 100644
+--- a/drivers/gpu/drm/drm_rect.c
++++ b/drivers/gpu/drm/drm_rect.c
+@@ -54,7 +54,12 @@ EXPORT_SYMBOL(drm_rect_intersect);
+
+ static u32 clip_scaled(u32 src, u32 dst, u32 clip)
+ {
+- u64 tmp = mul_u32_u32(src, dst - clip);
++ u64 tmp;
++
++ if (dst == 0)
++ return 0;
++
++ tmp = mul_u32_u32(src, dst - clip);
+
+ /*
+ * Round toward 1.0 when clipping so that we don't accidentally
+diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c
+index 772f0753ed38..aaf2f26f8505 100644
+--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c
++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_dsi_encoder.c
+@@ -121,7 +121,7 @@ static void mdp4_dsi_encoder_enable(struct drm_encoder *encoder)
+ if (mdp4_dsi_encoder->enabled)
+ return;
+
+- mdp4_crtc_set_config(encoder->crtc,
++ mdp4_crtc_set_config(encoder->crtc,
+ MDP4_DMA_CONFIG_PACK_ALIGN_MSB |
+ MDP4_DMA_CONFIG_DEFLKR_EN |
+ MDP4_DMA_CONFIG_DITHER_EN |
+diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
+index f455ce71e85d..b6aba7507043 100644
+--- a/drivers/gpu/drm/tegra/drm.c
++++ b/drivers/gpu/drm/tegra/drm.c
+@@ -1037,23 +1037,9 @@ void tegra_drm_free(struct tegra_drm *tegra, size_t size, void *virt,
+ free_pages((unsigned long)virt, get_order(size));
+ }
+
+-static int host1x_drm_probe(struct host1x_device *dev)
++static bool host1x_drm_wants_iommu(struct host1x_device *dev)
+ {
+- struct drm_driver *driver = &tegra_drm_driver;
+ struct iommu_domain *domain;
+- struct tegra_drm *tegra;
+- struct drm_device *drm;
+- int err;
+-
+- drm = drm_dev_alloc(driver, &dev->dev);
+- if (IS_ERR(drm))
+- return PTR_ERR(drm);
+-
+- tegra = kzalloc(sizeof(*tegra), GFP_KERNEL);
+- if (!tegra) {
+- err = -ENOMEM;
+- goto put;
+- }
+
+ /*
+ * If the Tegra DRM clients are backed by an IOMMU, push buffers are
+@@ -1082,9 +1068,38 @@ static int host1x_drm_probe(struct host1x_device *dev)
+ * up the device tree appropriately. This is considered an problem
+ * of integration, so care must be taken for the DT to be consistent.
+ */
+- domain = iommu_get_domain_for_dev(drm->dev->parent);
++ domain = iommu_get_domain_for_dev(dev->dev.parent);
++
++ /*
++ * Tegra20 and Tegra30 don't support addressing memory beyond the
++ * 32-bit boundary, so the regular GATHER opcodes will always be
++ * sufficient and whether or not the host1x is attached to an IOMMU
++ * doesn't matter.
++ */
++ if (!domain && dma_get_mask(dev->dev.parent) <= DMA_BIT_MASK(32))
++ return true;
++
++ return domain != NULL;
++}
++
++static int host1x_drm_probe(struct host1x_device *dev)
++{
++ struct drm_driver *driver = &tegra_drm_driver;
++ struct tegra_drm *tegra;
++ struct drm_device *drm;
++ int err;
++
++ drm = drm_dev_alloc(driver, &dev->dev);
++ if (IS_ERR(drm))
++ return PTR_ERR(drm);
++
++ tegra = kzalloc(sizeof(*tegra), GFP_KERNEL);
++ if (!tegra) {
++ err = -ENOMEM;
++ goto put;
++ }
+
+- if (domain && iommu_present(&platform_bus_type)) {
++ if (host1x_drm_wants_iommu(dev) && iommu_present(&platform_bus_type)) {
+ tegra->domain = iommu_domain_alloc(&platform_bus_type);
+ if (!tegra->domain) {
+ err = -ENOMEM;
+diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
+index bc15b430156d..c46b4d4190ac 100644
+--- a/drivers/gpu/drm/tegra/gem.c
++++ b/drivers/gpu/drm/tegra/gem.c
+@@ -60,8 +60,16 @@ static struct sg_table *tegra_bo_pin(struct device *dev, struct host1x_bo *bo,
+ /*
+ * If we've manually mapped the buffer object through the IOMMU, make
+ * sure to return the IOVA address of our mapping.
++ *
++ * Similarly, for buffers that have been allocated by the DMA API the
++ * physical address can be used for devices that are not attached to
++ * an IOMMU. For these devices, callers must pass a valid pointer via
++ * the @phys argument.
++ *
++ * Imported buffers were also already mapped at import time, so the
++ * existing mapping can be reused.
+ */
+- if (phys && obj->mm) {
++ if (phys) {
+ *phys = obj->iova;
+ return NULL;
+ }
+diff --git a/drivers/gpu/drm/tegra/plane.c b/drivers/gpu/drm/tegra/plane.c
+index cadcdd9ea427..9ccfb56e9b01 100644
+--- a/drivers/gpu/drm/tegra/plane.c
++++ b/drivers/gpu/drm/tegra/plane.c
+@@ -3,6 +3,8 @@
+ * Copyright (C) 2017 NVIDIA CORPORATION. All rights reserved.
+ */
+
++#include <linux/iommu.h>
++
+ #include <drm/drm_atomic.h>
+ #include <drm/drm_atomic_helper.h>
+ #include <drm/drm_fourcc.h>
+@@ -107,21 +109,27 @@ const struct drm_plane_funcs tegra_plane_funcs = {
+
+ static int tegra_dc_pin(struct tegra_dc *dc, struct tegra_plane_state *state)
+ {
++ struct iommu_domain *domain = iommu_get_domain_for_dev(dc->dev);
+ unsigned int i;
+ int err;
+
+ for (i = 0; i < state->base.fb->format->num_planes; i++) {
+ struct tegra_bo *bo = tegra_fb_get_plane(state->base.fb, i);
++ dma_addr_t phys_addr, *phys;
++ struct sg_table *sgt;
+
+- if (!dc->client.group) {
+- struct sg_table *sgt;
++ if (!domain || dc->client.group)
++ phys = &phys_addr;
++ else
++ phys = NULL;
+
+- sgt = host1x_bo_pin(dc->dev, &bo->base, NULL);
+- if (IS_ERR(sgt)) {
+- err = PTR_ERR(sgt);
+- goto unpin;
+- }
++ sgt = host1x_bo_pin(dc->dev, &bo->base, phys);
++ if (IS_ERR(sgt)) {
++ err = PTR_ERR(sgt);
++ goto unpin;
++ }
+
++ if (sgt) {
+ err = dma_map_sg(dc->dev, sgt->sgl, sgt->nents,
+ DMA_TO_DEVICE);
+ if (err == 0) {
+@@ -143,7 +151,7 @@ static int tegra_dc_pin(struct tegra_dc *dc, struct tegra_plane_state *state)
+ state->iova[i] = sg_dma_address(sgt->sgl);
+ state->sgt[i] = sgt;
+ } else {
+- state->iova[i] = bo->iova;
++ state->iova[i] = phys_addr;
+ }
+ }
+
+@@ -156,9 +164,11 @@ unpin:
+ struct tegra_bo *bo = tegra_fb_get_plane(state->base.fb, i);
+ struct sg_table *sgt = state->sgt[i];
+
+- dma_unmap_sg(dc->dev, sgt->sgl, sgt->nents, DMA_TO_DEVICE);
+- host1x_bo_unpin(dc->dev, &bo->base, sgt);
++ if (sgt)
++ dma_unmap_sg(dc->dev, sgt->sgl, sgt->nents,
++ DMA_TO_DEVICE);
+
++ host1x_bo_unpin(dc->dev, &bo->base, sgt);
+ state->iova[i] = DMA_MAPPING_ERROR;
+ state->sgt[i] = NULL;
+ }
+@@ -172,17 +182,13 @@ static void tegra_dc_unpin(struct tegra_dc *dc, struct tegra_plane_state *state)
+
+ for (i = 0; i < state->base.fb->format->num_planes; i++) {
+ struct tegra_bo *bo = tegra_fb_get_plane(state->base.fb, i);
++ struct sg_table *sgt = state->sgt[i];
+
+- if (!dc->client.group) {
+- struct sg_table *sgt = state->sgt[i];
+-
+- if (sgt) {
+- dma_unmap_sg(dc->dev, sgt->sgl, sgt->nents,
+- DMA_TO_DEVICE);
+- host1x_bo_unpin(dc->dev, &bo->base, sgt);
+- }
+- }
++ if (sgt)
++ dma_unmap_sg(dc->dev, sgt->sgl, sgt->nents,
++ DMA_TO_DEVICE);
+
++ host1x_bo_unpin(dc->dev, &bo->base, sgt);
+ state->iova[i] = DMA_MAPPING_ERROR;
+ state->sgt[i] = NULL;
+ }
+diff --git a/drivers/gpu/host1x/job.c b/drivers/gpu/host1x/job.c
+index 25ca54de8fc5..0d53c08e9972 100644
+--- a/drivers/gpu/host1x/job.c
++++ b/drivers/gpu/host1x/job.c
+@@ -8,6 +8,7 @@
+ #include <linux/dma-mapping.h>
+ #include <linux/err.h>
+ #include <linux/host1x.h>
++#include <linux/iommu.h>
+ #include <linux/kref.h>
+ #include <linux/module.h>
+ #include <linux/scatterlist.h>
+@@ -101,9 +102,11 @@ static unsigned int pin_job(struct host1x *host, struct host1x_job *job)
+ {
+ struct host1x_client *client = job->client;
+ struct device *dev = client->dev;
++ struct iommu_domain *domain;
+ unsigned int i;
+ int err;
+
++ domain = iommu_get_domain_for_dev(dev);
+ job->num_unpins = 0;
+
+ for (i = 0; i < job->num_relocs; i++) {
+@@ -117,7 +120,19 @@ static unsigned int pin_job(struct host1x *host, struct host1x_job *job)
+ goto unpin;
+ }
+
+- if (client->group)
++ /*
++ * If the client device is not attached to an IOMMU, the
++ * physical address of the buffer object can be used.
++ *
++ * Similarly, when an IOMMU domain is shared between all
++ * host1x clients, the IOVA is already available, so no
++ * need to map the buffer object again.
++ *
++ * XXX Note that this isn't always safe to do because it
++ * relies on an assumption that no cache maintenance is
++ * needed on the buffer objects.
++ */
++ if (!domain || client->group)
+ phys = &phys_addr;
+ else
+ phys = NULL;
+@@ -176,6 +191,7 @@ static unsigned int pin_job(struct host1x *host, struct host1x_job *job)
+ dma_addr_t phys_addr;
+ unsigned long shift;
+ struct iova *alloc;
++ dma_addr_t *phys;
+ unsigned int j;
+
+ g->bo = host1x_bo_get(g->bo);
+@@ -184,7 +200,17 @@ static unsigned int pin_job(struct host1x *host, struct host1x_job *job)
+ goto unpin;
+ }
+
+- sgt = host1x_bo_pin(host->dev, g->bo, NULL);
++ /**
++ * If the host1x is not attached to an IOMMU, there is no need
++ * to map the buffer object for the host1x, since the physical
++ * address can simply be used.
++ */
++ if (!iommu_get_domain_for_dev(host->dev))
++ phys = &phys_addr;
++ else
++ phys = NULL;
++
++ sgt = host1x_bo_pin(host->dev, g->bo, phys);
+ if (IS_ERR(sgt)) {
+ err = PTR_ERR(sgt);
+ goto unpin;
+@@ -214,7 +240,7 @@ static unsigned int pin_job(struct host1x *host, struct host1x_job *job)
+
+ job->unpins[job->num_unpins].size = gather_size;
+ phys_addr = iova_dma_addr(&host->iova, alloc);
+- } else {
++ } else if (sgt) {
+ err = dma_map_sg(host->dev, sgt->sgl, sgt->nents,
+ DMA_TO_DEVICE);
+ if (!err) {
+diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
+index b155d0052981..a02ce43d778d 100644
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -1217,10 +1217,7 @@ static unsigned int alloc_balloon_pages(struct hv_dynmem_device *dm,
+ unsigned int i, j;
+ struct page *pg;
+
+- if (num_pages < alloc_unit)
+- return 0;
+-
+- for (i = 0; (i * alloc_unit) < num_pages; i++) {
++ for (i = 0; i < num_pages / alloc_unit; i++) {
+ if (bl_resp->hdr.size + sizeof(union dm_mem_page_range) >
+ HV_HYP_PAGE_SIZE)
+ return i * alloc_unit;
+@@ -1258,7 +1255,7 @@ static unsigned int alloc_balloon_pages(struct hv_dynmem_device *dm,
+
+ }
+
+- return num_pages;
++ return i * alloc_unit;
+ }
+
+ static void balloon_up(struct work_struct *dummy)
+@@ -1273,9 +1270,6 @@ static void balloon_up(struct work_struct *dummy)
+ long avail_pages;
+ unsigned long floor;
+
+- /* The host balloons pages in 2M granularity. */
+- WARN_ON_ONCE(num_pages % PAGES_IN_2M != 0);
+-
+ /*
+ * We will attempt 2M allocations. However, if we fail to
+ * allocate 2M chunks, we will go back to PAGE_SIZE allocations.
+@@ -1285,14 +1279,13 @@ static void balloon_up(struct work_struct *dummy)
+ avail_pages = si_mem_available();
+ floor = compute_balloon_floor();
+
+- /* Refuse to balloon below the floor, keep the 2M granularity. */
++ /* Refuse to balloon below the floor. */
+ if (avail_pages < num_pages || avail_pages - num_pages < floor) {
+ pr_warn("Balloon request will be partially fulfilled. %s\n",
+ avail_pages < num_pages ? "Not enough memory." :
+ "Balloon floor reached.");
+
+ num_pages = avail_pages > floor ? (avail_pages - floor) : 0;
+- num_pages -= num_pages % PAGES_IN_2M;
+ }
+
+ while (!done) {
+diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c
+index e42d44e501fd..b9baf7d0a5cb 100644
+--- a/drivers/infiniband/core/umem_odp.c
++++ b/drivers/infiniband/core/umem_odp.c
+@@ -242,21 +242,10 @@ struct ib_umem_odp *ib_umem_odp_get(struct ib_udata *udata, unsigned long addr,
+ umem_odp->notifier.ops = ops;
+
+ umem_odp->page_shift = PAGE_SHIFT;
+- if (access & IB_ACCESS_HUGETLB) {
+- struct vm_area_struct *vma;
+- struct hstate *h;
+-
+- down_read(&mm->mmap_sem);
+- vma = find_vma(mm, ib_umem_start(umem_odp));
+- if (!vma || !is_vm_hugetlb_page(vma)) {
+- up_read(&mm->mmap_sem);
+- ret = -EINVAL;
+- goto err_free;
+- }
+- h = hstate_vma(vma);
+- umem_odp->page_shift = huge_page_shift(h);
+- up_read(&mm->mmap_sem);
+- }
++#ifdef CONFIG_HUGETLB_PAGE
++ if (access & IB_ACCESS_HUGETLB)
++ umem_odp->page_shift = HPAGE_SHIFT;
++#endif
+
+ umem_odp->tgid = get_task_pid(current->group_leader, PIDTYPE_PID);
+ ret = ib_init_umem_odp(umem_odp, ops);
+@@ -266,7 +255,6 @@ struct ib_umem_odp *ib_umem_odp_get(struct ib_udata *udata, unsigned long addr,
+
+ err_put_pid:
+ put_pid(umem_odp->tgid);
+-err_free:
+ kfree(umem_odp);
+ return ERR_PTR(ret);
+ }
+@@ -440,7 +428,7 @@ int ib_umem_odp_map_dma_pages(struct ib_umem_odp *umem_odp, u64 user_virt,
+
+ while (bcnt > 0) {
+ const size_t gup_num_pages = min_t(size_t,
+- (bcnt + BIT(page_shift) - 1) >> page_shift,
++ ALIGN(bcnt, PAGE_SIZE) / PAGE_SIZE,
+ PAGE_SIZE / sizeof(struct page *));
+
+ down_read(&owning_mm->mmap_sem);
+diff --git a/drivers/infiniband/hw/mlx5/gsi.c b/drivers/infiniband/hw/mlx5/gsi.c
+index ac4d8d1b9a07..1ae6fd95acaa 100644
+--- a/drivers/infiniband/hw/mlx5/gsi.c
++++ b/drivers/infiniband/hw/mlx5/gsi.c
+@@ -507,8 +507,7 @@ int mlx5_ib_gsi_post_send(struct ib_qp *qp, const struct ib_send_wr *wr,
+ ret = ib_post_send(tx_qp, &cur_wr.wr, bad_wr);
+ if (ret) {
+ /* Undo the effect of adding the outstanding wr */
+- gsi->outstanding_pi = (gsi->outstanding_pi - 1) %
+- gsi->cap.max_send_wr;
++ gsi->outstanding_pi--;
+ goto err;
+ }
+ spin_unlock_irqrestore(&gsi->lock, flags);
+diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h
+index 9198c1b480d9..78d1067e9e17 100644
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -329,6 +329,9 @@ struct cached_dev {
+ */
+ atomic_t has_dirty;
+
++#define BCH_CACHE_READA_ALL 0
++#define BCH_CACHE_READA_META_ONLY 1
++ unsigned int cache_readahead_policy;
+ struct bch_ratelimit writeback_rate;
+ struct delayed_work writeback_rate_update;
+
+diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
+index 73478a91a342..820d8402a1dc 100644
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -379,13 +379,20 @@ static bool check_should_bypass(struct cached_dev *dc, struct bio *bio)
+ goto skip;
+
+ /*
+- * Flag for bypass if the IO is for read-ahead or background,
+- * unless the read-ahead request is for metadata
++ * If the bio is for read-ahead or background IO, bypass it or
++ * not depends on the following situations,
++ * - If the IO is for meta data, always cache it and no bypass
++ * - If the IO is not meta data, check dc->cache_reada_policy,
++ * BCH_CACHE_READA_ALL: cache it and not bypass
++ * BCH_CACHE_READA_META_ONLY: not cache it and bypass
++ * That is, read-ahead request for metadata always get cached
+ * (eg, for gfs2 or xfs).
+ */
+- if (bio->bi_opf & (REQ_RAHEAD|REQ_BACKGROUND) &&
+- !(bio->bi_opf & (REQ_META|REQ_PRIO)))
+- goto skip;
++ if ((bio->bi_opf & (REQ_RAHEAD|REQ_BACKGROUND))) {
++ if (!(bio->bi_opf & (REQ_META|REQ_PRIO)) &&
++ (dc->cache_readahead_policy != BCH_CACHE_READA_ALL))
++ goto skip;
++ }
+
+ if (bio->bi_iter.bi_sector & (c->sb.block_size - 1) ||
+ bio_sectors(bio) & (c->sb.block_size - 1)) {
+diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c
+index 733e2ddf3c78..3470fae4eabc 100644
+--- a/drivers/md/bcache/sysfs.c
++++ b/drivers/md/bcache/sysfs.c
+@@ -27,6 +27,12 @@ static const char * const bch_cache_modes[] = {
+ NULL
+ };
+
++static const char * const bch_reada_cache_policies[] = {
++ "all",
++ "meta-only",
++ NULL
++};
++
+ /* Default is 0 ("auto") */
+ static const char * const bch_stop_on_failure_modes[] = {
+ "auto",
+@@ -100,6 +106,7 @@ rw_attribute(congested_write_threshold_us);
+ rw_attribute(sequential_cutoff);
+ rw_attribute(data_csum);
+ rw_attribute(cache_mode);
++rw_attribute(readahead_cache_policy);
+ rw_attribute(stop_when_cache_set_failed);
+ rw_attribute(writeback_metadata);
+ rw_attribute(writeback_running);
+@@ -168,6 +175,11 @@ SHOW(__bch_cached_dev)
+ bch_cache_modes,
+ BDEV_CACHE_MODE(&dc->sb));
+
++ if (attr == &sysfs_readahead_cache_policy)
++ return bch_snprint_string_list(buf, PAGE_SIZE,
++ bch_reada_cache_policies,
++ dc->cache_readahead_policy);
++
+ if (attr == &sysfs_stop_when_cache_set_failed)
+ return bch_snprint_string_list(buf, PAGE_SIZE,
+ bch_stop_on_failure_modes,
+@@ -353,6 +365,15 @@ STORE(__cached_dev)
+ }
+ }
+
++ if (attr == &sysfs_readahead_cache_policy) {
++ v = __sysfs_match_string(bch_reada_cache_policies, -1, buf);
++ if (v < 0)
++ return v;
++
++ if ((unsigned int) v != dc->cache_readahead_policy)
++ dc->cache_readahead_policy = v;
++ }
++
+ if (attr == &sysfs_stop_when_cache_set_failed) {
+ v = __sysfs_match_string(bch_stop_on_failure_modes, -1, buf);
+ if (v < 0)
+@@ -467,6 +488,7 @@ static struct attribute *bch_cached_dev_files[] = {
+ &sysfs_data_csum,
+ #endif
+ &sysfs_cache_mode,
++ &sysfs_readahead_cache_policy,
+ &sysfs_stop_when_cache_set_failed,
+ &sysfs_writeback_metadata,
+ &sysfs_writeback_running,
+diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
+index eb9782fc93fe..492bbe0584d9 100644
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -331,8 +331,14 @@ static int crypt_iv_essiv_gen(struct crypt_config *cc, u8 *iv,
+ static int crypt_iv_benbi_ctr(struct crypt_config *cc, struct dm_target *ti,
+ const char *opts)
+ {
+- unsigned bs = crypto_skcipher_blocksize(any_tfm(cc));
+- int log = ilog2(bs);
++ unsigned bs;
++ int log;
++
++ if (test_bit(CRYPT_MODE_INTEGRITY_AEAD, &cc->cipher_flags))
++ bs = crypto_aead_blocksize(any_tfm_aead(cc));
++ else
++ bs = crypto_skcipher_blocksize(any_tfm(cc));
++ log = ilog2(bs);
+
+ /* we need to calculate how far we must shift the sector count
+ * to get the cipher block count, we use this shift in _gen */
+@@ -717,7 +723,7 @@ static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv,
+ struct crypto_wait wait;
+ int err;
+
+- req = skcipher_request_alloc(any_tfm(cc), GFP_KERNEL | GFP_NOFS);
++ req = skcipher_request_alloc(any_tfm(cc), GFP_NOIO);
+ if (!req)
+ return -ENOMEM;
+
+diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
+index b88d6d701f5b..8bb723f1a569 100644
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -387,16 +387,15 @@ static int subtree_equal(void *context, const void *value1_le, const void *value
+ * Variant that is used for in-core only changes or code that
+ * shouldn't put the pool in service on its own (e.g. commit).
+ */
+-static inline void __pmd_write_lock(struct dm_pool_metadata *pmd)
++static inline void pmd_write_lock_in_core(struct dm_pool_metadata *pmd)
+ __acquires(pmd->root_lock)
+ {
+ down_write(&pmd->root_lock);
+ }
+-#define pmd_write_lock_in_core(pmd) __pmd_write_lock((pmd))
+
+ static inline void pmd_write_lock(struct dm_pool_metadata *pmd)
+ {
+- __pmd_write_lock(pmd);
++ pmd_write_lock_in_core(pmd);
+ if (unlikely(!pmd->in_service))
+ pmd->in_service = true;
+ }
+@@ -831,6 +830,7 @@ static int __commit_transaction(struct dm_pool_metadata *pmd)
+ * We need to know if the thin_disk_superblock exceeds a 512-byte sector.
+ */
+ BUILD_BUG_ON(sizeof(struct thin_disk_superblock) > 512);
++ BUG_ON(!rwsem_is_locked(&pmd->root_lock));
+
+ if (unlikely(!pmd->in_service))
+ return 0;
+@@ -953,6 +953,7 @@ int dm_pool_metadata_close(struct dm_pool_metadata *pmd)
+ return -EBUSY;
+ }
+
++ pmd_write_lock_in_core(pmd);
+ if (!dm_bm_is_read_only(pmd->bm) && !pmd->fail_io) {
+ r = __commit_transaction(pmd);
+ if (r < 0)
+@@ -961,6 +962,7 @@ int dm_pool_metadata_close(struct dm_pool_metadata *pmd)
+ }
+ if (!pmd->fail_io)
+ __destroy_persistent_data_objects(pmd);
++ pmd_write_unlock(pmd);
+
+ kfree(pmd);
+ return 0;
+@@ -1841,7 +1843,7 @@ int dm_pool_commit_metadata(struct dm_pool_metadata *pmd)
+ * Care is taken to not have commit be what
+ * triggers putting the thin-pool in-service.
+ */
+- __pmd_write_lock(pmd);
++ pmd_write_lock_in_core(pmd);
+ if (pmd->fail_io)
+ goto out;
+
+diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
+index 57626c27a54b..a2bb2622cdbd 100644
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -3408,10 +3408,6 @@ static int pool_ctr(struct dm_target *ti, unsigned argc, char **argv)
+ if (r)
+ goto out_flags_changed;
+
+- dm_pool_register_pre_commit_callback(pt->pool->pmd,
+- metadata_pre_commit_callback,
+- pt);
+-
+ pt->callbacks.congested_fn = pool_is_congested;
+ dm_table_add_target_callbacks(ti->table, &pt->callbacks);
+
+@@ -3574,6 +3570,9 @@ static int pool_preresume(struct dm_target *ti)
+ if (r)
+ return r;
+
++ dm_pool_register_pre_commit_callback(pool->pmd,
++ metadata_pre_commit_callback, pt);
++
+ r = maybe_resize_data_dev(ti, &need_commit1);
+ if (r)
+ return r;
+diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c
+index 7d727a72aa13..9b0a3bf6a4a1 100644
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -442,7 +442,13 @@ static void writecache_notify_io(unsigned long error, void *context)
+ complete(&endio->c);
+ }
+
+-static void ssd_commit_flushed(struct dm_writecache *wc)
++static void writecache_wait_for_ios(struct dm_writecache *wc, int direction)
++{
++ wait_event(wc->bio_in_progress_wait[direction],
++ !atomic_read(&wc->bio_in_progress[direction]));
++}
++
++static void ssd_commit_flushed(struct dm_writecache *wc, bool wait_for_ios)
+ {
+ struct dm_io_region region;
+ struct dm_io_request req;
+@@ -488,17 +494,20 @@ static void ssd_commit_flushed(struct dm_writecache *wc)
+ writecache_notify_io(0, &endio);
+ wait_for_completion_io(&endio.c);
+
++ if (wait_for_ios)
++ writecache_wait_for_ios(wc, WRITE);
++
+ writecache_disk_flush(wc, wc->ssd_dev);
+
+ memset(wc->dirty_bitmap, 0, wc->dirty_bitmap_size);
+ }
+
+-static void writecache_commit_flushed(struct dm_writecache *wc)
++static void writecache_commit_flushed(struct dm_writecache *wc, bool wait_for_ios)
+ {
+ if (WC_MODE_PMEM(wc))
+ wmb();
+ else
+- ssd_commit_flushed(wc);
++ ssd_commit_flushed(wc, wait_for_ios);
+ }
+
+ static void writecache_disk_flush(struct dm_writecache *wc, struct dm_dev *dev)
+@@ -522,12 +531,6 @@ static void writecache_disk_flush(struct dm_writecache *wc, struct dm_dev *dev)
+ writecache_error(wc, r, "error flushing metadata: %d", r);
+ }
+
+-static void writecache_wait_for_ios(struct dm_writecache *wc, int direction)
+-{
+- wait_event(wc->bio_in_progress_wait[direction],
+- !atomic_read(&wc->bio_in_progress[direction]));
+-}
+-
+ #define WFE_RETURN_FOLLOWING 1
+ #define WFE_LOWEST_SEQ 2
+
+@@ -724,15 +727,12 @@ static void writecache_flush(struct dm_writecache *wc)
+ e = e2;
+ cond_resched();
+ }
+- writecache_commit_flushed(wc);
+-
+- if (!WC_MODE_PMEM(wc))
+- writecache_wait_for_ios(wc, WRITE);
++ writecache_commit_flushed(wc, true);
+
+ wc->seq_count++;
+ pmem_assign(sb(wc)->seq_count, cpu_to_le64(wc->seq_count));
+ writecache_flush_region(wc, &sb(wc)->seq_count, sizeof sb(wc)->seq_count);
+- writecache_commit_flushed(wc);
++ writecache_commit_flushed(wc, false);
+
+ wc->overwrote_committed = false;
+
+@@ -756,7 +756,7 @@ static void writecache_flush(struct dm_writecache *wc)
+ }
+
+ if (need_flush_after_free)
+- writecache_commit_flushed(wc);
++ writecache_commit_flushed(wc, false);
+ }
+
+ static void writecache_flush_work(struct work_struct *work)
+@@ -809,7 +809,7 @@ static void writecache_discard(struct dm_writecache *wc, sector_t start, sector_
+ }
+
+ if (discarded_something)
+- writecache_commit_flushed(wc);
++ writecache_commit_flushed(wc, false);
+ }
+
+ static bool writecache_wait_for_writeback(struct dm_writecache *wc)
+@@ -958,7 +958,7 @@ erase_this:
+
+ if (need_flush) {
+ writecache_flush_all_metadata(wc);
+- writecache_commit_flushed(wc);
++ writecache_commit_flushed(wc, false);
+ }
+
+ wc_unlock(wc);
+@@ -1342,7 +1342,7 @@ static void __writecache_endio_pmem(struct dm_writecache *wc, struct list_head *
+ wc->writeback_size--;
+ n_walked++;
+ if (unlikely(n_walked >= ENDIO_LATENCY)) {
+- writecache_commit_flushed(wc);
++ writecache_commit_flushed(wc, false);
+ wc_unlock(wc);
+ wc_lock(wc);
+ n_walked = 0;
+@@ -1423,7 +1423,7 @@ pop_from_list:
+ writecache_wait_for_ios(wc, READ);
+ }
+
+- writecache_commit_flushed(wc);
++ writecache_commit_flushed(wc, false);
+
+ wc_unlock(wc);
+ }
+@@ -1766,10 +1766,10 @@ static int init_memory(struct dm_writecache *wc)
+ write_original_sector_seq_count(wc, &wc->entries[b], -1, -1);
+
+ writecache_flush_all_metadata(wc);
+- writecache_commit_flushed(wc);
++ writecache_commit_flushed(wc, false);
+ pmem_assign(sb(wc)->magic, cpu_to_le32(MEMORY_SUPERBLOCK_MAGIC));
+ writecache_flush_region(wc, &sb(wc)->magic, sizeof sb(wc)->magic);
+- writecache_commit_flushed(wc);
++ writecache_commit_flushed(wc, false);
+
+ return 0;
+ }
+diff --git a/drivers/md/dm-zoned-metadata.c b/drivers/md/dm-zoned-metadata.c
+index 22b3cb0050a7..516c7b671d25 100644
+--- a/drivers/md/dm-zoned-metadata.c
++++ b/drivers/md/dm-zoned-metadata.c
+@@ -134,6 +134,7 @@ struct dmz_metadata {
+
+ sector_t zone_bitmap_size;
+ unsigned int zone_nr_bitmap_blocks;
++ unsigned int zone_bits_per_mblk;
+
+ unsigned int nr_bitmap_blocks;
+ unsigned int nr_map_blocks;
+@@ -1161,7 +1162,10 @@ static int dmz_init_zones(struct dmz_metadata *zmd)
+
+ /* Init */
+ zmd->zone_bitmap_size = dev->zone_nr_blocks >> 3;
+- zmd->zone_nr_bitmap_blocks = zmd->zone_bitmap_size >> DMZ_BLOCK_SHIFT;
++ zmd->zone_nr_bitmap_blocks =
++ max_t(sector_t, 1, zmd->zone_bitmap_size >> DMZ_BLOCK_SHIFT);
++ zmd->zone_bits_per_mblk = min_t(sector_t, dev->zone_nr_blocks,
++ DMZ_BLOCK_SIZE_BITS);
+
+ /* Allocate zone array */
+ zmd->zones = kcalloc(dev->nr_zones, sizeof(struct dm_zone), GFP_KERNEL);
+@@ -1956,7 +1960,7 @@ int dmz_copy_valid_blocks(struct dmz_metadata *zmd, struct dm_zone *from_zone,
+ dmz_release_mblock(zmd, to_mblk);
+ dmz_release_mblock(zmd, from_mblk);
+
+- chunk_block += DMZ_BLOCK_SIZE_BITS;
++ chunk_block += zmd->zone_bits_per_mblk;
+ }
+
+ to_zone->weight = from_zone->weight;
+@@ -2017,7 +2021,7 @@ int dmz_validate_blocks(struct dmz_metadata *zmd, struct dm_zone *zone,
+
+ /* Set bits */
+ bit = chunk_block & DMZ_BLOCK_MASK_BITS;
+- nr_bits = min(nr_blocks, DMZ_BLOCK_SIZE_BITS - bit);
++ nr_bits = min(nr_blocks, zmd->zone_bits_per_mblk - bit);
+
+ count = dmz_set_bits((unsigned long *)mblk->data, bit, nr_bits);
+ if (count) {
+@@ -2096,7 +2100,7 @@ int dmz_invalidate_blocks(struct dmz_metadata *zmd, struct dm_zone *zone,
+
+ /* Clear bits */
+ bit = chunk_block & DMZ_BLOCK_MASK_BITS;
+- nr_bits = min(nr_blocks, DMZ_BLOCK_SIZE_BITS - bit);
++ nr_bits = min(nr_blocks, zmd->zone_bits_per_mblk - bit);
+
+ count = dmz_clear_bits((unsigned long *)mblk->data,
+ bit, nr_bits);
+@@ -2156,6 +2160,7 @@ static int dmz_to_next_set_block(struct dmz_metadata *zmd, struct dm_zone *zone,
+ {
+ struct dmz_mblock *mblk;
+ unsigned int bit, set_bit, nr_bits;
++ unsigned int zone_bits = zmd->zone_bits_per_mblk;
+ unsigned long *bitmap;
+ int n = 0;
+
+@@ -2170,15 +2175,15 @@ static int dmz_to_next_set_block(struct dmz_metadata *zmd, struct dm_zone *zone,
+ /* Get offset */
+ bitmap = (unsigned long *) mblk->data;
+ bit = chunk_block & DMZ_BLOCK_MASK_BITS;
+- nr_bits = min(nr_blocks, DMZ_BLOCK_SIZE_BITS - bit);
++ nr_bits = min(nr_blocks, zone_bits - bit);
+ if (set)
+- set_bit = find_next_bit(bitmap, DMZ_BLOCK_SIZE_BITS, bit);
++ set_bit = find_next_bit(bitmap, zone_bits, bit);
+ else
+- set_bit = find_next_zero_bit(bitmap, DMZ_BLOCK_SIZE_BITS, bit);
++ set_bit = find_next_zero_bit(bitmap, zone_bits, bit);
+ dmz_release_mblock(zmd, mblk);
+
+ n += set_bit - bit;
+- if (set_bit < DMZ_BLOCK_SIZE_BITS)
++ if (set_bit < zone_bits)
+ break;
+
+ nr_blocks -= nr_bits;
+@@ -2281,7 +2286,7 @@ static void dmz_get_zone_weight(struct dmz_metadata *zmd, struct dm_zone *zone)
+ /* Count bits in this block */
+ bitmap = mblk->data;
+ bit = chunk_block & DMZ_BLOCK_MASK_BITS;
+- nr_bits = min(nr_blocks, DMZ_BLOCK_SIZE_BITS - bit);
++ nr_bits = min(nr_blocks, zmd->zone_bits_per_mblk - bit);
+ n += dmz_count_bits(bitmap, bit, nr_bits);
+
+ dmz_release_mblock(zmd, mblk);
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index e8f9661a10a1..b89f07ee2eff 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1859,6 +1859,7 @@ static void dm_init_normal_md_queue(struct mapped_device *md)
+ /*
+ * Initialize aspects of queue that aren't relevant for blk-mq
+ */
++ md->queue->backing_dev_info->congested_data = md;
+ md->queue->backing_dev_info->congested_fn = dm_any_congested;
+ }
+
+@@ -1949,7 +1950,12 @@ static struct mapped_device *alloc_dev(int minor)
+ if (!md->queue)
+ goto bad;
+ md->queue->queuedata = md;
+- md->queue->backing_dev_info->congested_data = md;
++ /*
++ * default to bio-based required ->make_request_fn until DM
++ * table is loaded and md->type established. If request-based
++ * table is loaded: blk-mq will override accordingly.
++ */
++ blk_queue_make_request(md->queue, dm_make_request);
+
+ md->disk = alloc_disk_node(1, md->numa_node_id);
+ if (!md->disk)
+@@ -2264,7 +2270,6 @@ int dm_setup_md_queue(struct mapped_device *md, struct dm_table *t)
+ case DM_TYPE_DAX_BIO_BASED:
+ case DM_TYPE_NVME_BIO_BASED:
+ dm_init_normal_md_queue(md);
+- blk_queue_make_request(md->queue, dm_make_request);
+ break;
+ case DM_TYPE_NONE:
+ WARN_ON_ONCE(true);
+diff --git a/drivers/md/persistent-data/dm-space-map-common.c b/drivers/md/persistent-data/dm-space-map-common.c
+index bd68f6fef694..d8b4125e338c 100644
+--- a/drivers/md/persistent-data/dm-space-map-common.c
++++ b/drivers/md/persistent-data/dm-space-map-common.c
+@@ -380,6 +380,33 @@ int sm_ll_find_free_block(struct ll_disk *ll, dm_block_t begin,
+ return -ENOSPC;
+ }
+
++int sm_ll_find_common_free_block(struct ll_disk *old_ll, struct ll_disk *new_ll,
++ dm_block_t begin, dm_block_t end, dm_block_t *b)
++{
++ int r;
++ uint32_t count;
++
++ do {
++ r = sm_ll_find_free_block(new_ll, begin, new_ll->nr_blocks, b);
++ if (r)
++ break;
++
++ /* double check this block wasn't used in the old transaction */
++ if (*b >= old_ll->nr_blocks)
++ count = 0;
++ else {
++ r = sm_ll_lookup(old_ll, *b, &count);
++ if (r)
++ break;
++
++ if (count)
++ begin = *b + 1;
++ }
++ } while (count);
++
++ return r;
++}
++
+ static int sm_ll_mutate(struct ll_disk *ll, dm_block_t b,
+ int (*mutator)(void *context, uint32_t old, uint32_t *new),
+ void *context, enum allocation_event *ev)
+diff --git a/drivers/md/persistent-data/dm-space-map-common.h b/drivers/md/persistent-data/dm-space-map-common.h
+index b3078d5eda0c..8de63ce39bdd 100644
+--- a/drivers/md/persistent-data/dm-space-map-common.h
++++ b/drivers/md/persistent-data/dm-space-map-common.h
+@@ -109,6 +109,8 @@ int sm_ll_lookup_bitmap(struct ll_disk *ll, dm_block_t b, uint32_t *result);
+ int sm_ll_lookup(struct ll_disk *ll, dm_block_t b, uint32_t *result);
+ int sm_ll_find_free_block(struct ll_disk *ll, dm_block_t begin,
+ dm_block_t end, dm_block_t *result);
++int sm_ll_find_common_free_block(struct ll_disk *old_ll, struct ll_disk *new_ll,
++ dm_block_t begin, dm_block_t end, dm_block_t *result);
+ int sm_ll_insert(struct ll_disk *ll, dm_block_t b, uint32_t ref_count, enum allocation_event *ev);
+ int sm_ll_inc(struct ll_disk *ll, dm_block_t b, enum allocation_event *ev);
+ int sm_ll_dec(struct ll_disk *ll, dm_block_t b, enum allocation_event *ev);
+diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c
+index 32adf6b4a9c7..bf4c5e2ccb6f 100644
+--- a/drivers/md/persistent-data/dm-space-map-disk.c
++++ b/drivers/md/persistent-data/dm-space-map-disk.c
+@@ -167,8 +167,10 @@ static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b)
+ enum allocation_event ev;
+ struct sm_disk *smd = container_of(sm, struct sm_disk, sm);
+
+- /* FIXME: we should loop round a couple of times */
+- r = sm_ll_find_free_block(&smd->old_ll, smd->begin, smd->old_ll.nr_blocks, b);
++ /*
++ * Any block we allocate has to be free in both the old and current ll.
++ */
++ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b);
+ if (r)
+ return r;
+
+diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
+index 25328582cc48..9e3c64ec2026 100644
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -448,7 +448,10 @@ static int sm_metadata_new_block_(struct dm_space_map *sm, dm_block_t *b)
+ enum allocation_event ev;
+ struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+
+- r = sm_ll_find_free_block(&smm->old_ll, smm->begin, smm->old_ll.nr_blocks, b);
++ /*
++ * Any block we allocate has to be free in both the old and current ll.
++ */
++ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b);
+ if (r)
+ return r;
+
+diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c
+index 872d6441e512..a7deca1fefb7 100644
+--- a/drivers/media/rc/iguanair.c
++++ b/drivers/media/rc/iguanair.c
+@@ -413,7 +413,7 @@ static int iguanair_probe(struct usb_interface *intf,
+ int ret, pipein, pipeout;
+ struct usb_host_interface *idesc;
+
+- idesc = intf->altsetting;
++ idesc = intf->cur_altsetting;
+ if (idesc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
+diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
+index 7741151606ef..6f80c251f641 100644
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1891,23 +1891,28 @@ int rc_register_device(struct rc_dev *dev)
+
+ dev->registered = true;
+
+- if (dev->driver_type != RC_DRIVER_IR_RAW_TX) {
+- rc = rc_setup_rx_device(dev);
+- if (rc)
+- goto out_dev;
+- }
+-
+- /* Ensure that the lirc kfifo is setup before we start the thread */
++ /*
++ * once the the input device is registered in rc_setup_rx_device,
++ * userspace can open the input device and rc_open() will be called
++ * as a result. This results in driver code being allowed to submit
++ * keycodes with rc_keydown, so lirc must be registered first.
++ */
+ if (dev->allowed_protocols != RC_PROTO_BIT_CEC) {
+ rc = ir_lirc_register(dev);
+ if (rc < 0)
+- goto out_rx;
++ goto out_dev;
++ }
++
++ if (dev->driver_type != RC_DRIVER_IR_RAW_TX) {
++ rc = rc_setup_rx_device(dev);
++ if (rc)
++ goto out_lirc;
+ }
+
+ if (dev->driver_type == RC_DRIVER_IR_RAW) {
+ rc = ir_raw_event_register(dev);
+ if (rc < 0)
+- goto out_lirc;
++ goto out_rx;
+ }
+
+ dev_dbg(&dev->dev, "Registered rc%u (driver: %s)\n", dev->minor,
+@@ -1915,11 +1920,11 @@ int rc_register_device(struct rc_dev *dev)
+
+ return 0;
+
++out_rx:
++ rc_free_rx_device(dev);
+ out_lirc:
+ if (dev->allowed_protocols != RC_PROTO_BIT_CEC)
+ ir_lirc_unregister(dev);
+-out_rx:
+- rc_free_rx_device(dev);
+ out_dev:
+ device_del(&dev->dev);
+ out_rx_free:
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 428235ca2635..2b688cc39bb8 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1493,6 +1493,11 @@ static int uvc_scan_chain_forward(struct uvc_video_chain *chain,
+ break;
+ if (forward == prev)
+ continue;
++ if (forward->chain.next || forward->chain.prev) {
++ uvc_trace(UVC_TRACE_DESCR, "Found reference to "
++ "entity %d already in chain.\n", forward->id);
++ return -EINVAL;
++ }
+
+ switch (UVC_ENTITY_TYPE(forward)) {
+ case UVC_VC_EXTENSION_UNIT:
+@@ -1574,6 +1579,13 @@ static int uvc_scan_chain_backward(struct uvc_video_chain *chain,
+ return -1;
+ }
+
++ if (term->chain.next || term->chain.prev) {
++ uvc_trace(UVC_TRACE_DESCR, "Found reference to "
++ "entity %d already in chain.\n",
++ term->id);
++ return -EINVAL;
++ }
++
+ if (uvc_trace_param & UVC_TRACE_PROBE)
+ printk(KERN_CONT " %d", term->id);
+
+diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+index e1eaf1135c7f..7ad6db8dd9f6 100644
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -1183,36 +1183,38 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ u32 aux_space;
+ int compatible_arg = 1;
+ long err = 0;
++ unsigned int ncmd;
+
+ /*
+ * 1. When struct size is different, converts the command.
+ */
+ switch (cmd) {
+- case VIDIOC_G_FMT32: cmd = VIDIOC_G_FMT; break;
+- case VIDIOC_S_FMT32: cmd = VIDIOC_S_FMT; break;
+- case VIDIOC_QUERYBUF32: cmd = VIDIOC_QUERYBUF; break;
+- case VIDIOC_G_FBUF32: cmd = VIDIOC_G_FBUF; break;
+- case VIDIOC_S_FBUF32: cmd = VIDIOC_S_FBUF; break;
+- case VIDIOC_QBUF32: cmd = VIDIOC_QBUF; break;
+- case VIDIOC_DQBUF32: cmd = VIDIOC_DQBUF; break;
+- case VIDIOC_ENUMSTD32: cmd = VIDIOC_ENUMSTD; break;
+- case VIDIOC_ENUMINPUT32: cmd = VIDIOC_ENUMINPUT; break;
+- case VIDIOC_TRY_FMT32: cmd = VIDIOC_TRY_FMT; break;
+- case VIDIOC_G_EXT_CTRLS32: cmd = VIDIOC_G_EXT_CTRLS; break;
+- case VIDIOC_S_EXT_CTRLS32: cmd = VIDIOC_S_EXT_CTRLS; break;
+- case VIDIOC_TRY_EXT_CTRLS32: cmd = VIDIOC_TRY_EXT_CTRLS; break;
+- case VIDIOC_DQEVENT32: cmd = VIDIOC_DQEVENT; break;
+- case VIDIOC_OVERLAY32: cmd = VIDIOC_OVERLAY; break;
+- case VIDIOC_STREAMON32: cmd = VIDIOC_STREAMON; break;
+- case VIDIOC_STREAMOFF32: cmd = VIDIOC_STREAMOFF; break;
+- case VIDIOC_G_INPUT32: cmd = VIDIOC_G_INPUT; break;
+- case VIDIOC_S_INPUT32: cmd = VIDIOC_S_INPUT; break;
+- case VIDIOC_G_OUTPUT32: cmd = VIDIOC_G_OUTPUT; break;
+- case VIDIOC_S_OUTPUT32: cmd = VIDIOC_S_OUTPUT; break;
+- case VIDIOC_CREATE_BUFS32: cmd = VIDIOC_CREATE_BUFS; break;
+- case VIDIOC_PREPARE_BUF32: cmd = VIDIOC_PREPARE_BUF; break;
+- case VIDIOC_G_EDID32: cmd = VIDIOC_G_EDID; break;
+- case VIDIOC_S_EDID32: cmd = VIDIOC_S_EDID; break;
++ case VIDIOC_G_FMT32: ncmd = VIDIOC_G_FMT; break;
++ case VIDIOC_S_FMT32: ncmd = VIDIOC_S_FMT; break;
++ case VIDIOC_QUERYBUF32: ncmd = VIDIOC_QUERYBUF; break;
++ case VIDIOC_G_FBUF32: ncmd = VIDIOC_G_FBUF; break;
++ case VIDIOC_S_FBUF32: ncmd = VIDIOC_S_FBUF; break;
++ case VIDIOC_QBUF32: ncmd = VIDIOC_QBUF; break;
++ case VIDIOC_DQBUF32: ncmd = VIDIOC_DQBUF; break;
++ case VIDIOC_ENUMSTD32: ncmd = VIDIOC_ENUMSTD; break;
++ case VIDIOC_ENUMINPUT32: ncmd = VIDIOC_ENUMINPUT; break;
++ case VIDIOC_TRY_FMT32: ncmd = VIDIOC_TRY_FMT; break;
++ case VIDIOC_G_EXT_CTRLS32: ncmd = VIDIOC_G_EXT_CTRLS; break;
++ case VIDIOC_S_EXT_CTRLS32: ncmd = VIDIOC_S_EXT_CTRLS; break;
++ case VIDIOC_TRY_EXT_CTRLS32: ncmd = VIDIOC_TRY_EXT_CTRLS; break;
++ case VIDIOC_DQEVENT32: ncmd = VIDIOC_DQEVENT; break;
++ case VIDIOC_OVERLAY32: ncmd = VIDIOC_OVERLAY; break;
++ case VIDIOC_STREAMON32: ncmd = VIDIOC_STREAMON; break;
++ case VIDIOC_STREAMOFF32: ncmd = VIDIOC_STREAMOFF; break;
++ case VIDIOC_G_INPUT32: ncmd = VIDIOC_G_INPUT; break;
++ case VIDIOC_S_INPUT32: ncmd = VIDIOC_S_INPUT; break;
++ case VIDIOC_G_OUTPUT32: ncmd = VIDIOC_G_OUTPUT; break;
++ case VIDIOC_S_OUTPUT32: ncmd = VIDIOC_S_OUTPUT; break;
++ case VIDIOC_CREATE_BUFS32: ncmd = VIDIOC_CREATE_BUFS; break;
++ case VIDIOC_PREPARE_BUF32: ncmd = VIDIOC_PREPARE_BUF; break;
++ case VIDIOC_G_EDID32: ncmd = VIDIOC_G_EDID; break;
++ case VIDIOC_S_EDID32: ncmd = VIDIOC_S_EDID; break;
++ default: ncmd = cmd; break;
+ }
+
+ /*
+@@ -1221,11 +1223,11 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ * argument into it.
+ */
+ switch (cmd) {
+- case VIDIOC_OVERLAY:
+- case VIDIOC_STREAMON:
+- case VIDIOC_STREAMOFF:
+- case VIDIOC_S_INPUT:
+- case VIDIOC_S_OUTPUT:
++ case VIDIOC_OVERLAY32:
++ case VIDIOC_STREAMON32:
++ case VIDIOC_STREAMOFF32:
++ case VIDIOC_S_INPUT32:
++ case VIDIOC_S_OUTPUT32:
+ err = alloc_userspace(sizeof(unsigned int), 0, &new_p64);
+ if (!err && assign_in_user((unsigned int __user *)new_p64,
+ (compat_uint_t __user *)p32))
+@@ -1233,23 +1235,23 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_INPUT:
+- case VIDIOC_G_OUTPUT:
++ case VIDIOC_G_INPUT32:
++ case VIDIOC_G_OUTPUT32:
+ err = alloc_userspace(sizeof(unsigned int), 0, &new_p64);
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_EDID:
+- case VIDIOC_S_EDID:
++ case VIDIOC_G_EDID32:
++ case VIDIOC_S_EDID32:
+ err = alloc_userspace(sizeof(struct v4l2_edid), 0, &new_p64);
+ if (!err)
+ err = get_v4l2_edid32(new_p64, p32);
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_FMT:
+- case VIDIOC_S_FMT:
+- case VIDIOC_TRY_FMT:
++ case VIDIOC_G_FMT32:
++ case VIDIOC_S_FMT32:
++ case VIDIOC_TRY_FMT32:
+ err = bufsize_v4l2_format(p32, &aux_space);
+ if (!err)
+ err = alloc_userspace(sizeof(struct v4l2_format),
+@@ -1262,7 +1264,7 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_CREATE_BUFS:
++ case VIDIOC_CREATE_BUFS32:
+ err = bufsize_v4l2_create(p32, &aux_space);
+ if (!err)
+ err = alloc_userspace(sizeof(struct v4l2_create_buffers),
+@@ -1275,10 +1277,10 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_PREPARE_BUF:
+- case VIDIOC_QUERYBUF:
+- case VIDIOC_QBUF:
+- case VIDIOC_DQBUF:
++ case VIDIOC_PREPARE_BUF32:
++ case VIDIOC_QUERYBUF32:
++ case VIDIOC_QBUF32:
++ case VIDIOC_DQBUF32:
+ err = bufsize_v4l2_buffer(p32, &aux_space);
+ if (!err)
+ err = alloc_userspace(sizeof(struct v4l2_buffer),
+@@ -1291,7 +1293,7 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_S_FBUF:
++ case VIDIOC_S_FBUF32:
+ err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
+ &new_p64);
+ if (!err)
+@@ -1299,13 +1301,13 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_FBUF:
++ case VIDIOC_G_FBUF32:
+ err = alloc_userspace(sizeof(struct v4l2_framebuffer), 0,
+ &new_p64);
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_ENUMSTD:
++ case VIDIOC_ENUMSTD32:
+ err = alloc_userspace(sizeof(struct v4l2_standard), 0,
+ &new_p64);
+ if (!err)
+@@ -1313,16 +1315,16 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_ENUMINPUT:
++ case VIDIOC_ENUMINPUT32:
+ err = alloc_userspace(sizeof(struct v4l2_input), 0, &new_p64);
+ if (!err)
+ err = get_v4l2_input32(new_p64, p32);
+ compatible_arg = 0;
+ break;
+
+- case VIDIOC_G_EXT_CTRLS:
+- case VIDIOC_S_EXT_CTRLS:
+- case VIDIOC_TRY_EXT_CTRLS:
++ case VIDIOC_G_EXT_CTRLS32:
++ case VIDIOC_S_EXT_CTRLS32:
++ case VIDIOC_TRY_EXT_CTRLS32:
+ err = bufsize_v4l2_ext_controls(p32, &aux_space);
+ if (!err)
+ err = alloc_userspace(sizeof(struct v4l2_ext_controls),
+@@ -1334,7 +1336,7 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ }
+ compatible_arg = 0;
+ break;
+- case VIDIOC_DQEVENT:
++ case VIDIOC_DQEVENT32:
+ err = alloc_userspace(sizeof(struct v4l2_event), 0, &new_p64);
+ compatible_arg = 0;
+ break;
+@@ -1352,9 +1354,9 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ * Otherwise, it will pass the newly allocated @new_p64 argument.
+ */
+ if (compatible_arg)
+- err = native_ioctl(file, cmd, (unsigned long)p32);
++ err = native_ioctl(file, ncmd, (unsigned long)p32);
+ else
+- err = native_ioctl(file, cmd, (unsigned long)new_p64);
++ err = native_ioctl(file, ncmd, (unsigned long)new_p64);
+
+ if (err == -ENOTTY)
+ return err;
+@@ -1370,13 +1372,13 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ * the blocks to maximum allowed value.
+ */
+ switch (cmd) {
+- case VIDIOC_G_EXT_CTRLS:
+- case VIDIOC_S_EXT_CTRLS:
+- case VIDIOC_TRY_EXT_CTRLS:
++ case VIDIOC_G_EXT_CTRLS32:
++ case VIDIOC_S_EXT_CTRLS32:
++ case VIDIOC_TRY_EXT_CTRLS32:
+ if (put_v4l2_ext_controls32(file, new_p64, p32))
+ err = -EFAULT;
+ break;
+- case VIDIOC_S_EDID:
++ case VIDIOC_S_EDID32:
+ if (put_v4l2_edid32(new_p64, p32))
+ err = -EFAULT;
+ break;
+@@ -1389,49 +1391,49 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ * the original 32 bits structure.
+ */
+ switch (cmd) {
+- case VIDIOC_S_INPUT:
+- case VIDIOC_S_OUTPUT:
+- case VIDIOC_G_INPUT:
+- case VIDIOC_G_OUTPUT:
++ case VIDIOC_S_INPUT32:
++ case VIDIOC_S_OUTPUT32:
++ case VIDIOC_G_INPUT32:
++ case VIDIOC_G_OUTPUT32:
+ if (assign_in_user((compat_uint_t __user *)p32,
+ ((unsigned int __user *)new_p64)))
+ err = -EFAULT;
+ break;
+
+- case VIDIOC_G_FBUF:
++ case VIDIOC_G_FBUF32:
+ err = put_v4l2_framebuffer32(new_p64, p32);
+ break;
+
+- case VIDIOC_DQEVENT:
++ case VIDIOC_DQEVENT32:
+ err = put_v4l2_event32(new_p64, p32);
+ break;
+
+- case VIDIOC_G_EDID:
++ case VIDIOC_G_EDID32:
+ err = put_v4l2_edid32(new_p64, p32);
+ break;
+
+- case VIDIOC_G_FMT:
+- case VIDIOC_S_FMT:
+- case VIDIOC_TRY_FMT:
++ case VIDIOC_G_FMT32:
++ case VIDIOC_S_FMT32:
++ case VIDIOC_TRY_FMT32:
+ err = put_v4l2_format32(new_p64, p32);
+ break;
+
+- case VIDIOC_CREATE_BUFS:
++ case VIDIOC_CREATE_BUFS32:
+ err = put_v4l2_create32(new_p64, p32);
+ break;
+
+- case VIDIOC_PREPARE_BUF:
+- case VIDIOC_QUERYBUF:
+- case VIDIOC_QBUF:
+- case VIDIOC_DQBUF:
++ case VIDIOC_PREPARE_BUF32:
++ case VIDIOC_QUERYBUF32:
++ case VIDIOC_QBUF32:
++ case VIDIOC_DQBUF32:
+ err = put_v4l2_buffer32(new_p64, p32);
+ break;
+
+- case VIDIOC_ENUMSTD:
++ case VIDIOC_ENUMSTD32:
+ err = put_v4l2_standard32(new_p64, p32);
+ break;
+
+- case VIDIOC_ENUMINPUT:
++ case VIDIOC_ENUMINPUT32:
+ err = put_v4l2_input32(new_p64, p32);
+ break;
+ }
+diff --git a/drivers/media/v4l2-core/videobuf-dma-sg.c b/drivers/media/v4l2-core/videobuf-dma-sg.c
+index 66a6c6c236a7..28262190c3ab 100644
+--- a/drivers/media/v4l2-core/videobuf-dma-sg.c
++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c
+@@ -349,8 +349,11 @@ int videobuf_dma_free(struct videobuf_dmabuf *dma)
+ BUG_ON(dma->sglen);
+
+ if (dma->pages) {
+- for (i = 0; i < dma->nr_pages; i++)
++ for (i = 0; i < dma->nr_pages; i++) {
++ if (dma->direction == DMA_FROM_DEVICE)
++ set_page_dirty_lock(dma->pages[i]);
+ put_page(dma->pages[i]);
++ }
+ kfree(dma->pages);
+ dma->pages = NULL;
+ }
+diff --git a/drivers/mfd/ab8500-core.c b/drivers/mfd/ab8500-core.c
+index bafc729fc434..3c6fda68e6bc 100644
+--- a/drivers/mfd/ab8500-core.c
++++ b/drivers/mfd/ab8500-core.c
+@@ -631,8 +631,8 @@ static const struct mfd_cell ab8500_devs[] = {
+ NULL, NULL, 0, 0, "stericsson,ab8500-ext-regulator"),
+ OF_MFD_CELL("ab8500-regulator",
+ NULL, NULL, 0, 0, "stericsson,ab8500-regulator"),
+- OF_MFD_CELL("abx500-clk",
+- NULL, NULL, 0, 0, "stericsson,abx500-clk"),
++ OF_MFD_CELL("ab8500-clk",
++ NULL, NULL, 0, 0, "stericsson,ab8500-clk"),
+ OF_MFD_CELL("ab8500-gpadc",
+ NULL, NULL, 0, 0, "stericsson,ab8500-gpadc"),
+ OF_MFD_CELL("ab8500-rtc",
+diff --git a/drivers/mfd/axp20x.c b/drivers/mfd/axp20x.c
+index a4aaadaa0cb0..aa59496e4376 100644
+--- a/drivers/mfd/axp20x.c
++++ b/drivers/mfd/axp20x.c
+@@ -126,7 +126,7 @@ static const struct regmap_range axp288_writeable_ranges[] = {
+ static const struct regmap_range axp288_volatile_ranges[] = {
+ regmap_reg_range(AXP20X_PWR_INPUT_STATUS, AXP288_POWER_REASON),
+ regmap_reg_range(AXP288_BC_GLOBAL, AXP288_BC_GLOBAL),
+- regmap_reg_range(AXP288_BC_DET_STAT, AXP288_BC_DET_STAT),
++ regmap_reg_range(AXP288_BC_DET_STAT, AXP20X_VBUS_IPSOUT_MGMT),
+ regmap_reg_range(AXP20X_CHRG_BAK_CTRL, AXP20X_CHRG_BAK_CTRL),
+ regmap_reg_range(AXP20X_IRQ1_EN, AXP20X_IPSOUT_V_HIGH_L),
+ regmap_reg_range(AXP20X_TIMER_CTRL, AXP20X_TIMER_CTRL),
+diff --git a/drivers/mfd/da9062-core.c b/drivers/mfd/da9062-core.c
+index e69626867c26..9143de7b77b8 100644
+--- a/drivers/mfd/da9062-core.c
++++ b/drivers/mfd/da9062-core.c
+@@ -248,7 +248,7 @@ static const struct mfd_cell da9062_devs[] = {
+ .name = "da9062-watchdog",
+ .num_resources = ARRAY_SIZE(da9062_wdt_resources),
+ .resources = da9062_wdt_resources,
+- .of_compatible = "dlg,da9062-wdt",
++ .of_compatible = "dlg,da9062-watchdog",
+ },
+ {
+ .name = "da9062-thermal",
+diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
+index 381593fbe50f..7841c11411d0 100644
+--- a/drivers/mfd/dln2.c
++++ b/drivers/mfd/dln2.c
+@@ -722,6 +722,8 @@ static int dln2_probe(struct usb_interface *interface,
+ const struct usb_device_id *usb_id)
+ {
+ struct usb_host_interface *hostif = interface->cur_altsetting;
++ struct usb_endpoint_descriptor *epin;
++ struct usb_endpoint_descriptor *epout;
+ struct device *dev = &interface->dev;
+ struct dln2_dev *dln2;
+ int ret;
+@@ -731,12 +733,19 @@ static int dln2_probe(struct usb_interface *interface,
+ hostif->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
++ epin = &hostif->endpoint[0].desc;
++ epout = &hostif->endpoint[1].desc;
++ if (!usb_endpoint_is_bulk_out(epout))
++ return -ENODEV;
++ if (!usb_endpoint_is_bulk_in(epin))
++ return -ENODEV;
++
+ dln2 = kzalloc(sizeof(*dln2), GFP_KERNEL);
+ if (!dln2)
+ return -ENOMEM;
+
+- dln2->ep_out = hostif->endpoint[0].desc.bEndpointAddress;
+- dln2->ep_in = hostif->endpoint[1].desc.bEndpointAddress;
++ dln2->ep_out = epout->bEndpointAddress;
++ dln2->ep_in = epin->bEndpointAddress;
+ dln2->usb_dev = usb_get_dev(interface_to_usbdev(interface));
+ dln2->interface = interface;
+ usb_set_intfdata(interface, dln2);
+diff --git a/drivers/mfd/rn5t618.c b/drivers/mfd/rn5t618.c
+index da5cd9c92a59..ead2e79036a9 100644
+--- a/drivers/mfd/rn5t618.c
++++ b/drivers/mfd/rn5t618.c
+@@ -26,6 +26,7 @@ static bool rn5t618_volatile_reg(struct device *dev, unsigned int reg)
+ case RN5T618_WATCHDOGCNT:
+ case RN5T618_DCIRQ:
+ case RN5T618_ILIMDATAH ... RN5T618_AIN0DATAL:
++ case RN5T618_ADCCNT3:
+ case RN5T618_IR_ADC1 ... RN5T618_IR_ADC3:
+ case RN5T618_IR_GPR:
+ case RN5T618_IR_GPF:
+diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
+index 74c6cfbf9172..1f02f54f09c0 100644
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -1134,17 +1134,22 @@ static void mmc_spi_initsequence(struct mmc_spi_host *host)
+ * SPI protocol. Another is that when chipselect is released while
+ * the card returns BUSY status, the clock must issue several cycles
+ * with chipselect high before the card will stop driving its output.
++ *
++ * SPI_CS_HIGH means "asserted" here. In some cases like when using
++ * GPIOs for chip select, SPI_CS_HIGH is set but this will be logically
++ * inverted by gpiolib, so if we want to ascertain to drive it high
++ * we should toggle the default with an XOR as we do here.
+ */
+- host->spi->mode |= SPI_CS_HIGH;
++ host->spi->mode ^= SPI_CS_HIGH;
+ if (spi_setup(host->spi) != 0) {
+ /* Just warn; most cards work without it. */
+ dev_warn(&host->spi->dev,
+ "can't change chip-select polarity\n");
+- host->spi->mode &= ~SPI_CS_HIGH;
++ host->spi->mode ^= SPI_CS_HIGH;
+ } else {
+ mmc_spi_readbytes(host, 18);
+
+- host->spi->mode &= ~SPI_CS_HIGH;
++ host->spi->mode ^= SPI_CS_HIGH;
+ if (spi_setup(host->spi) != 0) {
+ /* Wot, we can't get the same setup we had before? */
+ dev_err(&host->spi->dev,
+diff --git a/drivers/mmc/host/sdhci-of-at91.c b/drivers/mmc/host/sdhci-of-at91.c
+index 5959e394b416..99d82c1874d6 100644
+--- a/drivers/mmc/host/sdhci-of-at91.c
++++ b/drivers/mmc/host/sdhci-of-at91.c
+@@ -335,19 +335,22 @@ static int sdhci_at91_probe(struct platform_device *pdev)
+ priv->mainck = devm_clk_get(&pdev->dev, "baseclk");
+ if (IS_ERR(priv->mainck)) {
+ dev_err(&pdev->dev, "failed to get baseclk\n");
+- return PTR_ERR(priv->mainck);
++ ret = PTR_ERR(priv->mainck);
++ goto sdhci_pltfm_free;
+ }
+
+ priv->hclock = devm_clk_get(&pdev->dev, "hclock");
+ if (IS_ERR(priv->hclock)) {
+ dev_err(&pdev->dev, "failed to get hclock\n");
+- return PTR_ERR(priv->hclock);
++ ret = PTR_ERR(priv->hclock);
++ goto sdhci_pltfm_free;
+ }
+
+ priv->gck = devm_clk_get(&pdev->dev, "multclk");
+ if (IS_ERR(priv->gck)) {
+ dev_err(&pdev->dev, "failed to get multclk\n");
+- return PTR_ERR(priv->gck);
++ ret = PTR_ERR(priv->gck);
++ goto sdhci_pltfm_free;
+ }
+
+ ret = sdhci_at91_set_clks_presets(&pdev->dev);
+diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
+index b0cd443dd758..70e55fe61b99 100644
+--- a/drivers/mtd/spi-nor/spi-nor.c
++++ b/drivers/mtd/spi-nor/spi-nor.c
+@@ -2461,15 +2461,16 @@ static const struct flash_info spi_nor_ids[] = {
+ { "n25q256a", INFO(0x20ba19, 0, 64 * 1024, 512, SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ) },
+ { "n25q256ax1", INFO(0x20bb19, 0, 64 * 1024, 512, SECT_4K | SPI_NOR_QUAD_READ) },
+ { "n25q512ax3", INFO(0x20ba20, 0, 64 * 1024, 1024, SECT_4K | USE_FSR | SPI_NOR_QUAD_READ) },
++ { "mt25qu512a", INFO6(0x20bb20, 0x104400, 64 * 1024, 1024,
++ SECT_4K | USE_FSR | SPI_NOR_DUAL_READ |
++ SPI_NOR_QUAD_READ | SPI_NOR_4B_OPCODES) },
++ { "n25q512a", INFO(0x20bb20, 0, 64 * 1024, 1024, SECT_4K |
++ SPI_NOR_QUAD_READ) },
+ { "n25q00", INFO(0x20ba21, 0, 64 * 1024, 2048, SECT_4K | USE_FSR | SPI_NOR_QUAD_READ | NO_CHIP_ERASE) },
+ { "n25q00a", INFO(0x20bb21, 0, 64 * 1024, 2048, SECT_4K | USE_FSR | SPI_NOR_QUAD_READ | NO_CHIP_ERASE) },
+ { "mt25ql02g", INFO(0x20ba22, 0, 64 * 1024, 4096,
+ SECT_4K | USE_FSR | SPI_NOR_QUAD_READ |
+ NO_CHIP_ERASE) },
+- { "mt25qu512a (n25q512a)", INFO(0x20bb20, 0, 64 * 1024, 1024,
+- SECT_4K | USE_FSR | SPI_NOR_DUAL_READ |
+- SPI_NOR_QUAD_READ |
+- SPI_NOR_4B_OPCODES) },
+ { "mt25qu02g", INFO(0x20bb22, 0, 64 * 1024, 4096, SECT_4K | USE_FSR | SPI_NOR_QUAD_READ | NO_CHIP_ERASE) },
+
+ /* Micron */
+diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c
+index 1c7be4eb3ba6..53f448e7433a 100644
+--- a/drivers/mtd/ubi/fastmap.c
++++ b/drivers/mtd/ubi/fastmap.c
+@@ -64,7 +64,7 @@ static int self_check_seen(struct ubi_device *ubi, unsigned long *seen)
+ return 0;
+
+ for (pnum = 0; pnum < ubi->peb_count; pnum++) {
+- if (test_bit(pnum, seen) && ubi->lookuptbl[pnum]) {
++ if (!test_bit(pnum, seen) && ubi->lookuptbl[pnum]) {
+ ubi_err(ubi, "self-check failed for PEB %d, fastmap didn't see it", pnum);
+ ret = -EINVAL;
+ }
+@@ -1137,7 +1137,7 @@ static int ubi_write_fastmap(struct ubi_device *ubi,
+ struct rb_node *tmp_rb;
+ int ret, i, j, free_peb_count, used_peb_count, vol_count;
+ int scrub_peb_count, erase_peb_count;
+- unsigned long *seen_pebs = NULL;
++ unsigned long *seen_pebs;
+
+ fm_raw = ubi->fm_buf;
+ memset(ubi->fm_buf, 0, ubi->fm_size);
+@@ -1151,7 +1151,7 @@ static int ubi_write_fastmap(struct ubi_device *ubi,
+ dvbuf = new_fm_vbuf(ubi, UBI_FM_DATA_VOLUME_ID);
+ if (!dvbuf) {
+ ret = -ENOMEM;
+- goto out_kfree;
++ goto out_free_avbuf;
+ }
+
+ avhdr = ubi_get_vid_hdr(avbuf);
+@@ -1160,7 +1160,7 @@ static int ubi_write_fastmap(struct ubi_device *ubi,
+ seen_pebs = init_seen(ubi);
+ if (IS_ERR(seen_pebs)) {
+ ret = PTR_ERR(seen_pebs);
+- goto out_kfree;
++ goto out_free_dvbuf;
+ }
+
+ spin_lock(&ubi->volumes_lock);
+@@ -1328,7 +1328,7 @@ static int ubi_write_fastmap(struct ubi_device *ubi,
+ ret = ubi_io_write_vid_hdr(ubi, new_fm->e[0]->pnum, avbuf);
+ if (ret) {
+ ubi_err(ubi, "unable to write vid_hdr to fastmap SB!");
+- goto out_kfree;
++ goto out_free_seen;
+ }
+
+ for (i = 0; i < new_fm->used_blocks; i++) {
+@@ -1350,7 +1350,7 @@ static int ubi_write_fastmap(struct ubi_device *ubi,
+ if (ret) {
+ ubi_err(ubi, "unable to write vid_hdr to PEB %i!",
+ new_fm->e[i]->pnum);
+- goto out_kfree;
++ goto out_free_seen;
+ }
+ }
+
+@@ -1360,7 +1360,7 @@ static int ubi_write_fastmap(struct ubi_device *ubi,
+ if (ret) {
+ ubi_err(ubi, "unable to write fastmap to PEB %i!",
+ new_fm->e[i]->pnum);
+- goto out_kfree;
++ goto out_free_seen;
+ }
+ }
+
+@@ -1370,10 +1370,13 @@ static int ubi_write_fastmap(struct ubi_device *ubi,
+ ret = self_check_seen(ubi, seen_pebs);
+ dbg_bld("fastmap written!");
+
+-out_kfree:
+- ubi_free_vid_buf(avbuf);
+- ubi_free_vid_buf(dvbuf);
++out_free_seen:
+ free_seen(seen_pebs);
++out_free_dvbuf:
++ ubi_free_vid_buf(dvbuf);
++out_free_avbuf:
++ ubi_free_vid_buf(avbuf);
++
+ out:
+ return ret;
+ }
+diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c
+index 4f2e6910c623..1cc2cd894f87 100644
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -1383,26 +1383,31 @@ netdev_tx_t bond_alb_xmit(struct sk_buff *skb, struct net_device *bond_dev)
+ bool do_tx_balance = true;
+ u32 hash_index = 0;
+ const u8 *hash_start = NULL;
+- struct ipv6hdr *ip6hdr;
+
+ skb_reset_mac_header(skb);
+ eth_data = eth_hdr(skb);
+
+ switch (ntohs(skb->protocol)) {
+ case ETH_P_IP: {
+- const struct iphdr *iph = ip_hdr(skb);
++ const struct iphdr *iph;
+
+ if (is_broadcast_ether_addr(eth_data->h_dest) ||
+- iph->daddr == ip_bcast ||
+- iph->protocol == IPPROTO_IGMP) {
++ !pskb_network_may_pull(skb, sizeof(*iph))) {
++ do_tx_balance = false;
++ break;
++ }
++ iph = ip_hdr(skb);
++ if (iph->daddr == ip_bcast || iph->protocol == IPPROTO_IGMP) {
+ do_tx_balance = false;
+ break;
+ }
+ hash_start = (char *)&(iph->daddr);
+ hash_size = sizeof(iph->daddr);
+- }
+ break;
+- case ETH_P_IPV6:
++ }
++ case ETH_P_IPV6: {
++ const struct ipv6hdr *ip6hdr;
++
+ /* IPv6 doesn't really use broadcast mac address, but leave
+ * that here just in case.
+ */
+@@ -1419,7 +1424,11 @@ netdev_tx_t bond_alb_xmit(struct sk_buff *skb, struct net_device *bond_dev)
+ break;
+ }
+
+- /* Additianally, DAD probes should not be tx-balanced as that
++ if (!pskb_network_may_pull(skb, sizeof(*ip6hdr))) {
++ do_tx_balance = false;
++ break;
++ }
++ /* Additionally, DAD probes should not be tx-balanced as that
+ * will lead to false positives for duplicate addresses and
+ * prevent address configuration from working.
+ */
+@@ -1429,17 +1438,26 @@ netdev_tx_t bond_alb_xmit(struct sk_buff *skb, struct net_device *bond_dev)
+ break;
+ }
+
+- hash_start = (char *)&(ipv6_hdr(skb)->daddr);
+- hash_size = sizeof(ipv6_hdr(skb)->daddr);
++ hash_start = (char *)&ip6hdr->daddr;
++ hash_size = sizeof(ip6hdr->daddr);
+ break;
+- case ETH_P_IPX:
+- if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) {
++ }
++ case ETH_P_IPX: {
++ const struct ipxhdr *ipxhdr;
++
++ if (pskb_network_may_pull(skb, sizeof(*ipxhdr))) {
++ do_tx_balance = false;
++ break;
++ }
++ ipxhdr = (struct ipxhdr *)skb_network_header(skb);
++
++ if (ipxhdr->ipx_checksum != IPX_NO_CHECKSUM) {
+ /* something is wrong with this packet */
+ do_tx_balance = false;
+ break;
+ }
+
+- if (ipx_hdr(skb)->ipx_type != IPX_TYPE_NCP) {
++ if (ipxhdr->ipx_type != IPX_TYPE_NCP) {
+ /* The only protocol worth balancing in
+ * this family since it has an "ARP" like
+ * mechanism
+@@ -1448,9 +1466,11 @@ netdev_tx_t bond_alb_xmit(struct sk_buff *skb, struct net_device *bond_dev)
+ break;
+ }
+
++ eth_data = eth_hdr(skb);
+ hash_start = (char *)eth_data->h_dest;
+ hash_size = ETH_ALEN;
+ break;
++ }
+ case ETH_P_ARP:
+ do_tx_balance = false;
+ if (bond_info->rlb_enabled)
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index edacacfc9365..6a1ff4d43e3a 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -680,7 +680,7 @@ int b53_configure_vlan(struct dsa_switch *ds)
+ b53_do_vlan_op(dev, VTA_CMD_CLEAR);
+ }
+
+- b53_enable_vlan(dev, false, ds->vlan_filtering);
++ b53_enable_vlan(dev, dev->vlan_enabled, ds->vlan_filtering);
+
+ b53_for_each_port(dev, i)
+ b53_write16(dev, B53_VLAN_PAGE,
+diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
+index 3e8635311d0d..d1955543acd1 100644
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -68,7 +68,9 @@ static void bcm_sf2_imp_setup(struct dsa_switch *ds, int port)
+
+ /* Force link status for IMP port */
+ reg = core_readl(priv, offset);
+- reg |= (MII_SW_OR | LINK_STS | GMII_SPEED_UP_2G);
++ reg |= (MII_SW_OR | LINK_STS);
++ if (priv->type == BCM7278_DEVICE_ID)
++ reg |= GMII_SPEED_UP_2G;
+ core_writel(priv, reg, offset);
+
+ /* Enable Broadcast, Multicast, Unicast forwarding to IMP port */
+diff --git a/drivers/net/dsa/microchip/ksz9477_spi.c b/drivers/net/dsa/microchip/ksz9477_spi.c
+index c5f64959a184..1142768969c2 100644
+--- a/drivers/net/dsa/microchip/ksz9477_spi.c
++++ b/drivers/net/dsa/microchip/ksz9477_spi.c
+@@ -101,6 +101,12 @@ static struct spi_driver ksz9477_spi_driver = {
+
+ module_spi_driver(ksz9477_spi_driver);
+
++MODULE_ALIAS("spi:ksz9477");
++MODULE_ALIAS("spi:ksz9897");
++MODULE_ALIAS("spi:ksz9893");
++MODULE_ALIAS("spi:ksz9563");
++MODULE_ALIAS("spi:ksz8563");
++MODULE_ALIAS("spi:ksz9567");
+ MODULE_AUTHOR("Woojung Huh <Woojung.Huh@microchip.com>");
+ MODULE_DESCRIPTION("Microchip KSZ9477 Series Switch SPI access Driver");
+ MODULE_LICENSE("GPL");
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index d6b1a153f9df..c1ae42244f02 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2728,6 +2728,9 @@ static int __maybe_unused bcm_sysport_resume(struct device *d)
+
+ umac_reset(priv);
+
++ /* Disable the UniMAC RX/TX */
++ umac_enable_set(priv, CMD_RX_EN | CMD_TX_EN, 0);
++
+ /* We may have been suspended and never received a WOL event that
+ * would turn off MPD detection, take care of that now
+ */
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index e6f18f6070ef..01b603c5e76a 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7892,7 +7892,7 @@ static void bnxt_setup_msix(struct bnxt *bp)
+ int tcs, i;
+
+ tcs = netdev_get_num_tc(dev);
+- if (tcs > 1) {
++ if (tcs) {
+ int i, off, count;
+
+ for (i = 0; i < tcs; i++) {
+@@ -9240,6 +9240,17 @@ void bnxt_half_close_nic(struct bnxt *bp)
+ bnxt_free_mem(bp, false);
+ }
+
++static void bnxt_reenable_sriov(struct bnxt *bp)
++{
++ if (BNXT_PF(bp)) {
++ struct bnxt_pf_info *pf = &bp->pf;
++ int n = pf->active_vfs;
++
++ if (n)
++ bnxt_cfg_hw_sriov(bp, &n, true);
++ }
++}
++
+ static int bnxt_open(struct net_device *dev)
+ {
+ struct bnxt *bp = netdev_priv(dev);
+@@ -9258,15 +9269,10 @@ static int bnxt_open(struct net_device *dev)
+ bnxt_hwrm_if_change(bp, false);
+ } else {
+ if (test_and_clear_bit(BNXT_STATE_FW_RESET_DET, &bp->state)) {
+- if (BNXT_PF(bp)) {
+- struct bnxt_pf_info *pf = &bp->pf;
+- int n = pf->active_vfs;
+-
+- if (n)
+- bnxt_cfg_hw_sriov(bp, &n, true);
+- }
+- if (!test_bit(BNXT_STATE_IN_FW_RESET, &bp->state))
++ if (!test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)) {
+ bnxt_ulp_start(bp, 0);
++ bnxt_reenable_sriov(bp);
++ }
+ }
+ bnxt_hwmon_open(bp);
+ }
+@@ -9306,10 +9312,6 @@ static void __bnxt_close_nic(struct bnxt *bp, bool irq_re_init,
+ bnxt_debug_dev_exit(bp);
+ bnxt_disable_napi(bp);
+ del_timer_sync(&bp->timer);
+- if (test_bit(BNXT_STATE_IN_FW_RESET, &bp->state) &&
+- pci_is_enabled(bp->pdev))
+- pci_disable_device(bp->pdev);
+-
+ bnxt_free_skbs(bp);
+
+ /* Save ring stats before shutdown */
+@@ -10087,9 +10089,16 @@ static void bnxt_reset(struct bnxt *bp, bool silent)
+ static void bnxt_fw_reset_close(struct bnxt *bp)
+ {
+ bnxt_ulp_stop(bp);
++ /* When firmware is fatal state, disable PCI device to prevent
++ * any potential bad DMAs before freeing kernel memory.
++ */
++ if (test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state))
++ pci_disable_device(bp->pdev);
+ __bnxt_close_nic(bp, true, false);
+ bnxt_clear_int_mode(bp);
+ bnxt_hwrm_func_drv_unrgtr(bp);
++ if (pci_is_enabled(bp->pdev))
++ pci_disable_device(bp->pdev);
+ bnxt_free_ctx_mem(bp);
+ kfree(bp->ctx);
+ bp->ctx = NULL;
+@@ -10822,6 +10831,8 @@ static void bnxt_fw_reset_task(struct work_struct *work)
+ smp_mb__before_atomic();
+ clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);
+ bnxt_ulp_start(bp, rc);
++ if (!rc)
++ bnxt_reenable_sriov(bp);
+ bnxt_dl_health_status_update(bp, true);
+ rtnl_unlock();
+ break;
+@@ -11433,9 +11444,9 @@ static void bnxt_remove_one(struct pci_dev *pdev)
+ bnxt_sriov_disable(bp);
+
+ bnxt_dl_fw_reporters_destroy(bp, true);
+- bnxt_dl_unregister(bp);
+ pci_disable_pcie_error_reporting(pdev);
+ unregister_netdev(dev);
++ bnxt_dl_unregister(bp);
+ bnxt_shutdown_tc(bp);
+ bnxt_cancel_sp_work(bp);
+ bp->sp_event = 0;
+@@ -11905,11 +11916,14 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ bnxt_init_tc(bp);
+ }
+
++ bnxt_dl_register(bp);
++
+ rc = register_netdev(dev);
+ if (rc)
+- goto init_err_cleanup_tc;
++ goto init_err_cleanup;
+
+- bnxt_dl_register(bp);
++ if (BNXT_PF(bp))
++ devlink_port_type_eth_set(&bp->dl_port, bp->dev);
+ bnxt_dl_fw_reporters_create(bp);
+
+ netdev_info(dev, "%s found at mem %lx, node addr %pM\n",
+@@ -11919,7 +11933,8 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ return 0;
+
+-init_err_cleanup_tc:
++init_err_cleanup:
++ bnxt_dl_unregister(bp);
+ bnxt_shutdown_tc(bp);
+ bnxt_clear_int_mode(bp);
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
+index 3eedd4477218..8fcaa2398344 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
+@@ -526,7 +526,6 @@ int bnxt_dl_register(struct bnxt *bp)
+ netdev_err(bp->dev, "devlink_port_register failed");
+ goto err_dl_param_unreg;
+ }
+- devlink_port_type_eth_set(&bp->dl_port, bp->dev);
+
+ rc = devlink_port_params_register(&bp->dl_port, bnxt_dl_port_params,
+ ARRAY_SIZE(bnxt_dl_port_params));
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index f7d87c71aaa9..71bb0d56533a 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -73,7 +73,11 @@ struct sifive_fu540_macb_mgmt {
+ /* Max length of transmit frame must be a multiple of 8 bytes */
+ #define MACB_TX_LEN_ALIGN 8
+ #define MACB_MAX_TX_LEN ((unsigned int)((1 << MACB_TX_FRMLEN_SIZE) - 1) & ~((unsigned int)(MACB_TX_LEN_ALIGN - 1)))
+-#define GEM_MAX_TX_LEN ((unsigned int)((1 << GEM_TX_FRMLEN_SIZE) - 1) & ~((unsigned int)(MACB_TX_LEN_ALIGN - 1)))
++/* Limit maximum TX length as per Cadence TSO errata. This is to avoid a
++ * false amba_error in TX path from the DMA assuming there is not enough
++ * space in the SRAM (16KB) even when there is.
++ */
++#define GEM_MAX_TX_LEN (unsigned int)(0x3FC0)
+
+ #define GEM_MTU_MIN_SIZE ETH_MIN_MTU
+ #define MACB_NETIF_LSO NETIF_F_TSO
+@@ -1752,16 +1756,14 @@ static netdev_features_t macb_features_check(struct sk_buff *skb,
+
+ /* Validate LSO compatibility */
+
+- /* there is only one buffer */
+- if (!skb_is_nonlinear(skb))
++ /* there is only one buffer or protocol is not UDP */
++ if (!skb_is_nonlinear(skb) || (ip_hdr(skb)->protocol != IPPROTO_UDP))
+ return features;
+
+ /* length of header */
+ hdrlen = skb_transport_offset(skb);
+- if (ip_hdr(skb)->protocol == IPPROTO_TCP)
+- hdrlen += tcp_hdrlen(skb);
+
+- /* For LSO:
++ /* For UFO only:
+ * When software supplies two or more payload buffers all payload buffers
+ * apart from the last must be a multiple of 8 bytes in size.
+ */
+diff --git a/drivers/net/ethernet/dec/tulip/dmfe.c b/drivers/net/ethernet/dec/tulip/dmfe.c
+index 0efdbd1a4a6f..32d470d4122a 100644
+--- a/drivers/net/ethernet/dec/tulip/dmfe.c
++++ b/drivers/net/ethernet/dec/tulip/dmfe.c
+@@ -2214,15 +2214,16 @@ static int __init dmfe_init_module(void)
+ if (cr6set)
+ dmfe_cr6_user_set = cr6set;
+
+- switch(mode) {
+- case DMFE_10MHF:
++ switch (mode) {
++ case DMFE_10MHF:
+ case DMFE_100MHF:
+ case DMFE_10MFD:
+ case DMFE_100MFD:
+ case DMFE_1M_HPNA:
+ dmfe_media_mode = mode;
+ break;
+- default:dmfe_media_mode = DMFE_AUTO;
++ default:
++ dmfe_media_mode = DMFE_AUTO;
+ break;
+ }
+
+diff --git a/drivers/net/ethernet/dec/tulip/uli526x.c b/drivers/net/ethernet/dec/tulip/uli526x.c
+index b1f30b194300..117ffe08800d 100644
+--- a/drivers/net/ethernet/dec/tulip/uli526x.c
++++ b/drivers/net/ethernet/dec/tulip/uli526x.c
+@@ -1809,8 +1809,8 @@ static int __init uli526x_init_module(void)
+ if (cr6set)
+ uli526x_cr6_user_set = cr6set;
+
+- switch (mode) {
+- case ULI526X_10MHF:
++ switch (mode) {
++ case ULI526X_10MHF:
+ case ULI526X_100MHF:
+ case ULI526X_10MFD:
+ case ULI526X_100MFD:
+diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+index a301f0095223..f827daf09b72 100644
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+@@ -2453,6 +2453,9 @@ static void dpaa_adjust_link(struct net_device *net_dev)
+ mac_dev->adjust_link(mac_dev);
+ }
+
++/* The Aquantia PHYs are capable of performing rate adaptation */
++#define PHY_VEND_AQUANTIA 0x03a1b400
++
+ static int dpaa_phy_init(struct net_device *net_dev)
+ {
+ __ETHTOOL_DECLARE_LINK_MODE_MASK(mask) = { 0, };
+@@ -2471,9 +2474,14 @@ static int dpaa_phy_init(struct net_device *net_dev)
+ return -ENODEV;
+ }
+
+- /* Remove any features not supported by the controller */
+- ethtool_convert_legacy_u32_to_link_mode(mask, mac_dev->if_support);
+- linkmode_and(phy_dev->supported, phy_dev->supported, mask);
++ /* Unless the PHY is capable of rate adaptation */
++ if (mac_dev->phy_if != PHY_INTERFACE_MODE_XGMII ||
++ ((phy_dev->drv->phy_id & GENMASK(31, 10)) != PHY_VEND_AQUANTIA)) {
++ /* remove any features not supported by the controller */
++ ethtool_convert_legacy_u32_to_link_mode(mask,
++ mac_dev->if_support);
++ linkmode_and(phy_dev->supported, phy_dev->supported, mask);
++ }
+
+ phy_support_asym_pause(phy_dev);
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 8bad5b864682..e540f78e38a3 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -324,8 +324,7 @@
+ ETH_HLEN + ETH_FCS_LEN, \
+ cache_line_size())
+
+-#define MVNETA_SKB_HEADROOM (max(XDP_PACKET_HEADROOM, NET_SKB_PAD) + \
+- NET_IP_ALIGN)
++#define MVNETA_SKB_HEADROOM max(XDP_PACKET_HEADROOM, NET_SKB_PAD)
+ #define MVNETA_SKB_PAD (SKB_DATA_ALIGN(sizeof(struct skb_shared_info) + \
+ MVNETA_SKB_HEADROOM))
+ #define MVNETA_SKB_SIZE(len) (SKB_DATA_ALIGN(len) + MVNETA_SKB_PAD)
+@@ -402,6 +401,8 @@ struct mvneta_pcpu_stats {
+ struct u64_stats_sync syncp;
+ u64 rx_packets;
+ u64 rx_bytes;
++ u64 rx_dropped;
++ u64 rx_errors;
+ u64 tx_packets;
+ u64 tx_bytes;
+ };
+@@ -739,6 +740,8 @@ mvneta_get_stats64(struct net_device *dev,
+ struct mvneta_pcpu_stats *cpu_stats;
+ u64 rx_packets;
+ u64 rx_bytes;
++ u64 rx_dropped;
++ u64 rx_errors;
+ u64 tx_packets;
+ u64 tx_bytes;
+
+@@ -747,19 +750,20 @@ mvneta_get_stats64(struct net_device *dev,
+ start = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
+ rx_packets = cpu_stats->rx_packets;
+ rx_bytes = cpu_stats->rx_bytes;
++ rx_dropped = cpu_stats->rx_dropped;
++ rx_errors = cpu_stats->rx_errors;
+ tx_packets = cpu_stats->tx_packets;
+ tx_bytes = cpu_stats->tx_bytes;
+ } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, start));
+
+ stats->rx_packets += rx_packets;
+ stats->rx_bytes += rx_bytes;
++ stats->rx_dropped += rx_dropped;
++ stats->rx_errors += rx_errors;
+ stats->tx_packets += tx_packets;
+ stats->tx_bytes += tx_bytes;
+ }
+
+- stats->rx_errors = dev->stats.rx_errors;
+- stats->rx_dropped = dev->stats.rx_dropped;
+-
+ stats->tx_dropped = dev->stats.tx_dropped;
+ }
+
+@@ -1167,6 +1171,7 @@ bm_mtu_err:
+ mvneta_bm_pool_destroy(pp->bm_priv, pp->pool_short, 1 << pp->id);
+
+ pp->bm_priv = NULL;
++ pp->rx_offset_correction = MVNETA_SKB_HEADROOM;
+ mvreg_write(pp, MVNETA_ACC_MODE, MVNETA_ACC_MODE_EXT1);
+ netdev_info(pp->dev, "fail to update MTU, fall back to software BM\n");
+ }
+@@ -1736,8 +1741,14 @@ static u32 mvneta_txq_desc_csum(int l3_offs, int l3_proto,
+ static void mvneta_rx_error(struct mvneta_port *pp,
+ struct mvneta_rx_desc *rx_desc)
+ {
++ struct mvneta_pcpu_stats *stats = this_cpu_ptr(pp->stats);
+ u32 status = rx_desc->status;
+
++ /* update per-cpu counter */
++ u64_stats_update_begin(&stats->syncp);
++ stats->rx_errors++;
++ u64_stats_update_end(&stats->syncp);
++
+ switch (status & MVNETA_RXD_ERR_CODE_MASK) {
+ case MVNETA_RXD_ERR_CRC:
+ netdev_err(pp->dev, "bad rx status %08x (crc error), size=%d\n",
+@@ -2179,11 +2190,15 @@ mvneta_swbm_rx_frame(struct mvneta_port *pp,
+
+ rxq->skb = build_skb(xdp->data_hard_start, PAGE_SIZE);
+ if (unlikely(!rxq->skb)) {
+- netdev_err(dev,
+- "Can't allocate skb on queue %d\n",
+- rxq->id);
+- dev->stats.rx_dropped++;
++ struct mvneta_pcpu_stats *stats = this_cpu_ptr(pp->stats);
++
++ netdev_err(dev, "Can't allocate skb on queue %d\n", rxq->id);
+ rxq->skb_alloc_err++;
++
++ u64_stats_update_begin(&stats->syncp);
++ stats->rx_dropped++;
++ u64_stats_update_end(&stats->syncp);
++
+ return -ENOMEM;
+ }
+ page_pool_release_page(rxq->page_pool, page);
+@@ -2270,7 +2285,6 @@ static int mvneta_rx_swbm(struct napi_struct *napi,
+ /* Check errors only for FIRST descriptor */
+ if (rx_status & MVNETA_RXD_ERR_SUMMARY) {
+ mvneta_rx_error(pp, rx_desc);
+- dev->stats.rx_errors++;
+ /* leave the descriptor untouched */
+ continue;
+ }
+@@ -2372,7 +2386,6 @@ err_drop_frame_ret_pool:
+ mvneta_bm_pool_put_bp(pp->bm_priv, bm_pool,
+ rx_desc->buf_phys_addr);
+ err_drop_frame:
+- dev->stats.rx_errors++;
+ mvneta_rx_error(pp, rx_desc);
+ /* leave the descriptor untouched */
+ continue;
+@@ -4948,7 +4961,6 @@ static int mvneta_probe(struct platform_device *pdev)
+ SET_NETDEV_DEV(dev, &pdev->dev);
+
+ pp->id = global_port_id++;
+- pp->rx_offset_correction = MVNETA_SKB_HEADROOM;
+
+ /* Obtain access to BM resources if enabled and already initialized */
+ bm_node = of_parse_phandle(dn, "buffer-manager", 0);
+@@ -4973,6 +4985,10 @@ static int mvneta_probe(struct platform_device *pdev)
+ }
+ of_node_put(bm_node);
+
++ /* sw buffer management */
++ if (!pp->bm_priv)
++ pp->rx_offset_correction = MVNETA_SKB_HEADROOM;
++
+ err = mvneta_init(&pdev->dev, pp);
+ if (err < 0)
+ goto err_netdev;
+@@ -5130,6 +5146,7 @@ static int mvneta_resume(struct device *device)
+ err = mvneta_bm_port_init(pdev, pp);
+ if (err < 0) {
+ dev_info(&pdev->dev, "use SW buffer management\n");
++ pp->rx_offset_correction = MVNETA_SKB_HEADROOM;
+ pp->bm_priv = NULL;
+ }
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/accel/tls.h b/drivers/net/ethernet/mellanox/mlx5/core/accel/tls.h
+index d787bc0a4155..e09bc3858d57 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/accel/tls.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/accel/tls.h
+@@ -45,7 +45,7 @@ void mlx5_ktls_destroy_key(struct mlx5_core_dev *mdev, u32 key_id);
+
+ static inline bool mlx5_accel_is_ktls_device(struct mlx5_core_dev *mdev)
+ {
+- if (!MLX5_CAP_GEN(mdev, tls))
++ if (!MLX5_CAP_GEN(mdev, tls_tx))
+ return false;
+
+ if (!MLX5_CAP_GEN(mdev, log_max_dek))
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_rxtx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_rxtx.c
+index 71384ad1a443..ef1ed15a53b4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_rxtx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/tls_rxtx.c
+@@ -269,7 +269,7 @@ struct sk_buff *mlx5e_tls_handle_tx_skb(struct net_device *netdev,
+ int datalen;
+ u32 skb_seq;
+
+- if (MLX5_CAP_GEN(sq->channel->mdev, tls)) {
++ if (MLX5_CAP_GEN(sq->channel->mdev, tls_tx)) {
+ skb = mlx5e_ktls_handle_tx_skb(netdev, sq, skb, wqe, pi);
+ goto out;
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+index 9e9960146e5b..1c3ab69cbd96 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -613,13 +613,6 @@ void mlx5e_poll_ico_cq(struct mlx5e_cq *cq)
+
+ wqe_counter = be16_to_cpu(cqe->wqe_counter);
+
+- if (unlikely(get_cqe_opcode(cqe) != MLX5_CQE_REQ)) {
+- netdev_WARN_ONCE(cq->channel->netdev,
+- "Bad OP in ICOSQ CQE: 0x%x\n", get_cqe_opcode(cqe));
+- if (!test_and_set_bit(MLX5E_SQ_STATE_RECOVERING, &sq->state))
+- queue_work(cq->channel->priv->wq, &sq->recover_work);
+- break;
+- }
+ do {
+ struct mlx5e_sq_wqe_info *wi;
+ u16 ci;
+@@ -629,6 +622,15 @@ void mlx5e_poll_ico_cq(struct mlx5e_cq *cq)
+ ci = mlx5_wq_cyc_ctr2ix(&sq->wq, sqcc);
+ wi = &sq->db.ico_wqe[ci];
+
++ if (last_wqe && unlikely(get_cqe_opcode(cqe) != MLX5_CQE_REQ)) {
++ netdev_WARN_ONCE(cq->channel->netdev,
++ "Bad OP in ICOSQ CQE: 0x%x\n",
++ get_cqe_opcode(cqe));
++ if (!test_and_set_bit(MLX5E_SQ_STATE_RECOVERING, &sq->state))
++ queue_work(cq->channel->priv->wq, &sq->recover_work);
++ break;
++ }
++
+ if (likely(wi->opcode == MLX5_OPCODE_UMR)) {
+ sqcc += MLX5E_UMR_WQEBBS;
+ wi->umr.rq->mpwqe.umr_completed++;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+index 2565ba8692d9..ee60383adc5b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -451,34 +451,17 @@ bool mlx5e_poll_tx_cq(struct mlx5e_cq *cq, int napi_budget)
+
+ i = 0;
+ do {
++ struct mlx5e_tx_wqe_info *wi;
+ u16 wqe_counter;
+ bool last_wqe;
++ u16 ci;
+
+ mlx5_cqwq_pop(&cq->wq);
+
+ wqe_counter = be16_to_cpu(cqe->wqe_counter);
+
+- if (unlikely(get_cqe_opcode(cqe) == MLX5_CQE_REQ_ERR)) {
+- if (!test_and_set_bit(MLX5E_SQ_STATE_RECOVERING,
+- &sq->state)) {
+- struct mlx5e_tx_wqe_info *wi;
+- u16 ci;
+-
+- ci = mlx5_wq_cyc_ctr2ix(&sq->wq, sqcc);
+- wi = &sq->db.wqe_info[ci];
+- mlx5e_dump_error_cqe(sq,
+- (struct mlx5_err_cqe *)cqe);
+- mlx5_wq_cyc_wqe_dump(&sq->wq, ci, wi->num_wqebbs);
+- queue_work(cq->channel->priv->wq,
+- &sq->recover_work);
+- }
+- stats->cqe_err++;
+- }
+-
+ do {
+- struct mlx5e_tx_wqe_info *wi;
+ struct sk_buff *skb;
+- u16 ci;
+ int j;
+
+ last_wqe = (sqcc == wqe_counter);
+@@ -516,6 +499,18 @@ bool mlx5e_poll_tx_cq(struct mlx5e_cq *cq, int napi_budget)
+ napi_consume_skb(skb, napi_budget);
+ } while (!last_wqe);
+
++ if (unlikely(get_cqe_opcode(cqe) == MLX5_CQE_REQ_ERR)) {
++ if (!test_and_set_bit(MLX5E_SQ_STATE_RECOVERING,
++ &sq->state)) {
++ mlx5e_dump_error_cqe(sq,
++ (struct mlx5_err_cqe *)cqe);
++ mlx5_wq_cyc_wqe_dump(&sq->wq, ci, wi->num_wqebbs);
++ queue_work(cq->channel->priv->wq,
++ &sq->recover_work);
++ }
++ stats->cqe_err++;
++ }
++
+ } while ((++i < MLX5E_TX_CQ_POLL_BUDGET) && (cqe = mlx5_cqwq_get_cqe(&cq->wq)));
+
+ stats->cqes += i;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
+index e4ec0e03c289..4c61d25d2e88 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
+@@ -850,6 +850,7 @@ void mlx5_fpga_ipsec_delete_sa_ctx(void *context)
+ mutex_lock(&fpga_xfrm->lock);
+ if (!--fpga_xfrm->num_rules) {
+ mlx5_fpga_ipsec_release_sa_ctx(fpga_xfrm->sa_ctx);
++ kfree(fpga_xfrm->sa_ctx);
+ fpga_xfrm->sa_ctx = NULL;
+ }
+ mutex_unlock(&fpga_xfrm->lock);
+@@ -1478,7 +1479,7 @@ int mlx5_fpga_esp_modify_xfrm(struct mlx5_accel_esp_xfrm *xfrm,
+ if (!memcmp(&xfrm->attrs, attrs, sizeof(xfrm->attrs)))
+ return 0;
+
+- if (!mlx5_fpga_esp_validate_xfrm_attrs(mdev, attrs)) {
++ if (mlx5_fpga_esp_validate_xfrm_attrs(mdev, attrs)) {
+ mlx5_core_warn(mdev, "Tried to create an esp with unsupported attrs\n");
+ return -EOPNOTSUPP;
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+index 8c5df6c7d7b6..8af87f922fb6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -1555,16 +1555,16 @@ struct match_list_head {
+ struct match_list first;
+ };
+
+-static void free_match_list(struct match_list_head *head)
++static void free_match_list(struct match_list_head *head, bool ft_locked)
+ {
+ if (!list_empty(&head->list)) {
+ struct match_list *iter, *match_tmp;
+
+ list_del(&head->first.list);
+- tree_put_node(&head->first.g->node, false);
++ tree_put_node(&head->first.g->node, ft_locked);
+ list_for_each_entry_safe(iter, match_tmp, &head->list,
+ list) {
+- tree_put_node(&iter->g->node, false);
++ tree_put_node(&iter->g->node, ft_locked);
+ list_del(&iter->list);
+ kfree(iter);
+ }
+@@ -1573,7 +1573,8 @@ static void free_match_list(struct match_list_head *head)
+
+ static int build_match_list(struct match_list_head *match_head,
+ struct mlx5_flow_table *ft,
+- const struct mlx5_flow_spec *spec)
++ const struct mlx5_flow_spec *spec,
++ bool ft_locked)
+ {
+ struct rhlist_head *tmp, *list;
+ struct mlx5_flow_group *g;
+@@ -1598,7 +1599,7 @@ static int build_match_list(struct match_list_head *match_head,
+
+ curr_match = kmalloc(sizeof(*curr_match), GFP_ATOMIC);
+ if (!curr_match) {
+- free_match_list(match_head);
++ free_match_list(match_head, ft_locked);
+ err = -ENOMEM;
+ goto out;
+ }
+@@ -1778,7 +1779,7 @@ search_again_locked:
+ version = atomic_read(&ft->node.version);
+
+ /* Collect all fgs which has a matching match_criteria */
+- err = build_match_list(&match_head, ft, spec);
++ err = build_match_list(&match_head, ft, spec, take_write);
+ if (err) {
+ if (take_write)
+ up_write_ref_node(&ft->node, false);
+@@ -1792,7 +1793,7 @@ search_again_locked:
+
+ rule = try_add_to_existing_fg(ft, &match_head.list, spec, flow_act, dest,
+ dest_num, version);
+- free_match_list(&match_head);
++ free_match_list(&match_head, take_write);
+ if (!IS_ERR(rule) ||
+ (PTR_ERR(rule) != -ENOENT && PTR_ERR(rule) != -EAGAIN)) {
+ if (take_write)
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw.c b/drivers/net/ethernet/mellanox/mlx5/core/fw.c
+index a19790dee7b2..13e86f0b42f5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fw.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw.c
+@@ -239,7 +239,7 @@ int mlx5_query_hca_caps(struct mlx5_core_dev *dev)
+ return err;
+ }
+
+- if (MLX5_CAP_GEN(dev, tls)) {
++ if (MLX5_CAP_GEN(dev, tls_tx)) {
+ err = mlx5_core_get_caps(dev, MLX5_CAP_TLS);
+ if (err)
+ return err;
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_if.h b/drivers/net/ethernet/pensando/ionic/ionic_if.h
+index 39317cdfa6cf..ed23a05f2642 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_if.h
++++ b/drivers/net/ethernet/pensando/ionic/ionic_if.h
+@@ -862,7 +862,7 @@ struct ionic_rxq_comp {
+ #define IONIC_RXQ_COMP_CSUM_F_VLAN 0x40
+ #define IONIC_RXQ_COMP_CSUM_F_CALC 0x80
+ u8 pkt_type_color;
+-#define IONIC_RXQ_COMP_PKT_TYPE_MASK 0x0f
++#define IONIC_RXQ_COMP_PKT_TYPE_MASK 0x7f
+ };
+
+ enum ionic_pkt_type {
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_ptp.c b/drivers/net/ethernet/qlogic/qed/qed_ptp.c
+index 0dacf2c18c09..3e613058e225 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_ptp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_ptp.c
+@@ -44,8 +44,8 @@
+ /* Add/subtract the Adjustment_Value when making a Drift adjustment */
+ #define QED_DRIFT_CNTR_DIRECTION_SHIFT 31
+ #define QED_TIMESTAMP_MASK BIT(16)
+-/* Param mask for Hardware to detect/timestamp the unicast PTP packets */
+-#define QED_PTP_UCAST_PARAM_MASK 0xF
++/* Param mask for Hardware to detect/timestamp the L2/L4 unicast PTP packets */
++#define QED_PTP_UCAST_PARAM_MASK 0x70F
+
+ static enum qed_resc_lock qed_ptcdev_to_resc(struct qed_hwfn *p_hwfn)
+ {
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 67a4d5d45e3a..92a590154bb9 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -3865,15 +3865,18 @@ static void rtl_hw_jumbo_enable(struct rtl8169_private *tp)
+ switch (tp->mac_version) {
+ case RTL_GIGA_MAC_VER_12:
+ case RTL_GIGA_MAC_VER_17:
++ pcie_set_readrq(tp->pci_dev, 512);
+ r8168b_1_hw_jumbo_enable(tp);
+ break;
+ case RTL_GIGA_MAC_VER_18 ... RTL_GIGA_MAC_VER_26:
++ pcie_set_readrq(tp->pci_dev, 512);
+ r8168c_hw_jumbo_enable(tp);
+ break;
+ case RTL_GIGA_MAC_VER_27 ... RTL_GIGA_MAC_VER_28:
+ r8168dp_hw_jumbo_enable(tp);
+ break;
+ case RTL_GIGA_MAC_VER_31 ... RTL_GIGA_MAC_VER_33:
++ pcie_set_readrq(tp->pci_dev, 512);
+ r8168e_hw_jumbo_enable(tp);
+ break;
+ default:
+@@ -3903,6 +3906,9 @@ static void rtl_hw_jumbo_disable(struct rtl8169_private *tp)
+ break;
+ }
+ rtl_lock_config_regs(tp);
++
++ if (pci_is_pcie(tp->pci_dev) && tp->supports_gmii)
++ pcie_set_readrq(tp->pci_dev, 4096);
+ }
+
+ static void rtl_jumbo_config(struct rtl8169_private *tp, int mtu)
+diff --git a/drivers/net/ethernet/smsc/smc911x.c b/drivers/net/ethernet/smsc/smc911x.c
+index 8d88e4083456..7b65e79d6ae9 100644
+--- a/drivers/net/ethernet/smsc/smc911x.c
++++ b/drivers/net/ethernet/smsc/smc911x.c
+@@ -936,7 +936,7 @@ static void smc911x_phy_configure(struct work_struct *work)
+ if (lp->ctl_rspeed != 100)
+ my_ad_caps &= ~(ADVERTISE_100BASE4|ADVERTISE_100FULL|ADVERTISE_100HALF);
+
+- if (!lp->ctl_rfduplx)
++ if (!lp->ctl_rfduplx)
+ my_ad_caps &= ~(ADVERTISE_100FULL|ADVERTISE_10FULL);
+
+ /* Update our Auto-Neg Advertisement Register */
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c
+index 7ec895407d23..e0a5fe83d8e0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c
+@@ -413,6 +413,7 @@ static int ethqos_configure(struct qcom_ethqos *ethqos)
+ dll_lock = rgmii_readl(ethqos, SDC4_STATUS);
+ if (dll_lock & SDC4_STATUS_DLL_LOCK)
+ break;
++ retry--;
+ } while (retry > 0);
+ if (!retry)
+ dev_err(&ethqos->pdev->dev,
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 40ca00e596dd..53be936137d0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -420,7 +420,7 @@ static void dwmac4_set_filter(struct mac_device_info *hw,
+ value |= GMAC_PACKET_FILTER_PM;
+ /* Set all the bits of the HASH tab */
+ memset(mc_filter, 0xff, sizeof(mc_filter));
+- } else if (!netdev_mc_empty(dev)) {
++ } else if (!netdev_mc_empty(dev) && (dev->flags & IFF_MULTICAST)) {
+ struct netdev_hw_addr *ha;
+
+ /* Hash filter for multicast */
+@@ -736,11 +736,14 @@ static void dwmac4_update_vlan_hash(struct mac_device_info *hw, u32 hash,
+ __le16 perfect_match, bool is_double)
+ {
+ void __iomem *ioaddr = hw->pcsr;
++ u32 value;
+
+ writel(hash, ioaddr + GMAC_VLAN_HASH_TABLE);
+
++ value = readl(ioaddr + GMAC_VLAN_TAG);
++
+ if (hash) {
+- u32 value = GMAC_VLAN_VTHM | GMAC_VLAN_ETV;
++ value |= GMAC_VLAN_VTHM | GMAC_VLAN_ETV;
+ if (is_double) {
+ value |= GMAC_VLAN_EDVLP;
+ value |= GMAC_VLAN_ESVL;
+@@ -759,8 +762,6 @@ static void dwmac4_update_vlan_hash(struct mac_device_info *hw, u32 hash,
+
+ writel(value | perfect_match, ioaddr + GMAC_VLAN_TAG);
+ } else {
+- u32 value = readl(ioaddr + GMAC_VLAN_TAG);
+-
+ value &= ~(GMAC_VLAN_VTHM | GMAC_VLAN_ETV);
+ value &= ~(GMAC_VLAN_EDVLP | GMAC_VLAN_ESVL);
+ value &= ~GMAC_VLAN_DOVLTC;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+index 082f5ee9e525..e9bf54a579df 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+@@ -458,7 +458,7 @@ static void dwxgmac2_set_filter(struct mac_device_info *hw,
+
+ for (i = 0; i < XGMAC_MAX_HASH_TABLE; i++)
+ writel(~0x0, ioaddr + XGMAC_HASH_TABLE(i));
+- } else if (!netdev_mc_empty(dev)) {
++ } else if (!netdev_mc_empty(dev) && (dev->flags & IFF_MULTICAST)) {
+ struct netdev_hw_addr *ha;
+
+ value |= XGMAC_FILTER_HMC;
+@@ -569,7 +569,9 @@ static void dwxgmac2_update_vlan_hash(struct mac_device_info *hw, u32 hash,
+
+ writel(value, ioaddr + XGMAC_PACKET_FILTER);
+
+- value = XGMAC_VLAN_VTHM | XGMAC_VLAN_ETV;
++ value = readl(ioaddr + XGMAC_VLAN_TAG);
++
++ value |= XGMAC_VLAN_VTHM | XGMAC_VLAN_ETV;
+ if (is_double) {
+ value |= XGMAC_VLAN_EDVLP;
+ value |= XGMAC_VLAN_ESVL;
+@@ -584,7 +586,9 @@ static void dwxgmac2_update_vlan_hash(struct mac_device_info *hw, u32 hash,
+
+ writel(value, ioaddr + XGMAC_PACKET_FILTER);
+
+- value = XGMAC_VLAN_ETV;
++ value = readl(ioaddr + XGMAC_VLAN_TAG);
++
++ value |= XGMAC_VLAN_ETV;
+ if (is_double) {
+ value |= XGMAC_VLAN_EDVLP;
+ value |= XGMAC_VLAN_ESVL;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 80d59b775907..6bc1bdb137ae 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -4860,6 +4860,7 @@ int stmmac_suspend(struct device *dev)
+ {
+ struct net_device *ndev = dev_get_drvdata(dev);
+ struct stmmac_priv *priv = netdev_priv(ndev);
++ u32 chan;
+
+ if (!ndev || !netif_running(ndev))
+ return 0;
+@@ -4873,6 +4874,9 @@ int stmmac_suspend(struct device *dev)
+
+ stmmac_disable_all_queues(priv);
+
++ for (chan = 0; chan < priv->plat->tx_queues_to_use; chan++)
++ del_timer_sync(&priv->tx_queue[chan].txtimer);
++
+ /* Stop TX/RX DMA */
+ stmmac_stop_all_dma(priv);
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+index 8237dbc3e991..d2bc04dedd7c 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -96,7 +96,7 @@ static int stmmac_default_data(struct pci_dev *pdev,
+
+ plat->bus_id = 1;
+ plat->phy_addr = 0;
+- plat->interface = PHY_INTERFACE_MODE_GMII;
++ plat->phy_interface = PHY_INTERFACE_MODE_GMII;
+
+ plat->dma_cfg->pbl = 32;
+ plat->dma_cfg->pblx8 = true;
+@@ -220,7 +220,8 @@ static int ehl_sgmii_data(struct pci_dev *pdev,
+ {
+ plat->bus_id = 1;
+ plat->phy_addr = 0;
+- plat->interface = PHY_INTERFACE_MODE_SGMII;
++ plat->phy_interface = PHY_INTERFACE_MODE_SGMII;
++
+ return ehl_common_data(pdev, plat);
+ }
+
+@@ -233,7 +234,8 @@ static int ehl_rgmii_data(struct pci_dev *pdev,
+ {
+ plat->bus_id = 1;
+ plat->phy_addr = 0;
+- plat->interface = PHY_INTERFACE_MODE_RGMII;
++ plat->phy_interface = PHY_INTERFACE_MODE_RGMII;
++
+ return ehl_common_data(pdev, plat);
+ }
+
+@@ -261,7 +263,7 @@ static int tgl_sgmii_data(struct pci_dev *pdev,
+ {
+ plat->bus_id = 1;
+ plat->phy_addr = 0;
+- plat->interface = PHY_INTERFACE_MODE_SGMII;
++ plat->phy_interface = PHY_INTERFACE_MODE_SGMII;
+ return tgl_common_data(pdev, plat);
+ }
+
+@@ -361,7 +363,7 @@ static int quark_default_data(struct pci_dev *pdev,
+
+ plat->bus_id = pci_dev_id(pdev);
+ plat->phy_addr = ret;
+- plat->interface = PHY_INTERFACE_MODE_RMII;
++ plat->phy_interface = PHY_INTERFACE_MODE_RMII;
+
+ plat->dma_cfg->pbl = 16;
+ plat->dma_cfg->pblx8 = true;
+@@ -418,7 +420,7 @@ static int snps_gmac5_default_data(struct pci_dev *pdev,
+
+ plat->bus_id = 1;
+ plat->phy_addr = -1;
+- plat->interface = PHY_INTERFACE_MODE_GMII;
++ plat->phy_interface = PHY_INTERFACE_MODE_GMII;
+
+ plat->dma_cfg->pbl = 32;
+ plat->dma_cfg->pblx8 = true;
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 9b3ba98726d7..3a53d222bfcc 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -767,12 +767,12 @@ static int gtp_hashtable_new(struct gtp_dev *gtp, int hsize)
+ int i;
+
+ gtp->addr_hash = kmalloc_array(hsize, sizeof(struct hlist_head),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (gtp->addr_hash == NULL)
+ return -ENOMEM;
+
+ gtp->tid_hash = kmalloc_array(hsize, sizeof(struct hlist_head),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (gtp->tid_hash == NULL)
+ goto err1;
+
+diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
+index 4b39aba2e9c4..2a945b3c7c76 100644
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -73,7 +73,7 @@ static const struct file_operations nsim_dev_take_snapshot_fops = {
+
+ static int nsim_dev_debugfs_init(struct nsim_dev *nsim_dev)
+ {
+- char dev_ddir_name[16];
++ char dev_ddir_name[sizeof(DRV_NAME) + 10];
+
+ sprintf(dev_ddir_name, DRV_NAME "%u", nsim_dev->nsim_bus_dev->dev.id);
+ nsim_dev->ddir = debugfs_create_dir(dev_ddir_name, nsim_dev_ddir);
+diff --git a/drivers/net/phy/at803x.c b/drivers/net/phy/at803x.c
+index aee62610bade..481cf48c9b9e 100644
+--- a/drivers/net/phy/at803x.c
++++ b/drivers/net/phy/at803x.c
+@@ -489,6 +489,14 @@ static int at803x_probe(struct phy_device *phydev)
+ return at803x_parse_dt(phydev);
+ }
+
++static void at803x_remove(struct phy_device *phydev)
++{
++ struct at803x_priv *priv = phydev->priv;
++
++ if (priv->vddio)
++ regulator_disable(priv->vddio);
++}
++
+ static int at803x_clk_out_config(struct phy_device *phydev)
+ {
+ struct at803x_priv *priv = phydev->priv;
+@@ -711,6 +719,7 @@ static struct phy_driver at803x_driver[] = {
+ .name = "Qualcomm Atheros AR8035",
+ .phy_id_mask = AT803X_PHY_ID_MASK,
+ .probe = at803x_probe,
++ .remove = at803x_remove,
+ .config_init = at803x_config_init,
+ .set_wol = at803x_set_wol,
+ .get_wol = at803x_get_wol,
+@@ -726,6 +735,7 @@ static struct phy_driver at803x_driver[] = {
+ .name = "Qualcomm Atheros AR8030",
+ .phy_id_mask = AT803X_PHY_ID_MASK,
+ .probe = at803x_probe,
++ .remove = at803x_remove,
+ .config_init = at803x_config_init,
+ .link_change_notify = at803x_link_change_notify,
+ .set_wol = at803x_set_wol,
+@@ -741,6 +751,7 @@ static struct phy_driver at803x_driver[] = {
+ .name = "Qualcomm Atheros AR8031/AR8033",
+ .phy_id_mask = AT803X_PHY_ID_MASK,
+ .probe = at803x_probe,
++ .remove = at803x_remove,
+ .config_init = at803x_config_init,
+ .set_wol = at803x_set_wol,
+ .get_wol = at803x_get_wol,
+diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c
+index a7b9cf3269bf..29a0917a81e6 100644
+--- a/drivers/net/ppp/ppp_async.c
++++ b/drivers/net/ppp/ppp_async.c
+@@ -874,15 +874,15 @@ ppp_async_input(struct asyncppp *ap, const unsigned char *buf,
+ skb = dev_alloc_skb(ap->mru + PPP_HDRLEN + 2);
+ if (!skb)
+ goto nomem;
+- ap->rpkt = skb;
+- }
+- if (skb->len == 0) {
+- /* Try to get the payload 4-byte aligned.
+- * This should match the
+- * PPP_ALLSTATIONS/PPP_UI/compressed tests in
+- * process_input_packet, but we do not have
+- * enough chars here to test buf[1] and buf[2].
+- */
++ ap->rpkt = skb;
++ }
++ if (skb->len == 0) {
++ /* Try to get the payload 4-byte aligned.
++ * This should match the
++ * PPP_ALLSTATIONS/PPP_UI/compressed tests in
++ * process_input_packet, but we do not have
++ * enough chars here to test buf[1] and buf[2].
++ */
+ if (buf[0] != PPP_ALLSTATIONS)
+ skb_reserve(skb, 2 + (buf[0] & 1));
+ }
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+index 7cdfde9b3dea..575ed19e9195 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -430,6 +430,7 @@ fail:
+ usb_free_urb(req->urb);
+ list_del(q->next);
+ }
++ kfree(reqs);
+ return NULL;
+
+ }
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 7b35f416404c..64ef3f3ba23b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -3320,6 +3320,10 @@ static int iwl_mvm_send_sta_igtk(struct iwl_mvm *mvm,
+ igtk_cmd.sta_id = cpu_to_le32(sta_id);
+
+ if (remove_key) {
++ /* This is a valid situation for IGTK */
++ if (sta_id == IWL_MVM_INVALID_STA)
++ return 0;
++
+ igtk_cmd.ctrl_flags |= cpu_to_le32(STA_KEY_NOT_VALID);
+ } else {
+ struct ieee80211_key_seq seq;
+@@ -3574,9 +3578,9 @@ int iwl_mvm_remove_sta_key(struct iwl_mvm *mvm,
+ IWL_DEBUG_WEP(mvm, "mvm remove dynamic key: idx=%d sta=%d\n",
+ keyconf->keyidx, sta_id);
+
+- if (mvm_sta && (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC ||
+- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 ||
+- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256))
++ if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC ||
++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 ||
++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256)
+ return iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id, true);
+
+ if (!__test_and_clear_bit(keyconf->hw_key_idx, mvm->fw_key_table)) {
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+index 6dd835f1efc2..fbfa0b15d0c8 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -232,6 +232,7 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
+
+ if (country_ie_len >
+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
++ rcu_read_unlock();
+ mwifiex_dbg(priv->adapter, ERROR,
+ "11D: country_ie_len overflow!, deauth AP\n");
+ return -EINVAL;
+diff --git a/drivers/nfc/pn544/pn544.c b/drivers/nfc/pn544/pn544.c
+index cda996f6954e..2b83156efe3f 100644
+--- a/drivers/nfc/pn544/pn544.c
++++ b/drivers/nfc/pn544/pn544.c
+@@ -693,7 +693,7 @@ static int pn544_hci_check_presence(struct nfc_hci_dev *hdev,
+ target->nfcid1_len != 10)
+ return -EOPNOTSUPP;
+
+- return nfc_hci_send_cmd(hdev, NFC_HCI_RF_READER_A_GATE,
++ return nfc_hci_send_cmd(hdev, NFC_HCI_RF_READER_A_GATE,
+ PN544_RF_READER_CMD_ACTIVATE_NEXT,
+ target->nfcid1, target->nfcid1_len, NULL);
+ } else if (target->supported_protocols & (NFC_PROTO_JEWEL_MASK |
+diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
+index f7297473d9eb..feef15c38ec9 100644
+--- a/drivers/nvme/target/fabrics-cmd.c
++++ b/drivers/nvme/target/fabrics-cmd.c
+@@ -109,6 +109,7 @@ static u16 nvmet_install_queue(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
+ u16 qid = le16_to_cpu(c->qid);
+ u16 sqsize = le16_to_cpu(c->sqsize);
+ struct nvmet_ctrl *old;
++ u16 ret;
+
+ old = cmpxchg(&req->sq->ctrl, NULL, ctrl);
+ if (old) {
+@@ -119,7 +120,8 @@ static u16 nvmet_install_queue(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
+ if (!sqsize) {
+ pr_warn("queue size zero!\n");
+ req->error_loc = offsetof(struct nvmf_connect_command, sqsize);
+- return NVME_SC_CONNECT_INVALID_PARAM | NVME_SC_DNR;
++ ret = NVME_SC_CONNECT_INVALID_PARAM | NVME_SC_DNR;
++ goto err;
+ }
+
+ /* note: convert queue size from 0's-based value to 1's-based value */
+@@ -132,16 +134,19 @@ static u16 nvmet_install_queue(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
+ }
+
+ if (ctrl->ops->install_queue) {
+- u16 ret = ctrl->ops->install_queue(req->sq);
+-
++ ret = ctrl->ops->install_queue(req->sq);
+ if (ret) {
+ pr_err("failed to install queue %d cntlid %d ret %x\n",
+- qid, ret, ctrl->cntlid);
+- return ret;
++ qid, ctrl->cntlid, ret);
++ goto err;
+ }
+ }
+
+ return 0;
++
++err:
++ req->sq->ctrl = NULL;
++ return ret;
+ }
+
+ static void nvmet_execute_admin_connect(struct nvmet_req *req)
+diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
+index 9f1ee9c766ec..1e4a798dce6e 100644
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -83,7 +83,7 @@ static void nvmem_cell_drop(struct nvmem_cell *cell)
+ list_del(&cell->node);
+ mutex_unlock(&nvmem_mutex);
+ of_node_put(cell->np);
+- kfree(cell->name);
++ kfree_const(cell->name);
+ kfree(cell);
+ }
+
+@@ -110,7 +110,9 @@ static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem,
+ cell->nvmem = nvmem;
+ cell->offset = info->offset;
+ cell->bytes = info->bytes;
+- cell->name = info->name;
++ cell->name = kstrdup_const(info->name, GFP_KERNEL);
++ if (!cell->name)
++ return -ENOMEM;
+
+ cell->bit_offset = info->bit_offset;
+ cell->nbits = info->nbits;
+@@ -300,7 +302,7 @@ static int nvmem_add_cells_from_of(struct nvmem_device *nvmem)
+ dev_err(dev, "cell %s unaligned to nvmem stride %d\n",
+ cell->name, nvmem->stride);
+ /* Cells already added will be freed later. */
+- kfree(cell->name);
++ kfree_const(cell->name);
+ kfree(cell);
+ return -EINVAL;
+ }
+diff --git a/drivers/nvmem/imx-ocotp-scu.c b/drivers/nvmem/imx-ocotp-scu.c
+index 03f1ab23ad51..455675dd8efe 100644
+--- a/drivers/nvmem/imx-ocotp-scu.c
++++ b/drivers/nvmem/imx-ocotp-scu.c
+@@ -15,8 +15,7 @@
+ #include <linux/platform_device.h>
+ #include <linux/slab.h>
+
+-#define IMX_SIP_OTP 0xC200000A
+-#define IMX_SIP_OTP_WRITE 0x2
++#define IMX_SIP_OTP_WRITE 0xc200000B
+
+ enum ocotp_devtype {
+ IMX8QXP,
+@@ -212,8 +211,7 @@ static int imx_scu_ocotp_write(void *context, unsigned int offset,
+
+ mutex_lock(&scu_ocotp_mutex);
+
+- arm_smccc_smc(IMX_SIP_OTP, IMX_SIP_OTP_WRITE, index, *buf,
+- 0, 0, 0, 0, &res);
++ arm_smccc_smc(IMX_SIP_OTP_WRITE, index, *buf, 0, 0, 0, 0, 0, &res);
+
+ mutex_unlock(&scu_ocotp_mutex);
+
+diff --git a/drivers/of/Kconfig b/drivers/of/Kconfig
+index 37c2ccbefecd..d91618641be6 100644
+--- a/drivers/of/Kconfig
++++ b/drivers/of/Kconfig
+@@ -103,4 +103,8 @@ config OF_OVERLAY
+ config OF_NUMA
+ bool
+
++config OF_DMA_DEFAULT_COHERENT
++ # arches should select this if DMA is coherent by default for OF devices
++ bool
++
+ endif # OF
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 99c1b8058559..e8a39c3ec4d4 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -995,12 +995,16 @@ out:
+ * @np: device node
+ *
+ * It returns true if "dma-coherent" property was found
+- * for this device in DT.
++ * for this device in the DT, or if DMA is coherent by
++ * default for OF devices on the current platform.
+ */
+ bool of_dma_is_coherent(struct device_node *np)
+ {
+ struct device_node *node = of_node_get(np);
+
++ if (IS_ENABLED(CONFIG_OF_DMA_DEFAULT_COHERENT))
++ return true;
++
+ while (node) {
+ if (of_property_read_bool(node, "dma-coherent")) {
+ of_node_put(node);
+diff --git a/drivers/pci/ats.c b/drivers/pci/ats.c
+index 982b46f0a54d..b6f064c885c3 100644
+--- a/drivers/pci/ats.c
++++ b/drivers/pci/ats.c
+@@ -424,11 +424,12 @@ void pci_restore_pasid_state(struct pci_dev *pdev)
+ int pci_pasid_features(struct pci_dev *pdev)
+ {
+ u16 supported;
+- int pasid = pdev->pasid_cap;
++ int pasid;
+
+ if (pdev->is_virtfn)
+ pdev = pci_physfn(pdev);
+
++ pasid = pdev->pasid_cap;
+ if (!pasid)
+ return -EINVAL;
+
+@@ -451,11 +452,12 @@ int pci_pasid_features(struct pci_dev *pdev)
+ int pci_max_pasids(struct pci_dev *pdev)
+ {
+ u16 supported;
+- int pasid = pdev->pasid_cap;
++ int pasid;
+
+ if (pdev->is_virtfn)
+ pdev = pci_physfn(pdev);
+
++ pasid = pdev->pasid_cap;
+ if (!pasid)
+ return -EINVAL;
+
+diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
+index af677254a072..c8c702c494a2 100644
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -422,7 +422,7 @@ static void ks_pcie_setup_rc_app_regs(struct keystone_pcie *ks_pcie)
+ lower_32_bits(start) | OB_ENABLEN);
+ ks_pcie_app_writel(ks_pcie, OB_OFFSET_HI(i),
+ upper_32_bits(start));
+- start += OB_WIN_SIZE;
++ start += OB_WIN_SIZE * SZ_1M;
+ }
+
+ val = ks_pcie_app_readl(ks_pcie, CMD_STATUS);
+@@ -510,7 +510,7 @@ static void ks_pcie_stop_link(struct dw_pcie *pci)
+ /* Disable Link training */
+ val = ks_pcie_app_readl(ks_pcie, CMD_STATUS);
+ val &= ~LTSSM_EN_VAL;
+- ks_pcie_app_writel(ks_pcie, CMD_STATUS, LTSSM_EN_VAL | val);
++ ks_pcie_app_writel(ks_pcie, CMD_STATUS, val);
+ }
+
+ static int ks_pcie_start_link(struct dw_pcie *pci)
+@@ -1354,7 +1354,7 @@ static int __init ks_pcie_probe(struct platform_device *pdev)
+ ret = of_property_read_u32(np, "num-viewport", &num_viewport);
+ if (ret < 0) {
+ dev_err(dev, "unable to read *num-viewport* property\n");
+- return ret;
++ goto err_get_sync;
+ }
+
+ /*
+diff --git a/drivers/pci/controller/pci-tegra.c b/drivers/pci/controller/pci-tegra.c
+index 673a1725ef38..090b632965e2 100644
+--- a/drivers/pci/controller/pci-tegra.c
++++ b/drivers/pci/controller/pci-tegra.c
+@@ -2798,7 +2798,7 @@ static int tegra_pcie_probe(struct platform_device *pdev)
+
+ pm_runtime_enable(pcie->dev);
+ err = pm_runtime_get_sync(pcie->dev);
+- if (err) {
++ if (err < 0) {
+ dev_err(dev, "fail to enable pcie controller: %d\n", err);
+ goto teardown_msi;
+ }
+diff --git a/drivers/phy/qualcomm/phy-qcom-apq8064-sata.c b/drivers/phy/qualcomm/phy-qcom-apq8064-sata.c
+index 42bc5150dd92..febe0aef68d4 100644
+--- a/drivers/phy/qualcomm/phy-qcom-apq8064-sata.c
++++ b/drivers/phy/qualcomm/phy-qcom-apq8064-sata.c
+@@ -80,7 +80,7 @@ static int read_poll_timeout(void __iomem *addr, u32 mask)
+ if (readl_relaxed(addr) & mask)
+ return 0;
+
+- usleep_range(DELAY_INTERVAL_US, DELAY_INTERVAL_US + 50);
++ usleep_range(DELAY_INTERVAL_US, DELAY_INTERVAL_US + 50);
+ } while (!time_after(jiffies, timeout));
+
+ return (readl_relaxed(addr) & mask) ? 0 : -ETIMEDOUT;
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index cdab916fbf92..e330ec73c465 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -67,26 +67,22 @@
+ struct intel_scu_ipc_pdata_t {
+ u32 i2c_base;
+ u32 i2c_len;
+- u8 irq_mode;
+ };
+
+ static const struct intel_scu_ipc_pdata_t intel_scu_ipc_lincroft_pdata = {
+ .i2c_base = 0xff12b000,
+ .i2c_len = 0x10,
+- .irq_mode = 0,
+ };
+
+ /* Penwell and Cloverview */
+ static const struct intel_scu_ipc_pdata_t intel_scu_ipc_penwell_pdata = {
+ .i2c_base = 0xff12b000,
+ .i2c_len = 0x10,
+- .irq_mode = 1,
+ };
+
+ static const struct intel_scu_ipc_pdata_t intel_scu_ipc_tangier_pdata = {
+ .i2c_base = 0xff00d000,
+ .i2c_len = 0x10,
+- .irq_mode = 0,
+ };
+
+ struct intel_scu_ipc_dev {
+@@ -99,6 +95,9 @@ struct intel_scu_ipc_dev {
+
+ static struct intel_scu_ipc_dev ipcdev; /* Only one for now */
+
++#define IPC_STATUS 0x04
++#define IPC_STATUS_IRQ BIT(2)
++
+ /*
+ * IPC Read Buffer (Read Only):
+ * 16 byte buffer for receiving data from SCU, if IPC command
+@@ -120,11 +119,8 @@ static DEFINE_MUTEX(ipclock); /* lock used to prevent multiple call to SCU */
+ */
+ static inline void ipc_command(struct intel_scu_ipc_dev *scu, u32 cmd)
+ {
+- if (scu->irq_mode) {
+- reinit_completion(&scu->cmd_complete);
+- writel(cmd | IPC_IOC, scu->ipc_base);
+- }
+- writel(cmd, scu->ipc_base);
++ reinit_completion(&scu->cmd_complete);
++ writel(cmd | IPC_IOC, scu->ipc_base);
+ }
+
+ /*
+@@ -610,9 +606,10 @@ EXPORT_SYMBOL(intel_scu_ipc_i2c_cntrl);
+ static irqreturn_t ioc(int irq, void *dev_id)
+ {
+ struct intel_scu_ipc_dev *scu = dev_id;
++ int status = ipc_read_status(scu);
+
+- if (scu->irq_mode)
+- complete(&scu->cmd_complete);
++ writel(status | IPC_STATUS_IRQ, scu->ipc_base + IPC_STATUS);
++ complete(&scu->cmd_complete);
+
+ return IRQ_HANDLED;
+ }
+@@ -638,8 +635,6 @@ static int ipc_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ if (!pdata)
+ return -ENODEV;
+
+- scu->irq_mode = pdata->irq_mode;
+-
+ err = pcim_enable_device(pdev);
+ if (err)
+ return err;
+diff --git a/drivers/power/supply/axp20x_ac_power.c b/drivers/power/supply/axp20x_ac_power.c
+index 0d34a932b6d5..f74b0556bb6b 100644
+--- a/drivers/power/supply/axp20x_ac_power.c
++++ b/drivers/power/supply/axp20x_ac_power.c
+@@ -23,6 +23,8 @@
+ #define AXP20X_PWR_STATUS_ACIN_PRESENT BIT(7)
+ #define AXP20X_PWR_STATUS_ACIN_AVAIL BIT(6)
+
++#define AXP813_ACIN_PATH_SEL BIT(7)
++
+ #define AXP813_VHOLD_MASK GENMASK(5, 3)
+ #define AXP813_VHOLD_UV_TO_BIT(x) ((((x) / 100000) - 40) << 3)
+ #define AXP813_VHOLD_REG_TO_UV(x) \
+@@ -40,6 +42,7 @@ struct axp20x_ac_power {
+ struct power_supply *supply;
+ struct iio_channel *acin_v;
+ struct iio_channel *acin_i;
++ bool has_acin_path_sel;
+ };
+
+ static irqreturn_t axp20x_ac_power_irq(int irq, void *devid)
+@@ -86,6 +89,17 @@ static int axp20x_ac_power_get_property(struct power_supply *psy,
+ return ret;
+
+ val->intval = !!(reg & AXP20X_PWR_STATUS_ACIN_AVAIL);
++
++ /* ACIN_PATH_SEL disables ACIN even if ACIN_AVAIL is set. */
++ if (val->intval && power->has_acin_path_sel) {
++ ret = regmap_read(power->regmap, AXP813_ACIN_PATH_CTRL,
++ &reg);
++ if (ret)
++ return ret;
++
++ val->intval = !!(reg & AXP813_ACIN_PATH_SEL);
++ }
++
+ return 0;
+
+ case POWER_SUPPLY_PROP_VOLTAGE_NOW:
+@@ -224,21 +238,25 @@ static const struct power_supply_desc axp813_ac_power_desc = {
+ struct axp_data {
+ const struct power_supply_desc *power_desc;
+ bool acin_adc;
++ bool acin_path_sel;
+ };
+
+ static const struct axp_data axp20x_data = {
+- .power_desc = &axp20x_ac_power_desc,
+- .acin_adc = true,
++ .power_desc = &axp20x_ac_power_desc,
++ .acin_adc = true,
++ .acin_path_sel = false,
+ };
+
+ static const struct axp_data axp22x_data = {
+- .power_desc = &axp22x_ac_power_desc,
+- .acin_adc = false,
++ .power_desc = &axp22x_ac_power_desc,
++ .acin_adc = false,
++ .acin_path_sel = false,
+ };
+
+ static const struct axp_data axp813_data = {
+- .power_desc = &axp813_ac_power_desc,
+- .acin_adc = false,
++ .power_desc = &axp813_ac_power_desc,
++ .acin_adc = false,
++ .acin_path_sel = true,
+ };
+
+ static int axp20x_ac_power_probe(struct platform_device *pdev)
+@@ -282,6 +300,7 @@ static int axp20x_ac_power_probe(struct platform_device *pdev)
+ }
+
+ power->regmap = dev_get_regmap(pdev->dev.parent, NULL);
++ power->has_acin_path_sel = axp_data->acin_path_sel;
+
+ platform_set_drvdata(pdev, power);
+
+diff --git a/drivers/power/supply/ltc2941-battery-gauge.c b/drivers/power/supply/ltc2941-battery-gauge.c
+index da49436176cd..30a9014b2f95 100644
+--- a/drivers/power/supply/ltc2941-battery-gauge.c
++++ b/drivers/power/supply/ltc2941-battery-gauge.c
+@@ -449,7 +449,7 @@ static int ltc294x_i2c_remove(struct i2c_client *client)
+ {
+ struct ltc294x_info *info = i2c_get_clientdata(client);
+
+- cancel_delayed_work(&info->work);
++ cancel_delayed_work_sync(&info->work);
+ power_supply_unregister(info->supply);
+ return 0;
+ }
+diff --git a/drivers/regulator/helpers.c b/drivers/regulator/helpers.c
+index ca3dc3f3bb29..bb16c465426e 100644
+--- a/drivers/regulator/helpers.c
++++ b/drivers/regulator/helpers.c
+@@ -13,6 +13,8 @@
+ #include <linux/regulator/driver.h>
+ #include <linux/module.h>
+
++#include "internal.h"
++
+ /**
+ * regulator_is_enabled_regmap - standard is_enabled() for regmap users
+ *
+@@ -881,3 +883,15 @@ void regulator_bulk_set_supply_names(struct regulator_bulk_data *consumers,
+ consumers[i].supply = supply_names[i];
+ }
+ EXPORT_SYMBOL_GPL(regulator_bulk_set_supply_names);
++
++/**
++ * regulator_is_equal - test whether two regulators are the same
++ *
++ * @reg1: first regulator to operate on
++ * @reg2: second regulator to operate on
++ */
++bool regulator_is_equal(struct regulator *reg1, struct regulator *reg2)
++{
++ return reg1->rdev == reg2->rdev;
++}
++EXPORT_SYMBOL_GPL(regulator_is_equal);
+diff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c
+index 469d0bc9f5fe..00cf33573136 100644
+--- a/drivers/scsi/csiostor/csio_scsi.c
++++ b/drivers/scsi/csiostor/csio_scsi.c
+@@ -1383,7 +1383,7 @@ csio_device_reset(struct device *dev,
+ return -EINVAL;
+
+ /* Delete NPIV lnodes */
+- csio_lnodes_exit(hw, 1);
++ csio_lnodes_exit(hw, 1);
+
+ /* Block upper IOs */
+ csio_lnodes_block_request(hw);
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index a4bc81479284..15b3d9050804 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -4392,7 +4392,8 @@ dcmd_timeout_ocr_possible(struct megasas_instance *instance) {
+ if (instance->adapter_type == MFI_SERIES)
+ return KILL_ADAPTER;
+ else if (instance->unload ||
+- test_bit(MEGASAS_FUSION_IN_RESET, &instance->reset_flags))
++ test_bit(MEGASAS_FUSION_OCR_NOT_POSSIBLE,
++ &instance->reset_flags))
+ return IGNORE_TIMEOUT;
+ else
+ return INITIATE_OCR;
+diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+index e301458bcbae..46bc062d873e 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -4847,6 +4847,7 @@ int megasas_reset_fusion(struct Scsi_Host *shost, int reason)
+ if (instance->requestorId && !instance->skip_heartbeat_timer_del)
+ del_timer_sync(&instance->sriov_heartbeat_timer);
+ set_bit(MEGASAS_FUSION_IN_RESET, &instance->reset_flags);
++ set_bit(MEGASAS_FUSION_OCR_NOT_POSSIBLE, &instance->reset_flags);
+ atomic_set(&instance->adprecovery, MEGASAS_ADPRESET_SM_POLLING);
+ instance->instancet->disable_intr(instance);
+ megasas_sync_irqs((unsigned long)instance);
+@@ -5046,7 +5047,7 @@ kill_hba:
+ instance->skip_heartbeat_timer_del = 1;
+ retval = FAILED;
+ out:
+- clear_bit(MEGASAS_FUSION_IN_RESET, &instance->reset_flags);
++ clear_bit(MEGASAS_FUSION_OCR_NOT_POSSIBLE, &instance->reset_flags);
+ mutex_unlock(&instance->reset_mutex);
+ return retval;
+ }
+diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.h b/drivers/scsi/megaraid/megaraid_sas_fusion.h
+index c013c80fe4e6..dd2e37e40d6b 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.h
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.h
+@@ -89,6 +89,7 @@ enum MR_RAID_FLAGS_IO_SUB_TYPE {
+
+ #define MEGASAS_FP_CMD_LEN 16
+ #define MEGASAS_FUSION_IN_RESET 0
++#define MEGASAS_FUSION_OCR_NOT_POSSIBLE 1
+ #define RAID_1_PEER_CMDS 2
+ #define JBOD_MAPS_COUNT 2
+ #define MEGASAS_REDUCE_QD_COUNT 64
+diff --git a/drivers/scsi/qla2xxx/qla_dbg.c b/drivers/scsi/qla2xxx/qla_dbg.c
+index 30afc59c1870..7bbff91f8883 100644
+--- a/drivers/scsi/qla2xxx/qla_dbg.c
++++ b/drivers/scsi/qla2xxx/qla_dbg.c
+@@ -2519,12 +2519,6 @@ qla83xx_fw_dump_failed:
+ /* Driver Debug Functions. */
+ /****************************************************************************/
+
+-static inline int
+-ql_mask_match(uint level)
+-{
+- return (level & ql2xextended_error_logging) == level;
+-}
+-
+ /*
+ * This function is for formatting and logging debug information.
+ * It is to be used when vha is available. It formats the message
+diff --git a/drivers/scsi/qla2xxx/qla_dbg.h b/drivers/scsi/qla2xxx/qla_dbg.h
+index bb01b680ce9f..433e95502808 100644
+--- a/drivers/scsi/qla2xxx/qla_dbg.h
++++ b/drivers/scsi/qla2xxx/qla_dbg.h
+@@ -374,3 +374,9 @@ extern int qla24xx_dump_ram(struct qla_hw_data *, uint32_t, uint32_t *,
+ extern void qla24xx_pause_risc(struct device_reg_24xx __iomem *,
+ struct qla_hw_data *);
+ extern int qla24xx_soft_reset(struct qla_hw_data *);
++
++static inline int
++ql_mask_match(uint level)
++{
++ return (level & ql2xextended_error_logging) == level;
++}
+diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
+index 2edd9f7b3074..c18e2864de3a 100644
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -2402,6 +2402,7 @@ typedef struct fc_port {
+ unsigned int scan_needed:1;
+ unsigned int n2n_flag:1;
+ unsigned int explicit_logout:1;
++ unsigned int prli_pend_timer:1;
+
+ struct completion nvme_del_done;
+ uint32_t nvme_prli_service_param;
+@@ -2428,6 +2429,7 @@ typedef struct fc_port {
+ struct work_struct free_work;
+ struct work_struct reg_work;
+ uint64_t jiffies_at_registration;
++ unsigned long prli_expired;
+ struct qlt_plogi_ack_t *plogi_link[QLT_PLOGI_LINK_MAX];
+
+ uint16_t tgt_id;
+@@ -4845,6 +4847,9 @@ struct sff_8247_a0 {
+ (ha->fc4_type_priority == FC4_PRIORITY_NVME)) || \
+ NVME_ONLY_TARGET(fcport)) \
+
++#define PRLI_PHASE(_cls) \
++ ((_cls == DSC_LS_PRLI_PEND) || (_cls == DSC_LS_PRLI_COMP))
++
+ #include "qla_target.h"
+ #include "qla_gbl.h"
+ #include "qla_dbg.h"
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index aa5204163bec..1841d4ad2cb2 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -685,7 +685,7 @@ static void qla24xx_handle_gnl_done_event(scsi_qla_host_t *vha,
+ port_id_t id;
+ u64 wwn;
+ u16 data[2];
+- u8 current_login_state;
++ u8 current_login_state, nvme_cls;
+
+ fcport = ea->fcport;
+ ql_dbg(ql_dbg_disc, vha, 0xffff,
+@@ -744,10 +744,17 @@ static void qla24xx_handle_gnl_done_event(scsi_qla_host_t *vha,
+
+ loop_id = le16_to_cpu(e->nport_handle);
+ loop_id = (loop_id & 0x7fff);
+- if (NVME_TARGET(vha->hw, fcport))
+- current_login_state = e->current_login_state >> 4;
+- else
+- current_login_state = e->current_login_state & 0xf;
++ nvme_cls = e->current_login_state >> 4;
++ current_login_state = e->current_login_state & 0xf;
++
++ if (PRLI_PHASE(nvme_cls)) {
++ current_login_state = nvme_cls;
++ fcport->fc4_type &= ~FS_FC4TYPE_FCP;
++ fcport->fc4_type |= FS_FC4TYPE_NVME;
++ } else if (PRLI_PHASE(current_login_state)) {
++ fcport->fc4_type |= FS_FC4TYPE_FCP;
++ fcport->fc4_type &= ~FS_FC4TYPE_NVME;
++ }
+
+ ql_dbg(ql_dbg_disc, vha, 0x20e2,
+ "%s found %8phC CLS [%x|%x] fc4_type %d ID[%06x|%06x] lid[%d|%d]\n",
+@@ -1216,12 +1223,19 @@ qla24xx_async_prli(struct scsi_qla_host *vha, fc_port_t *fcport)
+ struct srb_iocb *lio;
+ int rval = QLA_FUNCTION_FAILED;
+
+- if (!vha->flags.online)
++ if (!vha->flags.online) {
++ ql_dbg(ql_dbg_disc, vha, 0xffff, "%s %d %8phC exit\n",
++ __func__, __LINE__, fcport->port_name);
+ return rval;
++ }
+
+- if (fcport->fw_login_state == DSC_LS_PLOGI_PEND ||
+- fcport->fw_login_state == DSC_LS_PRLI_PEND)
++ if ((fcport->fw_login_state == DSC_LS_PLOGI_PEND ||
++ fcport->fw_login_state == DSC_LS_PRLI_PEND) &&
++ qla_dual_mode_enabled(vha)) {
++ ql_dbg(ql_dbg_disc, vha, 0xffff, "%s %d %8phC exit\n",
++ __func__, __LINE__, fcport->port_name);
+ return rval;
++ }
+
+ sp = qla2x00_get_sp(vha, fcport, GFP_KERNEL);
+ if (!sp)
+@@ -1600,6 +1614,10 @@ int qla24xx_fcport_handle_login(struct scsi_qla_host *vha, fc_port_t *fcport)
+ break;
+ default:
+ if (fcport->login_pause) {
++ ql_dbg(ql_dbg_disc, vha, 0x20d8,
++ "%s %d %8phC exit\n",
++ __func__, __LINE__,
++ fcport->port_name);
+ fcport->last_rscn_gen = fcport->rscn_gen;
+ fcport->last_login_gen = fcport->login_gen;
+ set_bit(RELOGIN_NEEDED, &vha->dpc_flags);
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index 7b8a6bfcf08d..9f9124550415 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -1918,6 +1918,18 @@ static void qla24xx_nvme_iocb_entry(scsi_qla_host_t *vha, struct req_que *req,
+ inbuf = (uint32_t *)&sts->nvme_ersp_data;
+ outbuf = (uint32_t *)fd->rspaddr;
+ iocb->u.nvme.rsp_pyld_len = le16_to_cpu(sts->nvme_rsp_pyld_len);
++ if (unlikely(iocb->u.nvme.rsp_pyld_len >
++ sizeof(struct nvme_fc_ersp_iu))) {
++ if (ql_mask_match(ql_dbg_io)) {
++ WARN_ONCE(1, "Unexpected response payload length %u.\n",
++ iocb->u.nvme.rsp_pyld_len);
++ ql_log(ql_log_warn, fcport->vha, 0x5100,
++ "Unexpected response payload length %u.\n",
++ iocb->u.nvme.rsp_pyld_len);
++ }
++ iocb->u.nvme.rsp_pyld_len =
++ sizeof(struct nvme_fc_ersp_iu);
++ }
+ iter = iocb->u.nvme.rsp_pyld_len >> 2;
+ for (; iter; iter--)
+ *outbuf++ = swab32(*inbuf++);
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index b7c1108c48e2..9e09964f5c0e 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -6152,9 +6152,8 @@ qla2x00_dump_mctp_data(scsi_qla_host_t *vha, dma_addr_t req_dma, uint32_t addr,
+ mcp->mb[7] = LSW(MSD(req_dma));
+ mcp->mb[8] = MSW(addr);
+ /* Setting RAM ID to valid */
+- mcp->mb[10] |= BIT_7;
+ /* For MCTP RAM ID is 0x40 */
+- mcp->mb[10] |= 0x40;
++ mcp->mb[10] = BIT_7 | 0x40;
+
+ mcp->out_mb |= MBX_10|MBX_8|MBX_7|MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|
+ MBX_0;
+diff --git a/drivers/scsi/qla2xxx/qla_nx.c b/drivers/scsi/qla2xxx/qla_nx.c
+index 2b2028f2383e..c855d013ba8a 100644
+--- a/drivers/scsi/qla2xxx/qla_nx.c
++++ b/drivers/scsi/qla2xxx/qla_nx.c
+@@ -1612,8 +1612,7 @@ qla82xx_get_bootld_offset(struct qla_hw_data *ha)
+ return (u8 *)&ha->hablob->fw->data[offset];
+ }
+
+-static __le32
+-qla82xx_get_fw_size(struct qla_hw_data *ha)
++static u32 qla82xx_get_fw_size(struct qla_hw_data *ha)
+ {
+ struct qla82xx_uri_data_desc *uri_desc = NULL;
+
+@@ -1624,7 +1623,7 @@ qla82xx_get_fw_size(struct qla_hw_data *ha)
+ return cpu_to_le32(uri_desc->size);
+ }
+
+- return cpu_to_le32(*(u32 *)&ha->hablob->fw->data[FW_SIZE_OFFSET]);
++ return get_unaligned_le32(&ha->hablob->fw->data[FW_SIZE_OFFSET]);
+ }
+
+ static u8 *
+@@ -1816,7 +1815,7 @@ qla82xx_fw_load_from_blob(struct qla_hw_data *ha)
+ }
+
+ flashaddr = FLASH_ADDR_START;
+- size = (__force u32)qla82xx_get_fw_size(ha) / 8;
++ size = qla82xx_get_fw_size(ha) / 8;
+ ptr64 = (u64 *)qla82xx_get_fw_offs(ha);
+
+ for (i = 0; i < size; i++) {
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index 68c14143e50e..f67a5c4dacd0 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1257,6 +1257,7 @@ void qlt_schedule_sess_for_deletion(struct fc_port *sess)
+ sess->deleted = QLA_SESS_DELETION_IN_PROGRESS;
+ spin_unlock_irqrestore(&sess->vha->work_lock, flags);
+
++ sess->prli_pend_timer = 0;
+ sess->disc_state = DSC_DELETE_PEND;
+
+ qla24xx_chk_fcp_state(sess);
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 2323432a0edb..5504ab11decc 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -4145,7 +4145,7 @@ static void qla4xxx_mem_free(struct scsi_qla_host *ha)
+ dma_free_coherent(&ha->pdev->dev, ha->queues_len, ha->queues,
+ ha->queues_dma);
+
+- if (ha->fw_dump)
++ if (ha->fw_dump)
+ vfree(ha->fw_dump);
+
+ ha->queues_len = 0;
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 160748ad9c0f..eace8886d95a 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -405,6 +405,38 @@ sg_release(struct inode *inode, struct file *filp)
+ return 0;
+ }
+
++static int get_sg_io_pack_id(int *pack_id, void __user *buf, size_t count)
++{
++ struct sg_header __user *old_hdr = buf;
++ int reply_len;
++
++ if (count >= SZ_SG_HEADER) {
++ /* negative reply_len means v3 format, otherwise v1/v2 */
++ if (get_user(reply_len, &old_hdr->reply_len))
++ return -EFAULT;
++
++ if (reply_len >= 0)
++ return get_user(*pack_id, &old_hdr->pack_id);
++
++ if (in_compat_syscall() &&
++ count >= sizeof(struct compat_sg_io_hdr)) {
++ struct compat_sg_io_hdr __user *hp = buf;
++
++ return get_user(*pack_id, &hp->pack_id);
++ }
++
++ if (count >= sizeof(struct sg_io_hdr)) {
++ struct sg_io_hdr __user *hp = buf;
++
++ return get_user(*pack_id, &hp->pack_id);
++ }
++ }
++
++ /* no valid header was passed, so ignore the pack_id */
++ *pack_id = -1;
++ return 0;
++}
++
+ static ssize_t
+ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
+ {
+@@ -413,8 +445,8 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
+ Sg_request *srp;
+ int req_pack_id = -1;
+ sg_io_hdr_t *hp;
+- struct sg_header *old_hdr = NULL;
+- int retval = 0;
++ struct sg_header *old_hdr;
++ int retval;
+
+ /*
+ * This could cause a response to be stranded. Close the associated
+@@ -429,79 +461,34 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
+ SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
+ "sg_read: count=%d\n", (int) count));
+
+- if (sfp->force_packid && (count >= SZ_SG_HEADER)) {
+- old_hdr = memdup_user(buf, SZ_SG_HEADER);
+- if (IS_ERR(old_hdr))
+- return PTR_ERR(old_hdr);
+- if (old_hdr->reply_len < 0) {
+- if (count >= SZ_SG_IO_HDR) {
+- /*
+- * This is stupid.
+- *
+- * We're copying the whole sg_io_hdr_t from user
+- * space just to get the 'pack_id' field. But the
+- * field is at different offsets for the compat
+- * case, so we'll use "get_sg_io_hdr()" to copy
+- * the whole thing and convert it.
+- *
+- * We could do something like just calculating the
+- * offset based of 'in_compat_syscall()', but the
+- * 'compat_sg_io_hdr' definition is in the wrong
+- * place for that.
+- */
+- sg_io_hdr_t *new_hdr;
+- new_hdr = kmalloc(SZ_SG_IO_HDR, GFP_KERNEL);
+- if (!new_hdr) {
+- retval = -ENOMEM;
+- goto free_old_hdr;
+- }
+- retval = get_sg_io_hdr(new_hdr, buf);
+- req_pack_id = new_hdr->pack_id;
+- kfree(new_hdr);
+- if (retval) {
+- retval = -EFAULT;
+- goto free_old_hdr;
+- }
+- }
+- } else
+- req_pack_id = old_hdr->pack_id;
+- }
++ if (sfp->force_packid)
++ retval = get_sg_io_pack_id(&req_pack_id, buf, count);
++ if (retval)
++ return retval;
++
+ srp = sg_get_rq_mark(sfp, req_pack_id);
+ if (!srp) { /* now wait on packet to arrive */
+- if (atomic_read(&sdp->detaching)) {
+- retval = -ENODEV;
+- goto free_old_hdr;
+- }
+- if (filp->f_flags & O_NONBLOCK) {
+- retval = -EAGAIN;
+- goto free_old_hdr;
+- }
++ if (atomic_read(&sdp->detaching))
++ return -ENODEV;
++ if (filp->f_flags & O_NONBLOCK)
++ return -EAGAIN;
+ retval = wait_event_interruptible(sfp->read_wait,
+ (atomic_read(&sdp->detaching) ||
+ (srp = sg_get_rq_mark(sfp, req_pack_id))));
+- if (atomic_read(&sdp->detaching)) {
+- retval = -ENODEV;
+- goto free_old_hdr;
+- }
+- if (retval) {
++ if (atomic_read(&sdp->detaching))
++ return -ENODEV;
++ if (retval)
+ /* -ERESTARTSYS as signal hit process */
+- goto free_old_hdr;
+- }
+- }
+- if (srp->header.interface_id != '\0') {
+- retval = sg_new_read(sfp, buf, count, srp);
+- goto free_old_hdr;
++ return retval;
+ }
++ if (srp->header.interface_id != '\0')
++ return sg_new_read(sfp, buf, count, srp);
+
+ hp = &srp->header;
+- if (old_hdr == NULL) {
+- old_hdr = kmalloc(SZ_SG_HEADER, GFP_KERNEL);
+- if (! old_hdr) {
+- retval = -ENOMEM;
+- goto free_old_hdr;
+- }
+- }
+- memset(old_hdr, 0, SZ_SG_HEADER);
++ old_hdr = kzalloc(SZ_SG_HEADER, GFP_KERNEL);
++ if (!old_hdr)
++ return -ENOMEM;
++
+ old_hdr->reply_len = (int) hp->timeout;
+ old_hdr->pack_len = old_hdr->reply_len; /* old, strange behaviour */
+ old_hdr->pack_id = hp->pack_id;
+@@ -575,7 +562,12 @@ sg_new_read(Sg_fd * sfp, char __user *buf, size_t count, Sg_request * srp)
+ int err = 0, err2;
+ int len;
+
+- if (count < SZ_SG_IO_HDR) {
++ if (in_compat_syscall()) {
++ if (count < sizeof(struct compat_sg_io_hdr)) {
++ err = -EINVAL;
++ goto err_out;
++ }
++ } else if (count < SZ_SG_IO_HDR) {
+ err = -EINVAL;
+ goto err_out;
+ }
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index b5966faf3e98..03173f06ab96 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -5053,6 +5053,7 @@ static int ufshcd_disable_auto_bkops(struct ufs_hba *hba)
+
+ hba->auto_bkops_enabled = false;
+ trace_ufshcd_auto_bkops_state(dev_name(hba->dev), "Disabled");
++ hba->is_urgent_bkops_lvl_checked = false;
+ out:
+ return err;
+ }
+@@ -5077,6 +5078,7 @@ static void ufshcd_force_reset_auto_bkops(struct ufs_hba *hba)
+ hba->ee_ctrl_mask &= ~MASK_EE_URGENT_BKOPS;
+ ufshcd_disable_auto_bkops(hba);
+ }
++ hba->is_urgent_bkops_lvl_checked = false;
+ }
+
+ static inline int ufshcd_get_bkops_status(struct ufs_hba *hba, u32 *status)
+@@ -5123,6 +5125,7 @@ static int ufshcd_bkops_ctrl(struct ufs_hba *hba,
+ err = ufshcd_enable_auto_bkops(hba);
+ else
+ err = ufshcd_disable_auto_bkops(hba);
++ hba->urgent_bkops_lvl = curr_status;
+ out:
+ return err;
+ }
+diff --git a/drivers/staging/wfx/debug.c b/drivers/staging/wfx/debug.c
+index d17a75242365..1164aba118a1 100644
+--- a/drivers/staging/wfx/debug.c
++++ b/drivers/staging/wfx/debug.c
+@@ -145,7 +145,7 @@ static int wfx_rx_stats_show(struct seq_file *seq, void *v)
+ st->pwr_clk_freq,
+ st->is_ext_pwr_clk ? "yes" : "no");
+ seq_printf(seq,
+- "N. of frames: %d, PER (x10e4): %d, Throughput: %dKbps/s\n",
++ "Num. of frames: %d, PER (x10e4): %d, Throughput: %dKbps/s\n",
+ st->nb_rx_frame, st->per_total, st->throughput);
+ seq_puts(seq, " Num. of PER RSSI SNR CFO\n");
+ seq_puts(seq, " frames (x10e4) (dBm) (dB) (kHz)\n");
+diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
+index 1c8b349379af..77c4a9abe365 100644
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -688,7 +688,9 @@ struct dwc3_ep {
+ #define DWC3_EP_STALL BIT(1)
+ #define DWC3_EP_WEDGE BIT(2)
+ #define DWC3_EP_TRANSFER_STARTED BIT(3)
++#define DWC3_EP_END_TRANSFER_PENDING BIT(4)
+ #define DWC3_EP_PENDING_REQUEST BIT(5)
++#define DWC3_EP_DELAY_START BIT(6)
+
+ /* This last one is specific to EP0 */
+ #define DWC3_EP0_DIR_IN BIT(31)
+diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c
+index fd1b100d2927..6dee4dabc0a4 100644
+--- a/drivers/usb/dwc3/ep0.c
++++ b/drivers/usb/dwc3/ep0.c
+@@ -1136,8 +1136,10 @@ void dwc3_ep0_interrupt(struct dwc3 *dwc,
+ case DWC3_DEPEVT_EPCMDCMPLT:
+ cmd = DEPEVT_PARAMETER_CMD(event->parameters);
+
+- if (cmd == DWC3_DEPCMD_ENDTRANSFER)
++ if (cmd == DWC3_DEPCMD_ENDTRANSFER) {
++ dep->flags &= ~DWC3_EP_END_TRANSFER_PENDING;
+ dep->flags &= ~DWC3_EP_TRANSFER_STARTED;
++ }
+ break;
+ }
+ }
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 154f3f3e8cff..8b95be897078 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1447,6 +1447,12 @@ static int __dwc3_gadget_ep_queue(struct dwc3_ep *dep, struct dwc3_request *req)
+ list_add_tail(&req->list, &dep->pending_list);
+ req->status = DWC3_REQUEST_STATUS_QUEUED;
+
++ /* Start the transfer only after the END_TRANSFER is completed */
++ if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) {
++ dep->flags |= DWC3_EP_DELAY_START;
++ return 0;
++ }
++
+ /*
+ * NOTICE: Isochronous endpoints should NEVER be prestarted. We must
+ * wait for a XferNotReady event so we will know what's the current
+@@ -2625,8 +2631,14 @@ static void dwc3_endpoint_interrupt(struct dwc3 *dwc,
+ cmd = DEPEVT_PARAMETER_CMD(event->parameters);
+
+ if (cmd == DWC3_DEPCMD_ENDTRANSFER) {
++ dep->flags &= ~DWC3_EP_END_TRANSFER_PENDING;
+ dep->flags &= ~DWC3_EP_TRANSFER_STARTED;
+ dwc3_gadget_ep_cleanup_cancelled_requests(dep);
++ if ((dep->flags & DWC3_EP_DELAY_START) &&
++ !usb_endpoint_xfer_isoc(dep->endpoint.desc))
++ __dwc3_gadget_kick_transfer(dep);
++
++ dep->flags &= ~DWC3_EP_DELAY_START;
+ }
+ break;
+ case DWC3_DEPEVT_STREAMEVT:
+@@ -2683,7 +2695,8 @@ static void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force,
+ u32 cmd;
+ int ret;
+
+- if (!(dep->flags & DWC3_EP_TRANSFER_STARTED))
++ if (!(dep->flags & DWC3_EP_TRANSFER_STARTED) ||
++ (dep->flags & DWC3_EP_END_TRANSFER_PENDING))
+ return;
+
+ /*
+@@ -2728,6 +2741,8 @@ static void dwc3_stop_active_transfer(struct dwc3_ep *dep, bool force,
+
+ if (!interrupt)
+ dep->flags &= ~DWC3_EP_TRANSFER_STARTED;
++ else
++ dep->flags |= DWC3_EP_END_TRANSFER_PENDING;
+
+ if (dwc3_is_usb31(dwc) || dwc->revision < DWC3_REVISION_310A)
+ udelay(100);
+diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/function/f_ecm.c
+index 460d5d7c984f..7f5cf488b2b1 100644
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -52,6 +52,7 @@ struct f_ecm {
+ struct usb_ep *notify;
+ struct usb_request *notify_req;
+ u8 notify_state;
++ atomic_t notify_count;
+ bool is_open;
+
+ /* FIXME is_open needs some irq-ish locking
+@@ -380,7 +381,7 @@ static void ecm_do_notify(struct f_ecm *ecm)
+ int status;
+
+ /* notification already in flight? */
+- if (!req)
++ if (atomic_read(&ecm->notify_count))
+ return;
+
+ event = req->buf;
+@@ -420,10 +421,10 @@ static void ecm_do_notify(struct f_ecm *ecm)
+ event->bmRequestType = 0xA1;
+ event->wIndex = cpu_to_le16(ecm->ctrl_id);
+
+- ecm->notify_req = NULL;
++ atomic_inc(&ecm->notify_count);
+ status = usb_ep_queue(ecm->notify, req, GFP_ATOMIC);
+ if (status < 0) {
+- ecm->notify_req = req;
++ atomic_dec(&ecm->notify_count);
+ DBG(cdev, "notify --> %d\n", status);
+ }
+ }
+@@ -448,17 +449,19 @@ static void ecm_notify_complete(struct usb_ep *ep, struct usb_request *req)
+ switch (req->status) {
+ case 0:
+ /* no fault */
++ atomic_dec(&ecm->notify_count);
+ break;
+ case -ECONNRESET:
+ case -ESHUTDOWN:
++ atomic_set(&ecm->notify_count, 0);
+ ecm->notify_state = ECM_NOTIFY_NONE;
+ break;
+ default:
+ DBG(cdev, "event %02x --> %d\n",
+ event->bNotificationType, req->status);
++ atomic_dec(&ecm->notify_count);
+ break;
+ }
+- ecm->notify_req = req;
+ ecm_do_notify(ecm);
+ }
+
+@@ -907,6 +910,11 @@ static void ecm_unbind(struct usb_configuration *c, struct usb_function *f)
+
+ usb_free_all_descriptors(f);
+
++ if (atomic_read(&ecm->notify_count)) {
++ usb_ep_dequeue(ecm->notify, ecm->notify_req);
++ atomic_set(&ecm->notify_count, 0);
++ }
++
+ kfree(ecm->notify_req->buf);
+ usb_ep_free_request(ecm->notify, ecm->notify_req);
+ }
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 0bbccac94d6c..6f8b67e61771 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1062,6 +1062,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
+ req->num_sgs = io_data->sgt.nents;
+ } else {
+ req->buf = data;
++ req->num_sgs = 0;
+ }
+ req->length = data_len;
+
+@@ -1105,6 +1106,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
+ req->num_sgs = io_data->sgt.nents;
+ } else {
+ req->buf = data;
++ req->num_sgs = 0;
+ }
+ req->length = data_len;
+
+diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
+index 2d6e76e4cffa..1d900081b1f0 100644
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -53,6 +53,7 @@ struct f_ncm {
+ struct usb_ep *notify;
+ struct usb_request *notify_req;
+ u8 notify_state;
++ atomic_t notify_count;
+ bool is_open;
+
+ const struct ndp_parser_opts *parser_opts;
+@@ -547,7 +548,7 @@ static void ncm_do_notify(struct f_ncm *ncm)
+ int status;
+
+ /* notification already in flight? */
+- if (!req)
++ if (atomic_read(&ncm->notify_count))
+ return;
+
+ event = req->buf;
+@@ -587,7 +588,8 @@ static void ncm_do_notify(struct f_ncm *ncm)
+ event->bmRequestType = 0xA1;
+ event->wIndex = cpu_to_le16(ncm->ctrl_id);
+
+- ncm->notify_req = NULL;
++ atomic_inc(&ncm->notify_count);
++
+ /*
+ * In double buffering if there is a space in FIFO,
+ * completion callback can be called right after the call,
+@@ -597,7 +599,7 @@ static void ncm_do_notify(struct f_ncm *ncm)
+ status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC);
+ spin_lock(&ncm->lock);
+ if (status < 0) {
+- ncm->notify_req = req;
++ atomic_dec(&ncm->notify_count);
+ DBG(cdev, "notify --> %d\n", status);
+ }
+ }
+@@ -632,17 +634,19 @@ static void ncm_notify_complete(struct usb_ep *ep, struct usb_request *req)
+ case 0:
+ VDBG(cdev, "Notification %02x sent\n",
+ event->bNotificationType);
++ atomic_dec(&ncm->notify_count);
+ break;
+ case -ECONNRESET:
+ case -ESHUTDOWN:
++ atomic_set(&ncm->notify_count, 0);
+ ncm->notify_state = NCM_NOTIFY_NONE;
+ break;
+ default:
+ DBG(cdev, "event %02x --> %d\n",
+ event->bNotificationType, req->status);
++ atomic_dec(&ncm->notify_count);
+ break;
+ }
+- ncm->notify_req = req;
+ ncm_do_notify(ncm);
+ spin_unlock(&ncm->lock);
+ }
+@@ -1649,6 +1653,11 @@ static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
+ ncm_string_defs[0].id = 0;
+ usb_free_all_descriptors(f);
+
++ if (atomic_read(&ncm->notify_count)) {
++ usb_ep_dequeue(ncm->notify, ncm->notify_req);
++ atomic_set(&ncm->notify_count, 0);
++ }
++
+ kfree(ncm->notify_req->buf);
+ usb_ep_free_request(ncm->notify, ncm->notify_req);
+ }
+diff --git a/drivers/usb/gadget/legacy/cdc2.c b/drivers/usb/gadget/legacy/cdc2.c
+index da1c37933ca1..8d7a556ece30 100644
+--- a/drivers/usb/gadget/legacy/cdc2.c
++++ b/drivers/usb/gadget/legacy/cdc2.c
+@@ -225,7 +225,7 @@ static struct usb_composite_driver cdc_driver = {
+ .name = "g_cdc",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = cdc_bind,
+ .unbind = cdc_unbind,
+ };
+diff --git a/drivers/usb/gadget/legacy/g_ffs.c b/drivers/usb/gadget/legacy/g_ffs.c
+index b640ed3fcf70..ae6d8f7092b8 100644
+--- a/drivers/usb/gadget/legacy/g_ffs.c
++++ b/drivers/usb/gadget/legacy/g_ffs.c
+@@ -149,7 +149,7 @@ static struct usb_composite_driver gfs_driver = {
+ .name = DRIVER_NAME,
+ .dev = &gfs_dev_desc,
+ .strings = gfs_dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = gfs_bind,
+ .unbind = gfs_unbind,
+ };
+diff --git a/drivers/usb/gadget/legacy/multi.c b/drivers/usb/gadget/legacy/multi.c
+index 50515f9e1022..ec9749845660 100644
+--- a/drivers/usb/gadget/legacy/multi.c
++++ b/drivers/usb/gadget/legacy/multi.c
+@@ -482,7 +482,7 @@ static struct usb_composite_driver multi_driver = {
+ .name = "g_multi",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = multi_bind,
+ .unbind = multi_unbind,
+ .needs_serial = 1,
+diff --git a/drivers/usb/gadget/legacy/ncm.c b/drivers/usb/gadget/legacy/ncm.c
+index 8465f081e921..c61e71ba7045 100644
+--- a/drivers/usb/gadget/legacy/ncm.c
++++ b/drivers/usb/gadget/legacy/ncm.c
+@@ -197,7 +197,7 @@ static struct usb_composite_driver ncm_driver = {
+ .name = "g_ncm",
+ .dev = &device_desc,
+ .strings = dev_strings,
+- .max_speed = USB_SPEED_HIGH,
++ .max_speed = USB_SPEED_SUPER,
+ .bind = gncm_bind,
+ .unbind = gncm_unbind,
+ };
+diff --git a/drivers/usb/typec/tcpm/tcpci.c b/drivers/usb/typec/tcpm/tcpci.c
+index 8b4ff9fff340..753645bb2527 100644
+--- a/drivers/usb/typec/tcpm/tcpci.c
++++ b/drivers/usb/typec/tcpm/tcpci.c
+@@ -591,6 +591,12 @@ static int tcpci_probe(struct i2c_client *client,
+ static int tcpci_remove(struct i2c_client *client)
+ {
+ struct tcpci_chip *chip = i2c_get_clientdata(client);
++ int err;
++
++ /* Disable chip interrupts before unregistering port */
++ err = tcpci_write16(chip->tcpci, TCPC_ALERT_MASK, 0);
++ if (err < 0)
++ return err;
+
+ tcpci_unregister_port(chip->tcpci);
+
+diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
+index 93f995f6cf36..7e5d84caeb94 100644
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -475,7 +475,9 @@ static int init_vqs(struct virtio_balloon *vb)
+ names[VIRTIO_BALLOON_VQ_INFLATE] = "inflate";
+ callbacks[VIRTIO_BALLOON_VQ_DEFLATE] = balloon_ack;
+ names[VIRTIO_BALLOON_VQ_DEFLATE] = "deflate";
++ callbacks[VIRTIO_BALLOON_VQ_STATS] = NULL;
+ names[VIRTIO_BALLOON_VQ_STATS] = NULL;
++ callbacks[VIRTIO_BALLOON_VQ_FREE_PAGE] = NULL;
+ names[VIRTIO_BALLOON_VQ_FREE_PAGE] = NULL;
+
+ if (virtio_has_feature(vb->vdev, VIRTIO_BALLOON_F_STATS_VQ)) {
+@@ -899,8 +901,7 @@ static int virtballoon_probe(struct virtio_device *vdev)
+ vb->vb_dev_info.inode = alloc_anon_inode(balloon_mnt->mnt_sb);
+ if (IS_ERR(vb->vb_dev_info.inode)) {
+ err = PTR_ERR(vb->vb_dev_info.inode);
+- kern_unmount(balloon_mnt);
+- goto out_del_vqs;
++ goto out_kern_unmount;
+ }
+ vb->vb_dev_info.inode->i_mapping->a_ops = &balloon_aops;
+ #endif
+@@ -911,13 +912,13 @@ static int virtballoon_probe(struct virtio_device *vdev)
+ */
+ if (virtqueue_get_vring_size(vb->free_page_vq) < 2) {
+ err = -ENOSPC;
+- goto out_del_vqs;
++ goto out_iput;
+ }
+ vb->balloon_wq = alloc_workqueue("balloon-wq",
+ WQ_FREEZABLE | WQ_CPU_INTENSIVE, 0);
+ if (!vb->balloon_wq) {
+ err = -ENOMEM;
+- goto out_del_vqs;
++ goto out_iput;
+ }
+ INIT_WORK(&vb->report_free_page_work, report_free_page_func);
+ vb->cmd_id_received_cache = VIRTIO_BALLOON_CMD_ID_STOP;
+@@ -951,6 +952,12 @@ static int virtballoon_probe(struct virtio_device *vdev)
+ out_del_balloon_wq:
+ if (virtio_has_feature(vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT))
+ destroy_workqueue(vb->balloon_wq);
++out_iput:
++#ifdef CONFIG_BALLOON_COMPACTION
++ iput(vb->vb_dev_info.inode);
++out_kern_unmount:
++ kern_unmount(balloon_mnt);
++#endif
+ out_del_vqs:
+ vdev->config->del_vqs(vdev);
+ out_free_vb:
+@@ -966,6 +973,10 @@ static void remove_common(struct virtio_balloon *vb)
+ leak_balloon(vb, vb->num_pages);
+ update_balloon_size(vb);
+
++ /* There might be free pages that are being reported: release them. */
++ if (virtio_has_feature(vb->vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT))
++ return_free_pages_to_mm(vb, ULONG_MAX);
++
+ /* Now we reset the device so we can clean up the queues. */
+ vb->vdev->config->reset(vb->vdev);
+
+diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
+index f2862f66c2ac..222d630c41fc 100644
+--- a/drivers/virtio/virtio_pci_common.c
++++ b/drivers/virtio/virtio_pci_common.c
+@@ -294,7 +294,7 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
+ /* Best option: one for change interrupt, one per vq. */
+ nvectors = 1;
+ for (i = 0; i < nvqs; ++i)
+- if (callbacks[i])
++ if (names[i] && callbacks[i])
+ ++nvectors;
+ } else {
+ /* Second best: one for change, shared for all vqs. */
+diff --git a/drivers/watchdog/watchdog_core.c b/drivers/watchdog/watchdog_core.c
+index 21e8085b848b..861daf4f37b2 100644
+--- a/drivers/watchdog/watchdog_core.c
++++ b/drivers/watchdog/watchdog_core.c
+@@ -147,6 +147,25 @@ int watchdog_init_timeout(struct watchdog_device *wdd,
+ }
+ EXPORT_SYMBOL_GPL(watchdog_init_timeout);
+
++static int watchdog_reboot_notifier(struct notifier_block *nb,
++ unsigned long code, void *data)
++{
++ struct watchdog_device *wdd;
++
++ wdd = container_of(nb, struct watchdog_device, reboot_nb);
++ if (code == SYS_DOWN || code == SYS_HALT) {
++ if (watchdog_active(wdd)) {
++ int ret;
++
++ ret = wdd->ops->stop(wdd);
++ if (ret)
++ return NOTIFY_BAD;
++ }
++ }
++
++ return NOTIFY_DONE;
++}
++
+ static int watchdog_restart_notifier(struct notifier_block *nb,
+ unsigned long action, void *data)
+ {
+@@ -235,6 +254,19 @@ static int __watchdog_register_device(struct watchdog_device *wdd)
+ }
+ }
+
++ if (test_bit(WDOG_STOP_ON_REBOOT, &wdd->status)) {
++ wdd->reboot_nb.notifier_call = watchdog_reboot_notifier;
++
++ ret = register_reboot_notifier(&wdd->reboot_nb);
++ if (ret) {
++ pr_err("watchdog%d: Cannot register reboot notifier (%d)\n",
++ wdd->id, ret);
++ watchdog_dev_unregister(wdd);
++ ida_simple_remove(&watchdog_ida, id);
++ return ret;
++ }
++ }
++
+ if (wdd->ops->restart) {
+ wdd->restart_nb.notifier_call = watchdog_restart_notifier;
+
+@@ -289,6 +321,9 @@ static void __watchdog_unregister_device(struct watchdog_device *wdd)
+ if (wdd->ops->restart)
+ unregister_restart_handler(&wdd->restart_nb);
+
++ if (test_bit(WDOG_STOP_ON_REBOOT, &wdd->status))
++ unregister_reboot_notifier(&wdd->reboot_nb);
++
+ watchdog_dev_unregister(wdd);
+ ida_simple_remove(&watchdog_ida, wdd->id);
+ }
+diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
+index 4b2a85438478..8b5c742f24e8 100644
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -38,7 +38,6 @@
+ #include <linux/miscdevice.h> /* For handling misc devices */
+ #include <linux/module.h> /* For module stuff/... */
+ #include <linux/mutex.h> /* For mutexes */
+-#include <linux/reboot.h> /* For reboot notifier */
+ #include <linux/slab.h> /* For memory functions */
+ #include <linux/types.h> /* For standard types (like size_t) */
+ #include <linux/watchdog.h> /* For watchdog specific items */
+@@ -1097,25 +1096,6 @@ static void watchdog_cdev_unregister(struct watchdog_device *wdd)
+ put_device(&wd_data->dev);
+ }
+
+-static int watchdog_reboot_notifier(struct notifier_block *nb,
+- unsigned long code, void *data)
+-{
+- struct watchdog_device *wdd;
+-
+- wdd = container_of(nb, struct watchdog_device, reboot_nb);
+- if (code == SYS_DOWN || code == SYS_HALT) {
+- if (watchdog_active(wdd)) {
+- int ret;
+-
+- ret = wdd->ops->stop(wdd);
+- if (ret)
+- return NOTIFY_BAD;
+- }
+- }
+-
+- return NOTIFY_DONE;
+-}
+-
+ /*
+ * watchdog_dev_register: register a watchdog device
+ * @wdd: watchdog device
+@@ -1134,22 +1114,8 @@ int watchdog_dev_register(struct watchdog_device *wdd)
+ return ret;
+
+ ret = watchdog_register_pretimeout(wdd);
+- if (ret) {
++ if (ret)
+ watchdog_cdev_unregister(wdd);
+- return ret;
+- }
+-
+- if (test_bit(WDOG_STOP_ON_REBOOT, &wdd->status)) {
+- wdd->reboot_nb.notifier_call = watchdog_reboot_notifier;
+-
+- ret = devm_register_reboot_notifier(&wdd->wd_data->dev,
+- &wdd->reboot_nb);
+- if (ret) {
+- pr_err("watchdog%d: Cannot register reboot notifier (%d)\n",
+- wdd->id, ret);
+- watchdog_dev_unregister(wdd);
+- }
+- }
+
+ return ret;
+ }
+diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
+index 4fc83e3f5ad3..0258415ca0b2 100644
+--- a/drivers/xen/gntdev.c
++++ b/drivers/xen/gntdev.c
+@@ -1006,19 +1006,19 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
+ }
+ mutex_unlock(&priv->lock);
+
+- /*
+- * gntdev takes the address of the PTE in find_grant_ptes() and passes
+- * it to the hypervisor in gntdev_map_grant_pages(). The purpose of
+- * the notifier is to prevent the hypervisor pointer to the PTE from
+- * going stale.
+- *
+- * Since this vma's mappings can't be touched without the mmap_sem,
+- * and we are holding it now, there is no need for the notifier_range
+- * locking pattern.
+- */
+- mmu_interval_read_begin(&map->notifier);
+-
+ if (use_ptemod) {
++ /*
++ * gntdev takes the address of the PTE in find_grant_ptes() and
++ * passes it to the hypervisor in gntdev_map_grant_pages(). The
++ * purpose of the notifier is to prevent the hypervisor pointer
++ * to the PTE from going stale.
++ *
++ * Since this vma's mappings can't be touched without the
++ * mmap_sem, and we are holding it now, there is no need for
++ * the notifier_range locking pattern.
++ */
++ mmu_interval_read_begin(&map->notifier);
++
+ map->pages_vm_start = vma->vm_start;
+ err = apply_to_page_range(vma->vm_mm, vma->vm_start,
+ vma->vm_end - vma->vm_start,
+diff --git a/drivers/xen/xen-balloon.c b/drivers/xen/xen-balloon.c
+index 6d12fc368210..a8d24433c8e9 100644
+--- a/drivers/xen/xen-balloon.c
++++ b/drivers/xen/xen-balloon.c
+@@ -94,7 +94,7 @@ static void watch_target(struct xenbus_watch *watch,
+ "%llu", &static_max) == 1))
+ static_max >>= PAGE_SHIFT - 10;
+ else
+- static_max = new_target;
++ static_max = balloon_stats.current_pages;
+
+ target_diff = (xen_pv_domain() || xen_initial_domain()) ? 0
+ : static_max - balloon_stats.target_pages;
+diff --git a/fs/aio.c b/fs/aio.c
+index a9fbad2ce5e6..5f3d3d814928 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1610,6 +1610,14 @@ static int aio_fsync(struct fsync_iocb *req, const struct iocb *iocb,
+ return 0;
+ }
+
++static void aio_poll_put_work(struct work_struct *work)
++{
++ struct poll_iocb *req = container_of(work, struct poll_iocb, work);
++ struct aio_kiocb *iocb = container_of(req, struct aio_kiocb, poll);
++
++ iocb_put(iocb);
++}
++
+ static void aio_poll_complete_work(struct work_struct *work)
+ {
+ struct poll_iocb *req = container_of(work, struct poll_iocb, work);
+@@ -1674,6 +1682,8 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
+ list_del_init(&req->wait.entry);
+
+ if (mask && spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) {
++ struct kioctx *ctx = iocb->ki_ctx;
++
+ /*
+ * Try to complete the iocb inline if we can. Use
+ * irqsave/irqrestore because not all filesystems (e.g. fuse)
+@@ -1683,8 +1693,14 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
+ list_del(&iocb->ki_list);
+ iocb->ki_res.res = mangle_poll(mask);
+ req->done = true;
+- spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags);
+- iocb_put(iocb);
++ if (iocb->ki_eventfd && eventfd_signal_count()) {
++ iocb = NULL;
++ INIT_WORK(&req->work, aio_poll_put_work);
++ schedule_work(&req->work);
++ }
++ spin_unlock_irqrestore(&ctx->ctx_lock, flags);
++ if (iocb)
++ iocb_put(iocb);
+ } else {
+ schedule_work(&req->work);
+ }
+diff --git a/fs/attr.c b/fs/attr.c
+index df28035aa23e..b4bbdbd4c8ca 100644
+--- a/fs/attr.c
++++ b/fs/attr.c
+@@ -183,18 +183,12 @@ void setattr_copy(struct inode *inode, const struct iattr *attr)
+ inode->i_uid = attr->ia_uid;
+ if (ia_valid & ATTR_GID)
+ inode->i_gid = attr->ia_gid;
+- if (ia_valid & ATTR_ATIME) {
+- inode->i_atime = timestamp_truncate(attr->ia_atime,
+- inode);
+- }
+- if (ia_valid & ATTR_MTIME) {
+- inode->i_mtime = timestamp_truncate(attr->ia_mtime,
+- inode);
+- }
+- if (ia_valid & ATTR_CTIME) {
+- inode->i_ctime = timestamp_truncate(attr->ia_ctime,
+- inode);
+- }
++ if (ia_valid & ATTR_ATIME)
++ inode->i_atime = attr->ia_atime;
++ if (ia_valid & ATTR_MTIME)
++ inode->i_mtime = attr->ia_mtime;
++ if (ia_valid & ATTR_CTIME)
++ inode->i_ctime = attr->ia_ctime;
+ if (ia_valid & ATTR_MODE) {
+ umode_t mode = attr->ia_mode;
+
+@@ -268,8 +262,13 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de
+ attr->ia_ctime = now;
+ if (!(ia_valid & ATTR_ATIME_SET))
+ attr->ia_atime = now;
++ else
++ attr->ia_atime = timestamp_truncate(attr->ia_atime, inode);
+ if (!(ia_valid & ATTR_MTIME_SET))
+ attr->ia_mtime = now;
++ else
++ attr->ia_mtime = timestamp_truncate(attr->ia_mtime, inode);
++
+ if (ia_valid & ATTR_KILL_PRIV) {
+ error = security_inode_need_killpriv(dentry);
+ if (error < 0)
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 24658b5a5787..f2ec1a9bae28 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -326,12 +326,10 @@ u64 btrfs_get_tree_mod_seq(struct btrfs_fs_info *fs_info,
+ struct seq_list *elem)
+ {
+ write_lock(&fs_info->tree_mod_log_lock);
+- spin_lock(&fs_info->tree_mod_seq_lock);
+ if (!elem->seq) {
+ elem->seq = btrfs_inc_tree_mod_seq(fs_info);
+ list_add_tail(&elem->list, &fs_info->tree_mod_seq_list);
+ }
+- spin_unlock(&fs_info->tree_mod_seq_lock);
+ write_unlock(&fs_info->tree_mod_log_lock);
+
+ return elem->seq;
+@@ -351,7 +349,7 @@ void btrfs_put_tree_mod_seq(struct btrfs_fs_info *fs_info,
+ if (!seq_putting)
+ return;
+
+- spin_lock(&fs_info->tree_mod_seq_lock);
++ write_lock(&fs_info->tree_mod_log_lock);
+ list_del(&elem->list);
+ elem->seq = 0;
+
+@@ -362,19 +360,17 @@ void btrfs_put_tree_mod_seq(struct btrfs_fs_info *fs_info,
+ * blocker with lower sequence number exists, we
+ * cannot remove anything from the log
+ */
+- spin_unlock(&fs_info->tree_mod_seq_lock);
++ write_unlock(&fs_info->tree_mod_log_lock);
+ return;
+ }
+ min_seq = cur_elem->seq;
+ }
+ }
+- spin_unlock(&fs_info->tree_mod_seq_lock);
+
+ /*
+ * anything that's lower than the lowest existing (read: blocked)
+ * sequence number can be removed from the tree.
+ */
+- write_lock(&fs_info->tree_mod_log_lock);
+ tm_root = &fs_info->tree_mod_log;
+ for (node = rb_first(tm_root); node; node = next) {
+ next = rb_next(node);
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 54efb21c2727..ba7292435c14 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -673,14 +673,12 @@ struct btrfs_fs_info {
+ atomic_t nr_delayed_iputs;
+ wait_queue_head_t delayed_iputs_wait;
+
+- /* this protects tree_mod_seq_list */
+- spinlock_t tree_mod_seq_lock;
+ atomic64_t tree_mod_seq;
+- struct list_head tree_mod_seq_list;
+
+- /* this protects tree_mod_log */
++ /* this protects tree_mod_log and tree_mod_seq_list */
+ rwlock_t tree_mod_log_lock;
+ struct rb_root tree_mod_log;
++ struct list_head tree_mod_seq_list;
+
+ atomic_t async_delalloc_pages;
+
+diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
+index df3bd880061d..dfdb7d4f8406 100644
+--- a/fs/btrfs/delayed-ref.c
++++ b/fs/btrfs/delayed-ref.c
+@@ -492,7 +492,7 @@ void btrfs_merge_delayed_refs(struct btrfs_trans_handle *trans,
+ if (head->is_data)
+ return;
+
+- spin_lock(&fs_info->tree_mod_seq_lock);
++ read_lock(&fs_info->tree_mod_log_lock);
+ if (!list_empty(&fs_info->tree_mod_seq_list)) {
+ struct seq_list *elem;
+
+@@ -500,7 +500,7 @@ void btrfs_merge_delayed_refs(struct btrfs_trans_handle *trans,
+ struct seq_list, list);
+ seq = elem->seq;
+ }
+- spin_unlock(&fs_info->tree_mod_seq_lock);
++ read_unlock(&fs_info->tree_mod_log_lock);
+
+ again:
+ for (node = rb_first_cached(&head->ref_tree); node;
+@@ -518,7 +518,7 @@ int btrfs_check_delayed_seq(struct btrfs_fs_info *fs_info, u64 seq)
+ struct seq_list *elem;
+ int ret = 0;
+
+- spin_lock(&fs_info->tree_mod_seq_lock);
++ read_lock(&fs_info->tree_mod_log_lock);
+ if (!list_empty(&fs_info->tree_mod_seq_list)) {
+ elem = list_first_entry(&fs_info->tree_mod_seq_list,
+ struct seq_list, list);
+@@ -531,7 +531,7 @@ int btrfs_check_delayed_seq(struct btrfs_fs_info *fs_info, u64 seq)
+ }
+ }
+
+- spin_unlock(&fs_info->tree_mod_seq_lock);
++ read_unlock(&fs_info->tree_mod_log_lock);
+ return ret;
+ }
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index e0edfdc9c82b..0c3c6450d1df 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2691,7 +2691,6 @@ int __cold open_ctree(struct super_block *sb,
+ spin_lock_init(&fs_info->fs_roots_radix_lock);
+ spin_lock_init(&fs_info->delayed_iput_lock);
+ spin_lock_init(&fs_info->defrag_inodes_lock);
+- spin_lock_init(&fs_info->tree_mod_seq_lock);
+ spin_lock_init(&fs_info->super_lock);
+ spin_lock_init(&fs_info->buffer_lock);
+ spin_lock_init(&fs_info->unused_bgs_lock);
+@@ -4026,11 +4025,18 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info)
+ invalidate_inode_pages2(fs_info->btree_inode->i_mapping);
+ btrfs_stop_all_workers(fs_info);
+
+- btrfs_free_block_groups(fs_info);
+-
+ clear_bit(BTRFS_FS_OPEN, &fs_info->flags);
+ free_root_pointers(fs_info, true);
+
++ /*
++ * We must free the block groups after dropping the fs_roots as we could
++ * have had an IO error and have left over tree log blocks that aren't
++ * cleaned up until the fs roots are freed. This makes the block group
++ * accounting appear to be wrong because there's pending reserved bytes,
++ * so make sure we do the block group cleanup afterwards.
++ */
++ btrfs_free_block_groups(fs_info);
++
+ iput(fs_info->btree_inode);
+
+ #ifdef CONFIG_BTRFS_FS_CHECK_INTEGRITY
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index 2f4802f405a2..5e7d6e3463ab 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -1593,21 +1593,25 @@ void find_first_clear_extent_bit(struct extent_io_tree *tree, u64 start,
+ /* Find first extent with bits cleared */
+ while (1) {
+ node = __etree_search(tree, start, &next, &prev, NULL, NULL);
+- if (!node) {
++ if (!node && !next && !prev) {
++ /*
++ * Tree is completely empty, send full range and let
++ * caller deal with it
++ */
++ *start_ret = 0;
++ *end_ret = -1;
++ goto out;
++ } else if (!node && !next) {
++ /*
++ * We are past the last allocated chunk, set start at
++ * the end of the last extent.
++ */
++ state = rb_entry(prev, struct extent_state, rb_node);
++ *start_ret = state->end + 1;
++ *end_ret = -1;
++ goto out;
++ } else if (!node) {
+ node = next;
+- if (!node) {
+- /*
+- * We are past the last allocated chunk,
+- * set start at the end of the last extent. The
+- * device alloc tree should never be empty so
+- * prev is always set.
+- */
+- ASSERT(prev);
+- state = rb_entry(prev, struct extent_state, rb_node);
+- *start_ret = state->end + 1;
+- *end_ret = -1;
+- goto out;
+- }
+ }
+ /*
+ * At this point 'node' either contains 'start' or start is
+@@ -3941,6 +3945,11 @@ int btree_write_cache_pages(struct address_space *mapping,
+ if (wbc->range_cyclic) {
+ index = mapping->writeback_index; /* Start from prev offset */
+ end = -1;
++ /*
++ * Start from the beginning does not need to cycle over the
++ * range, mark it as scanned.
++ */
++ scanned = (index == 0);
+ } else {
+ index = wbc->range_start >> PAGE_SHIFT;
+ end = wbc->range_end >> PAGE_SHIFT;
+@@ -3958,7 +3967,6 @@ retry:
+ tag))) {
+ unsigned i;
+
+- scanned = 1;
+ for (i = 0; i < nr_pages; i++) {
+ struct page *page = pvec.pages[i];
+
+@@ -4087,6 +4095,11 @@ static int extent_write_cache_pages(struct address_space *mapping,
+ if (wbc->range_cyclic) {
+ index = mapping->writeback_index; /* Start from prev offset */
+ end = -1;
++ /*
++ * Start from the beginning does not need to cycle over the
++ * range, mark it as scanned.
++ */
++ scanned = (index == 0);
+ } else {
+ index = wbc->range_start >> PAGE_SHIFT;
+ end = wbc->range_end >> PAGE_SHIFT;
+@@ -4120,7 +4133,6 @@ retry:
+ &index, end, tag))) {
+ unsigned i;
+
+- scanned = 1;
+ for (i = 0; i < nr_pages; i++) {
+ struct page *page = pvec.pages[i];
+
+@@ -4180,7 +4192,16 @@ retry:
+ */
+ scanned = 1;
+ index = 0;
+- goto retry;
++
++ /*
++ * If we're looping we could run into a page that is locked by a
++ * writer and that writer could be waiting on writeback for a
++ * page in our current bio, and thus deadlock, so flush the
++ * write bio here.
++ */
++ ret = flush_write_bio(epd);
++ if (!ret)
++ goto retry;
+ }
+
+ if (wbc->range_cyclic || (wbc->nr_to_write > 0 && range_whole))
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 12ae31e1813e..173758d86feb 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3243,6 +3243,7 @@ static void btrfs_double_extent_lock(struct inode *inode1, u64 loff1,
+ static int btrfs_extent_same_range(struct inode *src, u64 loff, u64 len,
+ struct inode *dst, u64 dst_loff)
+ {
++ const u64 bs = BTRFS_I(src)->root->fs_info->sb->s_blocksize;
+ int ret;
+
+ /*
+@@ -3250,7 +3251,7 @@ static int btrfs_extent_same_range(struct inode *src, u64 loff, u64 len,
+ * source range to serialize with relocation.
+ */
+ btrfs_double_extent_lock(src, loff, dst, dst_loff, len);
+- ret = btrfs_clone(src, dst, loff, len, len, dst_loff, 1);
++ ret = btrfs_clone(src, dst, loff, len, ALIGN(len, bs), dst_loff, 1);
+ btrfs_double_extent_unlock(src, loff, dst, dst_loff, len);
+
+ return ret;
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 091e5bc8c7ea..a055b657cb85 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -1269,7 +1269,8 @@ static int __iterate_backrefs(u64 ino, u64 offset, u64 root, void *ctx_)
+ * destination of the stream.
+ */
+ if (ino == bctx->cur_objectid &&
+- offset >= bctx->sctx->cur_inode_next_write_offset)
++ offset + bctx->extent_len >
++ bctx->sctx->cur_inode_next_write_offset)
+ return 0;
+ }
+
+diff --git a/fs/btrfs/tests/btrfs-tests.c b/fs/btrfs/tests/btrfs-tests.c
+index a7aca4141788..fa3d49d8e503 100644
+--- a/fs/btrfs/tests/btrfs-tests.c
++++ b/fs/btrfs/tests/btrfs-tests.c
+@@ -121,7 +121,6 @@ struct btrfs_fs_info *btrfs_alloc_dummy_fs_info(u32 nodesize, u32 sectorsize)
+ spin_lock_init(&fs_info->qgroup_lock);
+ spin_lock_init(&fs_info->super_lock);
+ spin_lock_init(&fs_info->fs_roots_radix_lock);
+- spin_lock_init(&fs_info->tree_mod_seq_lock);
+ mutex_init(&fs_info->qgroup_ioctl_lock);
+ mutex_init(&fs_info->qgroup_rescan_lock);
+ rwlock_init(&fs_info->tree_mod_log_lock);
+diff --git a/fs/btrfs/tests/extent-io-tests.c b/fs/btrfs/tests/extent-io-tests.c
+index 123d9a614357..df7ce874a74b 100644
+--- a/fs/btrfs/tests/extent-io-tests.c
++++ b/fs/btrfs/tests/extent-io-tests.c
+@@ -441,8 +441,17 @@ static int test_find_first_clear_extent_bit(void)
+ int ret = -EINVAL;
+
+ test_msg("running find_first_clear_extent_bit test");
++
+ extent_io_tree_init(NULL, &tree, IO_TREE_SELFTEST, NULL);
+
++ /* Test correct handling of empty tree */
++ find_first_clear_extent_bit(&tree, 0, &start, &end, CHUNK_TRIMMED);
++ if (start != 0 || end != -1) {
++ test_err(
++ "error getting a range from completely empty tree: start %llu end %llu",
++ start, end);
++ goto out;
++ }
+ /*
+ * Set 1M-4M alloc/discard and 32M-64M thus leaving a hole between
+ * 4M-32M
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index cfc08ef9b876..33dcc88b428a 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -147,13 +147,14 @@ void btrfs_put_transaction(struct btrfs_transaction *transaction)
+ }
+ }
+
+-static noinline void switch_commit_roots(struct btrfs_transaction *trans)
++static noinline void switch_commit_roots(struct btrfs_trans_handle *trans)
+ {
++ struct btrfs_transaction *cur_trans = trans->transaction;
+ struct btrfs_fs_info *fs_info = trans->fs_info;
+ struct btrfs_root *root, *tmp;
+
+ down_write(&fs_info->commit_root_sem);
+- list_for_each_entry_safe(root, tmp, &trans->switch_commits,
++ list_for_each_entry_safe(root, tmp, &cur_trans->switch_commits,
+ dirty_list) {
+ list_del_init(&root->dirty_list);
+ free_extent_buffer(root->commit_root);
+@@ -165,16 +166,17 @@ static noinline void switch_commit_roots(struct btrfs_transaction *trans)
+ }
+
+ /* We can free old roots now. */
+- spin_lock(&trans->dropped_roots_lock);
+- while (!list_empty(&trans->dropped_roots)) {
+- root = list_first_entry(&trans->dropped_roots,
++ spin_lock(&cur_trans->dropped_roots_lock);
++ while (!list_empty(&cur_trans->dropped_roots)) {
++ root = list_first_entry(&cur_trans->dropped_roots,
+ struct btrfs_root, root_list);
+ list_del_init(&root->root_list);
+- spin_unlock(&trans->dropped_roots_lock);
++ spin_unlock(&cur_trans->dropped_roots_lock);
++ btrfs_free_log(trans, root);
+ btrfs_drop_and_free_fs_root(fs_info, root);
+- spin_lock(&trans->dropped_roots_lock);
++ spin_lock(&cur_trans->dropped_roots_lock);
+ }
+- spin_unlock(&trans->dropped_roots_lock);
++ spin_unlock(&cur_trans->dropped_roots_lock);
+ up_write(&fs_info->commit_root_sem);
+ }
+
+@@ -1421,7 +1423,7 @@ static int qgroup_account_snapshot(struct btrfs_trans_handle *trans,
+ ret = commit_cowonly_roots(trans);
+ if (ret)
+ goto out;
+- switch_commit_roots(trans->transaction);
++ switch_commit_roots(trans);
+ ret = btrfs_write_and_wait_transaction(trans);
+ if (ret)
+ btrfs_handle_fs_error(fs_info, ret,
+@@ -2013,6 +2015,14 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+
+ ASSERT(refcount_read(&trans->use_count) == 1);
+
++ /*
++ * Some places just start a transaction to commit it. We need to make
++ * sure that if this commit fails that the abort code actually marks the
++ * transaction as failed, so set trans->dirty to make the abort code do
++ * the right thing.
++ */
++ trans->dirty = true;
++
+ /* Stop the commit early if ->aborted is set */
+ if (unlikely(READ_ONCE(cur_trans->aborted))) {
+ ret = cur_trans->aborted;
+@@ -2301,7 +2311,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ list_add_tail(&fs_info->chunk_root->dirty_list,
+ &cur_trans->switch_commits);
+
+- switch_commit_roots(cur_trans);
++ switch_commit_roots(trans);
+
+ ASSERT(list_empty(&cur_trans->dirty_bgs));
+ ASSERT(list_empty(&cur_trans->io_bgs));
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index d3f115909ff0..f5bb59470957 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3935,7 +3935,7 @@ static int log_csums(struct btrfs_trans_handle *trans,
+ static noinline int copy_items(struct btrfs_trans_handle *trans,
+ struct btrfs_inode *inode,
+ struct btrfs_path *dst_path,
+- struct btrfs_path *src_path, u64 *last_extent,
++ struct btrfs_path *src_path,
+ int start_slot, int nr, int inode_only,
+ u64 logged_isize)
+ {
+@@ -3946,7 +3946,6 @@ static noinline int copy_items(struct btrfs_trans_handle *trans,
+ struct btrfs_file_extent_item *extent;
+ struct btrfs_inode_item *inode_item;
+ struct extent_buffer *src = src_path->nodes[0];
+- struct btrfs_key first_key, last_key, key;
+ int ret;
+ struct btrfs_key *ins_keys;
+ u32 *ins_sizes;
+@@ -3954,9 +3953,6 @@ static noinline int copy_items(struct btrfs_trans_handle *trans,
+ int i;
+ struct list_head ordered_sums;
+ int skip_csum = inode->flags & BTRFS_INODE_NODATASUM;
+- bool has_extents = false;
+- bool need_find_last_extent = true;
+- bool done = false;
+
+ INIT_LIST_HEAD(&ordered_sums);
+
+@@ -3965,8 +3961,6 @@ static noinline int copy_items(struct btrfs_trans_handle *trans,
+ if (!ins_data)
+ return -ENOMEM;
+
+- first_key.objectid = (u64)-1;
+-
+ ins_sizes = (u32 *)ins_data;
+ ins_keys = (struct btrfs_key *)(ins_data + nr * sizeof(u32));
+
+@@ -3987,9 +3981,6 @@ static noinline int copy_items(struct btrfs_trans_handle *trans,
+
+ src_offset = btrfs_item_ptr_offset(src, start_slot + i);
+
+- if (i == nr - 1)
+- last_key = ins_keys[i];
+-
+ if (ins_keys[i].type == BTRFS_INODE_ITEM_KEY) {
+ inode_item = btrfs_item_ptr(dst_path->nodes[0],
+ dst_path->slots[0],
+@@ -4003,20 +3994,6 @@ static noinline int copy_items(struct btrfs_trans_handle *trans,
+ src_offset, ins_sizes[i]);
+ }
+
+- /*
+- * We set need_find_last_extent here in case we know we were
+- * processing other items and then walk into the first extent in
+- * the inode. If we don't hit an extent then nothing changes,
+- * we'll do the last search the next time around.
+- */
+- if (ins_keys[i].type == BTRFS_EXTENT_DATA_KEY) {
+- has_extents = true;
+- if (first_key.objectid == (u64)-1)
+- first_key = ins_keys[i];
+- } else {
+- need_find_last_extent = false;
+- }
+-
+ /* take a reference on file data extents so that truncates
+ * or deletes of this inode don't have to relog the inode
+ * again
+@@ -4082,167 +4059,6 @@ static noinline int copy_items(struct btrfs_trans_handle *trans,
+ kfree(sums);
+ }
+
+- if (!has_extents)
+- return ret;
+-
+- if (need_find_last_extent && *last_extent == first_key.offset) {
+- /*
+- * We don't have any leafs between our current one and the one
+- * we processed before that can have file extent items for our
+- * inode (and have a generation number smaller than our current
+- * transaction id).
+- */
+- need_find_last_extent = false;
+- }
+-
+- /*
+- * Because we use btrfs_search_forward we could skip leaves that were
+- * not modified and then assume *last_extent is valid when it really
+- * isn't. So back up to the previous leaf and read the end of the last
+- * extent before we go and fill in holes.
+- */
+- if (need_find_last_extent) {
+- u64 len;
+-
+- ret = btrfs_prev_leaf(inode->root, src_path);
+- if (ret < 0)
+- return ret;
+- if (ret)
+- goto fill_holes;
+- if (src_path->slots[0])
+- src_path->slots[0]--;
+- src = src_path->nodes[0];
+- btrfs_item_key_to_cpu(src, &key, src_path->slots[0]);
+- if (key.objectid != btrfs_ino(inode) ||
+- key.type != BTRFS_EXTENT_DATA_KEY)
+- goto fill_holes;
+- extent = btrfs_item_ptr(src, src_path->slots[0],
+- struct btrfs_file_extent_item);
+- if (btrfs_file_extent_type(src, extent) ==
+- BTRFS_FILE_EXTENT_INLINE) {
+- len = btrfs_file_extent_ram_bytes(src, extent);
+- *last_extent = ALIGN(key.offset + len,
+- fs_info->sectorsize);
+- } else {
+- len = btrfs_file_extent_num_bytes(src, extent);
+- *last_extent = key.offset + len;
+- }
+- }
+-fill_holes:
+- /* So we did prev_leaf, now we need to move to the next leaf, but a few
+- * things could have happened
+- *
+- * 1) A merge could have happened, so we could currently be on a leaf
+- * that holds what we were copying in the first place.
+- * 2) A split could have happened, and now not all of the items we want
+- * are on the same leaf.
+- *
+- * So we need to adjust how we search for holes, we need to drop the
+- * path and re-search for the first extent key we found, and then walk
+- * forward until we hit the last one we copied.
+- */
+- if (need_find_last_extent) {
+- /* btrfs_prev_leaf could return 1 without releasing the path */
+- btrfs_release_path(src_path);
+- ret = btrfs_search_slot(NULL, inode->root, &first_key,
+- src_path, 0, 0);
+- if (ret < 0)
+- return ret;
+- ASSERT(ret == 0);
+- src = src_path->nodes[0];
+- i = src_path->slots[0];
+- } else {
+- i = start_slot;
+- }
+-
+- /*
+- * Ok so here we need to go through and fill in any holes we may have
+- * to make sure that holes are punched for those areas in case they had
+- * extents previously.
+- */
+- while (!done) {
+- u64 offset, len;
+- u64 extent_end;
+-
+- if (i >= btrfs_header_nritems(src_path->nodes[0])) {
+- ret = btrfs_next_leaf(inode->root, src_path);
+- if (ret < 0)
+- return ret;
+- ASSERT(ret == 0);
+- src = src_path->nodes[0];
+- i = 0;
+- need_find_last_extent = true;
+- }
+-
+- btrfs_item_key_to_cpu(src, &key, i);
+- if (!btrfs_comp_cpu_keys(&key, &last_key))
+- done = true;
+- if (key.objectid != btrfs_ino(inode) ||
+- key.type != BTRFS_EXTENT_DATA_KEY) {
+- i++;
+- continue;
+- }
+- extent = btrfs_item_ptr(src, i, struct btrfs_file_extent_item);
+- if (btrfs_file_extent_type(src, extent) ==
+- BTRFS_FILE_EXTENT_INLINE) {
+- len = btrfs_file_extent_ram_bytes(src, extent);
+- extent_end = ALIGN(key.offset + len,
+- fs_info->sectorsize);
+- } else {
+- len = btrfs_file_extent_num_bytes(src, extent);
+- extent_end = key.offset + len;
+- }
+- i++;
+-
+- if (*last_extent == key.offset) {
+- *last_extent = extent_end;
+- continue;
+- }
+- offset = *last_extent;
+- len = key.offset - *last_extent;
+- ret = btrfs_insert_file_extent(trans, log, btrfs_ino(inode),
+- offset, 0, 0, len, 0, len, 0, 0, 0);
+- if (ret)
+- break;
+- *last_extent = extent_end;
+- }
+-
+- /*
+- * Check if there is a hole between the last extent found in our leaf
+- * and the first extent in the next leaf. If there is one, we need to
+- * log an explicit hole so that at replay time we can punch the hole.
+- */
+- if (ret == 0 &&
+- key.objectid == btrfs_ino(inode) &&
+- key.type == BTRFS_EXTENT_DATA_KEY &&
+- i == btrfs_header_nritems(src_path->nodes[0])) {
+- ret = btrfs_next_leaf(inode->root, src_path);
+- need_find_last_extent = true;
+- if (ret > 0) {
+- ret = 0;
+- } else if (ret == 0) {
+- btrfs_item_key_to_cpu(src_path->nodes[0], &key,
+- src_path->slots[0]);
+- if (key.objectid == btrfs_ino(inode) &&
+- key.type == BTRFS_EXTENT_DATA_KEY &&
+- *last_extent < key.offset) {
+- const u64 len = key.offset - *last_extent;
+-
+- ret = btrfs_insert_file_extent(trans, log,
+- btrfs_ino(inode),
+- *last_extent, 0,
+- 0, len, 0, len,
+- 0, 0, 0);
+- *last_extent += len;
+- }
+- }
+- }
+- /*
+- * Need to let the callers know we dropped the path so they should
+- * re-search.
+- */
+- if (!ret && need_find_last_extent)
+- ret = 1;
+ return ret;
+ }
+
+@@ -4407,7 +4223,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
+ const u64 i_size = i_size_read(&inode->vfs_inode);
+ const u64 ino = btrfs_ino(inode);
+ struct btrfs_path *dst_path = NULL;
+- u64 last_extent = (u64)-1;
++ bool dropped_extents = false;
+ int ins_nr = 0;
+ int start_slot;
+ int ret;
+@@ -4429,8 +4245,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
+ if (slot >= btrfs_header_nritems(leaf)) {
+ if (ins_nr > 0) {
+ ret = copy_items(trans, inode, dst_path, path,
+- &last_extent, start_slot,
+- ins_nr, 1, 0);
++ start_slot, ins_nr, 1, 0);
+ if (ret < 0)
+ goto out;
+ ins_nr = 0;
+@@ -4454,8 +4269,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
+ path->slots[0]++;
+ continue;
+ }
+- if (last_extent == (u64)-1) {
+- last_extent = key.offset;
++ if (!dropped_extents) {
+ /*
+ * Avoid logging extent items logged in past fsync calls
+ * and leading to duplicate keys in the log tree.
+@@ -4469,6 +4283,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
+ } while (ret == -EAGAIN);
+ if (ret)
+ goto out;
++ dropped_extents = true;
+ }
+ if (ins_nr == 0)
+ start_slot = slot;
+@@ -4483,7 +4298,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
+ }
+ }
+ if (ins_nr > 0) {
+- ret = copy_items(trans, inode, dst_path, path, &last_extent,
++ ret = copy_items(trans, inode, dst_path, path,
+ start_slot, ins_nr, 1, 0);
+ if (ret > 0)
+ ret = 0;
+@@ -4670,13 +4485,8 @@ static int btrfs_log_all_xattrs(struct btrfs_trans_handle *trans,
+
+ if (slot >= nritems) {
+ if (ins_nr > 0) {
+- u64 last_extent = 0;
+-
+ ret = copy_items(trans, inode, dst_path, path,
+- &last_extent, start_slot,
+- ins_nr, 1, 0);
+- /* can't be 1, extent items aren't processed */
+- ASSERT(ret <= 0);
++ start_slot, ins_nr, 1, 0);
+ if (ret < 0)
+ return ret;
+ ins_nr = 0;
+@@ -4700,13 +4510,8 @@ static int btrfs_log_all_xattrs(struct btrfs_trans_handle *trans,
+ cond_resched();
+ }
+ if (ins_nr > 0) {
+- u64 last_extent = 0;
+-
+ ret = copy_items(trans, inode, dst_path, path,
+- &last_extent, start_slot,
+- ins_nr, 1, 0);
+- /* can't be 1, extent items aren't processed */
+- ASSERT(ret <= 0);
++ start_slot, ins_nr, 1, 0);
+ if (ret < 0)
+ return ret;
+ }
+@@ -4715,100 +4520,119 @@ static int btrfs_log_all_xattrs(struct btrfs_trans_handle *trans,
+ }
+
+ /*
+- * If the no holes feature is enabled we need to make sure any hole between the
+- * last extent and the i_size of our inode is explicitly marked in the log. This
+- * is to make sure that doing something like:
+- *
+- * 1) create file with 128Kb of data
+- * 2) truncate file to 64Kb
+- * 3) truncate file to 256Kb
+- * 4) fsync file
+- * 5) <crash/power failure>
+- * 6) mount fs and trigger log replay
+- *
+- * Will give us a file with a size of 256Kb, the first 64Kb of data match what
+- * the file had in its first 64Kb of data at step 1 and the last 192Kb of the
+- * file correspond to a hole. The presence of explicit holes in a log tree is
+- * what guarantees that log replay will remove/adjust file extent items in the
+- * fs/subvol tree.
+- *
+- * Here we do not need to care about holes between extents, that is already done
+- * by copy_items(). We also only need to do this in the full sync path, where we
+- * lookup for extents from the fs/subvol tree only. In the fast path case, we
+- * lookup the list of modified extent maps and if any represents a hole, we
+- * insert a corresponding extent representing a hole in the log tree.
++ * When using the NO_HOLES feature if we punched a hole that causes the
++ * deletion of entire leafs or all the extent items of the first leaf (the one
++ * that contains the inode item and references) we may end up not processing
++ * any extents, because there are no leafs with a generation matching the
++ * current transaction that have extent items for our inode. So we need to find
++ * if any holes exist and then log them. We also need to log holes after any
++ * truncate operation that changes the inode's size.
+ */
+-static int btrfs_log_trailing_hole(struct btrfs_trans_handle *trans,
+- struct btrfs_root *root,
+- struct btrfs_inode *inode,
+- struct btrfs_path *path)
++static int btrfs_log_holes(struct btrfs_trans_handle *trans,
++ struct btrfs_root *root,
++ struct btrfs_inode *inode,
++ struct btrfs_path *path)
+ {
+ struct btrfs_fs_info *fs_info = root->fs_info;
+- int ret;
+ struct btrfs_key key;
+- u64 hole_start;
+- u64 hole_size;
+- struct extent_buffer *leaf;
+- struct btrfs_root *log = root->log_root;
+ const u64 ino = btrfs_ino(inode);
+ const u64 i_size = i_size_read(&inode->vfs_inode);
++ u64 prev_extent_end = 0;
++ int ret;
+
+- if (!btrfs_fs_incompat(fs_info, NO_HOLES))
++ if (!btrfs_fs_incompat(fs_info, NO_HOLES) || i_size == 0)
+ return 0;
+
+ key.objectid = ino;
+ key.type = BTRFS_EXTENT_DATA_KEY;
+- key.offset = (u64)-1;
++ key.offset = 0;
+
+ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
+- ASSERT(ret != 0);
+ if (ret < 0)
+ return ret;
+
+- ASSERT(path->slots[0] > 0);
+- path->slots[0]--;
+- leaf = path->nodes[0];
+- btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
+-
+- if (key.objectid != ino || key.type != BTRFS_EXTENT_DATA_KEY) {
+- /* inode does not have any extents */
+- hole_start = 0;
+- hole_size = i_size;
+- } else {
++ while (true) {
+ struct btrfs_file_extent_item *extent;
++ struct extent_buffer *leaf = path->nodes[0];
+ u64 len;
+
+- /*
+- * If there's an extent beyond i_size, an explicit hole was
+- * already inserted by copy_items().
+- */
+- if (key.offset >= i_size)
+- return 0;
++ if (path->slots[0] >= btrfs_header_nritems(path->nodes[0])) {
++ ret = btrfs_next_leaf(root, path);
++ if (ret < 0)
++ return ret;
++ if (ret > 0) {
++ ret = 0;
++ break;
++ }
++ leaf = path->nodes[0];
++ }
++
++ btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
++ if (key.objectid != ino || key.type != BTRFS_EXTENT_DATA_KEY)
++ break;
++
++ /* We have a hole, log it. */
++ if (prev_extent_end < key.offset) {
++ const u64 hole_len = key.offset - prev_extent_end;
++
++ /*
++ * Release the path to avoid deadlocks with other code
++ * paths that search the root while holding locks on
++ * leafs from the log root.
++ */
++ btrfs_release_path(path);
++ ret = btrfs_insert_file_extent(trans, root->log_root,
++ ino, prev_extent_end, 0,
++ 0, hole_len, 0, hole_len,
++ 0, 0, 0);
++ if (ret < 0)
++ return ret;
++
++ /*
++ * Search for the same key again in the root. Since it's
++ * an extent item and we are holding the inode lock, the
++ * key must still exist. If it doesn't just emit warning
++ * and return an error to fall back to a transaction
++ * commit.
++ */
++ ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
++ if (ret < 0)
++ return ret;
++ if (WARN_ON(ret > 0))
++ return -ENOENT;
++ leaf = path->nodes[0];
++ }
+
+ extent = btrfs_item_ptr(leaf, path->slots[0],
+ struct btrfs_file_extent_item);
+-
+ if (btrfs_file_extent_type(leaf, extent) ==
+- BTRFS_FILE_EXTENT_INLINE)
+- return 0;
++ BTRFS_FILE_EXTENT_INLINE) {
++ len = btrfs_file_extent_ram_bytes(leaf, extent);
++ prev_extent_end = ALIGN(key.offset + len,
++ fs_info->sectorsize);
++ } else {
++ len = btrfs_file_extent_num_bytes(leaf, extent);
++ prev_extent_end = key.offset + len;
++ }
+
+- len = btrfs_file_extent_num_bytes(leaf, extent);
+- /* Last extent goes beyond i_size, no need to log a hole. */
+- if (key.offset + len > i_size)
+- return 0;
+- hole_start = key.offset + len;
+- hole_size = i_size - hole_start;
++ path->slots[0]++;
++ cond_resched();
+ }
+- btrfs_release_path(path);
+
+- /* Last extent ends at i_size. */
+- if (hole_size == 0)
+- return 0;
++ if (prev_extent_end < i_size) {
++ u64 hole_len;
+
+- hole_size = ALIGN(hole_size, fs_info->sectorsize);
+- ret = btrfs_insert_file_extent(trans, log, ino, hole_start, 0, 0,
+- hole_size, 0, hole_size, 0, 0, 0);
+- return ret;
++ btrfs_release_path(path);
++ hole_len = ALIGN(i_size - prev_extent_end, fs_info->sectorsize);
++ ret = btrfs_insert_file_extent(trans, root->log_root,
++ ino, prev_extent_end, 0, 0,
++ hole_len, 0, hole_len,
++ 0, 0, 0);
++ if (ret < 0)
++ return ret;
++ }
++
++ return 0;
+ }
+
+ /*
+@@ -5011,6 +4835,50 @@ static int log_conflicting_inodes(struct btrfs_trans_handle *trans,
+ }
+ continue;
+ }
++ /*
++ * If the inode was already logged skip it - otherwise we can
++ * hit an infinite loop. Example:
++ *
++ * From the commit root (previous transaction) we have the
++ * following inodes:
++ *
++ * inode 257 a directory
++ * inode 258 with references "zz" and "zz_link" on inode 257
++ * inode 259 with reference "a" on inode 257
++ *
++ * And in the current (uncommitted) transaction we have:
++ *
++ * inode 257 a directory, unchanged
++ * inode 258 with references "a" and "a2" on inode 257
++ * inode 259 with reference "zz_link" on inode 257
++ * inode 261 with reference "zz" on inode 257
++ *
++ * When logging inode 261 the following infinite loop could
++ * happen if we don't skip already logged inodes:
++ *
++ * - we detect inode 258 as a conflicting inode, with inode 261
++ * on reference "zz", and log it;
++ *
++ * - we detect inode 259 as a conflicting inode, with inode 258
++ * on reference "a", and log it;
++ *
++ * - we detect inode 258 as a conflicting inode, with inode 259
++ * on reference "zz_link", and log it - again! After this we
++ * repeat the above steps forever.
++ */
++ spin_lock(&BTRFS_I(inode)->lock);
++ /*
++ * Check the inode's logged_trans only instead of
++ * btrfs_inode_in_log(). This is because the last_log_commit of
++ * the inode is not updated when we only log that it exists and
++ * and it has the full sync bit set (see btrfs_log_inode()).
++ */
++ if (BTRFS_I(inode)->logged_trans == trans->transid) {
++ spin_unlock(&BTRFS_I(inode)->lock);
++ btrfs_add_delayed_iput(inode);
++ continue;
++ }
++ spin_unlock(&BTRFS_I(inode)->lock);
+ /*
+ * We are safe logging the other inode without acquiring its
+ * lock as long as we log with the LOG_INODE_EXISTS mode. We
+@@ -5110,7 +4978,6 @@ static int btrfs_log_inode(struct btrfs_trans_handle *trans,
+ struct btrfs_key min_key;
+ struct btrfs_key max_key;
+ struct btrfs_root *log = root->log_root;
+- u64 last_extent = 0;
+ int err = 0;
+ int ret;
+ int nritems;
+@@ -5288,7 +5155,7 @@ again:
+ ins_start_slot = path->slots[0];
+ }
+ ret = copy_items(trans, inode, dst_path, path,
+- &last_extent, ins_start_slot,
++ ins_start_slot,
+ ins_nr, inode_only,
+ logged_isize);
+ if (ret < 0) {
+@@ -5311,17 +5178,13 @@ again:
+ if (ins_nr == 0)
+ goto next_slot;
+ ret = copy_items(trans, inode, dst_path, path,
+- &last_extent, ins_start_slot,
++ ins_start_slot,
+ ins_nr, inode_only, logged_isize);
+ if (ret < 0) {
+ err = ret;
+ goto out_unlock;
+ }
+ ins_nr = 0;
+- if (ret) {
+- btrfs_release_path(path);
+- continue;
+- }
+ goto next_slot;
+ }
+
+@@ -5334,18 +5197,13 @@ again:
+ goto next_slot;
+ }
+
+- ret = copy_items(trans, inode, dst_path, path, &last_extent,
++ ret = copy_items(trans, inode, dst_path, path,
+ ins_start_slot, ins_nr, inode_only,
+ logged_isize);
+ if (ret < 0) {
+ err = ret;
+ goto out_unlock;
+ }
+- if (ret) {
+- ins_nr = 0;
+- btrfs_release_path(path);
+- continue;
+- }
+ ins_nr = 1;
+ ins_start_slot = path->slots[0];
+ next_slot:
+@@ -5359,13 +5217,12 @@ next_slot:
+ }
+ if (ins_nr) {
+ ret = copy_items(trans, inode, dst_path, path,
+- &last_extent, ins_start_slot,
++ ins_start_slot,
+ ins_nr, inode_only, logged_isize);
+ if (ret < 0) {
+ err = ret;
+ goto out_unlock;
+ }
+- ret = 0;
+ ins_nr = 0;
+ }
+ btrfs_release_path(path);
+@@ -5380,14 +5237,13 @@ next_key:
+ }
+ }
+ if (ins_nr) {
+- ret = copy_items(trans, inode, dst_path, path, &last_extent,
++ ret = copy_items(trans, inode, dst_path, path,
+ ins_start_slot, ins_nr, inode_only,
+ logged_isize);
+ if (ret < 0) {
+ err = ret;
+ goto out_unlock;
+ }
+- ret = 0;
+ ins_nr = 0;
+ }
+
+@@ -5400,7 +5256,7 @@ next_key:
+ if (max_key.type >= BTRFS_EXTENT_DATA_KEY && !fast_search) {
+ btrfs_release_path(path);
+ btrfs_release_path(dst_path);
+- err = btrfs_log_trailing_hole(trans, root, inode, path);
++ err = btrfs_log_holes(trans, root, inode, path);
+ if (err)
+ goto out_unlock;
+ }
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 9b78e720c697..72ff80f7f24c 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -697,17 +697,28 @@ static struct btrfs_fs_devices *find_fsid_changed(
+ /*
+ * Handles the case where scanned device is part of an fs that had
+ * multiple successful changes of FSID but curently device didn't
+- * observe it. Meaning our fsid will be different than theirs.
++ * observe it. Meaning our fsid will be different than theirs. We need
++ * to handle two subcases :
++ * 1 - The fs still continues to have different METADATA/FSID uuids.
++ * 2 - The fs is switched back to its original FSID (METADATA/FSID
++ * are equal).
+ */
+ list_for_each_entry(fs_devices, &fs_uuids, fs_list) {
++ /* Changed UUIDs */
+ if (memcmp(fs_devices->metadata_uuid, fs_devices->fsid,
+ BTRFS_FSID_SIZE) != 0 &&
+ memcmp(fs_devices->metadata_uuid, disk_super->metadata_uuid,
+ BTRFS_FSID_SIZE) == 0 &&
+ memcmp(fs_devices->fsid, disk_super->fsid,
+- BTRFS_FSID_SIZE) != 0) {
++ BTRFS_FSID_SIZE) != 0)
++ return fs_devices;
++
++ /* Unchanged UUIDs */
++ if (memcmp(fs_devices->metadata_uuid, fs_devices->fsid,
++ BTRFS_FSID_SIZE) == 0 &&
++ memcmp(fs_devices->fsid, disk_super->metadata_uuid,
++ BTRFS_FSID_SIZE) == 0)
+ return fs_devices;
+- }
+ }
+
+ return NULL;
+diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
+index 96ae72b556ac..fb41e51dd574 100644
+--- a/fs/cifs/cifsacl.c
++++ b/fs/cifs/cifsacl.c
+@@ -802,6 +802,26 @@ static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
+ return;
+ }
+
++unsigned int setup_authusers_ACE(struct cifs_ace *pntace)
++{
++ int i;
++ unsigned int ace_size = 20;
++
++ pntace->type = ACCESS_ALLOWED_ACE_TYPE;
++ pntace->flags = 0x0;
++ pntace->access_req = cpu_to_le32(GENERIC_ALL);
++ pntace->sid.num_subauth = 1;
++ pntace->sid.revision = 1;
++ for (i = 0; i < NUM_AUTHS; i++)
++ pntace->sid.authority[i] = sid_authusers.authority[i];
++
++ pntace->sid.sub_auth[0] = sid_authusers.sub_auth[0];
++
++ /* size = 1 + 1 + 2 + 4 + 1 + 1 + 6 + (psid->num_subauth*4) */
++ pntace->size = cpu_to_le16(ace_size);
++ return ace_size;
++}
++
+ /*
+ * Fill in the special SID based on the mode. See
+ * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
+diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
+index 9c229408a251..d6100299458a 100644
+--- a/fs/cifs/cifsproto.h
++++ b/fs/cifs/cifsproto.h
+@@ -213,6 +213,7 @@ extern struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *,
+ const struct cifs_fid *, u32 *);
+ extern int set_cifs_acl(struct cifs_ntsd *, __u32, struct inode *,
+ const char *, int);
++extern unsigned int setup_authusers_ACE(struct cifs_ace *pace);
+ extern unsigned int setup_special_mode_ACE(struct cifs_ace *pace, __u64 nmode);
+
+ extern void dequeue_mid(struct mid_q_entry *mid, bool malformed);
+diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
+index d17587c2c4ab..ba9dadf3be24 100644
+--- a/fs/cifs/readdir.c
++++ b/fs/cifs/readdir.c
+@@ -196,7 +196,8 @@ cifs_fill_common_info(struct cifs_fattr *fattr, struct cifs_sb_info *cifs_sb)
+ * may look wrong since the inodes may not have timed out by the time
+ * "ls" does a stat() call on them.
+ */
+- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_CIFS_ACL)
++ if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_CIFS_ACL) ||
++ (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MODE_FROM_SID))
+ fattr->cf_flags |= CIFS_FATTR_NEED_REVAL;
+
+ if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL &&
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index de254369c554..0a3b37abc5e1 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -350,9 +350,14 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
+ }
+
+ rc = cifs_negotiate_protocol(0, tcon->ses);
+- if (!rc && tcon->ses->need_reconnect)
++ if (!rc && tcon->ses->need_reconnect) {
+ rc = cifs_setup_session(0, tcon->ses, nls_codepage);
+-
++ if ((rc == -EACCES) && !tcon->retry) {
++ rc = -EHOSTDOWN;
++ mutex_unlock(&tcon->ses->session_mutex);
++ goto failed;
++ }
++ }
+ if (rc || !tcon->need_reconnect) {
+ mutex_unlock(&tcon->ses->session_mutex);
+ goto out;
+@@ -397,6 +402,7 @@ out:
+ case SMB2_SET_INFO:
+ rc = -EAGAIN;
+ }
++failed:
+ unload_nls(nls_codepage);
+ return rc;
+ }
+@@ -2199,13 +2205,14 @@ create_sd_buf(umode_t mode, unsigned int *len)
+ struct cifs_ace *pace;
+ unsigned int sdlen, acelen;
+
+- *len = roundup(sizeof(struct crt_sd_ctxt) + sizeof(struct cifs_ace), 8);
++ *len = roundup(sizeof(struct crt_sd_ctxt) + sizeof(struct cifs_ace) * 2,
++ 8);
+ buf = kzalloc(*len, GFP_KERNEL);
+ if (buf == NULL)
+ return buf;
+
+ sdlen = sizeof(struct smb3_sd) + sizeof(struct smb3_acl) +
+- sizeof(struct cifs_ace);
++ 2 * sizeof(struct cifs_ace);
+
+ buf->ccontext.DataOffset = cpu_to_le16(offsetof
+ (struct crt_sd_ctxt, sd));
+@@ -2232,8 +2239,12 @@ create_sd_buf(umode_t mode, unsigned int *len)
+ /* create one ACE to hold the mode embedded in reserved special SID */
+ pace = (struct cifs_ace *)(sizeof(struct crt_sd_ctxt) + (char *)buf);
+ acelen = setup_special_mode_ACE(pace, (__u64)mode);
++ /* and one more ACE to allow access for authenticated users */
++ pace = (struct cifs_ace *)(acelen + (sizeof(struct crt_sd_ctxt) +
++ (char *)buf));
++ acelen += setup_authusers_ACE(pace);
+ buf->acl.AclSize = cpu_to_le16(sizeof(struct cifs_acl) + acelen);
+- buf->acl.AceCount = cpu_to_le16(1);
++ buf->acl.AceCount = cpu_to_le16(2);
+ return buf;
+ }
+
+diff --git a/fs/configfs/inode.c b/fs/configfs/inode.c
+index 680aba9c00d5..fd0b5dd68f9e 100644
+--- a/fs/configfs/inode.c
++++ b/fs/configfs/inode.c
+@@ -76,14 +76,11 @@ int configfs_setattr(struct dentry * dentry, struct iattr * iattr)
+ if (ia_valid & ATTR_GID)
+ sd_iattr->ia_gid = iattr->ia_gid;
+ if (ia_valid & ATTR_ATIME)
+- sd_iattr->ia_atime = timestamp_truncate(iattr->ia_atime,
+- inode);
++ sd_iattr->ia_atime = iattr->ia_atime;
+ if (ia_valid & ATTR_MTIME)
+- sd_iattr->ia_mtime = timestamp_truncate(iattr->ia_mtime,
+- inode);
++ sd_iattr->ia_mtime = iattr->ia_mtime;
+ if (ia_valid & ATTR_CTIME)
+- sd_iattr->ia_ctime = timestamp_truncate(iattr->ia_ctime,
+- inode);
++ sd_iattr->ia_ctime = iattr->ia_ctime;
+ if (ia_valid & ATTR_MODE) {
+ umode_t mode = iattr->ia_mode;
+
+diff --git a/fs/crypto/keyring.c b/fs/crypto/keyring.c
+index 40cca351273f..f09cb4cfae4d 100644
+--- a/fs/crypto/keyring.c
++++ b/fs/crypto/keyring.c
+@@ -666,9 +666,6 @@ static int check_for_busy_inodes(struct super_block *sb,
+ struct list_head *pos;
+ size_t busy_count = 0;
+ unsigned long ino;
+- struct dentry *dentry;
+- char _path[256];
+- char *path = NULL;
+
+ spin_lock(&mk->mk_decrypted_inodes_lock);
+
+@@ -687,22 +684,14 @@ static int check_for_busy_inodes(struct super_block *sb,
+ struct fscrypt_info,
+ ci_master_key_link)->ci_inode;
+ ino = inode->i_ino;
+- dentry = d_find_alias(inode);
+ }
+ spin_unlock(&mk->mk_decrypted_inodes_lock);
+
+- if (dentry) {
+- path = dentry_path(dentry, _path, sizeof(_path));
+- dput(dentry);
+- }
+- if (IS_ERR_OR_NULL(path))
+- path = "(unknown)";
+-
+ fscrypt_warn(NULL,
+- "%s: %zu inode(s) still busy after removing key with %s %*phN, including ino %lu (%s)",
++ "%s: %zu inode(s) still busy after removing key with %s %*phN, including ino %lu",
+ sb->s_id, busy_count, master_key_spec_type(&mk->mk_spec),
+ master_key_spec_len(&mk->mk_spec), (u8 *)&mk->mk_spec.u,
+- ino, path);
++ ino);
+ return -EBUSY;
+ }
+
+diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c
+index 2890a67a1ded..5779a15c2cd6 100644
+--- a/fs/erofs/decompressor.c
++++ b/fs/erofs/decompressor.c
+@@ -306,24 +306,22 @@ static int z_erofs_shifted_transform(const struct z_erofs_decompress_req *rq,
+ }
+
+ src = kmap_atomic(*rq->in);
+- if (!rq->out[0]) {
+- dst = NULL;
+- } else {
++ if (rq->out[0]) {
+ dst = kmap_atomic(rq->out[0]);
+ memcpy(dst + rq->pageofs_out, src, righthalf);
++ kunmap_atomic(dst);
+ }
+
+- if (rq->out[1] == *rq->in) {
+- memmove(src, src + righthalf, rq->pageofs_out);
+- } else if (nrpages_out == 2) {
+- if (dst)
+- kunmap_atomic(dst);
++ if (nrpages_out == 2) {
+ DBG_BUGON(!rq->out[1]);
+- dst = kmap_atomic(rq->out[1]);
+- memcpy(dst, src + righthalf, rq->pageofs_out);
++ if (rq->out[1] == *rq->in) {
++ memmove(src, src + righthalf, rq->pageofs_out);
++ } else {
++ dst = kmap_atomic(rq->out[1]);
++ memcpy(dst, src + righthalf, rq->pageofs_out);
++ kunmap_atomic(dst);
++ }
+ }
+- if (dst)
+- kunmap_atomic(dst);
+ kunmap_atomic(src);
+ return 0;
+ }
+diff --git a/fs/eventfd.c b/fs/eventfd.c
+index 8aa0ea8c55e8..78e41c7c3d05 100644
+--- a/fs/eventfd.c
++++ b/fs/eventfd.c
+@@ -24,6 +24,8 @@
+ #include <linux/seq_file.h>
+ #include <linux/idr.h>
+
++DEFINE_PER_CPU(int, eventfd_wake_count);
++
+ static DEFINE_IDA(eventfd_ida);
+
+ struct eventfd_ctx {
+@@ -60,12 +62,25 @@ __u64 eventfd_signal(struct eventfd_ctx *ctx, __u64 n)
+ {
+ unsigned long flags;
+
++ /*
++ * Deadlock or stack overflow issues can happen if we recurse here
++ * through waitqueue wakeup handlers. If the caller users potentially
++ * nested waitqueues with custom wakeup handlers, then it should
++ * check eventfd_signal_count() before calling this function. If
++ * it returns true, the eventfd_signal() call should be deferred to a
++ * safe context.
++ */
++ if (WARN_ON_ONCE(this_cpu_read(eventfd_wake_count)))
++ return 0;
++
+ spin_lock_irqsave(&ctx->wqh.lock, flags);
++ this_cpu_inc(eventfd_wake_count);
+ if (ULLONG_MAX - ctx->count < n)
+ n = ULLONG_MAX - ctx->count;
+ ctx->count += n;
+ if (waitqueue_active(&ctx->wqh))
+ wake_up_locked_poll(&ctx->wqh, EPOLLIN);
++ this_cpu_dec(eventfd_wake_count);
+ spin_unlock_irqrestore(&ctx->wqh.lock, flags);
+
+ return n;
+diff --git a/fs/ext2/super.c b/fs/ext2/super.c
+index bcffe25da2f0..0e76db275e23 100644
+--- a/fs/ext2/super.c
++++ b/fs/ext2/super.c
+@@ -1073,9 +1073,9 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
+
+ if (EXT2_BLOCKS_PER_GROUP(sb) == 0)
+ goto cantfind_ext2;
+- sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) -
+- le32_to_cpu(es->s_first_data_block) - 1)
+- / EXT2_BLOCKS_PER_GROUP(sb)) + 1;
++ sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) -
++ le32_to_cpu(es->s_first_data_block) - 1)
++ / EXT2_BLOCKS_PER_GROUP(sb)) + 1;
+ db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) /
+ EXT2_DESC_PER_BLOCK(sb);
+ sbi->s_group_desc = kmalloc_array (db_count,
+diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c
+index 9f00fc0bf21d..060f8a6a5da9 100644
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -672,9 +672,11 @@ static int ext4_d_compare(const struct dentry *dentry, unsigned int len,
+ const char *str, const struct qstr *name)
+ {
+ struct qstr qstr = {.name = str, .len = len };
+- struct inode *inode = dentry->d_parent->d_inode;
++ const struct dentry *parent = READ_ONCE(dentry->d_parent);
++ const struct inode *inode = READ_ONCE(parent->d_inode);
+
+- if (!IS_CASEFOLDED(inode) || !EXT4_SB(inode->i_sb)->s_encoding) {
++ if (!inode || !IS_CASEFOLDED(inode) ||
++ !EXT4_SB(inode->i_sb)->s_encoding) {
+ if (len != name->len)
+ return -1;
+ return memcmp(str, name->name, len);
+@@ -687,10 +689,11 @@ static int ext4_d_hash(const struct dentry *dentry, struct qstr *str)
+ {
+ const struct ext4_sb_info *sbi = EXT4_SB(dentry->d_sb);
+ const struct unicode_map *um = sbi->s_encoding;
++ const struct inode *inode = READ_ONCE(dentry->d_inode);
+ unsigned char *norm;
+ int len, ret = 0;
+
+- if (!IS_CASEFOLDED(dentry->d_inode) || !um)
++ if (!inode || !IS_CASEFOLDED(inode) || !um)
+ return 0;
+
+ norm = kmalloc(PATH_MAX, GFP_ATOMIC);
+diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
+index 24aeedb8fc75..68b39e75446a 100644
+--- a/fs/ext4/page-io.c
++++ b/fs/ext4/page-io.c
+@@ -512,17 +512,26 @@ int ext4_bio_write_page(struct ext4_io_submit *io,
+ gfp_t gfp_flags = GFP_NOFS;
+ unsigned int enc_bytes = round_up(len, i_blocksize(inode));
+
++ /*
++ * Since bounce page allocation uses a mempool, we can only use
++ * a waiting mask (i.e. request guaranteed allocation) on the
++ * first page of the bio. Otherwise it can deadlock.
++ */
++ if (io->io_bio)
++ gfp_flags = GFP_NOWAIT | __GFP_NOWARN;
+ retry_encrypt:
+ bounce_page = fscrypt_encrypt_pagecache_blocks(page, enc_bytes,
+ 0, gfp_flags);
+ if (IS_ERR(bounce_page)) {
+ ret = PTR_ERR(bounce_page);
+- if (ret == -ENOMEM && wbc->sync_mode == WB_SYNC_ALL) {
+- if (io->io_bio) {
++ if (ret == -ENOMEM &&
++ (io->io_bio || wbc->sync_mode == WB_SYNC_ALL)) {
++ gfp_flags = GFP_NOFS;
++ if (io->io_bio)
+ ext4_io_submit(io);
+- congestion_wait(BLK_RW_ASYNC, HZ/50);
+- }
+- gfp_flags |= __GFP_NOFAIL;
++ else
++ gfp_flags |= __GFP_NOFAIL;
++ congestion_wait(BLK_RW_ASYNC, HZ/50);
+ goto retry_encrypt;
+ }
+
+diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c
+index c967cacf979e..93b6572cc6bd 100644
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -1069,24 +1069,27 @@ static int f2fs_d_compare(const struct dentry *dentry, unsigned int len,
+ const char *str, const struct qstr *name)
+ {
+ struct qstr qstr = {.name = str, .len = len };
++ const struct dentry *parent = READ_ONCE(dentry->d_parent);
++ const struct inode *inode = READ_ONCE(parent->d_inode);
+
+- if (!IS_CASEFOLDED(dentry->d_parent->d_inode)) {
++ if (!inode || !IS_CASEFOLDED(inode)) {
+ if (len != name->len)
+ return -1;
+- return memcmp(str, name, len);
++ return memcmp(str, name->name, len);
+ }
+
+- return f2fs_ci_compare(dentry->d_parent->d_inode, name, &qstr, false);
++ return f2fs_ci_compare(inode, name, &qstr, false);
+ }
+
+ static int f2fs_d_hash(const struct dentry *dentry, struct qstr *str)
+ {
+ struct f2fs_sb_info *sbi = F2FS_SB(dentry->d_sb);
+ const struct unicode_map *um = sbi->s_encoding;
++ const struct inode *inode = READ_ONCE(dentry->d_inode);
+ unsigned char *norm;
+ int len, ret = 0;
+
+- if (!IS_CASEFOLDED(dentry->d_inode))
++ if (!inode || !IS_CASEFOLDED(inode))
+ return 0;
+
+ norm = f2fs_kmalloc(sbi, PATH_MAX, GFP_ATOMIC);
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 85af112e868d..13aef5f28fa8 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -754,18 +754,12 @@ static void __setattr_copy(struct inode *inode, const struct iattr *attr)
+ inode->i_uid = attr->ia_uid;
+ if (ia_valid & ATTR_GID)
+ inode->i_gid = attr->ia_gid;
+- if (ia_valid & ATTR_ATIME) {
+- inode->i_atime = timestamp_truncate(attr->ia_atime,
+- inode);
+- }
+- if (ia_valid & ATTR_MTIME) {
+- inode->i_mtime = timestamp_truncate(attr->ia_mtime,
+- inode);
+- }
+- if (ia_valid & ATTR_CTIME) {
+- inode->i_ctime = timestamp_truncate(attr->ia_ctime,
+- inode);
+- }
++ if (ia_valid & ATTR_ATIME)
++ inode->i_atime = attr->ia_atime;
++ if (ia_valid & ATTR_MTIME)
++ inode->i_mtime = attr->ia_mtime;
++ if (ia_valid & ATTR_CTIME)
++ inode->i_ctime = attr->ia_ctime;
+ if (ia_valid & ATTR_MODE) {
+ umode_t mode = attr->ia_mode;
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 5111e1ffe58a..ac01c3f8863d 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1213,12 +1213,10 @@ static int f2fs_statfs_project(struct super_block *sb,
+ return PTR_ERR(dquot);
+ spin_lock(&dquot->dq_dqb_lock);
+
+- limit = 0;
+- if (dquot->dq_dqb.dqb_bsoftlimit)
+- limit = dquot->dq_dqb.dqb_bsoftlimit;
+- if (dquot->dq_dqb.dqb_bhardlimit &&
+- (!limit || dquot->dq_dqb.dqb_bhardlimit < limit))
+- limit = dquot->dq_dqb.dqb_bhardlimit;
++ limit = min_not_zero(dquot->dq_dqb.dqb_bsoftlimit,
++ dquot->dq_dqb.dqb_bhardlimit);
++ if (limit)
++ limit >>= sb->s_blocksize_bits;
+
+ if (limit && buf->f_blocks > limit) {
+ curblock = dquot->dq_dqb.dqb_curspace >> sb->s_blocksize_bits;
+@@ -1228,12 +1226,8 @@ static int f2fs_statfs_project(struct super_block *sb,
+ (buf->f_blocks - curblock) : 0;
+ }
+
+- limit = 0;
+- if (dquot->dq_dqb.dqb_isoftlimit)
+- limit = dquot->dq_dqb.dqb_isoftlimit;
+- if (dquot->dq_dqb.dqb_ihardlimit &&
+- (!limit || dquot->dq_dqb.dqb_ihardlimit < limit))
+- limit = dquot->dq_dqb.dqb_ihardlimit;
++ limit = min_not_zero(dquot->dq_dqb.dqb_isoftlimit,
++ dquot->dq_dqb.dqb_ihardlimit);
+
+ if (limit && buf->f_files > limit) {
+ buf->f_files = limit;
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 335607b8c5c0..76ac9c7d32ec 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -2063,7 +2063,7 @@ void wb_workfn(struct work_struct *work)
+ struct bdi_writeback, dwork);
+ long pages_written;
+
+- set_worker_desc("flush-%s", dev_name(wb->bdi->dev));
++ set_worker_desc("flush-%s", bdi_dev_name(wb->bdi));
+ current->flags |= PF_SWAPWRITE;
+
+ if (likely(!current_is_workqueue_rescuer() ||
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index ce715380143c..695369f46f92 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1465,6 +1465,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
+ }
+ ia = NULL;
+ if (nres < 0) {
++ iov_iter_revert(iter, nbytes);
+ err = nres;
+ break;
+ }
+@@ -1473,8 +1474,10 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
+ count -= nres;
+ res += nres;
+ pos += nres;
+- if (nres != nbytes)
++ if (nres != nbytes) {
++ iov_iter_revert(iter, nbytes - nres);
+ break;
++ }
+ if (count) {
+ max_pages = iov_iter_npages(iter, fc->max_pages);
+ ia = fuse_io_alloc(io, max_pages);
+diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
+index 9d58295ccf7a..cb26be6f4351 100644
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -847,7 +847,7 @@ static ssize_t gfs2_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ struct file *file = iocb->ki_filp;
+ struct inode *inode = file_inode(file);
+ struct gfs2_inode *ip = GFS2_I(inode);
+- ssize_t written = 0, ret;
++ ssize_t ret;
+
+ ret = gfs2_rsqa_alloc(ip);
+ if (ret)
+@@ -867,68 +867,58 @@ static ssize_t gfs2_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ inode_lock(inode);
+ ret = generic_write_checks(iocb, from);
+ if (ret <= 0)
+- goto out;
+-
+- /* We can write back this queue in page reclaim */
+- current->backing_dev_info = inode_to_bdi(inode);
++ goto out_unlock;
+
+ ret = file_remove_privs(file);
+ if (ret)
+- goto out2;
++ goto out_unlock;
+
+ ret = file_update_time(file);
+ if (ret)
+- goto out2;
++ goto out_unlock;
+
+ if (iocb->ki_flags & IOCB_DIRECT) {
+ struct address_space *mapping = file->f_mapping;
+- loff_t pos, endbyte;
+- ssize_t buffered;
++ ssize_t buffered, ret2;
+
+- written = gfs2_file_direct_write(iocb, from);
+- if (written < 0 || !iov_iter_count(from))
+- goto out2;
++ ret = gfs2_file_direct_write(iocb, from);
++ if (ret < 0 || !iov_iter_count(from))
++ goto out_unlock;
+
+- ret = iomap_file_buffered_write(iocb, from, &gfs2_iomap_ops);
+- if (unlikely(ret < 0))
+- goto out2;
+- buffered = ret;
++ iocb->ki_flags |= IOCB_DSYNC;
++ current->backing_dev_info = inode_to_bdi(inode);
++ buffered = iomap_file_buffered_write(iocb, from, &gfs2_iomap_ops);
++ current->backing_dev_info = NULL;
++ if (unlikely(buffered <= 0))
++ goto out_unlock;
+
+ /*
+ * We need to ensure that the page cache pages are written to
+ * disk and invalidated to preserve the expected O_DIRECT
+- * semantics.
++ * semantics. If the writeback or invalidate fails, only report
++ * the direct I/O range as we don't know if the buffered pages
++ * made it to disk.
+ */
+- pos = iocb->ki_pos;
+- endbyte = pos + buffered - 1;
+- ret = filemap_write_and_wait_range(mapping, pos, endbyte);
+- if (!ret) {
+- iocb->ki_pos += buffered;
+- written += buffered;
+- invalidate_mapping_pages(mapping,
+- pos >> PAGE_SHIFT,
+- endbyte >> PAGE_SHIFT);
+- } else {
+- /*
+- * We don't know how much we wrote, so just return
+- * the number of bytes which were direct-written
+- */
+- }
++ iocb->ki_pos += buffered;
++ ret2 = generic_write_sync(iocb, buffered);
++ invalidate_mapping_pages(mapping,
++ (iocb->ki_pos - buffered) >> PAGE_SHIFT,
++ (iocb->ki_pos - 1) >> PAGE_SHIFT);
++ if (!ret || ret2 > 0)
++ ret += ret2;
+ } else {
++ current->backing_dev_info = inode_to_bdi(inode);
+ ret = iomap_file_buffered_write(iocb, from, &gfs2_iomap_ops);
+- if (likely(ret > 0))
++ current->backing_dev_info = NULL;
++ if (likely(ret > 0)) {
+ iocb->ki_pos += ret;
++ ret = generic_write_sync(iocb, ret);
++ }
+ }
+
+-out2:
+- current->backing_dev_info = NULL;
+-out:
++out_unlock:
+ inode_unlock(inode);
+- if (likely(ret > 0)) {
+- /* Handle various SYNC-type writes */
+- ret = generic_write_sync(iocb, ret);
+- }
+- return written ? written : ret;
++ return ret;
+ }
+
+ static int fallocate_chunk(struct inode *inode, loff_t offset, loff_t len,
+diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
+index aa0359b7e2ac..b5cf50719006 100644
+--- a/fs/gfs2/lops.c
++++ b/fs/gfs2/lops.c
+@@ -422,7 +422,7 @@ static bool gfs2_jhead_pg_srch(struct gfs2_jdesc *jd,
+
+ for (offset = 0; offset < PAGE_SIZE; offset += sdp->sd_sb.sb_bsize) {
+ if (!__get_log_header(sdp, kaddr + offset, 0, &lh)) {
+- if (lh.lh_sequence > head->lh_sequence)
++ if (lh.lh_sequence >= head->lh_sequence)
+ *head = lh;
+ else {
+ ret = true;
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index e54556b0fcc6..f470fb21467e 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -188,6 +188,7 @@ struct io_ring_ctx {
+ bool account_mem;
+ bool cq_overflow_flushed;
+ bool drain_next;
++ bool eventfd_async;
+
+ /*
+ * Ring buffer of indices into array of io_uring_sqe, which is
+@@ -735,16 +736,30 @@ static struct io_uring_cqe *io_get_cqring(struct io_ring_ctx *ctx)
+ return &rings->cqes[tail & ctx->cq_mask];
+ }
+
+-static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
++static inline bool io_should_trigger_evfd(struct io_ring_ctx *ctx)
++{
++ if (!ctx->cq_ev_fd)
++ return false;
++ if (!ctx->eventfd_async)
++ return true;
++ return io_wq_current_is_worker() || in_interrupt();
++}
++
++static void __io_cqring_ev_posted(struct io_ring_ctx *ctx, bool trigger_ev)
+ {
+ if (waitqueue_active(&ctx->wait))
+ wake_up(&ctx->wait);
+ if (waitqueue_active(&ctx->sqo_wait))
+ wake_up(&ctx->sqo_wait);
+- if (ctx->cq_ev_fd)
++ if (trigger_ev)
+ eventfd_signal(ctx->cq_ev_fd, 1);
+ }
+
++static void io_cqring_ev_posted(struct io_ring_ctx *ctx)
++{
++ __io_cqring_ev_posted(ctx, io_should_trigger_evfd(ctx));
++}
++
+ /* Returns true if there are no backlogged entries after the flush */
+ static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
+ {
+@@ -1789,10 +1804,12 @@ static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size,
+ if (req->opcode == IORING_OP_READ_FIXED ||
+ req->opcode == IORING_OP_WRITE_FIXED)
+ return 0;
+- if (!req->io && io_alloc_async_ctx(req))
+- return -ENOMEM;
++ if (!req->io) {
++ if (io_alloc_async_ctx(req))
++ return -ENOMEM;
+
+- io_req_map_rw(req, io_size, iovec, fast_iov, iter);
++ io_req_map_rw(req, io_size, iovec, fast_iov, iter);
++ }
+ req->work.func = io_rw_async;
+ return 0;
+ }
+@@ -2635,6 +2652,14 @@ static void io_poll_complete_work(struct io_wq_work **workptr)
+ io_wq_assign_next(workptr, nxt);
+ }
+
++static void io_poll_trigger_evfd(struct io_wq_work **workptr)
++{
++ struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
++
++ eventfd_signal(req->ctx->cq_ev_fd, 1);
++ io_put_req(req);
++}
++
+ static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
+ void *key)
+ {
+@@ -2657,13 +2682,21 @@ static int io_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
+ * for finalizing the request, mark us as having grabbed that already.
+ */
+ if (mask && spin_trylock_irqsave(&ctx->completion_lock, flags)) {
++ bool trigger_ev;
++
+ hash_del(&req->hash_node);
+ io_poll_complete(req, mask, 0);
+- req->flags |= REQ_F_COMP_LOCKED;
+- io_put_req(req);
++ trigger_ev = io_should_trigger_evfd(ctx);
++ if (trigger_ev && eventfd_signal_count()) {
++ trigger_ev = false;
++ req->work.func = io_poll_trigger_evfd;
++ } else {
++ req->flags |= REQ_F_COMP_LOCKED;
++ io_put_req(req);
++ req = NULL;
++ }
+ spin_unlock_irqrestore(&ctx->completion_lock, flags);
+-
+- io_cqring_ev_posted(ctx);
++ __io_cqring_ev_posted(ctx, trigger_ev);
+ } else {
+ io_queue_async_work(req);
+ }
+@@ -3900,7 +3933,8 @@ static int io_sq_thread(void *data)
+ * reap events and wake us up.
+ */
+ if (inflight ||
+- (!time_after(jiffies, timeout) && ret != -EBUSY)) {
++ (!time_after(jiffies, timeout) && ret != -EBUSY &&
++ !percpu_ref_is_dying(&ctx->refs))) {
+ cond_resched();
+ continue;
+ }
+@@ -4981,6 +5015,16 @@ static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
+ percpu_ref_kill(&ctx->refs);
+ mutex_unlock(&ctx->uring_lock);
+
++ /*
++ * Wait for sq thread to idle, if we have one. It won't spin on new
++ * work after we've killed the ctx ref above. This is important to do
++ * before we cancel existing commands, as the thread could otherwise
++ * be queueing new work post that. If that's work we need to cancel,
++ * it could cause shutdown to hang.
++ */
++ while (ctx->sqo_thread && !wq_has_sleeper(&ctx->sqo_wait))
++ cpu_relax();
++
+ io_kill_timeouts(ctx);
+ io_poll_remove_all(ctx);
+
+@@ -5473,10 +5517,17 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
+ ret = io_sqe_files_update(ctx, arg, nr_args);
+ break;
+ case IORING_REGISTER_EVENTFD:
++ case IORING_REGISTER_EVENTFD_ASYNC:
+ ret = -EINVAL;
+ if (nr_args != 1)
+ break;
+ ret = io_eventfd_register(ctx, arg);
++ if (ret)
++ break;
++ if (opcode == IORING_REGISTER_EVENTFD_ASYNC)
++ ctx->eventfd_async = 1;
++ else
++ ctx->eventfd_async = 0;
+ break;
+ case IORING_UNREGISTER_EVENTFD:
+ ret = -EINVAL;
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index 5e408ee24a1a..b3e2433f94fe 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -982,6 +982,7 @@ static void *jbd2_seq_info_start(struct seq_file *seq, loff_t *pos)
+
+ static void *jbd2_seq_info_next(struct seq_file *seq, void *v, loff_t *pos)
+ {
++ (*pos)++;
+ return NULL;
+ }
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index e180033e35cf..05ed7be8a634 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -162,6 +162,17 @@ typedef struct {
+ bool eof;
+ } nfs_readdir_descriptor_t;
+
++static
++void nfs_readdir_init_array(struct page *page)
++{
++ struct nfs_cache_array *array;
++
++ array = kmap_atomic(page);
++ memset(array, 0, sizeof(struct nfs_cache_array));
++ array->eof_index = -1;
++ kunmap_atomic(array);
++}
++
+ /*
+ * we are freeing strings created by nfs_add_to_readdir_array()
+ */
+@@ -174,6 +185,7 @@ void nfs_readdir_clear_array(struct page *page)
+ array = kmap_atomic(page);
+ for (i = 0; i < array->size; i++)
+ kfree(array->array[i].string.name);
++ array->size = 0;
+ kunmap_atomic(array);
+ }
+
+@@ -610,6 +622,8 @@ int nfs_readdir_xdr_to_array(nfs_readdir_descriptor_t *desc, struct page *page,
+ int status = -ENOMEM;
+ unsigned int array_size = ARRAY_SIZE(pages);
+
++ nfs_readdir_init_array(page);
++
+ entry.prev_cookie = 0;
+ entry.cookie = desc->last_cookie;
+ entry.eof = 0;
+@@ -626,8 +640,6 @@ int nfs_readdir_xdr_to_array(nfs_readdir_descriptor_t *desc, struct page *page,
+ }
+
+ array = kmap(page);
+- memset(array, 0, sizeof(struct nfs_cache_array));
+- array->eof_index = -1;
+
+ status = nfs_readdir_alloc_pages(pages, array_size);
+ if (status < 0)
+@@ -682,6 +694,7 @@ int nfs_readdir_filler(void *data, struct page* page)
+ unlock_page(page);
+ return 0;
+ error:
++ nfs_readdir_clear_array(page);
+ unlock_page(page);
+ return ret;
+ }
+@@ -689,8 +702,6 @@ int nfs_readdir_filler(void *data, struct page* page)
+ static
+ void cache_page_release(nfs_readdir_descriptor_t *desc)
+ {
+- if (!desc->page->mapping)
+- nfs_readdir_clear_array(desc->page);
+ put_page(desc->page);
+ desc->page = NULL;
+ }
+@@ -704,19 +715,28 @@ struct page *get_cache_page(nfs_readdir_descriptor_t *desc)
+
+ /*
+ * Returns 0 if desc->dir_cookie was found on page desc->page_index
++ * and locks the page to prevent removal from the page cache.
+ */
+ static
+-int find_cache_page(nfs_readdir_descriptor_t *desc)
++int find_and_lock_cache_page(nfs_readdir_descriptor_t *desc)
+ {
+ int res;
+
+ desc->page = get_cache_page(desc);
+ if (IS_ERR(desc->page))
+ return PTR_ERR(desc->page);
+-
+- res = nfs_readdir_search_array(desc);
++ res = lock_page_killable(desc->page);
+ if (res != 0)
+- cache_page_release(desc);
++ goto error;
++ res = -EAGAIN;
++ if (desc->page->mapping != NULL) {
++ res = nfs_readdir_search_array(desc);
++ if (res == 0)
++ return 0;
++ }
++ unlock_page(desc->page);
++error:
++ cache_page_release(desc);
+ return res;
+ }
+
+@@ -731,7 +751,7 @@ int readdir_search_pagecache(nfs_readdir_descriptor_t *desc)
+ desc->last_cookie = 0;
+ }
+ do {
+- res = find_cache_page(desc);
++ res = find_and_lock_cache_page(desc);
+ } while (res == -EAGAIN);
+ return res;
+ }
+@@ -770,7 +790,6 @@ int nfs_do_filldir(nfs_readdir_descriptor_t *desc)
+ desc->eof = true;
+
+ kunmap(desc->page);
+- cache_page_release(desc);
+ dfprintk(DIRCACHE, "NFS: nfs_do_filldir() filling ended @ cookie %Lu; returning = %d\n",
+ (unsigned long long)*desc->dir_cookie, res);
+ return res;
+@@ -816,13 +835,13 @@ int uncached_readdir(nfs_readdir_descriptor_t *desc)
+
+ status = nfs_do_filldir(desc);
+
++ out_release:
++ nfs_readdir_clear_array(desc->page);
++ cache_page_release(desc);
+ out:
+ dfprintk(DIRCACHE, "NFS: %s: returns %d\n",
+ __func__, status);
+ return status;
+- out_release:
+- cache_page_release(desc);
+- goto out;
+ }
+
+ /* The file offset position represents the dirent entry number. A
+@@ -887,6 +906,8 @@ static int nfs_readdir(struct file *file, struct dir_context *ctx)
+ break;
+
+ res = nfs_do_filldir(desc);
++ unlock_page(desc->page);
++ cache_page_release(desc);
+ if (res < 0)
+ break;
+ } while (!desc->eof);
+diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
+index 32a9bf22ac08..0a3e5c2aac4b 100644
+--- a/fs/nfsd/filecache.c
++++ b/fs/nfsd/filecache.c
+@@ -789,6 +789,7 @@ nfsd_file_acquire(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ struct nfsd_file *nf, *new;
+ struct inode *inode;
+ unsigned int hashval;
++ bool retry = true;
+
+ /* FIXME: skip this if fh_dentry is already set? */
+ status = fh_verify(rqstp, fhp, S_IFREG,
+@@ -824,6 +825,11 @@ wait_for_construction:
+
+ /* Did construction of this file fail? */
+ if (!test_bit(NFSD_FILE_HASHED, &nf->nf_flags)) {
++ if (!retry) {
++ status = nfserr_jukebox;
++ goto out;
++ }
++ retry = false;
+ nfsd_file_put_noref(nf);
+ goto retry;
+ }
+diff --git a/fs/nfsd/nfs4layouts.c b/fs/nfsd/nfs4layouts.c
+index 2681c70283ce..e12409eca7cc 100644
+--- a/fs/nfsd/nfs4layouts.c
++++ b/fs/nfsd/nfs4layouts.c
+@@ -675,7 +675,7 @@ nfsd4_cb_layout_done(struct nfsd4_callback *cb, struct rpc_task *task)
+
+ /* Client gets 2 lease periods to return it */
+ cutoff = ktime_add_ns(task->tk_start,
+- nn->nfsd4_lease * NSEC_PER_SEC * 2);
++ (u64)nn->nfsd4_lease * NSEC_PER_SEC * 2);
+
+ if (ktime_before(now, cutoff)) {
+ rpc_delay(task, HZ/100); /* 10 mili-seconds */
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index 369e574c5092..e909ca36c255 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6550,7 +6550,7 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+ }
+
+ if (fl_flags & FL_SLEEP) {
+- nbl->nbl_time = jiffies;
++ nbl->nbl_time = get_seconds();
+ spin_lock(&nn->blocked_locks_lock);
+ list_add_tail(&nbl->nbl_list, &lock_sop->lo_blocked);
+ list_add_tail(&nbl->nbl_lru, &nn->blocked_locks_lru);
+diff --git a/fs/nfsd/state.h b/fs/nfsd/state.h
+index d61b83b9654c..6bd915e4295e 100644
+--- a/fs/nfsd/state.h
++++ b/fs/nfsd/state.h
+@@ -606,7 +606,7 @@ static inline bool nfsd4_stateid_generation_after(stateid_t *a, stateid_t *b)
+ struct nfsd4_blocked_lock {
+ struct list_head nbl_list;
+ struct list_head nbl_lru;
+- unsigned long nbl_time;
++ time_t nbl_time;
+ struct file_lock nbl_lock;
+ struct knfsd_fh nbl_fh;
+ struct nfsd4_callback nbl_cb;
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index c0dc491537a6..f0bca0e87d0c 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -975,6 +975,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
+ host_err = vfs_iter_write(file, &iter, &pos, flags);
+ if (host_err < 0)
+ goto out_nfserr;
++ *cnt = host_err;
+ nfsdstats.io_write += *cnt;
+ fsnotify_modify(file);
+
+diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
+index 6c7388430ad3..d4359a1df3d5 100644
+--- a/fs/ntfs/inode.c
++++ b/fs/ntfs/inode.c
+@@ -2899,18 +2899,12 @@ int ntfs_setattr(struct dentry *dentry, struct iattr *attr)
+ ia_valid |= ATTR_MTIME | ATTR_CTIME;
+ }
+ }
+- if (ia_valid & ATTR_ATIME) {
+- vi->i_atime = timestamp_truncate(attr->ia_atime,
+- vi);
+- }
+- if (ia_valid & ATTR_MTIME) {
+- vi->i_mtime = timestamp_truncate(attr->ia_mtime,
+- vi);
+- }
+- if (ia_valid & ATTR_CTIME) {
+- vi->i_ctime = timestamp_truncate(attr->ia_ctime,
+- vi);
+- }
++ if (ia_valid & ATTR_ATIME)
++ vi->i_atime = attr->ia_atime;
++ if (ia_valid & ATTR_MTIME)
++ vi->i_mtime = attr->ia_mtime;
++ if (ia_valid & ATTR_CTIME)
++ vi->i_ctime = attr->ia_ctime;
+ mark_inode_dirty(vi);
+ out:
+ return err;
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 9876db52913a..6cd5e4924e4d 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2101,17 +2101,15 @@ static int ocfs2_is_io_unaligned(struct inode *inode, size_t count, loff_t pos)
+ static int ocfs2_inode_lock_for_extent_tree(struct inode *inode,
+ struct buffer_head **di_bh,
+ int meta_level,
+- int overwrite_io,
+ int write_sem,
+ int wait)
+ {
+ int ret = 0;
+
+ if (wait)
+- ret = ocfs2_inode_lock(inode, NULL, meta_level);
++ ret = ocfs2_inode_lock(inode, di_bh, meta_level);
+ else
+- ret = ocfs2_try_inode_lock(inode,
+- overwrite_io ? NULL : di_bh, meta_level);
++ ret = ocfs2_try_inode_lock(inode, di_bh, meta_level);
+ if (ret < 0)
+ goto out;
+
+@@ -2136,6 +2134,7 @@ static int ocfs2_inode_lock_for_extent_tree(struct inode *inode,
+
+ out_unlock:
+ brelse(*di_bh);
++ *di_bh = NULL;
+ ocfs2_inode_unlock(inode, meta_level);
+ out:
+ return ret;
+@@ -2177,7 +2176,6 @@ static int ocfs2_prepare_inode_for_write(struct file *file,
+ ret = ocfs2_inode_lock_for_extent_tree(inode,
+ &di_bh,
+ meta_level,
+- overwrite_io,
+ write_sem,
+ wait);
+ if (ret < 0) {
+@@ -2233,13 +2231,13 @@ static int ocfs2_prepare_inode_for_write(struct file *file,
+ &di_bh,
+ meta_level,
+ write_sem);
++ meta_level = 1;
++ write_sem = 1;
+ ret = ocfs2_inode_lock_for_extent_tree(inode,
+ &di_bh,
+ meta_level,
+- overwrite_io,
+- 1,
++ write_sem,
+ wait);
+- write_sem = 1;
+ if (ret < 0) {
+ if (ret != -EAGAIN)
+ mlog_errno(ret);
+diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
+index e235a635d9ec..15e4fa288475 100644
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -146,7 +146,7 @@ static loff_t ovl_llseek(struct file *file, loff_t offset, int whence)
+ struct inode *inode = file_inode(file);
+ struct fd real;
+ const struct cred *old_cred;
+- ssize_t ret;
++ loff_t ret;
+
+ /*
+ * The two special cases below do not need to involve real fs,
+diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
+index 47a91c9733a5..7255e6a5838f 100644
+--- a/fs/overlayfs/readdir.c
++++ b/fs/overlayfs/readdir.c
+@@ -504,7 +504,13 @@ get:
+ if (err)
+ goto fail;
+
+- WARN_ON_ONCE(dir->d_sb->s_dev != stat.dev);
++ /*
++ * Directory inode is always on overlay st_dev.
++ * Non-dir with ovl_same_dev() could be on pseudo st_dev in case
++ * of xino bits overflow.
++ */
++ WARN_ON_ONCE(S_ISDIR(stat.mode) &&
++ dir->d_sb->s_dev != stat.dev);
+ ino = stat.ino;
+ } else if (xinobits && !OVL_TYPE_UPPER(type)) {
+ ino = ovl_remap_lower_ino(ino, xinobits,
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 5bbf587f5bc1..7458fccc59e1 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -1777,10 +1777,9 @@ static int remap_verify_area(struct file *file, loff_t pos, loff_t len,
+ * else. Assume that the offsets have already been checked for block
+ * alignment.
+ *
+- * For deduplication we always scale down to the previous block because we
+- * can't meaningfully compare post-EOF contents.
+- *
+- * For clone we only link a partial EOF block above the destination file's EOF.
++ * For clone we only link a partial EOF block above or at the destination file's
++ * EOF. For deduplication we accept a partial EOF block only if it ends at the
++ * destination file's EOF (can not link it into the middle of a file).
+ *
+ * Shorten the request if possible.
+ */
+@@ -1796,8 +1795,7 @@ static int generic_remap_check_len(struct inode *inode_in,
+ if ((*len & blkmask) == 0)
+ return 0;
+
+- if ((remap_flags & REMAP_FILE_DEDUP) ||
+- pos_out + *len < i_size_read(inode_out))
++ if (pos_out + *len < i_size_read(inode_out))
+ new_len &= ~blkmask;
+
+ if (new_len == *len)
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 0b98e3c8b461..6c0e19f7a21f 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -228,6 +228,8 @@ static struct dentry *ubifs_lookup(struct inode *dir, struct dentry *dentry,
+ if (nm.hash) {
+ ubifs_assert(c, fname_len(&nm) == 0);
+ ubifs_assert(c, fname_name(&nm) == NULL);
++ if (nm.hash & ~UBIFS_S_KEY_HASH_MASK)
++ goto done; /* ENOENT */
+ dent_key_init_hash(c, &key, dir->i_ino, nm.hash);
+ err = ubifs_tnc_lookup_dh(c, &key, dent, nm.minor_hash);
+ } else {
+diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
+index cd52585c8f4f..a771273fba7e 100644
+--- a/fs/ubifs/file.c
++++ b/fs/ubifs/file.c
+@@ -786,7 +786,9 @@ static int ubifs_do_bulk_read(struct ubifs_info *c, struct bu_info *bu,
+
+ if (page_offset > end_index)
+ break;
+- page = find_or_create_page(mapping, page_offset, ra_gfp_mask);
++ page = pagecache_get_page(mapping, page_offset,
++ FGP_LOCK|FGP_ACCESSED|FGP_CREAT|FGP_NOWAIT,
++ ra_gfp_mask);
+ if (!page)
+ break;
+ if (!PageUptodate(page))
+@@ -1078,18 +1080,12 @@ static void do_attr_changes(struct inode *inode, const struct iattr *attr)
+ inode->i_uid = attr->ia_uid;
+ if (attr->ia_valid & ATTR_GID)
+ inode->i_gid = attr->ia_gid;
+- if (attr->ia_valid & ATTR_ATIME) {
+- inode->i_atime = timestamp_truncate(attr->ia_atime,
+- inode);
+- }
+- if (attr->ia_valid & ATTR_MTIME) {
+- inode->i_mtime = timestamp_truncate(attr->ia_mtime,
+- inode);
+- }
+- if (attr->ia_valid & ATTR_CTIME) {
+- inode->i_ctime = timestamp_truncate(attr->ia_ctime,
+- inode);
+- }
++ if (attr->ia_valid & ATTR_ATIME)
++ inode->i_atime = attr->ia_atime;
++ if (attr->ia_valid & ATTR_MTIME)
++ inode->i_mtime = attr->ia_mtime;
++ if (attr->ia_valid & ATTR_CTIME)
++ inode->i_ctime = attr->ia_ctime;
+ if (attr->ia_valid & ATTR_MODE) {
+ umode_t mode = attr->ia_mode;
+
+diff --git a/fs/ubifs/ioctl.c b/fs/ubifs/ioctl.c
+index 5dc5abca11c7..eeb1be259888 100644
+--- a/fs/ubifs/ioctl.c
++++ b/fs/ubifs/ioctl.c
+@@ -113,7 +113,8 @@ static int setflags(struct inode *inode, int flags)
+ if (err)
+ goto out_unlock;
+
+- ui->flags = ioctl2ubifs(flags);
++ ui->flags &= ~ioctl2ubifs(UBIFS_SUPPORTED_IOCTL_FLAGS);
++ ui->flags |= ioctl2ubifs(flags);
+ ubifs_set_inode_flags(inode);
+ inode->i_ctime = current_time(inode);
+ release = ui->dirty;
+diff --git a/fs/ubifs/sb.c b/fs/ubifs/sb.c
+index 2b7c04bf8983..17c90dff7266 100644
+--- a/fs/ubifs/sb.c
++++ b/fs/ubifs/sb.c
+@@ -161,7 +161,7 @@ static int create_default_filesystem(struct ubifs_info *c)
+ sup = kzalloc(ALIGN(UBIFS_SB_NODE_SZ, c->min_io_size), GFP_KERNEL);
+ mst = kzalloc(c->mst_node_alsz, GFP_KERNEL);
+ idx_node_size = ubifs_idx_node_sz(c, 1);
+- idx = kzalloc(ALIGN(tmp, c->min_io_size), GFP_KERNEL);
++ idx = kzalloc(ALIGN(idx_node_size, c->min_io_size), GFP_KERNEL);
+ ino = kzalloc(ALIGN(UBIFS_INO_NODE_SZ, c->min_io_size), GFP_KERNEL);
+ cs = kzalloc(ALIGN(UBIFS_CS_NODE_SZ, c->min_io_size), GFP_KERNEL);
+
+diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
+index 5e1e8ec0589e..7fc2f3f07c16 100644
+--- a/fs/ubifs/super.c
++++ b/fs/ubifs/super.c
+@@ -1599,6 +1599,7 @@ out_free:
+ vfree(c->ileb_buf);
+ vfree(c->sbuf);
+ kfree(c->bottom_up_buf);
++ kfree(c->sup_node);
+ ubifs_debugging_exit(c);
+ return err;
+ }
+@@ -1641,6 +1642,7 @@ static void ubifs_umount(struct ubifs_info *c)
+ vfree(c->ileb_buf);
+ vfree(c->sbuf);
+ kfree(c->bottom_up_buf);
++ kfree(c->sup_node);
+ ubifs_debugging_exit(c);
+ }
+
+diff --git a/fs/utimes.c b/fs/utimes.c
+index c952b6b3d8a0..1d17ce98cb80 100644
+--- a/fs/utimes.c
++++ b/fs/utimes.c
+@@ -36,14 +36,14 @@ static int utimes_common(const struct path *path, struct timespec64 *times)
+ if (times[0].tv_nsec == UTIME_OMIT)
+ newattrs.ia_valid &= ~ATTR_ATIME;
+ else if (times[0].tv_nsec != UTIME_NOW) {
+- newattrs.ia_atime = timestamp_truncate(times[0], inode);
++ newattrs.ia_atime = times[0];
+ newattrs.ia_valid |= ATTR_ATIME_SET;
+ }
+
+ if (times[1].tv_nsec == UTIME_OMIT)
+ newattrs.ia_valid &= ~ATTR_MTIME;
+ else if (times[1].tv_nsec != UTIME_NOW) {
+- newattrs.ia_mtime = timestamp_truncate(times[1], inode);
++ newattrs.ia_mtime = times[1];
+ newattrs.ia_valid |= ATTR_MTIME_SET;
+ }
+ /*
+diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h
+index 2b10036fefd0..9e22ac369d1d 100644
+--- a/include/asm-generic/tlb.h
++++ b/include/asm-generic/tlb.h
+@@ -137,13 +137,6 @@
+ * When used, an architecture is expected to provide __tlb_remove_table()
+ * which does the actual freeing of these pages.
+ *
+- * HAVE_RCU_TABLE_NO_INVALIDATE
+- *
+- * This makes HAVE_RCU_TABLE_FREE avoid calling tlb_flush_mmu_tlbonly() before
+- * freeing the page-table pages. This can be avoided if you use
+- * HAVE_RCU_TABLE_FREE and your architecture does _NOT_ use the Linux
+- * page-tables natively.
+- *
+ * MMU_GATHER_NO_RANGE
+ *
+ * Use this if your architecture lacks an efficient flush_tlb_range().
+@@ -189,8 +182,23 @@ struct mmu_table_batch {
+
+ extern void tlb_remove_table(struct mmu_gather *tlb, void *table);
+
++/*
++ * This allows an architecture that does not use the linux page-tables for
++ * hardware to skip the TLBI when freeing page tables.
++ */
++#ifndef tlb_needs_table_invalidate
++#define tlb_needs_table_invalidate() (true)
++#endif
++
++#else
++
++#ifdef tlb_needs_table_invalidate
++#error tlb_needs_table_invalidate() requires HAVE_RCU_TABLE_FREE
+ #endif
+
++#endif /* CONFIG_HAVE_RCU_TABLE_FREE */
++
++
+ #ifndef CONFIG_HAVE_MMU_GATHER_NO_GATHER
+ /*
+ * If we can't allocate a page to make a big batch of page pointers
+diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h
+index 97967ce06de3..f88197c1ffc2 100644
+--- a/include/linux/backing-dev.h
++++ b/include/linux/backing-dev.h
+@@ -13,6 +13,7 @@
+ #include <linux/fs.h>
+ #include <linux/sched.h>
+ #include <linux/blkdev.h>
++#include <linux/device.h>
+ #include <linux/writeback.h>
+ #include <linux/blk-cgroup.h>
+ #include <linux/backing-dev-defs.h>
+@@ -504,4 +505,13 @@ static inline int bdi_rw_congested(struct backing_dev_info *bdi)
+ (1 << WB_async_congested));
+ }
+
++extern const char *bdi_unknown_name;
++
++static inline const char *bdi_dev_name(struct backing_dev_info *bdi)
++{
++ if (!bdi || !bdi->dev)
++ return bdi_unknown_name;
++ return dev_name(bdi->dev);
++}
++
+ #endif /* _LINUX_BACKING_DEV_H */
+diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h
+index 31b1b0e03df8..018dce868de6 100644
+--- a/include/linux/cpufreq.h
++++ b/include/linux/cpufreq.h
+@@ -148,6 +148,20 @@ struct cpufreq_policy {
+ struct notifier_block nb_max;
+ };
+
++/*
++ * Used for passing new cpufreq policy data to the cpufreq driver's ->verify()
++ * callback for sanitization. That callback is only expected to modify the min
++ * and max values, if necessary, and specifically it must not update the
++ * frequency table.
++ */
++struct cpufreq_policy_data {
++ struct cpufreq_cpuinfo cpuinfo;
++ struct cpufreq_frequency_table *freq_table;
++ unsigned int cpu;
++ unsigned int min; /* in kHz */
++ unsigned int max; /* in kHz */
++};
++
+ struct cpufreq_freqs {
+ struct cpufreq_policy *policy;
+ unsigned int old;
+@@ -201,8 +215,6 @@ u64 get_cpu_idle_time(unsigned int cpu, u64 *wall, int io_busy);
+ struct cpufreq_policy *cpufreq_cpu_acquire(unsigned int cpu);
+ void cpufreq_cpu_release(struct cpufreq_policy *policy);
+ int cpufreq_get_policy(struct cpufreq_policy *policy, unsigned int cpu);
+-int cpufreq_set_policy(struct cpufreq_policy *policy,
+- struct cpufreq_policy *new_policy);
+ void refresh_frequency_limits(struct cpufreq_policy *policy);
+ void cpufreq_update_policy(unsigned int cpu);
+ void cpufreq_update_limits(unsigned int cpu);
+@@ -284,7 +296,7 @@ struct cpufreq_driver {
+
+ /* needed by all drivers */
+ int (*init)(struct cpufreq_policy *policy);
+- int (*verify)(struct cpufreq_policy *policy);
++ int (*verify)(struct cpufreq_policy_data *policy);
+
+ /* define one out of two */
+ int (*setpolicy)(struct cpufreq_policy *policy);
+@@ -415,8 +427,9 @@ static inline int cpufreq_thermal_control_enabled(struct cpufreq_driver *drv)
+ (drv->flags & CPUFREQ_IS_COOLING_DEV);
+ }
+
+-static inline void cpufreq_verify_within_limits(struct cpufreq_policy *policy,
+- unsigned int min, unsigned int max)
++static inline void cpufreq_verify_within_limits(struct cpufreq_policy_data *policy,
++ unsigned int min,
++ unsigned int max)
+ {
+ if (policy->min < min)
+ policy->min = min;
+@@ -432,10 +445,10 @@ static inline void cpufreq_verify_within_limits(struct cpufreq_policy *policy,
+ }
+
+ static inline void
+-cpufreq_verify_within_cpu_limits(struct cpufreq_policy *policy)
++cpufreq_verify_within_cpu_limits(struct cpufreq_policy_data *policy)
+ {
+ cpufreq_verify_within_limits(policy, policy->cpuinfo.min_freq,
+- policy->cpuinfo.max_freq);
++ policy->cpuinfo.max_freq);
+ }
+
+ #ifdef CONFIG_CPU_FREQ
+@@ -513,6 +526,7 @@ static inline unsigned long cpufreq_scale(unsigned long old, u_int div,
+ * CPUFREQ GOVERNORS *
+ *********************************************************************/
+
++#define CPUFREQ_POLICY_UNKNOWN (0)
+ /*
+ * If (cpufreq_driver->target) exists, the ->governor decides what frequency
+ * within the limits is used. If (cpufreq_driver->setpolicy> exists, these
+@@ -684,9 +698,9 @@ static inline void dev_pm_opp_free_cpufreq_table(struct device *dev,
+ int cpufreq_frequency_table_cpuinfo(struct cpufreq_policy *policy,
+ struct cpufreq_frequency_table *table);
+
+-int cpufreq_frequency_table_verify(struct cpufreq_policy *policy,
++int cpufreq_frequency_table_verify(struct cpufreq_policy_data *policy,
+ struct cpufreq_frequency_table *table);
+-int cpufreq_generic_frequency_table_verify(struct cpufreq_policy *policy);
++int cpufreq_generic_frequency_table_verify(struct cpufreq_policy_data *policy);
+
+ int cpufreq_table_index_unsorted(struct cpufreq_policy *policy,
+ unsigned int target_freq,
+diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h
+index ffcc7724ca21..dc4fd8a6644d 100644
+--- a/include/linux/eventfd.h
++++ b/include/linux/eventfd.h
+@@ -12,6 +12,8 @@
+ #include <linux/fcntl.h>
+ #include <linux/wait.h>
+ #include <linux/err.h>
++#include <linux/percpu-defs.h>
++#include <linux/percpu.h>
+
+ /*
+ * CAREFUL: Check include/uapi/asm-generic/fcntl.h when defining
+@@ -40,6 +42,13 @@ __u64 eventfd_signal(struct eventfd_ctx *ctx, __u64 n);
+ int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx, wait_queue_entry_t *wait,
+ __u64 *cnt);
+
++DECLARE_PER_CPU(int, eventfd_wake_count);
++
++static inline bool eventfd_signal_count(void)
++{
++ return this_cpu_read(eventfd_wake_count);
++}
++
+ #else /* CONFIG_EVENTFD */
+
+ /*
+@@ -68,6 +77,11 @@ static inline int eventfd_ctx_remove_wait_queue(struct eventfd_ctx *ctx,
+ return -ENOSYS;
+ }
+
++static inline bool eventfd_signal_count(void)
++{
++ return false;
++}
++
+ #endif
+
+ #endif /* _LINUX_EVENTFD_H */
+diff --git a/include/linux/irq.h b/include/linux/irq.h
+index 7853eb9301f2..3ed5a055b5f4 100644
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -209,6 +209,8 @@ struct irq_data {
+ * IRQD_SINGLE_TARGET - IRQ allows only a single affinity target
+ * IRQD_DEFAULT_TRIGGER_SET - Expected trigger already been set
+ * IRQD_CAN_RESERVE - Can use reservation mode
++ * IRQD_MSI_NOMASK_QUIRK - Non-maskable MSI quirk for affinity change
++ * required
+ */
+ enum {
+ IRQD_TRIGGER_MASK = 0xf,
+@@ -231,6 +233,7 @@ enum {
+ IRQD_SINGLE_TARGET = (1 << 24),
+ IRQD_DEFAULT_TRIGGER_SET = (1 << 25),
+ IRQD_CAN_RESERVE = (1 << 26),
++ IRQD_MSI_NOMASK_QUIRK = (1 << 27),
+ };
+
+ #define __irqd_to_state(d) ACCESS_PRIVATE((d)->common, state_use_accessors)
+@@ -390,6 +393,21 @@ static inline bool irqd_can_reserve(struct irq_data *d)
+ return __irqd_to_state(d) & IRQD_CAN_RESERVE;
+ }
+
++static inline void irqd_set_msi_nomask_quirk(struct irq_data *d)
++{
++ __irqd_to_state(d) |= IRQD_MSI_NOMASK_QUIRK;
++}
++
++static inline void irqd_clr_msi_nomask_quirk(struct irq_data *d)
++{
++ __irqd_to_state(d) &= ~IRQD_MSI_NOMASK_QUIRK;
++}
++
++static inline bool irqd_msi_nomask_quirk(struct irq_data *d)
++{
++ return __irqd_to_state(d) & IRQD_MSI_NOMASK_QUIRK;
++}
++
+ #undef __irqd_to_state
+
+ static inline irq_hw_number_t irqd_to_hwirq(struct irq_data *d)
+diff --git a/include/linux/irqdomain.h b/include/linux/irqdomain.h
+index 3c340dbc5a1f..4da8df57618a 100644
+--- a/include/linux/irqdomain.h
++++ b/include/linux/irqdomain.h
+@@ -206,6 +206,13 @@ enum {
+ /* Irq domain implements MSI remapping */
+ IRQ_DOMAIN_FLAG_MSI_REMAP = (1 << 5),
+
++ /*
++ * Quirk to handle MSI implementations which do not provide
++ * masking. Currently known to affect x86, but partially
++ * handled in core code.
++ */
++ IRQ_DOMAIN_MSI_NOMASK_QUIRK = (1 << 6),
++
+ /*
+ * Flags starting from IRQ_DOMAIN_FLAG_NONCORE are reserved
+ * for implementation specific purposes and ignored by the
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index 538c25e778c0..eacb8c48e768 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -204,7 +204,7 @@ struct kvm_async_pf {
+ struct list_head queue;
+ struct kvm_vcpu *vcpu;
+ struct mm_struct *mm;
+- gva_t gva;
++ gpa_t cr2_or_gpa;
+ unsigned long addr;
+ struct kvm_arch_async_pf arch;
+ bool wakeup_all;
+@@ -212,8 +212,8 @@ struct kvm_async_pf {
+
+ void kvm_clear_async_pf_completion_queue(struct kvm_vcpu *vcpu);
+ void kvm_check_async_pf_completion(struct kvm_vcpu *vcpu);
+-int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, unsigned long hva,
+- struct kvm_arch_async_pf *arch);
++int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
++ unsigned long hva, struct kvm_arch_async_pf *arch);
+ int kvm_async_pf_wakeup_all(struct kvm_vcpu *vcpu);
+ #endif
+
+@@ -723,6 +723,7 @@ void kvm_set_pfn_dirty(kvm_pfn_t pfn);
+ void kvm_set_pfn_accessed(kvm_pfn_t pfn);
+ void kvm_get_pfn(kvm_pfn_t pfn);
+
++void kvm_release_pfn(kvm_pfn_t pfn, bool dirty, struct gfn_to_pfn_cache *cache);
+ int kvm_read_guest_page(struct kvm *kvm, gfn_t gfn, void *data, int offset,
+ int len);
+ int kvm_read_guest_atomic(struct kvm *kvm, gpa_t gpa, void *data,
+@@ -767,7 +768,7 @@ int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len);
+ int kvm_clear_guest(struct kvm *kvm, gpa_t gpa, unsigned long len);
+ struct kvm_memory_slot *gfn_to_memslot(struct kvm *kvm, gfn_t gfn);
+ bool kvm_is_visible_gfn(struct kvm *kvm, gfn_t gfn);
+-unsigned long kvm_host_page_size(struct kvm *kvm, gfn_t gfn);
++unsigned long kvm_host_page_size(struct kvm_vcpu *vcpu, gfn_t gfn);
+ void mark_page_dirty(struct kvm *kvm, gfn_t gfn);
+
+ struct kvm_memslots *kvm_vcpu_memslots(struct kvm_vcpu *vcpu);
+@@ -775,8 +776,12 @@ struct kvm_memory_slot *kvm_vcpu_gfn_to_memslot(struct kvm_vcpu *vcpu, gfn_t gfn
+ kvm_pfn_t kvm_vcpu_gfn_to_pfn_atomic(struct kvm_vcpu *vcpu, gfn_t gfn);
+ kvm_pfn_t kvm_vcpu_gfn_to_pfn(struct kvm_vcpu *vcpu, gfn_t gfn);
+ int kvm_vcpu_map(struct kvm_vcpu *vcpu, gpa_t gpa, struct kvm_host_map *map);
++int kvm_map_gfn(struct kvm_vcpu *vcpu, gfn_t gfn, struct kvm_host_map *map,
++ struct gfn_to_pfn_cache *cache, bool atomic);
+ struct page *kvm_vcpu_gfn_to_page(struct kvm_vcpu *vcpu, gfn_t gfn);
+ void kvm_vcpu_unmap(struct kvm_vcpu *vcpu, struct kvm_host_map *map, bool dirty);
++int kvm_unmap_gfn(struct kvm_vcpu *vcpu, struct kvm_host_map *map,
++ struct gfn_to_pfn_cache *cache, bool dirty, bool atomic);
+ unsigned long kvm_vcpu_gfn_to_hva(struct kvm_vcpu *vcpu, gfn_t gfn);
+ unsigned long kvm_vcpu_gfn_to_hva_prot(struct kvm_vcpu *vcpu, gfn_t gfn, bool *writable);
+ int kvm_vcpu_read_guest_page(struct kvm_vcpu *vcpu, gfn_t gfn, void *data, int offset,
+diff --git a/include/linux/kvm_types.h b/include/linux/kvm_types.h
+index 1c88e69db3d9..68e84cf42a3f 100644
+--- a/include/linux/kvm_types.h
++++ b/include/linux/kvm_types.h
+@@ -18,7 +18,7 @@ struct kvm_memslots;
+
+ enum kvm_mr_change;
+
+-#include <asm/types.h>
++#include <linux/types.h>
+
+ /*
+ * Address types:
+@@ -51,4 +51,11 @@ struct gfn_to_hva_cache {
+ struct kvm_memory_slot *memslot;
+ };
+
++struct gfn_to_pfn_cache {
++ u64 generation;
++ gfn_t gfn;
++ kvm_pfn_t pfn;
++ bool dirty;
++};
++
+ #endif /* __KVM_TYPES_H__ */
+diff --git a/include/linux/mfd/rohm-bd70528.h b/include/linux/mfd/rohm-bd70528.h
+index 1013e60c5b25..b0109ee6dae2 100644
+--- a/include/linux/mfd/rohm-bd70528.h
++++ b/include/linux/mfd/rohm-bd70528.h
+@@ -317,7 +317,7 @@ enum {
+ #define BD70528_MASK_RTC_MINUTE 0x7f
+ #define BD70528_MASK_RTC_HOUR_24H 0x80
+ #define BD70528_MASK_RTC_HOUR_PM 0x20
+-#define BD70528_MASK_RTC_HOUR 0x1f
++#define BD70528_MASK_RTC_HOUR 0x3f
+ #define BD70528_MASK_RTC_DAY 0x3f
+ #define BD70528_MASK_RTC_WEEK 0x07
+ #define BD70528_MASK_RTC_MONTH 0x1f
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index 5d54fccf87fc..56f124a6eccb 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1418,14 +1418,15 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+
+ u8 reserved_at_440[0x20];
+
+- u8 tls[0x1];
+- u8 reserved_at_461[0x2];
++ u8 reserved_at_460[0x3];
+ u8 log_max_uctx[0x5];
+ u8 reserved_at_468[0x3];
+ u8 log_max_umem[0x5];
+ u8 max_num_eqs[0x10];
+
+- u8 reserved_at_480[0x3];
++ u8 reserved_at_480[0x1];
++ u8 tls_tx[0x1];
++ u8 reserved_at_482[0x1];
+ u8 log_max_l2_table[0x5];
+ u8 reserved_at_488[0x8];
+ u8 log_uar_page_sz[0x10];
+diff --git a/include/linux/padata.h b/include/linux/padata.h
+index 23717eeaad23..cccab7a59787 100644
+--- a/include/linux/padata.h
++++ b/include/linux/padata.h
+@@ -9,6 +9,7 @@
+ #ifndef PADATA_H
+ #define PADATA_H
+
++#include <linux/compiler_types.h>
+ #include <linux/workqueue.h>
+ #include <linux/spinlock.h>
+ #include <linux/list.h>
+@@ -98,7 +99,7 @@ struct padata_cpumask {
+ * struct parallel_data - Internal control structure, covers everything
+ * that depends on the cpumask in use.
+ *
+- * @pinst: padata instance.
++ * @sh: padata_shell object.
+ * @pqueue: percpu padata queues used for parallelization.
+ * @squeue: percpu padata queues used for serialuzation.
+ * @reorder_objects: Number of objects waiting in the reorder queues.
+@@ -111,7 +112,7 @@ struct padata_cpumask {
+ * @lock: Reorder lock.
+ */
+ struct parallel_data {
+- struct padata_instance *pinst;
++ struct padata_shell *ps;
+ struct padata_parallel_queue __percpu *pqueue;
+ struct padata_serial_queue __percpu *squeue;
+ atomic_t reorder_objects;
+@@ -124,14 +125,33 @@ struct parallel_data {
+ spinlock_t lock ____cacheline_aligned;
+ };
+
++/**
++ * struct padata_shell - Wrapper around struct parallel_data, its
++ * purpose is to allow the underlying control structure to be replaced
++ * on the fly using RCU.
++ *
++ * @pinst: padat instance.
++ * @pd: Actual parallel_data structure which may be substituted on the fly.
++ * @opd: Pointer to old pd to be freed by padata_replace.
++ * @list: List entry in padata_instance list.
++ */
++struct padata_shell {
++ struct padata_instance *pinst;
++ struct parallel_data __rcu *pd;
++ struct parallel_data *opd;
++ struct list_head list;
++};
++
+ /**
+ * struct padata_instance - The overall control structure.
+ *
+ * @cpu_notifier: cpu hotplug notifier.
+ * @parallel_wq: The workqueue used for parallel work.
+ * @serial_wq: The workqueue used for serial work.
+- * @pd: The internal control structure.
++ * @pslist: List of padata_shell objects attached to this instance.
+ * @cpumask: User supplied cpumasks for parallel and serial works.
++ * @rcpumask: Actual cpumasks based on user cpumask and cpu_online_mask.
++ * @omask: Temporary storage used to compute the notification mask.
+ * @cpumask_change_notifier: Notifiers chain for user-defined notify
+ * callbacks that will be called when either @pcpu or @cbcpu
+ * or both cpumasks change.
+@@ -143,8 +163,10 @@ struct padata_instance {
+ struct hlist_node node;
+ struct workqueue_struct *parallel_wq;
+ struct workqueue_struct *serial_wq;
+- struct parallel_data *pd;
++ struct list_head pslist;
+ struct padata_cpumask cpumask;
++ struct padata_cpumask rcpumask;
++ cpumask_var_t omask;
+ struct blocking_notifier_head cpumask_change_notifier;
+ struct kobject kobj;
+ struct mutex lock;
+@@ -156,7 +178,9 @@ struct padata_instance {
+
+ extern struct padata_instance *padata_alloc_possible(const char *name);
+ extern void padata_free(struct padata_instance *pinst);
+-extern int padata_do_parallel(struct padata_instance *pinst,
++extern struct padata_shell *padata_alloc_shell(struct padata_instance *pinst);
++extern void padata_free_shell(struct padata_shell *ps);
++extern int padata_do_parallel(struct padata_shell *ps,
+ struct padata_priv *padata, int *cb_cpu);
+ extern void padata_do_serial(struct padata_priv *padata);
+ extern int padata_set_cpumask(struct padata_instance *pinst, int cpumask_type,
+diff --git a/include/linux/percpu-defs.h b/include/linux/percpu-defs.h
+index a6fabd865211..176bfbd52d97 100644
+--- a/include/linux/percpu-defs.h
++++ b/include/linux/percpu-defs.h
+@@ -175,8 +175,7 @@
+ * Declaration/definition used for per-CPU variables that should be accessed
+ * as decrypted when memory encryption is enabled in the guest.
+ */
+-#if defined(CONFIG_VIRTUALIZATION) && defined(CONFIG_AMD_MEM_ENCRYPT)
+-
++#ifdef CONFIG_AMD_MEM_ENCRYPT
+ #define DECLARE_PER_CPU_DECRYPTED(type, name) \
+ DECLARE_PER_CPU_SECTION(type, name, "..decrypted")
+
+diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h
+index 337a46391527..6a92fd3105a3 100644
+--- a/include/linux/regulator/consumer.h
++++ b/include/linux/regulator/consumer.h
+@@ -287,6 +287,8 @@ void regulator_bulk_set_supply_names(struct regulator_bulk_data *consumers,
+ const char *const *supply_names,
+ unsigned int num_supplies);
+
++bool regulator_is_equal(struct regulator *reg1, struct regulator *reg2);
++
+ #else
+
+ /*
+@@ -593,6 +595,11 @@ regulator_bulk_set_supply_names(struct regulator_bulk_data *consumers,
+ {
+ }
+
++static inline bool
++regulator_is_equal(struct regulator *reg1, struct regulator *reg2)
++{
++ return false;
++}
+ #endif
+
+ static inline int regulator_set_voltage_triplet(struct regulator *regulator,
+diff --git a/include/media/v4l2-rect.h b/include/media/v4l2-rect.h
+index c86474dc7b55..8800a640c224 100644
+--- a/include/media/v4l2-rect.h
++++ b/include/media/v4l2-rect.h
+@@ -63,10 +63,10 @@ static inline void v4l2_rect_map_inside(struct v4l2_rect *r,
+ r->left = boundary->left;
+ if (r->top < boundary->top)
+ r->top = boundary->top;
+- if (r->left + r->width > boundary->width)
+- r->left = boundary->width - r->width;
+- if (r->top + r->height > boundary->height)
+- r->top = boundary->height - r->height;
++ if (r->left + r->width > boundary->left + boundary->width)
++ r->left = boundary->left + boundary->width - r->width;
++ if (r->top + r->height > boundary->top + boundary->height)
++ r->top = boundary->top + boundary->height - r->height;
+ }
+
+ /**
+diff --git a/include/net/ipx.h b/include/net/ipx.h
+index baf090390998..9d1342807b59 100644
+--- a/include/net/ipx.h
++++ b/include/net/ipx.h
+@@ -47,11 +47,6 @@ struct ipxhdr {
+ /* From af_ipx.c */
+ extern int sysctl_ipx_pprop_broadcasting;
+
+-static __inline__ struct ipxhdr *ipx_hdr(struct sk_buff *skb)
+-{
+- return (struct ipxhdr *)skb_transport_header(skb);
+-}
+-
+ struct ipx_interface {
+ /* IPX address */
+ __be32 if_netnum;
+diff --git a/include/scsi/sg.h b/include/scsi/sg.h
+index f91bcca604e4..29c7ad04d2e2 100644
+--- a/include/scsi/sg.h
++++ b/include/scsi/sg.h
+@@ -68,6 +68,36 @@ typedef struct sg_io_hdr
+ unsigned int info; /* [o] auxiliary information */
+ } sg_io_hdr_t; /* 64 bytes long (on i386) */
+
++#if defined(__KERNEL__)
++#include <linux/compat.h>
++
++struct compat_sg_io_hdr {
++ compat_int_t interface_id; /* [i] 'S' for SCSI generic (required) */
++ compat_int_t dxfer_direction; /* [i] data transfer direction */
++ unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */
++ unsigned char mx_sb_len; /* [i] max length to write to sbp */
++ unsigned short iovec_count; /* [i] 0 implies no scatter gather */
++ compat_uint_t dxfer_len; /* [i] byte count of data transfer */
++ compat_uint_t dxferp; /* [i], [*io] points to data transfer memory
++ or scatter gather list */
++ compat_uptr_t cmdp; /* [i], [*i] points to command to perform */
++ compat_uptr_t sbp; /* [i], [*o] points to sense_buffer memory */
++ compat_uint_t timeout; /* [i] MAX_UINT->no timeout (unit: millisec) */
++ compat_uint_t flags; /* [i] 0 -> default, see SG_FLAG... */
++ compat_int_t pack_id; /* [i->o] unused internally (normally) */
++ compat_uptr_t usr_ptr; /* [i->o] unused internally */
++ unsigned char status; /* [o] scsi status */
++ unsigned char masked_status; /* [o] shifted, masked scsi status */
++ unsigned char msg_status; /* [o] messaging level data (optional) */
++ unsigned char sb_len_wr; /* [o] byte count actually written to sbp */
++ unsigned short host_status; /* [o] errors from host adapter */
++ unsigned short driver_status; /* [o] errors from software driver */
++ compat_int_t resid; /* [o] dxfer_len - actual_transferred */
++ compat_uint_t duration; /* [o] time taken by cmd (unit: millisec) */
++ compat_uint_t info; /* [o] auxiliary information */
++};
++#endif
++
+ #define SG_INTERFACE_ID_ORIG 'S'
+
+ /* Use negative values to flag difference from original sg_header structure */
+diff --git a/include/sound/hdaudio.h b/include/sound/hdaudio.h
+index e05b95e83d5a..fb9dce4c6928 100644
+--- a/include/sound/hdaudio.h
++++ b/include/sound/hdaudio.h
+@@ -8,6 +8,7 @@
+
+ #include <linux/device.h>
+ #include <linux/interrupt.h>
++#include <linux/io.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/timecounter.h>
+ #include <sound/core.h>
+@@ -330,6 +331,7 @@ struct hdac_bus {
+ bool chip_init:1; /* h/w initialized */
+
+ /* behavior flags */
++ bool aligned_mmio:1; /* aligned MMIO access */
+ bool sync_write:1; /* sync after verb write */
+ bool use_posbuf:1; /* use position buffer */
+ bool snoop:1; /* enable snooping */
+@@ -405,34 +407,61 @@ void snd_hdac_bus_free_stream_pages(struct hdac_bus *bus);
+ unsigned int snd_hdac_aligned_read(void __iomem *addr, unsigned int mask);
+ void snd_hdac_aligned_write(unsigned int val, void __iomem *addr,
+ unsigned int mask);
+-#define snd_hdac_reg_writeb(v, addr) snd_hdac_aligned_write(v, addr, 0xff)
+-#define snd_hdac_reg_writew(v, addr) snd_hdac_aligned_write(v, addr, 0xffff)
+-#define snd_hdac_reg_readb(addr) snd_hdac_aligned_read(addr, 0xff)
+-#define snd_hdac_reg_readw(addr) snd_hdac_aligned_read(addr, 0xffff)
+-#else /* CONFIG_SND_HDA_ALIGNED_MMIO */
+-#define snd_hdac_reg_writeb(val, addr) writeb(val, addr)
+-#define snd_hdac_reg_writew(val, addr) writew(val, addr)
+-#define snd_hdac_reg_readb(addr) readb(addr)
+-#define snd_hdac_reg_readw(addr) readw(addr)
+-#endif /* CONFIG_SND_HDA_ALIGNED_MMIO */
+-#define snd_hdac_reg_writel(val, addr) writel(val, addr)
+-#define snd_hdac_reg_readl(addr) readl(addr)
++#define snd_hdac_aligned_mmio(bus) (bus)->aligned_mmio
++#else
++#define snd_hdac_aligned_mmio(bus) false
++#define snd_hdac_aligned_read(addr, mask) 0
++#define snd_hdac_aligned_write(val, addr, mask) do {} while (0)
++#endif
++
++static inline void snd_hdac_reg_writeb(struct hdac_bus *bus, void __iomem *addr,
++ u8 val)
++{
++ if (snd_hdac_aligned_mmio(bus))
++ snd_hdac_aligned_write(val, addr, 0xff);
++ else
++ writeb(val, addr);
++}
++
++static inline void snd_hdac_reg_writew(struct hdac_bus *bus, void __iomem *addr,
++ u16 val)
++{
++ if (snd_hdac_aligned_mmio(bus))
++ snd_hdac_aligned_write(val, addr, 0xffff);
++ else
++ writew(val, addr);
++}
++
++static inline u8 snd_hdac_reg_readb(struct hdac_bus *bus, void __iomem *addr)
++{
++ return snd_hdac_aligned_mmio(bus) ?
++ snd_hdac_aligned_read(addr, 0xff) : readb(addr);
++}
++
++static inline u16 snd_hdac_reg_readw(struct hdac_bus *bus, void __iomem *addr)
++{
++ return snd_hdac_aligned_mmio(bus) ?
++ snd_hdac_aligned_read(addr, 0xffff) : readw(addr);
++}
++
++#define snd_hdac_reg_writel(bus, addr, val) writel(val, addr)
++#define snd_hdac_reg_readl(bus, addr) readl(addr)
+
+ /*
+ * macros for easy use
+ */
+ #define _snd_hdac_chip_writeb(chip, reg, value) \
+- snd_hdac_reg_writeb(value, (chip)->remap_addr + (reg))
++ snd_hdac_reg_writeb(chip, (chip)->remap_addr + (reg), value)
+ #define _snd_hdac_chip_readb(chip, reg) \
+- snd_hdac_reg_readb((chip)->remap_addr + (reg))
++ snd_hdac_reg_readb(chip, (chip)->remap_addr + (reg))
+ #define _snd_hdac_chip_writew(chip, reg, value) \
+- snd_hdac_reg_writew(value, (chip)->remap_addr + (reg))
++ snd_hdac_reg_writew(chip, (chip)->remap_addr + (reg), value)
+ #define _snd_hdac_chip_readw(chip, reg) \
+- snd_hdac_reg_readw((chip)->remap_addr + (reg))
++ snd_hdac_reg_readw(chip, (chip)->remap_addr + (reg))
+ #define _snd_hdac_chip_writel(chip, reg, value) \
+- snd_hdac_reg_writel(value, (chip)->remap_addr + (reg))
++ snd_hdac_reg_writel(chip, (chip)->remap_addr + (reg), value)
+ #define _snd_hdac_chip_readl(chip, reg) \
+- snd_hdac_reg_readl((chip)->remap_addr + (reg))
++ snd_hdac_reg_readl(chip, (chip)->remap_addr + (reg))
+
+ /* read/write a register, pass without AZX_REG_ prefix */
+ #define snd_hdac_chip_writel(chip, reg, value) \
+@@ -540,17 +569,17 @@ int snd_hdac_get_stream_stripe_ctl(struct hdac_bus *bus,
+ */
+ /* read/write a register, pass without AZX_REG_ prefix */
+ #define snd_hdac_stream_writel(dev, reg, value) \
+- snd_hdac_reg_writel(value, (dev)->sd_addr + AZX_REG_ ## reg)
++ snd_hdac_reg_writel((dev)->bus, (dev)->sd_addr + AZX_REG_ ## reg, value)
+ #define snd_hdac_stream_writew(dev, reg, value) \
+- snd_hdac_reg_writew(value, (dev)->sd_addr + AZX_REG_ ## reg)
++ snd_hdac_reg_writew((dev)->bus, (dev)->sd_addr + AZX_REG_ ## reg, value)
+ #define snd_hdac_stream_writeb(dev, reg, value) \
+- snd_hdac_reg_writeb(value, (dev)->sd_addr + AZX_REG_ ## reg)
++ snd_hdac_reg_writeb((dev)->bus, (dev)->sd_addr + AZX_REG_ ## reg, value)
+ #define snd_hdac_stream_readl(dev, reg) \
+- snd_hdac_reg_readl((dev)->sd_addr + AZX_REG_ ## reg)
++ snd_hdac_reg_readl((dev)->bus, (dev)->sd_addr + AZX_REG_ ## reg)
+ #define snd_hdac_stream_readw(dev, reg) \
+- snd_hdac_reg_readw((dev)->sd_addr + AZX_REG_ ## reg)
++ snd_hdac_reg_readw((dev)->bus, (dev)->sd_addr + AZX_REG_ ## reg)
+ #define snd_hdac_stream_readb(dev, reg) \
+- snd_hdac_reg_readb((dev)->sd_addr + AZX_REG_ ## reg)
++ snd_hdac_reg_readb((dev)->bus, (dev)->sd_addr + AZX_REG_ ## reg)
+
+ /* update a register, pass without AZX_REG_ prefix */
+ #define snd_hdac_stream_updatel(dev, reg, mask, val) \
+diff --git a/include/trace/events/writeback.h b/include/trace/events/writeback.h
+index ef50be4e5e6c..d94def25e4dc 100644
+--- a/include/trace/events/writeback.h
++++ b/include/trace/events/writeback.h
+@@ -67,8 +67,8 @@ DECLARE_EVENT_CLASS(writeback_page_template,
+
+ TP_fast_assign(
+ strscpy_pad(__entry->name,
+- mapping ? dev_name(inode_to_bdi(mapping->host)->dev) : "(unknown)",
+- 32);
++ bdi_dev_name(mapping ? inode_to_bdi(mapping->host) :
++ NULL), 32);
+ __entry->ino = mapping ? mapping->host->i_ino : 0;
+ __entry->index = page->index;
+ ),
+@@ -111,8 +111,7 @@ DECLARE_EVENT_CLASS(writeback_dirty_inode_template,
+ struct backing_dev_info *bdi = inode_to_bdi(inode);
+
+ /* may be called for files on pseudo FSes w/ unregistered bdi */
+- strscpy_pad(__entry->name,
+- bdi->dev ? dev_name(bdi->dev) : "(unknown)", 32);
++ strscpy_pad(__entry->name, bdi_dev_name(bdi), 32);
+ __entry->ino = inode->i_ino;
+ __entry->state = inode->i_state;
+ __entry->flags = flags;
+@@ -193,7 +192,7 @@ TRACE_EVENT(inode_foreign_history,
+ ),
+
+ TP_fast_assign(
+- strncpy(__entry->name, dev_name(inode_to_bdi(inode)->dev), 32);
++ strncpy(__entry->name, bdi_dev_name(inode_to_bdi(inode)), 32);
+ __entry->ino = inode->i_ino;
+ __entry->cgroup_ino = __trace_wbc_assign_cgroup(wbc);
+ __entry->history = history;
+@@ -222,7 +221,7 @@ TRACE_EVENT(inode_switch_wbs,
+ ),
+
+ TP_fast_assign(
+- strncpy(__entry->name, dev_name(old_wb->bdi->dev), 32);
++ strncpy(__entry->name, bdi_dev_name(old_wb->bdi), 32);
+ __entry->ino = inode->i_ino;
+ __entry->old_cgroup_ino = __trace_wb_assign_cgroup(old_wb);
+ __entry->new_cgroup_ino = __trace_wb_assign_cgroup(new_wb);
+@@ -255,7 +254,7 @@ TRACE_EVENT(track_foreign_dirty,
+ struct address_space *mapping = page_mapping(page);
+ struct inode *inode = mapping ? mapping->host : NULL;
+
+- strncpy(__entry->name, dev_name(wb->bdi->dev), 32);
++ strncpy(__entry->name, bdi_dev_name(wb->bdi), 32);
+ __entry->bdi_id = wb->bdi->id;
+ __entry->ino = inode ? inode->i_ino : 0;
+ __entry->memcg_id = wb->memcg_css->id;
+@@ -288,7 +287,7 @@ TRACE_EVENT(flush_foreign,
+ ),
+
+ TP_fast_assign(
+- strncpy(__entry->name, dev_name(wb->bdi->dev), 32);
++ strncpy(__entry->name, bdi_dev_name(wb->bdi), 32);
+ __entry->cgroup_ino = __trace_wb_assign_cgroup(wb);
+ __entry->frn_bdi_id = frn_bdi_id;
+ __entry->frn_memcg_id = frn_memcg_id;
+@@ -318,7 +317,7 @@ DECLARE_EVENT_CLASS(writeback_write_inode_template,
+
+ TP_fast_assign(
+ strscpy_pad(__entry->name,
+- dev_name(inode_to_bdi(inode)->dev), 32);
++ bdi_dev_name(inode_to_bdi(inode)), 32);
+ __entry->ino = inode->i_ino;
+ __entry->sync_mode = wbc->sync_mode;
+ __entry->cgroup_ino = __trace_wbc_assign_cgroup(wbc);
+@@ -361,9 +360,7 @@ DECLARE_EVENT_CLASS(writeback_work_class,
+ __field(ino_t, cgroup_ino)
+ ),
+ TP_fast_assign(
+- strscpy_pad(__entry->name,
+- wb->bdi->dev ? dev_name(wb->bdi->dev) :
+- "(unknown)", 32);
++ strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32);
+ __entry->nr_pages = work->nr_pages;
+ __entry->sb_dev = work->sb ? work->sb->s_dev : 0;
+ __entry->sync_mode = work->sync_mode;
+@@ -416,7 +413,7 @@ DECLARE_EVENT_CLASS(writeback_class,
+ __field(ino_t, cgroup_ino)
+ ),
+ TP_fast_assign(
+- strscpy_pad(__entry->name, dev_name(wb->bdi->dev), 32);
++ strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32);
+ __entry->cgroup_ino = __trace_wb_assign_cgroup(wb);
+ ),
+ TP_printk("bdi %s: cgroup_ino=%lu",
+@@ -438,7 +435,7 @@ TRACE_EVENT(writeback_bdi_register,
+ __array(char, name, 32)
+ ),
+ TP_fast_assign(
+- strscpy_pad(__entry->name, dev_name(bdi->dev), 32);
++ strscpy_pad(__entry->name, bdi_dev_name(bdi), 32);
+ ),
+ TP_printk("bdi %s",
+ __entry->name
+@@ -463,7 +460,7 @@ DECLARE_EVENT_CLASS(wbc_class,
+ ),
+
+ TP_fast_assign(
+- strscpy_pad(__entry->name, dev_name(bdi->dev), 32);
++ strscpy_pad(__entry->name, bdi_dev_name(bdi), 32);
+ __entry->nr_to_write = wbc->nr_to_write;
+ __entry->pages_skipped = wbc->pages_skipped;
+ __entry->sync_mode = wbc->sync_mode;
+@@ -514,7 +511,7 @@ TRACE_EVENT(writeback_queue_io,
+ ),
+ TP_fast_assign(
+ unsigned long *older_than_this = work->older_than_this;
+- strscpy_pad(__entry->name, dev_name(wb->bdi->dev), 32);
++ strscpy_pad(__entry->name, bdi_dev_name(wb->bdi), 32);
+ __entry->older = older_than_this ? *older_than_this : 0;
+ __entry->age = older_than_this ?
+ (jiffies - *older_than_this) * 1000 / HZ : -1;
+@@ -600,7 +597,7 @@ TRACE_EVENT(bdi_dirty_ratelimit,
+ ),
+
+ TP_fast_assign(
+- strscpy_pad(__entry->bdi, dev_name(wb->bdi->dev), 32);
++ strscpy_pad(__entry->bdi, bdi_dev_name(wb->bdi), 32);
+ __entry->write_bw = KBps(wb->write_bandwidth);
+ __entry->avg_write_bw = KBps(wb->avg_write_bandwidth);
+ __entry->dirty_rate = KBps(dirty_rate);
+@@ -665,7 +662,7 @@ TRACE_EVENT(balance_dirty_pages,
+
+ TP_fast_assign(
+ unsigned long freerun = (thresh + bg_thresh) / 2;
+- strscpy_pad(__entry->bdi, dev_name(wb->bdi->dev), 32);
++ strscpy_pad(__entry->bdi, bdi_dev_name(wb->bdi), 32);
+
+ __entry->limit = global_wb_domain.dirty_limit;
+ __entry->setpoint = (global_wb_domain.dirty_limit +
+@@ -726,7 +723,7 @@ TRACE_EVENT(writeback_sb_inodes_requeue,
+
+ TP_fast_assign(
+ strscpy_pad(__entry->name,
+- dev_name(inode_to_bdi(inode)->dev), 32);
++ bdi_dev_name(inode_to_bdi(inode)), 32);
+ __entry->ino = inode->i_ino;
+ __entry->state = inode->i_state;
+ __entry->dirtied_when = inode->dirtied_when;
+@@ -800,7 +797,7 @@ DECLARE_EVENT_CLASS(writeback_single_inode_template,
+
+ TP_fast_assign(
+ strscpy_pad(__entry->name,
+- dev_name(inode_to_bdi(inode)->dev), 32);
++ bdi_dev_name(inode_to_bdi(inode)), 32);
+ __entry->ino = inode->i_ino;
+ __entry->state = inode->i_state;
+ __entry->dirtied_when = inode->dirtied_when;
+diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h
+index 55cfcb71606d..88693fed2c4b 100644
+--- a/include/uapi/linux/io_uring.h
++++ b/include/uapi/linux/io_uring.h
+@@ -175,6 +175,7 @@ struct io_uring_params {
+ #define IORING_REGISTER_EVENTFD 4
+ #define IORING_UNREGISTER_EVENTFD 5
+ #define IORING_REGISTER_FILES_UPDATE 6
++#define IORING_REGISTER_EVENTFD_ASYNC 7
+
+ struct io_uring_files_update {
+ __u32 offset;
+diff --git a/ipc/msg.c b/ipc/msg.c
+index 8dec945fa030..767587ab45a3 100644
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -377,7 +377,7 @@ copy_msqid_from_user(struct msqid64_ds *out, void __user *buf, int version)
+ * NOTE: no locks must be held, the rwsem is taken inside this function.
+ */
+ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+- struct msqid64_ds *msqid64)
++ struct ipc64_perm *perm, int msg_qbytes)
+ {
+ struct kern_ipc_perm *ipcp;
+ struct msg_queue *msq;
+@@ -387,7 +387,7 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+ rcu_read_lock();
+
+ ipcp = ipcctl_obtain_check(ns, &msg_ids(ns), msqid, cmd,
+- &msqid64->msg_perm, msqid64->msg_qbytes);
++ perm, msg_qbytes);
+ if (IS_ERR(ipcp)) {
+ err = PTR_ERR(ipcp);
+ goto out_unlock1;
+@@ -409,18 +409,18 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
+ {
+ DEFINE_WAKE_Q(wake_q);
+
+- if (msqid64->msg_qbytes > ns->msg_ctlmnb &&
++ if (msg_qbytes > ns->msg_ctlmnb &&
+ !capable(CAP_SYS_RESOURCE)) {
+ err = -EPERM;
+ goto out_unlock1;
+ }
+
+ ipc_lock_object(&msq->q_perm);
+- err = ipc_update_perm(&msqid64->msg_perm, ipcp);
++ err = ipc_update_perm(perm, ipcp);
+ if (err)
+ goto out_unlock0;
+
+- msq->q_qbytes = msqid64->msg_qbytes;
++ msq->q_qbytes = msg_qbytes;
+
+ msq->q_ctime = ktime_get_real_seconds();
+ /*
+@@ -601,9 +601,10 @@ static long ksys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf, int ver
+ case IPC_SET:
+ if (copy_msqid_from_user(&msqid64, buf, version))
+ return -EFAULT;
+- /* fallthru */
++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm,
++ msqid64.msg_qbytes);
+ case IPC_RMID:
+- return msgctl_down(ns, msqid, cmd, &msqid64);
++ return msgctl_down(ns, msqid, cmd, NULL, 0);
+ default:
+ return -EINVAL;
+ }
+@@ -735,9 +736,9 @@ static long compat_ksys_msgctl(int msqid, int cmd, void __user *uptr, int versio
+ case IPC_SET:
+ if (copy_compat_msqid_from_user(&msqid64, uptr, version))
+ return -EFAULT;
+- /* fallthru */
++ return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, msqid64.msg_qbytes);
+ case IPC_RMID:
+- return msgctl_down(ns, msqid, cmd, &msqid64);
++ return msgctl_down(ns, msqid, cmd, NULL, 0);
+ default:
+ return -EINVAL;
+ }
+diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
+index 3d3d61b5985b..b4b6b77f309c 100644
+--- a/kernel/bpf/devmap.c
++++ b/kernel/bpf/devmap.c
+@@ -293,7 +293,8 @@ struct bpf_dtab_netdev *__dev_map_hash_lookup_elem(struct bpf_map *map, u32 key)
+ struct hlist_head *head = dev_map_index_hash(dtab, key);
+ struct bpf_dtab_netdev *dev;
+
+- hlist_for_each_entry_rcu(dev, head, index_hlist)
++ hlist_for_each_entry_rcu(dev, head, index_hlist,
++ lockdep_is_held(&dtab->index_lock))
+ if (dev->idx == key)
+ return dev;
+
+diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
+index 23b0d5cfd47e..88dee4b09f53 100644
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -150,6 +150,14 @@ static int bpf_trampoline_update(struct bpf_trampoline *tr)
+ if (fexit_cnt)
+ flags = BPF_TRAMP_F_CALL_ORIG | BPF_TRAMP_F_SKIP_FRAME;
+
++ /* Though the second half of trampoline page is unused a task could be
++ * preempted in the middle of the first half of trampoline and two
++ * updates to trampoline would change the code from underneath the
++ * preempted task. Hence wait for tasks to voluntarily schedule or go
++ * to userspace.
++ */
++ synchronize_rcu_tasks();
++
+ err = arch_prepare_bpf_trampoline(new_image, &tr->func.model, flags,
+ fentry, fentry_cnt,
+ fexit, fexit_cnt,
+@@ -240,6 +248,8 @@ void bpf_trampoline_put(struct bpf_trampoline *tr)
+ goto out;
+ if (WARN_ON_ONCE(!hlist_empty(&tr->progs_hlist[BPF_TRAMP_FEXIT])))
+ goto out;
++ /* wait for tasks to get out of trampoline before freeing it */
++ synchronize_rcu_tasks();
+ bpf_jit_free_exec(tr->image);
+ hlist_del(&tr->hlist);
+ kfree(tr);
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 2173c23c25b4..fdb7f7ef380c 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -951,9 +951,9 @@ list_update_cgroup_event(struct perf_event *event,
+
+ /*
+ * Because cgroup events are always per-cpu events,
+- * this will always be called from the right CPU.
++ * @ctx == &cpuctx->ctx.
+ */
+- cpuctx = __get_cpu_context(ctx);
++ cpuctx = container_of(ctx, struct perf_cpu_context, ctx);
+
+ /*
+ * Since setting cpuctx->cgrp is conditional on the current @cgrp
+@@ -979,7 +979,8 @@ list_update_cgroup_event(struct perf_event *event,
+
+ cpuctx_entry = &cpuctx->cgrp_cpuctx_entry;
+ if (add)
+- list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list));
++ list_add(cpuctx_entry,
++ per_cpu_ptr(&cgrp_cpuctx_list, event->cpu));
+ else
+ list_del(cpuctx_entry);
+ }
+@@ -5916,7 +5917,15 @@ accounting:
+ */
+ user_lock_limit *= num_online_cpus();
+
+- user_locked = atomic_long_read(&user->locked_vm) + user_extra;
++ user_locked = atomic_long_read(&user->locked_vm);
++
++ /*
++ * sysctl_perf_event_mlock may have changed, so that
++ * user->locked_vm > user_lock_limit
++ */
++ if (user_locked > user_lock_limit)
++ user_locked = user_lock_limit;
++ user_locked += user_extra;
+
+ if (user_locked > user_lock_limit) {
+ /*
+diff --git a/kernel/irq/debugfs.c b/kernel/irq/debugfs.c
+index c1eccd4f6520..a949bd39e343 100644
+--- a/kernel/irq/debugfs.c
++++ b/kernel/irq/debugfs.c
+@@ -114,6 +114,7 @@ static const struct irq_bit_descr irqdata_states[] = {
+ BIT_MASK_DESCR(IRQD_AFFINITY_MANAGED),
+ BIT_MASK_DESCR(IRQD_MANAGED_SHUTDOWN),
+ BIT_MASK_DESCR(IRQD_CAN_RESERVE),
++ BIT_MASK_DESCR(IRQD_MSI_NOMASK_QUIRK),
+
+ BIT_MASK_DESCR(IRQD_FORWARDED_TO_VCPU),
+
+diff --git a/kernel/irq/irqdomain.c b/kernel/irq/irqdomain.c
+index dd822fd8a7d5..480df3659720 100644
+--- a/kernel/irq/irqdomain.c
++++ b/kernel/irq/irqdomain.c
+@@ -1459,6 +1459,7 @@ int irq_domain_push_irq(struct irq_domain *domain, int virq, void *arg)
+ if (rv) {
+ /* Restore the original irq_data. */
+ *root_irq_data = *child_irq_data;
++ kfree(child_irq_data);
+ goto error;
+ }
+
+diff --git a/kernel/irq/msi.c b/kernel/irq/msi.c
+index ad26fbcfbfc8..eb95f6106a1e 100644
+--- a/kernel/irq/msi.c
++++ b/kernel/irq/msi.c
+@@ -453,8 +453,11 @@ int msi_domain_alloc_irqs(struct irq_domain *domain, struct device *dev,
+ continue;
+
+ irq_data = irq_domain_get_irq_data(domain, desc->irq);
+- if (!can_reserve)
++ if (!can_reserve) {
+ irqd_clr_can_reserve(irq_data);
++ if (domain->flags & IRQ_DOMAIN_MSI_NOMASK_QUIRK)
++ irqd_set_msi_nomask_quirk(irq_data);
++ }
+ ret = irq_domain_activate_irq(irq_data, can_reserve);
+ if (ret)
+ goto cleanup;
+diff --git a/kernel/padata.c b/kernel/padata.c
+index c3fec1413295..9c82ee4a9732 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -35,6 +35,8 @@
+
+ #define MAX_OBJ_NUM 1000
+
++static void padata_free_pd(struct parallel_data *pd);
++
+ static int padata_index_to_cpu(struct parallel_data *pd, int cpu_index)
+ {
+ int cpu, target_cpu;
+@@ -87,7 +89,7 @@ static void padata_parallel_worker(struct work_struct *parallel_work)
+ /**
+ * padata_do_parallel - padata parallelization function
+ *
+- * @pinst: padata instance
++ * @ps: padatashell
+ * @padata: object to be parallelized
+ * @cb_cpu: pointer to the CPU that the serialization callback function should
+ * run on. If it's not in the serial cpumask of @pinst
+@@ -98,16 +100,17 @@ static void padata_parallel_worker(struct work_struct *parallel_work)
+ * Note: Every object which is parallelized by padata_do_parallel
+ * must be seen by padata_do_serial.
+ */
+-int padata_do_parallel(struct padata_instance *pinst,
++int padata_do_parallel(struct padata_shell *ps,
+ struct padata_priv *padata, int *cb_cpu)
+ {
++ struct padata_instance *pinst = ps->pinst;
+ int i, cpu, cpu_index, target_cpu, err;
+ struct padata_parallel_queue *queue;
+ struct parallel_data *pd;
+
+ rcu_read_lock_bh();
+
+- pd = rcu_dereference_bh(pinst->pd);
++ pd = rcu_dereference_bh(ps->pd);
+
+ err = -EINVAL;
+ if (!(pinst->flags & PADATA_INIT) || pinst->flags & PADATA_INVALID)
+@@ -210,10 +213,10 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd,
+
+ static void padata_reorder(struct parallel_data *pd)
+ {
++ struct padata_instance *pinst = pd->ps->pinst;
+ int cb_cpu;
+ struct padata_priv *padata;
+ struct padata_serial_queue *squeue;
+- struct padata_instance *pinst = pd->pinst;
+ struct padata_parallel_queue *next_queue;
+
+ /*
+@@ -283,6 +286,7 @@ static void padata_serial_worker(struct work_struct *serial_work)
+ struct padata_serial_queue *squeue;
+ struct parallel_data *pd;
+ LIST_HEAD(local_list);
++ int cnt;
+
+ local_bh_disable();
+ squeue = container_of(serial_work, struct padata_serial_queue, work);
+@@ -292,6 +296,8 @@ static void padata_serial_worker(struct work_struct *serial_work)
+ list_replace_init(&squeue->serial.list, &local_list);
+ spin_unlock(&squeue->serial.lock);
+
++ cnt = 0;
++
+ while (!list_empty(&local_list)) {
+ struct padata_priv *padata;
+
+@@ -301,9 +307,12 @@ static void padata_serial_worker(struct work_struct *serial_work)
+ list_del_init(&padata->list);
+
+ padata->serial(padata);
+- atomic_dec(&pd->refcnt);
++ cnt++;
+ }
+ local_bh_enable();
++
++ if (atomic_sub_and_test(cnt, &pd->refcnt))
++ padata_free_pd(pd);
+ }
+
+ /**
+@@ -341,36 +350,39 @@ void padata_do_serial(struct padata_priv *padata)
+ }
+ EXPORT_SYMBOL(padata_do_serial);
+
+-static int padata_setup_cpumasks(struct parallel_data *pd,
+- const struct cpumask *pcpumask,
+- const struct cpumask *cbcpumask)
++static int padata_setup_cpumasks(struct padata_instance *pinst)
+ {
+ struct workqueue_attrs *attrs;
++ int err;
++
++ attrs = alloc_workqueue_attrs();
++ if (!attrs)
++ return -ENOMEM;
++
++ /* Restrict parallel_wq workers to pd->cpumask.pcpu. */
++ cpumask_copy(attrs->cpumask, pinst->cpumask.pcpu);
++ err = apply_workqueue_attrs(pinst->parallel_wq, attrs);
++ free_workqueue_attrs(attrs);
++
++ return err;
++}
++
++static int pd_setup_cpumasks(struct parallel_data *pd,
++ const struct cpumask *pcpumask,
++ const struct cpumask *cbcpumask)
++{
+ int err = -ENOMEM;
+
+ if (!alloc_cpumask_var(&pd->cpumask.pcpu, GFP_KERNEL))
+ goto out;
+- cpumask_and(pd->cpumask.pcpu, pcpumask, cpu_online_mask);
+-
+ if (!alloc_cpumask_var(&pd->cpumask.cbcpu, GFP_KERNEL))
+ goto free_pcpu_mask;
+- cpumask_and(pd->cpumask.cbcpu, cbcpumask, cpu_online_mask);
+-
+- attrs = alloc_workqueue_attrs();
+- if (!attrs)
+- goto free_cbcpu_mask;
+
+- /* Restrict parallel_wq workers to pd->cpumask.pcpu. */
+- cpumask_copy(attrs->cpumask, pd->cpumask.pcpu);
+- err = apply_workqueue_attrs(pd->pinst->parallel_wq, attrs);
+- free_workqueue_attrs(attrs);
+- if (err < 0)
+- goto free_cbcpu_mask;
++ cpumask_copy(pd->cpumask.pcpu, pcpumask);
++ cpumask_copy(pd->cpumask.cbcpu, cbcpumask);
+
+ return 0;
+
+-free_cbcpu_mask:
+- free_cpumask_var(pd->cpumask.cbcpu);
+ free_pcpu_mask:
+ free_cpumask_var(pd->cpumask.pcpu);
+ out:
+@@ -414,12 +426,16 @@ static void padata_init_pqueues(struct parallel_data *pd)
+ }
+
+ /* Allocate and initialize the internal cpumask dependend resources. */
+-static struct parallel_data *padata_alloc_pd(struct padata_instance *pinst,
+- const struct cpumask *pcpumask,
+- const struct cpumask *cbcpumask)
++static struct parallel_data *padata_alloc_pd(struct padata_shell *ps)
+ {
++ struct padata_instance *pinst = ps->pinst;
++ const struct cpumask *cbcpumask;
++ const struct cpumask *pcpumask;
+ struct parallel_data *pd;
+
++ cbcpumask = pinst->rcpumask.cbcpu;
++ pcpumask = pinst->rcpumask.pcpu;
++
+ pd = kzalloc(sizeof(struct parallel_data), GFP_KERNEL);
+ if (!pd)
+ goto err;
+@@ -432,15 +448,15 @@ static struct parallel_data *padata_alloc_pd(struct padata_instance *pinst,
+ if (!pd->squeue)
+ goto err_free_pqueue;
+
+- pd->pinst = pinst;
+- if (padata_setup_cpumasks(pd, pcpumask, cbcpumask) < 0)
++ pd->ps = ps;
++ if (pd_setup_cpumasks(pd, pcpumask, cbcpumask))
+ goto err_free_squeue;
+
+ padata_init_pqueues(pd);
+ padata_init_squeues(pd);
+ atomic_set(&pd->seq_nr, -1);
+ atomic_set(&pd->reorder_objects, 0);
+- atomic_set(&pd->refcnt, 0);
++ atomic_set(&pd->refcnt, 1);
+ spin_lock_init(&pd->lock);
+ pd->cpu = cpumask_first(pd->cpumask.pcpu);
+ INIT_WORK(&pd->reorder_work, invoke_padata_reorder);
+@@ -466,29 +482,6 @@ static void padata_free_pd(struct parallel_data *pd)
+ kfree(pd);
+ }
+
+-/* Flush all objects out of the padata queues. */
+-static void padata_flush_queues(struct parallel_data *pd)
+-{
+- int cpu;
+- struct padata_parallel_queue *pqueue;
+- struct padata_serial_queue *squeue;
+-
+- for_each_cpu(cpu, pd->cpumask.pcpu) {
+- pqueue = per_cpu_ptr(pd->pqueue, cpu);
+- flush_work(&pqueue->work);
+- }
+-
+- if (atomic_read(&pd->reorder_objects))
+- padata_reorder(pd);
+-
+- for_each_cpu(cpu, pd->cpumask.cbcpu) {
+- squeue = per_cpu_ptr(pd->squeue, cpu);
+- flush_work(&squeue->work);
+- }
+-
+- BUG_ON(atomic_read(&pd->refcnt) != 0);
+-}
+-
+ static void __padata_start(struct padata_instance *pinst)
+ {
+ pinst->flags |= PADATA_INIT;
+@@ -502,39 +495,67 @@ static void __padata_stop(struct padata_instance *pinst)
+ pinst->flags &= ~PADATA_INIT;
+
+ synchronize_rcu();
+-
+- get_online_cpus();
+- padata_flush_queues(pinst->pd);
+- put_online_cpus();
+ }
+
+ /* Replace the internal control structure with a new one. */
+-static void padata_replace(struct padata_instance *pinst,
+- struct parallel_data *pd_new)
++static int padata_replace_one(struct padata_shell *ps)
+ {
+- struct parallel_data *pd_old = pinst->pd;
+- int notification_mask = 0;
++ struct parallel_data *pd_new;
+
+- pinst->flags |= PADATA_RESET;
++ pd_new = padata_alloc_pd(ps);
++ if (!pd_new)
++ return -ENOMEM;
+
+- rcu_assign_pointer(pinst->pd, pd_new);
++ ps->opd = rcu_dereference_protected(ps->pd, 1);
++ rcu_assign_pointer(ps->pd, pd_new);
+
+- synchronize_rcu();
++ return 0;
++}
++
++static int padata_replace(struct padata_instance *pinst, int cpu)
++{
++ int notification_mask = 0;
++ struct padata_shell *ps;
++ int err;
++
++ pinst->flags |= PADATA_RESET;
+
+- if (!cpumask_equal(pd_old->cpumask.pcpu, pd_new->cpumask.pcpu))
++ cpumask_copy(pinst->omask, pinst->rcpumask.pcpu);
++ cpumask_and(pinst->rcpumask.pcpu, pinst->cpumask.pcpu,
++ cpu_online_mask);
++ if (cpu >= 0)
++ cpumask_clear_cpu(cpu, pinst->rcpumask.pcpu);
++ if (!cpumask_equal(pinst->omask, pinst->rcpumask.pcpu))
+ notification_mask |= PADATA_CPU_PARALLEL;
+- if (!cpumask_equal(pd_old->cpumask.cbcpu, pd_new->cpumask.cbcpu))
++
++ cpumask_copy(pinst->omask, pinst->rcpumask.cbcpu);
++ cpumask_and(pinst->rcpumask.cbcpu, pinst->cpumask.cbcpu,
++ cpu_online_mask);
++ if (cpu >= 0)
++ cpumask_clear_cpu(cpu, pinst->rcpumask.cbcpu);
++ if (!cpumask_equal(pinst->omask, pinst->rcpumask.cbcpu))
+ notification_mask |= PADATA_CPU_SERIAL;
+
+- padata_flush_queues(pd_old);
+- padata_free_pd(pd_old);
++ list_for_each_entry(ps, &pinst->pslist, list) {
++ err = padata_replace_one(ps);
++ if (err)
++ break;
++ }
++
++ synchronize_rcu();
++
++ list_for_each_entry_continue_reverse(ps, &pinst->pslist, list)
++ if (atomic_dec_and_test(&ps->opd->refcnt))
++ padata_free_pd(ps->opd);
+
+ if (notification_mask)
+ blocking_notifier_call_chain(&pinst->cpumask_change_notifier,
+ notification_mask,
+- &pd_new->cpumask);
++ &pinst->cpumask);
+
+ pinst->flags &= ~PADATA_RESET;
++
++ return err;
+ }
+
+ /**
+@@ -587,7 +608,7 @@ static int __padata_set_cpumasks(struct padata_instance *pinst,
+ cpumask_var_t cbcpumask)
+ {
+ int valid;
+- struct parallel_data *pd;
++ int err;
+
+ valid = padata_validate_cpumask(pinst, pcpumask);
+ if (!valid) {
+@@ -600,19 +621,15 @@ static int __padata_set_cpumasks(struct padata_instance *pinst,
+ __padata_stop(pinst);
+
+ out_replace:
+- pd = padata_alloc_pd(pinst, pcpumask, cbcpumask);
+- if (!pd)
+- return -ENOMEM;
+-
+ cpumask_copy(pinst->cpumask.pcpu, pcpumask);
+ cpumask_copy(pinst->cpumask.cbcpu, cbcpumask);
+
+- padata_replace(pinst, pd);
++ err = padata_setup_cpumasks(pinst) ?: padata_replace(pinst, -1);
+
+ if (valid)
+ __padata_start(pinst);
+
+- return 0;
++ return err;
+ }
+
+ /**
+@@ -695,46 +712,32 @@ EXPORT_SYMBOL(padata_stop);
+
+ static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
+ {
+- struct parallel_data *pd;
++ int err = 0;
+
+ if (cpumask_test_cpu(cpu, cpu_online_mask)) {
+- pd = padata_alloc_pd(pinst, pinst->cpumask.pcpu,
+- pinst->cpumask.cbcpu);
+- if (!pd)
+- return -ENOMEM;
+-
+- padata_replace(pinst, pd);
++ err = padata_replace(pinst, -1);
+
+ if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
+ padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+ __padata_start(pinst);
+ }
+
+- return 0;
++ return err;
+ }
+
+ static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
+ {
+- struct parallel_data *pd = NULL;
++ int err = 0;
+
+ if (cpumask_test_cpu(cpu, cpu_online_mask)) {
+-
+ if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
+ !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+ __padata_stop(pinst);
+
+- pd = padata_alloc_pd(pinst, pinst->cpumask.pcpu,
+- pinst->cpumask.cbcpu);
+- if (!pd)
+- return -ENOMEM;
+-
+- padata_replace(pinst, pd);
+-
+- cpumask_clear_cpu(cpu, pd->cpumask.cbcpu);
+- cpumask_clear_cpu(cpu, pd->cpumask.pcpu);
++ err = padata_replace(pinst, cpu);
+ }
+
+- return 0;
++ return err;
+ }
+
+ /**
+@@ -817,8 +820,12 @@ static void __padata_free(struct padata_instance *pinst)
+ cpuhp_state_remove_instance_nocalls(hp_online, &pinst->node);
+ #endif
+
++ WARN_ON(!list_empty(&pinst->pslist));
++
+ padata_stop(pinst);
+- padata_free_pd(pinst->pd);
++ free_cpumask_var(pinst->omask);
++ free_cpumask_var(pinst->rcpumask.cbcpu);
++ free_cpumask_var(pinst->rcpumask.pcpu);
+ free_cpumask_var(pinst->cpumask.pcpu);
+ free_cpumask_var(pinst->cpumask.cbcpu);
+ destroy_workqueue(pinst->serial_wq);
+@@ -965,7 +972,6 @@ static struct padata_instance *padata_alloc(const char *name,
+ const struct cpumask *cbcpumask)
+ {
+ struct padata_instance *pinst;
+- struct parallel_data *pd = NULL;
+
+ pinst = kzalloc(sizeof(struct padata_instance), GFP_KERNEL);
+ if (!pinst)
+@@ -993,14 +999,22 @@ static struct padata_instance *padata_alloc(const char *name,
+ !padata_validate_cpumask(pinst, cbcpumask))
+ goto err_free_masks;
+
+- pd = padata_alloc_pd(pinst, pcpumask, cbcpumask);
+- if (!pd)
++ if (!alloc_cpumask_var(&pinst->rcpumask.pcpu, GFP_KERNEL))
+ goto err_free_masks;
++ if (!alloc_cpumask_var(&pinst->rcpumask.cbcpu, GFP_KERNEL))
++ goto err_free_rcpumask_pcpu;
++ if (!alloc_cpumask_var(&pinst->omask, GFP_KERNEL))
++ goto err_free_rcpumask_cbcpu;
+
+- rcu_assign_pointer(pinst->pd, pd);
++ INIT_LIST_HEAD(&pinst->pslist);
+
+ cpumask_copy(pinst->cpumask.pcpu, pcpumask);
+ cpumask_copy(pinst->cpumask.cbcpu, cbcpumask);
++ cpumask_and(pinst->rcpumask.pcpu, pcpumask, cpu_online_mask);
++ cpumask_and(pinst->rcpumask.cbcpu, cbcpumask, cpu_online_mask);
++
++ if (padata_setup_cpumasks(pinst))
++ goto err_free_omask;
+
+ pinst->flags = 0;
+
+@@ -1016,6 +1030,12 @@ static struct padata_instance *padata_alloc(const char *name,
+
+ return pinst;
+
++err_free_omask:
++ free_cpumask_var(pinst->omask);
++err_free_rcpumask_cbcpu:
++ free_cpumask_var(pinst->rcpumask.cbcpu);
++err_free_rcpumask_pcpu:
++ free_cpumask_var(pinst->rcpumask.pcpu);
+ err_free_masks:
+ free_cpumask_var(pinst->cpumask.pcpu);
+ free_cpumask_var(pinst->cpumask.cbcpu);
+@@ -1054,6 +1074,61 @@ void padata_free(struct padata_instance *pinst)
+ }
+ EXPORT_SYMBOL(padata_free);
+
++/**
++ * padata_alloc_shell - Allocate and initialize padata shell.
++ *
++ * @pinst: Parent padata_instance object.
++ */
++struct padata_shell *padata_alloc_shell(struct padata_instance *pinst)
++{
++ struct parallel_data *pd;
++ struct padata_shell *ps;
++
++ ps = kzalloc(sizeof(*ps), GFP_KERNEL);
++ if (!ps)
++ goto out;
++
++ ps->pinst = pinst;
++
++ get_online_cpus();
++ pd = padata_alloc_pd(ps);
++ put_online_cpus();
++
++ if (!pd)
++ goto out_free_ps;
++
++ mutex_lock(&pinst->lock);
++ RCU_INIT_POINTER(ps->pd, pd);
++ list_add(&ps->list, &pinst->pslist);
++ mutex_unlock(&pinst->lock);
++
++ return ps;
++
++out_free_ps:
++ kfree(ps);
++out:
++ return NULL;
++}
++EXPORT_SYMBOL(padata_alloc_shell);
++
++/**
++ * padata_free_shell - free a padata shell
++ *
++ * @ps: padata shell to free
++ */
++void padata_free_shell(struct padata_shell *ps)
++{
++ struct padata_instance *pinst = ps->pinst;
++
++ mutex_lock(&pinst->lock);
++ list_del(&ps->list);
++ padata_free_pd(rcu_dereference_protected(ps->pd, 1));
++ mutex_unlock(&pinst->lock);
++
++ kfree(ps);
++}
++EXPORT_SYMBOL(padata_free_shell);
++
+ #ifdef CONFIG_HOTPLUG_CPU
+
+ static __init int padata_driver_init(void)
+diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c
+index 5dffade2d7cd..21acdff3bd27 100644
+--- a/kernel/rcu/srcutree.c
++++ b/kernel/rcu/srcutree.c
+@@ -530,7 +530,7 @@ static void srcu_gp_end(struct srcu_struct *ssp)
+ idx = rcu_seq_state(ssp->srcu_gp_seq);
+ WARN_ON_ONCE(idx != SRCU_STATE_SCAN2);
+ cbdelay = srcu_get_delay(ssp);
+- ssp->srcu_last_gp_end = ktime_get_mono_fast_ns();
++ WRITE_ONCE(ssp->srcu_last_gp_end, ktime_get_mono_fast_ns());
+ rcu_seq_end(&ssp->srcu_gp_seq);
+ gpseq = rcu_seq_current(&ssp->srcu_gp_seq);
+ if (ULONG_CMP_LT(ssp->srcu_gp_seq_needed_exp, gpseq))
+@@ -762,6 +762,7 @@ static bool srcu_might_be_idle(struct srcu_struct *ssp)
+ unsigned long flags;
+ struct srcu_data *sdp;
+ unsigned long t;
++ unsigned long tlast;
+
+ /* If the local srcu_data structure has callbacks, not idle. */
+ local_irq_save(flags);
+@@ -780,9 +781,9 @@ static bool srcu_might_be_idle(struct srcu_struct *ssp)
+
+ /* First, see if enough time has passed since the last GP. */
+ t = ktime_get_mono_fast_ns();
++ tlast = READ_ONCE(ssp->srcu_last_gp_end);
+ if (exp_holdoff == 0 ||
+- time_in_range_open(t, ssp->srcu_last_gp_end,
+- ssp->srcu_last_gp_end + exp_holdoff))
++ time_in_range_open(t, tlast, tlast + exp_holdoff))
+ return false; /* Too soon after last GP. */
+
+ /* Next, check for probable idleness. */
+diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h
+index d632cd019597..69c5aa64fcfd 100644
+--- a/kernel/rcu/tree_exp.h
++++ b/kernel/rcu/tree_exp.h
+@@ -134,7 +134,7 @@ static void __maybe_unused sync_exp_reset_tree(void)
+ rcu_for_each_node_breadth_first(rnp) {
+ raw_spin_lock_irqsave_rcu_node(rnp, flags);
+ WARN_ON_ONCE(rnp->expmask);
+- rnp->expmask = rnp->expmaskinit;
++ WRITE_ONCE(rnp->expmask, rnp->expmaskinit);
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+ }
+ }
+@@ -211,7 +211,7 @@ static void __rcu_report_exp_rnp(struct rcu_node *rnp,
+ rnp = rnp->parent;
+ raw_spin_lock_rcu_node(rnp); /* irqs already disabled */
+ WARN_ON_ONCE(!(rnp->expmask & mask));
+- rnp->expmask &= ~mask;
++ WRITE_ONCE(rnp->expmask, rnp->expmask & ~mask);
+ }
+ }
+
+@@ -241,7 +241,7 @@ static void rcu_report_exp_cpu_mult(struct rcu_node *rnp,
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+ return;
+ }
+- rnp->expmask &= ~mask;
++ WRITE_ONCE(rnp->expmask, rnp->expmask & ~mask);
+ __rcu_report_exp_rnp(rnp, wake, flags); /* Releases rnp->lock. */
+ }
+
+@@ -372,12 +372,10 @@ static void sync_rcu_exp_select_node_cpus(struct work_struct *wp)
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+
+ /* IPI the remaining CPUs for expedited quiescent state. */
+- for_each_leaf_node_cpu_mask(rnp, cpu, rnp->expmask) {
++ for_each_leaf_node_cpu_mask(rnp, cpu, mask_ofl_ipi) {
+ unsigned long mask = leaf_node_cpu_bit(rnp, cpu);
+ struct rcu_data *rdp = per_cpu_ptr(&rcu_data, cpu);
+
+- if (!(mask_ofl_ipi & mask))
+- continue;
+ retry_ipi:
+ if (rcu_dynticks_in_eqs_since(rdp, rdp->exp_dynticks_snap)) {
+ mask_ofl_test |= mask;
+@@ -491,7 +489,7 @@ static void synchronize_sched_expedited_wait(void)
+ struct rcu_data *rdp;
+
+ mask = leaf_node_cpu_bit(rnp, cpu);
+- if (!(rnp->expmask & mask))
++ if (!(READ_ONCE(rnp->expmask) & mask))
+ continue;
+ ndetected++;
+ rdp = per_cpu_ptr(&rcu_data, cpu);
+@@ -503,7 +501,8 @@ static void synchronize_sched_expedited_wait(void)
+ }
+ pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n",
+ jiffies - jiffies_start, rcu_state.expedited_sequence,
+- rnp_root->expmask, ".T"[!!rnp_root->exp_tasks]);
++ READ_ONCE(rnp_root->expmask),
++ ".T"[!!rnp_root->exp_tasks]);
+ if (ndetected) {
+ pr_err("blocking rcu_node structures:");
+ rcu_for_each_node_breadth_first(rnp) {
+@@ -513,7 +512,7 @@ static void synchronize_sched_expedited_wait(void)
+ continue;
+ pr_cont(" l=%u:%d-%d:%#lx/%c",
+ rnp->level, rnp->grplo, rnp->grphi,
+- rnp->expmask,
++ READ_ONCE(rnp->expmask),
+ ".T"[!!rnp->exp_tasks]);
+ }
+ pr_cont("\n");
+@@ -521,7 +520,7 @@ static void synchronize_sched_expedited_wait(void)
+ rcu_for_each_leaf_node(rnp) {
+ for_each_leaf_node_possible_cpu(rnp, cpu) {
+ mask = leaf_node_cpu_bit(rnp, cpu);
+- if (!(rnp->expmask & mask))
++ if (!(READ_ONCE(rnp->expmask) & mask))
+ continue;
+ dump_cpu_task(cpu);
+ }
+diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
+index fa08d55f7040..f849e7429816 100644
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -220,7 +220,7 @@ static void rcu_preempt_ctxt_queue(struct rcu_node *rnp, struct rcu_data *rdp)
+ * blocked tasks.
+ */
+ if (!rnp->gp_tasks && (blkd_state & RCU_GP_BLKD)) {
+- rnp->gp_tasks = &t->rcu_node_entry;
++ WRITE_ONCE(rnp->gp_tasks, &t->rcu_node_entry);
+ WARN_ON_ONCE(rnp->completedqs == rnp->gp_seq);
+ }
+ if (!rnp->exp_tasks && (blkd_state & RCU_EXP_BLKD))
+@@ -340,7 +340,7 @@ EXPORT_SYMBOL_GPL(rcu_note_context_switch);
+ */
+ static int rcu_preempt_blocked_readers_cgp(struct rcu_node *rnp)
+ {
+- return rnp->gp_tasks != NULL;
++ return READ_ONCE(rnp->gp_tasks) != NULL;
+ }
+
+ /* Bias and limit values for ->rcu_read_lock_nesting. */
+@@ -493,7 +493,7 @@ rcu_preempt_deferred_qs_irqrestore(struct task_struct *t, unsigned long flags)
+ trace_rcu_unlock_preempted_task(TPS("rcu_preempt"),
+ rnp->gp_seq, t->pid);
+ if (&t->rcu_node_entry == rnp->gp_tasks)
+- rnp->gp_tasks = np;
++ WRITE_ONCE(rnp->gp_tasks, np);
+ if (&t->rcu_node_entry == rnp->exp_tasks)
+ rnp->exp_tasks = np;
+ if (IS_ENABLED(CONFIG_RCU_BOOST)) {
+@@ -612,7 +612,7 @@ static void rcu_read_unlock_special(struct task_struct *t)
+
+ t->rcu_read_unlock_special.b.exp_hint = false;
+ exp = (t->rcu_blocked_node && t->rcu_blocked_node->exp_tasks) ||
+- (rdp->grpmask & rnp->expmask) ||
++ (rdp->grpmask & READ_ONCE(rnp->expmask)) ||
+ tick_nohz_full_cpu(rdp->cpu);
+ // Need to defer quiescent state until everything is enabled.
+ if (irqs_were_disabled && use_softirq &&
+@@ -663,7 +663,7 @@ static void rcu_preempt_check_blocked_tasks(struct rcu_node *rnp)
+ dump_blkd_tasks(rnp, 10);
+ if (rcu_preempt_has_tasks(rnp) &&
+ (rnp->qsmaskinit || rnp->wait_blkd_tasks)) {
+- rnp->gp_tasks = rnp->blkd_tasks.next;
++ WRITE_ONCE(rnp->gp_tasks, rnp->blkd_tasks.next);
+ t = container_of(rnp->gp_tasks, struct task_struct,
+ rcu_node_entry);
+ trace_rcu_unlock_preempted_task(TPS("rcu_preempt-GPS"),
+@@ -757,7 +757,8 @@ dump_blkd_tasks(struct rcu_node *rnp, int ncheck)
+ pr_info("%s: %d:%d ->qsmask %#lx ->qsmaskinit %#lx ->qsmaskinitnext %#lx\n",
+ __func__, rnp1->grplo, rnp1->grphi, rnp1->qsmask, rnp1->qsmaskinit, rnp1->qsmaskinitnext);
+ pr_info("%s: ->gp_tasks %p ->boost_tasks %p ->exp_tasks %p\n",
+- __func__, rnp->gp_tasks, rnp->boost_tasks, rnp->exp_tasks);
++ __func__, READ_ONCE(rnp->gp_tasks), rnp->boost_tasks,
++ rnp->exp_tasks);
+ pr_info("%s: ->blkd_tasks", __func__);
+ i = 0;
+ list_for_each(lhp, &rnp->blkd_tasks) {
+diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
+index 451f9d05ccfe..4b11f0309eee 100644
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -88,6 +88,7 @@ static int alarmtimer_rtc_add_device(struct device *dev,
+ unsigned long flags;
+ struct rtc_device *rtc = to_rtc_device(dev);
+ struct wakeup_source *__ws;
++ int ret = 0;
+
+ if (rtcdev)
+ return -EBUSY;
+@@ -102,8 +103,8 @@ static int alarmtimer_rtc_add_device(struct device *dev,
+ spin_lock_irqsave(&rtcdev_lock, flags);
+ if (!rtcdev) {
+ if (!try_module_get(rtc->owner)) {
+- spin_unlock_irqrestore(&rtcdev_lock, flags);
+- return -1;
++ ret = -1;
++ goto unlock;
+ }
+
+ rtcdev = rtc;
+@@ -112,11 +113,12 @@ static int alarmtimer_rtc_add_device(struct device *dev,
+ ws = __ws;
+ __ws = NULL;
+ }
++unlock:
+ spin_unlock_irqrestore(&rtcdev_lock, flags);
+
+ wakeup_source_unregister(__ws);
+
+- return 0;
++ return ret;
+ }
+
+ static inline void alarmtimer_rtc_timer_init(void)
+diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
+index fff5f64981c6..428beb69426a 100644
+--- a/kernel/time/clocksource.c
++++ b/kernel/time/clocksource.c
+@@ -293,8 +293,15 @@ static void clocksource_watchdog(struct timer_list *unused)
+ next_cpu = cpumask_next(raw_smp_processor_id(), cpu_online_mask);
+ if (next_cpu >= nr_cpu_ids)
+ next_cpu = cpumask_first(cpu_online_mask);
+- watchdog_timer.expires += WATCHDOG_INTERVAL;
+- add_timer_on(&watchdog_timer, next_cpu);
++
++ /*
++ * Arm timer if not already pending: could race with concurrent
++ * pair clocksource_stop_watchdog() clocksource_start_watchdog().
++ */
++ if (!timer_pending(&watchdog_timer)) {
++ watchdog_timer.expires += WATCHDOG_INTERVAL;
++ add_timer_on(&watchdog_timer, next_cpu);
++ }
+ out:
+ spin_unlock(&watchdog_lock);
+ }
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 9bf1f2cd515e..3581bd96d6eb 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5596,8 +5596,8 @@ static const struct file_operations ftrace_notrace_fops = {
+
+ static DEFINE_MUTEX(graph_lock);
+
+-struct ftrace_hash *ftrace_graph_hash = EMPTY_HASH;
+-struct ftrace_hash *ftrace_graph_notrace_hash = EMPTY_HASH;
++struct ftrace_hash __rcu *ftrace_graph_hash = EMPTY_HASH;
++struct ftrace_hash __rcu *ftrace_graph_notrace_hash = EMPTY_HASH;
+
+ enum graph_filter_type {
+ GRAPH_FILTER_NOTRACE = 0,
+@@ -5872,8 +5872,15 @@ ftrace_graph_release(struct inode *inode, struct file *file)
+
+ mutex_unlock(&graph_lock);
+
+- /* Wait till all users are no longer using the old hash */
+- synchronize_rcu();
++ /*
++ * We need to do a hard force of sched synchronization.
++ * This is because we use preempt_disable() to do RCU, but
++ * the function tracers can be called where RCU is not watching
++ * (like before user_exit()). We can not rely on the RCU
++ * infrastructure to do the synchronization, thus we must do it
++ * ourselves.
++ */
++ schedule_on_each_cpu(ftrace_sync);
+
+ free_ftrace_hash(old_hash);
+ }
+diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
+index 63bf60f79398..85f475bb4823 100644
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -950,22 +950,31 @@ extern void __trace_graph_return(struct trace_array *tr,
+ unsigned long flags, int pc);
+
+ #ifdef CONFIG_DYNAMIC_FTRACE
+-extern struct ftrace_hash *ftrace_graph_hash;
+-extern struct ftrace_hash *ftrace_graph_notrace_hash;
++extern struct ftrace_hash __rcu *ftrace_graph_hash;
++extern struct ftrace_hash __rcu *ftrace_graph_notrace_hash;
+
+ static inline int ftrace_graph_addr(struct ftrace_graph_ent *trace)
+ {
+ unsigned long addr = trace->func;
+ int ret = 0;
++ struct ftrace_hash *hash;
+
+ preempt_disable_notrace();
+
+- if (ftrace_hash_empty(ftrace_graph_hash)) {
++ /*
++ * Have to open code "rcu_dereference_sched()" because the
++ * function graph tracer can be called when RCU is not
++ * "watching".
++ * Protected with schedule_on_each_cpu(ftrace_sync)
++ */
++ hash = rcu_dereference_protected(ftrace_graph_hash, !preemptible());
++
++ if (ftrace_hash_empty(hash)) {
+ ret = 1;
+ goto out;
+ }
+
+- if (ftrace_lookup_ip(ftrace_graph_hash, addr)) {
++ if (ftrace_lookup_ip(hash, addr)) {
+
+ /*
+ * This needs to be cleared on the return functions
+@@ -1001,10 +1010,20 @@ static inline void ftrace_graph_addr_finish(struct ftrace_graph_ret *trace)
+ static inline int ftrace_graph_notrace_addr(unsigned long addr)
+ {
+ int ret = 0;
++ struct ftrace_hash *notrace_hash;
+
+ preempt_disable_notrace();
+
+- if (ftrace_lookup_ip(ftrace_graph_notrace_hash, addr))
++ /*
++ * Have to open code "rcu_dereference_sched()" because the
++ * function graph tracer can be called when RCU is not
++ * "watching".
++ * Protected with schedule_on_each_cpu(ftrace_sync)
++ */
++ notrace_hash = rcu_dereference_protected(ftrace_graph_notrace_hash,
++ !preemptible());
++
++ if (ftrace_lookup_ip(notrace_hash, addr))
+ ret = 1;
+
+ preempt_enable_notrace();
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 9ae87be422f2..ab8b6436d53f 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -876,7 +876,8 @@ static int __set_print_fmt(struct trace_probe *tp, char *buf, int len,
+ for (i = 0; i < tp->nr_args; i++) {
+ parg = tp->args + i;
+ if (parg->count) {
+- if (strcmp(parg->type->name, "string") == 0)
++ if ((strcmp(parg->type->name, "string") == 0) ||
++ (strcmp(parg->type->name, "ustring") == 0))
+ fmt = ", __get_str(%s[%d])";
+ else
+ fmt = ", REC->%s[%d]";
+@@ -884,7 +885,8 @@ static int __set_print_fmt(struct trace_probe *tp, char *buf, int len,
+ pos += snprintf(buf + pos, LEN_OR_ZERO,
+ fmt, parg->name, j);
+ } else {
+- if (strcmp(parg->type->name, "string") == 0)
++ if ((strcmp(parg->type->name, "string") == 0) ||
++ (strcmp(parg->type->name, "ustring") == 0))
+ fmt = ", __get_str(%s)";
+ else
+ fmt = ", REC->%s";
+diff --git a/kernel/trace/trace_sched_switch.c b/kernel/trace/trace_sched_switch.c
+index e288168661e1..e304196d7c28 100644
+--- a/kernel/trace/trace_sched_switch.c
++++ b/kernel/trace/trace_sched_switch.c
+@@ -89,8 +89,10 @@ static void tracing_sched_unregister(void)
+
+ static void tracing_start_sched_switch(int ops)
+ {
+- bool sched_register = (!sched_cmdline_ref && !sched_tgid_ref);
++ bool sched_register;
++
+ mutex_lock(&sched_register_mutex);
++ sched_register = (!sched_cmdline_ref && !sched_tgid_ref);
+
+ switch (ops) {
+ case RECORD_CMDLINE:
+diff --git a/lib/test_kasan.c b/lib/test_kasan.c
+index 328d33beae36..3872d250ed2c 100644
+--- a/lib/test_kasan.c
++++ b/lib/test_kasan.c
+@@ -158,6 +158,7 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
+ if (!ptr1 || !ptr2) {
+ pr_err("Allocation failed\n");
+ kfree(ptr1);
++ kfree(ptr2);
+ return;
+ }
+
+diff --git a/mm/backing-dev.c b/mm/backing-dev.c
+index c360f6a6c844..62f05f605fb5 100644
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -21,6 +21,7 @@ struct backing_dev_info noop_backing_dev_info = {
+ EXPORT_SYMBOL_GPL(noop_backing_dev_info);
+
+ static struct class *bdi_class;
++const char *bdi_unknown_name = "(unknown)";
+
+ /*
+ * bdi_lock protects bdi_tree and updates to bdi_list. bdi_list has RCU
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 6c83cf4ed970..27c231bf4565 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5340,14 +5340,6 @@ static int mem_cgroup_move_account(struct page *page,
+ __mod_lruvec_state(to_vec, NR_WRITEBACK, nr_pages);
+ }
+
+-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+- if (compound && !list_empty(page_deferred_list(page))) {
+- spin_lock(&from->deferred_split_queue.split_queue_lock);
+- list_del_init(page_deferred_list(page));
+- from->deferred_split_queue.split_queue_len--;
+- spin_unlock(&from->deferred_split_queue.split_queue_lock);
+- }
+-#endif
+ /*
+ * It is safe to change page->mem_cgroup here because the page
+ * is referenced, charged, and isolated - we can't race with
+@@ -5357,16 +5349,6 @@ static int mem_cgroup_move_account(struct page *page,
+ /* caller should have done css_get */
+ page->mem_cgroup = to;
+
+-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+- if (compound && list_empty(page_deferred_list(page))) {
+- spin_lock(&to->deferred_split_queue.split_queue_lock);
+- list_add_tail(page_deferred_list(page),
+- &to->deferred_split_queue.split_queue);
+- to->deferred_split_queue.split_queue_len++;
+- spin_unlock(&to->deferred_split_queue.split_queue_lock);
+- }
+-#endif
+-
+ spin_unlock_irqrestore(&from->move_lock, flags);
+
+ ret = 0;
+diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
+index a91a072f2b2c..0ddff29079c3 100644
+--- a/mm/memory_hotplug.c
++++ b/mm/memory_hotplug.c
+@@ -1764,8 +1764,6 @@ static int __ref try_remove_memory(int nid, u64 start, u64 size)
+
+ BUG_ON(check_hotplug_memory_range(start, size));
+
+- mem_hotplug_begin();
+-
+ /*
+ * All memory blocks must be offlined before removing memory. Check
+ * whether all memory blocks in question are offline and return error
+@@ -1778,9 +1776,14 @@ static int __ref try_remove_memory(int nid, u64 start, u64 size)
+ /* remove memmap entry */
+ firmware_map_remove(start, start + size, "System RAM");
+
+- /* remove memory block devices before removing memory */
++ /*
++ * Memory block device removal under the device_hotplug_lock is
++ * a barrier against racing online attempts.
++ */
+ remove_memory_block_devices(start, size);
+
++ mem_hotplug_begin();
++
+ arch_remove_memory(nid, start, size, NULL);
+ memblock_free(start, size);
+ memblock_remove(start, size);
+diff --git a/mm/migrate.c b/mm/migrate.c
+index 86873b6f38a7..b3b5d3bf0aab 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -1627,8 +1627,19 @@ static int do_pages_move(struct mm_struct *mm, nodemask_t task_nodes,
+ start = i;
+ } else if (node != current_node) {
+ err = do_move_pages_to_node(mm, &pagelist, current_node);
+- if (err)
++ if (err) {
++ /*
++ * Positive err means the number of failed
++ * pages to migrate. Since we are going to
++ * abort and return the number of non-migrated
++ * pages, so need to incude the rest of the
++ * nr_pages that have not been attempted as
++ * well.
++ */
++ if (err > 0)
++ err += nr_pages - i - 1;
+ goto out;
++ }
+ err = store_status(status, start, current_node, i - start);
+ if (err)
+ goto out;
+@@ -1659,8 +1670,11 @@ static int do_pages_move(struct mm_struct *mm, nodemask_t task_nodes,
+ goto out_flush;
+
+ err = do_move_pages_to_node(mm, &pagelist, current_node);
+- if (err)
++ if (err) {
++ if (err > 0)
++ err += nr_pages - i - 1;
+ goto out;
++ }
+ if (i > start) {
+ err = store_status(status, start, current_node, i - start);
+ if (err)
+@@ -1674,9 +1688,16 @@ out_flush:
+
+ /* Make sure we do not overwrite the existing error */
+ err1 = do_move_pages_to_node(mm, &pagelist, current_node);
++ /*
++ * Don't have to report non-attempted pages here since:
++ * - If the above loop is done gracefully all pages have been
++ * attempted.
++ * - If the above loop is aborted it means a fatal error
++ * happened, should return ret.
++ */
+ if (!err1)
+ err1 = store_status(status, start, current_node, i - start);
+- if (!err)
++ if (err >= 0)
+ err = err1;
+ out:
+ return err;
+diff --git a/mm/mmu_gather.c b/mm/mmu_gather.c
+index 7d70e5c78f97..7c1b8f67af7b 100644
+--- a/mm/mmu_gather.c
++++ b/mm/mmu_gather.c
+@@ -102,14 +102,14 @@ bool __tlb_remove_page_size(struct mmu_gather *tlb, struct page *page, int page_
+ */
+ static inline void tlb_table_invalidate(struct mmu_gather *tlb)
+ {
+-#ifndef CONFIG_HAVE_RCU_TABLE_NO_INVALIDATE
+- /*
+- * Invalidate page-table caches used by hardware walkers. Then we still
+- * need to RCU-sched wait while freeing the pages because software
+- * walkers can still be in-flight.
+- */
+- tlb_flush_mmu_tlbonly(tlb);
+-#endif
++ if (tlb_needs_table_invalidate()) {
++ /*
++ * Invalidate page-table caches used by hardware walkers. Then
++ * we still need to RCU-sched wait while freeing the pages
++ * because software walkers can still be in-flight.
++ */
++ tlb_flush_mmu_tlbonly(tlb);
++ }
+ }
+
+ static void tlb_remove_table_smp_sync(void *arg)
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index d047bf7d8fd4..627f1eba6df7 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -6921,7 +6921,8 @@ static u64 zero_pfn_range(unsigned long spfn, unsigned long epfn)
+ * This function also addresses a similar issue where struct pages are left
+ * uninitialized because the physical address range is not covered by
+ * memblock.memory or memblock.reserved. That could happen when memblock
+- * layout is manually configured via memmap=.
++ * layout is manually configured via memmap=, or when the highest physical
++ * address (max_pfn) does not end on a section boundary.
+ */
+ void __init zero_resv_unavail(void)
+ {
+@@ -6939,7 +6940,16 @@ void __init zero_resv_unavail(void)
+ pgcnt += zero_pfn_range(PFN_DOWN(next), PFN_UP(start));
+ next = end;
+ }
+- pgcnt += zero_pfn_range(PFN_DOWN(next), max_pfn);
++
++ /*
++ * Early sections always have a fully populated memmap for the whole
++ * section - see pfn_valid(). If the last section has holes at the
++ * end and that section is marked "online", the memmap will be
++ * considered initialized. Make sure that memmap has a well defined
++ * state.
++ */
++ pgcnt += zero_pfn_range(PFN_DOWN(next),
++ round_up(max_pfn, PAGES_PER_SECTION));
+
+ /*
+ * Struct pages that do not have backing memory. This could be because
+diff --git a/mm/sparse.c b/mm/sparse.c
+index 3822ecbd8a1f..3918fc3eaef1 100644
+--- a/mm/sparse.c
++++ b/mm/sparse.c
+@@ -789,7 +789,7 @@ static void section_deactivate(unsigned long pfn, unsigned long nr_pages,
+ ms->usage = NULL;
+ }
+ memmap = sparse_decode_mem_map(ms->section_mem_map, section_nr);
+- ms->section_mem_map = sparse_encode_mem_map(NULL, section_nr);
++ ms->section_mem_map = (unsigned long)NULL;
+ }
+
+ if (section_is_early && memmap)
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index f76219bf0c21..42370702d0e0 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -3986,6 +3986,12 @@ static int devlink_nl_cmd_region_read_dumpit(struct sk_buff *skb,
+ goto out_unlock;
+ }
+
++ /* return 0 if there is no further data to read */
++ if (start_offset >= region->size) {
++ err = 0;
++ goto out_unlock;
++ }
++
+ hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
+ &devlink_nl_family, NLM_F_ACK | NLM_F_MULTI,
+ DEVLINK_CMD_REGION_READ);
+diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
+index 536e032d95c8..246a258b1fac 100644
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -1004,8 +1004,10 @@ static void net_dm_hw_monitor_stop(struct netlink_ext_ack *extack)
+ {
+ int cpu;
+
+- if (!monitor_hw)
++ if (!monitor_hw) {
+ NL_SET_ERR_MSG_MOD(extack, "Hardware monitoring already disabled");
++ return;
++ }
+
+ monitor_hw = false;
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 2dbbb030fbed..cc32d1dd78c3 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -834,10 +834,10 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
+ struct flow_dissector *flow_dissector,
+ void *target_container)
+ {
++ struct flow_dissector_key_ports *key_ports = NULL;
+ struct flow_dissector_key_control *key_control;
+ struct flow_dissector_key_basic *key_basic;
+ struct flow_dissector_key_addrs *key_addrs;
+- struct flow_dissector_key_ports *key_ports;
+ struct flow_dissector_key_tags *key_tags;
+
+ key_control = skb_flow_dissector_target(flow_dissector,
+@@ -876,10 +876,17 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
+ key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
+ }
+
+- if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) {
++ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
+ key_ports = skb_flow_dissector_target(flow_dissector,
+ FLOW_DISSECTOR_KEY_PORTS,
+ target_container);
++ else if (dissector_uses_key(flow_dissector,
++ FLOW_DISSECTOR_KEY_PORTS_RANGE))
++ key_ports = skb_flow_dissector_target(flow_dissector,
++ FLOW_DISSECTOR_KEY_PORTS_RANGE,
++ target_container);
++
++ if (key_ports) {
+ key_ports->src = flow_keys->sport;
+ key_ports->dst = flow_keys->dport;
+ }
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index d9001b5c48eb..f02705ff0e5e 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1241,6 +1241,8 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+ return 0;
+
+ memset(&vf_vlan_info, 0, sizeof(vf_vlan_info));
++ memset(&node_guid, 0, sizeof(node_guid));
++ memset(&port_guid, 0, sizeof(port_guid));
+
+ vf_mac.vf =
+ vf_vlan.vf =
+@@ -1289,8 +1291,6 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+ sizeof(vf_trust), &vf_trust))
+ goto nla_put_vf_failure;
+
+- memset(&node_guid, 0, sizeof(node_guid));
+- memset(&port_guid, 0, sizeof(port_guid));
+ if (dev->netdev_ops->ndo_get_vf_guid &&
+ !dev->netdev_ops->ndo_get_vf_guid(dev, vfs_num, &node_guid,
+ &port_guid)) {
+diff --git a/net/hsr/hsr_slave.c b/net/hsr/hsr_slave.c
+index ee561297d8a7..fbfd0db182b7 100644
+--- a/net/hsr/hsr_slave.c
++++ b/net/hsr/hsr_slave.c
+@@ -27,6 +27,8 @@ static rx_handler_result_t hsr_handle_frame(struct sk_buff **pskb)
+
+ rcu_read_lock(); /* hsr->node_db, hsr->ports */
+ port = hsr_port_get_rcu(skb->dev);
++ if (!port)
++ goto finish_pass;
+
+ if (hsr_addr_is_self(port->hsr, eth_hdr(skb)->h_source)) {
+ /* Directly kill frames sent by ourselves */
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index a7d766e6390e..94e137f7aa9f 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2621,10 +2621,12 @@ int tcp_disconnect(struct sock *sk, int flags)
+ tp->snd_cwnd = TCP_INIT_CWND;
+ tp->snd_cwnd_cnt = 0;
+ tp->window_clamp = 0;
++ tp->delivered = 0;
+ tp->delivered_ce = 0;
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tp->is_sack_reneg = 0;
+ tcp_clear_retrans(tp);
++ tp->total_retrans = 0;
+ inet_csk_delack_init(sk);
+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+ * issue in __tcp_select_window()
+@@ -2636,10 +2638,14 @@ int tcp_disconnect(struct sock *sk, int flags)
+ sk->sk_rx_dst = NULL;
+ tcp_saved_syn_free(tp);
+ tp->compressed_ack = 0;
++ tp->segs_in = 0;
++ tp->segs_out = 0;
+ tp->bytes_sent = 0;
+ tp->bytes_acked = 0;
+ tp->bytes_received = 0;
+ tp->bytes_retrans = 0;
++ tp->data_segs_in = 0;
++ tp->data_segs_out = 0;
+ tp->duplicate_sack[0].start_seq = 0;
+ tp->duplicate_sack[0].end_seq = 0;
+ tp->dsack_dups = 0;
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 39d861d00377..cb493e15959c 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5718,6 +5718,9 @@ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla)
+ struct nlattr *tb[IFLA_INET6_MAX + 1];
+ int err;
+
++ if (!idev)
++ return -EAFNOSUPPORT;
++
+ if (nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL) < 0)
+ BUG();
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index f82ea12bac37..425b95eb7e87 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -322,8 +322,13 @@ int l2tp_session_register(struct l2tp_session *session,
+
+ spin_lock_bh(&pn->l2tp_session_hlist_lock);
+
++ /* IP encap expects session IDs to be globally unique, while
++ * UDP encap doesn't.
++ */
+ hlist_for_each_entry(session_walk, g_head, global_hlist)
+- if (session_walk->session_id == session->session_id) {
++ if (session_walk->session_id == session->session_id &&
++ (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
++ tunnel->encap == L2TP_ENCAPTYPE_IP)) {
+ err = -EEXIST;
+ goto err_tlock_pnlock;
+ }
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index cf895bc80871..69c107f9ba8d 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1483,31 +1483,34 @@ ip_set_dump_policy[IPSET_ATTR_CMD_MAX + 1] = {
+ };
+
+ static int
+-dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
++ip_set_dump_start(struct netlink_callback *cb)
+ {
+ struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
+ int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));
+ struct nlattr *cda[IPSET_ATTR_CMD_MAX + 1];
+ struct nlattr *attr = (void *)nlh + min_len;
++ struct sk_buff *skb = cb->skb;
++ struct ip_set_net *inst = ip_set_pernet(sock_net(skb->sk));
+ u32 dump_type;
+- ip_set_id_t index;
+ int ret;
+
+ ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, attr,
+ nlh->nlmsg_len - min_len,
+ ip_set_dump_policy, NULL);
+ if (ret)
+- return ret;
++ goto error;
+
+ cb->args[IPSET_CB_PROTO] = nla_get_u8(cda[IPSET_ATTR_PROTOCOL]);
+ if (cda[IPSET_ATTR_SETNAME]) {
++ ip_set_id_t index;
+ struct ip_set *set;
+
+ set = find_set_and_id(inst, nla_data(cda[IPSET_ATTR_SETNAME]),
+ &index);
+- if (!set)
+- return -ENOENT;
+-
++ if (!set) {
++ ret = -ENOENT;
++ goto error;
++ }
+ dump_type = DUMP_ONE;
+ cb->args[IPSET_CB_INDEX] = index;
+ } else {
+@@ -1523,10 +1526,17 @@ dump_init(struct netlink_callback *cb, struct ip_set_net *inst)
+ cb->args[IPSET_CB_DUMP] = dump_type;
+
+ return 0;
++
++error:
++ /* We have to create and send the error message manually :-( */
++ if (nlh->nlmsg_flags & NLM_F_ACK) {
++ netlink_ack(cb->skb, nlh, ret, NULL);
++ }
++ return ret;
+ }
+
+ static int
+-ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
++ip_set_dump_do(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ ip_set_id_t index = IPSET_INVALID_ID, max;
+ struct ip_set *set = NULL;
+@@ -1537,18 +1547,8 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
+ bool is_destroyed;
+ int ret = 0;
+
+- if (!cb->args[IPSET_CB_DUMP]) {
+- ret = dump_init(cb, inst);
+- if (ret < 0) {
+- nlh = nlmsg_hdr(cb->skb);
+- /* We have to create and send the error message
+- * manually :-(
+- */
+- if (nlh->nlmsg_flags & NLM_F_ACK)
+- netlink_ack(cb->skb, nlh, ret, NULL);
+- return ret;
+- }
+- }
++ if (!cb->args[IPSET_CB_DUMP])
++ return -EINVAL;
+
+ if (cb->args[IPSET_CB_INDEX] >= inst->ip_set_max)
+ goto out;
+@@ -1684,7 +1684,8 @@ static int ip_set_dump(struct net *net, struct sock *ctnl, struct sk_buff *skb,
+
+ {
+ struct netlink_dump_control c = {
+- .dump = ip_set_dump_start,
++ .start = ip_set_dump_start,
++ .dump = ip_set_dump_do,
+ .done = ip_set_dump_done,
+ };
+ return netlink_dump_start(ctnl, skb, nlh, &c);
+diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
+index 9d3c4d2d893a..fe42f986cd94 100644
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -194,6 +194,7 @@ static int rxrpc_bind(struct socket *sock, struct sockaddr *saddr, int len)
+ service_in_use:
+ write_unlock(&local->services_lock);
+ rxrpc_unuse_local(local);
++ rxrpc_put_local(local);
+ ret = -EADDRINUSE;
+ error_unlock:
+ release_sock(&rx->sk);
+@@ -899,6 +900,7 @@ static int rxrpc_release_sock(struct sock *sk)
+ rxrpc_purge_queue(&sk->sk_receive_queue);
+
+ rxrpc_unuse_local(rx->local);
++ rxrpc_put_local(rx->local);
+ rx->local = NULL;
+ key_put(rx->key);
+ rx->key = NULL;
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index 5e99df80e80a..7d730c438404 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -490,6 +490,7 @@ enum rxrpc_call_flag {
+ RXRPC_CALL_RX_HEARD, /* The peer responded at least once to this call */
+ RXRPC_CALL_RX_UNDERRUN, /* Got data underrun */
+ RXRPC_CALL_IS_INTR, /* The call is interruptible */
++ RXRPC_CALL_DISCONNECTED, /* The call has been disconnected */
+ };
+
+ /*
+@@ -1021,6 +1022,16 @@ void rxrpc_unuse_local(struct rxrpc_local *);
+ void rxrpc_queue_local(struct rxrpc_local *);
+ void rxrpc_destroy_all_locals(struct rxrpc_net *);
+
++static inline bool __rxrpc_unuse_local(struct rxrpc_local *local)
++{
++ return atomic_dec_return(&local->active_users) == 0;
++}
++
++static inline bool __rxrpc_use_local(struct rxrpc_local *local)
++{
++ return atomic_fetch_add_unless(&local->active_users, 1, 0) != 0;
++}
++
+ /*
+ * misc.c
+ */
+diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
+index a31c18c09894..dbdbc4f18b5e 100644
+--- a/net/rxrpc/call_object.c
++++ b/net/rxrpc/call_object.c
+@@ -493,7 +493,7 @@ void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call)
+
+ _debug("RELEASE CALL %p (%d CONN %p)", call, call->debug_id, conn);
+
+- if (conn)
++ if (conn && !test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+ rxrpc_disconnect_call(call);
+ if (call->security)
+ call->security->free_call_crypto(call);
+@@ -569,6 +569,7 @@ static void rxrpc_rcu_destroy_call(struct rcu_head *rcu)
+ struct rxrpc_call *call = container_of(rcu, struct rxrpc_call, rcu);
+ struct rxrpc_net *rxnet = call->rxnet;
+
++ rxrpc_put_connection(call->conn);
+ rxrpc_put_peer(call->peer);
+ kfree(call->rxtx_buffer);
+ kfree(call->rxtx_annotations);
+@@ -590,7 +591,6 @@ void rxrpc_cleanup_call(struct rxrpc_call *call)
+
+ ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE);
+ ASSERT(test_bit(RXRPC_CALL_RELEASED, &call->flags));
+- ASSERTCMP(call->conn, ==, NULL);
+
+ rxrpc_cleanup_ring(call);
+ rxrpc_free_skb(call->tx_pending, rxrpc_skb_cleaned);
+diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
+index 376370cd9285..ea7d4c21f889 100644
+--- a/net/rxrpc/conn_client.c
++++ b/net/rxrpc/conn_client.c
+@@ -785,6 +785,7 @@ void rxrpc_disconnect_client_call(struct rxrpc_call *call)
+ u32 cid;
+
+ spin_lock(&conn->channel_lock);
++ set_bit(RXRPC_CALL_DISCONNECTED, &call->flags);
+
+ cid = call->cid;
+ if (cid) {
+@@ -792,7 +793,6 @@ void rxrpc_disconnect_client_call(struct rxrpc_call *call)
+ chan = &conn->channels[channel];
+ }
+ trace_rxrpc_client(conn, channel, rxrpc_client_chan_disconnect);
+- call->conn = NULL;
+
+ /* Calls that have never actually been assigned a channel can simply be
+ * discarded. If the conn didn't get used either, it will follow
+@@ -908,7 +908,6 @@ out:
+ spin_unlock(&rxnet->client_conn_cache_lock);
+ out_2:
+ spin_unlock(&conn->channel_lock);
+- rxrpc_put_connection(conn);
+ _leave("");
+ return;
+
+diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
+index 808a4723f868..06fcff2ebbba 100644
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -438,16 +438,12 @@ again:
+ /*
+ * connection-level event processor
+ */
+-void rxrpc_process_connection(struct work_struct *work)
++static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
+ {
+- struct rxrpc_connection *conn =
+- container_of(work, struct rxrpc_connection, processor);
+ struct sk_buff *skb;
+ u32 abort_code = RX_PROTOCOL_ERROR;
+ int ret;
+
+- rxrpc_see_connection(conn);
+-
+ if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
+ rxrpc_secure_connection(conn);
+
+@@ -475,18 +471,32 @@ void rxrpc_process_connection(struct work_struct *work)
+ }
+ }
+
+-out:
+- rxrpc_put_connection(conn);
+- _leave("");
+ return;
+
+ requeue_and_leave:
+ skb_queue_head(&conn->rx_queue, skb);
+- goto out;
++ return;
+
+ protocol_error:
+ if (rxrpc_abort_connection(conn, ret, abort_code) < 0)
+ goto requeue_and_leave;
+ rxrpc_free_skb(skb, rxrpc_skb_freed);
+- goto out;
++ return;
++}
++
++void rxrpc_process_connection(struct work_struct *work)
++{
++ struct rxrpc_connection *conn =
++ container_of(work, struct rxrpc_connection, processor);
++
++ rxrpc_see_connection(conn);
++
++ if (__rxrpc_use_local(conn->params.local)) {
++ rxrpc_do_process_connection(conn);
++ rxrpc_unuse_local(conn->params.local);
++ }
++
++ rxrpc_put_connection(conn);
++ _leave("");
++ return;
+ }
+diff --git a/net/rxrpc/conn_object.c b/net/rxrpc/conn_object.c
+index 38d718e90dc6..19e141eeed17 100644
+--- a/net/rxrpc/conn_object.c
++++ b/net/rxrpc/conn_object.c
+@@ -223,9 +223,8 @@ void rxrpc_disconnect_call(struct rxrpc_call *call)
+ __rxrpc_disconnect_call(conn, call);
+ spin_unlock(&conn->channel_lock);
+
+- call->conn = NULL;
++ set_bit(RXRPC_CALL_DISCONNECTED, &call->flags);
+ conn->idle_timestamp = jiffies;
+- rxrpc_put_connection(conn);
+ }
+
+ /*
+diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
+index 96d54e5bf7bc..ef10fbf71b15 100644
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -599,10 +599,8 @@ ack:
+ false, true,
+ rxrpc_propose_ack_input_data);
+
+- if (seq0 == READ_ONCE(call->rx_hard_ack) + 1) {
+- trace_rxrpc_notify_socket(call->debug_id, serial);
+- rxrpc_notify_socket(call);
+- }
++ trace_rxrpc_notify_socket(call->debug_id, serial);
++ rxrpc_notify_socket(call);
+
+ unlock:
+ spin_unlock(&call->input_lock);
+diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
+index 36587260cabd..a6c1349e965d 100644
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -364,11 +364,14 @@ void rxrpc_queue_local(struct rxrpc_local *local)
+ void rxrpc_put_local(struct rxrpc_local *local)
+ {
+ const void *here = __builtin_return_address(0);
++ unsigned int debug_id;
+ int n;
+
+ if (local) {
++ debug_id = local->debug_id;
++
+ n = atomic_dec_return(&local->usage);
+- trace_rxrpc_local(local->debug_id, rxrpc_local_put, n, here);
++ trace_rxrpc_local(debug_id, rxrpc_local_put, n, here);
+
+ if (n == 0)
+ call_rcu(&local->rcu, rxrpc_local_rcu);
+@@ -380,14 +383,11 @@ void rxrpc_put_local(struct rxrpc_local *local)
+ */
+ struct rxrpc_local *rxrpc_use_local(struct rxrpc_local *local)
+ {
+- unsigned int au;
+-
+ local = rxrpc_get_local_maybe(local);
+ if (!local)
+ return NULL;
+
+- au = atomic_fetch_add_unless(&local->active_users, 1, 0);
+- if (au == 0) {
++ if (!__rxrpc_use_local(local)) {
+ rxrpc_put_local(local);
+ return NULL;
+ }
+@@ -401,14 +401,11 @@ struct rxrpc_local *rxrpc_use_local(struct rxrpc_local *local)
+ */
+ void rxrpc_unuse_local(struct rxrpc_local *local)
+ {
+- unsigned int au;
+-
+ if (local) {
+- au = atomic_dec_return(&local->active_users);
+- if (au == 0)
++ if (__rxrpc_unuse_local(local)) {
++ rxrpc_get_local(local);
+ rxrpc_queue_local(local);
+- else
+- rxrpc_put_local(local);
++ }
+ }
+ }
+
+@@ -465,7 +462,7 @@ static void rxrpc_local_processor(struct work_struct *work)
+
+ do {
+ again = false;
+- if (atomic_read(&local->active_users) == 0) {
++ if (!__rxrpc_use_local(local)) {
+ rxrpc_local_destroyer(local);
+ break;
+ }
+@@ -479,6 +476,8 @@ static void rxrpc_local_processor(struct work_struct *work)
+ rxrpc_process_local_events(local);
+ again = true;
+ }
++
++ __rxrpc_unuse_local(local);
+ } while (again);
+
+ rxrpc_put_local(local);
+diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
+index 935bb60fff56..bad3d2420344 100644
+--- a/net/rxrpc/output.c
++++ b/net/rxrpc/output.c
+@@ -129,7 +129,7 @@ static size_t rxrpc_fill_out_ack(struct rxrpc_connection *conn,
+ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping,
+ rxrpc_serial_t *_serial)
+ {
+- struct rxrpc_connection *conn = NULL;
++ struct rxrpc_connection *conn;
+ struct rxrpc_ack_buffer *pkt;
+ struct msghdr msg;
+ struct kvec iov[2];
+@@ -139,18 +139,14 @@ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping,
+ int ret;
+ u8 reason;
+
+- spin_lock_bh(&call->lock);
+- if (call->conn)
+- conn = rxrpc_get_connection_maybe(call->conn);
+- spin_unlock_bh(&call->lock);
+- if (!conn)
++ if (test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+ return -ECONNRESET;
+
+ pkt = kzalloc(sizeof(*pkt), GFP_KERNEL);
+- if (!pkt) {
+- rxrpc_put_connection(conn);
++ if (!pkt)
+ return -ENOMEM;
+- }
++
++ conn = call->conn;
+
+ msg.msg_name = &call->peer->srx.transport;
+ msg.msg_namelen = call->peer->srx.transport_len;
+@@ -244,7 +240,6 @@ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping,
+ }
+
+ out:
+- rxrpc_put_connection(conn);
+ kfree(pkt);
+ return ret;
+ }
+@@ -254,7 +249,7 @@ out:
+ */
+ int rxrpc_send_abort_packet(struct rxrpc_call *call)
+ {
+- struct rxrpc_connection *conn = NULL;
++ struct rxrpc_connection *conn;
+ struct rxrpc_abort_buffer pkt;
+ struct msghdr msg;
+ struct kvec iov[1];
+@@ -271,13 +266,11 @@ int rxrpc_send_abort_packet(struct rxrpc_call *call)
+ test_bit(RXRPC_CALL_TX_LAST, &call->flags))
+ return 0;
+
+- spin_lock_bh(&call->lock);
+- if (call->conn)
+- conn = rxrpc_get_connection_maybe(call->conn);
+- spin_unlock_bh(&call->lock);
+- if (!conn)
++ if (test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+ return -ECONNRESET;
+
++ conn = call->conn;
++
+ msg.msg_name = &call->peer->srx.transport;
+ msg.msg_namelen = call->peer->srx.transport_len;
+ msg.msg_control = NULL;
+@@ -312,8 +305,6 @@ int rxrpc_send_abort_packet(struct rxrpc_call *call)
+ trace_rxrpc_tx_packet(call->debug_id, &pkt.whdr,
+ rxrpc_tx_point_call_abort);
+ rxrpc_tx_backoff(call, ret);
+-
+- rxrpc_put_connection(conn);
+ return ret;
+ }
+
+diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
+index 48f67a9b1037..923b263c401b 100644
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -364,27 +364,31 @@ static void rxrpc_peer_keepalive_dispatch(struct rxrpc_net *rxnet,
+ if (!rxrpc_get_peer_maybe(peer))
+ continue;
+
+- spin_unlock_bh(&rxnet->peer_hash_lock);
+-
+- keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
+- slot = keepalive_at - base;
+- _debug("%02x peer %u t=%d {%pISp}",
+- cursor, peer->debug_id, slot, &peer->srx.transport);
++ if (__rxrpc_use_local(peer->local)) {
++ spin_unlock_bh(&rxnet->peer_hash_lock);
++
++ keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
++ slot = keepalive_at - base;
++ _debug("%02x peer %u t=%d {%pISp}",
++ cursor, peer->debug_id, slot, &peer->srx.transport);
++
++ if (keepalive_at <= base ||
++ keepalive_at > base + RXRPC_KEEPALIVE_TIME) {
++ rxrpc_send_keepalive(peer);
++ slot = RXRPC_KEEPALIVE_TIME;
++ }
+
+- if (keepalive_at <= base ||
+- keepalive_at > base + RXRPC_KEEPALIVE_TIME) {
+- rxrpc_send_keepalive(peer);
+- slot = RXRPC_KEEPALIVE_TIME;
++ /* A transmission to this peer occurred since last we
++ * examined it so put it into the appropriate future
++ * bucket.
++ */
++ slot += cursor;
++ slot &= mask;
++ spin_lock_bh(&rxnet->peer_hash_lock);
++ list_add_tail(&peer->keepalive_link,
++ &rxnet->peer_keepalive[slot & mask]);
++ rxrpc_unuse_local(peer->local);
+ }
+-
+- /* A transmission to this peer occurred since last we examined
+- * it so put it into the appropriate future bucket.
+- */
+- slot += cursor;
+- slot &= mask;
+- spin_lock_bh(&rxnet->peer_hash_lock);
+- list_add_tail(&peer->keepalive_link,
+- &rxnet->peer_keepalive[slot & mask]);
+ rxrpc_put_peer_locked(peer);
+ }
+
+diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
+index c22624131949..d36949d9382c 100644
+--- a/net/sched/cls_rsvp.h
++++ b/net/sched/cls_rsvp.h
+@@ -463,10 +463,8 @@ static u32 gen_tunnel(struct rsvp_head *data)
+
+ static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
+ [TCA_RSVP_CLASSID] = { .type = NLA_U32 },
+- [TCA_RSVP_DST] = { .type = NLA_BINARY,
+- .len = RSVP_DST_LEN * sizeof(u32) },
+- [TCA_RSVP_SRC] = { .type = NLA_BINARY,
+- .len = RSVP_DST_LEN * sizeof(u32) },
++ [TCA_RSVP_DST] = { .len = RSVP_DST_LEN * sizeof(u32) },
++ [TCA_RSVP_SRC] = { .len = RSVP_DST_LEN * sizeof(u32) },
+ [TCA_RSVP_PINFO] = { .len = sizeof(struct tc_rsvp_pinfo) },
+ };
+
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+index 3d4a1280352f..09b7dc5fe7e0 100644
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -333,12 +333,31 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
+ cp->fall_through = p->fall_through;
+ cp->tp = tp;
+
++ if (tb[TCA_TCINDEX_HASH])
++ cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
++
++ if (tb[TCA_TCINDEX_MASK])
++ cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
++
++ if (tb[TCA_TCINDEX_SHIFT])
++ cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
++
++ if (!cp->hash) {
++ /* Hash not specified, use perfect hash if the upper limit
++ * of the hashing index is below the threshold.
++ */
++ if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
++ cp->hash = (cp->mask >> cp->shift) + 1;
++ else
++ cp->hash = DEFAULT_HASH_SIZE;
++ }
++
+ if (p->perfect) {
+ int i;
+
+ if (tcindex_alloc_perfect_hash(net, cp) < 0)
+ goto errout;
+- for (i = 0; i < cp->hash; i++)
++ for (i = 0; i < min(cp->hash, p->hash); i++)
+ cp->perfect[i].res = p->perfect[i].res;
+ balloc = 1;
+ }
+@@ -346,19 +365,10 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
+
+ err = tcindex_filter_result_init(&new_filter_result, net);
+ if (err < 0)
+- goto errout1;
++ goto errout_alloc;
+ if (old_r)
+ cr = r->res;
+
+- if (tb[TCA_TCINDEX_HASH])
+- cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
+-
+- if (tb[TCA_TCINDEX_MASK])
+- cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
+-
+- if (tb[TCA_TCINDEX_SHIFT])
+- cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
+-
+ err = -EBUSY;
+
+ /* Hash already allocated, make sure that we still meet the
+@@ -376,16 +386,6 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
+ if (tb[TCA_TCINDEX_FALL_THROUGH])
+ cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]);
+
+- if (!cp->hash) {
+- /* Hash not specified, use perfect hash if the upper limit
+- * of the hashing index is below the threshold.
+- */
+- if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
+- cp->hash = (cp->mask >> cp->shift) + 1;
+- else
+- cp->hash = DEFAULT_HASH_SIZE;
+- }
+-
+ if (!cp->perfect && !cp->h)
+ cp->alloc_hash = cp->hash;
+
+@@ -484,7 +484,6 @@ errout_alloc:
+ tcindex_free_perfect_hash(cp);
+ else if (balloc == 2)
+ kfree(cp->h);
+-errout1:
+ tcf_exts_destroy(&new_filter_result.exts);
+ errout:
+ kfree(cp);
+diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
+index c609373c8661..660fc45ee40f 100644
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -31,6 +31,7 @@ static DEFINE_SPINLOCK(taprio_list_lock);
+
+ #define TXTIME_ASSIST_IS_ENABLED(flags) ((flags) & TCA_TAPRIO_ATTR_FLAG_TXTIME_ASSIST)
+ #define FULL_OFFLOAD_IS_ENABLED(flags) ((flags) & TCA_TAPRIO_ATTR_FLAG_FULL_OFFLOAD)
++#define TAPRIO_FLAGS_INVALID U32_MAX
+
+ struct sched_entry {
+ struct list_head list;
+@@ -766,6 +767,7 @@ static const struct nla_policy taprio_policy[TCA_TAPRIO_ATTR_MAX + 1] = {
+ [TCA_TAPRIO_ATTR_SCHED_CLOCKID] = { .type = NLA_S32 },
+ [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME] = { .type = NLA_S64 },
+ [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME_EXTENSION] = { .type = NLA_S64 },
++ [TCA_TAPRIO_ATTR_FLAGS] = { .type = NLA_U32 },
+ };
+
+ static int fill_sched_entry(struct nlattr **tb, struct sched_entry *entry,
+@@ -1367,6 +1369,33 @@ static int taprio_mqprio_cmp(const struct net_device *dev,
+ return 0;
+ }
+
++/* The semantics of the 'flags' argument in relation to 'change()'
++ * requests, are interpreted following two rules (which are applied in
++ * this order): (1) an omitted 'flags' argument is interpreted as
++ * zero; (2) the 'flags' of a "running" taprio instance cannot be
++ * changed.
++ */
++static int taprio_new_flags(const struct nlattr *attr, u32 old,
++ struct netlink_ext_ack *extack)
++{
++ u32 new = 0;
++
++ if (attr)
++ new = nla_get_u32(attr);
++
++ if (old != TAPRIO_FLAGS_INVALID && old != new) {
++ NL_SET_ERR_MSG_MOD(extack, "Changing 'flags' of a running schedule is not supported");
++ return -EOPNOTSUPP;
++ }
++
++ if (!taprio_flags_valid(new)) {
++ NL_SET_ERR_MSG_MOD(extack, "Specified 'flags' are not valid");
++ return -EINVAL;
++ }
++
++ return new;
++}
++
+ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+ struct netlink_ext_ack *extack)
+ {
+@@ -1375,7 +1404,6 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+ struct taprio_sched *q = qdisc_priv(sch);
+ struct net_device *dev = qdisc_dev(sch);
+ struct tc_mqprio_qopt *mqprio = NULL;
+- u32 taprio_flags = 0;
+ unsigned long flags;
+ ktime_t start;
+ int i, err;
+@@ -1388,21 +1416,14 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+ if (tb[TCA_TAPRIO_ATTR_PRIOMAP])
+ mqprio = nla_data(tb[TCA_TAPRIO_ATTR_PRIOMAP]);
+
+- if (tb[TCA_TAPRIO_ATTR_FLAGS]) {
+- taprio_flags = nla_get_u32(tb[TCA_TAPRIO_ATTR_FLAGS]);
+-
+- if (q->flags != 0 && q->flags != taprio_flags) {
+- NL_SET_ERR_MSG_MOD(extack, "Changing 'flags' of a running schedule is not supported");
+- return -EOPNOTSUPP;
+- } else if (!taprio_flags_valid(taprio_flags)) {
+- NL_SET_ERR_MSG_MOD(extack, "Specified 'flags' are not valid");
+- return -EINVAL;
+- }
++ err = taprio_new_flags(tb[TCA_TAPRIO_ATTR_FLAGS],
++ q->flags, extack);
++ if (err < 0)
++ return err;
+
+- q->flags = taprio_flags;
+- }
++ q->flags = err;
+
+- err = taprio_parse_mqprio_opt(dev, mqprio, extack, taprio_flags);
++ err = taprio_parse_mqprio_opt(dev, mqprio, extack, q->flags);
+ if (err < 0)
+ return err;
+
+@@ -1444,7 +1465,20 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+
+ taprio_set_picos_per_byte(dev, q);
+
+- if (FULL_OFFLOAD_IS_ENABLED(taprio_flags))
++ if (mqprio) {
++ netdev_set_num_tc(dev, mqprio->num_tc);
++ for (i = 0; i < mqprio->num_tc; i++)
++ netdev_set_tc_queue(dev, i,
++ mqprio->count[i],
++ mqprio->offset[i]);
++
++ /* Always use supplied priority mappings */
++ for (i = 0; i <= TC_BITMASK; i++)
++ netdev_set_prio_tc_map(dev, i,
++ mqprio->prio_tc_map[i]);
++ }
++
++ if (FULL_OFFLOAD_IS_ENABLED(q->flags))
+ err = taprio_enable_offload(dev, mqprio, q, new_admin, extack);
+ else
+ err = taprio_disable_offload(dev, q, extack);
+@@ -1464,27 +1498,14 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+ q->txtime_delay = nla_get_u32(tb[TCA_TAPRIO_ATTR_TXTIME_DELAY]);
+ }
+
+- if (!TXTIME_ASSIST_IS_ENABLED(taprio_flags) &&
+- !FULL_OFFLOAD_IS_ENABLED(taprio_flags) &&
++ if (!TXTIME_ASSIST_IS_ENABLED(q->flags) &&
++ !FULL_OFFLOAD_IS_ENABLED(q->flags) &&
+ !hrtimer_active(&q->advance_timer)) {
+ hrtimer_init(&q->advance_timer, q->clockid, HRTIMER_MODE_ABS);
+ q->advance_timer.function = advance_sched;
+ }
+
+- if (mqprio) {
+- netdev_set_num_tc(dev, mqprio->num_tc);
+- for (i = 0; i < mqprio->num_tc; i++)
+- netdev_set_tc_queue(dev, i,
+- mqprio->count[i],
+- mqprio->offset[i]);
+-
+- /* Always use supplied priority mappings */
+- for (i = 0; i <= TC_BITMASK; i++)
+- netdev_set_prio_tc_map(dev, i,
+- mqprio->prio_tc_map[i]);
+- }
+-
+- if (FULL_OFFLOAD_IS_ENABLED(taprio_flags)) {
++ if (FULL_OFFLOAD_IS_ENABLED(q->flags)) {
+ q->dequeue = taprio_dequeue_offload;
+ q->peek = taprio_peek_offload;
+ } else {
+@@ -1501,9 +1522,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+ goto unlock;
+ }
+
+- if (TXTIME_ASSIST_IS_ENABLED(taprio_flags)) {
+- setup_txtime(q, new_admin, start);
++ setup_txtime(q, new_admin, start);
+
++ if (TXTIME_ASSIST_IS_ENABLED(q->flags)) {
+ if (!oper) {
+ rcu_assign_pointer(q->oper_sched, new_admin);
+ err = 0;
+@@ -1528,7 +1549,7 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
+
+ spin_unlock_irqrestore(&q->current_entry_lock, flags);
+
+- if (FULL_OFFLOAD_IS_ENABLED(taprio_flags))
++ if (FULL_OFFLOAD_IS_ENABLED(q->flags))
+ taprio_offload_config_changed(q);
+ }
+
+@@ -1567,7 +1588,7 @@ static void taprio_destroy(struct Qdisc *sch)
+ }
+ q->qdiscs = NULL;
+
+- netdev_set_num_tc(dev, 0);
++ netdev_reset_tc(dev);
+
+ if (q->oper_sched)
+ call_rcu(&q->oper_sched->rcu, taprio_free_sched_cb);
+@@ -1597,6 +1618,7 @@ static int taprio_init(struct Qdisc *sch, struct nlattr *opt,
+ * and get the valid one on taprio_change().
+ */
+ q->clockid = -1;
++ q->flags = TAPRIO_FLAGS_INVALID;
+
+ spin_lock(&taprio_list_lock);
+ list_add(&q->taprio_list, &taprio_list);
+diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
+index c62d1f10978b..cff77f096647 100644
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1248,6 +1248,7 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
+ dprintk("RPC: No creds found!\n");
+ goto out;
+ } else {
++ struct timespec64 boot;
+
+ /* steal creds */
+ rsci.cred = ud->creds;
+@@ -1268,6 +1269,9 @@ static int gss_proxy_save_rsc(struct cache_detail *cd,
+ &expiry, GFP_KERNEL);
+ if (status)
+ goto out;
++
++ getboottime64(&boot);
++ expiry -= boot.tv_sec;
+ }
+
+ rsci.h.expiry_time = expiry;
+diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
+index 1fc42ad8ff49..c0147a8cf188 100644
+--- a/samples/bpf/Makefile
++++ b/samples/bpf/Makefile
+@@ -38,6 +38,8 @@ tprogs-y += tc_l2_redirect
+ tprogs-y += lwt_len_hist
+ tprogs-y += xdp_tx_iptunnel
+ tprogs-y += test_map_in_map
++tprogs-y += per_socket_stats_example
++tprogs-y += xdp_redirect
+ tprogs-y += xdp_redirect_map
+ tprogs-y += xdp_redirect_cpu
+ tprogs-y += xdp_monitor
+@@ -251,7 +253,7 @@ all:
+
+ clean:
+ $(MAKE) -C ../../ M=$(CURDIR) clean
+- @rm -f *~
++ @find $(CURDIR) -type f -name '*~' -delete
+
+ $(LIBBPF): FORCE
+ # Fix up variables inherited from Kbuild that tools/ build system won't like
+diff --git a/samples/bpf/xdp_redirect_cpu_user.c b/samples/bpf/xdp_redirect_cpu_user.c
+index 0da6e9e7132e..8b862a7a6c6a 100644
+--- a/samples/bpf/xdp_redirect_cpu_user.c
++++ b/samples/bpf/xdp_redirect_cpu_user.c
+@@ -16,6 +16,10 @@ static const char *__doc__ =
+ #include <getopt.h>
+ #include <net/if.h>
+ #include <time.h>
++#include <linux/limits.h>
++
++#define __must_check
++#include <linux/err.h>
+
+ #include <arpa/inet.h>
+ #include <linux/if_link.h>
+@@ -46,6 +50,10 @@ static int cpus_count_map_fd;
+ static int cpus_iterator_map_fd;
+ static int exception_cnt_map_fd;
+
++#define NUM_TP 5
++struct bpf_link *tp_links[NUM_TP] = { 0 };
++static int tp_cnt = 0;
++
+ /* Exit return codes */
+ #define EXIT_OK 0
+ #define EXIT_FAIL 1
+@@ -88,6 +96,10 @@ static void int_exit(int sig)
+ printf("program on interface changed, not removing\n");
+ }
+ }
++ /* Detach tracepoints */
++ while (tp_cnt)
++ bpf_link__destroy(tp_links[--tp_cnt]);
++
+ exit(EXIT_OK);
+ }
+
+@@ -588,23 +600,61 @@ static void stats_poll(int interval, bool use_separators, char *prog_name,
+ free_stats_record(prev);
+ }
+
++static struct bpf_link * attach_tp(struct bpf_object *obj,
++ const char *tp_category,
++ const char* tp_name)
++{
++ struct bpf_program *prog;
++ struct bpf_link *link;
++ char sec_name[PATH_MAX];
++ int len;
++
++ len = snprintf(sec_name, PATH_MAX, "tracepoint/%s/%s",
++ tp_category, tp_name);
++ if (len < 0)
++ exit(EXIT_FAIL);
++
++ prog = bpf_object__find_program_by_title(obj, sec_name);
++ if (!prog) {
++ fprintf(stderr, "ERR: finding progsec: %s\n", sec_name);
++ exit(EXIT_FAIL_BPF);
++ }
++
++ link = bpf_program__attach_tracepoint(prog, tp_category, tp_name);
++ if (IS_ERR(link))
++ exit(EXIT_FAIL_BPF);
++
++ return link;
++}
++
++static void init_tracepoints(struct bpf_object *obj) {
++ tp_links[tp_cnt++] = attach_tp(obj, "xdp", "xdp_redirect_err");
++ tp_links[tp_cnt++] = attach_tp(obj, "xdp", "xdp_redirect_map_err");
++ tp_links[tp_cnt++] = attach_tp(obj, "xdp", "xdp_exception");
++ tp_links[tp_cnt++] = attach_tp(obj, "xdp", "xdp_cpumap_enqueue");
++ tp_links[tp_cnt++] = attach_tp(obj, "xdp", "xdp_cpumap_kthread");
++}
++
+ static int init_map_fds(struct bpf_object *obj)
+ {
+- cpu_map_fd = bpf_object__find_map_fd_by_name(obj, "cpu_map");
+- rx_cnt_map_fd = bpf_object__find_map_fd_by_name(obj, "rx_cnt");
++ /* Maps updated by tracepoints */
+ redirect_err_cnt_map_fd =
+ bpf_object__find_map_fd_by_name(obj, "redirect_err_cnt");
++ exception_cnt_map_fd =
++ bpf_object__find_map_fd_by_name(obj, "exception_cnt");
+ cpumap_enqueue_cnt_map_fd =
+ bpf_object__find_map_fd_by_name(obj, "cpumap_enqueue_cnt");
+ cpumap_kthread_cnt_map_fd =
+ bpf_object__find_map_fd_by_name(obj, "cpumap_kthread_cnt");
++
++ /* Maps used by XDP */
++ rx_cnt_map_fd = bpf_object__find_map_fd_by_name(obj, "rx_cnt");
++ cpu_map_fd = bpf_object__find_map_fd_by_name(obj, "cpu_map");
+ cpus_available_map_fd =
+ bpf_object__find_map_fd_by_name(obj, "cpus_available");
+ cpus_count_map_fd = bpf_object__find_map_fd_by_name(obj, "cpus_count");
+ cpus_iterator_map_fd =
+ bpf_object__find_map_fd_by_name(obj, "cpus_iterator");
+- exception_cnt_map_fd =
+- bpf_object__find_map_fd_by_name(obj, "exception_cnt");
+
+ if (cpu_map_fd < 0 || rx_cnt_map_fd < 0 ||
+ redirect_err_cnt_map_fd < 0 || cpumap_enqueue_cnt_map_fd < 0 ||
+@@ -662,6 +712,7 @@ int main(int argc, char **argv)
+ strerror(errno));
+ return EXIT_FAIL;
+ }
++ init_tracepoints(obj);
+ if (init_map_fds(obj) < 0) {
+ fprintf(stderr, "bpf_object__find_map_fd_by_name failed\n");
+ return EXIT_FAIL;
+diff --git a/scripts/find-unused-docs.sh b/scripts/find-unused-docs.sh
+index 3f46f8977dc4..ee6a50e33aba 100755
+--- a/scripts/find-unused-docs.sh
++++ b/scripts/find-unused-docs.sh
+@@ -54,7 +54,7 @@ for file in `find $1 -name '*.c'`; do
+ if [[ ${FILES_INCLUDED[$file]+_} ]]; then
+ continue;
+ fi
+- str=$(scripts/kernel-doc -text -export "$file" 2>/dev/null)
++ str=$(scripts/kernel-doc -export "$file" 2>/dev/null)
+ if [[ -n "$str" ]]; then
+ echo "$file"
+ fi
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index ecea41ce919b..8bc7b04769a8 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2831,42 +2831,39 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
+ int addrlen)
+ {
+ int rc = 0;
+-#if IS_ENABLED(CONFIG_IPV6)
+- struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
+-#endif
+-#ifdef SMACK_IPV6_SECMARK_LABELING
+- struct smack_known *rsp;
+- struct socket_smack *ssp;
+-#endif
+
+ if (sock->sk == NULL)
+ return 0;
+-
++ if (sock->sk->sk_family != PF_INET &&
++ (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6))
++ return 0;
++ if (addrlen < offsetofend(struct sockaddr, sa_family))
++ return 0;
++ if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
++ struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
+ #ifdef SMACK_IPV6_SECMARK_LABELING
+- ssp = sock->sk->sk_security;
++ struct smack_known *rsp;
+ #endif
+
+- switch (sock->sk->sk_family) {
+- case PF_INET:
+- if (addrlen < sizeof(struct sockaddr_in) ||
+- sap->sa_family != AF_INET)
+- return -EINVAL;
+- rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
+- break;
+- case PF_INET6:
+- if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6)
+- return -EINVAL;
++ if (addrlen < SIN6_LEN_RFC2133)
++ return 0;
+ #ifdef SMACK_IPV6_SECMARK_LABELING
+ rsp = smack_ipv6host_label(sip);
+- if (rsp != NULL)
++ if (rsp != NULL) {
++ struct socket_smack *ssp = sock->sk->sk_security;
++
+ rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
+- SMK_CONNECTING);
++ SMK_CONNECTING);
++ }
+ #endif
+ #ifdef SMACK_IPV6_PORT_LABELING
+ rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
+ #endif
+- break;
++ return rc;
+ }
++ if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in))
++ return 0;
++ rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
+ return rc;
+ }
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index d083225344a0..c9b7e1a073ee 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -785,10 +785,22 @@ end:
+ return err;
+ }
+
++static int do_hw_free(struct snd_pcm_substream *substream)
++{
++ int result = 0;
++
++ snd_pcm_sync_stop(substream);
++ if (substream->ops->hw_free)
++ result = substream->ops->hw_free(substream);
++ if (substream->managed_buffer_alloc)
++ snd_pcm_lib_free_pages(substream);
++ return result;
++}
++
+ static int snd_pcm_hw_free(struct snd_pcm_substream *substream)
+ {
+ struct snd_pcm_runtime *runtime;
+- int result = 0;
++ int result;
+
+ if (PCM_RUNTIME_CHECK(substream))
+ return -ENXIO;
+@@ -805,11 +817,7 @@ static int snd_pcm_hw_free(struct snd_pcm_substream *substream)
+ snd_pcm_stream_unlock_irq(substream);
+ if (atomic_read(&substream->mmap_count))
+ return -EBADFD;
+- snd_pcm_sync_stop(substream);
+- if (substream->ops->hw_free)
+- result = substream->ops->hw_free(substream);
+- if (substream->managed_buffer_alloc)
+- snd_pcm_lib_free_pages(substream);
++ result = do_hw_free(substream);
+ snd_pcm_set_state(substream, SNDRV_PCM_STATE_OPEN);
+ pm_qos_remove_request(&substream->latency_pm_qos_req);
+ return result;
+@@ -2466,9 +2474,7 @@ void snd_pcm_release_substream(struct snd_pcm_substream *substream)
+
+ snd_pcm_drop(substream);
+ if (substream->hw_opened) {
+- if (substream->ops->hw_free &&
+- substream->runtime->status->state != SNDRV_PCM_STATE_OPEN)
+- substream->ops->hw_free(substream);
++ do_hw_free(substream);
+ substream->ops->close(substream);
+ substream->hw_opened = 0;
+ }
+diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c
+index 022a0db692e0..3a2839f44f5c 100644
+--- a/sound/drivers/dummy.c
++++ b/sound/drivers/dummy.c
+@@ -915,7 +915,7 @@ static void print_formats(struct snd_dummy *dummy,
+ {
+ int i;
+
+- for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) {
++ for (i = 0; i <= SNDRV_PCM_FORMAT_LAST; i++) {
+ if (dummy->pcm_hw.formats & (1ULL << i))
+ snd_iprintf(buffer, " %s", snd_pcm_format_name(i));
+ }
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 8ef223aa1e37..9d3b28bcba9b 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2188,6 +2188,8 @@ static struct snd_pci_quirk power_save_blacklist[] = {
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1581607 */
+ SND_PCI_QUIRK(0x1558, 0x3501, "Clevo W35xSS_370SS", 0),
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
++ SND_PCI_QUIRK(0x1558, 0x6504, "Clevo W65_67SB", 0),
++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
+ SND_PCI_QUIRK(0x1028, 0x0497, "Dell Precision T3600", 0),
+ /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */
+ /* Note the P55A-UD3 and Z87-D3HP share the subsys id for the HDA dev */
+@@ -2447,6 +2449,8 @@ static const struct pci_device_id azx_ids[] = {
+ /* Jasperlake */
+ { PCI_DEVICE(0x8086, 0x38c8),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
++ { PCI_DEVICE(0x8086, 0x4dc8),
++ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+ /* Tigerlake */
+ { PCI_DEVICE(0x8086, 0xa0c8),
+ .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
+diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
+index 8350954b7986..e5191584638a 100644
+--- a/sound/pci/hda/hda_tegra.c
++++ b/sound/pci/hda/hda_tegra.c
+@@ -398,6 +398,7 @@ static int hda_tegra_create(struct snd_card *card,
+ return err;
+
+ chip->bus.needs_damn_long_delay = 1;
++ chip->bus.core.aligned_mmio = 1;
+
+ err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops);
+ if (err < 0) {
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 630b1f5c276d..bde50414029d 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -1547,6 +1547,34 @@ static bool update_eld(struct hda_codec *codec,
+ return eld_changed;
+ }
+
++static struct snd_jack *pin_idx_to_pcm_jack(struct hda_codec *codec,
++ struct hdmi_spec_per_pin *per_pin)
++{
++ struct hdmi_spec *spec = codec->spec;
++ struct snd_jack *jack = NULL;
++ struct hda_jack_tbl *jack_tbl;
++
++ /* if !dyn_pcm_assign, get jack from hda_jack_tbl
++ * in !dyn_pcm_assign case, spec->pcm_rec[].jack is not
++ * NULL even after snd_hda_jack_tbl_clear() is called to
++ * free snd_jack. This may cause access invalid memory
++ * when calling snd_jack_report
++ */
++ if (per_pin->pcm_idx >= 0 && spec->dyn_pcm_assign) {
++ jack = spec->pcm_rec[per_pin->pcm_idx].jack;
++ } else if (!spec->dyn_pcm_assign) {
++ /*
++ * jack tbl doesn't support DP MST
++ * DP MST will use dyn_pcm_assign,
++ * so DP MST will never come here
++ */
++ jack_tbl = snd_hda_jack_tbl_get_mst(codec, per_pin->pin_nid,
++ per_pin->dev_id);
++ if (jack_tbl)
++ jack = jack_tbl->jack;
++ }
++ return jack;
++}
+ /* update ELD and jack state via HD-audio verbs */
+ static bool hdmi_present_sense_via_verbs(struct hdmi_spec_per_pin *per_pin,
+ int repoll)
+@@ -1568,6 +1596,7 @@ static bool hdmi_present_sense_via_verbs(struct hdmi_spec_per_pin *per_pin,
+ int present;
+ bool ret;
+ bool do_repoll = false;
++ struct snd_jack *pcm_jack = NULL;
+
+ present = snd_hda_jack_pin_sense(codec, pin_nid, dev_id);
+
+@@ -1595,10 +1624,19 @@ static bool hdmi_present_sense_via_verbs(struct hdmi_spec_per_pin *per_pin,
+ do_repoll = true;
+ }
+
+- if (do_repoll)
++ if (do_repoll) {
+ schedule_delayed_work(&per_pin->work, msecs_to_jiffies(300));
+- else
++ } else {
++ /*
++ * pcm_idx >=0 before update_eld() means it is in monitor
++ * disconnected event. Jack must be fetched before
++ * update_eld().
++ */
++ pcm_jack = pin_idx_to_pcm_jack(codec, per_pin);
+ update_eld(codec, per_pin, eld);
++ if (!pcm_jack)
++ pcm_jack = pin_idx_to_pcm_jack(codec, per_pin);
++ }
+
+ ret = !repoll || !eld->monitor_present || eld->eld_valid;
+
+@@ -1607,38 +1645,32 @@ static bool hdmi_present_sense_via_verbs(struct hdmi_spec_per_pin *per_pin,
+ jack->block_report = !ret;
+ jack->pin_sense = (eld->monitor_present && eld->eld_valid) ?
+ AC_PINSENSE_PRESENCE : 0;
+- }
+- mutex_unlock(&per_pin->lock);
+- return ret;
+-}
+
+-static struct snd_jack *pin_idx_to_jack(struct hda_codec *codec,
+- struct hdmi_spec_per_pin *per_pin)
+-{
+- struct hdmi_spec *spec = codec->spec;
+- struct snd_jack *jack = NULL;
+- struct hda_jack_tbl *jack_tbl;
++ if (spec->dyn_pcm_assign && pcm_jack && !do_repoll) {
++ int state = 0;
++
++ if (jack->pin_sense & AC_PINSENSE_PRESENCE)
++ state = SND_JACK_AVOUT;
++ snd_jack_report(pcm_jack, state);
++ }
+
+- /* if !dyn_pcm_assign, get jack from hda_jack_tbl
+- * in !dyn_pcm_assign case, spec->pcm_rec[].jack is not
+- * NULL even after snd_hda_jack_tbl_clear() is called to
+- * free snd_jack. This may cause access invalid memory
+- * when calling snd_jack_report
+- */
+- if (per_pin->pcm_idx >= 0 && spec->dyn_pcm_assign)
+- jack = spec->pcm_rec[per_pin->pcm_idx].jack;
+- else if (!spec->dyn_pcm_assign) {
+ /*
+- * jack tbl doesn't support DP MST
+- * DP MST will use dyn_pcm_assign,
+- * so DP MST will never come here
++ * snd_hda_jack_pin_sense() call at the beginning of this
++ * function, updates jack->pins_sense and clears
++ * jack->jack_dirty, therefore snd_hda_jack_report_sync() will
++ * not override the jack->pin_sense.
++ *
++ * snd_hda_jack_report_sync() is superfluous for dyn_pcm_assign
++ * case. The jack->pin_sense update was already performed, and
++ * hda_jack->jack is NULL for dyn_pcm_assign.
++ *
++ * Don't call snd_hda_jack_report_sync() for
++ * dyn_pcm_assign.
+ */
+- jack_tbl = snd_hda_jack_tbl_get_mst(codec, per_pin->pin_nid,
+- per_pin->dev_id);
+- if (jack_tbl)
+- jack = jack_tbl->jack;
++ ret = ret && !spec->dyn_pcm_assign;
+ }
+- return jack;
++ mutex_unlock(&per_pin->lock);
++ return ret;
+ }
+
+ /* update ELD and jack state via audio component */
+@@ -1674,10 +1706,10 @@ static void sync_eld_via_acomp(struct hda_codec *codec,
+ /* pcm_idx >=0 before update_eld() means it is in monitor
+ * disconnected event. Jack must be fetched before update_eld()
+ */
+- jack = pin_idx_to_jack(codec, per_pin);
++ jack = pin_idx_to_pcm_jack(codec, per_pin);
+ changed = update_eld(codec, per_pin, eld);
+ if (jack == NULL)
+- jack = pin_idx_to_jack(codec, per_pin);
++ jack = pin_idx_to_pcm_jack(codec, per_pin);
+ if (changed && jack)
+ snd_jack_report(jack,
+ (eld->monitor_present && eld->eld_valid) ?
+@@ -4250,6 +4282,7 @@ HDA_CODEC_ENTRY(0x8086280c, "Cannonlake HDMI", patch_i915_glk_hdmi),
+ HDA_CODEC_ENTRY(0x8086280d, "Geminilake HDMI", patch_i915_glk_hdmi),
+ HDA_CODEC_ENTRY(0x8086280f, "Icelake HDMI", patch_i915_icl_hdmi),
+ HDA_CODEC_ENTRY(0x80862812, "Tigerlake HDMI", patch_i915_tgl_hdmi),
++HDA_CODEC_ENTRY(0x8086281a, "Jasperlake HDMI", patch_i915_icl_hdmi),
+ HDA_CODEC_ENTRY(0x80862880, "CedarTrail HDMI", patch_generic_hdmi),
+ HDA_CODEC_ENTRY(0x80862882, "Valleyview2 HDMI", patch_i915_byt_hdmi),
+ HDA_CODEC_ENTRY(0x80862883, "Braswell HDMI", patch_i915_byt_hdmi),
+diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
+index aa1f9637d895..e949b372cead 100644
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -1344,7 +1344,8 @@ static int sgtl5000_set_power_regs(struct snd_soc_component *component)
+ * if vddio == vdda the source of charge pump should be
+ * assigned manually to VDDIO
+ */
+- if (vddio == vdda) {
++ if (regulator_is_equal(sgtl5000->supplies[VDDA].consumer,
++ sgtl5000->supplies[VDDIO].consumer)) {
+ lreg_ctrl |= SGTL5000_VDDC_ASSN_OVRD;
+ lreg_ctrl |= SGTL5000_VDDC_MAN_ASSN_VDDIO <<
+ SGTL5000_VDDC_MAN_ASSN_SHIFT;
+diff --git a/sound/soc/intel/boards/skl_hda_dsp_common.c b/sound/soc/intel/boards/skl_hda_dsp_common.c
+index eb419e1ec42b..78ff5f24c40e 100644
+--- a/sound/soc/intel/boards/skl_hda_dsp_common.c
++++ b/sound/soc/intel/boards/skl_hda_dsp_common.c
+@@ -41,16 +41,19 @@ int skl_hda_hdmi_add_pcm(struct snd_soc_card *card, int device)
+ return 0;
+ }
+
+-SND_SOC_DAILINK_DEFS(idisp1,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp1 Pin")),
++SND_SOC_DAILINK_DEF(idisp1_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp1 Pin")));
++SND_SOC_DAILINK_DEF(idisp1_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi1")));
+
+-SND_SOC_DAILINK_DEFS(idisp2,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp2 Pin")),
++SND_SOC_DAILINK_DEF(idisp2_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp2 Pin")));
++SND_SOC_DAILINK_DEF(idisp2_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi2")));
+
+-SND_SOC_DAILINK_DEFS(idisp3,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp3 Pin")),
++SND_SOC_DAILINK_DEF(idisp3_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp3 Pin")));
++SND_SOC_DAILINK_DEF(idisp3_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi3")));
+
+ SND_SOC_DAILINK_DEF(analog_cpu,
+@@ -83,21 +86,21 @@ struct snd_soc_dai_link skl_hda_be_dai_links[HDA_DSP_MAX_BE_DAI_LINKS] = {
+ .id = 1,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp1),
++ SND_SOC_DAILINK_REG(idisp1_cpu, idisp1_codec, platform),
+ },
+ {
+ .name = "iDisp2",
+ .id = 2,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp2),
++ SND_SOC_DAILINK_REG(idisp2_cpu, idisp2_codec, platform),
+ },
+ {
+ .name = "iDisp3",
+ .id = 3,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp3),
++ SND_SOC_DAILINK_REG(idisp3_cpu, idisp3_codec, platform),
+ },
+ {
+ .name = "Analog Playback and Capture",
+diff --git a/sound/soc/meson/axg-fifo.c b/sound/soc/meson/axg-fifo.c
+index d6f3eefb8f09..200bddf159a2 100644
+--- a/sound/soc/meson/axg-fifo.c
++++ b/sound/soc/meson/axg-fifo.c
+@@ -113,10 +113,12 @@ int axg_fifo_pcm_hw_params(struct snd_soc_component *component,
+ {
+ struct snd_pcm_runtime *runtime = ss->runtime;
+ struct axg_fifo *fifo = axg_fifo_data(ss);
++ unsigned int burst_num, period, threshold;
+ dma_addr_t end_ptr;
+- unsigned int burst_num;
+ int ret;
+
++ period = params_period_bytes(params);
++
+ ret = snd_pcm_lib_malloc_pages(ss, params_buffer_bytes(params));
+ if (ret < 0)
+ return ret;
+@@ -127,9 +129,25 @@ int axg_fifo_pcm_hw_params(struct snd_soc_component *component,
+ regmap_write(fifo->map, FIFO_FINISH_ADDR, end_ptr);
+
+ /* Setup interrupt periodicity */
+- burst_num = params_period_bytes(params) / AXG_FIFO_BURST;
++ burst_num = period / AXG_FIFO_BURST;
+ regmap_write(fifo->map, FIFO_INT_ADDR, burst_num);
+
++ /*
++ * Start the fifo request on the smallest of the following:
++ * - Half the fifo size
++ * - Half the period size
++ */
++ threshold = min(period / 2,
++ (unsigned int)AXG_FIFO_MIN_DEPTH / 2);
++
++ /*
++ * With the threshold in bytes, register value is:
++ * V = (threshold / burst) - 1
++ */
++ threshold /= AXG_FIFO_BURST;
++ regmap_field_write(fifo->field_threshold,
++ threshold ? threshold - 1 : 0);
++
+ /* Enable block count irq */
+ regmap_update_bits(fifo->map, FIFO_CTRL0,
+ CTRL0_INT_EN(FIFO_INT_COUNT_REPEAT),
+@@ -352,6 +370,11 @@ int axg_fifo_probe(struct platform_device *pdev)
+ return fifo->irq;
+ }
+
++ fifo->field_threshold =
++ devm_regmap_field_alloc(dev, fifo->map, data->field_threshold);
++ if (IS_ERR(fifo->field_threshold))
++ return PTR_ERR(fifo->field_threshold);
++
+ return devm_snd_soc_register_component(dev, data->component_drv,
+ data->dai_drv, 1);
+ }
+diff --git a/sound/soc/meson/axg-fifo.h b/sound/soc/meson/axg-fifo.h
+index cf928d43b558..c442195ba191 100644
+--- a/sound/soc/meson/axg-fifo.h
++++ b/sound/soc/meson/axg-fifo.h
+@@ -9,7 +9,9 @@
+
+ struct clk;
+ struct platform_device;
++struct reg_field;
+ struct regmap;
++struct regmap_field;
+ struct reset_control;
+
+ struct snd_soc_component_driver;
+@@ -50,8 +52,6 @@ struct snd_soc_pcm_runtime;
+ #define CTRL1_STATUS2_SEL_MASK GENMASK(11, 8)
+ #define CTRL1_STATUS2_SEL(x) ((x) << 8)
+ #define STATUS2_SEL_DDR_READ 0
+-#define CTRL1_THRESHOLD_MASK GENMASK(23, 16)
+-#define CTRL1_THRESHOLD(x) ((x) << 16)
+ #define CTRL1_FRDDR_DEPTH_MASK GENMASK(31, 24)
+ #define CTRL1_FRDDR_DEPTH(x) ((x) << 24)
+ #define FIFO_START_ADDR 0x08
+@@ -67,12 +67,14 @@ struct axg_fifo {
+ struct regmap *map;
+ struct clk *pclk;
+ struct reset_control *arb;
++ struct regmap_field *field_threshold;
+ int irq;
+ };
+
+ struct axg_fifo_match_data {
+ const struct snd_soc_component_driver *component_drv;
+ struct snd_soc_dai_driver *dai_drv;
++ struct reg_field field_threshold;
+ };
+
+ int axg_fifo_pcm_open(struct snd_soc_component *component,
+diff --git a/sound/soc/meson/axg-frddr.c b/sound/soc/meson/axg-frddr.c
+index 665d75d49d7b..657b05c739b5 100644
+--- a/sound/soc/meson/axg-frddr.c
++++ b/sound/soc/meson/axg-frddr.c
+@@ -50,7 +50,7 @@ static int axg_frddr_dai_startup(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+ {
+ struct axg_fifo *fifo = snd_soc_dai_get_drvdata(dai);
+- unsigned int fifo_depth, fifo_threshold;
++ unsigned int fifo_depth;
+ int ret;
+
+ /* Enable pclk to access registers and clock the fifo ip */
+@@ -68,11 +68,8 @@ static int axg_frddr_dai_startup(struct snd_pcm_substream *substream,
+ * Depth and threshold are zero based.
+ */
+ fifo_depth = AXG_FIFO_MIN_CNT - 1;
+- fifo_threshold = (AXG_FIFO_MIN_CNT / 2) - 1;
+- regmap_update_bits(fifo->map, FIFO_CTRL1,
+- CTRL1_FRDDR_DEPTH_MASK | CTRL1_THRESHOLD_MASK,
+- CTRL1_FRDDR_DEPTH(fifo_depth) |
+- CTRL1_THRESHOLD(fifo_threshold));
++ regmap_update_bits(fifo->map, FIFO_CTRL1, CTRL1_FRDDR_DEPTH_MASK,
++ CTRL1_FRDDR_DEPTH(fifo_depth));
+
+ return 0;
+ }
+@@ -159,8 +156,9 @@ static const struct snd_soc_component_driver axg_frddr_component_drv = {
+ };
+
+ static const struct axg_fifo_match_data axg_frddr_match_data = {
+- .component_drv = &axg_frddr_component_drv,
+- .dai_drv = &axg_frddr_dai_drv
++ .field_threshold = REG_FIELD(FIFO_CTRL1, 16, 23),
++ .component_drv = &axg_frddr_component_drv,
++ .dai_drv = &axg_frddr_dai_drv
+ };
+
+ static const struct snd_soc_dai_ops g12a_frddr_ops = {
+@@ -283,8 +281,9 @@ static const struct snd_soc_component_driver g12a_frddr_component_drv = {
+ };
+
+ static const struct axg_fifo_match_data g12a_frddr_match_data = {
+- .component_drv = &g12a_frddr_component_drv,
+- .dai_drv = &g12a_frddr_dai_drv
++ .field_threshold = REG_FIELD(FIFO_CTRL1, 16, 23),
++ .component_drv = &g12a_frddr_component_drv,
++ .dai_drv = &g12a_frddr_dai_drv
+ };
+
+ /* On SM1, the output selection in on CTRL2 */
+@@ -353,8 +352,9 @@ static const struct snd_soc_component_driver sm1_frddr_component_drv = {
+ };
+
+ static const struct axg_fifo_match_data sm1_frddr_match_data = {
+- .component_drv = &sm1_frddr_component_drv,
+- .dai_drv = &g12a_frddr_dai_drv
++ .field_threshold = REG_FIELD(FIFO_CTRL1, 16, 23),
++ .component_drv = &sm1_frddr_component_drv,
++ .dai_drv = &g12a_frddr_dai_drv
+ };
+
+ static const struct of_device_id axg_frddr_of_match[] = {
+diff --git a/sound/soc/meson/axg-toddr.c b/sound/soc/meson/axg-toddr.c
+index 7fef0b961496..e90f1b3198ee 100644
+--- a/sound/soc/meson/axg-toddr.c
++++ b/sound/soc/meson/axg-toddr.c
+@@ -89,7 +89,6 @@ static int axg_toddr_dai_startup(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+ {
+ struct axg_fifo *fifo = snd_soc_dai_get_drvdata(dai);
+- unsigned int fifo_threshold;
+ int ret;
+
+ /* Enable pclk to access registers and clock the fifo ip */
+@@ -107,11 +106,6 @@ static int axg_toddr_dai_startup(struct snd_pcm_substream *substream,
+ /* Apply single buffer mode to the interface */
+ regmap_update_bits(fifo->map, FIFO_CTRL0, CTRL0_TODDR_PP_MODE, 0);
+
+- /* TODDR does not have a configurable fifo depth */
+- fifo_threshold = AXG_FIFO_MIN_CNT - 1;
+- regmap_update_bits(fifo->map, FIFO_CTRL1, CTRL1_THRESHOLD_MASK,
+- CTRL1_THRESHOLD(fifo_threshold));
+-
+ return 0;
+ }
+
+@@ -191,8 +185,9 @@ static const struct snd_soc_component_driver axg_toddr_component_drv = {
+ };
+
+ static const struct axg_fifo_match_data axg_toddr_match_data = {
+- .component_drv = &axg_toddr_component_drv,
+- .dai_drv = &axg_toddr_dai_drv
++ .field_threshold = REG_FIELD(FIFO_CTRL1, 16, 23),
++ .component_drv = &axg_toddr_component_drv,
++ .dai_drv = &axg_toddr_dai_drv
+ };
+
+ static const struct snd_soc_dai_ops g12a_toddr_ops = {
+@@ -230,8 +225,9 @@ static const struct snd_soc_component_driver g12a_toddr_component_drv = {
+ };
+
+ static const struct axg_fifo_match_data g12a_toddr_match_data = {
+- .component_drv = &g12a_toddr_component_drv,
+- .dai_drv = &g12a_toddr_dai_drv
++ .field_threshold = REG_FIELD(FIFO_CTRL1, 16, 23),
++ .component_drv = &g12a_toddr_component_drv,
++ .dai_drv = &g12a_toddr_dai_drv
+ };
+
+ static const char * const sm1_toddr_sel_texts[] = {
+@@ -300,8 +296,9 @@ static const struct snd_soc_component_driver sm1_toddr_component_drv = {
+ };
+
+ static const struct axg_fifo_match_data sm1_toddr_match_data = {
+- .component_drv = &sm1_toddr_component_drv,
+- .dai_drv = &g12a_toddr_dai_drv
++ .field_threshold = REG_FIELD(FIFO_CTRL1, 12, 23),
++ .component_drv = &sm1_toddr_component_drv,
++ .dai_drv = &g12a_toddr_dai_drv
+ };
+
+ static const struct of_device_id axg_toddr_of_match[] = {
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index 92e4f4d08bfa..4e1fe623c390 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1906,6 +1906,10 @@ static int soc_tplg_fe_link_create(struct soc_tplg *tplg,
+ link->num_codecs = 1;
+ link->num_platforms = 1;
+
++ link->dobj.index = tplg->index;
++ link->dobj.ops = tplg->ops;
++ link->dobj.type = SND_SOC_DOBJ_DAI_LINK;
++
+ if (strlen(pcm->pcm_name)) {
+ link->name = kstrdup(pcm->pcm_name, GFP_KERNEL);
+ link->stream_name = kstrdup(pcm->pcm_name, GFP_KERNEL);
+@@ -1942,9 +1946,6 @@ static int soc_tplg_fe_link_create(struct soc_tplg *tplg,
+ goto err;
+ }
+
+- link->dobj.index = tplg->index;
+- link->dobj.ops = tplg->ops;
+- link->dobj.type = SND_SOC_DOBJ_DAI_LINK;
+ list_add(&link->dobj.list, &tplg->comp->dobj_list);
+
+ return 0;
+diff --git a/sound/soc/sof/core.c b/sound/soc/sof/core.c
+index 805918d3bcc0..a06a54f423dd 100644
+--- a/sound/soc/sof/core.c
++++ b/sound/soc/sof/core.c
+@@ -306,6 +306,46 @@ static int sof_machine_check(struct snd_sof_dev *sdev)
+ #endif
+ }
+
++/*
++ * FW Boot State Transition Diagram
++ *
++ * +-----------------------------------------------------------------------+
++ * | |
++ * ------------------ ------------------ |
++ * | | | | |
++ * | BOOT_FAILED | | READY_FAILED |-------------------------+ |
++ * | | | | | |
++ * ------------------ ------------------ | |
++ * ^ ^ | |
++ * | | | |
++ * (FW Boot Timeout) (FW_READY FAIL) | |
++ * | | | |
++ * | | | |
++ * ------------------ | ------------------ | |
++ * | | | | | | |
++ * | IN_PROGRESS |---------------+------------->| COMPLETE | | |
++ * | | (FW Boot OK) (FW_READY OK) | | | |
++ * ------------------ ------------------ | |
++ * ^ | | |
++ * | | | |
++ * (FW Loading OK) (System Suspend/Runtime Suspend)
++ * | | | |
++ * | | | |
++ * ------------------ ------------------ | | |
++ * | | | |<-----+ | |
++ * | PREPARE | | NOT_STARTED |<---------------------+ |
++ * | | | |<---------------------------+
++ * ------------------ ------------------
++ * | ^ | ^
++ * | | | |
++ * | +-----------------------+ |
++ * | (DSP Probe OK) |
++ * | |
++ * | |
++ * +------------------------------------+
++ * (System Suspend/Runtime Suspend)
++ */
++
+ static int sof_probe_continue(struct snd_sof_dev *sdev)
+ {
+ struct snd_sof_pdata *plat_data = sdev->pdata;
+@@ -321,6 +361,8 @@ static int sof_probe_continue(struct snd_sof_dev *sdev)
+ return ret;
+ }
+
++ sdev->fw_state = SOF_FW_BOOT_PREPARE;
++
+ /* check machine info */
+ ret = sof_machine_check(sdev);
+ if (ret < 0) {
+@@ -360,7 +402,12 @@ static int sof_probe_continue(struct snd_sof_dev *sdev)
+ goto fw_load_err;
+ }
+
+- /* boot the firmware */
++ sdev->fw_state = SOF_FW_BOOT_IN_PROGRESS;
++
++ /*
++ * Boot the firmware. The FW boot status will be modified
++ * in snd_sof_run_firmware() depending on the outcome.
++ */
+ ret = snd_sof_run_firmware(sdev);
+ if (ret < 0) {
+ dev_err(sdev->dev, "error: failed to boot DSP firmware %d\n",
+@@ -394,7 +441,7 @@ static int sof_probe_continue(struct snd_sof_dev *sdev)
+ if (ret < 0) {
+ dev_err(sdev->dev,
+ "error: failed to register DSP DAI driver %d\n", ret);
+- goto fw_run_err;
++ goto fw_trace_err;
+ }
+
+ drv_name = plat_data->machine->drv_name;
+@@ -408,7 +455,7 @@ static int sof_probe_continue(struct snd_sof_dev *sdev)
+
+ if (IS_ERR(plat_data->pdev_mach)) {
+ ret = PTR_ERR(plat_data->pdev_mach);
+- goto fw_run_err;
++ goto fw_trace_err;
+ }
+
+ dev_dbg(sdev->dev, "created machine %s\n",
+@@ -419,7 +466,8 @@ static int sof_probe_continue(struct snd_sof_dev *sdev)
+
+ return 0;
+
+-#if !IS_ENABLED(CONFIG_SND_SOC_SOF_PROBE_WORK_QUEUE)
++fw_trace_err:
++ snd_sof_free_trace(sdev);
+ fw_run_err:
+ snd_sof_fw_unload(sdev);
+ fw_load_err:
+@@ -428,21 +476,10 @@ ipc_err:
+ snd_sof_free_debug(sdev);
+ dbg_err:
+ snd_sof_remove(sdev);
+-#else
+-
+- /*
+- * when the probe_continue is handled in a work queue, the
+- * probe does not fail so we don't release resources here.
+- * They will be released with an explicit call to
+- * snd_sof_device_remove() when the PCI/ACPI device is removed
+- */
+
+-fw_run_err:
+-fw_load_err:
+-ipc_err:
+-dbg_err:
+-
+-#endif
++ /* all resources freed, update state to match */
++ sdev->fw_state = SOF_FW_BOOT_NOT_STARTED;
++ sdev->first_boot = true;
+
+ return ret;
+ }
+@@ -476,6 +513,7 @@ int snd_sof_device_probe(struct device *dev, struct snd_sof_pdata *plat_data)
+
+ sdev->pdata = plat_data;
+ sdev->first_boot = true;
++ sdev->fw_state = SOF_FW_BOOT_NOT_STARTED;
+ dev_set_drvdata(dev, sdev);
+
+ /* check all mandatory ops */
+@@ -524,10 +562,12 @@ int snd_sof_device_remove(struct device *dev)
+ if (IS_ENABLED(CONFIG_SND_SOC_SOF_PROBE_WORK_QUEUE))
+ cancel_work_sync(&sdev->probe_work);
+
+- snd_sof_fw_unload(sdev);
+- snd_sof_ipc_free(sdev);
+- snd_sof_free_debug(sdev);
+- snd_sof_free_trace(sdev);
++ if (sdev->fw_state > SOF_FW_BOOT_NOT_STARTED) {
++ snd_sof_fw_unload(sdev);
++ snd_sof_ipc_free(sdev);
++ snd_sof_free_debug(sdev);
++ snd_sof_free_trace(sdev);
++ }
+
+ /*
+ * Unregister machine driver. This will unbind the snd_card which
+@@ -543,7 +583,8 @@ int snd_sof_device_remove(struct device *dev)
+ * scheduled on, when they are unloaded. Therefore, the DSP must be
+ * removed only after the topology has been unloaded.
+ */
+- snd_sof_remove(sdev);
++ if (sdev->fw_state > SOF_FW_BOOT_NOT_STARTED)
++ snd_sof_remove(sdev);
+
+ /* release firmware */
+ release_firmware(pdata->fw);
+diff --git a/sound/soc/sof/intel/hda-loader.c b/sound/soc/sof/intel/hda-loader.c
+index bae7ac3581e5..8852184a2569 100644
+--- a/sound/soc/sof/intel/hda-loader.c
++++ b/sound/soc/sof/intel/hda-loader.c
+@@ -295,7 +295,6 @@ int hda_dsp_cl_boot_firmware(struct snd_sof_dev *sdev)
+
+ /* init for booting wait */
+ init_waitqueue_head(&sdev->boot_wait);
+- sdev->boot_complete = false;
+
+ /* prepare DMA for code loader stream */
+ tag = cl_stream_prepare(sdev, 0x40, stripped_firmware.size,
+diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c
+index 91bd88fddac7..fb17b87b684b 100644
+--- a/sound/soc/sof/intel/hda.c
++++ b/sound/soc/sof/intel/hda.c
+@@ -168,7 +168,7 @@ void hda_dsp_dump_skl(struct snd_sof_dev *sdev, u32 flags)
+ panic = snd_sof_dsp_read(sdev, HDA_DSP_BAR,
+ HDA_ADSP_ERROR_CODE_SKL + 0x4);
+
+- if (sdev->boot_complete) {
++ if (sdev->fw_state == SOF_FW_BOOT_COMPLETE) {
+ hda_dsp_get_registers(sdev, &xoops, &panic_info, stack,
+ HDA_DSP_STACK_DUMP_SIZE);
+ snd_sof_get_status(sdev, status, panic, &xoops, &panic_info,
+@@ -195,7 +195,7 @@ void hda_dsp_dump(struct snd_sof_dev *sdev, u32 flags)
+ HDA_DSP_SRAM_REG_FW_STATUS);
+ panic = snd_sof_dsp_read(sdev, HDA_DSP_BAR, HDA_DSP_SRAM_REG_FW_TRACEP);
+
+- if (sdev->boot_complete) {
++ if (sdev->fw_state == SOF_FW_BOOT_COMPLETE) {
+ hda_dsp_get_registers(sdev, &xoops, &panic_info, stack,
+ HDA_DSP_STACK_DUMP_SIZE);
+ snd_sof_get_status(sdev, status, panic, &xoops, &panic_info,
+diff --git a/sound/soc/sof/ipc.c b/sound/soc/sof/ipc.c
+index 5fdfbaa8c4ed..dfe429f9e33f 100644
+--- a/sound/soc/sof/ipc.c
++++ b/sound/soc/sof/ipc.c
+@@ -346,19 +346,12 @@ void snd_sof_ipc_msgs_rx(struct snd_sof_dev *sdev)
+ break;
+ case SOF_IPC_FW_READY:
+ /* check for FW boot completion */
+- if (!sdev->boot_complete) {
++ if (sdev->fw_state == SOF_FW_BOOT_IN_PROGRESS) {
+ err = sof_ops(sdev)->fw_ready(sdev, cmd);
+- if (err < 0) {
+- /*
+- * this indicates a mismatch in ABI
+- * between the driver and fw
+- */
+- dev_err(sdev->dev, "error: ABI mismatch %d\n",
+- err);
+- } else {
+- /* firmware boot completed OK */
+- sdev->boot_complete = true;
+- }
++ if (err < 0)
++ sdev->fw_state = SOF_FW_BOOT_READY_FAILED;
++ else
++ sdev->fw_state = SOF_FW_BOOT_COMPLETE;
+
+ /* wake up firmware loader */
+ wake_up(&sdev->boot_wait);
+diff --git a/sound/soc/sof/loader.c b/sound/soc/sof/loader.c
+index 432d12bd4937..31847aa3975d 100644
+--- a/sound/soc/sof/loader.c
++++ b/sound/soc/sof/loader.c
+@@ -512,7 +512,6 @@ int snd_sof_run_firmware(struct snd_sof_dev *sdev)
+ int init_core_mask;
+
+ init_waitqueue_head(&sdev->boot_wait);
+- sdev->boot_complete = false;
+
+ /* create read-only fw_version debugfs to store boot version info */
+ if (sdev->first_boot) {
+@@ -544,19 +543,27 @@ int snd_sof_run_firmware(struct snd_sof_dev *sdev)
+
+ init_core_mask = ret;
+
+- /* now wait for the DSP to boot */
+- ret = wait_event_timeout(sdev->boot_wait, sdev->boot_complete,
++ /*
++ * now wait for the DSP to boot. There are 3 possible outcomes:
++ * 1. Boot wait times out indicating FW boot failure.
++ * 2. FW boots successfully and fw_ready op succeeds.
++ * 3. FW boots but fw_ready op fails.
++ */
++ ret = wait_event_timeout(sdev->boot_wait,
++ sdev->fw_state > SOF_FW_BOOT_IN_PROGRESS,
+ msecs_to_jiffies(sdev->boot_timeout));
+ if (ret == 0) {
+ dev_err(sdev->dev, "error: firmware boot failure\n");
+ snd_sof_dsp_dbg_dump(sdev, SOF_DBG_REGS | SOF_DBG_MBOX |
+ SOF_DBG_TEXT | SOF_DBG_PCI);
+- /* after this point FW_READY msg should be ignored */
+- sdev->boot_complete = true;
++ sdev->fw_state = SOF_FW_BOOT_FAILED;
+ return -EIO;
+ }
+
+- dev_info(sdev->dev, "firmware boot complete\n");
++ if (sdev->fw_state == SOF_FW_BOOT_COMPLETE)
++ dev_info(sdev->dev, "firmware boot complete\n");
++ else
++ return -EIO; /* FW boots but fw_ready op failed */
+
+ /* perform post fw run operations */
+ ret = snd_sof_dsp_post_fw_run(sdev);
+diff --git a/sound/soc/sof/pm.c b/sound/soc/sof/pm.c
+index 0fd5567237a8..bc09cb5f458b 100644
+--- a/sound/soc/sof/pm.c
++++ b/sound/soc/sof/pm.c
+@@ -269,6 +269,10 @@ static int sof_resume(struct device *dev, bool runtime_resume)
+ if (!sof_ops(sdev)->resume || !sof_ops(sdev)->runtime_resume)
+ return 0;
+
++ /* DSP was never successfully started, nothing to resume */
++ if (sdev->first_boot)
++ return 0;
++
+ /*
+ * if the runtime_resume flag is set, call the runtime_resume routine
+ * or else call the system resume routine
+@@ -283,6 +287,8 @@ static int sof_resume(struct device *dev, bool runtime_resume)
+ return ret;
+ }
+
++ sdev->fw_state = SOF_FW_BOOT_PREPARE;
++
+ /* load the firmware */
+ ret = snd_sof_load_firmware(sdev);
+ if (ret < 0) {
+@@ -292,7 +298,12 @@ static int sof_resume(struct device *dev, bool runtime_resume)
+ return ret;
+ }
+
+- /* boot the firmware */
++ sdev->fw_state = SOF_FW_BOOT_IN_PROGRESS;
++
++ /*
++ * Boot the firmware. The FW boot status will be modified
++ * in snd_sof_run_firmware() depending on the outcome.
++ */
+ ret = snd_sof_run_firmware(sdev);
+ if (ret < 0) {
+ dev_err(sdev->dev,
+@@ -341,6 +352,9 @@ static int sof_suspend(struct device *dev, bool runtime_suspend)
+ if (!sof_ops(sdev)->suspend)
+ return 0;
+
++ if (sdev->fw_state != SOF_FW_BOOT_COMPLETE)
++ goto power_down;
++
+ /* release trace */
+ snd_sof_release_trace(sdev);
+
+@@ -378,6 +392,12 @@ static int sof_suspend(struct device *dev, bool runtime_suspend)
+ ret);
+ }
+
++power_down:
++
++ /* return if the DSP was not probed successfully */
++ if (sdev->fw_state == SOF_FW_BOOT_NOT_STARTED)
++ return 0;
++
+ /* power down all DSP cores */
+ if (runtime_suspend)
+ ret = snd_sof_dsp_runtime_suspend(sdev);
+@@ -388,6 +408,9 @@ static int sof_suspend(struct device *dev, bool runtime_suspend)
+ "error: failed to power down DSP during suspend %d\n",
+ ret);
+
++ /* reset FW state */
++ sdev->fw_state = SOF_FW_BOOT_NOT_STARTED;
++
+ return ret;
+ }
+
+diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h
+index c7c2c70ee4d0..59cc711e99ff 100644
+--- a/sound/soc/sof/sof-priv.h
++++ b/sound/soc/sof/sof-priv.h
+@@ -387,6 +387,15 @@ struct snd_sof_dai {
+ struct list_head list; /* list in sdev dai list */
+ };
+
++enum snd_sof_fw_state {
++ SOF_FW_BOOT_NOT_STARTED = 0,
++ SOF_FW_BOOT_PREPARE,
++ SOF_FW_BOOT_IN_PROGRESS,
++ SOF_FW_BOOT_FAILED,
++ SOF_FW_BOOT_READY_FAILED, /* firmware booted but fw_ready op failed */
++ SOF_FW_BOOT_COMPLETE,
++};
++
+ /*
+ * SOF Device Level.
+ */
+@@ -408,7 +417,7 @@ struct snd_sof_dev {
+
+ /* DSP firmware boot */
+ wait_queue_head_t boot_wait;
+- u32 boot_complete;
++ enum snd_sof_fw_state fw_state;
+ u32 first_boot;
+
+ /* work queue in case the probe is implemented in two steps */
+diff --git a/sound/soc/tegra/tegra30_i2s.c b/sound/soc/tegra/tegra30_i2s.c
+index dbed3c5408e7..d59882ec48f1 100644
+--- a/sound/soc/tegra/tegra30_i2s.c
++++ b/sound/soc/tegra/tegra30_i2s.c
+@@ -127,7 +127,7 @@ static int tegra30_i2s_hw_params(struct snd_pcm_substream *substream,
+ struct device *dev = dai->dev;
+ struct tegra30_i2s *i2s = snd_soc_dai_get_drvdata(dai);
+ unsigned int mask, val, reg;
+- int ret, sample_size, srate, i2sclock, bitcnt, audio_bits;
++ int ret, sample_size, srate, i2sclock, bitcnt;
+ struct tegra30_ahub_cif_conf cif_conf;
+
+ if (params_channels(params) != 2)
+@@ -137,19 +137,8 @@ static int tegra30_i2s_hw_params(struct snd_pcm_substream *substream,
+ switch (params_format(params)) {
+ case SNDRV_PCM_FORMAT_S16_LE:
+ val = TEGRA30_I2S_CTRL_BIT_SIZE_16;
+- audio_bits = TEGRA30_AUDIOCIF_BITS_16;
+ sample_size = 16;
+ break;
+- case SNDRV_PCM_FORMAT_S24_LE:
+- val = TEGRA30_I2S_CTRL_BIT_SIZE_24;
+- audio_bits = TEGRA30_AUDIOCIF_BITS_24;
+- sample_size = 24;
+- break;
+- case SNDRV_PCM_FORMAT_S32_LE:
+- val = TEGRA30_I2S_CTRL_BIT_SIZE_32;
+- audio_bits = TEGRA30_AUDIOCIF_BITS_32;
+- sample_size = 32;
+- break;
+ default:
+ return -EINVAL;
+ }
+@@ -181,8 +170,8 @@ static int tegra30_i2s_hw_params(struct snd_pcm_substream *substream,
+ cif_conf.threshold = 0;
+ cif_conf.audio_channels = 2;
+ cif_conf.client_channels = 2;
+- cif_conf.audio_bits = audio_bits;
+- cif_conf.client_bits = audio_bits;
++ cif_conf.audio_bits = TEGRA30_AUDIOCIF_BITS_16;
++ cif_conf.client_bits = TEGRA30_AUDIOCIF_BITS_16;
+ cif_conf.expand = 0;
+ cif_conf.stereo_conv = 0;
+ cif_conf.replicate = 0;
+@@ -317,18 +306,14 @@ static const struct snd_soc_dai_driver tegra30_i2s_dai_template = {
+ .channels_min = 2,
+ .channels_max = 2,
+ .rates = SNDRV_PCM_RATE_8000_96000,
+- .formats = SNDRV_PCM_FMTBIT_S32_LE |
+- SNDRV_PCM_FMTBIT_S24_LE |
+- SNDRV_PCM_FMTBIT_S16_LE,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ },
+ .capture = {
+ .stream_name = "Capture",
+ .channels_min = 2,
+ .channels_max = 2,
+ .rates = SNDRV_PCM_RATE_8000_96000,
+- .formats = SNDRV_PCM_FMTBIT_S32_LE |
+- SNDRV_PCM_FMTBIT_S24_LE |
+- SNDRV_PCM_FMTBIT_S16_LE,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ },
+ .ops = &tegra30_i2s_dai_ops,
+ .symmetric_rates = 1,
+diff --git a/sound/usb/mixer_scarlett_gen2.c b/sound/usb/mixer_scarlett_gen2.c
+index 94b903d95afa..74c00c905d24 100644
+--- a/sound/usb/mixer_scarlett_gen2.c
++++ b/sound/usb/mixer_scarlett_gen2.c
+@@ -558,11 +558,11 @@ static const struct scarlett2_config
+
+ /* proprietary request/response format */
+ struct scarlett2_usb_packet {
+- u32 cmd;
+- u16 size;
+- u16 seq;
+- u32 error;
+- u32 pad;
++ __le32 cmd;
++ __le16 size;
++ __le16 seq;
++ __le32 error;
++ __le32 pad;
+ u8 data[];
+ };
+
+@@ -664,11 +664,11 @@ static int scarlett2_usb(
+ "Scarlett Gen 2 USB invalid response; "
+ "cmd tx/rx %d/%d seq %d/%d size %d/%d "
+ "error %d pad %d\n",
+- le16_to_cpu(req->cmd), le16_to_cpu(resp->cmd),
++ le32_to_cpu(req->cmd), le32_to_cpu(resp->cmd),
+ le16_to_cpu(req->seq), le16_to_cpu(resp->seq),
+ resp_size, le16_to_cpu(resp->size),
+- le16_to_cpu(resp->error),
+- le16_to_cpu(resp->pad));
++ le32_to_cpu(resp->error),
++ le32_to_cpu(resp->pad));
+ err = -EINVAL;
+ goto unlock;
+ }
+@@ -687,7 +687,7 @@ error:
+ /* Send SCARLETT2_USB_DATA_CMD SCARLETT2_USB_CONFIG_SAVE */
+ static void scarlett2_config_save(struct usb_mixer_interface *mixer)
+ {
+- u32 req = cpu_to_le32(SCARLETT2_USB_CONFIG_SAVE);
++ __le32 req = cpu_to_le32(SCARLETT2_USB_CONFIG_SAVE);
+
+ scarlett2_usb(mixer, SCARLETT2_USB_DATA_CMD,
+ &req, sizeof(u32),
+@@ -713,11 +713,11 @@ static int scarlett2_usb_set_config(
+ const struct scarlett2_config config_item =
+ scarlett2_config_items[config_item_num];
+ struct {
+- u32 offset;
+- u32 bytes;
+- s32 value;
++ __le32 offset;
++ __le32 bytes;
++ __le32 value;
+ } __packed req;
+- u32 req2;
++ __le32 req2;
+ int err;
+ struct scarlett2_mixer_data *private = mixer->private_data;
+
+@@ -753,8 +753,8 @@ static int scarlett2_usb_get(
+ int offset, void *buf, int size)
+ {
+ struct {
+- u32 offset;
+- u32 size;
++ __le32 offset;
++ __le32 size;
+ } __packed req;
+
+ req.offset = cpu_to_le32(offset);
+@@ -794,8 +794,8 @@ static int scarlett2_usb_set_mix(struct usb_mixer_interface *mixer,
+ const struct scarlett2_device_info *info = private->info;
+
+ struct {
+- u16 mix_num;
+- u16 data[SCARLETT2_INPUT_MIX_MAX];
++ __le16 mix_num;
++ __le16 data[SCARLETT2_INPUT_MIX_MAX];
+ } __packed req;
+
+ int i, j;
+@@ -850,9 +850,9 @@ static int scarlett2_usb_set_mux(struct usb_mixer_interface *mixer)
+ };
+
+ struct {
+- u16 pad;
+- u16 num;
+- u32 data[SCARLETT2_MUX_MAX];
++ __le16 pad;
++ __le16 num;
++ __le32 data[SCARLETT2_MUX_MAX];
+ } __packed req;
+
+ req.pad = 0;
+@@ -911,9 +911,9 @@ static int scarlett2_usb_get_meter_levels(struct usb_mixer_interface *mixer,
+ u16 *levels)
+ {
+ struct {
+- u16 pad;
+- u16 num_meters;
+- u32 magic;
++ __le16 pad;
++ __le16 num_meters;
++ __le32 magic;
+ } __packed req;
+ u32 resp[SCARLETT2_NUM_METERS];
+ int i, err;
+diff --git a/sound/usb/validate.c b/sound/usb/validate.c
+index 36ae78c3da3d..c43d8c3895a9 100644
+--- a/sound/usb/validate.c
++++ b/sound/usb/validate.c
+@@ -110,7 +110,7 @@ static bool validate_processing_unit(const void *p,
+ default:
+ if (v->type == UAC1_EXTENSION_UNIT)
+ return true; /* OK */
+- switch (d->wProcessType) {
++ switch (le16_to_cpu(d->wProcessType)) {
+ case UAC_PROCESS_UP_DOWNMIX:
+ case UAC_PROCESS_DOLBY_PROLOGIC:
+ if (d->bLength < len + 1) /* bNrModes */
+@@ -125,7 +125,7 @@ static bool validate_processing_unit(const void *p,
+ case UAC_VERSION_2:
+ if (v->type == UAC2_EXTENSION_UNIT_V2)
+ return true; /* OK */
+- switch (d->wProcessType) {
++ switch (le16_to_cpu(d->wProcessType)) {
+ case UAC2_PROCESS_UP_DOWNMIX:
+ case UAC2_PROCESS_DOLBY_PROLOCIC: /* SiC! */
+ if (d->bLength < len + 1) /* bNrModes */
+@@ -142,7 +142,7 @@ static bool validate_processing_unit(const void *p,
+ len += 2; /* wClusterDescrID */
+ break;
+ }
+- switch (d->wProcessType) {
++ switch (le16_to_cpu(d->wProcessType)) {
+ case UAC3_PROCESS_UP_DOWNMIX:
+ if (d->bLength < len + 1) /* bNrModes */
+ return false;
+diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat
+index ad1b9e646c49..4cf93110c259 100755
+--- a/tools/kvm/kvm_stat/kvm_stat
++++ b/tools/kvm/kvm_stat/kvm_stat
+@@ -270,6 +270,7 @@ class ArchX86(Arch):
+ def __init__(self, exit_reasons):
+ self.sc_perf_evt_open = 298
+ self.ioctl_numbers = IOCTL_NUMBERS
++ self.exit_reason_field = 'exit_reason'
+ self.exit_reasons = exit_reasons
+
+ def debugfs_is_child(self, field):
+@@ -289,6 +290,7 @@ class ArchPPC(Arch):
+ # numbers depend on the wordsize.
+ char_ptr_size = ctypes.sizeof(ctypes.c_char_p)
+ self.ioctl_numbers['SET_FILTER'] = 0x80002406 | char_ptr_size << 16
++ self.exit_reason_field = 'exit_nr'
+ self.exit_reasons = {}
+
+ def debugfs_is_child(self, field):
+@@ -300,6 +302,7 @@ class ArchA64(Arch):
+ def __init__(self):
+ self.sc_perf_evt_open = 241
+ self.ioctl_numbers = IOCTL_NUMBERS
++ self.exit_reason_field = 'esr_ec'
+ self.exit_reasons = AARCH64_EXIT_REASONS
+
+ def debugfs_is_child(self, field):
+@@ -311,6 +314,7 @@ class ArchS390(Arch):
+ def __init__(self):
+ self.sc_perf_evt_open = 331
+ self.ioctl_numbers = IOCTL_NUMBERS
++ self.exit_reason_field = None
+ self.exit_reasons = None
+
+ def debugfs_is_child(self, field):
+@@ -541,8 +545,8 @@ class TracepointProvider(Provider):
+ """
+ filters = {}
+ filters['kvm_userspace_exit'] = ('reason', USERSPACE_EXIT_REASONS)
+- if ARCH.exit_reasons:
+- filters['kvm_exit'] = ('exit_reason', ARCH.exit_reasons)
++ if ARCH.exit_reason_field and ARCH.exit_reasons:
++ filters['kvm_exit'] = (ARCH.exit_reason_field, ARCH.exit_reasons)
+ return filters
+
+ def _get_available_fields(self):
+diff --git a/tools/lib/bpf/Makefile b/tools/lib/bpf/Makefile
+index 97830e46d1a0..68e8702f6f10 100644
+--- a/tools/lib/bpf/Makefile
++++ b/tools/lib/bpf/Makefile
+@@ -148,6 +148,7 @@ TAGS_PROG := $(if $(shell which etags 2>/dev/null),etags,ctags)
+
+ GLOBAL_SYM_COUNT = $(shell readelf -s --wide $(BPF_IN_SHARED) | \
+ cut -d "@" -f1 | sed 's/_v[0-9]_[0-9]_[0-9].*//' | \
++ sed 's/\[.*\]//' | \
+ awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}' | \
+ sort -u | wc -l)
+ VERSIONED_SYM_COUNT = $(shell readelf -s --wide $(OUTPUT)libbpf.so | \
+@@ -214,6 +215,7 @@ check_abi: $(OUTPUT)libbpf.so
+ "versioned in $(VERSION_SCRIPT)." >&2; \
+ readelf -s --wide $(BPF_IN_SHARED) | \
+ cut -d "@" -f1 | sed 's/_v[0-9]_[0-9]_[0-9].*//' | \
++ sed 's/\[.*\]//' | \
+ awk '/GLOBAL/ && /DEFAULT/ && !/UND/ {print $$NF}'| \
+ sort -u > $(OUTPUT)libbpf_global_syms.tmp; \
+ readelf -s --wide $(OUTPUT)libbpf.so | \
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 3f09772192f1..6d1bb761a544 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -1242,15 +1242,15 @@ static int bpf_object__init_user_btf_map(struct bpf_object *obj,
+ }
+ sz = btf__resolve_size(obj->btf, t->type);
+ if (sz < 0) {
+- pr_warn("map '%s': can't determine key size for type [%u]: %lld.\n",
+- map_name, t->type, sz);
++ pr_warn("map '%s': can't determine key size for type [%u]: %zd.\n",
++ map_name, t->type, (ssize_t)sz);
+ return sz;
+ }
+- pr_debug("map '%s': found key [%u], sz = %lld.\n",
+- map_name, t->type, sz);
++ pr_debug("map '%s': found key [%u], sz = %zd.\n",
++ map_name, t->type, (ssize_t)sz);
+ if (map->def.key_size && map->def.key_size != sz) {
+- pr_warn("map '%s': conflicting key size %u != %lld.\n",
+- map_name, map->def.key_size, sz);
++ pr_warn("map '%s': conflicting key size %u != %zd.\n",
++ map_name, map->def.key_size, (ssize_t)sz);
+ return -EINVAL;
+ }
+ map->def.key_size = sz;
+@@ -1285,15 +1285,15 @@ static int bpf_object__init_user_btf_map(struct bpf_object *obj,
+ }
+ sz = btf__resolve_size(obj->btf, t->type);
+ if (sz < 0) {
+- pr_warn("map '%s': can't determine value size for type [%u]: %lld.\n",
+- map_name, t->type, sz);
++ pr_warn("map '%s': can't determine value size for type [%u]: %zd.\n",
++ map_name, t->type, (ssize_t)sz);
+ return sz;
+ }
+- pr_debug("map '%s': found value [%u], sz = %lld.\n",
+- map_name, t->type, sz);
++ pr_debug("map '%s': found value [%u], sz = %zd.\n",
++ map_name, t->type, (ssize_t)sz);
+ if (map->def.value_size && map->def.value_size != sz) {
+- pr_warn("map '%s': conflicting value size %u != %lld.\n",
+- map_name, map->def.value_size, sz);
++ pr_warn("map '%s': conflicting value size %u != %zd.\n",
++ map_name, map->def.value_size, (ssize_t)sz);
+ return -EINVAL;
+ }
+ map->def.value_size = sz;
+@@ -1817,7 +1817,8 @@ static int bpf_program__record_reloc(struct bpf_program *prog,
+ return -LIBBPF_ERRNO__RELOC;
+ }
+ if (sym->st_value % 8) {
+- pr_warn("bad call relo offset: %llu\n", (__u64)sym->st_value);
++ pr_warn("bad call relo offset: %zu\n",
++ (size_t)sym->st_value);
+ return -LIBBPF_ERRNO__RELOC;
+ }
+ reloc_desc->type = RELO_CALL;
+@@ -1859,8 +1860,8 @@ static int bpf_program__record_reloc(struct bpf_program *prog,
+ break;
+ }
+ if (map_idx >= nr_maps) {
+- pr_warn("map relo failed to find map for sec %u, off %llu\n",
+- shdr_idx, (__u64)sym->st_value);
++ pr_warn("map relo failed to find map for sec %u, off %zu\n",
++ shdr_idx, (size_t)sym->st_value);
+ return -LIBBPF_ERRNO__RELOC;
+ }
+ reloc_desc->type = RELO_LD64;
+@@ -1941,9 +1942,9 @@ bpf_program__collect_reloc(struct bpf_program *prog, GElf_Shdr *shdr,
+ name = elf_strptr(obj->efile.elf, obj->efile.strtabidx,
+ sym.st_name) ? : "<?>";
+
+- pr_debug("relo for shdr %u, symb %llu, value %llu, type %d, bind %d, name %d (\'%s\'), insn %u\n",
+- (__u32)sym.st_shndx, (__u64)GELF_R_SYM(rel.r_info),
+- (__u64)sym.st_value, GELF_ST_TYPE(sym.st_info),
++ pr_debug("relo for shdr %u, symb %zu, value %zu, type %d, bind %d, name %d (\'%s\'), insn %u\n",
++ (__u32)sym.st_shndx, (size_t)GELF_R_SYM(rel.r_info),
++ (size_t)sym.st_value, GELF_ST_TYPE(sym.st_info),
+ GELF_ST_BIND(sym.st_info), sym.st_name, name,
+ insn_idx);
+
+@@ -2743,7 +2744,9 @@ static struct ids_vec *bpf_core_find_cands(const struct btf *local_btf,
+ if (strncmp(local_name, targ_name, local_essent_len) == 0) {
+ pr_debug("[%d] %s: found candidate [%d] %s\n",
+ local_type_id, local_name, i, targ_name);
+- new_ids = realloc(cand_ids->data, cand_ids->len + 1);
++ new_ids = reallocarray(cand_ids->data,
++ cand_ids->len + 1,
++ sizeof(*cand_ids->data));
+ if (!new_ids) {
+ err = -ENOMEM;
+ goto err_out;
+@@ -5944,7 +5947,7 @@ struct perf_buffer {
+ size_t mmap_size;
+ struct perf_cpu_buf **cpu_bufs;
+ struct epoll_event *events;
+- int cpu_cnt;
++ int cpu_cnt; /* number of allocated CPU buffers */
+ int epoll_fd; /* perf event FD */
+ int map_fd; /* BPF_MAP_TYPE_PERF_EVENT_ARRAY BPF map FD */
+ };
+@@ -6078,11 +6081,13 @@ perf_buffer__new_raw(int map_fd, size_t page_cnt,
+ static struct perf_buffer *__perf_buffer__new(int map_fd, size_t page_cnt,
+ struct perf_buffer_params *p)
+ {
++ const char *online_cpus_file = "/sys/devices/system/cpu/online";
+ struct bpf_map_info map = {};
+ char msg[STRERR_BUFSIZE];
+ struct perf_buffer *pb;
++ bool *online = NULL;
+ __u32 map_info_len;
+- int err, i;
++ int err, i, j, n;
+
+ if (page_cnt & (page_cnt - 1)) {
+ pr_warn("page count should be power of two, but is %zu\n",
+@@ -6151,20 +6156,32 @@ static struct perf_buffer *__perf_buffer__new(int map_fd, size_t page_cnt,
+ goto error;
+ }
+
+- for (i = 0; i < pb->cpu_cnt; i++) {
++ err = parse_cpu_mask_file(online_cpus_file, &online, &n);
++ if (err) {
++ pr_warn("failed to get online CPU mask: %d\n", err);
++ goto error;
++ }
++
++ for (i = 0, j = 0; i < pb->cpu_cnt; i++) {
+ struct perf_cpu_buf *cpu_buf;
+ int cpu, map_key;
+
+ cpu = p->cpu_cnt > 0 ? p->cpus[i] : i;
+ map_key = p->cpu_cnt > 0 ? p->map_keys[i] : i;
+
++ /* in case user didn't explicitly requested particular CPUs to
++ * be attached to, skip offline/not present CPUs
++ */
++ if (p->cpu_cnt <= 0 && (cpu >= n || !online[cpu]))
++ continue;
++
+ cpu_buf = perf_buffer__open_cpu_buf(pb, p->attr, cpu, map_key);
+ if (IS_ERR(cpu_buf)) {
+ err = PTR_ERR(cpu_buf);
+ goto error;
+ }
+
+- pb->cpu_bufs[i] = cpu_buf;
++ pb->cpu_bufs[j] = cpu_buf;
+
+ err = bpf_map_update_elem(pb->map_fd, &map_key,
+ &cpu_buf->fd, 0);
+@@ -6176,21 +6193,25 @@ static struct perf_buffer *__perf_buffer__new(int map_fd, size_t page_cnt,
+ goto error;
+ }
+
+- pb->events[i].events = EPOLLIN;
+- pb->events[i].data.ptr = cpu_buf;
++ pb->events[j].events = EPOLLIN;
++ pb->events[j].data.ptr = cpu_buf;
+ if (epoll_ctl(pb->epoll_fd, EPOLL_CTL_ADD, cpu_buf->fd,
+- &pb->events[i]) < 0) {
++ &pb->events[j]) < 0) {
+ err = -errno;
+ pr_warn("failed to epoll_ctl cpu #%d perf FD %d: %s\n",
+ cpu, cpu_buf->fd,
+ libbpf_strerror_r(err, msg, sizeof(msg)));
+ goto error;
+ }
++ j++;
+ }
++ pb->cpu_cnt = j;
++ free(online);
+
+ return pb;
+
+ error:
++ free(online);
+ if (pb)
+ perf_buffer__free(pb);
+ return ERR_PTR(err);
+@@ -6521,61 +6542,104 @@ void bpf_program__bpil_offs_to_addr(struct bpf_prog_info_linear *info_linear)
+ }
+ }
+
+-int libbpf_num_possible_cpus(void)
++int parse_cpu_mask_str(const char *s, bool **mask, int *mask_sz)
+ {
+- static const char *fcpu = "/sys/devices/system/cpu/possible";
+- int len = 0, n = 0, il = 0, ir = 0;
+- unsigned int start = 0, end = 0;
+- int tmp_cpus = 0;
+- static int cpus;
+- char buf[128];
+- int error = 0;
+- int fd = -1;
++ int err = 0, n, len, start, end = -1;
++ bool *tmp;
+
+- tmp_cpus = READ_ONCE(cpus);
+- if (tmp_cpus > 0)
+- return tmp_cpus;
++ *mask = NULL;
++ *mask_sz = 0;
++
++ /* Each sub string separated by ',' has format \d+-\d+ or \d+ */
++ while (*s) {
++ if (*s == ',' || *s == '\n') {
++ s++;
++ continue;
++ }
++ n = sscanf(s, "%d%n-%d%n", &start, &len, &end, &len);
++ if (n <= 0 || n > 2) {
++ pr_warn("Failed to get CPU range %s: %d\n", s, n);
++ err = -EINVAL;
++ goto cleanup;
++ } else if (n == 1) {
++ end = start;
++ }
++ if (start < 0 || start > end) {
++ pr_warn("Invalid CPU range [%d,%d] in %s\n",
++ start, end, s);
++ err = -EINVAL;
++ goto cleanup;
++ }
++ tmp = realloc(*mask, end + 1);
++ if (!tmp) {
++ err = -ENOMEM;
++ goto cleanup;
++ }
++ *mask = tmp;
++ memset(tmp + *mask_sz, 0, start - *mask_sz);
++ memset(tmp + start, 1, end - start + 1);
++ *mask_sz = end + 1;
++ s += len;
++ }
++ if (!*mask_sz) {
++ pr_warn("Empty CPU range\n");
++ return -EINVAL;
++ }
++ return 0;
++cleanup:
++ free(*mask);
++ *mask = NULL;
++ return err;
++}
++
++int parse_cpu_mask_file(const char *fcpu, bool **mask, int *mask_sz)
++{
++ int fd, err = 0, len;
++ char buf[128];
+
+ fd = open(fcpu, O_RDONLY);
+ if (fd < 0) {
+- error = errno;
+- pr_warn("Failed to open file %s: %s\n", fcpu, strerror(error));
+- return -error;
++ err = -errno;
++ pr_warn("Failed to open cpu mask file %s: %d\n", fcpu, err);
++ return err;
+ }
+ len = read(fd, buf, sizeof(buf));
+ close(fd);
+ if (len <= 0) {
+- error = len ? errno : EINVAL;
+- pr_warn("Failed to read # of possible cpus from %s: %s\n",
+- fcpu, strerror(error));
+- return -error;
++ err = len ? -errno : -EINVAL;
++ pr_warn("Failed to read cpu mask from %s: %d\n", fcpu, err);
++ return err;
+ }
+- if (len == sizeof(buf)) {
+- pr_warn("File %s size overflow\n", fcpu);
+- return -EOVERFLOW;
++ if (len >= sizeof(buf)) {
++ pr_warn("CPU mask is too big in file %s\n", fcpu);
++ return -E2BIG;
+ }
+ buf[len] = '\0';
+
+- for (ir = 0, tmp_cpus = 0; ir <= len; ir++) {
+- /* Each sub string separated by ',' has format \d+-\d+ or \d+ */
+- if (buf[ir] == ',' || buf[ir] == '\0') {
+- buf[ir] = '\0';
+- n = sscanf(&buf[il], "%u-%u", &start, &end);
+- if (n <= 0) {
+- pr_warn("Failed to get # CPUs from %s\n",
+- &buf[il]);
+- return -EINVAL;
+- } else if (n == 1) {
+- end = start;
+- }
+- tmp_cpus += end - start + 1;
+- il = ir + 1;
+- }
+- }
+- if (tmp_cpus <= 0) {
+- pr_warn("Invalid #CPUs %d from %s\n", tmp_cpus, fcpu);
+- return -EINVAL;
++ return parse_cpu_mask_str(buf, mask, mask_sz);
++}
++
++int libbpf_num_possible_cpus(void)
++{
++ static const char *fcpu = "/sys/devices/system/cpu/possible";
++ static int cpus;
++ int err, n, i, tmp_cpus;
++ bool *mask;
++
++ tmp_cpus = READ_ONCE(cpus);
++ if (tmp_cpus > 0)
++ return tmp_cpus;
++
++ err = parse_cpu_mask_file(fcpu, &mask, &n);
++ if (err)
++ return err;
++
++ tmp_cpus = 0;
++ for (i = 0; i < n; i++) {
++ if (mask[i])
++ tmp_cpus++;
+ }
++ free(mask);
+
+ WRITE_ONCE(cpus, tmp_cpus);
+ return tmp_cpus;
+diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h
+index 97ac17a64a58..3683af9dc23e 100644
+--- a/tools/lib/bpf/libbpf_internal.h
++++ b/tools/lib/bpf/libbpf_internal.h
+@@ -76,7 +76,7 @@ static inline bool libbpf_validate_opts(const char *opts,
+
+ for (i = opts_sz; i < user_sz; i++) {
+ if (opts[i]) {
+- pr_warn("%s has non-zero extra bytes",
++ pr_warn("%s has non-zero extra bytes\n",
+ type_name);
+ return false;
+ }
+@@ -95,6 +95,8 @@ static inline bool libbpf_validate_opts(const char *opts,
+ #define OPTS_GET(opts, field, fallback_value) \
+ (OPTS_HAS(opts, field) ? (opts)->field : fallback_value)
+
++int parse_cpu_mask_str(const char *s, bool **mask, int *mask_sz);
++int parse_cpu_mask_file(const char *fcpu, bool **mask, int *mask_sz);
+ int libbpf__load_raw_btf(const char *raw_types, size_t types_len,
+ const char *str_sec, size_t str_len);
+
+diff --git a/tools/objtool/sync-check.sh b/tools/objtool/sync-check.sh
+index 9bd04bbed01e..2a1261bfbb62 100755
+--- a/tools/objtool/sync-check.sh
++++ b/tools/objtool/sync-check.sh
+@@ -48,5 +48,3 @@ check arch/x86/include/asm/inat.h '-I "^#include [\"<]\(asm/\)*inat_types.h[
+ check arch/x86/include/asm/insn.h '-I "^#include [\"<]\(asm/\)*inat.h[\">]"'
+ check arch/x86/lib/inat.c '-I "^#include [\"<]\(../include/\)*asm/insn.h[\">]"'
+ check arch/x86/lib/insn.c '-I "^#include [\"<]\(../include/\)*asm/in\(at\|sn\).h[\">]" -I "^#include [\"<]\(../include/\)*asm/emulate_prefix.h[\">]"'
+-
+-cd -
+diff --git a/tools/power/cpupower/lib/cpufreq.c b/tools/power/cpupower/lib/cpufreq.c
+index 2f55d4d23446..6e04304560ca 100644
+--- a/tools/power/cpupower/lib/cpufreq.c
++++ b/tools/power/cpupower/lib/cpufreq.c
+@@ -332,21 +332,74 @@ void cpufreq_put_available_governors(struct cpufreq_available_governors *any)
+ }
+
+
+-struct cpufreq_frequencies
+-*cpufreq_get_frequencies(const char *type, unsigned int cpu)
++struct cpufreq_available_frequencies
++*cpufreq_get_available_frequencies(unsigned int cpu)
+ {
+- struct cpufreq_frequencies *first = NULL;
+- struct cpufreq_frequencies *current = NULL;
++ struct cpufreq_available_frequencies *first = NULL;
++ struct cpufreq_available_frequencies *current = NULL;
+ char one_value[SYSFS_PATH_MAX];
+ char linebuf[MAX_LINE_LEN];
+- char fname[MAX_LINE_LEN];
+ unsigned int pos, i;
+ unsigned int len;
+
+- snprintf(fname, MAX_LINE_LEN, "scaling_%s_frequencies", type);
++ len = sysfs_cpufreq_read_file(cpu, "scaling_available_frequencies",
++ linebuf, sizeof(linebuf));
++ if (len == 0)
++ return NULL;
+
+- len = sysfs_cpufreq_read_file(cpu, fname,
+- linebuf, sizeof(linebuf));
++ pos = 0;
++ for (i = 0; i < len; i++) {
++ if (linebuf[i] == ' ' || linebuf[i] == '\n') {
++ if (i - pos < 2)
++ continue;
++ if (i - pos >= SYSFS_PATH_MAX)
++ goto error_out;
++ if (current) {
++ current->next = malloc(sizeof(*current));
++ if (!current->next)
++ goto error_out;
++ current = current->next;
++ } else {
++ first = malloc(sizeof(*first));
++ if (!first)
++ goto error_out;
++ current = first;
++ }
++ current->first = first;
++ current->next = NULL;
++
++ memcpy(one_value, linebuf + pos, i - pos);
++ one_value[i - pos] = '\0';
++ if (sscanf(one_value, "%lu", &current->frequency) != 1)
++ goto error_out;
++
++ pos = i + 1;
++ }
++ }
++
++ return first;
++
++ error_out:
++ while (first) {
++ current = first->next;
++ free(first);
++ first = current;
++ }
++ return NULL;
++}
++
++struct cpufreq_available_frequencies
++*cpufreq_get_boost_frequencies(unsigned int cpu)
++{
++ struct cpufreq_available_frequencies *first = NULL;
++ struct cpufreq_available_frequencies *current = NULL;
++ char one_value[SYSFS_PATH_MAX];
++ char linebuf[MAX_LINE_LEN];
++ unsigned int pos, i;
++ unsigned int len;
++
++ len = sysfs_cpufreq_read_file(cpu, "scaling_boost_frequencies",
++ linebuf, sizeof(linebuf));
+ if (len == 0)
+ return NULL;
+
+@@ -391,9 +444,9 @@ struct cpufreq_frequencies
+ return NULL;
+ }
+
+-void cpufreq_put_frequencies(struct cpufreq_frequencies *any)
++void cpufreq_put_available_frequencies(struct cpufreq_available_frequencies *any)
+ {
+- struct cpufreq_frequencies *tmp, *next;
++ struct cpufreq_available_frequencies *tmp, *next;
+
+ if (!any)
+ return;
+@@ -406,6 +459,11 @@ void cpufreq_put_frequencies(struct cpufreq_frequencies *any)
+ }
+ }
+
++void cpufreq_put_boost_frequencies(struct cpufreq_available_frequencies *any)
++{
++ cpufreq_put_available_frequencies(any);
++}
++
+ static struct cpufreq_affected_cpus *sysfs_get_cpu_list(unsigned int cpu,
+ const char *file)
+ {
+diff --git a/tools/power/cpupower/lib/cpufreq.h b/tools/power/cpupower/lib/cpufreq.h
+index a55f0d19215b..95f4fd9e2656 100644
+--- a/tools/power/cpupower/lib/cpufreq.h
++++ b/tools/power/cpupower/lib/cpufreq.h
+@@ -20,10 +20,10 @@ struct cpufreq_available_governors {
+ struct cpufreq_available_governors *first;
+ };
+
+-struct cpufreq_frequencies {
++struct cpufreq_available_frequencies {
+ unsigned long frequency;
+- struct cpufreq_frequencies *next;
+- struct cpufreq_frequencies *first;
++ struct cpufreq_available_frequencies *next;
++ struct cpufreq_available_frequencies *first;
+ };
+
+
+@@ -124,11 +124,17 @@ void cpufreq_put_available_governors(
+ * cpufreq_put_frequencies after use.
+ */
+
+-struct cpufreq_frequencies
+-*cpufreq_get_frequencies(const char *type, unsigned int cpu);
++struct cpufreq_available_frequencies
++*cpufreq_get_available_frequencies(unsigned int cpu);
+
+-void cpufreq_put_frequencies(
+- struct cpufreq_frequencies *first);
++void cpufreq_put_available_frequencies(
++ struct cpufreq_available_frequencies *first);
++
++struct cpufreq_available_frequencies
++*cpufreq_get_boost_frequencies(unsigned int cpu);
++
++void cpufreq_put_boost_frequencies(
++ struct cpufreq_available_frequencies *first);
+
+
+ /* determine affected CPUs
+diff --git a/tools/power/cpupower/utils/cpufreq-info.c b/tools/power/cpupower/utils/cpufreq-info.c
+index e63cf55f81cf..6efc0f6b1b11 100644
+--- a/tools/power/cpupower/utils/cpufreq-info.c
++++ b/tools/power/cpupower/utils/cpufreq-info.c
+@@ -244,14 +244,14 @@ static int get_boost_mode_x86(unsigned int cpu)
+
+ static int get_boost_mode(unsigned int cpu)
+ {
+- struct cpufreq_frequencies *freqs;
++ struct cpufreq_available_frequencies *freqs;
+
+ if (cpupower_cpu_info.vendor == X86_VENDOR_AMD ||
+ cpupower_cpu_info.vendor == X86_VENDOR_HYGON ||
+ cpupower_cpu_info.vendor == X86_VENDOR_INTEL)
+ return get_boost_mode_x86(cpu);
+
+- freqs = cpufreq_get_frequencies("boost", cpu);
++ freqs = cpufreq_get_boost_frequencies(cpu);
+ if (freqs) {
+ printf(_(" boost frequency steps: "));
+ while (freqs->next) {
+@@ -261,7 +261,7 @@ static int get_boost_mode(unsigned int cpu)
+ }
+ print_speed(freqs->frequency);
+ printf("\n");
+- cpufreq_put_frequencies(freqs);
++ cpufreq_put_available_frequencies(freqs);
+ }
+
+ return 0;
+@@ -475,7 +475,7 @@ static int get_latency(unsigned int cpu, unsigned int human)
+
+ static void debug_output_one(unsigned int cpu)
+ {
+- struct cpufreq_frequencies *freqs;
++ struct cpufreq_available_frequencies *freqs;
+
+ get_driver(cpu);
+ get_related_cpus(cpu);
+@@ -483,7 +483,7 @@ static void debug_output_one(unsigned int cpu)
+ get_latency(cpu, 1);
+ get_hardware_limits(cpu, 1);
+
+- freqs = cpufreq_get_frequencies("available", cpu);
++ freqs = cpufreq_get_available_frequencies(cpu);
+ if (freqs) {
+ printf(_(" available frequency steps: "));
+ while (freqs->next) {
+@@ -493,7 +493,7 @@ static void debug_output_one(unsigned int cpu)
+ }
+ print_speed(freqs->frequency);
+ printf("\n");
+- cpufreq_put_frequencies(freqs);
++ cpufreq_put_available_frequencies(freqs);
+ }
+
+ get_available_governors(cpu);
+diff --git a/tools/testing/selftests/bpf/prog_tests/attach_probe.c b/tools/testing/selftests/bpf/prog_tests/attach_probe.c
+index a83111a32d4a..41ec274633c2 100644
+--- a/tools/testing/selftests/bpf/prog_tests/attach_probe.c
++++ b/tools/testing/selftests/bpf/prog_tests/attach_probe.c
+@@ -20,7 +20,7 @@ extern char NAME##_data[]; \
+ extern int NAME##_size;
+
+ ssize_t get_base_addr() {
+- size_t start;
++ size_t start, offset;
+ char buf[256];
+ FILE *f;
+
+@@ -28,10 +28,11 @@ ssize_t get_base_addr() {
+ if (!f)
+ return -errno;
+
+- while (fscanf(f, "%zx-%*x %s %*s\n", &start, buf) == 2) {
++ while (fscanf(f, "%zx-%*x %s %zx %*[^\n]\n",
++ &start, buf, &offset) == 3) {
+ if (strcmp(buf, "r-xp") == 0) {
+ fclose(f);
+- return start;
++ return start - offset;
+ }
+ }
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/perf_buffer.c b/tools/testing/selftests/bpf/prog_tests/perf_buffer.c
+index 3003fddc0613..cf6c87936c69 100644
+--- a/tools/testing/selftests/bpf/prog_tests/perf_buffer.c
++++ b/tools/testing/selftests/bpf/prog_tests/perf_buffer.c
+@@ -4,6 +4,7 @@
+ #include <sched.h>
+ #include <sys/socket.h>
+ #include <test_progs.h>
++#include "libbpf_internal.h"
+
+ static void on_sample(void *ctx, int cpu, void *data, __u32 size)
+ {
+@@ -19,7 +20,7 @@ static void on_sample(void *ctx, int cpu, void *data, __u32 size)
+
+ void test_perf_buffer(void)
+ {
+- int err, prog_fd, nr_cpus, i, duration = 0;
++ int err, prog_fd, on_len, nr_on_cpus = 0, nr_cpus, i, duration = 0;
+ const char *prog_name = "kprobe/sys_nanosleep";
+ const char *file = "./test_perf_buffer.o";
+ struct perf_buffer_opts pb_opts = {};
+@@ -29,15 +30,27 @@ void test_perf_buffer(void)
+ struct bpf_object *obj;
+ struct perf_buffer *pb;
+ struct bpf_link *link;
++ bool *online;
+
+ nr_cpus = libbpf_num_possible_cpus();
+ if (CHECK(nr_cpus < 0, "nr_cpus", "err %d\n", nr_cpus))
+ return;
+
++ err = parse_cpu_mask_file("/sys/devices/system/cpu/online",
++ &online, &on_len);
++ if (CHECK(err, "nr_on_cpus", "err %d\n", err))
++ return;
++
++ for (i = 0; i < on_len; i++)
++ if (online[i])
++ nr_on_cpus++;
++
+ /* load program */
+ err = bpf_prog_load(file, BPF_PROG_TYPE_KPROBE, &obj, &prog_fd);
+- if (CHECK(err, "obj_load", "err %d errno %d\n", err, errno))
+- return;
++ if (CHECK(err, "obj_load", "err %d errno %d\n", err, errno)) {
++ obj = NULL;
++ goto out_close;
++ }
+
+ prog = bpf_object__find_program_by_title(obj, prog_name);
+ if (CHECK(!prog, "find_probe", "prog '%s' not found\n", prog_name))
+@@ -64,6 +77,11 @@ void test_perf_buffer(void)
+ /* trigger kprobe on every CPU */
+ CPU_ZERO(&cpu_seen);
+ for (i = 0; i < nr_cpus; i++) {
++ if (i >= on_len || !online[i]) {
++ printf("skipping offline CPU #%d\n", i);
++ continue;
++ }
++
+ CPU_ZERO(&cpu_set);
+ CPU_SET(i, &cpu_set);
+
+@@ -81,8 +99,8 @@ void test_perf_buffer(void)
+ if (CHECK(err < 0, "perf_buffer__poll", "err %d\n", err))
+ goto out_free_pb;
+
+- if (CHECK(CPU_COUNT(&cpu_seen) != nr_cpus, "seen_cpu_cnt",
+- "expect %d, seen %d\n", nr_cpus, CPU_COUNT(&cpu_seen)))
++ if (CHECK(CPU_COUNT(&cpu_seen) != nr_on_cpus, "seen_cpu_cnt",
++ "expect %d, seen %d\n", nr_on_cpus, CPU_COUNT(&cpu_seen)))
+ goto out_free_pb;
+
+ out_free_pb:
+@@ -91,4 +109,5 @@ out_detach:
+ bpf_link__destroy(link);
+ out_close:
+ bpf_object__close(obj);
++ free(online);
+ }
+diff --git a/tools/testing/selftests/bpf/prog_tests/stacktrace_build_id_nmi.c b/tools/testing/selftests/bpf/prog_tests/stacktrace_build_id_nmi.c
+index f62aa0eb959b..1735faf17536 100644
+--- a/tools/testing/selftests/bpf/prog_tests/stacktrace_build_id_nmi.c
++++ b/tools/testing/selftests/bpf/prog_tests/stacktrace_build_id_nmi.c
+@@ -49,8 +49,12 @@ retry:
+ pmu_fd = syscall(__NR_perf_event_open, &attr, -1 /* pid */,
+ 0 /* cpu 0 */, -1 /* group id */,
+ 0 /* flags */);
+- if (CHECK(pmu_fd < 0, "perf_event_open",
+- "err %d errno %d. Does the test host support PERF_COUNT_HW_CPU_CYCLES?\n",
++ if (pmu_fd < 0 && errno == ENOENT) {
++ printf("%s:SKIP:no PERF_COUNT_HW_CPU_CYCLES\n", __func__);
++ test__skip();
++ goto cleanup;
++ }
++ if (CHECK(pmu_fd < 0, "perf_event_open", "err %d errno %d\n",
+ pmu_fd, errno))
+ goto close_prog;
+
+diff --git a/tools/testing/selftests/bpf/progs/test_select_reuseport_kern.c b/tools/testing/selftests/bpf/progs/test_select_reuseport_kern.c
+index ea7d84f01235..e6be383a003f 100644
+--- a/tools/testing/selftests/bpf/progs/test_select_reuseport_kern.c
++++ b/tools/testing/selftests/bpf/progs/test_select_reuseport_kern.c
+@@ -113,6 +113,12 @@ int _select_by_skb_data(struct sk_reuseport_md *reuse_md)
+ data_check.skb_ports[0] = th->source;
+ data_check.skb_ports[1] = th->dest;
+
++ if (th->fin)
++ /* The connection is being torn down at the end of a
++ * test. It can't contain a cmd, so return early.
++ */
++ return SK_PASS;
++
+ if ((th->doff << 2) + sizeof(*cmd) > data_check.len)
+ GOTO_DONE(DROP_ERR_SKB_DATA);
+ if (bpf_skb_load_bytes(reuse_md, th->doff << 2, &cmd_copy,
+diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
+index 4a851513c842..779e11da979c 100644
+--- a/tools/testing/selftests/bpf/test_sockmap.c
++++ b/tools/testing/selftests/bpf/test_sockmap.c
+@@ -331,7 +331,7 @@ static int msg_loop_sendpage(int fd, int iov_length, int cnt,
+ FILE *file;
+ int i, fp;
+
+- file = fopen(".sendpage_tst.tmp", "w+");
++ file = tmpfile();
+ if (!file) {
+ perror("create file for sendpage");
+ return 1;
+@@ -340,13 +340,8 @@ static int msg_loop_sendpage(int fd, int iov_length, int cnt,
+ fwrite(&k, sizeof(char), 1, file);
+ fflush(file);
+ fseek(file, 0, SEEK_SET);
+- fclose(file);
+
+- fp = open(".sendpage_tst.tmp", O_RDONLY);
+- if (fp < 0) {
+- perror("reopen file for sendpage");
+- return 1;
+- }
++ fp = fileno(file);
+
+ clock_gettime(CLOCK_MONOTONIC, &s->start);
+ for (i = 0; i < cnt; i++) {
+@@ -354,11 +349,11 @@ static int msg_loop_sendpage(int fd, int iov_length, int cnt,
+
+ if (!drop && sent < 0) {
+ perror("send loop error");
+- close(fp);
++ fclose(file);
+ return sent;
+ } else if (drop && sent >= 0) {
+ printf("sendpage loop error expected: %i\n", sent);
+- close(fp);
++ fclose(file);
+ return -EIO;
+ }
+
+@@ -366,7 +361,7 @@ static int msg_loop_sendpage(int fd, int iov_length, int cnt,
+ s->bytes_sent += sent;
+ }
+ clock_gettime(CLOCK_MONOTONIC, &s->end);
+- close(fp);
++ fclose(file);
+ return 0;
+ }
+
+diff --git a/tools/testing/selftests/tc-testing/plugin-lib/buildebpfPlugin.py b/tools/testing/selftests/tc-testing/plugin-lib/buildebpfPlugin.py
+index e98c36750fae..d34fe06268d2 100644
+--- a/tools/testing/selftests/tc-testing/plugin-lib/buildebpfPlugin.py
++++ b/tools/testing/selftests/tc-testing/plugin-lib/buildebpfPlugin.py
+@@ -54,7 +54,7 @@ class SubPlugin(TdcPlugin):
+ shell=True,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+- env=ENVIR)
++ env=os.environ.copy())
+ (rawout, serr) = proc.communicate()
+
+ if proc.returncode != 0 and len(serr) > 0:
+diff --git a/virt/kvm/arm/aarch32.c b/virt/kvm/arm/aarch32.c
+index c4c57ba99e90..631d397ac81b 100644
+--- a/virt/kvm/arm/aarch32.c
++++ b/virt/kvm/arm/aarch32.c
+@@ -10,6 +10,7 @@
+ * Author: Christoffer Dall <c.dall@virtualopensystems.com>
+ */
+
++#include <linux/bits.h>
+ #include <linux/kvm_host.h>
+ #include <asm/kvm_emulate.h>
+ #include <asm/kvm_hyp.h>
+@@ -28,25 +29,115 @@ static const u8 return_offsets[8][2] = {
+ [7] = { 4, 4 }, /* FIQ, unused */
+ };
+
++/*
++ * When an exception is taken, most CPSR fields are left unchanged in the
++ * handler. However, some are explicitly overridden (e.g. M[4:0]).
++ *
++ * The SPSR/SPSR_ELx layouts differ, and the below is intended to work with
++ * either format. Note: SPSR.J bit doesn't exist in SPSR_ELx, but this bit was
++ * obsoleted by the ARMv7 virtualization extensions and is RES0.
++ *
++ * For the SPSR layout seen from AArch32, see:
++ * - ARM DDI 0406C.d, page B1-1148
++ * - ARM DDI 0487E.a, page G8-6264
++ *
++ * For the SPSR_ELx layout for AArch32 seen from AArch64, see:
++ * - ARM DDI 0487E.a, page C5-426
++ *
++ * Here we manipulate the fields in order of the AArch32 SPSR_ELx layout, from
++ * MSB to LSB.
++ */
++static unsigned long get_except32_cpsr(struct kvm_vcpu *vcpu, u32 mode)
++{
++ u32 sctlr = vcpu_cp15(vcpu, c1_SCTLR);
++ unsigned long old, new;
++
++ old = *vcpu_cpsr(vcpu);
++ new = 0;
++
++ new |= (old & PSR_AA32_N_BIT);
++ new |= (old & PSR_AA32_Z_BIT);
++ new |= (old & PSR_AA32_C_BIT);
++ new |= (old & PSR_AA32_V_BIT);
++ new |= (old & PSR_AA32_Q_BIT);
++
++ // CPSR.IT[7:0] are set to zero upon any exception
++ // See ARM DDI 0487E.a, section G1.12.3
++ // See ARM DDI 0406C.d, section B1.8.3
++
++ new |= (old & PSR_AA32_DIT_BIT);
++
++ // CPSR.SSBS is set to SCTLR.DSSBS upon any exception
++ // See ARM DDI 0487E.a, page G8-6244
++ if (sctlr & BIT(31))
++ new |= PSR_AA32_SSBS_BIT;
++
++ // CPSR.PAN is unchanged unless SCTLR.SPAN == 0b0
++ // SCTLR.SPAN is RES1 when ARMv8.1-PAN is not implemented
++ // See ARM DDI 0487E.a, page G8-6246
++ new |= (old & PSR_AA32_PAN_BIT);
++ if (!(sctlr & BIT(23)))
++ new |= PSR_AA32_PAN_BIT;
++
++ // SS does not exist in AArch32, so ignore
++
++ // CPSR.IL is set to zero upon any exception
++ // See ARM DDI 0487E.a, page G1-5527
++
++ new |= (old & PSR_AA32_GE_MASK);
++
++ // CPSR.IT[7:0] are set to zero upon any exception
++ // See prior comment above
++
++ // CPSR.E is set to SCTLR.EE upon any exception
++ // See ARM DDI 0487E.a, page G8-6245
++ // See ARM DDI 0406C.d, page B4-1701
++ if (sctlr & BIT(25))
++ new |= PSR_AA32_E_BIT;
++
++ // CPSR.A is unchanged upon an exception to Undefined, Supervisor
++ // CPSR.A is set upon an exception to other modes
++ // See ARM DDI 0487E.a, pages G1-5515 to G1-5516
++ // See ARM DDI 0406C.d, page B1-1182
++ new |= (old & PSR_AA32_A_BIT);
++ if (mode != PSR_AA32_MODE_UND && mode != PSR_AA32_MODE_SVC)
++ new |= PSR_AA32_A_BIT;
++
++ // CPSR.I is set upon any exception
++ // See ARM DDI 0487E.a, pages G1-5515 to G1-5516
++ // See ARM DDI 0406C.d, page B1-1182
++ new |= PSR_AA32_I_BIT;
++
++ // CPSR.F is set upon an exception to FIQ
++ // CPSR.F is unchanged upon an exception to other modes
++ // See ARM DDI 0487E.a, pages G1-5515 to G1-5516
++ // See ARM DDI 0406C.d, page B1-1182
++ new |= (old & PSR_AA32_F_BIT);
++ if (mode == PSR_AA32_MODE_FIQ)
++ new |= PSR_AA32_F_BIT;
++
++ // CPSR.T is set to SCTLR.TE upon any exception
++ // See ARM DDI 0487E.a, page G8-5514
++ // See ARM DDI 0406C.d, page B1-1181
++ if (sctlr & BIT(30))
++ new |= PSR_AA32_T_BIT;
++
++ new |= mode;
++
++ return new;
++}
++
+ static void prepare_fault32(struct kvm_vcpu *vcpu, u32 mode, u32 vect_offset)
+ {
+- unsigned long cpsr;
+- unsigned long new_spsr_value = *vcpu_cpsr(vcpu);
+- bool is_thumb = (new_spsr_value & PSR_AA32_T_BIT);
++ unsigned long spsr = *vcpu_cpsr(vcpu);
++ bool is_thumb = (spsr & PSR_AA32_T_BIT);
+ u32 return_offset = return_offsets[vect_offset >> 2][is_thumb];
+ u32 sctlr = vcpu_cp15(vcpu, c1_SCTLR);
+
+- cpsr = mode | PSR_AA32_I_BIT;
+-
+- if (sctlr & (1 << 30))
+- cpsr |= PSR_AA32_T_BIT;
+- if (sctlr & (1 << 25))
+- cpsr |= PSR_AA32_E_BIT;
+-
+- *vcpu_cpsr(vcpu) = cpsr;
++ *vcpu_cpsr(vcpu) = get_except32_cpsr(vcpu, mode);
+
+ /* Note: These now point to the banked copies */
+- vcpu_write_spsr(vcpu, new_spsr_value);
++ vcpu_write_spsr(vcpu, host_spsr_to_spsr32(spsr));
+ *vcpu_reg32(vcpu, 14) = *vcpu_pc(vcpu) + return_offset;
+
+ /* Branch to exception vector */
+@@ -84,7 +175,7 @@ static void inject_abt32(struct kvm_vcpu *vcpu, bool is_pabt,
+ fsr = &vcpu_cp15(vcpu, c5_DFSR);
+ }
+
+- prepare_fault32(vcpu, PSR_AA32_MODE_ABT | PSR_AA32_A_BIT, vect_offset);
++ prepare_fault32(vcpu, PSR_AA32_MODE_ABT, vect_offset);
+
+ *far = addr;
+
+diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
+index 70d3b449692c..1bb71acd53f2 100644
+--- a/virt/kvm/arm/mmio.c
++++ b/virt/kvm/arm/mmio.c
+@@ -105,6 +105,9 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
+ data = (data ^ mask) - mask;
+ }
+
++ if (!vcpu->arch.mmio_decode.sixty_four)
++ data = data & 0xffffffff;
++
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+ &data);
+ data = vcpu_data_host_to_guest(vcpu, data, len);
+@@ -125,6 +128,7 @@ static int decode_hsr(struct kvm_vcpu *vcpu, bool *is_write, int *len)
+ unsigned long rt;
+ int access_size;
+ bool sign_extend;
++ bool sixty_four;
+
+ if (kvm_vcpu_dabt_iss1tw(vcpu)) {
+ /* page table accesses IO mem: tell guest to fix its TTBR */
+@@ -138,11 +142,13 @@ static int decode_hsr(struct kvm_vcpu *vcpu, bool *is_write, int *len)
+
+ *is_write = kvm_vcpu_dabt_iswrite(vcpu);
+ sign_extend = kvm_vcpu_dabt_issext(vcpu);
++ sixty_four = kvm_vcpu_dabt_issf(vcpu);
+ rt = kvm_vcpu_dabt_get_rd(vcpu);
+
+ *len = access_size;
+ vcpu->arch.mmio_decode.sign_extend = sign_extend;
+ vcpu->arch.mmio_decode.rt = rt;
++ vcpu->arch.mmio_decode.sixty_four = sixty_four;
+
+ return 0;
+ }
+diff --git a/virt/kvm/async_pf.c b/virt/kvm/async_pf.c
+index 35305d6e68cc..d8ef708a2ef6 100644
+--- a/virt/kvm/async_pf.c
++++ b/virt/kvm/async_pf.c
+@@ -64,7 +64,7 @@ static void async_pf_execute(struct work_struct *work)
+ struct mm_struct *mm = apf->mm;
+ struct kvm_vcpu *vcpu = apf->vcpu;
+ unsigned long addr = apf->addr;
+- gva_t gva = apf->gva;
++ gpa_t cr2_or_gpa = apf->cr2_or_gpa;
+ int locked = 1;
+
+ might_sleep();
+@@ -92,7 +92,7 @@ static void async_pf_execute(struct work_struct *work)
+ * this point
+ */
+
+- trace_kvm_async_pf_completed(addr, gva);
++ trace_kvm_async_pf_completed(addr, cr2_or_gpa);
+
+ if (swq_has_sleeper(&vcpu->wq))
+ swake_up_one(&vcpu->wq);
+@@ -165,8 +165,8 @@ void kvm_check_async_pf_completion(struct kvm_vcpu *vcpu)
+ }
+ }
+
+-int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, unsigned long hva,
+- struct kvm_arch_async_pf *arch)
++int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
++ unsigned long hva, struct kvm_arch_async_pf *arch)
+ {
+ struct kvm_async_pf *work;
+
+@@ -185,7 +185,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, unsigned long hva,
+
+ work->wakeup_all = false;
+ work->vcpu = vcpu;
+- work->gva = gva;
++ work->cr2_or_gpa = cr2_or_gpa;
+ work->addr = hva;
+ work->arch = *arch;
+ work->mm = current->mm;
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 00268290dcbd..2b3f36df3d85 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1406,14 +1406,14 @@ bool kvm_is_visible_gfn(struct kvm *kvm, gfn_t gfn)
+ }
+ EXPORT_SYMBOL_GPL(kvm_is_visible_gfn);
+
+-unsigned long kvm_host_page_size(struct kvm *kvm, gfn_t gfn)
++unsigned long kvm_host_page_size(struct kvm_vcpu *vcpu, gfn_t gfn)
+ {
+ struct vm_area_struct *vma;
+ unsigned long addr, size;
+
+ size = PAGE_SIZE;
+
+- addr = gfn_to_hva(kvm, gfn);
++ addr = kvm_vcpu_gfn_to_hva_prot(vcpu, gfn, NULL);
+ if (kvm_is_error_hva(addr))
+ return PAGE_SIZE;
+
+@@ -1821,26 +1821,72 @@ struct page *gfn_to_page(struct kvm *kvm, gfn_t gfn)
+ }
+ EXPORT_SYMBOL_GPL(gfn_to_page);
+
+-static int __kvm_map_gfn(struct kvm_memory_slot *slot, gfn_t gfn,
+- struct kvm_host_map *map)
++void kvm_release_pfn(kvm_pfn_t pfn, bool dirty, struct gfn_to_pfn_cache *cache)
++{
++ if (pfn == 0)
++ return;
++
++ if (cache)
++ cache->pfn = cache->gfn = 0;
++
++ if (dirty)
++ kvm_release_pfn_dirty(pfn);
++ else
++ kvm_release_pfn_clean(pfn);
++}
++
++static void kvm_cache_gfn_to_pfn(struct kvm_memory_slot *slot, gfn_t gfn,
++ struct gfn_to_pfn_cache *cache, u64 gen)
++{
++ kvm_release_pfn(cache->pfn, cache->dirty, cache);
++
++ cache->pfn = gfn_to_pfn_memslot(slot, gfn);
++ cache->gfn = gfn;
++ cache->dirty = false;
++ cache->generation = gen;
++}
++
++static int __kvm_map_gfn(struct kvm_memslots *slots, gfn_t gfn,
++ struct kvm_host_map *map,
++ struct gfn_to_pfn_cache *cache,
++ bool atomic)
+ {
+ kvm_pfn_t pfn;
+ void *hva = NULL;
+ struct page *page = KVM_UNMAPPED_PAGE;
++ struct kvm_memory_slot *slot = __gfn_to_memslot(slots, gfn);
++ u64 gen = slots->generation;
+
+ if (!map)
+ return -EINVAL;
+
+- pfn = gfn_to_pfn_memslot(slot, gfn);
++ if (cache) {
++ if (!cache->pfn || cache->gfn != gfn ||
++ cache->generation != gen) {
++ if (atomic)
++ return -EAGAIN;
++ kvm_cache_gfn_to_pfn(slot, gfn, cache, gen);
++ }
++ pfn = cache->pfn;
++ } else {
++ if (atomic)
++ return -EAGAIN;
++ pfn = gfn_to_pfn_memslot(slot, gfn);
++ }
+ if (is_error_noslot_pfn(pfn))
+ return -EINVAL;
+
+ if (pfn_valid(pfn)) {
+ page = pfn_to_page(pfn);
+- hva = kmap(page);
++ if (atomic)
++ hva = kmap_atomic(page);
++ else
++ hva = kmap(page);
+ #ifdef CONFIG_HAS_IOMEM
+- } else {
++ } else if (!atomic) {
+ hva = memremap(pfn_to_hpa(pfn), PAGE_SIZE, MEMREMAP_WB);
++ } else {
++ return -EINVAL;
+ #endif
+ }
+
+@@ -1855,14 +1901,25 @@ static int __kvm_map_gfn(struct kvm_memory_slot *slot, gfn_t gfn,
+ return 0;
+ }
+
++int kvm_map_gfn(struct kvm_vcpu *vcpu, gfn_t gfn, struct kvm_host_map *map,
++ struct gfn_to_pfn_cache *cache, bool atomic)
++{
++ return __kvm_map_gfn(kvm_memslots(vcpu->kvm), gfn, map,
++ cache, atomic);
++}
++EXPORT_SYMBOL_GPL(kvm_map_gfn);
++
+ int kvm_vcpu_map(struct kvm_vcpu *vcpu, gfn_t gfn, struct kvm_host_map *map)
+ {
+- return __kvm_map_gfn(kvm_vcpu_gfn_to_memslot(vcpu, gfn), gfn, map);
++ return __kvm_map_gfn(kvm_vcpu_memslots(vcpu), gfn, map,
++ NULL, false);
+ }
+ EXPORT_SYMBOL_GPL(kvm_vcpu_map);
+
+-void kvm_vcpu_unmap(struct kvm_vcpu *vcpu, struct kvm_host_map *map,
+- bool dirty)
++static void __kvm_unmap_gfn(struct kvm_memory_slot *memslot,
++ struct kvm_host_map *map,
++ struct gfn_to_pfn_cache *cache,
++ bool dirty, bool atomic)
+ {
+ if (!map)
+ return;
+@@ -1870,23 +1927,45 @@ void kvm_vcpu_unmap(struct kvm_vcpu *vcpu, struct kvm_host_map *map,
+ if (!map->hva)
+ return;
+
+- if (map->page != KVM_UNMAPPED_PAGE)
+- kunmap(map->page);
++ if (map->page != KVM_UNMAPPED_PAGE) {
++ if (atomic)
++ kunmap_atomic(map->hva);
++ else
++ kunmap(map->page);
++ }
+ #ifdef CONFIG_HAS_IOMEM
+- else
++ else if (!atomic)
+ memunmap(map->hva);
++ else
++ WARN_ONCE(1, "Unexpected unmapping in atomic context");
+ #endif
+
+- if (dirty) {
+- kvm_vcpu_mark_page_dirty(vcpu, map->gfn);
+- kvm_release_pfn_dirty(map->pfn);
+- } else {
+- kvm_release_pfn_clean(map->pfn);
+- }
++ if (dirty)
++ mark_page_dirty_in_slot(memslot, map->gfn);
++
++ if (cache)
++ cache->dirty |= dirty;
++ else
++ kvm_release_pfn(map->pfn, dirty, NULL);
+
+ map->hva = NULL;
+ map->page = NULL;
+ }
++
++int kvm_unmap_gfn(struct kvm_vcpu *vcpu, struct kvm_host_map *map,
++ struct gfn_to_pfn_cache *cache, bool dirty, bool atomic)
++{
++ __kvm_unmap_gfn(gfn_to_memslot(vcpu->kvm, map->gfn), map,
++ cache, dirty, atomic);
++ return 0;
++}
++EXPORT_SYMBOL_GPL(kvm_unmap_gfn);
++
++void kvm_vcpu_unmap(struct kvm_vcpu *vcpu, struct kvm_host_map *map, bool dirty)
++{
++ __kvm_unmap_gfn(kvm_vcpu_gfn_to_memslot(vcpu, map->gfn), map, NULL,
++ dirty, false);
++}
+ EXPORT_SYMBOL_GPL(kvm_vcpu_unmap);
+
+ struct page *kvm_vcpu_gfn_to_page(struct kvm_vcpu *vcpu, gfn_t gfn)