Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlice Ferrazzi <alicef@gentoo.org>2021-04-28 21:03:18 +0900
committerAlice Ferrazzi <alicef@gentoo.org>2021-04-28 21:03:29 +0900
commitcd69f153f5510bc0fb2d5ce2698e8fdc5784e61c (patch)
tree569407cb0ce966ff3962b1a4606543bce094a47f
parentLinux patch 5.10.32 (diff)
downloadlinux-patches-cd69f153.tar.gz
linux-patches-cd69f153.tar.bz2
linux-patches-cd69f153.zip
Linux patch 5.10.335.10-36
Signed-off-by: Alice Ferrazzi <alicef@gentoo.org>
Diffstat
-rw-r--r--0000_README4
-rw-r--r--1032_linux-5.10.33.patch1964
2 files changed, 1968 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index 68ff733b..acf61dde 100644
--- a/0000_README
+++ b/0000_README
@@ -171,6 +171,10 @@ Patch: 1031_linux-5.10.32.patch
From: http://www.kernel.org
Desc: Linux 5.10.32
+Patch: 1032_linux-5.10.33.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.33
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1032_linux-5.10.33.patch b/1032_linux-5.10.33.patch
new file mode 100644
index 00000000..ace1cc0d
--- /dev/null
+++ b/1032_linux-5.10.33.patch
@@ -0,0 +1,1964 @@
+diff --git a/Makefile b/Makefile
+index cad90171b4b9b..fd5c8b5c013bf 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,7 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
+ VERSION = 5
+ PATCHLEVEL = 10
+-SUBLEVEL = 32
++SUBLEVEL = 33
+ EXTRAVERSION =
+ NAME = Dare mighty things
+
+diff --git a/arch/arm/boot/dts/omap3.dtsi b/arch/arm/boot/dts/omap3.dtsi
+index 9dcae1f2bc99f..c5b9da0d7e6ce 100644
+--- a/arch/arm/boot/dts/omap3.dtsi
++++ b/arch/arm/boot/dts/omap3.dtsi
+@@ -24,6 +24,9 @@
+ i2c0 = &i2c1;
+ i2c1 = &i2c2;
+ i2c2 = &i2c3;
++ mmc0 = &mmc1;
++ mmc1 = &mmc2;
++ mmc2 = &mmc3;
+ serial0 = &uart1;
+ serial1 = &uart2;
+ serial2 = &uart3;
+diff --git a/arch/arm64/boot/dts/allwinner/sun50i-a64-pine64-lts.dts b/arch/arm64/boot/dts/allwinner/sun50i-a64-pine64-lts.dts
+index a1f621b388fe7..358df6d926aff 100644
+--- a/arch/arm64/boot/dts/allwinner/sun50i-a64-pine64-lts.dts
++++ b/arch/arm64/boot/dts/allwinner/sun50i-a64-pine64-lts.dts
+@@ -10,5 +10,5 @@
+ };
+
+ &mmc0 {
+- cd-gpios = <&pio 5 6 GPIO_ACTIVE_LOW>; /* PF6 push-push switch */
++ broken-cd; /* card detect is broken on *some* boards */
+ };
+diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c
+index f11a1a1f70261..798c3e78b84bb 100644
+--- a/arch/arm64/kernel/probes/kprobes.c
++++ b/arch/arm64/kernel/probes/kprobes.c
+@@ -286,10 +286,12 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
+ if (!instruction_pointer(regs))
+ BUG();
+
+- if (kcb->kprobe_status == KPROBE_REENTER)
++ if (kcb->kprobe_status == KPROBE_REENTER) {
+ restore_previous_kprobe(kcb);
+- else
++ } else {
++ kprobes_restore_local_irqflag(kcb, regs);
+ reset_current_kprobe();
++ }
+
+ break;
+ case KPROBE_HIT_ACTIVE:
+diff --git a/arch/csky/Kconfig b/arch/csky/Kconfig
+index 268fad5f51cf4..7bf0a617e94c3 100644
+--- a/arch/csky/Kconfig
++++ b/arch/csky/Kconfig
+@@ -292,7 +292,7 @@ config FORCE_MAX_ZONEORDER
+ int "Maximum zone order"
+ default "11"
+
+-config RAM_BASE
++config DRAM_BASE
+ hex "DRAM start addr (the same with memory-section in dts)"
+ default 0x0
+
+diff --git a/arch/csky/include/asm/page.h b/arch/csky/include/asm/page.h
+index 9b98bf31d57ce..16878240ef9ac 100644
+--- a/arch/csky/include/asm/page.h
++++ b/arch/csky/include/asm/page.h
+@@ -28,7 +28,7 @@
+ #define SSEG_SIZE 0x20000000
+ #define LOWMEM_LIMIT (SSEG_SIZE * 2)
+
+-#define PHYS_OFFSET_OFFSET (CONFIG_RAM_BASE & (SSEG_SIZE - 1))
++#define PHYS_OFFSET_OFFSET (CONFIG_DRAM_BASE & (SSEG_SIZE - 1))
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/ia64/mm/discontig.c b/arch/ia64/mm/discontig.c
+index dbe829fc52980..4d08134190134 100644
+--- a/arch/ia64/mm/discontig.c
++++ b/arch/ia64/mm/discontig.c
+@@ -94,7 +94,7 @@ static int __init build_node_maps(unsigned long start, unsigned long len,
+ * acpi_boot_init() (which builds the node_to_cpu_mask array) hasn't been
+ * called yet. Note that node 0 will also count all non-existent cpus.
+ */
+-static int __meminit early_nr_cpus_node(int node)
++static int early_nr_cpus_node(int node)
+ {
+ int cpu, n = 0;
+
+@@ -109,7 +109,7 @@ static int __meminit early_nr_cpus_node(int node)
+ * compute_pernodesize - compute size of pernode data
+ * @node: the node id.
+ */
+-static unsigned long __meminit compute_pernodesize(int node)
++static unsigned long compute_pernodesize(int node)
+ {
+ unsigned long pernodesize = 0, cpus;
+
+@@ -366,7 +366,7 @@ static void __init reserve_pernode_space(void)
+ }
+ }
+
+-static void __meminit scatter_node_data(void)
++static void scatter_node_data(void)
+ {
+ pg_data_t **dst;
+ int node;
+diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
+index 71203324ff42b..81c458e996d9b 100644
+--- a/arch/s390/kernel/entry.S
++++ b/arch/s390/kernel/entry.S
+@@ -994,6 +994,7 @@ ENDPROC(ext_int_handler)
+ * Load idle PSW.
+ */
+ ENTRY(psw_idle)
++ stg %r14,(__SF_GPRS+8*8)(%r15)
+ stg %r3,__SF_EMPTY(%r15)
+ larl %r1,.Lpsw_idle_exit
+ stg %r1,__SF_EMPTY+8(%r15)
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index e7dc13fe5e29f..0b9975200ae35 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -4387,7 +4387,7 @@ static const struct x86_cpu_desc isolation_ucodes[] = {
+ INTEL_CPU_DESC(INTEL_FAM6_BROADWELL_D, 3, 0x07000009),
+ INTEL_CPU_DESC(INTEL_FAM6_BROADWELL_D, 4, 0x0f000009),
+ INTEL_CPU_DESC(INTEL_FAM6_BROADWELL_D, 5, 0x0e000002),
+- INTEL_CPU_DESC(INTEL_FAM6_BROADWELL_X, 2, 0x0b000014),
++ INTEL_CPU_DESC(INTEL_FAM6_BROADWELL_X, 1, 0x0b000014),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 3, 0x00000021),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 4, 0x00000000),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 5, 0x00000000),
+diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
+index 7bdb1821215db..3112186a4f4b2 100644
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -1159,7 +1159,6 @@ enum {
+ SNBEP_PCI_QPI_PORT0_FILTER,
+ SNBEP_PCI_QPI_PORT1_FILTER,
+ BDX_PCI_QPI_PORT2_FILTER,
+- HSWEP_PCI_PCU_3,
+ };
+
+ static int snbep_qpi_hw_config(struct intel_uncore_box *box, struct perf_event *event)
+@@ -2816,22 +2815,33 @@ static struct intel_uncore_type *hswep_msr_uncores[] = {
+ NULL,
+ };
+
+-void hswep_uncore_cpu_init(void)
++#define HSWEP_PCU_DID 0x2fc0
++#define HSWEP_PCU_CAPID4_OFFET 0x94
++#define hswep_get_chop(_cap) (((_cap) >> 6) & 0x3)
++
++static bool hswep_has_limit_sbox(unsigned int device)
+ {
+- int pkg = boot_cpu_data.logical_proc_id;
++ struct pci_dev *dev = pci_get_device(PCI_VENDOR_ID_INTEL, device, NULL);
++ u32 capid4;
++
++ if (!dev)
++ return false;
++
++ pci_read_config_dword(dev, HSWEP_PCU_CAPID4_OFFET, &capid4);
++ if (!hswep_get_chop(capid4))
++ return true;
+
++ return false;
++}
++
++void hswep_uncore_cpu_init(void)
++{
+ if (hswep_uncore_cbox.num_boxes > boot_cpu_data.x86_max_cores)
+ hswep_uncore_cbox.num_boxes = boot_cpu_data.x86_max_cores;
+
+ /* Detect 6-8 core systems with only two SBOXes */
+- if (uncore_extra_pci_dev[pkg].dev[HSWEP_PCI_PCU_3]) {
+- u32 capid4;
+-
+- pci_read_config_dword(uncore_extra_pci_dev[pkg].dev[HSWEP_PCI_PCU_3],
+- 0x94, &capid4);
+- if (((capid4 >> 6) & 0x3) == 0)
+- hswep_uncore_sbox.num_boxes = 2;
+- }
++ if (hswep_has_limit_sbox(HSWEP_PCU_DID))
++ hswep_uncore_sbox.num_boxes = 2;
+
+ uncore_msr_uncores = hswep_msr_uncores;
+ }
+@@ -3094,11 +3104,6 @@ static const struct pci_device_id hswep_uncore_pci_ids[] = {
+ .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
+ SNBEP_PCI_QPI_PORT1_FILTER),
+ },
+- { /* PCU.3 (for Capability registers) */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x2fc0),
+- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
+- HSWEP_PCI_PCU_3),
+- },
+ { /* end: all zeroes */ }
+ };
+
+@@ -3190,27 +3195,18 @@ static struct event_constraint bdx_uncore_pcu_constraints[] = {
+ EVENT_CONSTRAINT_END
+ };
+
++#define BDX_PCU_DID 0x6fc0
++
+ void bdx_uncore_cpu_init(void)
+ {
+- int pkg = topology_phys_to_logical_pkg(boot_cpu_data.phys_proc_id);
+-
+ if (bdx_uncore_cbox.num_boxes > boot_cpu_data.x86_max_cores)
+ bdx_uncore_cbox.num_boxes = boot_cpu_data.x86_max_cores;
+ uncore_msr_uncores = bdx_msr_uncores;
+
+- /* BDX-DE doesn't have SBOX */
+- if (boot_cpu_data.x86_model == 86) {
+- uncore_msr_uncores[BDX_MSR_UNCORE_SBOX] = NULL;
+ /* Detect systems with no SBOXes */
+- } else if (uncore_extra_pci_dev[pkg].dev[HSWEP_PCI_PCU_3]) {
+- struct pci_dev *pdev;
+- u32 capid4;
+-
+- pdev = uncore_extra_pci_dev[pkg].dev[HSWEP_PCI_PCU_3];
+- pci_read_config_dword(pdev, 0x94, &capid4);
+- if (((capid4 >> 6) & 0x3) == 0)
+- bdx_msr_uncores[BDX_MSR_UNCORE_SBOX] = NULL;
+- }
++ if ((boot_cpu_data.x86_model == 86) || hswep_has_limit_sbox(BDX_PCU_DID))
++ uncore_msr_uncores[BDX_MSR_UNCORE_SBOX] = NULL;
++
+ hswep_uncore_pcu.constraints = bdx_uncore_pcu_constraints;
+ }
+
+@@ -3431,11 +3427,6 @@ static const struct pci_device_id bdx_uncore_pci_ids[] = {
+ .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
+ BDX_PCI_QPI_PORT2_FILTER),
+ },
+- { /* PCU.3 (for Capability registers) */
+- PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x6fc0),
+- .driver_data = UNCORE_PCI_DEV_DATA(UNCORE_EXTRA_PCI_DEV,
+- HSWEP_PCI_PCU_3),
+- },
+ { /* end: all zeroes */ }
+ };
+
+diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
+index a8f3af257e26c..b1deacbeb2669 100644
+--- a/arch/x86/kernel/crash.c
++++ b/arch/x86/kernel/crash.c
+@@ -337,7 +337,7 @@ int crash_setup_memmap_entries(struct kimage *image, struct boot_params *params)
+ struct crash_memmap_data cmd;
+ struct crash_mem *cmem;
+
+- cmem = vzalloc(sizeof(struct crash_mem));
++ cmem = vzalloc(struct_size(cmem, ranges, 1));
+ if (!cmem)
+ return -ENOMEM;
+
+diff --git a/block/ioctl.c b/block/ioctl.c
+index 3be4d0e2a96c3..ed240e170e148 100644
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -98,6 +98,8 @@ static int blkdev_reread_part(struct block_device *bdev, fmode_t mode)
+ return -EINVAL;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
++ if (bdev->bd_part_count)
++ return -EBUSY;
+
+ /*
+ * Reopen the device to revalidate the driver state and force a
+diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
+index 71827d9b0aa19..b7260749e8eee 100644
+--- a/drivers/dma/tegra20-apb-dma.c
++++ b/drivers/dma/tegra20-apb-dma.c
+@@ -723,7 +723,7 @@ static void tegra_dma_issue_pending(struct dma_chan *dc)
+ goto end;
+ }
+ if (!tdc->busy) {
+- err = pm_runtime_get_sync(tdc->tdma->dev);
++ err = pm_runtime_resume_and_get(tdc->tdma->dev);
+ if (err < 0) {
+ dev_err(tdc2dev(tdc), "Failed to enable DMA\n");
+ goto end;
+@@ -818,7 +818,7 @@ static void tegra_dma_synchronize(struct dma_chan *dc)
+ struct tegra_dma_channel *tdc = to_tegra_dma_chan(dc);
+ int err;
+
+- err = pm_runtime_get_sync(tdc->tdma->dev);
++ err = pm_runtime_resume_and_get(tdc->tdma->dev);
+ if (err < 0) {
+ dev_err(tdc2dev(tdc), "Failed to synchronize DMA: %d\n", err);
+ return;
+diff --git a/drivers/dma/xilinx/xilinx_dpdma.c b/drivers/dma/xilinx/xilinx_dpdma.c
+index 55df63dead8d3..70b29bd079c9f 100644
+--- a/drivers/dma/xilinx/xilinx_dpdma.c
++++ b/drivers/dma/xilinx/xilinx_dpdma.c
+@@ -839,6 +839,7 @@ static void xilinx_dpdma_chan_queue_transfer(struct xilinx_dpdma_chan *chan)
+ struct xilinx_dpdma_tx_desc *desc;
+ struct virt_dma_desc *vdesc;
+ u32 reg, channels;
++ bool first_frame;
+
+ lockdep_assert_held(&chan->lock);
+
+@@ -852,14 +853,6 @@ static void xilinx_dpdma_chan_queue_transfer(struct xilinx_dpdma_chan *chan)
+ chan->running = true;
+ }
+
+- if (chan->video_group)
+- channels = xilinx_dpdma_chan_video_group_ready(chan);
+- else
+- channels = BIT(chan->id);
+-
+- if (!channels)
+- return;
+-
+ vdesc = vchan_next_desc(&chan->vchan);
+ if (!vdesc)
+ return;
+@@ -884,13 +877,26 @@ static void xilinx_dpdma_chan_queue_transfer(struct xilinx_dpdma_chan *chan)
+ FIELD_PREP(XILINX_DPDMA_CH_DESC_START_ADDRE_MASK,
+ upper_32_bits(sw_desc->dma_addr)));
+
+- if (chan->first_frame)
++ first_frame = chan->first_frame;
++ chan->first_frame = false;
++
++ if (chan->video_group) {
++ channels = xilinx_dpdma_chan_video_group_ready(chan);
++ /*
++ * Trigger the transfer only when all channels in the group are
++ * ready.
++ */
++ if (!channels)
++ return;
++ } else {
++ channels = BIT(chan->id);
++ }
++
++ if (first_frame)
+ reg = XILINX_DPDMA_GBL_TRIG_MASK(channels);
+ else
+ reg = XILINX_DPDMA_GBL_RETRIG_MASK(channels);
+
+- chan->first_frame = false;
+-
+ dpdma_write(xdev->reg, XILINX_DPDMA_GBL, reg);
+ }
+
+@@ -1042,13 +1048,14 @@ static int xilinx_dpdma_chan_stop(struct xilinx_dpdma_chan *chan)
+ */
+ static void xilinx_dpdma_chan_done_irq(struct xilinx_dpdma_chan *chan)
+ {
+- struct xilinx_dpdma_tx_desc *active = chan->desc.active;
++ struct xilinx_dpdma_tx_desc *active;
+ unsigned long flags;
+
+ spin_lock_irqsave(&chan->lock, flags);
+
+ xilinx_dpdma_debugfs_desc_done_irq(chan);
+
++ active = chan->desc.active;
+ if (active)
+ vchan_cyclic_callback(&active->vdesc);
+ else
+diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
+index f7ceb2b11afc5..a7e8ed5191a8e 100644
+--- a/drivers/gpio/gpio-omap.c
++++ b/drivers/gpio/gpio-omap.c
+@@ -29,6 +29,7 @@
+ #define OMAP4_GPIO_DEBOUNCINGTIME_MASK 0xFF
+
+ struct gpio_regs {
++ u32 sysconfig;
+ u32 irqenable1;
+ u32 irqenable2;
+ u32 wake_en;
+@@ -1072,6 +1073,7 @@ static void omap_gpio_init_context(struct gpio_bank *p)
+ const struct omap_gpio_reg_offs *regs = p->regs;
+ void __iomem *base = p->base;
+
++ p->context.sysconfig = readl_relaxed(base + regs->sysconfig);
+ p->context.ctrl = readl_relaxed(base + regs->ctrl);
+ p->context.oe = readl_relaxed(base + regs->direction);
+ p->context.wake_en = readl_relaxed(base + regs->wkup_en);
+@@ -1091,6 +1093,7 @@ static void omap_gpio_restore_context(struct gpio_bank *bank)
+ const struct omap_gpio_reg_offs *regs = bank->regs;
+ void __iomem *base = bank->base;
+
++ writel_relaxed(bank->context.sysconfig, base + regs->sysconfig);
+ writel_relaxed(bank->context.wake_en, base + regs->wkup_en);
+ writel_relaxed(bank->context.ctrl, base + regs->ctrl);
+ writel_relaxed(bank->context.leveldetect0, base + regs->leveldetect0);
+@@ -1118,6 +1121,10 @@ static void omap_gpio_idle(struct gpio_bank *bank, bool may_lose_context)
+
+ bank->saved_datain = readl_relaxed(base + bank->regs->datain);
+
++ /* Save syconfig, it's runtime value can be different from init value */
++ if (bank->loses_context)
++ bank->context.sysconfig = readl_relaxed(base + bank->regs->sysconfig);
++
+ if (!bank->enabled_non_wakeup_gpios)
+ goto update_gpio_context_count;
+
+@@ -1282,6 +1289,7 @@ out_unlock:
+
+ static const struct omap_gpio_reg_offs omap2_gpio_regs = {
+ .revision = OMAP24XX_GPIO_REVISION,
++ .sysconfig = OMAP24XX_GPIO_SYSCONFIG,
+ .direction = OMAP24XX_GPIO_OE,
+ .datain = OMAP24XX_GPIO_DATAIN,
+ .dataout = OMAP24XX_GPIO_DATAOUT,
+@@ -1305,6 +1313,7 @@ static const struct omap_gpio_reg_offs omap2_gpio_regs = {
+
+ static const struct omap_gpio_reg_offs omap4_gpio_regs = {
+ .revision = OMAP4_GPIO_REVISION,
++ .sysconfig = OMAP4_GPIO_SYSCONFIG,
+ .direction = OMAP4_GPIO_OE,
+ .datain = OMAP4_GPIO_DATAIN,
+ .dataout = OMAP4_GPIO_DATAOUT,
+diff --git a/drivers/hid/hid-alps.c b/drivers/hid/hid-alps.c
+index 3feaece13ade0..6b665931147df 100644
+--- a/drivers/hid/hid-alps.c
++++ b/drivers/hid/hid-alps.c
+@@ -761,6 +761,7 @@ static int alps_input_configured(struct hid_device *hdev, struct hid_input *hi)
+
+ if (input_register_device(data->input2)) {
+ input_free_device(input2);
++ ret = -ENOENT;
+ goto exit;
+ }
+ }
+diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
+index 21e15627a4614..477baa30889cc 100644
+--- a/drivers/hid/hid-cp2112.c
++++ b/drivers/hid/hid-cp2112.c
+@@ -161,6 +161,7 @@ struct cp2112_device {
+ atomic_t read_avail;
+ atomic_t xfer_avail;
+ struct gpio_chip gc;
++ struct irq_chip irq;
+ u8 *in_out_buffer;
+ struct mutex lock;
+
+@@ -1175,16 +1176,6 @@ static int cp2112_gpio_irq_type(struct irq_data *d, unsigned int type)
+ return 0;
+ }
+
+-static struct irq_chip cp2112_gpio_irqchip = {
+- .name = "cp2112-gpio",
+- .irq_startup = cp2112_gpio_irq_startup,
+- .irq_shutdown = cp2112_gpio_irq_shutdown,
+- .irq_ack = cp2112_gpio_irq_ack,
+- .irq_mask = cp2112_gpio_irq_mask,
+- .irq_unmask = cp2112_gpio_irq_unmask,
+- .irq_set_type = cp2112_gpio_irq_type,
+-};
+-
+ static int __maybe_unused cp2112_allocate_irq(struct cp2112_device *dev,
+ int pin)
+ {
+@@ -1339,8 +1330,17 @@ static int cp2112_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ dev->gc.can_sleep = 1;
+ dev->gc.parent = &hdev->dev;
+
++ dev->irq.name = "cp2112-gpio";
++ dev->irq.irq_startup = cp2112_gpio_irq_startup;
++ dev->irq.irq_shutdown = cp2112_gpio_irq_shutdown;
++ dev->irq.irq_ack = cp2112_gpio_irq_ack;
++ dev->irq.irq_mask = cp2112_gpio_irq_mask;
++ dev->irq.irq_unmask = cp2112_gpio_irq_unmask;
++ dev->irq.irq_set_type = cp2112_gpio_irq_type;
++ dev->irq.flags = IRQCHIP_MASK_ON_SUSPEND;
++
+ girq = &dev->gc.irq;
+- girq->chip = &cp2112_gpio_irqchip;
++ girq->chip = &dev->irq;
+ /* The event comes from the outside so no parent handler */
+ girq->parent_handler = NULL;
+ girq->num_parents = 0;
+diff --git a/drivers/hid/hid-google-hammer.c b/drivers/hid/hid-google-hammer.c
+index 85a054f1ce389..2a176f77b32e9 100644
+--- a/drivers/hid/hid-google-hammer.c
++++ b/drivers/hid/hid-google-hammer.c
+@@ -526,6 +526,8 @@ static void hammer_remove(struct hid_device *hdev)
+ }
+
+ static const struct hid_device_id hammer_devices[] = {
++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_DON) },
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_GOOGLE, USB_DEVICE_ID_GOOGLE_HAMMER) },
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 06813f297dcca..b93ce0d475e09 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -486,6 +486,7 @@
+ #define USB_DEVICE_ID_GOOGLE_MASTERBALL 0x503c
+ #define USB_DEVICE_ID_GOOGLE_MAGNEMITE 0x503d
+ #define USB_DEVICE_ID_GOOGLE_MOONBALL 0x5044
++#define USB_DEVICE_ID_GOOGLE_DON 0x5050
+
+ #define USB_VENDOR_ID_GOTOP 0x08f2
+ #define USB_DEVICE_ID_SUPER_Q2 0x007f
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index 6cda5935fc09c..2d70dc4bea654 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2533,7 +2533,7 @@ static void wacom_wac_finger_slot(struct wacom_wac *wacom_wac,
+ !wacom_wac->shared->is_touch_on) {
+ if (!wacom_wac->shared->touch_down)
+ return;
+- prox = 0;
++ prox = false;
+ }
+
+ wacom_wac->hid_data.num_received++;
+diff --git a/drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h b/drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h
+index b248966837b4c..7aad40b2aa736 100644
+--- a/drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h
++++ b/drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h
+@@ -412,7 +412,7 @@
+ | CN6XXX_INTR_M0UNWI_ERR \
+ | CN6XXX_INTR_M1UPB0_ERR \
+ | CN6XXX_INTR_M1UPWI_ERR \
+- | CN6XXX_INTR_M1UPB0_ERR \
++ | CN6XXX_INTR_M1UNB0_ERR \
+ | CN6XXX_INTR_M1UNWI_ERR \
+ | CN6XXX_INTR_INSTR_DB_OF_ERR \
+ | CN6XXX_INTR_SLIST_DB_OF_ERR \
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index abd37f26af682..11864ac101b8d 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -890,6 +890,9 @@ static int geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
+ __be16 sport;
+ int err;
+
++ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
++ return -EINVAL;
++
+ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
+ geneve->cfg.info.key.tp_dst, sport);
+@@ -984,6 +987,9 @@ static int geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
+ __be16 sport;
+ int err;
+
++ if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))
++ return -EINVAL;
++
+ sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+ dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info,
+ geneve->cfg.info.key.tp_dst, sport);
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index d18642a8144cf..4909405803d57 100644
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -3104,7 +3104,7 @@ static void hso_free_interface(struct usb_interface *interface)
+ cancel_work_sync(&serial_table[i]->async_put_intf);
+ cancel_work_sync(&serial_table[i]->async_get_intf);
+ hso_serial_tty_unregister(serial);
+- kref_put(&serial_table[i]->ref, hso_serial_ref_free);
++ kref_put(&serial->parent->ref, hso_serial_ref_free);
+ }
+ }
+
+diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c
+index 6f10e0998f1ce..94d19158efc18 100644
+--- a/drivers/net/xen-netback/xenbus.c
++++ b/drivers/net/xen-netback/xenbus.c
+@@ -824,11 +824,15 @@ static void connect(struct backend_info *be)
+ xenvif_carrier_on(be->vif);
+
+ unregister_hotplug_status_watch(be);
+- err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL,
+- hotplug_status_changed,
+- "%s/%s", dev->nodename, "hotplug-status");
+- if (!err)
++ if (xenbus_exists(XBT_NIL, dev->nodename, "hotplug-status")) {
++ err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch,
++ NULL, hotplug_status_changed,
++ "%s/%s", dev->nodename,
++ "hotplug-status");
++ if (err)
++ goto err;
+ be->have_hotplug_status_watch = 1;
++ }
+
+ netif_tx_wake_all_queues(be->vif->dev);
+
+diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c
+index 9fc4433fece4f..20b477cd5a30a 100644
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -1604,8 +1604,8 @@ static int pinctrl_pins_show(struct seq_file *s, void *what)
+ unsigned i, pin;
+ #ifdef CONFIG_GPIOLIB
+ struct pinctrl_gpio_range *range;
+- unsigned int gpio_num;
+ struct gpio_chip *chip;
++ int gpio_num;
+ #endif
+
+ seq_printf(s, "registered pins: %d\n", pctldev->desc->npins);
+@@ -1625,7 +1625,7 @@ static int pinctrl_pins_show(struct seq_file *s, void *what)
+ seq_printf(s, "pin %d (%s) ", pin, desc->name);
+
+ #ifdef CONFIG_GPIOLIB
+- gpio_num = 0;
++ gpio_num = -1;
+ list_for_each_entry(range, &pctldev->gpio_ranges, node) {
+ if ((pin >= range->pin_base) &&
+ (pin < (range->pin_base + range->npins))) {
+@@ -1633,10 +1633,12 @@ static int pinctrl_pins_show(struct seq_file *s, void *what)
+ break;
+ }
+ }
+- chip = gpio_to_chip(gpio_num);
+- if (chip && chip->gpiodev && chip->gpiodev->base)
+- seq_printf(s, "%u:%s ", gpio_num -
+- chip->gpiodev->base, chip->label);
++ if (gpio_num >= 0)
++ chip = gpio_to_chip(gpio_num);
++ else
++ chip = NULL;
++ if (chip)
++ seq_printf(s, "%u:%s ", gpio_num - chip->gpiodev->base, chip->label);
+ else
+ seq_puts(s, "0:? ");
+ #endif
+diff --git a/drivers/pinctrl/intel/pinctrl-lewisburg.c b/drivers/pinctrl/intel/pinctrl-lewisburg.c
+index 7fdf4257df1ed..ad4b446d588e6 100644
+--- a/drivers/pinctrl/intel/pinctrl-lewisburg.c
++++ b/drivers/pinctrl/intel/pinctrl-lewisburg.c
+@@ -299,9 +299,9 @@ static const struct pinctrl_pin_desc lbg_pins[] = {
+ static const struct intel_community lbg_communities[] = {
+ LBG_COMMUNITY(0, 0, 71),
+ LBG_COMMUNITY(1, 72, 132),
+- LBG_COMMUNITY(3, 133, 144),
+- LBG_COMMUNITY(4, 145, 180),
+- LBG_COMMUNITY(5, 181, 246),
++ LBG_COMMUNITY(3, 133, 143),
++ LBG_COMMUNITY(4, 144, 178),
++ LBG_COMMUNITY(5, 179, 246),
+ };
+
+ static const struct intel_pinctrl_soc_data lbg_soc_data = {
+diff --git a/drivers/soc/qcom/qcom-geni-se.c b/drivers/soc/qcom/qcom-geni-se.c
+index be76fddbf524b..0dbca679bd32f 100644
+--- a/drivers/soc/qcom/qcom-geni-se.c
++++ b/drivers/soc/qcom/qcom-geni-se.c
+@@ -741,6 +741,9 @@ int geni_icc_get(struct geni_se *se, const char *icc_ddr)
+ int i, err;
+ const char *icc_names[] = {"qup-core", "qup-config", icc_ddr};
+
++ if (has_acpi_companion(se->dev))
++ return 0;
++
+ for (i = 0; i < ARRAY_SIZE(se->icc_paths); i++) {
+ if (!icc_names[i])
+ continue;
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index e79359326411a..bc035ba6e0105 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1637,12 +1637,13 @@ static int acm_resume(struct usb_interface *intf)
+ struct urb *urb;
+ int rv = 0;
+
+- acm_unpoison_urbs(acm);
+ spin_lock_irq(&acm->write_lock);
+
+ if (--acm->susp_count)
+ goto out;
+
++ acm_unpoison_urbs(acm);
++
+ if (tty_port_initialized(&acm->port)) {
+ rv = usb_submit_urb(acm->ctrlurb, GFP_ATOMIC);
+
+diff --git a/drivers/vdpa/mlx5/core/mr.c b/drivers/vdpa/mlx5/core/mr.c
+index d300f799efcd1..aa656f57bf5b7 100644
+--- a/drivers/vdpa/mlx5/core/mr.c
++++ b/drivers/vdpa/mlx5/core/mr.c
+@@ -273,8 +273,10 @@ done:
+ mr->log_size = log_entity_size;
+ mr->nsg = nsg;
+ mr->nent = dma_map_sg_attrs(dma, mr->sg_head.sgl, mr->nsg, DMA_BIDIRECTIONAL, 0);
+- if (!mr->nent)
++ if (!mr->nent) {
++ err = -ENOMEM;
+ goto err_map;
++ }
+
+ err = create_direct_mr(mvdev, mr);
+ if (err)
+diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
+index fc5707ada024e..84e5949bc8617 100644
+--- a/drivers/vhost/vdpa.c
++++ b/drivers/vhost/vdpa.c
+@@ -749,9 +749,11 @@ static int vhost_vdpa_process_iotlb_msg(struct vhost_dev *dev,
+ const struct vdpa_config_ops *ops = vdpa->config;
+ int r = 0;
+
++ mutex_lock(&dev->mutex);
++
+ r = vhost_dev_check_owner(dev);
+ if (r)
+- return r;
++ goto unlock;
+
+ switch (msg->type) {
+ case VHOST_IOTLB_UPDATE:
+@@ -772,6 +774,8 @@ static int vhost_vdpa_process_iotlb_msg(struct vhost_dev *dev,
+ r = -EINVAL;
+ break;
+ }
++unlock:
++ mutex_unlock(&dev->mutex);
+
+ return r;
+ }
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index b416bba3a62b5..8ad819132dde3 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -1259,6 +1259,11 @@ static inline bool bpf_allow_ptr_leaks(void)
+ return perfmon_capable();
+ }
+
++static inline bool bpf_allow_uninit_stack(void)
++{
++ return perfmon_capable();
++}
++
+ static inline bool bpf_allow_ptr_to_map_access(void)
+ {
+ return perfmon_capable();
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
+index e83ef6f6bf43a..85bac3191e127 100644
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -187,7 +187,7 @@ struct bpf_func_state {
+ * 0 = main function, 1 = first callee.
+ */
+ u32 frameno;
+- /* subprog number == index within subprog_stack_depth
++ /* subprog number == index within subprog_info
+ * zero == main subprog
+ */
+ u32 subprogno;
+@@ -390,6 +390,7 @@ struct bpf_verifier_env {
+ u32 used_map_cnt; /* number of used maps */
+ u32 id_gen; /* used to generate unique reg IDs */
+ bool allow_ptr_leaks;
++ bool allow_uninit_stack;
+ bool allow_ptr_to_map_access;
+ bool bpf_capable;
+ bool bypass_spec_v1;
+diff --git a/include/linux/platform_data/gpio-omap.h b/include/linux/platform_data/gpio-omap.h
+index 8b30b14b47d3f..f377817ce75c1 100644
+--- a/include/linux/platform_data/gpio-omap.h
++++ b/include/linux/platform_data/gpio-omap.h
+@@ -85,6 +85,7 @@
+ * omap2+ specific GPIO registers
+ */
+ #define OMAP24XX_GPIO_REVISION 0x0000
++#define OMAP24XX_GPIO_SYSCONFIG 0x0010
+ #define OMAP24XX_GPIO_IRQSTATUS1 0x0018
+ #define OMAP24XX_GPIO_IRQSTATUS2 0x0028
+ #define OMAP24XX_GPIO_IRQENABLE2 0x002c
+@@ -108,6 +109,7 @@
+ #define OMAP24XX_GPIO_SETDATAOUT 0x0094
+
+ #define OMAP4_GPIO_REVISION 0x0000
++#define OMAP4_GPIO_SYSCONFIG 0x0010
+ #define OMAP4_GPIO_EOI 0x0020
+ #define OMAP4_GPIO_IRQSTATUSRAW0 0x0024
+ #define OMAP4_GPIO_IRQSTATUSRAW1 0x0028
+@@ -148,6 +150,7 @@
+ #ifndef __ASSEMBLER__
+ struct omap_gpio_reg_offs {
+ u16 revision;
++ u16 sysconfig;
+ u16 direction;
+ u16 datain;
+ u16 dataout;
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 3370f0d476e97..b9180509917e3 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2268,12 +2268,14 @@ static void save_register_state(struct bpf_func_state *state,
+ state->stack[spi].slot_type[i] = STACK_SPILL;
+ }
+
+-/* check_stack_read/write functions track spill/fill of registers,
++/* check_stack_{read,write}_fixed_off functions track spill/fill of registers,
+ * stack boundary and alignment are checked in check_mem_access()
+ */
+-static int check_stack_write(struct bpf_verifier_env *env,
+- struct bpf_func_state *state, /* func where register points to */
+- int off, int size, int value_regno, int insn_idx)
++static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
++ /* stack frame we're writing to */
++ struct bpf_func_state *state,
++ int off, int size, int value_regno,
++ int insn_idx)
+ {
+ struct bpf_func_state *cur; /* state of the current function */
+ int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
+@@ -2399,9 +2401,175 @@ static int check_stack_write(struct bpf_verifier_env *env,
+ return 0;
+ }
+
+-static int check_stack_read(struct bpf_verifier_env *env,
+- struct bpf_func_state *reg_state /* func where register points to */,
+- int off, int size, int value_regno)
++/* Write the stack: 'stack[ptr_regno + off] = value_regno'. 'ptr_regno' is
++ * known to contain a variable offset.
++ * This function checks whether the write is permitted and conservatively
++ * tracks the effects of the write, considering that each stack slot in the
++ * dynamic range is potentially written to.
++ *
++ * 'off' includes 'regno->off'.
++ * 'value_regno' can be -1, meaning that an unknown value is being written to
++ * the stack.
++ *
++ * Spilled pointers in range are not marked as written because we don't know
++ * what's going to be actually written. This means that read propagation for
++ * future reads cannot be terminated by this write.
++ *
++ * For privileged programs, uninitialized stack slots are considered
++ * initialized by this write (even though we don't know exactly what offsets
++ * are going to be written to). The idea is that we don't want the verifier to
++ * reject future reads that access slots written to through variable offsets.
++ */
++static int check_stack_write_var_off(struct bpf_verifier_env *env,
++ /* func where register points to */
++ struct bpf_func_state *state,
++ int ptr_regno, int off, int size,
++ int value_regno, int insn_idx)
++{
++ struct bpf_func_state *cur; /* state of the current function */
++ int min_off, max_off;
++ int i, err;
++ struct bpf_reg_state *ptr_reg = NULL, *value_reg = NULL;
++ bool writing_zero = false;
++ /* set if the fact that we're writing a zero is used to let any
++ * stack slots remain STACK_ZERO
++ */
++ bool zero_used = false;
++
++ cur = env->cur_state->frame[env->cur_state->curframe];
++ ptr_reg = &cur->regs[ptr_regno];
++ min_off = ptr_reg->smin_value + off;
++ max_off = ptr_reg->smax_value + off + size;
++ if (value_regno >= 0)
++ value_reg = &cur->regs[value_regno];
++ if (value_reg && register_is_null(value_reg))
++ writing_zero = true;
++
++ err = realloc_func_state(state, round_up(-min_off, BPF_REG_SIZE),
++ state->acquired_refs, true);
++ if (err)
++ return err;
++
++
++ /* Variable offset writes destroy any spilled pointers in range. */
++ for (i = min_off; i < max_off; i++) {
++ u8 new_type, *stype;
++ int slot, spi;
++
++ slot = -i - 1;
++ spi = slot / BPF_REG_SIZE;
++ stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
++
++ if (!env->allow_ptr_leaks
++ && *stype != NOT_INIT
++ && *stype != SCALAR_VALUE) {
++ /* Reject the write if there's are spilled pointers in
++ * range. If we didn't reject here, the ptr status
++ * would be erased below (even though not all slots are
++ * actually overwritten), possibly opening the door to
++ * leaks.
++ */
++ verbose(env, "spilled ptr in range of var-offset stack write; insn %d, ptr off: %d",
++ insn_idx, i);
++ return -EINVAL;
++ }
++
++ /* Erase all spilled pointers. */
++ state->stack[spi].spilled_ptr.type = NOT_INIT;
++
++ /* Update the slot type. */
++ new_type = STACK_MISC;
++ if (writing_zero && *stype == STACK_ZERO) {
++ new_type = STACK_ZERO;
++ zero_used = true;
++ }
++ /* If the slot is STACK_INVALID, we check whether it's OK to
++ * pretend that it will be initialized by this write. The slot
++ * might not actually be written to, and so if we mark it as
++ * initialized future reads might leak uninitialized memory.
++ * For privileged programs, we will accept such reads to slots
++ * that may or may not be written because, if we're reject
++ * them, the error would be too confusing.
++ */
++ if (*stype == STACK_INVALID && !env->allow_uninit_stack) {
++ verbose(env, "uninit stack in range of var-offset write prohibited for !root; insn %d, off: %d",
++ insn_idx, i);
++ return -EINVAL;
++ }
++ *stype = new_type;
++ }
++ if (zero_used) {
++ /* backtracking doesn't work for STACK_ZERO yet. */
++ err = mark_chain_precision(env, value_regno);
++ if (err)
++ return err;
++ }
++ return 0;
++}
++
++/* When register 'dst_regno' is assigned some values from stack[min_off,
++ * max_off), we set the register's type according to the types of the
++ * respective stack slots. If all the stack values are known to be zeros, then
++ * so is the destination reg. Otherwise, the register is considered to be
++ * SCALAR. This function does not deal with register filling; the caller must
++ * ensure that all spilled registers in the stack range have been marked as
++ * read.
++ */
++static void mark_reg_stack_read(struct bpf_verifier_env *env,
++ /* func where src register points to */
++ struct bpf_func_state *ptr_state,
++ int min_off, int max_off, int dst_regno)
++{
++ struct bpf_verifier_state *vstate = env->cur_state;
++ struct bpf_func_state *state = vstate->frame[vstate->curframe];
++ int i, slot, spi;
++ u8 *stype;
++ int zeros = 0;
++
++ for (i = min_off; i < max_off; i++) {
++ slot = -i - 1;
++ spi = slot / BPF_REG_SIZE;
++ stype = ptr_state->stack[spi].slot_type;
++ if (stype[slot % BPF_REG_SIZE] != STACK_ZERO)
++ break;
++ zeros++;
++ }
++ if (zeros == max_off - min_off) {
++ /* any access_size read into register is zero extended,
++ * so the whole register == const_zero
++ */
++ __mark_reg_const_zero(&state->regs[dst_regno]);
++ /* backtracking doesn't support STACK_ZERO yet,
++ * so mark it precise here, so that later
++ * backtracking can stop here.
++ * Backtracking may not need this if this register
++ * doesn't participate in pointer adjustment.
++ * Forward propagation of precise flag is not
++ * necessary either. This mark is only to stop
++ * backtracking. Any register that contributed
++ * to const 0 was marked precise before spill.
++ */
++ state->regs[dst_regno].precise = true;
++ } else {
++ /* have read misc data from the stack */
++ mark_reg_unknown(env, state->regs, dst_regno);
++ }
++ state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
++}
++
++/* Read the stack at 'off' and put the results into the register indicated by
++ * 'dst_regno'. It handles reg filling if the addressed stack slot is a
++ * spilled reg.
++ *
++ * 'dst_regno' can be -1, meaning that the read value is not going to a
++ * register.
++ *
++ * The access is assumed to be within the current stack bounds.
++ */
++static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
++ /* func where src register points to */
++ struct bpf_func_state *reg_state,
++ int off, int size, int dst_regno)
+ {
+ struct bpf_verifier_state *vstate = env->cur_state;
+ struct bpf_func_state *state = vstate->frame[vstate->curframe];
+@@ -2409,11 +2577,6 @@ static int check_stack_read(struct bpf_verifier_env *env,
+ struct bpf_reg_state *reg;
+ u8 *stype;
+
+- if (reg_state->allocated_stack <= slot) {
+- verbose(env, "invalid read from stack off %d+0 size %d\n",
+- off, size);
+- return -EACCES;
+- }
+ stype = reg_state->stack[spi].slot_type;
+ reg = &reg_state->stack[spi].spilled_ptr;
+
+@@ -2424,9 +2587,9 @@ static int check_stack_read(struct bpf_verifier_env *env,
+ verbose(env, "invalid size of register fill\n");
+ return -EACCES;
+ }
+- if (value_regno >= 0) {
+- mark_reg_unknown(env, state->regs, value_regno);
+- state->regs[value_regno].live |= REG_LIVE_WRITTEN;
++ if (dst_regno >= 0) {
++ mark_reg_unknown(env, state->regs, dst_regno);
++ state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
+ }
+ mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
+ return 0;
+@@ -2438,16 +2601,16 @@ static int check_stack_read(struct bpf_verifier_env *env,
+ }
+ }
+
+- if (value_regno >= 0) {
++ if (dst_regno >= 0) {
+ /* restore register state from stack */
+- state->regs[value_regno] = *reg;
++ state->regs[dst_regno] = *reg;
+ /* mark reg as written since spilled pointer state likely
+ * has its liveness marks cleared by is_state_visited()
+ * which resets stack/reg liveness for state transitions
+ */
+- state->regs[value_regno].live |= REG_LIVE_WRITTEN;
++ state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
+ } else if (__is_pointer_value(env->allow_ptr_leaks, reg)) {
+- /* If value_regno==-1, the caller is asking us whether
++ /* If dst_regno==-1, the caller is asking us whether
+ * it is acceptable to use this value as a SCALAR_VALUE
+ * (e.g. for XADD).
+ * We must not allow unprivileged callers to do that
+@@ -2459,70 +2622,167 @@ static int check_stack_read(struct bpf_verifier_env *env,
+ }
+ mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
+ } else {
+- int zeros = 0;
++ u8 type;
+
+ for (i = 0; i < size; i++) {
+- if (stype[(slot - i) % BPF_REG_SIZE] == STACK_MISC)
++ type = stype[(slot - i) % BPF_REG_SIZE];
++ if (type == STACK_MISC)
+ continue;
+- if (stype[(slot - i) % BPF_REG_SIZE] == STACK_ZERO) {
+- zeros++;
++ if (type == STACK_ZERO)
+ continue;
+- }
+ verbose(env, "invalid read from stack off %d+%d size %d\n",
+ off, i, size);
+ return -EACCES;
+ }
+ mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
+- if (value_regno >= 0) {
+- if (zeros == size) {
+- /* any size read into register is zero extended,
+- * so the whole register == const_zero
+- */
+- __mark_reg_const_zero(&state->regs[value_regno]);
+- /* backtracking doesn't support STACK_ZERO yet,
+- * so mark it precise here, so that later
+- * backtracking can stop here.
+- * Backtracking may not need this if this register
+- * doesn't participate in pointer adjustment.
+- * Forward propagation of precise flag is not
+- * necessary either. This mark is only to stop
+- * backtracking. Any register that contributed
+- * to const 0 was marked precise before spill.
+- */
+- state->regs[value_regno].precise = true;
+- } else {
+- /* have read misc data from the stack */
+- mark_reg_unknown(env, state->regs, value_regno);
+- }
+- state->regs[value_regno].live |= REG_LIVE_WRITTEN;
+- }
++ if (dst_regno >= 0)
++ mark_reg_stack_read(env, reg_state, off, off + size, dst_regno);
+ }
+ return 0;
+ }
+
+-static int check_stack_access(struct bpf_verifier_env *env,
+- const struct bpf_reg_state *reg,
+- int off, int size)
++enum stack_access_src {
++ ACCESS_DIRECT = 1, /* the access is performed by an instruction */
++ ACCESS_HELPER = 2, /* the access is performed by a helper */
++};
++
++static int check_stack_range_initialized(struct bpf_verifier_env *env,
++ int regno, int off, int access_size,
++ bool zero_size_allowed,
++ enum stack_access_src type,
++ struct bpf_call_arg_meta *meta);
++
++static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)
++{
++ return cur_regs(env) + regno;
++}
++
++/* Read the stack at 'ptr_regno + off' and put the result into the register
++ * 'dst_regno'.
++ * 'off' includes the pointer register's fixed offset(i.e. 'ptr_regno.off'),
++ * but not its variable offset.
++ * 'size' is assumed to be <= reg size and the access is assumed to be aligned.
++ *
++ * As opposed to check_stack_read_fixed_off, this function doesn't deal with
++ * filling registers (i.e. reads of spilled register cannot be detected when
++ * the offset is not fixed). We conservatively mark 'dst_regno' as containing
++ * SCALAR_VALUE. That's why we assert that the 'ptr_regno' has a variable
++ * offset; for a fixed offset check_stack_read_fixed_off should be used
++ * instead.
++ */
++static int check_stack_read_var_off(struct bpf_verifier_env *env,
++ int ptr_regno, int off, int size, int dst_regno)
++{
++ /* The state of the source register. */
++ struct bpf_reg_state *reg = reg_state(env, ptr_regno);
++ struct bpf_func_state *ptr_state = func(env, reg);
++ int err;
++ int min_off, max_off;
++
++ /* Note that we pass a NULL meta, so raw access will not be permitted.
++ */
++ err = check_stack_range_initialized(env, ptr_regno, off, size,
++ false, ACCESS_DIRECT, NULL);
++ if (err)
++ return err;
++
++ min_off = reg->smin_value + off;
++ max_off = reg->smax_value + off;
++ mark_reg_stack_read(env, ptr_state, min_off, max_off + size, dst_regno);
++ return 0;
++}
++
++/* check_stack_read dispatches to check_stack_read_fixed_off or
++ * check_stack_read_var_off.
++ *
++ * The caller must ensure that the offset falls within the allocated stack
++ * bounds.
++ *
++ * 'dst_regno' is a register which will receive the value from the stack. It
++ * can be -1, meaning that the read value is not going to a register.
++ */
++static int check_stack_read(struct bpf_verifier_env *env,
++ int ptr_regno, int off, int size,
++ int dst_regno)
+ {
+- /* Stack accesses must be at a fixed offset, so that we
+- * can determine what type of data were returned. See
+- * check_stack_read().
++ struct bpf_reg_state *reg = reg_state(env, ptr_regno);
++ struct bpf_func_state *state = func(env, reg);
++ int err;
++ /* Some accesses are only permitted with a static offset. */
++ bool var_off = !tnum_is_const(reg->var_off);
++
++ /* The offset is required to be static when reads don't go to a
++ * register, in order to not leak pointers (see
++ * check_stack_read_fixed_off).
+ */
+- if (!tnum_is_const(reg->var_off)) {
++ if (dst_regno < 0 && var_off) {
+ char tn_buf[48];
+
+ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+- verbose(env, "variable stack access var_off=%s off=%d size=%d\n",
++ verbose(env, "variable offset stack pointer cannot be passed into helper function; var_off=%s off=%d size=%d\n",
+ tn_buf, off, size);
+ return -EACCES;
+ }
++ /* Variable offset is prohibited for unprivileged mode for simplicity
++ * since it requires corresponding support in Spectre masking for stack
++ * ALU. See also retrieve_ptr_limit().
++ */
++ if (!env->bypass_spec_v1 && var_off) {
++ char tn_buf[48];
+
+- if (off >= 0 || off < -MAX_BPF_STACK) {
+- verbose(env, "invalid stack off=%d size=%d\n", off, size);
++ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
++ verbose(env, "R%d variable offset stack access prohibited for !root, var_off=%s\n",
++ ptr_regno, tn_buf);
+ return -EACCES;
+ }
+
+- return 0;
++ if (!var_off) {
++ off += reg->var_off.value;
++ err = check_stack_read_fixed_off(env, state, off, size,
++ dst_regno);
++ } else {
++ /* Variable offset stack reads need more conservative handling
++ * than fixed offset ones. Note that dst_regno >= 0 on this
++ * branch.
++ */
++ err = check_stack_read_var_off(env, ptr_regno, off, size,
++ dst_regno);
++ }
++ return err;
++}
++
++
++/* check_stack_write dispatches to check_stack_write_fixed_off or
++ * check_stack_write_var_off.
++ *
++ * 'ptr_regno' is the register used as a pointer into the stack.
++ * 'off' includes 'ptr_regno->off', but not its variable offset (if any).
++ * 'value_regno' is the register whose value we're writing to the stack. It can
++ * be -1, meaning that we're not writing from a register.
++ *
++ * The caller must ensure that the offset falls within the maximum stack size.
++ */
++static int check_stack_write(struct bpf_verifier_env *env,
++ int ptr_regno, int off, int size,
++ int value_regno, int insn_idx)
++{
++ struct bpf_reg_state *reg = reg_state(env, ptr_regno);
++ struct bpf_func_state *state = func(env, reg);
++ int err;
++
++ if (tnum_is_const(reg->var_off)) {
++ off += reg->var_off.value;
++ err = check_stack_write_fixed_off(env, state, off, size,
++ value_regno, insn_idx);
++ } else {
++ /* Variable offset stack reads need more conservative handling
++ * than fixed offset ones.
++ */
++ err = check_stack_write_var_off(env, state,
++ ptr_regno, off, size,
++ value_regno, insn_idx);
++ }
++ return err;
+ }
+
+ static int check_map_access_type(struct bpf_verifier_env *env, u32 regno,
+@@ -2851,11 +3111,6 @@ static int check_sock_access(struct bpf_verifier_env *env, int insn_idx,
+ return -EACCES;
+ }
+
+-static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)
+-{
+- return cur_regs(env) + regno;
+-}
+-
+ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
+ {
+ return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno));
+@@ -2974,8 +3229,8 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
+ break;
+ case PTR_TO_STACK:
+ pointer_desc = "stack ";
+- /* The stack spill tracking logic in check_stack_write()
+- * and check_stack_read() relies on stack accesses being
++ /* The stack spill tracking logic in check_stack_write_fixed_off()
++ * and check_stack_read_fixed_off() relies on stack accesses being
+ * aligned.
+ */
+ strict = true;
+@@ -3393,6 +3648,91 @@ static int check_ptr_to_map_access(struct bpf_verifier_env *env,
+ return 0;
+ }
+
++/* Check that the stack access at the given offset is within bounds. The
++ * maximum valid offset is -1.
++ *
++ * The minimum valid offset is -MAX_BPF_STACK for writes, and
++ * -state->allocated_stack for reads.
++ */
++static int check_stack_slot_within_bounds(int off,
++ struct bpf_func_state *state,
++ enum bpf_access_type t)
++{
++ int min_valid_off;
++
++ if (t == BPF_WRITE)
++ min_valid_off = -MAX_BPF_STACK;
++ else
++ min_valid_off = -state->allocated_stack;
++
++ if (off < min_valid_off || off > -1)
++ return -EACCES;
++ return 0;
++}
++
++/* Check that the stack access at 'regno + off' falls within the maximum stack
++ * bounds.
++ *
++ * 'off' includes `regno->offset`, but not its dynamic part (if any).
++ */
++static int check_stack_access_within_bounds(
++ struct bpf_verifier_env *env,
++ int regno, int off, int access_size,
++ enum stack_access_src src, enum bpf_access_type type)
++{
++ struct bpf_reg_state *regs = cur_regs(env);
++ struct bpf_reg_state *reg = regs + regno;
++ struct bpf_func_state *state = func(env, reg);
++ int min_off, max_off;
++ int err;
++ char *err_extra;
++
++ if (src == ACCESS_HELPER)
++ /* We don't know if helpers are reading or writing (or both). */
++ err_extra = " indirect access to";
++ else if (type == BPF_READ)
++ err_extra = " read from";
++ else
++ err_extra = " write to";
++
++ if (tnum_is_const(reg->var_off)) {
++ min_off = reg->var_off.value + off;
++ if (access_size > 0)
++ max_off = min_off + access_size - 1;
++ else
++ max_off = min_off;
++ } else {
++ if (reg->smax_value >= BPF_MAX_VAR_OFF ||
++ reg->smin_value <= -BPF_MAX_VAR_OFF) {
++ verbose(env, "invalid unbounded variable-offset%s stack R%d\n",
++ err_extra, regno);
++ return -EACCES;
++ }
++ min_off = reg->smin_value + off;
++ if (access_size > 0)
++ max_off = reg->smax_value + off + access_size - 1;
++ else
++ max_off = min_off;
++ }
++
++ err = check_stack_slot_within_bounds(min_off, state, type);
++ if (!err)
++ err = check_stack_slot_within_bounds(max_off, state, type);
++
++ if (err) {
++ if (tnum_is_const(reg->var_off)) {
++ verbose(env, "invalid%s stack R%d off=%d size=%d\n",
++ err_extra, regno, off, access_size);
++ } else {
++ char tn_buf[48];
++
++ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
++ verbose(env, "invalid variable-offset%s stack R%d var_off=%s size=%d\n",
++ err_extra, regno, tn_buf, access_size);
++ }
++ }
++ return err;
++}
+
+ /* check whether memory at (regno + off) is accessible for t = (read | write)
+ * if t==write, value_regno is a register which value is stored into memory
+@@ -3505,8 +3845,8 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ }
+
+ } else if (reg->type == PTR_TO_STACK) {
+- off += reg->var_off.value;
+- err = check_stack_access(env, reg, off, size);
++ /* Basic bounds checks. */
++ err = check_stack_access_within_bounds(env, regno, off, size, ACCESS_DIRECT, t);
+ if (err)
+ return err;
+
+@@ -3515,12 +3855,12 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
+ if (err)
+ return err;
+
+- if (t == BPF_WRITE)
+- err = check_stack_write(env, state, off, size,
+- value_regno, insn_idx);
+- else
+- err = check_stack_read(env, state, off, size,
++ if (t == BPF_READ)
++ err = check_stack_read(env, regno, off, size,
+ value_regno);
++ else
++ err = check_stack_write(env, regno, off, size,
++ value_regno, insn_idx);
+ } else if (reg_is_pkt_pointer(reg)) {
+ if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {
+ verbose(env, "cannot write into packet\n");
+@@ -3642,49 +3982,53 @@ static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_ins
+ BPF_SIZE(insn->code), BPF_WRITE, -1, true);
+ }
+
+-static int __check_stack_boundary(struct bpf_verifier_env *env, u32 regno,
+- int off, int access_size,
+- bool zero_size_allowed)
++/* When register 'regno' is used to read the stack (either directly or through
++ * a helper function) make sure that it's within stack boundary and, depending
++ * on the access type, that all elements of the stack are initialized.
++ *
++ * 'off' includes 'regno->off', but not its dynamic part (if any).
++ *
++ * All registers that have been spilled on the stack in the slots within the
++ * read offsets are marked as read.
++ */
++static int check_stack_range_initialized(
++ struct bpf_verifier_env *env, int regno, int off,
++ int access_size, bool zero_size_allowed,
++ enum stack_access_src type, struct bpf_call_arg_meta *meta)
+ {
+ struct bpf_reg_state *reg = reg_state(env, regno);
++ struct bpf_func_state *state = func(env, reg);
++ int err, min_off, max_off, i, j, slot, spi;
++ char *err_extra = type == ACCESS_HELPER ? " indirect" : "";
++ enum bpf_access_type bounds_check_type;
++ /* Some accesses can write anything into the stack, others are
++ * read-only.
++ */
++ bool clobber = false;
+
+- if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
+- access_size < 0 || (access_size == 0 && !zero_size_allowed)) {
+- if (tnum_is_const(reg->var_off)) {
+- verbose(env, "invalid stack type R%d off=%d access_size=%d\n",
+- regno, off, access_size);
+- } else {
+- char tn_buf[48];
+-
+- tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+- verbose(env, "invalid stack type R%d var_off=%s access_size=%d\n",
+- regno, tn_buf, access_size);
+- }
++ if (access_size == 0 && !zero_size_allowed) {
++ verbose(env, "invalid zero-sized read\n");
+ return -EACCES;
+ }
+- return 0;
+-}
+
+-/* when register 'regno' is passed into function that will read 'access_size'
+- * bytes from that pointer, make sure that it's within stack boundary
+- * and all elements of stack are initialized.
+- * Unlike most pointer bounds-checking functions, this one doesn't take an
+- * 'off' argument, so it has to add in reg->off itself.
+- */
+-static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
+- int access_size, bool zero_size_allowed,
+- struct bpf_call_arg_meta *meta)
+-{
+- struct bpf_reg_state *reg = reg_state(env, regno);
+- struct bpf_func_state *state = func(env, reg);
+- int err, min_off, max_off, i, j, slot, spi;
++ if (type == ACCESS_HELPER) {
++ /* The bounds checks for writes are more permissive than for
++ * reads. However, if raw_mode is not set, we'll do extra
++ * checks below.
++ */
++ bounds_check_type = BPF_WRITE;
++ clobber = true;
++ } else {
++ bounds_check_type = BPF_READ;
++ }
++ err = check_stack_access_within_bounds(env, regno, off, access_size,
++ type, bounds_check_type);
++ if (err)
++ return err;
++
+
+ if (tnum_is_const(reg->var_off)) {
+- min_off = max_off = reg->var_off.value + reg->off;
+- err = __check_stack_boundary(env, regno, min_off, access_size,
+- zero_size_allowed);
+- if (err)
+- return err;
++ min_off = max_off = reg->var_off.value + off;
+ } else {
+ /* Variable offset is prohibited for unprivileged mode for
+ * simplicity since it requires corresponding support in
+@@ -3695,8 +4039,8 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
+ char tn_buf[48];
+
+ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+- verbose(env, "R%d indirect variable offset stack access prohibited for !root, var_off=%s\n",
+- regno, tn_buf);
++ verbose(env, "R%d%s variable offset stack access prohibited for !root, var_off=%s\n",
++ regno, err_extra, tn_buf);
+ return -EACCES;
+ }
+ /* Only initialized buffer on stack is allowed to be accessed
+@@ -3708,28 +4052,8 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
+ if (meta && meta->raw_mode)
+ meta = NULL;
+
+- if (reg->smax_value >= BPF_MAX_VAR_OFF ||
+- reg->smax_value <= -BPF_MAX_VAR_OFF) {
+- verbose(env, "R%d unbounded indirect variable offset stack access\n",
+- regno);
+- return -EACCES;
+- }
+- min_off = reg->smin_value + reg->off;
+- max_off = reg->smax_value + reg->off;
+- err = __check_stack_boundary(env, regno, min_off, access_size,
+- zero_size_allowed);
+- if (err) {
+- verbose(env, "R%d min value is outside of stack bound\n",
+- regno);
+- return err;
+- }
+- err = __check_stack_boundary(env, regno, max_off, access_size,
+- zero_size_allowed);
+- if (err) {
+- verbose(env, "R%d max value is outside of stack bound\n",
+- regno);
+- return err;
+- }
++ min_off = reg->smin_value + off;
++ max_off = reg->smax_value + off;
+ }
+
+ if (meta && meta->raw_mode) {
+@@ -3749,8 +4073,10 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
+ if (*stype == STACK_MISC)
+ goto mark;
+ if (*stype == STACK_ZERO) {
+- /* helper can write anything into the stack */
+- *stype = STACK_MISC;
++ if (clobber) {
++ /* helper can write anything into the stack */
++ *stype = STACK_MISC;
++ }
+ goto mark;
+ }
+
+@@ -3759,23 +4085,26 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
+ goto mark;
+
+ if (state->stack[spi].slot_type[0] == STACK_SPILL &&
+- state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {
+- __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
+- for (j = 0; j < BPF_REG_SIZE; j++)
+- state->stack[spi].slot_type[j] = STACK_MISC;
++ (state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||
++ env->allow_ptr_leaks)) {
++ if (clobber) {
++ __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
++ for (j = 0; j < BPF_REG_SIZE; j++)
++ state->stack[spi].slot_type[j] = STACK_MISC;
++ }
+ goto mark;
+ }
+
+ err:
+ if (tnum_is_const(reg->var_off)) {
+- verbose(env, "invalid indirect read from stack off %d+%d size %d\n",
+- min_off, i - min_off, access_size);
++ verbose(env, "invalid%s read from stack R%d off %d+%d size %d\n",
++ err_extra, regno, min_off, i - min_off, access_size);
+ } else {
+ char tn_buf[48];
+
+ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+- verbose(env, "invalid indirect read from stack var_off %s+%d size %d\n",
+- tn_buf, i - min_off, access_size);
++ verbose(env, "invalid%s read from stack R%d var_off %s+%d size %d\n",
++ err_extra, regno, tn_buf, i - min_off, access_size);
+ }
+ return -EACCES;
+ mark:
+@@ -3824,8 +4153,10 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
+ "rdwr",
+ &env->prog->aux->max_rdwr_access);
+ case PTR_TO_STACK:
+- return check_stack_boundary(env, regno, access_size,
+- zero_size_allowed, meta);
++ return check_stack_range_initialized(
++ env,
++ regno, reg->off, access_size,
++ zero_size_allowed, ACCESS_HELPER, meta);
+ default: /* scalar_value or invalid ptr */
+ /* Allow zero-byte read from NULL, regardless of pointer type */
+ if (zero_size_allowed && access_size == 0 &&
+@@ -5343,7 +5674,7 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
+ bool off_is_neg = off_reg->smin_value < 0;
+ bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
+ (opcode == BPF_SUB && !off_is_neg);
+- u32 off, max = 0, ptr_limit = 0;
++ u32 max = 0, ptr_limit = 0;
+
+ if (!tnum_is_const(off_reg->var_off) &&
+ (off_reg->smin_value < 0) != (off_reg->smax_value < 0))
+@@ -5352,26 +5683,18 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
+ switch (ptr_reg->type) {
+ case PTR_TO_STACK:
+ /* Offset 0 is out-of-bounds, but acceptable start for the
+- * left direction, see BPF_REG_FP.
++ * left direction, see BPF_REG_FP. Also, unknown scalar
++ * offset where we would need to deal with min/max bounds is
++ * currently prohibited for unprivileged.
+ */
+ max = MAX_BPF_STACK + mask_to_left;
+- /* Indirect variable offset stack access is prohibited in
+- * unprivileged mode so it's not handled here.
+- */
+- off = ptr_reg->off + ptr_reg->var_off.value;
+- if (mask_to_left)
+- ptr_limit = MAX_BPF_STACK + off;
+- else
+- ptr_limit = -off - 1;
++ ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off);
+ break;
+ case PTR_TO_MAP_VALUE:
+ max = ptr_reg->map_ptr->value_size;
+- if (mask_to_left) {
+- ptr_limit = ptr_reg->umax_value + ptr_reg->off;
+- } else {
+- off = ptr_reg->smin_value + ptr_reg->off;
+- ptr_limit = ptr_reg->map_ptr->value_size - off - 1;
+- }
++ ptr_limit = (mask_to_left ?
++ ptr_reg->smin_value :
++ ptr_reg->umax_value) + ptr_reg->off;
+ break;
+ default:
+ return REASON_TYPE;
+@@ -5426,10 +5749,12 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
+ struct bpf_insn *insn,
+ const struct bpf_reg_state *ptr_reg,
+ const struct bpf_reg_state *off_reg,
+- struct bpf_reg_state *dst_reg)
++ struct bpf_reg_state *dst_reg,
++ struct bpf_insn_aux_data *tmp_aux,
++ const bool commit_window)
+ {
++ struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : tmp_aux;
+ struct bpf_verifier_state *vstate = env->cur_state;
+- struct bpf_insn_aux_data *aux = cur_aux(env);
+ bool off_is_neg = off_reg->smin_value < 0;
+ bool ptr_is_dst_reg = ptr_reg == dst_reg;
+ u8 opcode = BPF_OP(insn->code);
+@@ -5448,18 +5773,33 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
+ if (vstate->speculative)
+ goto do_sim;
+
+- alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
+- alu_state |= ptr_is_dst_reg ?
+- BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
+-
+ err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode);
+ if (err < 0)
+ return err;
+
++ if (commit_window) {
++ /* In commit phase we narrow the masking window based on
++ * the observed pointer move after the simulated operation.
++ */
++ alu_state = tmp_aux->alu_state;
++ alu_limit = abs(tmp_aux->alu_limit - alu_limit);
++ } else {
++ alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
++ alu_state |= ptr_is_dst_reg ?
++ BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
++ }
++
+ err = update_alu_sanitation_state(aux, alu_state, alu_limit);
+ if (err < 0)
+ return err;
+ do_sim:
++ /* If we're in commit phase, we're done here given we already
++ * pushed the truncated dst_reg into the speculative verification
++ * stack.
++ */
++ if (commit_window)
++ return 0;
++
+ /* Simulate and find potential out-of-bounds access under
+ * speculative execution from truncation as a result of
+ * masking when off was not within expected range. If off
+@@ -5518,6 +5858,72 @@ static int sanitize_err(struct bpf_verifier_env *env,
+ return -EACCES;
+ }
+
++/* check that stack access falls within stack limits and that 'reg' doesn't
++ * have a variable offset.
++ *
++ * Variable offset is prohibited for unprivileged mode for simplicity since it
++ * requires corresponding support in Spectre masking for stack ALU. See also
++ * retrieve_ptr_limit().
++ *
++ *
++ * 'off' includes 'reg->off'.
++ */
++static int check_stack_access_for_ptr_arithmetic(
++ struct bpf_verifier_env *env,
++ int regno,
++ const struct bpf_reg_state *reg,
++ int off)
++{
++ if (!tnum_is_const(reg->var_off)) {
++ char tn_buf[48];
++
++ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
++ verbose(env, "R%d variable stack access prohibited for !root, var_off=%s off=%d\n",
++ regno, tn_buf, off);
++ return -EACCES;
++ }
++
++ if (off >= 0 || off < -MAX_BPF_STACK) {
++ verbose(env, "R%d stack pointer arithmetic goes out of range, "
++ "prohibited for !root; off=%d\n", regno, off);
++ return -EACCES;
++ }
++
++ return 0;
++}
++
++static int sanitize_check_bounds(struct bpf_verifier_env *env,
++ const struct bpf_insn *insn,
++ const struct bpf_reg_state *dst_reg)
++{
++ u32 dst = insn->dst_reg;
++
++ /* For unprivileged we require that resulting offset must be in bounds
++ * in order to be able to sanitize access later on.
++ */
++ if (env->bypass_spec_v1)
++ return 0;
++
++ switch (dst_reg->type) {
++ case PTR_TO_STACK:
++ if (check_stack_access_for_ptr_arithmetic(env, dst, dst_reg,
++ dst_reg->off + dst_reg->var_off.value))
++ return -EACCES;
++ break;
++ case PTR_TO_MAP_VALUE:
++ if (check_map_access(env, dst, dst_reg->off, 1, false)) {
++ verbose(env, "R%d pointer arithmetic of map value goes out of range, "
++ "prohibited for !root\n", dst);
++ return -EACCES;
++ }
++ break;
++ default:
++ break;
++ }
++
++ return 0;
++}
++
+ /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
+ * Caller should also handle BPF_MOV case separately.
+ * If we return -EACCES, caller may want to try again treating pointer as a
+@@ -5536,6 +5942,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+ smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;
+ u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,
+ umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;
++ struct bpf_insn_aux_data tmp_aux = {};
+ u8 opcode = BPF_OP(insn->code);
+ u32 dst = insn->dst_reg;
+ int ret;
+@@ -5602,12 +6009,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+ /* pointer types do not carry 32-bit bounds at the moment. */
+ __mark_reg32_unbounded(dst_reg);
+
+- switch (opcode) {
+- case BPF_ADD:
+- ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg);
++ if (sanitize_needed(opcode)) {
++ ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg,
++ &tmp_aux, false);
+ if (ret < 0)
+ return sanitize_err(env, insn, ret, off_reg, dst_reg);
++ }
+
++ switch (opcode) {
++ case BPF_ADD:
+ /* We can take a fixed offset as long as it doesn't overflow
+ * the s32 'off' field
+ */
+@@ -5658,10 +6068,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+ }
+ break;
+ case BPF_SUB:
+- ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg);
+- if (ret < 0)
+- return sanitize_err(env, insn, ret, off_reg, dst_reg);
+-
+ if (dst_reg == off_reg) {
+ /* scalar -= pointer. Creates an unknown scalar */
+ verbose(env, "R%d tried to subtract pointer from scalar\n",
+@@ -5742,22 +6148,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+ __reg_deduce_bounds(dst_reg);
+ __reg_bound_offset(dst_reg);
+
+- /* For unprivileged we require that resulting offset must be in bounds
+- * in order to be able to sanitize access later on.
+- */
+- if (!env->bypass_spec_v1) {
+- if (dst_reg->type == PTR_TO_MAP_VALUE &&
+- check_map_access(env, dst, dst_reg->off, 1, false)) {
+- verbose(env, "R%d pointer arithmetic of map value goes out of range, "
+- "prohibited for !root\n", dst);
+- return -EACCES;
+- } else if (dst_reg->type == PTR_TO_STACK &&
+- check_stack_access(env, dst_reg, dst_reg->off +
+- dst_reg->var_off.value, 1)) {
+- verbose(env, "R%d stack pointer arithmetic goes out of range, "
+- "prohibited for !root\n", dst);
+- return -EACCES;
+- }
++ if (sanitize_check_bounds(env, insn, dst_reg) < 0)
++ return -EACCES;
++ if (sanitize_needed(opcode)) {
++ ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg,
++ &tmp_aux, true);
++ if (ret < 0)
++ return sanitize_err(env, insn, ret, off_reg, dst_reg);
+ }
+
+ return 0;
+@@ -11951,6 +12348,7 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,
+ env->strict_alignment = false;
+
+ env->allow_ptr_leaks = bpf_allow_ptr_leaks();
++ env->allow_uninit_stack = bpf_allow_uninit_stack();
+ env->allow_ptr_to_map_access = bpf_allow_ptr_to_map_access();
+ env->bypass_spec_v1 = bpf_bypass_spec_v1();
+ env->bypass_spec_v4 = bpf_bypass_spec_v4();
+diff --git a/kernel/locking/qrwlock.c b/kernel/locking/qrwlock.c
+index fe9ca92faa2a7..909b0bf22a1ec 100644
+--- a/kernel/locking/qrwlock.c
++++ b/kernel/locking/qrwlock.c
+@@ -61,6 +61,8 @@ EXPORT_SYMBOL(queued_read_lock_slowpath);
+ */
+ void queued_write_lock_slowpath(struct qrwlock *lock)
+ {
++ int cnts;
++
+ /* Put the writer into the wait queue */
+ arch_spin_lock(&lock->wait_lock);
+
+@@ -74,9 +76,8 @@ void queued_write_lock_slowpath(struct qrwlock *lock)
+
+ /* When no more readers or writers, set the locked flag */
+ do {
+- atomic_cond_read_acquire(&lock->cnts, VAL == _QW_WAITING);
+- } while (atomic_cmpxchg_relaxed(&lock->cnts, _QW_WAITING,
+- _QW_LOCKED) != _QW_WAITING);
++ cnts = atomic_cond_read_relaxed(&lock->cnts, VAL == _QW_WAITING);
++ } while (!atomic_try_cmpxchg_acquire(&lock->cnts, &cnts, _QW_LOCKED));
+ unlock:
+ arch_spin_unlock(&lock->wait_lock);
+ }
+diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
+index 1e000cc2e7b4b..127012f45166e 100644
+--- a/scripts/Makefile.kasan
++++ b/scripts/Makefile.kasan
+@@ -2,6 +2,8 @@
+ CFLAGS_KASAN_NOSANITIZE := -fno-builtin
+ KASAN_SHADOW_OFFSET ?= $(CONFIG_KASAN_SHADOW_OFFSET)
+
++cc-param = $(call cc-option, -mllvm -$(1), $(call cc-option, --param $(1)))
++
+ ifdef CONFIG_KASAN_GENERIC
+
+ ifdef CONFIG_KASAN_INLINE
+@@ -12,8 +14,6 @@ endif
+
+ CFLAGS_KASAN_MINIMAL := -fsanitize=kernel-address
+
+-cc-param = $(call cc-option, -mllvm -$(1), $(call cc-option, --param $(1)))
+-
+ # -fasan-shadow-offset fails without -fsanitize
+ CFLAGS_KASAN_SHADOW := $(call cc-option, -fsanitize=kernel-address \
+ -fasan-shadow-offset=$(KASAN_SHADOW_OFFSET), \
+@@ -36,14 +36,14 @@ endif # CONFIG_KASAN_GENERIC
+ ifdef CONFIG_KASAN_SW_TAGS
+
+ ifdef CONFIG_KASAN_INLINE
+- instrumentation_flags := -mllvm -hwasan-mapping-offset=$(KASAN_SHADOW_OFFSET)
++ instrumentation_flags := $(call cc-param,hwasan-mapping-offset=$(KASAN_SHADOW_OFFSET))
+ else
+- instrumentation_flags := -mllvm -hwasan-instrument-with-calls=1
++ instrumentation_flags := $(call cc-param,hwasan-instrument-with-calls=1)
+ endif
+
+ CFLAGS_KASAN := -fsanitize=kernel-hwaddress \
+- -mllvm -hwasan-instrument-stack=$(CONFIG_KASAN_STACK) \
+- -mllvm -hwasan-use-short-granules=0 \
++ $(call cc-param,hwasan-instrument-stack=$(CONFIG_KASAN_STACK)) \
++ $(call cc-param,hwasan-use-short-granules=0) \
+ $(instrumentation_flags)
+
+ endif # CONFIG_KASAN_SW_TAGS
+diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
+index e2a0ed5d02f01..c87c4df8703d4 100644
+--- a/security/keys/trusted-keys/trusted_tpm2.c
++++ b/security/keys/trusted-keys/trusted_tpm2.c
+@@ -79,7 +79,7 @@ int tpm2_seal_trusted(struct tpm_chip *chip,
+ if (i == ARRAY_SIZE(tpm2_hash_map))
+ return -EINVAL;
+
+- rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE);
++ rc = tpm_try_get_ops(chip);
+ if (rc)
+ return rc;
+
+diff --git a/tools/arch/ia64/include/asm/barrier.h b/tools/arch/ia64/include/asm/barrier.h
+index 4d471d9511a54..6fffe56827134 100644
+--- a/tools/arch/ia64/include/asm/barrier.h
++++ b/tools/arch/ia64/include/asm/barrier.h
+@@ -39,9 +39,6 @@
+ * sequential memory pages only.
+ */
+
+-/* XXX From arch/ia64/include/uapi/asm/gcc_intrin.h */
+-#define ia64_mf() asm volatile ("mf" ::: "memory")
+-
+ #define mb() ia64_mf()
+ #define rmb() mb()
+ #define wmb() mb()
+diff --git a/tools/perf/util/auxtrace.c b/tools/perf/util/auxtrace.c
+index d8ada6a3c555a..d3c15b53495d6 100644
+--- a/tools/perf/util/auxtrace.c
++++ b/tools/perf/util/auxtrace.c
+@@ -636,7 +636,7 @@ int auxtrace_parse_snapshot_options(struct auxtrace_record *itr,
+ break;
+ }
+
+- if (itr)
++ if (itr && itr->parse_snapshot_options)
+ return itr->parse_snapshot_options(itr, opts, str);
+
+ pr_err("No AUX area tracing to snapshot\n");
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index e2537d5acab09..f4d44f75ba152 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -836,15 +836,18 @@ out:
+ int maps__clone(struct thread *thread, struct maps *parent)
+ {
+ struct maps *maps = thread->maps;
+- int err = -ENOMEM;
++ int err;
+ struct map *map;
+
+ down_read(&parent->lock);
+
+ maps__for_each_entry(parent, map) {
+ struct map *new = map__clone(map);
+- if (new == NULL)
++
++ if (new == NULL) {
++ err = -ENOMEM;
+ goto out_unlock;
++ }
+
+ err = unwind__prepare_access(maps, new, NULL);
+ if (err)