diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2020-10-01 08:49:47 -0400 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2020-10-01 08:49:47 -0400 |
| commit | 1056ff1007ac01709819b73a4d2f3e1e7b7d6ba8 (patch) | |
| tree | c7c8c5cb12d1374dca19aa4551970881f8257574 | |
| parent | Linux patch 5.4.68 (diff) | |
| download | linux-patches-1056ff1007ac01709819b73a4d2f3e1e7b7d6ba8.tar.gz linux-patches-1056ff1007ac01709819b73a4d2f3e1e7b7d6ba8.tar.bz2 linux-patches-1056ff1007ac01709819b73a4d2f3e1e7b7d6ba8.zip | |
Linux patch 5.4.695.4-70
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1068_linux-5.4.69.patch | 18773 |
2 files changed, 18777 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 83f469d3..dd45626b 100644 --- a/0000_README +++ b/0000_README @@ -315,6 +315,10 @@ Patch: 1067_linux-5.4.68.patch From: http://www.kernel.org Desc: Linux 5.4.68 +Patch: 1068_linux-5.4.69.patch +From: http://www.kernel.org +Desc: Linux 5.4.69 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1068_linux-5.4.69.patch b/1068_linux-5.4.69.patch new file mode 100644 index 00000000..c9154d16 --- /dev/null +++ b/1068_linux-5.4.69.patch @@ -0,0 +1,18773 @@ +diff --git a/Documentation/devicetree/bindings/sound/wm8994.txt b/Documentation/devicetree/bindings/sound/wm8994.txt +index 68cccc4653ba3..367b58ce1bb92 100644 +--- a/Documentation/devicetree/bindings/sound/wm8994.txt ++++ b/Documentation/devicetree/bindings/sound/wm8994.txt +@@ -14,9 +14,15 @@ Required properties: + - #gpio-cells : Must be 2. The first cell is the pin number and the + second cell is used to specify optional parameters (currently unused). + +- - AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, CPVDD-supply, +- SPKVDD1-supply, SPKVDD2-supply : power supplies for the device, as covered +- in Documentation/devicetree/bindings/regulator/regulator.txt ++ - power supplies for the device, as covered in ++ Documentation/devicetree/bindings/regulator/regulator.txt, depending ++ on compatible: ++ - for wlf,wm1811 and wlf,wm8958: ++ AVDD1-supply, AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, ++ DCVDD-supply, CPVDD-supply, SPKVDD1-supply, SPKVDD2-supply ++ - for wlf,wm8994: ++ AVDD1-supply, AVDD2-supply, DBVDD-supply, DCVDD-supply, CPVDD-supply, ++ SPKVDD1-supply, SPKVDD2-supply + + Optional properties: + +@@ -73,11 +79,11 @@ wm8994: codec@1a { + + lineout1-se; + ++ AVDD1-supply = <®ulator>; + AVDD2-supply = <®ulator>; + CPVDD-supply = <®ulator>; +- DBVDD1-supply = <®ulator>; +- DBVDD2-supply = <®ulator>; +- DBVDD3-supply = <®ulator>; ++ DBVDD-supply = <®ulator>; ++ DCVDD-supply = <®ulator>; + SPKVDD1-supply = <®ulator>; + SPKVDD2-supply = <®ulator>; + }; +diff --git a/Documentation/driver-api/libata.rst b/Documentation/driver-api/libata.rst +index 70e180e6b93dc..9f3e5dc311840 100644 +--- a/Documentation/driver-api/libata.rst ++++ b/Documentation/driver-api/libata.rst +@@ -250,7 +250,7 @@ High-level taskfile hooks + + :: + +- void (*qc_prep) (struct ata_queued_cmd *qc); ++ enum ata_completion_errors (*qc_prep) (struct ata_queued_cmd *qc); + int (*qc_issue) (struct ata_queued_cmd *qc); + + +diff --git a/Makefile b/Makefile +index acb2499d9b053..adf3847106775 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 5 + PATCHLEVEL = 4 +-SUBLEVEL = 68 ++SUBLEVEL = 69 + EXTRAVERSION = + NAME = Kleptomaniac Octopus + +diff --git a/arch/arm/include/asm/kvm_emulate.h b/arch/arm/include/asm/kvm_emulate.h +index cbde9fa15792b..c1747fcb86d36 100644 +--- a/arch/arm/include/asm/kvm_emulate.h ++++ b/arch/arm/include/asm/kvm_emulate.h +@@ -204,7 +204,7 @@ static inline int kvm_vcpu_dabt_get_rd(struct kvm_vcpu *vcpu) + return (kvm_vcpu_get_hsr(vcpu) & HSR_SRT_MASK) >> HSR_SRT_SHIFT; + } + +-static inline bool kvm_vcpu_dabt_iss1tw(struct kvm_vcpu *vcpu) ++static inline bool kvm_vcpu_abt_iss1tw(const struct kvm_vcpu *vcpu) + { + return kvm_vcpu_get_hsr(vcpu) & HSR_DABT_S1PTW; + } +@@ -236,16 +236,21 @@ static inline bool kvm_vcpu_trap_il_is32bit(struct kvm_vcpu *vcpu) + return kvm_vcpu_get_hsr(vcpu) & HSR_IL; + } + +-static inline u8 kvm_vcpu_trap_get_class(struct kvm_vcpu *vcpu) ++static inline u8 kvm_vcpu_trap_get_class(const struct kvm_vcpu *vcpu) + { + return kvm_vcpu_get_hsr(vcpu) >> HSR_EC_SHIFT; + } + +-static inline bool kvm_vcpu_trap_is_iabt(struct kvm_vcpu *vcpu) ++static inline bool kvm_vcpu_trap_is_iabt(const struct kvm_vcpu *vcpu) + { + return kvm_vcpu_trap_get_class(vcpu) == HSR_EC_IABT; + } + ++static inline bool kvm_vcpu_trap_is_exec_fault(const struct kvm_vcpu *vcpu) ++{ ++ return kvm_vcpu_trap_is_iabt(vcpu) && !kvm_vcpu_abt_iss1tw(vcpu); ++} ++ + static inline u8 kvm_vcpu_trap_get_fault(struct kvm_vcpu *vcpu) + { + return kvm_vcpu_get_hsr(vcpu) & HSR_FSC; +diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c +index a082f6e4f0f4a..76ea4178a55cb 100644 +--- a/arch/arm/kernel/stacktrace.c ++++ b/arch/arm/kernel/stacktrace.c +@@ -116,6 +116,8 @@ static int save_trace(struct stackframe *frame, void *d) + return 0; + + regs = (struct pt_regs *)frame->sp; ++ if ((unsigned long)®s[1] > ALIGN(frame->sp, THREAD_SIZE)) ++ return 0; + + trace->entries[trace->nr_entries++] = regs->ARM_pc; + +diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c +index c053abd1fb539..97a512551b217 100644 +--- a/arch/arm/kernel/traps.c ++++ b/arch/arm/kernel/traps.c +@@ -64,14 +64,16 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long); + + void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame) + { ++ unsigned long end = frame + 4 + sizeof(struct pt_regs); ++ + #ifdef CONFIG_KALLSYMS + printk("[<%08lx>] (%ps) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from); + #else + printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from); + #endif + +- if (in_entry_text(from)) +- dump_mem("", "Exception stack", frame + 4, frame + 4 + sizeof(struct pt_regs)); ++ if (in_entry_text(from) && end <= ALIGN(frame, THREAD_SIZE)) ++ dump_mem("", "Exception stack", frame + 4, end); + } + + void dump_backtrace_stm(u32 *stack, u32 instruction) +diff --git a/arch/arm/mach-omap2/cpuidle34xx.c b/arch/arm/mach-omap2/cpuidle34xx.c +index 532a3e4b98c6f..090a8aafb25e1 100644 +--- a/arch/arm/mach-omap2/cpuidle34xx.c ++++ b/arch/arm/mach-omap2/cpuidle34xx.c +@@ -109,6 +109,7 @@ static int omap3_enter_idle(struct cpuidle_device *dev, + int index) + { + struct omap3_idle_statedata *cx = &omap3_idle_data[index]; ++ int error; + + if (omap_irq_pending() || need_resched()) + goto return_sleep_time; +@@ -125,8 +126,11 @@ static int omap3_enter_idle(struct cpuidle_device *dev, + * Call idle CPU PM enter notifier chain so that + * VFP context is saved. + */ +- if (cx->mpu_state == PWRDM_POWER_OFF) +- cpu_pm_enter(); ++ if (cx->mpu_state == PWRDM_POWER_OFF) { ++ error = cpu_pm_enter(); ++ if (error) ++ goto out_clkdm_set; ++ } + + /* Execute ARM wfi */ + omap_sram_idle(); +@@ -139,6 +143,7 @@ static int omap3_enter_idle(struct cpuidle_device *dev, + pwrdm_read_prev_pwrst(mpu_pd) == PWRDM_POWER_OFF) + cpu_pm_exit(); + ++out_clkdm_set: + /* Re-allow idle for C1 */ + if (cx->flags & OMAP_CPUIDLE_CX_NO_CLKDM_IDLE) + clkdm_allow_idle(mpu_pd->pwrdm_clkdms[0]); +diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c +index fe75d4fa60738..6f5f89711f256 100644 +--- a/arch/arm/mach-omap2/cpuidle44xx.c ++++ b/arch/arm/mach-omap2/cpuidle44xx.c +@@ -122,6 +122,7 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + { + struct idle_statedata *cx = state_ptr + index; + u32 mpuss_can_lose_context = 0; ++ int error; + + /* + * CPU0 has to wait and stay ON until CPU1 is OFF state. +@@ -159,7 +160,9 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + * Call idle CPU PM enter notifier chain so that + * VFP and per CPU interrupt context is saved. + */ +- cpu_pm_enter(); ++ error = cpu_pm_enter(); ++ if (error) ++ goto cpu_pm_out; + + if (dev->cpu == 0) { + pwrdm_set_logic_retst(mpu_pd, cx->mpu_logic_state); +@@ -169,13 +172,17 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + * Call idle CPU cluster PM enter notifier chain + * to save GIC and wakeupgen context. + */ +- if (mpuss_can_lose_context) +- cpu_cluster_pm_enter(); ++ if (mpuss_can_lose_context) { ++ error = cpu_cluster_pm_enter(); ++ if (error) ++ goto cpu_cluster_pm_out; ++ } + } + + omap4_enter_lowpower(dev->cpu, cx->cpu_state); + cpu_done[dev->cpu] = true; + ++cpu_cluster_pm_out: + /* Wakeup CPU1 only if it is not offlined */ + if (dev->cpu == 0 && cpumask_test_cpu(1, cpu_online_mask)) { + +@@ -197,12 +204,6 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + } + } + +- /* +- * Call idle CPU PM exit notifier chain to restore +- * VFP and per CPU IRQ context. +- */ +- cpu_pm_exit(); +- + /* + * Call idle CPU cluster PM exit notifier chain + * to restore GIC and wakeupgen context. +@@ -210,6 +211,13 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev, + if (dev->cpu == 0 && mpuss_can_lose_context) + cpu_cluster_pm_exit(); + ++ /* ++ * Call idle CPU PM exit notifier chain to restore ++ * VFP and per CPU IRQ context. ++ */ ++ cpu_pm_exit(); ++ ++cpu_pm_out: + tick_broadcast_exit(); + + fail: +diff --git a/arch/arm/mach-omap2/pm34xx.c b/arch/arm/mach-omap2/pm34xx.c +index 54254fc92c2ed..fa66534a7ae22 100644 +--- a/arch/arm/mach-omap2/pm34xx.c ++++ b/arch/arm/mach-omap2/pm34xx.c +@@ -194,6 +194,7 @@ void omap_sram_idle(void) + int per_next_state = PWRDM_POWER_ON; + int core_next_state = PWRDM_POWER_ON; + u32 sdrc_pwr = 0; ++ int error; + + mpu_next_state = pwrdm_read_next_pwrst(mpu_pwrdm); + switch (mpu_next_state) { +@@ -222,8 +223,11 @@ void omap_sram_idle(void) + pwrdm_pre_transition(NULL); + + /* PER */ +- if (per_next_state == PWRDM_POWER_OFF) +- cpu_cluster_pm_enter(); ++ if (per_next_state == PWRDM_POWER_OFF) { ++ error = cpu_cluster_pm_enter(); ++ if (error) ++ return; ++ } + + /* CORE */ + if (core_next_state < PWRDM_POWER_ON) { +diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h +index f47081b40523e..f65ff6b90f4a9 100644 +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -299,7 +299,7 @@ static inline int kvm_vcpu_dabt_get_rd(const struct kvm_vcpu *vcpu) + return (kvm_vcpu_get_hsr(vcpu) & ESR_ELx_SRT_MASK) >> ESR_ELx_SRT_SHIFT; + } + +-static inline bool kvm_vcpu_dabt_iss1tw(const struct kvm_vcpu *vcpu) ++static __always_inline bool kvm_vcpu_abt_iss1tw(const struct kvm_vcpu *vcpu) + { + return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_S1PTW); + } +@@ -307,7 +307,7 @@ static inline bool kvm_vcpu_dabt_iss1tw(const struct kvm_vcpu *vcpu) + static inline bool kvm_vcpu_dabt_iswrite(const struct kvm_vcpu *vcpu) + { + return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_WNR) || +- kvm_vcpu_dabt_iss1tw(vcpu); /* AF/DBM update */ ++ kvm_vcpu_abt_iss1tw(vcpu); /* AF/DBM update */ + } + + static inline bool kvm_vcpu_dabt_is_cm(const struct kvm_vcpu *vcpu) +@@ -336,6 +336,11 @@ static inline bool kvm_vcpu_trap_is_iabt(const struct kvm_vcpu *vcpu) + return kvm_vcpu_trap_get_class(vcpu) == ESR_ELx_EC_IABT_LOW; + } + ++static inline bool kvm_vcpu_trap_is_exec_fault(const struct kvm_vcpu *vcpu) ++{ ++ return kvm_vcpu_trap_is_iabt(vcpu) && !kvm_vcpu_abt_iss1tw(vcpu); ++} ++ + static inline u8 kvm_vcpu_trap_get_fault(const struct kvm_vcpu *vcpu) + { + return kvm_vcpu_get_hsr(vcpu) & ESR_ELx_FSC; +@@ -373,6 +378,9 @@ static inline int kvm_vcpu_sys_get_rt(struct kvm_vcpu *vcpu) + + static inline bool kvm_is_write_fault(struct kvm_vcpu *vcpu) + { ++ if (kvm_vcpu_abt_iss1tw(vcpu)) ++ return true; ++ + if (kvm_vcpu_trap_is_iabt(vcpu)) + return false; + +diff --git a/arch/arm64/include/asm/sections.h b/arch/arm64/include/asm/sections.h +index 788ae971f11c1..25a73aab438f9 100644 +--- a/arch/arm64/include/asm/sections.h ++++ b/arch/arm64/include/asm/sections.h +@@ -15,6 +15,7 @@ extern char __hyp_text_start[], __hyp_text_end[]; + extern char __idmap_text_start[], __idmap_text_end[]; + extern char __initdata_begin[], __initdata_end[]; + extern char __inittext_begin[], __inittext_end[]; ++extern char __exittext_begin[], __exittext_end[]; + extern char __irqentry_text_start[], __irqentry_text_end[]; + extern char __mmuoff_data_start[], __mmuoff_data_end[]; + extern char __entry_tramp_text_start[], __entry_tramp_text_end[]; +diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c +index a100483b47c42..46ec402e97edc 100644 +--- a/arch/arm64/kernel/acpi.c ++++ b/arch/arm64/kernel/acpi.c +@@ -19,6 +19,7 @@ + #include <linux/init.h> + #include <linux/irq.h> + #include <linux/irqdomain.h> ++#include <linux/irq_work.h> + #include <linux/memblock.h> + #include <linux/of_fdt.h> + #include <linux/smp.h> +@@ -269,6 +270,7 @@ pgprot_t __acpi_get_mem_attribute(phys_addr_t addr) + int apei_claim_sea(struct pt_regs *regs) + { + int err = -ENOENT; ++ bool return_to_irqs_enabled; + unsigned long current_flags; + + if (!IS_ENABLED(CONFIG_ACPI_APEI_GHES)) +@@ -276,6 +278,12 @@ int apei_claim_sea(struct pt_regs *regs) + + current_flags = local_daif_save_flags(); + ++ /* current_flags isn't useful here as daif doesn't tell us about pNMI */ ++ return_to_irqs_enabled = !irqs_disabled_flags(arch_local_save_flags()); ++ ++ if (regs) ++ return_to_irqs_enabled = interrupts_enabled(regs); ++ + /* + * SEA can interrupt SError, mask it and describe this as an NMI so + * that APEI defers the handling. +@@ -284,6 +292,23 @@ int apei_claim_sea(struct pt_regs *regs) + nmi_enter(); + err = ghes_notify_sea(); + nmi_exit(); ++ ++ /* ++ * APEI NMI-like notifications are deferred to irq_work. Unless ++ * we interrupted irqs-masked code, we can do that now. ++ */ ++ if (!err) { ++ if (return_to_irqs_enabled) { ++ local_daif_restore(DAIF_PROCCTX_NOIRQ); ++ __irq_enter(); ++ irq_work_run(); ++ __irq_exit(); ++ } else { ++ pr_warn_ratelimited("APEI work queued but not completed"); ++ err = -EINPROGRESS; ++ } ++ } ++ + local_daif_restore(current_flags); + + return err; +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index f400cb29b811a..f2ec845404149 100644 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -160,11 +160,10 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr0[] = { + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_GIC_SHIFT, 4, 0), + S_ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_ASIMD_SHIFT, 4, ID_AA64PFR0_ASIMD_NI), + S_ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_FP_SHIFT, 4, ID_AA64PFR0_FP_NI), +- /* Linux doesn't care about the EL3 */ + ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL3_SHIFT, 4, 0), +- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL2_SHIFT, 4, 0), +- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL1_SHIFT, 4, ID_AA64PFR0_EL1_64BIT_ONLY), +- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL0_SHIFT, 4, ID_AA64PFR0_EL0_64BIT_ONLY), ++ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL2_SHIFT, 4, 0), ++ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL1_SHIFT, 4, ID_AA64PFR0_EL1_64BIT_ONLY), ++ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL0_SHIFT, 4, ID_AA64PFR0_EL0_64BIT_ONLY), + ARM64_FTR_END, + }; + +@@ -320,7 +319,7 @@ static const struct arm64_ftr_bits ftr_id_pfr0[] = { + }; + + static const struct arm64_ftr_bits ftr_id_dfr0[] = { +- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, 28, 4, 0), ++ /* [31:28] TraceFilt */ + S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, 24, 4, 0xf), /* PerfMon */ + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, 20, 4, 0), + ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, 16, 4, 0), +@@ -719,9 +718,6 @@ void update_cpu_features(int cpu, + taint |= check_update_ftr_reg(SYS_ID_AA64MMFR2_EL1, cpu, + info->reg_id_aa64mmfr2, boot->reg_id_aa64mmfr2); + +- /* +- * EL3 is not our concern. +- */ + taint |= check_update_ftr_reg(SYS_ID_AA64PFR0_EL1, cpu, + info->reg_id_aa64pfr0, boot->reg_id_aa64pfr0); + taint |= check_update_ftr_reg(SYS_ID_AA64PFR1_EL1, cpu, +diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c +index a612da533ea20..53bcf5386907f 100644 +--- a/arch/arm64/kernel/insn.c ++++ b/arch/arm64/kernel/insn.c +@@ -21,6 +21,7 @@ + #include <asm/fixmap.h> + #include <asm/insn.h> + #include <asm/kprobes.h> ++#include <asm/sections.h> + + #define AARCH64_INSN_SF_BIT BIT(31) + #define AARCH64_INSN_N_BIT BIT(22) +@@ -78,16 +79,29 @@ bool aarch64_insn_is_branch_imm(u32 insn) + + static DEFINE_RAW_SPINLOCK(patch_lock); + ++static bool is_exit_text(unsigned long addr) ++{ ++ /* discarded with init text/data */ ++ return system_state < SYSTEM_RUNNING && ++ addr >= (unsigned long)__exittext_begin && ++ addr < (unsigned long)__exittext_end; ++} ++ ++static bool is_image_text(unsigned long addr) ++{ ++ return core_kernel_text(addr) || is_exit_text(addr); ++} ++ + static void __kprobes *patch_map(void *addr, int fixmap) + { + unsigned long uintaddr = (uintptr_t) addr; +- bool module = !core_kernel_text(uintaddr); ++ bool image = is_image_text(uintaddr); + struct page *page; + +- if (module && IS_ENABLED(CONFIG_STRICT_MODULE_RWX)) +- page = vmalloc_to_page(addr); +- else if (!module) ++ if (image) + page = phys_to_page(__pa_symbol(addr)); ++ else if (IS_ENABLED(CONFIG_STRICT_MODULE_RWX)) ++ page = vmalloc_to_page(addr); + else + return addr; + +diff --git a/arch/arm64/kernel/vmlinux.lds.S b/arch/arm64/kernel/vmlinux.lds.S +index 4f77de8ce1384..0bab37b1acbe9 100644 +--- a/arch/arm64/kernel/vmlinux.lds.S ++++ b/arch/arm64/kernel/vmlinux.lds.S +@@ -170,9 +170,12 @@ SECTIONS + __inittext_begin = .; + + INIT_TEXT_SECTION(8) ++ ++ __exittext_begin = .; + .exit.text : { + ARM_EXIT_KEEP(EXIT_TEXT) + } ++ __exittext_end = .; + + . = ALIGN(4); + .altinstructions : { +diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c +index 65660b6144740..84964983198e2 100644 +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -496,7 +496,7 @@ static bool __hyp_text fixup_guest_exit(struct kvm_vcpu *vcpu, u64 *exit_code) + kvm_vcpu_trap_get_fault_type(vcpu) == FSC_FAULT && + kvm_vcpu_dabt_isvalid(vcpu) && + !kvm_vcpu_dabt_isextabt(vcpu) && +- !kvm_vcpu_dabt_iss1tw(vcpu); ++ !kvm_vcpu_abt_iss1tw(vcpu); + + if (valid) { + int ret = __vgic_v2_perform_cpuif_access(vcpu); +diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c +index d26e6cd289539..2a7339aeb1ad4 100644 +--- a/arch/arm64/mm/fault.c ++++ b/arch/arm64/mm/fault.c +@@ -654,11 +654,13 @@ static int do_sea(unsigned long addr, unsigned int esr, struct pt_regs *regs) + + inf = esr_to_fault_info(esr); + +- /* +- * Return value ignored as we rely on signal merging. +- * Future patches will make this more robust. +- */ +- apei_claim_sea(regs); ++ if (user_mode(regs) && apei_claim_sea(regs) == 0) { ++ /* ++ * APEI claimed this as a firmware-first notification. ++ * Some processing deferred to task_work before ret_to_user(). ++ */ ++ return 0; ++ } + + if (esr & ESR_ELx_FnV) + siaddr = NULL; +diff --git a/arch/m68k/q40/config.c b/arch/m68k/q40/config.c +index e63eb5f069995..f31890078197e 100644 +--- a/arch/m68k/q40/config.c ++++ b/arch/m68k/q40/config.c +@@ -264,6 +264,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll) + { + int tmp = Q40_RTC_CTRL; + ++ pll->pll_ctrl = 0; + pll->pll_value = tmp & Q40_RTC_PLL_MASK; + if (tmp & Q40_RTC_PLL_SIGN) + pll->pll_value = -pll->pll_value; +diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h +index 7bbb66760a07c..1809c408736b0 100644 +--- a/arch/mips/include/asm/cpu-type.h ++++ b/arch/mips/include/asm/cpu-type.h +@@ -47,6 +47,7 @@ static inline int __pure __get_cpu_type(const int cpu_type) + case CPU_34K: + case CPU_1004K: + case CPU_74K: ++ case CPU_1074K: + case CPU_M14KC: + case CPU_M14KEC: + case CPU_INTERAPTIV: +diff --git a/arch/powerpc/include/asm/kvm_asm.h b/arch/powerpc/include/asm/kvm_asm.h +index 635fb154b33f9..a3633560493be 100644 +--- a/arch/powerpc/include/asm/kvm_asm.h ++++ b/arch/powerpc/include/asm/kvm_asm.h +@@ -150,4 +150,7 @@ + + #define KVM_INST_FETCH_FAILED -1 + ++/* Extract PO and XOP opcode fields */ ++#define PO_XOP_OPCODE_MASK 0xfc0007fe ++ + #endif /* __POWERPC_KVM_ASM_H__ */ +diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile +index dc0780f930d5b..59260eb962916 100644 +--- a/arch/powerpc/kernel/Makefile ++++ b/arch/powerpc/kernel/Makefile +@@ -19,6 +19,7 @@ CFLAGS_btext.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) + CFLAGS_prom.o += $(DISABLE_LATENT_ENTROPY_PLUGIN) + + CFLAGS_prom_init.o += $(call cc-option, -fno-stack-protector) ++CFLAGS_prom_init.o += -DDISABLE_BRANCH_PROFILING + + ifdef CONFIG_FUNCTION_TRACER + # Do not trace early boot code +@@ -36,7 +37,6 @@ KASAN_SANITIZE_btext.o := n + ifdef CONFIG_KASAN + CFLAGS_early_32.o += -DDISABLE_BRANCH_PROFILING + CFLAGS_cputable.o += -DDISABLE_BRANCH_PROFILING +-CFLAGS_prom_init.o += -DDISABLE_BRANCH_PROFILING + CFLAGS_btext.o += -DDISABLE_BRANCH_PROFILING + endif + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index bc8a551013be9..c35069294ecfb 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -503,7 +503,7 @@ int eeh_dev_check_failure(struct eeh_dev *edev) + rc = 1; + if (pe->state & EEH_PE_ISOLATED) { + pe->check_count++; +- if (pe->check_count % EEH_MAX_FAILS == 0) { ++ if (pe->check_count == EEH_MAX_FAILS) { + dn = pci_device_to_OF_node(dev); + if (dn) + location = of_get_property(dn, "ibm,loc-code", +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index 014ff0701f245..9432fc6af28a5 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -510,11 +510,11 @@ out: + #ifdef CONFIG_PPC_BOOK3S_64 + BUG_ON(get_paca()->in_nmi == 0); + if (get_paca()->in_nmi > 1) +- nmi_panic(regs, "Unrecoverable nested System Reset"); ++ die("Unrecoverable nested System Reset", regs, SIGABRT); + #endif + /* Must die if the interrupt is not recoverable */ + if (!(regs->msr & MSR_RI)) +- nmi_panic(regs, "Unrecoverable System Reset"); ++ die("Unrecoverable System Reset", regs, SIGABRT); + + if (saved_hsrrs) { + mtspr(SPRN_HSRR0, hsrr0); +@@ -858,7 +858,7 @@ void machine_check_exception(struct pt_regs *regs) + + /* Must die if the interrupt is not recoverable */ + if (!(regs->msr & MSR_RI)) +- nmi_panic(regs, "Unrecoverable Machine check"); ++ die("Unrecoverable Machine check", regs, SIGBUS); + + return; + +diff --git a/arch/powerpc/kvm/book3s_64_mmu_radix.c b/arch/powerpc/kvm/book3s_64_mmu_radix.c +index da8375437d161..9d73448354698 100644 +--- a/arch/powerpc/kvm/book3s_64_mmu_radix.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_radix.c +@@ -1104,6 +1104,11 @@ void kvmppc_radix_flush_memslot(struct kvm *kvm, + kvm->arch.lpid); + gpa += PAGE_SIZE; + } ++ /* ++ * Increase the mmu notifier sequence number to prevent any page ++ * fault that read the memslot earlier from writing a PTE. ++ */ ++ kvm->mmu_notifier_seq++; + spin_unlock(&kvm->mmu_lock); + } + +diff --git a/arch/powerpc/kvm/book3s_hv_tm.c b/arch/powerpc/kvm/book3s_hv_tm.c +index 0db9374971697..cc90b8b823291 100644 +--- a/arch/powerpc/kvm/book3s_hv_tm.c ++++ b/arch/powerpc/kvm/book3s_hv_tm.c +@@ -3,6 +3,8 @@ + * Copyright 2017 Paul Mackerras, IBM Corp. <paulus@au1.ibm.com> + */ + ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ + #include <linux/kvm_host.h> + + #include <asm/kvm_ppc.h> +@@ -44,7 +46,18 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu) + u64 newmsr, bescr; + int ra, rs; + +- switch (instr & 0xfc0007ff) { ++ /* ++ * rfid, rfebb, and mtmsrd encode bit 31 = 0 since it's a reserved bit ++ * in these instructions, so masking bit 31 out doesn't change these ++ * instructions. For treclaim., tsr., and trechkpt. instructions if bit ++ * 31 = 0 then they are per ISA invalid forms, however P9 UM, in section ++ * 4.6.10 Book II Invalid Forms, informs specifically that ignoring bit ++ * 31 is an acceptable way to handle these invalid forms that have ++ * bit 31 = 0. Moreover, for emulation purposes both forms (w/ and wo/ ++ * bit 31 set) can generate a softpatch interrupt. Hence both forms ++ * are handled below for these instructions so they behave the same way. ++ */ ++ switch (instr & PO_XOP_OPCODE_MASK) { + case PPC_INST_RFID: + /* XXX do we need to check for PR=0 here? */ + newmsr = vcpu->arch.shregs.srr1; +@@ -105,7 +118,8 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu) + vcpu->arch.shregs.msr = newmsr; + return RESUME_GUEST; + +- case PPC_INST_TSR: ++ /* ignore bit 31, see comment above */ ++ case (PPC_INST_TSR & PO_XOP_OPCODE_MASK): + /* check for PR=1 and arch 2.06 bit set in PCR */ + if ((msr & MSR_PR) && (vcpu->arch.vcore->pcr & PCR_ARCH_206)) { + /* generate an illegal instruction interrupt */ +@@ -140,7 +154,8 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu) + vcpu->arch.shregs.msr = msr; + return RESUME_GUEST; + +- case PPC_INST_TRECLAIM: ++ /* ignore bit 31, see comment above */ ++ case (PPC_INST_TRECLAIM & PO_XOP_OPCODE_MASK): + /* check for TM disabled in the HFSCR or MSR */ + if (!(vcpu->arch.hfscr & HFSCR_TM)) { + /* generate an illegal instruction interrupt */ +@@ -176,7 +191,8 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu) + vcpu->arch.shregs.msr &= ~MSR_TS_MASK; + return RESUME_GUEST; + +- case PPC_INST_TRECHKPT: ++ /* ignore bit 31, see comment above */ ++ case (PPC_INST_TRECHKPT & PO_XOP_OPCODE_MASK): + /* XXX do we need to check for PR=0 here? */ + /* check for TM disabled in the HFSCR or MSR */ + if (!(vcpu->arch.hfscr & HFSCR_TM)) { +@@ -208,6 +224,8 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu) + } + + /* What should we do here? We didn't recognize the instruction */ +- WARN_ON_ONCE(1); ++ kvmppc_core_queue_program(vcpu, SRR1_PROGILL); ++ pr_warn_ratelimited("Unrecognized TM-related instruction %#x for emulation", instr); ++ + return RESUME_GUEST; + } +diff --git a/arch/powerpc/kvm/book3s_hv_tm_builtin.c b/arch/powerpc/kvm/book3s_hv_tm_builtin.c +index 217246279dfae..fad931f224efd 100644 +--- a/arch/powerpc/kvm/book3s_hv_tm_builtin.c ++++ b/arch/powerpc/kvm/book3s_hv_tm_builtin.c +@@ -23,7 +23,18 @@ int kvmhv_p9_tm_emulation_early(struct kvm_vcpu *vcpu) + u64 newmsr, msr, bescr; + int rs; + +- switch (instr & 0xfc0007ff) { ++ /* ++ * rfid, rfebb, and mtmsrd encode bit 31 = 0 since it's a reserved bit ++ * in these instructions, so masking bit 31 out doesn't change these ++ * instructions. For the tsr. instruction if bit 31 = 0 then it is per ++ * ISA an invalid form, however P9 UM, in section 4.6.10 Book II Invalid ++ * Forms, informs specifically that ignoring bit 31 is an acceptable way ++ * to handle TM-related invalid forms that have bit 31 = 0. Moreover, ++ * for emulation purposes both forms (w/ and wo/ bit 31 set) can ++ * generate a softpatch interrupt. Hence both forms are handled below ++ * for tsr. to make them behave the same way. ++ */ ++ switch (instr & PO_XOP_OPCODE_MASK) { + case PPC_INST_RFID: + /* XXX do we need to check for PR=0 here? */ + newmsr = vcpu->arch.shregs.srr1; +@@ -73,7 +84,8 @@ int kvmhv_p9_tm_emulation_early(struct kvm_vcpu *vcpu) + vcpu->arch.shregs.msr = newmsr; + return 1; + +- case PPC_INST_TSR: ++ /* ignore bit 31, see comment above */ ++ case (PPC_INST_TSR & PO_XOP_OPCODE_MASK): + /* we know the MSR has the TS field = S (0b01) here */ + msr = vcpu->arch.shregs.msr; + /* check for PR=1 and arch 2.06 bit set in PCR */ +diff --git a/arch/powerpc/mm/book3s64/iommu_api.c b/arch/powerpc/mm/book3s64/iommu_api.c +index 56cc845205779..ef164851738b8 100644 +--- a/arch/powerpc/mm/book3s64/iommu_api.c ++++ b/arch/powerpc/mm/book3s64/iommu_api.c +@@ -121,24 +121,6 @@ static long mm_iommu_do_alloc(struct mm_struct *mm, unsigned long ua, + goto free_exit; + } + +- pageshift = PAGE_SHIFT; +- for (i = 0; i < entries; ++i) { +- struct page *page = mem->hpages[i]; +- +- /* +- * Allow to use larger than 64k IOMMU pages. Only do that +- * if we are backed by hugetlb. +- */ +- if ((mem->pageshift > PAGE_SHIFT) && PageHuge(page)) +- pageshift = page_shift(compound_head(page)); +- mem->pageshift = min(mem->pageshift, pageshift); +- /* +- * We don't need struct page reference any more, switch +- * to physical address. +- */ +- mem->hpas[i] = page_to_pfn(page) << PAGE_SHIFT; +- } +- + good_exit: + atomic64_set(&mem->mapped, 1); + mem->used = 1; +@@ -158,6 +140,27 @@ good_exit: + } + } + ++ if (mem->dev_hpa == MM_IOMMU_TABLE_INVALID_HPA) { ++ /* ++ * Allow to use larger than 64k IOMMU pages. Only do that ++ * if we are backed by hugetlb. Skip device memory as it is not ++ * backed with page structs. ++ */ ++ pageshift = PAGE_SHIFT; ++ for (i = 0; i < entries; ++i) { ++ struct page *page = mem->hpages[i]; ++ ++ if ((mem->pageshift > PAGE_SHIFT) && PageHuge(page)) ++ pageshift = page_shift(compound_head(page)); ++ mem->pageshift = min(mem->pageshift, pageshift); ++ /* ++ * We don't need struct page reference any more, switch ++ * to physical address. ++ */ ++ mem->hpas[i] = page_to_pfn(page) << PAGE_SHIFT; ++ } ++ } ++ + list_add_rcu(&mem->next, &mm->context.iommu_group_mem_list); + + mutex_unlock(&mem_list_mutex); +diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c +index cb50a9e1fd2d7..eb82dda884e51 100644 +--- a/arch/powerpc/perf/imc-pmu.c ++++ b/arch/powerpc/perf/imc-pmu.c +@@ -44,6 +44,16 @@ static DEFINE_PER_CPU(u64 *, trace_imc_mem); + static struct imc_pmu_ref *trace_imc_refc; + static int trace_imc_mem_size; + ++/* ++ * Global data structure used to avoid races between thread, ++ * core and trace-imc ++ */ ++static struct imc_pmu_ref imc_global_refc = { ++ .lock = __MUTEX_INITIALIZER(imc_global_refc.lock), ++ .id = 0, ++ .refc = 0, ++}; ++ + static struct imc_pmu *imc_event_to_pmu(struct perf_event *event) + { + return container_of(event->pmu, struct imc_pmu, pmu); +@@ -698,6 +708,16 @@ static int ppc_core_imc_cpu_offline(unsigned int cpu) + return -EINVAL; + + ref->refc = 0; ++ /* ++ * Reduce the global reference count, if this is the ++ * last cpu in this core and core-imc event running ++ * in this cpu. ++ */ ++ mutex_lock(&imc_global_refc.lock); ++ if (imc_global_refc.id == IMC_DOMAIN_CORE) ++ imc_global_refc.refc--; ++ ++ mutex_unlock(&imc_global_refc.lock); + } + return 0; + } +@@ -710,6 +730,23 @@ static int core_imc_pmu_cpumask_init(void) + ppc_core_imc_cpu_offline); + } + ++static void reset_global_refc(struct perf_event *event) ++{ ++ mutex_lock(&imc_global_refc.lock); ++ imc_global_refc.refc--; ++ ++ /* ++ * If no other thread is running any ++ * event for this domain(thread/core/trace), ++ * set the global id to zero. ++ */ ++ if (imc_global_refc.refc <= 0) { ++ imc_global_refc.refc = 0; ++ imc_global_refc.id = 0; ++ } ++ mutex_unlock(&imc_global_refc.lock); ++} ++ + static void core_imc_counters_release(struct perf_event *event) + { + int rc, core_id; +@@ -759,6 +796,8 @@ static void core_imc_counters_release(struct perf_event *event) + ref->refc = 0; + } + mutex_unlock(&ref->lock); ++ ++ reset_global_refc(event); + } + + static int core_imc_event_init(struct perf_event *event) +@@ -819,6 +858,29 @@ static int core_imc_event_init(struct perf_event *event) + ++ref->refc; + mutex_unlock(&ref->lock); + ++ /* ++ * Since the system can run either in accumulation or trace-mode ++ * of IMC at a time, core-imc events are allowed only if no other ++ * trace/thread imc events are enabled/monitored. ++ * ++ * Take the global lock, and check the refc.id ++ * to know whether any other trace/thread imc ++ * events are running. ++ */ ++ mutex_lock(&imc_global_refc.lock); ++ if (imc_global_refc.id == 0 || imc_global_refc.id == IMC_DOMAIN_CORE) { ++ /* ++ * No other trace/thread imc events are running in ++ * the system, so set the refc.id to core-imc. ++ */ ++ imc_global_refc.id = IMC_DOMAIN_CORE; ++ imc_global_refc.refc++; ++ } else { ++ mutex_unlock(&imc_global_refc.lock); ++ return -EBUSY; ++ } ++ mutex_unlock(&imc_global_refc.lock); ++ + event->hw.event_base = (u64)pcmi->vbase + (config & IMC_EVENT_OFFSET_MASK); + event->destroy = core_imc_counters_release; + return 0; +@@ -877,7 +939,23 @@ static int ppc_thread_imc_cpu_online(unsigned int cpu) + + static int ppc_thread_imc_cpu_offline(unsigned int cpu) + { +- mtspr(SPRN_LDBAR, 0); ++ /* ++ * Set the bit 0 of LDBAR to zero. ++ * ++ * If bit 0 of LDBAR is unset, it will stop posting ++ * the counter data to memory. ++ * For thread-imc, bit 0 of LDBAR will be set to 1 in the ++ * event_add function. So reset this bit here, to stop the updates ++ * to memory in the cpu_offline path. ++ */ ++ mtspr(SPRN_LDBAR, (mfspr(SPRN_LDBAR) & (~(1UL << 63)))); ++ ++ /* Reduce the refc if thread-imc event running on this cpu */ ++ mutex_lock(&imc_global_refc.lock); ++ if (imc_global_refc.id == IMC_DOMAIN_THREAD) ++ imc_global_refc.refc--; ++ mutex_unlock(&imc_global_refc.lock); ++ + return 0; + } + +@@ -916,7 +994,22 @@ static int thread_imc_event_init(struct perf_event *event) + if (!target) + return -EINVAL; + ++ mutex_lock(&imc_global_refc.lock); ++ /* ++ * Check if any other trace/core imc events are running in the ++ * system, if not set the global id to thread-imc. ++ */ ++ if (imc_global_refc.id == 0 || imc_global_refc.id == IMC_DOMAIN_THREAD) { ++ imc_global_refc.id = IMC_DOMAIN_THREAD; ++ imc_global_refc.refc++; ++ } else { ++ mutex_unlock(&imc_global_refc.lock); ++ return -EBUSY; ++ } ++ mutex_unlock(&imc_global_refc.lock); ++ + event->pmu->task_ctx_nr = perf_sw_context; ++ event->destroy = reset_global_refc; + return 0; + } + +@@ -1063,10 +1156,12 @@ static void thread_imc_event_del(struct perf_event *event, int flags) + int core_id; + struct imc_pmu_ref *ref; + +- mtspr(SPRN_LDBAR, 0); +- + core_id = smp_processor_id() / threads_per_core; + ref = &core_imc_refc[core_id]; ++ if (!ref) { ++ pr_debug("imc: Failed to get event reference count\n"); ++ return; ++ } + + mutex_lock(&ref->lock); + ref->refc--; +@@ -1082,6 +1177,10 @@ static void thread_imc_event_del(struct perf_event *event, int flags) + ref->refc = 0; + } + mutex_unlock(&ref->lock); ++ ++ /* Set bit 0 of LDBAR to zero, to stop posting updates to memory */ ++ mtspr(SPRN_LDBAR, (mfspr(SPRN_LDBAR) & (~(1UL << 63)))); ++ + /* + * Take a snapshot and calculate the delta and update + * the event counter values. +@@ -1133,7 +1232,18 @@ static int ppc_trace_imc_cpu_online(unsigned int cpu) + + static int ppc_trace_imc_cpu_offline(unsigned int cpu) + { +- mtspr(SPRN_LDBAR, 0); ++ /* ++ * No need to set bit 0 of LDBAR to zero, as ++ * it is set to zero for imc trace-mode ++ * ++ * Reduce the refc if any trace-imc event running ++ * on this cpu. ++ */ ++ mutex_lock(&imc_global_refc.lock); ++ if (imc_global_refc.id == IMC_DOMAIN_TRACE) ++ imc_global_refc.refc--; ++ mutex_unlock(&imc_global_refc.lock); ++ + return 0; + } + +@@ -1226,15 +1336,14 @@ static int trace_imc_event_add(struct perf_event *event, int flags) + local_mem = get_trace_imc_event_base_addr(); + ldbar_value = ((u64)local_mem & THREAD_IMC_LDBAR_MASK) | TRACE_IMC_ENABLE; + +- if (core_imc_refc) +- ref = &core_imc_refc[core_id]; ++ /* trace-imc reference count */ ++ if (trace_imc_refc) ++ ref = &trace_imc_refc[core_id]; + if (!ref) { +- /* If core-imc is not enabled, use trace-imc reference count */ +- if (trace_imc_refc) +- ref = &trace_imc_refc[core_id]; +- if (!ref) +- return -EINVAL; ++ pr_debug("imc: Failed to get the event reference count\n"); ++ return -EINVAL; + } ++ + mtspr(SPRN_LDBAR, ldbar_value); + mutex_lock(&ref->lock); + if (ref->refc == 0) { +@@ -1242,13 +1351,11 @@ static int trace_imc_event_add(struct perf_event *event, int flags) + get_hard_smp_processor_id(smp_processor_id()))) { + mutex_unlock(&ref->lock); + pr_err("trace-imc: Unable to start the counters for core %d\n", core_id); +- mtspr(SPRN_LDBAR, 0); + return -EINVAL; + } + } + ++ref->refc; + mutex_unlock(&ref->lock); +- + return 0; + } + +@@ -1274,16 +1381,13 @@ static void trace_imc_event_del(struct perf_event *event, int flags) + int core_id = smp_processor_id() / threads_per_core; + struct imc_pmu_ref *ref = NULL; + +- if (core_imc_refc) +- ref = &core_imc_refc[core_id]; ++ if (trace_imc_refc) ++ ref = &trace_imc_refc[core_id]; + if (!ref) { +- /* If core-imc is not enabled, use trace-imc reference count */ +- if (trace_imc_refc) +- ref = &trace_imc_refc[core_id]; +- if (!ref) +- return; ++ pr_debug("imc: Failed to get event reference count\n"); ++ return; + } +- mtspr(SPRN_LDBAR, 0); ++ + mutex_lock(&ref->lock); + ref->refc--; + if (ref->refc == 0) { +@@ -1297,6 +1401,7 @@ static void trace_imc_event_del(struct perf_event *event, int flags) + ref->refc = 0; + } + mutex_unlock(&ref->lock); ++ + trace_imc_event_stop(event, flags); + } + +@@ -1314,10 +1419,30 @@ static int trace_imc_event_init(struct perf_event *event) + if (event->attr.sample_period == 0) + return -ENOENT; + ++ /* ++ * Take the global lock, and make sure ++ * no other thread is running any core/thread imc ++ * events ++ */ ++ mutex_lock(&imc_global_refc.lock); ++ if (imc_global_refc.id == 0 || imc_global_refc.id == IMC_DOMAIN_TRACE) { ++ /* ++ * No core/thread imc events are running in the ++ * system, so set the refc.id to trace-imc. ++ */ ++ imc_global_refc.id = IMC_DOMAIN_TRACE; ++ imc_global_refc.refc++; ++ } else { ++ mutex_unlock(&imc_global_refc.lock); ++ return -EBUSY; ++ } ++ mutex_unlock(&imc_global_refc.lock); ++ + event->hw.idx = -1; + target = event->hw.target; + + event->pmu->task_ctx_nr = perf_hw_context; ++ event->destroy = reset_global_refc; + return 0; + } + +@@ -1429,10 +1554,10 @@ static void cleanup_all_core_imc_memory(void) + static void thread_imc_ldbar_disable(void *dummy) + { + /* +- * By Zeroing LDBAR, we disable thread-imc +- * updates. ++ * By setting 0th bit of LDBAR to zero, we disable thread-imc ++ * updates to memory. + */ +- mtspr(SPRN_LDBAR, 0); ++ mtspr(SPRN_LDBAR, (mfspr(SPRN_LDBAR) & (~(1UL << 63)))); + } + + void thread_imc_disable(void) +diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h +index c6dcc5291f972..02fbc175142e2 100644 +--- a/arch/riscv/include/asm/ftrace.h ++++ b/arch/riscv/include/asm/ftrace.h +@@ -63,4 +63,11 @@ do { \ + * Let auipc+jalr be the basic *mcount unit*, so we make it 8 bytes here. + */ + #define MCOUNT_INSN_SIZE 8 ++ ++#ifndef __ASSEMBLY__ ++struct dyn_ftrace; ++int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec); ++#define ftrace_init_nop ftrace_init_nop ++#endif ++ + #endif +diff --git a/arch/riscv/kernel/ftrace.c b/arch/riscv/kernel/ftrace.c +index c40fdcdeb950a..291c579e12457 100644 +--- a/arch/riscv/kernel/ftrace.c ++++ b/arch/riscv/kernel/ftrace.c +@@ -88,6 +88,25 @@ int ftrace_make_nop(struct module *mod, struct dyn_ftrace *rec, + return __ftrace_modify_call(rec->ip, addr, false); + } + ++ ++/* ++ * This is called early on, and isn't wrapped by ++ * ftrace_arch_code_modify_{prepare,post_process}() and therefor doesn't hold ++ * text_mutex, which triggers a lockdep failure. SMP isn't running so we could ++ * just directly poke the text, but it's simpler to just take the lock ++ * ourselves. ++ */ ++int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec) ++{ ++ int out; ++ ++ ftrace_arch_code_modify_prepare(); ++ out = ftrace_make_nop(mod, rec, MCOUNT_ADDR); ++ ftrace_arch_code_modify_post_process(); ++ ++ return out; ++} ++ + int ftrace_update_ftrace_func(ftrace_func_t func) + { + int ret = __ftrace_modify_call((unsigned long)&ftrace_call, +diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h +index 34a655ad71234..5ce586948d926 100644 +--- a/arch/s390/include/asm/pgtable.h ++++ b/arch/s390/include/asm/pgtable.h +@@ -1247,26 +1247,46 @@ static inline pgd_t *pgd_offset_raw(pgd_t *pgd, unsigned long address) + #define pgd_offset(mm, address) pgd_offset_raw(READ_ONCE((mm)->pgd), address) + #define pgd_offset_k(address) pgd_offset(&init_mm, address) + +-static inline p4d_t *p4d_offset(pgd_t *pgd, unsigned long address) ++static inline p4d_t *p4d_offset_lockless(pgd_t *pgdp, pgd_t pgd, unsigned long address) + { +- if ((pgd_val(*pgd) & _REGION_ENTRY_TYPE_MASK) >= _REGION_ENTRY_TYPE_R1) +- return (p4d_t *) pgd_deref(*pgd) + p4d_index(address); +- return (p4d_t *) pgd; ++ if ((pgd_val(pgd) & _REGION_ENTRY_TYPE_MASK) >= _REGION_ENTRY_TYPE_R1) ++ return (p4d_t *) pgd_deref(pgd) + p4d_index(address); ++ return (p4d_t *) pgdp; + } ++#define p4d_offset_lockless p4d_offset_lockless + +-static inline pud_t *pud_offset(p4d_t *p4d, unsigned long address) ++static inline p4d_t *p4d_offset(pgd_t *pgdp, unsigned long address) + { +- if ((p4d_val(*p4d) & _REGION_ENTRY_TYPE_MASK) >= _REGION_ENTRY_TYPE_R2) +- return (pud_t *) p4d_deref(*p4d) + pud_index(address); +- return (pud_t *) p4d; ++ return p4d_offset_lockless(pgdp, *pgdp, address); + } + +-static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address) ++static inline pud_t *pud_offset_lockless(p4d_t *p4dp, p4d_t p4d, unsigned long address) + { +- if ((pud_val(*pud) & _REGION_ENTRY_TYPE_MASK) >= _REGION_ENTRY_TYPE_R3) +- return (pmd_t *) pud_deref(*pud) + pmd_index(address); +- return (pmd_t *) pud; ++ if ((p4d_val(p4d) & _REGION_ENTRY_TYPE_MASK) >= _REGION_ENTRY_TYPE_R2) ++ return (pud_t *) p4d_deref(p4d) + pud_index(address); ++ return (pud_t *) p4dp; + } ++#define pud_offset_lockless pud_offset_lockless ++ ++static inline pud_t *pud_offset(p4d_t *p4dp, unsigned long address) ++{ ++ return pud_offset_lockless(p4dp, *p4dp, address); ++} ++#define pud_offset pud_offset ++ ++static inline pmd_t *pmd_offset_lockless(pud_t *pudp, pud_t pud, unsigned long address) ++{ ++ if ((pud_val(pud) & _REGION_ENTRY_TYPE_MASK) >= _REGION_ENTRY_TYPE_R3) ++ return (pmd_t *) pud_deref(pud) + pmd_index(address); ++ return (pmd_t *) pudp; ++} ++#define pmd_offset_lockless pmd_offset_lockless ++ ++static inline pmd_t *pmd_offset(pud_t *pudp, unsigned long address) ++{ ++ return pmd_offset_lockless(pudp, *pudp, address); ++} ++#define pmd_offset pmd_offset + + static inline pte_t *pte_offset(pmd_t *pmd, unsigned long address) + { +diff --git a/arch/s390/include/asm/stacktrace.h b/arch/s390/include/asm/stacktrace.h +index 0ae4bbf7779c8..3679d224fd3c5 100644 +--- a/arch/s390/include/asm/stacktrace.h ++++ b/arch/s390/include/asm/stacktrace.h +@@ -111,4 +111,15 @@ struct stack_frame { + r2; \ + }) + ++#define CALL_ON_STACK_NORETURN(fn, stack) \ ++({ \ ++ asm volatile( \ ++ " la 15,0(%[_stack])\n" \ ++ " xc %[_bc](8,15),%[_bc](15)\n" \ ++ " brasl 14,%[_fn]\n" \ ++ ::[_bc] "i" (offsetof(struct stack_frame, back_chain)), \ ++ [_stack] "a" (stack), [_fn] "X" (fn)); \ ++ BUG(); \ ++}) ++ + #endif /* _ASM_S390_STACKTRACE_H */ +diff --git a/arch/s390/kernel/irq.c b/arch/s390/kernel/irq.c +index 8371855042dc2..da550cb8b31bd 100644 +--- a/arch/s390/kernel/irq.c ++++ b/arch/s390/kernel/irq.c +@@ -294,11 +294,6 @@ static irqreturn_t do_ext_interrupt(int irq, void *dummy) + return IRQ_HANDLED; + } + +-static struct irqaction external_interrupt = { +- .name = "EXT", +- .handler = do_ext_interrupt, +-}; +- + void __init init_ext_interrupts(void) + { + int idx; +@@ -308,7 +303,8 @@ void __init init_ext_interrupts(void) + + irq_set_chip_and_handler(EXT_INTERRUPT, + &dummy_irq_chip, handle_percpu_irq); +- setup_irq(EXT_INTERRUPT, &external_interrupt); ++ if (request_irq(EXT_INTERRUPT, do_ext_interrupt, 0, "EXT", NULL)) ++ panic("Failed to register EXT interrupt\n"); + } + + static DEFINE_SPINLOCK(irq_subclass_lock); +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 229e1e2f8253a..996e447ead3a6 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1429,8 +1429,8 @@ static int aux_output_begin(struct perf_output_handle *handle, + idx = aux->empty_mark + 1; + for (i = 0; i < range_scan; i++, idx++) { + te = aux_sdb_trailer(aux, idx); +- te->flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK; +- te->flags = te->flags & ~SDB_TE_ALERT_REQ_MASK; ++ te->flags &= ~(SDB_TE_BUFFER_FULL_MASK | ++ SDB_TE_ALERT_REQ_MASK); + te->overflow = 0; + } + /* Save the position of empty SDBs */ +@@ -1477,8 +1477,7 @@ static bool aux_set_alert(struct aux_buffer *aux, unsigned long alert_index, + te = aux_sdb_trailer(aux, alert_index); + do { + orig_flags = te->flags; +- orig_overflow = te->overflow; +- *overflow = orig_overflow; ++ *overflow = orig_overflow = te->overflow; + if (orig_flags & SDB_TE_BUFFER_FULL_MASK) { + /* + * SDB is already set by hardware. +@@ -1712,7 +1711,7 @@ static void *aux_buffer_setup(struct perf_event *event, void **pages, + } + + /* Allocate aux_buffer struct for the event */ +- aux = kmalloc(sizeof(struct aux_buffer), GFP_KERNEL); ++ aux = kzalloc(sizeof(struct aux_buffer), GFP_KERNEL); + if (!aux) + goto no_aux; + sfb = &aux->sfb; +diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c +index 07b2b61a0289f..61c02a162d378 100644 +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -356,7 +356,6 @@ early_initcall(async_stack_realloc); + + void __init arch_call_rest_init(void) + { +- struct stack_frame *frame; + unsigned long stack; + + stack = stack_alloc(); +@@ -369,13 +368,7 @@ void __init arch_call_rest_init(void) + set_task_stack_end_magic(current); + stack += STACK_INIT_OFFSET; + S390_lowcore.kernel_stack = stack; +- frame = (struct stack_frame *) stack; +- memset(frame, 0, sizeof(*frame)); +- /* Branch to rest_init on the new stack, never returns */ +- asm volatile( +- " la 15,0(%[_frame])\n" +- " jg rest_init\n" +- : : [_frame] "a" (frame)); ++ CALL_ON_STACK_NORETURN(rest_init, stack); + } + + static void __init setup_lowcore_dat_off(void) +@@ -634,7 +627,7 @@ static struct notifier_block kdump_mem_nb = { + /* + * Make sure that the area behind memory_end is protected + */ +-static void reserve_memory_end(void) ++static void __init reserve_memory_end(void) + { + if (memory_end_set) + memblock_reserve(memory_end, ULONG_MAX); +@@ -643,7 +636,7 @@ static void reserve_memory_end(void) + /* + * Make sure that oldmem, where the dump is stored, is protected + */ +-static void reserve_oldmem(void) ++static void __init reserve_oldmem(void) + { + #ifdef CONFIG_CRASH_DUMP + if (OLDMEM_BASE) +@@ -655,7 +648,7 @@ static void reserve_oldmem(void) + /* + * Make sure that oldmem, where the dump is stored, is protected + */ +-static void remove_oldmem(void) ++static void __init remove_oldmem(void) + { + #ifdef CONFIG_CRASH_DUMP + if (OLDMEM_BASE) +diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c +index 66bf050d785cf..ad426cc656e56 100644 +--- a/arch/s390/kernel/smp.c ++++ b/arch/s390/kernel/smp.c +@@ -878,7 +878,7 @@ static void __no_sanitize_address smp_start_secondary(void *cpuvoid) + S390_lowcore.restart_source = -1UL; + __ctl_load(S390_lowcore.cregs_save_area, 0, 15); + __load_psw_mask(PSW_KERNEL_BITS | PSW_MASK_DAT); +- CALL_ON_STACK(smp_init_secondary, S390_lowcore.kernel_stack, 0); ++ CALL_ON_STACK_NORETURN(smp_init_secondary, S390_lowcore.kernel_stack); + } + + /* Upping and downing of CPUs */ +diff --git a/arch/x86/include/asm/crash.h b/arch/x86/include/asm/crash.h +index ef5638f641f2b..88eadd08ad708 100644 +--- a/arch/x86/include/asm/crash.h ++++ b/arch/x86/include/asm/crash.h +@@ -10,4 +10,10 @@ int crash_setup_memmap_entries(struct kimage *image, + struct boot_params *params); + void crash_smp_send_stop(void); + ++#ifdef CONFIG_KEXEC_CORE ++void __init crash_reserve_low_1M(void); ++#else ++static inline void __init crash_reserve_low_1M(void) { } ++#endif ++ + #endif /* _ASM_X86_CRASH_H */ +diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h +index 5c24a7b351665..b222a35959467 100644 +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -320,7 +320,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear); + * combination with microcode which triggers a CPU buffer flush when the + * instruction is executed. + */ +-static inline void mds_clear_cpu_buffers(void) ++static __always_inline void mds_clear_cpu_buffers(void) + { + static const u16 ds = __KERNEL_DS; + +@@ -341,7 +341,7 @@ static inline void mds_clear_cpu_buffers(void) + * + * Clear CPU buffers if the corresponding static key is enabled + */ +-static inline void mds_user_clear_cpu_buffers(void) ++static __always_inline void mds_user_clear_cpu_buffers(void) + { + if (static_branch_likely(&mds_user_clear)) + mds_clear_cpu_buffers(); +diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h +index 19b137f1b3beb..2ff9b98812b76 100644 +--- a/arch/x86/include/asm/pkeys.h ++++ b/arch/x86/include/asm/pkeys.h +@@ -4,6 +4,11 @@ + + #define ARCH_DEFAULT_PKEY 0 + ++/* ++ * If more than 16 keys are ever supported, a thorough audit ++ * will be necessary to ensure that the types that store key ++ * numbers and masks have sufficient capacity. ++ */ + #define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1) + + extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, +diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c +index ea6d9da9b0941..4b6301946f455 100644 +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -2256,6 +2256,7 @@ static inline void __init check_timer(void) + legacy_pic->init(0); + legacy_pic->make_irq(0); + apic_write(APIC_LVT0, APIC_DM_EXTINT); ++ legacy_pic->unmask(0); + + unlock_ExtINT_logic(); + +diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c +index eb651fbde92ac..ff25a2ea271cf 100644 +--- a/arch/x86/kernel/crash.c ++++ b/arch/x86/kernel/crash.c +@@ -24,6 +24,7 @@ + #include <linux/export.h> + #include <linux/slab.h> + #include <linux/vmalloc.h> ++#include <linux/memblock.h> + + #include <asm/processor.h> + #include <asm/hardirq.h> +@@ -39,6 +40,7 @@ + #include <asm/virtext.h> + #include <asm/intel_pt.h> + #include <asm/crash.h> ++#include <asm/cmdline.h> + + /* Used while preparing memory map entries for second kernel */ + struct crash_memmap_data { +@@ -68,6 +70,19 @@ static inline void cpu_crash_vmclear_loaded_vmcss(void) + rcu_read_unlock(); + } + ++/* ++ * When the crashkernel option is specified, only use the low ++ * 1M for the real mode trampoline. ++ */ ++void __init crash_reserve_low_1M(void) ++{ ++ if (cmdline_find_option(boot_command_line, "crashkernel", NULL, 0) < 0) ++ return; ++ ++ memblock_reserve(0, 1<<20); ++ pr_info("Reserving the low 1M of memory for crashkernel\n"); ++} ++ + #if defined(CONFIG_SMP) && defined(CONFIG_X86_LOCAL_APIC) + + static void kdump_nmi_callback(int cpu, struct pt_regs *regs) +diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c +index 755eb26cbec04..735d1f1bbabc7 100644 +--- a/arch/x86/kernel/fpu/xstate.c ++++ b/arch/x86/kernel/fpu/xstate.c +@@ -895,8 +895,6 @@ const void *get_xsave_field_ptr(int xfeature_nr) + + #ifdef CONFIG_ARCH_HAS_PKEYS + +-#define NR_VALID_PKRU_BITS (CONFIG_NR_PROTECTION_KEYS * 2) +-#define PKRU_VALID_MASK (NR_VALID_PKRU_BITS - 1) + /* + * This will go out and modify PKRU register to set the access + * rights for @pkey to @init_val. +@@ -915,6 +913,13 @@ int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, + if (!boot_cpu_has(X86_FEATURE_OSPKE)) + return -EINVAL; + ++ /* ++ * This code should only be called with valid 'pkey' ++ * values originating from in-kernel users. Complain ++ * if a bad value is observed. ++ */ ++ WARN_ON_ONCE(pkey >= arch_max_pkey()); ++ + /* Set the bits we need in PKRU: */ + if (init_val & PKEY_DISABLE_ACCESS) + new_pkru_bits |= PKRU_AD_BIT; +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 128d3ad46e965..cc7823e7ef96c 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -5836,6 +5836,8 @@ writeback: + } + + ctxt->eip = ctxt->_eip; ++ if (ctxt->mode != X86EMUL_MODE_PROT64) ++ ctxt->eip = (u32)ctxt->_eip; + + done: + if (rc == X86EMUL_PROPAGATE_FAULT) { +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 6920f1d3b66f5..9f793c9649cdf 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1684,7 +1684,7 @@ static void start_sw_period(struct kvm_lapic *apic) + + hrtimer_start(&apic->lapic_timer.timer, + apic->lapic_timer.target_expiration, +- HRTIMER_MODE_ABS); ++ HRTIMER_MODE_ABS_HARD); + } + + bool kvm_lapic_hv_timer_in_use(struct kvm_vcpu *vcpu) +diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h +index 3c6522b84ff11..ffcd96fc02d0a 100644 +--- a/arch/x86/kvm/mmutrace.h ++++ b/arch/x86/kvm/mmutrace.h +@@ -339,7 +339,7 @@ TRACE_EVENT( + /* These depend on page entry type, so compute them now. */ + __field(bool, r) + __field(bool, x) +- __field(u8, u) ++ __field(signed char, u) + ), + + TP_fast_assign( +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 3243a80ea32c0..b58495fde2e89 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -787,9 +787,6 @@ static int skip_emulated_instruction(struct kvm_vcpu *vcpu) + if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP)) + return 0; + } else { +- if (svm->next_rip - kvm_rip_read(vcpu) > MAX_INST_SIZE) +- pr_err("%s: ip 0x%lx next 0x%llx\n", +- __func__, kvm_rip_read(vcpu), svm->next_rip); + kvm_rip_write(vcpu, svm->next_rip); + } + svm_set_interrupt_shadow(vcpu, 0); +@@ -3970,6 +3967,12 @@ static int iret_interception(struct vcpu_svm *svm) + return 1; + } + ++static int invd_interception(struct vcpu_svm *svm) ++{ ++ /* Treat an INVD instruction as a NOP and just skip it. */ ++ return kvm_skip_emulated_instruction(&svm->vcpu); ++} ++ + static int invlpg_interception(struct vcpu_svm *svm) + { + if (!static_cpu_has(X86_FEATURE_DECODEASSISTS)) +@@ -4822,7 +4825,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = { + [SVM_EXIT_RDPMC] = rdpmc_interception, + [SVM_EXIT_CPUID] = cpuid_interception, + [SVM_EXIT_IRET] = iret_interception, +- [SVM_EXIT_INVD] = emulate_on_interception, ++ [SVM_EXIT_INVD] = invd_interception, + [SVM_EXIT_PAUSE] = pause_interception, + [SVM_EXIT_HLT] = halt_interception, + [SVM_EXIT_INVLPG] = invlpg_interception, +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index a1e62dda56074..2a1ed3aae100e 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -1130,6 +1130,10 @@ void vmx_prepare_switch_to_guest(struct kvm_vcpu *vcpu) + vmx->guest_msrs[i].mask); + + } ++ ++ if (vmx->nested.need_vmcs12_to_shadow_sync) ++ nested_sync_vmcs12_to_shadow(vcpu); ++ + if (vmx->guest_state_loaded) + return; + +@@ -1537,7 +1541,7 @@ static int vmx_rtit_ctl_check(struct kvm_vcpu *vcpu, u64 data) + + static int skip_emulated_instruction(struct kvm_vcpu *vcpu) + { +- unsigned long rip; ++ unsigned long rip, orig_rip; + + /* + * Using VMCS.VM_EXIT_INSTRUCTION_LEN on EPT misconfig depends on +@@ -1549,8 +1553,17 @@ static int skip_emulated_instruction(struct kvm_vcpu *vcpu) + */ + if (!static_cpu_has(X86_FEATURE_HYPERVISOR) || + to_vmx(vcpu)->exit_reason != EXIT_REASON_EPT_MISCONFIG) { +- rip = kvm_rip_read(vcpu); +- rip += vmcs_read32(VM_EXIT_INSTRUCTION_LEN); ++ orig_rip = kvm_rip_read(vcpu); ++ rip = orig_rip + vmcs_read32(VM_EXIT_INSTRUCTION_LEN); ++#ifdef CONFIG_X86_64 ++ /* ++ * We need to mask out the high 32 bits of RIP if not in 64-bit ++ * mode, but just finding out that we are in 64-bit mode is ++ * quite expensive. Only do it if there was a carry. ++ */ ++ if (unlikely(((rip ^ orig_rip) >> 31) == 3) && !is_64_bit_mode(vcpu)) ++ rip = (u32)rip; ++#endif + kvm_rip_write(vcpu, rip); + } else { + if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP)) +@@ -6486,8 +6499,11 @@ static void vmx_vcpu_run(struct kvm_vcpu *vcpu) + vmcs_write32(PLE_WINDOW, vmx->ple_window); + } + +- if (vmx->nested.need_vmcs12_to_shadow_sync) +- nested_sync_vmcs12_to_shadow(vcpu); ++ /* ++ * We did this in prepare_switch_to_guest, because it needs to ++ * be within srcu_read_lock. ++ */ ++ WARN_ON_ONCE(vmx->nested.need_vmcs12_to_shadow_sync); + + if (test_bit(VCPU_REGS_RSP, (unsigned long *)&vcpu->arch.regs_dirty)) + vmcs_writel(GUEST_RSP, vcpu->arch.regs[VCPU_REGS_RSP]); +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 8920ee7b28811..12e83297ea020 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -973,6 +973,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + unsigned long old_cr4 = kvm_read_cr4(vcpu); + unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE | + X86_CR4_SMEP; ++ unsigned long mmu_role_bits = pdptr_bits | X86_CR4_SMAP | X86_CR4_PKE; + + if (kvm_valid_cr4(vcpu, cr4)) + return 1; +@@ -1000,7 +1001,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + if (kvm_x86_ops->set_cr4(vcpu, cr4)) + return 1; + +- if (((cr4 ^ old_cr4) & pdptr_bits) || ++ if (((cr4 ^ old_cr4) & mmu_role_bits) || + (!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE))) + kvm_mmu_reset_context(vcpu); + +@@ -5050,10 +5051,13 @@ set_identity_unlock: + r = -EFAULT; + if (copy_from_user(&u.ps, argp, sizeof(u.ps))) + goto out; ++ mutex_lock(&kvm->lock); + r = -ENXIO; + if (!kvm->arch.vpit) +- goto out; ++ goto set_pit_out; + r = kvm_vm_ioctl_set_pit(kvm, &u.ps); ++set_pit_out: ++ mutex_unlock(&kvm->lock); + break; + } + case KVM_GET_PIT2: { +@@ -5073,10 +5077,13 @@ set_identity_unlock: + r = -EFAULT; + if (copy_from_user(&u.ps2, argp, sizeof(u.ps2))) + goto out; ++ mutex_lock(&kvm->lock); + r = -ENXIO; + if (!kvm->arch.vpit) +- goto out; ++ goto set_pit2_out; + r = kvm_vm_ioctl_set_pit2(kvm, &u.ps2); ++set_pit2_out: ++ mutex_unlock(&kvm->lock); + break; + } + case KVM_REINJECT_CONTROL: { +diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c +index b0dfac3d3df71..1847e993ac63a 100644 +--- a/arch/x86/lib/usercopy_64.c ++++ b/arch/x86/lib/usercopy_64.c +@@ -120,7 +120,7 @@ long __copy_user_flushcache(void *dst, const void __user *src, unsigned size) + */ + if (size < 8) { + if (!IS_ALIGNED(dest, 4) || size != 4) +- clean_cache_range(dst, 1); ++ clean_cache_range(dst, size); + } else { + if (!IS_ALIGNED(dest, 8)) { + dest = ALIGN(dest, boot_cpu_data.x86_clflush_size); +diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c +index 7dce39c8c034a..262f83cad3551 100644 +--- a/arch/x86/realmode/init.c ++++ b/arch/x86/realmode/init.c +@@ -8,6 +8,7 @@ + #include <asm/pgtable.h> + #include <asm/realmode.h> + #include <asm/tlbflush.h> ++#include <asm/crash.h> + + struct real_mode_header *real_mode_header; + u32 *trampoline_cr4_features; +@@ -34,6 +35,7 @@ void __init reserve_real_mode(void) + + memblock_reserve(mem, size); + set_real_mode_mem(mem); ++ crash_reserve_low_1M(); + } + + static void __init setup_real_mode(void) +diff --git a/arch/xtensa/kernel/entry.S b/arch/xtensa/kernel/entry.S +index 59671603c9c62..1f07876ea2ed7 100644 +--- a/arch/xtensa/kernel/entry.S ++++ b/arch/xtensa/kernel/entry.S +@@ -1897,6 +1897,7 @@ ENTRY(system_call) + + mov a6, a2 + call4 do_syscall_trace_enter ++ beqz a6, .Lsyscall_exit + l32i a7, a2, PT_SYSCALL + + 1: +@@ -1911,8 +1912,6 @@ ENTRY(system_call) + + addx4 a4, a7, a4 + l32i a4, a4, 0 +- movi a5, sys_ni_syscall; +- beq a4, a5, 1f + + /* Load args: arg0 - arg5 are passed via regs. */ + +@@ -1932,6 +1931,7 @@ ENTRY(system_call) + + s32i a6, a2, PT_AREG2 + bnez a3, 1f ++.Lsyscall_exit: + abi_ret(4) + + 1: +diff --git a/arch/xtensa/kernel/ptrace.c b/arch/xtensa/kernel/ptrace.c +index b964f0b2d8864..145742d70a9f2 100644 +--- a/arch/xtensa/kernel/ptrace.c ++++ b/arch/xtensa/kernel/ptrace.c +@@ -542,14 +542,28 @@ long arch_ptrace(struct task_struct *child, long request, + return ret; + } + +-void do_syscall_trace_enter(struct pt_regs *regs) ++void do_syscall_trace_leave(struct pt_regs *regs); ++int do_syscall_trace_enter(struct pt_regs *regs) + { ++ if (regs->syscall == NO_SYSCALL) ++ regs->areg[2] = -ENOSYS; ++ + if (test_thread_flag(TIF_SYSCALL_TRACE) && +- tracehook_report_syscall_entry(regs)) ++ tracehook_report_syscall_entry(regs)) { ++ regs->areg[2] = -ENOSYS; + regs->syscall = NO_SYSCALL; ++ return 0; ++ } ++ ++ if (regs->syscall == NO_SYSCALL) { ++ do_syscall_trace_leave(regs); ++ return 0; ++ } + + if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) + trace_sys_enter(regs, syscall_get_nr(current, regs)); ++ ++ return 1; + } + + void do_syscall_trace_leave(struct pt_regs *regs) +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 57eacdcbf8208..1ec55345252b6 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1043,29 +1043,21 @@ void acpi_ec_unblock_transactions(void) + /* -------------------------------------------------------------------------- + Event Management + -------------------------------------------------------------------------- */ +-static struct acpi_ec_query_handler * +-acpi_ec_get_query_handler(struct acpi_ec_query_handler *handler) +-{ +- if (handler) +- kref_get(&handler->kref); +- return handler; +-} +- + static struct acpi_ec_query_handler * + acpi_ec_get_query_handler_by_value(struct acpi_ec *ec, u8 value) + { + struct acpi_ec_query_handler *handler; +- bool found = false; + + mutex_lock(&ec->mutex); + list_for_each_entry(handler, &ec->list, node) { + if (value == handler->query_bit) { +- found = true; +- break; ++ kref_get(&handler->kref); ++ mutex_unlock(&ec->mutex); ++ return handler; + } + } + mutex_unlock(&ec->mutex); +- return found ? acpi_ec_get_query_handler(handler) : NULL; ++ return NULL; + } + + static void acpi_ec_query_handler_release(struct kref *kref) +diff --git a/drivers/ata/acard-ahci.c b/drivers/ata/acard-ahci.c +index 753985c015177..46dc54d18f0b7 100644 +--- a/drivers/ata/acard-ahci.c ++++ b/drivers/ata/acard-ahci.c +@@ -56,7 +56,7 @@ struct acard_sg { + __le32 size; /* bit 31 (EOT) max==0x10000 (64k) */ + }; + +-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc); + static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc); + static int acard_ahci_port_start(struct ata_port *ap); + static int acard_ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); +@@ -210,7 +210,7 @@ static unsigned int acard_ahci_fill_sg(struct ata_queued_cmd *qc, void *cmd_tbl) + return si; + } + +-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct ahci_port_priv *pp = ap->private_data; +@@ -248,6 +248,8 @@ static void acard_ahci_qc_prep(struct ata_queued_cmd *qc) + opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH; + + ahci_fill_cmd_slot(pp, qc->hw_tag, opts); ++ ++ return AC_ERR_OK; + } + + static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c +index bff369d9a1a78..ea5bf5f4cbed5 100644 +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -57,7 +57,7 @@ static int ahci_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val); + static bool ahci_qc_fill_rtf(struct ata_queued_cmd *qc); + static int ahci_port_start(struct ata_port *ap); + static void ahci_port_stop(struct ata_port *ap); +-static void ahci_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc); + static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc); + static void ahci_freeze(struct ata_port *ap); + static void ahci_thaw(struct ata_port *ap); +@@ -1624,7 +1624,7 @@ static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc) + return sata_pmp_qc_defer_cmd_switch(qc); + } + +-static void ahci_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct ahci_port_priv *pp = ap->private_data; +@@ -1660,6 +1660,8 @@ static void ahci_qc_prep(struct ata_queued_cmd *qc) + opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH; + + ahci_fill_cmd_slot(pp, qc->hw_tag, opts); ++ ++ return AC_ERR_OK; + } + + static void ahci_fbs_dec_intr(struct ata_port *ap) +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 066b37963ad5f..f67b3fb33d579 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4978,7 +4978,10 @@ int ata_std_qc_defer(struct ata_queued_cmd *qc) + return ATA_DEFER_LINK; + } + +-void ata_noop_qc_prep(struct ata_queued_cmd *qc) { } ++enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc) ++{ ++ return AC_ERR_OK; ++} + + /** + * ata_sg_init - Associate command with scatter-gather table. +@@ -5465,7 +5468,9 @@ void ata_qc_issue(struct ata_queued_cmd *qc) + return; + } + +- ap->ops->qc_prep(qc); ++ qc->err_mask |= ap->ops->qc_prep(qc); ++ if (unlikely(qc->err_mask)) ++ goto err; + trace_ata_qc_issue(qc); + qc->err_mask |= ap->ops->qc_issue(qc); + if (unlikely(qc->err_mask)) +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index 4ed682da52ae9..038db94216a91 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -2679,12 +2679,14 @@ static void ata_bmdma_fill_sg_dumb(struct ata_queued_cmd *qc) + * LOCKING: + * spin_lock_irqsave(host lock) + */ +-void ata_bmdma_qc_prep(struct ata_queued_cmd *qc) ++enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc) + { + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + ata_bmdma_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep); + +@@ -2697,12 +2699,14 @@ EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep); + * LOCKING: + * spin_lock_irqsave(host lock) + */ +-void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc) ++enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc) + { + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + ata_bmdma_fill_sg_dumb(qc); ++ ++ return AC_ERR_OK; + } + EXPORT_SYMBOL_GPL(ata_bmdma_dumb_qc_prep); + +diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c +index 57f2ec71cfc34..1bfd0154dad5d 100644 +--- a/drivers/ata/pata_macio.c ++++ b/drivers/ata/pata_macio.c +@@ -510,7 +510,7 @@ static int pata_macio_cable_detect(struct ata_port *ap) + return ATA_CBL_PATA40; + } + +-static void pata_macio_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc) + { + unsigned int write = (qc->tf.flags & ATA_TFLAG_WRITE); + struct ata_port *ap = qc->ap; +@@ -523,7 +523,7 @@ static void pata_macio_qc_prep(struct ata_queued_cmd *qc) + __func__, qc, qc->flags, write, qc->dev->devno); + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + table = (struct dbdma_cmd *) priv->dma_table_cpu; + +@@ -568,6 +568,8 @@ static void pata_macio_qc_prep(struct ata_queued_cmd *qc) + table->command = cpu_to_le16(DBDMA_STOP); + + dev_dbgdma(priv->dev, "%s: %d DMA list entries\n", __func__, pi); ++ ++ return AC_ERR_OK; + } + + +diff --git a/drivers/ata/pata_pxa.c b/drivers/ata/pata_pxa.c +index 4afcb8e63e211..41430f79663c1 100644 +--- a/drivers/ata/pata_pxa.c ++++ b/drivers/ata/pata_pxa.c +@@ -44,25 +44,27 @@ static void pxa_ata_dma_irq(void *d) + /* + * Prepare taskfile for submission. + */ +-static void pxa_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors pxa_qc_prep(struct ata_queued_cmd *qc) + { + struct pata_pxa_data *pd = qc->ap->private_data; + struct dma_async_tx_descriptor *tx; + enum dma_transfer_direction dir; + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + dir = (qc->dma_dir == DMA_TO_DEVICE ? DMA_MEM_TO_DEV : DMA_DEV_TO_MEM); + tx = dmaengine_prep_slave_sg(pd->dma_chan, qc->sg, qc->n_elem, dir, + DMA_PREP_INTERRUPT); + if (!tx) { + ata_dev_err(qc->dev, "prep_slave_sg() failed\n"); +- return; ++ return AC_ERR_OK; + } + tx->callback = pxa_ata_dma_irq; + tx->callback_param = pd; + pd->dma_cookie = dmaengine_submit(tx); ++ ++ return AC_ERR_OK; + } + + /* +diff --git a/drivers/ata/pdc_adma.c b/drivers/ata/pdc_adma.c +index cb490531b62ec..5db55e1e2a61d 100644 +--- a/drivers/ata/pdc_adma.c ++++ b/drivers/ata/pdc_adma.c +@@ -116,7 +116,7 @@ static int adma_ata_init_one(struct pci_dev *pdev, + const struct pci_device_id *ent); + static int adma_port_start(struct ata_port *ap); + static void adma_port_stop(struct ata_port *ap); +-static void adma_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc); + static unsigned int adma_qc_issue(struct ata_queued_cmd *qc); + static int adma_check_atapi_dma(struct ata_queued_cmd *qc); + static void adma_freeze(struct ata_port *ap); +@@ -295,7 +295,7 @@ static int adma_fill_sg(struct ata_queued_cmd *qc) + return i; + } + +-static void adma_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc) + { + struct adma_port_priv *pp = qc->ap->private_data; + u8 *buf = pp->pkt; +@@ -306,7 +306,7 @@ static void adma_qc_prep(struct ata_queued_cmd *qc) + + adma_enter_reg_mode(qc->ap); + if (qc->tf.protocol != ATA_PROT_DMA) +- return; ++ return AC_ERR_OK; + + buf[i++] = 0; /* Response flags */ + buf[i++] = 0; /* reserved */ +@@ -371,6 +371,7 @@ static void adma_qc_prep(struct ata_queued_cmd *qc) + printk("%s\n", obuf); + } + #endif ++ return AC_ERR_OK; + } + + static inline void adma_packet_start(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c +index ca6c706e9c256..d55ee244d6931 100644 +--- a/drivers/ata/sata_fsl.c ++++ b/drivers/ata/sata_fsl.c +@@ -502,7 +502,7 @@ static unsigned int sata_fsl_fill_sg(struct ata_queued_cmd *qc, void *cmd_desc, + return num_prde; + } + +-static void sata_fsl_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct sata_fsl_port_priv *pp = ap->private_data; +@@ -548,6 +548,8 @@ static void sata_fsl_qc_prep(struct ata_queued_cmd *qc) + + VPRINTK("SATA FSL : xx_qc_prep, di = 0x%x, ttl = %d, num_prde = %d\n", + desc_info, ttl_dwords, num_prde); ++ ++ return AC_ERR_OK; + } + + static unsigned int sata_fsl_qc_issue(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_inic162x.c b/drivers/ata/sata_inic162x.c +index 7f99e23bff88c..a6b76cc12a661 100644 +--- a/drivers/ata/sata_inic162x.c ++++ b/drivers/ata/sata_inic162x.c +@@ -478,7 +478,7 @@ static void inic_fill_sg(struct inic_prd *prd, struct ata_queued_cmd *qc) + prd[-1].flags |= PRD_END; + } + +-static void inic_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors inic_qc_prep(struct ata_queued_cmd *qc) + { + struct inic_port_priv *pp = qc->ap->private_data; + struct inic_pkt *pkt = pp->pkt; +@@ -538,6 +538,8 @@ static void inic_qc_prep(struct ata_queued_cmd *qc) + inic_fill_sg(prd, qc); + + pp->cpb_tbl[0] = pp->pkt_dma; ++ ++ return AC_ERR_OK; + } + + static unsigned int inic_qc_issue(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c +index bde695a320973..d7228f8e9297c 100644 +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -592,8 +592,8 @@ static int mv5_scr_write(struct ata_link *link, unsigned int sc_reg_in, u32 val) + static int mv_port_start(struct ata_port *ap); + static void mv_port_stop(struct ata_port *ap); + static int mv_qc_defer(struct ata_queued_cmd *qc); +-static void mv_qc_prep(struct ata_queued_cmd *qc); +-static void mv_qc_prep_iie(struct ata_queued_cmd *qc); ++static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc); + static unsigned int mv_qc_issue(struct ata_queued_cmd *qc); + static int mv_hardreset(struct ata_link *link, unsigned int *class, + unsigned long deadline); +@@ -2031,7 +2031,7 @@ static void mv_rw_multi_errata_sata24(struct ata_queued_cmd *qc) + * LOCKING: + * Inherited from caller. + */ +-static void mv_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct mv_port_priv *pp = ap->private_data; +@@ -2043,15 +2043,15 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + switch (tf->protocol) { + case ATA_PROT_DMA: + if (tf->command == ATA_CMD_DSM) +- return; ++ return AC_ERR_OK; + /* fall-thru */ + case ATA_PROT_NCQ: + break; /* continue below */ + case ATA_PROT_PIO: + mv_rw_multi_errata_sata24(qc); +- return; ++ return AC_ERR_OK; + default: +- return; ++ return AC_ERR_OK; + } + + /* Fill in command request block +@@ -2098,12 +2098,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + * non-NCQ mode are: [RW] STREAM DMA and W DMA FUA EXT, none + * of which are defined/used by Linux. If we get here, this + * driver needs work. +- * +- * FIXME: modify libata to give qc_prep a return value and +- * return error here. + */ +- BUG_ON(tf->command); +- break; ++ ata_port_err(ap, "%s: unsupported command: %.2x\n", __func__, ++ tf->command); ++ return AC_ERR_INVALID; + } + mv_crqb_pack_cmd(cw++, tf->nsect, ATA_REG_NSECT, 0); + mv_crqb_pack_cmd(cw++, tf->hob_lbal, ATA_REG_LBAL, 0); +@@ -2116,8 +2114,10 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + mv_crqb_pack_cmd(cw++, tf->command, ATA_REG_CMD, 1); /* last */ + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + mv_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + /** +@@ -2132,7 +2132,7 @@ static void mv_qc_prep(struct ata_queued_cmd *qc) + * LOCKING: + * Inherited from caller. + */ +-static void mv_qc_prep_iie(struct ata_queued_cmd *qc) ++static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct mv_port_priv *pp = ap->private_data; +@@ -2143,9 +2143,9 @@ static void mv_qc_prep_iie(struct ata_queued_cmd *qc) + + if ((tf->protocol != ATA_PROT_DMA) && + (tf->protocol != ATA_PROT_NCQ)) +- return; ++ return AC_ERR_OK; + if (tf->command == ATA_CMD_DSM) +- return; /* use bmdma for this */ ++ return AC_ERR_OK; /* use bmdma for this */ + + /* Fill in Gen IIE command request block */ + if (!(tf->flags & ATA_TFLAG_WRITE)) +@@ -2186,8 +2186,10 @@ static void mv_qc_prep_iie(struct ata_queued_cmd *qc) + ); + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + mv_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + /** +diff --git a/drivers/ata/sata_nv.c b/drivers/ata/sata_nv.c +index 7510303111fa0..18b147c182b96 100644 +--- a/drivers/ata/sata_nv.c ++++ b/drivers/ata/sata_nv.c +@@ -297,7 +297,7 @@ static void nv_ck804_freeze(struct ata_port *ap); + static void nv_ck804_thaw(struct ata_port *ap); + static int nv_adma_slave_config(struct scsi_device *sdev); + static int nv_adma_check_atapi_dma(struct ata_queued_cmd *qc); +-static void nv_adma_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc); + static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc); + static irqreturn_t nv_adma_interrupt(int irq, void *dev_instance); + static void nv_adma_irq_clear(struct ata_port *ap); +@@ -319,7 +319,7 @@ static void nv_mcp55_freeze(struct ata_port *ap); + static void nv_swncq_error_handler(struct ata_port *ap); + static int nv_swncq_slave_config(struct scsi_device *sdev); + static int nv_swncq_port_start(struct ata_port *ap); +-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc); + static void nv_swncq_fill_sg(struct ata_queued_cmd *qc); + static unsigned int nv_swncq_qc_issue(struct ata_queued_cmd *qc); + static void nv_swncq_irq_clear(struct ata_port *ap, u16 fis); +@@ -1344,7 +1344,7 @@ static int nv_adma_use_reg_mode(struct ata_queued_cmd *qc) + return 1; + } + +-static void nv_adma_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc) + { + struct nv_adma_port_priv *pp = qc->ap->private_data; + struct nv_adma_cpb *cpb = &pp->cpb[qc->hw_tag]; +@@ -1356,7 +1356,7 @@ static void nv_adma_qc_prep(struct ata_queued_cmd *qc) + (qc->flags & ATA_QCFLAG_DMAMAP)); + nv_adma_register_mode(qc->ap); + ata_bmdma_qc_prep(qc); +- return; ++ return AC_ERR_OK; + } + + cpb->resp_flags = NV_CPB_RESP_DONE; +@@ -1388,6 +1388,8 @@ static void nv_adma_qc_prep(struct ata_queued_cmd *qc) + cpb->ctl_flags = ctl_flags; + wmb(); + cpb->resp_flags = 0; ++ ++ return AC_ERR_OK; + } + + static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc) +@@ -1950,17 +1952,19 @@ static int nv_swncq_port_start(struct ata_port *ap) + return 0; + } + +-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc) + { + if (qc->tf.protocol != ATA_PROT_NCQ) { + ata_bmdma_qc_prep(qc); +- return; ++ return AC_ERR_OK; + } + + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + nv_swncq_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + static void nv_swncq_fill_sg(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_promise.c b/drivers/ata/sata_promise.c +index 5fd464765ddcb..c451d7d1c817a 100644 +--- a/drivers/ata/sata_promise.c ++++ b/drivers/ata/sata_promise.c +@@ -139,7 +139,7 @@ static int pdc_sata_scr_write(struct ata_link *link, unsigned int sc_reg, u32 va + static int pdc_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); + static int pdc_common_port_start(struct ata_port *ap); + static int pdc_sata_port_start(struct ata_port *ap); +-static void pdc_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc); + static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf); + static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf); + static int pdc_check_atapi_dma(struct ata_queued_cmd *qc); +@@ -633,7 +633,7 @@ static void pdc_fill_sg(struct ata_queued_cmd *qc) + prd[idx - 1].flags_len |= cpu_to_le32(ATA_PRD_EOT); + } + +-static void pdc_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc) + { + struct pdc_port_priv *pp = qc->ap->private_data; + unsigned int i; +@@ -665,6 +665,8 @@ static void pdc_qc_prep(struct ata_queued_cmd *qc) + default: + break; + } ++ ++ return AC_ERR_OK; + } + + static int pdc_is_sataii_tx4(unsigned long flags) +diff --git a/drivers/ata/sata_qstor.c b/drivers/ata/sata_qstor.c +index c53c5a47204db..ef00ab644afb7 100644 +--- a/drivers/ata/sata_qstor.c ++++ b/drivers/ata/sata_qstor.c +@@ -100,7 +100,7 @@ static int qs_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val); + static int qs_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent); + static int qs_port_start(struct ata_port *ap); + static void qs_host_stop(struct ata_host *host); +-static void qs_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc); + static unsigned int qs_qc_issue(struct ata_queued_cmd *qc); + static int qs_check_atapi_dma(struct ata_queued_cmd *qc); + static void qs_freeze(struct ata_port *ap); +@@ -260,7 +260,7 @@ static unsigned int qs_fill_sg(struct ata_queued_cmd *qc) + return si; + } + +-static void qs_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc) + { + struct qs_port_priv *pp = qc->ap->private_data; + u8 dflags = QS_DF_PORD, *buf = pp->pkt; +@@ -272,7 +272,7 @@ static void qs_qc_prep(struct ata_queued_cmd *qc) + + qs_enter_reg_mode(qc->ap); + if (qc->tf.protocol != ATA_PROT_DMA) +- return; ++ return AC_ERR_OK; + + nelem = qs_fill_sg(qc); + +@@ -295,6 +295,8 @@ static void qs_qc_prep(struct ata_queued_cmd *qc) + + /* frame information structure (FIS) */ + ata_tf_to_fis(&qc->tf, 0, 1, &buf[32]); ++ ++ return AC_ERR_OK; + } + + static inline void qs_packet_start(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c +index c35b7b993133e..141ac600b64c8 100644 +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -550,12 +550,14 @@ static void sata_rcar_bmdma_fill_sg(struct ata_queued_cmd *qc) + prd[si - 1].addr |= cpu_to_le32(SATA_RCAR_DTEND); + } + +-static void sata_rcar_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors sata_rcar_qc_prep(struct ata_queued_cmd *qc) + { + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + sata_rcar_bmdma_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + static void sata_rcar_bmdma_setup(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c +index e6fbae2f645ac..75321f1ceba52 100644 +--- a/drivers/ata/sata_sil.c ++++ b/drivers/ata/sata_sil.c +@@ -103,7 +103,7 @@ static void sil_dev_config(struct ata_device *dev); + static int sil_scr_read(struct ata_link *link, unsigned int sc_reg, u32 *val); + static int sil_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val); + static int sil_set_mode(struct ata_link *link, struct ata_device **r_failed); +-static void sil_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc); + static void sil_bmdma_setup(struct ata_queued_cmd *qc); + static void sil_bmdma_start(struct ata_queued_cmd *qc); + static void sil_bmdma_stop(struct ata_queued_cmd *qc); +@@ -317,12 +317,14 @@ static void sil_fill_sg(struct ata_queued_cmd *qc) + last_prd->flags_len |= cpu_to_le32(ATA_PRD_EOT); + } + +-static void sil_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc) + { + if (!(qc->flags & ATA_QCFLAG_DMAMAP)) +- return; ++ return AC_ERR_OK; + + sil_fill_sg(qc); ++ ++ return AC_ERR_OK; + } + + static unsigned char sil_get_device_cache_line(struct pci_dev *pdev) +diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c +index 7bef82de53ca9..560070d4f1d09 100644 +--- a/drivers/ata/sata_sil24.c ++++ b/drivers/ata/sata_sil24.c +@@ -326,7 +326,7 @@ static void sil24_dev_config(struct ata_device *dev); + static int sil24_scr_read(struct ata_link *link, unsigned sc_reg, u32 *val); + static int sil24_scr_write(struct ata_link *link, unsigned sc_reg, u32 val); + static int sil24_qc_defer(struct ata_queued_cmd *qc); +-static void sil24_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc); + static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc); + static bool sil24_qc_fill_rtf(struct ata_queued_cmd *qc); + static void sil24_pmp_attach(struct ata_port *ap); +@@ -830,7 +830,7 @@ static int sil24_qc_defer(struct ata_queued_cmd *qc) + return ata_std_qc_defer(qc); + } + +-static void sil24_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc) + { + struct ata_port *ap = qc->ap; + struct sil24_port_priv *pp = ap->private_data; +@@ -874,6 +874,8 @@ static void sil24_qc_prep(struct ata_queued_cmd *qc) + + if (qc->flags & ATA_QCFLAG_DMAMAP) + sil24_fill_sg(qc, sge); ++ ++ return AC_ERR_OK; + } + + static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc) +diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c +index 2277ba0c9c7f4..2c7b30c5ea3dd 100644 +--- a/drivers/ata/sata_sx4.c ++++ b/drivers/ata/sata_sx4.c +@@ -202,7 +202,7 @@ static void pdc_error_handler(struct ata_port *ap); + static void pdc_freeze(struct ata_port *ap); + static void pdc_thaw(struct ata_port *ap); + static int pdc_port_start(struct ata_port *ap); +-static void pdc20621_qc_prep(struct ata_queued_cmd *qc); ++static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc); + static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf); + static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf); + static unsigned int pdc20621_dimm_init(struct ata_host *host); +@@ -530,7 +530,7 @@ static void pdc20621_nodata_prep(struct ata_queued_cmd *qc) + VPRINTK("ata pkt buf ofs %u, mmio copied\n", i); + } + +-static void pdc20621_qc_prep(struct ata_queued_cmd *qc) ++static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc) + { + switch (qc->tf.protocol) { + case ATA_PROT_DMA: +@@ -542,6 +542,8 @@ static void pdc20621_qc_prep(struct ata_queued_cmd *qc) + default: + break; + } ++ ++ return AC_ERR_OK; + } + + static void __pdc20621_push_hdma(struct ata_queued_cmd *qc, +diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c +index 9d0d65efcd94e..bedaebd5a4956 100644 +--- a/drivers/atm/eni.c ++++ b/drivers/atm/eni.c +@@ -2245,7 +2245,7 @@ static int eni_init_one(struct pci_dev *pci_dev, + + rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32)); + if (rc < 0) +- goto out; ++ goto err_disable; + + rc = -ENOMEM; + eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL); +diff --git a/drivers/base/arch_topology.c b/drivers/base/arch_topology.c +index 1eb81f113786f..83e26fd188cc9 100644 +--- a/drivers/base/arch_topology.c ++++ b/drivers/base/arch_topology.c +@@ -270,7 +270,7 @@ static int __init get_cpu_for_node(struct device_node *node) + static int __init parse_core(struct device_node *core, int package_id, + int core_id) + { +- char name[10]; ++ char name[20]; + bool leaf = true; + int i = 0; + int cpu; +@@ -317,7 +317,7 @@ static int __init parse_core(struct device_node *core, int package_id, + + static int __init parse_cluster(struct device_node *cluster, int depth) + { +- char name[10]; ++ char name[20]; + bool leaf = true; + bool has_cores = false; + struct device_node *c; +diff --git a/drivers/base/regmap/internal.h b/drivers/base/regmap/internal.h +index 3d80c4b43f720..d7c01b70e43db 100644 +--- a/drivers/base/regmap/internal.h ++++ b/drivers/base/regmap/internal.h +@@ -259,7 +259,7 @@ bool regcache_set_val(struct regmap *map, void *base, unsigned int idx, + int regcache_lookup_reg(struct regmap *map, unsigned int reg); + + int _regmap_raw_write(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len); ++ const void *val, size_t val_len, bool noinc); + + void regmap_async_complete_cb(struct regmap_async *async, int ret); + +diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c +index a93cafd7be4f2..7f4b3b62492ca 100644 +--- a/drivers/base/regmap/regcache.c ++++ b/drivers/base/regmap/regcache.c +@@ -717,7 +717,7 @@ static int regcache_sync_block_raw_flush(struct regmap *map, const void **data, + + map->cache_bypass = true; + +- ret = _regmap_raw_write(map, base, *data, count * val_bytes); ++ ret = _regmap_raw_write(map, base, *data, count * val_bytes, false); + if (ret) + dev_err(map->dev, "Unable to sync registers %#x-%#x. %d\n", + base, cur - map->reg_stride, ret); +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 927ebde1607be..e0893f1b14522 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1468,7 +1468,7 @@ static void regmap_set_work_buf_flag_mask(struct regmap *map, int max_bytes, + } + + static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len) ++ const void *val, size_t val_len, bool noinc) + { + struct regmap_range_node *range; + unsigned long flags; +@@ -1527,7 +1527,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + win_residue, val_len / map->format.val_bytes); + ret = _regmap_raw_write_impl(map, reg, val, + win_residue * +- map->format.val_bytes); ++ map->format.val_bytes, noinc); + if (ret != 0) + return ret; + +@@ -1541,7 +1541,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + win_residue = range->window_len - win_offset; + } + +- ret = _regmap_select_page(map, ®, range, val_num); ++ ret = _regmap_select_page(map, ®, range, noinc ? 1 : val_num); + if (ret != 0) + return ret; + } +@@ -1749,7 +1749,8 @@ static int _regmap_bus_raw_write(void *context, unsigned int reg, + map->work_buf + + map->format.reg_bytes + + map->format.pad_bytes, +- map->format.val_bytes); ++ map->format.val_bytes, ++ false); + } + + static inline void *_regmap_map_get_context(struct regmap *map) +@@ -1843,7 +1844,7 @@ int regmap_write_async(struct regmap *map, unsigned int reg, unsigned int val) + EXPORT_SYMBOL_GPL(regmap_write_async); + + int _regmap_raw_write(struct regmap *map, unsigned int reg, +- const void *val, size_t val_len) ++ const void *val, size_t val_len, bool noinc) + { + size_t val_bytes = map->format.val_bytes; + size_t val_count = val_len / val_bytes; +@@ -1864,7 +1865,7 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg, + + /* Write as many bytes as possible with chunk_size */ + for (i = 0; i < chunk_count; i++) { +- ret = _regmap_raw_write_impl(map, reg, val, chunk_bytes); ++ ret = _regmap_raw_write_impl(map, reg, val, chunk_bytes, noinc); + if (ret) + return ret; + +@@ -1875,7 +1876,7 @@ int _regmap_raw_write(struct regmap *map, unsigned int reg, + + /* Write remaining bytes */ + if (val_len) +- ret = _regmap_raw_write_impl(map, reg, val, val_len); ++ ret = _regmap_raw_write_impl(map, reg, val, val_len, noinc); + + return ret; + } +@@ -1908,7 +1909,7 @@ int regmap_raw_write(struct regmap *map, unsigned int reg, + + map->lock(map->lock_arg); + +- ret = _regmap_raw_write(map, reg, val, val_len); ++ ret = _regmap_raw_write(map, reg, val, val_len, false); + + map->unlock(map->lock_arg); + +@@ -1966,7 +1967,7 @@ int regmap_noinc_write(struct regmap *map, unsigned int reg, + write_len = map->max_raw_write; + else + write_len = val_len; +- ret = _regmap_raw_write(map, reg, val, write_len); ++ ret = _regmap_raw_write(map, reg, val, write_len, true); + if (ret) + goto out_unlock; + val = ((u8 *)val) + write_len; +@@ -2443,7 +2444,7 @@ int regmap_raw_write_async(struct regmap *map, unsigned int reg, + + map->async = true; + +- ret = _regmap_raw_write(map, reg, val, val_len); ++ ret = _regmap_raw_write(map, reg, val, val_len, false); + + map->async = false; + +@@ -2454,7 +2455,7 @@ int regmap_raw_write_async(struct regmap *map, unsigned int reg, + EXPORT_SYMBOL_GPL(regmap_raw_write_async); + + static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val, +- unsigned int val_len) ++ unsigned int val_len, bool noinc) + { + struct regmap_range_node *range; + int ret; +@@ -2467,7 +2468,7 @@ static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + range = _regmap_range_lookup(map, reg); + if (range) { + ret = _regmap_select_page(map, ®, range, +- val_len / map->format.val_bytes); ++ noinc ? 1 : val_len / map->format.val_bytes); + if (ret != 0) + return ret; + } +@@ -2505,7 +2506,7 @@ static int _regmap_bus_read(void *context, unsigned int reg, + if (!map->format.parse_val) + return -EINVAL; + +- ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes); ++ ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes, false); + if (ret == 0) + *val = map->format.parse_val(work_val); + +@@ -2621,7 +2622,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + + /* Read bytes that fit into whole chunks */ + for (i = 0; i < chunk_count; i++) { +- ret = _regmap_raw_read(map, reg, val, chunk_bytes); ++ ret = _regmap_raw_read(map, reg, val, chunk_bytes, false); + if (ret != 0) + goto out; + +@@ -2632,7 +2633,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val, + + /* Read remaining bytes */ + if (val_len) { +- ret = _regmap_raw_read(map, reg, val, val_len); ++ ret = _regmap_raw_read(map, reg, val, val_len, false); + if (ret != 0) + goto out; + } +@@ -2707,7 +2708,7 @@ int regmap_noinc_read(struct regmap *map, unsigned int reg, + read_len = map->max_raw_read; + else + read_len = val_len; +- ret = _regmap_raw_read(map, reg, val, read_len); ++ ret = _regmap_raw_read(map, reg, val, read_len, true); + if (ret) + goto out_unlock; + val = ((u8 *)val) + read_len; +diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c +index bf3c02be69305..0dfaf90a31b06 100644 +--- a/drivers/bluetooth/btrtl.c ++++ b/drivers/bluetooth/btrtl.c +@@ -370,11 +370,11 @@ static int rtlbt_parse_firmware(struct hci_dev *hdev, + * the end. + */ + len = patch_length; +- buf = kmemdup(btrtl_dev->fw_data + patch_offset, patch_length, +- GFP_KERNEL); ++ buf = kvmalloc(patch_length, GFP_KERNEL); + if (!buf) + return -ENOMEM; + ++ memcpy(buf, btrtl_dev->fw_data + patch_offset, patch_length - 4); + memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4); + + *_buf = buf; +@@ -460,8 +460,10 @@ static int rtl_load_file(struct hci_dev *hdev, const char *name, u8 **buff) + if (ret < 0) + return ret; + ret = fw->size; +- *buff = kmemdup(fw->data, ret, GFP_KERNEL); +- if (!*buff) ++ *buff = kvmalloc(fw->size, GFP_KERNEL); ++ if (*buff) ++ memcpy(*buff, fw->data, ret); ++ else + ret = -ENOMEM; + + release_firmware(fw); +@@ -499,14 +501,14 @@ static int btrtl_setup_rtl8723b(struct hci_dev *hdev, + goto out; + + if (btrtl_dev->cfg_len > 0) { +- tbuff = kzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL); ++ tbuff = kvzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL); + if (!tbuff) { + ret = -ENOMEM; + goto out; + } + + memcpy(tbuff, fw_data, ret); +- kfree(fw_data); ++ kvfree(fw_data); + + memcpy(tbuff + ret, btrtl_dev->cfg_data, btrtl_dev->cfg_len); + ret += btrtl_dev->cfg_len; +@@ -519,14 +521,14 @@ static int btrtl_setup_rtl8723b(struct hci_dev *hdev, + ret = rtl_download_firmware(hdev, fw_data, ret); + + out: +- kfree(fw_data); ++ kvfree(fw_data); + return ret; + } + + void btrtl_free(struct btrtl_device_info *btrtl_dev) + { +- kfree(btrtl_dev->fw_data); +- kfree(btrtl_dev->cfg_data); ++ kvfree(btrtl_dev->fw_data); ++ kvfree(btrtl_dev->cfg_data); + kfree(btrtl_dev); + } + EXPORT_SYMBOL_GPL(btrtl_free); +diff --git a/drivers/bus/hisi_lpc.c b/drivers/bus/hisi_lpc.c +index 20c957185af20..2e9252d37a18f 100644 +--- a/drivers/bus/hisi_lpc.c ++++ b/drivers/bus/hisi_lpc.c +@@ -358,6 +358,26 @@ static int hisi_lpc_acpi_xlat_io_res(struct acpi_device *adev, + return 0; + } + ++/* ++ * Released firmware describes the IO port max address as 0x3fff, which is ++ * the max host bus address. Fixup to a proper range. This will probably ++ * never be fixed in firmware. ++ */ ++static void hisi_lpc_acpi_fixup_child_resource(struct device *hostdev, ++ struct resource *r) ++{ ++ if (r->end != 0x3fff) ++ return; ++ ++ if (r->start == 0xe4) ++ r->end = 0xe4 + 0x04 - 1; ++ else if (r->start == 0x2f8) ++ r->end = 0x2f8 + 0x08 - 1; ++ else ++ dev_warn(hostdev, "unrecognised resource %pR to fixup, ignoring\n", ++ r); ++} ++ + /* + * hisi_lpc_acpi_set_io_res - set the resources for a child + * @child: the device node to be updated the I/O resource +@@ -419,8 +439,11 @@ static int hisi_lpc_acpi_set_io_res(struct device *child, + return -ENOMEM; + } + count = 0; +- list_for_each_entry(rentry, &resource_list, node) +- resources[count++] = *rentry->res; ++ list_for_each_entry(rentry, &resource_list, node) { ++ resources[count] = *rentry->res; ++ hisi_lpc_acpi_fixup_child_resource(hostdev, &resources[count]); ++ count++; ++ } + + acpi_dev_free_resource_list(&resource_list); + +diff --git a/drivers/char/ipmi/bt-bmc.c b/drivers/char/ipmi/bt-bmc.c +index 40b9927c072c9..89a8faa9b6cfa 100644 +--- a/drivers/char/ipmi/bt-bmc.c ++++ b/drivers/char/ipmi/bt-bmc.c +@@ -399,15 +399,15 @@ static int bt_bmc_config_irq(struct bt_bmc *bt_bmc, + struct device *dev = &pdev->dev; + int rc; + +- bt_bmc->irq = platform_get_irq(pdev, 0); +- if (!bt_bmc->irq) +- return -ENODEV; ++ bt_bmc->irq = platform_get_irq_optional(pdev, 0); ++ if (bt_bmc->irq < 0) ++ return bt_bmc->irq; + + rc = devm_request_irq(dev, bt_bmc->irq, bt_bmc_irq, IRQF_SHARED, + DEVICE_NAME, bt_bmc); + if (rc < 0) { + dev_warn(dev, "Unable to request IRQ %d\n", bt_bmc->irq); +- bt_bmc->irq = 0; ++ bt_bmc->irq = rc; + return rc; + } + +@@ -479,7 +479,7 @@ static int bt_bmc_probe(struct platform_device *pdev) + + bt_bmc_config_irq(bt_bmc, pdev); + +- if (bt_bmc->irq) { ++ if (bt_bmc->irq >= 0) { + dev_info(dev, "Using IRQ %d\n", bt_bmc->irq); + } else { + dev_info(dev, "No IRQ; using timer\n"); +@@ -505,7 +505,7 @@ static int bt_bmc_remove(struct platform_device *pdev) + struct bt_bmc *bt_bmc = dev_get_drvdata(&pdev->dev); + + misc_deregister(&bt_bmc->miscdev); +- if (!bt_bmc->irq) ++ if (bt_bmc->irq < 0) + del_timer_sync(&bt_bmc->poll_timer); + return 0; + } +diff --git a/drivers/char/random.c b/drivers/char/random.c +index e877c20e0ee02..75a8f7f572697 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1223,14 +1223,14 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num) + * We take into account the first, second and third-order deltas + * in order to make our estimate. + */ +- delta = sample.jiffies - state->last_time; +- state->last_time = sample.jiffies; ++ delta = sample.jiffies - READ_ONCE(state->last_time); ++ WRITE_ONCE(state->last_time, sample.jiffies); + +- delta2 = delta - state->last_delta; +- state->last_delta = delta; ++ delta2 = delta - READ_ONCE(state->last_delta); ++ WRITE_ONCE(state->last_delta, delta); + +- delta3 = delta2 - state->last_delta2; +- state->last_delta2 = delta2; ++ delta3 = delta2 - READ_ONCE(state->last_delta2); ++ WRITE_ONCE(state->last_delta2, delta2); + + if (delta < 0) + delta = -delta; +diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c +index 6d81bb3bb503f..896a3550fba9f 100644 +--- a/drivers/char/tlclk.c ++++ b/drivers/char/tlclk.c +@@ -777,17 +777,21 @@ static int __init tlclk_init(void) + { + int ret; + ++ telclk_interrupt = (inb(TLCLK_REG7) & 0x0f); ++ ++ alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); ++ if (!alarm_events) { ++ ret = -ENOMEM; ++ goto out1; ++ } ++ + ret = register_chrdev(tlclk_major, "telco_clock", &tlclk_fops); + if (ret < 0) { + printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major); ++ kfree(alarm_events); + return ret; + } + tlclk_major = ret; +- alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL); +- if (!alarm_events) { +- ret = -ENOMEM; +- goto out1; +- } + + /* Read telecom clock IRQ number (Set by BIOS) */ + if (!request_region(TLCLK_BASE, 8, "telco_clock")) { +@@ -796,7 +800,6 @@ static int __init tlclk_init(void) + ret = -EBUSY; + goto out2; + } +- telclk_interrupt = (inb(TLCLK_REG7) & 0x0f); + + if (0x0F == telclk_interrupt ) { /* not MCPBL0010 ? */ + printk(KERN_ERR "telclk_interrupt = 0x%x non-mcpbl0010 hw.\n", +@@ -837,8 +840,8 @@ out3: + release_region(TLCLK_BASE, 8); + out2: + kfree(alarm_events); +-out1: + unregister_chrdev(tlclk_major, "telco_clock"); ++out1: + return ret; + } + +diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c +index e59f1f91d7f3e..a9dcf31eadd21 100644 +--- a/drivers/char/tpm/tpm_crb.c ++++ b/drivers/char/tpm/tpm_crb.c +@@ -22,6 +22,7 @@ + #include "tpm.h" + + #define ACPI_SIG_TPM2 "TPM2" ++#define TPM_CRB_MAX_RESOURCES 3 + + static const guid_t crb_acpi_start_guid = + GUID_INIT(0x6BBF6CAB, 0x5463, 0x4714, +@@ -91,7 +92,6 @@ enum crb_status { + struct crb_priv { + u32 sm; + const char *hid; +- void __iomem *iobase; + struct crb_regs_head __iomem *regs_h; + struct crb_regs_tail __iomem *regs_t; + u8 __iomem *cmd; +@@ -434,21 +434,27 @@ static const struct tpm_class_ops tpm_crb = { + + static int crb_check_resource(struct acpi_resource *ares, void *data) + { +- struct resource *io_res = data; ++ struct resource *iores_array = data; + struct resource_win win; + struct resource *res = &(win.res); ++ int i; + + if (acpi_dev_resource_memory(ares, res) || + acpi_dev_resource_address_space(ares, &win)) { +- *io_res = *res; +- io_res->name = NULL; ++ for (i = 0; i < TPM_CRB_MAX_RESOURCES + 1; ++i) { ++ if (resource_type(iores_array + i) != IORESOURCE_MEM) { ++ iores_array[i] = *res; ++ iores_array[i].name = NULL; ++ break; ++ } ++ } + } + + return 1; + } + +-static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv, +- struct resource *io_res, u64 start, u32 size) ++static void __iomem *crb_map_res(struct device *dev, struct resource *iores, ++ void __iomem **iobase_ptr, u64 start, u32 size) + { + struct resource new_res = { + .start = start, +@@ -460,10 +466,16 @@ static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv, + if (start != new_res.start) + return (void __iomem *) ERR_PTR(-EINVAL); + +- if (!resource_contains(io_res, &new_res)) ++ if (!iores) + return devm_ioremap_resource(dev, &new_res); + +- return priv->iobase + (new_res.start - io_res->start); ++ if (!*iobase_ptr) { ++ *iobase_ptr = devm_ioremap_resource(dev, iores); ++ if (IS_ERR(*iobase_ptr)) ++ return *iobase_ptr; ++ } ++ ++ return *iobase_ptr + (new_res.start - iores->start); + } + + /* +@@ -490,9 +502,13 @@ static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res, + static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, + struct acpi_table_tpm2 *buf) + { +- struct list_head resources; +- struct resource io_res; ++ struct list_head acpi_resource_list; ++ struct resource iores_array[TPM_CRB_MAX_RESOURCES + 1] = { {0} }; ++ void __iomem *iobase_array[TPM_CRB_MAX_RESOURCES] = {NULL}; + struct device *dev = &device->dev; ++ struct resource *iores; ++ void __iomem **iobase_ptr; ++ int i; + u32 pa_high, pa_low; + u64 cmd_pa; + u32 cmd_size; +@@ -501,21 +517,41 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, + u32 rsp_size; + int ret; + +- INIT_LIST_HEAD(&resources); +- ret = acpi_dev_get_resources(device, &resources, crb_check_resource, +- &io_res); ++ INIT_LIST_HEAD(&acpi_resource_list); ++ ret = acpi_dev_get_resources(device, &acpi_resource_list, ++ crb_check_resource, iores_array); + if (ret < 0) + return ret; +- acpi_dev_free_resource_list(&resources); ++ acpi_dev_free_resource_list(&acpi_resource_list); + +- if (resource_type(&io_res) != IORESOURCE_MEM) { ++ if (resource_type(iores_array) != IORESOURCE_MEM) { + dev_err(dev, FW_BUG "TPM2 ACPI table does not define a memory resource\n"); + return -EINVAL; ++ } else if (resource_type(iores_array + TPM_CRB_MAX_RESOURCES) == ++ IORESOURCE_MEM) { ++ dev_warn(dev, "TPM2 ACPI table defines too many memory resources\n"); ++ memset(iores_array + TPM_CRB_MAX_RESOURCES, ++ 0, sizeof(*iores_array)); ++ iores_array[TPM_CRB_MAX_RESOURCES].flags = 0; + } + +- priv->iobase = devm_ioremap_resource(dev, &io_res); +- if (IS_ERR(priv->iobase)) +- return PTR_ERR(priv->iobase); ++ iores = NULL; ++ iobase_ptr = NULL; ++ for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) { ++ if (buf->control_address >= iores_array[i].start && ++ buf->control_address + sizeof(struct crb_regs_tail) - 1 <= ++ iores_array[i].end) { ++ iores = iores_array + i; ++ iobase_ptr = iobase_array + i; ++ break; ++ } ++ } ++ ++ priv->regs_t = crb_map_res(dev, iores, iobase_ptr, buf->control_address, ++ sizeof(struct crb_regs_tail)); ++ ++ if (IS_ERR(priv->regs_t)) ++ return PTR_ERR(priv->regs_t); + + /* The ACPI IO region starts at the head area and continues to include + * the control area, as one nice sane region except for some older +@@ -523,9 +559,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, + */ + if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) || + (priv->sm == ACPI_TPM2_MEMORY_MAPPED)) { +- if (buf->control_address == io_res.start + ++ if (iores && ++ buf->control_address == iores->start + + sizeof(*priv->regs_h)) +- priv->regs_h = priv->iobase; ++ priv->regs_h = *iobase_ptr; + else + dev_warn(dev, FW_BUG "Bad ACPI memory layout"); + } +@@ -534,13 +571,6 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, + if (ret) + return ret; + +- priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address, +- sizeof(struct crb_regs_tail)); +- if (IS_ERR(priv->regs_t)) { +- ret = PTR_ERR(priv->regs_t); +- goto out_relinquish_locality; +- } +- + /* + * PTT HW bug w/a: wake up the device to access + * possibly not retained registers. +@@ -552,13 +582,26 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, + pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high); + pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low); + cmd_pa = ((u64)pa_high << 32) | pa_low; +- cmd_size = crb_fixup_cmd_size(dev, &io_res, cmd_pa, +- ioread32(&priv->regs_t->ctrl_cmd_size)); ++ cmd_size = ioread32(&priv->regs_t->ctrl_cmd_size); ++ ++ iores = NULL; ++ iobase_ptr = NULL; ++ for (i = 0; iores_array[i].end; ++i) { ++ if (cmd_pa >= iores_array[i].start && ++ cmd_pa <= iores_array[i].end) { ++ iores = iores_array + i; ++ iobase_ptr = iobase_array + i; ++ break; ++ } ++ } ++ ++ if (iores) ++ cmd_size = crb_fixup_cmd_size(dev, iores, cmd_pa, cmd_size); + + dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n", + pa_high, pa_low, cmd_size); + +- priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size); ++ priv->cmd = crb_map_res(dev, iores, iobase_ptr, cmd_pa, cmd_size); + if (IS_ERR(priv->cmd)) { + ret = PTR_ERR(priv->cmd); + goto out; +@@ -566,11 +609,25 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv, + + memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8); + rsp_pa = le64_to_cpu(__rsp_pa); +- rsp_size = crb_fixup_cmd_size(dev, &io_res, rsp_pa, +- ioread32(&priv->regs_t->ctrl_rsp_size)); ++ rsp_size = ioread32(&priv->regs_t->ctrl_rsp_size); ++ ++ iores = NULL; ++ iobase_ptr = NULL; ++ for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) { ++ if (rsp_pa >= iores_array[i].start && ++ rsp_pa <= iores_array[i].end) { ++ iores = iores_array + i; ++ iobase_ptr = iobase_array + i; ++ break; ++ } ++ } ++ ++ if (iores) ++ rsp_size = crb_fixup_cmd_size(dev, iores, rsp_pa, rsp_size); + + if (cmd_pa != rsp_pa) { +- priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size); ++ priv->rsp = crb_map_res(dev, iores, iobase_ptr, ++ rsp_pa, rsp_size); + ret = PTR_ERR_OR_ZERO(priv->rsp); + goto out; + } +diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c +index e82013d587b46..64428dbed9928 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.c ++++ b/drivers/char/tpm/tpm_ibmvtpm.c +@@ -581,6 +581,7 @@ static irqreturn_t ibmvtpm_interrupt(int irq, void *vtpm_instance) + */ + while ((crq = ibmvtpm_crq_get_next(ibmvtpm)) != NULL) { + ibmvtpm_crq_process(crq, ibmvtpm); ++ wake_up_interruptible(&ibmvtpm->crq_queue.wq); + crq->valid = 0; + smp_wmb(); + } +@@ -628,6 +629,7 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, + } + + crq_q->num_entry = CRQ_RES_BUF_SIZE / sizeof(*crq_q->crq_addr); ++ init_waitqueue_head(&crq_q->wq); + ibmvtpm->crq_dma_handle = dma_map_single(dev, crq_q->crq_addr, + CRQ_RES_BUF_SIZE, + DMA_BIDIRECTIONAL); +@@ -680,6 +682,13 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev, + if (rc) + goto init_irq_cleanup; + ++ if (!wait_event_timeout(ibmvtpm->crq_queue.wq, ++ ibmvtpm->rtce_buf != NULL, ++ HZ)) { ++ dev_err(dev, "CRQ response timed out\n"); ++ goto init_irq_cleanup; ++ } ++ + return tpm_chip_register(chip); + init_irq_cleanup: + do { +diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h +index 7983f1a33267e..b92aa7d3e93e7 100644 +--- a/drivers/char/tpm/tpm_ibmvtpm.h ++++ b/drivers/char/tpm/tpm_ibmvtpm.h +@@ -26,6 +26,7 @@ struct ibmvtpm_crq_queue { + struct ibmvtpm_crq *crq_addr; + u32 index; + u32 num_entry; ++ wait_queue_head_t wq; + }; + + struct ibmvtpm_dev { +diff --git a/drivers/clk/imx/clk-pfdv2.c b/drivers/clk/imx/clk-pfdv2.c +index a03bbed662c6b..2a46b9b61b466 100644 +--- a/drivers/clk/imx/clk-pfdv2.c ++++ b/drivers/clk/imx/clk-pfdv2.c +@@ -139,6 +139,12 @@ static int clk_pfdv2_set_rate(struct clk_hw *hw, unsigned long rate, + u32 val; + u8 frac; + ++ if (!rate) ++ return -EINVAL; ++ ++ /* PFD can NOT change rate without gating */ ++ WARN_ON(clk_pfdv2_is_enabled(hw)); ++ + tmp = tmp * 18 + rate / 2; + do_div(tmp, rate); + frac = tmp; +diff --git a/drivers/clk/socfpga/clk-pll-s10.c b/drivers/clk/socfpga/clk-pll-s10.c +index 4705eb544f01b..8d7b1d0c46643 100644 +--- a/drivers/clk/socfpga/clk-pll-s10.c ++++ b/drivers/clk/socfpga/clk-pll-s10.c +@@ -39,7 +39,9 @@ static unsigned long clk_pll_recalc_rate(struct clk_hw *hwclk, + /* read VCO1 reg for numerator and denominator */ + reg = readl(socfpgaclk->hw.reg); + refdiv = (reg & SOCFPGA_PLL_REFDIV_MASK) >> SOCFPGA_PLL_REFDIV_SHIFT; +- vco_freq = (unsigned long long)parent_rate / refdiv; ++ ++ vco_freq = parent_rate; ++ do_div(vco_freq, refdiv); + + /* Read mdiv and fdiv from the fdbck register */ + reg = readl(socfpgaclk->hw.reg + 0x4); +diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c +index fdfb90058504c..bb2f2836dab22 100644 +--- a/drivers/clk/ti/adpll.c ++++ b/drivers/clk/ti/adpll.c +@@ -194,15 +194,8 @@ static const char *ti_adpll_clk_get_name(struct ti_adpll_data *d, + if (err) + return NULL; + } else { +- const char *base_name = "adpll"; +- char *buf; +- +- buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 + +- strlen(postfix), GFP_KERNEL); +- if (!buf) +- return NULL; +- sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix); +- name = buf; ++ name = devm_kasprintf(d->dev, GFP_KERNEL, "%08lx.adpll.%s", ++ d->pa, postfix); + } + + return name; +diff --git a/drivers/clocksource/h8300_timer8.c b/drivers/clocksource/h8300_timer8.c +index 1d740a8c42ab3..47114c2a7cb54 100644 +--- a/drivers/clocksource/h8300_timer8.c ++++ b/drivers/clocksource/h8300_timer8.c +@@ -169,7 +169,7 @@ static int __init h8300_8timer_init(struct device_node *node) + return PTR_ERR(clk); + } + +- ret = ENXIO; ++ ret = -ENXIO; + base = of_iomap(node, 0); + if (!base) { + pr_err("failed to map registers for clockevent\n"); +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index 1806b1da43665..3a2f022f6bde2 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -902,6 +902,7 @@ static struct notifier_block powernv_cpufreq_reboot_nb = { + void powernv_cpufreq_work_fn(struct work_struct *work) + { + struct chip *chip = container_of(work, struct chip, throttle); ++ struct cpufreq_policy *policy; + unsigned int cpu; + cpumask_t mask; + +@@ -916,12 +917,14 @@ void powernv_cpufreq_work_fn(struct work_struct *work) + chip->restore = false; + for_each_cpu(cpu, &mask) { + int index; +- struct cpufreq_policy policy; + +- cpufreq_get_policy(&policy, cpu); +- index = cpufreq_table_find_index_c(&policy, policy.cur); +- powernv_cpufreq_target_index(&policy, index); +- cpumask_andnot(&mask, &mask, policy.cpus); ++ policy = cpufreq_cpu_get(cpu); ++ if (!policy) ++ continue; ++ index = cpufreq_table_find_index_c(policy, policy->cur); ++ powernv_cpufreq_target_index(policy, index); ++ cpumask_andnot(&mask, &mask, policy->cpus); ++ cpufreq_cpu_put(policy); + } + out: + put_online_cpus(); +diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c +index fe2eadc0ce83d..2d30ed5a2674b 100644 +--- a/drivers/crypto/chelsio/chcr_algo.c ++++ b/drivers/crypto/chelsio/chcr_algo.c +@@ -2480,8 +2480,9 @@ int chcr_aead_dma_map(struct device *dev, + else + reqctx->b0_dma = 0; + if (req->src == req->dst) { +- error = dma_map_sg(dev, req->src, sg_nents(req->src), +- DMA_BIDIRECTIONAL); ++ error = dma_map_sg(dev, req->src, ++ sg_nents_for_len(req->src, dst_size), ++ DMA_BIDIRECTIONAL); + if (!error) + goto err; + } else { +diff --git a/drivers/crypto/chelsio/chtls/chtls_io.c b/drivers/crypto/chelsio/chtls/chtls_io.c +index ce1f1d5d7cd5a..c403d6b64e087 100644 +--- a/drivers/crypto/chelsio/chtls/chtls_io.c ++++ b/drivers/crypto/chelsio/chtls/chtls_io.c +@@ -1437,7 +1437,7 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + csk->wr_max_credits)) + sk->sk_write_space(sk); + +- if (copied >= target && !sk->sk_backlog.tail) ++ if (copied >= target && !READ_ONCE(sk->sk_backlog.tail)) + break; + + if (copied) { +@@ -1470,7 +1470,7 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + break; + } + } +- if (sk->sk_backlog.tail) { ++ if (READ_ONCE(sk->sk_backlog.tail)) { + release_sock(sk); + lock_sock(sk); + chtls_cleanup_rbuf(sk, copied); +@@ -1615,7 +1615,7 @@ static int peekmsg(struct sock *sk, struct msghdr *msg, + break; + } + +- if (sk->sk_backlog.tail) { ++ if (READ_ONCE(sk->sk_backlog.tail)) { + /* Do not sleep, just process backlog. */ + release_sock(sk); + lock_sock(sk); +@@ -1743,7 +1743,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + csk->wr_max_credits)) + sk->sk_write_space(sk); + +- if (copied >= target && !sk->sk_backlog.tail) ++ if (copied >= target && !READ_ONCE(sk->sk_backlog.tail)) + break; + + if (copied) { +@@ -1774,7 +1774,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + } + } + +- if (sk->sk_backlog.tail) { ++ if (READ_ONCE(sk->sk_backlog.tail)) { + release_sock(sk); + lock_sock(sk); + chtls_cleanup_rbuf(sk, copied); +diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c +index 8fafbeab510a8..eccdda1f7b71b 100644 +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -227,7 +227,7 @@ static void dax_region_unregister(void *region) + + struct dax_region *alloc_dax_region(struct device *parent, int region_id, + struct resource *res, int target_node, unsigned int align, +- unsigned long pfn_flags) ++ unsigned long long pfn_flags) + { + struct dax_region *dax_region; + +diff --git a/drivers/dax/bus.h b/drivers/dax/bus.h +index 8619e32999436..9e4eba67e8b98 100644 +--- a/drivers/dax/bus.h ++++ b/drivers/dax/bus.h +@@ -11,7 +11,7 @@ struct dax_region; + void dax_region_put(struct dax_region *dax_region); + struct dax_region *alloc_dax_region(struct device *parent, int region_id, + struct resource *res, int target_node, unsigned int align, +- unsigned long flags); ++ unsigned long long flags); + + enum dev_dax_subsys { + DEV_DAX_BUS, +diff --git a/drivers/dax/dax-private.h b/drivers/dax/dax-private.h +index 6ccca3b890d6f..3107ce80e8090 100644 +--- a/drivers/dax/dax-private.h ++++ b/drivers/dax/dax-private.h +@@ -32,7 +32,7 @@ struct dax_region { + struct device *dev; + unsigned int align; + struct resource res; +- unsigned long pfn_flags; ++ unsigned long long pfn_flags; + }; + + /** +diff --git a/drivers/devfreq/tegra30-devfreq.c b/drivers/devfreq/tegra30-devfreq.c +index a6ba75f4106d8..e273011c83fbd 100644 +--- a/drivers/devfreq/tegra30-devfreq.c ++++ b/drivers/devfreq/tegra30-devfreq.c +@@ -68,6 +68,8 @@ + + #define KHZ 1000 + ++#define KHZ_MAX (ULONG_MAX / KHZ) ++ + /* Assume that the bus is saturated if the utilization is 25% */ + #define BUS_SATURATION_RATIO 25 + +@@ -169,7 +171,7 @@ struct tegra_actmon_emc_ratio { + }; + + static struct tegra_actmon_emc_ratio actmon_emc_ratios[] = { +- { 1400000, ULONG_MAX }, ++ { 1400000, KHZ_MAX }, + { 1200000, 750000 }, + { 1100000, 600000 }, + { 1000000, 500000 }, +diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c +index eba7e3fe769cf..f6df6ef1b0fbe 100644 +--- a/drivers/dma-buf/dma-buf.c ++++ b/drivers/dma-buf/dma-buf.c +@@ -59,6 +59,8 @@ static void dma_buf_release(struct dentry *dentry) + struct dma_buf *dmabuf; + + dmabuf = dentry->d_fsdata; ++ if (unlikely(!dmabuf)) ++ return; + + BUG_ON(dmabuf->vmapping_counter); + +diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c +index 2c136aee3e794..052a41e2451c1 100644 +--- a/drivers/dma-buf/dma-fence.c ++++ b/drivers/dma-buf/dma-fence.c +@@ -273,6 +273,30 @@ void dma_fence_free(struct dma_fence *fence) + } + EXPORT_SYMBOL(dma_fence_free); + ++static bool __dma_fence_enable_signaling(struct dma_fence *fence) ++{ ++ bool was_set; ++ ++ lockdep_assert_held(fence->lock); ++ ++ was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT, ++ &fence->flags); ++ ++ if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) ++ return false; ++ ++ if (!was_set && fence->ops->enable_signaling) { ++ trace_dma_fence_enable_signal(fence); ++ ++ if (!fence->ops->enable_signaling(fence)) { ++ dma_fence_signal_locked(fence); ++ return false; ++ } ++ } ++ ++ return true; ++} ++ + /** + * dma_fence_enable_sw_signaling - enable signaling on fence + * @fence: the fence to enable +@@ -285,19 +309,12 @@ void dma_fence_enable_sw_signaling(struct dma_fence *fence) + { + unsigned long flags; + +- if (!test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT, +- &fence->flags) && +- !test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags) && +- fence->ops->enable_signaling) { +- trace_dma_fence_enable_signal(fence); +- +- spin_lock_irqsave(fence->lock, flags); +- +- if (!fence->ops->enable_signaling(fence)) +- dma_fence_signal_locked(fence); ++ if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) ++ return; + +- spin_unlock_irqrestore(fence->lock, flags); +- } ++ spin_lock_irqsave(fence->lock, flags); ++ __dma_fence_enable_signaling(fence); ++ spin_unlock_irqrestore(fence->lock, flags); + } + EXPORT_SYMBOL(dma_fence_enable_sw_signaling); + +@@ -331,7 +348,6 @@ int dma_fence_add_callback(struct dma_fence *fence, struct dma_fence_cb *cb, + { + unsigned long flags; + int ret = 0; +- bool was_set; + + if (WARN_ON(!fence || !func)) + return -EINVAL; +@@ -343,25 +359,14 @@ int dma_fence_add_callback(struct dma_fence *fence, struct dma_fence_cb *cb, + + spin_lock_irqsave(fence->lock, flags); + +- was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT, +- &fence->flags); +- +- if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) +- ret = -ENOENT; +- else if (!was_set && fence->ops->enable_signaling) { +- trace_dma_fence_enable_signal(fence); +- +- if (!fence->ops->enable_signaling(fence)) { +- dma_fence_signal_locked(fence); +- ret = -ENOENT; +- } +- } +- +- if (!ret) { ++ if (__dma_fence_enable_signaling(fence)) { + cb->func = func; + list_add_tail(&cb->node, &fence->cb_list); +- } else ++ } else { + INIT_LIST_HEAD(&cb->node); ++ ret = -ENOENT; ++ } ++ + spin_unlock_irqrestore(fence->lock, flags); + + return ret; +@@ -461,7 +466,6 @@ dma_fence_default_wait(struct dma_fence *fence, bool intr, signed long timeout) + struct default_wait_cb cb; + unsigned long flags; + signed long ret = timeout ? timeout : 1; +- bool was_set; + + if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) + return ret; +@@ -473,21 +477,9 @@ dma_fence_default_wait(struct dma_fence *fence, bool intr, signed long timeout) + goto out; + } + +- was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT, +- &fence->flags); +- +- if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) ++ if (!__dma_fence_enable_signaling(fence)) + goto out; + +- if (!was_set && fence->ops->enable_signaling) { +- trace_dma_fence_enable_signal(fence); +- +- if (!fence->ops->enable_signaling(fence)) { +- dma_fence_signal_locked(fence); +- goto out; +- } +- } +- + if (!timeout) { + ret = 0; + goto out; +diff --git a/drivers/dma/mediatek/mtk-hsdma.c b/drivers/dma/mediatek/mtk-hsdma.c +index 1a2028e1c29e9..4c58da7421432 100644 +--- a/drivers/dma/mediatek/mtk-hsdma.c ++++ b/drivers/dma/mediatek/mtk-hsdma.c +@@ -997,7 +997,7 @@ static int mtk_hsdma_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, + "request_irq failed with err %d\n", err); +- goto err_unregister; ++ goto err_free; + } + + platform_set_drvdata(pdev, hsdma); +@@ -1006,6 +1006,8 @@ static int mtk_hsdma_probe(struct platform_device *pdev) + + return 0; + ++err_free: ++ of_dma_controller_free(pdev->dev.of_node); + err_unregister: + dma_async_device_unregister(dd); + +diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c +index 5989b08935211..6c5771de32c67 100644 +--- a/drivers/dma/stm32-dma.c ++++ b/drivers/dma/stm32-dma.c +@@ -488,8 +488,10 @@ static int stm32_dma_terminate_all(struct dma_chan *c) + + spin_lock_irqsave(&chan->vchan.lock, flags); + +- if (chan->busy) { +- stm32_dma_stop(chan); ++ if (chan->desc) { ++ vchan_terminate_vdesc(&chan->desc->vdesc); ++ if (chan->busy) ++ stm32_dma_stop(chan); + chan->desc = NULL; + } + +@@ -545,6 +547,8 @@ static void stm32_dma_start_transfer(struct stm32_dma_chan *chan) + if (!vdesc) + return; + ++ list_del(&vdesc->node); ++ + chan->desc = to_stm32_dma_desc(vdesc); + chan->next_sg = 0; + } +@@ -622,7 +626,6 @@ static void stm32_dma_handle_chan_done(struct stm32_dma_chan *chan) + } else { + chan->busy = false; + if (chan->next_sg == chan->desc->num_sgs) { +- list_del(&chan->desc->vdesc.node); + vchan_cookie_complete(&chan->desc->vdesc); + chan->desc = NULL; + } +diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c +index 5838311cf9900..ee1cbf3be75d5 100644 +--- a/drivers/dma/stm32-mdma.c ++++ b/drivers/dma/stm32-mdma.c +@@ -1127,6 +1127,8 @@ static void stm32_mdma_start_transfer(struct stm32_mdma_chan *chan) + return; + } + ++ list_del(&vdesc->node); ++ + chan->desc = to_stm32_mdma_desc(vdesc); + hwdesc = chan->desc->node[0].hwdesc; + chan->curr_hwdesc = 0; +@@ -1242,8 +1244,10 @@ static int stm32_mdma_terminate_all(struct dma_chan *c) + LIST_HEAD(head); + + spin_lock_irqsave(&chan->vchan.lock, flags); +- if (chan->busy) { +- stm32_mdma_stop(chan); ++ if (chan->desc) { ++ vchan_terminate_vdesc(&chan->desc->vdesc); ++ if (chan->busy) ++ stm32_mdma_stop(chan); + chan->desc = NULL; + } + vchan_get_all_descriptors(&chan->vchan, &head); +@@ -1331,7 +1335,6 @@ static enum dma_status stm32_mdma_tx_status(struct dma_chan *c, + + static void stm32_mdma_xfer_end(struct stm32_mdma_chan *chan) + { +- list_del(&chan->desc->vdesc.node); + vchan_cookie_complete(&chan->desc->vdesc); + chan->desc = NULL; + chan->busy = false; +diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c +index 4a750e29bfb53..3fe27dbde5b2b 100644 +--- a/drivers/dma/tegra20-apb-dma.c ++++ b/drivers/dma/tegra20-apb-dma.c +@@ -1287,8 +1287,7 @@ static void tegra_dma_free_chan_resources(struct dma_chan *dc) + + dev_dbg(tdc2dev(tdc), "Freeing channel %d\n", tdc->id); + +- if (tdc->busy) +- tegra_dma_terminate_all(dc); ++ tegra_dma_terminate_all(dc); + + spin_lock_irqsave(&tdc->lock, flags); + list_splice_init(&tdc->pending_sg_req, &sg_req_list); +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c +index 9c845c07b107c..d47749a35863f 100644 +--- a/drivers/dma/xilinx/zynqmp_dma.c ++++ b/drivers/dma/xilinx/zynqmp_dma.c +@@ -123,10 +123,12 @@ + /* Max transfer size per descriptor */ + #define ZYNQMP_DMA_MAX_TRANS_LEN 0x40000000 + ++/* Max burst lengths */ ++#define ZYNQMP_DMA_MAX_DST_BURST_LEN 32768U ++#define ZYNQMP_DMA_MAX_SRC_BURST_LEN 32768U ++ + /* Reset values for data attributes */ + #define ZYNQMP_DMA_AXCACHE_VAL 0xF +-#define ZYNQMP_DMA_ARLEN_RST_VAL 0xF +-#define ZYNQMP_DMA_AWLEN_RST_VAL 0xF + + #define ZYNQMP_DMA_SRC_ISSUE_RST_VAL 0x1F + +@@ -534,17 +536,19 @@ static void zynqmp_dma_handle_ovfl_int(struct zynqmp_dma_chan *chan, u32 status) + + static void zynqmp_dma_config(struct zynqmp_dma_chan *chan) + { +- u32 val; ++ u32 val, burst_val; + + val = readl(chan->regs + ZYNQMP_DMA_CTRL0); + val |= ZYNQMP_DMA_POINT_TYPE_SG; + writel(val, chan->regs + ZYNQMP_DMA_CTRL0); + + val = readl(chan->regs + ZYNQMP_DMA_DATA_ATTR); ++ burst_val = __ilog2_u32(chan->src_burst_len); + val = (val & ~ZYNQMP_DMA_ARLEN) | +- (chan->src_burst_len << ZYNQMP_DMA_ARLEN_OFST); ++ ((burst_val << ZYNQMP_DMA_ARLEN_OFST) & ZYNQMP_DMA_ARLEN); ++ burst_val = __ilog2_u32(chan->dst_burst_len); + val = (val & ~ZYNQMP_DMA_AWLEN) | +- (chan->dst_burst_len << ZYNQMP_DMA_AWLEN_OFST); ++ ((burst_val << ZYNQMP_DMA_AWLEN_OFST) & ZYNQMP_DMA_AWLEN); + writel(val, chan->regs + ZYNQMP_DMA_DATA_ATTR); + } + +@@ -560,8 +564,10 @@ static int zynqmp_dma_device_config(struct dma_chan *dchan, + { + struct zynqmp_dma_chan *chan = to_chan(dchan); + +- chan->src_burst_len = config->src_maxburst; +- chan->dst_burst_len = config->dst_maxburst; ++ chan->src_burst_len = clamp(config->src_maxburst, 1U, ++ ZYNQMP_DMA_MAX_SRC_BURST_LEN); ++ chan->dst_burst_len = clamp(config->dst_maxburst, 1U, ++ ZYNQMP_DMA_MAX_DST_BURST_LEN); + + return 0; + } +@@ -887,8 +893,8 @@ static int zynqmp_dma_chan_probe(struct zynqmp_dma_device *zdev, + return PTR_ERR(chan->regs); + + chan->bus_width = ZYNQMP_DMA_BUS_WIDTH_64; +- chan->dst_burst_len = ZYNQMP_DMA_AWLEN_RST_VAL; +- chan->src_burst_len = ZYNQMP_DMA_ARLEN_RST_VAL; ++ chan->dst_burst_len = ZYNQMP_DMA_MAX_DST_BURST_LEN; ++ chan->src_burst_len = ZYNQMP_DMA_MAX_SRC_BURST_LEN; + err = of_property_read_u32(node, "xlnx,bus-width", &chan->bus_width); + if (err < 0) { + dev_err(&pdev->dev, "missing xlnx,bus-width property\n"); +diff --git a/drivers/edac/ghes_edac.c b/drivers/edac/ghes_edac.c +index 523dd56a798c9..0031819402d0c 100644 +--- a/drivers/edac/ghes_edac.c ++++ b/drivers/edac/ghes_edac.c +@@ -488,6 +488,7 @@ int ghes_edac_register(struct ghes *ghes, struct device *dev) + if (!force_load && idx < 0) + return -ENODEV; + } else { ++ force_load = true; + idx = 0; + } + +@@ -586,6 +587,9 @@ void ghes_edac_unregister(struct ghes *ghes) + struct mem_ctl_info *mci; + unsigned long flags; + ++ if (!force_load) ++ return; ++ + mutex_lock(&ghes_reg_mutex); + + if (!refcount_dec_and_test(&ghes_refcount)) +diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c +index eb2df89d4924f..e497785cd99fe 100644 +--- a/drivers/firmware/arm_sdei.c ++++ b/drivers/firmware/arm_sdei.c +@@ -412,14 +412,19 @@ int sdei_event_enable(u32 event_num) + return -ENOENT; + } + +- spin_lock(&sdei_list_lock); +- event->reenable = true; +- spin_unlock(&sdei_list_lock); + ++ cpus_read_lock(); + if (event->type == SDEI_EVENT_TYPE_SHARED) + err = sdei_api_event_enable(event->event_num); + else + err = sdei_do_cross_call(_local_event_enable, event); ++ ++ if (!err) { ++ spin_lock(&sdei_list_lock); ++ event->reenable = true; ++ spin_unlock(&sdei_list_lock); ++ } ++ cpus_read_unlock(); + mutex_unlock(&sdei_events_lock); + + return err; +@@ -621,21 +626,18 @@ int sdei_event_register(u32 event_num, sdei_event_callback *cb, void *arg) + break; + } + +- spin_lock(&sdei_list_lock); +- event->reregister = true; +- spin_unlock(&sdei_list_lock); +- ++ cpus_read_lock(); + err = _sdei_event_register(event); + if (err) { +- spin_lock(&sdei_list_lock); +- event->reregister = false; +- event->reenable = false; +- spin_unlock(&sdei_list_lock); +- + sdei_event_destroy(event); + pr_warn("Failed to register event %u: %d\n", event_num, + err); ++ } else { ++ spin_lock(&sdei_list_lock); ++ event->reregister = true; ++ spin_unlock(&sdei_list_lock); + } ++ cpus_read_unlock(); + } while (0); + mutex_unlock(&sdei_events_lock); + +diff --git a/drivers/gpio/gpio-rcar.c b/drivers/gpio/gpio-rcar.c +index 187984d26f47a..f0b6c68e848e3 100644 +--- a/drivers/gpio/gpio-rcar.c ++++ b/drivers/gpio/gpio-rcar.c +@@ -250,8 +250,10 @@ static int gpio_rcar_request(struct gpio_chip *chip, unsigned offset) + int error; + + error = pm_runtime_get_sync(p->dev); +- if (error < 0) ++ if (error < 0) { ++ pm_runtime_put(p->dev); + return error; ++ } + + error = pinctrl_gpio_request(chip->base + offset); + if (error) +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v10.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v10.c +index d10f483f5e273..ce30d4e8bf25f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v10.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v10.c +@@ -644,6 +644,9 @@ static int kgd_hqd_destroy(struct kgd_dev *kgd, void *mqd, + uint32_t temp; + struct v10_compute_mqd *m = get_mqd(mqd); + ++ if (amdgpu_sriov_vf(adev) && adev->in_gpu_reset) ++ return 0; ++ + #if 0 + unsigned long flags; + int retry; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v9.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v9.c +index e262f2ac07a35..92754cfb98086 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v9.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v9.c +@@ -540,6 +540,9 @@ int kgd_gfx_v9_hqd_destroy(struct kgd_dev *kgd, void *mqd, + uint32_t temp; + struct v9_mqd *m = get_mqd(mqd); + ++ if (amdgpu_sriov_vf(adev) && adev->in_gpu_reset) ++ return 0; ++ + if (adev->in_gpu_reset) + return -EIO; + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +index edb561baf8b90..f3fa271e3394c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -1247,15 +1247,15 @@ int amdgpu_amdkfd_gpuvm_free_memory_of_gpu( + * be freed anyway + */ + +- /* No more MMU notifiers */ +- amdgpu_mn_unregister(mem->bo); +- + /* Make sure restore workers don't access the BO any more */ + bo_list_entry = &mem->validate_list; + mutex_lock(&process_info->lock); + list_del(&bo_list_entry->head); + mutex_unlock(&process_info->lock); + ++ /* No more MMU notifiers */ ++ amdgpu_mn_unregister(mem->bo); ++ + ret = reserve_bo_and_cond_vms(mem, NULL, BO_VM_ALL, &ctx); + if (unlikely(ret)) + return ret; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c +index 50dff69a0f6e3..b1172d93c99c3 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c +@@ -192,30 +192,35 @@ static bool amdgpu_read_bios_from_rom(struct amdgpu_device *adev) + + static bool amdgpu_read_platform_bios(struct amdgpu_device *adev) + { +- uint8_t __iomem *bios; +- size_t size; ++ phys_addr_t rom = adev->pdev->rom; ++ size_t romlen = adev->pdev->romlen; ++ void __iomem *bios; + + adev->bios = NULL; + +- bios = pci_platform_rom(adev->pdev, &size); +- if (!bios) { ++ if (!rom || romlen == 0) + return false; +- } + +- adev->bios = kzalloc(size, GFP_KERNEL); +- if (adev->bios == NULL) ++ adev->bios = kzalloc(romlen, GFP_KERNEL); ++ if (!adev->bios) + return false; + +- memcpy_fromio(adev->bios, bios, size); ++ bios = ioremap(rom, romlen); ++ if (!bios) ++ goto free_bios; + +- if (!check_atom_bios(adev->bios, size)) { +- kfree(adev->bios); +- return false; +- } ++ memcpy_fromio(adev->bios, bios, romlen); ++ iounmap(bios); + +- adev->bios_size = size; ++ if (!check_atom_bios(adev->bios, romlen)) ++ goto free_bios; ++ ++ adev->bios_size = romlen; + + return true; ++free_bios: ++ kfree(adev->bios); ++ return false; + } + + #ifdef CONFIG_ACPI +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 5e1dce4241547..4105fbf571674 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3466,6 +3466,8 @@ static int amdgpu_device_reset_sriov(struct amdgpu_device *adev, + if (r) + return r; + ++ amdgpu_amdkfd_pre_reset(adev); ++ + /* Resume IP prior to SMC */ + r = amdgpu_device_ip_reinit_early_sriov(adev); + if (r) +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_rlc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_rlc.c +index c8793e6cc3c5d..6373bfb47d55d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_rlc.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_rlc.c +@@ -124,13 +124,12 @@ int amdgpu_gfx_rlc_init_sr(struct amdgpu_device *adev, u32 dws) + */ + int amdgpu_gfx_rlc_init_csb(struct amdgpu_device *adev) + { +- volatile u32 *dst_ptr; + u32 dws; + int r; + + /* allocate clear state block */ + adev->gfx.rlc.clear_state_size = dws = adev->gfx.rlc.funcs->get_csb_size(adev); +- r = amdgpu_bo_create_reserved(adev, dws * 4, PAGE_SIZE, ++ r = amdgpu_bo_create_kernel(adev, dws * 4, PAGE_SIZE, + AMDGPU_GEM_DOMAIN_VRAM, + &adev->gfx.rlc.clear_state_obj, + &adev->gfx.rlc.clear_state_gpu_addr, +@@ -141,13 +140,6 @@ int amdgpu_gfx_rlc_init_csb(struct amdgpu_device *adev) + return r; + } + +- /* set up the cs buffer */ +- dst_ptr = adev->gfx.rlc.cs_ptr; +- adev->gfx.rlc.funcs->get_csb_buffer(adev, dst_ptr); +- amdgpu_bo_kunmap(adev->gfx.rlc.clear_state_obj); +- amdgpu_bo_unpin(adev->gfx.rlc.clear_state_obj); +- amdgpu_bo_unreserve(adev->gfx.rlc.clear_state_obj); +- + return 0; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c +index dd30f4e61a8cd..cae426c7c0863 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atom.c ++++ b/drivers/gpu/drm/amd/amdgpu/atom.c +@@ -744,8 +744,8 @@ static void atom_op_jump(atom_exec_context *ctx, int *ptr, int arg) + cjiffies = jiffies; + if (time_after(cjiffies, ctx->last_jump_jiffies)) { + cjiffies -= ctx->last_jump_jiffies; +- if ((jiffies_to_msecs(cjiffies) > 5000)) { +- DRM_ERROR("atombios stuck in loop for more than 5secs aborting\n"); ++ if ((jiffies_to_msecs(cjiffies) > 10000)) { ++ DRM_ERROR("atombios stuck in loop for more than 10secs aborting\n"); + ctx->abort = true; + } + } else { +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +index 19876c90be0e1..d17edc850427a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -993,39 +993,6 @@ static int gfx_v10_0_rlc_init(struct amdgpu_device *adev) + return 0; + } + +-static int gfx_v10_0_csb_vram_pin(struct amdgpu_device *adev) +-{ +- int r; +- +- r = amdgpu_bo_reserve(adev->gfx.rlc.clear_state_obj, false); +- if (unlikely(r != 0)) +- return r; +- +- r = amdgpu_bo_pin(adev->gfx.rlc.clear_state_obj, +- AMDGPU_GEM_DOMAIN_VRAM); +- if (!r) +- adev->gfx.rlc.clear_state_gpu_addr = +- amdgpu_bo_gpu_offset(adev->gfx.rlc.clear_state_obj); +- +- amdgpu_bo_unreserve(adev->gfx.rlc.clear_state_obj); +- +- return r; +-} +- +-static void gfx_v10_0_csb_vram_unpin(struct amdgpu_device *adev) +-{ +- int r; +- +- if (!adev->gfx.rlc.clear_state_obj) +- return; +- +- r = amdgpu_bo_reserve(adev->gfx.rlc.clear_state_obj, true); +- if (likely(r == 0)) { +- amdgpu_bo_unpin(adev->gfx.rlc.clear_state_obj); +- amdgpu_bo_unreserve(adev->gfx.rlc.clear_state_obj); +- } +-} +- + static void gfx_v10_0_mec_fini(struct amdgpu_device *adev) + { + amdgpu_bo_free_kernel(&adev->gfx.mec.hpd_eop_obj, NULL, NULL); +@@ -1787,25 +1754,7 @@ static void gfx_v10_0_enable_gui_idle_interrupt(struct amdgpu_device *adev, + + static int gfx_v10_0_init_csb(struct amdgpu_device *adev) + { +- int r; +- +- if (adev->in_gpu_reset) { +- r = amdgpu_bo_reserve(adev->gfx.rlc.clear_state_obj, false); +- if (r) +- return r; +- +- r = amdgpu_bo_kmap(adev->gfx.rlc.clear_state_obj, +- (void **)&adev->gfx.rlc.cs_ptr); +- if (!r) { +- adev->gfx.rlc.funcs->get_csb_buffer(adev, +- adev->gfx.rlc.cs_ptr); +- amdgpu_bo_kunmap(adev->gfx.rlc.clear_state_obj); +- } +- +- amdgpu_bo_unreserve(adev->gfx.rlc.clear_state_obj); +- if (r) +- return r; +- } ++ adev->gfx.rlc.funcs->get_csb_buffer(adev, adev->gfx.rlc.cs_ptr); + + /* csib */ + WREG32_SOC15(GC, 0, mmRLC_CSIB_ADDR_HI, +@@ -3774,10 +3723,6 @@ static int gfx_v10_0_hw_init(void *handle) + int r; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + +- r = gfx_v10_0_csb_vram_pin(adev); +- if (r) +- return r; +- + if (!amdgpu_emu_mode) + gfx_v10_0_init_golden_registers(adev); + +@@ -3865,7 +3810,6 @@ static int gfx_v10_0_hw_fini(void *handle) + } + gfx_v10_0_cp_enable(adev, false); + gfx_v10_0_enable_gui_idle_interrupt(adev, false); +- gfx_v10_0_csb_vram_unpin(adev); + + return 0; + } +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c +index 791ba398f007e..d92e92e5d50b7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c +@@ -4554,6 +4554,8 @@ static int gfx_v7_0_hw_init(void *handle) + + gfx_v7_0_constants_init(adev); + ++ /* init CSB */ ++ adev->gfx.rlc.funcs->get_csb_buffer(adev, adev->gfx.rlc.cs_ptr); + /* init rlc */ + r = adev->gfx.rlc.funcs->resume(adev); + if (r) +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +index cc88ba76a8d4a..467ed7fca884d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +@@ -1321,39 +1321,6 @@ static int gfx_v8_0_rlc_init(struct amdgpu_device *adev) + return 0; + } + +-static int gfx_v8_0_csb_vram_pin(struct amdgpu_device *adev) +-{ +- int r; +- +- r = amdgpu_bo_reserve(adev->gfx.rlc.clear_state_obj, false); +- if (unlikely(r != 0)) +- return r; +- +- r = amdgpu_bo_pin(adev->gfx.rlc.clear_state_obj, +- AMDGPU_GEM_DOMAIN_VRAM); +- if (!r) +- adev->gfx.rlc.clear_state_gpu_addr = +- amdgpu_bo_gpu_offset(adev->gfx.rlc.clear_state_obj); +- +- amdgpu_bo_unreserve(adev->gfx.rlc.clear_state_obj); +- +- return r; +-} +- +-static void gfx_v8_0_csb_vram_unpin(struct amdgpu_device *adev) +-{ +- int r; +- +- if (!adev->gfx.rlc.clear_state_obj) +- return; +- +- r = amdgpu_bo_reserve(adev->gfx.rlc.clear_state_obj, true); +- if (likely(r == 0)) { +- amdgpu_bo_unpin(adev->gfx.rlc.clear_state_obj); +- amdgpu_bo_unreserve(adev->gfx.rlc.clear_state_obj); +- } +-} +- + static void gfx_v8_0_mec_fini(struct amdgpu_device *adev) + { + amdgpu_bo_free_kernel(&adev->gfx.mec.hpd_eop_obj, NULL, NULL); +@@ -3917,6 +3884,7 @@ static void gfx_v8_0_enable_gui_idle_interrupt(struct amdgpu_device *adev, + + static void gfx_v8_0_init_csb(struct amdgpu_device *adev) + { ++ adev->gfx.rlc.funcs->get_csb_buffer(adev, adev->gfx.rlc.cs_ptr); + /* csib */ + WREG32(mmRLC_CSIB_ADDR_HI, + adev->gfx.rlc.clear_state_gpu_addr >> 32); +@@ -4837,10 +4805,6 @@ static int gfx_v8_0_hw_init(void *handle) + gfx_v8_0_init_golden_registers(adev); + gfx_v8_0_constants_init(adev); + +- r = gfx_v8_0_csb_vram_pin(adev); +- if (r) +- return r; +- + r = adev->gfx.rlc.funcs->resume(adev); + if (r) + return r; +@@ -4958,8 +4922,6 @@ static int gfx_v8_0_hw_fini(void *handle) + pr_err("rlc is busy, skip halt rlc\n"); + amdgpu_gfx_rlc_exit_safe_mode(adev); + +- gfx_v8_0_csb_vram_unpin(adev); +- + return 0; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index 6004fdacc8663..90dcc7afc9c43 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1675,39 +1675,6 @@ static int gfx_v9_0_rlc_init(struct amdgpu_device *adev) + return 0; + } + +-static int gfx_v9_0_csb_vram_pin(struct amdgpu_device *adev) +-{ +- int r; +- +- r = amdgpu_bo_reserve(adev->gfx.rlc.clear_state_obj, false); +- if (unlikely(r != 0)) +- return r; +- +- r = amdgpu_bo_pin(adev->gfx.rlc.clear_state_obj, +- AMDGPU_GEM_DOMAIN_VRAM); +- if (!r) +- adev->gfx.rlc.clear_state_gpu_addr = +- amdgpu_bo_gpu_offset(adev->gfx.rlc.clear_state_obj); +- +- amdgpu_bo_unreserve(adev->gfx.rlc.clear_state_obj); +- +- return r; +-} +- +-static void gfx_v9_0_csb_vram_unpin(struct amdgpu_device *adev) +-{ +- int r; +- +- if (!adev->gfx.rlc.clear_state_obj) +- return; +- +- r = amdgpu_bo_reserve(adev->gfx.rlc.clear_state_obj, true); +- if (likely(r == 0)) { +- amdgpu_bo_unpin(adev->gfx.rlc.clear_state_obj); +- amdgpu_bo_unreserve(adev->gfx.rlc.clear_state_obj); +- } +-} +- + static void gfx_v9_0_mec_fini(struct amdgpu_device *adev) + { + amdgpu_bo_free_kernel(&adev->gfx.mec.hpd_eop_obj, NULL, NULL); +@@ -2596,6 +2563,7 @@ static void gfx_v9_0_enable_gui_idle_interrupt(struct amdgpu_device *adev, + + static void gfx_v9_0_init_csb(struct amdgpu_device *adev) + { ++ adev->gfx.rlc.funcs->get_csb_buffer(adev, adev->gfx.rlc.cs_ptr); + /* csib */ + WREG32_RLC(SOC15_REG_OFFSET(GC, 0, mmRLC_CSIB_ADDR_HI), + adev->gfx.rlc.clear_state_gpu_addr >> 32); +@@ -3888,10 +3856,6 @@ static int gfx_v9_0_hw_init(void *handle) + + gfx_v9_0_constants_init(adev); + +- r = gfx_v9_0_csb_vram_pin(adev); +- if (r) +- return r; +- + r = adev->gfx.rlc.funcs->resume(adev); + if (r) + return r; +@@ -3977,8 +3941,6 @@ static int gfx_v9_0_hw_fini(void *handle) + gfx_v9_0_cp_enable(adev, false); + adev->gfx.rlc.funcs->stop(adev); + +- gfx_v9_0_csb_vram_unpin(adev); +- + return 0; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c +index 36ad0c0e8efbc..cd2cbe760e883 100644 +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c +@@ -1026,6 +1026,10 @@ static int vcn_v2_0_start_dpg_mode(struct amdgpu_device *adev, bool indirect) + tmp = REG_SET_FIELD(tmp, UVD_RBC_RB_CNTL, RB_RPTR_WR_EN, 1); + WREG32_SOC15(UVD, 0, mmUVD_RBC_RB_CNTL, tmp); + ++ /* Stall DPG before WPTR/RPTR reset */ ++ WREG32_P(SOC15_REG_OFFSET(UVD, 0, mmUVD_POWER_STATUS), ++ UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK, ++ ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); + /* set the write pointer delay */ + WREG32_SOC15(UVD, 0, mmUVD_RBC_RB_WPTR_CNTL, 0); + +@@ -1048,6 +1052,9 @@ static int vcn_v2_0_start_dpg_mode(struct amdgpu_device *adev, bool indirect) + WREG32_SOC15(UVD, 0, mmUVD_RBC_RB_WPTR, + lower_32_bits(ring->wptr)); + ++ /* Unstall DPG */ ++ WREG32_P(SOC15_REG_OFFSET(UVD, 0, mmUVD_POWER_STATUS), ++ 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); + return 0; + } + +@@ -1357,8 +1364,13 @@ static int vcn_v2_0_pause_dpg_mode(struct amdgpu_device *adev, + UVD_DPG_PAUSE__NJ_PAUSE_DPG_ACK_MASK, + UVD_DPG_PAUSE__NJ_PAUSE_DPG_ACK_MASK, ret_code); + ++ /* Stall DPG before WPTR/RPTR reset */ ++ WREG32_P(SOC15_REG_OFFSET(UVD, 0, mmUVD_POWER_STATUS), ++ UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK, ++ ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); + /* Restore */ + ring = &adev->vcn.inst->ring_enc[0]; ++ ring->wptr = 0; + WREG32_SOC15(UVD, 0, mmUVD_RB_BASE_LO, ring->gpu_addr); + WREG32_SOC15(UVD, 0, mmUVD_RB_BASE_HI, upper_32_bits(ring->gpu_addr)); + WREG32_SOC15(UVD, 0, mmUVD_RB_SIZE, ring->ring_size / 4); +@@ -1366,6 +1378,7 @@ static int vcn_v2_0_pause_dpg_mode(struct amdgpu_device *adev, + WREG32_SOC15(UVD, 0, mmUVD_RB_WPTR, lower_32_bits(ring->wptr)); + + ring = &adev->vcn.inst->ring_enc[1]; ++ ring->wptr = 0; + WREG32_SOC15(UVD, 0, mmUVD_RB_BASE_LO2, ring->gpu_addr); + WREG32_SOC15(UVD, 0, mmUVD_RB_BASE_HI2, upper_32_bits(ring->gpu_addr)); + WREG32_SOC15(UVD, 0, mmUVD_RB_SIZE2, ring->ring_size / 4); +@@ -1374,6 +1387,9 @@ static int vcn_v2_0_pause_dpg_mode(struct amdgpu_device *adev, + + WREG32_SOC15(UVD, 0, mmUVD_RBC_RB_WPTR, + RREG32_SOC15(UVD, 0, mmUVD_SCRATCH2) & 0x7FFFFFFF); ++ /* Unstall DPG */ ++ WREG32_P(SOC15_REG_OFFSET(UVD, 0, mmUVD_POWER_STATUS), ++ 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK); + + SOC15_WAIT_ON_RREG(UVD, 0, mmUVD_POWER_STATUS, + UVD_PGFSM_CONFIG__UVDM_UVDU_PWR_ON, +diff --git a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h +index 901fe35901656..d3400da6ab643 100644 +--- a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h ++++ b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h +@@ -905,7 +905,7 @@ static const uint32_t cwsr_trap_gfx10_hex[] = { + 0x7a5d0000, 0x807c817c, + 0x807aff7a, 0x00000080, + 0xbf0a717c, 0xbf85fff8, +- 0xbf820141, 0xbef4037e, ++ 0xbf820142, 0xbef4037e, + 0x8775ff7f, 0x0000ffff, + 0x8875ff75, 0x00040000, + 0xbef60380, 0xbef703ff, +@@ -967,7 +967,7 @@ static const uint32_t cwsr_trap_gfx10_hex[] = { + 0x725d0000, 0xe0304080, + 0x725d0100, 0xe0304100, + 0x725d0200, 0xe0304180, +- 0x725d0300, 0xbf820031, ++ 0x725d0300, 0xbf820032, + 0xbef603ff, 0x01000000, + 0xbef20378, 0x8078ff78, + 0x00000400, 0xbefc0384, +@@ -992,83 +992,84 @@ static const uint32_t cwsr_trap_gfx10_hex[] = { + 0x725d0000, 0xe0304100, + 0x725d0100, 0xe0304200, + 0x725d0200, 0xe0304300, +- 0x725d0300, 0xb9782a05, +- 0x80788178, 0x907c9973, +- 0x877c817c, 0xbf06817c, +- 0xbf850002, 0x8f788978, +- 0xbf820001, 0x8f788a78, +- 0xb9721e06, 0x8f728a72, +- 0x80787278, 0x8078ff78, +- 0x00000200, 0x80f8ff78, +- 0x00000050, 0xbef603ff, +- 0x01000000, 0xbefc03ff, +- 0x0000006c, 0x80f89078, +- 0xf429003a, 0xf0000000, +- 0xbf8cc07f, 0x80fc847c, +- 0xbf800000, 0xbe803100, +- 0xbe823102, 0x80f8a078, +- 0xf42d003a, 0xf0000000, +- 0xbf8cc07f, 0x80fc887c, +- 0xbf800000, 0xbe803100, +- 0xbe823102, 0xbe843104, +- 0xbe863106, 0x80f8c078, +- 0xf431003a, 0xf0000000, +- 0xbf8cc07f, 0x80fc907c, +- 0xbf800000, 0xbe803100, +- 0xbe823102, 0xbe843104, +- 0xbe863106, 0xbe883108, +- 0xbe8a310a, 0xbe8c310c, +- 0xbe8e310e, 0xbf06807c, +- 0xbf84fff0, 0xb9782a05, +- 0x80788178, 0x907c9973, +- 0x877c817c, 0xbf06817c, +- 0xbf850002, 0x8f788978, +- 0xbf820001, 0x8f788a78, +- 0xb9721e06, 0x8f728a72, +- 0x80787278, 0x8078ff78, +- 0x00000200, 0xbef603ff, +- 0x01000000, 0xf4211bfa, ++ 0x725d0300, 0xbf8c3f70, ++ 0xb9782a05, 0x80788178, ++ 0x907c9973, 0x877c817c, ++ 0xbf06817c, 0xbf850002, ++ 0x8f788978, 0xbf820001, ++ 0x8f788a78, 0xb9721e06, ++ 0x8f728a72, 0x80787278, ++ 0x8078ff78, 0x00000200, ++ 0x80f8ff78, 0x00000050, ++ 0xbef603ff, 0x01000000, ++ 0xbefc03ff, 0x0000006c, ++ 0x80f89078, 0xf429003a, ++ 0xf0000000, 0xbf8cc07f, ++ 0x80fc847c, 0xbf800000, ++ 0xbe803100, 0xbe823102, ++ 0x80f8a078, 0xf42d003a, ++ 0xf0000000, 0xbf8cc07f, ++ 0x80fc887c, 0xbf800000, ++ 0xbe803100, 0xbe823102, ++ 0xbe843104, 0xbe863106, ++ 0x80f8c078, 0xf431003a, ++ 0xf0000000, 0xbf8cc07f, ++ 0x80fc907c, 0xbf800000, ++ 0xbe803100, 0xbe823102, ++ 0xbe843104, 0xbe863106, ++ 0xbe883108, 0xbe8a310a, ++ 0xbe8c310c, 0xbe8e310e, ++ 0xbf06807c, 0xbf84fff0, ++ 0xb9782a05, 0x80788178, ++ 0x907c9973, 0x877c817c, ++ 0xbf06817c, 0xbf850002, ++ 0x8f788978, 0xbf820001, ++ 0x8f788a78, 0xb9721e06, ++ 0x8f728a72, 0x80787278, ++ 0x8078ff78, 0x00000200, ++ 0xbef603ff, 0x01000000, ++ 0xf4211bfa, 0xf0000000, ++ 0x80788478, 0xf4211b3a, + 0xf0000000, 0x80788478, +- 0xf4211b3a, 0xf0000000, +- 0x80788478, 0xf4211b7a, ++ 0xf4211b7a, 0xf0000000, ++ 0x80788478, 0xf4211eba, + 0xf0000000, 0x80788478, +- 0xf4211eba, 0xf0000000, +- 0x80788478, 0xf4211efa, ++ 0xf4211efa, 0xf0000000, ++ 0x80788478, 0xf4211c3a, + 0xf0000000, 0x80788478, +- 0xf4211c3a, 0xf0000000, +- 0x80788478, 0xf4211c7a, ++ 0xf4211c7a, 0xf0000000, ++ 0x80788478, 0xf4211e7a, + 0xf0000000, 0x80788478, +- 0xf4211e7a, 0xf0000000, +- 0x80788478, 0xf4211cfa, ++ 0xf4211cfa, 0xf0000000, ++ 0x80788478, 0xf4211bba, + 0xf0000000, 0x80788478, ++ 0xbf8cc07f, 0xb9eef814, + 0xf4211bba, 0xf0000000, + 0x80788478, 0xbf8cc07f, +- 0xb9eef814, 0xf4211bba, +- 0xf0000000, 0x80788478, +- 0xbf8cc07f, 0xb9eef815, +- 0xbef2036d, 0x876dff72, +- 0x0000ffff, 0xbefc036f, +- 0xbefe037a, 0xbeff037b, +- 0x876f71ff, 0x000003ff, +- 0xb9ef4803, 0xb9f9f816, +- 0x876f71ff, 0xfffff800, +- 0x906f8b6f, 0xb9efa2c3, +- 0xb9f3f801, 0x876fff72, +- 0xfc000000, 0x906f9a6f, +- 0x8f6f906f, 0xbef30380, ++ 0xb9eef815, 0xbef2036d, ++ 0x876dff72, 0x0000ffff, ++ 0xbefc036f, 0xbefe037a, ++ 0xbeff037b, 0x876f71ff, ++ 0x000003ff, 0xb9ef4803, ++ 0xb9f9f816, 0x876f71ff, ++ 0xfffff800, 0x906f8b6f, ++ 0xb9efa2c3, 0xb9f3f801, ++ 0x876fff72, 0xfc000000, ++ 0x906f9a6f, 0x8f6f906f, ++ 0xbef30380, 0x88736f73, ++ 0x876fff72, 0x02000000, ++ 0x906f996f, 0x8f6f8f6f, + 0x88736f73, 0x876fff72, +- 0x02000000, 0x906f996f, +- 0x8f6f8f6f, 0x88736f73, +- 0x876fff72, 0x01000000, +- 0x906f986f, 0x8f6f996f, +- 0x88736f73, 0x876fff70, +- 0x00800000, 0x906f976f, +- 0xb9f3f807, 0x87fe7e7e, +- 0x87ea6a6a, 0xb9f0f802, +- 0xbf8a0000, 0xbe80226c, +- 0xbf810000, 0xbf9f0000, ++ 0x01000000, 0x906f986f, ++ 0x8f6f996f, 0x88736f73, ++ 0x876fff70, 0x00800000, ++ 0x906f976f, 0xb9f3f807, ++ 0x87fe7e7e, 0x87ea6a6a, ++ 0xb9f0f802, 0xbf8a0000, ++ 0xbe80226c, 0xbf810000, + 0xbf9f0000, 0xbf9f0000, + 0xbf9f0000, 0xbf9f0000, ++ 0xbf9f0000, 0x00000000, + }; + static const uint32_t cwsr_trap_arcturus_hex[] = { + 0xbf820001, 0xbf8202c4, +diff --git a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx10.asm b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx10.asm +index cdaa523ce6bee..4433bda2ce25e 100644 +--- a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx10.asm ++++ b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx10.asm +@@ -758,6 +758,7 @@ L_RESTORE_V0: + buffer_load_dword v1, v0, s_restore_buf_rsrc0, s_restore_mem_offset_save slc:1 glc:1 offset:256 + buffer_load_dword v2, v0, s_restore_buf_rsrc0, s_restore_mem_offset_save slc:1 glc:1 offset:256*2 + buffer_load_dword v3, v0, s_restore_buf_rsrc0, s_restore_mem_offset_save slc:1 glc:1 offset:256*3 ++ s_waitcnt vmcnt(0) + + /* restore SGPRs */ + //will be 2+8+16*6 +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index a2ed9c257cb0d..e9a2784400792 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1075,6 +1075,8 @@ static int stop_cpsch(struct device_queue_manager *dqm) + unmap_queues_cpsch(dqm, KFD_UNMAP_QUEUES_FILTER_ALL_QUEUES, 0); + dqm_unlock(dqm); + ++ pm_release_ib(&dqm->packets); ++ + kfd_gtt_sa_free(dqm->dev, dqm->fence_mem); + pm_uninit(&dqm->packets); + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 60e50181f6d39..2384aa018993d 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4299,19 +4299,6 @@ static void dm_crtc_helper_disable(struct drm_crtc *crtc) + { + } + +-static bool does_crtc_have_active_cursor(struct drm_crtc_state *new_crtc_state) +-{ +- struct drm_device *dev = new_crtc_state->crtc->dev; +- struct drm_plane *plane; +- +- drm_for_each_plane_mask(plane, dev, new_crtc_state->plane_mask) { +- if (plane->type == DRM_PLANE_TYPE_CURSOR) +- return true; +- } +- +- return false; +-} +- + static int count_crtc_active_planes(struct drm_crtc_state *new_crtc_state) + { + struct drm_atomic_state *state = new_crtc_state->state; +@@ -4391,19 +4378,20 @@ static int dm_crtc_helper_atomic_check(struct drm_crtc *crtc, + return ret; + } + +- /* In some use cases, like reset, no stream is attached */ +- if (!dm_crtc_state->stream) +- return 0; +- + /* +- * We want at least one hardware plane enabled to use +- * the stream with a cursor enabled. ++ * We require the primary plane to be enabled whenever the CRTC is, otherwise ++ * drm_mode_cursor_universal may end up trying to enable the cursor plane while all other ++ * planes are disabled, which is not supported by the hardware. And there is legacy ++ * userspace which stops using the HW cursor altogether in response to the resulting EINVAL. + */ +- if (state->enable && state->active && +- does_crtc_have_active_cursor(state) && +- dm_crtc_state->active_planes == 0) ++ if (state->enable && ++ !(state->plane_mask & drm_plane_mask(crtc->primary))) + return -EINVAL; + ++ /* In some use cases, like reset, no stream is attached */ ++ if (!dm_crtc_state->stream) ++ return 0; ++ + if (dc_validate_stream(dc, dm_crtc_state->stream) == DC_OK) + return 0; + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c +index b43bb7f90e4e9..2233d293a707a 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c +@@ -210,6 +210,8 @@ static int __set_legacy_tf(struct dc_transfer_func *func, + res = mod_color_calculate_regamma_params(func, gamma, true, has_rom, + NULL); + ++ dc_gamma_release(&gamma); ++ + return res ? 0 : -ENOMEM; + } + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +index 5bf12a446e952..3efee7b3378a3 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -1733,8 +1733,7 @@ static void write_i2c_retimer_setting( + slave_address, buffer[0], buffer[1], i2c_success?1:0); + + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Based on DP159 specs, APPLY_RX_TX_CHANGE bit in 0x0A + * needs to be set to 1 on every 0xA-0xC write. +@@ -1752,8 +1751,7 @@ static void write_i2c_retimer_setting( + pipe_ctx->stream->link->ddc, + slave_address, &offset, 1, &value, 1); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + } + + buffer[0] = offset; +@@ -1765,8 +1763,7 @@ static void write_i2c_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + } + } + } +@@ -1786,8 +1783,7 @@ static void write_i2c_retimer_setting( + slave_address, buffer[0], buffer[1], i2c_success?1:0); + + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Based on DP159 specs, APPLY_RX_TX_CHANGE bit in 0x0A + * needs to be set to 1 on every 0xA-0xC write. +@@ -1805,8 +1801,7 @@ static void write_i2c_retimer_setting( + pipe_ctx->stream->link->ddc, + slave_address, &offset, 1, &value, 1); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + } + + buffer[0] = offset; +@@ -1818,8 +1813,7 @@ static void write_i2c_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + } + } + } +@@ -1837,8 +1831,7 @@ static void write_i2c_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0x00 to 0x23 */ + buffer[0] = 0x00; +@@ -1849,8 +1842,7 @@ static void write_i2c_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0xff to 0x00 */ + buffer[0] = 0xff; +@@ -1861,10 +1853,14 @@ static void write_i2c_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + } ++ ++ return; ++ ++i2c_write_fail: ++ DC_LOG_DEBUG("Set retimer failed"); + } + + static void write_i2c_default_retimer_setting( +@@ -1889,8 +1885,7 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0x0A to 0x17 */ + buffer[0] = 0x0A; +@@ -1901,8 +1896,7 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0x0B to 0xDA or 0xD8 */ + buffer[0] = 0x0B; +@@ -1913,8 +1907,7 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0x0A to 0x17 */ + buffer[0] = 0x0A; +@@ -1925,8 +1918,7 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val= 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0x0C to 0x1D or 0x91 */ + buffer[0] = 0x0C; +@@ -1937,8 +1929,7 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0x0A to 0x17 */ + buffer[0] = 0x0A; +@@ -1949,8 +1940,7 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + + if (is_vga_mode) { +@@ -1965,8 +1955,7 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val = 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0x00 to 0x23 */ + buffer[0] = 0x00; +@@ -1977,8 +1966,7 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val= 0x%x, i2c_success = %d\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + + /* Write offset 0xff to 0x00 */ + buffer[0] = 0xff; +@@ -1989,9 +1977,13 @@ static void write_i2c_default_retimer_setting( + offset = 0x%x, reg_val= 0x%x, i2c_success = %d end here\n", + slave_address, buffer[0], buffer[1], i2c_success?1:0); + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ goto i2c_write_fail; + } ++ ++ return; ++ ++i2c_write_fail: ++ DC_LOG_DEBUG("Set default retimer failed"); + } + + static void write_i2c_redriver_setting( +@@ -2020,8 +2012,7 @@ static void write_i2c_redriver_setting( + slave_address, buffer[3], buffer[4], buffer[5], buffer[6], i2c_success?1:0); + + if (!i2c_success) +- /* Write failure */ +- ASSERT(i2c_success); ++ DC_LOG_DEBUG("Set redriver failed"); + } + + static void enable_link_hdmi(struct pipe_ctx *pipe_ctx) +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c +index 51991bf26a93c..4c90d68db2307 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c +@@ -126,22 +126,16 @@ struct aux_payloads { + struct vector payloads; + }; + +-static struct i2c_payloads *dal_ddc_i2c_payloads_create(struct dc_context *ctx, uint32_t count) ++static bool dal_ddc_i2c_payloads_create( ++ struct dc_context *ctx, ++ struct i2c_payloads *payloads, ++ uint32_t count) + { +- struct i2c_payloads *payloads; +- +- payloads = kzalloc(sizeof(struct i2c_payloads), GFP_KERNEL); +- +- if (!payloads) +- return NULL; +- + if (dal_vector_construct( + &payloads->payloads, ctx, count, sizeof(struct i2c_payload))) +- return payloads; +- +- kfree(payloads); +- return NULL; ++ return true; + ++ return false; + } + + static struct i2c_payload *dal_ddc_i2c_payloads_get(struct i2c_payloads *p) +@@ -154,14 +148,12 @@ static uint32_t dal_ddc_i2c_payloads_get_count(struct i2c_payloads *p) + return p->payloads.count; + } + +-static void dal_ddc_i2c_payloads_destroy(struct i2c_payloads **p) ++static void dal_ddc_i2c_payloads_destroy(struct i2c_payloads *p) + { +- if (!p || !*p) ++ if (!p) + return; +- dal_vector_destruct(&(*p)->payloads); +- kfree(*p); +- *p = NULL; + ++ dal_vector_destruct(&p->payloads); + } + + #define DDC_MIN(a, b) (((a) < (b)) ? (a) : (b)) +@@ -521,9 +513,13 @@ bool dal_ddc_service_query_ddc_data( + + uint32_t payloads_num = write_payloads + read_payloads; + ++ + if (write_size > EDID_SEGMENT_SIZE || read_size > EDID_SEGMENT_SIZE) + return false; + ++ if (!payloads_num) ++ return false; ++ + /*TODO: len of payload data for i2c and aux is uint8!!!!, + * but we want to read 256 over i2c!!!!*/ + if (dal_ddc_service_is_in_aux_transaction_mode(ddc)) { +@@ -556,23 +552,25 @@ bool dal_ddc_service_query_ddc_data( + + ret = dc_link_aux_transfer_with_retries(ddc, &read_payload); + } else { +- struct i2c_payloads *payloads = +- dal_ddc_i2c_payloads_create(ddc->ctx, payloads_num); ++ struct i2c_command command = {0}; ++ struct i2c_payloads payloads; ++ ++ if (!dal_ddc_i2c_payloads_create(ddc->ctx, &payloads, payloads_num)) ++ return false; + +- struct i2c_command command = { +- .payloads = dal_ddc_i2c_payloads_get(payloads), +- .number_of_payloads = 0, +- .engine = DDC_I2C_COMMAND_ENGINE, +- .speed = ddc->ctx->dc->caps.i2c_speed_in_khz }; ++ command.payloads = dal_ddc_i2c_payloads_get(&payloads); ++ command.number_of_payloads = 0; ++ command.engine = DDC_I2C_COMMAND_ENGINE; ++ command.speed = ddc->ctx->dc->caps.i2c_speed_in_khz; + + dal_ddc_i2c_payloads_add( +- payloads, address, write_size, write_buf, true); ++ &payloads, address, write_size, write_buf, true); + + dal_ddc_i2c_payloads_add( +- payloads, address, read_size, read_buf, false); ++ &payloads, address, read_size, read_buf, false); + + command.number_of_payloads = +- dal_ddc_i2c_payloads_get_count(payloads); ++ dal_ddc_i2c_payloads_get_count(&payloads); + + ret = dm_helpers_submit_i2c( + ddc->ctx, +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c +index a519dbc5ecb65..5641a9477d291 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c +@@ -400,6 +400,7 @@ void dp_set_dsc_on_stream(struct pipe_ctx *pipe_ctx, bool enable) + dsc_cfg.pic_height = stream->timing.v_addressable + stream->timing.v_border_top + stream->timing.v_border_bottom; + dsc_cfg.pixel_encoding = stream->timing.pixel_encoding; + dsc_cfg.color_depth = stream->timing.display_color_depth; ++ dsc_cfg.is_odm = pipe_ctx->next_odm_pipe ? true : false; + dsc_cfg.dc_dsc_cfg = stream->timing.dsc_cfg; + ASSERT(dsc_cfg.dc_dsc_cfg.num_slices_h % opp_cnt == 0); + dsc_cfg.dc_dsc_cfg.num_slices_h /= opp_cnt; +@@ -496,11 +497,15 @@ bool dp_set_dsc_pps_sdp(struct pipe_ctx *pipe_ctx, bool enable) + struct dsc_config dsc_cfg; + uint8_t dsc_packed_pps[128]; + ++ memset(&dsc_cfg, 0, sizeof(dsc_cfg)); ++ memset(dsc_packed_pps, 0, 128); ++ + /* Enable DSC hw block */ + dsc_cfg.pic_width = stream->timing.h_addressable + stream->timing.h_border_left + stream->timing.h_border_right; + dsc_cfg.pic_height = stream->timing.v_addressable + stream->timing.v_border_top + stream->timing.v_border_bottom; + dsc_cfg.pixel_encoding = stream->timing.pixel_encoding; + dsc_cfg.color_depth = stream->timing.display_color_depth; ++ dsc_cfg.is_odm = pipe_ctx->next_odm_pipe ? true : false; + dsc_cfg.dc_dsc_cfg = stream->timing.dsc_cfg; + + DC_LOG_DSC(" "); +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dccg.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dccg.c +index 16476ed255363..2064366322755 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dccg.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dccg.c +@@ -119,32 +119,6 @@ void dccg2_get_dccg_ref_freq(struct dccg *dccg, + + void dccg2_init(struct dccg *dccg) + { +- struct dcn_dccg *dccg_dcn = TO_DCN_DCCG(dccg); +- +- // Fallthrough intentional to program all available dpp_dto's +- switch (dccg_dcn->base.ctx->dc->res_pool->pipe_count) { +- case 6: +- REG_UPDATE(DPPCLK_DTO_CTRL, DPPCLK_DTO_DB_EN[5], 1); +- /* Fall through */ +- case 5: +- REG_UPDATE(DPPCLK_DTO_CTRL, DPPCLK_DTO_DB_EN[4], 1); +- /* Fall through */ +- case 4: +- REG_UPDATE(DPPCLK_DTO_CTRL, DPPCLK_DTO_DB_EN[3], 1); +- /* Fall through */ +- case 3: +- REG_UPDATE(DPPCLK_DTO_CTRL, DPPCLK_DTO_DB_EN[2], 1); +- /* Fall through */ +- case 2: +- REG_UPDATE(DPPCLK_DTO_CTRL, DPPCLK_DTO_DB_EN[1], 1); +- /* Fall through */ +- case 1: +- REG_UPDATE(DPPCLK_DTO_CTRL, DPPCLK_DTO_DB_EN[0], 1); +- break; +- default: +- ASSERT(false); +- break; +- } + } + + static const struct dccg_funcs dccg2_funcs = { +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dsc.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dsc.c +index 1b419407af942..5c45c39662fbb 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dsc.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dsc.c +@@ -207,6 +207,9 @@ static bool dsc2_get_packed_pps(struct display_stream_compressor *dsc, const str + struct dsc_reg_values dsc_reg_vals; + struct dsc_optc_config dsc_optc_cfg; + ++ memset(&dsc_reg_vals, 0, sizeof(dsc_reg_vals)); ++ memset(&dsc_optc_cfg, 0, sizeof(dsc_optc_cfg)); ++ + DC_LOG_DSC("Getting packed DSC PPS for DSC Config:"); + dsc_config_log(dsc, dsc_cfg); + DC_LOG_DSC("DSC Picture Parameter Set (PPS):"); +@@ -348,6 +351,7 @@ static bool dsc_prepare_config(const struct dsc_config *dsc_cfg, struct dsc_reg_ + dsc_reg_vals->pps.block_pred_enable = dsc_cfg->dc_dsc_cfg.block_pred_enable; + dsc_reg_vals->pps.line_buf_depth = dsc_cfg->dc_dsc_cfg.linebuf_depth; + dsc_reg_vals->alternate_ich_encoding_en = dsc_reg_vals->pps.dsc_version_minor == 1 ? 0 : 1; ++ dsc_reg_vals->ich_reset_at_eol = (dsc_cfg->is_odm || dsc_reg_vals->num_slices_h > 1) ? 0xF : 0; + + // TODO: in addition to validating slice height (pic height must be divisible by slice height), + // see what happens when the same condition doesn't apply for slice_width/pic_width. +@@ -510,7 +514,6 @@ static void dsc_update_from_dsc_parameters(struct dsc_reg_values *reg_vals, cons + reg_vals->pps.rc_buf_thresh[i] = reg_vals->pps.rc_buf_thresh[i] >> 6; + + reg_vals->rc_buffer_model_size = dsc_params->rc_buffer_model_size; +- reg_vals->ich_reset_at_eol = reg_vals->num_slices_h == 1 ? 0 : 0xf; + } + + static void dsc_write_to_registers(struct display_stream_compressor *dsc, const struct dsc_reg_values *reg_vals) +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +index 05b98eadc2899..08062de3fbebd 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +@@ -340,8 +340,8 @@ struct _vcs_dpi_soc_bounding_box_st dcn2_0_nv14_soc = { + }, + }, + .num_states = 5, +- .sr_exit_time_us = 8.6, +- .sr_enter_plus_exit_time_us = 10.9, ++ .sr_exit_time_us = 11.6, ++ .sr_enter_plus_exit_time_us = 13.9, + .urgent_latency_us = 4.0, + .urgent_latency_pixel_data_only_us = 4.0, + .urgent_latency_pixel_mixed_with_vm_data_us = 4.0, +@@ -2275,6 +2275,7 @@ static bool dcn20_validate_dsc(struct dc *dc, struct dc_state *new_ctx) + + stream->timing.v_border_bottom; + dsc_cfg.pixel_encoding = stream->timing.pixel_encoding; + dsc_cfg.color_depth = stream->timing.display_color_depth; ++ dsc_cfg.is_odm = pipe_ctx->next_odm_pipe ? true : false; + dsc_cfg.dc_dsc_cfg = stream->timing.dsc_cfg; + dsc_cfg.dc_dsc_cfg.num_slices_h /= opp_cnt; + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hubp.c b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hubp.c +index a00af513aa2b0..c8f77bd0ce8a6 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hubp.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hubp.c +@@ -73,32 +73,47 @@ void apply_DEDCN21_142_wa_for_hostvm_deadline( + struct _vcs_dpi_display_dlg_regs_st *dlg_attr) + { + struct dcn21_hubp *hubp21 = TO_DCN21_HUBP(hubp); +- uint32_t cur_value; ++ uint32_t refcyc_per_vm_group_vblank; ++ uint32_t refcyc_per_vm_req_vblank; ++ uint32_t refcyc_per_vm_group_flip; ++ uint32_t refcyc_per_vm_req_flip; ++ const uint32_t uninitialized_hw_default = 0; + +- REG_GET(VBLANK_PARAMETERS_5, REFCYC_PER_VM_GROUP_VBLANK, &cur_value); +- if (cur_value > dlg_attr->refcyc_per_vm_group_vblank) ++ REG_GET(VBLANK_PARAMETERS_5, ++ REFCYC_PER_VM_GROUP_VBLANK, &refcyc_per_vm_group_vblank); ++ ++ if (refcyc_per_vm_group_vblank == uninitialized_hw_default || ++ refcyc_per_vm_group_vblank > dlg_attr->refcyc_per_vm_group_vblank) + REG_SET(VBLANK_PARAMETERS_5, 0, + REFCYC_PER_VM_GROUP_VBLANK, dlg_attr->refcyc_per_vm_group_vblank); + + REG_GET(VBLANK_PARAMETERS_6, +- REFCYC_PER_VM_REQ_VBLANK, +- &cur_value); +- if (cur_value > dlg_attr->refcyc_per_vm_req_vblank) ++ REFCYC_PER_VM_REQ_VBLANK, &refcyc_per_vm_req_vblank); ++ ++ if (refcyc_per_vm_req_vblank == uninitialized_hw_default || ++ refcyc_per_vm_req_vblank > dlg_attr->refcyc_per_vm_req_vblank) + REG_SET(VBLANK_PARAMETERS_6, 0, + REFCYC_PER_VM_REQ_VBLANK, dlg_attr->refcyc_per_vm_req_vblank); + +- REG_GET(FLIP_PARAMETERS_3, REFCYC_PER_VM_GROUP_FLIP, &cur_value); +- if (cur_value > dlg_attr->refcyc_per_vm_group_flip) ++ REG_GET(FLIP_PARAMETERS_3, ++ REFCYC_PER_VM_GROUP_FLIP, &refcyc_per_vm_group_flip); ++ ++ if (refcyc_per_vm_group_flip == uninitialized_hw_default || ++ refcyc_per_vm_group_flip > dlg_attr->refcyc_per_vm_group_flip) + REG_SET(FLIP_PARAMETERS_3, 0, + REFCYC_PER_VM_GROUP_FLIP, dlg_attr->refcyc_per_vm_group_flip); + +- REG_GET(FLIP_PARAMETERS_4, REFCYC_PER_VM_REQ_FLIP, &cur_value); +- if (cur_value > dlg_attr->refcyc_per_vm_req_flip) ++ REG_GET(FLIP_PARAMETERS_4, ++ REFCYC_PER_VM_REQ_FLIP, &refcyc_per_vm_req_flip); ++ ++ if (refcyc_per_vm_req_flip == uninitialized_hw_default || ++ refcyc_per_vm_req_flip > dlg_attr->refcyc_per_vm_req_flip) + REG_SET(FLIP_PARAMETERS_4, 0, + REFCYC_PER_VM_REQ_FLIP, dlg_attr->refcyc_per_vm_req_flip); + + REG_SET(FLIP_PARAMETERS_5, 0, + REFCYC_PER_PTE_GROUP_FLIP_C, dlg_attr->refcyc_per_pte_group_flip_c); ++ + REG_SET(FLIP_PARAMETERS_6, 0, + REFCYC_PER_META_CHUNK_FLIP_C, dlg_attr->refcyc_per_meta_chunk_flip_c); + } +diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw/dsc.h b/drivers/gpu/drm/amd/display/dc/inc/hw/dsc.h +index 1ddb1c6fa1493..75ecfdc5d5cd2 100644 +--- a/drivers/gpu/drm/amd/display/dc/inc/hw/dsc.h ++++ b/drivers/gpu/drm/amd/display/dc/inc/hw/dsc.h +@@ -36,6 +36,7 @@ struct dsc_config { + uint32_t pic_height; + enum dc_pixel_encoding pixel_encoding; + enum dc_color_depth color_depth; /* Bits per component */ ++ bool is_odm; + struct dc_dsc_config dc_dsc_cfg; + }; + +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c +index 3a2a1dc9a786a..1b55f037ba4a7 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c +@@ -3987,6 +3987,13 @@ static int smu7_set_power_state_tasks(struct pp_hwmgr *hwmgr, const void *input) + "Failed to populate and upload SCLK MCLK DPM levels!", + result = tmp_result); + ++ /* ++ * If a custom pp table is loaded, set DPMTABLE_OD_UPDATE_VDDC flag. ++ * That effectively disables AVFS feature. ++ */ ++ if (hwmgr->hardcode_pp_table != NULL) ++ data->need_update_smu7_dpm_table |= DPMTABLE_OD_UPDATE_VDDC; ++ + tmp_result = smu7_update_avfs(hwmgr); + PP_ASSERT_WITH_CODE((0 == tmp_result), + "Failed to update avfs voltages!", +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c +index beacfffbdc3eb..ecbc9daea57e0 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c +@@ -3691,6 +3691,13 @@ static int vega10_set_power_state_tasks(struct pp_hwmgr *hwmgr, + PP_ASSERT_WITH_CODE(!result, + "Failed to upload PPtable!", return result); + ++ /* ++ * If a custom pp table is loaded, set DPMTABLE_OD_UPDATE_VDDC flag. ++ * That effectively disables AVFS feature. ++ */ ++ if(hwmgr->hardcode_pp_table != NULL) ++ data->need_update_dpm_table |= DPMTABLE_OD_UPDATE_VDDC; ++ + vega10_update_avfs(hwmgr); + + /* +diff --git a/drivers/gpu/drm/exynos/exynos_drm_dsi.c b/drivers/gpu/drm/exynos/exynos_drm_dsi.c +index 8ed94c9948008..b83acd696774b 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_dsi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_dsi.c +@@ -1741,10 +1741,6 @@ static int exynos_dsi_probe(struct platform_device *pdev) + dsi->dev = dev; + dsi->driver_data = of_device_get_match_data(dev); + +- ret = exynos_dsi_parse_dt(dsi); +- if (ret) +- return ret; +- + dsi->supplies[0].supply = "vddcore"; + dsi->supplies[1].supply = "vddio"; + ret = devm_regulator_bulk_get(dev, ARRAY_SIZE(dsi->supplies), +@@ -1805,11 +1801,25 @@ static int exynos_dsi_probe(struct platform_device *pdev) + return ret; + } + ++ ret = exynos_dsi_parse_dt(dsi); ++ if (ret) ++ return ret; ++ + platform_set_drvdata(pdev, &dsi->encoder); + + pm_runtime_enable(dev); + +- return component_add(dev, &exynos_dsi_component_ops); ++ ret = component_add(dev, &exynos_dsi_component_ops); ++ if (ret) ++ goto err_disable_runtime; ++ ++ return 0; ++ ++err_disable_runtime: ++ pm_runtime_disable(dev); ++ of_node_put(dsi->in_bridge_node); ++ ++ return ret; + } + + static int exynos_dsi_remove(struct platform_device *pdev) +diff --git a/drivers/gpu/drm/gma500/cdv_intel_display.c b/drivers/gpu/drm/gma500/cdv_intel_display.c +index f56852a503e8d..8b784947ed3b9 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_display.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_display.c +@@ -405,6 +405,8 @@ static bool cdv_intel_find_dp_pll(const struct gma_limit_t *limit, + struct gma_crtc *gma_crtc = to_gma_crtc(crtc); + struct gma_clock_t clock; + ++ memset(&clock, 0, sizeof(clock)); ++ + switch (refclk) { + case 27000: + if (target < 200000) { +diff --git a/drivers/gpu/drm/mcde/mcde_display.c b/drivers/gpu/drm/mcde/mcde_display.c +index 751454ae3cd10..28ed506285018 100644 +--- a/drivers/gpu/drm/mcde/mcde_display.c ++++ b/drivers/gpu/drm/mcde/mcde_display.c +@@ -946,6 +946,7 @@ static void mcde_display_disable(struct drm_simple_display_pipe *pipe) + struct drm_crtc *crtc = &pipe->crtc; + struct drm_device *drm = crtc->dev; + struct mcde *mcde = drm->dev_private; ++ struct drm_pending_vblank_event *event; + + if (mcde->te_sync) + drm_crtc_vblank_off(crtc); +@@ -953,6 +954,15 @@ static void mcde_display_disable(struct drm_simple_display_pipe *pipe) + /* Disable FIFO A flow */ + mcde_disable_fifo(mcde, MCDE_FIFO_A, true); + ++ event = crtc->state->event; ++ if (event) { ++ crtc->state->event = NULL; ++ ++ spin_lock_irq(&crtc->dev->event_lock); ++ drm_crtc_send_vblank_event(crtc, event); ++ spin_unlock_irq(&crtc->dev->event_lock); ++ } ++ + dev_info(drm->dev, "MCDE display is disabled\n"); + } + +diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +index 24b55103bfe00..c8fb21cc0d6ff 100644 +--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c +@@ -1414,18 +1414,31 @@ static const struct adreno_gpu_funcs funcs = { + static void check_speed_bin(struct device *dev) + { + struct nvmem_cell *cell; +- u32 bin, val; ++ u32 val; ++ ++ /* ++ * If the OPP table specifies a opp-supported-hw property then we have ++ * to set something with dev_pm_opp_set_supported_hw() or the table ++ * doesn't get populated so pick an arbitrary value that should ++ * ensure the default frequencies are selected but not conflict with any ++ * actual bins ++ */ ++ val = 0x80; + + cell = nvmem_cell_get(dev, "speed_bin"); + +- /* If a nvmem cell isn't defined, nothing to do */ +- if (IS_ERR(cell)) +- return; ++ if (!IS_ERR(cell)) { ++ void *buf = nvmem_cell_read(cell, NULL); ++ ++ if (!IS_ERR(buf)) { ++ u8 bin = *((u8 *) buf); + +- bin = *((u32 *) nvmem_cell_read(cell, NULL)); +- nvmem_cell_put(cell); ++ val = (1 << bin); ++ kfree(buf); ++ } + +- val = (1 << bin); ++ nvmem_cell_put(cell); ++ } + + dev_pm_opp_set_supported_hw(dev, &val, 1); + } +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 4558d66761b3c..108632a1f2438 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -444,8 +444,10 @@ static int msm_drm_init(struct device *dev, struct drm_driver *drv) + if (!dev->dma_parms) { + dev->dma_parms = devm_kzalloc(dev, sizeof(*dev->dma_parms), + GFP_KERNEL); +- if (!dev->dma_parms) +- return -ENOMEM; ++ if (!dev->dma_parms) { ++ ret = -ENOMEM; ++ goto err_msm_uninit; ++ } + } + dma_set_max_seg_size(dev, DMA_BIT_MASK(32)); + +diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c +index 419a02260bfa7..ee2b1e1199e09 100644 +--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c ++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c +@@ -1032,8 +1032,10 @@ nv50_mstc_detect(struct drm_connector *connector, bool force) + return connector_status_disconnected; + + ret = pm_runtime_get_sync(connector->dev->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(connector->dev->dev); + return connector_status_disconnected; ++ } + + conn_status = drm_dp_mst_detect_port(connector, mstc->port->mgr, + mstc->port); +diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c +index 5c314f135dd10..3b13feca970f7 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c ++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c +@@ -183,8 +183,11 @@ nouveau_debugfs_pstate_set(struct file *file, const char __user *ubuf, + } + + ret = pm_runtime_get_sync(drm->dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(drm->dev); + return ret; ++ } ++ + ret = nvif_mthd(ctrl, NVIF_CONTROL_PSTATE_USER, &args, sizeof(args)); + pm_runtime_put_autosuspend(drm->dev); + if (ret < 0) +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index fbfe254227740..7d39d4949ee77 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -78,8 +78,10 @@ nouveau_gem_object_open(struct drm_gem_object *gem, struct drm_file *file_priv) + return ret; + + ret = pm_runtime_get_sync(dev); +- if (ret < 0 && ret != -EACCES) ++ if (ret < 0 && ret != -EACCES) { ++ pm_runtime_put_autosuspend(dev); + goto out; ++ } + + ret = nouveau_vma_new(nvbo, vmm, &vma); + pm_runtime_mark_last_busy(dev); +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c +index 9b91da09dc5f8..8d9812a51ef63 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c +@@ -101,9 +101,13 @@ platform_init(struct nvkm_bios *bios, const char *name) + else + return ERR_PTR(-ENODEV); + ++ if (!pdev->rom || pdev->romlen == 0) ++ return ERR_PTR(-ENODEV); ++ + if ((priv = kmalloc(sizeof(*priv), GFP_KERNEL))) { ++ priv->size = pdev->romlen; + if (ret = -ENODEV, +- (priv->rom = pci_platform_rom(pdev, &priv->size))) ++ (priv->rom = ioremap(pdev->rom, pdev->romlen))) + return priv; + kfree(priv); + } +@@ -111,11 +115,20 @@ platform_init(struct nvkm_bios *bios, const char *name) + return ERR_PTR(ret); + } + ++static void ++platform_fini(void *data) ++{ ++ struct priv *priv = data; ++ ++ iounmap(priv->rom); ++ kfree(priv); ++} ++ + const struct nvbios_source + nvbios_platform = { + .name = "PLATFORM", + .init = platform_init, +- .fini = (void(*)(void *))kfree, ++ .fini = platform_fini, + .read = pcirom_read, + .rw = true, + }; +diff --git a/drivers/gpu/drm/omapdrm/dss/dss.c b/drivers/gpu/drm/omapdrm/dss/dss.c +index 4bdd63b571002..ac93dae2a9c84 100644 +--- a/drivers/gpu/drm/omapdrm/dss/dss.c ++++ b/drivers/gpu/drm/omapdrm/dss/dss.c +@@ -1151,46 +1151,38 @@ static const struct dss_features dra7xx_dss_feats = { + .has_lcd_clk_src = true, + }; + +-static int dss_init_ports(struct dss_device *dss) ++static void __dss_uninit_ports(struct dss_device *dss, unsigned int num_ports) + { + struct platform_device *pdev = dss->pdev; + struct device_node *parent = pdev->dev.of_node; + struct device_node *port; + unsigned int i; +- int r; + +- for (i = 0; i < dss->feat->num_ports; i++) { ++ for (i = 0; i < num_ports; i++) { + port = of_graph_get_port_by_id(parent, i); + if (!port) + continue; + + switch (dss->feat->ports[i]) { + case OMAP_DISPLAY_TYPE_DPI: +- r = dpi_init_port(dss, pdev, port, dss->feat->model); +- if (r) +- return r; ++ dpi_uninit_port(port); + break; +- + case OMAP_DISPLAY_TYPE_SDI: +- r = sdi_init_port(dss, pdev, port); +- if (r) +- return r; ++ sdi_uninit_port(port); + break; +- + default: + break; + } + } +- +- return 0; + } + +-static void dss_uninit_ports(struct dss_device *dss) ++static int dss_init_ports(struct dss_device *dss) + { + struct platform_device *pdev = dss->pdev; + struct device_node *parent = pdev->dev.of_node; + struct device_node *port; +- int i; ++ unsigned int i; ++ int r; + + for (i = 0; i < dss->feat->num_ports; i++) { + port = of_graph_get_port_by_id(parent, i); +@@ -1199,15 +1191,32 @@ static void dss_uninit_ports(struct dss_device *dss) + + switch (dss->feat->ports[i]) { + case OMAP_DISPLAY_TYPE_DPI: +- dpi_uninit_port(port); ++ r = dpi_init_port(dss, pdev, port, dss->feat->model); ++ if (r) ++ goto error; + break; ++ + case OMAP_DISPLAY_TYPE_SDI: +- sdi_uninit_port(port); ++ r = sdi_init_port(dss, pdev, port); ++ if (r) ++ goto error; + break; ++ + default: + break; + } + } ++ ++ return 0; ++ ++error: ++ __dss_uninit_ports(dss, i); ++ return r; ++} ++ ++static void dss_uninit_ports(struct dss_device *dss) ++{ ++ __dss_uninit_ports(dss, dss->feat->num_ports); + } + + static int dss_video_pll_probe(struct dss_device *dss) +diff --git a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c +index 31502857f013d..ce67891eedd46 100644 +--- a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c ++++ b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c +@@ -192,7 +192,7 @@ static int __init omapdss_boot_init(void) + dss = of_find_matching_node(NULL, omapdss_of_match); + + if (dss == NULL || !of_device_is_available(dss)) +- return 0; ++ goto put_node; + + omapdss_walk_device(dss, true); + +@@ -217,6 +217,8 @@ static int __init omapdss_boot_init(void) + kfree(n); + } + ++put_node: ++ of_node_put(dss); + return 0; + } + +diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c +index 4d1490fbb0750..756a50e8aff20 100644 +--- a/drivers/gpu/drm/radeon/radeon_bios.c ++++ b/drivers/gpu/drm/radeon/radeon_bios.c +@@ -108,25 +108,33 @@ static bool radeon_read_bios(struct radeon_device *rdev) + + static bool radeon_read_platform_bios(struct radeon_device *rdev) + { +- uint8_t __iomem *bios; +- size_t size; ++ phys_addr_t rom = rdev->pdev->rom; ++ size_t romlen = rdev->pdev->romlen; ++ void __iomem *bios; + + rdev->bios = NULL; + +- bios = pci_platform_rom(rdev->pdev, &size); +- if (!bios) { ++ if (!rom || romlen == 0) + return false; +- } + +- if (size == 0 || bios[0] != 0x55 || bios[1] != 0xaa) { ++ rdev->bios = kzalloc(romlen, GFP_KERNEL); ++ if (!rdev->bios) + return false; +- } +- rdev->bios = kmemdup(bios, size, GFP_KERNEL); +- if (rdev->bios == NULL) { +- return false; +- } ++ ++ bios = ioremap(rom, romlen); ++ if (!bios) ++ goto free_bios; ++ ++ memcpy_fromio(rdev->bios, bios, romlen); ++ iounmap(bios); ++ ++ if (rdev->bios[0] != 0x55 || rdev->bios[1] != 0xaa) ++ goto free_bios; + + return true; ++free_bios: ++ kfree(rdev->bios); ++ return false; + } + + #ifdef CONFIG_ACPI +diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c +index 30c5ddd6d081c..134e9106ebac1 100644 +--- a/drivers/gpu/drm/scheduler/sched_main.c ++++ b/drivers/gpu/drm/scheduler/sched_main.c +@@ -284,10 +284,21 @@ static void drm_sched_job_timedout(struct work_struct *work) + unsigned long flags; + + sched = container_of(work, struct drm_gpu_scheduler, work_tdr.work); ++ ++ /* Protects against concurrent deletion in drm_sched_get_cleanup_job */ ++ spin_lock_irqsave(&sched->job_list_lock, flags); + job = list_first_entry_or_null(&sched->ring_mirror_list, + struct drm_sched_job, node); + + if (job) { ++ /* ++ * Remove the bad job so it cannot be freed by concurrent ++ * drm_sched_cleanup_jobs. It will be reinserted back after sched->thread ++ * is parked at which point it's safe. ++ */ ++ list_del_init(&job->node); ++ spin_unlock_irqrestore(&sched->job_list_lock, flags); ++ + job->sched->ops->timedout_job(job); + + /* +@@ -298,6 +309,8 @@ static void drm_sched_job_timedout(struct work_struct *work) + job->sched->ops->free_job(job); + sched->free_guilty = false; + } ++ } else { ++ spin_unlock_irqrestore(&sched->job_list_lock, flags); + } + + spin_lock_irqsave(&sched->job_list_lock, flags); +@@ -369,6 +382,20 @@ void drm_sched_stop(struct drm_gpu_scheduler *sched, struct drm_sched_job *bad) + + kthread_park(sched->thread); + ++ /* ++ * Reinsert back the bad job here - now it's safe as ++ * drm_sched_get_cleanup_job cannot race against us and release the ++ * bad job at this point - we parked (waited for) any in progress ++ * (earlier) cleanups and drm_sched_get_cleanup_job will not be called ++ * now until the scheduler thread is unparked. ++ */ ++ if (bad && bad->sched == sched) ++ /* ++ * Add at the head of the queue to reflect it was the earliest ++ * job extracted. ++ */ ++ list_add(&bad->node, &sched->ring_mirror_list); ++ + /* + * Iterate the job list from later to earlier one and either deactive + * their HW callbacks or remove them from mirror list if they already +diff --git a/drivers/gpu/drm/sun4i/sun8i_csc.h b/drivers/gpu/drm/sun4i/sun8i_csc.h +index f42441b1b14dd..a55a38ad849c1 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_csc.h ++++ b/drivers/gpu/drm/sun4i/sun8i_csc.h +@@ -12,7 +12,7 @@ struct sun8i_mixer; + + /* VI channel CSC units offsets */ + #define CCSC00_OFFSET 0xAA050 +-#define CCSC01_OFFSET 0xFA000 ++#define CCSC01_OFFSET 0xFA050 + #define CCSC10_OFFSET 0xA0000 + #define CCSC11_OFFSET 0xF0000 + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index d5f5ba4105241..54435b72b7611 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -1125,6 +1125,7 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *hdmi) + card->num_links = 1; + card->name = "vc4-hdmi"; + card->dev = dev; ++ card->owner = THIS_MODULE; + + /* + * Be careful, snd_soc_register_card() calls dev_set_drvdata() and +diff --git a/drivers/hwtracing/coresight/coresight-etm4x.c b/drivers/hwtracing/coresight/coresight-etm4x.c +index a128b5063f46c..83dccdeef9069 100644 +--- a/drivers/hwtracing/coresight/coresight-etm4x.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x.c +@@ -1184,6 +1184,7 @@ static int etm4_probe(struct amba_device *adev, const struct amba_id *id) + return 0; + + err_arch_supported: ++ etmdrvdata[drvdata->cpu] = NULL; + if (--etm4_count == 0) { + cpuhp_remove_state_nocalls(CPUHP_AP_ARM_CORESIGHT_STARTING); + if (hp_online) +diff --git a/drivers/hwtracing/intel_th/intel_th.h b/drivers/hwtracing/intel_th/intel_th.h +index 6f4f5486fe6dc..5fe694708b7a3 100644 +--- a/drivers/hwtracing/intel_th/intel_th.h ++++ b/drivers/hwtracing/intel_th/intel_th.h +@@ -47,11 +47,13 @@ struct intel_th_output { + /** + * struct intel_th_drvdata - describes hardware capabilities and quirks + * @tscu_enable: device needs SW to enable time stamping unit ++ * @multi_is_broken: device has multiblock mode is broken + * @has_mintctl: device has interrupt control (MINTCTL) register + * @host_mode_only: device can only operate in 'host debugger' mode + */ + struct intel_th_drvdata { + unsigned int tscu_enable : 1, ++ multi_is_broken : 1, + has_mintctl : 1, + host_mode_only : 1; + }; +diff --git a/drivers/hwtracing/intel_th/msu.c b/drivers/hwtracing/intel_th/msu.c +index 255f8f41c8ff7..3cd2489d398c5 100644 +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -157,7 +157,8 @@ struct msc { + /* config */ + unsigned int enabled : 1, + wrap : 1, +- do_irq : 1; ++ do_irq : 1, ++ multi_is_broken : 1; + unsigned int mode; + unsigned int burst_len; + unsigned int index; +@@ -1665,7 +1666,7 @@ static int intel_th_msc_init(struct msc *msc) + { + atomic_set(&msc->user_count, -1); + +- msc->mode = MSC_MODE_MULTI; ++ msc->mode = msc->multi_is_broken ? MSC_MODE_SINGLE : MSC_MODE_MULTI; + mutex_init(&msc->buf_mutex); + INIT_LIST_HEAD(&msc->win_list); + INIT_LIST_HEAD(&msc->iter_list); +@@ -1877,6 +1878,9 @@ mode_store(struct device *dev, struct device_attribute *attr, const char *buf, + return -EINVAL; + + found: ++ if (i == MSC_MODE_MULTI && msc->multi_is_broken) ++ return -EOPNOTSUPP; ++ + mutex_lock(&msc->buf_mutex); + ret = 0; + +@@ -2083,6 +2087,9 @@ static int intel_th_msc_probe(struct intel_th_device *thdev) + if (!res) + msc->do_irq = 1; + ++ if (INTEL_TH_CAP(to_intel_th(thdev), multi_is_broken)) ++ msc->multi_is_broken = 1; ++ + msc->index = thdev->id; + + msc->thdev = thdev; +diff --git a/drivers/hwtracing/intel_th/pci.c b/drivers/hwtracing/intel_th/pci.c +index 0d26484d67955..21fdf0b935166 100644 +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -120,6 +120,10 @@ static void intel_th_pci_remove(struct pci_dev *pdev) + pci_free_irq_vectors(pdev); + } + ++static const struct intel_th_drvdata intel_th_1x_multi_is_broken = { ++ .multi_is_broken = 1, ++}; ++ + static const struct intel_th_drvdata intel_th_2x = { + .tscu_enable = 1, + .has_mintctl = 1, +@@ -152,7 +156,7 @@ static const struct pci_device_id intel_th_pci_id_table[] = { + { + /* Kaby Lake PCH-H */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa2a6), +- .driver_data = (kernel_ulong_t)0, ++ .driver_data = (kernel_ulong_t)&intel_th_1x_multi_is_broken, + }, + { + /* Denverton */ +@@ -207,7 +211,7 @@ static const struct pci_device_id intel_th_pci_id_table[] = { + { + /* Comet Lake PCH-V */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa3a6), +- .driver_data = (kernel_ulong_t)&intel_th_2x, ++ .driver_data = (kernel_ulong_t)&intel_th_1x_multi_is_broken, + }, + { + /* Ice Lake NNPI */ +diff --git a/drivers/i2c/busses/i2c-aspeed.c b/drivers/i2c/busses/i2c-aspeed.c +index dad6e432de89f..bdcc3c9d0abe5 100644 +--- a/drivers/i2c/busses/i2c-aspeed.c ++++ b/drivers/i2c/busses/i2c-aspeed.c +@@ -69,6 +69,7 @@ + * These share bit definitions, so use the same values for the enable & + * status bits. + */ ++#define ASPEED_I2CD_INTR_RECV_MASK 0xf000ffff + #define ASPEED_I2CD_INTR_SDA_DL_TIMEOUT BIT(14) + #define ASPEED_I2CD_INTR_BUS_RECOVER_DONE BIT(13) + #define ASPEED_I2CD_INTR_SLAVE_MATCH BIT(7) +@@ -604,6 +605,7 @@ static irqreturn_t aspeed_i2c_bus_irq(int irq, void *dev_id) + writel(irq_received & ~ASPEED_I2CD_INTR_RX_DONE, + bus->base + ASPEED_I2C_INTR_STS_REG); + readl(bus->base + ASPEED_I2C_INTR_STS_REG); ++ irq_received &= ASPEED_I2CD_INTR_RECV_MASK; + irq_remaining = irq_received; + + #if IS_ENABLED(CONFIG_I2C_SLAVE) +diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c +index 331f7cca9babe..db94e96aed77e 100644 +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -16,6 +16,7 @@ + #include <linux/interrupt.h> + #include <linux/io.h> + #include <linux/iopoll.h> ++#include <linux/irq.h> + #include <linux/kernel.h> + #include <linux/module.h> + #include <linux/of_device.h> +@@ -230,7 +231,6 @@ struct tegra_i2c_hw_feature { + * @base_phys: physical base address of the I2C controller + * @cont_id: I2C controller ID, used for packet header + * @irq: IRQ number of transfer complete interrupt +- * @irq_disabled: used to track whether or not the interrupt is enabled + * @is_dvc: identifies the DVC I2C controller, has a different register layout + * @msg_complete: transfer completion notifier + * @msg_err: error code for completed message +@@ -240,7 +240,6 @@ struct tegra_i2c_hw_feature { + * @bus_clk_rate: current I2C bus clock rate + * @clk_divisor_non_hs_mode: clock divider for non-high-speed modes + * @is_multimaster_mode: track if I2C controller is in multi-master mode +- * @xfer_lock: lock to serialize transfer submission and processing + * @tx_dma_chan: DMA transmit channel + * @rx_dma_chan: DMA receive channel + * @dma_phys: handle to DMA resources +@@ -260,7 +259,6 @@ struct tegra_i2c_dev { + phys_addr_t base_phys; + int cont_id; + int irq; +- bool irq_disabled; + int is_dvc; + struct completion msg_complete; + int msg_err; +@@ -270,8 +268,6 @@ struct tegra_i2c_dev { + u32 bus_clk_rate; + u16 clk_divisor_non_hs_mode; + bool is_multimaster_mode; +- /* xfer_lock: lock to serialize transfer submission and processing */ +- spinlock_t xfer_lock; + struct dma_chan *tx_dma_chan; + struct dma_chan *rx_dma_chan; + dma_addr_t dma_phys; +@@ -790,11 +786,6 @@ static int tegra_i2c_init(struct tegra_i2c_dev *i2c_dev, bool clk_reinit) + if (err) + return err; + +- if (i2c_dev->irq_disabled) { +- i2c_dev->irq_disabled = false; +- enable_irq(i2c_dev->irq); +- } +- + return 0; + } + +@@ -825,18 +816,12 @@ static irqreturn_t tegra_i2c_isr(int irq, void *dev_id) + + status = i2c_readl(i2c_dev, I2C_INT_STATUS); + +- spin_lock(&i2c_dev->xfer_lock); + if (status == 0) { + dev_warn(i2c_dev->dev, "irq status 0 %08x %08x %08x\n", + i2c_readl(i2c_dev, I2C_PACKET_TRANSFER_STATUS), + i2c_readl(i2c_dev, I2C_STATUS), + i2c_readl(i2c_dev, I2C_CNFG)); + i2c_dev->msg_err |= I2C_ERR_UNKNOWN_INTERRUPT; +- +- if (!i2c_dev->irq_disabled) { +- disable_irq_nosync(i2c_dev->irq); +- i2c_dev->irq_disabled = true; +- } + goto err; + } + +@@ -925,7 +910,6 @@ err: + + complete(&i2c_dev->msg_complete); + done: +- spin_unlock(&i2c_dev->xfer_lock); + return IRQ_HANDLED; + } + +@@ -999,6 +983,30 @@ out: + i2c_writel(i2c_dev, val, reg); + } + ++static unsigned long ++tegra_i2c_wait_completion_timeout(struct tegra_i2c_dev *i2c_dev, ++ struct completion *complete, ++ unsigned int timeout_ms) ++{ ++ unsigned long ret; ++ ++ enable_irq(i2c_dev->irq); ++ ret = wait_for_completion_timeout(complete, ++ msecs_to_jiffies(timeout_ms)); ++ disable_irq(i2c_dev->irq); ++ ++ /* ++ * There is a chance that completion may happen after IRQ ++ * synchronization, which is done by disable_irq(). ++ */ ++ if (ret == 0 && completion_done(complete)) { ++ dev_warn(i2c_dev->dev, "completion done after timeout\n"); ++ ret = 1; ++ } ++ ++ return ret; ++} ++ + static int tegra_i2c_issue_bus_clear(struct i2c_adapter *adap) + { + struct tegra_i2c_dev *i2c_dev = i2c_get_adapdata(adap); +@@ -1020,8 +1028,8 @@ static int tegra_i2c_issue_bus_clear(struct i2c_adapter *adap) + i2c_writel(i2c_dev, reg, I2C_BUS_CLEAR_CNFG); + tegra_i2c_unmask_irq(i2c_dev, I2C_INT_BUS_CLR_DONE); + +- time_left = wait_for_completion_timeout(&i2c_dev->msg_complete, +- msecs_to_jiffies(50)); ++ time_left = tegra_i2c_wait_completion_timeout( ++ i2c_dev, &i2c_dev->msg_complete, 50); + if (time_left == 0) { + dev_err(i2c_dev->dev, "timed out for bus clear\n"); + return -ETIMEDOUT; +@@ -1044,7 +1052,6 @@ static int tegra_i2c_xfer_msg(struct tegra_i2c_dev *i2c_dev, + u32 packet_header; + u32 int_mask; + unsigned long time_left; +- unsigned long flags; + size_t xfer_size; + u32 *buffer = NULL; + int err = 0; +@@ -1075,7 +1082,6 @@ static int tegra_i2c_xfer_msg(struct tegra_i2c_dev *i2c_dev, + */ + xfer_time += DIV_ROUND_CLOSEST(((xfer_size * 9) + 2) * MSEC_PER_SEC, + i2c_dev->bus_clk_rate); +- spin_lock_irqsave(&i2c_dev->xfer_lock, flags); + + int_mask = I2C_INT_NO_ACK | I2C_INT_ARBITRATION_LOST; + tegra_i2c_unmask_irq(i2c_dev, int_mask); +@@ -1090,7 +1096,7 @@ static int tegra_i2c_xfer_msg(struct tegra_i2c_dev *i2c_dev, + dev_err(i2c_dev->dev, + "starting RX DMA failed, err %d\n", + err); +- goto unlock; ++ return err; + } + + } else { +@@ -1149,7 +1155,7 @@ static int tegra_i2c_xfer_msg(struct tegra_i2c_dev *i2c_dev, + dev_err(i2c_dev->dev, + "starting TX DMA failed, err %d\n", + err); +- goto unlock; ++ return err; + } + } else { + tegra_i2c_fill_tx_fifo(i2c_dev); +@@ -1169,15 +1175,10 @@ static int tegra_i2c_xfer_msg(struct tegra_i2c_dev *i2c_dev, + dev_dbg(i2c_dev->dev, "unmasked irq: %02x\n", + i2c_readl(i2c_dev, I2C_INT_MASK)); + +-unlock: +- spin_unlock_irqrestore(&i2c_dev->xfer_lock, flags); +- + if (dma) { +- if (err) +- return err; ++ time_left = tegra_i2c_wait_completion_timeout( ++ i2c_dev, &i2c_dev->dma_complete, xfer_time); + +- time_left = wait_for_completion_timeout(&i2c_dev->dma_complete, +- msecs_to_jiffies(xfer_time)); + if (time_left == 0) { + dev_err(i2c_dev->dev, "DMA transfer timeout\n"); + dmaengine_terminate_sync(i2c_dev->msg_read ? +@@ -1202,13 +1203,13 @@ unlock: + i2c_dev->tx_dma_chan); + } + +- time_left = wait_for_completion_timeout(&i2c_dev->msg_complete, +- msecs_to_jiffies(xfer_time)); ++ time_left = tegra_i2c_wait_completion_timeout( ++ i2c_dev, &i2c_dev->msg_complete, xfer_time); ++ + tegra_i2c_mask_irq(i2c_dev, int_mask); + + if (time_left == 0) { + dev_err(i2c_dev->dev, "i2c transfer timed out\n"); +- + tegra_i2c_init(i2c_dev, true); + return -ETIMEDOUT; + } +@@ -1568,7 +1569,6 @@ static int tegra_i2c_probe(struct platform_device *pdev) + I2C_PACKET_HEADER_SIZE; + init_completion(&i2c_dev->msg_complete); + init_completion(&i2c_dev->dma_complete); +- spin_lock_init(&i2c_dev->xfer_lock); + + if (!i2c_dev->hw->has_single_clk_source) { + fast_clk = devm_clk_get(&pdev->dev, "fast-clk"); +@@ -1644,6 +1644,8 @@ static int tegra_i2c_probe(struct platform_device *pdev) + goto release_dma; + } + ++ irq_set_status_flags(i2c_dev->irq, IRQ_NOAUTOEN); ++ + ret = devm_request_irq(&pdev->dev, i2c_dev->irq, + tegra_i2c_isr, 0, dev_name(&pdev->dev), i2c_dev); + if (ret) { +@@ -1719,10 +1721,14 @@ static int tegra_i2c_remove(struct platform_device *pdev) + static int __maybe_unused tegra_i2c_suspend(struct device *dev) + { + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); ++ int err = 0; + + i2c_mark_adapter_suspended(&i2c_dev->adapter); + +- return 0; ++ if (!pm_runtime_status_suspended(dev)) ++ err = tegra_i2c_runtime_suspend(dev); ++ ++ return err; + } + + static int __maybe_unused tegra_i2c_resume(struct device *dev) +@@ -1730,6 +1736,10 @@ static int __maybe_unused tegra_i2c_resume(struct device *dev) + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); + int err; + ++ /* ++ * We need to ensure that clocks are enabled so that registers can be ++ * restored in tegra_i2c_init(). ++ */ + err = tegra_i2c_runtime_resume(dev); + if (err) + return err; +@@ -1738,9 +1748,16 @@ static int __maybe_unused tegra_i2c_resume(struct device *dev) + if (err) + return err; + +- err = tegra_i2c_runtime_suspend(dev); +- if (err) +- return err; ++ /* ++ * In case we are runtime suspended, disable clocks again so that we ++ * don't unbalance the clock reference counts during the next runtime ++ * resume transition. ++ */ ++ if (pm_runtime_status_suspended(dev)) { ++ err = tegra_i2c_runtime_suspend(dev); ++ if (err) ++ return err; ++ } + + i2c_mark_adapter_resumed(&i2c_dev->adapter); + +diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c +index def62d5b42ca7..2dfe2ffcf8825 100644 +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -1385,8 +1385,8 @@ static int i2c_register_adapter(struct i2c_adapter *adap) + + /* create pre-declared device nodes */ + of_i2c_register_devices(adap); +- i2c_acpi_register_devices(adap); + i2c_acpi_install_space_handler(adap); ++ i2c_acpi_register_devices(adap); + + if (adap->nr < __i2c_first_dynamic_bus_num) + i2c_scan_static_board_info(adap); +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index 09af96ec41dd6..c1d6a068f50fe 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -1092,14 +1092,22 @@ retest: + break; + } + +- spin_lock_irq(&cm.lock); ++ spin_lock_irq(&cm_id_priv->lock); ++ spin_lock(&cm.lock); ++ /* Required for cleanup paths related cm_req_handler() */ ++ if (cm_id_priv->timewait_info) { ++ cm_cleanup_timewait(cm_id_priv->timewait_info); ++ kfree(cm_id_priv->timewait_info); ++ cm_id_priv->timewait_info = NULL; ++ } + if (!list_empty(&cm_id_priv->altr_list) && + (!cm_id_priv->altr_send_port_not_ready)) + list_del(&cm_id_priv->altr_list); + if (!list_empty(&cm_id_priv->prim_list) && + (!cm_id_priv->prim_send_port_not_ready)) + list_del(&cm_id_priv->prim_list); +- spin_unlock_irq(&cm.lock); ++ spin_unlock(&cm.lock); ++ spin_unlock_irq(&cm_id_priv->lock); + + cm_free_id(cm_id->local_id); + cm_deref_id(cm_id_priv); +@@ -1416,7 +1424,7 @@ int ib_send_cm_req(struct ib_cm_id *cm_id, + /* Verify that we're not in timewait. */ + cm_id_priv = container_of(cm_id, struct cm_id_private, id); + spin_lock_irqsave(&cm_id_priv->lock, flags); +- if (cm_id->state != IB_CM_IDLE) { ++ if (cm_id->state != IB_CM_IDLE || WARN_ON(cm_id_priv->timewait_info)) { + spin_unlock_irqrestore(&cm_id_priv->lock, flags); + ret = -EINVAL; + goto out; +@@ -1434,12 +1442,12 @@ int ib_send_cm_req(struct ib_cm_id *cm_id, + param->ppath_sgid_attr, &cm_id_priv->av, + cm_id_priv); + if (ret) +- goto error1; ++ goto out; + if (param->alternate_path) { + ret = cm_init_av_by_path(param->alternate_path, NULL, + &cm_id_priv->alt_av, cm_id_priv); + if (ret) +- goto error1; ++ goto out; + } + cm_id->service_id = param->service_id; + cm_id->service_mask = ~cpu_to_be64(0); +@@ -1457,7 +1465,7 @@ int ib_send_cm_req(struct ib_cm_id *cm_id, + + ret = cm_alloc_msg(cm_id_priv, &cm_id_priv->msg); + if (ret) +- goto error1; ++ goto out; + + req_msg = (struct cm_req_msg *) cm_id_priv->msg->mad; + cm_format_req(req_msg, cm_id_priv, param); +@@ -1480,7 +1488,6 @@ int ib_send_cm_req(struct ib_cm_id *cm_id, + return 0; + + error2: cm_free_msg(cm_id_priv->msg); +-error1: kfree(cm_id_priv->timewait_info); + out: return ret; + } + EXPORT_SYMBOL(ib_send_cm_req); +@@ -1965,7 +1972,7 @@ static int cm_req_handler(struct cm_work *work) + pr_debug("%s: local_id %d, no listen_cm_id_priv\n", __func__, + be32_to_cpu(cm_id->local_id)); + ret = -EINVAL; +- goto free_timeinfo; ++ goto destroy; + } + + cm_id_priv->id.cm_handler = listen_cm_id_priv->id.cm_handler; +@@ -2050,8 +2057,6 @@ static int cm_req_handler(struct cm_work *work) + rejected: + atomic_dec(&cm_id_priv->refcount); + cm_deref_id(listen_cm_id_priv); +-free_timeinfo: +- kfree(cm_id_priv->timewait_info); + destroy: + ib_destroy_cm_id(cm_id); + return ret; +diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c +index 6b4e7235d2f56..30e08bcc9afb5 100644 +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -3382,7 +3382,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + if (raddr->sin_addr.s_addr == htonl(INADDR_ANY)) { + err = pick_local_ipaddrs(dev, cm_id); + if (err) +- goto fail2; ++ goto fail3; + } + + /* find a route */ +@@ -3404,7 +3404,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param) + if (ipv6_addr_type(&raddr6->sin6_addr) == IPV6_ADDR_ANY) { + err = pick_local_ip6addrs(dev, cm_id); + if (err) +- goto fail2; ++ goto fail3; + } + + /* find a route */ +diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c +index b1df93b69df44..fa7a5ff498c73 100644 +--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c +@@ -2074,9 +2074,9 @@ static int i40iw_addr_resolve_neigh_ipv6(struct i40iw_device *iwdev, + dst = i40iw_get_dst_ipv6(&src_addr, &dst_addr); + if (!dst || dst->error) { + if (dst) { +- dst_release(dst); + i40iw_pr_err("ip6_route_output returned dst->error = %d\n", + dst->error); ++ dst_release(dst); + } + return rc; + } +diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +index a7a926b7b5628..6dea49e11f5f0 100644 +--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c ++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c +@@ -490,10 +490,10 @@ qedr_addr6_resolve(struct qedr_dev *dev, + + if ((!dst) || dst->error) { + if (dst) { +- dst_release(dst); + DP_ERR(dev, + "ip6_route_output returned dst->error = %d\n", + dst->error); ++ dst_release(dst); + } + return -EINVAL; + } +diff --git a/drivers/infiniband/sw/rxe/rxe.c b/drivers/infiniband/sw/rxe/rxe.c +index 70c4ea438664d..de5f3efe9fcb4 100644 +--- a/drivers/infiniband/sw/rxe/rxe.c ++++ b/drivers/infiniband/sw/rxe/rxe.c +@@ -118,6 +118,8 @@ static void rxe_init_device_param(struct rxe_dev *rxe) + rxe->attr.max_fast_reg_page_list_len = RXE_MAX_FMR_PAGE_LIST_LEN; + rxe->attr.max_pkeys = RXE_MAX_PKEYS; + rxe->attr.local_ca_ack_delay = RXE_LOCAL_CA_ACK_DELAY; ++ addrconf_addr_eui48((unsigned char *)&rxe->attr.sys_image_guid, ++ rxe->ndev->dev_addr); + + rxe->max_ucontext = RXE_MAX_UCONTEXT; + } +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index e2c6d1cedf416..f85273883794b 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -592,15 +592,16 @@ int rxe_qp_from_attr(struct rxe_qp *qp, struct ib_qp_attr *attr, int mask, + int err; + + if (mask & IB_QP_MAX_QP_RD_ATOMIC) { +- int max_rd_atomic = __roundup_pow_of_two(attr->max_rd_atomic); ++ int max_rd_atomic = attr->max_rd_atomic ? ++ roundup_pow_of_two(attr->max_rd_atomic) : 0; + + qp->attr.max_rd_atomic = max_rd_atomic; + atomic_set(&qp->req.rd_atomic, max_rd_atomic); + } + + if (mask & IB_QP_MAX_DEST_RD_ATOMIC) { +- int max_dest_rd_atomic = +- __roundup_pow_of_two(attr->max_dest_rd_atomic); ++ int max_dest_rd_atomic = attr->max_dest_rd_atomic ? ++ roundup_pow_of_two(attr->max_dest_rd_atomic) : 0; + + qp->attr.max_dest_rd_atomic = max_dest_rd_atomic; + +diff --git a/drivers/infiniband/ulp/iser/iser_memory.c b/drivers/infiniband/ulp/iser/iser_memory.c +index 2cc89a9b9e9bb..ea8e611397a3b 100644 +--- a/drivers/infiniband/ulp/iser/iser_memory.c ++++ b/drivers/infiniband/ulp/iser/iser_memory.c +@@ -292,12 +292,27 @@ void iser_unreg_mem_fastreg(struct iscsi_iser_task *iser_task, + { + struct iser_device *device = iser_task->iser_conn->ib_conn.device; + struct iser_mem_reg *reg = &iser_task->rdma_reg[cmd_dir]; ++ struct iser_fr_desc *desc; ++ struct ib_mr_status mr_status; + +- if (!reg->mem_h) ++ desc = reg->mem_h; ++ if (!desc) + return; + +- device->reg_ops->reg_desc_put(&iser_task->iser_conn->ib_conn, +- reg->mem_h); ++ /* ++ * The signature MR cannot be invalidated and reused without checking. ++ * libiscsi calls the check_protection transport handler only if ++ * SCSI-Response is received. And the signature MR is not checked if ++ * the task is completed for some other reason like a timeout or error ++ * handling. That's why we must check the signature MR here before ++ * putting it to the free pool. ++ */ ++ if (unlikely(desc->sig_protected)) { ++ desc->sig_protected = false; ++ ib_check_mr_status(desc->rsc.sig_mr, IB_MR_CHECK_SIG_STATUS, ++ &mr_status); ++ } ++ device->reg_ops->reg_desc_put(&iser_task->iser_conn->ib_conn, desc); + reg->mem_h = NULL; + } + +diff --git a/drivers/leds/leds-mlxreg.c b/drivers/leds/leds-mlxreg.c +index cabe379071a7c..82aea1cd0c125 100644 +--- a/drivers/leds/leds-mlxreg.c ++++ b/drivers/leds/leds-mlxreg.c +@@ -228,8 +228,8 @@ static int mlxreg_led_config(struct mlxreg_led_priv_data *priv) + brightness = LED_OFF; + led_data->base_color = MLXREG_LED_GREEN_SOLID; + } +- sprintf(led_data->led_cdev_name, "%s:%s", "mlxreg", +- data->label); ++ snprintf(led_data->led_cdev_name, sizeof(led_data->led_cdev_name), ++ "mlxreg:%s", data->label); + led_cdev->name = led_data->led_cdev_name; + led_cdev->brightness = brightness; + led_cdev->max_brightness = LED_ON; +diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h +index 217c838a1b405..859567ad3db4e 100644 +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -585,6 +585,7 @@ struct cache_set { + */ + wait_queue_head_t btree_cache_wait; + struct task_struct *btree_cache_alloc_lock; ++ spinlock_t btree_cannibalize_lock; + + /* + * When we free a btree node, we increment the gen of the bucket the +diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c +index 46556bde032e2..8d06105fc9ff5 100644 +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -886,15 +886,17 @@ out: + + static int mca_cannibalize_lock(struct cache_set *c, struct btree_op *op) + { +- struct task_struct *old; +- +- old = cmpxchg(&c->btree_cache_alloc_lock, NULL, current); +- if (old && old != current) { ++ spin_lock(&c->btree_cannibalize_lock); ++ if (likely(c->btree_cache_alloc_lock == NULL)) { ++ c->btree_cache_alloc_lock = current; ++ } else if (c->btree_cache_alloc_lock != current) { + if (op) + prepare_to_wait(&c->btree_cache_wait, &op->wait, + TASK_UNINTERRUPTIBLE); ++ spin_unlock(&c->btree_cannibalize_lock); + return -EINTR; + } ++ spin_unlock(&c->btree_cannibalize_lock); + + return 0; + } +@@ -929,10 +931,12 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op, + */ + static void bch_cannibalize_unlock(struct cache_set *c) + { ++ spin_lock(&c->btree_cannibalize_lock); + if (c->btree_cache_alloc_lock == current) { + c->btree_cache_alloc_lock = NULL; + wake_up(&c->btree_cache_wait); + } ++ spin_unlock(&c->btree_cannibalize_lock); + } + + static struct btree *mca_alloc(struct cache_set *c, struct btree_op *op, +diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c +index 2cbfcd99b7ee7..63f5ce18311bb 100644 +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1798,6 +1798,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) + sema_init(&c->sb_write_mutex, 1); + mutex_init(&c->bucket_lock); + init_waitqueue_head(&c->btree_cache_wait); ++ spin_lock_init(&c->btree_cannibalize_lock); + init_waitqueue_head(&c->bucket_wait); + init_waitqueue_head(&c->gc_wait); + sema_init(&c->uuid_write_mutex, 1); +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index edc3660759131..13ad791126618 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -922,21 +922,15 @@ bool dm_table_supports_dax(struct dm_table *t, + + static bool dm_table_does_not_support_partial_completion(struct dm_table *t); + +-struct verify_rq_based_data { +- unsigned sq_count; +- unsigned mq_count; +-}; +- +-static int device_is_rq_based(struct dm_target *ti, struct dm_dev *dev, +- sector_t start, sector_t len, void *data) ++static int device_is_rq_stackable(struct dm_target *ti, struct dm_dev *dev, ++ sector_t start, sector_t len, void *data) + { +- struct request_queue *q = bdev_get_queue(dev->bdev); +- struct verify_rq_based_data *v = data; ++ struct block_device *bdev = dev->bdev; ++ struct request_queue *q = bdev_get_queue(bdev); + +- if (queue_is_mq(q)) +- v->mq_count++; +- else +- v->sq_count++; ++ /* request-based cannot stack on partitions! */ ++ if (bdev != bdev->bd_contains) ++ return false; + + return queue_is_mq(q); + } +@@ -945,7 +939,6 @@ static int dm_table_determine_type(struct dm_table *t) + { + unsigned i; + unsigned bio_based = 0, request_based = 0, hybrid = 0; +- struct verify_rq_based_data v = {.sq_count = 0, .mq_count = 0}; + struct dm_target *tgt; + struct list_head *devices = dm_table_get_devices(t); + enum dm_queue_mode live_md_type = dm_get_md_type(t->md); +@@ -1049,14 +1042,10 @@ verify_rq_based: + + /* Non-request-stackable devices can't be used for request-based dm */ + if (!tgt->type->iterate_devices || +- !tgt->type->iterate_devices(tgt, device_is_rq_based, &v)) { ++ !tgt->type->iterate_devices(tgt, device_is_rq_stackable, NULL)) { + DMERR("table load rejected: including non-request-stackable devices"); + return -EINVAL; + } +- if (v.sq_count > 0) { +- DMERR("table load rejected: not all devices are blk-mq request-stackable"); +- return -EINVAL; +- } + + return 0; + } +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 63d59e2ed1582..667db23f10ee1 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1720,23 +1720,6 @@ out: + return ret; + } + +-static void dm_queue_split(struct mapped_device *md, struct dm_target *ti, struct bio **bio) +-{ +- unsigned len, sector_count; +- +- sector_count = bio_sectors(*bio); +- len = min_t(sector_t, max_io_len((*bio)->bi_iter.bi_sector, ti), sector_count); +- +- if (sector_count > len) { +- struct bio *split = bio_split(*bio, len, GFP_NOIO, &md->queue->bio_split); +- +- bio_chain(split, *bio); +- trace_block_split(md->queue, split, (*bio)->bi_iter.bi_sector); +- generic_make_request(*bio); +- *bio = split; +- } +-} +- + static blk_qc_t dm_process_bio(struct mapped_device *md, + struct dm_table *map, struct bio *bio) + { +@@ -1764,14 +1747,12 @@ static blk_qc_t dm_process_bio(struct mapped_device *md, + if (current->bio_list) { + if (is_abnormal_io(bio)) + blk_queue_split(md->queue, &bio); +- else +- dm_queue_split(md, ti, &bio); ++ /* regular IO is split by __split_and_process_bio */ + } + + if (dm_get_md_type(md) == DM_TYPE_NVME_BIO_BASED) + return __process_bio(md, map, bio, ti); +- else +- return __split_and_process_bio(md, map, bio); ++ return __split_and_process_bio(md, map, bio); + } + + static blk_qc_t dm_make_request(struct request_queue *q, struct bio *bio) +diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c +index 1953b00b3e487..685c0ac71819e 100644 +--- a/drivers/media/dvb-frontends/tda10071.c ++++ b/drivers/media/dvb-frontends/tda10071.c +@@ -470,10 +470,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status) + goto error; + + if (dev->delivery_system == SYS_DVBS) { +- dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 | +- buf[2] << 8 | buf[3] << 0; +- dev->post_bit_error += buf[0] << 24 | buf[1] << 16 | +- buf[2] << 8 | buf[3] << 0; ++ u32 bit_error = buf[0] << 24 | buf[1] << 16 | ++ buf[2] << 8 | buf[3] << 0; ++ ++ dev->dvbv3_ber = bit_error; ++ dev->post_bit_error += bit_error; + c->post_bit_error.stat[0].scale = FE_SCALE_COUNTER; + c->post_bit_error.stat[0].uvalue = dev->post_bit_error; + dev->block_error += buf[4] << 8 | buf[5] << 0; +diff --git a/drivers/media/i2c/smiapp/smiapp-core.c b/drivers/media/i2c/smiapp/smiapp-core.c +index 42805dfbffeb9..06edbe8749c64 100644 +--- a/drivers/media/i2c/smiapp/smiapp-core.c ++++ b/drivers/media/i2c/smiapp/smiapp-core.c +@@ -2327,11 +2327,12 @@ smiapp_sysfs_nvm_read(struct device *dev, struct device_attribute *attr, + if (rval < 0) { + if (rval != -EBUSY && rval != -EAGAIN) + pm_runtime_set_active(&client->dev); +- pm_runtime_put(&client->dev); ++ pm_runtime_put_noidle(&client->dev); + return -ENODEV; + } + + if (smiapp_read_nvm(sensor, sensor->nvm)) { ++ pm_runtime_put(&client->dev); + dev_err(&client->dev, "nvm read failed\n"); + return -ENODEV; + } +diff --git a/drivers/media/mc/mc-device.c b/drivers/media/mc/mc-device.c +index e19df5165e78c..da80883511352 100644 +--- a/drivers/media/mc/mc-device.c ++++ b/drivers/media/mc/mc-device.c +@@ -575,6 +575,38 @@ static void media_device_release(struct media_devnode *devnode) + dev_dbg(devnode->parent, "Media device released\n"); + } + ++static void __media_device_unregister_entity(struct media_entity *entity) ++{ ++ struct media_device *mdev = entity->graph_obj.mdev; ++ struct media_link *link, *tmp; ++ struct media_interface *intf; ++ unsigned int i; ++ ++ ida_free(&mdev->entity_internal_idx, entity->internal_idx); ++ ++ /* Remove all interface links pointing to this entity */ ++ list_for_each_entry(intf, &mdev->interfaces, graph_obj.list) { ++ list_for_each_entry_safe(link, tmp, &intf->links, list) { ++ if (link->entity == entity) ++ __media_remove_intf_link(link); ++ } ++ } ++ ++ /* Remove all data links that belong to this entity */ ++ __media_entity_remove_links(entity); ++ ++ /* Remove all pads that belong to this entity */ ++ for (i = 0; i < entity->num_pads; i++) ++ media_gobj_destroy(&entity->pads[i].graph_obj); ++ ++ /* Remove the entity */ ++ media_gobj_destroy(&entity->graph_obj); ++ ++ /* invoke entity_notify callbacks to handle entity removal?? */ ++ ++ entity->graph_obj.mdev = NULL; ++} ++ + /** + * media_device_register_entity - Register an entity with a media device + * @mdev: The media device +@@ -632,6 +664,7 @@ int __must_check media_device_register_entity(struct media_device *mdev, + */ + ret = media_graph_walk_init(&new, mdev); + if (ret) { ++ __media_device_unregister_entity(entity); + mutex_unlock(&mdev->graph_mutex); + return ret; + } +@@ -644,38 +677,6 @@ int __must_check media_device_register_entity(struct media_device *mdev, + } + EXPORT_SYMBOL_GPL(media_device_register_entity); + +-static void __media_device_unregister_entity(struct media_entity *entity) +-{ +- struct media_device *mdev = entity->graph_obj.mdev; +- struct media_link *link, *tmp; +- struct media_interface *intf; +- unsigned int i; +- +- ida_free(&mdev->entity_internal_idx, entity->internal_idx); +- +- /* Remove all interface links pointing to this entity */ +- list_for_each_entry(intf, &mdev->interfaces, graph_obj.list) { +- list_for_each_entry_safe(link, tmp, &intf->links, list) { +- if (link->entity == entity) +- __media_remove_intf_link(link); +- } +- } +- +- /* Remove all data links that belong to this entity */ +- __media_entity_remove_links(entity); +- +- /* Remove all pads that belong to this entity */ +- for (i = 0; i < entity->num_pads; i++) +- media_gobj_destroy(&entity->pads[i].graph_obj); +- +- /* Remove the entity */ +- media_gobj_destroy(&entity->graph_obj); +- +- /* invoke entity_notify callbacks to handle entity removal?? */ +- +- entity->graph_obj.mdev = NULL; +-} +- + void media_device_unregister_entity(struct media_entity *entity) + { + struct media_device *mdev = entity->graph_obj.mdev; +diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c +index 59ae7a1e63bc2..05b80a66e80ed 100644 +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -987,13 +987,14 @@ static int vdec_stop_capture(struct venus_inst *inst) + ret = hfi_session_flush(inst, HFI_FLUSH_OUTPUT); + vdec_cancel_dst_buffers(inst); + inst->codec_state = VENUS_DEC_STATE_CAPTURE_SETUP; +- INIT_LIST_HEAD(&inst->registeredbufs); + venus_helper_free_dpb_bufs(inst); + break; + default: +- return 0; ++ break; + } + ++ INIT_LIST_HEAD(&inst->registeredbufs); ++ + return ret; + } + +diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c +index 955a49b8e9c08..f06408009a9c2 100644 +--- a/drivers/media/platform/ti-vpe/cal.c ++++ b/drivers/media/platform/ti-vpe/cal.c +@@ -678,12 +678,13 @@ static void pix_proc_config(struct cal_ctx *ctx) + } + + static void cal_wr_dma_config(struct cal_ctx *ctx, +- unsigned int width) ++ unsigned int width, unsigned int height) + { + u32 val; + + val = reg_read(ctx->dev, CAL_WR_DMA_CTRL(ctx->csi2_port)); + set_field(&val, ctx->csi2_port, CAL_WR_DMA_CTRL_CPORT_MASK); ++ set_field(&val, height, CAL_WR_DMA_CTRL_YSIZE_MASK); + set_field(&val, CAL_WR_DMA_CTRL_DTAG_PIX_DAT, + CAL_WR_DMA_CTRL_DTAG_MASK); + set_field(&val, CAL_WR_DMA_CTRL_MODE_CONST, +@@ -1306,7 +1307,8 @@ static int cal_start_streaming(struct vb2_queue *vq, unsigned int count) + csi2_lane_config(ctx); + csi2_ctx_config(ctx); + pix_proc_config(ctx); +- cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline); ++ cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline, ++ ctx->v_fmt.fmt.pix.height); + cal_wr_dma_addr(ctx, addr); + csi2_ppi_enable(ctx); + +diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c +index ff2aa057c1fbc..f889c9d740cd1 100644 +--- a/drivers/media/usb/go7007/go7007-usb.c ++++ b/drivers/media/usb/go7007/go7007-usb.c +@@ -1044,6 +1044,7 @@ static int go7007_usb_probe(struct usb_interface *intf, + struct go7007_usb *usb; + const struct go7007_usb_board *board; + struct usb_device *usbdev = interface_to_usbdev(intf); ++ struct usb_host_endpoint *ep; + unsigned num_i2c_devs; + char *name; + int video_pipe, i, v_urb_len; +@@ -1140,7 +1141,8 @@ static int go7007_usb_probe(struct usb_interface *intf, + if (usb->intr_urb->transfer_buffer == NULL) + goto allocfail; + +- if (go->board_id == GO7007_BOARDID_SENSORAY_2250) ++ ep = usb->usbdev->ep_in[4]; ++ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) + usb_fill_bulk_urb(usb->intr_urb, usb->usbdev, + usb_rcvbulkpipe(usb->usbdev, 4), + usb->intr_urb->transfer_buffer, 2*sizeof(u16), +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 23276a80e3b48..96d02b6f06fd8 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -28,6 +28,11 @@ int mfd_cell_enable(struct platform_device *pdev) + const struct mfd_cell *cell = mfd_get_cell(pdev); + int err = 0; + ++ if (!cell->enable) { ++ dev_dbg(&pdev->dev, "No .enable() call-back registered\n"); ++ return 0; ++ } ++ + /* only call enable hook if the cell wasn't previously enabled */ + if (atomic_inc_return(cell->usage_count) == 1) + err = cell->enable(pdev); +@@ -45,6 +50,11 @@ int mfd_cell_disable(struct platform_device *pdev) + const struct mfd_cell *cell = mfd_get_cell(pdev); + int err = 0; + ++ if (!cell->disable) { ++ dev_dbg(&pdev->dev, "No .disable() call-back registered\n"); ++ return 0; ++ } ++ + /* only disable if no other clients are using it */ + if (atomic_dec_return(cell->usage_count) == 0) + err = cell->disable(pdev); +diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c +index b7159e243323b..de14b5845f525 100644 +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -297,7 +297,7 @@ static void mmc_manage_enhanced_area(struct mmc_card *card, u8 *ext_csd) + } + } + +-static void mmc_part_add(struct mmc_card *card, unsigned int size, ++static void mmc_part_add(struct mmc_card *card, u64 size, + unsigned int part_cfg, char *name, int idx, bool ro, + int area_type) + { +@@ -313,7 +313,7 @@ static void mmc_manage_gp_partitions(struct mmc_card *card, u8 *ext_csd) + { + int idx; + u8 hc_erase_grp_sz, hc_wp_grp_sz; +- unsigned int part_size; ++ u64 part_size; + + /* + * General purpose partition feature support -- +@@ -343,8 +343,7 @@ static void mmc_manage_gp_partitions(struct mmc_card *card, u8 *ext_csd) + (ext_csd[EXT_CSD_GP_SIZE_MULT + idx * 3 + 1] + << 8) + + ext_csd[EXT_CSD_GP_SIZE_MULT + idx * 3]; +- part_size *= (size_t)(hc_erase_grp_sz * +- hc_wp_grp_sz); ++ part_size *= (hc_erase_grp_sz * hc_wp_grp_sz); + mmc_part_add(card, part_size << 19, + EXT_CSD_PART_CONFIG_ACC_GP0 + idx, + "gp%d", idx, false, +@@ -362,7 +361,7 @@ static void mmc_manage_gp_partitions(struct mmc_card *card, u8 *ext_csd) + static int mmc_decode_ext_csd(struct mmc_card *card, u8 *ext_csd) + { + int err = 0, idx; +- unsigned int part_size; ++ u64 part_size; + struct device_node *np; + bool broken_hpi = false; + +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index a4f2d8cdca120..c8b9ab40a1027 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -794,7 +794,6 @@ static struct mtd_info *cfi_amdstd_setup(struct mtd_info *mtd) + kfree(mtd->eraseregions); + kfree(mtd); + kfree(cfi->cmdset_priv); +- kfree(cfi->cfiq); + return NULL; + } + +diff --git a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c +index b9d5d55a5edb9..ef89947ee3191 100644 +--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c +@@ -540,8 +540,10 @@ static int bch_set_geometry(struct gpmi_nand_data *this) + return ret; + + ret = pm_runtime_get_sync(this->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(this->dev); + return ret; ++ } + + /* + * Due to erratum #2847 of the MX23, the BCH cannot be soft reset on this +diff --git a/drivers/mtd/nand/raw/omap_elm.c b/drivers/mtd/nand/raw/omap_elm.c +index 5502ffbdd1e6d..6e0e31eab7cce 100644 +--- a/drivers/mtd/nand/raw/omap_elm.c ++++ b/drivers/mtd/nand/raw/omap_elm.c +@@ -411,6 +411,7 @@ static int elm_probe(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + if (pm_runtime_get_sync(&pdev->dev) < 0) { + ret = -EINVAL; ++ pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + dev_err(&pdev->dev, "can't enable clock\n"); + return ret; +diff --git a/drivers/mtd/parsers/cmdlinepart.c b/drivers/mtd/parsers/cmdlinepart.c +index c86f2db8c882d..0625b25620ca7 100644 +--- a/drivers/mtd/parsers/cmdlinepart.c ++++ b/drivers/mtd/parsers/cmdlinepart.c +@@ -218,12 +218,29 @@ static int mtdpart_setup_real(char *s) + struct cmdline_mtd_partition *this_mtd; + struct mtd_partition *parts; + int mtd_id_len, num_parts; +- char *p, *mtd_id; ++ char *p, *mtd_id, *semicol; ++ ++ /* ++ * Replace the first ';' by a NULL char so strrchr can work ++ * properly. ++ */ ++ semicol = strchr(s, ';'); ++ if (semicol) ++ *semicol = '\0'; + + mtd_id = s; + +- /* fetch <mtd-id> */ +- p = strchr(s, ':'); ++ /* ++ * fetch <mtd-id>. We use strrchr to ignore all ':' that could ++ * be present in the MTD name, only the last one is interpreted ++ * as an <mtd-id>/<part-definition> separator. ++ */ ++ p = strrchr(s, ':'); ++ ++ /* Restore the ';' now. */ ++ if (semicol) ++ *semicol = ';'; ++ + if (!p) { + pr_err("no mtd-id\n"); + return -EINVAL; +diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c +index c44c8470247e1..b486250923c5a 100644 +--- a/drivers/mtd/ubi/fastmap-wl.c ++++ b/drivers/mtd/ubi/fastmap-wl.c +@@ -39,6 +39,13 @@ static struct ubi_wl_entry *find_anchor_wl_entry(struct rb_root *root) + return victim; + } + ++static inline void return_unused_peb(struct ubi_device *ubi, ++ struct ubi_wl_entry *e) ++{ ++ wl_tree_add(e, &ubi->free); ++ ubi->free_count++; ++} ++ + /** + * return_unused_pool_pebs - returns unused PEB to the free tree. + * @ubi: UBI device description object +@@ -52,23 +59,10 @@ static void return_unused_pool_pebs(struct ubi_device *ubi, + + for (i = pool->used; i < pool->size; i++) { + e = ubi->lookuptbl[pool->pebs[i]]; +- wl_tree_add(e, &ubi->free); +- ubi->free_count++; ++ return_unused_peb(ubi, e); + } + } + +-static int anchor_pebs_available(struct rb_root *root) +-{ +- struct rb_node *p; +- struct ubi_wl_entry *e; +- +- ubi_rb_for_each_entry(p, e, root, u.rb) +- if (e->pnum < UBI_FM_MAX_START) +- return 1; +- +- return 0; +-} +- + /** + * ubi_wl_get_fm_peb - find a physical erase block with a given maximal number. + * @ubi: UBI device description object +@@ -277,8 +271,26 @@ static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi) + int ubi_ensure_anchor_pebs(struct ubi_device *ubi) + { + struct ubi_work *wrk; ++ struct ubi_wl_entry *anchor; + + spin_lock(&ubi->wl_lock); ++ ++ /* Do we already have an anchor? */ ++ if (ubi->fm_anchor) { ++ spin_unlock(&ubi->wl_lock); ++ return 0; ++ } ++ ++ /* See if we can find an anchor PEB on the list of free PEBs */ ++ anchor = ubi_wl_get_fm_peb(ubi, 1); ++ if (anchor) { ++ ubi->fm_anchor = anchor; ++ spin_unlock(&ubi->wl_lock); ++ return 0; ++ } ++ ++ /* No luck, trigger wear leveling to produce a new anchor PEB */ ++ ubi->fm_do_produce_anchor = 1; + if (ubi->wl_scheduled) { + spin_unlock(&ubi->wl_lock); + return 0; +@@ -294,7 +306,6 @@ int ubi_ensure_anchor_pebs(struct ubi_device *ubi) + return -ENOMEM; + } + +- wrk->anchor = 1; + wrk->func = &wear_leveling_worker; + __schedule_ubi_work(ubi, wrk); + return 0; +@@ -356,6 +367,11 @@ static void ubi_fastmap_close(struct ubi_device *ubi) + return_unused_pool_pebs(ubi, &ubi->fm_pool); + return_unused_pool_pebs(ubi, &ubi->fm_wl_pool); + ++ if (ubi->fm_anchor) { ++ return_unused_peb(ubi, ubi->fm_anchor); ++ ubi->fm_anchor = NULL; ++ } ++ + if (ubi->fm) { + for (i = 0; i < ubi->fm->used_blocks; i++) + kfree(ubi->fm->e[i]); +diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c +index 604772fc4a965..53f448e7433a9 100644 +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -1543,14 +1543,6 @@ int ubi_update_fastmap(struct ubi_device *ubi) + return 0; + } + +- ret = ubi_ensure_anchor_pebs(ubi); +- if (ret) { +- up_write(&ubi->fm_eba_sem); +- up_write(&ubi->work_sem); +- up_write(&ubi->fm_protect); +- return ret; +- } +- + new_fm = kzalloc(sizeof(*new_fm), GFP_KERNEL); + if (!new_fm) { + up_write(&ubi->fm_eba_sem); +@@ -1621,7 +1613,8 @@ int ubi_update_fastmap(struct ubi_device *ubi) + } + + spin_lock(&ubi->wl_lock); +- tmp_e = ubi_wl_get_fm_peb(ubi, 1); ++ tmp_e = ubi->fm_anchor; ++ ubi->fm_anchor = NULL; + spin_unlock(&ubi->wl_lock); + + if (old_fm) { +@@ -1673,6 +1666,9 @@ out_unlock: + up_write(&ubi->work_sem); + up_write(&ubi->fm_protect); + kfree(old_fm); ++ ++ ubi_ensure_anchor_pebs(ubi); ++ + return ret; + + err: +diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h +index 721b6aa7936cf..a173eb707bddb 100644 +--- a/drivers/mtd/ubi/ubi.h ++++ b/drivers/mtd/ubi/ubi.h +@@ -491,6 +491,8 @@ struct ubi_debug_info { + * @fm_work: fastmap work queue + * @fm_work_scheduled: non-zero if fastmap work was scheduled + * @fast_attach: non-zero if UBI was attached by fastmap ++ * @fm_anchor: The next anchor PEB to use for fastmap ++ * @fm_do_produce_anchor: If true produce an anchor PEB in wl + * + * @used: RB-tree of used physical eraseblocks + * @erroneous: RB-tree of erroneous used physical eraseblocks +@@ -599,6 +601,8 @@ struct ubi_device { + struct work_struct fm_work; + int fm_work_scheduled; + int fast_attach; ++ struct ubi_wl_entry *fm_anchor; ++ int fm_do_produce_anchor; + + /* Wear-leveling sub-system's stuff */ + struct rb_root used; +@@ -789,7 +793,6 @@ struct ubi_attach_info { + * @vol_id: the volume ID on which this erasure is being performed + * @lnum: the logical eraseblock number + * @torture: if the physical eraseblock has to be tortured +- * @anchor: produce a anchor PEB to by used by fastmap + * + * The @func pointer points to the worker function. If the @shutdown argument is + * not zero, the worker has to free the resources and exit immediately as the +@@ -805,7 +808,6 @@ struct ubi_work { + int vol_id; + int lnum; + int torture; +- int anchor; + }; + + #include "debug.h" +diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c +index 3fcdefe2714d0..5d77a38dba542 100644 +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -339,13 +339,6 @@ static struct ubi_wl_entry *find_wl_entry(struct ubi_device *ubi, + } + } + +- /* If no fastmap has been written and this WL entry can be used +- * as anchor PEB, hold it back and return the second best WL entry +- * such that fastmap can use the anchor PEB later. */ +- if (prev_e && !ubi->fm_disabled && +- !ubi->fm && e->pnum < UBI_FM_MAX_START) +- return prev_e; +- + return e; + } + +@@ -656,9 +649,6 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + { + int err, scrubbing = 0, torture = 0, protect = 0, erroneous = 0; + int erase = 0, keep = 0, vol_id = -1, lnum = -1; +-#ifdef CONFIG_MTD_UBI_FASTMAP +- int anchor = wrk->anchor; +-#endif + struct ubi_wl_entry *e1, *e2; + struct ubi_vid_io_buf *vidb; + struct ubi_vid_hdr *vid_hdr; +@@ -698,11 +688,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + } + + #ifdef CONFIG_MTD_UBI_FASTMAP +- /* Check whether we need to produce an anchor PEB */ +- if (!anchor) +- anchor = !anchor_pebs_available(&ubi->free); +- +- if (anchor) { ++ if (ubi->fm_do_produce_anchor) { + e1 = find_anchor_wl_entry(&ubi->used); + if (!e1) + goto out_cancel; +@@ -719,6 +705,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, + self_check_in_wl_tree(ubi, e1, &ubi->used); + rb_erase(&e1->u.rb, &ubi->used); + dbg_wl("anchor-move PEB %d to PEB %d", e1->pnum, e2->pnum); ++ ubi->fm_do_produce_anchor = 0; + } else if (!ubi->scrub.rb_node) { + #else + if (!ubi->scrub.rb_node) { +@@ -1051,7 +1038,6 @@ static int ensure_wear_leveling(struct ubi_device *ubi, int nested) + goto out_cancel; + } + +- wrk->anchor = 0; + wrk->func = &wear_leveling_worker; + if (nested) + __schedule_ubi_work(ubi, wrk); +@@ -1093,8 +1079,15 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk) + err = sync_erase(ubi, e, wl_wrk->torture); + if (!err) { + spin_lock(&ubi->wl_lock); +- wl_tree_add(e, &ubi->free); +- ubi->free_count++; ++ ++ if (!ubi->fm_anchor && e->pnum < UBI_FM_MAX_START) { ++ ubi->fm_anchor = e; ++ ubi->fm_do_produce_anchor = 0; ++ } else { ++ wl_tree_add(e, &ubi->free); ++ ubi->free_count++; ++ } ++ + spin_unlock(&ubi->wl_lock); + + /* +@@ -1882,6 +1875,9 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai) + if (err) + goto out_free; + ++#ifdef CONFIG_MTD_UBI_FASTMAP ++ ubi_ensure_anchor_pebs(ubi); ++#endif + return 0; + + out_free: +diff --git a/drivers/mtd/ubi/wl.h b/drivers/mtd/ubi/wl.h +index a9e2d669acd81..c93a532937863 100644 +--- a/drivers/mtd/ubi/wl.h ++++ b/drivers/mtd/ubi/wl.h +@@ -2,7 +2,6 @@ + #ifndef UBI_WL_H + #define UBI_WL_H + #ifdef CONFIG_MTD_UBI_FASTMAP +-static int anchor_pebs_available(struct rb_root *root); + static void update_fastmap_work_fn(struct work_struct *wrk); + static struct ubi_wl_entry *find_anchor_wl_entry(struct rb_root *root); + static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi); +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +index 7a248cc1055a3..7af7cc7c8669a 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -2654,8 +2654,10 @@ static int setup_dpni(struct fsl_mc_device *ls_dev) + + priv->cls_rules = devm_kzalloc(dev, sizeof(struct dpaa2_eth_cls_rule) * + dpaa2_eth_fs_count(priv), GFP_KERNEL); +- if (!priv->cls_rules) ++ if (!priv->cls_rules) { ++ err = -ENOMEM; + goto close; ++ } + + return 0; + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index f93ed70709c65..a2ee28e487a6f 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -542,8 +542,13 @@ void e1000_reinit_locked(struct e1000_adapter *adapter) + WARN_ON(in_interrupt()); + while (test_and_set_bit(__E1000_RESETTING, &adapter->flags)) + msleep(1); +- e1000_down(adapter); +- e1000_up(adapter); ++ ++ /* only run the task if not already down */ ++ if (!test_bit(__E1000_DOWN, &adapter->flags)) { ++ e1000_down(adapter); ++ e1000_up(adapter); ++ } ++ + clear_bit(__E1000_RESETTING, &adapter->flags); + } + +@@ -1433,10 +1438,15 @@ int e1000_close(struct net_device *netdev) + struct e1000_hw *hw = &adapter->hw; + int count = E1000_CHECK_RESET_COUNT; + +- while (test_bit(__E1000_RESETTING, &adapter->flags) && count--) ++ while (test_and_set_bit(__E1000_RESETTING, &adapter->flags) && count--) + usleep_range(10000, 20000); + +- WARN_ON(test_bit(__E1000_RESETTING, &adapter->flags)); ++ WARN_ON(count < 0); ++ ++ /* signal that we're down so that the reset task will no longer run */ ++ set_bit(__E1000_DOWN, &adapter->flags); ++ clear_bit(__E1000_RESETTING, &adapter->flags); ++ + e1000_down(adapter); + e1000_power_down_phy(adapter); + e1000_free_irq(adapter); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 34124c213d27c..222ae76809aa1 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3077,9 +3077,6 @@ static int iavf_delete_clsflower(struct iavf_adapter *adapter, + static int iavf_setup_tc_cls_flower(struct iavf_adapter *adapter, + struct flow_cls_offload *cls_flower) + { +- if (cls_flower->common.chain_index) +- return -EOPNOTSUPP; +- + switch (cls_flower->command) { + case FLOW_CLS_REPLACE: + return iavf_configure_clsflower(adapter, cls_flower); +@@ -3103,6 +3100,11 @@ static int iavf_setup_tc_cls_flower(struct iavf_adapter *adapter, + static int iavf_setup_tc_block_cb(enum tc_setup_type type, void *type_data, + void *cb_priv) + { ++ struct iavf_adapter *adapter = cb_priv; ++ ++ if (!tc_cls_can_offload_and_chain0(adapter->netdev, type_data)) ++ return -EOPNOTSUPP; ++ + switch (type) { + case TC_SETUP_CLSFLOWER: + return iavf_setup_tc_cls_flower(cb_priv, type_data); +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index 62673e27af0e8..fc9ff985a62bd 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -2635,14 +2635,14 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring) + netdev_info(netdev, "Changing Tx descriptor count from %d to %d\n", + vsi->tx_rings[0]->count, new_tx_cnt); + +- tx_rings = devm_kcalloc(&pf->pdev->dev, vsi->alloc_txq, ++ tx_rings = devm_kcalloc(&pf->pdev->dev, vsi->num_txq, + sizeof(*tx_rings), GFP_KERNEL); + if (!tx_rings) { + err = -ENOMEM; + goto done; + } + +- for (i = 0; i < vsi->alloc_txq; i++) { ++ ice_for_each_txq(vsi, i) { + /* clone ring and setup updated count */ + tx_rings[i] = *vsi->tx_rings[i]; + tx_rings[i].count = new_tx_cnt; +@@ -2667,14 +2667,14 @@ process_rx: + netdev_info(netdev, "Changing Rx descriptor count from %d to %d\n", + vsi->rx_rings[0]->count, new_rx_cnt); + +- rx_rings = devm_kcalloc(&pf->pdev->dev, vsi->alloc_rxq, ++ rx_rings = devm_kcalloc(&pf->pdev->dev, vsi->num_rxq, + sizeof(*rx_rings), GFP_KERNEL); + if (!rx_rings) { + err = -ENOMEM; + goto done; + } + +- for (i = 0; i < vsi->alloc_rxq; i++) { ++ ice_for_each_rxq(vsi, i) { + /* clone ring and setup updated count */ + rx_rings[i] = *vsi->rx_rings[i]; + rx_rings[i].count = new_rx_cnt; +@@ -2712,7 +2712,7 @@ process_link: + ice_down(vsi); + + if (tx_rings) { +- for (i = 0; i < vsi->alloc_txq; i++) { ++ ice_for_each_txq(vsi, i) { + ice_free_tx_ring(vsi->tx_rings[i]); + *vsi->tx_rings[i] = tx_rings[i]; + } +@@ -2720,7 +2720,7 @@ process_link: + } + + if (rx_rings) { +- for (i = 0; i < vsi->alloc_rxq; i++) { ++ ice_for_each_rxq(vsi, i) { + ice_free_rx_ring(vsi->rx_rings[i]); + /* copy the real tail offset */ + rx_rings[i].tail = vsi->rx_rings[i]->tail; +@@ -2744,7 +2744,7 @@ process_link: + free_tx: + /* error cleanup if the Rx allocations failed after getting Tx */ + if (tx_rings) { +- for (i = 0; i < vsi->alloc_txq; i++) ++ ice_for_each_txq(vsi, i) + ice_free_tx_ring(&tx_rings[i]); + devm_kfree(&pf->pdev->dev, tx_rings); + } +diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c +index 4456ce5325a74..a923c65532702 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -4142,7 +4142,8 @@ static int qed_hw_get_nvm_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + cdev->mf_bits = BIT(QED_MF_LLH_MAC_CLSS) | + BIT(QED_MF_LLH_PROTO_CLSS) | + BIT(QED_MF_LL2_NON_UNICAST) | +- BIT(QED_MF_INTER_PF_SWITCH); ++ BIT(QED_MF_INTER_PF_SWITCH) | ++ BIT(QED_MF_DISABLE_ARFS); + break; + case NVM_CFG1_GLOB_MF_MODE_DEFAULT: + cdev->mf_bits = BIT(QED_MF_LLH_MAC_CLSS) | +@@ -4155,6 +4156,14 @@ static int qed_hw_get_nvm_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + + DP_INFO(p_hwfn, "Multi function mode is 0x%lx\n", + cdev->mf_bits); ++ ++ /* In CMT the PF is unknown when the GFS block processes the ++ * packet. Therefore cannot use searcher as it has a per PF ++ * database, and thus ARFS must be disabled. ++ * ++ */ ++ if (QED_IS_CMT(cdev)) ++ cdev->mf_bits |= BIT(QED_MF_DISABLE_ARFS); + } + + DP_INFO(p_hwfn, "Multi function mode is 0x%lx\n", +diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.c b/drivers/net/ethernet/qlogic/qed/qed_l2.c +index 1a5fc2ae351c4..8a73482cb7a88 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c +@@ -2001,6 +2001,9 @@ void qed_arfs_mode_configure(struct qed_hwfn *p_hwfn, + struct qed_ptt *p_ptt, + struct qed_arfs_config_params *p_cfg_params) + { ++ if (test_bit(QED_MF_DISABLE_ARFS, &p_hwfn->cdev->mf_bits)) ++ return; ++ + if (p_cfg_params->mode != QED_FILTER_CONFIG_MODE_DISABLE) { + qed_gft_config(p_hwfn, p_ptt, p_hwfn->rel_pf_id, + p_cfg_params->tcp, +diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c +index e72f9f1d2e94d..bc1f5b36b5bf2 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -280,6 +280,8 @@ int qed_fill_dev_info(struct qed_dev *cdev, + dev_info->fw_eng = FW_ENGINEERING_VERSION; + dev_info->b_inter_pf_switch = test_bit(QED_MF_INTER_PF_SWITCH, + &cdev->mf_bits); ++ if (!test_bit(QED_MF_DISABLE_ARFS, &cdev->mf_bits)) ++ dev_info->b_arfs_capable = true; + dev_info->tx_switching = true; + + if (hw_info->b_wol_support == QED_WOL_SUPPORT_PME) +diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +index dcb5c917f3733..fb9c3ca5d36cc 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +@@ -96,6 +96,7 @@ static int qed_sp_vf_start(struct qed_hwfn *p_hwfn, struct qed_vf_info *p_vf) + p_ramrod->personality = PERSONALITY_ETH; + break; + case QED_PCI_ETH_ROCE: ++ case QED_PCI_ETH_IWARP: + p_ramrod->personality = PERSONALITY_RDMA_AND_ETH; + break; + default: +diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c +index c8bdbf057d5a2..5041994bf03fb 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c +@@ -336,6 +336,9 @@ int qede_alloc_arfs(struct qede_dev *edev) + { + int i; + ++ if (!edev->dev_info.common.b_arfs_capable) ++ return -EINVAL; ++ + edev->arfs = vzalloc(sizeof(*edev->arfs)); + if (!edev->arfs) + return -ENOMEM; +diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c +index 2c3d654c84543..ce3e62e73e4cd 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -770,7 +770,7 @@ static void qede_init_ndev(struct qede_dev *edev) + NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | + NETIF_F_TSO | NETIF_F_TSO6 | NETIF_F_HW_TC; + +- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) ++ if (edev->dev_info.common.b_arfs_capable) + hw_features |= NETIF_F_NTUPLE; + + if (edev->dev_info.common.vxlan_enable || +@@ -2211,7 +2211,7 @@ static void qede_unload(struct qede_dev *edev, enum qede_unload_mode mode, + qede_vlan_mark_nonconfigured(edev); + edev->ops->fastpath_stop(edev->cdev); + +- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) { ++ if (edev->dev_info.common.b_arfs_capable) { + qede_poll_for_freeing_arfs_filters(edev); + qede_free_arfs(edev); + } +@@ -2278,10 +2278,9 @@ static int qede_load(struct qede_dev *edev, enum qede_load_mode mode, + if (rc) + goto err2; + +- if (!IS_VF(edev) && edev->dev_info.common.num_hwfns == 1) { +- rc = qede_alloc_arfs(edev); +- if (rc) +- DP_NOTICE(edev, "aRFS memory allocation failed\n"); ++ if (qede_alloc_arfs(edev)) { ++ edev->ndev->features &= ~NETIF_F_NTUPLE; ++ edev->dev_info.common.b_arfs_capable = false; + } + + qede_napi_add_enable(edev); +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index 6fa9852e3f97f..903212ad9bb2f 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -6256,8 +6256,7 @@ static irqreturn_t rtl8169_interrupt(int irq, void *dev_instance) + if (unlikely(status & RxFIFOOver && + tp->mac_version == RTL_GIGA_MAC_VER_11)) { + netif_stop_queue(tp->dev); +- /* XXX - Hack alert. See rtl_task(). */ +- set_bit(RTL_FLAG_TASK_RESET_PENDING, tp->wk.flags); ++ rtl_schedule_task(tp, RTL_FLAG_TASK_RESET_PENDING); + } + + rtl_irq_disable(tp); +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet.h b/drivers/net/ethernet/xilinx/xilinx_axienet.h +index 2dacfc85b3baa..04e51af32178c 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet.h ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet.h +@@ -435,7 +435,7 @@ struct axienet_local { + void __iomem *regs; + void __iomem *dma_regs; + +- struct tasklet_struct dma_err_tasklet; ++ struct work_struct dma_err_task; + + int tx_irq; + int rx_irq; +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 479325eeaf8a0..bb6e52f3bdf9b 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -437,9 +437,10 @@ static void axienet_setoptions(struct net_device *ndev, u32 options) + lp->options |= options; + } + +-static void __axienet_device_reset(struct axienet_local *lp) ++static int __axienet_device_reset(struct axienet_local *lp) + { + u32 timeout; ++ + /* Reset Axi DMA. This would reset Axi Ethernet core as well. The reset + * process of Axi DMA takes a while to complete as all pending + * commands/transfers will be flushed or completed during this +@@ -455,9 +456,11 @@ static void __axienet_device_reset(struct axienet_local *lp) + if (--timeout == 0) { + netdev_err(lp->ndev, "%s: DMA reset timeout!\n", + __func__); +- break; ++ return -ETIMEDOUT; + } + } ++ ++ return 0; + } + + /** +@@ -470,13 +473,17 @@ static void __axienet_device_reset(struct axienet_local *lp) + * areconnected to Axi Ethernet reset lines, this in turn resets the Axi + * Ethernet core. No separate hardware reset is done for the Axi Ethernet + * core. ++ * Returns 0 on success or a negative error number otherwise. + */ +-static void axienet_device_reset(struct net_device *ndev) ++static int axienet_device_reset(struct net_device *ndev) + { + u32 axienet_status; + struct axienet_local *lp = netdev_priv(ndev); ++ int ret; + +- __axienet_device_reset(lp); ++ ret = __axienet_device_reset(lp); ++ if (ret) ++ return ret; + + lp->max_frm_size = XAE_MAX_VLAN_FRAME_SIZE; + lp->options |= XAE_OPTION_VLAN; +@@ -491,9 +498,11 @@ static void axienet_device_reset(struct net_device *ndev) + lp->options |= XAE_OPTION_JUMBO; + } + +- if (axienet_dma_bd_init(ndev)) { ++ ret = axienet_dma_bd_init(ndev); ++ if (ret) { + netdev_err(ndev, "%s: descriptor allocation failed\n", + __func__); ++ return ret; + } + + axienet_status = axienet_ior(lp, XAE_RCW1_OFFSET); +@@ -518,6 +527,8 @@ static void axienet_device_reset(struct net_device *ndev) + axienet_setoptions(ndev, lp->options); + + netif_trans_update(ndev); ++ ++ return 0; + } + + /** +@@ -806,7 +817,7 @@ static irqreturn_t axienet_tx_irq(int irq, void *_ndev) + /* Write to the Rx channel control register */ + axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, cr); + +- tasklet_schedule(&lp->dma_err_tasklet); ++ schedule_work(&lp->dma_err_task); + axienet_dma_out32(lp, XAXIDMA_TX_SR_OFFSET, status); + } + out: +@@ -855,7 +866,7 @@ static irqreturn_t axienet_rx_irq(int irq, void *_ndev) + /* write to the Rx channel control register */ + axienet_dma_out32(lp, XAXIDMA_RX_CR_OFFSET, cr); + +- tasklet_schedule(&lp->dma_err_tasklet); ++ schedule_work(&lp->dma_err_task); + axienet_dma_out32(lp, XAXIDMA_RX_SR_OFFSET, status); + } + out: +@@ -891,7 +902,7 @@ static irqreturn_t axienet_eth_irq(int irq, void *_ndev) + return IRQ_HANDLED; + } + +-static void axienet_dma_err_handler(unsigned long data); ++static void axienet_dma_err_handler(struct work_struct *work); + + /** + * axienet_open - Driver open routine. +@@ -921,8 +932,9 @@ static int axienet_open(struct net_device *ndev) + */ + mutex_lock(&lp->mii_bus->mdio_lock); + axienet_mdio_disable(lp); +- axienet_device_reset(ndev); +- ret = axienet_mdio_enable(lp); ++ ret = axienet_device_reset(ndev); ++ if (ret == 0) ++ ret = axienet_mdio_enable(lp); + mutex_unlock(&lp->mii_bus->mdio_lock); + if (ret < 0) + return ret; +@@ -935,9 +947,8 @@ static int axienet_open(struct net_device *ndev) + + phylink_start(lp->phylink); + +- /* Enable tasklets for Axi DMA error handling */ +- tasklet_init(&lp->dma_err_tasklet, axienet_dma_err_handler, +- (unsigned long) lp); ++ /* Enable worker thread for Axi DMA error handling */ ++ INIT_WORK(&lp->dma_err_task, axienet_dma_err_handler); + + /* Enable interrupts for Axi DMA Tx */ + ret = request_irq(lp->tx_irq, axienet_tx_irq, IRQF_SHARED, +@@ -966,7 +977,7 @@ err_rx_irq: + err_tx_irq: + phylink_stop(lp->phylink); + phylink_disconnect_phy(lp->phylink); +- tasklet_kill(&lp->dma_err_tasklet); ++ cancel_work_sync(&lp->dma_err_task); + dev_err(lp->dev, "request_irq() failed\n"); + return ret; + } +@@ -1025,7 +1036,7 @@ static int axienet_stop(struct net_device *ndev) + axienet_mdio_enable(lp); + mutex_unlock(&lp->mii_bus->mdio_lock); + +- tasklet_kill(&lp->dma_err_tasklet); ++ cancel_work_sync(&lp->dma_err_task); + + if (lp->eth_irq > 0) + free_irq(lp->eth_irq, ndev); +@@ -1505,17 +1516,18 @@ static const struct phylink_mac_ops axienet_phylink_ops = { + }; + + /** +- * axienet_dma_err_handler - Tasklet handler for Axi DMA Error +- * @data: Data passed ++ * axienet_dma_err_handler - Work queue task for Axi DMA Error ++ * @work: pointer to work_struct + * + * Resets the Axi DMA and Axi Ethernet devices, and reconfigures the + * Tx/Rx BDs. + */ +-static void axienet_dma_err_handler(unsigned long data) ++static void axienet_dma_err_handler(struct work_struct *work) + { + u32 axienet_status; + u32 cr, i; +- struct axienet_local *lp = (struct axienet_local *) data; ++ struct axienet_local *lp = container_of(work, struct axienet_local, ++ dma_err_task); + struct net_device *ndev = lp->ndev; + struct axidma_bd *cur_p; + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index 8dbccec6ac866..5945ac5f38eea 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -882,7 +882,9 @@ static int adf7242_rx(struct adf7242_local *lp) + int ret; + u8 lqi, len_u8, *data; + +- adf7242_read_reg(lp, 0, &len_u8); ++ ret = adf7242_read_reg(lp, 0, &len_u8); ++ if (ret) ++ return ret; + + len = len_u8; + +diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c +index 430c937861534..25dbea302fb6d 100644 +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2924,6 +2924,7 @@ static int ca8210_dev_com_init(struct ca8210_priv *priv) + ); + if (!priv->irq_workqueue) { + dev_crit(&priv->spi->dev, "alloc of irq_workqueue failed!\n"); ++ destroy_workqueue(priv->mlme_workqueue); + return -ENOMEM; + } + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index da2d179430ca5..4c57e79e5779a 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -1770,6 +1770,8 @@ static const struct usb_device_id ar5523_id_table[] = { + AR5523_DEVICE_UX(0x0846, 0x4300), /* Netgear / WG111U */ + AR5523_DEVICE_UG(0x0846, 0x4250), /* Netgear / WG111T */ + AR5523_DEVICE_UG(0x0846, 0x5f00), /* Netgear / WPN111 */ ++ AR5523_DEVICE_UG(0x083a, 0x4506), /* SMC / EZ Connect ++ SMCWUSBT-G2 */ + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / AR5523_1 */ + AR5523_DEVICE_UX(0x157e, 0x3205), /* Umedia / AR5523_2 */ + AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / TEW444UBEU */ +diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c +index bd2b5628f850b..04c50a26a4f47 100644 +--- a/drivers/net/wireless/ath/ath10k/debug.c ++++ b/drivers/net/wireless/ath/ath10k/debug.c +@@ -1516,7 +1516,7 @@ static void ath10k_tpc_stats_print(struct ath10k_tpc_stats *tpc_stats, + *len += scnprintf(buf + *len, buf_len - *len, + "No. Preamble Rate_code "); + +- for (i = 0; i < WMI_TPC_TX_N_CHAIN; i++) ++ for (i = 0; i < tpc_stats->num_tx_chain; i++) + *len += scnprintf(buf + *len, buf_len - *len, + "tpc_value%d ", i); + +@@ -2532,6 +2532,7 @@ void ath10k_debug_destroy(struct ath10k *ar) + ath10k_debug_fw_stats_reset(ar); + + kfree(ar->debug.tpc_stats); ++ kfree(ar->debug.tpc_stats_final); + } + + int ath10k_debug_register(struct ath10k *ar) +diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c +index 9870d2d095c87..8fe626deadeb0 100644 +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -1582,23 +1582,33 @@ static int ath10k_sdio_hif_diag_read(struct ath10k *ar, u32 address, void *buf, + size_t buf_len) + { + int ret; ++ void *mem; ++ ++ mem = kzalloc(buf_len, GFP_KERNEL); ++ if (!mem) ++ return -ENOMEM; + + /* set window register to start read cycle */ + ret = ath10k_sdio_write32(ar, MBOX_WINDOW_READ_ADDR_ADDRESS, address); + if (ret) { + ath10k_warn(ar, "failed to set mbox window read address: %d", ret); +- return ret; ++ goto out; + } + + /* read the data */ +- ret = ath10k_sdio_read(ar, MBOX_WINDOW_DATA_ADDRESS, buf, buf_len); ++ ret = ath10k_sdio_read(ar, MBOX_WINDOW_DATA_ADDRESS, mem, buf_len); + if (ret) { + ath10k_warn(ar, "failed to read from mbox window data address: %d\n", + ret); +- return ret; ++ goto out; + } + +- return 0; ++ memcpy(buf, mem, buf_len); ++ ++out: ++ kfree(mem); ++ ++ return ret; + } + + static int ath10k_sdio_hif_diag_read32(struct ath10k *ar, u32 address, +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index 90f1197a6ad84..2675174cc4fec 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -4668,16 +4668,13 @@ static void ath10k_tpc_config_disp_tables(struct ath10k *ar, + } + + pream_idx = 0; +- for (i = 0; i < __le32_to_cpu(ev->rate_max); i++) { ++ for (i = 0; i < tpc_stats->rate_max; i++) { + memset(tpc_value, 0, sizeof(tpc_value)); + memset(buff, 0, sizeof(buff)); + if (i == pream_table[pream_idx]) + pream_idx++; + +- for (j = 0; j < WMI_TPC_TX_N_CHAIN; j++) { +- if (j >= __le32_to_cpu(ev->num_tx_chain)) +- break; +- ++ for (j = 0; j < tpc_stats->num_tx_chain; j++) { + tpc[j] = ath10k_tpc_config_get_rate(ar, ev, i, j + 1, + rate_code[i], + type); +@@ -4790,7 +4787,7 @@ void ath10k_wmi_tpc_config_get_rate_code(u8 *rate_code, u16 *pream_table, + + void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) + { +- u32 num_tx_chain; ++ u32 num_tx_chain, rate_max; + u8 rate_code[WMI_TPC_RATE_MAX]; + u16 pream_table[WMI_TPC_PREAM_TABLE_MAX]; + struct wmi_pdev_tpc_config_event *ev; +@@ -4806,6 +4803,13 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) + return; + } + ++ rate_max = __le32_to_cpu(ev->rate_max); ++ if (rate_max > WMI_TPC_RATE_MAX) { ++ ath10k_warn(ar, "number of rate is %d greater than TPC configured rate %d\n", ++ rate_max, WMI_TPC_RATE_MAX); ++ rate_max = WMI_TPC_RATE_MAX; ++ } ++ + tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC); + if (!tpc_stats) + return; +@@ -4822,8 +4826,8 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) + __le32_to_cpu(ev->twice_antenna_reduction); + tpc_stats->power_limit = __le32_to_cpu(ev->power_limit); + tpc_stats->twice_max_rd_power = __le32_to_cpu(ev->twice_max_rd_power); +- tpc_stats->num_tx_chain = __le32_to_cpu(ev->num_tx_chain); +- tpc_stats->rate_max = __le32_to_cpu(ev->rate_max); ++ tpc_stats->num_tx_chain = num_tx_chain; ++ tpc_stats->rate_max = rate_max; + + ath10k_tpc_config_disp_tables(ar, ev, tpc_stats, + rate_code, pream_table, +@@ -5018,16 +5022,13 @@ ath10k_wmi_tpc_stats_final_disp_tables(struct ath10k *ar, + } + + pream_idx = 0; +- for (i = 0; i < __le32_to_cpu(ev->rate_max); i++) { ++ for (i = 0; i < tpc_stats->rate_max; i++) { + memset(tpc_value, 0, sizeof(tpc_value)); + memset(buff, 0, sizeof(buff)); + if (i == pream_table[pream_idx]) + pream_idx++; + +- for (j = 0; j < WMI_TPC_TX_N_CHAIN; j++) { +- if (j >= __le32_to_cpu(ev->num_tx_chain)) +- break; +- ++ for (j = 0; j < tpc_stats->num_tx_chain; j++) { + tpc[j] = ath10k_wmi_tpc_final_get_rate(ar, ev, i, j + 1, + rate_code[i], + type, pream_idx); +@@ -5043,7 +5044,7 @@ ath10k_wmi_tpc_stats_final_disp_tables(struct ath10k *ar, + + void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb) + { +- u32 num_tx_chain; ++ u32 num_tx_chain, rate_max; + u8 rate_code[WMI_TPC_FINAL_RATE_MAX]; + u16 pream_table[WMI_TPC_PREAM_TABLE_MAX]; + struct wmi_pdev_tpc_final_table_event *ev; +@@ -5051,12 +5052,24 @@ void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb) + + ev = (struct wmi_pdev_tpc_final_table_event *)skb->data; + ++ num_tx_chain = __le32_to_cpu(ev->num_tx_chain); ++ if (num_tx_chain > WMI_TPC_TX_N_CHAIN) { ++ ath10k_warn(ar, "number of tx chain is %d greater than TPC final configured tx chain %d\n", ++ num_tx_chain, WMI_TPC_TX_N_CHAIN); ++ return; ++ } ++ ++ rate_max = __le32_to_cpu(ev->rate_max); ++ if (rate_max > WMI_TPC_FINAL_RATE_MAX) { ++ ath10k_warn(ar, "number of rate is %d greater than TPC final configured rate %d\n", ++ rate_max, WMI_TPC_FINAL_RATE_MAX); ++ rate_max = WMI_TPC_FINAL_RATE_MAX; ++ } ++ + tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC); + if (!tpc_stats) + return; + +- num_tx_chain = __le32_to_cpu(ev->num_tx_chain); +- + ath10k_wmi_tpc_config_get_rate_code(rate_code, pream_table, + num_tx_chain); + +@@ -5069,8 +5082,8 @@ void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb) + __le32_to_cpu(ev->twice_antenna_reduction); + tpc_stats->power_limit = __le32_to_cpu(ev->power_limit); + tpc_stats->twice_max_rd_power = __le32_to_cpu(ev->twice_max_rd_power); +- tpc_stats->num_tx_chain = __le32_to_cpu(ev->num_tx_chain); +- tpc_stats->rate_max = __le32_to_cpu(ev->rate_max); ++ tpc_stats->num_tx_chain = num_tx_chain; ++ tpc_stats->rate_max = rate_max; + + ath10k_wmi_tpc_stats_final_disp_tables(ar, ev, tpc_stats, + rate_code, pream_table, +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +index eadc64454839d..3d36b6ee158bb 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c +@@ -2149,8 +2149,7 @@ int brcmf_fws_process_skb(struct brcmf_if *ifp, struct sk_buff *skb) + brcmf_fws_enq(fws, BRCMF_FWS_SKBSTATE_DELAYED, fifo, skb); + brcmf_fws_schedule_deq(fws); + } else { +- bphy_err(drvr, "drop skb: no hanger slot\n"); +- brcmf_txfinalize(ifp, skb, false); ++ bphy_err(drvr, "no hanger slot available\n"); + rc = -ENOMEM; + } + brcmf_fws_unlock(fws); +diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h +index 1fb76d2f5d3fd..8b9d0809daf62 100644 +--- a/drivers/net/wireless/marvell/mwifiex/fw.h ++++ b/drivers/net/wireless/marvell/mwifiex/fw.h +@@ -953,7 +953,7 @@ struct mwifiex_tkip_param { + struct mwifiex_aes_param { + u8 pn[WPA_PN_SIZE]; + __le16 key_len; +- u8 key[WLAN_KEY_LEN_CCMP]; ++ u8 key[WLAN_KEY_LEN_CCMP_256]; + } __packed; + + struct mwifiex_wapi_param { +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +index 7ae2c34f65db2..4eaa493e33253 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c +@@ -619,7 +619,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + key_v2 = &resp->params.key_material_v2; + + len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); +- if (len > WLAN_KEY_LEN_CCMP) ++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key)) + return -EINVAL; + + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { +@@ -635,7 +635,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + return 0; + + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, +- WLAN_KEY_LEN_CCMP); ++ sizeof(key_v2->key_param_set.key_params.aes.key)); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = + cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c +index cbff0dfc96311..f8441fd65400c 100644 +--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c ++++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c +@@ -268,6 +268,7 @@ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid) + if (!skb) + continue; + ++ tid->reorder_buf[i] = NULL; + tid->nframes--; + dev_kfree_skb(skb); + } +diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c +index 6249a46c19762..026d996612fbe 100644 +--- a/drivers/net/wireless/mediatek/mt76/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/dma.c +@@ -261,10 +261,13 @@ mt76_dma_tx_queue_skb_raw(struct mt76_dev *dev, enum mt76_txq_id qid, + struct mt76_queue_buf buf; + dma_addr_t addr; + ++ if (q->queued + 1 >= q->ndesc - 1) ++ goto error; ++ + addr = dma_map_single(dev->dev, skb->data, skb->len, + DMA_TO_DEVICE); + if (unlikely(dma_mapping_error(dev->dev, addr))) +- return -ENOMEM; ++ goto error; + + buf.addr = addr; + buf.len = skb->len; +@@ -275,6 +278,10 @@ mt76_dma_tx_queue_skb_raw(struct mt76_dev *dev, enum mt76_txq_id qid, + spin_unlock_bh(&q->lock); + + return 0; ++ ++error: ++ dev_kfree_skb(skb); ++ return -ENOMEM; + } + + static int +diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c +index 1a2c143b34d01..8bd191347b9fb 100644 +--- a/drivers/net/wireless/mediatek/mt76/mac80211.c ++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c +@@ -105,7 +105,15 @@ static int mt76_led_init(struct mt76_dev *dev) + dev->led_al = of_property_read_bool(np, "led-active-low"); + } + +- return devm_led_classdev_register(dev->dev, &dev->led_cdev); ++ return led_classdev_register(dev->dev, &dev->led_cdev); ++} ++ ++static void mt76_led_cleanup(struct mt76_dev *dev) ++{ ++ if (!dev->led_cdev.brightness_set && !dev->led_cdev.blink_set) ++ return; ++ ++ led_classdev_unregister(&dev->led_cdev); + } + + static void mt76_init_stream_cap(struct mt76_dev *dev, +@@ -360,6 +368,8 @@ void mt76_unregister_device(struct mt76_dev *dev) + { + struct ieee80211_hw *hw = dev->hw; + ++ if (IS_ENABLED(CONFIG_MT76_LEDS)) ++ mt76_led_cleanup(dev); + mt76_tx_status_check(dev, NULL, true); + ieee80211_unregister_hw(hw); + } +diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/main.c b/drivers/net/wireless/mediatek/mt76/mt7603/main.c +index 25d5b1608bc91..0a5695c3d9241 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7603/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7603/main.c +@@ -561,6 +561,7 @@ mt7603_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + + mtxq = (struct mt76_txq *)txq->drv_priv; + ++ mutex_lock(&dev->mt76.mutex); + switch (action) { + case IEEE80211_AMPDU_RX_START: + mt76_rx_aggr_start(&dev->mt76, &msta->wcid, tid, ssn, +@@ -590,6 +591,7 @@ mt7603_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); + break; + } ++ mutex_unlock(&dev->mt76.mutex); + + return 0; + } +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +index 87c748715b5d7..38183aef0eb92 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +@@ -455,6 +455,7 @@ mt7615_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + + mtxq = (struct mt76_txq *)txq->drv_priv; + ++ mutex_lock(&dev->mt76.mutex); + switch (action) { + case IEEE80211_AMPDU_RX_START: + mt76_rx_aggr_start(&dev->mt76, &msta->wcid, tid, ssn, +@@ -485,6 +486,7 @@ mt7615_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); + break; + } ++ mutex_unlock(&dev->mt76.mutex); + + return 0; + } +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c +index aec73a0295e86..de0d6f21c621c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c +@@ -371,6 +371,7 @@ int mt76x02_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + + mtxq = (struct mt76_txq *)txq->drv_priv; + ++ mutex_lock(&dev->mt76.mutex); + switch (action) { + case IEEE80211_AMPDU_RX_START: + mt76_rx_aggr_start(&dev->mt76, &msta->wcid, tid, +@@ -400,6 +401,7 @@ int mt76x02_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); + break; + } ++ mutex_unlock(&dev->mt76.mutex); + + return 0; + } +diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c +index 547ad538d8b66..5f74cf821068d 100644 +--- a/drivers/net/wireless/ti/wlcore/main.c ++++ b/drivers/net/wireless/ti/wlcore/main.c +@@ -3658,8 +3658,10 @@ void wlcore_regdomain_config(struct wl1271 *wl) + goto out; + + ret = pm_runtime_get_sync(wl->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_autosuspend(wl->dev); + goto out; ++ } + + ret = wlcore_cmd_regdomain_config_locked(wl); + if (ret < 0) { +diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c +index 90e56d4c3df3b..e20e18cd04aed 100644 +--- a/drivers/net/wireless/ti/wlcore/tx.c ++++ b/drivers/net/wireless/ti/wlcore/tx.c +@@ -863,6 +863,7 @@ void wl1271_tx_work(struct work_struct *work) + + ret = wlcore_tx_work_locked(wl); + if (ret < 0) { ++ pm_runtime_put_noidle(wl->dev); + wl12xx_queue_recovery_work(wl); + goto out; + } +diff --git a/drivers/nvme/host/Kconfig b/drivers/nvme/host/Kconfig +index 2b36f052bfb91..7b3f6555e67ba 100644 +--- a/drivers/nvme/host/Kconfig ++++ b/drivers/nvme/host/Kconfig +@@ -64,6 +64,7 @@ config NVME_TCP + depends on INET + depends on BLK_DEV_NVME + select NVME_FABRICS ++ select CRYPTO + select CRYPTO_CRC32C + help + This provides support for the NVMe over Fabrics protocol using +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 2d2673d360ff2..2cd32901d95c7 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -288,11 +288,8 @@ void nvme_complete_rq(struct request *req) + nvme_req(req)->ctrl->comp_seen = true; + + if (unlikely(status != BLK_STS_OK && nvme_req_needs_retry(req))) { +- if ((req->cmd_flags & REQ_NVME_MPATH) && +- blk_path_error(status)) { +- nvme_failover_req(req); ++ if ((req->cmd_flags & REQ_NVME_MPATH) && nvme_failover_req(req)) + return; +- } + + if (!blk_queue_dying(req->q)) { + nvme_retry_req(req); +@@ -1867,7 +1864,7 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id) + if (ns->head->disk) { + nvme_update_disk_info(ns->head->disk, ns, id); + blk_queue_stack_limits(ns->head->disk->queue, ns->queue); +- revalidate_disk(ns->head->disk); ++ nvme_mpath_update_disk_size(ns->head->disk); + } + #endif + } +@@ -3200,6 +3197,10 @@ static ssize_t nvme_sysfs_delete(struct device *dev, + { + struct nvme_ctrl *ctrl = dev_get_drvdata(dev); + ++ /* Can't delete non-created controllers */ ++ if (!ctrl->created) ++ return -EBUSY; ++ + if (device_remove_file_self(dev, attr)) + nvme_delete_ctrl_sync(ctrl); + return count; +@@ -3995,6 +3996,7 @@ void nvme_start_ctrl(struct nvme_ctrl *ctrl) + nvme_queue_scan(ctrl); + nvme_start_queues(ctrl); + } ++ ctrl->created = true; + } + EXPORT_SYMBOL_GPL(nvme_start_ctrl); + +@@ -4085,6 +4087,7 @@ int nvme_init_ctrl(struct nvme_ctrl *ctrl, struct device *dev, + if (ret) + goto out_release_instance; + ++ nvme_get_ctrl(ctrl); + cdev_init(&ctrl->cdev, &nvme_dev_fops); + ctrl->cdev.owner = ops->module; + ret = cdev_device_add(&ctrl->cdev, ctrl->device); +@@ -4103,6 +4106,7 @@ int nvme_init_ctrl(struct nvme_ctrl *ctrl, struct device *dev, + + return 0; + out_free_name: ++ nvme_put_ctrl(ctrl); + kfree_const(ctrl->device->kobj.name); + out_release_instance: + ida_simple_remove(&nvme_instance_ida, ctrl->instance); +diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c +index dae050d1f814d..da801a14cd13d 100644 +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3171,10 +3171,7 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts, + goto fail_ctrl; + } + +- nvme_get_ctrl(&ctrl->ctrl); +- + if (!queue_delayed_work(nvme_wq, &ctrl->connect_work, 0)) { +- nvme_put_ctrl(&ctrl->ctrl); + dev_err(ctrl->ctrl.device, + "NVME-FC{%d}: failed to schedule initial connect\n", + ctrl->cnum); +@@ -3199,6 +3196,7 @@ fail_ctrl: + + /* initiate nvme ctrl ref counting teardown */ + nvme_uninit_ctrl(&ctrl->ctrl); ++ nvme_put_ctrl(&ctrl->ctrl); + + /* Remove core ctrl ref. */ + nvme_put_ctrl(&ctrl->ctrl); +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 0a458f7880887..3968f89f7855a 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -65,17 +65,12 @@ void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, + } + } + +-void nvme_failover_req(struct request *req) ++bool nvme_failover_req(struct request *req) + { + struct nvme_ns *ns = req->q->queuedata; + u16 status = nvme_req(req)->status; + unsigned long flags; + +- spin_lock_irqsave(&ns->head->requeue_lock, flags); +- blk_steal_bios(&ns->head->requeue_list, req); +- spin_unlock_irqrestore(&ns->head->requeue_lock, flags); +- blk_mq_end_request(req, 0); +- + switch (status & 0x7ff) { + case NVME_SC_ANA_TRANSITION: + case NVME_SC_ANA_INACCESSIBLE: +@@ -104,15 +99,17 @@ void nvme_failover_req(struct request *req) + nvme_mpath_clear_current_path(ns); + break; + default: +- /* +- * Reset the controller for any non-ANA error as we don't know +- * what caused the error. +- */ +- nvme_reset_ctrl(ns->ctrl); +- break; ++ /* This was a non-ANA error so follow the normal error path. */ ++ return false; + } + ++ spin_lock_irqsave(&ns->head->requeue_lock, flags); ++ blk_steal_bios(&ns->head->requeue_list, req); ++ spin_unlock_irqrestore(&ns->head->requeue_lock, flags); ++ blk_mq_end_request(req, 0); ++ + kblockd_schedule_work(&ns->head->requeue_work); ++ return true; + } + + void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl) +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 2bd9f7c3084f2..b7117fb09dd0f 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -253,6 +253,7 @@ struct nvme_ctrl { + struct nvme_command ka_cmd; + struct work_struct fw_act_work; + unsigned long events; ++ bool created; + + #ifdef CONFIG_NVME_MULTIPATH + /* asymmetric namespace access: */ +@@ -530,7 +531,7 @@ void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys); + void nvme_mpath_start_freeze(struct nvme_subsystem *subsys); + void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, + struct nvme_ctrl *ctrl, int *flags); +-void nvme_failover_req(struct request *req); ++bool nvme_failover_req(struct request *req); + void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl); + int nvme_mpath_alloc_disk(struct nvme_ctrl *ctrl,struct nvme_ns_head *head); + void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id); +@@ -560,6 +561,16 @@ static inline void nvme_trace_bio_complete(struct request *req, + req->bio, status); + } + ++static inline void nvme_mpath_update_disk_size(struct gendisk *disk) ++{ ++ struct block_device *bdev = bdget_disk(disk, 0); ++ ++ if (bdev) { ++ bd_set_size(bdev, get_capacity(disk) << SECTOR_SHIFT); ++ bdput(bdev); ++ } ++} ++ + extern struct device_attribute dev_attr_ana_grpid; + extern struct device_attribute dev_attr_ana_state; + extern struct device_attribute subsys_attr_iopolicy; +@@ -579,8 +590,9 @@ static inline void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns, + sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance); + } + +-static inline void nvme_failover_req(struct request *req) ++static inline bool nvme_failover_req(struct request *req) + { ++ return false; + } + static inline void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl) + { +@@ -634,6 +646,9 @@ static inline void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys) + static inline void nvme_mpath_start_freeze(struct nvme_subsystem *subsys) + { + } ++static inline void nvme_mpath_update_disk_size(struct gendisk *disk) ++{ ++} + #endif /* CONFIG_NVME_MULTIPATH */ + + #ifdef CONFIG_NVM +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index a91433bdf5de4..75f26d2ec6429 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2850,7 +2850,6 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id) + dev_info(dev->ctrl.device, "pci function %s\n", dev_name(&pdev->dev)); + + nvme_reset_ctrl(&dev->ctrl); +- nvme_get_ctrl(&dev->ctrl); + async_schedule(nvme_async_probe, dev); + + return 0; +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index f9444272f861e..abe4fe496d05c 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -2088,8 +2088,6 @@ static struct nvme_ctrl *nvme_rdma_create_ctrl(struct device *dev, + dev_info(ctrl->ctrl.device, "new ctrl: NQN \"%s\", addr %pISpcs\n", + ctrl->ctrl.opts->subsysnqn, &ctrl->addr); + +- nvme_get_ctrl(&ctrl->ctrl); +- + mutex_lock(&nvme_rdma_ctrl_mutex); + list_add_tail(&ctrl->list, &nvme_rdma_ctrl_list); + mutex_unlock(&nvme_rdma_ctrl_mutex); +@@ -2099,6 +2097,7 @@ static struct nvme_ctrl *nvme_rdma_create_ctrl(struct device *dev, + out_uninit_ctrl: + nvme_uninit_ctrl(&ctrl->ctrl); + nvme_put_ctrl(&ctrl->ctrl); ++ nvme_put_ctrl(&ctrl->ctrl); + if (ret > 0) + ret = -EIO; + return ERR_PTR(ret); +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index c782005ee99f9..6d7a813e7183a 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -2404,8 +2404,6 @@ static struct nvme_ctrl *nvme_tcp_create_ctrl(struct device *dev, + dev_info(ctrl->ctrl.device, "new ctrl: NQN \"%s\", addr %pISp\n", + ctrl->ctrl.opts->subsysnqn, &ctrl->addr); + +- nvme_get_ctrl(&ctrl->ctrl); +- + mutex_lock(&nvme_tcp_ctrl_mutex); + list_add_tail(&ctrl->list, &nvme_tcp_ctrl_list); + mutex_unlock(&nvme_tcp_ctrl_mutex); +@@ -2415,6 +2413,7 @@ static struct nvme_ctrl *nvme_tcp_create_ctrl(struct device *dev, + out_uninit_ctrl: + nvme_uninit_ctrl(&ctrl->ctrl); + nvme_put_ctrl(&ctrl->ctrl); ++ nvme_put_ctrl(&ctrl->ctrl); + if (ret > 0) + ret = -EIO; + return ERR_PTR(ret); +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 11f5aea97d1b1..82b87a4c50f63 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -619,8 +619,6 @@ static struct nvme_ctrl *nvme_loop_create_ctrl(struct device *dev, + dev_info(ctrl->ctrl.device, + "new ctrl: \"%s\"\n", ctrl->ctrl.opts->subsysnqn); + +- nvme_get_ctrl(&ctrl->ctrl); +- + changed = nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_LIVE); + WARN_ON_ONCE(!changed); + +@@ -638,6 +636,7 @@ out_free_queues: + kfree(ctrl->queues); + out_uninit_ctrl: + nvme_uninit_ctrl(&ctrl->ctrl); ++ nvme_put_ctrl(&ctrl->ctrl); + out_put_ctrl: + nvme_put_ctrl(&ctrl->ctrl); + if (ret > 0) +diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c +index 36d906a7f70d3..b5314164479e9 100644 +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -75,6 +75,7 @@ enum nvmet_rdma_queue_state { + + struct nvmet_rdma_queue { + struct rdma_cm_id *cm_id; ++ struct ib_qp *qp; + struct nvmet_port *port; + struct ib_cq *cq; + atomic_t sq_wr_avail; +@@ -464,7 +465,7 @@ static int nvmet_rdma_post_recv(struct nvmet_rdma_device *ndev, + if (ndev->srq) + ret = ib_post_srq_recv(ndev->srq, &cmd->wr, NULL); + else +- ret = ib_post_recv(cmd->queue->cm_id->qp, &cmd->wr, NULL); ++ ret = ib_post_recv(cmd->queue->qp, &cmd->wr, NULL); + + if (unlikely(ret)) + pr_err("post_recv cmd failed\n"); +@@ -503,7 +504,7 @@ static void nvmet_rdma_release_rsp(struct nvmet_rdma_rsp *rsp) + atomic_add(1 + rsp->n_rdma, &queue->sq_wr_avail); + + if (rsp->n_rdma) { +- rdma_rw_ctx_destroy(&rsp->rw, queue->cm_id->qp, ++ rdma_rw_ctx_destroy(&rsp->rw, queue->qp, + queue->cm_id->port_num, rsp->req.sg, + rsp->req.sg_cnt, nvmet_data_dir(&rsp->req)); + } +@@ -587,7 +588,7 @@ static void nvmet_rdma_read_data_done(struct ib_cq *cq, struct ib_wc *wc) + + WARN_ON(rsp->n_rdma <= 0); + atomic_add(rsp->n_rdma, &queue->sq_wr_avail); +- rdma_rw_ctx_destroy(&rsp->rw, queue->cm_id->qp, ++ rdma_rw_ctx_destroy(&rsp->rw, queue->qp, + queue->cm_id->port_num, rsp->req.sg, + rsp->req.sg_cnt, nvmet_data_dir(&rsp->req)); + rsp->n_rdma = 0; +@@ -742,7 +743,7 @@ static bool nvmet_rdma_execute_command(struct nvmet_rdma_rsp *rsp) + } + + if (nvmet_rdma_need_data_in(rsp)) { +- if (rdma_rw_ctx_post(&rsp->rw, queue->cm_id->qp, ++ if (rdma_rw_ctx_post(&rsp->rw, queue->qp, + queue->cm_id->port_num, &rsp->read_cqe, NULL)) + nvmet_req_complete(&rsp->req, NVME_SC_DATA_XFER_ERROR); + } else { +@@ -1025,6 +1026,7 @@ static int nvmet_rdma_create_queue_ib(struct nvmet_rdma_queue *queue) + pr_err("failed to create_qp ret= %d\n", ret); + goto err_destroy_cq; + } ++ queue->qp = queue->cm_id->qp; + + atomic_set(&queue->sq_wr_avail, qp_attr.cap.max_send_wr); + +@@ -1053,11 +1055,10 @@ err_destroy_cq: + + static void nvmet_rdma_destroy_queue_ib(struct nvmet_rdma_queue *queue) + { +- struct ib_qp *qp = queue->cm_id->qp; +- +- ib_drain_qp(qp); +- rdma_destroy_id(queue->cm_id); +- ib_destroy_qp(qp); ++ ib_drain_qp(queue->qp); ++ if (queue->cm_id) ++ rdma_destroy_id(queue->cm_id); ++ ib_destroy_qp(queue->qp); + ib_free_cq(queue->cq); + } + +@@ -1291,9 +1292,12 @@ static int nvmet_rdma_queue_connect(struct rdma_cm_id *cm_id, + + ret = nvmet_rdma_cm_accept(cm_id, queue, &event->param.conn); + if (ret) { +- schedule_work(&queue->release_work); +- /* Destroying rdma_cm id is not needed here */ +- return 0; ++ /* ++ * Don't destroy the cm_id in free path, as we implicitly ++ * destroy the cm_id here with non-zero ret code. ++ */ ++ queue->cm_id = NULL; ++ goto free_queue; + } + + mutex_lock(&nvmet_rdma_queue_mutex); +@@ -1302,6 +1306,8 @@ static int nvmet_rdma_queue_connect(struct rdma_cm_id *cm_id, + + return 0; + ++free_queue: ++ nvmet_rdma_free_queue(queue); + put_device: + kref_put(&ndev->ref, nvmet_rdma_free_dev); + +diff --git a/drivers/opp/core.c b/drivers/opp/core.c +index 7b057c32e11b1..29dfaa591f8b0 100644 +--- a/drivers/opp/core.c ++++ b/drivers/opp/core.c +@@ -990,7 +990,6 @@ static struct opp_table *_allocate_opp_table(struct device *dev, int index) + BLOCKING_INIT_NOTIFIER_HEAD(&opp_table->head); + INIT_LIST_HEAD(&opp_table->opp_list); + kref_init(&opp_table->kref); +- kref_init(&opp_table->list_kref); + + /* Secure the device table modification */ + list_add(&opp_table->node, &opp_tables); +@@ -1074,33 +1073,6 @@ static void _opp_table_kref_release(struct kref *kref) + mutex_unlock(&opp_table_lock); + } + +-void _opp_remove_all_static(struct opp_table *opp_table) +-{ +- struct dev_pm_opp *opp, *tmp; +- +- list_for_each_entry_safe(opp, tmp, &opp_table->opp_list, node) { +- if (!opp->dynamic) +- dev_pm_opp_put(opp); +- } +- +- opp_table->parsed_static_opps = false; +-} +- +-static void _opp_table_list_kref_release(struct kref *kref) +-{ +- struct opp_table *opp_table = container_of(kref, struct opp_table, +- list_kref); +- +- _opp_remove_all_static(opp_table); +- mutex_unlock(&opp_table_lock); +-} +- +-void _put_opp_list_kref(struct opp_table *opp_table) +-{ +- kref_put_mutex(&opp_table->list_kref, _opp_table_list_kref_release, +- &opp_table_lock); +-} +- + void dev_pm_opp_put_opp_table(struct opp_table *opp_table) + { + kref_put_mutex(&opp_table->kref, _opp_table_kref_release, +@@ -1204,6 +1176,24 @@ void dev_pm_opp_remove(struct device *dev, unsigned long freq) + } + EXPORT_SYMBOL_GPL(dev_pm_opp_remove); + ++void _opp_remove_all_static(struct opp_table *opp_table) ++{ ++ struct dev_pm_opp *opp, *tmp; ++ ++ mutex_lock(&opp_table->lock); ++ ++ if (!opp_table->parsed_static_opps || --opp_table->parsed_static_opps) ++ goto unlock; ++ ++ list_for_each_entry_safe(opp, tmp, &opp_table->opp_list, node) { ++ if (!opp->dynamic) ++ dev_pm_opp_put_unlocked(opp); ++ } ++ ++unlock: ++ mutex_unlock(&opp_table->lock); ++} ++ + /** + * dev_pm_opp_remove_all_dynamic() - Remove all dynamically created OPPs + * @dev: device for which we do this operation +@@ -2209,7 +2199,7 @@ void _dev_pm_opp_find_and_remove_table(struct device *dev) + return; + } + +- _put_opp_list_kref(opp_table); ++ _opp_remove_all_static(opp_table); + + /* Drop reference taken by _find_opp_table() */ + dev_pm_opp_put_opp_table(opp_table); +diff --git a/drivers/opp/of.c b/drivers/opp/of.c +index 1e5fcdee043c4..249738e1e0b7a 100644 +--- a/drivers/opp/of.c ++++ b/drivers/opp/of.c +@@ -658,17 +658,15 @@ static int _of_add_opp_table_v2(struct device *dev, struct opp_table *opp_table) + struct dev_pm_opp *opp; + + /* OPP table is already initialized for the device */ ++ mutex_lock(&opp_table->lock); + if (opp_table->parsed_static_opps) { +- kref_get(&opp_table->list_kref); ++ opp_table->parsed_static_opps++; ++ mutex_unlock(&opp_table->lock); + return 0; + } + +- /* +- * Re-initialize list_kref every time we add static OPPs to the OPP +- * table as the reference count may be 0 after the last tie static OPPs +- * were removed. +- */ +- kref_init(&opp_table->list_kref); ++ opp_table->parsed_static_opps = 1; ++ mutex_unlock(&opp_table->lock); + + /* We have opp-table node now, iterate over it and add OPPs */ + for_each_available_child_of_node(opp_table->np, np) { +@@ -678,7 +676,7 @@ static int _of_add_opp_table_v2(struct device *dev, struct opp_table *opp_table) + dev_err(dev, "%s: Failed to add OPP, %d\n", __func__, + ret); + of_node_put(np); +- goto put_list_kref; ++ goto remove_static_opp; + } else if (opp) { + count++; + } +@@ -687,7 +685,7 @@ static int _of_add_opp_table_v2(struct device *dev, struct opp_table *opp_table) + /* There should be one of more OPP defined */ + if (WARN_ON(!count)) { + ret = -ENOENT; +- goto put_list_kref; ++ goto remove_static_opp; + } + + list_for_each_entry(opp, &opp_table->opp_list, node) +@@ -698,18 +696,16 @@ static int _of_add_opp_table_v2(struct device *dev, struct opp_table *opp_table) + dev_err(dev, "Not all nodes have performance state set (%d: %d)\n", + count, pstate_count); + ret = -ENOENT; +- goto put_list_kref; ++ goto remove_static_opp; + } + + if (pstate_count) + opp_table->genpd_performance_state = true; + +- opp_table->parsed_static_opps = true; +- + return 0; + +-put_list_kref: +- _put_opp_list_kref(opp_table); ++remove_static_opp: ++ _opp_remove_all_static(opp_table); + + return ret; + } +@@ -737,6 +733,10 @@ static int _of_add_opp_table_v1(struct device *dev, struct opp_table *opp_table) + return -EINVAL; + } + ++ mutex_lock(&opp_table->lock); ++ opp_table->parsed_static_opps = 1; ++ mutex_unlock(&opp_table->lock); ++ + val = prop->value; + while (nr) { + unsigned long freq = be32_to_cpup(val++) * 1000; +@@ -746,7 +746,7 @@ static int _of_add_opp_table_v1(struct device *dev, struct opp_table *opp_table) + if (ret) { + dev_err(dev, "%s: Failed to add OPP %ld (%d)\n", + __func__, freq, ret); +- _put_opp_list_kref(opp_table); ++ _opp_remove_all_static(opp_table); + return ret; + } + nr -= 2; +diff --git a/drivers/opp/opp.h b/drivers/opp/opp.h +index 01a500e2c40a1..d14e27102730c 100644 +--- a/drivers/opp/opp.h ++++ b/drivers/opp/opp.h +@@ -127,11 +127,10 @@ enum opp_table_access { + * @dev_list: list of devices that share these OPPs + * @opp_list: table of opps + * @kref: for reference count of the table. +- * @list_kref: for reference count of the OPP list. + * @lock: mutex protecting the opp_list and dev_list. + * @np: struct device_node pointer for opp's DT node. + * @clock_latency_ns_max: Max clock latency in nanoseconds. +- * @parsed_static_opps: True if OPPs are initialized from DT. ++ * @parsed_static_opps: Count of devices for which OPPs are initialized from DT. + * @shared_opp: OPP is shared between multiple devices. + * @suspend_opp: Pointer to OPP to be used during device suspend. + * @genpd_virt_dev_lock: Mutex protecting the genpd virtual device pointers. +@@ -167,7 +166,6 @@ struct opp_table { + struct list_head dev_list; + struct list_head opp_list; + struct kref kref; +- struct kref list_kref; + struct mutex lock; + + struct device_node *np; +@@ -176,7 +174,7 @@ struct opp_table { + /* For backward compatibility with v1 bindings */ + unsigned int voltage_tolerance_v1; + +- bool parsed_static_opps; ++ unsigned int parsed_static_opps; + enum opp_table_access shared_opp; + struct dev_pm_opp *suspend_opp; + +diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c +index f89f5acee72d4..c06b05ab9f787 100644 +--- a/drivers/pci/controller/dwc/pcie-tegra194.c ++++ b/drivers/pci/controller/dwc/pcie-tegra194.c +@@ -1395,7 +1395,7 @@ static int tegra_pcie_config_rp(struct tegra_pcie_dw *pcie) + ret = pinctrl_pm_select_default_state(dev); + if (ret < 0) { + dev_err(dev, "Failed to configure sideband pins: %d\n", ret); +- goto fail_pinctrl; ++ goto fail_pm_get_sync; + } + + tegra_pcie_init_controller(pcie); +@@ -1422,9 +1422,8 @@ static int tegra_pcie_config_rp(struct tegra_pcie_dw *pcie) + + fail_host_init: + tegra_pcie_deinit_controller(pcie); +-fail_pinctrl: +- pm_runtime_put_sync(dev); + fail_pm_get_sync: ++ pm_runtime_put_sync(dev); + pm_runtime_disable(dev); + return ret; + } +diff --git a/drivers/pci/controller/pci-tegra.c b/drivers/pci/controller/pci-tegra.c +index b71e753419c2d..cfa3c83d6cc74 100644 +--- a/drivers/pci/controller/pci-tegra.c ++++ b/drivers/pci/controller/pci-tegra.c +@@ -2768,7 +2768,7 @@ static int tegra_pcie_probe(struct platform_device *pdev) + err = pm_runtime_get_sync(pcie->dev); + if (err < 0) { + dev_err(dev, "fail to enable pcie controller: %d\n", err); +- goto teardown_msi; ++ goto pm_runtime_put; + } + + err = tegra_pcie_request_resources(pcie); +@@ -2808,7 +2808,6 @@ free_resources: + pm_runtime_put: + pm_runtime_put_sync(pcie->dev); + pm_runtime_disable(pcie->dev); +-teardown_msi: + tegra_pcie_msi_teardown(pcie); + put_resources: + tegra_pcie_put_resources(pcie); +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index 356786a3b7f4b..88b996764ff95 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -529,7 +529,7 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id) + struct controller *ctrl = (struct controller *)dev_id; + struct pci_dev *pdev = ctrl_dev(ctrl); + struct device *parent = pdev->dev.parent; +- u16 status, events; ++ u16 status, events = 0; + + /* + * Interrupts only occur in D3hot or shallower and only if enabled +@@ -554,6 +554,7 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id) + } + } + ++read_status: + pcie_capability_read_word(pdev, PCI_EXP_SLTSTA, &status); + if (status == (u16) ~0) { + ctrl_info(ctrl, "%s: no response from device\n", __func__); +@@ -566,24 +567,37 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id) + * Slot Status contains plain status bits as well as event + * notification bits; right now we only want the event bits. + */ +- events = status & (PCI_EXP_SLTSTA_ABP | PCI_EXP_SLTSTA_PFD | +- PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_CC | +- PCI_EXP_SLTSTA_DLLSC); ++ status &= PCI_EXP_SLTSTA_ABP | PCI_EXP_SLTSTA_PFD | ++ PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_CC | ++ PCI_EXP_SLTSTA_DLLSC; + + /* + * If we've already reported a power fault, don't report it again + * until we've done something to handle it. + */ + if (ctrl->power_fault_detected) +- events &= ~PCI_EXP_SLTSTA_PFD; ++ status &= ~PCI_EXP_SLTSTA_PFD; + ++ events |= status; + if (!events) { + if (parent) + pm_runtime_put(parent); + return IRQ_NONE; + } + +- pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events); ++ if (status) { ++ pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events); ++ ++ /* ++ * In MSI mode, all event bits must be zero before the port ++ * will send a new interrupt (PCIe Base Spec r5.0 sec 6.7.3.4). ++ * So re-read the Slot Status register in case a bit was set ++ * between read and write. ++ */ ++ if (pci_dev_msi_enabled(pdev) && !pciehp_poll_mode) ++ goto read_status; ++ } ++ + ctrl_dbg(ctrl, "pending interrupts %#06x from Slot Status\n", events); + if (parent) + pm_runtime_put(parent); +diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c +index deec9f9e0b616..9c116cbaa95d8 100644 +--- a/drivers/pci/iov.c ++++ b/drivers/pci/iov.c +@@ -253,8 +253,14 @@ static ssize_t sriov_numvfs_show(struct device *dev, + char *buf) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ u16 num_vfs; ++ ++ /* Serialize vs sriov_numvfs_store() so readers see valid num_VFs */ ++ device_lock(&pdev->dev); ++ num_vfs = pdev->sriov->num_VFs; ++ device_unlock(&pdev->dev); + +- return sprintf(buf, "%u\n", pdev->sriov->num_VFs); ++ return sprintf(buf, "%u\n", num_vfs); + } + + /* +diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c +index 137bf0cee897c..8fc9a4e911e3a 100644 +--- a/drivers/pci/rom.c ++++ b/drivers/pci/rom.c +@@ -195,20 +195,3 @@ void pci_unmap_rom(struct pci_dev *pdev, void __iomem *rom) + pci_disable_rom(pdev); + } + EXPORT_SYMBOL(pci_unmap_rom); +- +-/** +- * pci_platform_rom - provides a pointer to any ROM image provided by the +- * platform +- * @pdev: pointer to pci device struct +- * @size: pointer to receive size of pci window over ROM +- */ +-void __iomem *pci_platform_rom(struct pci_dev *pdev, size_t *size) +-{ +- if (pdev->rom && pdev->romlen) { +- *size = pdev->romlen; +- return phys_to_virt((phys_addr_t)pdev->rom); +- } +- +- return NULL; +-} +-EXPORT_SYMBOL(pci_platform_rom); +diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c +index 5356630e0e483..44f4866d95d8c 100644 +--- a/drivers/pci/setup-bus.c ++++ b/drivers/pci/setup-bus.c +@@ -752,24 +752,32 @@ static void pci_bridge_check_ranges(struct pci_bus *bus) + } + + /* +- * Helper function for sizing routines: find first available bus resource +- * of a given type. Note: we intentionally skip the bus resources which +- * have already been assigned (that is, have non-NULL parent resource). ++ * Helper function for sizing routines. Assigned resources have non-NULL ++ * parent resource. ++ * ++ * Return first unassigned resource of the correct type. If there is none, ++ * return first assigned resource of the correct type. If none of the ++ * above, return NULL. ++ * ++ * Returning an assigned resource of the correct type allows the caller to ++ * distinguish between already assigned and no resource of the correct type. + */ +-static struct resource *find_free_bus_resource(struct pci_bus *bus, +- unsigned long type_mask, +- unsigned long type) ++static struct resource *find_bus_resource_of_type(struct pci_bus *bus, ++ unsigned long type_mask, ++ unsigned long type) + { ++ struct resource *r, *r_assigned = NULL; + int i; +- struct resource *r; + + pci_bus_for_each_resource(bus, r, i) { + if (r == &ioport_resource || r == &iomem_resource) + continue; + if (r && (r->flags & type_mask) == type && !r->parent) + return r; ++ if (r && (r->flags & type_mask) == type && !r_assigned) ++ r_assigned = r; + } +- return NULL; ++ return r_assigned; + } + + static resource_size_t calculate_iosize(resource_size_t size, +@@ -866,8 +874,8 @@ static void pbus_size_io(struct pci_bus *bus, resource_size_t min_size, + struct list_head *realloc_head) + { + struct pci_dev *dev; +- struct resource *b_res = find_free_bus_resource(bus, IORESOURCE_IO, +- IORESOURCE_IO); ++ struct resource *b_res = find_bus_resource_of_type(bus, IORESOURCE_IO, ++ IORESOURCE_IO); + resource_size_t size = 0, size0 = 0, size1 = 0; + resource_size_t children_add_size = 0; + resource_size_t min_align, align; +@@ -875,6 +883,10 @@ static void pbus_size_io(struct pci_bus *bus, resource_size_t min_size, + if (!b_res) + return; + ++ /* If resource is already assigned, nothing more to do */ ++ if (b_res->parent) ++ return; ++ + min_align = window_alignment(bus, IORESOURCE_IO); + list_for_each_entry(dev, &bus->devices, bus_list) { + int i; +@@ -978,7 +990,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, + resource_size_t min_align, align, size, size0, size1; + resource_size_t aligns[18]; /* Alignments from 1MB to 128GB */ + int order, max_order; +- struct resource *b_res = find_free_bus_resource(bus, ++ struct resource *b_res = find_bus_resource_of_type(bus, + mask | IORESOURCE_PREFETCH, type); + resource_size_t children_add_size = 0; + resource_size_t children_add_align = 0; +@@ -987,6 +999,10 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, + if (!b_res) + return -ENOSPC; + ++ /* If resource is already assigned, nothing more to do */ ++ if (b_res->parent) ++ return 0; ++ + memset(aligns, 0, sizeof(aligns)); + max_order = 0; + size = 0; +diff --git a/drivers/phy/samsung/phy-s5pv210-usb2.c b/drivers/phy/samsung/phy-s5pv210-usb2.c +index 56a5083fe6f94..32be62e498047 100644 +--- a/drivers/phy/samsung/phy-s5pv210-usb2.c ++++ b/drivers/phy/samsung/phy-s5pv210-usb2.c +@@ -139,6 +139,10 @@ static void s5pv210_phy_pwr(struct samsung_usb2_phy_instance *inst, bool on) + udelay(10); + rst &= ~rstbits; + writel(rst, drv->reg_phy + S5PV210_UPHYRST); ++ /* The following delay is necessary for the reset sequence to be ++ * completed ++ */ ++ udelay(80); + } else { + pwr = readl(drv->reg_phy + S5PV210_UPHYPWR); + pwr |= phypwr; +diff --git a/drivers/power/supply/max17040_battery.c b/drivers/power/supply/max17040_battery.c +index 62499018e68bf..2e845045a3fc0 100644 +--- a/drivers/power/supply/max17040_battery.c ++++ b/drivers/power/supply/max17040_battery.c +@@ -105,7 +105,7 @@ static void max17040_get_vcell(struct i2c_client *client) + + vcell = max17040_read_reg(client, MAX17040_VCELL); + +- chip->vcell = vcell; ++ chip->vcell = (vcell >> 4) * 1250; + } + + static void max17040_get_soc(struct i2c_client *client) +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index 10af330153b5e..0b85a80ae7ef6 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -2384,13 +2384,6 @@ static struct mport_dev *mport_cdev_add(struct rio_mport *mport) + cdev_init(&md->cdev, &mport_fops); + md->cdev.owner = THIS_MODULE; + +- ret = cdev_device_add(&md->cdev, &md->dev); +- if (ret) { +- rmcd_error("Failed to register mport %d (err=%d)", +- mport->id, ret); +- goto err_cdev; +- } +- + INIT_LIST_HEAD(&md->doorbells); + spin_lock_init(&md->db_lock); + INIT_LIST_HEAD(&md->portwrites); +@@ -2410,6 +2403,13 @@ static struct mport_dev *mport_cdev_add(struct rio_mport *mport) + #else + md->properties.transfer_mode |= RIO_TRANSFER_MODE_TRANSFER; + #endif ++ ++ ret = cdev_device_add(&md->cdev, &md->dev); ++ if (ret) { ++ rmcd_error("Failed to register mport %d (err=%d)", ++ mport->id, ret); ++ goto err_cdev; ++ } + ret = rio_query_mport(mport, &attr); + if (!ret) { + md->properties.flags = attr.flags; +diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c +index 16f0c85700360..7075f42b9fcf6 100644 +--- a/drivers/regulator/axp20x-regulator.c ++++ b/drivers/regulator/axp20x-regulator.c +@@ -42,8 +42,9 @@ + + #define AXP20X_DCDC2_V_OUT_MASK GENMASK(5, 0) + #define AXP20X_DCDC3_V_OUT_MASK GENMASK(7, 0) +-#define AXP20X_LDO24_V_OUT_MASK GENMASK(7, 4) ++#define AXP20X_LDO2_V_OUT_MASK GENMASK(7, 4) + #define AXP20X_LDO3_V_OUT_MASK GENMASK(6, 0) ++#define AXP20X_LDO4_V_OUT_MASK GENMASK(3, 0) + #define AXP20X_LDO5_V_OUT_MASK GENMASK(7, 4) + + #define AXP20X_PWR_OUT_EXTEN_MASK BIT_MASK(0) +@@ -544,14 +545,14 @@ static const struct regulator_desc axp20x_regulators[] = { + AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_DCDC3_MASK), + AXP_DESC_FIXED(AXP20X, LDO1, "ldo1", "acin", 1300), + AXP_DESC(AXP20X, LDO2, "ldo2", "ldo24in", 1800, 3300, 100, +- AXP20X_LDO24_V_OUT, AXP20X_LDO24_V_OUT_MASK, ++ AXP20X_LDO24_V_OUT, AXP20X_LDO2_V_OUT_MASK, + AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO2_MASK), + AXP_DESC(AXP20X, LDO3, "ldo3", "ldo3in", 700, 3500, 25, + AXP20X_LDO3_V_OUT, AXP20X_LDO3_V_OUT_MASK, + AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO3_MASK), + AXP_DESC_RANGES(AXP20X, LDO4, "ldo4", "ldo24in", + axp20x_ldo4_ranges, AXP20X_LDO4_V_OUT_NUM_VOLTAGES, +- AXP20X_LDO24_V_OUT, AXP20X_LDO24_V_OUT_MASK, ++ AXP20X_LDO24_V_OUT, AXP20X_LDO4_V_OUT_MASK, + AXP20X_PWR_OUT_CTRL, AXP20X_PWR_OUT_LDO4_MASK), + AXP_DESC_IO(AXP20X, LDO5, "ldo5", "ldo5in", 1800, 3300, 100, + AXP20X_LDO5_V_OUT, AXP20X_LDO5_V_OUT_MASK, +diff --git a/drivers/rtc/rtc-ds1374.c b/drivers/rtc/rtc-ds1374.c +index 367497914c100..28eb96cbaf98b 100644 +--- a/drivers/rtc/rtc-ds1374.c ++++ b/drivers/rtc/rtc-ds1374.c +@@ -620,6 +620,10 @@ static int ds1374_probe(struct i2c_client *client, + if (!ds1374) + return -ENOMEM; + ++ ds1374->rtc = devm_rtc_allocate_device(&client->dev); ++ if (IS_ERR(ds1374->rtc)) ++ return PTR_ERR(ds1374->rtc); ++ + ds1374->client = client; + i2c_set_clientdata(client, ds1374); + +@@ -641,12 +645,11 @@ static int ds1374_probe(struct i2c_client *client, + device_set_wakeup_capable(&client->dev, 1); + } + +- ds1374->rtc = devm_rtc_device_register(&client->dev, client->name, +- &ds1374_rtc_ops, THIS_MODULE); +- if (IS_ERR(ds1374->rtc)) { +- dev_err(&client->dev, "unable to register the class device\n"); +- return PTR_ERR(ds1374->rtc); +- } ++ ds1374->rtc->ops = &ds1374_rtc_ops; ++ ++ ret = rtc_register_device(ds1374->rtc); ++ if (ret) ++ return ret; + + #ifdef CONFIG_RTC_DRV_DS1374_WDT + save_client = client; +diff --git a/drivers/rtc/rtc-sa1100.c b/drivers/rtc/rtc-sa1100.c +index 86fa723b3b762..795273269d58e 100644 +--- a/drivers/rtc/rtc-sa1100.c ++++ b/drivers/rtc/rtc-sa1100.c +@@ -182,7 +182,6 @@ static const struct rtc_class_ops sa1100_rtc_ops = { + + int sa1100_rtc_init(struct platform_device *pdev, struct sa1100_rtc *info) + { +- struct rtc_device *rtc; + int ret; + + spin_lock_init(&info->lock); +@@ -211,15 +210,14 @@ int sa1100_rtc_init(struct platform_device *pdev, struct sa1100_rtc *info) + writel_relaxed(0, info->rcnr); + } + +- rtc = devm_rtc_device_register(&pdev->dev, pdev->name, &sa1100_rtc_ops, +- THIS_MODULE); +- if (IS_ERR(rtc)) { ++ info->rtc->ops = &sa1100_rtc_ops; ++ info->rtc->max_user_freq = RTC_FREQ; ++ ++ ret = rtc_register_device(info->rtc); ++ if (ret) { + clk_disable_unprepare(info->clk); +- return PTR_ERR(rtc); ++ return ret; + } +- info->rtc = rtc; +- +- rtc->max_user_freq = RTC_FREQ; + + /* Fix for a nasty initialization problem the in SA11xx RTSR register. + * See also the comments in sa1100_rtc_interrupt(). +@@ -268,6 +266,10 @@ static int sa1100_rtc_probe(struct platform_device *pdev) + info->irq_1hz = irq_1hz; + info->irq_alarm = irq_alarm; + ++ info->rtc = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(info->rtc)) ++ return PTR_ERR(info->rtc); ++ + ret = devm_request_irq(&pdev->dev, irq_1hz, sa1100_rtc_interrupt, 0, + "rtc 1Hz", &pdev->dev); + if (ret) { +diff --git a/drivers/s390/block/dasd_fba.c b/drivers/s390/block/dasd_fba.c +index cbb770824226f..1a44e321b54e1 100644 +--- a/drivers/s390/block/dasd_fba.c ++++ b/drivers/s390/block/dasd_fba.c +@@ -40,6 +40,7 @@ + MODULE_LICENSE("GPL"); + + static struct dasd_discipline dasd_fba_discipline; ++static void *dasd_fba_zero_page; + + struct dasd_fba_private { + struct dasd_fba_characteristics rdc_data; +@@ -270,7 +271,7 @@ static void ccw_write_zero(struct ccw1 *ccw, int count) + ccw->cmd_code = DASD_FBA_CCW_WRITE; + ccw->flags |= CCW_FLAG_SLI; + ccw->count = count; +- ccw->cda = (__u32) (addr_t) page_to_phys(ZERO_PAGE(0)); ++ ccw->cda = (__u32) (addr_t) dasd_fba_zero_page; + } + + /* +@@ -830,6 +831,11 @@ dasd_fba_init(void) + int ret; + + ASCEBC(dasd_fba_discipline.ebcname, 4); ++ ++ dasd_fba_zero_page = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA); ++ if (!dasd_fba_zero_page) ++ return -ENOMEM; ++ + ret = ccw_driver_register(&dasd_fba_driver); + if (!ret) + wait_for_device_probe(); +@@ -841,6 +847,7 @@ static void __exit + dasd_fba_cleanup(void) + { + ccw_driver_unregister(&dasd_fba_driver); ++ free_page((unsigned long)dasd_fba_zero_page); + } + + module_init(dasd_fba_init); +diff --git a/drivers/s390/cio/airq.c b/drivers/s390/cio/airq.c +index 427b2e24a8cea..cb466ed7eb5ef 100644 +--- a/drivers/s390/cio/airq.c ++++ b/drivers/s390/cio/airq.c +@@ -105,16 +105,12 @@ static irqreturn_t do_airq_interrupt(int irq, void *dummy) + return IRQ_HANDLED; + } + +-static struct irqaction airq_interrupt = { +- .name = "AIO", +- .handler = do_airq_interrupt, +-}; +- + void __init init_airq_interrupts(void) + { + irq_set_chip_and_handler(THIN_INTERRUPT, + &dummy_irq_chip, handle_percpu_irq); +- setup_irq(THIN_INTERRUPT, &airq_interrupt); ++ if (request_irq(THIN_INTERRUPT, do_airq_interrupt, 0, "AIO", NULL)) ++ panic("Failed to register AIO interrupt\n"); + } + + static inline unsigned long iv_size(unsigned long bits) +diff --git a/drivers/s390/cio/cio.c b/drivers/s390/cio/cio.c +index 18f5458f90e8f..6d716db2a46ab 100644 +--- a/drivers/s390/cio/cio.c ++++ b/drivers/s390/cio/cio.c +@@ -563,16 +563,12 @@ static irqreturn_t do_cio_interrupt(int irq, void *dummy) + return IRQ_HANDLED; + } + +-static struct irqaction io_interrupt = { +- .name = "I/O", +- .handler = do_cio_interrupt, +-}; +- + void __init init_cio_interrupts(void) + { + irq_set_chip_and_handler(IO_INTERRUPT, + &dummy_irq_chip, handle_percpu_irq); +- setup_irq(IO_INTERRUPT, &io_interrupt); ++ if (request_irq(IO_INTERRUPT, do_cio_interrupt, 0, "I/O", NULL)) ++ panic("Failed to register I/O interrupt\n"); + } + + #ifdef CONFIG_CCW_CONSOLE +diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c +index 7fa0262e91af0..ec41a8a76398c 100644 +--- a/drivers/s390/crypto/zcrypt_api.c ++++ b/drivers/s390/crypto/zcrypt_api.c +@@ -1419,7 +1419,8 @@ static long zcrypt_unlocked_ioctl(struct file *filp, unsigned int cmd, + if (!reqcnt) + return -ENOMEM; + zcrypt_perdev_reqcnt(reqcnt, AP_DEVICES); +- if (copy_to_user((int __user *) arg, reqcnt, sizeof(reqcnt))) ++ if (copy_to_user((int __user *) arg, reqcnt, ++ sizeof(u32) * AP_DEVICES)) + rc = -EFAULT; + kfree(reqcnt); + return rc; +diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c +index 0ed3f806ace54..2388143d59f5d 100644 +--- a/drivers/scsi/aacraid/aachba.c ++++ b/drivers/scsi/aacraid/aachba.c +@@ -2467,13 +2467,13 @@ static int aac_read(struct scsi_cmnd * scsicmd) + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | + SAM_STAT_CHECK_CONDITION; + set_sense(&dev->fsa_dev[cid].sense_data, +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE, ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE, + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0); + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data, + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data), + SCSI_SENSE_BUFFERSIZE)); + scsicmd->scsi_done(scsicmd); +- return 1; ++ return 0; + } + + dprintk((KERN_DEBUG "aac_read[cpu %d]: lba = %llu, t = %ld.\n", +@@ -2559,13 +2559,13 @@ static int aac_write(struct scsi_cmnd * scsicmd) + scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 | + SAM_STAT_CHECK_CONDITION; + set_sense(&dev->fsa_dev[cid].sense_data, +- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE, ++ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE, + ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0); + memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data, + min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data), + SCSI_SENSE_BUFFERSIZE)); + scsicmd->scsi_done(scsicmd); +- return 1; ++ return 0; + } + + dprintk((KERN_DEBUG "aac_write[cpu %d]: lba = %llu, t = %ld.\n", +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c +index 2142a649e865b..90fb17c5dd69c 100644 +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -728,7 +728,7 @@ int aac_hba_send(u8 command, struct fib *fibptr, fib_callback callback, + hbacmd->request_id = + cpu_to_le32((((u32)(fibptr - dev->fibs)) << 2) + 1); + fibptr->flags |= FIB_CONTEXT_FLAG_SCSI_CMD; +- } else if (command != HBA_IU_TYPE_SCSI_TM_REQ) ++ } else + return -EINVAL; + + +diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c +index 4a858789e6c5e..1035f947f1bcf 100644 +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -723,7 +723,11 @@ static int aac_eh_abort(struct scsi_cmnd* cmd) + status = aac_hba_send(HBA_IU_TYPE_SCSI_TM_REQ, fib, + (fib_callback) aac_hba_callback, + (void *) cmd); +- ++ if (status != -EINPROGRESS) { ++ aac_fib_complete(fib); ++ aac_fib_free(fib); ++ return ret; ++ } + /* Wait up to 15 secs for completion */ + for (count = 0; count < 15; ++count) { + if (cmd->SCp.sent_command) { +@@ -902,11 +906,11 @@ static int aac_eh_dev_reset(struct scsi_cmnd *cmd) + + info = &aac->hba_map[bus][cid]; + +- if (info->devtype != AAC_DEVTYPE_NATIVE_RAW && +- info->reset_state > 0) ++ if (!(info->devtype == AAC_DEVTYPE_NATIVE_RAW && ++ !(info->reset_state > 0))) + return FAILED; + +- pr_err("%s: Host adapter reset request. SCSI hang ?\n", ++ pr_err("%s: Host device reset request. SCSI hang ?\n", + AAC_DRIVERNAME); + + fib = aac_fib_alloc(aac); +@@ -921,7 +925,12 @@ static int aac_eh_dev_reset(struct scsi_cmnd *cmd) + status = aac_hba_send(command, fib, + (fib_callback) aac_tmf_callback, + (void *) info); +- ++ if (status != -EINPROGRESS) { ++ info->reset_state = 0; ++ aac_fib_complete(fib); ++ aac_fib_free(fib); ++ return ret; ++ } + /* Wait up to 15 seconds for completion */ + for (count = 0; count < 15; ++count) { + if (info->reset_state == 0) { +@@ -960,11 +969,11 @@ static int aac_eh_target_reset(struct scsi_cmnd *cmd) + + info = &aac->hba_map[bus][cid]; + +- if (info->devtype != AAC_DEVTYPE_NATIVE_RAW && +- info->reset_state > 0) ++ if (!(info->devtype == AAC_DEVTYPE_NATIVE_RAW && ++ !(info->reset_state > 0))) + return FAILED; + +- pr_err("%s: Host adapter reset request. SCSI hang ?\n", ++ pr_err("%s: Host target reset request. SCSI hang ?\n", + AAC_DRIVERNAME); + + fib = aac_fib_alloc(aac); +@@ -981,6 +990,13 @@ static int aac_eh_target_reset(struct scsi_cmnd *cmd) + (fib_callback) aac_tmf_callback, + (void *) info); + ++ if (status != -EINPROGRESS) { ++ info->reset_state = 0; ++ aac_fib_complete(fib); ++ aac_fib_free(fib); ++ return ret; ++ } ++ + /* Wait up to 15 seconds for completion */ + for (count = 0; count < 15; ++count) { + if (info->reset_state <= 0) { +@@ -1033,7 +1049,7 @@ static int aac_eh_bus_reset(struct scsi_cmnd* cmd) + } + } + +- pr_err("%s: Host adapter reset request. SCSI hang ?\n", AAC_DRIVERNAME); ++ pr_err("%s: Host bus reset request. SCSI hang ?\n", AAC_DRIVERNAME); + + /* + * Check the health of the controller +@@ -1591,7 +1607,7 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + struct Scsi_Host *shost; + struct aac_dev *aac; + struct list_head *insert = &aac_devices; +- int error = -ENODEV; ++ int error; + int unique_id = 0; + u64 dmamask; + int mask_bits = 0; +@@ -1616,7 +1632,6 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + error = pci_enable_device(pdev); + if (error) + goto out; +- error = -ENODEV; + + if (!(aac_drivers[index].quirks & AAC_QUIRK_SRC)) { + error = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)); +@@ -1648,8 +1663,10 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + pci_set_master(pdev); + + shost = scsi_host_alloc(&aac_driver_template, sizeof(struct aac_dev)); +- if (!shost) ++ if (!shost) { ++ error = -ENOMEM; + goto out_disable_pdev; ++ } + + shost->irq = pdev->irq; + shost->unique_id = unique_id; +@@ -1674,8 +1691,11 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + aac->fibs = kcalloc(shost->can_queue + AAC_NUM_MGT_FIB, + sizeof(struct fib), + GFP_KERNEL); +- if (!aac->fibs) ++ if (!aac->fibs) { ++ error = -ENOMEM; + goto out_free_host; ++ } ++ + spin_lock_init(&aac->fib_lock); + + mutex_init(&aac->ioctl_mutex); +diff --git a/drivers/scsi/cxlflash/main.c b/drivers/scsi/cxlflash/main.c +index 93ef97af22df4..67d681c53c295 100644 +--- a/drivers/scsi/cxlflash/main.c ++++ b/drivers/scsi/cxlflash/main.c +@@ -3746,6 +3746,7 @@ static int cxlflash_probe(struct pci_dev *pdev, + cfg->afu_cookie = cfg->ops->create_afu(pdev); + if (unlikely(!cfg->afu_cookie)) { + dev_err(dev, "%s: create_afu failed\n", __func__); ++ rc = -ENOMEM; + goto out_remove; + } + +diff --git a/drivers/scsi/fnic/fnic_scsi.c b/drivers/scsi/fnic/fnic_scsi.c +index e3f5c91d5e4fe..b60795893994c 100644 +--- a/drivers/scsi/fnic/fnic_scsi.c ++++ b/drivers/scsi/fnic/fnic_scsi.c +@@ -1027,7 +1027,8 @@ static void fnic_fcpio_icmnd_cmpl_handler(struct fnic *fnic, + atomic64_inc(&fnic_stats->io_stats.io_completions); + + +- io_duration_time = jiffies_to_msecs(jiffies) - jiffies_to_msecs(io_req->start_time); ++ io_duration_time = jiffies_to_msecs(jiffies) - ++ jiffies_to_msecs(start_time); + + if(io_duration_time <= 10) + atomic64_inc(&fnic_stats->io_stats.io_btw_0_to_10_msec); +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 216e557f703e6..e67cb4561aace 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -504,6 +504,12 @@ static ssize_t host_store_rescan(struct device *dev, + return count; + } + ++static void hpsa_turn_off_ioaccel_for_device(struct hpsa_scsi_dev_t *device) ++{ ++ device->offload_enabled = 0; ++ device->offload_to_be_enabled = 0; ++} ++ + static ssize_t host_show_firmware_revision(struct device *dev, + struct device_attribute *attr, char *buf) + { +@@ -1738,8 +1744,7 @@ static void hpsa_figure_phys_disk_ptrs(struct ctlr_info *h, + __func__, + h->scsi_host->host_no, logical_drive->bus, + logical_drive->target, logical_drive->lun); +- logical_drive->offload_enabled = 0; +- logical_drive->offload_to_be_enabled = 0; ++ hpsa_turn_off_ioaccel_for_device(logical_drive); + logical_drive->queue_depth = 8; + } + } +@@ -2499,8 +2504,7 @@ static void process_ioaccel2_completion(struct ctlr_info *h, + IOACCEL2_SERV_RESPONSE_FAILURE) { + if (c2->error_data.status == + IOACCEL2_STATUS_SR_IOACCEL_DISABLED) { +- dev->offload_enabled = 0; +- dev->offload_to_be_enabled = 0; ++ hpsa_turn_off_ioaccel_for_device(dev); + } + + if (dev->in_reset) { +@@ -3670,10 +3674,17 @@ static void hpsa_get_ioaccel_status(struct ctlr_info *h, + this_device->offload_config = + !!(ioaccel_status & OFFLOAD_CONFIGURED_BIT); + if (this_device->offload_config) { +- this_device->offload_to_be_enabled = ++ bool offload_enabled = + !!(ioaccel_status & OFFLOAD_ENABLED_BIT); +- if (hpsa_get_raid_map(h, scsi3addr, this_device)) +- this_device->offload_to_be_enabled = 0; ++ /* ++ * Check to see if offload can be enabled. ++ */ ++ if (offload_enabled) { ++ rc = hpsa_get_raid_map(h, scsi3addr, this_device); ++ if (rc) /* could not load raid_map */ ++ goto out; ++ this_device->offload_to_be_enabled = 1; ++ } + } + + out: +@@ -3996,8 +4007,7 @@ static int hpsa_update_device_info(struct ctlr_info *h, + } else { + this_device->raid_level = RAID_UNKNOWN; + this_device->offload_config = 0; +- this_device->offload_enabled = 0; +- this_device->offload_to_be_enabled = 0; ++ hpsa_turn_off_ioaccel_for_device(this_device); + this_device->hba_ioaccel_enabled = 0; + this_device->volume_offline = 0; + this_device->queue_depth = h->nr_cmds; +@@ -5230,8 +5240,12 @@ static int hpsa_scsi_ioaccel_raid_map(struct ctlr_info *h, + /* Handles load balance across RAID 1 members. + * (2-drive R1 and R10 with even # of drives.) + * Appropriate for SSDs, not optimal for HDDs ++ * Ensure we have the correct raid_map. + */ +- BUG_ON(le16_to_cpu(map->layout_map_count) != 2); ++ if (le16_to_cpu(map->layout_map_count) != 2) { ++ hpsa_turn_off_ioaccel_for_device(dev); ++ return IO_ACCEL_INELIGIBLE; ++ } + if (dev->offload_to_mirror) + map_index += le16_to_cpu(map->data_disks_per_row); + dev->offload_to_mirror = !dev->offload_to_mirror; +@@ -5239,8 +5253,12 @@ static int hpsa_scsi_ioaccel_raid_map(struct ctlr_info *h, + case HPSA_RAID_ADM: + /* Handles N-way mirrors (R1-ADM) + * and R10 with # of drives divisible by 3.) ++ * Ensure we have the correct raid_map. + */ +- BUG_ON(le16_to_cpu(map->layout_map_count) != 3); ++ if (le16_to_cpu(map->layout_map_count) != 3) { ++ hpsa_turn_off_ioaccel_for_device(dev); ++ return IO_ACCEL_INELIGIBLE; ++ } + + offload_to_mirror = dev->offload_to_mirror; + raid_map_helper(map, offload_to_mirror, +@@ -5265,7 +5283,10 @@ static int hpsa_scsi_ioaccel_raid_map(struct ctlr_info *h, + r5or6_blocks_per_row = + le16_to_cpu(map->strip_size) * + le16_to_cpu(map->data_disks_per_row); +- BUG_ON(r5or6_blocks_per_row == 0); ++ if (r5or6_blocks_per_row == 0) { ++ hpsa_turn_off_ioaccel_for_device(dev); ++ return IO_ACCEL_INELIGIBLE; ++ } + stripesize = r5or6_blocks_per_row * + le16_to_cpu(map->layout_map_count); + #if BITS_PER_LONG == 32 +@@ -8285,7 +8306,7 @@ static int detect_controller_lockup(struct ctlr_info *h) + * + * Called from monitor controller worker (hpsa_event_monitor_worker) + * +- * A Volume (or Volumes that comprise an Array set may be undergoing a ++ * A Volume (or Volumes that comprise an Array set) may be undergoing a + * transformation, so we will be turning off ioaccel for all volumes that + * make up the Array. + */ +@@ -8308,6 +8329,9 @@ static void hpsa_set_ioaccel_status(struct ctlr_info *h) + * Run through current device list used during I/O requests. + */ + for (i = 0; i < h->ndevices; i++) { ++ int offload_to_be_enabled = 0; ++ int offload_config = 0; ++ + device = h->dev[i]; + + if (!device) +@@ -8325,25 +8349,35 @@ static void hpsa_set_ioaccel_status(struct ctlr_info *h) + continue; + + ioaccel_status = buf[IOACCEL_STATUS_BYTE]; +- device->offload_config = ++ ++ /* ++ * Check if offload is still configured on ++ */ ++ offload_config = + !!(ioaccel_status & OFFLOAD_CONFIGURED_BIT); +- if (device->offload_config) +- device->offload_to_be_enabled = ++ /* ++ * If offload is configured on, check to see if ioaccel ++ * needs to be enabled. ++ */ ++ if (offload_config) ++ offload_to_be_enabled = + !!(ioaccel_status & OFFLOAD_ENABLED_BIT); + ++ /* ++ * If ioaccel is to be re-enabled, re-enable later during the ++ * scan operation so the driver can get a fresh raidmap ++ * before turning ioaccel back on. ++ */ ++ if (offload_to_be_enabled) ++ continue; ++ + /* + * Immediately turn off ioaccel for any volume the + * controller tells us to. Some of the reasons could be: + * transformation - change to the LVs of an Array. + * degraded volume - component failure +- * +- * If ioaccel is to be re-enabled, re-enable later during the +- * scan operation so the driver can get a fresh raidmap +- * before turning ioaccel back on. +- * + */ +- if (!device->offload_to_be_enabled) +- device->offload_enabled = 0; ++ hpsa_turn_off_ioaccel_for_device(device); + } + + kfree(buf); +diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c +index 6bb8917b99a19..64500417c22ea 100644 +--- a/drivers/scsi/libfc/fc_rport.c ++++ b/drivers/scsi/libfc/fc_rport.c +@@ -133,8 +133,10 @@ struct fc_rport_priv *fc_rport_create(struct fc_lport *lport, u32 port_id) + lockdep_assert_held(&lport->disc.disc_mutex); + + rdata = fc_rport_lookup(lport, port_id); +- if (rdata) ++ if (rdata) { ++ kref_put(&rdata->kref, fc_rport_destroy); + return rdata; ++ } + + if (lport->rport_priv_size > 0) + rport_priv_size = lport->rport_priv_size; +@@ -481,10 +483,11 @@ static void fc_rport_enter_delete(struct fc_rport_priv *rdata, + + fc_rport_state_enter(rdata, RPORT_ST_DELETE); + +- kref_get(&rdata->kref); +- if (rdata->event == RPORT_EV_NONE && +- !queue_work(rport_event_queue, &rdata->event_work)) +- kref_put(&rdata->kref, fc_rport_destroy); ++ if (rdata->event == RPORT_EV_NONE) { ++ kref_get(&rdata->kref); ++ if (!queue_work(rport_event_queue, &rdata->event_work)) ++ kref_put(&rdata->kref, fc_rport_destroy); ++ } + + rdata->event = event; + } +diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c +index 25aa7a53d255e..bb973901b672d 100644 +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -176,7 +176,6 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + int i; + int len = 0; + char tmp[LPFC_MAX_NVME_INFO_TMP_LEN] = {0}; +- unsigned long iflags = 0; + + if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_NVME)) { + len = scnprintf(buf, PAGE_SIZE, "NVME Disabled\n"); +@@ -347,7 +346,6 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + if (strlcat(buf, "\nNVME Initiator Enabled\n", PAGE_SIZE) >= PAGE_SIZE) + goto buffer_done; + +- rcu_read_lock(); + scnprintf(tmp, sizeof(tmp), + "XRI Dist lpfc%d Total %d IO %d ELS %d\n", + phba->brd_no, +@@ -355,7 +353,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + phba->sli4_hba.io_xri_max, + lpfc_sli4_get_els_iocb_cnt(phba)); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto buffer_done; + + /* Port state is only one of two values for now. */ + if (localport->port_id) +@@ -371,15 +369,17 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + wwn_to_u64(vport->fc_nodename.u.wwn), + localport->port_id, statep); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto buffer_done; ++ ++ spin_lock_irq(shost->host_lock); + + list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) { + nrport = NULL; +- spin_lock_irqsave(&vport->phba->hbalock, iflags); ++ spin_lock(&vport->phba->hbalock); + rport = lpfc_ndlp_get_nrport(ndlp); + if (rport) + nrport = rport->remoteport; +- spin_unlock_irqrestore(&vport->phba->hbalock, iflags); ++ spin_unlock(&vport->phba->hbalock); + if (!nrport) + continue; + +@@ -398,39 +398,39 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + + /* Tab in to show lport ownership. */ + if (strlcat(buf, "NVME RPORT ", PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + if (phba->brd_no >= 10) { + if (strlcat(buf, " ", PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + } + + scnprintf(tmp, sizeof(tmp), "WWPN x%llx ", + nrport->port_name); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + + scnprintf(tmp, sizeof(tmp), "WWNN x%llx ", + nrport->node_name); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + + scnprintf(tmp, sizeof(tmp), "DID x%06x ", + nrport->port_id); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + + /* An NVME rport can have multiple roles. */ + if (nrport->port_role & FC_PORT_ROLE_NVME_INITIATOR) { + if (strlcat(buf, "INITIATOR ", PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + } + if (nrport->port_role & FC_PORT_ROLE_NVME_TARGET) { + if (strlcat(buf, "TARGET ", PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + } + if (nrport->port_role & FC_PORT_ROLE_NVME_DISCOVERY) { + if (strlcat(buf, "DISCSRVC ", PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + } + if (nrport->port_role & ~(FC_PORT_ROLE_NVME_INITIATOR | + FC_PORT_ROLE_NVME_TARGET | +@@ -438,14 +438,14 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + scnprintf(tmp, sizeof(tmp), "UNKNOWN ROLE x%x", + nrport->port_role); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + } + + scnprintf(tmp, sizeof(tmp), "%s\n", statep); + if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE) +- goto rcu_unlock_buf_done; ++ goto unlock_buf_done; + } +- rcu_read_unlock(); ++ spin_unlock_irq(shost->host_lock); + + if (!lport) + goto buffer_done; +@@ -505,11 +505,11 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr, + atomic_read(&lport->cmpl_fcp_err)); + strlcat(buf, tmp, PAGE_SIZE); + +- /* RCU is already unlocked. */ ++ /* host_lock is already unlocked. */ + goto buffer_done; + +- rcu_unlock_buf_done: +- rcu_read_unlock(); ++ unlock_buf_done: ++ spin_unlock_irq(shost->host_lock); + + buffer_done: + len = strnlen(buf, PAGE_SIZE); +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 4a09f21cb235f..e672fa9e842c9 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -2056,8 +2056,8 @@ lpfc_fdmi_hba_attr_wwnn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad) + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -2073,8 +2073,8 @@ lpfc_fdmi_hba_attr_manufacturer(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + /* This string MUST be consistent with other FC platforms + * supported by Broadcom. +@@ -2098,8 +2098,8 @@ lpfc_fdmi_hba_attr_sn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad) + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->SerialNumber, + sizeof(ae->un.AttrString)); +@@ -2120,8 +2120,8 @@ lpfc_fdmi_hba_attr_model(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelName, + sizeof(ae->un.AttrString)); +@@ -2141,8 +2141,8 @@ lpfc_fdmi_hba_attr_description(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelDesc, + sizeof(ae->un.AttrString)); +@@ -2164,8 +2164,8 @@ lpfc_fdmi_hba_attr_hdw_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t i, j, incr, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + /* Convert JEDEC ID to ascii for hardware version */ + incr = vp->rev.biuRev; +@@ -2194,8 +2194,8 @@ lpfc_fdmi_hba_attr_drvr_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, lpfc_release_version, + sizeof(ae->un.AttrString)); +@@ -2216,8 +2216,8 @@ lpfc_fdmi_hba_attr_rom_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + if (phba->sli_rev == LPFC_SLI_REV4) + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1); +@@ -2241,8 +2241,8 @@ lpfc_fdmi_hba_attr_fmw_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1); + len = strnlen(ae->un.AttrString, +@@ -2261,8 +2261,8 @@ lpfc_fdmi_hba_attr_os_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s %s %s", + init_utsname()->sysname, +@@ -2284,7 +2284,7 @@ lpfc_fdmi_hba_attr_ct_len(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + ae->un.AttrInt = cpu_to_be32(LPFC_MAX_CT_SIZE); + size = FOURBYTES + sizeof(uint32_t); +@@ -2300,8 +2300,8 @@ lpfc_fdmi_hba_attr_symbolic_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + len = lpfc_vport_symbolic_node_name(vport, + ae->un.AttrString, 256); +@@ -2319,7 +2319,7 @@ lpfc_fdmi_hba_attr_vendor_info(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Nothing is defined for this currently */ + ae->un.AttrInt = cpu_to_be32(0); +@@ -2336,7 +2336,7 @@ lpfc_fdmi_hba_attr_num_ports(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Each driver instance corresponds to a single port */ + ae->un.AttrInt = cpu_to_be32(1); +@@ -2353,8 +2353,8 @@ lpfc_fdmi_hba_attr_fabric_wwnn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fabric_nodename, + sizeof(struct lpfc_name)); +@@ -2372,8 +2372,8 @@ lpfc_fdmi_hba_attr_bios_ver(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strlcat(ae->un.AttrString, phba->BIOSVersion, + sizeof(ae->un.AttrString)); +@@ -2393,7 +2393,7 @@ lpfc_fdmi_hba_attr_bios_state(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* Driver doesn't have access to this information */ + ae->un.AttrInt = cpu_to_be32(0); +@@ -2410,8 +2410,8 @@ lpfc_fdmi_hba_attr_vendor_id(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "EMULEX", + sizeof(ae->un.AttrString)); +@@ -2433,8 +2433,8 @@ lpfc_fdmi_port_attr_fc4type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 32); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */ + ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */ +@@ -2459,7 +2459,7 @@ lpfc_fdmi_port_attr_support_speed(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + ae->un.AttrInt = 0; + if (!(phba->hba_flag & HBA_FCOE_MODE)) { +@@ -2513,7 +2513,7 @@ lpfc_fdmi_port_attr_speed(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + if (!(phba->hba_flag & HBA_FCOE_MODE)) { + switch (phba->fc_linkspeed) { +@@ -2583,7 +2583,7 @@ lpfc_fdmi_port_attr_max_frame(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + hsp = (struct serv_parm *)&vport->fc_sparam; + ae->un.AttrInt = (((uint32_t) hsp->cmn.bbRcvSizeMsb & 0x0F) << 8) | +@@ -2603,8 +2603,8 @@ lpfc_fdmi_port_attr_os_devname(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), + "/sys/class/scsi_host/host%d", shost->host_no); +@@ -2624,8 +2624,8 @@ lpfc_fdmi_port_attr_host_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + scnprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s", + vport->phba->os_host_name); +@@ -2645,8 +2645,8 @@ lpfc_fdmi_port_attr_wwnn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -2663,8 +2663,8 @@ lpfc_fdmi_port_attr_wwpn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fc_sparam.portName, + sizeof(struct lpfc_name)); +@@ -2681,8 +2681,8 @@ lpfc_fdmi_port_attr_symbolic_name(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + len = lpfc_vport_symbolic_port_name(vport, ae->un.AttrString, 256); + len += (len & 3) ? (4 - (len & 3)) : 4; +@@ -2700,7 +2700,7 @@ lpfc_fdmi_port_attr_port_type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + if (phba->fc_topology == LPFC_TOPOLOGY_LOOP) + ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTTYPE_NLPORT); + else +@@ -2718,7 +2718,7 @@ lpfc_fdmi_port_attr_class(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(FC_COS_CLASS2 | FC_COS_CLASS3); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2733,8 +2733,8 @@ lpfc_fdmi_port_attr_fabric_wwpn(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, sizeof(struct lpfc_name)); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrWWN, &vport->fabric_portname, + sizeof(struct lpfc_name)); +@@ -2751,8 +2751,8 @@ lpfc_fdmi_port_attr_active_fc4type(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 32); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */ + ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */ +@@ -2775,7 +2775,7 @@ lpfc_fdmi_port_attr_port_state(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + /* Link Up - operational */ + ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTSTATE_ONLINE); + size = FOURBYTES + sizeof(uint32_t); +@@ -2791,7 +2791,7 @@ lpfc_fdmi_port_attr_num_disc(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + vport->fdmi_num_disc = lpfc_find_map_node(vport); + ae->un.AttrInt = cpu_to_be32(vport->fdmi_num_disc); + size = FOURBYTES + sizeof(uint32_t); +@@ -2807,7 +2807,7 @@ lpfc_fdmi_port_attr_nportid(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(vport->fc_myDID); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2822,8 +2822,8 @@ lpfc_fdmi_smart_attr_service(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "Smart SAN Initiator", + sizeof(ae->un.AttrString)); +@@ -2843,8 +2843,8 @@ lpfc_fdmi_smart_attr_guid(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + memcpy(&ae->un.AttrString, &vport->fc_sparam.nodeName, + sizeof(struct lpfc_name)); +@@ -2864,8 +2864,8 @@ lpfc_fdmi_smart_attr_version(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, "Smart SAN Version 2.0", + sizeof(ae->un.AttrString)); +@@ -2886,8 +2886,8 @@ lpfc_fdmi_smart_attr_model(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t len, size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; +- memset(ae, 0, 256); ++ ae = &ad->AttrValue; ++ memset(ae, 0, sizeof(*ae)); + + strncpy(ae->un.AttrString, phba->ModelName, + sizeof(ae->un.AttrString)); +@@ -2906,7 +2906,7 @@ lpfc_fdmi_smart_attr_port_info(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + + /* SRIOV (type 3) is not supported */ + if (vport->vpi) +@@ -2926,7 +2926,7 @@ lpfc_fdmi_smart_attr_qos(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(0); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -2941,7 +2941,7 @@ lpfc_fdmi_smart_attr_security(struct lpfc_vport *vport, + struct lpfc_fdmi_attr_entry *ae; + uint32_t size; + +- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue; ++ ae = &ad->AttrValue; + ae->un.AttrInt = cpu_to_be32(1); + size = FOURBYTES + sizeof(uint32_t); + ad->AttrLen = cpu_to_be16(size); +@@ -3089,7 +3089,8 @@ lpfc_fdmi_cmd(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + /* Registered Port List */ + /* One entry (port) per adapter */ + rh->rpl.EntryCnt = cpu_to_be32(1); +- memcpy(&rh->rpl.pe, &phba->pport->fc_sparam.portName, ++ memcpy(&rh->rpl.pe.PortName, ++ &phba->pport->fc_sparam.portName, + sizeof(struct lpfc_name)); + + /* point to the HBA attribute block */ +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 799db8a785c21..0dc1d56ff4709 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -73,6 +73,7 @@ static void lpfc_disc_timeout_handler(struct lpfc_vport *); + static void lpfc_disc_flush_list(struct lpfc_vport *vport); + static void lpfc_unregister_fcfi_cmpl(struct lpfc_hba *, LPFC_MBOXQ_t *); + static int lpfc_fcf_inuse(struct lpfc_hba *); ++static void lpfc_mbx_cmpl_read_sparam(struct lpfc_hba *, LPFC_MBOXQ_t *); + + void + lpfc_terminate_rport_io(struct fc_rport *rport) +@@ -1134,11 +1135,13 @@ out: + return; + } + +- + void + lpfc_mbx_cmpl_local_config_link(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) + { + struct lpfc_vport *vport = pmb->vport; ++ LPFC_MBOXQ_t *sparam_mb; ++ struct lpfc_dmabuf *sparam_mp; ++ int rc; + + if (pmb->u.mb.mbxStatus) + goto out; +@@ -1163,12 +1166,42 @@ lpfc_mbx_cmpl_local_config_link(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) + } + + /* Start discovery by sending a FLOGI. port_state is identically +- * LPFC_FLOGI while waiting for FLOGI cmpl. Check if sending +- * the FLOGI is being deferred till after MBX_READ_SPARAM completes. ++ * LPFC_FLOGI while waiting for FLOGI cmpl. + */ + if (vport->port_state != LPFC_FLOGI) { +- if (!(phba->hba_flag & HBA_DEFER_FLOGI)) ++ /* Issue MBX_READ_SPARAM to update CSPs before FLOGI if ++ * bb-credit recovery is in place. ++ */ ++ if (phba->bbcredit_support && phba->cfg_enable_bbcr && ++ !(phba->link_flag & LS_LOOPBACK_MODE)) { ++ sparam_mb = mempool_alloc(phba->mbox_mem_pool, ++ GFP_KERNEL); ++ if (!sparam_mb) ++ goto sparam_out; ++ ++ rc = lpfc_read_sparam(phba, sparam_mb, 0); ++ if (rc) { ++ mempool_free(sparam_mb, phba->mbox_mem_pool); ++ goto sparam_out; ++ } ++ sparam_mb->vport = vport; ++ sparam_mb->mbox_cmpl = lpfc_mbx_cmpl_read_sparam; ++ rc = lpfc_sli_issue_mbox(phba, sparam_mb, MBX_NOWAIT); ++ if (rc == MBX_NOT_FINISHED) { ++ sparam_mp = (struct lpfc_dmabuf *) ++ sparam_mb->ctx_buf; ++ lpfc_mbuf_free(phba, sparam_mp->virt, ++ sparam_mp->phys); ++ kfree(sparam_mp); ++ sparam_mb->ctx_buf = NULL; ++ mempool_free(sparam_mb, phba->mbox_mem_pool); ++ goto sparam_out; ++ } ++ ++ phba->hba_flag |= HBA_DEFER_FLOGI; ++ } else { + lpfc_initial_flogi(vport); ++ } + } else { + if (vport->fc_flag & FC_PT2PT) + lpfc_disc_start(vport); +@@ -1180,6 +1213,7 @@ out: + "0306 CONFIG_LINK mbxStatus error x%x " + "HBA state x%x\n", + pmb->u.mb.mbxStatus, vport->port_state); ++sparam_out: + mempool_free(pmb, phba->mbox_mem_pool); + + lpfc_linkdown(phba); +@@ -3237,21 +3271,6 @@ lpfc_mbx_process_link_up(struct lpfc_hba *phba, struct lpfc_mbx_read_top *la) + lpfc_linkup(phba); + sparam_mbox = NULL; + +- if (!(phba->hba_flag & HBA_FCOE_MODE)) { +- cfglink_mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); +- if (!cfglink_mbox) +- goto out; +- vport->port_state = LPFC_LOCAL_CFG_LINK; +- lpfc_config_link(phba, cfglink_mbox); +- cfglink_mbox->vport = vport; +- cfglink_mbox->mbox_cmpl = lpfc_mbx_cmpl_local_config_link; +- rc = lpfc_sli_issue_mbox(phba, cfglink_mbox, MBX_NOWAIT); +- if (rc == MBX_NOT_FINISHED) { +- mempool_free(cfglink_mbox, phba->mbox_mem_pool); +- goto out; +- } +- } +- + sparam_mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (!sparam_mbox) + goto out; +@@ -3272,7 +3291,20 @@ lpfc_mbx_process_link_up(struct lpfc_hba *phba, struct lpfc_mbx_read_top *la) + goto out; + } + +- if (phba->hba_flag & HBA_FCOE_MODE) { ++ if (!(phba->hba_flag & HBA_FCOE_MODE)) { ++ cfglink_mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); ++ if (!cfglink_mbox) ++ goto out; ++ vport->port_state = LPFC_LOCAL_CFG_LINK; ++ lpfc_config_link(phba, cfglink_mbox); ++ cfglink_mbox->vport = vport; ++ cfglink_mbox->mbox_cmpl = lpfc_mbx_cmpl_local_config_link; ++ rc = lpfc_sli_issue_mbox(phba, cfglink_mbox, MBX_NOWAIT); ++ if (rc == MBX_NOT_FINISHED) { ++ mempool_free(cfglink_mbox, phba->mbox_mem_pool); ++ goto out; ++ } ++ } else { + vport->port_state = LPFC_VPORT_UNKNOWN; + /* + * Add the driver's default FCF record at FCF index 0 now. This +@@ -3329,10 +3361,6 @@ lpfc_mbx_process_link_up(struct lpfc_hba *phba, struct lpfc_mbx_read_top *la) + } + /* Reset FCF roundrobin bmask for new discovery */ + lpfc_sli4_clear_fcf_rr_bmask(phba); +- } else { +- if (phba->bbcredit_support && phba->cfg_enable_bbcr && +- !(phba->link_flag & LS_LOOPBACK_MODE)) +- phba->hba_flag |= HBA_DEFER_FLOGI; + } + + /* Prepare for LINK up registrations */ +diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h +index 436cdc8c5ef46..b5642c8725938 100644 +--- a/drivers/scsi/lpfc/lpfc_hw.h ++++ b/drivers/scsi/lpfc/lpfc_hw.h +@@ -1340,25 +1340,8 @@ struct fc_rdp_res_frame { + /* lpfc_sli_ct_request defines the CT_IU preamble for FDMI commands */ + #define SLI_CT_FDMI_Subtypes 0x10 /* Management Service Subtype */ + +-/* +- * Registered Port List Format +- */ +-struct lpfc_fdmi_reg_port_list { +- uint32_t EntryCnt; +- uint32_t pe; /* Variable-length array */ +-}; +- +- + /* Definitions for HBA / Port attribute entries */ + +-struct lpfc_fdmi_attr_def { /* Defined in TLV format */ +- /* Structure is in Big Endian format */ +- uint32_t AttrType:16; +- uint32_t AttrLen:16; +- uint32_t AttrValue; /* Marks start of Value (ATTRIBUTE_ENTRY) */ +-}; +- +- + /* Attribute Entry */ + struct lpfc_fdmi_attr_entry { + union { +@@ -1369,7 +1352,13 @@ struct lpfc_fdmi_attr_entry { + } un; + }; + +-#define LPFC_FDMI_MAX_AE_SIZE sizeof(struct lpfc_fdmi_attr_entry) ++struct lpfc_fdmi_attr_def { /* Defined in TLV format */ ++ /* Structure is in Big Endian format */ ++ uint32_t AttrType:16; ++ uint32_t AttrLen:16; ++ /* Marks start of Value (ATTRIBUTE_ENTRY) */ ++ struct lpfc_fdmi_attr_entry AttrValue; ++} __packed; + + /* + * HBA Attribute Block +@@ -1393,13 +1382,20 @@ struct lpfc_fdmi_hba_ident { + struct lpfc_name PortName; + }; + ++/* ++ * Registered Port List Format ++ */ ++struct lpfc_fdmi_reg_port_list { ++ uint32_t EntryCnt; ++ struct lpfc_fdmi_port_entry pe; ++} __packed; ++ + /* + * Register HBA(RHBA) + */ + struct lpfc_fdmi_reg_hba { + struct lpfc_fdmi_hba_ident hi; +- struct lpfc_fdmi_reg_port_list rpl; /* variable-length array */ +-/* struct lpfc_fdmi_attr_block ab; */ ++ struct lpfc_fdmi_reg_port_list rpl; + }; + + /* +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index 95abffd9ad100..d4c83eca0ad2c 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -9124,6 +9124,7 @@ lpfc_sli4_release_hdwq(struct lpfc_hba *phba) + /* Free the CQ/WQ corresponding to the Hardware Queue */ + lpfc_sli4_queue_free(hdwq[idx].io_cq); + lpfc_sli4_queue_free(hdwq[idx].io_wq); ++ hdwq[idx].hba_eq = NULL; + hdwq[idx].io_cq = NULL; + hdwq[idx].io_wq = NULL; + if (phba->cfg_xpsgl && !phba->nvmet_support) +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 6961713825585..590a49e847626 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -279,6 +279,109 @@ lpfc_els_abort(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp) + lpfc_cancel_retry_delay_tmo(phba->pport, ndlp); + } + ++/* lpfc_defer_pt2pt_acc - Complete SLI3 pt2pt processing on link up ++ * @phba: pointer to lpfc hba data structure. ++ * @link_mbox: pointer to CONFIG_LINK mailbox object ++ * ++ * This routine is only called if we are SLI3, direct connect pt2pt ++ * mode and the remote NPort issues the PLOGI after link up. ++ */ ++void ++lpfc_defer_pt2pt_acc(struct lpfc_hba *phba, LPFC_MBOXQ_t *link_mbox) ++{ ++ LPFC_MBOXQ_t *login_mbox; ++ MAILBOX_t *mb = &link_mbox->u.mb; ++ struct lpfc_iocbq *save_iocb; ++ struct lpfc_nodelist *ndlp; ++ int rc; ++ ++ ndlp = link_mbox->ctx_ndlp; ++ login_mbox = link_mbox->context3; ++ save_iocb = login_mbox->context3; ++ link_mbox->context3 = NULL; ++ login_mbox->context3 = NULL; ++ ++ /* Check for CONFIG_LINK error */ ++ if (mb->mbxStatus) { ++ lpfc_printf_log(phba, KERN_ERR, LOG_DISCOVERY, ++ "4575 CONFIG_LINK fails pt2pt discovery: %x\n", ++ mb->mbxStatus); ++ mempool_free(login_mbox, phba->mbox_mem_pool); ++ mempool_free(link_mbox, phba->mbox_mem_pool); ++ kfree(save_iocb); ++ return; ++ } ++ ++ /* Now that CONFIG_LINK completed, and our SID is configured, ++ * we can now proceed with sending the PLOGI ACC. ++ */ ++ rc = lpfc_els_rsp_acc(link_mbox->vport, ELS_CMD_PLOGI, ++ save_iocb, ndlp, login_mbox); ++ if (rc) { ++ lpfc_printf_log(phba, KERN_ERR, LOG_DISCOVERY, ++ "4576 PLOGI ACC fails pt2pt discovery: %x\n", ++ rc); ++ mempool_free(login_mbox, phba->mbox_mem_pool); ++ } ++ ++ mempool_free(link_mbox, phba->mbox_mem_pool); ++ kfree(save_iocb); ++} ++ ++/** ++ * lpfc_defer_tgt_acc - Progress SLI4 target rcv PLOGI handler ++ * @phba: Pointer to HBA context object. ++ * @pmb: Pointer to mailbox object. ++ * ++ * This function provides the unreg rpi mailbox completion handler for a tgt. ++ * The routine frees the memory resources associated with the completed ++ * mailbox command and transmits the ELS ACC. ++ * ++ * This routine is only called if we are SLI4, acting in target ++ * mode and the remote NPort issues the PLOGI after link up. ++ **/ ++void ++lpfc_defer_acc_rsp(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) ++{ ++ struct lpfc_vport *vport = pmb->vport; ++ struct lpfc_nodelist *ndlp = pmb->ctx_ndlp; ++ LPFC_MBOXQ_t *mbox = pmb->context3; ++ struct lpfc_iocbq *piocb = NULL; ++ int rc; ++ ++ if (mbox) { ++ pmb->context3 = NULL; ++ piocb = mbox->context3; ++ mbox->context3 = NULL; ++ } ++ ++ /* ++ * Complete the unreg rpi mbx request, and update flags. ++ * This will also restart any deferred events. ++ */ ++ lpfc_nlp_get(ndlp); ++ lpfc_sli4_unreg_rpi_cmpl_clr(phba, pmb); ++ ++ if (!piocb) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_DISCOVERY | LOG_ELS, ++ "4578 PLOGI ACC fail\n"); ++ if (mbox) ++ mempool_free(mbox, phba->mbox_mem_pool); ++ goto out; ++ } ++ ++ rc = lpfc_els_rsp_acc(vport, ELS_CMD_PLOGI, piocb, ndlp, mbox); ++ if (rc) { ++ lpfc_printf_vlog(vport, KERN_ERR, LOG_DISCOVERY | LOG_ELS, ++ "4579 PLOGI ACC fail %x\n", rc); ++ if (mbox) ++ mempool_free(mbox, phba->mbox_mem_pool); ++ } ++ kfree(piocb); ++out: ++ lpfc_nlp_put(ndlp); ++} ++ + static int + lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + struct lpfc_iocbq *cmdiocb) +@@ -291,10 +394,13 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + IOCB_t *icmd; + struct serv_parm *sp; + uint32_t ed_tov; +- LPFC_MBOXQ_t *mbox; ++ LPFC_MBOXQ_t *link_mbox; ++ LPFC_MBOXQ_t *login_mbox; ++ struct lpfc_iocbq *save_iocb; + struct ls_rjt stat; + uint32_t vid, flag; +- int rc; ++ u16 rpi; ++ int rc, defer_acc; + + memset(&stat, 0, sizeof (struct ls_rjt)); + pcmd = (struct lpfc_dmabuf *) cmdiocb->context2; +@@ -343,6 +449,7 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + else + ndlp->nlp_fcp_info |= CLASS3; + ++ defer_acc = 0; + ndlp->nlp_class_sup = 0; + if (sp->cls1.classValid) + ndlp->nlp_class_sup |= FC_COS_CLASS1; +@@ -354,7 +461,6 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + ndlp->nlp_class_sup |= FC_COS_CLASS4; + ndlp->nlp_maxframe = + ((sp->cmn.bbRcvSizeMsb & 0x0F) << 8) | sp->cmn.bbRcvSizeLsb; +- + /* if already logged in, do implicit logout */ + switch (ndlp->nlp_state) { + case NLP_STE_NPR_NODE: +@@ -396,6 +502,10 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + ndlp->nlp_fcp_info &= ~NLP_FCP_2_DEVICE; + ndlp->nlp_flag &= ~NLP_FIRSTBURST; + ++ login_mbox = NULL; ++ link_mbox = NULL; ++ save_iocb = NULL; ++ + /* Check for Nport to NPort pt2pt protocol */ + if ((vport->fc_flag & FC_PT2PT) && + !(vport->fc_flag & FC_PT2PT_PLOGI)) { +@@ -423,17 +533,22 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + if (phba->sli_rev == LPFC_SLI_REV4) + lpfc_issue_reg_vfi(vport); + else { +- mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); +- if (mbox == NULL) ++ defer_acc = 1; ++ link_mbox = mempool_alloc(phba->mbox_mem_pool, ++ GFP_KERNEL); ++ if (!link_mbox) + goto out; +- lpfc_config_link(phba, mbox); +- mbox->mbox_cmpl = lpfc_sli_def_mbox_cmpl; +- mbox->vport = vport; +- rc = lpfc_sli_issue_mbox(phba, mbox, MBX_NOWAIT); +- if (rc == MBX_NOT_FINISHED) { +- mempool_free(mbox, phba->mbox_mem_pool); ++ lpfc_config_link(phba, link_mbox); ++ link_mbox->mbox_cmpl = lpfc_defer_pt2pt_acc; ++ link_mbox->vport = vport; ++ link_mbox->ctx_ndlp = ndlp; ++ ++ save_iocb = kzalloc(sizeof(*save_iocb), GFP_KERNEL); ++ if (!save_iocb) + goto out; +- } ++ /* Save info from cmd IOCB used in rsp */ ++ memcpy((uint8_t *)save_iocb, (uint8_t *)cmdiocb, ++ sizeof(struct lpfc_iocbq)); + } + + lpfc_can_disctmo(vport); +@@ -448,30 +563,57 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + ndlp->nlp_flag |= NLP_SUPPRESS_RSP; + } + +- mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); +- if (!mbox) ++ login_mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); ++ if (!login_mbox) + goto out; + + /* Registering an existing RPI behaves differently for SLI3 vs SLI4 */ +- if (phba->sli_rev == LPFC_SLI_REV4) ++ if (phba->nvmet_support && !defer_acc) { ++ link_mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); ++ if (!link_mbox) ++ goto out; ++ ++ /* As unique identifiers such as iotag would be overwritten ++ * with those from the cmdiocb, allocate separate temporary ++ * storage for the copy. ++ */ ++ save_iocb = kzalloc(sizeof(*save_iocb), GFP_KERNEL); ++ if (!save_iocb) ++ goto out; ++ ++ /* Unreg RPI is required for SLI4. */ ++ rpi = phba->sli4_hba.rpi_ids[ndlp->nlp_rpi]; ++ lpfc_unreg_login(phba, vport->vpi, rpi, link_mbox); ++ link_mbox->vport = vport; ++ link_mbox->ctx_ndlp = ndlp; ++ link_mbox->mbox_cmpl = lpfc_defer_acc_rsp; ++ ++ if (((ndlp->nlp_DID & Fabric_DID_MASK) != Fabric_DID_MASK) && ++ (!(vport->fc_flag & FC_OFFLINE_MODE))) ++ ndlp->nlp_flag |= NLP_UNREG_INP; ++ ++ /* Save info from cmd IOCB used in rsp */ ++ memcpy(save_iocb, cmdiocb, sizeof(*save_iocb)); ++ ++ /* Delay sending ACC till unreg RPI completes. */ ++ defer_acc = 1; ++ } else if (phba->sli_rev == LPFC_SLI_REV4) + lpfc_unreg_rpi(vport, ndlp); + + rc = lpfc_reg_rpi(phba, vport->vpi, icmd->un.rcvels.remoteID, +- (uint8_t *) sp, mbox, ndlp->nlp_rpi); +- if (rc) { +- mempool_free(mbox, phba->mbox_mem_pool); ++ (uint8_t *)sp, login_mbox, ndlp->nlp_rpi); ++ if (rc) + goto out; +- } + + /* ACC PLOGI rsp command needs to execute first, +- * queue this mbox command to be processed later. ++ * queue this login_mbox command to be processed later. + */ +- mbox->mbox_cmpl = lpfc_mbx_cmpl_reg_login; ++ login_mbox->mbox_cmpl = lpfc_mbx_cmpl_reg_login; + /* +- * mbox->ctx_ndlp = lpfc_nlp_get(ndlp) deferred until mailbox ++ * login_mbox->ctx_ndlp = lpfc_nlp_get(ndlp) deferred until mailbox + * command issued in lpfc_cmpl_els_acc(). + */ +- mbox->vport = vport; ++ login_mbox->vport = vport; + spin_lock_irq(shost->host_lock); + ndlp->nlp_flag |= (NLP_ACC_REGLOGIN | NLP_RCV_PLOGI); + spin_unlock_irq(shost->host_lock); +@@ -495,6 +637,9 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + if ((vport->port_type == LPFC_NPIV_PORT && + vport->cfg_restrict_login)) { + ++ /* no deferred ACC */ ++ kfree(save_iocb); ++ + /* In order to preserve RPIs, we want to cleanup + * the default RPI the firmware created to rcv + * this ELS request. The only way to do this is +@@ -506,16 +651,50 @@ lpfc_rcv_plogi(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + stat.un.b.lsRjtRsnCode = LSRJT_INVALID_CMD; + stat.un.b.lsRjtRsnCodeExp = LSEXP_NOTHING_MORE; + rc = lpfc_els_rsp_reject(vport, stat.un.lsRjtError, cmdiocb, +- ndlp, mbox); ++ ndlp, login_mbox); + if (rc) +- mempool_free(mbox, phba->mbox_mem_pool); ++ mempool_free(login_mbox, phba->mbox_mem_pool); + return 1; + } +- rc = lpfc_els_rsp_acc(vport, ELS_CMD_PLOGI, cmdiocb, ndlp, mbox); ++ if (defer_acc) { ++ /* So the order here should be: ++ * SLI3 pt2pt ++ * Issue CONFIG_LINK mbox ++ * CONFIG_LINK cmpl ++ * SLI4 tgt ++ * Issue UNREG RPI mbx ++ * UNREG RPI cmpl ++ * Issue PLOGI ACC ++ * PLOGI ACC cmpl ++ * Issue REG_LOGIN mbox ++ */ ++ ++ /* Save the REG_LOGIN mbox for and rcv IOCB copy later */ ++ link_mbox->context3 = login_mbox; ++ login_mbox->context3 = save_iocb; ++ ++ /* Start the ball rolling by issuing CONFIG_LINK here */ ++ rc = lpfc_sli_issue_mbox(phba, link_mbox, MBX_NOWAIT); ++ if (rc == MBX_NOT_FINISHED) ++ goto out; ++ return 1; ++ } ++ ++ rc = lpfc_els_rsp_acc(vport, ELS_CMD_PLOGI, cmdiocb, ndlp, login_mbox); + if (rc) +- mempool_free(mbox, phba->mbox_mem_pool); ++ mempool_free(login_mbox, phba->mbox_mem_pool); + return 1; + out: ++ if (defer_acc) ++ lpfc_printf_log(phba, KERN_ERR, LOG_DISCOVERY, ++ "4577 discovery failure: %p %p %p\n", ++ save_iocb, link_mbox, login_mbox); ++ kfree(save_iocb); ++ if (link_mbox) ++ mempool_free(link_mbox, phba->mbox_mem_pool); ++ if (login_mbox) ++ mempool_free(login_mbox, phba->mbox_mem_pool); ++ + stat.un.b.lsRjtRsnCode = LSRJT_UNABLE_TPC; + stat.un.b.lsRjtRsnCodeExp = LSEXP_OUT_OF_RESOURCE; + lpfc_els_rsp_reject(vport, stat.un.lsRjtError, cmdiocb, ndlp, NULL); +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index a951e1c8165ed..e2877d2b3cc0d 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -17866,6 +17866,10 @@ lpfc_prep_seq(struct lpfc_vport *vport, struct hbq_dmabuf *seq_dmabuf) + list_add_tail(&iocbq->list, &first_iocbq->list); + } + } ++ /* Free the sequence's header buffer */ ++ if (!first_iocbq) ++ lpfc_in_buf_free(vport->phba, &seq_dmabuf->dbuf); ++ + return first_iocbq; + } + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +index d5a62fea8fe3e..bae7cf70ee177 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c +@@ -3717,12 +3717,6 @@ mpt3sas_ctl_exit(ushort hbas_to_enumerate) + for (i = 0; i < MPI2_DIAG_BUF_TYPE_COUNT; i++) { + if (!ioc->diag_buffer[i]) + continue; +- if (!(ioc->diag_buffer_status[i] & +- MPT3_DIAG_BUFFER_IS_REGISTERED)) +- continue; +- if ((ioc->diag_buffer_status[i] & +- MPT3_DIAG_BUFFER_IS_RELEASED)) +- continue; + dma_free_coherent(&ioc->pdev->dev, + ioc->diag_buffer_sz[i], + ioc->diag_buffer[i], +diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c +index 027bf5b2981b9..36f5bab09f73e 100644 +--- a/drivers/scsi/pm8001/pm8001_sas.c ++++ b/drivers/scsi/pm8001/pm8001_sas.c +@@ -1202,8 +1202,8 @@ int pm8001_abort_task(struct sas_task *task) + pm8001_dev = dev->lldd_dev; + pm8001_ha = pm8001_find_ha_by_dev(dev); + phy_id = pm8001_dev->attached_phy; +- rc = pm8001_find_tag(task, &tag); +- if (rc == 0) { ++ ret = pm8001_find_tag(task, &tag); ++ if (ret == 0) { + pm8001_printk("no tag for task:%p\n", task); + return TMF_RESP_FUNC_FAILED; + } +@@ -1241,26 +1241,50 @@ int pm8001_abort_task(struct sas_task *task) + + /* 2. Send Phy Control Hard Reset */ + reinit_completion(&completion); ++ phy->port_reset_status = PORT_RESET_TMO; + phy->reset_success = false; + phy->enable_completion = &completion; + phy->reset_completion = &completion_reset; + ret = PM8001_CHIP_DISP->phy_ctl_req(pm8001_ha, phy_id, + PHY_HARD_RESET); +- if (ret) +- goto out; +- PM8001_MSG_DBG(pm8001_ha, +- pm8001_printk("Waiting for local phy ctl\n")); +- wait_for_completion(&completion); +- if (!phy->reset_success) ++ if (ret) { ++ phy->enable_completion = NULL; ++ phy->reset_completion = NULL; + goto out; ++ } + +- /* 3. Wait for Port Reset complete / Port reset TMO */ ++ /* In the case of the reset timeout/fail we still ++ * abort the command at the firmware. The assumption ++ * here is that the drive is off doing something so ++ * that it's not processing requests, and we want to ++ * avoid getting a completion for this and either ++ * leaking the task in libsas or losing the race and ++ * getting a double free. ++ */ + PM8001_MSG_DBG(pm8001_ha, ++ pm8001_printk("Waiting for local phy ctl\n")); ++ ret = wait_for_completion_timeout(&completion, ++ PM8001_TASK_TIMEOUT * HZ); ++ if (!ret || !phy->reset_success) { ++ phy->enable_completion = NULL; ++ phy->reset_completion = NULL; ++ } else { ++ /* 3. Wait for Port Reset complete or ++ * Port reset TMO ++ */ ++ PM8001_MSG_DBG(pm8001_ha, + pm8001_printk("Waiting for Port reset\n")); +- wait_for_completion(&completion_reset); +- if (phy->port_reset_status) { +- pm8001_dev_gone_notify(dev); +- goto out; ++ ret = wait_for_completion_timeout( ++ &completion_reset, ++ PM8001_TASK_TIMEOUT * HZ); ++ if (!ret) ++ phy->reset_completion = NULL; ++ WARN_ON(phy->port_reset_status == ++ PORT_RESET_TMO); ++ if (phy->port_reset_status == PORT_RESET_TMO) { ++ pm8001_dev_gone_notify(dev); ++ goto out; ++ } + } + + /* +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index 0f57c80734061..0f2622a48311c 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -1062,6 +1062,9 @@ static void qedi_ep_disconnect(struct iscsi_endpoint *ep) + break; + } + ++ if (!abrt_conn) ++ wait_delay += qedi->pf_params.iscsi_pf_params.two_msl_timer; ++ + qedi_ep->state = EP_STATE_DISCONN_START; + ret = qedi_ops->destroy_conn(qedi->cdev, qedi_ep->handle, abrt_conn); + if (ret) { +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index ac4c47fc5f4c1..62d2ee825c97a 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1002,7 +1002,7 @@ static void qla24xx_async_gnl_sp_done(srb_t *sp, int res) + set_bit(loop_id, vha->hw->loop_id_map); + wwn = wwn_to_u64(e->port_name); + +- ql_dbg(ql_dbg_disc + ql_dbg_verbose, vha, 0x20e8, ++ ql_dbg(ql_dbg_disc, vha, 0x20e8, + "%s %8phC %02x:%02x:%02x CLS %x/%x lid %x \n", + __func__, (void *)&wwn, e->port_id[2], e->port_id[1], + e->port_id[0], e->current_login_state, e->last_login_state, +@@ -1061,6 +1061,16 @@ static void qla24xx_async_gnl_sp_done(srb_t *sp, int res) + + spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags); + vha->gnl.sent = 0; ++ if (!list_empty(&vha->gnl.fcports)) { ++ /* retrigger gnl */ ++ list_for_each_entry_safe(fcport, tf, &vha->gnl.fcports, ++ gnl_entry) { ++ list_del_init(&fcport->gnl_entry); ++ fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE); ++ if (qla24xx_post_gnl_work(vha, fcport) == QLA_SUCCESS) ++ break; ++ } ++ } + spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); + + sp->free(sp); +@@ -1901,33 +1911,13 @@ qla24xx_handle_prli_done_event(struct scsi_qla_host *vha, struct event_arg *ea) + "%s %d %8phC post fc4 prli\n", + __func__, __LINE__, ea->fcport->port_name); + ea->fcport->fc4f_nvme = 0; +- qla24xx_post_prli_work(vha, ea->fcport); + return; + } + +- /* at this point both PRLI NVME & PRLI FCP failed */ +- if (N2N_TOPO(vha->hw)) { +- if (ea->fcport->n2n_link_reset_cnt < 3) { +- ea->fcport->n2n_link_reset_cnt++; +- /* +- * remote port is not sending Plogi. Reset +- * link to kick start his state machine +- */ +- set_bit(N2N_LINK_RESET, &vha->dpc_flags); +- } else { +- ql_log(ql_log_warn, vha, 0x2119, +- "%s %d %8phC Unable to reconnect\n", +- __func__, __LINE__, ea->fcport->port_name); +- } +- } else { +- /* +- * switch connect. login failed. Take connection +- * down and allow relogin to retrigger +- */ +- ea->fcport->flags &= ~FCF_ASYNC_SENT; +- ea->fcport->keep_nport_handle = 0; +- qlt_schedule_sess_for_deletion(ea->fcport); +- } ++ ea->fcport->flags &= ~FCF_ASYNC_SENT; ++ ea->fcport->keep_nport_handle = 0; ++ ea->fcport->logout_on_delete = 1; ++ qlt_schedule_sess_for_deletion(ea->fcport); + break; + } + } +@@ -1995,7 +1985,7 @@ qla24xx_handle_plogi_done_event(struct scsi_qla_host *vha, struct event_arg *ea) + qla24xx_post_prli_work(vha, ea->fcport); + } else { + ql_dbg(ql_dbg_disc, vha, 0x20ea, +- "%s %d %8phC LoopID 0x%x in use with %06x. post gnl\n", ++ "%s %d %8phC LoopID 0x%x in use with %06x. post gpdb\n", + __func__, __LINE__, ea->fcport->port_name, + ea->fcport->loop_id, ea->fcport->d_id.b24); + +@@ -2066,6 +2056,7 @@ qla24xx_handle_plogi_done_event(struct scsi_qla_host *vha, struct event_arg *ea) + set_bit(lid, vha->hw->loop_id_map); + ea->fcport->loop_id = lid; + ea->fcport->keep_nport_handle = 0; ++ ea->fcport->logout_on_delete = 1; + qlt_schedule_sess_for_deletion(ea->fcport); + } + break; +diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c +index bdf1994251b9b..aed4ce66e6cf9 100644 +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -2749,6 +2749,10 @@ static void qla2x00_els_dcmd2_sp_done(srb_t *sp, int res) + struct scsi_qla_host *vha = sp->vha; + struct event_arg ea; + struct qla_work_evt *e; ++ struct fc_port *conflict_fcport; ++ port_id_t cid; /* conflict Nport id */ ++ u32 *fw_status = sp->u.iocb_cmd.u.els_plogi.fw_status; ++ u16 lid; + + ql_dbg(ql_dbg_disc, vha, 0x3072, + "%s ELS done rc %d hdl=%x, portid=%06x %8phC\n", +@@ -2760,14 +2764,102 @@ static void qla2x00_els_dcmd2_sp_done(srb_t *sp, int res) + if (sp->flags & SRB_WAKEUP_ON_COMP) + complete(&lio->u.els_plogi.comp); + else { +- if (res) { +- set_bit(RELOGIN_NEEDED, &vha->dpc_flags); +- } else { ++ switch (fw_status[0]) { ++ case CS_DATA_UNDERRUN: ++ case CS_COMPLETE: + memset(&ea, 0, sizeof(ea)); + ea.fcport = fcport; + ea.data[0] = MBS_COMMAND_COMPLETE; + ea.sp = sp; + qla24xx_handle_plogi_done_event(vha, &ea); ++ break; ++ ++ case CS_IOCB_ERROR: ++ switch (fw_status[1]) { ++ case LSC_SCODE_PORTID_USED: ++ lid = fw_status[2] & 0xffff; ++ qlt_find_sess_invalidate_other(vha, ++ wwn_to_u64(fcport->port_name), ++ fcport->d_id, lid, &conflict_fcport); ++ if (conflict_fcport) { ++ /* ++ * Another fcport shares the same ++ * loop_id & nport id; conflict ++ * fcport needs to finish cleanup ++ * before this fcport can proceed ++ * to login. ++ */ ++ conflict_fcport->conflict = fcport; ++ fcport->login_pause = 1; ++ ql_dbg(ql_dbg_disc, vha, 0x20ed, ++ "%s %d %8phC pid %06x inuse with lid %#x post gidpn\n", ++ __func__, __LINE__, ++ fcport->port_name, ++ fcport->d_id.b24, lid); ++ } else { ++ ql_dbg(ql_dbg_disc, vha, 0x20ed, ++ "%s %d %8phC pid %06x inuse with lid %#x sched del\n", ++ __func__, __LINE__, ++ fcport->port_name, ++ fcport->d_id.b24, lid); ++ qla2x00_clear_loop_id(fcport); ++ set_bit(lid, vha->hw->loop_id_map); ++ fcport->loop_id = lid; ++ fcport->keep_nport_handle = 0; ++ qlt_schedule_sess_for_deletion(fcport); ++ } ++ break; ++ ++ case LSC_SCODE_NPORT_USED: ++ cid.b.domain = (fw_status[2] >> 16) & 0xff; ++ cid.b.area = (fw_status[2] >> 8) & 0xff; ++ cid.b.al_pa = fw_status[2] & 0xff; ++ cid.b.rsvd_1 = 0; ++ ++ ql_dbg(ql_dbg_disc, vha, 0x20ec, ++ "%s %d %8phC lid %#x in use with pid %06x post gnl\n", ++ __func__, __LINE__, fcport->port_name, ++ fcport->loop_id, cid.b24); ++ set_bit(fcport->loop_id, ++ vha->hw->loop_id_map); ++ fcport->loop_id = FC_NO_LOOP_ID; ++ qla24xx_post_gnl_work(vha, fcport); ++ break; ++ ++ case LSC_SCODE_NOXCB: ++ vha->hw->exch_starvation++; ++ if (vha->hw->exch_starvation > 5) { ++ ql_log(ql_log_warn, vha, 0xd046, ++ "Exchange starvation. Resetting RISC\n"); ++ vha->hw->exch_starvation = 0; ++ set_bit(ISP_ABORT_NEEDED, ++ &vha->dpc_flags); ++ qla2xxx_wake_dpc(vha); ++ } ++ /* fall through */ ++ default: ++ ql_dbg(ql_dbg_disc, vha, 0x20eb, ++ "%s %8phC cmd error fw_status 0x%x 0x%x 0x%x\n", ++ __func__, sp->fcport->port_name, ++ fw_status[0], fw_status[1], fw_status[2]); ++ ++ fcport->flags &= ~FCF_ASYNC_SENT; ++ fcport->disc_state = DSC_LOGIN_FAILED; ++ set_bit(RELOGIN_NEEDED, &vha->dpc_flags); ++ break; ++ } ++ break; ++ ++ default: ++ ql_dbg(ql_dbg_disc, vha, 0x20eb, ++ "%s %8phC cmd error 2 fw_status 0x%x 0x%x 0x%x\n", ++ __func__, sp->fcport->port_name, ++ fw_status[0], fw_status[1], fw_status[2]); ++ ++ sp->fcport->flags &= ~FCF_ASYNC_SENT; ++ sp->fcport->disc_state = DSC_LOGIN_FAILED; ++ set_bit(RELOGIN_NEEDED, &vha->dpc_flags); ++ break; + } + + e = qla2x00_alloc_work(vha, QLA_EVT_UNMAP); +@@ -2801,11 +2893,12 @@ qla24xx_els_dcmd2_iocb(scsi_qla_host_t *vha, int els_opcode, + return -ENOMEM; + } + ++ fcport->flags |= FCF_ASYNC_SENT; ++ fcport->disc_state = DSC_LOGIN_PEND; + elsio = &sp->u.iocb_cmd; + ql_dbg(ql_dbg_io, vha, 0x3073, + "Enter: PLOGI portid=%06x\n", fcport->d_id.b24); + +- fcport->flags |= FCF_ASYNC_SENT; + sp->type = SRB_ELS_DCMD; + sp->name = "ELS_DCMD"; + sp->fcport = fcport; +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index b75e6e4d58c06..a7acc266cec06 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -957,7 +957,7 @@ void qlt_free_session_done(struct work_struct *work) + struct qlt_plogi_ack_t *own = + sess->plogi_link[QLT_PLOGI_LINK_SAME_WWN]; + +- ql_dbg(ql_dbg_tgt_mgt, vha, 0xf084, ++ ql_dbg(ql_dbg_disc, vha, 0xf084, + "%s: se_sess %p / sess %p from port %8phC loop_id %#04x" + " s_id %02x:%02x:%02x logout %d keep %d els_logo %d\n", + __func__, sess->se_sess, sess, sess->port_name, sess->loop_id, +@@ -1024,7 +1024,7 @@ void qlt_free_session_done(struct work_struct *work) + + while (!READ_ONCE(sess->logout_completed)) { + if (!traced) { +- ql_dbg(ql_dbg_tgt_mgt, vha, 0xf086, ++ ql_dbg(ql_dbg_disc, vha, 0xf086, + "%s: waiting for sess %p logout\n", + __func__, sess); + traced = true; +@@ -1045,6 +1045,10 @@ void qlt_free_session_done(struct work_struct *work) + (struct imm_ntfy_from_isp *)sess->iocb, SRB_NACK_LOGO); + } + ++ spin_lock_irqsave(&vha->work_lock, flags); ++ sess->flags &= ~FCF_ASYNC_SENT; ++ spin_unlock_irqrestore(&vha->work_lock, flags); ++ + spin_lock_irqsave(&ha->tgt.sess_lock, flags); + if (sess->se_sess) { + sess->se_sess = NULL; +@@ -1108,7 +1112,7 @@ void qlt_free_session_done(struct work_struct *work) + spin_unlock_irqrestore(&ha->tgt.sess_lock, flags); + sess->free_pending = 0; + +- ql_dbg(ql_dbg_tgt_mgt, vha, 0xf001, ++ ql_dbg(ql_dbg_disc, vha, 0xf001, + "Unregistration of sess %p %8phC finished fcp_cnt %d\n", + sess, sess->port_name, vha->fcport_count); + +@@ -1151,6 +1155,11 @@ void qlt_unreg_sess(struct fc_port *sess) + return; + } + sess->free_pending = 1; ++ /* ++ * Use FCF_ASYNC_SENT flag to block other cmds used in sess ++ * management from being sent. ++ */ ++ sess->flags |= FCF_ASYNC_SENT; + spin_unlock_irqrestore(&sess->vha->work_lock, flags); + + if (sess->se_sess) +@@ -4580,7 +4589,7 @@ qlt_find_sess_invalidate_other(scsi_qla_host_t *vha, uint64_t wwn, + /* find other sess with nport_id collision */ + if (port_id.b24 == other_sess->d_id.b24) { + if (loop_id != other_sess->loop_id) { +- ql_dbg(ql_dbg_tgt_tmr, vha, 0x1000c, ++ ql_dbg(ql_dbg_disc, vha, 0x1000c, + "Invalidating sess %p loop_id %d wwn %llx.\n", + other_sess, other_sess->loop_id, other_wwn); + +@@ -4596,7 +4605,7 @@ qlt_find_sess_invalidate_other(scsi_qla_host_t *vha, uint64_t wwn, + * Another wwn used to have our s_id/loop_id + * kill the session, but don't free the loop_id + */ +- ql_dbg(ql_dbg_tgt_tmr, vha, 0xf01b, ++ ql_dbg(ql_dbg_disc, vha, 0xf01b, + "Invalidating sess %p loop_id %d wwn %llx.\n", + other_sess, other_sess->loop_id, other_wwn); + +@@ -4611,7 +4620,7 @@ qlt_find_sess_invalidate_other(scsi_qla_host_t *vha, uint64_t wwn, + /* find other sess with nport handle collision */ + if ((loop_id == other_sess->loop_id) && + (loop_id != FC_NO_LOOP_ID)) { +- ql_dbg(ql_dbg_tgt_tmr, vha, 0x1000d, ++ ql_dbg(ql_dbg_disc, vha, 0x1000d, + "Invalidating sess %p loop_id %d wwn %llx.\n", + other_sess, other_sess->loop_id, other_wwn); + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 5e502e1605549..d538b3d4f74a5 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -334,27 +334,27 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba, + u8 opcode = 0; + u32 intr, doorbell; + struct ufshcd_lrb *lrbp = &hba->lrb[tag]; ++ struct scsi_cmnd *cmd = lrbp->cmd; + int transfer_len = -1; + + if (!trace_ufshcd_command_enabled()) { + /* trace UPIU W/O tracing command */ +- if (lrbp->cmd) ++ if (cmd) + ufshcd_add_cmd_upiu_trace(hba, tag, str); + return; + } + +- if (lrbp->cmd) { /* data phase exists */ ++ if (cmd) { /* data phase exists */ + /* trace UPIU also */ + ufshcd_add_cmd_upiu_trace(hba, tag, str); +- opcode = (u8)(*lrbp->cmd->cmnd); ++ opcode = cmd->cmnd[0]; + if ((opcode == READ_10) || (opcode == WRITE_10)) { + /* + * Currently we only fully trace read(10) and write(10) + * commands + */ +- if (lrbp->cmd->request && lrbp->cmd->request->bio) +- lba = +- lrbp->cmd->request->bio->bi_iter.bi_sector; ++ if (cmd->request && cmd->request->bio) ++ lba = cmd->request->bio->bi_iter.bi_sector; + transfer_len = be32_to_cpu( + lrbp->ucd_req_ptr->sc.exp_data_transfer_len); + } +@@ -1888,12 +1888,12 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag) + { + hba->lrb[task_tag].issue_time_stamp = ktime_get(); + hba->lrb[task_tag].compl_time_stamp = ktime_set(0, 0); ++ ufshcd_add_command_trace(hba, task_tag, "send"); + ufshcd_clk_scaling_start_busy(hba); + __set_bit(task_tag, &hba->outstanding_reqs); + ufshcd_writel(hba, 1 << task_tag, REG_UTP_TRANSFER_REQ_DOOR_BELL); + /* Make sure that doorbell is committed immediately */ + wmb(); +- ufshcd_add_command_trace(hba, task_tag, "send"); + } + + /** +diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c +index fc53dbe57f854..a90963812357c 100644 +--- a/drivers/soundwire/bus.c ++++ b/drivers/soundwire/bus.c +@@ -113,6 +113,8 @@ static int sdw_delete_slave(struct device *dev, void *data) + struct sdw_slave *slave = dev_to_sdw_dev(dev); + struct sdw_bus *bus = slave->bus; + ++ pm_runtime_disable(dev); ++ + sdw_slave_debugfs_exit(slave); + + mutex_lock(&bus->bus_lock); +diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c +index 502ed4ec8f070..e3d06330d1258 100644 +--- a/drivers/soundwire/cadence_master.c ++++ b/drivers/soundwire/cadence_master.c +@@ -231,6 +231,22 @@ static int cdns_clear_bit(struct sdw_cdns *cdns, int offset, u32 value) + return -EAGAIN; + } + ++/* ++ * all changes to the MCP_CONFIG, MCP_CONTROL, MCP_CMDCTRL and MCP_PHYCTRL ++ * need to be confirmed with a write to MCP_CONFIG_UPDATE ++ */ ++static int cdns_update_config(struct sdw_cdns *cdns) ++{ ++ int ret; ++ ++ ret = cdns_clear_bit(cdns, CDNS_MCP_CONFIG_UPDATE, ++ CDNS_MCP_CONFIG_UPDATE_BIT); ++ if (ret < 0) ++ dev_err(cdns->dev, "Config update timedout\n"); ++ ++ return ret; ++} ++ + /* + * debugfs + */ +@@ -752,7 +768,38 @@ EXPORT_SYMBOL(sdw_cdns_thread); + /* + * init routines + */ +-static int _cdns_enable_interrupt(struct sdw_cdns *cdns) ++ ++/** ++ * sdw_cdns_exit_reset() - Program reset parameters and start bus operations ++ * @cdns: Cadence instance ++ */ ++int sdw_cdns_exit_reset(struct sdw_cdns *cdns) ++{ ++ /* program maximum length reset to be safe */ ++ cdns_updatel(cdns, CDNS_MCP_CONTROL, ++ CDNS_MCP_CONTROL_RST_DELAY, ++ CDNS_MCP_CONTROL_RST_DELAY); ++ ++ /* use hardware generated reset */ ++ cdns_updatel(cdns, CDNS_MCP_CONTROL, ++ CDNS_MCP_CONTROL_HW_RST, ++ CDNS_MCP_CONTROL_HW_RST); ++ ++ /* enable bus operations with clock and data */ ++ cdns_updatel(cdns, CDNS_MCP_CONFIG, ++ CDNS_MCP_CONFIG_OP, ++ CDNS_MCP_CONFIG_OP_NORMAL); ++ ++ /* commit changes */ ++ return cdns_update_config(cdns); ++} ++EXPORT_SYMBOL(sdw_cdns_exit_reset); ++ ++/** ++ * sdw_cdns_enable_interrupt() - Enable SDW interrupts and update config ++ * @cdns: Cadence instance ++ */ ++int sdw_cdns_enable_interrupt(struct sdw_cdns *cdns) + { + u32 mask; + +@@ -784,24 +831,8 @@ static int _cdns_enable_interrupt(struct sdw_cdns *cdns) + + cdns_writel(cdns, CDNS_MCP_INTMASK, mask); + +- return 0; +-} +- +-/** +- * sdw_cdns_enable_interrupt() - Enable SDW interrupts and update config +- * @cdns: Cadence instance +- */ +-int sdw_cdns_enable_interrupt(struct sdw_cdns *cdns) +-{ +- int ret; +- +- _cdns_enable_interrupt(cdns); +- ret = cdns_clear_bit(cdns, CDNS_MCP_CONFIG_UPDATE, +- CDNS_MCP_CONFIG_UPDATE_BIT); +- if (ret < 0) +- dev_err(cdns->dev, "Config update timedout\n"); +- +- return ret; ++ /* commit changes */ ++ return cdns_update_config(cdns); + } + EXPORT_SYMBOL(sdw_cdns_enable_interrupt); + +@@ -975,6 +1006,10 @@ int sdw_cdns_init(struct sdw_cdns *cdns) + cdns_writel(cdns, CDNS_MCP_SSP_CTRL0, CDNS_DEFAULT_SSP_INTERVAL); + cdns_writel(cdns, CDNS_MCP_SSP_CTRL1, CDNS_DEFAULT_SSP_INTERVAL); + ++ /* flush command FIFOs */ ++ cdns_updatel(cdns, CDNS_MCP_CONTROL, CDNS_MCP_CONTROL_CMD_RST, ++ CDNS_MCP_CONTROL_CMD_RST); ++ + /* Set cmd accept mode */ + cdns_updatel(cdns, CDNS_MCP_CONTROL, CDNS_MCP_CONTROL_CMD_ACCEPT, + CDNS_MCP_CONTROL_CMD_ACCEPT); +@@ -997,13 +1032,10 @@ int sdw_cdns_init(struct sdw_cdns *cdns) + /* Set cmd mode for Tx and Rx cmds */ + val &= ~CDNS_MCP_CONFIG_CMD; + +- /* Set operation to normal */ +- val &= ~CDNS_MCP_CONFIG_OP; +- val |= CDNS_MCP_CONFIG_OP_NORMAL; +- + cdns_writel(cdns, CDNS_MCP_CONFIG, val); + +- return 0; ++ /* commit changes */ ++ return cdns_update_config(cdns); + } + EXPORT_SYMBOL(sdw_cdns_init); + +diff --git a/drivers/soundwire/cadence_master.h b/drivers/soundwire/cadence_master.h +index 0b72b70947352..1a67728c5000f 100644 +--- a/drivers/soundwire/cadence_master.h ++++ b/drivers/soundwire/cadence_master.h +@@ -161,6 +161,7 @@ irqreturn_t sdw_cdns_thread(int irq, void *dev_id); + int sdw_cdns_init(struct sdw_cdns *cdns); + int sdw_cdns_pdi_init(struct sdw_cdns *cdns, + struct sdw_cdns_stream_config config); ++int sdw_cdns_exit_reset(struct sdw_cdns *cdns); + int sdw_cdns_enable_interrupt(struct sdw_cdns *cdns); + + #ifdef CONFIG_DEBUG_FS +diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c +index 243af8198d1c6..a2da04946f0b4 100644 +--- a/drivers/soundwire/intel.c ++++ b/drivers/soundwire/intel.c +@@ -1050,8 +1050,6 @@ static int intel_probe(struct platform_device *pdev) + if (ret) + goto err_init; + +- ret = sdw_cdns_enable_interrupt(&sdw->cdns); +- + /* Read the PDI config and initialize cadence PDI */ + intel_pdi_init(sdw, &config); + ret = sdw_cdns_pdi_init(&sdw->cdns, config); +@@ -1069,6 +1067,18 @@ static int intel_probe(struct platform_device *pdev) + goto err_init; + } + ++ ret = sdw_cdns_enable_interrupt(&sdw->cdns); ++ if (ret < 0) { ++ dev_err(sdw->cdns.dev, "cannot enable interrupts\n"); ++ goto err_init; ++ } ++ ++ ret = sdw_cdns_exit_reset(&sdw->cdns); ++ if (ret < 0) { ++ dev_err(sdw->cdns.dev, "unable to exit bus reset sequence\n"); ++ goto err_init; ++ } ++ + /* Register DAIs */ + ret = intel_register_dai(sdw); + if (ret) { +diff --git a/drivers/staging/media/imx/imx-media-capture.c b/drivers/staging/media/imx/imx-media-capture.c +index 46576e32581f0..d151cd6d31884 100644 +--- a/drivers/staging/media/imx/imx-media-capture.c ++++ b/drivers/staging/media/imx/imx-media-capture.c +@@ -785,7 +785,7 @@ int imx_media_capture_device_register(struct imx_media_video_dev *vdev) + /* setup default format */ + fmt_src.pad = priv->src_sd_pad; + fmt_src.which = V4L2_SUBDEV_FORMAT_ACTIVE; +- v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src); ++ ret = v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src); + if (ret) { + v4l2_err(sd, "failed to get src_sd format\n"); + goto unreg; +diff --git a/drivers/staging/rtl8188eu/core/rtw_recv.c b/drivers/staging/rtl8188eu/core/rtw_recv.c +index d4278361e0028..a036ef104198e 100644 +--- a/drivers/staging/rtl8188eu/core/rtw_recv.c ++++ b/drivers/staging/rtl8188eu/core/rtw_recv.c +@@ -1525,21 +1525,14 @@ static int amsdu_to_msdu(struct adapter *padapter, struct recv_frame *prframe) + + /* Allocate new skb for releasing to upper layer */ + sub_skb = dev_alloc_skb(nSubframe_Length + 12); +- if (sub_skb) { +- skb_reserve(sub_skb, 12); +- skb_put_data(sub_skb, pdata, nSubframe_Length); +- } else { +- sub_skb = skb_clone(prframe->pkt, GFP_ATOMIC); +- if (sub_skb) { +- sub_skb->data = pdata; +- sub_skb->len = nSubframe_Length; +- skb_set_tail_pointer(sub_skb, nSubframe_Length); +- } else { +- DBG_88E("skb_clone() Fail!!! , nr_subframes=%d\n", nr_subframes); +- break; +- } ++ if (!sub_skb) { ++ DBG_88E("dev_alloc_skb() Fail!!! , nr_subframes=%d\n", nr_subframes); ++ break; + } + ++ skb_reserve(sub_skb, 12); ++ skb_put_data(sub_skb, pdata, nSubframe_Length); ++ + subframes[nr_subframes++] = sub_skb; + + if (nr_subframes >= MAX_SUBFRAME_COUNT) { +diff --git a/drivers/thermal/rcar_thermal.c b/drivers/thermal/rcar_thermal.c +index d0873de718da9..43f0cd2bd0ae6 100644 +--- a/drivers/thermal/rcar_thermal.c ++++ b/drivers/thermal/rcar_thermal.c +@@ -526,8 +526,10 @@ static int rcar_thermal_probe(struct platform_device *pdev) + res = platform_get_resource(pdev, IORESOURCE_MEM, + mres++); + common->base = devm_ioremap_resource(dev, res); +- if (IS_ERR(common->base)) +- return PTR_ERR(common->base); ++ if (IS_ERR(common->base)) { ++ ret = PTR_ERR(common->base); ++ goto error_unregister; ++ } + + idle = 0; /* polling delay is not needed */ + } +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index 836e736ae188b..f2c6d9d3bb28f 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -790,7 +790,10 @@ static void __dma_rx_do_complete(struct uart_8250_port *p) + dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state); + + count = dma->rx_size - state.residue; +- ++ if (count < dma->rx_size) ++ dmaengine_terminate_async(dma->rxchan); ++ if (!count) ++ goto unlock; + ret = tty_insert_flip_string(tty_port, dma->rx_buf, count); + + p->port.icount.rx += ret; +@@ -852,7 +855,6 @@ static void omap_8250_rx_dma_flush(struct uart_8250_port *p) + spin_unlock_irqrestore(&priv->rx_dma_lock, flags); + + __dma_rx_do_complete(p); +- dmaengine_terminate_all(dma->rxchan); + } + + static int omap_8250_rx_dma(struct uart_8250_port *p) +@@ -1234,6 +1236,7 @@ static int omap8250_probe(struct platform_device *pdev) + spin_lock_init(&priv->rx_dma_lock); + + device_init_wakeup(&pdev->dev, true); ++ pm_runtime_enable(&pdev->dev); + pm_runtime_use_autosuspend(&pdev->dev); + + /* +@@ -1247,7 +1250,6 @@ static int omap8250_probe(struct platform_device *pdev) + pm_runtime_set_autosuspend_delay(&pdev->dev, -1); + + pm_runtime_irq_safe(&pdev->dev); +- pm_runtime_enable(&pdev->dev); + + pm_runtime_get_sync(&pdev->dev); + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 90f09ed6e5ad3..5b673077639ba 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1816,6 +1816,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + unsigned char status; + unsigned long flags; + struct uart_8250_port *up = up_to_u8250p(port); ++ bool skip_rx = false; + + if (iir & UART_IIR_NO_INT) + return 0; +@@ -1824,7 +1825,20 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + + status = serial_port_in(port, UART_LSR); + +- if (status & (UART_LSR_DR | UART_LSR_BI)) { ++ /* ++ * If port is stopped and there are no error conditions in the ++ * FIFO, then don't drain the FIFO, as this may lead to TTY buffer ++ * overflow. Not servicing, RX FIFO would trigger auto HW flow ++ * control when FIFO occupancy reaches preset threshold, thus ++ * halting RX. This only works when auto HW flow control is ++ * available. ++ */ ++ if (!(status & (UART_LSR_FIFOE | UART_LSR_BRK_ERROR_BITS)) && ++ (port->status & (UPSTAT_AUTOCTS | UPSTAT_AUTORTS)) && ++ !(port->read_status_mask & UART_LSR_DR)) ++ skip_rx = true; ++ ++ if (status & (UART_LSR_DR | UART_LSR_BI) && !skip_rx) { + if (!up->dma || handle_rx_dma(up, iir)) + status = serial8250_rx_chars(up, status); + } +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 71f99e9217592..c7683beb3412a 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1187,14 +1187,14 @@ static unsigned int s3c24xx_serial_getclk(struct s3c24xx_uart_port *ourport, + struct s3c24xx_uart_info *info = ourport->info; + struct clk *clk; + unsigned long rate; +- unsigned int cnt, baud, quot, clk_sel, best_quot = 0; ++ unsigned int cnt, baud, quot, best_quot = 0; + char clkname[MAX_CLK_NAME_LENGTH]; + int calc_deviation, deviation = (1 << 30) - 1; + +- clk_sel = (ourport->cfg->clk_sel) ? ourport->cfg->clk_sel : +- ourport->info->def_clk_sel; + for (cnt = 0; cnt < info->num_clks; cnt++) { +- if (!(clk_sel & (1 << cnt))) ++ /* Keep selected clock if provided */ ++ if (ourport->cfg->clk_sel && ++ !(ourport->cfg->clk_sel & (1 << cnt))) + continue; + + sprintf(clkname, "clk_uart_baud%d", cnt); +diff --git a/drivers/tty/serial/sifive.c b/drivers/tty/serial/sifive.c +index 38133eba83a87..b4343c6aa6512 100644 +--- a/drivers/tty/serial/sifive.c ++++ b/drivers/tty/serial/sifive.c +@@ -618,10 +618,10 @@ static void sifive_serial_shutdown(struct uart_port *port) + * + * On the V0 SoC, the UART IP block is derived from the CPU clock source + * after a synchronous divide-by-two divider, so any CPU clock rate change +- * requires the UART baud rate to be updated. This presumably could corrupt any +- * serial word currently being transmitted or received. It would probably +- * be better to stop receives and transmits, then complete the baud rate +- * change, then re-enable them. ++ * requires the UART baud rate to be updated. This presumably corrupts any ++ * serial word currently being transmitted or received. In order to avoid ++ * corrupting the output data stream, we drain the transmit queue before ++ * allowing the clock's rate to be changed. + */ + static int sifive_serial_clk_notifier(struct notifier_block *nb, + unsigned long event, void *data) +@@ -629,6 +629,26 @@ static int sifive_serial_clk_notifier(struct notifier_block *nb, + struct clk_notifier_data *cnd = data; + struct sifive_serial_port *ssp = notifier_to_sifive_serial_port(nb); + ++ if (event == PRE_RATE_CHANGE) { ++ /* ++ * The TX watermark is always set to 1 by this driver, which ++ * means that the TX busy bit will lower when there are 0 bytes ++ * left in the TX queue -- in other words, when the TX FIFO is ++ * empty. ++ */ ++ __ssp_wait_for_xmitr(ssp); ++ /* ++ * On the cycle the TX FIFO goes empty there is still a full ++ * UART frame left to be transmitted in the shift register. ++ * The UART provides no way for software to directly determine ++ * when that last frame has been transmitted, so we just sleep ++ * here instead. As we're not tracking the number of stop bits ++ * they're just worst cased here. The rest of the serial ++ * framing parameters aren't configurable by software. ++ */ ++ udelay(DIV_ROUND_UP(12 * 1000 * 1000, ssp->baud_rate)); ++ } ++ + if (event == POST_RATE_CHANGE && ssp->clkin_rate != cnd->new_rate) { + ssp->clkin_rate = cnd->new_rate; + __ssp_update_div(ssp); +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 8948970f795e6..9359c80fbb9f5 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1248,6 +1248,7 @@ static int cdns_uart_console_setup(struct console *co, char *options) + int bits = 8; + int parity = 'n'; + int flow = 'n'; ++ unsigned long time_out; + + if (!port->membase) { + pr_debug("console on " CDNS_UART_TTY_NAME "%i not present\n", +@@ -1258,6 +1259,13 @@ static int cdns_uart_console_setup(struct console *co, char *options) + if (options) + uart_parse_options(options, &baud, &parity, &bits, &flow); + ++ /* Wait for tx_empty before setting up the console */ ++ time_out = jiffies + usecs_to_jiffies(TX_TIMEOUT); ++ ++ while (time_before(jiffies, time_out) && ++ cdns_uart_tx_empty(port) != TIOCSER_TEMT) ++ cpu_relax(); ++ + return uart_set_options(port, co, baud, parity, bits, flow); + } + +diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c +index d2a1e1228c82d..9ffd42e333b83 100644 +--- a/drivers/tty/vcc.c ++++ b/drivers/tty/vcc.c +@@ -605,6 +605,7 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id) + port->index = vcc_table_add(port); + if (port->index == -1) { + pr_err("VCC: no more TTY indices left for allocation\n"); ++ rv = -ENOMEM; + goto free_ldc; + } + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 4225544342519..809103254fc64 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -270,7 +270,7 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned cmd, + { + const struct usb_endpoint_descriptor *desc = dep->endpoint.desc; + struct dwc3 *dwc = dep->dwc; +- u32 timeout = 1000; ++ u32 timeout = 5000; + u32 saved_config = 0; + u32 reg; + +diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c +index 66ec1fdf9fe7d..b6f196f5e252e 100644 +--- a/drivers/usb/host/ehci-mv.c ++++ b/drivers/usb/host/ehci-mv.c +@@ -156,12 +156,10 @@ static int mv_ehci_probe(struct platform_device *pdev) + hcd->rsrc_len = resource_size(r); + hcd->regs = ehci_mv->op_regs; + +- hcd->irq = platform_get_irq(pdev, 0); +- if (!hcd->irq) { +- dev_err(&pdev->dev, "Cannot get irq."); +- retval = -ENODEV; ++ retval = platform_get_irq(pdev, 0); ++ if (retval < 0) + goto err_disable_clk; +- } ++ hcd->irq = retval; + + ehci = hcd_to_ehci(hcd); + ehci->caps = (struct ehci_caps *) ehci_mv->cap_regs; +diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c +index 0d16f9806655f..a72fd5309b09f 100644 +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -474,6 +474,19 @@ static void vfio_pci_release(void *device_data) + if (!(--vdev->refcnt)) { + vfio_spapr_pci_eeh_release(vdev->pdev); + vfio_pci_disable(vdev); ++ mutex_lock(&vdev->igate); ++ if (vdev->err_trigger) { ++ eventfd_ctx_put(vdev->err_trigger); ++ vdev->err_trigger = NULL; ++ } ++ mutex_unlock(&vdev->igate); ++ ++ mutex_lock(&vdev->igate); ++ if (vdev->req_trigger) { ++ eventfd_ctx_put(vdev->req_trigger); ++ vdev->req_trigger = NULL; ++ } ++ mutex_unlock(&vdev->igate); + } + + mutex_unlock(&vdev->reflck->lock); +diff --git a/fs/block_dev.c b/fs/block_dev.c +index 2dc9c73a4cb29..79272cdbe8277 100644 +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -1857,6 +1857,16 @@ static void __blkdev_put(struct block_device *bdev, fmode_t mode, int for_part) + struct gendisk *disk = bdev->bd_disk; + struct block_device *victim = NULL; + ++ /* ++ * Sync early if it looks like we're the last one. If someone else ++ * opens the block device between now and the decrement of bd_openers ++ * then we did a sync that we didn't need to, but that's not the end ++ * of the world and we want to avoid long (could be several minute) ++ * syncs while holding the mutex. ++ */ ++ if (bdev->bd_openers == 1) ++ sync_blockdev(bdev); ++ + mutex_lock_nested(&bdev->bd_mutex, for_part); + if (for_part) + bdev->bd_part_count--; +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index dd6fb2ee80409..cd65ef7c7c3f2 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -649,16 +649,15 @@ static int btree_readpage_end_io_hook(struct btrfs_io_bio *io_bio, + goto err; + + if (memcmp_extent_buffer(eb, result, 0, csum_size)) { +- u32 val; +- u32 found = 0; +- +- memcpy(&found, result, csum_size); ++ u8 val[BTRFS_CSUM_SIZE] = { 0 }; + + read_extent_buffer(eb, &val, 0, csum_size); + btrfs_warn_rl(fs_info, +- "%s checksum verify failed on %llu wanted %x found %x level %d", ++ "%s checksum verify failed on %llu wanted " CSUM_FMT " found " CSUM_FMT " level %d", + fs_info->sb->s_id, eb->start, +- val, found, btrfs_header_level(eb)); ++ CSUM_FMT_VALUE(csum_size, val), ++ CSUM_FMT_VALUE(csum_size, result), ++ btrfs_header_level(eb)); + ret = -EUCLEAN; + goto err; + } +diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c +index 31c1ed554d26d..7658f3193175b 100644 +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -5428,8 +5428,6 @@ out: + */ + if (!for_reloc && !root_dropped) + btrfs_add_dead_root(root); +- if (err && err != -EAGAIN) +- btrfs_handle_fs_error(fs_info, err, NULL); + return err; + } + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 9ac40991a6405..182e93a5b11d5 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -8586,14 +8586,64 @@ err: + return ret; + } + +-static int btrfs_submit_direct_hook(struct btrfs_dio_private *dip) ++/* ++ * If this succeeds, the btrfs_dio_private is responsible for cleaning up locked ++ * or ordered extents whether or not we submit any bios. ++ */ ++static struct btrfs_dio_private *btrfs_create_dio_private(struct bio *dio_bio, ++ struct inode *inode, ++ loff_t file_offset) + { +- struct inode *inode = dip->inode; ++ const bool write = (bio_op(dio_bio) == REQ_OP_WRITE); ++ struct btrfs_dio_private *dip; ++ struct bio *bio; ++ ++ dip = kzalloc(sizeof(*dip), GFP_NOFS); ++ if (!dip) ++ return NULL; ++ ++ bio = btrfs_bio_clone(dio_bio); ++ bio->bi_private = dip; ++ btrfs_io_bio(bio)->logical = file_offset; ++ ++ dip->private = dio_bio->bi_private; ++ dip->inode = inode; ++ dip->logical_offset = file_offset; ++ dip->bytes = dio_bio->bi_iter.bi_size; ++ dip->disk_bytenr = (u64)dio_bio->bi_iter.bi_sector << 9; ++ dip->orig_bio = bio; ++ dip->dio_bio = dio_bio; ++ atomic_set(&dip->pending_bios, 1); ++ ++ if (write) { ++ struct btrfs_dio_data *dio_data = current->journal_info; ++ ++ /* ++ * Setting range start and end to the same value means that ++ * no cleanup will happen in btrfs_direct_IO ++ */ ++ dio_data->unsubmitted_oe_range_end = dip->logical_offset + ++ dip->bytes; ++ dio_data->unsubmitted_oe_range_start = ++ dio_data->unsubmitted_oe_range_end; ++ ++ bio->bi_end_io = btrfs_endio_direct_write; ++ } else { ++ bio->bi_end_io = btrfs_endio_direct_read; ++ dip->subio_endio = btrfs_subio_endio_read; ++ } ++ return dip; ++} ++ ++static void btrfs_submit_direct(struct bio *dio_bio, struct inode *inode, ++ loff_t file_offset) ++{ ++ const bool write = (bio_op(dio_bio) == REQ_OP_WRITE); + struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb); ++ struct btrfs_dio_private *dip; + struct bio *bio; +- struct bio *orig_bio = dip->orig_bio; +- u64 start_sector = orig_bio->bi_iter.bi_sector; +- u64 file_offset = dip->logical_offset; ++ struct bio *orig_bio; ++ u64 start_sector; + int async_submit = 0; + u64 submit_len; + int clone_offset = 0; +@@ -8602,11 +8652,24 @@ static int btrfs_submit_direct_hook(struct btrfs_dio_private *dip) + blk_status_t status; + struct btrfs_io_geometry geom; + ++ dip = btrfs_create_dio_private(dio_bio, inode, file_offset); ++ if (!dip) { ++ if (!write) { ++ unlock_extent(&BTRFS_I(inode)->io_tree, file_offset, ++ file_offset + dio_bio->bi_iter.bi_size - 1); ++ } ++ dio_bio->bi_status = BLK_STS_RESOURCE; ++ dio_end_io(dio_bio); ++ return; ++ } ++ ++ orig_bio = dip->orig_bio; ++ start_sector = orig_bio->bi_iter.bi_sector; + submit_len = orig_bio->bi_iter.bi_size; + ret = btrfs_get_io_geometry(fs_info, btrfs_op(orig_bio), + start_sector << 9, submit_len, &geom); + if (ret) +- return -EIO; ++ goto out_err; + + if (geom.len >= submit_len) { + bio = orig_bio; +@@ -8669,7 +8732,7 @@ static int btrfs_submit_direct_hook(struct btrfs_dio_private *dip) + submit: + status = btrfs_submit_dio_bio(bio, inode, file_offset, async_submit); + if (!status) +- return 0; ++ return; + + if (bio != orig_bio) + bio_put(bio); +@@ -8683,107 +8746,6 @@ out_err: + */ + if (atomic_dec_and_test(&dip->pending_bios)) + bio_io_error(dip->orig_bio); +- +- /* bio_end_io() will handle error, so we needn't return it */ +- return 0; +-} +- +-static void btrfs_submit_direct(struct bio *dio_bio, struct inode *inode, +- loff_t file_offset) +-{ +- struct btrfs_dio_private *dip = NULL; +- struct bio *bio = NULL; +- struct btrfs_io_bio *io_bio; +- bool write = (bio_op(dio_bio) == REQ_OP_WRITE); +- int ret = 0; +- +- bio = btrfs_bio_clone(dio_bio); +- +- dip = kzalloc(sizeof(*dip), GFP_NOFS); +- if (!dip) { +- ret = -ENOMEM; +- goto free_ordered; +- } +- +- dip->private = dio_bio->bi_private; +- dip->inode = inode; +- dip->logical_offset = file_offset; +- dip->bytes = dio_bio->bi_iter.bi_size; +- dip->disk_bytenr = (u64)dio_bio->bi_iter.bi_sector << 9; +- bio->bi_private = dip; +- dip->orig_bio = bio; +- dip->dio_bio = dio_bio; +- atomic_set(&dip->pending_bios, 1); +- io_bio = btrfs_io_bio(bio); +- io_bio->logical = file_offset; +- +- if (write) { +- bio->bi_end_io = btrfs_endio_direct_write; +- } else { +- bio->bi_end_io = btrfs_endio_direct_read; +- dip->subio_endio = btrfs_subio_endio_read; +- } +- +- /* +- * Reset the range for unsubmitted ordered extents (to a 0 length range) +- * even if we fail to submit a bio, because in such case we do the +- * corresponding error handling below and it must not be done a second +- * time by btrfs_direct_IO(). +- */ +- if (write) { +- struct btrfs_dio_data *dio_data = current->journal_info; +- +- dio_data->unsubmitted_oe_range_end = dip->logical_offset + +- dip->bytes; +- dio_data->unsubmitted_oe_range_start = +- dio_data->unsubmitted_oe_range_end; +- } +- +- ret = btrfs_submit_direct_hook(dip); +- if (!ret) +- return; +- +- btrfs_io_bio_free_csum(io_bio); +- +-free_ordered: +- /* +- * If we arrived here it means either we failed to submit the dip +- * or we either failed to clone the dio_bio or failed to allocate the +- * dip. If we cloned the dio_bio and allocated the dip, we can just +- * call bio_endio against our io_bio so that we get proper resource +- * cleanup if we fail to submit the dip, otherwise, we must do the +- * same as btrfs_endio_direct_[write|read] because we can't call these +- * callbacks - they require an allocated dip and a clone of dio_bio. +- */ +- if (bio && dip) { +- bio_io_error(bio); +- /* +- * The end io callbacks free our dip, do the final put on bio +- * and all the cleanup and final put for dio_bio (through +- * dio_end_io()). +- */ +- dip = NULL; +- bio = NULL; +- } else { +- if (write) +- __endio_write_update_ordered(inode, +- file_offset, +- dio_bio->bi_iter.bi_size, +- false); +- else +- unlock_extent(&BTRFS_I(inode)->io_tree, file_offset, +- file_offset + dio_bio->bi_iter.bi_size - 1); +- +- dio_bio->bi_status = BLK_STS_IOERR; +- /* +- * Releases and cleans up our dio_bio, no need to bio_put() +- * nor bio_endio()/bio_io_error() against dio_bio. +- */ +- dio_end_io(dio_bio); +- } +- if (bio) +- bio_put(bio); +- kfree(dip); + } + + static ssize_t check_direct_IO(struct btrfs_fs_info *fs_info, +@@ -9082,20 +9044,17 @@ again: + /* + * Qgroup reserved space handler + * Page here will be either +- * 1) Already written to disk +- * In this case, its reserved space is released from data rsv map +- * and will be freed by delayed_ref handler finally. +- * So even we call qgroup_free_data(), it won't decrease reserved +- * space. +- * 2) Not written to disk +- * This means the reserved space should be freed here. However, +- * if a truncate invalidates the page (by clearing PageDirty) +- * and the page is accounted for while allocating extent +- * in btrfs_check_data_free_space() we let delayed_ref to +- * free the entire extent. ++ * 1) Already written to disk or ordered extent already submitted ++ * Then its QGROUP_RESERVED bit in io_tree is already cleaned. ++ * Qgroup will be handled by its qgroup_record then. ++ * btrfs_qgroup_free_data() call will do nothing here. ++ * ++ * 2) Not written to disk yet ++ * Then btrfs_qgroup_free_data() call will clear the QGROUP_RESERVED ++ * bit of its io_tree, and free the qgroup reserved data space. ++ * Since the IO will never happen for this page. + */ +- if (PageDirty(page)) +- btrfs_qgroup_free_data(inode, NULL, page_start, PAGE_SIZE); ++ btrfs_qgroup_free_data(inode, NULL, page_start, PAGE_SIZE); + if (!inode_evicting) { + clear_extent_bit(tree, page_start, page_end, EXTENT_LOCKED | + EXTENT_DELALLOC | EXTENT_DELALLOC_NEW | +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index af3605a0bf2e0..1bc57f7b91cfa 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1468,6 +1468,9 @@ int btrfs_init_reloc_root(struct btrfs_trans_handle *trans, + int clear_rsv = 0; + int ret; + ++ if (!rc) ++ return 0; ++ + /* + * The subvolume has reloc tree but the swap is finished, no need to + * create/update the dead reloc tree +@@ -1475,13 +1478,25 @@ int btrfs_init_reloc_root(struct btrfs_trans_handle *trans, + if (reloc_root_is_dead(root)) + return 0; + ++ /* ++ * This is subtle but important. We do not do ++ * record_root_in_transaction for reloc roots, instead we record their ++ * corresponding fs root, and then here we update the last trans for the ++ * reloc root. This means that we have to do this for the entire life ++ * of the reloc root, regardless of which stage of the relocation we are ++ * in. ++ */ + if (root->reloc_root) { + reloc_root = root->reloc_root; + reloc_root->last_trans = trans->transid; + return 0; + } + +- if (!rc || !rc->create_reloc_tree || ++ /* ++ * We are merging reloc roots, we do not need new reloc trees. Also ++ * reloc trees never need their own reloc tree. ++ */ ++ if (!rc->create_reloc_tree || + root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) + return 0; + +@@ -2336,6 +2351,18 @@ static noinline_for_stack int merge_reloc_root(struct reloc_control *rc, + trans = NULL; + goto out; + } ++ ++ /* ++ * At this point we no longer have a reloc_control, so we can't ++ * depend on btrfs_init_reloc_root to update our last_trans. ++ * ++ * But that's ok, we started the trans handle on our ++ * corresponding fs_root, which means it's been added to the ++ * dirty list. At commit time we'll still call ++ * btrfs_update_reloc_root() and update our root item ++ * appropriately. ++ */ ++ reloc_root->last_trans = trans->transid; + trans->block_rsv = rc->block_rsv; + + replaced = 0; +@@ -4342,6 +4369,18 @@ static struct reloc_control *alloc_reloc_control(struct btrfs_fs_info *fs_info) + return rc; + } + ++static void free_reloc_control(struct reloc_control *rc) ++{ ++ struct mapping_node *node, *tmp; ++ ++ free_reloc_roots(&rc->reloc_roots); ++ rbtree_postorder_for_each_entry_safe(node, tmp, ++ &rc->reloc_root_tree.rb_root, rb_node) ++ kfree(node); ++ ++ kfree(rc); ++} ++ + /* + * Print the block group being relocated + */ +@@ -4474,7 +4513,7 @@ out: + btrfs_dec_block_group_ro(rc->block_group); + iput(rc->data_inode); + btrfs_put_block_group(rc->block_group); +- kfree(rc); ++ free_reloc_control(rc); + return err; + } + +@@ -4647,7 +4686,7 @@ out_clean: + err = ret; + out_unset: + unset_reloc_control(rc); +- kfree(rc); ++ free_reloc_control(rc); + out: + if (!list_empty(&reloc_roots)) + free_reloc_roots(&reloc_roots); +diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c +index 91ea38506fbb7..84b8d6ebf98f3 100644 +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -674,6 +674,44 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf, + return 0; + } + ++/* ++ * Enhanced version of chunk item checker. ++ * ++ * The common btrfs_check_chunk_valid() doesn't check item size since it needs ++ * to work on super block sys_chunk_array which doesn't have full item ptr. ++ */ ++static int check_leaf_chunk_item(struct extent_buffer *leaf, ++ struct btrfs_chunk *chunk, ++ struct btrfs_key *key, int slot) ++{ ++ int num_stripes; ++ ++ if (btrfs_item_size_nr(leaf, slot) < sizeof(struct btrfs_chunk)) { ++ chunk_err(leaf, chunk, key->offset, ++ "invalid chunk item size: have %u expect [%zu, %u)", ++ btrfs_item_size_nr(leaf, slot), ++ sizeof(struct btrfs_chunk), ++ BTRFS_LEAF_DATA_SIZE(leaf->fs_info)); ++ return -EUCLEAN; ++ } ++ ++ num_stripes = btrfs_chunk_num_stripes(leaf, chunk); ++ /* Let btrfs_check_chunk_valid() handle this error type */ ++ if (num_stripes == 0) ++ goto out; ++ ++ if (btrfs_chunk_item_size(num_stripes) != ++ btrfs_item_size_nr(leaf, slot)) { ++ chunk_err(leaf, chunk, key->offset, ++ "invalid chunk item size: have %u expect %lu", ++ btrfs_item_size_nr(leaf, slot), ++ btrfs_chunk_item_size(num_stripes)); ++ return -EUCLEAN; ++ } ++out: ++ return btrfs_check_chunk_valid(leaf, chunk, key->offset); ++} ++ + __printf(3, 4) + __cold + static void dev_item_err(const struct extent_buffer *eb, int slot, +@@ -1265,7 +1303,7 @@ static int check_leaf_item(struct extent_buffer *leaf, + break; + case BTRFS_CHUNK_ITEM_KEY: + chunk = btrfs_item_ptr(leaf, slot, struct btrfs_chunk); +- ret = btrfs_check_chunk_valid(leaf, chunk, key->offset); ++ ret = check_leaf_chunk_item(leaf, chunk, key, slot); + break; + case BTRFS_DEV_ITEM_KEY: + ret = check_dev_item(leaf, key, slot); +diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c +index b2695919435e8..af563d73d252c 100644 +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -2013,12 +2013,24 @@ ack: + if (mutex_trylock(&session->s_mutex) == 0) { + dout("inverting session/ino locks on %p\n", + session); ++ session = ceph_get_mds_session(session); + spin_unlock(&ci->i_ceph_lock); + if (took_snap_rwsem) { + up_read(&mdsc->snap_rwsem); + took_snap_rwsem = 0; + } +- mutex_lock(&session->s_mutex); ++ if (session) { ++ mutex_lock(&session->s_mutex); ++ ceph_put_mds_session(session); ++ } else { ++ /* ++ * Because we take the reference while ++ * holding the i_ceph_lock, it should ++ * never be NULL. Throw a warning if it ++ * ever is. ++ */ ++ WARN_ON_ONCE(true); ++ } + goto retry; + } + } +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index c07407586ce87..660a878e20ef2 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -754,8 +754,11 @@ static int fill_inode(struct inode *inode, struct page *locked_page, + info_caps = le32_to_cpu(info->cap.caps); + + /* prealloc new cap struct */ +- if (info_caps && ceph_snap(inode) == CEPH_NOSNAP) ++ if (info_caps && ceph_snap(inode) == CEPH_NOSNAP) { + new_cap = ceph_get_cap(mdsc, caps_reservation); ++ if (!new_cap) ++ return -ENOMEM; ++ } + + /* + * prealloc xattr data, if it looks like we'll need it. only +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index f9cbdfc1591b1..b16c994414ab0 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -268,8 +268,9 @@ struct smb_version_operations { + int (*check_message)(char *, unsigned int, struct TCP_Server_Info *); + bool (*is_oplock_break)(char *, struct TCP_Server_Info *); + int (*handle_cancelled_mid)(char *, struct TCP_Server_Info *); +- void (*downgrade_oplock)(struct TCP_Server_Info *, +- struct cifsInodeInfo *, bool); ++ void (*downgrade_oplock)(struct TCP_Server_Info *server, ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache); + /* process transaction2 response */ + bool (*check_trans2)(struct mid_q_entry *, struct TCP_Server_Info *, + char *, int); +@@ -1261,6 +1262,8 @@ struct cifsFileInfo { + unsigned int f_flags; + bool invalidHandle:1; /* file closed via session abend */ + bool oplock_break_cancelled:1; ++ unsigned int oplock_epoch; /* epoch from the lease break */ ++ __u32 oplock_level; /* oplock/lease level from the lease break */ + int count; + spinlock_t file_info_lock; /* protects four flag/count fields above */ + struct mutex fh_mutex; /* prevents reopen race after dead ses*/ +@@ -1408,7 +1411,7 @@ struct cifsInodeInfo { + unsigned int epoch; /* used to track lease state changes */ + #define CIFS_INODE_PENDING_OPLOCK_BREAK (0) /* oplock break in progress */ + #define CIFS_INODE_PENDING_WRITERS (1) /* Writes in progress */ +-#define CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2 (2) /* Downgrade oplock to L2 */ ++#define CIFS_INODE_FLAG_UNUSED (2) /* Unused flag */ + #define CIFS_INO_DELETE_PENDING (3) /* delete pending on server */ + #define CIFS_INO_INVALID_MAPPING (4) /* pagecache is invalid */ + #define CIFS_INO_LOCK (5) /* lock bit for synchronization */ +diff --git a/fs/cifs/file.c b/fs/cifs/file.c +index 4959dbe740f71..31d578739341b 100644 +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -4269,7 +4269,8 @@ readpages_get_pages(struct address_space *mapping, struct list_head *page_list, + break; + + __SetPageLocked(page); +- if (add_to_page_cache_locked(page, mapping, page->index, gfp)) { ++ rc = add_to_page_cache_locked(page, mapping, page->index, gfp); ++ if (rc) { + __ClearPageLocked(page); + break; + } +@@ -4285,6 +4286,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + struct list_head *page_list, unsigned num_pages) + { + int rc; ++ int err = 0; + struct list_head tmplist; + struct cifsFileInfo *open_file = file->private_data; + struct cifs_sb_info *cifs_sb = CIFS_FILE_SB(file); +@@ -4329,7 +4331,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + * the order of declining indexes. When we put the pages in + * the rdata->pages, then we want them in increasing order. + */ +- while (!list_empty(page_list)) { ++ while (!list_empty(page_list) && !err) { + unsigned int i, nr_pages, bytes, rsize; + loff_t offset; + struct page *page, *tpage; +@@ -4362,9 +4364,10 @@ static int cifs_readpages(struct file *file, struct address_space *mapping, + return 0; + } + +- rc = readpages_get_pages(mapping, page_list, rsize, &tmplist, ++ nr_pages = 0; ++ err = readpages_get_pages(mapping, page_list, rsize, &tmplist, + &nr_pages, &offset, &bytes); +- if (rc) { ++ if (!nr_pages) { + add_credits_and_wake_if(server, credits, 0); + break; + } +@@ -4675,12 +4678,13 @@ void cifs_oplock_break(struct work_struct *work) + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + struct TCP_Server_Info *server = tcon->ses->server; + int rc = 0; ++ bool purge_cache = false; + + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); + +- server->ops->downgrade_oplock(server, cinode, +- test_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, &cinode->flags)); ++ server->ops->downgrade_oplock(server, cinode, cfile->oplock_level, ++ cfile->oplock_epoch, &purge_cache); + + if (!CIFS_CACHE_WRITE(cinode) && CIFS_CACHE_READ(cinode) && + cifs_has_mand_locks(cinode)) { +@@ -4695,18 +4699,21 @@ void cifs_oplock_break(struct work_struct *work) + else + break_lease(inode, O_WRONLY); + rc = filemap_fdatawrite(inode->i_mapping); +- if (!CIFS_CACHE_READ(cinode)) { ++ if (!CIFS_CACHE_READ(cinode) || purge_cache) { + rc = filemap_fdatawait(inode->i_mapping); + mapping_set_error(inode->i_mapping, rc); + cifs_zap_mapping(inode); + } + cifs_dbg(FYI, "Oplock flush inode %p rc %d\n", inode, rc); ++ if (CIFS_CACHE_WRITE(cinode)) ++ goto oplock_break_ack; + } + + rc = cifs_push_locks(cfile); + if (rc) + cifs_dbg(VFS, "Push locks rc = %d\n", rc); + ++oplock_break_ack: + /* + * releasing stale oplock after recent reconnect of smb session using + * a now incorrect file handle is not a data integrity issue but do +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index 5ad83bdb9bea3..40ca394fd5de9 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -488,21 +488,10 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv) + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, + &pCifsInode->flags); + +- /* +- * Set flag if the server downgrades the oplock +- * to L2 else clear. +- */ +- if (pSMB->OplockLevel) +- set_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &pCifsInode->flags); +- else +- clear_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &pCifsInode->flags); +- +- cifs_queue_oplock_break(netfile); ++ netfile->oplock_epoch = 0; ++ netfile->oplock_level = pSMB->OplockLevel; + netfile->oplock_break_cancelled = false; ++ cifs_queue_oplock_break(netfile); + + spin_unlock(&tcon->open_file_lock); + spin_unlock(&cifs_tcp_ses_lock); +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index 195766221a7a8..e523c05a44876 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -369,12 +369,10 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr) + + static void + cifs_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- if (set_level2) +- cifs_set_oplock_level(cinode, OPLOCK_READ); +- else +- cifs_set_oplock_level(cinode, 0); ++ cifs_set_oplock_level(cinode, oplock); + } + + static bool +diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c +index 2fc96f7923ee5..7d875a47d0226 100644 +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -550,7 +550,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) + + cifs_dbg(FYI, "found in the open list\n"); + cifs_dbg(FYI, "lease key match, lease break 0x%x\n", +- le32_to_cpu(rsp->NewLeaseState)); ++ lease_state); + + if (ack_req) + cfile->oplock_break_cancelled = false; +@@ -559,17 +559,8 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp) + + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags); + +- /* +- * Set or clear flags depending on the lease state being READ. +- * HANDLE caching flag should be added when the client starts +- * to defer closing remote file handles with HANDLE leases. +- */ +- if (lease_state & SMB2_LEASE_READ_CACHING_HE) +- set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); +- else +- clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); ++ cfile->oplock_epoch = le16_to_cpu(rsp->Epoch); ++ cfile->oplock_level = lease_state; + + cifs_queue_oplock_break(cfile); + return true; +@@ -599,7 +590,7 @@ smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon, + + cifs_dbg(FYI, "found in the pending open list\n"); + cifs_dbg(FYI, "lease key match, lease break 0x%x\n", +- le32_to_cpu(rsp->NewLeaseState)); ++ lease_state); + + open->oplock = lease_state; + } +@@ -732,18 +723,9 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server) + set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, + &cinode->flags); + +- /* +- * Set flag if the server downgrades the oplock +- * to L2 else clear. +- */ +- if (rsp->OplockLevel) +- set_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); +- else +- clear_bit( +- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, +- &cinode->flags); ++ cfile->oplock_epoch = 0; ++ cfile->oplock_level = rsp->OplockLevel; ++ + spin_unlock(&cfile->file_info_lock); + + cifs_queue_oplock_break(cfile); +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 7ccbfc6564787..64ad466695c55 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1565,35 +1565,32 @@ smb2_ioctl_query_info(const unsigned int xid, + if (le32_to_cpu(io_rsp->OutputCount) < qi.input_buffer_length) + qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount); + if (qi.input_buffer_length > 0 && +- le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length > rsp_iov[1].iov_len) { +- rc = -EFAULT; +- goto iqinf_exit; +- } +- if (copy_to_user(&pqi->input_buffer_length, &qi.input_buffer_length, +- sizeof(qi.input_buffer_length))) { +- rc = -EFAULT; +- goto iqinf_exit; +- } ++ le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length ++ > rsp_iov[1].iov_len) ++ goto e_fault; ++ ++ if (copy_to_user(&pqi->input_buffer_length, ++ &qi.input_buffer_length, ++ sizeof(qi.input_buffer_length))) ++ goto e_fault; ++ + if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info), + (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset), +- qi.input_buffer_length)) { +- rc = -EFAULT; +- goto iqinf_exit; +- } ++ qi.input_buffer_length)) ++ goto e_fault; + } else { + pqi = (struct smb_query_info __user *)arg; + qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base; + if (le32_to_cpu(qi_rsp->OutputBufferLength) < qi.input_buffer_length) + qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength); +- if (copy_to_user(&pqi->input_buffer_length, &qi.input_buffer_length, +- sizeof(qi.input_buffer_length))) { +- rc = -EFAULT; +- goto iqinf_exit; +- } +- if (copy_to_user(pqi + 1, qi_rsp->Buffer, qi.input_buffer_length)) { +- rc = -EFAULT; +- goto iqinf_exit; +- } ++ if (copy_to_user(&pqi->input_buffer_length, ++ &qi.input_buffer_length, ++ sizeof(qi.input_buffer_length))) ++ goto e_fault; ++ ++ if (copy_to_user(pqi + 1, qi_rsp->Buffer, ++ qi.input_buffer_length)) ++ goto e_fault; + } + + iqinf_exit: +@@ -1609,6 +1606,10 @@ smb2_ioctl_query_info(const unsigned int xid, + free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base); + free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base); + return rc; ++ ++e_fault: ++ rc = -EFAULT; ++ goto iqinf_exit; + } + + static ssize_t +@@ -3331,22 +3332,38 @@ static long smb3_fallocate(struct file *file, struct cifs_tcon *tcon, int mode, + + static void + smb2_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- if (set_level2) +- server->ops->set_oplock_level(cinode, SMB2_OPLOCK_LEVEL_II, +- 0, NULL); +- else +- server->ops->set_oplock_level(cinode, 0, 0, NULL); ++ server->ops->set_oplock_level(cinode, oplock, 0, NULL); + } + + static void +-smb21_downgrade_oplock(struct TCP_Server_Info *server, +- struct cifsInodeInfo *cinode, bool set_level2) ++smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache); ++ ++static void ++smb3_downgrade_oplock(struct TCP_Server_Info *server, ++ struct cifsInodeInfo *cinode, __u32 oplock, ++ unsigned int epoch, bool *purge_cache) + { +- server->ops->set_oplock_level(cinode, +- set_level2 ? SMB2_LEASE_READ_CACHING_HE : +- 0, 0, NULL); ++ unsigned int old_state = cinode->oplock; ++ unsigned int old_epoch = cinode->epoch; ++ unsigned int new_state; ++ ++ if (epoch > old_epoch) { ++ smb21_set_oplock_level(cinode, oplock, 0, NULL); ++ cinode->epoch = epoch; ++ } ++ ++ new_state = cinode->oplock; ++ *purge_cache = false; ++ ++ if ((old_state & CIFS_CACHE_READ_FLG) != 0 && ++ (new_state & CIFS_CACHE_READ_FLG) == 0) ++ *purge_cache = true; ++ else if (old_state == new_state && (epoch - old_epoch > 1)) ++ *purge_cache = true; + } + + static void +@@ -4606,7 +4623,7 @@ struct smb_version_operations smb21_operations = { + .print_stats = smb2_print_stats, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb2_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb2_negotiate_wsize, +@@ -4706,7 +4723,7 @@ struct smb_version_operations smb30_operations = { + .dump_share_caps = smb2_dump_share_caps, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb3_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb3_negotiate_wsize, +@@ -4814,7 +4831,7 @@ struct smb_version_operations smb311_operations = { + .dump_share_caps = smb2_dump_share_caps, + .is_oplock_break = smb2_is_valid_oplock_break, + .handle_cancelled_mid = smb2_handle_cancelled_mid, +- .downgrade_oplock = smb21_downgrade_oplock, ++ .downgrade_oplock = smb3_downgrade_oplock, + .need_neg = smb2_need_neg, + .negotiate = smb2_negotiate, + .negotiate_wsize = smb3_negotiate_wsize, +diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h +index 0abfde6d0b051..f264e1d36fe16 100644 +--- a/fs/cifs/smb2pdu.h ++++ b/fs/cifs/smb2pdu.h +@@ -1386,7 +1386,7 @@ struct smb2_oplock_break { + struct smb2_lease_break { + struct smb2_sync_hdr sync_hdr; + __le16 StructureSize; /* Must be 44 */ +- __le16 Reserved; ++ __le16 Epoch; + __le32 Flags; + __u8 LeaseKey[16]; + __le32 CurrentLeaseState; +diff --git a/fs/dcache.c b/fs/dcache.c +index e88cf0554e659..b2a7f1765f0b1 100644 +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -903,17 +903,19 @@ struct dentry *dget_parent(struct dentry *dentry) + { + int gotref; + struct dentry *ret; ++ unsigned seq; + + /* + * Do optimistic parent lookup without any + * locking. + */ + rcu_read_lock(); ++ seq = raw_seqcount_begin(&dentry->d_seq); + ret = READ_ONCE(dentry->d_parent); + gotref = lockref_get_not_zero(&ret->d_lockref); + rcu_read_unlock(); + if (likely(gotref)) { +- if (likely(ret == READ_ONCE(dentry->d_parent))) ++ if (!read_seqcount_retry(&dentry->d_seq, seq)) + return ret; + dput(ret); + } +diff --git a/fs/exec.c b/fs/exec.c +index d62cd1d71098f..de833553ae27d 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1007,16 +1007,26 @@ ssize_t read_code(struct file *file, unsigned long addr, loff_t pos, size_t len) + } + EXPORT_SYMBOL(read_code); + ++/* ++ * Maps the mm_struct mm into the current task struct. ++ * On success, this function returns with the mutex ++ * exec_update_mutex locked. ++ */ + static int exec_mmap(struct mm_struct *mm) + { + struct task_struct *tsk; + struct mm_struct *old_mm, *active_mm; ++ int ret; + + /* Notify parent that we're no longer interested in the old VM */ + tsk = current; + old_mm = current->mm; + exec_mm_release(tsk, old_mm); + ++ ret = mutex_lock_killable(&tsk->signal->exec_update_mutex); ++ if (ret) ++ return ret; ++ + if (old_mm) { + sync_mm_rss(old_mm); + /* +@@ -1028,9 +1038,11 @@ static int exec_mmap(struct mm_struct *mm) + down_read(&old_mm->mmap_sem); + if (unlikely(old_mm->core_state)) { + up_read(&old_mm->mmap_sem); ++ mutex_unlock(&tsk->signal->exec_update_mutex); + return -EINTR; + } + } ++ + task_lock(tsk); + active_mm = tsk->active_mm; + membarrier_exec_mmap(mm); +@@ -1285,11 +1297,12 @@ int flush_old_exec(struct linux_binprm * bprm) + goto out; + + /* +- * After clearing bprm->mm (to mark that current is using the +- * prepared mm now), we have nothing left of the original ++ * After setting bprm->called_exec_mmap (to mark that current is ++ * using the prepared mm now), we have nothing left of the original + * process. If anything from here on returns an error, the check + * in search_binary_handler() will SEGV current. + */ ++ bprm->called_exec_mmap = 1; + bprm->mm = NULL; + + set_fs(USER_DS); +@@ -1423,6 +1436,8 @@ static void free_bprm(struct linux_binprm *bprm) + { + free_arg_pages(bprm); + if (bprm->cred) { ++ if (bprm->called_exec_mmap) ++ mutex_unlock(¤t->signal->exec_update_mutex); + mutex_unlock(¤t->signal->cred_guard_mutex); + abort_creds(bprm->cred); + } +@@ -1472,6 +1487,7 @@ void install_exec_creds(struct linux_binprm *bprm) + * credentials; any time after this it may be unlocked. + */ + security_bprm_committed_creds(bprm); ++ mutex_unlock(¤t->signal->exec_update_mutex); + mutex_unlock(¤t->signal->cred_guard_mutex); + } + EXPORT_SYMBOL(install_exec_creds); +@@ -1663,7 +1679,7 @@ int search_binary_handler(struct linux_binprm *bprm) + + read_lock(&binfmt_lock); + put_binfmt(fmt); +- if (retval < 0 && !bprm->mm) { ++ if (retval < 0 && bprm->called_exec_mmap) { + /* we got to flush_old_exec() and failed after it */ + read_unlock(&binfmt_lock); + force_sigsegv(SIGSEGV); +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index a284d99a1ee57..95a8a04c77dd3 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5315,7 +5315,7 @@ static int ext4_do_update_inode(handle_t *handle, + raw_inode->i_file_acl_high = + cpu_to_le16(ei->i_file_acl >> 32); + raw_inode->i_file_acl_lo = cpu_to_le32(ei->i_file_acl); +- if (ei->i_disksize != ext4_isize(inode->i_sb, raw_inode)) { ++ if (READ_ONCE(ei->i_disksize) != ext4_isize(inode->i_sb, raw_inode)) { + ext4_isize_set(raw_inode, ei->i_disksize); + need_datasync = 1; + } +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index e1782b2e2e2dd..e5d43d2ee474d 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -1901,8 +1901,15 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac, + BUG_ON(buddy == NULL); + + k = mb_find_next_zero_bit(buddy, max, 0); +- BUG_ON(k >= max); +- ++ if (k >= max) { ++ ext4_grp_locked_error(ac->ac_sb, e4b->bd_group, 0, 0, ++ "%d free clusters of order %d. But found 0", ++ grp->bb_counters[i], i); ++ ext4_mark_group_bitmap_corrupted(ac->ac_sb, ++ e4b->bd_group, ++ EXT4_GROUP_INFO_BBITMAP_CORRUPT); ++ break; ++ } + ac->ac_found++; + + ac->ac_b_ex.fe_len = 1 << i; +diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c +index e611d768efde3..a78aa5480454f 100644 +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1012,8 +1012,14 @@ next_step: + block_t start_bidx; + nid_t nid = le32_to_cpu(entry->nid); + +- /* stop BG_GC if there is not enough free sections. */ +- if (gc_type == BG_GC && has_not_enough_free_secs(sbi, 0, 0)) ++ /* ++ * stop BG_GC if there is not enough free sections. ++ * Or, stop GC if the segment becomes fully valid caused by ++ * race condition along with SSR block allocation. ++ */ ++ if ((gc_type == BG_GC && has_not_enough_free_secs(sbi, 0, 0)) || ++ get_valid_blocks(sbi, segno, false) == ++ sbi->blocks_per_seg) + return submitted; + + if (check_valid_map(sbi, segno, off) == 0) +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index 8a67b933ccd42..ed12e96681842 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -2353,7 +2353,6 @@ static int __f2fs_build_free_nids(struct f2fs_sb_info *sbi, + + if (ret) { + up_read(&nm_i->nat_tree_lock); +- f2fs_bug_on(sbi, !mount); + f2fs_err(sbi, "NAT is corrupt, run fsck to fix it"); + return ret; + } +diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c +index 06dd38e76c62a..f9022b7028754 100644 +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -764,7 +764,6 @@ static int fuse_check_page(struct page *page) + { + if (page_mapcount(page) || + page->mapping != NULL || +- page_count(page) != 1 || + (page->flags & PAGE_FLAGS_CHECK_AT_PREP & + ~(1 << PG_locked | + 1 << PG_referenced | +diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c +index 5dca643a257c9..f58ab84b09fb3 100644 +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -323,6 +323,8 @@ struct inode *fuse_iget(struct super_block *sb, u64 nodeid, + int fuse_reverse_inval_inode(struct super_block *sb, u64 nodeid, + loff_t offset, loff_t len) + { ++ struct fuse_conn *fc = get_fuse_conn_super(sb); ++ struct fuse_inode *fi; + struct inode *inode; + pgoff_t pg_start; + pgoff_t pg_end; +@@ -331,6 +333,11 @@ int fuse_reverse_inval_inode(struct super_block *sb, u64 nodeid, + if (!inode) + return -ENOENT; + ++ fi = get_fuse_inode(inode); ++ spin_lock(&fi->lock); ++ fi->attr_version = atomic64_inc_return(&fc->attr_version); ++ spin_unlock(&fi->lock); ++ + fuse_invalidate_attr(inode); + forget_all_cached_acls(inode); + if (offset >= 0) { +diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c +index 8466166f22e3d..988bb7b17ed8f 100644 +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -712,7 +712,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + + error = gfs2_trans_begin(sdp, blocks, 0); + if (error) +- goto fail_gunlock2; ++ goto fail_free_inode; + + if (blocks > 1) { + ip->i_eattr = ip->i_no_addr + 1; +@@ -723,7 +723,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + + error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl); + if (error) +- goto fail_gunlock2; ++ goto fail_free_inode; + + BUG_ON(test_and_set_bit(GLF_INODE_CREATING, &io_gl->gl_flags)); + +@@ -732,7 +732,6 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + goto fail_gunlock2; + + glock_set_object(ip->i_iopen_gh.gh_gl, ip); +- gfs2_glock_put(io_gl); + gfs2_set_iop(inode); + insert_inode_hash(inode); + +@@ -765,6 +764,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + + mark_inode_dirty(inode); + d_instantiate(dentry, inode); ++ /* After instantiate, errors should result in evict which will destroy ++ * both inode and iopen glocks properly. */ + if (file) { + file->f_mode |= FMODE_CREATED; + error = finish_open(file, dentry, gfs2_open_common); +@@ -772,15 +773,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + gfs2_glock_dq_uninit(ghs); + gfs2_glock_dq_uninit(ghs + 1); + clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags); ++ gfs2_glock_put(io_gl); + return error; + + fail_gunlock3: + glock_clear_object(io_gl, ip); + gfs2_glock_dq_uninit(&ip->i_iopen_gh); +- gfs2_glock_put(io_gl); + fail_gunlock2: +- if (io_gl) +- clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags); ++ clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags); ++ gfs2_glock_put(io_gl); + fail_free_inode: + if (ip->i_gl) { + glock_clear_object(ip->i_gl, ip); +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index e25901ae3ff44..a30ea7ecb790a 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -1040,20 +1040,19 @@ vm_fault_t iomap_page_mkwrite(struct vm_fault *vmf, const struct iomap_ops *ops) + + lock_page(page); + size = i_size_read(inode); +- if ((page->mapping != inode->i_mapping) || +- (page_offset(page) > size)) { ++ offset = page_offset(page); ++ if (page->mapping != inode->i_mapping || offset > size) { + /* We overload EFAULT to mean page got truncated */ + ret = -EFAULT; + goto out_unlock; + } + + /* page is wholly or partially inside EOF */ +- if (((page->index + 1) << PAGE_SHIFT) > size) ++ if (offset > size - PAGE_SIZE) + length = offset_in_page(size); + else + length = PAGE_SIZE; + +- offset = page_offset(page); + while (length > 0) { + ret = iomap_apply(inode, offset, length, + IOMAP_WRITE | IOMAP_FAULT, ops, page, +diff --git a/fs/nfs/nfstrace.h b/fs/nfs/nfstrace.h +index 361cc10d6f95d..c8081d2b4166a 100644 +--- a/fs/nfs/nfstrace.h ++++ b/fs/nfs/nfstrace.h +@@ -1147,7 +1147,12 @@ TRACE_EVENT(nfs_xdr_status, + __field(unsigned int, task_id) + __field(unsigned int, client_id) + __field(u32, xid) ++ __field(int, version) + __field(unsigned long, error) ++ __string(program, ++ xdr->rqst->rq_task->tk_client->cl_program->name) ++ __string(procedure, ++ xdr->rqst->rq_task->tk_msg.rpc_proc->p_name) + ), + + TP_fast_assign( +@@ -1157,13 +1162,19 @@ TRACE_EVENT(nfs_xdr_status, + __entry->task_id = task->tk_pid; + __entry->client_id = task->tk_client->cl_clid; + __entry->xid = be32_to_cpu(rqstp->rq_xid); ++ __entry->version = task->tk_client->cl_vers; + __entry->error = error; ++ __assign_str(program, ++ task->tk_client->cl_program->name) ++ __assign_str(procedure, task->tk_msg.rpc_proc->p_name) + ), + + TP_printk( +- "task:%u@%d xid=0x%08x error=%ld (%s)", ++ "task:%u@%d xid=0x%08x %sv%d %s error=%ld (%s)", + __entry->task_id, __entry->client_id, __entry->xid, +- -__entry->error, nfs_show_status(__entry->error) ++ __get_str(program), __entry->version, ++ __get_str(procedure), -__entry->error, ++ nfs_show_status(__entry->error) + ) + ); + +diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c +index b736912098eee..f4407dd426bf0 100644 +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -133,47 +133,70 @@ nfs_async_iocounter_wait(struct rpc_task *task, struct nfs_lock_context *l_ctx) + EXPORT_SYMBOL_GPL(nfs_async_iocounter_wait); + + /* +- * nfs_page_group_lock - lock the head of the page group +- * @req - request in group that is to be locked ++ * nfs_page_set_headlock - set the request PG_HEADLOCK ++ * @req: request that is to be locked + * +- * this lock must be held when traversing or modifying the page +- * group list ++ * this lock must be held when modifying req->wb_head + * + * return 0 on success, < 0 on error + */ + int +-nfs_page_group_lock(struct nfs_page *req) ++nfs_page_set_headlock(struct nfs_page *req) + { +- struct nfs_page *head = req->wb_head; +- +- WARN_ON_ONCE(head != head->wb_head); +- +- if (!test_and_set_bit(PG_HEADLOCK, &head->wb_flags)) ++ if (!test_and_set_bit(PG_HEADLOCK, &req->wb_flags)) + return 0; + +- set_bit(PG_CONTENDED1, &head->wb_flags); ++ set_bit(PG_CONTENDED1, &req->wb_flags); + smp_mb__after_atomic(); +- return wait_on_bit_lock(&head->wb_flags, PG_HEADLOCK, ++ return wait_on_bit_lock(&req->wb_flags, PG_HEADLOCK, + TASK_UNINTERRUPTIBLE); + } + + /* +- * nfs_page_group_unlock - unlock the head of the page group +- * @req - request in group that is to be unlocked ++ * nfs_page_clear_headlock - clear the request PG_HEADLOCK ++ * @req: request that is to be locked + */ + void +-nfs_page_group_unlock(struct nfs_page *req) ++nfs_page_clear_headlock(struct nfs_page *req) + { +- struct nfs_page *head = req->wb_head; +- +- WARN_ON_ONCE(head != head->wb_head); +- + smp_mb__before_atomic(); +- clear_bit(PG_HEADLOCK, &head->wb_flags); ++ clear_bit(PG_HEADLOCK, &req->wb_flags); + smp_mb__after_atomic(); +- if (!test_bit(PG_CONTENDED1, &head->wb_flags)) ++ if (!test_bit(PG_CONTENDED1, &req->wb_flags)) + return; +- wake_up_bit(&head->wb_flags, PG_HEADLOCK); ++ wake_up_bit(&req->wb_flags, PG_HEADLOCK); ++} ++ ++/* ++ * nfs_page_group_lock - lock the head of the page group ++ * @req: request in group that is to be locked ++ * ++ * this lock must be held when traversing or modifying the page ++ * group list ++ * ++ * return 0 on success, < 0 on error ++ */ ++int ++nfs_page_group_lock(struct nfs_page *req) ++{ ++ int ret; ++ ++ ret = nfs_page_set_headlock(req); ++ if (ret || req->wb_head == req) ++ return ret; ++ return nfs_page_set_headlock(req->wb_head); ++} ++ ++/* ++ * nfs_page_group_unlock - unlock the head of the page group ++ * @req: request in group that is to be unlocked ++ */ ++void ++nfs_page_group_unlock(struct nfs_page *req) ++{ ++ if (req != req->wb_head) ++ nfs_page_clear_headlock(req->wb_head); ++ nfs_page_clear_headlock(req); + } + + /* +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 58c8317dd7d88..613c3ef23e07b 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -425,22 +425,28 @@ nfs_destroy_unlinked_subrequests(struct nfs_page *destroy_list, + destroy_list = (subreq->wb_this_page == old_head) ? + NULL : subreq->wb_this_page; + ++ /* Note: lock subreq in order to change subreq->wb_head */ ++ nfs_page_set_headlock(subreq); + WARN_ON_ONCE(old_head != subreq->wb_head); + + /* make sure old group is not used */ + subreq->wb_this_page = subreq; ++ subreq->wb_head = subreq; + + clear_bit(PG_REMOVE, &subreq->wb_flags); + + /* Note: races with nfs_page_group_destroy() */ + if (!kref_read(&subreq->wb_kref)) { + /* Check if we raced with nfs_page_group_destroy() */ +- if (test_and_clear_bit(PG_TEARDOWN, &subreq->wb_flags)) ++ if (test_and_clear_bit(PG_TEARDOWN, &subreq->wb_flags)) { ++ nfs_page_clear_headlock(subreq); + nfs_free_request(subreq); ++ } else ++ nfs_page_clear_headlock(subreq); + continue; + } ++ nfs_page_clear_headlock(subreq); + +- subreq->wb_head = subreq; + nfs_release_request(old_head); + + if (test_and_clear_bit(PG_INODE_REF, &subreq->wb_flags)) { +diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c +index 3007b8945d388..51c08ae79063c 100644 +--- a/fs/nfsd/filecache.c ++++ b/fs/nfsd/filecache.c +@@ -133,9 +133,13 @@ nfsd_file_mark_find_or_create(struct nfsd_file *nf) + struct nfsd_file_mark, + nfm_mark)); + mutex_unlock(&nfsd_file_fsnotify_group->mark_mutex); +- fsnotify_put_mark(mark); +- if (likely(nfm)) ++ if (nfm) { ++ fsnotify_put_mark(mark); + break; ++ } ++ /* Avoid soft lockup race with nfsd_file_mark_put() */ ++ fsnotify_destroy_mark(mark, nfsd_file_fsnotify_group); ++ fsnotify_put_mark(mark); + } else + mutex_unlock(&nfsd_file_fsnotify_group->mark_mutex); + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 68cf116607645..8cb2f744dde6b 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -495,6 +495,8 @@ find_any_file(struct nfs4_file *f) + { + struct nfsd_file *ret; + ++ if (!f) ++ return NULL; + spin_lock(&f->fi_lock); + ret = __nfs4_get_fd(f, O_RDWR); + if (!ret) { +@@ -1273,6 +1275,12 @@ static void nfs4_put_stateowner(struct nfs4_stateowner *sop) + nfs4_free_stateowner(sop); + } + ++static bool ++nfs4_ol_stateid_unhashed(const struct nfs4_ol_stateid *stp) ++{ ++ return list_empty(&stp->st_perfile); ++} ++ + static bool unhash_ol_stateid(struct nfs4_ol_stateid *stp) + { + struct nfs4_file *fp = stp->st_stid.sc_file; +@@ -1343,9 +1351,11 @@ static bool unhash_lock_stateid(struct nfs4_ol_stateid *stp) + { + lockdep_assert_held(&stp->st_stid.sc_client->cl_lock); + ++ if (!unhash_ol_stateid(stp)) ++ return false; + list_del_init(&stp->st_locks); + nfs4_unhash_stid(&stp->st_stid); +- return unhash_ol_stateid(stp); ++ return true; + } + + static void release_lock_stateid(struct nfs4_ol_stateid *stp) +@@ -1410,13 +1420,12 @@ static void release_open_stateid_locks(struct nfs4_ol_stateid *open_stp, + static bool unhash_open_stateid(struct nfs4_ol_stateid *stp, + struct list_head *reaplist) + { +- bool unhashed; +- + lockdep_assert_held(&stp->st_stid.sc_client->cl_lock); + +- unhashed = unhash_ol_stateid(stp); ++ if (!unhash_ol_stateid(stp)) ++ return false; + release_open_stateid_locks(stp, reaplist); +- return unhashed; ++ return true; + } + + static void release_open_stateid(struct nfs4_ol_stateid *stp) +@@ -6267,21 +6276,21 @@ alloc_init_lock_stateowner(unsigned int strhashval, struct nfs4_client *clp, + } + + static struct nfs4_ol_stateid * +-find_lock_stateid(struct nfs4_lockowner *lo, struct nfs4_file *fp) ++find_lock_stateid(const struct nfs4_lockowner *lo, ++ const struct nfs4_ol_stateid *ost) + { + struct nfs4_ol_stateid *lst; +- struct nfs4_client *clp = lo->lo_owner.so_client; + +- lockdep_assert_held(&clp->cl_lock); ++ lockdep_assert_held(&ost->st_stid.sc_client->cl_lock); + +- list_for_each_entry(lst, &lo->lo_owner.so_stateids, st_perstateowner) { +- if (lst->st_stid.sc_type != NFS4_LOCK_STID) +- continue; +- if (lst->st_stid.sc_file == fp) { +- refcount_inc(&lst->st_stid.sc_count); +- return lst; ++ /* If ost is not hashed, ost->st_locks will not be valid */ ++ if (!nfs4_ol_stateid_unhashed(ost)) ++ list_for_each_entry(lst, &ost->st_locks, st_locks) { ++ if (lst->st_stateowner == &lo->lo_owner) { ++ refcount_inc(&lst->st_stid.sc_count); ++ return lst; ++ } + } +- } + return NULL; + } + +@@ -6297,11 +6306,11 @@ init_lock_stateid(struct nfs4_ol_stateid *stp, struct nfs4_lockowner *lo, + mutex_lock_nested(&stp->st_mutex, OPEN_STATEID_MUTEX); + retry: + spin_lock(&clp->cl_lock); +- spin_lock(&fp->fi_lock); +- retstp = find_lock_stateid(lo, fp); ++ if (nfs4_ol_stateid_unhashed(open_stp)) ++ goto out_close; ++ retstp = find_lock_stateid(lo, open_stp); + if (retstp) +- goto out_unlock; +- ++ goto out_found; + refcount_inc(&stp->st_stid.sc_count); + stp->st_stid.sc_type = NFS4_LOCK_STID; + stp->st_stateowner = nfs4_get_stateowner(&lo->lo_owner); +@@ -6310,22 +6319,26 @@ retry: + stp->st_access_bmap = 0; + stp->st_deny_bmap = open_stp->st_deny_bmap; + stp->st_openstp = open_stp; ++ spin_lock(&fp->fi_lock); + list_add(&stp->st_locks, &open_stp->st_locks); + list_add(&stp->st_perstateowner, &lo->lo_owner.so_stateids); + list_add(&stp->st_perfile, &fp->fi_stateids); +-out_unlock: + spin_unlock(&fp->fi_lock); + spin_unlock(&clp->cl_lock); +- if (retstp) { +- if (nfsd4_lock_ol_stateid(retstp) != nfs_ok) { +- nfs4_put_stid(&retstp->st_stid); +- goto retry; +- } +- /* To keep mutex tracking happy */ +- mutex_unlock(&stp->st_mutex); +- stp = retstp; +- } + return stp; ++out_found: ++ spin_unlock(&clp->cl_lock); ++ if (nfsd4_lock_ol_stateid(retstp) != nfs_ok) { ++ nfs4_put_stid(&retstp->st_stid); ++ goto retry; ++ } ++ /* To keep mutex tracking happy */ ++ mutex_unlock(&stp->st_mutex); ++ return retstp; ++out_close: ++ spin_unlock(&clp->cl_lock); ++ mutex_unlock(&stp->st_mutex); ++ return NULL; + } + + static struct nfs4_ol_stateid * +@@ -6340,7 +6353,7 @@ find_or_create_lock_stateid(struct nfs4_lockowner *lo, struct nfs4_file *fi, + + *new = false; + spin_lock(&clp->cl_lock); +- lst = find_lock_stateid(lo, fi); ++ lst = find_lock_stateid(lo, ost); + spin_unlock(&clp->cl_lock); + if (lst != NULL) { + if (nfsd4_lock_ol_stateid(lst) == nfs_ok) +diff --git a/fs/nfsd/trace.h b/fs/nfsd/trace.h +index ffc78a0e28b24..b073bdc2e6e89 100644 +--- a/fs/nfsd/trace.h ++++ b/fs/nfsd/trace.h +@@ -228,7 +228,7 @@ TRACE_EVENT(nfsd_file_acquire, + TP_ARGS(rqstp, hash, inode, may_flags, nf, status), + + TP_STRUCT__entry( +- __field(__be32, xid) ++ __field(u32, xid) + __field(unsigned int, hash) + __field(void *, inode) + __field(unsigned int, may_flags) +@@ -236,11 +236,11 @@ TRACE_EVENT(nfsd_file_acquire, + __field(unsigned long, nf_flags) + __field(unsigned char, nf_may) + __field(struct file *, nf_file) +- __field(__be32, status) ++ __field(u32, status) + ), + + TP_fast_assign( +- __entry->xid = rqstp->rq_xid; ++ __entry->xid = be32_to_cpu(rqstp->rq_xid); + __entry->hash = hash; + __entry->inode = inode; + __entry->may_flags = may_flags; +@@ -248,15 +248,15 @@ TRACE_EVENT(nfsd_file_acquire, + __entry->nf_flags = nf ? nf->nf_flags : 0; + __entry->nf_may = nf ? nf->nf_may : 0; + __entry->nf_file = nf ? nf->nf_file : NULL; +- __entry->status = status; ++ __entry->status = be32_to_cpu(status); + ), + + TP_printk("xid=0x%x hash=0x%x inode=0x%p may_flags=%s ref=%d nf_flags=%s nf_may=%s nf_file=0x%p status=%u", +- be32_to_cpu(__entry->xid), __entry->hash, __entry->inode, ++ __entry->xid, __entry->hash, __entry->inode, + show_nf_may(__entry->may_flags), __entry->nf_ref, + show_nf_flags(__entry->nf_flags), + show_nf_may(__entry->nf_may), __entry->nf_file, +- be32_to_cpu(__entry->status)) ++ __entry->status) + ); + + DECLARE_EVENT_CLASS(nfsd_file_search_class, +diff --git a/fs/proc/base.c b/fs/proc/base.c +index ebea9501afb84..529d0c6ec6f9c 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -403,11 +403,11 @@ print0: + + static int lock_trace(struct task_struct *task) + { +- int err = mutex_lock_killable(&task->signal->cred_guard_mutex); ++ int err = mutex_lock_killable(&task->signal->exec_update_mutex); + if (err) + return err; + if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) { +- mutex_unlock(&task->signal->cred_guard_mutex); ++ mutex_unlock(&task->signal->exec_update_mutex); + return -EPERM; + } + return 0; +@@ -415,7 +415,7 @@ static int lock_trace(struct task_struct *task) + + static void unlock_trace(struct task_struct *task) + { +- mutex_unlock(&task->signal->cred_guard_mutex); ++ mutex_unlock(&task->signal->exec_update_mutex); + } + + #ifdef CONFIG_STACKTRACE +@@ -2770,7 +2770,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh + unsigned long flags; + int result; + +- result = mutex_lock_killable(&task->signal->cred_guard_mutex); ++ result = mutex_lock_killable(&task->signal->exec_update_mutex); + if (result) + return result; + +@@ -2806,7 +2806,7 @@ static int do_io_accounting(struct task_struct *task, struct seq_file *m, int wh + result = 0; + + out_unlock: +- mutex_unlock(&task->signal->cred_guard_mutex); ++ mutex_unlock(&task->signal->exec_update_mutex); + return result; + } + +diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c +index 8ceb51478800b..7e4bfaf2871fa 100644 +--- a/fs/ubifs/io.c ++++ b/fs/ubifs/io.c +@@ -225,7 +225,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum) + int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, + int offs, int quiet, int must_chk_crc) + { +- int err = -EINVAL, type, node_len; ++ int err = -EINVAL, type, node_len, dump_node = 1; + uint32_t crc, node_crc, magic; + const struct ubifs_ch *ch = buf; + +@@ -278,10 +278,22 @@ int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum, + out_len: + if (!quiet) + ubifs_err(c, "bad node length %d", node_len); ++ if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ) ++ dump_node = 0; + out: + if (!quiet) { + ubifs_err(c, "bad node at LEB %d:%d", lnum, offs); +- ubifs_dump_node(c, buf); ++ if (dump_node) { ++ ubifs_dump_node(c, buf); ++ } else { ++ int safe_len = min3(node_len, c->leb_size - offs, ++ (int)UBIFS_MAX_DATA_NODE_SZ); ++ pr_err("\tprevent out-of-bounds memory access\n"); ++ pr_err("\ttruncated data node length %d\n", safe_len); ++ pr_err("\tcorrupted data node:\n"); ++ print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1, ++ buf, safe_len, 0); ++ } + dump_stack(); + } + return err; +diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c +index a6ae2428e4c96..5f2ac5ef0891e 100644 +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -906,6 +906,7 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode) + ubifs_err(c, "dead directory entry '%s', error %d", + xent->name, err); + ubifs_ro_mode(c, err); ++ kfree(xent); + goto out_release; + } + ubifs_assert(c, ubifs_inode(xino)->xattr); +diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c +index 7dd740e3692da..283f9eb48410d 100644 +--- a/fs/ubifs/orphan.c ++++ b/fs/ubifs/orphan.c +@@ -157,7 +157,7 @@ int ubifs_add_orphan(struct ubifs_info *c, ino_t inum) + int err = 0; + ino_t xattr_inum; + union ubifs_key key; +- struct ubifs_dent_node *xent; ++ struct ubifs_dent_node *xent, *pxent = NULL; + struct fscrypt_name nm = {0}; + struct ubifs_orphan *xattr_orphan; + struct ubifs_orphan *orphan; +@@ -181,11 +181,16 @@ int ubifs_add_orphan(struct ubifs_info *c, ino_t inum) + xattr_inum = le64_to_cpu(xent->inum); + + xattr_orphan = orphan_add(c, xattr_inum, orphan); +- if (IS_ERR(xattr_orphan)) ++ if (IS_ERR(xattr_orphan)) { ++ kfree(xent); + return PTR_ERR(xattr_orphan); ++ } + ++ kfree(pxent); ++ pxent = xent; + key_read(c, &xent->key, &key); + } ++ kfree(pxent); + + return 0; + } +diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c +index 5472ed3ce6943..de33efc9b4f94 100644 +--- a/fs/xfs/libxfs/xfs_attr_leaf.c ++++ b/fs/xfs/libxfs/xfs_attr_leaf.c +@@ -453,13 +453,15 @@ xfs_attr_copy_value( + * special case for dev/uuid inodes, they have fixed size data forks. + */ + int +-xfs_attr_shortform_bytesfit(xfs_inode_t *dp, int bytes) ++xfs_attr_shortform_bytesfit( ++ struct xfs_inode *dp, ++ int bytes) + { +- int offset; +- int minforkoff; /* lower limit on valid forkoff locations */ +- int maxforkoff; /* upper limit on valid forkoff locations */ +- int dsize; +- xfs_mount_t *mp = dp->i_mount; ++ struct xfs_mount *mp = dp->i_mount; ++ int64_t dsize; ++ int minforkoff; ++ int maxforkoff; ++ int offset; + + /* rounded down */ + offset = (XFS_LITINO(mp, dp->i_d.di_version) - bytes) >> 3; +@@ -525,7 +527,7 @@ xfs_attr_shortform_bytesfit(xfs_inode_t *dp, int bytes) + * A data fork btree root must have space for at least + * MINDBTPTRS key/ptr pairs if the data fork is small or empty. + */ +- minforkoff = max(dsize, XFS_BMDR_SPACE_CALC(MINDBTPTRS)); ++ minforkoff = max_t(int64_t, dsize, XFS_BMDR_SPACE_CALC(MINDBTPTRS)); + minforkoff = roundup(minforkoff, 8) >> 3; + + /* attr fork btree root can have at least this many key/ptr pairs */ +@@ -924,7 +926,7 @@ xfs_attr_shortform_verify( + char *endp; + struct xfs_ifork *ifp; + int i; +- int size; ++ int64_t size; + + ASSERT(ip->i_d.di_aformat == XFS_DINODE_FMT_LOCAL); + ifp = XFS_IFORK_PTR(ip, XFS_ATTR_FORK); +@@ -1449,7 +1451,9 @@ xfs_attr3_leaf_add_work( + for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) { + if (ichdr->freemap[i].base == tmp) { + ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t); +- ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t); ++ ichdr->freemap[i].size -= ++ min_t(uint16_t, ichdr->freemap[i].size, ++ sizeof(xfs_attr_leaf_entry_t)); + } + } + ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index); +diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c +index 19a600443b9ee..f8db3fe616df9 100644 +--- a/fs/xfs/libxfs/xfs_bmap.c ++++ b/fs/xfs/libxfs/xfs_bmap.c +@@ -5376,16 +5376,17 @@ __xfs_bunmapi( + } + div_u64_rem(del.br_startblock, mp->m_sb.sb_rextsize, &mod); + if (mod) { ++ xfs_extlen_t off = mp->m_sb.sb_rextsize - mod; ++ + /* + * Realtime extent is lined up at the end but not + * at the front. We'll get rid of full extents if + * we can. + */ +- mod = mp->m_sb.sb_rextsize - mod; +- if (del.br_blockcount > mod) { +- del.br_blockcount -= mod; +- del.br_startoff += mod; +- del.br_startblock += mod; ++ if (del.br_blockcount > off) { ++ del.br_blockcount -= off; ++ del.br_startoff += off; ++ del.br_startblock += off; + } else if (del.br_startoff == start && + (del.br_state == XFS_EXT_UNWRITTEN || + tp->t_blk_res == 0)) { +@@ -5403,6 +5404,7 @@ __xfs_bunmapi( + continue; + } else if (del.br_state == XFS_EXT_UNWRITTEN) { + struct xfs_bmbt_irec prev; ++ xfs_fileoff_t unwrite_start; + + /* + * This one is already unwritten. +@@ -5416,12 +5418,13 @@ __xfs_bunmapi( + ASSERT(!isnullstartblock(prev.br_startblock)); + ASSERT(del.br_startblock == + prev.br_startblock + prev.br_blockcount); +- if (prev.br_startoff < start) { +- mod = start - prev.br_startoff; +- prev.br_blockcount -= mod; +- prev.br_startblock += mod; +- prev.br_startoff = start; +- } ++ unwrite_start = max3(start, ++ del.br_startoff - mod, ++ prev.br_startoff); ++ mod = unwrite_start - prev.br_startoff; ++ prev.br_startoff = unwrite_start; ++ prev.br_startblock += mod; ++ prev.br_blockcount -= mod; + prev.br_state = XFS_EXT_UNWRITTEN; + error = xfs_bmap_add_extent_unwritten_real(tp, + ip, whichfork, &icur, &cur, +diff --git a/fs/xfs/libxfs/xfs_dir2_node.c b/fs/xfs/libxfs/xfs_dir2_node.c +index 705c4f5627582..99d5b2ed67f2e 100644 +--- a/fs/xfs/libxfs/xfs_dir2_node.c ++++ b/fs/xfs/libxfs/xfs_dir2_node.c +@@ -210,6 +210,7 @@ __xfs_dir3_free_read( + if (fa) { + xfs_verifier_error(*bpp, -EFSCORRUPTED, fa); + xfs_trans_brelse(tp, *bpp); ++ *bpp = NULL; + return -EFSCORRUPTED; + } + +diff --git a/fs/xfs/libxfs/xfs_dir2_sf.c b/fs/xfs/libxfs/xfs_dir2_sf.c +index 85f14fc2a8da9..ae16ca7c422a9 100644 +--- a/fs/xfs/libxfs/xfs_dir2_sf.c ++++ b/fs/xfs/libxfs/xfs_dir2_sf.c +@@ -628,7 +628,7 @@ xfs_dir2_sf_verify( + int i; + int i8count; + int offset; +- int size; ++ int64_t size; + int error; + uint8_t filetype; + +diff --git a/fs/xfs/libxfs/xfs_iext_tree.c b/fs/xfs/libxfs/xfs_iext_tree.c +index 7bc87408f1a0a..52451809c4786 100644 +--- a/fs/xfs/libxfs/xfs_iext_tree.c ++++ b/fs/xfs/libxfs/xfs_iext_tree.c +@@ -596,7 +596,7 @@ xfs_iext_realloc_root( + struct xfs_ifork *ifp, + struct xfs_iext_cursor *cur) + { +- size_t new_size = ifp->if_bytes + sizeof(struct xfs_iext_rec); ++ int64_t new_size = ifp->if_bytes + sizeof(struct xfs_iext_rec); + void *new; + + /* account for the prev/next pointers */ +diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c +index c643beeb5a248..8fdd0424070e0 100644 +--- a/fs/xfs/libxfs/xfs_inode_fork.c ++++ b/fs/xfs/libxfs/xfs_inode_fork.c +@@ -129,7 +129,7 @@ xfs_init_local_fork( + struct xfs_inode *ip, + int whichfork, + const void *data, +- int size) ++ int64_t size) + { + struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, whichfork); + int mem_size = size, real_size = 0; +@@ -467,11 +467,11 @@ xfs_iroot_realloc( + void + xfs_idata_realloc( + struct xfs_inode *ip, +- int byte_diff, ++ int64_t byte_diff, + int whichfork) + { + struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, whichfork); +- int new_size = (int)ifp->if_bytes + byte_diff; ++ int64_t new_size = ifp->if_bytes + byte_diff; + + ASSERT(new_size >= 0); + ASSERT(new_size <= XFS_IFORK_SIZE(ip, whichfork)); +@@ -552,7 +552,7 @@ xfs_iextents_copy( + struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, whichfork); + struct xfs_iext_cursor icur; + struct xfs_bmbt_irec rec; +- int copied = 0; ++ int64_t copied = 0; + + ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL | XFS_ILOCK_SHARED)); + ASSERT(ifp->if_bytes > 0); +diff --git a/fs/xfs/libxfs/xfs_inode_fork.h b/fs/xfs/libxfs/xfs_inode_fork.h +index 00c62ce170d0e..7b845c052fb45 100644 +--- a/fs/xfs/libxfs/xfs_inode_fork.h ++++ b/fs/xfs/libxfs/xfs_inode_fork.h +@@ -13,16 +13,16 @@ struct xfs_dinode; + * File incore extent information, present for each of data & attr forks. + */ + struct xfs_ifork { +- int if_bytes; /* bytes in if_u1 */ +- unsigned int if_seq; /* fork mod counter */ ++ int64_t if_bytes; /* bytes in if_u1 */ + struct xfs_btree_block *if_broot; /* file's incore btree root */ +- short if_broot_bytes; /* bytes allocated for root */ +- unsigned char if_flags; /* per-fork flags */ ++ unsigned int if_seq; /* fork mod counter */ + int if_height; /* height of the extent tree */ + union { + void *if_root; /* extent tree root */ + char *if_data; /* inline file data */ + } if_u1; ++ short if_broot_bytes; /* bytes allocated for root */ ++ unsigned char if_flags; /* per-fork flags */ + }; + + /* +@@ -93,12 +93,14 @@ int xfs_iformat_fork(struct xfs_inode *, struct xfs_dinode *); + void xfs_iflush_fork(struct xfs_inode *, struct xfs_dinode *, + struct xfs_inode_log_item *, int); + void xfs_idestroy_fork(struct xfs_inode *, int); +-void xfs_idata_realloc(struct xfs_inode *, int, int); ++void xfs_idata_realloc(struct xfs_inode *ip, int64_t byte_diff, ++ int whichfork); + void xfs_iroot_realloc(struct xfs_inode *, int, int); + int xfs_iread_extents(struct xfs_trans *, struct xfs_inode *, int); + int xfs_iextents_copy(struct xfs_inode *, struct xfs_bmbt_rec *, + int); +-void xfs_init_local_fork(struct xfs_inode *, int, const void *, int); ++void xfs_init_local_fork(struct xfs_inode *ip, int whichfork, ++ const void *data, int64_t size); + + xfs_extnum_t xfs_iext_count(struct xfs_ifork *ifp); + void xfs_iext_insert(struct xfs_inode *, struct xfs_iext_cursor *cur, +diff --git a/fs/xfs/libxfs/xfs_trans_resv.c b/fs/xfs/libxfs/xfs_trans_resv.c +index d12bbd526e7c0..b3584cd2cc164 100644 +--- a/fs/xfs/libxfs/xfs_trans_resv.c ++++ b/fs/xfs/libxfs/xfs_trans_resv.c +@@ -196,6 +196,24 @@ xfs_calc_inode_chunk_res( + return res; + } + ++/* ++ * Per-extent log reservation for the btree changes involved in freeing or ++ * allocating a realtime extent. We have to be able to log as many rtbitmap ++ * blocks as needed to mark inuse MAXEXTLEN blocks' worth of realtime extents, ++ * as well as the realtime summary block. ++ */ ++unsigned int ++xfs_rtalloc_log_count( ++ struct xfs_mount *mp, ++ unsigned int num_ops) ++{ ++ unsigned int blksz = XFS_FSB_TO_B(mp, 1); ++ unsigned int rtbmp_bytes; ++ ++ rtbmp_bytes = (MAXEXTLEN / mp->m_sb.sb_rextsize) / NBBY; ++ return (howmany(rtbmp_bytes, blksz) + 1) * num_ops; ++} ++ + /* + * Various log reservation values. + * +@@ -218,13 +236,21 @@ xfs_calc_inode_chunk_res( + + /* + * In a write transaction we can allocate a maximum of 2 +- * extents. This gives: ++ * extents. This gives (t1): + * the inode getting the new extents: inode size + * the inode's bmap btree: max depth * block size + * the agfs of the ags from which the extents are allocated: 2 * sector + * the superblock free block counter: sector size + * the allocation btrees: 2 exts * 2 trees * (2 * max depth - 1) * block size +- * And the bmap_finish transaction can free bmap blocks in a join: ++ * Or, if we're writing to a realtime file (t2): ++ * the inode getting the new extents: inode size ++ * the inode's bmap btree: max depth * block size ++ * the agfs of the ags from which the extents are allocated: 2 * sector ++ * the superblock free block counter: sector size ++ * the realtime bitmap: ((MAXEXTLEN / rtextsize) / NBBY) bytes ++ * the realtime summary: 1 block ++ * the allocation btrees: 2 trees * (2 * max depth - 1) * block size ++ * And the bmap_finish transaction can free bmap blocks in a join (t3): + * the agfs of the ags containing the blocks: 2 * sector size + * the agfls of the ags containing the blocks: 2 * sector size + * the super block free block counter: sector size +@@ -234,40 +260,72 @@ STATIC uint + xfs_calc_write_reservation( + struct xfs_mount *mp) + { +- return XFS_DQUOT_LOGRES(mp) + +- max((xfs_calc_inode_res(mp, 1) + ++ unsigned int t1, t2, t3; ++ unsigned int blksz = XFS_FSB_TO_B(mp, 1); ++ ++ t1 = xfs_calc_inode_res(mp, 1) + ++ xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK), blksz) + ++ xfs_calc_buf_res(3, mp->m_sb.sb_sectsize) + ++ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz); ++ ++ if (xfs_sb_version_hasrealtime(&mp->m_sb)) { ++ t2 = xfs_calc_inode_res(mp, 1) + + xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK), +- XFS_FSB_TO_B(mp, 1)) + ++ blksz) + + xfs_calc_buf_res(3, mp->m_sb.sb_sectsize) + +- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), +- XFS_FSB_TO_B(mp, 1))), +- (xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) + +- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), +- XFS_FSB_TO_B(mp, 1)))); ++ xfs_calc_buf_res(xfs_rtalloc_log_count(mp, 1), blksz) + ++ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 1), blksz); ++ } else { ++ t2 = 0; ++ } ++ ++ t3 = xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) + ++ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz); ++ ++ return XFS_DQUOT_LOGRES(mp) + max3(t1, t2, t3); + } + + /* +- * In truncating a file we free up to two extents at once. We can modify: ++ * In truncating a file we free up to two extents at once. We can modify (t1): + * the inode being truncated: inode size + * the inode's bmap btree: (max depth + 1) * block size +- * And the bmap_finish transaction can free the blocks and bmap blocks: ++ * And the bmap_finish transaction can free the blocks and bmap blocks (t2): + * the agf for each of the ags: 4 * sector size + * the agfl for each of the ags: 4 * sector size + * the super block to reflect the freed blocks: sector size + * worst case split in allocation btrees per extent assuming 4 extents: + * 4 exts * 2 trees * (2 * max depth - 1) * block size ++ * Or, if it's a realtime file (t3): ++ * the agf for each of the ags: 2 * sector size ++ * the agfl for each of the ags: 2 * sector size ++ * the super block to reflect the freed blocks: sector size ++ * the realtime bitmap: 2 exts * ((MAXEXTLEN / rtextsize) / NBBY) bytes ++ * the realtime summary: 2 exts * 1 block ++ * worst case split in allocation btrees per extent assuming 2 extents: ++ * 2 exts * 2 trees * (2 * max depth - 1) * block size + */ + STATIC uint + xfs_calc_itruncate_reservation( + struct xfs_mount *mp) + { +- return XFS_DQUOT_LOGRES(mp) + +- max((xfs_calc_inode_res(mp, 1) + +- xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK) + 1, +- XFS_FSB_TO_B(mp, 1))), +- (xfs_calc_buf_res(9, mp->m_sb.sb_sectsize) + +- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 4), +- XFS_FSB_TO_B(mp, 1)))); ++ unsigned int t1, t2, t3; ++ unsigned int blksz = XFS_FSB_TO_B(mp, 1); ++ ++ t1 = xfs_calc_inode_res(mp, 1) + ++ xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK) + 1, blksz); ++ ++ t2 = xfs_calc_buf_res(9, mp->m_sb.sb_sectsize) + ++ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 4), blksz); ++ ++ if (xfs_sb_version_hasrealtime(&mp->m_sb)) { ++ t3 = xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) + ++ xfs_calc_buf_res(xfs_rtalloc_log_count(mp, 2), blksz) + ++ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz); ++ } else { ++ t3 = 0; ++ } ++ ++ return XFS_DQUOT_LOGRES(mp) + max3(t1, t2, t3); + } + + /* +diff --git a/fs/xfs/scrub/dir.c b/fs/xfs/scrub/dir.c +index 1e2e11721eb99..20eca2d8e7c77 100644 +--- a/fs/xfs/scrub/dir.c ++++ b/fs/xfs/scrub/dir.c +@@ -152,6 +152,9 @@ xchk_dir_actor( + xname.type = XFS_DIR3_FT_UNKNOWN; + + error = xfs_dir_lookup(sdc->sc->tp, ip, &xname, &lookup_ino, NULL); ++ /* ENOENT means the hash lookup failed and the dir is corrupt */ ++ if (error == -ENOENT) ++ error = -EFSCORRUPTED; + if (!xchk_fblock_process_error(sdc->sc, XFS_DATA_FORK, offset, + &error)) + goto out; +diff --git a/fs/xfs/scrub/scrub.c b/fs/xfs/scrub/scrub.c +index 15c8c5f3f688d..720bef5779989 100644 +--- a/fs/xfs/scrub/scrub.c ++++ b/fs/xfs/scrub/scrub.c +@@ -167,6 +167,7 @@ xchk_teardown( + xfs_irele(sc->ip); + sc->ip = NULL; + } ++ sb_end_write(sc->mp->m_super); + if (sc->flags & XCHK_REAPING_DISABLED) + xchk_start_reaping(sc); + if (sc->flags & XCHK_HAS_QUOTAOFFLOCK) { +@@ -489,6 +490,14 @@ xfs_scrub_metadata( + sc.ops = &meta_scrub_ops[sm->sm_type]; + sc.sick_mask = xchk_health_mask_for_scrub_type(sm->sm_type); + retry_op: ++ /* ++ * If freeze runs concurrently with a scrub, the freeze can be delayed ++ * indefinitely as we walk the filesystem and iterate over metadata ++ * buffers. Freeze quiesces the log (which waits for the buffer LRU to ++ * be emptied) and that won't happen while checking is running. ++ */ ++ sb_start_write(mp->m_super); ++ + /* Set up for the operation. */ + error = sc.ops->setup(&sc, ip); + if (error) +diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c +index 0c71acc1b8317..d6d78e1276254 100644 +--- a/fs/xfs/xfs_bmap_util.c ++++ b/fs/xfs/xfs_bmap_util.c +@@ -1039,6 +1039,7 @@ out_trans_cancel: + goto out_unlock; + } + ++/* Caller must first wait for the completion of any pending DIOs if required. */ + int + xfs_flush_unmap_range( + struct xfs_inode *ip, +@@ -1050,9 +1051,6 @@ xfs_flush_unmap_range( + xfs_off_t rounding, start, end; + int error; + +- /* wait for the completion of any pending DIOs */ +- inode_dio_wait(inode); +- + rounding = max_t(xfs_off_t, 1 << mp->m_sb.sb_blocklog, PAGE_SIZE); + start = round_down(offset, rounding); + end = round_up(offset + len, rounding) - 1; +@@ -1084,10 +1082,6 @@ xfs_free_file_space( + if (len <= 0) /* if nothing being freed */ + return 0; + +- error = xfs_flush_unmap_range(ip, offset, len); +- if (error) +- return error; +- + startoffset_fsb = XFS_B_TO_FSB(mp, offset); + endoffset_fsb = XFS_B_TO_FSBT(mp, offset + len); + +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c +index 1e2176190c86f..203065a647652 100644 +--- a/fs/xfs/xfs_file.c ++++ b/fs/xfs/xfs_file.c +@@ -818,6 +818,36 @@ xfs_file_fallocate( + if (error) + goto out_unlock; + ++ /* ++ * Must wait for all AIO to complete before we continue as AIO can ++ * change the file size on completion without holding any locks we ++ * currently hold. We must do this first because AIO can update both ++ * the on disk and in memory inode sizes, and the operations that follow ++ * require the in-memory size to be fully up-to-date. ++ */ ++ inode_dio_wait(inode); ++ ++ /* ++ * Now AIO and DIO has drained we flush and (if necessary) invalidate ++ * the cached range over the first operation we are about to run. ++ * ++ * We care about zero and collapse here because they both run a hole ++ * punch over the range first. Because that can zero data, and the range ++ * of invalidation for the shift operations is much larger, we still do ++ * the required flush for collapse in xfs_prepare_shift(). ++ * ++ * Insert has the same range requirements as collapse, and we extend the ++ * file first which can zero data. Hence insert has the same ++ * flush/invalidate requirements as collapse and so they are both ++ * handled at the right time by xfs_prepare_shift(). ++ */ ++ if (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE | ++ FALLOC_FL_COLLAPSE_RANGE)) { ++ error = xfs_flush_unmap_range(ip, offset, len); ++ if (error) ++ goto out_unlock; ++ } ++ + if (mode & FALLOC_FL_PUNCH_HOLE) { + error = xfs_free_file_space(ip, offset, len); + if (error) +diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c +index d082143feb5ab..c13754e119be1 100644 +--- a/fs/xfs/xfs_fsmap.c ++++ b/fs/xfs/xfs_fsmap.c +@@ -895,6 +895,14 @@ xfs_getfsmap( + info.format_arg = arg; + info.head = head; + ++ /* ++ * If fsmap runs concurrently with a scrub, the freeze can be delayed ++ * indefinitely as we walk the rmapbt and iterate over metadata ++ * buffers. Freeze quiesces the log (which waits for the buffer LRU to ++ * be emptied) and that won't happen while we're reading buffers. ++ */ ++ sb_start_write(mp->m_super); ++ + /* For each device we support... */ + for (i = 0; i < XFS_GETFSMAP_DEVS; i++) { + /* Is this device within the range the user asked for? */ +@@ -934,6 +942,7 @@ xfs_getfsmap( + + if (tp) + xfs_trans_cancel(tp); ++ sb_end_write(mp->m_super); + head->fmh_oflags = FMH_OF_DEV_T; + return error; + } +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index c93c4b7328ef7..60c4526312771 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -622,6 +622,7 @@ xfs_ioc_space( + error = xfs_break_layouts(inode, &iolock, BREAK_UNMAP); + if (error) + goto out_unlock; ++ inode_dio_wait(inode); + + switch (bf->l_whence) { + case 0: /*SEEK_SET*/ +diff --git a/fs/xfs/xfs_trans.c b/fs/xfs/xfs_trans.c +index f4795fdb7389c..b32a66452d441 100644 +--- a/fs/xfs/xfs_trans.c ++++ b/fs/xfs/xfs_trans.c +@@ -306,6 +306,11 @@ xfs_trans_alloc( + * + * Note the zero-length reservation; this transaction MUST be cancelled + * without any dirty data. ++ * ++ * Callers should obtain freeze protection to avoid two conflicts with fs ++ * freezing: (1) having active transactions trip the m_active_trans ASSERTs; ++ * and (2) grabbing buffers at the same time that freeze is trying to drain ++ * the buffer LRU list. + */ + int + xfs_trans_alloc_empty( +diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h +index 818691846c909..6fd08cf04add7 100644 +--- a/include/asm-generic/pgtable.h ++++ b/include/asm-generic/pgtable.h +@@ -1171,6 +1171,16 @@ static inline bool arch_has_pfn_modify_check(void) + #endif + #endif + ++#ifndef p4d_offset_lockless ++#define p4d_offset_lockless(pgdp, pgd, address) p4d_offset(&(pgd), address) ++#endif ++#ifndef pud_offset_lockless ++#define pud_offset_lockless(p4dp, p4d, address) pud_offset(&(p4d), address) ++#endif ++#ifndef pmd_offset_lockless ++#define pmd_offset_lockless(pudp, pud, address) pmd_offset(&(pud), address) ++#endif ++ + /* + * On some architectures it depends on the mm if the p4d/pud or pmd + * layer of the page table hierarchy is folded or not. +diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h +index b40fc633f3be6..a345d9fed3d8d 100644 +--- a/include/linux/binfmts.h ++++ b/include/linux/binfmts.h +@@ -44,7 +44,13 @@ struct linux_binprm { + * exec has happened. Used to sanitize execution environment + * and to set AT_SECURE auxv for glibc. + */ +- secureexec:1; ++ secureexec:1, ++ /* ++ * Set by flush_old_exec, when exec_mmap has been called. ++ * This is past the point of no return, when the ++ * exec_update_mutex has been taken. ++ */ ++ called_exec_mmap:1; + #ifdef __alpha__ + unsigned int taso:1; + #endif +diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h +index 58424eb3b3291..798f0b9b43aee 100644 +--- a/include/linux/debugfs.h ++++ b/include/linux/debugfs.h +@@ -54,6 +54,8 @@ static const struct file_operations __fops = { \ + .llseek = no_llseek, \ + } + ++typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *); ++ + #if defined(CONFIG_DEBUG_FS) + + struct dentry *debugfs_lookup(const char *name, struct dentry *parent); +@@ -75,7 +77,6 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent); + struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent, + const char *dest); + +-typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *); + struct dentry *debugfs_create_automount(const char *name, + struct dentry *parent, + debugfs_automount_t f, +@@ -203,7 +204,7 @@ static inline struct dentry *debugfs_create_symlink(const char *name, + + static inline struct dentry *debugfs_create_automount(const char *name, + struct dentry *parent, +- struct vfsmount *(*f)(void *), ++ debugfs_automount_t f, + void *data) + { + return ERR_PTR(-ENODEV); +diff --git a/include/linux/kprobes.h b/include/linux/kprobes.h +index 645fd401c856d..a60488867dd06 100644 +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -369,6 +369,8 @@ void unregister_kretprobes(struct kretprobe **rps, int num); + void kprobe_flush_task(struct task_struct *tk); + void recycle_rp_inst(struct kretprobe_instance *ri, struct hlist_head *head); + ++void kprobe_free_init_mem(void); ++ + int disable_kprobe(struct kprobe *kp); + int enable_kprobe(struct kprobe *kp); + +@@ -426,6 +428,9 @@ static inline void unregister_kretprobes(struct kretprobe **rps, int num) + static inline void kprobe_flush_task(struct task_struct *tk) + { + } ++static inline void kprobe_free_init_mem(void) ++{ ++} + static inline int disable_kprobe(struct kprobe *kp) + { + return -ENOSYS; +diff --git a/include/linux/libata.h b/include/linux/libata.h +index e752368ea3516..3c3d8d6b16183 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -486,6 +486,7 @@ enum hsm_task_states { + }; + + enum ata_completion_errors { ++ AC_ERR_OK = 0, /* no error */ + AC_ERR_DEV = (1 << 0), /* device reported error */ + AC_ERR_HSM = (1 << 1), /* host state machine violation */ + AC_ERR_TIMEOUT = (1 << 2), /* timeout */ +@@ -895,9 +896,9 @@ struct ata_port_operations { + /* + * Command execution + */ +- int (*qc_defer)(struct ata_queued_cmd *qc); +- int (*check_atapi_dma)(struct ata_queued_cmd *qc); +- void (*qc_prep)(struct ata_queued_cmd *qc); ++ int (*qc_defer)(struct ata_queued_cmd *qc); ++ int (*check_atapi_dma)(struct ata_queued_cmd *qc); ++ enum ata_completion_errors (*qc_prep)(struct ata_queued_cmd *qc); + unsigned int (*qc_issue)(struct ata_queued_cmd *qc); + bool (*qc_fill_rtf)(struct ata_queued_cmd *qc); + +@@ -1165,7 +1166,7 @@ extern int ata_xfer_mode2shift(unsigned long xfer_mode); + extern const char *ata_mode_string(unsigned long xfer_mask); + extern unsigned long ata_id_xfermask(const u16 *id); + extern int ata_std_qc_defer(struct ata_queued_cmd *qc); +-extern void ata_noop_qc_prep(struct ata_queued_cmd *qc); ++extern enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc); + extern void ata_sg_init(struct ata_queued_cmd *qc, struct scatterlist *sg, + unsigned int n_elem); + extern unsigned int ata_dev_classify(const struct ata_taskfile *tf); +@@ -1899,9 +1900,9 @@ extern const struct ata_port_operations ata_bmdma_port_ops; + .sg_tablesize = LIBATA_MAX_PRD, \ + .dma_boundary = ATA_DMA_BOUNDARY + +-extern void ata_bmdma_qc_prep(struct ata_queued_cmd *qc); ++extern enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc); + extern unsigned int ata_bmdma_qc_issue(struct ata_queued_cmd *qc); +-extern void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc); ++extern enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc); + extern unsigned int ata_bmdma_port_intr(struct ata_port *ap, + struct ata_queued_cmd *qc); + extern irqreturn_t ata_bmdma_interrupt(int irq, void *dev_instance); +diff --git a/include/linux/mmc/card.h b/include/linux/mmc/card.h +index e459b38ef33cc..cf3780a6ccc4b 100644 +--- a/include/linux/mmc/card.h ++++ b/include/linux/mmc/card.h +@@ -226,7 +226,7 @@ struct mmc_queue_req; + * MMC Physical partitions + */ + struct mmc_part { +- unsigned int size; /* partition size (in bytes) */ ++ u64 size; /* partition size (in bytes) */ + unsigned int part_cfg; /* partition type */ + char name[MAX_MMC_PART_NAME_LEN]; + bool force_ro; /* to make boot parts RO by default */ +diff --git a/include/linux/nfs_page.h b/include/linux/nfs_page.h +index 0bbd587fac6a9..7e9419d74b86b 100644 +--- a/include/linux/nfs_page.h ++++ b/include/linux/nfs_page.h +@@ -142,6 +142,8 @@ extern void nfs_unlock_and_release_request(struct nfs_page *); + extern int nfs_page_group_lock(struct nfs_page *); + extern void nfs_page_group_unlock(struct nfs_page *); + extern bool nfs_page_group_sync_on_bit(struct nfs_page *, unsigned int); ++extern int nfs_page_set_headlock(struct nfs_page *req); ++extern void nfs_page_clear_headlock(struct nfs_page *req); + extern bool nfs_async_iocounter_wait(struct rpc_task *, struct nfs_lock_context *); + + /* +diff --git a/include/linux/pci.h b/include/linux/pci.h +index f39f22f9ee474..e92bd9b32f369 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1216,7 +1216,6 @@ int pci_enable_rom(struct pci_dev *pdev); + void pci_disable_rom(struct pci_dev *pdev); + void __iomem __must_check *pci_map_rom(struct pci_dev *pdev, size_t *size); + void pci_unmap_rom(struct pci_dev *pdev, void __iomem *rom); +-void __iomem __must_check *pci_platform_rom(struct pci_dev *pdev, size_t *size); + + /* Power management related routines */ + int pci_save_state(struct pci_dev *dev); +diff --git a/include/linux/qed/qed_if.h b/include/linux/qed/qed_if.h +index b5db1ee96d789..65a7355ed07b3 100644 +--- a/include/linux/qed/qed_if.h ++++ b/include/linux/qed/qed_if.h +@@ -637,6 +637,7 @@ struct qed_dev_info { + #define QED_MFW_VERSION_3_OFFSET 24 + + u32 flash_size; ++ bool b_arfs_capable; + bool b_inter_pf_switch; + bool tx_switching; + bool rdma_supported; +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h +index 88050259c466e..a29df79540ce6 100644 +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -224,7 +224,14 @@ struct signal_struct { + + struct mutex cred_guard_mutex; /* guard against foreign influences on + * credential calculations +- * (notably. ptrace) */ ++ * (notably. ptrace) ++ * Deprecated do not use in new code. ++ * Use exec_update_mutex instead. ++ */ ++ struct mutex exec_update_mutex; /* Held while task_struct is being ++ * updated during exec, and may have ++ * inconsistent permissions. ++ */ + } __randomize_layout; + + /* +diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h +index bcf4cf26b8c89..a42a29952889c 100644 +--- a/include/linux/seqlock.h ++++ b/include/linux/seqlock.h +@@ -243,6 +243,13 @@ static inline void raw_write_seqcount_end(seqcount_t *s) + * usual consistency guarantee. It is one wmb cheaper, because we can + * collapse the two back-to-back wmb()s. + * ++ * Note that, writes surrounding the barrier should be declared atomic (e.g. ++ * via WRITE_ONCE): a) to ensure the writes become visible to other threads ++ * atomically, avoiding compiler optimizations; b) to document which writes are ++ * meant to propagate to the reader critical section. This is necessary because ++ * neither writes before and after the barrier are enclosed in a seq-writer ++ * critical section that would ensure readers are aware of ongoing writes. ++ * + * seqcount_t seq; + * bool X = true, Y = false; + * +@@ -262,11 +269,11 @@ static inline void raw_write_seqcount_end(seqcount_t *s) + * + * void write(void) + * { +- * Y = true; ++ * WRITE_ONCE(Y, true); + * + * raw_write_seqcount_barrier(seq); + * +- * X = false; ++ * WRITE_ONCE(X, false); + * } + */ + static inline void raw_write_seqcount_barrier(seqcount_t *s) +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index a62889c8bed7a..68139cc2f3ca3 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1816,6 +1816,18 @@ static inline __u32 skb_queue_len(const struct sk_buff_head *list_) + return list_->qlen; + } + ++/** ++ * skb_queue_len_lockless - get queue length ++ * @list_: list to measure ++ * ++ * Return the length of an &sk_buff queue. ++ * This variant can be used in lockless contexts. ++ */ ++static inline __u32 skb_queue_len_lockless(const struct sk_buff_head *list_) ++{ ++ return READ_ONCE(list_->qlen); ++} ++ + /** + * __skb_queue_head_init - initialize non-spinlock portions of sk_buff_head + * @list: queue to initialize +@@ -2021,7 +2033,7 @@ static inline void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list) + { + struct sk_buff *next, *prev; + +- list->qlen--; ++ WRITE_ONCE(list->qlen, list->qlen - 1); + next = skb->next; + prev = skb->prev; + skb->next = skb->prev = NULL; +diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h +index 26f282e5e0822..77589ed787f5c 100644 +--- a/include/linux/sunrpc/svc_rdma.h ++++ b/include/linux/sunrpc/svc_rdma.h +@@ -154,9 +154,8 @@ struct svc_rdma_send_ctxt { + }; + + /* svc_rdma_backchannel.c */ +-extern int svc_rdma_handle_bc_reply(struct rpc_xprt *xprt, +- __be32 *rdma_resp, +- struct xdr_buf *rcvbuf); ++extern void svc_rdma_handle_bc_reply(struct svc_rqst *rqstp, ++ struct svc_rdma_recv_ctxt *rctxt); + + /* svc_rdma_recvfrom.c */ + extern void svc_rdma_recv_ctxts_destroy(struct svcxprt_rdma *rdma); +diff --git a/include/net/sock.h b/include/net/sock.h +index 6d9c1131fe5c8..e6a48ebb22aa4 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -909,11 +909,11 @@ static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb) + skb_dst_force(skb); + + if (!sk->sk_backlog.tail) +- sk->sk_backlog.head = skb; ++ WRITE_ONCE(sk->sk_backlog.head, skb); + else + sk->sk_backlog.tail->next = skb; + +- sk->sk_backlog.tail = skb; ++ WRITE_ONCE(sk->sk_backlog.tail, skb); + skb->next = NULL; + } + +diff --git a/include/sound/hda_codec.h b/include/sound/hda_codec.h +index 9a0393cf024c2..65c056ce91128 100644 +--- a/include/sound/hda_codec.h ++++ b/include/sound/hda_codec.h +@@ -494,6 +494,11 @@ void snd_hda_update_power_acct(struct hda_codec *codec); + static inline void snd_hda_set_power_save(struct hda_bus *bus, int delay) {} + #endif + ++static inline bool hda_codec_need_resume(struct hda_codec *codec) ++{ ++ return !codec->relaxed_resume && codec->jacktbl.used; ++} ++ + #ifdef CONFIG_SND_HDA_PATCH_LOADER + /* + * patch firmware +diff --git a/include/trace/events/sctp.h b/include/trace/events/sctp.h +index 7475c7be165aa..d4aac34365955 100644 +--- a/include/trace/events/sctp.h ++++ b/include/trace/events/sctp.h +@@ -75,15 +75,6 @@ TRACE_EVENT(sctp_probe, + __entry->pathmtu = asoc->pathmtu; + __entry->rwnd = asoc->peer.rwnd; + __entry->unack_data = asoc->unack_data; +- +- if (trace_sctp_probe_path_enabled()) { +- struct sctp_transport *sp; +- +- list_for_each_entry(sp, &asoc->peer.transport_addr_list, +- transports) { +- trace_sctp_probe_path(sp, asoc); +- } +- } + ), + + TP_printk("asoc=%#llx mark=%#x bind_port=%d peer_port=%d pathmtu=%d " +diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h +index ffa3c51dbb1a0..28df77a948e56 100644 +--- a/include/trace/events/sunrpc.h ++++ b/include/trace/events/sunrpc.h +@@ -165,6 +165,7 @@ DECLARE_EVENT_CLASS(rpc_task_running, + DEFINE_RPC_RUNNING_EVENT(begin); + DEFINE_RPC_RUNNING_EVENT(run_action); + DEFINE_RPC_RUNNING_EVENT(complete); ++DEFINE_RPC_RUNNING_EVENT(end); + + DECLARE_EVENT_CLASS(rpc_task_queued, + +diff --git a/init/init_task.c b/init/init_task.c +index 9e5cbe5eab7b1..bd403ed3e4184 100644 +--- a/init/init_task.c ++++ b/init/init_task.c +@@ -26,6 +26,7 @@ static struct signal_struct init_signals = { + .multiprocess = HLIST_HEAD_INIT, + .rlim = INIT_RLIMITS, + .cred_guard_mutex = __MUTEX_INITIALIZER(init_signals.cred_guard_mutex), ++ .exec_update_mutex = __MUTEX_INITIALIZER(init_signals.exec_update_mutex), + #ifdef CONFIG_POSIX_TIMERS + .posix_timers = LIST_HEAD_INIT(init_signals.posix_timers), + .cputimer = { +diff --git a/init/main.c b/init/main.c +index 8c7d6b8ee6bd6..fef9e610b74b7 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -32,6 +32,7 @@ + #include <linux/nmi.h> + #include <linux/percpu.h> + #include <linux/kmod.h> ++#include <linux/kprobes.h> + #include <linux/vmalloc.h> + #include <linux/kernel_stat.h> + #include <linux/start_kernel.h> +@@ -1111,6 +1112,7 @@ static int __ref kernel_init(void *unused) + kernel_init_freeable(); + /* need to finish all async __init code before freeing the memory */ + async_synchronize_full(); ++ kprobe_free_init_mem(); + ftrace_free_init_mem(); + free_initmem(); + mark_readonly(); +diff --git a/kernel/Makefile b/kernel/Makefile +index 42557f251fea6..f2cc0d118a0bc 100644 +--- a/kernel/Makefile ++++ b/kernel/Makefile +@@ -115,6 +115,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o + obj-$(CONFIG_HAS_IOMEM) += iomem.o + obj-$(CONFIG_RSEQ) += rseq.o + ++obj-$(CONFIG_SYSCTL_KUNIT_TEST) += sysctl-test.o ++ + obj-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak.o + KASAN_SANITIZE_stackleak.o := n + KCOV_INSTRUMENT_stackleak.o := n +diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c +index 4508d5e0cf696..8a8fd732ff6d0 100644 +--- a/kernel/audit_watch.c ++++ b/kernel/audit_watch.c +@@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent *parent, + if (oentry->rule.exe) + audit_remove_mark(oentry->rule.exe); + +- audit_watch_log_rule_change(r, owatch, "updated_rules"); +- + call_rcu(&oentry->rcu, audit_free_rule_rcu); + } + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 039d64b1bfb7d..728ffec52cf36 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -664,15 +664,7 @@ static void htab_elem_free_rcu(struct rcu_head *head) + struct htab_elem *l = container_of(head, struct htab_elem, rcu); + struct bpf_htab *htab = l->htab; + +- /* must increment bpf_prog_active to avoid kprobe+bpf triggering while +- * we're calling kfree, otherwise deadlock is possible if kprobes +- * are placed somewhere inside of slub +- */ +- preempt_disable(); +- __this_cpu_inc(bpf_prog_active); + htab_elem_free(htab, l); +- __this_cpu_dec(bpf_prog_active); +- preempt_enable(); + } + + static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l) +diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c +index 218c09ff6a273..375d93eb71c71 100644 +--- a/kernel/bpf/inode.c ++++ b/kernel/bpf/inode.c +@@ -205,10 +205,12 @@ static void *map_seq_next(struct seq_file *m, void *v, loff_t *pos) + else + prev_key = key; + ++ rcu_read_lock(); + if (map->ops->map_get_next_key(map, prev_key, key)) { + map_iter(m)->done = true; +- return NULL; ++ key = NULL; + } ++ rcu_read_unlock(); + return key; + } + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index db1f5aa755f22..47646050efa0c 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -1253,7 +1253,7 @@ static void put_ctx(struct perf_event_context *ctx) + * function. + * + * Lock order: +- * cred_guard_mutex ++ * exec_update_mutex + * task_struct::perf_event_mutex + * perf_event_context::mutex + * perf_event::child_mutex; +@@ -11002,14 +11002,14 @@ SYSCALL_DEFINE5(perf_event_open, + } + + if (task) { +- err = mutex_lock_interruptible(&task->signal->cred_guard_mutex); ++ err = mutex_lock_interruptible(&task->signal->exec_update_mutex); + if (err) + goto err_task; + + /* + * Reuse ptrace permission checks for now. + * +- * We must hold cred_guard_mutex across this and any potential ++ * We must hold exec_update_mutex across this and any potential + * perf_install_in_context() call for this new event to + * serialize against exec() altering our credentials (and the + * perf_event_exit_task() that could imply). +@@ -11298,7 +11298,7 @@ SYSCALL_DEFINE5(perf_event_open, + mutex_unlock(&ctx->mutex); + + if (task) { +- mutex_unlock(&task->signal->cred_guard_mutex); ++ mutex_unlock(&task->signal->exec_update_mutex); + put_task_struct(task); + } + +@@ -11334,7 +11334,7 @@ err_alloc: + free_event(event); + err_cred: + if (task) +- mutex_unlock(&task->signal->cred_guard_mutex); ++ mutex_unlock(&task->signal->exec_update_mutex); + err_task: + if (task) + put_task_struct(task); +@@ -11639,7 +11639,7 @@ static void perf_event_exit_task_context(struct task_struct *child, int ctxn) + /* + * When a child task exits, feed back event values to parent events. + * +- * Can be called with cred_guard_mutex held when called from ++ * Can be called with exec_update_mutex held when called from + * install_exec_creds(). + */ + void perf_event_exit_task(struct task_struct *child) +diff --git a/kernel/fork.c b/kernel/fork.c +index 9180f4416dbab..594272569a80f 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1221,7 +1221,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) + struct mm_struct *mm; + int err; + +- err = mutex_lock_killable(&task->signal->cred_guard_mutex); ++ err = mutex_lock_killable(&task->signal->exec_update_mutex); + if (err) + return ERR_PTR(err); + +@@ -1231,7 +1231,7 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode) + mmput(mm); + mm = ERR_PTR(-EACCES); + } +- mutex_unlock(&task->signal->cred_guard_mutex); ++ mutex_unlock(&task->signal->exec_update_mutex); + + return mm; + } +@@ -1586,6 +1586,7 @@ static int copy_signal(unsigned long clone_flags, struct task_struct *tsk) + sig->oom_score_adj_min = current->signal->oom_score_adj_min; + + mutex_init(&sig->cred_guard_mutex); ++ mutex_init(&sig->exec_update_mutex); + + return 0; + } +diff --git a/kernel/kcmp.c b/kernel/kcmp.c +index a0e3d7a0e8b81..b3ff9288c6cc9 100644 +--- a/kernel/kcmp.c ++++ b/kernel/kcmp.c +@@ -173,8 +173,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, + /* + * One should have enough rights to inspect task details. + */ +- ret = kcmp_lock(&task1->signal->cred_guard_mutex, +- &task2->signal->cred_guard_mutex); ++ ret = kcmp_lock(&task1->signal->exec_update_mutex, ++ &task2->signal->exec_update_mutex); + if (ret) + goto err; + if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) || +@@ -229,8 +229,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type, + } + + err_unlock: +- kcmp_unlock(&task1->signal->cred_guard_mutex, +- &task2->signal->cred_guard_mutex); ++ kcmp_unlock(&task1->signal->exec_update_mutex, ++ &task2->signal->exec_update_mutex); + err: + put_task_struct(task1); + put_task_struct(task2); +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 5646f291eb705..283c8b01ce789 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1076,9 +1076,20 @@ static int disarm_kprobe_ftrace(struct kprobe *p) + ipmodify ? &kprobe_ipmodify_enabled : &kprobe_ftrace_enabled); + } + #else /* !CONFIG_KPROBES_ON_FTRACE */ +-#define prepare_kprobe(p) arch_prepare_kprobe(p) +-#define arm_kprobe_ftrace(p) (-ENODEV) +-#define disarm_kprobe_ftrace(p) (-ENODEV) ++static inline int prepare_kprobe(struct kprobe *p) ++{ ++ return arch_prepare_kprobe(p); ++} ++ ++static inline int arm_kprobe_ftrace(struct kprobe *p) ++{ ++ return -ENODEV; ++} ++ ++static inline int disarm_kprobe_ftrace(struct kprobe *p) ++{ ++ return -ENODEV; ++} + #endif + + /* Arm a kprobe with text_mutex */ +@@ -2110,9 +2121,10 @@ static void kill_kprobe(struct kprobe *p) + + /* + * The module is going away. We should disarm the kprobe which +- * is using ftrace. ++ * is using ftrace, because ftrace framework is still available at ++ * MODULE_STATE_GOING notification. + */ +- if (kprobe_ftrace(p)) ++ if (kprobe_ftrace(p) && !kprobe_disabled(p) && !kprobes_all_disarmed) + disarm_kprobe_ftrace(p); + } + +@@ -2308,6 +2320,28 @@ static struct notifier_block kprobe_module_nb = { + extern unsigned long __start_kprobe_blacklist[]; + extern unsigned long __stop_kprobe_blacklist[]; + ++void kprobe_free_init_mem(void) ++{ ++ void *start = (void *)(&__init_begin); ++ void *end = (void *)(&__init_end); ++ struct hlist_head *head; ++ struct kprobe *p; ++ int i; ++ ++ mutex_lock(&kprobe_mutex); ++ ++ /* Kill all kprobes on initmem */ ++ for (i = 0; i < KPROBE_TABLE_SIZE; i++) { ++ head = &kprobe_table[i]; ++ hlist_for_each_entry(p, head, hlist) { ++ if (start <= (void *)p->addr && (void *)p->addr < end) ++ kill_kprobe(p); ++ } ++ } ++ ++ mutex_unlock(&kprobe_mutex); ++} ++ + static int __init init_kprobes(void) + { + int i, err = 0; +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 9ab1a965c3b92..bca0f7f71cde4 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -2302,18 +2302,6 @@ static int check_irq_usage(struct task_struct *curr, struct held_lock *prev, + return 0; + } + +-static void inc_chains(void) +-{ +- if (current->hardirq_context) +- nr_hardirq_chains++; +- else { +- if (current->softirq_context) +- nr_softirq_chains++; +- else +- nr_process_chains++; +- } +-} +- + #else + + static inline int check_irq_usage(struct task_struct *curr, +@@ -2321,13 +2309,27 @@ static inline int check_irq_usage(struct task_struct *curr, + { + return 1; + } ++#endif /* CONFIG_TRACE_IRQFLAGS */ + +-static inline void inc_chains(void) ++static void inc_chains(int irq_context) + { +- nr_process_chains++; ++ if (irq_context & LOCK_CHAIN_HARDIRQ_CONTEXT) ++ nr_hardirq_chains++; ++ else if (irq_context & LOCK_CHAIN_SOFTIRQ_CONTEXT) ++ nr_softirq_chains++; ++ else ++ nr_process_chains++; + } + +-#endif /* CONFIG_TRACE_IRQFLAGS */ ++static void dec_chains(int irq_context) ++{ ++ if (irq_context & LOCK_CHAIN_HARDIRQ_CONTEXT) ++ nr_hardirq_chains--; ++ else if (irq_context & LOCK_CHAIN_SOFTIRQ_CONTEXT) ++ nr_softirq_chains--; ++ else ++ nr_process_chains--; ++} + + static void + print_deadlock_scenario(struct held_lock *nxt, struct held_lock *prv) +@@ -2847,7 +2849,7 @@ static inline int add_chain_cache(struct task_struct *curr, + + hlist_add_head_rcu(&chain->entry, hash_head); + debug_atomic_inc(chain_lookup_misses); +- inc_chains(); ++ inc_chains(chain->irq_context); + + return 1; + } +@@ -3600,7 +3602,8 @@ lock_used: + + static inline unsigned int task_irq_context(struct task_struct *task) + { +- return 2 * !!task->hardirq_context + !!task->softirq_context; ++ return LOCK_CHAIN_HARDIRQ_CONTEXT * !!task->hardirq_context + ++ LOCK_CHAIN_SOFTIRQ_CONTEXT * !!task->softirq_context; + } + + static int separate_irq_context(struct task_struct *curr, +@@ -4805,6 +4808,8 @@ recalc: + return; + /* Overwrite the chain key for concurrent RCU readers. */ + WRITE_ONCE(chain->chain_key, chain_key); ++ dec_chains(chain->irq_context); ++ + /* + * Note: calling hlist_del_rcu() from inside a + * hlist_for_each_entry_rcu() loop is safe. +@@ -4826,6 +4831,7 @@ recalc: + } + *new_chain = *chain; + hlist_add_head_rcu(&new_chain->entry, chainhashentry(chain_key)); ++ inc_chains(new_chain->irq_context); + #endif + } + +diff --git a/kernel/locking/lockdep_internals.h b/kernel/locking/lockdep_internals.h +index 18d85aebbb57f..a525368b8cf61 100644 +--- a/kernel/locking/lockdep_internals.h ++++ b/kernel/locking/lockdep_internals.h +@@ -106,6 +106,12 @@ static const unsigned long LOCKF_USED_IN_IRQ_READ = + #define STACK_TRACE_HASH_SIZE 16384 + #endif + ++/* ++ * Bit definitions for lock_chain.irq_context ++ */ ++#define LOCK_CHAIN_SOFTIRQ_CONTEXT (1 << 0) ++#define LOCK_CHAIN_HARDIRQ_CONTEXT (1 << 1) ++ + #define MAX_LOCKDEP_CHAINS (1UL << MAX_LOCKDEP_CHAINS_BITS) + + #define MAX_LOCKDEP_CHAIN_HLOCKS (MAX_LOCKDEP_CHAINS*5) +diff --git a/kernel/notifier.c b/kernel/notifier.c +index 157d7c29f7207..f6d5ffe4e72ec 100644 +--- a/kernel/notifier.c ++++ b/kernel/notifier.c +@@ -23,7 +23,10 @@ static int notifier_chain_register(struct notifier_block **nl, + struct notifier_block *n) + { + while ((*nl) != NULL) { +- WARN_ONCE(((*nl) == n), "double register detected"); ++ if (unlikely((*nl) == n)) { ++ WARN(1, "double register detected"); ++ return 0; ++ } + if (n->priority > (*nl)->priority) + break; + nl = &((*nl)->next); +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index 971197f5d8ee5..5569ef6bc1839 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -2193,6 +2193,9 @@ static int __init console_setup(char *str) + char *s, *options, *brl_options = NULL; + int idx; + ++ if (str[0] == 0) ++ return 1; ++ + if (_braille_console_setup(&str, &brl_options)) + return 1; + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 352239c411a44..79ce22de44095 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -4199,7 +4199,8 @@ static inline void sched_submit_work(struct task_struct *tsk) + * it wants to wake up a task to maintain concurrency. + * As this function is called inside the schedule() context, + * we disable preemption to avoid it calling schedule() again +- * in the possible wakeup of a kworker. ++ * in the possible wakeup of a kworker and because wq_worker_sleeping() ++ * requires it. + */ + if (tsk->flags & PF_WQ_WORKER) { + preempt_disable(); +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 20bf1f66733ac..b02a83ff40687 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -4383,16 +4383,16 @@ static inline struct cfs_bandwidth *tg_cfs_bandwidth(struct task_group *tg) + } + + /* returns 0 on failure to allocate runtime */ +-static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq) ++static int __assign_cfs_rq_runtime(struct cfs_bandwidth *cfs_b, ++ struct cfs_rq *cfs_rq, u64 target_runtime) + { +- struct task_group *tg = cfs_rq->tg; +- struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(tg); +- u64 amount = 0, min_amount; ++ u64 min_amount, amount = 0; ++ ++ lockdep_assert_held(&cfs_b->lock); + + /* note: this is a positive sum as runtime_remaining <= 0 */ +- min_amount = sched_cfs_bandwidth_slice() - cfs_rq->runtime_remaining; ++ min_amount = target_runtime - cfs_rq->runtime_remaining; + +- raw_spin_lock(&cfs_b->lock); + if (cfs_b->quota == RUNTIME_INF) + amount = min_amount; + else { +@@ -4404,13 +4404,25 @@ static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq) + cfs_b->idle = 0; + } + } +- raw_spin_unlock(&cfs_b->lock); + + cfs_rq->runtime_remaining += amount; + + return cfs_rq->runtime_remaining > 0; + } + ++/* returns 0 on failure to allocate runtime */ ++static int assign_cfs_rq_runtime(struct cfs_rq *cfs_rq) ++{ ++ struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(cfs_rq->tg); ++ int ret; ++ ++ raw_spin_lock(&cfs_b->lock); ++ ret = __assign_cfs_rq_runtime(cfs_b, cfs_rq, sched_cfs_bandwidth_slice()); ++ raw_spin_unlock(&cfs_b->lock); ++ ++ return ret; ++} ++ + static void __account_cfs_rq_runtime(struct cfs_rq *cfs_rq, u64 delta_exec) + { + /* dock delta_exec before expiring quota (as it could span periods) */ +@@ -4499,13 +4511,33 @@ static int tg_throttle_down(struct task_group *tg, void *data) + return 0; + } + +-static void throttle_cfs_rq(struct cfs_rq *cfs_rq) ++static bool throttle_cfs_rq(struct cfs_rq *cfs_rq) + { + struct rq *rq = rq_of(cfs_rq); + struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(cfs_rq->tg); + struct sched_entity *se; + long task_delta, idle_task_delta, dequeue = 1; +- bool empty; ++ ++ raw_spin_lock(&cfs_b->lock); ++ /* This will start the period timer if necessary */ ++ if (__assign_cfs_rq_runtime(cfs_b, cfs_rq, 1)) { ++ /* ++ * We have raced with bandwidth becoming available, and if we ++ * actually throttled the timer might not unthrottle us for an ++ * entire period. We additionally needed to make sure that any ++ * subsequent check_cfs_rq_runtime calls agree not to throttle ++ * us, as we may commit to do cfs put_prev+pick_next, so we ask ++ * for 1ns of runtime rather than just check cfs_b. ++ */ ++ dequeue = 0; ++ } else { ++ list_add_tail_rcu(&cfs_rq->throttled_list, ++ &cfs_b->throttled_cfs_rq); ++ } ++ raw_spin_unlock(&cfs_b->lock); ++ ++ if (!dequeue) ++ return false; /* Throttle no longer required. */ + + se = cfs_rq->tg->se[cpu_of(rq_of(cfs_rq))]; + +@@ -4534,29 +4566,13 @@ static void throttle_cfs_rq(struct cfs_rq *cfs_rq) + if (!se) + sub_nr_running(rq, task_delta); + +- cfs_rq->throttled = 1; +- cfs_rq->throttled_clock = rq_clock(rq); +- raw_spin_lock(&cfs_b->lock); +- empty = list_empty(&cfs_b->throttled_cfs_rq); +- +- /* +- * Add to the _head_ of the list, so that an already-started +- * distribute_cfs_runtime will not see us. If disribute_cfs_runtime is +- * not running add to the tail so that later runqueues don't get starved. +- */ +- if (cfs_b->distribute_running) +- list_add_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq); +- else +- list_add_tail_rcu(&cfs_rq->throttled_list, &cfs_b->throttled_cfs_rq); +- + /* +- * If we're the first throttled task, make sure the bandwidth +- * timer is running. ++ * Note: distribution will already see us throttled via the ++ * throttled-list. rq->lock protects completion. + */ +- if (empty) +- start_cfs_bandwidth(cfs_b); +- +- raw_spin_unlock(&cfs_b->lock); ++ cfs_rq->throttled = 1; ++ cfs_rq->throttled_clock = rq_clock(rq); ++ return true; + } + + void unthrottle_cfs_rq(struct cfs_rq *cfs_rq) +@@ -4915,8 +4931,7 @@ static bool check_cfs_rq_runtime(struct cfs_rq *cfs_rq) + if (cfs_rq_throttled(cfs_rq)) + return true; + +- throttle_cfs_rq(cfs_rq); +- return true; ++ return throttle_cfs_rq(cfs_rq); + } + + static enum hrtimer_restart sched_cfs_slack_timer(struct hrtimer *timer) +diff --git a/kernel/sys.c b/kernel/sys.c +index a611d1d58c7d0..3459a5ce0da01 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1279,11 +1279,13 @@ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) + + SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) + { +- struct oldold_utsname tmp = {}; ++ struct oldold_utsname tmp; + + if (!name) + return -EFAULT; + ++ memset(&tmp, 0, sizeof(tmp)); ++ + down_read(&uts_sem); + memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN); + memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN); +diff --git a/kernel/sysctl-test.c b/kernel/sysctl-test.c +new file mode 100644 +index 0000000000000..2a63241a8453b +--- /dev/null ++++ b/kernel/sysctl-test.c +@@ -0,0 +1,392 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * KUnit test of proc sysctl. ++ */ ++ ++#include <kunit/test.h> ++#include <linux/sysctl.h> ++ ++#define KUNIT_PROC_READ 0 ++#define KUNIT_PROC_WRITE 1 ++ ++static int i_zero; ++static int i_one_hundred = 100; ++ ++/* ++ * Test that proc_dointvec will not try to use a NULL .data field even when the ++ * length is non-zero. ++ */ ++static void sysctl_test_api_dointvec_null_tbl_data(struct kunit *test) ++{ ++ struct ctl_table null_data_table = { ++ .procname = "foo", ++ /* ++ * Here we are testing that proc_dointvec behaves correctly when ++ * we give it a NULL .data field. Normally this would point to a ++ * piece of memory where the value would be stored. ++ */ ++ .data = NULL, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ /* ++ * proc_dointvec expects a buffer in user space, so we allocate one. We ++ * also need to cast it to __user so sparse doesn't get mad. ++ */ ++ void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int), ++ GFP_USER); ++ size_t len; ++ loff_t pos; ++ ++ /* ++ * We don't care what the starting length is since proc_dointvec should ++ * not try to read because .data is NULL. ++ */ ++ len = 1234; ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&null_data_table, ++ KUNIT_PROC_READ, buffer, &len, ++ &pos)); ++ KUNIT_EXPECT_EQ(test, (size_t)0, len); ++ ++ /* ++ * See above. ++ */ ++ len = 1234; ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&null_data_table, ++ KUNIT_PROC_WRITE, buffer, &len, ++ &pos)); ++ KUNIT_EXPECT_EQ(test, (size_t)0, len); ++} ++ ++/* ++ * Similar to the previous test, we create a struct ctrl_table that has a .data ++ * field that proc_dointvec cannot do anything with; however, this time it is ++ * because we tell proc_dointvec that the size is 0. ++ */ ++static void sysctl_test_api_dointvec_table_maxlen_unset(struct kunit *test) ++{ ++ int data = 0; ++ struct ctl_table data_maxlen_unset_table = { ++ .procname = "foo", ++ .data = &data, ++ /* ++ * So .data is no longer NULL, but we tell proc_dointvec its ++ * length is 0, so it still shouldn't try to use it. ++ */ ++ .maxlen = 0, ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int), ++ GFP_USER); ++ size_t len; ++ loff_t pos; ++ ++ /* ++ * As before, we don't care what buffer length is because proc_dointvec ++ * cannot do anything because its internal .data buffer has zero length. ++ */ ++ len = 1234; ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&data_maxlen_unset_table, ++ KUNIT_PROC_READ, buffer, &len, ++ &pos)); ++ KUNIT_EXPECT_EQ(test, (size_t)0, len); ++ ++ /* ++ * See previous comment. ++ */ ++ len = 1234; ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&data_maxlen_unset_table, ++ KUNIT_PROC_WRITE, buffer, &len, ++ &pos)); ++ KUNIT_EXPECT_EQ(test, (size_t)0, len); ++} ++ ++/* ++ * Here we provide a valid struct ctl_table, but we try to read and write from ++ * it using a buffer of zero length, so it should still fail in a similar way as ++ * before. ++ */ ++static void sysctl_test_api_dointvec_table_len_is_zero(struct kunit *test) ++{ ++ int data = 0; ++ /* Good table. */ ++ struct ctl_table table = { ++ .procname = "foo", ++ .data = &data, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int), ++ GFP_USER); ++ /* ++ * However, now our read/write buffer has zero length. ++ */ ++ size_t len = 0; ++ loff_t pos; ++ ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_READ, buffer, ++ &len, &pos)); ++ KUNIT_EXPECT_EQ(test, (size_t)0, len); ++ ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_WRITE, buffer, ++ &len, &pos)); ++ KUNIT_EXPECT_EQ(test, (size_t)0, len); ++} ++ ++/* ++ * Test that proc_dointvec refuses to read when the file position is non-zero. ++ */ ++static void sysctl_test_api_dointvec_table_read_but_position_set( ++ struct kunit *test) ++{ ++ int data = 0; ++ /* Good table. */ ++ struct ctl_table table = { ++ .procname = "foo", ++ .data = &data, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int), ++ GFP_USER); ++ /* ++ * We don't care about our buffer length because we start off with a ++ * non-zero file position. ++ */ ++ size_t len = 1234; ++ /* ++ * proc_dointvec should refuse to read into the buffer since the file ++ * pos is non-zero. ++ */ ++ loff_t pos = 1; ++ ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_READ, buffer, ++ &len, &pos)); ++ KUNIT_EXPECT_EQ(test, (size_t)0, len); ++} ++ ++/* ++ * Test that we can read a two digit number in a sufficiently size buffer. ++ * Nothing fancy. ++ */ ++static void sysctl_test_dointvec_read_happy_single_positive(struct kunit *test) ++{ ++ int data = 0; ++ /* Good table. */ ++ struct ctl_table table = { ++ .procname = "foo", ++ .data = &data, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ size_t len = 4; ++ loff_t pos = 0; ++ char *buffer = kunit_kzalloc(test, len, GFP_USER); ++ char __user *user_buffer = (char __user *)buffer; ++ /* Store 13 in the data field. */ ++ *((int *)table.data) = 13; ++ ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_READ, ++ user_buffer, &len, &pos)); ++ KUNIT_ASSERT_EQ(test, (size_t)3, len); ++ buffer[len] = '\0'; ++ /* And we read 13 back out. */ ++ KUNIT_EXPECT_STREQ(test, "13\n", buffer); ++} ++ ++/* ++ * Same as previous test, just now with negative numbers. ++ */ ++static void sysctl_test_dointvec_read_happy_single_negative(struct kunit *test) ++{ ++ int data = 0; ++ /* Good table. */ ++ struct ctl_table table = { ++ .procname = "foo", ++ .data = &data, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ size_t len = 5; ++ loff_t pos = 0; ++ char *buffer = kunit_kzalloc(test, len, GFP_USER); ++ char __user *user_buffer = (char __user *)buffer; ++ *((int *)table.data) = -16; ++ ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_READ, ++ user_buffer, &len, &pos)); ++ KUNIT_ASSERT_EQ(test, (size_t)4, len); ++ buffer[len] = '\0'; ++ KUNIT_EXPECT_STREQ(test, "-16\n", (char *)buffer); ++} ++ ++/* ++ * Test that a simple positive write works. ++ */ ++static void sysctl_test_dointvec_write_happy_single_positive(struct kunit *test) ++{ ++ int data = 0; ++ /* Good table. */ ++ struct ctl_table table = { ++ .procname = "foo", ++ .data = &data, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ char input[] = "9"; ++ size_t len = sizeof(input) - 1; ++ loff_t pos = 0; ++ char *buffer = kunit_kzalloc(test, len, GFP_USER); ++ char __user *user_buffer = (char __user *)buffer; ++ ++ memcpy(buffer, input, len); ++ ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_WRITE, ++ user_buffer, &len, &pos)); ++ KUNIT_EXPECT_EQ(test, sizeof(input) - 1, len); ++ KUNIT_EXPECT_EQ(test, sizeof(input) - 1, (size_t)pos); ++ KUNIT_EXPECT_EQ(test, 9, *((int *)table.data)); ++} ++ ++/* ++ * Same as previous test, but now with negative numbers. ++ */ ++static void sysctl_test_dointvec_write_happy_single_negative(struct kunit *test) ++{ ++ int data = 0; ++ struct ctl_table table = { ++ .procname = "foo", ++ .data = &data, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ char input[] = "-9"; ++ size_t len = sizeof(input) - 1; ++ loff_t pos = 0; ++ char *buffer = kunit_kzalloc(test, len, GFP_USER); ++ char __user *user_buffer = (char __user *)buffer; ++ ++ memcpy(buffer, input, len); ++ ++ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_WRITE, ++ user_buffer, &len, &pos)); ++ KUNIT_EXPECT_EQ(test, sizeof(input) - 1, len); ++ KUNIT_EXPECT_EQ(test, sizeof(input) - 1, (size_t)pos); ++ KUNIT_EXPECT_EQ(test, -9, *((int *)table.data)); ++} ++ ++/* ++ * Test that writing a value smaller than the minimum possible value is not ++ * allowed. ++ */ ++static void sysctl_test_api_dointvec_write_single_less_int_min( ++ struct kunit *test) ++{ ++ int data = 0; ++ struct ctl_table table = { ++ .procname = "foo", ++ .data = &data, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ size_t max_len = 32, len = max_len; ++ loff_t pos = 0; ++ char *buffer = kunit_kzalloc(test, max_len, GFP_USER); ++ char __user *user_buffer = (char __user *)buffer; ++ unsigned long abs_of_less_than_min = (unsigned long)INT_MAX ++ - (INT_MAX + INT_MIN) + 1; ++ ++ /* ++ * We use this rigmarole to create a string that contains a value one ++ * less than the minimum accepted value. ++ */ ++ KUNIT_ASSERT_LT(test, ++ (size_t)snprintf(buffer, max_len, "-%lu", ++ abs_of_less_than_min), ++ max_len); ++ ++ KUNIT_EXPECT_EQ(test, -EINVAL, proc_dointvec(&table, KUNIT_PROC_WRITE, ++ user_buffer, &len, &pos)); ++ KUNIT_EXPECT_EQ(test, max_len, len); ++ KUNIT_EXPECT_EQ(test, 0, *((int *)table.data)); ++} ++ ++/* ++ * Test that writing the maximum possible value works. ++ */ ++static void sysctl_test_api_dointvec_write_single_greater_int_max( ++ struct kunit *test) ++{ ++ int data = 0; ++ struct ctl_table table = { ++ .procname = "foo", ++ .data = &data, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ .extra1 = &i_zero, ++ .extra2 = &i_one_hundred, ++ }; ++ size_t max_len = 32, len = max_len; ++ loff_t pos = 0; ++ char *buffer = kunit_kzalloc(test, max_len, GFP_USER); ++ char __user *user_buffer = (char __user *)buffer; ++ unsigned long greater_than_max = (unsigned long)INT_MAX + 1; ++ ++ KUNIT_ASSERT_GT(test, greater_than_max, (unsigned long)INT_MAX); ++ KUNIT_ASSERT_LT(test, (size_t)snprintf(buffer, max_len, "%lu", ++ greater_than_max), ++ max_len); ++ KUNIT_EXPECT_EQ(test, -EINVAL, proc_dointvec(&table, KUNIT_PROC_WRITE, ++ user_buffer, &len, &pos)); ++ KUNIT_ASSERT_EQ(test, max_len, len); ++ KUNIT_EXPECT_EQ(test, 0, *((int *)table.data)); ++} ++ ++static struct kunit_case sysctl_test_cases[] = { ++ KUNIT_CASE(sysctl_test_api_dointvec_null_tbl_data), ++ KUNIT_CASE(sysctl_test_api_dointvec_table_maxlen_unset), ++ KUNIT_CASE(sysctl_test_api_dointvec_table_len_is_zero), ++ KUNIT_CASE(sysctl_test_api_dointvec_table_read_but_position_set), ++ KUNIT_CASE(sysctl_test_dointvec_read_happy_single_positive), ++ KUNIT_CASE(sysctl_test_dointvec_read_happy_single_negative), ++ KUNIT_CASE(sysctl_test_dointvec_write_happy_single_positive), ++ KUNIT_CASE(sysctl_test_dointvec_write_happy_single_negative), ++ KUNIT_CASE(sysctl_test_api_dointvec_write_single_less_int_min), ++ KUNIT_CASE(sysctl_test_api_dointvec_write_single_greater_int_max), ++ {} ++}; ++ ++static struct kunit_suite sysctl_test_suite = { ++ .name = "sysctl_test", ++ .test_cases = sysctl_test_cases, ++}; ++ ++kunit_test_suite(sysctl_test_suite); +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index ca69290bee2a3..4fc2af4367a7b 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -1005,9 +1005,8 @@ static int scale64_check_overflow(u64 mult, u64 div, u64 *base) + ((int)sizeof(u64)*8 - fls64(mult) < fls64(rem))) + return -EOVERFLOW; + tmp *= mult; +- rem *= mult; + +- do_div(rem, div); ++ rem = div64_u64(rem * mult, div); + *base = tmp + rem; + return 0; + } +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index f9c2bdbbd8936..db8162b34ef64 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -3233,6 +3233,9 @@ int trace_array_printk(struct trace_array *tr, + if (!(global_trace.trace_flags & TRACE_ITER_PRINTK)) + return 0; + ++ if (!tr) ++ return -ENOENT; ++ + va_start(ap, fmt); + ret = trace_array_vprintk(tr, ip, fmt, ap); + va_end(ap); +@@ -8502,17 +8505,26 @@ static int __remove_instance(struct trace_array *tr) + return 0; + } + +-int trace_array_destroy(struct trace_array *tr) ++int trace_array_destroy(struct trace_array *this_tr) + { ++ struct trace_array *tr; + int ret; + +- if (!tr) ++ if (!this_tr) + return -EINVAL; + + mutex_lock(&event_mutex); + mutex_lock(&trace_types_lock); + +- ret = __remove_instance(tr); ++ ret = -ENODEV; ++ ++ /* Making sure trace array exists before destroying it. */ ++ list_for_each_entry(tr, &ftrace_trace_arrays, list) { ++ if (tr == this_tr) { ++ ret = __remove_instance(tr); ++ break; ++ } ++ } + + mutex_unlock(&trace_types_lock); + mutex_unlock(&event_mutex); +@@ -9134,7 +9146,7 @@ __init static int tracer_alloc_buffers(void) + goto out_free_buffer_mask; + + /* Only allocate trace_printk buffers if a trace_printk exists */ +- if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt) ++ if (&__stop___trace_bprintk_fmt != &__start___trace_bprintk_fmt) + /* Must be called before global_trace.buffer is allocated */ + trace_printk_init_buffers(); + +diff --git a/kernel/trace/trace_entries.h b/kernel/trace/trace_entries.h +index fc8e97328e540..78c146efb8623 100644 +--- a/kernel/trace/trace_entries.h ++++ b/kernel/trace/trace_entries.h +@@ -174,7 +174,7 @@ FTRACE_ENTRY(kernel_stack, stack_entry, + + F_STRUCT( + __field( int, size ) +- __dynamic_array(unsigned long, caller ) ++ __array( unsigned long, caller, FTRACE_STACK_ENTRIES ) + ), + + F_printk("\t=> %ps\n\t=> %ps\n\t=> %ps\n" +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index ed9eb97b64b47..309b2b3c5349e 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -793,6 +793,8 @@ int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set) + char *event = NULL, *sub = NULL, *match; + int ret; + ++ if (!tr) ++ return -ENOENT; + /* + * The buf format can be <subsystem>:<event-name> + * *:<event-name> means any event by that name. +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index 8107574e8af9d..a616b314fb7ab 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -4770,7 +4770,6 @@ static int parse_var_defs(struct hist_trigger_data *hist_data) + + s = kstrdup(field_str, GFP_KERNEL); + if (!s) { +- kfree(hist_data->attrs->var_defs.name[n_vars]); + ret = -ENOMEM; + goto free; + } +diff --git a/kernel/trace/trace_preemptirq.c b/kernel/trace/trace_preemptirq.c +index 4d8e99fdbbbee..26b06b09c9f68 100644 +--- a/kernel/trace/trace_preemptirq.c ++++ b/kernel/trace/trace_preemptirq.c +@@ -63,14 +63,14 @@ NOKPROBE_SYMBOL(trace_hardirqs_on_caller); + + __visible void trace_hardirqs_off_caller(unsigned long caller_addr) + { ++ lockdep_hardirqs_off(CALLER_ADDR0); ++ + if (!this_cpu_read(tracing_irq_cpu)) { + this_cpu_write(tracing_irq_cpu, 1); + tracer_hardirqs_off(CALLER_ADDR0, caller_addr); + if (!in_nmi()) + trace_irq_disable_rcuidle(CALLER_ADDR0, caller_addr); + } +- +- lockdep_hardirqs_off(CALLER_ADDR0); + } + EXPORT_SYMBOL(trace_hardirqs_off_caller); + NOKPROBE_SYMBOL(trace_hardirqs_off_caller); +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 1a0c224af6fb3..4aa268582a225 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -864,7 +864,8 @@ void wq_worker_running(struct task_struct *task) + * @task: task going to sleep + * + * This function is called from schedule() when a busy worker is +- * going to sleep. ++ * going to sleep. Preemption needs to be disabled to protect ->sleeping ++ * assignment. + */ + void wq_worker_sleeping(struct task_struct *task) + { +@@ -881,7 +882,8 @@ void wq_worker_sleeping(struct task_struct *task) + + pool = worker->pool; + +- if (WARN_ON_ONCE(worker->sleeping)) ++ /* Return if preempted before wq_worker_running() was reached */ ++ if (worker->sleeping) + return; + + worker->sleeping = 1; +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index 6118d99117daa..ee00c6c8a373e 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -1939,6 +1939,17 @@ config TEST_SYSCTL + + If unsure, say N. + ++config SYSCTL_KUNIT_TEST ++ bool "KUnit test for sysctl" ++ depends on KUNIT ++ help ++ This builds the proc sysctl unit test, which runs on boot. ++ Tests the API contract and implementation correctness of sysctl. ++ For more information on KUnit and unit tests in general please refer ++ to the KUnit documentation in Documentation/dev-tools/kunit/. ++ ++ If unsure, say N. ++ + config TEST_UDELAY + tristate "udelay test driver" + help +diff --git a/lib/string.c b/lib/string.c +index 08ec58cc673b5..abfaa05181e2c 100644 +--- a/lib/string.c ++++ b/lib/string.c +@@ -272,6 +272,30 @@ ssize_t strscpy_pad(char *dest, const char *src, size_t count) + } + EXPORT_SYMBOL(strscpy_pad); + ++/** ++ * stpcpy - copy a string from src to dest returning a pointer to the new end ++ * of dest, including src's %NUL-terminator. May overrun dest. ++ * @dest: pointer to end of string being copied into. Must be large enough ++ * to receive copy. ++ * @src: pointer to the beginning of string being copied from. Must not overlap ++ * dest. ++ * ++ * stpcpy differs from strcpy in a key way: the return value is a pointer ++ * to the new %NUL-terminating character in @dest. (For strcpy, the return ++ * value is a pointer to the start of @dest). This interface is considered ++ * unsafe as it doesn't perform bounds checking of the inputs. As such it's ++ * not recommended for usage. Instead, its definition is provided in case ++ * the compiler lowers other libcalls to stpcpy. ++ */ ++char *stpcpy(char *__restrict__ dest, const char *__restrict__ src); ++char *stpcpy(char *__restrict__ dest, const char *__restrict__ src) ++{ ++ while ((*dest++ = *src++) != '\0') ++ /* nothing */; ++ return --dest; ++} ++EXPORT_SYMBOL(stpcpy); ++ + #ifndef __HAVE_ARCH_STRCAT + /** + * strcat - Append one %NUL-terminated string to another +diff --git a/mm/filemap.c b/mm/filemap.c +index 18c1f58300742..51b2cb5aa5030 100644 +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2845,6 +2845,14 @@ filler: + unlock_page(page); + goto out; + } ++ ++ /* ++ * A previous I/O error may have been due to temporary ++ * failures. ++ * Clear page error before actual read, PG_error will be ++ * set again if read page fails. ++ */ ++ ClearPageError(page); + goto filler; + + out: +diff --git a/mm/gup.c b/mm/gup.c +index 4a8e969a6e594..3ef769529548a 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -2184,13 +2184,13 @@ static int gup_huge_pgd(pgd_t orig, pgd_t *pgdp, unsigned long addr, + return 1; + } + +-static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end, ++static int gup_pmd_range(pud_t *pudp, pud_t pud, unsigned long addr, unsigned long end, + unsigned int flags, struct page **pages, int *nr) + { + unsigned long next; + pmd_t *pmdp; + +- pmdp = pmd_offset(&pud, addr); ++ pmdp = pmd_offset_lockless(pudp, pud, addr); + do { + pmd_t pmd = READ_ONCE(*pmdp); + +@@ -2227,13 +2227,13 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end, + return 1; + } + +-static int gup_pud_range(p4d_t p4d, unsigned long addr, unsigned long end, ++static int gup_pud_range(p4d_t *p4dp, p4d_t p4d, unsigned long addr, unsigned long end, + unsigned int flags, struct page **pages, int *nr) + { + unsigned long next; + pud_t *pudp; + +- pudp = pud_offset(&p4d, addr); ++ pudp = pud_offset_lockless(p4dp, p4d, addr); + do { + pud_t pud = READ_ONCE(*pudp); + +@@ -2248,20 +2248,20 @@ static int gup_pud_range(p4d_t p4d, unsigned long addr, unsigned long end, + if (!gup_huge_pd(__hugepd(pud_val(pud)), addr, + PUD_SHIFT, next, flags, pages, nr)) + return 0; +- } else if (!gup_pmd_range(pud, addr, next, flags, pages, nr)) ++ } else if (!gup_pmd_range(pudp, pud, addr, next, flags, pages, nr)) + return 0; + } while (pudp++, addr = next, addr != end); + + return 1; + } + +-static int gup_p4d_range(pgd_t pgd, unsigned long addr, unsigned long end, ++static int gup_p4d_range(pgd_t *pgdp, pgd_t pgd, unsigned long addr, unsigned long end, + unsigned int flags, struct page **pages, int *nr) + { + unsigned long next; + p4d_t *p4dp; + +- p4dp = p4d_offset(&pgd, addr); ++ p4dp = p4d_offset_lockless(pgdp, pgd, addr); + do { + p4d_t p4d = READ_ONCE(*p4dp); + +@@ -2273,7 +2273,7 @@ static int gup_p4d_range(pgd_t pgd, unsigned long addr, unsigned long end, + if (!gup_huge_pd(__hugepd(p4d_val(p4d)), addr, + P4D_SHIFT, next, flags, pages, nr)) + return 0; +- } else if (!gup_pud_range(p4d, addr, next, flags, pages, nr)) ++ } else if (!gup_pud_range(p4dp, p4d, addr, next, flags, pages, nr)) + return 0; + } while (p4dp++, addr = next, addr != end); + +@@ -2301,7 +2301,7 @@ static void gup_pgd_range(unsigned long addr, unsigned long end, + if (!gup_huge_pd(__hugepd(pgd_val(pgd)), addr, + PGDIR_SHIFT, next, flags, pages, nr)) + return; +- } else if (!gup_p4d_range(pgd, addr, next, flags, pages, nr)) ++ } else if (!gup_p4d_range(pgdp, pgd, addr, next, flags, pages, nr)) + return; + } while (pgdp++, addr = next, addr != end); + } +diff --git a/mm/kmemleak.c b/mm/kmemleak.c +index 2446076633631..312942d784058 100644 +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1947,7 +1947,7 @@ void __init kmemleak_init(void) + create_object((unsigned long)__bss_start, __bss_stop - __bss_start, + KMEMLEAK_GREY, GFP_ATOMIC); + /* only register .data..ro_after_init if not within .data */ +- if (__start_ro_after_init < _sdata || __end_ro_after_init > _edata) ++ if (&__start_ro_after_init < &_sdata || &__end_ro_after_init > &_edata) + create_object((unsigned long)__start_ro_after_init, + __end_ro_after_init - __start_ro_after_init, + KMEMLEAK_GREY, GFP_ATOMIC); +diff --git a/mm/madvise.c b/mm/madvise.c +index 26f7954865ed9..1107e99e498b2 100644 +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -380,9 +380,9 @@ huge_unlock: + return 0; + } + ++regular_page: + if (pmd_trans_unstable(pmd)) + return 0; +-regular_page: + #endif + tlb_change_page_size(tlb, PAGE_SIZE); + orig_pte = pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl); +diff --git a/mm/memcontrol.c b/mm/memcontrol.c +index 402c8bc65e08d..ca1632850fb76 100644 +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -5489,7 +5489,6 @@ static int mem_cgroup_move_account(struct page *page, + { + struct lruvec *from_vec, *to_vec; + struct pglist_data *pgdat; +- unsigned long flags; + unsigned int nr_pages = compound ? hpage_nr_pages(page) : 1; + int ret; + bool anon; +@@ -5516,18 +5515,13 @@ static int mem_cgroup_move_account(struct page *page, + from_vec = mem_cgroup_lruvec(pgdat, from); + to_vec = mem_cgroup_lruvec(pgdat, to); + +- spin_lock_irqsave(&from->move_lock, flags); ++ lock_page_memcg(page); + + if (!anon && page_mapped(page)) { + __mod_lruvec_state(from_vec, NR_FILE_MAPPED, -nr_pages); + __mod_lruvec_state(to_vec, NR_FILE_MAPPED, nr_pages); + } + +- /* +- * move_lock grabbed above and caller set from->moving_account, so +- * mod_memcg_page_state will serialize updates to PageDirty. +- * So mapping should be stable for dirty pages. +- */ + if (!anon && PageDirty(page)) { + struct address_space *mapping = page_mapping(page); + +@@ -5543,15 +5537,23 @@ static int mem_cgroup_move_account(struct page *page, + } + + /* ++ * All state has been migrated, let's switch to the new memcg. ++ * + * It is safe to change page->mem_cgroup here because the page +- * is referenced, charged, and isolated - we can't race with +- * uncharging, charging, migration, or LRU putback. ++ * is referenced, charged, isolated, and locked: we can't race ++ * with (un)charging, migration, LRU putback, or anything else ++ * that would rely on a stable page->mem_cgroup. ++ * ++ * Note that lock_page_memcg is a memcg lock, not a page lock, ++ * to save space. As soon as we switch page->mem_cgroup to a ++ * new memcg that isn't locked, the above state can change ++ * concurrently again. Make sure we're truly done with it. + */ ++ smp_mb(); + +- /* caller should have done css_get */ +- page->mem_cgroup = to; ++ page->mem_cgroup = to; /* caller should have done css_get */ + +- spin_unlock_irqrestore(&from->move_lock, flags); ++ __unlock_page_memcg(from); + + ret = 0; + +diff --git a/mm/memory.c b/mm/memory.c +index cb7c940cf800c..2157bb28117ac 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -118,6 +118,18 @@ int randomize_va_space __read_mostly = + 2; + #endif + ++#ifndef arch_faults_on_old_pte ++static inline bool arch_faults_on_old_pte(void) ++{ ++ /* ++ * Those arches which don't have hw access flag feature need to ++ * implement their own helper. By default, "true" means pagefault ++ * will be hit on old pte. ++ */ ++ return true; ++} ++#endif ++ + static int __init disable_randmaps(char *s) + { + randomize_va_space = 0; +@@ -2145,32 +2157,101 @@ static inline int pte_unmap_same(struct mm_struct *mm, pmd_t *pmd, + return same; + } + +-static inline void cow_user_page(struct page *dst, struct page *src, unsigned long va, struct vm_area_struct *vma) ++static inline bool cow_user_page(struct page *dst, struct page *src, ++ struct vm_fault *vmf) + { ++ bool ret; ++ void *kaddr; ++ void __user *uaddr; ++ bool locked = false; ++ struct vm_area_struct *vma = vmf->vma; ++ struct mm_struct *mm = vma->vm_mm; ++ unsigned long addr = vmf->address; ++ + debug_dma_assert_idle(src); + ++ if (likely(src)) { ++ copy_user_highpage(dst, src, addr, vma); ++ return true; ++ } ++ + /* + * If the source page was a PFN mapping, we don't have + * a "struct page" for it. We do a best-effort copy by + * just copying from the original user address. If that + * fails, we just zero-fill it. Live with it. + */ +- if (unlikely(!src)) { +- void *kaddr = kmap_atomic(dst); +- void __user *uaddr = (void __user *)(va & PAGE_MASK); ++ kaddr = kmap_atomic(dst); ++ uaddr = (void __user *)(addr & PAGE_MASK); ++ ++ /* ++ * On architectures with software "accessed" bits, we would ++ * take a double page fault, so mark it accessed here. ++ */ ++ if (arch_faults_on_old_pte() && !pte_young(vmf->orig_pte)) { ++ pte_t entry; ++ ++ vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl); ++ locked = true; ++ if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) { ++ /* ++ * Other thread has already handled the fault ++ * and we don't need to do anything. If it's ++ * not the case, the fault will be triggered ++ * again on the same address. ++ */ ++ ret = false; ++ goto pte_unlock; ++ } ++ ++ entry = pte_mkyoung(vmf->orig_pte); ++ if (ptep_set_access_flags(vma, addr, vmf->pte, entry, 0)) ++ update_mmu_cache(vma, addr, vmf->pte); ++ } ++ ++ /* ++ * This really shouldn't fail, because the page is there ++ * in the page tables. But it might just be unreadable, ++ * in which case we just give up and fill the result with ++ * zeroes. ++ */ ++ if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) { ++ if (locked) ++ goto warn; ++ ++ /* Re-validate under PTL if the page is still mapped */ ++ vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl); ++ locked = true; ++ if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) { ++ /* The PTE changed under us. Retry page fault. */ ++ ret = false; ++ goto pte_unlock; ++ } + + /* +- * This really shouldn't fail, because the page is there +- * in the page tables. But it might just be unreadable, +- * in which case we just give up and fill the result with +- * zeroes. ++ * The same page can be mapped back since last copy attampt. ++ * Try to copy again under PTL. + */ +- if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) ++ if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) { ++ /* ++ * Give a warn in case there can be some obscure ++ * use-case ++ */ ++warn: ++ WARN_ON_ONCE(1); + clear_page(kaddr); +- kunmap_atomic(kaddr); +- flush_dcache_page(dst); +- } else +- copy_user_highpage(dst, src, va, vma); ++ } ++ } ++ ++ ret = true; ++ ++pte_unlock: ++ if (locked) ++ pte_unmap_unlock(vmf->pte, vmf->ptl); ++ kunmap_atomic(kaddr); ++ flush_dcache_page(dst); ++ ++ return ret; + } + + static gfp_t __get_fault_gfp_mask(struct vm_area_struct *vma) +@@ -2342,7 +2423,19 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf) + vmf->address); + if (!new_page) + goto oom; +- cow_user_page(new_page, old_page, vmf->address, vma); ++ ++ if (!cow_user_page(new_page, old_page, vmf)) { ++ /* ++ * COW failed, if the fault was solved by other, ++ * it's fine. If not, userspace would re-fault on ++ * the same address and we will handle the fault ++ * from the second attempt. ++ */ ++ put_page(new_page); ++ if (old_page) ++ put_page(old_page); ++ return 0; ++ } + } + + if (mem_cgroup_try_charge_delay(new_page, mm, GFP_KERNEL, &memcg, false)) +diff --git a/mm/mmap.c b/mm/mmap.c +index a3584a90c55c2..ba78f1f1b1bd1 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2126,6 +2126,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr, + info.low_limit = mm->mmap_base; + info.high_limit = mmap_end; + info.align_mask = 0; ++ info.align_offset = 0; + return vm_unmapped_area(&info); + } + #endif +@@ -2167,6 +2168,7 @@ arch_get_unmapped_area_topdown(struct file *filp, unsigned long addr, + info.low_limit = max(PAGE_SIZE, mmap_min_addr); + info.high_limit = arch_get_mmap_base(addr, mm->mmap_base); + info.align_mask = 0; ++ info.align_offset = 0; + addr = vm_unmapped_area(&info); + + /* +diff --git a/mm/pagewalk.c b/mm/pagewalk.c +index d48c2a986ea3f..4eb09e0898817 100644 +--- a/mm/pagewalk.c ++++ b/mm/pagewalk.c +@@ -16,9 +16,9 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, + err = ops->pte_entry(pte, addr, addr + PAGE_SIZE, walk); + if (err) + break; +- addr += PAGE_SIZE; +- if (addr == end) ++ if (addr >= end - PAGE_SIZE) + break; ++ addr += PAGE_SIZE; + pte++; + } + +diff --git a/mm/slub.c b/mm/slub.c +index 822ba07245291..d69934eac9e94 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -533,15 +533,32 @@ static void print_section(char *level, char *text, u8 *addr, + metadata_access_disable(); + } + ++/* ++ * See comment in calculate_sizes(). ++ */ ++static inline bool freeptr_outside_object(struct kmem_cache *s) ++{ ++ return s->offset >= s->inuse; ++} ++ ++/* ++ * Return offset of the end of info block which is inuse + free pointer if ++ * not overlapping with object. ++ */ ++static inline unsigned int get_info_end(struct kmem_cache *s) ++{ ++ if (freeptr_outside_object(s)) ++ return s->inuse + sizeof(void *); ++ else ++ return s->inuse; ++} ++ + static struct track *get_track(struct kmem_cache *s, void *object, + enum track_item alloc) + { + struct track *p; + +- if (s->offset) +- p = object + s->offset + sizeof(void *); +- else +- p = object + s->inuse; ++ p = object + get_info_end(s); + + return p + alloc; + } +@@ -682,10 +699,7 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p) + print_section(KERN_ERR, "Redzone ", p + s->object_size, + s->inuse - s->object_size); + +- if (s->offset) +- off = s->offset + sizeof(void *); +- else +- off = s->inuse; ++ off = get_info_end(s); + + if (s->flags & SLAB_STORE_USER) + off += 2 * sizeof(struct track); +@@ -776,7 +790,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page, + * object address + * Bytes of the object to be managed. + * If the freepointer may overlay the object then the free +- * pointer is the first word of the object. ++ * pointer is at the middle of the object. + * + * Poisoning uses 0x6b (POISON_FREE) and the last byte is + * 0xa5 (POISON_END) +@@ -810,11 +824,7 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page, + + static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p) + { +- unsigned long off = s->inuse; /* The end of info */ +- +- if (s->offset) +- /* Freepointer is placed after the object. */ +- off += sizeof(void *); ++ unsigned long off = get_info_end(s); /* The end of info */ + + if (s->flags & SLAB_STORE_USER) + /* We also have user information there */ +@@ -900,7 +910,7 @@ static int check_object(struct kmem_cache *s, struct page *page, + check_pad_bytes(s, page, p); + } + +- if (!s->offset && val == SLUB_RED_ACTIVE) ++ if (!freeptr_outside_object(s) && val == SLUB_RED_ACTIVE) + /* + * Object and freepointer overlap. Cannot check + * freepointer while object is allocated. +@@ -3585,6 +3595,11 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order) + * + * This is the case if we do RCU, have a constructor or + * destructor or are poisoning the objects. ++ * ++ * The assumption that s->offset >= s->inuse means free ++ * pointer is outside of the object is used in the ++ * freeptr_outside_object() function. If that is no ++ * longer true, the function needs to be modified. + */ + s->offset = size; + size += sizeof(void *); +diff --git a/mm/swap_state.c b/mm/swap_state.c +index 4ce014dc4571a..7c434fcfff0dd 100644 +--- a/mm/swap_state.c ++++ b/mm/swap_state.c +@@ -511,10 +511,11 @@ static unsigned long swapin_nr_pages(unsigned long offset) + return 1; + + hits = atomic_xchg(&swapin_readahead_hits, 0); +- pages = __swapin_nr_pages(prev_offset, offset, hits, max_pages, ++ pages = __swapin_nr_pages(READ_ONCE(prev_offset), offset, hits, ++ max_pages, + atomic_read(&last_readahead_pages)); + if (!hits) +- prev_offset = offset; ++ WRITE_ONCE(prev_offset, offset); + atomic_set(&last_readahead_pages, pages); + + return pages; +diff --git a/mm/swapfile.c b/mm/swapfile.c +index 891a3ef486511..cf62bdb7b3045 100644 +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -1038,7 +1038,7 @@ start_over: + goto nextsi; + } + if (size == SWAPFILE_CLUSTER) { +- if (!(si->flags & SWP_FS)) ++ if (si->flags & SWP_BLKDEV) + n_ret = swap_alloc_cluster(si, swp_entries); + } else + n_ret = scan_swap_map_slots(si, SWAP_HAS_CACHE, +@@ -2132,7 +2132,7 @@ int try_to_unuse(unsigned int type, bool frontswap, + swp_entry_t entry; + unsigned int i; + +- if (!si->inuse_pages) ++ if (!READ_ONCE(si->inuse_pages)) + return 0; + + if (!frontswap) +@@ -2148,7 +2148,7 @@ retry: + + spin_lock(&mmlist_lock); + p = &init_mm.mmlist; +- while (si->inuse_pages && ++ while (READ_ONCE(si->inuse_pages) && + !signal_pending(current) && + (p = p->next) != &init_mm.mmlist) { + +@@ -2177,7 +2177,7 @@ retry: + mmput(prev_mm); + + i = 0; +- while (si->inuse_pages && ++ while (READ_ONCE(si->inuse_pages) && + !signal_pending(current) && + (i = find_next_to_unuse(si, i, frontswap)) != 0) { + +@@ -2219,7 +2219,7 @@ retry: + * been preempted after get_swap_page(), temporarily hiding that swap. + * It's easy and robust (though cpu-intensive) just to keep retrying. + */ +- if (si->inuse_pages) { ++ if (READ_ONCE(si->inuse_pages)) { + if (!signal_pending(current)) + goto retry; + retval = -EINTR; +@@ -2737,10 +2737,10 @@ static void *swap_next(struct seq_file *swap, void *v, loff_t *pos) + else + type = si->type + 1; + ++ ++(*pos); + for (; (si = swap_type_to_swap_info(type)); type++) { + if (!(si->flags & SWP_USED) || !si->swap_map) + continue; +- ++*pos; + return si; + } + +diff --git a/mm/vmscan.c b/mm/vmscan.c +index 6db9176d8c63e..10feb872d9a4f 100644 +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -3168,8 +3168,9 @@ static bool allow_direct_reclaim(pg_data_t *pgdat) + + /* kswapd must be awake if processes are being throttled */ + if (!wmark_ok && waitqueue_active(&pgdat->kswapd_wait)) { +- pgdat->kswapd_classzone_idx = min(pgdat->kswapd_classzone_idx, +- (enum zone_type)ZONE_NORMAL); ++ if (READ_ONCE(pgdat->kswapd_classzone_idx) > ZONE_NORMAL) ++ WRITE_ONCE(pgdat->kswapd_classzone_idx, ZONE_NORMAL); ++ + wake_up_interruptible(&pgdat->kswapd_wait); + } + +@@ -3801,9 +3802,9 @@ out: + static enum zone_type kswapd_classzone_idx(pg_data_t *pgdat, + enum zone_type prev_classzone_idx) + { +- if (pgdat->kswapd_classzone_idx == MAX_NR_ZONES) +- return prev_classzone_idx; +- return pgdat->kswapd_classzone_idx; ++ enum zone_type curr_idx = READ_ONCE(pgdat->kswapd_classzone_idx); ++ ++ return curr_idx == MAX_NR_ZONES ? prev_classzone_idx : curr_idx; + } + + static void kswapd_try_to_sleep(pg_data_t *pgdat, int alloc_order, int reclaim_order, +@@ -3847,8 +3848,11 @@ static void kswapd_try_to_sleep(pg_data_t *pgdat, int alloc_order, int reclaim_o + * the previous request that slept prematurely. + */ + if (remaining) { +- pgdat->kswapd_classzone_idx = kswapd_classzone_idx(pgdat, classzone_idx); +- pgdat->kswapd_order = max(pgdat->kswapd_order, reclaim_order); ++ WRITE_ONCE(pgdat->kswapd_classzone_idx, ++ kswapd_classzone_idx(pgdat, classzone_idx)); ++ ++ if (READ_ONCE(pgdat->kswapd_order) < reclaim_order) ++ WRITE_ONCE(pgdat->kswapd_order, reclaim_order); + } + + finish_wait(&pgdat->kswapd_wait, &wait); +@@ -3925,12 +3929,12 @@ static int kswapd(void *p) + tsk->flags |= PF_MEMALLOC | PF_SWAPWRITE | PF_KSWAPD; + set_freezable(); + +- pgdat->kswapd_order = 0; +- pgdat->kswapd_classzone_idx = MAX_NR_ZONES; ++ WRITE_ONCE(pgdat->kswapd_order, 0); ++ WRITE_ONCE(pgdat->kswapd_classzone_idx, MAX_NR_ZONES); + for ( ; ; ) { + bool ret; + +- alloc_order = reclaim_order = pgdat->kswapd_order; ++ alloc_order = reclaim_order = READ_ONCE(pgdat->kswapd_order); + classzone_idx = kswapd_classzone_idx(pgdat, classzone_idx); + + kswapd_try_sleep: +@@ -3938,10 +3942,10 @@ kswapd_try_sleep: + classzone_idx); + + /* Read the new order and classzone_idx */ +- alloc_order = reclaim_order = pgdat->kswapd_order; ++ alloc_order = reclaim_order = READ_ONCE(pgdat->kswapd_order); + classzone_idx = kswapd_classzone_idx(pgdat, classzone_idx); +- pgdat->kswapd_order = 0; +- pgdat->kswapd_classzone_idx = MAX_NR_ZONES; ++ WRITE_ONCE(pgdat->kswapd_order, 0); ++ WRITE_ONCE(pgdat->kswapd_classzone_idx, MAX_NR_ZONES); + + ret = try_to_freeze(); + if (kthread_should_stop()) +@@ -3985,20 +3989,23 @@ void wakeup_kswapd(struct zone *zone, gfp_t gfp_flags, int order, + enum zone_type classzone_idx) + { + pg_data_t *pgdat; ++ enum zone_type curr_idx; + + if (!managed_zone(zone)) + return; + + if (!cpuset_zone_allowed(zone, gfp_flags)) + return; ++ + pgdat = zone->zone_pgdat; ++ curr_idx = READ_ONCE(pgdat->kswapd_classzone_idx); ++ ++ if (curr_idx == MAX_NR_ZONES || curr_idx < classzone_idx) ++ WRITE_ONCE(pgdat->kswapd_classzone_idx, classzone_idx); ++ ++ if (READ_ONCE(pgdat->kswapd_order) < order) ++ WRITE_ONCE(pgdat->kswapd_order, order); + +- if (pgdat->kswapd_classzone_idx == MAX_NR_ZONES) +- pgdat->kswapd_classzone_idx = classzone_idx; +- else +- pgdat->kswapd_classzone_idx = max(pgdat->kswapd_classzone_idx, +- classzone_idx); +- pgdat->kswapd_order = max(pgdat->kswapd_order, order); + if (!waitqueue_active(&pgdat->kswapd_wait)) + return; + +diff --git a/net/atm/lec.c b/net/atm/lec.c +index 5a77c235a212f..3625a04a6c701 100644 +--- a/net/atm/lec.c ++++ b/net/atm/lec.c +@@ -1269,6 +1269,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry) + entry->vcc = NULL; + } + if (entry->recv_vcc) { ++ struct atm_vcc *vcc = entry->recv_vcc; ++ struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc); ++ ++ kfree(vpriv); ++ vcc->user_back = NULL; ++ + entry->recv_vcc->push = entry->old_recv_push; + vcc_release_async(entry->recv_vcc, -EPIPE); + entry->recv_vcc = NULL; +diff --git a/net/atm/proc.c b/net/atm/proc.c +index d79221fd4dae2..c318967073139 100644 +--- a/net/atm/proc.c ++++ b/net/atm/proc.c +@@ -134,8 +134,7 @@ static void vcc_seq_stop(struct seq_file *seq, void *v) + static void *vcc_seq_next(struct seq_file *seq, void *v, loff_t *pos) + { + v = vcc_walk(seq, 1); +- if (v) +- (*pos)++; ++ (*pos)++; + return v; + } + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 5f6309ade1ea1..a6b26ca5c6973 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -25,6 +25,7 @@ + #include <linux/lockdep.h> + #include <linux/netdevice.h> + #include <linux/netlink.h> ++#include <linux/preempt.h> + #include <linux/rculist.h> + #include <linux/rcupdate.h> + #include <linux/seq_file.h> +@@ -83,11 +84,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size) + */ + static inline u32 batadv_choose_backbone_gw(const void *data, u32 size) + { +- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data; ++ const struct batadv_bla_backbone_gw *gw; + u32 hash = 0; + +- hash = jhash(&claim->addr, sizeof(claim->addr), hash); +- hash = jhash(&claim->vid, sizeof(claim->vid), hash); ++ gw = (struct batadv_bla_backbone_gw *)data; ++ hash = jhash(&gw->orig, sizeof(gw->orig), hash); ++ hash = jhash(&gw->vid, sizeof(gw->vid), hash); + + return hash % size; + } +@@ -1579,13 +1581,16 @@ int batadv_bla_init(struct batadv_priv *bat_priv) + } + + /** +- * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup. ++ * batadv_bla_check_duplist() - Check if a frame is in the broadcast dup. + * @bat_priv: the bat priv with all the soft interface information +- * @skb: contains the bcast_packet to be checked ++ * @skb: contains the multicast packet to be checked ++ * @payload_ptr: pointer to position inside the head buffer of the skb ++ * marking the start of the data to be CRC'ed ++ * @orig: originator mac address, NULL if unknown + * +- * check if it is on our broadcast list. Another gateway might +- * have sent the same packet because it is connected to the same backbone, +- * so we have to remove this duplicate. ++ * Check if it is on our broadcast list. Another gateway might have sent the ++ * same packet because it is connected to the same backbone, so we have to ++ * remove this duplicate. + * + * This is performed by checking the CRC, which will tell us + * with a good chance that it is the same packet. If it is furthermore +@@ -1594,19 +1599,17 @@ int batadv_bla_init(struct batadv_priv *bat_priv) + * + * Return: true if a packet is in the duplicate list, false otherwise. + */ +-bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, +- struct sk_buff *skb) ++static bool batadv_bla_check_duplist(struct batadv_priv *bat_priv, ++ struct sk_buff *skb, u8 *payload_ptr, ++ const u8 *orig) + { +- int i, curr; +- __be32 crc; +- struct batadv_bcast_packet *bcast_packet; + struct batadv_bcast_duplist_entry *entry; + bool ret = false; +- +- bcast_packet = (struct batadv_bcast_packet *)skb->data; ++ int i, curr; ++ __be32 crc; + + /* calculate the crc ... */ +- crc = batadv_skb_crc32(skb, (u8 *)(bcast_packet + 1)); ++ crc = batadv_skb_crc32(skb, payload_ptr); + + spin_lock_bh(&bat_priv->bla.bcast_duplist_lock); + +@@ -1625,8 +1628,21 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, + if (entry->crc != crc) + continue; + +- if (batadv_compare_eth(entry->orig, bcast_packet->orig)) +- continue; ++ /* are the originators both known and not anonymous? */ ++ if (orig && !is_zero_ether_addr(orig) && ++ !is_zero_ether_addr(entry->orig)) { ++ /* If known, check if the new frame came from ++ * the same originator: ++ * We are safe to take identical frames from the ++ * same orig, if known, as multiplications in ++ * the mesh are detected via the (orig, seqno) pair. ++ * So we can be a bit more liberal here and allow ++ * identical frames from the same orig which the source ++ * host might have sent multiple times on purpose. ++ */ ++ if (batadv_compare_eth(entry->orig, orig)) ++ continue; ++ } + + /* this entry seems to match: same crc, not too old, + * and from another gw. therefore return true to forbid it. +@@ -1642,7 +1658,14 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, + entry = &bat_priv->bla.bcast_duplist[curr]; + entry->crc = crc; + entry->entrytime = jiffies; +- ether_addr_copy(entry->orig, bcast_packet->orig); ++ ++ /* known originator */ ++ if (orig) ++ ether_addr_copy(entry->orig, orig); ++ /* anonymous originator */ ++ else ++ eth_zero_addr(entry->orig); ++ + bat_priv->bla.bcast_duplist_curr = curr; + + out: +@@ -1651,6 +1674,48 @@ out: + return ret; + } + ++/** ++ * batadv_bla_check_ucast_duplist() - Check if a frame is in the broadcast dup. ++ * @bat_priv: the bat priv with all the soft interface information ++ * @skb: contains the multicast packet to be checked, decapsulated from a ++ * unicast_packet ++ * ++ * Check if it is on our broadcast list. Another gateway might have sent the ++ * same packet because it is connected to the same backbone, so we have to ++ * remove this duplicate. ++ * ++ * Return: true if a packet is in the duplicate list, false otherwise. ++ */ ++static bool batadv_bla_check_ucast_duplist(struct batadv_priv *bat_priv, ++ struct sk_buff *skb) ++{ ++ return batadv_bla_check_duplist(bat_priv, skb, (u8 *)skb->data, NULL); ++} ++ ++/** ++ * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup. ++ * @bat_priv: the bat priv with all the soft interface information ++ * @skb: contains the bcast_packet to be checked ++ * ++ * Check if it is on our broadcast list. Another gateway might have sent the ++ * same packet because it is connected to the same backbone, so we have to ++ * remove this duplicate. ++ * ++ * Return: true if a packet is in the duplicate list, false otherwise. ++ */ ++bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv, ++ struct sk_buff *skb) ++{ ++ struct batadv_bcast_packet *bcast_packet; ++ u8 *payload_ptr; ++ ++ bcast_packet = (struct batadv_bcast_packet *)skb->data; ++ payload_ptr = (u8 *)(bcast_packet + 1); ++ ++ return batadv_bla_check_duplist(bat_priv, skb, payload_ptr, ++ bcast_packet->orig); ++} ++ + /** + * batadv_bla_is_backbone_gw_orig() - Check if the originator is a gateway for + * the VLAN identified by vid. +@@ -1812,7 +1877,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, + * @bat_priv: the bat priv with all the soft interface information + * @skb: the frame to be checked + * @vid: the VLAN ID of the frame +- * @is_bcast: the packet came in a broadcast packet type. ++ * @packet_type: the batman packet type this frame came in + * + * batadv_bla_rx avoidance checks if: + * * we have to race for a claim +@@ -1824,7 +1889,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb, + * further process the skb. + */ + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid, bool is_bcast) ++ unsigned short vid, int packet_type) + { + struct batadv_bla_backbone_gw *backbone_gw; + struct ethhdr *ethhdr; +@@ -1846,9 +1911,32 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + goto handled; + + if (unlikely(atomic_read(&bat_priv->bla.num_requests))) +- /* don't allow broadcasts while requests are in flight */ +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) +- goto handled; ++ /* don't allow multicast packets while requests are in flight */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ /* Both broadcast flooding or multicast-via-unicasts ++ * delivery might send to multiple backbone gateways ++ * sharing the same LAN and therefore need to coordinate ++ * which backbone gateway forwards into the LAN, ++ * by claiming the payload source address. ++ * ++ * Broadcast flooding and multicast-via-unicasts ++ * delivery use the following two batman packet types. ++ * Note: explicitly exclude BATADV_UNICAST_4ADDR, ++ * as the DHCP gateway feature will send explicitly ++ * to only one BLA gateway, so the claiming process ++ * should be avoided there. ++ */ ++ if (packet_type == BATADV_BCAST || ++ packet_type == BATADV_UNICAST) ++ goto handled; ++ ++ /* potential duplicates from foreign BLA backbone gateways via ++ * multicast-in-unicast packets ++ */ ++ if (is_multicast_ether_addr(ethhdr->h_dest) && ++ packet_type == BATADV_UNICAST && ++ batadv_bla_check_ucast_duplist(bat_priv, skb)) ++ goto handled; + + ether_addr_copy(search_claim.addr, ethhdr->h_source); + search_claim.vid = vid; +@@ -1883,13 +1971,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, + goto allow; + } + +- /* if it is a broadcast ... */ +- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) { ++ /* if it is a multicast ... */ ++ if (is_multicast_ether_addr(ethhdr->h_dest) && ++ (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) { + /* ... drop it. the responsible gateway is in charge. + * +- * We need to check is_bcast because with the gateway ++ * We need to check packet type because with the gateway + * feature, broadcasts (like DHCP requests) may be sent +- * using a unicast packet type. ++ * using a unicast 4 address packet type. See comment above. + */ + goto handled; + } else { +diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h +index 02b24a861a854..9370be0158130 100644 +--- a/net/batman-adv/bridge_loop_avoidance.h ++++ b/net/batman-adv/bridge_loop_avoidance.h +@@ -35,7 +35,7 @@ static inline bool batadv_bla_is_loopdetect_mac(const uint8_t *mac) + + #ifdef CONFIG_BATMAN_ADV_BLA + bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb, +- unsigned short vid, bool is_bcast); ++ unsigned short vid, int packet_type); + bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb, + unsigned short vid); + bool batadv_bla_is_backbone_gw(struct sk_buff *skb, +@@ -66,7 +66,7 @@ bool batadv_bla_check_claim(struct batadv_priv *bat_priv, u8 *addr, + + static inline bool batadv_bla_rx(struct batadv_priv *bat_priv, + struct sk_buff *skb, unsigned short vid, +- bool is_bcast) ++ int packet_type) + { + return false; + } +diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c +index 1d5bdf3a4b655..f5bf931252c4b 100644 +--- a/net/batman-adv/multicast.c ++++ b/net/batman-adv/multicast.c +@@ -51,6 +51,7 @@ + #include <uapi/linux/batadv_packet.h> + #include <uapi/linux/batman_adv.h> + ++#include "bridge_loop_avoidance.h" + #include "hard-interface.h" + #include "hash.h" + #include "log.h" +@@ -1434,6 +1435,35 @@ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, + return BATADV_FORW_ALL; + } + ++/** ++ * batadv_mcast_forw_send_orig() - send a multicast packet to an originator ++ * @bat_priv: the bat priv with all the soft interface information ++ * @skb: the multicast packet to send ++ * @vid: the vlan identifier ++ * @orig_node: the originator to send the packet to ++ * ++ * Return: NET_XMIT_DROP in case of error or NET_XMIT_SUCCESS otherwise. ++ */ ++int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, ++ struct sk_buff *skb, ++ unsigned short vid, ++ struct batadv_orig_node *orig_node) ++{ ++ /* Avoid sending multicast-in-unicast packets to other BLA ++ * gateways - they already got the frame from the LAN side ++ * we share with them. ++ * TODO: Refactor to take BLA into account earlier, to avoid ++ * reducing the mcast_fanout count. ++ */ ++ if (batadv_bla_is_backbone_gw_orig(bat_priv, orig_node->orig, vid)) { ++ dev_kfree_skb(skb); ++ return NET_XMIT_SUCCESS; ++ } ++ ++ return batadv_send_skb_unicast(bat_priv, skb, BATADV_UNICAST, 0, ++ orig_node, vid); ++} ++ + /** + * batadv_mcast_forw_tt() - forwards a packet to multicast listeners + * @bat_priv: the bat priv with all the soft interface information +@@ -1471,8 +1501,8 @@ batadv_mcast_forw_tt(struct batadv_priv *bat_priv, struct sk_buff *skb, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_entry->orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, ++ orig_entry->orig_node); + } + rcu_read_unlock(); + +@@ -1513,8 +1543,7 @@ batadv_mcast_forw_want_all_ipv4(struct batadv_priv *bat_priv, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node); + } + rcu_read_unlock(); + return ret; +@@ -1551,8 +1580,7 @@ batadv_mcast_forw_want_all_ipv6(struct batadv_priv *bat_priv, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node); + } + rcu_read_unlock(); + return ret; +@@ -1618,8 +1646,7 @@ batadv_mcast_forw_want_all_rtr4(struct batadv_priv *bat_priv, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node); + } + rcu_read_unlock(); + return ret; +@@ -1656,8 +1683,7 @@ batadv_mcast_forw_want_all_rtr6(struct batadv_priv *bat_priv, + break; + } + +- batadv_send_skb_unicast(bat_priv, newskb, BATADV_UNICAST, 0, +- orig_node, vid); ++ batadv_mcast_forw_send_orig(bat_priv, newskb, vid, orig_node); + } + rcu_read_unlock(); + return ret; +diff --git a/net/batman-adv/multicast.h b/net/batman-adv/multicast.h +index 5d9e2bb29c971..403929013ac47 100644 +--- a/net/batman-adv/multicast.h ++++ b/net/batman-adv/multicast.h +@@ -46,6 +46,11 @@ enum batadv_forw_mode + batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, + struct batadv_orig_node **mcast_single_orig); + ++int batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, ++ struct sk_buff *skb, ++ unsigned short vid, ++ struct batadv_orig_node *orig_node); ++ + int batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb, + unsigned short vid); + +@@ -71,6 +76,16 @@ batadv_mcast_forw_mode(struct batadv_priv *bat_priv, struct sk_buff *skb, + return BATADV_FORW_ALL; + } + ++static inline int ++batadv_mcast_forw_send_orig(struct batadv_priv *bat_priv, ++ struct sk_buff *skb, ++ unsigned short vid, ++ struct batadv_orig_node *orig_node) ++{ ++ kfree_skb(skb); ++ return NET_XMIT_DROP; ++} ++ + static inline int + batadv_mcast_forw_send(struct batadv_priv *bat_priv, struct sk_buff *skb, + unsigned short vid) +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c +index f0f864820dead..708e90cb18a6e 100644 +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -826,6 +826,10 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, + vid = batadv_get_vid(skb, hdr_len); + ethhdr = (struct ethhdr *)(skb->data + hdr_len); + ++ /* do not reroute multicast frames in a unicast header */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ return true; ++ + /* check if the destination client was served by this node and it is now + * roaming. In this case, it means that the node has got a ROAM_ADV + * message and that it knows the new destination in the mesh to re-route +diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c +index 5ee8e9a100f90..7f209390069ea 100644 +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -364,9 +364,8 @@ send: + goto dropped; + ret = batadv_send_skb_via_gw(bat_priv, skb, vid); + } else if (mcast_single_orig) { +- ret = batadv_send_skb_unicast(bat_priv, skb, +- BATADV_UNICAST, 0, +- mcast_single_orig, vid); ++ ret = batadv_mcast_forw_send_orig(bat_priv, skb, vid, ++ mcast_single_orig); + } else if (forw_mode == BATADV_FORW_SOME) { + ret = batadv_mcast_forw_send(bat_priv, skb, vid); + } else { +@@ -425,10 +424,10 @@ void batadv_interface_rx(struct net_device *soft_iface, + struct vlan_ethhdr *vhdr; + struct ethhdr *ethhdr; + unsigned short vid; +- bool is_bcast; ++ int packet_type; + + batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data; +- is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST); ++ packet_type = batadv_bcast_packet->packet_type; + + skb_pull_rcsum(skb, hdr_size); + skb_reset_mac_header(skb); +@@ -471,7 +470,7 @@ void batadv_interface_rx(struct net_device *soft_iface, + /* Let the bridge loop avoidance check the packet. If will + * not handle it, we can safely push it up. + */ +- if (batadv_bla_rx(bat_priv, skb, vid, is_bcast)) ++ if (batadv_bla_rx(bat_priv, skb, vid, packet_type)) + goto out; + + if (orig_node) +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 7bf6860fed783..fd436e5d7b542 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -41,12 +41,27 @@ + + /* Handle HCI Event packets */ + +-static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb) ++static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb, ++ u8 *new_status) + { + __u8 status = *((__u8 *) skb->data); + + BT_DBG("%s status 0x%2.2x", hdev->name, status); + ++ /* It is possible that we receive Inquiry Complete event right ++ * before we receive Inquiry Cancel Command Complete event, in ++ * which case the latter event should have status of Command ++ * Disallowed (0x0c). This should not be treated as error, since ++ * we actually achieve what Inquiry Cancel wants to achieve, ++ * which is to end the last Inquiry session. ++ */ ++ if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) { ++ bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command"); ++ status = 0x00; ++ } ++ ++ *new_status = status; ++ + if (status) + return; + +@@ -3142,7 +3157,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb, + + switch (*opcode) { + case HCI_OP_INQUIRY_CANCEL: +- hci_cc_inquiry_cancel(hdev, skb); ++ hci_cc_inquiry_cancel(hdev, skb, status); + break; + + case HCI_OP_PERIODIC_INQ: +@@ -5853,6 +5868,11 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + u8 status = 0, event = hdr->evt, req_evt = 0; + u16 opcode = HCI_OP_NOP; + ++ if (!event) { ++ bt_dev_warn(hdev, "Received unexpected HCI Event 00000000"); ++ goto done; ++ } ++ + if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) { + struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data; + opcode = __le16_to_cpu(cmd_hdr->opcode); +@@ -6064,6 +6084,7 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb) + req_complete_skb(hdev, status, opcode, orig_skb); + } + ++done: + kfree_skb(orig_skb); + kfree_skb(skb); + hdev->stat.evt_rx++; +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index a845786258a0b..12a50e5a9f452 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -419,6 +419,9 @@ static void l2cap_chan_timeout(struct work_struct *work) + BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); + + mutex_lock(&conn->chan_lock); ++ /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling ++ * this work. No need to call l2cap_chan_hold(chan) here again. ++ */ + l2cap_chan_lock(chan); + + if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG) +@@ -431,12 +434,12 @@ static void l2cap_chan_timeout(struct work_struct *work) + + l2cap_chan_close(chan, reason); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); +- mutex_unlock(&conn->chan_lock); + ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); ++ ++ mutex_unlock(&conn->chan_lock); + } + + struct l2cap_chan *l2cap_chan_create(void) +@@ -1734,9 +1737,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err) + + l2cap_chan_del(chan, err); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + } + +@@ -4131,7 +4134,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, + return 0; + } + +- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) { ++ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 && ++ chan->state != BT_CONNECTED) { + cmd_reject_invalid_cid(conn, cmd->ident, chan->scid, + chan->dcid); + goto unlock; +@@ -4355,6 +4359,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + return 0; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + + rsp.dcid = cpu_to_le16(chan->scid); +@@ -4363,12 +4368,11 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, + + chan->ops->set_shutdown(chan); + +- l2cap_chan_hold(chan); + l2cap_chan_del(chan, ECONNRESET); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + + mutex_unlock(&conn->chan_lock); +@@ -4400,20 +4404,21 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, + return 0; + } + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); + + if (chan->state != BT_DISCONN) { + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + mutex_unlock(&conn->chan_lock); + return 0; + } + +- l2cap_chan_hold(chan); + l2cap_chan_del(chan, 0); + +- l2cap_chan_unlock(chan); +- + chan->ops->close(chan); ++ ++ l2cap_chan_unlock(chan); + l2cap_chan_put(chan); + + mutex_unlock(&conn->chan_lock); +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index a7be8b59b3c28..390a9afab6473 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1042,7 +1042,7 @@ done: + } + + /* Kill socket (only if zapped and orphan) +- * Must be called on unlocked socket. ++ * Must be called on unlocked socket, with l2cap channel lock. + */ + static void l2cap_sock_kill(struct sock *sk) + { +@@ -1193,6 +1193,7 @@ static int l2cap_sock_release(struct socket *sock) + { + struct sock *sk = sock->sk; + int err; ++ struct l2cap_chan *chan; + + BT_DBG("sock %p, sk %p", sock, sk); + +@@ -1202,9 +1203,17 @@ static int l2cap_sock_release(struct socket *sock) + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, 2); ++ chan = l2cap_pi(sk)->chan; ++ ++ l2cap_chan_hold(chan); ++ l2cap_chan_lock(chan); + + sock_orphan(sk); + l2cap_sock_kill(sk); ++ ++ l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); ++ + return err; + } + +@@ -1222,12 +1231,15 @@ static void l2cap_sock_cleanup_listen(struct sock *parent) + BT_DBG("child chan %p state %s", chan, + state_to_string(chan->state)); + ++ l2cap_chan_hold(chan); + l2cap_chan_lock(chan); ++ + __clear_chan_timer(chan); + l2cap_chan_close(chan, ECONNRESET); +- l2cap_chan_unlock(chan); +- + l2cap_sock_kill(sk); ++ ++ l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + } + } + +diff --git a/net/core/devlink.c b/net/core/devlink.c +index 5667cae57072f..26c8993a17ae0 100644 +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -4823,6 +4823,7 @@ int devlink_health_report(struct devlink_health_reporter *reporter, + { + enum devlink_health_reporter_state prev_health_state; + struct devlink *devlink = reporter->devlink; ++ unsigned long recover_ts_threshold; + + /* write a log message of the current error */ + WARN_ON(!msg); +@@ -4832,10 +4833,12 @@ int devlink_health_report(struct devlink_health_reporter *reporter, + reporter->health_state = DEVLINK_HEALTH_REPORTER_STATE_ERROR; + + /* abort if the previous error wasn't recovered */ ++ recover_ts_threshold = reporter->last_recovery_ts + ++ msecs_to_jiffies(reporter->graceful_period); + if (reporter->auto_recover && + (prev_health_state != DEVLINK_HEALTH_REPORTER_STATE_HEALTHY || +- jiffies - reporter->last_recovery_ts < +- msecs_to_jiffies(reporter->graceful_period))) { ++ (reporter->last_recovery_ts && reporter->recovery_count && ++ time_is_after_jiffies(recover_ts_threshold)))) { + trace_devlink_health_recover_aborted(devlink, + reporter->ops->name, + reporter->health_state, +diff --git a/net/core/filter.c b/net/core/filter.c +index cf2a68513bfd5..c441f9961e917 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6791,8 +6791,6 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig, + bool indirect = BPF_MODE(orig->code) == BPF_IND; + struct bpf_insn *insn = insn_buf; + +- /* We're guaranteed here that CTX is in R6. */ +- *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX); + if (!indirect) { + *insn++ = BPF_MOV64_IMM(BPF_REG_2, orig->imm); + } else { +@@ -6800,6 +6798,8 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig, + if (orig->imm) + *insn++ = BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, orig->imm); + } ++ /* We're guaranteed here that CTX is in R6. */ ++ *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX); + + switch (BPF_SIZE(orig->code)) { + case BPF_B: +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 7b40d12f0c229..04953e5f25302 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -3290,6 +3290,7 @@ static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos) + *pos = cpu+1; + return per_cpu_ptr(tbl->stats, cpu); + } ++ (*pos)++; + return NULL; + } + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index aa77f989ba817..7a5f64cf1fdd2 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -271,6 +271,7 @@ static void *rt_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos) + *pos = cpu+1; + return &per_cpu(rt_cache_stat, cpu); + } ++ (*pos)++; + return NULL; + + } +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 01ddfb4156e4a..2ffa33b5ef404 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2053,7 +2053,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock, + + /* Well, if we have backlog, try to process it now yet. */ + +- if (copied >= target && !sk->sk_backlog.tail) ++ if (copied >= target && !READ_ONCE(sk->sk_backlog.tail)) + break; + + if (copied) { +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index 96d80e50bf35b..9ca6c32065ec6 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -2479,14 +2479,13 @@ static void *ipv6_route_seq_next(struct seq_file *seq, void *v, loff_t *pos) + struct net *net = seq_file_net(seq); + struct ipv6_route_iter *iter = seq->private; + ++ ++(*pos); + if (!v) + goto iter_table; + + n = rcu_dereference_bh(((struct fib6_info *)v)->fib6_next); +- if (n) { +- ++*pos; ++ if (n) + return n; +- } + + iter_table: + ipv6_route_check_sernum(iter); +@@ -2494,8 +2493,6 @@ iter_table: + r = fib6_walk_continue(&iter->w); + spin_unlock_bh(&iter->tbl->tb6_lock); + if (r > 0) { +- if (v) +- ++*pos; + return iter->w.leaf; + } else if (r < 0) { + fib6_walker_unlink(net, &iter->w); +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index 5abb7f9b7ee5f..fa0f3c1543ba5 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -784,7 +784,7 @@ static int llc_ui_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + } + /* Well, if we have backlog, try to process it now yet. */ + +- if (copied >= target && !sk->sk_backlog.tail) ++ if (copied >= target && !READ_ONCE(sk->sk_backlog.tail)) + break; + + if (copied) { +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 30201aeb426cf..f029e75ec815a 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3913,6 +3913,9 @@ void __ieee80211_subif_start_xmit(struct sk_buff *skb, + skb->prev = NULL; + skb->next = NULL; + ++ if (skb->protocol == sdata->control_port_protocol) ++ ctrl_flags |= IEEE80211_TX_CTRL_SKIP_MPATH_LOOKUP; ++ + skb = ieee80211_build_hdr(sdata, skb, info_flags, + sta, ctrl_flags); + if (IS_ERR(skb)) +@@ -5096,7 +5099,8 @@ int ieee80211_tx_control_port(struct wiphy *wiphy, struct net_device *dev, + return -EINVAL; + + if (proto == sdata->control_port_protocol) +- ctrl_flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO; ++ ctrl_flags |= IEEE80211_TX_CTRL_PORT_CTRL_PROTO | ++ IEEE80211_TX_CTRL_SKIP_MPATH_LOOKUP; + + if (unencrypted) + flags = IEEE80211_TX_INTFL_DONT_ENCRYPT; +diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c +index ab52811523e99..c829e4a753256 100644 +--- a/net/mac802154/tx.c ++++ b/net/mac802154/tx.c +@@ -34,11 +34,11 @@ void ieee802154_xmit_worker(struct work_struct *work) + if (res) + goto err_tx; + +- ieee802154_xmit_complete(&local->hw, skb, false); +- + dev->stats.tx_packets++; + dev->stats.tx_bytes += skb->len; + ++ ieee802154_xmit_complete(&local->hw, skb, false); ++ + return; + + err_tx: +@@ -78,6 +78,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + + /* async is priority, otherwise sync is fallback */ + if (local->ops->xmit_async) { ++ unsigned int len = skb->len; ++ + ret = drv_xmit_async(local, skb); + if (ret) { + ieee802154_wake_queue(&local->hw); +@@ -85,7 +87,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb) + } + + dev->stats.tx_packets++; +- dev->stats.tx_bytes += skb->len; ++ dev->stats.tx_bytes += len; + } else { + local->tx_skb = skb; + queue_work(local->workqueue, &local->tx_work); +diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c +index a0560d175a7ff..aaf4293ddd459 100644 +--- a/net/netfilter/nf_conntrack_proto.c ++++ b/net/netfilter/nf_conntrack_proto.c +@@ -565,6 +565,7 @@ static int nf_ct_netns_inet_get(struct net *net) + int err; + + err = nf_ct_netns_do_get(net, NFPROTO_IPV4); ++#if IS_ENABLED(CONFIG_IPV6) + if (err < 0) + goto err1; + err = nf_ct_netns_do_get(net, NFPROTO_IPV6); +@@ -575,6 +576,7 @@ static int nf_ct_netns_inet_get(struct net *net) + err2: + nf_ct_netns_put(net, NFPROTO_IPV4); + err1: ++#endif + return err; + } + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2023650c27249..ff2d2b514506e 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -456,7 +456,8 @@ static struct nft_table *nft_table_lookup(const struct net *net, + if (nla == NULL) + return ERR_PTR(-EINVAL); + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &net->nft.tables, list, ++ lockdep_is_held(&net->nft.commit_mutex)) { + if (!nla_strcmp(nla, table->name) && + table->family == family && + nft_active_genmask(table, genmask)) +diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c +index 3323b79ff548d..541eea74ef7a6 100644 +--- a/net/openvswitch/meter.c ++++ b/net/openvswitch/meter.c +@@ -251,8 +251,8 @@ static struct dp_meter *dp_meter_create(struct nlattr **a) + * + * Start with a full bucket. + */ +- band->bucket = (band->burst_size + band->rate) * 1000; +- band_max_delta_t = band->bucket / band->rate; ++ band->bucket = (band->burst_size + band->rate) * 1000ULL; ++ band_max_delta_t = div_u64(band->bucket, band->rate); + if (band_max_delta_t > meter->max_delta_t) + meter->max_delta_t = band_max_delta_t; + band++; +diff --git a/net/openvswitch/meter.h b/net/openvswitch/meter.h +index f645913870bd2..2e3fd6f1d7ebe 100644 +--- a/net/openvswitch/meter.h ++++ b/net/openvswitch/meter.h +@@ -23,7 +23,7 @@ struct dp_meter_band { + u32 type; + u32 rate; + u32 burst_size; +- u32 bucket; /* 1/1000 packets, or in bits */ ++ u64 bucket; /* 1/1000 packets, or in bits */ + struct ovs_flow_stats stats; + }; + +diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c +index 0dab62b67b9a4..adceb226ffab3 100644 +--- a/net/sctp/outqueue.c ++++ b/net/sctp/outqueue.c +@@ -36,6 +36,7 @@ + #include <net/sctp/sctp.h> + #include <net/sctp/sm.h> + #include <net/sctp/stream_sched.h> ++#include <trace/events/sctp.h> + + /* Declare internal functions here. */ + static int sctp_acked(struct sctp_sackhdr *sack, __u32 tsn); +@@ -1238,6 +1239,11 @@ int sctp_outq_sack(struct sctp_outq *q, struct sctp_chunk *chunk) + /* Grab the association's destination address list. */ + transport_list = &asoc->peer.transport_addr_list; + ++ /* SCTP path tracepoint for congestion control debugging. */ ++ list_for_each_entry(transport, transport_list, transports) { ++ trace_sctp_probe_path(transport, asoc); ++ } ++ + sack_ctsn = ntohl(sack->cum_tsn_ack); + gap_ack_blocks = ntohs(sack->num_gap_ack_blocks); + asoc->stats.gapcnt += gap_ack_blocks; +diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c +index 987c4b1f0b174..53d8b82eda006 100644 +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -204,10 +204,6 @@ static void __rpc_add_wait_queue(struct rpc_wait_queue *queue, + struct rpc_task *task, + unsigned char queue_priority) + { +- WARN_ON_ONCE(RPC_IS_QUEUED(task)); +- if (RPC_IS_QUEUED(task)) +- return; +- + INIT_LIST_HEAD(&task->u.tk_wait.timer_list); + if (RPC_IS_PRIORITY(queue)) + __rpc_add_wait_queue_priority(queue, task, queue_priority); +@@ -382,7 +378,7 @@ static void rpc_make_runnable(struct workqueue_struct *wq, + * NB: An RPC task will only receive interrupt-driven events as long + * as it's on a wait queue. + */ +-static void __rpc_sleep_on_priority(struct rpc_wait_queue *q, ++static void __rpc_do_sleep_on_priority(struct rpc_wait_queue *q, + struct rpc_task *task, + unsigned char queue_priority) + { +@@ -395,12 +391,23 @@ static void __rpc_sleep_on_priority(struct rpc_wait_queue *q, + + } + ++static void __rpc_sleep_on_priority(struct rpc_wait_queue *q, ++ struct rpc_task *task, ++ unsigned char queue_priority) ++{ ++ if (WARN_ON_ONCE(RPC_IS_QUEUED(task))) ++ return; ++ __rpc_do_sleep_on_priority(q, task, queue_priority); ++} ++ + static void __rpc_sleep_on_priority_timeout(struct rpc_wait_queue *q, + struct rpc_task *task, unsigned long timeout, + unsigned char queue_priority) + { ++ if (WARN_ON_ONCE(RPC_IS_QUEUED(task))) ++ return; + if (time_is_after_jiffies(timeout)) { +- __rpc_sleep_on_priority(q, task, queue_priority); ++ __rpc_do_sleep_on_priority(q, task, queue_priority); + __rpc_add_timer(q, task, timeout); + } else + task->tk_status = -ETIMEDOUT; +@@ -824,6 +831,7 @@ rpc_reset_task_statistics(struct rpc_task *task) + */ + void rpc_exit_task(struct rpc_task *task) + { ++ trace_rpc_task_end(task, task->tk_action); + task->tk_action = NULL; + if (task->tk_ops->rpc_count_stats) + task->tk_ops->rpc_count_stats(task, task->tk_calldata); +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index dc74519286be5..fe4cd0b4c4127 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -104,8 +104,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl) + } + EXPORT_SYMBOL_GPL(svc_unreg_xprt_class); + +-/* +- * Format the transport list for printing ++/** ++ * svc_print_xprts - Format the transport list for printing ++ * @buf: target buffer for formatted address ++ * @maxlen: length of target buffer ++ * ++ * Fills in @buf with a string containing a list of transport names, each name ++ * terminated with '\n'. If the buffer is too small, some entries may be ++ * missing, but it is guaranteed that all lines in the output buffer are ++ * complete. ++ * ++ * Returns positive length of the filled-in string. + */ + int svc_print_xprts(char *buf, int maxlen) + { +@@ -118,9 +127,9 @@ int svc_print_xprts(char *buf, int maxlen) + list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) { + int slen; + +- sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload); +- slen = strlen(tmpstr); +- if (len + slen > maxlen) ++ slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n", ++ xcl->xcl_name, xcl->xcl_max_payload); ++ if (slen >= sizeof(tmpstr) || len + slen >= maxlen) + break; + len += slen; + strcat(buf, tmpstr); +diff --git a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +index cf80394b2db33..68d2dcf0a1be1 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c +@@ -15,26 +15,25 @@ + #undef SVCRDMA_BACKCHANNEL_DEBUG + + /** +- * svc_rdma_handle_bc_reply - Process incoming backchannel reply +- * @xprt: controlling backchannel transport +- * @rdma_resp: pointer to incoming transport header +- * @rcvbuf: XDR buffer into which to decode the reply ++ * svc_rdma_handle_bc_reply - Process incoming backchannel Reply ++ * @rqstp: resources for handling the Reply ++ * @rctxt: Received message + * +- * Returns: +- * %0 if @rcvbuf is filled in, xprt_complete_rqst called, +- * %-EAGAIN if server should call ->recvfrom again. + */ +-int svc_rdma_handle_bc_reply(struct rpc_xprt *xprt, __be32 *rdma_resp, +- struct xdr_buf *rcvbuf) ++void svc_rdma_handle_bc_reply(struct svc_rqst *rqstp, ++ struct svc_rdma_recv_ctxt *rctxt) + { ++ struct svc_xprt *sxprt = rqstp->rq_xprt; ++ struct rpc_xprt *xprt = sxprt->xpt_bc_xprt; + struct rpcrdma_xprt *r_xprt = rpcx_to_rdmax(xprt); ++ struct xdr_buf *rcvbuf = &rqstp->rq_arg; + struct kvec *dst, *src = &rcvbuf->head[0]; ++ __be32 *rdma_resp = rctxt->rc_recv_buf; + struct rpc_rqst *req; + u32 credits; + size_t len; + __be32 xid; + __be32 *p; +- int ret; + + p = (__be32 *)src->iov_base; + len = src->iov_len; +@@ -49,14 +48,10 @@ int svc_rdma_handle_bc_reply(struct rpc_xprt *xprt, __be32 *rdma_resp, + __func__, (int)len, p); + #endif + +- ret = -EAGAIN; +- if (src->iov_len < 24) +- goto out_shortreply; +- + spin_lock(&xprt->queue_lock); + req = xprt_lookup_rqst(xprt, xid); + if (!req) +- goto out_notfound; ++ goto out_unlock; + + dst = &req->rq_private_buf.head[0]; + memcpy(&req->rq_private_buf, &req->rq_rcv_buf, sizeof(struct xdr_buf)); +@@ -77,25 +72,12 @@ int svc_rdma_handle_bc_reply(struct rpc_xprt *xprt, __be32 *rdma_resp, + spin_unlock(&xprt->transport_lock); + + spin_lock(&xprt->queue_lock); +- ret = 0; + xprt_complete_rqst(req->rq_task, rcvbuf->len); + xprt_unpin_rqst(req); + rcvbuf->len = 0; + + out_unlock: + spin_unlock(&xprt->queue_lock); +-out: +- return ret; +- +-out_shortreply: +- dprintk("svcrdma: short bc reply: xprt=%p, len=%zu\n", +- xprt, src->iov_len); +- goto out; +- +-out_notfound: +- dprintk("svcrdma: unrecognized bc reply: xprt=%p, xid=%08x\n", +- xprt, be32_to_cpu(xid)); +- goto out_unlock; + } + + /* Send a backwards direction RPC call. +@@ -252,6 +234,7 @@ xprt_rdma_bc_put(struct rpc_xprt *xprt) + { + dprintk("svcrdma: %s: xprt %p\n", __func__, xprt); + ++ xprt_rdma_free_addresses(xprt); + xprt_free(xprt); + } + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +index d803d814a03ad..fd5c1f1bb9885 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c +@@ -817,12 +817,9 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp) + goto out_drop; + rqstp->rq_xprt_hlen = ret; + +- if (svc_rdma_is_backchannel_reply(xprt, p)) { +- ret = svc_rdma_handle_bc_reply(xprt->xpt_bc_xprt, p, +- &rqstp->rq_arg); +- svc_rdma_recv_ctxt_put(rdma_xprt, ctxt); +- return ret; +- } ++ if (svc_rdma_is_backchannel_reply(xprt, p)) ++ goto out_backchannel; ++ + svc_rdma_get_inv_rkey(rdma_xprt, ctxt); + + p += rpcrdma_fixed_maxsz; +@@ -852,6 +849,8 @@ out_postfail: + svc_rdma_recv_ctxt_put(rdma_xprt, ctxt); + return ret; + ++out_backchannel: ++ svc_rdma_handle_bc_reply(rqstp, ctxt); + out_drop: + svc_rdma_recv_ctxt_put(rdma_xprt, ctxt); + return 0; +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 959155c3a1608..66e8f89bce534 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -260,12 +260,12 @@ static void tipc_sk_respond(struct sock *sk, struct sk_buff *skb, int err) + * + * Caller must hold socket lock + */ +-static void tsk_rej_rx_queue(struct sock *sk) ++static void tsk_rej_rx_queue(struct sock *sk, int error) + { + struct sk_buff *skb; + + while ((skb = __skb_dequeue(&sk->sk_receive_queue))) +- tipc_sk_respond(sk, skb, TIPC_ERR_NO_PORT); ++ tipc_sk_respond(sk, skb, error); + } + + static bool tipc_sk_connected(struct sock *sk) +@@ -515,34 +515,45 @@ static void __tipc_shutdown(struct socket *sock, int error) + /* Remove any pending SYN message */ + __skb_queue_purge(&sk->sk_write_queue); + +- /* Reject all unreceived messages, except on an active connection +- * (which disconnects locally & sends a 'FIN+' to peer). +- */ +- while ((skb = __skb_dequeue(&sk->sk_receive_queue)) != NULL) { +- if (TIPC_SKB_CB(skb)->bytes_read) { +- kfree_skb(skb); +- continue; +- } +- if (!tipc_sk_type_connectionless(sk) && +- sk->sk_state != TIPC_DISCONNECTING) { +- tipc_set_sk_state(sk, TIPC_DISCONNECTING); +- tipc_node_remove_conn(net, dnode, tsk->portid); +- } +- tipc_sk_respond(sk, skb, error); ++ /* Remove partially received buffer if any */ ++ skb = skb_peek(&sk->sk_receive_queue); ++ if (skb && TIPC_SKB_CB(skb)->bytes_read) { ++ __skb_unlink(skb, &sk->sk_receive_queue); ++ kfree_skb(skb); + } + +- if (tipc_sk_type_connectionless(sk)) ++ /* Reject all unreceived messages if connectionless */ ++ if (tipc_sk_type_connectionless(sk)) { ++ tsk_rej_rx_queue(sk, error); + return; ++ } + +- if (sk->sk_state != TIPC_DISCONNECTING) { ++ switch (sk->sk_state) { ++ case TIPC_CONNECTING: ++ case TIPC_ESTABLISHED: ++ tipc_set_sk_state(sk, TIPC_DISCONNECTING); ++ tipc_node_remove_conn(net, dnode, tsk->portid); ++ /* Send a FIN+/- to its peer */ ++ skb = __skb_dequeue(&sk->sk_receive_queue); ++ if (skb) { ++ __skb_queue_purge(&sk->sk_receive_queue); ++ tipc_sk_respond(sk, skb, error); ++ break; ++ } + skb = tipc_msg_create(TIPC_CRITICAL_IMPORTANCE, + TIPC_CONN_MSG, SHORT_H_SIZE, 0, dnode, + tsk_own_node(tsk), tsk_peer_port(tsk), + tsk->portid, error); + if (skb) + tipc_node_xmit_skb(net, skb, dnode, tsk->portid); +- tipc_node_remove_conn(net, dnode, tsk->portid); +- tipc_set_sk_state(sk, TIPC_DISCONNECTING); ++ break; ++ case TIPC_LISTEN: ++ /* Reject all SYN messages */ ++ tsk_rej_rx_queue(sk, error); ++ break; ++ default: ++ __skb_queue_purge(&sk->sk_receive_queue); ++ break; + } + } + +@@ -2564,7 +2575,7 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags, + * Reject any stray messages received by new socket + * before the socket lock was taken (very, very unlikely) + */ +- tsk_rej_rx_queue(new_sk); ++ tsk_rej_rx_queue(new_sk, TIPC_ERR_NO_PORT); + + /* Connect new socket to it's peer */ + tipc_sk_finish_conn(new_tsock, msg_origport(msg), msg_orignode(msg)); +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index 73dbed0c4b6b8..931c426673c02 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -400,7 +400,9 @@ static int tipc_conn_rcv_from_sock(struct tipc_conn *con) + return -EWOULDBLOCK; + if (ret == sizeof(s)) { + read_lock_bh(&sk->sk_callback_lock); +- ret = tipc_conn_rcv_sub(srv, con, &s); ++ /* RACE: the connection can be closed in the meantime */ ++ if (likely(connected(con))) ++ ret = tipc_conn_rcv_sub(srv, con, &s); + read_unlock_bh(&sk->sk_callback_lock); + if (!ret) + return 0; +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index b3369d678f1af..ecadd9e482c46 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -189,11 +189,17 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk) + return unix_peer(osk) == NULL || unix_our_peer(sk, osk); + } + +-static inline int unix_recvq_full(struct sock const *sk) ++static inline int unix_recvq_full(const struct sock *sk) + { + return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; + } + ++static inline int unix_recvq_full_lockless(const struct sock *sk) ++{ ++ return skb_queue_len_lockless(&sk->sk_receive_queue) > ++ READ_ONCE(sk->sk_max_ack_backlog); ++} ++ + struct sock *unix_peer_get(struct sock *s) + { + struct sock *peer; +@@ -1724,7 +1730,8 @@ restart_locked: + * - unix_peer(sk) == sk by time of get but disconnected before lock + */ + if (other != sk && +- unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ unlikely(unix_peer(other) != sk && ++ unix_recvq_full_lockless(other))) { + if (timeo) { + timeo = unix_wait_for_peer(other, timeo); + +diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig +index 63cf7131f601c..211007c091d59 100644 +--- a/net/wireless/Kconfig ++++ b/net/wireless/Kconfig +@@ -217,6 +217,7 @@ config LIB80211_CRYPT_WEP + + config LIB80211_CRYPT_CCMP + tristate ++ select CRYPTO + select CRYPTO_AES + select CRYPTO_CCM + +diff --git a/security/device_cgroup.c b/security/device_cgroup.c +index 725674f3276d3..5d7bb91c64876 100644 +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -352,7 +352,8 @@ static bool match_exception_partial(struct list_head *exceptions, short type, + { + struct dev_exception_item *ex; + +- list_for_each_entry_rcu(ex, exceptions, list) { ++ list_for_each_entry_rcu(ex, exceptions, list, ++ lockdep_is_held(&devcgroup_mutex)) { + if ((type & DEVCG_DEV_BLOCK) && !(ex->type & DEVCG_DEV_BLOCK)) + continue; + if ((type & DEVCG_DEV_CHAR) && !(ex->type & DEVCG_DEV_CHAR)) +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 552e73d90fd25..212f48025db81 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3156,6 +3156,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); + } + ++ if (!selinux_state.initialized) ++ return (inode_owner_or_capable(inode) ? 0 : -EPERM); ++ + sbsec = inode->i_sb->s_security; + if (!(sbsec->flags & SBLABEL_MNT)) + return -EOPNOTSUPP; +@@ -3239,6 +3242,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, + return; + } + ++ if (!selinux_state.initialized) { ++ /* If we haven't even been initialized, then we can't validate ++ * against a policy, so leave the label as invalid. It may ++ * resolve to a valid label on the next revalidation try if ++ * we've since initialized. ++ */ ++ return; ++ } ++ + rc = security_context_to_sid_force(&selinux_state, value, size, + &newsid); + if (rc) { +diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c +index e6c7643c3fc08..e9eaff90cbccd 100644 +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -1508,6 +1508,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) + *idx = cpu + 1; + return &per_cpu(avc_cache_stats, cpu); + } ++ (*idx)++; + return NULL; + } + +diff --git a/sound/hda/hdac_bus.c b/sound/hda/hdac_bus.c +index 8f19876244ebe..53be2cac98e7c 100644 +--- a/sound/hda/hdac_bus.c ++++ b/sound/hda/hdac_bus.c +@@ -158,6 +158,7 @@ static void snd_hdac_bus_process_unsol_events(struct work_struct *work) + struct hdac_driver *drv; + unsigned int rp, caddr, res; + ++ spin_lock_irq(&bus->reg_lock); + while (bus->unsol_rp != bus->unsol_wp) { + rp = (bus->unsol_rp + 1) % HDA_UNSOL_QUEUE_SIZE; + bus->unsol_rp = rp; +@@ -169,10 +170,13 @@ static void snd_hdac_bus_process_unsol_events(struct work_struct *work) + codec = bus->caddr_tbl[caddr & 0x0f]; + if (!codec || !codec->dev.driver) + continue; ++ spin_unlock_irq(&bus->reg_lock); + drv = drv_to_hdac_driver(codec->dev.driver); + if (drv->unsol_event) + drv->unsol_event(codec, res); ++ spin_lock_irq(&bus->reg_lock); + } ++ spin_unlock_irq(&bus->reg_lock); + } + + /** +diff --git a/sound/hda/hdac_regmap.c b/sound/hda/hdac_regmap.c +index 2596a881186fa..49780399c2849 100644 +--- a/sound/hda/hdac_regmap.c ++++ b/sound/hda/hdac_regmap.c +@@ -363,7 +363,6 @@ static const struct regmap_config hda_regmap_cfg = { + .reg_write = hda_reg_write, + .use_single_read = true, + .use_single_write = true, +- .disable_locking = true, + }; + + /** +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c +index 496dcde9715d6..9790f5108a166 100644 +--- a/sound/pci/asihpi/hpioctl.c ++++ b/sound/pci/asihpi/hpioctl.c +@@ -343,7 +343,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + struct hpi_message hm; + struct hpi_response hr; + struct hpi_adapter adapter; +- struct hpi_pci pci; ++ struct hpi_pci pci = { 0 }; + + memset(&adapter, 0, sizeof(adapter)); + +@@ -499,7 +499,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + return 0; + + err: +- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) { ++ while (--idx >= 0) { + if (pci.ap_mem_base[idx]) { + iounmap(pci.ap_mem_base[idx]); + pci.ap_mem_base[idx] = NULL; +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 103011e7285a3..6da296def283e 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -641,8 +641,18 @@ static void hda_jackpoll_work(struct work_struct *work) + struct hda_codec *codec = + container_of(work, struct hda_codec, jackpoll_work.work); + +- snd_hda_jack_set_dirty_all(codec); +- snd_hda_jack_poll_all(codec); ++ /* for non-polling trigger: we need nothing if already powered on */ ++ if (!codec->jackpoll_interval && snd_hdac_is_power_on(&codec->core)) ++ return; ++ ++ /* the power-up/down sequence triggers the runtime resume */ ++ snd_hda_power_up_pm(codec); ++ /* update jacks manually if polling is required, too */ ++ if (codec->jackpoll_interval) { ++ snd_hda_jack_set_dirty_all(codec); ++ snd_hda_jack_poll_all(codec); ++ } ++ snd_hda_power_down_pm(codec); + + if (!codec->jackpoll_interval) + return; +@@ -2958,18 +2968,14 @@ static int hda_codec_runtime_resume(struct device *dev) + static int hda_codec_force_resume(struct device *dev) + { + struct hda_codec *codec = dev_to_hda_codec(dev); +- bool forced_resume = !codec->relaxed_resume && codec->jacktbl.used; + int ret; + +- /* The get/put pair below enforces the runtime resume even if the +- * device hasn't been used at suspend time. This trick is needed to +- * update the jack state change during the sleep. +- */ +- if (forced_resume) +- pm_runtime_get_noresume(dev); + ret = pm_runtime_force_resume(dev); +- if (forced_resume) +- pm_runtime_put(dev); ++ /* schedule jackpoll work for jack detection update */ ++ if (codec->jackpoll_interval || ++ (pm_runtime_suspended(dev) && hda_codec_need_resume(codec))) ++ schedule_delayed_work(&codec->jackpoll_work, ++ codec->jackpoll_interval); + return ret; + } + +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index 76b507058cb4d..5e6081750bd9b 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1159,16 +1159,23 @@ irqreturn_t azx_interrupt(int irq, void *dev_id) + if (snd_hdac_bus_handle_stream_irq(bus, status, stream_update)) + active = true; + +- /* clear rirb int */ + status = azx_readb(chip, RIRBSTS); + if (status & RIRB_INT_MASK) { ++ /* ++ * Clearing the interrupt status here ensures that no ++ * interrupt gets masked after the RIRB wp is read in ++ * snd_hdac_bus_update_rirb. This avoids a possible ++ * race condition where codec response in RIRB may ++ * remain unserviced by IRQ, eventually falling back ++ * to polling mode in azx_rirb_get_response. ++ */ ++ azx_writeb(chip, RIRBSTS, RIRB_INT_MASK); + active = true; + if (status & RIRB_INT_RESPONSE) { + if (chip->driver_caps & AZX_DCAPS_CTX_WORKAROUND) + udelay(80); + snd_hdac_bus_update_rirb(bus); + } +- azx_writeb(chip, RIRBSTS, RIRB_INT_MASK); + } + } while (active && ++repeat < 10); + +diff --git a/sound/pci/hda/hda_controller.h b/sound/pci/hda/hda_controller.h +index 82e26442724ba..a356fb0e57738 100644 +--- a/sound/pci/hda/hda_controller.h ++++ b/sound/pci/hda/hda_controller.h +@@ -41,7 +41,7 @@ + /* 24 unused */ + #define AZX_DCAPS_COUNT_LPIB_DELAY (1 << 25) /* Take LPIB as delay */ + #define AZX_DCAPS_PM_RUNTIME (1 << 26) /* runtime PM support */ +-/* 27 unused */ ++#define AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP (1 << 27) /* Workaround for spurious wakeups after suspend */ + #define AZX_DCAPS_CORBRP_SELF_CLEAR (1 << 28) /* CORBRP clears itself after reset */ + #define AZX_DCAPS_NO_MSI64 (1 << 29) /* Stick to 32-bit MSIs */ + #define AZX_DCAPS_SEPARATE_STREAM_TAG (1 << 30) /* capture and playback use separate stream tag */ +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 7353d2ec359ae..590ea262f2e20 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -295,7 +295,8 @@ enum { + /* PCH for HSW/BDW; with runtime PM */ + /* no i915 binding for this as HSW/BDW has another controller for HDMI */ + #define AZX_DCAPS_INTEL_PCH \ +- (AZX_DCAPS_INTEL_PCH_BASE | AZX_DCAPS_PM_RUNTIME) ++ (AZX_DCAPS_INTEL_PCH_BASE | AZX_DCAPS_PM_RUNTIME |\ ++ AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP) + + /* HSW HDMI */ + #define AZX_DCAPS_INTEL_HASWELL \ +@@ -1002,7 +1003,8 @@ static void __azx_runtime_resume(struct azx *chip, bool from_rt) + + if (status && from_rt) { + list_for_each_codec(codec, &chip->bus) +- if (status & (1 << codec->addr)) ++ if (!codec->relaxed_resume && ++ (status & (1 << codec->addr))) + schedule_delayed_work(&codec->jackpoll_work, + codec->jackpoll_interval); + } +@@ -1025,7 +1027,14 @@ static int azx_suspend(struct device *dev) + chip = card->private_data; + bus = azx_bus(chip); + snd_power_change_state(card, SNDRV_CTL_POWER_D3hot); +- __azx_runtime_suspend(chip); ++ /* An ugly workaround: direct call of __azx_runtime_suspend() and ++ * __azx_runtime_resume() for old Intel platforms that suffer from ++ * spurious wakeups after S3 suspend ++ */ ++ if (chip->driver_caps & AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP) ++ __azx_runtime_suspend(chip); ++ else ++ pm_runtime_force_suspend(dev); + if (bus->irq >= 0) { + free_irq(bus->irq, chip); + bus->irq = -1; +@@ -1052,7 +1061,11 @@ static int azx_resume(struct device *dev) + chip->msi = 0; + if (azx_acquire_irq(chip, 1) < 0) + return -EIO; +- __azx_runtime_resume(chip, false); ++ ++ if (chip->driver_caps & AZX_DCAPS_SUSPEND_SPURIOUS_WAKEUP) ++ __azx_runtime_resume(chip, false); ++ else ++ pm_runtime_force_resume(dev); + snd_power_change_state(card, SNDRV_CTL_POWER_D0); + + trace_azx_resume(chip); +@@ -1099,12 +1112,12 @@ static int azx_runtime_suspend(struct device *dev) + if (!azx_is_pm_ready(card)) + return 0; + chip = card->private_data; +- if (!azx_has_pm_runtime(chip)) +- return 0; + + /* enable controller wake up event */ +- azx_writew(chip, WAKEEN, azx_readw(chip, WAKEEN) | +- STATESTS_INT_MASK); ++ if (snd_power_get_state(card) == SNDRV_CTL_POWER_D0) { ++ azx_writew(chip, WAKEEN, azx_readw(chip, WAKEEN) | ++ STATESTS_INT_MASK); ++ } + + __azx_runtime_suspend(chip); + trace_azx_runtime_suspend(chip); +@@ -1115,17 +1128,18 @@ static int azx_runtime_resume(struct device *dev) + { + struct snd_card *card = dev_get_drvdata(dev); + struct azx *chip; ++ bool from_rt = snd_power_get_state(card) == SNDRV_CTL_POWER_D0; + + if (!azx_is_pm_ready(card)) + return 0; + chip = card->private_data; +- if (!azx_has_pm_runtime(chip)) +- return 0; +- __azx_runtime_resume(chip, true); ++ __azx_runtime_resume(chip, from_rt); + + /* disable controller Wake Up event*/ +- azx_writew(chip, WAKEEN, azx_readw(chip, WAKEEN) & +- ~STATESTS_INT_MASK); ++ if (from_rt) { ++ azx_writew(chip, WAKEEN, azx_readw(chip, WAKEEN) & ++ ~STATESTS_INT_MASK); ++ } + + trace_azx_runtime_resume(chip); + return 0; +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 54346ae47d112..4dfd714f718b8 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3418,7 +3418,11 @@ static void alc256_shutup(struct hda_codec *codec) + + /* 3k pull low control for Headset jack. */ + /* NOTE: call this before clearing the pin, otherwise codec stalls */ +- alc_update_coef_idx(codec, 0x46, 0, 3 << 12); ++ /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly ++ * when booting with headset plugged. So skip setting it for the codec alc257 ++ */ ++ if (codec->core.vendor_id != 0x10ec0257) ++ alc_update_coef_idx(codec, 0x46, 0, 3 << 12); + + if (!spec->no_shutup_pins) + snd_hda_codec_write(codec, hp_pin, 0, +@@ -6032,6 +6036,7 @@ static void alc_fixup_thinkpad_acpi(struct hda_codec *codec, + #include "hp_x360_helper.c" + + enum { ++ ALC269_FIXUP_GPIO2, + ALC269_FIXUP_SONY_VAIO, + ALC275_FIXUP_SONY_VAIO_GPIO2, + ALC269_FIXUP_DELL_M101Z, +@@ -6213,6 +6218,10 @@ enum { + }; + + static const struct hda_fixup alc269_fixups[] = { ++ [ALC269_FIXUP_GPIO2] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_gpio2, ++ }, + [ALC269_FIXUP_SONY_VAIO] = { + .type = HDA_FIXUP_PINCTLS, + .v.pins = (const struct hda_pintbl[]) { +@@ -7032,6 +7041,8 @@ static const struct hda_fixup alc269_fixups[] = { + [ALC233_FIXUP_LENOVO_MULTI_CODECS] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc233_alc662_fixup_lenovo_dual_codecs, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_GPIO2 + }, + [ALC233_FIXUP_ACER_HEADSET_MIC] = { + .type = HDA_FIXUP_VERBS, +diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c +index 45da2b51543e7..6b9d326e11b07 100644 +--- a/sound/soc/codecs/max98090.c ++++ b/sound/soc/codecs/max98090.c +@@ -2112,10 +2112,16 @@ static void max98090_pll_work(struct max98090_priv *max98090) + + dev_info_ratelimited(component->dev, "PLL unlocked\n"); + ++ /* ++ * As the datasheet suggested, the maximum PLL lock time should be ++ * 7 msec. The workaround resets the codec softly by toggling SHDN ++ * off and on if PLL failed to lock for 10 msec. Notably, there is ++ * no suggested hold time for SHDN off. ++ */ ++ + /* Toggle shutdown OFF then ON */ + snd_soc_component_update_bits(component, M98090_REG_DEVICE_SHUTDOWN, + M98090_SHDNN_MASK, 0); +- msleep(10); + snd_soc_component_update_bits(component, M98090_REG_DEVICE_SHUTDOWN, + M98090_SHDNN_MASK, M98090_SHDNN_MASK); + +diff --git a/sound/soc/codecs/pcm3168a.c b/sound/soc/codecs/pcm3168a.c +index 88b75695fbf7f..b37e5fbbd301a 100644 +--- a/sound/soc/codecs/pcm3168a.c ++++ b/sound/soc/codecs/pcm3168a.c +@@ -302,6 +302,13 @@ static int pcm3168a_set_dai_sysclk(struct snd_soc_dai *dai, + struct pcm3168a_priv *pcm3168a = snd_soc_component_get_drvdata(dai->component); + int ret; + ++ /* ++ * Some sound card sets 0 Hz as reset, ++ * but it is impossible to set. Ignore it here ++ */ ++ if (freq == 0) ++ return 0; ++ + if (freq > PCM3168A_MAX_SYSCLK) + return -EINVAL; + +diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c +index d5fb7f5dd551c..6dbab3fc6537e 100644 +--- a/sound/soc/codecs/wm8994.c ++++ b/sound/soc/codecs/wm8994.c +@@ -3372,6 +3372,8 @@ int wm8994_mic_detect(struct snd_soc_component *component, struct snd_soc_jack * + return -EINVAL; + } + ++ pm_runtime_get_sync(component->dev); ++ + switch (micbias) { + case 1: + micdet = &wm8994->micdet[0]; +@@ -3419,6 +3421,8 @@ int wm8994_mic_detect(struct snd_soc_component *component, struct snd_soc_jack * + + snd_soc_dapm_sync(dapm); + ++ pm_runtime_put(component->dev); ++ + return 0; + } + EXPORT_SYMBOL_GPL(wm8994_mic_detect); +@@ -3786,6 +3790,8 @@ int wm8958_mic_detect(struct snd_soc_component *component, struct snd_soc_jack * + return -EINVAL; + } + ++ pm_runtime_get_sync(component->dev); ++ + if (jack) { + snd_soc_dapm_force_enable_pin(dapm, "CLK_SYS"); + snd_soc_dapm_sync(dapm); +@@ -3854,6 +3860,8 @@ int wm8958_mic_detect(struct snd_soc_component *component, struct snd_soc_jack * + snd_soc_dapm_sync(dapm); + } + ++ pm_runtime_put(component->dev); ++ + return 0; + } + EXPORT_SYMBOL_GPL(wm8958_mic_detect); +@@ -4047,11 +4055,13 @@ static int wm8994_component_probe(struct snd_soc_component *component) + wm8994->hubs.dcs_readback_mode = 2; + break; + } ++ wm8994->hubs.micd_scthr = true; + break; + + case WM8958: + wm8994->hubs.dcs_readback_mode = 1; + wm8994->hubs.hp_startup_mode = 1; ++ wm8994->hubs.micd_scthr = true; + + switch (control->revision) { + case 0: +diff --git a/sound/soc/codecs/wm_hubs.c b/sound/soc/codecs/wm_hubs.c +index e93af7edd8f75..dd421e2fe7b21 100644 +--- a/sound/soc/codecs/wm_hubs.c ++++ b/sound/soc/codecs/wm_hubs.c +@@ -1223,6 +1223,9 @@ int wm_hubs_handle_analogue_pdata(struct snd_soc_component *component, + snd_soc_component_update_bits(component, WM8993_ADDITIONAL_CONTROL, + WM8993_LINEOUT2_FB, WM8993_LINEOUT2_FB); + ++ if (!hubs->micd_scthr) ++ return 0; ++ + snd_soc_component_update_bits(component, WM8993_MICBIAS, + WM8993_JD_SCTHR_MASK | WM8993_JD_THR_MASK | + WM8993_MICB1_LVL | WM8993_MICB2_LVL, +diff --git a/sound/soc/codecs/wm_hubs.h b/sound/soc/codecs/wm_hubs.h +index 4b8e5f0d6e32d..988b29e630607 100644 +--- a/sound/soc/codecs/wm_hubs.h ++++ b/sound/soc/codecs/wm_hubs.h +@@ -27,6 +27,7 @@ struct wm_hubs_data { + int hp_startup_mode; + int series_startup; + int no_series_update; ++ bool micd_scthr; + + bool no_cache_dac_hp_direct; + struct list_head dcs_cache; +diff --git a/sound/soc/img/img-i2s-out.c b/sound/soc/img/img-i2s-out.c +index 4b18534096336..9c4212f2f7269 100644 +--- a/sound/soc/img/img-i2s-out.c ++++ b/sound/soc/img/img-i2s-out.c +@@ -347,8 +347,10 @@ static int img_i2s_out_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + chan_control_mask = IMG_I2S_OUT_CHAN_CTL_CLKT_MASK; + + ret = pm_runtime_get_sync(i2s->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(i2s->dev); + return ret; ++ } + + img_i2s_out_disable(i2s); + +@@ -488,8 +490,10 @@ static int img_i2s_out_probe(struct platform_device *pdev) + goto err_pm_disable; + } + ret = pm_runtime_get_sync(&pdev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put_noidle(&pdev->dev); + goto err_suspend; ++ } + + reg = IMG_I2S_OUT_CTL_FRM_SIZE_MASK; + img_i2s_out_writel(i2s, reg, IMG_I2S_OUT_CTL); +diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c +index f7964d1ec486f..6012367f6fe48 100644 +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -591,6 +591,16 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = { + BYT_RT5640_SSP0_AIF1 | + BYT_RT5640_MCLK_EN), + }, ++ { /* MPMAN Converter 9, similar hw as the I.T.Works TW891 2-in-1 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MPMAN"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Converter9"), ++ }, ++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS | ++ BYT_RT5640_MONO_SPEAKER | ++ BYT_RT5640_SSP0_AIF1 | ++ BYT_RT5640_MCLK_EN), ++ }, + { + /* MPMAN MPWIN895CL */ + .matches = { +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index 6f69f314f2c2a..d2d5c25bf5502 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -132,7 +132,7 @@ static int kirkwood_dma_open(struct snd_pcm_substream *substream) + err = request_irq(priv->irq, kirkwood_dma_irq, IRQF_SHARED, + "kirkwood-i2s", priv); + if (err) +- return -EBUSY; ++ return err; + + /* + * Enable Error interrupts. We're only ack'ing them but +diff --git a/sound/soc/sof/ipc.c b/sound/soc/sof/ipc.c +index e7b1a80e2a14c..f38f651da2246 100644 +--- a/sound/soc/sof/ipc.c ++++ b/sound/soc/sof/ipc.c +@@ -215,15 +215,17 @@ static int tx_wait_done(struct snd_sof_ipc *ipc, struct snd_sof_ipc_msg *msg, + snd_sof_trace_notify_for_error(ipc->sdev); + ret = -ETIMEDOUT; + } else { +- /* copy the data returned from DSP */ + ret = msg->reply_error; +- if (msg->reply_size) +- memcpy(reply_data, msg->reply_data, msg->reply_size); +- if (ret < 0) ++ if (ret < 0) { + dev_err(sdev->dev, "error: ipc error for 0x%x size %zu\n", + hdr->cmd, msg->reply_size); +- else ++ } else { + ipc_log_header(sdev->dev, "ipc tx succeeded", hdr->cmd); ++ if (msg->reply_size) ++ /* copy the data returned from DSP */ ++ memcpy(reply_data, msg->reply_data, ++ msg->reply_size); ++ } + } + + return ret; +diff --git a/sound/usb/midi.c b/sound/usb/midi.c +index 0cb4142b05f64..bc9068b616bb9 100644 +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1827,6 +1827,28 @@ static int snd_usbmidi_create_endpoints(struct snd_usb_midi *umidi, + return 0; + } + ++static struct usb_ms_endpoint_descriptor *find_usb_ms_endpoint_descriptor( ++ struct usb_host_endpoint *hostep) ++{ ++ unsigned char *extra = hostep->extra; ++ int extralen = hostep->extralen; ++ ++ while (extralen > 3) { ++ struct usb_ms_endpoint_descriptor *ms_ep = ++ (struct usb_ms_endpoint_descriptor *)extra; ++ ++ if (ms_ep->bLength > 3 && ++ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT && ++ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL) ++ return ms_ep; ++ if (!extra[0]) ++ break; ++ extralen -= extra[0]; ++ extra += extra[0]; ++ } ++ return NULL; ++} ++ + /* + * Returns MIDIStreaming device capabilities. + */ +@@ -1864,11 +1886,8 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi, + ep = get_ep_desc(hostep); + if (!usb_endpoint_xfer_bulk(ep) && !usb_endpoint_xfer_int(ep)) + continue; +- ms_ep = (struct usb_ms_endpoint_descriptor *)hostep->extra; +- if (hostep->extralen < 4 || +- ms_ep->bLength < 4 || +- ms_ep->bDescriptorType != USB_DT_CS_ENDPOINT || +- ms_ep->bDescriptorSubtype != UAC_MS_GENERAL) ++ ms_ep = find_usb_ms_endpoint_descriptor(hostep); ++ if (!ms_ep) + continue; + if (usb_endpoint_dir_out(ep)) { + if (endpoints[epidx].out_ep) { +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 9079c380228fc..8aa96ed0b1b56 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1684,6 +1684,16 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer, + /* get min/max values */ + get_min_max_with_quirks(cval, 0, kctl); + ++ /* skip a bogus volume range */ ++ if (cval->max <= cval->min) { ++ usb_audio_dbg(mixer->chip, ++ "[%d] FU [%s] skipped due to invalid volume\n", ++ cval->head.id, kctl->id.name); ++ snd_ctl_free_one(kctl); ++ return; ++ } ++ ++ + if (control == UAC_FU_VOLUME) { + check_mapped_dB(map, cval); + if (cval->dBmin < cval->dBmax || !cval->initialized) { +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index a756f50d9f078..cc75d9749e9fa 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1604,12 +1604,13 @@ void snd_usb_ctl_msg_quirk(struct usb_device *dev, unsigned int pipe, + && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) + msleep(20); + +- /* Zoom R16/24, Logitech H650e, Jabra 550a, Kingston HyperX needs a tiny +- * delay here, otherwise requests like get/set frequency return as +- * failed despite actually succeeding. ++ /* Zoom R16/24, Logitech H650e/H570e, Jabra 550a, Kingston HyperX ++ * needs a tiny delay here, otherwise requests like get/set ++ * frequency return as failed despite actually succeeding. + */ + if ((chip->usb_id == USB_ID(0x1686, 0x00dd) || + chip->usb_id == USB_ID(0x046d, 0x0a46) || ++ chip->usb_id == USB_ID(0x046d, 0x0a56) || + chip->usb_id == USB_ID(0x0b0e, 0x0349) || + chip->usb_id == USB_ID(0x0951, 0x16ad)) && + (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) +diff --git a/tools/gpio/gpio-hammer.c b/tools/gpio/gpio-hammer.c +index 0e0060a6eb346..083399d276e4e 100644 +--- a/tools/gpio/gpio-hammer.c ++++ b/tools/gpio/gpio-hammer.c +@@ -135,7 +135,14 @@ int main(int argc, char **argv) + device_name = optarg; + break; + case 'o': +- lines[i] = strtoul(optarg, NULL, 10); ++ /* ++ * Avoid overflow. Do not immediately error, we want to ++ * be able to accurately report on the amount of times ++ * '-o' was given to give an accurate error message ++ */ ++ if (i < GPIOHANDLES_MAX) ++ lines[i] = strtoul(optarg, NULL, 10); ++ + i++; + break; + case '?': +@@ -143,6 +150,14 @@ int main(int argc, char **argv) + return -1; + } + } ++ ++ if (i >= GPIOHANDLES_MAX) { ++ fprintf(stderr, ++ "Only %d occurences of '-o' are allowed, %d were found\n", ++ GPIOHANDLES_MAX, i + 1); ++ return -1; ++ } ++ + nlines = i; + + if (!device_name || !nlines) { +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index 48b234d8f251e..1b7e748170e54 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -556,7 +556,7 @@ static int add_jump_destinations(struct objtool_file *file) + insn->type != INSN_JUMP_UNCONDITIONAL) + continue; + +- if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET) ++ if (insn->offset == FAKE_JUMP_OFFSET) + continue; + + rela = find_rela_by_dest_range(insn->sec, insn->offset, +diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c +index 468fc49420ce1..ac2feddc75fdd 100644 +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -351,7 +351,7 @@ static void process_interval(void) + } + + init_stats(&walltime_nsecs_stats); +- update_stats(&walltime_nsecs_stats, stat_config.interval * 1000000); ++ update_stats(&walltime_nsecs_stats, stat_config.interval * 1000000ULL); + print_counters(&rs, 0, NULL); + } + +diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c +index d36ae65ae3330..f4a0d72246cb7 100644 +--- a/tools/perf/pmu-events/jevents.c ++++ b/tools/perf/pmu-events/jevents.c +@@ -1068,10 +1068,9 @@ static int process_one_file(const char *fpath, const struct stat *sb, + */ + int main(int argc, char *argv[]) + { +- int rc; ++ int rc, ret = 0; + int maxfds; + char ldirname[PATH_MAX]; +- + const char *arch; + const char *output_file; + const char *start_dirname; +@@ -1142,7 +1141,8 @@ int main(int argc, char *argv[]) + /* Make build fail */ + fclose(eventsfp); + free_arch_std_events(); +- return 1; ++ ret = 1; ++ goto out_free_mapfile; + } else if (rc) { + goto empty_map; + } +@@ -1160,14 +1160,17 @@ int main(int argc, char *argv[]) + /* Make build fail */ + fclose(eventsfp); + free_arch_std_events(); +- return 1; ++ ret = 1; + } + +- return 0; ++ ++ goto out_free_mapfile; + + empty_map: + fclose(eventsfp); + create_empty_mapping(output_file); + free_arch_std_events(); +- return 0; ++out_free_mapfile: ++ free(mapfile); ++ return ret; + } +diff --git a/tools/perf/tests/shell/lib/probe_vfs_getname.sh b/tools/perf/tests/shell/lib/probe_vfs_getname.sh +index 7cb99b433888b..c2cc42daf9242 100644 +--- a/tools/perf/tests/shell/lib/probe_vfs_getname.sh ++++ b/tools/perf/tests/shell/lib/probe_vfs_getname.sh +@@ -14,7 +14,7 @@ add_probe_vfs_getname() { + if [ $had_vfs_getname -eq 1 ] ; then + line=$(perf probe -L getname_flags 2>&1 | egrep 'result.*=.*filename;' | sed -r 's/[[:space:]]+([[:digit:]]+)[[:space:]]+result->uptr.*/\1/') + perf probe -q "vfs_getname=getname_flags:${line} pathname=result->name:string" || \ +- perf probe $verbose "vfs_getname=getname_flags:${line} pathname=filename:string" ++ perf probe $verbose "vfs_getname=getname_flags:${line} pathname=filename:ustring" + fi + } + +diff --git a/tools/perf/tests/shell/record+zstd_comp_decomp.sh b/tools/perf/tests/shell/record+zstd_comp_decomp.sh +index 63a91ec473bb5..045723b3d9928 100755 +--- a/tools/perf/tests/shell/record+zstd_comp_decomp.sh ++++ b/tools/perf/tests/shell/record+zstd_comp_decomp.sh +@@ -12,7 +12,8 @@ skip_if_no_z_record() { + + collect_z_record() { + echo "Collecting compressed record file:" +- $perf_tool record -o $trace_file -g -z -F 5000 -- \ ++ [[ "$(uname -m)" != s390x ]] && gflag='-g' ++ $perf_tool record -o $trace_file $gflag -z -F 5000 -- \ + dd count=500 if=/dev/urandom of=/dev/null + } + +diff --git a/tools/perf/trace/beauty/arch_errno_names.sh b/tools/perf/trace/beauty/arch_errno_names.sh +index 22c9fc900c847..f8c44a85650be 100755 +--- a/tools/perf/trace/beauty/arch_errno_names.sh ++++ b/tools/perf/trace/beauty/arch_errno_names.sh +@@ -91,7 +91,7 @@ EoHEADER + # in tools/perf/arch + archlist="" + for arch in $(find $toolsdir/arch -maxdepth 1 -mindepth 1 -type d -printf "%f\n" | grep -v x86 | sort); do +- test -d arch/$arch && archlist="$archlist $arch" ++ test -d $toolsdir/perf/arch/$arch && archlist="$archlist $arch" + done + + for arch in x86 $archlist generic; do +diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c +index a22c1114e880d..324ec0456c83f 100644 +--- a/tools/perf/util/cpumap.c ++++ b/tools/perf/util/cpumap.c +@@ -299,7 +299,7 @@ static void set_max_cpu_num(void) + + /* get the highest possible cpu number for a sparse allocation */ + ret = snprintf(path, PATH_MAX, "%s/devices/system/cpu/possible", mnt); +- if (ret == PATH_MAX) { ++ if (ret >= PATH_MAX) { + pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX); + goto out; + } +@@ -310,7 +310,7 @@ static void set_max_cpu_num(void) + + /* get the highest present cpu number for a sparse allocation */ + ret = snprintf(path, PATH_MAX, "%s/devices/system/cpu/present", mnt); +- if (ret == PATH_MAX) { ++ if (ret >= PATH_MAX) { + pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX); + goto out; + } +@@ -338,7 +338,7 @@ static void set_max_node_num(void) + + /* get the highest possible cpu number for a sparse allocation */ + ret = snprintf(path, PATH_MAX, "%s/devices/system/node/possible", mnt); +- if (ret == PATH_MAX) { ++ if (ret >= PATH_MAX) { + pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX); + goto out; + } +@@ -423,7 +423,7 @@ int cpu__setup_cpunode_map(void) + return 0; + + n = snprintf(path, PATH_MAX, "%s/devices/system/node", mnt); +- if (n == PATH_MAX) { ++ if (n >= PATH_MAX) { + pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX); + return -1; + } +@@ -438,7 +438,7 @@ int cpu__setup_cpunode_map(void) + continue; + + n = snprintf(buf, PATH_MAX, "%s/%s", path, dent1->d_name); +- if (n == PATH_MAX) { ++ if (n >= PATH_MAX) { + pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX); + continue; + } +diff --git a/tools/perf/util/cs-etm.c b/tools/perf/util/cs-etm.c +index f5f855fff412e..451eee24165ee 100644 +--- a/tools/perf/util/cs-etm.c ++++ b/tools/perf/util/cs-etm.c +@@ -363,6 +363,23 @@ struct cs_etm_packet_queue + return NULL; + } + ++static void cs_etm__packet_swap(struct cs_etm_auxtrace *etm, ++ struct cs_etm_traceid_queue *tidq) ++{ ++ struct cs_etm_packet *tmp; ++ ++ if (etm->sample_branches || etm->synth_opts.last_branch || ++ etm->sample_instructions) { ++ /* ++ * Swap PACKET with PREV_PACKET: PACKET becomes PREV_PACKET for ++ * the next incoming packet. ++ */ ++ tmp = tidq->packet; ++ tidq->packet = tidq->prev_packet; ++ tidq->prev_packet = tmp; ++ } ++} ++ + static void cs_etm__packet_dump(const char *pkt_string) + { + const char *color = PERF_COLOR_BLUE; +@@ -1340,12 +1357,14 @@ static int cs_etm__sample(struct cs_etm_queue *etmq, + struct cs_etm_traceid_queue *tidq) + { + struct cs_etm_auxtrace *etm = etmq->etm; +- struct cs_etm_packet *tmp; + int ret; + u8 trace_chan_id = tidq->trace_chan_id; +- u64 instrs_executed = tidq->packet->instr_count; ++ u64 instrs_prev; ++ ++ /* Get instructions remainder from previous packet */ ++ instrs_prev = tidq->period_instructions; + +- tidq->period_instructions += instrs_executed; ++ tidq->period_instructions += tidq->packet->instr_count; + + /* + * Record a branch when the last instruction in +@@ -1363,26 +1382,76 @@ static int cs_etm__sample(struct cs_etm_queue *etmq, + * TODO: allow period to be defined in cycles and clock time + */ + +- /* Get number of instructions executed after the sample point */ +- u64 instrs_over = tidq->period_instructions - +- etm->instructions_sample_period; ++ /* ++ * Below diagram demonstrates the instruction samples ++ * generation flows: ++ * ++ * Instrs Instrs Instrs Instrs ++ * Sample(n) Sample(n+1) Sample(n+2) Sample(n+3) ++ * | | | | ++ * V V V V ++ * -------------------------------------------------- ++ * ^ ^ ++ * | | ++ * Period Period ++ * instructions(Pi) instructions(Pi') ++ * ++ * | | ++ * \---------------- -----------------/ ++ * V ++ * tidq->packet->instr_count ++ * ++ * Instrs Sample(n...) are the synthesised samples occurring ++ * every etm->instructions_sample_period instructions - as ++ * defined on the perf command line. Sample(n) is being the ++ * last sample before the current etm packet, n+1 to n+3 ++ * samples are generated from the current etm packet. ++ * ++ * tidq->packet->instr_count represents the number of ++ * instructions in the current etm packet. ++ * ++ * Period instructions (Pi) contains the the number of ++ * instructions executed after the sample point(n) from the ++ * previous etm packet. This will always be less than ++ * etm->instructions_sample_period. ++ * ++ * When generate new samples, it combines with two parts ++ * instructions, one is the tail of the old packet and another ++ * is the head of the new coming packet, to generate ++ * sample(n+1); sample(n+2) and sample(n+3) consume the ++ * instructions with sample period. After sample(n+3), the rest ++ * instructions will be used by later packet and it is assigned ++ * to tidq->period_instructions for next round calculation. ++ */ + + /* +- * Calculate the address of the sampled instruction (-1 as +- * sample is reported as though instruction has just been +- * executed, but PC has not advanced to next instruction) ++ * Get the initial offset into the current packet instructions; ++ * entry conditions ensure that instrs_prev is less than ++ * etm->instructions_sample_period. + */ +- u64 offset = (instrs_executed - instrs_over - 1); +- u64 addr = cs_etm__instr_addr(etmq, trace_chan_id, +- tidq->packet, offset); ++ u64 offset = etm->instructions_sample_period - instrs_prev; ++ u64 addr; + +- ret = cs_etm__synth_instruction_sample( +- etmq, tidq, addr, etm->instructions_sample_period); +- if (ret) +- return ret; ++ while (tidq->period_instructions >= ++ etm->instructions_sample_period) { ++ /* ++ * Calculate the address of the sampled instruction (-1 ++ * as sample is reported as though instruction has just ++ * been executed, but PC has not advanced to next ++ * instruction) ++ */ ++ addr = cs_etm__instr_addr(etmq, trace_chan_id, ++ tidq->packet, offset - 1); ++ ret = cs_etm__synth_instruction_sample( ++ etmq, tidq, addr, ++ etm->instructions_sample_period); ++ if (ret) ++ return ret; + +- /* Carry remaining instructions into next sample period */ +- tidq->period_instructions = instrs_over; ++ offset += etm->instructions_sample_period; ++ tidq->period_instructions -= ++ etm->instructions_sample_period; ++ } + } + + if (etm->sample_branches) { +@@ -1404,15 +1473,7 @@ static int cs_etm__sample(struct cs_etm_queue *etmq, + } + } + +- if (etm->sample_branches || etm->synth_opts.last_branch) { +- /* +- * Swap PACKET with PREV_PACKET: PACKET becomes PREV_PACKET for +- * the next incoming packet. +- */ +- tmp = tidq->packet; +- tidq->packet = tidq->prev_packet; +- tidq->prev_packet = tmp; +- } ++ cs_etm__packet_swap(etm, tidq); + + return 0; + } +@@ -1441,7 +1502,6 @@ static int cs_etm__flush(struct cs_etm_queue *etmq, + { + int err = 0; + struct cs_etm_auxtrace *etm = etmq->etm; +- struct cs_etm_packet *tmp; + + /* Handle start tracing packet */ + if (tidq->prev_packet->sample_type == CS_ETM_EMPTY) +@@ -1476,15 +1536,7 @@ static int cs_etm__flush(struct cs_etm_queue *etmq, + } + + swap_packet: +- if (etm->sample_branches || etm->synth_opts.last_branch) { +- /* +- * Swap PACKET with PREV_PACKET: PACKET becomes PREV_PACKET for +- * the next incoming packet. +- */ +- tmp = tidq->packet; +- tidq->packet = tidq->prev_packet; +- tidq->prev_packet = tmp; +- } ++ cs_etm__packet_swap(etm, tidq); + + return err; + } +diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c +index a844715a352d8..9dd9e3f4ef591 100644 +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -1254,6 +1254,9 @@ void perf_evsel__exit(struct evsel *evsel) + perf_thread_map__put(evsel->core.threads); + zfree(&evsel->group_name); + zfree(&evsel->name); ++ zfree(&evsel->pmu_name); ++ zfree(&evsel->per_pkg_mask); ++ zfree(&evsel->metric_events); + perf_evsel__object.fini(evsel); + } + +@@ -2357,6 +2360,10 @@ bool perf_evsel__fallback(struct evsel *evsel, int err, + char *new_name; + const char *sep = ":"; + ++ /* If event has exclude user then don't exclude kernel. */ ++ if (evsel->core.attr.exclude_user) ++ return false; ++ + /* Is there already the separator in the name. */ + if (strchr(name, '/') || + strchr(name, ':')) +diff --git a/tools/perf/util/mem2node.c b/tools/perf/util/mem2node.c +index 797d86a1ab095..c84f5841c7abd 100644 +--- a/tools/perf/util/mem2node.c ++++ b/tools/perf/util/mem2node.c +@@ -1,5 +1,6 @@ + #include <errno.h> + #include <inttypes.h> ++#include <asm/bug.h> + #include <linux/bitmap.h> + #include <linux/kernel.h> + #include <linux/zalloc.h> +@@ -95,7 +96,7 @@ int mem2node__init(struct mem2node *map, struct perf_env *env) + + /* Cut unused entries, due to merging. */ + tmp_entries = realloc(entries, sizeof(*entries) * j); +- if (tmp_entries) ++ if (tmp_entries || WARN_ON_ONCE(j == 0)) + entries = tmp_entries; + + for (i = 0; i < j; i++) { +diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c +index 940a6e7a68549..7753c3091478a 100644 +--- a/tools/perf/util/metricgroup.c ++++ b/tools/perf/util/metricgroup.c +@@ -174,6 +174,7 @@ static int metricgroup__setup_events(struct list_head *groups, + if (!evsel) { + pr_debug("Cannot resolve %s: %s\n", + eg->metric_name, eg->metric_expr); ++ free(metric_events); + continue; + } + for (i = 0; i < eg->idnum; i++) +@@ -181,11 +182,13 @@ static int metricgroup__setup_events(struct list_head *groups, + me = metricgroup__lookup(metric_events_list, evsel, true); + if (!me) { + ret = -ENOMEM; ++ free(metric_events); + break; + } + expr = malloc(sizeof(struct metric_expr)); + if (!expr) { + ret = -ENOMEM; ++ free(metric_events); + break; + } + expr->metric_expr = eg->metric_expr; +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index 759a99f723fc3..2d651c93b476f 100644 +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -1344,7 +1344,7 @@ int parse_events_add_pmu(struct parse_events_state *parse_state, + evsel = __add_event(list, &parse_state->idx, &attr, NULL, pmu, NULL, + auto_merge_stats, NULL); + if (evsel) { +- evsel->pmu_name = name; ++ evsel->pmu_name = name ? strdup(name) : NULL; + evsel->use_uncore_alias = use_uncore_alias; + return 0; + } else { +@@ -1385,7 +1385,7 @@ int parse_events_add_pmu(struct parse_events_state *parse_state, + evsel->snapshot = info.snapshot; + evsel->metric_expr = info.metric_expr; + evsel->metric_name = info.metric_name; +- evsel->pmu_name = name; ++ evsel->pmu_name = name ? strdup(name) : NULL; + evsel->use_uncore_alias = use_uncore_alias; + evsel->percore = config_term_percore(&evsel->config_terms); + } +@@ -1505,12 +1505,11 @@ parse_events__set_leader_for_uncore_aliase(char *name, struct list_head *list, + * event. That can be used to distinguish the leader from + * other members, even they have the same event name. + */ +- if ((leader != evsel) && (leader->pmu_name == evsel->pmu_name)) { ++ if ((leader != evsel) && ++ !strcmp(leader->pmu_name, evsel->pmu_name)) { + is_leader = false; + continue; + } +- /* The name is always alias name */ +- WARN_ON(strcmp(leader->name, evsel->name)); + + /* Store the leader event for each PMU */ + leaders[nr_pmu++] = (uintptr_t) evsel; +diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c +index 43d1d410854a3..4027906fd3e38 100644 +--- a/tools/perf/util/sort.c ++++ b/tools/perf/util/sort.c +@@ -2788,7 +2788,7 @@ static char *prefix_if_not_in(const char *pre, char *str) + return str; + + if (asprintf(&n, "%s,%s", pre, str) < 0) +- return NULL; ++ n = NULL; + + free(str); + return n; +diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c +index 66f4be1df573e..2ec0a32da5793 100644 +--- a/tools/perf/util/symbol-elf.c ++++ b/tools/perf/util/symbol-elf.c +@@ -1449,6 +1449,7 @@ struct kcore_copy_info { + u64 first_symbol; + u64 last_symbol; + u64 first_module; ++ u64 first_module_symbol; + u64 last_module_symbol; + size_t phnum; + struct list_head phdrs; +@@ -1525,6 +1526,8 @@ static int kcore_copy__process_kallsyms(void *arg, const char *name, char type, + return 0; + + if (strchr(name, '[')) { ++ if (!kci->first_module_symbol || start < kci->first_module_symbol) ++ kci->first_module_symbol = start; + if (start > kci->last_module_symbol) + kci->last_module_symbol = start; + return 0; +@@ -1722,6 +1725,10 @@ static int kcore_copy__calc_maps(struct kcore_copy_info *kci, const char *dir, + kci->etext += page_size; + } + ++ if (kci->first_module_symbol && ++ (!kci->first_module || kci->first_module_symbol < kci->first_module)) ++ kci->first_module = kci->first_module_symbol; ++ + kci->first_module = round_down(kci->first_module, page_size); + + if (kci->last_module_symbol) { +diff --git a/tools/power/x86/intel_pstate_tracer/intel_pstate_tracer.py b/tools/power/x86/intel_pstate_tracer/intel_pstate_tracer.py +index 2d6d342b148f1..1351975d07699 100755 +--- a/tools/power/x86/intel_pstate_tracer/intel_pstate_tracer.py ++++ b/tools/power/x86/intel_pstate_tracer/intel_pstate_tracer.py +@@ -11,11 +11,11 @@ then this utility enables and collects trace data for a user specified interval + and generates performance plots. + + Prerequisites: +- Python version 2.7.x ++ Python version 2.7.x or higher + gnuplot 5.0 or higher +- gnuplot-py 1.8 ++ gnuplot-py 1.8 or higher + (Most of the distributions have these required packages. They may be called +- gnuplot-py, phython-gnuplot. ) ++ gnuplot-py, phython-gnuplot or phython3-gnuplot, gnuplot-nox, ... ) + + HWP (Hardware P-States are disabled) + Kernel config for Linux trace is enabled +@@ -181,7 +181,7 @@ def plot_pstate_cpu_with_sample(): + g_plot('set xlabel "Samples"') + g_plot('set ylabel "P-State"') + g_plot('set title "{} : cpu pstate vs. sample : {:%F %H:%M}"'.format(testname, datetime.now())) +- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ') ++ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ') + plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_SAMPLE, C_TO) + g_plot('title_list = "{}"'.format(title_list)) + g_plot(plot_str) +@@ -198,7 +198,7 @@ def plot_pstate_cpu(): + # the following command is really cool, but doesn't work with the CPU masking option because it aborts on the first missing file. + # plot_str = 'plot for [i=0:*] file=sprintf("cpu%03d.csv",i) title_s=sprintf("cpu%03d",i) file using 16:7 pt 7 ps 1 title title_s' + # +- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ') ++ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ') + plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_TO) + g_plot('title_list = "{}"'.format(title_list)) + g_plot(plot_str) +@@ -212,7 +212,7 @@ def plot_load_cpu(): + g_plot('set ylabel "CPU load (percent)"') + g_plot('set title "{} : cpu loads : {:%F %H:%M}"'.format(testname, datetime.now())) + +- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ') ++ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ') + plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_LOAD) + g_plot('title_list = "{}"'.format(title_list)) + g_plot(plot_str) +@@ -226,7 +226,7 @@ def plot_frequency_cpu(): + g_plot('set ylabel "CPU Frequency (GHz)"') + g_plot('set title "{} : cpu frequencies : {:%F %H:%M}"'.format(testname, datetime.now())) + +- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ') ++ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ') + plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_FREQ) + g_plot('title_list = "{}"'.format(title_list)) + g_plot(plot_str) +@@ -241,7 +241,7 @@ def plot_duration_cpu(): + g_plot('set ylabel "Timer Duration (MilliSeconds)"') + g_plot('set title "{} : cpu durations : {:%F %H:%M}"'.format(testname, datetime.now())) + +- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ') ++ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ') + plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_DURATION) + g_plot('title_list = "{}"'.format(title_list)) + g_plot(plot_str) +@@ -255,7 +255,7 @@ def plot_scaled_cpu(): + g_plot('set ylabel "Scaled Busy (Unitless)"') + g_plot('set title "{} : cpu scaled busy : {:%F %H:%M}"'.format(testname, datetime.now())) + +- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ') ++ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ') + plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_SCALED) + g_plot('title_list = "{}"'.format(title_list)) + g_plot(plot_str) +@@ -269,7 +269,7 @@ def plot_boost_cpu(): + g_plot('set ylabel "CPU IO Boost (percent)"') + g_plot('set title "{} : cpu io boost : {:%F %H:%M}"'.format(testname, datetime.now())) + +- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ') ++ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ') + plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_BOOST) + g_plot('title_list = "{}"'.format(title_list)) + g_plot(plot_str) +@@ -283,7 +283,7 @@ def plot_ghz_cpu(): + g_plot('set ylabel "TSC Frequency (GHz)"') + g_plot('set title "{} : cpu TSC Frequencies (Sanity check calculation) : {:%F %H:%M}"'.format(testname, datetime.now())) + +- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ') ++ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ') + plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_GHZ) + g_plot('title_list = "{}"'.format(title_list)) + g_plot(plot_str) +diff --git a/tools/testing/selftests/bpf/progs/test_tcpbpf_kern.c b/tools/testing/selftests/bpf/progs/test_tcpbpf_kern.c +index 2e233613d1fc0..7fa4595d2b66b 100644 +--- a/tools/testing/selftests/bpf/progs/test_tcpbpf_kern.c ++++ b/tools/testing/selftests/bpf/progs/test_tcpbpf_kern.c +@@ -131,6 +131,7 @@ int bpf_testcb(struct bpf_sock_ops *skops) + g.bytes_received = skops->bytes_received; + g.bytes_acked = skops->bytes_acked; + } ++ g.num_close_events++; + bpf_map_update_elem(&global_map, &key, &g, + BPF_ANY); + } +diff --git a/tools/testing/selftests/bpf/test_tcpbpf.h b/tools/testing/selftests/bpf/test_tcpbpf.h +index 7bcfa62070056..6220b95cbd02c 100644 +--- a/tools/testing/selftests/bpf/test_tcpbpf.h ++++ b/tools/testing/selftests/bpf/test_tcpbpf.h +@@ -13,5 +13,6 @@ struct tcpbpf_globals { + __u64 bytes_received; + __u64 bytes_acked; + __u32 num_listen; ++ __u32 num_close_events; + }; + #endif +diff --git a/tools/testing/selftests/bpf/test_tcpbpf_user.c b/tools/testing/selftests/bpf/test_tcpbpf_user.c +index 716b4e3be5813..3ae127620463d 100644 +--- a/tools/testing/selftests/bpf/test_tcpbpf_user.c ++++ b/tools/testing/selftests/bpf/test_tcpbpf_user.c +@@ -16,6 +16,9 @@ + + #include "test_tcpbpf.h" + ++/* 3 comes from one listening socket + both ends of the connection */ ++#define EXPECTED_CLOSE_EVENTS 3 ++ + #define EXPECT_EQ(expected, actual, fmt) \ + do { \ + if ((expected) != (actual)) { \ +@@ -23,13 +26,14 @@ + " Actual: %" fmt "\n" \ + " Expected: %" fmt "\n", \ + (actual), (expected)); \ +- goto err; \ ++ ret--; \ + } \ + } while (0) + + int verify_result(const struct tcpbpf_globals *result) + { + __u32 expected_events; ++ int ret = 0; + + expected_events = ((1 << BPF_SOCK_OPS_TIMEOUT_INIT) | + (1 << BPF_SOCK_OPS_RWND_INIT) | +@@ -48,15 +52,15 @@ int verify_result(const struct tcpbpf_globals *result) + EXPECT_EQ(0x80, result->bad_cb_test_rv, PRIu32); + EXPECT_EQ(0, result->good_cb_test_rv, PRIu32); + EXPECT_EQ(1, result->num_listen, PRIu32); ++ EXPECT_EQ(EXPECTED_CLOSE_EVENTS, result->num_close_events, PRIu32); + +- return 0; +-err: +- return -1; ++ return ret; + } + + int verify_sockopt_result(int sock_map_fd) + { + __u32 key = 0; ++ int ret = 0; + int res; + int rv; + +@@ -69,9 +73,7 @@ int verify_sockopt_result(int sock_map_fd) + rv = bpf_map_lookup_elem(sock_map_fd, &key, &res); + EXPECT_EQ(0, rv, "d"); + EXPECT_EQ(1, res, "d"); +- return 0; +-err: +- return -1; ++ return ret; + } + + static int bpf_find_map(const char *test, struct bpf_object *obj, +@@ -96,6 +98,7 @@ int main(int argc, char **argv) + int error = EXIT_FAILURE; + struct bpf_object *obj; + int cg_fd = -1; ++ int retry = 10; + __u32 key = 0; + int rv; + +@@ -134,12 +137,20 @@ int main(int argc, char **argv) + if (sock_map_fd < 0) + goto err; + ++retry_lookup: + rv = bpf_map_lookup_elem(map_fd, &key, &g); + if (rv != 0) { + printf("FAILED: bpf_map_lookup_elem returns %d\n", rv); + goto err; + } + ++ if (g.num_close_events != EXPECTED_CLOSE_EVENTS && retry--) { ++ printf("Unexpected number of close events (%d), retrying!\n", ++ g.num_close_events); ++ usleep(100); ++ goto retry_lookup; ++ } ++ + if (verify_result(&g)) { + printf("FAILED: Wrong stats\n"); + goto err; +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +index 27a54a17da65d..f4e92afab14b2 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +@@ -30,7 +30,7 @@ ftrace_filter_check '*schedule*' '^.*schedule.*$' + ftrace_filter_check 'schedule*' '^schedule.*$' + + # filter by *mid*end +-ftrace_filter_check '*aw*lock' '.*aw.*lock$' ++ftrace_filter_check '*pin*lock' '.*pin.*lock$' + + # filter by start*mid* + ftrace_filter_check 'mutex*try*' '^mutex.*try.*' +diff --git a/tools/testing/selftests/ptrace/Makefile b/tools/testing/selftests/ptrace/Makefile +index c0b7f89f09300..2f1f532c39dbc 100644 +--- a/tools/testing/selftests/ptrace/Makefile ++++ b/tools/testing/selftests/ptrace/Makefile +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0-only +-CFLAGS += -iquote../../../../include/uapi -Wall ++CFLAGS += -std=c99 -pthread -iquote../../../../include/uapi -Wall + +-TEST_GEN_PROGS := get_syscall_info peeksiginfo ++TEST_GEN_PROGS := get_syscall_info peeksiginfo vmaccess + + include ../lib.mk +diff --git a/tools/testing/selftests/ptrace/vmaccess.c b/tools/testing/selftests/ptrace/vmaccess.c +new file mode 100644 +index 0000000000000..4db327b445862 +--- /dev/null ++++ b/tools/testing/selftests/ptrace/vmaccess.c +@@ -0,0 +1,86 @@ ++// SPDX-License-Identifier: GPL-2.0+ ++/* ++ * Copyright (c) 2020 Bernd Edlinger <bernd.edlinger@hotmail.de> ++ * All rights reserved. ++ * ++ * Check whether /proc/$pid/mem can be accessed without causing deadlocks ++ * when de_thread is blocked with ->cred_guard_mutex held. ++ */ ++ ++#include "../kselftest_harness.h" ++#include <stdio.h> ++#include <fcntl.h> ++#include <pthread.h> ++#include <signal.h> ++#include <unistd.h> ++#include <sys/ptrace.h> ++ ++static void *thread(void *arg) ++{ ++ ptrace(PTRACE_TRACEME, 0, 0L, 0L); ++ return NULL; ++} ++ ++TEST(vmaccess) ++{ ++ int f, pid = fork(); ++ char mm[64]; ++ ++ if (!pid) { ++ pthread_t pt; ++ ++ pthread_create(&pt, NULL, thread, NULL); ++ pthread_join(pt, NULL); ++ execlp("true", "true", NULL); ++ } ++ ++ sleep(1); ++ sprintf(mm, "/proc/%d/mem", pid); ++ f = open(mm, O_RDONLY); ++ ASSERT_GE(f, 0); ++ close(f); ++ f = kill(pid, SIGCONT); ++ ASSERT_EQ(f, 0); ++} ++ ++TEST(attach) ++{ ++ int s, k, pid = fork(); ++ ++ if (!pid) { ++ pthread_t pt; ++ ++ pthread_create(&pt, NULL, thread, NULL); ++ pthread_join(pt, NULL); ++ execlp("sleep", "sleep", "2", NULL); ++ } ++ ++ sleep(1); ++ k = ptrace(PTRACE_ATTACH, pid, 0L, 0L); ++ ASSERT_EQ(errno, EAGAIN); ++ ASSERT_EQ(k, -1); ++ k = waitpid(-1, &s, WNOHANG); ++ ASSERT_NE(k, -1); ++ ASSERT_NE(k, 0); ++ ASSERT_NE(k, pid); ++ ASSERT_EQ(WIFEXITED(s), 1); ++ ASSERT_EQ(WEXITSTATUS(s), 0); ++ sleep(1); ++ k = ptrace(PTRACE_ATTACH, pid, 0L, 0L); ++ ASSERT_EQ(k, 0); ++ k = waitpid(-1, &s, 0); ++ ASSERT_EQ(k, pid); ++ ASSERT_EQ(WIFSTOPPED(s), 1); ++ ASSERT_EQ(WSTOPSIG(s), SIGSTOP); ++ k = ptrace(PTRACE_DETACH, pid, 0L, 0L); ++ ASSERT_EQ(k, 0); ++ k = waitpid(-1, &s, 0); ++ ASSERT_EQ(k, pid); ++ ASSERT_EQ(WIFEXITED(s), 1); ++ ASSERT_EQ(WEXITSTATUS(s), 0); ++ k = waitpid(-1, NULL, 0); ++ ASSERT_EQ(k, -1); ++ ASSERT_EQ(errno, ECHILD); ++} ++ ++TEST_HARNESS_MAIN +diff --git a/tools/testing/selftests/x86/syscall_nt.c b/tools/testing/selftests/x86/syscall_nt.c +index 02309a1950413..a765f62ee7668 100644 +--- a/tools/testing/selftests/x86/syscall_nt.c ++++ b/tools/testing/selftests/x86/syscall_nt.c +@@ -59,6 +59,7 @@ static void do_it(unsigned long extraflags) + set_eflags(get_eflags() | extraflags); + syscall(SYS_getpid); + flags = get_eflags(); ++ set_eflags(X86_EFLAGS_IF | X86_EFLAGS_FIXED); + if ((flags & extraflags) == extraflags) { + printf("[OK]\tThe syscall worked and flags are still set\n"); + } else { +diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c +index f274fabb4301f..1e9ec878d56d8 100644 +--- a/virt/kvm/arm/mmio.c ++++ b/virt/kvm/arm/mmio.c +@@ -130,7 +130,7 @@ static int decode_hsr(struct kvm_vcpu *vcpu, bool *is_write, int *len) + bool sign_extend; + bool sixty_four; + +- if (kvm_vcpu_dabt_iss1tw(vcpu)) { ++ if (kvm_vcpu_abt_iss1tw(vcpu)) { + /* page table accesses IO mem: tell guest to fix its TTBR */ + kvm_inject_dabt(vcpu, kvm_vcpu_get_hfar(vcpu)); + return 1; +diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c +index 1e1c4f6a85c7d..8700402f3000d 100644 +--- a/virt/kvm/arm/mmu.c ++++ b/virt/kvm/arm/mmu.c +@@ -1690,7 +1690,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa, + unsigned long vma_pagesize, flags = 0; + + write_fault = kvm_is_write_fault(vcpu); +- exec_fault = kvm_vcpu_trap_is_iabt(vcpu); ++ exec_fault = kvm_vcpu_trap_is_exec_fault(vcpu); + VM_BUG_ON(write_fault && exec_fault); + + if (fault_status == FSC_PERM && !write_fault && !exec_fault) { +diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c +index 6f50c429196de..6899101538890 100644 +--- a/virt/kvm/arm/vgic/vgic-init.c ++++ b/virt/kvm/arm/vgic/vgic-init.c +@@ -177,6 +177,7 @@ static int kvm_vgic_dist_init(struct kvm *kvm, unsigned int nr_spis) + break; + default: + kfree(dist->spis); ++ dist->spis = NULL; + return -EINVAL; + } + } +@@ -357,6 +358,12 @@ void kvm_vgic_vcpu_destroy(struct kvm_vcpu *vcpu) + { + struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu; + ++ /* ++ * Retire all pending LPIs on this vcpu anyway as we're ++ * going to destroy it. ++ */ ++ vgic_flush_pending_lpis(vcpu); ++ + INIT_LIST_HEAD(&vgic_cpu->ap_list_head); + } + +@@ -368,10 +375,10 @@ static void __kvm_vgic_destroy(struct kvm *kvm) + + vgic_debug_destroy(kvm); + +- kvm_vgic_dist_destroy(kvm); +- + kvm_for_each_vcpu(i, vcpu, kvm) + kvm_vgic_vcpu_destroy(vcpu); ++ ++ kvm_vgic_dist_destroy(kvm); + } + + void kvm_vgic_destroy(struct kvm *kvm) +diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c +index f8ad7096555d7..35be0e2a46393 100644 +--- a/virt/kvm/arm/vgic/vgic-its.c ++++ b/virt/kvm/arm/vgic/vgic-its.c +@@ -96,14 +96,21 @@ out_unlock: + * We "cache" the configuration table entries in our struct vgic_irq's. + * However we only have those structs for mapped IRQs, so we read in + * the respective config data from memory here upon mapping the LPI. ++ * ++ * Should any of these fail, behave as if we couldn't create the LPI ++ * by dropping the refcount and returning the error. + */ + ret = update_lpi_config(kvm, irq, NULL, false); +- if (ret) ++ if (ret) { ++ vgic_put_irq(kvm, irq); + return ERR_PTR(ret); ++ } + + ret = vgic_v3_lpi_sync_pending_status(kvm, irq); +- if (ret) ++ if (ret) { ++ vgic_put_irq(kvm, irq); + return ERR_PTR(ret); ++ } + + return irq; + } +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 4eed7fd8db939..1dfa49d26de91 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -185,6 +185,7 @@ bool kvm_is_reserved_pfn(kvm_pfn_t pfn) + */ + if (pfn_valid(pfn)) + return PageReserved(pfn_to_page(pfn)) && ++ !is_zero_pfn(pfn) && + !kvm_is_zone_device_pfn(pfn); + + return true; |