commit: 6eb3f2503c38b3d4f8abcddfa32c03b74239973c Author: Arisu Tachibana <alicef <AT> gentoo <DOT> org> AuthorDate: Fri Jul 18 12:06:50 2025 +0000 Commit: Arisu Tachibana <alicef <AT> gentoo <DOT> org> CommitDate: Fri Jul 18 12:06:50 2025 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=6eb3f250
Linux patch 5.15.189 Signed-off-by: Arisu Tachibana <alicef <AT> gentoo.org> 0000_README | 4 + 1188_linux-5.15.189.patch | 3286 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 3290 insertions(+) diff --git a/0000_README b/0000_README index fa835cd8..eeeff59c 100644 --- a/0000_README +++ b/0000_README @@ -795,6 +795,10 @@ Patch: 1187_linux-5.15.188.patch From: https://www.kernel.org Desc: Linux 5.15.188 +Patch: 1188_linux-5.15.189.patch +From: https://www.kernel.org +Desc: Linux 5.15.189 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1188_linux-5.15.189.patch b/1188_linux-5.15.189.patch new file mode 100644 index 00000000..c045d056 --- /dev/null +++ b/1188_linux-5.15.189.patch @@ -0,0 +1,3286 @@ +diff --git a/Makefile b/Makefile +index 86a5048e981615..6bc80f4cfd7e34 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 5 + PATCHLEVEL = 15 +-SUBLEVEL = 188 ++SUBLEVEL = 189 + EXTRAVERSION = + NAME = Trick or Treat + +diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c +index c63ccf1ab4a20a..41fc93ce4d372b 100644 +--- a/arch/um/drivers/vector_kern.c ++++ b/arch/um/drivers/vector_kern.c +@@ -1603,35 +1603,19 @@ static void vector_eth_configure( + + device->dev = dev; + +- *vp = ((struct vector_private) +- { +- .list = LIST_HEAD_INIT(vp->list), +- .dev = dev, +- .unit = n, +- .options = get_transport_options(def), +- .rx_irq = 0, +- .tx_irq = 0, +- .parsed = def, +- .max_packet = get_mtu(def) + ETH_HEADER_OTHER, +- /* TODO - we need to calculate headroom so that ip header +- * is 16 byte aligned all the time +- */ +- .headroom = get_headroom(def), +- .form_header = NULL, +- .verify_header = NULL, +- .header_rxbuffer = NULL, +- .header_txbuffer = NULL, +- .header_size = 0, +- .rx_header_size = 0, +- .rexmit_scheduled = false, +- .opened = false, +- .transport_data = NULL, +- .in_write_poll = false, +- .coalesce = 2, +- .req_size = get_req_size(def), +- .in_error = false, +- .bpf = NULL +- }); ++ INIT_LIST_HEAD(&vp->list); ++ vp->dev = dev; ++ vp->unit = n; ++ vp->options = get_transport_options(def); ++ vp->parsed = def; ++ vp->max_packet = get_mtu(def) + ETH_HEADER_OTHER; ++ /* ++ * TODO - we need to calculate headroom so that ip header ++ * is 16 byte aligned all the time ++ */ ++ vp->headroom = get_headroom(def); ++ vp->coalesce = 2; ++ vp->req_size = get_req_size(def); + + dev->features = dev->hw_features = (NETIF_F_SG | NETIF_F_FRAGLIST); + tasklet_setup(&vp->tx_poll, vector_tx_poll); +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 4eca434fd80bef..3b9ba4b227d579 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -118,7 +118,7 @@ config X86 + select ARCH_WANT_DEFAULT_BPF_JIT if X86_64 + select ARCH_WANTS_DYNAMIC_TASK_STRUCT + select ARCH_WANTS_NO_INSTR +- select ARCH_WANT_HUGE_PMD_SHARE ++ select ARCH_WANT_HUGE_PMD_SHARE if X86_64 + select ARCH_WANT_LD_ORPHAN_WARN + select ARCH_WANTS_THP_SWAP if X86_64 + select ARCH_HAS_PARANOID_L1D_FLUSH +diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h +index 63b84540cfb356..b8d945d8d34ff3 100644 +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -418,8 +418,8 @@ + #define X86_FEATURE_SEV_ES (19*32+ 3) /* AMD Secure Encrypted Virtualization - Encrypted State */ + #define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */ + ++#define X86_FEATURE_VERW_CLEAR (20*32+ 5) /* "" The memory form of VERW mitigates TSA */ + #define X86_FEATURE_AUTOIBRS (20*32+ 8) /* "" Automatic IBRS */ +-#define X86_FEATURE_VERW_CLEAR (20*32+ 10) /* "" The memory form of VERW mitigates TSA */ + #define X86_FEATURE_SBPB (20*32+27) /* "" Selective Branch Prediction Barrier */ + #define X86_FEATURE_IBPB_BRTYPE (20*32+28) /* "" MSR_PRED_CMD[IBPB] flushes all branch type predictions */ + #define X86_FEATURE_SRSO_NO (20*32+29) /* "" CPU is not affected by SRSO */ +diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h +index 1a162e559753b5..c183b7f9efef29 100644 +--- a/arch/x86/include/asm/xen/page.h ++++ b/arch/x86/include/asm/xen/page.h +@@ -355,9 +355,6 @@ unsigned long arbitrary_virt_to_mfn(void *vaddr); + void make_lowmem_page_readonly(void *vaddr); + void make_lowmem_page_readwrite(void *vaddr); + +-#define xen_remap(cookie, size) ioremap((cookie), (size)) +-#define xen_unmap(cookie) iounmap((cookie)) +- + static inline bool xen_arch_need_swiotlb(struct device *dev, + phys_addr_t phys, + dma_addr_t dev_addr) +diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c +index d4e75be64a4c54..aa20b2c6881e95 100644 +--- a/arch/x86/kernel/cpu/mce/amd.c ++++ b/arch/x86/kernel/cpu/mce/amd.c +@@ -310,7 +310,6 @@ static void smca_configure(unsigned int bank, unsigned int cpu) + + struct thresh_restart { + struct threshold_block *b; +- int reset; + int set_lvt_off; + int lvt_off; + u16 old_limit; +@@ -405,13 +404,13 @@ static void threshold_restart_bank(void *_tr) + + rdmsr(tr->b->address, lo, hi); + +- if (tr->b->threshold_limit < (hi & THRESHOLD_MAX)) +- tr->reset = 1; /* limit cannot be lower than err count */ +- +- if (tr->reset) { /* reset err count and overflow bit */ +- hi = +- (hi & ~(MASK_ERR_COUNT_HI | MASK_OVERFLOW_HI)) | +- (THRESHOLD_MAX - tr->b->threshold_limit); ++ /* ++ * Reset error count and overflow bit. ++ * This is done during init or after handling an interrupt. ++ */ ++ if (hi & MASK_OVERFLOW_HI || tr->set_lvt_off) { ++ hi &= ~(MASK_ERR_COUNT_HI | MASK_OVERFLOW_HI); ++ hi |= THRESHOLD_MAX - tr->b->threshold_limit; + } else if (tr->old_limit) { /* change limit w/o reset */ + int new_count = (hi & THRESHOLD_MAX) + + (tr->old_limit - tr->b->threshold_limit); +diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c +index 30d822c2e5c0f0..e8a25b3c02722e 100644 +--- a/arch/x86/kernel/cpu/mce/core.c ++++ b/arch/x86/kernel/cpu/mce/core.c +@@ -2620,15 +2620,9 @@ static int mce_cpu_dead(unsigned int cpu) + static int mce_cpu_online(unsigned int cpu) + { + struct timer_list *t = this_cpu_ptr(&mce_timer); +- int ret; + + mce_device_create(cpu); +- +- ret = mce_threshold_create_device(cpu); +- if (ret) { +- mce_device_remove(cpu); +- return ret; +- } ++ mce_threshold_create_device(cpu); + mce_reenable_cpu(); + mce_start_timer(t); + return 0; +diff --git a/arch/x86/kernel/cpu/mce/intel.c b/arch/x86/kernel/cpu/mce/intel.c +index baafbb37be678d..deabe15fb59314 100644 +--- a/arch/x86/kernel/cpu/mce/intel.c ++++ b/arch/x86/kernel/cpu/mce/intel.c +@@ -542,6 +542,7 @@ void mce_intel_feature_init(struct cpuinfo_x86 *c) + void mce_intel_feature_clear(struct cpuinfo_x86 *c) + { + intel_clear_lmce(); ++ cmci_clear(); + } + + bool intel_filter_mce(struct mce *m) +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index b0a5d077db9054..8bb0f4d06adc01 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -250,23 +250,10 @@ static int acpi_battery_get_property(struct power_supply *psy, + break; + case POWER_SUPPLY_PROP_CURRENT_NOW: + case POWER_SUPPLY_PROP_POWER_NOW: +- if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { ++ if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) + ret = -ENODEV; +- break; +- } +- +- val->intval = battery->rate_now * 1000; +- /* +- * When discharging, the current should be reported as a +- * negative number as per the power supply class interface +- * definition. +- */ +- if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && +- (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && +- acpi_battery_handle_discharging(battery) +- == POWER_SUPPLY_STATUS_DISCHARGING) +- val->intval = -val->intval; +- ++ else ++ val->intval = battery->rate_now * 1000; + break; + case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: + case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c +index 7810f974b2ca99..d9ee20f0048feb 100644 +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, + + IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, + skb->len, DMA_TO_DEVICE); ++ if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) ++ return -ENOMEM; + + error = -EINVAL; + +@@ -1857,6 +1859,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, + paddr = dma_map_single(&card->pcidev->dev, skb->data, + skb_end_pointer(skb) - skb->data, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(&card->pcidev->dev, paddr)) ++ goto outpoolrm; + IDT77252_PRV_PADDR(skb) = paddr; + + if (push_rx_skb(card, skb, queue)) { +@@ -1871,6 +1875,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, + dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), + skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + ++outpoolrm: + handle = IDT77252_PRV_POOL(skb); + card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; + +diff --git a/drivers/block/aoe/aoeblk.c b/drivers/block/aoe/aoeblk.c +index 06b360f7123af5..4bbb540f26b941 100644 +--- a/drivers/block/aoe/aoeblk.c ++++ b/drivers/block/aoe/aoeblk.c +@@ -346,6 +346,7 @@ aoeblk_gdalloc(void *vp) + struct gendisk *gd; + mempool_t *mp; + struct blk_mq_tag_set *set; ++ sector_t ssize; + ulong flags; + int late = 0; + int err; +@@ -408,7 +409,7 @@ aoeblk_gdalloc(void *vp) + gd->minors = AOE_PARTITIONS; + gd->fops = &aoe_bdops; + gd->private_data = d; +- set_capacity(gd, d->ssize); ++ ssize = d->ssize; + snprintf(gd->disk_name, sizeof gd->disk_name, "etherd/e%ld.%d", + d->aoemajor, d->aoeminor); + +@@ -417,6 +418,8 @@ aoeblk_gdalloc(void *vp) + + spin_unlock_irqrestore(&d->lock, flags); + ++ set_capacity(gd, ssize); ++ + device_add_disk(NULL, gd, aoe_attr_groups); + aoedisk_add_debugfs(d); + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 1b04fd7c6b98a4..eca713f87614fb 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -2011,9 +2011,7 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) + goto out; + } + } +- ret = nbd_start_device(nbd); +- if (ret) +- goto out; ++ + if (info->attrs[NBD_ATTR_BACKEND_IDENTIFIER]) { + nbd->backend = nla_strdup(info->attrs[NBD_ATTR_BACKEND_IDENTIFIER], + GFP_KERNEL); +@@ -2029,6 +2027,8 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) + goto out; + } + set_bit(NBD_RT_HAS_BACKEND_FILE, &config->runtime_flags); ++ ++ ret = nbd_start_device(nbd); + out: + mutex_unlock(&nbd->config_lock); + if (!ret) { +diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c +index e744fd87c63c8b..cafaa54c3d9f1f 100644 +--- a/drivers/dma-buf/dma-resv.c ++++ b/drivers/dma-buf/dma-resv.c +@@ -313,6 +313,106 @@ void dma_resv_add_excl_fence(struct dma_resv *obj, struct dma_fence *fence) + } + EXPORT_SYMBOL(dma_resv_add_excl_fence); + ++/** ++ * dma_resv_iter_restart_unlocked - restart the unlocked iterator ++ * @cursor: The dma_resv_iter object to restart ++ * ++ * Restart the unlocked iteration by initializing the cursor object. ++ */ ++static void dma_resv_iter_restart_unlocked(struct dma_resv_iter *cursor) ++{ ++ cursor->seq = read_seqcount_begin(&cursor->obj->seq); ++ cursor->index = -1; ++ if (cursor->all_fences) ++ cursor->fences = dma_resv_shared_list(cursor->obj); ++ else ++ cursor->fences = NULL; ++ cursor->is_restarted = true; ++} ++ ++/** ++ * dma_resv_iter_walk_unlocked - walk over fences in a dma_resv obj ++ * @cursor: cursor to record the current position ++ * ++ * Return all the fences in the dma_resv object which are not yet signaled. ++ * The returned fence has an extra local reference so will stay alive. ++ * If a concurrent modify is detected the whole iteration is started over again. ++ */ ++static void dma_resv_iter_walk_unlocked(struct dma_resv_iter *cursor) ++{ ++ struct dma_resv *obj = cursor->obj; ++ ++ do { ++ /* Drop the reference from the previous round */ ++ dma_fence_put(cursor->fence); ++ ++ if (cursor->index == -1) { ++ cursor->fence = dma_resv_excl_fence(obj); ++ cursor->index++; ++ if (!cursor->fence) ++ continue; ++ ++ } else if (!cursor->fences || ++ cursor->index >= cursor->fences->shared_count) { ++ cursor->fence = NULL; ++ break; ++ ++ } else { ++ struct dma_resv_list *fences = cursor->fences; ++ unsigned int idx = cursor->index++; ++ ++ cursor->fence = rcu_dereference(fences->shared[idx]); ++ } ++ cursor->fence = dma_fence_get_rcu(cursor->fence); ++ if (!cursor->fence || !dma_fence_is_signaled(cursor->fence)) ++ break; ++ } while (true); ++} ++ ++/** ++ * dma_resv_iter_first_unlocked - first fence in an unlocked dma_resv obj. ++ * @cursor: the cursor with the current position ++ * ++ * Returns the first fence from an unlocked dma_resv obj. ++ */ ++struct dma_fence *dma_resv_iter_first_unlocked(struct dma_resv_iter *cursor) ++{ ++ rcu_read_lock(); ++ do { ++ dma_resv_iter_restart_unlocked(cursor); ++ dma_resv_iter_walk_unlocked(cursor); ++ } while (read_seqcount_retry(&cursor->obj->seq, cursor->seq)); ++ rcu_read_unlock(); ++ ++ return cursor->fence; ++} ++EXPORT_SYMBOL(dma_resv_iter_first_unlocked); ++ ++/** ++ * dma_resv_iter_next_unlocked - next fence in an unlocked dma_resv obj. ++ * @cursor: the cursor with the current position ++ * ++ * Returns the next fence from an unlocked dma_resv obj. ++ */ ++struct dma_fence *dma_resv_iter_next_unlocked(struct dma_resv_iter *cursor) ++{ ++ bool restart; ++ ++ rcu_read_lock(); ++ cursor->is_restarted = false; ++ restart = read_seqcount_retry(&cursor->obj->seq, cursor->seq); ++ do { ++ if (restart) ++ dma_resv_iter_restart_unlocked(cursor); ++ dma_resv_iter_walk_unlocked(cursor); ++ restart = true; ++ } while (read_seqcount_retry(&cursor->obj->seq, cursor->seq)); ++ rcu_read_unlock(); ++ ++ return cursor->fence; ++} ++EXPORT_SYMBOL(dma_resv_iter_next_unlocked); ++ + /** + * dma_resv_copy_fences - Copy all fences from src to dst. + * @dst: the destination reservation object +@@ -513,74 +613,23 @@ long dma_resv_wait_timeout(struct dma_resv *obj, bool wait_all, bool intr, + unsigned long timeout) + { + long ret = timeout ? timeout : 1; +- unsigned int seq, shared_count; ++ struct dma_resv_iter cursor; + struct dma_fence *fence; +- int i; +- +-retry: +- shared_count = 0; +- seq = read_seqcount_begin(&obj->seq); +- rcu_read_lock(); +- i = -1; +- +- fence = dma_resv_excl_fence(obj); +- if (fence && !test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) { +- if (!dma_fence_get_rcu(fence)) +- goto unlock_retry; +- +- if (dma_fence_is_signaled(fence)) { +- dma_fence_put(fence); +- fence = NULL; +- } +- +- } else { +- fence = NULL; +- } +- +- if (wait_all) { +- struct dma_resv_list *fobj = dma_resv_shared_list(obj); +- +- if (fobj) +- shared_count = fobj->shared_count; +- +- for (i = 0; !fence && i < shared_count; ++i) { +- struct dma_fence *lfence; +- +- lfence = rcu_dereference(fobj->shared[i]); +- if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, +- &lfence->flags)) +- continue; + +- if (!dma_fence_get_rcu(lfence)) +- goto unlock_retry; ++ dma_resv_iter_begin(&cursor, obj, wait_all); ++ dma_resv_for_each_fence_unlocked(&cursor, fence) { + +- if (dma_fence_is_signaled(lfence)) { +- dma_fence_put(lfence); +- continue; +- } +- +- fence = lfence; ++ ret = dma_fence_wait_timeout(fence, intr, timeout); ++ if (ret <= 0) + break; +- } +- } + +- rcu_read_unlock(); +- if (fence) { +- if (read_seqcount_retry(&obj->seq, seq)) { +- dma_fence_put(fence); +- goto retry; +- } +- +- ret = dma_fence_wait_timeout(fence, intr, ret); +- dma_fence_put(fence); +- if (ret > 0 && wait_all && (i + 1 < shared_count)) +- goto retry; ++ /* Even for zero timeout the return value is 1 */ ++ if (timeout) ++ timeout = ret; + } +- return ret; ++ dma_resv_iter_end(&cursor); + +-unlock_retry: +- rcu_read_unlock(); +- goto retry; ++ return ret; + } + EXPORT_SYMBOL_GPL(dma_resv_wait_timeout); + +diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c +index dbd19a34b517bd..4d5d5330e3045f 100644 +--- a/drivers/gpu/drm/drm_gem.c ++++ b/drivers/gpu/drm/drm_gem.c +@@ -234,6 +234,9 @@ drm_gem_object_release_handle(int id, void *ptr, void *data) + struct drm_file *file_priv = data; + struct drm_gem_object *obj = ptr; + ++ if (drm_WARN_ON(obj->dev, !data)) ++ return 0; ++ + if (obj->funcs->close) + obj->funcs->close(obj, file_priv); + +@@ -361,7 +364,7 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, + idr_preload(GFP_KERNEL); + spin_lock(&file_priv->table_lock); + +- ret = idr_alloc(&file_priv->object_idr, obj, 1, 0, GFP_NOWAIT); ++ ret = idr_alloc(&file_priv->object_idr, NULL, 1, 0, GFP_NOWAIT); + + spin_unlock(&file_priv->table_lock); + idr_preload_end(); +@@ -382,6 +385,11 @@ drm_gem_handle_create_tail(struct drm_file *file_priv, + goto err_revoke; + } + ++ /* mirrors drm_gem_handle_delete to avoid races */ ++ spin_lock(&file_priv->table_lock); ++ obj = idr_replace(&file_priv->object_idr, obj, handle); ++ WARN_ON(obj != NULL); ++ spin_unlock(&file_priv->table_lock); + *handlep = handle; + return 0; + +diff --git a/drivers/gpu/drm/exynos/exynos7_drm_decon.c b/drivers/gpu/drm/exynos/exynos7_drm_decon.c +index 12989a47eb66e4..d255c03aed2255 100644 +--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c +@@ -601,6 +601,10 @@ static irqreturn_t decon_irq_handler(int irq, void *dev_id) + if (!ctx->drm_dev) + goto out; + ++ /* check if crtc and vblank have been initialized properly */ ++ if (!drm_dev_has_vblank(ctx->drm_dev)) ++ goto out; ++ + if (!ctx->i80_if) { + drm_crtc_handle_vblank(&ctx->crtc->base); + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 08494eb652091f..bdad42f1e9f963 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -283,6 +283,8 @@ + #define USB_DEVICE_ID_ASUS_AK1D 0x1125 + #define USB_DEVICE_ID_CHICONY_TOSHIBA_WT10A 0x1408 + #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421 ++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824 ++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c + + #define USB_VENDOR_ID_CHUNGHWAT 0x2247 + #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001 +@@ -764,6 +766,7 @@ + #define USB_DEVICE_ID_LENOVO_TPPRODOCK 0x6067 + #define USB_DEVICE_ID_LENOVO_X1_COVER 0x6085 + #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3 ++#define USB_DEVICE_ID_LENOVO_X1_TAB2 0x60a4 + #define USB_DEVICE_ID_LENOVO_X1_TAB3 0x60b5 + #define USB_DEVICE_ID_LENOVO_X12_TAB 0x60fe + #define USB_DEVICE_ID_LENOVO_X12_TAB2 0x61ae +@@ -1400,4 +1403,7 @@ + #define USB_VENDOR_ID_SIGNOTEC 0x2133 + #define USB_DEVICE_ID_SIGNOTEC_VIEWSONIC_PD1011 0x0018 + ++#define USB_VENDOR_ID_SMARTLINKTECHNOLOGY 0x4c4a ++#define USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155 0x4155 ++ + #endif +diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c +index 9536f468b42c5c..d74f0ddb45fdba 100644 +--- a/drivers/hid/hid-lenovo.c ++++ b/drivers/hid/hid-lenovo.c +@@ -343,6 +343,7 @@ static int lenovo_input_mapping(struct hid_device *hdev, + return lenovo_input_mapping_tp10_ultrabook_kbd(hdev, hi, field, + usage, bit, max); + case USB_DEVICE_ID_LENOVO_X1_TAB: ++ case USB_DEVICE_ID_LENOVO_X1_TAB2: + case USB_DEVICE_ID_LENOVO_X1_TAB3: + return lenovo_input_mapping_x1_tab_kbd(hdev, hi, field, usage, bit, max); + default: +@@ -432,6 +433,7 @@ static ssize_t attr_fn_lock_store(struct device *dev, + break; + case USB_DEVICE_ID_LENOVO_TP10UBKBD: + case USB_DEVICE_ID_LENOVO_X1_TAB: ++ case USB_DEVICE_ID_LENOVO_X1_TAB2: + case USB_DEVICE_ID_LENOVO_X1_TAB3: + ret = lenovo_led_set_tp10ubkbd(hdev, TP10UBKBD_FN_LOCK_LED, value); + if (ret) +@@ -616,6 +618,7 @@ static int lenovo_event(struct hid_device *hdev, struct hid_field *field, + return lenovo_event_cptkbd(hdev, field, usage, value); + case USB_DEVICE_ID_LENOVO_TP10UBKBD: + case USB_DEVICE_ID_LENOVO_X1_TAB: ++ case USB_DEVICE_ID_LENOVO_X1_TAB2: + case USB_DEVICE_ID_LENOVO_X1_TAB3: + return lenovo_event_tp10ubkbd(hdev, field, usage, value); + default: +@@ -899,6 +902,7 @@ static int lenovo_led_brightness_set(struct led_classdev *led_cdev, + break; + case USB_DEVICE_ID_LENOVO_TP10UBKBD: + case USB_DEVICE_ID_LENOVO_X1_TAB: ++ case USB_DEVICE_ID_LENOVO_X1_TAB2: + case USB_DEVICE_ID_LENOVO_X1_TAB3: + ret = lenovo_led_set_tp10ubkbd(hdev, tp10ubkbd_led[led_nr], value); + break; +@@ -1140,6 +1144,7 @@ static int lenovo_probe(struct hid_device *hdev, + break; + case USB_DEVICE_ID_LENOVO_TP10UBKBD: + case USB_DEVICE_ID_LENOVO_X1_TAB: ++ case USB_DEVICE_ID_LENOVO_X1_TAB2: + case USB_DEVICE_ID_LENOVO_X1_TAB3: + ret = lenovo_probe_tp10ubkbd(hdev); + break; +@@ -1207,6 +1212,7 @@ static void lenovo_remove(struct hid_device *hdev) + break; + case USB_DEVICE_ID_LENOVO_TP10UBKBD: + case USB_DEVICE_ID_LENOVO_X1_TAB: ++ case USB_DEVICE_ID_LENOVO_X1_TAB2: + case USB_DEVICE_ID_LENOVO_X1_TAB3: + lenovo_remove_tp10ubkbd(hdev); + break; +@@ -1253,6 +1259,8 @@ static const struct hid_device_id lenovo_devices[] = { + */ + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB) }, ++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, ++ USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB2) }, + { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, + USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB3) }, + { } +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index bc9ba011ff607e..c12f7cb7e1d955 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -2108,12 +2108,18 @@ static const struct hid_device_id mt_devices[] = { + HID_DEVICE(BUS_I2C, HID_GROUP_GENERIC, + USB_VENDOR_ID_LG, I2C_DEVICE_ID_LG_7010) }, + +- /* Lenovo X1 TAB Gen 2 */ ++ /* Lenovo X1 TAB Gen 1 */ + { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, + HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8, + USB_VENDOR_ID_LENOVO, + USB_DEVICE_ID_LENOVO_X1_TAB) }, + ++ /* Lenovo X1 TAB Gen 2 */ ++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, ++ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8, ++ USB_VENDOR_ID_LENOVO, ++ USB_DEVICE_ID_LENOVO_X1_TAB2) }, ++ + /* Lenovo X1 TAB Gen 3 */ + { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT, + HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8, +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 126cadb117fef9..72b7aebcc771f0 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -727,6 +727,8 @@ static const struct hid_device_id hid_ignore_list[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_AVERMEDIA, USB_DEVICE_ID_AVER_FM_MR800) }, + { HID_USB_DEVICE(USB_VENDOR_ID_AXENTIA, USB_DEVICE_ID_AXENTIA_FM_RADIO) }, + { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) }, +@@ -874,6 +876,7 @@ static const struct hid_device_id hid_ignore_list[] = { + #endif + { HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) }, + { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_SMARTLINKTECHNOLOGY, USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155) }, + { } + }; + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 2236c62a198073..e2f3369342c48c 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -1680,6 +1680,33 @@ static void deallocate_uars(struct mlx5_ib_dev *dev, + mlx5_cmd_free_uar(dev->mdev, bfregi->sys_pages[i]); + } + ++static int mlx5_ib_enable_lb_mp(struct mlx5_core_dev *master, ++ struct mlx5_core_dev *slave) ++{ ++ int err; ++ ++ err = mlx5_nic_vport_update_local_lb(master, true); ++ if (err) ++ return err; ++ ++ err = mlx5_nic_vport_update_local_lb(slave, true); ++ if (err) ++ goto out; ++ ++ return 0; ++ ++out: ++ mlx5_nic_vport_update_local_lb(master, false); ++ return err; ++} ++ ++static void mlx5_ib_disable_lb_mp(struct mlx5_core_dev *master, ++ struct mlx5_core_dev *slave) ++{ ++ mlx5_nic_vport_update_local_lb(slave, false); ++ mlx5_nic_vport_update_local_lb(master, false); ++} ++ + int mlx5_ib_enable_lb(struct mlx5_ib_dev *dev, bool td, bool qp) + { + int err = 0; +@@ -3147,6 +3174,8 @@ static void mlx5_ib_unbind_slave_port(struct mlx5_ib_dev *ibdev, + + lockdep_assert_held(&mlx5_ib_multiport_mutex); + ++ mlx5_ib_disable_lb_mp(ibdev->mdev, mpi->mdev); ++ + mlx5_ib_cleanup_cong_debugfs(ibdev, port_num); + + spin_lock(&port->mp.mpi_lock); +@@ -3231,6 +3260,10 @@ static bool mlx5_ib_bind_slave_port(struct mlx5_ib_dev *ibdev, + + mlx5_ib_init_cong_debugfs(ibdev, port_num); + ++ err = mlx5_ib_enable_lb_mp(ibdev->mdev, mpi->mdev); ++ if (err) ++ goto unbind; ++ + return true; + + unbind: +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 98397c2c6bfacd..a5207d6a5ebea5 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -149,6 +149,7 @@ static const struct xpad_device { + { 0x05fd, 0x107a, "InterAct 'PowerPad Pro' X-Box pad (Germany)", 0, XTYPE_XBOX }, + { 0x05fe, 0x3030, "Chic Controller", 0, XTYPE_XBOX }, + { 0x05fe, 0x3031, "Chic Controller", 0, XTYPE_XBOX }, ++ { 0x0502, 0x1305, "Acer NGR200", 0, XTYPE_XBOX }, + { 0x062a, 0x0020, "Logic3 Xbox GamePad", 0, XTYPE_XBOX }, + { 0x062a, 0x0033, "Competition Pro Steering Wheel", 0, XTYPE_XBOX }, + { 0x06a3, 0x0200, "Saitek Racing Wheel", 0, XTYPE_XBOX }, +@@ -443,6 +444,7 @@ static const struct usb_device_id xpad_table[] = { + XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */ + XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */ + XPAD_XBOX360_VENDOR(0x046d), /* Logitech X-Box 360 style controllers */ ++ XPAD_XBOX360_VENDOR(0x0502), /* Acer Inc. X-Box 360 style controllers */ + XPAD_XBOX360_VENDOR(0x056e), /* Elecom JC-U3613M */ + XPAD_XBOX360_VENDOR(0x06a3), /* Saitek P3600 */ + XPAD_XBOX360_VENDOR(0x0738), /* Mad Catz X-Box 360 controllers */ +diff --git a/drivers/input/keyboard/atkbd.c b/drivers/input/keyboard/atkbd.c +index e8e9947e2f5cc3..1c033020efc479 100644 +--- a/drivers/input/keyboard/atkbd.c ++++ b/drivers/input/keyboard/atkbd.c +@@ -817,7 +817,7 @@ static int atkbd_probe(struct atkbd *atkbd) + + if (atkbd_skip_getid(atkbd)) { + atkbd->id = 0xab83; +- return 0; ++ goto deactivate_kbd; + } + + /* +@@ -854,6 +854,7 @@ static int atkbd_probe(struct atkbd *atkbd) + return -1; + } + ++deactivate_kbd: + /* + * Make sure nothing is coming from the keyboard and disturbs our + * internal state. +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index de87606b2e04cc..3eacac244f3de5 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -3319,6 +3319,7 @@ static int raid1_reshape(struct mddev *mddev) + /* ok, everything is stopped */ + oldpool = conf->r1bio_pool; + conf->r1bio_pool = newpool; ++ init_waitqueue_head(&conf->r1bio_pool.wait); + + for (d = d2 = 0; d < conf->raid_disks; d++) { + struct md_rdev *rdev = conf->mirrors[d].rdev; +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index e6c0e24cb9ae23..5b0f38e7c8f139 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1196,8 +1196,11 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, + rcu_read_unlock(); + } + +- if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) ++ if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) { ++ raid_end_bio_io(r10_bio); + return; ++ } ++ + rdev = read_balance(conf, r10_bio, &max_sectors); + if (!rdev) { + if (err_rdev) { +@@ -1431,8 +1434,11 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, + } + + sectors = r10_bio->sectors; +- if (!regular_request_wait(mddev, conf, bio, sectors)) ++ if (!regular_request_wait(mddev, conf, bio, sectors)) { ++ raid_end_bio_io(r10_bio); + return; ++ } ++ + if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery) && + (mddev->reshape_backwards + ? (bio->bi_iter.bi_sector < conf->reshape_safe && +diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c +index e8b35661c53891..17b893eb286e72 100644 +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -582,7 +582,7 @@ static int m_can_handle_lost_msg(struct net_device *dev) + struct can_frame *frame; + u32 timestamp = 0; + +- netdev_err(dev, "msg lost in rxf0\n"); ++ netdev_dbg(dev, "msg lost in rxf0\n"); + + stats->rx_errors++; + stats->rx_over_errors++; +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c +index 228a5db7e1434b..596513ffdfd9cb 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c +@@ -479,7 +479,9 @@ static int bnxt_ets_validate(struct bnxt *bp, struct ieee_ets *ets, u8 *tc) + + if ((ets->tc_tx_bw[i] || ets->tc_tsa[i]) && i > bp->max_tc) + return -EINVAL; ++ } + ++ for (i = 0; i < max_tc; i++) { + switch (ets->tc_tsa[i]) { + case IEEE_8021QAZ_TSA_STRICT: + break; +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +index 148b58f3468b31..8a5009e66a1348 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +@@ -67,7 +67,7 @@ static void __bnxt_xmit_xdp_redirect(struct bnxt *bp, + tx_buf->action = XDP_REDIRECT; + tx_buf->xdpf = xdpf; + dma_unmap_addr_set(tx_buf, mapping, mapping); +- dma_unmap_len_set(tx_buf, len, 0); ++ dma_unmap_len_set(tx_buf, len, len); + } + + void bnxt_tx_int_xdp(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts) +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 91840ea92b0dfe..04e3f6c424c0ca 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -5731,14 +5731,15 @@ ice_fetch_u64_stats_per_ring(struct ice_ring *ring, u64 *pkts, u64 *bytes) + /** + * ice_update_vsi_tx_ring_stats - Update VSI Tx ring stats counters + * @vsi: the VSI to be updated ++ * @vsi_stats: the stats struct to be updated + * @rings: rings to work on + * @count: number of rings + */ + static void +-ice_update_vsi_tx_ring_stats(struct ice_vsi *vsi, struct ice_ring **rings, +- u16 count) ++ice_update_vsi_tx_ring_stats(struct ice_vsi *vsi, ++ struct rtnl_link_stats64 *vsi_stats, ++ struct ice_ring **rings, u16 count) + { +- struct rtnl_link_stats64 *vsi_stats = &vsi->net_stats; + u16 i; + + for (i = 0; i < count; i++) { +@@ -5761,15 +5762,13 @@ ice_update_vsi_tx_ring_stats(struct ice_vsi *vsi, struct ice_ring **rings, + */ + static void ice_update_vsi_ring_stats(struct ice_vsi *vsi) + { +- struct rtnl_link_stats64 *vsi_stats = &vsi->net_stats; ++ struct rtnl_link_stats64 *vsi_stats; + u64 pkts, bytes; + int i; + +- /* reset netdev stats */ +- vsi_stats->tx_packets = 0; +- vsi_stats->tx_bytes = 0; +- vsi_stats->rx_packets = 0; +- vsi_stats->rx_bytes = 0; ++ vsi_stats = kzalloc(sizeof(*vsi_stats), GFP_ATOMIC); ++ if (!vsi_stats) ++ return; + + /* reset non-netdev (extended) stats */ + vsi->tx_restart = 0; +@@ -5781,7 +5780,8 @@ static void ice_update_vsi_ring_stats(struct ice_vsi *vsi) + rcu_read_lock(); + + /* update Tx rings counters */ +- ice_update_vsi_tx_ring_stats(vsi, vsi->tx_rings, vsi->num_txq); ++ ice_update_vsi_tx_ring_stats(vsi, vsi_stats, vsi->tx_rings, ++ vsi->num_txq); + + /* update Rx rings counters */ + ice_for_each_rxq(vsi, i) { +@@ -5796,10 +5796,17 @@ static void ice_update_vsi_ring_stats(struct ice_vsi *vsi) + + /* update XDP Tx rings counters */ + if (ice_is_xdp_ena_vsi(vsi)) +- ice_update_vsi_tx_ring_stats(vsi, vsi->xdp_rings, ++ ice_update_vsi_tx_ring_stats(vsi, vsi_stats, vsi->xdp_rings, + vsi->num_xdp_txq); + + rcu_read_unlock(); ++ ++ vsi->net_stats.tx_packets = vsi_stats->tx_packets; ++ vsi->net_stats.tx_bytes = vsi_stats->tx_bytes; ++ vsi->net_stats.rx_packets = vsi_stats->rx_packets; ++ vsi->net_stats.rx_bytes = vsi_stats->rx_bytes; ++ ++ kfree(vsi_stats); + } + + /** +diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c +index 4e45153959c791..ce0d2760a55e06 100644 +--- a/drivers/net/ethernet/xilinx/ll_temac_main.c ++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c +@@ -1299,7 +1299,7 @@ static int ll_temac_ethtools_set_ringparam(struct net_device *ndev, + if (ering->rx_pending > RX_BD_NUM_MAX || + ering->rx_mini_pending || + ering->rx_jumbo_pending || +- ering->rx_pending > TX_BD_NUM_MAX) ++ ering->tx_pending > TX_BD_NUM_MAX) + return -EINVAL; + + if (netif_running(ndev)) +diff --git a/drivers/net/phy/microchip.c b/drivers/net/phy/microchip.c +index 230f2fcf9c46a1..f2860ec7ac17e6 100644 +--- a/drivers/net/phy/microchip.c ++++ b/drivers/net/phy/microchip.c +@@ -351,7 +351,7 @@ static void lan88xx_link_change_notify(struct phy_device *phydev) + * As workaround, set to 10 before setting to 100 + * at forced 100 F/H mode. + */ +- if (!phydev->autoneg && phydev->speed == 100) { ++ if (phydev->state == PHY_NOLINK && !phydev->autoneg && phydev->speed == 100) { + /* disable phy interrupt */ + temp = phy_read(phydev, LAN88XX_INT_MASK); + temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_; +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index 36dcf6c7f445d0..5c3ebb66fceb52 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -143,10 +143,29 @@ static int lan911x_config_init(struct phy_device *phydev) + + static int lan87xx_config_aneg(struct phy_device *phydev) + { +- int rc; ++ u8 mdix_ctrl; + int val; ++ int rc; + +- switch (phydev->mdix_ctrl) { ++ /* When auto-negotiation is disabled (forced mode), the PHY's ++ * Auto-MDIX will continue toggling the TX/RX pairs. ++ * ++ * To establish a stable link, we must select a fixed MDI mode. ++ * If the user has not specified a fixed MDI mode (i.e., mdix_ctrl is ++ * 'auto'), we default to ETH_TP_MDI. This choice of a ETH_TP_MDI mode ++ * mirrors the behavior the hardware would exhibit if the AUTOMDIX_EN ++ * strap were configured for a fixed MDI connection. ++ */ ++ if (phydev->autoneg == AUTONEG_DISABLE) { ++ if (phydev->mdix_ctrl == ETH_TP_MDI_AUTO) ++ mdix_ctrl = ETH_TP_MDI; ++ else ++ mdix_ctrl = phydev->mdix_ctrl; ++ } else { ++ mdix_ctrl = phydev->mdix_ctrl; ++ } ++ ++ switch (mdix_ctrl) { + case ETH_TP_MDI: + val = SPECIAL_CTRL_STS_OVRRD_AMDIX_; + break; +@@ -155,7 +174,8 @@ static int lan87xx_config_aneg(struct phy_device *phydev) + SPECIAL_CTRL_STS_AMDIX_STATE_; + break; + case ETH_TP_MDI_AUTO: +- val = SPECIAL_CTRL_STS_AMDIX_ENABLE_; ++ val = SPECIAL_CTRL_STS_OVRRD_AMDIX_ | ++ SPECIAL_CTRL_STS_AMDIX_ENABLE_; + break; + default: + return genphy_config_aneg(phydev); +@@ -171,7 +191,7 @@ static int lan87xx_config_aneg(struct phy_device *phydev) + rc |= val; + phy_write(phydev, SPECIAL_CTRL_STS, rc); + +- phydev->mdix = phydev->mdix_ctrl; ++ phydev->mdix = mdix_ctrl; + return genphy_config_aneg(phydev); + } + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 600a190f221287..d21d23f10d4228 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1421,6 +1421,7 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */ + {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */ + {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */ ++ {QMI_QUIRK_SET_DTR(0x1e0e, 0x9071, 3)}, /* SIMCom 8230C ++ */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0195, 4)}, /* Quectel EG95 */ +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index d8138ad4f865a6..ed27dd5c7fc8d5 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -394,6 +394,26 @@ static unsigned int mergeable_ctx_to_truesize(void *mrg_ctx) + return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1); + } + ++static int check_mergeable_len(struct net_device *dev, void *mrg_ctx, ++ unsigned int len) ++{ ++ unsigned int headroom, tailroom, room, truesize; ++ ++ truesize = mergeable_ctx_to_truesize(mrg_ctx); ++ headroom = mergeable_ctx_to_headroom(mrg_ctx); ++ tailroom = headroom ? sizeof(struct skb_shared_info) : 0; ++ room = SKB_DATA_ALIGN(headroom + tailroom); ++ ++ if (len > truesize - room) { ++ pr_debug("%s: rx error: len %u exceeds truesize %lu\n", ++ dev->name, len, (unsigned long)(truesize - room)); ++ dev->stats.rx_length_errors++; ++ return -1; ++ } ++ ++ return 0; ++} ++ + /* Called from bottom half context */ + static struct sk_buff *page_to_skb(struct virtnet_info *vi, + struct receive_queue *rq, +@@ -672,8 +692,9 @@ static unsigned int virtnet_get_headroom(struct virtnet_info *vi) + * across multiple buffers (num_buf > 1), and we make sure buffers + * have enough headroom. + */ +-static struct page *xdp_linearize_page(struct receive_queue *rq, +- u16 *num_buf, ++static struct page *xdp_linearize_page(struct net_device *dev, ++ struct receive_queue *rq, ++ int *num_buf, + struct page *p, + int offset, + int page_off, +@@ -692,18 +713,27 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, + memcpy(page_address(page) + page_off, page_address(p) + offset, *len); + page_off += *len; + ++ /* Only mergeable mode can go inside this while loop. In small mode, ++ * *num_buf == 1, so it cannot go inside. ++ */ + while (--*num_buf) { + unsigned int buflen; + void *buf; ++ void *ctx; + int off; + +- buf = virtqueue_get_buf(rq->vq, &buflen); ++ buf = virtqueue_get_buf_ctx(rq->vq, &buflen, &ctx); + if (unlikely(!buf)) + goto err_buf; + + p = virt_to_head_page(buf); + off = buf - page_address(p); + ++ if (check_mergeable_len(dev, ctx, buflen)) { ++ put_page(p); ++ goto err_buf; ++ } ++ + /* guard against a misconfigured or uncooperative backend that + * is sending packet larger than the MTU. + */ +@@ -771,14 +801,14 @@ static struct sk_buff *receive_small(struct net_device *dev, + if (unlikely(xdp_headroom < virtnet_get_headroom(vi))) { + int offset = buf - page_address(page) + header_offset; + unsigned int tlen = len + vi->hdr_len; +- u16 num_buf = 1; ++ int num_buf = 1; + + xdp_headroom = virtnet_get_headroom(vi); + header_offset = VIRTNET_RX_PAD + xdp_headroom; + headroom = vi->hdr_len + header_offset; + buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) + + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); +- xdp_page = xdp_linearize_page(rq, &num_buf, page, ++ xdp_page = xdp_linearize_page(dev, rq, &num_buf, page, + offset, header_offset, + &tlen); + if (!xdp_page) +@@ -949,10 +979,12 @@ static struct sk_buff *receive_mergeable(struct net_device *dev, + if (unlikely(num_buf > 1 || + headroom < virtnet_get_headroom(vi))) { + /* linearize data for XDP */ +- xdp_page = xdp_linearize_page(rq, &num_buf, ++ int _num_buf = num_buf; ++ xdp_page = xdp_linearize_page(dev, rq, &_num_buf, + page, offset, + VIRTIO_XDP_HEADROOM, + &len); ++ num_buf = _num_buf; + frame_sz = PAGE_SIZE; + + if (!xdp_page) +diff --git a/drivers/net/wireless/zydas/zd1211rw/zd_mac.c b/drivers/net/wireless/zydas/zd1211rw/zd_mac.c +index 3ef8533205f913..0a7f368f0d99ca 100644 +--- a/drivers/net/wireless/zydas/zd1211rw/zd_mac.c ++++ b/drivers/net/wireless/zydas/zd1211rw/zd_mac.c +@@ -583,7 +583,11 @@ void zd_mac_tx_to_dev(struct sk_buff *skb, int error) + + skb_queue_tail(q, skb); + while (skb_queue_len(q) > ZD_MAC_MAX_ACK_WAITERS) { +- zd_mac_tx_status(hw, skb_dequeue(q), ++ skb = skb_dequeue(q); ++ if (!skb) ++ break; ++ ++ zd_mac_tx_status(hw, skb, + mac->ack_pending ? mac->ack_signal : 0, + NULL); + mac->ack_pending = 0; +diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c +index e753161428b4e2..676b16397b07cf 100644 +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -949,6 +949,25 @@ static bool msm_gpio_needs_dual_edge_parent_workaround(struct irq_data *d, + test_bit(d->hwirq, pctrl->skip_wake_irqs); + } + ++static void msm_gpio_irq_init_valid_mask(struct gpio_chip *gc, ++ unsigned long *valid_mask, ++ unsigned int ngpios) ++{ ++ struct msm_pinctrl *pctrl = gpiochip_get_data(gc); ++ const struct msm_pingroup *g; ++ int i; ++ ++ bitmap_fill(valid_mask, ngpios); ++ ++ for (i = 0; i < ngpios; i++) { ++ g = &pctrl->soc->groups[i]; ++ ++ if (g->intr_detection_width != 1 && ++ g->intr_detection_width != 2) ++ clear_bit(i, valid_mask); ++ } ++} ++ + static int msm_gpio_irq_set_type(struct irq_data *d, unsigned int type) + { + struct gpio_chip *gc = irq_data_get_irq_chip_data(d); +@@ -1305,6 +1324,7 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl) + girq->default_type = IRQ_TYPE_NONE; + girq->handler = handle_bad_irq; + girq->parents[0] = pctrl->irq; ++ girq->init_valid_mask = msm_gpio_irq_init_valid_mask; + + ret = gpiochip_add_data(&pctrl->chip, pctrl); + if (ret) { +diff --git a/drivers/pwm/pwm-mediatek.c b/drivers/pwm/pwm-mediatek.c +index bb764428bfe76e..d8a80b06a6f2ee 100644 +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -129,8 +129,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, + return ret; + + clk_rate = clk_get_rate(pc->clk_pwms[pwm->hwpwm]); +- if (!clk_rate) +- return -EINVAL; ++ if (!clk_rate) { ++ ret = -EINVAL; ++ goto out; ++ } + + /* Make sure we use the bus clock and not the 26MHz clock */ + if (pc->soc->has_ck_26m_sel) +@@ -149,9 +151,9 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, + } + + if (clkdiv > PWM_CLK_DIV_MAX) { +- pwm_mediatek_clk_disable(chip, pwm); +- dev_err(chip->dev, "period %d not supported\n", period_ns); +- return -EINVAL; ++ dev_err(chip->dev, "period of %d ns not supported\n", period_ns); ++ ret = -EINVAL; ++ goto out; + } + + if (pc->soc->pwm45_fixup && pwm->hwpwm > 2) { +@@ -168,9 +170,10 @@ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, + pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); + pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); + ++out: + pwm_mediatek_clk_disable(chip, pwm); + +- return 0; ++ return ret; + } + + static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm) +diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c +index 6aa5fe9736138e..1c479c72b7d2e0 100644 +--- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c ++++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c +@@ -469,7 +469,7 @@ static void int3400_setup_gddv(struct int3400_thermal_priv *priv) + priv->data_vault = kmemdup(obj->package.elements[0].buffer.pointer, + obj->package.elements[0].buffer.length, + GFP_KERNEL); +- if (!priv->data_vault) { ++ if (ZERO_OR_NULL_PTR(priv->data_vault)) { + kfree(buffer.pointer); + return; + } +@@ -540,7 +540,7 @@ static int int3400_thermal_probe(struct platform_device *pdev) + goto free_imok; + } + +- if (priv->data_vault) { ++ if (!ZERO_OR_NULL_PTR(priv->data_vault)) { + result = sysfs_create_group(&pdev->dev.kobj, + &data_attribute_group); + if (result) +@@ -558,7 +558,8 @@ static int int3400_thermal_probe(struct platform_device *pdev) + free_sysfs: + cleanup_odvp(priv); + if (priv->data_vault) { +- sysfs_remove_group(&pdev->dev.kobj, &data_attribute_group); ++ if (!ZERO_OR_NULL_PTR(priv->data_vault)) ++ sysfs_remove_group(&pdev->dev.kobj, &data_attribute_group); + kfree(priv->data_vault); + } + free_uuid: +@@ -590,7 +591,7 @@ static int int3400_thermal_remove(struct platform_device *pdev) + if (!priv->rel_misc_dev_res) + acpi_thermal_rel_misc_device_remove(priv->adev->handle); + +- if (priv->data_vault) ++ if (!ZERO_OR_NULL_PTR(priv->data_vault)) + sysfs_remove_group(&pdev->dev.kobj, &data_attribute_group); + sysfs_remove_group(&pdev->dev.kobj, &uuid_attribute_group); + sysfs_remove_group(&pdev->dev.kobj, &imok_attribute_group); +diff --git a/drivers/tty/hvc/hvc_xen.c b/drivers/tty/hvc/hvc_xen.c +index 141acc662eba9f..6a11a4177a16fc 100644 +--- a/drivers/tty/hvc/hvc_xen.c ++++ b/drivers/tty/hvc/hvc_xen.c +@@ -270,7 +270,7 @@ static int xen_hvm_console_init(void) + if (r < 0 || v == 0) + goto err; + gfn = v; +- info->intf = xen_remap(gfn << XEN_PAGE_SHIFT, XEN_PAGE_SIZE); ++ info->intf = memremap(gfn << XEN_PAGE_SHIFT, XEN_PAGE_SIZE, MEMREMAP_WB); + if (info->intf == NULL) + goto err; + info->vtermno = HVC_COOKIE; +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index a6e0c803e96ec1..a10b7ebbbe918b 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -4443,6 +4443,7 @@ void do_unblank_screen(int leaving_gfx) + set_palette(vc); + set_cursor(vc); + vt_event_post(VT_EVENT_UNBLANK, vc->vc_num, vc->vc_num); ++ notify_update(vc); + } + EXPORT_SYMBOL(do_unblank_screen); + +diff --git a/drivers/usb/cdns3/cdnsp-debug.h b/drivers/usb/cdns3/cdnsp-debug.h +index f0ca865cce2a09..86860686d8363e 100644 +--- a/drivers/usb/cdns3/cdnsp-debug.h ++++ b/drivers/usb/cdns3/cdnsp-debug.h +@@ -131,8 +131,6 @@ static inline const char *cdnsp_trb_type_string(u8 type) + return "Endpoint Not ready"; + case TRB_HALT_ENDPOINT: + return "Halt Endpoint"; +- case TRB_FLUSH_ENDPOINT: +- return "FLush Endpoint"; + default: + return "UNKNOWN"; + } +@@ -189,203 +187,203 @@ static inline const char *cdnsp_decode_trb(char *str, size_t size, u32 field0, + + switch (type) { + case TRB_LINK: +- ret = snprintf(str, size, +- "LINK %08x%08x intr %ld type '%s' flags %c:%c:%c:%c", +- field1, field0, GET_INTR_TARGET(field2), +- cdnsp_trb_type_string(type), +- field3 & TRB_IOC ? 'I' : 'i', +- field3 & TRB_CHAIN ? 'C' : 'c', +- field3 & TRB_TC ? 'T' : 't', +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "LINK %08x%08x intr %ld type '%s' flags %c:%c:%c:%c", ++ field1, field0, GET_INTR_TARGET(field2), ++ cdnsp_trb_type_string(type), ++ field3 & TRB_IOC ? 'I' : 'i', ++ field3 & TRB_CHAIN ? 'C' : 'c', ++ field3 & TRB_TC ? 'T' : 't', ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_TRANSFER: + case TRB_COMPLETION: + case TRB_PORT_STATUS: + case TRB_HC_EVENT: +- ret = snprintf(str, size, +- "ep%d%s(%d) type '%s' TRB %08x%08x status '%s'" +- " len %ld slot %ld flags %c:%c", +- ep_num, ep_id % 2 ? "out" : "in", +- TRB_TO_EP_INDEX(field3), +- cdnsp_trb_type_string(type), field1, field0, +- cdnsp_trb_comp_code_string(GET_COMP_CODE(field2)), +- EVENT_TRB_LEN(field2), TRB_TO_SLOT_ID(field3), +- field3 & EVENT_DATA ? 'E' : 'e', +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "ep%d%s(%d) type '%s' TRB %08x%08x status '%s'" ++ " len %ld slot %ld flags %c:%c", ++ ep_num, ep_id % 2 ? "out" : "in", ++ TRB_TO_EP_INDEX(field3), ++ cdnsp_trb_type_string(type), field1, field0, ++ cdnsp_trb_comp_code_string(GET_COMP_CODE(field2)), ++ EVENT_TRB_LEN(field2), TRB_TO_SLOT_ID(field3), ++ field3 & EVENT_DATA ? 'E' : 'e', ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_MFINDEX_WRAP: +- ret = snprintf(str, size, "%s: flags %c", +- cdnsp_trb_type_string(type), +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, "%s: flags %c", ++ cdnsp_trb_type_string(type), ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_SETUP: +- ret = snprintf(str, size, +- "type '%s' bRequestType %02x bRequest %02x " +- "wValue %02x%02x wIndex %02x%02x wLength %d " +- "length %ld TD size %ld intr %ld Setup ID %ld " +- "flags %c:%c:%c", +- cdnsp_trb_type_string(type), +- field0 & 0xff, +- (field0 & 0xff00) >> 8, +- (field0 & 0xff000000) >> 24, +- (field0 & 0xff0000) >> 16, +- (field1 & 0xff00) >> 8, +- field1 & 0xff, +- (field1 & 0xff000000) >> 16 | +- (field1 & 0xff0000) >> 16, +- TRB_LEN(field2), GET_TD_SIZE(field2), +- GET_INTR_TARGET(field2), +- TRB_SETUPID_TO_TYPE(field3), +- field3 & TRB_IDT ? 'D' : 'd', +- field3 & TRB_IOC ? 'I' : 'i', +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "type '%s' bRequestType %02x bRequest %02x " ++ "wValue %02x%02x wIndex %02x%02x wLength %d " ++ "length %ld TD size %ld intr %ld Setup ID %ld " ++ "flags %c:%c:%c", ++ cdnsp_trb_type_string(type), ++ field0 & 0xff, ++ (field0 & 0xff00) >> 8, ++ (field0 & 0xff000000) >> 24, ++ (field0 & 0xff0000) >> 16, ++ (field1 & 0xff00) >> 8, ++ field1 & 0xff, ++ (field1 & 0xff000000) >> 16 | ++ (field1 & 0xff0000) >> 16, ++ TRB_LEN(field2), GET_TD_SIZE(field2), ++ GET_INTR_TARGET(field2), ++ TRB_SETUPID_TO_TYPE(field3), ++ field3 & TRB_IDT ? 'D' : 'd', ++ field3 & TRB_IOC ? 'I' : 'i', ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_DATA: +- ret = snprintf(str, size, +- "type '%s' Buffer %08x%08x length %ld TD size %ld " +- "intr %ld flags %c:%c:%c:%c:%c:%c:%c", +- cdnsp_trb_type_string(type), +- field1, field0, TRB_LEN(field2), +- GET_TD_SIZE(field2), +- GET_INTR_TARGET(field2), +- field3 & TRB_IDT ? 'D' : 'i', +- field3 & TRB_IOC ? 'I' : 'i', +- field3 & TRB_CHAIN ? 'C' : 'c', +- field3 & TRB_NO_SNOOP ? 'S' : 's', +- field3 & TRB_ISP ? 'I' : 'i', +- field3 & TRB_ENT ? 'E' : 'e', +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "type '%s' Buffer %08x%08x length %ld TD size %ld " ++ "intr %ld flags %c:%c:%c:%c:%c:%c:%c", ++ cdnsp_trb_type_string(type), ++ field1, field0, TRB_LEN(field2), ++ GET_TD_SIZE(field2), ++ GET_INTR_TARGET(field2), ++ field3 & TRB_IDT ? 'D' : 'i', ++ field3 & TRB_IOC ? 'I' : 'i', ++ field3 & TRB_CHAIN ? 'C' : 'c', ++ field3 & TRB_NO_SNOOP ? 'S' : 's', ++ field3 & TRB_ISP ? 'I' : 'i', ++ field3 & TRB_ENT ? 'E' : 'e', ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_STATUS: +- ret = snprintf(str, size, +- "Buffer %08x%08x length %ld TD size %ld intr" +- "%ld type '%s' flags %c:%c:%c:%c", +- field1, field0, TRB_LEN(field2), +- GET_TD_SIZE(field2), +- GET_INTR_TARGET(field2), +- cdnsp_trb_type_string(type), +- field3 & TRB_IOC ? 'I' : 'i', +- field3 & TRB_CHAIN ? 'C' : 'c', +- field3 & TRB_ENT ? 'E' : 'e', +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "Buffer %08x%08x length %ld TD size %ld intr" ++ "%ld type '%s' flags %c:%c:%c:%c", ++ field1, field0, TRB_LEN(field2), ++ GET_TD_SIZE(field2), ++ GET_INTR_TARGET(field2), ++ cdnsp_trb_type_string(type), ++ field3 & TRB_IOC ? 'I' : 'i', ++ field3 & TRB_CHAIN ? 'C' : 'c', ++ field3 & TRB_ENT ? 'E' : 'e', ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_NORMAL: + case TRB_ISOC: + case TRB_EVENT_DATA: + case TRB_TR_NOOP: +- ret = snprintf(str, size, +- "type '%s' Buffer %08x%08x length %ld " +- "TD size %ld intr %ld " +- "flags %c:%c:%c:%c:%c:%c:%c:%c:%c", +- cdnsp_trb_type_string(type), +- field1, field0, TRB_LEN(field2), +- GET_TD_SIZE(field2), +- GET_INTR_TARGET(field2), +- field3 & TRB_BEI ? 'B' : 'b', +- field3 & TRB_IDT ? 'T' : 't', +- field3 & TRB_IOC ? 'I' : 'i', +- field3 & TRB_CHAIN ? 'C' : 'c', +- field3 & TRB_NO_SNOOP ? 'S' : 's', +- field3 & TRB_ISP ? 'I' : 'i', +- field3 & TRB_ENT ? 'E' : 'e', +- field3 & TRB_CYCLE ? 'C' : 'c', +- !(field3 & TRB_EVENT_INVALIDATE) ? 'V' : 'v'); ++ ret = scnprintf(str, size, ++ "type '%s' Buffer %08x%08x length %ld " ++ "TD size %ld intr %ld " ++ "flags %c:%c:%c:%c:%c:%c:%c:%c:%c", ++ cdnsp_trb_type_string(type), ++ field1, field0, TRB_LEN(field2), ++ GET_TD_SIZE(field2), ++ GET_INTR_TARGET(field2), ++ field3 & TRB_BEI ? 'B' : 'b', ++ field3 & TRB_IDT ? 'T' : 't', ++ field3 & TRB_IOC ? 'I' : 'i', ++ field3 & TRB_CHAIN ? 'C' : 'c', ++ field3 & TRB_NO_SNOOP ? 'S' : 's', ++ field3 & TRB_ISP ? 'I' : 'i', ++ field3 & TRB_ENT ? 'E' : 'e', ++ field3 & TRB_CYCLE ? 'C' : 'c', ++ !(field3 & TRB_EVENT_INVALIDATE) ? 'V' : 'v'); + break; + case TRB_CMD_NOOP: + case TRB_ENABLE_SLOT: +- ret = snprintf(str, size, "%s: flags %c", +- cdnsp_trb_type_string(type), +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, "%s: flags %c", ++ cdnsp_trb_type_string(type), ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_DISABLE_SLOT: +- ret = snprintf(str, size, "%s: slot %ld flags %c", +- cdnsp_trb_type_string(type), +- TRB_TO_SLOT_ID(field3), +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, "%s: slot %ld flags %c", ++ cdnsp_trb_type_string(type), ++ TRB_TO_SLOT_ID(field3), ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_ADDR_DEV: +- ret = snprintf(str, size, +- "%s: ctx %08x%08x slot %ld flags %c:%c", +- cdnsp_trb_type_string(type), field1, field0, +- TRB_TO_SLOT_ID(field3), +- field3 & TRB_BSR ? 'B' : 'b', +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "%s: ctx %08x%08x slot %ld flags %c:%c", ++ cdnsp_trb_type_string(type), field1, field0, ++ TRB_TO_SLOT_ID(field3), ++ field3 & TRB_BSR ? 'B' : 'b', ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_CONFIG_EP: +- ret = snprintf(str, size, +- "%s: ctx %08x%08x slot %ld flags %c:%c", +- cdnsp_trb_type_string(type), field1, field0, +- TRB_TO_SLOT_ID(field3), +- field3 & TRB_DC ? 'D' : 'd', +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "%s: ctx %08x%08x slot %ld flags %c:%c", ++ cdnsp_trb_type_string(type), field1, field0, ++ TRB_TO_SLOT_ID(field3), ++ field3 & TRB_DC ? 'D' : 'd', ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_EVAL_CONTEXT: +- ret = snprintf(str, size, +- "%s: ctx %08x%08x slot %ld flags %c", +- cdnsp_trb_type_string(type), field1, field0, +- TRB_TO_SLOT_ID(field3), +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "%s: ctx %08x%08x slot %ld flags %c", ++ cdnsp_trb_type_string(type), field1, field0, ++ TRB_TO_SLOT_ID(field3), ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_RESET_EP: + case TRB_HALT_ENDPOINT: +- case TRB_FLUSH_ENDPOINT: +- ret = snprintf(str, size, +- "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c", +- cdnsp_trb_type_string(type), +- ep_num, ep_id % 2 ? "out" : "in", +- TRB_TO_EP_INDEX(field3), field1, field0, +- TRB_TO_SLOT_ID(field3), +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c %c", ++ cdnsp_trb_type_string(type), ++ ep_num, ep_id % 2 ? "out" : "in", ++ TRB_TO_EP_INDEX(field3), field1, field0, ++ TRB_TO_SLOT_ID(field3), ++ field3 & TRB_CYCLE ? 'C' : 'c', ++ field3 & TRB_ESP ? 'P' : 'p'); + break; + case TRB_STOP_RING: +- ret = snprintf(str, size, +- "%s: ep%d%s(%d) slot %ld sp %d flags %c", +- cdnsp_trb_type_string(type), +- ep_num, ep_id % 2 ? "out" : "in", +- TRB_TO_EP_INDEX(field3), +- TRB_TO_SLOT_ID(field3), +- TRB_TO_SUSPEND_PORT(field3), +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "%s: ep%d%s(%d) slot %ld sp %d flags %c", ++ cdnsp_trb_type_string(type), ++ ep_num, ep_id % 2 ? "out" : "in", ++ TRB_TO_EP_INDEX(field3), ++ TRB_TO_SLOT_ID(field3), ++ TRB_TO_SUSPEND_PORT(field3), ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_SET_DEQ: +- ret = snprintf(str, size, +- "%s: ep%d%s(%d) deq %08x%08x stream %ld slot %ld flags %c", +- cdnsp_trb_type_string(type), +- ep_num, ep_id % 2 ? "out" : "in", +- TRB_TO_EP_INDEX(field3), field1, field0, +- TRB_TO_STREAM_ID(field2), +- TRB_TO_SLOT_ID(field3), +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "%s: ep%d%s(%d) deq %08x%08x stream %ld slot %ld flags %c", ++ cdnsp_trb_type_string(type), ++ ep_num, ep_id % 2 ? "out" : "in", ++ TRB_TO_EP_INDEX(field3), field1, field0, ++ TRB_TO_STREAM_ID(field2), ++ TRB_TO_SLOT_ID(field3), ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_RESET_DEV: +- ret = snprintf(str, size, "%s: slot %ld flags %c", +- cdnsp_trb_type_string(type), +- TRB_TO_SLOT_ID(field3), +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, "%s: slot %ld flags %c", ++ cdnsp_trb_type_string(type), ++ TRB_TO_SLOT_ID(field3), ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + case TRB_ENDPOINT_NRDY: + temp = TRB_TO_HOST_STREAM(field2); + +- ret = snprintf(str, size, +- "%s: ep%d%s(%d) H_SID %x%s%s D_SID %lx flags %c:%c", +- cdnsp_trb_type_string(type), +- ep_num, ep_id % 2 ? "out" : "in", +- TRB_TO_EP_INDEX(field3), temp, +- temp == STREAM_PRIME_ACK ? "(PRIME)" : "", +- temp == STREAM_REJECTED ? "(REJECTED)" : "", +- TRB_TO_DEV_STREAM(field0), +- field3 & TRB_STAT ? 'S' : 's', +- field3 & TRB_CYCLE ? 'C' : 'c'); ++ ret = scnprintf(str, size, ++ "%s: ep%d%s(%d) H_SID %x%s%s D_SID %lx flags %c:%c", ++ cdnsp_trb_type_string(type), ++ ep_num, ep_id % 2 ? "out" : "in", ++ TRB_TO_EP_INDEX(field3), temp, ++ temp == STREAM_PRIME_ACK ? "(PRIME)" : "", ++ temp == STREAM_REJECTED ? "(REJECTED)" : "", ++ TRB_TO_DEV_STREAM(field0), ++ field3 & TRB_STAT ? 'S' : 's', ++ field3 & TRB_CYCLE ? 'C' : 'c'); + break; + default: +- ret = snprintf(str, size, +- "type '%s' -> raw %08x %08x %08x %08x", +- cdnsp_trb_type_string(type), +- field0, field1, field2, field3); ++ ret = scnprintf(str, size, ++ "type '%s' -> raw %08x %08x %08x %08x", ++ cdnsp_trb_type_string(type), ++ field0, field1, field2, field3); + } + +- if (ret >= size) +- pr_info("CDNSP: buffer overflowed.\n"); ++ if (ret == size - 1) ++ pr_info("CDNSP: buffer may be truncated.\n"); + + return str; + } +@@ -468,32 +466,32 @@ static inline const char *cdnsp_decode_portsc(char *str, size_t size, + { + int ret; + +- ret = snprintf(str, size, "%s %s %s Link:%s PortSpeed:%d ", +- portsc & PORT_POWER ? "Powered" : "Powered-off", +- portsc & PORT_CONNECT ? "Connected" : "Not-connected", +- portsc & PORT_PED ? "Enabled" : "Disabled", +- cdnsp_portsc_link_state_string(portsc), +- DEV_PORT_SPEED(portsc)); ++ ret = scnprintf(str, size, "%s %s %s Link:%s PortSpeed:%d ", ++ portsc & PORT_POWER ? "Powered" : "Powered-off", ++ portsc & PORT_CONNECT ? "Connected" : "Not-connected", ++ portsc & PORT_PED ? "Enabled" : "Disabled", ++ cdnsp_portsc_link_state_string(portsc), ++ DEV_PORT_SPEED(portsc)); + + if (portsc & PORT_RESET) +- ret += snprintf(str + ret, size - ret, "In-Reset "); ++ ret += scnprintf(str + ret, size - ret, "In-Reset "); + +- ret += snprintf(str + ret, size - ret, "Change: "); ++ ret += scnprintf(str + ret, size - ret, "Change: "); + if (portsc & PORT_CSC) +- ret += snprintf(str + ret, size - ret, "CSC "); ++ ret += scnprintf(str + ret, size - ret, "CSC "); + if (portsc & PORT_WRC) +- ret += snprintf(str + ret, size - ret, "WRC "); ++ ret += scnprintf(str + ret, size - ret, "WRC "); + if (portsc & PORT_RC) +- ret += snprintf(str + ret, size - ret, "PRC "); ++ ret += scnprintf(str + ret, size - ret, "PRC "); + if (portsc & PORT_PLC) +- ret += snprintf(str + ret, size - ret, "PLC "); ++ ret += scnprintf(str + ret, size - ret, "PLC "); + if (portsc & PORT_CEC) +- ret += snprintf(str + ret, size - ret, "CEC "); +- ret += snprintf(str + ret, size - ret, "Wake: "); ++ ret += scnprintf(str + ret, size - ret, "CEC "); ++ ret += scnprintf(str + ret, size - ret, "Wake: "); + if (portsc & PORT_WKCONN_E) +- ret += snprintf(str + ret, size - ret, "WCE "); ++ ret += scnprintf(str + ret, size - ret, "WCE "); + if (portsc & PORT_WKDISC_E) +- ret += snprintf(str + ret, size - ret, "WDE "); ++ ret += scnprintf(str + ret, size - ret, "WDE "); + + return str; + } +@@ -565,20 +563,20 @@ static inline const char *cdnsp_decode_ep_context(char *str, size_t size, + + avg = EP_AVG_TRB_LENGTH(tx_info); + +- ret = snprintf(str, size, "State %s mult %d max P. Streams %d %s", +- cdnsp_ep_state_string(ep_state), mult, +- max_pstr, lsa ? "LSA " : ""); ++ ret = scnprintf(str, size, "State %s mult %d max P. Streams %d %s", ++ cdnsp_ep_state_string(ep_state), mult, ++ max_pstr, lsa ? "LSA " : ""); + +- ret += snprintf(str + ret, size - ret, +- "interval %d us max ESIT payload %d CErr %d ", +- (1 << interval) * 125, esit, cerr); ++ ret += scnprintf(str + ret, size - ret, ++ "interval %d us max ESIT payload %d CErr %d ", ++ (1 << interval) * 125, esit, cerr); + +- ret += snprintf(str + ret, size - ret, +- "Type %s %sburst %d maxp %d deq %016llx ", +- cdnsp_ep_type_string(ep_type), hid ? "HID" : "", +- burst, maxp, deq); ++ ret += scnprintf(str + ret, size - ret, ++ "Type %s %sburst %d maxp %d deq %016llx ", ++ cdnsp_ep_type_string(ep_type), hid ? "HID" : "", ++ burst, maxp, deq); + +- ret += snprintf(str + ret, size - ret, "avg trb len %d", avg); ++ ret += scnprintf(str + ret, size - ret, "avg trb len %d", avg); + + return str; + } +diff --git a/drivers/usb/cdns3/cdnsp-ep0.c b/drivers/usb/cdns3/cdnsp-ep0.c +index f317d3c8478108..5cd9b898ce971f 100644 +--- a/drivers/usb/cdns3/cdnsp-ep0.c ++++ b/drivers/usb/cdns3/cdnsp-ep0.c +@@ -414,6 +414,7 @@ static int cdnsp_ep0_std_request(struct cdnsp_device *pdev, + void cdnsp_setup_analyze(struct cdnsp_device *pdev) + { + struct usb_ctrlrequest *ctrl = &pdev->setup; ++ struct cdnsp_ep *pep; + int ret = -EINVAL; + u16 len; + +@@ -427,10 +428,21 @@ void cdnsp_setup_analyze(struct cdnsp_device *pdev) + goto out; + } + ++ pep = &pdev->eps[0]; ++ + /* Restore the ep0 to Stopped/Running state. */ +- if (pdev->eps[0].ep_state & EP_HALTED) { +- trace_cdnsp_ep0_halted("Restore to normal state"); +- cdnsp_halt_endpoint(pdev, &pdev->eps[0], 0); ++ if (pep->ep_state & EP_HALTED) { ++ if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_HALTED) ++ cdnsp_halt_endpoint(pdev, pep, 0); ++ ++ /* ++ * Halt Endpoint Command for SSP2 for ep0 preserve current ++ * endpoint state and driver has to synchronize the ++ * software endpoint state with endpoint output context ++ * state. ++ */ ++ pep->ep_state &= ~EP_HALTED; ++ pep->ep_state |= EP_STOPPED; + } + + /* +diff --git a/drivers/usb/cdns3/cdnsp-gadget.c b/drivers/usb/cdns3/cdnsp-gadget.c +index 1e9aee824eb7da..1de82fb9dcb489 100644 +--- a/drivers/usb/cdns3/cdnsp-gadget.c ++++ b/drivers/usb/cdns3/cdnsp-gadget.c +@@ -1061,10 +1061,8 @@ static int cdnsp_gadget_ep_disable(struct usb_ep *ep) + pep->ep_state |= EP_DIS_IN_RROGRESS; + + /* Endpoint was unconfigured by Reset Device command. */ +- if (!(pep->ep_state & EP_UNCONFIGURED)) { ++ if (!(pep->ep_state & EP_UNCONFIGURED)) + cdnsp_cmd_stop_ep(pdev, pep); +- cdnsp_cmd_flush_ep(pdev, pep); +- } + + /* Remove all queued USB requests. */ + while (!list_empty(&pep->pending_list)) { +@@ -1464,8 +1462,6 @@ static void cdnsp_stop(struct cdnsp_device *pdev) + { + u32 temp; + +- cdnsp_cmd_flush_ep(pdev, &pdev->eps[0]); +- + /* Remove internally queued request for ep0. */ + if (!list_empty(&pdev->eps[0].pending_list)) { + struct cdnsp_request *req; +diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h +index 2998548177aba2..155fd770a8cd9b 100644 +--- a/drivers/usb/cdns3/cdnsp-gadget.h ++++ b/drivers/usb/cdns3/cdnsp-gadget.h +@@ -987,6 +987,12 @@ enum cdnsp_setup_dev { + #define STREAM_ID_FOR_TRB(p) ((((p)) << 16) & GENMASK(31, 16)) + #define SCT_FOR_TRB(p) (((p) << 1) & 0x7) + ++/* ++ * Halt Endpoint Command TRB field. ++ * The ESP bit only exists in the SSP2 controller. ++ */ ++#define TRB_ESP BIT(9) ++ + /* Link TRB specific fields. */ + #define TRB_TC BIT(1) + +@@ -1138,8 +1144,6 @@ union cdnsp_trb { + #define TRB_HALT_ENDPOINT 54 + /* Doorbell Overflow Event. */ + #define TRB_DRB_OVERFLOW 57 +-/* Flush Endpoint Command. */ +-#define TRB_FLUSH_ENDPOINT 58 + + #define TRB_TYPE_LINK(x) (((x) & TRB_TYPE_BITMASK) == TRB_TYPE(TRB_LINK)) + #define TRB_TYPE_LINK_LE32(x) (((x) & cpu_to_le32(TRB_TYPE_BITMASK)) == \ +@@ -1552,8 +1556,6 @@ void cdnsp_queue_configure_endpoint(struct cdnsp_device *pdev, + void cdnsp_queue_reset_ep(struct cdnsp_device *pdev, unsigned int ep_index); + void cdnsp_queue_halt_endpoint(struct cdnsp_device *pdev, + unsigned int ep_index); +-void cdnsp_queue_flush_endpoint(struct cdnsp_device *pdev, +- unsigned int ep_index); + void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int intf_num); + void cdnsp_queue_reset_device(struct cdnsp_device *pdev); + void cdnsp_queue_new_dequeue_state(struct cdnsp_device *pdev, +@@ -1587,7 +1589,6 @@ void cdnsp_irq_reset(struct cdnsp_device *pdev); + int cdnsp_halt_endpoint(struct cdnsp_device *pdev, + struct cdnsp_ep *pep, int value); + int cdnsp_cmd_stop_ep(struct cdnsp_device *pdev, struct cdnsp_ep *pep); +-int cdnsp_cmd_flush_ep(struct cdnsp_device *pdev, struct cdnsp_ep *pep); + void cdnsp_setup_analyze(struct cdnsp_device *pdev); + int cdnsp_status_stage(struct cdnsp_device *pdev); + int cdnsp_reset_device(struct cdnsp_device *pdev); +diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c +index c9ad4280f4ba23..42db256978bcc8 100644 +--- a/drivers/usb/cdns3/cdnsp-ring.c ++++ b/drivers/usb/cdns3/cdnsp-ring.c +@@ -2157,19 +2157,6 @@ int cdnsp_cmd_stop_ep(struct cdnsp_device *pdev, struct cdnsp_ep *pep) + return ret; + } + +-int cdnsp_cmd_flush_ep(struct cdnsp_device *pdev, struct cdnsp_ep *pep) +-{ +- int ret; +- +- cdnsp_queue_flush_endpoint(pdev, pep->idx); +- cdnsp_ring_cmd_db(pdev); +- ret = cdnsp_wait_for_cmd_compl(pdev); +- +- trace_cdnsp_handle_cmd_flush_ep(pep->out_ctx); +- +- return ret; +-} +- + /* + * The transfer burst count field of the isochronous TRB defines the number of + * bursts that are required to move all packets in this TD. Only SuperSpeed +@@ -2488,18 +2475,8 @@ void cdnsp_queue_halt_endpoint(struct cdnsp_device *pdev, unsigned int ep_index) + { + cdnsp_queue_command(pdev, 0, 0, 0, TRB_TYPE(TRB_HALT_ENDPOINT) | + SLOT_ID_FOR_TRB(pdev->slot_id) | +- EP_ID_FOR_TRB(ep_index)); +-} +- +-/* +- * Queue a flush endpoint request on the command ring. +- */ +-void cdnsp_queue_flush_endpoint(struct cdnsp_device *pdev, +- unsigned int ep_index) +-{ +- cdnsp_queue_command(pdev, 0, 0, 0, TRB_TYPE(TRB_FLUSH_ENDPOINT) | +- SLOT_ID_FOR_TRB(pdev->slot_id) | +- EP_ID_FOR_TRB(ep_index)); ++ EP_ID_FOR_TRB(ep_index) | ++ (!ep_index ? TRB_ESP : 0)); + } + + void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int intf_num) +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index bb20d8dd187918..488cb16acd67ef 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1818,6 +1818,7 @@ static int dwc3_core_init_for_resume(struct dwc3 *dwc) + static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + { + u32 reg; ++ int ret; + + if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) { + dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) & +@@ -1836,7 +1837,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + case DWC3_GCTL_PRTCAP_DEVICE: + if (pm_runtime_suspended(dwc->dev)) + break; +- dwc3_gadget_suspend(dwc); ++ ret = dwc3_gadget_suspend(dwc); ++ if (ret) ++ return ret; + synchronize_irq(dwc->irq_gadget); + dwc3_core_exit(dwc); + break; +@@ -1867,7 +1870,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg) + break; + + if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) { +- dwc3_gadget_suspend(dwc); ++ ret = dwc3_gadget_suspend(dwc); ++ if (ret) ++ return ret; + synchronize_irq(dwc->irq_gadget); + } + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index a99e669468ee30..44bb3770f8bb23 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -4580,26 +4580,22 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) + int ret; + + ret = dwc3_gadget_soft_disconnect(dwc); +- if (ret) +- goto err; +- +- spin_lock_irqsave(&dwc->lock, flags); +- if (dwc->gadget_driver) +- dwc3_disconnect_gadget(dwc); +- spin_unlock_irqrestore(&dwc->lock, flags); +- +- return 0; +- +-err: + /* + * Attempt to reset the controller's state. Likely no + * communication can be established until the host + * performs a port reset. + */ +- if (dwc->softconnect) ++ if (ret && dwc->softconnect) { + dwc3_gadget_soft_connect(dwc); ++ return -EAGAIN; ++ } + +- return ret; ++ spin_lock_irqsave(&dwc->lock, flags); ++ if (dwc->gadget_driver) ++ dwc3_disconnect_gadget(dwc); ++ spin_unlock_irqrestore(&dwc->lock, flags); ++ ++ return 0; + } + + int dwc3_gadget_resume(struct dwc3 *dwc) +diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c +index 37ba396d5473fb..2e5ce075935a9d 100644 +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -290,8 +290,8 @@ __acquires(&port->port_lock) + break; + } + +- if (do_tty_wake && port->port.tty) +- tty_wakeup(port->port.tty); ++ if (do_tty_wake) ++ tty_port_tty_wakeup(&port->port); + return status; + } + +@@ -568,7 +568,7 @@ static int gs_start_io(struct gs_port *port) + gs_start_tx(port); + /* Unblock any pending writes into our circular buffer, in case + * we didn't in gs_start_tx() */ +- tty_wakeup(port->port.tty); ++ tty_port_tty_wakeup(&port->port); + } else { + /* Free reqs only if we are still connected */ + if (port->port_usb) { +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index db22ab0d88893a..149128b89100be 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1462,6 +1462,10 @@ int xhci_endpoint_init(struct xhci_hcd *xhci, + /* Periodic endpoint bInterval limit quirk */ + if (usb_endpoint_xfer_int(&ep->desc) || + usb_endpoint_xfer_isoc(&ep->desc)) { ++ if ((xhci->quirks & XHCI_LIMIT_ENDPOINT_INTERVAL_9) && ++ interval >= 9) { ++ interval = 8; ++ } + if ((xhci->quirks & XHCI_LIMIT_ENDPOINT_INTERVAL_7) && + udev->speed >= USB_SPEED_HIGH && + interval >= 7) { +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 18200d3662fe65..9c7491ac28f2f3 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -65,12 +65,22 @@ + #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI 0x51ed + #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI 0x54ed + ++#define PCI_DEVICE_ID_AMD_ARIEL_TYPEC_XHCI 0x13ed ++#define PCI_DEVICE_ID_AMD_ARIEL_TYPEA_XHCI 0x13ee ++#define PCI_DEVICE_ID_AMD_STARSHIP_XHCI 0x148c ++#define PCI_DEVICE_ID_AMD_FIREFLIGHT_15D4_XHCI 0x15d4 ++#define PCI_DEVICE_ID_AMD_FIREFLIGHT_15D5_XHCI 0x15d5 ++#define PCI_DEVICE_ID_AMD_RAVEN_15E0_XHCI 0x15e0 ++#define PCI_DEVICE_ID_AMD_RAVEN_15E1_XHCI 0x15e1 ++#define PCI_DEVICE_ID_AMD_RAVEN2_XHCI 0x15e5 + #define PCI_DEVICE_ID_AMD_RENOIR_XHCI 0x1639 + #define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9 + #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba + #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb + #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc + ++#define PCI_DEVICE_ID_ATI_NAVI10_7316_XHCI 0x7316 ++ + #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042 + #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 + #define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242 +@@ -168,6 +178,21 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + if (pdev->vendor == PCI_VENDOR_ID_NEC) + xhci->quirks |= XHCI_NEC_HOST; + ++ if (pdev->vendor == PCI_VENDOR_ID_AMD && ++ (pdev->device == PCI_DEVICE_ID_AMD_ARIEL_TYPEC_XHCI || ++ pdev->device == PCI_DEVICE_ID_AMD_ARIEL_TYPEA_XHCI || ++ pdev->device == PCI_DEVICE_ID_AMD_STARSHIP_XHCI || ++ pdev->device == PCI_DEVICE_ID_AMD_FIREFLIGHT_15D4_XHCI || ++ pdev->device == PCI_DEVICE_ID_AMD_FIREFLIGHT_15D5_XHCI || ++ pdev->device == PCI_DEVICE_ID_AMD_RAVEN_15E0_XHCI || ++ pdev->device == PCI_DEVICE_ID_AMD_RAVEN_15E1_XHCI || ++ pdev->device == PCI_DEVICE_ID_AMD_RAVEN2_XHCI)) ++ xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_9; ++ ++ if (pdev->vendor == PCI_VENDOR_ID_ATI && ++ pdev->device == PCI_DEVICE_ID_ATI_NAVI10_7316_XHCI) ++ xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_9; ++ + if (pdev->vendor == PCI_VENDOR_ID_AMD && xhci->hci_version == 0x96) + xhci->quirks |= XHCI_AMD_0x96_HOST; + +@@ -191,8 +216,11 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + xhci->quirks |= XHCI_RESET_ON_RESUME; + } + +- if (pdev->vendor == PCI_VENDOR_ID_AMD) ++ if (pdev->vendor == PCI_VENDOR_ID_AMD) { + xhci->quirks |= XHCI_TRUST_TX_LENGTH; ++ if (pdev->device == 0x43f7) ++ xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; ++ } + + if ((pdev->vendor == PCI_VENDOR_ID_AMD) && + ((pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4) || +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 83c7dffa945c31..daf93bee7669b2 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -361,7 +361,8 @@ static int xhci_plat_probe(struct platform_device *pdev) + if (ret) + goto disable_usb_phy; + +- if (HCC_MAX_PSA(xhci->hcc_params) >= 4) ++ if (HCC_MAX_PSA(xhci->hcc_params) >= 4 && ++ !(xhci->quirks & XHCI_BROKEN_STREAMS)) + xhci->shared_hcd->can_do_streams = 1; + + ret = usb_add_hcd(xhci->shared_hcd, irq, IRQF_SHARED); +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index b71e02ed9f0b32..cc332de73d8131 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1669,6 +1669,7 @@ struct xhci_hcd { + #define XHCI_ZHAOXIN_HOST BIT_ULL(46) + #define XHCI_WRITE_64_HI_LO BIT_ULL(47) + #define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48) ++#define XHCI_LIMIT_ENDPOINT_INTERVAL_9 BIT_ULL(49) + + unsigned int num_active_eps; + unsigned int limit_active_eps; +diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c +index f9930887fdd2c4..2c19fa02141dcf 100644 +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -563,8 +563,10 @@ static void vhost_scsi_complete_cmd_work(struct vhost_work *work) + ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter); + if (likely(ret == sizeof(v_rsp))) { + struct vhost_scsi_virtqueue *q; +- vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); + q = container_of(cmd->tvc_vq, struct vhost_scsi_virtqueue, vq); ++ mutex_lock(&q->vq.mutex); ++ vhost_add_used(cmd->tvc_vq, cmd->tvc_vq_desc, 0); ++ mutex_unlock(&q->vq.mutex); + vq = q - vs->vqs; + __set_bit(vq, signal); + } else +@@ -1166,8 +1168,11 @@ static void vhost_scsi_tmf_resp_work(struct vhost_work *work) + else + resp_code = VIRTIO_SCSI_S_FUNCTION_REJECTED; + ++ mutex_lock(&tmf->svq->vq.mutex); + vhost_scsi_send_tmf_resp(tmf->vhost, &tmf->svq->vq, tmf->in_iovs, + tmf->vq_desc, &tmf->resp_iov, resp_code); ++ mutex_unlock(&tmf->svq->vq.mutex); ++ + vhost_scsi_release_tmf_res(tmf); + } + +diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c +index 0a2d24d6ac6f73..a10e0741bec56e 100644 +--- a/drivers/xen/grant-table.c ++++ b/drivers/xen/grant-table.c +@@ -743,7 +743,7 @@ int gnttab_setup_auto_xlat_frames(phys_addr_t addr) + if (xen_auto_xlat_grant_frames.count) + return -EINVAL; + +- vaddr = xen_remap(addr, XEN_PAGE_SIZE * max_nr_gframes); ++ vaddr = memremap(addr, XEN_PAGE_SIZE * max_nr_gframes, MEMREMAP_WB); + if (vaddr == NULL) { + pr_warn("Failed to ioremap gnttab share frames (addr=%pa)!\n", + &addr); +@@ -751,7 +751,7 @@ int gnttab_setup_auto_xlat_frames(phys_addr_t addr) + } + pfn = kcalloc(max_nr_gframes, sizeof(pfn[0]), GFP_KERNEL); + if (!pfn) { +- xen_unmap(vaddr); ++ memunmap(vaddr); + return -ENOMEM; + } + for (i = 0; i < max_nr_gframes; i++) +@@ -770,7 +770,7 @@ void gnttab_free_auto_xlat_frames(void) + if (!xen_auto_xlat_grant_frames.count) + return; + kfree(xen_auto_xlat_grant_frames.pfn); +- xen_unmap(xen_auto_xlat_grant_frames.vaddr); ++ memunmap(xen_auto_xlat_grant_frames.vaddr); + + xen_auto_xlat_grant_frames.pfn = NULL; + xen_auto_xlat_grant_frames.count = 0; +diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c +index 2068f83556b78d..77ca24611293a4 100644 +--- a/drivers/xen/xenbus/xenbus_probe.c ++++ b/drivers/xen/xenbus/xenbus_probe.c +@@ -982,8 +982,7 @@ static int __init xenbus_init(void) + #endif + xen_store_gfn = (unsigned long)v; + xen_store_interface = +- xen_remap(xen_store_gfn << XEN_PAGE_SHIFT, +- XEN_PAGE_SIZE); ++ memremap(xen_store_gfn << XEN_PAGE_SHIFT, XEN_PAGE_SIZE, MEMREMAP_WB); + break; + default: + pr_warn("Xenstore state unknown\n"); +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index e3e5bd4fb477aa..27aaa5064ff7e8 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4655,7 +4655,6 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry) + struct inode *inode = d_inode(dentry); + int err = 0; + struct btrfs_trans_handle *trans; +- u64 last_unlink_trans; + + if (inode->i_size > BTRFS_EMPTY_DIR_SIZE) + return -ENOTEMPTY; +@@ -4666,6 +4665,23 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry) + if (IS_ERR(trans)) + return PTR_ERR(trans); + ++ /* ++ * Propagate the last_unlink_trans value of the deleted dir to its ++ * parent directory. This is to prevent an unrecoverable log tree in the ++ * case we do something like this: ++ * 1) create dir foo ++ * 2) create snapshot under dir foo ++ * 3) delete the snapshot ++ * 4) rmdir foo ++ * 5) mkdir foo ++ * 6) fsync foo or some file inside foo ++ * ++ * This is because we can't unlink other roots when replaying the dir ++ * deletes for directory foo. ++ */ ++ if (BTRFS_I(inode)->last_unlink_trans >= trans->transid) ++ btrfs_record_snapshot_destroy(trans, BTRFS_I(dir)); ++ + if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) { + err = btrfs_unlink_subvol(trans, dir, dentry); + goto out; +@@ -4675,28 +4691,12 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry) + if (err) + goto out; + +- last_unlink_trans = BTRFS_I(inode)->last_unlink_trans; +- + /* now the directory is empty */ + err = btrfs_unlink_inode(trans, BTRFS_I(dir), + BTRFS_I(d_inode(dentry)), dentry->d_name.name, + dentry->d_name.len); +- if (!err) { ++ if (!err) + btrfs_i_size_write(BTRFS_I(inode), 0); +- /* +- * Propagate the last_unlink_trans value of the deleted dir to +- * its parent directory. This is to prevent an unrecoverable +- * log tree in the case we do something like this: +- * 1) create dir foo +- * 2) create snapshot under dir foo +- * 3) delete the snapshot +- * 4) rmdir foo +- * 5) mkdir foo +- * 6) fsync foo or some file inside foo +- */ +- if (last_unlink_trans >= trans->transid) +- BTRFS_I(dir)->last_unlink_trans = last_unlink_trans; +- } + out: + btrfs_end_transaction(trans); + btrfs_btree_balance_dirty(BTRFS_I(dir)->root->fs_info); +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index 27ca98614b0bbb..cb57d4f1161f03 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -835,6 +835,8 @@ int dtInsert(tid_t tid, struct inode *ip, + * the full page. + */ + DT_GETSEARCH(ip, btstack->top, bn, mp, p, index); ++ if (p->header.freelist == 0) ++ return -EINVAL; + + /* + * insert entry for new key +diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c +index 355673f2830be0..91e663d5d5bc14 100644 +--- a/fs/ksmbd/transport_rdma.c ++++ b/fs/ksmbd/transport_rdma.c +@@ -426,7 +426,8 @@ static void free_transport(struct smb_direct_transport *t) + if (t->qp) { + ib_drain_qp(t->qp); + ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs); +- ib_destroy_qp(t->qp); ++ t->qp = NULL; ++ rdma_destroy_qp(t->cm_id); + } + + ksmbd_debug(RDMA, "drain the reassembly queue\n"); +@@ -1934,8 +1935,8 @@ static int smb_direct_create_qpair(struct smb_direct_transport *t, + return 0; + err: + if (t->qp) { +- ib_destroy_qp(t->qp); + t->qp = NULL; ++ rdma_destroy_qp(t->cm_id); + } + if (t->recv_cq) { + ib_destroy_cq(t->recv_cq); +diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c +index 7afb2412c4d432..4804976c0c13fc 100644 +--- a/fs/ksmbd/vfs.c ++++ b/fs/ksmbd/vfs.c +@@ -1280,6 +1280,7 @@ int ksmbd_vfs_kern_path_locked(struct ksmbd_work *work, char *name, + + err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry); + if (err) { ++ mnt_drop_write(parent_path->mnt); + path_put(path); + path_put(parent_path); + } +diff --git a/fs/proc/array.c b/fs/proc/array.c +index 2cb01aaa671872..2ff568dc58387a 100644 +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -530,18 +530,18 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, + cgtime = sig->cgtime; + + if (whole) { +- struct task_struct *t = task; ++ struct task_struct *t; + + min_flt = sig->min_flt; + maj_flt = sig->maj_flt; + gtime = sig->gtime; + + rcu_read_lock(); +- do { ++ __for_each_thread(sig, t) { + min_flt += t->min_flt; + maj_flt += t->maj_flt; + gtime += task_gtime(t); +- } while_each_thread(task, t); ++ } + rcu_read_unlock(); + } + } while (need_seqretry(&sig->stats_lock, seq)); +diff --git a/fs/proc/inode.c b/fs/proc/inode.c +index 695471fa24fe5e..de5ae2e5a97df0 100644 +--- a/fs/proc/inode.c ++++ b/fs/proc/inode.c +@@ -54,7 +54,7 @@ static void proc_evict_inode(struct inode *inode) + + head = ei->sysctl; + if (head) { +- RCU_INIT_POINTER(ei->sysctl, NULL); ++ WRITE_ONCE(ei->sysctl, NULL); + proc_sys_evict_inode(inode, head); + } + } +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index 7c5d472b193f88..1a22aa43e740df 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -910,17 +910,21 @@ static int proc_sys_compare(const struct dentry *dentry, + struct ctl_table_header *head; + struct inode *inode; + +- /* Although proc doesn't have negative dentries, rcu-walk means +- * that inode here can be NULL */ +- /* AV: can it, indeed? */ +- inode = d_inode_rcu(dentry); +- if (!inode) +- return 1; + if (name->len != len) + return 1; + if (memcmp(name->name, str, len)) + return 1; +- head = rcu_dereference(PROC_I(inode)->sysctl); ++ ++ // false positive is fine here - we'll recheck anyway ++ if (d_in_lookup(dentry)) ++ return 0; ++ ++ inode = d_inode_rcu(dentry); ++ // we just might have run into dentry in the middle of __dentry_kill() ++ if (!inode) ++ return 1; ++ ++ head = READ_ONCE(PROC_I(inode)->sysctl); + return !head || !sysctl_is_seen(head); + } + +diff --git a/include/drm/drm_file.h b/include/drm/drm_file.h +index a3acb7ac355040..f5cccc92779ce4 100644 +--- a/include/drm/drm_file.h ++++ b/include/drm/drm_file.h +@@ -273,6 +273,9 @@ struct drm_file { + * + * Mapping of mm object handles to object pointers. Used by the GEM + * subsystem. Protected by @table_lock. ++ * ++ * Note that allocated entries might be NULL as a transient state when ++ * creating or deleting a handle. + */ + struct idr object_idr; + +diff --git a/include/drm/spsc_queue.h b/include/drm/spsc_queue.h +index 125f096c88cb96..ee9df8cc67b730 100644 +--- a/include/drm/spsc_queue.h ++++ b/include/drm/spsc_queue.h +@@ -70,9 +70,11 @@ static inline bool spsc_queue_push(struct spsc_queue *queue, struct spsc_node *n + + preempt_disable(); + ++ atomic_inc(&queue->job_count); ++ smp_mb__after_atomic(); ++ + tail = (struct spsc_node **)atomic_long_xchg(&queue->tail, (long)&node->next); + WRITE_ONCE(*tail, node); +- atomic_inc(&queue->job_count); + + /* + * In case of first element verify new node will be visible to the consumer +diff --git a/include/linux/dma-resv.h b/include/linux/dma-resv.h +index e1ca2080a1ff15..ef9f94ce2cc38f 100644 +--- a/include/linux/dma-resv.h ++++ b/include/linux/dma-resv.h +@@ -75,6 +75,101 @@ struct dma_resv { + struct dma_resv_list __rcu *fence; + }; + ++/** ++ * struct dma_resv_iter - current position into the dma_resv fences ++ * ++ * Don't touch this directly in the driver, use the accessor function instead. ++ */ ++struct dma_resv_iter { ++ /** @obj: The dma_resv object we iterate over */ ++ struct dma_resv *obj; ++ ++ /** @all_fences: If all fences should be returned */ ++ bool all_fences; ++ ++ /** @fence: the currently handled fence */ ++ struct dma_fence *fence; ++ ++ /** @seq: sequence number to check for modifications */ ++ unsigned int seq; ++ ++ /** @index: index into the shared fences */ ++ unsigned int index; ++ ++ /** @fences: the shared fences */ ++ struct dma_resv_list *fences; ++ ++ /** @is_restarted: true if this is the first returned fence */ ++ bool is_restarted; ++}; ++ ++struct dma_fence *dma_resv_iter_first_unlocked(struct dma_resv_iter *cursor); ++struct dma_fence *dma_resv_iter_next_unlocked(struct dma_resv_iter *cursor); ++ ++/** ++ * dma_resv_iter_begin - initialize a dma_resv_iter object ++ * @cursor: The dma_resv_iter object to initialize ++ * @obj: The dma_resv object which we want to iterate over ++ * @all_fences: If all fences should be returned or just the exclusive one ++ */ ++static inline void dma_resv_iter_begin(struct dma_resv_iter *cursor, ++ struct dma_resv *obj, ++ bool all_fences) ++{ ++ cursor->obj = obj; ++ cursor->all_fences = all_fences; ++ cursor->fence = NULL; ++} ++ ++/** ++ * dma_resv_iter_end - cleanup a dma_resv_iter object ++ * @cursor: the dma_resv_iter object which should be cleaned up ++ * ++ * Make sure that the reference to the fence in the cursor is properly ++ * dropped. ++ */ ++static inline void dma_resv_iter_end(struct dma_resv_iter *cursor) ++{ ++ dma_fence_put(cursor->fence); ++} ++ ++/** ++ * dma_resv_iter_is_exclusive - test if the current fence is the exclusive one ++ * @cursor: the cursor of the current position ++ * ++ * Returns true if the currently returned fence is the exclusive one. ++ */ ++static inline bool dma_resv_iter_is_exclusive(struct dma_resv_iter *cursor) ++{ ++ return cursor->index == 0; ++} ++ ++/** ++ * dma_resv_iter_is_restarted - test if this is the first fence after a restart ++ * @cursor: the cursor with the current position ++ * ++ * Return true if this is the first fence in an iteration after a restart. ++ */ ++static inline bool dma_resv_iter_is_restarted(struct dma_resv_iter *cursor) ++{ ++ return cursor->is_restarted; ++} ++ ++/** ++ * dma_resv_for_each_fence_unlocked - unlocked fence iterator ++ * @cursor: a struct dma_resv_iter pointer ++ * @fence: the current fence ++ * ++ * Iterate over the fences in a struct dma_resv object without holding the ++ * &dma_resv.lock and using RCU instead. The cursor needs to be initialized ++ * with dma_resv_iter_begin() and cleaned up with dma_resv_iter_end(). Inside ++ * the iterator a reference to the dma_fence is held and the RCU lock dropped. ++ * When the dma_resv is modified the iteration starts over again. ++ */ ++#define dma_resv_for_each_fence_unlocked(cursor, fence) \ ++ for (fence = dma_resv_iter_first_unlocked(cursor); \ ++ fence; fence = dma_resv_iter_next_unlocked(cursor)) ++ + #define dma_resv_held(obj) lockdep_is_held(&(obj)->lock.base) + #define dma_resv_assert_held(obj) lockdep_assert_held(&(obj)->lock.base) + +diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h +index 8e98fb8edff8da..664c3637e283c6 100644 +--- a/include/net/netfilter/nf_flow_table.h ++++ b/include/net/netfilter/nf_flow_table.h +@@ -336,7 +336,7 @@ static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb) + + static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto) + { +- if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) ++ if (!pskb_may_pull(skb, ETH_HLEN + PPPOE_SES_HLEN)) + return false; + + *inner_proto = __nf_flow_pppoe_proto(skb); +diff --git a/include/xen/arm/page.h b/include/xen/arm/page.h +index ac1b654705631d..f831cfeca00055 100644 +--- a/include/xen/arm/page.h ++++ b/include/xen/arm/page.h +@@ -109,9 +109,6 @@ static inline bool set_phys_to_machine(unsigned long pfn, unsigned long mfn) + return __set_phys_to_machine(pfn, mfn); + } + +-#define xen_remap(cookie, size) ioremap_cache((cookie), (size)) +-#define xen_unmap(cookie) iounmap((cookie)) +- + bool xen_arch_need_swiotlb(struct device *dev, + phys_addr_t phys, + dma_addr_t dev_addr); +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 7049a85a78ab22..89b4fa815a9ba4 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2134,12 +2134,29 @@ static int push_jmp_history(struct bpf_verifier_env *env, + + /* Backtrack one insn at a time. If idx is not at the top of recorded + * history then previous instruction came from straight line execution. ++ * Return -ENOENT if we exhausted all instructions within given state. ++ * ++ * It's legal to have a bit of a looping with the same starting and ending ++ * insn index within the same state, e.g.: 3->4->5->3, so just because current ++ * instruction index is the same as state's first_idx doesn't mean we are ++ * done. If there is still some jump history left, we should keep going. We ++ * need to take into account that we might have a jump history between given ++ * state's parent and itself, due to checkpointing. In this case, we'll have ++ * history entry recording a jump from last instruction of parent state and ++ * first instruction of given state. + */ + static int get_prev_insn_idx(struct bpf_verifier_state *st, int i, + u32 *history) + { + u32 cnt = *history; + ++ if (i == st->first_insn_idx) { ++ if (cnt == 0) ++ return -ENOENT; ++ if (cnt == 1 && st->jmp_history[0].idx == i) ++ return -ENOENT; ++ } ++ + if (cnt && st->jmp_history[cnt - 1].idx == i) { + i = st->jmp_history[cnt - 1].prev_idx; + (*history)--; +@@ -2630,9 +2647,9 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int r + * Nothing to be tracked further in the parent state. + */ + return 0; +- if (i == first_idx) +- break; + i = get_prev_insn_idx(st, i, &history); ++ if (i == -ENOENT) ++ break; + if (i >= env->prog->len) { + /* This can happen if backtracking reached insn 0 + * and there are still reg_mask or stack_mask +diff --git a/kernel/events/core.c b/kernel/events/core.c +index c7ae6b426de38b..3e98d102931444 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10225,7 +10225,7 @@ static int perf_uprobe_event_init(struct perf_event *event) + if (event->attr.type != perf_uprobe.type) + return -ENOENT; + +- if (!perfmon_capable()) ++ if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + + /* +diff --git a/kernel/rseq.c b/kernel/rseq.c +index 97ac20b4f7387f..4430a84fa2bf6f 100644 +--- a/kernel/rseq.c ++++ b/kernel/rseq.c +@@ -119,6 +119,29 @@ static int rseq_reset_rseq_cpu_id(struct task_struct *t) + return 0; + } + ++/* ++ * Get the user-space pointer value stored in the 'rseq_cs' field. ++ */ ++static int rseq_get_rseq_cs_ptr_val(struct rseq __user *rseq, u64 *rseq_cs) ++{ ++ if (!rseq_cs) ++ return -EFAULT; ++ ++#ifdef CONFIG_64BIT ++ if (get_user(*rseq_cs, &rseq->rseq_cs)) ++ return -EFAULT; ++#else ++ if (copy_from_user(rseq_cs, &rseq->rseq_cs, sizeof(*rseq_cs))) ++ return -EFAULT; ++#endif ++ ++ return 0; ++} ++ ++/* ++ * If the rseq_cs field of 'struct rseq' contains a valid pointer to ++ * user-space, copy 'struct rseq_cs' from user-space and validate its fields. ++ */ + static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs) + { + struct rseq_cs __user *urseq_cs; +@@ -127,17 +150,16 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs) + u32 sig; + int ret; + +-#ifdef CONFIG_64BIT +- if (get_user(ptr, &t->rseq->rseq_cs)) +- return -EFAULT; +-#else +- if (copy_from_user(&ptr, &t->rseq->rseq_cs, sizeof(ptr))) +- return -EFAULT; +-#endif ++ ret = rseq_get_rseq_cs_ptr_val(t->rseq, &ptr); ++ if (ret) ++ return ret; ++ ++ /* If the rseq_cs pointer is NULL, return a cleared struct rseq_cs. */ + if (!ptr) { + memset(rseq_cs, 0, sizeof(*rseq_cs)); + return 0; + } ++ /* Check that the pointer value fits in the user-space process space. */ + if (ptr >= TASK_SIZE) + return -EINVAL; + urseq_cs = (struct rseq_cs __user *)(unsigned long)ptr; +@@ -206,7 +228,7 @@ static int rseq_need_restart(struct task_struct *t, u32 cs_flags) + return !!(event_mask & ~flags); + } + +-static int clear_rseq_cs(struct task_struct *t) ++static int clear_rseq_cs(struct rseq __user *rseq) + { + /* + * The rseq_cs field is set to NULL on preemption or signal +@@ -217,9 +239,9 @@ static int clear_rseq_cs(struct task_struct *t) + * Set rseq_cs to NULL. + */ + #ifdef CONFIG_64BIT +- return put_user(0UL, &t->rseq->rseq_cs); ++ return put_user(0UL, &rseq->rseq_cs); + #else +- if (clear_user(&t->rseq->rseq_cs, sizeof(t->rseq->rseq_cs))) ++ if (clear_user(&rseq->rseq_cs, sizeof(rseq->rseq_cs))) + return -EFAULT; + return 0; + #endif +@@ -251,11 +273,11 @@ static int rseq_ip_fixup(struct pt_regs *regs) + * Clear the rseq_cs pointer and return. + */ + if (!in_rseq_cs(ip, &rseq_cs)) +- return clear_rseq_cs(t); ++ return clear_rseq_cs(t->rseq); + ret = rseq_need_restart(t, rseq_cs.flags); + if (ret <= 0) + return ret; +- ret = clear_rseq_cs(t); ++ ret = clear_rseq_cs(t->rseq); + if (ret) + return ret; + trace_rseq_ip_fixup(ip, rseq_cs.start_ip, rseq_cs.post_commit_offset, +@@ -329,6 +351,7 @@ SYSCALL_DEFINE4(rseq, struct rseq __user *, rseq, u32, rseq_len, + int, flags, u32, sig) + { + int ret; ++ u64 rseq_cs; + + if (flags & RSEQ_FLAG_UNREGISTER) { + if (flags & ~RSEQ_FLAG_UNREGISTER) +@@ -374,6 +397,19 @@ SYSCALL_DEFINE4(rseq, struct rseq __user *, rseq, u32, rseq_len, + return -EINVAL; + if (!access_ok(rseq, rseq_len)) + return -EFAULT; ++ ++ /* ++ * If the rseq_cs pointer is non-NULL on registration, clear it to ++ * avoid a potential segfault on return to user-space. The proper thing ++ * to do would have been to fail the registration but this would break ++ * older libcs that reuse the rseq area for new threads without ++ * clearing the fields. ++ */ ++ if (rseq_get_rseq_cs_ptr_val(rseq, &rseq_cs)) ++ return -EFAULT; ++ if (rseq_cs && clear_rseq_cs(rseq)) ++ return -EFAULT; ++ + current->rseq = rseq; + current->rseq_sig = sig; + /* +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index 8daa3a1bfa4cd9..344a38905c48d8 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -563,6 +563,7 @@ static int atrtr_create(struct rtentry *r, struct net_device *devhint) + + /* Fill in the routing entry */ + rt->target = ta->sat_addr; ++ dev_put(rt->dev); /* Release old device */ + dev_hold(devhint); + rt->dev = devhint; + rt->flags = r->rt_flags; +diff --git a/net/atm/clip.c b/net/atm/clip.c +index 511467bb7fe40d..53d62361ae4606 100644 +--- a/net/atm/clip.c ++++ b/net/atm/clip.c +@@ -45,7 +45,8 @@ + #include <net/atmclip.h> + + static struct net_device *clip_devs; +-static struct atm_vcc *atmarpd; ++static struct atm_vcc __rcu *atmarpd; ++static DEFINE_MUTEX(atmarpd_lock); + static struct timer_list idle_timer; + static const struct neigh_ops clip_neigh_ops; + +@@ -53,24 +54,35 @@ static int to_atmarpd(enum atmarp_ctrl_type type, int itf, __be32 ip) + { + struct sock *sk; + struct atmarp_ctrl *ctrl; ++ struct atm_vcc *vcc; + struct sk_buff *skb; ++ int err = 0; + + pr_debug("(%d)\n", type); +- if (!atmarpd) +- return -EUNATCH; ++ ++ rcu_read_lock(); ++ vcc = rcu_dereference(atmarpd); ++ if (!vcc) { ++ err = -EUNATCH; ++ goto unlock; ++ } + skb = alloc_skb(sizeof(struct atmarp_ctrl), GFP_ATOMIC); +- if (!skb) +- return -ENOMEM; ++ if (!skb) { ++ err = -ENOMEM; ++ goto unlock; ++ } + ctrl = skb_put(skb, sizeof(struct atmarp_ctrl)); + ctrl->type = type; + ctrl->itf_num = itf; + ctrl->ip = ip; +- atm_force_charge(atmarpd, skb->truesize); ++ atm_force_charge(vcc, skb->truesize); + +- sk = sk_atm(atmarpd); ++ sk = sk_atm(vcc); + skb_queue_tail(&sk->sk_receive_queue, skb); + sk->sk_data_ready(sk); +- return 0; ++unlock: ++ rcu_read_unlock(); ++ return err; + } + + static void link_vcc(struct clip_vcc *clip_vcc, struct atmarp_entry *entry) +@@ -417,6 +429,8 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout) + + if (!vcc->push) + return -EBADFD; ++ if (vcc->user_back) ++ return -EINVAL; + clip_vcc = kmalloc(sizeof(struct clip_vcc), GFP_KERNEL); + if (!clip_vcc) + return -ENOMEM; +@@ -607,17 +621,27 @@ static void atmarpd_close(struct atm_vcc *vcc) + { + pr_debug("\n"); + +- rtnl_lock(); +- atmarpd = NULL; ++ mutex_lock(&atmarpd_lock); ++ RCU_INIT_POINTER(atmarpd, NULL); ++ mutex_unlock(&atmarpd_lock); ++ ++ synchronize_rcu(); + skb_queue_purge(&sk_atm(vcc)->sk_receive_queue); +- rtnl_unlock(); + + pr_debug("(done)\n"); + module_put(THIS_MODULE); + } + ++static int atmarpd_send(struct atm_vcc *vcc, struct sk_buff *skb) ++{ ++ atm_return_tx(vcc, skb); ++ dev_kfree_skb_any(skb); ++ return 0; ++} ++ + static const struct atmdev_ops atmarpd_dev_ops = { +- .close = atmarpd_close ++ .close = atmarpd_close, ++ .send = atmarpd_send + }; + + +@@ -631,15 +655,18 @@ static struct atm_dev atmarpd_dev = { + + static int atm_init_atmarp(struct atm_vcc *vcc) + { +- rtnl_lock(); ++ if (vcc->push == clip_push) ++ return -EINVAL; ++ ++ mutex_lock(&atmarpd_lock); + if (atmarpd) { +- rtnl_unlock(); ++ mutex_unlock(&atmarpd_lock); + return -EADDRINUSE; + } + + mod_timer(&idle_timer, jiffies + CLIP_CHECK_INTERVAL * HZ); + +- atmarpd = vcc; ++ rcu_assign_pointer(atmarpd, vcc); + set_bit(ATM_VF_META, &vcc->flags); + set_bit(ATM_VF_READY, &vcc->flags); + /* allow replies and avoid getting closed if signaling dies */ +@@ -648,13 +675,14 @@ static int atm_init_atmarp(struct atm_vcc *vcc) + vcc->push = NULL; + vcc->pop = NULL; /* crash */ + vcc->push_oam = NULL; /* crash */ +- rtnl_unlock(); ++ mutex_unlock(&atmarpd_lock); + return 0; + } + + static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + { + struct atm_vcc *vcc = ATM_SD(sock); ++ struct sock *sk = sock->sk; + int err = 0; + + switch (cmd) { +@@ -675,14 +703,18 @@ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) + err = clip_create(arg); + break; + case ATMARPD_CTRL: ++ lock_sock(sk); + err = atm_init_atmarp(vcc); + if (!err) { + sock->state = SS_CONNECTED; + __module_get(THIS_MODULE); + } ++ release_sock(sk); + break; + case ATMARP_MKIP: ++ lock_sock(sk); + err = clip_mkip(vcc, arg); ++ release_sock(sk); + break; + case ATMARP_SETENTRY: + err = clip_setentry(vcc, (__force __be32)arg); +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index b3d675c3c1ec47..ee38b50eacae53 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -608,12 +608,18 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb + static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb, + u32 off, u32 len, bool ingress) + { ++ int err = 0; ++ + if (!ingress) { + if (!sock_writeable(psock->sk)) + return -EAGAIN; + return skb_send_sock(psock->sk, skb, off, len); + } +- return sk_psock_skb_ingress(psock, skb, off, len); ++ skb_get(skb); ++ err = sk_psock_skb_ingress(psock, skb, off, len); ++ if (err < 0) ++ kfree_skb(skb); ++ return err; + } + + static void sk_psock_skb_state(struct sk_psock *psock, +@@ -693,9 +699,7 @@ static void sk_psock_backlog(struct work_struct *work) + /* The entire skb sent, clear state */ + sk_psock_skb_state(psock, state, 0, 0); + skb = skb_dequeue(&psock->ingress_skb); +- if (!ingress) { +- kfree_skb(skb); +- } ++ kfree_skb(skb); + } + end: + mutex_unlock(&psock->work_mutex); +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 47c4a3e72bcd92..bb0e385992fcc4 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3453,11 +3453,9 @@ static void addrconf_gre_config(struct net_device *dev) + + ASSERT_RTNL(); + +- idev = ipv6_find_idev(dev); +- if (IS_ERR(idev)) { +- pr_debug("%s: add_dev failed\n", __func__); ++ idev = addrconf_add_dev(dev); ++ if (IS_ERR(idev)) + return; +- } + + /* Generate the IPv6 link-local address using addrconf_addr_gen(), + * unless we have an IPv4 GRE device not bound to an IP address and +@@ -3471,9 +3469,6 @@ static void addrconf_gre_config(struct net_device *dev) + } + + add_v4_addrs(idev); +- +- if (dev->flags & IFF_POINTOPOINT) +- addrconf_add_mroute(dev); + } + #endif + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index d3852526ef52ec..08c3908f562ed7 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -387,7 +387,6 @@ static void netlink_skb_set_owner_r(struct sk_buff *skb, struct sock *sk) + WARN_ON(skb->sk != NULL); + skb->sk = sk; + skb->destructor = netlink_skb_destructor; +- atomic_add(skb->truesize, &sk->sk_rmem_alloc); + sk_mem_charge(sk, skb->truesize); + } + +@@ -1211,41 +1210,48 @@ static struct sk_buff *netlink_alloc_large_skb(unsigned int size, + int netlink_attachskb(struct sock *sk, struct sk_buff *skb, + long *timeo, struct sock *ssk) + { ++ DECLARE_WAITQUEUE(wait, current); + struct netlink_sock *nlk; ++ unsigned int rmem; + + nlk = nlk_sk(sk); ++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); + +- if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf || +- test_bit(NETLINK_S_CONGESTED, &nlk->state))) { +- DECLARE_WAITQUEUE(wait, current); +- if (!*timeo) { +- if (!ssk || netlink_is_kernel(ssk)) +- netlink_overrun(sk); +- sock_put(sk); +- kfree_skb(skb); +- return -EAGAIN; +- } +- +- __set_current_state(TASK_INTERRUPTIBLE); +- add_wait_queue(&nlk->wait, &wait); ++ if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) && ++ !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { ++ netlink_skb_set_owner_r(skb, sk); ++ return 0; ++ } + +- if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf || +- test_bit(NETLINK_S_CONGESTED, &nlk->state)) && +- !sock_flag(sk, SOCK_DEAD)) +- *timeo = schedule_timeout(*timeo); ++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc); + +- __set_current_state(TASK_RUNNING); +- remove_wait_queue(&nlk->wait, &wait); ++ if (!*timeo) { ++ if (!ssk || netlink_is_kernel(ssk)) ++ netlink_overrun(sk); + sock_put(sk); ++ kfree_skb(skb); ++ return -EAGAIN; ++ } + +- if (signal_pending(current)) { +- kfree_skb(skb); +- return sock_intr_errno(*timeo); +- } +- return 1; ++ __set_current_state(TASK_INTERRUPTIBLE); ++ add_wait_queue(&nlk->wait, &wait); ++ rmem = atomic_read(&sk->sk_rmem_alloc); ++ ++ if (((rmem && rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)) || ++ test_bit(NETLINK_S_CONGESTED, &nlk->state)) && ++ !sock_flag(sk, SOCK_DEAD)) ++ *timeo = schedule_timeout(*timeo); ++ ++ __set_current_state(TASK_RUNNING); ++ remove_wait_queue(&nlk->wait, &wait); ++ sock_put(sk); ++ ++ if (signal_pending(current)) { ++ kfree_skb(skb); ++ return sock_intr_errno(*timeo); + } +- netlink_skb_set_owner_r(skb, sk); +- return 0; ++ ++ return 1; + } + + static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb) +@@ -1305,6 +1311,7 @@ static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb, + ret = -ECONNREFUSED; + if (nlk->netlink_rcv != NULL) { + ret = skb->len; ++ atomic_add(skb->truesize, &sk->sk_rmem_alloc); + netlink_skb_set_owner_r(skb, sk); + NETLINK_CB(skb).sk = ssk; + netlink_deliver_tap_kernel(sk, ssk, skb); +@@ -1383,13 +1390,19 @@ EXPORT_SYMBOL_GPL(netlink_strict_get_check); + static int netlink_broadcast_deliver(struct sock *sk, struct sk_buff *skb) + { + struct netlink_sock *nlk = nlk_sk(sk); ++ unsigned int rmem, rcvbuf; + +- if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf && ++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); ++ rcvbuf = READ_ONCE(sk->sk_rcvbuf); ++ ++ if ((rmem == skb->truesize || rmem <= rcvbuf) && + !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { + netlink_skb_set_owner_r(skb, sk); + __netlink_sendskb(sk, skb); +- return atomic_read(&sk->sk_rmem_alloc) > (sk->sk_rcvbuf >> 1); ++ return rmem > (rcvbuf >> 1); + } ++ ++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc); + return -1; + } + +@@ -2202,6 +2215,7 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + struct netlink_ext_ack extack = {}; + struct netlink_callback *cb; + struct sk_buff *skb = NULL; ++ unsigned int rmem, rcvbuf; + size_t max_recvmsg_len; + struct module *module; + int err = -ENOBUFS; +@@ -2215,9 +2229,6 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + goto errout_skb; + } + +- if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) +- goto errout_skb; +- + /* NLMSG_GOODSIZE is small to avoid high order allocations being + * required, but it makes sense to _attempt_ a 16K bytes allocation + * to reduce number of system calls on dump operations, if user +@@ -2240,6 +2251,13 @@ static int netlink_dump(struct sock *sk, bool lock_taken) + if (!skb) + goto errout_skb; + ++ rcvbuf = READ_ONCE(sk->sk_rcvbuf); ++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); ++ if (rmem != skb->truesize && rmem >= rcvbuf) { ++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc); ++ goto errout_skb; ++ } ++ + /* Trim skb to allocated size. User is expected to provide buffer as + * large as max(min_dump_alloc, 16KiB (mac_recvmsg_len capped at + * netlink_recvmsg())). dump will pack as many smaller messages as +diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c +index 99e10eea373217..658b592e58e058 100644 +--- a/net/rxrpc/call_accept.c ++++ b/net/rxrpc/call_accept.c +@@ -270,6 +270,9 @@ static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, + unsigned short call_tail, conn_tail, peer_tail; + unsigned short call_count, conn_count; + ++ if (!b) ++ return NULL; ++ + /* #calls >= #conns >= #peers must hold true. */ + call_head = smp_load_acquire(&b->call_backlog_head); + call_tail = b->call_backlog_tail; +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 222921b4751f35..d12e76cdbff6b6 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -331,17 +331,22 @@ struct Qdisc *qdisc_lookup_rcu(struct net_device *dev, u32 handle) + return q; + } + +-static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid) ++static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid, ++ struct netlink_ext_ack *extack) + { + unsigned long cl; + const struct Qdisc_class_ops *cops = p->ops->cl_ops; + +- if (cops == NULL) +- return NULL; ++ if (cops == NULL) { ++ NL_SET_ERR_MSG(extack, "Parent qdisc is not classful"); ++ return ERR_PTR(-EOPNOTSUPP); ++ } + cl = cops->find(p, classid); + +- if (cl == 0) +- return NULL; ++ if (cl == 0) { ++ NL_SET_ERR_MSG(extack, "Specified class not found"); ++ return ERR_PTR(-ENOENT); ++ } + return cops->leaf(p, cl); + } + +@@ -1462,7 +1467,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Failed to find qdisc with specified classid"); + return -ENOENT; + } +- q = qdisc_leaf(p, clid); ++ q = qdisc_leaf(p, clid, extack); + } else if (dev_ingress_queue(dev)) { + q = dev_ingress_queue(dev)->qdisc_sleeping; + } +@@ -1473,6 +1478,8 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device"); + return -ENOENT; + } ++ if (IS_ERR(q)) ++ return PTR_ERR(q); + + if (tcm->tcm_handle && q->handle != tcm->tcm_handle) { + NL_SET_ERR_MSG(extack, "Invalid handle"); +@@ -1569,7 +1576,9 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + NL_SET_ERR_MSG(extack, "Failed to find specified qdisc"); + return -ENOENT; + } +- q = qdisc_leaf(p, clid); ++ q = qdisc_leaf(p, clid, extack); ++ if (IS_ERR(q)) ++ return PTR_ERR(q); + } else if (dev_ingress_queue_create(dev)) { + q = dev_ingress_queue(dev)->qdisc_sleeping; + } +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index e3b427a703980d..4292c0f1e3daa3 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -699,8 +699,10 @@ static void tipc_topsrv_stop(struct net *net) + for (id = 0; srv->idr_in_use; id++) { + con = idr_find(&srv->conn_idr, id); + if (con) { ++ conn_get(con); + spin_unlock_bh(&srv->idr_lock); + tipc_conn_close(con); ++ conn_put(con); + spin_lock_bh(&srv->idr_lock); + } + } +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 036bdcc9d5c510..c4006e09db0914 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -400,6 +400,8 @@ EXPORT_SYMBOL_GPL(vsock_enqueue_accept); + + static bool vsock_use_local_transport(unsigned int remote_cid) + { ++ lockdep_assert_held(&vsock_register_mutex); ++ + if (!transport_local) + return false; + +@@ -457,6 +459,8 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + + remote_flags = vsk->remote_addr.svm_flags; + ++ mutex_lock(&vsock_register_mutex); ++ + switch (sk->sk_type) { + case SOCK_DGRAM: + new_transport = transport_dgram; +@@ -472,12 +476,15 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + new_transport = transport_h2g; + break; + default: +- return -ESOCKTNOSUPPORT; ++ ret = -ESOCKTNOSUPPORT; ++ goto err; + } + + if (vsk->transport) { +- if (vsk->transport == new_transport) +- return 0; ++ if (vsk->transport == new_transport) { ++ ret = 0; ++ goto err; ++ } + + /* transport->release() must be called with sock lock acquired. + * This path can only be taken during vsock_connect(), where we +@@ -501,8 +508,16 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + /* We increase the module refcnt to prevent the transport unloading + * while there are open sockets assigned to it. + */ +- if (!new_transport || !try_module_get(new_transport->module)) +- return -ENODEV; ++ if (!new_transport || !try_module_get(new_transport->module)) { ++ ret = -ENODEV; ++ goto err; ++ } ++ ++ /* It's safe to release the mutex after a successful try_module_get(). ++ * Whichever transport `new_transport` points at, it won't go away until ++ * the last module_put() below or in vsock_deassign_transport(). ++ */ ++ mutex_unlock(&vsock_register_mutex); + + if (sk->sk_type == SOCK_SEQPACKET) { + if (!new_transport->seqpacket_allow || +@@ -521,12 +536,31 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk) + vsk->transport = new_transport; + + return 0; ++err: ++ mutex_unlock(&vsock_register_mutex); ++ return ret; + } + EXPORT_SYMBOL_GPL(vsock_assign_transport); + ++/* ++ * Provide safe access to static transport_{h2g,g2h,dgram,local} callbacks. ++ * Otherwise we may race with module removal. Do not use on `vsk->transport`. ++ */ ++static u32 vsock_registered_transport_cid(const struct vsock_transport **transport) ++{ ++ u32 cid = VMADDR_CID_ANY; ++ ++ mutex_lock(&vsock_register_mutex); ++ if (*transport) ++ cid = (*transport)->get_local_cid(); ++ mutex_unlock(&vsock_register_mutex); ++ ++ return cid; ++} ++ + bool vsock_find_cid(unsigned int cid) + { +- if (transport_g2h && cid == transport_g2h->get_local_cid()) ++ if (cid == vsock_registered_transport_cid(&transport_g2h)) + return true; + + if (transport_h2g && cid == VMADDR_CID_HOST) +@@ -2293,18 +2327,19 @@ static long vsock_dev_do_ioctl(struct file *filp, + unsigned int cmd, void __user *ptr) + { + u32 __user *p = ptr; +- u32 cid = VMADDR_CID_ANY; + int retval = 0; ++ u32 cid; + + switch (cmd) { + case IOCTL_VM_SOCKETS_GET_LOCAL_CID: + /* To be compatible with the VMCI behavior, we prioritize the + * guest CID instead of well-know host CID (VMADDR_CID_HOST). + */ +- if (transport_g2h) +- cid = transport_g2h->get_local_cid(); +- else if (transport_h2g) +- cid = transport_h2g->get_local_cid(); ++ cid = vsock_registered_transport_cid(&transport_g2h); ++ if (cid == VMADDR_CID_ANY) ++ cid = vsock_registered_transport_cid(&transport_h2g); ++ if (cid == VMADDR_CID_ANY) ++ cid = vsock_registered_transport_cid(&transport_local); + + if (put_user(cid, p) != 0) + retval = -EFAULT; +diff --git a/sound/soc/fsl/fsl_asrc.c b/sound/soc/fsl/fsl_asrc.c +index 08ca410ef551b9..3f36e3d2d9a202 100644 +--- a/sound/soc/fsl/fsl_asrc.c ++++ b/sound/soc/fsl/fsl_asrc.c +@@ -513,7 +513,8 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate) + regmap_update_bits(asrc->regmap, REG_ASRCTR, + ASRCTR_ATSi_MASK(index), ASRCTR_ATS(index)); + regmap_update_bits(asrc->regmap, REG_ASRCTR, +- ASRCTR_USRi_MASK(index), 0); ++ ASRCTR_IDRi_MASK(index) | ASRCTR_USRi_MASK(index), ++ ASRCTR_USR(index)); + + /* Set the input and output clock sources */ + regmap_update_bits(asrc->regmap, REG_ASRCSR,
