commit: 7025c3edd1a5b6e879af33c672cb9c5cb79d34cb Author: Arisu Tachibana <alicef <AT> gentoo <DOT> org> AuthorDate: Wed Sep 10 05:32:37 2025 +0000 Commit: Arisu Tachibana <alicef <AT> gentoo <DOT> org> CommitDate: Wed Sep 10 05:32:37 2025 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=7025c3ed
Linux patch 5.15.192 Signed-off-by: Arisu Tachibana <alicef <AT> gentoo.org> 0000_README | 4 + 1191_linux-5.15.192.patch | 2178 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 2182 insertions(+) diff --git a/0000_README b/0000_README index cb68bc38..c05666c4 100644 --- a/0000_README +++ b/0000_README @@ -807,6 +807,10 @@ Patch: 1190_linux-5.15.191.patch From: https://www.kernel.org Desc: Linux 5.15.191 +Patch: 1191_linux-5.15.192.patch +From: https://www.kernel.org +Desc: Linux 5.15.192 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1191_linux-5.15.192.patch b/1191_linux-5.15.192.patch new file mode 100644 index 00000000..86eaeab0 --- /dev/null +++ b/1191_linux-5.15.192.patch @@ -0,0 +1,2178 @@ +diff --git a/Makefile b/Makefile +index ea4e8422901d7b..1d707d01578456 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 5 + PATCHLEVEL = 15 +-SUBLEVEL = 191 ++SUBLEVEL = 192 + EXTRAVERSION = + NAME = Trick or Treat + +diff --git a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts +index 95d46e8d081c19..d16200a323c505 100644 +--- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts ++++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts +@@ -28,8 +28,9 @@ memory@0 { + }; + + leds { +- pinctrl-names = "default"; + compatible = "gpio-leds"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&spi_quad_pins>; + + power1 { + label = "udpu:green:power"; +@@ -96,8 +97,6 @@ &sdhci0 { + + &spi0 { + status = "okay"; +- pinctrl-names = "default"; +- pinctrl-0 = <&spi_quad_pins>; + + m25p80@0 { + compatible = "jedec,spi-nor"; +@@ -117,6 +116,10 @@ partition@0 { + }; + }; + ++&spi_quad_pins { ++ function = "gpio"; ++}; ++ + &pinctrl_nb { + i2c1_recovery_pins: i2c1-recovery-pins { + groups = "i2c1"; +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts b/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts +index 60a909a100eeb5..ab2e2ee4ce6fe6 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts +@@ -978,6 +978,7 @@ spiflash: flash@0 { + reg = <0>; + m25p,fast-read; + spi-max-frequency = <10000000>; ++ vcc-supply = <&vcc_3v0>; + }; + }; + +diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h +index 91ac106545703c..101b6fcf7aad48 100644 +--- a/arch/x86/include/asm/pgtable_64_types.h ++++ b/arch/x86/include/asm/pgtable_64_types.h +@@ -40,6 +40,9 @@ static inline bool pgtable_l5_enabled(void) + #define pgtable_l5_enabled() 0 + #endif /* CONFIG_X86_5LEVEL */ + ++#define ARCH_PAGE_TABLE_SYNC_MASK \ ++ (pgtable_l5_enabled() ? PGTBL_PGD_MODIFIED : PGTBL_P4D_MODIFIED) ++ + extern unsigned int pgdir_shift; + extern unsigned int ptrs_per_p4d; + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index d788d1220a21ba..52c59c3bcb91ce 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -12449,16 +12449,22 @@ int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *cons, + { + struct kvm_kernel_irqfd *irqfd = + container_of(cons, struct kvm_kernel_irqfd, consumer); ++ struct kvm *kvm = irqfd->kvm; + int ret; + +- irqfd->producer = prod; + kvm_arch_start_assignment(irqfd->kvm); ++ ++ spin_lock_irq(&kvm->irqfds.lock); ++ irqfd->producer = prod; ++ + ret = static_call(kvm_x86_update_pi_irte)(irqfd->kvm, + prod->irq, irqfd->gsi, 1); +- + if (ret) + kvm_arch_end_assignment(irqfd->kvm); + ++ spin_unlock_irq(&kvm->irqfds.lock); ++ ++ + return ret; + } + +@@ -12468,9 +12474,9 @@ void kvm_arch_irq_bypass_del_producer(struct irq_bypass_consumer *cons, + int ret; + struct kvm_kernel_irqfd *irqfd = + container_of(cons, struct kvm_kernel_irqfd, consumer); ++ struct kvm *kvm = irqfd->kvm; + + WARN_ON(irqfd->producer != prod); +- irqfd->producer = NULL; + + /* + * When producer of consumer is unregistered, we change back to +@@ -12478,11 +12484,17 @@ void kvm_arch_irq_bypass_del_producer(struct irq_bypass_consumer *cons, + * when the irq is masked/disabled or the consumer side (KVM + * int this case doesn't want to receive the interrupts. + */ ++ spin_lock_irq(&kvm->irqfds.lock); ++ irqfd->producer = NULL; ++ + ret = static_call(kvm_x86_update_pi_irte)(irqfd->kvm, prod->irq, irqfd->gsi, 0); + if (ret) + printk(KERN_INFO "irq bypass consumer (token %p) unregistration" + " fails: %d\n", irqfd->consumer.token, ret); + ++ spin_unlock_irq(&kvm->irqfds.lock); ++ ++ + kvm_arch_end_assignment(irqfd->kvm); + } + +diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c +index 200ad5ceeb43fc..ee0885bafe0a6d 100644 +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -218,6 +218,24 @@ static void sync_global_pgds(unsigned long start, unsigned long end) + sync_global_pgds_l4(start, end); + } + ++/* ++ * Make kernel mappings visible in all page tables in the system. ++ * This is necessary except when the init task populates kernel mappings ++ * during the boot process. In that case, all processes originating from ++ * the init task copies the kernel mappings, so there is no issue. ++ * Otherwise, missing synchronization could lead to kernel crashes due ++ * to missing page table entries for certain kernel mappings. ++ * ++ * Synchronization is performed at the top level, which is the PGD in ++ * 5-level paging systems. But in 4-level paging systems, however, ++ * pgd_populate() is a no-op, so synchronization is done at the P4D level. ++ * sync_global_pgds() handles this difference between paging levels. ++ */ ++void arch_sync_kernel_mappings(unsigned long start, unsigned long end) ++{ ++ sync_global_pgds(start, end); ++} ++ + /* + * NOTE: This function is marked __ref because it calls __init function + * (alloc_bootmem_pages). It's safe to do it ONLY when after_bootmem == 0. +diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c +index cf23cfd7e46743..da3797241f3196 100644 +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -273,6 +273,9 @@ static int gdsc_enable(struct generic_pm_domain *domain) + */ + udelay(1); + ++ if (sc->flags & RETAIN_FF_ENABLE) ++ gdsc_retain_ff_on(sc); ++ + /* Turn on HW trigger mode if supported */ + if (sc->flags & HW_CTRL) { + ret = gdsc_hwctrl(sc, true); +@@ -289,9 +292,6 @@ static int gdsc_enable(struct generic_pm_domain *domain) + udelay(1); + } + +- if (sc->flags & RETAIN_FF_ENABLE) +- gdsc_retain_ff_on(sc); +- + return 0; + } + +@@ -392,13 +392,6 @@ static int gdsc_init(struct gdsc *sc) + return ret; + } + +- /* Turn on HW trigger mode if supported */ +- if (sc->flags & HW_CTRL) { +- ret = gdsc_hwctrl(sc, true); +- if (ret < 0) +- return ret; +- } +- + /* + * Make sure the retain bit is set if the GDSC is already on, + * otherwise we end up turning off the GDSC and destroying all +@@ -406,6 +399,14 @@ static int gdsc_init(struct gdsc *sc) + */ + if (sc->flags & RETAIN_FF_ENABLE) + gdsc_retain_ff_on(sc); ++ ++ /* Turn on HW trigger mode if supported */ ++ if (sc->flags & HW_CTRL) { ++ ret = gdsc_hwctrl(sc, true); ++ if (ret < 0) ++ return ret; ++ } ++ + } else if (sc->flags & ALWAYS_ON) { + /* If ALWAYS_ON GDSCs are not ON, turn them ON */ + gdsc_enable(&sc->pd); +diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c +index cafaa54c3d9f1f..bcce96d4a7530e 100644 +--- a/drivers/dma-buf/dma-resv.c ++++ b/drivers/dma-buf/dma-resv.c +@@ -267,8 +267,9 @@ void dma_resv_add_shared_fence(struct dma_resv *obj, struct dma_fence *fence) + + replace: + RCU_INIT_POINTER(fobj->shared[i], fence); +- /* pointer update must be visible before we extend the shared_count */ +- smp_store_mb(fobj->shared_count, count); ++ /* fence update must be visible before we extend the shared_count */ ++ smp_wmb(); ++ fobj->shared_count = count; + + write_seqcount_end(&obj->seq); + dma_fence_put(old); +diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c +index 41ef9f15d3d596..60d1d56b983171 100644 +--- a/drivers/dma/mediatek/mtk-cqdma.c ++++ b/drivers/dma/mediatek/mtk-cqdma.c +@@ -421,15 +421,11 @@ static struct virt_dma_desc *mtk_cqdma_find_active_desc(struct dma_chan *c, + { + struct mtk_cqdma_vchan *cvc = to_cqdma_vchan(c); + struct virt_dma_desc *vd; +- unsigned long flags; + +- spin_lock_irqsave(&cvc->pc->lock, flags); + list_for_each_entry(vd, &cvc->pc->queue, node) + if (vd->tx.cookie == cookie) { +- spin_unlock_irqrestore(&cvc->pc->lock, flags); + return vd; + } +- spin_unlock_irqrestore(&cvc->pc->lock, flags); + + list_for_each_entry(vd, &cvc->vc.desc_issued, node) + if (vd->tx.cookie == cookie) +@@ -453,9 +449,11 @@ static enum dma_status mtk_cqdma_tx_status(struct dma_chan *c, + if (ret == DMA_COMPLETE || !txstate) + return ret; + +- spin_lock_irqsave(&cvc->vc.lock, flags); ++ spin_lock_irqsave(&cvc->pc->lock, flags); ++ spin_lock(&cvc->vc.lock); + vd = mtk_cqdma_find_active_desc(c, cookie); +- spin_unlock_irqrestore(&cvc->vc.lock, flags); ++ spin_unlock(&cvc->vc.lock); ++ spin_unlock_irqrestore(&cvc->pc->lock, flags); + + if (vd) { + cvd = to_cqdma_vdesc(vd); +diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c +index 45f3836c4f0fab..a8f6ef4006fef9 100644 +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -1145,6 +1145,9 @@ static int pca953x_suspend(struct device *dev) + struct pca953x_chip *chip = dev_get_drvdata(dev); + + mutex_lock(&chip->i2c_lock); ++ /* Disable IRQ to prevent early triggering while regmap "cache only" is on */ ++ if (chip->client->irq > 0) ++ disable_irq(chip->client->irq); + regcache_cache_only(chip->regmap, true); + mutex_unlock(&chip->i2c_lock); + +@@ -1170,6 +1173,8 @@ static int pca953x_resume(struct device *dev) + } + + mutex_lock(&chip->i2c_lock); ++ if (chip->client->irq > 0) ++ enable_irq(chip->client->irq); + regcache_cache_only(chip->regmap, false); + regcache_mark_dirty(chip->regmap); + ret = pca953x_regcache_sync(dev); +diff --git a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c +index d1570a462a51a9..0b872bc71b70dd 100644 +--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c +@@ -1464,17 +1464,12 @@ static int dce_v10_0_audio_init(struct amdgpu_device *adev) + + static void dce_v10_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v10_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c +index 18a7b3bd633b5d..3a105e41844a0c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c +@@ -1506,17 +1506,12 @@ static int dce_v11_0_audio_init(struct amdgpu_device *adev) + + static void dce_v11_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c +index c7803dc2b2d533..5e21eb88b2e71d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c +@@ -1375,17 +1375,12 @@ static int dce_v6_0_audio_init(struct amdgpu_device *adev) + + static void dce_v6_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v6_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +diff --git a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c +index b200b9e722d978..f3b0642f9d9d2b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c +@@ -1427,17 +1427,12 @@ static int dce_v8_0_audio_init(struct amdgpu_device *adev) + + static void dce_v8_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v8_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c b/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c +index 1e77ffee71b307..fce0c5d72c1a0c 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c +@@ -899,13 +899,13 @@ void dce110_link_encoder_construct( + enc110->base.id, &bp_cap_info); + + /* Override features with DCE-specific values */ +- if (BP_RESULT_OK == result) { ++ if (result == BP_RESULT_OK) { + enc110->base.features.flags.bits.IS_HBR2_CAPABLE = + bp_cap_info.DP_HBR2_EN; + enc110->base.features.flags.bits.IS_HBR3_CAPABLE = + bp_cap_info.DP_HBR3_EN; + enc110->base.features.flags.bits.HDMI_6GB_EN = bp_cap_info.HDMI_6GB_EN; +- } else { ++ } else if (result != BP_RESULT_NORECORD) { + DC_LOG_WARNING("%s: Failed to get encoder_cap_info from VBIOS with error code %d!\n", + __func__, + result); +@@ -1799,13 +1799,13 @@ void dce60_link_encoder_construct( + enc110->base.id, &bp_cap_info); + + /* Override features with DCE-specific values */ +- if (BP_RESULT_OK == result) { ++ if (result == BP_RESULT_OK) { + enc110->base.features.flags.bits.IS_HBR2_CAPABLE = + bp_cap_info.DP_HBR2_EN; + enc110->base.features.flags.bits.IS_HBR3_CAPABLE = + bp_cap_info.DP_HBR3_EN; + enc110->base.features.flags.bits.HDMI_6GB_EN = bp_cap_info.HDMI_6GB_EN; +- } else { ++ } else if (result != BP_RESULT_NORECORD) { + DC_LOG_WARNING("%s: Failed to get encoder_cap_info from VBIOS with error code %d!\n", + __func__, + result); +diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +index 1c9dd62d3c47b1..1187bfb449f29b 100644 +--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c ++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c +@@ -313,6 +313,17 @@ static int __maybe_unused ti_sn65dsi86_resume(struct device *dev) + + gpiod_set_value(pdata->enable_gpio, 1); + ++ /* ++ * After EN is deasserted and an external clock is detected, the bridge ++ * will sample GPIO3:1 to determine its frequency. The driver will ++ * overwrite this setting in ti_sn_bridge_set_refclk_freq(). But this is ++ * racy. Thus we have to wait a couple of us. According to the datasheet ++ * the GPIO lines has to be stable at least 5 us (td5) but it seems that ++ * is not enough and the refclk frequency value is still lost or ++ * overwritten by the bridge itself. Waiting for 20us seems to work. ++ */ ++ usleep_range(20, 30); ++ + /* + * If we have a reference clock we can enable communication w/ the + * panel (including the aux channel) w/out any need for an input clock +diff --git a/drivers/iio/chemical/pms7003.c b/drivers/iio/chemical/pms7003.c +index e9857d93b307e4..70c92cbfc9f141 100644 +--- a/drivers/iio/chemical/pms7003.c ++++ b/drivers/iio/chemical/pms7003.c +@@ -5,7 +5,6 @@ + * Copyright (c) Tomasz Duszynski <[email protected]> + */ + +-#include <asm/unaligned.h> + #include <linux/completion.h> + #include <linux/device.h> + #include <linux/errno.h> +@@ -19,6 +18,8 @@ + #include <linux/module.h> + #include <linux/mutex.h> + #include <linux/serdev.h> ++#include <linux/types.h> ++#include <asm/unaligned.h> + + #define PMS7003_DRIVER_NAME "pms7003" + +@@ -76,7 +77,7 @@ struct pms7003_state { + /* Used to construct scan to push to the IIO buffer */ + struct { + u16 data[3]; /* PM1, PM2P5, PM10 */ +- s64 ts; ++ aligned_s64 ts; + } scan; + }; + +diff --git a/drivers/iio/light/opt3001.c b/drivers/iio/light/opt3001.c +index f2462121aa0456..1cba636edc9243 100644 +--- a/drivers/iio/light/opt3001.c ++++ b/drivers/iio/light/opt3001.c +@@ -692,8 +692,9 @@ static irqreturn_t opt3001_irq(int irq, void *_iio) + struct opt3001 *opt = iio_priv(iio); + int ret; + bool wake_result_ready_queue = false; ++ bool ok_to_ignore_lock = opt->ok_to_ignore_lock; + +- if (!opt->ok_to_ignore_lock) ++ if (!ok_to_ignore_lock) + mutex_lock(&opt->lock); + + ret = i2c_smbus_read_word_swapped(opt->client, OPT3001_CONFIGURATION); +@@ -730,7 +731,7 @@ static irqreturn_t opt3001_irq(int irq, void *_iio) + } + + out: +- if (!opt->ok_to_ignore_lock) ++ if (!ok_to_ignore_lock) + mutex_unlock(&opt->lock); + + if (wake_result_ready_queue) +diff --git a/drivers/isdn/mISDN/dsp_hwec.c b/drivers/isdn/mISDN/dsp_hwec.c +index 0b3f29195330ac..0cd216e28f0090 100644 +--- a/drivers/isdn/mISDN/dsp_hwec.c ++++ b/drivers/isdn/mISDN/dsp_hwec.c +@@ -51,14 +51,14 @@ void dsp_hwec_enable(struct dsp *dsp, const char *arg) + goto _do; + + { +- char *dup, *tok, *name, *val; ++ char *dup, *next, *tok, *name, *val; + int tmp; + +- dup = kstrdup(arg, GFP_ATOMIC); ++ dup = next = kstrdup(arg, GFP_ATOMIC); + if (!dup) + return; + +- while ((tok = strsep(&dup, ","))) { ++ while ((tok = strsep(&next, ","))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "="); +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index 1831066c76475f..460f8c0989947e 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1491,13 +1491,17 @@ static int bgx_init_of_phy(struct bgx *bgx) + * this cortina phy, for which there is no driver + * support, ignore it. + */ +- if (phy_np && +- !of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { +- /* Wait until the phy drivers are available */ +- pd = of_phy_find_device(phy_np); +- if (!pd) +- goto defer; +- bgx->lmac[lmac].phydev = pd; ++ if (phy_np) { ++ if (!of_device_is_compatible(phy_np, "cortina,cs4223-slice")) { ++ /* Wait until the phy drivers are available */ ++ pd = of_phy_find_device(phy_np); ++ if (!pd) { ++ of_node_put(phy_np); ++ goto defer; ++ } ++ bgx->lmac[lmac].phydev = pd; ++ } ++ of_node_put(phy_np); + } + + lmac++; +@@ -1513,11 +1517,11 @@ static int bgx_init_of_phy(struct bgx *bgx) + * for phy devices we may have already found. + */ + while (lmac) { ++ lmac--; + if (bgx->lmac[lmac].phydev) { + put_device(&bgx->lmac[lmac].phydev->mdio.dev); + bgx->lmac[lmac].phydev = NULL; + } +- lmac--; + } + of_node_put(node); + return -EPROBE_DEFER; +diff --git a/drivers/net/ethernet/intel/e1000e/ethtool.c b/drivers/net/ethernet/intel/e1000e/ethtool.c +index 8515e00d1b400c..9d1fcae545fb8c 100644 +--- a/drivers/net/ethernet/intel/e1000e/ethtool.c ++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c +@@ -559,12 +559,12 @@ static int e1000_set_eeprom(struct net_device *netdev, + { + struct e1000_adapter *adapter = netdev_priv(netdev); + struct e1000_hw *hw = &adapter->hw; ++ size_t total_len, max_len; + u16 *eeprom_buff; +- void *ptr; +- int max_len; ++ int ret_val = 0; + int first_word; + int last_word; +- int ret_val = 0; ++ void *ptr; + u16 i; + + if (eeprom->len == 0) +@@ -579,6 +579,10 @@ static int e1000_set_eeprom(struct net_device *netdev, + + max_len = hw->nvm.word_size * 2; + ++ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) || ++ total_len > max_len) ++ return -EFBIG; ++ + first_word = eeprom->offset >> 1; + last_word = (eeprom->offset + eeprom->len - 1) >> 1; + eeprom_buff = kmalloc(max_len, GFP_KERNEL); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 8bcb98b85e3d94..4af2a4c5910671 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -362,8 +362,8 @@ static void i40e_client_add_instance(struct i40e_pf *pf) + if (i40e_client_get_params(vsi, &cdev->lan_info.params)) + goto free_cdev; + +- mac = list_first_entry(&cdev->lan_info.netdev->dev_addrs.list, +- struct netdev_hw_addr, list); ++ mac = list_first_entry_or_null(&cdev->lan_info.netdev->dev_addrs.list, ++ struct netdev_hw_addr, list); + if (mac) + ether_addr_copy(cdev->lan_info.lanmac, mac->addr); + else +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 711acc6059a4f4..4d7a72bcee6140 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -1196,6 +1196,13 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + bool gso = false; + int tx_num; + ++ if (skb_vlan_tag_present(skb) && ++ !eth_proto_is_802_3(eth_hdr(skb)->h_proto)) { ++ skb = __vlan_hwaccel_push_inside(skb); ++ if (!skb) ++ goto dropped; ++ } ++ + /* normally we can rely on the stack not calling this more than once, + * however we have 2 queues running on the same ring so we need to lock + * the ring access +@@ -1241,8 +1248,9 @@ static netdev_tx_t mtk_start_xmit(struct sk_buff *skb, struct net_device *dev) + + drop: + spin_unlock(ð->page_lock); +- stats->tx_dropped++; + dev_kfree_skb_any(skb); ++dropped: ++ stats->tx_dropped++; + return NETDEV_TX_OK; + } + +diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c +index 10f42b7df8b35b..efbd337b8bb8e9 100644 +--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c ++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c +@@ -1582,7 +1582,7 @@ do_reset(struct net_device *dev, int full) + msleep(40); /* wait 40 msec to let it complete */ + } + if (full_duplex) +- PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR | FullDuplex)); ++ PutByte(XIRCREG1_ECR, GetByte(XIRCREG1_ECR) | FullDuplex); + } else { /* No MII */ + SelectPage(0); + value = GetByte(XIRCREG_ESR); /* read the ESR */ +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index e30e6ba9da2f4f..7b73b78ac9b35f 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -455,12 +455,12 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + *p++ = (reg >> 24) & 0xff; + } + +- len = skb_queue_len(&ptp->tx_queue); ++ len = skb_queue_len_lockless(&ptp->tx_queue); + if (len < 1) + return; + + while (len--) { +- skb = __skb_dequeue(&ptp->tx_queue); ++ skb = skb_dequeue(&ptp->tx_queue); + if (!skb) + return; + +@@ -485,7 +485,7 @@ static void vsc85xx_dequeue_skb(struct vsc85xx_ptp *ptp) + * packet in the FIFO right now, reschedule it for later + * packets. + */ +- __skb_queue_tail(&ptp->tx_queue, skb); ++ skb_queue_tail(&ptp->tx_queue, skb); + } + } + +@@ -1070,6 +1070,7 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr) + case HWTSTAMP_TX_ON: + break; + case HWTSTAMP_TX_OFF: ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + break; + default: + return -ERANGE; +@@ -1094,9 +1095,6 @@ static int vsc85xx_hwtstamp(struct mii_timestamper *mii_ts, struct ifreq *ifr) + + mutex_lock(&vsc8531->ts_lock); + +- __skb_queue_purge(&vsc8531->ptp->tx_queue); +- __skb_queue_head_init(&vsc8531->ptp->tx_queue); +- + /* Disable predictor while configuring the 1588 block */ + val = vsc85xx_ts_read_csr(phydev, PROCESSOR, + MSCC_PHY_PTP_INGR_PREDICTOR); +@@ -1171,18 +1169,22 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts, + container_of(mii_ts, struct vsc8531_private, mii_ts); + + if (!vsc8531->ptp->configured) +- return; ++ goto out; + +- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) { +- kfree_skb(skb); +- return; +- } ++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) ++ goto out; ++ ++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC) ++ if (ptp_msg_is_sync(skb, type)) ++ goto out; + + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + +- mutex_lock(&vsc8531->ts_lock); +- __skb_queue_tail(&vsc8531->ptp->tx_queue, skb); +- mutex_unlock(&vsc8531->ts_lock); ++ skb_queue_tail(&vsc8531->ptp->tx_queue, skb); ++ return; ++ ++out: ++ kfree_skb(skb); + } + + static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts, +@@ -1544,6 +1546,7 @@ void vsc8584_ptp_deinit(struct phy_device *phydev) + if (vsc8531->ptp->ptp_clock) { + ptp_clock_unregister(vsc8531->ptp->ptp_clock); + skb_queue_purge(&vsc8531->rx_skbs_list); ++ skb_queue_purge(&vsc8531->ptp->tx_queue); + } + } + +@@ -1567,7 +1570,7 @@ irqreturn_t vsc8584_handle_ts_interrupt(struct phy_device *phydev) + if (rc & VSC85XX_1588_INT_FIFO_ADD) { + vsc85xx_get_tx_ts(priv->ptp); + } else if (rc & VSC85XX_1588_INT_FIFO_OVERFLOW) { +- __skb_queue_purge(&priv->ptp->tx_queue); ++ skb_queue_purge(&priv->ptp->tx_queue); + vsc85xx_ts_reset_fifo(phydev); + } + +@@ -1587,6 +1590,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev) + mutex_init(&vsc8531->phc_lock); + mutex_init(&vsc8531->ts_lock); + skb_queue_head_init(&vsc8531->rx_skbs_list); ++ skb_queue_head_init(&vsc8531->ptp->tx_queue); + + /* Retrieve the shared load/save GPIO. Request it as non exclusive as + * the same GPIO can be requested by all the PHYs of the same package. +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 5cb06e04293e34..91a19ed03bc7d4 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1752,7 +1752,6 @@ pad_compress_skb(struct ppp *ppp, struct sk_buff *skb) + */ + if (net_ratelimit()) + netdev_err(ppp->dev, "ppp: compressor dropped pkt\n"); +- kfree_skb(skb); + consume_skb(new_skb); + new_skb = NULL; + } +@@ -1854,9 +1853,10 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + "down - pkt dropped.\n"); + goto drop; + } +- skb = pad_compress_skb(ppp, skb); +- if (!skb) ++ new_skb = pad_compress_skb(ppp, skb); ++ if (!new_skb) + goto drop; ++ skb = new_skb; + } + + /* +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 78d8c04b00a7f3..269e0bf1301a70 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -3175,8 +3175,6 @@ vmxnet3_change_mtu(struct net_device *netdev, int new_mtu) + struct vmxnet3_adapter *adapter = netdev_priv(netdev); + int err = 0; + +- netdev->mtu = new_mtu; +- + /* + * Reset_work may be in the middle of resetting the device, wait for its + * completion. +@@ -3190,6 +3188,7 @@ vmxnet3_change_mtu(struct net_device *netdev, int new_mtu) + + /* we need to re-create the rx queue based on the new mtu */ + vmxnet3_rq_destroy_all(adapter); ++ netdev->mtu = new_mtu; + vmxnet3_adjust_rx_ring_size(adapter); + err = vmxnet3_rq_create_all(adapter); + if (err) { +@@ -3206,6 +3205,8 @@ vmxnet3_change_mtu(struct net_device *netdev, int new_mtu) + "Closing it\n", err); + goto out; + } ++ } else { ++ netdev->mtu = new_mtu; + } + + out: +diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c +index 4e3de684928bf9..a659054c1bcd9c 100644 +--- a/drivers/net/wireless/marvell/libertas/cfg.c ++++ b/drivers/net/wireless/marvell/libertas/cfg.c +@@ -1102,10 +1102,13 @@ static int lbs_associate(struct lbs_private *priv, + /* add SSID TLV */ + rcu_read_lock(); + ssid_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); +- if (ssid_eid) +- pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_eid[1]); +- else ++ if (ssid_eid) { ++ u32 ssid_len = min(ssid_eid[1], IEEE80211_MAX_SSID_LEN); ++ ++ pos += lbs_add_ssid_tlv(pos, ssid_eid + 2, ssid_len); ++ } else { + lbs_deb_assoc("no SSID\n"); ++ } + rcu_read_unlock(); + + /* add DS param TLV */ +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 0273d3e5e0b5c7..d76a8523ef1d3e 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -4282,8 +4282,9 @@ int mwifiex_init_channel_scan_gap(struct mwifiex_adapter *adapter) + * additional active scan request for hidden SSIDs on passive channels. + */ + adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a); +- adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats), +- adapter->num_in_chan_stats)); ++ adapter->chan_stats = kcalloc(adapter->num_in_chan_stats, ++ sizeof(*adapter->chan_stats), ++ GFP_KERNEL); + + if (!adapter->chan_stats) + return -ENOMEM; +diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c +index 18ab3222b1406c..edc91e75aaf5d2 100644 +--- a/drivers/net/wireless/marvell/mwifiex/main.c ++++ b/drivers/net/wireless/marvell/mwifiex/main.c +@@ -640,7 +640,7 @@ static int _mwifiex_fw_dpc(const struct firmware *firmware, void *context) + goto done; + + err_add_intf: +- vfree(adapter->chan_stats); ++ kfree(adapter->chan_stats); + err_init_chan_scan: + wiphy_unregister(adapter->wiphy); + wiphy_free(adapter->wiphy); +@@ -1462,7 +1462,7 @@ static void mwifiex_uninit_sw(struct mwifiex_adapter *adapter) + wiphy_free(adapter->wiphy); + adapter->wiphy = NULL; + +- vfree(adapter->chan_stats); ++ kfree(adapter->chan_stats); + mwifiex_free_cmd_buffers(adapter); + } + +diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c +index 236022d4ae2a39..0f2d1ec34cd82e 100644 +--- a/drivers/net/wireless/st/cw1200/sta.c ++++ b/drivers/net/wireless/st/cw1200/sta.c +@@ -1289,7 +1289,7 @@ static void cw1200_do_join(struct cw1200_common *priv) + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID); + if (ssidie) { +- join.ssid_len = ssidie[1]; ++ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN); + memcpy(join.ssid, &ssidie[2], join.ssid_len); + } + rcu_read_unlock(); +diff --git a/drivers/pcmcia/rsrc_iodyn.c b/drivers/pcmcia/rsrc_iodyn.c +index b04b16496b0c4b..2677b577c1f858 100644 +--- a/drivers/pcmcia/rsrc_iodyn.c ++++ b/drivers/pcmcia/rsrc_iodyn.c +@@ -62,6 +62,9 @@ static struct resource *__iodyn_find_io_region(struct pcmcia_socket *s, + unsigned long min = base; + int ret; + ++ if (!res) ++ return NULL; ++ + data.mask = align - 1; + data.offset = base & data.mask; + +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c +index e6c90c0bb76464..58782f21a442a2 100644 +--- a/drivers/pcmcia/rsrc_nonstatic.c ++++ b/drivers/pcmcia/rsrc_nonstatic.c +@@ -375,7 +375,9 @@ static int do_validate_mem(struct pcmcia_socket *s, + + if (validate && !s->fake_cis) { + /* move it to the validated data set */ +- add_interval(&s_data->mem_db_valid, base, size); ++ ret = add_interval(&s_data->mem_db_valid, base, size); ++ if (ret) ++ return ret; + sub_interval(&s_data->mem_db, base, size); + } + +diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c +index c58669c9346c02..204f33d486a13d 100644 +--- a/drivers/scsi/lpfc/lpfc_nvmet.c ++++ b/drivers/scsi/lpfc/lpfc_nvmet.c +@@ -1244,7 +1244,7 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_target_port *tgtport, + struct lpfc_nvmet_tgtport *tgtp; + struct lpfc_async_xchg_ctx *ctxp = + container_of(rsp, struct lpfc_async_xchg_ctx, hdlrctx.fcp_req); +- struct rqb_dmabuf *nvmebuf = ctxp->rqb_buffer; ++ struct rqb_dmabuf *nvmebuf; + struct lpfc_hba *phba = ctxp->phba; + unsigned long iflag; + +@@ -1252,13 +1252,18 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_target_port *tgtport, + lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n", + ctxp->oxid, ctxp->size, raw_smp_processor_id()); + ++ spin_lock_irqsave(&ctxp->ctxlock, iflag); ++ nvmebuf = ctxp->rqb_buffer; + if (!nvmebuf) { ++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR, + "6425 Defer rcv: no buffer oxid x%x: " + "flg %x ste %x\n", + ctxp->oxid, ctxp->flag, ctxp->state); + return; + } ++ ctxp->rqb_buffer = NULL; ++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + + tgtp = phba->targetport->private; + if (tgtp) +@@ -1266,9 +1271,6 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_target_port *tgtport, + + /* Free the nvmebuf since a new buffer already replaced it */ + nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf); +- spin_lock_irqsave(&ctxp->ctxlock, iflag); +- ctxp->rqb_buffer = NULL; +- spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + } + + /** +diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c +index bf3f600bdd2c88..319cd96bd201b7 100644 +--- a/drivers/spi/spi-fsl-lpspi.c ++++ b/drivers/spi/spi-fsl-lpspi.c +@@ -3,8 +3,9 @@ + // Freescale i.MX7ULP LPSPI driver + // + // Copyright 2016 Freescale Semiconductor, Inc. +-// Copyright 2018 NXP Semiconductors ++// Copyright 2018, 2023, 2025 NXP + ++#include <linux/bitfield.h> + #include <linux/clk.h> + #include <linux/completion.h> + #include <linux/delay.h> +@@ -71,7 +72,7 @@ + #define DER_TDDE BIT(0) + #define CFGR1_PCSCFG BIT(27) + #define CFGR1_PINCFG (BIT(24)|BIT(25)) +-#define CFGR1_PCSPOL BIT(8) ++#define CFGR1_PCSPOL_MASK GENMASK(11, 8) + #define CFGR1_NOSTALL BIT(3) + #define CFGR1_MASTER BIT(0) + #define FSR_TXCOUNT (0xFF) +@@ -395,7 +396,9 @@ static int fsl_lpspi_config(struct fsl_lpspi_data *fsl_lpspi) + else + temp = CFGR1_PINCFG; + if (fsl_lpspi->config.mode & SPI_CS_HIGH) +- temp |= CFGR1_PCSPOL; ++ temp |= FIELD_PREP(CFGR1_PCSPOL_MASK, ++ BIT(fsl_lpspi->config.chip_select)); ++ + writel(temp, fsl_lpspi->base + IMX7ULP_CFGR1); + + temp = readl(fsl_lpspi->base + IMX7ULP_CR); +@@ -702,12 +705,10 @@ static int fsl_lpspi_pio_transfer(struct spi_controller *controller, + fsl_lpspi_write_tx_fifo(fsl_lpspi); + + ret = fsl_lpspi_wait_for_completion(controller); +- if (ret) +- return ret; + + fsl_lpspi_reset(fsl_lpspi); + +- return 0; ++ return ret; + } + + static int fsl_lpspi_transfer_one(struct spi_controller *controller, +@@ -755,7 +756,7 @@ static irqreturn_t fsl_lpspi_isr(int irq, void *dev_id) + if (temp_SR & SR_MBF || + readl(fsl_lpspi->base + IMX7ULP_FSR) & FSR_TXCOUNT) { + writel(SR_FCF, fsl_lpspi->base + IMX7ULP_SR); +- fsl_lpspi_intctrl(fsl_lpspi, IER_FCIE); ++ fsl_lpspi_intctrl(fsl_lpspi, IER_FCIE | (temp_IER & IER_TDIE)); + return IRQ_HANDLED; + } + +diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c +index 8f345247a8c322..30a699ba9b4c20 100644 +--- a/drivers/spi/spi-tegra114.c ++++ b/drivers/spi/spi-tegra114.c +@@ -723,27 +723,23 @@ static int tegra_spi_set_hw_cs_timing(struct spi_device *spi) + struct spi_delay *setup = &spi->cs_setup; + struct spi_delay *hold = &spi->cs_hold; + struct spi_delay *inactive = &spi->cs_inactive; +- u8 setup_dly, hold_dly, inactive_dly; ++ u8 setup_dly, hold_dly; + u32 setup_hold; + u32 spi_cs_timing; + u32 inactive_cycles; + u8 cs_state; + +- if ((setup && setup->unit != SPI_DELAY_UNIT_SCK) || +- (hold && hold->unit != SPI_DELAY_UNIT_SCK) || +- (inactive && inactive->unit != SPI_DELAY_UNIT_SCK)) { ++ if ((setup->value && setup->unit != SPI_DELAY_UNIT_SCK) || ++ (hold->value && hold->unit != SPI_DELAY_UNIT_SCK) || ++ (inactive->value && inactive->unit != SPI_DELAY_UNIT_SCK)) { + dev_err(&spi->dev, + "Invalid delay unit %d, should be SPI_DELAY_UNIT_SCK\n", + SPI_DELAY_UNIT_SCK); + return -EINVAL; + } + +- setup_dly = setup ? setup->value : 0; +- hold_dly = hold ? hold->value : 0; +- inactive_dly = inactive ? inactive->value : 0; +- +- setup_dly = min_t(u8, setup_dly, MAX_SETUP_HOLD_CYCLES); +- hold_dly = min_t(u8, hold_dly, MAX_SETUP_HOLD_CYCLES); ++ setup_dly = min_t(u8, setup->value, MAX_SETUP_HOLD_CYCLES); ++ hold_dly = min_t(u8, hold->value, MAX_SETUP_HOLD_CYCLES); + if (setup_dly && hold_dly) { + setup_hold = SPI_SETUP_HOLD(setup_dly - 1, hold_dly - 1); + spi_cs_timing = SPI_CS_SETUP_HOLD(tspi->spi_cs_timing1, +@@ -755,7 +751,7 @@ static int tegra_spi_set_hw_cs_timing(struct spi_device *spi) + } + } + +- inactive_cycles = min_t(u8, inactive_dly, MAX_INACTIVE_CYCLES); ++ inactive_cycles = min_t(u8, inactive->value, MAX_INACTIVE_CYCLES); + if (inactive_cycles) + inactive_cycles--; + cs_state = inactive_cycles ? 0 : 1; +diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c +index 6fb4400333fb4b..6d2db6cc247b30 100644 +--- a/drivers/tee/tee_shm.c ++++ b/drivers/tee/tee_shm.c +@@ -438,9 +438,13 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); + */ + void tee_shm_put(struct tee_shm *shm) + { +- struct tee_device *teedev = shm->ctx->teedev; ++ struct tee_device *teedev; + bool do_release = false; + ++ if (!shm || !shm->ctx || !shm->ctx->teedev) ++ return; ++ ++ teedev = shm->ctx->teedev; + mutex_lock(&teedev->mutex); + if (refcount_dec_and_test(&shm->refcount)) { + /* +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 672d176524f5cb..cb3f1790a296e9 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -2545,10 +2545,6 @@ void __mark_inode_dirty(struct inode *inode, int flags) + wakeup_bdi = inode_io_list_move_locked(inode, wb, + dirty_list); + +- spin_unlock(&wb->list_lock); +- spin_unlock(&inode->i_lock); +- trace_writeback_dirty_inode_enqueue(inode); +- + /* + * If this is the first dirty inode for this bdi, + * we have to wake-up the corresponding bdi thread +@@ -2558,6 +2554,11 @@ void __mark_inode_dirty(struct inode *inode, int flags) + if (wakeup_bdi && + (wb->bdi->capabilities & BDI_CAP_WRITEBACK)) + wb_wakeup_delayed(wb); ++ ++ spin_unlock(&wb->list_lock); ++ spin_unlock(&inode->i_lock); ++ trace_writeback_dirty_inode_enqueue(inode); ++ + return; + } + } +diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h +index 3536ab432b30cb..79c9d3d412cb64 100644 +--- a/include/linux/bpf-cgroup.h ++++ b/include/linux/bpf-cgroup.h +@@ -91,9 +91,6 @@ to_cgroup_bpf_attach_type(enum bpf_attach_type attach_type) + extern struct static_key_false cgroup_bpf_enabled_key[MAX_CGROUP_BPF_ATTACH_TYPE]; + #define cgroup_bpf_enabled(atype) static_branch_unlikely(&cgroup_bpf_enabled_key[atype]) + +-#define for_each_cgroup_storage_type(stype) \ +- for (stype = 0; stype < MAX_BPF_CGROUP_STORAGE_TYPE; stype++) +- + struct bpf_cgroup_storage_map; + + struct bpf_storage_buffer { +@@ -545,8 +542,6 @@ static inline int bpf_percpu_cgroup_storage_update(struct bpf_map *map, + #define BPF_CGROUP_RUN_PROG_SETSOCKOPT(sock, level, optname, optval, optlen, \ + kernel_optval) ({ 0; }) + +-#define for_each_cgroup_storage_type(stype) for (; false; ) +- + #endif /* CONFIG_CGROUP_BPF */ + + #endif /* _BPF_CGROUP_H */ +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 4236de05a8e706..1046f290b4b2b5 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -157,6 +157,109 @@ struct bpf_map_ops { + const struct bpf_iter_seq_info *iter_seq_info; + }; + ++enum { ++ /* Support at most 11 fields in a BTF type */ ++ BTF_FIELDS_MAX = 11, ++}; ++ ++enum btf_field_type { ++ BPF_SPIN_LOCK = (1 << 0), ++ BPF_TIMER = (1 << 1), ++ BPF_KPTR_UNREF = (1 << 2), ++ BPF_KPTR_REF = (1 << 3), ++ BPF_KPTR_PERCPU = (1 << 4), ++ BPF_KPTR = BPF_KPTR_UNREF | BPF_KPTR_REF | BPF_KPTR_PERCPU, ++ BPF_LIST_HEAD = (1 << 5), ++ BPF_LIST_NODE = (1 << 6), ++ BPF_RB_ROOT = (1 << 7), ++ BPF_RB_NODE = (1 << 8), ++ BPF_GRAPH_NODE = BPF_RB_NODE | BPF_LIST_NODE, ++ BPF_GRAPH_ROOT = BPF_RB_ROOT | BPF_LIST_HEAD, ++ BPF_REFCOUNT = (1 << 9), ++ BPF_WORKQUEUE = (1 << 10), ++ BPF_UPTR = (1 << 11), ++ BPF_RES_SPIN_LOCK = (1 << 12), ++}; ++ ++enum bpf_cgroup_storage_type { ++ BPF_CGROUP_STORAGE_SHARED, ++ BPF_CGROUP_STORAGE_PERCPU, ++ __BPF_CGROUP_STORAGE_MAX ++#define MAX_BPF_CGROUP_STORAGE_TYPE __BPF_CGROUP_STORAGE_MAX ++}; ++ ++#ifdef CONFIG_CGROUP_BPF ++# define for_each_cgroup_storage_type(stype) \ ++ for (stype = 0; stype < MAX_BPF_CGROUP_STORAGE_TYPE; stype++) ++#else ++# define for_each_cgroup_storage_type(stype) for (; false; ) ++#endif /* CONFIG_CGROUP_BPF */ ++ ++typedef void (*btf_dtor_kfunc_t)(void *); ++ ++struct btf_field_kptr { ++ struct btf *btf; ++ struct module *module; ++ /* dtor used if btf_is_kernel(btf), otherwise the type is ++ * program-allocated, dtor is NULL, and __bpf_obj_drop_impl is used ++ */ ++ btf_dtor_kfunc_t dtor; ++ u32 btf_id; ++}; ++ ++struct btf_field_graph_root { ++ struct btf *btf; ++ u32 value_btf_id; ++ u32 node_offset; ++ struct btf_record *value_rec; ++}; ++ ++struct btf_field { ++ u32 offset; ++ u32 size; ++ enum btf_field_type type; ++ union { ++ struct btf_field_kptr kptr; ++ struct btf_field_graph_root graph_root; ++ }; ++}; ++ ++struct btf_record { ++ u32 cnt; ++ u32 field_mask; ++ int spin_lock_off; ++ int res_spin_lock_off; ++ int timer_off; ++ int wq_off; ++ int refcount_off; ++ struct btf_field fields[]; ++}; ++ ++/* Non-opaque version of bpf_rb_node in uapi/linux/bpf.h */ ++struct bpf_rb_node_kern { ++ struct rb_node rb_node; ++ void *owner; ++} __attribute__((aligned(8))); ++ ++/* Non-opaque version of bpf_list_node in uapi/linux/bpf.h */ ++struct bpf_list_node_kern { ++ struct list_head list_head; ++ void *owner; ++} __attribute__((aligned(8))); ++ ++/* 'Ownership' of program-containing map is claimed by the first program ++ * that is going to use this map or by the first program which FD is ++ * stored in the map to make sure that all callers and callees have the ++ * same prog type, JITed flag and xdp_has_frags flag. ++ */ ++struct bpf_map_owner { ++ enum bpf_prog_type type; ++ bool jited; ++ bool xdp_has_frags; ++ u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; ++ const struct btf_type *attach_func_proto; ++}; ++ + struct bpf_map { + /* The first two cachelines with read-mostly members of which some + * are also accessed in fast-path (e.g. ops, max_entries). +@@ -199,7 +302,10 @@ struct bpf_map { + }; + struct mutex freeze_mutex; + atomic64_t writecnt; ++ spinlock_t owner_lock; ++ struct bpf_map_owner *owner; + bool free_after_mult_rcu_gp; ++ u64 cookie; /* write-once */ + }; + + static inline bool map_value_has_spin_lock(const struct bpf_map *map) +@@ -613,14 +719,6 @@ struct bpf_prog_offload { + u32 jited_len; + }; + +-enum bpf_cgroup_storage_type { +- BPF_CGROUP_STORAGE_SHARED, +- BPF_CGROUP_STORAGE_PERCPU, +- __BPF_CGROUP_STORAGE_MAX +-}; +- +-#define MAX_BPF_CGROUP_STORAGE_TYPE __BPF_CGROUP_STORAGE_MAX +- + /* The longest tracepoint has 12 args. + * See include/trace/bpf_probe.h + */ +@@ -997,16 +1095,6 @@ struct bpf_prog_aux { + }; + + struct bpf_array_aux { +- /* 'Ownership' of prog array is claimed by the first program that +- * is going to use this map or by the first program which FD is +- * stored in the map to make sure that all callers and callees have +- * the same prog type and JITed flag. +- */ +- struct { +- spinlock_t lock; +- enum bpf_prog_type type; +- bool jited; +- } owner; + /* Programs with direct jumps into programs part of this array. */ + struct list_head poke_progs; + struct bpf_map *map; +@@ -1154,6 +1242,16 @@ static inline bool bpf_map_flags_access_ok(u32 access_flags) + (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG); + } + ++static inline struct bpf_map_owner *bpf_map_owner_alloc(struct bpf_map *map) ++{ ++ return kzalloc(sizeof(*map->owner), GFP_ATOMIC); ++} ++ ++static inline void bpf_map_owner_free(struct bpf_map *map) ++{ ++ kfree(map->owner); ++} ++ + struct bpf_event_entry { + struct perf_event *event; + struct file *perf_file; +diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h +index d468efcf48f452..b1bb9b8f986009 100644 +--- a/include/linux/pgtable.h ++++ b/include/linux/pgtable.h +@@ -1380,6 +1380,22 @@ static inline int pmd_protnone(pmd_t pmd) + } + #endif /* CONFIG_NUMA_BALANCING */ + ++/* ++ * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values ++ * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() ++ * needs to be called. ++ */ ++#ifndef ARCH_PAGE_TABLE_SYNC_MASK ++#define ARCH_PAGE_TABLE_SYNC_MASK 0 ++#endif ++ ++/* ++ * There is no default implementation for arch_sync_kernel_mappings(). It is ++ * relied upon the compiler to optimize calls out if ARCH_PAGE_TABLE_SYNC_MASK ++ * is 0. ++ */ ++void arch_sync_kernel_mappings(unsigned long start, unsigned long end); ++ + #endif /* CONFIG_MMU */ + + #ifdef CONFIG_HAVE_ARCH_HUGE_VMAP +diff --git a/include/linux/ptp_classify.h b/include/linux/ptp_classify.h +index 7a526b52bd7485..c91ede9654f926 100644 +--- a/include/linux/ptp_classify.h ++++ b/include/linux/ptp_classify.h +@@ -128,6 +128,17 @@ static inline u8 ptp_get_msgtype(const struct ptp_header *hdr, + return msgtype; + } + ++/** ++ * ptp_msg_is_sync - Evaluates whether the given skb is a PTP Sync message ++ * @skb: packet buffer ++ * @type: type of the packet (see ptp_classify_raw()) ++ * ++ * This function evaluates whether the given skb is a PTP Sync message. ++ * ++ * Return: true if sync message, false otherwise ++ */ ++bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type); ++ + void __init ptp_classifier_init(void); + #else + static inline void ptp_classifier_init(void) +@@ -150,5 +161,9 @@ static inline u8 ptp_get_msgtype(const struct ptp_header *hdr, + */ + return PTP_MSGTYPE_SYNC; + } ++static inline bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type) ++{ ++ return false; ++} + #endif + #endif /* _PTP_CLASSIFY_H_ */ +diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h +index 5535be1012a284..9efcd95339c279 100644 +--- a/include/linux/vmalloc.h ++++ b/include/linux/vmalloc.h +@@ -179,22 +179,6 @@ extern int remap_vmalloc_range_partial(struct vm_area_struct *vma, + extern int remap_vmalloc_range(struct vm_area_struct *vma, void *addr, + unsigned long pgoff); + +-/* +- * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values +- * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() +- * needs to be called. +- */ +-#ifndef ARCH_PAGE_TABLE_SYNC_MASK +-#define ARCH_PAGE_TABLE_SYNC_MASK 0 +-#endif +- +-/* +- * There is no default implementation for arch_sync_kernel_mappings(). It is +- * relied upon the compiler to optimize calls out if ARCH_PAGE_TABLE_SYNC_MASK +- * is 0. +- */ +-void arch_sync_kernel_mappings(unsigned long start, unsigned long end); +- + /* + * Lowlevel-APIs (not for driver use!) + */ +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index 2788da290c2161..dc42970dda9759 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -1044,7 +1044,6 @@ static struct bpf_map *prog_array_map_alloc(union bpf_attr *attr) + INIT_WORK(&aux->work, prog_array_map_clear_deferred); + INIT_LIST_HEAD(&aux->poke_progs); + mutex_init(&aux->poke_mutex); +- spin_lock_init(&aux->owner.lock); + + map = array_map_alloc(attr); + if (IS_ERR(map)) { +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 1ded3eb492b8e4..73a1c66e541756 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -1832,31 +1832,74 @@ static unsigned int __bpf_prog_ret0_warn(const void *ctx, + } + #endif + +-bool bpf_prog_array_compatible(struct bpf_array *array, +- const struct bpf_prog *fp) ++static bool __bpf_prog_map_compatible(struct bpf_map *map, ++ const struct bpf_prog *fp) + { +- bool ret; ++ enum bpf_prog_type prog_type = fp->aux->dst_prog ? fp->aux->dst_prog->type : fp->type; ++ struct bpf_prog_aux *aux = fp->aux; ++ enum bpf_cgroup_storage_type i; ++ bool ret = false; ++ u64 cookie; + + if (fp->kprobe_override) +- return false; +- +- spin_lock(&array->aux->owner.lock); ++ return ret; + +- if (!array->aux->owner.type) { +- /* There's no owner yet where we could check for +- * compatibility. +- */ +- array->aux->owner.type = fp->type; +- array->aux->owner.jited = fp->jited; ++ spin_lock(&map->owner_lock); ++ /* There's no owner yet where we could check for compatibility. */ ++ if (!map->owner) { ++ map->owner = bpf_map_owner_alloc(map); ++ if (!map->owner) ++ goto err; ++ map->owner->type = prog_type; ++ map->owner->jited = fp->jited; ++ /* Note: xdp_has_frags doesn't exist in aux yet in our branch */ ++ /* map->owner->xdp_has_frags = aux->xdp_has_frags; */ ++ map->owner->attach_func_proto = aux->attach_func_proto; ++ for_each_cgroup_storage_type(i) { ++ map->owner->storage_cookie[i] = ++ aux->cgroup_storage[i] ? ++ aux->cgroup_storage[i]->cookie : 0; ++ } + ret = true; + } else { +- ret = array->aux->owner.type == fp->type && +- array->aux->owner.jited == fp->jited; ++ ret = map->owner->type == prog_type && ++ map->owner->jited == fp->jited; ++ /* Note: xdp_has_frags check would go here when available */ ++ /* && map->owner->xdp_has_frags == aux->xdp_has_frags; */ ++ for_each_cgroup_storage_type(i) { ++ if (!ret) ++ break; ++ cookie = aux->cgroup_storage[i] ? ++ aux->cgroup_storage[i]->cookie : 0; ++ ret = map->owner->storage_cookie[i] == cookie || ++ !cookie; ++ } ++ if (ret && ++ map->owner->attach_func_proto != aux->attach_func_proto) { ++ switch (prog_type) { ++ case BPF_PROG_TYPE_TRACING: ++ case BPF_PROG_TYPE_LSM: ++ case BPF_PROG_TYPE_EXT: ++ case BPF_PROG_TYPE_STRUCT_OPS: ++ ret = false; ++ break; ++ default: ++ break; ++ } ++ } + } +- spin_unlock(&array->aux->owner.lock); ++err: ++ spin_unlock(&map->owner_lock); + return ret; + } + ++bool bpf_prog_array_compatible(struct bpf_array *array, ++ const struct bpf_prog *fp) ++{ ++ struct bpf_map *map = &array->map; ++ return __bpf_prog_map_compatible(map, fp); ++} ++ + static int bpf_check_tail_call(const struct bpf_prog *fp) + { + struct bpf_prog_aux *aux = fp->aux; +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 6f309248f13fc1..b80d125dcea97d 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -31,6 +31,7 @@ + #include <linux/bpf-netns.h> + #include <linux/rcupdate_trace.h> + #include <linux/memcontrol.h> ++#include <linux/cookie.h> + + #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \ + (map)->map_type == BPF_MAP_TYPE_CGROUP_ARRAY || \ +@@ -43,6 +44,7 @@ + #define BPF_OBJ_FLAG_MASK (BPF_F_RDONLY | BPF_F_WRONLY) + + DEFINE_PER_CPU(int, bpf_prog_active); ++DEFINE_COOKIE(bpf_map_cookie); + static DEFINE_IDR(prog_idr); + static DEFINE_SPINLOCK(prog_idr_lock); + static DEFINE_IDR(map_idr); +@@ -475,6 +477,7 @@ static void bpf_map_free_deferred(struct work_struct *work) + + security_bpf_map_free(map); + bpf_map_release_memcg(map); ++ bpf_map_owner_free(map); + /* implementation dependent freeing */ + map->ops->map_free(map); + } +@@ -574,17 +577,15 @@ static unsigned long bpf_map_memory_footprint(const struct bpf_map *map) + + static void bpf_map_show_fdinfo(struct seq_file *m, struct file *filp) + { +- const struct bpf_map *map = filp->private_data; +- const struct bpf_array *array; ++ struct bpf_map *map = filp->private_data; + u32 type = 0, jited = 0; + +- if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) { +- array = container_of(map, struct bpf_array, map); +- spin_lock(&array->aux->owner.lock); +- type = array->aux->owner.type; +- jited = array->aux->owner.jited; +- spin_unlock(&array->aux->owner.lock); ++ spin_lock(&map->owner_lock); ++ if (map->owner) { ++ type = map->owner->type; ++ jited = map->owner->jited; + } ++ spin_unlock(&map->owner_lock); + + seq_printf(m, + "map_type:\t%u\n" +@@ -886,9 +887,14 @@ static int map_create(union bpf_attr *attr) + if (err < 0) + goto free_map; + ++ preempt_disable(); ++ map->cookie = gen_cookie_next(&bpf_map_cookie); ++ preempt_enable(); ++ + atomic64_set(&map->refcnt, 1); + atomic64_set(&map->usercnt, 1); + mutex_init(&map->freeze_mutex); ++ spin_lock_init(&map->owner_lock); + + map->spin_lock_off = -EINVAL; + map->timer_off = -EINVAL; +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c +index 519f742d44f488..954a85b8c27587 100644 +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -89,9 +89,20 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time) + if (!cpufreq_this_cpu_can_update(sg_policy->policy)) + return false; + +- if (unlikely(sg_policy->limits_changed)) { +- sg_policy->limits_changed = false; ++ if (unlikely(READ_ONCE(sg_policy->limits_changed))) { ++ WRITE_ONCE(sg_policy->limits_changed, false); + sg_policy->need_freq_update = true; ++ ++ /* ++ * The above limits_changed update must occur before the reads ++ * of policy limits in cpufreq_driver_resolve_freq() or a policy ++ * limits update might be missed, so use a memory barrier to ++ * ensure it. ++ * ++ * This pairs with the write memory barrier in sugov_limits(). ++ */ ++ smp_mb(); ++ + return true; + } + +@@ -326,7 +337,7 @@ static inline bool sugov_cpu_is_busy(struct sugov_cpu *sg_cpu) { return false; } + static inline void ignore_dl_rate_limit(struct sugov_cpu *sg_cpu) + { + if (cpu_bw_dl(cpu_rq(sg_cpu->cpu)) > sg_cpu->bw_dl) +- sg_cpu->sg_policy->limits_changed = true; ++ WRITE_ONCE(sg_cpu->sg_policy->limits_changed, true); + } + + static inline bool sugov_update_single_common(struct sugov_cpu *sg_cpu, +@@ -826,7 +837,16 @@ static void sugov_limits(struct cpufreq_policy *policy) + mutex_unlock(&sg_policy->work_lock); + } + +- sg_policy->limits_changed = true; ++ /* ++ * The limits_changed update below must take place before the updates ++ * of policy limits in cpufreq_set_policy() or a policy limits update ++ * might be missed, so use a memory barrier to ensure it. ++ * ++ * This pairs with the memory barrier in sugov_should_update_freq(). ++ */ ++ smp_wmb(); ++ ++ WRITE_ONCE(sg_policy->limits_changed, true); + } + + struct cpufreq_governor schedutil_gov = { +diff --git a/mm/khugepaged.c b/mm/khugepaged.c +index 203792e70ac1c2..e318c1abc81f04 100644 +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1609,7 +1609,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) + * has higher cost too. It would also probably require locking + * the anon_vma. + */ +- if (vma->anon_vma) ++ if (READ_ONCE(vma->anon_vma)) + continue; + addr = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); + if (addr & ~HPAGE_PMD_MASK) +@@ -1631,6 +1631,19 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) + if (!khugepaged_test_exit(mm)) { + struct mmu_notifier_range range; + ++ /* ++ * Re-check whether we have an ->anon_vma, because ++ * collapse_and_free_pmd() requires that either no ++ * ->anon_vma exists or the anon_vma is locked. ++ * We already checked ->anon_vma above, but that check ++ * is racy because ->anon_vma can be populated under the ++ * mmap lock in read mode. ++ */ ++ if (vma->anon_vma) { ++ mmap_write_unlock(mm); ++ continue; ++ } ++ + mmu_notifier_range_init(&range, + MMU_NOTIFY_CLEAR, 0, + NULL, mm, addr, +diff --git a/mm/slub.c b/mm/slub.c +index f95ae136a06989..97ac0c7da0f0b6 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -864,7 +864,12 @@ void object_err(struct kmem_cache *s, struct page *page, + return; + + slab_bug(s, "%s", reason); +- print_trailer(s, page, object); ++ if (!object || !check_valid_pointer(s, page, object)) { ++ print_page_info(page); ++ pr_err("Invalid pointer 0x%p\n", object); ++ } else { ++ print_trailer(s, page, object); ++ } + add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); + } + +diff --git a/net/atm/resources.c b/net/atm/resources.c +index b19d851e1f4439..7c6fdedbcf4e5c 100644 +--- a/net/atm/resources.c ++++ b/net/atm/resources.c +@@ -112,7 +112,9 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + + if (atm_proc_dev_register(dev) < 0) { + pr_err("atm_proc_dev_register failed for dev %s\n", type); +- goto out_fail; ++ mutex_unlock(&atm_dev_mutex); ++ kfree(dev); ++ return NULL; + } + + if (atm_register_sysfs(dev, parent) < 0) { +@@ -128,7 +130,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent, + return dev; + + out_fail: +- kfree(dev); ++ put_device(&dev->class_dev); + dev = NULL; + goto out; + } +diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c +index cd6afe895db991..e43f92372cba53 100644 +--- a/net/ax25/ax25_in.c ++++ b/net/ax25/ax25_in.c +@@ -433,6 +433,10 @@ static int ax25_rcv(struct sk_buff *skb, struct net_device *dev, + int ax25_kiss_rcv(struct sk_buff *skb, struct net_device *dev, + struct packet_type *ptype, struct net_device *orig_dev) + { ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + skb_orphan(skb); + + if (!net_eq(dev_net(dev), &init_net)) { +diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c +index 0a7f1d36a6a8f5..f59373232e4ffa 100644 +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -1691,7 +1691,12 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb, + + coding_len = ntohs(coded_packet_tmp.coded_len); + +- if (coding_len > skb->len) ++ /* ensure dst buffer is large enough (payload only) */ ++ if (coding_len + h_size > skb->len) ++ return NULL; ++ ++ /* ensure src buffer is large enough (payload only) */ ++ if (coding_len + h_size > nc_packet->skb->len) + return NULL; + + /* Here the magic is reversed: +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index b2719f1b8adffb..8e2e6d1a6dd154 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1416,7 +1416,10 @@ static int l2cap_sock_release(struct socket *sock) + if (!sk) + return 0; + ++ lock_sock_nested(sk, L2CAP_NESTING_PARENT); + l2cap_sock_cleanup_listen(sk); ++ release_sock(sk); ++ + bt_sock_unlink(&l2cap_sk_list, sk); + + err = l2cap_sock_shutdown(sock, SHUT_RDWR); +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 7cd2bef5833129..9ad0feb248b5db 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -630,9 +630,6 @@ static unsigned int br_nf_local_in(void *priv, + break; + } + +- ct = container_of(nfct, struct nf_conn, ct_general); +- WARN_ON_ONCE(!nf_ct_is_confirmed(ct)); +- + return ret; + } + #endif +diff --git a/net/core/ptp_classifier.c b/net/core/ptp_classifier.c +index dd4cf01d1e0a22..598041b0499e39 100644 +--- a/net/core/ptp_classifier.c ++++ b/net/core/ptp_classifier.c +@@ -137,6 +137,18 @@ struct ptp_header *ptp_parse_header(struct sk_buff *skb, unsigned int type) + } + EXPORT_SYMBOL_GPL(ptp_parse_header); + ++bool ptp_msg_is_sync(struct sk_buff *skb, unsigned int type) ++{ ++ struct ptp_header *hdr; ++ ++ hdr = ptp_parse_header(skb, type); ++ if (!hdr) ++ return false; ++ ++ return ptp_get_msgtype(hdr, type) == PTP_MSGTYPE_SYNC; ++} ++EXPORT_SYMBOL_GPL(ptp_msg_is_sync); ++ + void __init ptp_classifier_init(void) + { + static struct sock_filter ptp_filter[] __initdata = { +diff --git a/net/dsa/tag_ksz.c b/net/dsa/tag_ksz.c +index 6795dd01749968..00e4f40716dcbd 100644 +--- a/net/dsa/tag_ksz.c ++++ b/net/dsa/tag_ksz.c +@@ -70,7 +70,12 @@ static struct sk_buff *ksz8795_xmit(struct sk_buff *skb, struct net_device *dev) + + static struct sk_buff *ksz8795_rcv(struct sk_buff *skb, struct net_device *dev) + { +- u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; ++ u8 *tag; ++ ++ if (skb_linearize(skb)) ++ return NULL; ++ ++ tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; + + return ksz_common_rcv(skb, dev, tag[0] & 7, KSZ_EGRESS_TAG_LEN); + } +@@ -104,8 +109,9 @@ MODULE_ALIAS_DSA_TAG_DRIVER(DSA_TAG_PROTO_KSZ8795); + + #define KSZ9477_INGRESS_TAG_LEN 2 + #define KSZ9477_PTP_TAG_LEN 4 +-#define KSZ9477_PTP_TAG_INDICATION 0x80 ++#define KSZ9477_PTP_TAG_INDICATION BIT(7) + ++#define KSZ9477_TAIL_TAG_EG_PORT_M GENMASK(2, 0) + #define KSZ9477_TAIL_TAG_OVERRIDE BIT(9) + #define KSZ9477_TAIL_TAG_LOOKUP BIT(10) + +@@ -136,10 +142,16 @@ static struct sk_buff *ksz9477_xmit(struct sk_buff *skb, + + static struct sk_buff *ksz9477_rcv(struct sk_buff *skb, struct net_device *dev) + { +- /* Tag decoding */ +- u8 *tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; +- unsigned int port = tag[0] & 7; + unsigned int len = KSZ_EGRESS_TAG_LEN; ++ unsigned int port; ++ u8 *tag; ++ ++ if (skb_linearize(skb)) ++ return NULL; ++ ++ /* Tag decoding */ ++ tag = skb_tail_pointer(skb) - KSZ_EGRESS_TAG_LEN; ++ port = tag[0] & KSZ9477_TAIL_TAG_EG_PORT_M; + + /* Extra 4-bytes PTP timestamp */ + if (tag[0] & KSZ9477_PTP_TAG_INDICATION) +diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c +index 33e87b442b475e..6b0dc07f273a25 100644 +--- a/net/ipv4/devinet.c ++++ b/net/ipv4/devinet.c +@@ -332,14 +332,13 @@ static void inetdev_destroy(struct in_device *in_dev) + + static int __init inet_blackhole_dev_init(void) + { +- int err = 0; ++ struct in_device *in_dev; + + rtnl_lock(); +- if (!inetdev_init(blackhole_netdev)) +- err = -ENOMEM; ++ in_dev = inetdev_init(blackhole_netdev); + rtnl_unlock(); + +- return err; ++ return PTR_ERR_OR_ZERO(in_dev); + } + late_initcall(inet_blackhole_dev_init); + +diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c +index 38b30f67902941..8a70e516542640 100644 +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -792,11 +792,12 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + struct sk_buff *cloned_skb = NULL; + struct ip_options opts = { 0 }; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmp_send(skb_in, type, code, info, &opts); + return; + } +@@ -811,7 +812,8 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) + goto out; + + orig_ip = ip_hdr(skb_in)->saddr; +- ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; ++ dir = CTINFO2DIR(ctinfo); ++ ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip; + __icmp_send(skb_in, type, code, info, &opts); + ip_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c +index 9e3574880cb03e..233914b63bdb82 100644 +--- a/net/ipv6/ip6_icmp.c ++++ b/net/ipv6/ip6_icmp.c +@@ -54,11 +54,12 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + struct inet6_skb_parm parm = { 0 }; + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; ++ enum ip_conntrack_dir dir; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); +- if (!ct || !(ct->status & IPS_SRC_NAT)) { ++ if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) { + __icmpv6_send(skb_in, type, code, info, &parm); + return; + } +@@ -73,7 +74,8 @@ void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) + goto out; + + orig_ip = ipv6_hdr(skb_in)->saddr; +- ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; ++ dir = CTINFO2DIR(ctinfo); ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.in6; + __icmpv6_send(skb_in, type, code, info, &parm); + ipv6_hdr(skb_in)->saddr = orig_ip; + out: +diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c +index 41c9708b505758..de5ac9f4310314 100644 +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -418,7 +418,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + (cur->tuple.src.l3num == NFPROTO_UNSPEC || + cur->tuple.src.l3num == me->tuple.src.l3num) && + cur->tuple.dst.protonum == me->tuple.dst.protonum) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +@@ -429,7 +429,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) + hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { + if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, + &mask)) { +- ret = -EEXIST; ++ ret = -EBUSY; + goto out; + } + } +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index d977d7a7675e18..e2b4149e5ff43a 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1768,7 +1768,8 @@ cfg80211_update_known_bss(struct cfg80211_registered_device *rdev, + */ + + f = rcu_access_pointer(new->pub.beacon_ies); +- kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); ++ if (!new->pub.hidden_beacon_bss) ++ kfree_rcu((struct cfg80211_bss_ies *)f, rcu_head); + return false; + } + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index cba1440993450a..8658e9d220b696 100644 +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -137,6 +137,38 @@ static inline tree build_const_char_string(int len, const char *str) + return cstr; + } + ++static inline void __add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree oldattr; ++ ++ if (type == NULL_TREE) ++ return; ++ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type)); ++ if (oldattr != NULL_TREE) { ++ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args)); ++ return; ++ } ++ ++ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); ++ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type)); ++} ++ ++static inline void add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree main_variant = TYPE_MAIN_VARIANT(type); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args); ++ __add_type_attr(main_variant, attr, args); ++ ++ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) { ++ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type))) ++ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ } ++} ++ + #define PASS_INFO(NAME, REF, ID, POS) \ + struct register_pass_info NAME##_pass_info = { \ + .pass = make_##NAME##_pass(), \ +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index 60e9359a71a50a..24155ce8126640 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -95,6 +95,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f + + if (TYPE_P(*node)) { + type = *node; ++ } else if (TREE_CODE(*node) == FIELD_DECL) { ++ *no_add_attrs = false; ++ return NULL_TREE; + } else { + gcc_assert(TREE_CODE(*node) == TYPE_DECL); + type = TREE_TYPE(*node); +@@ -377,35 +380,18 @@ static int relayout_struct(tree type) + + shuffle(type, (tree *)newtree, shuffle_length); + +- /* +- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers +- * as gcc provides no other way to detect such code +- */ +- list = make_node(FIELD_DECL); +- TREE_CHAIN(list) = newtree[0]; +- TREE_TYPE(list) = void_type_node; +- DECL_SIZE(list) = bitsize_zero_node; +- DECL_NONADDRESSABLE_P(list) = 1; +- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node; +- DECL_SIZE_UNIT(list) = size_zero_node; +- DECL_FIELD_OFFSET(list) = size_zero_node; +- DECL_CONTEXT(list) = type; +- // to satisfy the constify plugin +- TREE_READONLY(list) = 1; +- + for (i = 0; i < num_fields - 1; i++) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + ++ add_type_attr(type, "randomize_performed", NULL_TREE); ++ add_type_attr(type, "designated_init", NULL_TREE); ++ if (has_flexarray) ++ add_type_attr(type, "has_flexarray", NULL_TREE); ++ + main_variant = TYPE_MAIN_VARIANT(type); +- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_FIELDS(variant) = list; +- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- if (has_flexarray) +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } ++ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) ++ TYPE_FIELDS(variant) = newtree[0]; + + /* + * force a re-layout of the main variant +@@ -473,10 +459,8 @@ static void randomize_type(tree type) + if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type)) + relayout_struct(type); + +- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } ++ add_type_attr(type, "randomize_considered", NULL_TREE); ++ + #ifdef __DEBUG_PLUGIN + fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type)); + #ifdef __DEBUG_VERBOSE +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index fcd7d94afc5d56..3aa722970e8665 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1962,6 +1962,7 @@ static int hdmi_add_cvt(struct hda_codec *codec, hda_nid_t cvt_nid) + static const struct snd_pci_quirk force_connect_list[] = { + SND_PCI_QUIRK(0x103c, 0x83e2, "HP EliteDesk 800 G4", 1), + SND_PCI_QUIRK(0x103c, 0x83ef, "HP MP9 G4 Retail System AMS", 1), ++ SND_PCI_QUIRK(0x103c, 0x845a, "HP EliteDesk 800 G4 DM 65W", 1), + SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1), + SND_PCI_QUIRK(0x103c, 0x8711, "HP", 1), +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index 03cba220fff13b..60269535eb5548 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -3609,9 +3609,11 @@ void snd_usb_mixer_fu_apply_quirk(struct usb_mixer_interface *mixer, + snd_dragonfly_quirk_db_scale(mixer, cval, kctl); + break; + /* lowest playback value is muted on some devices */ ++ case USB_ID(0x0572, 0x1b09): /* Conexant Systems (Rockwell), Inc. */ + case USB_ID(0x0d8c, 0x000c): /* C-Media */ + case USB_ID(0x0d8c, 0x0014): /* C-Media */ + case USB_ID(0x19f7, 0x0003): /* RODE NT-USB */ ++ case USB_ID(0x2d99, 0x0026): /* HECATE G2 GAMING HEADSET */ + if (strstr(kctl->id.name, "Playback")) + cval->min_mute = 1; + break; +diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c +index 41b889ab4d6ab6..e96a7fdfe283b5 100644 +--- a/tools/perf/util/bpf-event.c ++++ b/tools/perf/util/bpf-event.c +@@ -301,9 +301,15 @@ static int perf_event__synthesize_one_bpf_prog(struct perf_session *session, + + info_node->info_linear = info_linear; + if (!perf_env__insert_bpf_prog_info(env, info_node)) { +- free(info_linear); ++ /* ++ * Insert failed, likely because of a duplicate event ++ * made by the sideband thread. Ignore synthesizing the ++ * metadata. ++ */ + free(info_node); ++ goto out; + } ++ /* info_linear is now owned by info_node and shouldn't be freed below. */ + info_linear = NULL; + + /* +@@ -459,18 +465,18 @@ int perf_event__synthesize_bpf_events(struct perf_session *session, + return err; + } + +-static void perf_env__add_bpf_info(struct perf_env *env, u32 id) ++static int perf_env__add_bpf_info(struct perf_env *env, u32 id) + { + struct bpf_prog_info_linear *info_linear; + struct bpf_prog_info_node *info_node; + struct btf *btf = NULL; + u64 arrays; + u32 btf_id; +- int fd; ++ int fd, err = 0; + + fd = bpf_prog_get_fd_by_id(id); + if (fd < 0) +- return; ++ return -EINVAL; + + arrays = 1UL << BPF_PROG_INFO_JITED_KSYMS; + arrays |= 1UL << BPF_PROG_INFO_JITED_FUNC_LENS; +@@ -483,6 +489,7 @@ static void perf_env__add_bpf_info(struct perf_env *env, u32 id) + info_linear = bpf_program__get_prog_info_linear(fd, arrays); + if (IS_ERR_OR_NULL(info_linear)) { + pr_debug("%s: failed to get BPF program info. aborting\n", __func__); ++ err = PTR_ERR(info_linear); + goto out; + } + +@@ -492,38 +499,46 @@ static void perf_env__add_bpf_info(struct perf_env *env, u32 id) + if (info_node) { + info_node->info_linear = info_linear; + if (!perf_env__insert_bpf_prog_info(env, info_node)) { ++ pr_debug("%s: duplicate add bpf info request for id %u\n", ++ __func__, btf_id); + free(info_linear); + free(info_node); ++ goto out; + } +- } else ++ } else { + free(info_linear); ++ err = -ENOMEM; ++ goto out; ++ } + + if (btf_id == 0) + goto out; + + btf = btf__load_from_kernel_by_id(btf_id); +- if (libbpf_get_error(btf)) { +- pr_debug("%s: failed to get BTF of id %u, aborting\n", +- __func__, btf_id); +- goto out; ++ if (!btf) { ++ err = -errno; ++ pr_debug("%s: failed to get BTF of id %u %d\n", __func__, btf_id, err); ++ } else { ++ perf_env__fetch_btf(env, btf_id, btf); + } +- perf_env__fetch_btf(env, btf_id, btf); + + out: + btf__free(btf); + close(fd); ++ return err; + } + + static int bpf_event__sb_cb(union perf_event *event, void *data) + { + struct perf_env *env = data; ++ int ret = 0; + + if (event->header.type != PERF_RECORD_BPF_EVENT) + return -1; + + switch (event->bpf.type) { + case PERF_BPF_EVENT_PROG_LOAD: +- perf_env__add_bpf_info(env, event->bpf.id); ++ ret = perf_env__add_bpf_info(env, event->bpf.id); + + case PERF_BPF_EVENT_PROG_UNLOAD: + /* +@@ -537,7 +552,7 @@ static int bpf_event__sb_cb(union perf_event *event, void *data) + break; + } + +- return 0; ++ return ret; + } + + int evlist__add_bpf_sb_event(struct evlist *evlist, struct perf_env *env)
