diff options
| author |   Alice Ferrazzi <alicef@gentoo.org> | 2017-06-07 14:51:38 +0100 |
|---|---|---|
| committer | Alice Ferrazzi <alicef@gentoo.org> | 2017-06-07 14:51:38 +0100 |
| commit | 9b7695af91fc5c130219516add8592617d40c358 (patch) | |
| tree | 18f8e2874be99331ac2047fe6e9b56a1160f8ba0 | |
| parent | linux kernel 4.11.3 (diff) | |
| download | linux-patches-4.11-6.tar.gz linux-patches-4.11-6.tar.bz2 linux-patches-4.11-6.zip | |
linux kernel 4.11.44.11-6
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1003_linux-4.11.4.patch | 4984 |
2 files changed, 4988 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 456097e9..1afb734b 100644 --- a/0000_README +++ b/0000_README @@ -55,6 +55,10 @@ Patch: 1002_linux-4.11.3.patch From: http://www.kernel.org Desc: Linux 4.11.3 +Patch: 1003_linux-4.11.4.patch +From: http://www.kernel.org +Desc: Linux 4.11.4 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1003_linux-4.11.4.patch b/1003_linux-4.11.4.patch new file mode 100644 index 00000000..5be1f37c --- /dev/null +++ b/1003_linux-4.11.4.patch @@ -0,0 +1,4984 @@ +diff --git a/Documentation/acpi/acpi-lid.txt b/Documentation/acpi/acpi-lid.txt +index 22cb3091f297..effe7af3a5af 100644 +--- a/Documentation/acpi/acpi-lid.txt ++++ b/Documentation/acpi/acpi-lid.txt +@@ -59,20 +59,28 @@ button driver uses the following 3 modes in order not to trigger issues. + If the userspace hasn't been prepared to ignore the unreliable "opened" + events and the unreliable initial state notification, Linux users can use + the following kernel parameters to handle the possible issues: +-A. button.lid_init_state=open: ++A. button.lid_init_state=method: ++ When this option is specified, the ACPI button driver reports the ++ initial lid state using the returning value of the _LID control method ++ and whether the "opened"/"closed" events are paired fully relies on the ++ firmware implementation. ++ This option can be used to fix some platforms where the returning value ++ of the _LID control method is reliable but the initial lid state ++ notification is missing. ++ This option is the default behavior during the period the userspace ++ isn't ready to handle the buggy AML tables. ++B. button.lid_init_state=open: + When this option is specified, the ACPI button driver always reports the + initial lid state as "opened" and whether the "opened"/"closed" events + are paired fully relies on the firmware implementation. + This may fix some platforms where the returning value of the _LID + control method is not reliable and the initial lid state notification is + missing. +- This option is the default behavior during the period the userspace +- isn't ready to handle the buggy AML tables. + + If the userspace has been prepared to ignore the unreliable "opened" events + and the unreliable initial state notification, Linux users should always + use the following kernel parameter: +-B. button.lid_init_state=ignore: ++C. button.lid_init_state=ignore: + When this option is specified, the ACPI button driver never reports the + initial lid state and there is a compensation mechanism implemented to + ensure that the reliable "closed" notifications can always be delievered +diff --git a/Makefile b/Makefile +index 7bab1279d0b5..741814dca844 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 11 +-SUBLEVEL = 3 ++SUBLEVEL = 4 + EXTRAVERSION = + NAME = Fearless Coyote + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index ce8ab0409deb..4b0e0eda698b 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -252,8 +252,9 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx) + */ + off = offsetof(struct bpf_array, ptrs); + emit_a64_mov_i64(tmp, off, ctx); +- emit(A64_LDR64(tmp, r2, tmp), ctx); +- emit(A64_LDR64(prg, tmp, r3), ctx); ++ emit(A64_ADD(1, tmp, r2, tmp), ctx); ++ emit(A64_LSL(1, prg, r3, 3), ctx); ++ emit(A64_LDR64(prg, tmp, prg), ctx); + emit(A64_CBZ(1, prg, jmp_offset), ctx); + + /* goto *(prog->bpf_func + prologue_size); */ +diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c +index f5d399e46193..8d2d98f9ad02 100644 +--- a/arch/powerpc/kernel/prom.c ++++ b/arch/powerpc/kernel/prom.c +@@ -161,7 +161,9 @@ static struct ibm_pa_feature { + { .pabyte = 0, .pabit = 3, .cpu_features = CPU_FTR_CTRL }, + { .pabyte = 0, .pabit = 6, .cpu_features = CPU_FTR_NOEXECUTE }, + { .pabyte = 1, .pabit = 2, .mmu_features = MMU_FTR_CI_LARGE_PAGE }, ++#ifdef CONFIG_PPC_RADIX_MMU + { .pabyte = 40, .pabit = 0, .mmu_features = MMU_FTR_TYPE_RADIX }, ++#endif + { .pabyte = 1, .pabit = 1, .invert = 1, .cpu_features = CPU_FTR_NODSISRALIGN }, + { .pabyte = 5, .pabit = 0, .cpu_features = CPU_FTR_REAL_LE, + .cpu_user_ftrs = PPC_FEATURE_TRUE_LE }, +diff --git a/arch/powerpc/platforms/cell/spu_base.c b/arch/powerpc/platforms/cell/spu_base.c +index 96c2b8a40630..0c45cdbac4cf 100644 +--- a/arch/powerpc/platforms/cell/spu_base.c ++++ b/arch/powerpc/platforms/cell/spu_base.c +@@ -197,7 +197,9 @@ static int __spu_trap_data_map(struct spu *spu, unsigned long ea, u64 dsisr) + (REGION_ID(ea) != USER_REGION_ID)) { + + spin_unlock(&spu->register_lock); +- ret = hash_page(ea, _PAGE_PRESENT | _PAGE_READ, 0x300, dsisr); ++ ret = hash_page(ea, ++ _PAGE_PRESENT | _PAGE_READ | _PAGE_PRIVILEGED, ++ 0x300, dsisr); + spin_lock(&spu->register_lock); + + if (!ret) { +diff --git a/arch/sparc/include/asm/hugetlb.h b/arch/sparc/include/asm/hugetlb.h +index dcbf985ab243..d1f837dc77a4 100644 +--- a/arch/sparc/include/asm/hugetlb.h ++++ b/arch/sparc/include/asm/hugetlb.h +@@ -24,9 +24,11 @@ static inline int is_hugepage_only_range(struct mm_struct *mm, + static inline int prepare_hugepage_range(struct file *file, + unsigned long addr, unsigned long len) + { +- if (len & ~HPAGE_MASK) ++ struct hstate *h = hstate_file(file); ++ ++ if (len & ~huge_page_mask(h)) + return -EINVAL; +- if (addr & ~HPAGE_MASK) ++ if (addr & ~huge_page_mask(h)) + return -EINVAL; + return 0; + } +diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h +index ce6f56980aef..cf190728360b 100644 +--- a/arch/sparc/include/asm/pgtable_32.h ++++ b/arch/sparc/include/asm/pgtable_32.h +@@ -91,9 +91,9 @@ extern unsigned long pfn_base; + * ZERO_PAGE is a global shared page that is always zero: used + * for zero-mapped memory areas etc.. + */ +-extern unsigned long empty_zero_page; ++extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]; + +-#define ZERO_PAGE(vaddr) (virt_to_page(&empty_zero_page)) ++#define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page)) + + /* + * In general all page table modifications should use the V8 atomic +diff --git a/arch/sparc/include/asm/setup.h b/arch/sparc/include/asm/setup.h +index 478bf6bb4598..3fae200dd251 100644 +--- a/arch/sparc/include/asm/setup.h ++++ b/arch/sparc/include/asm/setup.h +@@ -16,7 +16,7 @@ extern char reboot_command[]; + */ + extern unsigned char boot_cpu_id; + +-extern unsigned long empty_zero_page; ++extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]; + + extern int serial_console; + static inline int con_is_present(void) +diff --git a/arch/sparc/kernel/ftrace.c b/arch/sparc/kernel/ftrace.c +index 6bcff698069b..cec54dc4ab81 100644 +--- a/arch/sparc/kernel/ftrace.c ++++ b/arch/sparc/kernel/ftrace.c +@@ -130,17 +130,16 @@ unsigned long prepare_ftrace_return(unsigned long parent, + if (unlikely(atomic_read(¤t->tracing_graph_pause))) + return parent + 8UL; + +- if (ftrace_push_return_trace(parent, self_addr, &trace.depth, +- frame_pointer, NULL) == -EBUSY) +- return parent + 8UL; +- + trace.func = self_addr; ++ trace.depth = current->curr_ret_stack + 1; + + /* Only trace if the calling function expects to */ +- if (!ftrace_graph_entry(&trace)) { +- current->curr_ret_stack--; ++ if (!ftrace_graph_entry(&trace)) ++ return parent + 8UL; ++ ++ if (ftrace_push_return_trace(parent, self_addr, &trace.depth, ++ frame_pointer, NULL) == -EBUSY) + return parent + 8UL; +- } + + return return_hooker; + } +diff --git a/arch/sparc/mm/init_32.c b/arch/sparc/mm/init_32.c +index c6afe98de4d9..3bd0d513bddb 100644 +--- a/arch/sparc/mm/init_32.c ++++ b/arch/sparc/mm/init_32.c +@@ -290,7 +290,7 @@ void __init mem_init(void) + + + /* Saves us work later. */ +- memset((void *)&empty_zero_page, 0, PAGE_SIZE); ++ memset((void *)empty_zero_page, 0, PAGE_SIZE); + + i = last_valid_pfn >> ((20 - PAGE_SHIFT) + 5); + i += 1; +diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile +index 44163e8c3868..2c860ad4fe06 100644 +--- a/arch/x86/boot/compressed/Makefile ++++ b/arch/x86/boot/compressed/Makefile +@@ -94,7 +94,7 @@ vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o + quiet_cmd_check_data_rel = DATAREL $@ + define cmd_check_data_rel + for obj in $(filter %.o,$^); do \ +- readelf -S $$obj | grep -qF .rel.local && { \ ++ ${CROSS_COMPILE}readelf -S $$obj | grep -qF .rel.local && { \ + echo "error: $$obj has data relocations!" >&2; \ + exit 1; \ + } || true; \ +diff --git a/arch/x86/include/asm/mce.h b/arch/x86/include/asm/mce.h +index e63873683d4a..f1f68c720675 100644 +--- a/arch/x86/include/asm/mce.h ++++ b/arch/x86/include/asm/mce.h +@@ -264,6 +264,7 @@ static inline int umc_normaddr_to_sysaddr(u64 norm_addr, u16 nid, u8 umc, u64 *s + #endif + + int mce_available(struct cpuinfo_x86 *c); ++bool mce_is_memory_error(struct mce *m); + + DECLARE_PER_CPU(unsigned, mce_exception_count); + DECLARE_PER_CPU(unsigned, mce_poll_count); +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index af44ebeb593f..104cda1f9073 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -643,16 +643,14 @@ static void mce_read_aux(struct mce *m, int i) + } + } + +-static bool memory_error(struct mce *m) ++bool mce_is_memory_error(struct mce *m) + { +- struct cpuinfo_x86 *c = &boot_cpu_data; +- +- if (c->x86_vendor == X86_VENDOR_AMD) { ++ if (m->cpuvendor == X86_VENDOR_AMD) { + /* ErrCodeExt[20:16] */ + u8 xec = (m->status >> 16) & 0x1f; + + return (xec == 0x0 || xec == 0x8); +- } else if (c->x86_vendor == X86_VENDOR_INTEL) { ++ } else if (m->cpuvendor == X86_VENDOR_INTEL) { + /* + * Intel SDM Volume 3B - 15.9.2 Compound Error Codes + * +@@ -673,6 +671,7 @@ static bool memory_error(struct mce *m) + + return false; + } ++EXPORT_SYMBOL_GPL(mce_is_memory_error); + + DEFINE_PER_CPU(unsigned, mce_poll_count); + +@@ -734,7 +733,7 @@ bool machine_check_poll(enum mcp_flags flags, mce_banks_t *b) + + severity = mce_severity(&m, mca_cfg.tolerant, NULL, false); + +- if (severity == MCE_DEFERRED_SEVERITY && memory_error(&m)) ++ if (severity == MCE_DEFERRED_SEVERITY && mce_is_memory_error(&m)) + if (m.status & MCI_STATUS_ADDRV) + m.severity = severity; + +diff --git a/crypto/skcipher.c b/crypto/skcipher.c +index 014af741fc6a..4faa0fd53b0c 100644 +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -764,6 +764,44 @@ static int crypto_init_skcipher_ops_ablkcipher(struct crypto_tfm *tfm) + return 0; + } + ++static int skcipher_setkey_unaligned(struct crypto_skcipher *tfm, ++ const u8 *key, unsigned int keylen) ++{ ++ unsigned long alignmask = crypto_skcipher_alignmask(tfm); ++ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm); ++ u8 *buffer, *alignbuffer; ++ unsigned long absize; ++ int ret; ++ ++ absize = keylen + alignmask; ++ buffer = kmalloc(absize, GFP_ATOMIC); ++ if (!buffer) ++ return -ENOMEM; ++ ++ alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); ++ memcpy(alignbuffer, key, keylen); ++ ret = cipher->setkey(tfm, alignbuffer, keylen); ++ kzfree(buffer); ++ return ret; ++} ++ ++static int skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key, ++ unsigned int keylen) ++{ ++ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm); ++ unsigned long alignmask = crypto_skcipher_alignmask(tfm); ++ ++ if (keylen < cipher->min_keysize || keylen > cipher->max_keysize) { ++ crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); ++ return -EINVAL; ++ } ++ ++ if ((unsigned long)key & alignmask) ++ return skcipher_setkey_unaligned(tfm, key, keylen); ++ ++ return cipher->setkey(tfm, key, keylen); ++} ++ + static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm) + { + struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm); +@@ -784,7 +822,7 @@ static int crypto_skcipher_init_tfm(struct crypto_tfm *tfm) + tfm->__crt_alg->cra_type == &crypto_givcipher_type) + return crypto_init_skcipher_ops_ablkcipher(tfm); + +- skcipher->setkey = alg->setkey; ++ skcipher->setkey = skcipher_setkey; + skcipher->encrypt = alg->encrypt; + skcipher->decrypt = alg->decrypt; + skcipher->ivsize = alg->ivsize; +diff --git a/drivers/acpi/acpica/tbutils.c b/drivers/acpi/acpica/tbutils.c +index 5a968a78652b..7abe66505739 100644 +--- a/drivers/acpi/acpica/tbutils.c ++++ b/drivers/acpi/acpica/tbutils.c +@@ -418,11 +418,7 @@ acpi_tb_get_table(struct acpi_table_desc *table_desc, + + table_desc->validation_count++; + if (table_desc->validation_count == 0) { +- ACPI_ERROR((AE_INFO, +- "Table %p, Validation count is zero after increment\n", +- table_desc)); + table_desc->validation_count--; +- return_ACPI_STATUS(AE_LIMIT); + } + + *out_table = table_desc->pointer; +diff --git a/drivers/acpi/button.c b/drivers/acpi/button.c +index 668137e4a069..e19f530f1083 100644 +--- a/drivers/acpi/button.c ++++ b/drivers/acpi/button.c +@@ -57,6 +57,7 @@ + + #define ACPI_BUTTON_LID_INIT_IGNORE 0x00 + #define ACPI_BUTTON_LID_INIT_OPEN 0x01 ++#define ACPI_BUTTON_LID_INIT_METHOD 0x02 + + #define _COMPONENT ACPI_BUTTON_COMPONENT + ACPI_MODULE_NAME("button"); +@@ -112,7 +113,7 @@ struct acpi_button { + + static BLOCKING_NOTIFIER_HEAD(acpi_lid_notifier); + static struct acpi_device *lid_device; +-static u8 lid_init_state = ACPI_BUTTON_LID_INIT_OPEN; ++static u8 lid_init_state = ACPI_BUTTON_LID_INIT_METHOD; + + static unsigned long lid_report_interval __read_mostly = 500; + module_param(lid_report_interval, ulong, 0644); +@@ -376,6 +377,9 @@ static void acpi_lid_initialize_state(struct acpi_device *device) + case ACPI_BUTTON_LID_INIT_OPEN: + (void)acpi_lid_notify_state(device, 1); + break; ++ case ACPI_BUTTON_LID_INIT_METHOD: ++ (void)acpi_lid_update_state(device); ++ break; + case ACPI_BUTTON_LID_INIT_IGNORE: + default: + break; +@@ -559,6 +563,9 @@ static int param_set_lid_init_state(const char *val, struct kernel_param *kp) + if (!strncmp(val, "open", sizeof("open") - 1)) { + lid_init_state = ACPI_BUTTON_LID_INIT_OPEN; + pr_info("Notify initial lid state as open\n"); ++ } else if (!strncmp(val, "method", sizeof("method") - 1)) { ++ lid_init_state = ACPI_BUTTON_LID_INIT_METHOD; ++ pr_info("Notify initial lid state with _LID return value\n"); + } else if (!strncmp(val, "ignore", sizeof("ignore") - 1)) { + lid_init_state = ACPI_BUTTON_LID_INIT_IGNORE; + pr_info("Do not notify initial lid state\n"); +@@ -572,6 +579,8 @@ static int param_get_lid_init_state(char *buffer, struct kernel_param *kp) + switch (lid_init_state) { + case ACPI_BUTTON_LID_INIT_OPEN: + return sprintf(buffer, "open"); ++ case ACPI_BUTTON_LID_INIT_METHOD: ++ return sprintf(buffer, "method"); + case ACPI_BUTTON_LID_INIT_IGNORE: + return sprintf(buffer, "ignore"); + default: +diff --git a/drivers/acpi/nfit/mce.c b/drivers/acpi/nfit/mce.c +index 3ba1c3472cf9..fd86bec98dea 100644 +--- a/drivers/acpi/nfit/mce.c ++++ b/drivers/acpi/nfit/mce.c +@@ -26,7 +26,7 @@ static int nfit_handle_mce(struct notifier_block *nb, unsigned long val, + struct nfit_spa *nfit_spa; + + /* We only care about memory errors */ +- if (!(mce->status & MCACOD)) ++ if (!mce_is_memory_error(mce)) + return NOTIFY_DONE; + + /* +diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c +index cf05ae973381..5180fef9eb49 100644 +--- a/drivers/acpi/sysfs.c ++++ b/drivers/acpi/sysfs.c +@@ -333,14 +333,17 @@ static ssize_t acpi_table_show(struct file *filp, struct kobject *kobj, + container_of(bin_attr, struct acpi_table_attr, attr); + struct acpi_table_header *table_header = NULL; + acpi_status status; ++ ssize_t rc; + + status = acpi_get_table(table_attr->name, table_attr->instance, + &table_header); + if (ACPI_FAILURE(status)) + return -ENODEV; + +- return memory_read_from_buffer(buf, count, &offset, +- table_header, table_header->length); ++ rc = memory_read_from_buffer(buf, count, &offset, table_header, ++ table_header->length); ++ acpi_put_table(table_header); ++ return rc; + } + + static int acpi_table_attr_init(struct kobject *tables_obj, +diff --git a/drivers/char/pcmcia/cm4040_cs.c b/drivers/char/pcmcia/cm4040_cs.c +index d4dbd8d8e524..382c864814d9 100644 +--- a/drivers/char/pcmcia/cm4040_cs.c ++++ b/drivers/char/pcmcia/cm4040_cs.c +@@ -374,7 +374,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf, + + rc = write_sync_reg(SCR_HOST_TO_READER_START, dev); + if (rc <= 0) { +- DEBUGP(5, dev, "write_sync_reg c=%.2Zx\n", rc); ++ DEBUGP(5, dev, "write_sync_reg c=%.2zx\n", rc); + DEBUGP(2, dev, "<- cm4040_write (failed)\n"); + if (rc == -ERESTARTSYS) + return rc; +@@ -387,7 +387,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf, + for (i = 0; i < bytes_to_write; i++) { + rc = wait_for_bulk_out_ready(dev); + if (rc <= 0) { +- DEBUGP(5, dev, "wait_for_bulk_out_ready rc=%.2Zx\n", ++ DEBUGP(5, dev, "wait_for_bulk_out_ready rc=%.2zx\n", + rc); + DEBUGP(2, dev, "<- cm4040_write (failed)\n"); + if (rc == -ERESTARTSYS) +@@ -403,7 +403,7 @@ static ssize_t cm4040_write(struct file *filp, const char __user *buf, + rc = write_sync_reg(SCR_HOST_TO_READER_DONE, dev); + + if (rc <= 0) { +- DEBUGP(5, dev, "write_sync_reg c=%.2Zx\n", rc); ++ DEBUGP(5, dev, "write_sync_reg c=%.2zx\n", rc); + DEBUGP(2, dev, "<- cm4040_write (failed)\n"); + if (rc == -ERESTARTSYS) + return rc; +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c +index f75ee33ec5bb..98bfa5e41e3b 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c +@@ -2656,6 +2656,28 @@ static int smu7_get_power_state_size(struct pp_hwmgr *hwmgr) + return sizeof(struct smu7_power_state); + } + ++static int smu7_vblank_too_short(struct pp_hwmgr *hwmgr, ++ uint32_t vblank_time_us) ++{ ++ struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend); ++ uint32_t switch_limit_us; ++ ++ switch (hwmgr->chip_id) { ++ case CHIP_POLARIS10: ++ case CHIP_POLARIS11: ++ case CHIP_POLARIS12: ++ switch_limit_us = data->is_memory_gddr5 ? 190 : 150; ++ break; ++ default: ++ switch_limit_us = data->is_memory_gddr5 ? 450 : 150; ++ break; ++ } ++ ++ if (vblank_time_us < switch_limit_us) ++ return true; ++ else ++ return false; ++} + + static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + struct pp_power_state *request_ps, +@@ -2670,6 +2692,7 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + bool disable_mclk_switching; + bool disable_mclk_switching_for_frame_lock; + struct cgs_display_info info = {0}; ++ struct cgs_mode_info mode_info = {0}; + const struct phm_clock_and_voltage_limits *max_limits; + uint32_t i; + struct smu7_hwmgr *data = (struct smu7_hwmgr *)(hwmgr->backend); +@@ -2678,6 +2701,7 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + int32_t count; + int32_t stable_pstate_sclk = 0, stable_pstate_mclk = 0; + ++ info.mode_info = &mode_info; + data->battery_state = (PP_StateUILabel_Battery == + request_ps->classification.ui_label); + +@@ -2704,8 +2728,6 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + + cgs_get_active_displays_info(hwmgr->device, &info); + +- /*TO DO result = PHM_CheckVBlankTime(hwmgr, &vblankTooShort);*/ +- + minimum_clocks.engineClock = hwmgr->display_config.min_core_set_clock; + minimum_clocks.memoryClock = hwmgr->display_config.min_mem_set_clock; + +@@ -2770,8 +2792,10 @@ static int smu7_apply_state_adjust_rules(struct pp_hwmgr *hwmgr, + PHM_PlatformCaps_DisableMclkSwitchingForFrameLock); + + +- disable_mclk_switching = (1 < info.display_count) || +- disable_mclk_switching_for_frame_lock; ++ disable_mclk_switching = ((1 < info.display_count) || ++ disable_mclk_switching_for_frame_lock || ++ smu7_vblank_too_short(hwmgr, mode_info.vblank_time_us) || ++ (mode_info.refresh_rate > 120)); + + sclk = smu7_ps->performance_levels[0].engine_clock; + mclk = smu7_ps->performance_levels[0].memory_clock; +diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c +index 483fdce74e39..97c444856d09 100644 +--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c ++++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c +@@ -760,20 +760,23 @@ void psb_intel_lvds_init(struct drm_device *dev, + if (scan->type & DRM_MODE_TYPE_PREFERRED) { + mode_dev->panel_fixed_mode = + drm_mode_duplicate(dev, scan); ++ DRM_DEBUG_KMS("Using mode from DDC\n"); + goto out; /* FIXME: check for quirks */ + } + } + + /* Failed to get EDID, what about VBT? do we need this? */ +- if (mode_dev->vbt_mode) ++ if (dev_priv->lfp_lvds_vbt_mode) { + mode_dev->panel_fixed_mode = +- drm_mode_duplicate(dev, mode_dev->vbt_mode); ++ drm_mode_duplicate(dev, dev_priv->lfp_lvds_vbt_mode); + +- if (!mode_dev->panel_fixed_mode) +- if (dev_priv->lfp_lvds_vbt_mode) +- mode_dev->panel_fixed_mode = +- drm_mode_duplicate(dev, +- dev_priv->lfp_lvds_vbt_mode); ++ if (mode_dev->panel_fixed_mode) { ++ mode_dev->panel_fixed_mode->type |= ++ DRM_MODE_TYPE_PREFERRED; ++ DRM_DEBUG_KMS("Using mode from VBT\n"); ++ goto out; ++ } ++ } + + /* + * If we didn't get EDID, try checking if the panel is already turned +@@ -790,6 +793,7 @@ void psb_intel_lvds_init(struct drm_device *dev, + if (mode_dev->panel_fixed_mode) { + mode_dev->panel_fixed_mode->type |= + DRM_MODE_TYPE_PREFERRED; ++ DRM_DEBUG_KMS("Using pre-programmed mode\n"); + goto out; /* FIXME: check for quirks */ + } + } +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index 7ba450832e6b..ea36dc4dd5d2 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -776,6 +776,12 @@ bool ci_dpm_vblank_too_short(struct radeon_device *rdev) + u32 vblank_time = r600_dpm_get_vblank_time(rdev); + u32 switch_limit = pi->mem_gddr5 ? 450 : 300; + ++ /* disable mclk switching if the refresh is >120Hz, even if the ++ * blanking period would allow it ++ */ ++ if (r600_dpm_get_vrefresh(rdev) > 120) ++ return true; ++ + if (vblank_time < switch_limit) + return true; + else +diff --git a/drivers/gpu/drm/radeon/cik.c b/drivers/gpu/drm/radeon/cik.c +index f6ff41a0eed6..edee6a5f4da9 100644 +--- a/drivers/gpu/drm/radeon/cik.c ++++ b/drivers/gpu/drm/radeon/cik.c +@@ -7416,7 +7416,7 @@ static inline void cik_irq_ack(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, tmp); + } + if (rdev->irq.stat_regs.cik.disp_int_cont5 & DC_HPD6_INTERRUPT) { +- tmp = RREG32(DC_HPD5_INT_CONTROL); ++ tmp = RREG32(DC_HPD6_INT_CONTROL); + tmp |= DC_HPDx_INT_ACK; + WREG32(DC_HPD6_INT_CONTROL, tmp); + } +@@ -7446,7 +7446,7 @@ static inline void cik_irq_ack(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, tmp); + } + if (rdev->irq.stat_regs.cik.disp_int_cont5 & DC_HPD6_RX_INTERRUPT) { +- tmp = RREG32(DC_HPD5_INT_CONTROL); ++ tmp = RREG32(DC_HPD6_INT_CONTROL); + tmp |= DC_HPDx_RX_INT_ACK; + WREG32(DC_HPD6_INT_CONTROL, tmp); + } +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 0b6b5766216f..6068b8a01016 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -4933,7 +4933,7 @@ static void evergreen_irq_ack(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, tmp); + } + if (rdev->irq.stat_regs.evergreen.disp_int_cont5 & DC_HPD6_INTERRUPT) { +- tmp = RREG32(DC_HPD5_INT_CONTROL); ++ tmp = RREG32(DC_HPD6_INT_CONTROL); + tmp |= DC_HPDx_INT_ACK; + WREG32(DC_HPD6_INT_CONTROL, tmp); + } +@@ -4964,7 +4964,7 @@ static void evergreen_irq_ack(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, tmp); + } + if (rdev->irq.stat_regs.evergreen.disp_int_cont5 & DC_HPD6_RX_INTERRUPT) { +- tmp = RREG32(DC_HPD5_INT_CONTROL); ++ tmp = RREG32(DC_HPD6_INT_CONTROL); + tmp |= DC_HPDx_RX_INT_ACK; + WREG32(DC_HPD6_INT_CONTROL, tmp); + } +diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c +index a951881c2a50..f2eac6b6c46a 100644 +--- a/drivers/gpu/drm/radeon/r600.c ++++ b/drivers/gpu/drm/radeon/r600.c +@@ -3995,7 +3995,7 @@ static void r600_irq_ack(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, tmp); + } + if (rdev->irq.stat_regs.r600.disp_int_cont2 & DC_HPD6_INTERRUPT) { +- tmp = RREG32(DC_HPD5_INT_CONTROL); ++ tmp = RREG32(DC_HPD6_INT_CONTROL); + tmp |= DC_HPDx_INT_ACK; + WREG32(DC_HPD6_INT_CONTROL, tmp); + } +diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c +index 414776811e71..c8047548f8be 100644 +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -6345,7 +6345,7 @@ static inline void si_irq_ack(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, tmp); + } + if (rdev->irq.stat_regs.evergreen.disp_int_cont5 & DC_HPD6_INTERRUPT) { +- tmp = RREG32(DC_HPD5_INT_CONTROL); ++ tmp = RREG32(DC_HPD6_INT_CONTROL); + tmp |= DC_HPDx_INT_ACK; + WREG32(DC_HPD6_INT_CONTROL, tmp); + } +@@ -6376,7 +6376,7 @@ static inline void si_irq_ack(struct radeon_device *rdev) + WREG32(DC_HPD5_INT_CONTROL, tmp); + } + if (rdev->irq.stat_regs.evergreen.disp_int_cont5 & DC_HPD6_RX_INTERRUPT) { +- tmp = RREG32(DC_HPD5_INT_CONTROL); ++ tmp = RREG32(DC_HPD6_INT_CONTROL); + tmp |= DC_HPDx_RX_INT_ACK; + WREG32(DC_HPD6_INT_CONTROL, tmp); + } +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index c68ac65db7ff..4859926332c1 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1571,37 +1571,38 @@ static int wacom_tpc_irq(struct wacom_wac *wacom, size_t len) + { + unsigned char *data = wacom->data; + +- if (wacom->pen_input) ++ if (wacom->pen_input) { + dev_dbg(wacom->pen_input->dev.parent, + "%s: received report #%d\n", __func__, data[0]); +- else if (wacom->touch_input) ++ ++ if (len == WACOM_PKGLEN_PENABLED || ++ data[0] == WACOM_REPORT_PENABLED) ++ return wacom_tpc_pen(wacom); ++ } ++ else if (wacom->touch_input) { + dev_dbg(wacom->touch_input->dev.parent, + "%s: received report #%d\n", __func__, data[0]); + +- switch (len) { +- case WACOM_PKGLEN_TPC1FG: +- return wacom_tpc_single_touch(wacom, len); ++ switch (len) { ++ case WACOM_PKGLEN_TPC1FG: ++ return wacom_tpc_single_touch(wacom, len); + +- case WACOM_PKGLEN_TPC2FG: +- return wacom_tpc_mt_touch(wacom); ++ case WACOM_PKGLEN_TPC2FG: ++ return wacom_tpc_mt_touch(wacom); + +- case WACOM_PKGLEN_PENABLED: +- return wacom_tpc_pen(wacom); ++ default: ++ switch (data[0]) { ++ case WACOM_REPORT_TPC1FG: ++ case WACOM_REPORT_TPCHID: ++ case WACOM_REPORT_TPCST: ++ case WACOM_REPORT_TPC1FGE: ++ return wacom_tpc_single_touch(wacom, len); + +- default: +- switch (data[0]) { +- case WACOM_REPORT_TPC1FG: +- case WACOM_REPORT_TPCHID: +- case WACOM_REPORT_TPCST: +- case WACOM_REPORT_TPC1FGE: +- return wacom_tpc_single_touch(wacom, len); +- +- case WACOM_REPORT_TPCMT: +- case WACOM_REPORT_TPCMT2: +- return wacom_mt_touch(wacom); ++ case WACOM_REPORT_TPCMT: ++ case WACOM_REPORT_TPCMT2: ++ return wacom_mt_touch(wacom); + +- case WACOM_REPORT_PENABLED: +- return wacom_tpc_pen(wacom); ++ } + } + } + +diff --git a/drivers/i2c/busses/i2c-tiny-usb.c b/drivers/i2c/busses/i2c-tiny-usb.c +index 0ed77eeff31e..a2e3dd715380 100644 +--- a/drivers/i2c/busses/i2c-tiny-usb.c ++++ b/drivers/i2c/busses/i2c-tiny-usb.c +@@ -178,22 +178,39 @@ static int usb_read(struct i2c_adapter *adapter, int cmd, + int value, int index, void *data, int len) + { + struct i2c_tiny_usb *dev = (struct i2c_tiny_usb *)adapter->algo_data; ++ void *dmadata = kmalloc(len, GFP_KERNEL); ++ int ret; ++ ++ if (!dmadata) ++ return -ENOMEM; + + /* do control transfer */ +- return usb_control_msg(dev->usb_dev, usb_rcvctrlpipe(dev->usb_dev, 0), ++ ret = usb_control_msg(dev->usb_dev, usb_rcvctrlpipe(dev->usb_dev, 0), + cmd, USB_TYPE_VENDOR | USB_RECIP_INTERFACE | +- USB_DIR_IN, value, index, data, len, 2000); ++ USB_DIR_IN, value, index, dmadata, len, 2000); ++ ++ memcpy(data, dmadata, len); ++ kfree(dmadata); ++ return ret; + } + + static int usb_write(struct i2c_adapter *adapter, int cmd, + int value, int index, void *data, int len) + { + struct i2c_tiny_usb *dev = (struct i2c_tiny_usb *)adapter->algo_data; ++ void *dmadata = kmemdup(data, len, GFP_KERNEL); ++ int ret; ++ ++ if (!dmadata) ++ return -ENOMEM; + + /* do control transfer */ +- return usb_control_msg(dev->usb_dev, usb_sndctrlpipe(dev->usb_dev, 0), ++ ret = usb_control_msg(dev->usb_dev, usb_sndctrlpipe(dev->usb_dev, 0), + cmd, USB_TYPE_VENDOR | USB_RECIP_INTERFACE, +- value, index, data, len, 2000); ++ value, index, dmadata, len, 2000); ++ ++ kfree(dmadata); ++ return ret; + } + + static void i2c_tiny_usb_free(struct i2c_tiny_usb *dev) +diff --git a/drivers/infiniband/hw/hfi1/rc.c b/drivers/infiniband/hw/hfi1/rc.c +index 7382be11afca..aa71b7384640 100644 +--- a/drivers/infiniband/hw/hfi1/rc.c ++++ b/drivers/infiniband/hw/hfi1/rc.c +@@ -2149,8 +2149,11 @@ void hfi1_rc_rcv(struct hfi1_packet *packet) + ret = hfi1_rvt_get_rwqe(qp, 1); + if (ret < 0) + goto nack_op_err; +- if (!ret) ++ if (!ret) { ++ /* peer will send again */ ++ rvt_put_ss(&qp->r_sge); + goto rnr_nak; ++ } + wc.ex.imm_data = ohdr->u.rc.imm_data; + wc.wc_flags = IB_WC_WITH_IMM; + goto send_last; +diff --git a/drivers/infiniband/hw/qib/qib_rc.c b/drivers/infiniband/hw/qib/qib_rc.c +index 12658e3fe154..f7dfccf9a1e1 100644 +--- a/drivers/infiniband/hw/qib/qib_rc.c ++++ b/drivers/infiniband/hw/qib/qib_rc.c +@@ -1947,8 +1947,10 @@ void qib_rc_rcv(struct qib_ctxtdata *rcd, struct ib_header *hdr, + ret = qib_get_rwqe(qp, 1); + if (ret < 0) + goto nack_op_err; +- if (!ret) ++ if (!ret) { ++ rvt_put_ss(&qp->r_sge); + goto rnr_nak; ++ } + wc.ex.imm_data = ohdr->u.rc.imm_data; + hdrsize += 4; + wc.wc_flags = IB_WC_WITH_IMM; +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index cee46266f434..f6b5e14a7eab 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -570,7 +570,7 @@ static int srp_create_ch_ib(struct srp_rdma_ch *ch) + return 0; + + err_qp: +- srp_destroy_qp(ch, qp); ++ ib_destroy_qp(qp); + + err_send_cq: + ib_free_cq(send_cq); +diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c +index 3275d4995812..61666d269771 100644 +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -187,7 +187,8 @@ static const struct sdhci_iproc_data iproc_cygnus_data = { + }; + + static const struct sdhci_pltfm_data sdhci_iproc_pltfm_data = { +- .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK, ++ .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK | ++ SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, + .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN, + .ops = &sdhci_iproc_ops, + }; +diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c +index edc70ffad660..6dcc42d79cab 100644 +--- a/drivers/net/bonding/bond_3ad.c ++++ b/drivers/net/bonding/bond_3ad.c +@@ -2573,7 +2573,7 @@ int __bond_3ad_get_active_agg_info(struct bonding *bond, + return -1; + + ad_info->aggregator_id = aggregator->aggregator_identifier; +- ad_info->ports = aggregator->num_of_ports; ++ ad_info->ports = __agg_active_ports(aggregator); + ad_info->actor_key = aggregator->actor_oper_aggregator_key; + ad_info->partner_key = aggregator->partner_oper_aggregator_key; + ether_addr_copy(ad_info->partner_system, +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 6be3b9aba8ed..ff617beb8502 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -5027,9 +5027,11 @@ static netdev_features_t be_features_check(struct sk_buff *skb, + struct be_adapter *adapter = netdev_priv(dev); + u8 l4_hdr = 0; + +- /* The code below restricts offload features for some tunneled packets. ++ /* The code below restricts offload features for some tunneled and ++ * Q-in-Q packets. + * Offload features for normal (non tunnel) packets are unchanged. + */ ++ features = vlan_features_check(skb, features); + if (!skb->encapsulation || + !(adapter->flags & BE_FLAGS_VXLAN_OFFLOADS)) + return features; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index a380353a78c2..f95c869c7c29 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -770,7 +770,7 @@ static void cb_timeout_handler(struct work_struct *work) + mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n", + mlx5_command_str(msg_to_opcode(ent->in)), + msg_to_opcode(ent->in)); +- mlx5_cmd_comp_handler(dev, 1UL << ent->idx); ++ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); + } + + static void cmd_work_handler(struct work_struct *work) +@@ -800,6 +800,7 @@ static void cmd_work_handler(struct work_struct *work) + } + + cmd->ent_arr[ent->idx] = ent; ++ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state); + lay = get_inst(cmd, ent->idx); + ent->lay = lay; + memset(lay, 0, sizeof(*lay)); +@@ -821,6 +822,20 @@ static void cmd_work_handler(struct work_struct *work) + if (ent->callback) + schedule_delayed_work(&ent->cb_timeout_work, cb_timeout); + ++ /* Skip sending command to fw if internal error */ ++ if (pci_channel_offline(dev->pdev) || ++ dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) { ++ u8 status = 0; ++ u32 drv_synd; ++ ++ ent->ret = mlx5_internal_err_ret_value(dev, msg_to_opcode(ent->in), &drv_synd, &status); ++ MLX5_SET(mbox_out, ent->out, status, status); ++ MLX5_SET(mbox_out, ent->out, syndrome, drv_synd); ++ ++ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); ++ return; ++ } ++ + /* ring doorbell after the descriptor is valid */ + mlx5_core_dbg(dev, "writing 0x%x to command doorbell\n", 1 << ent->idx); + wmb(); +@@ -831,7 +846,7 @@ static void cmd_work_handler(struct work_struct *work) + poll_timeout(ent); + /* make sure we read the descriptor after ownership is SW */ + rmb(); +- mlx5_cmd_comp_handler(dev, 1UL << ent->idx); ++ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, (ent->ret == -ETIMEDOUT)); + } + } + +@@ -875,7 +890,7 @@ static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent) + wait_for_completion(&ent->done); + } else if (!wait_for_completion_timeout(&ent->done, timeout)) { + ent->ret = -ETIMEDOUT; +- mlx5_cmd_comp_handler(dev, 1UL << ent->idx); ++ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); + } + + err = ent->ret; +@@ -1371,7 +1386,7 @@ static void free_msg(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *msg) + } + } + +-void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec) ++void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool forced) + { + struct mlx5_cmd *cmd = &dev->cmd; + struct mlx5_cmd_work_ent *ent; +@@ -1391,6 +1406,19 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec) + struct semaphore *sem; + + ent = cmd->ent_arr[i]; ++ ++ /* if we already completed the command, ignore it */ ++ if (!test_and_clear_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, ++ &ent->state)) { ++ /* only real completion can free the cmd slot */ ++ if (!forced) { ++ mlx5_core_err(dev, "Command completion arrived after timeout (entry idx = %d).\n", ++ ent->idx); ++ free_ent(cmd, ent->idx); ++ } ++ continue; ++ } ++ + if (ent->callback) + cancel_delayed_work(&ent->cb_timeout_work); + if (ent->page_queue) +@@ -1413,7 +1441,10 @@ void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec) + mlx5_core_dbg(dev, "command completed. ret 0x%x, delivery status %s(0x%x)\n", + ent->ret, deliv_status_to_str(ent->status), ent->status); + } +- free_ent(cmd, ent->idx); ++ ++ /* only real completion will free the entry slot */ ++ if (!forced) ++ free_ent(cmd, ent->idx); + + if (ent->callback) { + ds = ent->ts2 - ent->ts1; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +index a004a5a1a4c2..949fbadd7817 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c +@@ -773,7 +773,6 @@ static void get_supported(u32 eth_proto_cap, + ptys2ethtool_supported_port(link_ksettings, eth_proto_cap); + ptys2ethtool_supported_link(supported, eth_proto_cap); + ethtool_link_ksettings_add_link_mode(link_ksettings, supported, Pause); +- ethtool_link_ksettings_add_link_mode(link_ksettings, supported, Asym_Pause); + } + + static void get_advertising(u32 eth_proto_cap, u8 tx_pause, +@@ -783,7 +782,7 @@ static void get_advertising(u32 eth_proto_cap, u8 tx_pause, + unsigned long *advertising = link_ksettings->link_modes.advertising; + + ptys2ethtool_adver_link(advertising, eth_proto_cap); +- if (tx_pause) ++ if (rx_pause) + ethtool_link_ksettings_add_link_mode(link_ksettings, advertising, Pause); + if (tx_pause ^ rx_pause) + ethtool_link_ksettings_add_link_mode(link_ksettings, advertising, Asym_Pause); +@@ -828,6 +827,8 @@ static int mlx5e_get_link_ksettings(struct net_device *netdev, + struct mlx5e_priv *priv = netdev_priv(netdev); + struct mlx5_core_dev *mdev = priv->mdev; + u32 out[MLX5_ST_SZ_DW(ptys_reg)] = {0}; ++ u32 rx_pause = 0; ++ u32 tx_pause = 0; + u32 eth_proto_cap; + u32 eth_proto_admin; + u32 eth_proto_lp; +@@ -850,11 +851,13 @@ static int mlx5e_get_link_ksettings(struct net_device *netdev, + an_disable_admin = MLX5_GET(ptys_reg, out, an_disable_admin); + an_status = MLX5_GET(ptys_reg, out, an_status); + ++ mlx5_query_port_pause(mdev, &rx_pause, &tx_pause); ++ + ethtool_link_ksettings_zero_link_mode(link_ksettings, supported); + ethtool_link_ksettings_zero_link_mode(link_ksettings, advertising); + + get_supported(eth_proto_cap, link_ksettings); +- get_advertising(eth_proto_admin, 0, 0, link_ksettings); ++ get_advertising(eth_proto_admin, tx_pause, rx_pause, link_ksettings); + get_speed_duplex(netdev, eth_proto_oper, link_ksettings); + + eth_proto_oper = eth_proto_oper ? eth_proto_oper : eth_proto_cap; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c +index ea5d8d37a75c..33eae5ad2fb0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c +@@ -422,7 +422,7 @@ static irqreturn_t mlx5_eq_int(int irq, void *eq_ptr) + break; + + case MLX5_EVENT_TYPE_CMD: +- mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector)); ++ mlx5_cmd_comp_handler(dev, be32_to_cpu(eqe->data.cmd.vector), false); + break; + + case MLX5_EVENT_TYPE_PORT_CHANGE: +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/health.c b/drivers/net/ethernet/mellanox/mlx5/core/health.c +index d0515391d33b..44f59b1d6f0f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c +@@ -90,7 +90,7 @@ static void trigger_cmd_completions(struct mlx5_core_dev *dev) + spin_unlock_irqrestore(&dev->cmd.alloc_lock, flags); + + mlx5_core_dbg(dev, "vector 0x%llx\n", vector); +- mlx5_cmd_comp_handler(dev, vector); ++ mlx5_cmd_comp_handler(dev, vector, true); + return; + + no_trig: +diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c +index dec5d563ab19..959fd12d2e67 100644 +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -1293,7 +1293,7 @@ static int geneve_fill_info(struct sk_buff *skb, const struct net_device *dev) + if (nla_put_u32(skb, IFLA_GENEVE_ID, vni)) + goto nla_put_failure; + +- if (ip_tunnel_info_af(info) == AF_INET) { ++ if (rtnl_dereference(geneve->sock4)) { + if (nla_put_in_addr(skb, IFLA_GENEVE_REMOTE, + info->key.u.ipv4.dst)) + goto nla_put_failure; +@@ -1302,8 +1302,10 @@ static int geneve_fill_info(struct sk_buff *skb, const struct net_device *dev) + !!(info->key.tun_flags & TUNNEL_CSUM))) + goto nla_put_failure; + ++ } ++ + #if IS_ENABLED(CONFIG_IPV6) +- } else { ++ if (rtnl_dereference(geneve->sock6)) { + if (nla_put_in6_addr(skb, IFLA_GENEVE_REMOTE6, + &info->key.u.ipv6.dst)) + goto nla_put_failure; +@@ -1315,8 +1317,8 @@ static int geneve_fill_info(struct sk_buff *skb, const struct net_device *dev) + if (nla_put_u8(skb, IFLA_GENEVE_UDP_ZERO_CSUM6_RX, + !geneve->use_udp6_rx_checksums)) + goto nla_put_failure; +-#endif + } ++#endif + + if (nla_put_u8(skb, IFLA_GENEVE_TTL, info->key.ttl) || + nla_put_u8(skb, IFLA_GENEVE_TOS, info->key.tos) || +diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c +index 272b051a0199..9097e42bec2e 100644 +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -255,34 +255,6 @@ static int marvell_config_aneg(struct phy_device *phydev) + { + int err; + +- /* The Marvell PHY has an errata which requires +- * that certain registers get written in order +- * to restart autonegotiation */ +- err = phy_write(phydev, MII_BMCR, BMCR_RESET); +- +- if (err < 0) +- return err; +- +- err = phy_write(phydev, 0x1d, 0x1f); +- if (err < 0) +- return err; +- +- err = phy_write(phydev, 0x1e, 0x200c); +- if (err < 0) +- return err; +- +- err = phy_write(phydev, 0x1d, 0x5); +- if (err < 0) +- return err; +- +- err = phy_write(phydev, 0x1e, 0); +- if (err < 0) +- return err; +- +- err = phy_write(phydev, 0x1e, 0x100); +- if (err < 0) +- return err; +- + err = marvell_set_polarity(phydev, phydev->mdix_ctrl); + if (err < 0) + return err; +@@ -316,6 +288,42 @@ static int marvell_config_aneg(struct phy_device *phydev) + return 0; + } + ++static int m88e1101_config_aneg(struct phy_device *phydev) ++{ ++ int err; ++ ++ /* This Marvell PHY has an errata which requires ++ * that certain registers get written in order ++ * to restart autonegotiation ++ */ ++ err = phy_write(phydev, MII_BMCR, BMCR_RESET); ++ ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, 0x1d, 0x1f); ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, 0x1e, 0x200c); ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, 0x1d, 0x5); ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, 0x1e, 0); ++ if (err < 0) ++ return err; ++ ++ err = phy_write(phydev, 0x1e, 0x100); ++ if (err < 0) ++ return err; ++ ++ return marvell_config_aneg(phydev); ++} ++ + static int m88e1111_config_aneg(struct phy_device *phydev) + { + int err; +@@ -1892,7 +1900,7 @@ static struct phy_driver marvell_drivers[] = { + .flags = PHY_HAS_INTERRUPT, + .probe = marvell_probe, + .config_init = &marvell_config_init, +- .config_aneg = &marvell_config_aneg, ++ .config_aneg = &m88e1101_config_aneg, + .read_status = &genphy_read_status, + .ack_interrupt = &marvell_ack_interrupt, + .config_intr = &marvell_config_intr, +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 4e34568db64f..87746c2bc3d3 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -902,6 +902,8 @@ static const struct usb_device_id products[] = { + {QMI_FIXED_INTF(0x1199, 0x9071, 10)}, /* Sierra Wireless MC74xx */ + {QMI_FIXED_INTF(0x1199, 0x9079, 8)}, /* Sierra Wireless EM74xx */ + {QMI_FIXED_INTF(0x1199, 0x9079, 10)}, /* Sierra Wireless EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x907b, 8)}, /* Sierra Wireless EM74xx */ ++ {QMI_FIXED_INTF(0x1199, 0x907b, 10)}, /* Sierra Wireless EM74xx */ + {QMI_FIXED_INTF(0x1bbb, 0x011e, 4)}, /* Telekom Speedstick LTE II (Alcatel One Touch L100V LTE) */ + {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */ + {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */ +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index f36584616e7d..d9d8f4f43f90 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1894,6 +1894,7 @@ static const struct net_device_ops virtnet_netdev = { + .ndo_poll_controller = virtnet_netpoll, + #endif + .ndo_xdp = virtnet_xdp, ++ .ndo_features_check = passthru_features_check, + }; + + static void virtnet_config_changed_work(struct work_struct *work) +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index 7d909c8183e9..df74efcf237b 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -851,6 +851,7 @@ static u32 vrf_fib_table(const struct net_device *dev) + + static int vrf_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb) + { ++ kfree_skb(skb); + return 0; + } + +@@ -860,7 +861,7 @@ static struct sk_buff *vrf_rcv_nfhook(u8 pf, unsigned int hook, + { + struct net *net = dev_net(dev); + +- if (NF_HOOK(pf, hook, net, NULL, skb, dev, NULL, vrf_rcv_finish) < 0) ++ if (nf_hook(pf, hook, net, NULL, skb, dev, NULL, vrf_rcv_finish) != 1) + skb = NULL; /* kfree_skb(skb) handled by nf code */ + + return skb; +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index eeb409c287b8..b3d3c5c2c92f 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2006,7 +2006,6 @@ static void nvme_ns_remove(struct nvme_ns *ns) + if (ns->ndev) + nvme_nvm_unregister_sysfs(ns); + del_gendisk(ns->disk); +- blk_mq_abort_requeue_list(ns->queue); + blk_cleanup_queue(ns->queue); + } + +@@ -2344,8 +2343,16 @@ void nvme_kill_queues(struct nvme_ctrl *ctrl) + continue; + revalidate_disk(ns->disk); + blk_set_queue_dying(ns->queue); +- blk_mq_abort_requeue_list(ns->queue); +- blk_mq_start_stopped_hw_queues(ns->queue, true); ++ ++ /* ++ * Forcibly start all queues to avoid having stuck requests. ++ * Note that we must ensure the queues are not stopped ++ * when the final removal happens. ++ */ ++ blk_mq_start_hw_queues(ns->queue); ++ ++ /* draining requests in requeue list */ ++ blk_mq_kick_requeue_list(ns->queue); + } + mutex_unlock(&ctrl->namespaces_mutex); + } +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 16f84eb0b95e..0aba367ae465 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1029,6 +1029,19 @@ static void nvme_rdma_send_done(struct ib_cq *cq, struct ib_wc *wc) + nvme_rdma_wr_error(cq, wc, "SEND"); + } + ++static inline int nvme_rdma_queue_sig_limit(struct nvme_rdma_queue *queue) ++{ ++ int sig_limit; ++ ++ /* ++ * We signal completion every queue depth/2 and also handle the ++ * degenerated case of a device with queue_depth=1, where we ++ * would need to signal every message. ++ */ ++ sig_limit = max(queue->queue_size / 2, 1); ++ return (++queue->sig_count % sig_limit) == 0; ++} ++ + static int nvme_rdma_post_send(struct nvme_rdma_queue *queue, + struct nvme_rdma_qe *qe, struct ib_sge *sge, u32 num_sge, + struct ib_send_wr *first, bool flush) +@@ -1056,9 +1069,6 @@ static int nvme_rdma_post_send(struct nvme_rdma_queue *queue, + * Would have been way to obvious to handle this in hardware or + * at least the RDMA stack.. + * +- * This messy and racy code sniplet is copy and pasted from the iSER +- * initiator, and the magic '32' comes from there as well. +- * + * Always signal the flushes. The magic request used for the flush + * sequencer is not allocated in our driver's tagset and it's + * triggered to be freed by blk_cleanup_queue(). So we need to +@@ -1066,7 +1076,7 @@ static int nvme_rdma_post_send(struct nvme_rdma_queue *queue, + * embedded in request's payload, is not freed when __ib_process_cq() + * calls wr_cqe->done(). + */ +- if ((++queue->sig_count % 32) == 0 || flush) ++ if (nvme_rdma_queue_sig_limit(queue) || flush) + wr.send_flags |= IB_SEND_SIGNALED; + + if (first) +diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h +index d9561e39c3b2..a26b7e8c0d10 100644 +--- a/drivers/s390/net/qeth_core.h ++++ b/drivers/s390/net/qeth_core.h +@@ -714,6 +714,7 @@ enum qeth_discipline_id { + }; + + struct qeth_discipline { ++ const struct device_type *devtype; + void (*start_poll)(struct ccw_device *, int, unsigned long); + qdio_handler_t *input_handler; + qdio_handler_t *output_handler; +@@ -889,6 +890,9 @@ extern struct qeth_discipline qeth_l2_discipline; + extern struct qeth_discipline qeth_l3_discipline; + extern const struct attribute_group *qeth_generic_attr_groups[]; + extern const struct attribute_group *qeth_osn_attr_groups[]; ++extern const struct attribute_group qeth_device_attr_group; ++extern const struct attribute_group qeth_device_blkt_group; ++extern const struct device_type qeth_generic_devtype; + extern struct workqueue_struct *qeth_wq; + + int qeth_card_hw_is_reachable(struct qeth_card *); +diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c +index 9a5f99ccb122..3a8ff756a025 100644 +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -5460,10 +5460,12 @@ void qeth_core_free_discipline(struct qeth_card *card) + card->discipline = NULL; + } + +-static const struct device_type qeth_generic_devtype = { ++const struct device_type qeth_generic_devtype = { + .name = "qeth_generic", + .groups = qeth_generic_attr_groups, + }; ++EXPORT_SYMBOL_GPL(qeth_generic_devtype); ++ + static const struct device_type qeth_osn_devtype = { + .name = "qeth_osn", + .groups = qeth_osn_attr_groups, +@@ -5589,23 +5591,22 @@ static int qeth_core_probe_device(struct ccwgroup_device *gdev) + goto err_card; + } + +- if (card->info.type == QETH_CARD_TYPE_OSN) +- gdev->dev.type = &qeth_osn_devtype; +- else +- gdev->dev.type = &qeth_generic_devtype; +- + switch (card->info.type) { + case QETH_CARD_TYPE_OSN: + case QETH_CARD_TYPE_OSM: + rc = qeth_core_load_discipline(card, QETH_DISCIPLINE_LAYER2); + if (rc) + goto err_card; ++ ++ gdev->dev.type = (card->info.type != QETH_CARD_TYPE_OSN) ++ ? card->discipline->devtype ++ : &qeth_osn_devtype; + rc = card->discipline->setup(card->gdev); + if (rc) + goto err_disc; +- case QETH_CARD_TYPE_OSD: +- case QETH_CARD_TYPE_OSX: ++ break; + default: ++ gdev->dev.type = &qeth_generic_devtype; + break; + } + +@@ -5661,8 +5662,10 @@ static int qeth_core_set_online(struct ccwgroup_device *gdev) + if (rc) + goto err; + rc = card->discipline->setup(card->gdev); +- if (rc) ++ if (rc) { ++ qeth_core_free_discipline(card); + goto err; ++ } + } + rc = card->discipline->set_online(gdev); + err: +diff --git a/drivers/s390/net/qeth_core_sys.c b/drivers/s390/net/qeth_core_sys.c +index 75b29fd2fcf4..db6a285d41e0 100644 +--- a/drivers/s390/net/qeth_core_sys.c ++++ b/drivers/s390/net/qeth_core_sys.c +@@ -413,12 +413,16 @@ static ssize_t qeth_dev_layer2_store(struct device *dev, + + if (card->options.layer2 == newdis) + goto out; +- else { +- card->info.mac_bits = 0; +- if (card->discipline) { +- card->discipline->remove(card->gdev); +- qeth_core_free_discipline(card); +- } ++ if (card->info.type == QETH_CARD_TYPE_OSM) { ++ /* fixed layer, can't switch */ ++ rc = -EOPNOTSUPP; ++ goto out; ++ } ++ ++ card->info.mac_bits = 0; ++ if (card->discipline) { ++ card->discipline->remove(card->gdev); ++ qeth_core_free_discipline(card); + } + + rc = qeth_core_load_discipline(card, newdis); +@@ -426,6 +430,8 @@ static ssize_t qeth_dev_layer2_store(struct device *dev, + goto out; + + rc = card->discipline->setup(card->gdev); ++ if (rc) ++ qeth_core_free_discipline(card); + out: + mutex_unlock(&card->discipline_mutex); + return rc ? rc : count; +@@ -703,10 +709,11 @@ static struct attribute *qeth_blkt_device_attrs[] = { + &dev_attr_inter_jumbo.attr, + NULL, + }; +-static struct attribute_group qeth_device_blkt_group = { ++const struct attribute_group qeth_device_blkt_group = { + .name = "blkt", + .attrs = qeth_blkt_device_attrs, + }; ++EXPORT_SYMBOL_GPL(qeth_device_blkt_group); + + static struct attribute *qeth_device_attrs[] = { + &dev_attr_state.attr, +@@ -726,9 +733,10 @@ static struct attribute *qeth_device_attrs[] = { + &dev_attr_switch_attrs.attr, + NULL, + }; +-static struct attribute_group qeth_device_attr_group = { ++const struct attribute_group qeth_device_attr_group = { + .attrs = qeth_device_attrs, + }; ++EXPORT_SYMBOL_GPL(qeth_device_attr_group); + + const struct attribute_group *qeth_generic_attr_groups[] = { + &qeth_device_attr_group, +diff --git a/drivers/s390/net/qeth_l2.h b/drivers/s390/net/qeth_l2.h +index 29d9fb3890ad..0d59f9a45ea9 100644 +--- a/drivers/s390/net/qeth_l2.h ++++ b/drivers/s390/net/qeth_l2.h +@@ -8,6 +8,8 @@ + + #include "qeth_core.h" + ++extern const struct attribute_group *qeth_l2_attr_groups[]; ++ + int qeth_l2_create_device_attributes(struct device *); + void qeth_l2_remove_device_attributes(struct device *); + void qeth_l2_setup_bridgeport_attrs(struct qeth_card *card); +diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c +index af4e6a639fec..a2bb77d7e5bb 100644 +--- a/drivers/s390/net/qeth_l2_main.c ++++ b/drivers/s390/net/qeth_l2_main.c +@@ -1006,11 +1006,21 @@ static int qeth_l2_stop(struct net_device *dev) + return 0; + } + ++static const struct device_type qeth_l2_devtype = { ++ .name = "qeth_layer2", ++ .groups = qeth_l2_attr_groups, ++}; ++ + static int qeth_l2_probe_device(struct ccwgroup_device *gdev) + { + struct qeth_card *card = dev_get_drvdata(&gdev->dev); ++ int rc; + +- qeth_l2_create_device_attributes(&gdev->dev); ++ if (gdev->dev.type == &qeth_generic_devtype) { ++ rc = qeth_l2_create_device_attributes(&gdev->dev); ++ if (rc) ++ return rc; ++ } + INIT_LIST_HEAD(&card->vid_list); + hash_init(card->mac_htable); + card->options.layer2 = 1; +@@ -1022,7 +1032,8 @@ static void qeth_l2_remove_device(struct ccwgroup_device *cgdev) + { + struct qeth_card *card = dev_get_drvdata(&cgdev->dev); + +- qeth_l2_remove_device_attributes(&cgdev->dev); ++ if (cgdev->dev.type == &qeth_generic_devtype) ++ qeth_l2_remove_device_attributes(&cgdev->dev); + qeth_set_allowed_threads(card, 0, 1); + wait_event(card->wait_q, qeth_threads_running(card, 0xffffffff) == 0); + +@@ -1080,7 +1091,6 @@ static int qeth_l2_setup_netdev(struct qeth_card *card) + case QETH_CARD_TYPE_OSN: + card->dev = alloc_netdev(0, "osn%d", NET_NAME_UNKNOWN, + ether_setup); +- card->dev->flags |= IFF_NOARP; + break; + default: + card->dev = alloc_etherdev(0); +@@ -1095,9 +1105,12 @@ static int qeth_l2_setup_netdev(struct qeth_card *card) + card->dev->min_mtu = 64; + card->dev->max_mtu = ETH_MAX_MTU; + card->dev->netdev_ops = &qeth_l2_netdev_ops; +- card->dev->ethtool_ops = +- (card->info.type != QETH_CARD_TYPE_OSN) ? +- &qeth_l2_ethtool_ops : &qeth_l2_osn_ops; ++ if (card->info.type == QETH_CARD_TYPE_OSN) { ++ card->dev->ethtool_ops = &qeth_l2_osn_ops; ++ card->dev->flags |= IFF_NOARP; ++ } else { ++ card->dev->ethtool_ops = &qeth_l2_ethtool_ops; ++ } + card->dev->features |= NETIF_F_HW_VLAN_CTAG_FILTER; + if (card->info.type == QETH_CARD_TYPE_OSD && !card->info.guestlan) { + card->dev->hw_features = NETIF_F_SG; +@@ -1406,6 +1419,7 @@ static int qeth_l2_control_event(struct qeth_card *card, + } + + struct qeth_discipline qeth_l2_discipline = { ++ .devtype = &qeth_l2_devtype, + .start_poll = qeth_qdio_start_poll, + .input_handler = (qdio_handler_t *) qeth_qdio_input_handler, + .output_handler = (qdio_handler_t *) qeth_qdio_output_handler, +diff --git a/drivers/s390/net/qeth_l2_sys.c b/drivers/s390/net/qeth_l2_sys.c +index 692db49e3d2a..a48ed9e7e168 100644 +--- a/drivers/s390/net/qeth_l2_sys.c ++++ b/drivers/s390/net/qeth_l2_sys.c +@@ -272,3 +272,11 @@ void qeth_l2_setup_bridgeport_attrs(struct qeth_card *card) + } else + qeth_bridgeport_an_set(card, 0); + } ++ ++const struct attribute_group *qeth_l2_attr_groups[] = { ++ &qeth_device_attr_group, ++ &qeth_device_blkt_group, ++ /* l2 specific, see l2_{create,remove}_device_attributes(): */ ++ &qeth_l2_bridgeport_attr_group, ++ NULL, ++}; +diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c +index 653f0fb76573..d2fb50fd03dc 100644 +--- a/drivers/s390/net/qeth_l3_main.c ++++ b/drivers/s390/net/qeth_l3_main.c +@@ -3153,8 +3153,13 @@ static int qeth_l3_setup_netdev(struct qeth_card *card) + static int qeth_l3_probe_device(struct ccwgroup_device *gdev) + { + struct qeth_card *card = dev_get_drvdata(&gdev->dev); ++ int rc; + +- qeth_l3_create_device_attributes(&gdev->dev); ++ rc = qeth_l3_create_device_attributes(&gdev->dev); ++ if (rc) ++ return rc; ++ hash_init(card->ip_htable); ++ hash_init(card->ip_mc_htable); + card->options.layer2 = 0; + card->info.hwtrap = 0; + return 0; +@@ -3431,6 +3436,7 @@ static int qeth_l3_control_event(struct qeth_card *card, + } + + struct qeth_discipline qeth_l3_discipline = { ++ .devtype = &qeth_generic_devtype, + .start_poll = qeth_qdio_start_poll, + .input_handler = (qdio_handler_t *) qeth_qdio_input_handler, + .output_handler = (qdio_handler_t *) qeth_qdio_output_handler, +diff --git a/drivers/scsi/device_handler/scsi_dh_rdac.c b/drivers/scsi/device_handler/scsi_dh_rdac.c +index 3cbab8710e58..2ceff585f189 100644 +--- a/drivers/scsi/device_handler/scsi_dh_rdac.c ++++ b/drivers/scsi/device_handler/scsi_dh_rdac.c +@@ -265,18 +265,16 @@ static unsigned int rdac_failover_get(struct rdac_controller *ctlr, + struct list_head *list, + unsigned char *cdb) + { +- struct scsi_device *sdev = ctlr->ms_sdev; +- struct rdac_dh_data *h = sdev->handler_data; + struct rdac_mode_common *common; + unsigned data_size; + struct rdac_queue_data *qdata; + u8 *lun_table; + +- if (h->ctlr->use_ms10) { ++ if (ctlr->use_ms10) { + struct rdac_pg_expanded *rdac_pg; + + data_size = sizeof(struct rdac_pg_expanded); +- rdac_pg = &h->ctlr->mode_select.expanded; ++ rdac_pg = &ctlr->mode_select.expanded; + memset(rdac_pg, 0, data_size); + common = &rdac_pg->common; + rdac_pg->page_code = RDAC_PAGE_CODE_REDUNDANT_CONTROLLER + 0x40; +@@ -288,7 +286,7 @@ static unsigned int rdac_failover_get(struct rdac_controller *ctlr, + struct rdac_pg_legacy *rdac_pg; + + data_size = sizeof(struct rdac_pg_legacy); +- rdac_pg = &h->ctlr->mode_select.legacy; ++ rdac_pg = &ctlr->mode_select.legacy; + memset(rdac_pg, 0, data_size); + common = &rdac_pg->common; + rdac_pg->page_code = RDAC_PAGE_CODE_REDUNDANT_CONTROLLER; +@@ -304,7 +302,7 @@ static unsigned int rdac_failover_get(struct rdac_controller *ctlr, + } + + /* Prepare the command. */ +- if (h->ctlr->use_ms10) { ++ if (ctlr->use_ms10) { + cdb[0] = MODE_SELECT_10; + cdb[7] = data_size >> 8; + cdb[8] = data_size & 0xff; +diff --git a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c +index d390325c99ec..abf6026645dd 100644 +--- a/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c ++++ b/drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c +@@ -1170,6 +1170,8 @@ static struct ibmvscsis_cmd *ibmvscsis_get_free_cmd(struct scsi_info *vscsi) + cmd = list_first_entry_or_null(&vscsi->free_cmd, + struct ibmvscsis_cmd, list); + if (cmd) { ++ if (cmd->abort_cmd) ++ cmd->abort_cmd = NULL; + cmd->flags &= ~(DELAY_SEND); + list_del(&cmd->list); + cmd->iue = iue; +@@ -1774,6 +1776,7 @@ static void ibmvscsis_send_messages(struct scsi_info *vscsi) + if (cmd->abort_cmd) { + retry = true; + cmd->abort_cmd->flags &= ~(DELAY_SEND); ++ cmd->abort_cmd = NULL; + } + + /* +@@ -1788,6 +1791,25 @@ static void ibmvscsis_send_messages(struct scsi_info *vscsi) + list_del(&cmd->list); + ibmvscsis_free_cmd_resources(vscsi, + cmd); ++ /* ++ * With a successfully aborted op ++ * through LIO we want to increment the ++ * the vscsi credit so that when we dont ++ * send a rsp to the original scsi abort ++ * op (h_send_crq), but the tm rsp to ++ * the abort is sent, the credit is ++ * correctly sent with the abort tm rsp. ++ * We would need 1 for the abort tm rsp ++ * and 1 credit for the aborted scsi op. ++ * Thus we need to increment here. ++ * Also we want to increment the credit ++ * here because we want to make sure ++ * cmd is actually released first ++ * otherwise the client will think it ++ * it can send a new cmd, and we could ++ * find ourselves short of cmd elements. ++ */ ++ vscsi->credit += 1; + } else { + iue = cmd->iue; + +@@ -2962,10 +2984,7 @@ static long srp_build_response(struct scsi_info *vscsi, + + rsp->opcode = SRP_RSP; + +- if (vscsi->credit > 0 && vscsi->state == SRP_PROCESSING) +- rsp->req_lim_delta = cpu_to_be32(vscsi->credit); +- else +- rsp->req_lim_delta = cpu_to_be32(1 + vscsi->credit); ++ rsp->req_lim_delta = cpu_to_be32(1 + vscsi->credit); + rsp->tag = cmd->rsp.tag; + rsp->flags = 0; + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 15c9fe766071..464e7a989cc5 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1850,7 +1850,7 @@ static int scsi_mq_prep_fn(struct request *req) + + /* zero out the cmd, except for the embedded scsi_request */ + memset((char *)cmd + sizeof(cmd->req), 0, +- sizeof(*cmd) - sizeof(cmd->req)); ++ sizeof(*cmd) - sizeof(cmd->req) + shost->hostt->cmd_size); + + req->special = cmd; + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index 8beed3451346..fd45b48480cb 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -3810,6 +3810,8 @@ int iscsi_target_tx_thread(void *arg) + { + int ret = 0; + struct iscsi_conn *conn = arg; ++ bool conn_freed = false; ++ + /* + * Allow ourselves to be interrupted by SIGINT so that a + * connection recovery / failure event can be triggered externally. +@@ -3835,12 +3837,14 @@ int iscsi_target_tx_thread(void *arg) + goto transport_err; + + ret = iscsit_handle_response_queue(conn); +- if (ret == 1) ++ if (ret == 1) { + goto get_immediate; +- else if (ret == -ECONNRESET) ++ } else if (ret == -ECONNRESET) { ++ conn_freed = true; + goto out; +- else if (ret < 0) ++ } else if (ret < 0) { + goto transport_err; ++ } + } + + transport_err: +@@ -3850,8 +3854,13 @@ int iscsi_target_tx_thread(void *arg) + * responsible for cleaning up the early connection failure. + */ + if (conn->conn_state != TARG_CONN_STATE_IN_LOGIN) +- iscsit_take_action_for_connection_exit(conn); ++ iscsit_take_action_for_connection_exit(conn, &conn_freed); + out: ++ if (!conn_freed) { ++ while (!kthread_should_stop()) { ++ msleep(100); ++ } ++ } + return 0; + } + +@@ -4024,6 +4033,7 @@ int iscsi_target_rx_thread(void *arg) + { + int rc; + struct iscsi_conn *conn = arg; ++ bool conn_freed = false; + + /* + * Allow ourselves to be interrupted by SIGINT so that a +@@ -4036,7 +4046,7 @@ int iscsi_target_rx_thread(void *arg) + */ + rc = wait_for_completion_interruptible(&conn->rx_login_comp); + if (rc < 0 || iscsi_target_check_conn_state(conn)) +- return 0; ++ goto out; + + if (!conn->conn_transport->iscsit_get_rx_pdu) + return 0; +@@ -4045,7 +4055,15 @@ int iscsi_target_rx_thread(void *arg) + + if (!signal_pending(current)) + atomic_set(&conn->transport_failed, 1); +- iscsit_take_action_for_connection_exit(conn); ++ iscsit_take_action_for_connection_exit(conn, &conn_freed); ++ ++out: ++ if (!conn_freed) { ++ while (!kthread_should_stop()) { ++ msleep(100); ++ } ++ } ++ + return 0; + } + +diff --git a/drivers/target/iscsi/iscsi_target_erl0.c b/drivers/target/iscsi/iscsi_target_erl0.c +index 9a96e17bf7cd..7fe2aa73cff6 100644 +--- a/drivers/target/iscsi/iscsi_target_erl0.c ++++ b/drivers/target/iscsi/iscsi_target_erl0.c +@@ -930,8 +930,10 @@ static void iscsit_handle_connection_cleanup(struct iscsi_conn *conn) + } + } + +-void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn) ++void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn, bool *conn_freed) + { ++ *conn_freed = false; ++ + spin_lock_bh(&conn->state_lock); + if (atomic_read(&conn->connection_exit)) { + spin_unlock_bh(&conn->state_lock); +@@ -942,6 +944,7 @@ void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn) + if (conn->conn_state == TARG_CONN_STATE_IN_LOGOUT) { + spin_unlock_bh(&conn->state_lock); + iscsit_close_connection(conn); ++ *conn_freed = true; + return; + } + +@@ -955,4 +958,5 @@ void iscsit_take_action_for_connection_exit(struct iscsi_conn *conn) + spin_unlock_bh(&conn->state_lock); + + iscsit_handle_connection_cleanup(conn); ++ *conn_freed = true; + } +diff --git a/drivers/target/iscsi/iscsi_target_erl0.h b/drivers/target/iscsi/iscsi_target_erl0.h +index 60e69e2af6ed..3822d9cd1230 100644 +--- a/drivers/target/iscsi/iscsi_target_erl0.h ++++ b/drivers/target/iscsi/iscsi_target_erl0.h +@@ -15,6 +15,6 @@ extern int iscsit_stop_time2retain_timer(struct iscsi_session *); + extern void iscsit_connection_reinstatement_rcfr(struct iscsi_conn *); + extern void iscsit_cause_connection_reinstatement(struct iscsi_conn *, int); + extern void iscsit_fall_back_to_erl0(struct iscsi_session *); +-extern void iscsit_take_action_for_connection_exit(struct iscsi_conn *); ++extern void iscsit_take_action_for_connection_exit(struct iscsi_conn *, bool *); + + #endif /*** ISCSI_TARGET_ERL0_H ***/ +diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c +index 66238477137b..92b96b51d506 100644 +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -1464,5 +1464,9 @@ int iscsi_target_login_thread(void *arg) + break; + } + ++ while (!kthread_should_stop()) { ++ msleep(100); ++ } ++ + return 0; + } +diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c +index 7ccc9c1cbfd1..6f88b31242b0 100644 +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -493,14 +493,60 @@ static void iscsi_target_restore_sock_callbacks(struct iscsi_conn *conn) + + static int iscsi_target_do_login(struct iscsi_conn *, struct iscsi_login *); + +-static bool iscsi_target_sk_state_check(struct sock *sk) ++static bool __iscsi_target_sk_check_close(struct sock *sk) + { + if (sk->sk_state == TCP_CLOSE_WAIT || sk->sk_state == TCP_CLOSE) { +- pr_debug("iscsi_target_sk_state_check: TCP_CLOSE_WAIT|TCP_CLOSE," ++ pr_debug("__iscsi_target_sk_check_close: TCP_CLOSE_WAIT|TCP_CLOSE," + "returning FALSE\n"); +- return false; ++ return true; + } +- return true; ++ return false; ++} ++ ++static bool iscsi_target_sk_check_close(struct iscsi_conn *conn) ++{ ++ bool state = false; ++ ++ if (conn->sock) { ++ struct sock *sk = conn->sock->sk; ++ ++ read_lock_bh(&sk->sk_callback_lock); ++ state = (__iscsi_target_sk_check_close(sk) || ++ test_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags)); ++ read_unlock_bh(&sk->sk_callback_lock); ++ } ++ return state; ++} ++ ++static bool iscsi_target_sk_check_flag(struct iscsi_conn *conn, unsigned int flag) ++{ ++ bool state = false; ++ ++ if (conn->sock) { ++ struct sock *sk = conn->sock->sk; ++ ++ read_lock_bh(&sk->sk_callback_lock); ++ state = test_bit(flag, &conn->login_flags); ++ read_unlock_bh(&sk->sk_callback_lock); ++ } ++ return state; ++} ++ ++static bool iscsi_target_sk_check_and_clear(struct iscsi_conn *conn, unsigned int flag) ++{ ++ bool state = false; ++ ++ if (conn->sock) { ++ struct sock *sk = conn->sock->sk; ++ ++ write_lock_bh(&sk->sk_callback_lock); ++ state = (__iscsi_target_sk_check_close(sk) || ++ test_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags)); ++ if (!state) ++ clear_bit(flag, &conn->login_flags); ++ write_unlock_bh(&sk->sk_callback_lock); ++ } ++ return state; + } + + static void iscsi_target_login_drop(struct iscsi_conn *conn, struct iscsi_login *login) +@@ -540,6 +586,20 @@ static void iscsi_target_do_login_rx(struct work_struct *work) + + pr_debug("entering iscsi_target_do_login_rx, conn: %p, %s:%d\n", + conn, current->comm, current->pid); ++ /* ++ * If iscsi_target_do_login_rx() has been invoked by ->sk_data_ready() ++ * before initial PDU processing in iscsi_target_start_negotiation() ++ * has completed, go ahead and retry until it's cleared. ++ * ++ * Otherwise if the TCP connection drops while this is occuring, ++ * iscsi_target_start_negotiation() will detect the failure, call ++ * cancel_delayed_work_sync(&conn->login_work), and cleanup the ++ * remaining iscsi connection resources from iscsi_np process context. ++ */ ++ if (iscsi_target_sk_check_flag(conn, LOGIN_FLAGS_INITIAL_PDU)) { ++ schedule_delayed_work(&conn->login_work, msecs_to_jiffies(10)); ++ return; ++ } + + spin_lock(&tpg->tpg_state_lock); + state = (tpg->tpg_state == TPG_STATE_ACTIVE); +@@ -547,26 +607,12 @@ static void iscsi_target_do_login_rx(struct work_struct *work) + + if (!state) { + pr_debug("iscsi_target_do_login_rx: tpg_state != TPG_STATE_ACTIVE\n"); +- iscsi_target_restore_sock_callbacks(conn); +- iscsi_target_login_drop(conn, login); +- iscsit_deaccess_np(np, tpg, tpg_np); +- return; ++ goto err; + } + +- if (conn->sock) { +- struct sock *sk = conn->sock->sk; +- +- read_lock_bh(&sk->sk_callback_lock); +- state = iscsi_target_sk_state_check(sk); +- read_unlock_bh(&sk->sk_callback_lock); +- +- if (!state) { +- pr_debug("iscsi_target_do_login_rx, TCP state CLOSE\n"); +- iscsi_target_restore_sock_callbacks(conn); +- iscsi_target_login_drop(conn, login); +- iscsit_deaccess_np(np, tpg, tpg_np); +- return; +- } ++ if (iscsi_target_sk_check_close(conn)) { ++ pr_debug("iscsi_target_do_login_rx, TCP state CLOSE\n"); ++ goto err; + } + + conn->login_kworker = current; +@@ -584,34 +630,29 @@ static void iscsi_target_do_login_rx(struct work_struct *work) + flush_signals(current); + conn->login_kworker = NULL; + +- if (rc < 0) { +- iscsi_target_restore_sock_callbacks(conn); +- iscsi_target_login_drop(conn, login); +- iscsit_deaccess_np(np, tpg, tpg_np); +- return; +- } ++ if (rc < 0) ++ goto err; + + pr_debug("iscsi_target_do_login_rx after rx_login_io, %p, %s:%d\n", + conn, current->comm, current->pid); + + rc = iscsi_target_do_login(conn, login); + if (rc < 0) { +- iscsi_target_restore_sock_callbacks(conn); +- iscsi_target_login_drop(conn, login); +- iscsit_deaccess_np(np, tpg, tpg_np); ++ goto err; + } else if (!rc) { +- if (conn->sock) { +- struct sock *sk = conn->sock->sk; +- +- write_lock_bh(&sk->sk_callback_lock); +- clear_bit(LOGIN_FLAGS_READ_ACTIVE, &conn->login_flags); +- write_unlock_bh(&sk->sk_callback_lock); +- } ++ if (iscsi_target_sk_check_and_clear(conn, LOGIN_FLAGS_READ_ACTIVE)) ++ goto err; + } else if (rc == 1) { + iscsi_target_nego_release(conn); + iscsi_post_login_handler(np, conn, zero_tsih); + iscsit_deaccess_np(np, tpg, tpg_np); + } ++ return; ++ ++err: ++ iscsi_target_restore_sock_callbacks(conn); ++ iscsi_target_login_drop(conn, login); ++ iscsit_deaccess_np(np, tpg, tpg_np); + } + + static void iscsi_target_do_cleanup(struct work_struct *work) +@@ -659,31 +700,54 @@ static void iscsi_target_sk_state_change(struct sock *sk) + orig_state_change(sk); + return; + } ++ state = __iscsi_target_sk_check_close(sk); ++ pr_debug("__iscsi_target_sk_close_change: state: %d\n", state); ++ + if (test_bit(LOGIN_FLAGS_READ_ACTIVE, &conn->login_flags)) { + pr_debug("Got LOGIN_FLAGS_READ_ACTIVE=1 sk_state_change" + " conn: %p\n", conn); ++ if (state) ++ set_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags); + write_unlock_bh(&sk->sk_callback_lock); + orig_state_change(sk); + return; + } +- if (test_and_set_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags)) { ++ if (test_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags)) { + pr_debug("Got LOGIN_FLAGS_CLOSED=1 sk_state_change conn: %p\n", + conn); + write_unlock_bh(&sk->sk_callback_lock); + orig_state_change(sk); + return; + } ++ /* ++ * If the TCP connection has dropped, go ahead and set LOGIN_FLAGS_CLOSED, ++ * but only queue conn->login_work -> iscsi_target_do_login_rx() ++ * processing if LOGIN_FLAGS_INITIAL_PDU has already been cleared. ++ * ++ * When iscsi_target_do_login_rx() runs, iscsi_target_sk_check_close() ++ * will detect the dropped TCP connection from delayed workqueue context. ++ * ++ * If LOGIN_FLAGS_INITIAL_PDU is still set, which means the initial ++ * iscsi_target_start_negotiation() is running, iscsi_target_do_login() ++ * via iscsi_target_sk_check_close() or iscsi_target_start_negotiation() ++ * via iscsi_target_sk_check_and_clear() is responsible for detecting the ++ * dropped TCP connection in iscsi_np process context, and cleaning up ++ * the remaining iscsi connection resources. ++ */ ++ if (state) { ++ pr_debug("iscsi_target_sk_state_change got failed state\n"); ++ set_bit(LOGIN_FLAGS_CLOSED, &conn->login_flags); ++ state = test_bit(LOGIN_FLAGS_INITIAL_PDU, &conn->login_flags); ++ write_unlock_bh(&sk->sk_callback_lock); + +- state = iscsi_target_sk_state_check(sk); +- write_unlock_bh(&sk->sk_callback_lock); +- +- pr_debug("iscsi_target_sk_state_change: state: %d\n", state); ++ orig_state_change(sk); + +- if (!state) { +- pr_debug("iscsi_target_sk_state_change got failed state\n"); +- schedule_delayed_work(&conn->login_cleanup_work, 0); ++ if (!state) ++ schedule_delayed_work(&conn->login_work, 0); + return; + } ++ write_unlock_bh(&sk->sk_callback_lock); ++ + orig_state_change(sk); + } + +@@ -946,6 +1010,15 @@ static int iscsi_target_do_login(struct iscsi_conn *conn, struct iscsi_login *lo + if (iscsi_target_handle_csg_one(conn, login) < 0) + return -1; + if (login_rsp->flags & ISCSI_FLAG_LOGIN_TRANSIT) { ++ /* ++ * Check to make sure the TCP connection has not ++ * dropped asynchronously while session reinstatement ++ * was occuring in this kthread context, before ++ * transitioning to full feature phase operation. ++ */ ++ if (iscsi_target_sk_check_close(conn)) ++ return -1; ++ + login->tsih = conn->sess->tsih; + login->login_complete = 1; + iscsi_target_restore_sock_callbacks(conn); +@@ -972,21 +1045,6 @@ static int iscsi_target_do_login(struct iscsi_conn *conn, struct iscsi_login *lo + break; + } + +- if (conn->sock) { +- struct sock *sk = conn->sock->sk; +- bool state; +- +- read_lock_bh(&sk->sk_callback_lock); +- state = iscsi_target_sk_state_check(sk); +- read_unlock_bh(&sk->sk_callback_lock); +- +- if (!state) { +- pr_debug("iscsi_target_do_login() failed state for" +- " conn: %p\n", conn); +- return -1; +- } +- } +- + return 0; + } + +@@ -1255,10 +1313,22 @@ int iscsi_target_start_negotiation( + + write_lock_bh(&sk->sk_callback_lock); + set_bit(LOGIN_FLAGS_READY, &conn->login_flags); ++ set_bit(LOGIN_FLAGS_INITIAL_PDU, &conn->login_flags); + write_unlock_bh(&sk->sk_callback_lock); + } +- ++ /* ++ * If iscsi_target_do_login returns zero to signal more PDU ++ * exchanges are required to complete the login, go ahead and ++ * clear LOGIN_FLAGS_INITIAL_PDU but only if the TCP connection ++ * is still active. ++ * ++ * Otherwise if TCP connection dropped asynchronously, go ahead ++ * and perform connection cleanup now. ++ */ + ret = iscsi_target_do_login(conn, login); ++ if (!ret && iscsi_target_sk_check_and_clear(conn, LOGIN_FLAGS_INITIAL_PDU)) ++ ret = -1; ++ + if (ret < 0) { + cancel_delayed_work_sync(&conn->login_work); + cancel_delayed_work_sync(&conn->login_cleanup_work); +diff --git a/drivers/tty/serdev/serdev-ttyport.c b/drivers/tty/serdev/serdev-ttyport.c +index d05393594f15..06e17faa6dfb 100644 +--- a/drivers/tty/serdev/serdev-ttyport.c ++++ b/drivers/tty/serdev/serdev-ttyport.c +@@ -101,9 +101,6 @@ static int ttyport_open(struct serdev_controller *ctrl) + return PTR_ERR(tty); + serport->tty = tty; + +- serport->port->client_ops = &client_ops; +- serport->port->client_data = ctrl; +- + if (tty->ops->open) + tty->ops->open(serport->tty, NULL); + else +@@ -181,6 +178,7 @@ struct device *serdev_tty_port_register(struct tty_port *port, + struct device *parent, + struct tty_driver *drv, int idx) + { ++ const struct tty_port_client_operations *old_ops; + struct serdev_controller *ctrl; + struct serport *serport; + int ret; +@@ -199,15 +197,22 @@ struct device *serdev_tty_port_register(struct tty_port *port, + + ctrl->ops = &ctrl_ops; + ++ old_ops = port->client_ops; ++ port->client_ops = &client_ops; ++ port->client_data = ctrl; ++ + ret = serdev_controller_add(ctrl); + if (ret) +- goto err_controller_put; ++ goto err_reset_data; + + dev_info(&ctrl->dev, "tty port %s%d registered\n", drv->name, idx); + return &ctrl->dev; + +-err_controller_put: ++err_reset_data: ++ port->client_data = NULL; ++ port->client_ops = old_ops; + serdev_controller_put(ctrl); ++ + return ERR_PTR(ret); + } + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 6119516ef5fc..4c26d15ad7d9 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1337,7 +1337,7 @@ static void autoconfig(struct uart_8250_port *up) + /* + * Check if the device is a Fintek F81216A + */ +- if (port->type == PORT_16550A) ++ if (port->type == PORT_16550A && port->iotype == UPIO_PORT) + fintek_8250_probe(up); + + if (up->capabilities != old_capabilities) { +diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c +index 1d21a9c1d33e..0c880f17d27e 100644 +--- a/drivers/tty/tty_port.c ++++ b/drivers/tty/tty_port.c +@@ -16,7 +16,6 @@ + #include <linux/bitops.h> + #include <linux/delay.h> + #include <linux/module.h> +-#include <linux/serdev.h> + + static int tty_port_default_receive_buf(struct tty_port *port, + const unsigned char *p, +@@ -129,15 +128,7 @@ struct device *tty_port_register_device_attr(struct tty_port *port, + struct device *device, void *drvdata, + const struct attribute_group **attr_grp) + { +- struct device *dev; +- + tty_port_link_device(port, driver, index); +- +- dev = serdev_tty_port_register(port, device, driver, index); +- if (PTR_ERR(dev) != -ENODEV) +- /* Skip creating cdev if we registered a serdev device */ +- return dev; +- + return tty_register_device_attr(driver, index, device, drvdata, + attr_grp); + } +@@ -189,9 +180,6 @@ static void tty_port_destructor(struct kref *kref) + /* check if last port ref was dropped before tty release */ + if (WARN_ON(port->itty)) + return; +- +- serdev_tty_port_unregister(port); +- + if (port->xmit_buf) + free_page((unsigned long)port->xmit_buf); + tty_port_destroy(port); +diff --git a/fs/dax.c b/fs/dax.c +index db0cc52eb22e..285f4ab6f498 100644 +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -1129,6 +1129,17 @@ static int dax_iomap_pte_fault(struct vm_fault *vmf, + return dax_fault_return(PTR_ERR(entry)); + + /* ++ * It is possible, particularly with mixed reads & writes to private ++ * mappings, that we have raced with a PMD fault that overlaps with ++ * the PTE we need to set up. If so just return and the fault will be ++ * retried. ++ */ ++ if (pmd_trans_huge(*vmf->pmd) || pmd_devmap(*vmf->pmd)) { ++ vmf_ret = VM_FAULT_NOPAGE; ++ goto unlock_entry; ++ } ++ ++ /* + * Note that we don't bother to use iomap_apply here: DAX required + * the file system block size to be equal the page size, which means + * that we never have to deal with more than a single extent here. +@@ -1363,6 +1374,18 @@ static int dax_iomap_pmd_fault(struct vm_fault *vmf, + goto fallback; + + /* ++ * It is possible, particularly with mixed reads & writes to private ++ * mappings, that we have raced with a PTE fault that overlaps with ++ * the PMD we need to set up. If so just return and the fault will be ++ * retried. ++ */ ++ if (!pmd_none(*vmf->pmd) && !pmd_trans_huge(*vmf->pmd) && ++ !pmd_devmap(*vmf->pmd)) { ++ result = 0; ++ goto unlock_entry; ++ } ++ ++ /* + * Note that we don't use iomap_apply here. We aren't doing I/O, only + * setting up a mapping, so really we're using iomap_begin() as a way + * to look up our filesystem block. +diff --git a/fs/ufs/super.c b/fs/ufs/super.c +index 131b2b77c818..29ecaf739449 100644 +--- a/fs/ufs/super.c ++++ b/fs/ufs/super.c +@@ -812,9 +812,8 @@ static int ufs_fill_super(struct super_block *sb, void *data, int silent) + uspi->s_dirblksize = UFS_SECTOR_SIZE; + super_block_offset=UFS_SBLOCK; + +- /* Keep 2Gig file limit. Some UFS variants need to override +- this but as I don't know which I'll let those in the know loosen +- the rules */ ++ sb->s_maxbytes = MAX_LFS_FILESIZE; ++ + switch (sbi->s_mount_opt & UFS_MOUNT_UFSTYPE) { + case UFS_MOUNT_UFSTYPE_44BSD: + UFSD("ufstype=44bsd\n"); +diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c +index 9bd104f32908..6c68f3b888b0 100644 +--- a/fs/xfs/libxfs/xfs_bmap.c ++++ b/fs/xfs/libxfs/xfs_bmap.c +@@ -2106,8 +2106,10 @@ xfs_bmap_add_extent_delay_real( + } + temp = xfs_bmap_worst_indlen(bma->ip, temp); + temp2 = xfs_bmap_worst_indlen(bma->ip, temp2); +- diff = (int)(temp + temp2 - startblockval(PREV.br_startblock) - +- (bma->cur ? bma->cur->bc_private.b.allocated : 0)); ++ diff = (int)(temp + temp2 - ++ (startblockval(PREV.br_startblock) - ++ (bma->cur ? ++ bma->cur->bc_private.b.allocated : 0))); + if (diff > 0) { + error = xfs_mod_fdblocks(bma->ip->i_mount, + -((int64_t)diff), false); +@@ -2164,7 +2166,6 @@ xfs_bmap_add_extent_delay_real( + temp = da_new; + if (bma->cur) + temp += bma->cur->bc_private.b.allocated; +- ASSERT(temp <= da_old); + if (temp < da_old) + xfs_mod_fdblocks(bma->ip->i_mount, + (int64_t)(da_old - temp), false); +@@ -3863,7 +3864,7 @@ xfs_bmap_remap_alloc( + { + struct xfs_trans *tp = ap->tp; + struct xfs_mount *mp = tp->t_mountp; +- xfs_agblock_t bno; ++ xfs_fsblock_t bno; + struct xfs_alloc_arg args; + int error; + +diff --git a/fs/xfs/libxfs/xfs_btree.c b/fs/xfs/libxfs/xfs_btree.c +index c3decedc9455..3d0f96d159ff 100644 +--- a/fs/xfs/libxfs/xfs_btree.c ++++ b/fs/xfs/libxfs/xfs_btree.c +@@ -4395,7 +4395,7 @@ xfs_btree_visit_blocks( + xfs_btree_readahead_ptr(cur, ptr, 1); + + /* save for the next iteration of the loop */ +- lptr = *ptr; ++ xfs_btree_copy_ptrs(cur, &lptr, ptr, 1); + } + + /* for each buffer in the level */ +diff --git a/fs/xfs/libxfs/xfs_refcount.c b/fs/xfs/libxfs/xfs_refcount.c +index b177ef33cd4c..82a38d86ebad 100644 +--- a/fs/xfs/libxfs/xfs_refcount.c ++++ b/fs/xfs/libxfs/xfs_refcount.c +@@ -1629,13 +1629,28 @@ xfs_refcount_recover_cow_leftovers( + if (mp->m_sb.sb_agblocks >= XFS_REFC_COW_START) + return -EOPNOTSUPP; + +- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); ++ INIT_LIST_HEAD(&debris); ++ ++ /* ++ * In this first part, we use an empty transaction to gather up ++ * all the leftover CoW extents so that we can subsequently ++ * delete them. The empty transaction is used to avoid ++ * a buffer lock deadlock if there happens to be a loop in the ++ * refcountbt because we're allowed to re-grab a buffer that is ++ * already attached to our transaction. When we're done ++ * recording the CoW debris we cancel the (empty) transaction ++ * and everything goes away cleanly. ++ */ ++ error = xfs_trans_alloc_empty(mp, &tp); + if (error) + return error; +- cur = xfs_refcountbt_init_cursor(mp, NULL, agbp, agno, NULL); ++ ++ error = xfs_alloc_read_agf(mp, tp, agno, 0, &agbp); ++ if (error) ++ goto out_trans; ++ cur = xfs_refcountbt_init_cursor(mp, tp, agbp, agno, NULL); + + /* Find all the leftover CoW staging extents. */ +- INIT_LIST_HEAD(&debris); + memset(&low, 0, sizeof(low)); + memset(&high, 0, sizeof(high)); + low.rc.rc_startblock = XFS_REFC_COW_START; +@@ -1645,10 +1660,11 @@ xfs_refcount_recover_cow_leftovers( + if (error) + goto out_cursor; + xfs_btree_del_cursor(cur, XFS_BTREE_NOERROR); +- xfs_buf_relse(agbp); ++ xfs_trans_brelse(tp, agbp); ++ xfs_trans_cancel(tp); + + /* Now iterate the list to free the leftovers */ +- list_for_each_entry(rr, &debris, rr_list) { ++ list_for_each_entry_safe(rr, n, &debris, rr_list) { + /* Set up transaction. */ + error = xfs_trans_alloc(mp, &M_RES(mp)->tr_write, 0, 0, 0, &tp); + if (error) +@@ -1676,8 +1692,16 @@ xfs_refcount_recover_cow_leftovers( + error = xfs_trans_commit(tp); + if (error) + goto out_free; ++ ++ list_del(&rr->rr_list); ++ kmem_free(rr); + } + ++ return error; ++out_defer: ++ xfs_defer_cancel(&dfops); ++out_trans: ++ xfs_trans_cancel(tp); + out_free: + /* Free the leftover list */ + list_for_each_entry_safe(rr, n, &debris, rr_list) { +@@ -1688,11 +1712,6 @@ xfs_refcount_recover_cow_leftovers( + + out_cursor: + xfs_btree_del_cursor(cur, XFS_BTREE_ERROR); +- xfs_buf_relse(agbp); +- goto out_free; +- +-out_defer: +- xfs_defer_cancel(&dfops); +- xfs_trans_cancel(tp); +- goto out_free; ++ xfs_trans_brelse(tp, agbp); ++ goto out_trans; + } +diff --git a/fs/xfs/libxfs/xfs_trans_space.h b/fs/xfs/libxfs/xfs_trans_space.h +index 7917f6e44286..d787c677d2a3 100644 +--- a/fs/xfs/libxfs/xfs_trans_space.h ++++ b/fs/xfs/libxfs/xfs_trans_space.h +@@ -21,8 +21,20 @@ + /* + * Components of space reservations. + */ ++ ++/* Worst case number of rmaps that can be held in a block. */ + #define XFS_MAX_CONTIG_RMAPS_PER_BLOCK(mp) \ + (((mp)->m_rmap_mxr[0]) - ((mp)->m_rmap_mnr[0])) ++ ++/* Adding one rmap could split every level up to the top of the tree. */ ++#define XFS_RMAPADD_SPACE_RES(mp) ((mp)->m_rmap_maxlevels) ++ ++/* Blocks we might need to add "b" rmaps to a tree. */ ++#define XFS_NRMAPADD_SPACE_RES(mp, b)\ ++ (((b + XFS_MAX_CONTIG_RMAPS_PER_BLOCK(mp) - 1) / \ ++ XFS_MAX_CONTIG_RMAPS_PER_BLOCK(mp)) * \ ++ XFS_RMAPADD_SPACE_RES(mp)) ++ + #define XFS_MAX_CONTIG_EXTENTS_PER_BLOCK(mp) \ + (((mp)->m_alloc_mxr[0]) - ((mp)->m_alloc_mnr[0])) + #define XFS_EXTENTADD_SPACE_RES(mp,w) (XFS_BM_MAXLEVELS(mp,w) - 1) +@@ -30,13 +42,12 @@ + (((b + XFS_MAX_CONTIG_EXTENTS_PER_BLOCK(mp) - 1) / \ + XFS_MAX_CONTIG_EXTENTS_PER_BLOCK(mp)) * \ + XFS_EXTENTADD_SPACE_RES(mp,w)) ++ ++/* Blocks we might need to add "b" mappings & rmappings to a file. */ + #define XFS_SWAP_RMAP_SPACE_RES(mp,b,w)\ +- (((b + XFS_MAX_CONTIG_EXTENTS_PER_BLOCK(mp) - 1) / \ +- XFS_MAX_CONTIG_EXTENTS_PER_BLOCK(mp)) * \ +- XFS_EXTENTADD_SPACE_RES(mp,w) + \ +- ((b + XFS_MAX_CONTIG_RMAPS_PER_BLOCK(mp) - 1) / \ +- XFS_MAX_CONTIG_RMAPS_PER_BLOCK(mp)) * \ +- (mp)->m_rmap_maxlevels) ++ (XFS_NEXTENTADD_SPACE_RES((mp), (b), (w)) + \ ++ XFS_NRMAPADD_SPACE_RES((mp), (b))) ++ + #define XFS_DAENTER_1B(mp,w) \ + ((w) == XFS_DATA_FORK ? (mp)->m_dir_geo->fsbcount : 1) + #define XFS_DAENTER_DBS(mp,w) \ +diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c +index 61494295d92f..a7645be51d87 100644 +--- a/fs/xfs/xfs_aops.c ++++ b/fs/xfs/xfs_aops.c +@@ -111,11 +111,11 @@ xfs_finish_page_writeback( + + bsize = bh->b_size; + do { ++ if (off > end) ++ break; + next = bh->b_this_page; + if (off < bvec->bv_offset) + goto next_bh; +- if (off > end) +- break; + bh->b_end_io(bh, !error); + next_bh: + off += bsize; +diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c +index 9bf57c76623b..c4b90e794e41 100644 +--- a/fs/xfs/xfs_bmap_item.c ++++ b/fs/xfs/xfs_bmap_item.c +@@ -34,6 +34,8 @@ + #include "xfs_bmap.h" + #include "xfs_icache.h" + #include "xfs_trace.h" ++#include "xfs_bmap_btree.h" ++#include "xfs_trans_space.h" + + + kmem_zone_t *xfs_bui_zone; +@@ -446,7 +448,8 @@ xfs_bui_recover( + return -EIO; + } + +- error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, 0, 0, 0, &tp); ++ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, ++ XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp); + if (error) + return error; + budp = xfs_trans_get_bud(tp, buip); +diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c +index 828532ce0adc..70fbecbb2845 100644 +--- a/fs/xfs/xfs_bmap_util.c ++++ b/fs/xfs/xfs_bmap_util.c +@@ -583,9 +583,13 @@ xfs_getbmap( + } + break; + default: ++ /* Local format data forks report no extents. */ ++ if (ip->i_d.di_format == XFS_DINODE_FMT_LOCAL) { ++ bmv->bmv_entries = 0; ++ return 0; ++ } + if (ip->i_d.di_format != XFS_DINODE_FMT_EXTENTS && +- ip->i_d.di_format != XFS_DINODE_FMT_BTREE && +- ip->i_d.di_format != XFS_DINODE_FMT_LOCAL) ++ ip->i_d.di_format != XFS_DINODE_FMT_BTREE) + return -EINVAL; + + if (xfs_get_extsz_hint(ip) || +@@ -713,7 +717,7 @@ xfs_getbmap( + * extents. + */ + if (map[i].br_startblock == DELAYSTARTBLOCK && +- map[i].br_startoff <= XFS_B_TO_FSB(mp, XFS_ISIZE(ip))) ++ map[i].br_startoff < XFS_B_TO_FSB(mp, XFS_ISIZE(ip))) + ASSERT((iflags & BMV_IF_DELALLOC) != 0); + + if (map[i].br_startblock == HOLESTARTBLOCK && +@@ -904,9 +908,9 @@ xfs_can_free_eofblocks(struct xfs_inode *ip, bool force) + } + + /* +- * This is called by xfs_inactive to free any blocks beyond eof +- * when the link count isn't zero and by xfs_dm_punch_hole() when +- * punching a hole to EOF. ++ * This is called to free any blocks beyond eof. The caller must hold ++ * IOLOCK_EXCL unless we are in the inode reclaim path and have the only ++ * reference to the inode. + */ + int + xfs_free_eofblocks( +@@ -921,8 +925,6 @@ xfs_free_eofblocks( + struct xfs_bmbt_irec imap; + struct xfs_mount *mp = ip->i_mount; + +- ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL)); +- + /* + * Figure out if there are any blocks beyond the end + * of the file. If not, then there is nothing to do. +diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c +index b6208728ba39..4e19fdabac9d 100644 +--- a/fs/xfs/xfs_buf.c ++++ b/fs/xfs/xfs_buf.c +@@ -97,12 +97,16 @@ static inline void + xfs_buf_ioacct_inc( + struct xfs_buf *bp) + { +- if (bp->b_flags & (XBF_NO_IOACCT|_XBF_IN_FLIGHT)) ++ if (bp->b_flags & XBF_NO_IOACCT) + return; + + ASSERT(bp->b_flags & XBF_ASYNC); +- bp->b_flags |= _XBF_IN_FLIGHT; +- percpu_counter_inc(&bp->b_target->bt_io_count); ++ spin_lock(&bp->b_lock); ++ if (!(bp->b_state & XFS_BSTATE_IN_FLIGHT)) { ++ bp->b_state |= XFS_BSTATE_IN_FLIGHT; ++ percpu_counter_inc(&bp->b_target->bt_io_count); ++ } ++ spin_unlock(&bp->b_lock); + } + + /* +@@ -110,14 +114,24 @@ xfs_buf_ioacct_inc( + * freed and unaccount from the buftarg. + */ + static inline void +-xfs_buf_ioacct_dec( ++__xfs_buf_ioacct_dec( + struct xfs_buf *bp) + { +- if (!(bp->b_flags & _XBF_IN_FLIGHT)) +- return; ++ ASSERT(spin_is_locked(&bp->b_lock)); + +- bp->b_flags &= ~_XBF_IN_FLIGHT; +- percpu_counter_dec(&bp->b_target->bt_io_count); ++ if (bp->b_state & XFS_BSTATE_IN_FLIGHT) { ++ bp->b_state &= ~XFS_BSTATE_IN_FLIGHT; ++ percpu_counter_dec(&bp->b_target->bt_io_count); ++ } ++} ++ ++static inline void ++xfs_buf_ioacct_dec( ++ struct xfs_buf *bp) ++{ ++ spin_lock(&bp->b_lock); ++ __xfs_buf_ioacct_dec(bp); ++ spin_unlock(&bp->b_lock); + } + + /* +@@ -149,9 +163,9 @@ xfs_buf_stale( + * unaccounted (released to LRU) before that occurs. Drop in-flight + * status now to preserve accounting consistency. + */ +- xfs_buf_ioacct_dec(bp); +- + spin_lock(&bp->b_lock); ++ __xfs_buf_ioacct_dec(bp); ++ + atomic_set(&bp->b_lru_ref, 0); + if (!(bp->b_state & XFS_BSTATE_DISPOSE) && + (list_lru_del(&bp->b_target->bt_lru, &bp->b_lru))) +@@ -979,12 +993,12 @@ xfs_buf_rele( + * ensures the decrement occurs only once per-buf. + */ + if ((atomic_read(&bp->b_hold) == 1) && !list_empty(&bp->b_lru)) +- xfs_buf_ioacct_dec(bp); ++ __xfs_buf_ioacct_dec(bp); + goto out_unlock; + } + + /* the last reference has been dropped ... */ +- xfs_buf_ioacct_dec(bp); ++ __xfs_buf_ioacct_dec(bp); + if (!(bp->b_flags & XBF_STALE) && atomic_read(&bp->b_lru_ref)) { + /* + * If the buffer is added to the LRU take a new reference to the +@@ -1079,6 +1093,8 @@ void + xfs_buf_unlock( + struct xfs_buf *bp) + { ++ ASSERT(xfs_buf_islocked(bp)); ++ + XB_CLEAR_OWNER(bp); + up(&bp->b_sema); + +@@ -1815,6 +1831,28 @@ xfs_alloc_buftarg( + } + + /* ++ * Cancel a delayed write list. ++ * ++ * Remove each buffer from the list, clear the delwri queue flag and drop the ++ * associated buffer reference. ++ */ ++void ++xfs_buf_delwri_cancel( ++ struct list_head *list) ++{ ++ struct xfs_buf *bp; ++ ++ while (!list_empty(list)) { ++ bp = list_first_entry(list, struct xfs_buf, b_list); ++ ++ xfs_buf_lock(bp); ++ bp->b_flags &= ~_XBF_DELWRI_Q; ++ list_del_init(&bp->b_list); ++ xfs_buf_relse(bp); ++ } ++} ++ ++/* + * Add a buffer to the delayed write list. + * + * This queues a buffer for writeout if it hasn't already been. Note that +diff --git a/fs/xfs/xfs_buf.h b/fs/xfs/xfs_buf.h +index 3c867e5a63e1..39d9334e59ee 100644 +--- a/fs/xfs/xfs_buf.h ++++ b/fs/xfs/xfs_buf.h +@@ -63,7 +63,6 @@ typedef enum { + #define _XBF_KMEM (1 << 21)/* backed by heap memory */ + #define _XBF_DELWRI_Q (1 << 22)/* buffer on a delwri queue */ + #define _XBF_COMPOUND (1 << 23)/* compound buffer */ +-#define _XBF_IN_FLIGHT (1 << 25) /* I/O in flight, for accounting purposes */ + + typedef unsigned int xfs_buf_flags_t; + +@@ -84,14 +83,14 @@ typedef unsigned int xfs_buf_flags_t; + { _XBF_PAGES, "PAGES" }, \ + { _XBF_KMEM, "KMEM" }, \ + { _XBF_DELWRI_Q, "DELWRI_Q" }, \ +- { _XBF_COMPOUND, "COMPOUND" }, \ +- { _XBF_IN_FLIGHT, "IN_FLIGHT" } ++ { _XBF_COMPOUND, "COMPOUND" } + + + /* + * Internal state flags. + */ + #define XFS_BSTATE_DISPOSE (1 << 0) /* buffer being discarded */ ++#define XFS_BSTATE_IN_FLIGHT (1 << 1) /* I/O in flight */ + + /* + * The xfs_buftarg contains 2 notions of "sector size" - +@@ -330,6 +329,7 @@ extern void *xfs_buf_offset(struct xfs_buf *, size_t); + extern void xfs_buf_stale(struct xfs_buf *bp); + + /* Delayed Write Buffer Routines */ ++extern void xfs_buf_delwri_cancel(struct list_head *); + extern bool xfs_buf_delwri_queue(struct xfs_buf *, struct list_head *); + extern int xfs_buf_delwri_submit(struct list_head *); + extern int xfs_buf_delwri_submit_nowait(struct list_head *); +diff --git a/fs/xfs/xfs_dir2_readdir.c b/fs/xfs/xfs_dir2_readdir.c +index ad9396e516f6..20b7a5c6eb2f 100644 +--- a/fs/xfs/xfs_dir2_readdir.c ++++ b/fs/xfs/xfs_dir2_readdir.c +@@ -394,6 +394,7 @@ xfs_dir2_leaf_readbuf( + + /* + * Do we need more readahead? ++ * Each loop tries to process 1 full dir blk; last may be partial. + */ + blk_start_plug(&plug); + for (mip->ra_index = mip->ra_offset = i = 0; +@@ -404,7 +405,8 @@ xfs_dir2_leaf_readbuf( + * Read-ahead a contiguous directory block. + */ + if (i > mip->ra_current && +- map[mip->ra_index].br_blockcount >= geo->fsbcount) { ++ (map[mip->ra_index].br_blockcount - mip->ra_offset) >= ++ geo->fsbcount) { + xfs_dir3_data_readahead(dp, + map[mip->ra_index].br_startoff + mip->ra_offset, + XFS_FSB_TO_DADDR(dp->i_mount, +@@ -425,14 +427,19 @@ xfs_dir2_leaf_readbuf( + } + + /* +- * Advance offset through the mapping table. ++ * Advance offset through the mapping table, processing a full ++ * dir block even if it is fragmented into several extents. ++ * But stop if we have consumed all valid mappings, even if ++ * it's not yet a full directory block. + */ +- for (j = 0; j < geo->fsbcount; j += length ) { ++ for (j = 0; ++ j < geo->fsbcount && mip->ra_index < mip->map_valid; ++ j += length ) { + /* + * The rest of this extent but not more than a dir + * block. + */ +- length = min_t(int, geo->fsbcount, ++ length = min_t(int, geo->fsbcount - j, + map[mip->ra_index].br_blockcount - + mip->ra_offset); + mip->ra_offset += length; +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c +index 35703a801372..dc0e4cb7029b 100644 +--- a/fs/xfs/xfs_file.c ++++ b/fs/xfs/xfs_file.c +@@ -1043,13 +1043,13 @@ xfs_find_get_desired_pgoff( + + index = startoff >> PAGE_SHIFT; + endoff = XFS_FSB_TO_B(mp, map->br_startoff + map->br_blockcount); +- end = endoff >> PAGE_SHIFT; ++ end = (endoff - 1) >> PAGE_SHIFT; + do { + int want; + unsigned nr_pages; + unsigned int i; + +- want = min_t(pgoff_t, end - index, PAGEVEC_SIZE); ++ want = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1; + nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index, + want); + /* +@@ -1076,17 +1076,6 @@ xfs_find_get_desired_pgoff( + break; + } + +- /* +- * At lease we found one page. If this is the first time we +- * step into the loop, and if the first page index offset is +- * greater than the given search offset, a hole was found. +- */ +- if (type == HOLE_OFF && lastoff == startoff && +- lastoff < page_offset(pvec.pages[0])) { +- found = true; +- break; +- } +- + for (i = 0; i < nr_pages; i++) { + struct page *page = pvec.pages[i]; + loff_t b_offset; +@@ -1098,18 +1087,18 @@ xfs_find_get_desired_pgoff( + * file mapping. However, page->index will not change + * because we have a reference on the page. + * +- * Searching done if the page index is out of range. +- * If the current offset is not reaches the end of +- * the specified search range, there should be a hole +- * between them. ++ * If current page offset is beyond where we've ended, ++ * we've found a hole. + */ +- if (page->index > end) { +- if (type == HOLE_OFF && lastoff < endoff) { +- *offset = lastoff; +- found = true; +- } ++ if (type == HOLE_OFF && lastoff < endoff && ++ lastoff < page_offset(pvec.pages[i])) { ++ found = true; ++ *offset = lastoff; + goto out; + } ++ /* Searching done if the page index is out of range. */ ++ if (page->index > end) ++ goto out; + + lock_page(page); + /* +diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c +index 3531f8f72fa5..f61c84f8e31a 100644 +--- a/fs/xfs/xfs_icache.c ++++ b/fs/xfs/xfs_icache.c +@@ -262,6 +262,22 @@ xfs_inode_clear_reclaim_tag( + xfs_perag_clear_reclaim_tag(pag); + } + ++static void ++xfs_inew_wait( ++ struct xfs_inode *ip) ++{ ++ wait_queue_head_t *wq = bit_waitqueue(&ip->i_flags, __XFS_INEW_BIT); ++ DEFINE_WAIT_BIT(wait, &ip->i_flags, __XFS_INEW_BIT); ++ ++ do { ++ prepare_to_wait(wq, &wait.wait, TASK_UNINTERRUPTIBLE); ++ if (!xfs_iflags_test(ip, XFS_INEW)) ++ break; ++ schedule(); ++ } while (true); ++ finish_wait(wq, &wait.wait); ++} ++ + /* + * When we recycle a reclaimable inode, we need to re-initialise the VFS inode + * part of the structure. This is made more complex by the fact we store +@@ -366,14 +382,17 @@ xfs_iget_cache_hit( + + error = xfs_reinit_inode(mp, inode); + if (error) { ++ bool wake; + /* + * Re-initializing the inode failed, and we are in deep + * trouble. Try to re-add it to the reclaim list. + */ + rcu_read_lock(); + spin_lock(&ip->i_flags_lock); +- ++ wake = !!__xfs_iflags_test(ip, XFS_INEW); + ip->i_flags &= ~(XFS_INEW | XFS_IRECLAIM); ++ if (wake) ++ wake_up_bit(&ip->i_flags, __XFS_INEW_BIT); + ASSERT(ip->i_flags & XFS_IRECLAIMABLE); + trace_xfs_iget_reclaim_fail(ip); + goto out_error; +@@ -623,9 +642,11 @@ xfs_iget( + + STATIC int + xfs_inode_ag_walk_grab( +- struct xfs_inode *ip) ++ struct xfs_inode *ip, ++ int flags) + { + struct inode *inode = VFS_I(ip); ++ bool newinos = !!(flags & XFS_AGITER_INEW_WAIT); + + ASSERT(rcu_read_lock_held()); + +@@ -643,7 +664,8 @@ xfs_inode_ag_walk_grab( + goto out_unlock_noent; + + /* avoid new or reclaimable inodes. Leave for reclaim code to flush */ +- if (__xfs_iflags_test(ip, XFS_INEW | XFS_IRECLAIMABLE | XFS_IRECLAIM)) ++ if ((!newinos && __xfs_iflags_test(ip, XFS_INEW)) || ++ __xfs_iflags_test(ip, XFS_IRECLAIMABLE | XFS_IRECLAIM)) + goto out_unlock_noent; + spin_unlock(&ip->i_flags_lock); + +@@ -671,7 +693,8 @@ xfs_inode_ag_walk( + void *args), + int flags, + void *args, +- int tag) ++ int tag, ++ int iter_flags) + { + uint32_t first_index; + int last_error = 0; +@@ -713,7 +736,7 @@ xfs_inode_ag_walk( + for (i = 0; i < nr_found; i++) { + struct xfs_inode *ip = batch[i]; + +- if (done || xfs_inode_ag_walk_grab(ip)) ++ if (done || xfs_inode_ag_walk_grab(ip, iter_flags)) + batch[i] = NULL; + + /* +@@ -741,6 +764,9 @@ xfs_inode_ag_walk( + for (i = 0; i < nr_found; i++) { + if (!batch[i]) + continue; ++ if ((iter_flags & XFS_AGITER_INEW_WAIT) && ++ xfs_iflags_test(batch[i], XFS_INEW)) ++ xfs_inew_wait(batch[i]); + error = execute(batch[i], flags, args); + IRELE(batch[i]); + if (error == -EAGAIN) { +@@ -820,12 +846,13 @@ xfs_cowblocks_worker( + } + + int +-xfs_inode_ag_iterator( ++xfs_inode_ag_iterator_flags( + struct xfs_mount *mp, + int (*execute)(struct xfs_inode *ip, int flags, + void *args), + int flags, +- void *args) ++ void *args, ++ int iter_flags) + { + struct xfs_perag *pag; + int error = 0; +@@ -835,7 +862,8 @@ xfs_inode_ag_iterator( + ag = 0; + while ((pag = xfs_perag_get(mp, ag))) { + ag = pag->pag_agno + 1; +- error = xfs_inode_ag_walk(mp, pag, execute, flags, args, -1); ++ error = xfs_inode_ag_walk(mp, pag, execute, flags, args, -1, ++ iter_flags); + xfs_perag_put(pag); + if (error) { + last_error = error; +@@ -847,6 +875,17 @@ xfs_inode_ag_iterator( + } + + int ++xfs_inode_ag_iterator( ++ struct xfs_mount *mp, ++ int (*execute)(struct xfs_inode *ip, int flags, ++ void *args), ++ int flags, ++ void *args) ++{ ++ return xfs_inode_ag_iterator_flags(mp, execute, flags, args, 0); ++} ++ ++int + xfs_inode_ag_iterator_tag( + struct xfs_mount *mp, + int (*execute)(struct xfs_inode *ip, int flags, +@@ -863,7 +902,8 @@ xfs_inode_ag_iterator_tag( + ag = 0; + while ((pag = xfs_perag_get_tag(mp, ag, tag))) { + ag = pag->pag_agno + 1; +- error = xfs_inode_ag_walk(mp, pag, execute, flags, args, tag); ++ error = xfs_inode_ag_walk(mp, pag, execute, flags, args, tag, ++ 0); + xfs_perag_put(pag); + if (error) { + last_error = error; +diff --git a/fs/xfs/xfs_icache.h b/fs/xfs/xfs_icache.h +index 8a7c849b4dea..9183f77958ef 100644 +--- a/fs/xfs/xfs_icache.h ++++ b/fs/xfs/xfs_icache.h +@@ -48,6 +48,11 @@ struct xfs_eofblocks { + #define XFS_IGET_UNTRUSTED 0x2 + #define XFS_IGET_DONTCACHE 0x4 + ++/* ++ * flags for AG inode iterator ++ */ ++#define XFS_AGITER_INEW_WAIT 0x1 /* wait on new inodes */ ++ + int xfs_iget(struct xfs_mount *mp, struct xfs_trans *tp, xfs_ino_t ino, + uint flags, uint lock_flags, xfs_inode_t **ipp); + +@@ -79,6 +84,9 @@ void xfs_cowblocks_worker(struct work_struct *); + int xfs_inode_ag_iterator(struct xfs_mount *mp, + int (*execute)(struct xfs_inode *ip, int flags, void *args), + int flags, void *args); ++int xfs_inode_ag_iterator_flags(struct xfs_mount *mp, ++ int (*execute)(struct xfs_inode *ip, int flags, void *args), ++ int flags, void *args, int iter_flags); + int xfs_inode_ag_iterator_tag(struct xfs_mount *mp, + int (*execute)(struct xfs_inode *ip, int flags, void *args), + int flags, void *args, int tag); +diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c +index 7605d8396596..ec9826c56500 100644 +--- a/fs/xfs/xfs_inode.c ++++ b/fs/xfs/xfs_inode.c +@@ -1906,12 +1906,13 @@ xfs_inactive( + * force is true because we are evicting an inode from the + * cache. Post-eof blocks must be freed, lest we end up with + * broken free space accounting. ++ * ++ * Note: don't bother with iolock here since lockdep complains ++ * about acquiring it in reclaim context. We have the only ++ * reference to the inode at this point anyways. + */ +- if (xfs_can_free_eofblocks(ip, true)) { +- xfs_ilock(ip, XFS_IOLOCK_EXCL); ++ if (xfs_can_free_eofblocks(ip, true)) + xfs_free_eofblocks(ip); +- xfs_iunlock(ip, XFS_IOLOCK_EXCL); +- } + + return; + } +diff --git a/fs/xfs/xfs_inode.h b/fs/xfs/xfs_inode.h +index 10dcf27b4c85..10e89fcb49d7 100644 +--- a/fs/xfs/xfs_inode.h ++++ b/fs/xfs/xfs_inode.h +@@ -216,7 +216,8 @@ static inline bool xfs_is_reflink_inode(struct xfs_inode *ip) + #define XFS_IRECLAIM (1 << 0) /* started reclaiming this inode */ + #define XFS_ISTALE (1 << 1) /* inode has been staled */ + #define XFS_IRECLAIMABLE (1 << 2) /* inode can be reclaimed */ +-#define XFS_INEW (1 << 3) /* inode has just been allocated */ ++#define __XFS_INEW_BIT 3 /* inode has just been allocated */ ++#define XFS_INEW (1 << __XFS_INEW_BIT) + #define XFS_ITRUNCATED (1 << 5) /* truncated down so flush-on-close */ + #define XFS_IDIRTY_RELEASE (1 << 6) /* dirty release already seen */ + #define __XFS_IFLOCK_BIT 7 /* inode is being flushed right now */ +@@ -464,6 +465,7 @@ static inline void xfs_finish_inode_setup(struct xfs_inode *ip) + xfs_iflags_clear(ip, XFS_INEW); + barrier(); + unlock_new_inode(VFS_I(ip)); ++ wake_up_bit(&ip->i_flags, __XFS_INEW_BIT); + } + + static inline void xfs_setup_existing_inode(struct xfs_inode *ip) +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index 2fd7fdf5438f..6d30b06e79bc 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -1543,10 +1543,11 @@ xfs_ioc_getbmap( + unsigned int cmd, + void __user *arg) + { +- struct getbmapx bmx; ++ struct getbmapx bmx = { 0 }; + int error; + +- if (copy_from_user(&bmx, arg, sizeof(struct getbmapx))) ++ /* struct getbmap is a strict subset of struct getbmapx. */ ++ if (copy_from_user(&bmx, arg, offsetof(struct getbmapx, bmv_iflags))) + return -EFAULT; + + if (bmx.bmv_count < 2) +diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c +index 288ee5b840d7..79e6dfac3dd6 100644 +--- a/fs/xfs/xfs_iomap.c ++++ b/fs/xfs/xfs_iomap.c +@@ -1170,10 +1170,10 @@ xfs_xattr_iomap_begin( + if (XFS_FORCED_SHUTDOWN(mp)) + return -EIO; + +- lockmode = xfs_ilock_data_map_shared(ip); ++ lockmode = xfs_ilock_attr_map_shared(ip); + + /* if there are no attribute fork or extents, return ENOENT */ +- if (XFS_IFORK_Q(ip) || !ip->i_d.di_anextents) { ++ if (!XFS_IFORK_Q(ip) || !ip->i_d.di_anextents) { + error = -ENOENT; + goto out_unlock; + } +diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c +index b1469f0a91a6..bb58cd1873c9 100644 +--- a/fs/xfs/xfs_log.c ++++ b/fs/xfs/xfs_log.c +@@ -1293,7 +1293,7 @@ void + xfs_log_work_queue( + struct xfs_mount *mp) + { +- queue_delayed_work(mp->m_log_workqueue, &mp->m_log->l_work, ++ queue_delayed_work(mp->m_sync_workqueue, &mp->m_log->l_work, + msecs_to_jiffies(xfs_syncd_centisecs * 10)); + } + +diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h +index 6db6fd6b82b0..22b2185e93a0 100644 +--- a/fs/xfs/xfs_mount.h ++++ b/fs/xfs/xfs_mount.h +@@ -183,6 +183,7 @@ typedef struct xfs_mount { + struct workqueue_struct *m_reclaim_workqueue; + struct workqueue_struct *m_log_workqueue; + struct workqueue_struct *m_eofblocks_workqueue; ++ struct workqueue_struct *m_sync_workqueue; + + /* + * Generation of the filesysyem layout. This is incremented by each +diff --git a/fs/xfs/xfs_qm.c b/fs/xfs/xfs_qm.c +index b669b123287b..8b9a9f15f022 100644 +--- a/fs/xfs/xfs_qm.c ++++ b/fs/xfs/xfs_qm.c +@@ -1384,12 +1384,7 @@ xfs_qm_quotacheck( + mp->m_qflags |= flags; + + error_return: +- while (!list_empty(&buffer_list)) { +- struct xfs_buf *bp = +- list_first_entry(&buffer_list, struct xfs_buf, b_list); +- list_del_init(&bp->b_list); +- xfs_buf_relse(bp); +- } ++ xfs_buf_delwri_cancel(&buffer_list); + + if (error) { + xfs_warn(mp, +diff --git a/fs/xfs/xfs_qm_syscalls.c b/fs/xfs/xfs_qm_syscalls.c +index 475a3882a81f..9cb5c381b01c 100644 +--- a/fs/xfs/xfs_qm_syscalls.c ++++ b/fs/xfs/xfs_qm_syscalls.c +@@ -759,5 +759,6 @@ xfs_qm_dqrele_all_inodes( + uint flags) + { + ASSERT(mp->m_quotainfo); +- xfs_inode_ag_iterator(mp, xfs_dqrele_inode, flags, NULL); ++ xfs_inode_ag_iterator_flags(mp, xfs_dqrele_inode, flags, NULL, ++ XFS_AGITER_INEW_WAIT); + } +diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c +index 4a84c5ea266d..20c46d2ff4f5 100644 +--- a/fs/xfs/xfs_reflink.c ++++ b/fs/xfs/xfs_reflink.c +@@ -709,8 +709,22 @@ xfs_reflink_end_cow( + offset_fsb = XFS_B_TO_FSBT(ip->i_mount, offset); + end_fsb = XFS_B_TO_FSB(ip->i_mount, offset + count); + +- /* Start a rolling transaction to switch the mappings */ +- resblks = XFS_EXTENTADD_SPACE_RES(ip->i_mount, XFS_DATA_FORK); ++ /* ++ * Start a rolling transaction to switch the mappings. We're ++ * unlikely ever to have to remap 16T worth of single-block ++ * extents, so just cap the worst case extent count to 2^32-1. ++ * Stick a warning in just in case, and avoid 64-bit division. ++ */ ++ BUILD_BUG_ON(MAX_RW_COUNT > UINT_MAX); ++ if (end_fsb - offset_fsb > UINT_MAX) { ++ error = -EFSCORRUPTED; ++ xfs_force_shutdown(ip->i_mount, SHUTDOWN_CORRUPT_INCORE); ++ ASSERT(0); ++ goto out; ++ } ++ resblks = XFS_NEXTENTADD_SPACE_RES(ip->i_mount, ++ (unsigned int)(end_fsb - offset_fsb), ++ XFS_DATA_FORK); + error = xfs_trans_alloc(ip->i_mount, &M_RES(ip->i_mount)->tr_write, + resblks, 0, 0, &tp); + if (error) +diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c +index 685c042a120f..47d239dcf3f4 100644 +--- a/fs/xfs/xfs_super.c ++++ b/fs/xfs/xfs_super.c +@@ -877,8 +877,15 @@ xfs_init_mount_workqueues( + if (!mp->m_eofblocks_workqueue) + goto out_destroy_log; + ++ mp->m_sync_workqueue = alloc_workqueue("xfs-sync/%s", WQ_FREEZABLE, 0, ++ mp->m_fsname); ++ if (!mp->m_sync_workqueue) ++ goto out_destroy_eofb; ++ + return 0; + ++out_destroy_eofb: ++ destroy_workqueue(mp->m_eofblocks_workqueue); + out_destroy_log: + destroy_workqueue(mp->m_log_workqueue); + out_destroy_reclaim: +@@ -899,6 +906,7 @@ STATIC void + xfs_destroy_mount_workqueues( + struct xfs_mount *mp) + { ++ destroy_workqueue(mp->m_sync_workqueue); + destroy_workqueue(mp->m_eofblocks_workqueue); + destroy_workqueue(mp->m_log_workqueue); + destroy_workqueue(mp->m_reclaim_workqueue); +diff --git a/fs/xfs/xfs_trans.c b/fs/xfs/xfs_trans.c +index 70f42ea86dfb..a280e126491f 100644 +--- a/fs/xfs/xfs_trans.c ++++ b/fs/xfs/xfs_trans.c +@@ -263,6 +263,28 @@ xfs_trans_alloc( + } + + /* ++ * Create an empty transaction with no reservation. This is a defensive ++ * mechanism for routines that query metadata without actually modifying ++ * them -- if the metadata being queried is somehow cross-linked (think a ++ * btree block pointer that points higher in the tree), we risk deadlock. ++ * However, blocks grabbed as part of a transaction can be re-grabbed. ++ * The verifiers will notice the corrupt block and the operation will fail ++ * back to userspace without deadlocking. ++ * ++ * Note the zero-length reservation; this transaction MUST be cancelled ++ * without any dirty data. ++ */ ++int ++xfs_trans_alloc_empty( ++ struct xfs_mount *mp, ++ struct xfs_trans **tpp) ++{ ++ struct xfs_trans_res resv = {0}; ++ ++ return xfs_trans_alloc(mp, &resv, 0, 0, XFS_TRANS_NO_WRITECOUNT, tpp); ++} ++ ++/* + * Record the indicated change to the given field for application + * to the file system's superblock when the transaction commits. + * For now, just store the change in the transaction structure. +diff --git a/fs/xfs/xfs_trans.h b/fs/xfs/xfs_trans.h +index 1646f659b60f..2a9292df6640 100644 +--- a/fs/xfs/xfs_trans.h ++++ b/fs/xfs/xfs_trans.h +@@ -158,6 +158,8 @@ typedef struct xfs_trans { + int xfs_trans_alloc(struct xfs_mount *mp, struct xfs_trans_res *resp, + uint blocks, uint rtextents, uint flags, + struct xfs_trans **tpp); ++int xfs_trans_alloc_empty(struct xfs_mount *mp, ++ struct xfs_trans **tpp); + void xfs_trans_mod_sb(xfs_trans_t *, uint, int64_t); + + struct xfs_buf *xfs_trans_get_buf_map(struct xfs_trans *tp, +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 8d5fcd6284ce..283dc2f5364d 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -614,14 +614,16 @@ static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb) + static inline netdev_features_t vlan_features_check(const struct sk_buff *skb, + netdev_features_t features) + { +- if (skb_vlan_tagged_multi(skb)) +- features = netdev_intersect_features(features, +- NETIF_F_SG | +- NETIF_F_HIGHDMA | +- NETIF_F_FRAGLIST | +- NETIF_F_HW_CSUM | +- NETIF_F_HW_VLAN_CTAG_TX | +- NETIF_F_HW_VLAN_STAG_TX); ++ if (skb_vlan_tagged_multi(skb)) { ++ /* In the case of multi-tagged packets, use a direct mask ++ * instead of using netdev_interesect_features(), to make ++ * sure that only devices supporting NETIF_F_HW_CSUM will ++ * have checksum offloading support. ++ */ ++ features &= NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_HW_CSUM | ++ NETIF_F_FRAGLIST | NETIF_F_HW_VLAN_CTAG_TX | ++ NETIF_F_HW_VLAN_STAG_TX; ++ } + + return features; + } +diff --git a/include/linux/memblock.h b/include/linux/memblock.h +index bdfc65af4152..14dbc4fd0a92 100644 +--- a/include/linux/memblock.h ++++ b/include/linux/memblock.h +@@ -423,12 +423,20 @@ static inline void early_memtest(phys_addr_t start, phys_addr_t end) + } + #endif + ++extern unsigned long memblock_reserved_memory_within(phys_addr_t start_addr, ++ phys_addr_t end_addr); + #else + static inline phys_addr_t memblock_alloc(phys_addr_t size, phys_addr_t align) + { + return 0; + } + ++static inline unsigned long memblock_reserved_memory_within(phys_addr_t start_addr, ++ phys_addr_t end_addr) ++{ ++ return 0; ++} ++ + #endif /* CONFIG_HAVE_MEMBLOCK */ + + #endif /* __KERNEL__ */ +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 2fcff6b4503f..c965d1165df6 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -785,7 +785,12 @@ enum { + + typedef void (*mlx5_cmd_cbk_t)(int status, void *context); + ++enum { ++ MLX5_CMD_ENT_STATE_PENDING_COMP, ++}; ++ + struct mlx5_cmd_work_ent { ++ unsigned long state; + struct mlx5_cmd_msg *in; + struct mlx5_cmd_msg *out; + void *uout; +@@ -979,7 +984,7 @@ void mlx5_cq_completion(struct mlx5_core_dev *dev, u32 cqn); + void mlx5_rsc_event(struct mlx5_core_dev *dev, u32 rsn, int event_type); + void mlx5_srq_event(struct mlx5_core_dev *dev, u32 srqn, int event_type); + struct mlx5_core_srq *mlx5_core_get_srq(struct mlx5_core_dev *dev, u32 srqn); +-void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec); ++void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool forced); + void mlx5_cq_event(struct mlx5_core_dev *dev, u32 cqn, int event_type); + int mlx5_create_map_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq, u8 vecidx, + int nent, u64 mask, const char *name, +diff --git a/include/linux/mm.h b/include/linux/mm.h +index 00a8fa7e366a..018b134f6427 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -2315,6 +2315,17 @@ static inline struct page *follow_page(struct vm_area_struct *vma, + #define FOLL_REMOTE 0x2000 /* we are working on non-current tsk/mm */ + #define FOLL_COW 0x4000 /* internal GUP flag */ + ++static inline int vm_fault_to_errno(int vm_fault, int foll_flags) ++{ ++ if (vm_fault & VM_FAULT_OOM) ++ return -ENOMEM; ++ if (vm_fault & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE)) ++ return (foll_flags & FOLL_HWPOISON) ? -EHWPOISON : -EFAULT; ++ if (vm_fault & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV)) ++ return -EFAULT; ++ return 0; ++} ++ + typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, + void *data); + extern int apply_to_page_range(struct mm_struct *mm, unsigned long address, +diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h +index d45172b559d8..a3e9b7ba2c25 100644 +--- a/include/linux/mmzone.h ++++ b/include/linux/mmzone.h +@@ -672,6 +672,7 @@ typedef struct pglist_data { + * is the first PFN that needs to be initialised. + */ + unsigned long first_deferred_pfn; ++ unsigned long static_init_size; + #endif /* CONFIG_DEFERRED_STRUCT_PAGE_INIT */ + + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +diff --git a/include/net/dst.h b/include/net/dst.h +index 049af33da3b6..cfc043784166 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -107,10 +107,16 @@ struct dst_entry { + }; + }; + ++struct dst_metrics { ++ u32 metrics[RTAX_MAX]; ++ atomic_t refcnt; ++}; ++extern const struct dst_metrics dst_default_metrics; ++ + u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old); +-extern const u32 dst_default_metrics[]; + + #define DST_METRICS_READ_ONLY 0x1UL ++#define DST_METRICS_REFCOUNTED 0x2UL + #define DST_METRICS_FLAGS 0x3UL + #define __DST_METRICS_PTR(Y) \ + ((u32 *)((Y) & ~DST_METRICS_FLAGS)) +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index 368bb4024b78..892f8dccc835 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -114,11 +114,11 @@ struct fib_info { + __be32 fib_prefsrc; + u32 fib_tb_id; + u32 fib_priority; +- u32 *fib_metrics; +-#define fib_mtu fib_metrics[RTAX_MTU-1] +-#define fib_window fib_metrics[RTAX_WINDOW-1] +-#define fib_rtt fib_metrics[RTAX_RTT-1] +-#define fib_advmss fib_metrics[RTAX_ADVMSS-1] ++ struct dst_metrics *fib_metrics; ++#define fib_mtu fib_metrics->metrics[RTAX_MTU-1] ++#define fib_window fib_metrics->metrics[RTAX_WINDOW-1] ++#define fib_rtt fib_metrics->metrics[RTAX_RTT-1] ++#define fib_advmss fib_metrics->metrics[RTAX_ADVMSS-1] + int fib_nhs; + #ifdef CONFIG_IP_ROUTE_MULTIPATH + int fib_weight; +diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h +index 275581d483dd..5f17fb770477 100644 +--- a/include/target/iscsi/iscsi_target_core.h ++++ b/include/target/iscsi/iscsi_target_core.h +@@ -557,6 +557,7 @@ struct iscsi_conn { + #define LOGIN_FLAGS_READ_ACTIVE 1 + #define LOGIN_FLAGS_CLOSED 2 + #define LOGIN_FLAGS_READY 4 ++#define LOGIN_FLAGS_INITIAL_PDU 8 + unsigned long login_flags; + struct delayed_work login_work; + struct delayed_work login_cleanup_work; +diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c +index 6b6f41f0b211..892f47c28377 100644 +--- a/kernel/bpf/arraymap.c ++++ b/kernel/bpf/arraymap.c +@@ -83,6 +83,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) + array->map.key_size = attr->key_size; + array->map.value_size = attr->value_size; + array->map.max_entries = attr->max_entries; ++ array->map.map_flags = attr->map_flags; + array->elem_size = elem_size; + + if (!percpu) +diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c +index b37bd9ab7f57..7ab9e42180ab 100644 +--- a/kernel/bpf/lpm_trie.c ++++ b/kernel/bpf/lpm_trie.c +@@ -432,6 +432,7 @@ static struct bpf_map *trie_alloc(union bpf_attr *attr) + trie->map.key_size = attr->key_size; + trie->map.value_size = attr->value_size; + trie->map.max_entries = attr->max_entries; ++ trie->map.map_flags = attr->map_flags; + trie->data_size = attr->key_size - + offsetof(struct bpf_lpm_trie_key, data); + trie->max_prefixlen = trie->data_size * 8; +diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c +index 22aa45cd0324..96f604317685 100644 +--- a/kernel/bpf/stackmap.c ++++ b/kernel/bpf/stackmap.c +@@ -88,6 +88,7 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr) + smap->map.key_size = attr->key_size; + smap->map.value_size = value_size; + smap->map.max_entries = attr->max_entries; ++ smap->map.map_flags = attr->map_flags; + smap->n_buckets = n_buckets; + smap->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT; + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 6fd78d4c4164..904decd32783 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -140,7 +140,7 @@ struct bpf_verifier_stack_elem { + struct bpf_verifier_stack_elem *next; + }; + +-#define BPF_COMPLEXITY_LIMIT_INSNS 65536 ++#define BPF_COMPLEXITY_LIMIT_INSNS 98304 + #define BPF_COMPLEXITY_LIMIT_STACK 1024 + + struct bpf_call_arg_meta { +@@ -2546,6 +2546,7 @@ static int check_cfg(struct bpf_verifier_env *env) + env->explored_states[t + 1] = STATE_LIST_MARK; + } else { + /* conditional jump with two edges */ ++ env->explored_states[t] = STATE_LIST_MARK; + ret = push_insn(t, t + 1, FALLTHROUGH, env); + if (ret == 1) + goto peek_stack; +@@ -2704,6 +2705,12 @@ static bool states_equal(struct bpf_verifier_env *env, + rcur->type != NOT_INIT)) + continue; + ++ /* Don't care about the reg->id in this case. */ ++ if (rold->type == PTR_TO_MAP_VALUE_OR_NULL && ++ rcur->type == PTR_TO_MAP_VALUE_OR_NULL && ++ rold->map_ptr == rcur->map_ptr) ++ continue; ++ + if (rold->type == PTR_TO_PACKET && rcur->type == PTR_TO_PACKET && + compare_ptrs_to_packet(rold, rcur)) + continue; +@@ -2838,6 +2845,9 @@ static int do_check(struct bpf_verifier_env *env) + goto process_bpf_exit; + } + ++ if (need_resched()) ++ cond_resched(); ++ + if (log_level && do_print_state) { + verbose("\nfrom %d to %d:", prev_insn_idx, insn_idx); + print_verifier_state(&env->cur_state); +diff --git a/mm/gup.c b/mm/gup.c +index 04aa405350dc..fb87cbf37e52 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -407,12 +407,10 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma, + + ret = handle_mm_fault(vma, address, fault_flags); + if (ret & VM_FAULT_ERROR) { +- if (ret & VM_FAULT_OOM) +- return -ENOMEM; +- if (ret & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE)) +- return *flags & FOLL_HWPOISON ? -EHWPOISON : -EFAULT; +- if (ret & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV)) +- return -EFAULT; ++ int err = vm_fault_to_errno(ret, *flags); ++ ++ if (err) ++ return err; + BUG(); + } + +@@ -723,12 +721,10 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm, + ret = handle_mm_fault(vma, address, fault_flags); + major |= ret & VM_FAULT_MAJOR; + if (ret & VM_FAULT_ERROR) { +- if (ret & VM_FAULT_OOM) +- return -ENOMEM; +- if (ret & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE)) +- return -EHWPOISON; +- if (ret & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV)) +- return -EFAULT; ++ int err = vm_fault_to_errno(ret, 0); ++ ++ if (err) ++ return err; + BUG(); + } + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index e5828875f7bb..3eedb187e549 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -4170,6 +4170,11 @@ long follow_hugetlb_page(struct mm_struct *mm, struct vm_area_struct *vma, + } + ret = hugetlb_fault(mm, vma, vaddr, fault_flags); + if (ret & VM_FAULT_ERROR) { ++ int err = vm_fault_to_errno(ret, flags); ++ ++ if (err) ++ return err; ++ + remainder = 0; + break; + } +diff --git a/mm/ksm.c b/mm/ksm.c +index 19b4f2dea7a5..11891ca81e40 100644 +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -1028,8 +1028,7 @@ static int try_to_merge_one_page(struct vm_area_struct *vma, + goto out; + + if (PageTransCompound(page)) { +- err = split_huge_page(page); +- if (err) ++ if (split_huge_page(page)) + goto out_unlock; + } + +diff --git a/mm/memblock.c b/mm/memblock.c +index 696f06d17c4e..a749101ed2a2 100644 +--- a/mm/memblock.c ++++ b/mm/memblock.c +@@ -1713,6 +1713,29 @@ static void __init_memblock memblock_dump(struct memblock_type *type) + } + } + ++extern unsigned long __init_memblock ++memblock_reserved_memory_within(phys_addr_t start_addr, phys_addr_t end_addr) ++{ ++ struct memblock_region *rgn; ++ unsigned long size = 0; ++ int idx; ++ ++ for_each_memblock_type((&memblock.reserved), rgn) { ++ phys_addr_t start, end; ++ ++ if (rgn->base + rgn->size < start_addr) ++ continue; ++ if (rgn->base > end_addr) ++ continue; ++ ++ start = rgn->base; ++ end = start + rgn->size; ++ size += end - start; ++ } ++ ++ return size; ++} ++ + void __init_memblock __memblock_dump_all(void) + { + pr_info("MEMBLOCK configuration:\n"); +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 27f7210e7fab..d7780dfdf541 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1587,12 +1587,8 @@ static int soft_offline_huge_page(struct page *page, int flags) + if (ret) { + pr_info("soft offline: %#lx: migration failed %d, type %lx\n", + pfn, ret, page->flags); +- /* +- * We know that soft_offline_huge_page() tries to migrate +- * only one hugepage pointed to by hpage, so we need not +- * run through the pagelist here. +- */ +- putback_active_hugepage(hpage); ++ if (!list_empty(&pagelist)) ++ putback_movable_pages(&pagelist); + if (ret > 0) + ret = -EIO; + } else { +diff --git a/mm/memory.c b/mm/memory.c +index 235ba51b2fbf..2437dc08ab36 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3029,6 +3029,17 @@ static int __do_fault(struct vm_fault *vmf) + return ret; + } + ++/* ++ * The ordering of these checks is important for pmds with _PAGE_DEVMAP set. ++ * If we check pmd_trans_unstable() first we will trip the bad_pmd() check ++ * inside of pmd_none_or_trans_huge_or_clear_bad(). This will end up correctly ++ * returning 1 but not before it spams dmesg with the pmd_clear_bad() output. ++ */ ++static int pmd_devmap_trans_unstable(pmd_t *pmd) ++{ ++ return pmd_devmap(*pmd) || pmd_trans_unstable(pmd); ++} ++ + static int pte_alloc_one_map(struct vm_fault *vmf) + { + struct vm_area_struct *vma = vmf->vma; +@@ -3052,18 +3063,27 @@ static int pte_alloc_one_map(struct vm_fault *vmf) + map_pte: + /* + * If a huge pmd materialized under us just retry later. Use +- * pmd_trans_unstable() instead of pmd_trans_huge() to ensure the pmd +- * didn't become pmd_trans_huge under us and then back to pmd_none, as +- * a result of MADV_DONTNEED running immediately after a huge pmd fault +- * in a different thread of this mm, in turn leading to a misleading +- * pmd_trans_huge() retval. All we have to ensure is that it is a +- * regular pmd that we can walk with pte_offset_map() and we can do that +- * through an atomic read in C, which is what pmd_trans_unstable() +- * provides. ++ * pmd_trans_unstable() via pmd_devmap_trans_unstable() instead of ++ * pmd_trans_huge() to ensure the pmd didn't become pmd_trans_huge ++ * under us and then back to pmd_none, as a result of MADV_DONTNEED ++ * running immediately after a huge pmd fault in a different thread of ++ * this mm, in turn leading to a misleading pmd_trans_huge() retval. ++ * All we have to ensure is that it is a regular pmd that we can walk ++ * with pte_offset_map() and we can do that through an atomic read in ++ * C, which is what pmd_trans_unstable() provides. + */ +- if (pmd_trans_unstable(vmf->pmd) || pmd_devmap(*vmf->pmd)) ++ if (pmd_devmap_trans_unstable(vmf->pmd)) + return VM_FAULT_NOPAGE; + ++ /* ++ * At this point we know that our vmf->pmd points to a page of ptes ++ * and it cannot become pmd_none(), pmd_devmap() or pmd_trans_huge() ++ * for the duration of the fault. If a racing MADV_DONTNEED runs and ++ * we zap the ptes pointed to by our vmf->pmd, the vmf->ptl will still ++ * be valid and we will re-check to make sure the vmf->pte isn't ++ * pte_none() under vmf->ptl protection when we return to ++ * alloc_set_pte(). ++ */ + vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, vmf->address, + &vmf->ptl); + return 0; +@@ -3690,7 +3710,7 @@ static int handle_pte_fault(struct vm_fault *vmf) + vmf->pte = NULL; + } else { + /* See comment in pte_alloc_one_map() */ +- if (pmd_trans_unstable(vmf->pmd) || pmd_devmap(*vmf->pmd)) ++ if (pmd_devmap_trans_unstable(vmf->pmd)) + return 0; + /* + * A regular pmd is established and it can't morph into a huge +diff --git a/mm/mlock.c b/mm/mlock.c +index 0dd9ca18e19e..721679a2c1aa 100644 +--- a/mm/mlock.c ++++ b/mm/mlock.c +@@ -286,7 +286,7 @@ static void __munlock_pagevec(struct pagevec *pvec, struct zone *zone) + { + int i; + int nr = pagevec_count(pvec); +- int delta_munlocked; ++ int delta_munlocked = -nr; + struct pagevec pvec_putback; + int pgrescued = 0; + +@@ -306,6 +306,8 @@ static void __munlock_pagevec(struct pagevec *pvec, struct zone *zone) + continue; + else + __munlock_isolation_failed(page); ++ } else { ++ delta_munlocked++; + } + + /* +@@ -317,7 +319,6 @@ static void __munlock_pagevec(struct pagevec *pvec, struct zone *zone) + pagevec_add(&pvec_putback, pvec->pages[i]); + pvec->pages[i] = NULL; + } +- delta_munlocked = -nr + pagevec_count(&pvec_putback); + __mod_zone_page_state(zone, NR_MLOCK, delta_munlocked); + spin_unlock_irq(zone_lru_lock(zone)); + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index c5fee5a0316d..a2019fc9d94d 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -291,6 +291,26 @@ int page_group_by_mobility_disabled __read_mostly; + #ifdef CONFIG_DEFERRED_STRUCT_PAGE_INIT + static inline void reset_deferred_meminit(pg_data_t *pgdat) + { ++ unsigned long max_initialise; ++ unsigned long reserved_lowmem; ++ ++ /* ++ * Initialise at least 2G of a node but also take into account that ++ * two large system hashes that can take up 1GB for 0.25TB/node. ++ */ ++ max_initialise = max(2UL << (30 - PAGE_SHIFT), ++ (pgdat->node_spanned_pages >> 8)); ++ ++ /* ++ * Compensate the all the memblock reservations (e.g. crash kernel) ++ * from the initial estimation to make sure we will initialize enough ++ * memory to boot. ++ */ ++ reserved_lowmem = memblock_reserved_memory_within(pgdat->node_start_pfn, ++ pgdat->node_start_pfn + max_initialise); ++ max_initialise += reserved_lowmem; ++ ++ pgdat->static_init_size = min(max_initialise, pgdat->node_spanned_pages); + pgdat->first_deferred_pfn = ULONG_MAX; + } + +@@ -313,20 +333,11 @@ static inline bool update_defer_init(pg_data_t *pgdat, + unsigned long pfn, unsigned long zone_end, + unsigned long *nr_initialised) + { +- unsigned long max_initialise; +- + /* Always populate low zones for address-contrained allocations */ + if (zone_end < pgdat_end_pfn(pgdat)) + return true; +- /* +- * Initialise at least 2G of a node but also take into account that +- * two large system hashes that can take up 1GB for 0.25TB/node. +- */ +- max_initialise = max(2UL << (30 - PAGE_SHIFT), +- (pgdat->node_spanned_pages >> 8)); +- + (*nr_initialised)++; +- if ((*nr_initialised > max_initialise) && ++ if ((*nr_initialised > pgdat->static_init_size) && + (pfn & (PAGES_PER_SECTION - 1)) == 0) { + pgdat->first_deferred_pfn = pfn; + return false; +@@ -3834,7 +3845,9 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order, + goto got_pg; + + /* Avoid allocations with no watermarks from looping endlessly */ +- if (test_thread_flag(TIF_MEMDIE)) ++ if (test_thread_flag(TIF_MEMDIE) && ++ (alloc_flags == ALLOC_NO_WATERMARKS || ++ (gfp_mask & __GFP_NOMEMALLOC))) + goto nopage; + + /* Retry as long as the OOM killer is making progress */ +@@ -6098,7 +6111,6 @@ void __paginginit free_area_init_node(int nid, unsigned long *zones_size, + /* pg_data_t should be reset to zero when it's allocated */ + WARN_ON(pgdat->nr_zones || pgdat->kswapd_classzone_idx); + +- reset_deferred_meminit(pgdat); + pgdat->node_id = nid; + pgdat->node_start_pfn = node_start_pfn; + pgdat->per_cpu_nodestats = NULL; +@@ -6120,6 +6132,7 @@ void __paginginit free_area_init_node(int nid, unsigned long *zones_size, + (unsigned long)pgdat->node_mem_map); + #endif + ++ reset_deferred_meminit(pgdat); + free_area_init_core(pgdat); + } + +diff --git a/mm/slub.c b/mm/slub.c +index 7f4bc7027ed5..e3863a22e10d 100644 +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -5512,6 +5512,7 @@ static void memcg_propagate_slab_attrs(struct kmem_cache *s) + char mbuf[64]; + char *buf; + struct slab_attribute *attr = to_slab_attr(slab_attrs[i]); ++ ssize_t len; + + if (!attr || !attr->store || !attr->show) + continue; +@@ -5536,8 +5537,9 @@ static void memcg_propagate_slab_attrs(struct kmem_cache *s) + buf = buffer; + } + +- attr->show(root_cache, buf); +- attr->store(s, buf, strlen(buf)); ++ len = attr->show(root_cache, buf); ++ if (len > 0) ++ attr->store(s, buf, len); + } + + if (buffer) +diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c +index 225ef7d53701..0488c6735c46 100644 +--- a/net/bridge/br_netlink.c ++++ b/net/bridge/br_netlink.c +@@ -828,6 +828,13 @@ static int br_validate(struct nlattr *tb[], struct nlattr *data[]) + return -EPROTONOSUPPORT; + } + } ++ ++ if (data[IFLA_BR_VLAN_DEFAULT_PVID]) { ++ __u16 defpvid = nla_get_u16(data[IFLA_BR_VLAN_DEFAULT_PVID]); ++ ++ if (defpvid >= VLAN_VID_MASK) ++ return -EINVAL; ++ } + #endif + + return 0; +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index 08341d2aa9c9..0db8102995a5 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -179,6 +179,7 @@ static void br_stp_start(struct net_bridge *br) + br_debug(br, "using kernel STP\n"); + + /* To start timers on any ports left in blocking */ ++ mod_timer(&br->hello_timer, jiffies + br->hello_time); + br_port_state_selection(br); + } + +diff --git a/net/bridge/br_stp_timer.c b/net/bridge/br_stp_timer.c +index c98b3e5c140a..60b6fe277a8b 100644 +--- a/net/bridge/br_stp_timer.c ++++ b/net/bridge/br_stp_timer.c +@@ -40,7 +40,7 @@ static void br_hello_timer_expired(unsigned long arg) + if (br->dev->flags & IFF_UP) { + br_config_bpdu_generation(br); + +- if (br->stp_enabled != BR_USER_STP) ++ if (br->stp_enabled == BR_KERNEL_STP) + mod_timer(&br->hello_timer, + round_jiffies(jiffies + br->hello_time)); + } +diff --git a/net/core/dst.c b/net/core/dst.c +index 960e503b5a52..6192f11beec9 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -151,13 +151,13 @@ int dst_discard_out(struct net *net, struct sock *sk, struct sk_buff *skb) + } + EXPORT_SYMBOL(dst_discard_out); + +-const u32 dst_default_metrics[RTAX_MAX + 1] = { ++const struct dst_metrics dst_default_metrics = { + /* This initializer is needed to force linker to place this variable + * into const section. Otherwise it might end into bss section. + * We really want to avoid false sharing on this variable, and catch + * any writes on it. + */ +- [RTAX_MAX] = 0xdeadbeef, ++ .refcnt = ATOMIC_INIT(1), + }; + + void dst_init(struct dst_entry *dst, struct dst_ops *ops, +@@ -169,7 +169,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops, + if (dev) + dev_hold(dev); + dst->ops = ops; +- dst_init_metrics(dst, dst_default_metrics, true); ++ dst_init_metrics(dst, dst_default_metrics.metrics, true); + dst->expires = 0UL; + dst->path = dst; + dst->from = NULL; +@@ -314,25 +314,30 @@ EXPORT_SYMBOL(dst_release); + + u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old) + { +- u32 *p = kmalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC); ++ struct dst_metrics *p = kmalloc(sizeof(*p), GFP_ATOMIC); + + if (p) { +- u32 *old_p = __DST_METRICS_PTR(old); ++ struct dst_metrics *old_p = (struct dst_metrics *)__DST_METRICS_PTR(old); + unsigned long prev, new; + +- memcpy(p, old_p, sizeof(u32) * RTAX_MAX); ++ atomic_set(&p->refcnt, 1); ++ memcpy(p->metrics, old_p->metrics, sizeof(p->metrics)); + + new = (unsigned long) p; + prev = cmpxchg(&dst->_metrics, old, new); + + if (prev != old) { + kfree(p); +- p = __DST_METRICS_PTR(prev); ++ p = (struct dst_metrics *)__DST_METRICS_PTR(prev); + if (prev & DST_METRICS_READ_ONLY) + p = NULL; ++ } else if (prev & DST_METRICS_REFCOUNTED) { ++ if (atomic_dec_and_test(&old_p->refcnt)) ++ kfree(old_p); + } + } +- return p; ++ BUILD_BUG_ON(offsetof(struct dst_metrics, metrics) != 0); ++ return (u32 *)p; + } + EXPORT_SYMBOL(dst_cow_metrics_generic); + +@@ -341,7 +346,7 @@ void __dst_destroy_metrics_generic(struct dst_entry *dst, unsigned long old) + { + unsigned long prev, new; + +- new = ((unsigned long) dst_default_metrics) | DST_METRICS_READ_ONLY; ++ new = ((unsigned long) &dst_default_metrics) | DST_METRICS_READ_ONLY; + prev = cmpxchg(&dst->_metrics, old, new); + if (prev == old) + kfree(__DST_METRICS_PTR(old)); +diff --git a/net/core/filter.c b/net/core/filter.c +index ebaeaf2e46e8..6ca3b05eb627 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -2266,6 +2266,7 @@ bool bpf_helper_changes_pkt_data(void *func) + func == bpf_skb_change_head || + func == bpf_skb_change_tail || + func == bpf_skb_pull_data || ++ func == bpf_clone_redirect || + func == bpf_l3_csum_replace || + func == bpf_l4_csum_replace || + func == bpf_xdp_adjust_head) +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 69daf393cbe1..8d4a185a8143 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1620,13 +1620,13 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, 0, + flags, + ext_filter_mask); +- /* If we ran out of room on the first message, +- * we're in trouble +- */ +- WARN_ON((err == -EMSGSIZE) && (skb->len == 0)); + +- if (err < 0) +- goto out; ++ if (err < 0) { ++ if (likely(skb->len)) ++ goto out; ++ ++ goto out_err; ++ } + + nl_dump_check_consistent(cb, nlmsg_hdr(skb)); + cont: +@@ -1634,10 +1634,12 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) + } + } + out: ++ err = skb->len; ++out_err: + cb->args[1] = idx; + cb->args[0] = h; + +- return skb->len; ++ return err; + } + + int rtnl_nla_parse_ifla(struct nlattr **tb, const struct nlattr *head, int len) +@@ -3427,8 +3429,12 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb) + err = br_dev->netdev_ops->ndo_bridge_getlink( + skb, portid, seq, dev, + filter_mask, NLM_F_MULTI); +- if (err < 0 && err != -EOPNOTSUPP) +- break; ++ if (err < 0 && err != -EOPNOTSUPP) { ++ if (likely(skb->len)) ++ break; ++ ++ goto out_err; ++ } + } + idx++; + } +@@ -3439,16 +3445,22 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb) + seq, dev, + filter_mask, + NLM_F_MULTI); +- if (err < 0 && err != -EOPNOTSUPP) +- break; ++ if (err < 0 && err != -EOPNOTSUPP) { ++ if (likely(skb->len)) ++ break; ++ ++ goto out_err; ++ } + } + idx++; + } + } ++ err = skb->len; ++out_err: + rcu_read_unlock(); + cb->args[0] = idx; + +- return skb->len; ++ return err; + } + + static inline size_t bridge_nlmsg_size(void) +diff --git a/net/core/sock.c b/net/core/sock.c +index 2c4f574168fb..59edc0e8c71a 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -138,10 +138,7 @@ + + #include <trace/events/sock.h> + +-#ifdef CONFIG_INET + #include <net/tcp.h> +-#endif +- + #include <net/busy_poll.h> + + static DEFINE_MUTEX(proto_list_mutex); +@@ -1699,28 +1696,24 @@ EXPORT_SYMBOL(skb_set_owner_w); + * delay queue. We want to allow the owner socket to send more + * packets, as if they were already TX completed by a typical driver. + * But we also want to keep skb->sk set because some packet schedulers +- * rely on it (sch_fq for example). So we set skb->truesize to a small +- * amount (1) and decrease sk_wmem_alloc accordingly. ++ * rely on it (sch_fq for example). + */ + void skb_orphan_partial(struct sk_buff *skb) + { +- /* If this skb is a TCP pure ACK or already went here, +- * we have nothing to do. 2 is already a very small truesize. +- */ +- if (skb->truesize <= 2) ++ if (skb_is_tcp_pure_ack(skb)) + return; + +- /* TCP stack sets skb->ooo_okay based on sk_wmem_alloc, +- * so we do not completely orphan skb, but transfert all +- * accounted bytes but one, to avoid unexpected reorders. +- */ + if (skb->destructor == sock_wfree + #ifdef CONFIG_INET + || skb->destructor == tcp_wfree + #endif + ) { +- atomic_sub(skb->truesize - 1, &skb->sk->sk_wmem_alloc); +- skb->truesize = 1; ++ struct sock *sk = skb->sk; ++ ++ if (atomic_inc_not_zero(&sk->sk_refcnt)) { ++ atomic_sub(skb->truesize, &sk->sk_wmem_alloc); ++ skb->destructor = sock_efree; ++ } + } else { + skb_orphan(skb); + } +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index d9b6a4e403e7..b6bbb71e713e 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, + newsk->sk_backlog_rcv = dccp_v4_do_rcv; + newnp->pktoptions = NULL; + newnp->opt = NULL; ++ newnp->ipv6_mc_list = NULL; ++ newnp->ipv6_ac_list = NULL; ++ newnp->ipv6_fl_list = NULL; + newnp->mcast_oif = inet6_iif(skb); + newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; + +@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, + /* Clone RX bits */ + newnp->rxopt.all = np->rxopt.all; + ++ newnp->ipv6_mc_list = NULL; ++ newnp->ipv6_ac_list = NULL; ++ newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; + newnp->opt = NULL; + newnp->mcast_oif = inet6_iif(skb); +diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c +index 8f2133ffc2ff..a2f7de26670e 100644 +--- a/net/ipv4/fib_frontend.c ++++ b/net/ipv4/fib_frontend.c +@@ -760,7 +760,7 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) + unsigned int e = 0, s_e; + struct fib_table *tb; + struct hlist_head *head; +- int dumped = 0; ++ int dumped = 0, err; + + if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) && + ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED) +@@ -780,20 +780,27 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) + if (dumped) + memset(&cb->args[2], 0, sizeof(cb->args) - + 2 * sizeof(cb->args[0])); +- if (fib_table_dump(tb, skb, cb) < 0) +- goto out; ++ err = fib_table_dump(tb, skb, cb); ++ if (err < 0) { ++ if (likely(skb->len)) ++ goto out; ++ ++ goto out_err; ++ } + dumped = 1; + next: + e++; + } + } + out: ++ err = skb->len; ++out_err: + rcu_read_unlock(); + + cb->args[1] = e; + cb->args[0] = h; + +- return skb->len; ++ return err; + } + + /* Prepare and feed intra-kernel routing request. +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 317026a39cfa..6cf74de06467 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -204,6 +204,7 @@ static void rt_fibinfo_free_cpus(struct rtable __rcu * __percpu *rtp) + static void free_fib_info_rcu(struct rcu_head *head) + { + struct fib_info *fi = container_of(head, struct fib_info, rcu); ++ struct dst_metrics *m; + + change_nexthops(fi) { + if (nexthop_nh->nh_dev) +@@ -214,8 +215,9 @@ static void free_fib_info_rcu(struct rcu_head *head) + rt_fibinfo_free(&nexthop_nh->nh_rth_input); + } endfor_nexthops(fi); + +- if (fi->fib_metrics != (u32 *) dst_default_metrics) +- kfree(fi->fib_metrics); ++ m = fi->fib_metrics; ++ if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt)) ++ kfree(m); + kfree(fi); + } + +@@ -975,11 +977,11 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg) + val = 255; + if (type == RTAX_FEATURES && (val & ~RTAX_FEATURE_MASK)) + return -EINVAL; +- fi->fib_metrics[type - 1] = val; ++ fi->fib_metrics->metrics[type - 1] = val; + } + + if (ecn_ca) +- fi->fib_metrics[RTAX_FEATURES - 1] |= DST_FEATURE_ECN_CA; ++ fi->fib_metrics->metrics[RTAX_FEATURES - 1] |= DST_FEATURE_ECN_CA; + + return 0; + } +@@ -1037,11 +1039,12 @@ struct fib_info *fib_create_info(struct fib_config *cfg) + goto failure; + fib_info_cnt++; + if (cfg->fc_mx) { +- fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL); ++ fi->fib_metrics = kzalloc(sizeof(*fi->fib_metrics), GFP_KERNEL); + if (!fi->fib_metrics) + goto failure; ++ atomic_set(&fi->fib_metrics->refcnt, 1); + } else +- fi->fib_metrics = (u32 *) dst_default_metrics; ++ fi->fib_metrics = (struct dst_metrics *)&dst_default_metrics; + + fi->fib_net = net; + fi->fib_protocol = cfg->fc_protocol; +@@ -1242,7 +1245,7 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event, + if (fi->fib_priority && + nla_put_u32(skb, RTA_PRIORITY, fi->fib_priority)) + goto nla_put_failure; +- if (rtnetlink_put_metrics(skb, fi->fib_metrics) < 0) ++ if (rtnetlink_put_metrics(skb, fi->fib_metrics->metrics) < 0) + goto nla_put_failure; + + if (fi->fib_prefsrc && +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index 2f0d8233950f..08709fb62d2e 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2079,6 +2079,8 @@ static int fn_trie_dump_leaf(struct key_vector *l, struct fib_table *tb, + + /* rcu_read_lock is hold by caller */ + hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) { ++ int err; ++ + if (i < s_i) { + i++; + continue; +@@ -2089,17 +2091,14 @@ static int fn_trie_dump_leaf(struct key_vector *l, struct fib_table *tb, + continue; + } + +- if (fib_dump_info(skb, NETLINK_CB(cb->skb).portid, +- cb->nlh->nlmsg_seq, +- RTM_NEWROUTE, +- tb->tb_id, +- fa->fa_type, +- xkey, +- KEYLENGTH - fa->fa_slen, +- fa->fa_tos, +- fa->fa_info, NLM_F_MULTI) < 0) { ++ err = fib_dump_info(skb, NETLINK_CB(cb->skb).portid, ++ cb->nlh->nlmsg_seq, RTM_NEWROUTE, ++ tb->tb_id, fa->fa_type, ++ xkey, KEYLENGTH - fa->fa_slen, ++ fa->fa_tos, fa->fa_info, NLM_F_MULTI); ++ if (err < 0) { + cb->args[4] = i; +- return -1; ++ return err; + } + i++; + } +@@ -2121,10 +2120,13 @@ int fib_table_dump(struct fib_table *tb, struct sk_buff *skb, + t_key key = cb->args[3]; + + while ((l = leaf_walk_rcu(&tp, key)) != NULL) { +- if (fn_trie_dump_leaf(l, tb, skb, cb) < 0) { ++ int err; ++ ++ err = fn_trie_dump_leaf(l, tb, skb, cb); ++ if (err < 0) { + cb->args[3] = key; + cb->args[2] = count; +- return -1; ++ return err; + } + + ++count; +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 5e313c1ac94f..1054d330bf9d 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, + /* listeners have SOCK_RCU_FREE, not the children */ + sock_reset_flag(newsk, SOCK_RCU_FREE); + ++ inet_sk(newsk)->mc_list = NULL; ++ + newsk->sk_mark = inet_rsk(req)->ir_mark; + atomic64_set(&newsk->sk_cookie, + atomic64_read(&inet_rsk(req)->ir_cookie)); +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index d9724889ff09..e0cc6c1fe69d 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1389,8 +1389,12 @@ static void rt_add_uncached_list(struct rtable *rt) + + static void ipv4_dst_destroy(struct dst_entry *dst) + { ++ struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst); + struct rtable *rt = (struct rtable *) dst; + ++ if (p != &dst_default_metrics && atomic_dec_and_test(&p->refcnt)) ++ kfree(p); ++ + if (!list_empty(&rt->rt_uncached)) { + struct uncached_list *ul = rt->rt_uncached_list; + +@@ -1442,7 +1446,11 @@ static void rt_set_nexthop(struct rtable *rt, __be32 daddr, + rt->rt_gateway = nh->nh_gw; + rt->rt_uses_gateway = 1; + } +- dst_init_metrics(&rt->dst, fi->fib_metrics, true); ++ dst_init_metrics(&rt->dst, fi->fib_metrics->metrics, true); ++ if (fi->fib_metrics != &dst_default_metrics) { ++ rt->dst._metrics |= DST_METRICS_REFCOUNTED; ++ atomic_inc(&fi->fib_metrics->refcnt); ++ } + #ifdef CONFIG_IP_ROUTE_CLASSID + rt->dst.tclassid = nh->nh_tclassid; + #endif +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 2dc7fcf60bf3..651f1f058a64 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1084,9 +1084,12 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg, + { + struct tcp_sock *tp = tcp_sk(sk); + struct inet_sock *inet = inet_sk(sk); ++ struct sockaddr *uaddr = msg->msg_name; + int err, flags; + +- if (!(sysctl_tcp_fastopen & TFO_CLIENT_ENABLE)) ++ if (!(sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) || ++ (uaddr && msg->msg_namelen >= sizeof(uaddr->sa_family) && ++ uaddr->sa_family == AF_UNSPEC)) + return -EOPNOTSUPP; + if (tp->fastopen_req) + return -EALREADY; /* Another Fast Open is in progress */ +@@ -1108,7 +1111,7 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg, + } + } + flags = (msg->msg_flags & MSG_DONTWAIT) ? O_NONBLOCK : 0; +- err = __inet_stream_connect(sk->sk_socket, msg->msg_name, ++ err = __inet_stream_connect(sk->sk_socket, uaddr, + msg->msg_namelen, flags, 1); + /* fastopen_req could already be freed in __inet_stream_connect + * if the connection times out or gets rst +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 3c6c8787b42e..896a0458e578 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1174,13 +1174,14 @@ static int tcp_match_skb_to_sack(struct sock *sk, struct sk_buff *skb, + */ + if (pkt_len > mss) { + unsigned int new_len = (pkt_len / mss) * mss; +- if (!in_sack && new_len < pkt_len) { ++ if (!in_sack && new_len < pkt_len) + new_len += mss; +- if (new_len >= skb->len) +- return 0; +- } + pkt_len = new_len; + } ++ ++ if (pkt_len >= skb->len && !in_sack) ++ return 0; ++ + err = tcp_fragment(sk, skb, pkt_len, mss, GFP_ATOMIC); + if (err < 0) + return err; +@@ -3188,7 +3189,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets, + int delta; + + /* Non-retransmitted hole got filled? That's reordering */ +- if (reord < prior_fackets) ++ if (reord < prior_fackets && reord <= tp->fackets_out) + tcp_update_reordering(sk, tp->fackets_out - reord, 0); + + delta = tcp_is_fack(tp) ? pkts_acked : +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 6fcb7cb49bb2..4d60164c17e2 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -537,11 +537,10 @@ static inline int ip6gre_xmit_ipv4(struct sk_buff *skb, struct net_device *dev) + + memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6)); + +- dsfield = ipv4_get_dsfield(iph); +- + if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) +- fl6.flowlabel |= htonl((__u32)iph->tos << IPV6_TCLASS_SHIFT) +- & IPV6_TCLASS_MASK; ++ dsfield = ipv4_get_dsfield(iph); ++ else ++ dsfield = ip6_tclass(t->parms.flowinfo); + if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK) + fl6.flowi6_mark = skb->mark; + +@@ -596,9 +595,11 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff *skb, struct net_device *dev) + + memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6)); + +- dsfield = ipv6_get_dsfield(ipv6h); + if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) +- fl6.flowlabel |= (*(__be32 *) ipv6h & IPV6_TCLASS_MASK); ++ dsfield = ipv6_get_dsfield(ipv6h); ++ else ++ dsfield = ip6_tclass(t->parms.flowinfo); ++ + if (t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL) + fl6.flowlabel |= ip6_flowlabel(ipv6h); + if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK) +diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c +index 93e58a5e1837..280268f1dd7b 100644 +--- a/net/ipv6/ip6_offload.c ++++ b/net/ipv6/ip6_offload.c +@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, + const struct net_offload *ops; + int proto; + struct frag_hdr *fptr; +- unsigned int unfrag_ip6hlen; + unsigned int payload_len; + u8 *prevhdr; + int offset = 0; +@@ -116,8 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, + skb->network_header = (u8 *)ipv6h - skb->head; + + if (udpfrag) { +- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); +- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); ++ int err = ip6_find_1stfragopt(skb, &prevhdr); ++ if (err < 0) ++ return ERR_PTR(err); ++ fptr = (struct frag_hdr *)((u8 *)ipv6h + err); + fptr->frag_off = htons(offset); + if (skb->next) + fptr->frag_off |= htons(IP6_MF); +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 58f6288e9ba5..bf8a58a1c32d 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -597,7 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + int ptr, offset = 0, err = 0; + u8 *prevhdr, nexthdr = 0; + +- hlen = ip6_find_1stfragopt(skb, &prevhdr); ++ err = ip6_find_1stfragopt(skb, &prevhdr); ++ if (err < 0) ++ goto fail; ++ hlen = err; + nexthdr = *prevhdr; + + mtu = ip6_skb_dst_mtu(skb); +@@ -1463,6 +1466,11 @@ static int __ip6_append_data(struct sock *sk, + */ + alloclen += sizeof(struct frag_hdr); + ++ copy = datalen - transhdrlen - fraggap; ++ if (copy < 0) { ++ err = -EINVAL; ++ goto error; ++ } + if (transhdrlen) { + skb = sock_alloc_send_skb(sk, + alloclen + hh_len, +@@ -1512,13 +1520,9 @@ static int __ip6_append_data(struct sock *sk, + data += fraggap; + pskb_trim_unique(skb_prev, maxfraglen); + } +- copy = datalen - transhdrlen - fraggap; +- +- if (copy < 0) { +- err = -EINVAL; +- kfree_skb(skb); +- goto error; +- } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) { ++ if (copy > 0 && ++ getfrag(from, data + transhdrlen, offset, ++ copy, fraggap, skb) < 0) { + err = -EFAULT; + kfree_skb(skb); + goto error; +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index a9692ec0cd6d..15ff33934f79 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1196,7 +1196,7 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield, + skb_push(skb, sizeof(struct ipv6hdr)); + skb_reset_network_header(skb); + ipv6h = ipv6_hdr(skb); +- ip6_flow_hdr(ipv6h, INET_ECN_encapsulate(0, dsfield), ++ ip6_flow_hdr(ipv6h, dsfield, + ip6_make_flowlabel(net, skb, fl6->flowlabel, true, fl6)); + ipv6h->hop_limit = hop_limit; + ipv6h->nexthdr = proto; +@@ -1231,8 +1231,6 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + if (tproto != IPPROTO_IPIP && tproto != 0) + return -1; + +- dsfield = ipv4_get_dsfield(iph); +- + if (t->parms.collect_md) { + struct ip_tunnel_info *tun_info; + const struct ip_tunnel_key *key; +@@ -1246,6 +1244,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + fl6.flowi6_proto = IPPROTO_IPIP; + fl6.daddr = key->u.ipv6.dst; + fl6.flowlabel = key->label; ++ dsfield = ip6_tclass(key->label); + } else { + if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT)) + encap_limit = t->parms.encap_limit; +@@ -1254,8 +1253,9 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + fl6.flowi6_proto = IPPROTO_IPIP; + + if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) +- fl6.flowlabel |= htonl((__u32)iph->tos << IPV6_TCLASS_SHIFT) +- & IPV6_TCLASS_MASK; ++ dsfield = ipv4_get_dsfield(iph); ++ else ++ dsfield = ip6_tclass(t->parms.flowinfo); + if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK) + fl6.flowi6_mark = skb->mark; + } +@@ -1265,6 +1265,8 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) + return -1; + ++ dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph)); ++ + skb_set_inner_ipproto(skb, IPPROTO_IPIP); + + err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, +@@ -1298,8 +1300,6 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + ip6_tnl_addr_conflict(t, ipv6h)) + return -1; + +- dsfield = ipv6_get_dsfield(ipv6h); +- + if (t->parms.collect_md) { + struct ip_tunnel_info *tun_info; + const struct ip_tunnel_key *key; +@@ -1313,6 +1313,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + fl6.flowi6_proto = IPPROTO_IPV6; + fl6.daddr = key->u.ipv6.dst; + fl6.flowlabel = key->label; ++ dsfield = ip6_tclass(key->label); + } else { + offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb)); + /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */ +@@ -1335,7 +1336,9 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + fl6.flowi6_proto = IPPROTO_IPV6; + + if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS) +- fl6.flowlabel |= (*(__be32 *)ipv6h & IPV6_TCLASS_MASK); ++ dsfield = ipv6_get_dsfield(ipv6h); ++ else ++ dsfield = ip6_tclass(t->parms.flowinfo); + if (t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL) + fl6.flowlabel |= ip6_flowlabel(ipv6h); + if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK) +@@ -1347,6 +1350,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev) + if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6)) + return -1; + ++ dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h)); ++ + skb_set_inner_ipproto(skb, IPPROTO_IPV6); + + err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu, +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index cd4252346a32..e9065b8d3af8 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident); + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + { + u16 offset = sizeof(struct ipv6hdr); +- struct ipv6_opt_hdr *exthdr = +- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1); + unsigned int packet_len = skb_tail_pointer(skb) - + skb_network_header(skb); + int found_rhdr = 0; + *nexthdr = &ipv6_hdr(skb)->nexthdr; + +- while (offset + 1 <= packet_len) { ++ while (offset <= packet_len) { ++ struct ipv6_opt_hdr *exthdr; + + switch (**nexthdr) { + +@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + return offset; + } + +- offset += ipv6_optlen(exthdr); +- *nexthdr = &exthdr->nexthdr; ++ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) ++ return -EINVAL; ++ + exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + + offset); ++ offset += ipv6_optlen(exthdr); ++ *nexthdr = &exthdr->nexthdr; + } + +- return offset; ++ return -EINVAL; + } + EXPORT_SYMBOL(ip6_find_1stfragopt); + +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 4c4afdca41ff..ff5f87641651 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1070,6 +1070,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + newtp->af_specific = &tcp_sock_ipv6_mapped_specific; + #endif + ++ newnp->ipv6_mc_list = NULL; + newnp->ipv6_ac_list = NULL; + newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; +@@ -1139,6 +1140,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + First: no IPv4 options. + */ + newinet->inet_opt = NULL; ++ newnp->ipv6_mc_list = NULL; + newnp->ipv6_ac_list = NULL; + newnp->ipv6_fl_list = NULL; + +diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c +index ac858c480f2f..a2267f80febb 100644 +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, + u8 frag_hdr_sz = sizeof(struct frag_hdr); + __wsum csum; + int tnl_hlen; ++ int err; + + mss = skb_shinfo(skb)->gso_size; + if (unlikely(skb->len <= mss)) +@@ -90,7 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, + /* Find the unfragmentable header and shift it left by frag_hdr_sz + * bytes to insert fragment header. + */ +- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); ++ err = ip6_find_1stfragopt(skb, &prevhdr); ++ if (err < 0) ++ return ERR_PTR(err); ++ unfrag_ip6hlen = err; + nexthdr = *prevhdr; + *prevhdr = NEXTHDR_FRAGMENT; + unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index ea81ccf3c7d6..b2d8e8c23e46 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2614,13 +2614,6 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); + } + +- sockc.tsflags = po->sk.sk_tsflags; +- if (msg->msg_controllen) { +- err = sock_cmsg_send(&po->sk, msg, &sockc); +- if (unlikely(err)) +- goto out; +- } +- + err = -ENXIO; + if (unlikely(dev == NULL)) + goto out; +@@ -2628,6 +2621,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + if (unlikely(!(dev->flags & IFF_UP))) + goto out_put; + ++ sockc.tsflags = po->sk.sk_tsflags; ++ if (msg->msg_controllen) { ++ err = sock_cmsg_send(&po->sk, msg, &sockc); ++ if (unlikely(err)) ++ goto out_put; ++ } ++ + if (po->sk.sk_socket->type == SOCK_RAW) + reserve = dev->hard_header_len; + size_max = po->tx_ring.frame_size +diff --git a/net/sctp/input.c b/net/sctp/input.c +index 0e06a278d2a9..ba9ad32fc447 100644 +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -473,15 +473,14 @@ struct sock *sctp_err_lookup(struct net *net, int family, struct sk_buff *skb, + struct sctp_association **app, + struct sctp_transport **tpp) + { ++ struct sctp_init_chunk *chunkhdr, _chunkhdr; + union sctp_addr saddr; + union sctp_addr daddr; + struct sctp_af *af; + struct sock *sk = NULL; + struct sctp_association *asoc; + struct sctp_transport *transport = NULL; +- struct sctp_init_chunk *chunkhdr; + __u32 vtag = ntohl(sctphdr->vtag); +- int len = skb->len - ((void *)sctphdr - (void *)skb->data); + + *app = NULL; *tpp = NULL; + +@@ -516,13 +515,16 @@ struct sock *sctp_err_lookup(struct net *net, int family, struct sk_buff *skb, + * discard the packet. + */ + if (vtag == 0) { +- chunkhdr = (void *)sctphdr + sizeof(struct sctphdr); +- if (len < sizeof(struct sctphdr) + sizeof(sctp_chunkhdr_t) +- + sizeof(__be32) || ++ /* chunk header + first 4 octects of init header */ ++ chunkhdr = skb_header_pointer(skb, skb_transport_offset(skb) + ++ sizeof(struct sctphdr), ++ sizeof(struct sctp_chunkhdr) + ++ sizeof(__be32), &_chunkhdr); ++ if (!chunkhdr || + chunkhdr->chunk_hdr.type != SCTP_CID_INIT || +- ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag) { ++ ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag) + goto out; +- } ++ + } else if (vtag != asoc->c.peer_vtag) { + goto out; + } +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 961ee59f696a..f5b45b8b8b16 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -240,12 +240,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, + struct sctp_bind_addr *bp; + struct ipv6_pinfo *np = inet6_sk(sk); + struct sctp_sockaddr_entry *laddr; +- union sctp_addr *baddr = NULL; + union sctp_addr *daddr = &t->ipaddr; + union sctp_addr dst_saddr; + struct in6_addr *final_p, final; + __u8 matchlen = 0; +- __u8 bmatchlen; + sctp_scope_t scope; + + memset(fl6, 0, sizeof(struct flowi6)); +@@ -312,23 +310,37 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, + */ + rcu_read_lock(); + list_for_each_entry_rcu(laddr, &bp->address_list, list) { +- if (!laddr->valid) ++ struct dst_entry *bdst; ++ __u8 bmatchlen; ++ ++ if (!laddr->valid || ++ laddr->state != SCTP_ADDR_SRC || ++ laddr->a.sa.sa_family != AF_INET6 || ++ scope > sctp_scope(&laddr->a)) + continue; +- if ((laddr->state == SCTP_ADDR_SRC) && +- (laddr->a.sa.sa_family == AF_INET6) && +- (scope <= sctp_scope(&laddr->a))) { +- bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a); +- if (!baddr || (matchlen < bmatchlen)) { +- baddr = &laddr->a; +- matchlen = bmatchlen; +- } +- } +- } +- if (baddr) { +- fl6->saddr = baddr->v6.sin6_addr; +- fl6->fl6_sport = baddr->v6.sin6_port; ++ ++ fl6->saddr = laddr->a.v6.sin6_addr; ++ fl6->fl6_sport = laddr->a.v6.sin6_port; + final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); +- dst = ip6_dst_lookup_flow(sk, fl6, final_p); ++ bdst = ip6_dst_lookup_flow(sk, fl6, final_p); ++ ++ if (!IS_ERR(bdst) && ++ ipv6_chk_addr(dev_net(bdst->dev), ++ &laddr->a.v6.sin6_addr, bdst->dev, 1)) { ++ if (!IS_ERR_OR_NULL(dst)) ++ dst_release(dst); ++ dst = bdst; ++ break; ++ } ++ ++ bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a); ++ if (matchlen > bmatchlen) ++ continue; ++ ++ if (!IS_ERR_OR_NULL(dst)) ++ dst_release(dst); ++ dst = bdst; ++ matchlen = bmatchlen; + } + rcu_read_unlock(); + +@@ -665,6 +677,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, + newnp = inet6_sk(newsk); + + memcpy(newnp, np, sizeof(struct ipv6_pinfo)); ++ newnp->ipv6_mc_list = NULL; ++ newnp->ipv6_ac_list = NULL; ++ newnp->ipv6_fl_list = NULL; + + rcu_read_lock(); + opt = rcu_dereference(np->opt); +diff --git a/net/smc/Kconfig b/net/smc/Kconfig +index c717ef0896aa..33954852f3f8 100644 +--- a/net/smc/Kconfig ++++ b/net/smc/Kconfig +@@ -8,6 +8,10 @@ config SMC + The Linux implementation of the SMC-R solution is designed as + a separate socket family SMC. + ++ Warning: SMC will expose all memory for remote reads and writes ++ once a connection is established. Don't enable this option except ++ for tightly controlled lab environment. ++ + Select this option if you want to run SMC socket applications + + config SMC_DIAG +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index e41f594a1e1d..03ec058d18df 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -204,7 +204,7 @@ int smc_clc_send_confirm(struct smc_sock *smc) + memcpy(&cclc.lcl.mac, &link->smcibdev->mac[link->ibport - 1], ETH_ALEN); + hton24(cclc.qpn, link->roce_qp->qp_num); + cclc.rmb_rkey = +- htonl(conn->rmb_desc->mr_rx[SMC_SINGLE_LINK]->rkey); ++ htonl(conn->rmb_desc->rkey[SMC_SINGLE_LINK]); + cclc.conn_idx = 1; /* for now: 1 RMB = 1 RMBE */ + cclc.rmbe_alert_token = htonl(conn->alert_token_local); + cclc.qp_mtu = min(link->path_mtu, link->peer_mtu); +@@ -256,7 +256,7 @@ int smc_clc_send_accept(struct smc_sock *new_smc, int srv_first_contact) + memcpy(&aclc.lcl.mac, link->smcibdev->mac[link->ibport - 1], ETH_ALEN); + hton24(aclc.qpn, link->roce_qp->qp_num); + aclc.rmb_rkey = +- htonl(conn->rmb_desc->mr_rx[SMC_SINGLE_LINK]->rkey); ++ htonl(conn->rmb_desc->rkey[SMC_SINGLE_LINK]); + aclc.conn_idx = 1; /* as long as 1 RMB = 1 RMBE */ + aclc.rmbe_alert_token = htonl(conn->alert_token_local); + aclc.qp_mtu = link->path_mtu; +diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c +index 0eac633fb354..88cbb8a22d4a 100644 +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -613,19 +613,8 @@ int smc_rmb_create(struct smc_sock *smc) + rmb_desc = NULL; + continue; /* if mapping failed, try smaller one */ + } +- rc = smc_ib_get_memory_region(lgr->lnk[SMC_SINGLE_LINK].roce_pd, +- IB_ACCESS_REMOTE_WRITE | +- IB_ACCESS_LOCAL_WRITE, +- &rmb_desc->mr_rx[SMC_SINGLE_LINK]); +- if (rc) { +- smc_ib_buf_unmap(lgr->lnk[SMC_SINGLE_LINK].smcibdev, +- tmp_bufsize, rmb_desc, +- DMA_FROM_DEVICE); +- kfree(rmb_desc->cpu_addr); +- kfree(rmb_desc); +- rmb_desc = NULL; +- continue; +- } ++ rmb_desc->rkey[SMC_SINGLE_LINK] = ++ lgr->lnk[SMC_SINGLE_LINK].roce_pd->unsafe_global_rkey; + rmb_desc->used = 1; + write_lock_bh(&lgr->rmbs_lock); + list_add(&rmb_desc->list, +@@ -668,6 +657,7 @@ int smc_rmb_rtoken_handling(struct smc_connection *conn, + + for (i = 0; i < SMC_RMBS_PER_LGR_MAX; i++) { + if ((lgr->rtokens[i][SMC_SINGLE_LINK].rkey == rkey) && ++ (lgr->rtokens[i][SMC_SINGLE_LINK].dma_addr == dma_addr) && + test_bit(i, lgr->rtokens_used_mask)) { + conn->rtoken_idx = i; + return 0; +diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h +index 27eb38056a27..b013cb43a327 100644 +--- a/net/smc/smc_core.h ++++ b/net/smc/smc_core.h +@@ -93,7 +93,7 @@ struct smc_buf_desc { + u64 dma_addr[SMC_LINKS_PER_LGR_MAX]; + /* mapped address of buffer */ + void *cpu_addr; /* virtual address of buffer */ +- struct ib_mr *mr_rx[SMC_LINKS_PER_LGR_MAX]; ++ u32 rkey[SMC_LINKS_PER_LGR_MAX]; + /* for rmb only: + * rkey provided to peer + */ +diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c +index e6743c008ac5..51e5f0124f31 100644 +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -37,24 +37,6 @@ u8 local_systemid[SMC_SYSTEMID_LEN] = SMC_LOCAL_SYSTEMID_RESET; /* unique system + * identifier + */ + +-int smc_ib_get_memory_region(struct ib_pd *pd, int access_flags, +- struct ib_mr **mr) +-{ +- int rc; +- +- if (*mr) +- return 0; /* already done */ +- +- /* obtain unique key - +- * next invocation of get_dma_mr returns a different key! +- */ +- *mr = pd->device->get_dma_mr(pd, access_flags); +- rc = PTR_ERR_OR_ZERO(*mr); +- if (IS_ERR(*mr)) +- *mr = NULL; +- return rc; +-} +- + static int smc_ib_modify_qp_init(struct smc_link *lnk) + { + struct ib_qp_attr qp_attr; +@@ -213,7 +195,8 @@ int smc_ib_create_protection_domain(struct smc_link *lnk) + { + int rc; + +- lnk->roce_pd = ib_alloc_pd(lnk->smcibdev->ibdev, 0); ++ lnk->roce_pd = ib_alloc_pd(lnk->smcibdev->ibdev, ++ IB_PD_UNSAFE_GLOBAL_RKEY); + rc = PTR_ERR_OR_ZERO(lnk->roce_pd); + if (IS_ERR(lnk->roce_pd)) + lnk->roce_pd = NULL; +diff --git a/net/smc/smc_ib.h b/net/smc/smc_ib.h +index a95f74bb5569..cde21263287c 100644 +--- a/net/smc/smc_ib.h ++++ b/net/smc/smc_ib.h +@@ -60,8 +60,6 @@ void smc_ib_dealloc_protection_domain(struct smc_link *lnk); + int smc_ib_create_protection_domain(struct smc_link *lnk); + void smc_ib_destroy_queue_pair(struct smc_link *lnk); + int smc_ib_create_queue_pair(struct smc_link *lnk); +-int smc_ib_get_memory_region(struct ib_pd *pd, int access_flags, +- struct ib_mr **mr); + int smc_ib_ready_link(struct smc_link *lnk); + int smc_ib_modify_qp_rts(struct smc_link *lnk); + int smc_ib_modify_qp_reset(struct smc_link *lnk); +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index bdce99f9407a..599c69bca8b9 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -361,25 +361,25 @@ static int tipc_sk_sock_err(struct socket *sock, long *timeout) + return 0; + } + +-#define tipc_wait_for_cond(sock_, timeout_, condition_) \ +-({ \ +- int rc_ = 0; \ +- int done_ = 0; \ +- \ +- while (!(condition_) && !done_) { \ +- struct sock *sk_ = sock->sk; \ +- DEFINE_WAIT_FUNC(wait_, woken_wake_function); \ +- \ +- rc_ = tipc_sk_sock_err(sock_, timeout_); \ +- if (rc_) \ +- break; \ +- prepare_to_wait(sk_sleep(sk_), &wait_, \ +- TASK_INTERRUPTIBLE); \ +- done_ = sk_wait_event(sk_, timeout_, \ +- (condition_), &wait_); \ +- remove_wait_queue(sk_sleep(sk_), &wait_); \ +- } \ +- rc_; \ ++#define tipc_wait_for_cond(sock_, timeo_, condition_) \ ++({ \ ++ struct sock *sk_; \ ++ int rc_; \ ++ \ ++ while ((rc_ = !(condition_))) { \ ++ DEFINE_WAIT_FUNC(wait_, woken_wake_function); \ ++ sk_ = (sock_)->sk; \ ++ rc_ = tipc_sk_sock_err((sock_), timeo_); \ ++ if (rc_) \ ++ break; \ ++ prepare_to_wait(sk_sleep(sk_), &wait_, TASK_INTERRUPTIBLE); \ ++ release_sock(sk_); \ ++ *(timeo_) = wait_woken(&wait_, TASK_INTERRUPTIBLE, *(timeo_)); \ ++ sched_annotate_sleep(); \ ++ lock_sock(sk_); \ ++ remove_wait_queue(sk_sleep(sk_), &wait_); \ ++ } \ ++ rc_; \ + }) + + /** +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 299835d1fbaa..1aa21d7e7245 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6276,8 +6276,11 @@ static int patch_alc269(struct hda_codec *codec) + break; + case 0x10ec0225: + case 0x10ec0295: ++ spec->codec_variant = ALC269_TYPE_ALC225; ++ break; + case 0x10ec0299: + spec->codec_variant = ALC269_TYPE_ALC225; ++ spec->gen.mixer_nid = 0; /* no loopback on ALC299 */ + break; + case 0x10ec0234: + case 0x10ec0274: +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index faa3d38bac0b..6cefdf6c0b75 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -1559,6 +1559,8 @@ static const struct snd_pci_quirk stac9200_fixup_tbl[] = { + "Dell Inspiron 1501", STAC_9200_DELL_M26), + SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x01f6, + "unknown Dell", STAC_9200_DELL_M26), ++ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x0201, ++ "Dell Latitude D430", STAC_9200_DELL_M22), + /* Panasonic */ + SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-74", STAC_9200_PANASONIC), + /* Gateway machines needs EAPD to be set on resume */ +diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c +index dc48eedea92e..442d8f7998e3 100644 +--- a/sound/usb/mixer_us16x08.c ++++ b/sound/usb/mixer_us16x08.c +@@ -698,12 +698,12 @@ static int snd_us16x08_meter_get(struct snd_kcontrol *kcontrol, + struct snd_usb_audio *chip = elem->head.mixer->chip; + struct snd_us16x08_meter_store *store = elem->private_data; + u8 meter_urb[64]; +- char tmp[sizeof(mix_init_msg2)] = {0}; ++ char tmp[max(sizeof(mix_init_msg1), sizeof(mix_init_msg2))]; + + switch (kcontrol->private_value) { + case 0: +- snd_us16x08_send_urb(chip, (char *)mix_init_msg1, +- sizeof(mix_init_msg1)); ++ memcpy(tmp, mix_init_msg1, sizeof(mix_init_msg1)); ++ snd_us16x08_send_urb(chip, tmp, 4); + snd_us16x08_recv_urb(chip, meter_urb, + sizeof(meter_urb)); + kcontrol->private_value++; +@@ -721,7 +721,7 @@ static int snd_us16x08_meter_get(struct snd_kcontrol *kcontrol, + case 3: + memcpy(tmp, mix_init_msg2, sizeof(mix_init_msg2)); + tmp[2] = snd_get_meter_comp_index(store); +- snd_us16x08_send_urb(chip, tmp, sizeof(mix_init_msg2)); ++ snd_us16x08_send_urb(chip, tmp, 10); + snd_us16x08_recv_urb(chip, meter_urb, + sizeof(meter_urb)); + kcontrol->private_value = 0; +@@ -1135,7 +1135,7 @@ static const struct snd_us16x08_control_params eq_controls[] = { + .control_id = SND_US16X08_ID_EQLOWMIDWIDTH, + .type = USB_MIXER_U8, + .num_channels = 16, +- .name = "EQ MidQLow Q", ++ .name = "EQ MidLow Q", + }, + { /* EQ mid high gain */ + .kcontrol_new = &snd_us16x08_eq_gain_ctl, |