Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Lots of overlapping changes.  Also on the net-next side
the XDP state management is handled more in the generic
layers so undo the 'net' nfp fix which isn't applicable
in net-next.

Include a necessary change by Jakub Kicinski, with log message:

====================
cls_bpf no longer takes care of offload tracking.  Make sure
netdevsim performs necessary checks.  This fixes a warning
caused by TC trying to remove a filter it has not added.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

202 files changed, 2851 insertions, 1137 deletions

diff --git a/Documentation/devicetree/bindings/mtd/jedec,spi-nor.txt b/Documentation/devicetree/bindings/mtd/jedec,spi-nor.txt
index 376fa2f50e6b..956bb046e599 100644
--- a/Documentation/devicetree/bindings/mtd/jedec,spi-nor.txt
+++ b/Documentation/devicetree/bindings/mtd/jedec,spi-nor.txt
@@ -13,7 +13,6 @@ Required properties:
                  at25df321a
                  at25df641
                  at26df081a
-                 en25s64
                  mr25h128
                  mr25h256
                  mr25h10
@@ -33,7 +32,6 @@ Required properties:
                  s25fl008k
                  s25fl064k
                  sst25vf040b
-                 sst25wf040b
                  m25p40
                  m25p80
                  m25p16
diff --git a/Documentation/devicetree/bindings/spi/fsl-imx-cspi.txt b/Documentation/devicetree/bindings/spi/fsl-imx-cspi.txt
index 5bf13960f7f4..e3c48b20b1a6 100644
--- a/Documentation/devicetree/bindings/spi/fsl-imx-cspi.txt
+++ b/Documentation/devicetree/bindings/spi/fsl-imx-cspi.txt
@@ -12,24 +12,30 @@ Required properties:
   - "fsl,imx53-ecspi" for SPI compatible with the one integrated on i.MX53 and later Soc
 - reg : Offset and length of the register set for the device
 - interrupts : Should contain CSPI/eCSPI interrupt
-- cs-gpios : Specifies the gpio pins to be used for chipselects.
 - clocks : Clock specifiers for both ipg and per clocks.
 - clock-names : Clock names should include both "ipg" and "per"
 See the clock consumer binding,
         Documentation/devicetree/bindings/clock/clock-bindings.txt
-- dmas: DMA specifiers for tx and rx dma. See the DMA client binding,
-                Documentation/devicetree/bindings/dma/dma.txt
-- dma-names: DMA request names should include "tx" and "rx" if present.
 
-Obsolete properties:
-- fsl,spi-num-chipselects : Contains the number of the chipselect
+Recommended properties:
+- cs-gpios : GPIOs to use as chip selects, see spi-bus.txt.  While the native chip
+select lines can be used, they appear to always generate a pulse between each
+word of a transfer.  Most use cases will require GPIO based chip selects to
+generate a valid transaction.
 
 Optional properties:
+- num-cs :  Number of total chip selects, see spi-bus.txt.
+- dmas: DMA specifiers for tx and rx dma. See the DMA client binding,
+Documentation/devicetree/bindings/dma/dma.txt.
+- dma-names: DMA request names, if present, should include "tx" and "rx".
 - fsl,spi-rdy-drctl: Integer, representing the value of DRCTL, the register
 controlling the SPI_READY handling. Note that to enable the DRCTL consideration,
 the SPI_READY mode-flag needs to be set too.
 Valid values are: 0 (disabled), 1 (edge-triggered burst) and 2 (level-triggered burst).
 
+Obsolete properties:
+- fsl,spi-num-chipselects : Contains the number of the chipselect
+
 Example:
 
 ecspi@70010000 {
diff --git a/Makefile b/Makefile
index 3f4d157add54..7e02f951b284 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 VERSION = 4
 PATCHLEVEL = 15
 SUBLEVEL = 0
-EXTRAVERSION = -rc3
+EXTRAVERSION = -rc4
 NAME = Fearless Coyote
 
 # *DOCUMENTATION*
diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
index 1712f132b80d..b83fdc06286a 100644
--- a/arch/arm/lib/csumpartialcopyuser.S
+++ b/arch/arm/lib/csumpartialcopyuser.S
@@ -85,7 +85,11 @@
                 .pushsection .text.fixup,"ax"
                 .align  4
 9001:           mov     r4, #-EFAULT
+#ifdef CONFIG_CPU_SW_DOMAIN_PAN
+                ldr     r5, [sp, #9*4]          @ *err_ptr
+#else
                 ldr     r5, [sp, #8*4]          @ *err_ptr
+#endif
                 str     r4, [r5]
                 ldmia   sp, {r1, r2}            @ retrieve dst, len
                 add     r2, r2, r1
diff --git a/arch/arm64/kvm/hyp/debug-sr.c b/arch/arm64/kvm/hyp/debug-sr.c
index 321c9c05dd9e..f4363d40e2cd 100644
--- a/arch/arm64/kvm/hyp/debug-sr.c
+++ b/arch/arm64/kvm/hyp/debug-sr.c
@@ -74,6 +74,9 @@ static void __hyp_text __debug_save_spe_nvhe(u64 *pmscr_el1)
 {
         u64 reg;
 
+        /* Clear pmscr in case of early return */
+        *pmscr_el1 = 0;
+
         /* SPE present on this CPU? */
         if (!cpuid_feature_extract_unsigned_field(read_sysreg(id_aa64dfr0_el1),
                                                   ID_AA64DFR0_PMSVER_SHIFT))
diff --git a/arch/parisc/boot/compressed/misc.c b/arch/parisc/boot/compressed/misc.c
index 9345b44b86f0..f57118e1f6b4 100644
--- a/arch/parisc/boot/compressed/misc.c
+++ b/arch/parisc/boot/compressed/misc.c
@@ -123,8 +123,8 @@ int puts(const char *s)
         while ((nuline = strchr(s, '\n')) != NULL) {
                 if (nuline != s)
                         pdc_iodc_print(s, nuline - s);
-                        pdc_iodc_print("\r\n", 2);
-                        s = nuline + 1;
+                pdc_iodc_print("\r\n", 2);
+                s = nuline + 1;
         }
         if (*s != '\0')
                 pdc_iodc_print(s, strlen(s));
diff --git a/arch/parisc/include/asm/thread_info.h b/arch/parisc/include/asm/thread_info.h
index c980a02a52bc..598c8d60fa5e 100644
--- a/arch/parisc/include/asm/thread_info.h
+++ b/arch/parisc/include/asm/thread_info.h
@@ -35,7 +35,12 @@ struct thread_info {
 
 /* thread information allocation */
 
+#ifdef CONFIG_IRQSTACKS
+#define THREAD_SIZE_ORDER       2 /* PA-RISC requires at least 16k stack */
+#else
 #define THREAD_SIZE_ORDER       3 /* PA-RISC requires at least 32k stack */
+#endif
+
 /* Be sure to hunt all references to this down when you change the size of
  * the kernel stack */
 #define THREAD_SIZE             (PAGE_SIZE << THREAD_SIZE_ORDER)
diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S
index a4fd296c958e..f3cecf5117cf 100644
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -878,9 +878,6 @@ ENTRY_CFI(syscall_exit_rfi)
         STREG   %r19,PT_SR7(%r16)
 
 intr_return:
-        /* NOTE: Need to enable interrupts incase we schedule. */
-        ssm     PSW_SM_I, %r0
-
         /* check for reschedule */
         mfctl   %cr30,%r1
         LDREG   TI_FLAGS(%r1),%r19      /* sched.h: TIF_NEED_RESCHED */
@@ -907,6 +904,11 @@ intr_check_sig:
         LDREG   PT_IASQ1(%r16), %r20
         cmpib,COND(=),n 0,%r20,intr_restore /* backward */
 
+        /* NOTE: We need to enable interrupts if we have to deliver
+         * signals. We used to do this earlier but it caused kernel
+         * stack overflows. */
+        ssm     PSW_SM_I, %r0
+
         copy    %r0, %r25                       /* long in_syscall = 0 */
 #ifdef CONFIG_64BIT
         ldo     -16(%r30),%r29                  /* Reference param save area */
@@ -958,6 +960,10 @@ intr_do_resched:
         cmpib,COND(=)   0, %r20, intr_do_preempt
         nop
 
+        /* NOTE: We need to enable interrupts if we schedule.  We used
+         * to do this earlier but it caused kernel stack overflows. */
+        ssm     PSW_SM_I, %r0
+
 #ifdef CONFIG_64BIT
         ldo     -16(%r30),%r29          /* Reference param save area */
 #endif
diff --git a/arch/parisc/kernel/hpmc.S b/arch/parisc/kernel/hpmc.S
index e3a8e5e4d5de..8d072c44f300 100644
--- a/arch/parisc/kernel/hpmc.S
+++ b/arch/parisc/kernel/hpmc.S
@@ -305,6 +305,7 @@ ENDPROC_CFI(os_hpmc)
 
 
         __INITRODATA
+        .align 4
         .export os_hpmc_size
 os_hpmc_size:
         .word .os_hpmc_end-.os_hpmc
diff --git a/arch/parisc/kernel/unwind.c b/arch/parisc/kernel/unwind.c
index 5a657986ebbf..143f90e2f9f3 100644
--- a/arch/parisc/kernel/unwind.c
+++ b/arch/parisc/kernel/unwind.c
@@ -15,7 +15,6 @@
 #include <linux/slab.h>
 #include <linux/kallsyms.h>
 #include <linux/sort.h>
-#include <linux/sched.h>
 
 #include <linux/uaccess.h>
 #include <asm/assembly.h>
diff --git a/arch/parisc/lib/delay.c b/arch/parisc/lib/delay.c
index 7eab4bb8abe6..66e506520505 100644
--- a/arch/parisc/lib/delay.c
+++ b/arch/parisc/lib/delay.c
@@ -16,9 +16,7 @@
 #include <linux/preempt.h>
 #include <linux/init.h>
 
-#include <asm/processor.h>
 #include <asm/delay.h>
-
 #include <asm/special_insns.h>    /* for mfctl() */
 #include <asm/processor.h> /* for boot_cpu_data */
 
diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
index d5a5bc43cf8f..6771c63b2bec 100644
--- a/arch/powerpc/net/bpf_jit_comp64.c
+++ b/arch/powerpc/net/bpf_jit_comp64.c
@@ -763,7 +763,8 @@ emit_clear:
                         func = (u8 *) __bpf_call_base + imm;
 
                         /* Save skb pointer if we need to re-cache skb data */
-                        if (bpf_helper_changes_pkt_data(func))
+                        if ((ctx->seen & SEEN_SKB) &&
+                            bpf_helper_changes_pkt_data(func))
                                 PPC_BPF_STL(3, 1, bpf_jit_stack_local(ctx));
 
                         bpf_jit_emit_func_call(image, ctx, (u64)func);
@@ -772,7 +773,8 @@ emit_clear:
                         PPC_MR(b2p[BPF_REG_0], 3);
 
                         /* refresh skb cache */
-                        if (bpf_helper_changes_pkt_data(func)) {
+                        if ((ctx->seen & SEEN_SKB) &&
+                            bpf_helper_changes_pkt_data(func)) {
                                 /* reload skb pointer to r3 */
                                 PPC_BPF_LL(3, 1, bpf_jit_stack_local(ctx));
                                 bpf_jit_emit_skb_loads(image, ctx);
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index f4baa8c514d3..1dfadbd126f3 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -55,8 +55,7 @@ struct bpf_jit {
 #define SEEN_LITERAL    8       /* code uses literals */
 #define SEEN_FUNC       16      /* calls C functions */
 #define SEEN_TAIL_CALL  32      /* code uses tail calls */
-#define SEEN_SKB_CHANGE 64      /* code changes skb data */
-#define SEEN_REG_AX     128     /* code uses constant blinding */
+#define SEEN_REG_AX     64      /* code uses constant blinding */
 #define SEEN_STACK      (SEEN_FUNC | SEEN_MEM | SEEN_SKB)
 
 /*
@@ -448,12 +447,12 @@ static void bpf_jit_prologue(struct bpf_jit *jit, u32 stack_depth)
                         EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
                                       REG_15, 152);
         }
-        if (jit->seen & SEEN_SKB)
+        if (jit->seen & SEEN_SKB) {
                 emit_load_skb_data_hlen(jit);
-        if (jit->seen & SEEN_SKB_CHANGE)
                 /* stg %b1,ST_OFF_SKBP(%r0,%r15) */
                 EMIT6_DISP_LH(0xe3000000, 0x0024, BPF_REG_1, REG_0, REG_15,
                               STK_OFF_SKBP);
+        }
 }
 
 /*
@@ -983,8 +982,8 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
                 EMIT2(0x0d00, REG_14, REG_W1);
                 /* lgr %b0,%r2: load return value into %b0 */
                 EMIT4(0xb9040000, BPF_REG_0, REG_2);
-                if (bpf_helper_changes_pkt_data((void *)func)) {
-                        jit->seen |= SEEN_SKB_CHANGE;
+                if ((jit->seen & SEEN_SKB) &&
+                    bpf_helper_changes_pkt_data((void *)func)) {
                         /* lg %b1,ST_OFF_SKBP(%r15) */
                         EMIT6_DISP_LH(0xe3000000, 0x0004, BPF_REG_1, REG_0,
                                       REG_15, STK_OFF_SKBP);
diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
index be3136f142a9..a8103a84b4ac 100644
--- a/arch/sparc/mm/fault_32.c
+++ b/arch/sparc/mm/fault_32.c
@@ -113,7 +113,7 @@ show_signal_msg(struct pt_regs *regs, int sig, int code,
         if (!printk_ratelimit())
                 return;
 
-        printk("%s%s[%d]: segfault at %lx ip %p (rpc %p) sp %p error %x",
+        printk("%s%s[%d]: segfault at %lx ip %px (rpc %px) sp %px error %x",
                task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
                tsk->comm, task_pid_nr(tsk), address,
                (void *)regs->pc, (void *)regs->u_regs[UREG_I7],
diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
index 815c03d7a765..41363f46797b 100644
--- a/arch/sparc/mm/fault_64.c
+++ b/arch/sparc/mm/fault_64.c
@@ -154,7 +154,7 @@ show_signal_msg(struct pt_regs *regs, int sig, int code,
         if (!printk_ratelimit())
                 return;
 
-        printk("%s%s[%d]: segfault at %lx ip %p (rpc %p) sp %p error %x",
+        printk("%s%s[%d]: segfault at %lx ip %px (rpc %px) sp %px error %x",
                task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
                tsk->comm, task_pid_nr(tsk), address,
                (void *)regs->tpc, (void *)regs->u_regs[UREG_I7],
diff --git a/arch/sparc/net/bpf_jit_comp_64.c b/arch/sparc/net/bpf_jit_comp_64.c
index a2f1b5e774a7..22aff21fa44d 100644
--- a/arch/sparc/net/bpf_jit_comp_64.c
+++ b/arch/sparc/net/bpf_jit_comp_64.c
@@ -1245,14 +1245,16 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
                 u8 *func = ((u8 *)__bpf_call_base) + imm;
 
                 ctx->saw_call = true;
+                if (ctx->saw_ld_abs_ind && bpf_helper_changes_pkt_data(func))
+                        emit_reg_move(bpf2sparc[BPF_REG_1], L7, ctx);
 
                 emit_call((u32 *)func, ctx);
                 emit_nop(ctx);
 
                 emit_reg_move(O0, bpf2sparc[BPF_REG_0], ctx);
 
-                if (bpf_helper_changes_pkt_data(func) && ctx->saw_ld_abs_ind)
-                        load_skb_regs(ctx, bpf2sparc[BPF_REG_6]);
+                if (ctx->saw_ld_abs_ind && bpf_helper_changes_pkt_data(func))
+                        load_skb_regs(ctx, L7);
                 break;
         }
 
diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
index 4e6fcb32620f..428644175956 100644
--- a/arch/um/kernel/trap.c
+++ b/arch/um/kernel/trap.c
@@ -150,7 +150,7 @@ static void show_segv_info(struct uml_pt_regs *regs)
         if (!printk_ratelimit())
                 return;
 
-        printk("%s%s[%d]: segfault at %lx ip %p sp %p error %x",
+        printk("%s%s[%d]: segfault at %lx ip %px sp %px error %x",
                 task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
                 tsk->comm, task_pid_nr(tsk), FAULT_ADDRESS(*fi),
                 (void *)UPT_IP(regs), (void *)UPT_SP(regs),
diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index 4838037f97f6..bd8b57a5c874 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -941,7 +941,8 @@ ENTRY(debug)
         movl    %esp, %eax                      # pt_regs pointer
 
         /* Are we currently on the SYSENTER stack? */
-        PER_CPU(cpu_tss + CPU_TSS_SYSENTER_stack + SIZEOF_SYSENTER_stack, %ecx)
+        movl    PER_CPU_VAR(cpu_entry_area), %ecx
+        addl    $CPU_ENTRY_AREA_SYSENTER_stack + SIZEOF_SYSENTER_stack, %ecx
         subl    %eax, %ecx      /* ecx = (end of SYSENTER_stack) - esp */
         cmpl    $SIZEOF_SYSENTER_stack, %ecx
         jb      .Ldebug_from_sysenter_stack
@@ -984,7 +985,8 @@ ENTRY(nmi)
         movl    %esp, %eax                      # pt_regs pointer
 
         /* Are we currently on the SYSENTER stack? */
-        PER_CPU(cpu_tss + CPU_TSS_SYSENTER_stack + SIZEOF_SYSENTER_stack, %ecx)
+        movl    PER_CPU_VAR(cpu_entry_area), %ecx
+        addl    $CPU_ENTRY_AREA_SYSENTER_stack + SIZEOF_SYSENTER_stack, %ecx
         subl    %eax, %ecx      /* ecx = (end of SYSENTER_stack) - esp */
         cmpl    $SIZEOF_SYSENTER_stack, %ecx
         jb      .Lnmi_from_sysenter_stack
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index f81d50d7ceac..423885bee398 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -140,6 +140,64 @@ END(native_usergs_sysret64)
  * with them due to bugs in both AMD and Intel CPUs.
  */
 
+        .pushsection .entry_trampoline, "ax"
+
+/*
+ * The code in here gets remapped into cpu_entry_area's trampoline.  This means
+ * that the assembler and linker have the wrong idea as to where this code
+ * lives (and, in fact, it's mapped more than once, so it's not even at a
+ * fixed address).  So we can't reference any symbols outside the entry
+ * trampoline and expect it to work.
+ *
+ * Instead, we carefully abuse %rip-relative addressing.
+ * _entry_trampoline(%rip) refers to the start of the remapped) entry
+ * trampoline.  We can thus find cpu_entry_area with this macro:
+ */
+
+#define CPU_ENTRY_AREA \
+        _entry_trampoline - CPU_ENTRY_AREA_entry_trampoline(%rip)
+
+/* The top word of the SYSENTER stack is hot and is usable as scratch space. */
+#define RSP_SCRATCH     CPU_ENTRY_AREA_SYSENTER_stack + \
+                        SIZEOF_SYSENTER_stack - 8 + CPU_ENTRY_AREA
+
+ENTRY(entry_SYSCALL_64_trampoline)
+        UNWIND_HINT_EMPTY
+        swapgs
+
+        /* Stash the user RSP. */
+        movq    %rsp, RSP_SCRATCH
+
+        /* Load the top of the task stack into RSP */
+        movq    CPU_ENTRY_AREA_tss + TSS_sp1 + CPU_ENTRY_AREA, %rsp
+
+        /* Start building the simulated IRET frame. */
+        pushq   $__USER_DS                      /* pt_regs->ss */
+        pushq   RSP_SCRATCH                     /* pt_regs->sp */
+        pushq   %r11                            /* pt_regs->flags */
+        pushq   $__USER_CS                      /* pt_regs->cs */
+        pushq   %rcx                            /* pt_regs->ip */
+
+        /*
+         * x86 lacks a near absolute jump, and we can't jump to the real
+         * entry text with a relative jump.  We could push the target
+         * address and then use retq, but this destroys the pipeline on
+         * many CPUs (wasting over 20 cycles on Sandy Bridge).  Instead,
+         * spill RDI and restore it in a second-stage trampoline.
+         */
+        pushq   %rdi
+        movq    $entry_SYSCALL_64_stage2, %rdi
+        jmp     *%rdi
+END(entry_SYSCALL_64_trampoline)
+
+        .popsection
+
+ENTRY(entry_SYSCALL_64_stage2)
+        UNWIND_HINT_EMPTY
+        popq    %rdi
+        jmp     entry_SYSCALL_64_after_hwframe
+END(entry_SYSCALL_64_stage2)
+
 ENTRY(entry_SYSCALL_64)
         UNWIND_HINT_EMPTY
         /*
@@ -330,8 +388,24 @@ syscall_return_via_sysret:
         popq    %rsi    /* skip rcx */
         popq    %rdx
         popq    %rsi
+
+        /*
+         * Now all regs are restored except RSP and RDI.
+         * Save old stack pointer and switch to trampoline stack.
+         */
+        movq    %rsp, %rdi
+        movq    PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
+
+        pushq   RSP-RDI(%rdi)   /* RSP */
+        pushq   (%rdi)          /* RDI */
+
+        /*
+         * We are on the trampoline stack.  All regs except RDI are live.
+         * We can do future final exit work right here.
+         */
+
         popq    %rdi
-        movq    RSP-ORIG_RAX(%rsp), %rsp
+        popq    %rsp
         USERGS_SYSRET64
 END(entry_SYSCALL_64)
 
@@ -466,12 +540,13 @@ END(irq_entries_start)
 
 .macro DEBUG_ENTRY_ASSERT_IRQS_OFF
 #ifdef CONFIG_DEBUG_ENTRY
-        pushfq
-        testl $X86_EFLAGS_IF, (%rsp)
+        pushq %rax
+        SAVE_FLAGS(CLBR_RAX)
+        testl $X86_EFLAGS_IF, %eax
         jz .Lokay_\@
         ud2
 .Lokay_\@:
-        addq $8, %rsp
+        popq %rax
 #endif
 .endm
 
@@ -563,6 +638,13 @@ END(irq_entries_start)
 /* 0(%rsp): ~(interrupt number) */
         .macro interrupt func
         cld
+
+        testb   $3, CS-ORIG_RAX(%rsp)
+        jz      1f
+        SWAPGS
+        call    switch_to_thread_stack
+1:
+
         ALLOC_PT_GPREGS_ON_STACK
         SAVE_C_REGS
         SAVE_EXTRA_REGS
@@ -572,12 +654,8 @@ END(irq_entries_start)
         jz      1f
 
         /*
-         * IRQ from user mode.  Switch to kernel gsbase and inform context
-         * tracking that we're in kernel mode.
-         */
-        SWAPGS
-
-        /*
+         * IRQ from user mode.
+         *
          * We need to tell lockdep that IRQs are off.  We can't do this until
          * we fix gsbase, and we should do it before enter_from_user_mode
          * (which can take locks).  Since TRACE_IRQS_OFF idempotent,
@@ -630,10 +708,41 @@ GLOBAL(swapgs_restore_regs_and_return_to_usermode)
         ud2
 1:
 #endif
-        SWAPGS
         POP_EXTRA_REGS
-        POP_C_REGS
-        addq    $8, %rsp        /* skip regs->orig_ax */
+        popq    %r11
+        popq    %r10
+        popq    %r9
+        popq    %r8
+        popq    %rax
+        popq    %rcx
+        popq    %rdx
+        popq    %rsi
+
+        /*
+         * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
+         * Save old stack pointer and switch to trampoline stack.
+         */
+        movq    %rsp, %rdi
+        movq    PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
+
+        /* Copy the IRET frame to the trampoline stack. */
+        pushq   6*8(%rdi)       /* SS */
+        pushq   5*8(%rdi)       /* RSP */
+        pushq   4*8(%rdi)       /* EFLAGS */
+        pushq   3*8(%rdi)       /* CS */
+        pushq   2*8(%rdi)       /* RIP */
+
+        /* Push user RDI on the trampoline stack. */
+        pushq   (%rdi)
+
+        /*
+         * We are on the trampoline stack.  All regs except RDI are live.
+         * We can do future final exit work right here.
+         */
+
+        /* Restore RDI. */
+        popq    %rdi
+        SWAPGS
         INTERRUPT_RETURN
 
 
@@ -829,7 +938,33 @@ apicinterrupt IRQ_WORK_VECTOR			irq_work_interrupt		smp_irq_work_interrupt
 /*
  * Exception entry points.
  */
-#define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss) + (TSS_ist + ((x) - 1) * 8)
+#define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss_rw) + (TSS_ist + ((x) - 1) * 8)
+
+/*
+ * Switch to the thread stack.  This is called with the IRET frame and
+ * orig_ax on the stack.  (That is, RDI..R12 are not on the stack and
+ * space has not been allocated for them.)
+ */
+ENTRY(switch_to_thread_stack)
+        UNWIND_HINT_FUNC
+
+        pushq   %rdi
+        movq    %rsp, %rdi
+        movq    PER_CPU_VAR(cpu_current_top_of_stack), %rsp
+        UNWIND_HINT sp_offset=16 sp_reg=ORC_REG_DI
+
+        pushq   7*8(%rdi)               /* regs->ss */
+        pushq   6*8(%rdi)               /* regs->rsp */
+        pushq   5*8(%rdi)               /* regs->eflags */
+        pushq   4*8(%rdi)               /* regs->cs */
+        pushq   3*8(%rdi)               /* regs->ip */
+        pushq   2*8(%rdi)               /* regs->orig_ax */
+        pushq   8(%rdi)                 /* return address */
+        UNWIND_HINT_FUNC
+
+        movq    (%rdi), %rdi
+        ret
+END(switch_to_thread_stack)
 
 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
 ENTRY(\sym)
@@ -848,11 +983,12 @@ ENTRY(\sym)
 
         ALLOC_PT_GPREGS_ON_STACK
 
-        .if \paranoid
-        .if \paranoid == 1
+        .if \paranoid < 2
         testb   $3, CS(%rsp)                    /* If coming from userspace, switch stacks */
-        jnz     1f
+        jnz     .Lfrom_usermode_switch_stack_\@
         .endif
+
+        .if \paranoid
         call    paranoid_entry
         .else
         call    error_entry
@@ -894,20 +1030,15 @@ ENTRY(\sym)
         jmp     error_exit
         .endif
 
-        .if \paranoid == 1
+        .if \paranoid < 2
         /*
-         * Paranoid entry from userspace.  Switch stacks and treat it
+         * Entry from userspace.  Switch stacks and treat it
          * as a normal entry.  This means that paranoid handlers
          * run in real process context if user_mode(regs).
          */
-1:
+.Lfrom_usermode_switch_stack_\@:
         call    error_entry
 
-
-        movq    %rsp, %rdi                      /* pt_regs pointer */
-        call    sync_regs
-        movq    %rax, %rsp                      /* switch stack */
-
         movq    %rsp, %rdi                      /* pt_regs pointer */
 
         .if \has_error_code
@@ -1170,6 +1301,14 @@ ENTRY(error_entry)
         SWAPGS
 
 .Lerror_entry_from_usermode_after_swapgs:
+        /* Put us onto the real thread stack. */
+        popq    %r12                            /* save return addr in %12 */
+        movq    %rsp, %rdi                      /* arg0 = pt_regs pointer */
+        call    sync_regs
+        movq    %rax, %rsp                      /* switch stack */
+        ENCODE_FRAME_POINTER
+        pushq   %r12
+
         /*
          * We need to tell lockdep that IRQs are off.  We can't do this until
          * we fix gsbase, and we should do it before enter_from_user_mode
diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
index 568e130d932c..95ad40eb7eff 100644
--- a/arch/x86/entry/entry_64_compat.S
+++ b/arch/x86/entry/entry_64_compat.S
@@ -48,7 +48,7 @@
  */
 ENTRY(entry_SYSENTER_compat)
         /* Interrupts are off on entry. */
-        SWAPGS_UNSAFE_STACK
+        SWAPGS
         movq    PER_CPU_VAR(cpu_current_top_of_stack), %rsp
 
         /*
@@ -306,8 +306,11 @@ ENTRY(entry_INT80_compat)
          */
         movl    %eax, %eax
 
-        /* Construct struct pt_regs on stack (iret frame is already on stack) */
         pushq   %rax                    /* pt_regs->orig_ax */
+
+        /* switch to thread stack expects orig_ax to be pushed */
+        call    switch_to_thread_stack
+
         pushq   %rdi                    /* pt_regs->di */
         pushq   %rsi                    /* pt_regs->si */
         pushq   %rdx                    /* pt_regs->dx */
diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
index bf6a76202a77..ea9a7dde62e5 100644
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -135,6 +135,8 @@ extern void clear_cpu_cap(struct cpuinfo_x86 *c, unsigned int bit);
         set_bit(bit, (unsigned long *)cpu_caps_set);    \
 } while (0)
 
+#define setup_force_cpu_bug(bit) setup_force_cpu_cap(bit)
+
 #if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_X86_FAST_FEATURE_TESTS)
 /*
  * Static testing of CPU features.  Used the same as boot_cpu_has().
diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
index 4011cb03ef08..aab4fe9f49f8 100644
--- a/arch/x86/include/asm/desc.h
+++ b/arch/x86/include/asm/desc.h
@@ -60,17 +60,10 @@ static inline struct desc_struct *get_current_gdt_rw(void)
         return this_cpu_ptr(&gdt_page)->gdt;
 }
 
-/* Get the fixmap index for a specific processor */
-static inline unsigned int get_cpu_gdt_ro_index(int cpu)
-{
-        return FIX_GDT_REMAP_BEGIN + cpu;
-}
-
 /* Provide the fixmap address of the remapped GDT */
 static inline struct desc_struct *get_cpu_gdt_ro(int cpu)
 {
-        unsigned int idx = get_cpu_gdt_ro_index(cpu);
-        return (struct desc_struct *)__fix_to_virt(idx);
+        return (struct desc_struct *)&get_cpu_entry_area(cpu)->gdt;
 }
 
 /* Provide the current read-only GDT */
@@ -185,7 +178,7 @@ static inline void set_tssldt_descriptor(void *d, unsigned long addr,
 #endif
 }
 
-static inline void __set_tss_desc(unsigned cpu, unsigned int entry, void *addr)
+static inline void __set_tss_desc(unsigned cpu, unsigned int entry, struct x86_hw_tss *addr)
 {
         struct desc_struct *d = get_cpu_gdt_rw(cpu);
         tss_desc tss;
diff --git a/arch/x86/include/asm/fixmap.h b/arch/x86/include/asm/fixmap.h
index b0c505fe9a95..94fc4fa14127 100644
--- a/arch/x86/include/asm/fixmap.h
+++ b/arch/x86/include/asm/fixmap.h
@@ -44,6 +44,45 @@ extern unsigned long __FIXADDR_TOP;
                          PAGE_SIZE)
 #endif
 
+/*
+ * cpu_entry_area is a percpu region in the fixmap that contains things
+ * needed by the CPU and early entry/exit code.  Real types aren't used
+ * for all fields here to avoid circular header dependencies.
+ *
+ * Every field is a virtual alias of some other allocated backing store.
+ * There is no direct allocation of a struct cpu_entry_area.
+ */
+struct cpu_entry_area {
+        char gdt[PAGE_SIZE];
+
+        /*
+         * The GDT is just below SYSENTER_stack and thus serves (on x86_64) as
+         * a a read-only guard page.
+         */
+        struct SYSENTER_stack_page SYSENTER_stack_page;
+
+        /*
+         * On x86_64, the TSS is mapped RO.  On x86_32, it's mapped RW because
+         * we need task switches to work, and task switches write to the TSS.
+         */
+        struct tss_struct tss;
+
+        char entry_trampoline[PAGE_SIZE];
+
+#ifdef CONFIG_X86_64
+        /*
+         * Exception stacks used for IST entries.
+         *
+         * In the future, this should have a separate slot for each stack
+         * with guard pages between them.
+         */
+        char exception_stacks[(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ];
+#endif
+};
+
+#define CPU_ENTRY_AREA_PAGES (sizeof(struct cpu_entry_area) / PAGE_SIZE)
+
+extern void setup_cpu_entry_areas(void);
 
 /*
  * Here we define all the compile-time 'special' virtual
@@ -101,8 +140,8 @@ enum fixed_addresses {
         FIX_LNW_VRTC,
 #endif
         /* Fixmap entries to remap the GDTs, one per processor. */
-        FIX_GDT_REMAP_BEGIN,
-        FIX_GDT_REMAP_END = FIX_GDT_REMAP_BEGIN + NR_CPUS - 1,
+        FIX_CPU_ENTRY_AREA_TOP,
+        FIX_CPU_ENTRY_AREA_BOTTOM = FIX_CPU_ENTRY_AREA_TOP + (CPU_ENTRY_AREA_PAGES * NR_CPUS) - 1,
 
 #ifdef CONFIG_ACPI_APEI_GHES
         /* Used for GHES mapping from assorted contexts */
@@ -191,5 +230,30 @@ void __init *early_memremap_decrypted_wp(resource_size_t phys_addr,
 void __early_set_fixmap(enum fixed_addresses idx,
                         phys_addr_t phys, pgprot_t flags);
 
+static inline unsigned int __get_cpu_entry_area_page_index(int cpu, int page)
+{
+        BUILD_BUG_ON(sizeof(struct cpu_entry_area) % PAGE_SIZE != 0);
+
+        return FIX_CPU_ENTRY_AREA_BOTTOM - cpu*CPU_ENTRY_AREA_PAGES - page;
+}
+
+#define __get_cpu_entry_area_offset_index(cpu, offset) ({               \
+        BUILD_BUG_ON(offset % PAGE_SIZE != 0);                          \
+        __get_cpu_entry_area_page_index(cpu, offset / PAGE_SIZE);       \
+        })
+
+#define get_cpu_entry_area_index(cpu, field)                            \
+        __get_cpu_entry_area_offset_index((cpu), offsetof(struct cpu_entry_area, field))
+
+static inline struct cpu_entry_area *get_cpu_entry_area(int cpu)
+{
+        return (struct cpu_entry_area *)__fix_to_virt(__get_cpu_entry_area_page_index(cpu, 0));
+}
+
+static inline struct SYSENTER_stack *cpu_SYSENTER_stack(int cpu)
+{
+        return &get_cpu_entry_area(cpu)->SYSENTER_stack_page.stack;
+}
+
 #endif /* !__ASSEMBLY__ */
 #endif /* _ASM_X86_FIXMAP_H */
diff --git a/arch/x86/include/asm/hypervisor.h b/arch/x86/include/asm/hypervisor.h
index 1b0a5abcd8ae..96aa6b9884dc 100644
--- a/arch/x86/include/asm/hypervisor.h
+++ b/arch/x86/include/asm/hypervisor.h
@@ -20,16 +20,7 @@
 #ifndef _ASM_X86_HYPERVISOR_H
 #define _ASM_X86_HYPERVISOR_H
 
-#ifdef CONFIG_HYPERVISOR_GUEST
-
-#include <asm/kvm_para.h>
-#include <asm/x86_init.h>
-#include <asm/xen/hypervisor.h>
-
-/*
- * x86 hypervisor information
- */
-
+/* x86 hypervisor types  */
 enum x86_hypervisor_type {
         X86_HYPER_NATIVE = 0,
         X86_HYPER_VMWARE,
@@ -39,6 +30,12 @@ enum x86_hypervisor_type {
         X86_HYPER_KVM,
 };
 
+#ifdef CONFIG_HYPERVISOR_GUEST
+
+#include <asm/kvm_para.h>
+#include <asm/x86_init.h>
+#include <asm/xen/hypervisor.h>
+
 struct hypervisor_x86 {
         /* Hypervisor name */
         const char      *name;
@@ -58,7 +55,15 @@ struct hypervisor_x86 {
 
 extern enum x86_hypervisor_type x86_hyper_type;
 extern void init_hypervisor_platform(void);
+static inline bool hypervisor_is_type(enum x86_hypervisor_type type)
+{
+        return x86_hyper_type == type;
+}
 #else
 static inline void init_hypervisor_platform(void) { }
+static inline bool hypervisor_is_type(enum x86_hypervisor_type type)
+{
+        return type == X86_HYPER_NATIVE;
+}
 #endif /* CONFIG_HYPERVISOR_GUEST */
 #endif /* _ASM_X86_HYPERVISOR_H */
diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h
index c8ef23f2c28f..89f08955fff7 100644
--- a/arch/x86/include/asm/irqflags.h
+++ b/arch/x86/include/asm/irqflags.h
@@ -142,6 +142,9 @@ static inline notrace unsigned long arch_local_irq_save(void)
         swapgs;                                 \
         sysretl
 
+#ifdef CONFIG_DEBUG_ENTRY
+#define SAVE_FLAGS(x)           pushfq; popq %rax
+#endif
 #else
 #define INTERRUPT_RETURN                iret
 #define ENABLE_INTERRUPTS_SYSEXIT       sti; sysexit
diff --git a/arch/x86/include/asm/kdebug.h b/arch/x86/include/asm/kdebug.h
index f86a8caa561e..395c9631e000 100644
--- a/arch/x86/include/asm/kdebug.h
+++ b/arch/x86/include/asm/kdebug.h
@@ -26,6 +26,7 @@ extern void die(const char *, struct pt_regs *,long);
 extern int __must_check __die(const char *, struct pt_regs *, long);
 extern void show_stack_regs(struct pt_regs *regs);
 extern void __show_regs(struct pt_regs *regs, int all);
+extern void show_iret_regs(struct pt_regs *regs);
 extern unsigned long oops_begin(void);
 extern void oops_end(unsigned long, struct pt_regs *, int signr);
 
diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
index 283efcaac8af..892df375b615 100644
--- a/arch/x86/include/asm/paravirt.h
+++ b/arch/x86/include/asm/paravirt.h
@@ -927,6 +927,15 @@ extern void default_banner(void);
         PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_usergs_sysret64),       \
                   CLBR_NONE,                                            \
                   jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret64))
+
+#ifdef CONFIG_DEBUG_ENTRY
+#define SAVE_FLAGS(clobbers)                                        \
+        PARA_SITE(PARA_PATCH(pv_irq_ops, PV_IRQ_save_fl), clobbers, \
+                  PV_SAVE_REGS(clobbers | CLBR_CALLEE_SAVE);        \
+                  call PARA_INDIRECT(pv_irq_ops+PV_IRQ_save_fl);    \
+                  PV_RESTORE_REGS(clobbers | CLBR_CALLEE_SAVE);)
+#endif
+
 #endif  /* CONFIG_X86_32 */
 
 #endif /* __ASSEMBLY__ */
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index cc16fa882e3e..1f2434ee9f80 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -163,9 +163,9 @@ enum cpuid_regs_idx {
 extern struct cpuinfo_x86       boot_cpu_data;
 extern struct cpuinfo_x86       new_cpu_data;
 
-extern struct tss_struct        doublefault_tss;
-extern __u32                    cpu_caps_cleared[NCAPINTS];
-extern __u32                    cpu_caps_set[NCAPINTS];
+extern struct x86_hw_tss        doublefault_tss;
+extern __u32                    cpu_caps_cleared[NCAPINTS + NBUGINTS];
+extern __u32                    cpu_caps_set[NCAPINTS + NBUGINTS];
 
 #ifdef CONFIG_SMP
 DECLARE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info);
@@ -253,6 +253,11 @@ static inline void load_cr3(pgd_t *pgdir)
         write_cr3(__sme_pa(pgdir));
 }
 
+/*
+ * Note that while the legacy 'TSS' name comes from 'Task State Segment',
+ * on modern x86 CPUs the TSS also holds information important to 64-bit mode,
+ * unrelated to the task-switch mechanism:
+ */
 #ifdef CONFIG_X86_32
 /* This is the TSS defined by the hardware. */
 struct x86_hw_tss {
@@ -305,7 +310,13 @@ struct x86_hw_tss {
 struct x86_hw_tss {
         u32                     reserved1;
         u64                     sp0;
+
+        /*
+         * We store cpu_current_top_of_stack in sp1 so it's always accessible.
+         * Linux does not use ring 1, so sp1 is not otherwise needed.
+         */
         u64                     sp1;
+
         u64                     sp2;
         u64                     reserved2;
         u64                     ist[7];
@@ -323,12 +334,22 @@ struct x86_hw_tss {
 #define IO_BITMAP_BITS                  65536
 #define IO_BITMAP_BYTES                 (IO_BITMAP_BITS/8)
 #define IO_BITMAP_LONGS                 (IO_BITMAP_BYTES/sizeof(long))
-#define IO_BITMAP_OFFSET                offsetof(struct tss_struct, io_bitmap)
+#define IO_BITMAP_OFFSET                (offsetof(struct tss_struct, io_bitmap) - offsetof(struct tss_struct, x86_tss))
 #define INVALID_IO_BITMAP_OFFSET        0x8000
 
+struct SYSENTER_stack {
+        unsigned long           words[64];
+};
+
+struct SYSENTER_stack_page {
+        struct SYSENTER_stack stack;
+} __aligned(PAGE_SIZE);
+
 struct tss_struct {
         /*
-         * The hardware state:
+         * The fixed hardware portion.  This must not cross a page boundary
+         * at risk of violating the SDM's advice and potentially triggering
+         * errata.
          */
         struct x86_hw_tss       x86_tss;
 
@@ -339,18 +360,9 @@ struct tss_struct {
          * be within the limit.
          */
         unsigned long           io_bitmap[IO_BITMAP_LONGS + 1];
+} __aligned(PAGE_SIZE);
 
-#ifdef CONFIG_X86_32
-        /*
-         * Space for the temporary SYSENTER stack.
-         */
-        unsigned long           SYSENTER_stack_canary;
-        unsigned long           SYSENTER_stack[64];
-#endif
-
-} ____cacheline_aligned;
-
-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss);
+DECLARE_PER_CPU_PAGE_ALIGNED(struct tss_struct, cpu_tss_rw);
 
 /*
  * sizeof(unsigned long) coming from an extra "long" at the end
@@ -364,6 +376,9 @@ DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss);
 
 #ifdef CONFIG_X86_32
 DECLARE_PER_CPU(unsigned long, cpu_current_top_of_stack);
+#else
+/* The RO copy can't be accessed with this_cpu_xyz(), so use the RW copy. */
+#define cpu_current_top_of_stack cpu_tss_rw.x86_tss.sp1
 #endif
 
 /*
@@ -523,7 +538,7 @@ static inline void native_set_iopl_mask(unsigned mask)
 static inline void
 native_load_sp0(unsigned long sp0)
 {
-        this_cpu_write(cpu_tss.x86_tss.sp0, sp0);
+        this_cpu_write(cpu_tss_rw.x86_tss.sp0, sp0);
 }
 
 static inline void native_swapgs(void)
@@ -535,12 +550,12 @@ static inline void native_swapgs(void)
 
 static inline unsigned long current_top_of_stack(void)
 {
-#ifdef CONFIG_X86_64
-        return this_cpu_read_stable(cpu_tss.x86_tss.sp0);
-#else
-        /* sp0 on x86_32 is special in and around vm86 mode. */
+        /*
+         *  We can't read directly from tss.sp0: sp0 on x86_32 is special in
+         *  and around vm86 mode and sp0 on x86_64 is special because of the
+         *  entry trampoline.
+         */
         return this_cpu_read_stable(cpu_current_top_of_stack);
-#endif
 }
 
 static inline bool on_thread_stack(void)
diff --git a/arch/x86/include/asm/stacktrace.h b/arch/x86/include/asm/stacktrace.h
index 8da111b3c342..f8062bfd43a0 100644
--- a/arch/x86/include/asm/stacktrace.h
+++ b/arch/x86/include/asm/stacktrace.h
@@ -16,6 +16,7 @@ enum stack_type {
         STACK_TYPE_TASK,
         STACK_TYPE_IRQ,
         STACK_TYPE_SOFTIRQ,
+        STACK_TYPE_SYSENTER,
         STACK_TYPE_EXCEPTION,
         STACK_TYPE_EXCEPTION_LAST = STACK_TYPE_EXCEPTION + N_EXCEPTION_STACKS-1,
 };
@@ -28,6 +29,8 @@ struct stack_info {
 bool in_task_stack(unsigned long *stack, struct task_struct *task,
                    struct stack_info *info);
 
+bool in_sysenter_stack(unsigned long *stack, struct stack_info *info);
+
 int get_stack_info(unsigned long *stack, struct task_struct *task,
                    struct stack_info *info, unsigned long *visit_mask);
 
diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h
index 8c6bd6863db9..9b6df68d8fd1 100644
--- a/arch/x86/include/asm/switch_to.h
+++ b/arch/x86/include/asm/switch_to.h
@@ -79,10 +79,10 @@ do {									\
 static inline void refresh_sysenter_cs(struct thread_struct *thread)
 {
         /* Only happens when SEP is enabled, no need to test "SEP"arately: */
-        if (unlikely(this_cpu_read(cpu_tss.x86_tss.ss1) == thread->sysenter_cs))
+        if (unlikely(this_cpu_read(cpu_tss_rw.x86_tss.ss1) == thread->sysenter_cs))
                 return;
 
-        this_cpu_write(cpu_tss.x86_tss.ss1, thread->sysenter_cs);
+        this_cpu_write(cpu_tss_rw.x86_tss.ss1, thread->sysenter_cs);
         wrmsr(MSR_IA32_SYSENTER_CS, thread->sysenter_cs, 0);
 }
 #endif
@@ -90,10 +90,12 @@ static inline void refresh_sysenter_cs(struct thread_struct *thread)
 /* This is used when switching tasks or entering/exiting vm86 mode. */
 static inline void update_sp0(struct task_struct *task)
 {
+        /* On x86_64, sp0 always points to the entry trampoline stack, which is constant: */
 #ifdef CONFIG_X86_32
         load_sp0(task->thread.sp0);
 #else
-        load_sp0(task_top_of_stack(task));
+        if (static_cpu_has(X86_FEATURE_XENPV))
+                load_sp0(task_top_of_stack(task));
 #endif
 }
 
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index 70f425947dc5..00223333821a 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -207,7 +207,7 @@ static inline int arch_within_stack_frames(const void * const stack,
 #else /* !__ASSEMBLY__ */
 
 #ifdef CONFIG_X86_64
-# define cpu_current_top_of_stack (cpu_tss + TSS_sp0)
+# define cpu_current_top_of_stack (cpu_tss_rw + TSS_sp1)
 #endif
 
 #endif
diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
index 1fadd310ff68..31051f35cbb7 100644
--- a/arch/x86/include/asm/traps.h
+++ b/arch/x86/include/asm/traps.h
@@ -75,7 +75,6 @@ dotraplinkage void do_segment_not_present(struct pt_regs *, long);
 dotraplinkage void do_stack_segment(struct pt_regs *, long);
 #ifdef CONFIG_X86_64
 dotraplinkage void do_double_fault(struct pt_regs *, long);
-asmlinkage struct pt_regs *sync_regs(struct pt_regs *);
 #endif
 dotraplinkage void do_general_protection(struct pt_regs *, long);
 dotraplinkage void do_page_fault(struct pt_regs *, unsigned long);
diff --git a/arch/x86/include/asm/unwind.h b/arch/x86/include/asm/unwind.h
index e9cc6fe1fc6f..c1688c2d0a12 100644
--- a/arch/x86/include/asm/unwind.h
+++ b/arch/x86/include/asm/unwind.h
@@ -7,6 +7,9 @@
 #include <asm/ptrace.h>
 #include <asm/stacktrace.h>
 
+#define IRET_FRAME_OFFSET (offsetof(struct pt_regs, ip))
+#define IRET_FRAME_SIZE   (sizeof(struct pt_regs) - IRET_FRAME_OFFSET)
+
 struct unwind_state {
         struct stack_info stack_info;
         unsigned long stack_mask;
@@ -52,6 +55,10 @@ void unwind_start(struct unwind_state *state, struct task_struct *task,
 }
 
 #if defined(CONFIG_UNWINDER_ORC) || defined(CONFIG_UNWINDER_FRAME_POINTER)
+/*
+ * WARNING: The entire pt_regs may not be safe to dereference.  In some cases,
+ * only the iret frame registers are accessible.  Use with caution!
+ */
 static inline struct pt_regs *unwind_get_entry_regs(struct unwind_state *state)
 {
         if (unwind_done(state))
diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c
index 8ea78275480d..cd360a5e0dca 100644
--- a/arch/x86/kernel/asm-offsets.c
+++ b/arch/x86/kernel/asm-offsets.c
@@ -93,4 +93,10 @@ void common(void) {
 
         BLANK();
         DEFINE(PTREGS_SIZE, sizeof(struct pt_regs));
+
+        /* Layout info for cpu_entry_area */
+        OFFSET(CPU_ENTRY_AREA_tss, cpu_entry_area, tss);
+        OFFSET(CPU_ENTRY_AREA_entry_trampoline, cpu_entry_area, entry_trampoline);
+        OFFSET(CPU_ENTRY_AREA_SYSENTER_stack, cpu_entry_area, SYSENTER_stack_page);
+        DEFINE(SIZEOF_SYSENTER_stack, sizeof(struct SYSENTER_stack));
 }
diff --git a/arch/x86/kernel/asm-offsets_32.c b/arch/x86/kernel/asm-offsets_32.c
index dedf428b20b6..7d20d9c0b3d6 100644
--- a/arch/x86/kernel/asm-offsets_32.c
+++ b/arch/x86/kernel/asm-offsets_32.c
@@ -47,13 +47,8 @@ void foo(void)
         BLANK();
 
         /* Offset from the sysenter stack to tss.sp0 */
-        DEFINE(TSS_sysenter_sp0, offsetof(struct tss_struct, x86_tss.sp0) -
-               offsetofend(struct tss_struct, SYSENTER_stack));
-
-        /* Offset from cpu_tss to SYSENTER_stack */
-        OFFSET(CPU_TSS_SYSENTER_stack, tss_struct, SYSENTER_stack);
-        /* Size of SYSENTER_stack */
-        DEFINE(SIZEOF_SYSENTER_stack, sizeof(((struct tss_struct *)0)->SYSENTER_stack));
+        DEFINE(TSS_sysenter_sp0, offsetof(struct cpu_entry_area, tss.x86_tss.sp0) -
+               offsetofend(struct cpu_entry_area, SYSENTER_stack_page.stack));
 
 #ifdef CONFIG_CC_STACKPROTECTOR
         BLANK();
diff --git a/arch/x86/kernel/asm-offsets_64.c b/arch/x86/kernel/asm-offsets_64.c
index 630212fa9b9d..bf51e51d808d 100644
--- a/arch/x86/kernel/asm-offsets_64.c
+++ b/arch/x86/kernel/asm-offsets_64.c
@@ -23,6 +23,9 @@ int main(void)
 #ifdef CONFIG_PARAVIRT
         OFFSET(PV_CPU_usergs_sysret64, pv_cpu_ops, usergs_sysret64);
         OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
+#ifdef CONFIG_DEBUG_ENTRY
+        OFFSET(PV_IRQ_save_fl, pv_irq_ops, save_fl);
+#endif
         BLANK();
 #endif
 
@@ -63,6 +66,7 @@ int main(void)
 
         OFFSET(TSS_ist, tss_struct, x86_tss.ist);
         OFFSET(TSS_sp0, tss_struct, x86_tss.sp0);
+        OFFSET(TSS_sp1, tss_struct, x86_tss.sp1);
         BLANK();
 
 #ifdef CONFIG_CC_STACKPROTECTOR
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index fa998ca8aa5a..7416da3ec4df 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -476,8 +476,8 @@ static const char *table_lookup_model(struct cpuinfo_x86 *c)
         return NULL;            /* Not found */
 }
 
-__u32 cpu_caps_cleared[NCAPINTS];
-__u32 cpu_caps_set[NCAPINTS];
+__u32 cpu_caps_cleared[NCAPINTS + NBUGINTS];
+__u32 cpu_caps_set[NCAPINTS + NBUGINTS];
 
 void load_percpu_segment(int cpu)
 {
@@ -490,27 +490,116 @@ void load_percpu_segment(int cpu)
         load_stack_canary_segment();
 }
 
-/* Setup the fixmap mapping only once per-processor */
-static inline void setup_fixmap_gdt(int cpu)
+#ifdef CONFIG_X86_32
+/* The 32-bit entry code needs to find cpu_entry_area. */
+DEFINE_PER_CPU(struct cpu_entry_area *, cpu_entry_area);
+#endif
+
+#ifdef CONFIG_X86_64
+/*
+ * Special IST stacks which the CPU switches to when it calls
+ * an IST-marked descriptor entry. Up to 7 stacks (hardware
+ * limit), all of them are 4K, except the debug stack which
+ * is 8K.
+ */
+static const unsigned int exception_stack_sizes[N_EXCEPTION_STACKS] = {
+          [0 ... N_EXCEPTION_STACKS - 1]        = EXCEPTION_STKSZ,
+          [DEBUG_STACK - 1]                     = DEBUG_STKSZ
+};
+
+static DEFINE_PER_CPU_PAGE_ALIGNED(char, exception_stacks
+        [(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ]);
+#endif
+
+static DEFINE_PER_CPU_PAGE_ALIGNED(struct SYSENTER_stack_page,
+                                   SYSENTER_stack_storage);
+
+static void __init
+set_percpu_fixmap_pages(int idx, void *ptr, int pages, pgprot_t prot)
+{
+        for ( ; pages; pages--, idx--, ptr += PAGE_SIZE)
+                __set_fixmap(idx, per_cpu_ptr_to_phys(ptr), prot);
+}
+
+/* Setup the fixmap mappings only once per-processor */
+static void __init setup_cpu_entry_area(int cpu)
 {
 #ifdef CONFIG_X86_64
-        /* On 64-bit systems, we use a read-only fixmap GDT. */
-        pgprot_t prot = PAGE_KERNEL_RO;
+        extern char _entry_trampoline[];
+
+        /* On 64-bit systems, we use a read-only fixmap GDT and TSS. */
+        pgprot_t gdt_prot = PAGE_KERNEL_RO;
+        pgprot_t tss_prot = PAGE_KERNEL_RO;
 #else
         /*
          * On native 32-bit systems, the GDT cannot be read-only because
          * our double fault handler uses a task gate, and entering through
-         * a task gate needs to change an available TSS to busy.  If the GDT
-         * is read-only, that will triple fault.
+         * a task gate needs to change an available TSS to busy.  If the
+         * GDT is read-only, that will triple fault.  The TSS cannot be
+         * read-only because the CPU writes to it on task switches.
          *
-         * On Xen PV, the GDT must be read-only because the hypervisor requires
-         * it.
+         * On Xen PV, the GDT must be read-only because the hypervisor
+         * requires it.
          */
-        pgprot_t prot = boot_cpu_has(X86_FEATURE_XENPV) ?
+        pgprot_t gdt_prot = boot_cpu_has(X86_FEATURE_XENPV) ?
                 PAGE_KERNEL_RO : PAGE_KERNEL;
+        pgprot_t tss_prot = PAGE_KERNEL;
 #endif
 
-        __set_fixmap(get_cpu_gdt_ro_index(cpu), get_cpu_gdt_paddr(cpu), prot);
+        __set_fixmap(get_cpu_entry_area_index(cpu, gdt), get_cpu_gdt_paddr(cpu), gdt_prot);
+        set_percpu_fixmap_pages(get_cpu_entry_area_index(cpu, SYSENTER_stack_page),
+                                per_cpu_ptr(&SYSENTER_stack_storage, cpu), 1,
+                                PAGE_KERNEL);
+
+        /*
+         * The Intel SDM says (Volume 3, 7.2.1):
+         *
+         *  Avoid placing a page boundary in the part of the TSS that the
+         *  processor reads during a task switch (the first 104 bytes). The
+         *  processor may not correctly perform address translations if a
+         *  boundary occurs in this area. During a task switch, the processor
+         *  reads and writes into the first 104 bytes of each TSS (using
+         *  contiguous physical addresses beginning with the physical address
+         *  of the first byte of the TSS). So, after TSS access begins, if
+         *  part of the 104 bytes is not physically contiguous, the processor
+         *  will access incorrect information without generating a page-fault
+         *  exception.
+         *
+         * There are also a lot of errata involving the TSS spanning a page
+         * boundary.  Assert that we're not doing that.
+         */
+        BUILD_BUG_ON((offsetof(struct tss_struct, x86_tss) ^
+                      offsetofend(struct tss_struct, x86_tss)) & PAGE_MASK);
+        BUILD_BUG_ON(sizeof(struct tss_struct) % PAGE_SIZE != 0);
+        set_percpu_fixmap_pages(get_cpu_entry_area_index(cpu, tss),
+                                &per_cpu(cpu_tss_rw, cpu),
+                                sizeof(struct tss_struct) / PAGE_SIZE,
+                                tss_prot);
+
+#ifdef CONFIG_X86_32
+        per_cpu(cpu_entry_area, cpu) = get_cpu_entry_area(cpu);
+#endif
+
+#ifdef CONFIG_X86_64
+        BUILD_BUG_ON(sizeof(exception_stacks) % PAGE_SIZE != 0);
+        BUILD_BUG_ON(sizeof(exception_stacks) !=
+                     sizeof(((struct cpu_entry_area *)0)->exception_stacks));
+        set_percpu_fixmap_pages(get_cpu_entry_area_index(cpu, exception_stacks),
+                                &per_cpu(exception_stacks, cpu),
+                                sizeof(exception_stacks) / PAGE_SIZE,
+                                PAGE_KERNEL);
+
+        __set_fixmap(get_cpu_entry_area_index(cpu, entry_trampoline),
+                     __pa_symbol(_entry_trampoline), PAGE_KERNEL_RX);
+#endif
+}
+
+void __init setup_cpu_entry_areas(void)
+{
+        unsigned int cpu;
+
+        for_each_possible_cpu(cpu)
+                setup_cpu_entry_area(cpu);
 }
 
 /* Load the original GDT from the per-cpu structure */
@@ -747,7 +836,7 @@ static void apply_forced_caps(struct cpuinfo_x86 *c)
 {
         int i;
 
-        for (i = 0; i < NCAPINTS; i++) {
+        for (i = 0; i < NCAPINTS + NBUGINTS; i++) {
                 c->x86_capability[i] &= ~cpu_caps_cleared[i];
                 c->x86_capability[i] |= cpu_caps_set[i];
         }
@@ -1250,7 +1339,7 @@ void enable_sep_cpu(void)
                 return;
 
         cpu = get_cpu();
-        tss = &per_cpu(cpu_tss, cpu);
+        tss = &per_cpu(cpu_tss_rw, cpu);
 
         /*
          * We cache MSR_IA32_SYSENTER_CS's value in the TSS's ss1 field --
@@ -1259,11 +1348,7 @@ void enable_sep_cpu(void)
 
         tss->x86_tss.ss1 = __KERNEL_CS;
         wrmsr(MSR_IA32_SYSENTER_CS, tss->x86_tss.ss1, 0);
-
-        wrmsr(MSR_IA32_SYSENTER_ESP,
-              (unsigned long)tss + offsetofend(struct tss_struct, SYSENTER_stack),
-              0);
-
+        wrmsr(MSR_IA32_SYSENTER_ESP, (unsigned long)(cpu_SYSENTER_stack(cpu) + 1), 0);
         wrmsr(MSR_IA32_SYSENTER_EIP, (unsigned long)entry_SYSENTER_32, 0);
 
         put_cpu();
@@ -1357,25 +1442,19 @@ DEFINE_PER_CPU(unsigned int, irq_count) __visible = -1;
 DEFINE_PER_CPU(int, __preempt_count) = INIT_PREEMPT_COUNT;
 EXPORT_PER_CPU_SYMBOL(__preempt_count);
 
-/*
- * Special IST stacks which the CPU switches to when it calls
- * an IST-marked descriptor entry. Up to 7 stacks (hardware
- * limit), all of them are 4K, except the debug stack which
- * is 8K.
- */
-static const unsigned int exception_stack_sizes[N_EXCEPTION_STACKS] = {
-          [0 ... N_EXCEPTION_STACKS - 1]        = EXCEPTION_STKSZ,
-          [DEBUG_STACK - 1]                     = DEBUG_STKSZ
-};
-
-static DEFINE_PER_CPU_PAGE_ALIGNED(char, exception_stacks
-        [(N_EXCEPTION_STACKS - 1) * EXCEPTION_STKSZ + DEBUG_STKSZ]);
-
 /* May not be marked __init: used by software suspend */
 void syscall_init(void)
 {
+        extern char _entry_trampoline[];
+        extern char entry_SYSCALL_64_trampoline[];
+
+        int cpu = smp_processor_id();
+        unsigned long SYSCALL64_entry_trampoline =
+                (unsigned long)get_cpu_entry_area(cpu)->entry_trampoline +
+                (entry_SYSCALL_64_trampoline - _entry_trampoline);
+
         wrmsr(MSR_STAR, 0, (__USER32_CS << 16) | __KERNEL_CS);
-        wrmsrl(MSR_LSTAR, (unsigned long)entry_SYSCALL_64);
+        wrmsrl(MSR_LSTAR, SYSCALL64_entry_trampoline);
 
 #ifdef CONFIG_IA32_EMULATION
         wrmsrl(MSR_CSTAR, (unsigned long)entry_SYSCALL_compat);
@@ -1386,7 +1465,7 @@ void syscall_init(void)
          * AMD doesn't allow SYSENTER in long mode (either 32- or 64-bit).
          */
         wrmsrl_safe(MSR_IA32_SYSENTER_CS, (u64)__KERNEL_CS);
-        wrmsrl_safe(MSR_IA32_SYSENTER_ESP, 0ULL);
+        wrmsrl_safe(MSR_IA32_SYSENTER_ESP, (unsigned long)(cpu_SYSENTER_stack(cpu) + 1));
         wrmsrl_safe(MSR_IA32_SYSENTER_EIP, (u64)entry_SYSENTER_compat);
 #else
         wrmsrl(MSR_CSTAR, (unsigned long)ignore_sysret);
@@ -1530,7 +1609,7 @@ void cpu_init(void)
         if (cpu)
                 load_ucode_ap();
 
-        t = &per_cpu(cpu_tss, cpu);
+        t = &per_cpu(cpu_tss_rw, cpu);
         oist = &per_cpu(orig_ist, cpu);
 
 #ifdef CONFIG_NUMA
@@ -1569,7 +1648,7 @@ void cpu_init(void)
          * set up and load the per-CPU TSS
          */
         if (!oist->ist[0]) {
-                char *estacks = per_cpu(exception_stacks, cpu);
+                char *estacks = get_cpu_entry_area(cpu)->exception_stacks;
 
                 for (v = 0; v < N_EXCEPTION_STACKS; v++) {
                         estacks += exception_stack_sizes[v];
@@ -1580,7 +1659,7 @@ void cpu_init(void)
                 }
         }
 
-        t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
+        t->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET;
 
         /*
          * <= is required because the CPU will access up to
@@ -1596,11 +1675,12 @@ void cpu_init(void)
         enter_lazy_tlb(&init_mm, me);
 
         /*
-         * Initialize the TSS.  Don't bother initializing sp0, as the initial
-         * task never enters user mode.
+         * Initialize the TSS.  sp0 points to the entry trampoline stack
+         * regardless of what task is running.
          */
-        set_tss_desc(cpu, t);
+        set_tss_desc(cpu, &get_cpu_entry_area(cpu)->tss.x86_tss);
         load_TR_desc();
+        load_sp0((unsigned long)(cpu_SYSENTER_stack(cpu) + 1));
 
         load_mm_ldt(&init_mm);
 
@@ -1612,7 +1692,6 @@ void cpu_init(void)
         if (is_uv_system())
                 uv_cpu_init();
 
-        setup_fixmap_gdt(cpu);
         load_fixmap_gdt(cpu);
 }
 
@@ -1622,7 +1701,7 @@ void cpu_init(void)
 {
         int cpu = smp_processor_id();
         struct task_struct *curr = current;
-        struct tss_struct *t = &per_cpu(cpu_tss, cpu);
+        struct tss_struct *t = &per_cpu(cpu_tss_rw, cpu);
 
         wait_for_master_cpu(cpu);
 
@@ -1657,12 +1736,12 @@ void cpu_init(void)
          * Initialize the TSS.  Don't bother initializing sp0, as the initial
          * task never enters user mode.
          */
-        set_tss_desc(cpu, t);
+        set_tss_desc(cpu, &get_cpu_entry_area(cpu)->tss.x86_tss);
         load_TR_desc();
 
         load_mm_ldt(&init_mm);
 
-        t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
+        t->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET;
 
 #ifdef CONFIG_DOUBLEFAULT
         /* Set up doublefault TSS pointer in the GDT */
@@ -1674,7 +1753,6 @@ void cpu_init(void)
 
         fpu__init_cpu();
 
-        setup_fixmap_gdt(cpu);
         load_fixmap_gdt(cpu);
 }
 #endif
diff --git a/arch/x86/kernel/doublefault.c b/arch/x86/kernel/doublefault.c
index 0e662c55ae90..0b8cedb20d6d 100644
--- a/arch/x86/kernel/doublefault.c
+++ b/arch/x86/kernel/doublefault.c
@@ -50,25 +50,23 @@ static void doublefault_fn(void)
                 cpu_relax();
 }
 
-struct tss_struct doublefault_tss __cacheline_aligned = {
-        .x86_tss = {
-                .sp0            = STACK_START,
-                .ss0            = __KERNEL_DS,
-                .ldt            = 0,
-                .io_bitmap_base = INVALID_IO_BITMAP_OFFSET,
-
-                .ip             = (unsigned long) doublefault_fn,
-                /* 0x2 bit is always set */
-                .flags          = X86_EFLAGS_SF | 0x2,
-                .sp             = STACK_START,
-                .es             = __USER_DS,
-                .cs             = __KERNEL_CS,
-                .ss             = __KERNEL_DS,
-                .ds             = __USER_DS,
-                .fs             = __KERNEL_PERCPU,
-
-                .__cr3          = __pa_nodebug(swapper_pg_dir),
-        }
+struct x86_hw_tss doublefault_tss __cacheline_aligned = {
+        .sp0            = STACK_START,
+        .ss0            = __KERNEL_DS,
+        .ldt            = 0,
+        .io_bitmap_base = INVALID_IO_BITMAP_OFFSET,
+
+        .ip             = (unsigned long) doublefault_fn,
+        /* 0x2 bit is always set */
+        .flags          = X86_EFLAGS_SF | 0x2,
+        .sp             = STACK_START,
+        .es             = __USER_DS,
+        .cs             = __KERNEL_CS,
+        .ss             = __KERNEL_DS,
+        .ds             = __USER_DS,
+        .fs             = __KERNEL_PERCPU,
+
+        .__cr3          = __pa_nodebug(swapper_pg_dir),
 };
 
 /* dummy for do_double_fault() call */
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index f13b4c00a5de..bbd6d986e2d0 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -43,6 +43,24 @@ bool in_task_stack(unsigned long *stack, struct task_struct *task,
         return true;
 }
 
+bool in_sysenter_stack(unsigned long *stack, struct stack_info *info)
+{
+        struct SYSENTER_stack *ss = cpu_SYSENTER_stack(smp_processor_id());
+
+        void *begin = ss;
+        void *end = ss + 1;
+
+        if ((void *)stack < begin || (void *)stack >= end)
+                return false;
+
+        info->type      = STACK_TYPE_SYSENTER;
+        info->begin     = begin;
+        info->end       = end;
+        info->next_sp   = NULL;
+
+        return true;
+}
+
 static void printk_stack_address(unsigned long address, int reliable,
                                  char *log_lvl)
 {
@@ -50,6 +68,28 @@ static void printk_stack_address(unsigned long address, int reliable,
         printk("%s %s%pB\n", log_lvl, reliable ? "" : "? ", (void *)address);
 }
 
+void show_iret_regs(struct pt_regs *regs)
+{
+        printk(KERN_DEFAULT "RIP: %04x:%pS\n", (int)regs->cs, (void *)regs->ip);
+        printk(KERN_DEFAULT "RSP: %04x:%016lx EFLAGS: %08lx", (int)regs->ss,
+                regs->sp, regs->flags);
+}
+
+static void show_regs_safe(struct stack_info *info, struct pt_regs *regs)
+{
+        if (on_stack(info, regs, sizeof(*regs)))
+                __show_regs(regs, 0);
+        else if (on_stack(info, (void *)regs + IRET_FRAME_OFFSET,
+                          IRET_FRAME_SIZE)) {
+                /*
+                 * When an interrupt or exception occurs in entry code, the
+                 * full pt_regs might not have been saved yet.  In that case
+                 * just print the iret frame.
+                 */
+                show_iret_regs(regs);
+        }
+}
+
 void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
                         unsigned long *stack, char *log_lvl)
 {
@@ -71,31 +111,35 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
          * - task stack
          * - interrupt stack
          * - HW exception stacks (double fault, nmi, debug, mce)
+         * - SYSENTER stack
          *
-         * x86-32 can have up to three stacks:
+         * x86-32 can have up to four stacks:
          * - task stack
          * - softirq stack
          * - hardirq stack
+         * - SYSENTER stack
          */
         for (regs = NULL; stack; stack = PTR_ALIGN(stack_info.next_sp, sizeof(long))) {
                 const char *stack_name;
 
-                /*
-                 * If we overflowed the task stack into a guard page, jump back
-                 * to the bottom of the usable stack.
-                 */
-                if (task_stack_page(task) - (void *)stack < PAGE_SIZE)
-                        stack = task_stack_page(task);
-
-                if (get_stack_info(stack, task, &stack_info, &visit_mask))
-                        break;
+                if (get_stack_info(stack, task, &stack_info, &visit_mask)) {
+                        /*
+                         * We weren't on a valid stack.  It's possible that
+                         * we overflowed a valid stack into a guard page.
+                         * See if the next page up is valid so that we can
+                         * generate some kind of backtrace if this happens.
+                         */
+                        stack = (unsigned long *)PAGE_ALIGN((unsigned long)stack);
+                        if (get_stack_info(stack, task, &stack_info, &visit_mask))
+                                break;
+                }
 
                 stack_name = stack_type_name(stack_info.type);
                 if (stack_name)
                         printk("%s <%s>\n", log_lvl, stack_name);
 
-                if (regs && on_stack(&stack_info, regs, sizeof(*regs)))
-                        __show_regs(regs, 0);
+                if (regs)
+                        show_regs_safe(&stack_info, regs);
 
                 /*
                  * Scan the stack, printing any text addresses we find.  At the
@@ -119,7 +163,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
 
                         /*
                          * Don't print regs->ip again if it was already printed
-                         * by __show_regs() below.
+                         * by show_regs_safe() below.
                          */
                         if (regs && stack == &regs->ip)
                                 goto next;
@@ -155,8 +199,8 @@ next:
 
                         /* if the frame has entry regs, print them */
                         regs = unwind_get_entry_regs(&state);
-                        if (regs && on_stack(&stack_info, regs, sizeof(*regs)))
-                                __show_regs(regs, 0);
+                        if (regs)
+                                show_regs_safe(&stack_info, regs);
                 }
 
                 if (stack_name)
diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
index daefae83a3aa..5ff13a6b3680 100644
--- a/arch/x86/kernel/dumpstack_32.c
+++ b/arch/x86/kernel/dumpstack_32.c
@@ -26,6 +26,9 @@ const char *stack_type_name(enum stack_type type)
         if (type == STACK_TYPE_SOFTIRQ)
                 return "SOFTIRQ";
 
+        if (type == STACK_TYPE_SYSENTER)
+                return "SYSENTER";
+
         return NULL;
 }
 
@@ -93,6 +96,9 @@ int get_stack_info(unsigned long *stack, struct task_struct *task,
         if (task != current)
                 goto unknown;
 
+        if (in_sysenter_stack(stack, info))
+                goto recursion_check;
+
         if (in_hardirq_stack(stack, info))
                 goto recursion_check;
 
diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
index 88ce2ffdb110..abc828f8c297 100644
--- a/arch/x86/kernel/dumpstack_64.c
+++ b/arch/x86/kernel/dumpstack_64.c
@@ -37,6 +37,9 @@ const char *stack_type_name(enum stack_type type)
         if (type == STACK_TYPE_IRQ)
                 return "IRQ";
 
+        if (type == STACK_TYPE_SYSENTER)
+                return "SYSENTER";
+
         if (type >= STACK_TYPE_EXCEPTION && type <= STACK_TYPE_EXCEPTION_LAST)
                 return exception_stack_names[type - STACK_TYPE_EXCEPTION];
 
@@ -115,6 +118,9 @@ int get_stack_info(unsigned long *stack, struct task_struct *task,
         if (in_irq_stack(stack, info))
                 goto recursion_check;
 
+        if (in_sysenter_stack(stack, info))
+                goto recursion_check;
+
         goto unknown;
 
 recursion_check:
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index 3feb648781c4..2f723301eb58 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -67,7 +67,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
          * because the ->io_bitmap_max value must match the bitmap
          * contents:
          */
-        tss = &per_cpu(cpu_tss, get_cpu());
+        tss = &per_cpu(cpu_tss_rw, get_cpu());
 
         if (turn_on)
                 bitmap_clear(t->io_bitmap_ptr, from, num);
diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
index 49cfd9fe7589..68e1867cca80 100644
--- a/arch/x86/kernel/irq.c
+++ b/arch/x86/kernel/irq.c
@@ -219,18 +219,6 @@ __visible unsigned int __irq_entry do_IRQ(struct pt_regs *regs)
         /* high bit used in ret_from_ code  */
         unsigned vector = ~regs->orig_ax;
 
-        /*
-         * NB: Unlike exception entries, IRQ entries do not reliably
-         * handle context tracking in the low-level entry code.  This is
-         * because syscall entries execute briefly with IRQs on before
-         * updating context tracking state, so we can take an IRQ from
-         * kernel mode with CONTEXT_USER.  The low-level entry code only
-         * updates the context if we came from user mode, so we won't
-         * switch to CONTEXT_KERNEL.  We'll fix that once the syscall
-         * code is cleaned up enough that we can cleanly defer enabling
-         * IRQs.
-         */
-
         entering_irq();
 
         /* entering_irq() tells RCU that we're not quiescent.  Check it. */
diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
index 020efbf5786b..d86e344f5b3d 100644
--- a/arch/x86/kernel/irq_64.c
+++ b/arch/x86/kernel/irq_64.c
@@ -57,10 +57,10 @@ static inline void stack_overflow_check(struct pt_regs *regs)
         if (regs->sp >= estack_top && regs->sp <= estack_bottom)
                 return;
 
-        WARN_ONCE(1, "do_IRQ(): %s has overflown the kernel stack (cur:%Lx,sp:%lx,irq stk top-bottom:%Lx-%Lx,exception stk top-bottom:%Lx-%Lx)\n",
+        WARN_ONCE(1, "do_IRQ(): %s has overflown the kernel stack (cur:%Lx,sp:%lx,irq stk top-bottom:%Lx-%Lx,exception stk top-bottom:%Lx-%Lx,ip:%pF)\n",
                 current->comm, curbase, regs->sp,
                 irq_stack_top, irq_stack_bottom,
-                estack_top, estack_bottom);
+                estack_top, estack_bottom, (void *)regs->ip);
 
         if (sysctl_panic_on_stackoverflow)
                 panic("low stack detected by irq handler - check messages\n");
diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c
index ac0be8283325..9edadabf04f6 100644
--- a/arch/x86/kernel/paravirt_patch_64.c
+++ b/arch/x86/kernel/paravirt_patch_64.c
@@ -10,7 +10,6 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
 DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax");
 DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax");
 DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3");
-DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)");
 DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd");
 
 DEF_NATIVE(pv_cpu_ops, usergs_sysret64, "swapgs; sysretq");
@@ -60,7 +59,6 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
                 PATCH_SITE(pv_mmu_ops, read_cr2);
                 PATCH_SITE(pv_mmu_ops, read_cr3);
                 PATCH_SITE(pv_mmu_ops, write_cr3);
-                PATCH_SITE(pv_mmu_ops, flush_tlb_single);
                 PATCH_SITE(pv_cpu_ops, wbinvd);
 #if defined(CONFIG_PARAVIRT_SPINLOCKS)
                 case PARAVIRT_PATCH(pv_lock_ops.queued_spin_unlock):
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index bb988a24db92..aed9d94bd46f 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -47,7 +47,7 @@
  * section. Since TSS's are completely CPU-local, we want them
  * on exact cacheline boundaries, to eliminate cacheline ping-pong.
  */
-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
+__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss_rw) = {
         .x86_tss = {
                 /*
                  * .sp0 is only used when entering ring 0 from a lower
@@ -56,6 +56,16 @@ __visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
                  * Poison it.
                  */
                 .sp0 = (1UL << (BITS_PER_LONG-1)) + 1,
+
+#ifdef CONFIG_X86_64
+                /*
+                 * .sp1 is cpu_current_top_of_stack.  The init task never
+                 * runs user code, but cpu_current_top_of_stack should still
+                 * be well defined before the first context switch.
+                 */
+                .sp1 = TOP_OF_INIT_STACK,
+#endif
+
 #ifdef CONFIG_X86_32
                 .ss0 = __KERNEL_DS,
                 .ss1 = __KERNEL_CS,
@@ -71,11 +81,8 @@ __visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
           */
         .io_bitmap              = { [0 ... IO_BITMAP_LONGS] = ~0 },
 #endif
-#ifdef CONFIG_X86_32
-        .SYSENTER_stack_canary  = STACK_END_MAGIC,
-#endif
 };
-EXPORT_PER_CPU_SYMBOL(cpu_tss);
+EXPORT_PER_CPU_SYMBOL(cpu_tss_rw);
 
 DEFINE_PER_CPU(bool, __tss_limit_invalid);
 EXPORT_PER_CPU_SYMBOL_GPL(__tss_limit_invalid);
@@ -104,7 +111,7 @@ void exit_thread(struct task_struct *tsk)
         struct fpu *fpu = &t->fpu;
 
         if (bp) {
-                struct tss_struct *tss = &per_cpu(cpu_tss, get_cpu());
+                struct tss_struct *tss = &per_cpu(cpu_tss_rw, get_cpu());
 
                 t->io_bitmap_ptr = NULL;
                 clear_thread_flag(TIF_IO_BITMAP);
diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
index 45bf0c5f93e1..5224c6099184 100644
--- a/arch/x86/kernel/process_32.c
+++ b/arch/x86/kernel/process_32.c
@@ -234,7 +234,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
         struct fpu *prev_fpu = &prev->fpu;
         struct fpu *next_fpu = &next->fpu;
         int cpu = smp_processor_id();
-        struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
+        struct tss_struct *tss = &per_cpu(cpu_tss_rw, cpu);
 
         /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
 
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index eeeb34f85c25..c75466232016 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -69,9 +69,8 @@ void __show_regs(struct pt_regs *regs, int all)
         unsigned int fsindex, gsindex;
         unsigned int ds, cs, es;
 
-        printk(KERN_DEFAULT "RIP: %04lx:%pS\n", regs->cs, (void *)regs->ip);
-        printk(KERN_DEFAULT "RSP: %04lx:%016lx EFLAGS: %08lx", regs->ss,
-                regs->sp, regs->flags);
+        show_iret_regs(regs);
+
         if (regs->orig_ax != -1)
                 pr_cont(" ORIG_RAX: %016lx\n", regs->orig_ax);
         else
@@ -88,6 +87,9 @@ void __show_regs(struct pt_regs *regs, int all)
         printk(KERN_DEFAULT "R13: %016lx R14: %016lx R15: %016lx\n",
                regs->r13, regs->r14, regs->r15);
 
+        if (!all)
+                return;
+
         asm("movl %%ds,%0" : "=r" (ds));
         asm("movl %%cs,%0" : "=r" (cs));
         asm("movl %%es,%0" : "=r" (es));
@@ -98,9 +100,6 @@ void __show_regs(struct pt_regs *regs, int all)
         rdmsrl(MSR_GS_BASE, gs);
         rdmsrl(MSR_KERNEL_GS_BASE, shadowgs);
 
-        if (!all)
-                return;
-
         cr0 = read_cr0();
         cr2 = read_cr2();
         cr3 = __read_cr3();
@@ -400,7 +399,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
         struct fpu *prev_fpu = &prev->fpu;
         struct fpu *next_fpu = &next->fpu;
         int cpu = smp_processor_id();
-        struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
+        struct tss_struct *tss = &per_cpu(cpu_tss_rw, cpu);
 
         WARN_ON_ONCE(IS_ENABLED(CONFIG_DEBUG_ENTRY) &&
                      this_cpu_read(irq_count) != -1);
@@ -462,6 +461,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
          * Switch the PDA and FPU contexts.
          */
         this_cpu_write(current_task, next_p);
+        this_cpu_write(cpu_current_top_of_stack, task_top_of_stack(next_p));
 
         /* Reload sp0. */
         update_sp0(next_p);
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 989514c94a55..e98f8b66a460 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -348,9 +348,15 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
 
         /*
          * If IRET takes a non-IST fault on the espfix64 stack, then we
-         * end up promoting it to a doublefault.  In that case, modify
-         * the stack to make it look like we just entered the #GP
-         * handler from user space, similar to bad_iret.
+         * end up promoting it to a doublefault.  In that case, take
+         * advantage of the fact that we're not using the normal (TSS.sp0)
+         * stack right now.  We can write a fake #GP(0) frame at TSS.sp0
+         * and then modify our own IRET frame so that, when we return,
+         * we land directly at the #GP(0) vector with the stack already
+         * set up according to its expectations.
+         *
+         * The net result is that our #GP handler will think that we
+         * entered from usermode with the bad user context.
          *
          * No need for ist_enter here because we don't use RCU.
          */
@@ -358,13 +364,26 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
                 regs->cs == __KERNEL_CS &&
                 regs->ip == (unsigned long)native_irq_return_iret)
         {
-                struct pt_regs *normal_regs = task_pt_regs(current);
+                struct pt_regs *gpregs = (struct pt_regs *)this_cpu_read(cpu_tss_rw.x86_tss.sp0) - 1;
 
-                /* Fake a #GP(0) from userspace. */
-                memmove(&normal_regs->ip, (void *)regs->sp, 5*8);
-                normal_regs->orig_ax = 0;  /* Missing (lost) #GP error code */
+                /*
+                 * regs->sp points to the failing IRET frame on the
+                 * ESPFIX64 stack.  Copy it to the entry stack.  This fills
+                 * in gpregs->ss through gpregs->ip.
+                 *
+                 */
+                memmove(&gpregs->ip, (void *)regs->sp, 5*8);
+                gpregs->orig_ax = 0;  /* Missing (lost) #GP error code */
+
+                /*
+                 * Adjust our frame so that we return straight to the #GP
+                 * vector with the expected RSP value.  This is safe because
+                 * we won't enable interupts or schedule before we invoke
+                 * general_protection, so nothing will clobber the stack
+                 * frame we just set up.
+                 */
                 regs->ip = (unsigned long)general_protection;
-                regs->sp = (unsigned long)&normal_regs->orig_ax;
+                regs->sp = (unsigned long)&gpregs->orig_ax;
 
                 return;
         }
@@ -389,7 +408,7 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
          *
          *   Processors update CR2 whenever a page fault is detected. If a
          *   second page fault occurs while an earlier page fault is being
-         *   deliv- ered, the faulting linear address of the second fault will
+         *   delivered, the faulting linear address of the second fault will
          *   overwrite the contents of CR2 (replacing the previous
          *   address). These updates to CR2 occur even if the page fault
          *   results in a double fault or occurs during the delivery of a
@@ -605,14 +624,15 @@ NOKPROBE_SYMBOL(do_int3);
 
 #ifdef CONFIG_X86_64
 /*
- * Help handler running on IST stack to switch off the IST stack if the
- * interrupted code was in user mode. The actual stack switch is done in
- * entry_64.S
+ * Help handler running on a per-cpu (IST or entry trampoline) stack
+ * to switch to the normal thread stack if the interrupted code was in
+ * user mode. The actual stack switch is done in entry_64.S
  */
 asmlinkage __visible notrace struct pt_regs *sync_regs(struct pt_regs *eregs)
 {
-        struct pt_regs *regs = task_pt_regs(current);
-        *regs = *eregs;
+        struct pt_regs *regs = (struct pt_regs *)this_cpu_read(cpu_current_top_of_stack) - 1;
+        if (regs != eregs)
+                *regs = *eregs;
         return regs;
 }
 NOKPROBE_SYMBOL(sync_regs);
@@ -628,13 +648,13 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
         /*
          * This is called from entry_64.S early in handling a fault
          * caused by a bad iret to user mode.  To handle the fault
-         * correctly, we want move our stack frame to task_pt_regs
-         * and we want to pretend that the exception came from the
-         * iret target.
+         * correctly, we want to move our stack frame to where it would
+         * be had we entered directly on the entry stack (rather than
+         * just below the IRET frame) and we want to pretend that the
+         * exception came from the IRET target.
          */
         struct bad_iret_stack *new_stack =
-                container_of(task_pt_regs(current),
-                             struct bad_iret_stack, regs);
+                (struct bad_iret_stack *)this_cpu_read(cpu_tss_rw.x86_tss.sp0) - 1;
 
         /* Copy the IRET target to the new stack. */
         memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
@@ -795,14 +815,6 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
         debug_stack_usage_dec();
 
 exit:
-#if defined(CONFIG_X86_32)
-        /*
-         * This is the most likely code path that involves non-trivial use
-         * of the SYSENTER stack.  Check that we haven't overrun it.
-         */
-        WARN(this_cpu_read(cpu_tss.SYSENTER_stack_canary) != STACK_END_MAGIC,
-             "Overran or corrupted SYSENTER stack\n");
-#endif
         ist_exit(regs);
 }
 NOKPROBE_SYMBOL(do_debug);
@@ -929,6 +941,9 @@ dotraplinkage void do_iret_error(struct pt_regs *regs, long error_code)
 
 void __init trap_init(void)
 {
+        /* Init cpu_entry_area before IST entries are set up */
+        setup_cpu_entry_areas();
+
         idt_setup_traps();
 
         /*
diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
index a3f973b2c97a..be86a865087a 100644
--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -253,22 +253,15 @@ unsigned long *unwind_get_return_address_ptr(struct unwind_state *state)
         return NULL;
 }
 
-static bool stack_access_ok(struct unwind_state *state, unsigned long addr,
+static bool stack_access_ok(struct unwind_state *state, unsigned long _addr,
                             size_t len)
 {
         struct stack_info *info = &state->stack_info;
+        void *addr = (void *)_addr;
 
-        /*
-         * If the address isn't on the current stack, switch to the next one.
-         *
-         * We may have to traverse multiple stacks to deal with the possibility
-         * that info->next_sp could point to an empty stack and the address
-         * could be on a subsequent stack.
-         */
-        while (!on_stack(info, (void *)addr, len))
-                if (get_stack_info(info->next_sp, state->task, info,
-                                   &state->stack_mask))
-                        return false;
+        if (!on_stack(info, addr, len) &&
+            (get_stack_info(addr, state->task, info, &state->stack_mask)))
+                return false;
 
         return true;
 }
@@ -283,42 +276,32 @@ static bool deref_stack_reg(struct unwind_state *state, unsigned long addr,
         return true;
 }
 
-#define REGS_SIZE (sizeof(struct pt_regs))
-#define SP_OFFSET (offsetof(struct pt_regs, sp))
-#define IRET_REGS_SIZE (REGS_SIZE - offsetof(struct pt_regs, ip))
-#define IRET_SP_OFFSET (SP_OFFSET - offsetof(struct pt_regs, ip))
-
 static bool deref_stack_regs(struct unwind_state *state, unsigned long addr,
-                             unsigned long *ip, unsigned long *sp, bool full)
+                             unsigned long *ip, unsigned long *sp)
 {
-        size_t regs_size = full ? REGS_SIZE : IRET_REGS_SIZE;
-        size_t sp_offset = full ? SP_OFFSET : IRET_SP_OFFSET;
-        struct pt_regs *regs = (struct pt_regs *)(addr + regs_size - REGS_SIZE);
-
-        if (IS_ENABLED(CONFIG_X86_64)) {
-                if (!stack_access_ok(state, addr, regs_size))
-                        return false;
+        struct pt_regs *regs = (struct pt_regs *)addr;
 
-                *ip = regs->ip;
-                *sp = regs->sp;
+        /* x86-32 support will be more complicated due to the &regs->sp hack */
+        BUILD_BUG_ON(IS_ENABLED(CONFIG_X86_32));
 
-                return true;
-        }
-
-        if (!stack_access_ok(state, addr, sp_offset))
+        if (!stack_access_ok(state, addr, sizeof(struct pt_regs)))
                 return false;
 
         *ip = regs->ip;
+        *sp = regs->sp;
+        return true;
+}
 
-        if (user_mode(regs)) {
-                if (!stack_access_ok(state, addr + sp_offset,
-                                     REGS_SIZE - SP_OFFSET))
-                        return false;
+static bool deref_stack_iret_regs(struct unwind_state *state, unsigned long addr,
+                                  unsigned long *ip, unsigned long *sp)
+{
+        struct pt_regs *regs = (void *)addr - IRET_FRAME_OFFSET;
 
-                *sp = regs->sp;
-        } else
-                *sp = (unsigned long)&regs->sp;
+        if (!stack_access_ok(state, addr, IRET_FRAME_SIZE))
+                return false;
 
+        *ip = regs->ip;
+        *sp = regs->sp;
         return true;
 }
 
@@ -327,7 +310,6 @@ bool unwind_next_frame(struct unwind_state *state)
         unsigned long ip_p, sp, orig_ip, prev_sp = state->sp;
         enum stack_type prev_type = state->stack_info.type;
         struct orc_entry *orc;
-        struct pt_regs *ptregs;
         bool indirect = false;
 
         if (unwind_done(state))
@@ -435,7 +417,7 @@ bool unwind_next_frame(struct unwind_state *state)
                 break;
 
         case ORC_TYPE_REGS:
-                if (!deref_stack_regs(state, sp, &state->ip, &state->sp, true)) {
+                if (!deref_stack_regs(state, sp, &state->ip, &state->sp)) {
                         orc_warn("can't dereference registers at %p for ip %pB\n",
                                  (void *)sp, (void *)orig_ip);
                         goto done;
@@ -447,20 +429,14 @@ bool unwind_next_frame(struct unwind_state *state)
                 break;
 
         case ORC_TYPE_REGS_IRET:
-                if (!deref_stack_regs(state, sp, &state->ip, &state->sp, false)) {
+                if (!deref_stack_iret_regs(state, sp, &state->ip, &state->sp)) {
                         orc_warn("can't dereference iret registers at %p for ip %pB\n",
                                  (void *)sp, (void *)orig_ip);
                         goto done;
                 }
 
-                ptregs = container_of((void *)sp, struct pt_regs, ip);
-                if ((unsigned long)ptregs >= prev_sp &&
-                    on_stack(&state->stack_info, ptregs, REGS_SIZE)) {
-                        state->regs = ptregs;
-                        state->full_regs = false;
-                } else
-                        state->regs = NULL;
-
+                state->regs = (void *)sp - IRET_FRAME_OFFSET;
+                state->full_regs = false;
                 state->signal = true;
                 break;
 
@@ -553,8 +529,18 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
         }
 
         if (get_stack_info((unsigned long *)state->sp, state->task,
-                           &state->stack_info, &state->stack_mask))
-                return;
+                           &state->stack_info, &state->stack_mask)) {
+                /*
+                 * We weren't on a valid stack.  It's possible that
+                 * we overflowed a valid stack into a guard page.
+                 * See if the next page up is valid so that we can
+                 * generate some kind of backtrace if this happens.
+                 */
+                void *next_page = (void *)PAGE_ALIGN((unsigned long)state->sp);
+                if (get_stack_info(next_page, state->task, &state->stack_info,
+                                   &state->stack_mask))
+                        return;
+        }
 
         /*
          * The caller can provide the address of the first frame directly
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index a4009fb9be87..d2a8b5a24a44 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -107,6 +107,15 @@ SECTIONS
                 SOFTIRQENTRY_TEXT
                 *(.fixup)
                 *(.gnu.warning)
+
+#ifdef CONFIG_X86_64
+                . = ALIGN(PAGE_SIZE);
+                _entry_trampoline = .;
+                *(.entry_trampoline)
+                . = ALIGN(PAGE_SIZE);
+                ASSERT(. - _entry_trampoline == PAGE_SIZE, "entry trampoline is too big");
+#endif
+
                 /* End of text section */
                 _etext = .;
         } :text = 0x9090
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index abe74f779f9d..b514b2b2845a 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2390,9 +2390,21 @@ static int rsm_load_seg_64(struct x86_emulate_ctxt *ctxt, u64 smbase, int n)
 }
 
 static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
-                                     u64 cr0, u64 cr4)
+                                    u64 cr0, u64 cr3, u64 cr4)
 {
         int bad;
+        u64 pcid;
+
+        /* In order to later set CR4.PCIDE, CR3[11:0] must be zero.  */
+        pcid = 0;
+        if (cr4 & X86_CR4_PCIDE) {
+                pcid = cr3 & 0xfff;
+                cr3 &= ~0xfff;
+        }
+
+        bad = ctxt->ops->set_cr(ctxt, 3, cr3);
+        if (bad)
+                return X86EMUL_UNHANDLEABLE;
 
         /*
          * First enable PAE, long mode needs it before CR0.PG = 1 is set.
@@ -2411,6 +2423,12 @@ static int rsm_enter_protected_mode(struct x86_emulate_ctxt *ctxt,
                 bad = ctxt->ops->set_cr(ctxt, 4, cr4);
                 if (bad)
                         return X86EMUL_UNHANDLEABLE;
+                if (pcid) {
+                        bad = ctxt->ops->set_cr(ctxt, 3, cr3 | pcid);
+                        if (bad)
+                                return X86EMUL_UNHANDLEABLE;
+                }
+
         }
 
         return X86EMUL_CONTINUE;
@@ -2421,11 +2439,11 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt, u64 smbase)
         struct desc_struct desc;
         struct desc_ptr dt;
         u16 selector;
-        u32 val, cr0, cr4;
+        u32 val, cr0, cr3, cr4;
         int i;
 
         cr0 =                      GET_SMSTATE(u32, smbase, 0x7ffc);
-        ctxt->ops->set_cr(ctxt, 3, GET_SMSTATE(u32, smbase, 0x7ff8));
+        cr3 =                      GET_SMSTATE(u32, smbase, 0x7ff8);
         ctxt->eflags =             GET_SMSTATE(u32, smbase, 0x7ff4) | X86_EFLAGS_FIXED;
         ctxt->_eip =               GET_SMSTATE(u32, smbase, 0x7ff0);
 
@@ -2467,14 +2485,14 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt, u64 smbase)
 
         ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7ef8));
 
-        return rsm_enter_protected_mode(ctxt, cr0, cr4);
+        return rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
 }
 
 static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
 {
         struct desc_struct desc;
         struct desc_ptr dt;
-        u64 val, cr0, cr4;
+        u64 val, cr0, cr3, cr4;
         u32 base3;
         u16 selector;
         int i, r;
@@ -2491,7 +2509,7 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
         ctxt->ops->set_dr(ctxt, 7, (val & DR7_VOLATILE) | DR7_FIXED_1);
 
         cr0 =                       GET_SMSTATE(u64, smbase, 0x7f58);
-        ctxt->ops->set_cr(ctxt, 3,  GET_SMSTATE(u64, smbase, 0x7f50));
+        cr3 =                       GET_SMSTATE(u64, smbase, 0x7f50);
         cr4 =                       GET_SMSTATE(u64, smbase, 0x7f48);
         ctxt->ops->set_smbase(ctxt, GET_SMSTATE(u32, smbase, 0x7f00));
         val =                       GET_SMSTATE(u64, smbase, 0x7ed0);
@@ -2519,7 +2537,7 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u64 smbase)
         dt.address =                GET_SMSTATE(u64, smbase, 0x7e68);
         ctxt->ops->set_gdt(ctxt, &dt);
 
-        r = rsm_enter_protected_mode(ctxt, cr0, cr4);
+        r = rsm_enter_protected_mode(ctxt, cr0, cr3, cr4);
         if (r != X86EMUL_CONTINUE)
                 return r;
 
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index e5e66e5c6640..c4deb1f34faa 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3395,7 +3395,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
                 spin_lock(&vcpu->kvm->mmu_lock);
                 if(make_mmu_pages_available(vcpu) < 0) {
                         spin_unlock(&vcpu->kvm->mmu_lock);
-                        return 1;
+                        return -ENOSPC;
                 }
                 sp = kvm_mmu_get_page(vcpu, 0, 0,
                                 vcpu->arch.mmu.shadow_root_level, 1, ACC_ALL);
@@ -3410,7 +3410,7 @@ static int mmu_alloc_direct_roots(struct kvm_vcpu *vcpu)
                         spin_lock(&vcpu->kvm->mmu_lock);
                         if (make_mmu_pages_available(vcpu) < 0) {
                                 spin_unlock(&vcpu->kvm->mmu_lock);
-                                return 1;
+                                return -ENOSPC;
                         }
                         sp = kvm_mmu_get_page(vcpu, i << (30 - PAGE_SHIFT),
                                         i << 30, PT32_ROOT_LEVEL, 1, ACC_ALL);
@@ -3450,7 +3450,7 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
                 spin_lock(&vcpu->kvm->mmu_lock);
                 if (make_mmu_pages_available(vcpu) < 0) {
                         spin_unlock(&vcpu->kvm->mmu_lock);
-                        return 1;
+                        return -ENOSPC;
                 }
                 sp = kvm_mmu_get_page(vcpu, root_gfn, 0,
                                 vcpu->arch.mmu.shadow_root_level, 0, ACC_ALL);
@@ -3487,7 +3487,7 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
                 spin_lock(&vcpu->kvm->mmu_lock);
                 if (make_mmu_pages_available(vcpu) < 0) {
                         spin_unlock(&vcpu->kvm->mmu_lock);
-                        return 1;
+                        return -ENOSPC;
                 }
                 sp = kvm_mmu_get_page(vcpu, root_gfn, i << 30, PT32_ROOT_LEVEL,
                                       0, ACC_ALL);
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 8eba631c4dbd..023afa0c8887 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2302,7 +2302,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
                  * processors.  See 22.2.4.
                  */
                 vmcs_writel(HOST_TR_BASE,
-                            (unsigned long)this_cpu_ptr(&cpu_tss));
+                            (unsigned long)&get_cpu_entry_area(cpu)->tss.x86_tss);
                 vmcs_writel(HOST_GDTR_BASE, (unsigned long)gdt);   /* 22.2.4 */
 
                 /*
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index faf843c9b916..1cec2c62a0b0 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4384,7 +4384,7 @@ static int vcpu_mmio_read(struct kvm_vcpu *vcpu, gpa_t addr, int len, void *v)
                                          addr, n, v))
                     && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
                         break;
-                trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
+                trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
                 handled += n;
                 addr += n;
                 len -= n;
@@ -4643,7 +4643,7 @@ static int read_prepare(struct kvm_vcpu *vcpu, void *val, int bytes)
 {
         if (vcpu->mmio_read_completed) {
                 trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
-                               vcpu->mmio_fragments[0].gpa, *(u64 *)val);
+                               vcpu->mmio_fragments[0].gpa, val);
                 vcpu->mmio_read_completed = 0;
                 return 1;
         }
@@ -4665,14 +4665,14 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa,
 
 static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
 {
-        trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
+        trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
         return vcpu_mmio_write(vcpu, gpa, bytes, val);
 }
 
 static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
                           void *val, int bytes)
 {
-        trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
+        trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
         return X86EMUL_IO_NEEDED;
 }
 
@@ -7264,13 +7264,12 @@ static int complete_emulated_mmio(struct kvm_vcpu *vcpu)
 
 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
 {
-        struct fpu *fpu = &current->thread.fpu;
         int r;
 
-        fpu__initialize(fpu);
-
         kvm_sigset_activate(vcpu);
 
+        kvm_load_guest_fpu(vcpu);
+
         if (unlikely(vcpu->arch.mp_state == KVM_MP_STATE_UNINITIALIZED)) {
                 if (kvm_run->immediate_exit) {
                         r = -EINTR;
@@ -7296,14 +7295,12 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                 }
         }
 
-        kvm_load_guest_fpu(vcpu);
-
         if (unlikely(vcpu->arch.complete_userspace_io)) {
                 int (*cui)(struct kvm_vcpu *) = vcpu->arch.complete_userspace_io;
                 vcpu->arch.complete_userspace_io = NULL;
                 r = cui(vcpu);
                 if (r <= 0)
-                        goto out_fpu;
+                        goto out;
         } else
                 WARN_ON(vcpu->arch.pio.count || vcpu->mmio_needed);
 
@@ -7312,9 +7309,8 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
         else
                 r = vcpu_run(vcpu);
 
-out_fpu:
-        kvm_put_guest_fpu(vcpu);
 out:
+        kvm_put_guest_fpu(vcpu);
         post_kvm_run_save(vcpu);
         kvm_sigset_deactivate(vcpu);
 
@@ -7384,7 +7380,7 @@ int kvm_arch_vcpu_ioctl_set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
 #endif
 
         kvm_rip_write(vcpu, regs->rip);
-        kvm_set_rflags(vcpu, regs->rflags);
+        kvm_set_rflags(vcpu, regs->rflags | X86_EFLAGS_FIXED);
 
         vcpu->arch.exception.pending = false;
 
@@ -7498,6 +7494,29 @@ int kvm_task_switch(struct kvm_vcpu *vcpu, u16 tss_selector, int idt_index,
 }
 EXPORT_SYMBOL_GPL(kvm_task_switch);
 
+int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
+{
+        if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG_BIT)) {
+                /*
+                 * When EFER.LME and CR0.PG are set, the processor is in
+                 * 64-bit mode (though maybe in a 32-bit code segment).
+                 * CR4.PAE and EFER.LMA must be set.
+                 */
+                if (!(sregs->cr4 & X86_CR4_PAE_BIT)
+                    || !(sregs->efer & EFER_LMA))
+                        return -EINVAL;
+        } else {
+                /*
+                 * Not in 64-bit mode: EFER.LMA is clear and the code
+                 * segment cannot be 64-bit.
+                 */
+                if (sregs->efer & EFER_LMA || sregs->cs.l)
+                        return -EINVAL;
+        }
+
+        return 0;
+}
+
 int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
                                   struct kvm_sregs *sregs)
 {
@@ -7510,6 +7529,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
                         (sregs->cr4 & X86_CR4_OSXSAVE))
                 return -EINVAL;
 
+        if (kvm_valid_sregs(vcpu, sregs))
+                return -EINVAL;
+
         apic_base_msr.data = sregs->apic_base;
         apic_base_msr.host_initiated = true;
         if (kvm_set_apic_base(vcpu, &apic_base_msr))
diff --git a/arch/x86/lib/delay.c b/arch/x86/lib/delay.c
index 553f8fd23cc4..4846eff7e4c8 100644
--- a/arch/x86/lib/delay.c
+++ b/arch/x86/lib/delay.c
@@ -107,10 +107,10 @@ static void delay_mwaitx(unsigned long __loops)
                 delay = min_t(u64, MWAITX_MAX_LOOPS, loops);
 
                 /*
-                 * Use cpu_tss as a cacheline-aligned, seldomly
+                 * Use cpu_tss_rw as a cacheline-aligned, seldomly
                  * accessed per-cpu variable as the monitor target.
                  */
-                __monitorx(raw_cpu_ptr(&cpu_tss), 0, 0);
+                __monitorx(raw_cpu_ptr(&cpu_tss_rw), 0, 0);
 
                 /*
                  * AMD, like Intel, supports the EAX hint and EAX=0xf
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index febf6980e653..06fe3d51d385 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -860,7 +860,7 @@ show_signal_msg(struct pt_regs *regs, unsigned long error_code,
         if (!printk_ratelimit())
                 return;
 
-        printk("%s%s[%d]: segfault at %lx ip %p sp %p error %lx",
+        printk("%s%s[%d]: segfault at %lx ip %px sp %px error %lx",
                 task_pid_nr(tsk) > 1 ? KERN_INFO : KERN_EMERG,
                 tsk->comm, task_pid_nr(tsk), address,
                 (void *)regs->ip, (void *)regs->sp, error_code);
diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c
index 99dfed6dfef8..9ec70d780f1f 100644
--- a/arch/x86/mm/kasan_init_64.c
+++ b/arch/x86/mm/kasan_init_64.c
@@ -277,6 +277,7 @@ void __init kasan_early_init(void)
 void __init kasan_init(void)
 {
         int i;
+        void *shadow_cpu_entry_begin, *shadow_cpu_entry_end;
 
 #ifdef CONFIG_KASAN_INLINE
         register_die_notifier(&kasan_die_notifier);
@@ -329,8 +330,23 @@ void __init kasan_init(void)
                               (unsigned long)kasan_mem_to_shadow(_end),
                               early_pfn_to_nid(__pa(_stext)));
 
+        shadow_cpu_entry_begin = (void *)__fix_to_virt(FIX_CPU_ENTRY_AREA_BOTTOM);
+        shadow_cpu_entry_begin = kasan_mem_to_shadow(shadow_cpu_entry_begin);
+        shadow_cpu_entry_begin = (void *)round_down((unsigned long)shadow_cpu_entry_begin,
+                                                PAGE_SIZE);
+
+        shadow_cpu_entry_end = (void *)(__fix_to_virt(FIX_CPU_ENTRY_AREA_TOP) + PAGE_SIZE);
+        shadow_cpu_entry_end = kasan_mem_to_shadow(shadow_cpu_entry_end);
+        shadow_cpu_entry_end = (void *)round_up((unsigned long)shadow_cpu_entry_end,
+                                        PAGE_SIZE);
+
         kasan_populate_zero_shadow(kasan_mem_to_shadow((void *)MODULES_END),
-                        (void *)KASAN_SHADOW_END);
+                                   shadow_cpu_entry_begin);
+
+        kasan_populate_shadow((unsigned long)shadow_cpu_entry_begin,
+                              (unsigned long)shadow_cpu_entry_end, 0);
+
+        kasan_populate_zero_shadow(shadow_cpu_entry_end, (void *)KASAN_SHADOW_END);
 
         load_cr3(init_top_pgt);
         __flush_tlb_all();
diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
index 36a28eddb435..a7d966964c6f 100644
--- a/arch/x86/power/cpu.c
+++ b/arch/x86/power/cpu.c
@@ -152,17 +152,19 @@ static void do_fpu_end(void)
 static void fix_processor_context(void)
 {
         int cpu = smp_processor_id();
-        struct tss_struct *t = &per_cpu(cpu_tss, cpu);
 #ifdef CONFIG_X86_64
         struct desc_struct *desc = get_cpu_gdt_rw(cpu);
         tss_desc tss;
 #endif
-        set_tss_desc(cpu, t);   /*
-                                 * This just modifies memory; should not be
-                                 * necessary. But... This is necessary, because
-                                 * 386 hardware has concept of busy TSS or some
-                                 * similar stupidity.
-                                 */
+
+        /*
+         * We need to reload TR, which requires that we change the
+         * GDT entry to indicate "available" first.
+         *
+         * XXX: This could probably all be replaced by a call to
+         * force_reload_TR().
+         */
+        set_tss_desc(cpu, &get_cpu_entry_area(cpu)->tss.x86_tss);
 
 #ifdef CONFIG_X86_64
         memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc));
diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index f2414c6c5e7c..7beeee1443b3 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -826,7 +826,7 @@ static void xen_load_sp0(unsigned long sp0)
         mcs = xen_mc_entry(0);
         MULTI_stack_switch(mcs.mc, __KERNEL_DS, sp0);
         xen_mc_issue(PARAVIRT_LAZY_CPU);
-        this_cpu_write(cpu_tss.x86_tss.sp0, sp0);
+        this_cpu_write(cpu_tss_rw.x86_tss.sp0, sp0);
 }
 
 void xen_set_iopl_mask(unsigned mask)
diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
index fc048ec686e7..6cf801ca1142 100644
--- a/arch/x86/xen/mmu_pv.c
+++ b/arch/x86/xen/mmu_pv.c
@@ -2272,7 +2272,7 @@ static void xen_set_fixmap(unsigned idx, phys_addr_t phys, pgprot_t prot)
 #endif
         case FIX_TEXT_POKE0:
         case FIX_TEXT_POKE1:
-        case FIX_GDT_REMAP_BEGIN ... FIX_GDT_REMAP_END:
+        case FIX_CPU_ENTRY_AREA_TOP ... FIX_CPU_ENTRY_AREA_BOTTOM:
                 /* All local page mappings */
                 pte = pfn_pte(phys, prot);
                 break;
diff --git a/block/bio.c b/block/bio.c
index 8bfdea58159b..9ef6cf3addb3 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -599,6 +599,8 @@ void __bio_clone_fast(struct bio *bio, struct bio *bio_src)
         bio->bi_disk = bio_src->bi_disk;
         bio->bi_partno = bio_src->bi_partno;
         bio_set_flag(bio, BIO_CLONED);
+        if (bio_flagged(bio_src, BIO_THROTTLED))
+                bio_set_flag(bio, BIO_THROTTLED);
         bio->bi_opf = bio_src->bi_opf;
         bio->bi_write_hint = bio_src->bi_write_hint;
         bio->bi_iter = bio_src->bi_iter;
diff --git a/block/blk-map.c b/block/blk-map.c
index b21f8e86f120..d3a94719f03f 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -12,22 +12,29 @@
 #include "blk.h"
 
 /*
- * Append a bio to a passthrough request.  Only works can be merged into
- * the request based on the driver constraints.
+ * Append a bio to a passthrough request.  Only works if the bio can be merged
+ * into the request based on the driver constraints.
  */
-int blk_rq_append_bio(struct request *rq, struct bio *bio)
+int blk_rq_append_bio(struct request *rq, struct bio **bio)
 {
-        blk_queue_bounce(rq->q, &bio);
+        struct bio *orig_bio = *bio;
+
+        blk_queue_bounce(rq->q, bio);
 
         if (!rq->bio) {
-                blk_rq_bio_prep(rq->q, rq, bio);
+                blk_rq_bio_prep(rq->q, rq, *bio);
         } else {
-                if (!ll_back_merge_fn(rq->q, rq, bio))
+                if (!ll_back_merge_fn(rq->q, rq, *bio)) {
+                        if (orig_bio != *bio) {
+                                bio_put(*bio);
+                                *bio = orig_bio;
+                        }
                         return -EINVAL;
+                }
 
-                rq->biotail->bi_next = bio;
-                rq->biotail = bio;
-                rq->__data_len += bio->bi_iter.bi_size;
+                rq->biotail->bi_next = *bio;
+                rq->biotail = *bio;
+                rq->__data_len += (*bio)->bi_iter.bi_size;
         }
 
         return 0;
@@ -73,14 +80,12 @@ static int __blk_rq_map_user_iov(struct request *rq,
          * We link the bounce buffer in and could have to traverse it
          * later so we have to get a ref to prevent it from being freed
          */
-        ret = blk_rq_append_bio(rq, bio);
-        bio_get(bio);
+        ret = blk_rq_append_bio(rq, &bio);
         if (ret) {
-                bio_endio(bio);
                 __blk_rq_unmap_user(orig_bio);
-                bio_put(bio);
                 return ret;
         }
+        bio_get(bio);
 
         return 0;
 }
@@ -213,7 +218,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
         int reading = rq_data_dir(rq) == READ;
         unsigned long addr = (unsigned long) kbuf;
         int do_copy = 0;
-        struct bio *bio;
+        struct bio *bio, *orig_bio;
         int ret;
 
         if (len > (queue_max_hw_sectors(q) << 9))
@@ -236,10 +241,11 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
         if (do_copy)
                 rq->rq_flags |= RQF_COPY_USER;
 
-        ret = blk_rq_append_bio(rq, bio);
+        orig_bio = bio;
+        ret = blk_rq_append_bio(rq, &bio);
         if (unlikely(ret)) {
                 /* request is too big */
-                bio_put(bio);
+                bio_put(orig_bio);
                 return ret;
         }
 
diff --git a/block/blk-throttle.c b/block/blk-throttle.c
index 825bc29767e6..d19f416d6101 100644
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -2226,13 +2226,7 @@ again:
 out_unlock:
         spin_unlock_irq(q->queue_lock);
 out:
-        /*
-         * As multiple blk-throtls may stack in the same issue path, we
-         * don't want bios to leave with the flag set.  Clear the flag if
-         * being issued.
-         */
-        if (!throttled)
-                bio_clear_flag(bio, BIO_THROTTLED);
+        bio_set_flag(bio, BIO_THROTTLED);
 
 #ifdef CONFIG_BLK_DEV_THROTTLING_LOW
         if (throttled || !td->track_bio_latency)
diff --git a/block/bounce.c b/block/bounce.c
index fceb1a96480b..1d05c422c932 100644
--- a/block/bounce.c
+++ b/block/bounce.c
@@ -200,6 +200,7 @@ static void __blk_queue_bounce(struct request_queue *q, struct bio **bio_orig,
         unsigned i = 0;
         bool bounce = false;
         int sectors = 0;
+        bool passthrough = bio_is_passthrough(*bio_orig);
 
         bio_for_each_segment(from, *bio_orig, iter) {
                 if (i++ < BIO_MAX_PAGES)
@@ -210,13 +211,14 @@ static void __blk_queue_bounce(struct request_queue *q, struct bio **bio_orig,
         if (!bounce)
                 return;
 
-        if (sectors < bio_sectors(*bio_orig)) {
+        if (!passthrough && sectors < bio_sectors(*bio_orig)) {
                 bio = bio_split(*bio_orig, sectors, GFP_NOIO, bounce_bio_split);
                 bio_chain(bio, *bio_orig);
                 generic_make_request(*bio_orig);
                 *bio_orig = bio;
         }
-        bio = bio_clone_bioset(*bio_orig, GFP_NOIO, bounce_bio_set);
+        bio = bio_clone_bioset(*bio_orig, GFP_NOIO, passthrough ? NULL :
+                        bounce_bio_set);
 
         bio_for_each_segment_all(to, bio, i) {
                 struct page *page = to->bv_page;
diff --git a/block/kyber-iosched.c b/block/kyber-iosched.c
index b4df317c2916..f95c60774ce8 100644
--- a/block/kyber-iosched.c
+++ b/block/kyber-iosched.c
@@ -100,9 +100,13 @@ struct kyber_hctx_data {
         unsigned int cur_domain;
         unsigned int batching;
         wait_queue_entry_t domain_wait[KYBER_NUM_DOMAINS];
+        struct sbq_wait_state *domain_ws[KYBER_NUM_DOMAINS];
         atomic_t wait_index[KYBER_NUM_DOMAINS];
 };
 
+static int kyber_domain_wake(wait_queue_entry_t *wait, unsigned mode, int flags,
+                             void *key);
+
 static int rq_sched_domain(const struct request *rq)
 {
         unsigned int op = rq->cmd_flags;
@@ -385,6 +389,9 @@ static int kyber_init_hctx(struct blk_mq_hw_ctx *hctx, unsigned int hctx_idx)
 
         for (i = 0; i < KYBER_NUM_DOMAINS; i++) {
                 INIT_LIST_HEAD(&khd->rqs[i]);
+                init_waitqueue_func_entry(&khd->domain_wait[i],
+                                          kyber_domain_wake);
+                khd->domain_wait[i].private = hctx;
                 INIT_LIST_HEAD(&khd->domain_wait[i].entry);
                 atomic_set(&khd->wait_index[i], 0);
         }
@@ -524,35 +531,39 @@ static int kyber_get_domain_token(struct kyber_queue_data *kqd,
         int nr;
 
         nr = __sbitmap_queue_get(domain_tokens);
-        if (nr >= 0)
-                return nr;
 
         /*
          * If we failed to get a domain token, make sure the hardware queue is
          * run when one becomes available. Note that this is serialized on
          * khd->lock, but we still need to be careful about the waker.
          */
-        if (list_empty_careful(&wait->entry)) {
-                init_waitqueue_func_entry(wait, kyber_domain_wake);
-                wait->private = hctx;
+        if (nr < 0 && list_empty_careful(&wait->entry)) {
                 ws = sbq_wait_ptr(domain_tokens,
                                   &khd->wait_index[sched_domain]);
+                khd->domain_ws[sched_domain] = ws;
                 add_wait_queue(&ws->wait, wait);
 
                 /*
                  * Try again in case a token was freed before we got on the wait
-                 * queue. The waker may have already removed the entry from the
-                 * wait queue, but list_del_init() is okay with that.
+                 * queue.
                  */
                 nr = __sbitmap_queue_get(domain_tokens);
-                if (nr >= 0) {
-                        unsigned long flags;
+        }
 
-                        spin_lock_irqsave(&ws->wait.lock, flags);
-                        list_del_init(&wait->entry);
-                        spin_unlock_irqrestore(&ws->wait.lock, flags);
-                }
+        /*
+         * If we got a token while we were on the wait queue, remove ourselves
+         * from the wait queue to ensure that all wake ups make forward
+         * progress. It's possible that the waker already deleted the entry
+         * between the !list_empty_careful() check and us grabbing the lock, but
+         * list_del_init() is okay with that.
+         */
+        if (nr >= 0 && !list_empty_careful(&wait->entry)) {
+                ws = khd->domain_ws[sched_domain];
+                spin_lock_irq(&ws->wait.lock);
+                list_del_init(&wait->entry);
+                spin_unlock_irq(&ws->wait.lock);
         }
+
         return nr;
 }
 
diff --git a/drivers/acpi/apei/erst.c b/drivers/acpi/apei/erst.c
index 6742f6c68034..9bff853e85f3 100644
--- a/drivers/acpi/apei/erst.c
+++ b/drivers/acpi/apei/erst.c
@@ -1007,7 +1007,7 @@ skip:
         /* The record may be cleared by others, try read next record */
         if (len == -ENOENT)
                 goto skip;
-        else if (len < sizeof(*rcd)) {
+        else if (len < 0 || len < sizeof(*rcd)) {
                 rc = -EIO;
                 goto out;
         }
diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
index 30e84cc600ae..06ea4749ebd9 100644
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -1171,7 +1171,7 @@ int cppc_set_perf(int cpu, struct cppc_perf_ctrls *perf_ctrls)
         struct cpc_desc *cpc_desc = per_cpu(cpc_desc_ptr, cpu);
         struct cpc_register_resource *desired_reg;
         int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu);
-        struct cppc_pcc_data *pcc_ss_data = pcc_data[pcc_ss_id];
+        struct cppc_pcc_data *pcc_ss_data;
         int ret = 0;
 
         if (!cpc_desc || pcc_ss_id < 0) {
diff --git a/drivers/block/null_blk.c b/drivers/block/null_blk.c
index ccb9975a97fa..ad0477ae820f 100644
--- a/drivers/block/null_blk.c
+++ b/drivers/block/null_blk.c
@@ -35,13 +35,13 @@ static inline u64 mb_per_tick(int mbps)
 struct nullb_cmd {
         struct list_head list;
         struct llist_node ll_list;
-        call_single_data_t csd;
+        struct __call_single_data csd;
         struct request *rq;
         struct bio *bio;
         unsigned int tag;
+        blk_status_t error;
         struct nullb_queue *nq;
         struct hrtimer timer;
-        blk_status_t error;
 };
 
 struct nullb_queue {
diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
index 58d4f4e1ad6a..ca38229b045a 100644
--- a/drivers/cpufreq/cpufreq_governor.c
+++ b/drivers/cpufreq/cpufreq_governor.c
@@ -22,6 +22,8 @@
 
 #include "cpufreq_governor.h"
 
+#define CPUFREQ_DBS_MIN_SAMPLING_INTERVAL       (2 * TICK_NSEC / NSEC_PER_USEC)
+
 static DEFINE_PER_CPU(struct cpu_dbs_info, cpu_dbs);
 
 static DEFINE_MUTEX(gov_dbs_data_mutex);
@@ -47,11 +49,15 @@ ssize_t store_sampling_rate(struct gov_attr_set *attr_set, const char *buf,
 {
         struct dbs_data *dbs_data = to_dbs_data(attr_set);
         struct policy_dbs_info *policy_dbs;
+        unsigned int sampling_interval;
         int ret;
-        ret = sscanf(buf, "%u", &dbs_data->sampling_rate);
-        if (ret != 1)
+
+        ret = sscanf(buf, "%u", &sampling_interval);
+        if (ret != 1 || sampling_interval < CPUFREQ_DBS_MIN_SAMPLING_INTERVAL)
                 return -EINVAL;
 
+        dbs_data->sampling_rate = sampling_interval;
+
         /*
          * We are operating under dbs_data->mutex and so the list and its
          * entries can't be freed concurrently.
@@ -430,7 +436,14 @@ int cpufreq_dbs_governor_init(struct cpufreq_policy *policy)
         if (ret)
                 goto free_policy_dbs_info;
 
-        dbs_data->sampling_rate = cpufreq_policy_transition_delay_us(policy);
+        /*
+         * The sampling interval should not be less than the transition latency
+         * of the CPU and it also cannot be too small for dbs_update() to work
+         * correctly.
+         */
+        dbs_data->sampling_rate = max_t(unsigned int,
+                                        CPUFREQ_DBS_MIN_SAMPLING_INTERVAL,
+                                        cpufreq_policy_transition_delay_us(policy));
 
         if (!have_governor_per_policy())
                 gov->gdbs_data = dbs_data;
diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c
index 628fe899cb48..d9b2c2de49c4 100644
--- a/drivers/cpufreq/imx6q-cpufreq.c
+++ b/drivers/cpufreq/imx6q-cpufreq.c
@@ -226,17 +226,18 @@ static void imx6q_opp_check_speed_grading(struct device *dev)
         val >>= OCOTP_CFG3_SPEED_SHIFT;
         val &= 0x3;
 
-        if ((val != OCOTP_CFG3_SPEED_1P2GHZ) &&
-             of_machine_is_compatible("fsl,imx6q"))
-                if (dev_pm_opp_disable(dev, 1200000000))
-                        dev_warn(dev, "failed to disable 1.2GHz OPP\n");
         if (val < OCOTP_CFG3_SPEED_996MHZ)
                 if (dev_pm_opp_disable(dev, 996000000))
                         dev_warn(dev, "failed to disable 996MHz OPP\n");
-        if (of_machine_is_compatible("fsl,imx6q")) {
+
+        if (of_machine_is_compatible("fsl,imx6q") ||
+            of_machine_is_compatible("fsl,imx6qp")) {
                 if (val != OCOTP_CFG3_SPEED_852MHZ)
                         if (dev_pm_opp_disable(dev, 852000000))
                                 dev_warn(dev, "failed to disable 852MHz OPP\n");
+                if (val != OCOTP_CFG3_SPEED_1P2GHZ)
+                        if (dev_pm_opp_disable(dev, 1200000000))
+                                dev_warn(dev, "failed to disable 1.2GHz OPP\n");
         }
         iounmap(base);
 put_node:
diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
index fbab271b3bf9..a861b5b4d443 100644
--- a/drivers/dma/at_hdmac.c
+++ b/drivers/dma/at_hdmac.c
@@ -708,7 +708,7 @@ atc_prep_dma_interleaved(struct dma_chan *chan,
                          unsigned long flags)
 {
         struct at_dma_chan      *atchan = to_at_dma_chan(chan);
-        struct data_chunk       *first = xt->sgl;
+        struct data_chunk       *first;
         struct at_desc          *desc = NULL;
         size_t                  xfer_count;
         unsigned int            dwidth;
@@ -720,6 +720,8 @@ atc_prep_dma_interleaved(struct dma_chan *chan,
         if (unlikely(!xt || xt->numf != 1 || !xt->frame_size))
                 return NULL;
 
+        first = xt->sgl;
+
         dev_info(chan2dev(chan),
                  "%s: src=%pad, dest=%pad, numf=%d, frame_size=%d, flags=0x%lx\n",
                 __func__, &xt->src_start, &xt->dst_start, xt->numf,
diff --git a/drivers/dma/dma-jz4740.c b/drivers/dma/dma-jz4740.c
index d50273fed715..afd5e10f8927 100644
--- a/drivers/dma/dma-jz4740.c
+++ b/drivers/dma/dma-jz4740.c
@@ -555,7 +555,7 @@ static int jz4740_dma_probe(struct platform_device *pdev)
 
         ret = dma_async_device_register(dd);
         if (ret)
-                return ret;
+                goto err_clk;
 
         irq = platform_get_irq(pdev, 0);
         ret = request_irq(irq, jz4740_dma_irq, 0, dev_name(&pdev->dev), dmadev);
@@ -568,6 +568,8 @@ static int jz4740_dma_probe(struct platform_device *pdev)
 
 err_unregister:
         dma_async_device_unregister(dd);
+err_clk:
+        clk_disable_unprepare(dmadev->clk);
         return ret;
 }
 
diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
index 47edc7fbf91f..ec5f9d2bc820 100644
--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -155,6 +155,12 @@ MODULE_PARM_DESC(run, "Run the test (default: false)");
 #define PATTERN_COUNT_MASK      0x1f
 #define PATTERN_MEMSET_IDX      0x01
 
+/* poor man's completion - we want to use wait_event_freezable() on it */
+struct dmatest_done {
+        bool                    done;
+        wait_queue_head_t       *wait;
+};
+
 struct dmatest_thread {
         struct list_head        node;
         struct dmatest_info     *info;
@@ -165,6 +171,8 @@ struct dmatest_thread {
         u8                      **dsts;
         u8                      **udsts;
         enum dma_transaction_type type;
+        wait_queue_head_t done_wait;
+        struct dmatest_done test_done;
         bool                    done;
 };
 
@@ -342,18 +350,25 @@ static unsigned int dmatest_verify(u8 **bufs, unsigned int start,
         return error_count;
 }
 
-/* poor man's completion - we want to use wait_event_freezable() on it */
-struct dmatest_done {
-        bool                    done;
-        wait_queue_head_t       *wait;
-};
 
 static void dmatest_callback(void *arg)
 {
         struct dmatest_done *done = arg;
-
-        done->done = true;
-        wake_up_all(done->wait);
+        struct dmatest_thread *thread =
+                container_of(arg, struct dmatest_thread, done_wait);
+        if (!thread->done) {
+                done->done = true;
+                wake_up_all(done->wait);
+        } else {
+                /*
+                 * If thread->done, it means that this callback occurred
+                 * after the parent thread has cleaned up. This can
+                 * happen in the case that driver doesn't implement
+                 * the terminate_all() functionality and a dma operation
+                 * did not occur within the timeout period
+                 */
+                WARN(1, "dmatest: Kernel memory may be corrupted!!\n");
+        }
 }
 
 static unsigned int min_odd(unsigned int x, unsigned int y)
@@ -424,9 +439,8 @@ static unsigned long long dmatest_KBs(s64 runtime, unsigned long long len)
  */
 static int dmatest_func(void *data)
 {
-        DECLARE_WAIT_QUEUE_HEAD_ONSTACK(done_wait);
         struct dmatest_thread   *thread = data;
-        struct dmatest_done     done = { .wait = &done_wait };
+        struct dmatest_done     *done = &thread->test_done;
         struct dmatest_info     *info;
         struct dmatest_params   *params;
         struct dma_chan         *chan;
@@ -673,9 +687,9 @@ static int dmatest_func(void *data)
                         continue;
                 }
 
-                done.done = false;
+                done->done = false;
                 tx->callback = dmatest_callback;
-                tx->callback_param = &done;
+                tx->callback_param = done;
                 cookie = tx->tx_submit(tx);
 
                 if (dma_submit_error(cookie)) {
@@ -688,21 +702,12 @@ static int dmatest_func(void *data)
                 }
                 dma_async_issue_pending(chan);
 
-                wait_event_freezable_timeout(done_wait, done.done,
+                wait_event_freezable_timeout(thread->done_wait, done->done,
                                              msecs_to_jiffies(params->timeout));
 
                 status = dma_async_is_tx_complete(chan, cookie, NULL, NULL);
 
-                if (!done.done) {
-                        /*
-                         * We're leaving the timed out dma operation with
-                         * dangling pointer to done_wait.  To make this
-                         * correct, we'll need to allocate wait_done for
-                         * each test iteration and perform "who's gonna
-                         * free it this time?" dancing.  For now, just
-                         * leave it dangling.
-                         */
-                        WARN(1, "dmatest: Kernel stack may be corrupted!!\n");
+                if (!done->done) {
                         dmaengine_unmap_put(um);
                         result("test timed out", total_tests, src_off, dst_off,
                                len, 0);
@@ -789,7 +794,7 @@ err_thread_type:
                 dmatest_KBs(runtime, total_len), ret);
 
         /* terminate all transfers on specified channels */
-        if (ret)
+        if (ret || failed_tests)
                 dmaengine_terminate_all(chan);
 
         thread->done = true;
@@ -849,6 +854,8 @@ static int dmatest_add_threads(struct dmatest_info *info,
                 thread->info = info;
                 thread->chan = dtc->chan;
                 thread->type = type;
+                thread->test_done.wait = &thread->done_wait;
+                init_waitqueue_head(&thread->done_wait);
                 smp_wmb();
                 thread->task = kthread_create(dmatest_func, thread, "%s-%s%u",
                                 dma_chan_name(chan), op, i);
diff --git a/drivers/dma/fsl-edma.c b/drivers/dma/fsl-edma.c
index 6775f2c74e25..c7568869284e 100644
--- a/drivers/dma/fsl-edma.c
+++ b/drivers/dma/fsl-edma.c
@@ -863,11 +863,11 @@ static void fsl_edma_irq_exit(
         }
 }
 
-static void fsl_disable_clocks(struct fsl_edma_engine *fsl_edma)
+static void fsl_disable_clocks(struct fsl_edma_engine *fsl_edma, int nr_clocks)
 {
         int i;
 
-        for (i = 0; i < DMAMUX_NR; i++)
+        for (i = 0; i < nr_clocks; i++)
                 clk_disable_unprepare(fsl_edma->muxclk[i]);
 }
 
@@ -904,25 +904,25 @@ static int fsl_edma_probe(struct platform_device *pdev)
 
                 res = platform_get_resource(pdev, IORESOURCE_MEM, 1 + i);
                 fsl_edma->muxbase[i] = devm_ioremap_resource(&pdev->dev, res);
-                if (IS_ERR(fsl_edma->muxbase[i]))
+                if (IS_ERR(fsl_edma->muxbase[i])) {
+                        /* on error: disable all previously enabled clks */
+                        fsl_disable_clocks(fsl_edma, i);
                         return PTR_ERR(fsl_edma->muxbase[i]);
+                }
 
                 sprintf(clkname, "dmamux%d", i);
                 fsl_edma->muxclk[i] = devm_clk_get(&pdev->dev, clkname);
                 if (IS_ERR(fsl_edma->muxclk[i])) {
                         dev_err(&pdev->dev, "Missing DMAMUX block clock.\n");
+                        /* on error: disable all previously enabled clks */
+                        fsl_disable_clocks(fsl_edma, i);
                         return PTR_ERR(fsl_edma->muxclk[i]);
                 }
 
                 ret = clk_prepare_enable(fsl_edma->muxclk[i]);
-                if (ret) {
-                        /* disable only clks which were enabled on error */
-                        for (; i >= 0; i--)
-                                clk_disable_unprepare(fsl_edma->muxclk[i]);
-
-                        dev_err(&pdev->dev, "DMAMUX clk block failed.\n");
-                        return ret;
-                }
+                if (ret)
+                        /* on error: disable all previously enabled clks */
+                        fsl_disable_clocks(fsl_edma, i);
 
         }
 
@@ -976,7 +976,7 @@ static int fsl_edma_probe(struct platform_device *pdev)
         if (ret) {
                 dev_err(&pdev->dev,
                         "Can't register Freescale eDMA engine. (%d)\n", ret);
-                fsl_disable_clocks(fsl_edma);
+                fsl_disable_clocks(fsl_edma, DMAMUX_NR);
                 return ret;
         }
 
@@ -985,7 +985,7 @@ static int fsl_edma_probe(struct platform_device *pdev)
                 dev_err(&pdev->dev,
                         "Can't register Freescale eDMA of_dma. (%d)\n", ret);
                 dma_async_device_unregister(&fsl_edma->dma_dev);
-                fsl_disable_clocks(fsl_edma);
+                fsl_disable_clocks(fsl_edma, DMAMUX_NR);
                 return ret;
         }
 
@@ -1015,7 +1015,7 @@ static int fsl_edma_remove(struct platform_device *pdev)
         fsl_edma_cleanup_vchan(&fsl_edma->dma_dev);
         of_dma_controller_free(np);
         dma_async_device_unregister(&fsl_edma->dma_dev);
-        fsl_disable_clocks(fsl_edma);
+        fsl_disable_clocks(fsl_edma, DMAMUX_NR);
 
         return 0;
 }
diff --git a/drivers/dma/ioat/init.c b/drivers/dma/ioat/init.c
index 2f31d3d0caa6..7792a9186f9c 100644
--- a/drivers/dma/ioat/init.c
+++ b/drivers/dma/ioat/init.c
@@ -390,7 +390,7 @@ static int ioat_dma_self_test(struct ioatdma_device *ioat_dma)
         if (memcmp(src, dest, IOAT_TEST_SIZE)) {
                 dev_err(dev, "Self-test copy failed compare, disabling\n");
                 err = -ENODEV;
-                goto free_resources;
+                goto unmap_dma;
         }
 
 unmap_dma:
diff --git a/drivers/mfd/cros_ec_spi.c b/drivers/mfd/cros_ec_spi.c
index c9714072e224..59c82cdcf48d 100644
--- a/drivers/mfd/cros_ec_spi.c
+++ b/drivers/mfd/cros_ec_spi.c
@@ -377,6 +377,7 @@ static int cros_ec_pkt_xfer_spi(struct cros_ec_device *ec_dev,
         u8 *ptr;
         u8 *rx_buf;
         u8 sum;
+        u8 rx_byte;
         int ret = 0, final_ret;
 
         len = cros_ec_prepare_tx(ec_dev, ec_msg);
@@ -421,25 +422,22 @@ static int cros_ec_pkt_xfer_spi(struct cros_ec_device *ec_dev,
         if (!ret) {
                 /* Verify that EC can process command */
                 for (i = 0; i < len; i++) {
-                        switch (rx_buf[i]) {
-                        case EC_SPI_PAST_END:
-                        case EC_SPI_RX_BAD_DATA:
-                        case EC_SPI_NOT_READY:
-                                ret = -EAGAIN;
-                                ec_msg->result = EC_RES_IN_PROGRESS;
-                        default:
+                        rx_byte = rx_buf[i];
+                        if (rx_byte == EC_SPI_PAST_END  ||
+                            rx_byte == EC_SPI_RX_BAD_DATA ||
+                            rx_byte == EC_SPI_NOT_READY) {
+                                ret = -EREMOTEIO;
                                 break;
                         }
-                        if (ret)
-                                break;
                 }
-                if (!ret)
-                        ret = cros_ec_spi_receive_packet(ec_dev,
-                                        ec_msg->insize + sizeof(*response));
-        } else {
-                dev_err(ec_dev->dev, "spi transfer failed: %d\n", ret);
         }
 
+        if (!ret)
+                ret = cros_ec_spi_receive_packet(ec_dev,
+                                ec_msg->insize + sizeof(*response));
+        else
+                dev_err(ec_dev->dev, "spi transfer failed: %d\n", ret);
+
         final_ret = terminate_request(ec_dev);
 
         spi_bus_unlock(ec_spi->spi->master);
@@ -508,6 +506,7 @@ static int cros_ec_cmd_xfer_spi(struct cros_ec_device *ec_dev,
         int i, len;
         u8 *ptr;
         u8 *rx_buf;
+        u8 rx_byte;
         int sum;
         int ret = 0, final_ret;
 
@@ -544,25 +543,22 @@ static int cros_ec_cmd_xfer_spi(struct cros_ec_device *ec_dev,
         if (!ret) {
                 /* Verify that EC can process command */
                 for (i = 0; i < len; i++) {
-                        switch (rx_buf[i]) {
-                        case EC_SPI_PAST_END:
-                        case EC_SPI_RX_BAD_DATA:
-                        case EC_SPI_NOT_READY:
-                                ret = -EAGAIN;
-                                ec_msg->result = EC_RES_IN_PROGRESS;
-                        default:
+                        rx_byte = rx_buf[i];
+                        if (rx_byte == EC_SPI_PAST_END  ||
+                            rx_byte == EC_SPI_RX_BAD_DATA ||
+                            rx_byte == EC_SPI_NOT_READY) {
+                                ret = -EREMOTEIO;
                                 break;
                         }
-                        if (ret)
-                                break;
                 }
-                if (!ret)
-                        ret = cros_ec_spi_receive_response(ec_dev,
-                                        ec_msg->insize + EC_MSG_TX_PROTO_BYTES);
-        } else {
-                dev_err(ec_dev->dev, "spi transfer failed: %d\n", ret);
         }
 
+        if (!ret)
+                ret = cros_ec_spi_receive_response(ec_dev,
+                                ec_msg->insize + EC_MSG_TX_PROTO_BYTES);
+        else
+                dev_err(ec_dev->dev, "spi transfer failed: %d\n", ret);
+
         final_ret = terminate_request(ec_dev);
 
         spi_bus_unlock(ec_spi->spi->master);
@@ -667,6 +663,7 @@ static int cros_ec_spi_probe(struct spi_device *spi)
                            sizeof(struct ec_response_get_protocol_info);
         ec_dev->dout_size = sizeof(struct ec_host_request);
 
+        ec_spi->last_transfer_ns = ktime_get_ns();
 
         err = cros_ec_register(ec_dev);
         if (err) {
diff --git a/drivers/mfd/twl4030-audio.c b/drivers/mfd/twl4030-audio.c
index da16bf45fab4..dc94ffc6321a 100644
--- a/drivers/mfd/twl4030-audio.c
+++ b/drivers/mfd/twl4030-audio.c
@@ -159,13 +159,18 @@ unsigned int twl4030_audio_get_mclk(void)
 EXPORT_SYMBOL_GPL(twl4030_audio_get_mclk);
 
 static bool twl4030_audio_has_codec(struct twl4030_audio_data *pdata,
-                              struct device_node *node)
+                              struct device_node *parent)
 {
+        struct device_node *node;
+
         if (pdata && pdata->codec)
                 return true;
 
-        if (of_find_node_by_name(node, "codec"))
+        node = of_get_child_by_name(parent, "codec");
+        if (node) {
+                of_node_put(node);
                 return true;
+        }
 
         return false;
 }
diff --git a/drivers/mfd/twl6040.c b/drivers/mfd/twl6040.c
index d66502d36ba0..dd19f17a1b63 100644
--- a/drivers/mfd/twl6040.c
+++ b/drivers/mfd/twl6040.c
@@ -97,12 +97,16 @@ static struct reg_sequence twl6040_patch[] = {
 };
 
 
-static bool twl6040_has_vibra(struct device_node *node)
+static bool twl6040_has_vibra(struct device_node *parent)
 {
-#ifdef CONFIG_OF
-        if (of_find_node_by_name(node, "vibra"))
+        struct device_node *node;
+
+        node = of_get_child_by_name(parent, "vibra");
+        if (node) {
+                of_node_put(node);
                 return true;
-#endif
+        }
+
         return false;
 }
 
diff --git a/drivers/misc/pti.c b/drivers/misc/pti.c
index eda38cbe8530..41f2a9f6851d 100644
--- a/drivers/misc/pti.c
+++ b/drivers/misc/pti.c
@@ -32,7 +32,7 @@
 #include <linux/pci.h>
 #include <linux/mutex.h>
 #include <linux/miscdevice.h>
-#include <linux/pti.h>
+#include <linux/intel-pti.h>
 #include <linux/slab.h>
 #include <linux/uaccess.h>
 
diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
index f80e911b8843..73b605577447 100644
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -1114,7 +1114,7 @@ static int mtd_check_oob_ops(struct mtd_info *mtd, loff_t offs,
         if (!ops->oobbuf)
                 ops->ooblen = 0;
 
-        if (offs < 0 || offs + ops->len >= mtd->size)
+        if (offs < 0 || offs + ops->len > mtd->size)
                 return -EINVAL;
 
         if (ops->ooblen) {
diff --git a/drivers/mtd/nand/brcmnand/brcmnand.c b/drivers/mtd/nand/brcmnand/brcmnand.c
index e0eb51d8c012..dd56a671ea42 100644
--- a/drivers/mtd/nand/brcmnand/brcmnand.c
+++ b/drivers/mtd/nand/brcmnand/brcmnand.c
@@ -1763,7 +1763,7 @@ try_dmaread:
                         err = brcmstb_nand_verify_erased_page(mtd, chip, buf,
                                                               addr);
                         /* erased page bitflips corrected */
-                        if (err > 0)
+                        if (err >= 0)
                                 return err;
                 }
 
diff --git a/drivers/mtd/nand/gpio.c b/drivers/mtd/nand/gpio.c
index 484f7fbc3f7d..a8bde6665c24 100644
--- a/drivers/mtd/nand/gpio.c
+++ b/drivers/mtd/nand/gpio.c
@@ -253,9 +253,9 @@ static int gpio_nand_probe(struct platform_device *pdev)
                 goto out_ce;
         }
 
-        gpiomtd->nwp = devm_gpiod_get(dev, "ale", GPIOD_OUT_LOW);
-        if (IS_ERR(gpiomtd->nwp)) {
-                ret = PTR_ERR(gpiomtd->nwp);
+        gpiomtd->ale = devm_gpiod_get(dev, "ale", GPIOD_OUT_LOW);
+        if (IS_ERR(gpiomtd->ale)) {
+                ret = PTR_ERR(gpiomtd->ale);
                 goto out_ce;
         }
 
diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
index 50f8d4a1b983..d4d824ef64e9 100644
--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
@@ -1067,9 +1067,6 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip,
                 return ret;
         }
 
-        /* handle the block mark swapping */
-        block_mark_swapping(this, payload_virt, auxiliary_virt);
-
         /* Loop over status bytes, accumulating ECC status. */
         status = auxiliary_virt + nfc_geo->auxiliary_status_offset;
 
@@ -1158,6 +1155,9 @@ static int gpmi_ecc_read_page(struct mtd_info *mtd, struct nand_chip *chip,
                 max_bitflips = max_t(unsigned int, max_bitflips, *status);
         }
 
+        /* handle the block mark swapping */
+        block_mark_swapping(this, buf, auxiliary_virt);
+
         if (oob_required) {
                 /*
                  * It's time to deliver the OOB bytes. See gpmi_ecc_read_oob()
diff --git a/drivers/net/ethernet/arc/emac.h b/drivers/net/ethernet/arc/emac.h
index 3c63b16d485f..d9efbc8d783b 100644
--- a/drivers/net/ethernet/arc/emac.h
+++ b/drivers/net/ethernet/arc/emac.h
@@ -159,6 +159,8 @@ struct arc_emac_priv {
         unsigned int link;
         unsigned int duplex;
         unsigned int speed;
+
+        unsigned int rx_missed_errors;
 };
 
 /**
diff --git a/drivers/net/ethernet/arc/emac_main.c b/drivers/net/ethernet/arc/emac_main.c
index 3241af1ce718..bd277b0dc615 100644
--- a/drivers/net/ethernet/arc/emac_main.c
+++ b/drivers/net/ethernet/arc/emac_main.c
@@ -26,6 +26,8 @@
 
 #include "emac.h"
 
+static void arc_emac_restart(struct net_device *ndev);
+
 /**
  * arc_emac_tx_avail - Return the number of available slots in the tx ring.
  * @priv: Pointer to ARC EMAC private data structure.
@@ -210,39 +212,48 @@ static int arc_emac_rx(struct net_device *ndev, int budget)
                         continue;
                 }
 
-                pktlen = info & LEN_MASK;
-                stats->rx_packets++;
-                stats->rx_bytes += pktlen;
-                skb = rx_buff->skb;
-                skb_put(skb, pktlen);
-                skb->dev = ndev;
-                skb->protocol = eth_type_trans(skb, ndev);
-
-                dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr),
-                                 dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE);
-
-                /* Prepare the BD for next cycle */
-                rx_buff->skb = netdev_alloc_skb_ip_align(ndev,
-                                                         EMAC_BUFFER_SIZE);
-                if (unlikely(!rx_buff->skb)) {
+                /* Prepare the BD for next cycle. netif_receive_skb()
+                 * only if new skb was allocated and mapped to avoid holes
+                 * in the RX fifo.
+                 */
+                skb = netdev_alloc_skb_ip_align(ndev, EMAC_BUFFER_SIZE);
+                if (unlikely(!skb)) {
+                        if (net_ratelimit())
+                                netdev_err(ndev, "cannot allocate skb\n");
+                        /* Return ownership to EMAC */
+                        rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE);
                         stats->rx_errors++;
-                        /* Because receive_skb is below, increment rx_dropped */
                         stats->rx_dropped++;
                         continue;
                 }
 
-                /* receive_skb only if new skb was allocated to avoid holes */
-                netif_receive_skb(skb);
-
-                addr = dma_map_single(&ndev->dev, (void *)rx_buff->skb->data,
+                addr = dma_map_single(&ndev->dev, (void *)skb->data,
                                       EMAC_BUFFER_SIZE, DMA_FROM_DEVICE);
                 if (dma_mapping_error(&ndev->dev, addr)) {
                         if (net_ratelimit())
-                                netdev_err(ndev, "cannot dma map\n");
-                        dev_kfree_skb(rx_buff->skb);
+                                netdev_err(ndev, "cannot map dma buffer\n");
+                        dev_kfree_skb(skb);
+                        /* Return ownership to EMAC */
+                        rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE);
                         stats->rx_errors++;
+                        stats->rx_dropped++;
                         continue;
                 }
+
+                /* unmap previosly mapped skb */
+                dma_unmap_single(&ndev->dev, dma_unmap_addr(rx_buff, addr),
+                                 dma_unmap_len(rx_buff, len), DMA_FROM_DEVICE);
+
+                pktlen = info & LEN_MASK;
+                stats->rx_packets++;
+                stats->rx_bytes += pktlen;
+                skb_put(rx_buff->skb, pktlen);
+                rx_buff->skb->dev = ndev;
+                rx_buff->skb->protocol = eth_type_trans(rx_buff->skb, ndev);
+
+                netif_receive_skb(rx_buff->skb);
+
+                rx_buff->skb = skb;
                 dma_unmap_addr_set(rx_buff, addr, addr);
                 dma_unmap_len_set(rx_buff, len, EMAC_BUFFER_SIZE);
 
@@ -259,6 +270,53 @@ static int arc_emac_rx(struct net_device *ndev, int budget)
 }
 
 /**
+ * arc_emac_rx_miss_handle - handle R_MISS register
+ * @ndev:       Pointer to the net_device structure.
+ */
+static void arc_emac_rx_miss_handle(struct net_device *ndev)
+{
+        struct arc_emac_priv *priv = netdev_priv(ndev);
+        struct net_device_stats *stats = &ndev->stats;
+        unsigned int miss;
+
+        miss = arc_reg_get(priv, R_MISS);
+        if (miss) {
+                stats->rx_errors += miss;
+                stats->rx_missed_errors += miss;
+                priv->rx_missed_errors += miss;
+        }
+}
+
+/**
+ * arc_emac_rx_stall_check - check RX stall
+ * @ndev:       Pointer to the net_device structure.
+ * @budget:     How many BDs requested to process on 1 call.
+ * @work_done:  How many BDs processed
+ *
+ * Under certain conditions EMAC stop reception of incoming packets and
+ * continuously increment R_MISS register instead of saving data into
+ * provided buffer. This function detect that condition and restart
+ * EMAC.
+ */
+static void arc_emac_rx_stall_check(struct net_device *ndev,
+                                    int budget, unsigned int work_done)
+{
+        struct arc_emac_priv *priv = netdev_priv(ndev);
+        struct arc_emac_bd *rxbd;
+
+        if (work_done)
+                priv->rx_missed_errors = 0;
+
+        if (priv->rx_missed_errors && budget) {
+                rxbd = &priv->rxbd[priv->last_rx_bd];
+                if (le32_to_cpu(rxbd->info) & FOR_EMAC) {
+                        arc_emac_restart(ndev);
+                        priv->rx_missed_errors = 0;
+                }
+        }
+}
+
+/**
  * arc_emac_poll - NAPI poll handler.
  * @napi:       Pointer to napi_struct structure.
  * @budget:     How many BDs to process on 1 call.
@@ -272,6 +330,7 @@ static int arc_emac_poll(struct napi_struct *napi, int budget)
         unsigned int work_done;
 
         arc_emac_tx_clean(ndev);
+        arc_emac_rx_miss_handle(ndev);
 
         work_done = arc_emac_rx(ndev, budget);
         if (work_done < budget) {
@@ -279,6 +338,8 @@ static int arc_emac_poll(struct napi_struct *napi, int budget)
                 arc_reg_or(priv, R_ENABLE, RXINT_MASK | TXINT_MASK);
         }
 
+        arc_emac_rx_stall_check(ndev, budget, work_done);
+
         return work_done;
 }
 
@@ -320,6 +381,8 @@ static irqreturn_t arc_emac_intr(int irq, void *dev_instance)
                 if (status & MSER_MASK) {
                         stats->rx_missed_errors += 0x100;
                         stats->rx_errors += 0x100;
+                        priv->rx_missed_errors += 0x100;
+                        napi_schedule(&priv->napi);
                 }
 
                 if (status & RXCR_MASK) {
@@ -732,6 +795,63 @@ static int arc_emac_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
 }
 
 
+/**
+ * arc_emac_restart - Restart EMAC
+ * @ndev:       Pointer to net_device structure.
+ *
+ * This function do hardware reset of EMAC in order to restore
+ * network packets reception.
+ */
+static void arc_emac_restart(struct net_device *ndev)
+{
+        struct arc_emac_priv *priv = netdev_priv(ndev);
+        struct net_device_stats *stats = &ndev->stats;
+        int i;
+
+        if (net_ratelimit())
+                netdev_warn(ndev, "restarting stalled EMAC\n");
+
+        netif_stop_queue(ndev);
+
+        /* Disable interrupts */
+        arc_reg_clr(priv, R_ENABLE, RXINT_MASK | TXINT_MASK | ERR_MASK);
+
+        /* Disable EMAC */
+        arc_reg_clr(priv, R_CTRL, EN_MASK);
+
+        /* Return the sk_buff to system */
+        arc_free_tx_queue(ndev);
+
+        /* Clean Tx BD's */
+        priv->txbd_curr = 0;
+        priv->txbd_dirty = 0;
+        memset(priv->txbd, 0, TX_RING_SZ);
+
+        for (i = 0; i < RX_BD_NUM; i++) {
+                struct arc_emac_bd *rxbd = &priv->rxbd[i];
+                unsigned int info = le32_to_cpu(rxbd->info);
+
+                if (!(info & FOR_EMAC)) {
+                        stats->rx_errors++;
+                        stats->rx_dropped++;
+                }
+                /* Return ownership to EMAC */
+                rxbd->info = cpu_to_le32(FOR_EMAC | EMAC_BUFFER_SIZE);
+        }
+        priv->last_rx_bd = 0;
+
+        /* Make sure info is visible to EMAC before enable */
+        wmb();
+
+        /* Enable interrupts */
+        arc_reg_set(priv, R_ENABLE, RXINT_MASK | TXINT_MASK | ERR_MASK);
+
+        /* Enable EMAC */
+        arc_reg_or(priv, R_CTRL, EN_MASK);
+
+        netif_start_queue(ndev);
+}
+
 static const struct net_device_ops arc_emac_netdev_ops = {
         .ndo_open               = arc_emac_open,
         .ndo_stop               = arc_emac_stop,
diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
index de51c2177d03..d09c5a9c53b5 100644
--- a/drivers/net/ethernet/broadcom/tg3.c
+++ b/drivers/net/ethernet/broadcom/tg3.c
@@ -14225,7 +14225,9 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu)
         /* Reset PHY, otherwise the read DMA engine will be in a mode that
          * breaks all requests to 256 bytes.
          */
-        if (tg3_asic_rev(tp) == ASIC_REV_57766)
+        if (tg3_asic_rev(tp) == ASIC_REV_57766 ||
+            tg3_asic_rev(tp) == ASIC_REV_5717 ||
+            tg3_asic_rev(tp) == ASIC_REV_5719)
                 reset_phy = true;
 
         err = tg3_restart_hw(tp, reset_phy);
diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
index bc93b69cfd1e..a539263cd79c 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -1214,6 +1214,10 @@ static void mvneta_port_disable(struct mvneta_port *pp)
         val &= ~MVNETA_GMAC0_PORT_ENABLE;
         mvreg_write(pp, MVNETA_GMAC_CTRL_0, val);
 
+        pp->link = 0;
+        pp->duplex = -1;
+        pp->speed = 0;
+
         udelay(200);
 }
 
@@ -1958,9 +1962,9 @@ static int mvneta_rx_swbm(struct mvneta_port *pp, int rx_todo,
 
                 if (!mvneta_rxq_desc_is_first_last(rx_status) ||
                     (rx_status & MVNETA_RXD_ERR_SUMMARY)) {
+                        mvneta_rx_error(pp, rx_desc);
 err_drop_frame:
                         dev->stats.rx_errors++;
-                        mvneta_rx_error(pp, rx_desc);
                         /* leave the descriptor untouched */
                         continue;
                 }
@@ -3011,7 +3015,7 @@ static void mvneta_cleanup_rxqs(struct mvneta_port *pp)
 {
         int queue;
 
-        for (queue = 0; queue < txq_number; queue++)
+        for (queue = 0; queue < rxq_number; queue++)
                 mvneta_rxq_deinit(pp, &pp->rxqs[queue]);
 }
 
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 54adfd967858..fc67e35b253e 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -1961,11 +1961,12 @@ static int mtk_hw_init(struct mtk_eth *eth)
         /* set GE2 TUNE */
         regmap_write(eth->pctl, GPIO_BIAS_CTRL, 0x0);
 
-        /* GE1, Force 1000M/FD, FC ON */
-        mtk_w32(eth, MAC_MCR_FIXED_LINK, MTK_MAC_MCR(0));
-
-        /* GE2, Force 1000M/FD, FC ON */
-        mtk_w32(eth, MAC_MCR_FIXED_LINK, MTK_MAC_MCR(1));
+        /* Set linkdown as the default for each GMAC. Its own MCR would be set
+         * up with the more appropriate value when mtk_phy_link_adjust call is
+         * being invoked.
+         */
+        for (i = 0; i < MTK_MAC_COUNT; i++)
+                mtk_w32(eth, 0, MTK_MAC_MCR(i));
 
         /* Indicates CDM to parse the MTK special tag from CPU
          * which also is working out for untag packets.
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
index 1fffdebbc9e8..e9a1fbcc4adf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -362,7 +362,7 @@ static int mlx5_internal_err_ret_value(struct mlx5_core_dev *dev, u16 op,
         case MLX5_CMD_OP_QUERY_VPORT_COUNTER:
         case MLX5_CMD_OP_ALLOC_Q_COUNTER:
         case MLX5_CMD_OP_QUERY_Q_COUNTER:
-        case MLX5_CMD_OP_SET_RATE_LIMIT:
+        case MLX5_CMD_OP_SET_PP_RATE_LIMIT:
         case MLX5_CMD_OP_QUERY_RATE_LIMIT:
         case MLX5_CMD_OP_CREATE_SCHEDULING_ELEMENT:
         case MLX5_CMD_OP_QUERY_SCHEDULING_ELEMENT:
@@ -505,7 +505,7 @@ const char *mlx5_command_str(int command)
         MLX5_COMMAND_STR_CASE(ALLOC_Q_COUNTER);
         MLX5_COMMAND_STR_CASE(DEALLOC_Q_COUNTER);
         MLX5_COMMAND_STR_CASE(QUERY_Q_COUNTER);
-        MLX5_COMMAND_STR_CASE(SET_RATE_LIMIT);
+        MLX5_COMMAND_STR_CASE(SET_PP_RATE_LIMIT);
         MLX5_COMMAND_STR_CASE(QUERY_RATE_LIMIT);
         MLX5_COMMAND_STR_CASE(CREATE_SCHEDULING_ELEMENT);
         MLX5_COMMAND_STR_CASE(DESTROY_SCHEDULING_ELEMENT);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
index c0872b3284cb..543060c305a0 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
@@ -82,6 +82,9 @@
         max_t(u32, MLX5_MPWRQ_MIN_LOG_STRIDE_SZ(mdev), req)
 #define MLX5_MPWRQ_DEF_LOG_STRIDE_SZ(mdev)       MLX5_MPWRQ_LOG_STRIDE_SZ(mdev, 6)
 #define MLX5_MPWRQ_CQE_CMPRS_LOG_STRIDE_SZ(mdev) MLX5_MPWRQ_LOG_STRIDE_SZ(mdev, 8)
+#define MLX5E_MPWQE_STRIDE_SZ(mdev, cqe_cmprs) \
+        (cqe_cmprs ? MLX5_MPWRQ_CQE_CMPRS_LOG_STRIDE_SZ(mdev) : \
+        MLX5_MPWRQ_DEF_LOG_STRIDE_SZ(mdev))
 
 #define MLX5_MPWRQ_LOG_WQE_SZ                   18
 #define MLX5_MPWRQ_WQE_PAGE_ORDER  (MLX5_MPWRQ_LOG_WQE_SZ - PAGE_SHIFT > 0 ? \
@@ -590,6 +593,7 @@ struct mlx5e_channel {
         struct mlx5_core_dev      *mdev;
         struct hwtstamp_config    *tstamp;
         int                        ix;
+        int                        cpu;
 };
 
 struct mlx5e_channels {
@@ -935,8 +939,9 @@ void mlx5e_set_tx_cq_mode_params(struct mlx5e_params *params,
                                  u8 cq_period_mode);
 void mlx5e_set_rx_cq_mode_params(struct mlx5e_params *params,
                                  u8 cq_period_mode);
-void mlx5e_set_rq_type_params(struct mlx5_core_dev *mdev,
-                              struct mlx5e_params *params, u8 rq_type);
+void mlx5e_init_rq_type_params(struct mlx5_core_dev *mdev,
+                               struct mlx5e_params *params,
+                               u8 rq_type);
 
 static inline bool mlx5e_tunnel_inner_ft_supported(struct mlx5_core_dev *mdev)
 {
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
index c6d90b6dd80e..9bcf38f4123b 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
@@ -274,6 +274,7 @@ int mlx5e_dcbnl_ieee_setets_core(struct mlx5e_priv *priv, struct ieee_ets *ets)
 static int mlx5e_dbcnl_validate_ets(struct net_device *netdev,
                                     struct ieee_ets *ets)
 {
+        bool have_ets_tc = false;
         int bw_sum = 0;
         int i;
 
@@ -288,11 +289,14 @@ static int mlx5e_dbcnl_validate_ets(struct net_device *netdev,
         }
 
         /* Validate Bandwidth Sum */
-        for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++)
-                if (ets->tc_tsa[i] == IEEE_8021QAZ_TSA_ETS)
+        for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) {
+                if (ets->tc_tsa[i] == IEEE_8021QAZ_TSA_ETS) {
+                        have_ets_tc = true;
                         bw_sum += ets->tc_tx_bw[i];
+                }
+        }
 
-        if (bw_sum != 0 && bw_sum != 100) {
+        if (have_ets_tc && bw_sum != 100) {
                 netdev_err(netdev,
                            "Failed to validate ETS: BW sum is illegal\n");
                 return -EINVAL;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
index 23425f028405..8f05efa5c829 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
@@ -1523,8 +1523,10 @@ int mlx5e_modify_rx_cqe_compression_locked(struct mlx5e_priv *priv, bool new_val
         new_channels.params = priv->channels.params;
         MLX5E_SET_PFLAG(&new_channels.params, MLX5E_PFLAG_RX_CQE_COMPRESS, new_val);
 
-        mlx5e_set_rq_type_params(priv->mdev, &new_channels.params,
-                                 new_channels.params.rq_wq_type);
+        new_channels.params.mpwqe_log_stride_sz =
+                MLX5E_MPWQE_STRIDE_SZ(priv->mdev, new_val);
+        new_channels.params.mpwqe_log_num_strides =
+                MLX5_MPWRQ_LOG_WQE_SZ - new_channels.params.mpwqe_log_stride_sz;
 
         if (!test_bit(MLX5E_STATE_OPENED, &priv->state)) {
                 priv->channels.params = new_channels.params;
@@ -1536,6 +1538,10 @@ int mlx5e_modify_rx_cqe_compression_locked(struct mlx5e_priv *priv, bool new_val
                 return err;
 
         mlx5e_switch_priv_channels(priv, &new_channels, NULL);
+        mlx5e_dbg(DRV, priv, "MLX5E: RxCqeCmprss was turned %s\n",
+                  MLX5E_GET_PFLAG(&priv->channels.params,
+                                  MLX5E_PFLAG_RX_CQE_COMPRESS) ? "ON" : "OFF");
+
         return 0;
 }
 
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 0f5c012de52e..3aa1c90e7c86 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -71,11 +71,6 @@ struct mlx5e_channel_param {
         struct mlx5e_cq_param      icosq_cq;
 };
 
-static int mlx5e_get_node(struct mlx5e_priv *priv, int ix)
-{
-        return pci_irq_get_node(priv->mdev->pdev, MLX5_EQ_VEC_COMP_BASE + ix);
-}
-
 static bool mlx5e_check_fragmented_striding_rq_cap(struct mlx5_core_dev *mdev)
 {
         return MLX5_CAP_GEN(mdev, striding_rq) &&
@@ -83,8 +78,8 @@ static bool mlx5e_check_fragmented_striding_rq_cap(struct mlx5_core_dev *mdev)
                 MLX5_CAP_ETH(mdev, reg_umr_sq);
 }
 
-void mlx5e_set_rq_type_params(struct mlx5_core_dev *mdev,
-                              struct mlx5e_params *params, u8 rq_type)
+void mlx5e_init_rq_type_params(struct mlx5_core_dev *mdev,
+                               struct mlx5e_params *params, u8 rq_type)
 {
         params->rq_wq_type = rq_type;
         params->lro_wqe_sz = MLX5E_PARAMS_DEFAULT_LRO_WQE_SZ;
@@ -93,10 +88,8 @@ void mlx5e_set_rq_type_params(struct mlx5_core_dev *mdev,
                 params->log_rq_size = is_kdump_kernel() ?
                         MLX5E_PARAMS_MINIMUM_LOG_RQ_SIZE_MPW :
                         MLX5E_PARAMS_DEFAULT_LOG_RQ_SIZE_MPW;
-                params->mpwqe_log_stride_sz =
-                        MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS) ?
-                        MLX5_MPWRQ_CQE_CMPRS_LOG_STRIDE_SZ(mdev) :
-                        MLX5_MPWRQ_DEF_LOG_STRIDE_SZ(mdev);
+                params->mpwqe_log_stride_sz = MLX5E_MPWQE_STRIDE_SZ(mdev,
+                        MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS));
                 params->mpwqe_log_num_strides = MLX5_MPWRQ_LOG_WQE_SZ -
                         params->mpwqe_log_stride_sz;
                 break;
@@ -120,13 +113,14 @@ void mlx5e_set_rq_type_params(struct mlx5_core_dev *mdev,
                        MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS));
 }
 
-static void mlx5e_set_rq_params(struct mlx5_core_dev *mdev, struct mlx5e_params *params)
+static void mlx5e_set_rq_params(struct mlx5_core_dev *mdev,
+                                struct mlx5e_params *params)
 {
         u8 rq_type = mlx5e_check_fragmented_striding_rq_cap(mdev) &&
                     !params->xdp_prog && !MLX5_IPSEC_DEV(mdev) ?
                     MLX5_WQ_TYPE_LINKED_LIST_STRIDING_RQ :
                     MLX5_WQ_TYPE_LINKED_LIST;
-        mlx5e_set_rq_type_params(mdev, params, rq_type);
+        mlx5e_init_rq_type_params(mdev, params, rq_type);
 }
 
 static void mlx5e_update_carrier(struct mlx5e_priv *priv)
@@ -444,17 +438,16 @@ static int mlx5e_rq_alloc_mpwqe_info(struct mlx5e_rq *rq,
         int wq_sz = mlx5_wq_ll_get_size(&rq->wq);
         int mtt_sz = mlx5e_get_wqe_mtt_sz();
         int mtt_alloc = mtt_sz + MLX5_UMR_ALIGN - 1;
-        int node = mlx5e_get_node(c->priv, c->ix);
         int i;
 
         rq->mpwqe.info = kzalloc_node(wq_sz * sizeof(*rq->mpwqe.info),
-                                        GFP_KERNEL, node);
+                                      GFP_KERNEL, cpu_to_node(c->cpu));
         if (!rq->mpwqe.info)
                 goto err_out;
 
         /* We allocate more than mtt_sz as we will align the pointer */
-        rq->mpwqe.mtt_no_align = kzalloc_node(mtt_alloc * wq_sz,
-                                        GFP_KERNEL, node);
+        rq->mpwqe.mtt_no_align = kzalloc_node(mtt_alloc * wq_sz, GFP_KERNEL,
+                                        cpu_to_node(c->cpu));
         if (unlikely(!rq->mpwqe.mtt_no_align))
                 goto err_free_wqe_info;
 
@@ -562,7 +555,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
         int err;
         int i;
 
-        rqp->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
+        rqp->wq.db_numa_node = cpu_to_node(c->cpu);
 
         err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->wq,
                                 &rq->wq_ctrl);
@@ -629,8 +622,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
         default: /* MLX5_WQ_TYPE_LINKED_LIST */
                 rq->wqe.frag_info =
                         kzalloc_node(wq_sz * sizeof(*rq->wqe.frag_info),
-                                     GFP_KERNEL,
-                                     mlx5e_get_node(c->priv, c->ix));
+                                     GFP_KERNEL, cpu_to_node(c->cpu));
                 if (!rq->wqe.frag_info) {
                         err = -ENOMEM;
                         goto err_rq_wq_destroy;
@@ -1000,13 +992,13 @@ static int mlx5e_alloc_xdpsq(struct mlx5e_channel *c,
         sq->uar_map   = mdev->mlx5e_res.bfreg.map;
         sq->min_inline_mode = params->tx_min_inline_mode;
 
-        param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
+        param->wq.db_numa_node = cpu_to_node(c->cpu);
         err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl);
         if (err)
                 return err;
         sq->wq.db = &sq->wq.db[MLX5_SND_DBR];
 
-        err = mlx5e_alloc_xdpsq_db(sq, mlx5e_get_node(c->priv, c->ix));
+        err = mlx5e_alloc_xdpsq_db(sq, cpu_to_node(c->cpu));
         if (err)
                 goto err_sq_wq_destroy;
 
@@ -1053,13 +1045,13 @@ static int mlx5e_alloc_icosq(struct mlx5e_channel *c,
         sq->channel   = c;
         sq->uar_map   = mdev->mlx5e_res.bfreg.map;
 
-        param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
+        param->wq.db_numa_node = cpu_to_node(c->cpu);
         err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl);
         if (err)
                 return err;
         sq->wq.db = &sq->wq.db[MLX5_SND_DBR];
 
-        err = mlx5e_alloc_icosq_db(sq, mlx5e_get_node(c->priv, c->ix));
+        err = mlx5e_alloc_icosq_db(sq, cpu_to_node(c->cpu));
         if (err)
                 goto err_sq_wq_destroy;
 
@@ -1126,13 +1118,13 @@ static int mlx5e_alloc_txqsq(struct mlx5e_channel *c,
         if (MLX5_IPSEC_DEV(c->priv->mdev))
                 set_bit(MLX5E_SQ_STATE_IPSEC, &sq->state);
 
-        param->wq.db_numa_node = mlx5e_get_node(c->priv, c->ix);
+        param->wq.db_numa_node = cpu_to_node(c->cpu);
         err = mlx5_wq_cyc_create(mdev, &param->wq, sqc_wq, &sq->wq, &sq->wq_ctrl);
         if (err)
                 return err;
         sq->wq.db    = &sq->wq.db[MLX5_SND_DBR];
 
-        err = mlx5e_alloc_txqsq_db(sq, mlx5e_get_node(c->priv, c->ix));
+        err = mlx5e_alloc_txqsq_db(sq, cpu_to_node(c->cpu));
         if (err)
                 goto err_sq_wq_destroy;
 
@@ -1504,8 +1496,8 @@ static int mlx5e_alloc_cq(struct mlx5e_channel *c,
         struct mlx5_core_dev *mdev = c->priv->mdev;
         int err;
 
-        param->wq.buf_numa_node = mlx5e_get_node(c->priv, c->ix);
-        param->wq.db_numa_node  = mlx5e_get_node(c->priv, c->ix);
+        param->wq.buf_numa_node = cpu_to_node(c->cpu);
+        param->wq.db_numa_node  = cpu_to_node(c->cpu);
         param->eq_ix   = c->ix;
 
         err = mlx5e_alloc_cq_common(mdev, param, cq);
@@ -1604,6 +1596,11 @@ static void mlx5e_close_cq(struct mlx5e_cq *cq)
         mlx5e_free_cq(cq);
 }
 
+static int mlx5e_get_cpu(struct mlx5e_priv *priv, int ix)
+{
+        return cpumask_first(priv->mdev->priv.irq_info[ix].mask);
+}
+
 static int mlx5e_open_tx_cqs(struct mlx5e_channel *c,
                              struct mlx5e_params *params,
                              struct mlx5e_channel_param *cparam)
@@ -1752,12 +1749,13 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix,
 {
         struct mlx5e_cq_moder icocq_moder = {0, 0};
         struct net_device *netdev = priv->netdev;
+        int cpu = mlx5e_get_cpu(priv, ix);
         struct mlx5e_channel *c;
         unsigned int irq;
         int err;
         int eqn;
 
-        c = kzalloc_node(sizeof(*c), GFP_KERNEL, mlx5e_get_node(priv, ix));
+        c = kzalloc_node(sizeof(*c), GFP_KERNEL, cpu_to_node(cpu));
         if (!c)
                 return -ENOMEM;
 
@@ -1765,6 +1763,7 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix,
         c->mdev     = priv->mdev;
         c->tstamp   = &priv->tstamp;
         c->ix       = ix;
+        c->cpu      = cpu;
         c->pdev     = &priv->mdev->pdev->dev;
         c->netdev   = priv->netdev;
         c->mkey_be  = cpu_to_be32(priv->mdev->mlx5e_res.mkey.key);
@@ -1853,8 +1852,7 @@ static void mlx5e_activate_channel(struct mlx5e_channel *c)
         for (tc = 0; tc < c->num_tc; tc++)
                 mlx5e_activate_txqsq(&c->sq[tc]);
         mlx5e_activate_rq(&c->rq);
-        netif_set_xps_queue(c->netdev,
-                mlx5_get_vector_affinity(c->priv->mdev, c->ix), c->ix);
+        netif_set_xps_queue(c->netdev, get_cpu_mask(c->cpu), c->ix);
 }
 
 static void mlx5e_deactivate_channel(struct mlx5e_channel *c)
@@ -3679,6 +3677,7 @@ static netdev_features_t mlx5e_tunnel_features_check(struct mlx5e_priv *priv,
                                                      struct sk_buff *skb,
                                                      netdev_features_t features)
 {
+        unsigned int offset = 0;
         struct udphdr *udph;
         u8 proto;
         u16 port;
@@ -3688,7 +3687,7 @@ static netdev_features_t mlx5e_tunnel_features_check(struct mlx5e_priv *priv,
                 proto = ip_hdr(skb)->protocol;
                 break;
         case htons(ETH_P_IPV6):
-                proto = ipv6_hdr(skb)->nexthdr;
+                proto = ipv6_find_hdr(skb, &offset, -1, NULL, NULL);
                 break;
         default:
                 goto out;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
index 60771865c99c..e7e7cef2bde4 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
@@ -466,7 +466,7 @@ static irqreturn_t mlx5_eq_int(int irq, void *eq_ptr)
                         break;
                 case MLX5_EVENT_TYPE_CQ_ERROR:
                         cqn = be32_to_cpu(eqe->data.cq_err.cqn) & 0xffffff;
-                        mlx5_core_warn(dev, "CQ error on CQN 0x%x, syndrom 0x%x\n",
+                        mlx5_core_warn(dev, "CQ error on CQN 0x%x, syndrome 0x%x\n",
                                        cqn, eqe->data.cq_err.syndrome);
                         mlx5_cq_event(dev, cqn, eqe->type);
                         break;
@@ -775,7 +775,7 @@ err1:
         return err;
 }
 
-int mlx5_stop_eqs(struct mlx5_core_dev *dev)
+void mlx5_stop_eqs(struct mlx5_core_dev *dev)
 {
         struct mlx5_eq_table *table = &dev->priv.eq_table;
         int err;
@@ -784,22 +784,26 @@ int mlx5_stop_eqs(struct mlx5_core_dev *dev)
         if (MLX5_CAP_GEN(dev, pg)) {
                 err = mlx5_destroy_unmap_eq(dev, &table->pfault_eq);
                 if (err)
-                        return err;
+                        mlx5_core_err(dev, "failed to destroy page fault eq, err(%d)\n",
+                                      err);
         }
 #endif
 
         err = mlx5_destroy_unmap_eq(dev, &table->pages_eq);
         if (err)
-                return err;
+                mlx5_core_err(dev, "failed to destroy pages eq, err(%d)\n",
+                              err);
 
-        mlx5_destroy_unmap_eq(dev, &table->async_eq);
+        err = mlx5_destroy_unmap_eq(dev, &table->async_eq);
+        if (err)
+                mlx5_core_err(dev, "failed to destroy async eq, err(%d)\n",
+                              err);
         mlx5_cmd_use_polling(dev);
 
         err = mlx5_destroy_unmap_eq(dev, &table->cmd_eq);
         if (err)
-                mlx5_cmd_use_events(dev);
-
-        return err;
+                mlx5_core_err(dev, "failed to destroy command eq, err(%d)\n",
+                              err);
 }
 
 int mlx5_core_eq_query(struct mlx5_core_dev *dev, struct mlx5_eq *eq,
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c
index 3c11d6e2160a..14962969c5ba 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/sdk.c
@@ -66,6 +66,9 @@ static int mlx5_fpga_mem_read_i2c(struct mlx5_fpga_device *fdev, size_t size,
         u8 actual_size;
         int err;
 
+        if (!size)
+                return -EINVAL;
+
         if (!fdev->mdev)
                 return -ENOTCONN;
 
@@ -95,6 +98,9 @@ static int mlx5_fpga_mem_write_i2c(struct mlx5_fpga_device *fdev, size_t size,
         u8 actual_size;
         int err;
 
+        if (!size)
+                return -EINVAL;
+
         if (!fdev->mdev)
                 return -ENOTCONN;
 
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index c70fd663a633..dfaad9ecb2b8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -174,6 +174,8 @@ static void del_hw_fte(struct fs_node *node);
 static void del_sw_flow_table(struct fs_node *node);
 static void del_sw_flow_group(struct fs_node *node);
 static void del_sw_fte(struct fs_node *node);
+static void del_sw_prio(struct fs_node *node);
+static void del_sw_ns(struct fs_node *node);
 /* Delete rule (destination) is special case that 
  * requires to lock the FTE for all the deletion process.
  */
@@ -408,6 +410,16 @@ static inline struct mlx5_core_dev *get_dev(struct fs_node *node)
         return NULL;
 }
 
+static void del_sw_ns(struct fs_node *node)
+{
+        kfree(node);
+}
+
+static void del_sw_prio(struct fs_node *node)
+{
+        kfree(node);
+}
+
 static void del_hw_flow_table(struct fs_node *node)
 {
         struct mlx5_flow_table *ft;
@@ -2064,7 +2076,7 @@ static struct fs_prio *fs_create_prio(struct mlx5_flow_namespace *ns,
                 return ERR_PTR(-ENOMEM);
 
         fs_prio->node.type = FS_TYPE_PRIO;
-        tree_init_node(&fs_prio->node, NULL, NULL);
+        tree_init_node(&fs_prio->node, NULL, del_sw_prio);
         tree_add_node(&fs_prio->node, &ns->node);
         fs_prio->num_levels = num_levels;
         fs_prio->prio = prio;
@@ -2090,7 +2102,7 @@ static struct mlx5_flow_namespace *fs_create_namespace(struct fs_prio *prio)
                 return ERR_PTR(-ENOMEM);
 
         fs_init_namespace(ns);
-        tree_init_node(&ns->node, NULL, NULL);
+        tree_init_node(&ns->node, NULL, del_sw_ns);
         tree_add_node(&ns->node, &prio->node);
         list_add_tail(&ns->node.list, &prio->node.children);
 
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/health.c b/drivers/net/ethernet/mellanox/mlx5/core/health.c
index 1a0e797ad001..21d29f7936f6 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c
@@ -241,7 +241,7 @@ static void print_health_info(struct mlx5_core_dev *dev)
         u32 fw;
         int i;
 
-        /* If the syndrom is 0, the device is OK and no need to print buffer */
+        /* If the syndrome is 0, the device is OK and no need to print buffer */
         if (!ioread8(&h->synd))
                 return;
 
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
index d2a66dc4adc6..8812d7208e8f 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
@@ -57,7 +57,7 @@ static void mlx5i_build_nic_params(struct mlx5_core_dev *mdev,
                                    struct mlx5e_params *params)
 {
         /* Override RQ params as IPoIB supports only LINKED LIST RQ for now */
-        mlx5e_set_rq_type_params(mdev, params, MLX5_WQ_TYPE_LINKED_LIST);
+        mlx5e_init_rq_type_params(mdev, params, MLX5_WQ_TYPE_LINKED_LIST);
 
         /* RQ size in ipoib by default is 512 */
         params->log_rq_size = is_kdump_kernel() ?
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index 5f323442cc5a..8a89c7e8cd63 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -317,9 +317,6 @@ static int mlx5_alloc_irq_vectors(struct mlx5_core_dev *dev)
 {
         struct mlx5_priv *priv = &dev->priv;
         struct mlx5_eq_table *table = &priv->eq_table;
-        struct irq_affinity irqdesc = {
-                .pre_vectors = MLX5_EQ_VEC_COMP_BASE,
-        };
         int num_eqs = 1 << MLX5_CAP_GEN(dev, log_max_eq);
         int nvec;
 
@@ -333,10 +330,9 @@ static int mlx5_alloc_irq_vectors(struct mlx5_core_dev *dev)
         if (!priv->irq_info)
                 goto err_free_msix;
 
-        nvec = pci_alloc_irq_vectors_affinity(dev->pdev,
+        nvec = pci_alloc_irq_vectors(dev->pdev,
                         MLX5_EQ_VEC_COMP_BASE + 1, nvec,
-                        PCI_IRQ_MSIX | PCI_IRQ_AFFINITY,
-                        &irqdesc);
+                        PCI_IRQ_MSIX);
         if (nvec < 0)
                 return nvec;
 
@@ -622,6 +618,63 @@ u64 mlx5_read_internal_timer(struct mlx5_core_dev *dev)
         return (u64)timer_l | (u64)timer_h1 << 32;
 }
 
+static int mlx5_irq_set_affinity_hint(struct mlx5_core_dev *mdev, int i)
+{
+        struct mlx5_priv *priv  = &mdev->priv;
+        int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i);
+
+        if (!zalloc_cpumask_var(&priv->irq_info[i].mask, GFP_KERNEL)) {
+                mlx5_core_warn(mdev, "zalloc_cpumask_var failed");
+                return -ENOMEM;
+        }
+
+        cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node),
+                        priv->irq_info[i].mask);
+
+        if (IS_ENABLED(CONFIG_SMP) &&
+            irq_set_affinity_hint(irq, priv->irq_info[i].mask))
+                mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq);
+
+        return 0;
+}
+
+static void mlx5_irq_clear_affinity_hint(struct mlx5_core_dev *mdev, int i)
+{
+        struct mlx5_priv *priv  = &mdev->priv;
+        int irq = pci_irq_vector(mdev->pdev, MLX5_EQ_VEC_COMP_BASE + i);
+
+        irq_set_affinity_hint(irq, NULL);
+        free_cpumask_var(priv->irq_info[i].mask);
+}
+
+static int mlx5_irq_set_affinity_hints(struct mlx5_core_dev *mdev)
+{
+        int err;
+        int i;
+
+        for (i = 0; i < mdev->priv.eq_table.num_comp_vectors; i++) {
+                err = mlx5_irq_set_affinity_hint(mdev, i);
+                if (err)
+                        goto err_out;
+        }
+
+        return 0;
+
+err_out:
+        for (i--; i >= 0; i--)
+                mlx5_irq_clear_affinity_hint(mdev, i);
+
+        return err;
+}
+
+static void mlx5_irq_clear_affinity_hints(struct mlx5_core_dev *mdev)
+{
+        int i;
+
+        for (i = 0; i < mdev->priv.eq_table.num_comp_vectors; i++)
+                mlx5_irq_clear_affinity_hint(mdev, i);
+}
+
 int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
                     unsigned int *irqn)
 {
@@ -1097,6 +1150,12 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
                 goto err_stop_eqs;
         }
 
+        err = mlx5_irq_set_affinity_hints(dev);
+        if (err) {
+                dev_err(&pdev->dev, "Failed to alloc affinity hint cpumask\n");
+                goto err_affinity_hints;
+        }
+
         err = mlx5_init_fs(dev);
         if (err) {
                 dev_err(&pdev->dev, "Failed to init flow steering\n");
@@ -1154,6 +1213,9 @@ err_sriov:
         mlx5_cleanup_fs(dev);
 
 err_fs:
+        mlx5_irq_clear_affinity_hints(dev);
+
+err_affinity_hints:
         free_comp_eqs(dev);
 
 err_stop_eqs:
@@ -1222,6 +1284,7 @@ static int mlx5_unload_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
 
         mlx5_sriov_detach(dev);
         mlx5_cleanup_fs(dev);
+        mlx5_irq_clear_affinity_hints(dev);
         free_comp_eqs(dev);
         mlx5_stop_eqs(dev);
         mlx5_put_uars_page(dev, priv->uar);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/qp.c b/drivers/net/ethernet/mellanox/mlx5/core/qp.c
index db9e665ab104..889130edb715 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/qp.c
@@ -213,8 +213,8 @@ int mlx5_core_create_qp(struct mlx5_core_dev *dev,
 err_cmd:
         memset(din, 0, sizeof(din));
         memset(dout, 0, sizeof(dout));
-        MLX5_SET(destroy_qp_in, in, opcode, MLX5_CMD_OP_DESTROY_QP);
-        MLX5_SET(destroy_qp_in, in, qpn, qp->qpn);
+        MLX5_SET(destroy_qp_in, din, opcode, MLX5_CMD_OP_DESTROY_QP);
+        MLX5_SET(destroy_qp_in, din, qpn, qp->qpn);
         mlx5_cmd_exec(dev, din, sizeof(din), dout, sizeof(dout));
         return err;
 }
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/rl.c b/drivers/net/ethernet/mellanox/mlx5/core/rl.c
index e651e4c02867..d3c33e9eea72 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/rl.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/rl.c
@@ -125,16 +125,16 @@ static struct mlx5_rl_entry *find_rl_entry(struct mlx5_rl_table *table,
         return ret_entry;
 }
 
-static int mlx5_set_rate_limit_cmd(struct mlx5_core_dev *dev,
+static int mlx5_set_pp_rate_limit_cmd(struct mlx5_core_dev *dev,
                                    u32 rate, u16 index)
 {
-        u32 in[MLX5_ST_SZ_DW(set_rate_limit_in)]   = {0};
-        u32 out[MLX5_ST_SZ_DW(set_rate_limit_out)] = {0};
+        u32 in[MLX5_ST_SZ_DW(set_pp_rate_limit_in)]   = {0};
+        u32 out[MLX5_ST_SZ_DW(set_pp_rate_limit_out)] = {0};
 
-        MLX5_SET(set_rate_limit_in, in, opcode,
-                 MLX5_CMD_OP_SET_RATE_LIMIT);
-        MLX5_SET(set_rate_limit_in, in, rate_limit_index, index);
-        MLX5_SET(set_rate_limit_in, in, rate_limit, rate);
+        MLX5_SET(set_pp_rate_limit_in, in, opcode,
+                 MLX5_CMD_OP_SET_PP_RATE_LIMIT);
+        MLX5_SET(set_pp_rate_limit_in, in, rate_limit_index, index);
+        MLX5_SET(set_pp_rate_limit_in, in, rate_limit, rate);
         return mlx5_cmd_exec(dev, in, sizeof(in), out, sizeof(out));
 }
 
@@ -173,7 +173,7 @@ int mlx5_rl_add_rate(struct mlx5_core_dev *dev, u32 rate, u16 *index)
                 entry->refcount++;
         } else {
                 /* new rate limit */
-                err = mlx5_set_rate_limit_cmd(dev, rate, entry->index);
+                err = mlx5_set_pp_rate_limit_cmd(dev, rate, entry->index);
                 if (err) {
                         mlx5_core_err(dev, "Failed configuring rate: %u (%d)\n",
                                       rate, err);
@@ -209,7 +209,7 @@ void mlx5_rl_remove_rate(struct mlx5_core_dev *dev, u32 rate)
         entry->refcount--;
         if (!entry->refcount) {
                 /* need to remove rate */
-                mlx5_set_rate_limit_cmd(dev, 0, entry->index);
+                mlx5_set_pp_rate_limit_cmd(dev, 0, entry->index);
                 entry->rate = 0;
         }
 
@@ -262,8 +262,8 @@ void mlx5_cleanup_rl_table(struct mlx5_core_dev *dev)
         /* Clear all configured rates */
         for (i = 0; i < table->max_size; i++)
                 if (table->rl_entry[i].rate)
-                        mlx5_set_rate_limit_cmd(dev, 0,
-                                                table->rl_entry[i].index);
+                        mlx5_set_pp_rate_limit_cmd(dev, 0,
+                                                   table->rl_entry[i].index);
 
         kfree(dev->priv.rl_table.rl_entry);
 }
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c
index 07a9ba6cfc70..2f74953e4561 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.c
@@ -71,9 +71,9 @@ struct mlx5e_vxlan *mlx5e_vxlan_lookup_port(struct mlx5e_priv *priv, u16 port)
         struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan;
         struct mlx5e_vxlan *vxlan;
 
-        spin_lock(&vxlan_db->lock);
+        spin_lock_bh(&vxlan_db->lock);
         vxlan = radix_tree_lookup(&vxlan_db->tree, port);
-        spin_unlock(&vxlan_db->lock);
+        spin_unlock_bh(&vxlan_db->lock);
 
         return vxlan;
 }
@@ -88,8 +88,12 @@ static void mlx5e_vxlan_add_port(struct work_struct *work)
         struct mlx5e_vxlan *vxlan;
         int err;
 
-        if (mlx5e_vxlan_lookup_port(priv, port))
+        mutex_lock(&priv->state_lock);
+        vxlan = mlx5e_vxlan_lookup_port(priv, port);
+        if (vxlan) {
+                atomic_inc(&vxlan->refcount);
                 goto free_work;
+        }
 
         if (mlx5e_vxlan_core_add_port_cmd(priv->mdev, port))
                 goto free_work;
@@ -99,10 +103,11 @@ static void mlx5e_vxlan_add_port(struct work_struct *work)
                 goto err_delete_port;
 
         vxlan->udp_port = port;
+        atomic_set(&vxlan->refcount, 1);
 
-        spin_lock_irq(&vxlan_db->lock);
+        spin_lock_bh(&vxlan_db->lock);
         err = radix_tree_insert(&vxlan_db->tree, vxlan->udp_port, vxlan);
-        spin_unlock_irq(&vxlan_db->lock);
+        spin_unlock_bh(&vxlan_db->lock);
         if (err)
                 goto err_free;
 
@@ -113,35 +118,39 @@ err_free:
 err_delete_port:
         mlx5e_vxlan_core_del_port_cmd(priv->mdev, port);
 free_work:
+        mutex_unlock(&priv->state_lock);
         kfree(vxlan_work);
 }
 
-static void __mlx5e_vxlan_core_del_port(struct mlx5e_priv *priv, u16 port)
+static void mlx5e_vxlan_del_port(struct work_struct *work)
 {
+        struct mlx5e_vxlan_work *vxlan_work =
+                container_of(work, struct mlx5e_vxlan_work, work);
+        struct mlx5e_priv *priv         = vxlan_work->priv;
         struct mlx5e_vxlan_db *vxlan_db = &priv->vxlan;
+        u16 port = vxlan_work->port;
         struct mlx5e_vxlan *vxlan;
+        bool remove = false;
 
-        spin_lock_irq(&vxlan_db->lock);
-        vxlan = radix_tree_delete(&vxlan_db->tree, port);
-        spin_unlock_irq(&vxlan_db->lock);
-
+        mutex_lock(&priv->state_lock);
+        spin_lock_bh(&vxlan_db->lock);
+        vxlan = radix_tree_lookup(&vxlan_db->tree, port);
         if (!vxlan)
-                return;
-
-        mlx5e_vxlan_core_del_port_cmd(priv->mdev, vxlan->udp_port);
-
-        kfree(vxlan);
-}
+                goto out_unlock;
 
-static void mlx5e_vxlan_del_port(struct work_struct *work)
-{
-        struct mlx5e_vxlan_work *vxlan_work =
-                container_of(work, struct mlx5e_vxlan_work, work);
-        struct mlx5e_priv *priv = vxlan_work->priv;
-        u16 port = vxlan_work->port;
+        if (atomic_dec_and_test(&vxlan->refcount)) {
+                radix_tree_delete(&vxlan_db->tree, port);
+                remove = true;
+        }
 
-        __mlx5e_vxlan_core_del_port(priv, port);
+out_unlock:
+        spin_unlock_bh(&vxlan_db->lock);
 
+        if (remove) {
+                mlx5e_vxlan_core_del_port_cmd(priv->mdev, port);
+                kfree(vxlan);
+        }
+        mutex_unlock(&priv->state_lock);
         kfree(vxlan_work);
 }
 
@@ -171,12 +180,11 @@ void mlx5e_vxlan_cleanup(struct mlx5e_priv *priv)
         struct mlx5e_vxlan *vxlan;
         unsigned int port = 0;
 
-        spin_lock_irq(&vxlan_db->lock);
+        /* Lockless since we are the only radix-tree consumers, wq is disabled */
         while (radix_tree_gang_lookup(&vxlan_db->tree, (void **)&vxlan, port, 1)) {
                 port = vxlan->udp_port;
-                spin_unlock_irq(&vxlan_db->lock);
-                __mlx5e_vxlan_core_del_port(priv, (u16)port);
-                spin_lock_irq(&vxlan_db->lock);
+                radix_tree_delete(&vxlan_db->tree, port);
+                mlx5e_vxlan_core_del_port_cmd(priv->mdev, port);
+                kfree(vxlan);
         }
-        spin_unlock_irq(&vxlan_db->lock);
 }
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h
index 5def12c048e3..5ef6ae7d568a 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/vxlan.h
@@ -36,6 +36,7 @@
 #include "en.h"
 
 struct mlx5e_vxlan {
+        atomic_t refcount;
         u16 udp_port;
 };
 
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 72ef4f8025f0..be657b8533f0 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -2436,25 +2436,16 @@ static void mlxsw_sp_neigh_fini(struct mlxsw_sp *mlxsw_sp)
         rhashtable_destroy(&mlxsw_sp->router->neigh_ht);
 }
 
-static int mlxsw_sp_neigh_rif_flush(struct mlxsw_sp *mlxsw_sp,
-                                    const struct mlxsw_sp_rif *rif)
-{
-        char rauht_pl[MLXSW_REG_RAUHT_LEN];
-
-        mlxsw_reg_rauht_pack(rauht_pl, MLXSW_REG_RAUHT_OP_WRITE_DELETE_ALL,
-                             rif->rif_index, rif->addr);
-        return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(rauht), rauht_pl);
-}
-
 static void mlxsw_sp_neigh_rif_gone_sync(struct mlxsw_sp *mlxsw_sp,
                                          struct mlxsw_sp_rif *rif)
 {
         struct mlxsw_sp_neigh_entry *neigh_entry, *tmp;
 
-        mlxsw_sp_neigh_rif_flush(mlxsw_sp, rif);
         list_for_each_entry_safe(neigh_entry, tmp, &rif->neigh_list,
-                                 rif_list_node)
+                                 rif_list_node) {
+                mlxsw_sp_neigh_entry_update(mlxsw_sp, neigh_entry, false);
                 mlxsw_sp_neigh_entry_destroy(mlxsw_sp, neigh_entry);
+        }
 }
 
 enum mlxsw_sp_nexthop_type {
diff --git a/drivers/net/ethernet/netronome/nfp/bpf/main.c b/drivers/net/ethernet/netronome/nfp/bpf/main.c
index 4f6553f01178..214b02a3acdd 100644
--- a/drivers/net/ethernet/netronome/nfp/bpf/main.c
+++ b/drivers/net/ethernet/netronome/nfp/bpf/main.c
@@ -89,6 +89,9 @@ static int nfp_bpf_setup_tc_block_cb(enum tc_setup_type type,
 {
         struct tc_cls_bpf_offload *cls_bpf = type_data;
         struct nfp_net *nn = cb_priv;
+        struct bpf_prog *oldprog;
+        struct nfp_bpf_vnic *bv;
+        int err;
 
         if (type != TC_SETUP_CLSBPF ||
             !tc_can_offload(nn->dp.netdev) ||
@@ -96,8 +99,6 @@ static int nfp_bpf_setup_tc_block_cb(enum tc_setup_type type,
             cls_bpf->common.protocol != htons(ETH_P_ALL) ||
             cls_bpf->common.chain_index)
                 return -EOPNOTSUPP;
-        if (nn->dp.bpf_offload_xdp)
-                return -EBUSY;
 
         /* Only support TC direct action */
         if (!cls_bpf->exts_integrated ||
@@ -106,16 +107,25 @@ static int nfp_bpf_setup_tc_block_cb(enum tc_setup_type type,
                 return -EOPNOTSUPP;
         }
 
-        switch (cls_bpf->command) {
-        case TC_CLSBPF_REPLACE:
-                return nfp_net_bpf_offload(nn, cls_bpf->prog, true);
-        case TC_CLSBPF_ADD:
-                return nfp_net_bpf_offload(nn, cls_bpf->prog, false);
-        case TC_CLSBPF_DESTROY:
-                return nfp_net_bpf_offload(nn, NULL, true);
-        default:
+        if (cls_bpf->command != TC_CLSBPF_OFFLOAD)
                 return -EOPNOTSUPP;
+
+        bv = nn->app_priv;
+        oldprog = cls_bpf->oldprog;
+
+        /* Don't remove if oldprog doesn't match driver's state */
+        if (bv->tc_prog != oldprog) {
+                oldprog = NULL;
+                if (!cls_bpf->prog)
+                        return 0;
         }
+
+        err = nfp_net_bpf_offload(nn, cls_bpf->prog, oldprog);
+        if (err)
+                return err;
+
+        bv->tc_prog = cls_bpf->prog;
+        return 0;
 }
 
 static int nfp_bpf_setup_tc_block(struct net_device *netdev,
diff --git a/drivers/net/ethernet/netronome/nfp/bpf/main.h b/drivers/net/ethernet/netronome/nfp/bpf/main.h
index f49669bf6b44..aae1be9ed056 100644
--- a/drivers/net/ethernet/netronome/nfp/bpf/main.h
+++ b/drivers/net/ethernet/netronome/nfp/bpf/main.h
@@ -228,6 +228,14 @@ struct nfp_prog {
         struct list_head insns;
 };
 
+/**
+ * struct nfp_bpf_vnic - per-vNIC BPF priv structure
+ * @tc_prog:    currently loaded cls_bpf program
+ */
+struct nfp_bpf_vnic {
+        struct bpf_prog *tc_prog;
+};
+
 int nfp_bpf_jit(struct nfp_prog *prog);
 
 extern const struct bpf_ext_analyzer_ops nfp_bpf_analyzer_ops;
diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
index 70c92b649b29..38c924bdd32e 100644
--- a/drivers/net/ethernet/qualcomm/emac/emac.c
+++ b/drivers/net/ethernet/qualcomm/emac/emac.c
@@ -253,18 +253,18 @@ static int emac_open(struct net_device *netdev)
                 return ret;
         }
 
-        ret = emac_mac_up(adpt);
+        ret = adpt->phy.open(adpt);
         if (ret) {
                 emac_mac_rx_tx_rings_free_all(adpt);
                 free_irq(irq->irq, irq);
                 return ret;
         }
 
-        ret = adpt->phy.open(adpt);
+        ret = emac_mac_up(adpt);
         if (ret) {
-                emac_mac_down(adpt);
                 emac_mac_rx_tx_rings_free_all(adpt);
                 free_irq(irq->irq, irq);
+                adpt->phy.close(adpt);
                 return ret;
         }
 
diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h
index e1e5ac053760..ce2ea2d491ac 100644
--- a/drivers/net/ethernet/stmicro/stmmac/common.h
+++ b/drivers/net/ethernet/stmicro/stmmac/common.h
@@ -409,7 +409,7 @@ struct stmmac_desc_ops {
         /* get timestamp value */
          u64(*get_timestamp) (void *desc, u32 ats);
         /* get rx timestamp status */
-        int (*get_rx_timestamp_status) (void *desc, u32 ats);
+        int (*get_rx_timestamp_status)(void *desc, void *next_desc, u32 ats);
         /* Display ring */
         void (*display_ring)(void *head, unsigned int size, bool rx);
         /* set MSS via context descriptor */
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
index 4b286e27c4ca..7e089bf906b4 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
@@ -258,7 +258,8 @@ static int dwmac4_rx_check_timestamp(void *desc)
         return ret;
 }
 
-static int dwmac4_wrback_get_rx_timestamp_status(void *desc, u32 ats)
+static int dwmac4_wrback_get_rx_timestamp_status(void *desc, void *next_desc,
+                                                 u32 ats)
 {
         struct dma_desc *p = (struct dma_desc *)desc;
         int ret = -EINVAL;
@@ -270,7 +271,7 @@ static int dwmac4_wrback_get_rx_timestamp_status(void *desc, u32 ats)
 
                         /* Check if timestamp is OK from context descriptor */
                         do {
-                                ret = dwmac4_rx_check_timestamp(desc);
+                                ret = dwmac4_rx_check_timestamp(next_desc);
                                 if (ret < 0)
                                         goto exit;
                                 i++;
diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
index 7546b3664113..2a828a312814 100644
--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
@@ -400,7 +400,8 @@ static u64 enh_desc_get_timestamp(void *desc, u32 ats)
         return ns;
 }
 
-static int enh_desc_get_rx_timestamp_status(void *desc, u32 ats)
+static int enh_desc_get_rx_timestamp_status(void *desc, void *next_desc,
+                                            u32 ats)
 {
         if (ats) {
                 struct dma_extended_desc *p = (struct dma_extended_desc *)desc;
diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
index f817f8f36569..db4cee57bb24 100644
--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
@@ -265,7 +265,7 @@ static u64 ndesc_get_timestamp(void *desc, u32 ats)
         return ns;
 }
 
-static int ndesc_get_rx_timestamp_status(void *desc, u32 ats)
+static int ndesc_get_rx_timestamp_status(void *desc, void *next_desc, u32 ats)
 {
         struct dma_desc *p = (struct dma_desc *)desc;
 
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
index 721b61655261..08c19ebd5306 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
@@ -34,6 +34,7 @@ static u32 stmmac_config_sub_second_increment(void __iomem *ioaddr,
 {
         u32 value = readl(ioaddr + PTP_TCR);
         unsigned long data;
+        u32 reg_value;
 
         /* For GMAC3.x, 4.x versions, convert the ptp_clock to nano second
          *      formula = (1/ptp_clock) * 1000000000
@@ -50,10 +51,11 @@ static u32 stmmac_config_sub_second_increment(void __iomem *ioaddr,
 
         data &= PTP_SSIR_SSINC_MASK;
 
+        reg_value = data;
         if (gmac4)
-                data = data << GMAC4_PTP_SSIR_SSINC_SHIFT;
+                reg_value <<= GMAC4_PTP_SSIR_SSINC_SHIFT;
 
-        writel(data, ioaddr + PTP_SSIR);
+        writel(reg_value, ioaddr + PTP_SSIR);
 
         return data;
 }
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index c52a9963c19d..0323d672e1c5 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -482,7 +482,7 @@ static void stmmac_get_rx_hwtstamp(struct stmmac_priv *priv, struct dma_desc *p,
                 desc = np;
 
         /* Check if timestamp is available */
-        if (priv->hw->desc->get_rx_timestamp_status(desc, priv->adv_ts)) {
+        if (priv->hw->desc->get_rx_timestamp_status(p, np, priv->adv_ts)) {
                 ns = priv->hw->desc->get_timestamp(desc, priv->adv_ts);
                 netdev_dbg(priv->dev, "get valid RX hw timestamp %llu\n", ns);
                 shhwtstamp = skb_hwtstamps(skb);
diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
index 7da814686ad9..a243fa7ae02f 100644
--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -107,6 +107,7 @@ int nsim_bpf_setup_tc_block_cb(enum tc_setup_type type,
         struct tc_cls_bpf_offload *cls_bpf = type_data;
         struct bpf_prog *prog = cls_bpf->prog;
         struct netdevsim *ns = cb_priv;
+        struct bpf_prog *oldprog;
 
         if (type != TC_SETUP_CLSBPF ||
             !tc_can_offload(ns->netdev) ||
@@ -114,25 +115,27 @@ int nsim_bpf_setup_tc_block_cb(enum tc_setup_type type,
             cls_bpf->common.chain_index)
                 return -EOPNOTSUPP;
 
-        if (nsim_xdp_offload_active(ns))
-                return -EBUSY;
-
         if (!ns->bpf_tc_accept)
                 return -EOPNOTSUPP;
         /* Note: progs without skip_sw will probably not be dev bound */
         if (prog && !prog->aux->offload && !ns->bpf_tc_non_bound_accept)
                 return -EOPNOTSUPP;
 
-        switch (cls_bpf->command) {
-        case TC_CLSBPF_REPLACE:
-                return nsim_bpf_offload(ns, prog, true);
-        case TC_CLSBPF_ADD:
-                return nsim_bpf_offload(ns, prog, false);
-        case TC_CLSBPF_DESTROY:
-                return nsim_bpf_offload(ns, NULL, true);
-        default:
+        if (cls_bpf->command != TC_CLSBPF_OFFLOAD)
                 return -EOPNOTSUPP;
+
+        oldprog = cls_bpf->oldprog;
+
+        /* Don't remove if oldprog doesn't match driver's state */
+        if (ns->bpf_offloaded != oldprog) {
+                oldprog = NULL;
+                if (!cls_bpf->prog)
+                        return 0;
+                if (ns->bpf_offloaded)
+                        return -EBUSY;
         }
+
+        return nsim_bpf_offload(ns, cls_bpf->prog, oldprog);
 }
 
 int nsim_bpf_disable_tc(struct netdevsim *ns)
diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c
index 2fc026dc170a..342325a89d5f 100644
--- a/drivers/net/phy/marvell.c
+++ b/drivers/net/phy/marvell.c
@@ -879,6 +879,8 @@ static int m88e1510_config_init(struct phy_device *phydev)
 
         /* SGMII-to-Copper mode initialization */
         if (phydev->interface == PHY_INTERFACE_MODE_SGMII) {
+                u32 pause;
+
                 /* Select page 18 */
                 err = marvell_set_page(phydev, 18);
                 if (err < 0)
@@ -902,6 +904,16 @@ static int m88e1510_config_init(struct phy_device *phydev)
                 err = marvell_set_page(phydev, MII_MARVELL_COPPER_PAGE);
                 if (err < 0)
                         return err;
+
+                /* There appears to be a bug in the 88e1512 when used in
+                 * SGMII to copper mode, where the AN advertisment register
+                 * clears the pause bits each time a negotiation occurs.
+                 * This means we can never be truely sure what was advertised,
+                 * so disable Pause support.
+                 */
+                pause = SUPPORTED_Pause | SUPPORTED_Asym_Pause;
+                phydev->supported &= ~pause;
+                phydev->advertising &= ~pause;
         }
 
         return m88e1121_config_init(phydev);
@@ -2070,7 +2082,8 @@ static struct phy_driver marvell_drivers[] = {
                 .flags = PHY_HAS_INTERRUPT,
                 .probe = marvell_probe,
                 .config_init = &m88e1145_config_init,
-                .config_aneg = &marvell_config_aneg,
+                .config_aneg = &m88e1101_config_aneg,
+                .read_status = &genphy_read_status,
                 .ack_interrupt = &marvell_ack_interrupt,
                 .config_intr = &marvell_config_intr,
                 .resume = &genphy_resume,
diff --git a/drivers/net/phy/mdio-xgene.c b/drivers/net/phy/mdio-xgene.c
index bfd3090fb055..07c6048200c6 100644
--- a/drivers/net/phy/mdio-xgene.c
+++ b/drivers/net/phy/mdio-xgene.c
@@ -194,8 +194,11 @@ static int xgene_mdio_reset(struct xgene_mdio_pdata *pdata)
         }
 
         ret = xgene_enet_ecc_init(pdata);
-        if (ret)
+        if (ret) {
+                if (pdata->dev->of_node)
+                        clk_disable_unprepare(pdata->clk);
                 return ret;
+        }
         xgene_gmac_reset(pdata);
 
         return 0;
@@ -388,8 +391,10 @@ static int xgene_mdio_probe(struct platform_device *pdev)
                 return ret;
 
         mdio_bus = mdiobus_alloc();
-        if (!mdio_bus)
-                return -ENOMEM;
+        if (!mdio_bus) {
+                ret = -ENOMEM;
+                goto out_clk;
+        }
 
         mdio_bus->name = "APM X-Gene MDIO bus";
 
@@ -418,7 +423,7 @@ static int xgene_mdio_probe(struct platform_device *pdev)
                 mdio_bus->phy_mask = ~0;
                 ret = mdiobus_register(mdio_bus);
                 if (ret)
-                        goto out;
+                        goto out_mdiobus;
 
                 acpi_walk_namespace(ACPI_TYPE_DEVICE, ACPI_HANDLE(dev), 1,
                                     acpi_register_phy, NULL, mdio_bus, NULL);
@@ -426,16 +431,20 @@ static int xgene_mdio_probe(struct platform_device *pdev)
         }
 
         if (ret)
-                goto out;
+                goto out_mdiobus;
 
         pdata->mdio_bus = mdio_bus;
         xgene_mdio_status = true;
 
         return 0;
 
-out:
+out_mdiobus:
         mdiobus_free(mdio_bus);
 
+out_clk:
+        if (dev->of_node)
+                clk_disable_unprepare(pdata->clk);
+
         return ret;
 }
 
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 48a0dc238f73..82090ae7ced1 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2155,6 +2155,13 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
                 }
 
                 ndst = &rt->dst;
+                if (skb_dst(skb)) {
+                        int mtu = dst_mtu(ndst) - VXLAN_HEADROOM;
+
+                        skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL,
+                                                       skb, mtu);
+                }
+
                 tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
                 ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
                 err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
@@ -2190,6 +2197,13 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
                                 goto out_unlock;
                 }
 
+                if (skb_dst(skb)) {
+                        int mtu = dst_mtu(ndst) - VXLAN6_HEADROOM;
+
+                        skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL,
+                                                       skb, mtu);
+                }
+
                 tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
                 ttl = ttl ? : ip6_dst_hoplimit(ndst);
                 skb_scrub_packet(skb, xnet);
@@ -3103,6 +3117,11 @@ static void vxlan_config_apply(struct net_device *dev,
 
                 max_mtu = lowerdev->mtu - (use_ipv6 ? VXLAN6_HEADROOM :
                                            VXLAN_HEADROOM);
+                if (max_mtu < ETH_MIN_MTU)
+                        max_mtu = ETH_MIN_MTU;
+
+                if (!changelink && !conf->mtu)
+                        dev->mtu = max_mtu;
         }
 
         if (dev->mtu > max_mtu)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 10b075a46b26..e8189c07b41f 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -684,6 +684,7 @@ static void hwsim_send_nullfunc(struct mac80211_hwsim_data *data, u8 *mac,
         hdr = skb_put(skb, sizeof(*hdr) - ETH_ALEN);
         hdr->frame_control = cpu_to_le16(IEEE80211_FTYPE_DATA |
                                          IEEE80211_STYPE_NULLFUNC |
+                                         IEEE80211_FCTL_TODS |
                                          (ps ? IEEE80211_FCTL_PM : 0));
         hdr->duration_id = cpu_to_le16(0);
         memcpy(hdr->addr1, vp->bssid, ETH_ALEN);
@@ -3215,7 +3216,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info)
                 if (!net_eq(wiphy_net(data->hw->wiphy), genl_info_net(info)))
                         continue;
 
-                skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+                skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
                 if (!skb) {
                         res = -ENOMEM;
                         goto out_err;
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index f837d666cbd4..1e46e60b8f10 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1287,7 +1287,7 @@ static void nvme_config_discard(struct nvme_ctrl *ctrl,
         BUILD_BUG_ON(PAGE_SIZE / sizeof(struct nvme_dsm_range) <
                         NVME_DSM_MAX_RANGES);
 
-        queue->limits.discard_alignment = size;
+        queue->limits.discard_alignment = 0;
         queue->limits.discard_granularity = size;
 
         blk_queue_max_discard_sectors(queue, UINT_MAX);
@@ -1705,7 +1705,8 @@ static void nvme_set_queue_limits(struct nvme_ctrl *ctrl,
                 blk_queue_max_hw_sectors(q, ctrl->max_hw_sectors);
                 blk_queue_max_segments(q, min_t(u32, max_segments, USHRT_MAX));
         }
-        if (ctrl->quirks & NVME_QUIRK_STRIPE_SIZE)
+        if ((ctrl->quirks & NVME_QUIRK_STRIPE_SIZE) &&
+            is_power_of_2(ctrl->max_hw_sectors))
                 blk_queue_chunk_sectors(q, ctrl->max_hw_sectors);
         blk_queue_virt_boundary(q, ctrl->page_size - 1);
         if (ctrl->vwc & NVME_CTRL_VWC_PRESENT)
@@ -2869,7 +2870,6 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid)
 
         blk_queue_logical_block_size(ns->queue, 1 << ns->lba_shift);
         nvme_set_queue_limits(ctrl, ns->queue);
-        nvme_setup_streams_ns(ctrl, ns);
 
         id = nvme_identify_ns(ctrl, nsid);
         if (!id)
@@ -2880,6 +2880,7 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid)
 
         if (nvme_init_ns_head(ns, nsid, id, &new))
                 goto out_free_id;
+        nvme_setup_streams_ns(ctrl, ns);
         
 #ifdef CONFIG_NVME_MULTIPATH
         /*
@@ -2965,8 +2966,6 @@ static void nvme_ns_remove(struct nvme_ns *ns)
                 return;
 
         if (ns->disk && ns->disk->flags & GENHD_FL_UP) {
-                if (blk_get_integrity(ns->disk))
-                        blk_integrity_unregister(ns->disk);
                 nvme_mpath_remove_disk_links(ns);
                 sysfs_remove_group(&disk_to_dev(ns->disk)->kobj,
                                         &nvme_ns_id_attr_group);
@@ -2974,6 +2973,8 @@ static void nvme_ns_remove(struct nvme_ns *ns)
                         nvme_nvm_unregister_sysfs(ns);
                 del_gendisk(ns->disk);
                 blk_cleanup_queue(ns->queue);
+                if (blk_get_integrity(ns->disk))
+                        blk_integrity_unregister(ns->disk);
         }
 
         mutex_lock(&ns->ctrl->subsys->lock);
diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
index 0a8af4daef89..794e66e4aa20 100644
--- a/drivers/nvme/host/fc.c
+++ b/drivers/nvme/host/fc.c
@@ -3221,7 +3221,6 @@ nvme_fc_init_ctrl(struct device *dev, struct nvmf_ctrl_options *opts,
 
                 /* initiate nvme ctrl ref counting teardown */
                 nvme_uninit_ctrl(&ctrl->ctrl);
-                nvme_put_ctrl(&ctrl->ctrl);
 
                 /* Remove core ctrl ref. */
                 nvme_put_ctrl(&ctrl->ctrl);
diff --git a/drivers/parisc/lba_pci.c b/drivers/parisc/lba_pci.c
index a25fed52f7e9..41b740aed3a3 100644
--- a/drivers/parisc/lba_pci.c
+++ b/drivers/parisc/lba_pci.c
@@ -1692,3 +1692,36 @@ void lba_set_iregs(struct parisc_device *lba, u32 ibase, u32 imask)
         iounmap(base_addr);
 }
 
+
+/*
+ * The design of the Diva management card in rp34x0 machines (rp3410, rp3440)
+ * seems rushed, so that many built-in components simply don't work.
+ * The following quirks disable the serial AUX port and the built-in ATI RV100
+ * Radeon 7000 graphics card which both don't have any external connectors and
+ * thus are useless, and even worse, e.g. the AUX port occupies ttyS0 and as
+ * such makes those machines the only PARISC machines on which we can't use
+ * ttyS0 as boot console.
+ */
+static void quirk_diva_ati_card(struct pci_dev *dev)
+{
+        if (dev->subsystem_vendor != PCI_VENDOR_ID_HP ||
+            dev->subsystem_device != 0x1292)
+                return;
+
+        dev_info(&dev->dev, "Hiding Diva built-in ATI card");
+        dev->device = 0;
+}
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RADEON_QY,
+        quirk_diva_ati_card);
+
+static void quirk_diva_aux_disable(struct pci_dev *dev)
+{
+        if (dev->subsystem_vendor != PCI_VENDOR_ID_HP ||
+            dev->subsystem_device != 0x1291)
+                return;
+
+        dev_info(&dev->dev, "Hiding Diva built-in AUX serial device");
+        dev->device = 0;
+}
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_HP, PCI_DEVICE_ID_HP_DIVA_AUX,
+        quirk_diva_aux_disable);
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index 945099d49f8f..14fd865a5120 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -1012,7 +1012,12 @@ static int pci_pm_thaw_noirq(struct device *dev)
         if (pci_has_legacy_pm_support(pci_dev))
                 return pci_legacy_resume_early(dev);
 
-        pci_update_current_state(pci_dev, PCI_D0);
+        /*
+         * pci_restore_state() requires the device to be in D0 (because of MSI
+         * restoration among other things), so force it into D0 in case the
+         * driver's "freeze" callbacks put it into a low-power state directly.
+         */
+        pci_set_power_state(pci_dev, PCI_D0);
         pci_restore_state(pci_dev);
 
         if (drv && drv->pm && drv->pm->thaw_noirq)
diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
index a007f6249166..bdc28330800e 100644
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -5383,6 +5383,13 @@ out:
 }
 EXPORT_SYMBOL_GPL(qeth_poll);
 
+static int qeth_setassparms_inspect_rc(struct qeth_ipa_cmd *cmd)
+{
+        if (!cmd->hdr.return_code)
+                cmd->hdr.return_code = cmd->data.setassparms.hdr.return_code;
+        return cmd->hdr.return_code;
+}
+
 int qeth_setassparms_cb(struct qeth_card *card,
                         struct qeth_reply *reply, unsigned long data)
 {
@@ -6239,7 +6246,7 @@ static int qeth_ipa_checksum_run_cmd_cb(struct qeth_card *card,
                                 (struct qeth_checksum_cmd *)reply->param;
 
         QETH_CARD_TEXT(card, 4, "chkdoccb");
-        if (cmd->hdr.return_code)
+        if (qeth_setassparms_inspect_rc(cmd))
                 return 0;
 
         memset(chksum_cb, 0, sizeof(*chksum_cb));
diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
index 6e3d81969a77..d52265416da2 100644
--- a/drivers/scsi/aacraid/aacraid.h
+++ b/drivers/scsi/aacraid/aacraid.h
@@ -1725,6 +1725,7 @@ struct aac_dev
 #define FIB_CONTEXT_FLAG_NATIVE_HBA             (0x00000010)
 #define FIB_CONTEXT_FLAG_NATIVE_HBA_TMF (0x00000020)
 #define FIB_CONTEXT_FLAG_SCSI_CMD       (0x00000040)
+#define FIB_CONTEXT_FLAG_EH_RESET       (0x00000080)
 
 /*
  *      Define the command values
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index bdf127aaab41..d55332de08f9 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -1037,7 +1037,7 @@ static int aac_eh_bus_reset(struct scsi_cmnd* cmd)
                         info = &aac->hba_map[bus][cid];
                         if (bus >= AAC_MAX_BUSES || cid >= AAC_MAX_TARGETS ||
                             info->devtype != AAC_DEVTYPE_NATIVE_RAW) {
-                                fib->flags |= FIB_CONTEXT_FLAG_TIMED_OUT;
+                                fib->flags |= FIB_CONTEXT_FLAG_EH_RESET;
                                 cmd->SCp.phase = AAC_OWNER_ERROR_HANDLER;
                         }
                 }
diff --git a/drivers/scsi/osd/osd_initiator.c b/drivers/scsi/osd/osd_initiator.c
index a4f28b7e4c65..e18877177f1b 100644
--- a/drivers/scsi/osd/osd_initiator.c
+++ b/drivers/scsi/osd/osd_initiator.c
@@ -1576,7 +1576,9 @@ static struct request *_make_request(struct request_queue *q, bool has_write,
                 return req;
 
         for_each_bio(bio) {
-                ret = blk_rq_append_bio(req, bio);
+                struct bio *bounce_bio = bio;
+
+                ret = blk_rq_append_bio(req, &bounce_bio);
                 if (ret)
                         return ERR_PTR(ret);
         }
diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c
index 449ef5adbb2b..dfb8da83fa50 100644
--- a/drivers/scsi/scsi_devinfo.c
+++ b/drivers/scsi/scsi_devinfo.c
@@ -374,10 +374,8 @@ int scsi_dev_info_list_add_keyed(int compatible, char *vendor, char *model,
                             model, compatible);
 
         if (strflags)
-                devinfo->flags = simple_strtoul(strflags, NULL, 0);
-        else
-                devinfo->flags = flags;
-
+                flags = (__force blist_flags_t)simple_strtoul(strflags, NULL, 0);
+        devinfo->flags = flags;
         devinfo->compatible = compatible;
 
         if (compatible)
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index be5e919db0e8..0880d975eed3 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -770,7 +770,7 @@ static int scsi_probe_lun(struct scsi_device *sdev, unsigned char *inq_result,
  *     SCSI_SCAN_LUN_PRESENT: a new scsi_device was allocated and initialized
  **/
 static int scsi_add_lun(struct scsi_device *sdev, unsigned char *inq_result,
-                int *bflags, int async)
+                blist_flags_t *bflags, int async)
 {
         int ret;
 
@@ -1049,14 +1049,15 @@ static unsigned char *scsi_inq_str(unsigned char *buf, unsigned char *inq,
  *   - SCSI_SCAN_LUN_PRESENT: a new scsi_device was allocated and initialized
  **/
 static int scsi_probe_and_add_lun(struct scsi_target *starget,
-                                  u64 lun, int *bflagsp,
+                                  u64 lun, blist_flags_t *bflagsp,
                                   struct scsi_device **sdevp,
                                   enum scsi_scan_mode rescan,
                                   void *hostdata)
 {
         struct scsi_device *sdev;
         unsigned char *result;
-        int bflags, res = SCSI_SCAN_NO_RESPONSE, result_len = 256;
+        blist_flags_t bflags;
+        int res = SCSI_SCAN_NO_RESPONSE, result_len = 256;
         struct Scsi_Host *shost = dev_to_shost(starget->dev.parent);
 
         /*
@@ -1201,7 +1202,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget,
  *     Modifies sdevscan->lun.
  **/
 static void scsi_sequential_lun_scan(struct scsi_target *starget,
-                                     int bflags, int scsi_level,
+                                     blist_flags_t bflags, int scsi_level,
                                      enum scsi_scan_mode rescan)
 {
         uint max_dev_lun;
@@ -1292,7 +1293,7 @@ static void scsi_sequential_lun_scan(struct scsi_target *starget,
  *     0: scan completed (or no memory, so further scanning is futile)
  *     1: could not scan with REPORT LUN
  **/
-static int scsi_report_lun_scan(struct scsi_target *starget, int bflags,
+static int scsi_report_lun_scan(struct scsi_target *starget, blist_flags_t bflags,
                                 enum scsi_scan_mode rescan)
 {
         unsigned char scsi_cmd[MAX_COMMAND_SIZE];
@@ -1538,7 +1539,7 @@ static void __scsi_scan_target(struct device *parent, unsigned int channel,
                 unsigned int id, u64 lun, enum scsi_scan_mode rescan)
 {
         struct Scsi_Host *shost = dev_to_shost(parent);
-        int bflags = 0;
+        blist_flags_t bflags = 0;
         int res;
         struct scsi_target *starget;
 
diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 50e7d7e4a861..a9996c16f4ae 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -967,7 +967,8 @@ sdev_show_wwid(struct device *dev, struct device_attribute *attr,
 }
 static DEVICE_ATTR(wwid, S_IRUGO, sdev_show_wwid, NULL);
 
-#define BLIST_FLAG_NAME(name) [ilog2(BLIST_##name)] = #name
+#define BLIST_FLAG_NAME(name)                                   \
+        [ilog2((__force unsigned int)BLIST_##name)] = #name
 static const char *const sdev_bflags_name[] = {
 #include "scsi_devinfo_tbl.c"
 };
@@ -984,7 +985,7 @@ sdev_show_blacklist(struct device *dev, struct device_attribute *attr,
         for (i = 0; i < sizeof(sdev->sdev_bflags) * BITS_PER_BYTE; i++) {
                 const char *name = NULL;
 
-                if (!(sdev->sdev_bflags & BIT(i)))
+                if (!(sdev->sdev_bflags & (__force blist_flags_t)BIT(i)))
                         continue;
                 if (i < ARRAY_SIZE(sdev_bflags_name) && sdev_bflags_name[i])
                         name = sdev_bflags_name[i];
diff --git a/drivers/scsi/scsi_transport_spi.c b/drivers/scsi/scsi_transport_spi.c
index d0219e36080c..10ebb213ddb3 100644
--- a/drivers/scsi/scsi_transport_spi.c
+++ b/drivers/scsi/scsi_transport_spi.c
@@ -50,14 +50,14 @@
 
 /* Our blacklist flags */
 enum {
-        SPI_BLIST_NOIUS = 0x1,
+        SPI_BLIST_NOIUS = (__force blist_flags_t)0x1,
 };
 
 /* blacklist table, modelled on scsi_devinfo.c */
 static struct {
         char *vendor;
         char *model;
-        unsigned flags;
+        blist_flags_t flags;
 } spi_static_device_list[] __initdata = {
         {"HP", "Ultrium 3-SCSI", SPI_BLIST_NOIUS },
         {"IBM", "ULTRIUM-TD3", SPI_BLIST_NOIUS },
@@ -221,9 +221,11 @@ static int spi_device_configure(struct transport_container *tc,
 {
         struct scsi_device *sdev = to_scsi_device(dev);
         struct scsi_target *starget = sdev->sdev_target;
-        unsigned bflags = scsi_get_device_flags_keyed(sdev, &sdev->inquiry[8],
-                                                      &sdev->inquiry[16],
-                                                      SCSI_DEVINFO_SPI);
+        blist_flags_t bflags;
+
+        bflags = scsi_get_device_flags_keyed(sdev, &sdev->inquiry[8],
+                                             &sdev->inquiry[16],
+                                             SCSI_DEVINFO_SPI);
 
         /* Populate the target capability fields with the values
          * gleaned from the device inquiry */
diff --git a/drivers/spi/spi-armada-3700.c b/drivers/spi/spi-armada-3700.c
index 77fe55ce790c..d65345312527 100644
--- a/drivers/spi/spi-armada-3700.c
+++ b/drivers/spi/spi-armada-3700.c
@@ -79,6 +79,7 @@
 #define A3700_SPI_BYTE_LEN              BIT(5)
 #define A3700_SPI_CLK_PRESCALE          BIT(0)
 #define A3700_SPI_CLK_PRESCALE_MASK     (0x1f)
+#define A3700_SPI_CLK_EVEN_OFFS         (0x10)
 
 #define A3700_SPI_WFIFO_THRS_BIT        28
 #define A3700_SPI_RFIFO_THRS_BIT        24
@@ -220,6 +221,13 @@ static void a3700_spi_clock_set(struct a3700_spi *a3700_spi,
 
         prescale = DIV_ROUND_UP(clk_get_rate(a3700_spi->clk), speed_hz);
 
+        /* For prescaler values over 15, we can only set it by steps of 2.
+         * Starting from A3700_SPI_CLK_EVEN_OFFS, we set values from 0 up to
+         * 30. We only use this range from 16 to 30.
+         */
+        if (prescale > 15)
+                prescale = A3700_SPI_CLK_EVEN_OFFS + DIV_ROUND_UP(prescale, 2);
+
         val = spireg_read(a3700_spi, A3700_SPI_IF_CFG_REG);
         val = val & ~A3700_SPI_CLK_PRESCALE_MASK;
 
diff --git a/drivers/spi/spi-atmel.c b/drivers/spi/spi-atmel.c
index f95da364c283..669470971023 100644
--- a/drivers/spi/spi-atmel.c
+++ b/drivers/spi/spi-atmel.c
@@ -1661,12 +1661,12 @@ static int atmel_spi_remove(struct platform_device *pdev)
         pm_runtime_get_sync(&pdev->dev);
 
         /* reset the hardware and block queue progress */
-        spin_lock_irq(&as->lock);
         if (as->use_dma) {
                 atmel_spi_stop_dma(master);
                 atmel_spi_release_dma(master);
         }
 
+        spin_lock_irq(&as->lock);
         spi_writel(as, CR, SPI_BIT(SWRST));
         spi_writel(as, CR, SPI_BIT(SWRST)); /* AT91SAM9263 Rev B workaround */
         spi_readl(as, SR);
diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c
index 2ce875764ca6..0835a8d88fb8 100644
--- a/drivers/spi/spi-rspi.c
+++ b/drivers/spi/spi-rspi.c
@@ -377,8 +377,8 @@ static int qspi_set_config_register(struct rspi_data *rspi, int access_size)
         /* Sets SPCMD */
         rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
 
-        /* Enables SPI function in master mode */
-        rspi_write8(rspi, SPCR_SPE | SPCR_MSTR, RSPI_SPCR);
+        /* Sets RSPI mode */
+        rspi_write8(rspi, SPCR_MSTR, RSPI_SPCR);
 
         return 0;
 }
diff --git a/drivers/spi/spi-sun4i.c b/drivers/spi/spi-sun4i.c
index c5cd635c28f3..41410031f8e9 100644
--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -525,7 +525,7 @@ err_free_master:
 
 static int sun4i_spi_remove(struct platform_device *pdev)
 {
-        pm_runtime_disable(&pdev->dev);
+        pm_runtime_force_suspend(&pdev->dev);
 
         return 0;
 }
diff --git a/drivers/spi/spi-xilinx.c b/drivers/spi/spi-xilinx.c
index bc7100b93dfc..e0b9fe1d0e37 100644
--- a/drivers/spi/spi-xilinx.c
+++ b/drivers/spi/spi-xilinx.c
@@ -271,6 +271,7 @@ static int xilinx_spi_txrx_bufs(struct spi_device *spi, struct spi_transfer *t)
         while (remaining_words) {
                 int n_words, tx_words, rx_words;
                 u32 sr;
+                int stalled;
 
                 n_words = min(remaining_words, xspi->buffer_size);
 
@@ -299,7 +300,17 @@ static int xilinx_spi_txrx_bufs(struct spi_device *spi, struct spi_transfer *t)
 
                 /* Read out all the data from the Rx FIFO */
                 rx_words = n_words;
+                stalled = 10;
                 while (rx_words) {
+                        if (rx_words == n_words && !(stalled--) &&
+                            !(sr & XSPI_SR_TX_EMPTY_MASK) &&
+                            (sr & XSPI_SR_RX_EMPTY_MASK)) {
+                                dev_err(&spi->dev,
+                                        "Detected stall. Check C_SPI_MODE and C_SPI_MEMORY\n");
+                                xspi_init_hw(xspi);
+                                return -EIO;
+                        }
+
                         if ((sr & XSPI_SR_TX_EMPTY_MASK) && (rx_words > 1)) {
                                 xilinx_spi_rx(xspi);
                                 rx_words--;
diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
index 7c69b4a9694d..0d99b242e82e 100644
--- a/drivers/target/target_core_pscsi.c
+++ b/drivers/target/target_core_pscsi.c
@@ -920,7 +920,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
                                         " %d i: %d bio: %p, allocating another"
                                         " bio\n", bio->bi_vcnt, i, bio);
 
-                                rc = blk_rq_append_bio(req, bio);
+                                rc = blk_rq_append_bio(req, &bio);
                                 if (rc) {
                                         pr_err("pSCSI: failed to append bio\n");
                                         goto fail;
@@ -938,7 +938,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
         }
 
         if (bio) {
-                rc = blk_rq_append_bio(req, bio);
+                rc = blk_rq_append_bio(req, &bio);
                 if (rc) {
                         pr_err("pSCSI: failed to append bio\n");
                         goto fail;
diff --git a/fs/cramfs/Kconfig b/fs/cramfs/Kconfig
index f937082f3244..58e2fe40b2a0 100644
--- a/fs/cramfs/Kconfig
+++ b/fs/cramfs/Kconfig
@@ -34,6 +34,7 @@ config CRAMFS_BLOCKDEV
 config CRAMFS_MTD
         bool "Support CramFs image directly mapped in physical memory"
         depends on CRAMFS && MTD
+        depends on CRAMFS=m || MTD=y
         default y if !CRAMFS_BLOCKDEV
         help
           This option allows the CramFs driver to load data directly from
diff --git a/fs/exec.c b/fs/exec.c
index 156f56acfe8e..5688b5e1b937 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1339,15 +1339,10 @@ void setup_new_exec(struct linux_binprm * bprm)
                  * avoid bad behavior from the prior rlimits. This has to
                  * happen before arch_pick_mmap_layout(), which examines
                  * RLIMIT_STACK, but after the point of no return to avoid
-                 * races from other threads changing the limits. This also
-                 * must be protected from races with prlimit() calls.
+                 * needing to clean up the change on failure.
                  */
-                task_lock(current->group_leader);
                 if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
                         current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
-                if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM)
-                        current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM;
-                task_unlock(current->group_leader);
         }
 
         arch_pick_mmap_layout(current->mm);
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 07bca11749d4..c941251ac0c0 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -4722,6 +4722,7 @@ retry:
                                                     EXT4_INODE_EOFBLOCKS);
                 }
                 ext4_mark_inode_dirty(handle, inode);
+                ext4_update_inode_fsync_trans(handle, inode, 1);
                 ret2 = ext4_journal_stop(handle);
                 if (ret2)
                         break;
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index b4267d72f249..b32cf263750d 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -816,6 +816,8 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir,
 #ifdef CONFIG_EXT4_FS_POSIX_ACL
                 struct posix_acl *p = get_acl(dir, ACL_TYPE_DEFAULT);
 
+                if (IS_ERR(p))
+                        return ERR_CAST(p);
                 if (p) {
                         int acl_size = p->a_count * sizeof(ext4_acl_entry);
 
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 7df2c5644e59..534a9130f625 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -149,6 +149,15 @@ static int ext4_meta_trans_blocks(struct inode *inode, int lblocks,
  */
 int ext4_inode_is_fast_symlink(struct inode *inode)
 {
+        if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+                int ea_blocks = EXT4_I(inode)->i_file_acl ?
+                                EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0;
+
+                if (ext4_has_inline_data(inode))
+                        return 0;
+
+                return (S_ISLNK(inode->i_mode) && inode->i_blocks - ea_blocks == 0);
+        }
         return S_ISLNK(inode->i_mode) && inode->i_size &&
                (inode->i_size < EXT4_N_BLOCKS * 4);
 }
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 798b3ac680db..e750d68fbcb5 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -1399,6 +1399,10 @@ static struct buffer_head * ext4_find_entry (struct inode *dir,
                                "falling back\n"));
         }
         nblocks = dir->i_size >> EXT4_BLOCK_SIZE_BITS(sb);
+        if (!nblocks) {
+                ret = NULL;
+                goto cleanup_and_exit;
+        }
         start = EXT4_I(dir)->i_dir_start_lookup;
         if (start >= nblocks)
                 start = 0;
diff --git a/fs/namespace.c b/fs/namespace.c
index e158ec6b527b..9d1374ab6e06 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2826,6 +2826,7 @@ long do_mount(const char *dev_name, const char __user *dir_name,
                             SB_DIRSYNC |
                             SB_SILENT |
                             SB_POSIXACL |
+                            SB_LAZYTIME |
                             SB_I_VERSION);
 
         if (flags & MS_REMOUNT)
diff --git a/fs/super.c b/fs/super.c
index d4e33e8f1e6f..7ff1349609e4 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -191,6 +191,24 @@ static struct super_block *alloc_super(struct file_system_type *type, int flags,
 
         INIT_LIST_HEAD(&s->s_mounts);
         s->s_user_ns = get_user_ns(user_ns);
+        init_rwsem(&s->s_umount);
+        lockdep_set_class(&s->s_umount, &type->s_umount_key);
+        /*
+         * sget() can have s_umount recursion.
+         *
+         * When it cannot find a suitable sb, it allocates a new
+         * one (this one), and tries again to find a suitable old
+         * one.
+         *
+         * In case that succeeds, it will acquire the s_umount
+         * lock of the old one. Since these are clearly distrinct
+         * locks, and this object isn't exposed yet, there's no
+         * risk of deadlocks.
+         *
+         * Annotate this by putting this lock in a different
+         * subclass.
+         */
+        down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING);
 
         if (security_sb_alloc(s))
                 goto fail;
@@ -218,25 +236,6 @@ static struct super_block *alloc_super(struct file_system_type *type, int flags,
                 goto fail;
         if (list_lru_init_memcg(&s->s_inode_lru))
                 goto fail;
-
-        init_rwsem(&s->s_umount);
-        lockdep_set_class(&s->s_umount, &type->s_umount_key);
-        /*
-         * sget() can have s_umount recursion.
-         *
-         * When it cannot find a suitable sb, it allocates a new
-         * one (this one), and tries again to find a suitable old
-         * one.
-         *
-         * In case that succeeds, it will acquire the s_umount
-         * lock of the old one. Since these are clearly distrinct
-         * locks, and this object isn't exposed yet, there's no
-         * risk of deadlocks.
-         *
-         * Annotate this by putting this lock in a different
-         * subclass.
-         */
-        down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING);
         s->s_count = 1;
         atomic_set(&s->s_active, 1);
         mutex_init(&s->s_vfs_rename_mutex);
diff --git a/include/kvm/arm_arch_timer.h b/include/kvm/arm_arch_timer.h
index 6e45608b2399..9da6ce22803f 100644
--- a/include/kvm/arm_arch_timer.h
+++ b/include/kvm/arm_arch_timer.h
@@ -62,7 +62,7 @@ struct arch_timer_cpu {
         bool                    enabled;
 };
 
-int kvm_timer_hyp_init(void);
+int kvm_timer_hyp_init(bool);
 int kvm_timer_enable(struct kvm_vcpu *vcpu);
 int kvm_timer_vcpu_reset(struct kvm_vcpu *vcpu);
 void kvm_timer_vcpu_init(struct kvm_vcpu *vcpu);
diff --git a/include/linux/bio.h b/include/linux/bio.h
index 82f0c8fd7be8..23d29b39f71e 100644
--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -492,6 +492,8 @@ extern unsigned int bvec_nr_vecs(unsigned short idx);
 
 #define bio_set_dev(bio, bdev)                  \
 do {                                            \
+        if ((bio)->bi_disk != (bdev)->bd_disk)  \
+                bio_clear_flag(bio, BIO_THROTTLED);\
         (bio)->bi_disk = (bdev)->bd_disk;       \
         (bio)->bi_partno = (bdev)->bd_partno;   \
 } while (0)
diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
index a1e628e032da..9e7d8bd776d2 100644
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -50,8 +50,6 @@ struct blk_issue_stat {
 struct bio {
         struct bio              *bi_next;       /* request queue link */
         struct gendisk          *bi_disk;
-        u8                      bi_partno;
-        blk_status_t            bi_status;
         unsigned int            bi_opf;         /* bottom bits req flags,
                                                  * top bits REQ_OP. Use
                                                  * accessors.
@@ -59,8 +57,8 @@ struct bio {
         unsigned short          bi_flags;       /* status, etc and bvec pool number */
         unsigned short          bi_ioprio;
         unsigned short          bi_write_hint;
-
-        struct bvec_iter        bi_iter;
+        blk_status_t            bi_status;
+        u8                      bi_partno;
 
         /* Number of segments in this BIO after
          * physical address coalescing is performed.
@@ -74,8 +72,9 @@ struct bio {
         unsigned int            bi_seg_front_size;
         unsigned int            bi_seg_back_size;
 
-        atomic_t                __bi_remaining;
+        struct bvec_iter        bi_iter;
 
+        atomic_t                __bi_remaining;
         bio_end_io_t            *bi_end_io;
 
         void                    *bi_private;
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 8089ca17db9a..0ce8a372d506 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -135,7 +135,7 @@ typedef __u32 __bitwise req_flags_t;
 struct request {
         struct list_head queuelist;
         union {
-                call_single_data_t csd;
+                struct __call_single_data csd;
                 u64 fifo_time;
         };
 
@@ -241,14 +241,24 @@ struct request {
         struct request *next_rq;
 };
 
+static inline bool blk_op_is_scsi(unsigned int op)
+{
+        return op == REQ_OP_SCSI_IN || op == REQ_OP_SCSI_OUT;
+}
+
+static inline bool blk_op_is_private(unsigned int op)
+{
+        return op == REQ_OP_DRV_IN || op == REQ_OP_DRV_OUT;
+}
+
 static inline bool blk_rq_is_scsi(struct request *rq)
 {
-        return req_op(rq) == REQ_OP_SCSI_IN || req_op(rq) == REQ_OP_SCSI_OUT;
+        return blk_op_is_scsi(req_op(rq));
 }
 
 static inline bool blk_rq_is_private(struct request *rq)
 {
-        return req_op(rq) == REQ_OP_DRV_IN || req_op(rq) == REQ_OP_DRV_OUT;
+        return blk_op_is_private(req_op(rq));
 }
 
 static inline bool blk_rq_is_passthrough(struct request *rq)
@@ -256,6 +266,13 @@ static inline bool blk_rq_is_passthrough(struct request *rq)
         return blk_rq_is_scsi(rq) || blk_rq_is_private(rq);
 }
 
+static inline bool bio_is_passthrough(struct bio *bio)
+{
+        unsigned op = bio_op(bio);
+
+        return blk_op_is_scsi(op) || blk_op_is_private(op);
+}
+
 static inline unsigned short req_get_ioprio(struct request *req)
 {
         return req->ioprio;
@@ -948,7 +965,7 @@ extern int blk_rq_prep_clone(struct request *rq, struct request *rq_src,
 extern void blk_rq_unprep_clone(struct request *rq);
 extern blk_status_t blk_insert_cloned_request(struct request_queue *q,
                                      struct request *rq);
-extern int blk_rq_append_bio(struct request *rq, struct bio *bio);
+extern int blk_rq_append_bio(struct request *rq, struct bio **bio);
 extern void blk_delay_queue(struct request_queue *, unsigned long);
 extern void blk_queue_split(struct request_queue *, struct bio **);
 extern void blk_recount_segments(struct request_queue *, struct bio *);
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index aaac589e490c..c009e472f647 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -15,11 +15,11 @@
  * In practice this is far bigger than any realistic pointer offset; this limit
  * ensures that umax_value + (int)off + (int)size cannot overflow a u64.
  */
-#define BPF_MAX_VAR_OFF (1ULL << 31)
+#define BPF_MAX_VAR_OFF (1 << 29)
 /* Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO].  This ensures
  * that converting umax_value to int cannot overflow.
  */
-#define BPF_MAX_VAR_SIZ INT_MAX
+#define BPF_MAX_VAR_SIZ (1 << 29)
 
 /* Liveness marks, used for registers and spilled-regs (in stack slots).
  * Read marks propagate upwards until they find a write mark; they record that
diff --git a/include/linux/pti.h b/include/linux/intel-pti.h
index b3ea01a3197e..2710d72de3c9 100644
--- a/include/linux/pti.h
+++ b/include/linux/intel-pti.h
@@ -22,8 +22,8 @@
  * interface to write out it's contents for debugging a mobile system.
  */
 
-#ifndef PTI_H_
-#define PTI_H_
+#ifndef LINUX_INTEL_PTI_H_
+#define LINUX_INTEL_PTI_H_
 
 /* offset for last dword of any PTI message. Part of MIPI P1149.7 */
 #define PTI_LASTDWORD_DTS       0x30
@@ -40,4 +40,4 @@ struct pti_masterchannel *pti_request_masterchannel(u8 type,
                                                     const char *thread_name);
 void pti_release_masterchannel(struct pti_masterchannel *mc);
 
-#endif /*PTI_H_*/
+#endif /* LINUX_INTEL_PTI_H_ */
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index cb18c6290ca8..8415bf1a9776 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -273,7 +273,8 @@ struct ipv6_pinfo {
                                                  * 100: prefer care-of address
                                                  */
                                 dontfrag:1,
-                                autoflowlabel:1;
+                                autoflowlabel:1,
+                                autoflowlabel_set:1;
         __u8                    min_hopcount;
         __u8                    tclass;
         __be32                  rcv_flowinfo;
diff --git a/include/linux/mfd/rtsx_pci.h b/include/linux/mfd/rtsx_pci.h
index a2a1318a3d0c..c3d3f04d8cc6 100644
--- a/include/linux/mfd/rtsx_pci.h
+++ b/include/linux/mfd/rtsx_pci.h
@@ -915,10 +915,10 @@ enum PDEV_STAT  {PDEV_STAT_IDLE, PDEV_STAT_RUN};
 #define LTR_L1SS_PWR_GATE_CHECK_CARD_EN BIT(6)
 
 enum dev_aspm_mode {
-        DEV_ASPM_DISABLE = 0,
         DEV_ASPM_DYNAMIC,
         DEV_ASPM_BACKDOOR,
         DEV_ASPM_STATIC,
+        DEV_ASPM_DISABLE,
 };
 
 /*
diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
index a886b51511ab..57b109c6e422 100644
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -556,6 +556,7 @@ struct mlx5_core_sriov {
 };
 
 struct mlx5_irq_info {
+        cpumask_var_t mask;
         char name[MLX5_MAX_IRQ_NAME];
 };
 
@@ -1048,7 +1049,7 @@ int mlx5_create_map_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq, u8 vecidx,
                        enum mlx5_eq_type type);
 int mlx5_destroy_unmap_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq);
 int mlx5_start_eqs(struct mlx5_core_dev *dev);
-int mlx5_stop_eqs(struct mlx5_core_dev *dev);
+void mlx5_stop_eqs(struct mlx5_core_dev *dev);
 int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
                     unsigned int *irqn);
 int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
index 38a7577a9ce7..d44ec5f41d4a 100644
--- a/include/linux/mlx5/mlx5_ifc.h
+++ b/include/linux/mlx5/mlx5_ifc.h
@@ -147,7 +147,7 @@ enum {
         MLX5_CMD_OP_ALLOC_Q_COUNTER               = 0x771,
         MLX5_CMD_OP_DEALLOC_Q_COUNTER             = 0x772,
         MLX5_CMD_OP_QUERY_Q_COUNTER               = 0x773,
-        MLX5_CMD_OP_SET_RATE_LIMIT                = 0x780,
+        MLX5_CMD_OP_SET_PP_RATE_LIMIT             = 0x780,
         MLX5_CMD_OP_QUERY_RATE_LIMIT              = 0x781,
         MLX5_CMD_OP_CREATE_SCHEDULING_ELEMENT      = 0x782,
         MLX5_CMD_OP_DESTROY_SCHEDULING_ELEMENT     = 0x783,
@@ -7239,7 +7239,7 @@ struct mlx5_ifc_add_vxlan_udp_dport_in_bits {
         u8         vxlan_udp_port[0x10];
 };
 
-struct mlx5_ifc_set_rate_limit_out_bits {
+struct mlx5_ifc_set_pp_rate_limit_out_bits {
         u8         status[0x8];
         u8         reserved_at_8[0x18];
 
@@ -7248,7 +7248,7 @@ struct mlx5_ifc_set_rate_limit_out_bits {
         u8         reserved_at_40[0x40];
 };
 
-struct mlx5_ifc_set_rate_limit_in_bits {
+struct mlx5_ifc_set_pp_rate_limit_in_bits {
         u8         opcode[0x10];
         u8         reserved_at_10[0x10];
 
@@ -7261,6 +7261,8 @@ struct mlx5_ifc_set_rate_limit_in_bits {
         u8         reserved_at_60[0x20];
 
         u8         rate_limit[0x20];
+
+        u8         reserved_at_a0[0x160];
 };
 
 struct mlx5_ifc_access_register_out_bits {
diff --git a/include/linux/spi/spi.h b/include/linux/spi/spi.h
index 7b2170bfd6e7..bc6bb325d1bf 100644
--- a/include/linux/spi/spi.h
+++ b/include/linux/spi/spi.h
@@ -126,7 +126,7 @@ void spi_statistics_add_transfer_stats(struct spi_statistics *stats,
  *      for that name.  This appears in the sysfs "modalias" attribute
  *      for driver coldplugging, and in uevents used for hotplugging
  * @cs_gpio: gpio number of the chipselect line (optional, -ENOENT when
- *      when not using a GPIO line)
+ *      not using a GPIO line)
  *
  * @statistics: statistics for the spi_device
  *
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 8b8118a7fadb..cb4d92b79cd9 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -3226,7 +3226,6 @@ struct cfg80211_ops {
  * @WIPHY_FLAG_IBSS_RSN: The device supports IBSS RSN.
  * @WIPHY_FLAG_MESH_AUTH: The device supports mesh authentication by routing
  *      auth frames to userspace. See @NL80211_MESH_SETUP_USERSPACE_AUTH.
- * @WIPHY_FLAG_SUPPORTS_SCHED_SCAN: The device supports scheduled scans.
  * @WIPHY_FLAG_SUPPORTS_FW_ROAM: The device supports roaming feature in the
  *      firmware.
  * @WIPHY_FLAG_AP_UAPSD: The device supports uapsd on AP.
diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
index 58bba9c769ea..31574c958673 100644
--- a/include/net/pkt_cls.h
+++ b/include/net/pkt_cls.h
@@ -696,9 +696,7 @@ struct tc_cls_matchall_offload {
 };
 
 enum tc_clsbpf_command {
-        TC_CLSBPF_ADD,
-        TC_CLSBPF_REPLACE,
-        TC_CLSBPF_DESTROY,
+        TC_CLSBPF_OFFLOAD,
         TC_CLSBPF_STATS,
 };
 
@@ -707,6 +705,7 @@ struct tc_cls_bpf_offload {
         enum tc_clsbpf_command command;
         struct tcf_exts *exts;
         struct bpf_prog *prog;
+        struct bpf_prog *oldprog;
         const char *name;
         bool exts_integrated;
         u32 gen_flags;
diff --git a/include/trace/events/kvm.h b/include/trace/events/kvm.h
index e4b0b8e09932..2c735a3e6613 100644
--- a/include/trace/events/kvm.h
+++ b/include/trace/events/kvm.h
@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
         { KVM_TRACE_MMIO_WRITE, "write" }
 
 TRACE_EVENT(kvm_mmio,
-        TP_PROTO(int type, int len, u64 gpa, u64 val),
+        TP_PROTO(int type, int len, u64 gpa, void *val),
         TP_ARGS(type, len, gpa, val),
 
         TP_STRUCT__entry(
@@ -225,7 +225,10 @@ TRACE_EVENT(kvm_mmio,
                 __entry->type           = type;
                 __entry->len            = len;
                 __entry->gpa            = gpa;
-                __entry->val            = val;
+                __entry->val            = 0;
+                if (val)
+                        memcpy(&__entry->val, val,
+                               min_t(u32, sizeof(__entry->val), len));
         ),
 
         TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 48b2901cf483..1cd2c2d28fc3 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1417,6 +1417,11 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
                 break;
         case PTR_TO_STACK:
                 pointer_desc = "stack ";
+                /* The stack spill tracking logic in check_stack_write()
+                 * and check_stack_read() relies on stack accesses being
+                 * aligned.
+                 */
+                strict = true;
                 break;
         default:
                 break;
@@ -1473,6 +1478,29 @@ static int get_callee_stack_depth(struct bpf_verifier_env *env,
         return env->subprog_stack_depth[subprog];
 }
 
+/* truncate register to smaller size (in bytes)
+ * must be called with size < BPF_REG_SIZE
+ */
+static void coerce_reg_to_size(struct bpf_reg_state *reg, int size)
+{
+        u64 mask;
+
+        /* clear high bits in bit representation */
+        reg->var_off = tnum_cast(reg->var_off, size);
+
+        /* fix arithmetic bounds */
+        mask = ((u64)1 << (size * 8)) - 1;
+        if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) {
+                reg->umin_value &= mask;
+                reg->umax_value &= mask;
+        } else {
+                reg->umin_value = 0;
+                reg->umax_value = mask;
+        }
+        reg->smin_value = reg->umin_value;
+        reg->smax_value = reg->umax_value;
+}
+
 /* check whether memory at (regno + off) is accessible for t = (read | write)
  * if t==write, value_regno is a register which value is stored into memory
  * if t==read, value_regno is a register which will receive the value from memory
@@ -1608,9 +1636,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
         if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&
             regs[value_regno].type == SCALAR_VALUE) {
                 /* b/h/w load zero-extends, mark upper bits as known 0 */
-                regs[value_regno].var_off =
-                        tnum_cast(regs[value_regno].var_off, size);
-                __update_reg_bounds(&regs[value_regno]);
+                coerce_reg_to_size(&regs[value_regno], size);
         }
         return err;
 }
@@ -1684,6 +1710,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
                 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
                 verbose(env, "invalid variable stack read R%d var_off=%s\n",
                         regno, tn_buf);
+                return -EACCES;
         }
         off = reg->off + reg->var_off.value;
         if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
@@ -2206,7 +2233,13 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
                 return -EINVAL;
         }
 
+        /* With LD_ABS/IND some JITs save/restore skb from r1. */
         changes_data = bpf_helper_changes_pkt_data(fn->func);
+        if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
+                verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n",
+                        func_id_name(func_id), func_id);
+                return -EINVAL;
+        }
 
         memset(&meta, 0, sizeof(meta));
         meta.pkt_access = fn->pkt_access;
@@ -2298,14 +2331,6 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
         return 0;
 }
 
-static void coerce_reg_to_32(struct bpf_reg_state *reg)
-{
-        /* clear high 32 bits */
-        reg->var_off = tnum_cast(reg->var_off, 4);
-        /* Update bounds */
-        __update_reg_bounds(reg);
-}
-
 static bool signed_add_overflows(s64 a, s64 b)
 {
         /* Do the add in u64, where overflow is well-defined */
@@ -2326,6 +2351,41 @@ static bool signed_sub_overflows(s64 a, s64 b)
         return res > a;
 }
 
+static bool check_reg_sane_offset(struct bpf_verifier_env *env,
+                                  const struct bpf_reg_state *reg,
+                                  enum bpf_reg_type type)
+{
+        bool known = tnum_is_const(reg->var_off);
+        s64 val = reg->var_off.value;
+        s64 smin = reg->smin_value;
+
+        if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) {
+                verbose(env, "math between %s pointer and %lld is not allowed\n",
+                        reg_type_str[type], val);
+                return false;
+        }
+
+        if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) {
+                verbose(env, "%s pointer offset %d is not allowed\n",
+                        reg_type_str[type], reg->off);
+                return false;
+        }
+
+        if (smin == S64_MIN) {
+                verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n",
+                        reg_type_str[type]);
+                return false;
+        }
+
+        if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) {
+                verbose(env, "value %lld makes %s pointer be out of bounds\n",
+                        smin, reg_type_str[type]);
+                return false;
+        }
+
+        return true;
+}
+
 /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
  * Caller should also handle BPF_MOV case separately.
  * If we return -EACCES, caller may want to try again treating pointer as a
@@ -2364,29 +2424,25 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
 
         if (BPF_CLASS(insn->code) != BPF_ALU64) {
                 /* 32-bit ALU ops on pointers produce (meaningless) scalars */
-                if (!env->allow_ptr_leaks)
-                        verbose(env,
-                                "R%d 32-bit pointer arithmetic prohibited\n",
-                                dst);
+                verbose(env,
+                        "R%d 32-bit pointer arithmetic prohibited\n",
+                        dst);
                 return -EACCES;
         }
 
         if (ptr_reg->type == PTR_TO_MAP_VALUE_OR_NULL) {
-                if (!env->allow_ptr_leaks)
-                        verbose(env, "R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n",
-                                dst);
+                verbose(env, "R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n",
+                        dst);
                 return -EACCES;
         }
         if (ptr_reg->type == CONST_PTR_TO_MAP) {
-                if (!env->allow_ptr_leaks)
-                        verbose(env, "R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n",
-                                dst);
+                verbose(env, "R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n",
+                        dst);
                 return -EACCES;
         }
         if (ptr_reg->type == PTR_TO_PACKET_END) {
-                if (!env->allow_ptr_leaks)
-                        verbose(env, "R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n",
-                                dst);
+                verbose(env, "R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n",
+                        dst);
                 return -EACCES;
         }
 
@@ -2396,6 +2452,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
         dst_reg->type = ptr_reg->type;
         dst_reg->id = ptr_reg->id;
 
+        if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||
+            !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
+                return -EINVAL;
+
         switch (opcode) {
         case BPF_ADD:
                 /* We can take a fixed offset as long as it doesn't overflow
@@ -2449,9 +2509,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
         case BPF_SUB:
                 if (dst_reg == off_reg) {
                         /* scalar -= pointer.  Creates an unknown scalar */
-                        if (!env->allow_ptr_leaks)
-                                verbose(env, "R%d tried to subtract pointer from scalar\n",
-                                        dst);
+                        verbose(env, "R%d tried to subtract pointer from scalar\n",
+                                dst);
                         return -EACCES;
                 }
                 /* We don't allow subtraction from FP, because (according to
@@ -2459,9 +2518,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
                  * be able to deal with it.
                  */
                 if (ptr_reg->type == PTR_TO_STACK) {
-                        if (!env->allow_ptr_leaks)
-                                verbose(env, "R%d subtraction from stack pointer prohibited\n",
-                                        dst);
+                        verbose(env, "R%d subtraction from stack pointer prohibited\n",
+                                dst);
                         return -EACCES;
                 }
                 if (known && (ptr_reg->off - smin_val ==
@@ -2510,28 +2568,30 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
         case BPF_AND:
         case BPF_OR:
         case BPF_XOR:
-                /* bitwise ops on pointers are troublesome, prohibit for now.
-                 * (However, in principle we could allow some cases, e.g.
-                 * ptr &= ~3 which would reduce min_value by 3.)
-                 */
-                if (!env->allow_ptr_leaks)
-                        verbose(env, "R%d bitwise operator %s on pointer prohibited\n",
-                                dst, bpf_alu_string[opcode >> 4]);
+                /* bitwise ops on pointers are troublesome, prohibit. */
+                verbose(env, "R%d bitwise operator %s on pointer prohibited\n",
+                        dst, bpf_alu_string[opcode >> 4]);
                 return -EACCES;
         default:
                 /* other operators (e.g. MUL,LSH) produce non-pointer results */
-                if (!env->allow_ptr_leaks)
-                        verbose(env, "R%d pointer arithmetic with %s operator prohibited\n",
-                                dst, bpf_alu_string[opcode >> 4]);
+                verbose(env, "R%d pointer arithmetic with %s operator prohibited\n",
+                        dst, bpf_alu_string[opcode >> 4]);
                 return -EACCES;
         }
 
+        if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
+                return -EINVAL;
+
         __update_reg_bounds(dst_reg);
         __reg_deduce_bounds(dst_reg);
         __reg_bound_offset(dst_reg);
         return 0;
 }
 
+/* WARNING: This function does calculations on 64-bit values, but the actual
+ * execution may occur on 32-bit values. Therefore, things like bitshifts
+ * need extra checks in the 32-bit case.
+ */
 static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
                                       struct bpf_insn *insn,
                                       struct bpf_reg_state *dst_reg,
@@ -2542,12 +2602,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
         bool src_known, dst_known;
         s64 smin_val, smax_val;
         u64 umin_val, umax_val;
+        u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
 
-        if (BPF_CLASS(insn->code) != BPF_ALU64) {
-                /* 32-bit ALU ops are (32,32)->64 */
-                coerce_reg_to_32(dst_reg);
-                coerce_reg_to_32(&src_reg);
-        }
         smin_val = src_reg.smin_value;
         smax_val = src_reg.smax_value;
         umin_val = src_reg.umin_value;
@@ -2555,6 +2611,12 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
         src_known = tnum_is_const(src_reg.var_off);
         dst_known = tnum_is_const(dst_reg->var_off);
 
+        if (!src_known &&
+            opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
+                __mark_reg_unknown(dst_reg);
+                return 0;
+        }
+
         switch (opcode) {
         case BPF_ADD:
                 if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
@@ -2683,9 +2745,9 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
                 __update_reg_bounds(dst_reg);
                 break;
         case BPF_LSH:
-                if (umax_val > 63) {
-                        /* Shifts greater than 63 are undefined.  This includes
-                         * shifts by a negative number.
+                if (umax_val >= insn_bitness) {
+                        /* Shifts greater than 31 or 63 are undefined.
+                         * This includes shifts by a negative number.
                          */
                         mark_reg_unknown(env, regs, insn->dst_reg);
                         break;
@@ -2711,27 +2773,29 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
                 __update_reg_bounds(dst_reg);
                 break;
         case BPF_RSH:
-                if (umax_val > 63) {
-                        /* Shifts greater than 63 are undefined.  This includes
-                         * shifts by a negative number.
+                if (umax_val >= insn_bitness) {
+                        /* Shifts greater than 31 or 63 are undefined.
+                         * This includes shifts by a negative number.
                          */
                         mark_reg_unknown(env, regs, insn->dst_reg);
                         break;
                 }
-                /* BPF_RSH is an unsigned shift, so make the appropriate casts */
-                if (dst_reg->smin_value < 0) {
-                        if (umin_val) {
-                                /* Sign bit will be cleared */
-                                dst_reg->smin_value = 0;
-                        } else {
-                                /* Lost sign bit information */
-                                dst_reg->smin_value = S64_MIN;
-                                dst_reg->smax_value = S64_MAX;
-                        }
-                } else {
-                        dst_reg->smin_value =
-                                (u64)(dst_reg->smin_value) >> umax_val;
-                }
+                /* BPF_RSH is an unsigned shift.  If the value in dst_reg might
+                 * be negative, then either:
+                 * 1) src_reg might be zero, so the sign bit of the result is
+                 *    unknown, so we lose our signed bounds
+                 * 2) it's known negative, thus the unsigned bounds capture the
+                 *    signed bounds
+                 * 3) the signed bounds cross zero, so they tell us nothing
+                 *    about the result
+                 * If the value in dst_reg is known nonnegative, then again the
+                 * unsigned bounts capture the signed bounds.
+                 * Thus, in all cases it suffices to blow away our signed bounds
+                 * and rely on inferring new ones from the unsigned bounds and
+                 * var_off of the result.
+                 */
+                dst_reg->smin_value = S64_MIN;
+                dst_reg->smax_value = S64_MAX;
                 if (src_known)
                         dst_reg->var_off = tnum_rshift(dst_reg->var_off,
                                                        umin_val);
@@ -2747,6 +2811,12 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
                 break;
         }
 
+        if (BPF_CLASS(insn->code) != BPF_ALU64) {
+                /* 32-bit ALU ops are (32,32)->32 */
+                coerce_reg_to_size(dst_reg, 4);
+                coerce_reg_to_size(&src_reg, 4);
+        }
+
         __reg_deduce_bounds(dst_reg);
         __reg_bound_offset(dst_reg);
         return 0;
@@ -2763,7 +2833,6 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
         struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg;
         struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
         u8 opcode = BPF_OP(insn->code);
-        int rc;
 
         dst_reg = &regs[insn->dst_reg];
         src_reg = NULL;
@@ -2774,43 +2843,29 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
                 if (src_reg->type != SCALAR_VALUE) {
                         if (dst_reg->type != SCALAR_VALUE) {
                                 /* Combining two pointers by any ALU op yields
-                                 * an arbitrary scalar.
+                                 * an arbitrary scalar. Disallow all math except
+                                 * pointer subtraction
                                  */
-                                if (!env->allow_ptr_leaks) {
-                                        verbose(env, "R%d pointer %s pointer prohibited\n",
-                                                insn->dst_reg,
-                                                bpf_alu_string[opcode >> 4]);
-                                        return -EACCES;
+                                if (opcode == BPF_SUB){
+                                        mark_reg_unknown(env, regs, insn->dst_reg);
+                                        return 0;
                                 }
-                                mark_reg_unknown(env, regs, insn->dst_reg);
-                                return 0;
+                                verbose(env, "R%d pointer %s pointer prohibited\n",
+                                        insn->dst_reg,
+                                        bpf_alu_string[opcode >> 4]);
+                                return -EACCES;
                         } else {
                                 /* scalar += pointer
                                  * This is legal, but we have to reverse our
                                  * src/dest handling in computing the range
                                  */
-                                rc = adjust_ptr_min_max_vals(env, insn,
-                                                             src_reg, dst_reg);
-                                if (rc == -EACCES && env->allow_ptr_leaks) {
-                                        /* scalar += unknown scalar */
-                                        __mark_reg_unknown(&off_reg);
-                                        return adjust_scalar_min_max_vals(
-                                                        env, insn,
-                                                        dst_reg, off_reg);
-                                }
-                                return rc;
+                                return adjust_ptr_min_max_vals(env, insn,
+                                                               src_reg, dst_reg);
                         }
                 } else if (ptr_reg) {
                         /* pointer += scalar */
-                        rc = adjust_ptr_min_max_vals(env, insn,
-                                                     dst_reg, src_reg);
-                        if (rc == -EACCES && env->allow_ptr_leaks) {
-                                /* unknown scalar += scalar */
-                                __mark_reg_unknown(dst_reg);
-                                return adjust_scalar_min_max_vals(
-                                                env, insn, dst_reg, *src_reg);
-                        }
-                        return rc;
+                        return adjust_ptr_min_max_vals(env, insn,
+                                                       dst_reg, src_reg);
                 }
         } else {
                 /* Pretend the src is a reg with a known value, since we only
@@ -2819,17 +2874,9 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
                 off_reg.type = SCALAR_VALUE;
                 __mark_reg_known(&off_reg, insn->imm);
                 src_reg = &off_reg;
-                if (ptr_reg) { /* pointer += K */
-                        rc = adjust_ptr_min_max_vals(env, insn,
-                                                     ptr_reg, src_reg);
-                        if (rc == -EACCES && env->allow_ptr_leaks) {
-                                /* unknown scalar += K */
-                                __mark_reg_unknown(dst_reg);
-                                return adjust_scalar_min_max_vals(
-                                                env, insn, dst_reg, off_reg);
-                        }
-                        return rc;
-                }
+                if (ptr_reg) /* pointer += K */
+                        return adjust_ptr_min_max_vals(env, insn,
+                                                       ptr_reg, src_reg);
         }
 
         /* Got here implies adding two SCALAR_VALUEs */
@@ -2926,17 +2973,20 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
                                         return -EACCES;
                                 }
                                 mark_reg_unknown(env, regs, insn->dst_reg);
-                                /* high 32 bits are known zero. */
-                                regs[insn->dst_reg].var_off = tnum_cast(
-                                                regs[insn->dst_reg].var_off, 4);
-                                __update_reg_bounds(&regs[insn->dst_reg]);
+                                coerce_reg_to_size(&regs[insn->dst_reg], 4);
                         }
                 } else {
                         /* case: R = imm
                          * remember the value we stored into this reg
                          */
                         regs[insn->dst_reg].type = SCALAR_VALUE;
-                        __mark_reg_known(regs + insn->dst_reg, insn->imm);
+                        if (BPF_CLASS(insn->code) == BPF_ALU64) {
+                                __mark_reg_known(regs + insn->dst_reg,
+                                                 insn->imm);
+                        } else {
+                                __mark_reg_known(regs + insn->dst_reg,
+                                                 (u32)insn->imm);
+                        }
                 }
 
         } else if (opcode > BPF_END) {
@@ -4013,15 +4063,14 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
                         return range_within(rold, rcur) &&
                                tnum_in(rold->var_off, rcur->var_off);
                 } else {
-                        /* if we knew anything about the old value, we're not
-                         * equal, because we can't know anything about the
-                         * scalar value of the pointer in the new value.
+                        /* We're trying to use a pointer in place of a scalar.
+                         * Even if the scalar was unbounded, this could lead to
+                         * pointer leaks because scalars are allowed to leak
+                         * while pointers are not. We could make this safe in
+                         * special cases if root is calling us, but it's
+                         * probably not worth the hassle.
                          */
-                        return rold->umin_value == 0 &&
-                               rold->umax_value == U64_MAX &&
-                               rold->smin_value == S64_MIN &&
-                               rold->smax_value == S64_MAX &&
-                               tnum_is_unknown(rold->var_off);
+                        return false;
                 }
         case PTR_TO_MAP_VALUE:
                 /* If the new min/max/var_off satisfy the old ones and
diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index 13d6881f908b..ec999f32c840 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -434,17 +434,22 @@ static struct pid *good_sigevent(sigevent_t * event)
 {
         struct task_struct *rtn = current->group_leader;
 
-        if ((event->sigev_notify & SIGEV_THREAD_ID ) &&
-                (!(rtn = find_task_by_vpid(event->sigev_notify_thread_id)) ||
-                 !same_thread_group(rtn, current) ||
-                 (event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_SIGNAL))
+        switch (event->sigev_notify) {
+        case SIGEV_SIGNAL | SIGEV_THREAD_ID:
+                rtn = find_task_by_vpid(event->sigev_notify_thread_id);
+                if (!rtn || !same_thread_group(rtn, current))
+                        return NULL;
+                /* FALLTHRU */
+        case SIGEV_SIGNAL:
+        case SIGEV_THREAD:
+                if (event->sigev_signo <= 0 || event->sigev_signo > SIGRTMAX)
+                        return NULL;
+                /* FALLTHRU */
+        case SIGEV_NONE:
+                return task_pid(rtn);
+        default:
                 return NULL;
-
-        if (((event->sigev_notify & ~SIGEV_THREAD_ID) != SIGEV_NONE) &&
-            ((event->sigev_signo <= 0) || (event->sigev_signo > SIGRTMAX)))
-                return NULL;
-
-        return task_pid(rtn);
+        }
 }
 
 static struct k_itimer * alloc_posix_timer(void)
@@ -669,7 +674,7 @@ void common_timer_get(struct k_itimer *timr, struct itimerspec64 *cur_setting)
         struct timespec64 ts64;
         bool sig_none;
 
-        sig_none = (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE;
+        sig_none = timr->it_sigev_notify == SIGEV_NONE;
         iv = timr->it_interval;
 
         /* interval timer ? */
@@ -856,7 +861,7 @@ int common_timer_set(struct k_itimer *timr, int flags,
 
         timr->it_interval = timespec64_to_ktime(new_setting->it_interval);
         expires = timespec64_to_ktime(new_setting->it_value);
-        sigev_none = (timr->it_sigev_notify & ~SIGEV_THREAD_ID) == SIGEV_NONE;
+        sigev_none = timr->it_sigev_notify == SIGEV_NONE;
 
         kc->timer_arm(timr, expires, flags & TIMER_ABSTIME, sigev_none);
         timr->it_active = !sigev_none;
diff --git a/lib/test_bpf.c b/lib/test_bpf.c
index aa8812ae6776..9e9748089270 100644
--- a/lib/test_bpf.c
+++ b/lib/test_bpf.c
@@ -435,6 +435,41 @@ loop:
         return 0;
 }
 
+static int bpf_fill_ld_abs_vlan_push_pop2(struct bpf_test *self)
+{
+        struct bpf_insn *insn;
+
+        insn = kmalloc_array(16, sizeof(*insn), GFP_KERNEL);
+        if (!insn)
+                return -ENOMEM;
+
+        /* Due to func address being non-const, we need to
+         * assemble this here.
+         */
+        insn[0] = BPF_MOV64_REG(R6, R1);
+        insn[1] = BPF_LD_ABS(BPF_B, 0);
+        insn[2] = BPF_LD_ABS(BPF_H, 0);
+        insn[3] = BPF_LD_ABS(BPF_W, 0);
+        insn[4] = BPF_MOV64_REG(R7, R6);
+        insn[5] = BPF_MOV64_IMM(R6, 0);
+        insn[6] = BPF_MOV64_REG(R1, R7);
+        insn[7] = BPF_MOV64_IMM(R2, 1);
+        insn[8] = BPF_MOV64_IMM(R3, 2);
+        insn[9] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                               bpf_skb_vlan_push_proto.func - __bpf_call_base);
+        insn[10] = BPF_MOV64_REG(R6, R7);
+        insn[11] = BPF_LD_ABS(BPF_B, 0);
+        insn[12] = BPF_LD_ABS(BPF_H, 0);
+        insn[13] = BPF_LD_ABS(BPF_W, 0);
+        insn[14] = BPF_MOV64_IMM(R0, 42);
+        insn[15] = BPF_EXIT_INSN();
+
+        self->u.ptr.insns = insn;
+        self->u.ptr.len = 16;
+
+        return 0;
+}
+
 static int bpf_fill_jump_around_ld_abs(struct bpf_test *self)
 {
         unsigned int len = BPF_MAXINSNS;
@@ -6066,6 +6101,14 @@ static struct bpf_test tests[] = {
                 {},
                 { {0x1, 0x42 } },
         },
+        {
+                "LD_ABS with helper changing skb data",
+                { },
+                INTERNAL,
+                { 0x34 },
+                { { ETH_HLEN, 42 } },
+                .fill_helper = bpf_fill_ld_abs_vlan_push_pop2,
+        },
 };
 
 static struct net_device dev;
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index 84b2dc76f140..b5f940ce0143 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -882,13 +882,10 @@ int bdi_register_va(struct backing_dev_info *bdi, const char *fmt, va_list args)
         if (IS_ERR(dev))
                 return PTR_ERR(dev);
 
-        if (bdi_debug_register(bdi, dev_name(dev))) {
-                device_destroy(bdi_class, dev->devt);
-                return -ENOMEM;
-        }
         cgwb_bdi_register(bdi);
         bdi->dev = dev;
 
+        bdi_debug_register(bdi, dev_name(dev));
         set_bit(WB_registered, &bdi->wb.state);
 
         spin_lock_bh(&bdi_lock);
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index d0ef0a8e8831..015f465c514b 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -1262,19 +1262,20 @@ static int br_dev_newlink(struct net *src_net, struct net_device *dev,
         struct net_bridge *br = netdev_priv(dev);
         int err;
 
+        err = register_netdevice(dev);
+        if (err)
+                return err;
+
         if (tb[IFLA_ADDRESS]) {
                 spin_lock_bh(&br->lock);
                 br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS]));
                 spin_unlock_bh(&br->lock);
         }
 
-        err = register_netdevice(dev);
-        if (err)
-                return err;
-
         err = br_changelink(dev, tb, data, extack);
         if (err)
-                unregister_netdevice(dev);
+                br_dev_delete(dev, NULL);
+
         return err;
 }
 
diff --git a/net/core/dev.c b/net/core/dev.c
index c7db39926769..59ead3910ab7 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3937,7 +3937,7 @@ static u32 netif_receive_generic_xdp(struct sk_buff *skb,
                                      hroom > 0 ? ALIGN(hroom, NET_SKB_PAD) : 0,
                                      troom > 0 ? troom + 128 : 0, GFP_ATOMIC))
                         goto do_drop;
-                if (troom > 0 && __skb_linearize(skb))
+                if (skb_linearize(skb))
                         goto do_drop;
         }
 
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index b797832565d3..60a71be75aea 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -267,7 +267,7 @@ struct net *get_net_ns_by_id(struct net *net, int id)
         spin_lock_bh(&net->nsid_lock);
         peer = idr_find(&net->netns_ids, id);
         if (peer)
-                get_net(peer);
+                peer = maybe_get_net(peer);
         spin_unlock_bh(&net->nsid_lock);
         rcu_read_unlock();
 
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a592ca025fc4..a3cb0be4c6f3 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1178,7 +1178,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
         u32 d_off;
 
         if (!num_frags)
-                return 0;
+                goto release;
 
         if (skb_shared(skb) || skb_unclone(skb, gfp_mask))
                 return -EINVAL;
@@ -1238,6 +1238,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
         __skb_fill_page_desc(skb, new_frags - 1, head, 0, d_off);
         skb_shinfo(skb)->nr_frags = new_frags;
 
+release:
         skb_zcopy_clear(skb, false);
         return 0;
 }
@@ -3654,8 +3655,6 @@ normal:
 
                 skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
                                               SKBTX_SHARED_FRAG;
-                if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC))
-                        goto err;
 
                 while (pos < offset + len) {
                         if (i >= nfrags) {
@@ -3681,6 +3680,8 @@ normal:
 
                         if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
                                 goto err;
+                        if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
+                                goto err;
 
                         *nskb_frag = *frag;
                         __skb_frag_ref(nskb_frag);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index f52d27a422c3..08259d078b1c 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -1298,14 +1298,19 @@ err_table_hash_alloc:
 
 static void ip_fib_net_exit(struct net *net)
 {
-        unsigned int i;
+        int i;
 
         rtnl_lock();
 #ifdef CONFIG_IP_MULTIPLE_TABLES
         RCU_INIT_POINTER(net->ipv4.fib_main, NULL);
         RCU_INIT_POINTER(net->ipv4.fib_default, NULL);
 #endif
-        for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
+        /* Destroy the tables in reverse order to guarantee that the
+         * local table, ID 255, is destroyed before the main table, ID
+         * 254. This is necessary as the local table may contain
+         * references to data contained in the main table.
+         */
+        for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) {
                 struct hlist_head *head = &net->ipv4.fib_table_hash[i];
                 struct hlist_node *tmp;
                 struct fib_table *tb;
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index f04d944f8abe..c586597da20d 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -698,7 +698,7 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi)
 
         nla_for_each_attr(nla, cfg->fc_mx, cfg->fc_mx_len, remaining) {
                 int type = nla_type(nla);
-                u32 val;
+                u32 fi_val, val;
 
                 if (!type)
                         continue;
@@ -715,7 +715,11 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi)
                         val = nla_get_u32(nla);
                 }
 
-                if (fi->fib_metrics->metrics[type - 1] != val)
+                fi_val = fi->fib_metrics->metrics[type - 1];
+                if (type == RTAX_FEATURES)
+                        fi_val &= ~DST_FEATURE_ECN_CA;
+
+                if (fi_val != val)
                         return false;
         }
 
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 90c912307814..78365094f56c 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -1336,6 +1336,7 @@ static const struct net_device_ops erspan_netdev_ops = {
 static void ipgre_tap_setup(struct net_device *dev)
 {
         ether_setup(dev);
+        dev->max_mtu = 0;
         dev->netdev_ops = &gre_tap_netdev_ops;
         dev->priv_flags &= ~IFF_TX_SKB_SHARING;
         dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index c26f71234b9c..c9441ca45399 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -210,7 +210,6 @@ lookup_protocol:
         np->mcast_hops  = IPV6_DEFAULT_MCASTHOPS;
         np->mc_loop     = 1;
         np->pmtudisc    = IPV6_PMTUDISC_WANT;
-        np->autoflowlabel = ip6_default_np_autolabel(net);
         np->repflow     = net->ipv6.sysctl.flowlabel_reflect;
         sk->sk_ipv6only = net->ipv6.sysctl.bindv6only;
 
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 8451d00b210b..97f148f15429 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1772,6 +1772,7 @@ static void ip6gre_tap_setup(struct net_device *dev)
 
         ether_setup(dev);
 
+        dev->max_mtu = 0;
         dev->netdev_ops = &ip6gre_tap_netdev_ops;
         dev->needs_free_netdev = true;
         dev->priv_destructor = ip6gre_dev_free;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 176d74fb3b4d..ece2781a31b2 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -166,6 +166,14 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
                             !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }
 
+static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
+{
+        if (!np->autoflowlabel_set)
+                return ip6_default_np_autolabel(net);
+        else
+                return np->autoflowlabel;
+}
+
 /*
  * xmit an sk_buff (used by TCP, SCTP and DCCP)
  * Note : socket lock is not held for SYNACK packets, but might be modified
@@ -230,7 +238,7 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
                 hlimit = ip6_dst_hoplimit(dst);
 
         ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
-                                                     np->autoflowlabel, fl6));
+                                ip6_autoflowlabel(net, np), fl6));
 
         hdr->payload_len = htons(seg_len);
         hdr->nexthdr = proto;
@@ -1626,7 +1634,7 @@ struct sk_buff *__ip6_make_skb(struct sock *sk,
 
         ip6_flow_hdr(hdr, v6_cork->tclass,
                      ip6_make_flowlabel(net, skb, fl6->flowlabel,
-                                        np->autoflowlabel, fl6));
+                                        ip6_autoflowlabel(net, np), fl6));
         hdr->hop_limit = v6_cork->hop_limit;
         hdr->nexthdr = proto;
         hdr->saddr = fl6->saddr;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 6ff2f21ae3fc..8a4610e84e58 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1126,8 +1126,13 @@ route_lookup:
                 max_headroom += 8;
                 mtu -= 8;
         }
-        if (mtu < IPV6_MIN_MTU)
-                mtu = IPV6_MIN_MTU;
+        if (skb->protocol == htons(ETH_P_IPV6)) {
+                if (mtu < IPV6_MIN_MTU)
+                        mtu = IPV6_MIN_MTU;
+        } else if (mtu < 576) {
+                mtu = 576;
+        }
+
         if (skb_dst(skb) && !t->parms.collect_md)
                 skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
         if (skb->len - t->tun_hlen - eth_hlen > mtu && !skb_is_gso(skb)) {
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index b9404feabd78..2d4680e0376f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -886,6 +886,7 @@ pref_skip_coa:
                 break;
         case IPV6_AUTOFLOWLABEL:
                 np->autoflowlabel = valbool;
+                np->autoflowlabel_set = 1;
                 retv = 0;
                 break;
         case IPV6_RECVFRAGSIZE:
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index b3f4d19b3ca5..2490280b3394 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2336,6 +2336,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
         }
 
         rt->dst.flags |= DST_HOST;
+        rt->dst.input = ip6_input;
         rt->dst.output  = ip6_output;
         rt->rt6i_gateway  = fl6->daddr;
         rt->rt6i_dst.addr = fl6->daddr;
@@ -4297,19 +4298,13 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
                 if (!ipv6_addr_any(&fl6.saddr))
                         flags |= RT6_LOOKUP_F_HAS_SADDR;
 
-                if (!fibmatch)
-                        dst = ip6_route_input_lookup(net, dev, &fl6, flags);
-                else
-                        dst = ip6_route_lookup(net, &fl6, 0);
+                dst = ip6_route_input_lookup(net, dev, &fl6, flags);
 
                 rcu_read_unlock();
         } else {
                 fl6.flowi6_oif = oif;
 
-                if (!fibmatch)
-                        dst = ip6_route_output(net, NULL, &fl6);
-                else
-                        dst = ip6_route_lookup(net, &fl6, 0);
+                dst = ip6_route_output(net, NULL, &fl6);
         }
 
 
@@ -4326,6 +4321,14 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
                 goto errout;
         }
 
+        if (fibmatch && rt->from) {
+                struct rt6_info *ort = rt->from;
+
+                dst_hold(&ort->dst);
+                ip6_rt_put(rt);
+                rt = ort;
+        }
+
         skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
         if (!skb) {
                 ip6_rt_put(rt);
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 76d050aba7a4..56b8e7167790 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -579,6 +579,7 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
                         return -EINVAL;
 
                 skb_reset_network_header(skb);
+                key->eth.type = skb->protocol;
         } else {
                 eth = eth_hdr(skb);
                 ether_addr_copy(key->eth.src, eth->h_source);
@@ -592,15 +593,23 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
                 if (unlikely(parse_vlan(skb, key)))
                         return -ENOMEM;
 
-                skb->protocol = parse_ethertype(skb);
-                if (unlikely(skb->protocol == htons(0)))
+                key->eth.type = parse_ethertype(skb);
+                if (unlikely(key->eth.type == htons(0)))
                         return -ENOMEM;
 
+                /* Multiple tagged packets need to retain TPID to satisfy
+                 * skb_vlan_pop(), which will later shift the ethertype into
+                 * skb->protocol.
+                 */
+                if (key->eth.cvlan.tci & htons(VLAN_TAG_PRESENT))
+                        skb->protocol = key->eth.cvlan.tpid;
+                else
+                        skb->protocol = key->eth.type;
+
                 skb_reset_network_header(skb);
                 __skb_push(skb, skb->data - skb_mac_header(skb));
         }
         skb_reset_mac_len(skb);
-        key->eth.type = skb->protocol;
 
         /* Network layer. */
         if (key->eth.type == htons(ETH_P_IP)) {
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 6fe798c2df1a..8d78e7f4ecc3 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -42,7 +42,6 @@ struct cls_bpf_prog {
         struct list_head link;
         struct tcf_result res;
         bool exts_integrated;
-        bool offloaded;
         u32 gen_flags;
         struct tcf_exts exts;
         u32 handle;
@@ -148,33 +147,37 @@ static bool cls_bpf_is_ebpf(const struct cls_bpf_prog *prog)
 }
 
 static int cls_bpf_offload_cmd(struct tcf_proto *tp, struct cls_bpf_prog *prog,
-                               enum tc_clsbpf_command cmd)
+                               struct cls_bpf_prog *oldprog)
 {
-        bool addorrep = cmd == TC_CLSBPF_ADD || cmd == TC_CLSBPF_REPLACE;
         struct tcf_block *block = tp->chain->block;
-        bool skip_sw = tc_skip_sw(prog->gen_flags);
         struct tc_cls_bpf_offload cls_bpf = {};
+        struct cls_bpf_prog *obj;
+        bool skip_sw;
         int err;
 
+        skip_sw = prog && tc_skip_sw(prog->gen_flags);
+        obj = prog ?: oldprog;
+
         tc_cls_common_offload_init(&cls_bpf.common, tp);
-        cls_bpf.command = cmd;
-        cls_bpf.exts = &prog->exts;
-        cls_bpf.prog = prog->filter;
-        cls_bpf.name = prog->bpf_name;
-        cls_bpf.exts_integrated = prog->exts_integrated;
-        cls_bpf.gen_flags = prog->gen_flags;
+        cls_bpf.command = TC_CLSBPF_OFFLOAD;
+        cls_bpf.exts = &obj->exts;
+        cls_bpf.prog = prog ? prog->filter : NULL;
+        cls_bpf.oldprog = oldprog ? oldprog->filter : NULL;
+        cls_bpf.name = obj->bpf_name;
+        cls_bpf.exts_integrated = obj->exts_integrated;
+        cls_bpf.gen_flags = obj->gen_flags;
 
         err = tc_setup_cb_call(block, NULL, TC_SETUP_CLSBPF, &cls_bpf, skip_sw);
-        if (addorrep) {
+        if (prog) {
                 if (err < 0) {
-                        cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_DESTROY);
+                        cls_bpf_offload_cmd(tp, oldprog, prog);
                         return err;
                 } else if (err > 0) {
                         prog->gen_flags |= TCA_CLS_FLAGS_IN_HW;
                 }
         }
 
-        if (addorrep && skip_sw && !(prog->gen_flags & TCA_CLS_FLAGS_IN_HW))
+        if (prog && skip_sw && !(prog->gen_flags & TCA_CLS_FLAGS_IN_HW))
                 return -EINVAL;
 
         return 0;
@@ -183,38 +186,17 @@ static int cls_bpf_offload_cmd(struct tcf_proto *tp, struct cls_bpf_prog *prog,
 static int cls_bpf_offload(struct tcf_proto *tp, struct cls_bpf_prog *prog,
                            struct cls_bpf_prog *oldprog)
 {
-        struct cls_bpf_prog *obj = prog;
-        enum tc_clsbpf_command cmd;
-        bool skip_sw;
-        int ret;
-
-        skip_sw = tc_skip_sw(prog->gen_flags) ||
-                (oldprog && tc_skip_sw(oldprog->gen_flags));
-
-        if (oldprog && oldprog->offloaded) {
-                if (!tc_skip_hw(prog->gen_flags)) {
-                        cmd = TC_CLSBPF_REPLACE;
-                } else if (!tc_skip_sw(prog->gen_flags)) {
-                        obj = oldprog;
-                        cmd = TC_CLSBPF_DESTROY;
-                } else {
-                        return -EINVAL;
-                }
-        } else {
-                if (tc_skip_hw(prog->gen_flags))
-                        return skip_sw ? -EINVAL : 0;
-                cmd = TC_CLSBPF_ADD;
-        }
-
-        ret = cls_bpf_offload_cmd(tp, obj, cmd);
-        if (ret)
-                return ret;
+        if (prog && oldprog && prog->gen_flags != oldprog->gen_flags)
+                return -EINVAL;
 
-        obj->offloaded = true;
-        if (oldprog)
-                oldprog->offloaded = false;
+        if (prog && tc_skip_hw(prog->gen_flags))
+                prog = NULL;
+        if (oldprog && tc_skip_hw(oldprog->gen_flags))
+                oldprog = NULL;
+        if (!prog && !oldprog)
+                return 0;
 
-        return 0;
+        return cls_bpf_offload_cmd(tp, prog, oldprog);
 }
 
 static void cls_bpf_stop_offload(struct tcf_proto *tp,
@@ -222,25 +204,26 @@ static void cls_bpf_stop_offload(struct tcf_proto *tp,
 {
         int err;
 
-        if (!prog->offloaded)
-                return;
-
-        err = cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_DESTROY);
-        if (err) {
+        err = cls_bpf_offload_cmd(tp, NULL, prog);
+        if (err)
                 pr_err("Stopping hardware offload failed: %d\n", err);
-                return;
-        }
-
-        prog->offloaded = false;
 }
 
 static void cls_bpf_offload_update_stats(struct tcf_proto *tp,
                                          struct cls_bpf_prog *prog)
 {
-        if (!prog->offloaded)
-                return;
+        struct tcf_block *block = tp->chain->block;
+        struct tc_cls_bpf_offload cls_bpf = {};
+
+        tc_cls_common_offload_init(&cls_bpf.common, tp);
+        cls_bpf.command = TC_CLSBPF_STATS;
+        cls_bpf.exts = &prog->exts;
+        cls_bpf.prog = prog->filter;
+        cls_bpf.name = prog->bpf_name;
+        cls_bpf.exts_integrated = prog->exts_integrated;
+        cls_bpf.gen_flags = prog->gen_flags;
 
-        cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_STATS);
+        tc_setup_cb_call(block, NULL, TC_SETUP_CLSBPF, &cls_bpf, false);
 }
 
 static int cls_bpf_init(struct tcf_proto *tp)
diff --git a/net/sctp/debug.c b/net/sctp/debug.c
index 3f619fdcbf0a..291c97b07058 100644
--- a/net/sctp/debug.c
+++ b/net/sctp/debug.c
@@ -78,6 +78,9 @@ const char *sctp_cname(const union sctp_subtype cid)
         case SCTP_CID_AUTH:
                 return "AUTH";
 
+        case SCTP_CID_RECONF:
+                return "RECONF";
+
         default:
                 break;
         }
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index 97fae53310e0..0b427100b0d4 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -1093,29 +1093,21 @@ void sctp_ulpq_partial_delivery(struct sctp_ulpq *ulpq,
 void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
                       gfp_t gfp)
 {
-        struct sctp_association *asoc;
-        __u16 needed, freed;
-
-        asoc = ulpq->asoc;
+        struct sctp_association *asoc = ulpq->asoc;
+        __u32 freed = 0;
+        __u16 needed;
 
-        if (chunk) {
-                needed = ntohs(chunk->chunk_hdr->length);
-                needed -= sizeof(struct sctp_data_chunk);
-        } else
-                needed = SCTP_DEFAULT_MAXWINDOW;
-
-        freed = 0;
+        needed = ntohs(chunk->chunk_hdr->length) -
+                 sizeof(struct sctp_data_chunk);
 
         if (skb_queue_empty(&asoc->base.sk->sk_receive_queue)) {
                 freed = sctp_ulpq_renege_order(ulpq, needed);
-                if (freed < needed) {
+                if (freed < needed)
                         freed += sctp_ulpq_renege_frags(ulpq, needed - freed);
-                }
         }
         /* If able to free enough room, accept this chunk. */
-        if (chunk && (freed >= needed)) {
-                int retval;
-                retval = sctp_ulpq_tail_data(ulpq, chunk, gfp);
+        if (freed >= needed) {
+                int retval = sctp_ulpq_tail_data(ulpq, chunk, gfp);
                 /*
                  * Enter partial delivery if chunk has not been
                  * delivered; otherwise, drain the reassembly queue.
diff --git a/net/tipc/group.c b/net/tipc/group.c
index 95fec2c057d6..7ebbdeb2a90e 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -351,8 +351,7 @@ void tipc_group_update_member(struct tipc_member *m, int len)
         if (m->window >= ADV_IDLE)
                 return;
 
-        if (!list_empty(&m->congested))
-                return;
+        list_del_init(&m->congested);
 
         /* Sort member into congested members' list */
         list_for_each_entry_safe(_m, tmp, &grp->congested, congested) {
@@ -648,6 +647,7 @@ static void tipc_group_proto_xmit(struct tipc_group *grp, struct tipc_member *m,
         } else if (mtyp == GRP_REMIT_MSG) {
                 msg_set_grp_remitted(hdr, m->window);
         }
+        msg_set_dest_droppable(hdr, true);
         __skb_queue_tail(xmitq, skb);
 }
 
@@ -689,15 +689,16 @@ void tipc_group_proto_rcv(struct tipc_group *grp, bool *usr_wakeup,
                         msg_set_grp_bc_seqno(ehdr, m->bc_syncpt);
                         __skb_queue_tail(inputq, m->event_msg);
                 }
-                if (m->window < ADV_IDLE)
-                        tipc_group_update_member(m, 0);
-                else
-                        list_del_init(&m->congested);
+                list_del_init(&m->congested);
+                tipc_group_update_member(m, 0);
                 return;
         case GRP_LEAVE_MSG:
                 if (!m)
                         return;
                 m->bc_syncpt = msg_grp_bc_syncpt(hdr);
+                list_del_init(&m->list);
+                list_del_init(&m->congested);
+                *usr_wakeup = true;
 
                 /* Wait until WITHDRAW event is received */
                 if (m->state != MBR_LEAVING) {
@@ -709,8 +710,6 @@ void tipc_group_proto_rcv(struct tipc_group *grp, bool *usr_wakeup,
                 ehdr = buf_msg(m->event_msg);
                 msg_set_grp_bc_seqno(ehdr, m->bc_syncpt);
                 __skb_queue_tail(inputq, m->event_msg);
-                *usr_wakeup = true;
-                list_del_init(&m->congested);
                 return;
         case GRP_ADV_MSG:
                 if (!m)
@@ -862,6 +861,7 @@ void tipc_group_member_evt(struct tipc_group *grp,
                                 msg_set_grp_bc_seqno(hdr, m->bc_rcv_nxt);
                         __skb_queue_tail(inputq, skb);
                 }
+                list_del_init(&m->list);
                 list_del_init(&m->congested);
         }
         *sk_rcvbuf = tipc_group_rcvbuf_limit(grp);
diff --git a/net/wireless/Makefile b/net/wireless/Makefile
index d7d6cb00c47b..1d84f91bbfb0 100644
--- a/net/wireless/Makefile
+++ b/net/wireless/Makefile
@@ -23,27 +23,14 @@ ifneq ($(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR),)
 cfg80211-y += extra-certs.o
 endif
 
-$(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.x509)
+$(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.hex)
         @$(kecho) "  GEN     $@"
-        @(set -e; \
-          allf=""; \
-          for f in $^ ; do \
-              # similar to hexdump -v -e '1/1 "0x%.2x," "\n"' \
-              thisf=$$(od -An -v -tx1 < $$f | \
-                           sed -e 's/ /\n/g' | \
-                           sed -e 's/^[0-9a-f]\+$$/\0/;t;d' | \
-                           sed -e 's/^/0x/;s/$$/,/'); \
-              # file should not be empty - maybe command substitution failed? \
-              test ! -z "$$thisf";\
-              allf=$$allf$$thisf;\
-          done; \
-          ( \
-              echo '#include "reg.h"'; \
-              echo 'const u8 shipped_regdb_certs[] = {'; \
-              echo "$$allf"; \
-              echo '};'; \
-              echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);'; \
-          ) >> $@)
+        @(echo '#include "reg.h"'; \
+          echo 'const u8 shipped_regdb_certs[] = {'; \
+          cat $^ ; \
+          echo '};'; \
+          echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);'; \
+         ) > $@
 
 $(obj)/extra-certs.c: $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%) \
                       $(wildcard $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%)/*.x509)
@@ -66,4 +53,6 @@ $(obj)/extra-certs.c: $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%) \
               echo "$$allf"; \
               echo '};'; \
               echo 'unsigned int extra_regdb_certs_len = sizeof(extra_regdb_certs);'; \
-          ) >> $@)
+          ) > $@)
+
+clean-files += shipped-certs.c extra-certs.c
diff --git a/net/wireless/certs/sforshee.hex b/net/wireless/certs/sforshee.hex
new file mode 100644
index 000000000000..14ea66643ffa
--- /dev/null
+++ b/net/wireless/certs/sforshee.hex
@@ -0,0 +1,86 @@
+/* Seth Forshee's regdb certificate */
+0x30, 0x82, 0x02, 0xa4, 0x30, 0x82, 0x01, 0x8c,
+0x02, 0x09, 0x00, 0xb2, 0x8d, 0xdf, 0x47, 0xae,
+0xf9, 0xce, 0xa7, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+0x05, 0x00, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f,
+0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x73,
+0x66, 0x6f, 0x72, 0x73, 0x68, 0x65, 0x65, 0x30,
+0x20, 0x17, 0x0d, 0x31, 0x37, 0x31, 0x30, 0x30,
+0x36, 0x31, 0x39, 0x34, 0x30, 0x33, 0x35, 0x5a,
+0x18, 0x0f, 0x32, 0x31, 0x31, 0x37, 0x30, 0x39,
+0x31, 0x32, 0x31, 0x39, 0x34, 0x30, 0x33, 0x35,
+0x5a, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06,
+0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x73, 0x66,
+0x6f, 0x72, 0x73, 0x68, 0x65, 0x65, 0x30, 0x82,
+0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb5,
+0x40, 0xe3, 0x9c, 0x28, 0x84, 0x39, 0x03, 0xf2,
+0x39, 0xd7, 0x66, 0x2c, 0x41, 0x38, 0x15, 0xac,
+0x7e, 0xa5, 0x83, 0x71, 0x25, 0x7e, 0x90, 0x7c,
+0x68, 0xdd, 0x6f, 0x3f, 0xd9, 0xd7, 0x59, 0x38,
+0x9f, 0x7c, 0x6a, 0x52, 0xc2, 0x03, 0x2a, 0x2d,
+0x7e, 0x66, 0xf4, 0x1e, 0xb3, 0x12, 0x70, 0x20,
+0x5b, 0xd4, 0x97, 0x32, 0x3d, 0x71, 0x8b, 0x3b,
+0x1b, 0x08, 0x17, 0x14, 0x6b, 0x61, 0xc4, 0x57,
+0x8b, 0x96, 0x16, 0x1c, 0xfd, 0x24, 0xd5, 0x0b,
+0x09, 0xf9, 0x68, 0x11, 0x84, 0xfb, 0xca, 0x51,
+0x0c, 0xd1, 0x45, 0x19, 0xda, 0x10, 0x44, 0x8a,
+0xd9, 0xfe, 0x76, 0xa9, 0xfd, 0x60, 0x2d, 0x18,
+0x0b, 0x28, 0x95, 0xb2, 0x2d, 0xea, 0x88, 0x98,
+0xb8, 0xd1, 0x56, 0x21, 0xf0, 0x53, 0x1f, 0xf1,
+0x02, 0x6f, 0xe9, 0x46, 0x9b, 0x93, 0x5f, 0x28,
+0x90, 0x0f, 0xac, 0x36, 0xfa, 0x68, 0x23, 0x71,
+0x57, 0x56, 0xf6, 0xcc, 0xd3, 0xdf, 0x7d, 0x2a,
+0xd9, 0x1b, 0x73, 0x45, 0xeb, 0xba, 0x27, 0x85,
+0xef, 0x7a, 0x7f, 0xa5, 0xcb, 0x80, 0xc7, 0x30,
+0x36, 0xd2, 0x53, 0xee, 0xec, 0xac, 0x1e, 0xe7,
+0x31, 0xf1, 0x36, 0xa2, 0x9c, 0x63, 0xc6, 0x65,
+0x5b, 0x7f, 0x25, 0x75, 0x68, 0xa1, 0xea, 0xd3,
+0x7e, 0x00, 0x5c, 0x9a, 0x5e, 0xd8, 0x20, 0x18,
+0x32, 0x77, 0x07, 0x29, 0x12, 0x66, 0x1e, 0x36,
+0x73, 0xe7, 0x97, 0x04, 0x41, 0x37, 0xb1, 0xb1,
+0x72, 0x2b, 0xf4, 0xa1, 0x29, 0x20, 0x7c, 0x96,
+0x79, 0x0b, 0x2b, 0xd0, 0xd8, 0xde, 0xc8, 0x6c,
+0x3f, 0x93, 0xfb, 0xc5, 0xee, 0x78, 0x52, 0x11,
+0x15, 0x1b, 0x7a, 0xf6, 0xe2, 0x68, 0x99, 0xe7,
+0xfb, 0x46, 0x16, 0x84, 0xe3, 0xc7, 0xa1, 0xe6,
+0xe0, 0xd2, 0x46, 0xd5, 0xe1, 0xc4, 0x5f, 0xa0,
+0x66, 0xf4, 0xda, 0xc4, 0xff, 0x95, 0x1d, 0x02,
+0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09,
+0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
+0x87, 0x03, 0xda, 0xf2, 0x82, 0xc2, 0xdd, 0xaf,
+0x7c, 0x44, 0x2f, 0x86, 0xd3, 0x5f, 0x4c, 0x93,
+0x48, 0xb9, 0xfe, 0x07, 0x17, 0xbb, 0x21, 0xf7,
+0x25, 0x23, 0x4e, 0xaa, 0x22, 0x0c, 0x16, 0xb9,
+0x73, 0xae, 0x9d, 0x46, 0x7c, 0x75, 0xd9, 0xc3,
+0x49, 0x57, 0x47, 0xbf, 0x33, 0xb7, 0x97, 0xec,
+0xf5, 0x40, 0x75, 0xc0, 0x46, 0x22, 0xf0, 0xa0,
+0x5d, 0x9c, 0x79, 0x13, 0xa1, 0xff, 0xb8, 0xa3,
+0x2f, 0x7b, 0x8e, 0x06, 0x3f, 0xc8, 0xb6, 0xe4,
+0x6a, 0x28, 0xf2, 0x34, 0x5c, 0x23, 0x3f, 0x32,
+0xc0, 0xe6, 0xad, 0x0f, 0xac, 0xcf, 0x55, 0x74,
+0x47, 0x73, 0xd3, 0x01, 0x85, 0xb7, 0x0b, 0x22,
+0x56, 0x24, 0x7d, 0x9f, 0x09, 0xa9, 0x0e, 0x86,
+0x9e, 0x37, 0x5b, 0x9c, 0x6d, 0x02, 0xd9, 0x8c,
+0xc8, 0x50, 0x6a, 0xe2, 0x59, 0xf3, 0x16, 0x06,
+0xea, 0xb2, 0x42, 0xb5, 0x58, 0xfe, 0xba, 0xd1,
+0x81, 0x57, 0x1a, 0xef, 0xb2, 0x38, 0x88, 0x58,
+0xf6, 0xaa, 0xc4, 0x2e, 0x8b, 0x5a, 0x27, 0xe4,
+0xa5, 0xe8, 0xa4, 0xca, 0x67, 0x5c, 0xac, 0x72,
+0x67, 0xc3, 0x6f, 0x13, 0xc3, 0x2d, 0x35, 0x79,
+0xd7, 0x8a, 0xe7, 0xf5, 0xd4, 0x21, 0x30, 0x4a,
+0xd5, 0xf6, 0xa3, 0xd9, 0x79, 0x56, 0xf2, 0x0f,
+0x10, 0xf7, 0x7d, 0xd0, 0x51, 0x93, 0x2f, 0x47,
+0xf8, 0x7d, 0x4b, 0x0a, 0x84, 0x55, 0x12, 0x0a,
+0x7d, 0x4e, 0x3b, 0x1f, 0x2b, 0x2f, 0xfc, 0x28,
+0xb3, 0x69, 0x34, 0xe1, 0x80, 0x80, 0xbb, 0xe2,
+0xaf, 0xb9, 0xd6, 0x30, 0xf1, 0x1d, 0x54, 0x87,
+0x23, 0x99, 0x9f, 0x51, 0x03, 0x4c, 0x45, 0x7d,
+0x02, 0x65, 0x73, 0xab, 0xfd, 0xcf, 0x94, 0xcc,
+0x0d, 0x3a, 0x60, 0xfd, 0x3c, 0x14, 0x2f, 0x16,
+0x33, 0xa9, 0x21, 0x1f, 0xcb, 0x50, 0xb1, 0x8f,
+0x03, 0xee, 0xa0, 0x66, 0xa9, 0x16, 0x79, 0x14,
diff --git a/net/wireless/certs/sforshee.x509 b/net/wireless/certs/sforshee.x509
deleted file mode 100644
index c6f8f9d6b988..000000000000
--- a/net/wireless/certs/sforshee.x509
+++ /dev/null
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index b1ac23ca20c8..213d0c498c97 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2610,7 +2610,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
         case NL80211_IFTYPE_AP:
                 if (wdev->ssid_len &&
                     nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
-                        goto nla_put_failure;
+                        goto nla_put_failure_locked;
                 break;
         case NL80211_IFTYPE_STATION:
         case NL80211_IFTYPE_P2P_CLIENT:
@@ -2623,7 +2623,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
                 if (!ssid_ie)
                         break;
                 if (nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
-                        goto nla_put_failure;
+                        goto nla_put_failure_locked;
                 break;
                 }
         default:
@@ -2635,6 +2635,8 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
         genlmsg_end(msg, hdr);
         return 0;
 
+ nla_put_failure_locked:
+        wdev_unlock(wdev);
  nla_put_failure:
         genlmsg_cancel(msg, hdr);
         return -EMSGSIZE;
diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
index b3b353d72527..f055ca10bbc1 100644
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -579,15 +579,14 @@ static int snd_rawmidi_info_user(struct snd_rawmidi_substream *substream,
         return 0;
 }
 
-int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
+static int __snd_rawmidi_info_select(struct snd_card *card,
+                                     struct snd_rawmidi_info *info)
 {
         struct snd_rawmidi *rmidi;
         struct snd_rawmidi_str *pstr;
         struct snd_rawmidi_substream *substream;
 
-        mutex_lock(&register_mutex);
         rmidi = snd_rawmidi_search(card, info->device);
-        mutex_unlock(&register_mutex);
         if (!rmidi)
                 return -ENXIO;
         if (info->stream < 0 || info->stream > 1)
@@ -603,6 +602,16 @@ int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info
         }
         return -ENXIO;
 }
+
+int snd_rawmidi_info_select(struct snd_card *card, struct snd_rawmidi_info *info)
+{
+        int ret;
+
+        mutex_lock(&register_mutex);
+        ret = __snd_rawmidi_info_select(card, info);
+        mutex_unlock(&register_mutex);
+        return ret;
+}
 EXPORT_SYMBOL(snd_rawmidi_info_select);
 
 static int snd_rawmidi_info_select_user(struct snd_card *card,
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index c19c81d230bd..b4f1b6e88305 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -55,10 +55,11 @@ MODULE_PARM_DESC(static_hdmi_pcm, "Don't restrict PCM parameters per ELD info");
 #define is_kabylake(codec) ((codec)->core.vendor_id == 0x8086280b)
 #define is_geminilake(codec) (((codec)->core.vendor_id == 0x8086280d) || \
                                 ((codec)->core.vendor_id == 0x80862800))
+#define is_cannonlake(codec) ((codec)->core.vendor_id == 0x8086280c)
 #define is_haswell_plus(codec) (is_haswell(codec) || is_broadwell(codec) \
                                 || is_skylake(codec) || is_broxton(codec) \
-                                || is_kabylake(codec)) || is_geminilake(codec)
-
+                                || is_kabylake(codec)) || is_geminilake(codec) \
+                                || is_cannonlake(codec)
 #define is_valleyview(codec) ((codec)->core.vendor_id == 0x80862882)
 #define is_cherryview(codec) ((codec)->core.vendor_id == 0x80862883)
 #define is_valleyview_plus(codec) (is_valleyview(codec) || is_cherryview(codec))
@@ -3841,6 +3842,7 @@ HDA_CODEC_ENTRY(0x80862808, "Broadwell HDMI",	patch_i915_hsw_hdmi),
 HDA_CODEC_ENTRY(0x80862809, "Skylake HDMI",     patch_i915_hsw_hdmi),
 HDA_CODEC_ENTRY(0x8086280a, "Broxton HDMI",     patch_i915_hsw_hdmi),
 HDA_CODEC_ENTRY(0x8086280b, "Kabylake HDMI",    patch_i915_hsw_hdmi),
+HDA_CODEC_ENTRY(0x8086280c, "Cannonlake HDMI",  patch_i915_glk_hdmi),
 HDA_CODEC_ENTRY(0x8086280d, "Geminilake HDMI",  patch_i915_glk_hdmi),
 HDA_CODEC_ENTRY(0x80862800, "Geminilake HDMI",  patch_i915_glk_hdmi),
 HDA_CODEC_ENTRY(0x80862880, "CedarTrail HDMI",  patch_generic_hdmi),
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 4b21f71d685c..6a4db00511ab 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5185,6 +5185,22 @@ static void alc233_alc662_fixup_lenovo_dual_codecs(struct hda_codec *codec,
         }
 }
 
+/* Forcibly assign NID 0x03 to HP/LO while NID 0x02 to SPK for EQ */
+static void alc274_fixup_bind_dacs(struct hda_codec *codec,
+                                    const struct hda_fixup *fix, int action)
+{
+        struct alc_spec *spec = codec->spec;
+        static hda_nid_t preferred_pairs[] = {
+                0x21, 0x03, 0x1b, 0x03, 0x16, 0x02,
+                0
+        };
+
+        if (action != HDA_FIXUP_ACT_PRE_PROBE)
+                return;
+
+        spec->gen.preferred_dacs = preferred_pairs;
+}
+
 /* for hda_fixup_thinkpad_acpi() */
 #include "thinkpad_helper.c"
 
@@ -5302,6 +5318,8 @@ enum {
         ALC233_FIXUP_LENOVO_MULTI_CODECS,
         ALC294_FIXUP_LENOVO_MIC_LOCATION,
         ALC700_FIXUP_INTEL_REFERENCE,
+        ALC274_FIXUP_DELL_BIND_DACS,
+        ALC274_FIXUP_DELL_AIO_LINEOUT_VERB,
 };
 
 static const struct hda_fixup alc269_fixups[] = {
@@ -6112,6 +6130,21 @@ static const struct hda_fixup alc269_fixups[] = {
                         {}
                 }
         },
+        [ALC274_FIXUP_DELL_BIND_DACS] = {
+                .type = HDA_FIXUP_FUNC,
+                .v.func = alc274_fixup_bind_dacs,
+                .chained = true,
+                .chain_id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE
+        },
+        [ALC274_FIXUP_DELL_AIO_LINEOUT_VERB] = {
+                .type = HDA_FIXUP_PINS,
+                .v.pins = (const struct hda_pintbl[]) {
+                        { 0x1b, 0x0401102f },
+                        { }
+                },
+                .chained = true,
+                .chain_id = ALC274_FIXUP_DELL_BIND_DACS
+        },
 };
 
 static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -6578,7 +6611,7 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
                 {0x14, 0x90170110},
                 {0x1b, 0x90a70130},
                 {0x21, 0x03211020}),
-        SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+        SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB,
                 {0x12, 0xb7a60130},
                 {0x13, 0xb8a61140},
                 {0x16, 0x90170110},
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 7c9e361b2200..2b4ceda36291 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2173,20 +2173,25 @@ static int parse_audio_selector_unit(struct mixer_build *state, int unitid,
         kctl->private_value = (unsigned long)namelist;
         kctl->private_free = usb_mixer_selector_elem_free;
 
-        nameid = uac_selector_unit_iSelector(desc);
+        /* check the static mapping table at first */
         len = check_mapped_name(map, kctl->id.name, sizeof(kctl->id.name));
-        if (len)
-                ;
-        else if (nameid)
-                len = snd_usb_copy_string_desc(state, nameid, kctl->id.name,
-                                         sizeof(kctl->id.name));
-        else
-                len = get_term_name(state, &state->oterm,
-                                    kctl->id.name, sizeof(kctl->id.name), 0);
-
         if (!len) {
-                strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
+                /* no mapping ? */
+                /* if iSelector is given, use it */
+                nameid = uac_selector_unit_iSelector(desc);
+                if (nameid)
+                        len = snd_usb_copy_string_desc(state, nameid,
+                                                       kctl->id.name,
+                                                       sizeof(kctl->id.name));
+                /* ... or pick up the terminal name at next */
+                if (!len)
+                        len = get_term_name(state, &state->oterm,
+                                    kctl->id.name, sizeof(kctl->id.name), 0);
+                /* ... or use the fixed string "USB" as the last resort */
+                if (!len)
+                        strlcpy(kctl->id.name, "USB", sizeof(kctl->id.name));
 
+                /* and add the proper suffix */
                 if (desc->bDescriptorSubtype == UAC2_CLOCK_SELECTOR)
                         append_ctl_name(kctl, " Clock Source");
                 else if ((state->oterm.type & 0xff00) == 0x0100)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 77eecaa4db1f..a66ef5777887 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1166,10 +1166,11 @@ static bool is_marantz_denon_dac(unsigned int id)
 /* TEAC UD-501/UD-503/NT-503 USB DACs need a vendor cmd to switch
  * between PCM/DOP and native DSD mode
  */
-static bool is_teac_50X_dac(unsigned int id)
+static bool is_teac_dsd_dac(unsigned int id)
 {
         switch (id) {
         case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
+        case USB_ID(0x0644, 0x8044): /* Esoteric D-05X */
                 return true;
         }
         return false;
@@ -1202,7 +1203,7 @@ int snd_usb_select_mode_quirk(struct snd_usb_substream *subs,
                         break;
                 }
                 mdelay(20);
-        } else if (is_teac_50X_dac(subs->stream->chip->usb_id)) {
+        } else if (is_teac_dsd_dac(subs->stream->chip->usb_id)) {
                 /* Vendor mode switch cmd is required. */
                 switch (fmt->altsetting) {
                 case 3: /* DSD mode (DSD_U32) requested */
@@ -1392,7 +1393,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip,
         }
 
         /* TEAC devices with USB DAC functionality */
-        if (is_teac_50X_dac(chip->usb_id)) {
+        if (is_teac_dsd_dac(chip->usb_id)) {
                 if (fp->altsetting == 3)
                         return SNDRV_PCM_FMTBIT_DSD_U32_BE;
         }
diff --git a/tools/arch/s390/include/uapi/asm/bpf_perf_event.h b/tools/arch/s390/include/uapi/asm/bpf_perf_event.h
index cefe7c7cd4f6..0a8e37a519f2 100644
--- a/tools/arch/s390/include/uapi/asm/bpf_perf_event.h
+++ b/tools/arch/s390/include/uapi/asm/bpf_perf_event.h
@@ -2,7 +2,7 @@
 #ifndef _UAPI__ASM_BPF_PERF_EVENT_H__
 #define _UAPI__ASM_BPF_PERF_EVENT_H__
 
-#include <asm/ptrace.h>
+#include "ptrace.h"
 
 typedef user_pt_regs bpf_user_pt_regs_t;
 
diff --git a/tools/kvm/kvm_stat/kvm_stat b/tools/kvm/kvm_stat/kvm_stat
index 217cf6f95c36..a5684d0968b4 100755
--- a/tools/kvm/kvm_stat/kvm_stat
+++ b/tools/kvm/kvm_stat/kvm_stat
@@ -478,7 +478,7 @@ class Provider(object):
     @staticmethod
     def is_field_wanted(fields_filter, field):
         """Indicate whether field is valid according to fields_filter."""
-        if not fields_filter or fields_filter == "help":
+        if not fields_filter:
             return True
         return re.match(fields_filter, field) is not None
 
@@ -549,8 +549,8 @@ class TracepointProvider(Provider):
 
     def update_fields(self, fields_filter):
         """Refresh fields, applying fields_filter"""
-        self._fields = [field for field in self.get_available_fields()
-                        if self.is_field_wanted(fields_filter, field)]
+        self.fields = [field for field in self.get_available_fields()
+                       if self.is_field_wanted(fields_filter, field)]
 
     @staticmethod
     def get_online_cpus():
@@ -950,7 +950,8 @@ class Tui(object):
             curses.nocbreak()
             curses.endwin()
 
-    def get_all_gnames(self):
+    @staticmethod
+    def get_all_gnames():
         """Returns a list of (pid, gname) tuples of all running guests"""
         res = []
         try:
@@ -963,7 +964,7 @@ class Tui(object):
             # perform a sanity check before calling the more expensive
             # function to possibly extract the guest name
             if ' -name ' in line[1]:
-                res.append((line[0], self.get_gname_from_pid(line[0])))
+                res.append((line[0], Tui.get_gname_from_pid(line[0])))
         child.stdout.close()
 
         return res
@@ -984,7 +985,8 @@ class Tui(object):
         except Exception:
             self.screen.addstr(row + 1, 2, 'Not available')
 
-    def get_pid_from_gname(self, gname):
+    @staticmethod
+    def get_pid_from_gname(gname):
         """Fuzzy function to convert guest name to QEMU process pid.
 
         Returns a list of potential pids, can be empty if no match found.
@@ -992,7 +994,7 @@ class Tui(object):
 
         """
         pids = []
-        for line in self.get_all_gnames():
+        for line in Tui.get_all_gnames():
             if gname == line[1]:
                 pids.append(int(line[0]))
 
@@ -1090,15 +1092,16 @@ class Tui(object):
             # sort by totals
             return (0, -stats[x][0])
         total = 0.
-        for val in stats.values():
-            total += val[0]
+        for key in stats.keys():
+            if key.find('(') is -1:
+                total += stats[key][0]
         if self._sorting == SORT_DEFAULT:
             sortkey = sortCurAvg
         else:
             sortkey = sortTotal
+        tavg = 0
         for key in sorted(stats.keys(), key=sortkey):
-
-            if row >= self.screen.getmaxyx()[0]:
+            if row >= self.screen.getmaxyx()[0] - 1:
                 break
             values = stats[key]
             if not values[0] and not values[1]:
@@ -1110,9 +1113,15 @@ class Tui(object):
                 self.screen.addstr(row, 1, '%-40s %10d%7.1f %8s' %
                                    (key, values[0], values[0] * 100 / total,
                                     cur))
+                if cur is not '' and key.find('(') is -1:
+                    tavg += cur
             row += 1
         if row == 3:
             self.screen.addstr(4, 1, 'No matching events reported yet')
+        else:
+            self.screen.addstr(row, 1, '%-40s %10d        %8s' %
+                               ('Total', total, tavg if tavg else ''),
+                               curses.A_BOLD)
         self.screen.refresh()
 
     def show_msg(self, text):
@@ -1358,7 +1367,7 @@ class Tui(object):
                 if char == 'x':
                     self.update_drilldown()
                     # prevents display of current values on next refresh
-                    self.stats.get()
+                    self.stats.get(self._display_guests)
             except KeyboardInterrupt:
                 break
             except curses.error:
@@ -1451,16 +1460,13 @@ Press any other key to refresh statistics immediately.
         try:
             pids = Tui.get_pid_from_gname(val)
         except:
-            raise optparse.OptionValueError('Error while searching for guest '
-                                            '"{}", use "-p" to specify a pid '
-                                            'instead'.format(val))
+            sys.exit('Error while searching for guest "{}". Use "-p" to '
+                     'specify a pid instead?'.format(val))
         if len(pids) == 0:
-            raise optparse.OptionValueError('No guest by the name "{}" '
-                                            'found'.format(val))
+            sys.exit('Error: No guest by the name "{}" found'.format(val))
         if len(pids) > 1:
-            raise optparse.OptionValueError('Multiple processes found (pids: '
-                                            '{}) - use "-p" to specify a pid '
-                                            'instead'.format(" ".join(pids)))
+            sys.exit('Error: Multiple processes found (pids: {}). Use "-p" '
+                     'to specify the desired pid'.format(" ".join(pids)))
         parser.values.pid = pids[0]
 
     optparser = optparse.OptionParser(description=description_text,
@@ -1518,7 +1524,16 @@ Press any other key to refresh statistics immediately.
                          help='restrict statistics to guest by name',
                          callback=cb_guest_to_pid,
                          )
-    (options, _) = optparser.parse_args(sys.argv)
+    options, unkn = optparser.parse_args(sys.argv)
+    if len(unkn) != 1:
+        sys.exit('Error: Extra argument(s): ' + ' '.join(unkn[1:]))
+    try:
+        # verify that we were passed a valid regex up front
+        re.compile(options.fields)
+    except re.error:
+        sys.exit('Error: "' + options.fields + '" is not a valid regular '
+                 'expression')
+
     return options
 
 
@@ -1564,16 +1579,13 @@ def main():
 
     stats = Stats(options)
 
-    if options.fields == "help":
-        event_list = "\n"
-        s = stats.get()
-        for key in s.keys():
-            if key.find('(') != -1:
-                key = key[0:key.find('(')]
-            if event_list.find('\n' + key + '\n') == -1:
-                event_list += key + '\n'
-        sys.stdout.write(event_list)
-        return ""
+    if options.fields == 'help':
+        stats.fields_filter = None
+        event_list = []
+        for key in stats.get().keys():
+            event_list.append(key.split('(', 1)[0])
+        sys.stdout.write('  ' + '\n  '.join(sorted(set(event_list))) + '\n')
+        sys.exit(0)
 
     if options.log:
         log(stats)
diff --git a/tools/kvm/kvm_stat/kvm_stat.txt b/tools/kvm/kvm_stat/kvm_stat.txt
index e5cf836be8a1..b5b3810c9e94 100644
--- a/tools/kvm/kvm_stat/kvm_stat.txt
+++ b/tools/kvm/kvm_stat/kvm_stat.txt
@@ -50,6 +50,8 @@ INTERACTIVE COMMANDS
 *s*::   set update interval
 
 *x*::   toggle reporting of stats for child trace events
+ ::     *Note*: The stats for the parents summarize the respective child trace
+                events
 
 Press any other key to refresh statistics immediately.
 
@@ -86,7 +88,7 @@ OPTIONS
 
 -f<fields>::
 --fields=<fields>::
-        fields to display (regex)
+        fields to display (regex), "-f help" for a list of available events
 
 -h::
 --help::
diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index a1fcb0c31d02..f1fdb36269f2 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -11,7 +11,7 @@ ifneq ($(wildcard $(GENHDR)),)
 endif
 
 CFLAGS += -Wall -O2 -I$(APIDIR) -I$(LIBDIR) -I$(GENDIR) $(GENFLAGS) -I../../../include
-LDLIBS += -lcap -lelf
+LDLIBS += -lcap -lelf -lrt
 
 TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map test_progs \
         test_align test_verifier_log test_dev_cgroup
diff --git a/tools/testing/selftests/bpf/test_offload.py b/tools/testing/selftests/bpf/test_offload.py
index 3914f7a4585a..c940505c2978 100755
--- a/tools/testing/selftests/bpf/test_offload.py
+++ b/tools/testing/selftests/bpf/test_offload.py
@@ -647,8 +647,8 @@ try:
 
     start_test("Test asking for TC offload of two filters...")
     sim.cls_bpf_add_filter(obj, da=True, skip_sw=True)
-    sim.cls_bpf_add_filter(obj, da=True, skip_sw=True)
-    # The above will trigger a splat until TC cls_bpf drivers are fixed
+    ret, _ = sim.cls_bpf_add_filter(obj, da=True, skip_sw=True, fail=False)
+    fail(ret == 0, "Managed to offload two TC filters at the same time")
 
     sim.tc_flush_filters(bound=2, total=2)
 
diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
index 6472ca98690e..09087ab12293 100644
--- a/tools/testing/selftests/bpf/test_progs.c
+++ b/tools/testing/selftests/bpf/test_progs.c
@@ -441,7 +441,7 @@ static void test_bpf_obj_id(void)
                           info_len != sizeof(struct bpf_map_info) ||
                           strcmp((char *)map_infos[i].name, expected_map_name),
                           "get-map-info(fd)",
-                          "err %d errno %d type %d(%d) info_len %u(%lu) key_size %u value_size %u max_entries %u map_flags %X name %s(%s)\n",
+                          "err %d errno %d type %d(%d) info_len %u(%Zu) key_size %u value_size %u max_entries %u map_flags %X name %s(%s)\n",
                           err, errno,
                           map_infos[i].type, BPF_MAP_TYPE_ARRAY,
                           info_len, sizeof(struct bpf_map_info),
@@ -485,7 +485,7 @@ static void test_bpf_obj_id(void)
                           *(int *)prog_infos[i].map_ids != map_infos[i].id ||
                           strcmp((char *)prog_infos[i].name, expected_prog_name),
                           "get-prog-info(fd)",
-                          "err %d errno %d i %d type %d(%d) info_len %u(%lu) jit_enabled %d jited_prog_len %u xlated_prog_len %u jited_prog %d xlated_prog %d load_time %lu(%lu) uid %u(%u) nr_map_ids %u(%u) map_id %u(%u) name %s(%s)\n",
+                          "err %d errno %d i %d type %d(%d) info_len %u(%Zu) jit_enabled %d jited_prog_len %u xlated_prog_len %u jited_prog %d xlated_prog %d load_time %lu(%lu) uid %u(%u) nr_map_ids %u(%u) map_id %u(%u) name %s(%s)\n",
                           err, errno, i,
                           prog_infos[i].type, BPF_PROG_TYPE_SOCKET_FILTER,
                           info_len, sizeof(struct bpf_prog_info),
@@ -553,7 +553,7 @@ static void test_bpf_obj_id(void)
                       memcmp(&prog_info, &prog_infos[i], info_len) ||
                       *(int *)prog_info.map_ids != saved_map_id,
                       "get-prog-info(next_id->fd)",
-                      "err %d errno %d info_len %u(%lu) memcmp %d map_id %u(%u)\n",
+                      "err %d errno %d info_len %u(%Zu) memcmp %d map_id %u(%u)\n",
                       err, errno, info_len, sizeof(struct bpf_prog_info),
                       memcmp(&prog_info, &prog_infos[i], info_len),
                       *(int *)prog_info.map_ids, saved_map_id);
@@ -599,7 +599,7 @@ static void test_bpf_obj_id(void)
                       memcmp(&map_info, &map_infos[i], info_len) ||
                       array_value != array_magic_value,
                       "check get-map-info(next_id->fd)",
-                      "err %d errno %d info_len %u(%lu) memcmp %d array_value %llu(%llu)\n",
+                      "err %d errno %d info_len %u(%Zu) memcmp %d array_value %llu(%llu)\n",
                       err, errno, info_len, sizeof(struct bpf_map_info),
                       memcmp(&map_info, &map_infos[i], info_len),
                       array_value, array_magic_value);
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 3bacff0d6f91..d38334abb990 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -423,9 +423,7 @@ static struct bpf_test tests[] = {
                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
                         BPF_EXIT_INSN(),
                 },
-                .errstr_unpriv = "R1 subtraction from stack pointer",
-                .result_unpriv = REJECT,
-                .errstr = "R1 invalid mem access",
+                .errstr = "R1 subtraction from stack pointer",
                 .result = REJECT,
         },
         {
@@ -607,7 +605,6 @@ static struct bpf_test tests[] = {
                 },
                 .errstr = "misaligned stack access",
                 .result = REJECT,
-                .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
         },
         {
                 "invalid map_fd for function call",
@@ -1798,7 +1795,6 @@ static struct bpf_test tests[] = {
                 },
                 .result = REJECT,
                 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
-                .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
         },
         {
                 "PTR_TO_STACK store/load - bad alignment on reg",
@@ -1811,7 +1807,6 @@ static struct bpf_test tests[] = {
                 },
                 .result = REJECT,
                 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
-                .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
         },
         {
                 "PTR_TO_STACK store/load - out of bounds low",
@@ -1863,9 +1858,8 @@ static struct bpf_test tests[] = {
                         BPF_MOV64_IMM(BPF_REG_0, 0),
                         BPF_EXIT_INSN(),
                 },
-                .result = ACCEPT,
-                .result_unpriv = REJECT,
-                .errstr_unpriv = "R1 pointer += pointer",
+                .result = REJECT,
+                .errstr = "R1 pointer += pointer",
         },
         {
                 "unpriv: neg pointer",
@@ -2593,7 +2587,8 @@ static struct bpf_test tests[] = {
                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
                                     offsetof(struct __sk_buff, data)),
                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
-                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, len)),
                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
@@ -2900,7 +2895,7 @@ static struct bpf_test tests[] = {
                         BPF_MOV64_IMM(BPF_REG_0, 0),
                         BPF_EXIT_INSN(),
                 },
-                .errstr = "invalid access to packet",
+                .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
                 .result = REJECT,
                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
         },
@@ -3886,9 +3881,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map2 = { 3, 11 },
-                .errstr_unpriv = "R0 pointer += pointer",
-                .errstr = "R0 invalid mem access 'inv'",
-                .result_unpriv = REJECT,
+                .errstr = "R0 pointer += pointer",
                 .result = REJECT,
                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
@@ -3929,7 +3922,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 4 },
-                .errstr = "R4 invalid mem access",
+                .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
                 .result = REJECT,
                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
         },
@@ -3950,7 +3943,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 4 },
-                .errstr = "R4 invalid mem access",
+                .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
                 .result = REJECT,
                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
         },
@@ -3971,7 +3964,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 4 },
-                .errstr = "R4 invalid mem access",
+                .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
                 .result = REJECT,
                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
         },
@@ -5196,10 +5189,8 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map2 = { 3 },
-                .errstr_unpriv = "R0 bitwise operator &= on pointer",
-                .errstr = "invalid mem access 'inv'",
+                .errstr = "R0 bitwise operator &= on pointer",
                 .result = REJECT,
-                .result_unpriv = REJECT,
         },
         {
                 "map element value illegal alu op, 2",
@@ -5215,10 +5206,8 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map2 = { 3 },
-                .errstr_unpriv = "R0 32-bit pointer arithmetic prohibited",
-                .errstr = "invalid mem access 'inv'",
+                .errstr = "R0 32-bit pointer arithmetic prohibited",
                 .result = REJECT,
-                .result_unpriv = REJECT,
         },
         {
                 "map element value illegal alu op, 3",
@@ -5234,10 +5223,8 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map2 = { 3 },
-                .errstr_unpriv = "R0 pointer arithmetic with /= operator",
-                .errstr = "invalid mem access 'inv'",
+                .errstr = "R0 pointer arithmetic with /= operator",
                 .result = REJECT,
-                .result_unpriv = REJECT,
         },
         {
                 "map element value illegal alu op, 4",
@@ -6020,8 +6007,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map_in_map = { 3 },
-                .errstr = "R1 type=inv expected=map_ptr",
-                .errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
+                .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
                 .result = REJECT,
         },
         {
@@ -6118,6 +6104,30 @@ static struct bpf_test tests[] = {
                 .result = ACCEPT,
         },
         {
+                "ld_abs: tests on r6 and skb data reload helper",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+                        BPF_LD_ABS(BPF_B, 0),
+                        BPF_LD_ABS(BPF_H, 0),
+                        BPF_LD_ABS(BPF_W, 0),
+                        BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_6, 0),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
+                        BPF_MOV64_IMM(BPF_REG_2, 1),
+                        BPF_MOV64_IMM(BPF_REG_3, 2),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_skb_vlan_push),
+                        BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
+                        BPF_LD_ABS(BPF_B, 0),
+                        BPF_LD_ABS(BPF_H, 0),
+                        BPF_LD_ABS(BPF_W, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 42),
+                        BPF_EXIT_INSN(),
+                },
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+                .result = ACCEPT,
+        },
+        {
                 "ld_ind: check calling conv, r1",
                 .insns = {
                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
@@ -6301,7 +6311,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6325,7 +6335,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6351,7 +6361,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R8 invalid mem access 'inv'",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6376,7 +6386,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R8 invalid mem access 'inv'",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6424,7 +6434,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6495,7 +6505,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6546,7 +6556,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6573,7 +6583,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6599,7 +6609,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6628,7 +6638,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6658,7 +6668,7 @@ static struct bpf_test tests[] = {
                         BPF_JMP_IMM(BPF_JA, 0, 0, -7),
                 },
                 .fixup_map1 = { 4 },
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
         },
         {
@@ -6686,8 +6696,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN(),
                 },
                 .fixup_map1 = { 3 },
-                .errstr_unpriv = "R0 pointer comparison prohibited",
-                .errstr = "R0 min value is negative",
+                .errstr = "unbounded min value",
                 .result = REJECT,
                 .result_unpriv = REJECT,
         },
@@ -6743,6 +6752,462 @@ static struct bpf_test tests[] = {
                 .result = REJECT,
         },
         {
+                "bounds check based on zero-extended MOV",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        /* r2 = 0x0000'0000'ffff'ffff */
+                        BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
+                        /* r2 = 0 */
+                        BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
+                        /* no-op */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
+                        /* access at offset 0 */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .result = ACCEPT
+        },
+        {
+                "bounds check based on sign-extended MOV. test1",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        /* r2 = 0xffff'ffff'ffff'ffff */
+                        BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
+                        /* r2 = 0xffff'ffff */
+                        BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
+                        /* r0 = <oob pointer> */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
+                        /* access to OOB pointer */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .errstr = "map_value pointer and 4294967295",
+                .result = REJECT
+        },
+        {
+                "bounds check based on sign-extended MOV. test2",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        /* r2 = 0xffff'ffff'ffff'ffff */
+                        BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
+                        /* r2 = 0xfff'ffff */
+                        BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
+                        /* r0 = <oob pointer> */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
+                        /* access to OOB pointer */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .errstr = "R0 min value is outside of the array range",
+                .result = REJECT
+        },
+        {
+                "bounds check based on reg_off + var_off + insn_off. test1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 4 },
+                .errstr = "value_size=8 off=1073741825",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "bounds check based on reg_off + var_off + insn_off. test2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 4 },
+                .errstr = "value 1073741823",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "bounds check after truncation of non-boundary-crossing range",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+                        /* r1 = [0x00, 0xff] */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_2, 1),
+                        /* r2 = 0x10'0000'0000 */
+                        BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
+                        /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                        /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
+                        /* r1 = [0x00, 0xff] */
+                        BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
+                        /* r1 = 0 */
+                        BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
+                        /* no-op */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        /* access at offset 0 */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .result = ACCEPT
+        },
+        {
+                "bounds check after truncation of boundary-crossing range (1)",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+                        /* r1 = [0x00, 0xff] */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
+                        /* r1 = [0xffff'ff80, 0x1'0000'007f] */
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
+                        /* r1 = [0xffff'ff80, 0xffff'ffff] or
+                         *      [0x0000'0000, 0x0000'007f]
+                         */
+                        BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
+                        /* r1 = [0x00, 0xff] or
+                         *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
+                         */
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
+                        /* r1 = 0 or
+                         *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
+                         */
+                        BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
+                        /* no-op or OOB pointer computation */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        /* potentially OOB access */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                /* not actually fully unbounded, but the bound is very high */
+                .errstr = "R0 unbounded memory access",
+                .result = REJECT
+        },
+        {
+                "bounds check after truncation of boundary-crossing range (2)",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+                        /* r1 = [0x00, 0xff] */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
+                        /* r1 = [0xffff'ff80, 0x1'0000'007f] */
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
+                        /* r1 = [0xffff'ff80, 0xffff'ffff] or
+                         *      [0x0000'0000, 0x0000'007f]
+                         * difference to previous test: truncation via MOV32
+                         * instead of ALU32.
+                         */
+                        BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
+                        /* r1 = [0x00, 0xff] or
+                         *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
+                         */
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
+                        /* r1 = 0 or
+                         *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
+                         */
+                        BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
+                        /* no-op or OOB pointer computation */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        /* potentially OOB access */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                /* not actually fully unbounded, but the bound is very high */
+                .errstr = "R0 unbounded memory access",
+                .result = REJECT
+        },
+        {
+                "bounds check after wrapping 32-bit addition",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
+                        /* r1 = 0x7fff'ffff */
+                        BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
+                        /* r1 = 0xffff'fffe */
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
+                        /* r1 = 0 */
+                        BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
+                        /* no-op */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        /* access at offset 0 */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .result = ACCEPT
+        },
+        {
+                "bounds check after shift with oversized count operand",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+                        BPF_MOV64_IMM(BPF_REG_2, 32),
+                        BPF_MOV64_IMM(BPF_REG_1, 1),
+                        /* r1 = (u32)1 << (u32)32 = ? */
+                        BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
+                        /* r1 = [0x0000, 0xffff] */
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
+                        /* computes unknown pointer, potentially OOB */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        /* potentially OOB access */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .errstr = "R0 max value is outside of the array range",
+                .result = REJECT
+        },
+        {
+                "bounds check after right shift of maybe-negative number",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+                        /* r1 = [0x00, 0xff] */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        /* r1 = [-0x01, 0xfe] */
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
+                        /* r1 = 0 or 0xff'ffff'ffff'ffff */
+                        BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
+                        /* r1 = 0 or 0xffff'ffff'ffff */
+                        BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
+                        /* computes unknown pointer, potentially OOB */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        /* potentially OOB access */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .errstr = "R0 unbounded memory access",
+                .result = REJECT
+        },
+        {
+                "bounds check map access with off+size signed 32bit overflow. test1",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_JMP_A(0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .errstr = "map_value pointer and 2147483646",
+                .result = REJECT
+        },
+        {
+                "bounds check map access with off+size signed 32bit overflow. test2",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_JMP_A(0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .errstr = "pointer offset 1073741822",
+                .result = REJECT
+        },
+        {
+                "bounds check map access with off+size signed 32bit overflow. test3",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
+                        BPF_JMP_A(0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .errstr = "pointer offset -1073741822",
+                .result = REJECT
+        },
+        {
+                "bounds check map access with off+size signed 32bit overflow. test4",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_MOV64_IMM(BPF_REG_1, 1000000),
+                        BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
+                        BPF_JMP_A(0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .errstr = "map_value pointer and 1000000000000",
+                .result = REJECT
+        },
+        {
+                "pointer/scalar confusion in state equality check (way 1)",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_JMP_A(1),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
+                        BPF_JMP_A(0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 leaks addr as return value"
+        },
+        {
+                "pointer/scalar confusion in state equality check (way 2)",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
+                        BPF_JMP_A(1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 leaks addr as return value"
+        },
+        {
                 "variable-offset ctx access",
                 .insns = {
                         /* Get an unknown value */
@@ -6784,6 +7249,71 @@ static struct bpf_test tests[] = {
                 .prog_type = BPF_PROG_TYPE_LWT_IN,
         },
         {
+                "indirect variable-offset stack access",
+                .insns = {
+                        /* Fill the top 8 bytes of the stack */
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        /* Get an unknown value */
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
+                        /* Make it small and 4-byte aligned */
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
+                        /* add it to fp.  We now have either fp-4 or fp-8, but
+                         * we don't know which
+                         */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
+                        /* dereference it indirectly */
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map1 = { 5 },
+                .errstr = "variable stack read R2",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_LWT_IN,
+        },
+        {
+                "direct stack access with 32-bit wraparound. test1",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
+                        BPF_MOV32_IMM(BPF_REG_0, 0),
+                        BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_EXIT_INSN()
+                },
+                .errstr = "fp pointer and 2147483647",
+                .result = REJECT
+        },
+        {
+                "direct stack access with 32-bit wraparound. test2",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
+                        BPF_MOV32_IMM(BPF_REG_0, 0),
+                        BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_EXIT_INSN()
+                },
+                .errstr = "fp pointer and 1073741823",
+                .result = REJECT
+        },
+        {
+                "direct stack access with 32-bit wraparound. test3",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
+                        BPF_MOV32_IMM(BPF_REG_0, 0),
+                        BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_EXIT_INSN()
+                },
+                .errstr = "fp pointer offset 1073741822",
+                .result = REJECT
+        },
+        {
                 "liveness pruning and write screening",
                 .insns = {
                         /* Get an unknown value */
@@ -7105,6 +7635,19 @@ static struct bpf_test tests[] = {
                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
         },
         {
+                "pkt_end - pkt_start is allowed",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
                 "XDP pkt read, pkt_end mangling, bad access 1",
                 .insns = {
                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
@@ -7119,7 +7662,7 @@ static struct bpf_test tests[] = {
                         BPF_MOV64_IMM(BPF_REG_0, 0),
                         BPF_EXIT_INSN(),
                 },
-                .errstr = "R1 offset is outside of the packet",
+                .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
                 .result = REJECT,
                 .prog_type = BPF_PROG_TYPE_XDP,
         },
@@ -7138,7 +7681,7 @@ static struct bpf_test tests[] = {
                         BPF_MOV64_IMM(BPF_REG_0, 0),
                         BPF_EXIT_INSN(),
                 },
-                .errstr = "R1 offset is outside of the packet",
+                .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
                 .result = REJECT,
                 .prog_type = BPF_PROG_TYPE_XDP,
         },
diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
index e57b4ac40e72..7177bea1fdfa 100644
--- a/tools/testing/selftests/net/config
+++ b/tools/testing/selftests/net/config
@@ -1,3 +1,4 @@
 CONFIG_USER_NS=y
 CONFIG_BPF_SYSCALL=y
 CONFIG_TEST_BPF=m
+CONFIG_NUMA=y
diff --git a/virt/kvm/arm/arch_timer.c b/virt/kvm/arm/arch_timer.c
index f9555b1e7f15..cc29a8148328 100644
--- a/virt/kvm/arm/arch_timer.c
+++ b/virt/kvm/arm/arch_timer.c
@@ -92,16 +92,23 @@ static irqreturn_t kvm_arch_timer_handler(int irq, void *dev_id)
 {
         struct kvm_vcpu *vcpu = *(struct kvm_vcpu **)dev_id;
         struct arch_timer_context *vtimer;
+        u32 cnt_ctl;
 
-        if (!vcpu) {
-                pr_warn_once("Spurious arch timer IRQ on non-VCPU thread\n");
-                return IRQ_NONE;
-        }
-        vtimer = vcpu_vtimer(vcpu);
+        /*
+         * We may see a timer interrupt after vcpu_put() has been called which
+         * sets the CPU's vcpu pointer to NULL, because even though the timer
+         * has been disabled in vtimer_save_state(), the hardware interrupt
+         * signal may not have been retired from the interrupt controller yet.
+         */
+        if (!vcpu)
+                return IRQ_HANDLED;
 
+        vtimer = vcpu_vtimer(vcpu);
         if (!vtimer->irq.level) {
-                vtimer->cnt_ctl = read_sysreg_el0(cntv_ctl);
-                if (kvm_timer_irq_can_fire(vtimer))
+                cnt_ctl = read_sysreg_el0(cntv_ctl);
+                cnt_ctl &= ARCH_TIMER_CTRL_ENABLE | ARCH_TIMER_CTRL_IT_STAT |
+                           ARCH_TIMER_CTRL_IT_MASK;
+                if (cnt_ctl == (ARCH_TIMER_CTRL_ENABLE | ARCH_TIMER_CTRL_IT_STAT))
                         kvm_timer_update_irq(vcpu, true, vtimer);
         }
 
@@ -355,6 +362,7 @@ static void vtimer_save_state(struct kvm_vcpu *vcpu)
 
         /* Disable the virtual timer */
         write_sysreg_el0(0, cntv_ctl);
+        isb();
 
         vtimer->loaded = false;
 out:
@@ -720,7 +728,7 @@ static int kvm_timer_dying_cpu(unsigned int cpu)
         return 0;
 }
 
-int kvm_timer_hyp_init(void)
+int kvm_timer_hyp_init(bool has_gic)
 {
         struct arch_timer_kvm_info *info;
         int err;
@@ -756,10 +764,13 @@ int kvm_timer_hyp_init(void)
                 return err;
         }
 
-        err = irq_set_vcpu_affinity(host_vtimer_irq, kvm_get_running_vcpus());
-        if (err) {
-                kvm_err("kvm_arch_timer: error setting vcpu affinity\n");
-                goto out_free_irq;
+        if (has_gic) {
+                err = irq_set_vcpu_affinity(host_vtimer_irq,
+                                            kvm_get_running_vcpus());
+                if (err) {
+                        kvm_err("kvm_arch_timer: error setting vcpu affinity\n");
+                        goto out_free_irq;
+                }
         }
 
         kvm_info("virtual timer IRQ%d\n", host_vtimer_irq);
@@ -835,10 +846,7 @@ int kvm_timer_enable(struct kvm_vcpu *vcpu)
 no_vgic:
         preempt_disable();
         timer->enabled = 1;
-        if (!irqchip_in_kernel(vcpu->kvm))
-                kvm_timer_vcpu_load_user(vcpu);
-        else
-                kvm_timer_vcpu_load_vgic(vcpu);
+        kvm_timer_vcpu_load(vcpu);
         preempt_enable();
 
         return 0;
diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c
index 6b60c98a6e22..2e43f9d42bd5 100644
--- a/virt/kvm/arm/arm.c
+++ b/virt/kvm/arm/arm.c
@@ -1326,7 +1326,7 @@ static int init_subsystems(void)
         /*
          * Init HYP architected timer support
          */
-        err = kvm_timer_hyp_init();
+        err = kvm_timer_hyp_init(vgic_present);
         if (err)
                 goto out;
 
diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
index b6e715fd3c90..dac7ceb1a677 100644
--- a/virt/kvm/arm/mmio.c
+++ b/virt/kvm/arm/mmio.c
@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run)
                 }
 
                 trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
-                               data);
+                               &data);
                 data = vcpu_data_host_to_guest(vcpu, data, len);
                 vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
         }
@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
                 data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
                                                len);
 
-                trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
+                trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
                 kvm_mmio_write_buf(data_buf, len, data);
 
                 ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
                                        data_buf);
         } else {
                 trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
-                               fault_ipa, 0);
+                               fault_ipa, NULL);
 
                 ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
                                       data_buf);
diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
index b36945d49986..b4b69c2d1012 100644
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -509,8 +509,6 @@ static void unmap_hyp_range(pgd_t *pgdp, phys_addr_t start, u64 size)
  */
 void free_hyp_pgds(void)
 {
-        unsigned long addr;
-
         mutex_lock(&kvm_hyp_pgd_mutex);
 
         if (boot_hyp_pgd) {
@@ -521,10 +519,10 @@ void free_hyp_pgds(void)
 
         if (hyp_pgd) {
                 unmap_hyp_range(hyp_pgd, hyp_idmap_start, PAGE_SIZE);
-                for (addr = PAGE_OFFSET; virt_addr_valid(addr); addr += PGDIR_SIZE)
-                        unmap_hyp_range(hyp_pgd, kern_hyp_va(addr), PGDIR_SIZE);
-                for (addr = VMALLOC_START; is_vmalloc_addr((void*)addr); addr += PGDIR_SIZE)
-                        unmap_hyp_range(hyp_pgd, kern_hyp_va(addr), PGDIR_SIZE);
+                unmap_hyp_range(hyp_pgd, kern_hyp_va(PAGE_OFFSET),
+                                (uintptr_t)high_memory - PAGE_OFFSET);
+                unmap_hyp_range(hyp_pgd, kern_hyp_va(VMALLOC_START),
+                                VMALLOC_END - VMALLOC_START);
 
                 free_pages((unsigned long)hyp_pgd, hyp_pgd_order);
                 hyp_pgd = NULL;