Merge branch 'timers/urgent' into timers/core

Pick up urgent bug fix and resolve the conflict. Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
author: Thomas Gleixner <tglx@linutronix.de> 2018-01-27 09:35:29 -0500
committer: Thomas Gleixner <tglx@linutronix.de> 2018-01-27 09:35:29 -0500
commit: 303c146df1c4574db3495d9acc5c440dd46c6b0f (patch)
tree: fbcea289aea24da8a44c7677a776988bb3c8bcbe
parent: b1a31a5f5f27ff8aba42b545a1c721941f735107 (diff)
parent: d5421ea43d30701e03cadc56a38854c36a8b4433 (diff)
539 files changed, 7437 insertions, 2533 deletions
diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
index d6d862db3b5d..bfd29bc8d37a 100644
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -375,3 +375,19 @@ Contact:	Linux kernel mailing list <linux-kernel@vger.kernel.org>
 Description:    information about CPUs heterogeneity.
                cpu_capacity: capacity of cpu#.
+What:           /sys/devices/system/cpu/vulnerabilities
+                /sys/devices/system/cpu/vulnerabilities/meltdown
+                /sys/devices/system/cpu/vulnerabilities/spectre_v1
+                /sys/devices/system/cpu/vulnerabilities/spectre_v2
+Date:           January 2018
+Contact:        Linux kernel mailing list <linux-kernel@vger.kernel.org>
+Description:    Information about CPU vulnerabilities
+                The files are named after the code names of CPU
+                vulnerabilities. The output of those files reflects the
+                state of the CPUs in the system. Possible output values:
+                "Not affected"    CPU is not affected by the vulnerability
+                "Vulnerable"      CPU is affected and no mitigation in effect
+                "Mitigation: $M"  CPU is affected and mitigation $M is in effect
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index af7104aaffd9..46b26bfee27b 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -713,9 +713,6 @@
                        It will be ignored when crashkernel=X,high is not used
                        or memory reserved is below 4G.
-        crossrelease_fullstack
-                        [KNL] Allow to record full stack trace in cross-release
        cryptomgr.notests
                        [KNL] Disable crypto self-tests
@@ -2626,6 +2623,11 @@
        nosmt           [KNL,S390] Disable symmetric multithreading (SMT).
                        Equivalent to smt=1.
+        nospectre_v2    [X86] Disable all mitigations for the Spectre variant 2
+                        (indirect branch prediction) vulnerability. System may
+                        allow data leaks with this option, which is equivalent
+                        to spectre_v2=off.
        noxsave         [BUGS=X86] Disables x86 extended register state save
                        and restore using xsave. The kernel will fallback to
                        enabling legacy floating-point and sse state.
@@ -2712,8 +2714,6 @@
                        steal time is computed, but won't influence scheduler
                        behaviour
-        nopti           [X86-64] Disable kernel page table isolation
        nolapic         [X86-32,APIC] Do not enable or use the local APIC.
        nolapic_timer   [X86-32,APIC] Do not use the local APIC timer.
@@ -3100,6 +3100,12 @@
                pcie_scan_all   Scan all possible PCIe devices.  Otherwise we
                                only look for one device below a PCIe downstream
                                port.
+                big_root_window Try to add a big 64bit memory window to the PCIe
+                                root complex on AMD CPUs. Some GFX hardware
+                                can resize a BAR to allow access to all VRAM.
+                                Adding the window is slightly risky (it may
+                                conflict with unreported devices), so this
+                                taints the kernel.
        pcie_aspm=      [PCIE] Forcibly enable or disable PCIe Active State Power
                        Management.
@@ -3288,11 +3294,20 @@
        pt.             [PARIDE]
                        See Documentation/blockdev/paride.txt.
-        pti=            [X86_64]
+        pti=            [X86_64] Control Page Table Isolation of user and
-                        Control user/kernel address space isolation:
+                        kernel address spaces.  Disabling this feature
-                        on - enable
+                        removes hardening, but improves performance of
-                        off - disable
+                        system calls and interrupts.
-                        auto - default setting
+                        on   - unconditionally enable
+                        off  - unconditionally disable
+                        auto - kernel detects whether your CPU model is
+                               vulnerable to issues that PTI mitigates
+                        Not specifying this option is equivalent to pti=auto.
+        nopti           [X86_64]
+                        Equivalent to pti=off
        pty.legacy_count=
                        [KNL] Number of legacy pty's. Overwrites compiled-in
@@ -3943,6 +3958,29 @@
        sonypi.*=       [HW] Sony Programmable I/O Control Device driver
                        See Documentation/laptops/sonypi.txt
+        spectre_v2=     [X86] Control mitigation of Spectre variant 2
+                        (indirect branch speculation) vulnerability.
+                        on   - unconditionally enable
+                        off  - unconditionally disable
+                        auto - kernel detects whether your CPU model is
+                               vulnerable
+                        Selecting 'on' will, and 'auto' may, choose a
+                        mitigation method at run time according to the
+                        CPU, the available microcode, the setting of the
+                        CONFIG_RETPOLINE configuration option, and the
+                        compiler with which the kernel was built.
+                        Specific mitigations can also be selected manually:
+                        retpoline         - replace indirect branches
+                        retpoline,generic - google's original retpoline
+                        retpoline,amd     - AMD-specific minimal thunk
+                        Not specifying this option is equivalent to
+                        spectre_v2=auto.
        spia_io_base=   [HW,MTD]
        spia_fio_base=
        spia_pedr=
diff --git a/Documentation/filesystems/nilfs2.txt b/Documentation/filesystems/nilfs2.txt
index c0727dc36271..f2f3f8592a6f 100644
--- a/Documentation/filesystems/nilfs2.txt
+++ b/Documentation/filesystems/nilfs2.txt
@@ -25,8 +25,8 @@ available from the following download page.  At least "mkfs.nilfs2",
 cleaner or garbage collector) are required.  Details on the tools are
 described in the man pages included in the package.
-Project web page:    http://nilfs.sourceforge.net/
+Project web page:    https://nilfs.sourceforge.io/
-Download page:       http://nilfs.sourceforge.net/en/download.html
+Download page:       https://nilfs.sourceforge.io/en/download.html
 List info:           http://vger.kernel.org/vger-lists.html#linux-nilfs
 Caveats
diff --git a/Documentation/kbuild/kconfig-language.txt b/Documentation/kbuild/kconfig-language.txt
index 262722d8867b..c4a293a03c33 100644
--- a/Documentation/kbuild/kconfig-language.txt
+++ b/Documentation/kbuild/kconfig-language.txt
@@ -200,10 +200,14 @@ module state. Dependency expressions have the following syntax:
 <expr> ::= <symbol>                             (1)
           <symbol> '=' <symbol>                (2)
           <symbol> '!=' <symbol>               (3)
-           '(' <expr> ')'                       (4)
+           <symbol1> '<' <symbol2>              (4)
-           '!' <expr>                           (5)
+           <symbol1> '>' <symbol2>              (4)
-           <expr> '&&' <expr>                   (6)
+           <symbol1> '<=' <symbol2>             (4)
-           <expr> '||' <expr>                   (7)
+           <symbol1> '>=' <symbol2>             (4)
+           '(' <expr> ')'                       (5)
+           '!' <expr>                           (6)
+           <expr> '&&' <expr>                   (7)
+           <expr> '||' <expr>                   (8)
 Expressions are listed in decreasing order of precedence. 
@@ -214,10 +218,13 @@ Expressions are listed in decreasing order of precedence.
    otherwise 'n'.
 (3) If the values of both symbols are equal, it returns 'n',
    otherwise 'y'.
-(4) Returns the value of the expression. Used to override precedence.
+(4) If value of <symbol1> is respectively lower, greater, lower-or-equal,
-(5) Returns the result of (2-/expr/).
+    or greater-or-equal than value of <symbol2>, it returns 'y',
-(6) Returns the result of min(/expr/, /expr/).
+    otherwise 'n'.
-(7) Returns the result of max(/expr/, /expr/).
+(5) Returns the value of the expression. Used to override precedence.
+(6) Returns the result of (2-/expr/).
+(7) Returns the result of min(/expr/, /expr/).
+(8) Returns the result of max(/expr/, /expr/).
 An expression can have a value of 'n', 'm' or 'y' (or 0, 1, 2
 respectively for calculations). A menu entry becomes visible when its
diff --git a/Documentation/networking/index.rst b/Documentation/networking/index.rst
index 66e620866245..7d4b15977d61 100644
--- a/Documentation/networking/index.rst
+++ b/Documentation/networking/index.rst
@@ -9,6 +9,7 @@ Contents:
   batman-adv
   kapi
   z8530book
+   msg_zerocopy
 .. only::  subproject
@@ -16,4 +17,3 @@ Contents:
   =======
   * :ref:`genindex`
diff --git a/Documentation/networking/msg_zerocopy.rst b/Documentation/networking/msg_zerocopy.rst
index 77f6d7e25cfd..291a01264967 100644
--- a/Documentation/networking/msg_zerocopy.rst
+++ b/Documentation/networking/msg_zerocopy.rst
@@ -72,6 +72,10 @@ this flag, a process must first signal intent by setting a socket option:
        if (setsockopt(fd, SOL_SOCKET, SO_ZEROCOPY, &one, sizeof(one)))
                error(1, errno, "setsockopt zerocopy");
+Setting the socket option only works when the socket is in its initial
+(TCP_CLOSED) state.  Trying to set the option for a socket returned by accept(),
+for example, will lead to an EBUSY error. In this case, the option should be set
+to the listening socket and it will be inherited by the accepted sockets.
 Transmission
 ------------
diff --git a/Documentation/usb/gadget-testing.txt b/Documentation/usb/gadget-testing.txt
index 441a4b9b666f..5908a21fddb6 100644
--- a/Documentation/usb/gadget-testing.txt
+++ b/Documentation/usb/gadget-testing.txt
@@ -693,7 +693,7 @@ such specification consists of a number of lines with an inverval value
 in each line. The rules stated above are best illustrated with an example:
 # mkdir functions/uvc.usb0/control/header/h
-# cd functions/uvc.usb0/control/header/h
+# cd functions/uvc.usb0/control/
 # ln -s header/h class/fs
 # ln -s header/h class/ss
 # mkdir -p functions/uvc.usb0/streaming/uncompressed/u/360p
diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt
index 57d3ee9e4bde..fc3ae951bc07 100644
--- a/Documentation/virtual/kvm/api.txt
+++ b/Documentation/virtual/kvm/api.txt
@@ -3403,6 +3403,52 @@ invalid, if invalid pages are written to (e.g. after the end of memory)
 or if no page table is present for the addresses (e.g. when using
 hugepages).
+4.108 KVM_PPC_GET_CPU_CHAR
+Capability: KVM_CAP_PPC_GET_CPU_CHAR
+Architectures: powerpc
+Type: vm ioctl
+Parameters: struct kvm_ppc_cpu_char (out)
+Returns: 0 on successful completion
+         -EFAULT if struct kvm_ppc_cpu_char cannot be written
+This ioctl gives userspace information about certain characteristics
+of the CPU relating to speculative execution of instructions and
+possible information leakage resulting from speculative execution (see
+CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754).  The information is
+returned in struct kvm_ppc_cpu_char, which looks like this:
+struct kvm_ppc_cpu_char {
+        __u64   character;              /* characteristics of the CPU */
+        __u64   behaviour;              /* recommended software behaviour */
+        __u64   character_mask;         /* valid bits in character */
+        __u64   behaviour_mask;         /* valid bits in behaviour */
+};
+For extensibility, the character_mask and behaviour_mask fields
+indicate which bits of character and behaviour have been filled in by
+the kernel.  If the set of defined bits is extended in future then
+userspace will be able to tell whether it is running on a kernel that
+knows about the new bits.
+The character field describes attributes of the CPU which can help
+with preventing inadvertent information disclosure - specifically,
+whether there is an instruction to flash-invalidate the L1 data cache
+(ori 30,30,0 or mtspr SPRN_TRIG2,rN), whether the L1 data cache is set
+to a mode where entries can only be used by the thread that created
+them, whether the bcctr[l] instruction prevents speculation, and
+whether a speculation barrier instruction (ori 31,31,0) is provided.
+The behaviour field describes actions that software should take to
+prevent inadvertent information disclosure, and thus describes which
+vulnerabilities the hardware is subject to; specifically whether the
+L1 data cache should be flushed when returning to user mode from the
+kernel, and whether a speculation barrier should be placed between an
+array bounds check and the array access.
+These fields use the same bit definitions as the new
+H_GET_CPU_CHARACTERISTICS hypercall.
 5. The kvm_run structure
 ------------------------
diff --git a/Documentation/x86/pti.txt b/Documentation/x86/pti.txt
new file mode 100644
index 000000000000..5cd58439ad2d
--- /dev/null
+++ b/Documentation/x86/pti.txt
@@ -0,0 +1,186 @@
+Overview
+========
+Page Table Isolation (pti, previously known as KAISER[1]) is a
+countermeasure against attacks on the shared user/kernel address
+space such as the "Meltdown" approach[2].
+To mitigate this class of attacks, we create an independent set of
+page tables for use only when running userspace applications.  When
+the kernel is entered via syscalls, interrupts or exceptions, the
+page tables are switched to the full "kernel" copy.  When the system
+switches back to user mode, the user copy is used again.
+The userspace page tables contain only a minimal amount of kernel
+data: only what is needed to enter/exit the kernel such as the
+entry/exit functions themselves and the interrupt descriptor table
+(IDT).  There are a few strictly unnecessary things that get mapped
+such as the first C function when entering an interrupt (see
+comments in pti.c).
+This approach helps to ensure that side-channel attacks leveraging
+the paging structures do not function when PTI is enabled.  It can be
+enabled by setting CONFIG_PAGE_TABLE_ISOLATION=y at compile time.
+Once enabled at compile-time, it can be disabled at boot with the
+'nopti' or 'pti=' kernel parameters (see kernel-parameters.txt).
+Page Table Management
+=====================
+When PTI is enabled, the kernel manages two sets of page tables.
+The first set is very similar to the single set which is present in
+kernels without PTI.  This includes a complete mapping of userspace
+that the kernel can use for things like copy_to_user().
+Although _complete_, the user portion of the kernel page tables is
+crippled by setting the NX bit in the top level.  This ensures
+that any missed kernel->user CR3 switch will immediately crash
+userspace upon executing its first instruction.
+The userspace page tables map only the kernel data needed to enter
+and exit the kernel.  This data is entirely contained in the 'struct
+cpu_entry_area' structure which is placed in the fixmap which gives
+each CPU's copy of the area a compile-time-fixed virtual address.
+For new userspace mappings, the kernel makes the entries in its
+page tables like normal.  The only difference is when the kernel
+makes entries in the top (PGD) level.  In addition to setting the
+entry in the main kernel PGD, a copy of the entry is made in the
+userspace page tables' PGD.
+This sharing at the PGD level also inherently shares all the lower
+layers of the page tables.  This leaves a single, shared set of
+userspace page tables to manage.  One PTE to lock, one set of
+accessed bits, dirty bits, etc...
+Overhead
+========
+Protection against side-channel attacks is important.  But,
+this protection comes at a cost:
+1. Increased Memory Use
+  a. Each process now needs an order-1 PGD instead of order-0.
+     (Consumes an additional 4k per process).
+  b. The 'cpu_entry_area' structure must be 2MB in size and 2MB
+     aligned so that it can be mapped by setting a single PMD
+     entry.  This consumes nearly 2MB of RAM once the kernel
+     is decompressed, but no space in the kernel image itself.
+2. Runtime Cost
+  a. CR3 manipulation to switch between the page table copies
+     must be done at interrupt, syscall, and exception entry
+     and exit (it can be skipped when the kernel is interrupted,
+     though.)  Moves to CR3 are on the order of a hundred
+     cycles, and are required at every entry and exit.
+  b. A "trampoline" must be used for SYSCALL entry.  This
+     trampoline depends on a smaller set of resources than the
+     non-PTI SYSCALL entry code, so requires mapping fewer
+     things into the userspace page tables.  The downside is
+     that stacks must be switched at entry time.
+  c. Global pages are disabled for all kernel structures not
+     mapped into both kernel and userspace page tables.  This
+     feature of the MMU allows different processes to share TLB
+     entries mapping the kernel.  Losing the feature means more
+     TLB misses after a context switch.  The actual loss of
+     performance is very small, however, never exceeding 1%.
+  d. Process Context IDentifiers (PCID) is a CPU feature that
+     allows us to skip flushing the entire TLB when switching page
+     tables by setting a special bit in CR3 when the page tables
+     are changed.  This makes switching the page tables (at context
+     switch, or kernel entry/exit) cheaper.  But, on systems with
+     PCID support, the context switch code must flush both the user
+     and kernel entries out of the TLB.  The user PCID TLB flush is
+     deferred until the exit to userspace, minimizing the cost.
+     See intel.com/sdm for the gory PCID/INVPCID details.
+  e. The userspace page tables must be populated for each new
+     process.  Even without PTI, the shared kernel mappings
+     are created by copying top-level (PGD) entries into each
+     new process.  But, with PTI, there are now *two* kernel
+     mappings: one in the kernel page tables that maps everything
+     and one for the entry/exit structures.  At fork(), we need to
+     copy both.
+  f. In addition to the fork()-time copying, there must also
+     be an update to the userspace PGD any time a set_pgd() is done
+     on a PGD used to map userspace.  This ensures that the kernel
+     and userspace copies always map the same userspace
+     memory.
+  g. On systems without PCID support, each CR3 write flushes
+     the entire TLB.  That means that each syscall, interrupt
+     or exception flushes the TLB.
+  h. INVPCID is a TLB-flushing instruction which allows flushing
+     of TLB entries for non-current PCIDs.  Some systems support
+     PCIDs, but do not support INVPCID.  On these systems, addresses
+     can only be flushed from the TLB for the current PCID.  When
+     flushing a kernel address, we need to flush all PCIDs, so a
+     single kernel address flush will require a TLB-flushing CR3
+     write upon the next use of every PCID.
+Possible Future Work
+====================
+1. We can be more careful about not actually writing to CR3
+   unless its value is actually changed.
+2. Allow PTI to be enabled/disabled at runtime in addition to the
+   boot-time switching.
+Testing
+========
+To test stability of PTI, the following test procedure is recommended,
+ideally doing all of these in parallel:
+1. Set CONFIG_DEBUG_ENTRY=y
+2. Run several copies of all of the tools/testing/selftests/x86/ tests
+   (excluding MPX and protection_keys) in a loop on multiple CPUs for
+   several minutes.  These tests frequently uncover corner cases in the
+   kernel entry code.  In general, old kernels might cause these tests
+   themselves to crash, but they should never crash the kernel.
+3. Run the 'perf' tool in a mode (top or record) that generates many
+   frequent performance monitoring non-maskable interrupts (see "NMI"
+   in /proc/interrupts).  This exercises the NMI entry/exit code which
+   is known to trigger bugs in code paths that did not expect to be
+   interrupted, including nested NMIs.  Using "-c" boosts the rate of
+   NMIs, and using two -c with separate counters encourages nested NMIs
+   and less deterministic behavior.
+        while true; do perf record -c 10000 -e instructions,cycles -a sleep 10; done
+4. Launch a KVM virtual machine.
+5. Run 32-bit binaries on systems supporting the SYSCALL instruction.
+   This has been a lightly-tested code path and needs extra scrutiny.
+Debugging
+=========
+Bugs in PTI cause a few different signatures of crashes
+that are worth noting here.
+ * Failures of the selftests/x86 code.  Usually a bug in one of the
+   more obscure corners of entry_64.S
+ * Crashes in early boot, especially around CPU bringup.  Bugs
+   in the trampoline code or mappings cause these.
+ * Crashes at the first interrupt.  Caused by bugs in entry_64.S,
+   like screwing up a page table switch.  Also caused by
+   incorrectly mapping the IRQ handler entry code.
+ * Crashes at the first NMI.  The NMI code is separate from main
+   interrupt handlers and can have bugs that do not affect
+   normal interrupts.  Also caused by incorrectly mapping NMI
+   code.  NMIs that interrupt the entry code must be very
+   careful and can be the cause of crashes that show up when
+   running perf.
+ * Kernel crashes at the first exit to userspace.  entry_64.S
+   bugs, or failing to map some of the exit code.
+ * Crashes at first interrupt that interrupts userspace. The paths
+   in entry_64.S that return to userspace are sometimes separate
+   from the ones that return to the kernel.
+ * Double faults: overflowing the kernel stack because of page
+   faults upon page faults.  Caused by touching non-pti-mapped
+   data in the entry code, or forgetting to switch to kernel
+   CR3 before calling into C functions which are not pti-mapped.
+ * Userspace segfaults early in boot, sometimes manifesting
+   as mount(8) failing to mount the rootfs.  These have
+   tended to be TLB invalidation issues.  Usually invalidating
+   the wrong PCID, or otherwise missing an invalidation.
+1. https://gruss.cc/files/kaiser.pdf
+2. https://meltdownattack.com/meltdown.pdf
diff --git a/MAINTAINERS b/MAINTAINERS
index 95c3fa1f520f..810d5d990f4a 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -62,7 +62,15 @@ trivial patch so apply some common sense.
 7.      When sending security related changes or reports to a maintainer
        please Cc: security@kernel.org, especially if the maintainer
-        does not respond.
+        does not respond. Please keep in mind that the security team is
+        a small set of people who can be efficient only when working on
+        verified bugs. Please only Cc: this list when you have identified
+        that the bug would present a short-term risk to other users if it
+        were publicly disclosed. For example, reports of address leaks do
+        not represent an immediate threat and are better handled publicly,
+        and ideally, should come with a patch proposal. Please do not send
+        automated reports to this list either. Such bugs will be handled
+        better and faster in the usual public places.
 8.      Happy hacking.
@@ -9085,6 +9093,7 @@ F:	drivers/usb/image/microtek.*
 MIPS
 M:      Ralf Baechle <ralf@linux-mips.org>
+M:      James Hogan <jhogan@kernel.org>
 L:      linux-mips@linux-mips.org
 W:      http://www.linux-mips.org/
 T:      git git://git.linux-mips.org/pub/scm/ralf/linux.git
@@ -9638,8 +9647,8 @@ F:	include/uapi/linux/sunrpc/
 NILFS2 FILESYSTEM
 M:      Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
 L:      linux-nilfs@vger.kernel.org
-W:      http://nilfs.sourceforge.net/
+W:      https://nilfs.sourceforge.io/
-W:      http://nilfs.osdn.jp/
+W:      https://nilfs.osdn.jp/
 T:      git git://github.com/konis/nilfs2.git
 S:      Supported
 F:      Documentation/filesystems/nilfs2.txt
@@ -10134,7 +10143,7 @@ F:	drivers/irqchip/irq-ompic.c
 F:      drivers/irqchip/irq-or1k-*
 OPENVSWITCH
-M:      Pravin Shelar <pshelar@nicira.com>
+M:      Pravin B Shelar <pshelar@ovn.org>
 L:      netdev@vger.kernel.org
 L:      dev@openvswitch.org
 W:      http://openvswitch.org
@@ -12232,7 +12241,7 @@ M:	Security Officers <security@kernel.org>
 S:      Supported
 SECURITY SUBSYSTEM
-M:      James Morris <james.l.morris@oracle.com>
+M:      James Morris <jmorris@namei.org>
 M:      "Serge E. Hallyn" <serge@hallyn.com>
 L:      linux-security-module@vger.kernel.org (suggested Cc:)
 T:      git git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
diff --git a/Makefile b/Makefile
index eb1f5973813e..339397b838d3 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 VERSION = 4
 PATCHLEVEL = 15
 SUBLEVEL = 0
-EXTRAVERSION = -rc6
+EXTRAVERSION = -rc9
 NAME = Fearless Coyote
 # *DOCUMENTATION*
@@ -484,26 +484,6 @@ CLANG_GCC_TC	:= --gcc-toolchain=$(GCC_TOOLCHAIN)
 endif
 KBUILD_CFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
 KBUILD_AFLAGS += $(CLANG_TARGET) $(CLANG_GCC_TC)
-KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
-KBUILD_CFLAGS += $(call cc-disable-warning, unused-variable)
-KBUILD_CFLAGS += $(call cc-disable-warning, format-invalid-specifier)
-KBUILD_CFLAGS += $(call cc-disable-warning, gnu)
-KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
-# Quiet clang warning: comparison of unsigned expression < 0 is always false
-KBUILD_CFLAGS += $(call cc-disable-warning, tautological-compare)
-# CLANG uses a _MergedGlobals as optimization, but this breaks modpost, as the
-# source of a reference will be _MergedGlobals and not on of the whitelisted names.
-# See modpost pattern 2
-KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
-KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
-KBUILD_CFLAGS += $(call cc-option, -no-integrated-as)
-KBUILD_AFLAGS += $(call cc-option, -no-integrated-as)
-else
-# These warnings generated too much noise in a regular build.
-# Use make W=1 to enable them (see scripts/Makefile.extrawarn)
-KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable)
-KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable)
 endif
 ifeq ($(config-targets),1)
@@ -716,6 +696,29 @@ ifdef CONFIG_CC_STACKPROTECTOR
 endif
 KBUILD_CFLAGS += $(stackp-flag)
+ifeq ($(cc-name),clang)
+KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
+KBUILD_CFLAGS += $(call cc-disable-warning, unused-variable)
+KBUILD_CFLAGS += $(call cc-disable-warning, format-invalid-specifier)
+KBUILD_CFLAGS += $(call cc-disable-warning, gnu)
+KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member)
+# Quiet clang warning: comparison of unsigned expression < 0 is always false
+KBUILD_CFLAGS += $(call cc-disable-warning, tautological-compare)
+# CLANG uses a _MergedGlobals as optimization, but this breaks modpost, as the
+# source of a reference will be _MergedGlobals and not on of the whitelisted names.
+# See modpost pattern 2
+KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
+KBUILD_CFLAGS += $(call cc-option, -fcatch-undefined-behavior)
+KBUILD_CFLAGS += $(call cc-option, -no-integrated-as)
+KBUILD_AFLAGS += $(call cc-option, -no-integrated-as)
+else
+# These warnings generated too much noise in a regular build.
+# Use make W=1 to enable them (see scripts/Makefile.extrawarn)
+KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable)
+KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable)
+endif
 ifdef CONFIG_FRAME_POINTER
 KBUILD_CFLAGS   += -fno-omit-frame-pointer -fno-optimize-sibling-calls
 else
diff --git a/arch/alpha/kernel/sys_sio.c b/arch/alpha/kernel/sys_sio.c
index 37bd6d9b8eb9..a6bdc1da47ad 100644
--- a/arch/alpha/kernel/sys_sio.c
+++ b/arch/alpha/kernel/sys_sio.c
@@ -102,6 +102,15 @@ sio_pci_route(void)
                                   alpha_mv.sys.sio.route_tab);
 }
+static bool sio_pci_dev_irq_needs_level(const struct pci_dev *dev)
+{
+        if ((dev->class >> 16 == PCI_BASE_CLASS_BRIDGE) &&
+            (dev->class >> 8 != PCI_CLASS_BRIDGE_PCMCIA))
+                return false;
+        return true;
+}
 static unsigned int __init
 sio_collect_irq_levels(void)
 {
@@ -110,8 +119,7 @@ sio_collect_irq_levels(void)
        /* Iterate through the devices, collecting IRQ levels.  */
        for_each_pci_dev(dev) {
-                if ((dev->class >> 16 == PCI_BASE_CLASS_BRIDGE) &&
+                if (!sio_pci_dev_irq_needs_level(dev))
-                    (dev->class >> 8 != PCI_CLASS_BRIDGE_PCMCIA))
                        continue;
                if (dev->irq)
@@ -120,8 +128,7 @@ sio_collect_irq_levels(void)
        return level_bits;
 }
-static void __init
+static void __sio_fixup_irq_levels(unsigned int level_bits, bool reset)
-sio_fixup_irq_levels(unsigned int level_bits)
 {
        unsigned int old_level_bits;
@@ -139,12 +146,21 @@ sio_fixup_irq_levels(unsigned int level_bits)
         */
        old_level_bits = inb(0x4d0) | (inb(0x4d1) << 8);
-        level_bits |= (old_level_bits & 0x71ff);
+        if (reset)
+                old_level_bits &= 0x71ff;
+        level_bits |= old_level_bits;
        outb((level_bits >> 0) & 0xff, 0x4d0);
        outb((level_bits >> 8) & 0xff, 0x4d1);
 }
+static inline void
+sio_fixup_irq_levels(unsigned int level_bits)
+{
+        __sio_fixup_irq_levels(level_bits, true);
+}
 static inline int
 noname_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
 {
@@ -181,7 +197,14 @@ noname_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
        const long min_idsel = 6, max_idsel = 14, irqs_per_slot = 5;
        int irq = COMMON_TABLE_LOOKUP, tmp;
        tmp = __kernel_extbl(alpha_mv.sys.sio.route_tab, irq);
-        return irq >= 0 ? tmp : -1;
+        irq = irq >= 0 ? tmp : -1;
+        /* Fixup IRQ level if an actual IRQ mapping is detected */
+        if (sio_pci_dev_irq_needs_level(dev) && irq >= 0)
+                __sio_fixup_irq_levels(1 << irq, false);
+        return irq;
 }
 static inline int
diff --git a/arch/alpha/lib/ev6-memset.S b/arch/alpha/lib/ev6-memset.S
index 316a99aa9efe..1cfcfbbea6f0 100644
--- a/arch/alpha/lib/ev6-memset.S
+++ b/arch/alpha/lib/ev6-memset.S
@@ -18,7 +18,7 @@
 * The algorithm for the leading and trailing quadwords remains the same,
 * however the loop has been unrolled to enable better memory throughput,
 * and the code has been replicated for each of the entry points: __memset
- * and __memsetw to permit better scheduling to eliminate the stalling
+ * and __memset16 to permit better scheduling to eliminate the stalling
 * encountered during the mask replication.
 * A future enhancement might be to put in a byte store loop for really
 * small (say < 32 bytes) memset()s.  Whether or not that change would be
@@ -34,7 +34,7 @@
        .globl memset
        .globl __memset
        .globl ___memset
-        .globl __memsetw
+        .globl __memset16
        .globl __constant_c_memset
        .ent ___memset
@@ -415,9 +415,9 @@ end:
         * to mask stalls.  Note that entry point names also had to change
         */
        .align 5
-        .ent __memsetw
+        .ent __memset16
-__memsetw:
+__memset16:
        .frame $30,0,$26,0
        .prologue 0
@@ -596,8 +596,8 @@ end_w:
        nop
        ret $31,($26),1         # L0 :
-        .end __memsetw
+        .end __memset16
-        EXPORT_SYMBOL(__memsetw)
+        EXPORT_SYMBOL(__memset16)
 memset = ___memset
 __memset = ___memset
diff --git a/arch/arc/boot/dts/axc003.dtsi b/arch/arc/boot/dts/axc003.dtsi
index 4e6e9f57e790..dc91c663bcc0 100644
--- a/arch/arc/boot/dts/axc003.dtsi
+++ b/arch/arc/boot/dts/axc003.dtsi
@@ -35,6 +35,14 @@
                        reg = <0x80 0x10>, <0x100 0x10>;
                        #clock-cells = <0>;
                        clocks = <&input_clk>;
+                        /*
+                         * Set initial core pll output frequency to 90MHz.
+                         * It will be applied at the core pll driver probing
+                         * on early boot.
+                         */
+                        assigned-clocks = <&core_clk>;
+                        assigned-clock-rates = <90000000>;
                };
                core_intc: archs-intc@cpu {
diff --git a/arch/arc/boot/dts/axc003_idu.dtsi b/arch/arc/boot/dts/axc003_idu.dtsi
index 63954a8b0100..69ff4895f2ba 100644
--- a/arch/arc/boot/dts/axc003_idu.dtsi
+++ b/arch/arc/boot/dts/axc003_idu.dtsi
@@ -35,6 +35,14 @@
                        reg = <0x80 0x10>, <0x100 0x10>;
                        #clock-cells = <0>;
                        clocks = <&input_clk>;
+                        /*
+                         * Set initial core pll output frequency to 100MHz.
+                         * It will be applied at the core pll driver probing
+                         * on early boot.
+                         */
+                        assigned-clocks = <&core_clk>;
+                        assigned-clock-rates = <100000000>;
                };
                core_intc: archs-intc@cpu {
diff --git a/arch/arc/boot/dts/hsdk.dts b/arch/arc/boot/dts/hsdk.dts
index 8f627c200d60..006aa3de5348 100644
--- a/arch/arc/boot/dts/hsdk.dts
+++ b/arch/arc/boot/dts/hsdk.dts
@@ -114,6 +114,14 @@
                        reg = <0x00 0x10>, <0x14B8 0x4>;
                        #clock-cells = <0>;
                        clocks = <&input_clk>;
+                        /*
+                         * Set initial core pll output frequency to 1GHz.
+                         * It will be applied at the core pll driver probing
+                         * on early boot.
+                         */
+                        assigned-clocks = <&core_clk>;
+                        assigned-clock-rates = <1000000000>;
                };
                serial: serial@5000 {
diff --git a/arch/arc/configs/hsdk_defconfig b/arch/arc/configs/hsdk_defconfig
index 7b8f8faf8a24..ac6b0ed8341e 100644
--- a/arch/arc/configs/hsdk_defconfig
+++ b/arch/arc/configs/hsdk_defconfig
@@ -49,10 +49,11 @@ CONFIG_SERIAL_8250_DW=y
 CONFIG_SERIAL_OF_PLATFORM=y
 # CONFIG_HW_RANDOM is not set
 # CONFIG_HWMON is not set
+CONFIG_DRM=y
+# CONFIG_DRM_FBDEV_EMULATION is not set
+CONFIG_DRM_UDL=y
 CONFIG_FB=y
-CONFIG_FB_UDL=y
 CONFIG_FRAMEBUFFER_CONSOLE=y
-CONFIG_USB=y
 CONFIG_USB_EHCI_HCD=y
 CONFIG_USB_EHCI_HCD_PLATFORM=y
 CONFIG_USB_OHCI_HCD=y
diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
index f35974ee7264..c9173c02081c 100644
--- a/arch/arc/include/asm/uaccess.h
+++ b/arch/arc/include/asm/uaccess.h
@@ -668,6 +668,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count)
                return 0;
        __asm__ __volatile__(
+        "       mov     lp_count, %5            \n"
        "       lp      3f                      \n"
        "1:     ldb.ab  %3, [%2, 1]             \n"
        "       breq.d  %3, 0, 3f               \n"
@@ -684,8 +685,8 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count)
        "       .word   1b, 4b                  \n"
        "       .previous                       \n"
        : "+r"(res), "+r"(dst), "+r"(src), "=r"(val)
-        : "g"(-EFAULT), "l"(count)
+        : "g"(-EFAULT), "r"(count)
-        : "memory");
+        : "lp_count", "lp_start", "lp_end", "memory");
        return res;
 }
diff --git a/arch/arc/kernel/setup.c b/arch/arc/kernel/setup.c
index 7ef7d9a8ff89..9d27331fe69a 100644
--- a/arch/arc/kernel/setup.c
+++ b/arch/arc/kernel/setup.c
@@ -199,7 +199,7 @@ static void read_arc_build_cfg_regs(void)
                        unsigned int exec_ctrl;
                        READ_BCR(AUX_EXEC_CTRL, exec_ctrl);
-                        cpu->extn.dual_enb = exec_ctrl & 1;
+                        cpu->extn.dual_enb = !(exec_ctrl & 1);
                        /* dual issue always present for this core */
                        cpu->extn.dual = 1;
diff --git a/arch/arc/kernel/stacktrace.c b/arch/arc/kernel/stacktrace.c
index 74315f302971..bf40e06f3fb8 100644
--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c
@@ -163,7 +163,7 @@ arc_unwind_core(struct task_struct *tsk, struct pt_regs *regs,
 */
 static int __print_sym(unsigned int address, void *unused)
 {
-        __print_symbol("  %s\n", address);
+        printk("  %pS\n", (void *)address);
        return 0;
 }
diff --git a/arch/arc/kernel/traps.c b/arch/arc/kernel/traps.c
index bcd7c9fc5d0f..133a4dae41fe 100644
--- a/arch/arc/kernel/traps.c
+++ b/arch/arc/kernel/traps.c
@@ -83,6 +83,7 @@ DO_ERROR_INFO(SIGILL, "Illegal Insn (or Seq)", insterror_is_error, ILL_ILLOPC)
 DO_ERROR_INFO(SIGBUS, "Invalid Mem Access", __weak do_memory_error, BUS_ADRERR)
 DO_ERROR_INFO(SIGTRAP, "Breakpoint Set", trap_is_brkpt, TRAP_BRKPT)
 DO_ERROR_INFO(SIGBUS, "Misaligned Access", do_misaligned_error, BUS_ADRALN)
+DO_ERROR_INFO(SIGSEGV, "gcc generated __builtin_trap", do_trap5_error, 0)
 /*
 * Entry Point for Misaligned Data access Exception, for emulating in software
@@ -115,6 +116,8 @@ void do_machine_check_fault(unsigned long address, struct pt_regs *regs)
 * Thus TRAP_S <n> can be used for specific purpose
 *  -1 used for software breakpointing (gdb)
 *  -2 used by kprobes
+ *  -5 __builtin_trap() generated by gcc (2018.03 onwards) for toggle such as
+ *     -fno-isolate-erroneous-paths-dereference
 */
 void do_non_swi_trap(unsigned long address, struct pt_regs *regs)
 {
@@ -134,6 +137,9 @@ void do_non_swi_trap(unsigned long address, struct pt_regs *regs)
                kgdb_trap(regs);
                break;
+        case 5:
+                do_trap5_error(address, regs);
+                break;
        default:
                break;
        }
@@ -155,3 +161,11 @@ void do_insterror_or_kprobe(unsigned long address, struct pt_regs *regs)
        insterror_is_error(address, regs);
 }
+/*
+ * abort() call generated by older gcc for __builtin_trap()
+ */
+void abort(void)
+{
+        __asm__ __volatile__("trap_s  5\n");
+}
diff --git a/arch/arc/kernel/troubleshoot.c b/arch/arc/kernel/troubleshoot.c
index 7d8c1d6c2f60..6e9a0a9a6a04 100644
--- a/arch/arc/kernel/troubleshoot.c
+++ b/arch/arc/kernel/troubleshoot.c
@@ -163,6 +163,9 @@ static void show_ecr_verbose(struct pt_regs *regs)
                else
                        pr_cont("Bus Error, check PRM\n");
 #endif
+        } else if (vec == ECR_V_TRAP) {
+                if (regs->ecr_param == 5)
+                        pr_cont("gcc generated __builtin_trap\n");
        } else {
                pr_cont("Check Programmer's Manual\n");
        }
diff --git a/arch/arc/plat-axs10x/axs10x.c b/arch/arc/plat-axs10x/axs10x.c
index f1ac6790da5f..46544e88492d 100644
--- a/arch/arc/plat-axs10x/axs10x.c
+++ b/arch/arc/plat-axs10x/axs10x.c
@@ -317,25 +317,23 @@ static void __init axs103_early_init(void)
         * Instead of duplicating defconfig/DT for SMP/QUAD, add a small hack
         * of fudging the freq in DT
         */
+#define AXS103_QUAD_CORE_CPU_FREQ_HZ    50000000
        unsigned int num_cores = (read_aux_reg(ARC_REG_MCIP_BCR) >> 16) & 0x3F;
        if (num_cores > 2) {
-                u32 freq = 50, orig;
+                u32 freq;
-                /*
-                 * TODO: use cpu node "cpu-freq" param instead of platform-specific
-                 * "/cpu_card/core_clk" as it works only if we use fixed-clock for cpu.
-                 */
                int off = fdt_path_offset(initial_boot_params, "/cpu_card/core_clk");
                const struct fdt_property *prop;
                prop = fdt_get_property(initial_boot_params, off,
-                                        "clock-frequency", NULL);
+                                        "assigned-clock-rates", NULL);
-                orig = be32_to_cpu(*(u32*)(prop->data)) / 1000000;
+                freq = be32_to_cpu(*(u32 *)(prop->data));
                /* Patching .dtb in-place with new core clock value */
-                if (freq != orig ) {
+                if (freq != AXS103_QUAD_CORE_CPU_FREQ_HZ) {
-                        freq = cpu_to_be32(freq * 1000000);
+                        freq = cpu_to_be32(AXS103_QUAD_CORE_CPU_FREQ_HZ);
                        fdt_setprop_inplace(initial_boot_params, off,
-                                            "clock-frequency", &freq, sizeof(freq));
+                                            "assigned-clock-rates", &freq, sizeof(freq));
                }
        }
 #endif
diff --git a/arch/arc/plat-hsdk/platform.c b/arch/arc/plat-hsdk/platform.c
index fd0ae5e38639..2958aedb649a 100644
--- a/arch/arc/plat-hsdk/platform.c
+++ b/arch/arc/plat-hsdk/platform.c
@@ -38,42 +38,6 @@ static void __init hsdk_init_per_cpu(unsigned int cpu)
 #define CREG_PAE                (CREG_BASE + 0x180)
 #define CREG_PAE_UPDATE         (CREG_BASE + 0x194)
-#define CREG_CORE_IF_CLK_DIV    (CREG_BASE + 0x4B8)
-#define CREG_CORE_IF_CLK_DIV_2  0x1
-#define CGU_BASE                ARC_PERIPHERAL_BASE
-#define CGU_PLL_STATUS          (ARC_PERIPHERAL_BASE + 0x4)
-#define CGU_PLL_CTRL            (ARC_PERIPHERAL_BASE + 0x0)
-#define CGU_PLL_STATUS_LOCK     BIT(0)
-#define CGU_PLL_STATUS_ERR      BIT(1)
-#define CGU_PLL_CTRL_1GHZ       0x3A10
-#define HSDK_PLL_LOCK_TIMEOUT   500
-#define HSDK_PLL_LOCKED() \
-        !!(ioread32((void __iomem *) CGU_PLL_STATUS) & CGU_PLL_STATUS_LOCK)
-#define HSDK_PLL_ERR() \
-        !!(ioread32((void __iomem *) CGU_PLL_STATUS) & CGU_PLL_STATUS_ERR)
-static void __init hsdk_set_cpu_freq_1ghz(void)
-{
-        u32 timeout = HSDK_PLL_LOCK_TIMEOUT;
-        /*
-         * As we set cpu clock which exceeds 500MHz, the divider for the interface
-         * clock must be programmed to div-by-2.
-         */
-        iowrite32(CREG_CORE_IF_CLK_DIV_2, (void __iomem *) CREG_CORE_IF_CLK_DIV);
-        /* Set cpu clock to 1GHz */
-        iowrite32(CGU_PLL_CTRL_1GHZ, (void __iomem *) CGU_PLL_CTRL);
-        while (!HSDK_PLL_LOCKED() && timeout--)
-                cpu_relax();
-        if (!HSDK_PLL_LOCKED() || HSDK_PLL_ERR())
-                pr_err("Failed to setup CPU frequency to 1GHz!");
-}
 #define SDIO_BASE               (ARC_PERIPHERAL_BASE + 0xA000)
 #define SDIO_UHS_REG_EXT        (SDIO_BASE + 0x108)
 #define SDIO_UHS_REG_EXT_DIV_2  (2 << 30)
@@ -98,12 +62,6 @@ static void __init hsdk_init_early(void)
         * minimum possible div-by-2.
         */
        iowrite32(SDIO_UHS_REG_EXT_DIV_2, (void __iomem *) SDIO_UHS_REG_EXT);
-        /*
-         * Setup CPU frequency to 1GHz.
-         * TODO: remove it after smart hsdk pll driver will be introduced.
-         */
-        hsdk_set_cpu_freq_1ghz();
 }
 static const char *hsdk_compat[] __initconst = {
diff --git a/arch/arm/boot/dts/da850-lcdk.dts b/arch/arm/boot/dts/da850-lcdk.dts
index eed89e659143..a1f4d6d5a569 100644
--- a/arch/arm/boot/dts/da850-lcdk.dts
+++ b/arch/arm/boot/dts/da850-lcdk.dts
@@ -293,12 +293,12 @@
                                        label = "u-boot env";
                                        reg = <0 0x020000>;
                                };
-                                partition@0x020000 {
+                                partition@20000 {
                                        /* The LCDK defaults to booting from this partition */
                                        label = "u-boot";
                                        reg = <0x020000 0x080000>;
                                };
-                                partition@0x0a0000 {
+                                partition@a0000 {
                                        label = "free space";
                                        reg = <0x0a0000 0>;
                                };
diff --git a/arch/arm/boot/dts/kirkwood-openblocks_a7.dts b/arch/arm/boot/dts/kirkwood-openblocks_a7.dts
index cf2f5240e176..27cc913ca0f5 100644
--- a/arch/arm/boot/dts/kirkwood-openblocks_a7.dts
+++ b/arch/arm/boot/dts/kirkwood-openblocks_a7.dts
@@ -53,7 +53,8 @@
                };
                pinctrl: pin-controller@10000 {
-                        pinctrl-0 = <&pmx_dip_switches &pmx_gpio_header>;
+                        pinctrl-0 = <&pmx_dip_switches &pmx_gpio_header
+                                     &pmx_gpio_header_gpo>;
                        pinctrl-names = "default";
                        pmx_uart0: pmx-uart0 {
@@ -85,11 +86,16 @@
                         * ground.
                         */
                        pmx_gpio_header: pmx-gpio-header {
-                                marvell,pins = "mpp17", "mpp7", "mpp29", "mpp28",
+                                marvell,pins = "mpp17", "mpp29", "mpp28",
                                               "mpp35", "mpp34", "mpp40";
                                marvell,function = "gpio";
                        };
+                        pmx_gpio_header_gpo: pxm-gpio-header-gpo {
+                                marvell,pins = "mpp7";
+                                marvell,function = "gpo";
+                        };
                        pmx_gpio_init: pmx-init {
                                marvell,pins = "mpp38";
                                marvell,function = "gpio";
diff --git a/arch/arm/boot/dts/sun4i-a10.dtsi b/arch/arm/boot/dts/sun4i-a10.dtsi
index 5840f5c75c3b..4f2f2eea0755 100644
--- a/arch/arm/boot/dts/sun4i-a10.dtsi
+++ b/arch/arm/boot/dts/sun4i-a10.dtsi
@@ -1104,7 +1104,7 @@
                                        be1_out_tcon0: endpoint@0 {
                                                reg = <0>;
-                                                remote-endpoint = <&tcon1_in_be0>;
+                                                remote-endpoint = <&tcon0_in_be1>;
                                        };
                                        be1_out_tcon1: endpoint@1 {
diff --git a/arch/arm/boot/dts/sun7i-a20.dtsi b/arch/arm/boot/dts/sun7i-a20.dtsi
index 59655e42e4b0..bd0cd3204273 100644
--- a/arch/arm/boot/dts/sun7i-a20.dtsi
+++ b/arch/arm/boot/dts/sun7i-a20.dtsi
@@ -1354,7 +1354,7 @@
                                        be1_out_tcon0: endpoint@0 {
                                                reg = <0>;
-                                                remote-endpoint = <&tcon1_in_be0>;
+                                                remote-endpoint = <&tcon0_in_be1>;
                                        };
                                        be1_out_tcon1: endpoint@1 {
diff --git a/arch/arm/configs/sunxi_defconfig b/arch/arm/configs/sunxi_defconfig
index 5caaf971fb50..df433abfcb02 100644
--- a/arch/arm/configs/sunxi_defconfig
+++ b/arch/arm/configs/sunxi_defconfig
@@ -10,6 +10,7 @@ CONFIG_SMP=y
 CONFIG_NR_CPUS=8
 CONFIG_AEABI=y
 CONFIG_HIGHMEM=y
+CONFIG_CMA=y
 CONFIG_ARM_APPENDED_DTB=y
 CONFIG_ARM_ATAG_DTB_COMPAT=y
 CONFIG_CPU_FREQ=y
@@ -33,6 +34,7 @@ CONFIG_CAN_SUN4I=y
 # CONFIG_WIRELESS is not set
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DMA_CMA=y
 CONFIG_BLK_DEV_SD=y
 CONFIG_ATA=y
 CONFIG_AHCI_SUNXI=y
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index c199990e12b6..323a4df59a6c 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -27,14 +27,58 @@
 int bpf_jit_enable __read_mostly;
+/*
+ * eBPF prog stack layout:
+ *
+ *                         high
+ * original ARM_SP =>     +-----+
+ *                        |     | callee saved registers
+ *                        +-----+ <= (BPF_FP + SCRATCH_SIZE)
+ *                        | ... | eBPF JIT scratch space
+ * eBPF fp register =>    +-----+
+ *   (BPF_FP)             | ... | eBPF prog stack
+ *                        +-----+
+ *                        |RSVD | JIT scratchpad
+ * current ARM_SP =>      +-----+ <= (BPF_FP - STACK_SIZE + SCRATCH_SIZE)
+ *                        |     |
+ *                        | ... | Function call stack
+ *                        |     |
+ *                        +-----+
+ *                          low
+ *
+ * The callee saved registers depends on whether frame pointers are enabled.
+ * With frame pointers (to be compliant with the ABI):
+ *
+ *                                high
+ * original ARM_SP =>     +------------------+ \
+ *                        |        pc        | |
+ * current ARM_FP =>      +------------------+ } callee saved registers
+ *                        |r4-r8,r10,fp,ip,lr| |
+ *                        +------------------+ /
+ *                                low
+ *
+ * Without frame pointers:
+ *
+ *                                high
+ * original ARM_SP =>     +------------------+
+ *                        | r4-r8,r10,fp,lr  | callee saved registers
+ * current ARM_FP =>      +------------------+
+ *                                low
+ *
+ * When popping registers off the stack at the end of a BPF function, we
+ * reference them via the current ARM_FP register.
+ */
+#define CALLEE_MASK     (1 << ARM_R4 | 1 << ARM_R5 | 1 << ARM_R6 | \
+                         1 << ARM_R7 | 1 << ARM_R8 | 1 << ARM_R10 | \
+                         1 << ARM_FP)
+#define CALLEE_PUSH_MASK (CALLEE_MASK | 1 << ARM_LR)
+#define CALLEE_POP_MASK  (CALLEE_MASK | 1 << ARM_PC)
 #define STACK_OFFSET(k) (k)
 #define TMP_REG_1       (MAX_BPF_JIT_REG + 0)   /* TEMP Register 1 */
 #define TMP_REG_2       (MAX_BPF_JIT_REG + 1)   /* TEMP Register 2 */
 #define TCALL_CNT       (MAX_BPF_JIT_REG + 2)   /* Tail Call Count */
-/* Flags used for JIT optimization */
-#define SEEN_CALL       (1 << 0)
 #define FLAG_IMM_OVERFLOW       (1 << 0)
 /*
@@ -95,7 +139,6 @@ static const u8 bpf2a32[][2] = {
 * idx                  :       index of current last JITed instruction.
 * prologue_bytes       :       bytes used in prologue.
 * epilogue_offset      :       offset of epilogue starting.
- * seen                 :       bit mask used for JIT optimization.
 * offsets              :       array of eBPF instruction offsets in
 *                              JITed code.
 * target               :       final JITed code.
@@ -110,7 +153,6 @@ struct jit_ctx {
        unsigned int idx;
        unsigned int prologue_bytes;
        unsigned int epilogue_offset;
-        u32 seen;
        u32 flags;
        u32 *offsets;
        u32 *target;
@@ -179,8 +221,13 @@ static void jit_fill_hole(void *area, unsigned int size)
                *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
 }
-/* Stack must be multiples of 16 Bytes */
+#if defined(CONFIG_AEABI) && (__LINUX_ARM_ARCH__ >= 5)
-#define STACK_ALIGN(sz) (((sz) + 3) & ~3)
+/* EABI requires the stack to be aligned to 64-bit boundaries */
+#define STACK_ALIGNMENT 8
+#else
+/* Stack must be aligned to 32-bit boundaries */
+#define STACK_ALIGNMENT 4
+#endif
 /* Stack space for BPF_REG_2, BPF_REG_3, BPF_REG_4,
 * BPF_REG_5, BPF_REG_7, BPF_REG_8, BPF_REG_9,
@@ -194,7 +241,7 @@ static void jit_fill_hole(void *area, unsigned int size)
         + SCRATCH_SIZE + \
         + 4 /* extra for skb_copy_bits buffer */)
-#define STACK_SIZE STACK_ALIGN(_STACK_SIZE)
+#define STACK_SIZE ALIGN(_STACK_SIZE, STACK_ALIGNMENT)
 /* Get the offset of eBPF REGISTERs stored on scratch space. */
 #define STACK_VAR(off) (STACK_SIZE-off-4)
@@ -285,16 +332,19 @@ static inline void emit_mov_i(const u8 rd, u32 val, struct jit_ctx *ctx)
                emit_mov_i_no8m(rd, val, ctx);
 }
-static inline void emit_blx_r(u8 tgt_reg, struct jit_ctx *ctx)
+static void emit_bx_r(u8 tgt_reg, struct jit_ctx *ctx)
 {
-        ctx->seen |= SEEN_CALL;
-#if __LINUX_ARM_ARCH__ < 5
-        emit(ARM_MOV_R(ARM_LR, ARM_PC), ctx);
        if (elf_hwcap & HWCAP_THUMB)
                emit(ARM_BX(tgt_reg), ctx);
        else
                emit(ARM_MOV_R(ARM_PC, tgt_reg), ctx);
+}
+static inline void emit_blx_r(u8 tgt_reg, struct jit_ctx *ctx)
+{
+#if __LINUX_ARM_ARCH__ < 5
+        emit(ARM_MOV_R(ARM_LR, ARM_PC), ctx);
+        emit_bx_r(tgt_reg, ctx);
 #else
        emit(ARM_BLX_R(tgt_reg), ctx);
 #endif
@@ -354,7 +404,6 @@ static inline void emit_udivmod(u8 rd, u8 rm, u8 rn, struct jit_ctx *ctx, u8 op)
        }
        /* Call appropriate function */
-        ctx->seen |= SEEN_CALL;
        emit_mov_i(ARM_IP, op == BPF_DIV ?
                   (u32)jit_udiv32 : (u32)jit_mod32, ctx);
        emit_blx_r(ARM_IP, ctx);
@@ -620,8 +669,6 @@ static inline void emit_a32_lsh_r64(const u8 dst[], const u8 src[], bool dstk,
        /* Do LSH operation */
        emit(ARM_SUB_I(ARM_IP, rt, 32), ctx);
        emit(ARM_RSB_I(tmp2[0], rt, 32), ctx);
-        /* As we are using ARM_LR */
-        ctx->seen |= SEEN_CALL;
        emit(ARM_MOV_SR(ARM_LR, rm, SRTYPE_ASL, rt), ctx);
        emit(ARM_ORR_SR(ARM_LR, ARM_LR, rd, SRTYPE_ASL, ARM_IP), ctx);
        emit(ARM_ORR_SR(ARM_IP, ARM_LR, rd, SRTYPE_LSR, tmp2[0]), ctx);
@@ -656,8 +703,6 @@ static inline void emit_a32_arsh_r64(const u8 dst[], const u8 src[], bool dstk,
        /* Do the ARSH operation */
        emit(ARM_RSB_I(ARM_IP, rt, 32), ctx);
        emit(ARM_SUBS_I(tmp2[0], rt, 32), ctx);
-        /* As we are using ARM_LR */
-        ctx->seen |= SEEN_CALL;
        emit(ARM_MOV_SR(ARM_LR, rd, SRTYPE_LSR, rt), ctx);
        emit(ARM_ORR_SR(ARM_LR, ARM_LR, rm, SRTYPE_ASL, ARM_IP), ctx);
        _emit(ARM_COND_MI, ARM_B(0), ctx);
@@ -692,8 +737,6 @@ static inline void emit_a32_lsr_r64(const u8 dst[], const u8 src[], bool dstk,
        /* Do LSH operation */
        emit(ARM_RSB_I(ARM_IP, rt, 32), ctx);
        emit(ARM_SUBS_I(tmp2[0], rt, 32), ctx);
-        /* As we are using ARM_LR */
-        ctx->seen |= SEEN_CALL;
        emit(ARM_MOV_SR(ARM_LR, rd, SRTYPE_LSR, rt), ctx);
        emit(ARM_ORR_SR(ARM_LR, ARM_LR, rm, SRTYPE_ASL, ARM_IP), ctx);
        emit(ARM_ORR_SR(ARM_LR, ARM_LR, rm, SRTYPE_LSR, tmp2[0]), ctx);
@@ -828,8 +871,6 @@ static inline void emit_a32_mul_r64(const u8 dst[], const u8 src[], bool dstk,
        /* Do Multiplication */
        emit(ARM_MUL(ARM_IP, rd, rn), ctx);
        emit(ARM_MUL(ARM_LR, rm, rt), ctx);
-        /* As we are using ARM_LR */
-        ctx->seen |= SEEN_CALL;
        emit(ARM_ADD_R(ARM_LR, ARM_IP, ARM_LR), ctx);
        emit(ARM_UMULL(ARM_IP, rm, rd, rt), ctx);
@@ -872,33 +913,53 @@ static inline void emit_str_r(const u8 dst, const u8 src, bool dstk,
 }
 /* dst = *(size*)(src + off) */
-static inline void emit_ldx_r(const u8 dst, const u8 src, bool dstk,
+static inline void emit_ldx_r(const u8 dst[], const u8 src, bool dstk,
-                              const s32 off, struct jit_ctx *ctx, const u8 sz){
+                              s32 off, struct jit_ctx *ctx, const u8 sz){
        const u8 *tmp = bpf2a32[TMP_REG_1];
-        u8 rd = dstk ? tmp[1] : dst;
+        const u8 *rd = dstk ? tmp : dst;
        u8 rm = src;
+        s32 off_max;
-        if (off) {
+        if (sz == BPF_H)
+                off_max = 0xff;
+        else
+                off_max = 0xfff;
+        if (off < 0 || off > off_max) {
                emit_a32_mov_i(tmp[0], off, false, ctx);
                emit(ARM_ADD_R(tmp[0], tmp[0], src), ctx);
                rm = tmp[0];
+                off = 0;
+        } else if (rd[1] == rm) {
+                emit(ARM_MOV_R(tmp[0], rm), ctx);
+                rm = tmp[0];
        }
        switch (sz) {
-        case BPF_W:
+        case BPF_B:
-                /* Load a Word */
+                /* Load a Byte */
-                emit(ARM_LDR_I(rd, rm, 0), ctx);
+                emit(ARM_LDRB_I(rd[1], rm, off), ctx);
+                emit_a32_mov_i(dst[0], 0, dstk, ctx);
                break;
        case BPF_H:
                /* Load a HalfWord */
-                emit(ARM_LDRH_I(rd, rm, 0), ctx);
+                emit(ARM_LDRH_I(rd[1], rm, off), ctx);
+                emit_a32_mov_i(dst[0], 0, dstk, ctx);
                break;
-        case BPF_B:
+        case BPF_W:
-                /* Load a Byte */
+                /* Load a Word */
-                emit(ARM_LDRB_I(rd, rm, 0), ctx);
+                emit(ARM_LDR_I(rd[1], rm, off), ctx);
+                emit_a32_mov_i(dst[0], 0, dstk, ctx);
+                break;
+        case BPF_DW:
+                /* Load a Double Word */
+                emit(ARM_LDR_I(rd[1], rm, off), ctx);
+                emit(ARM_LDR_I(rd[0], rm, off + 4), ctx);
                break;
        }
        if (dstk)
-                emit(ARM_STR_I(rd, ARM_SP, STACK_VAR(dst)), ctx);
+                emit(ARM_STR_I(rd[1], ARM_SP, STACK_VAR(dst[1])), ctx);
+        if (dstk && sz == BPF_DW)
+                emit(ARM_STR_I(rd[0], ARM_SP, STACK_VAR(dst[0])), ctx);
 }
 /* Arithmatic Operation */
@@ -906,7 +967,6 @@ static inline void emit_ar_r(const u8 rd, const u8 rt, const u8 rm,
                             const u8 rn, struct jit_ctx *ctx, u8 op) {
        switch (op) {
        case BPF_JSET:
-                ctx->seen |= SEEN_CALL;
                emit(ARM_AND_R(ARM_IP, rt, rn), ctx);
                emit(ARM_AND_R(ARM_LR, rd, rm), ctx);
                emit(ARM_ORRS_R(ARM_IP, ARM_LR, ARM_IP), ctx);
@@ -945,7 +1005,7 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
        const u8 *tcc = bpf2a32[TCALL_CNT];
        const int idx0 = ctx->idx;
 #define cur_offset (ctx->idx - idx0)
-#define jmp_offset (out_offset - (cur_offset))
+#define jmp_offset (out_offset - (cur_offset) - 2)
        u32 off, lo, hi;
        /* if (index >= array->map.max_entries)
@@ -956,7 +1016,7 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
        emit_a32_mov_i(tmp[1], off, false, ctx);
        emit(ARM_LDR_I(tmp2[1], ARM_SP, STACK_VAR(r2[1])), ctx);
        emit(ARM_LDR_R(tmp[1], tmp2[1], tmp[1]), ctx);
-        /* index (64 bit) */
+        /* index is 32-bit for arrays */
        emit(ARM_LDR_I(tmp2[1], ARM_SP, STACK_VAR(r3[1])), ctx);
        /* index >= array->map.max_entries */
        emit(ARM_CMP_R(tmp2[1], tmp[1]), ctx);
@@ -997,7 +1057,7 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
        emit_a32_mov_i(tmp2[1], off, false, ctx);
        emit(ARM_LDR_R(tmp[1], tmp[1], tmp2[1]), ctx);
        emit(ARM_ADD_I(tmp[1], tmp[1], ctx->prologue_bytes), ctx);
-        emit(ARM_BX(tmp[1]), ctx);
+        emit_bx_r(tmp[1], ctx);
        /* out: */
        if (out_offset == -1)
@@ -1070,54 +1130,22 @@ static void build_prologue(struct jit_ctx *ctx)
        const u8 r2 = bpf2a32[BPF_REG_1][1];
        const u8 r3 = bpf2a32[BPF_REG_1][0];
        const u8 r4 = bpf2a32[BPF_REG_6][1];
-        const u8 r5 = bpf2a32[BPF_REG_6][0];
-        const u8 r6 = bpf2a32[TMP_REG_1][1];
-        const u8 r7 = bpf2a32[TMP_REG_1][0];
-        const u8 r8 = bpf2a32[TMP_REG_2][1];
-        const u8 r10 = bpf2a32[TMP_REG_2][0];
        const u8 fplo = bpf2a32[BPF_REG_FP][1];
        const u8 fphi = bpf2a32[BPF_REG_FP][0];
-        const u8 sp = ARM_SP;
        const u8 *tcc = bpf2a32[TCALL_CNT];
-        u16 reg_set = 0;
-        /*
-         * eBPF prog stack layout
-         *
-         *                         high
-         * original ARM_SP =>     +-----+ eBPF prologue
-         *                        |FP/LR|
-         * current ARM_FP =>      +-----+
-         *                        | ... | callee saved registers
-         * eBPF fp register =>    +-----+ <= (BPF_FP)
-         *                        | ... | eBPF JIT scratch space
-         *                        |     | eBPF prog stack
-         *                        +-----+
-         *                        |RSVD | JIT scratchpad
-         * current A64_SP =>      +-----+ <= (BPF_FP - STACK_SIZE)
-         *                        |     |
-         *                        | ... | Function call stack
-         *                        |     |
-         *                        +-----+
-         *                          low
-         */
        /* Save callee saved registers. */
-        reg_set |= (1<<r4) | (1<<r5) | (1<<r6) | (1<<r7) | (1<<r8) | (1<<r10);
 #ifdef CONFIG_FRAME_POINTER
-        reg_set |= (1<<ARM_FP) | (1<<ARM_IP) | (1<<ARM_LR) | (1<<ARM_PC);
+        u16 reg_set = CALLEE_PUSH_MASK | 1 << ARM_IP | 1 << ARM_PC;
-        emit(ARM_MOV_R(ARM_IP, sp), ctx);
+        emit(ARM_MOV_R(ARM_IP, ARM_SP), ctx);
        emit(ARM_PUSH(reg_set), ctx);
        emit(ARM_SUB_I(ARM_FP, ARM_IP, 4), ctx);
 #else
-        /* Check if call instruction exists in BPF body */
+        emit(ARM_PUSH(CALLEE_PUSH_MASK), ctx);
-        if (ctx->seen & SEEN_CALL)
+        emit(ARM_MOV_R(ARM_FP, ARM_SP), ctx);
-                reg_set |= (1<<ARM_LR);
-        emit(ARM_PUSH(reg_set), ctx);
 #endif
        /* Save frame pointer for later */
-        emit(ARM_SUB_I(ARM_IP, sp, SCRATCH_SIZE), ctx);
+        emit(ARM_SUB_I(ARM_IP, ARM_SP, SCRATCH_SIZE), ctx);
        ctx->stack_size = imm8m(STACK_SIZE);
@@ -1140,33 +1168,19 @@ static void build_prologue(struct jit_ctx *ctx)
        /* end of prologue */
 }
+/* restore callee saved registers. */
 static void build_epilogue(struct jit_ctx *ctx)
 {
-        const u8 r4 = bpf2a32[BPF_REG_6][1];
-        const u8 r5 = bpf2a32[BPF_REG_6][0];
-        const u8 r6 = bpf2a32[TMP_REG_1][1];
-        const u8 r7 = bpf2a32[TMP_REG_1][0];
-        const u8 r8 = bpf2a32[TMP_REG_2][1];
-        const u8 r10 = bpf2a32[TMP_REG_2][0];
-        u16 reg_set = 0;
-        /* unwind function call stack */
-        emit(ARM_ADD_I(ARM_SP, ARM_SP, ctx->stack_size), ctx);
-        /* restore callee saved registers. */
-        reg_set |= (1<<r4) | (1<<r5) | (1<<r6) | (1<<r7) | (1<<r8) | (1<<r10);
 #ifdef CONFIG_FRAME_POINTER
-        /* the first instruction of the prologue was: mov ip, sp */
+        /* When using frame pointers, some additional registers need to
-        reg_set |= (1<<ARM_FP) | (1<<ARM_SP) | (1<<ARM_PC);
+         * be loaded. */
+        u16 reg_set = CALLEE_POP_MASK | 1 << ARM_SP;
+        emit(ARM_SUB_I(ARM_SP, ARM_FP, hweight16(reg_set) * 4), ctx);
        emit(ARM_LDM(ARM_SP, reg_set), ctx);
 #else
-        if (ctx->seen & SEEN_CALL)
-                reg_set |= (1<<ARM_PC);
        /* Restore callee saved registers. */
-        emit(ARM_POP(reg_set), ctx);
+        emit(ARM_MOV_R(ARM_SP, ARM_FP), ctx);
-        /* Return back to the callee function */
+        emit(ARM_POP(CALLEE_POP_MASK), ctx);
-        if (!(ctx->seen & SEEN_CALL))
-                emit(ARM_BX(ARM_LR), ctx);
 #endif
 }
@@ -1394,8 +1408,6 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
                        emit_rev32(rt, rt, ctx);
                        goto emit_bswap_uxt;
                case 64:
-                        /* Because of the usage of ARM_LR */
-                        ctx->seen |= SEEN_CALL;
                        emit_rev32(ARM_LR, rt, ctx);
                        emit_rev32(rt, rd, ctx);
                        emit(ARM_MOV_R(rd, ARM_LR), ctx);
@@ -1448,22 +1460,7 @@ exit:
                rn = sstk ? tmp2[1] : src_lo;
                if (sstk)
                        emit(ARM_LDR_I(rn, ARM_SP, STACK_VAR(src_lo)), ctx);
-                switch (BPF_SIZE(code)) {
+                emit_ldx_r(dst, rn, dstk, off, ctx, BPF_SIZE(code));
-                case BPF_W:
-                        /* Load a Word */
-                case BPF_H:
-                        /* Load a Half-Word */
-                case BPF_B:
-                        /* Load a Byte */
-                        emit_ldx_r(dst_lo, rn, dstk, off, ctx, BPF_SIZE(code));
-                        emit_a32_mov_i(dst_hi, 0, dstk, ctx);
-                        break;
-                case BPF_DW:
-                        /* Load a double word */
-                        emit_ldx_r(dst_lo, rn, dstk, off, ctx, BPF_W);
-                        emit_ldx_r(dst_hi, rn, dstk, off+4, ctx, BPF_W);
-                        break;
-                }
                break;
        /* R0 = ntohx(*(size *)(((struct sk_buff *)R6)->data + imm)) */
        case BPF_LD | BPF_ABS | BPF_W:
diff --git a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
index 7c9bdc7ab50b..9db19314c60c 100644
--- a/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
+++ b/arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi
@@ -66,6 +66,7 @@
                                     <&cpu1>,
                                     <&cpu2>,
                                     <&cpu3>;
+                interrupt-parent = <&intc>;
        };
        psci {
diff --git a/arch/arm64/boot/dts/marvell/armada-cp110-master.dtsi b/arch/arm64/boot/dts/marvell/armada-cp110-master.dtsi
index e3b64d03fbd8..9c7724e82aff 100644
--- a/arch/arm64/boot/dts/marvell/armada-cp110-master.dtsi
+++ b/arch/arm64/boot/dts/marvell/armada-cp110-master.dtsi
@@ -63,8 +63,10 @@
                        cpm_ethernet: ethernet@0 {
                                compatible = "marvell,armada-7k-pp22";
                                reg = <0x0 0x100000>, <0x129000 0xb000>;
-                                clocks = <&cpm_clk 1 3>, <&cpm_clk 1 9>, <&cpm_clk 1 5>;
+                                clocks = <&cpm_clk 1 3>, <&cpm_clk 1 9>,
-                                clock-names = "pp_clk", "gop_clk", "mg_clk";
+                                         <&cpm_clk 1 5>, <&cpm_clk 1 18>;
+                                clock-names = "pp_clk", "gop_clk",
+                                              "mg_clk","axi_clk";
                                marvell,system-controller = <&cpm_syscon0>;
                                status = "disabled";
                                dma-coherent;
@@ -155,7 +157,8 @@
                                #size-cells = <0>;
                                compatible = "marvell,orion-mdio";
                                reg = <0x12a200 0x10>;
-                                clocks = <&cpm_clk 1 9>, <&cpm_clk 1 5>;
+                                clocks = <&cpm_clk 1 9>, <&cpm_clk 1 5>,
+                                         <&cpm_clk 1 6>, <&cpm_clk 1 18>;
                                status = "disabled";
                        };
@@ -338,8 +341,8 @@
                                compatible = "marvell,armada-cp110-sdhci";
                                reg = <0x780000 0x300>;
                                interrupts = <ICU_GRP_NSR 27 IRQ_TYPE_LEVEL_HIGH>;
-                                clock-names = "core";
+                                clock-names = "core","axi";
-                                clocks = <&cpm_clk 1 4>;
+                                clocks = <&cpm_clk 1 4>, <&cpm_clk 1 18>;
                                dma-coherent;
                                status = "disabled";
                        };
diff --git a/arch/arm64/boot/dts/marvell/armada-cp110-slave.dtsi b/arch/arm64/boot/dts/marvell/armada-cp110-slave.dtsi
index 0d51096c69f8..87ac68b2cf37 100644
--- a/arch/arm64/boot/dts/marvell/armada-cp110-slave.dtsi
+++ b/arch/arm64/boot/dts/marvell/armada-cp110-slave.dtsi
@@ -63,8 +63,10 @@
                        cps_ethernet: ethernet@0 {
                                compatible = "marvell,armada-7k-pp22";
                                reg = <0x0 0x100000>, <0x129000 0xb000>;
-                                clocks = <&cps_clk 1 3>, <&cps_clk 1 9>, <&cps_clk 1 5>;
+                                clocks = <&cps_clk 1 3>, <&cps_clk 1 9>,
-                                clock-names = "pp_clk", "gop_clk", "mg_clk";
+                                         <&cps_clk 1 5>, <&cps_clk 1 18>;
+                                clock-names = "pp_clk", "gop_clk",
+                                              "mg_clk", "axi_clk";
                                marvell,system-controller = <&cps_syscon0>;
                                status = "disabled";
                                dma-coherent;
@@ -155,7 +157,8 @@
                                #size-cells = <0>;
                                compatible = "marvell,orion-mdio";
                                reg = <0x12a200 0x10>;
-                                clocks = <&cps_clk 1 9>, <&cps_clk 1 5>;
+                                clocks = <&cps_clk 1 9>, <&cps_clk 1 5>,
+                                         <&cps_clk 1 6>, <&cps_clk 1 18>;
                                status = "disabled";
                        };
diff --git a/arch/arm64/kvm/handle_exit.c b/arch/arm64/kvm/handle_exit.c
index 304203fa9e33..e60494f1eef9 100644
--- a/arch/arm64/kvm/handle_exit.c
+++ b/arch/arm64/kvm/handle_exit.c
@@ -45,7 +45,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
        ret = kvm_psci_call(vcpu);
        if (ret < 0) {
-                kvm_inject_undefined(vcpu);
+                vcpu_set_reg(vcpu, 0, ~0UL);
                return 1;
        }
@@ -54,7 +54,7 @@ static int handle_hvc(struct kvm_vcpu *vcpu, struct kvm_run *run)
 static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run)
 {
-        kvm_inject_undefined(vcpu);
+        vcpu_set_reg(vcpu, 0, ~0UL);
        return 1;
 }
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index ba38d403abb2..bb32f7f6dd0f 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -148,7 +148,8 @@ static inline int epilogue_offset(const struct jit_ctx *ctx)
 /* Stack must be multiples of 16B */
 #define STACK_ALIGN(sz) (((sz) + 15) & ~15)
-#define PROLOGUE_OFFSET 8
+/* Tail call offset to jump into */
+#define PROLOGUE_OFFSET 7
 static int build_prologue(struct jit_ctx *ctx)
 {
@@ -200,19 +201,19 @@ static int build_prologue(struct jit_ctx *ctx)
        /* Initialize tail_call_cnt */
        emit(A64_MOVZ(1, tcc, 0, 0), ctx);
-        /* 4 byte extra for skb_copy_bits buffer */
-        ctx->stack_size = prog->aux->stack_depth + 4;
-        ctx->stack_size = STACK_ALIGN(ctx->stack_size);
-        /* Set up function call stack */
-        emit(A64_SUB_I(1, A64_SP, A64_SP, ctx->stack_size), ctx);
        cur_offset = ctx->idx - idx0;
        if (cur_offset != PROLOGUE_OFFSET) {
                pr_err_once("PROLOGUE_OFFSET = %d, expected %d!\n",
                            cur_offset, PROLOGUE_OFFSET);
                return -1;
        }
+        /* 4 byte extra for skb_copy_bits buffer */
+        ctx->stack_size = prog->aux->stack_depth + 4;
+        ctx->stack_size = STACK_ALIGN(ctx->stack_size);
+        /* Set up function call stack */
+        emit(A64_SUB_I(1, A64_SP, A64_SP, ctx->stack_size), ctx);
        return 0;
 }
@@ -260,11 +261,12 @@ static int emit_bpf_tail_call(struct jit_ctx *ctx)
        emit(A64_LDR64(prg, tmp, prg), ctx);
        emit(A64_CBZ(1, prg, jmp_offset), ctx);
-        /* goto *(prog->bpf_func + prologue_size); */
+        /* goto *(prog->bpf_func + prologue_offset); */
        off = offsetof(struct bpf_prog, bpf_func);
        emit_a64_mov_i64(tmp, off, ctx);
        emit(A64_LDR64(tmp, prg, tmp), ctx);
        emit(A64_ADD_I(1, tmp, tmp, sizeof(u32) * PROLOGUE_OFFSET), ctx);
+        emit(A64_ADD_I(1, A64_SP, A64_SP, ctx->stack_size), ctx);
        emit(A64_BR(tmp), ctx);
        /* out: */
diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h
index 28e02c99be6d..762eeb0fcc1d 100644
--- a/arch/ia64/include/asm/atomic.h
+++ b/arch/ia64/include/asm/atomic.h
@@ -65,29 +65,30 @@ ia64_atomic_fetch_##op (int i, atomic_t *v)				\
 ATOMIC_OPS(add, +)
 ATOMIC_OPS(sub, -)
-#define atomic_add_return(i,v)                                          \
+#ifdef __OPTIMIZE__
+#define __ia64_atomic_const(i)  __builtin_constant_p(i) ?               \
+                ((i) == 1 || (i) == 4 || (i) == 8 || (i) == 16 ||       \
+                 (i) == -1 || (i) == -4 || (i) == -8 || (i) == -16) : 0
+#define atomic_add_return(i, v)                                         \
 ({                                                                      \
-        int __ia64_aar_i = (i);                                         \
+        int __i = (i);                                                  \
-        (__builtin_constant_p(i)                                        \
+        static const int __ia64_atomic_p = __ia64_atomic_const(i);      \
-         && (   (__ia64_aar_i ==  1) || (__ia64_aar_i ==   4)           \
+        __ia64_atomic_p ? ia64_fetch_and_add(__i, &(v)->counter) :      \
-             || (__ia64_aar_i ==  8) || (__ia64_aar_i ==  16)           \
+                                ia64_atomic_add(__i, v);                \
-             || (__ia64_aar_i == -1) || (__ia64_aar_i ==  -4)           \
-             || (__ia64_aar_i == -8) || (__ia64_aar_i == -16)))         \
-                ? ia64_fetch_and_add(__ia64_aar_i, &(v)->counter)       \
-                : ia64_atomic_add(__ia64_aar_i, v);                     \
 })
-#define atomic_sub_return(i,v)                                          \
+#define atomic_sub_return(i, v)                                         \
 ({                                                                      \
-        int __ia64_asr_i = (i);                                         \
+        int __i = (i);                                                  \
-        (__builtin_constant_p(i)                                        \
+        static const int __ia64_atomic_p = __ia64_atomic_const(i);      \
-         && (   (__ia64_asr_i ==   1) || (__ia64_asr_i ==   4)          \
+        __ia64_atomic_p ? ia64_fetch_and_add(-__i, &(v)->counter) :     \
-             || (__ia64_asr_i ==   8) || (__ia64_asr_i ==  16)          \
+                                ia64_atomic_sub(__i, v);                \
-             || (__ia64_asr_i ==  -1) || (__ia64_asr_i ==  -4)          \
-             || (__ia64_asr_i ==  -8) || (__ia64_asr_i == -16)))        \
-                ? ia64_fetch_and_add(-__ia64_asr_i, &(v)->counter)      \
-                : ia64_atomic_sub(__ia64_asr_i, v);                     \
 })
+#else
+#define atomic_add_return(i, v) ia64_atomic_add(i, v)
+#define atomic_sub_return(i, v) ia64_atomic_sub(i, v)
+#endif
 #define atomic_fetch_add(i,v)                                           \
 ({                                                                      \
diff --git a/arch/ia64/kernel/time.c b/arch/ia64/kernel/time.c
index c6ecb97151a2..9025699049ca 100644
--- a/arch/ia64/kernel/time.c
+++ b/arch/ia64/kernel/time.c
@@ -88,7 +88,7 @@ void vtime_flush(struct task_struct *tsk)
        }
        if (ti->softirq_time) {
-                delta = cycle_to_nsec(ti->softirq_time));
+                delta = cycle_to_nsec(ti->softirq_time);
                account_system_index_time(tsk, delta, CPUTIME_SOFTIRQ);
        }
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index 350a990fc719..8e0b3702f1c0 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -259,6 +259,7 @@ config BCM47XX
        select LEDS_GPIO_REGISTER
        select BCM47XX_NVRAM
        select BCM47XX_SPROM
+        select BCM47XX_SSB if !BCM47XX_BCMA
        help
         Support for BCM47XX based boards
@@ -389,6 +390,7 @@ config LANTIQ
        select SYS_SUPPORTS_32BIT_KERNEL
        select SYS_SUPPORTS_MIPS16
        select SYS_SUPPORTS_MULTITHREADING
+        select SYS_SUPPORTS_VPE_LOADER
        select SYS_HAS_EARLY_PRINTK
        select GPIOLIB
        select SWAP_IO_SPACE
@@ -516,6 +518,7 @@ config MIPS_MALTA
        select SYS_SUPPORTS_MIPS16
        select SYS_SUPPORTS_MULTITHREADING
        select SYS_SUPPORTS_SMARTMIPS
+        select SYS_SUPPORTS_VPE_LOADER
        select SYS_SUPPORTS_ZBOOT
        select SYS_SUPPORTS_RELOCATABLE
        select USE_OF
@@ -2281,9 +2284,16 @@ config MIPSR2_TO_R6_EMULATOR
          The only reason this is a build-time option is to save ~14K from the
          final kernel image.
+config SYS_SUPPORTS_VPE_LOADER
+        bool
+        depends on SYS_SUPPORTS_MULTITHREADING
+        help
+          Indicates that the platform supports the VPE loader, and provides
+          physical_memsize.
 config MIPS_VPE_LOADER
        bool "VPE loader support."
-        depends on SYS_SUPPORTS_MULTITHREADING && MODULES
+        depends on SYS_SUPPORTS_VPE_LOADER && MODULES
        select CPU_MIPSR2_IRQ_VI
        select CPU_MIPSR2_IRQ_EI
        select MIPS_MT
diff --git a/arch/mips/Kconfig.debug b/arch/mips/Kconfig.debug
index 464af5e025d6..0749c3724543 100644
--- a/arch/mips/Kconfig.debug
+++ b/arch/mips/Kconfig.debug
@@ -124,30 +124,36 @@ config SCACHE_DEBUGFS
          If unsure, say N.
-menuconfig MIPS_CPS_NS16550
+menuconfig MIPS_CPS_NS16550_BOOL
        bool "CPS SMP NS16550 UART output"
        depends on MIPS_CPS
        help
          Output debug information via an ns16550 compatible UART if exceptions
          occur early in the boot process of a secondary core.
-if MIPS_CPS_NS16550
+if MIPS_CPS_NS16550_BOOL
+config MIPS_CPS_NS16550
+        def_bool MIPS_CPS_NS16550_BASE != 0
 config MIPS_CPS_NS16550_BASE
        hex "UART Base Address"
        default 0x1b0003f8 if MIPS_MALTA
+        default 0
        help
          The base address of the ns16550 compatible UART on which to output
          debug information from the early stages of core startup.
+          This is only used if non-zero.
 config MIPS_CPS_NS16550_SHIFT
        int "UART Register Shift"
-        default 0 if MIPS_MALTA
+        default 0
        help
          The number of bits to shift ns16550 register indices by in order to
          form their addresses. That is, log base 2 of the span between
          adjacent ns16550 registers in the system.
-endif # MIPS_CPS_NS16550
+endif # MIPS_CPS_NS16550_BOOL
 endmenu
diff --git a/arch/mips/ar7/platform.c b/arch/mips/ar7/platform.c
index 4674f1efbe7a..e1675c25d5d4 100644
--- a/arch/mips/ar7/platform.c
+++ b/arch/mips/ar7/platform.c
@@ -575,7 +575,7 @@ static int __init ar7_register_uarts(void)
        uart_port.type          = PORT_AR7;
        uart_port.uartclk       = clk_get_rate(bus_clk) / 2;
        uart_port.iotype        = UPIO_MEM32;
-        uart_port.flags         = UPF_FIXED_TYPE;
+        uart_port.flags         = UPF_FIXED_TYPE | UPF_BOOT_AUTOCONF;
        uart_port.regshift      = 2;
        uart_port.line          = 0;
diff --git a/arch/mips/ath25/devices.c b/arch/mips/ath25/devices.c
index e1156347da53..301a9028273c 100644
--- a/arch/mips/ath25/devices.c
+++ b/arch/mips/ath25/devices.c
@@ -73,6 +73,7 @@ const char *get_system_type(void)
 void __init ath25_serial_setup(u32 mapbase, int irq, unsigned int uartclk)
 {
+#ifdef CONFIG_SERIAL_8250_CONSOLE
        struct uart_port s;
        memset(&s, 0, sizeof(s));
@@ -85,6 +86,7 @@ void __init ath25_serial_setup(u32 mapbase, int irq, unsigned int uartclk)
        s.uartclk = uartclk;
        early_serial_setup(&s);
+#endif /* CONFIG_SERIAL_8250_CONSOLE */
 }
 int __init ath25_add_wmac(int nr, u32 base, int irq)
diff --git a/arch/mips/kernel/cps-vec.S b/arch/mips/kernel/cps-vec.S
index c7ed26029cbb..e68e6e04063a 100644
--- a/arch/mips/kernel/cps-vec.S
+++ b/arch/mips/kernel/cps-vec.S
@@ -235,6 +235,7 @@ LEAF(mips_cps_core_init)
        has_mt  t0, 3f
        .set    push
+        .set    MIPS_ISA_LEVEL_RAW
        .set    mt
        /* Only allow 1 TC per VPE to execute... */
@@ -388,6 +389,7 @@ LEAF(mips_cps_boot_vpes)
 #elif defined(CONFIG_MIPS_MT)
        .set    push
+        .set    MIPS_ISA_LEVEL_RAW
        .set    mt
        /* If the core doesn't support MT then return */
diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
index dd5567b1e305..8f5bd04f320a 100644
--- a/arch/mips/kernel/mips-cm.c
+++ b/arch/mips/kernel/mips-cm.c
@@ -292,7 +292,6 @@ void mips_cm_lock_other(unsigned int cluster, unsigned int core,
                                  *this_cpu_ptr(&cm_core_lock_flags));
        } else {
                WARN_ON(cluster != 0);
-                WARN_ON(vp != 0);
                WARN_ON(block != CM_GCR_Cx_OTHER_BLOCK_LOCAL);
                /*
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index 45d0b6b037ee..57028d49c202 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -705,6 +705,18 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
        struct task_struct *t;
        int max_users;
+        /* If nothing to change, return right away, successfully.  */
+        if (value == mips_get_process_fp_mode(task))
+                return 0;
+        /* Only accept a mode change if 64-bit FP enabled for o32.  */
+        if (!IS_ENABLED(CONFIG_MIPS_O32_FP64_SUPPORT))
+                return -EOPNOTSUPP;
+        /* And only for o32 tasks.  */
+        if (IS_ENABLED(CONFIG_64BIT) && !test_thread_flag(TIF_32BIT_REGS))
+                return -EOPNOTSUPP;
        /* Check the value is valid */
        if (value & ~known_bits)
                return -EOPNOTSUPP;
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index efbd8df8b665..0b23b1ad99e6 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -419,63 +419,160 @@ static int gpr64_set(struct task_struct *target,
 #endif /* CONFIG_64BIT */
+/*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
+ * !CONFIG_CPU_HAS_MSA variant.  FP context's general register slots
+ * correspond 1:1 to buffer slots.  Only general registers are copied.
+ */
+static int fpr_get_fpa(struct task_struct *target,
+                       unsigned int *pos, unsigned int *count,
+                       void **kbuf, void __user **ubuf)
+{
+        return user_regset_copyout(pos, count, kbuf, ubuf,
+                                   &target->thread.fpu,
+                                   0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
+}
+/*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer,
+ * CONFIG_CPU_HAS_MSA variant.  Only lower 64 bits of FP context's
+ * general register slots are copied to buffer slots.  Only general
+ * registers are copied.
+ */
+static int fpr_get_msa(struct task_struct *target,
+                       unsigned int *pos, unsigned int *count,
+                       void **kbuf, void __user **ubuf)
+{
+        unsigned int i;
+        u64 fpr_val;
+        int err;
+        BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
+        for (i = 0; i < NUM_FPU_REGS; i++) {
+                fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
+                err = user_regset_copyout(pos, count, kbuf, ubuf,
+                                          &fpr_val, i * sizeof(elf_fpreg_t),
+                                          (i + 1) * sizeof(elf_fpreg_t));
+                if (err)
+                        return err;
+        }
+        return 0;
+}
+/*
+ * Copy the floating-point context to the supplied NT_PRFPREG buffer.
+ * Choose the appropriate helper for general registers, and then copy
+ * the FCSR register separately.
+ */
 static int fpr_get(struct task_struct *target,
                   const struct user_regset *regset,
                   unsigned int pos, unsigned int count,
                   void *kbuf, void __user *ubuf)
 {
-        unsigned i;
+        const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
        int err;
-        u64 fpr_val;
-        /* XXX fcr31  */
+        if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
+                err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf);
+        else
+                err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf);
+        if (err)
+                return err;
-        if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
+        err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
-                return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+                                  &target->thread.fpu.fcr31,
-                                           &target->thread.fpu,
+                                  fcr31_pos, fcr31_pos + sizeof(u32));
-                                           0, sizeof(elf_fpregset_t));
-        for (i = 0; i < NUM_FPU_REGS; i++) {
+        return err;
-                fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
+}
-                err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
-                                          &fpr_val, i * sizeof(elf_fpreg_t),
+/*
-                                          (i + 1) * sizeof(elf_fpreg_t));
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
+ * !CONFIG_CPU_HAS_MSA variant.   Buffer slots correspond 1:1 to FP
+ * context's general register slots.  Only general registers are copied.
+ */
+static int fpr_set_fpa(struct task_struct *target,
+                       unsigned int *pos, unsigned int *count,
+                       const void **kbuf, const void __user **ubuf)
+{
+        return user_regset_copyin(pos, count, kbuf, ubuf,
+                                  &target->thread.fpu,
+                                  0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
+}
+/*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context,
+ * CONFIG_CPU_HAS_MSA variant.  Buffer slots are copied to lower 64
+ * bits only of FP context's general register slots.  Only general
+ * registers are copied.
+ */
+static int fpr_set_msa(struct task_struct *target,
+                       unsigned int *pos, unsigned int *count,
+                       const void **kbuf, const void __user **ubuf)
+{
+        unsigned int i;
+        u64 fpr_val;
+        int err;
+        BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
+        for (i = 0; i < NUM_FPU_REGS && *count > 0; i++) {
+                err = user_regset_copyin(pos, count, kbuf, ubuf,
+                                         &fpr_val, i * sizeof(elf_fpreg_t),
+                                         (i + 1) * sizeof(elf_fpreg_t));
                if (err)
                        return err;
+                set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val);
        }
        return 0;
 }
+/*
+ * Copy the supplied NT_PRFPREG buffer to the floating-point context.
+ * Choose the appropriate helper for general registers, and then copy
+ * the FCSR register separately.
+ *
+ * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
+ * which is supposed to have been guaranteed by the kernel before
+ * calling us, e.g. in `ptrace_regset'.  We enforce that requirement,
+ * so that we can safely avoid preinitializing temporaries for
+ * partial register writes.
+ */
 static int fpr_set(struct task_struct *target,
                   const struct user_regset *regset,
                   unsigned int pos, unsigned int count,
                   const void *kbuf, const void __user *ubuf)
 {
-        unsigned i;
+        const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
+        u32 fcr31;
        int err;
-        u64 fpr_val;
-        /* XXX fcr31  */
+        BUG_ON(count % sizeof(elf_fpreg_t));
+        if (pos + count > sizeof(elf_fpregset_t))
+                return -EIO;
        init_fp_ctx(target);
-        if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
+        if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
-                return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
+                err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf);
-                                          &target->thread.fpu,
+        else
-                                          0, sizeof(elf_fpregset_t));
+                err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf);
+        if (err)
+                return err;
-        BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
+        if (count > 0) {
-        for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) {
                err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-                                         &fpr_val, i * sizeof(elf_fpreg_t),
+                                         &fcr31,
-                                         (i + 1) * sizeof(elf_fpreg_t));
+                                         fcr31_pos, fcr31_pos + sizeof(u32));
                if (err)
                        return err;
-                set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val);
+                ptrace_setfcr31(target, fcr31);
        }
-        return 0;
+        return err;
 }
 enum mips_regset {
diff --git a/arch/mips/lib/Makefile b/arch/mips/lib/Makefile
index 78c2affeabf8..e84e12655fa8 100644
--- a/arch/mips/lib/Makefile
+++ b/arch/mips/lib/Makefile
@@ -16,4 +16,5 @@ obj-$(CONFIG_CPU_R3000)		+= r3k_dump_tlb.o
 obj-$(CONFIG_CPU_TX39XX)        += r3k_dump_tlb.o
 # libgcc-style stuff needed in the kernel
-obj-y += ashldi3.o ashrdi3.o bswapsi.o bswapdi.o cmpdi2.o lshrdi3.o ucmpdi2.o
+obj-y += ashldi3.o ashrdi3.o bswapsi.o bswapdi.o cmpdi2.o lshrdi3.o multi3.o \
+         ucmpdi2.o
diff --git a/arch/mips/lib/libgcc.h b/arch/mips/lib/libgcc.h
index 28002ed90c2c..199a7f96282f 100644
--- a/arch/mips/lib/libgcc.h
+++ b/arch/mips/lib/libgcc.h
@@ -10,10 +10,18 @@ typedef int word_type __attribute__ ((mode (__word__)));
 struct DWstruct {
        int high, low;
 };
+struct TWstruct {
+        long long high, low;
+};
 #elif defined(__LITTLE_ENDIAN)
 struct DWstruct {
        int low, high;
 };
+struct TWstruct {
+        long long low, high;
+};
 #else
 #error I feel sick.
 #endif
@@ -23,4 +31,13 @@ typedef union {
        long long ll;
 } DWunion;
+#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6)
+typedef int ti_type __attribute__((mode(TI)));
+typedef union {
+        struct TWstruct s;
+        ti_type ti;
+} TWunion;
+#endif
 #endif /* __ASM_LIBGCC_H */
diff --git a/arch/mips/lib/multi3.c b/arch/mips/lib/multi3.c
new file mode 100644
index 000000000000..111ad475aa0c
--- /dev/null
+++ b/arch/mips/lib/multi3.c
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/export.h>
+#include "libgcc.h"
+/*
+ * GCC 7 suboptimally generates __multi3 calls for mips64r6, so for that
+ * specific case only we'll implement it here.
+ *
+ * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82981
+ */
+#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ == 7)
+/* multiply 64-bit values, low 64-bits returned */
+static inline long long notrace dmulu(long long a, long long b)
+{
+        long long res;
+        asm ("dmulu %0,%1,%2" : "=r" (res) : "r" (a), "r" (b));
+        return res;
+}
+/* multiply 64-bit unsigned values, high 64-bits of 128-bit result returned */
+static inline long long notrace dmuhu(long long a, long long b)
+{
+        long long res;
+        asm ("dmuhu %0,%1,%2" : "=r" (res) : "r" (a), "r" (b));
+        return res;
+}
+/* multiply 128-bit values, low 128-bits returned */
+ti_type notrace __multi3(ti_type a, ti_type b)
+{
+        TWunion res, aa, bb;
+        aa.ti = a;
+        bb.ti = b;
+        /*
+         * a * b =           (a.lo * b.lo)
+         *         + 2^64  * (a.hi * b.lo + a.lo * b.hi)
+         *        [+ 2^128 * (a.hi * b.hi)]
+         */
+        res.s.low = dmulu(aa.s.low, bb.s.low);
+        res.s.high = dmuhu(aa.s.low, bb.s.low);
+        res.s.high += dmulu(aa.s.high, bb.s.low);
+        res.s.high += dmulu(aa.s.low, bb.s.high);
+        return res.ti;
+}
+EXPORT_SYMBOL(__multi3);
+#endif /* 64BIT && CPU_MIPSR6 && GCC7 */
diff --git a/arch/mips/mm/uasm-micromips.c b/arch/mips/mm/uasm-micromips.c
index cdb5a191b9d5..9bb6baa45da3 100644
--- a/arch/mips/mm/uasm-micromips.c
+++ b/arch/mips/mm/uasm-micromips.c
@@ -40,7 +40,7 @@
 #include "uasm.c"
-static const struct insn const insn_table_MM[insn_invalid] = {
+static const struct insn insn_table_MM[insn_invalid] = {
        [insn_addu]     = {M(mm_pool32a_op, 0, 0, 0, 0, mm_addu32_op), RT | RS | RD},
        [insn_addiu]    = {M(mm_addiu32_op, 0, 0, 0, 0, 0), RT | RS | SIMM},
        [insn_and]      = {M(mm_pool32a_op, 0, 0, 0, 0, mm_and_op), RT | RS | RD},
diff --git a/arch/mips/ralink/timer.c b/arch/mips/ralink/timer.c
index d4469b20d176..4f46a4509f79 100644
--- a/arch/mips/ralink/timer.c
+++ b/arch/mips/ralink/timer.c
@@ -109,9 +109,9 @@ static int rt_timer_probe(struct platform_device *pdev)
        }
        rt->irq = platform_get_irq(pdev, 0);
-        if (!rt->irq) {
+        if (rt->irq < 0) {
                dev_err(&pdev->dev, "failed to load irq\n");
-                return -ENOENT;
+                return rt->irq;
        }
        rt->membase = devm_ioremap_resource(&pdev->dev, res);
diff --git a/arch/mips/rb532/Makefile b/arch/mips/rb532/Makefile
index efdecdb6e3ea..8186afca2234 100644
--- a/arch/mips/rb532/Makefile
+++ b/arch/mips/rb532/Makefile
@@ -2,4 +2,6 @@
 # Makefile for the RB532 board specific parts of the kernel
 #
-obj-y    += irq.o time.o setup.o serial.o prom.o gpio.o devices.o
+obj-$(CONFIG_SERIAL_8250_CONSOLE) += serial.o
+obj-y    += irq.o time.o setup.o prom.o gpio.o devices.o
diff --git a/arch/mips/rb532/devices.c b/arch/mips/rb532/devices.c
index 32ea3e6731d6..354d258396ff 100644
--- a/arch/mips/rb532/devices.c
+++ b/arch/mips/rb532/devices.c
@@ -310,6 +310,8 @@ static int __init plat_setup_devices(void)
        return platform_add_devices(rb532_devs, ARRAY_SIZE(rb532_devs));
 }
+#ifdef CONFIG_NET
 static int __init setup_kmac(char *s)
 {
        printk(KERN_INFO "korina mac = %s\n", s);
@@ -322,4 +324,6 @@ static int __init setup_kmac(char *s)
 __setup("kmac=", setup_kmac);
+#endif /* CONFIG_NET */
 arch_initcall(plat_setup_devices);
diff --git a/arch/parisc/include/asm/ldcw.h b/arch/parisc/include/asm/ldcw.h
index dd5a08aaa4da..3eb4bfc1fb36 100644
--- a/arch/parisc/include/asm/ldcw.h
+++ b/arch/parisc/include/asm/ldcw.h
@@ -12,6 +12,7 @@
   for the semaphore.  */
 #define __PA_LDCW_ALIGNMENT     16
+#define __PA_LDCW_ALIGN_ORDER   4
 #define __ldcw_align(a) ({                                      \
        unsigned long __ret = (unsigned long) &(a)->lock[0];    \
        __ret = (__ret + __PA_LDCW_ALIGNMENT - 1)               \
@@ -29,6 +30,7 @@
   ldcd). */
 #define __PA_LDCW_ALIGNMENT     4
+#define __PA_LDCW_ALIGN_ORDER   2
 #define __ldcw_align(a) (&(a)->slock)
 #define __LDCW  "ldcw,co"
diff --git a/arch/parisc/kernel/drivers.c b/arch/parisc/kernel/drivers.c
index d8f77358e2ba..29b99b8964aa 100644
--- a/arch/parisc/kernel/drivers.c
+++ b/arch/parisc/kernel/drivers.c
@@ -870,7 +870,7 @@ static void print_parisc_device(struct parisc_device *dev)
        static int count;
        print_pa_hwpath(dev, hw_path);
-        printk(KERN_INFO "%d. %s at 0x%p [%s] { %d, 0x%x, 0x%.3x, 0x%.5x }",
+        printk(KERN_INFO "%d. %s at 0x%px [%s] { %d, 0x%x, 0x%.3x, 0x%.5x }",
                ++count, dev->name, (void*) dev->hpa.start, hw_path, dev->id.hw_type,
                dev->id.hversion_rev, dev->id.hversion, dev->id.sversion);
diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S
index f3cecf5117cf..e95207c0565e 100644
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -35,6 +35,7 @@
 #include <asm/pgtable.h>
 #include <asm/signal.h>
 #include <asm/unistd.h>
+#include <asm/ldcw.h>
 #include <asm/thread_info.h>
 #include <linux/linkage.h>
@@ -46,6 +47,14 @@
 #endif
        .import         pa_tlb_lock,data
+        .macro  load_pa_tlb_lock reg
+#if __PA_LDCW_ALIGNMENT > 4
+        load32  PA(pa_tlb_lock) + __PA_LDCW_ALIGNMENT-1, \reg
+        depi    0,31,__PA_LDCW_ALIGN_ORDER, \reg
+#else
+        load32  PA(pa_tlb_lock), \reg
+#endif
+        .endm
        /* space_to_prot macro creates a prot id from a space id */
@@ -457,7 +466,7 @@
        .macro          tlb_lock        spc,ptp,pte,tmp,tmp1,fault
 #ifdef CONFIG_SMP
        cmpib,COND(=),n 0,\spc,2f
-        load32          PA(pa_tlb_lock),\tmp
+        load_pa_tlb_lock \tmp
 1:      LDCW            0(\tmp),\tmp1
        cmpib,COND(=)   0,\tmp1,1b
        nop
@@ -480,7 +489,7 @@
        /* Release pa_tlb_lock lock. */
        .macro          tlb_unlock1     spc,tmp
 #ifdef CONFIG_SMP
-        load32          PA(pa_tlb_lock),\tmp
+        load_pa_tlb_lock \tmp
        tlb_unlock0     \spc,\tmp
 #endif
        .endm
diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S
index adf7187f8951..2d40c4ff3f69 100644
--- a/arch/parisc/kernel/pacache.S
+++ b/arch/parisc/kernel/pacache.S
@@ -36,6 +36,7 @@
 #include <asm/assembly.h>
 #include <asm/pgtable.h>
 #include <asm/cache.h>
+#include <asm/ldcw.h>
 #include <linux/linkage.h>
        .text
@@ -333,8 +334,12 @@ ENDPROC_CFI(flush_data_cache_local)
        .macro  tlb_lock        la,flags,tmp
 #ifdef CONFIG_SMP
-        ldil            L%pa_tlb_lock,%r1
+#if __PA_LDCW_ALIGNMENT > 4
-        ldo             R%pa_tlb_lock(%r1),\la
+        load32          pa_tlb_lock + __PA_LDCW_ALIGNMENT-1, \la
+        depi            0,31,__PA_LDCW_ALIGN_ORDER, \la
+#else
+        load32          pa_tlb_lock, \la
+#endif
        rsm             PSW_SM_I,\flags
 1:      LDCW            0(\la),\tmp
        cmpib,<>,n      0,\tmp,3f
diff --git a/arch/parisc/kernel/process.c b/arch/parisc/kernel/process.c
index 30f92391a93e..cad3e8661cd6 100644
--- a/arch/parisc/kernel/process.c
+++ b/arch/parisc/kernel/process.c
@@ -39,6 +39,7 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/fs.h>
+#include <linux/cpu.h>
 #include <linux/module.h>
 #include <linux/personality.h>
 #include <linux/ptrace.h>
@@ -184,6 +185,44 @@ int dump_task_fpu (struct task_struct *tsk, elf_fpregset_t *r)
 }
 /*
+ * Idle thread support
+ *
+ * Detect when running on QEMU with SeaBIOS PDC Firmware and let
+ * QEMU idle the host too.
+ */
+int running_on_qemu __read_mostly;
+void __cpuidle arch_cpu_idle_dead(void)
+{
+        /* nop on real hardware, qemu will offline CPU. */
+        asm volatile("or %%r31,%%r31,%%r31\n":::);
+}
+void __cpuidle arch_cpu_idle(void)
+{
+        local_irq_enable();
+        /* nop on real hardware, qemu will idle sleep. */
+        asm volatile("or %%r10,%%r10,%%r10\n":::);
+}
+static int __init parisc_idle_init(void)
+{
+        const char *marker;
+        /* check QEMU/SeaBIOS marker in PAGE0 */
+        marker = (char *) &PAGE0->pad0;
+        running_on_qemu = (memcmp(marker, "SeaBIOS", 8) == 0);
+        if (!running_on_qemu)
+                cpu_idle_poll_ctrl(1);
+        return 0;
+}
+arch_initcall(parisc_idle_init);
+/*
 * Copy architecture-specific thread state
 */
 int
diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
index 13f7854e0d49..48f41399fc0b 100644
--- a/arch/parisc/mm/init.c
+++ b/arch/parisc/mm/init.c
@@ -631,11 +631,11 @@ void __init mem_init(void)
        mem_init_print_info(NULL);
 #ifdef CONFIG_DEBUG_KERNEL /* double-sanity-check paranoia */
        printk("virtual kernel memory layout:\n"
-               "    vmalloc : 0x%p - 0x%p   (%4ld MB)\n"
+               "    vmalloc : 0x%px - 0x%px   (%4ld MB)\n"
-               "    memory  : 0x%p - 0x%p   (%4ld MB)\n"
+               "    memory  : 0x%px - 0x%px   (%4ld MB)\n"
-               "      .init : 0x%p - 0x%p   (%4ld kB)\n"
+               "      .init : 0x%px - 0x%px   (%4ld kB)\n"
-               "      .data : 0x%p - 0x%p   (%4ld kB)\n"
+               "      .data : 0x%px - 0x%px   (%4ld kB)\n"
-               "      .text : 0x%p - 0x%p   (%4ld kB)\n",
+               "      .text : 0x%px - 0x%px   (%4ld kB)\n",
               (void*)VMALLOC_START, (void*)VMALLOC_END,
               (VMALLOC_END - VMALLOC_START) >> 20,
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index c51e6ce42e7a..2ed525a44734 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -166,6 +166,7 @@ config PPC
        select GENERIC_CLOCKEVENTS_BROADCAST    if SMP
        select GENERIC_CMOS_UPDATE
        select GENERIC_CPU_AUTOPROBE
+        select GENERIC_CPU_VULNERABILITIES      if PPC_BOOK3S_64
        select GENERIC_IRQ_SHOW
        select GENERIC_IRQ_SHOW_LEVEL
        select GENERIC_SMP_IDLE_THREAD
diff --git a/arch/powerpc/include/asm/exception-64e.h b/arch/powerpc/include/asm/exception-64e.h
index a703452d67b6..555e22d5e07f 100644
--- a/arch/powerpc/include/asm/exception-64e.h
+++ b/arch/powerpc/include/asm/exception-64e.h
@@ -209,5 +209,11 @@ exc_##label##_book3e:
        ori     r3,r3,vector_offset@l;          \
        mtspr   SPRN_IVOR##vector_number,r3;
+#define RFI_TO_KERNEL                                                   \
+        rfi
+#define RFI_TO_USER                                                     \
+        rfi
 #endif /* _ASM_POWERPC_EXCEPTION_64E_H */
diff --git a/arch/powerpc/include/asm/exception-64s.h b/arch/powerpc/include/asm/exception-64s.h
index b27205297e1d..7197b179c1b1 100644
--- a/arch/powerpc/include/asm/exception-64s.h
+++ b/arch/powerpc/include/asm/exception-64s.h
@@ -74,6 +74,59 @@
 */
 #define EX_R3           EX_DAR
+/*
+ * Macros for annotating the expected destination of (h)rfid
+ *
+ * The nop instructions allow us to insert one or more instructions to flush the
+ * L1-D cache when returning to userspace or a guest.
+ */
+#define RFI_FLUSH_SLOT                                                  \
+        RFI_FLUSH_FIXUP_SECTION;                                        \
+        nop;                                                            \
+        nop;                                                            \
+        nop
+#define RFI_TO_KERNEL                                                   \
+        rfid
+#define RFI_TO_USER                                                     \
+        RFI_FLUSH_SLOT;                                                 \
+        rfid;                                                           \
+        b       rfi_flush_fallback
+#define RFI_TO_USER_OR_KERNEL                                           \
+        RFI_FLUSH_SLOT;                                                 \
+        rfid;                                                           \
+        b       rfi_flush_fallback
+#define RFI_TO_GUEST                                                    \
+        RFI_FLUSH_SLOT;                                                 \
+        rfid;                                                           \
+        b       rfi_flush_fallback
+#define HRFI_TO_KERNEL                                                  \
+        hrfid
+#define HRFI_TO_USER                                                    \
+        RFI_FLUSH_SLOT;                                                 \
+        hrfid;                                                          \
+        b       hrfi_flush_fallback
+#define HRFI_TO_USER_OR_KERNEL                                          \
+        RFI_FLUSH_SLOT;                                                 \
+        hrfid;                                                          \
+        b       hrfi_flush_fallback
+#define HRFI_TO_GUEST                                                   \
+        RFI_FLUSH_SLOT;                                                 \
+        hrfid;                                                          \
+        b       hrfi_flush_fallback
+#define HRFI_TO_UNKNOWN                                                 \
+        RFI_FLUSH_SLOT;                                                 \
+        hrfid;                                                          \
+        b       hrfi_flush_fallback
 #ifdef CONFIG_RELOCATABLE
 #define __EXCEPTION_RELON_PROLOG_PSERIES_1(label, h)                    \
        mfspr   r11,SPRN_##h##SRR0;     /* save SRR0 */                 \
@@ -218,7 +271,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943)
        mtspr   SPRN_##h##SRR0,r12;                                     \
        mfspr   r12,SPRN_##h##SRR1;     /* and SRR1 */                  \
        mtspr   SPRN_##h##SRR1,r10;                                     \
-        h##rfid;                                                        \
+        h##RFI_TO_KERNEL;                                               \
        b       .       /* prevent speculative execution */
 #define EXCEPTION_PROLOG_PSERIES_1(label, h)                            \
        __EXCEPTION_PROLOG_PSERIES_1(label, h)
@@ -232,7 +285,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943)
        mtspr   SPRN_##h##SRR0,r12;                                     \
        mfspr   r12,SPRN_##h##SRR1;     /* and SRR1 */                  \
        mtspr   SPRN_##h##SRR1,r10;                                     \
-        h##rfid;                                                        \
+        h##RFI_TO_KERNEL;                                               \
        b       .       /* prevent speculative execution */
 #define EXCEPTION_PROLOG_PSERIES_1_NORI(label, h)                       \
diff --git a/arch/powerpc/include/asm/feature-fixups.h b/arch/powerpc/include/asm/feature-fixups.h
index 8f88f771cc55..1e82eb3caabd 100644
--- a/arch/powerpc/include/asm/feature-fixups.h
+++ b/arch/powerpc/include/asm/feature-fixups.h
@@ -187,7 +187,20 @@ label##3:					       	\
        FTR_ENTRY_OFFSET label##1b-label##3b;           \
        .popsection;
+#define RFI_FLUSH_FIXUP_SECTION                         \
+951:                                                    \
+        .pushsection __rfi_flush_fixup,"a";             \
+        .align 2;                                       \
+952:                                                    \
+        FTR_ENTRY_OFFSET 951b-952b;                     \
+        .popsection;
 #ifndef __ASSEMBLY__
+#include <linux/types.h>
+extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup;
 void apply_feature_fixups(void);
 void setup_feature_keys(void);
 #endif
diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
index a409177be8bd..eca3f9c68907 100644
--- a/arch/powerpc/include/asm/hvcall.h
+++ b/arch/powerpc/include/asm/hvcall.h
@@ -241,6 +241,7 @@
 #define H_GET_HCA_INFO          0x1B8
 #define H_GET_PERF_COUNT        0x1BC
 #define H_MANAGE_TRACE          0x1C0
+#define H_GET_CPU_CHARACTERISTICS 0x1C8
 #define H_FREE_LOGICAL_LAN_BUFFER 0x1D4
 #define H_QUERY_INT_STATE       0x1E4
 #define H_POLL_PENDING          0x1D8
@@ -330,6 +331,17 @@
 #define H_SIGNAL_SYS_RESET_ALL_OTHERS           -2
 /* >= 0 values are CPU number */
+/* H_GET_CPU_CHARACTERISTICS return values */
+#define H_CPU_CHAR_SPEC_BAR_ORI31       (1ull << 63) // IBM bit 0
+#define H_CPU_CHAR_BCCTRL_SERIALISED    (1ull << 62) // IBM bit 1
+#define H_CPU_CHAR_L1D_FLUSH_ORI30      (1ull << 61) // IBM bit 2
+#define H_CPU_CHAR_L1D_FLUSH_TRIG2      (1ull << 60) // IBM bit 3
+#define H_CPU_CHAR_L1D_THREAD_PRIV      (1ull << 59) // IBM bit 4
+#define H_CPU_BEHAV_FAVOUR_SECURITY     (1ull << 63) // IBM bit 0
+#define H_CPU_BEHAV_L1D_FLUSH_PR        (1ull << 62) // IBM bit 1
+#define H_CPU_BEHAV_BNDS_CHK_SPEC_BAR   (1ull << 61) // IBM bit 2
 /* Flag values used in H_REGISTER_PROC_TBL hcall */
 #define PROC_TABLE_OP_MASK      0x18
 #define PROC_TABLE_DEREG        0x10
@@ -341,6 +353,7 @@
 #define PROC_TABLE_GTSE         0x01
 #ifndef __ASSEMBLY__
+#include <linux/types.h>
 /**
 * plpar_hcall_norets: - Make a pseries hypervisor call with no return arguments
@@ -436,6 +449,11 @@ static inline unsigned int get_longbusy_msecs(int longbusy_rc)
        }
 }
+struct h_cpu_char_result {
+        u64 character;
+        u64 behaviour;
+};
 #endif /* __ASSEMBLY__ */
 #endif /* __KERNEL__ */
 #endif /* _ASM_POWERPC_HVCALL_H */
diff --git a/arch/powerpc/include/asm/paca.h b/arch/powerpc/include/asm/paca.h
index 3892db93b837..23ac7fc0af23 100644
--- a/arch/powerpc/include/asm/paca.h
+++ b/arch/powerpc/include/asm/paca.h
@@ -232,6 +232,16 @@ struct paca_struct {
        struct sibling_subcore_state *sibling_subcore_state;
 #endif
 #endif
+#ifdef CONFIG_PPC_BOOK3S_64
+        /*
+         * rfi fallback flush must be in its own cacheline to prevent
+         * other paca data leaking into the L1d
+         */
+        u64 exrfi[EX_SIZE] __aligned(0x80);
+        void *rfi_flush_fallback_area;
+        u64 l1d_flush_congruence;
+        u64 l1d_flush_sets;
+#endif
 };
 extern void copy_mm_to_paca(struct mm_struct *mm);
diff --git a/arch/powerpc/include/asm/plpar_wrappers.h b/arch/powerpc/include/asm/plpar_wrappers.h
index 7f01b22fa6cb..55eddf50d149 100644
--- a/arch/powerpc/include/asm/plpar_wrappers.h
+++ b/arch/powerpc/include/asm/plpar_wrappers.h
@@ -326,4 +326,18 @@ static inline long plapr_signal_sys_reset(long cpu)
        return plpar_hcall_norets(H_SIGNAL_SYS_RESET, cpu);
 }
+static inline long plpar_get_cpu_characteristics(struct h_cpu_char_result *p)
+{
+        unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
+        long rc;
+        rc = plpar_hcall(H_GET_CPU_CHARACTERISTICS, retbuf);
+        if (rc == H_SUCCESS) {
+                p->character = retbuf[0];
+                p->behaviour = retbuf[1];
+        }
+        return rc;
+}
 #endif /* _ASM_POWERPC_PLPAR_WRAPPERS_H */
diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h
index cf00ec26303a..469b7fdc9be4 100644
--- a/arch/powerpc/include/asm/setup.h
+++ b/arch/powerpc/include/asm/setup.h
@@ -39,6 +39,19 @@ static inline void pseries_big_endian_exceptions(void) {}
 static inline void pseries_little_endian_exceptions(void) {}
 #endif /* CONFIG_PPC_PSERIES */
+void rfi_flush_enable(bool enable);
+/* These are bit flags */
+enum l1d_flush_type {
+        L1D_FLUSH_NONE          = 0x1,
+        L1D_FLUSH_FALLBACK      = 0x2,
+        L1D_FLUSH_ORI           = 0x4,
+        L1D_FLUSH_MTTRIG        = 0x8,
+};
+void __init setup_rfi_flush(enum l1d_flush_type, bool enable);
+void do_rfi_flush_fixups(enum l1d_flush_type types);
 #endif /* !__ASSEMBLY__ */
 #endif  /* _ASM_POWERPC_SETUP_H */
diff --git a/arch/powerpc/include/uapi/asm/kvm.h b/arch/powerpc/include/uapi/asm/kvm.h
index 61d6049f4c1e..637b7263cb86 100644
--- a/arch/powerpc/include/uapi/asm/kvm.h
+++ b/arch/powerpc/include/uapi/asm/kvm.h
@@ -443,6 +443,31 @@ struct kvm_ppc_rmmu_info {
        __u32   ap_encodings[8];
 };
+/* For KVM_PPC_GET_CPU_CHAR */
+struct kvm_ppc_cpu_char {
+        __u64   character;              /* characteristics of the CPU */
+        __u64   behaviour;              /* recommended software behaviour */
+        __u64   character_mask;         /* valid bits in character */
+        __u64   behaviour_mask;         /* valid bits in behaviour */
+};
+/*
+ * Values for character and character_mask.
+ * These are identical to the values used by H_GET_CPU_CHARACTERISTICS.
+ */
+#define KVM_PPC_CPU_CHAR_SPEC_BAR_ORI31         (1ULL << 63)
+#define KVM_PPC_CPU_CHAR_BCCTRL_SERIALISED      (1ULL << 62)
+#define KVM_PPC_CPU_CHAR_L1D_FLUSH_ORI30        (1ULL << 61)
+#define KVM_PPC_CPU_CHAR_L1D_FLUSH_TRIG2        (1ULL << 60)
+#define KVM_PPC_CPU_CHAR_L1D_THREAD_PRIV        (1ULL << 59)
+#define KVM_PPC_CPU_CHAR_BR_HINT_HONOURED       (1ULL << 58)
+#define KVM_PPC_CPU_CHAR_MTTRIG_THR_RECONF      (1ULL << 57)
+#define KVM_PPC_CPU_CHAR_COUNT_CACHE_DIS        (1ULL << 56)
+#define KVM_PPC_CPU_BEHAV_FAVOUR_SECURITY       (1ULL << 63)
+#define KVM_PPC_CPU_BEHAV_L1D_FLUSH_PR          (1ULL << 62)
+#define KVM_PPC_CPU_BEHAV_BNDS_CHK_SPEC_BAR     (1ULL << 61)
 /* Per-vcpu XICS interrupt controller state */
 #define KVM_REG_PPC_ICP_STATE   (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0x8c)
diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
index 6b958414b4e0..f390d57cf2e1 100644
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -237,6 +237,11 @@ int main(void)
        OFFSET(PACA_NMI_EMERG_SP, paca_struct, nmi_emergency_sp);
        OFFSET(PACA_IN_MCE, paca_struct, in_mce);
        OFFSET(PACA_IN_NMI, paca_struct, in_nmi);
+        OFFSET(PACA_RFI_FLUSH_FALLBACK_AREA, paca_struct, rfi_flush_fallback_area);
+        OFFSET(PACA_EXRFI, paca_struct, exrfi);
+        OFFSET(PACA_L1D_FLUSH_CONGRUENCE, paca_struct, l1d_flush_congruence);
+        OFFSET(PACA_L1D_FLUSH_SETS, paca_struct, l1d_flush_sets);
 #endif
        OFFSET(PACAHWCPUID, paca_struct, hw_cpu_id);
        OFFSET(PACAKEXECSTATE, paca_struct, kexec_state);
diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
index 3320bcac7192..2748584b767d 100644
--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -37,6 +37,11 @@
 #include <asm/tm.h>
 #include <asm/ppc-opcode.h>
 #include <asm/export.h>
+#ifdef CONFIG_PPC_BOOK3S
+#include <asm/exception-64s.h>
+#else
+#include <asm/exception-64e.h>
+#endif
 /*
 * System calls.
@@ -262,13 +267,23 @@ BEGIN_FTR_SECTION
 END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
        ld      r13,GPR13(r1)   /* only restore r13 if returning to usermode */
+        ld      r2,GPR2(r1)
+        ld      r1,GPR1(r1)
+        mtlr    r4
+        mtcr    r5
+        mtspr   SPRN_SRR0,r7
+        mtspr   SPRN_SRR1,r8
+        RFI_TO_USER
+        b       .       /* prevent speculative execution */
+        /* exit to kernel */
 1:      ld      r2,GPR2(r1)
        ld      r1,GPR1(r1)
        mtlr    r4
        mtcr    r5
        mtspr   SPRN_SRR0,r7
        mtspr   SPRN_SRR1,r8
-        RFI
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 .Lsyscall_error:
@@ -397,8 +412,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
        mtmsrd  r10, 1
        mtspr   SPRN_SRR0, r11
        mtspr   SPRN_SRR1, r12
+        RFI_TO_USER
-        rfid
        b       .       /* prevent speculative execution */
 #endif
 _ASM_NOKPROBE_SYMBOL(system_call_common);
@@ -878,7 +892,7 @@ BEGIN_FTR_SECTION
 END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
        ACCOUNT_CPU_USER_EXIT(r13, r2, r4)
        REST_GPR(13, r1)
-1:
        mtspr   SPRN_SRR1,r3
        ld      r2,_CCR(r1)
@@ -891,8 +905,22 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR)
        ld      r3,GPR3(r1)
        ld      r4,GPR4(r1)
        ld      r1,GPR1(r1)
+        RFI_TO_USER
+        b       .       /* prevent speculative execution */
-        rfid
+1:      mtspr   SPRN_SRR1,r3
+        ld      r2,_CCR(r1)
+        mtcrf   0xFF,r2
+        ld      r2,_NIP(r1)
+        mtspr   SPRN_SRR0,r2
+        ld      r0,GPR0(r1)
+        ld      r2,GPR2(r1)
+        ld      r3,GPR3(r1)
+        ld      r4,GPR4(r1)
+        ld      r1,GPR1(r1)
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 #endif /* CONFIG_PPC_BOOK3E */
@@ -1073,7 +1101,7 @@ __enter_rtas:
        
        mtspr   SPRN_SRR0,r5
        mtspr   SPRN_SRR1,r6
-        rfid
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 rtas_return_loc:
@@ -1098,7 +1126,7 @@ rtas_return_loc:
        mtspr   SPRN_SRR0,r3
        mtspr   SPRN_SRR1,r4
-        rfid
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 _ASM_NOKPROBE_SYMBOL(__enter_rtas)
 _ASM_NOKPROBE_SYMBOL(rtas_return_loc)
@@ -1171,7 +1199,7 @@ _GLOBAL(enter_prom)
        LOAD_REG_IMMEDIATE(r12, MSR_SF | MSR_ISF | MSR_LE)
        andc    r11,r11,r12
        mtsrr1  r11
-        rfid
+        RFI_TO_KERNEL
 #endif /* CONFIG_PPC_BOOK3E */
 1:      /* Return from OF */
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index e441b469dc8f..2dc10bf646b8 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -256,7 +256,7 @@ BEGIN_FTR_SECTION
        LOAD_HANDLER(r12, machine_check_handle_early)
 1:      mtspr   SPRN_SRR0,r12
        mtspr   SPRN_SRR1,r11
-        rfid
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 2:
        /* Stack overflow. Stay on emergency stack and panic.
@@ -445,7 +445,7 @@ EXC_COMMON_BEGIN(machine_check_handle_early)
        li      r3,MSR_ME
        andc    r10,r10,r3              /* Turn off MSR_ME */
        mtspr   SPRN_SRR1,r10
-        rfid
+        RFI_TO_KERNEL
        b       .
 2:
        /*
@@ -463,7 +463,7 @@ EXC_COMMON_BEGIN(machine_check_handle_early)
         */
        bl      machine_check_queue_event
        MACHINE_CHECK_HANDLER_WINDUP
-        rfid
+        RFI_TO_USER_OR_KERNEL
 9:
        /* Deliver the machine check to host kernel in V mode. */
        MACHINE_CHECK_HANDLER_WINDUP
@@ -598,6 +598,9 @@ EXC_COMMON_BEGIN(slb_miss_common)
        stw     r9,PACA_EXSLB+EX_CCR(r13)       /* save CR in exc. frame */
        std     r10,PACA_EXSLB+EX_LR(r13)       /* save LR */
+        andi.   r9,r11,MSR_PR   // Check for exception from userspace
+        cmpdi   cr4,r9,MSR_PR   // And save the result in CR4 for later
        /*
         * Test MSR_RI before calling slb_allocate_realmode, because the
         * MSR in r11 gets clobbered. However we still want to allocate
@@ -624,9 +627,12 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_TYPE_RADIX)
        /* All done -- return from exception. */
+        bne     cr4,1f          /* returning to kernel */
 .machine        push
 .machine        "power4"
        mtcrf   0x80,r9
+        mtcrf   0x08,r9         /* MSR[PR] indication is in cr4 */
        mtcrf   0x04,r9         /* MSR[RI] indication is in cr5 */
        mtcrf   0x02,r9         /* I/D indication is in cr6 */
        mtcrf   0x01,r9         /* slb_allocate uses cr0 and cr7 */
@@ -640,9 +646,30 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_TYPE_RADIX)
        ld      r11,PACA_EXSLB+EX_R11(r13)
        ld      r12,PACA_EXSLB+EX_R12(r13)
        ld      r13,PACA_EXSLB+EX_R13(r13)
-        rfid
+        RFI_TO_USER
+        b       .       /* prevent speculative execution */
+1:
+.machine        push
+.machine        "power4"
+        mtcrf   0x80,r9
+        mtcrf   0x08,r9         /* MSR[PR] indication is in cr4 */
+        mtcrf   0x04,r9         /* MSR[RI] indication is in cr5 */
+        mtcrf   0x02,r9         /* I/D indication is in cr6 */
+        mtcrf   0x01,r9         /* slb_allocate uses cr0 and cr7 */
+.machine        pop
+        RESTORE_CTR(r9, PACA_EXSLB)
+        RESTORE_PPR_PACA(PACA_EXSLB, r9)
+        mr      r3,r12
+        ld      r9,PACA_EXSLB+EX_R9(r13)
+        ld      r10,PACA_EXSLB+EX_R10(r13)
+        ld      r11,PACA_EXSLB+EX_R11(r13)
+        ld      r12,PACA_EXSLB+EX_R12(r13)
+        ld      r13,PACA_EXSLB+EX_R13(r13)
+        RFI_TO_KERNEL
        b       .       /* prevent speculative execution */
 2:      std     r3,PACA_EXSLB+EX_DAR(r13)
        mr      r3,r12
        mfspr   r11,SPRN_SRR0
@@ -651,7 +678,7 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_TYPE_RADIX)
        mtspr   SPRN_SRR0,r10
        ld      r10,PACAKMSR(r13)
        mtspr   SPRN_SRR1,r10
-        rfid
+        RFI_TO_KERNEL
        b       .
 8:      std     r3,PACA_EXSLB+EX_DAR(r13)
@@ -662,7 +689,7 @@ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_TYPE_RADIX)
        mtspr   SPRN_SRR0,r10
        ld      r10,PACAKMSR(r13)
        mtspr   SPRN_SRR1,r10
-        rfid
+        RFI_TO_KERNEL
        b       .
 EXC_COMMON_BEGIN(unrecov_slb)
@@ -901,7 +928,7 @@ EXC_COMMON(trap_0b_common, 0xb00, unknown_exception)
        mtspr   SPRN_SRR0,r10 ;                                 \
        ld      r10,PACAKMSR(r13) ;                             \
        mtspr   SPRN_SRR1,r10 ;                                 \
-        rfid ;                                                  \
+        RFI_TO_KERNEL ;                                         \
        b       . ;     /* prevent speculative execution */
 #ifdef CONFIG_PPC_FAST_ENDIAN_SWITCH
@@ -917,7 +944,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_REAL_LE)				\
        xori    r12,r12,MSR_LE ;                                \
        mtspr   SPRN_SRR1,r12 ;                                 \
        mr      r13,r9 ;                                        \
-        rfid ;          /* return to userspace */               \
+        RFI_TO_USER ;   /* return to userspace */               \
        b       . ;     /* prevent speculative execution */
 #else
 #define SYSCALL_FASTENDIAN_TEST
@@ -1063,7 +1090,7 @@ TRAMP_REAL_BEGIN(hmi_exception_early)
        mtcr    r11
        REST_GPR(11, r1)
        ld      r1,GPR1(r1)
-        hrfid
+        HRFI_TO_USER_OR_KERNEL
 1:      mtcr    r11
        REST_GPR(11, r1)
@@ -1314,7 +1341,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_CFAR)
        ld      r11,PACA_EXGEN+EX_R11(r13)
        ld      r12,PACA_EXGEN+EX_R12(r13)
        ld      r13,PACA_EXGEN+EX_R13(r13)
-        HRFID
+        HRFI_TO_UNKNOWN
        b       .
 #endif
@@ -1418,10 +1445,94 @@ masked_##_H##interrupt:					\
        ld      r10,PACA_EXGEN+EX_R10(r13);             \
        ld      r11,PACA_EXGEN+EX_R11(r13);             \
        /* returns to kernel where r13 must be set up, so don't restore it */ \
-        ##_H##rfid;                                     \
+        ##_H##RFI_TO_KERNEL;                            \
        b       .;                                      \
        MASKED_DEC_HANDLER(_H)
+TRAMP_REAL_BEGIN(rfi_flush_fallback)
+        SET_SCRATCH0(r13);
+        GET_PACA(r13);
+        std     r9,PACA_EXRFI+EX_R9(r13)
+        std     r10,PACA_EXRFI+EX_R10(r13)
+        std     r11,PACA_EXRFI+EX_R11(r13)
+        std     r12,PACA_EXRFI+EX_R12(r13)
+        std     r8,PACA_EXRFI+EX_R13(r13)
+        mfctr   r9
+        ld      r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
+        ld      r11,PACA_L1D_FLUSH_SETS(r13)
+        ld      r12,PACA_L1D_FLUSH_CONGRUENCE(r13)
+        /*
+         * The load adresses are at staggered offsets within cachelines,
+         * which suits some pipelines better (on others it should not
+         * hurt).
+         */
+        addi    r12,r12,8
+        mtctr   r11
+        DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
+        /* order ld/st prior to dcbt stop all streams with flushing */
+        sync
+1:      li      r8,0
+        .rept   8 /* 8-way set associative */
+        ldx     r11,r10,r8
+        add     r8,r8,r12
+        xor     r11,r11,r11     // Ensure r11 is 0 even if fallback area is not
+        add     r8,r8,r11       // Add 0, this creates a dependency on the ldx
+        .endr
+        addi    r10,r10,128 /* 128 byte cache line */
+        bdnz    1b
+        mtctr   r9
+        ld      r9,PACA_EXRFI+EX_R9(r13)
+        ld      r10,PACA_EXRFI+EX_R10(r13)
+        ld      r11,PACA_EXRFI+EX_R11(r13)
+        ld      r12,PACA_EXRFI+EX_R12(r13)
+        ld      r8,PACA_EXRFI+EX_R13(r13)
+        GET_SCRATCH0(r13);
+        rfid
+TRAMP_REAL_BEGIN(hrfi_flush_fallback)
+        SET_SCRATCH0(r13);
+        GET_PACA(r13);
+        std     r9,PACA_EXRFI+EX_R9(r13)
+        std     r10,PACA_EXRFI+EX_R10(r13)
+        std     r11,PACA_EXRFI+EX_R11(r13)
+        std     r12,PACA_EXRFI+EX_R12(r13)
+        std     r8,PACA_EXRFI+EX_R13(r13)
+        mfctr   r9
+        ld      r10,PACA_RFI_FLUSH_FALLBACK_AREA(r13)
+        ld      r11,PACA_L1D_FLUSH_SETS(r13)
+        ld      r12,PACA_L1D_FLUSH_CONGRUENCE(r13)
+        /*
+         * The load adresses are at staggered offsets within cachelines,
+         * which suits some pipelines better (on others it should not
+         * hurt).
+         */
+        addi    r12,r12,8
+        mtctr   r11
+        DCBT_STOP_ALL_STREAM_IDS(r11) /* Stop prefetch streams */
+        /* order ld/st prior to dcbt stop all streams with flushing */
+        sync
+1:      li      r8,0
+        .rept   8 /* 8-way set associative */
+        ldx     r11,r10,r8
+        add     r8,r8,r12
+        xor     r11,r11,r11     // Ensure r11 is 0 even if fallback area is not
+        add     r8,r8,r11       // Add 0, this creates a dependency on the ldx
+        .endr
+        addi    r10,r10,128 /* 128 byte cache line */
+        bdnz    1b
+        mtctr   r9
+        ld      r9,PACA_EXRFI+EX_R9(r13)
+        ld      r10,PACA_EXRFI+EX_R10(r13)
+        ld      r11,PACA_EXRFI+EX_R11(r13)
+        ld      r12,PACA_EXRFI+EX_R12(r13)
+        ld      r8,PACA_EXRFI+EX_R13(r13)
+        GET_SCRATCH0(r13);
+        hrfid
 /*
 * Real mode exceptions actually use this too, but alternate
 * instruction code patches (which end up in the common .text area)
@@ -1441,7 +1552,7 @@ TRAMP_REAL_BEGIN(kvmppc_skip_interrupt)
        addi    r13, r13, 4
        mtspr   SPRN_SRR0, r13
        GET_SCRATCH0(r13)
-        rfid
+        RFI_TO_KERNEL
        b       .
 TRAMP_REAL_BEGIN(kvmppc_skip_Hinterrupt)
@@ -1453,7 +1564,7 @@ TRAMP_REAL_BEGIN(kvmppc_skip_Hinterrupt)
        addi    r13, r13, 4
        mtspr   SPRN_HSRR0, r13
        GET_SCRATCH0(r13)
-        hrfid
+        HRFI_TO_KERNEL
        b       .
 #endif
diff --git a/arch/powerpc/kernel/setup-common.c b/arch/powerpc/kernel/setup-common.c
index 9d213542a48b..8fd3a70047f1 100644
--- a/arch/powerpc/kernel/setup-common.c
+++ b/arch/powerpc/kernel/setup-common.c
@@ -242,14 +242,6 @@ static int show_cpuinfo(struct seq_file *m, void *v)
        unsigned short maj;
        unsigned short min;
-        /* We only show online cpus: disable preempt (overzealous, I
-         * knew) to prevent cpu going down. */
-        preempt_disable();
-        if (!cpu_online(cpu_id)) {
-                preempt_enable();
-                return 0;
-        }
 #ifdef CONFIG_SMP
        pvr = per_cpu(cpu_pvr, cpu_id);
 #else
@@ -358,9 +350,6 @@ static int show_cpuinfo(struct seq_file *m, void *v)
 #ifdef CONFIG_SMP
        seq_printf(m, "\n");
 #endif
-        preempt_enable();
        /* If this is the last cpu, print the summary */
        if (cpumask_next(cpu_id, cpu_online_mask) >= nr_cpu_ids)
                show_cpuinfo_summary(m);
diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
index 8956a9856604..e67413f4a8f0 100644
--- a/arch/powerpc/kernel/setup_64.c
+++ b/arch/powerpc/kernel/setup_64.c
@@ -38,6 +38,7 @@
 #include <linux/memory.h>
 #include <linux/nmi.h>
+#include <asm/debugfs.h>
 #include <asm/io.h>
 #include <asm/kdump.h>
 #include <asm/prom.h>
@@ -801,3 +802,141 @@ static int __init disable_hardlockup_detector(void)
        return 0;
 }
 early_initcall(disable_hardlockup_detector);
+#ifdef CONFIG_PPC_BOOK3S_64
+static enum l1d_flush_type enabled_flush_types;
+static void *l1d_flush_fallback_area;
+static bool no_rfi_flush;
+bool rfi_flush;
+static int __init handle_no_rfi_flush(char *p)
+{
+        pr_info("rfi-flush: disabled on command line.");
+        no_rfi_flush = true;
+        return 0;
+}
+early_param("no_rfi_flush", handle_no_rfi_flush);
+/*
+ * The RFI flush is not KPTI, but because users will see doco that says to use
+ * nopti we hijack that option here to also disable the RFI flush.
+ */
+static int __init handle_no_pti(char *p)
+{
+        pr_info("rfi-flush: disabling due to 'nopti' on command line.\n");
+        handle_no_rfi_flush(NULL);
+        return 0;
+}
+early_param("nopti", handle_no_pti);
+static void do_nothing(void *unused)
+{
+        /*
+         * We don't need to do the flush explicitly, just enter+exit kernel is
+         * sufficient, the RFI exit handlers will do the right thing.
+         */
+}
+void rfi_flush_enable(bool enable)
+{
+        if (rfi_flush == enable)
+                return;
+        if (enable) {
+                do_rfi_flush_fixups(enabled_flush_types);
+                on_each_cpu(do_nothing, NULL, 1);
+        } else
+                do_rfi_flush_fixups(L1D_FLUSH_NONE);
+        rfi_flush = enable;
+}
+static void init_fallback_flush(void)
+{
+        u64 l1d_size, limit;
+        int cpu;
+        l1d_size = ppc64_caches.l1d.size;
+        limit = min(safe_stack_limit(), ppc64_rma_size);
+        /*
+         * Align to L1d size, and size it at 2x L1d size, to catch possible
+         * hardware prefetch runoff. We don't have a recipe for load patterns to
+         * reliably avoid the prefetcher.
+         */
+        l1d_flush_fallback_area = __va(memblock_alloc_base(l1d_size * 2, l1d_size, limit));
+        memset(l1d_flush_fallback_area, 0, l1d_size * 2);
+        for_each_possible_cpu(cpu) {
+                /*
+                 * The fallback flush is currently coded for 8-way
+                 * associativity. Different associativity is possible, but it
+                 * will be treated as 8-way and may not evict the lines as
+                 * effectively.
+                 *
+                 * 128 byte lines are mandatory.
+                 */
+                u64 c = l1d_size / 8;
+                paca[cpu].rfi_flush_fallback_area = l1d_flush_fallback_area;
+                paca[cpu].l1d_flush_congruence = c;
+                paca[cpu].l1d_flush_sets = c / 128;
+        }
+}
+void __init setup_rfi_flush(enum l1d_flush_type types, bool enable)
+{
+        if (types & L1D_FLUSH_FALLBACK) {
+                pr_info("rfi-flush: Using fallback displacement flush\n");
+                init_fallback_flush();
+        }
+        if (types & L1D_FLUSH_ORI)
+                pr_info("rfi-flush: Using ori type flush\n");
+        if (types & L1D_FLUSH_MTTRIG)
+                pr_info("rfi-flush: Using mttrig type flush\n");
+        enabled_flush_types = types;
+        if (!no_rfi_flush)
+                rfi_flush_enable(enable);
+}
+#ifdef CONFIG_DEBUG_FS
+static int rfi_flush_set(void *data, u64 val)
+{
+        if (val == 1)
+                rfi_flush_enable(true);
+        else if (val == 0)
+                rfi_flush_enable(false);
+        else
+                return -EINVAL;
+        return 0;
+}
+static int rfi_flush_get(void *data, u64 *val)
+{
+        *val = rfi_flush ? 1 : 0;
+        return 0;
+}
+DEFINE_SIMPLE_ATTRIBUTE(fops_rfi_flush, rfi_flush_get, rfi_flush_set, "%llu\n");
+static __init int rfi_flush_debugfs_init(void)
+{
+        debugfs_create_file("rfi_flush", 0600, powerpc_debugfs_root, NULL, &fops_rfi_flush);
+        return 0;
+}
+device_initcall(rfi_flush_debugfs_init);
+#endif
+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        if (rfi_flush)
+                return sprintf(buf, "Mitigation: RFI Flush\n");
+        return sprintf(buf, "Vulnerable\n");
+}
+#endif /* CONFIG_PPC_BOOK3S_64 */
diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
index 0494e1566ee2..307843d23682 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -132,6 +132,15 @@ SECTIONS
        /* Read-only data */
        RO_DATA(PAGE_SIZE)
+#ifdef CONFIG_PPC64
+        . = ALIGN(8);
+        __rfi_flush_fixup : AT(ADDR(__rfi_flush_fixup) - LOAD_OFFSET) {
+                __start___rfi_flush_fixup = .;
+                *(__rfi_flush_fixup)
+                __stop___rfi_flush_fixup = .;
+        }
+#endif
        EXCEPTION_TABLE(0)
        NOTES :kernel :notes
diff --git a/arch/powerpc/kvm/book3s_64_mmu.c b/arch/powerpc/kvm/book3s_64_mmu.c
index 29ebe2fd5867..a93d719edc90 100644
--- a/arch/powerpc/kvm/book3s_64_mmu.c
+++ b/arch/powerpc/kvm/book3s_64_mmu.c
@@ -235,6 +235,7 @@ static int kvmppc_mmu_book3s_64_xlate(struct kvm_vcpu *vcpu, gva_t eaddr,
                gpte->may_read = true;
                gpte->may_write = true;
                gpte->page_size = MMU_PAGE_4K;
+                gpte->wimg = HPTE_R_M;
                return 0;
        }
diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c
index 966097232d21..b73dbc9e797d 100644
--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
+++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
@@ -65,11 +65,17 @@ struct kvm_resize_hpt {
        u32 order;
        /* These fields protected by kvm->lock */
+        /* Possible values and their usage:
+         *  <0     an error occurred during allocation,
+         *  -EBUSY allocation is in the progress,
+         *  0      allocation made successfuly.
+         */
        int error;
-        bool prepare_done;
-        /* Private to the work thread, until prepare_done is true,
+        /* Private to the work thread, until error != -EBUSY,
-         * then protected by kvm->resize_hpt_sem */
+         * then protected by kvm->lock.
+         */
        struct kvm_hpt_info hpt;
 };
@@ -159,8 +165,6 @@ long kvmppc_alloc_reset_hpt(struct kvm *kvm, int order)
                 * Reset all the reverse-mapping chains for all memslots
                 */
                kvmppc_rmap_reset(kvm);
-                /* Ensure that each vcpu will flush its TLB on next entry. */
-                cpumask_setall(&kvm->arch.need_tlb_flush);
                err = 0;
                goto out;
        }
@@ -176,6 +180,10 @@ long kvmppc_alloc_reset_hpt(struct kvm *kvm, int order)
        kvmppc_set_hpt(kvm, &info);
 out:
+        if (err == 0)
+                /* Ensure that each vcpu will flush its TLB on next entry. */
+                cpumask_setall(&kvm->arch.need_tlb_flush);
        mutex_unlock(&kvm->lock);
        return err;
 }
@@ -1413,16 +1421,20 @@ static void resize_hpt_pivot(struct kvm_resize_hpt *resize)
 static void resize_hpt_release(struct kvm *kvm, struct kvm_resize_hpt *resize)
 {
-        BUG_ON(kvm->arch.resize_hpt != resize);
+        if (WARN_ON(!mutex_is_locked(&kvm->lock)))
+                return;
        if (!resize)
                return;
-        if (resize->hpt.virt)
+        if (resize->error != -EBUSY) {
-                kvmppc_free_hpt(&resize->hpt);
+                if (resize->hpt.virt)
+                        kvmppc_free_hpt(&resize->hpt);
+                kfree(resize);
+        }
-        kvm->arch.resize_hpt = NULL;
+        if (kvm->arch.resize_hpt == resize)
-        kfree(resize);
+                kvm->arch.resize_hpt = NULL;
 }
 static void resize_hpt_prepare_work(struct work_struct *work)
@@ -1431,17 +1443,41 @@ static void resize_hpt_prepare_work(struct work_struct *work)
                                                     struct kvm_resize_hpt,
                                                     work);
        struct kvm *kvm = resize->kvm;
-        int err;
+        int err = 0;
-        resize_hpt_debug(resize, "resize_hpt_prepare_work(): order = %d\n",
+        if (WARN_ON(resize->error != -EBUSY))
-                         resize->order);
+                return;
-        err = resize_hpt_allocate(resize);
        mutex_lock(&kvm->lock);
+        /* Request is still current? */
+        if (kvm->arch.resize_hpt == resize) {
+                /* We may request large allocations here:
+                 * do not sleep with kvm->lock held for a while.
+                 */
+                mutex_unlock(&kvm->lock);
+                resize_hpt_debug(resize, "resize_hpt_prepare_work(): order = %d\n",
+                                 resize->order);
+                err = resize_hpt_allocate(resize);
+                /* We have strict assumption about -EBUSY
+                 * when preparing for HPT resize.
+                 */
+                if (WARN_ON(err == -EBUSY))
+                        err = -EINPROGRESS;
+                mutex_lock(&kvm->lock);
+                /* It is possible that kvm->arch.resize_hpt != resize
+                 * after we grab kvm->lock again.
+                 */
+        }
        resize->error = err;
-        resize->prepare_done = true;
+        if (kvm->arch.resize_hpt != resize)
+                resize_hpt_release(kvm, resize);
        mutex_unlock(&kvm->lock);
 }
@@ -1466,14 +1502,12 @@ long kvm_vm_ioctl_resize_hpt_prepare(struct kvm *kvm,
        if (resize) {
                if (resize->order == shift) {
-                        /* Suitable resize in progress */
+                        /* Suitable resize in progress? */
-                        if (resize->prepare_done) {
+                        ret = resize->error;
-                                ret = resize->error;
+                        if (ret == -EBUSY)
-                                if (ret != 0)
-                                        resize_hpt_release(kvm, resize);
-                        } else {
                                ret = 100; /* estimated time in ms */
-                        }
+                        else if (ret)
+                                resize_hpt_release(kvm, resize);
                        goto out;
                }
@@ -1493,6 +1527,8 @@ long kvm_vm_ioctl_resize_hpt_prepare(struct kvm *kvm,
                ret = -ENOMEM;
                goto out;
        }
+        resize->error = -EBUSY;
        resize->order = shift;
        resize->kvm = kvm;
        INIT_WORK(&resize->work, resize_hpt_prepare_work);
@@ -1547,16 +1583,12 @@ long kvm_vm_ioctl_resize_hpt_commit(struct kvm *kvm,
        if (!resize || (resize->order != shift))
                goto out;
-        ret = -EBUSY;
-        if (!resize->prepare_done)
-                goto out;
        ret = resize->error;
-        if (ret != 0)
+        if (ret)
                goto out;
        ret = resize_hpt_rehash(resize);
-        if (ret != 0)
+        if (ret)
                goto out;
        resize_hpt_pivot(resize);
diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
index 2659844784b8..9c61f736c75b 100644
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -79,7 +79,7 @@ _GLOBAL_TOC(kvmppc_hv_entry_trampoline)
        mtmsrd  r0,1            /* clear RI in MSR */
        mtsrr0  r5
        mtsrr1  r6
-        RFI
+        RFI_TO_KERNEL
 kvmppc_call_hv_entry:
 BEGIN_FTR_SECTION
@@ -199,7 +199,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
        mtmsrd  r6, 1                   /* Clear RI in MSR */
        mtsrr0  r8
        mtsrr1  r7
-        RFI
+        RFI_TO_KERNEL
        /* Virtual-mode return */
 .Lvirt_return:
@@ -1167,8 +1167,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
        ld      r0, VCPU_GPR(R0)(r4)
        ld      r4, VCPU_GPR(R4)(r4)
+        HRFI_TO_GUEST
-        hrfid
        b       .
 secondary_too_late:
@@ -3320,7 +3319,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_TYPE_RADIX)
        ld      r4, PACAKMSR(r13)
        mtspr   SPRN_SRR0, r3
        mtspr   SPRN_SRR1, r4
-        rfid
+        RFI_TO_KERNEL
 9:      addi    r3, r1, STACK_FRAME_OVERHEAD
        bl      kvmppc_bad_interrupt
        b       9b
diff --git a/arch/powerpc/kvm/book3s_pr.c b/arch/powerpc/kvm/book3s_pr.c
index d0dc8624198f..7deaeeb14b93 100644
--- a/arch/powerpc/kvm/book3s_pr.c
+++ b/arch/powerpc/kvm/book3s_pr.c
@@ -60,6 +60,7 @@ static void kvmppc_giveup_fac(struct kvm_vcpu *vcpu, ulong fac);
 #define MSR_USER32 MSR_USER
 #define MSR_USER64 MSR_USER
 #define HW_PAGE_SIZE PAGE_SIZE
+#define HPTE_R_M   _PAGE_COHERENT
 #endif
 static bool kvmppc_is_split_real(struct kvm_vcpu *vcpu)
@@ -557,6 +558,7 @@ int kvmppc_handle_pagefault(struct kvm_run *run, struct kvm_vcpu *vcpu,
                pte.eaddr = eaddr;
                pte.vpage = eaddr >> 12;
                pte.page_size = MMU_PAGE_64K;
+                pte.wimg = HPTE_R_M;
        }
        switch (kvmppc_get_msr(vcpu) & (MSR_DR|MSR_IR)) {
diff --git a/arch/powerpc/kvm/book3s_rmhandlers.S b/arch/powerpc/kvm/book3s_rmhandlers.S
index 42a4b237df5f..34a5adeff084 100644
--- a/arch/powerpc/kvm/book3s_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_rmhandlers.S
@@ -46,6 +46,9 @@
 #define FUNC(name)              name
+#define RFI_TO_KERNEL   RFI
+#define RFI_TO_GUEST    RFI
 .macro INTERRUPT_TRAMPOLINE intno
 .global kvmppc_trampoline_\intno
@@ -141,7 +144,7 @@ kvmppc_handler_skip_ins:
        GET_SCRATCH0(r13)
        /* And get back into the code */
-        RFI
+        RFI_TO_KERNEL
 #endif
 /*
@@ -164,6 +167,6 @@ _GLOBAL_TOC(kvmppc_entry_trampoline)
        ori     r5, r5, MSR_EE
        mtsrr0  r7
        mtsrr1  r6
-        RFI
+        RFI_TO_KERNEL
 #include "book3s_segment.S"
diff --git a/arch/powerpc/kvm/book3s_segment.S b/arch/powerpc/kvm/book3s_segment.S
index 2a2b96d53999..93a180ceefad 100644
--- a/arch/powerpc/kvm/book3s_segment.S
+++ b/arch/powerpc/kvm/book3s_segment.S
@@ -156,7 +156,7 @@ no_dcbz32_on:
        PPC_LL  r9, SVCPU_R9(r3)
        PPC_LL  r3, (SVCPU_R3)(r3)
-        RFI
+        RFI_TO_GUEST
 kvmppc_handler_trampoline_enter_end:
@@ -407,5 +407,5 @@ END_FTR_SECTION_IFSET(CPU_FTR_HVMODE)
        cmpwi   r12, BOOK3S_INTERRUPT_DOORBELL
        beqa    BOOK3S_INTERRUPT_DOORBELL
-        RFI
+        RFI_TO_KERNEL
 kvmppc_handler_trampoline_exit_end:
diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
index 1915e86cef6f..0a7c88786ec0 100644
--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -39,6 +39,10 @@
 #include <asm/iommu.h>
 #include <asm/switch_to.h>
 #include <asm/xive.h>
+#ifdef CONFIG_PPC_PSERIES
+#include <asm/hvcall.h>
+#include <asm/plpar_wrappers.h>
+#endif
 #include "timing.h"
 #include "irq.h"
@@ -548,6 +552,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
 #ifdef CONFIG_KVM_XICS
        case KVM_CAP_IRQ_XICS:
 #endif
+        case KVM_CAP_PPC_GET_CPU_CHAR:
                r = 1;
                break;
@@ -1759,6 +1764,124 @@ static int kvm_vm_ioctl_enable_cap(struct kvm *kvm,
        return r;
 }
+#ifdef CONFIG_PPC_BOOK3S_64
+/*
+ * These functions check whether the underlying hardware is safe
+ * against attacks based on observing the effects of speculatively
+ * executed instructions, and whether it supplies instructions for
+ * use in workarounds.  The information comes from firmware, either
+ * via the device tree on powernv platforms or from an hcall on
+ * pseries platforms.
+ */
+#ifdef CONFIG_PPC_PSERIES
+static int pseries_get_cpu_char(struct kvm_ppc_cpu_char *cp)
+{
+        struct h_cpu_char_result c;
+        unsigned long rc;
+        if (!machine_is(pseries))
+                return -ENOTTY;
+        rc = plpar_get_cpu_characteristics(&c);
+        if (rc == H_SUCCESS) {
+                cp->character = c.character;
+                cp->behaviour = c.behaviour;
+                cp->character_mask = KVM_PPC_CPU_CHAR_SPEC_BAR_ORI31 |
+                        KVM_PPC_CPU_CHAR_BCCTRL_SERIALISED |
+                        KVM_PPC_CPU_CHAR_L1D_FLUSH_ORI30 |
+                        KVM_PPC_CPU_CHAR_L1D_FLUSH_TRIG2 |
+                        KVM_PPC_CPU_CHAR_L1D_THREAD_PRIV |
+                        KVM_PPC_CPU_CHAR_BR_HINT_HONOURED |
+                        KVM_PPC_CPU_CHAR_MTTRIG_THR_RECONF |
+                        KVM_PPC_CPU_CHAR_COUNT_CACHE_DIS;
+                cp->behaviour_mask = KVM_PPC_CPU_BEHAV_FAVOUR_SECURITY |
+                        KVM_PPC_CPU_BEHAV_L1D_FLUSH_PR |
+                        KVM_PPC_CPU_BEHAV_BNDS_CHK_SPEC_BAR;
+        }
+        return 0;
+}
+#else
+static int pseries_get_cpu_char(struct kvm_ppc_cpu_char *cp)
+{
+        return -ENOTTY;
+}
+#endif
+static inline bool have_fw_feat(struct device_node *fw_features,
+                                const char *state, const char *name)
+{
+        struct device_node *np;
+        bool r = false;
+        np = of_get_child_by_name(fw_features, name);
+        if (np) {
+                r = of_property_read_bool(np, state);
+                of_node_put(np);
+        }
+        return r;
+}
+static int kvmppc_get_cpu_char(struct kvm_ppc_cpu_char *cp)
+{
+        struct device_node *np, *fw_features;
+        int r;
+        memset(cp, 0, sizeof(*cp));
+        r = pseries_get_cpu_char(cp);
+        if (r != -ENOTTY)
+                return r;
+        np = of_find_node_by_name(NULL, "ibm,opal");
+        if (np) {
+                fw_features = of_get_child_by_name(np, "fw-features");
+                of_node_put(np);
+                if (!fw_features)
+                        return 0;
+                if (have_fw_feat(fw_features, "enabled",
+                                 "inst-spec-barrier-ori31,31,0"))
+                        cp->character |= KVM_PPC_CPU_CHAR_SPEC_BAR_ORI31;
+                if (have_fw_feat(fw_features, "enabled",
+                                 "fw-bcctrl-serialized"))
+                        cp->character |= KVM_PPC_CPU_CHAR_BCCTRL_SERIALISED;
+                if (have_fw_feat(fw_features, "enabled",
+                                 "inst-l1d-flush-ori30,30,0"))
+                        cp->character |= KVM_PPC_CPU_CHAR_L1D_FLUSH_ORI30;
+                if (have_fw_feat(fw_features, "enabled",
+                                 "inst-l1d-flush-trig2"))
+                        cp->character |= KVM_PPC_CPU_CHAR_L1D_FLUSH_TRIG2;
+                if (have_fw_feat(fw_features, "enabled",
+                                 "fw-l1d-thread-split"))
+                        cp->character |= KVM_PPC_CPU_CHAR_L1D_THREAD_PRIV;
+                if (have_fw_feat(fw_features, "enabled",
+                                 "fw-count-cache-disabled"))
+                        cp->character |= KVM_PPC_CPU_CHAR_COUNT_CACHE_DIS;
+                cp->character_mask = KVM_PPC_CPU_CHAR_SPEC_BAR_ORI31 |
+                        KVM_PPC_CPU_CHAR_BCCTRL_SERIALISED |
+                        KVM_PPC_CPU_CHAR_L1D_FLUSH_ORI30 |
+                        KVM_PPC_CPU_CHAR_L1D_FLUSH_TRIG2 |
+                        KVM_PPC_CPU_CHAR_L1D_THREAD_PRIV |
+                        KVM_PPC_CPU_CHAR_COUNT_CACHE_DIS;
+                if (have_fw_feat(fw_features, "enabled",
+                                 "speculation-policy-favor-security"))
+                        cp->behaviour |= KVM_PPC_CPU_BEHAV_FAVOUR_SECURITY;
+                if (!have_fw_feat(fw_features, "disabled",
+                                  "needs-l1d-flush-msr-pr-0-to-1"))
+                        cp->behaviour |= KVM_PPC_CPU_BEHAV_L1D_FLUSH_PR;
+                if (!have_fw_feat(fw_features, "disabled",
+                                  "needs-spec-barrier-for-bound-checks"))
+                        cp->behaviour |= KVM_PPC_CPU_BEHAV_BNDS_CHK_SPEC_BAR;
+                cp->behaviour_mask = KVM_PPC_CPU_BEHAV_FAVOUR_SECURITY |
+                        KVM_PPC_CPU_BEHAV_L1D_FLUSH_PR |
+                        KVM_PPC_CPU_BEHAV_BNDS_CHK_SPEC_BAR;
+                of_node_put(fw_features);
+        }
+        return 0;
+}
+#endif
 long kvm_arch_vm_ioctl(struct file *filp,
                       unsigned int ioctl, unsigned long arg)
 {
@@ -1861,6 +1984,14 @@ long kvm_arch_vm_ioctl(struct file *filp,
                        r = -EFAULT;
                break;
        }
+        case KVM_PPC_GET_CPU_CHAR: {
+                struct kvm_ppc_cpu_char cpuchar;
+                r = kvmppc_get_cpu_char(&cpuchar);
+                if (r >= 0 && copy_to_user(argp, &cpuchar, sizeof(cpuchar)))
+                        r = -EFAULT;
+                break;
+        }
        default: {
                struct kvm *kvm = filp->private_data;
                r = kvm->arch.kvm_ops->arch_vm_ioctl(filp, ioctl, arg);
diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c
index 41cf5ae273cf..a95ea007d654 100644
--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -116,6 +116,47 @@ void do_feature_fixups(unsigned long value, void *fixup_start, void *fixup_end)
        }
 }
+#ifdef CONFIG_PPC_BOOK3S_64
+void do_rfi_flush_fixups(enum l1d_flush_type types)
+{
+        unsigned int instrs[3], *dest;
+        long *start, *end;
+        int i;
+        start = PTRRELOC(&__start___rfi_flush_fixup),
+        end = PTRRELOC(&__stop___rfi_flush_fixup);
+        instrs[0] = 0x60000000; /* nop */
+        instrs[1] = 0x60000000; /* nop */
+        instrs[2] = 0x60000000; /* nop */
+        if (types & L1D_FLUSH_FALLBACK)
+                /* b .+16 to fallback flush */
+                instrs[0] = 0x48000010;
+        i = 0;
+        if (types & L1D_FLUSH_ORI) {
+                instrs[i++] = 0x63ff0000; /* ori 31,31,0 speculation barrier */
+                instrs[i++] = 0x63de0000; /* ori 30,30,0 L1d flush*/
+        }
+        if (types & L1D_FLUSH_MTTRIG)
+                instrs[i++] = 0x7c12dba6; /* mtspr TRIG2,r0 (SPR #882) */
+        for (i = 0; start < end; start++, i++) {
+                dest = (void *)start + *start;
+                pr_devel("patching dest %lx\n", (unsigned long)dest);
+                patch_instruction(dest, instrs[0]);
+                patch_instruction(dest + 1, instrs[1]);
+                patch_instruction(dest + 2, instrs[2]);
+        }
+        printk(KERN_DEBUG "rfi-flush: patched %d locations\n", i);
+}
+#endif /* CONFIG_PPC_BOOK3S_64 */
 void do_lwsync_fixups(unsigned long value, void *fixup_start, void *fixup_end)
 {
        long *start, *end;
diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index 4797d08581ce..6e1e39035380 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -145,6 +145,11 @@ static noinline int bad_area(struct pt_regs *regs, unsigned long address)
        return __bad_area(regs, address, SEGV_MAPERR);
 }
+static noinline int bad_access(struct pt_regs *regs, unsigned long address)
+{
+        return __bad_area(regs, address, SEGV_ACCERR);
+}
 static int do_sigbus(struct pt_regs *regs, unsigned long address,
                     unsigned int fault)
 {
@@ -490,7 +495,7 @@ retry:
 good_area:
        if (unlikely(access_error(is_write, is_exec, vma)))
-                return bad_area(regs, address);
+                return bad_access(regs, address);
        /*
         * If for any reason at all we couldn't handle the fault,
diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
index 1edfbc1e40f4..4fb21e17504a 100644
--- a/arch/powerpc/platforms/powernv/setup.c
+++ b/arch/powerpc/platforms/powernv/setup.c
@@ -37,13 +37,62 @@
 #include <asm/kexec.h>
 #include <asm/smp.h>
 #include <asm/tm.h>
+#include <asm/setup.h>
 #include "powernv.h"
+static void pnv_setup_rfi_flush(void)
+{
+        struct device_node *np, *fw_features;
+        enum l1d_flush_type type;
+        int enable;
+        /* Default to fallback in case fw-features are not available */
+        type = L1D_FLUSH_FALLBACK;
+        enable = 1;
+        np = of_find_node_by_name(NULL, "ibm,opal");
+        fw_features = of_get_child_by_name(np, "fw-features");
+        of_node_put(np);
+        if (fw_features) {
+                np = of_get_child_by_name(fw_features, "inst-l1d-flush-trig2");
+                if (np && of_property_read_bool(np, "enabled"))
+                        type = L1D_FLUSH_MTTRIG;
+                of_node_put(np);
+                np = of_get_child_by_name(fw_features, "inst-l1d-flush-ori30,30,0");
+                if (np && of_property_read_bool(np, "enabled"))
+                        type = L1D_FLUSH_ORI;
+                of_node_put(np);
+                /* Enable unless firmware says NOT to */
+                enable = 2;
+                np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-hv-1-to-0");
+                if (np && of_property_read_bool(np, "disabled"))
+                        enable--;
+                of_node_put(np);
+                np = of_get_child_by_name(fw_features, "needs-l1d-flush-msr-pr-0-to-1");
+                if (np && of_property_read_bool(np, "disabled"))
+                        enable--;
+                of_node_put(np);
+                of_node_put(fw_features);
+        }
+        setup_rfi_flush(type, enable > 0);
+}
 static void __init pnv_setup_arch(void)
 {
        set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
+        pnv_setup_rfi_flush();
        /* Initialize SMP */
        pnv_smp_init();
diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
index 6e35780c5962..a0b20c03f078 100644
--- a/arch/powerpc/platforms/pseries/dlpar.c
+++ b/arch/powerpc/platforms/pseries/dlpar.c
@@ -574,11 +574,26 @@ static ssize_t dlpar_show(struct class *class, struct class_attribute *attr,
 static CLASS_ATTR_RW(dlpar);
-static int __init pseries_dlpar_init(void)
+int __init dlpar_workqueue_init(void)
 {
+        if (pseries_hp_wq)
+                return 0;
        pseries_hp_wq = alloc_workqueue("pseries hotplug workqueue",
-                                        WQ_UNBOUND, 1);
+                        WQ_UNBOUND, 1);
+        return pseries_hp_wq ? 0 : -ENOMEM;
+}
+static int __init dlpar_sysfs_init(void)
+{
+        int rc;
+        rc = dlpar_workqueue_init();
+        if (rc)
+                return rc;
        return sysfs_create_file(kernel_kobj, &class_attr_dlpar.attr);
 }
-machine_device_initcall(pseries, pseries_dlpar_init);
+machine_device_initcall(pseries, dlpar_sysfs_init);
diff --git a/arch/powerpc/platforms/pseries/pseries.h b/arch/powerpc/platforms/pseries/pseries.h
index 4470a3194311..1ae1d9f4dbe9 100644
--- a/arch/powerpc/platforms/pseries/pseries.h
+++ b/arch/powerpc/platforms/pseries/pseries.h
@@ -98,4 +98,6 @@ static inline unsigned long cmo_get_page_size(void)
        return CMO_PageSize;
 }
+int dlpar_workqueue_init(void);
 #endif /* _PSERIES_PSERIES_H */
diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c
index 4923ffe230cf..81d8614e7379 100644
--- a/arch/powerpc/platforms/pseries/ras.c
+++ b/arch/powerpc/platforms/pseries/ras.c
@@ -69,7 +69,8 @@ static int __init init_ras_IRQ(void)
        /* Hotplug Events */
        np = of_find_node_by_path("/event-sources/hot-plug-events");
        if (np != NULL) {
-                request_event_sources_irqs(np, ras_hotplug_interrupt,
+                if (dlpar_workqueue_init() == 0)
+                        request_event_sources_irqs(np, ras_hotplug_interrupt,
                                           "RAS_HOTPLUG");
                of_node_put(np);
        }
diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
index a8531e012658..ae4f596273b5 100644
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -459,6 +459,39 @@ static void __init find_and_init_phbs(void)
        of_pci_check_probe_only();
 }
+static void pseries_setup_rfi_flush(void)
+{
+        struct h_cpu_char_result result;
+        enum l1d_flush_type types;
+        bool enable;
+        long rc;
+        /* Enable by default */
+        enable = true;
+        rc = plpar_get_cpu_characteristics(&result);
+        if (rc == H_SUCCESS) {
+                types = L1D_FLUSH_NONE;
+                if (result.character & H_CPU_CHAR_L1D_FLUSH_TRIG2)
+                        types |= L1D_FLUSH_MTTRIG;
+                if (result.character & H_CPU_CHAR_L1D_FLUSH_ORI30)
+                        types |= L1D_FLUSH_ORI;
+                /* Use fallback if nothing set in hcall */
+                if (types == L1D_FLUSH_NONE)
+                        types = L1D_FLUSH_FALLBACK;
+                if (!(result.behaviour & H_CPU_BEHAV_L1D_FLUSH_PR))
+                        enable = false;
+        } else {
+                /* Default to fallback if case hcall is not available */
+                types = L1D_FLUSH_FALLBACK;
+        }
+        setup_rfi_flush(types, enable);
+}
 static void __init pSeries_setup_arch(void)
 {
        set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
@@ -476,6 +509,8 @@ static void __init pSeries_setup_arch(void)
        fwnmi_init();
+        pseries_setup_rfi_flush();
        /* By default, only probe PCI (can be overridden by rtas_pci) */
        pci_add_flags(PCI_PROBE_ONLY);
diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
index cab24f549e7c..0ddc7ac6c5f1 100644
--- a/arch/powerpc/xmon/xmon.c
+++ b/arch/powerpc/xmon/xmon.c
@@ -2344,10 +2344,10 @@ static void dump_one_paca(int cpu)
        DUMP(p, kernel_toc, "lx");
        DUMP(p, kernelbase, "lx");
        DUMP(p, kernel_msr, "lx");
-        DUMP(p, emergency_sp, "p");
+        DUMP(p, emergency_sp, "px");
 #ifdef CONFIG_PPC_BOOK3S_64
-        DUMP(p, nmi_emergency_sp, "p");
+        DUMP(p, nmi_emergency_sp, "px");
-        DUMP(p, mc_emergency_sp, "p");
+        DUMP(p, mc_emergency_sp, "px");
        DUMP(p, in_nmi, "x");
        DUMP(p, in_mce, "x");
        DUMP(p, hmi_event_available, "x");
@@ -2375,17 +2375,21 @@ static void dump_one_paca(int cpu)
        DUMP(p, slb_cache_ptr, "x");
        for (i = 0; i < SLB_CACHE_ENTRIES; i++)
                printf(" slb_cache[%d]:        = 0x%016lx\n", i, p->slb_cache[i]);
+        DUMP(p, rfi_flush_fallback_area, "px");
+        DUMP(p, l1d_flush_congruence, "llx");
+        DUMP(p, l1d_flush_sets, "llx");
 #endif
        DUMP(p, dscr_default, "llx");
 #ifdef CONFIG_PPC_BOOK3E
-        DUMP(p, pgd, "p");
+        DUMP(p, pgd, "px");
-        DUMP(p, kernel_pgd, "p");
+        DUMP(p, kernel_pgd, "px");
-        DUMP(p, tcd_ptr, "p");
+        DUMP(p, tcd_ptr, "px");
-        DUMP(p, mc_kstack, "p");
+        DUMP(p, mc_kstack, "px");
-        DUMP(p, crit_kstack, "p");
+        DUMP(p, crit_kstack, "px");
-        DUMP(p, dbg_kstack, "p");
+        DUMP(p, dbg_kstack, "px");
 #endif
-        DUMP(p, __current, "p");
+        DUMP(p, __current, "px");
        DUMP(p, kstack, "lx");
        printf(" kstack_base          = 0x%016lx\n", p->kstack & ~(THREAD_SIZE - 1));
        DUMP(p, stab_rr, "lx");
@@ -2403,7 +2407,7 @@ static void dump_one_paca(int cpu)
 #endif
 #ifdef CONFIG_PPC_POWERNV
-        DUMP(p, core_idle_state_ptr, "p");
+        DUMP(p, core_idle_state_ptr, "px");
        DUMP(p, thread_idle_state, "x");
        DUMP(p, thread_mask, "x");
        DUMP(p, subcore_sibling_mask, "x");
diff --git a/arch/riscv/configs/defconfig b/arch/riscv/configs/defconfig
index e69de29bb2d1..47dacf06c679 100644
--- a/arch/riscv/configs/defconfig
+++ b/arch/riscv/configs/defconfig
@@ -0,0 +1,75 @@
+CONFIG_SMP=y
+CONFIG_PCI=y
+CONFIG_PCIE_XILINX=y
+CONFIG_SYSVIPC=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_CGROUP_BPF=y
+CONFIG_NAMESPACES=y
+CONFIG_USER_NS=y
+CONFIG_BLK_DEV_INITRD=y
+CONFIG_EXPERT=y
+CONFIG_CHECKPOINT_RESTORE=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_IP_MULTICAST=y
+CONFIG_IP_ADVANCED_ROUTER=y
+CONFIG_IP_PNP=y
+CONFIG_IP_PNP_DHCP=y
+CONFIG_IP_PNP_BOOTP=y
+CONFIG_IP_PNP_RARP=y
+CONFIG_NETLINK_DIAG=y
+CONFIG_DEVTMPFS=y
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_VIRTIO_BLK=y
+CONFIG_BLK_DEV_SD=y
+CONFIG_BLK_DEV_SR=y
+CONFIG_ATA=y
+CONFIG_SATA_AHCI=y
+CONFIG_SATA_AHCI_PLATFORM=y
+CONFIG_NETDEVICES=y
+CONFIG_VIRTIO_NET=y
+CONFIG_MACB=y
+CONFIG_E1000E=y
+CONFIG_R8169=y
+CONFIG_MICROSEMI_PHY=y
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+CONFIG_SERIAL_OF_PLATFORM=y
+# CONFIG_PTP_1588_CLOCK is not set
+CONFIG_DRM=y
+CONFIG_DRM_RADEON=y
+CONFIG_FRAMEBUFFER_CONSOLE=y
+CONFIG_USB=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_XHCI_PLATFORM=y
+CONFIG_USB_EHCI_HCD=y
+CONFIG_USB_EHCI_HCD_PLATFORM=y
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_OHCI_HCD_PLATFORM=y
+CONFIG_USB_STORAGE=y
+CONFIG_USB_UAS=y
+CONFIG_VIRTIO_MMIO=y
+CONFIG_RAS=y
+CONFIG_EXT4_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_AUTOFS4_FS=y
+CONFIG_MSDOS_FS=y
+CONFIG_VFAT_FS=y
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_NFS_FS=y
+CONFIG_NFS_V4=y
+CONFIG_NFS_V4_1=y
+CONFIG_NFS_V4_2=y
+CONFIG_ROOT_NFS=y
+# CONFIG_RCU_TRACE is not set
+CONFIG_CRYPTO_USER_API_HASH=y
diff --git a/arch/riscv/include/asm/csr.h b/arch/riscv/include/asm/csr.h
index 0d64bc9f4f91..3c7a2c97e377 100644
--- a/arch/riscv/include/asm/csr.h
+++ b/arch/riscv/include/asm/csr.h
@@ -17,10 +17,10 @@
 #include <linux/const.h>
 /* Status register flags */
-#define SR_IE   _AC(0x00000002, UL) /* Interrupt Enable */
+#define SR_SIE  _AC(0x00000002, UL) /* Supervisor Interrupt Enable */
-#define SR_PIE  _AC(0x00000020, UL) /* Previous IE */
+#define SR_SPIE _AC(0x00000020, UL) /* Previous Supervisor IE */
-#define SR_PS   _AC(0x00000100, UL) /* Previously Supervisor */
+#define SR_SPP  _AC(0x00000100, UL) /* Previously Supervisor */
-#define SR_SUM  _AC(0x00040000, UL) /* Supervisor may access User Memory */
+#define SR_SUM  _AC(0x00040000, UL) /* Supervisor may access User Memory */
 #define SR_FS           _AC(0x00006000, UL) /* Floating-point Status */
 #define SR_FS_OFF       _AC(0x00000000, UL)
diff --git a/arch/riscv/include/asm/io.h b/arch/riscv/include/asm/io.h
index a82ce599b639..b269451e7e85 100644
--- a/arch/riscv/include/asm/io.h
+++ b/arch/riscv/include/asm/io.h
@@ -21,8 +21,6 @@
 #include <linux/types.h>
-#ifdef CONFIG_MMU
 extern void __iomem *ioremap(phys_addr_t offset, unsigned long size);
 /*
@@ -36,8 +34,6 @@ extern void __iomem *ioremap(phys_addr_t offset, unsigned long size);
 extern void iounmap(volatile void __iomem *addr);
-#endif /* CONFIG_MMU */
 /* Generic IO read/write.  These perform native-endian accesses. */
 #define __raw_writeb __raw_writeb
 static inline void __raw_writeb(u8 val, volatile void __iomem *addr)
diff --git a/arch/riscv/include/asm/irqflags.h b/arch/riscv/include/asm/irqflags.h
index 6fdc860d7f84..07a3c6d5706f 100644
--- a/arch/riscv/include/asm/irqflags.h
+++ b/arch/riscv/include/asm/irqflags.h
@@ -27,25 +27,25 @@ static inline unsigned long arch_local_save_flags(void)
 /* unconditionally enable interrupts */
 static inline void arch_local_irq_enable(void)
 {
-        csr_set(sstatus, SR_IE);
+        csr_set(sstatus, SR_SIE);
 }
 /* unconditionally disable interrupts */
 static inline void arch_local_irq_disable(void)
 {
-        csr_clear(sstatus, SR_IE);
+        csr_clear(sstatus, SR_SIE);
 }
 /* get status and disable interrupts */
 static inline unsigned long arch_local_irq_save(void)
 {
-        return csr_read_clear(sstatus, SR_IE);
+        return csr_read_clear(sstatus, SR_SIE);
 }
 /* test flags */
 static inline int arch_irqs_disabled_flags(unsigned long flags)
 {
-        return !(flags & SR_IE);
+        return !(flags & SR_SIE);
 }
 /* test hardware interrupt enable bit */
@@ -57,7 +57,7 @@ static inline int arch_irqs_disabled(void)
 /* set interrupt enabled status */
 static inline void arch_local_irq_restore(unsigned long flags)
 {
-        csr_set(sstatus, flags & SR_IE);
+        csr_set(sstatus, flags & SR_SIE);
 }
 #endif /* _ASM_RISCV_IRQFLAGS_H */
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 2cbd92ed1629..16301966d65b 100644
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -20,8 +20,6 @@
 #ifndef __ASSEMBLY__
-#ifdef CONFIG_MMU
 /* Page Upper Directory not used in RISC-V */
 #include <asm-generic/pgtable-nopud.h>
 #include <asm/page.h>
@@ -413,8 +411,6 @@ static inline void pgtable_cache_init(void)
        /* No page table caches to initialize */
 }
-#endif /* CONFIG_MMU */
 #define VMALLOC_SIZE     (KERN_VIRT_SIZE >> 1)
 #define VMALLOC_END      (PAGE_OFFSET - 1)
 #define VMALLOC_START    (PAGE_OFFSET - VMALLOC_SIZE)
diff --git a/arch/riscv/include/asm/ptrace.h b/arch/riscv/include/asm/ptrace.h
index 93b8956e25e4..2c5df945d43c 100644
--- a/arch/riscv/include/asm/ptrace.h
+++ b/arch/riscv/include/asm/ptrace.h
@@ -66,7 +66,7 @@ struct pt_regs {
 #define REG_FMT "%08lx"
 #endif
-#define user_mode(regs) (((regs)->sstatus & SR_PS) == 0)
+#define user_mode(regs) (((regs)->sstatus & SR_SPP) == 0)
 /* Helpers for working with the instruction pointer */
diff --git a/arch/riscv/include/asm/tlbflush.h b/arch/riscv/include/asm/tlbflush.h
index 715b0f10af58..7b9c24ebdf52 100644
--- a/arch/riscv/include/asm/tlbflush.h
+++ b/arch/riscv/include/asm/tlbflush.h
@@ -15,8 +15,6 @@
 #ifndef _ASM_RISCV_TLBFLUSH_H
 #define _ASM_RISCV_TLBFLUSH_H
-#ifdef CONFIG_MMU
 #include <linux/mm_types.h>
 /*
@@ -64,6 +62,4 @@ static inline void flush_tlb_kernel_range(unsigned long start,
        flush_tlb_all();
 }
-#endif /* CONFIG_MMU */
 #endif /* _ASM_RISCV_TLBFLUSH_H */
diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
index 27b90d64814b..14b0b22fb578 100644
--- a/arch/riscv/include/asm/uaccess.h
+++ b/arch/riscv/include/asm/uaccess.h
@@ -127,7 +127,6 @@ extern int fixup_exception(struct pt_regs *state);
 * call.
 */
-#ifdef CONFIG_MMU
 #define __get_user_asm(insn, x, ptr, err)                       \
 do {                                                            \
        uintptr_t __tmp;                                        \
@@ -153,13 +152,11 @@ do {								\
        __disable_user_access();                                \
        (x) = __x;                                              \
 } while (0)
-#endif /* CONFIG_MMU */
 #ifdef CONFIG_64BIT
 #define __get_user_8(x, ptr, err) \
        __get_user_asm("ld", x, ptr, err)
 #else /* !CONFIG_64BIT */
-#ifdef CONFIG_MMU
 #define __get_user_8(x, ptr, err)                               \
 do {                                                            \
        u32 __user *__ptr = (u32 __user *)(ptr);                \
@@ -193,7 +190,6 @@ do {								\
        (x) = (__typeof__(x))((__typeof__((x)-(x)))(            \
                (((u64)__hi << 32) | __lo)));                   \
 } while (0)
-#endif /* CONFIG_MMU */
 #endif /* CONFIG_64BIT */
@@ -267,8 +263,6 @@ do {								\
                ((x) = 0, -EFAULT);                             \
 })
-#ifdef CONFIG_MMU
 #define __put_user_asm(insn, x, ptr, err)                       \
 do {                                                            \
        uintptr_t __tmp;                                        \
@@ -292,14 +286,11 @@ do {								\
                : "rJ" (__x), "i" (-EFAULT));                   \
        __disable_user_access();                                \
 } while (0)
-#endif /* CONFIG_MMU */
 #ifdef CONFIG_64BIT
 #define __put_user_8(x, ptr, err) \
        __put_user_asm("sd", x, ptr, err)
 #else /* !CONFIG_64BIT */
-#ifdef CONFIG_MMU
 #define __put_user_8(x, ptr, err)                               \
 do {                                                            \
        u32 __user *__ptr = (u32 __user *)(ptr);                \
@@ -329,7 +320,6 @@ do {								\
                : "rJ" (__x), "rJ" (__x >> 32), "i" (-EFAULT)); \
        __disable_user_access();                                \
 } while (0)
-#endif /* CONFIG_MMU */
 #endif /* CONFIG_64BIT */
@@ -438,7 +428,6 @@ unsigned long __must_check clear_user(void __user *to, unsigned long n)
 * will set "err" to -EFAULT, while successful accesses return the previous
 * value.
 */
-#ifdef CONFIG_MMU
 #define __cmpxchg_user(ptr, old, new, err, size, lrb, scb)      \
 ({                                                              \
        __typeof__(ptr) __ptr = (ptr);                          \
@@ -508,6 +497,5 @@ unsigned long __must_check clear_user(void __user *to, unsigned long n)
        (err) = __err;                                          \
        __ret;                                                  \
 })
-#endif /* CONFIG_MMU */
 #endif /* _ASM_RISCV_UACCESS_H */
diff --git a/arch/riscv/include/asm/unistd.h b/arch/riscv/include/asm/unistd.h
index 9f250ed007cd..2f704a5c4196 100644
--- a/arch/riscv/include/asm/unistd.h
+++ b/arch/riscv/include/asm/unistd.h
@@ -14,3 +14,4 @@
 #define __ARCH_HAVE_MMU
 #define __ARCH_WANT_SYS_CLONE
 #include <uapi/asm/unistd.h>
+#include <uapi/asm/syscalls.h>
diff --git a/arch/riscv/include/asm/vdso-syscalls.h b/arch/riscv/include/asm/vdso-syscalls.h
deleted file mode 100644
index a2ccf1894929..000000000000
--- a/arch/riscv/include/asm/vdso-syscalls.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2017 SiFive
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-#ifndef _ASM_RISCV_VDSO_SYSCALLS_H
-#define _ASM_RISCV_VDSO_SYSCALLS_H
-#ifdef CONFIG_SMP
-/* These syscalls are only used by the vDSO and are not in the uapi. */
-#define __NR_riscv_flush_icache (__NR_arch_specific_syscall + 15)
-__SYSCALL(__NR_riscv_flush_icache, sys_riscv_flush_icache)
-#endif
-#endif /* _ASM_RISCV_VDSO_H */
diff --git a/arch/riscv/include/uapi/asm/syscalls.h b/arch/riscv/include/uapi/asm/syscalls.h
new file mode 100644
index 000000000000..818655b0d535
--- /dev/null
+++ b/arch/riscv/include/uapi/asm/syscalls.h
@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2017 SiFive
+ */
+#ifndef _ASM__UAPI__SYSCALLS_H
+#define _ASM__UAPI__SYSCALLS_H
+/*
+ * Allows the instruction cache to be flushed from userspace.  Despite RISC-V
+ * having a direct 'fence.i' instruction available to userspace (which we
+ * can't trap!), that's not actually viable when running on Linux because the
+ * kernel might schedule a process on another hart.  There is no way for
+ * userspace to handle this without invoking the kernel (as it doesn't know the
+ * thread->hart mappings), so we've defined a RISC-V specific system call to
+ * flush the instruction cache.
+ *
+ * __NR_riscv_flush_icache is defined to flush the instruction cache over an
+ * address range, with the flush applying to either all threads or just the
+ * caller.  We don't currently do anything with the address range, that's just
+ * in there for forwards compatibility.
+ */
+#define __NR_riscv_flush_icache (__NR_arch_specific_syscall + 15)
+__SYSCALL(__NR_riscv_flush_icache, sys_riscv_flush_icache)
+#endif
diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
index 20ee86f782a9..7404ec222406 100644
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
@@ -196,7 +196,7 @@ handle_syscall:
        addi s2, s2, 0x4
        REG_S s2, PT_SEPC(sp)
        /* System calls run with interrupts enabled */
-        csrs sstatus, SR_IE
+        csrs sstatus, SR_SIE
        /* Trace syscalls, but only if requested by the user. */
        REG_L t0, TASK_TI_FLAGS(tp)
        andi t0, t0, _TIF_SYSCALL_TRACE
@@ -224,8 +224,8 @@ ret_from_syscall:
 ret_from_exception:
        REG_L s0, PT_SSTATUS(sp)
-        csrc sstatus, SR_IE
+        csrc sstatus, SR_SIE
-        andi s0, s0, SR_PS
+        andi s0, s0, SR_SPP
        bnez s0, restore_all
 resume_userspace:
@@ -255,7 +255,7 @@ work_pending:
        bnez s1, work_resched
 work_notifysig:
        /* Handle pending signals and notify-resume requests */
-        csrs sstatus, SR_IE /* Enable interrupts for do_notify_resume() */
+        csrs sstatus, SR_SIE /* Enable interrupts for do_notify_resume() */
        move a0, sp /* pt_regs */
        move a1, s0 /* current_thread_info->flags */
        tail do_notify_resume
diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
index 0d90dcc1fbd3..d74d4adf2d54 100644
--- a/arch/riscv/kernel/process.c
+++ b/arch/riscv/kernel/process.c
@@ -76,7 +76,7 @@ void show_regs(struct pt_regs *regs)
 void start_thread(struct pt_regs *regs, unsigned long pc,
        unsigned long sp)
 {
-        regs->sstatus = SR_PIE /* User mode, irqs on */ | SR_FS_INITIAL;
+        regs->sstatus = SR_SPIE /* User mode, irqs on */ | SR_FS_INITIAL;
        regs->sepc = pc;
        regs->sp = sp;
        set_fs(USER_DS);
@@ -110,7 +110,7 @@ int copy_thread(unsigned long clone_flags, unsigned long usp,
                const register unsigned long gp __asm__ ("gp");
                memset(childregs, 0, sizeof(struct pt_regs));
                childregs->gp = gp;
-                childregs->sstatus = SR_PS | SR_PIE; /* Supervisor, irqs on */
+                childregs->sstatus = SR_SPP | SR_SPIE; /* Supervisor, irqs on */
                p->thread.ra = (unsigned long)ret_from_kernel_thread;
                p->thread.s[0] = usp; /* fn */
diff --git a/arch/riscv/kernel/syscall_table.c b/arch/riscv/kernel/syscall_table.c
index a5bd6401f95e..ade52b903a43 100644
--- a/arch/riscv/kernel/syscall_table.c
+++ b/arch/riscv/kernel/syscall_table.c
@@ -23,5 +23,4 @@
 void *sys_call_table[__NR_syscalls] = {
        [0 ... __NR_syscalls - 1] = sys_ni_syscall,
 #include <asm/unistd.h>
-#include <asm/vdso-syscalls.h>
 };
diff --git a/arch/riscv/kernel/vdso/flush_icache.S b/arch/riscv/kernel/vdso/flush_icache.S
index b0fbad74e873..023e4d4aef58 100644
--- a/arch/riscv/kernel/vdso/flush_icache.S
+++ b/arch/riscv/kernel/vdso/flush_icache.S
@@ -13,7 +13,6 @@
 #include <linux/linkage.h>
 #include <asm/unistd.h>
-#include <asm/vdso-syscalls.h>
        .text
 /* int __vdso_flush_icache(void *start, void *end, unsigned long flags); */
diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index df2ca3c65048..0713f3c67ab4 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -63,7 +63,7 @@ asmlinkage void do_page_fault(struct pt_regs *regs)
                goto vmalloc_fault;
        /* Enable interrupts if they were enabled in the parent context. */
-        if (likely(regs->sstatus & SR_PIE))
+        if (likely(regs->sstatus & SR_SPIE))
                local_irq_enable();
        /*
diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
index e14f381757f6..c1b0a9ac1dc8 100644
--- a/arch/s390/include/asm/kvm_host.h
+++ b/arch/s390/include/asm/kvm_host.h
@@ -207,7 +207,8 @@ struct kvm_s390_sie_block {
        __u16   ipa;                    /* 0x0056 */
        __u32   ipb;                    /* 0x0058 */
        __u32   scaoh;                  /* 0x005c */
-        __u8    reserved60;             /* 0x0060 */
+#define FPF_BPBC        0x20
+        __u8    fpf;                    /* 0x0060 */
 #define ECB_GS          0x40
 #define ECB_TE          0x10
 #define ECB_SRSI        0x04
diff --git a/arch/s390/include/uapi/asm/kvm.h b/arch/s390/include/uapi/asm/kvm.h
index 38535a57fef8..4cdaa55fabfe 100644
--- a/arch/s390/include/uapi/asm/kvm.h
+++ b/arch/s390/include/uapi/asm/kvm.h
@@ -224,6 +224,7 @@ struct kvm_guest_debug_arch {
 #define KVM_SYNC_RICCB  (1UL << 7)
 #define KVM_SYNC_FPRS   (1UL << 8)
 #define KVM_SYNC_GSCB   (1UL << 9)
+#define KVM_SYNC_BPBC   (1UL << 10)
 /* length and alignment of the sdnx as a power of two */
 #define SDNXC 8
 #define SDNXL (1UL << SDNXC)
@@ -247,7 +248,9 @@ struct kvm_sync_regs {
        };
        __u8  reserved[512];    /* for future vector expansion */
        __u32 fpc;              /* valid on KVM_SYNC_VRS or KVM_SYNC_FPRS */
-        __u8 padding1[52];      /* riccb needs to be 64byte aligned */
+        __u8 bpbc : 1;          /* bp mode */
+        __u8 reserved2 : 7;
+        __u8 padding1[51];      /* riccb needs to be 64byte aligned */
        __u8 riccb[64];         /* runtime instrumentation controls block */
        __u8 padding2[192];     /* sdnx needs to be 256byte aligned */
        union {
diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index ec8b68e97d3c..1371dff2b90d 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -421,6 +421,9 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
        case KVM_CAP_S390_GS:
                r = test_facility(133);
                break;
+        case KVM_CAP_S390_BPB:
+                r = test_facility(82);
+                break;
        default:
                r = 0;
        }
@@ -766,7 +769,7 @@ static void kvm_s390_sync_request_broadcast(struct kvm *kvm, int req)
 /*
 * Must be called with kvm->srcu held to avoid races on memslots, and with
- * kvm->lock to avoid races with ourselves and kvm_s390_vm_stop_migration.
+ * kvm->slots_lock to avoid races with ourselves and kvm_s390_vm_stop_migration.
 */
 static int kvm_s390_vm_start_migration(struct kvm *kvm)
 {
@@ -792,11 +795,12 @@ static int kvm_s390_vm_start_migration(struct kvm *kvm)
        if (kvm->arch.use_cmma) {
                /*
-                 * Get the last slot. They should be sorted by base_gfn, so the
+                 * Get the first slot. They are reverse sorted by base_gfn, so
-                 * last slot is also the one at the end of the address space.
+                 * the first slot is also the one at the end of the address
-                 * We have verified above that at least one slot is present.
+                 * space. We have verified above that at least one slot is
+                 * present.
                 */
-                ms = slots->memslots + slots->used_slots - 1;
+                ms = slots->memslots;
                /* round up so we only use full longs */
                ram_pages = roundup(ms->base_gfn + ms->npages, BITS_PER_LONG);
                /* allocate enough bytes to store all the bits */
@@ -821,7 +825,7 @@ static int kvm_s390_vm_start_migration(struct kvm *kvm)
 }
 /*
- * Must be called with kvm->lock to avoid races with ourselves and
+ * Must be called with kvm->slots_lock to avoid races with ourselves and
 * kvm_s390_vm_start_migration.
 */
 static int kvm_s390_vm_stop_migration(struct kvm *kvm)
@@ -836,6 +840,8 @@ static int kvm_s390_vm_stop_migration(struct kvm *kvm)
        if (kvm->arch.use_cmma) {
                kvm_s390_sync_request_broadcast(kvm, KVM_REQ_STOP_MIGRATION);
+                /* We have to wait for the essa emulation to finish */
+                synchronize_srcu(&kvm->srcu);
                vfree(mgs->pgste_bitmap);
        }
        kfree(mgs);
@@ -845,14 +851,12 @@ static int kvm_s390_vm_stop_migration(struct kvm *kvm)
 static int kvm_s390_vm_set_migration(struct kvm *kvm,
                                     struct kvm_device_attr *attr)
 {
-        int idx, res = -ENXIO;
+        int res = -ENXIO;
-        mutex_lock(&kvm->lock);
+        mutex_lock(&kvm->slots_lock);
        switch (attr->attr) {
        case KVM_S390_VM_MIGRATION_START:
-                idx = srcu_read_lock(&kvm->srcu);
                res = kvm_s390_vm_start_migration(kvm);
-                srcu_read_unlock(&kvm->srcu, idx);
                break;
        case KVM_S390_VM_MIGRATION_STOP:
                res = kvm_s390_vm_stop_migration(kvm);
@@ -860,7 +864,7 @@ static int kvm_s390_vm_set_migration(struct kvm *kvm,
        default:
                break;
        }
-        mutex_unlock(&kvm->lock);
+        mutex_unlock(&kvm->slots_lock);
        return res;
 }
@@ -1750,7 +1754,9 @@ long kvm_arch_vm_ioctl(struct file *filp,
                r = -EFAULT;
                if (copy_from_user(&args, argp, sizeof(args)))
                        break;
+                mutex_lock(&kvm->slots_lock);
                r = kvm_s390_get_cmma_bits(kvm, &args);
+                mutex_unlock(&kvm->slots_lock);
                if (!r) {
                        r = copy_to_user(argp, &args, sizeof(args));
                        if (r)
@@ -1764,7 +1770,9 @@ long kvm_arch_vm_ioctl(struct file *filp,
                r = -EFAULT;
                if (copy_from_user(&args, argp, sizeof(args)))
                        break;
+                mutex_lock(&kvm->slots_lock);
                r = kvm_s390_set_cmma_bits(kvm, &args);
+                mutex_unlock(&kvm->slots_lock);
                break;
        }
        default:
@@ -2197,6 +2205,8 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
        kvm_s390_set_prefix(vcpu, 0);
        if (test_kvm_facility(vcpu->kvm, 64))
                vcpu->run->kvm_valid_regs |= KVM_SYNC_RICCB;
+        if (test_kvm_facility(vcpu->kvm, 82))
+                vcpu->run->kvm_valid_regs |= KVM_SYNC_BPBC;
        if (test_kvm_facility(vcpu->kvm, 133))
                vcpu->run->kvm_valid_regs |= KVM_SYNC_GSCB;
        /* fprs can be synchronized via vrs, even if the guest has no vx. With
@@ -2338,6 +2348,7 @@ static void kvm_s390_vcpu_initial_reset(struct kvm_vcpu *vcpu)
        current->thread.fpu.fpc = 0;
        vcpu->arch.sie_block->gbea = 1;
        vcpu->arch.sie_block->pp = 0;
+        vcpu->arch.sie_block->fpf &= ~FPF_BPBC;
        vcpu->arch.pfault_token = KVM_S390_PFAULT_TOKEN_INVALID;
        kvm_clear_async_pf_completion_queue(vcpu);
        if (!kvm_s390_user_cpu_state_ctrl(vcpu->kvm))
@@ -3297,6 +3308,11 @@ static void sync_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
                vcpu->arch.sie_block->ecd |= ECD_HOSTREGMGMT;
                vcpu->arch.gs_enabled = 1;
        }
+        if ((kvm_run->kvm_dirty_regs & KVM_SYNC_BPBC) &&
+            test_kvm_facility(vcpu->kvm, 82)) {
+                vcpu->arch.sie_block->fpf &= ~FPF_BPBC;
+                vcpu->arch.sie_block->fpf |= kvm_run->s.regs.bpbc ? FPF_BPBC : 0;
+        }
        save_access_regs(vcpu->arch.host_acrs);
        restore_access_regs(vcpu->run->s.regs.acrs);
        /* save host (userspace) fprs/vrs */
@@ -3343,6 +3359,7 @@ static void store_regs(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
        kvm_run->s.regs.pft = vcpu->arch.pfault_token;
        kvm_run->s.regs.pfs = vcpu->arch.pfault_select;
        kvm_run->s.regs.pfc = vcpu->arch.pfault_compare;
+        kvm_run->s.regs.bpbc = (vcpu->arch.sie_block->fpf & FPF_BPBC) == FPF_BPBC;
        save_access_regs(vcpu->run->s.regs.acrs);
        restore_access_regs(vcpu->arch.host_acrs);
        /* Save guest register state */
diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c
index 572496c688cc..0714bfa56da0 100644
--- a/arch/s390/kvm/priv.c
+++ b/arch/s390/kvm/priv.c
@@ -1006,7 +1006,7 @@ static inline int do_essa(struct kvm_vcpu *vcpu, const int orc)
                cbrlo[entries] = gfn << PAGE_SHIFT;
        }
-        if (orc) {
+        if (orc && gfn < ms->bitmap_size) {
                /* increment only if we are really flipping the bit to 1 */
                if (!test_and_set_bit(gfn, ms->pgste_bitmap))
                        atomic64_inc(&ms->dirty_pages);
diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c
index 5d6ae0326d9e..751348348477 100644
--- a/arch/s390/kvm/vsie.c
+++ b/arch/s390/kvm/vsie.c
@@ -223,6 +223,12 @@ static void unshadow_scb(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page)
        memcpy(scb_o->gcr, scb_s->gcr, 128);
        scb_o->pp = scb_s->pp;
+        /* branch prediction */
+        if (test_kvm_facility(vcpu->kvm, 82)) {
+                scb_o->fpf &= ~FPF_BPBC;
+                scb_o->fpf |= scb_s->fpf & FPF_BPBC;
+        }
        /* interrupt intercept */
        switch (scb_s->icptcode) {
        case ICPT_PROGI:
@@ -265,6 +271,7 @@ static int shadow_scb(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page)
        scb_s->ecb3 = 0;
        scb_s->ecd = 0;
        scb_s->fac = 0;
+        scb_s->fpf = 0;
        rc = prepare_cpuflags(vcpu, vsie_page);
        if (rc)
@@ -324,6 +331,9 @@ static int shadow_scb(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page)
                        prefix_unmapped(vsie_page);
                scb_s->ecb |= scb_o->ecb & ECB_TE;
        }
+        /* branch prediction */
+        if (test_kvm_facility(vcpu->kvm, 82))
+                scb_s->fpf |= scb_o->fpf & FPF_BPBC;
        /* SIMD */
        if (test_kvm_facility(vcpu->kvm, 129)) {
                scb_s->eca |= scb_o->eca & ECA_VX;
diff --git a/arch/sh/boards/mach-se/770x/setup.c b/arch/sh/boards/mach-se/770x/setup.c
index 77c35350ee77..412326d59e6f 100644
--- a/arch/sh/boards/mach-se/770x/setup.c
+++ b/arch/sh/boards/mach-se/770x/setup.c
@@ -9,6 +9,7 @@
 */
 #include <linux/init.h>
 #include <linux/platform_device.h>
+#include <linux/sh_eth.h>
 #include <mach-se/mach/se.h>
 #include <mach-se/mach/mrshpc.h>
 #include <asm/machvec.h>
@@ -115,13 +116,23 @@ static struct platform_device heartbeat_device = {
 #if defined(CONFIG_CPU_SUBTYPE_SH7710) ||\
        defined(CONFIG_CPU_SUBTYPE_SH7712)
 /* SH771X Ethernet driver */
+static struct sh_eth_plat_data sh_eth_plat = {
+        .phy = PHY_ID,
+        .phy_interface = PHY_INTERFACE_MODE_MII,
+};
 static struct resource sh_eth0_resources[] = {
        [0] = {
                .start = SH_ETH0_BASE,
-                .end = SH_ETH0_BASE + 0x1B8,
+                .end = SH_ETH0_BASE + 0x1B8 - 1,
                .flags = IORESOURCE_MEM,
        },
        [1] = {
+                .start = SH_TSU_BASE,
+                .end = SH_TSU_BASE + 0x200 - 1,
+                .flags = IORESOURCE_MEM,
+        },
+        [2] = {
                .start = SH_ETH0_IRQ,
                .end = SH_ETH0_IRQ,
                .flags = IORESOURCE_IRQ,
@@ -132,7 +143,7 @@ static struct platform_device sh_eth0_device = {
        .name = "sh771x-ether",
        .id = 0,
        .dev = {
-                .platform_data = PHY_ID,
+                .platform_data = &sh_eth_plat,
        },
        .num_resources = ARRAY_SIZE(sh_eth0_resources),
        .resource = sh_eth0_resources,
@@ -141,10 +152,15 @@ static struct platform_device sh_eth0_device = {
 static struct resource sh_eth1_resources[] = {
        [0] = {
                .start = SH_ETH1_BASE,
-                .end = SH_ETH1_BASE + 0x1B8,
+                .end = SH_ETH1_BASE + 0x1B8 - 1,
                .flags = IORESOURCE_MEM,
        },
        [1] = {
+                .start = SH_TSU_BASE,
+                .end = SH_TSU_BASE + 0x200 - 1,
+                .flags = IORESOURCE_MEM,
+        },
+        [2] = {
                .start = SH_ETH1_IRQ,
                .end = SH_ETH1_IRQ,
                .flags = IORESOURCE_IRQ,
@@ -155,7 +171,7 @@ static struct platform_device sh_eth1_device = {
        .name = "sh771x-ether",
        .id = 1,
        .dev = {
-                .platform_data = PHY_ID,
+                .platform_data = &sh_eth_plat,
        },
        .num_resources = ARRAY_SIZE(sh_eth1_resources),
        .resource = sh_eth1_resources,
diff --git a/arch/sh/include/mach-se/mach/se.h b/arch/sh/include/mach-se/mach/se.h
index 4246ef9b07a3..aa83fe1ff0b1 100644
--- a/arch/sh/include/mach-se/mach/se.h
+++ b/arch/sh/include/mach-se/mach/se.h
@@ -100,6 +100,7 @@
 /* Base address */
 #define SH_ETH0_BASE 0xA7000000
 #define SH_ETH1_BASE 0xA7000400
+#define SH_TSU_BASE  0xA7000800
 /* PHY ID */
 #if defined(CONFIG_CPU_SUBTYPE_SH7710)
 # define PHY_ID 0x00
diff --git a/arch/sparc/crypto/Makefile b/arch/sparc/crypto/Makefile
index 818d3aa5172e..d257186c27d1 100644
--- a/arch/sparc/crypto/Makefile
+++ b/arch/sparc/crypto/Makefile
@@ -10,7 +10,7 @@ obj-$(CONFIG_CRYPTO_MD5_SPARC64) += md5-sparc64.o
 obj-$(CONFIG_CRYPTO_AES_SPARC64) += aes-sparc64.o
 obj-$(CONFIG_CRYPTO_DES_SPARC64) += des-sparc64.o
-obj-$(CONFIG_CRYPTO_DES_SPARC64) += camellia-sparc64.o
+obj-$(CONFIG_CRYPTO_CAMELLIA_SPARC64) += camellia-sparc64.o
 obj-$(CONFIG_CRYPTO_CRC32C_SPARC64) += crc32c-sparc64.o
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index d4fc98c50378..20da391b5f32 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -55,7 +55,6 @@ config X86
        select ARCH_HAS_GCOV_PROFILE_ALL
        select ARCH_HAS_KCOV                    if X86_64
        select ARCH_HAS_PMEM_API                if X86_64
-        # Causing hangs/crashes, see the commit that added this change for details.
        select ARCH_HAS_REFCOUNT
        select ARCH_HAS_UACCESS_FLUSHCACHE      if X86_64
        select ARCH_HAS_SET_MEMORY
@@ -89,6 +88,7 @@ config X86
        select GENERIC_CLOCKEVENTS_MIN_ADJUST
        select GENERIC_CMOS_UPDATE
        select GENERIC_CPU_AUTOPROBE
+        select GENERIC_CPU_VULNERABILITIES
        select GENERIC_EARLY_IOREMAP
        select GENERIC_FIND_FIRST_BIT
        select GENERIC_IOMAP
@@ -429,6 +429,19 @@ config GOLDFISH
       def_bool y
       depends on X86_GOLDFISH
+config RETPOLINE
+        bool "Avoid speculative indirect branches in kernel"
+        default y
+        help
+          Compile kernel with the retpoline compiler options to guard against
+          kernel-to-user data leaks by avoiding speculative indirect
+          branches. Requires a compiler with -mindirect-branch=thunk-extern
+          support for full protection. The kernel may run slower.
+          Without compiler support, at least indirect branches in assembler
+          code are eliminated. Since this includes the syscall entry path,
+          it is not entirely pointless.
 config INTEL_RDT
        bool "Intel Resource Director Technology support"
        default n
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 3e73bc255e4e..fad55160dcb9 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -230,6 +230,14 @@ KBUILD_CFLAGS += -Wno-sign-compare
 #
 KBUILD_CFLAGS += -fno-asynchronous-unwind-tables
+# Avoid indirect branches in kernel to deal with Spectre
+ifdef CONFIG_RETPOLINE
+    RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register)
+    ifneq ($(RETPOLINE_CFLAGS),)
+        KBUILD_CFLAGS += $(RETPOLINE_CFLAGS) -DRETPOLINE
+    endif
+endif
 archscripts: scripts_basic
        $(Q)$(MAKE) $(build)=arch/x86/tools relocs
diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S
index 16627fec80b2..3d09e3aca18d 100644
--- a/arch/x86/crypto/aesni-intel_asm.S
+++ b/arch/x86/crypto/aesni-intel_asm.S
@@ -32,6 +32,7 @@
 #include <linux/linkage.h>
 #include <asm/inst.h>
 #include <asm/frame.h>
+#include <asm/nospec-branch.h>
 /*
 * The following macros are used to move an (un)aligned 16 byte value to/from
@@ -2884,7 +2885,7 @@ ENTRY(aesni_xts_crypt8)
        pxor INC, STATE4
        movdqu IV, 0x30(OUTP)
-        call *%r11
+        CALL_NOSPEC %r11
        movdqu 0x00(OUTP), INC
        pxor INC, STATE1
@@ -2929,7 +2930,7 @@ ENTRY(aesni_xts_crypt8)
        _aesni_gf128mul_x_ble()
        movups IV, (IVP)
-        call *%r11
+        CALL_NOSPEC %r11
        movdqu 0x40(OUTP), INC
        pxor INC, STATE1
diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
index f7c495e2863c..a14af6eb09cb 100644
--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S
+++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
@@ -17,6 +17,7 @@
 #include <linux/linkage.h>
 #include <asm/frame.h>
+#include <asm/nospec-branch.h>
 #define CAMELLIA_TABLE_BYTE_LEN 272
@@ -1227,7 +1228,7 @@ camellia_xts_crypt_16way:
        vpxor 14 * 16(%rax), %xmm15, %xmm14;
        vpxor 15 * 16(%rax), %xmm15, %xmm15;
-        call *%r9;
+        CALL_NOSPEC %r9;
        addq $(16 * 16), %rsp;
diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
index eee5b3982cfd..b66bbfa62f50 100644
--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
+++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
@@ -12,6 +12,7 @@
 #include <linux/linkage.h>
 #include <asm/frame.h>
+#include <asm/nospec-branch.h>
 #define CAMELLIA_TABLE_BYTE_LEN 272
@@ -1343,7 +1344,7 @@ camellia_xts_crypt_32way:
        vpxor 14 * 32(%rax), %ymm15, %ymm14;
        vpxor 15 * 32(%rax), %ymm15, %ymm15;
-        call *%r9;
+        CALL_NOSPEC %r9;
        addq $(16 * 32), %rsp;
diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
index 7a7de27c6f41..d9b734d0c8cc 100644
--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
+++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
@@ -45,6 +45,7 @@
 #include <asm/inst.h>
 #include <linux/linkage.h>
+#include <asm/nospec-branch.h>
 ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction
@@ -172,7 +173,7 @@ continue_block:
        movzxw  (bufp, %rax, 2), len
        lea     crc_array(%rip), bufp
        lea     (bufp, len, 1), bufp
-        jmp     *bufp
+        JMP_NOSPEC bufp
        ################################################################
        ## 2a) PROCESS FULL BLOCKS:
diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
index 45a63e00a6af..3f48f695d5e6 100644
--- a/arch/x86/entry/calling.h
+++ b/arch/x86/entry/calling.h
@@ -198,8 +198,11 @@ For 32-bit we have the following conventions - kernel is built with
 * PAGE_TABLE_ISOLATION PGDs are 8k.  Flip bit 12 to switch between the two
 * halves:
 */
-#define PTI_SWITCH_PGTABLES_MASK        (1<<PAGE_SHIFT)
+#define PTI_USER_PGTABLE_BIT            PAGE_SHIFT
-#define PTI_SWITCH_MASK         (PTI_SWITCH_PGTABLES_MASK|(1<<X86_CR3_PTI_SWITCH_BIT))
+#define PTI_USER_PGTABLE_MASK           (1 << PTI_USER_PGTABLE_BIT)
+#define PTI_USER_PCID_BIT               X86_CR3_PTI_PCID_USER_BIT
+#define PTI_USER_PCID_MASK              (1 << PTI_USER_PCID_BIT)
+#define PTI_USER_PGTABLE_AND_PCID_MASK  (PTI_USER_PCID_MASK | PTI_USER_PGTABLE_MASK)
 .macro SET_NOFLUSH_BIT  reg:req
        bts     $X86_CR3_PCID_NOFLUSH_BIT, \reg
@@ -208,7 +211,7 @@ For 32-bit we have the following conventions - kernel is built with
 .macro ADJUST_KERNEL_CR3 reg:req
        ALTERNATIVE "", "SET_NOFLUSH_BIT \reg", X86_FEATURE_PCID
        /* Clear PCID and "PAGE_TABLE_ISOLATION bit", point CR3 at kernel pagetables: */
-        andq    $(~PTI_SWITCH_MASK), \reg
+        andq    $(~PTI_USER_PGTABLE_AND_PCID_MASK), \reg
 .endm
 .macro SWITCH_TO_KERNEL_CR3 scratch_reg:req
@@ -239,15 +242,19 @@ For 32-bit we have the following conventions - kernel is built with
        /* Flush needed, clear the bit */
        btr     \scratch_reg, THIS_CPU_user_pcid_flush_mask
        movq    \scratch_reg2, \scratch_reg
-        jmp     .Lwrcr3_\@
+        jmp     .Lwrcr3_pcid_\@
 .Lnoflush_\@:
        movq    \scratch_reg2, \scratch_reg
        SET_NOFLUSH_BIT \scratch_reg
+.Lwrcr3_pcid_\@:
+        /* Flip the ASID to the user version */
+        orq     $(PTI_USER_PCID_MASK), \scratch_reg
 .Lwrcr3_\@:
-        /* Flip the PGD and ASID to the user version */
+        /* Flip the PGD to the user version */
-        orq     $(PTI_SWITCH_MASK), \scratch_reg
+        orq     $(PTI_USER_PGTABLE_MASK), \scratch_reg
        mov     \scratch_reg, %cr3
 .Lend_\@:
 .endm
@@ -263,17 +270,12 @@ For 32-bit we have the following conventions - kernel is built with
        movq    %cr3, \scratch_reg
        movq    \scratch_reg, \save_reg
        /*
-         * Is the "switch mask" all zero?  That means that both of
+         * Test the user pagetable bit. If set, then the user page tables
-         * these are zero:
+         * are active. If clear CR3 already has the kernel page table
-         *
+         * active.
-         *      1. The user/kernel PCID bit, and
-         *      2. The user/kernel "bit" that points CR3 to the
-         *         bottom half of the 8k PGD
-         *
-         * That indicates a kernel CR3 value, not a user CR3.
         */
-        testq   $(PTI_SWITCH_MASK), \scratch_reg
+        bt      $PTI_USER_PGTABLE_BIT, \scratch_reg
-        jz      .Ldone_\@
+        jnc     .Ldone_\@
        ADJUST_KERNEL_CR3 \scratch_reg
        movq    \scratch_reg, %cr3
@@ -290,7 +292,7 @@ For 32-bit we have the following conventions - kernel is built with
         * KERNEL pages can always resume with NOFLUSH as we do
         * explicit flushes.
         */
-        bt      $X86_CR3_PTI_SWITCH_BIT, \save_reg
+        bt      $PTI_USER_PGTABLE_BIT, \save_reg
        jnc     .Lnoflush_\@
        /*
diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index ace8f321a5a1..60c4c342316c 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -44,6 +44,7 @@
 #include <asm/asm.h>
 #include <asm/smap.h>
 #include <asm/frame.h>
+#include <asm/nospec-branch.h>
        .section .entry.text, "ax"
@@ -243,6 +244,17 @@ ENTRY(__switch_to_asm)
        movl    %ebx, PER_CPU_VAR(stack_canary)+stack_canary_offset
 #endif
+#ifdef CONFIG_RETPOLINE
+        /*
+         * When switching from a shallower to a deeper call stack
+         * the RSB may either underflow or use entries populated
+         * with userspace addresses. On CPUs where those concerns
+         * exist, overwrite the RSB with entries which capture
+         * speculative execution to prevent attack.
+         */
+        FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
+#endif
        /* restore callee-saved registers */
        popl    %esi
        popl    %edi
@@ -290,7 +302,7 @@ ENTRY(ret_from_fork)
        /* kernel thread */
 1:      movl    %edi, %eax
-        call    *%ebx
+        CALL_NOSPEC %ebx
        /*
         * A kernel thread is allowed to return here after successfully
         * calling do_execve().  Exit to userspace to complete the execve()
@@ -919,7 +931,7 @@ common_exception:
        movl    %ecx, %es
        TRACE_IRQS_OFF
        movl    %esp, %eax                      # pt_regs pointer
-        call    *%edi
+        CALL_NOSPEC %edi
        jmp     ret_from_exception
 END(common_exception)
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index f048e384ff54..ff6f8022612c 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -37,6 +37,7 @@
 #include <asm/pgtable_types.h>
 #include <asm/export.h>
 #include <asm/frame.h>
+#include <asm/nospec-branch.h>
 #include <linux/err.h>
 #include "calling.h"
@@ -191,7 +192,7 @@ ENTRY(entry_SYSCALL_64_trampoline)
         */
        pushq   %rdi
        movq    $entry_SYSCALL_64_stage2, %rdi
-        jmp     *%rdi
+        JMP_NOSPEC %rdi
 END(entry_SYSCALL_64_trampoline)
        .popsection
@@ -270,7 +271,12 @@ entry_SYSCALL_64_fastpath:
         * It might end up jumping to the slow path.  If it jumps, RAX
         * and all argument registers are clobbered.
         */
+#ifdef CONFIG_RETPOLINE
+        movq    sys_call_table(, %rax, 8), %rax
+        call    __x86_indirect_thunk_rax
+#else
        call    *sys_call_table(, %rax, 8)
+#endif
 .Lentry_SYSCALL_64_after_fastpath_call:
        movq    %rax, RAX(%rsp)
@@ -442,7 +448,7 @@ ENTRY(stub_ptregs_64)
        jmp     entry_SYSCALL64_slow_path
 1:
-        jmp     *%rax                           /* Called from C */
+        JMP_NOSPEC %rax                         /* Called from C */
 END(stub_ptregs_64)
 .macro ptregs_stub func
@@ -485,6 +491,17 @@ ENTRY(__switch_to_asm)
        movq    %rbx, PER_CPU_VAR(irq_stack_union)+stack_canary_offset
 #endif
+#ifdef CONFIG_RETPOLINE
+        /*
+         * When switching from a shallower to a deeper call stack
+         * the RSB may either underflow or use entries populated
+         * with userspace addresses. On CPUs where those concerns
+         * exist, overwrite the RSB with entries which capture
+         * speculative execution to prevent attack.
+         */
+        FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW
+#endif
        /* restore callee-saved registers */
        popq    %r15
        popq    %r14
@@ -521,7 +538,7 @@ ENTRY(ret_from_fork)
 1:
        /* kernel thread */
        movq    %r12, %rdi
-        call    *%rbx
+        CALL_NOSPEC %rbx
        /*
         * A kernel thread is allowed to return here after successfully
         * calling do_execve().  Exit to userspace to complete the execve()
@@ -1247,7 +1264,7 @@ idtentry async_page_fault	do_async_page_fault	has_error_code=1
 #endif
 #ifdef CONFIG_X86_MCE
-idtentry machine_check                                  has_error_code=0        paranoid=1 do_sym=*machine_check_vector(%rip)
+idtentry machine_check          do_mce                  has_error_code=0        paranoid=1
 #endif
 /*
diff --git a/arch/x86/events/intel/bts.c b/arch/x86/events/intel/bts.c
index 141e07b06216..24ffa1e88cf9 100644
--- a/arch/x86/events/intel/bts.c
+++ b/arch/x86/events/intel/bts.c
@@ -582,6 +582,24 @@ static __init int bts_init(void)
        if (!boot_cpu_has(X86_FEATURE_DTES64) || !x86_pmu.bts)
                return -ENODEV;
+        if (boot_cpu_has(X86_FEATURE_PTI)) {
+                /*
+                 * BTS hardware writes through a virtual memory map we must
+                 * either use the kernel physical map, or the user mapping of
+                 * the AUX buffer.
+                 *
+                 * However, since this driver supports per-CPU and per-task inherit
+                 * we cannot use the user mapping since it will not be availble
+                 * if we're not running the owning process.
+                 *
+                 * With PTI we can't use the kernal map either, because its not
+                 * there when we run userspace.
+                 *
+                 * For now, disable this driver when using PTI.
+                 */
+                return -ENODEV;
+        }
        bts_pmu.capabilities    = PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE |
                                  PERF_PMU_CAP_EXCLUSIVE;
        bts_pmu.task_ctx_nr     = perf_sw_context;
diff --git a/arch/x86/events/intel/rapl.c b/arch/x86/events/intel/rapl.c
index 005908ee9333..a2efb490f743 100644
--- a/arch/x86/events/intel/rapl.c
+++ b/arch/x86/events/intel/rapl.c
@@ -755,14 +755,14 @@ static const struct x86_cpu_id rapl_cpu_match[] __initconst = {
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_IVYBRIDGE_X, snbep_rapl_init),
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_HASWELL_CORE, hsw_rapl_init),
-        X86_RAPL_MODEL_MATCH(INTEL_FAM6_HASWELL_X,    hsw_rapl_init),
+        X86_RAPL_MODEL_MATCH(INTEL_FAM6_HASWELL_X,    hsx_rapl_init),
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_HASWELL_ULT,  hsw_rapl_init),
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_HASWELL_GT3E, hsw_rapl_init),
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_BROADWELL_CORE,   hsw_rapl_init),
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_BROADWELL_GT3E,   hsw_rapl_init),
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_BROADWELL_X,      hsx_rapl_init),
-        X86_RAPL_MODEL_MATCH(INTEL_FAM6_BROADWELL_XEON_D, hsw_rapl_init),
+        X86_RAPL_MODEL_MATCH(INTEL_FAM6_BROADWELL_XEON_D, hsx_rapl_init),
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_XEON_PHI_KNL, knl_rapl_init),
        X86_RAPL_MODEL_MATCH(INTEL_FAM6_XEON_PHI_KNM, knl_rapl_init),
diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
index a9e57f08bfa6..98722773391d 100644
--- a/arch/x86/include/asm/apic.h
+++ b/arch/x86/include/asm/apic.h
@@ -136,6 +136,7 @@ extern void disconnect_bsp_APIC(int virt_wire_setup);
 extern void disable_local_APIC(void);
 extern void lapic_shutdown(void);
 extern void sync_Arb_IDs(void);
+extern void init_bsp_APIC(void);
 extern void apic_intr_mode_init(void);
 extern void setup_local_APIC(void);
 extern void init_apic_mappings(void);
diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h
index ff700d81e91e..0927cdc4f946 100644
--- a/arch/x86/include/asm/asm-prototypes.h
+++ b/arch/x86/include/asm/asm-prototypes.h
@@ -11,7 +11,32 @@
 #include <asm/pgtable.h>
 #include <asm/special_insns.h>
 #include <asm/preempt.h>
+#include <asm/asm.h>
 #ifndef CONFIG_X86_CMPXCHG64
 extern void cmpxchg8b_emu(void);
 #endif
+#ifdef CONFIG_RETPOLINE
+#ifdef CONFIG_X86_32
+#define INDIRECT_THUNK(reg) extern asmlinkage void __x86_indirect_thunk_e ## reg(void);
+#else
+#define INDIRECT_THUNK(reg) extern asmlinkage void __x86_indirect_thunk_r ## reg(void);
+INDIRECT_THUNK(8)
+INDIRECT_THUNK(9)
+INDIRECT_THUNK(10)
+INDIRECT_THUNK(11)
+INDIRECT_THUNK(12)
+INDIRECT_THUNK(13)
+INDIRECT_THUNK(14)
+INDIRECT_THUNK(15)
+#endif
+INDIRECT_THUNK(ax)
+INDIRECT_THUNK(bx)
+INDIRECT_THUNK(cx)
+INDIRECT_THUNK(dx)
+INDIRECT_THUNK(si)
+INDIRECT_THUNK(di)
+INDIRECT_THUNK(bp)
+INDIRECT_THUNK(sp)
+#endif /* CONFIG_RETPOLINE */
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 21ac898df2d8..25b9375c1484 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -203,12 +203,14 @@
 #define X86_FEATURE_PROC_FEEDBACK       ( 7*32+ 9) /* AMD ProcFeedbackInterface */
 #define X86_FEATURE_SME                 ( 7*32+10) /* AMD Secure Memory Encryption */
 #define X86_FEATURE_PTI                 ( 7*32+11) /* Kernel Page Table Isolation enabled */
+#define X86_FEATURE_RETPOLINE           ( 7*32+12) /* Generic Retpoline mitigation for Spectre variant 2 */
+#define X86_FEATURE_RETPOLINE_AMD       ( 7*32+13) /* AMD Retpoline mitigation for Spectre variant 2 */
 #define X86_FEATURE_INTEL_PPIN          ( 7*32+14) /* Intel Processor Inventory Number */
-#define X86_FEATURE_INTEL_PT            ( 7*32+15) /* Intel Processor Trace */
 #define X86_FEATURE_AVX512_4VNNIW       ( 7*32+16) /* AVX-512 Neural Network Instructions */
 #define X86_FEATURE_AVX512_4FMAPS       ( 7*32+17) /* AVX-512 Multiply Accumulation Single precision */
 #define X86_FEATURE_MBA                 ( 7*32+18) /* Memory Bandwidth Allocation */
+#define X86_FEATURE_RSB_CTXSW           ( 7*32+19) /* Fill RSB on context switches */
 /* Virtualization flags: Linux defined, word 8 */
 #define X86_FEATURE_TPR_SHADOW          ( 8*32+ 0) /* Intel TPR Shadow */
@@ -243,6 +245,7 @@
 #define X86_FEATURE_AVX512IFMA          ( 9*32+21) /* AVX-512 Integer Fused Multiply-Add instructions */
 #define X86_FEATURE_CLFLUSHOPT          ( 9*32+23) /* CLFLUSHOPT instruction */
 #define X86_FEATURE_CLWB                ( 9*32+24) /* CLWB instruction */
+#define X86_FEATURE_INTEL_PT            ( 9*32+25) /* Intel Processor Trace */
 #define X86_FEATURE_AVX512PF            ( 9*32+26) /* AVX-512 Prefetch */
 #define X86_FEATURE_AVX512ER            ( 9*32+27) /* AVX-512 Exponential and Reciprocal */
 #define X86_FEATURE_AVX512CD            ( 9*32+28) /* AVX-512 Conflict Detection */
@@ -342,5 +345,7 @@
 #define X86_BUG_MONITOR                 X86_BUG(12) /* IPI required to wake up remote CPU */
 #define X86_BUG_AMD_E400                X86_BUG(13) /* CPU is among the affected by Erratum 400 */
 #define X86_BUG_CPU_MELTDOWN            X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
+#define X86_BUG_SPECTRE_V1              X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
+#define X86_BUG_SPECTRE_V2              X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
 #endif /* _ASM_X86_CPUFEATURES_H */
diff --git a/arch/x86/include/asm/mem_encrypt.h b/arch/x86/include/asm/mem_encrypt.h
index c9459a4c3c68..22c5f3e6f820 100644
--- a/arch/x86/include/asm/mem_encrypt.h
+++ b/arch/x86/include/asm/mem_encrypt.h
@@ -39,7 +39,7 @@ void __init sme_unmap_bootdata(char *real_mode_data);
 void __init sme_early_init(void);
-void __init sme_encrypt_kernel(void);
+void __init sme_encrypt_kernel(struct boot_params *bp);
 void __init sme_enable(struct boot_params *bp);
 int __init early_set_memory_decrypted(unsigned long vaddr, unsigned long size);
@@ -67,7 +67,7 @@ static inline void __init sme_unmap_bootdata(char *real_mode_data) { }
 static inline void __init sme_early_init(void) { }
-static inline void __init sme_encrypt_kernel(void) { }
+static inline void __init sme_encrypt_kernel(struct boot_params *bp) { }
 static inline void __init sme_enable(struct boot_params *bp) { }
 static inline bool sme_active(void) { return false; }
diff --git a/arch/x86/include/asm/mshyperv.h b/arch/x86/include/asm/mshyperv.h
index 5400add2885b..8bf450b13d9f 100644
--- a/arch/x86/include/asm/mshyperv.h
+++ b/arch/x86/include/asm/mshyperv.h
@@ -7,6 +7,7 @@
 #include <linux/nmi.h>
 #include <asm/io.h>
 #include <asm/hyperv.h>
+#include <asm/nospec-branch.h>
 /*
 * The below CPUID leaves are present if VersionAndFeatures.HypervisorPresent
@@ -186,10 +187,11 @@ static inline u64 hv_do_hypercall(u64 control, void *input, void *output)
                return U64_MAX;
        __asm__ __volatile__("mov %4, %%r8\n"
-                             "call *%5"
+                             CALL_NOSPEC
                             : "=a" (hv_status), ASM_CALL_CONSTRAINT,
                               "+c" (control), "+d" (input_address)
-                             :  "r" (output_address), "m" (hv_hypercall_pg)
+                             :  "r" (output_address),
+                                THUNK_TARGET(hv_hypercall_pg)
                             : "cc", "memory", "r8", "r9", "r10", "r11");
 #else
        u32 input_address_hi = upper_32_bits(input_address);
@@ -200,13 +202,13 @@ static inline u64 hv_do_hypercall(u64 control, void *input, void *output)
        if (!hv_hypercall_pg)
                return U64_MAX;
-        __asm__ __volatile__("call *%7"
+        __asm__ __volatile__(CALL_NOSPEC
                             : "=A" (hv_status),
                               "+c" (input_address_lo), ASM_CALL_CONSTRAINT
                             : "A" (control),
                               "b" (input_address_hi),
                               "D"(output_address_hi), "S"(output_address_lo),
-                               "m" (hv_hypercall_pg)
+                               THUNK_TARGET(hv_hypercall_pg)
                             : "cc", "memory");
 #endif /* !x86_64 */
        return hv_status;
@@ -227,10 +229,10 @@ static inline u64 hv_do_fast_hypercall8(u16 code, u64 input1)
 #ifdef CONFIG_X86_64
        {
-                __asm__ __volatile__("call *%4"
+                __asm__ __volatile__(CALL_NOSPEC
                                     : "=a" (hv_status), ASM_CALL_CONSTRAINT,
                                       "+c" (control), "+d" (input1)
-                                     : "m" (hv_hypercall_pg)
+                                     : THUNK_TARGET(hv_hypercall_pg)
                                     : "cc", "r8", "r9", "r10", "r11");
        }
 #else
@@ -238,13 +240,13 @@ static inline u64 hv_do_fast_hypercall8(u16 code, u64 input1)
                u32 input1_hi = upper_32_bits(input1);
                u32 input1_lo = lower_32_bits(input1);
-                __asm__ __volatile__ ("call *%5"
+                __asm__ __volatile__ (CALL_NOSPEC
                                      : "=A"(hv_status),
                                        "+c"(input1_lo),
                                        ASM_CALL_CONSTRAINT
                                      : "A" (control),
                                        "b" (input1_hi),
-                                        "m" (hv_hypercall_pg)
+                                        THUNK_TARGET(hv_hypercall_pg)
                                      : "cc", "edi", "esi");
        }
 #endif
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index 34c4922bbc3f..e7b983a35506 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -355,6 +355,9 @@
 #define FAM10H_MMIO_CONF_BASE_MASK      0xfffffffULL
 #define FAM10H_MMIO_CONF_BASE_SHIFT     20
 #define MSR_FAM10H_NODE_ID              0xc001100c
+#define MSR_F10H_DECFG                  0xc0011029
+#define MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT     1
+#define MSR_F10H_DECFG_LFENCE_SERIALIZE         BIT_ULL(MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT)
 /* K8 MSRs */
 #define MSR_K8_TOP_MEM1                 0xc001001a
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
new file mode 100644
index 000000000000..4ad41087ce0e
--- /dev/null
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -0,0 +1,222 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __NOSPEC_BRANCH_H__
+#define __NOSPEC_BRANCH_H__
+#include <asm/alternative.h>
+#include <asm/alternative-asm.h>
+#include <asm/cpufeatures.h>
+/*
+ * Fill the CPU return stack buffer.
+ *
+ * Each entry in the RSB, if used for a speculative 'ret', contains an
+ * infinite 'pause; lfence; jmp' loop to capture speculative execution.
+ *
+ * This is required in various cases for retpoline and IBRS-based
+ * mitigations for the Spectre variant 2 vulnerability. Sometimes to
+ * eliminate potentially bogus entries from the RSB, and sometimes
+ * purely to ensure that it doesn't get empty, which on some CPUs would
+ * allow predictions from other (unwanted!) sources to be used.
+ *
+ * We define a CPP macro such that it can be used from both .S files and
+ * inline assembly. It's possible to do a .macro and then include that
+ * from C via asm(".include <asm/nospec-branch.h>") but let's not go there.
+ */
+#define RSB_CLEAR_LOOPS         32      /* To forcibly overwrite all entries */
+#define RSB_FILL_LOOPS          16      /* To avoid underflow */
+/*
+ * Google experimented with loop-unrolling and this turned out to be
+ * the optimal version — two calls, each with their own speculation
+ * trap should their return address end up getting used, in a loop.
+ */
+#define __FILL_RETURN_BUFFER(reg, nr, sp)       \
+        mov     $(nr/2), reg;                   \
+771:                                            \
+        call    772f;                           \
+773:    /* speculation trap */                  \
+        pause;                                  \
+        lfence;                                 \
+        jmp     773b;                           \
+772:                                            \
+        call    774f;                           \
+775:    /* speculation trap */                  \
+        pause;                                  \
+        lfence;                                 \
+        jmp     775b;                           \
+774:                                            \
+        dec     reg;                            \
+        jnz     771b;                           \
+        add     $(BITS_PER_LONG/8) * nr, sp;
+#ifdef __ASSEMBLY__
+/*
+ * This should be used immediately before a retpoline alternative.  It tells
+ * objtool where the retpolines are so that it can make sense of the control
+ * flow by just reading the original instruction(s) and ignoring the
+ * alternatives.
+ */
+.macro ANNOTATE_NOSPEC_ALTERNATIVE
+        .Lannotate_\@:
+        .pushsection .discard.nospec
+        .long .Lannotate_\@ - .
+        .popsection
+.endm
+/*
+ * These are the bare retpoline primitives for indirect jmp and call.
+ * Do not use these directly; they only exist to make the ALTERNATIVE
+ * invocation below less ugly.
+ */
+.macro RETPOLINE_JMP reg:req
+        call    .Ldo_rop_\@
+.Lspec_trap_\@:
+        pause
+        lfence
+        jmp     .Lspec_trap_\@
+.Ldo_rop_\@:
+        mov     \reg, (%_ASM_SP)
+        ret
+.endm
+/*
+ * This is a wrapper around RETPOLINE_JMP so the called function in reg
+ * returns to the instruction after the macro.
+ */
+.macro RETPOLINE_CALL reg:req
+        jmp     .Ldo_call_\@
+.Ldo_retpoline_jmp_\@:
+        RETPOLINE_JMP \reg
+.Ldo_call_\@:
+        call    .Ldo_retpoline_jmp_\@
+.endm
+/*
+ * JMP_NOSPEC and CALL_NOSPEC macros can be used instead of a simple
+ * indirect jmp/call which may be susceptible to the Spectre variant 2
+ * attack.
+ */
+.macro JMP_NOSPEC reg:req
+#ifdef CONFIG_RETPOLINE
+        ANNOTATE_NOSPEC_ALTERNATIVE
+        ALTERNATIVE_2 __stringify(jmp *\reg),                           \
+                __stringify(RETPOLINE_JMP \reg), X86_FEATURE_RETPOLINE, \
+                __stringify(lfence; jmp *\reg), X86_FEATURE_RETPOLINE_AMD
+#else
+        jmp     *\reg
+#endif
+.endm
+.macro CALL_NOSPEC reg:req
+#ifdef CONFIG_RETPOLINE
+        ANNOTATE_NOSPEC_ALTERNATIVE
+        ALTERNATIVE_2 __stringify(call *\reg),                          \
+                __stringify(RETPOLINE_CALL \reg), X86_FEATURE_RETPOLINE,\
+                __stringify(lfence; call *\reg), X86_FEATURE_RETPOLINE_AMD
+#else
+        call    *\reg
+#endif
+.endm
+ /*
+  * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP
+  * monstrosity above, manually.
+  */
+.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
+#ifdef CONFIG_RETPOLINE
+        ANNOTATE_NOSPEC_ALTERNATIVE
+        ALTERNATIVE "jmp .Lskip_rsb_\@",                                \
+                __stringify(__FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP))    \
+                \ftr
+.Lskip_rsb_\@:
+#endif
+.endm
+#else /* __ASSEMBLY__ */
+#define ANNOTATE_NOSPEC_ALTERNATIVE                             \
+        "999:\n\t"                                              \
+        ".pushsection .discard.nospec\n\t"                      \
+        ".long 999b - .\n\t"                                    \
+        ".popsection\n\t"
+#if defined(CONFIG_X86_64) && defined(RETPOLINE)
+/*
+ * Since the inline asm uses the %V modifier which is only in newer GCC,
+ * the 64-bit one is dependent on RETPOLINE not CONFIG_RETPOLINE.
+ */
+# define CALL_NOSPEC                                            \
+        ANNOTATE_NOSPEC_ALTERNATIVE                             \
+        ALTERNATIVE(                                            \
+        "call *%[thunk_target]\n",                              \
+        "call __x86_indirect_thunk_%V[thunk_target]\n",         \
+        X86_FEATURE_RETPOLINE)
+# define THUNK_TARGET(addr) [thunk_target] "r" (addr)
+#elif defined(CONFIG_X86_32) && defined(CONFIG_RETPOLINE)
+/*
+ * For i386 we use the original ret-equivalent retpoline, because
+ * otherwise we'll run out of registers. We don't care about CET
+ * here, anyway.
+ */
+# define CALL_NOSPEC ALTERNATIVE("call *%[thunk_target]\n",     \
+        "       jmp    904f;\n"                                 \
+        "       .align 16\n"                                    \
+        "901:   call   903f;\n"                                 \
+        "902:   pause;\n"                                       \
+        "       lfence;\n"                                      \
+        "       jmp    902b;\n"                                 \
+        "       .align 16\n"                                    \
+        "903:   addl   $4, %%esp;\n"                            \
+        "       pushl  %[thunk_target];\n"                      \
+        "       ret;\n"                                         \
+        "       .align 16\n"                                    \
+        "904:   call   901b;\n",                                \
+        X86_FEATURE_RETPOLINE)
+# define THUNK_TARGET(addr) [thunk_target] "rm" (addr)
+#else /* No retpoline for C / inline asm */
+# define CALL_NOSPEC "call *%[thunk_target]\n"
+# define THUNK_TARGET(addr) [thunk_target] "rm" (addr)
+#endif
+/* The Spectre V2 mitigation variants */
+enum spectre_v2_mitigation {
+        SPECTRE_V2_NONE,
+        SPECTRE_V2_RETPOLINE_MINIMAL,
+        SPECTRE_V2_RETPOLINE_MINIMAL_AMD,
+        SPECTRE_V2_RETPOLINE_GENERIC,
+        SPECTRE_V2_RETPOLINE_AMD,
+        SPECTRE_V2_IBRS,
+};
+extern char __indirect_thunk_start[];
+extern char __indirect_thunk_end[];
+/*
+ * On VMEXIT we must ensure that no RSB predictions learned in the guest
+ * can be followed in the host, by overwriting the RSB completely. Both
+ * retpoline and IBRS mitigations for Spectre v2 need this; only on future
+ * CPUs with IBRS_ATT *might* it be avoided.
+ */
+static inline void vmexit_fill_RSB(void)
+{
+#ifdef CONFIG_RETPOLINE
+        unsigned long loops;
+        asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE
+                      ALTERNATIVE("jmp 910f",
+                                  __stringify(__FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, %1)),
+                                  X86_FEATURE_RETPOLINE)
+                      "910:"
+                      : "=r" (loops), ASM_CALL_CONSTRAINT
+                      : : "memory" );
+#endif
+}
+#endif /* __ASSEMBLY__ */
+#endif /* __NOSPEC_BRANCH_H__ */
diff --git a/arch/x86/include/asm/pci_x86.h b/arch/x86/include/asm/pci_x86.h
index 7a5d6695abd3..eb66fa9cd0fc 100644
--- a/arch/x86/include/asm/pci_x86.h
+++ b/arch/x86/include/asm/pci_x86.h
@@ -38,6 +38,7 @@ do {						\
 #define PCI_NOASSIGN_ROMS       0x80000
 #define PCI_ROOT_NO_CRS         0x100000
 #define PCI_NOASSIGN_BARS       0x200000
+#define PCI_BIG_ROOT_WINDOW     0x400000
 extern unsigned int pci_probe;
 extern unsigned long pirq_table_addr;
diff --git a/arch/x86/include/asm/processor-flags.h b/arch/x86/include/asm/processor-flags.h
index 6a60fea90b9d..625a52a5594f 100644
--- a/arch/x86/include/asm/processor-flags.h
+++ b/arch/x86/include/asm/processor-flags.h
@@ -40,7 +40,7 @@
 #define CR3_NOFLUSH     BIT_ULL(63)
 #ifdef CONFIG_PAGE_TABLE_ISOLATION
-# define X86_CR3_PTI_SWITCH_BIT 11
+# define X86_CR3_PTI_PCID_USER_BIT      11
 #endif
 #else
diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
index 4a08dd2ab32a..d33e4a26dc7e 100644
--- a/arch/x86/include/asm/tlbflush.h
+++ b/arch/x86/include/asm/tlbflush.h
@@ -81,13 +81,13 @@ static inline u16 kern_pcid(u16 asid)
         * Make sure that the dynamic ASID space does not confict with the
         * bit we are using to switch between user and kernel ASIDs.
         */
-        BUILD_BUG_ON(TLB_NR_DYN_ASIDS >= (1 << X86_CR3_PTI_SWITCH_BIT));
+        BUILD_BUG_ON(TLB_NR_DYN_ASIDS >= (1 << X86_CR3_PTI_PCID_USER_BIT));
        /*
         * The ASID being passed in here should have respected the
         * MAX_ASID_AVAILABLE and thus never have the switch bit set.
         */
-        VM_WARN_ON_ONCE(asid & (1 << X86_CR3_PTI_SWITCH_BIT));
+        VM_WARN_ON_ONCE(asid & (1 << X86_CR3_PTI_PCID_USER_BIT));
 #endif
        /*
         * The dynamically-assigned ASIDs that get passed in are small
@@ -112,7 +112,7 @@ static inline u16 user_pcid(u16 asid)
 {
        u16 ret = kern_pcid(asid);
 #ifdef CONFIG_PAGE_TABLE_ISOLATION
-        ret |= 1 << X86_CR3_PTI_SWITCH_BIT;
+        ret |= 1 << X86_CR3_PTI_PCID_USER_BIT;
 #endif
        return ret;
 }
diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h
index 31051f35cbb7..3de69330e6c5 100644
--- a/arch/x86/include/asm/traps.h
+++ b/arch/x86/include/asm/traps.h
@@ -88,6 +88,7 @@ dotraplinkage void do_simd_coprocessor_error(struct pt_regs *, long);
 #ifdef CONFIG_X86_32
 dotraplinkage void do_iret_error(struct pt_regs *, long);
 #endif
+dotraplinkage void do_mce(struct pt_regs *, long);
 static inline int get_si_code(unsigned long condition)
 {
diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
index 7cb282e9e587..bfd882617613 100644
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -44,6 +44,7 @@
 #include <asm/page.h>
 #include <asm/pgtable.h>
 #include <asm/smap.h>
+#include <asm/nospec-branch.h>
 #include <xen/interface/xen.h>
 #include <xen/interface/sched.h>
@@ -217,9 +218,9 @@ privcmd_call(unsigned call,
        __HYPERCALL_5ARG(a1, a2, a3, a4, a5);
        stac();
-        asm volatile("call *%[call]"
+        asm volatile(CALL_NOSPEC
                     : __HYPERCALL_5PARAM
-                     : [call] "a" (&hypercall_page[call])
+                     : [thunk_target] "a" (&hypercall_page[call])
                     : __HYPERCALL_CLOBBER5);
        clac();
diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index 81bb565f4497..7e2baf7304ae 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -29,10 +29,13 @@ KASAN_SANITIZE_stacktrace.o				:= n
 KASAN_SANITIZE_paravirt.o                               := n
 OBJECT_FILES_NON_STANDARD_relocate_kernel_$(BITS).o     := y
-OBJECT_FILES_NON_STANDARD_ftrace_$(BITS).o              := y
 OBJECT_FILES_NON_STANDARD_test_nx.o                     := y
 OBJECT_FILES_NON_STANDARD_paravirt_patch_$(BITS).o      := y
+ifdef CONFIG_FRAME_POINTER
+OBJECT_FILES_NON_STANDARD_ftrace_$(BITS).o              := y
+endif
 # If instrumentation of this dir is enabled, boot hangs during first second.
 # Probably could be more selective here, but note that files related to irqs,
 # boot, dumpstack/stacktrace, etc are either non-interesting or can lead to
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index dbaf14d69ebd..4817d743c263 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -344,9 +344,12 @@ done:
 static void __init_or_module noinline optimize_nops(struct alt_instr *a, u8 *instr)
 {
        unsigned long flags;
+        int i;
-        if (instr[0] != 0x90)
+        for (i = 0; i < a->padlen; i++) {
-                return;
+                if (instr[i] != 0x90)
+                        return;
+        }
        local_irq_save(flags);
        add_nops(instr + (a->instrlen - a->padlen), a->padlen);
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
index 880441f24146..25ddf02598d2 100644
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1286,6 +1286,55 @@ static int __init apic_intr_mode_select(void)
        return APIC_SYMMETRIC_IO;
 }
+/*
+ * An initial setup of the virtual wire mode.
+ */
+void __init init_bsp_APIC(void)
+{
+        unsigned int value;
+        /*
+         * Don't do the setup now if we have a SMP BIOS as the
+         * through-I/O-APIC virtual wire mode might be active.
+         */
+        if (smp_found_config || !boot_cpu_has(X86_FEATURE_APIC))
+                return;
+        /*
+         * Do not trust the local APIC being empty at bootup.
+         */
+        clear_local_APIC();
+        /*
+         * Enable APIC.
+         */
+        value = apic_read(APIC_SPIV);
+        value &= ~APIC_VECTOR_MASK;
+        value |= APIC_SPIV_APIC_ENABLED;
+#ifdef CONFIG_X86_32
+        /* This bit is reserved on P4/Xeon and should be cleared */
+        if ((boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) &&
+            (boot_cpu_data.x86 == 15))
+                value &= ~APIC_SPIV_FOCUS_DISABLED;
+        else
+#endif
+                value |= APIC_SPIV_FOCUS_DISABLED;
+        value |= SPURIOUS_APIC_VECTOR;
+        apic_write(APIC_SPIV, value);
+        /*
+         * Set up the virtual wire mode.
+         */
+        apic_write(APIC_LVT0, APIC_DM_EXTINT);
+        value = APIC_DM_NMI;
+        if (!lapic_is_integrated())             /* 82489DX */
+                value |= APIC_LVT_LEVEL_TRIGGER;
+        if (apic_extnmi == APIC_EXTNMI_NONE)
+                value |= APIC_LVT_MASKED;
+        apic_write(APIC_LVT1, value);
+}
 /* Init the interrupt delivery mode for the BSP */
 void __init apic_intr_mode_init(void)
 {
diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
index f8b03bb8e725..3cc471beb50b 100644
--- a/arch/x86/kernel/apic/vector.c
+++ b/arch/x86/kernel/apic/vector.c
@@ -542,14 +542,17 @@ static int x86_vector_alloc_irqs(struct irq_domain *domain, unsigned int virq,
                err = assign_irq_vector_policy(irqd, info);
                trace_vector_setup(virq + i, false, err);
-                if (err)
+                if (err) {
+                        irqd->chip_data = NULL;
+                        free_apic_chip_data(apicd);
                        goto error;
+                }
        }
        return 0;
 error:
-        x86_vector_free_irqs(domain, virq, i + 1);
+        x86_vector_free_irqs(domain, virq, i);
        return err;
 }
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index bcb75dc97d44..ea831c858195 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -829,8 +829,32 @@ static void init_amd(struct cpuinfo_x86 *c)
                set_cpu_cap(c, X86_FEATURE_K8);
        if (cpu_has(c, X86_FEATURE_XMM2)) {
-                /* MFENCE stops RDTSC speculation */
+                unsigned long long val;
-                set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
+                int ret;
+                /*
+                 * A serializing LFENCE has less overhead than MFENCE, so
+                 * use it for execution serialization.  On families which
+                 * don't have that MSR, LFENCE is already serializing.
+                 * msr_set_bit() uses the safe accessors, too, even if the MSR
+                 * is not present.
+                 */
+                msr_set_bit(MSR_F10H_DECFG,
+                            MSR_F10H_DECFG_LFENCE_SERIALIZE_BIT);
+                /*
+                 * Verify that the MSR write was successful (could be running
+                 * under a hypervisor) and only then assume that LFENCE is
+                 * serializing.
+                 */
+                ret = rdmsrl_safe(MSR_F10H_DECFG, &val);
+                if (!ret && (val & MSR_F10H_DECFG_LFENCE_SERIALIZE)) {
+                        /* A serializing LFENCE stops RDTSC speculation */
+                        set_cpu_cap(c, X86_FEATURE_LFENCE_RDTSC);
+                } else {
+                        /* MFENCE stops RDTSC speculation */
+                        set_cpu_cap(c, X86_FEATURE_MFENCE_RDTSC);
+                }
        }
        /*
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index ba0b2424c9b0..390b3dc3d438 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -10,6 +10,10 @@
 */
 #include <linux/init.h>
 #include <linux/utsname.h>
+#include <linux/cpu.h>
+#include <asm/nospec-branch.h>
+#include <asm/cmdline.h>
 #include <asm/bugs.h>
 #include <asm/processor.h>
 #include <asm/processor-flags.h>
@@ -19,6 +23,9 @@
 #include <asm/alternative.h>
 #include <asm/pgtable.h>
 #include <asm/set_memory.h>
+#include <asm/intel-family.h>
+static void __init spectre_v2_select_mitigation(void);
 void __init check_bugs(void)
 {
@@ -29,6 +36,9 @@ void __init check_bugs(void)
                print_cpu_info(&boot_cpu_data);
        }
+        /* Select the proper spectre mitigation before patching alternatives */
+        spectre_v2_select_mitigation();
 #ifdef CONFIG_X86_32
        /*
         * Check whether we are able to run this kernel safely on SMP.
@@ -60,3 +70,214 @@ void __init check_bugs(void)
                set_memory_4k((unsigned long)__va(0), 1);
 #endif
 }
+/* The kernel command line selection */
+enum spectre_v2_mitigation_cmd {
+        SPECTRE_V2_CMD_NONE,
+        SPECTRE_V2_CMD_AUTO,
+        SPECTRE_V2_CMD_FORCE,
+        SPECTRE_V2_CMD_RETPOLINE,
+        SPECTRE_V2_CMD_RETPOLINE_GENERIC,
+        SPECTRE_V2_CMD_RETPOLINE_AMD,
+};
+static const char *spectre_v2_strings[] = {
+        [SPECTRE_V2_NONE]                       = "Vulnerable",
+        [SPECTRE_V2_RETPOLINE_MINIMAL]          = "Vulnerable: Minimal generic ASM retpoline",
+        [SPECTRE_V2_RETPOLINE_MINIMAL_AMD]      = "Vulnerable: Minimal AMD ASM retpoline",
+        [SPECTRE_V2_RETPOLINE_GENERIC]          = "Mitigation: Full generic retpoline",
+        [SPECTRE_V2_RETPOLINE_AMD]              = "Mitigation: Full AMD retpoline",
+};
+#undef pr_fmt
+#define pr_fmt(fmt)     "Spectre V2 mitigation: " fmt
+static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
+static void __init spec2_print_if_insecure(const char *reason)
+{
+        if (boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
+                pr_info("%s\n", reason);
+}
+static void __init spec2_print_if_secure(const char *reason)
+{
+        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
+                pr_info("%s\n", reason);
+}
+static inline bool retp_compiler(void)
+{
+        return __is_defined(RETPOLINE);
+}
+static inline bool match_option(const char *arg, int arglen, const char *opt)
+{
+        int len = strlen(opt);
+        return len == arglen && !strncmp(arg, opt, len);
+}
+static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
+{
+        char arg[20];
+        int ret;
+        ret = cmdline_find_option(boot_command_line, "spectre_v2", arg,
+                                  sizeof(arg));
+        if (ret > 0)  {
+                if (match_option(arg, ret, "off")) {
+                        goto disable;
+                } else if (match_option(arg, ret, "on")) {
+                        spec2_print_if_secure("force enabled on command line.");
+                        return SPECTRE_V2_CMD_FORCE;
+                } else if (match_option(arg, ret, "retpoline")) {
+                        spec2_print_if_insecure("retpoline selected on command line.");
+                        return SPECTRE_V2_CMD_RETPOLINE;
+                } else if (match_option(arg, ret, "retpoline,amd")) {
+                        if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) {
+                                pr_err("retpoline,amd selected but CPU is not AMD. Switching to AUTO select\n");
+                                return SPECTRE_V2_CMD_AUTO;
+                        }
+                        spec2_print_if_insecure("AMD retpoline selected on command line.");
+                        return SPECTRE_V2_CMD_RETPOLINE_AMD;
+                } else if (match_option(arg, ret, "retpoline,generic")) {
+                        spec2_print_if_insecure("generic retpoline selected on command line.");
+                        return SPECTRE_V2_CMD_RETPOLINE_GENERIC;
+                } else if (match_option(arg, ret, "auto")) {
+                        return SPECTRE_V2_CMD_AUTO;
+                }
+        }
+        if (!cmdline_find_option_bool(boot_command_line, "nospectre_v2"))
+                return SPECTRE_V2_CMD_AUTO;
+disable:
+        spec2_print_if_insecure("disabled on command line.");
+        return SPECTRE_V2_CMD_NONE;
+}
+/* Check for Skylake-like CPUs (for RSB handling) */
+static bool __init is_skylake_era(void)
+{
+        if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
+            boot_cpu_data.x86 == 6) {
+                switch (boot_cpu_data.x86_model) {
+                case INTEL_FAM6_SKYLAKE_MOBILE:
+                case INTEL_FAM6_SKYLAKE_DESKTOP:
+                case INTEL_FAM6_SKYLAKE_X:
+                case INTEL_FAM6_KABYLAKE_MOBILE:
+                case INTEL_FAM6_KABYLAKE_DESKTOP:
+                        return true;
+                }
+        }
+        return false;
+}
+static void __init spectre_v2_select_mitigation(void)
+{
+        enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
+        enum spectre_v2_mitigation mode = SPECTRE_V2_NONE;
+        /*
+         * If the CPU is not affected and the command line mode is NONE or AUTO
+         * then nothing to do.
+         */
+        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2) &&
+            (cmd == SPECTRE_V2_CMD_NONE || cmd == SPECTRE_V2_CMD_AUTO))
+                return;
+        switch (cmd) {
+        case SPECTRE_V2_CMD_NONE:
+                return;
+        case SPECTRE_V2_CMD_FORCE:
+                /* FALLTRHU */
+        case SPECTRE_V2_CMD_AUTO:
+                goto retpoline_auto;
+        case SPECTRE_V2_CMD_RETPOLINE_AMD:
+                if (IS_ENABLED(CONFIG_RETPOLINE))
+                        goto retpoline_amd;
+                break;
+        case SPECTRE_V2_CMD_RETPOLINE_GENERIC:
+                if (IS_ENABLED(CONFIG_RETPOLINE))
+                        goto retpoline_generic;
+                break;
+        case SPECTRE_V2_CMD_RETPOLINE:
+                if (IS_ENABLED(CONFIG_RETPOLINE))
+                        goto retpoline_auto;
+                break;
+        }
+        pr_err("kernel not compiled with retpoline; no mitigation available!");
+        return;
+retpoline_auto:
+        if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) {
+        retpoline_amd:
+                if (!boot_cpu_has(X86_FEATURE_LFENCE_RDTSC)) {
+                        pr_err("LFENCE not serializing. Switching to generic retpoline\n");
+                        goto retpoline_generic;
+                }
+                mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_AMD :
+                                         SPECTRE_V2_RETPOLINE_MINIMAL_AMD;
+                setup_force_cpu_cap(X86_FEATURE_RETPOLINE_AMD);
+                setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
+        } else {
+        retpoline_generic:
+                mode = retp_compiler() ? SPECTRE_V2_RETPOLINE_GENERIC :
+                                         SPECTRE_V2_RETPOLINE_MINIMAL;
+                setup_force_cpu_cap(X86_FEATURE_RETPOLINE);
+        }
+        spectre_v2_enabled = mode;
+        pr_info("%s\n", spectre_v2_strings[mode]);
+        /*
+         * If neither SMEP or KPTI are available, there is a risk of
+         * hitting userspace addresses in the RSB after a context switch
+         * from a shallow call stack to a deeper one. To prevent this fill
+         * the entire RSB, even when using IBRS.
+         *
+         * Skylake era CPUs have a separate issue with *underflow* of the
+         * RSB, when they will predict 'ret' targets from the generic BTB.
+         * The proper mitigation for this is IBRS. If IBRS is not supported
+         * or deactivated in favour of retpolines the RSB fill on context
+         * switch is required.
+         */
+        if ((!boot_cpu_has(X86_FEATURE_PTI) &&
+             !boot_cpu_has(X86_FEATURE_SMEP)) || is_skylake_era()) {
+                setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
+                pr_info("Filling RSB on context switch\n");
+        }
+}
+#undef pr_fmt
+#ifdef CONFIG_SYSFS
+ssize_t cpu_show_meltdown(struct device *dev,
+                          struct device_attribute *attr, char *buf)
+{
+        if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
+                return sprintf(buf, "Not affected\n");
+        if (boot_cpu_has(X86_FEATURE_PTI))
+                return sprintf(buf, "Mitigation: PTI\n");
+        return sprintf(buf, "Vulnerable\n");
+}
+ssize_t cpu_show_spectre_v1(struct device *dev,
+                            struct device_attribute *attr, char *buf)
+{
+        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1))
+                return sprintf(buf, "Not affected\n");
+        return sprintf(buf, "Vulnerable\n");
+}
+ssize_t cpu_show_spectre_v2(struct device *dev,
+                            struct device_attribute *attr, char *buf)
+{
+        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
+                return sprintf(buf, "Not affected\n");
+        return sprintf(buf, "%s\n", spectre_v2_strings[spectre_v2_enabled]);
+}
+#endif
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 39d7ea865207..ef29ad001991 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -926,6 +926,9 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
        if (c->x86_vendor != X86_VENDOR_AMD)
                setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
+        setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+        setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
        fpu__init_system(c);
 #ifdef CONFIG_X86_32
diff --git a/arch/x86/kernel/cpu/intel_rdt.c b/arch/x86/kernel/cpu/intel_rdt.c
index 88dcf8479013..99442370de40 100644
--- a/arch/x86/kernel/cpu/intel_rdt.c
+++ b/arch/x86/kernel/cpu/intel_rdt.c
@@ -525,10 +525,6 @@ static void domain_remove_cpu(int cpu, struct rdt_resource *r)
                 */
                if (static_branch_unlikely(&rdt_mon_enable_key))
                        rmdir_mondata_subdir_allrdtgrp(r, d->id);
-                kfree(d->ctrl_val);
-                kfree(d->rmid_busy_llc);
-                kfree(d->mbm_total);
-                kfree(d->mbm_local);
                list_del(&d->list);
                if (is_mbm_enabled())
                        cancel_delayed_work(&d->mbm_over);
@@ -545,6 +541,10 @@ static void domain_remove_cpu(int cpu, struct rdt_resource *r)
                        cancel_delayed_work(&d->cqm_limbo);
                }
+                kfree(d->ctrl_val);
+                kfree(d->rmid_busy_llc);
+                kfree(d->mbm_total);
+                kfree(d->mbm_local);
                kfree(d);
                return;
        }
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
index b1d616d08eee..868e412b4f0c 100644
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -1785,6 +1785,11 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
 void (*machine_check_vector)(struct pt_regs *, long error_code) =
                                                unexpected_machine_check;
+dotraplinkage void do_mce(struct pt_regs *regs, long error_code)
+{
+        machine_check_vector(regs, error_code);
+}
 /*
 * Called for each booted CPU to set up machine checks.
 * Must be called with preempt off:
diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index 8ccdca6d3f9e..d9e460fc7a3b 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -910,8 +910,17 @@ static bool is_blacklisted(unsigned int cpu)
 {
        struct cpuinfo_x86 *c = &cpu_data(cpu);
-        if (c->x86 == 6 && c->x86_model == INTEL_FAM6_BROADWELL_X) {
+        /*
-                pr_err_once("late loading on model 79 is disabled.\n");
+         * Late loading on model 79 with microcode revision less than 0x0b000021
+         * may result in a system hang. This behavior is documented in item
+         * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family).
+         */
+        if (c->x86 == 6 &&
+            c->x86_model == INTEL_FAM6_BROADWELL_X &&
+            c->x86_mask == 0x01 &&
+            c->microcode < 0x0b000021) {
+                pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode);
+                pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
                return true;
        }
diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c
index 05459ad3db46..d0e69769abfd 100644
--- a/arch/x86/kernel/cpu/scattered.c
+++ b/arch/x86/kernel/cpu/scattered.c
@@ -21,7 +21,6 @@ struct cpuid_bit {
 static const struct cpuid_bit cpuid_bits[] = {
        { X86_FEATURE_APERFMPERF,       CPUID_ECX,  0, 0x00000006, 0 },
        { X86_FEATURE_EPB,              CPUID_ECX,  3, 0x00000006, 0 },
-        { X86_FEATURE_INTEL_PT,         CPUID_EBX, 25, 0x00000007, 0 },
        { X86_FEATURE_AVX512_4VNNIW,    CPUID_EDX,  2, 0x00000007, 0 },
        { X86_FEATURE_AVX512_4FMAPS,    CPUID_EDX,  3, 0x00000007, 0 },
        { X86_FEATURE_CAT_L3,           CPUID_EBX,  1, 0x00000010, 0 },
diff --git a/arch/x86/kernel/ftrace_32.S b/arch/x86/kernel/ftrace_32.S
index b6c6468e10bc..4c8440de3355 100644
--- a/arch/x86/kernel/ftrace_32.S
+++ b/arch/x86/kernel/ftrace_32.S
@@ -8,6 +8,7 @@
 #include <asm/segment.h>
 #include <asm/export.h>
 #include <asm/ftrace.h>
+#include <asm/nospec-branch.h>
 #ifdef CC_USING_FENTRY
 # define function_hook  __fentry__
@@ -197,7 +198,8 @@ ftrace_stub:
        movl    0x4(%ebp), %edx
        subl    $MCOUNT_INSN_SIZE, %eax
-        call    *ftrace_trace_function
+        movl    ftrace_trace_function, %ecx
+        CALL_NOSPEC %ecx
        popl    %edx
        popl    %ecx
@@ -241,5 +243,5 @@ return_to_handler:
        movl    %eax, %ecx
        popl    %edx
        popl    %eax
-        jmp     *%ecx
+        JMP_NOSPEC %ecx
 #endif
diff --git a/arch/x86/kernel/ftrace_64.S b/arch/x86/kernel/ftrace_64.S
index c832291d948a..ef61f540cf0a 100644
--- a/arch/x86/kernel/ftrace_64.S
+++ b/arch/x86/kernel/ftrace_64.S
@@ -7,7 +7,8 @@
 #include <asm/ptrace.h>
 #include <asm/ftrace.h>
 #include <asm/export.h>
+#include <asm/nospec-branch.h>
+#include <asm/unwind_hints.h>
        .code64
        .section .entry.text, "ax"
@@ -20,7 +21,6 @@ EXPORT_SYMBOL(__fentry__)
 EXPORT_SYMBOL(mcount)
 #endif
-/* All cases save the original rbp (8 bytes) */
 #ifdef CONFIG_FRAME_POINTER
 # ifdef CC_USING_FENTRY
 /* Save parent and function stack frames (rip and rbp) */
@@ -31,7 +31,7 @@ EXPORT_SYMBOL(mcount)
 # endif
 #else
 /* No need to save a stack frame */
-# define MCOUNT_FRAME_SIZE      8
+# define MCOUNT_FRAME_SIZE      0
 #endif /* CONFIG_FRAME_POINTER */
 /* Size of stack used to save mcount regs in save_mcount_regs */
@@ -64,10 +64,10 @@ EXPORT_SYMBOL(mcount)
 */
 .macro save_mcount_regs added=0
-        /* Always save the original rbp */
+#ifdef CONFIG_FRAME_POINTER
+        /* Save the original rbp */
        pushq %rbp
-#ifdef CONFIG_FRAME_POINTER
        /*
         * Stack traces will stop at the ftrace trampoline if the frame pointer
         * is not set up properly. If fentry is used, we need to save a frame
@@ -105,7 +105,11 @@ EXPORT_SYMBOL(mcount)
         * Save the original RBP. Even though the mcount ABI does not
         * require this, it helps out callers.
         */
+#ifdef CONFIG_FRAME_POINTER
        movq MCOUNT_REG_SIZE-8(%rsp), %rdx
+#else
+        movq %rbp, %rdx
+#endif
        movq %rdx, RBP(%rsp)
        /* Copy the parent address into %rsi (second parameter) */
@@ -148,7 +152,7 @@ EXPORT_SYMBOL(mcount)
 ENTRY(function_hook)
        retq
-END(function_hook)
+ENDPROC(function_hook)
 ENTRY(ftrace_caller)
        /* save_mcount_regs fills in first two parameters */
@@ -184,7 +188,7 @@ GLOBAL(ftrace_graph_call)
 /* This is weak to keep gas from relaxing the jumps */
 WEAK(ftrace_stub)
        retq
-END(ftrace_caller)
+ENDPROC(ftrace_caller)
 ENTRY(ftrace_regs_caller)
        /* Save the current flags before any operations that can change them */
@@ -255,7 +259,7 @@ GLOBAL(ftrace_regs_caller_end)
        jmp ftrace_epilogue
-END(ftrace_regs_caller)
+ENDPROC(ftrace_regs_caller)
 #else /* ! CONFIG_DYNAMIC_FTRACE */
@@ -286,8 +290,8 @@ trace:
         * ip and parent ip are used and the list function is called when
         * function tracing is enabled.
         */
-        call   *ftrace_trace_function
+        movq ftrace_trace_function, %r8
+        CALL_NOSPEC %r8
        restore_mcount_regs
        jmp fgraph_trace
@@ -313,9 +317,10 @@ ENTRY(ftrace_graph_caller)
        restore_mcount_regs
        retq
-END(ftrace_graph_caller)
+ENDPROC(ftrace_graph_caller)
-GLOBAL(return_to_handler)
+ENTRY(return_to_handler)
+        UNWIND_HINT_EMPTY
        subq  $24, %rsp
        /* Save the return values */
@@ -329,5 +334,6 @@ GLOBAL(return_to_handler)
        movq 8(%rsp), %rdx
        movq (%rsp), %rax
        addq $24, %rsp
-        jmp *%rdi
+        JMP_NOSPEC %rdi
+END(return_to_handler)
 #endif
diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
index 6a5d757b9cfd..7ba5d819ebe3 100644
--- a/arch/x86/kernel/head64.c
+++ b/arch/x86/kernel/head64.c
@@ -157,8 +157,8 @@ unsigned long __head __startup_64(unsigned long physaddr,
        p = fixup_pointer(&phys_base, physaddr);
        *p += load_delta - sme_get_me_mask();
-        /* Encrypt the kernel (if SME is active) */
+        /* Encrypt the kernel and related (if SME is active) */
-        sme_encrypt_kernel();
+        sme_encrypt_kernel(bp);
        /*
         * Return the SME encryption mask (if SME is active) to be used as a
diff --git a/arch/x86/kernel/idt.c b/arch/x86/kernel/idt.c
index d985cef3984f..56d99be3706a 100644
--- a/arch/x86/kernel/idt.c
+++ b/arch/x86/kernel/idt.c
@@ -56,7 +56,7 @@ struct idt_data {
 * Early traps running on the DEFAULT_STACK because the other interrupt
 * stacks work only after cpu_init().
 */
-static const __initdata struct idt_data early_idts[] = {
+static const __initconst struct idt_data early_idts[] = {
        INTG(X86_TRAP_DB,               debug),
        SYSG(X86_TRAP_BP,               int3),
 #ifdef CONFIG_X86_32
@@ -70,7 +70,7 @@ static const __initdata struct idt_data early_idts[] = {
 * the traps which use them are reinitialized with IST after cpu_init() has
 * set up TSS.
 */
-static const __initdata struct idt_data def_idts[] = {
+static const __initconst struct idt_data def_idts[] = {
        INTG(X86_TRAP_DE,               divide_error),
        INTG(X86_TRAP_NMI,              nmi),
        INTG(X86_TRAP_BR,               bounds),
@@ -108,7 +108,7 @@ static const __initdata struct idt_data def_idts[] = {
 /*
 * The APIC and SMP idt entries
 */
-static const __initdata struct idt_data apic_idts[] = {
+static const __initconst struct idt_data apic_idts[] = {
 #ifdef CONFIG_SMP
        INTG(RESCHEDULE_VECTOR,         reschedule_interrupt),
        INTG(CALL_FUNCTION_VECTOR,      call_function_interrupt),
@@ -150,7 +150,7 @@ static const __initdata struct idt_data apic_idts[] = {
 * Early traps running on the DEFAULT_STACK because the other interrupt
 * stacks work only after cpu_init().
 */
-static const __initdata struct idt_data early_pf_idts[] = {
+static const __initconst struct idt_data early_pf_idts[] = {
        INTG(X86_TRAP_PF,               page_fault),
 };
@@ -158,7 +158,7 @@ static const __initdata struct idt_data early_pf_idts[] = {
 * Override for the debug_idt. Same as the default, but with interrupt
 * stack set to DEFAULT_STACK (0). Required for NMI trap handling.
 */
-static const __initdata struct idt_data dbg_idts[] = {
+static const __initconst struct idt_data dbg_idts[] = {
        INTG(X86_TRAP_DB,       debug),
        INTG(X86_TRAP_BP,       int3),
 };
@@ -180,7 +180,7 @@ gate_desc debug_idt_table[IDT_ENTRIES] __page_aligned_bss;
 * The exceptions which use Interrupt stacks. They are setup after
 * cpu_init() when the TSS has been initialized.
 */
-static const __initdata struct idt_data ist_idts[] = {
+static const __initconst struct idt_data ist_idts[] = {
        ISTG(X86_TRAP_DB,       debug,          DEBUG_STACK),
        ISTG(X86_TRAP_NMI,      nmi,            NMI_STACK),
        SISTG(X86_TRAP_BP,      int3,           DEBUG_STACK),
diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
index a83b3346a0e1..c1bdbd3d3232 100644
--- a/arch/x86/kernel/irq_32.c
+++ b/arch/x86/kernel/irq_32.c
@@ -20,6 +20,7 @@
 #include <linux/mm.h>
 #include <asm/apic.h>
+#include <asm/nospec-branch.h>
 #ifdef CONFIG_DEBUG_STACKOVERFLOW
@@ -55,11 +56,11 @@ DEFINE_PER_CPU(struct irq_stack *, softirq_stack);
 static void call_on_stack(void *func, void *stack)
 {
        asm volatile("xchgl     %%ebx,%%esp     \n"
-                     "call      *%%edi          \n"
+                     CALL_NOSPEC
                     "movl      %%ebx,%%esp     \n"
                     : "=b" (stack)
                     : "0" (stack),
-                       "D"(func)
+                       [thunk_target] "D"(func)
                     : "memory", "cc", "edx", "ecx", "eax");
 }
@@ -95,11 +96,11 @@ static inline int execute_on_irq_stack(int overflow, struct irq_desc *desc)
                call_on_stack(print_stack_overflow, isp);
        asm volatile("xchgl     %%ebx,%%esp     \n"
-                     "call      *%%edi          \n"
+                     CALL_NOSPEC
                     "movl      %%ebx,%%esp     \n"
                     : "=a" (arg1), "=b" (isp)
                     :  "0" (desc),   "1" (isp),
-                        "D" (desc->handle_irq)
+                        [thunk_target] "D" (desc->handle_irq)
                     : "memory", "cc", "ecx");
        return 1;
 }
diff --git a/arch/x86/kernel/irqinit.c b/arch/x86/kernel/irqinit.c
index 8da3e909e967..a539410c4ea9 100644
--- a/arch/x86/kernel/irqinit.c
+++ b/arch/x86/kernel/irqinit.c
@@ -61,6 +61,9 @@ void __init init_ISA_irqs(void)
        struct irq_chip *chip = legacy_pic->chip;
        int i;
+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_LOCAL_APIC)
+        init_bsp_APIC();
+#endif
        legacy_pic->init(0);
        for (i = 0; i < nr_legacy_irqs(); i++)
diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
index e941136e24d8..203d398802a3 100644
--- a/arch/x86/kernel/kprobes/opt.c
+++ b/arch/x86/kernel/kprobes/opt.c
@@ -40,6 +40,7 @@
 #include <asm/debugreg.h>
 #include <asm/set_memory.h>
 #include <asm/sections.h>
+#include <asm/nospec-branch.h>
 #include "common.h"
@@ -203,7 +204,7 @@ static int copy_optimized_instructions(u8 *dest, u8 *src, u8 *real)
 }
 /* Check whether insn is indirect jump */
-static int insn_is_indirect_jump(struct insn *insn)
+static int __insn_is_indirect_jump(struct insn *insn)
 {
        return ((insn->opcode.bytes[0] == 0xff &&
                (X86_MODRM_REG(insn->modrm.value) & 6) == 4) || /* Jump */
@@ -237,6 +238,26 @@ static int insn_jump_into_range(struct insn *insn, unsigned long start, int len)
        return (start <= target && target <= start + len);
 }
+static int insn_is_indirect_jump(struct insn *insn)
+{
+        int ret = __insn_is_indirect_jump(insn);
+#ifdef CONFIG_RETPOLINE
+        /*
+         * Jump to x86_indirect_thunk_* is treated as an indirect jump.
+         * Note that even with CONFIG_RETPOLINE=y, the kernel compiled with
+         * older gcc may use indirect jump. So we add this check instead of
+         * replace indirect-jump check.
+         */
+        if (!ret)
+                ret = insn_jump_into_range(insn,
+                                (unsigned long)__indirect_thunk_start,
+                                (unsigned long)__indirect_thunk_end -
+                                (unsigned long)__indirect_thunk_start);
+#endif
+        return ret;
+}
 /* Decode whole function to ensure any instructions don't jump into target */
 static int can_optimize(unsigned long paddr)
 {
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 832a6acd730f..cb368c2a22ab 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -380,19 +380,24 @@ void stop_this_cpu(void *dummy)
        disable_local_APIC();
        mcheck_cpu_clear(this_cpu_ptr(&cpu_info));
+        /*
+         * Use wbinvd on processors that support SME. This provides support
+         * for performing a successful kexec when going from SME inactive
+         * to SME active (or vice-versa). The cache must be cleared so that
+         * if there are entries with the same physical address, both with and
+         * without the encryption bit, they don't race each other when flushed
+         * and potentially end up with the wrong entry being committed to
+         * memory.
+         */
+        if (boot_cpu_has(X86_FEATURE_SME))
+                native_wbinvd();
        for (;;) {
                /*
-                 * Use wbinvd followed by hlt to stop the processor. This
+                 * Use native_halt() so that memory contents don't change
-                 * provides support for kexec on a processor that supports
+                 * (stack usage and variables) after possibly issuing the
-                 * SME. With kexec, going from SME inactive to SME active
+                 * native_wbinvd() above.
-                 * requires clearing cache entries so that addresses without
-                 * the encryption bit set don't corrupt the same physical
-                 * address that has the encryption bit set when caches are
-                 * flushed. To achieve this a wbinvd is performed followed by
-                 * a hlt. Even if the processor is not in the kexec/SME
-                 * scenario this only adds a wbinvd to a halting processor.
                 */
-                asm volatile("wbinvd; hlt" : : : "memory");
+                native_halt();
        }
 }
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 145810b0edf6..68d7ab81c62f 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -364,16 +364,6 @@ static void __init reserve_initrd(void)
            !ramdisk_image || !ramdisk_size)
                return;         /* No initrd provided by bootloader */
-        /*
-         * If SME is active, this memory will be marked encrypted by the
-         * kernel when it is accessed (including relocation). However, the
-         * ramdisk image was loaded decrypted by the bootloader, so make
-         * sure that it is encrypted before accessing it. For SEV the
-         * ramdisk will already be encrypted, so only do this for SME.
-         */
-        if (sme_active())
-                sme_early_encrypt(ramdisk_image, ramdisk_end - ramdisk_image);
        initrd_start = 0;
        mapped_size = memblock_mem_size(max_pfn_mapped);
diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
index a4eb27918ceb..a2486f444073 100644
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
@@ -138,6 +138,17 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
                return -1;
        set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
        pte_unmap(pte);
+        /*
+         * PTI poisons low addresses in the kernel page tables in the
+         * name of making them unusable for userspace.  To execute
+         * code at such a low address, the poison must be cleared.
+         *
+         * Note: 'pgd' actually gets set in p4d_alloc() _or_
+         * pud_alloc() depending on 4/5-level paging.
+         */
+        pgd->pgd &= ~_PAGE_NX;
        return 0;
 }
diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index 8ea117f8142e..e169e85db434 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -602,7 +602,6 @@ unsigned long native_calibrate_tsc(void)
                case INTEL_FAM6_KABYLAKE_DESKTOP:
                        crystal_khz = 24000;    /* 24.0 MHz */
                        break;
-                case INTEL_FAM6_SKYLAKE_X:
                case INTEL_FAM6_ATOM_DENVERTON:
                        crystal_khz = 25000;    /* 25.0 MHz */
                        break;
@@ -612,6 +611,8 @@ unsigned long native_calibrate_tsc(void)
                }
        }
+        if (crystal_khz == 0)
+                return 0;
        /*
         * TSC frequency determined by CPUID is a "hardware reported"
         * frequency and is the most accurate one so far we have. This
@@ -1315,6 +1316,12 @@ void __init tsc_init(void)
                (unsigned long)cpu_khz / 1000,
                (unsigned long)cpu_khz % 1000);
+        if (cpu_khz != tsc_khz) {
+                pr_info("Detected %lu.%03lu MHz TSC",
+                        (unsigned long)tsc_khz / 1000,
+                        (unsigned long)tsc_khz % 1000);
+        }
        /* Sanitize TSC ADJUST before cyc2ns gets initialized */
        tsc_store_and_check_tsc_adjust(true);
diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
index be86a865087a..1f9188f5357c 100644
--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -74,8 +74,50 @@ static struct orc_entry *orc_module_find(unsigned long ip)
 }
 #endif
+#ifdef CONFIG_DYNAMIC_FTRACE
+static struct orc_entry *orc_find(unsigned long ip);
+/*
+ * Ftrace dynamic trampolines do not have orc entries of their own.
+ * But they are copies of the ftrace entries that are static and
+ * defined in ftrace_*.S, which do have orc entries.
+ *
+ * If the undwinder comes across a ftrace trampoline, then find the
+ * ftrace function that was used to create it, and use that ftrace
+ * function's orc entrie, as the placement of the return code in
+ * the stack will be identical.
+ */
+static struct orc_entry *orc_ftrace_find(unsigned long ip)
+{
+        struct ftrace_ops *ops;
+        unsigned long caller;
+        ops = ftrace_ops_trampoline(ip);
+        if (!ops)
+                return NULL;
+        if (ops->flags & FTRACE_OPS_FL_SAVE_REGS)
+                caller = (unsigned long)ftrace_regs_call;
+        else
+                caller = (unsigned long)ftrace_call;
+        /* Prevent unlikely recursion */
+        if (ip == caller)
+                return NULL;
+        return orc_find(caller);
+}
+#else
+static struct orc_entry *orc_ftrace_find(unsigned long ip)
+{
+        return NULL;
+}
+#endif
 static struct orc_entry *orc_find(unsigned long ip)
 {
+        static struct orc_entry *orc;
        if (!orc_init)
                return NULL;
@@ -111,7 +153,11 @@ static struct orc_entry *orc_find(unsigned long ip)
                                  __stop_orc_unwind_ip - __start_orc_unwind_ip, ip);
        /* Module lookup: */
-        return orc_module_find(ip);
+        orc = orc_module_find(ip);
+        if (orc)
+                return orc;
+        return orc_ftrace_find(ip);
 }
 static void orc_sort_swap(void *_a, void *_b, int size)
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 1e413a9326aa..9b138a06c1a4 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -124,6 +124,12 @@ SECTIONS
                ASSERT(. - _entry_trampoline == PAGE_SIZE, "entry trampoline is too big");
 #endif
+#ifdef CONFIG_RETPOLINE
+                __indirect_thunk_start = .;
+                *(.text.__x86.indirect_thunk)
+                __indirect_thunk_end = .;
+#endif
                /* End of text section */
                _etext = .;
        } :text = 0x9090
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index c4deb1f34faa..2b8eb4da4d08 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3781,7 +3781,8 @@ static int kvm_arch_setup_async_pf(struct kvm_vcpu *vcpu, gva_t gva, gfn_t gfn)
 bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu)
 {
        if (unlikely(!lapic_in_kernel(vcpu) ||
-                     kvm_event_needs_reinjection(vcpu)))
+                     kvm_event_needs_reinjection(vcpu) ||
+                     vcpu->arch.exception.pending))
                return false;
        if (!vcpu->arch.apf.delivery_as_pf_vmexit && is_guest_mode(vcpu))
@@ -5465,30 +5466,34 @@ static void mmu_destroy_caches(void)
 int kvm_mmu_module_init(void)
 {
+        int ret = -ENOMEM;
        kvm_mmu_clear_all_pte_masks();
        pte_list_desc_cache = kmem_cache_create("pte_list_desc",
                                            sizeof(struct pte_list_desc),
                                            0, SLAB_ACCOUNT, NULL);
        if (!pte_list_desc_cache)
-                goto nomem;
+                goto out;
        mmu_page_header_cache = kmem_cache_create("kvm_mmu_page_header",
                                                  sizeof(struct kvm_mmu_page),
                                                  0, SLAB_ACCOUNT, NULL);
        if (!mmu_page_header_cache)
-                goto nomem;
+                goto out;
        if (percpu_counter_init(&kvm_total_used_mmu_pages, 0, GFP_KERNEL))
-                goto nomem;
+                goto out;
-        register_shrinker(&mmu_shrinker);
+        ret = register_shrinker(&mmu_shrinker);
+        if (ret)
+                goto out;
        return 0;
-nomem:
+out:
        mmu_destroy_caches();
-        return -ENOMEM;
+        return ret;
 }
 /*
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index eb714f1cdf7e..f40d0da1f1d3 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -45,6 +45,7 @@
 #include <asm/debugreg.h>
 #include <asm/kvm_para.h>
 #include <asm/irq_remapping.h>
+#include <asm/nospec-branch.h>
 #include <asm/virtext.h>
 #include "trace.h"
@@ -361,7 +362,6 @@ static void recalc_intercepts(struct vcpu_svm *svm)
 {
        struct vmcb_control_area *c, *h;
        struct nested_state *g;
-        u32 h_intercept_exceptions;
        mark_dirty(svm->vmcb, VMCB_INTERCEPTS);
@@ -372,14 +372,9 @@ static void recalc_intercepts(struct vcpu_svm *svm)
        h = &svm->nested.hsave->control;
        g = &svm->nested;
-        /* No need to intercept #UD if L1 doesn't intercept it */
-        h_intercept_exceptions =
-                h->intercept_exceptions & ~(1U << UD_VECTOR);
        c->intercept_cr = h->intercept_cr | g->intercept_cr;
        c->intercept_dr = h->intercept_dr | g->intercept_dr;
-        c->intercept_exceptions =
+        c->intercept_exceptions = h->intercept_exceptions | g->intercept_exceptions;
-                h_intercept_exceptions | g->intercept_exceptions;
        c->intercept = h->intercept | g->intercept;
 }
@@ -2202,7 +2197,6 @@ static int ud_interception(struct vcpu_svm *svm)
 {
        int er;
-        WARN_ON_ONCE(is_guest_mode(&svm->vcpu));
        er = emulate_instruction(&svm->vcpu, EMULTYPE_TRAP_UD);
        if (er == EMULATE_USER_EXIT)
                return 0;
@@ -4986,6 +4980,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
                "mov %%r14, %c[r14](%[svm]) \n\t"
                "mov %%r15, %c[r15](%[svm]) \n\t"
 #endif
+                /*
+                * Clear host registers marked as clobbered to prevent
+                * speculative use.
+                */
+                "xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
+                "xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
+                "xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
+                "xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
+                "xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
+#ifdef CONFIG_X86_64
+                "xor %%r8, %%r8 \n\t"
+                "xor %%r9, %%r9 \n\t"
+                "xor %%r10, %%r10 \n\t"
+                "xor %%r11, %%r11 \n\t"
+                "xor %%r12, %%r12 \n\t"
+                "xor %%r13, %%r13 \n\t"
+                "xor %%r14, %%r14 \n\t"
+                "xor %%r15, %%r15 \n\t"
+#endif
                "pop %%" _ASM_BP
                :
                : [svm]"a"(svm),
@@ -5015,6 +5028,9 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 #endif
                );
+        /* Eliminate branch target predictions from guest mode */
+        vmexit_fill_RSB();
 #ifdef CONFIG_X86_64
        wrmsrl(MSR_GS_BASE, svm->host.gs_base);
 #else
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 023afa0c8887..c829d89e2e63 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -50,6 +50,7 @@
 #include <asm/apic.h>
 #include <asm/irq_remapping.h>
 #include <asm/mmu_context.h>
+#include <asm/nospec-branch.h>
 #include "trace.h"
 #include "pmu.h"
@@ -899,8 +900,16 @@ static inline short vmcs_field_to_offset(unsigned long field)
 {
        BUILD_BUG_ON(ARRAY_SIZE(vmcs_field_to_offset_table) > SHRT_MAX);
-        if (field >= ARRAY_SIZE(vmcs_field_to_offset_table) ||
+        if (field >= ARRAY_SIZE(vmcs_field_to_offset_table))
-            vmcs_field_to_offset_table[field] == 0)
+                return -ENOENT;
+        /*
+         * FIXME: Mitigation for CVE-2017-5753.  To be replaced with a
+         * generic mechanism.
+         */
+        asm("lfence");
+        if (vmcs_field_to_offset_table[field] == 0)
                return -ENOENT;
        return vmcs_field_to_offset_table[field];
@@ -1887,7 +1896,7 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu)
 {
        u32 eb;
-        eb = (1u << PF_VECTOR) | (1u << MC_VECTOR) |
+        eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
             (1u << DB_VECTOR) | (1u << AC_VECTOR);
        if ((vcpu->guest_debug &
             (KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
@@ -1905,8 +1914,6 @@ static void update_exception_bitmap(struct kvm_vcpu *vcpu)
         */
        if (is_guest_mode(vcpu))
                eb |= get_vmcs12(vcpu)->exception_bitmap;
-        else
-                eb |= 1u << UD_VECTOR;
        vmcs_write32(EXCEPTION_BITMAP, eb);
 }
@@ -5917,7 +5924,6 @@ static int handle_exception(struct kvm_vcpu *vcpu)
                return 1;  /* already handled by vmx_vcpu_run() */
        if (is_invalid_opcode(intr_info)) {
-                WARN_ON_ONCE(is_guest_mode(vcpu));
                er = emulate_instruction(vcpu, EMULTYPE_TRAP_UD);
                if (er == EMULATE_USER_EXIT)
                        return 0;
@@ -9415,6 +9421,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
                /* Save guest registers, load host registers, keep flags */
                "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
                "pop %0 \n\t"
+                "setbe %c[fail](%0)\n\t"
                "mov %%" _ASM_AX ", %c[rax](%0) \n\t"
                "mov %%" _ASM_BX ", %c[rbx](%0) \n\t"
                __ASM_SIZE(pop) " %c[rcx](%0) \n\t"
@@ -9431,12 +9438,23 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
                "mov %%r13, %c[r13](%0) \n\t"
                "mov %%r14, %c[r14](%0) \n\t"
                "mov %%r15, %c[r15](%0) \n\t"
+                "xor %%r8d,  %%r8d \n\t"
+                "xor %%r9d,  %%r9d \n\t"
+                "xor %%r10d, %%r10d \n\t"
+                "xor %%r11d, %%r11d \n\t"
+                "xor %%r12d, %%r12d \n\t"
+                "xor %%r13d, %%r13d \n\t"
+                "xor %%r14d, %%r14d \n\t"
+                "xor %%r15d, %%r15d \n\t"
 #endif
                "mov %%cr2, %%" _ASM_AX "   \n\t"
                "mov %%" _ASM_AX ", %c[cr2](%0) \n\t"
+                "xor %%eax, %%eax \n\t"
+                "xor %%ebx, %%ebx \n\t"
+                "xor %%esi, %%esi \n\t"
+                "xor %%edi, %%edi \n\t"
                "pop  %%" _ASM_BP "; pop  %%" _ASM_DX " \n\t"
-                "setbe %c[fail](%0) \n\t"
                ".pushsection .rodata \n\t"
                ".global vmx_return \n\t"
                "vmx_return: " _ASM_PTR " 2b \n\t"
@@ -9473,6 +9491,9 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
 #endif
              );
+        /* Eliminate branch target predictions from guest mode */
+        vmexit_fill_RSB();
        /* MSR_IA32_DEBUGCTLMSR is zeroed on vmexit. Restore it if needed */
        if (debugctlmsr)
                update_debugctlmsr(debugctlmsr);
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 1cec2c62a0b0..c53298dfbf50 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -7496,13 +7496,13 @@ EXPORT_SYMBOL_GPL(kvm_task_switch);
 int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
 {
-        if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG_BIT)) {
+        if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG)) {
                /*
                 * When EFER.LME and CR0.PG are set, the processor is in
                 * 64-bit mode (though maybe in a 32-bit code segment).
                 * CR4.PAE and EFER.LMA must be set.
                 */
-                if (!(sregs->cr4 & X86_CR4_PAE_BIT)
+                if (!(sregs->cr4 & X86_CR4_PAE)
                    || !(sregs->efer & EFER_LMA))
                        return -EINVAL;
        } else {
diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile
index 7b181b61170e..f23934bbaf4e 100644
--- a/arch/x86/lib/Makefile
+++ b/arch/x86/lib/Makefile
@@ -26,6 +26,7 @@ lib-y += memcpy_$(BITS).o
 lib-$(CONFIG_RWSEM_XCHGADD_ALGORITHM) += rwsem.o
 lib-$(CONFIG_INSTRUCTION_DECODER) += insn.o inat.o insn-eval.o
 lib-$(CONFIG_RANDOMIZE_BASE) += kaslr.o
+lib-$(CONFIG_RETPOLINE) += retpoline.o
 obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o
diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S
index 4d34bb548b41..46e71a74e612 100644
--- a/arch/x86/lib/checksum_32.S
+++ b/arch/x86/lib/checksum_32.S
@@ -29,7 +29,8 @@
 #include <asm/errno.h>
 #include <asm/asm.h>
 #include <asm/export.h>
-                                
+#include <asm/nospec-branch.h>
 /*
 * computes a partial checksum, e.g. for TCP/UDP fragments
 */
@@ -156,7 +157,7 @@ ENTRY(csum_partial)
        negl %ebx
        lea 45f(%ebx,%ebx,2), %ebx
        testl %esi, %esi
-        jmp *%ebx
+        JMP_NOSPEC %ebx
        # Handle 2-byte-aligned regions
 20:     addw (%esi), %ax
@@ -439,7 +440,7 @@ ENTRY(csum_partial_copy_generic)
        andl $-32,%edx
        lea 3f(%ebx,%ebx), %ebx
        testl %esi, %esi 
-        jmp *%ebx
+        JMP_NOSPEC %ebx
 1:      addl $64,%esi
        addl $64,%edi 
        SRC(movb -32(%edx),%bl) ; SRC(movb (%edx),%bl)
diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S
new file mode 100644
index 000000000000..dfb2ba91b670
--- /dev/null
+++ b/arch/x86/lib/retpoline.S
@@ -0,0 +1,49 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <linux/stringify.h>
+#include <linux/linkage.h>
+#include <asm/dwarf2.h>
+#include <asm/cpufeatures.h>
+#include <asm/alternative-asm.h>
+#include <asm/export.h>
+#include <asm/nospec-branch.h>
+.macro THUNK reg
+        .section .text.__x86.indirect_thunk
+ENTRY(__x86_indirect_thunk_\reg)
+        CFI_STARTPROC
+        JMP_NOSPEC %\reg
+        CFI_ENDPROC
+ENDPROC(__x86_indirect_thunk_\reg)
+.endm
+/*
+ * Despite being an assembler file we can't just use .irp here
+ * because __KSYM_DEPS__ only uses the C preprocessor and would
+ * only see one instance of "__x86_indirect_thunk_\reg" rather
+ * than one per register with the correct names. So we do it
+ * the simple and nasty way...
+ */
+#define __EXPORT_THUNK(sym) _ASM_NOKPROBE(sym); EXPORT_SYMBOL(sym)
+#define EXPORT_THUNK(reg) __EXPORT_THUNK(__x86_indirect_thunk_ ## reg)
+#define GENERATE_THUNK(reg) THUNK reg ; EXPORT_THUNK(reg)
+GENERATE_THUNK(_ASM_AX)
+GENERATE_THUNK(_ASM_BX)
+GENERATE_THUNK(_ASM_CX)
+GENERATE_THUNK(_ASM_DX)
+GENERATE_THUNK(_ASM_SI)
+GENERATE_THUNK(_ASM_DI)
+GENERATE_THUNK(_ASM_BP)
+GENERATE_THUNK(_ASM_SP)
+#ifdef CONFIG_64BIT
+GENERATE_THUNK(r8)
+GENERATE_THUNK(r9)
+GENERATE_THUNK(r10)
+GENERATE_THUNK(r11)
+GENERATE_THUNK(r12)
+GENERATE_THUNK(r13)
+GENERATE_THUNK(r14)
+GENERATE_THUNK(r15)
+#endif
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 06fe3d51d385..b3e40773dce0 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -172,14 +172,15 @@ is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)
 * 6. T1   : reaches here, sees vma_pkey(vma)=5, when we really
 *           faulted on a pte with its pkey=4.
 */
-static void fill_sig_info_pkey(int si_code, siginfo_t *info, u32 *pkey)
+static void fill_sig_info_pkey(int si_signo, int si_code, siginfo_t *info,
+                u32 *pkey)
 {
        /* This is effectively an #ifdef */
        if (!boot_cpu_has(X86_FEATURE_OSPKE))
                return;
        /* Fault not from Protection Keys: nothing to do */
-        if (si_code != SEGV_PKUERR)
+        if ((si_code != SEGV_PKUERR) || (si_signo != SIGSEGV))
                return;
        /*
         * force_sig_info_fault() is called from a number of
@@ -218,7 +219,7 @@ force_sig_info_fault(int si_signo, int si_code, unsigned long address,
                lsb = PAGE_SHIFT;
        info.si_addr_lsb = lsb;
-        fill_sig_info_pkey(si_code, &info, pkey);
+        fill_sig_info_pkey(si_signo, si_code, &info, pkey);
        force_sig_info(si_signo, &info, tsk);
 }
diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c
index 47388f0c0e59..af6f2f9c6a26 100644
--- a/arch/x86/mm/kasan_init_64.c
+++ b/arch/x86/mm/kasan_init_64.c
@@ -21,10 +21,14 @@ extern struct range pfn_mapped[E820_MAX_ENTRIES];
 static p4d_t tmp_p4d_table[PTRS_PER_P4D] __initdata __aligned(PAGE_SIZE);
-static __init void *early_alloc(size_t size, int nid)
+static __init void *early_alloc(size_t size, int nid, bool panic)
 {
-        return memblock_virt_alloc_try_nid_nopanic(size, size,
+        if (panic)
-                __pa(MAX_DMA_ADDRESS), BOOTMEM_ALLOC_ACCESSIBLE, nid);
+                return memblock_virt_alloc_try_nid(size, size,
+                        __pa(MAX_DMA_ADDRESS), BOOTMEM_ALLOC_ACCESSIBLE, nid);
+        else
+                return memblock_virt_alloc_try_nid_nopanic(size, size,
+                        __pa(MAX_DMA_ADDRESS), BOOTMEM_ALLOC_ACCESSIBLE, nid);
 }
 static void __init kasan_populate_pmd(pmd_t *pmd, unsigned long addr,
@@ -38,14 +42,14 @@ static void __init kasan_populate_pmd(pmd_t *pmd, unsigned long addr,
                if (boot_cpu_has(X86_FEATURE_PSE) &&
                    ((end - addr) == PMD_SIZE) &&
                    IS_ALIGNED(addr, PMD_SIZE)) {
-                        p = early_alloc(PMD_SIZE, nid);
+                        p = early_alloc(PMD_SIZE, nid, false);
                        if (p && pmd_set_huge(pmd, __pa(p), PAGE_KERNEL))
                                return;
                        else if (p)
                                memblock_free(__pa(p), PMD_SIZE);
                }
-                p = early_alloc(PAGE_SIZE, nid);
+                p = early_alloc(PAGE_SIZE, nid, true);
                pmd_populate_kernel(&init_mm, pmd, p);
        }
@@ -57,7 +61,7 @@ static void __init kasan_populate_pmd(pmd_t *pmd, unsigned long addr,
                if (!pte_none(*pte))
                        continue;
-                p = early_alloc(PAGE_SIZE, nid);
+                p = early_alloc(PAGE_SIZE, nid, true);
                entry = pfn_pte(PFN_DOWN(__pa(p)), PAGE_KERNEL);
                set_pte_at(&init_mm, addr, pte, entry);
        } while (pte++, addr += PAGE_SIZE, addr != end);
@@ -75,14 +79,14 @@ static void __init kasan_populate_pud(pud_t *pud, unsigned long addr,
                if (boot_cpu_has(X86_FEATURE_GBPAGES) &&
                    ((end - addr) == PUD_SIZE) &&
                    IS_ALIGNED(addr, PUD_SIZE)) {
-                        p = early_alloc(PUD_SIZE, nid);
+                        p = early_alloc(PUD_SIZE, nid, false);
                        if (p && pud_set_huge(pud, __pa(p), PAGE_KERNEL))
                                return;
                        else if (p)
                                memblock_free(__pa(p), PUD_SIZE);
                }
-                p = early_alloc(PAGE_SIZE, nid);
+                p = early_alloc(PAGE_SIZE, nid, true);
                pud_populate(&init_mm, pud, p);
        }
@@ -101,7 +105,7 @@ static void __init kasan_populate_p4d(p4d_t *p4d, unsigned long addr,
        unsigned long next;
        if (p4d_none(*p4d)) {
-                void *p = early_alloc(PAGE_SIZE, nid);
+                void *p = early_alloc(PAGE_SIZE, nid, true);
                p4d_populate(&init_mm, p4d, p);
        }
@@ -122,7 +126,7 @@ static void __init kasan_populate_pgd(pgd_t *pgd, unsigned long addr,
        unsigned long next;
        if (pgd_none(*pgd)) {
-                p = early_alloc(PAGE_SIZE, nid);
+                p = early_alloc(PAGE_SIZE, nid, true);
                pgd_populate(&init_mm, pgd, p);
        }
diff --git a/arch/x86/mm/mem_encrypt.c b/arch/x86/mm/mem_encrypt.c
index 391b13402e40..e1d61e8500f9 100644
--- a/arch/x86/mm/mem_encrypt.c
+++ b/arch/x86/mm/mem_encrypt.c
@@ -464,37 +464,62 @@ void swiotlb_set_mem_attributes(void *vaddr, unsigned long size)
        set_memory_decrypted((unsigned long)vaddr, size >> PAGE_SHIFT);
 }
-static void __init sme_clear_pgd(pgd_t *pgd_base, unsigned long start,
+struct sme_populate_pgd_data {
-                                 unsigned long end)
+        void    *pgtable_area;
+        pgd_t   *pgd;
+        pmdval_t pmd_flags;
+        pteval_t pte_flags;
+        unsigned long paddr;
+        unsigned long vaddr;
+        unsigned long vaddr_end;
+};
+static void __init sme_clear_pgd(struct sme_populate_pgd_data *ppd)
 {
        unsigned long pgd_start, pgd_end, pgd_size;
        pgd_t *pgd_p;
-        pgd_start = start & PGDIR_MASK;
+        pgd_start = ppd->vaddr & PGDIR_MASK;
-        pgd_end = end & PGDIR_MASK;
+        pgd_end = ppd->vaddr_end & PGDIR_MASK;
-        pgd_size = (((pgd_end - pgd_start) / PGDIR_SIZE) + 1);
+        pgd_size = (((pgd_end - pgd_start) / PGDIR_SIZE) + 1) * sizeof(pgd_t);
-        pgd_size *= sizeof(pgd_t);
-        pgd_p = pgd_base + pgd_index(start);
+        pgd_p = ppd->pgd + pgd_index(ppd->vaddr);
        memset(pgd_p, 0, pgd_size);
 }
-#define PGD_FLAGS       _KERNPG_TABLE_NOENC
+#define PGD_FLAGS               _KERNPG_TABLE_NOENC
-#define P4D_FLAGS       _KERNPG_TABLE_NOENC
+#define P4D_FLAGS               _KERNPG_TABLE_NOENC
-#define PUD_FLAGS       _KERNPG_TABLE_NOENC
+#define PUD_FLAGS               _KERNPG_TABLE_NOENC
-#define PMD_FLAGS       (__PAGE_KERNEL_LARGE_EXEC & ~_PAGE_GLOBAL)
+#define PMD_FLAGS               _KERNPG_TABLE_NOENC
+#define PMD_FLAGS_LARGE         (__PAGE_KERNEL_LARGE_EXEC & ~_PAGE_GLOBAL)
+#define PMD_FLAGS_DEC           PMD_FLAGS_LARGE
+#define PMD_FLAGS_DEC_WP        ((PMD_FLAGS_DEC & ~_PAGE_CACHE_MASK) | \
+                                 (_PAGE_PAT | _PAGE_PWT))
+#define PMD_FLAGS_ENC           (PMD_FLAGS_LARGE | _PAGE_ENC)
+#define PTE_FLAGS               (__PAGE_KERNEL_EXEC & ~_PAGE_GLOBAL)
+#define PTE_FLAGS_DEC           PTE_FLAGS
+#define PTE_FLAGS_DEC_WP        ((PTE_FLAGS_DEC & ~_PAGE_CACHE_MASK) | \
+                                 (_PAGE_PAT | _PAGE_PWT))
+#define PTE_FLAGS_ENC           (PTE_FLAGS | _PAGE_ENC)
-static void __init *sme_populate_pgd(pgd_t *pgd_base, void *pgtable_area,
+static pmd_t __init *sme_prepare_pgd(struct sme_populate_pgd_data *ppd)
-                                     unsigned long vaddr, pmdval_t pmd_val)
 {
        pgd_t *pgd_p;
        p4d_t *p4d_p;
        pud_t *pud_p;
        pmd_t *pmd_p;
-        pgd_p = pgd_base + pgd_index(vaddr);
+        pgd_p = ppd->pgd + pgd_index(ppd->vaddr);
        if (native_pgd_val(*pgd_p)) {
                if (IS_ENABLED(CONFIG_X86_5LEVEL))
                        p4d_p = (p4d_t *)(native_pgd_val(*pgd_p) & ~PTE_FLAGS_MASK);
@@ -504,15 +529,15 @@ static void __init *sme_populate_pgd(pgd_t *pgd_base, void *pgtable_area,
                pgd_t pgd;
                if (IS_ENABLED(CONFIG_X86_5LEVEL)) {
-                        p4d_p = pgtable_area;
+                        p4d_p = ppd->pgtable_area;
                        memset(p4d_p, 0, sizeof(*p4d_p) * PTRS_PER_P4D);
-                        pgtable_area += sizeof(*p4d_p) * PTRS_PER_P4D;
+                        ppd->pgtable_area += sizeof(*p4d_p) * PTRS_PER_P4D;
                        pgd = native_make_pgd((pgdval_t)p4d_p + PGD_FLAGS);
                } else {
-                        pud_p = pgtable_area;
+                        pud_p = ppd->pgtable_area;
                        memset(pud_p, 0, sizeof(*pud_p) * PTRS_PER_PUD);
-                        pgtable_area += sizeof(*pud_p) * PTRS_PER_PUD;
+                        ppd->pgtable_area += sizeof(*pud_p) * PTRS_PER_PUD;
                        pgd = native_make_pgd((pgdval_t)pud_p + PGD_FLAGS);
                }
@@ -520,58 +545,160 @@ static void __init *sme_populate_pgd(pgd_t *pgd_base, void *pgtable_area,
        }
        if (IS_ENABLED(CONFIG_X86_5LEVEL)) {
-                p4d_p += p4d_index(vaddr);
+                p4d_p += p4d_index(ppd->vaddr);
                if (native_p4d_val(*p4d_p)) {
                        pud_p = (pud_t *)(native_p4d_val(*p4d_p) & ~PTE_FLAGS_MASK);
                } else {
                        p4d_t p4d;
-                        pud_p = pgtable_area;
+                        pud_p = ppd->pgtable_area;
                        memset(pud_p, 0, sizeof(*pud_p) * PTRS_PER_PUD);
-                        pgtable_area += sizeof(*pud_p) * PTRS_PER_PUD;
+                        ppd->pgtable_area += sizeof(*pud_p) * PTRS_PER_PUD;
                        p4d = native_make_p4d((pudval_t)pud_p + P4D_FLAGS);
                        native_set_p4d(p4d_p, p4d);
                }
        }
-        pud_p += pud_index(vaddr);
+        pud_p += pud_index(ppd->vaddr);
        if (native_pud_val(*pud_p)) {
                if (native_pud_val(*pud_p) & _PAGE_PSE)
-                        goto out;
+                        return NULL;
                pmd_p = (pmd_t *)(native_pud_val(*pud_p) & ~PTE_FLAGS_MASK);
        } else {
                pud_t pud;
-                pmd_p = pgtable_area;
+                pmd_p = ppd->pgtable_area;
                memset(pmd_p, 0, sizeof(*pmd_p) * PTRS_PER_PMD);
-                pgtable_area += sizeof(*pmd_p) * PTRS_PER_PMD;
+                ppd->pgtable_area += sizeof(*pmd_p) * PTRS_PER_PMD;
                pud = native_make_pud((pmdval_t)pmd_p + PUD_FLAGS);
                native_set_pud(pud_p, pud);
        }
-        pmd_p += pmd_index(vaddr);
+        return pmd_p;
+}
+static void __init sme_populate_pgd_large(struct sme_populate_pgd_data *ppd)
+{
+        pmd_t *pmd_p;
+        pmd_p = sme_prepare_pgd(ppd);
+        if (!pmd_p)
+                return;
+        pmd_p += pmd_index(ppd->vaddr);
        if (!native_pmd_val(*pmd_p) || !(native_pmd_val(*pmd_p) & _PAGE_PSE))
-                native_set_pmd(pmd_p, native_make_pmd(pmd_val));
+                native_set_pmd(pmd_p, native_make_pmd(ppd->paddr | ppd->pmd_flags));
+}
-out:
+static void __init sme_populate_pgd(struct sme_populate_pgd_data *ppd)
-        return pgtable_area;
+{
+        pmd_t *pmd_p;
+        pte_t *pte_p;
+        pmd_p = sme_prepare_pgd(ppd);
+        if (!pmd_p)
+                return;
+        pmd_p += pmd_index(ppd->vaddr);
+        if (native_pmd_val(*pmd_p)) {
+                if (native_pmd_val(*pmd_p) & _PAGE_PSE)
+                        return;
+                pte_p = (pte_t *)(native_pmd_val(*pmd_p) & ~PTE_FLAGS_MASK);
+        } else {
+                pmd_t pmd;
+                pte_p = ppd->pgtable_area;
+                memset(pte_p, 0, sizeof(*pte_p) * PTRS_PER_PTE);
+                ppd->pgtable_area += sizeof(*pte_p) * PTRS_PER_PTE;
+                pmd = native_make_pmd((pteval_t)pte_p + PMD_FLAGS);
+                native_set_pmd(pmd_p, pmd);
+        }
+        pte_p += pte_index(ppd->vaddr);
+        if (!native_pte_val(*pte_p))
+                native_set_pte(pte_p, native_make_pte(ppd->paddr | ppd->pte_flags));
+}
+static void __init __sme_map_range_pmd(struct sme_populate_pgd_data *ppd)
+{
+        while (ppd->vaddr < ppd->vaddr_end) {
+                sme_populate_pgd_large(ppd);
+                ppd->vaddr += PMD_PAGE_SIZE;
+                ppd->paddr += PMD_PAGE_SIZE;
+        }
+}
+static void __init __sme_map_range_pte(struct sme_populate_pgd_data *ppd)
+{
+        while (ppd->vaddr < ppd->vaddr_end) {
+                sme_populate_pgd(ppd);
+                ppd->vaddr += PAGE_SIZE;
+                ppd->paddr += PAGE_SIZE;
+        }
+}
+static void __init __sme_map_range(struct sme_populate_pgd_data *ppd,
+                                   pmdval_t pmd_flags, pteval_t pte_flags)
+{
+        unsigned long vaddr_end;
+        ppd->pmd_flags = pmd_flags;
+        ppd->pte_flags = pte_flags;
+        /* Save original end value since we modify the struct value */
+        vaddr_end = ppd->vaddr_end;
+        /* If start is not 2MB aligned, create PTE entries */
+        ppd->vaddr_end = ALIGN(ppd->vaddr, PMD_PAGE_SIZE);
+        __sme_map_range_pte(ppd);
+        /* Create PMD entries */
+        ppd->vaddr_end = vaddr_end & PMD_PAGE_MASK;
+        __sme_map_range_pmd(ppd);
+        /* If end is not 2MB aligned, create PTE entries */
+        ppd->vaddr_end = vaddr_end;
+        __sme_map_range_pte(ppd);
+}
+static void __init sme_map_range_encrypted(struct sme_populate_pgd_data *ppd)
+{
+        __sme_map_range(ppd, PMD_FLAGS_ENC, PTE_FLAGS_ENC);
+}
+static void __init sme_map_range_decrypted(struct sme_populate_pgd_data *ppd)
+{
+        __sme_map_range(ppd, PMD_FLAGS_DEC, PTE_FLAGS_DEC);
+}
+static void __init sme_map_range_decrypted_wp(struct sme_populate_pgd_data *ppd)
+{
+        __sme_map_range(ppd, PMD_FLAGS_DEC_WP, PTE_FLAGS_DEC_WP);
 }
 static unsigned long __init sme_pgtable_calc(unsigned long len)
 {
-        unsigned long p4d_size, pud_size, pmd_size;
+        unsigned long p4d_size, pud_size, pmd_size, pte_size;
        unsigned long total;
        /*
         * Perform a relatively simplistic calculation of the pagetable
-         * entries that are needed. That mappings will be covered by 2MB
+         * entries that are needed. Those mappings will be covered mostly
-         * PMD entries so we can conservatively calculate the required
+         * by 2MB PMD entries so we can conservatively calculate the required
         * number of P4D, PUD and PMD structures needed to perform the
-         * mappings. Incrementing the count for each covers the case where
+         * mappings.  For mappings that are not 2MB aligned, PTE mappings
-         * the addresses cross entries.
+         * would be needed for the start and end portion of the address range
+         * that fall outside of the 2MB alignment.  This results in, at most,
+         * two extra pages to hold PTE entries for each range that is mapped.
+         * Incrementing the count for each covers the case where the addresses
+         * cross entries.
         */
        if (IS_ENABLED(CONFIG_X86_5LEVEL)) {
                p4d_size = (ALIGN(len, PGDIR_SIZE) / PGDIR_SIZE) + 1;
@@ -585,8 +712,9 @@ static unsigned long __init sme_pgtable_calc(unsigned long len)
        }
        pmd_size = (ALIGN(len, PUD_SIZE) / PUD_SIZE) + 1;
        pmd_size *= sizeof(pmd_t) * PTRS_PER_PMD;
+        pte_size = 2 * sizeof(pte_t) * PTRS_PER_PTE;
-        total = p4d_size + pud_size + pmd_size;
+        total = p4d_size + pud_size + pmd_size + pte_size;
        /*
         * Now calculate the added pagetable structures needed to populate
@@ -610,29 +738,29 @@ static unsigned long __init sme_pgtable_calc(unsigned long len)
        return total;
 }
-void __init sme_encrypt_kernel(void)
+void __init __nostackprotector sme_encrypt_kernel(struct boot_params *bp)
 {
        unsigned long workarea_start, workarea_end, workarea_len;
        unsigned long execute_start, execute_end, execute_len;
        unsigned long kernel_start, kernel_end, kernel_len;
+        unsigned long initrd_start, initrd_end, initrd_len;
+        struct sme_populate_pgd_data ppd;
        unsigned long pgtable_area_len;
-        unsigned long paddr, pmd_flags;
        unsigned long decrypted_base;
-        void *pgtable_area;
-        pgd_t *pgd;
        if (!sme_active())
                return;
        /*
-         * Prepare for encrypting the kernel by building new pagetables with
+         * Prepare for encrypting the kernel and initrd by building new
-         * the necessary attributes needed to encrypt the kernel in place.
+         * pagetables with the necessary attributes needed to encrypt the
+         * kernel in place.
         *
         *   One range of virtual addresses will map the memory occupied
-         *   by the kernel as encrypted.
+         *   by the kernel and initrd as encrypted.
         *
         *   Another range of virtual addresses will map the memory occupied
-         *   by the kernel as decrypted and write-protected.
+         *   by the kernel and initrd as decrypted and write-protected.
         *
         *     The use of write-protect attribute will prevent any of the
         *     memory from being cached.
@@ -643,6 +771,20 @@ void __init sme_encrypt_kernel(void)
        kernel_end = ALIGN(__pa_symbol(_end), PMD_PAGE_SIZE);
        kernel_len = kernel_end - kernel_start;
+        initrd_start = 0;
+        initrd_end = 0;
+        initrd_len = 0;
+#ifdef CONFIG_BLK_DEV_INITRD
+        initrd_len = (unsigned long)bp->hdr.ramdisk_size |
+                     ((unsigned long)bp->ext_ramdisk_size << 32);
+        if (initrd_len) {
+                initrd_start = (unsigned long)bp->hdr.ramdisk_image |
+                               ((unsigned long)bp->ext_ramdisk_image << 32);
+                initrd_end = PAGE_ALIGN(initrd_start + initrd_len);
+                initrd_len = initrd_end - initrd_start;
+        }
+#endif
        /* Set the encryption workarea to be immediately after the kernel */
        workarea_start = kernel_end;
@@ -665,16 +807,21 @@ void __init sme_encrypt_kernel(void)
         */
        pgtable_area_len = sizeof(pgd_t) * PTRS_PER_PGD;
        pgtable_area_len += sme_pgtable_calc(execute_end - kernel_start) * 2;
+        if (initrd_len)
+                pgtable_area_len += sme_pgtable_calc(initrd_len) * 2;
        /* PUDs and PMDs needed in the current pagetables for the workarea */
        pgtable_area_len += sme_pgtable_calc(execute_len + pgtable_area_len);
        /*
         * The total workarea includes the executable encryption area and
-         * the pagetable area.
+         * the pagetable area. The start of the workarea is already 2MB
+         * aligned, align the end of the workarea on a 2MB boundary so that
+         * we don't try to create/allocate PTE entries from the workarea
+         * before it is mapped.
         */
        workarea_len = execute_len + pgtable_area_len;
-        workarea_end = workarea_start + workarea_len;
+        workarea_end = ALIGN(workarea_start + workarea_len, PMD_PAGE_SIZE);
        /*
         * Set the address to the start of where newly created pagetable
@@ -683,45 +830,30 @@ void __init sme_encrypt_kernel(void)
         * pagetables and when the new encrypted and decrypted kernel
         * mappings are populated.
         */
-        pgtable_area = (void *)execute_end;
+        ppd.pgtable_area = (void *)execute_end;
        /*
         * Make sure the current pagetable structure has entries for
         * addressing the workarea.
         */
-        pgd = (pgd_t *)native_read_cr3_pa();
+        ppd.pgd = (pgd_t *)native_read_cr3_pa();
-        paddr = workarea_start;
+        ppd.paddr = workarea_start;
-        while (paddr < workarea_end) {
+        ppd.vaddr = workarea_start;
-                pgtable_area = sme_populate_pgd(pgd, pgtable_area,
+        ppd.vaddr_end = workarea_end;
-                                                paddr,
+        sme_map_range_decrypted(&ppd);
-                                                paddr + PMD_FLAGS);
-                paddr += PMD_PAGE_SIZE;
-        }
        /* Flush the TLB - no globals so cr3 is enough */
        native_write_cr3(__native_read_cr3());
        /*
         * A new pagetable structure is being built to allow for the kernel
-         * to be encrypted. It starts with an empty PGD that will then be
+         * and initrd to be encrypted. It starts with an empty PGD that will
-         * populated with new PUDs and PMDs as the encrypted and decrypted
+         * then be populated with new PUDs and PMDs as the encrypted and
-         * kernel mappings are created.
+         * decrypted kernel mappings are created.
         */
-        pgd = pgtable_area;
+        ppd.pgd = ppd.pgtable_area;
-        memset(pgd, 0, sizeof(*pgd) * PTRS_PER_PGD);
+        memset(ppd.pgd, 0, sizeof(pgd_t) * PTRS_PER_PGD);
-        pgtable_area += sizeof(*pgd) * PTRS_PER_PGD;
+        ppd.pgtable_area += sizeof(pgd_t) * PTRS_PER_PGD;
-        /* Add encrypted kernel (identity) mappings */
-        pmd_flags = PMD_FLAGS | _PAGE_ENC;
-        paddr = kernel_start;
-        while (paddr < kernel_end) {
-                pgtable_area = sme_populate_pgd(pgd, pgtable_area,
-                                                paddr,
-                                                paddr + pmd_flags);
-                paddr += PMD_PAGE_SIZE;
-        }
        /*
         * A different PGD index/entry must be used to get different
@@ -730,47 +862,79 @@ void __init sme_encrypt_kernel(void)
         * the base of the mapping.
         */
        decrypted_base = (pgd_index(workarea_end) + 1) & (PTRS_PER_PGD - 1);
+        if (initrd_len) {
+                unsigned long check_base;
+                check_base = (pgd_index(initrd_end) + 1) & (PTRS_PER_PGD - 1);
+                decrypted_base = max(decrypted_base, check_base);
+        }
        decrypted_base <<= PGDIR_SHIFT;
+        /* Add encrypted kernel (identity) mappings */
+        ppd.paddr = kernel_start;
+        ppd.vaddr = kernel_start;
+        ppd.vaddr_end = kernel_end;
+        sme_map_range_encrypted(&ppd);
        /* Add decrypted, write-protected kernel (non-identity) mappings */
-        pmd_flags = (PMD_FLAGS & ~_PAGE_CACHE_MASK) | (_PAGE_PAT | _PAGE_PWT);
+        ppd.paddr = kernel_start;
-        paddr = kernel_start;
+        ppd.vaddr = kernel_start + decrypted_base;
-        while (paddr < kernel_end) {
+        ppd.vaddr_end = kernel_end + decrypted_base;
-                pgtable_area = sme_populate_pgd(pgd, pgtable_area,
+        sme_map_range_decrypted_wp(&ppd);
-                                                paddr + decrypted_base,
-                                                paddr + pmd_flags);
+        if (initrd_len) {
+                /* Add encrypted initrd (identity) mappings */
-                paddr += PMD_PAGE_SIZE;
+                ppd.paddr = initrd_start;
+                ppd.vaddr = initrd_start;
+                ppd.vaddr_end = initrd_end;
+                sme_map_range_encrypted(&ppd);
+                /*
+                 * Add decrypted, write-protected initrd (non-identity) mappings
+                 */
+                ppd.paddr = initrd_start;
+                ppd.vaddr = initrd_start + decrypted_base;
+                ppd.vaddr_end = initrd_end + decrypted_base;
+                sme_map_range_decrypted_wp(&ppd);
        }
        /* Add decrypted workarea mappings to both kernel mappings */
-        paddr = workarea_start;
+        ppd.paddr = workarea_start;
-        while (paddr < workarea_end) {
+        ppd.vaddr = workarea_start;
-                pgtable_area = sme_populate_pgd(pgd, pgtable_area,
+        ppd.vaddr_end = workarea_end;
-                                                paddr,
+        sme_map_range_decrypted(&ppd);
-                                                paddr + PMD_FLAGS);
-                pgtable_area = sme_populate_pgd(pgd, pgtable_area,
+        ppd.paddr = workarea_start;
-                                                paddr + decrypted_base,
+        ppd.vaddr = workarea_start + decrypted_base;
-                                                paddr + PMD_FLAGS);
+        ppd.vaddr_end = workarea_end + decrypted_base;
+        sme_map_range_decrypted(&ppd);
-                paddr += PMD_PAGE_SIZE;
-        }
        /* Perform the encryption */
        sme_encrypt_execute(kernel_start, kernel_start + decrypted_base,
-                            kernel_len, workarea_start, (unsigned long)pgd);
+                            kernel_len, workarea_start, (unsigned long)ppd.pgd);
+        if (initrd_len)
+                sme_encrypt_execute(initrd_start, initrd_start + decrypted_base,
+                                    initrd_len, workarea_start,
+                                    (unsigned long)ppd.pgd);
        /*
         * At this point we are running encrypted.  Remove the mappings for
         * the decrypted areas - all that is needed for this is to remove
         * the PGD entry/entries.
         */
-        sme_clear_pgd(pgd, kernel_start + decrypted_base,
+        ppd.vaddr = kernel_start + decrypted_base;
-                      kernel_end + decrypted_base);
+        ppd.vaddr_end = kernel_end + decrypted_base;
+        sme_clear_pgd(&ppd);
+        if (initrd_len) {
+                ppd.vaddr = initrd_start + decrypted_base;
+                ppd.vaddr_end = initrd_end + decrypted_base;
+                sme_clear_pgd(&ppd);
+        }
-        sme_clear_pgd(pgd, workarea_start + decrypted_base,
+        ppd.vaddr = workarea_start + decrypted_base;
-                      workarea_end + decrypted_base);
+        ppd.vaddr_end = workarea_end + decrypted_base;
+        sme_clear_pgd(&ppd);
        /* Flush the TLB - no globals so cr3 is enough */
        native_write_cr3(__native_read_cr3());
diff --git a/arch/x86/mm/mem_encrypt_boot.S b/arch/x86/mm/mem_encrypt_boot.S
index 730e6d541df1..01f682cf77a8 100644
--- a/arch/x86/mm/mem_encrypt_boot.S
+++ b/arch/x86/mm/mem_encrypt_boot.S
@@ -22,9 +22,9 @@ ENTRY(sme_encrypt_execute)
        /*
         * Entry parameters:
-         *   RDI - virtual address for the encrypted kernel mapping
+         *   RDI - virtual address for the encrypted mapping
-         *   RSI - virtual address for the decrypted kernel mapping
+         *   RSI - virtual address for the decrypted mapping
-         *   RDX - length of kernel
+         *   RDX - length to encrypt
         *   RCX - virtual address of the encryption workarea, including:
         *     - stack page (PAGE_SIZE)
         *     - encryption routine page (PAGE_SIZE)
@@ -41,9 +41,9 @@ ENTRY(sme_encrypt_execute)
        addq    $PAGE_SIZE, %rax        /* Workarea encryption routine */
        push    %r12
-        movq    %rdi, %r10              /* Encrypted kernel */
+        movq    %rdi, %r10              /* Encrypted area */
-        movq    %rsi, %r11              /* Decrypted kernel */
+        movq    %rsi, %r11              /* Decrypted area */
-        movq    %rdx, %r12              /* Kernel length */
+        movq    %rdx, %r12              /* Area length */
        /* Copy encryption routine into the workarea */
        movq    %rax, %rdi                              /* Workarea encryption routine */
@@ -52,10 +52,10 @@ ENTRY(sme_encrypt_execute)
        rep     movsb
        /* Setup registers for call */
-        movq    %r10, %rdi              /* Encrypted kernel */
+        movq    %r10, %rdi              /* Encrypted area */
-        movq    %r11, %rsi              /* Decrypted kernel */
+        movq    %r11, %rsi              /* Decrypted area */
        movq    %r8, %rdx               /* Pagetables used for encryption */
-        movq    %r12, %rcx              /* Kernel length */
+        movq    %r12, %rcx              /* Area length */
        movq    %rax, %r8               /* Workarea encryption routine */
        addq    $PAGE_SIZE, %r8         /* Workarea intermediate copy buffer */
@@ -71,7 +71,7 @@ ENDPROC(sme_encrypt_execute)
 ENTRY(__enc_copy)
 /*
- * Routine used to encrypt kernel.
+ * Routine used to encrypt memory in place.
 *   This routine must be run outside of the kernel proper since
 *   the kernel will be encrypted during the process. So this
 *   routine is defined here and then copied to an area outside
@@ -79,19 +79,19 @@ ENTRY(__enc_copy)
 *   during execution.
 *
 *   On entry the registers must be:
- *     RDI - virtual address for the encrypted kernel mapping
+ *     RDI - virtual address for the encrypted mapping
- *     RSI - virtual address for the decrypted kernel mapping
+ *     RSI - virtual address for the decrypted mapping
 *     RDX - address of the pagetables to use for encryption
- *     RCX - length of kernel
+ *     RCX - length of area
 *      R8 - intermediate copy buffer
 *
 *     RAX - points to this routine
 *
- * The kernel will be encrypted by copying from the non-encrypted
+ * The area will be encrypted by copying from the non-encrypted
- * kernel space to an intermediate buffer and then copying from the
+ * memory space to an intermediate buffer and then copying from the
- * intermediate buffer back to the encrypted kernel space. The physical
+ * intermediate buffer back to the encrypted memory space. The physical
- * addresses of the two kernel space mappings are the same which
+ * addresses of the two mappings are the same which results in the area
- * results in the kernel being encrypted "in place".
+ * being encrypted "in place".
 */
        /* Enable the new page tables */
        mov     %rdx, %cr3
@@ -103,47 +103,55 @@ ENTRY(__enc_copy)
        orq     $X86_CR4_PGE, %rdx
        mov     %rdx, %cr4
+        push    %r15
+        push    %r12
+        movq    %rcx, %r9               /* Save area length */
+        movq    %rdi, %r10              /* Save encrypted area address */
+        movq    %rsi, %r11              /* Save decrypted area address */
        /* Set the PAT register PA5 entry to write-protect */
-        push    %rcx
        movl    $MSR_IA32_CR_PAT, %ecx
        rdmsr
-        push    %rdx                    /* Save original PAT value */
+        mov     %rdx, %r15              /* Save original PAT value */
        andl    $0xffff00ff, %edx       /* Clear PA5 */
        orl     $0x00000500, %edx       /* Set PA5 to WP */
        wrmsr
-        pop     %rdx                    /* RDX contains original PAT value */
-        pop     %rcx
-        movq    %rcx, %r9               /* Save kernel length */
-        movq    %rdi, %r10              /* Save encrypted kernel address */
-        movq    %rsi, %r11              /* Save decrypted kernel address */
        wbinvd                          /* Invalidate any cache entries */
-        /* Copy/encrypt 2MB at a time */
+        /* Copy/encrypt up to 2MB at a time */
+        movq    $PMD_PAGE_SIZE, %r12
 1:
-        movq    %r11, %rsi              /* Source - decrypted kernel */
+        cmpq    %r12, %r9
+        jnb     2f
+        movq    %r9, %r12
+2:
+        movq    %r11, %rsi              /* Source - decrypted area */
        movq    %r8, %rdi               /* Dest   - intermediate copy buffer */
-        movq    $PMD_PAGE_SIZE, %rcx    /* 2MB length */
+        movq    %r12, %rcx
        rep     movsb
        movq    %r8, %rsi               /* Source - intermediate copy buffer */
-        movq    %r10, %rdi              /* Dest   - encrypted kernel */
+        movq    %r10, %rdi              /* Dest   - encrypted area */
-        movq    $PMD_PAGE_SIZE, %rcx    /* 2MB length */
+        movq    %r12, %rcx
        rep     movsb
-        addq    $PMD_PAGE_SIZE, %r11
+        addq    %r12, %r11
-        addq    $PMD_PAGE_SIZE, %r10
+        addq    %r12, %r10
-        subq    $PMD_PAGE_SIZE, %r9     /* Kernel length decrement */
+        subq    %r12, %r9               /* Kernel length decrement */
        jnz     1b                      /* Kernel length not zero? */
        /* Restore PAT register */
-        push    %rdx                    /* Save original PAT value */
        movl    $MSR_IA32_CR_PAT, %ecx
        rdmsr
-        pop     %rdx                    /* Restore original PAT value */
+        mov     %r15, %rdx              /* Restore original PAT value */
        wrmsr
+        pop     %r12
+        pop     %r15
        ret
 .L__enc_copy_end:
 ENDPROC(__enc_copy)
diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
index 43d4a4a29037..ce38f165489b 100644
--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -149,7 +149,7 @@ pgd_t __pti_set_user_pgd(pgd_t *pgdp, pgd_t pgd)
 *
 * Returns a pointer to a P4D on success, or NULL on failure.
 */
-static p4d_t *pti_user_pagetable_walk_p4d(unsigned long address)
+static __init p4d_t *pti_user_pagetable_walk_p4d(unsigned long address)
 {
        pgd_t *pgd = kernel_to_user_pgdp(pgd_offset_k(address));
        gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
@@ -164,12 +164,7 @@ static p4d_t *pti_user_pagetable_walk_p4d(unsigned long address)
                if (!new_p4d_page)
                        return NULL;
-                if (pgd_none(*pgd)) {
+                set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(new_p4d_page)));
-                        set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(new_p4d_page)));
-                        new_p4d_page = 0;
-                }
-                if (new_p4d_page)
-                        free_page(new_p4d_page);
        }
        BUILD_BUG_ON(pgd_large(*pgd) != 0);
@@ -182,7 +177,7 @@ static p4d_t *pti_user_pagetable_walk_p4d(unsigned long address)
 *
 * Returns a pointer to a PMD on success, or NULL on failure.
 */
-static pmd_t *pti_user_pagetable_walk_pmd(unsigned long address)
+static __init pmd_t *pti_user_pagetable_walk_pmd(unsigned long address)
 {
        gfp_t gfp = (GFP_KERNEL | __GFP_NOTRACK | __GFP_ZERO);
        p4d_t *p4d = pti_user_pagetable_walk_p4d(address);
@@ -194,12 +189,7 @@ static pmd_t *pti_user_pagetable_walk_pmd(unsigned long address)
                if (!new_pud_page)
                        return NULL;
-                if (p4d_none(*p4d)) {
+                set_p4d(p4d, __p4d(_KERNPG_TABLE | __pa(new_pud_page)));
-                        set_p4d(p4d, __p4d(_KERNPG_TABLE | __pa(new_pud_page)));
-                        new_pud_page = 0;
-                }
-                if (new_pud_page)
-                        free_page(new_pud_page);
        }
        pud = pud_offset(p4d, address);
@@ -213,12 +203,7 @@ static pmd_t *pti_user_pagetable_walk_pmd(unsigned long address)
                if (!new_pmd_page)
                        return NULL;
-                if (pud_none(*pud)) {
+                set_pud(pud, __pud(_KERNPG_TABLE | __pa(new_pmd_page)));
-                        set_pud(pud, __pud(_KERNPG_TABLE | __pa(new_pmd_page)));
-                        new_pmd_page = 0;
-                }
-                if (new_pmd_page)
-                        free_page(new_pmd_page);
        }
        return pmd_offset(pud, address);
@@ -251,12 +236,7 @@ static __init pte_t *pti_user_pagetable_walk_pte(unsigned long address)
                if (!new_pte_page)
                        return NULL;
-                if (pmd_none(*pmd)) {
+                set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(new_pte_page)));
-                        set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(new_pte_page)));
-                        new_pte_page = 0;
-                }
-                if (new_pte_page)
-                        free_page(new_pte_page);
        }
        pte = pte_offset_kernel(pmd, address);
diff --git a/arch/x86/pci/common.c b/arch/x86/pci/common.c
index 7a5350d08cef..563049c483a1 100644
--- a/arch/x86/pci/common.c
+++ b/arch/x86/pci/common.c
@@ -594,6 +594,11 @@ char *__init pcibios_setup(char *str)
        } else if (!strcmp(str, "nocrs")) {
                pci_probe |= PCI_ROOT_NO_CRS;
                return NULL;
+#ifdef CONFIG_PHYS_ADDR_T_64BIT
+        } else if (!strcmp(str, "big_root_window")) {
+                pci_probe |= PCI_BIG_ROOT_WINDOW;
+                return NULL;
+#endif
        } else if (!strcmp(str, "earlydump")) {
                pci_early_dump_regs = 1;
                return NULL;
diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
index e663d6bf1328..54ef19e90705 100644
--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -662,10 +662,14 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x2033, quirk_no_aersid);
 */
 static void pci_amd_enable_64bit_bar(struct pci_dev *dev)
 {
-        unsigned i;
+        static const char *name = "PCI Bus 0000:00";
-        u32 base, limit, high;
        struct resource *res, *conflict;
+        u32 base, limit, high;
        struct pci_dev *other;
+        unsigned i;
+        if (!(pci_probe & PCI_BIG_ROOT_WINDOW))
+                return;
        /* Check that we are the only device of that type */
        other = pci_get_device(dev->vendor, dev->device, NULL);
@@ -699,22 +703,30 @@ static void pci_amd_enable_64bit_bar(struct pci_dev *dev)
        if (!res)
                return;
-        res->name = "PCI Bus 0000:00";
+        /*
+         * Allocate a 256GB window directly below the 0xfd00000000 hardware
+         * limit (see AMD Family 15h Models 30h-3Fh BKDG, sec 2.4.6).
+         */
+        res->name = name;
        res->flags = IORESOURCE_PREFETCH | IORESOURCE_MEM |
                IORESOURCE_MEM_64 | IORESOURCE_WINDOW;
-        res->start = 0x100000000ull;
+        res->start = 0xbd00000000ull;
        res->end = 0xfd00000000ull - 1;
-        /* Just grab the free area behind system memory for this */
+        conflict = request_resource_conflict(&iomem_resource, res);
-        while ((conflict = request_resource_conflict(&iomem_resource, res))) {
+        if (conflict) {
-                if (conflict->end >= res->end) {
+                kfree(res);
-                        kfree(res);
+                if (conflict->name != name)
                        return;
-                }
-                res->start = conflict->end + 1;
-        }
-        dev_info(&dev->dev, "adding root bus resource %pR\n", res);
+                /* We are resuming from suspend; just reenable the window */
+                res = conflict;
+        } else {
+                dev_info(&dev->dev, "adding root bus resource %pR (tainting kernel)\n",
+                         res);
+                add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
+                pci_bus_add_resource(dev->bus, res, 0);
+        }
        base = ((res->start >> 8) & AMD_141b_MMIO_BASE_MMIOBASE_MASK) |
                AMD_141b_MMIO_BASE_RE_MASK | AMD_141b_MMIO_BASE_WE_MASK;
@@ -726,13 +738,16 @@ static void pci_amd_enable_64bit_bar(struct pci_dev *dev)
        pci_write_config_dword(dev, AMD_141b_MMIO_HIGH(i), high);
        pci_write_config_dword(dev, AMD_141b_MMIO_LIMIT(i), limit);
        pci_write_config_dword(dev, AMD_141b_MMIO_BASE(i), base);
-        pci_bus_add_resource(dev->bus, res, 0);
 }
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x1401, pci_amd_enable_64bit_bar);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x141b, pci_amd_enable_64bit_bar);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar);
 DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar);
+DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1401, pci_amd_enable_64bit_bar);
+DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x141b, pci_amd_enable_64bit_bar);
+DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar);
+DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar);
+DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar);
 #endif
diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
index d87ac96e37ed..2dd15e967c3f 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -135,7 +135,9 @@ pgd_t * __init efi_call_phys_prolog(void)
                                pud[j] = *pud_offset(p4d_k, vaddr);
                        }
                }
+                pgd_offset_k(pgd * PGDIR_SIZE)->pgd &= ~_PAGE_NX;
        }
 out:
        __flush_tlb_all();
diff --git a/arch/x86/platform/intel-mid/device_libs/platform_bt.c b/arch/x86/platform/intel-mid/device_libs/platform_bt.c
index dc036e511f48..5a0483e7bf66 100644
--- a/arch/x86/platform/intel-mid/device_libs/platform_bt.c
+++ b/arch/x86/platform/intel-mid/device_libs/platform_bt.c
@@ -60,7 +60,7 @@ static int __init tng_bt_sfi_setup(struct bt_sfi_data *ddata)
        return 0;
 }
-static const struct bt_sfi_data tng_bt_sfi_data __initdata = {
+static struct bt_sfi_data tng_bt_sfi_data __initdata = {
        .setup  = tng_bt_sfi_setup,
 };
diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
index 4d62c071b166..d85076223a69 100644
--- a/arch/x86/xen/mmu_pv.c
+++ b/arch/x86/xen/mmu_pv.c
@@ -1325,20 +1325,18 @@ static void xen_flush_tlb_others(const struct cpumask *cpus,
 {
        struct {
                struct mmuext_op op;
-#ifdef CONFIG_SMP
-                DECLARE_BITMAP(mask, num_processors);
-#else
                DECLARE_BITMAP(mask, NR_CPUS);
-#endif
        } *args;
        struct multicall_space mcs;
+        const size_t mc_entry_size = sizeof(args->op) +
+                sizeof(args->mask[0]) * BITS_TO_LONGS(num_possible_cpus());
        trace_xen_mmu_flush_tlb_others(cpus, info->mm, info->start, info->end);
        if (cpumask_empty(cpus))
                return;         /* nothing to do */
-        mcs = xen_mc_entry(sizeof(*args));
+        mcs = xen_mc_entry(mc_entry_size);
        args = mcs.args;
        args->op.arg2.vcpumask = to_cpumask(args->mask);
diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
index 75011b80660f..3b34745d0a52 100644
--- a/arch/x86/xen/xen-ops.h
+++ b/arch/x86/xen/xen-ops.h
@@ -72,7 +72,7 @@ u64 xen_clocksource_read(void);
 void xen_setup_cpu_clockevents(void);
 void xen_save_time_memory_area(void);
 void xen_restore_time_memory_area(void);
-void __init xen_init_time_ops(void);
+void __ref xen_init_time_ops(void);
 void __init xen_hvm_init_time_ops(void);
 irqreturn_t xen_debug_interrupt(int irq, void *dev_id);
diff --git a/block/blk-core.c b/block/blk-core.c
index b8881750a3ac..3ba4326a63b5 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -562,6 +562,13 @@ static void __blk_drain_queue(struct request_queue *q, bool drain_all)
        }
 }
+void blk_drain_queue(struct request_queue *q)
+{
+        spin_lock_irq(q->queue_lock);
+        __blk_drain_queue(q, true);
+        spin_unlock_irq(q->queue_lock);
+}
 /**
 * blk_queue_bypass_start - enter queue bypass mode
 * @q: queue of interest
@@ -689,8 +696,6 @@ void blk_cleanup_queue(struct request_queue *q)
         */
        blk_freeze_queue(q);
        spin_lock_irq(lock);
-        if (!q->mq_ops)
-                __blk_drain_queue(q, true);
        queue_flag_set(QUEUE_FLAG_DEAD, q);
        spin_unlock_irq(lock);
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 11097477eeab..3d3797327491 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -161,6 +161,8 @@ void blk_freeze_queue(struct request_queue *q)
         * exported to drivers as the only user for unfreeze is blk_mq.
         */
        blk_freeze_queue_start(q);
+        if (!q->mq_ops)
+                blk_drain_queue(q);
        blk_mq_freeze_queue_wait(q);
 }
diff --git a/block/blk.h b/block/blk.h
index 3f1446937aec..442098aa9463 100644
--- a/block/blk.h
+++ b/block/blk.h
@@ -330,4 +330,6 @@ static inline void blk_queue_bounce(struct request_queue *q, struct bio **bio)
 }
 #endif /* CONFIG_BOUNCE */
+extern void blk_drain_queue(struct request_queue *q);
 #endif /* BLK_INTERNAL_H */
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 60d7366ed343..9a636f961572 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -167,6 +167,18 @@ void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
                        spawn->alg = NULL;
                        spawns = &inst->alg.cra_users;
+                        /*
+                         * We may encounter an unregistered instance here, since
+                         * an instance's spawns are set up prior to the instance
+                         * being registered.  An unregistered instance will have
+                         * NULL ->cra_users.next, since ->cra_users isn't
+                         * properly initialized until registration.  But an
+                         * unregistered instance cannot have any users, so treat
+                         * it the same as ->cra_users being empty.
+                         */
+                        if (spawns->next == NULL)
+                                break;
                }
        } while ((spawns = crypto_more_spawns(alg, &stack, &top,
                                              &secondary_spawns)));
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 8193b38a1cae..3c09122bf038 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4449,6 +4449,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
         * https://bugzilla.kernel.org/show_bug.cgi?id=121671
         */
        { "LITEON CX1-JB*-HP",  NULL,           ATA_HORKAGE_MAX_SEC_1024 },
+        { "LITEON EP1-*",       NULL,           ATA_HORKAGE_MAX_SEC_1024 },
        /* Devices we expect to fail diagnostics */
diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
index bdc87907d6a1..2415ad9f6dd4 100644
--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
@@ -236,6 +236,9 @@ config GENERIC_CPU_DEVICES
 config GENERIC_CPU_AUTOPROBE
        bool
+config GENERIC_CPU_VULNERABILITIES
+        bool
 config SOC_BUS
        bool
        select GLOB
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
index 58a9b608d821..d99038487a0d 100644
--- a/drivers/base/cpu.c
+++ b/drivers/base/cpu.c
@@ -511,10 +511,58 @@ static void __init cpu_dev_register_generic(void)
 #endif
 }
+#ifdef CONFIG_GENERIC_CPU_VULNERABILITIES
+ssize_t __weak cpu_show_meltdown(struct device *dev,
+                                 struct device_attribute *attr, char *buf)
+{
+        return sprintf(buf, "Not affected\n");
+}
+ssize_t __weak cpu_show_spectre_v1(struct device *dev,
+                                   struct device_attribute *attr, char *buf)
+{
+        return sprintf(buf, "Not affected\n");
+}
+ssize_t __weak cpu_show_spectre_v2(struct device *dev,
+                                   struct device_attribute *attr, char *buf)
+{
+        return sprintf(buf, "Not affected\n");
+}
+static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
+static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
+static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+        &dev_attr_meltdown.attr,
+        &dev_attr_spectre_v1.attr,
+        &dev_attr_spectre_v2.attr,
+        NULL
+};
+static const struct attribute_group cpu_root_vulnerabilities_group = {
+        .name  = "vulnerabilities",
+        .attrs = cpu_root_vulnerabilities_attrs,
+};
+static void __init cpu_register_vulnerabilities(void)
+{
+        if (sysfs_create_group(&cpu_subsys.dev_root->kobj,
+                               &cpu_root_vulnerabilities_group))
+                pr_err("Unable to register CPU vulnerabilities\n");
+}
+#else
+static inline void cpu_register_vulnerabilities(void) { }
+#endif
 void __init cpu_dev_init(void)
 {
        if (subsys_system_register(&cpu_subsys, cpu_root_attr_groups))
                panic("Failed to register CPU subsystem");
        cpu_dev_register_generic();
+        cpu_register_vulnerabilities();
 }
diff --git a/drivers/bcma/Kconfig b/drivers/bcma/Kconfig
index 02d78f6cecbb..ba8acca036df 100644
--- a/drivers/bcma/Kconfig
+++ b/drivers/bcma/Kconfig
@@ -55,7 +55,7 @@ config BCMA_DRIVER_PCI
 config BCMA_DRIVER_PCI_HOSTMODE
        bool "Driver for PCI core working in hostmode"
-        depends on MIPS && BCMA_DRIVER_PCI
+        depends on MIPS && BCMA_DRIVER_PCI && PCI_DRIVERS_LEGACY
        help
          PCI core hostmode operation (external PCI bus).
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index bc8e61506968..d5fe720cf149 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1581,9 +1581,8 @@ out:
        return err;
 }
-static void lo_release(struct gendisk *disk, fmode_t mode)
+static void __lo_release(struct loop_device *lo)
 {
-        struct loop_device *lo = disk->private_data;
        int err;
        if (atomic_dec_return(&lo->lo_refcnt))
@@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
        mutex_unlock(&lo->lo_ctl_mutex);
 }
+static void lo_release(struct gendisk *disk, fmode_t mode)
+{
+        mutex_lock(&loop_index_mutex);
+        __lo_release(disk->private_data);
+        mutex_unlock(&loop_index_mutex);
+}
 static const struct block_device_operations lo_fops = {
        .owner =        THIS_MODULE,
        .open =         lo_open,
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 38fc5f397fde..cc93522a6d41 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -3047,13 +3047,21 @@ static void format_lock_cookie(struct rbd_device *rbd_dev, char *buf)
        mutex_unlock(&rbd_dev->watch_mutex);
 }
+static void __rbd_lock(struct rbd_device *rbd_dev, const char *cookie)
+{
+        struct rbd_client_id cid = rbd_get_cid(rbd_dev);
+        strcpy(rbd_dev->lock_cookie, cookie);
+        rbd_set_owner_cid(rbd_dev, &cid);
+        queue_work(rbd_dev->task_wq, &rbd_dev->acquired_lock_work);
+}
 /*
 * lock_rwsem must be held for write
 */
 static int rbd_lock(struct rbd_device *rbd_dev)
 {
        struct ceph_osd_client *osdc = &rbd_dev->rbd_client->client->osdc;
-        struct rbd_client_id cid = rbd_get_cid(rbd_dev);
        char cookie[32];
        int ret;
@@ -3068,9 +3076,7 @@ static int rbd_lock(struct rbd_device *rbd_dev)
                return ret;
        rbd_dev->lock_state = RBD_LOCK_STATE_LOCKED;
-        strcpy(rbd_dev->lock_cookie, cookie);
+        __rbd_lock(rbd_dev, cookie);
-        rbd_set_owner_cid(rbd_dev, &cid);
-        queue_work(rbd_dev->task_wq, &rbd_dev->acquired_lock_work);
        return 0;
 }
@@ -3856,7 +3862,7 @@ static void rbd_reacquire_lock(struct rbd_device *rbd_dev)
                        queue_delayed_work(rbd_dev->task_wq,
                                           &rbd_dev->lock_dwork, 0);
        } else {
-                strcpy(rbd_dev->lock_cookie, cookie);
+                __rbd_lock(rbd_dev, cookie);
        }
 }
@@ -4381,7 +4387,7 @@ static int rbd_init_disk(struct rbd_device *rbd_dev)
        segment_size = rbd_obj_bytes(&rbd_dev->header);
        blk_queue_max_hw_sectors(q, segment_size / SECTOR_SIZE);
        q->limits.max_sectors = queue_max_hw_sectors(q);
-        blk_queue_max_segments(q, segment_size / SECTOR_SIZE);
+        blk_queue_max_segments(q, USHRT_MAX);
        blk_queue_max_segment_size(q, segment_size);
        blk_queue_io_min(q, segment_size);
        blk_queue_io_opt(q, segment_size);
diff --git a/drivers/gpio/gpio-mmio.c b/drivers/gpio/gpio-mmio.c
index f9042bcc27a4..7b14d6280e44 100644
--- a/drivers/gpio/gpio-mmio.c
+++ b/drivers/gpio/gpio-mmio.c
@@ -152,14 +152,13 @@ static int bgpio_get_set_multiple(struct gpio_chip *gc, unsigned long *mask,
 {
        unsigned long get_mask = 0;
        unsigned long set_mask = 0;
-        int bit = 0;
-        while ((bit = find_next_bit(mask, gc->ngpio, bit)) != gc->ngpio) {
+        /* Make sure we first clear any bits that are zero when we read the register */
-                if (gc->bgpio_dir & BIT(bit))
+        *bits &= ~*mask;
-                        set_mask |= BIT(bit);
-                else
+        /* Exploit the fact that we know which directions are set */
-                        get_mask |= BIT(bit);
+        set_mask = *mask & gc->bgpio_dir;
-        }
+        get_mask = *mask & ~gc->bgpio_dir;
        if (set_mask)
                *bits |= gc->read_reg(gc->reg_set) & set_mask;
@@ -176,13 +175,13 @@ static int bgpio_get(struct gpio_chip *gc, unsigned int gpio)
 /*
 * This only works if the bits in the GPIO register are in native endianness.
- * It is dirt simple and fast in this case. (Also the most common case.)
 */
 static int bgpio_get_multiple(struct gpio_chip *gc, unsigned long *mask,
                              unsigned long *bits)
 {
+        /* Make sure we first clear any bits that are zero when we read the register */
-        *bits = gc->read_reg(gc->reg_dat) & *mask;
+        *bits &= ~*mask;
+        *bits |= gc->read_reg(gc->reg_dat) & *mask;
        return 0;
 }
@@ -196,9 +195,12 @@ static int bgpio_get_multiple_be(struct gpio_chip *gc, unsigned long *mask,
        unsigned long val;
        int bit;
+        /* Make sure we first clear any bits that are zero when we read the register */
+        *bits &= ~*mask;
        /* Create a mirrored mask */
-        bit = 0;
+        bit = -1;
-        while ((bit = find_next_bit(mask, gc->ngpio, bit)) != gc->ngpio)
+        while ((bit = find_next_bit(mask, gc->ngpio, bit + 1)) < gc->ngpio)
                readmask |= bgpio_line2mask(gc, bit);
        /* Read the register */
@@ -208,8 +210,8 @@ static int bgpio_get_multiple_be(struct gpio_chip *gc, unsigned long *mask,
         * Mirror the result into the "bits" result, this will give line 0
         * in bit 0 ... line 31 in bit 31 for a 32bit register.
         */
-        bit = 0;
+        bit = -1;
-        while ((bit = find_next_bit(&val, gc->ngpio, bit)) != gc->ngpio)
+        while ((bit = find_next_bit(&val, gc->ngpio, bit + 1)) < gc->ngpio)
                *bits |= bgpio_line2mask(gc, bit);
        return 0;
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 44332b793718..14532d9576e4 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -2893,6 +2893,27 @@ void gpiod_set_raw_value(struct gpio_desc *desc, int value)
 EXPORT_SYMBOL_GPL(gpiod_set_raw_value);
 /**
+ * gpiod_set_value_nocheck() - set a GPIO line value without checking
+ * @desc: the descriptor to set the value on
+ * @value: value to set
+ *
+ * This sets the value of a GPIO line backing a descriptor, applying
+ * different semantic quirks like active low and open drain/source
+ * handling.
+ */
+static void gpiod_set_value_nocheck(struct gpio_desc *desc, int value)
+{
+        if (test_bit(FLAG_ACTIVE_LOW, &desc->flags))
+                value = !value;
+        if (test_bit(FLAG_OPEN_DRAIN, &desc->flags))
+                gpio_set_open_drain_value_commit(desc, value);
+        else if (test_bit(FLAG_OPEN_SOURCE, &desc->flags))
+                gpio_set_open_source_value_commit(desc, value);
+        else
+                gpiod_set_raw_value_commit(desc, value);
+}
+/**
 * gpiod_set_value() - assign a gpio's value
 * @desc: gpio whose value will be assigned
 * @value: value to assign
@@ -2906,16 +2927,8 @@ EXPORT_SYMBOL_GPL(gpiod_set_raw_value);
 void gpiod_set_value(struct gpio_desc *desc, int value)
 {
        VALIDATE_DESC_VOID(desc);
-        /* Should be using gpiod_set_value_cansleep() */
        WARN_ON(desc->gdev->chip->can_sleep);
-        if (test_bit(FLAG_ACTIVE_LOW, &desc->flags))
+        gpiod_set_value_nocheck(desc, value);
-                value = !value;
-        if (test_bit(FLAG_OPEN_DRAIN, &desc->flags))
-                gpio_set_open_drain_value_commit(desc, value);
-        else if (test_bit(FLAG_OPEN_SOURCE, &desc->flags))
-                gpio_set_open_source_value_commit(desc, value);
-        else
-                gpiod_set_raw_value_commit(desc, value);
 }
 EXPORT_SYMBOL_GPL(gpiod_set_value);
@@ -3243,9 +3256,7 @@ void gpiod_set_value_cansleep(struct gpio_desc *desc, int value)
 {
        might_sleep_if(extra_checks);
        VALIDATE_DESC_VOID(desc);
-        if (test_bit(FLAG_ACTIVE_LOW, &desc->flags))
+        gpiod_set_value_nocheck(desc, value);
-                value = !value;
-        gpiod_set_raw_value_commit(desc, value);
 }
 EXPORT_SYMBOL_GPL(gpiod_set_value_cansleep);
diff --git a/drivers/gpu/drm/i915/gvt/cmd_parser.c b/drivers/gpu/drm/i915/gvt/cmd_parser.c
index 85d4c57870fb..49af94627c8a 100644
--- a/drivers/gpu/drm/i915/gvt/cmd_parser.c
+++ b/drivers/gpu/drm/i915/gvt/cmd_parser.c
@@ -2777,12 +2777,12 @@ int intel_gvt_scan_and_shadow_wa_ctx(struct intel_shadow_wa_ctx *wa_ctx)
 }
 static struct cmd_info *find_cmd_entry_any_ring(struct intel_gvt *gvt,
-                unsigned int opcode, int rings)
+                unsigned int opcode, unsigned long rings)
 {
        struct cmd_info *info = NULL;
        unsigned int ring;
-        for_each_set_bit(ring, (unsigned long *)&rings, I915_NUM_ENGINES) {
+        for_each_set_bit(ring, &rings, I915_NUM_ENGINES) {
                info = find_cmd_entry(gvt, opcode, ring);
                if (info)
                        break;
diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
index 8e331142badb..64d67ff9bf08 100644
--- a/drivers/gpu/drm/i915/gvt/gtt.c
+++ b/drivers/gpu/drm/i915/gvt/gtt.c
@@ -1359,12 +1359,15 @@ static int ppgtt_handle_guest_write_page_table_bytes(void *gp,
                        return ret;
        } else {
                if (!test_bit(index, spt->post_shadow_bitmap)) {
+                        int type = spt->shadow_page.type;
                        ppgtt_get_shadow_entry(spt, &se, index);
                        ret = ppgtt_handle_guest_entry_removal(gpt, &se, index);
                        if (ret)
                                return ret;
+                        ops->set_pfn(&se, vgpu->gtt.scratch_pt[type].page_mfn);
+                        ppgtt_set_shadow_entry(spt, &se, index);
                }
                ppgtt_set_post_shadow(spt, index);
        }
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 18de6569d04a..5cfba89ed586 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -467,7 +467,7 @@ static void __fence_set_priority(struct dma_fence *fence, int prio)
        struct drm_i915_gem_request *rq;
        struct intel_engine_cs *engine;
-        if (!dma_fence_is_i915(fence))
+        if (dma_fence_is_signaled(fence) || !dma_fence_is_i915(fence))
                return;
        rq = to_request(fence);
diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
index 333f40bc03bb..7923dfd9963c 100644
--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -7027,6 +7027,8 @@ enum {
 #define GEN9_SLICE_COMMON_ECO_CHICKEN0          _MMIO(0x7308)
 #define  DISABLE_PIXEL_MASK_CAMMING             (1<<14)
+#define GEN9_SLICE_COMMON_ECO_CHICKEN1          _MMIO(0x731c)
 #define GEN7_L3SQCREG1                          _MMIO(0xB010)
 #define  VLV_B0_WA_L3SQCREG1_VALUE              0x00D30000
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 123585eeb87d..50f8443641b8 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -1211,23 +1211,6 @@ void assert_panel_unlocked(struct drm_i915_private *dev_priv, enum pipe pipe)
             pipe_name(pipe));
 }
-static void assert_cursor(struct drm_i915_private *dev_priv,
-                          enum pipe pipe, bool state)
-{
-        bool cur_state;
-        if (IS_I845G(dev_priv) || IS_I865G(dev_priv))
-                cur_state = I915_READ(CURCNTR(PIPE_A)) & CURSOR_ENABLE;
-        else
-                cur_state = I915_READ(CURCNTR(pipe)) & CURSOR_MODE;
-        I915_STATE_WARN(cur_state != state,
-             "cursor on pipe %c assertion failure (expected %s, current %s)\n",
-                        pipe_name(pipe), onoff(state), onoff(cur_state));
-}
-#define assert_cursor_enabled(d, p) assert_cursor(d, p, true)
-#define assert_cursor_disabled(d, p) assert_cursor(d, p, false)
 void assert_pipe(struct drm_i915_private *dev_priv,
                 enum pipe pipe, bool state)
 {
@@ -1255,77 +1238,25 @@ void assert_pipe(struct drm_i915_private *dev_priv,
                        pipe_name(pipe), onoff(state), onoff(cur_state));
 }
-static void assert_plane(struct drm_i915_private *dev_priv,
+static void assert_plane(struct intel_plane *plane, bool state)
-                         enum plane plane, bool state)
 {
-        u32 val;
+        bool cur_state = plane->get_hw_state(plane);
-        bool cur_state;
-        val = I915_READ(DSPCNTR(plane));
-        cur_state = !!(val & DISPLAY_PLANE_ENABLE);
        I915_STATE_WARN(cur_state != state,
-             "plane %c assertion failure (expected %s, current %s)\n",
+                        "%s assertion failure (expected %s, current %s)\n",
-                        plane_name(plane), onoff(state), onoff(cur_state));
+                        plane->base.name, onoff(state), onoff(cur_state));
 }
-#define assert_plane_enabled(d, p) assert_plane(d, p, true)
+#define assert_plane_enabled(p) assert_plane(p, true)
-#define assert_plane_disabled(d, p) assert_plane(d, p, false)
+#define assert_plane_disabled(p) assert_plane(p, false)
-static void assert_planes_disabled(struct drm_i915_private *dev_priv,
-                                   enum pipe pipe)
-{
-        int i;
-        /* Primary planes are fixed to pipes on gen4+ */
-        if (INTEL_GEN(dev_priv) >= 4) {
-                u32 val = I915_READ(DSPCNTR(pipe));
-                I915_STATE_WARN(val & DISPLAY_PLANE_ENABLE,
-                     "plane %c assertion failure, should be disabled but not\n",
-                     plane_name(pipe));
-                return;
-        }
-        /* Need to check both planes against the pipe */
+static void assert_planes_disabled(struct intel_crtc *crtc)
-        for_each_pipe(dev_priv, i) {
-                u32 val = I915_READ(DSPCNTR(i));
-                enum pipe cur_pipe = (val & DISPPLANE_SEL_PIPE_MASK) >>
-                        DISPPLANE_SEL_PIPE_SHIFT;
-                I915_STATE_WARN((val & DISPLAY_PLANE_ENABLE) && pipe == cur_pipe,
-                     "plane %c assertion failure, should be off on pipe %c but is still active\n",
-                     plane_name(i), pipe_name(pipe));
-        }
-}
-static void assert_sprites_disabled(struct drm_i915_private *dev_priv,
-                                    enum pipe pipe)
 {
-        int sprite;
+        struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
+        struct intel_plane *plane;
-        if (INTEL_GEN(dev_priv) >= 9) {
+        for_each_intel_plane_on_crtc(&dev_priv->drm, crtc, plane)
-                for_each_sprite(dev_priv, pipe, sprite) {
+                assert_plane_disabled(plane);
-                        u32 val = I915_READ(PLANE_CTL(pipe, sprite));
-                        I915_STATE_WARN(val & PLANE_CTL_ENABLE,
-                             "plane %d assertion failure, should be off on pipe %c but is still active\n",
-                             sprite, pipe_name(pipe));
-                }
-        } else if (IS_VALLEYVIEW(dev_priv) || IS_CHERRYVIEW(dev_priv)) {
-                for_each_sprite(dev_priv, pipe, sprite) {
-                        u32 val = I915_READ(SPCNTR(pipe, PLANE_SPRITE0 + sprite));
-                        I915_STATE_WARN(val & SP_ENABLE,
-                             "sprite %c assertion failure, should be off on pipe %c but is still active\n",
-                             sprite_name(pipe, sprite), pipe_name(pipe));
-                }
-        } else if (INTEL_GEN(dev_priv) >= 7) {
-                u32 val = I915_READ(SPRCTL(pipe));
-                I915_STATE_WARN(val & SPRITE_ENABLE,
-                     "sprite %c assertion failure, should be off on pipe %c but is still active\n",
-                     plane_name(pipe), pipe_name(pipe));
-        } else if (INTEL_GEN(dev_priv) >= 5 || IS_G4X(dev_priv)) {
-                u32 val = I915_READ(DVSCNTR(pipe));
-                I915_STATE_WARN(val & DVS_ENABLE,
-                     "sprite %c assertion failure, should be off on pipe %c but is still active\n",
-                     plane_name(pipe), pipe_name(pipe));
-        }
 }
 static void assert_vblank_disabled(struct drm_crtc *crtc)
@@ -1918,9 +1849,7 @@ static void intel_enable_pipe(struct intel_crtc *crtc)
        DRM_DEBUG_KMS("enabling pipe %c\n", pipe_name(pipe));
-        assert_planes_disabled(dev_priv, pipe);
+        assert_planes_disabled(crtc);
-        assert_cursor_disabled(dev_priv, pipe);
-        assert_sprites_disabled(dev_priv, pipe);
        /*
         * A pipe without a PLL won't actually be able to drive bits from
@@ -1989,9 +1918,7 @@ static void intel_disable_pipe(struct intel_crtc *crtc)
         * Make sure planes won't keep trying to pump pixels to us,
         * or we might hang the display.
         */
-        assert_planes_disabled(dev_priv, pipe);
+        assert_planes_disabled(crtc);
-        assert_cursor_disabled(dev_priv, pipe);
-        assert_sprites_disabled(dev_priv, pipe);
        reg = PIPECONF(cpu_transcoder);
        val = I915_READ(reg);
@@ -2820,6 +2747,23 @@ intel_set_plane_visible(struct intel_crtc_state *crtc_state,
                      crtc_state->active_planes);
 }
+static void intel_plane_disable_noatomic(struct intel_crtc *crtc,
+                                         struct intel_plane *plane)
+{
+        struct intel_crtc_state *crtc_state =
+                to_intel_crtc_state(crtc->base.state);
+        struct intel_plane_state *plane_state =
+                to_intel_plane_state(plane->base.state);
+        intel_set_plane_visible(crtc_state, plane_state, false);
+        if (plane->id == PLANE_PRIMARY)
+                intel_pre_disable_primary_noatomic(&crtc->base);
+        trace_intel_disable_plane(&plane->base, crtc);
+        plane->disable_plane(plane, crtc);
+}
 static void
 intel_find_initial_plane_obj(struct intel_crtc *intel_crtc,
                             struct intel_initial_plane_config *plane_config)
@@ -2877,12 +2821,7 @@ intel_find_initial_plane_obj(struct intel_crtc *intel_crtc,
         * simplest solution is to just disable the primary plane now and
         * pretend the BIOS never had it enabled.
         */
-        intel_set_plane_visible(to_intel_crtc_state(crtc_state),
+        intel_plane_disable_noatomic(intel_crtc, intel_plane);
-                                to_intel_plane_state(plane_state),
-                                false);
-        intel_pre_disable_primary_noatomic(&intel_crtc->base);
-        trace_intel_disable_plane(primary, intel_crtc);
-        intel_plane->disable_plane(intel_plane, intel_crtc);
        return;
@@ -3385,6 +3324,31 @@ static void i9xx_disable_primary_plane(struct intel_plane *primary,
        spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
 }
+static bool i9xx_plane_get_hw_state(struct intel_plane *primary)
+{
+        struct drm_i915_private *dev_priv = to_i915(primary->base.dev);
+        enum intel_display_power_domain power_domain;
+        enum plane plane = primary->plane;
+        enum pipe pipe = primary->pipe;
+        bool ret;
+        /*
+         * Not 100% correct for planes that can move between pipes,
+         * but that's only the case for gen2-4 which don't have any
+         * display power wells.
+         */
+        power_domain = POWER_DOMAIN_PIPE(pipe);
+        if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
+                return false;
+        ret = I915_READ(DSPCNTR(plane)) & DISPLAY_PLANE_ENABLE;
+        intel_display_power_put(dev_priv, power_domain);
+        return ret;
+}
 static u32
 intel_fb_stride_alignment(const struct drm_framebuffer *fb, int plane)
 {
@@ -4866,7 +4830,8 @@ void hsw_enable_ips(struct intel_crtc *crtc)
         * a vblank wait.
         */
-        assert_plane_enabled(dev_priv, crtc->plane);
+        assert_plane_enabled(to_intel_plane(crtc->base.primary));
        if (IS_BROADWELL(dev_priv)) {
                mutex_lock(&dev_priv->pcu_lock);
                WARN_ON(sandybridge_pcode_write(dev_priv, DISPLAY_IPS_CONTROL,
@@ -4899,7 +4864,8 @@ void hsw_disable_ips(struct intel_crtc *crtc)
        if (!crtc->config->ips_enabled)
                return;
-        assert_plane_enabled(dev_priv, crtc->plane);
+        assert_plane_enabled(to_intel_plane(crtc->base.primary));
        if (IS_BROADWELL(dev_priv)) {
                mutex_lock(&dev_priv->pcu_lock);
                WARN_ON(sandybridge_pcode_write(dev_priv, DISPLAY_IPS_CONTROL, 0));
@@ -5899,6 +5865,7 @@ static void intel_crtc_disable_noatomic(struct drm_crtc *crtc,
        struct intel_crtc *intel_crtc = to_intel_crtc(crtc);
        struct drm_i915_private *dev_priv = to_i915(crtc->dev);
        enum intel_display_power_domain domain;
+        struct intel_plane *plane;
        u64 domains;
        struct drm_atomic_state *state;
        struct intel_crtc_state *crtc_state;
@@ -5907,11 +5874,12 @@ static void intel_crtc_disable_noatomic(struct drm_crtc *crtc,
        if (!intel_crtc->active)
                return;
-        if (crtc->primary->state->visible) {
+        for_each_intel_plane_on_crtc(&dev_priv->drm, intel_crtc, plane) {
-                intel_pre_disable_primary_noatomic(crtc);
+                const struct intel_plane_state *plane_state =
+                        to_intel_plane_state(plane->base.state);
-                intel_crtc_disable_planes(crtc, 1 << drm_plane_index(crtc->primary));
+                if (plane_state->base.visible)
-                crtc->primary->state->visible = false;
+                        intel_plane_disable_noatomic(intel_crtc, plane);
        }
        state = drm_atomic_state_alloc(crtc->dev);
@@ -9477,6 +9445,23 @@ static void i845_disable_cursor(struct intel_plane *plane,
        i845_update_cursor(plane, NULL, NULL);
 }
+static bool i845_cursor_get_hw_state(struct intel_plane *plane)
+{
+        struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
+        enum intel_display_power_domain power_domain;
+        bool ret;
+        power_domain = POWER_DOMAIN_PIPE(PIPE_A);
+        if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
+                return false;
+        ret = I915_READ(CURCNTR(PIPE_A)) & CURSOR_ENABLE;
+        intel_display_power_put(dev_priv, power_domain);
+        return ret;
+}
 static u32 i9xx_cursor_ctl(const struct intel_crtc_state *crtc_state,
                           const struct intel_plane_state *plane_state)
 {
@@ -9670,6 +9655,28 @@ static void i9xx_disable_cursor(struct intel_plane *plane,
        i9xx_update_cursor(plane, NULL, NULL);
 }
+static bool i9xx_cursor_get_hw_state(struct intel_plane *plane)
+{
+        struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
+        enum intel_display_power_domain power_domain;
+        enum pipe pipe = plane->pipe;
+        bool ret;
+        /*
+         * Not 100% correct for planes that can move between pipes,
+         * but that's only the case for gen2-3 which don't have any
+         * display power wells.
+         */
+        power_domain = POWER_DOMAIN_PIPE(pipe);
+        if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
+                return false;
+        ret = I915_READ(CURCNTR(pipe)) & CURSOR_MODE;
+        intel_display_power_put(dev_priv, power_domain);
+        return ret;
+}
 /* VESA 640x480x72Hz mode to set on the pipe */
 static const struct drm_display_mode load_detect_mode = {
@@ -13205,6 +13212,7 @@ intel_primary_plane_create(struct drm_i915_private *dev_priv, enum pipe pipe)
                primary->update_plane = skl_update_plane;
                primary->disable_plane = skl_disable_plane;
+                primary->get_hw_state = skl_plane_get_hw_state;
        } else if (INTEL_GEN(dev_priv) >= 9) {
                intel_primary_formats = skl_primary_formats;
                num_formats = ARRAY_SIZE(skl_primary_formats);
@@ -13215,6 +13223,7 @@ intel_primary_plane_create(struct drm_i915_private *dev_priv, enum pipe pipe)
                primary->update_plane = skl_update_plane;
                primary->disable_plane = skl_disable_plane;
+                primary->get_hw_state = skl_plane_get_hw_state;
        } else if (INTEL_GEN(dev_priv) >= 4) {
                intel_primary_formats = i965_primary_formats;
                num_formats = ARRAY_SIZE(i965_primary_formats);
@@ -13222,6 +13231,7 @@ intel_primary_plane_create(struct drm_i915_private *dev_priv, enum pipe pipe)
                primary->update_plane = i9xx_update_primary_plane;
                primary->disable_plane = i9xx_disable_primary_plane;
+                primary->get_hw_state = i9xx_plane_get_hw_state;
        } else {
                intel_primary_formats = i8xx_primary_formats;
                num_formats = ARRAY_SIZE(i8xx_primary_formats);
@@ -13229,6 +13239,7 @@ intel_primary_plane_create(struct drm_i915_private *dev_priv, enum pipe pipe)
                primary->update_plane = i9xx_update_primary_plane;
                primary->disable_plane = i9xx_disable_primary_plane;
+                primary->get_hw_state = i9xx_plane_get_hw_state;
        }
        if (INTEL_GEN(dev_priv) >= 9)
@@ -13318,10 +13329,12 @@ intel_cursor_plane_create(struct drm_i915_private *dev_priv,
        if (IS_I845G(dev_priv) || IS_I865G(dev_priv)) {
                cursor->update_plane = i845_update_cursor;
                cursor->disable_plane = i845_disable_cursor;
+                cursor->get_hw_state = i845_cursor_get_hw_state;
                cursor->check_plane = i845_check_cursor;
        } else {
                cursor->update_plane = i9xx_update_cursor;
                cursor->disable_plane = i9xx_disable_cursor;
+                cursor->get_hw_state = i9xx_cursor_get_hw_state;
                cursor->check_plane = i9xx_check_cursor;
        }
@@ -14671,8 +14684,11 @@ void i830_disable_pipe(struct drm_i915_private *dev_priv, enum pipe pipe)
        DRM_DEBUG_KMS("disabling pipe %c due to force quirk\n",
                      pipe_name(pipe));
-        assert_plane_disabled(dev_priv, PLANE_A);
+        WARN_ON(I915_READ(DSPCNTR(PLANE_A)) & DISPLAY_PLANE_ENABLE);
-        assert_plane_disabled(dev_priv, PLANE_B);
+        WARN_ON(I915_READ(DSPCNTR(PLANE_B)) & DISPLAY_PLANE_ENABLE);
+        WARN_ON(I915_READ(DSPCNTR(PLANE_C)) & DISPLAY_PLANE_ENABLE);
+        WARN_ON(I915_READ(CURCNTR(PIPE_A)) & CURSOR_MODE);
+        WARN_ON(I915_READ(CURCNTR(PIPE_B)) & CURSOR_MODE);
        I915_WRITE(PIPECONF(pipe), 0);
        POSTING_READ(PIPECONF(pipe));
@@ -14683,22 +14699,36 @@ void i830_disable_pipe(struct drm_i915_private *dev_priv, enum pipe pipe)
        POSTING_READ(DPLL(pipe));
 }
-static bool
+static bool intel_plane_mapping_ok(struct intel_crtc *crtc,
-intel_check_plane_mapping(struct intel_crtc *crtc)
+                                   struct intel_plane *primary)
 {
        struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
-        u32 val;
+        enum plane plane = primary->plane;
+        u32 val = I915_READ(DSPCNTR(plane));
-        if (INTEL_INFO(dev_priv)->num_pipes == 1)
+        return (val & DISPLAY_PLANE_ENABLE) == 0 ||
-                return true;
+                (val & DISPPLANE_SEL_PIPE_MASK) == DISPPLANE_SEL_PIPE(crtc->pipe);
+}
-        val = I915_READ(DSPCNTR(!crtc->plane));
+static void
+intel_sanitize_plane_mapping(struct drm_i915_private *dev_priv)
+{
+        struct intel_crtc *crtc;
-        if ((val & DISPLAY_PLANE_ENABLE) &&
+        if (INTEL_GEN(dev_priv) >= 4)
-            (!!(val & DISPPLANE_SEL_PIPE_MASK) == crtc->pipe))
+                return;
-                return false;
-        return true;
+        for_each_intel_crtc(&dev_priv->drm, crtc) {
+                struct intel_plane *plane =
+                        to_intel_plane(crtc->base.primary);
+                if (intel_plane_mapping_ok(crtc, plane))
+                        continue;
+                DRM_DEBUG_KMS("%s attached to the wrong pipe, disabling plane\n",
+                              plane->base.name);
+                intel_plane_disable_noatomic(crtc, plane);
+        }
 }
 static bool intel_crtc_has_encoders(struct intel_crtc *crtc)
@@ -14754,33 +14784,15 @@ static void intel_sanitize_crtc(struct intel_crtc *crtc,
                /* Disable everything but the primary plane */
                for_each_intel_plane_on_crtc(dev, crtc, plane) {
-                        if (plane->base.type == DRM_PLANE_TYPE_PRIMARY)
+                        const struct intel_plane_state *plane_state =
-                                continue;
+                                to_intel_plane_state(plane->base.state);
-                        trace_intel_disable_plane(&plane->base, crtc);
+                        if (plane_state->base.visible &&
-                        plane->disable_plane(plane, crtc);
+                            plane->base.type != DRM_PLANE_TYPE_PRIMARY)
+                                intel_plane_disable_noatomic(crtc, plane);
                }
        }
-        /* We need to sanitize the plane -> pipe mapping first because this will
-         * disable the crtc (and hence change the state) if it is wrong. Note
-         * that gen4+ has a fixed plane -> pipe mapping.  */
-        if (INTEL_GEN(dev_priv) < 4 && !intel_check_plane_mapping(crtc)) {
-                bool plane;
-                DRM_DEBUG_KMS("[CRTC:%d:%s] wrong plane connection detected!\n",
-                              crtc->base.base.id, crtc->base.name);
-                /* Pipe has the wrong plane attached and the plane is active.
-                 * Temporarily change the plane mapping and disable everything
-                 * ...  */
-                plane = crtc->plane;
-                crtc->base.primary->state->visible = true;
-                crtc->plane = !plane;
-                intel_crtc_disable_noatomic(&crtc->base, ctx);
-                crtc->plane = plane;
-        }
        /* Adjust the state of the output pipe according to whether we
         * have active connectors/encoders. */
        if (crtc->active && !intel_crtc_has_encoders(crtc))
@@ -14885,24 +14897,21 @@ void i915_redisable_vga(struct drm_i915_private *dev_priv)
        intel_display_power_put(dev_priv, POWER_DOMAIN_VGA);
 }
-static bool primary_get_hw_state(struct intel_plane *plane)
-{
-        struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
-        return I915_READ(DSPCNTR(plane->plane)) & DISPLAY_PLANE_ENABLE;
-}
 /* FIXME read out full plane state for all planes */
 static void readout_plane_state(struct intel_crtc *crtc)
 {
-        struct intel_plane *primary = to_intel_plane(crtc->base.primary);
+        struct drm_i915_private *dev_priv = to_i915(crtc->base.dev);
-        bool visible;
+        struct intel_crtc_state *crtc_state =
+                to_intel_crtc_state(crtc->base.state);
+        struct intel_plane *plane;
-        visible = crtc->active && primary_get_hw_state(primary);
+        for_each_intel_plane_on_crtc(&dev_priv->drm, crtc, plane) {
+                struct intel_plane_state *plane_state =
+                        to_intel_plane_state(plane->base.state);
+                bool visible = plane->get_hw_state(plane);
-        intel_set_plane_visible(to_intel_crtc_state(crtc->base.state),
+                intel_set_plane_visible(crtc_state, plane_state, visible);
-                                to_intel_plane_state(primary->base.state),
+        }
-                                visible);
 }
 static void intel_modeset_readout_hw_state(struct drm_device *dev)
@@ -15100,6 +15109,8 @@ intel_modeset_setup_hw_state(struct drm_device *dev,
        /* HW state is read out, now we need to sanitize this mess. */
        get_encoder_power_domains(dev_priv);
+        intel_sanitize_plane_mapping(dev_priv);
        for_each_intel_encoder(dev, encoder) {
                intel_sanitize_encoder(encoder);
        }
diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h
index 6c7f8bca574e..5d77f75a9f9c 100644
--- a/drivers/gpu/drm/i915/intel_drv.h
+++ b/drivers/gpu/drm/i915/intel_drv.h
@@ -862,6 +862,7 @@ struct intel_plane {
                             const struct intel_plane_state *plane_state);
        void (*disable_plane)(struct intel_plane *plane,
                              struct intel_crtc *crtc);
+        bool (*get_hw_state)(struct intel_plane *plane);
        int (*check_plane)(struct intel_plane *plane,
                           struct intel_crtc_state *crtc_state,
                           struct intel_plane_state *state);
@@ -1924,6 +1925,7 @@ void skl_update_plane(struct intel_plane *plane,
                      const struct intel_crtc_state *crtc_state,
                      const struct intel_plane_state *plane_state);
 void skl_disable_plane(struct intel_plane *plane, struct intel_crtc *crtc);
+bool skl_plane_get_hw_state(struct intel_plane *plane);
 /* intel_tv.c */
 void intel_tv_init(struct drm_i915_private *dev_priv);
diff --git a/drivers/gpu/drm/i915/intel_engine_cs.c b/drivers/gpu/drm/i915/intel_engine_cs.c
index ab5bf4e2e28e..6074e04dc99f 100644
--- a/drivers/gpu/drm/i915/intel_engine_cs.c
+++ b/drivers/gpu/drm/i915/intel_engine_cs.c
@@ -1390,6 +1390,11 @@ static int glk_init_workarounds(struct intel_engine_cs *engine)
        if (ret)
                return ret;
+        /* WA #0862: Userspace has to set "Barrier Mode" to avoid hangs. */
+        ret = wa_ring_whitelist_reg(engine, GEN9_SLICE_COMMON_ECO_CHICKEN1);
+        if (ret)
+                return ret;
        /* WaToEnableHwFixForPushConstHWBug:glk */
        WA_SET_BIT_MASKED(COMMON_SLICE_CHICKEN2,
                          GEN8_SBE_DISABLE_REPLAY_BUF_OPTIMIZATION);
diff --git a/drivers/gpu/drm/i915/intel_lrc.c b/drivers/gpu/drm/i915/intel_lrc.c
index d36e25607435..e71a8cd50498 100644
--- a/drivers/gpu/drm/i915/intel_lrc.c
+++ b/drivers/gpu/drm/i915/intel_lrc.c
@@ -974,6 +974,9 @@ static void execlists_schedule(struct drm_i915_gem_request *request, int prio)
        GEM_BUG_ON(prio == I915_PRIORITY_INVALID);
+        if (i915_gem_request_completed(request))
+                return;
        if (prio <= READ_ONCE(request->priotree.priority))
                return;
diff --git a/drivers/gpu/drm/i915/intel_sprite.c b/drivers/gpu/drm/i915/intel_sprite.c
index 4fcf80ca91dd..4a8a5d918a83 100644
--- a/drivers/gpu/drm/i915/intel_sprite.c
+++ b/drivers/gpu/drm/i915/intel_sprite.c
@@ -329,6 +329,26 @@ skl_disable_plane(struct intel_plane *plane, struct intel_crtc *crtc)
        spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
 }
+bool
+skl_plane_get_hw_state(struct intel_plane *plane)
+{
+        struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
+        enum intel_display_power_domain power_domain;
+        enum plane_id plane_id = plane->id;
+        enum pipe pipe = plane->pipe;
+        bool ret;
+        power_domain = POWER_DOMAIN_PIPE(pipe);
+        if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
+                return false;
+        ret = I915_READ(PLANE_CTL(pipe, plane_id)) & PLANE_CTL_ENABLE;
+        intel_display_power_put(dev_priv, power_domain);
+        return ret;
+}
 static void
 chv_update_csc(struct intel_plane *plane, uint32_t format)
 {
@@ -506,6 +526,26 @@ vlv_disable_plane(struct intel_plane *plane, struct intel_crtc *crtc)
        spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
 }
+static bool
+vlv_plane_get_hw_state(struct intel_plane *plane)
+{
+        struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
+        enum intel_display_power_domain power_domain;
+        enum plane_id plane_id = plane->id;
+        enum pipe pipe = plane->pipe;
+        bool ret;
+        power_domain = POWER_DOMAIN_PIPE(pipe);
+        if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
+                return false;
+        ret = I915_READ(SPCNTR(pipe, plane_id)) & SP_ENABLE;
+        intel_display_power_put(dev_priv, power_domain);
+        return ret;
+}
 static u32 ivb_sprite_ctl(const struct intel_crtc_state *crtc_state,
                          const struct intel_plane_state *plane_state)
 {
@@ -646,6 +686,25 @@ ivb_disable_plane(struct intel_plane *plane, struct intel_crtc *crtc)
        spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
 }
+static bool
+ivb_plane_get_hw_state(struct intel_plane *plane)
+{
+        struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
+        enum intel_display_power_domain power_domain;
+        enum pipe pipe = plane->pipe;
+        bool ret;
+        power_domain = POWER_DOMAIN_PIPE(pipe);
+        if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
+                return false;
+        ret =  I915_READ(SPRCTL(pipe)) & SPRITE_ENABLE;
+        intel_display_power_put(dev_priv, power_domain);
+        return ret;
+}
 static u32 g4x_sprite_ctl(const struct intel_crtc_state *crtc_state,
                          const struct intel_plane_state *plane_state)
 {
@@ -777,6 +836,25 @@ g4x_disable_plane(struct intel_plane *plane, struct intel_crtc *crtc)
        spin_unlock_irqrestore(&dev_priv->uncore.lock, irqflags);
 }
+static bool
+g4x_plane_get_hw_state(struct intel_plane *plane)
+{
+        struct drm_i915_private *dev_priv = to_i915(plane->base.dev);
+        enum intel_display_power_domain power_domain;
+        enum pipe pipe = plane->pipe;
+        bool ret;
+        power_domain = POWER_DOMAIN_PIPE(pipe);
+        if (!intel_display_power_get_if_enabled(dev_priv, power_domain))
+                return false;
+        ret = I915_READ(DVSCNTR(pipe)) & DVS_ENABLE;
+        intel_display_power_put(dev_priv, power_domain);
+        return ret;
+}
 static int
 intel_check_sprite_plane(struct intel_plane *plane,
                         struct intel_crtc_state *crtc_state,
@@ -1232,6 +1310,7 @@ intel_sprite_plane_create(struct drm_i915_private *dev_priv,
                intel_plane->update_plane = skl_update_plane;
                intel_plane->disable_plane = skl_disable_plane;
+                intel_plane->get_hw_state = skl_plane_get_hw_state;
                plane_formats = skl_plane_formats;
                num_plane_formats = ARRAY_SIZE(skl_plane_formats);
@@ -1242,6 +1321,7 @@ intel_sprite_plane_create(struct drm_i915_private *dev_priv,
                intel_plane->update_plane = skl_update_plane;
                intel_plane->disable_plane = skl_disable_plane;
+                intel_plane->get_hw_state = skl_plane_get_hw_state;
                plane_formats = skl_plane_formats;
                num_plane_formats = ARRAY_SIZE(skl_plane_formats);
@@ -1252,6 +1332,7 @@ intel_sprite_plane_create(struct drm_i915_private *dev_priv,
                intel_plane->update_plane = vlv_update_plane;
                intel_plane->disable_plane = vlv_disable_plane;
+                intel_plane->get_hw_state = vlv_plane_get_hw_state;
                plane_formats = vlv_plane_formats;
                num_plane_formats = ARRAY_SIZE(vlv_plane_formats);
@@ -1267,6 +1348,7 @@ intel_sprite_plane_create(struct drm_i915_private *dev_priv,
                intel_plane->update_plane = ivb_update_plane;
                intel_plane->disable_plane = ivb_disable_plane;
+                intel_plane->get_hw_state = ivb_plane_get_hw_state;
                plane_formats = snb_plane_formats;
                num_plane_formats = ARRAY_SIZE(snb_plane_formats);
@@ -1277,6 +1359,7 @@ intel_sprite_plane_create(struct drm_i915_private *dev_priv,
                intel_plane->update_plane = g4x_update_plane;
                intel_plane->disable_plane = g4x_disable_plane;
+                intel_plane->get_hw_state = g4x_plane_get_hw_state;
                modifiers = i9xx_plane_format_modifiers;
                if (IS_GEN6(dev_priv)) {
diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/mmu.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/mmu.h
index 0760b93e9d1f..baab93398e54 100644
--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/mmu.h
+++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/mmu.h
@@ -121,6 +121,7 @@ int nv41_mmu_new(struct nvkm_device *, int, struct nvkm_mmu **);
 int nv44_mmu_new(struct nvkm_device *, int, struct nvkm_mmu **);
 int nv50_mmu_new(struct nvkm_device *, int, struct nvkm_mmu **);
 int g84_mmu_new(struct nvkm_device *, int, struct nvkm_mmu **);
+int mcp77_mmu_new(struct nvkm_device *, int, struct nvkm_mmu **);
 int gf100_mmu_new(struct nvkm_device *, int, struct nvkm_mmu **);
 int gk104_mmu_new(struct nvkm_device *, int, struct nvkm_mmu **);
 int gk20a_mmu_new(struct nvkm_device *, int, struct nvkm_mmu **);
diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c
index 435ff8662cfa..ef687414969e 100644
--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
+++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
@@ -1447,11 +1447,13 @@ nouveau_ttm_io_mem_reserve(struct ttm_bo_device *bdev, struct ttm_mem_reg *reg)
                                args.nv50.ro = 0;
                                args.nv50.kind = mem->kind;
                                args.nv50.comp = mem->comp;
+                                argc = sizeof(args.nv50);
                                break;
                        case NVIF_CLASS_MEM_GF100:
                                args.gf100.version = 0;
                                args.gf100.ro = 0;
                                args.gf100.kind = mem->kind;
+                                argc = sizeof(args.gf100);
                                break;
                        default:
                                WARN_ON(1);
@@ -1459,7 +1461,7 @@ nouveau_ttm_io_mem_reserve(struct ttm_bo_device *bdev, struct ttm_mem_reg *reg)
                        }
                        ret = nvif_object_map_handle(&mem->mem.object,
-                                                     &argc, argc,
+                                                     &args, argc,
                                                     &handle, &length);
                        if (ret != 1)
                                return ret ? ret : -EINVAL;
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
index 00eeaaffeae5..08e77cd55e6e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/device/base.c
@@ -1251,7 +1251,7 @@ nvaa_chipset = {
        .i2c = g94_i2c_new,
        .imem = nv50_instmem_new,
        .mc = g98_mc_new,
-        .mmu = g84_mmu_new,
+        .mmu = mcp77_mmu_new,
        .mxm = nv50_mxm_new,
        .pci = g94_pci_new,
        .therm = g84_therm_new,
@@ -1283,7 +1283,7 @@ nvac_chipset = {
        .i2c = g94_i2c_new,
        .imem = nv50_instmem_new,
        .mc = g98_mc_new,
-        .mmu = g84_mmu_new,
+        .mmu = mcp77_mmu_new,
        .mxm = nv50_mxm_new,
        .pci = g94_pci_new,
        .therm = g84_therm_new,
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
index a2978a37b4f3..700fc754f28a 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/sorgf119.c
@@ -174,6 +174,7 @@ gf119_sor = {
                .links = gf119_sor_dp_links,
                .power = g94_sor_dp_power,
                .pattern = gf119_sor_dp_pattern,
+                .drive = gf119_sor_dp_drive,
                .vcpi = gf119_sor_dp_vcpi,
                .audio = gf119_sor_dp_audio,
                .audio_sym = gf119_sor_dp_audio_sym,
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/base.c
index 9646adec57cb..243f0a5c8a62 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/base.c
@@ -73,7 +73,8 @@ static int
 nvkm_bar_fini(struct nvkm_subdev *subdev, bool suspend)
 {
        struct nvkm_bar *bar = nvkm_bar(subdev);
-        bar->func->bar1.fini(bar);
+        if (bar->func->bar1.fini)
+                bar->func->bar1.fini(bar);
        return 0;
 }
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gk20a.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gk20a.c
index b10077d38839..35878fb538f2 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gk20a.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bar/gk20a.c
@@ -26,7 +26,6 @@ gk20a_bar_func = {
        .dtor = gf100_bar_dtor,
        .oneinit = gf100_bar_oneinit,
        .bar1.init = gf100_bar_bar1_init,
-        .bar1.fini = gf100_bar_bar1_fini,
        .bar1.wait = gf100_bar_bar1_wait,
        .bar1.vmm = gf100_bar_bar1_vmm,
        .flush = g84_bar_flush,
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/Kbuild b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/Kbuild
index 352a65f9371c..67ee983bb026 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/Kbuild
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/Kbuild
@@ -4,6 +4,7 @@ nvkm-y += nvkm/subdev/mmu/nv41.o
 nvkm-y += nvkm/subdev/mmu/nv44.o
 nvkm-y += nvkm/subdev/mmu/nv50.o
 nvkm-y += nvkm/subdev/mmu/g84.o
+nvkm-y += nvkm/subdev/mmu/mcp77.o
 nvkm-y += nvkm/subdev/mmu/gf100.o
 nvkm-y += nvkm/subdev/mmu/gk104.o
 nvkm-y += nvkm/subdev/mmu/gk20a.o
@@ -22,6 +23,7 @@ nvkm-y += nvkm/subdev/mmu/vmmnv04.o
 nvkm-y += nvkm/subdev/mmu/vmmnv41.o
 nvkm-y += nvkm/subdev/mmu/vmmnv44.o
 nvkm-y += nvkm/subdev/mmu/vmmnv50.o
+nvkm-y += nvkm/subdev/mmu/vmmmcp77.o
 nvkm-y += nvkm/subdev/mmu/vmmgf100.o
 nvkm-y += nvkm/subdev/mmu/vmmgk104.o
 nvkm-y += nvkm/subdev/mmu/vmmgk20a.o
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/mcp77.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/mcp77.c
new file mode 100644
index 000000000000..0527b50730d9
--- /dev/null
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/mcp77.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2017 Red Hat Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "mem.h"
+#include "vmm.h"
+#include <nvif/class.h>
+static const struct nvkm_mmu_func
+mcp77_mmu = {
+        .dma_bits = 40,
+        .mmu = {{ -1, -1, NVIF_CLASS_MMU_NV50}},
+        .mem = {{ -1,  0, NVIF_CLASS_MEM_NV50}, nv50_mem_new, nv50_mem_map },
+        .vmm = {{ -1, -1, NVIF_CLASS_VMM_NV50}, mcp77_vmm_new, false, 0x0200 },
+        .kind = nv50_mmu_kind,
+        .kind_sys = true,
+};
+int
+mcp77_mmu_new(struct nvkm_device *device, int index, struct nvkm_mmu **pmmu)
+{
+        return nvkm_mmu_new_(&mcp77_mmu, device, index, pmmu);
+}
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h
index 6d8f61ea467a..da06e64d8a7d 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.h
@@ -95,6 +95,9 @@ struct nvkm_vmm_desc {
        const struct nvkm_vmm_desc_func *func;
 };
+extern const struct nvkm_vmm_desc nv50_vmm_desc_12[];
+extern const struct nvkm_vmm_desc nv50_vmm_desc_16[];
 extern const struct nvkm_vmm_desc gk104_vmm_desc_16_12[];
 extern const struct nvkm_vmm_desc gk104_vmm_desc_16_16[];
 extern const struct nvkm_vmm_desc gk104_vmm_desc_17_12[];
@@ -169,6 +172,11 @@ int nv04_vmm_new_(const struct nvkm_vmm_func *, struct nvkm_mmu *, u32,
                  const char *, struct nvkm_vmm **);
 int nv04_vmm_valid(struct nvkm_vmm *, void *, u32, struct nvkm_vmm_map *);
+int nv50_vmm_join(struct nvkm_vmm *, struct nvkm_memory *);
+void nv50_vmm_part(struct nvkm_vmm *, struct nvkm_memory *);
+int nv50_vmm_valid(struct nvkm_vmm *, void *, u32, struct nvkm_vmm_map *);
+void nv50_vmm_flush(struct nvkm_vmm *, int);
 int gf100_vmm_new_(const struct nvkm_vmm_func *, const struct nvkm_vmm_func *,
                   struct nvkm_mmu *, u64, u64, void *, u32,
                   struct lock_class_key *, const char *, struct nvkm_vmm **);
@@ -200,6 +208,8 @@ int nv44_vmm_new(struct nvkm_mmu *, u64, u64, void *, u32,
                 struct lock_class_key *, const char *, struct nvkm_vmm **);
 int nv50_vmm_new(struct nvkm_mmu *, u64, u64, void *, u32,
                 struct lock_class_key *, const char *, struct nvkm_vmm **);
+int mcp77_vmm_new(struct nvkm_mmu *, u64, u64, void *, u32,
+                  struct lock_class_key *, const char *, struct nvkm_vmm **);
 int g84_vmm_new(struct nvkm_mmu *, u64, u64, void *, u32,
                struct lock_class_key *, const char *, struct nvkm_vmm **);
 int gf100_vmm_new(struct nvkm_mmu *, u64, u64, void *, u32,
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmmmcp77.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmmmcp77.c
new file mode 100644
index 000000000000..e63d984cbfd4
--- /dev/null
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmmmcp77.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2017 Red Hat Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ */
+#include "vmm.h"
+static const struct nvkm_vmm_func
+mcp77_vmm = {
+        .join = nv50_vmm_join,
+        .part = nv50_vmm_part,
+        .valid = nv50_vmm_valid,
+        .flush = nv50_vmm_flush,
+        .page_block = 1 << 29,
+        .page = {
+                { 16, &nv50_vmm_desc_16[0], NVKM_VMM_PAGE_xVxx },
+                { 12, &nv50_vmm_desc_12[0], NVKM_VMM_PAGE_xVHx },
+                {}
+        }
+};
+int
+mcp77_vmm_new(struct nvkm_mmu *mmu, u64 addr, u64 size, void *argv, u32 argc,
+              struct lock_class_key *key, const char *name,
+              struct nvkm_vmm **pvmm)
+{
+        return nv04_vmm_new_(&mcp77_vmm, mmu, 0, addr, size,
+                             argv, argc, key, name, pvmm);
+}
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmmnv50.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmmnv50.c
index 863a2edd9861..64f75d906202 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmmnv50.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmmnv50.c
@@ -32,7 +32,7 @@ static inline void
 nv50_vmm_pgt_pte(struct nvkm_vmm *vmm, struct nvkm_mmu_pt *pt,
                 u32 ptei, u32 ptes, struct nvkm_vmm_map *map, u64 addr)
 {
-        u64 next = addr | map->type, data;
+        u64 next = addr + map->type, data;
        u32 pten;
        int log2blk;
@@ -69,7 +69,7 @@ nv50_vmm_pgt_dma(struct nvkm_vmm *vmm, struct nvkm_mmu_pt *pt,
                VMM_SPAM(vmm, "DMAA %08x %08x PTE(s)", ptei, ptes);
                nvkm_kmap(pt->memory);
                while (ptes--) {
-                        const u64 data = *map->dma++ | map->type;
+                        const u64 data = *map->dma++ + map->type;
                        VMM_WO064(pt, vmm, ptei++ * 8, data);
                        map->type += map->ctag;
                }
@@ -163,21 +163,21 @@ nv50_vmm_pgd = {
        .pde = nv50_vmm_pgd_pde,
 };
-static const struct nvkm_vmm_desc
+const struct nvkm_vmm_desc
 nv50_vmm_desc_12[] = {
        { PGT, 17, 8, 0x1000, &nv50_vmm_pgt },
        { PGD, 11, 0, 0x0000, &nv50_vmm_pgd },
        {}
 };
-static const struct nvkm_vmm_desc
+const struct nvkm_vmm_desc
 nv50_vmm_desc_16[] = {
        { PGT, 13, 8, 0x1000, &nv50_vmm_pgt },
        { PGD, 11, 0, 0x0000, &nv50_vmm_pgd },
        {}
 };
-static void
+void
 nv50_vmm_flush(struct nvkm_vmm *vmm, int level)
 {
        struct nvkm_subdev *subdev = &vmm->mmu->subdev;
@@ -223,7 +223,7 @@ nv50_vmm_flush(struct nvkm_vmm *vmm, int level)
        mutex_unlock(&subdev->mutex);
 }
-static int
+int
 nv50_vmm_valid(struct nvkm_vmm *vmm, void *argv, u32 argc,
               struct nvkm_vmm_map *map)
 {
@@ -321,7 +321,7 @@ nv50_vmm_valid(struct nvkm_vmm *vmm, void *argv, u32 argc,
        return 0;
 }
-static void
+void
 nv50_vmm_part(struct nvkm_vmm *vmm, struct nvkm_memory *inst)
 {
        struct nvkm_vmm_join *join;
@@ -335,7 +335,7 @@ nv50_vmm_part(struct nvkm_vmm *vmm, struct nvkm_memory *inst)
        }
 }
-static int
+int
 nv50_vmm_join(struct nvkm_vmm *vmm, struct nvkm_memory *inst)
 {
        const u32 pd_offset = vmm->mmu->func->vmm.pd_offset;
diff --git a/drivers/gpu/drm/sun4i/sun4i_hdmi_tmds_clk.c b/drivers/gpu/drm/sun4i/sun4i_hdmi_tmds_clk.c
index dc332ea56f6c..3ecffa52c814 100644
--- a/drivers/gpu/drm/sun4i/sun4i_hdmi_tmds_clk.c
+++ b/drivers/gpu/drm/sun4i/sun4i_hdmi_tmds_clk.c
@@ -102,10 +102,13 @@ static int sun4i_tmds_determine_rate(struct clk_hw *hw,
                                        goto out;
                                }
-                                if (abs(rate - rounded / i) <
+                                if (!best_parent ||
-                                    abs(rate - best_parent / best_div)) {
+                                    abs(rate - rounded / i / j) <
+                                    abs(rate - best_parent / best_half /
+                                        best_div)) {
                                        best_parent = rounded;
-                                        best_div = i;
+                                        best_half = i;
+                                        best_div = j;
                                }
                        }
                }
diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c
index b0a1dedac802..476079f1255f 100644
--- a/drivers/gpu/drm/tegra/sor.c
+++ b/drivers/gpu/drm/tegra/sor.c
@@ -2656,6 +2656,9 @@ static int tegra_sor_probe(struct platform_device *pdev)
                                name, err);
                        goto remove;
                }
+        } else {
+                /* fall back to the module clock on SOR0 (eDP/LVDS only) */
+                sor->clk_out = sor->clk;
        }
        sor->clk_parent = devm_clk_get(&pdev->dev, "parent");
diff --git a/drivers/gpu/drm/vc4/vc4_irq.c b/drivers/gpu/drm/vc4/vc4_irq.c
index 26eddbb62893..3dd62d75f531 100644
--- a/drivers/gpu/drm/vc4/vc4_irq.c
+++ b/drivers/gpu/drm/vc4/vc4_irq.c
@@ -209,9 +209,6 @@ vc4_irq_postinstall(struct drm_device *dev)
 {
        struct vc4_dev *vc4 = to_vc4_dev(dev);
-        /* Undo the effects of a previous vc4_irq_uninstall. */
-        enable_irq(dev->irq);
        /* Enable both the render done and out of memory interrupts. */
        V3D_WRITE(V3D_INTENA, V3D_DRIVER_IRQS);
diff --git a/drivers/gpu/drm/vc4/vc4_v3d.c b/drivers/gpu/drm/vc4/vc4_v3d.c
index 622cd43840b8..493f392b3a0a 100644
--- a/drivers/gpu/drm/vc4/vc4_v3d.c
+++ b/drivers/gpu/drm/vc4/vc4_v3d.c
@@ -327,6 +327,9 @@ static int vc4_v3d_runtime_resume(struct device *dev)
                return ret;
        vc4_v3d_init_hw(vc4->dev);
+        /* We disabled the IRQ as part of vc4_irq_uninstall in suspend. */
+        enable_irq(vc4->dev->irq);
        vc4_irq_postinstall(vc4->dev);
        return 0;
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
index 21c62a34e558..87e8af5776a3 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -2731,6 +2731,8 @@ static int vmw_cmd_dx_view_define(struct vmw_private *dev_priv,
        }
        view_type = vmw_view_cmd_to_type(header->id);
+        if (view_type == vmw_view_max)
+                return -EINVAL;
        cmd = container_of(header, typeof(*cmd), header);
        ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
                                user_surface_converter,
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 0545740b3724..fcd58145d0da 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -697,7 +697,6 @@ vmw_du_plane_duplicate_state(struct drm_plane *plane)
        vps->pinned = 0;
        /* Mapping is managed by prepare_fb/cleanup_fb */
-        memset(&vps->guest_map, 0, sizeof(vps->guest_map));
        memset(&vps->host_map, 0, sizeof(vps->host_map));
        vps->cpp = 0;
@@ -760,11 +759,6 @@ vmw_du_plane_destroy_state(struct drm_plane *plane,
        /* Should have been freed by cleanup_fb */
-        if (vps->guest_map.virtual) {
-                DRM_ERROR("Guest mapping not freed\n");
-                ttm_bo_kunmap(&vps->guest_map);
-        }
        if (vps->host_map.virtual) {
                DRM_ERROR("Host mapping not freed\n");
                ttm_bo_kunmap(&vps->host_map);
@@ -1869,7 +1863,7 @@ u32 vmw_get_vblank_counter(struct drm_device *dev, unsigned int pipe)
 */
 int vmw_enable_vblank(struct drm_device *dev, unsigned int pipe)
 {
-        return -ENOSYS;
+        return -EINVAL;
 }
 /**
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
index ff9c8389ff21..cd9da2dd79af 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
@@ -175,7 +175,7 @@ struct vmw_plane_state {
        int pinned;
        /* For CPU Blit */
-        struct ttm_bo_kmap_obj host_map, guest_map;
+        struct ttm_bo_kmap_obj host_map;
        unsigned int cpp;
 };
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
index b8a09807c5de..3824595fece1 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c
@@ -266,8 +266,8 @@ static const struct drm_connector_funcs vmw_legacy_connector_funcs = {
        .set_property = vmw_du_connector_set_property,
        .destroy = vmw_ldu_connector_destroy,
        .reset = vmw_du_connector_reset,
-        .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
+        .atomic_duplicate_state = vmw_du_connector_duplicate_state,
-        .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
+        .atomic_destroy_state = vmw_du_connector_destroy_state,
        .atomic_set_property = vmw_du_connector_atomic_set_property,
        .atomic_get_property = vmw_du_connector_atomic_get_property,
 };
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
index bc5f6026573d..63a4cd794b73 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c
@@ -420,8 +420,8 @@ static const struct drm_connector_funcs vmw_sou_connector_funcs = {
        .set_property = vmw_du_connector_set_property,
        .destroy = vmw_sou_connector_destroy,
        .reset = vmw_du_connector_reset,
-        .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
+        .atomic_duplicate_state = vmw_du_connector_duplicate_state,
-        .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
+        .atomic_destroy_state = vmw_du_connector_destroy_state,
        .atomic_set_property = vmw_du_connector_atomic_set_property,
        .atomic_get_property = vmw_du_connector_atomic_get_property,
 };
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
index 90b5437fd787..b68d74888ab1 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
@@ -114,7 +114,7 @@ struct vmw_screen_target_display_unit {
        bool defined;
        /* For CPU Blit */
-        struct ttm_bo_kmap_obj host_map, guest_map;
+        struct ttm_bo_kmap_obj host_map;
        unsigned int cpp;
 };
@@ -695,7 +695,8 @@ static void vmw_stdu_dmabuf_cpu_commit(struct vmw_kms_dirty *dirty)
        s32 src_pitch, dst_pitch;
        u8 *src, *dst;
        bool not_used;
+        struct ttm_bo_kmap_obj guest_map;
+        int ret;
        if (!dirty->num_hits)
                return;
@@ -706,6 +707,13 @@ static void vmw_stdu_dmabuf_cpu_commit(struct vmw_kms_dirty *dirty)
        if (width == 0 || height == 0)
                return;
+        ret = ttm_bo_kmap(&ddirty->buf->base, 0, ddirty->buf->base.num_pages,
+                          &guest_map);
+        if (ret) {
+                DRM_ERROR("Failed mapping framebuffer for blit: %d\n",
+                          ret);
+                goto out_cleanup;
+        }
        /* Assume we are blitting from Host (display_srf) to Guest (dmabuf) */
        src_pitch = stdu->display_srf->base_size.width * stdu->cpp;
@@ -713,7 +721,7 @@ static void vmw_stdu_dmabuf_cpu_commit(struct vmw_kms_dirty *dirty)
        src += ddirty->top * src_pitch + ddirty->left * stdu->cpp;
        dst_pitch = ddirty->pitch;
-        dst = ttm_kmap_obj_virtual(&stdu->guest_map, &not_used);
+        dst = ttm_kmap_obj_virtual(&guest_map, &not_used);
        dst += ddirty->fb_top * dst_pitch + ddirty->fb_left * stdu->cpp;
@@ -772,6 +780,7 @@ static void vmw_stdu_dmabuf_cpu_commit(struct vmw_kms_dirty *dirty)
                vmw_fifo_commit(dev_priv, sizeof(*cmd));
        }
+        ttm_bo_kunmap(&guest_map);
 out_cleanup:
        ddirty->left = ddirty->top = ddirty->fb_left = ddirty->fb_top = S32_MAX;
        ddirty->right = ddirty->bottom = S32_MIN;
@@ -1109,9 +1118,6 @@ vmw_stdu_primary_plane_cleanup_fb(struct drm_plane *plane,
 {
        struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state);
-        if (vps->guest_map.virtual)
-                ttm_bo_kunmap(&vps->guest_map);
        if (vps->host_map.virtual)
                ttm_bo_kunmap(&vps->host_map);
@@ -1277,33 +1283,11 @@ vmw_stdu_primary_plane_prepare_fb(struct drm_plane *plane,
         */
        if (vps->content_fb_type == SEPARATE_DMA &&
            !(dev_priv->capabilities & SVGA_CAP_3D)) {
-                struct vmw_framebuffer_dmabuf *new_vfbd;
-                new_vfbd = vmw_framebuffer_to_vfbd(new_fb);
-                ret = ttm_bo_reserve(&new_vfbd->buffer->base, false, false,
-                                     NULL);
-                if (ret)
-                        goto out_srf_unpin;
-                ret = ttm_bo_kmap(&new_vfbd->buffer->base, 0,
-                                  new_vfbd->buffer->base.num_pages,
-                                  &vps->guest_map);
-                ttm_bo_unreserve(&new_vfbd->buffer->base);
-                if (ret) {
-                        DRM_ERROR("Failed to map content buffer to CPU\n");
-                        goto out_srf_unpin;
-                }
                ret = ttm_bo_kmap(&vps->surf->res.backup->base, 0,
                                  vps->surf->res.backup->base.num_pages,
                                  &vps->host_map);
                if (ret) {
                        DRM_ERROR("Failed to map display buffer to CPU\n");
-                        ttm_bo_kunmap(&vps->guest_map);
                        goto out_srf_unpin;
                }
@@ -1350,7 +1334,6 @@ vmw_stdu_primary_plane_atomic_update(struct drm_plane *plane,
        stdu->display_srf = vps->surf;
        stdu->content_fb_type = vps->content_fb_type;
        stdu->cpp = vps->cpp;
-        memcpy(&stdu->guest_map, &vps->guest_map, sizeof(vps->guest_map));
        memcpy(&stdu->host_map, &vps->host_map, sizeof(vps->host_map));
        if (!stdu->defined)
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
index 706164b4c5be..f7829a74140c 100644
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -821,8 +821,12 @@ void i2c_unregister_device(struct i2c_client *client)
 {
        if (!client)
                return;
-        if (client->dev.of_node)
+        if (client->dev.of_node) {
                of_node_clear_flag(client->dev.of_node, OF_POPULATED);
+                of_node_put(client->dev.of_node);
+        }
        if (ACPI_COMPANION(&client->dev))
                acpi_device_clear_enumerated(ACPI_COMPANION(&client->dev));
        device_unregister(&client->dev);
diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
index 4bb9927afd01..a1082c04ac5c 100644
--- a/drivers/i2c/i2c-core-smbus.c
+++ b/drivers/i2c/i2c-core-smbus.c
@@ -397,16 +397,17 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr,
                                   the underlying bus driver */
                break;
        case I2C_SMBUS_I2C_BLOCK_DATA:
+                if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
+                        dev_err(&adapter->dev, "Invalid block %s size %d\n",
+                                read_write == I2C_SMBUS_READ ? "read" : "write",
+                                data->block[0]);
+                        return -EINVAL;
+                }
                if (read_write == I2C_SMBUS_READ) {
                        msg[1].len = data->block[0];
                } else {
                        msg[0].len = data->block[0] + 1;
-                        if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
-                                dev_err(&adapter->dev,
-                                        "Invalid block write size %d\n",
-                                        data->block[0]);
-                                return -EINVAL;
-                        }
                        for (i = 1; i <= data->block[0]; i++)
                                msgbuf0[i] = data->block[i];
                }
diff --git a/drivers/infiniband/core/core_priv.h b/drivers/infiniband/core/core_priv.h
index a1d687a664f8..66f0268f37a6 100644
--- a/drivers/infiniband/core/core_priv.h
+++ b/drivers/infiniband/core/core_priv.h
@@ -314,7 +314,7 @@ static inline int ib_mad_enforce_security(struct ib_mad_agent_private *map,
 }
 #endif
-struct ib_device *__ib_device_get_by_index(u32 ifindex);
+struct ib_device *ib_device_get_by_index(u32 ifindex);
 /* RDMA device netlink */
 void nldev_init(void);
 void nldev_exit(void);
diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index 30914f3baa5f..465520627e4b 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -134,7 +134,7 @@ static int ib_device_check_mandatory(struct ib_device *device)
        return 0;
 }
-struct ib_device *__ib_device_get_by_index(u32 index)
+static struct ib_device *__ib_device_get_by_index(u32 index)
 {
        struct ib_device *device;
@@ -145,6 +145,22 @@ struct ib_device *__ib_device_get_by_index(u32 index)
        return NULL;
 }
+/*
+ * Caller is responsible to return refrerence count by calling put_device()
+ */
+struct ib_device *ib_device_get_by_index(u32 index)
+{
+        struct ib_device *device;
+        down_read(&lists_rwsem);
+        device = __ib_device_get_by_index(index);
+        if (device)
+                get_device(&device->dev);
+        up_read(&lists_rwsem);
+        return device;
+}
 static struct ib_device *__ib_device_get_by_name(const char *name)
 {
        struct ib_device *device;
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
index 9a05245a1acf..0dcd1aa6f683 100644
--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -142,27 +142,34 @@ static int nldev_get_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
        index = nla_get_u32(tb[RDMA_NLDEV_ATTR_DEV_INDEX]);
-        device = __ib_device_get_by_index(index);
+        device = ib_device_get_by_index(index);
        if (!device)
                return -EINVAL;
        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
-        if (!msg)
+        if (!msg) {
-                return -ENOMEM;
+                err = -ENOMEM;
+                goto err;
+        }
        nlh = nlmsg_put(msg, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
                        RDMA_NL_GET_TYPE(RDMA_NL_NLDEV, RDMA_NLDEV_CMD_GET),
                        0, 0);
        err = fill_dev_info(msg, device);
-        if (err) {
+        if (err)
-                nlmsg_free(msg);
+                goto err_free;
-                return err;
-        }
        nlmsg_end(msg, nlh);
+        put_device(&device->dev);
        return rdma_nl_unicast(msg, NETLINK_CB(skb).portid);
+err_free:
+        nlmsg_free(msg);
+err:
+        put_device(&device->dev);
+        return err;
 }
 static int _nldev_get_dumpit(struct ib_device *device,
@@ -220,31 +227,40 @@ static int nldev_port_get_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
                return -EINVAL;
        index = nla_get_u32(tb[RDMA_NLDEV_ATTR_DEV_INDEX]);
-        device = __ib_device_get_by_index(index);
+        device = ib_device_get_by_index(index);
        if (!device)
                return -EINVAL;
        port = nla_get_u32(tb[RDMA_NLDEV_ATTR_PORT_INDEX]);
-        if (!rdma_is_port_valid(device, port))
+        if (!rdma_is_port_valid(device, port)) {
-                return -EINVAL;
+                err = -EINVAL;
+                goto err;
+        }
        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
-        if (!msg)
+        if (!msg) {
-                return -ENOMEM;
+                err = -ENOMEM;
+                goto err;
+        }
        nlh = nlmsg_put(msg, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
                        RDMA_NL_GET_TYPE(RDMA_NL_NLDEV, RDMA_NLDEV_CMD_GET),
                        0, 0);
        err = fill_port_info(msg, device, port);
-        if (err) {
+        if (err)
-                nlmsg_free(msg);
+                goto err_free;
-                return err;
-        }
        nlmsg_end(msg, nlh);
+        put_device(&device->dev);
        return rdma_nl_unicast(msg, NETLINK_CB(skb).portid);
+err_free:
+        nlmsg_free(msg);
+err:
+        put_device(&device->dev);
+        return err;
 }
 static int nldev_port_get_dumpit(struct sk_buff *skb,
@@ -265,7 +281,7 @@ static int nldev_port_get_dumpit(struct sk_buff *skb,
                return -EINVAL;
        ifindex = nla_get_u32(tb[RDMA_NLDEV_ATTR_DEV_INDEX]);
-        device = __ib_device_get_by_index(ifindex);
+        device = ib_device_get_by_index(ifindex);
        if (!device)
                return -EINVAL;
@@ -299,7 +315,9 @@ static int nldev_port_get_dumpit(struct sk_buff *skb,
                nlmsg_end(skb, nlh);
        }
-out:    cb->args[0] = idx;
+out:
+        put_device(&device->dev);
+        cb->args[0] = idx;
        return skb->len;
 }
diff --git a/drivers/infiniband/hw/hfi1/file_ops.c b/drivers/infiniband/hw/hfi1/file_ops.c
index 7750a9c38b06..1df7da47f431 100644
--- a/drivers/infiniband/hw/hfi1/file_ops.c
+++ b/drivers/infiniband/hw/hfi1/file_ops.c
@@ -763,11 +763,11 @@ static int complete_subctxt(struct hfi1_filedata *fd)
        }
        if (ret) {
-                hfi1_rcd_put(fd->uctxt);
-                fd->uctxt = NULL;
                spin_lock_irqsave(&fd->dd->uctxt_lock, flags);
                __clear_bit(fd->subctxt, fd->uctxt->in_use_ctxts);
                spin_unlock_irqrestore(&fd->dd->uctxt_lock, flags);
+                hfi1_rcd_put(fd->uctxt);
+                fd->uctxt = NULL;
        }
        return ret;
diff --git a/drivers/infiniband/hw/mlx4/mr.c b/drivers/infiniband/hw/mlx4/mr.c
index 313bfb9ccb71..4975f3e6596e 100644
--- a/drivers/infiniband/hw/mlx4/mr.c
+++ b/drivers/infiniband/hw/mlx4/mr.c
@@ -642,7 +642,6 @@ struct ib_mr *mlx4_ib_alloc_mr(struct ib_pd *pd,
                goto err_free_mr;
        mr->max_pages = max_num_sg;
        err = mlx4_mr_enable(dev->dev, &mr->mmr);
        if (err)
                goto err_free_pl;
@@ -653,6 +652,7 @@ struct ib_mr *mlx4_ib_alloc_mr(struct ib_pd *pd,
        return &mr->ibmr;
 err_free_pl:
+        mr->ibmr.device = pd->device;
        mlx4_free_priv_pages(mr);
 err_free_mr:
        (void) mlx4_mr_free(dev->dev, &mr->mmr);
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index 8ac50de2b242..262c1aa2e028 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -1324,7 +1324,8 @@ static int mlx5_ib_alloc_transport_domain(struct mlx5_ib_dev *dev, u32 *tdn)
                return err;
        if ((MLX5_CAP_GEN(dev->mdev, port_type) != MLX5_CAP_PORT_TYPE_ETH) ||
-            !MLX5_CAP_GEN(dev->mdev, disable_local_lb))
+            (!MLX5_CAP_GEN(dev->mdev, disable_local_lb_uc) &&
+             !MLX5_CAP_GEN(dev->mdev, disable_local_lb_mc)))
                return err;
        mutex_lock(&dev->lb_mutex);
@@ -1342,7 +1343,8 @@ static void mlx5_ib_dealloc_transport_domain(struct mlx5_ib_dev *dev, u32 tdn)
        mlx5_core_dealloc_transport_domain(dev->mdev, tdn);
        if ((MLX5_CAP_GEN(dev->mdev, port_type) != MLX5_CAP_PORT_TYPE_ETH) ||
-            !MLX5_CAP_GEN(dev->mdev, disable_local_lb))
+            (!MLX5_CAP_GEN(dev->mdev, disable_local_lb_uc) &&
+             !MLX5_CAP_GEN(dev->mdev, disable_local_lb_mc)))
                return;
        mutex_lock(&dev->lb_mutex);
@@ -4158,7 +4160,7 @@ static void *mlx5_ib_add(struct mlx5_core_dev *mdev)
                goto err_cnt;
        dev->mdev->priv.uar = mlx5_get_uars_page(dev->mdev);
-        if (!dev->mdev->priv.uar)
+        if (IS_ERR(dev->mdev->priv.uar))
                goto err_cong;
        err = mlx5_alloc_bfreg(dev->mdev, &dev->bfreg, false, false);
@@ -4187,7 +4189,8 @@ static void *mlx5_ib_add(struct mlx5_core_dev *mdev)
        }
        if ((MLX5_CAP_GEN(mdev, port_type) == MLX5_CAP_PORT_TYPE_ETH) &&
-            MLX5_CAP_GEN(mdev, disable_local_lb))
+            (MLX5_CAP_GEN(mdev, disable_local_lb_uc) ||
+             MLX5_CAP_GEN(mdev, disable_local_lb_mc)))
                mutex_init(&dev->lb_mutex);
        dev->ib_active = true;
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 31ad28853efa..cffe5966aef9 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -4362,12 +4362,11 @@ static void to_rdma_ah_attr(struct mlx5_ib_dev *ibdev,
        memset(ah_attr, 0, sizeof(*ah_attr));
-        ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, path->port);
+        if (!path->port || path->port > MLX5_CAP_GEN(dev, num_ports))
-        rdma_ah_set_port_num(ah_attr, path->port);
-        if (rdma_ah_get_port_num(ah_attr) == 0 ||
-            rdma_ah_get_port_num(ah_attr) > MLX5_CAP_GEN(dev, num_ports))
                return;
+        ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, path->port);
        rdma_ah_set_port_num(ah_attr, path->port);
        rdma_ah_set_sl(ah_attr, path->dci_cfi_prio_sl & 0xf);
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 12b7f911f0e5..8880351df179 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -902,8 +902,8 @@ static int path_rec_start(struct net_device *dev,
        return 0;
 }
-static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
+static struct ipoib_neigh *neigh_add_path(struct sk_buff *skb, u8 *daddr,
-                           struct net_device *dev)
+                                          struct net_device *dev)
 {
        struct ipoib_dev_priv *priv = ipoib_priv(dev);
        struct rdma_netdev *rn = netdev_priv(dev);
@@ -917,7 +917,15 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
                spin_unlock_irqrestore(&priv->lock, flags);
                ++dev->stats.tx_dropped;
                dev_kfree_skb_any(skb);
-                return;
+                return NULL;
+        }
+        /* To avoid race condition, make sure that the
+         * neigh will be added only once.
+         */
+        if (unlikely(!list_empty(&neigh->list))) {
+                spin_unlock_irqrestore(&priv->lock, flags);
+                return neigh;
        }
        path = __path_find(dev, daddr + 4);
@@ -956,7 +964,7 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
                        path->ah->last_send = rn->send(dev, skb, path->ah->ah,
                                                       IPOIB_QPN(daddr));
                        ipoib_neigh_put(neigh);
-                        return;
+                        return NULL;
                }
        } else {
                neigh->ah  = NULL;
@@ -973,7 +981,7 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
        spin_unlock_irqrestore(&priv->lock, flags);
        ipoib_neigh_put(neigh);
-        return;
+        return NULL;
 err_path:
        ipoib_neigh_free(neigh);
@@ -983,6 +991,8 @@ err_drop:
        spin_unlock_irqrestore(&priv->lock, flags);
        ipoib_neigh_put(neigh);
+        return NULL;
 }
 static void unicast_arp_send(struct sk_buff *skb, struct net_device *dev,
@@ -1091,8 +1101,9 @@ static int ipoib_start_xmit(struct sk_buff *skb, struct net_device *dev)
        case htons(ETH_P_TIPC):
                neigh = ipoib_neigh_get(dev, phdr->hwaddr);
                if (unlikely(!neigh)) {
-                        neigh_add_path(skb, phdr->hwaddr, dev);
+                        neigh = neigh_add_path(skb, phdr->hwaddr, dev);
-                        return NETDEV_TX_OK;
+                        if (likely(!neigh))
+                                return NETDEV_TX_OK;
                }
                break;
        case htons(ETH_P_ARP):
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
index 93e149efc1f5..9b3f47ae2016 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
@@ -816,7 +816,10 @@ void ipoib_mcast_send(struct net_device *dev, u8 *daddr, struct sk_buff *skb)
                spin_lock_irqsave(&priv->lock, flags);
                if (!neigh) {
                        neigh = ipoib_neigh_alloc(daddr, dev);
-                        if (neigh) {
+                        /* Make sure that the neigh will be added only
+                         * once to mcast list.
+                         */
+                        if (neigh && list_empty(&neigh->list)) {
                                kref_get(&mcast->ah->ref);
                                neigh->ah       = mcast->ah;
                                list_add_tail(&neigh->list, &mcast->neigh_list);
diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
index 720dfb3a1ac2..1b02283ce20e 100644
--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -741,6 +741,7 @@ isert_connect_error(struct rdma_cm_id *cma_id)
 {
        struct isert_conn *isert_conn = cma_id->qp->qp_context;
+        ib_drain_qp(isert_conn->qp);
        list_del_init(&isert_conn->node);
        isert_conn->cm_id = NULL;
        isert_put_conn(isert_conn);
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
index 8a1bd354b1cc..bfa576aa9f03 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1013,8 +1013,7 @@ static int srpt_init_ch_qp(struct srpt_rdma_ch *ch, struct ib_qp *qp)
                return -ENOMEM;
        attr->qp_state = IB_QPS_INIT;
-        attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_READ |
+        attr->qp_access_flags = IB_ACCESS_LOCAL_WRITE;
-            IB_ACCESS_REMOTE_WRITE;
        attr->port_num = ch->sport->port;
        attr->pkey_index = 0;
@@ -2078,7 +2077,7 @@ static int srpt_cm_req_recv(struct ib_cm_id *cm_id,
                goto destroy_ib;
        }
-        guid = (__be16 *)&param->primary_path->sgid.global.interface_id;
+        guid = (__be16 *)&param->primary_path->dgid.global.interface_id;
        snprintf(ch->ini_guid, sizeof(ch->ini_guid), "%04x:%04x:%04x:%04x",
                 be16_to_cpu(guid[0]), be16_to_cpu(guid[1]),
                 be16_to_cpu(guid[2]), be16_to_cpu(guid[3]));
diff --git a/drivers/input/joystick/analog.c b/drivers/input/joystick/analog.c
index 3d8ff09eba57..c868a878c84f 100644
--- a/drivers/input/joystick/analog.c
+++ b/drivers/input/joystick/analog.c
@@ -163,7 +163,7 @@ static unsigned int get_time_pit(void)
 #define GET_TIME(x)     do { x = (unsigned int)rdtsc(); } while (0)
 #define DELTA(x,y)      ((y)-(x))
 #define TIME_NAME       "TSC"
-#elif defined(__alpha__) || defined(CONFIG_MN10300) || defined(CONFIG_ARM) || defined(CONFIG_ARM64) || defined(CONFIG_TILE)
+#elif defined(__alpha__) || defined(CONFIG_MN10300) || defined(CONFIG_ARM) || defined(CONFIG_ARM64) || defined(CONFIG_RISCV) || defined(CONFIG_TILE)
 #define GET_TIME(x)     do { x = get_cycles(); } while (0)
 #define DELTA(x,y)      ((y)-(x))
 #define TIME_NAME       "get_cycles"
diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index d86e59515b9c..d88d3e0f59fb 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -229,6 +229,7 @@ static const struct xpad_device {
        { 0x0e6f, 0x0213, "Afterglow Gamepad for Xbox 360", 0, XTYPE_XBOX360 },
        { 0x0e6f, 0x021f, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 },
        { 0x0e6f, 0x0246, "Rock Candy Gamepad for Xbox One 2015", 0, XTYPE_XBOXONE },
+        { 0x0e6f, 0x02ab, "PDP Controller for Xbox One", 0, XTYPE_XBOXONE },
        { 0x0e6f, 0x0301, "Logic3 Controller", 0, XTYPE_XBOX360 },
        { 0x0e6f, 0x0346, "Rock Candy Gamepad for Xbox One 2016", 0, XTYPE_XBOXONE },
        { 0x0e6f, 0x0401, "Logic3 Controller", 0, XTYPE_XBOX360 },
@@ -476,6 +477,22 @@ static const u8 xboxone_hori_init[] = {
 };
 /*
+ * This packet is required for some of the PDP pads to start
+ * sending input reports. One of those pads is (0x0e6f:0x02ab).
+ */
+static const u8 xboxone_pdp_init1[] = {
+        0x0a, 0x20, 0x00, 0x03, 0x00, 0x01, 0x14
+};
+/*
+ * This packet is required for some of the PDP pads to start
+ * sending input reports. One of those pads is (0x0e6f:0x02ab).
+ */
+static const u8 xboxone_pdp_init2[] = {
+        0x06, 0x20, 0x00, 0x02, 0x01, 0x00
+};
+/*
 * A specific rumble packet is required for some PowerA pads to start
 * sending input reports. One of those pads is (0x24c6:0x543a).
 */
@@ -505,6 +522,8 @@ static const struct xboxone_init_packet xboxone_init_packets[] = {
        XBOXONE_INIT_PKT(0x0e6f, 0x0165, xboxone_hori_init),
        XBOXONE_INIT_PKT(0x0f0d, 0x0067, xboxone_hori_init),
        XBOXONE_INIT_PKT(0x0000, 0x0000, xboxone_fw2015_init),
+        XBOXONE_INIT_PKT(0x0e6f, 0x02ab, xboxone_pdp_init1),
+        XBOXONE_INIT_PKT(0x0e6f, 0x02ab, xboxone_pdp_init2),
        XBOXONE_INIT_PKT(0x24c6, 0x541a, xboxone_rumblebegin_init),
        XBOXONE_INIT_PKT(0x24c6, 0x542a, xboxone_rumblebegin_init),
        XBOXONE_INIT_PKT(0x24c6, 0x543a, xboxone_rumblebegin_init),
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index ae473123583b..3d51175c4d72 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1651,7 +1651,7 @@ ims_pcu_get_cdc_union_desc(struct usb_interface *intf)
                                return union_desc;
                        dev_err(&intf->dev,
-                                "Union descriptor to short (%d vs %zd\n)",
+                                "Union descriptor too short (%d vs %zd)\n",
                                union_desc->bLength, sizeof(*union_desc));
                        return NULL;
                }
diff --git a/drivers/input/misc/twl4030-vibra.c b/drivers/input/misc/twl4030-vibra.c
index 6c51d404874b..c37aea9ac272 100644
--- a/drivers/input/misc/twl4030-vibra.c
+++ b/drivers/input/misc/twl4030-vibra.c
@@ -178,12 +178,14 @@ static SIMPLE_DEV_PM_OPS(twl4030_vibra_pm_ops,
                         twl4030_vibra_suspend, twl4030_vibra_resume);
 static bool twl4030_vibra_check_coexist(struct twl4030_vibra_data *pdata,
-                              struct device_node *node)
+                              struct device_node *parent)
 {
+        struct device_node *node;
        if (pdata && pdata->coexist)
                return true;
-        node = of_find_node_by_name(node, "codec");
+        node = of_get_child_by_name(parent, "codec");
        if (node) {
                of_node_put(node);
                return true;
diff --git a/drivers/input/misc/twl6040-vibra.c b/drivers/input/misc/twl6040-vibra.c
index 5690eb7ff954..15e0d352c4cc 100644
--- a/drivers/input/misc/twl6040-vibra.c
+++ b/drivers/input/misc/twl6040-vibra.c
@@ -248,8 +248,7 @@ static int twl6040_vibra_probe(struct platform_device *pdev)
        int vddvibr_uV = 0;
        int error;
-        of_node_get(twl6040_core_dev->of_node);
+        twl6040_core_node = of_get_child_by_name(twl6040_core_dev->of_node,
-        twl6040_core_node = of_find_node_by_name(twl6040_core_dev->of_node,
                                                 "vibra");
        if (!twl6040_core_node) {
                dev_err(&pdev->dev, "parent of node is missing?\n");
diff --git a/drivers/input/misc/xen-kbdfront.c b/drivers/input/misc/xen-kbdfront.c
index 6bf56bb5f8d9..d91f3b1c5375 100644
--- a/drivers/input/misc/xen-kbdfront.c
+++ b/drivers/input/misc/xen-kbdfront.c
@@ -326,8 +326,6 @@ static int xenkbd_probe(struct xenbus_device *dev,
                                     0, width, 0, 0);
                input_set_abs_params(mtouch, ABS_MT_POSITION_Y,
                                     0, height, 0, 0);
-                input_set_abs_params(mtouch, ABS_MT_PRESSURE,
-                                     0, 255, 0, 0);
                ret = input_mt_init_slots(mtouch, num_cont, INPUT_MT_DIRECT);
                if (ret) {
diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
index 579b899add26..dbe57da8c1a1 100644
--- a/drivers/input/mouse/alps.c
+++ b/drivers/input/mouse/alps.c
@@ -1250,29 +1250,32 @@ static int alps_decode_ss4_v2(struct alps_fields *f,
        case SS4_PACKET_ID_MULTI:
                if (priv->flags & ALPS_BUTTONPAD) {
                        if (IS_SS4PLUS_DEV(priv->dev_id)) {
-                                f->mt[0].x = SS4_PLUS_BTL_MF_X_V2(p, 0);
+                                f->mt[2].x = SS4_PLUS_BTL_MF_X_V2(p, 0);
-                                f->mt[1].x = SS4_PLUS_BTL_MF_X_V2(p, 1);
+                                f->mt[3].x = SS4_PLUS_BTL_MF_X_V2(p, 1);
+                                no_data_x = SS4_PLUS_MFPACKET_NO_AX_BL;
                        } else {
                                f->mt[2].x = SS4_BTL_MF_X_V2(p, 0);
                                f->mt[3].x = SS4_BTL_MF_X_V2(p, 1);
+                                no_data_x = SS4_MFPACKET_NO_AX_BL;
                        }
+                        no_data_y = SS4_MFPACKET_NO_AY_BL;
                        f->mt[2].y = SS4_BTL_MF_Y_V2(p, 0);
                        f->mt[3].y = SS4_BTL_MF_Y_V2(p, 1);
-                        no_data_x = SS4_MFPACKET_NO_AX_BL;
-                        no_data_y = SS4_MFPACKET_NO_AY_BL;
                } else {
                        if (IS_SS4PLUS_DEV(priv->dev_id)) {
-                                f->mt[0].x = SS4_PLUS_STD_MF_X_V2(p, 0);
+                                f->mt[2].x = SS4_PLUS_STD_MF_X_V2(p, 0);
-                                f->mt[1].x = SS4_PLUS_STD_MF_X_V2(p, 1);
+                                f->mt[3].x = SS4_PLUS_STD_MF_X_V2(p, 1);
+                                no_data_x = SS4_PLUS_MFPACKET_NO_AX;
                        } else {
-                                f->mt[0].x = SS4_STD_MF_X_V2(p, 0);
+                                f->mt[2].x = SS4_STD_MF_X_V2(p, 0);
-                                f->mt[1].x = SS4_STD_MF_X_V2(p, 1);
+                                f->mt[3].x = SS4_STD_MF_X_V2(p, 1);
+                                no_data_x = SS4_MFPACKET_NO_AX;
                        }
+                        no_data_y = SS4_MFPACKET_NO_AY;
                        f->mt[2].y = SS4_STD_MF_Y_V2(p, 0);
                        f->mt[3].y = SS4_STD_MF_Y_V2(p, 1);
-                        no_data_x = SS4_MFPACKET_NO_AX;
-                        no_data_y = SS4_MFPACKET_NO_AY;
                }
                f->first_mp = 0;
diff --git a/drivers/input/mouse/alps.h b/drivers/input/mouse/alps.h
index c80a7c76cb76..79b6d69d1486 100644
--- a/drivers/input/mouse/alps.h
+++ b/drivers/input/mouse/alps.h
@@ -141,10 +141,12 @@ enum SS4_PACKET_ID {
 #define SS4_TS_Z_V2(_b)         (s8)(_b[4] & 0x7F)
-#define SS4_MFPACKET_NO_AX      8160    /* X-Coordinate value */
+#define SS4_MFPACKET_NO_AX              8160    /* X-Coordinate value */
-#define SS4_MFPACKET_NO_AY      4080    /* Y-Coordinate value */
+#define SS4_MFPACKET_NO_AY              4080    /* Y-Coordinate value */
-#define SS4_MFPACKET_NO_AX_BL   8176    /* Buttonless X-Coordinate value */
+#define SS4_MFPACKET_NO_AX_BL           8176    /* Buttonless X-Coord value */
-#define SS4_MFPACKET_NO_AY_BL   4088    /* Buttonless Y-Coordinate value */
+#define SS4_MFPACKET_NO_AY_BL           4088    /* Buttonless Y-Coord value */
+#define SS4_PLUS_MFPACKET_NO_AX         4080    /* SS4 PLUS, X */
+#define SS4_PLUS_MFPACKET_NO_AX_BL      4088    /* Buttonless SS4 PLUS, X */
 /*
 * enum V7_PACKET_ID - defines the packet type for V7
diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c
index b84cd978fce2..a4aaa748e987 100644
--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1613,7 +1613,7 @@ static int elantech_set_properties(struct elantech_data *etd)
                case 5:
                        etd->hw_version = 3;
                        break;
-                case 6 ... 14:
+                case 6 ... 15:
                        etd->hw_version = 4;
                        break;
                default:
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
index ee5466a374bf..cd9f61cb3fc6 100644
--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -173,6 +173,7 @@ static const char * const smbus_pnp_ids[] = {
        "LEN0046", /* X250 */
        "LEN004a", /* W541 */
        "LEN200f", /* T450s */
+        "LEN2018", /* T460p */
        NULL
 };
diff --git a/drivers/input/mouse/trackpoint.c b/drivers/input/mouse/trackpoint.c
index 0871010f18d5..bbd29220dbe9 100644
--- a/drivers/input/mouse/trackpoint.c
+++ b/drivers/input/mouse/trackpoint.c
@@ -19,6 +19,13 @@
 #include "psmouse.h"
 #include "trackpoint.h"
+static const char * const trackpoint_variants[] = {
+        [TP_VARIANT_IBM]        = "IBM",
+        [TP_VARIANT_ALPS]       = "ALPS",
+        [TP_VARIANT_ELAN]       = "Elan",
+        [TP_VARIANT_NXP]        = "NXP",
+};
 /*
 * Power-on Reset: Resets all trackpoint parameters, including RAM values,
 * to defaults.
@@ -26,7 +33,7 @@
 */
 static int trackpoint_power_on_reset(struct ps2dev *ps2dev)
 {
-        unsigned char results[2];
+        u8 results[2];
        int tries = 0;
        /* Issue POR command, and repeat up to once if 0xFC00 received */
@@ -38,7 +45,7 @@ static int trackpoint_power_on_reset(struct ps2dev *ps2dev)
        /* Check for success response -- 0xAA00 */
        if (results[0] != 0xAA || results[1] != 0x00)
-                return -1;
+                return -ENODEV;
        return 0;
 }
@@ -46,8 +53,7 @@ static int trackpoint_power_on_reset(struct ps2dev *ps2dev)
 /*
 * Device IO: read, write and toggle bit
 */
-static int trackpoint_read(struct ps2dev *ps2dev,
+static int trackpoint_read(struct ps2dev *ps2dev, u8 loc, u8 *results)
-                           unsigned char loc, unsigned char *results)
 {
        if (ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_COMMAND)) ||
            ps2_command(ps2dev, results, MAKE_PS2_CMD(0, 1, loc))) {
@@ -57,8 +63,7 @@ static int trackpoint_read(struct ps2dev *ps2dev,
        return 0;
 }
-static int trackpoint_write(struct ps2dev *ps2dev,
+static int trackpoint_write(struct ps2dev *ps2dev, u8 loc, u8 val)
-                            unsigned char loc, unsigned char val)
 {
        if (ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_COMMAND)) ||
            ps2_command(ps2dev, NULL, MAKE_PS2_CMD(0, 0, TP_WRITE_MEM)) ||
@@ -70,8 +75,7 @@ static int trackpoint_write(struct ps2dev *ps2dev,
        return 0;
 }
-static int trackpoint_toggle_bit(struct ps2dev *ps2dev,
+static int trackpoint_toggle_bit(struct ps2dev *ps2dev, u8 loc, u8 mask)
-                                 unsigned char loc, unsigned char mask)
 {
        /* Bad things will happen if the loc param isn't in this range */
        if (loc < 0x20 || loc >= 0x2F)
@@ -87,11 +91,11 @@ static int trackpoint_toggle_bit(struct ps2dev *ps2dev,
        return 0;
 }
-static int trackpoint_update_bit(struct ps2dev *ps2dev, unsigned char loc,
+static int trackpoint_update_bit(struct ps2dev *ps2dev,
-                                 unsigned char mask, unsigned char value)
+                                 u8 loc, u8 mask, u8 value)
 {
        int retval = 0;
-        unsigned char data;
+        u8 data;
        trackpoint_read(ps2dev, loc, &data);
        if (((data & mask) == mask) != !!value)
@@ -105,17 +109,18 @@ static int trackpoint_update_bit(struct ps2dev *ps2dev, unsigned char loc,
 */
 struct trackpoint_attr_data {
        size_t field_offset;
-        unsigned char command;
+        u8 command;
-        unsigned char mask;
+        u8 mask;
-        unsigned char inverted;
+        bool inverted;
-        unsigned char power_on_default;
+        u8 power_on_default;
 };
-static ssize_t trackpoint_show_int_attr(struct psmouse *psmouse, void *data, char *buf)
+static ssize_t trackpoint_show_int_attr(struct psmouse *psmouse,
+                                        void *data, char *buf)
 {
        struct trackpoint_data *tp = psmouse->private;
        struct trackpoint_attr_data *attr = data;
-        unsigned char value = *(unsigned char *)((char *)tp + attr->field_offset);
+        u8 value = *(u8 *)((void *)tp + attr->field_offset);
        if (attr->inverted)
                value = !value;
@@ -128,8 +133,8 @@ static ssize_t trackpoint_set_int_attr(struct psmouse *psmouse, void *data,
 {
        struct trackpoint_data *tp = psmouse->private;
        struct trackpoint_attr_data *attr = data;
-        unsigned char *field = (unsigned char *)((char *)tp + attr->field_offset);
+        u8 *field = (void *)tp + attr->field_offset;
-        unsigned char value;
+        u8 value;
        int err;
        err = kstrtou8(buf, 10, &value);
@@ -157,17 +162,14 @@ static ssize_t trackpoint_set_bit_attr(struct psmouse *psmouse, void *data,
 {
        struct trackpoint_data *tp = psmouse->private;
        struct trackpoint_attr_data *attr = data;
-        unsigned char *field = (unsigned char *)((char *)tp + attr->field_offset);
+        bool *field = (void *)tp + attr->field_offset;
-        unsigned int value;
+        bool value;
        int err;
-        err = kstrtouint(buf, 10, &value);
+        err = kstrtobool(buf, &value);
        if (err)
                return err;
-        if (value > 1)
-                return -EINVAL;
        if (attr->inverted)
                value = !value;
@@ -193,30 +195,6 @@ PSMOUSE_DEFINE_ATTR(_name, S_IWUSR | S_IRUGO,				\
                    &trackpoint_attr_##_name,                           \
                    trackpoint_show_int_attr, trackpoint_set_bit_attr)
-#define TRACKPOINT_UPDATE_BIT(_psmouse, _tp, _name)                     \
-do {                                                                    \
-        struct trackpoint_attr_data *_attr = &trackpoint_attr_##_name;  \
-                                                                        \
-        trackpoint_update_bit(&_psmouse->ps2dev,                        \
-                        _attr->command, _attr->mask, _tp->_name);       \
-} while (0)
-#define TRACKPOINT_UPDATE(_power_on, _psmouse, _tp, _name)              \
-do {                                                                    \
-        if (!_power_on ||                                               \
-            _tp->_name != trackpoint_attr_##_name.power_on_default) {   \
-                if (!trackpoint_attr_##_name.mask)                      \
-                        trackpoint_write(&_psmouse->ps2dev,             \
-                                 trackpoint_attr_##_name.command,       \
-                                 _tp->_name);                           \
-                else                                                    \
-                        TRACKPOINT_UPDATE_BIT(_psmouse, _tp, _name);    \
-        }                                                               \
-} while (0)
-#define TRACKPOINT_SET_POWER_ON_DEFAULT(_tp, _name)                             \
-        (_tp->_name = trackpoint_attr_##_name.power_on_default)
 TRACKPOINT_INT_ATTR(sensitivity, TP_SENS, TP_DEF_SENS);
 TRACKPOINT_INT_ATTR(speed, TP_SPEED, TP_DEF_SPEED);
 TRACKPOINT_INT_ATTR(inertia, TP_INERTIA, TP_DEF_INERTIA);
@@ -229,13 +207,33 @@ TRACKPOINT_INT_ATTR(ztime, TP_Z_TIME, TP_DEF_Z_TIME);
 TRACKPOINT_INT_ATTR(jenks, TP_JENKS_CURV, TP_DEF_JENKS_CURV);
 TRACKPOINT_INT_ATTR(drift_time, TP_DRIFT_TIME, TP_DEF_DRIFT_TIME);
-TRACKPOINT_BIT_ATTR(press_to_select, TP_TOGGLE_PTSON, TP_MASK_PTSON, 0,
+TRACKPOINT_BIT_ATTR(press_to_select, TP_TOGGLE_PTSON, TP_MASK_PTSON, false,
                    TP_DEF_PTSON);
-TRACKPOINT_BIT_ATTR(skipback, TP_TOGGLE_SKIPBACK, TP_MASK_SKIPBACK, 0,
+TRACKPOINT_BIT_ATTR(skipback, TP_TOGGLE_SKIPBACK, TP_MASK_SKIPBACK, false,
                    TP_DEF_SKIPBACK);
-TRACKPOINT_BIT_ATTR(ext_dev, TP_TOGGLE_EXT_DEV, TP_MASK_EXT_DEV, 1,
+TRACKPOINT_BIT_ATTR(ext_dev, TP_TOGGLE_EXT_DEV, TP_MASK_EXT_DEV, true,
                    TP_DEF_EXT_DEV);
+static bool trackpoint_is_attr_available(struct psmouse *psmouse,
+                                         struct attribute *attr)
+{
+        struct trackpoint_data *tp = psmouse->private;
+        return tp->variant_id == TP_VARIANT_IBM ||
+                attr == &psmouse_attr_sensitivity.dattr.attr ||
+                attr == &psmouse_attr_press_to_select.dattr.attr;
+}
+static umode_t trackpoint_is_attr_visible(struct kobject *kobj,
+                                          struct attribute *attr, int n)
+{
+        struct device *dev = container_of(kobj, struct device, kobj);
+        struct serio *serio = to_serio_port(dev);
+        struct psmouse *psmouse = serio_get_drvdata(serio);
+        return trackpoint_is_attr_available(psmouse, attr) ? attr->mode : 0;
+}
 static struct attribute *trackpoint_attrs[] = {
        &psmouse_attr_sensitivity.dattr.attr,
        &psmouse_attr_speed.dattr.attr,
@@ -255,24 +253,56 @@ static struct attribute *trackpoint_attrs[] = {
 };
 static struct attribute_group trackpoint_attr_group = {
-        .attrs = trackpoint_attrs,
+        .is_visible     = trackpoint_is_attr_visible,
+        .attrs          = trackpoint_attrs,
 };
-static int trackpoint_start_protocol(struct psmouse *psmouse, unsigned char *firmware_id)
+#define TRACKPOINT_UPDATE(_power_on, _psmouse, _tp, _name)              \
-{
+do {                                                                    \
-        unsigned char param[2] = { 0 };
+        struct trackpoint_attr_data *_attr = &trackpoint_attr_##_name;  \
+                                                                        \
+        if ((!_power_on || _tp->_name != _attr->power_on_default) &&    \
+            trackpoint_is_attr_available(_psmouse,                      \
+                                &psmouse_attr_##_name.dattr.attr)) {    \
+                if (!_attr->mask)                                       \
+                        trackpoint_write(&_psmouse->ps2dev,             \
+                                         _attr->command, _tp->_name);   \
+                else                                                    \
+                        trackpoint_update_bit(&_psmouse->ps2dev,        \
+                                        _attr->command, _attr->mask,    \
+                                        _tp->_name);                    \
+        }                                                               \
+} while (0)
-        if (ps2_command(&psmouse->ps2dev, param, MAKE_PS2_CMD(0, 2, TP_READ_ID)))
+#define TRACKPOINT_SET_POWER_ON_DEFAULT(_tp, _name)                     \
-                return -1;
+do {                                                                    \
+        _tp->_name = trackpoint_attr_##_name.power_on_default;          \
+} while (0)
-        /* add new TP ID. */
+static int trackpoint_start_protocol(struct psmouse *psmouse,
-        if (!(param[0] & TP_MAGIC_IDENT))
+                                     u8 *variant_id, u8 *firmware_id)
-                return -1;
+{
+        u8 param[2] = { 0 };
+        int error;
-        if (firmware_id)
+        error = ps2_command(&psmouse->ps2dev,
-                *firmware_id = param[1];
+                            param, MAKE_PS2_CMD(0, 2, TP_READ_ID));
+        if (error)
+                return error;
+        switch (param[0]) {
+        case TP_VARIANT_IBM:
+        case TP_VARIANT_ALPS:
+        case TP_VARIANT_ELAN:
+        case TP_VARIANT_NXP:
+                if (variant_id)
+                        *variant_id = param[0];
+                if (firmware_id)
+                        *firmware_id = param[1];
+                return 0;
+        }
-        return 0;
+        return -ENODEV;
 }
 /*
@@ -285,7 +315,7 @@ static int trackpoint_sync(struct psmouse *psmouse, bool in_power_on_state)
 {
        struct trackpoint_data *tp = psmouse->private;
-        if (!in_power_on_state) {
+        if (!in_power_on_state && tp->variant_id == TP_VARIANT_IBM) {
                /*
                 * Disable features that may make device unusable
                 * with this driver.
@@ -347,7 +377,8 @@ static void trackpoint_defaults(struct trackpoint_data *tp)
 static void trackpoint_disconnect(struct psmouse *psmouse)
 {
-        sysfs_remove_group(&psmouse->ps2dev.serio->dev.kobj, &trackpoint_attr_group);
+        device_remove_group(&psmouse->ps2dev.serio->dev,
+                            &trackpoint_attr_group);
        kfree(psmouse->private);
        psmouse->private = NULL;
@@ -355,14 +386,20 @@ static void trackpoint_disconnect(struct psmouse *psmouse)
 static int trackpoint_reconnect(struct psmouse *psmouse)
 {
-        int reset_fail;
+        struct trackpoint_data *tp = psmouse->private;
+        int error;
+        bool was_reset;
-        if (trackpoint_start_protocol(psmouse, NULL))
+        error = trackpoint_start_protocol(psmouse, NULL, NULL);
-                return -1;
+        if (error)
+                return error;
-        reset_fail = trackpoint_power_on_reset(&psmouse->ps2dev);
+        was_reset = tp->variant_id == TP_VARIANT_IBM &&
-        if (trackpoint_sync(psmouse, !reset_fail))
+                    trackpoint_power_on_reset(&psmouse->ps2dev) == 0;
-                return -1;
+        error = trackpoint_sync(psmouse, was_reset);
+        if (error)
+                return error;
        return 0;
 }
@@ -370,46 +407,66 @@ static int trackpoint_reconnect(struct psmouse *psmouse)
 int trackpoint_detect(struct psmouse *psmouse, bool set_properties)
 {
        struct ps2dev *ps2dev = &psmouse->ps2dev;
-        unsigned char firmware_id;
+        struct trackpoint_data *tp;
-        unsigned char button_info;
+        u8 variant_id;
+        u8 firmware_id;
+        u8 button_info;
        int error;
-        if (trackpoint_start_protocol(psmouse, &firmware_id))
+        error = trackpoint_start_protocol(psmouse, &variant_id, &firmware_id);
-                return -1;
+        if (error)
+                return error;
        if (!set_properties)
                return 0;
-        if (trackpoint_read(ps2dev, TP_EXT_BTN, &button_info)) {
+        tp = kzalloc(sizeof(*tp), GFP_KERNEL);
-                psmouse_warn(psmouse, "failed to get extended button data, assuming 3 buttons\n");
+        if (!tp)
-                button_info = 0x33;
-        }
-        psmouse->private = kzalloc(sizeof(struct trackpoint_data), GFP_KERNEL);
-        if (!psmouse->private)
                return -ENOMEM;
-        psmouse->vendor = "IBM";
+        trackpoint_defaults(tp);
+        tp->variant_id = variant_id;
+        tp->firmware_id = firmware_id;
+        psmouse->private = tp;
+        psmouse->vendor = trackpoint_variants[variant_id];
        psmouse->name = "TrackPoint";
        psmouse->reconnect = trackpoint_reconnect;
        psmouse->disconnect = trackpoint_disconnect;
+        if (variant_id != TP_VARIANT_IBM) {
+                /* Newer variants do not support extended button query. */
+                button_info = 0x33;
+        } else {
+                error = trackpoint_read(ps2dev, TP_EXT_BTN, &button_info);
+                if (error) {
+                        psmouse_warn(psmouse,
+                                     "failed to get extended button data, assuming 3 buttons\n");
+                        button_info = 0x33;
+                } else if (!button_info) {
+                        psmouse_warn(psmouse,
+                                     "got 0 in extended button data, assuming 3 buttons\n");
+                        button_info = 0x33;
+                }
+        }
        if ((button_info & 0x0f) >= 3)
-                __set_bit(BTN_MIDDLE, psmouse->dev->keybit);
+                input_set_capability(psmouse->dev, EV_KEY, BTN_MIDDLE);
        __set_bit(INPUT_PROP_POINTER, psmouse->dev->propbit);
        __set_bit(INPUT_PROP_POINTING_STICK, psmouse->dev->propbit);
-        trackpoint_defaults(psmouse->private);
+        if (variant_id != TP_VARIANT_IBM ||
+            trackpoint_power_on_reset(ps2dev) != 0) {
-        error = trackpoint_power_on_reset(ps2dev);
+                /*
+                 * Write defaults to TP if we did not reset the trackpoint.
-        /* Write defaults to TP only if reset fails. */
+                 */
-        if (error)
                trackpoint_sync(psmouse, false);
+        }
-        error = sysfs_create_group(&ps2dev->serio->dev.kobj, &trackpoint_attr_group);
+        error = device_add_group(&ps2dev->serio->dev, &trackpoint_attr_group);
        if (error) {
                psmouse_err(psmouse,
                            "failed to create sysfs attributes, error: %d\n",
@@ -420,8 +477,8 @@ int trackpoint_detect(struct psmouse *psmouse, bool set_properties)
        }
        psmouse_info(psmouse,
-                     "IBM TrackPoint firmware: 0x%02x, buttons: %d/%d\n",
+                     "%s TrackPoint firmware: 0x%02x, buttons: %d/%d\n",
-                     firmware_id,
+                     psmouse->vendor, firmware_id,
                     (button_info & 0xf0) >> 4, button_info & 0x0f);
        return 0;
diff --git a/drivers/input/mouse/trackpoint.h b/drivers/input/mouse/trackpoint.h
index 88055755f82e..10a039148234 100644
--- a/drivers/input/mouse/trackpoint.h
+++ b/drivers/input/mouse/trackpoint.h
@@ -21,10 +21,16 @@
 #define TP_COMMAND              0xE2    /* Commands start with this */
 #define TP_READ_ID              0xE1    /* Sent for device identification */
-#define TP_MAGIC_IDENT          0x03    /* Sent after a TP_READ_ID followed */
-                                        /* by the firmware ID */
-                                        /* Firmware ID includes 0x1, 0x2, 0x3 */
+/*
+ * Valid first byte responses to the "Read Secondary ID" (0xE1) command.
+ * 0x01 was the original IBM trackpoint, others implement very limited
+ * subset of trackpoint features.
+ */
+#define TP_VARIANT_IBM          0x01
+#define TP_VARIANT_ALPS         0x02
+#define TP_VARIANT_ELAN         0x03
+#define TP_VARIANT_NXP          0x04
 /*
 * Commands
@@ -136,18 +142,20 @@
 #define MAKE_PS2_CMD(params, results, cmd) ((params<<12) | (results<<8) | (cmd))
-struct trackpoint_data
+struct trackpoint_data {
-{
+        u8 variant_id;
-        unsigned char sensitivity, speed, inertia, reach;
+        u8 firmware_id;
-        unsigned char draghys, mindrag;
-        unsigned char thresh, upthresh;
+        u8 sensitivity, speed, inertia, reach;
-        unsigned char ztime, jenks;
+        u8 draghys, mindrag;
-        unsigned char drift_time;
+        u8 thresh, upthresh;
+        u8 ztime, jenks;
+        u8 drift_time;
        /* toggles */
-        unsigned char press_to_select;
+        bool press_to_select;
-        unsigned char skipback;
+        bool skipback;
-        unsigned char ext_dev;
+        bool ext_dev;
 };
 #ifdef CONFIG_MOUSE_PS2_TRACKPOINT
diff --git a/drivers/input/rmi4/rmi_driver.c b/drivers/input/rmi4/rmi_driver.c
index 4f2bb5947a4e..141ea228aac6 100644
--- a/drivers/input/rmi4/rmi_driver.c
+++ b/drivers/input/rmi4/rmi_driver.c
@@ -230,8 +230,10 @@ static irqreturn_t rmi_irq_fn(int irq, void *dev_id)
                rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
                        "Failed to process interrupt request: %d\n", ret);
-        if (count)
+        if (count) {
                kfree(attn_data.data);
+                attn_data.data = NULL;
+        }
        if (!kfifo_is_empty(&drvdata->attn_fifo))
                return rmi_irq_fn(irq, dev_id);
diff --git a/drivers/input/rmi4/rmi_f01.c b/drivers/input/rmi4/rmi_f01.c
index ae966e333a2f..8a07ae147df6 100644
--- a/drivers/input/rmi4/rmi_f01.c
+++ b/drivers/input/rmi4/rmi_f01.c
@@ -570,14 +570,19 @@ static int rmi_f01_probe(struct rmi_function *fn)
        dev_set_drvdata(&fn->dev, f01);
-        error = devm_device_add_group(&fn->rmi_dev->dev, &rmi_f01_attr_group);
+        error = sysfs_create_group(&fn->rmi_dev->dev.kobj, &rmi_f01_attr_group);
        if (error)
-                dev_warn(&fn->dev,
+                dev_warn(&fn->dev, "Failed to create sysfs group: %d\n", error);
-                         "Failed to create attribute group: %d\n", error);
        return 0;
 }
+static void rmi_f01_remove(struct rmi_function *fn)
+{
+        /* Note that the bus device is used, not the F01 device */
+        sysfs_remove_group(&fn->rmi_dev->dev.kobj, &rmi_f01_attr_group);
+}
 static int rmi_f01_config(struct rmi_function *fn)
 {
        struct f01_data *f01 = dev_get_drvdata(&fn->dev);
@@ -717,6 +722,7 @@ struct rmi_function_handler rmi_f01_handler = {
        },
        .func           = 0x01,
        .probe          = rmi_f01_probe,
+        .remove         = rmi_f01_remove,
        .config         = rmi_f01_config,
        .attention      = rmi_f01_attention,
        .suspend        = rmi_f01_suspend,
diff --git a/drivers/input/touchscreen/88pm860x-ts.c b/drivers/input/touchscreen/88pm860x-ts.c
index 7ed828a51f4c..3486d9403805 100644
--- a/drivers/input/touchscreen/88pm860x-ts.c
+++ b/drivers/input/touchscreen/88pm860x-ts.c
@@ -126,7 +126,7 @@ static int pm860x_touch_dt_init(struct platform_device *pdev,
        int data, n, ret;
        if (!np)
                return -ENODEV;
-        np = of_find_node_by_name(np, "touch");
+        np = of_get_child_by_name(np, "touch");
        if (!np) {
                dev_err(&pdev->dev, "Can't find touch node\n");
                return -EINVAL;
@@ -144,13 +144,13 @@ static int pm860x_touch_dt_init(struct platform_device *pdev,
        if (data) {
                ret = pm860x_reg_write(i2c, PM8607_GPADC_MISC1, data);
                if (ret < 0)
-                        return -EINVAL;
+                        goto err_put_node;
        }
        /* set tsi prebias time */
        if (!of_property_read_u32(np, "marvell,88pm860x-tsi-prebias", &data)) {
                ret = pm860x_reg_write(i2c, PM8607_TSI_PREBIAS, data);
                if (ret < 0)
-                        return -EINVAL;
+                        goto err_put_node;
        }
        /* set prebias & prechg time of pen detect */
        data = 0;
@@ -161,10 +161,18 @@ static int pm860x_touch_dt_init(struct platform_device *pdev,
        if (data) {
                ret = pm860x_reg_write(i2c, PM8607_PD_PREBIAS, data);
                if (ret < 0)
-                        return -EINVAL;
+                        goto err_put_node;
        }
        of_property_read_u32(np, "marvell,88pm860x-resistor-X", res_x);
+        of_node_put(np);
        return 0;
+err_put_node:
+        of_node_put(np);
+        return -EINVAL;
 }
 #else
 #define pm860x_touch_dt_init(x, y, z)   (-1)
diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
index e102d7764bc2..a458e5ec9e41 100644
--- a/drivers/input/touchscreen/elants_i2c.c
+++ b/drivers/input/touchscreen/elants_i2c.c
@@ -27,6 +27,7 @@
 #include <linux/module.h>
 #include <linux/input.h>
 #include <linux/interrupt.h>
+#include <linux/irq.h>
 #include <linux/platform_device.h>
 #include <linux/async.h>
 #include <linux/i2c.h>
@@ -1261,10 +1262,13 @@ static int elants_i2c_probe(struct i2c_client *client,
        }
        /*
-         * Systems using device tree should set up interrupt via DTS,
+         * Platform code (ACPI, DTS) should normally set up interrupt
-         * the rest will use the default falling edge interrupts.
+         * for us, but in case it did not let's fall back to using falling
+         * edge to be compatible with older Chromebooks.
         */
-        irqflags = client->dev.of_node ? 0 : IRQF_TRIGGER_FALLING;
+        irqflags = irq_get_trigger_type(client->irq);
+        if (!irqflags)
+                irqflags = IRQF_TRIGGER_FALLING;
        error = devm_request_threaded_irq(&client->dev, client->irq,
                                          NULL, elants_i2c_irq,
diff --git a/drivers/input/touchscreen/hideep.c b/drivers/input/touchscreen/hideep.c
index fc080a7c2e1f..f1cd4dd9a4a3 100644
--- a/drivers/input/touchscreen/hideep.c
+++ b/drivers/input/touchscreen/hideep.c
@@ -10,8 +10,7 @@
 #include <linux/of.h>
 #include <linux/firmware.h>
 #include <linux/delay.h>
-#include <linux/gpio.h>
+#include <linux/gpio/consumer.h>
-#include <linux/gpio/machine.h>
 #include <linux/i2c.h>
 #include <linux/acpi.h>
 #include <linux/interrupt.h>
diff --git a/drivers/input/touchscreen/of_touchscreen.c b/drivers/input/touchscreen/of_touchscreen.c
index 8d7f9c8f2771..9642f103b726 100644
--- a/drivers/input/touchscreen/of_touchscreen.c
+++ b/drivers/input/touchscreen/of_touchscreen.c
@@ -13,6 +13,7 @@
 #include <linux/input.h>
 #include <linux/input/mt.h>
 #include <linux/input/touchscreen.h>
+#include <linux/module.h>
 static bool touchscreen_get_prop_u32(struct device *dev,
                                     const char *property,
@@ -185,3 +186,6 @@ void touchscreen_report_pos(struct input_dev *input,
        input_report_abs(input, multitouch ? ABS_MT_POSITION_Y : ABS_Y, y);
 }
 EXPORT_SYMBOL(touchscreen_report_pos);
+MODULE_LICENSE("GPL v2");
+MODULE_DESCRIPTION("Device-tree helpers functions for touchscreen devices");
diff --git a/drivers/input/touchscreen/s6sy761.c b/drivers/input/touchscreen/s6sy761.c
index 26b1cb8a88ec..675efa93d444 100644
--- a/drivers/input/touchscreen/s6sy761.c
+++ b/drivers/input/touchscreen/s6sy761.c
@@ -1,13 +1,8 @@
-/*
+// SPDX-License-Identifier: GPL-2.0
- * Copyright (c) 2017 Samsung Electronics Co., Ltd.
+// Samsung S6SY761 Touchscreen device driver
- * Author: Andi Shyti <andi.shyti@samsung.com>
+//
- *
+// Copyright (c) 2017 Samsung Electronics Co., Ltd.
- * This program is free software; you can redistribute it and/or modify
+// Copyright (c) 2017 Andi Shyti <andi.shyti@samsung.com>
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * Samsung S6SY761 Touchscreen device driver
- */
 #include <asm/unaligned.h>
 #include <linux/delay.h>
diff --git a/drivers/input/touchscreen/stmfts.c b/drivers/input/touchscreen/stmfts.c
index c12d01899939..2a123e20a42e 100644
--- a/drivers/input/touchscreen/stmfts.c
+++ b/drivers/input/touchscreen/stmfts.c
@@ -1,13 +1,8 @@
-/*
+// SPDX-License-Identifier: GPL-2.0
- * Copyright (c) 2017 Samsung Electronics Co., Ltd.
+// STMicroelectronics FTS Touchscreen device driver
- * Author: Andi Shyti <andi.shyti@samsung.com>
+//
- *
+// Copyright (c) 2017 Samsung Electronics Co., Ltd.
- * This program is free software; you can redistribute it and/or modify
+// Copyright (c) 2017 Andi Shyti <andi.shyti@samsung.com>
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * STMicroelectronics FTS Touchscreen device driver
- */
 #include <linux/delay.h>
 #include <linux/i2c.h>
diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
index f122071688fd..744592d330ca 100644
--- a/drivers/iommu/arm-smmu-v3.c
+++ b/drivers/iommu/arm-smmu-v3.c
@@ -1698,13 +1698,15 @@ static int arm_smmu_domain_finalise(struct iommu_domain *domain)
        domain->pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
        domain->geometry.aperture_end = (1UL << ias) - 1;
        domain->geometry.force_aperture = true;
-        smmu_domain->pgtbl_ops = pgtbl_ops;
        ret = finalise_stage_fn(smmu_domain, &pgtbl_cfg);
-        if (ret < 0)
+        if (ret < 0) {
                free_io_pgtable_ops(pgtbl_ops);
+                return ret;
+        }
-        return ret;
+        smmu_domain->pgtbl_ops = pgtbl_ops;
+        return 0;
 }
 static __le64 *arm_smmu_get_step_for_sid(struct arm_smmu_device *smmu, u32 sid)
@@ -1731,7 +1733,7 @@ static __le64 *arm_smmu_get_step_for_sid(struct arm_smmu_device *smmu, u32 sid)
 static void arm_smmu_install_ste_for_dev(struct iommu_fwspec *fwspec)
 {
-        int i;
+        int i, j;
        struct arm_smmu_master_data *master = fwspec->iommu_priv;
        struct arm_smmu_device *smmu = master->smmu;
@@ -1739,6 +1741,13 @@ static void arm_smmu_install_ste_for_dev(struct iommu_fwspec *fwspec)
                u32 sid = fwspec->ids[i];
                __le64 *step = arm_smmu_get_step_for_sid(smmu, sid);
+                /* Bridged PCI devices may end up with duplicated IDs */
+                for (j = 0; j < i; j++)
+                        if (fwspec->ids[j] == sid)
+                                break;
+                if (j < i)
+                        continue;
                arm_smmu_write_strtab_ent(smmu, sid, step, &master->ste);
        }
 }
diff --git a/drivers/leds/led-core.c b/drivers/leds/led-core.c
index f3654fd2eaf3..ede4fa0ac2cc 100644
--- a/drivers/leds/led-core.c
+++ b/drivers/leds/led-core.c
@@ -186,8 +186,9 @@ void led_blink_set(struct led_classdev *led_cdev,
                   unsigned long *delay_on,
                   unsigned long *delay_off)
 {
-        led_stop_software_blink(led_cdev);
+        del_timer_sync(&led_cdev->blink_timer);
+        clear_bit(LED_BLINK_SW, &led_cdev->work_flags);
        clear_bit(LED_BLINK_ONESHOT, &led_cdev->work_flags);
        clear_bit(LED_BLINK_ONESHOT_STOP, &led_cdev->work_flags);
diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 9fc12f556534..554d60394c06 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1954,10 +1954,15 @@ static int crypt_setkey(struct crypt_config *cc)
        /* Ignore extra keys (which are used for IV etc) */
        subkey_size = crypt_subkey_size(cc);
-        if (crypt_integrity_hmac(cc))
+        if (crypt_integrity_hmac(cc)) {
+                if (subkey_size < cc->key_mac_size)
+                        return -EINVAL;
                crypt_copy_authenckey(cc->authenc_key, cc->key,
                                      subkey_size - cc->key_mac_size,
                                      cc->key_mac_size);
+        }
        for (i = 0; i < cc->tfms_count; i++) {
                if (crypt_integrity_hmac(cc))
                        r = crypto_aead_setkey(cc->cipher_tfm.tfms_aead[i],
@@ -2053,9 +2058,6 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string
        ret = crypt_setkey(cc);
-        /* wipe the kernel key payload copy in each case */
-        memset(cc->key, 0, cc->key_size * sizeof(u8));
        if (!ret) {
                set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
                kzfree(cc->key_string);
@@ -2523,6 +2525,10 @@ static int crypt_ctr_cipher(struct dm_target *ti, char *cipher_in, char *key)
                }
        }
+        /* wipe the kernel key payload copy */
+        if (cc->key_string)
+                memset(cc->key, 0, cc->key_size * sizeof(u8));
        return ret;
 }
@@ -2740,6 +2746,7 @@ static int crypt_ctr(struct dm_target *ti, unsigned int argc, char **argv)
                        cc->tag_pool_max_sectors * cc->on_disk_tag_size);
                if (!cc->tag_pool) {
                        ti->error = "Cannot allocate integrity tags mempool";
+                        ret = -ENOMEM;
                        goto bad;
                }
@@ -2961,6 +2968,9 @@ static int crypt_message(struct dm_target *ti, unsigned argc, char **argv)
                                return ret;
                        if (cc->iv_gen_ops && cc->iv_gen_ops->init)
                                ret = cc->iv_gen_ops->init(cc);
+                        /* wipe the kernel key payload copy */
+                        if (cc->key_string)
+                                memset(cc->key, 0, cc->key_size * sizeof(u8));
                        return ret;
                }
                if (argc == 2 && !strcasecmp(argv[1], "wipe")) {
@@ -3007,7 +3017,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
 static struct target_type crypt_target = {
        .name   = "crypt",
-        .version = {1, 18, 0},
+        .version = {1, 18, 1},
        .module = THIS_MODULE,
        .ctr    = crypt_ctr,
        .dtr    = crypt_dtr,
diff --git a/drivers/md/dm-integrity.c b/drivers/md/dm-integrity.c
index 05c7bfd0c9d9..46d7c8749222 100644
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -2559,7 +2559,8 @@ static int create_journal(struct dm_integrity_c *ic, char **error)
        int r = 0;
        unsigned i;
        __u64 journal_pages, journal_desc_size, journal_tree_size;
-        unsigned char *crypt_data = NULL;
+        unsigned char *crypt_data = NULL, *crypt_iv = NULL;
+        struct skcipher_request *req = NULL;
        ic->commit_ids[0] = cpu_to_le64(0x1111111111111111ULL);
        ic->commit_ids[1] = cpu_to_le64(0x2222222222222222ULL);
@@ -2617,9 +2618,20 @@ static int create_journal(struct dm_integrity_c *ic, char **error)
                if (blocksize == 1) {
                        struct scatterlist *sg;
-                        SKCIPHER_REQUEST_ON_STACK(req, ic->journal_crypt);
-                        unsigned char iv[ivsize];
+                        req = skcipher_request_alloc(ic->journal_crypt, GFP_KERNEL);
-                        skcipher_request_set_tfm(req, ic->journal_crypt);
+                        if (!req) {
+                                *error = "Could not allocate crypt request";
+                                r = -ENOMEM;
+                                goto bad;
+                        }
+                        crypt_iv = kmalloc(ivsize, GFP_KERNEL);
+                        if (!crypt_iv) {
+                                *error = "Could not allocate iv";
+                                r = -ENOMEM;
+                                goto bad;
+                        }
                        ic->journal_xor = dm_integrity_alloc_page_list(ic);
                        if (!ic->journal_xor) {
@@ -2641,9 +2653,9 @@ static int create_journal(struct dm_integrity_c *ic, char **error)
                                sg_set_buf(&sg[i], va, PAGE_SIZE);
                        }
                        sg_set_buf(&sg[i], &ic->commit_ids, sizeof ic->commit_ids);
-                        memset(iv, 0x00, ivsize);
+                        memset(crypt_iv, 0x00, ivsize);
-                        skcipher_request_set_crypt(req, sg, sg, PAGE_SIZE * ic->journal_pages + sizeof ic->commit_ids, iv);
+                        skcipher_request_set_crypt(req, sg, sg, PAGE_SIZE * ic->journal_pages + sizeof ic->commit_ids, crypt_iv);
                        init_completion(&comp.comp);
                        comp.in_flight = (atomic_t)ATOMIC_INIT(1);
                        if (do_crypt(true, req, &comp))
@@ -2659,10 +2671,22 @@ static int create_journal(struct dm_integrity_c *ic, char **error)
                        crypto_free_skcipher(ic->journal_crypt);
                        ic->journal_crypt = NULL;
                } else {
-                        SKCIPHER_REQUEST_ON_STACK(req, ic->journal_crypt);
-                        unsigned char iv[ivsize];
                        unsigned crypt_len = roundup(ivsize, blocksize);
+                        req = skcipher_request_alloc(ic->journal_crypt, GFP_KERNEL);
+                        if (!req) {
+                                *error = "Could not allocate crypt request";
+                                r = -ENOMEM;
+                                goto bad;
+                        }
+                        crypt_iv = kmalloc(ivsize, GFP_KERNEL);
+                        if (!crypt_iv) {
+                                *error = "Could not allocate iv";
+                                r = -ENOMEM;
+                                goto bad;
+                        }
                        crypt_data = kmalloc(crypt_len, GFP_KERNEL);
                        if (!crypt_data) {
                                *error = "Unable to allocate crypt data";
@@ -2670,8 +2694,6 @@ static int create_journal(struct dm_integrity_c *ic, char **error)
                                goto bad;
                        }
-                        skcipher_request_set_tfm(req, ic->journal_crypt);
                        ic->journal_scatterlist = dm_integrity_alloc_journal_scatterlist(ic, ic->journal);
                        if (!ic->journal_scatterlist) {
                                *error = "Unable to allocate sg list";
@@ -2695,12 +2717,12 @@ static int create_journal(struct dm_integrity_c *ic, char **error)
                                struct skcipher_request *section_req;
                                __u32 section_le = cpu_to_le32(i);
-                                memset(iv, 0x00, ivsize);
+                                memset(crypt_iv, 0x00, ivsize);
                                memset(crypt_data, 0x00, crypt_len);
                                memcpy(crypt_data, &section_le, min((size_t)crypt_len, sizeof(section_le)));
                                sg_init_one(&sg, crypt_data, crypt_len);
-                                skcipher_request_set_crypt(req, &sg, &sg, crypt_len, iv);
+                                skcipher_request_set_crypt(req, &sg, &sg, crypt_len, crypt_iv);
                                init_completion(&comp.comp);
                                comp.in_flight = (atomic_t)ATOMIC_INIT(1);
                                if (do_crypt(true, req, &comp))
@@ -2758,6 +2780,9 @@ retest_commit_id:
        }
 bad:
        kfree(crypt_data);
+        kfree(crypt_iv);
+        skcipher_request_free(req);
        return r;
 }
diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
index d31d18d9727c..36ef284ad086 100644
--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -80,10 +80,14 @@
 #define SECTOR_TO_BLOCK_SHIFT 3
 /*
+ * For btree insert:
 *  3 for btree insert +
 *  2 for btree lookup used within space map
+ * For btree remove:
+ *  2 for shadow spine +
+ *  4 for rebalance 3 child node
 */
-#define THIN_MAX_CONCURRENT_LOCKS 5
+#define THIN_MAX_CONCURRENT_LOCKS 6
 /* This should be plenty */
 #define SPACE_MAP_ROOT_SIZE 128
diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
index f21ce6a3d4cf..58b319757b1e 100644
--- a/drivers/md/persistent-data/dm-btree.c
+++ b/drivers/md/persistent-data/dm-btree.c
@@ -683,23 +683,8 @@ static int btree_split_beneath(struct shadow_spine *s, uint64_t key)
        pn->keys[1] = rn->keys[0];
        memcpy_disk(value_ptr(pn, 1), &val, sizeof(__le64));
-        /*
+        unlock_block(s->info, left);
-         * rejig the spine.  This is ugly, since it knows too
+        unlock_block(s->info, right);
-         * much about the spine
-         */
-        if (s->nodes[0] != new_parent) {
-                unlock_block(s->info, s->nodes[0]);
-                s->nodes[0] = new_parent;
-        }
-        if (key < le64_to_cpu(rn->keys[0])) {
-                unlock_block(s->info, right);
-                s->nodes[1] = left;
-        } else {
-                unlock_block(s->info, left);
-                s->nodes[1] = right;
-        }
-        s->count = 2;
        return 0;
 }
diff --git a/drivers/mmc/host/renesas_sdhi_core.c b/drivers/mmc/host/renesas_sdhi_core.c
index fcf7235d5742..157e1d9e7725 100644
--- a/drivers/mmc/host/renesas_sdhi_core.c
+++ b/drivers/mmc/host/renesas_sdhi_core.c
@@ -24,6 +24,7 @@
 #include <linux/kernel.h>
 #include <linux/clk.h>
 #include <linux/slab.h>
+#include <linux/module.h>
 #include <linux/of_device.h>
 #include <linux/platform_device.h>
 #include <linux/mmc/host.h>
@@ -667,3 +668,5 @@ int renesas_sdhi_remove(struct platform_device *pdev)
        return 0;
 }
 EXPORT_SYMBOL_GPL(renesas_sdhi_remove);
+MODULE_LICENSE("GPL v2");
diff --git a/drivers/mmc/host/s3cmci.c b/drivers/mmc/host/s3cmci.c
index f7f157a62a4a..555c7f133eb8 100644
--- a/drivers/mmc/host/s3cmci.c
+++ b/drivers/mmc/host/s3cmci.c
@@ -1424,7 +1424,9 @@ static const struct file_operations s3cmci_fops_state = {
 struct s3cmci_reg {
        unsigned short  addr;
        unsigned char   *name;
-} debug_regs[] = {
+};
+static const struct s3cmci_reg debug_regs[] = {
        DBG_REG(CON),
        DBG_REG(PRE),
        DBG_REG(CMDARG),
@@ -1446,7 +1448,7 @@ struct s3cmci_reg {
 static int s3cmci_regs_show(struct seq_file *seq, void *v)
 {
        struct s3cmci_host *host = seq->private;
-        struct s3cmci_reg *rptr = debug_regs;
+        const struct s3cmci_reg *rptr = debug_regs;
        for (; rptr->name; rptr++)
                seq_printf(seq, "SDI%s\t=0x%08x\n", rptr->name,
diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
index 85140c9af581..8b941f814472 100644
--- a/drivers/mmc/host/sdhci-esdhc-imx.c
+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
@@ -687,6 +687,20 @@ static inline void esdhc_pltfm_set_clock(struct sdhci_host *host,
                return;
        }
+        /* For i.MX53 eSDHCv3, SYSCTL.SDCLKFS may not be set to 0. */
+        if (is_imx53_esdhc(imx_data)) {
+                /*
+                 * According to the i.MX53 reference manual, if DLLCTRL[10] can
+                 * be set, then the controller is eSDHCv3, else it is eSDHCv2.
+                 */
+                val = readl(host->ioaddr + ESDHC_DLL_CTRL);
+                writel(val | BIT(10), host->ioaddr + ESDHC_DLL_CTRL);
+                temp = readl(host->ioaddr + ESDHC_DLL_CTRL);
+                writel(val, host->ioaddr + ESDHC_DLL_CTRL);
+                if (temp & BIT(10))
+                        pre_div = 2;
+        }
        temp = sdhci_readl(host, ESDHC_SYSTEM_CONTROL);
        temp &= ~(ESDHC_CLOCK_IPGEN | ESDHC_CLOCK_HCKEN | ESDHC_CLOCK_PEREN
                | ESDHC_CLOCK_MASK);
diff --git a/drivers/mtd/nand/pxa3xx_nand.c b/drivers/mtd/nand/pxa3xx_nand.c
index 90b9a9ccbe60..9285f60e5783 100644
--- a/drivers/mtd/nand/pxa3xx_nand.c
+++ b/drivers/mtd/nand/pxa3xx_nand.c
@@ -963,6 +963,7 @@ static void prepare_start_command(struct pxa3xx_nand_info *info, int command)
        switch (command) {
        case NAND_CMD_READ0:
+        case NAND_CMD_READOOB:
        case NAND_CMD_PAGEPROG:
                info->use_ecc = 1;
                break;
diff --git a/drivers/mux/core.c b/drivers/mux/core.c
index 2260063b0ea8..6e5cf9d9cd99 100644
--- a/drivers/mux/core.c
+++ b/drivers/mux/core.c
@@ -413,6 +413,7 @@ static int of_dev_node_match(struct device *dev, const void *data)
        return dev->of_node == data;
 }
+/* Note this function returns a reference to the mux_chip dev. */
 static struct mux_chip *of_find_mux_chip_by_node(struct device_node *np)
 {
        struct device *dev;
@@ -466,6 +467,7 @@ struct mux_control *mux_control_get(struct device *dev, const char *mux_name)
            (!args.args_count && (mux_chip->controllers > 1))) {
                dev_err(dev, "%pOF: wrong #mux-control-cells for %pOF\n",
                        np, args.np);
+                put_device(&mux_chip->dev);
                return ERR_PTR(-EINVAL);
        }
@@ -476,10 +478,10 @@ struct mux_control *mux_control_get(struct device *dev, const char *mux_name)
        if (controller >= mux_chip->controllers) {
                dev_err(dev, "%pOF: bad mux controller %u specified in %pOF\n",
                        np, controller, args.np);
+                put_device(&mux_chip->dev);
                return ERR_PTR(-EINVAL);
        }
-        get_device(&mux_chip->dev);
        return &mux_chip->mux[controller];
 }
 EXPORT_SYMBOL_GPL(mux_control_get);
diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index 0626dcfd1f3d..760d2c07e3a2 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -526,7 +526,7 @@ static int flexcan_start_xmit(struct sk_buff *skb, struct net_device *dev)
                data = be32_to_cpup((__be32 *)&cf->data[0]);
                flexcan_write(data, &priv->tx_mb->data[0]);
        }
-        if (cf->can_dlc > 3) {
+        if (cf->can_dlc > 4) {
                data = be32_to_cpup((__be32 *)&cf->data[4]);
                flexcan_write(data, &priv->tx_mb->data[1]);
        }
diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c
index b00358297424..12ff0020ecd6 100644
--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -395,6 +395,7 @@ static void ems_usb_rx_err(struct ems_usb *dev, struct ems_cpc_msg *msg)
                if (dev->can.state == CAN_STATE_ERROR_WARNING ||
                    dev->can.state == CAN_STATE_ERROR_PASSIVE) {
+                        cf->can_id |= CAN_ERR_CRTL;
                        cf->data[1] = (txerr > rxerr) ?
                            CAN_ERR_CRTL_TX_PASSIVE : CAN_ERR_CRTL_RX_PASSIVE;
                }
diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index 68ac3e88a8ce..8bf80ad9dc44 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -449,7 +449,7 @@ static int gs_usb_set_bittiming(struct net_device *netdev)
                dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)",
                        rc);
-        return rc;
+        return (rc > 0) ? 0 : rc;
 }
 static void gs_usb_xmit_callback(struct urb *urb)
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
index 7ccdc3e30c98..53d6bb045e9e 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
@@ -184,7 +184,7 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail)
        void *cmd_head = pcan_usb_fd_cmd_buffer(dev);
        int err = 0;
        u8 *packet_ptr;
-        int i, n = 1, packet_len;
+        int packet_len;
        ptrdiff_t cmd_len;
        /* usb device unregistered? */
@@ -201,17 +201,13 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail)
        }
        packet_ptr = cmd_head;
+        packet_len = cmd_len;
        /* firmware is not able to re-assemble 512 bytes buffer in full-speed */
-        if ((dev->udev->speed != USB_SPEED_HIGH) &&
+        if (unlikely(dev->udev->speed != USB_SPEED_HIGH))
-            (cmd_len > PCAN_UFD_LOSPD_PKT_SIZE)) {
+                packet_len = min(packet_len, PCAN_UFD_LOSPD_PKT_SIZE);
-                packet_len = PCAN_UFD_LOSPD_PKT_SIZE;
-                n += cmd_len / packet_len;
-        } else {
-                packet_len = cmd_len;
-        }
-        for (i = 0; i < n; i++) {
+        do {
                err = usb_bulk_msg(dev->udev,
                                   usb_sndbulkpipe(dev->udev,
                                                   PCAN_USBPRO_EP_CMDOUT),
@@ -224,7 +220,12 @@ static int pcan_usb_fd_send_cmd(struct peak_usb_device *dev, void *cmd_tail)
                }
                packet_ptr += packet_len;
-        }
+                cmd_len -= packet_len;
+                if (cmd_len < PCAN_UFD_LOSPD_PKT_SIZE)
+                        packet_len = cmd_len;
+        } while (packet_len > 0);
        return err;
 }
diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
index 8404e8852a0f..b4c4a2c76437 100644
--- a/drivers/net/can/vxcan.c
+++ b/drivers/net/can/vxcan.c
@@ -194,7 +194,7 @@ static int vxcan_newlink(struct net *net, struct net_device *dev,
                tbp = peer_tb;
        }
-        if (tbp[IFLA_IFNAME]) {
+        if (ifmp && tbp[IFLA_IFNAME]) {
                nla_strlcpy(ifname, tbp[IFLA_IFNAME], IFNAMSIZ);
                name_assign_type = NET_NAME_USER;
        } else {
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index f5a8dd96fd75..4498ab897d94 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -1500,10 +1500,13 @@ static enum dsa_tag_protocol b53_get_tag_protocol(struct dsa_switch *ds,
 {
        struct b53_device *dev = ds->priv;
-        /* Older models support a different tag format that we do not
+        /* Older models (5325, 5365) support a different tag format that we do
-         * support in net/dsa/tag_brcm.c yet.
+         * not support in net/dsa/tag_brcm.c yet. 539x and 531x5 require managed
+         * mode to be turned on which means we need to specifically manage ARL
+         * misses on multicast addresses (TBD).
         */
-        if (is5325(dev) || is5365(dev) || !b53_can_enable_brcm_tags(ds, port))
+        if (is5325(dev) || is5365(dev) || is539x(dev) || is531x5(dev) ||
+            !b53_can_enable_brcm_tags(ds, port))
                return DSA_TAG_PROTO_NONE;
        /* Broadcom BCM58xx chips have a flow accelerator on Port 8
diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c
index f4e13a7014bd..36c8950dbd2d 100644
--- a/drivers/net/ethernet/3com/3c59x.c
+++ b/drivers/net/ethernet/3com/3c59x.c
@@ -602,7 +602,7 @@ struct vortex_private {
        struct sk_buff* rx_skbuff[RX_RING_SIZE];
        struct sk_buff* tx_skbuff[TX_RING_SIZE];
        unsigned int cur_rx, cur_tx;            /* The next free ring entry */
-        unsigned int dirty_rx, dirty_tx;        /* The ring entries to be free()ed. */
+        unsigned int dirty_tx;  /* The ring entries to be free()ed. */
        struct vortex_extra_stats xstats;       /* NIC-specific extra stats */
        struct sk_buff *tx_skb;                         /* Packet being eaten by bus master ctrl.  */
        dma_addr_t tx_skb_dma;                          /* Allocated DMA address for bus master ctrl DMA.   */
@@ -618,7 +618,6 @@ struct vortex_private {
        /* The remainder are related to chip state, mostly media selection. */
        struct timer_list timer;                        /* Media selection timer. */
-        struct timer_list rx_oom_timer;         /* Rx skb allocation retry timer */
        int options;                                            /* User-settable misc. driver options. */
        unsigned int media_override:4,          /* Passed-in media type. */
                default_media:4,                                /* Read from the EEPROM/Wn3_Config. */
@@ -760,7 +759,6 @@ static void mdio_sync(struct vortex_private *vp, int bits);
 static int mdio_read(struct net_device *dev, int phy_id, int location);
 static void mdio_write(struct net_device *vp, int phy_id, int location, int value);
 static void vortex_timer(struct timer_list *t);
-static void rx_oom_timer(struct timer_list *t);
 static netdev_tx_t vortex_start_xmit(struct sk_buff *skb,
                                     struct net_device *dev);
 static netdev_tx_t boomerang_start_xmit(struct sk_buff *skb,
@@ -1601,7 +1599,6 @@ vortex_up(struct net_device *dev)
        timer_setup(&vp->timer, vortex_timer, 0);
        mod_timer(&vp->timer, RUN_AT(media_tbl[dev->if_port].wait));
-        timer_setup(&vp->rx_oom_timer, rx_oom_timer, 0);
        if (vortex_debug > 1)
                pr_debug("%s: Initial media type %s.\n",
@@ -1676,7 +1673,7 @@ vortex_up(struct net_device *dev)
        window_write16(vp, 0x0040, 4, Wn4_NetDiag);
        if (vp->full_bus_master_rx) { /* Boomerang bus master. */
-                vp->cur_rx = vp->dirty_rx = 0;
+                vp->cur_rx = 0;
                /* Initialize the RxEarly register as recommended. */
                iowrite16(SetRxThreshold + (1536>>2), ioaddr + EL3_CMD);
                iowrite32(0x0020, ioaddr + PktStatus);
@@ -1729,6 +1726,7 @@ vortex_open(struct net_device *dev)
        struct vortex_private *vp = netdev_priv(dev);
        int i;
        int retval;
+        dma_addr_t dma;
        /* Use the now-standard shared IRQ implementation. */
        if ((retval = request_irq(dev->irq, vp->full_bus_master_rx ?
@@ -1753,7 +1751,11 @@ vortex_open(struct net_device *dev)
                                break;                  /* Bad news!  */
                        skb_reserve(skb, NET_IP_ALIGN); /* Align IP on 16 byte boundaries */
-                        vp->rx_ring[i].addr = cpu_to_le32(pci_map_single(VORTEX_PCI(vp), skb->data, PKT_BUF_SZ, PCI_DMA_FROMDEVICE));
+                        dma = pci_map_single(VORTEX_PCI(vp), skb->data,
+                                             PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
+                        if (dma_mapping_error(&VORTEX_PCI(vp)->dev, dma))
+                                break;
+                        vp->rx_ring[i].addr = cpu_to_le32(dma);
                }
                if (i != RX_RING_SIZE) {
                        pr_emerg("%s: no memory for rx ring\n", dev->name);
@@ -2067,6 +2069,12 @@ vortex_start_xmit(struct sk_buff *skb, struct net_device *dev)
                int len = (skb->len + 3) & ~3;
                vp->tx_skb_dma = pci_map_single(VORTEX_PCI(vp), skb->data, len,
                                                PCI_DMA_TODEVICE);
+                if (dma_mapping_error(&VORTEX_PCI(vp)->dev, vp->tx_skb_dma)) {
+                        dev_kfree_skb_any(skb);
+                        dev->stats.tx_dropped++;
+                        return NETDEV_TX_OK;
+                }
                spin_lock_irq(&vp->window_lock);
                window_set(vp, 7);
                iowrite32(vp->tx_skb_dma, ioaddr + Wn7_MasterAddr);
@@ -2593,7 +2601,7 @@ boomerang_rx(struct net_device *dev)
        int entry = vp->cur_rx % RX_RING_SIZE;
        void __iomem *ioaddr = vp->ioaddr;
        int rx_status;
-        int rx_work_limit = vp->dirty_rx + RX_RING_SIZE - vp->cur_rx;
+        int rx_work_limit = RX_RING_SIZE;
        if (vortex_debug > 5)
                pr_debug("boomerang_rx(): status %4.4x\n", ioread16(ioaddr+EL3_STATUS));
@@ -2614,7 +2622,8 @@ boomerang_rx(struct net_device *dev)
                } else {
                        /* The packet length: up to 4.5K!. */
                        int pkt_len = rx_status & 0x1fff;
-                        struct sk_buff *skb;
+                        struct sk_buff *skb, *newskb;
+                        dma_addr_t newdma;
                        dma_addr_t dma = le32_to_cpu(vp->rx_ring[entry].addr);
                        if (vortex_debug > 4)
@@ -2633,9 +2642,27 @@ boomerang_rx(struct net_device *dev)
                                pci_dma_sync_single_for_device(VORTEX_PCI(vp), dma, PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
                                vp->rx_copy++;
                        } else {
+                                /* Pre-allocate the replacement skb.  If it or its
+                                 * mapping fails then recycle the buffer thats already
+                                 * in place
+                                 */
+                                newskb = netdev_alloc_skb_ip_align(dev, PKT_BUF_SZ);
+                                if (!newskb) {
+                                        dev->stats.rx_dropped++;
+                                        goto clear_complete;
+                                }
+                                newdma = pci_map_single(VORTEX_PCI(vp), newskb->data,
+                                                        PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
+                                if (dma_mapping_error(&VORTEX_PCI(vp)->dev, newdma)) {
+                                        dev->stats.rx_dropped++;
+                                        consume_skb(newskb);
+                                        goto clear_complete;
+                                }
                                /* Pass up the skbuff already on the Rx ring. */
                                skb = vp->rx_skbuff[entry];
-                                vp->rx_skbuff[entry] = NULL;
+                                vp->rx_skbuff[entry] = newskb;
+                                vp->rx_ring[entry].addr = cpu_to_le32(newdma);
                                skb_put(skb, pkt_len);
                                pci_unmap_single(VORTEX_PCI(vp), dma, PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
                                vp->rx_nocopy++;
@@ -2653,55 +2680,15 @@ boomerang_rx(struct net_device *dev)
                        netif_rx(skb);
                        dev->stats.rx_packets++;
                }
-                entry = (++vp->cur_rx) % RX_RING_SIZE;
-        }
-        /* Refill the Rx ring buffers. */
-        for (; vp->cur_rx - vp->dirty_rx > 0; vp->dirty_rx++) {
-                struct sk_buff *skb;
-                entry = vp->dirty_rx % RX_RING_SIZE;
-                if (vp->rx_skbuff[entry] == NULL) {
-                        skb = netdev_alloc_skb_ip_align(dev, PKT_BUF_SZ);
-                        if (skb == NULL) {
-                                static unsigned long last_jif;
-                                if (time_after(jiffies, last_jif + 10 * HZ)) {
-                                        pr_warn("%s: memory shortage\n",
-                                                dev->name);
-                                        last_jif = jiffies;
-                                }
-                                if ((vp->cur_rx - vp->dirty_rx) == RX_RING_SIZE)
-                                        mod_timer(&vp->rx_oom_timer, RUN_AT(HZ * 1));
-                                break;                  /* Bad news!  */
-                        }
-                        vp->rx_ring[entry].addr = cpu_to_le32(pci_map_single(VORTEX_PCI(vp), skb->data, PKT_BUF_SZ, PCI_DMA_FROMDEVICE));
+clear_complete:
-                        vp->rx_skbuff[entry] = skb;
-                }
                vp->rx_ring[entry].status = 0;  /* Clear complete bit. */
                iowrite16(UpUnstall, ioaddr + EL3_CMD);
+                entry = (++vp->cur_rx) % RX_RING_SIZE;
        }
        return 0;
 }
-/*
- * If we've hit a total OOM refilling the Rx ring we poll once a second
- * for some memory.  Otherwise there is no way to restart the rx process.
- */
-static void
-rx_oom_timer(struct timer_list *t)
-{
-        struct vortex_private *vp = from_timer(vp, t, rx_oom_timer);
-        struct net_device *dev = vp->mii.dev;
-        spin_lock_irq(&vp->lock);
-        if ((vp->cur_rx - vp->dirty_rx) == RX_RING_SIZE)        /* This test is redundant, but makes me feel good */
-                boomerang_rx(dev);
-        if (vortex_debug > 1) {
-                pr_debug("%s: rx_oom_timer %s\n", dev->name,
-                        ((vp->cur_rx - vp->dirty_rx) != RX_RING_SIZE) ? "succeeded" : "retrying");
-        }
-        spin_unlock_irq(&vp->lock);
-}
 static void
 vortex_down(struct net_device *dev, int final_down)
 {
@@ -2711,7 +2698,6 @@ vortex_down(struct net_device *dev, int final_down)
        netdev_reset_queue(dev);
        netif_stop_queue(dev);
-        del_timer_sync(&vp->rx_oom_timer);
        del_timer_sync(&vp->timer);
        /* Turn off statistics ASAP.  We update dev->stats below. */
diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
index 97c5a89a9cf7..fbe21a817bd8 100644
--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
+++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
@@ -75,6 +75,9 @@ static struct workqueue_struct *ena_wq;
 MODULE_DEVICE_TABLE(pci, ena_pci_tbl);
 static int ena_rss_init_default(struct ena_adapter *adapter);
+static void check_for_admin_com_state(struct ena_adapter *adapter);
+static void ena_destroy_device(struct ena_adapter *adapter);
+static int ena_restore_device(struct ena_adapter *adapter);
 static void ena_tx_timeout(struct net_device *dev)
 {
@@ -1565,7 +1568,7 @@ static int ena_rss_configure(struct ena_adapter *adapter)
 static int ena_up_complete(struct ena_adapter *adapter)
 {
-        int rc, i;
+        int rc;
        rc = ena_rss_configure(adapter);
        if (rc)
@@ -1584,17 +1587,6 @@ static int ena_up_complete(struct ena_adapter *adapter)
        ena_napi_enable_all(adapter);
-        /* Enable completion queues interrupt */
-        for (i = 0; i < adapter->num_queues; i++)
-                ena_unmask_interrupt(&adapter->tx_ring[i],
-                                     &adapter->rx_ring[i]);
-        /* schedule napi in case we had pending packets
-         * from the last time we disable napi
-         */
-        for (i = 0; i < adapter->num_queues; i++)
-                napi_schedule(&adapter->ena_napi[i].napi);
        return 0;
 }
@@ -1731,7 +1723,7 @@ create_err:
 static int ena_up(struct ena_adapter *adapter)
 {
-        int rc;
+        int rc, i;
        netdev_dbg(adapter->netdev, "%s\n", __func__);
@@ -1774,6 +1766,17 @@ static int ena_up(struct ena_adapter *adapter)
        set_bit(ENA_FLAG_DEV_UP, &adapter->flags);
+        /* Enable completion queues interrupt */
+        for (i = 0; i < adapter->num_queues; i++)
+                ena_unmask_interrupt(&adapter->tx_ring[i],
+                                     &adapter->rx_ring[i]);
+        /* schedule napi in case we had pending packets
+         * from the last time we disable napi
+         */
+        for (i = 0; i < adapter->num_queues; i++)
+                napi_schedule(&adapter->ena_napi[i].napi);
        return rc;
 err_up:
@@ -1884,6 +1887,17 @@ static int ena_close(struct net_device *netdev)
        if (test_bit(ENA_FLAG_DEV_UP, &adapter->flags))
                ena_down(adapter);
+        /* Check for device status and issue reset if needed*/
+        check_for_admin_com_state(adapter);
+        if (unlikely(test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) {
+                netif_err(adapter, ifdown, adapter->netdev,
+                          "Destroy failure, restarting device\n");
+                ena_dump_stats_to_dmesg(adapter);
+                /* rtnl lock already obtained in dev_ioctl() layer */
+                ena_destroy_device(adapter);
+                ena_restore_device(adapter);
+        }
        return 0;
 }
@@ -2544,11 +2558,12 @@ static void ena_destroy_device(struct ena_adapter *adapter)
        ena_com_set_admin_running_state(ena_dev, false);
-        ena_close(netdev);
+        if (test_bit(ENA_FLAG_DEV_UP, &adapter->flags))
+                ena_down(adapter);
        /* Before releasing the ENA resources, a device reset is required.
         * (to prevent the device from accessing them).
-         * In case the reset flag is set and the device is up, ena_close
+         * In case the reset flag is set and the device is up, ena_down()
         * already perform the reset, so it can be skipped.
         */
        if (!(test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags) && dev_up))
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
index 5ee18660bc33..c9617675f934 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
@@ -70,7 +70,7 @@ static int bnxt_vf_ndo_prep(struct bnxt *bp, int vf_id)
                netdev_err(bp->dev, "vf ndo called though sriov is disabled\n");
                return -EINVAL;
        }
-        if (vf_id >= bp->pf.max_vfs) {
+        if (vf_id >= bp->pf.active_vfs) {
                netdev_err(bp->dev, "Invalid VF id %d\n", vf_id);
                return -EINVAL;
        }
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
index 3d201d7324bd..d8fee26cd45e 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
@@ -421,7 +421,7 @@ static int bnxt_hwrm_cfa_flow_alloc(struct bnxt *bp, struct bnxt_tc_flow *flow,
        }
        /* If all IP and L4 fields are wildcarded then this is an L2 flow */
-        if (is_wildcard(&l3_mask, sizeof(l3_mask)) &&
+        if (is_wildcard(l3_mask, sizeof(*l3_mask)) &&
            is_wildcard(&flow->l4_mask, sizeof(flow->l4_mask))) {
                flow_flags |= CFA_FLOW_ALLOC_REQ_FLAGS_FLOWTYPE_L2;
        } else {
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
index 6f9fa6e3c42a..d8424ed16c33 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
@@ -344,7 +344,6 @@ struct adapter_params {
        unsigned int sf_size;             /* serial flash size in bytes */
        unsigned int sf_nsec;             /* # of flash sectors */
-        unsigned int sf_fw_start;         /* start of FW image in flash */
        unsigned int fw_vers;             /* firmware version */
        unsigned int bs_vers;             /* bootstrap version */
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
index d4a548a6a55c..a452d5a1b0f3 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
@@ -111,6 +111,9 @@ static void cxgb4_process_flow_match(struct net_device *dev,
                        ethtype_mask = 0;
                }
+                if (ethtype_key == ETH_P_IPV6)
+                        fs->type = 1;
                fs->val.ethtype = ethtype_key;
                fs->mask.ethtype = ethtype_mask;
                fs->val.proto = key->ip_proto;
@@ -205,8 +208,8 @@ static void cxgb4_process_flow_match(struct net_device *dev,
                                           VLAN_PRIO_SHIFT);
                vlan_tci_mask = mask->vlan_id | (mask->vlan_priority <<
                                                 VLAN_PRIO_SHIFT);
-                fs->val.ivlan = cpu_to_be16(vlan_tci);
+                fs->val.ivlan = vlan_tci;
-                fs->mask.ivlan = cpu_to_be16(vlan_tci_mask);
+                fs->mask.ivlan = vlan_tci_mask;
                /* Chelsio adapters use ivlan_vld bit to match vlan packets
                 * as 802.1Q. Also, when vlan tag is present in packets,
diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
index f63210f15579..375ef86a84da 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
@@ -2844,8 +2844,6 @@ enum {
        SF_RD_DATA_FAST = 0xb,        /* read flash */
        SF_RD_ID        = 0x9f,       /* read ID */
        SF_ERASE_SECTOR = 0xd8,       /* erase sector */
-        FW_MAX_SIZE = 16 * SF_SEC_SIZE,
 };
 /**
@@ -3558,8 +3556,9 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size)
        const __be32 *p = (const __be32 *)fw_data;
        const struct fw_hdr *hdr = (const struct fw_hdr *)fw_data;
        unsigned int sf_sec_size = adap->params.sf_size / adap->params.sf_nsec;
-        unsigned int fw_img_start = adap->params.sf_fw_start;
+        unsigned int fw_start_sec = FLASH_FW_START_SEC;
-        unsigned int fw_start_sec = fw_img_start / sf_sec_size;
+        unsigned int fw_size = FLASH_FW_MAX_SIZE;
+        unsigned int fw_start = FLASH_FW_START;
        if (!size) {
                dev_err(adap->pdev_dev, "FW image has no data\n");
@@ -3575,9 +3574,9 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size)
                        "FW image size differs from size in FW header\n");
                return -EINVAL;
        }
-        if (size > FW_MAX_SIZE) {
+        if (size > fw_size) {
                dev_err(adap->pdev_dev, "FW image too large, max is %u bytes\n",
-                        FW_MAX_SIZE);
+                        fw_size);
                return -EFBIG;
        }
        if (!t4_fw_matches_chip(adap, hdr))
@@ -3604,11 +3603,11 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size)
         */
        memcpy(first_page, fw_data, SF_PAGE_SIZE);
        ((struct fw_hdr *)first_page)->fw_ver = cpu_to_be32(0xffffffff);
-        ret = t4_write_flash(adap, fw_img_start, SF_PAGE_SIZE, first_page);
+        ret = t4_write_flash(adap, fw_start, SF_PAGE_SIZE, first_page);
        if (ret)
                goto out;
-        addr = fw_img_start;
+        addr = fw_start;
        for (size -= SF_PAGE_SIZE; size; size -= SF_PAGE_SIZE) {
                addr += SF_PAGE_SIZE;
                fw_data += SF_PAGE_SIZE;
@@ -3618,7 +3617,7 @@ int t4_load_fw(struct adapter *adap, const u8 *fw_data, unsigned int size)
        }
        ret = t4_write_flash(adap,
-                             fw_img_start + offsetof(struct fw_hdr, fw_ver),
+                             fw_start + offsetof(struct fw_hdr, fw_ver),
                             sizeof(hdr->fw_ver), (const u8 *)&hdr->fw_ver);
 out:
        if (ret)
diff --git a/drivers/net/ethernet/cirrus/cs89x0.c b/drivers/net/ethernet/cirrus/cs89x0.c
index 410a0a95130b..b3e7fafee3df 100644
--- a/drivers/net/ethernet/cirrus/cs89x0.c
+++ b/drivers/net/ethernet/cirrus/cs89x0.c
@@ -1913,3 +1913,7 @@ static struct platform_driver cs89x0_driver = {
 module_platform_driver_probe(cs89x0_driver, cs89x0_platform_probe);
 #endif /* CONFIG_CS89x0_PLATFORM */
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Crystal Semiconductor (Now Cirrus Logic) CS89[02]0 network driver");
+MODULE_AUTHOR("Russell Nelson <nelson@crynwr.com>");
diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
index c6e859a27ee6..e180657a02ef 100644
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -4634,6 +4634,15 @@ int be_update_queues(struct be_adapter *adapter)
        be_schedule_worker(adapter);
+        /*
+         * The IF was destroyed and re-created. We need to clear
+         * all promiscuous flags valid for the destroyed IF.
+         * Without this promisc mode is not restored during
+         * be_open() because the driver thinks that it is
+         * already enabled in HW.
+         */
+        adapter->if_flags &= ~BE_IF_FLAGS_ALL_PROMISCUOUS;
        if (netif_running(netdev))
                status = be_open(netdev);
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 8184d2fca9be..a74300a4459c 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -3469,6 +3469,10 @@ fec_probe(struct platform_device *pdev)
                        goto failed_regulator;
                }
        } else {
+                if (PTR_ERR(fep->reg_phy) == -EPROBE_DEFER) {
+                        ret = -EPROBE_DEFER;
+                        goto failed_regulator;
+                }
                fep->reg_phy = NULL;
        }
@@ -3552,8 +3556,9 @@ failed_clk_ipg:
 failed_clk:
        if (of_phy_is_fixed_link(np))
                of_phy_deregister_fixed_link(np);
-failed_phy:
        of_node_put(phy_node);
+failed_phy:
+        dev_id--;
 failed_ioremap:
        free_netdev(ndev);
diff --git a/drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c b/drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
index 7892f2f0c6b5..2c2976a2dda6 100644
--- a/drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
+++ b/drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
@@ -613,9 +613,11 @@ static int fs_enet_start_xmit(struct sk_buff *skb, struct net_device *dev)
        return NETDEV_TX_OK;
 }
-static void fs_timeout(struct net_device *dev)
+static void fs_timeout_work(struct work_struct *work)
 {
-        struct fs_enet_private *fep = netdev_priv(dev);
+        struct fs_enet_private *fep = container_of(work, struct fs_enet_private,
+                                                   timeout_work);
+        struct net_device *dev = fep->ndev;
        unsigned long flags;
        int wake = 0;
@@ -627,7 +629,6 @@ static void fs_timeout(struct net_device *dev)
                phy_stop(dev->phydev);
                (*fep->ops->stop)(dev);
                (*fep->ops->restart)(dev);
-                phy_start(dev->phydev);
        }
        phy_start(dev->phydev);
@@ -639,6 +640,13 @@ static void fs_timeout(struct net_device *dev)
                netif_wake_queue(dev);
 }
+static void fs_timeout(struct net_device *dev)
+{
+        struct fs_enet_private *fep = netdev_priv(dev);
+        schedule_work(&fep->timeout_work);
+}
 /*-----------------------------------------------------------------------------
 *  generic link-change handler - should be sufficient for most cases
 *-----------------------------------------------------------------------------*/
@@ -759,6 +767,7 @@ static int fs_enet_close(struct net_device *dev)
        netif_stop_queue(dev);
        netif_carrier_off(dev);
        napi_disable(&fep->napi);
+        cancel_work_sync(&fep->timeout_work);
        phy_stop(dev->phydev);
        spin_lock_irqsave(&fep->lock, flags);
@@ -1019,6 +1028,7 @@ static int fs_enet_probe(struct platform_device *ofdev)
        ndev->netdev_ops = &fs_enet_netdev_ops;
        ndev->watchdog_timeo = 2 * HZ;
+        INIT_WORK(&fep->timeout_work, fs_timeout_work);
        netif_napi_add(ndev, &fep->napi, fs_enet_napi, fpi->napi_weight);
        ndev->ethtool_ops = &fs_ethtool_ops;
diff --git a/drivers/net/ethernet/freescale/fs_enet/fs_enet.h b/drivers/net/ethernet/freescale/fs_enet/fs_enet.h
index 92e06b37a199..195fae6aec4a 100644
--- a/drivers/net/ethernet/freescale/fs_enet/fs_enet.h
+++ b/drivers/net/ethernet/freescale/fs_enet/fs_enet.h
@@ -125,6 +125,7 @@ struct fs_enet_private {
        spinlock_t lock;        /* during all ops except TX pckt processing */
        spinlock_t tx_lock;     /* during fs_start_xmit and fs_tx         */
        struct fs_platform_info *fpi;
+        struct work_struct timeout_work;
        const struct fs_ops *ops;
        int rx_ring, tx_ring;
        dma_addr_t ring_mem_addr;
diff --git a/drivers/net/ethernet/freescale/gianfar_ptp.c b/drivers/net/ethernet/freescale/gianfar_ptp.c
index 544114281ea7..9f8d4f8e57e3 100644
--- a/drivers/net/ethernet/freescale/gianfar_ptp.c
+++ b/drivers/net/ethernet/freescale/gianfar_ptp.c
@@ -319,11 +319,10 @@ static int ptp_gianfar_adjtime(struct ptp_clock_info *ptp, s64 delta)
        now = tmr_cnt_read(etsects);
        now += delta;
        tmr_cnt_write(etsects, now);
+        set_fipers(etsects);
        spin_unlock_irqrestore(&etsects->lock, flags);
-        set_fipers(etsects);
        return 0;
 }
diff --git a/drivers/net/ethernet/ibm/emac/core.c b/drivers/net/ethernet/ibm/emac/core.c
index 7feff2450ed6..241db3199b88 100644
--- a/drivers/net/ethernet/ibm/emac/core.c
+++ b/drivers/net/ethernet/ibm/emac/core.c
@@ -494,6 +494,9 @@ static u32 __emac_calc_base_mr1(struct emac_instance *dev, int tx_size, int rx_s
        case 16384:
                ret |= EMAC_MR1_RFS_16K;
                break;
+        case 8192:
+                ret |= EMAC4_MR1_RFS_8K;
+                break;
        case 4096:
                ret |= EMAC_MR1_RFS_4K;
                break;
@@ -516,6 +519,9 @@ static u32 __emac4_calc_base_mr1(struct emac_instance *dev, int tx_size, int rx_
        case 16384:
                ret |= EMAC4_MR1_TFS_16K;
                break;
+        case 8192:
+                ret |= EMAC4_MR1_TFS_8K;
+                break;
        case 4096:
                ret |= EMAC4_MR1_TFS_4K;
                break;
diff --git a/drivers/net/ethernet/ibm/emac/emac.h b/drivers/net/ethernet/ibm/emac/emac.h
index 5afcc27ceebb..c26d2631ca30 100644
--- a/drivers/net/ethernet/ibm/emac/emac.h
+++ b/drivers/net/ethernet/ibm/emac/emac.h
@@ -151,9 +151,11 @@ struct emac_regs {
 #define EMAC4_MR1_RFS_2K                0x00100000
 #define EMAC4_MR1_RFS_4K                0x00180000
+#define EMAC4_MR1_RFS_8K                0x00200000
 #define EMAC4_MR1_RFS_16K               0x00280000
 #define EMAC4_MR1_TFS_2K                0x00020000
 #define EMAC4_MR1_TFS_4K                0x00030000
+#define EMAC4_MR1_TFS_8K                0x00040000
 #define EMAC4_MR1_TFS_16K               0x00050000
 #define EMAC4_MR1_TR                    0x00008000
 #define EMAC4_MR1_MWSW_001              0x00001000
@@ -242,7 +244,7 @@ struct emac_regs {
 #define EMAC_STACR_PHYE                 0x00004000
 #define EMAC_STACR_STAC_MASK            0x00003000
 #define EMAC_STACR_STAC_READ            0x00001000
-#define EMAC_STACR_STAC_WRITE           0x00002000
+#define EMAC_STACR_STAC_WRITE           0x00000800
 #define EMAC_STACR_OPBC_MASK            0x00000C00
 #define EMAC_STACR_OPBC_50              0x00000000
 #define EMAC_STACR_OPBC_66              0x00000400
diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
index 1dc4aef37d3a..b65f5f3ac034 100644
--- a/drivers/net/ethernet/ibm/ibmvnic.c
+++ b/drivers/net/ethernet/ibm/ibmvnic.c
@@ -410,6 +410,10 @@ static int reset_rx_pools(struct ibmvnic_adapter *adapter)
        struct ibmvnic_rx_pool *rx_pool;
        int rx_scrqs;
        int i, j, rc;
+        u64 *size_array;
+        size_array = (u64 *)((u8 *)(adapter->login_rsp_buf) +
+                be32_to_cpu(adapter->login_rsp_buf->off_rxadd_buff_size));
        rx_scrqs = be32_to_cpu(adapter->login_rsp_buf->num_rxadd_subcrqs);
        for (i = 0; i < rx_scrqs; i++) {
@@ -417,7 +421,17 @@ static int reset_rx_pools(struct ibmvnic_adapter *adapter)
                netdev_dbg(adapter->netdev, "Re-setting rx_pool[%d]\n", i);
-                rc = reset_long_term_buff(adapter, &rx_pool->long_term_buff);
+                if (rx_pool->buff_size != be64_to_cpu(size_array[i])) {
+                        free_long_term_buff(adapter, &rx_pool->long_term_buff);
+                        rx_pool->buff_size = be64_to_cpu(size_array[i]);
+                        alloc_long_term_buff(adapter, &rx_pool->long_term_buff,
+                                             rx_pool->size *
+                                             rx_pool->buff_size);
+                } else {
+                        rc = reset_long_term_buff(adapter,
+                                                  &rx_pool->long_term_buff);
+                }
                if (rc)
                        return rc;
@@ -439,14 +453,12 @@ static int reset_rx_pools(struct ibmvnic_adapter *adapter)
 static void release_rx_pools(struct ibmvnic_adapter *adapter)
 {
        struct ibmvnic_rx_pool *rx_pool;
-        int rx_scrqs;
        int i, j;
        if (!adapter->rx_pool)
                return;
-        rx_scrqs = be32_to_cpu(adapter->login_rsp_buf->num_rxadd_subcrqs);
+        for (i = 0; i < adapter->num_active_rx_pools; i++) {
-        for (i = 0; i < rx_scrqs; i++) {
                rx_pool = &adapter->rx_pool[i];
                netdev_dbg(adapter->netdev, "Releasing rx_pool[%d]\n", i);
@@ -469,6 +481,7 @@ static void release_rx_pools(struct ibmvnic_adapter *adapter)
        kfree(adapter->rx_pool);
        adapter->rx_pool = NULL;
+        adapter->num_active_rx_pools = 0;
 }
 static int init_rx_pools(struct net_device *netdev)
@@ -493,6 +506,8 @@ static int init_rx_pools(struct net_device *netdev)
                return -1;
        }
+        adapter->num_active_rx_pools = 0;
        for (i = 0; i < rxadd_subcrqs; i++) {
                rx_pool = &adapter->rx_pool[i];
@@ -536,6 +551,8 @@ static int init_rx_pools(struct net_device *netdev)
                rx_pool->next_free = 0;
        }
+        adapter->num_active_rx_pools = rxadd_subcrqs;
        return 0;
 }
@@ -586,13 +603,12 @@ static void release_vpd_data(struct ibmvnic_adapter *adapter)
 static void release_tx_pools(struct ibmvnic_adapter *adapter)
 {
        struct ibmvnic_tx_pool *tx_pool;
-        int i, tx_scrqs;
+        int i;
        if (!adapter->tx_pool)
                return;
-        tx_scrqs = be32_to_cpu(adapter->login_rsp_buf->num_txsubm_subcrqs);
+        for (i = 0; i < adapter->num_active_tx_pools; i++) {
-        for (i = 0; i < tx_scrqs; i++) {
                netdev_dbg(adapter->netdev, "Releasing tx_pool[%d]\n", i);
                tx_pool = &adapter->tx_pool[i];
                kfree(tx_pool->tx_buff);
@@ -603,6 +619,7 @@ static void release_tx_pools(struct ibmvnic_adapter *adapter)
        kfree(adapter->tx_pool);
        adapter->tx_pool = NULL;
+        adapter->num_active_tx_pools = 0;
 }
 static int init_tx_pools(struct net_device *netdev)
@@ -619,6 +636,8 @@ static int init_tx_pools(struct net_device *netdev)
        if (!adapter->tx_pool)
                return -1;
+        adapter->num_active_tx_pools = 0;
        for (i = 0; i < tx_subcrqs; i++) {
                tx_pool = &adapter->tx_pool[i];
@@ -666,6 +685,8 @@ static int init_tx_pools(struct net_device *netdev)
                tx_pool->producer_index = 0;
        }
+        adapter->num_active_tx_pools = tx_subcrqs;
        return 0;
 }
@@ -756,6 +777,12 @@ static int ibmvnic_login(struct net_device *netdev)
                }
        } while (adapter->renegotiate);
+        /* handle pending MAC address changes after successful login */
+        if (adapter->mac_change_pending) {
+                __ibmvnic_set_mac(netdev, &adapter->desired.mac);
+                adapter->mac_change_pending = false;
+        }
        return 0;
 }
@@ -854,7 +881,7 @@ static int ibmvnic_get_vpd(struct ibmvnic_adapter *adapter)
        if (adapter->vpd->buff)
                len = adapter->vpd->len;
-        reinit_completion(&adapter->fw_done);
+        init_completion(&adapter->fw_done);
        crq.get_vpd_size.first = IBMVNIC_CRQ_CMD;
        crq.get_vpd_size.cmd = GET_VPD_SIZE;
        ibmvnic_send_crq(adapter, &crq);
@@ -916,6 +943,13 @@ static int init_resources(struct ibmvnic_adapter *adapter)
        if (!adapter->vpd)
                return -ENOMEM;
+        /* Vital Product Data (VPD) */
+        rc = ibmvnic_get_vpd(adapter);
+        if (rc) {
+                netdev_err(netdev, "failed to initialize Vital Product Data (VPD)\n");
+                return rc;
+        }
        adapter->map_id = 1;
        adapter->napi = kcalloc(adapter->req_rx_queues,
                                sizeof(struct napi_struct), GFP_KERNEL);
@@ -989,15 +1023,10 @@ static int __ibmvnic_open(struct net_device *netdev)
 static int ibmvnic_open(struct net_device *netdev)
 {
        struct ibmvnic_adapter *adapter = netdev_priv(netdev);
-        int rc, vpd;
+        int rc;
        mutex_lock(&adapter->reset_lock);
-        if (adapter->mac_change_pending) {
-                __ibmvnic_set_mac(netdev, &adapter->desired.mac);
-                adapter->mac_change_pending = false;
-        }
        if (adapter->state != VNIC_CLOSED) {
                rc = ibmvnic_login(netdev);
                if (rc) {
@@ -1017,11 +1046,6 @@ static int ibmvnic_open(struct net_device *netdev)
        rc = __ibmvnic_open(netdev);
        netif_carrier_on(netdev);
-        /* Vital Product Data (VPD) */
-        vpd = ibmvnic_get_vpd(adapter);
-        if (vpd)
-                netdev_err(netdev, "failed to initialize Vital Product Data (VPD)\n");
        mutex_unlock(&adapter->reset_lock);
        return rc;
@@ -1275,6 +1299,7 @@ static int ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
        unsigned char *dst;
        u64 *handle_array;
        int index = 0;
+        u8 proto = 0;
        int ret = 0;
        if (adapter->resetting) {
@@ -1363,17 +1388,18 @@ static int ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
        }
        if (skb->protocol == htons(ETH_P_IP)) {
-                if (ip_hdr(skb)->version == 4)
+                tx_crq.v1.flags1 |= IBMVNIC_TX_PROT_IPV4;
-                        tx_crq.v1.flags1 |= IBMVNIC_TX_PROT_IPV4;
+                proto = ip_hdr(skb)->protocol;
-                else if (ip_hdr(skb)->version == 6)
+        } else if (skb->protocol == htons(ETH_P_IPV6)) {
-                        tx_crq.v1.flags1 |= IBMVNIC_TX_PROT_IPV6;
+                tx_crq.v1.flags1 |= IBMVNIC_TX_PROT_IPV6;
+                proto = ipv6_hdr(skb)->nexthdr;
-                if (ip_hdr(skb)->protocol == IPPROTO_TCP)
-                        tx_crq.v1.flags1 |= IBMVNIC_TX_PROT_TCP;
-                else if (ip_hdr(skb)->protocol != IPPROTO_TCP)
-                        tx_crq.v1.flags1 |= IBMVNIC_TX_PROT_UDP;
        }
+        if (proto == IPPROTO_TCP)
+                tx_crq.v1.flags1 |= IBMVNIC_TX_PROT_TCP;
+        else if (proto == IPPROTO_UDP)
+                tx_crq.v1.flags1 |= IBMVNIC_TX_PROT_UDP;
        if (skb->ip_summed == CHECKSUM_PARTIAL) {
                tx_crq.v1.flags1 |= IBMVNIC_TX_CHKSUM_OFFLOAD;
                hdrs += 2;
@@ -1527,7 +1553,7 @@ static int ibmvnic_set_mac(struct net_device *netdev, void *p)
        struct ibmvnic_adapter *adapter = netdev_priv(netdev);
        struct sockaddr *addr = p;
-        if (adapter->state != VNIC_OPEN) {
+        if (adapter->state == VNIC_PROBED) {
                memcpy(&adapter->desired.mac, addr, sizeof(struct sockaddr));
                adapter->mac_change_pending = true;
                return 0;
@@ -1545,6 +1571,7 @@ static int ibmvnic_set_mac(struct net_device *netdev, void *p)
 static int do_reset(struct ibmvnic_adapter *adapter,
                    struct ibmvnic_rwi *rwi, u32 reset_state)
 {
+        u64 old_num_rx_queues, old_num_tx_queues;
        struct net_device *netdev = adapter->netdev;
        int i, rc;
@@ -1554,6 +1581,9 @@ static int do_reset(struct ibmvnic_adapter *adapter,
        netif_carrier_off(netdev);
        adapter->reset_reason = rwi->reset_reason;
+        old_num_rx_queues = adapter->req_rx_queues;
+        old_num_tx_queues = adapter->req_tx_queues;
        if (rwi->reset_reason == VNIC_RESET_MOBILITY) {
                rc = ibmvnic_reenable_crq_queue(adapter);
                if (rc)
@@ -1598,6 +1628,12 @@ static int do_reset(struct ibmvnic_adapter *adapter,
                        rc = init_resources(adapter);
                        if (rc)
                                return rc;
+                } else if (adapter->req_rx_queues != old_num_rx_queues ||
+                           adapter->req_tx_queues != old_num_tx_queues) {
+                        release_rx_pools(adapter);
+                        release_tx_pools(adapter);
+                        init_rx_pools(netdev);
+                        init_tx_pools(netdev);
                } else {
                        rc = reset_tx_pools(adapter);
                        if (rc)
@@ -3345,7 +3381,11 @@ static void handle_query_ip_offload_rsp(struct ibmvnic_adapter *adapter)
                return;
        }
+        adapter->ip_offload_ctrl.len =
+            cpu_to_be32(sizeof(adapter->ip_offload_ctrl));
        adapter->ip_offload_ctrl.version = cpu_to_be32(INITIAL_VERSION_IOB);
+        adapter->ip_offload_ctrl.ipv4_chksum = buf->ipv4_chksum;
+        adapter->ip_offload_ctrl.ipv6_chksum = buf->ipv6_chksum;
        adapter->ip_offload_ctrl.tcp_ipv4_chksum = buf->tcp_ipv4_chksum;
        adapter->ip_offload_ctrl.udp_ipv4_chksum = buf->udp_ipv4_chksum;
        adapter->ip_offload_ctrl.tcp_ipv6_chksum = buf->tcp_ipv6_chksum;
@@ -3585,7 +3625,17 @@ static void handle_request_cap_rsp(union ibmvnic_crq *crq,
                         *req_value,
                         (long int)be64_to_cpu(crq->request_capability_rsp.
                                               number), name);
-                *req_value = be64_to_cpu(crq->request_capability_rsp.number);
+                if (be16_to_cpu(crq->request_capability_rsp.capability) ==
+                    REQ_MTU) {
+                        pr_err("mtu of %llu is not supported. Reverting.\n",
+                               *req_value);
+                        *req_value = adapter->fallback.mtu;
+                } else {
+                        *req_value =
+                                be64_to_cpu(crq->request_capability_rsp.number);
+                }
                ibmvnic_send_req_caps(adapter, 1);
                return;
        default:
diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h
index 4487f1e2c266..3aec42118db2 100644
--- a/drivers/net/ethernet/ibm/ibmvnic.h
+++ b/drivers/net/ethernet/ibm/ibmvnic.h
@@ -1091,6 +1091,8 @@ struct ibmvnic_adapter {
        u64 opt_rxba_entries_per_subcrq;
        __be64 tx_rx_desc_req;
        u8 map_id;
+        u64 num_active_rx_pools;
+        u64 num_active_tx_pools;
        struct tasklet_struct tasklet;
        enum vnic_state state;
diff --git a/drivers/net/ethernet/intel/e1000/e1000.h b/drivers/net/ethernet/intel/e1000/e1000.h
index d7bdea79e9fa..8fd2458060a0 100644
--- a/drivers/net/ethernet/intel/e1000/e1000.h
+++ b/drivers/net/ethernet/intel/e1000/e1000.h
@@ -331,7 +331,8 @@ struct e1000_adapter {
 enum e1000_state_t {
        __E1000_TESTING,
        __E1000_RESETTING,
-        __E1000_DOWN
+        __E1000_DOWN,
+        __E1000_DISABLED
 };
 #undef pr_fmt
diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index 1982f7917a8d..3dd4aeb2706d 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -945,7 +945,7 @@ static int e1000_init_hw_struct(struct e1000_adapter *adapter,
 static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 {
        struct net_device *netdev;
-        struct e1000_adapter *adapter;
+        struct e1000_adapter *adapter = NULL;
        struct e1000_hw *hw;
        static int cards_found;
@@ -955,6 +955,7 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
        u16 tmp = 0;
        u16 eeprom_apme_mask = E1000_EEPROM_APME;
        int bars, need_ioport;
+        bool disable_dev = false;
        /* do not allocate ioport bars when not needed */
        need_ioport = e1000_is_need_ioport(pdev);
@@ -1259,11 +1260,13 @@ err_mdio_ioremap:
        iounmap(hw->ce4100_gbe_mdio_base_virt);
        iounmap(hw->hw_addr);
 err_ioremap:
+        disable_dev = !test_and_set_bit(__E1000_DISABLED, &adapter->flags);
        free_netdev(netdev);
 err_alloc_etherdev:
        pci_release_selected_regions(pdev, bars);
 err_pci_reg:
-        pci_disable_device(pdev);
+        if (!adapter || disable_dev)
+                pci_disable_device(pdev);
        return err;
 }
@@ -1281,6 +1284,7 @@ static void e1000_remove(struct pci_dev *pdev)
        struct net_device *netdev = pci_get_drvdata(pdev);
        struct e1000_adapter *adapter = netdev_priv(netdev);
        struct e1000_hw *hw = &adapter->hw;
+        bool disable_dev;
        e1000_down_and_stop(adapter);
        e1000_release_manageability(adapter);
@@ -1299,9 +1303,11 @@ static void e1000_remove(struct pci_dev *pdev)
                iounmap(hw->flash_address);
        pci_release_selected_regions(pdev, adapter->bars);
+        disable_dev = !test_and_set_bit(__E1000_DISABLED, &adapter->flags);
        free_netdev(netdev);
-        pci_disable_device(pdev);
+        if (disable_dev)
+                pci_disable_device(pdev);
 }
 /**
@@ -5156,7 +5162,8 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool *enable_wake)
        if (netif_running(netdev))
                e1000_free_irq(adapter);
-        pci_disable_device(pdev);
+        if (!test_and_set_bit(__E1000_DISABLED, &adapter->flags))
+                pci_disable_device(pdev);
        return 0;
 }
@@ -5200,6 +5207,10 @@ static int e1000_resume(struct pci_dev *pdev)
                pr_err("Cannot enable PCI device from suspend\n");
                return err;
        }
+        /* flush memory to make sure state is correct */
+        smp_mb__before_atomic();
+        clear_bit(__E1000_DISABLED, &adapter->flags);
        pci_set_master(pdev);
        pci_enable_wake(pdev, PCI_D3hot, 0);
@@ -5274,7 +5285,9 @@ static pci_ers_result_t e1000_io_error_detected(struct pci_dev *pdev,
        if (netif_running(netdev))
                e1000_down(adapter);
-        pci_disable_device(pdev);
+        if (!test_and_set_bit(__E1000_DISABLED, &adapter->flags))
+                pci_disable_device(pdev);
        /* Request a slot slot reset. */
        return PCI_ERS_RESULT_NEED_RESET;
@@ -5302,6 +5315,10 @@ static pci_ers_result_t e1000_io_slot_reset(struct pci_dev *pdev)
                pr_err("Cannot re-enable PCI device after reset.\n");
                return PCI_ERS_RESULT_DISCONNECT;
        }
+        /* flush memory to make sure state is correct */
+        smp_mb__before_atomic();
+        clear_bit(__E1000_DISABLED, &adapter->flags);
        pci_set_master(pdev);
        pci_enable_wake(pdev, PCI_D3hot, 0);
diff --git a/drivers/net/ethernet/intel/e1000e/ich8lan.c b/drivers/net/ethernet/intel/e1000e/ich8lan.c
index d6d4ed7acf03..31277d3bb7dc 100644
--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
@@ -1367,6 +1367,9 @@ out:
 *  Checks to see of the link status of the hardware has changed.  If a
 *  change in link status has been detected, then we read the PHY registers
 *  to get the current speed/duplex if link exists.
+ *
+ *  Returns a negative error code (-E1000_ERR_*) or 0 (link down) or 1 (link
+ *  up).
 **/
 static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
 {
@@ -1382,7 +1385,7 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
         * Change or Rx Sequence Error interrupt.
         */
        if (!mac->get_link_status)
-                return 0;
+                return 1;
        /* First we want to see if the MII Status Register reports
         * link.  If so, then we want to get the current speed/duplex
@@ -1613,10 +1616,12 @@ static s32 e1000_check_for_copper_link_ich8lan(struct e1000_hw *hw)
         * different link partner.
         */
        ret_val = e1000e_config_fc_after_link_up(hw);
-        if (ret_val)
+        if (ret_val) {
                e_dbg("Error configuring flow control\n");
+                return ret_val;
+        }
-        return ret_val;
+        return 1;
 }
 static s32 e1000_get_variants_ich8lan(struct e1000_adapter *adapter)
diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
index 7f605221a686..a434fecfdfeb 100644
--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
@@ -2463,7 +2463,6 @@ static int fm10k_handle_resume(struct fm10k_intfc *interface)
        return err;
 }
-#ifdef CONFIG_PM
 /**
 * fm10k_resume - Generic PM resume hook
 * @dev: generic device structure
@@ -2472,7 +2471,7 @@ static int fm10k_handle_resume(struct fm10k_intfc *interface)
 * suspend or hibernation. This function does not need to handle lower PCIe
 * device state as the stack takes care of that for us.
 **/
-static int fm10k_resume(struct device *dev)
+static int __maybe_unused fm10k_resume(struct device *dev)
 {
        struct fm10k_intfc *interface = pci_get_drvdata(to_pci_dev(dev));
        struct net_device *netdev = interface->netdev;
@@ -2499,7 +2498,7 @@ static int fm10k_resume(struct device *dev)
 * system suspend or hibernation. This function does not need to handle lower
 * PCIe device state as the stack takes care of that for us.
 **/
-static int fm10k_suspend(struct device *dev)
+static int __maybe_unused fm10k_suspend(struct device *dev)
 {
        struct fm10k_intfc *interface = pci_get_drvdata(to_pci_dev(dev));
        struct net_device *netdev = interface->netdev;
@@ -2511,8 +2510,6 @@ static int fm10k_suspend(struct device *dev)
        return 0;
 }
-#endif /* CONFIG_PM */
 /**
 * fm10k_io_error_detected - called when PCI error is detected
 * @pdev: Pointer to PCI device
@@ -2643,11 +2640,9 @@ static struct pci_driver fm10k_driver = {
        .id_table               = fm10k_pci_tbl,
        .probe                  = fm10k_probe,
        .remove                 = fm10k_remove,
-#ifdef CONFIG_PM
        .driver = {
                .pm             = &fm10k_pm_ops,
        },
-#endif /* CONFIG_PM */
        .sriov_configure        = fm10k_iov_configure,
        .err_handler            = &fm10k_err_handler
 };
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 321d8be80871..af792112a2d3 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -1573,11 +1573,18 @@ static int i40e_set_mac(struct net_device *netdev, void *p)
        else
                netdev_info(netdev, "set new mac address %pM\n", addr->sa_data);
+        /* Copy the address first, so that we avoid a possible race with
+         * .set_rx_mode(). If we copy after changing the address in the filter
+         * list, we might open ourselves to a narrow race window where
+         * .set_rx_mode could delete our dev_addr filter and prevent traffic
+         * from passing.
+         */
+        ether_addr_copy(netdev->dev_addr, addr->sa_data);
        spin_lock_bh(&vsi->mac_filter_hash_lock);
        i40e_del_mac_filter(vsi, netdev->dev_addr);
        i40e_add_mac_filter(vsi, addr->sa_data);
        spin_unlock_bh(&vsi->mac_filter_hash_lock);
-        ether_addr_copy(netdev->dev_addr, addr->sa_data);
        if (vsi->type == I40E_VSI_MAIN) {
                i40e_status ret;
@@ -1923,6 +1930,14 @@ static int i40e_addr_unsync(struct net_device *netdev, const u8 *addr)
        struct i40e_netdev_priv *np = netdev_priv(netdev);
        struct i40e_vsi *vsi = np->vsi;
+        /* Under some circumstances, we might receive a request to delete
+         * our own device address from our uc list. Because we store the
+         * device address in the VSI's MAC/VLAN filter list, we need to ignore
+         * such requests and not delete our device address from this list.
+         */
+        if (ether_addr_equal(addr, netdev->dev_addr))
+                return 0;
        i40e_del_mac_filter(vsi, addr);
        return 0;
@@ -6038,8 +6053,8 @@ static int i40e_validate_and_set_switch_mode(struct i40e_vsi *vsi)
        /* Set Bit 7 to be valid */
        mode = I40E_AQ_SET_SWITCH_BIT7_VALID;
-        /* Set L4type to both TCP and UDP support */
+        /* Set L4type for TCP support */
-        mode |= I40E_AQ_SET_SWITCH_L4_TYPE_BOTH;
+        mode |= I40E_AQ_SET_SWITCH_L4_TYPE_TCP;
        /* Set cloud filter mode */
        mode |= I40E_AQ_SET_SWITCH_MODE_NON_TUNNEL;
@@ -6969,18 +6984,18 @@ static int i40e_add_del_cloud_filter_big_buf(struct i40e_vsi *vsi,
             is_valid_ether_addr(filter->src_mac)) ||
            (is_multicast_ether_addr(filter->dst_mac) &&
             is_multicast_ether_addr(filter->src_mac)))
-                return -EINVAL;
+                return -EOPNOTSUPP;
-        /* Make sure port is specified, otherwise bail out, for channel
+        /* Big buffer cloud filter needs 'L4 port' to be non-zero. Also, UDP
-         * specific cloud filter needs 'L4 port' to be non-zero
+         * ports are not supported via big buffer now.
         */
-        if (!filter->dst_port)
+        if (!filter->dst_port || filter->ip_proto == IPPROTO_UDP)
-                return -EINVAL;
+                return -EOPNOTSUPP;
        /* adding filter using src_port/src_ip is not supported at this stage */
        if (filter->src_port || filter->src_ipv4 ||
            !ipv6_addr_any(&filter->ip.v6.src_ip6))
-                return -EINVAL;
+                return -EOPNOTSUPP;
        /* copy element needed to add cloud filter from filter */
        i40e_set_cld_element(filter, &cld_filter.element);
@@ -6991,7 +7006,7 @@ static int i40e_add_del_cloud_filter_big_buf(struct i40e_vsi *vsi,
            is_multicast_ether_addr(filter->src_mac)) {
                /* MAC + IP : unsupported mode */
                if (filter->dst_ipv4)
-                        return -EINVAL;
+                        return -EOPNOTSUPP;
                /* since we validated that L4 port must be valid before
                 * we get here, start with respective "flags" value
@@ -7356,7 +7371,7 @@ static int i40e_configure_clsflower(struct i40e_vsi *vsi,
        if (tc < 0) {
                dev_err(&vsi->back->pdev->dev, "Invalid traffic class\n");
-                return -EINVAL;
+                return -EOPNOTSUPP;
        }
        if (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state) ||
@@ -7490,6 +7505,8 @@ static int i40e_setup_tc_cls_flower(struct i40e_netdev_priv *np,
 {
        struct i40e_vsi *vsi = np->vsi;
+        if (!tc_can_offload(vsi->netdev))
+                return -EOPNOTSUPP;
        if (cls_flower->common.chain_index)
                return -EOPNOTSUPP;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
index 4566d66ffc7c..5bc2748ac468 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
@@ -3047,10 +3047,30 @@ bool __i40e_chk_linearize(struct sk_buff *skb)
        /* Walk through fragments adding latest fragment, testing it, and
         * then removing stale fragments from the sum.
         */
-        stale = &skb_shinfo(skb)->frags[0];
+        for (stale = &skb_shinfo(skb)->frags[0];; stale++) {
-        for (;;) {
+                int stale_size = skb_frag_size(stale);
                sum += skb_frag_size(frag++);
+                /* The stale fragment may present us with a smaller
+                 * descriptor than the actual fragment size. To account
+                 * for that we need to remove all the data on the front and
+                 * figure out what the remainder would be in the last
+                 * descriptor associated with the fragment.
+                 */
+                if (stale_size > I40E_MAX_DATA_PER_TXD) {
+                        int align_pad = -(stale->page_offset) &
+                                        (I40E_MAX_READ_REQ_SIZE - 1);
+                        sum -= align_pad;
+                        stale_size -= align_pad;
+                        do {
+                                sum -= I40E_MAX_DATA_PER_TXD_ALIGNED;
+                                stale_size -= I40E_MAX_DATA_PER_TXD_ALIGNED;
+                        } while (stale_size > I40E_MAX_DATA_PER_TXD);
+                }
                /* if sum is negative we failed to make sufficient progress */
                if (sum < 0)
                        return true;
@@ -3058,7 +3078,7 @@ bool __i40e_chk_linearize(struct sk_buff *skb)
                if (!nr_frags--)
                        break;
-                sum -= skb_frag_size(stale++);
+                sum -= stale_size;
        }
        return false;
diff --git a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
index 50864f99446d..1ba29bb85b67 100644
--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
@@ -2012,10 +2012,30 @@ bool __i40evf_chk_linearize(struct sk_buff *skb)
        /* Walk through fragments adding latest fragment, testing it, and
         * then removing stale fragments from the sum.
         */
-        stale = &skb_shinfo(skb)->frags[0];
+        for (stale = &skb_shinfo(skb)->frags[0];; stale++) {
-        for (;;) {
+                int stale_size = skb_frag_size(stale);
                sum += skb_frag_size(frag++);
+                /* The stale fragment may present us with a smaller
+                 * descriptor than the actual fragment size. To account
+                 * for that we need to remove all the data on the front and
+                 * figure out what the remainder would be in the last
+                 * descriptor associated with the fragment.
+                 */
+                if (stale_size > I40E_MAX_DATA_PER_TXD) {
+                        int align_pad = -(stale->page_offset) &
+                                        (I40E_MAX_READ_REQ_SIZE - 1);
+                        sum -= align_pad;
+                        stale_size -= align_pad;
+                        do {
+                                sum -= I40E_MAX_DATA_PER_TXD_ALIGNED;
+                                stale_size -= I40E_MAX_DATA_PER_TXD_ALIGNED;
+                        } while (stale_size > I40E_MAX_DATA_PER_TXD);
+                }
                /* if sum is negative we failed to make sufficient progress */
                if (sum < 0)
                        return true;
@@ -2023,7 +2043,7 @@ bool __i40evf_chk_linearize(struct sk_buff *skb)
                if (!nr_frags--)
                        break;
-                sum -= skb_frag_size(stale++);
+                sum -= stale_size;
        }
        return false;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
index 543060c305a0..c2d89bfa1a70 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
@@ -895,7 +895,7 @@ int mlx5e_vlan_rx_kill_vid(struct net_device *dev, __always_unused __be16 proto,
                           u16 vid);
 void mlx5e_enable_cvlan_filter(struct mlx5e_priv *priv);
 void mlx5e_disable_cvlan_filter(struct mlx5e_priv *priv);
-void mlx5e_timestamp_set(struct mlx5e_priv *priv);
+void mlx5e_timestamp_init(struct mlx5e_priv *priv);
 struct mlx5e_redirect_rqt_param {
        bool is_rss;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
index 9bcf38f4123b..3d46ef48d5b8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
@@ -922,8 +922,9 @@ static void mlx5e_dcbnl_query_dcbx_mode(struct mlx5e_priv *priv,
 static void mlx5e_ets_init(struct mlx5e_priv *priv)
 {
-        int i;
        struct ieee_ets ets;
+        int err;
+        int i;
        if (!MLX5_CAP_GEN(priv->mdev, ets))
                return;
@@ -936,11 +937,16 @@ static void mlx5e_ets_init(struct mlx5e_priv *priv)
                ets.prio_tc[i] = i;
        }
-        /* tclass[prio=0]=1, tclass[prio=1]=0, tclass[prio=i]=i (for i>1) */
+        if (ets.ets_cap > 1) {
-        ets.prio_tc[0] = 1;
+                /* tclass[prio=0]=1, tclass[prio=1]=0, tclass[prio=i]=i (for i>1) */
-        ets.prio_tc[1] = 0;
+                ets.prio_tc[0] = 1;
+                ets.prio_tc[1] = 0;
+        }
-        mlx5e_dcbnl_ieee_setets_core(priv, &ets);
+        err = mlx5e_dcbnl_ieee_setets_core(priv, &ets);
+        if (err)
+                netdev_err(priv->netdev,
+                           "%s, Failed to init ETS: %d\n", __func__, err);
 }
 enum {
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
index 8f05efa5c829..ea5fff2c3143 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
@@ -207,8 +207,7 @@ void mlx5e_ethtool_get_ethtool_stats(struct mlx5e_priv *priv,
                return;
        mutex_lock(&priv->state_lock);
-        if (test_bit(MLX5E_STATE_OPENED, &priv->state))
+        mlx5e_update_stats(priv, true);
-                mlx5e_update_stats(priv, true);
        mutex_unlock(&priv->state_lock);
        for (i = 0; i < mlx5e_num_stats_grps; i++)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index d9d8227f195f..d8aefeed124d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -2669,7 +2669,7 @@ void mlx5e_switch_priv_channels(struct mlx5e_priv *priv,
                netif_carrier_on(netdev);
 }
-void mlx5e_timestamp_set(struct mlx5e_priv *priv)
+void mlx5e_timestamp_init(struct mlx5e_priv *priv)
 {
        priv->tstamp.tx_type   = HWTSTAMP_TX_OFF;
        priv->tstamp.rx_filter = HWTSTAMP_FILTER_NONE;
@@ -2690,7 +2690,6 @@ int mlx5e_open_locked(struct net_device *netdev)
        mlx5e_activate_priv_channels(priv);
        if (priv->profile->update_carrier)
                priv->profile->update_carrier(priv);
-        mlx5e_timestamp_set(priv);
        if (priv->profile->update_stats)
                queue_delayed_work(priv->wq, &priv->update_stats_work, 0);
@@ -3219,12 +3218,12 @@ static int mlx5e_set_mac(struct net_device *netdev, void *addr)
        return 0;
 }
-#define MLX5E_SET_FEATURE(netdev, feature, enable)      \
+#define MLX5E_SET_FEATURE(features, feature, enable)    \
        do {                                            \
                if (enable)                             \
-                        netdev->features |= feature;    \
+                        *features |= feature;           \
                else                                    \
-                        netdev->features &= ~feature;   \
+                        *features &= ~feature;          \
        } while (0)
 typedef int (*mlx5e_feature_handler)(struct net_device *netdev, bool enable);
@@ -3347,6 +3346,7 @@ static int set_feature_arfs(struct net_device *netdev, bool enable)
 #endif
 static int mlx5e_handle_feature(struct net_device *netdev,
+                                netdev_features_t *features,
                                netdev_features_t wanted_features,
                                netdev_features_t feature,
                                mlx5e_feature_handler feature_handler)
@@ -3365,34 +3365,40 @@ static int mlx5e_handle_feature(struct net_device *netdev,
                return err;
        }
-        MLX5E_SET_FEATURE(netdev, feature, enable);
+        MLX5E_SET_FEATURE(features, feature, enable);
        return 0;
 }
 static int mlx5e_set_features(struct net_device *netdev,
                              netdev_features_t features)
 {
+        netdev_features_t oper_features = netdev->features;
        int err;
-        err  = mlx5e_handle_feature(netdev, features, NETIF_F_LRO,
+        err  = mlx5e_handle_feature(netdev, &oper_features, features,
-                                    set_feature_lro);
+                                    NETIF_F_LRO, set_feature_lro);
-        err |= mlx5e_handle_feature(netdev, features,
+        err |= mlx5e_handle_feature(netdev, &oper_features, features,
                                    NETIF_F_HW_VLAN_CTAG_FILTER,
                                    set_feature_cvlan_filter);
-        err |= mlx5e_handle_feature(netdev, features, NETIF_F_HW_TC,
+        err |= mlx5e_handle_feature(netdev, &oper_features, features,
-                                    set_feature_tc_num_filters);
+                                    NETIF_F_HW_TC, set_feature_tc_num_filters);
-        err |= mlx5e_handle_feature(netdev, features, NETIF_F_RXALL,
+        err |= mlx5e_handle_feature(netdev, &oper_features, features,
-                                    set_feature_rx_all);
+                                    NETIF_F_RXALL, set_feature_rx_all);
-        err |= mlx5e_handle_feature(netdev, features, NETIF_F_RXFCS,
+        err |= mlx5e_handle_feature(netdev, &oper_features, features,
-                                    set_feature_rx_fcs);
+                                    NETIF_F_RXFCS, set_feature_rx_fcs);
-        err |= mlx5e_handle_feature(netdev, features, NETIF_F_HW_VLAN_CTAG_RX,
+        err |= mlx5e_handle_feature(netdev, &oper_features, features,
-                                    set_feature_rx_vlan);
+                                    NETIF_F_HW_VLAN_CTAG_RX, set_feature_rx_vlan);
 #ifdef CONFIG_RFS_ACCEL
-        err |= mlx5e_handle_feature(netdev, features, NETIF_F_NTUPLE,
+        err |= mlx5e_handle_feature(netdev, &oper_features, features,
-                                    set_feature_arfs);
+                                    NETIF_F_NTUPLE, set_feature_arfs);
 #endif
-        return err ? -EINVAL : 0;
+        if (err) {
+                netdev->features = oper_features;
+                return -EINVAL;
+        }
+        return 0;
 }
 static netdev_features_t mlx5e_fix_features(struct net_device *netdev,
@@ -4139,6 +4145,8 @@ static void mlx5e_build_nic_netdev_priv(struct mlx5_core_dev *mdev,
        INIT_WORK(&priv->set_rx_mode_work, mlx5e_set_rx_mode_work);
        INIT_WORK(&priv->tx_timeout_work, mlx5e_tx_timeout_work);
        INIT_DELAYED_WORK(&priv->update_stats_work, mlx5e_update_stats_work);
+        mlx5e_timestamp_init(priv);
 }
 static void mlx5e_set_netdev_dev_addr(struct net_device *netdev)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
index 2c43606c26b5..3409d86eb06b 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
@@ -877,6 +877,8 @@ static void mlx5e_init_rep(struct mlx5_core_dev *mdev,
        mlx5e_build_rep_params(mdev, &priv->channels.params);
        mlx5e_build_rep_netdev(netdev);
+        mlx5e_timestamp_init(priv);
 }
 static int mlx5e_init_rep_rx(struct mlx5e_priv *priv)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
index e401d9d245f3..b69a705fd787 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c
@@ -201,9 +201,15 @@ static int mlx5e_am_stats_compare(struct mlx5e_rx_am_stats *curr,
                return (curr->bpms > prev->bpms) ? MLX5E_AM_STATS_BETTER :
                                                   MLX5E_AM_STATS_WORSE;
+        if (!prev->ppms)
+                return curr->ppms ? MLX5E_AM_STATS_BETTER :
+                                    MLX5E_AM_STATS_SAME;
        if (IS_SIGNIFICANT_DIFF(curr->ppms, prev->ppms))
                return (curr->ppms > prev->ppms) ? MLX5E_AM_STATS_BETTER :
                                                   MLX5E_AM_STATS_WORSE;
+        if (!prev->epms)
+                return MLX5E_AM_STATS_SAME;
        if (IS_SIGNIFICANT_DIFF(curr->epms, prev->epms))
                return (curr->epms < prev->epms) ? MLX5E_AM_STATS_BETTER :
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c b/drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c
index 1f1f8af87d4d..5a4608281f38 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c
@@ -238,15 +238,19 @@ static int mlx5e_test_loopback_setup(struct mlx5e_priv *priv,
        int err = 0;
        /* Temporarily enable local_lb */
-        if (MLX5_CAP_GEN(priv->mdev, disable_local_lb)) {
+        err = mlx5_nic_vport_query_local_lb(priv->mdev, &lbtp->local_lb);
-                mlx5_nic_vport_query_local_lb(priv->mdev, &lbtp->local_lb);
+        if (err)
-                if (!lbtp->local_lb)
+                return err;
-                        mlx5_nic_vport_update_local_lb(priv->mdev, true);
+        if (!lbtp->local_lb) {
+                err = mlx5_nic_vport_update_local_lb(priv->mdev, true);
+                if (err)
+                        return err;
        }
        err = mlx5e_refresh_tirs(priv, true);
        if (err)
-                return err;
+                goto out;
        lbtp->loopback_ok = false;
        init_completion(&lbtp->comp);
@@ -256,16 +260,21 @@ static int mlx5e_test_loopback_setup(struct mlx5e_priv *priv,
        lbtp->pt.dev = priv->netdev;
        lbtp->pt.af_packet_priv = lbtp;
        dev_add_pack(&lbtp->pt);
+        return 0;
+out:
+        if (!lbtp->local_lb)
+                mlx5_nic_vport_update_local_lb(priv->mdev, false);
        return err;
 }
 static void mlx5e_test_loopback_cleanup(struct mlx5e_priv *priv,
                                        struct mlx5e_lbt_priv *lbtp)
 {
-        if (MLX5_CAP_GEN(priv->mdev, disable_local_lb)) {
+        if (!lbtp->local_lb)
-                if (!lbtp->local_lb)
+                mlx5_nic_vport_update_local_lb(priv->mdev, false);
-                        mlx5_nic_vport_update_local_lb(priv->mdev, false);
-        }
        dev_remove_pack(&lbtp->pt);
        mlx5e_refresh_tirs(priv, false);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
index 8812d7208e8f..ee2f378c5030 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
@@ -86,6 +86,8 @@ void mlx5i_init(struct mlx5_core_dev *mdev,
        mlx5e_build_nic_params(mdev, &priv->channels.params, profile->max_nch(mdev));
        mlx5i_build_nic_params(mdev, &priv->channels.params);
+        mlx5e_timestamp_init(priv);
        /* netdev init */
        netdev->hw_features    |= NETIF_F_SG;
        netdev->hw_features    |= NETIF_F_IP_CSUM;
@@ -450,7 +452,6 @@ static int mlx5i_open(struct net_device *netdev)
        mlx5e_refresh_tirs(epriv, false);
        mlx5e_activate_priv_channels(epriv);
-        mlx5e_timestamp_set(epriv);
        mutex_unlock(&epriv->state_lock);
        return 0;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
index fa8aed62b231..5701f125e99c 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
@@ -423,9 +423,13 @@ void mlx5_pps_event(struct mlx5_core_dev *mdev,
        switch (clock->ptp_info.pin_config[pin].func) {
        case PTP_PF_EXTTS:
+                ptp_event.index = pin;
+                ptp_event.timestamp = timecounter_cyc2time(&clock->tc,
+                                        be64_to_cpu(eqe->data.pps.time_stamp));
                if (clock->pps_info.enabled) {
                        ptp_event.type = PTP_CLOCK_PPSUSR;
-                        ptp_event.pps_times.ts_real = ns_to_timespec64(eqe->data.pps.time_stamp);
+                        ptp_event.pps_times.ts_real =
+                                        ns_to_timespec64(ptp_event.timestamp);
                } else {
                        ptp_event.type = PTP_CLOCK_EXTTS;
                }
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index 8a89c7e8cd63..0f88fd30a09a 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -319,6 +319,7 @@ static int mlx5_alloc_irq_vectors(struct mlx5_core_dev *dev)
        struct mlx5_eq_table *table = &priv->eq_table;
        int num_eqs = 1 << MLX5_CAP_GEN(dev, log_max_eq);
        int nvec;
+        int err;
        nvec = MLX5_CAP_GEN(dev, num_ports) * num_online_cpus() +
               MLX5_EQ_VEC_COMP_BASE;
@@ -328,21 +329,23 @@ static int mlx5_alloc_irq_vectors(struct mlx5_core_dev *dev)
        priv->irq_info = kcalloc(nvec, sizeof(*priv->irq_info), GFP_KERNEL);
        if (!priv->irq_info)
-                goto err_free_msix;
+                return -ENOMEM;
        nvec = pci_alloc_irq_vectors(dev->pdev,
                        MLX5_EQ_VEC_COMP_BASE + 1, nvec,
                        PCI_IRQ_MSIX);
-        if (nvec < 0)
+        if (nvec < 0) {
-                return nvec;
+                err = nvec;
+                goto err_free_irq_info;
+        }
        table->num_comp_vectors = nvec - MLX5_EQ_VEC_COMP_BASE;
        return 0;
-err_free_msix:
+err_free_irq_info:
        kfree(priv->irq_info);
-        return -ENOMEM;
+        return err;
 }
 static void mlx5_free_irq_vectors(struct mlx5_core_dev *dev)
@@ -578,8 +581,7 @@ static int mlx5_core_set_hca_defaults(struct mlx5_core_dev *dev)
        int ret = 0;
        /* Disable local_lb by default */
-        if ((MLX5_CAP_GEN(dev, port_type) == MLX5_CAP_PORT_TYPE_ETH) &&
+        if (MLX5_CAP_GEN(dev, port_type) == MLX5_CAP_PORT_TYPE_ETH)
-            MLX5_CAP_GEN(dev, disable_local_lb))
                ret = mlx5_nic_vport_update_local_lb(dev, false);
        return ret;
@@ -1121,9 +1123,12 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
                goto err_stop_poll;
        }
-        if (boot && mlx5_init_once(dev, priv)) {
+        if (boot) {
-                dev_err(&pdev->dev, "sw objs init failed\n");
+                err = mlx5_init_once(dev, priv);
-                goto err_stop_poll;
+                if (err) {
+                        dev_err(&pdev->dev, "sw objs init failed\n");
+                        goto err_stop_poll;
+                }
        }
        err = mlx5_alloc_irq_vectors(dev);
@@ -1133,8 +1138,9 @@ static int mlx5_load_one(struct mlx5_core_dev *dev, struct mlx5_priv *priv,
        }
        dev->priv.uar = mlx5_get_uars_page(dev);
-        if (!dev->priv.uar) {
+        if (IS_ERR(dev->priv.uar)) {
                dev_err(&pdev->dev, "Failed allocating uar, aborting\n");
+                err = PTR_ERR(dev->priv.uar);
                goto err_disable_msix;
        }
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/uar.c b/drivers/net/ethernet/mellanox/mlx5/core/uar.c
index 222b25908d01..8b97066dd1f1 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/uar.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/uar.c
@@ -168,18 +168,16 @@ struct mlx5_uars_page *mlx5_get_uars_page(struct mlx5_core_dev *mdev)
        struct mlx5_uars_page *ret;
        mutex_lock(&mdev->priv.bfregs.reg_head.lock);
-        if (list_empty(&mdev->priv.bfregs.reg_head.list)) {
+        if (!list_empty(&mdev->priv.bfregs.reg_head.list)) {
-                ret = alloc_uars_page(mdev, false);
-                if (IS_ERR(ret)) {
-                        ret = NULL;
-                        goto out;
-                }
-                list_add(&ret->list, &mdev->priv.bfregs.reg_head.list);
-        } else {
                ret = list_first_entry(&mdev->priv.bfregs.reg_head.list,
                                       struct mlx5_uars_page, list);
                kref_get(&ret->ref_count);
+                goto out;
        }
+        ret = alloc_uars_page(mdev, false);
+        if (IS_ERR(ret))
+                goto out;
+        list_add(&ret->list, &mdev->priv.bfregs.reg_head.list);
 out:
        mutex_unlock(&mdev->priv.bfregs.reg_head.lock);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
index d653b0025b13..a1296a62497d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
@@ -908,23 +908,33 @@ int mlx5_nic_vport_update_local_lb(struct mlx5_core_dev *mdev, bool enable)
        void *in;
        int err;
-        mlx5_core_dbg(mdev, "%s local_lb\n", enable ? "enable" : "disable");
+        if (!MLX5_CAP_GEN(mdev, disable_local_lb_mc) &&
+            !MLX5_CAP_GEN(mdev, disable_local_lb_uc))
+                return 0;
        in = kvzalloc(inlen, GFP_KERNEL);
        if (!in)
                return -ENOMEM;
        MLX5_SET(modify_nic_vport_context_in, in,
-                 field_select.disable_mc_local_lb, 1);
-        MLX5_SET(modify_nic_vport_context_in, in,
                 nic_vport_context.disable_mc_local_lb, !enable);
-        MLX5_SET(modify_nic_vport_context_in, in,
-                 field_select.disable_uc_local_lb, 1);
        MLX5_SET(modify_nic_vport_context_in, in,
                 nic_vport_context.disable_uc_local_lb, !enable);
+        if (MLX5_CAP_GEN(mdev, disable_local_lb_mc))
+                MLX5_SET(modify_nic_vport_context_in, in,
+                         field_select.disable_mc_local_lb, 1);
+        if (MLX5_CAP_GEN(mdev, disable_local_lb_uc))
+                MLX5_SET(modify_nic_vport_context_in, in,
+                         field_select.disable_uc_local_lb, 1);
        err = mlx5_modify_nic_vport_context(mdev, in, inlen);
+        if (!err)
+                mlx5_core_dbg(mdev, "%s local_lb\n",
+                              enable ? "enable" : "disable");
        kvfree(in);
        return err;
 }
diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c
index 23f7d828cf67..6ef20e5cc77d 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c
@@ -1643,7 +1643,12 @@ static int mlxsw_pci_sw_reset(struct mlxsw_pci *mlxsw_pci,
                return 0;
        }
-        wmb(); /* reset needs to be written before we read control register */
+        /* Reset needs to be written before we read control register, and
+         * we must wait for the HW to become responsive once again
+         */
+        wmb();
+        msleep(MLXSW_PCI_SW_RESET_WAIT_MSECS);
        end = jiffies + msecs_to_jiffies(MLXSW_PCI_SW_RESET_TIMEOUT_MSECS);
        do {
                u32 val = mlxsw_pci_read32(mlxsw_pci, FW_READY);
diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
index a6441208e9d9..fb082ad21b00 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
+++ b/drivers/net/ethernet/mellanox/mlxsw/pci_hw.h
@@ -59,6 +59,7 @@
 #define MLXSW_PCI_SW_RESET                      0xF0010
 #define MLXSW_PCI_SW_RESET_RST_BIT              BIT(0)
 #define MLXSW_PCI_SW_RESET_TIMEOUT_MSECS        5000
+#define MLXSW_PCI_SW_RESET_WAIT_MSECS           100
 #define MLXSW_PCI_FW_READY                      0xA1844
 #define MLXSW_PCI_FW_READY_MASK                 0xFFFF
 #define MLXSW_PCI_FW_READY_MAGIC                0x5E
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
index 9bd8d28de152..c3837ca7a705 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
@@ -4376,7 +4376,10 @@ static int mlxsw_sp_netdevice_port_upper_event(struct net_device *lower_dev,
                }
                if (!info->linking)
                        break;
-                if (netdev_has_any_upper_dev(upper_dev)) {
+                if (netdev_has_any_upper_dev(upper_dev) &&
+                    (!netif_is_bridge_master(upper_dev) ||
+                     !mlxsw_sp_bridge_device_is_offloaded(mlxsw_sp,
+                                                          upper_dev))) {
                        NL_SET_ERR_MSG(extack,
                                       "spectrum: Enslaving a port to a device that already has an upper device is not supported");
                        return -EINVAL;
@@ -4504,6 +4507,7 @@ static int mlxsw_sp_netdevice_port_vlan_event(struct net_device *vlan_dev,
                                              u16 vid)
 {
        struct mlxsw_sp_port *mlxsw_sp_port = netdev_priv(dev);
+        struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
        struct netdev_notifier_changeupper_info *info = ptr;
        struct netlink_ext_ack *extack;
        struct net_device *upper_dev;
@@ -4520,7 +4524,10 @@ static int mlxsw_sp_netdevice_port_vlan_event(struct net_device *vlan_dev,
                }
                if (!info->linking)
                        break;
-                if (netdev_has_any_upper_dev(upper_dev)) {
+                if (netdev_has_any_upper_dev(upper_dev) &&
+                    (!netif_is_bridge_master(upper_dev) ||
+                     !mlxsw_sp_bridge_device_is_offloaded(mlxsw_sp,
+                                                          upper_dev))) {
                        NL_SET_ERR_MSG(extack, "spectrum: Enslaving a port to a device that already has an upper device is not supported");
                        return -EINVAL;
                }
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
index 432ab9b12b7f..05ce1befd9b3 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
@@ -365,6 +365,8 @@ int mlxsw_sp_port_bridge_join(struct mlxsw_sp_port *mlxsw_sp_port,
 void mlxsw_sp_port_bridge_leave(struct mlxsw_sp_port *mlxsw_sp_port,
                                struct net_device *brport_dev,
                                struct net_device *br_dev);
+bool mlxsw_sp_bridge_device_is_offloaded(const struct mlxsw_sp *mlxsw_sp,
+                                         const struct net_device *br_dev);
 /* spectrum.c */
 int mlxsw_sp_port_ets_set(struct mlxsw_sp_port *mlxsw_sp_port,
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
index c33beac5def0..b5397da94d7f 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
@@ -46,7 +46,8 @@ mlxsw_sp_tclass_congestion_enable(struct mlxsw_sp_port *mlxsw_sp_port,
                                  int tclass_num, u32 min, u32 max,
                                  u32 probability, bool is_ecn)
 {
-        char cwtp_cmd[max_t(u8, MLXSW_REG_CWTP_LEN, MLXSW_REG_CWTPM_LEN)];
+        char cwtpm_cmd[MLXSW_REG_CWTPM_LEN];
+        char cwtp_cmd[MLXSW_REG_CWTP_LEN];
        struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
        int err;
@@ -60,10 +61,10 @@ mlxsw_sp_tclass_congestion_enable(struct mlxsw_sp_port *mlxsw_sp_port,
        if (err)
                return err;
-        mlxsw_reg_cwtpm_pack(cwtp_cmd, mlxsw_sp_port->local_port, tclass_num,
+        mlxsw_reg_cwtpm_pack(cwtpm_cmd, mlxsw_sp_port->local_port, tclass_num,
                             MLXSW_REG_CWTP_DEFAULT_PROFILE, true, is_ecn);
-        return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(cwtpm), cwtp_cmd);
+        return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(cwtpm), cwtpm_cmd);
 }
 static int
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index be657b8533f0..7042c855a5d6 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -821,13 +821,18 @@ static int mlxsw_sp_vr_lpm_tree_replace(struct mlxsw_sp *mlxsw_sp,
        struct mlxsw_sp_lpm_tree *old_tree = fib->lpm_tree;
        int err;
-        err = mlxsw_sp_vr_lpm_tree_bind(mlxsw_sp, fib, new_tree->id);
-        if (err)
-                return err;
        fib->lpm_tree = new_tree;
        mlxsw_sp_lpm_tree_hold(new_tree);
+        err = mlxsw_sp_vr_lpm_tree_bind(mlxsw_sp, fib, new_tree->id);
+        if (err)
+                goto err_tree_bind;
        mlxsw_sp_lpm_tree_put(mlxsw_sp, old_tree);
        return 0;
+err_tree_bind:
+        mlxsw_sp_lpm_tree_put(mlxsw_sp, new_tree);
+        fib->lpm_tree = old_tree;
+        return err;
 }
 static int mlxsw_sp_vrs_lpm_tree_replace(struct mlxsw_sp *mlxsw_sp,
@@ -868,11 +873,14 @@ err_tree_replace:
        return err;
 no_replace:
-        err = mlxsw_sp_vr_lpm_tree_bind(mlxsw_sp, fib, new_tree->id);
-        if (err)
-                return err;
        fib->lpm_tree = new_tree;
        mlxsw_sp_lpm_tree_hold(new_tree);
+        err = mlxsw_sp_vr_lpm_tree_bind(mlxsw_sp, fib, new_tree->id);
+        if (err) {
+                mlxsw_sp_lpm_tree_put(mlxsw_sp, new_tree);
+                fib->lpm_tree = NULL;
+                return err;
+        }
        return 0;
 }
@@ -1934,11 +1942,8 @@ static void mlxsw_sp_router_neigh_ent_ipv4_process(struct mlxsw_sp *mlxsw_sp,
        dipn = htonl(dip);
        dev = mlxsw_sp->router->rifs[rif]->dev;
        n = neigh_lookup(&arp_tbl, &dipn, dev);
-        if (!n) {
+        if (!n)
-                netdev_err(dev, "Failed to find matching neighbour for IP=%pI4h\n",
-                           &dip);
                return;
-        }
        netdev_dbg(dev, "Updating neighbour with IP=%pI4h\n", &dip);
        neigh_event_send(n, NULL);
@@ -1965,11 +1970,8 @@ static void mlxsw_sp_router_neigh_ent_ipv6_process(struct mlxsw_sp *mlxsw_sp,
        dev = mlxsw_sp->router->rifs[rif]->dev;
        n = neigh_lookup(&nd_tbl, &dip, dev);
-        if (!n) {
+        if (!n)
-                netdev_err(dev, "Failed to find matching neighbour for IP=%pI6c\n",
-                           &dip);
                return;
-        }
        netdev_dbg(dev, "Updating neighbour with IP=%pI6c\n", &dip);
        neigh_event_send(n, NULL);
@@ -3228,7 +3230,7 @@ static void __mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp_nexthop *nh,
 {
        if (!removing)
                nh->should_offload = 1;
-        else if (nh->offloaded)
+        else
                nh->should_offload = 0;
        nh->update = 1;
 }
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
index 7b8548e25ae7..593ad31be749 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
@@ -152,6 +152,12 @@ mlxsw_sp_bridge_device_find(const struct mlxsw_sp_bridge *bridge,
        return NULL;
 }
+bool mlxsw_sp_bridge_device_is_offloaded(const struct mlxsw_sp *mlxsw_sp,
+                                         const struct net_device *br_dev)
+{
+        return !!mlxsw_sp_bridge_device_find(mlxsw_sp->bridge, br_dev);
+}
 static struct mlxsw_sp_bridge_device *
 mlxsw_sp_bridge_device_create(struct mlxsw_sp_bridge *bridge,
                              struct net_device *br_dev)
diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
index 1a603fdd9e80..99b0487b6d82 100644
--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
+++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
@@ -568,6 +568,7 @@ nfp_net_aux_irq_request(struct nfp_net *nn, u32 ctrl_offset,
                return err;
        }
        nn_writeb(nn, ctrl_offset, entry->entry);
+        nfp_net_irq_unmask(nn, entry->entry);
        return 0;
 }
@@ -582,6 +583,7 @@ static void nfp_net_aux_irq_free(struct nfp_net *nn, u32 ctrl_offset,
                                 unsigned int vector_idx)
 {
        nn_writeb(nn, ctrl_offset, 0xff);
+        nn_pci_flush(nn);
        free_irq(nn->irq_entries[vector_idx].vector, nn);
 }
diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
index 2801ecd09eab..6c02b2d6ba06 100644
--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
@@ -333,7 +333,7 @@ nfp_net_get_link_ksettings(struct net_device *netdev,
            ls >= ARRAY_SIZE(ls_to_ethtool))
                return 0;
-        cmd->base.speed = ls_to_ethtool[sts];
+        cmd->base.speed = ls_to_ethtool[ls];
        cmd->base.duplex = DUPLEX_FULL;
        return 0;
diff --git a/drivers/net/ethernet/qlogic/qed/qed_rdma.c b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
index c8c4b3940564..b7abb8205d3a 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c
@@ -358,10 +358,27 @@ static void qed_rdma_resc_free(struct qed_hwfn *p_hwfn)
        kfree(p_rdma_info);
 }
+static void qed_rdma_free_tid(void *rdma_cxt, u32 itid)
+{
+        struct qed_hwfn *p_hwfn = (struct qed_hwfn *)rdma_cxt;
+        DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "itid = %08x\n", itid);
+        spin_lock_bh(&p_hwfn->p_rdma_info->lock);
+        qed_bmap_release_id(p_hwfn, &p_hwfn->p_rdma_info->tid_map, itid);
+        spin_unlock_bh(&p_hwfn->p_rdma_info->lock);
+}
+static void qed_rdma_free_reserved_lkey(struct qed_hwfn *p_hwfn)
+{
+        qed_rdma_free_tid(p_hwfn, p_hwfn->p_rdma_info->dev->reserved_lkey);
+}
 static void qed_rdma_free(struct qed_hwfn *p_hwfn)
 {
        DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n");
+        qed_rdma_free_reserved_lkey(p_hwfn);
        qed_rdma_resc_free(p_hwfn);
 }
@@ -615,9 +632,6 @@ static int qed_rdma_reserve_lkey(struct qed_hwfn *p_hwfn)
 {
        struct qed_rdma_device *dev = p_hwfn->p_rdma_info->dev;
-        /* The first DPI is reserved for the Kernel */
-        __set_bit(0, p_hwfn->p_rdma_info->dpi_map.bitmap);
        /* Tid 0 will be used as the key for "reserved MR".
         * The driver should allocate memory for it so it can be loaded but no
         * ramrod should be passed on it.
@@ -797,17 +811,6 @@ static struct qed_rdma_device *qed_rdma_query_device(void *rdma_cxt)
        return p_hwfn->p_rdma_info->dev;
 }
-static void qed_rdma_free_tid(void *rdma_cxt, u32 itid)
-{
-        struct qed_hwfn *p_hwfn = (struct qed_hwfn *)rdma_cxt;
-        DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "itid = %08x\n", itid);
-        spin_lock_bh(&p_hwfn->p_rdma_info->lock);
-        qed_bmap_release_id(p_hwfn, &p_hwfn->p_rdma_info->tid_map, itid);
-        spin_unlock_bh(&p_hwfn->p_rdma_info->lock);
-}
 static void qed_rdma_cnq_prod_update(void *rdma_cxt, u8 qz_offset, u16 prod)
 {
        struct qed_hwfn *p_hwfn;
diff --git a/drivers/net/ethernet/qlogic/qed/qed_spq.c b/drivers/net/ethernet/qlogic/qed/qed_spq.c
index be48d9abd001..3588081b2e27 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_spq.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_spq.c
@@ -776,6 +776,7 @@ int qed_spq_post(struct qed_hwfn *p_hwfn,
        int rc = 0;
        struct qed_spq *p_spq = p_hwfn ? p_hwfn->p_spq : NULL;
        bool b_ret_ent = true;
+        bool eblock;
        if (!p_hwfn)
                return -EINVAL;
@@ -794,6 +795,11 @@ int qed_spq_post(struct qed_hwfn *p_hwfn,
        if (rc)
                goto spq_post_fail;
+        /* Check if entry is in block mode before qed_spq_add_entry,
+         * which might kfree p_ent.
+         */
+        eblock = (p_ent->comp_mode == QED_SPQ_MODE_EBLOCK);
        /* Add the request to the pending queue */
        rc = qed_spq_add_entry(p_hwfn, p_ent, p_ent->priority);
        if (rc)
@@ -811,7 +817,7 @@ int qed_spq_post(struct qed_hwfn *p_hwfn,
        spin_unlock_bh(&p_spq->lock);
-        if (p_ent->comp_mode == QED_SPQ_MODE_EBLOCK) {
+        if (eblock) {
                /* For entries in QED BLOCK mode, the completion code cannot
                 * perform the necessary cleanup - if it did, we couldn't
                 * access p_ent here to see whether it's successful or not.
diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
index 75323000c364..53924a4fc31c 100644
--- a/drivers/net/ethernet/renesas/sh_eth.c
+++ b/drivers/net/ethernet/renesas/sh_eth.c
@@ -147,7 +147,7 @@ static const u16 sh_eth_offset_gigabit[SH_ETH_MAX_REGISTER_OFFSET] = {
        [FWNLCR0]       = 0x0090,
        [FWALCR0]       = 0x0094,
        [TXNLCR1]       = 0x00a0,
-        [TXALCR1]       = 0x00a0,
+        [TXALCR1]       = 0x00a4,
        [RXNLCR1]       = 0x00a8,
        [RXALCR1]       = 0x00ac,
        [FWNLCR1]       = 0x00b0,
@@ -399,7 +399,7 @@ static const u16 sh_eth_offset_fast_sh3_sh2[SH_ETH_MAX_REGISTER_OFFSET] = {
        [FWNLCR0]       = 0x0090,
        [FWALCR0]       = 0x0094,
        [TXNLCR1]       = 0x00a0,
-        [TXALCR1]       = 0x00a0,
+        [TXALCR1]       = 0x00a4,
        [RXNLCR1]       = 0x00a8,
        [RXALCR1]       = 0x00ac,
        [FWNLCR1]       = 0x00b0,
@@ -2089,8 +2089,8 @@ static size_t __sh_eth_get_regs(struct net_device *ndev, u32 *buf)
                add_reg(CSMR);
        if (cd->select_mii)
                add_reg(RMII_MII);
-        add_reg(ARSTR);
        if (cd->tsu) {
+                add_tsu_reg(ARSTR);
                add_tsu_reg(TSU_CTRST);
                add_tsu_reg(TSU_FWEN0);
                add_tsu_reg(TSU_FWEN1);
@@ -3225,18 +3225,37 @@ static int sh_eth_drv_probe(struct platform_device *pdev)
        /* ioremap the TSU registers */
        if (mdp->cd->tsu) {
                struct resource *rtsu;
                rtsu = platform_get_resource(pdev, IORESOURCE_MEM, 1);
-                mdp->tsu_addr = devm_ioremap_resource(&pdev->dev, rtsu);
+                if (!rtsu) {
-                if (IS_ERR(mdp->tsu_addr)) {
+                        dev_err(&pdev->dev, "no TSU resource\n");
-                        ret = PTR_ERR(mdp->tsu_addr);
+                        ret = -ENODEV;
+                        goto out_release;
+                }
+                /* We can only request the  TSU region  for the first port
+                 * of the two  sharing this TSU for the probe to succeed...
+                 */
+                if (devno % 2 == 0 &&
+                    !devm_request_mem_region(&pdev->dev, rtsu->start,
+                                             resource_size(rtsu),
+                                             dev_name(&pdev->dev))) {
+                        dev_err(&pdev->dev, "can't request TSU resource.\n");
+                        ret = -EBUSY;
+                        goto out_release;
+                }
+                mdp->tsu_addr = devm_ioremap(&pdev->dev, rtsu->start,
+                                             resource_size(rtsu));
+                if (!mdp->tsu_addr) {
+                        dev_err(&pdev->dev, "TSU region ioremap() failed.\n");
+                        ret = -ENOMEM;
                        goto out_release;
                }
                mdp->port = devno % 2;
                ndev->features = NETIF_F_HW_VLAN_CTAG_FILTER;
        }
-        /* initialize first or needed device */
+        /* Need to init only the first port of the two sharing a TSU */
-        if (!devno || pd->needs_init) {
+        if (devno % 2 == 0) {
                if (mdp->cd->chip_reset)
                        mdp->cd->chip_reset(ndev);
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 337d53d12e94..c0af0bc4e714 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -364,9 +364,15 @@ static void stmmac_eee_ctrl_timer(struct timer_list *t)
 bool stmmac_eee_init(struct stmmac_priv *priv)
 {
        struct net_device *ndev = priv->dev;
+        int interface = priv->plat->interface;
        unsigned long flags;
        bool ret = false;
+        if ((interface != PHY_INTERFACE_MODE_MII) &&
+            (interface != PHY_INTERFACE_MODE_GMII) &&
+            !phy_interface_mode_is_rgmii(interface))
+                goto out;
        /* Using PCS we cannot dial with the phy registers at this stage
         * so we do not support extra feature like EEE.
         */
diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
index ed58c746e4af..f5a7eb22d0f5 100644
--- a/drivers/net/ethernet/ti/netcp_core.c
+++ b/drivers/net/ethernet/ti/netcp_core.c
@@ -715,7 +715,7 @@ static int netcp_process_one_rx_packet(struct netcp_intf *netcp)
                /* warning!!!! We are retrieving the virtual ptr in the sw_data
                 * field as a 32bit value. Will not work on 64bit machines
                 */
-                page = (struct page *)GET_SW_DATA0(desc);
+                page = (struct page *)GET_SW_DATA0(ndesc);
                if (likely(dma_buff && buf_len && page)) {
                        dma_unmap_page(netcp->dev, dma_buff, PAGE_SIZE,
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index b718a02a6bb6..0a48b3073d3d 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -825,6 +825,13 @@ static int geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
        if (IS_ERR(rt))
                return PTR_ERR(rt);
+        if (skb_dst(skb)) {
+                int mtu = dst_mtu(&rt->dst) - sizeof(struct iphdr) -
+                          GENEVE_BASE_HLEN - info->options_len - 14;
+                skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
+        }
        sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
        if (geneve->collect_md) {
                tos = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
@@ -864,6 +871,13 @@ static int geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
        if (IS_ERR(dst))
                return PTR_ERR(dst);
+        if (skb_dst(skb)) {
+                int mtu = dst_mtu(dst) - sizeof(struct ipv6hdr) -
+                          GENEVE_BASE_HLEN - info->options_len - 14;
+                skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
+        }
        sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
        if (geneve->collect_md) {
                prio = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index a178c5efd33e..a0f2be81d52e 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1444,9 +1444,14 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev,
        return 0;
 unregister_netdev:
+        /* macvlan_uninit would free the macvlan port */
        unregister_netdevice(dev);
+        return err;
 destroy_macvlan_port:
-        if (create)
+        /* the macvlan port may be freed by macvlan_uninit when fail to register.
+         * so we destroy the macvlan port only when it's valid.
+         */
+        if (create && macvlan_port_get_rtnl(dev))
                macvlan_port_destroy(port->dev);
        return err;
 }
diff --git a/drivers/net/phy/mdio-sun4i.c b/drivers/net/phy/mdio-sun4i.c
index 135296508a7e..6425ce04d3f9 100644
--- a/drivers/net/phy/mdio-sun4i.c
+++ b/drivers/net/phy/mdio-sun4i.c
@@ -118,8 +118,10 @@ static int sun4i_mdio_probe(struct platform_device *pdev)
        data->regulator = devm_regulator_get(&pdev->dev, "phy");
        if (IS_ERR(data->regulator)) {
-                if (PTR_ERR(data->regulator) == -EPROBE_DEFER)
+                if (PTR_ERR(data->regulator) == -EPROBE_DEFER) {
-                        return -EPROBE_DEFER;
+                        ret = -EPROBE_DEFER;
+                        goto err_out_free_mdiobus;
+                }
                dev_info(&pdev->dev, "no regulator found\n");
                data->regulator = NULL;
diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
index 827f3f92560e..249ce5cbea22 100644
--- a/drivers/net/phy/phylink.c
+++ b/drivers/net/phy/phylink.c
@@ -1296,6 +1296,7 @@ int phylink_mii_ioctl(struct phylink *pl, struct ifreq *ifr, int cmd)
                switch (cmd) {
                case SIOCGMIIPHY:
                        mii->phy_id = pl->phydev->mdio.addr;
+                        /* fall through */
                case SIOCGMIIREG:
                        ret = phylink_phy_read(pl, mii->phy_id, mii->reg_num);
@@ -1318,6 +1319,7 @@ int phylink_mii_ioctl(struct phylink *pl, struct ifreq *ifr, int cmd)
                switch (cmd) {
                case SIOCGMIIPHY:
                        mii->phy_id = 0;
+                        /* fall through */
                case SIOCGMIIREG:
                        ret = phylink_mii_read(pl, mii->phy_id, mii->reg_num);
@@ -1429,9 +1431,8 @@ static void phylink_sfp_link_down(void *upstream)
        WARN_ON(!lockdep_rtnl_is_held());
        set_bit(PHYLINK_DISABLE_LINK, &pl->phylink_disable_state);
+        queue_work(system_power_efficient_wq, &pl->resolve);
        flush_work(&pl->resolve);
-        netif_carrier_off(pl->netdev);
 }
 static void phylink_sfp_link_up(void *upstream)
diff --git a/drivers/net/phy/sfp-bus.c b/drivers/net/phy/sfp-bus.c
index 8a1b1f4c1b7c..ab64a142b832 100644
--- a/drivers/net/phy/sfp-bus.c
+++ b/drivers/net/phy/sfp-bus.c
@@ -356,7 +356,8 @@ EXPORT_SYMBOL_GPL(sfp_register_upstream);
 void sfp_unregister_upstream(struct sfp_bus *bus)
 {
        rtnl_lock();
-        sfp_unregister_bus(bus);
+        if (bus->sfp)
+                sfp_unregister_bus(bus);
        bus->upstream = NULL;
        bus->netdev = NULL;
        rtnl_unlock();
@@ -459,7 +460,8 @@ EXPORT_SYMBOL_GPL(sfp_register_socket);
 void sfp_unregister_socket(struct sfp_bus *bus)
 {
        rtnl_lock();
-        sfp_unregister_bus(bus);
+        if (bus->netdev)
+                sfp_unregister_bus(bus);
        bus->sfp_dev = NULL;
        bus->sfp = NULL;
        bus->socket_ops = NULL;
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index d8e5747ff4e3..264d4af0bf69 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1006,17 +1006,18 @@ static int ppp_unit_register(struct ppp *ppp, int unit, bool ifname_is_set)
        if (!ifname_is_set)
                snprintf(ppp->dev->name, IFNAMSIZ, "ppp%i", ppp->file.index);
+        mutex_unlock(&pn->all_ppp_mutex);
        ret = register_netdevice(ppp->dev);
        if (ret < 0)
                goto err_unit;
        atomic_inc(&ppp_unit_count);
-        mutex_unlock(&pn->all_ppp_mutex);
        return 0;
 err_unit:
+        mutex_lock(&pn->all_ppp_mutex);
        unit_put(&pn->units_idr, ppp->file.index);
 err:
        mutex_unlock(&pn->all_ppp_mutex);
diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 4e1da1645b15..5aa59f41bf8c 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -842,6 +842,7 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
        struct pppoe_hdr *ph;
        struct net_device *dev;
        char *start;
+        int hlen;
        lock_sock(sk);
        if (sock_flag(sk, SOCK_DEAD) || !(sk->sk_state & PPPOX_CONNECTED)) {
@@ -860,16 +861,16 @@ static int pppoe_sendmsg(struct socket *sock, struct msghdr *m,
        if (total_len > (dev->mtu + dev->hard_header_len))
                goto end;
+        hlen = LL_RESERVED_SPACE(dev);
-        skb = sock_wmalloc(sk, total_len + dev->hard_header_len + 32,
+        skb = sock_wmalloc(sk, hlen + sizeof(*ph) + total_len +
-                           0, GFP_KERNEL);
+                           dev->needed_tailroom, 0, GFP_KERNEL);
        if (!skb) {
                error = -ENOMEM;
                goto end;
        }
        /* Reserve space for headers. */
-        skb_reserve(skb, dev->hard_header_len);
+        skb_reserve(skb, hlen);
        skb_reset_network_header(skb);
        skb->dev = dev;
@@ -930,7 +931,7 @@ static int __pppoe_xmit(struct sock *sk, struct sk_buff *skb)
        /* Copy the data if there is no space for the header or if it's
         * read-only.
         */
-        if (skb_cow_head(skb, sizeof(*ph) + dev->hard_header_len))
+        if (skb_cow_head(skb, LL_RESERVED_SPACE(dev) + sizeof(*ph)))
                goto abort;
        __skb_push(skb, sizeof(*ph));
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 4f4a842a1c9c..a8ec589d1359 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -611,6 +611,14 @@ static void tun_queue_purge(struct tun_file *tfile)
        skb_queue_purge(&tfile->sk.sk_error_queue);
 }
+static void tun_cleanup_tx_array(struct tun_file *tfile)
+{
+        if (tfile->tx_array.ring.queue) {
+                skb_array_cleanup(&tfile->tx_array);
+                memset(&tfile->tx_array, 0, sizeof(tfile->tx_array));
+        }
+}
 static void __tun_detach(struct tun_file *tfile, bool clean)
 {
        struct tun_file *ntfile;
@@ -657,8 +665,7 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
                            tun->dev->reg_state == NETREG_REGISTERED)
                                unregister_netdevice(tun->dev);
                }
-                if (tun)
+                tun_cleanup_tx_array(tfile);
-                        skb_array_cleanup(&tfile->tx_array);
                sock_put(&tfile->sk);
        }
 }
@@ -700,11 +707,13 @@ static void tun_detach_all(struct net_device *dev)
                /* Drop read queue */
                tun_queue_purge(tfile);
                sock_put(&tfile->sk);
+                tun_cleanup_tx_array(tfile);
        }
        list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) {
                tun_enable_queue(tfile);
                tun_queue_purge(tfile);
                sock_put(&tfile->sk);
+                tun_cleanup_tx_array(tfile);
        }
        BUG_ON(tun->numdisabled != 0);
@@ -2851,6 +2860,8 @@ static int tun_chr_open(struct inode *inode, struct file * file)
        sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);
+        memset(&tfile->tx_array, 0, sizeof(tfile->tx_array));
        return 0;
 }
diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index 94c7804903c4..ec56ff29aac4 100644
--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -2396,6 +2396,7 @@ static int lan78xx_reset(struct lan78xx_net *dev)
                buf = DEFAULT_BURST_CAP_SIZE / FS_USB_PKT_SIZE;
                dev->rx_urb_size = DEFAULT_BURST_CAP_SIZE;
                dev->rx_qlen = 4;
+                dev->tx_qlen = 4;
        }
        ret = lan78xx_write_reg(dev, BURST_CAP, buf);
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 3000ddd1c7e2..728819feab44 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1100,6 +1100,7 @@ static const struct usb_device_id products[] = {
        {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
        {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
        {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+        {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */
        {QMI_FIXED_INTF(0x0846, 0x68a2, 8)},
        {QMI_FIXED_INTF(0x12d1, 0x140c, 1)},    /* Huawei E173 */
        {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)},    /* Huawei E1820 */
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index d51d9abf7986..0657203ffb91 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -606,6 +606,7 @@ enum rtl8152_flags {
        PHY_RESET,
        SCHEDULE_NAPI,
        GREEN_ETHERNET,
+        DELL_TB_RX_AGG_BUG,
 };
 /* Define these values to match your device */
@@ -1798,6 +1799,9 @@ static int r8152_tx_agg_fill(struct r8152 *tp, struct tx_agg *agg)
                dev_kfree_skb_any(skb);
                remain = agg_buf_sz - (int)(tx_agg_align(tx_data) - agg->head);
+                if (test_bit(DELL_TB_RX_AGG_BUG, &tp->flags))
+                        break;
        }
        if (!skb_queue_empty(&skb_head)) {
@@ -4133,6 +4137,9 @@ static void r8153_init(struct r8152 *tp)
        /* rx aggregation */
        ocp_data = ocp_read_word(tp, MCU_TYPE_USB, USB_USB_CTRL);
        ocp_data &= ~(RX_AGG_DISABLE | RX_ZERO_EN);
+        if (test_bit(DELL_TB_RX_AGG_BUG, &tp->flags))
+                ocp_data |= RX_AGG_DISABLE;
        ocp_write_word(tp, MCU_TYPE_USB, USB_USB_CTRL, ocp_data);
        rtl_tally_reset(tp);
@@ -5207,6 +5214,12 @@ static int rtl8152_probe(struct usb_interface *intf,
                netdev->hw_features &= ~NETIF_F_RXCSUM;
        }
+        if (le16_to_cpu(udev->descriptor.bcdDevice) == 0x3011 &&
+            udev->serial && !strcmp(udev->serial, "000001000000")) {
+                dev_info(&udev->dev, "Dell TB16 Dock, disable RX aggregation");
+                set_bit(DELL_TB_RX_AGG_BUG, &tp->flags);
+        }
        netdev->ethtool_ops = &ops;
        netif_set_gso_max_size(netdev, RTL_LIMITED_TSO_SIZE);
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index d56fe32bf48d..8a22ff67b026 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -457,12 +457,10 @@ static enum skb_state defer_bh(struct usbnet *dev, struct sk_buff *skb,
 void usbnet_defer_kevent (struct usbnet *dev, int work)
 {
        set_bit (work, &dev->flags);
-        if (!schedule_work (&dev->kevent)) {
+        if (!schedule_work (&dev->kevent))
-                if (net_ratelimit())
+                netdev_dbg(dev->net, "kevent %d may have been dropped\n", work);
-                        netdev_err(dev->net, "kevent %d may have been dropped\n", work);
+        else
-        } else {
                netdev_dbg(dev->net, "kevent %d scheduled\n", work);
-        }
 }
 EXPORT_SYMBOL_GPL(usbnet_defer_kevent);
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index d1c7029ded7c..cf95290b160c 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -1616,7 +1616,6 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
                                          rq->rx_ring[i].basePA);
                        rq->rx_ring[i].base = NULL;
                }
-                rq->buf_info[i] = NULL;
        }
        if (rq->data_ring.base) {
@@ -1638,6 +1637,7 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq,
                        (rq->rx_ring[0].size + rq->rx_ring[1].size);
                dma_free_coherent(&adapter->pdev->dev, sz, rq->buf_info[0],
                                  rq->buf_info_pa);
+                rq->buf_info[0] = rq->buf_info[1] = NULL;
        }
 }
diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
index f7d228b5ba93..987f1252a3cf 100644
--- a/drivers/net/wireless/ath/wcn36xx/main.c
+++ b/drivers/net/wireless/ath/wcn36xx/main.c
@@ -384,6 +384,18 @@ static int wcn36xx_config(struct ieee80211_hw *hw, u32 changed)
                }
        }
+        if (changed & IEEE80211_CONF_CHANGE_PS) {
+                list_for_each_entry(tmp, &wcn->vif_list, list) {
+                        vif = wcn36xx_priv_to_vif(tmp);
+                        if (hw->conf.flags & IEEE80211_CONF_PS) {
+                                if (vif->bss_conf.ps) /* ps allowed ? */
+                                        wcn36xx_pmc_enter_bmps_state(wcn, vif);
+                        } else {
+                                wcn36xx_pmc_exit_bmps_state(wcn, vif);
+                        }
+                }
+        }
        mutex_unlock(&wcn->conf_mutex);
        return 0;
@@ -747,17 +759,6 @@ static void wcn36xx_bss_info_changed(struct ieee80211_hw *hw,
                vif_priv->dtim_period = bss_conf->dtim_period;
        }
-        if (changed & BSS_CHANGED_PS) {
-                wcn36xx_dbg(WCN36XX_DBG_MAC,
-                            "mac bss PS set %d\n",
-                            bss_conf->ps);
-                if (bss_conf->ps) {
-                        wcn36xx_pmc_enter_bmps_state(wcn, vif);
-                } else {
-                        wcn36xx_pmc_exit_bmps_state(wcn, vif);
-                }
-        }
        if (changed & BSS_CHANGED_BSSID) {
                wcn36xx_dbg(WCN36XX_DBG_MAC, "mac bss changed_bssid %pM\n",
                            bss_conf->bssid);
diff --git a/drivers/net/wireless/ath/wcn36xx/pmc.c b/drivers/net/wireless/ath/wcn36xx/pmc.c
index 589fe5f70971..1976b80c235f 100644
--- a/drivers/net/wireless/ath/wcn36xx/pmc.c
+++ b/drivers/net/wireless/ath/wcn36xx/pmc.c
@@ -45,8 +45,10 @@ int wcn36xx_pmc_exit_bmps_state(struct wcn36xx *wcn,
        struct wcn36xx_vif *vif_priv = wcn36xx_vif_to_priv(vif);
        if (WCN36XX_BMPS != vif_priv->pw_state) {
-                wcn36xx_err("Not in BMPS mode, no need to exit from BMPS mode!\n");
+                /* Unbalanced call or last BMPS enter failed */
-                return -EINVAL;
+                wcn36xx_dbg(WCN36XX_DBG_PMC,
+                            "Not in BMPS mode, no need to exit\n");
+                return -EALREADY;
        }
        wcn36xx_smd_exit_bmps(wcn, vif);
        vif_priv->pw_state = WCN36XX_FULL_POWER;
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
index 6a59d0609d30..9be0b051066a 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
@@ -182,12 +182,9 @@ static int brcmf_c_process_clm_blob(struct brcmf_if *ifp)
        err = request_firmware(&clm, clm_name, dev);
        if (err) {
-                if (err == -ENOENT) {
+                brcmf_info("no clm_blob available(err=%d), device may have limited channels available\n",
-                        brcmf_dbg(INFO, "continue with CLM data currently present in firmware\n");
+                           err);
-                        return 0;
+                return 0;
-                }
-                brcmf_err("request CLM blob file failed (%d)\n", err);
-                return err;
        }
        chunk_buf = kzalloc(sizeof(*chunk_buf) + MAX_CHUNK_LEN - 1, GFP_KERNEL);
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
index d749abeca3ae..403e65c309d0 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
@@ -670,11 +670,15 @@ static inline u8 iwl_pcie_get_cmd_index(struct iwl_txq *q, u32 index)
        return index & (q->n_window - 1);
 }
-static inline void *iwl_pcie_get_tfd(struct iwl_trans_pcie *trans_pcie,
+static inline void *iwl_pcie_get_tfd(struct iwl_trans *trans,
                                     struct iwl_txq *txq, int idx)
 {
-        return txq->tfds + trans_pcie->tfd_size * iwl_pcie_get_cmd_index(txq,
+        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
-                                                                         idx);
+        if (trans->cfg->use_tfh)
+                idx = iwl_pcie_get_cmd_index(txq, idx);
+        return txq->tfds + trans_pcie->tfd_size * idx;
 }
 static inline void iwl_enable_rfkill_int(struct iwl_trans *trans)
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
index 16b345f54ff0..6d0a907d5ba5 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
@@ -171,8 +171,6 @@ static void iwl_pcie_gen2_tfd_unmap(struct iwl_trans *trans,
 static void iwl_pcie_gen2_free_tfd(struct iwl_trans *trans, struct iwl_txq *txq)
 {
-        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
        /* rd_ptr is bounded by TFD_QUEUE_SIZE_MAX and
         * idx is bounded by n_window
         */
@@ -181,7 +179,7 @@ static void iwl_pcie_gen2_free_tfd(struct iwl_trans *trans, struct iwl_txq *txq)
        lockdep_assert_held(&txq->lock);
        iwl_pcie_gen2_tfd_unmap(trans, &txq->entries[idx].meta,
-                                iwl_pcie_get_tfd(trans_pcie, txq, idx));
+                                iwl_pcie_get_tfd(trans, txq, idx));
        /* free SKB */
        if (txq->entries) {
@@ -364,11 +362,9 @@ struct iwl_tfh_tfd *iwl_pcie_gen2_build_tfd(struct iwl_trans *trans,
                                            struct sk_buff *skb,
                                            struct iwl_cmd_meta *out_meta)
 {
-        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
        int idx = iwl_pcie_get_cmd_index(txq, txq->write_ptr);
-        struct iwl_tfh_tfd *tfd =
+        struct iwl_tfh_tfd *tfd = iwl_pcie_get_tfd(trans, txq, idx);
-                iwl_pcie_get_tfd(trans_pcie, txq, idx);
        dma_addr_t tb_phys;
        bool amsdu;
        int i, len, tb1_len, tb2_len, hdr_len;
@@ -565,8 +561,7 @@ static int iwl_pcie_gen2_enqueue_hcmd(struct iwl_trans *trans,
        u8 group_id = iwl_cmd_groupid(cmd->id);
        const u8 *cmddata[IWL_MAX_CMD_TBS_PER_TFD];
        u16 cmdlen[IWL_MAX_CMD_TBS_PER_TFD];
-        struct iwl_tfh_tfd *tfd =
+        struct iwl_tfh_tfd *tfd = iwl_pcie_get_tfd(trans, txq, txq->write_ptr);
-                iwl_pcie_get_tfd(trans_pcie, txq, txq->write_ptr);
        memset(tfd, 0, sizeof(*tfd));
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
index fed6d842a5e1..3f85713c41dc 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
@@ -373,7 +373,7 @@ static void iwl_pcie_tfd_unmap(struct iwl_trans *trans,
 {
        struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
        int i, num_tbs;
-        void *tfd = iwl_pcie_get_tfd(trans_pcie, txq, index);
+        void *tfd = iwl_pcie_get_tfd(trans, txq, index);
        /* Sanity check on number of chunks */
        num_tbs = iwl_pcie_tfd_get_num_tbs(trans, tfd);
@@ -2018,7 +2018,7 @@ static int iwl_fill_data_tbs(struct iwl_trans *trans, struct sk_buff *skb,
        }
        trace_iwlwifi_dev_tx(trans->dev, skb,
-                             iwl_pcie_get_tfd(trans_pcie, txq, txq->write_ptr),
+                             iwl_pcie_get_tfd(trans, txq, txq->write_ptr),
                             trans_pcie->tfd_size,
                             &dev_cmd->hdr, IWL_FIRST_TB_SIZE + tb1_len,
                             hdr_len);
@@ -2092,7 +2092,7 @@ static int iwl_fill_data_tbs_amsdu(struct iwl_trans *trans, struct sk_buff *skb,
                IEEE80211_CCMP_HDR_LEN : 0;
        trace_iwlwifi_dev_tx(trans->dev, skb,
-                             iwl_pcie_get_tfd(trans_pcie, txq, txq->write_ptr),
+                             iwl_pcie_get_tfd(trans, txq, txq->write_ptr),
                             trans_pcie->tfd_size,
                             &dev_cmd->hdr, IWL_FIRST_TB_SIZE + tb1_len, 0);
@@ -2425,7 +2425,7 @@ int iwl_trans_pcie_tx(struct iwl_trans *trans, struct sk_buff *skb,
        memcpy(&txq->first_tb_bufs[txq->write_ptr], &dev_cmd->hdr,
               IWL_FIRST_TB_SIZE);
-        tfd = iwl_pcie_get_tfd(trans_pcie, txq, txq->write_ptr);
+        tfd = iwl_pcie_get_tfd(trans, txq, txq->write_ptr);
        /* Set up entry for this TFD in Tx byte-count array */
        iwl_pcie_txq_update_byte_cnt_tbl(trans, txq, le16_to_cpu(tx_cmd->len),
                                         iwl_pcie_tfd_get_num_tbs(trans, tfd));
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index e8189c07b41f..f6d4a50f1bdb 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -489,6 +489,7 @@ static const struct ieee80211_iface_combination hwsim_if_comb_p2p_dev[] = {
 static spinlock_t hwsim_radio_lock;
 static LIST_HEAD(hwsim_radios);
+static struct workqueue_struct *hwsim_wq;
 static int hwsim_radio_idx;
 static struct platform_driver mac80211_hwsim_driver = {
@@ -3120,6 +3121,11 @@ static int hwsim_new_radio_nl(struct sk_buff *msg, struct genl_info *info)
        if (info->attrs[HWSIM_ATTR_CHANNELS])
                param.channels = nla_get_u32(info->attrs[HWSIM_ATTR_CHANNELS]);
+        if (param.channels > CFG80211_MAX_NUM_DIFFERENT_CHANNELS) {
+                GENL_SET_ERR_MSG(info, "too many channels specified");
+                return -EINVAL;
+        }
        if (info->attrs[HWSIM_ATTR_NO_VIF])
                param.no_vif = true;
@@ -3342,7 +3348,7 @@ static void remove_user_radios(u32 portid)
                if (entry->destroy_on_close && entry->portid == portid) {
                        list_del(&entry->list);
                        INIT_WORK(&entry->destroy_work, destroy_radio);
-                        schedule_work(&entry->destroy_work);
+                        queue_work(hwsim_wq, &entry->destroy_work);
                }
        }
        spin_unlock_bh(&hwsim_radio_lock);
@@ -3417,7 +3423,7 @@ static void __net_exit hwsim_exit_net(struct net *net)
                list_del(&data->list);
                INIT_WORK(&data->destroy_work, destroy_radio);
-                schedule_work(&data->destroy_work);
+                queue_work(hwsim_wq, &data->destroy_work);
        }
        spin_unlock_bh(&hwsim_radio_lock);
 }
@@ -3449,6 +3455,10 @@ static int __init init_mac80211_hwsim(void)
        spin_lock_init(&hwsim_radio_lock);
+        hwsim_wq = alloc_workqueue("hwsim_wq",WQ_MEM_RECLAIM,0);
+        if (!hwsim_wq)
+                return -ENOMEM;
        err = register_pernet_device(&hwsim_net_ops);
        if (err)
                return err;
@@ -3587,8 +3597,11 @@ static void __exit exit_mac80211_hwsim(void)
        hwsim_exit_netlink();
        mac80211_hwsim_free();
+        flush_workqueue(hwsim_wq);
        unregister_netdev(hwsim_mon);
        platform_driver_unregister(&mac80211_hwsim_driver);
        unregister_pernet_device(&hwsim_net_ops);
+        destroy_workqueue(hwsim_wq);
 }
 module_exit(exit_mac80211_hwsim);
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index c5a34671abda..9bd7ddeeb6a5 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -1326,6 +1326,7 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev)
        netif_carrier_off(netdev);
+        xenbus_switch_state(dev, XenbusStateInitialising);
        return netdev;
 exit:
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 1e46e60b8f10..839650e0926a 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1335,6 +1335,7 @@ static void nvme_update_disk_info(struct gendisk *disk,
                struct nvme_ns *ns, struct nvme_id_ns *id)
 {
        sector_t capacity = le64_to_cpup(&id->nsze) << (ns->lba_shift - 9);
+        unsigned short bs = 1 << ns->lba_shift;
        unsigned stream_alignment = 0;
        if (ns->ctrl->nr_streams && ns->sws && ns->sgs)
@@ -1343,7 +1344,10 @@ static void nvme_update_disk_info(struct gendisk *disk,
        blk_mq_freeze_queue(disk->queue);
        blk_integrity_unregister(disk);
-        blk_queue_logical_block_size(disk->queue, 1 << ns->lba_shift);
+        blk_queue_logical_block_size(disk->queue, bs);
+        blk_queue_physical_block_size(disk->queue, bs);
+        blk_queue_io_min(disk->queue, bs);
        if (ns->ms && !ns->ext &&
            (ns->ctrl->ops->flags & NVME_F_METADATA_SUPPORTED))
                nvme_init_integrity(disk, ns->ms, ns->pi_type);
@@ -2987,6 +2991,7 @@ static void nvme_ns_remove(struct nvme_ns *ns)
        mutex_unlock(&ns->ctrl->namespaces_mutex);
        synchronize_srcu(&ns->head->srcu);
+        nvme_mpath_check_last_path(ns);
        nvme_put_ns(ns);
 }
diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
index 76b4fe6816a0..894c2ccb3891 100644
--- a/drivers/nvme/host/fabrics.c
+++ b/drivers/nvme/host/fabrics.c
@@ -74,6 +74,7 @@ static struct nvmf_host *nvmf_host_default(void)
                return NULL;
        kref_init(&host->ref);
+        uuid_gen(&host->id);
        snprintf(host->nqn, NVMF_NQN_SIZE,
                "nqn.2014-08.org.nvmexpress:uuid:%pUb", &host->id);
diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
index ea1aa5283e8e..a00eabd06427 100644
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -417,6 +417,15 @@ static inline void nvme_mpath_clear_current_path(struct nvme_ns *ns)
                rcu_assign_pointer(head->current_path, NULL);
 }
 struct nvme_ns *nvme_find_path(struct nvme_ns_head *head);
+static inline void nvme_mpath_check_last_path(struct nvme_ns *ns)
+{
+        struct nvme_ns_head *head = ns->head;
+        if (head->disk && list_empty(&head->list))
+                kblockd_schedule_work(&head->requeue_work);
+}
 #else
 static inline void nvme_failover_req(struct request *req)
 {
@@ -448,6 +457,9 @@ static inline void nvme_mpath_remove_disk_links(struct nvme_ns *ns)
 static inline void nvme_mpath_clear_current_path(struct nvme_ns *ns)
 {
 }
+static inline void nvme_mpath_check_last_path(struct nvme_ns *ns)
+{
+}
 #endif /* CONFIG_NVME_MULTIPATH */
 #ifdef CONFIG_NVM
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index f5800c3c9082..4276ebfff22b 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -448,12 +448,34 @@ static void **nvme_pci_iod_list(struct request *req)
        return (void **)(iod->sg + blk_rq_nr_phys_segments(req));
 }
+static inline bool nvme_pci_use_sgls(struct nvme_dev *dev, struct request *req)
+{
+        struct nvme_iod *iod = blk_mq_rq_to_pdu(req);
+        int nseg = blk_rq_nr_phys_segments(req);
+        unsigned int avg_seg_size;
+        if (nseg == 0)
+                return false;
+        avg_seg_size = DIV_ROUND_UP(blk_rq_payload_bytes(req), nseg);
+        if (!(dev->ctrl.sgls & ((1 << 0) | (1 << 1))))
+                return false;
+        if (!iod->nvmeq->qid)
+                return false;
+        if (!sgl_threshold || avg_seg_size < sgl_threshold)
+                return false;
+        return true;
+}
 static blk_status_t nvme_init_iod(struct request *rq, struct nvme_dev *dev)
 {
        struct nvme_iod *iod = blk_mq_rq_to_pdu(rq);
        int nseg = blk_rq_nr_phys_segments(rq);
        unsigned int size = blk_rq_payload_bytes(rq);
+        iod->use_sgl = nvme_pci_use_sgls(dev, rq);
        if (nseg > NVME_INT_PAGES || size > NVME_INT_BYTES(dev)) {
                size_t alloc_size = nvme_pci_iod_alloc_size(dev, size, nseg,
                                iod->use_sgl);
@@ -604,8 +626,6 @@ static blk_status_t nvme_pci_setup_prps(struct nvme_dev *dev,
        dma_addr_t prp_dma;
        int nprps, i;
-        iod->use_sgl = false;
        length -= (page_size - offset);
        if (length <= 0) {
                iod->first_dma = 0;
@@ -705,22 +725,19 @@ static void nvme_pci_sgl_set_seg(struct nvme_sgl_desc *sge,
 }
 static blk_status_t nvme_pci_setup_sgls(struct nvme_dev *dev,
-                struct request *req, struct nvme_rw_command *cmd)
+                struct request *req, struct nvme_rw_command *cmd, int entries)
 {
        struct nvme_iod *iod = blk_mq_rq_to_pdu(req);
-        int length = blk_rq_payload_bytes(req);
        struct dma_pool *pool;
        struct nvme_sgl_desc *sg_list;
        struct scatterlist *sg = iod->sg;
-        int entries = iod->nents, i = 0;
        dma_addr_t sgl_dma;
+        int i = 0;
-        iod->use_sgl = true;
        /* setting the transfer type as SGL */
        cmd->flags = NVME_CMD_SGL_METABUF;
-        if (length == sg_dma_len(sg)) {
+        if (entries == 1) {
                nvme_pci_sgl_set_data(&cmd->dptr.sgl, sg);
                return BLK_STS_OK;
        }
@@ -760,33 +777,12 @@ static blk_status_t nvme_pci_setup_sgls(struct nvme_dev *dev,
                }
                nvme_pci_sgl_set_data(&sg_list[i++], sg);
-                length -= sg_dma_len(sg);
                sg = sg_next(sg);
-                entries--;
+        } while (--entries > 0);
-        } while (length > 0);
-        WARN_ON(entries > 0);
        return BLK_STS_OK;
 }
-static inline bool nvme_pci_use_sgls(struct nvme_dev *dev, struct request *req)
-{
-        struct nvme_iod *iod = blk_mq_rq_to_pdu(req);
-        unsigned int avg_seg_size;
-        avg_seg_size = DIV_ROUND_UP(blk_rq_payload_bytes(req),
-                        blk_rq_nr_phys_segments(req));
-        if (!(dev->ctrl.sgls & ((1 << 0) | (1 << 1))))
-                return false;
-        if (!iod->nvmeq->qid)
-                return false;
-        if (!sgl_threshold || avg_seg_size < sgl_threshold)
-                return false;
-        return true;
-}
 static blk_status_t nvme_map_data(struct nvme_dev *dev, struct request *req,
                struct nvme_command *cmnd)
 {
@@ -795,6 +791,7 @@ static blk_status_t nvme_map_data(struct nvme_dev *dev, struct request *req,
        enum dma_data_direction dma_dir = rq_data_dir(req) ?
                        DMA_TO_DEVICE : DMA_FROM_DEVICE;
        blk_status_t ret = BLK_STS_IOERR;
+        int nr_mapped;
        sg_init_table(iod->sg, blk_rq_nr_phys_segments(req));
        iod->nents = blk_rq_map_sg(q, req, iod->sg);
@@ -802,12 +799,13 @@ static blk_status_t nvme_map_data(struct nvme_dev *dev, struct request *req,
                goto out;
        ret = BLK_STS_RESOURCE;
-        if (!dma_map_sg_attrs(dev->dev, iod->sg, iod->nents, dma_dir,
+        nr_mapped = dma_map_sg_attrs(dev->dev, iod->sg, iod->nents, dma_dir,
-                                DMA_ATTR_NO_WARN))
+                        DMA_ATTR_NO_WARN);
+        if (!nr_mapped)
                goto out;
-        if (nvme_pci_use_sgls(dev, req))
+        if (iod->use_sgl)
-                ret = nvme_pci_setup_sgls(dev, req, &cmnd->rw);
+                ret = nvme_pci_setup_sgls(dev, req, &cmnd->rw, nr_mapped);
        else
                ret = nvme_pci_setup_prps(dev, req, &cmnd->rw);
diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
index 37af56596be6..2a0bba7f50cf 100644
--- a/drivers/nvme/host/rdma.c
+++ b/drivers/nvme/host/rdma.c
@@ -974,12 +974,18 @@ static void nvme_rdma_error_recovery_work(struct work_struct *work)
        blk_mq_unquiesce_queue(ctrl->ctrl.admin_q);
        nvme_start_queues(&ctrl->ctrl);
+        if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_RECONNECTING)) {
+                /* state change failure should never happen */
+                WARN_ON_ONCE(1);
+                return;
+        }
        nvme_rdma_reconnect_or_remove(ctrl);
 }
 static void nvme_rdma_error_recovery(struct nvme_rdma_ctrl *ctrl)
 {
-        if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_RECONNECTING))
+        if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_RESETTING))
                return;
        queue_work(nvme_wq, &ctrl->err_work);
@@ -1753,6 +1759,12 @@ static void nvme_rdma_reset_ctrl_work(struct work_struct *work)
        nvme_stop_ctrl(&ctrl->ctrl);
        nvme_rdma_shutdown_ctrl(ctrl, false);
+        if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_RECONNECTING)) {
+                /* state change failure should never happen */
+                WARN_ON_ONCE(1);
+                return;
+        }
        ret = nvme_rdma_configure_admin_queue(ctrl, false);
        if (ret)
                goto out_fail;
diff --git a/drivers/nvme/target/fcloop.c b/drivers/nvme/target/fcloop.c
index 7b75d9de55ab..6a018a0bd6ce 100644
--- a/drivers/nvme/target/fcloop.c
+++ b/drivers/nvme/target/fcloop.c
@@ -1085,7 +1085,7 @@ fcloop_delete_target_port(struct device *dev, struct device_attribute *attr,
                const char *buf, size_t count)
 {
        struct fcloop_nport *nport = NULL, *tmpport;
-        struct fcloop_tport *tport;
+        struct fcloop_tport *tport = NULL;
        u64 nodename, portname;
        unsigned long flags;
        int ret;
diff --git a/drivers/of/of_mdio.c b/drivers/of/of_mdio.c
index 3481e69738b5..a327be1d264b 100644
--- a/drivers/of/of_mdio.c
+++ b/drivers/of/of_mdio.c
@@ -231,7 +231,12 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
                        rc = of_mdiobus_register_phy(mdio, child, addr);
                else
                        rc = of_mdiobus_register_device(mdio, child, addr);
-                if (rc)
+                if (rc == -ENODEV)
+                        dev_err(&mdio->dev,
+                                "MDIO device at address %d is missing.\n",
+                                addr);
+                else if (rc)
                        goto unregister;
        }
@@ -255,7 +260,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
                        if (of_mdiobus_child_is_phy(child)) {
                                rc = of_mdiobus_register_phy(mdio, child, addr);
-                                if (rc)
+                                if (rc && rc != -ENODEV)
                                        goto unregister;
                        }
                }
diff --git a/drivers/parisc/dino.c b/drivers/parisc/dino.c
index 0b3fb99d9b89..7390fb8ca9d1 100644
--- a/drivers/parisc/dino.c
+++ b/drivers/parisc/dino.c
@@ -303,7 +303,7 @@ static void dino_mask_irq(struct irq_data *d)
        struct dino_device *dino_dev = irq_data_get_irq_chip_data(d);
        int local_irq = gsc_find_local_irq(d->irq, dino_dev->global_irq, DINO_LOCAL_IRQS);
-        DBG(KERN_WARNING "%s(0x%p, %d)\n", __func__, dino_dev, d->irq);
+        DBG(KERN_WARNING "%s(0x%px, %d)\n", __func__, dino_dev, d->irq);
        /* Clear the matching bit in the IMR register */
        dino_dev->imr &= ~(DINO_MASK_IRQ(local_irq));
@@ -316,7 +316,7 @@ static void dino_unmask_irq(struct irq_data *d)
        int local_irq = gsc_find_local_irq(d->irq, dino_dev->global_irq, DINO_LOCAL_IRQS);
        u32 tmp;
-        DBG(KERN_WARNING "%s(0x%p, %d)\n", __func__, dino_dev, d->irq);
+        DBG(KERN_WARNING "%s(0x%px, %d)\n", __func__, dino_dev, d->irq);
        /*
        ** clear pending IRQ bits
@@ -396,7 +396,7 @@ ilr_again:
        if (mask) {
                if (--ilr_loop > 0)
                        goto ilr_again;
-                printk(KERN_ERR "Dino 0x%p: stuck interrupt %d\n", 
+                printk(KERN_ERR "Dino 0x%px: stuck interrupt %d\n",
                       dino_dev->hba.base_addr, mask);
                return IRQ_NONE;
        }
@@ -553,7 +553,7 @@ dino_fixup_bus(struct pci_bus *bus)
        struct pci_dev *dev;
        struct dino_device *dino_dev = DINO_DEV(parisc_walk_tree(bus->bridge));
-        DBG(KERN_WARNING "%s(0x%p) bus %d platform_data 0x%p\n",
+        DBG(KERN_WARNING "%s(0x%px) bus %d platform_data 0x%px\n",
            __func__, bus, bus->busn_res.start,
            bus->bridge->platform_data);
@@ -854,7 +854,7 @@ static int __init dino_common_init(struct parisc_device *dev,
        res->flags = IORESOURCE_IO; /* do not mark it busy ! */
        if (request_resource(&ioport_resource, res) < 0) {
                printk(KERN_ERR "%s: request I/O Port region failed "
-                       "0x%lx/%lx (hpa 0x%p)\n",
+                       "0x%lx/%lx (hpa 0x%px)\n",
                       name, (unsigned long)res->start, (unsigned long)res->end,
                       dino_dev->hba.base_addr);
                return 1;
diff --git a/drivers/parisc/eisa_eeprom.c b/drivers/parisc/eisa_eeprom.c
index 4dd9b1308128..99a80da6fd2e 100644
--- a/drivers/parisc/eisa_eeprom.c
+++ b/drivers/parisc/eisa_eeprom.c
@@ -106,7 +106,7 @@ static int __init eisa_eeprom_init(void)
                return retval;
        }
-        printk(KERN_INFO "EISA EEPROM at 0x%p\n", eisa_eeprom_addr);
+        printk(KERN_INFO "EISA EEPROM at 0x%px\n", eisa_eeprom_addr);
        return 0;
 }
diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c
index b4964b067aec..8f6e8e28996d 100644
--- a/drivers/phy/phy-core.c
+++ b/drivers/phy/phy-core.c
@@ -410,6 +410,10 @@ static struct phy *_of_phy_get(struct device_node *np, int index)
        if (ret)
                return ERR_PTR(-ENODEV);
+        /* This phy type handled by the usb-phy subsystem for now */
+        if (of_device_is_compatible(args.np, "usb-nop-xceiv"))
+                return ERR_PTR(-ENODEV);
        mutex_lock(&phy_provider_mutex);
        phy_provider = of_phy_provider_lookup(args.np);
        if (IS_ERR(phy_provider) || !try_module_get(phy_provider->owner)) {
diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
index 791449a2370f..daa68acbc900 100644
--- a/drivers/platform/x86/wmi.c
+++ b/drivers/platform/x86/wmi.c
@@ -1458,5 +1458,5 @@ static void __exit acpi_wmi_exit(void)
        class_unregister(&wmi_bus_class);
 }
-subsys_initcall(acpi_wmi_init);
+subsys_initcall_sync(acpi_wmi_init);
 module_exit(acpi_wmi_exit);
diff --git a/drivers/scsi/libsas/sas_scsi_host.c b/drivers/scsi/libsas/sas_scsi_host.c
index 58476b728c57..c9406852c3e9 100644
--- a/drivers/scsi/libsas/sas_scsi_host.c
+++ b/drivers/scsi/libsas/sas_scsi_host.c
@@ -486,15 +486,28 @@ static int sas_queue_reset(struct domain_device *dev, int reset_type,
 int sas_eh_abort_handler(struct scsi_cmnd *cmd)
 {
-        int res;
+        int res = TMF_RESP_FUNC_FAILED;
        struct sas_task *task = TO_SAS_TASK(cmd);
        struct Scsi_Host *host = cmd->device->host;
+        struct domain_device *dev = cmd_to_domain_dev(cmd);
        struct sas_internal *i = to_sas_internal(host->transportt);
+        unsigned long flags;
        if (!i->dft->lldd_abort_task)
                return FAILED;
-        res = i->dft->lldd_abort_task(task);
+        spin_lock_irqsave(host->host_lock, flags);
+        /* We cannot do async aborts for SATA devices */
+        if (dev_is_sata(dev) && !host->host_eh_scheduled) {
+                spin_unlock_irqrestore(host->host_lock, flags);
+                return FAILED;
+        }
+        spin_unlock_irqrestore(host->host_lock, flags);
+        if (task)
+                res = i->dft->lldd_abort_task(task);
+        else
+                SAS_DPRINTK("no task to abort\n");
        if (res == TMF_RESP_FUNC_SUCC || res == TMF_RESP_FUNC_COMPLETE)
                return SUCCESS;
diff --git a/drivers/ssb/Kconfig b/drivers/ssb/Kconfig
index d8e4219c2324..71c73766ee22 100644
--- a/drivers/ssb/Kconfig
+++ b/drivers/ssb/Kconfig
@@ -32,7 +32,7 @@ config SSB_BLOCKIO
 config SSB_PCIHOST_POSSIBLE
        bool
-        depends on SSB && (PCI = y || PCI = SSB)
+        depends on SSB && (PCI = y || PCI = SSB) && PCI_DRIVERS_LEGACY
        default y
 config SSB_PCIHOST
diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
index 0f695df14c9d..372ce9913e6d 100644
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -765,10 +765,12 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                break;
        case ASHMEM_SET_SIZE:
                ret = -EINVAL;
+                mutex_lock(&ashmem_mutex);
                if (!asma->file) {
                        ret = 0;
                        asma->size = (size_t)arg;
                }
+                mutex_unlock(&ashmem_mutex);
                break;
        case ASHMEM_GET_SIZE:
                ret = asma->size;
diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
index 93eff7dec2f5..1b3efb14aec7 100644
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -1147,11 +1147,7 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
        udc = kzalloc(sizeof(*udc), GFP_KERNEL);
        if (!udc)
-                goto err1;
+                goto err_put_gadget;
-        ret = device_add(&gadget->dev);
-        if (ret)
-                goto err2;
        device_initialize(&udc->dev);
        udc->dev.release = usb_udc_release;
@@ -1160,7 +1156,11 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
        udc->dev.parent = parent;
        ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj));
        if (ret)
-                goto err3;
+                goto err_put_udc;
+        ret = device_add(&gadget->dev);
+        if (ret)
+                goto err_put_udc;
        udc->gadget = gadget;
        gadget->udc = udc;
@@ -1170,7 +1170,7 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
        ret = device_add(&udc->dev);
        if (ret)
-                goto err4;
+                goto err_unlist_udc;
        usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED);
        udc->vbus = true;
@@ -1178,27 +1178,25 @@ int usb_add_gadget_udc_release(struct device *parent, struct usb_gadget *gadget,
        /* pick up one of pending gadget drivers */
        ret = check_pending_gadget_drivers(udc);
        if (ret)
-                goto err5;
+                goto err_del_udc;
        mutex_unlock(&udc_lock);
        return 0;
-err5:
+ err_del_udc:
        device_del(&udc->dev);
-err4:
+ err_unlist_udc:
        list_del(&udc->list);
        mutex_unlock(&udc_lock);
-err3:
-        put_device(&udc->dev);
        device_del(&gadget->dev);
-err2:
+ err_put_udc:
-        kfree(udc);
+        put_device(&udc->dev);
-err1:
+ err_put_gadget:
        put_device(&gadget->dev);
        return ret;
 }
diff --git a/drivers/usb/misc/usb3503.c b/drivers/usb/misc/usb3503.c
index 465dbf68b463..f723f7b8c9ac 100644
--- a/drivers/usb/misc/usb3503.c
+++ b/drivers/usb/misc/usb3503.c
@@ -279,6 +279,8 @@ static int usb3503_probe(struct usb3503 *hub)
        if (gpio_is_valid(hub->gpio_reset)) {
                err = devm_gpio_request_one(dev, hub->gpio_reset,
                                GPIOF_OUT_INIT_LOW, "usb3503 reset");
+                /* Datasheet defines a hardware reset to be at least 100us */
+                usleep_range(100, 10000);
                if (err) {
                        dev_err(dev,
                                "unable to request GPIO %d as reset pin (%d)\n",
diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c
index f6ae753ab99b..f932f40302df 100644
--- a/drivers/usb/mon/mon_bin.c
+++ b/drivers/usb/mon/mon_bin.c
@@ -1004,7 +1004,9 @@ static long mon_bin_ioctl(struct file *file, unsigned int cmd, unsigned long arg
                break;
        case MON_IOCQ_RING_SIZE:
+                mutex_lock(&rp->fetch_lock);
                ret = rp->b_size;
+                mutex_unlock(&rp->fetch_lock);
                break;
        case MON_IOCT_RING_SIZE:
@@ -1231,12 +1233,16 @@ static int mon_bin_vma_fault(struct vm_fault *vmf)
        unsigned long offset, chunk_idx;
        struct page *pageptr;
+        mutex_lock(&rp->fetch_lock);
        offset = vmf->pgoff << PAGE_SHIFT;
-        if (offset >= rp->b_size)
+        if (offset >= rp->b_size) {
+                mutex_unlock(&rp->fetch_lock);
                return VM_FAULT_SIGBUS;
+        }
        chunk_idx = offset / CHUNK_SIZE;
        pageptr = rp->b_vec[chunk_idx].pg;
        get_page(pageptr);
+        mutex_unlock(&rp->fetch_lock);
        vmf->page = pageptr;
        return 0;
 }
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 7c6273bf5beb..06d502b3e913 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -124,6 +124,7 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
        { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
        { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
+        { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
        { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
        { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
        { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
@@ -174,6 +175,7 @@ static const struct usb_device_id id_table[] = {
        { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
        { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
        { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
+        { USB_DEVICE(0x18EF, 0xE030) }, /* ELV ALC 8xxx Battery Charger */
        { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
        { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
        { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
index e6127fb21c12..a7d08ae0adad 100644
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -143,6 +143,13 @@ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
                USB_SC_DEVICE, USB_PR_DEVICE, NULL,
                US_FL_NO_ATA_1X),
+/* Reported-by: Icenowy Zheng <icenowy@aosc.io> */
+UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
+                "Norelsys",
+                "NS1068X",
+                USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+                US_FL_IGNORE_UAS),
 /* Reported-by: Takeo Nakayama <javhera@gmx.com> */
 UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
                "JMicron",
diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
index 7b219d9109b4..ee2bbce24584 100644
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -91,7 +91,7 @@ static void usbip_dump_usb_device(struct usb_device *udev)
        dev_dbg(dev, "       devnum(%d) devpath(%s) usb speed(%s)",
                udev->devnum, udev->devpath, usb_speed_string(udev->speed));
-        pr_debug("tt %p, ttport %d\n", udev->tt, udev->ttport);
+        pr_debug("tt hub ttport %d\n", udev->ttport);
        dev_dbg(dev, "                    ");
        for (i = 0; i < 16; i++)
@@ -124,12 +124,8 @@ static void usbip_dump_usb_device(struct usb_device *udev)
        }
        pr_debug("\n");
-        dev_dbg(dev, "parent %p, bus %p\n", udev->parent, udev->bus);
+        dev_dbg(dev, "parent %s, bus %s\n", dev_name(&udev->parent->dev),
+                udev->bus->bus_name);
-        dev_dbg(dev,
-                "descriptor %p, config %p, actconfig %p, rawdescriptors %p\n",
-                &udev->descriptor, udev->config,
-                udev->actconfig, udev->rawdescriptors);
        dev_dbg(dev, "have_langid %d, string_langid %d\n",
                udev->have_langid, udev->string_langid);
@@ -237,9 +233,6 @@ void usbip_dump_urb(struct urb *urb)
        dev = &urb->dev->dev;
-        dev_dbg(dev, "   urb                   :%p\n", urb);
-        dev_dbg(dev, "   dev                   :%p\n", urb->dev);
        usbip_dump_usb_device(urb->dev);
        dev_dbg(dev, "   pipe                  :%08x ", urb->pipe);
@@ -248,11 +241,9 @@ void usbip_dump_urb(struct urb *urb)
        dev_dbg(dev, "   status                :%d\n", urb->status);
        dev_dbg(dev, "   transfer_flags        :%08X\n", urb->transfer_flags);
-        dev_dbg(dev, "   transfer_buffer       :%p\n", urb->transfer_buffer);
        dev_dbg(dev, "   transfer_buffer_length:%d\n",
                                                urb->transfer_buffer_length);
        dev_dbg(dev, "   actual_length         :%d\n", urb->actual_length);
-        dev_dbg(dev, "   setup_packet          :%p\n", urb->setup_packet);
        if (urb->setup_packet && usb_pipetype(urb->pipe) == PIPE_CONTROL)
                usbip_dump_usb_ctrlrequest(
@@ -262,8 +253,6 @@ void usbip_dump_urb(struct urb *urb)
        dev_dbg(dev, "   number_of_packets     :%d\n", urb->number_of_packets);
        dev_dbg(dev, "   interval              :%d\n", urb->interval);
        dev_dbg(dev, "   error_count           :%d\n", urb->error_count);
-        dev_dbg(dev, "   context               :%p\n", urb->context);
-        dev_dbg(dev, "   complete              :%p\n", urb->complete);
 }
 EXPORT_SYMBOL_GPL(usbip_dump_urb);
diff --git a/drivers/usb/usbip/vudc_rx.c b/drivers/usb/usbip/vudc_rx.c
index df1e30989148..1e8a23d92cb4 100644
--- a/drivers/usb/usbip/vudc_rx.c
+++ b/drivers/usb/usbip/vudc_rx.c
@@ -120,6 +120,25 @@ static int v_recv_cmd_submit(struct vudc *udc,
        urb_p->new = 1;
        urb_p->seqnum = pdu->base.seqnum;
+        if (urb_p->ep->type == USB_ENDPOINT_XFER_ISOC) {
+                /* validate packet size and number of packets */
+                unsigned int maxp, packets, bytes;
+                maxp = usb_endpoint_maxp(urb_p->ep->desc);
+                maxp *= usb_endpoint_maxp_mult(urb_p->ep->desc);
+                bytes = pdu->u.cmd_submit.transfer_buffer_length;
+                packets = DIV_ROUND_UP(bytes, maxp);
+                if (pdu->u.cmd_submit.number_of_packets < 0 ||
+                    pdu->u.cmd_submit.number_of_packets > packets) {
+                        dev_err(&udc->gadget.dev,
+                                "CMD_SUBMIT: isoc invalid num packets %d\n",
+                                pdu->u.cmd_submit.number_of_packets);
+                        ret = -EMSGSIZE;
+                        goto free_urbp;
+                }
+        }
        ret = alloc_urb_from_cmd(&urb_p->urb, pdu, urb_p->ep->type);
        if (ret) {
                usbip_event_add(&udc->ud, VUDC_EVENT_ERROR_MALLOC);
diff --git a/drivers/usb/usbip/vudc_tx.c b/drivers/usb/usbip/vudc_tx.c
index 1440ae0919ec..3ccb17c3e840 100644
--- a/drivers/usb/usbip/vudc_tx.c
+++ b/drivers/usb/usbip/vudc_tx.c
@@ -85,6 +85,13 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p)
        memset(&pdu_header, 0, sizeof(pdu_header));
        memset(&msg, 0, sizeof(msg));
+        if (urb->actual_length > 0 && !urb->transfer_buffer) {
+                dev_err(&udc->gadget.dev,
+                        "urb: actual_length %d transfer_buffer null\n",
+                        urb->actual_length);
+                return -1;
+        }
        if (urb_p->type == USB_ENDPOINT_XFER_ISOC)
                iovnum = 2 + urb->number_of_packets;
        else
@@ -100,8 +107,8 @@ static int v_send_ret_submit(struct vudc *udc, struct urbp *urb_p)
        /* 1. setup usbip_header */
        setup_ret_submit_pdu(&pdu_header, urb_p);
-        usbip_dbg_stub_tx("setup txdata seqnum: %d urb: %p\n",
+        usbip_dbg_stub_tx("setup txdata seqnum: %d\n",
-                          pdu_header.base.seqnum, urb);
+                          pdu_header.base.seqnum);
        usbip_header_correct_endian(&pdu_header, 1);
        iov[iovnum].iov_base = &pdu_header;
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 33ac2b186b85..5727b186b3ca 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -904,7 +904,7 @@ static void vhost_dev_lock_vqs(struct vhost_dev *d)
 {
        int i = 0;
        for (i = 0; i < d->nvqs; ++i)
-                mutex_lock(&d->vqs[i]->mutex);
+                mutex_lock_nested(&d->vqs[i]->mutex, i);
 }
 static void vhost_dev_unlock_vqs(struct vhost_dev *d)
@@ -1015,6 +1015,10 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev,
                vhost_iotlb_notify_vq(dev, msg);
                break;
        case VHOST_IOTLB_INVALIDATE:
+                if (!dev->iotlb) {
+                        ret = -EFAULT;
+                        break;
+                }
                vhost_vq_meta_reset(dev);
                vhost_del_umem_range(dev->iotlb, msg->iova,
                                     msg->iova + msg->size - 1);
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index 57efbd3b053b..bd56653b9bbc 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -380,10 +380,8 @@ static int unmap_grant_pages(struct grant_map *map, int offset, int pages)
                }
                range = 0;
                while (range < pages) {
-                        if (map->unmap_ops[offset+range].handle == -1) {
+                        if (map->unmap_ops[offset+range].handle == -1)
-                                range--;
                                break;
-                        }
                        range++;
                }
                err = __unmap_grant_pages(map, offset, range);
@@ -1073,8 +1071,10 @@ unlock_out:
 out_unlock_put:
        mutex_unlock(&priv->lock);
 out_put_map:
-        if (use_ptemod)
+        if (use_ptemod) {
                map->vma = NULL;
+                unmap_grant_pages(map, 0, map->count);
+        }
        gntdev_put_map(priv, map);
        return err;
 }
diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 056276101c63..a6226cd6063c 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1633,28 +1633,18 @@ void btrfs_readdir_put_delayed_items(struct inode *inode,
 int btrfs_should_delete_dir_index(struct list_head *del_list,
                                  u64 index)
 {
-        struct btrfs_delayed_item *curr, *next;
+        struct btrfs_delayed_item *curr;
-        int ret;
+        int ret = 0;
-        if (list_empty(del_list))
-                return 0;
-        list_for_each_entry_safe(curr, next, del_list, readdir_list) {
+        list_for_each_entry(curr, del_list, readdir_list) {
                if (curr->key.offset > index)
                        break;
+                if (curr->key.offset == index) {
-                list_del(&curr->readdir_list);
+                        ret = 1;
-                ret = (curr->key.offset == index);
+                        break;
+                }
-                if (refcount_dec_and_test(&curr->refs))
-                        kfree(curr);
-                if (ret)
-                        return 1;
-                else
-                        continue;
        }
-        return 0;
+        return ret;
 }
 /*
diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
index f650e475d8f0..fdf2aad73470 100644
--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -60,10 +60,10 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
                                gi->gid[i] = exp->ex_anon_gid;
                        else
                                gi->gid[i] = rqgi->gid[i];
-                        /* Each thread allocates its own gi, no race */
-                        groups_sort(gi);
                }
+                /* Each thread allocates its own gi, no race */
+                groups_sort(gi);
        } else {
                gi = get_group_info(rqgi);
        }
diff --git a/fs/orangefs/devorangefs-req.c b/fs/orangefs/devorangefs-req.c
index ded456f17de6..c584ad8d023c 100644
--- a/fs/orangefs/devorangefs-req.c
+++ b/fs/orangefs/devorangefs-req.c
@@ -162,7 +162,7 @@ static ssize_t orangefs_devreq_read(struct file *file,
        struct orangefs_kernel_op_s *op, *temp;
        __s32 proto_ver = ORANGEFS_KERNEL_PROTO_VERSION;
        static __s32 magic = ORANGEFS_DEVREQ_MAGIC;
-        struct orangefs_kernel_op_s *cur_op = NULL;
+        struct orangefs_kernel_op_s *cur_op;
        unsigned long ret;
        /* We do not support blocking IO. */
@@ -186,6 +186,7 @@ static ssize_t orangefs_devreq_read(struct file *file,
                return -EAGAIN;
 restart:
+        cur_op = NULL;
        /* Get next op (if any) from top of list. */
        spin_lock(&orangefs_request_list_lock);
        list_for_each_entry_safe(op, temp, &orangefs_request_list, list) {
diff --git a/fs/orangefs/file.c b/fs/orangefs/file.c
index 1668fd645c45..0d228cd087e6 100644
--- a/fs/orangefs/file.c
+++ b/fs/orangefs/file.c
@@ -452,7 +452,7 @@ ssize_t orangefs_inode_read(struct inode *inode,
 static ssize_t orangefs_file_read_iter(struct kiocb *iocb, struct iov_iter *iter)
 {
        struct file *file = iocb->ki_filp;
-        loff_t pos = *(&iocb->ki_pos);
+        loff_t pos = iocb->ki_pos;
        ssize_t rc = 0;
        BUG_ON(iocb->private);
@@ -492,9 +492,6 @@ static ssize_t orangefs_file_write_iter(struct kiocb *iocb, struct iov_iter *ite
                }
        }
-        if (file->f_pos > i_size_read(file->f_mapping->host))
-                orangefs_i_size_write(file->f_mapping->host, file->f_pos);
        rc = generic_write_checks(iocb, iter);
        if (rc <= 0) {
@@ -508,7 +505,7 @@ static ssize_t orangefs_file_write_iter(struct kiocb *iocb, struct iov_iter *ite
         * pos to the end of the file, so we will wait till now to set
         * pos...
         */
-        pos = *(&iocb->ki_pos);
+        pos = iocb->ki_pos;
        rc = do_readv_writev(ORANGEFS_IO_WRITE,
                             file,
diff --git a/fs/orangefs/orangefs-kernel.h b/fs/orangefs/orangefs-kernel.h
index 97adf7d100b5..2595453fe737 100644
--- a/fs/orangefs/orangefs-kernel.h
+++ b/fs/orangefs/orangefs-kernel.h
@@ -533,17 +533,6 @@ do {									\
        sys_attr.mask = ORANGEFS_ATTR_SYS_ALL_SETABLE;                  \
 } while (0)
-static inline void orangefs_i_size_write(struct inode *inode, loff_t i_size)
-{
-#if BITS_PER_LONG == 32 && defined(CONFIG_SMP)
-        inode_lock(inode);
-#endif
-        i_size_write(inode, i_size);
-#if BITS_PER_LONG == 32 && defined(CONFIG_SMP)
-        inode_unlock(inode);
-#endif
-}
 static inline void orangefs_set_timeout(struct dentry *dentry)
 {
        unsigned long time = jiffies + orangefs_dcache_timeout_msecs*HZ/1000;
diff --git a/fs/orangefs/waitqueue.c b/fs/orangefs/waitqueue.c
index 835c6e148afc..0577d6dba8c8 100644
--- a/fs/orangefs/waitqueue.c
+++ b/fs/orangefs/waitqueue.c
@@ -29,10 +29,10 @@ static void orangefs_clean_up_interrupted_operation(struct orangefs_kernel_op_s
 */
 void purge_waiting_ops(void)
 {
-        struct orangefs_kernel_op_s *op;
+        struct orangefs_kernel_op_s *op, *tmp;
        spin_lock(&orangefs_request_list_lock);
-        list_for_each_entry(op, &orangefs_request_list, list) {
+        list_for_each_entry_safe(op, tmp, &orangefs_request_list, list) {
                gossip_debug(GOSSIP_WAIT_DEBUG,
                             "pvfs2-client-core: purging op tag %llu %s\n",
                             llu(op->tag),
diff --git a/fs/proc/array.c b/fs/proc/array.c
index 79375fc115d2..d67a72dcb92c 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -430,8 +430,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
                 * safe because the task has stopped executing permanently.
                 */
                if (permitted && (task->flags & PF_DUMPCORE)) {
-                        eip = KSTK_EIP(task);
+                        if (try_get_task_stack(task)) {
-                        esp = KSTK_ESP(task);
+                                eip = KSTK_EIP(task);
+                                esp = KSTK_ESP(task);
+                                put_task_stack(task);
+                        }
                }
        }
diff --git a/fs/super.c b/fs/super.c
index 7ff1349609e4..06bd25d90ba5 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -517,7 +517,11 @@ retry:
        hlist_add_head(&s->s_instances, &type->fs_supers);
        spin_unlock(&sb_lock);
        get_filesystem(type);
-        register_shrinker(&s->s_shrink);
+        err = register_shrinker(&s->s_shrink);
+        if (err) {
+                deactivate_locked_super(s);
+                s = ERR_PTR(err);
+        }
        return s;
 }
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index e55e4255a210..0b25cf87b6d6 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -43,7 +43,14 @@ struct bpf_map_ops {
 };
 struct bpf_map {
-        atomic_t refcnt;
+        /* 1st cacheline with read-mostly members of which some
+         * are also accessed in fast-path (e.g. ops, max_entries).
+         */
+        const struct bpf_map_ops *ops ____cacheline_aligned;
+        struct bpf_map *inner_map_meta;
+#ifdef CONFIG_SECURITY
+        void *security;
+#endif
        enum bpf_map_type map_type;
        u32 key_size;
        u32 value_size;
@@ -52,15 +59,17 @@ struct bpf_map {
        u32 pages;
        u32 id;
        int numa_node;
-        struct user_struct *user;
+        bool unpriv_array;
-        const struct bpf_map_ops *ops;
+        /* 7 bytes hole */
-        struct work_struct work;
+        /* 2nd cacheline with misc members to avoid false sharing
+         * particularly with refcounting.
+         */
+        struct user_struct *user ____cacheline_aligned;
+        atomic_t refcnt;
        atomic_t usercnt;
-        struct bpf_map *inner_map_meta;
+        struct work_struct work;
        char name[BPF_OBJ_NAME_LEN];
-#ifdef CONFIG_SECURITY
-        void *security;
-#endif
 };
 /* function argument constraints */
@@ -221,6 +230,7 @@ struct bpf_prog_aux {
 struct bpf_array {
        struct bpf_map map;
        u32 elem_size;
+        u32 index_mask;
        /* 'ownership' of prog_array is claimed by the first program that
         * is going to use this map or by the first program which FD is stored
         * in the map to make sure that all callers and callees have the same
@@ -419,6 +429,8 @@ static inline int bpf_map_attr_numa_node(const union bpf_attr *attr)
                attr->numa_node : NUMA_NO_NODE;
 }
+struct bpf_prog *bpf_prog_get_type_path(const char *name, enum bpf_prog_type type);
 #else /* !CONFIG_BPF_SYSCALL */
 static inline struct bpf_prog *bpf_prog_get(u32 ufd)
 {
@@ -506,6 +518,12 @@ static inline int cpu_map_enqueue(struct bpf_cpu_map_entry *rcpu,
 {
        return 0;
 }
+static inline struct bpf_prog *bpf_prog_get_type_path(const char *name,
+                                enum bpf_prog_type type)
+{
+        return ERR_PTR(-EOPNOTSUPP);
+}
 #endif /* CONFIG_BPF_SYSCALL */
 static inline struct bpf_prog *bpf_prog_get_type(u32 ufd,
@@ -514,6 +532,8 @@ static inline struct bpf_prog *bpf_prog_get_type(u32 ufd,
        return bpf_prog_get_type_dev(ufd, type, false);
 }
+bool bpf_prog_get_ok(struct bpf_prog *, enum bpf_prog_type *, bool);
 int bpf_prog_offload_compile(struct bpf_prog *prog);
 void bpf_prog_offload_destroy(struct bpf_prog *prog);
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 2272ded07496..631354acfa72 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -219,7 +219,7 @@
 /* Mark a function definition as prohibited from being cloned. */
 #define __noclone       __attribute__((__noclone__, __optimize__("no-tracer")))
-#ifdef RANDSTRUCT_PLUGIN
+#if defined(RANDSTRUCT_PLUGIN) && !defined(__CHECKER__)
 #define __randomize_layout __attribute__((randomize_layout))
 #define __no_randomize_layout __attribute__((no_randomize_layout))
 #endif
diff --git a/include/linux/completion.h b/include/linux/completion.h
index 94a59ba7d422..519e94915d18 100644
--- a/include/linux/completion.h
+++ b/include/linux/completion.h
@@ -32,7 +32,6 @@ struct completion {
 #define init_completion(x) __init_completion(x)
 static inline void complete_acquire(struct completion *x) {}
 static inline void complete_release(struct completion *x) {}
-static inline void complete_release_commit(struct completion *x) {}
 #define COMPLETION_INITIALIZER(work) \
        { 0, __WAIT_QUEUE_HEAD_INITIALIZER((work).wait) }
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index a04ef7c15c6a..7b01bc11c692 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -47,6 +47,13 @@ extern void cpu_remove_dev_attr(struct device_attribute *attr);
 extern int cpu_add_dev_attr_group(struct attribute_group *attrs);
 extern void cpu_remove_dev_attr_group(struct attribute_group *attrs);
+extern ssize_t cpu_show_meltdown(struct device *dev,
+                                 struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_spectre_v1(struct device *dev,
+                                   struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_spectre_v2(struct device *dev,
+                                   struct device_attribute *attr, char *buf);
 extern __printf(4, 5)
 struct device *cpu_device_create(struct device *parent, void *drvdata,
                                 const struct attribute_group **groups,
diff --git a/include/linux/crash_core.h b/include/linux/crash_core.h
index 06097ef30449..b511f6d24b42 100644
--- a/include/linux/crash_core.h
+++ b/include/linux/crash_core.h
@@ -42,6 +42,8 @@ phys_addr_t paddr_vmcoreinfo_note(void);
        vmcoreinfo_append_str("PAGESIZE=%ld\n", value)
 #define VMCOREINFO_SYMBOL(name) \
        vmcoreinfo_append_str("SYMBOL(%s)=%lx\n", #name, (unsigned long)&name)
+#define VMCOREINFO_SYMBOL_ARRAY(name) \
+        vmcoreinfo_append_str("SYMBOL(%s)=%lx\n", #name, (unsigned long)name)
 #define VMCOREINFO_SIZE(name) \
        vmcoreinfo_append_str("SIZE(%s)=%lu\n", #name, \
                              (unsigned long)sizeof(name))
diff --git a/include/linux/delayacct.h b/include/linux/delayacct.h
index 4178d2493547..5e335b6203f4 100644
--- a/include/linux/delayacct.h
+++ b/include/linux/delayacct.h
@@ -71,7 +71,7 @@ extern void delayacct_init(void);
 extern void __delayacct_tsk_init(struct task_struct *);
 extern void __delayacct_tsk_exit(struct task_struct *);
 extern void __delayacct_blkio_start(void);
-extern void __delayacct_blkio_end(void);
+extern void __delayacct_blkio_end(struct task_struct *);
 extern int __delayacct_add_tsk(struct taskstats *, struct task_struct *);
 extern __u64 __delayacct_blkio_ticks(struct task_struct *);
 extern void __delayacct_freepages_start(void);
@@ -122,10 +122,10 @@ static inline void delayacct_blkio_start(void)
                __delayacct_blkio_start();
 }
-static inline void delayacct_blkio_end(void)
+static inline void delayacct_blkio_end(struct task_struct *p)
 {
        if (current->delays)
-                __delayacct_blkio_end();
+                __delayacct_blkio_end(p);
        delayacct_clear_flag(DELAYACCT_PF_BLKIO);
 }
@@ -169,7 +169,7 @@ static inline void delayacct_tsk_free(struct task_struct *tsk)
 {}
 static inline void delayacct_blkio_start(void)
 {}
-static inline void delayacct_blkio_end(void)
+static inline void delayacct_blkio_end(struct task_struct *p)
 {}
 static inline int delayacct_add_tsk(struct taskstats *d,
                                        struct task_struct *tsk)
diff --git a/include/linux/ftrace.h b/include/linux/ftrace.h
index 2bab81951ced..3319df9727aa 100644
--- a/include/linux/ftrace.h
+++ b/include/linux/ftrace.h
@@ -332,6 +332,8 @@ extern int ftrace_text_reserved(const void *start, const void *end);
 extern int ftrace_nr_registered_ops(void);
+struct ftrace_ops *ftrace_ops_trampoline(unsigned long addr);
 bool is_ftrace_trampoline(unsigned long addr);
 /*
diff --git a/include/linux/irqflags.h b/include/linux/irqflags.h
index 46cb57d5eb13..1b3996ff3f16 100644
--- a/include/linux/irqflags.h
+++ b/include/linux/irqflags.h
@@ -27,22 +27,18 @@
 # define trace_hardirq_enter()                  \
 do {                                            \
        current->hardirq_context++;             \
-        crossrelease_hist_start(XHLOCK_HARD);   \
 } while (0)
 # define trace_hardirq_exit()                   \
 do {                                            \
        current->hardirq_context--;             \
-        crossrelease_hist_end(XHLOCK_HARD);     \
 } while (0)
 # define lockdep_softirq_enter()                \
 do {                                            \
        current->softirq_context++;             \
-        crossrelease_hist_start(XHLOCK_SOFT);   \
 } while (0)
 # define lockdep_softirq_exit()                 \
 do {                                            \
        current->softirq_context--;             \
-        crossrelease_hist_end(XHLOCK_SOFT);     \
 } while (0)
 # define INIT_TRACE_IRQFLAGS    .softirqs_enabled = 1,
 #else
diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
index 2e75dc34bff5..3251d9c0d313 100644
--- a/include/linux/lockdep.h
+++ b/include/linux/lockdep.h
@@ -475,8 +475,6 @@ enum xhlock_context_t {
 #define STATIC_LOCKDEP_MAP_INIT(_name, _key) \
        { .name = (_name), .key = (void *)(_key), }
-static inline void crossrelease_hist_start(enum xhlock_context_t c) {}
-static inline void crossrelease_hist_end(enum xhlock_context_t c) {}
 static inline void lockdep_invariant_state(bool force) {}
 static inline void lockdep_init_task(struct task_struct *task) {}
 static inline void lockdep_free_task(struct task_struct *task) {}
diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
index 1f509d072026..a0610427e168 100644
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -36,6 +36,7 @@
 #include <linux/kernel.h>
 #include <linux/completion.h>
 #include <linux/pci.h>
+#include <linux/irq.h>
 #include <linux/spinlock_types.h>
 #include <linux/semaphore.h>
 #include <linux/slab.h>
@@ -1231,7 +1232,23 @@ enum {
 static inline const struct cpumask *
 mlx5_get_vector_affinity(struct mlx5_core_dev *dev, int vector)
 {
-        return pci_irq_get_affinity(dev->pdev, MLX5_EQ_VEC_COMP_BASE + vector);
+        const struct cpumask *mask;
+        struct irq_desc *desc;
+        unsigned int irq;
+        int eqn;
+        int err;
+        err = mlx5_vector2eqn(dev, vector, &eqn, &irq);
+        if (err)
+                return NULL;
+        desc = irq_to_desc(irq);
+#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK
+        mask = irq_data_get_effective_affinity_mask(&desc->irq_data);
+#else
+        mask = desc->irq_common_data.affinity;
+#endif
+        return mask;
 }
 #endif /* MLX5_DRIVER_H */
diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
index d44ec5f41d4a..1391a82da98e 100644
--- a/include/linux/mlx5/mlx5_ifc.h
+++ b/include/linux/mlx5/mlx5_ifc.h
@@ -1027,8 +1027,9 @@ struct mlx5_ifc_cmd_hca_cap_bits {
        u8         log_max_wq_sz[0x5];
        u8         nic_vport_change_event[0x1];
-        u8         disable_local_lb[0x1];
+        u8         disable_local_lb_uc[0x1];
-        u8         reserved_at_3e2[0x9];
+        u8         disable_local_lb_mc[0x1];
+        u8         reserved_at_3e3[0x8];
        u8         log_max_vlan_list[0x5];
        u8         reserved_at_3f0[0x3];
        u8         log_max_current_mc_list[0x5];
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index 49b4257ce1ea..f3075d6c7e82 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -85,7 +85,7 @@ struct netlink_ext_ack {
 * to the lack of an output buffer.)
 */
 #define NL_SET_ERR_MSG(extack, msg) do {                \
-        static const char __msg[] = (msg);              \
+        static const char __msg[] = msg;                \
        struct netlink_ext_ack *__extack = (extack);    \
                                                        \
        if (__extack)                                   \
@@ -101,7 +101,7 @@ struct netlink_ext_ack {
 } while (0)
 #define NL_SET_ERR_MSG_ATTR(extack, attr, msg) do {     \
-        static const char __msg[] = (msg);              \
+        static const char __msg[] = msg;                \
        struct netlink_ext_ack *__extack = (extack);    \
                                                        \
        if (__extack) {                                 \
diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
index 6866df4f31b5..d72b2e7dd500 100644
--- a/include/linux/ptr_ring.h
+++ b/include/linux/ptr_ring.h
@@ -174,6 +174,15 @@ static inline int ptr_ring_produce_bh(struct ptr_ring *r, void *ptr)
 * if they dereference the pointer - see e.g. PTR_RING_PEEK_CALL.
 * If ring is never resized, and if the pointer is merely
 * tested, there's no need to take the lock - see e.g.  __ptr_ring_empty.
+ * However, if called outside the lock, and if some other CPU
+ * consumes ring entries at the same time, the value returned
+ * is not guaranteed to be correct.
+ * In this case - to avoid incorrectly detecting the ring
+ * as empty - the CPU consuming the ring entries is responsible
+ * for either consuming all ring entries until the ring is empty,
+ * or synchronizing with some other CPU and causing it to
+ * execute __ptr_ring_peek and/or consume the ring enteries
+ * after the synchronization point.
 */
 static inline void *__ptr_ring_peek(struct ptr_ring *r)
 {
@@ -182,10 +191,7 @@ static inline void *__ptr_ring_peek(struct ptr_ring *r)
        return NULL;
 }
-/* Note: callers invoking this in a loop must use a compiler barrier,
+/* See __ptr_ring_peek above for locking rules. */
- * for example cpu_relax(). Callers must take consumer_lock
- * if the ring is ever resized - see e.g. ptr_ring_empty.
- */
 static inline bool __ptr_ring_empty(struct ptr_ring *r)
 {
        return !__ptr_ring_peek(r);
diff --git a/include/linux/sh_eth.h b/include/linux/sh_eth.h
index ff3642d267f7..94081e9a5010 100644
--- a/include/linux/sh_eth.h
+++ b/include/linux/sh_eth.h
@@ -17,7 +17,6 @@ struct sh_eth_plat_data {
        unsigned char mac_addr[ETH_ALEN];
        unsigned no_ether_link:1;
        unsigned ether_link_active_low:1;
-        unsigned needs_init:1;
 };
 #endif
diff --git a/include/linux/swapops.h b/include/linux/swapops.h
index 9c5a2628d6ce..1d3877c39a00 100644
--- a/include/linux/swapops.h
+++ b/include/linux/swapops.h
@@ -124,6 +124,11 @@ static inline bool is_write_device_private_entry(swp_entry_t entry)
        return unlikely(swp_type(entry) == SWP_DEVICE_WRITE);
 }
+static inline unsigned long device_private_entry_to_pfn(swp_entry_t entry)
+{
+        return swp_offset(entry);
+}
 static inline struct page *device_private_entry_to_page(swp_entry_t entry)
 {
        return pfn_to_page(swp_offset(entry));
@@ -154,6 +159,11 @@ static inline bool is_write_device_private_entry(swp_entry_t entry)
        return false;
 }
+static inline unsigned long device_private_entry_to_pfn(swp_entry_t entry)
+{
+        return 0;
+}
 static inline struct page *device_private_entry_to_page(swp_entry_t entry)
 {
        return NULL;
@@ -189,6 +199,11 @@ static inline int is_write_migration_entry(swp_entry_t entry)
        return unlikely(swp_type(entry) == SWP_MIGRATION_WRITE);
 }
+static inline unsigned long migration_entry_to_pfn(swp_entry_t entry)
+{
+        return swp_offset(entry);
+}
 static inline struct page *migration_entry_to_page(swp_entry_t entry)
 {
        struct page *p = pfn_to_page(swp_offset(entry));
@@ -218,6 +233,12 @@ static inline int is_migration_entry(swp_entry_t swp)
 {
        return 0;
 }
+static inline unsigned long migration_entry_to_pfn(swp_entry_t entry)
+{
+        return 0;
+}
 static inline struct page *migration_entry_to_page(swp_entry_t entry)
 {
        return NULL;
diff --git a/include/net/arp.h b/include/net/arp.h
index dc8cd47f883b..977aabfcdc03 100644
--- a/include/net/arp.h
+++ b/include/net/arp.h
@@ -20,6 +20,9 @@ static inline u32 arp_hashfn(const void *pkey, const struct net_device *dev, u32
 static inline struct neighbour *__ipv4_neigh_lookup_noref(struct net_device *dev, u32 key)
 {
+        if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
+                key = INADDR_ANY;
        return ___neigh_lookup_noref(&arp_tbl, neigh_key_eq32, arp_hashfn, &key, dev);
 }
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index cb4d92b79cd9..fb94a8bd8ab5 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -815,6 +815,8 @@ struct cfg80211_csa_settings {
        u8 count;
 };
+#define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10
 /**
 * struct iface_combination_params - input parameters for interface combinations
 *
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index f73797e2fa60..221238254eb7 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -331,6 +331,7 @@ int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq,
                           int flags);
 int ip6_flowlabel_init(void);
 void ip6_flowlabel_cleanup(void);
+bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np);
 static inline void fl6_sock_release(struct ip6_flowlabel *fl)
 {
diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
index 8e08b6da72f3..753ac9361154 100644
--- a/include/net/pkt_cls.h
+++ b/include/net/pkt_cls.h
@@ -522,7 +522,7 @@ static inline unsigned char * tcf_get_base_ptr(struct sk_buff *skb, int layer)
 {
        switch (layer) {
                case TCF_LAYER_LINK:
-                        return skb->data;
+                        return skb_mac_header(skb);
                case TCF_LAYER_NETWORK:
                        return skb_network_header(skb);
                case TCF_LAYER_TRANSPORT:
diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
index 83a3e47d5845..becf86aa4ac6 100644
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -179,6 +179,7 @@ struct Qdisc_ops {
        const struct Qdisc_class_ops    *cl_ops;
        char                    id[IFNAMSIZ];
        int                     priv_size;
+        unsigned int            static_flags;
        int                     (*enqueue)(struct sk_buff *skb,
                                           struct Qdisc *sch,
@@ -444,6 +445,7 @@ void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, unsigned int n,
                               unsigned int len);
 struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
                          const struct Qdisc_ops *ops);
+void qdisc_free(struct Qdisc *qdisc);
 struct Qdisc *qdisc_create_dflt(struct netdev_queue *dev_queue,
                                const struct Qdisc_ops *ops, u32 parentid);
 void __qdisc_calculate_pkt_len(struct sk_buff *skb,
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 2f8f93da5dc2..9a5ccf03a59b 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -966,7 +966,7 @@ void sctp_transport_burst_limited(struct sctp_transport *);
 void sctp_transport_burst_reset(struct sctp_transport *);
 unsigned long sctp_transport_timeout(struct sctp_transport *);
 void sctp_transport_reset(struct sctp_transport *t);
-void sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu);
+bool sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu);
 void sctp_transport_immediate_rtx(struct sctp_transport *);
 void sctp_transport_dst_release(struct sctp_transport *t);
 void sctp_transport_dst_confirm(struct sctp_transport *t);
diff --git a/include/net/tls.h b/include/net/tls.h
index 936cfc5cab7d..9185e53a743c 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -170,7 +170,7 @@ static inline bool tls_is_pending_open_record(struct tls_context *tls_ctx)
 static inline void tls_err_abort(struct sock *sk)
 {
-        sk->sk_err = -EBADMSG;
+        sk->sk_err = EBADMSG;
        sk->sk_error_report(sk);
 }
diff --git a/include/net/vxlan.h b/include/net/vxlan.h
index 13223396dc64..f96391e84a8a 100644
--- a/include/net/vxlan.h
+++ b/include/net/vxlan.h
@@ -146,7 +146,7 @@ struct vxlanhdr_gpe {
                np_applied:1,
                instance_applied:1,
                version:2,
-reserved_flags2:2;
+                reserved_flags2:2;
 #elif defined(__BIG_ENDIAN_BITFIELD)
        u8      reserved_flags2:2,
                version:2,
diff --git a/include/uapi/linux/if_ether.h b/include/uapi/linux/if_ether.h
index 3ee3bf7c8526..144de4d2f385 100644
--- a/include/uapi/linux/if_ether.h
+++ b/include/uapi/linux/if_ether.h
@@ -23,6 +23,7 @@
 #define _UAPI_LINUX_IF_ETHER_H
 #include <linux/types.h>
+#include <linux/libc-compat.h>
 /*
 *      IEEE 802.3 Ethernet magic constants.  The frame sizes omit the preamble
@@ -149,11 +150,13 @@
 *      This is an Ethernet frame header.
 */
+#if __UAPI_DEF_ETHHDR
 struct ethhdr {
        unsigned char   h_dest[ETH_ALEN];       /* destination eth addr */
        unsigned char   h_source[ETH_ALEN];     /* source ether addr    */
        __be16          h_proto;                /* packet type ID field */
 } __attribute__((packed));
+#endif
 #endif /* _UAPI_LINUX_IF_ETHER_H */
diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 496e59a2738b..8fb90a0819c3 100644
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -932,6 +932,8 @@ struct kvm_ppc_resize_hpt {
 #define KVM_CAP_HYPERV_SYNIC2 148
 #define KVM_CAP_HYPERV_VP_INDEX 149
 #define KVM_CAP_S390_AIS_MIGRATION 150
+#define KVM_CAP_PPC_GET_CPU_CHAR 151
+#define KVM_CAP_S390_BPB 152
 #ifdef KVM_CAP_IRQ_ROUTING
@@ -1261,6 +1263,8 @@ struct kvm_s390_ucas_mapping {
 #define KVM_PPC_CONFIGURE_V3_MMU  _IOW(KVMIO,  0xaf, struct kvm_ppc_mmuv3_cfg)
 /* Available with KVM_CAP_PPC_RADIX_MMU */
 #define KVM_PPC_GET_RMMU_INFO     _IOW(KVMIO,  0xb0, struct kvm_ppc_rmmu_info)
+/* Available with KVM_CAP_PPC_GET_CPU_CHAR */
+#define KVM_PPC_GET_CPU_CHAR      _IOR(KVMIO,  0xb1, struct kvm_ppc_cpu_char)
 /* ioctl for vm fd */
 #define KVM_CREATE_DEVICE         _IOWR(KVMIO,  0xe0, struct kvm_create_device)
diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
index 282875cf8056..fc29efaa918c 100644
--- a/include/uapi/linux/libc-compat.h
+++ b/include/uapi/linux/libc-compat.h
@@ -168,47 +168,106 @@
 /* If we did not see any headers from any supported C libraries,
 * or we are being included in the kernel, then define everything
- * that we need. */
+ * that we need. Check for previous __UAPI_* definitions to give
+ * unsupported C libraries a way to opt out of any kernel definition. */
 #else /* !defined(__GLIBC__) */
 /* Definitions for if.h */
+#ifndef __UAPI_DEF_IF_IFCONF
 #define __UAPI_DEF_IF_IFCONF 1
+#endif
+#ifndef __UAPI_DEF_IF_IFMAP
 #define __UAPI_DEF_IF_IFMAP 1
+#endif
+#ifndef __UAPI_DEF_IF_IFNAMSIZ
 #define __UAPI_DEF_IF_IFNAMSIZ 1
+#endif
+#ifndef __UAPI_DEF_IF_IFREQ
 #define __UAPI_DEF_IF_IFREQ 1
+#endif
 /* Everything up to IFF_DYNAMIC, matches net/if.h until glibc 2.23 */
+#ifndef __UAPI_DEF_IF_NET_DEVICE_FLAGS
 #define __UAPI_DEF_IF_NET_DEVICE_FLAGS 1
+#endif
 /* For the future if glibc adds IFF_LOWER_UP, IFF_DORMANT and IFF_ECHO */
+#ifndef __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO
 #define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 1
+#endif
 /* Definitions for in.h */
+#ifndef __UAPI_DEF_IN_ADDR
 #define __UAPI_DEF_IN_ADDR              1
+#endif
+#ifndef __UAPI_DEF_IN_IPPROTO
 #define __UAPI_DEF_IN_IPPROTO           1
+#endif
+#ifndef __UAPI_DEF_IN_PKTINFO
 #define __UAPI_DEF_IN_PKTINFO           1
+#endif
+#ifndef __UAPI_DEF_IP_MREQ
 #define __UAPI_DEF_IP_MREQ              1
+#endif
+#ifndef __UAPI_DEF_SOCKADDR_IN
 #define __UAPI_DEF_SOCKADDR_IN          1
+#endif
+#ifndef __UAPI_DEF_IN_CLASS
 #define __UAPI_DEF_IN_CLASS             1
+#endif
 /* Definitions for in6.h */
+#ifndef __UAPI_DEF_IN6_ADDR
 #define __UAPI_DEF_IN6_ADDR             1
+#endif
+#ifndef __UAPI_DEF_IN6_ADDR_ALT
 #define __UAPI_DEF_IN6_ADDR_ALT         1
+#endif
+#ifndef __UAPI_DEF_SOCKADDR_IN6
 #define __UAPI_DEF_SOCKADDR_IN6         1
+#endif
+#ifndef __UAPI_DEF_IPV6_MREQ
 #define __UAPI_DEF_IPV6_MREQ            1
+#endif
+#ifndef __UAPI_DEF_IPPROTO_V6
 #define __UAPI_DEF_IPPROTO_V6           1
+#endif
+#ifndef __UAPI_DEF_IPV6_OPTIONS
 #define __UAPI_DEF_IPV6_OPTIONS         1
+#endif
+#ifndef __UAPI_DEF_IN6_PKTINFO
 #define __UAPI_DEF_IN6_PKTINFO          1
+#endif
+#ifndef __UAPI_DEF_IP6_MTUINFO
 #define __UAPI_DEF_IP6_MTUINFO          1
+#endif
 /* Definitions for ipx.h */
+#ifndef __UAPI_DEF_SOCKADDR_IPX
 #define __UAPI_DEF_SOCKADDR_IPX                 1
+#endif
+#ifndef __UAPI_DEF_IPX_ROUTE_DEFINITION
 #define __UAPI_DEF_IPX_ROUTE_DEFINITION         1
+#endif
+#ifndef __UAPI_DEF_IPX_INTERFACE_DEFINITION
 #define __UAPI_DEF_IPX_INTERFACE_DEFINITION     1
+#endif
+#ifndef __UAPI_DEF_IPX_CONFIG_DATA
 #define __UAPI_DEF_IPX_CONFIG_DATA              1
+#endif
+#ifndef __UAPI_DEF_IPX_ROUTE_DEF
 #define __UAPI_DEF_IPX_ROUTE_DEF                1
+#endif
 /* Definitions for xattr.h */
+#ifndef __UAPI_DEF_XATTR
 #define __UAPI_DEF_XATTR                1
+#endif
 #endif /* __GLIBC__ */
+/* Definitions for if_ether.h */
+/* allow libcs like musl to deactivate this, glibc does not implement this. */
+#ifndef __UAPI_DEF_ETHHDR
+#define __UAPI_DEF_ETHHDR               1
+#endif
 #endif /* _UAPI_LIBC_COMPAT_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
index 3fea7709a441..57ccfb32e87f 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -36,7 +36,7 @@ enum ip_conntrack_info {
 #define NF_CT_STATE_INVALID_BIT                 (1 << 0)
 #define NF_CT_STATE_BIT(ctinfo)                 (1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
-#define NF_CT_STATE_UNTRACKED_BIT               (1 << (IP_CT_UNTRACKED + 1))
+#define NF_CT_STATE_UNTRACKED_BIT               (1 << 6)
 /* Bitset representing status of connection. */
 enum ip_conntrack_status {
diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h
index 4265d7f9e1f2..dcfab5e3b55c 100644
--- a/include/uapi/linux/openvswitch.h
+++ b/include/uapi/linux/openvswitch.h
@@ -363,7 +363,6 @@ enum ovs_tunnel_key_attr {
        OVS_TUNNEL_KEY_ATTR_IPV6_SRC,           /* struct in6_addr src IPv6 address. */
        OVS_TUNNEL_KEY_ATTR_IPV6_DST,           /* struct in6_addr dst IPv6 address. */
        OVS_TUNNEL_KEY_ATTR_PAD,
-        OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS,        /* be32 ERSPAN index. */
        __OVS_TUNNEL_KEY_ATTR_MAX
 };
diff --git a/init/Kconfig b/init/Kconfig
index 690a381adee0..a9a2e2c86671 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -461,6 +461,7 @@ endmenu # "CPU/Task time and stats accounting"
 config CPU_ISOLATION
        bool "CPU isolation"
+        depends on SMP || COMPILE_TEST
        default y
        help
          Make sure that CPUs running critical tasks are not disturbed by
@@ -1396,6 +1397,13 @@ config BPF_SYSCALL
          Enable the bpf() system call that allows to manipulate eBPF
          programs and maps via file descriptors.
+config BPF_JIT_ALWAYS_ON
+        bool "Permanently enable BPF JIT and remove BPF interpreter"
+        depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
+        help
+          Enables BPF JIT and removes BPF interpreter to avoid
+          speculative execution of BPF instructions by the interpreter
 config USERFAULTFD
        bool "Enable userfaultfd() system call"
        select ANON_INODES
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 7c25426d3cf5..ab94d304a634 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -53,9 +53,10 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
 {
        bool percpu = attr->map_type == BPF_MAP_TYPE_PERCPU_ARRAY;
        int numa_node = bpf_map_attr_numa_node(attr);
+        u32 elem_size, index_mask, max_entries;
+        bool unpriv = !capable(CAP_SYS_ADMIN);
        struct bpf_array *array;
-        u64 array_size;
+        u64 array_size, mask64;
-        u32 elem_size;
        /* check sanity of attributes */
        if (attr->max_entries == 0 || attr->key_size != 4 ||
@@ -72,11 +73,32 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
        elem_size = round_up(attr->value_size, 8);
+        max_entries = attr->max_entries;
+        /* On 32 bit archs roundup_pow_of_two() with max_entries that has
+         * upper most bit set in u32 space is undefined behavior due to
+         * resulting 1U << 32, so do it manually here in u64 space.
+         */
+        mask64 = fls_long(max_entries - 1);
+        mask64 = 1ULL << mask64;
+        mask64 -= 1;
+        index_mask = mask64;
+        if (unpriv) {
+                /* round up array size to nearest power of 2,
+                 * since cpu will speculate within index_mask limits
+                 */
+                max_entries = index_mask + 1;
+                /* Check for overflows. */
+                if (max_entries < attr->max_entries)
+                        return ERR_PTR(-E2BIG);
+        }
        array_size = sizeof(*array);
        if (percpu)
-                array_size += (u64) attr->max_entries * sizeof(void *);
+                array_size += (u64) max_entries * sizeof(void *);
        else
-                array_size += (u64) attr->max_entries * elem_size;
+                array_size += (u64) max_entries * elem_size;
        /* make sure there is no u32 overflow later in round_up() */
        if (array_size >= U32_MAX - PAGE_SIZE)
@@ -86,6 +108,8 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
        array = bpf_map_area_alloc(array_size, numa_node);
        if (!array)
                return ERR_PTR(-ENOMEM);
+        array->index_mask = index_mask;
+        array->map.unpriv_array = unpriv;
        /* copy mandatory map attributes */
        array->map.map_type = attr->map_type;
@@ -121,12 +145,13 @@ static void *array_map_lookup_elem(struct bpf_map *map, void *key)
        if (unlikely(index >= array->map.max_entries))
                return NULL;
-        return array->value + array->elem_size * index;
+        return array->value + array->elem_size * (index & array->index_mask);
 }
 /* emit BPF instructions equivalent to C code of array_map_lookup_elem() */
 static u32 array_map_gen_lookup(struct bpf_map *map, struct bpf_insn *insn_buf)
 {
+        struct bpf_array *array = container_of(map, struct bpf_array, map);
        struct bpf_insn *insn = insn_buf;
        u32 elem_size = round_up(map->value_size, 8);
        const int ret = BPF_REG_0;
@@ -135,7 +160,12 @@ static u32 array_map_gen_lookup(struct bpf_map *map, struct bpf_insn *insn_buf)
        *insn++ = BPF_ALU64_IMM(BPF_ADD, map_ptr, offsetof(struct bpf_array, value));
        *insn++ = BPF_LDX_MEM(BPF_W, ret, index, 0);
-        *insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 3);
+        if (map->unpriv_array) {
+                *insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 4);
+                *insn++ = BPF_ALU32_IMM(BPF_AND, ret, array->index_mask);
+        } else {
+                *insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 3);
+        }
        if (is_power_of_2(elem_size)) {
                *insn++ = BPF_ALU64_IMM(BPF_LSH, ret, ilog2(elem_size));
@@ -157,7 +187,7 @@ static void *percpu_array_map_lookup_elem(struct bpf_map *map, void *key)
        if (unlikely(index >= array->map.max_entries))
                return NULL;
-        return this_cpu_ptr(array->pptrs[index]);
+        return this_cpu_ptr(array->pptrs[index & array->index_mask]);
 }
 int bpf_percpu_array_copy(struct bpf_map *map, void *key, void *value)
@@ -177,7 +207,7 @@ int bpf_percpu_array_copy(struct bpf_map *map, void *key, void *value)
         */
        size = round_up(map->value_size, 8);
        rcu_read_lock();
-        pptr = array->pptrs[index];
+        pptr = array->pptrs[index & array->index_mask];
        for_each_possible_cpu(cpu) {
                bpf_long_memcpy(value + off, per_cpu_ptr(pptr, cpu), size);
                off += size;
@@ -225,10 +255,11 @@ static int array_map_update_elem(struct bpf_map *map, void *key, void *value,
                return -EEXIST;
        if (array->map.map_type == BPF_MAP_TYPE_PERCPU_ARRAY)
-                memcpy(this_cpu_ptr(array->pptrs[index]),
+                memcpy(this_cpu_ptr(array->pptrs[index & array->index_mask]),
                       value, map->value_size);
        else
-                memcpy(array->value + array->elem_size * index,
+                memcpy(array->value +
+                       array->elem_size * (index & array->index_mask),
                       value, map->value_size);
        return 0;
 }
@@ -262,7 +293,7 @@ int bpf_percpu_array_update(struct bpf_map *map, void *key, void *value,
         */
        size = round_up(map->value_size, 8);
        rcu_read_lock();
-        pptr = array->pptrs[index];
+        pptr = array->pptrs[index & array->index_mask];
        for_each_possible_cpu(cpu) {
                bpf_long_memcpy(per_cpu_ptr(pptr, cpu), value + off, size);
                off += size;
@@ -613,6 +644,7 @@ static void *array_of_map_lookup_elem(struct bpf_map *map, void *key)
 static u32 array_of_map_gen_lookup(struct bpf_map *map,
                                   struct bpf_insn *insn_buf)
 {
+        struct bpf_array *array = container_of(map, struct bpf_array, map);
        u32 elem_size = round_up(map->value_size, 8);
        struct bpf_insn *insn = insn_buf;
        const int ret = BPF_REG_0;
@@ -621,7 +653,12 @@ static u32 array_of_map_gen_lookup(struct bpf_map *map,
        *insn++ = BPF_ALU64_IMM(BPF_ADD, map_ptr, offsetof(struct bpf_array, value));
        *insn++ = BPF_LDX_MEM(BPF_W, ret, index, 0);
-        *insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 5);
+        if (map->unpriv_array) {
+                *insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 6);
+                *insn++ = BPF_ALU32_IMM(BPF_AND, ret, array->index_mask);
+        } else {
+                *insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 5);
+        }
        if (is_power_of_2(elem_size))
                *insn++ = BPF_ALU64_IMM(BPF_LSH, ret, ilog2(elem_size));
        else
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 86b50aa26ee8..7949e8b8f94e 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -767,6 +767,7 @@ noinline u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
 }
 EXPORT_SYMBOL_GPL(__bpf_call_base);
+#ifndef CONFIG_BPF_JIT_ALWAYS_ON
 /**
 *      __bpf_prog_run - run eBPF program on a given context
 *      @ctx: is the data we are operating on
@@ -955,7 +956,7 @@ select_insn:
                DST = tmp;
                CONT;
        ALU_MOD_X:
-                if (unlikely(SRC == 0))
+                if (unlikely((u32)SRC == 0))
                        return 0;
                tmp = (u32) DST;
                DST = do_div(tmp, (u32) SRC);
@@ -974,7 +975,7 @@ select_insn:
                DST = div64_u64(DST, SRC);
                CONT;
        ALU_DIV_X:
-                if (unlikely(SRC == 0))
+                if (unlikely((u32)SRC == 0))
                        return 0;
                tmp = (u32) DST;
                do_div(tmp, (u32) SRC);
@@ -1317,6 +1318,14 @@ EVAL6(PROG_NAME_LIST, 224, 256, 288, 320, 352, 384)
 EVAL4(PROG_NAME_LIST, 416, 448, 480, 512)
 };
+#else
+static unsigned int __bpf_prog_ret0(const void *ctx,
+                                    const struct bpf_insn *insn)
+{
+        return 0;
+}
+#endif
 bool bpf_prog_array_compatible(struct bpf_array *array,
                               const struct bpf_prog *fp)
 {
@@ -1364,9 +1373,13 @@ static int bpf_check_tail_call(const struct bpf_prog *fp)
 */
 struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
 {
+#ifndef CONFIG_BPF_JIT_ALWAYS_ON
        u32 stack_depth = max_t(u32, fp->aux->stack_depth, 1);
        fp->bpf_func = interpreters[(round_up(stack_depth, 32) / 32) - 1];
+#else
+        fp->bpf_func = __bpf_prog_ret0;
+#endif
        /* eBPF JITs can rewrite the program in case constant
         * blinding is active. However, in case of error during
@@ -1376,6 +1389,12 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
         */
        if (!bpf_prog_is_dev_bound(fp->aux)) {
                fp = bpf_int_jit_compile(fp);
+#ifdef CONFIG_BPF_JIT_ALWAYS_ON
+                if (!fp->jited) {
+                        *err = -ENOTSUPP;
+                        return fp;
+                }
+#endif
        } else {
                *err = bpf_prog_offload_compile(fp);
                if (*err)
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
index 01aaef1a77c5..5bb5e49ef4c3 100644
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -368,7 +368,45 @@ out:
        putname(pname);
        return ret;
 }
-EXPORT_SYMBOL_GPL(bpf_obj_get_user);
+static struct bpf_prog *__get_prog_inode(struct inode *inode, enum bpf_prog_type type)
+{
+        struct bpf_prog *prog;
+        int ret = inode_permission(inode, MAY_READ | MAY_WRITE);
+        if (ret)
+                return ERR_PTR(ret);
+        if (inode->i_op == &bpf_map_iops)
+                return ERR_PTR(-EINVAL);
+        if (inode->i_op != &bpf_prog_iops)
+                return ERR_PTR(-EACCES);
+        prog = inode->i_private;
+        ret = security_bpf_prog(prog);
+        if (ret < 0)
+                return ERR_PTR(ret);
+        if (!bpf_prog_get_ok(prog, &type, false))
+                return ERR_PTR(-EINVAL);
+        return bpf_prog_inc(prog);
+}
+struct bpf_prog *bpf_prog_get_type_path(const char *name, enum bpf_prog_type type)
+{
+        struct bpf_prog *prog;
+        struct path path;
+        int ret = kern_path(name, LOOKUP_FOLLOW, &path);
+        if (ret)
+                return ERR_PTR(ret);
+        prog = __get_prog_inode(d_backing_inode(path.dentry), type);
+        if (!IS_ERR(prog))
+                touch_atime(&path);
+        path_put(&path);
+        return prog;
+}
+EXPORT_SYMBOL(bpf_prog_get_type_path);
 static void bpf_evict_inode(struct inode *inode)
 {
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index 5ee2e41893d9..1712d319c2d8 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -591,8 +591,15 @@ static void sock_map_free(struct bpf_map *map)
                write_lock_bh(&sock->sk_callback_lock);
                psock = smap_psock_sk(sock);
-                smap_list_remove(psock, &stab->sock_map[i]);
+                /* This check handles a racing sock event that can get the
-                smap_release_sock(psock, sock);
+                 * sk_callback_lock before this case but after xchg happens
+                 * causing the refcnt to hit zero and sock user data (psock)
+                 * to be null and queued for garbage collection.
+                 */
+                if (likely(psock)) {
+                        smap_list_remove(psock, &stab->sock_map[i]);
+                        smap_release_sock(psock, sock);
+                }
                write_unlock_bh(&sock->sk_callback_lock);
        }
        rcu_read_unlock();
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 2c4cfeaa8d5e..5cb783fc8224 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1057,7 +1057,7 @@ struct bpf_prog *bpf_prog_inc_not_zero(struct bpf_prog *prog)
 }
 EXPORT_SYMBOL_GPL(bpf_prog_inc_not_zero);
-static bool bpf_prog_get_ok(struct bpf_prog *prog,
+bool bpf_prog_get_ok(struct bpf_prog *prog,
                            enum bpf_prog_type *attach_type, bool attach_drv)
 {
        /* not an attachment, just a refcount inc, always allow */
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 04b24876cd23..13551e623501 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -978,6 +978,13 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
        return __is_pointer_value(env->allow_ptr_leaks, cur_regs(env) + regno);
 }
+static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
+{
+        const struct bpf_reg_state *reg = cur_regs(env) + regno;
+        return reg->type == PTR_TO_CTX;
+}
 static int check_pkt_ptr_alignment(struct bpf_verifier_env *env,
                                   const struct bpf_reg_state *reg,
                                   int off, int size, bool strict)
@@ -1258,6 +1265,12 @@ static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_ins
                return -EACCES;
        }
+        if (is_ctx_reg(env, insn->dst_reg)) {
+                verbose(env, "BPF_XADD stores into R%d context is not allowed\n",
+                        insn->dst_reg);
+                return -EACCES;
+        }
        /* check whether atomic_add can read the memory */
        err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
                               BPF_SIZE(insn->code), BPF_READ, -1);
@@ -1729,6 +1742,13 @@ static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
        err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta);
        if (err)
                return err;
+        if (func_id == BPF_FUNC_tail_call) {
+                if (meta.map_ptr == NULL) {
+                        verbose(env, "verifier bug\n");
+                        return -EINVAL;
+                }
+                env->insn_aux_data[insn_idx].map_ptr = meta.map_ptr;
+        }
        err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta);
        if (err)
                return err;
@@ -1875,17 +1895,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
        dst_reg = &regs[dst];
-        if (WARN_ON_ONCE(known && (smin_val != smax_val))) {
+        if ((known && (smin_val != smax_val || umin_val != umax_val)) ||
-                print_verifier_state(env, env->cur_state);
+            smin_val > smax_val || umin_val > umax_val) {
-                verbose(env,
+                /* Taint dst register if offset had invalid bounds derived from
-                        "verifier internal error: known but bad sbounds\n");
+                 * e.g. dead branches.
-                return -EINVAL;
+                 */
-        }
+                __mark_reg_unknown(dst_reg);
-        if (WARN_ON_ONCE(known && (umin_val != umax_val))) {
+                return 0;
-                print_verifier_state(env, env->cur_state);
-                verbose(env,
-                        "verifier internal error: known but bad ubounds\n");
-                return -EINVAL;
        }
        if (BPF_CLASS(insn->code) != BPF_ALU64) {
@@ -2077,6 +2093,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
        src_known = tnum_is_const(src_reg.var_off);
        dst_known = tnum_is_const(dst_reg->var_off);
+        if ((src_known && (smin_val != smax_val || umin_val != umax_val)) ||
+            smin_val > smax_val || umin_val > umax_val) {
+                /* Taint dst register if offset had invalid bounds derived from
+                 * e.g. dead branches.
+                 */
+                __mark_reg_unknown(dst_reg);
+                return 0;
+        }
        if (!src_known &&
            opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
                __mark_reg_unknown(dst_reg);
@@ -2486,6 +2511,11 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
                        return -EINVAL;
                }
+                if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) {
+                        verbose(env, "BPF_ARSH not supported for 32 bit ALU\n");
+                        return -EINVAL;
+                }
                if ((opcode == BPF_LSH || opcode == BPF_RSH ||
                     opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
                        int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
@@ -3981,6 +4011,12 @@ static int do_check(struct bpf_verifier_env *env)
                        if (err)
                                return err;
+                        if (is_ctx_reg(env, insn->dst_reg)) {
+                                verbose(env, "BPF_ST stores into R%d context is not allowed\n",
+                                        insn->dst_reg);
+                                return -EACCES;
+                        }
                        /* check that memory (dst_reg + off) is writeable */
                        err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
                                               BPF_SIZE(insn->code), BPF_WRITE,
@@ -4433,6 +4469,24 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
        int i, cnt, delta = 0;
        for (i = 0; i < insn_cnt; i++, insn++) {
+                if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
+                    insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
+                        /* due to JIT bugs clear upper 32-bits of src register
+                         * before div/mod operation
+                         */
+                        insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);
+                        insn_buf[1] = *insn;
+                        cnt = 2;
+                        new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+                        if (!new_prog)
+                                return -ENOMEM;
+                        delta    += cnt - 1;
+                        env->prog = prog = new_prog;
+                        insn      = new_prog->insnsi + i + delta;
+                        continue;
+                }
                if (insn->code != (BPF_JMP | BPF_CALL))
                        continue;
@@ -4456,6 +4510,35 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
                         */
                        insn->imm = 0;
                        insn->code = BPF_JMP | BPF_TAIL_CALL;
+                        /* instead of changing every JIT dealing with tail_call
+                         * emit two extra insns:
+                         * if (index >= max_entries) goto out;
+                         * index &= array->index_mask;
+                         * to avoid out-of-bounds cpu speculation
+                         */
+                        map_ptr = env->insn_aux_data[i + delta].map_ptr;
+                        if (map_ptr == BPF_MAP_PTR_POISON) {
+                                verbose(env, "tail_call abusing map_ptr\n");
+                                return -EINVAL;
+                        }
+                        if (!map_ptr->unpriv_array)
+                                continue;
+                        insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,
+                                                  map_ptr->max_entries, 2);
+                        insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,
+                                                    container_of(map_ptr,
+                                                                 struct bpf_array,
+                                                                 map)->index_mask);
+                        insn_buf[2] = *insn;
+                        cnt = 3;
+                        new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+                        if (!new_prog)
+                                return -ENOMEM;
+                        delta    += cnt - 1;
+                        env->prog = prog = new_prog;
+                        insn      = new_prog->insnsi + i + delta;
                        continue;
                }
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 024085daab1a..a2c05d2476ac 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -123,7 +123,11 @@ int cgroup_transfer_tasks(struct cgroup *to, struct cgroup *from)
         */
        do {
                css_task_iter_start(&from->self, 0, &it);
-                task = css_task_iter_next(&it);
+                do {
+                        task = css_task_iter_next(&it);
+                } while (task && (task->flags & PF_EXITING));
                if (task)
                        get_task_struct(task);
                css_task_iter_end(&it);
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 0b1ffe147f24..7e4c44538119 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -1397,7 +1397,7 @@ static char *cgroup_file_name(struct cgroup *cgrp, const struct cftype *cft,
                         cgroup_on_dfl(cgrp) ? ss->name : ss->legacy_name,
                         cft->name);
        else
-                strncpy(buf, cft->name, CGROUP_FILE_NAME_MAX);
+                strlcpy(buf, cft->name, CGROUP_FILE_NAME_MAX);
        return buf;
 }
@@ -1864,9 +1864,9 @@ void init_cgroup_root(struct cgroup_root *root, struct cgroup_sb_opts *opts)
        root->flags = opts->flags;
        if (opts->release_agent)
-                strcpy(root->release_agent_path, opts->release_agent);
+                strlcpy(root->release_agent_path, opts->release_agent, PATH_MAX);
        if (opts->name)
-                strcpy(root->name, opts->name);
+                strlcpy(root->name, opts->name, MAX_CGROUP_ROOT_NAMELEN);
        if (opts->cpuset_clone_children)
                set_bit(CGRP_CPUSET_CLONE_CHILDREN, &root->cgrp.flags);
 }
@@ -4125,26 +4125,24 @@ static void css_task_iter_advance_css_set(struct css_task_iter *it)
 static void css_task_iter_advance(struct css_task_iter *it)
 {
-        struct list_head *l = it->task_pos;
+        struct list_head *next;
        lockdep_assert_held(&css_set_lock);
-        WARN_ON_ONCE(!l);
 repeat:
        /*
         * Advance iterator to find next entry.  cset->tasks is consumed
         * first and then ->mg_tasks.  After ->mg_tasks, we move onto the
         * next cset.
         */
-        l = l->next;
+        next = it->task_pos->next;
-        if (l == it->tasks_head)
+        if (next == it->tasks_head)
-                l = it->mg_tasks_head->next;
+                next = it->mg_tasks_head->next;
-        if (l == it->mg_tasks_head)
+        if (next == it->mg_tasks_head)
                css_task_iter_advance_css_set(it);
        else
-                it->task_pos = l;
+                it->task_pos = next;
        /* if PROCS, skip over tasks which aren't group leaders */
        if ((it->flags & CSS_TASK_ITER_PROCS) && it->task_pos &&
@@ -4449,6 +4447,7 @@ static struct cftype cgroup_base_files[] = {
        },
        {
                .name = "cgroup.threads",
+                .flags = CFTYPE_NS_DELEGATABLE,
                .release = cgroup_procs_release,
                .seq_start = cgroup_threads_start,
                .seq_next = cgroup_procs_next,
diff --git a/kernel/crash_core.c b/kernel/crash_core.c
index b3663896278e..4f63597c824d 100644
--- a/kernel/crash_core.c
+++ b/kernel/crash_core.c
@@ -410,7 +410,7 @@ static int __init crash_save_vmcoreinfo_init(void)
        VMCOREINFO_SYMBOL(contig_page_data);
 #endif
 #ifdef CONFIG_SPARSEMEM
-        VMCOREINFO_SYMBOL(mem_section);
+        VMCOREINFO_SYMBOL_ARRAY(mem_section);
        VMCOREINFO_LENGTH(mem_section, NR_SECTION_ROOTS);
        VMCOREINFO_STRUCT_SIZE(mem_section);
        VMCOREINFO_OFFSET(mem_section, section_mem_map);
diff --git a/kernel/delayacct.c b/kernel/delayacct.c
index 4a1c33416b6a..e2764d767f18 100644
--- a/kernel/delayacct.c
+++ b/kernel/delayacct.c
@@ -51,16 +51,16 @@ void __delayacct_tsk_init(struct task_struct *tsk)
 * Finish delay accounting for a statistic using its timestamps (@start),
 * accumalator (@total) and @count
 */
-static void delayacct_end(u64 *start, u64 *total, u32 *count)
+static void delayacct_end(spinlock_t *lock, u64 *start, u64 *total, u32 *count)
 {
        s64 ns = ktime_get_ns() - *start;
        unsigned long flags;
        if (ns > 0) {
-                spin_lock_irqsave(&current->delays->lock, flags);
+                spin_lock_irqsave(lock, flags);
                *total += ns;
                (*count)++;
-                spin_unlock_irqrestore(&current->delays->lock, flags);
+                spin_unlock_irqrestore(lock, flags);
        }
 }
@@ -69,17 +69,25 @@ void __delayacct_blkio_start(void)
        current->delays->blkio_start = ktime_get_ns();
 }
-void __delayacct_blkio_end(void)
+/*
+ * We cannot rely on the `current` macro, as we haven't yet switched back to
+ * the process being woken.
+ */
+void __delayacct_blkio_end(struct task_struct *p)
 {
-        if (current->delays->flags & DELAYACCT_PF_SWAPIN)
+        struct task_delay_info *delays = p->delays;
-                /* Swapin block I/O */
+        u64 *total;
-                delayacct_end(&current->delays->blkio_start,
+        u32 *count;
-                        &current->delays->swapin_delay,
-                        &current->delays->swapin_count);
+        if (p->delays->flags & DELAYACCT_PF_SWAPIN) {
-        else    /* Other block I/O */
+                total = &delays->swapin_delay;
-                delayacct_end(&current->delays->blkio_start,
+                count = &delays->swapin_count;
-                        &current->delays->blkio_delay,
+        } else {
-                        &current->delays->blkio_count);
+                total = &delays->blkio_delay;
+                count = &delays->blkio_count;
+        }
+        delayacct_end(&delays->lock, &delays->blkio_start, total, count);
 }
 int __delayacct_add_tsk(struct taskstats *d, struct task_struct *tsk)
@@ -153,8 +161,10 @@ void __delayacct_freepages_start(void)
 void __delayacct_freepages_end(void)
 {
-        delayacct_end(&current->delays->freepages_start,
+        delayacct_end(
-                        &current->delays->freepages_delay,
+                &current->delays->lock,
-                        &current->delays->freepages_count);
+                &current->delays->freepages_start,
+                &current->delays->freepages_delay,
+                &current->delays->freepages_count);
 }
diff --git a/kernel/futex.c b/kernel/futex.c
index 57d0b3657e16..8c5424dd5924 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
        struct futex_q *this, *next;
        DEFINE_WAKE_Q(wake_q);
+        if (nr_wake < 0 || nr_requeue < 0)
+                return -EINVAL;
        /*
         * When PI not supported: return -ENOSYS if requeue_pi is true,
         * consequently the compiler knows requeue_pi is always false past
@@ -2294,21 +2297,17 @@ static void unqueue_me_pi(struct futex_q *q)
        spin_unlock(q->lock_ptr);
 }
-/*
- * Fixup the pi_state owner with the new owner.
- *
- * Must be called with hash bucket lock held and mm->sem held for non
- * private futexes.
- */
 static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
-                                struct task_struct *newowner)
+                                struct task_struct *argowner)
 {
-        u32 newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
        struct futex_pi_state *pi_state = q->pi_state;
        u32 uval, uninitialized_var(curval), newval;
-        struct task_struct *oldowner;
+        struct task_struct *oldowner, *newowner;
+        u32 newtid;
        int ret;
+        lockdep_assert_held(q->lock_ptr);
        raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
        oldowner = pi_state->owner;
@@ -2317,11 +2316,17 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
                newtid |= FUTEX_OWNER_DIED;
        /*
-         * We are here either because we stole the rtmutex from the
+         * We are here because either:
-         * previous highest priority waiter or we are the highest priority
+         *
-         * waiter but have failed to get the rtmutex the first time.
+         *  - we stole the lock and pi_state->owner needs updating to reflect
+         *    that (@argowner == current),
+         *
+         * or:
+         *
+         *  - someone stole our lock and we need to fix things to point to the
+         *    new owner (@argowner == NULL).
         *
-         * We have to replace the newowner TID in the user space variable.
+         * Either way, we have to replace the TID in the user space variable.
         * This must be atomic as we have to preserve the owner died bit here.
         *
         * Note: We write the user space value _before_ changing the pi_state
@@ -2334,6 +2339,42 @@ static int fixup_pi_state_owner(u32 __user *uaddr, struct futex_q *q,
         * in the PID check in lookup_pi_state.
         */
 retry:
+        if (!argowner) {
+                if (oldowner != current) {
+                        /*
+                         * We raced against a concurrent self; things are
+                         * already fixed up. Nothing to do.
+                         */
+                        ret = 0;
+                        goto out_unlock;
+                }
+                if (__rt_mutex_futex_trylock(&pi_state->pi_mutex)) {
+                        /* We got the lock after all, nothing to fix. */
+                        ret = 0;
+                        goto out_unlock;
+                }
+                /*
+                 * Since we just failed the trylock; there must be an owner.
+                 */
+                newowner = rt_mutex_owner(&pi_state->pi_mutex);
+                BUG_ON(!newowner);
+        } else {
+                WARN_ON_ONCE(argowner != current);
+                if (oldowner == current) {
+                        /*
+                         * We raced against a concurrent self; things are
+                         * already fixed up. Nothing to do.
+                         */
+                        ret = 0;
+                        goto out_unlock;
+                }
+                newowner = argowner;
+        }
+        newtid = task_pid_vnr(newowner) | FUTEX_WAITERS;
        if (get_futex_value_locked(&uval, uaddr))
                goto handle_fault;
@@ -2434,9 +2475,9 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
                 * Got the lock. We might not be the anticipated owner if we
                 * did a lock-steal - fix up the PI-state in that case:
                 *
-                 * We can safely read pi_state->owner without holding wait_lock
+                 * Speculative pi_state->owner read (we don't hold wait_lock);
-                 * because we now own the rt_mutex, only the owner will attempt
+                 * since we own the lock pi_state->owner == current is the
-                 * to change it.
+                 * stable state, anything else needs more attention.
                 */
                if (q->pi_state->owner != current)
                        ret = fixup_pi_state_owner(uaddr, q, current);
@@ -2444,6 +2485,19 @@ static int fixup_owner(u32 __user *uaddr, struct futex_q *q, int locked)
        }
        /*
+         * If we didn't get the lock; check if anybody stole it from us. In
+         * that case, we need to fix up the uval to point to them instead of
+         * us, otherwise bad things happen. [10]
+         *
+         * Another speculative read; pi_state->owner == current is unstable
+         * but needs our attention.
+         */
+        if (q->pi_state->owner == current) {
+                ret = fixup_pi_state_owner(uaddr, q, NULL);
+                goto out;
+        }
+        /*
         * Paranoia check. If we did not take the lock, then we should not be
         * the owner of the rt_mutex.
         */
diff --git a/kernel/irq/matrix.c b/kernel/irq/matrix.c
index 0ba0dd8863a7..5187dfe809ac 100644
--- a/kernel/irq/matrix.c
+++ b/kernel/irq/matrix.c
@@ -321,15 +321,23 @@ void irq_matrix_remove_reserved(struct irq_matrix *m)
 int irq_matrix_alloc(struct irq_matrix *m, const struct cpumask *msk,
                     bool reserved, unsigned int *mapped_cpu)
 {
-        unsigned int cpu;
+        unsigned int cpu, best_cpu, maxavl = 0;
+        struct cpumap *cm;
+        unsigned int bit;
+        best_cpu = UINT_MAX;
        for_each_cpu(cpu, msk) {
-                struct cpumap *cm = per_cpu_ptr(m->maps, cpu);
+                cm = per_cpu_ptr(m->maps, cpu);
-                unsigned int bit;
-                if (!cm->online)
+                if (!cm->online || cm->available <= maxavl)
                        continue;
+                best_cpu = cpu;
+                maxavl = cm->available;
+        }
+        if (maxavl) {
+                cm = per_cpu_ptr(m->maps, best_cpu);
                bit = matrix_alloc_area(m, cm, 1, false);
                if (bit < m->alloc_end) {
                        cm->allocated++;
@@ -338,8 +346,8 @@ int irq_matrix_alloc(struct irq_matrix *m, const struct cpumask *msk,
                        m->global_available--;
                        if (reserved)
                                m->global_reserved--;
-                        *mapped_cpu = cpu;
+                        *mapped_cpu = best_cpu;
-                        trace_irq_matrix_alloc(bit, cpu, m, cm);
+                        trace_irq_matrix_alloc(bit, best_cpu, m, cm);
                        return bit;
                }
        }
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index 6f3dba6e4e9e..65cc0cb984e6 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1290,6 +1290,19 @@ rt_mutex_slowlock(struct rt_mutex *lock, int state,
        return ret;
 }
+static inline int __rt_mutex_slowtrylock(struct rt_mutex *lock)
+{
+        int ret = try_to_take_rt_mutex(lock, current, NULL);
+        /*
+         * try_to_take_rt_mutex() sets the lock waiters bit
+         * unconditionally. Clean this up.
+         */
+        fixup_rt_mutex_waiters(lock);
+        return ret;
+}
 /*
 * Slow path try-lock function:
 */
@@ -1312,13 +1325,7 @@ static inline int rt_mutex_slowtrylock(struct rt_mutex *lock)
         */
        raw_spin_lock_irqsave(&lock->wait_lock, flags);
-        ret = try_to_take_rt_mutex(lock, current, NULL);
+        ret = __rt_mutex_slowtrylock(lock);
-        /*
-         * try_to_take_rt_mutex() sets the lock waiters bit
-         * unconditionally. Clean this up.
-         */
-        fixup_rt_mutex_waiters(lock);
        raw_spin_unlock_irqrestore(&lock->wait_lock, flags);
@@ -1505,6 +1512,11 @@ int __sched rt_mutex_futex_trylock(struct rt_mutex *lock)
        return rt_mutex_slowtrylock(lock);
 }
+int __sched __rt_mutex_futex_trylock(struct rt_mutex *lock)
+{
+        return __rt_mutex_slowtrylock(lock);
+}
 /**
 * rt_mutex_timed_lock - lock a rt_mutex interruptible
 *                      the timeout structure is provided
diff --git a/kernel/locking/rtmutex_common.h b/kernel/locking/rtmutex_common.h
index 124e98ca0b17..68686b3ec3c1 100644
--- a/kernel/locking/rtmutex_common.h
+++ b/kernel/locking/rtmutex_common.h
@@ -148,6 +148,7 @@ extern bool rt_mutex_cleanup_proxy_lock(struct rt_mutex *lock,
                                 struct rt_mutex_waiter *waiter);
 extern int rt_mutex_futex_trylock(struct rt_mutex *l);
+extern int __rt_mutex_futex_trylock(struct rt_mutex *l);
 extern void rt_mutex_futex_unlock(struct rt_mutex *lock);
 extern bool __rt_mutex_futex_unlock(struct rt_mutex *lock,
diff --git a/kernel/sched/completion.c b/kernel/sched/completion.c
index 2ddaec40956f..0926aef10dad 100644
--- a/kernel/sched/completion.c
+++ b/kernel/sched/completion.c
@@ -34,11 +34,6 @@ void complete(struct completion *x)
        spin_lock_irqsave(&x->wait.lock, flags);
-        /*
-         * Perform commit of crossrelease here.
-         */
-        complete_release_commit(x);
        if (x->done != UINT_MAX)
                x->done++;
        __wake_up_locked(&x->wait, TASK_NORMAL, 1);
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 644fa2e3d993..a7bf32aabfda 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -2056,7 +2056,7 @@ try_to_wake_up(struct task_struct *p, unsigned int state, int wake_flags)
        p->state = TASK_WAKING;
        if (p->in_iowait) {
-                delayacct_blkio_end();
+                delayacct_blkio_end(p);
                atomic_dec(&task_rq(p)->nr_iowait);
        }
@@ -2069,7 +2069,7 @@ try_to_wake_up(struct task_struct *p, unsigned int state, int wake_flags)
 #else /* CONFIG_SMP */
        if (p->in_iowait) {
-                delayacct_blkio_end();
+                delayacct_blkio_end(p);
                atomic_dec(&task_rq(p)->nr_iowait);
        }
@@ -2122,7 +2122,7 @@ static void try_to_wake_up_local(struct task_struct *p, struct rq_flags *rf)
        if (!task_on_rq_queued(p)) {
                if (p->in_iowait) {
-                        delayacct_blkio_end();
+                        delayacct_blkio_end(p);
                        atomic_dec(&rq->nr_iowait);
                }
                ttwu_activate(rq, p, ENQUEUE_WAKEUP | ENQUEUE_NOCLOCK);
diff --git a/kernel/sched/membarrier.c b/kernel/sched/membarrier.c
index dd7908743dab..9bcbacba82a8 100644
--- a/kernel/sched/membarrier.c
+++ b/kernel/sched/membarrier.c
@@ -89,7 +89,9 @@ static int membarrier_private_expedited(void)
                rcu_read_unlock();
        }
        if (!fallback) {
+                preempt_disable();
                smp_call_function_many(tmpmask, ipi_mb, NULL, 1);
+                preempt_enable();
                free_cpumask_var(tmpmask);
        }
        cpus_read_unlock();
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 3d201582630d..ae0c8a411fe7 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1760,7 +1760,11 @@ int hrtimers_prepare_cpu(unsigned int cpu)
        }
        cpu_base->cpu = cpu;
+        cpu_base->active_bases = 0;
        cpu_base->hres_active = 0;
+        cpu_base->hang_detected = 0;
+        cpu_base->next_timer = NULL;
+        cpu_base->softirq_next_timer = NULL;
        cpu_base->expires_next = KTIME_MAX;
        cpu_base->softirq_expires_next = KTIME_MAX;
        return 0;
diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
index 904c952ac383..f54dc62b599c 100644
--- a/kernel/trace/Kconfig
+++ b/kernel/trace/Kconfig
@@ -355,7 +355,7 @@ config PROFILE_ANNOTATED_BRANCHES
          on if you need to profile the system's use of these macros.
 config PROFILE_ALL_BRANCHES
-        bool "Profile all if conditionals"
+        bool "Profile all if conditionals" if !FORTIFY_SOURCE
        select TRACE_BRANCH_PROFILING
        help
          This tracer profiles all branch conditions. Every if ()
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index ccdf3664e4a9..554b517c61a0 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1119,15 +1119,11 @@ static struct ftrace_ops global_ops = {
 };
 /*
- * This is used by __kernel_text_address() to return true if the
+ * Used by the stack undwinder to know about dynamic ftrace trampolines.
- * address is on a dynamically allocated trampoline that would
- * not return true for either core_kernel_text() or
- * is_module_text_address().
 */
-bool is_ftrace_trampoline(unsigned long addr)
+struct ftrace_ops *ftrace_ops_trampoline(unsigned long addr)
 {
-        struct ftrace_ops *op;
+        struct ftrace_ops *op = NULL;
-        bool ret = false;
        /*
         * Some of the ops may be dynamically allocated,
@@ -1144,15 +1140,24 @@ bool is_ftrace_trampoline(unsigned long addr)
                if (op->trampoline && op->trampoline_size)
                        if (addr >= op->trampoline &&
                            addr < op->trampoline + op->trampoline_size) {
-                                ret = true;
+                                preempt_enable_notrace();
-                                goto out;
+                                return op;
                        }
        } while_for_each_ftrace_op(op);
- out:
        preempt_enable_notrace();
-        return ret;
+        return NULL;
+}
+/*
+ * This is used by __kernel_text_address() to return true if the
+ * address is on a dynamically allocated trampoline that would
+ * not return true for either core_kernel_text() or
+ * is_module_text_address().
+ */
+bool is_ftrace_trampoline(unsigned long addr)
+{
+        return ftrace_ops_trampoline(addr) != NULL;
 }
 struct ftrace_page {
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 9ab18995ff1e..5af2842dea96 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -2534,29 +2534,58 @@ rb_wakeups(struct ring_buffer *buffer, struct ring_buffer_per_cpu *cpu_buffer)
 * The lock and unlock are done within a preempt disable section.
 * The current_context per_cpu variable can only be modified
 * by the current task between lock and unlock. But it can
- * be modified more than once via an interrupt. There are four
+ * be modified more than once via an interrupt. To pass this
- * different contexts that we need to consider.
+ * information from the lock to the unlock without having to
+ * access the 'in_interrupt()' functions again (which do show
+ * a bit of overhead in something as critical as function tracing,
+ * we use a bitmask trick.
 *
- *  Normal context.
+ *  bit 0 =  NMI context
- *  SoftIRQ context
+ *  bit 1 =  IRQ context
- *  IRQ context
+ *  bit 2 =  SoftIRQ context
- *  NMI context
+ *  bit 3 =  normal context.
 *
- * If for some reason the ring buffer starts to recurse, we
+ * This works because this is the order of contexts that can
- * only allow that to happen at most 4 times (one for each
+ * preempt other contexts. A SoftIRQ never preempts an IRQ
- * context). If it happens 5 times, then we consider this a
+ * context.
- * recusive loop and do not let it go further.
+ *
+ * When the context is determined, the corresponding bit is
+ * checked and set (if it was set, then a recursion of that context
+ * happened).
+ *
+ * On unlock, we need to clear this bit. To do so, just subtract
+ * 1 from the current_context and AND it to itself.
+ *
+ * (binary)
+ *  101 - 1 = 100
+ *  101 & 100 = 100 (clearing bit zero)
+ *
+ *  1010 - 1 = 1001
+ *  1010 & 1001 = 1000 (clearing bit 1)
+ *
+ * The least significant bit can be cleared this way, and it
+ * just so happens that it is the same bit corresponding to
+ * the current context.
 */
 static __always_inline int
 trace_recursive_lock(struct ring_buffer_per_cpu *cpu_buffer)
 {
-        if (cpu_buffer->current_context >= 4)
+        unsigned int val = cpu_buffer->current_context;
+        unsigned long pc = preempt_count();
+        int bit;
+        if (!(pc & (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_OFFSET)))
+                bit = RB_CTX_NORMAL;
+        else
+                bit = pc & NMI_MASK ? RB_CTX_NMI :
+                        pc & HARDIRQ_MASK ? RB_CTX_IRQ : RB_CTX_SOFTIRQ;
+        if (unlikely(val & (1 << bit)))
                return 1;
-        cpu_buffer->current_context++;
+        val |= (1 << bit);
-        /* Interrupts must see this update */
+        cpu_buffer->current_context = val;
-        barrier();
        return 0;
 }
@@ -2564,9 +2593,7 @@ trace_recursive_lock(struct ring_buffer_per_cpu *cpu_buffer)
 static __always_inline void
 trace_recursive_unlock(struct ring_buffer_per_cpu *cpu_buffer)
 {
-        /* Don't let the dec leak out */
+        cpu_buffer->current_context &= cpu_buffer->current_context - 1;
-        barrier();
-        cpu_buffer->current_context--;
 }
 /**
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 2a8d8a294345..8e3f20a18a06 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -2374,6 +2374,15 @@ void trace_event_buffer_commit(struct trace_event_buffer *fbuffer)
 }
 EXPORT_SYMBOL_GPL(trace_event_buffer_commit);
+/*
+ * Skip 3:
+ *
+ *   trace_buffer_unlock_commit_regs()
+ *   trace_event_buffer_commit()
+ *   trace_event_raw_event_xxx()
+*/
+# define STACK_SKIP 3
 void trace_buffer_unlock_commit_regs(struct trace_array *tr,
                                     struct ring_buffer *buffer,
                                     struct ring_buffer_event *event,
@@ -2383,16 +2392,12 @@ void trace_buffer_unlock_commit_regs(struct trace_array *tr,
        __buffer_unlock_commit(buffer, event);
        /*
-         * If regs is not set, then skip the following callers:
+         * If regs is not set, then skip the necessary functions.
-         *   trace_buffer_unlock_commit_regs
-         *   event_trigger_unlock_commit
-         *   trace_event_buffer_commit
-         *   trace_event_raw_event_sched_switch
         * Note, we can still get here via blktrace, wakeup tracer
         * and mmiotrace, but that's ok if they lose a function or
-         * two. They are that meaningful.
+         * two. They are not that meaningful.
         */
-        ftrace_trace_stack(tr, buffer, flags, regs ? 0 : 4, pc, regs);
+        ftrace_trace_stack(tr, buffer, flags, regs ? 0 : STACK_SKIP, pc, regs);
        ftrace_trace_userstack(buffer, flags, pc);
 }
@@ -2579,11 +2584,13 @@ static void __ftrace_trace_stack(struct ring_buffer *buffer,
        trace.skip              = skip;
        /*
-         * Add two, for this function and the call to save_stack_trace()
+         * Add one, for this function and the call to save_stack_trace()
         * If regs is set, then these functions will not be in the way.
         */
+#ifndef CONFIG_UNWINDER_ORC
        if (!regs)
-                trace.skip += 2;
+                trace.skip++;
+#endif
        /*
         * Since events can happen in NMIs there's no safe way to
@@ -2711,11 +2718,10 @@ void trace_dump_stack(int skip)
        local_save_flags(flags);
-        /*
+#ifndef CONFIG_UNWINDER_ORC
-         * Skip 3 more, seems to get us at the caller of
+        /* Skip 1 to skip this function. */
-         * this function.
+        skip++;
-         */
+#endif
-        skip += 3;
        __ftrace_trace_stack(global_trace.trace_buffer.buffer,
                             flags, skip, preempt_count(), NULL);
 }
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index ec0f9aa4e151..1b87157edbff 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -2213,6 +2213,7 @@ void trace_event_eval_update(struct trace_eval_map **map, int len)
 {
        struct trace_event_call *call, *p;
        const char *last_system = NULL;
+        bool first = false;
        int last_i;
        int i;
@@ -2220,15 +2221,28 @@ void trace_event_eval_update(struct trace_eval_map **map, int len)
        list_for_each_entry_safe(call, p, &ftrace_events, list) {
                /* events are usually grouped together with systems */
                if (!last_system || call->class->system != last_system) {
+                        first = true;
                        last_i = 0;
                        last_system = call->class->system;
                }
+                /*
+                 * Since calls are grouped by systems, the likelyhood that the
+                 * next call in the iteration belongs to the same system as the
+                 * previous call is high. As an optimization, we skip seaching
+                 * for a map[] that matches the call's system if the last call
+                 * was from the same system. That's what last_i is for. If the
+                 * call has the same system as the previous call, then last_i
+                 * will be the index of the first map[] that has a matching
+                 * system.
+                 */
                for (i = last_i; i < len; i++) {
                        if (call->class->system == map[i]->system) {
                                /* Save the first system if need be */
-                                if (!last_i)
+                                if (first) {
                                        last_i = i;
+                                        first = false;
+                                }
                                update_event_printk(call, map[i]);
                        }
                }
diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
index f2ac9d44f6c4..87411482a46f 100644
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -1123,13 +1123,22 @@ static __init int register_trigger_snapshot_cmd(void) { return 0; }
 #endif /* CONFIG_TRACER_SNAPSHOT */
 #ifdef CONFIG_STACKTRACE
+#ifdef CONFIG_UNWINDER_ORC
+/* Skip 2:
+ *   event_triggers_post_call()
+ *   trace_event_raw_event_xxx()
+ */
+# define STACK_SKIP 2
+#else
 /*
- * Skip 3:
+ * Skip 4:
 *   stacktrace_trigger()
 *   event_triggers_post_call()
+ *   trace_event_buffer_commit()
 *   trace_event_raw_event_xxx()
 */
-#define STACK_SKIP 3
+#define STACK_SKIP 4
+#endif
 static void
 stacktrace_trigger(struct event_trigger_data *data, void *rec)
diff --git a/kernel/trace/trace_functions.c b/kernel/trace/trace_functions.c
index 27f7ad12c4b1..b611cd36e22d 100644
--- a/kernel/trace/trace_functions.c
+++ b/kernel/trace/trace_functions.c
@@ -154,6 +154,24 @@ function_trace_call(unsigned long ip, unsigned long parent_ip,
        preempt_enable_notrace();
 }
+#ifdef CONFIG_UNWINDER_ORC
+/*
+ * Skip 2:
+ *
+ *   function_stack_trace_call()
+ *   ftrace_call()
+ */
+#define STACK_SKIP 2
+#else
+/*
+ * Skip 3:
+ *   __trace_stack()
+ *   function_stack_trace_call()
+ *   ftrace_call()
+ */
+#define STACK_SKIP 3
+#endif
 static void
 function_stack_trace_call(unsigned long ip, unsigned long parent_ip,
                          struct ftrace_ops *op, struct pt_regs *pt_regs)
@@ -180,15 +198,7 @@ function_stack_trace_call(unsigned long ip, unsigned long parent_ip,
        if (likely(disabled == 1)) {
                pc = preempt_count();
                trace_function(tr, ip, parent_ip, flags, pc);
-                /*
+                __trace_stack(tr, flags, STACK_SKIP, pc);
-                 * skip over 5 funcs:
-                 *    __ftrace_trace_stack,
-                 *    __trace_stack,
-                 *    function_stack_trace_call
-                 *    ftrace_list_func
-                 *    ftrace_call
-                 */
-                __trace_stack(tr, flags, 5, pc);
        }
        atomic_dec(&data->disabled);
@@ -367,14 +377,27 @@ ftrace_traceoff(unsigned long ip, unsigned long parent_ip,
        tracer_tracing_off(tr);
 }
+#ifdef CONFIG_UNWINDER_ORC
 /*
- * Skip 4:
+ * Skip 3:
+ *
+ *   function_trace_probe_call()
+ *   ftrace_ops_assist_func()
+ *   ftrace_call()
+ */
+#define FTRACE_STACK_SKIP 3
+#else
+/*
+ * Skip 5:
+ *
+ *   __trace_stack()
 *   ftrace_stacktrace()
 *   function_trace_probe_call()
- *   ftrace_ops_list_func()
+ *   ftrace_ops_assist_func()
 *   ftrace_call()
 */
-#define STACK_SKIP 4
+#define FTRACE_STACK_SKIP 5
+#endif
 static __always_inline void trace_stack(struct trace_array *tr)
 {
@@ -384,7 +407,7 @@ static __always_inline void trace_stack(struct trace_array *tr)
        local_save_flags(flags);
        pc = preempt_count();
-        __trace_stack(tr, flags, STACK_SKIP, pc);
+        __trace_stack(tr, flags, FTRACE_STACK_SKIP, pc);
 }
 static void
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 43d18cb46308..f699122dab32 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -48,6 +48,7 @@
 #include <linux/moduleparam.h>
 #include <linux/uaccess.h>
 #include <linux/sched/isolation.h>
+#include <linux/nmi.h>
 #include "workqueue_internal.h"
@@ -4463,6 +4464,12 @@ void show_workqueue_state(void)
                        if (pwq->nr_active || !list_empty(&pwq->delayed_works))
                                show_pwq(pwq);
                        spin_unlock_irqrestore(&pwq->pool->lock, flags);
+                        /*
+                         * We could be printing a lot from atomic context, e.g.
+                         * sysrq-t -> show_workqueue_state(). Avoid triggering
+                         * hard lockup.
+                         */
+                        touch_nmi_watchdog();
                }
        }
@@ -4490,6 +4497,12 @@ void show_workqueue_state(void)
                pr_cont("\n");
        next_pool:
                spin_unlock_irqrestore(&pool->lock, flags);
+                /*
+                 * We could be printing a lot from atomic context, e.g.
+                 * sysrq-t -> show_workqueue_state(). Avoid triggering
+                 * hard lockup.
+                 */
+                touch_nmi_watchdog();
        }
        rcu_read_unlock_sched();
diff --git a/lib/test_bpf.c b/lib/test_bpf.c
index 9e9748089270..f369889e521d 100644
--- a/lib/test_bpf.c
+++ b/lib/test_bpf.c
@@ -6250,9 +6250,8 @@ static struct bpf_prog *generate_filter(int which, int *err)
                                return NULL;
                        }
                }
-                /* We don't expect to fail. */
                if (*err) {
-                        pr_cont("FAIL to attach err=%d len=%d\n",
+                        pr_cont("FAIL to prog_create err=%d len=%d\n",
                                *err, fprog.len);
                        return NULL;
                }
@@ -6276,6 +6275,10 @@ static struct bpf_prog *generate_filter(int which, int *err)
                 * checks.
                 */
                fp = bpf_prog_select_runtime(fp, err);
+                if (*err) {
+                        pr_cont("FAIL to select_runtime err=%d\n", *err);
+                        return NULL;
+                }
                break;
        }
@@ -6461,8 +6464,8 @@ static __init int test_bpf(void)
                                pass_cnt++;
                                continue;
                        }
+                        err_cnt++;
-                        return err;
+                        continue;
                }
                pr_cont("jited:%u ", fp->jited);
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index d73c14294f3a..f656ca27f6c2 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -127,7 +127,7 @@
 /* GFP bitmask for kmemleak internal allocations */
 #define gfp_kmemleak_mask(gfp)  (((gfp) & (GFP_KERNEL | GFP_ATOMIC)) | \
                                 __GFP_NORETRY | __GFP_NOMEMALLOC | \
-                                 __GFP_NOWARN)
+                                 __GFP_NOWARN | __GFP_NOFAIL)
 /* scanning area inside a memory block */
 struct kmemleak_scan_area {
diff --git a/mm/memory.c b/mm/memory.c
index ca5674cbaff2..793004608332 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2857,8 +2857,11 @@ int do_swap_page(struct vm_fault *vmf)
        int ret = 0;
        bool vma_readahead = swap_use_vma_readahead();
-        if (vma_readahead)
+        if (vma_readahead) {
                page = swap_readahead_detect(vmf, &swap_ra);
+                swapcache = page;
+        }
        if (!pte_unmap_same(vma->vm_mm, vmf->pmd, vmf->pte, vmf->orig_pte)) {
                if (page)
                        put_page(page);
@@ -2889,9 +2892,12 @@ int do_swap_page(struct vm_fault *vmf)
        delayacct_set_flag(DELAYACCT_PF_SWAPIN);
-        if (!page)
+        if (!page) {
                page = lookup_swap_cache(entry, vma_readahead ? vma : NULL,
                                         vmf->address);
+                swapcache = page;
+        }
        if (!page) {
                struct swap_info_struct *si = swp_swap_info(entry);
diff --git a/mm/page_owner.c b/mm/page_owner.c
index 8592543a0f15..270a8219ccd0 100644
--- a/mm/page_owner.c
+++ b/mm/page_owner.c
@@ -616,7 +616,6 @@ static void init_early_allocated_pages(void)
 {
        pg_data_t *pgdat;
-        drain_all_pages(NULL);
        for_each_online_pgdat(pgdat)
                init_zones_in_node(pgdat);
 }
diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c
index d22b84310f6d..ae3c2a35d61b 100644
--- a/mm/page_vma_mapped.c
+++ b/mm/page_vma_mapped.c
@@ -30,10 +30,37 @@ static bool map_pte(struct page_vma_mapped_walk *pvmw)
        return true;
 }
+static inline bool pfn_in_hpage(struct page *hpage, unsigned long pfn)
+{
+        unsigned long hpage_pfn = page_to_pfn(hpage);
+        /* THP can be referenced by any subpage */
+        return pfn >= hpage_pfn && pfn - hpage_pfn < hpage_nr_pages(hpage);
+}
+/**
+ * check_pte - check if @pvmw->page is mapped at the @pvmw->pte
+ *
+ * page_vma_mapped_walk() found a place where @pvmw->page is *potentially*
+ * mapped. check_pte() has to validate this.
+ *
+ * @pvmw->pte may point to empty PTE, swap PTE or PTE pointing to arbitrary
+ * page.
+ *
+ * If PVMW_MIGRATION flag is set, returns true if @pvmw->pte contains migration
+ * entry that points to @pvmw->page or any subpage in case of THP.
+ *
+ * If PVMW_MIGRATION flag is not set, returns true if @pvmw->pte points to
+ * @pvmw->page or any subpage in case of THP.
+ *
+ * Otherwise, return false.
+ *
+ */
 static bool check_pte(struct page_vma_mapped_walk *pvmw)
 {
+        unsigned long pfn;
        if (pvmw->flags & PVMW_MIGRATION) {
-#ifdef CONFIG_MIGRATION
                swp_entry_t entry;
                if (!is_swap_pte(*pvmw->pte))
                        return false;
@@ -41,38 +68,25 @@ static bool check_pte(struct page_vma_mapped_walk *pvmw)
                if (!is_migration_entry(entry))
                        return false;
-                if (migration_entry_to_page(entry) - pvmw->page >=
-                                hpage_nr_pages(pvmw->page)) {
-                        return false;
-                }
-                if (migration_entry_to_page(entry) < pvmw->page)
-                        return false;
-#else
-                WARN_ON_ONCE(1);
-#endif
-        } else {
-                if (is_swap_pte(*pvmw->pte)) {
-                        swp_entry_t entry;
-                        entry = pte_to_swp_entry(*pvmw->pte);
+                pfn = migration_entry_to_pfn(entry);
-                        if (is_device_private_entry(entry) &&
+        } else if (is_swap_pte(*pvmw->pte)) {
-                            device_private_entry_to_page(entry) == pvmw->page)
+                swp_entry_t entry;
-                                return true;
-                }
-                if (!pte_present(*pvmw->pte))
+                /* Handle un-addressable ZONE_DEVICE memory */
+                entry = pte_to_swp_entry(*pvmw->pte);
+                if (!is_device_private_entry(entry))
                        return false;
-                /* THP can be referenced by any subpage */
+                pfn = device_private_entry_to_pfn(entry);
-                if (pte_page(*pvmw->pte) - pvmw->page >=
+        } else {
-                                hpage_nr_pages(pvmw->page)) {
+                if (!pte_present(*pvmw->pte))
-                        return false;
-                }
-                if (pte_page(*pvmw->pte) < pvmw->page)
                        return false;
+                pfn = pte_pfn(*pvmw->pte);
        }
-        return true;
+        return pfn_in_hpage(pvmw->page, pfn);
 }
 /**
diff --git a/mm/vmscan.c b/mm/vmscan.c
index c02c850ea349..47d5ced51f2d 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -297,10 +297,13 @@ EXPORT_SYMBOL(register_shrinker);
 */
 void unregister_shrinker(struct shrinker *shrinker)
 {
+        if (!shrinker->nr_deferred)
+                return;
        down_write(&shrinker_rwsem);
        list_del(&shrinker->list);
        up_write(&shrinker_rwsem);
        kfree(shrinker->nr_deferred);
+        shrinker->nr_deferred = NULL;
 }
 EXPORT_SYMBOL(unregister_shrinker);
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 8dfdd94e430f..bad01b14a4ad 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -111,12 +111,7 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
                vlan_gvrp_uninit_applicant(real_dev);
        }
-        /* Take it out of our own structures, but be sure to interlock with
+        vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
-         * HW accelerating devices or SW vlan input packet processing if
-         * VLAN is not 0 (leave it there for 802.1p).
-         */
-        if (vlan_id)
-                vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
        /* Get rid of the vlan's reference to real_dev */
        dev_put(real_dev);
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 325c56043007..086a4abdfa7c 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -543,3 +543,7 @@ static void p9_trans_xen_exit(void)
        return xenbus_unregister_driver(&xen_9pfs_front_driver);
 }
 module_exit(p9_trans_xen_exit);
+MODULE_AUTHOR("Stefano Stabellini <stefano@aporeto.com>");
+MODULE_DESCRIPTION("Xen Transport for 9P");
+MODULE_LICENSE("GPL");
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 43ba91c440bc..fc6615d59165 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3363,9 +3363,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
                        break;
                case L2CAP_CONF_EFS:
-                        remote_efs = 1;
+                        if (olen == sizeof(efs)) {
-                        if (olen == sizeof(efs))
+                                remote_efs = 1;
                                memcpy(&efs, (void *) val, olen);
+                        }
                        break;
                case L2CAP_CONF_EWS:
@@ -3584,16 +3585,17 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
                        break;
                case L2CAP_CONF_EFS:
-                        if (olen == sizeof(efs))
+                        if (olen == sizeof(efs)) {
                                memcpy(&efs, (void *)val, olen);
-                        if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+                                if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
-                            efs.stype != L2CAP_SERV_NOTRAFIC &&
+                                    efs.stype != L2CAP_SERV_NOTRAFIC &&
-                            efs.stype != chan->local_stype)
+                                    efs.stype != chan->local_stype)
-                                return -ECONNREFUSED;
+                                        return -ECONNREFUSED;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+                                l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
-                                           (unsigned long) &efs, endptr - ptr);
+                                                   (unsigned long) &efs, endptr - ptr);
+                        }
                        break;
                case L2CAP_CONF_FCS:
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index 2d38b6e34203..e0adcd123f48 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -334,9 +334,8 @@ void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
        mutex_lock(&caifdevs->lock);
        list_add_rcu(&caifd->list, &caifdevs->list);
-        strncpy(caifd->layer.name, dev->name,
+        strlcpy(caifd->layer.name, dev->name,
-                sizeof(caifd->layer.name) - 1);
+                sizeof(caifd->layer.name));
-        caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0;
        caifd->layer.transmit = transmit;
        cfcnfg_add_phy_layer(cfg,
                                dev,
diff --git a/net/caif/caif_usb.c b/net/caif/caif_usb.c
index 5cd44f001f64..1a082a946045 100644
--- a/net/caif/caif_usb.c
+++ b/net/caif/caif_usb.c
@@ -176,9 +176,7 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what,
                dev_add_pack(&caif_usb_type);
        pack_added = true;
-        strncpy(layer->name, dev->name,
+        strlcpy(layer->name, dev->name, sizeof(layer->name));
-                        sizeof(layer->name) - 1);
-        layer->name[sizeof(layer->name) - 1] = 0;
        return 0;
 }
diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
index 273cb07f57d8..8f00bea093b9 100644
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -268,17 +268,15 @@ static int caif_connect_req_to_link_param(struct cfcnfg *cnfg,
        case CAIFPROTO_RFM:
                l->linktype = CFCTRL_SRV_RFM;
                l->u.datagram.connid = s->sockaddr.u.rfm.connection_id;
-                strncpy(l->u.rfm.volume, s->sockaddr.u.rfm.volume,
+                strlcpy(l->u.rfm.volume, s->sockaddr.u.rfm.volume,
-                        sizeof(l->u.rfm.volume)-1);
+                        sizeof(l->u.rfm.volume));
-                l->u.rfm.volume[sizeof(l->u.rfm.volume)-1] = 0;
                break;
        case CAIFPROTO_UTIL:
                l->linktype = CFCTRL_SRV_UTIL;
                l->endpoint = 0x00;
                l->chtype = 0x00;
-                strncpy(l->u.utility.name, s->sockaddr.u.util.service,
+                strlcpy(l->u.utility.name, s->sockaddr.u.util.service,
-                        sizeof(l->u.utility.name)-1);
+                        sizeof(l->u.utility.name));
-                l->u.utility.name[sizeof(l->u.utility.name)-1] = 0;
                caif_assert(sizeof(l->u.utility.name) > 10);
                l->u.utility.paramlen = s->param.size;
                if (l->u.utility.paramlen > sizeof(l->u.utility.params))
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index f5afda1abc76..655ed7032150 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -258,8 +258,8 @@ int cfctrl_linkup_request(struct cflayer *layer,
                tmp16 = cpu_to_le16(param->u.utility.fifosize_bufs);
                cfpkt_add_body(pkt, &tmp16, 2);
                memset(utility_name, 0, sizeof(utility_name));
-                strncpy(utility_name, param->u.utility.name,
+                strlcpy(utility_name, param->u.utility.name,
-                        UTILITY_NAME_LENGTH - 1);
+                        UTILITY_NAME_LENGTH);
                cfpkt_add_body(pkt, utility_name, UTILITY_NAME_LENGTH);
                tmp8 = param->u.utility.paramlen;
                cfpkt_add_body(pkt, &tmp8, 1);
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 003b2d6d655f..4d7f988a3130 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -721,20 +721,16 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev,
 {
        struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
-        if (WARN_ONCE(dev->type != ARPHRD_CAN ||
+        if (unlikely(dev->type != ARPHRD_CAN || skb->len != CAN_MTU ||
-                      skb->len != CAN_MTU ||
+                     cfd->len > CAN_MAX_DLEN)) {
-                      cfd->len > CAN_MAX_DLEN,
+                pr_warn_once("PF_CAN: dropped non conform CAN skbuf: dev type %d, len %d, datalen %d\n",
-                      "PF_CAN: dropped non conform CAN skbuf: "
+                             dev->type, skb->len, cfd->len);
-                      "dev type %d, len %d, datalen %d\n",
+                kfree_skb(skb);
-                      dev->type, skb->len, cfd->len))
+                return NET_RX_DROP;
-                goto drop;
+        }
        can_receive(skb, dev);
        return NET_RX_SUCCESS;
-drop:
-        kfree_skb(skb);
-        return NET_RX_DROP;
 }
 static int canfd_rcv(struct sk_buff *skb, struct net_device *dev,
@@ -742,20 +738,16 @@ static int canfd_rcv(struct sk_buff *skb, struct net_device *dev,
 {
        struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
-        if (WARN_ONCE(dev->type != ARPHRD_CAN ||
+        if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU ||
-                      skb->len != CANFD_MTU ||
+                     cfd->len > CANFD_MAX_DLEN)) {
-                      cfd->len > CANFD_MAX_DLEN,
+                pr_warn_once("PF_CAN: dropped non conform CAN FD skbuf: dev type %d, len %d, datalen %d\n",
-                      "PF_CAN: dropped non conform CAN FD skbuf: "
+                             dev->type, skb->len, cfd->len);
-                      "dev type %d, len %d, datalen %d\n",
+                kfree_skb(skb);
-                      dev->type, skb->len, cfd->len))
+                return NET_RX_DROP;
-                goto drop;
+        }
        can_receive(skb, dev);
        return NET_RX_SUCCESS;
-drop:
-        kfree_skb(skb);
-        return NET_RX_DROP;
 }
 /*
diff --git a/net/core/dev.c b/net/core/dev.c
index 01ee854454a8..613fb4066be7 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1146,7 +1146,19 @@ EXPORT_SYMBOL(dev_alloc_name);
 int dev_get_valid_name(struct net *net, struct net_device *dev,
                       const char *name)
 {
-        return dev_alloc_name_ns(net, dev, name);
+        BUG_ON(!net);
+        if (!dev_valid_name(name))
+                return -EINVAL;
+        if (strchr(name, '%'))
+                return dev_alloc_name_ns(net, dev, name);
+        else if (__dev_get_by_name(net, name))
+                return -EEXIST;
+        else if (dev->name != name)
+                strlcpy(dev->name, name, IFNAMSIZ);
+        return 0;
 }
 EXPORT_SYMBOL(dev_get_valid_name);
@@ -3139,10 +3151,21 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
                hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
                /* + transport layer */
-                if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))
+                if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) {
-                        hdr_len += tcp_hdrlen(skb);
+                        const struct tcphdr *th;
-                else
+                        struct tcphdr _tcphdr;
-                        hdr_len += sizeof(struct udphdr);
+                        th = skb_header_pointer(skb, skb_transport_offset(skb),
+                                                sizeof(_tcphdr), &_tcphdr);
+                        if (likely(th))
+                                hdr_len += __tcp_hdrlen(th);
+                } else {
+                        struct udphdr _udphdr;
+                        if (skb_header_pointer(skb, skb_transport_offset(skb),
+                                               sizeof(_udphdr), &_udphdr))
+                                hdr_len += sizeof(struct udphdr);
+                }
                if (shinfo->gso_type & SKB_GSO_DODGY)
                        gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index f8fcf450a36e..8225416911ae 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -770,15 +770,6 @@ static int ethtool_set_link_ksettings(struct net_device *dev,
        return dev->ethtool_ops->set_link_ksettings(dev, &link_ksettings);
 }
-static void
-warn_incomplete_ethtool_legacy_settings_conversion(const char *details)
-{
-        char name[sizeof(current->comm)];
-        pr_info_once("warning: `%s' uses legacy ethtool link settings API, %s\n",
-                     get_task_comm(name, current), details);
-}
 /* Query device for its ethtool_cmd settings.
 *
 * Backward compatibility note: for compatibility with legacy ethtool,
@@ -805,10 +796,8 @@ static int ethtool_get_settings(struct net_device *dev, void __user *useraddr)
                                                           &link_ksettings);
                if (err < 0)
                        return err;
-                if (!convert_link_ksettings_to_legacy_settings(&cmd,
+                convert_link_ksettings_to_legacy_settings(&cmd,
-                                                               &link_ksettings))
+                                                          &link_ksettings);
-                        warn_incomplete_ethtool_legacy_settings_conversion(
-                                "link modes are only partially reported");
                /* send a sensible cmd tag back to user */
                cmd.cmd = ETHTOOL_GSET;
diff --git a/net/core/filter.c b/net/core/filter.c
index 6a85e67fafce..1c0eb436671f 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -458,6 +458,10 @@ do_pass:
                            convert_bpf_extensions(fp, &insn))
                                break;
+                        if (fp->code == (BPF_ALU | BPF_DIV | BPF_X) ||
+                            fp->code == (BPF_ALU | BPF_MOD | BPF_X))
+                                *insn++ = BPF_MOV32_REG(BPF_REG_X, BPF_REG_X);
                        *insn = BPF_RAW_INSN(fp->code, BPF_REG_A, BPF_REG_X, 0, fp->k);
                        break;
@@ -1054,11 +1058,9 @@ static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp)
                 */
                goto out_err_free;
-        /* We are guaranteed to never error here with cBPF to eBPF
-         * transitions, since there's no issue with type compatibility
-         * checks on program arrays.
-         */
        fp = bpf_prog_select_runtime(fp, &err);
+        if (err)
+                goto out_err_free;
        kfree(old_prog);
        return fp;
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 15ce30063765..544bddf08e13 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -976,8 +976,8 @@ ip_proto_again:
 out_good:
        ret = true;
-        key_control->thoff = (u16)nhoff;
 out:
+        key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
        key_basic->n_proto = proto;
        key_basic->ip_proto = ip_proto;
@@ -985,7 +985,6 @@ out:
 out_bad:
        ret = false;
-        key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
        goto out;
 }
 EXPORT_SYMBOL(__skb_flow_dissect);
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index d1f5fe986edd..7f831711b6e0 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -532,7 +532,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
        if (atomic_read(&tbl->entries) > (1 << nht->hash_shift))
                nht = neigh_hash_grow(tbl, nht->hash_shift + 1);
-        hash_val = tbl->hash(pkey, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
+        hash_val = tbl->hash(n->primary_key, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
        if (n->parms->dead) {
                rc = ERR_PTR(-EINVAL);
@@ -544,7 +544,7 @@ struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
             n1 != NULL;
             n1 = rcu_dereference_protected(n1->next,
                        lockdep_is_held(&tbl->lock))) {
-                if (dev == n1->dev && !memcmp(n1->primary_key, pkey, key_len)) {
+                if (dev == n1->dev && !memcmp(n1->primary_key, n->primary_key, key_len)) {
                        if (want_ref)
                                neigh_hold(n1);
                        rc = n1;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index dabba2a91fc8..778d7f03404a 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1681,18 +1681,18 @@ static bool link_dump_filtered(struct net_device *dev,
        return false;
 }
-static struct net *get_target_net(struct sk_buff *skb, int netnsid)
+static struct net *get_target_net(struct sock *sk, int netnsid)
 {
        struct net *net;
-        net = get_net_ns_by_id(sock_net(skb->sk), netnsid);
+        net = get_net_ns_by_id(sock_net(sk), netnsid);
        if (!net)
                return ERR_PTR(-EINVAL);
        /* For now, the caller is required to have CAP_NET_ADMIN in
         * the user namespace owning the target net ns.
         */
-        if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) {
+        if (!sk_ns_capable(sk, net->user_ns, CAP_NET_ADMIN)) {
                put_net(net);
                return ERR_PTR(-EACCES);
        }
@@ -1733,7 +1733,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
                        ifla_policy, NULL) >= 0) {
                if (tb[IFLA_IF_NETNSID]) {
                        netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]);
-                        tgt_net = get_target_net(skb, netnsid);
+                        tgt_net = get_target_net(skb->sk, netnsid);
                        if (IS_ERR(tgt_net)) {
                                tgt_net = net;
                                netnsid = -1;
@@ -2883,7 +2883,7 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (tb[IFLA_IF_NETNSID]) {
                netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]);
-                tgt_net = get_target_net(skb, netnsid);
+                tgt_net = get_target_net(NETLINK_CB(skb).sk, netnsid);
                if (IS_ERR(tgt_net))
                        return PTR_ERR(tgt_net);
        }
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 217f4e3b82f6..146b50e30659 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -288,7 +288,7 @@ static int sock_diag_bind(struct net *net, int group)
        case SKNLGRP_INET6_UDP_DESTROY:
                if (!sock_diag_handlers[AF_INET6])
                        request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
-                                       NETLINK_SOCK_DIAG, AF_INET);
+                                       NETLINK_SOCK_DIAG, AF_INET6);
                break;
        }
        return 0;
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index cbc3dde4cfcc..a47ad6cd41c0 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -325,7 +325,13 @@ static struct ctl_table net_core_table[] = {
                .data           = &bpf_jit_enable,
                .maxlen         = sizeof(int),
                .mode           = 0644,
+#ifndef CONFIG_BPF_JIT_ALWAYS_ON
                .proc_handler   = proc_dointvec
+#else
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &one,
+                .extra2         = &one,
+#endif
        },
 # ifdef CONFIG_HAVE_EBPF_JIT
        {
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index a8d7c5a9fb05..6c231b43974d 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -223,11 +223,16 @@ static bool arp_key_eq(const struct neighbour *neigh, const void *pkey)
 static int arp_constructor(struct neighbour *neigh)
 {
-        __be32 addr = *(__be32 *)neigh->primary_key;
+        __be32 addr;
        struct net_device *dev = neigh->dev;
        struct in_device *in_dev;
        struct neigh_parms *parms;
+        u32 inaddr_any = INADDR_ANY;
+        if (dev->flags & (IFF_LOOPBACK | IFF_POINTOPOINT))
+                memcpy(neigh->primary_key, &inaddr_any, arp_tbl.key_len);
+        addr = *(__be32 *)neigh->primary_key;
        rcu_read_lock();
        in_dev = __in_dev_get_rcu(dev);
        if (!in_dev) {
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index d57aa64fa7c7..61fe6e4d23fc 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -981,6 +981,7 @@ static int esp_init_state(struct xfrm_state *x)
                switch (encap->encap_type) {
                default:
+                        err = -EINVAL;
                        goto error;
                case UDP_ENCAP_ESPINUDP:
                        x->props.header_len += sizeof(struct udphdr);
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index f8b918c766b0..29b333a62ab0 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -38,7 +38,8 @@ static struct sk_buff **esp4_gro_receive(struct sk_buff **head,
        __be32 spi;
        int err;
-        skb_pull(skb, offset);
+        if (!pskb_pull(skb, offset))
+                return NULL;
        if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
                goto out;
@@ -121,6 +122,9 @@ static struct sk_buff *esp4_gso_segment(struct sk_buff *skb,
        if (!xo)
                goto out;
+        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
+                goto out;
        seq = xo->seq.low;
        x = skb->sp->xvec[skb->sp->len - 1];
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 726f6b608274..2d49717a7421 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -332,7 +332,7 @@ static __be32 igmpv3_get_srcaddr(struct net_device *dev,
                return htonl(INADDR_ANY);
        for_ifa(in_dev) {
-                if (inet_ifa_match(fl4->saddr, ifa))
+                if (fl4->saddr == ifa->ifa_local)
                        return fl4->saddr;
        } endfor_ifa(in_dev);
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 125c1eab3eaa..5e570aa9e43b 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -520,9 +520,11 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
                goto out;
        /* hdrincl should be READ_ONCE(inet->hdrincl)
-         * but READ_ONCE() doesn't work with bit fields
+         * but READ_ONCE() doesn't work with bit fields.
+         * Doing this indirectly yields the same result.
         */
        hdrincl = inet->hdrincl;
+        hdrincl = READ_ONCE(hdrincl);
        /*
         *      Check the flags.
         */
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 43b69af242e1..4e153b23bcec 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2762,6 +2762,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
                if (err == 0 && rt->dst.error)
                        err = -rt->dst.error;
        } else {
+                fl4.flowi4_iif = LOOPBACK_IFINDEX;
                rt = ip_route_output_key_hash_rcu(net, &fl4, &res, skb);
                err = 0;
                if (IS_ERR(rt))
diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
index b6a2aa1dcf56..4d58e2ce0b5b 100644
--- a/net/ipv4/tcp_offload.c
+++ b/net/ipv4/tcp_offload.c
@@ -32,6 +32,9 @@ static void tcp_gso_tstamp(struct sk_buff *skb, unsigned int ts_seq,
 static struct sk_buff *tcp4_gso_segment(struct sk_buff *skb,
                                        netdev_features_t features)
 {
+        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4))
+                return ERR_PTR(-EINVAL);
        if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
                return ERR_PTR(-EINVAL);
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 01801b77bd0d..ea6e6e7df0ee 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -203,6 +203,9 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
                goto out;
        }
+        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP))
+                goto out;
        if (!pskb_may_pull(skb, sizeof(struct udphdr)))
                goto out;
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index e6265e2c274e..20ca486b3cad 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -92,6 +92,7 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
        skb_reset_network_header(skb);
        skb_mac_header_rebuild(skb);
+        eth_hdr(skb)->h_proto = skb->protocol;
        err = 0;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index a902ff8f59be..1a7f00cd4803 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -890,13 +890,12 @@ static int esp6_init_state(struct xfrm_state *x)
                        x->props.header_len += IPV4_BEET_PHMAXLEN +
                                               (sizeof(struct ipv6hdr) - sizeof(struct iphdr));
                break;
+        default:
        case XFRM_MODE_TRANSPORT:
                break;
        case XFRM_MODE_TUNNEL:
                x->props.header_len += sizeof(struct ipv6hdr);
                break;
-        default:
-                goto error;
        }
        align = ALIGN(crypto_aead_blocksize(aead), 4);
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 333a478aa161..f52c314d4c97 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -60,7 +60,8 @@ static struct sk_buff **esp6_gro_receive(struct sk_buff **head,
        int nhoff;
        int err;
-        skb_pull(skb, offset);
+        if (!pskb_pull(skb, offset))
+                return NULL;
        if ((err = xfrm_parse_spi(skb, IPPROTO_ESP, &spi, &seq)) != 0)
                goto out;
@@ -148,6 +149,9 @@ static struct sk_buff *esp6_gso_segment(struct sk_buff *skb,
        if (!xo)
                goto out;
+        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
+                goto out;
        seq = xo->seq.low;
        x = skb->sp->xvec[skb->sp->len - 1];
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 83bd75713535..bc68eb661970 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -925,6 +925,15 @@ static void ipv6_push_rthdr4(struct sk_buff *skb, u8 *proto,
        sr_phdr->segments[0] = **addr_p;
        *addr_p = &sr_ihdr->segments[sr_ihdr->segments_left];
+        if (sr_ihdr->hdrlen > hops * 2) {
+                int tlvs_offset, tlvs_length;
+                tlvs_offset = (1 + hops * 2) << 3;
+                tlvs_length = (sr_ihdr->hdrlen - hops * 2) << 3;
+                memcpy((char *)sr_phdr + tlvs_offset,
+                       (char *)sr_ihdr + tlvs_offset, tlvs_length);
+        }
 #ifdef CONFIG_IPV6_SEG6_HMAC
        if (sr_has_hmac(sr_phdr)) {
                struct net *net = NULL;
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index f5285f4e1d08..217683d40f12 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -640,6 +640,11 @@ static struct fib6_node *fib6_add_1(struct net *net,
                        if (!(fn->fn_flags & RTN_RTINFO)) {
                                RCU_INIT_POINTER(fn->leaf, NULL);
                                rt6_release(leaf);
+                        /* remove null_entry in the root node */
+                        } else if (fn->fn_flags & RTN_TL_ROOT &&
+                                   rcu_access_pointer(fn->leaf) ==
+                                   net->ipv6.ip6_null_entry) {
+                                RCU_INIT_POINTER(fn->leaf, NULL);
                        }
                        return fn;
@@ -1221,8 +1226,14 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt,
                }
                if (!rcu_access_pointer(fn->leaf)) {
-                        atomic_inc(&rt->rt6i_ref);
+                        if (fn->fn_flags & RTN_TL_ROOT) {
-                        rcu_assign_pointer(fn->leaf, rt);
+                                /* put back null_entry for root node */
+                                rcu_assign_pointer(fn->leaf,
+                                            info->nl_net->ipv6.ip6_null_entry);
+                        } else {
+                                atomic_inc(&rt->rt6i_ref);
+                                rcu_assign_pointer(fn->leaf, rt);
+                        }
                }
                fn = sn;
        }
@@ -1241,23 +1252,28 @@ out:
                 * If fib6_add_1 has cleared the old leaf pointer in the
                 * super-tree leaf node we have to find a new one for it.
                 */
-                struct rt6_info *pn_leaf = rcu_dereference_protected(pn->leaf,
+                if (pn != fn) {
-                                            lockdep_is_held(&table->tb6_lock));
+                        struct rt6_info *pn_leaf =
-                if (pn != fn && pn_leaf == rt) {
+                                rcu_dereference_protected(pn->leaf,
-                        pn_leaf = NULL;
+                                    lockdep_is_held(&table->tb6_lock));
-                        RCU_INIT_POINTER(pn->leaf, NULL);
+                        if (pn_leaf == rt) {
-                        atomic_dec(&rt->rt6i_ref);
+                                pn_leaf = NULL;
-                }
+                                RCU_INIT_POINTER(pn->leaf, NULL);
-                if (pn != fn && !pn_leaf && !(pn->fn_flags & RTN_RTINFO)) {
+                                atomic_dec(&rt->rt6i_ref);
-                        pn_leaf = fib6_find_prefix(info->nl_net, table, pn);
-#if RT6_DEBUG >= 2
-                        if (!pn_leaf) {
-                                WARN_ON(!pn_leaf);
-                                pn_leaf = info->nl_net->ipv6.ip6_null_entry;
                        }
+                        if (!pn_leaf && !(pn->fn_flags & RTN_RTINFO)) {
+                                pn_leaf = fib6_find_prefix(info->nl_net, table,
+                                                           pn);
+#if RT6_DEBUG >= 2
+                                if (!pn_leaf) {
+                                        WARN_ON(!pn_leaf);
+                                        pn_leaf =
+                                            info->nl_net->ipv6.ip6_null_entry;
+                                }
 #endif
-                        atomic_inc(&pn_leaf->rt6i_ref);
+                                atomic_inc(&pn_leaf->rt6i_ref);
-                        rcu_assign_pointer(pn->leaf, pn_leaf);
+                                rcu_assign_pointer(pn->leaf, pn_leaf);
+                        }
                }
 #endif
                goto failure;
@@ -1265,13 +1281,17 @@ out:
        return err;
 failure:
-        /* fn->leaf could be NULL if fn is an intermediate node and we
+        /* fn->leaf could be NULL and fib6_repair_tree() needs to be called if:
-         * failed to add the new route to it in both subtree creation
+         * 1. fn is an intermediate node and we failed to add the new
-         * failure and fib6_add_rt2node() failure case.
+         * route to it in both subtree creation failure and fib6_add_rt2node()
-         * In both cases, fib6_repair_tree() should be called to fix
+         * failure case.
-         * fn->leaf.
+         * 2. fn is the root node in the table and we fail to add the first
+         * default route to it.
         */
-        if (fn && !(fn->fn_flags & (RTN_RTINFO|RTN_ROOT)))
+        if (fn &&
+            (!(fn->fn_flags & (RTN_RTINFO|RTN_ROOT)) ||
+             (fn->fn_flags & RTN_TL_ROOT &&
+              !rcu_access_pointer(fn->leaf))))
                fib6_repair_tree(info->nl_net, table, fn);
        /* Always release dst as dst->__refcnt is guaranteed
         * to be taken before entering this function
@@ -1526,6 +1546,12 @@ static struct fib6_node *fib6_repair_tree(struct net *net,
        struct fib6_walker *w;
        int iter = 0;
+        /* Set fn->leaf to null_entry for root node. */
+        if (fn->fn_flags & RTN_TL_ROOT) {
+                rcu_assign_pointer(fn->leaf, net->ipv6.ip6_null_entry);
+                return fn;
+        }
        for (;;) {
                struct fib6_node *fn_r = rcu_dereference_protected(fn->right,
                                            lockdep_is_held(&table->tb6_lock));
@@ -1680,10 +1706,15 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn,
        }
        read_unlock(&net->ipv6.fib6_walker_lock);
-        /* If it was last route, expunge its radix tree node */
+        /* If it was last route, call fib6_repair_tree() to:
+         * 1. For root node, put back null_entry as how the table was created.
+         * 2. For other nodes, expunge its radix tree node.
+         */
        if (!rcu_access_pointer(fn->leaf)) {
-                fn->fn_flags &= ~RTN_RTINFO;
+                if (!(fn->fn_flags & RTN_TL_ROOT)) {
-                net->ipv6.rt6_stats->fib_route_nodes--;
+                        fn->fn_flags &= ~RTN_RTINFO;
+                        net->ipv6.rt6_stats->fib_route_nodes--;
+                }
                fn = fib6_repair_tree(net, table, fn);
        }
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 772695960890..873549228ccb 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -337,11 +337,12 @@ static struct ip6_tnl *ip6gre_tunnel_locate(struct net *net,
        nt->dev = dev;
        nt->net = dev_net(dev);
-        ip6gre_tnl_link_config(nt, 1);
        if (register_netdevice(dev) < 0)
                goto failed_free;
+        ip6gre_tnl_link_config(nt, 1);
        /* Can use a lockless transmit, unless we generate output sequences */
        if (!(nt->parms.o_flags & TUNNEL_SEQ))
                dev->features |= NETIF_F_LLTX;
@@ -1303,7 +1304,6 @@ static void ip6gre_netlink_parms(struct nlattr *data[],
 static int ip6gre_tap_init(struct net_device *dev)
 {
-        struct ip6_tnl *tunnel;
        int ret;
        ret = ip6gre_tunnel_init_common(dev);
@@ -1312,10 +1312,6 @@ static int ip6gre_tap_init(struct net_device *dev)
        dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
-        tunnel = netdev_priv(dev);
-        ip6gre_tnl_link_config(tunnel, 1);
        return 0;
 }
@@ -1408,12 +1404,16 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
        nt->dev = dev;
        nt->net = dev_net(dev);
-        ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
        err = register_netdevice(dev);
        if (err)
                goto out;
+        ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
+        if (tb[IFLA_MTU])
+                ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU]));
        dev_hold(dev);
        ip6gre_tunnel_link(ign, nt);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index f7dd51c42314..3763dc01e374 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -166,7 +166,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
                            !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }
-static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
+bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
 {
        if (!np->autoflowlabel_set)
                return ip6_default_np_autolabel(net);
@@ -1206,14 +1206,16 @@ static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork,
        v6_cork->tclass = ipc6->tclass;
        if (rt->dst.flags & DST_XFRM_TUNNEL)
                mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
-                      rt->dst.dev->mtu : dst_mtu(&rt->dst);
+                      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
        else
                mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
-                      rt->dst.dev->mtu : dst_mtu(rt->dst.path);
+                      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path);
        if (np->frag_size < mtu) {
                if (np->frag_size)
                        mtu = np->frag_size;
        }
+        if (mtu < IPV6_MIN_MTU)
+                return -EINVAL;
        cork->base.fragsize = mtu;
        if (dst_allfrag(rt->dst.path))
                cork->base.flags |= IPCORK_ALLFRAG;
@@ -1733,11 +1735,13 @@ struct sk_buff *ip6_make_skb(struct sock *sk,
        cork.base.flags = 0;
        cork.base.addr = 0;
        cork.base.opt = NULL;
+        cork.base.dst = NULL;
        v6_cork.opt = NULL;
        err = ip6_setup_cork(sk, &cork, &v6_cork, ipc6, rt, fl6);
-        if (err)
+        if (err) {
+                ip6_cork_release(&cork, &v6_cork);
                return ERR_PTR(err);
+        }
        if (ipc6->dontfrag < 0)
                ipc6->dontfrag = inet6_sk(sk)->dontfrag;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 931c38f6ff4a..9a7cf355bc8c 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1074,10 +1074,11 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
                        memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
                        neigh_release(neigh);
                }
-        } else if (!(t->parms.flags &
+        } else if (t->parms.proto != 0 && !(t->parms.flags &
-                     (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
+                                            (IP6_TNL_F_USE_ORIG_TCLASS |
-                /* enable the cache only only if the routing decision does
+                                             IP6_TNL_F_USE_ORIG_FWMARK))) {
-                 * not depend on the current inner header value
+                /* enable the cache only if neither the outer protocol nor the
+                 * routing decision depends on the current inner header value
                 */
                use_cache = true;
        }
@@ -1676,11 +1677,11 @@ int ip6_tnl_change_mtu(struct net_device *dev, int new_mtu)
 {
        struct ip6_tnl *tnl = netdev_priv(dev);
-        if (tnl->parms.proto == IPPROTO_IPIP) {
+        if (tnl->parms.proto == IPPROTO_IPV6) {
-                if (new_mtu < ETH_MIN_MTU)
+                if (new_mtu < IPV6_MIN_MTU)
                        return -EINVAL;
        } else {
-                if (new_mtu < IPV6_MIN_MTU)
+                if (new_mtu < ETH_MIN_MTU)
                        return -EINVAL;
        }
        if (new_mtu > 0xFFF8 - dev->hard_header_len)
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 2d4680e0376f..e8ffb5b5d84e 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -1336,7 +1336,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
                break;
        case IPV6_AUTOFLOWLABEL:
-                val = np->autoflowlabel;
+                val = ip6_autoflowlabel(sock_net(sk), np);
                break;
        case IPV6_RECVFRAGSIZE:
diff --git a/net/ipv6/tcpv6_offload.c b/net/ipv6/tcpv6_offload.c
index d883c9204c01..278e49cd67d4 100644
--- a/net/ipv6/tcpv6_offload.c
+++ b/net/ipv6/tcpv6_offload.c
@@ -46,6 +46,9 @@ static struct sk_buff *tcp6_gso_segment(struct sk_buff *skb,
 {
        struct tcphdr *th;
+        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6))
+                return ERR_PTR(-EINVAL);
        if (!pskb_may_pull(skb, sizeof(*th)))
                return ERR_PTR(-EINVAL);
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index a0f89ad76f9d..2a04dc9c781b 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -42,6 +42,9 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
                const struct ipv6hdr *ipv6h;
                struct udphdr *uh;
+                if (!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP))
+                        goto out;
                if (!pskb_may_pull(skb, sizeof(struct udphdr)))
                        goto out;
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index 02556e356f87..dc93002ff9d1 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -92,6 +92,7 @@ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
        skb_reset_network_header(skb);
        skb_mac_header_rebuild(skb);
+        eth_hdr(skb)->h_proto = skb->protocol;
        err = 0;
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index d4e98f20fc2a..4a8d407f8902 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1387,8 +1387,13 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
        if (!csk)
                return -EINVAL;
-        /* We must prevent loops or risk deadlock ! */
+        /* Only allow TCP sockets to be attached for now */
-        if (csk->sk_family == PF_KCM)
+        if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) ||
+            csk->sk_protocol != IPPROTO_TCP)
+                return -EOPNOTSUPP;
+        /* Don't allow listeners or closed sockets */
+        if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE)
                return -EOPNOTSUPP;
        psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL);
@@ -1405,9 +1410,18 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
                return err;
        }
-        sock_hold(csk);
        write_lock_bh(&csk->sk_callback_lock);
+        /* Check if sk_user_data is aready by KCM or someone else.
+         * Must be done under lock to prevent race conditions.
+         */
+        if (csk->sk_user_data) {
+                write_unlock_bh(&csk->sk_callback_lock);
+                strp_done(&psock->strp);
+                kmem_cache_free(kcm_psockp, psock);
+                return -EALREADY;
+        }
        psock->save_data_ready = csk->sk_data_ready;
        psock->save_write_space = csk->sk_write_space;
        psock->save_state_change = csk->sk_state_change;
@@ -1415,8 +1429,11 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
        csk->sk_data_ready = psock_data_ready;
        csk->sk_write_space = psock_write_space;
        csk->sk_state_change = psock_state_change;
        write_unlock_bh(&csk->sk_callback_lock);
+        sock_hold(csk);
        /* Finished initialization, now add the psock to the MUX. */
        spin_lock_bh(&mux->lock);
        head = &mux->psocks;
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 3dffb892d52c..7e2e7188e7f4 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -401,6 +401,11 @@ static int verify_address_len(const void *p)
 #endif
        int len;
+        if (sp->sadb_address_len <
+            DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
+                         sizeof(uint64_t)))
+                return -EINVAL;
        switch (addr->sa_family) {
        case AF_INET:
                len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));
@@ -511,6 +516,9 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void *
                uint16_t ext_type;
                int ext_len;
+                if (len < sizeof(*ehdr))
+                        return -EINVAL;
                ext_len  = ehdr->sadb_ext_len;
                ext_len *= sizeof(uint64_t);
                ext_type = ehdr->sadb_ext_type;
@@ -2194,8 +2202,10 @@ static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_ev
                return PTR_ERR(out_skb);
        err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
-        if (err < 0)
+        if (err < 0) {
+                kfree_skb(out_skb);
                return err;
+        }
        out_hdr = (struct sadb_msg *) out_skb->data;
        out_hdr->sadb_msg_version = PF_KEY_V2;
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 70e9d2ca8bbe..4daafb07602f 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3632,6 +3632,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
                }
                return true;
        case NL80211_IFTYPE_MESH_POINT:
+                if (ether_addr_equal(sdata->vif.addr, hdr->addr2))
+                        return false;
                if (multicast)
                        return true;
                return ether_addr_equal(sdata->vif.addr, hdr->addr1);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 10798b357481..07bd4138c84e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2072,7 +2072,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
                                continue;
                        list_for_each_entry_rcu(chain, &table->chains, list) {
-                                if (ctx && ctx->chain[0] &&
+                                if (ctx && ctx->chain &&
                                    strcmp(ctx->chain, chain->name) != 0)
                                        continue;
@@ -4665,8 +4665,10 @@ static int nf_tables_dump_obj_done(struct netlink_callback *cb)
 {
        struct nft_obj_filter *filter = cb->data;
-        kfree(filter->table);
+        if (filter) {
-        kfree(filter);
+                kfree(filter->table);
+                kfree(filter);
+        }
        return 0;
 }
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index 1f7fbd3c7e5a..06b090d8e901 100644
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -55,21 +55,11 @@ static int __bpf_mt_check_fd(int fd, struct bpf_prog **ret)
 static int __bpf_mt_check_path(const char *path, struct bpf_prog **ret)
 {
-        mm_segment_t oldfs = get_fs();
-        int retval, fd;
        if (strnlen(path, XT_BPF_PATH_MAX) == XT_BPF_PATH_MAX)
                return -EINVAL;
-        set_fs(KERNEL_DS);
+        *ret = bpf_prog_get_type_path(path, BPF_PROG_TYPE_SOCKET_FILTER);
-        fd = bpf_obj_get_user(path, 0);
+        return PTR_ERR_OR_ZERO(*ret);
-        set_fs(oldfs);
-        if (fd < 0)
-                return fd;
-        retval = __bpf_mt_check_fd(fd, ret);
-        sys_close(fd);
-        return retval;
 }
 static int bpf_mt_check(const struct xt_mtchk_param *par)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 79cc1bf36e4a..84a4e4c3be4b 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2384,13 +2384,14 @@ int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *,
                                                   struct nlmsghdr *,
                                                   struct netlink_ext_ack *))
 {
-        struct netlink_ext_ack extack = {};
+        struct netlink_ext_ack extack;
        struct nlmsghdr *nlh;
        int err;
        while (skb->len >= nlmsg_total_size(0)) {
                int msglen;
+                memset(&extack, 0, sizeof(extack));
                nlh = nlmsg_hdr(skb);
                err = 0;
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 624ea74353dd..f143908b651d 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -49,7 +49,6 @@
 #include <net/mpls.h>
 #include <net/vxlan.h>
 #include <net/tun_proto.h>
-#include <net/erspan.h>
 #include "flow_netlink.h"
@@ -334,8 +333,7 @@ size_t ovs_tun_key_attr_size(void)
                 * OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS and covered by it.
                 */
                + nla_total_size(2)    /* OVS_TUNNEL_KEY_ATTR_TP_SRC */
-                + nla_total_size(2)    /* OVS_TUNNEL_KEY_ATTR_TP_DST */
+                + nla_total_size(2);   /* OVS_TUNNEL_KEY_ATTR_TP_DST */
-                + nla_total_size(4);   /* OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS */
 }
 static size_t ovs_nsh_key_attr_size(void)
@@ -402,7 +400,6 @@ static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1]
                                                .next = ovs_vxlan_ext_key_lens },
        [OVS_TUNNEL_KEY_ATTR_IPV6_SRC]      = { .len = sizeof(struct in6_addr) },
        [OVS_TUNNEL_KEY_ATTR_IPV6_DST]      = { .len = sizeof(struct in6_addr) },
-        [OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS]   = { .len = sizeof(u32) },
 };
 static const struct ovs_len_tbl
@@ -634,33 +631,6 @@ static int vxlan_tun_opt_from_nlattr(const struct nlattr *attr,
        return 0;
 }
-static int erspan_tun_opt_from_nlattr(const struct nlattr *attr,
-                                      struct sw_flow_match *match, bool is_mask,
-                                      bool log)
-{
-        unsigned long opt_key_offset;
-        struct erspan_metadata opts;
-        BUILD_BUG_ON(sizeof(opts) > sizeof(match->key->tun_opts));
-        memset(&opts, 0, sizeof(opts));
-        opts.index = nla_get_be32(attr);
-        /* Index has only 20-bit */
-        if (ntohl(opts.index) & ~INDEX_MASK) {
-                OVS_NLERR(log, "ERSPAN index number %x too large.",
-                          ntohl(opts.index));
-                return -EINVAL;
-        }
-        SW_FLOW_KEY_PUT(match, tun_opts_len, sizeof(opts), is_mask);
-        opt_key_offset = TUN_METADATA_OFFSET(sizeof(opts));
-        SW_FLOW_KEY_MEMCPY_OFFSET(match, opt_key_offset, &opts, sizeof(opts),
-                                  is_mask);
-        return 0;
-}
 static int ip_tun_from_nlattr(const struct nlattr *attr,
                              struct sw_flow_match *match, bool is_mask,
                              bool log)
@@ -768,19 +738,6 @@ static int ip_tun_from_nlattr(const struct nlattr *attr,
                        break;
                case OVS_TUNNEL_KEY_ATTR_PAD:
                        break;
-                case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
-                        if (opts_type) {
-                                OVS_NLERR(log, "Multiple metadata blocks provided");
-                                return -EINVAL;
-                        }
-                        err = erspan_tun_opt_from_nlattr(a, match, is_mask, log);
-                        if (err)
-                                return err;
-                        tun_flags |= TUNNEL_ERSPAN_OPT;
-                        opts_type = type;
-                        break;
                default:
                        OVS_NLERR(log, "Unknown IP tunnel attribute %d",
                                  type);
@@ -905,10 +862,6 @@ static int __ip_tun_to_nlattr(struct sk_buff *skb,
                else if (output->tun_flags & TUNNEL_VXLAN_OPT &&
                         vxlan_opt_to_nlattr(skb, tun_opts, swkey_tun_opts_len))
                        return -EMSGSIZE;
-                else if (output->tun_flags & TUNNEL_ERSPAN_OPT &&
-                         nla_put_be32(skb, OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS,
-                                      ((struct erspan_metadata *)tun_opts)->index))
-                        return -EMSGSIZE;
        }
        return 0;
@@ -2533,8 +2486,6 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
                        break;
                case OVS_TUNNEL_KEY_ATTR_VXLAN_OPTS:
                        break;
-                case OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS:
-                        break;
                }
        };
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index bc2f1e0977d6..634cfcb7bba6 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
        local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
+        if (args->nr_local == 0)
+                return -EINVAL;
        /* figure out the number of pages in the vector */
        for (i = 0; i < args->nr_local; i++) {
                if (copy_from_user(&vec, &local_vec[i],
@@ -874,6 +877,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
 err:
        if (page)
                put_page(page);
+        rm->atomic.op_active = 0;
        kfree(rm->atomic.op_notifier);
        return ret;
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index 6b7ee71f40c6..ab7356e0ba83 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -90,9 +90,10 @@ void rds_tcp_nonagle(struct socket *sock)
                              sizeof(val));
 }
-u32 rds_tcp_snd_nxt(struct rds_tcp_connection *tc)
+u32 rds_tcp_write_seq(struct rds_tcp_connection *tc)
 {
-        return tcp_sk(tc->t_sock->sk)->snd_nxt;
+        /* seq# of the last byte of data in tcp send buffer */
+        return tcp_sk(tc->t_sock->sk)->write_seq;
 }
 u32 rds_tcp_snd_una(struct rds_tcp_connection *tc)
diff --git a/net/rds/tcp.h b/net/rds/tcp.h
index 1aafbf7c3011..864ca7d8f019 100644
--- a/net/rds/tcp.h
+++ b/net/rds/tcp.h
@@ -54,7 +54,7 @@ void rds_tcp_set_callbacks(struct socket *sock, struct rds_conn_path *cp);
 void rds_tcp_reset_callbacks(struct socket *sock, struct rds_conn_path *cp);
 void rds_tcp_restore_callbacks(struct socket *sock,
                               struct rds_tcp_connection *tc);
-u32 rds_tcp_snd_nxt(struct rds_tcp_connection *tc);
+u32 rds_tcp_write_seq(struct rds_tcp_connection *tc);
 u32 rds_tcp_snd_una(struct rds_tcp_connection *tc);
 u64 rds_tcp_map_seq(struct rds_tcp_connection *tc, u32 seq);
 extern struct rds_transport rds_tcp_transport;
diff --git a/net/rds/tcp_send.c b/net/rds/tcp_send.c
index dc860d1bb608..9b76e0fa1722 100644
--- a/net/rds/tcp_send.c
+++ b/net/rds/tcp_send.c
@@ -86,7 +86,7 @@ int rds_tcp_xmit(struct rds_connection *conn, struct rds_message *rm,
                 * m_ack_seq is set to the sequence number of the last byte of
                 * header and data.  see rds_tcp_is_acked().
                 */
-                tc->t_last_sent_nxt = rds_tcp_snd_nxt(tc);
+                tc->t_last_sent_nxt = rds_tcp_write_seq(tc);
                rm->m_ack_seq = tc->t_last_sent_nxt +
                                sizeof(struct rds_header) +
                                be32_to_cpu(rm->m_inc.i_hdr.h_len) - 1;
@@ -98,7 +98,7 @@ int rds_tcp_xmit(struct rds_connection *conn, struct rds_message *rm,
                        rm->m_inc.i_hdr.h_flags |= RDS_FLAG_RETRANSMITTED;
                rdsdebug("rm %p tcp nxt %u ack_seq %llu\n",
-                         rm, rds_tcp_snd_nxt(tc),
+                         rm, rds_tcp_write_seq(tc),
                         (unsigned long long)rm->m_ack_seq);
        }
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index e29a48ef7fc3..a0ac42b3ed06 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -159,7 +159,7 @@ static void tcf_gact_stats_update(struct tc_action *a, u64 bytes, u32 packets,
        if (action == TC_ACT_SHOT)
                this_cpu_ptr(gact->common.cpu_qstats)->drops += packets;
-        tm->lastuse = lastuse;
+        tm->lastuse = max_t(u64, tm->lastuse, lastuse);
 }
 static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a,
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 8b3e59388480..08b61849c2a2 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -239,7 +239,7 @@ static void tcf_stats_update(struct tc_action *a, u64 bytes, u32 packets,
        struct tcf_t *tm = &m->tcf_tm;
        _bstats_cpu_update(this_cpu_ptr(a->cpu_bstats), bytes, packets);
-        tm->lastuse = lastuse;
+        tm->lastuse = max_t(u64, tm->lastuse, lastuse);
 }
 static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind,
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 8d78e7f4ecc3..a62586e2dbdb 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -183,10 +183,17 @@ static int cls_bpf_offload_cmd(struct tcf_proto *tp, struct cls_bpf_prog *prog,
        return 0;
 }
+static u32 cls_bpf_flags(u32 flags)
+{
+        return flags & CLS_BPF_SUPPORTED_GEN_FLAGS;
+}
 static int cls_bpf_offload(struct tcf_proto *tp, struct cls_bpf_prog *prog,
                           struct cls_bpf_prog *oldprog)
 {
-        if (prog && oldprog && prog->gen_flags != oldprog->gen_flags)
+        if (prog && oldprog &&
+            cls_bpf_flags(prog->gen_flags) !=
+            cls_bpf_flags(oldprog->gen_flags))
                return -EINVAL;
        if (prog && tc_skip_hw(prog->gen_flags))
diff --git a/net/sched/em_nbyte.c b/net/sched/em_nbyte.c
index df3110d69585..07c10bac06a0 100644
--- a/net/sched/em_nbyte.c
+++ b/net/sched/em_nbyte.c
@@ -51,7 +51,7 @@ static int em_nbyte_match(struct sk_buff *skb, struct tcf_ematch *em,
        if (!tcf_valid_offset(skb, ptr, nbyte->hdr.len))
                return 0;
-        return !memcmp(ptr + nbyte->hdr.off, nbyte->pattern, nbyte->hdr.len);
+        return !memcmp(ptr, nbyte->pattern, nbyte->hdr.len);
 }
 static struct tcf_ematch_ops em_nbyte_ops = {
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 0f1eab99ff4e..52529b7f8d96 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1063,17 +1063,6 @@ static struct Qdisc *qdisc_create(struct net_device *dev,
        }
        if (!ops->init || (err = ops->init(sch, tca[TCA_OPTIONS])) == 0) {
-                if (qdisc_is_percpu_stats(sch)) {
-                        sch->cpu_bstats =
-                                netdev_alloc_pcpu_stats(struct gnet_stats_basic_cpu);
-                        if (!sch->cpu_bstats)
-                                goto err_out4;
-                        sch->cpu_qstats = alloc_percpu(struct gnet_stats_queue);
-                        if (!sch->cpu_qstats)
-                                goto err_out4;
-                }
                if (tca[TCA_STAB]) {
                        stab = qdisc_get_stab(tca[TCA_STAB]);
                        if (IS_ERR(stab)) {
@@ -1115,7 +1104,7 @@ static struct Qdisc *qdisc_create(struct net_device *dev,
                ops->destroy(sch);
 err_out3:
        dev_put(dev);
-        kfree((char *) sch - sch->padded);
+        qdisc_free(sch);
 err_out2:
        module_put(ops->owner);
 err_out:
@@ -1123,8 +1112,6 @@ err_out:
        return NULL;
 err_out4:
-        free_percpu(sch->cpu_bstats);
-        free_percpu(sch->cpu_qstats);
        /*
         * Any broken qdiscs that would require a ops->reset() here?
         * The qdisc was never in action so it shouldn't be necessary.
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 661c7144b53a..cac003fddf3e 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -633,6 +633,19 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
        qdisc_skb_head_init(&sch->q);
        spin_lock_init(&sch->q.lock);
+        if (ops->static_flags & TCQ_F_CPUSTATS) {
+                sch->cpu_bstats =
+                        netdev_alloc_pcpu_stats(struct gnet_stats_basic_cpu);
+                if (!sch->cpu_bstats)
+                        goto errout1;
+                sch->cpu_qstats = alloc_percpu(struct gnet_stats_queue);
+                if (!sch->cpu_qstats) {
+                        free_percpu(sch->cpu_bstats);
+                        goto errout1;
+                }
+        }
        spin_lock_init(&sch->busylock);
        lockdep_set_class(&sch->busylock,
                          dev->qdisc_tx_busylock ?: &qdisc_tx_busylock);
@@ -642,6 +655,7 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
                          dev->qdisc_running_key ?: &qdisc_running_key);
        sch->ops = ops;
+        sch->flags = ops->static_flags;
        sch->enqueue = ops->enqueue;
        sch->dequeue = ops->dequeue;
        sch->dev_queue = dev_queue;
@@ -649,6 +663,8 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
        refcount_set(&sch->refcnt, 1);
        return sch;
+errout1:
+        kfree(p);
 errout:
        return ERR_PTR(err);
 }
@@ -698,7 +714,7 @@ void qdisc_reset(struct Qdisc *qdisc)
 }
 EXPORT_SYMBOL(qdisc_reset);
-static void qdisc_free(struct Qdisc *qdisc)
+void qdisc_free(struct Qdisc *qdisc)
 {
        if (qdisc_is_percpu_stats(qdisc)) {
                free_percpu(qdisc->cpu_bstats);
diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
index fc1286f499c1..003e1b063447 100644
--- a/net/sched/sch_ingress.c
+++ b/net/sched/sch_ingress.c
@@ -66,7 +66,6 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt)
 {
        struct ingress_sched_data *q = qdisc_priv(sch);
        struct net_device *dev = qdisc_dev(sch);
-        int err;
        net_inc_ingress_queue();
@@ -76,13 +75,7 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt)
        q->block_info.chain_head_change = clsact_chain_head_change;
        q->block_info.chain_head_change_priv = &q->miniqp;
-        err = tcf_block_get_ext(&q->block, sch, &q->block_info);
+        return tcf_block_get_ext(&q->block, sch, &q->block_info);
-        if (err)
-                return err;
-        sch->flags |= TCQ_F_CPUSTATS;
-        return 0;
 }
 static void ingress_destroy(struct Qdisc *sch)
@@ -121,6 +114,7 @@ static struct Qdisc_ops ingress_qdisc_ops __read_mostly = {
        .cl_ops         =       &ingress_class_ops,
        .id             =       "ingress",
        .priv_size      =       sizeof(struct ingress_sched_data),
+        .static_flags   =       TCQ_F_CPUSTATS,
        .init           =       ingress_init,
        .destroy        =       ingress_destroy,
        .dump           =       ingress_dump,
@@ -192,13 +186,7 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt)
        q->egress_block_info.chain_head_change = clsact_chain_head_change;
        q->egress_block_info.chain_head_change_priv = &q->miniqp_egress;
-        err = tcf_block_get_ext(&q->egress_block, sch, &q->egress_block_info);
+        return tcf_block_get_ext(&q->egress_block, sch, &q->egress_block_info);
-        if (err)
-                return err;
-        sch->flags |= TCQ_F_CPUSTATS;
-        return 0;
 }
 static void clsact_destroy(struct Qdisc *sch)
@@ -225,6 +213,7 @@ static struct Qdisc_ops clsact_qdisc_ops __read_mostly = {
        .cl_ops         =       &clsact_class_ops,
        .id             =       "clsact",
        .priv_size      =       sizeof(struct clsact_sched_data),
+        .static_flags   =       TCQ_F_CPUSTATS,
        .init           =       clsact_init,
        .destroy        =       clsact_destroy,
        .dump           =       ingress_dump,
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 621b5ca3fd1c..141c9c466ec1 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -399,20 +399,24 @@ void sctp_icmp_frag_needed(struct sock *sk, struct sctp_association *asoc,
                return;
        }
-        if (t->param_flags & SPP_PMTUD_ENABLE) {
+        if (!(t->param_flags & SPP_PMTUD_ENABLE))
-                /* Update transports view of the MTU */
+                /* We can't allow retransmitting in such case, as the
-                sctp_transport_update_pmtu(t, pmtu);
+                 * retransmission would be sized just as before, and thus we
+                 * would get another icmp, and retransmit again.
-                /* Update association pmtu. */
+                 */
-                sctp_assoc_sync_pmtu(asoc);
+                return;
-        }
-        /* Retransmit with the new pmtu setting.
+        /* Update transports view of the MTU. Return if no update was needed.
-         * Normally, if PMTU discovery is disabled, an ICMP Fragmentation
+         * If an update wasn't needed/possible, it also doesn't make sense to
-         * Needed will never be sent, but if a message was sent before
+         * try to retransmit now.
-         * PMTU discovery was disabled that was larger than the PMTU, it
-         * would not be fragmented, so it must be re-transmitted fragmented.
         */
+        if (!sctp_transport_update_pmtu(t, pmtu))
+                return;
+        /* Update association pmtu. */
+        sctp_assoc_sync_pmtu(asoc);
+        /* Retransmit with the new pmtu setting. */
        sctp_retransmit(&asoc->outqueue, t, SCTP_RTXR_PMTUD);
 }
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 3b18085e3b10..5d4c15bf66d2 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -826,6 +826,7 @@ static int sctp_inet6_af_supported(sa_family_t family, struct sctp_sock *sp)
        case AF_INET:
                if (!__ipv6_only_sock(sctp_opt2sk(sp)))
                        return 1;
+                /* fallthru */
        default:
                return 0;
        }
diff --git a/net/sctp/offload.c b/net/sctp/offload.c
index 275925b93b29..35bc7106d182 100644
--- a/net/sctp/offload.c
+++ b/net/sctp/offload.c
@@ -45,6 +45,9 @@ static struct sk_buff *sctp_gso_segment(struct sk_buff *skb,
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        struct sctphdr *sh;
+        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP))
+                goto out;
        sh = sctp_hdr(skb);
        if (!pskb_may_pull(skb, sizeof(*sh)))
                goto out;
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 7d67feeeffc1..c4ec99b20150 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -918,9 +918,9 @@ static void sctp_outq_flush(struct sctp_outq *q, int rtx_timeout, gfp_t gfp)
                        break;
                case SCTP_CID_ABORT:
-                        if (sctp_test_T_bit(chunk)) {
+                        if (sctp_test_T_bit(chunk))
                                packet->vtag = asoc->c.my_vtag;
-                        }
+                        /* fallthru */
                /* The following chunks are "response" chunks, i.e.
                 * they are generated in response to something we
                 * received.  If we are sending these, then we can
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index b4fb6e4886d2..039fcb618c34 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -85,7 +85,7 @@
 static int sctp_writeable(struct sock *sk);
 static void sctp_wfree(struct sk_buff *skb);
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-                                size_t msg_len, struct sock **orig_sk);
+                                size_t msg_len);
 static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
 static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
 static int sctp_wait_for_accept(struct sock *sk, long timeo);
@@ -335,16 +335,14 @@ static struct sctp_af *sctp_sockaddr_af(struct sctp_sock *opt,
        if (len < sizeof (struct sockaddr))
                return NULL;
+        if (!opt->pf->af_supported(addr->sa.sa_family, opt))
+                return NULL;
        /* V4 mapped address are really of AF_INET family */
        if (addr->sa.sa_family == AF_INET6 &&
-            ipv6_addr_v4mapped(&addr->v6.sin6_addr)) {
+            ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
-                if (!opt->pf->af_supported(AF_INET, opt))
+            !opt->pf->af_supported(AF_INET, opt))
-                        return NULL;
+                return NULL;
-        } else {
-                /* Does this PF support this AF? */
-                if (!opt->pf->af_supported(addr->sa.sa_family, opt))
-                        return NULL;
-        }
        /* If we get this far, af is valid. */
        af = sctp_get_af_specific(addr->sa.sa_family);
@@ -1883,8 +1881,14 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
                 */
                if (sinit) {
                        if (sinit->sinit_num_ostreams) {
-                                asoc->c.sinit_num_ostreams =
+                                __u16 outcnt = sinit->sinit_num_ostreams;
-                                        sinit->sinit_num_ostreams;
+                                asoc->c.sinit_num_ostreams = outcnt;
+                                /* outcnt has been changed, so re-init stream */
+                                err = sctp_stream_init(&asoc->stream, outcnt, 0,
+                                                       GFP_KERNEL);
+                                if (err)
+                                        goto out_free;
                        }
                        if (sinit->sinit_max_instreams) {
                                asoc->c.sinit_max_instreams =
@@ -1971,7 +1975,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
        timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
        if (!sctp_wspace(asoc)) {
                /* sk can be changed by peel off when waiting for buf. */
-                err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
+                err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
                if (err) {
                        if (err == -ESRCH) {
                                /* asoc is already dead. */
@@ -2277,7 +2281,7 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
                if (asoc && sctp_outq_is_empty(&asoc->outqueue)) {
                        event = sctp_ulpevent_make_sender_dry_event(asoc,
-                                        GFP_ATOMIC);
+                                        GFP_USER | __GFP_NOWARN);
                        if (!event)
                                return -ENOMEM;
@@ -3498,6 +3502,8 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
        if (optlen < sizeof(struct sctp_hmacalgo))
                return -EINVAL;
+        optlen = min_t(unsigned int, optlen, sizeof(struct sctp_hmacalgo) +
+                                             SCTP_AUTH_NUM_HMACS * sizeof(u16));
        hmacs = memdup_user(optval, optlen);
        if (IS_ERR(hmacs))
@@ -3536,6 +3542,11 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
        if (optlen <= sizeof(struct sctp_authkey))
                return -EINVAL;
+        /* authkey->sca_keylength is u16, so optlen can't be bigger than
+         * this.
+         */
+        optlen = min_t(unsigned int, optlen, USHRT_MAX +
+                                             sizeof(struct sctp_authkey));
        authkey = memdup_user(optval, optlen);
        if (IS_ERR(authkey))
@@ -3893,6 +3904,9 @@ static int sctp_setsockopt_reset_streams(struct sock *sk,
        if (optlen < sizeof(*params))
                return -EINVAL;
+        /* srs_number_streams is u16, so optlen can't be bigger than this. */
+        optlen = min_t(unsigned int, optlen, USHRT_MAX +
+                                             sizeof(__u16) * sizeof(*params));
        params = memdup_user(optval, optlen);
        if (IS_ERR(params))
@@ -5015,7 +5029,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
        len = sizeof(int);
        if (put_user(len, optlen))
                return -EFAULT;
-        if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int)))
+        if (copy_to_user(optval, &sctp_sk(sk)->autoclose, len))
                return -EFAULT;
        return 0;
 }
@@ -5645,6 +5659,9 @@ copy_getaddrs:
                err = -EFAULT;
                goto out;
        }
+        /* XXX: We should have accounted for sizeof(struct sctp_getaddrs) too,
+         * but we can't change it anymore.
+         */
        if (put_user(bytes_copied, optlen))
                err = -EFAULT;
 out:
@@ -6081,7 +6098,7 @@ static int sctp_getsockopt_maxseg(struct sock *sk, int len,
                params.assoc_id = 0;
        } else if (len >= sizeof(struct sctp_assoc_value)) {
                len = sizeof(struct sctp_assoc_value);
-                if (copy_from_user(&params, optval, sizeof(params)))
+                if (copy_from_user(&params, optval, len))
                        return -EFAULT;
        } else
                return -EINVAL;
@@ -6251,7 +6268,9 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
        if (len < sizeof(struct sctp_authkeyid))
                return -EINVAL;
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
+        len = sizeof(struct sctp_authkeyid);
+        if (copy_from_user(&val, optval, len))
                return -EFAULT;
        asoc = sctp_id2assoc(sk, val.scact_assoc_id);
@@ -6263,7 +6282,6 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
        else
                val.scact_keynumber = ep->active_key_id;
-        len = sizeof(struct sctp_authkeyid);
        if (put_user(len, optlen))
                return -EFAULT;
        if (copy_to_user(optval, &val, len))
@@ -6289,7 +6307,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
        if (len < sizeof(struct sctp_authchunks))
                return -EINVAL;
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+        if (copy_from_user(&val, optval, sizeof(val)))
                return -EFAULT;
        to = p->gauth_chunks;
@@ -6334,7 +6352,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
        if (len < sizeof(struct sctp_authchunks))
                return -EINVAL;
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+        if (copy_from_user(&val, optval, sizeof(val)))
                return -EFAULT;
        to = p->gauth_chunks;
@@ -8002,12 +8020,12 @@ void sctp_sock_rfree(struct sk_buff *skb)
 /* Helper function to wait for space in the sndbuf.  */
 static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
-                                size_t msg_len, struct sock **orig_sk)
+                                size_t msg_len)
 {
        struct sock *sk = asoc->base.sk;
-        int err = 0;
        long current_timeo = *timeo_p;
        DEFINE_WAIT(wait);
+        int err = 0;
        pr_debug("%s: asoc:%p, timeo:%ld, msg_len:%zu\n", __func__, asoc,
                 *timeo_p, msg_len);
@@ -8036,17 +8054,13 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
                release_sock(sk);
                current_timeo = schedule_timeout(current_timeo);
                lock_sock(sk);
-                if (sk != asoc->base.sk) {
+                if (sk != asoc->base.sk)
-                        release_sock(sk);
+                        goto do_error;
-                        sk = asoc->base.sk;
-                        lock_sock(sk);
-                }
                *timeo_p = current_timeo;
        }
 out:
-        *orig_sk = sk;
        finish_wait(&asoc->wait, &wait);
        /* Release the association's refcnt.  */
diff --git a/net/sctp/stream.c b/net/sctp/stream.c
index 76ea66be0bbe..524dfeb94c41 100644
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -156,9 +156,9 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
        sctp_stream_outq_migrate(stream, NULL, outcnt);
        sched->sched_all(stream);
-        i = sctp_stream_alloc_out(stream, outcnt, gfp);
+        ret = sctp_stream_alloc_out(stream, outcnt, gfp);
-        if (i)
+        if (ret)
-                return i;
+                goto out;
        stream->outcnt = outcnt;
        for (i = 0; i < stream->outcnt; i++)
@@ -170,19 +170,17 @@ in:
        if (!incnt)
                goto out;
-        i = sctp_stream_alloc_in(stream, incnt, gfp);
+        ret = sctp_stream_alloc_in(stream, incnt, gfp);
-        if (i) {
+        if (ret) {
-                ret = -ENOMEM;
+                sched->free(stream);
-                goto free;
+                kfree(stream->out);
+                stream->out = NULL;
+                stream->outcnt = 0;
+                goto out;
        }
        stream->incnt = incnt;
-        goto out;
-free:
-        sched->free(stream);
-        kfree(stream->out);
-        stream->out = NULL;
 out:
        return ret;
 }
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 1e5a22430cf5..47f82bd794d9 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -248,28 +248,37 @@ void sctp_transport_pmtu(struct sctp_transport *transport, struct sock *sk)
                transport->pathmtu = SCTP_DEFAULT_MAXSEGMENT;
 }
-void sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu)
+bool sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu)
 {
        struct dst_entry *dst = sctp_transport_dst_check(t);
+        bool change = true;
        if (unlikely(pmtu < SCTP_DEFAULT_MINSEGMENT)) {
-                pr_warn("%s: Reported pmtu %d too low, using default minimum of %d\n",
+                pr_warn_ratelimited("%s: Reported pmtu %d too low, using default minimum of %d\n",
-                        __func__, pmtu, SCTP_DEFAULT_MINSEGMENT);
+                                    __func__, pmtu, SCTP_DEFAULT_MINSEGMENT);
-                /* Use default minimum segment size and disable
+                /* Use default minimum segment instead */
-                 * pmtu discovery on this transport.
+                pmtu = SCTP_DEFAULT_MINSEGMENT;
-                 */
-                t->pathmtu = SCTP_DEFAULT_MINSEGMENT;
-        } else {
-                t->pathmtu = pmtu;
        }
+        pmtu = SCTP_TRUNC4(pmtu);
        if (dst) {
                dst->ops->update_pmtu(dst, t->asoc->base.sk, NULL, pmtu);
                dst = sctp_transport_dst_check(t);
        }
-        if (!dst)
+        if (!dst) {
                t->af_specific->get_dst(t, &t->saddr, &t->fl, t->asoc->base.sk);
+                dst = t->dst;
+        }
+        if (dst) {
+                /* Re-fetch, as under layers may have a higher minimum size */
+                pmtu = SCTP_TRUNC4(dst_mtu(dst));
+                change = t->pathmtu != pmtu;
+        }
+        t->pathmtu = pmtu;
+        return change;
 }
 /* Caches the dst entry and source address for a transport's destination
diff --git a/net/socket.c b/net/socket.c
index 05f361faec45..6f05d5c4bf30 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -436,8 +436,10 @@ static int sock_map_fd(struct socket *sock, int flags)
 {
        struct file *newfile;
        int fd = get_unused_fd_flags(flags);
-        if (unlikely(fd < 0))
+        if (unlikely(fd < 0)) {
+                sock_release(sock);
                return fd;
+        }
        newfile = sock_alloc_file(sock, flags, NULL);
        if (likely(!IS_ERR(newfile))) {
@@ -2619,6 +2621,15 @@ out_fs:
 core_initcall(sock_init);       /* early initcall */
+static int __init jit_init(void)
+{
+#ifdef CONFIG_BPF_JIT_ALWAYS_ON
+        bpf_jit_enable = 1;
+#endif
+        return 0;
+}
+pure_initcall(jit_init);
 #ifdef CONFIG_PROC_FS
 void socket_seq_show(struct seq_file *seq)
 {
diff --git a/net/tipc/group.c b/net/tipc/group.c
index 8e12ab55346b..5f4ffae807ee 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -109,7 +109,8 @@ static void tipc_group_proto_xmit(struct tipc_group *grp, struct tipc_member *m,
 static void tipc_group_decr_active(struct tipc_group *grp,
                                   struct tipc_member *m)
 {
-        if (m->state == MBR_ACTIVE || m->state == MBR_RECLAIMING)
+        if (m->state == MBR_ACTIVE || m->state == MBR_RECLAIMING ||
+            m->state == MBR_REMITTED)
                grp->active_cnt--;
 }
@@ -562,7 +563,7 @@ void tipc_group_update_rcv_win(struct tipc_group *grp, int blks, u32 node,
        int max_active = grp->max_active;
        int reclaim_limit = max_active * 3 / 4;
        int active_cnt = grp->active_cnt;
-        struct tipc_member *m, *rm;
+        struct tipc_member *m, *rm, *pm;
        m = tipc_group_find_member(grp, node, port);
        if (!m)
@@ -605,6 +606,17 @@ void tipc_group_update_rcv_win(struct tipc_group *grp, int blks, u32 node,
                        pr_warn_ratelimited("Rcv unexpected msg after REMIT\n");
                        tipc_group_proto_xmit(grp, m, GRP_ADV_MSG, xmitq);
                }
+                grp->active_cnt--;
+                list_del_init(&m->list);
+                if (list_empty(&grp->pending))
+                        return;
+                /* Set oldest pending member to active and advertise */
+                pm = list_first_entry(&grp->pending, struct tipc_member, list);
+                pm->state = MBR_ACTIVE;
+                list_move_tail(&pm->list, &grp->active);
+                grp->active_cnt++;
+                tipc_group_proto_xmit(grp, pm, GRP_ADV_MSG, xmitq);
                break;
        case MBR_RECLAIMING:
        case MBR_DISCOVERED:
@@ -742,14 +754,14 @@ void tipc_group_proto_rcv(struct tipc_group *grp, bool *usr_wakeup,
                if (!m || m->state != MBR_RECLAIMING)
                        return;
-                list_del_init(&m->list);
-                grp->active_cnt--;
                remitted = msg_grp_remitted(hdr);
                /* Messages preceding the REMIT still in receive queue */
                if (m->advertised > remitted) {
                        m->state = MBR_REMITTED;
                        in_flight = m->advertised - remitted;
+                        m->advertised = ADV_IDLE + in_flight;
+                        return;
                }
                /* All messages preceding the REMIT have been read */
                if (m->advertised <= remitted) {
@@ -761,6 +773,8 @@ void tipc_group_proto_rcv(struct tipc_group *grp, bool *usr_wakeup,
                        tipc_group_proto_xmit(grp, m, GRP_ADV_MSG, xmitq);
                m->advertised = ADV_IDLE + in_flight;
+                grp->active_cnt--;
+                list_del_init(&m->list);
                /* Set oldest pending member to active and advertise */
                if (list_empty(&grp->pending))
diff --git a/net/tipc/node.c b/net/tipc/node.c
index 507017fe0f1b..9036d8756e73 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1880,36 +1880,38 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
        if (strcmp(name, tipc_bclink_name) == 0) {
                err = tipc_nl_add_bc_link(net, &msg);
-                if (err) {
+                if (err)
-                        nlmsg_free(msg.skb);
+                        goto err_free;
-                        return err;
-                }
        } else {
                int bearer_id;
                struct tipc_node *node;
                struct tipc_link *link;
                node = tipc_node_find_by_name(net, name, &bearer_id);
-                if (!node)
+                if (!node) {
-                        return -EINVAL;
+                        err = -EINVAL;
+                        goto err_free;
+                }
                tipc_node_read_lock(node);
                link = node->links[bearer_id].link;
                if (!link) {
                        tipc_node_read_unlock(node);
-                        nlmsg_free(msg.skb);
+                        err = -EINVAL;
-                        return -EINVAL;
+                        goto err_free;
                }
                err = __tipc_nl_add_link(net, &msg, link, 0);
                tipc_node_read_unlock(node);
-                if (err) {
+                if (err)
-                        nlmsg_free(msg.skb);
+                        goto err_free;
-                        return err;
-                }
        }
        return genlmsg_reply(msg.skb, info);
+err_free:
+        nlmsg_free(msg.skb);
+        return err;
 }
 int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index e07ee3ae0023..736719c8314e 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -367,8 +367,10 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
        crypto_info = &ctx->crypto_send;
        /* Currently we don't support set crypto info more than one time */
-        if (TLS_CRYPTO_INFO_READY(crypto_info))
+        if (TLS_CRYPTO_INFO_READY(crypto_info)) {
+                rc = -EBUSY;
                goto out;
+        }
        rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
        if (rc) {
@@ -386,7 +388,7 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
        case TLS_CIPHER_AES_GCM_128: {
                if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
                        rc = -EINVAL;
-                        goto out;
+                        goto err_crypto_info;
                }
                rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
                                    optlen - sizeof(*crypto_info));
@@ -398,7 +400,7 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
        }
        default:
                rc = -EINVAL;
-                goto out;
+                goto err_crypto_info;
        }
        /* currently SW is default, we will have ethtool in future */
@@ -454,6 +456,15 @@ static int tls_init(struct sock *sk)
        struct tls_context *ctx;
        int rc = 0;
+        /* The TLS ulp is currently supported only for TCP sockets
+         * in ESTABLISHED state.
+         * Supporting sockets in LISTEN state will require us
+         * to modify the accept implementation to clone rather then
+         * share the ulp context.
+         */
+        if (sk->sk_state != TCP_ESTABLISHED)
+                return -ENOTSUPP;
        /* allocate tls context */
        ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
        if (!ctx) {
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 73d19210dd49..0a9b72fbd761 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -391,7 +391,7 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
        while (msg_data_left(msg)) {
                if (sk->sk_err) {
-                        ret = sk->sk_err;
+                        ret = -sk->sk_err;
                        goto send_end;
                }
@@ -544,7 +544,7 @@ int tls_sw_sendpage(struct sock *sk, struct page *page,
                size_t copy, required_size;
                if (sk->sk_err) {
-                        ret = sk->sk_err;
+                        ret = -sk->sk_err;
                        goto sendpage_end;
                }
@@ -577,6 +577,8 @@ alloc_payload:
                get_page(page);
                sg = ctx->sg_plaintext_data + ctx->sg_plaintext_num_elem;
                sg_set_page(sg, page, copy, offset);
+                sg_unmark_end(sg);
                ctx->sg_plaintext_num_elem++;
                sk_mem_charge(sk, copy);
@@ -681,18 +683,17 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
        }
        default:
                rc = -EINVAL;
-                goto out;
+                goto free_priv;
        }
        ctx->prepend_size = TLS_HEADER_SIZE + nonce_size;
        ctx->tag_size = tag_size;
        ctx->overhead_size = ctx->prepend_size + ctx->tag_size;
        ctx->iv_size = iv_size;
-        ctx->iv = kmalloc(iv_size + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
+        ctx->iv = kmalloc(iv_size + TLS_CIPHER_AES_GCM_128_SALT_SIZE, GFP_KERNEL);
-                          GFP_KERNEL);
        if (!ctx->iv) {
                rc = -ENOMEM;
-                goto out;
+                goto free_priv;
        }
        memcpy(ctx->iv, gcm_128_info->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);
        memcpy(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, iv, iv_size);
@@ -740,7 +741,7 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx)
        rc = crypto_aead_setauthsize(sw_ctx->aead_send, ctx->tag_size);
        if (!rc)
-                goto out;
+                return 0;
 free_aead:
        crypto_free_aead(sw_ctx->aead_send);
@@ -751,6 +752,9 @@ free_rec_seq:
 free_iv:
        kfree(ctx->iv);
        ctx->iv = NULL;
+free_priv:
+        kfree(ctx->priv_ctx);
+        ctx->priv_ctx = NULL;
 out:
        return rc;
 }
diff --git a/net/wireless/core.c b/net/wireless/core.c
index fdde0d98fde1..a6f3cac8c640 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -439,6 +439,8 @@ struct wiphy *wiphy_new_nm(const struct cfg80211_ops *ops, int sizeof_priv,
                if (rv)
                        goto use_default_name;
        } else {
+                int rv;
 use_default_name:
                /* NOTE:  This is *probably* safe w/out holding rtnl because of
                 * the restrictions on phy names.  Probably this call could
@@ -446,7 +448,11 @@ use_default_name:
                 * phyX.  But, might should add some locking and check return
                 * value, and use a different name if this one exists?
                 */
-                dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
+                rv = dev_set_name(&rdev->wiphy.dev, PHY_NAME "%d", rdev->wiphy_idx);
+                if (rv < 0) {
+                        kfree(rdev);
+                        return NULL;
+                }
        }
        INIT_LIST_HEAD(&rdev->wiphy.wdev_list);
diff --git a/net/wireless/core.h b/net/wireless/core.h
index d2f7e8b8a097..eaff636169c2 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -507,8 +507,6 @@ void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev,
 void cfg80211_stop_nan(struct cfg80211_registered_device *rdev,
                       struct wireless_dev *wdev);
-#define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10
 #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS
 #define CFG80211_DEV_WARN_ON(cond)      WARN_ON(cond)
 #else
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 213d0c498c97..542a4fc0a8d7 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2618,12 +2618,13 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
                const u8 *ssid_ie;
                if (!wdev->current_bss)
                        break;
+                rcu_read_lock();
                ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
                                               WLAN_EID_SSID);
-                if (!ssid_ie)
+                if (ssid_ie &&
-                        break;
+                    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
-                if (nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
+                        goto nla_put_failure_rcu_locked;
-                        goto nla_put_failure_locked;
+                rcu_read_unlock();
                break;
                }
        default:
@@ -2635,6 +2636,8 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
        genlmsg_end(msg, hdr);
        return 0;
+ nla_put_failure_rcu_locked:
+        rcu_read_unlock();
 nla_put_failure_locked:
        wdev_unlock(wdev);
 nla_put_failure:
@@ -9806,7 +9809,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
         */
        if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
            rdev->ops->get_station) {
-                struct station_info sinfo;
+                struct station_info sinfo = {};
                u8 *mac_addr;
                mac_addr = wdev->current_bss->pub.bssid;
@@ -11361,7 +11364,8 @@ static int nl80211_nan_add_func(struct sk_buff *skb,
                break;
        case NL80211_NAN_FUNC_FOLLOW_UP:
                if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
-                    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]) {
+                    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
+                    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
                        err = -EINVAL;
                        goto out;
                }
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 78e71b0390be..7b42f0bacfd8 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1769,8 +1769,7 @@ static void handle_reg_beacon(struct wiphy *wiphy, unsigned int chan_idx,
        if (wiphy->regulatory_flags & REGULATORY_DISABLE_BEACON_HINTS)
                return;
-        chan_before.center_freq = chan->center_freq;
+        chan_before = *chan;
-        chan_before.flags = chan->flags;
        if (chan->flags & IEEE80211_CHAN_NO_IR) {
                chan->flags &= ~IEEE80211_CHAN_NO_IR;
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index 7ca04a7de85a..05186a47878f 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -1254,8 +1254,7 @@ static int cfg80211_wext_giwrate(struct net_device *dev,
 {
        struct wireless_dev *wdev = dev->ieee80211_ptr;
        struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
-        /* we are under RTNL - globally locked - so can use a static struct */
+        struct station_info sinfo = {};
-        static struct station_info sinfo;
        u8 addr[ETH_ALEN];
        int err;
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 30e5746085b8..ac9477189d1c 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -102,6 +102,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
        err = dev->xfrmdev_ops->xdo_dev_state_add(x);
        if (err) {
+                xso->dev = NULL;
                dev_put(dev);
                return err;
        }
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 3f6f6f8c9fa5..5b2409746ae0 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -518,7 +518,7 @@ int xfrm_trans_queue(struct sk_buff *skb,
                return -ENOBUFS;
        XFRM_TRANS_SKB_CB(skb)->finish = finish;
-        skb_queue_tail(&trans->queue, skb);
+        __skb_queue_tail(&trans->queue, skb);
        tasklet_schedule(&trans->tasklet);
        return 0;
 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 70aa5cb0c659..bd6b0e7a0ee4 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -609,7 +609,8 @@ static void xfrm_hash_rebuild(struct work_struct *work)
        /* re-insert all policies by order of creation */
        list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
-                if (xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
+                if (policy->walk.dead ||
+                    xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
                        /* skip socket policies */
                        continue;
                }
@@ -974,8 +975,6 @@ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
        }
        if (!cnt)
                err = -ESRCH;
-        else
-                xfrm_policy_cache_flush();
 out:
        spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
        return err;
@@ -1743,6 +1742,8 @@ void xfrm_policy_cache_flush(void)
        bool found = 0;
        int cpu;
+        might_sleep();
        local_bh_disable();
        rcu_read_lock();
        for_each_possible_cpu(cpu) {
@@ -2062,8 +2063,11 @@ xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
        if (num_xfrms <= 0)
                goto make_dummy_bundle;
+        local_bh_disable();
        xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family,
-                                                  xflo->dst_orig);
+                                              xflo->dst_orig);
+        local_bh_enable();
        if (IS_ERR(xdst)) {
                err = PTR_ERR(xdst);
                if (err != -EAGAIN)
@@ -2150,9 +2154,12 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
                                goto no_transform;
                        }
+                        local_bh_disable();
                        xdst = xfrm_resolve_and_create_bundle(
                                        pols, num_pols, fl,
                                        family, dst_orig);
+                        local_bh_enable();
                        if (IS_ERR(xdst)) {
                                xfrm_pols_put(pols, num_pols);
                                err = PTR_ERR(xdst);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 500b3391f474..a3785f538018 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -313,13 +313,14 @@ retry:
        if ((type && !try_module_get(type->owner)))
                type = NULL;
+        rcu_read_unlock();
        if (!type && try_load) {
                request_module("xfrm-offload-%d-%d", family, proto);
-                try_load = 0;
+                try_load = false;
                goto retry;
        }
-        rcu_read_unlock();
        return type;
 }
@@ -1534,8 +1535,12 @@ out:
        err = -EINVAL;
        spin_lock_bh(&x1->lock);
        if (likely(x1->km.state == XFRM_STATE_VALID)) {
-                if (x->encap && x1->encap)
+                if (x->encap && x1->encap &&
+                    x->encap->encap_type == x1->encap->encap_type)
                        memcpy(x1->encap, x->encap, sizeof(*x1->encap));
+                else if (x->encap || x1->encap)
+                        goto fail;
                if (x->coaddr && x1->coaddr) {
                        memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
                }
@@ -1552,6 +1557,8 @@ out:
                x->km.state = XFRM_STATE_DEAD;
                __xfrm_state_put(x);
        }
+fail:
        spin_unlock_bh(&x1->lock);
        xfrm_state_put(x1);
@@ -2265,8 +2272,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
                        goto error;
        }
-        x->km.state = XFRM_STATE_VALID;
 error:
        return err;
 }
@@ -2275,7 +2280,13 @@ EXPORT_SYMBOL(__xfrm_init_state);
 int xfrm_init_state(struct xfrm_state *x)
 {
-        return __xfrm_init_state(x, true, false);
+        int err;
+        err = __xfrm_init_state(x, true, false);
+        if (!err)
+                x->km.state = XFRM_STATE_VALID;
+        return err;
 }
 EXPORT_SYMBOL(xfrm_init_state);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index bdb48e5dba04..7f52b8eb177d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -598,13 +598,6 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
                        goto error;
        }
-        if (attrs[XFRMA_OFFLOAD_DEV]) {
-                err = xfrm_dev_state_add(net, x,
-                                         nla_data(attrs[XFRMA_OFFLOAD_DEV]));
-                if (err)
-                        goto error;
-        }
        if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
                                               attrs[XFRMA_REPLAY_ESN_VAL])))
                goto error;
@@ -620,6 +613,14 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
        /* override default values from above */
        xfrm_update_ae_params(x, attrs, 0);
+        /* configure the hardware if offload is requested */
+        if (attrs[XFRMA_OFFLOAD_DEV]) {
+                err = xfrm_dev_state_add(net, x,
+                                         nla_data(attrs[XFRMA_OFFLOAD_DEV]));
+                if (err)
+                        goto error;
+        }
        return x;
 error:
@@ -662,6 +663,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
                goto out;
        }
+        if (x->km.state == XFRM_STATE_VOID)
+                x->km.state = XFRM_STATE_VALID;
        c.seq = nlh->nlmsg_seq;
        c.portid = nlh->nlmsg_pid;
        c.event = nlh->nlmsg_type;
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index cb8997ed0149..47cddf32aeba 100644
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -265,12 +265,18 @@ else
 objtool_args += $(call cc-ifversion, -lt, 0405, --no-unreachable)
 endif
+ifdef CONFIG_MODVERSIONS
+objtool_o = $(@D)/.tmp_$(@F)
+else
+objtool_o = $(@)
+endif
 # 'OBJECT_FILES_NON_STANDARD := y': skip objtool checking for a directory
 # 'OBJECT_FILES_NON_STANDARD_foo.o := 'y': skip objtool checking for a file
 # 'OBJECT_FILES_NON_STANDARD_foo.o := 'n': override directory skip for a file
 cmd_objtool = $(if $(patsubst y%,, \
        $(OBJECT_FILES_NON_STANDARD_$(basetarget).o)$(OBJECT_FILES_NON_STANDARD)n), \
-        $(__objtool_obj) $(objtool_args) "$(@)";)
+        $(__objtool_obj) $(objtool_args) "$(objtool_o)";)
 objtool_obj = $(if $(patsubst y%,, \
        $(OBJECT_FILES_NON_STANDARD_$(basetarget).o)$(OBJECT_FILES_NON_STANDARD)n), \
        $(__objtool_obj))
@@ -286,16 +292,16 @@ objtool_dep = $(objtool_obj)					\
 define rule_cc_o_c
        $(call echo-cmd,checksrc) $(cmd_checksrc)                         \
        $(call cmd_and_fixdep,cc_o_c)                                     \
-        $(cmd_modversions_c)                                              \
        $(cmd_checkdoc)                                                   \
        $(call echo-cmd,objtool) $(cmd_objtool)                           \
+        $(cmd_modversions_c)                                              \
        $(call echo-cmd,record_mcount) $(cmd_record_mcount)
 endef
 define rule_as_o_S
        $(call cmd_and_fixdep,as_o_S)                                     \
-        $(cmd_modversions_S)                                              \
+        $(call echo-cmd,objtool) $(cmd_objtool)                           \
-        $(call echo-cmd,objtool) $(cmd_objtool)
+        $(cmd_modversions_S)
 endef
 # List module undefined symbols (or empty line if not enabled)
diff --git a/scripts/decodecode b/scripts/decodecode
index 438120da1361..5ea071099330 100755
--- a/scripts/decodecode
+++ b/scripts/decodecode
@@ -59,6 +59,14 @@ disas() {
                ${CROSS_COMPILE}strip $1.o
        fi
+        if [ "$ARCH" = "arm64" ]; then
+                if [ $width -eq 4 ]; then
+                        type=inst
+                fi
+                ${CROSS_COMPILE}strip $1.o
+        fi
        ${CROSS_COMPILE}objdump $OBJDUMPFLAGS -S $1.o | \
                grep -v "/tmp\|Disassembly\|\.text\|^$" > $1.dis 2>&1
 }
diff --git a/scripts/gdb/linux/tasks.py b/scripts/gdb/linux/tasks.py
index 1bf949c43b76..f6ab3ccf698f 100644
--- a/scripts/gdb/linux/tasks.py
+++ b/scripts/gdb/linux/tasks.py
@@ -96,6 +96,8 @@ def get_thread_info(task):
        thread_info_addr = task.address + ia64_task_size
        thread_info = thread_info_addr.cast(thread_info_ptr_type)
    else:
+        if task.type.fields()[0].type == thread_info_type.get_type():
+            return task['thread_info']
        thread_info = task['stack'].cast(thread_info_ptr_type)
    return thread_info.dereference()
diff --git a/scripts/genksyms/.gitignore b/scripts/genksyms/.gitignore
index 86dc07a01b43..e7836b47f060 100644
--- a/scripts/genksyms/.gitignore
+++ b/scripts/genksyms/.gitignore
@@ -1,4 +1,3 @@
-*.hash.c
 *.lex.c
 *.tab.c
 *.tab.h
diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c
index cbf4996dd9c1..8cee597d33a5 100644
--- a/scripts/kconfig/expr.c
+++ b/scripts/kconfig/expr.c
@@ -893,7 +893,10 @@ static enum string_value_kind expr_parse_string(const char *str,
        switch (type) {
        case S_BOOLEAN:
        case S_TRISTATE:
-                return k_string;
+                val->s = !strcmp(str, "n") ? 0 :
+                         !strcmp(str, "m") ? 1 :
+                         !strcmp(str, "y") ? 2 : -1;
+                return k_signed;
        case S_INT:
                val->s = strtoll(str, &tail, 10);
                kind = k_signed;
diff --git a/security/Kconfig b/security/Kconfig
index 3d4debd0257e..b0cb9a5f9448 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -63,7 +63,7 @@ config PAGE_TABLE_ISOLATION
          ensuring that the majority of kernel addresses are not mapped
          into userspace.
-          See Documentation/x86/pagetable-isolation.txt for more details.
+          See Documentation/x86/pti.txt for more details.
 config SECURITY_INFINIBAND
        bool "Infiniband Security Hooks"
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 04ba9d0718ea..6a54d2ffa840 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char *name,
                        continue;
                if (profile->xmatch) {
-                        if (profile->xmatch_len == len) {
+                        if (profile->xmatch_len >= len) {
-                                conflict = true;
-                                continue;
-                        } else if (profile->xmatch_len > len) {
                                unsigned int state;
                                u32 perm;
@@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char *name,
                                perm = dfa_user_allow(profile->xmatch, state);
                                /* any accepting state means a valid match. */
                                if (perm & MAY_EXEC) {
+                                        if (profile->xmatch_len == len) {
+                                                conflict = true;
+                                                continue;
+                                        }
                                        candidate = profile;
                                        len = profile->xmatch_len;
                                        conflict = false;
diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
index 2b27bb79aec4..d7b7e7115160 100644
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -133,6 +133,9 @@ extern struct aa_perms allperms;
 #define xcheck_labels_profiles(L1, L2, FN, args...)             \
        xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args)
+#define xcheck_labels(L1, L2, P, FN1, FN2)                      \
+        xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
 void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
 void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index 7ca0032e7ba9..b40678f3c1d5 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -64,40 +64,48 @@ static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
                        FLAGS_NONE, GFP_ATOMIC);
 }
+/* assumes check for PROFILE_MEDIATES is already done */
 /* TODO: conditionals */
 static int profile_ptrace_perm(struct aa_profile *profile,
-                               struct aa_profile *peer, u32 request,
+                             struct aa_label *peer, u32 request,
-                               struct common_audit_data *sa)
+                             struct common_audit_data *sa)
 {
        struct aa_perms perms = { };
-        /* need because of peer in cross check */
+        aad(sa)->peer = peer;
-        if (profile_unconfined(profile) ||
+        aa_profile_match_label(profile, peer, AA_CLASS_PTRACE, request,
-            !PROFILE_MEDIATES(profile, AA_CLASS_PTRACE))
-                return 0;
-        aad(sa)->peer = &peer->label;
-        aa_profile_match_label(profile, &peer->label, AA_CLASS_PTRACE, request,
                               &perms);
        aa_apply_modes_to_perms(profile, &perms);
        return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
 }
-static int cross_ptrace_perm(struct aa_profile *tracer,
+static int profile_tracee_perm(struct aa_profile *tracee,
-                             struct aa_profile *tracee, u32 request,
+                               struct aa_label *tracer, u32 request,
-                             struct common_audit_data *sa)
+                               struct common_audit_data *sa)
 {
+        if (profile_unconfined(tracee) || unconfined(tracer) ||
+            !PROFILE_MEDIATES(tracee, AA_CLASS_PTRACE))
+                return 0;
+        return profile_ptrace_perm(tracee, tracer, request, sa);
+}
+static int profile_tracer_perm(struct aa_profile *tracer,
+                               struct aa_label *tracee, u32 request,
+                               struct common_audit_data *sa)
+{
+        if (profile_unconfined(tracer))
+                return 0;
        if (PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE))
-                return xcheck(profile_ptrace_perm(tracer, tracee, request, sa),
+                return profile_ptrace_perm(tracer, tracee, request, sa);
-                              profile_ptrace_perm(tracee, tracer,
-                                                  request << PTRACE_PERM_SHIFT,
+        /* profile uses the old style capability check for ptrace */
-                                                  sa));
+        if (&tracer->label == tracee)
-        /* policy uses the old style capability check for ptrace */
-        if (profile_unconfined(tracer) || tracer == tracee)
                return 0;
        aad(sa)->label = &tracer->label;
-        aad(sa)->peer = &tracee->label;
+        aad(sa)->peer = tracee;
        aad(sa)->request = 0;
        aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE, 1);
@@ -115,10 +123,13 @@ static int cross_ptrace_perm(struct aa_profile *tracer,
 int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
                  u32 request)
 {
+        struct aa_profile *profile;
+        u32 xrequest = request << PTRACE_PERM_SHIFT;
        DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
-        return xcheck_labels_profiles(tracer, tracee, cross_ptrace_perm,
+        return xcheck_labels(tracer, tracee, profile,
-                                      request, &sa);
+                        profile_tracer_perm(profile, tracee, request, &sa),
+                        profile_tracee_perm(profile, tracer, xrequest, &sa));
 }
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index ed9b4d0f9f7e..8c558cbce930 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -329,6 +329,9 @@ static int match_mnt_path_str(struct aa_profile *profile,
        AA_BUG(!mntpath);
        AA_BUG(!buffer);
+        if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+                return 0;
        error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
                             &mntpnt, &info, profile->disconnected);
        if (error)
@@ -380,6 +383,9 @@ static int match_mnt(struct aa_profile *profile, const struct path *path,
        AA_BUG(!profile);
        AA_BUG(devpath && !devbuffer);
+        if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+                return 0;
        if (devpath) {
                error = aa_path_name(devpath, path_flags(profile, devpath),
                                     devbuffer, &devname, &info,
@@ -558,6 +564,9 @@ static int profile_umount(struct aa_profile *profile, struct path *path,
        AA_BUG(!profile);
        AA_BUG(!path);
+        if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
+                return 0;
        error = aa_path_name(path, path_flags(profile, path), buffer, &name,
                             &info, profile->disconnected);
        if (error)
@@ -613,7 +622,8 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile,
        AA_BUG(!new_path);
        AA_BUG(!old_path);
-        if (profile_unconfined(profile))
+        if (profile_unconfined(profile) ||
+            !PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
                return aa_get_newest_label(&profile->label);
        error = aa_path_name(old_path, path_flags(profile, old_path),
diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
index e49f448ee04f..c2db7e905f7d 100644
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -455,7 +455,6 @@ static int snd_pcm_hw_param_near(struct snd_pcm_substream *pcm,
                v = snd_pcm_hw_param_last(pcm, params, var, dir);
        else
                v = snd_pcm_hw_param_first(pcm, params, var, dir);
-        snd_BUG_ON(v < 0);
        return v;
 }
@@ -1335,8 +1334,11 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
        if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
                return tmp;
-        mutex_lock(&runtime->oss.params_lock);
        while (bytes > 0) {
+                if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
+                        tmp = -ERESTARTSYS;
+                        break;
+                }
                if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
                        tmp = bytes;
                        if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes)
@@ -1380,14 +1382,18 @@ static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const cha
                        xfer += tmp;
                        if ((substream->f_flags & O_NONBLOCK) != 0 &&
                            tmp != runtime->oss.period_bytes)
-                                break;
+                                tmp = -EAGAIN;
                }
-        }
-        mutex_unlock(&runtime->oss.params_lock);
-        return xfer;
 err:
-        mutex_unlock(&runtime->oss.params_lock);
+                mutex_unlock(&runtime->oss.params_lock);
+                if (tmp < 0)
+                        break;
+                if (signal_pending(current)) {
+                        tmp = -ERESTARTSYS;
+                        break;
+                }
+                tmp = 0;
+        }
        return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
 }
@@ -1435,8 +1441,11 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
        if ((tmp = snd_pcm_oss_make_ready(substream)) < 0)
                return tmp;
-        mutex_lock(&runtime->oss.params_lock);
        while (bytes > 0) {
+                if (mutex_lock_interruptible(&runtime->oss.params_lock)) {
+                        tmp = -ERESTARTSYS;
+                        break;
+                }
                if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) {
                        if (runtime->oss.buffer_used == 0) {
                                tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1);
@@ -1467,12 +1476,16 @@ static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __use
                        bytes -= tmp;
                        xfer += tmp;
                }
-        }
-        mutex_unlock(&runtime->oss.params_lock);
-        return xfer;
 err:
-        mutex_unlock(&runtime->oss.params_lock);
+                mutex_unlock(&runtime->oss.params_lock);
+                if (tmp < 0)
+                        break;
+                if (signal_pending(current)) {
+                        tmp = -ERESTARTSYS;
+                        break;
+                }
+                tmp = 0;
+        }
        return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp;
 }
diff --git a/sound/core/oss/pcm_plugin.c b/sound/core/oss/pcm_plugin.c
index cadc93792868..85a56af104bd 100644
--- a/sound/core/oss/pcm_plugin.c
+++ b/sound/core/oss/pcm_plugin.c
@@ -592,18 +592,26 @@ snd_pcm_sframes_t snd_pcm_plug_write_transfer(struct snd_pcm_substream *plug, st
        snd_pcm_sframes_t frames = size;
        plugin = snd_pcm_plug_first(plug);
-        while (plugin && frames > 0) {
+        while (plugin) {
+                if (frames <= 0)
+                        return frames;
                if ((next = plugin->next) != NULL) {
                        snd_pcm_sframes_t frames1 = frames;
-                        if (plugin->dst_frames)
+                        if (plugin->dst_frames) {
                                frames1 = plugin->dst_frames(plugin, frames);
+                                if (frames1 <= 0)
+                                        return frames1;
+                        }
                        if ((err = next->client_channels(next, frames1, &dst_channels)) < 0) {
                                return err;
                        }
                        if (err != frames1) {
                                frames = err;
-                                if (plugin->src_frames)
+                                if (plugin->src_frames) {
                                        frames = plugin->src_frames(plugin, frames1);
+                                        if (frames <= 0)
+                                                return frames;
+                                }
                        }
                } else
                        dst_channels = NULL;
diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index 10e7ef7a8804..faa67861cbc1 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -560,7 +560,6 @@ static inline unsigned int muldiv32(unsigned int a, unsigned int b,
 {
        u_int64_t n = (u_int64_t) a * b;
        if (c == 0) {
-                snd_BUG_ON(!n);
                *r = 0;
                return UINT_MAX;
        }
@@ -1632,7 +1631,7 @@ int snd_pcm_hw_param_first(struct snd_pcm_substream *pcm,
                return changed;
        if (params->rmask) {
                int err = snd_pcm_hw_refine(pcm, params);
-                if (snd_BUG_ON(err < 0))
+                if (err < 0)
                        return err;
        }
        return snd_pcm_hw_param_value(params, var, dir);
@@ -1678,7 +1677,7 @@ int snd_pcm_hw_param_last(struct snd_pcm_substream *pcm,
                return changed;
        if (params->rmask) {
                int err = snd_pcm_hw_refine(pcm, params);
-                if (snd_BUG_ON(err < 0))
+                if (err < 0)
                        return err;
        }
        return snd_pcm_hw_param_value(params, var, dir);
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index a4d92e46c459..f08772568c17 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -2580,7 +2580,7 @@ static snd_pcm_sframes_t forward_appl_ptr(struct snd_pcm_substream *substream,
        return ret < 0 ? ret : frames;
 }
-/* decrease the appl_ptr; returns the processed frames or a negative error */
+/* decrease the appl_ptr; returns the processed frames or zero for error */
 static snd_pcm_sframes_t rewind_appl_ptr(struct snd_pcm_substream *substream,
                                         snd_pcm_uframes_t frames,
                                         snd_pcm_sframes_t avail)
@@ -2597,7 +2597,12 @@ static snd_pcm_sframes_t rewind_appl_ptr(struct snd_pcm_substream *substream,
        if (appl_ptr < 0)
                appl_ptr += runtime->boundary;
        ret = pcm_lib_apply_appl_ptr(substream, appl_ptr);
-        return ret < 0 ? ret : frames;
+        /* NOTE: we return zero for errors because PulseAudio gets depressed
+         * upon receiving an error from rewind ioctl and stops processing
+         * any longer.  Returning zero means that no rewind is done, so
+         * it's not absolutely wrong to answer like that.
+         */
+        return ret < 0 ? 0 : frames;
 }
 static snd_pcm_sframes_t snd_pcm_playback_rewind(struct snd_pcm_substream *substream,
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 6e22eea72654..d01913404581 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -221,6 +221,7 @@ static struct snd_seq_client *seq_create_client1(int client_index, int poolsize)
        rwlock_init(&client->ports_lock);
        mutex_init(&client->ports_mutex);
        INIT_LIST_HEAD(&client->ports_list_head);
+        mutex_init(&client->ioctl_mutex);
        /* find free slot in the client table */
        spin_lock_irqsave(&clients_lock, flags);
@@ -2130,7 +2131,9 @@ static long snd_seq_ioctl(struct file *file, unsigned int cmd,
                        return -EFAULT;
        }
+        mutex_lock(&client->ioctl_mutex);
        err = handler->func(client, &buf);
+        mutex_unlock(&client->ioctl_mutex);
        if (err >= 0) {
                /* Some commands includes a bug in 'dir' field. */
                if (handler->cmd == SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT ||
diff --git a/sound/core/seq/seq_clientmgr.h b/sound/core/seq/seq_clientmgr.h
index c6614254ef8a..0611e1e0ed5b 100644
--- a/sound/core/seq/seq_clientmgr.h
+++ b/sound/core/seq/seq_clientmgr.h
@@ -61,6 +61,7 @@ struct snd_seq_client {
        struct list_head ports_list_head;
        rwlock_t ports_lock;
        struct mutex ports_mutex;
+        struct mutex ioctl_mutex;
        int convert32;          /* convert 32->64bit */
        /* output pool */
diff --git a/sound/drivers/aloop.c b/sound/drivers/aloop.c
index afac886ffa28..0333143a1fa7 100644
--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -39,6 +39,7 @@
 #include <sound/core.h>
 #include <sound/control.h>
 #include <sound/pcm.h>
+#include <sound/pcm_params.h>
 #include <sound/info.h>
 #include <sound/initval.h>
@@ -305,19 +306,6 @@ static int loopback_trigger(struct snd_pcm_substream *substream, int cmd)
        return 0;
 }
-static void params_change_substream(struct loopback_pcm *dpcm,
-                                    struct snd_pcm_runtime *runtime)
-{
-        struct snd_pcm_runtime *dst_runtime;
-        if (dpcm == NULL || dpcm->substream == NULL)
-                return;
-        dst_runtime = dpcm->substream->runtime;
-        if (dst_runtime == NULL)
-                return;
-        dst_runtime->hw = dpcm->cable->hw;
-}
 static void params_change(struct snd_pcm_substream *substream)
 {
        struct snd_pcm_runtime *runtime = substream->runtime;
@@ -329,10 +317,6 @@ static void params_change(struct snd_pcm_substream *substream)
        cable->hw.rate_max = runtime->rate;
        cable->hw.channels_min = runtime->channels;
        cable->hw.channels_max = runtime->channels;
-        params_change_substream(cable->streams[SNDRV_PCM_STREAM_PLAYBACK],
-                                runtime);
-        params_change_substream(cable->streams[SNDRV_PCM_STREAM_CAPTURE],
-                                runtime);
 }
 static int loopback_prepare(struct snd_pcm_substream *substream)
@@ -620,26 +604,29 @@ static unsigned int get_cable_index(struct snd_pcm_substream *substream)
 static int rule_format(struct snd_pcm_hw_params *params,
                       struct snd_pcm_hw_rule *rule)
 {
+        struct loopback_pcm *dpcm = rule->private;
+        struct loopback_cable *cable = dpcm->cable;
+        struct snd_mask m;
-        struct snd_pcm_hardware *hw = rule->private;
+        snd_mask_none(&m);
-        struct snd_mask *maskp = hw_param_mask(params, rule->var);
+        mutex_lock(&dpcm->loopback->cable_lock);
+        m.bits[0] = (u_int32_t)cable->hw.formats;
-        maskp->bits[0] &= (u_int32_t)hw->formats;
+        m.bits[1] = (u_int32_t)(cable->hw.formats >> 32);
-        maskp->bits[1] &= (u_int32_t)(hw->formats >> 32);
+        mutex_unlock(&dpcm->loopback->cable_lock);
-        memset(maskp->bits + 2, 0, (SNDRV_MASK_MAX-64) / 8); /* clear rest */
+        return snd_mask_refine(hw_param_mask(params, rule->var), &m);
-        if (! maskp->bits[0] && ! maskp->bits[1])
-                return -EINVAL;
-        return 0;
 }
 static int rule_rate(struct snd_pcm_hw_params *params,
                     struct snd_pcm_hw_rule *rule)
 {
-        struct snd_pcm_hardware *hw = rule->private;
+        struct loopback_pcm *dpcm = rule->private;
+        struct loopback_cable *cable = dpcm->cable;
        struct snd_interval t;
-        t.min = hw->rate_min;
+        mutex_lock(&dpcm->loopback->cable_lock);
-        t.max = hw->rate_max;
+        t.min = cable->hw.rate_min;
+        t.max = cable->hw.rate_max;
+        mutex_unlock(&dpcm->loopback->cable_lock);
        t.openmin = t.openmax = 0;
        t.integer = 0;
        return snd_interval_refine(hw_param_interval(params, rule->var), &t);
@@ -648,22 +635,44 @@ static int rule_rate(struct snd_pcm_hw_params *params,
 static int rule_channels(struct snd_pcm_hw_params *params,
                         struct snd_pcm_hw_rule *rule)
 {
-        struct snd_pcm_hardware *hw = rule->private;
+        struct loopback_pcm *dpcm = rule->private;
+        struct loopback_cable *cable = dpcm->cable;
        struct snd_interval t;
-        t.min = hw->channels_min;
+        mutex_lock(&dpcm->loopback->cable_lock);
-        t.max = hw->channels_max;
+        t.min = cable->hw.channels_min;
+        t.max = cable->hw.channels_max;
+        mutex_unlock(&dpcm->loopback->cable_lock);
        t.openmin = t.openmax = 0;
        t.integer = 0;
        return snd_interval_refine(hw_param_interval(params, rule->var), &t);
 }
+static void free_cable(struct snd_pcm_substream *substream)
+{
+        struct loopback *loopback = substream->private_data;
+        int dev = get_cable_index(substream);
+        struct loopback_cable *cable;
+        cable = loopback->cables[substream->number][dev];
+        if (!cable)
+                return;
+        if (cable->streams[!substream->stream]) {
+                /* other stream is still alive */
+                cable->streams[substream->stream] = NULL;
+        } else {
+                /* free the cable */
+                loopback->cables[substream->number][dev] = NULL;
+                kfree(cable);
+        }
+}
 static int loopback_open(struct snd_pcm_substream *substream)
 {
        struct snd_pcm_runtime *runtime = substream->runtime;
        struct loopback *loopback = substream->private_data;
        struct loopback_pcm *dpcm;
-        struct loopback_cable *cable;
+        struct loopback_cable *cable = NULL;
        int err = 0;
        int dev = get_cable_index(substream);
@@ -681,7 +690,6 @@ static int loopback_open(struct snd_pcm_substream *substream)
        if (!cable) {
                cable = kzalloc(sizeof(*cable), GFP_KERNEL);
                if (!cable) {
-                        kfree(dpcm);
                        err = -ENOMEM;
                        goto unlock;
                }
@@ -699,19 +707,19 @@ static int loopback_open(struct snd_pcm_substream *substream)
        /* are cached -> they do not reflect the actual state */
        err = snd_pcm_hw_rule_add(runtime, 0,
                                  SNDRV_PCM_HW_PARAM_FORMAT,
-                                  rule_format, &runtime->hw,
+                                  rule_format, dpcm,
                                  SNDRV_PCM_HW_PARAM_FORMAT, -1);
        if (err < 0)
                goto unlock;
        err = snd_pcm_hw_rule_add(runtime, 0,
                                  SNDRV_PCM_HW_PARAM_RATE,
-                                  rule_rate, &runtime->hw,
+                                  rule_rate, dpcm,
                                  SNDRV_PCM_HW_PARAM_RATE, -1);
        if (err < 0)
                goto unlock;
        err = snd_pcm_hw_rule_add(runtime, 0,
                                  SNDRV_PCM_HW_PARAM_CHANNELS,
-                                  rule_channels, &runtime->hw,
+                                  rule_channels, dpcm,
                                  SNDRV_PCM_HW_PARAM_CHANNELS, -1);
        if (err < 0)
                goto unlock;
@@ -723,6 +731,10 @@ static int loopback_open(struct snd_pcm_substream *substream)
        else
                runtime->hw = cable->hw;
 unlock:
+        if (err < 0) {
+                free_cable(substream);
+                kfree(dpcm);
+        }
        mutex_unlock(&loopback->cable_lock);
        return err;
 }
@@ -731,20 +743,10 @@ static int loopback_close(struct snd_pcm_substream *substream)
 {
        struct loopback *loopback = substream->private_data;
        struct loopback_pcm *dpcm = substream->runtime->private_data;
-        struct loopback_cable *cable;
-        int dev = get_cable_index(substream);
        loopback_timer_stop(dpcm);
        mutex_lock(&loopback->cable_lock);
-        cable = loopback->cables[substream->number][dev];
+        free_cable(substream);
-        if (cable->streams[!substream->stream]) {
-                /* other stream is still alive */
-                cable->streams[substream->stream] = NULL;
-        } else {
-                /* free the cable */
-                loopback->cables[substream->number][dev] = NULL;
-                kfree(cable);
-        }
        mutex_unlock(&loopback->cable_lock);
        return 0;
 }
diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c
index 80bbadc83721..d6e079f4ec09 100644
--- a/sound/pci/hda/patch_cirrus.c
+++ b/sound/pci/hda/patch_cirrus.c
@@ -408,6 +408,7 @@ static const struct snd_pci_quirk cs420x_fixup_tbl[] = {
        /*SND_PCI_QUIRK(0x8086, 0x7270, "IMac 27 Inch", CS420X_IMAC27),*/
        /* codec SSID */
+        SND_PCI_QUIRK(0x106b, 0x0600, "iMac 14,1", CS420X_IMAC27_122),
        SND_PCI_QUIRK(0x106b, 0x1c00, "MacBookPro 8,1", CS420X_MBP81),
        SND_PCI_QUIRK(0x106b, 0x2000, "iMac 12,2", CS420X_IMAC27_122),
        SND_PCI_QUIRK(0x106b, 0x2800, "MacBookPro 10,1", CS420X_MBP101),
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 8fd2d9c62c96..9aafc6c86132 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6196,6 +6196,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
        SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
        SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
        SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
+        SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
        SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
        SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
        SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
diff --git a/tools/objtool/Makefile b/tools/objtool/Makefile
index ae0272f9a091..e6acc281dd37 100644
--- a/tools/objtool/Makefile
+++ b/tools/objtool/Makefile
@@ -46,7 +46,7 @@ $(OBJTOOL_IN): fixdep FORCE
        @$(MAKE) $(build)=objtool
 $(OBJTOOL): $(LIBSUBCMD) $(OBJTOOL_IN)
-        @./sync-check.sh
+        @$(CONFIG_SHELL) ./sync-check.sh
        $(QUIET_LINK)$(CC) $(OBJTOOL_IN) $(LDFLAGS) -o $@
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 9b341584eb1b..f40d46e24bcc 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -428,6 +428,40 @@ static void add_ignores(struct objtool_file *file)
 }
 /*
+ * FIXME: For now, just ignore any alternatives which add retpolines.  This is
+ * a temporary hack, as it doesn't allow ORC to unwind from inside a retpoline.
+ * But it at least allows objtool to understand the control flow *around* the
+ * retpoline.
+ */
+static int add_nospec_ignores(struct objtool_file *file)
+{
+        struct section *sec;
+        struct rela *rela;
+        struct instruction *insn;
+        sec = find_section_by_name(file->elf, ".rela.discard.nospec");
+        if (!sec)
+                return 0;
+        list_for_each_entry(rela, &sec->rela_list, list) {
+                if (rela->sym->type != STT_SECTION) {
+                        WARN("unexpected relocation symbol type in %s", sec->name);
+                        return -1;
+                }
+                insn = find_insn(file, rela->sym->sec, rela->addend);
+                if (!insn) {
+                        WARN("bad .discard.nospec entry");
+                        return -1;
+                }
+                insn->ignore_alts = true;
+        }
+        return 0;
+}
+/*
 * Find the destination instructions for all jumps.
 */
 static int add_jump_destinations(struct objtool_file *file)
@@ -456,6 +490,13 @@ static int add_jump_destinations(struct objtool_file *file)
                } else if (rela->sym->sec->idx) {
                        dest_sec = rela->sym->sec;
                        dest_off = rela->sym->sym.st_value + rela->addend + 4;
+                } else if (strstr(rela->sym->name, "_indirect_thunk_")) {
+                        /*
+                         * Retpoline jumps are really dynamic jumps in
+                         * disguise, so convert them accordingly.
+                         */
+                        insn->type = INSN_JUMP_DYNAMIC;
+                        continue;
                } else {
                        /* sibling call */
                        insn->jump_dest = 0;
@@ -502,11 +543,18 @@ static int add_call_destinations(struct objtool_file *file)
                        dest_off = insn->offset + insn->len + insn->immediate;
                        insn->call_dest = find_symbol_by_offset(insn->sec,
                                                                dest_off);
+                        /*
+                         * FIXME: Thanks to retpolines, it's now considered
+                         * normal for a function to call within itself.  So
+                         * disable this warning for now.
+                         */
+#if 0
                        if (!insn->call_dest) {
                                WARN_FUNC("can't find call dest symbol at offset 0x%lx",
                                          insn->sec, insn->offset, dest_off);
                                return -1;
                        }
+#endif
                } else if (rela->sym->type == STT_SECTION) {
                        insn->call_dest = find_symbol_by_offset(rela->sym->sec,
                                                                rela->addend+4);
@@ -671,12 +719,6 @@ static int add_special_section_alts(struct objtool_file *file)
                return ret;
        list_for_each_entry_safe(special_alt, tmp, &special_alts, list) {
-                alt = malloc(sizeof(*alt));
-                if (!alt) {
-                        WARN("malloc failed");
-                        ret = -1;
-                        goto out;
-                }
                orig_insn = find_insn(file, special_alt->orig_sec,
                                      special_alt->orig_off);
@@ -687,6 +729,10 @@ static int add_special_section_alts(struct objtool_file *file)
                        goto out;
                }
+                /* Ignore retpoline alternatives. */
+                if (orig_insn->ignore_alts)
+                        continue;
                new_insn = NULL;
                if (!special_alt->group || special_alt->new_len) {
                        new_insn = find_insn(file, special_alt->new_sec,
@@ -712,6 +758,13 @@ static int add_special_section_alts(struct objtool_file *file)
                                goto out;
                }
+                alt = malloc(sizeof(*alt));
+                if (!alt) {
+                        WARN("malloc failed");
+                        ret = -1;
+                        goto out;
+                }
                alt->insn = new_insn;
                list_add_tail(&alt->list, &orig_insn->alts);
@@ -1028,6 +1081,10 @@ static int decode_sections(struct objtool_file *file)
        add_ignores(file);
+        ret = add_nospec_ignores(file);
+        if (ret)
+                return ret;
        ret = add_jump_destinations(file);
        if (ret)
                return ret;
diff --git a/tools/objtool/check.h b/tools/objtool/check.h
index 47d9ea70a83d..dbadb304a410 100644
--- a/tools/objtool/check.h
+++ b/tools/objtool/check.h
@@ -44,7 +44,7 @@ struct instruction {
        unsigned int len;
        unsigned char type;
        unsigned long immediate;
-        bool alt_group, visited, dead_end, ignore, hint, save, restore;
+        bool alt_group, visited, dead_end, ignore, hint, save, restore, ignore_alts;
        struct symbol *call_dest;
        struct instruction *jump_dest;
        struct list_head alts;
diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
index 24460155c82c..c1c338661699 100644
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -26,6 +26,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <errno.h>
 #include "elf.h"
 #include "warn.h"
@@ -358,7 +359,8 @@ struct elf *elf_open(const char *name, int flags)
        elf->fd = open(name, flags);
        if (elf->fd == -1) {
-                perror("open");
+                fprintf(stderr, "objtool: Can't open '%s': %s\n",
+                        name, strerror(errno));
                goto err;
        }
diff --git a/tools/testing/selftests/bpf/test_align.c b/tools/testing/selftests/bpf/test_align.c
index 8591c89c0828..471bbbdb94db 100644
--- a/tools/testing/selftests/bpf/test_align.c
+++ b/tools/testing/selftests/bpf/test_align.c
@@ -474,27 +474,7 @@ static struct bpf_align_test tests[] = {
                .result = REJECT,
                .matches = {
                        {4, "R5=pkt(id=0,off=0,r=0,imm=0)"},
-                        /* ptr & 0x40 == either 0 or 0x40 */
+                        /* R5 bitwise operator &= on pointer prohibited */
-                        {5, "R5=inv(id=0,umax_value=64,var_off=(0x0; 0x40))"},
-                        /* ptr << 2 == unknown, (4n) */
-                        {7, "R5=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"},
-                        /* (4n) + 14 == (4n+2).  We blow our bounds, because
-                         * the add could overflow.
-                         */
-                        {8, "R5=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"},
-                        /* Checked s>=0 */
-                        {10, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
-                        /* packet pointer + nonnegative (4n+2) */
-                        {12, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
-                        {14, "R4=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
-                        /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine.
-                         * We checked the bounds, but it might have been able
-                         * to overflow if the packet pointer started in the
-                         * upper half of the address space.
-                         * So we did not get a 'range' on R6, and the access
-                         * attempt will fail.
-                         */
-                        {16, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
                }
        },
        {
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index b51017404c62..5ed4175c4ff8 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -273,6 +273,46 @@ static struct bpf_test tests[] = {
                .result = REJECT,
        },
        {
+                "arsh32 on imm",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "BPF_ARSH not supported for 32 bit ALU",
+        },
+        {
+                "arsh32 on reg",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_MOV64_IMM(BPF_REG_1, 5),
+                        BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "BPF_ARSH not supported for 32 bit ALU",
+        },
+        {
+                "arsh64 on imm",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+        },
+        {
+                "arsh64 on reg",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_MOV64_IMM(BPF_REG_1, 5),
+                        BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+        },
+        {
                "no bpf_exit",
                .insns = {
                        BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
@@ -2553,6 +2593,29 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
        {
+                "context stores via ST",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "BPF_ST stores into R1 context is not allowed",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "context stores via XADD",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
+                                     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "BPF_XADD stores into R1 context is not allowed",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
                "direct packet access: test1",
                .insns = {
                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
@@ -4272,7 +4335,8 @@ static struct bpf_test tests[] = {
                .fixup_map1 = { 2 },
                .errstr_unpriv = "R2 leaks addr into mem",
                .result_unpriv = REJECT,
-                .result = ACCEPT,
+                .result = REJECT,
+                .errstr = "BPF_XADD stores into R1 context is not allowed",
        },
        {
                "leak pointer into ctx 2",
@@ -4286,7 +4350,8 @@ static struct bpf_test tests[] = {
                },
                .errstr_unpriv = "R10 leaks addr into mem",
                .result_unpriv = REJECT,
-                .result = ACCEPT,
+                .result = REJECT,
+                .errstr = "BPF_XADD stores into R1 context is not allowed",
        },
        {
                "leak pointer into ctx 3",
@@ -6667,7 +6732,7 @@ static struct bpf_test tests[] = {
                        BPF_JMP_IMM(BPF_JA, 0, 0, -7),
                },
                .fixup_map1 = { 4 },
-                .errstr = "unbounded min value",
+                .errstr = "R0 invalid mem access 'inv'",
                .result = REJECT,
        },
        {
@@ -8569,6 +8634,127 @@ static struct bpf_test tests[] = {
                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
        },
        {
+                "check deducing bounds from const, 1",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "R0 tried to subtract pointer from scalar",
+        },
+        {
+                "check deducing bounds from const, 2",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+        },
+        {
+                "check deducing bounds from const, 3",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "R0 tried to subtract pointer from scalar",
+        },
+        {
+                "check deducing bounds from const, 4",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+        },
+        {
+                "check deducing bounds from const, 5",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "R0 tried to subtract pointer from scalar",
+        },
+        {
+                "check deducing bounds from const, 6",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "R0 tried to subtract pointer from scalar",
+        },
+        {
+                "check deducing bounds from const, 7",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, ~0),
+                        BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "dereference of modified ctx ptr",
+        },
+        {
+                "check deducing bounds from const, 8",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, ~0),
+                        BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "dereference of modified ctx ptr",
+        },
+        {
+                "check deducing bounds from const, 9",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "R0 tried to subtract pointer from scalar",
+        },
+        {
+                "check deducing bounds from const, 10",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
+                        /* Marks reg as unknown. */
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
+        },
+        {
                "bpf_exit with invalid return code. test1",
                .insns = {
                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
diff --git a/tools/testing/selftests/x86/Makefile b/tools/testing/selftests/x86/Makefile
index 939a337128db..5d4f10ac2af2 100644
--- a/tools/testing/selftests/x86/Makefile
+++ b/tools/testing/selftests/x86/Makefile
@@ -7,7 +7,7 @@ include ../lib.mk
 TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt ptrace_syscall test_mremap_vdso \
                        check_initial_reg_state sigreturn ldt_gdt iopl mpx-mini-test ioperm \
-                        protection_keys test_vdso
+                        protection_keys test_vdso test_vsyscall
 TARGETS_C_32BIT_ONLY := entry_from_vm86 syscall_arg_fault test_syscall_vdso unwind_vdso \
                        test_FCMOV test_FCOMI test_FISTTP \
                        vdso_restorer
diff --git a/tools/testing/selftests/x86/test_vsyscall.c b/tools/testing/selftests/x86/test_vsyscall.c
new file mode 100644
index 000000000000..7a744fa7b786
--- /dev/null
+++ b/tools/testing/selftests/x86/test_vsyscall.c
@@ -0,0 +1,500 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <sys/time.h>
+#include <time.h>
+#include <stdlib.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <dlfcn.h>
+#include <string.h>
+#include <inttypes.h>
+#include <signal.h>
+#include <sys/ucontext.h>
+#include <errno.h>
+#include <err.h>
+#include <sched.h>
+#include <stdbool.h>
+#include <setjmp.h>
+#ifdef __x86_64__
+# define VSYS(x) (x)
+#else
+# define VSYS(x) 0
+#endif
+#ifndef SYS_getcpu
+# ifdef __x86_64__
+#  define SYS_getcpu 309
+# else
+#  define SYS_getcpu 318
+# endif
+#endif
+static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
+                       int flags)
+{
+        struct sigaction sa;
+        memset(&sa, 0, sizeof(sa));
+        sa.sa_sigaction = handler;
+        sa.sa_flags = SA_SIGINFO | flags;
+        sigemptyset(&sa.sa_mask);
+        if (sigaction(sig, &sa, 0))
+                err(1, "sigaction");
+}
+/* vsyscalls and vDSO */
+bool should_read_vsyscall = false;
+typedef long (*gtod_t)(struct timeval *tv, struct timezone *tz);
+gtod_t vgtod = (gtod_t)VSYS(0xffffffffff600000);
+gtod_t vdso_gtod;
+typedef int (*vgettime_t)(clockid_t, struct timespec *);
+vgettime_t vdso_gettime;
+typedef long (*time_func_t)(time_t *t);
+time_func_t vtime = (time_func_t)VSYS(0xffffffffff600400);
+time_func_t vdso_time;
+typedef long (*getcpu_t)(unsigned *, unsigned *, void *);
+getcpu_t vgetcpu = (getcpu_t)VSYS(0xffffffffff600800);
+getcpu_t vdso_getcpu;
+static void init_vdso(void)
+{
+        void *vdso = dlopen("linux-vdso.so.1", RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
+        if (!vdso)
+                vdso = dlopen("linux-gate.so.1", RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
+        if (!vdso) {
+                printf("[WARN]\tfailed to find vDSO\n");
+                return;
+        }
+        vdso_gtod = (gtod_t)dlsym(vdso, "__vdso_gettimeofday");
+        if (!vdso_gtod)
+                printf("[WARN]\tfailed to find gettimeofday in vDSO\n");
+        vdso_gettime = (vgettime_t)dlsym(vdso, "__vdso_clock_gettime");
+        if (!vdso_gettime)
+                printf("[WARN]\tfailed to find clock_gettime in vDSO\n");
+        vdso_time = (time_func_t)dlsym(vdso, "__vdso_time");
+        if (!vdso_time)
+                printf("[WARN]\tfailed to find time in vDSO\n");
+        vdso_getcpu = (getcpu_t)dlsym(vdso, "__vdso_getcpu");
+        if (!vdso_getcpu) {
+                /* getcpu() was never wired up in the 32-bit vDSO. */
+                printf("[%s]\tfailed to find getcpu in vDSO\n",
+                       sizeof(long) == 8 ? "WARN" : "NOTE");
+        }
+}
+static int init_vsys(void)
+{
+#ifdef __x86_64__
+        int nerrs = 0;
+        FILE *maps;
+        char line[128];
+        bool found = false;
+        maps = fopen("/proc/self/maps", "r");
+        if (!maps) {
+                printf("[WARN]\tCould not open /proc/self/maps -- assuming vsyscall is r-x\n");
+                should_read_vsyscall = true;
+                return 0;
+        }
+        while (fgets(line, sizeof(line), maps)) {
+                char r, x;
+                void *start, *end;
+                char name[128];
+                if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s",
+                           &start, &end, &r, &x, name) != 5)
+                        continue;
+                if (strcmp(name, "[vsyscall]"))
+                        continue;
+                printf("\tvsyscall map: %s", line);
+                if (start != (void *)0xffffffffff600000 ||
+                    end != (void *)0xffffffffff601000) {
+                        printf("[FAIL]\taddress range is nonsense\n");
+                        nerrs++;
+                }
+                printf("\tvsyscall permissions are %c-%c\n", r, x);
+                should_read_vsyscall = (r == 'r');
+                if (x != 'x') {
+                        vgtod = NULL;
+                        vtime = NULL;
+                        vgetcpu = NULL;
+                }
+                found = true;
+                break;
+        }
+        fclose(maps);
+        if (!found) {
+                printf("\tno vsyscall map in /proc/self/maps\n");
+                should_read_vsyscall = false;
+                vgtod = NULL;
+                vtime = NULL;
+                vgetcpu = NULL;
+        }
+        return nerrs;
+#else
+        return 0;
+#endif
+}
+/* syscalls */
+static inline long sys_gtod(struct timeval *tv, struct timezone *tz)
+{
+        return syscall(SYS_gettimeofday, tv, tz);
+}
+static inline int sys_clock_gettime(clockid_t id, struct timespec *ts)
+{
+        return syscall(SYS_clock_gettime, id, ts);
+}
+static inline long sys_time(time_t *t)
+{
+        return syscall(SYS_time, t);
+}
+static inline long sys_getcpu(unsigned * cpu, unsigned * node,
+                              void* cache)
+{
+        return syscall(SYS_getcpu, cpu, node, cache);
+}
+static jmp_buf jmpbuf;
+static void sigsegv(int sig, siginfo_t *info, void *ctx_void)
+{
+        siglongjmp(jmpbuf, 1);
+}
+static double tv_diff(const struct timeval *a, const struct timeval *b)
+{
+        return (double)(a->tv_sec - b->tv_sec) +
+                (double)((int)a->tv_usec - (int)b->tv_usec) * 1e-6;
+}
+static int check_gtod(const struct timeval *tv_sys1,
+                      const struct timeval *tv_sys2,
+                      const struct timezone *tz_sys,
+                      const char *which,
+                      const struct timeval *tv_other,
+                      const struct timezone *tz_other)
+{
+        int nerrs = 0;
+        double d1, d2;
+        if (tz_other && (tz_sys->tz_minuteswest != tz_other->tz_minuteswest || tz_sys->tz_dsttime != tz_other->tz_dsttime)) {
+                printf("[FAIL] %s tz mismatch\n", which);
+                nerrs++;
+        }
+        d1 = tv_diff(tv_other, tv_sys1);
+        d2 = tv_diff(tv_sys2, tv_other); 
+        printf("\t%s time offsets: %lf %lf\n", which, d1, d2);
+        if (d1 < 0 || d2 < 0) {
+                printf("[FAIL]\t%s time was inconsistent with the syscall\n", which);
+                nerrs++;
+        } else {
+                printf("[OK]\t%s gettimeofday()'s timeval was okay\n", which);
+        }
+        return nerrs;
+}
+static int test_gtod(void)
+{
+        struct timeval tv_sys1, tv_sys2, tv_vdso, tv_vsys;
+        struct timezone tz_sys, tz_vdso, tz_vsys;
+        long ret_vdso = -1;
+        long ret_vsys = -1;
+        int nerrs = 0;
+        printf("[RUN]\ttest gettimeofday()\n");
+        if (sys_gtod(&tv_sys1, &tz_sys) != 0)
+                err(1, "syscall gettimeofday");
+        if (vdso_gtod)
+                ret_vdso = vdso_gtod(&tv_vdso, &tz_vdso);
+        if (vgtod)
+                ret_vsys = vgtod(&tv_vsys, &tz_vsys);
+        if (sys_gtod(&tv_sys2, &tz_sys) != 0)
+                err(1, "syscall gettimeofday");
+        if (vdso_gtod) {
+                if (ret_vdso == 0) {
+                        nerrs += check_gtod(&tv_sys1, &tv_sys2, &tz_sys, "vDSO", &tv_vdso, &tz_vdso);
+                } else {
+                        printf("[FAIL]\tvDSO gettimeofday() failed: %ld\n", ret_vdso);
+                        nerrs++;
+                }
+        }
+        if (vgtod) {
+                if (ret_vsys == 0) {
+                        nerrs += check_gtod(&tv_sys1, &tv_sys2, &tz_sys, "vsyscall", &tv_vsys, &tz_vsys);
+                } else {
+                        printf("[FAIL]\tvsys gettimeofday() failed: %ld\n", ret_vsys);
+                        nerrs++;
+                }
+        }
+        return nerrs;
+}
+static int test_time(void) {
+        int nerrs = 0;
+        printf("[RUN]\ttest time()\n");
+        long t_sys1, t_sys2, t_vdso = 0, t_vsys = 0;
+        long t2_sys1 = -1, t2_sys2 = -1, t2_vdso = -1, t2_vsys = -1;
+        t_sys1 = sys_time(&t2_sys1);
+        if (vdso_time)
+                t_vdso = vdso_time(&t2_vdso);
+        if (vtime)
+                t_vsys = vtime(&t2_vsys);
+        t_sys2 = sys_time(&t2_sys2);
+        if (t_sys1 < 0 || t_sys1 != t2_sys1 || t_sys2 < 0 || t_sys2 != t2_sys2) {
+                printf("[FAIL]\tsyscall failed (ret1:%ld output1:%ld ret2:%ld output2:%ld)\n", t_sys1, t2_sys1, t_sys2, t2_sys2);
+                nerrs++;
+                return nerrs;
+        }
+        if (vdso_time) {
+                if (t_vdso < 0 || t_vdso != t2_vdso) {
+                        printf("[FAIL]\tvDSO failed (ret:%ld output:%ld)\n", t_vdso, t2_vdso);
+                        nerrs++;
+                } else if (t_vdso < t_sys1 || t_vdso > t_sys2) {
+                        printf("[FAIL]\tvDSO returned the wrong time (%ld %ld %ld)\n", t_sys1, t_vdso, t_sys2);
+                        nerrs++;
+                } else {
+                        printf("[OK]\tvDSO time() is okay\n");
+                }
+        }
+        if (vtime) {
+                if (t_vsys < 0 || t_vsys != t2_vsys) {
+                        printf("[FAIL]\tvsyscall failed (ret:%ld output:%ld)\n", t_vsys, t2_vsys);
+                        nerrs++;
+                } else if (t_vsys < t_sys1 || t_vsys > t_sys2) {
+                        printf("[FAIL]\tvsyscall returned the wrong time (%ld %ld %ld)\n", t_sys1, t_vsys, t_sys2);
+                        nerrs++;
+                } else {
+                        printf("[OK]\tvsyscall time() is okay\n");
+                }
+        }
+        return nerrs;
+}
+static int test_getcpu(int cpu)
+{
+        int nerrs = 0;
+        long ret_sys, ret_vdso = -1, ret_vsys = -1;
+        printf("[RUN]\tgetcpu() on CPU %d\n", cpu);
+        cpu_set_t cpuset;
+        CPU_ZERO(&cpuset);
+        CPU_SET(cpu, &cpuset);
+        if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0) {
+                printf("[SKIP]\tfailed to force CPU %d\n", cpu);
+                return nerrs;
+        }
+        unsigned cpu_sys, cpu_vdso, cpu_vsys, node_sys, node_vdso, node_vsys;
+        unsigned node = 0;
+        bool have_node = false;
+        ret_sys = sys_getcpu(&cpu_sys, &node_sys, 0);
+        if (vdso_getcpu)
+                ret_vdso = vdso_getcpu(&cpu_vdso, &node_vdso, 0);
+        if (vgetcpu)
+                ret_vsys = vgetcpu(&cpu_vsys, &node_vsys, 0);
+        if (ret_sys == 0) {
+                if (cpu_sys != cpu) {
+                        printf("[FAIL]\tsyscall reported CPU %hu but should be %d\n", cpu_sys, cpu);
+                        nerrs++;
+                }
+                have_node = true;
+                node = node_sys;
+        }
+        if (vdso_getcpu) {
+                if (ret_vdso) {
+                        printf("[FAIL]\tvDSO getcpu() failed\n");
+                        nerrs++;
+                } else {
+                        if (!have_node) {
+                                have_node = true;
+                                node = node_vdso;
+                        }
+                        if (cpu_vdso != cpu) {
+                                printf("[FAIL]\tvDSO reported CPU %hu but should be %d\n", cpu_vdso, cpu);
+                                nerrs++;
+                        } else {
+                                printf("[OK]\tvDSO reported correct CPU\n");
+                        }
+                        if (node_vdso != node) {
+                                printf("[FAIL]\tvDSO reported node %hu but should be %hu\n", node_vdso, node);
+                                nerrs++;
+                        } else {
+                                printf("[OK]\tvDSO reported correct node\n");
+                        }
+                }
+        }
+        if (vgetcpu) {
+                if (ret_vsys) {
+                        printf("[FAIL]\tvsyscall getcpu() failed\n");
+                        nerrs++;
+                } else {
+                        if (!have_node) {
+                                have_node = true;
+                                node = node_vsys;
+                        }
+                        if (cpu_vsys != cpu) {
+                                printf("[FAIL]\tvsyscall reported CPU %hu but should be %d\n", cpu_vsys, cpu);
+                                nerrs++;
+                        } else {
+                                printf("[OK]\tvsyscall reported correct CPU\n");
+                        }
+                        if (node_vsys != node) {
+                                printf("[FAIL]\tvsyscall reported node %hu but should be %hu\n", node_vsys, node);
+                                nerrs++;
+                        } else {
+                                printf("[OK]\tvsyscall reported correct node\n");
+                        }
+                }
+        }
+        return nerrs;
+}
+static int test_vsys_r(void)
+{
+#ifdef __x86_64__
+        printf("[RUN]\tChecking read access to the vsyscall page\n");
+        bool can_read;
+        if (sigsetjmp(jmpbuf, 1) == 0) {
+                *(volatile int *)0xffffffffff600000;
+                can_read = true;
+        } else {
+                can_read = false;
+        }
+        if (can_read && !should_read_vsyscall) {
+                printf("[FAIL]\tWe have read access, but we shouldn't\n");
+                return 1;
+        } else if (!can_read && should_read_vsyscall) {
+                printf("[FAIL]\tWe don't have read access, but we should\n");
+                return 1;
+        } else {
+                printf("[OK]\tgot expected result\n");
+        }
+#endif
+        return 0;
+}
+#ifdef __x86_64__
+#define X86_EFLAGS_TF (1UL << 8)
+static volatile sig_atomic_t num_vsyscall_traps;
+static unsigned long get_eflags(void)
+{
+        unsigned long eflags;
+        asm volatile ("pushfq\n\tpopq %0" : "=rm" (eflags));
+        return eflags;
+}
+static void set_eflags(unsigned long eflags)
+{
+        asm volatile ("pushq %0\n\tpopfq" : : "rm" (eflags) : "flags");
+}
+static void sigtrap(int sig, siginfo_t *info, void *ctx_void)
+{
+        ucontext_t *ctx = (ucontext_t *)ctx_void;
+        unsigned long ip = ctx->uc_mcontext.gregs[REG_RIP];
+        if (((ip ^ 0xffffffffff600000UL) & ~0xfffUL) == 0)
+                num_vsyscall_traps++;
+}
+static int test_native_vsyscall(void)
+{
+        time_t tmp;
+        bool is_native;
+        if (!vtime)
+                return 0;
+        printf("[RUN]\tchecking for native vsyscall\n");
+        sethandler(SIGTRAP, sigtrap, 0);
+        set_eflags(get_eflags() | X86_EFLAGS_TF);
+        vtime(&tmp);
+        set_eflags(get_eflags() & ~X86_EFLAGS_TF);
+        /*
+         * If vsyscalls are emulated, we expect a single trap in the
+         * vsyscall page -- the call instruction will trap with RIP
+         * pointing to the entry point before emulation takes over.
+         * In native mode, we expect two traps, since whatever code
+         * the vsyscall page contains will be more than just a ret
+         * instruction.
+         */
+        is_native = (num_vsyscall_traps > 1);
+        printf("\tvsyscalls are %s (%d instructions in vsyscall page)\n",
+               (is_native ? "native" : "emulated"),
+               (int)num_vsyscall_traps);
+        return 0;
+}
+#endif
+int main(int argc, char **argv)
+{
+        int nerrs = 0;
+        init_vdso();
+        nerrs += init_vsys();
+        nerrs += test_gtod();
+        nerrs += test_time();
+        nerrs += test_getcpu(0);
+        nerrs += test_getcpu(1);
+        sethandler(SIGSEGV, sigsegv, 0);
+        nerrs += test_vsys_r();
+#ifdef __x86_64__
+        nerrs += test_native_vsyscall();
+#endif
+        return nerrs ? 1 : 0;
+}
diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
index b4b69c2d1012..9dea96380339 100644
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -1310,7 +1310,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
                return -EFAULT;
        }
-        if (is_vm_hugetlb_page(vma) && !logging_active) {
+        if (vma_kernel_pagesize(vma) == PMD_SIZE && !logging_active) {
                hugetlb = true;
                gfn = (fault_ipa & PMD_MASK) >> PAGE_SHIFT;
        } else {
diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c
index 62310122ee78..743ca5cb05ef 100644
--- a/virt/kvm/arm/vgic/vgic-init.c
+++ b/virt/kvm/arm/vgic/vgic-init.c
@@ -285,9 +285,11 @@ int vgic_init(struct kvm *kvm)
        if (ret)
                goto out;
-        ret = vgic_v4_init(kvm);
+        if (vgic_has_its(kvm)) {
-        if (ret)
+                ret = vgic_v4_init(kvm);
-                goto out;
+                if (ret)
+                        goto out;
+        }
        kvm_for_each_vcpu(i, vcpu, kvm)
                kvm_vgic_vcpu_enable(vcpu);
diff --git a/virt/kvm/arm/vgic/vgic-v4.c b/virt/kvm/arm/vgic/vgic-v4.c
index 4a37292855bc..bc4265154bac 100644
--- a/virt/kvm/arm/vgic/vgic-v4.c
+++ b/virt/kvm/arm/vgic/vgic-v4.c
@@ -118,7 +118,7 @@ int vgic_v4_init(struct kvm *kvm)
        struct kvm_vcpu *vcpu;
        int i, nr_vcpus, ret;
-        if (!vgic_supports_direct_msis(kvm))
+        if (!kvm_vgic_global_state.has_gicv4)
                return 0; /* Nothing to see here... move along. */
        if (dist->its_vm.vpes)
author	Thomas Gleixner <tglx@linutronix.de>	2018-01-27 09:35:29 -0500
committer	Thomas Gleixner <tglx@linutronix.de>	2018-01-27 09:35:29 -0500
commit	303c146df1c4574db3495d9acc5c440dd46c6b0f (patch)
tree	fbcea289aea24da8a44c7677a776988bb3c8bcbe
parent	b1a31a5f5f27ff8aba42b545a1c721941f735107 (diff)
parent	d5421ea43d30701e03cadc56a38854c36a8b4433 (diff)