288 files changed, 3877 insertions, 1459 deletions

diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu b/Documentation/ABI/testing/sysfs-devices-system-cpu
index 025b7cf3768d..bd4975e132d3 100644
--- a/Documentation/ABI/testing/sysfs-devices-system-cpu
+++ b/Documentation/ABI/testing/sysfs-devices-system-cpu
@@ -478,6 +478,7 @@ What:		/sys/devices/system/cpu/vulnerabilities
                 /sys/devices/system/cpu/vulnerabilities/meltdown
                 /sys/devices/system/cpu/vulnerabilities/spectre_v1
                 /sys/devices/system/cpu/vulnerabilities/spectre_v2
+                /sys/devices/system/cpu/vulnerabilities/spec_store_bypass
 Date:           January 2018
 Contact:        Linux kernel mailing list <linux-kernel@vger.kernel.org>
 Description:    Information about CPU vulnerabilities
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 11fc28ecdb6d..f2040d46f095 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2680,6 +2680,9 @@
                         allow data leaks with this option, which is equivalent
                         to spectre_v2=off.
 
+        nospec_store_bypass_disable
+                        [HW] Disable all mitigations for the Speculative Store Bypass vulnerability
+
         noxsave         [BUGS=X86] Disables x86 extended register state save
                         and restore using xsave. The kernel will fallback to
                         enabling legacy floating-point and sse state.
@@ -4025,6 +4028,48 @@
                         Not specifying this option is equivalent to
                         spectre_v2=auto.
 
+        spec_store_bypass_disable=
+                        [HW] Control Speculative Store Bypass (SSB) Disable mitigation
+                        (Speculative Store Bypass vulnerability)
+
+                        Certain CPUs are vulnerable to an exploit against a
+                        a common industry wide performance optimization known
+                        as "Speculative Store Bypass" in which recent stores
+                        to the same memory location may not be observed by
+                        later loads during speculative execution. The idea
+                        is that such stores are unlikely and that they can
+                        be detected prior to instruction retirement at the
+                        end of a particular speculation execution window.
+
+                        In vulnerable processors, the speculatively forwarded
+                        store can be used in a cache side channel attack, for
+                        example to read memory to which the attacker does not
+                        directly have access (e.g. inside sandboxed code).
+
+                        This parameter controls whether the Speculative Store
+                        Bypass optimization is used.
+
+                        on      - Unconditionally disable Speculative Store Bypass
+                        off     - Unconditionally enable Speculative Store Bypass
+                        auto    - Kernel detects whether the CPU model contains an
+                                  implementation of Speculative Store Bypass and
+                                  picks the most appropriate mitigation. If the
+                                  CPU is not vulnerable, "off" is selected. If the
+                                  CPU is vulnerable the default mitigation is
+                                  architecture and Kconfig dependent. See below.
+                        prctl   - Control Speculative Store Bypass per thread
+                                  via prctl. Speculative Store Bypass is enabled
+                                  for a process by default. The state of the control
+                                  is inherited on fork.
+                        seccomp - Same as "prctl" above, but all seccomp threads
+                                  will disable SSB unless they explicitly opt out.
+
+                        Not specifying this option is equivalent to
+                        spec_store_bypass_disable=auto.
+
+                        Default mitigations:
+                        X86:    If CONFIG_SECCOMP=y "seccomp", otherwise "prctl"
+
         spia_io_base=   [HW,MTD]
         spia_fio_base=
         spia_pedr=
diff --git a/Documentation/devicetree/bindings/net/micrel-ksz90x1.txt b/Documentation/devicetree/bindings/net/micrel-ksz90x1.txt
index 42a248301615..e22d8cfea687 100644
--- a/Documentation/devicetree/bindings/net/micrel-ksz90x1.txt
+++ b/Documentation/devicetree/bindings/net/micrel-ksz90x1.txt
@@ -57,6 +57,13 @@ KSZ9031:
       - txd2-skew-ps : Skew control of TX data 2 pad
       - txd3-skew-ps : Skew control of TX data 3 pad
 
+    - micrel,force-master:
+        Boolean, force phy to master mode. Only set this option if the phy
+        reference clock provided at CLK125_NDO pin is used as MAC reference
+        clock because the clock jitter in slave mode is to high (errata#2).
+        Attention: The link partner must be configurable as slave otherwise
+        no link will be established.
+
 Examples:
 
         mdio {
diff --git a/Documentation/networking/ppp_generic.txt b/Documentation/networking/ppp_generic.txt
index 091d20273dcb..61daf4b39600 100644
--- a/Documentation/networking/ppp_generic.txt
+++ b/Documentation/networking/ppp_generic.txt
@@ -300,12 +300,6 @@ unattached instance are:
 The ioctl calls available on an instance of /dev/ppp attached to a
 channel are:
 
-* PPPIOCDETACH detaches the instance from the channel.  This ioctl is
-  deprecated since the same effect can be achieved by closing the
-  instance.  In order to prevent possible races this ioctl will fail
-  with an EINVAL error if more than one file descriptor refers to this
-  instance (i.e. as a result of dup(), dup2() or fork()).
-
 * PPPIOCCONNECT connects this channel to a PPP interface.  The
   argument should point to an int containing the interface unit
   number.  It will return an EINVAL error if the channel is already
diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst
index 7b2eb1b7d4ca..a3233da7fa88 100644
--- a/Documentation/userspace-api/index.rst
+++ b/Documentation/userspace-api/index.rst
@@ -19,6 +19,7 @@ place where this information is gathered.
    no_new_privs
    seccomp_filter
    unshare
+   spec_ctrl
 
 .. only::  subproject and html
 
diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst
new file mode 100644
index 000000000000..32f3d55c54b7
--- /dev/null
+++ b/Documentation/userspace-api/spec_ctrl.rst
@@ -0,0 +1,94 @@
+===================
+Speculation Control
+===================
+
+Quite some CPUs have speculation-related misfeatures which are in
+fact vulnerabilities causing data leaks in various forms even across
+privilege domains.
+
+The kernel provides mitigation for such vulnerabilities in various
+forms. Some of these mitigations are compile-time configurable and some
+can be supplied on the kernel command line.
+
+There is also a class of mitigations which are very expensive, but they can
+be restricted to a certain set of processes or tasks in controlled
+environments. The mechanism to control these mitigations is via
+:manpage:`prctl(2)`.
+
+There are two prctl options which are related to this:
+
+ * PR_GET_SPECULATION_CTRL
+
+ * PR_SET_SPECULATION_CTRL
+
+PR_GET_SPECULATION_CTRL
+-----------------------
+
+PR_GET_SPECULATION_CTRL returns the state of the speculation misfeature
+which is selected with arg2 of prctl(2). The return value uses bits 0-3 with
+the following meaning:
+
+==== ===================== ===================================================
+Bit  Define                Description
+==== ===================== ===================================================
+0    PR_SPEC_PRCTL         Mitigation can be controlled per task by
+                           PR_SET_SPECULATION_CTRL.
+1    PR_SPEC_ENABLE        The speculation feature is enabled, mitigation is
+                           disabled.
+2    PR_SPEC_DISABLE       The speculation feature is disabled, mitigation is
+                           enabled.
+3    PR_SPEC_FORCE_DISABLE Same as PR_SPEC_DISABLE, but cannot be undone. A
+                           subsequent prctl(..., PR_SPEC_ENABLE) will fail.
+==== ===================== ===================================================
+
+If all bits are 0 the CPU is not affected by the speculation misfeature.
+
+If PR_SPEC_PRCTL is set, then the per-task control of the mitigation is
+available. If not set, prctl(PR_SET_SPECULATION_CTRL) for the speculation
+misfeature will fail.
+
+PR_SET_SPECULATION_CTRL
+-----------------------
+
+PR_SET_SPECULATION_CTRL allows to control the speculation misfeature, which
+is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
+in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
+PR_SPEC_FORCE_DISABLE.
+
+Common error codes
+------------------
+======= =================================================================
+Value   Meaning
+======= =================================================================
+EINVAL  The prctl is not implemented by the architecture or unused
+        prctl(2) arguments are not 0.
+
+ENODEV  arg2 is selecting a not supported speculation misfeature.
+======= =================================================================
+
+PR_SET_SPECULATION_CTRL error codes
+-----------------------------------
+======= =================================================================
+Value   Meaning
+======= =================================================================
+0       Success
+
+ERANGE  arg3 is incorrect, i.e. it's neither PR_SPEC_ENABLE nor
+        PR_SPEC_DISABLE nor PR_SPEC_FORCE_DISABLE.
+
+ENXIO   Control of the selected speculation misfeature is not possible.
+        See PR_GET_SPECULATION_CTRL.
+
+EPERM   Speculation was disabled with PR_SPEC_FORCE_DISABLE and caller
+        tried to enable it again.
+======= =================================================================
+
+Speculation misfeature controls
+-------------------------------
+- PR_SPEC_STORE_BYPASS: Speculative Store Bypass
+
+  Invocations:
+   * prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
+   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_ENABLE, 0, 0);
+   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+   * prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_FORCE_DISABLE, 0, 0);
diff --git a/MAINTAINERS b/MAINTAINERS
index 078fd80f664f..ca4afd68530c 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2332,7 +2332,7 @@ F:	drivers/gpio/gpio-ath79.c
 F:      Documentation/devicetree/bindings/gpio/gpio-ath79.txt
 
 ATHEROS ATH GENERIC UTILITIES
-M:      "Luis R. Rodriguez" <mcgrof@do-not-panic.com>
+M:      Kalle Valo <kvalo@codeaurora.org>
 L:      linux-wireless@vger.kernel.org
 S:      Supported
 F:      drivers/net/wireless/ath/*
@@ -2347,7 +2347,7 @@ S:	Maintained
 F:      drivers/net/wireless/ath/ath5k/
 
 ATHEROS ATH6KL WIRELESS DRIVER
-M:      Kalle Valo <kvalo@qca.qualcomm.com>
+M:      Kalle Valo <kvalo@codeaurora.org>
 L:      linux-wireless@vger.kernel.org
 W:      http://wireless.kernel.org/en/users/Drivers/ath6kl
 T:      git git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
@@ -5388,7 +5388,6 @@ S:	Maintained
 F:      drivers/iommu/exynos-iommu.c
 
 EZchip NPS platform support
-M:      Elad Kanfi <eladkan@mellanox.com>
 M:      Vineet Gupta <vgupta@synopsys.com>
 S:      Supported
 F:      arch/arc/plat-eznps
@@ -6504,9 +6503,15 @@ F:	Documentation/networking/hinic.txt
 F:      drivers/net/ethernet/huawei/hinic/
 
 HUGETLB FILESYSTEM
-M:      Nadia Yvette Chambers <nyc@holomorphy.com>
+M:      Mike Kravetz <mike.kravetz@oracle.com>
+L:      linux-mm@kvack.org
 S:      Maintained
 F:      fs/hugetlbfs/
+F:      mm/hugetlb.c
+F:      include/linux/hugetlb.h
+F:      Documentation/admin-guide/mm/hugetlbpage.rst
+F:      Documentation/vm/hugetlbfs_reserv.rst
+F:      Documentation/ABI/testing/sysfs-kernel-mm-hugepages
 
 HVA ST MEDIA DRIVER
 M:      Jean-Christophe Trotin <jean-christophe.trotin@st.com>
@@ -9021,7 +9026,6 @@ Q:	http://patchwork.ozlabs.org/project/netdev/list/
 F:      drivers/net/ethernet/mellanox/mlx5/core/en_*
 
 MELLANOX ETHERNET INNOVA DRIVER
-M:      Ilan Tayari <ilant@mellanox.com>
 R:      Boris Pismenny <borisp@mellanox.com>
 L:      netdev@vger.kernel.org
 S:      Supported
@@ -9031,7 +9035,6 @@ F:	drivers/net/ethernet/mellanox/mlx5/core/fpga/*
 F:      include/linux/mlx5/mlx5_ifc_fpga.h
 
 MELLANOX ETHERNET INNOVA IPSEC DRIVER
-M:      Ilan Tayari <ilant@mellanox.com>
 R:      Boris Pismenny <borisp@mellanox.com>
 L:      netdev@vger.kernel.org
 S:      Supported
@@ -9087,7 +9090,6 @@ F:	include/uapi/rdma/mlx4-abi.h
 
 MELLANOX MLX5 core VPI driver
 M:      Saeed Mahameed <saeedm@mellanox.com>
-M:      Matan Barak <matanb@mellanox.com>
 M:      Leon Romanovsky <leonro@mellanox.com>
 L:      netdev@vger.kernel.org
 L:      linux-rdma@vger.kernel.org
@@ -9098,7 +9100,6 @@ F:	drivers/net/ethernet/mellanox/mlx5/core/
 F:      include/linux/mlx5/
 
 MELLANOX MLX5 IB driver
-M:      Matan Barak <matanb@mellanox.com>
 M:      Leon Romanovsky <leonro@mellanox.com>
 L:      linux-rdma@vger.kernel.org
 W:      http://www.mellanox.com
@@ -9832,7 +9833,6 @@ F:	net/netfilter/xt_CONNSECMARK.c
 F:      net/netfilter/xt_SECMARK.c
 
 NETWORKING [TLS]
-M:      Ilya Lesokhin <ilyal@mellanox.com>
 M:      Aviad Yehezkel <aviadye@mellanox.com>
 M:      Dave Watson <davejwatson@fb.com>
 L:      netdev@vger.kernel.org
@@ -11632,7 +11632,7 @@ S:	Maintained
 F:      drivers/media/tuners/qt1010*
 
 QUALCOMM ATHEROS ATH10K WIRELESS DRIVER
-M:      Kalle Valo <kvalo@qca.qualcomm.com>
+M:      Kalle Valo <kvalo@codeaurora.org>
 L:      ath10k@lists.infradead.org
 W:      http://wireless.kernel.org/en/users/Drivers/ath10k
 T:      git git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
@@ -11683,7 +11683,7 @@ S:	Maintained
 F:      drivers/media/platform/qcom/venus/
 
 QUALCOMM WCN36XX WIRELESS DRIVER
-M:      Eugene Krasnikov <k.eugene.e@gmail.com>
+M:      Kalle Valo <kvalo@codeaurora.org>
 L:      wcn36xx@lists.infradead.org
 W:      http://wireless.kernel.org/en/users/Drivers/wcn36xx
 T:      git git://github.com/KrasnikovEugene/wcn36xx.git
diff --git a/Makefile b/Makefile
index ec6f45928fd4..56ba070dfa09 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 VERSION = 4
 PATCHLEVEL = 17
 SUBLEVEL = 0
-EXTRAVERSION = -rc6
+EXTRAVERSION = -rc7
 NAME = Merciless Moray
 
 # *DOCUMENTATION*
@@ -500,6 +500,9 @@ RETPOLINE_CFLAGS_CLANG := -mretpoline-external-thunk
 RETPOLINE_CFLAGS := $(call cc-option,$(RETPOLINE_CFLAGS_GCC),$(call cc-option,$(RETPOLINE_CFLAGS_CLANG)))
 export RETPOLINE_CFLAGS
 
+KBUILD_CFLAGS   += $(call cc-option,-fno-PIE)
+KBUILD_AFLAGS   += $(call cc-option,-fno-PIE)
+
 # check for 'asm goto'
 ifeq ($(call shell-cached,$(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y)
   CC_HAVE_ASM_GOTO := 1
@@ -621,9 +624,9 @@ endif # $(dot-config)
 # Defaults to vmlinux, but the arch makefile usually adds further targets
 all: vmlinux
 
-KBUILD_CFLAGS   += $(call cc-option,-fno-PIE)
-KBUILD_AFLAGS   += $(call cc-option,-fno-PIE)
-CFLAGS_GCOV     := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
+CFLAGS_GCOV     := -fprofile-arcs -ftest-coverage \
+        $(call cc-option,-fno-tree-loop-im) \
+        $(call cc-disable-warning,maybe-uninitialized,)
 export CFLAGS_GCOV CFLAGS_KCOV
 
 # The arch Makefile can set ARCH_{CPP,A,C}FLAGS to override the default
diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
index b2022885ced8..f19dc31288c8 100644
--- a/arch/alpha/Kconfig
+++ b/arch/alpha/Kconfig
@@ -211,6 +211,7 @@ config ALPHA_EIGER
 config ALPHA_JENSEN
         bool "Jensen"
         depends on BROKEN
+        select DMA_DIRECT_OPS
         help
           DEC PC 150 AXP (aka Jensen): This is a very old Digital system - one
           of the first-generation Alpha systems. A number of these systems
diff --git a/arch/alpha/include/asm/dma-mapping.h b/arch/alpha/include/asm/dma-mapping.h
index b78f61f20796..8beeafd4f68e 100644
--- a/arch/alpha/include/asm/dma-mapping.h
+++ b/arch/alpha/include/asm/dma-mapping.h
@@ -2,11 +2,15 @@
 #ifndef _ALPHA_DMA_MAPPING_H
 #define _ALPHA_DMA_MAPPING_H
 
-extern const struct dma_map_ops *dma_ops;
+extern const struct dma_map_ops alpha_pci_ops;
 
 static inline const struct dma_map_ops *get_arch_dma_ops(struct bus_type *bus)
 {
-        return dma_ops;
+#ifdef CONFIG_ALPHA_JENSEN
+        return &dma_direct_ops;
+#else
+        return &alpha_pci_ops;
+#endif
 }
 
 #endif  /* _ALPHA_DMA_MAPPING_H */
diff --git a/arch/alpha/kernel/io.c b/arch/alpha/kernel/io.c
index 3e3d49c254c5..c025a3e5e357 100644
--- a/arch/alpha/kernel/io.c
+++ b/arch/alpha/kernel/io.c
@@ -37,20 +37,20 @@ unsigned int ioread32(void __iomem *addr)
 
 void iowrite8(u8 b, void __iomem *addr)
 {
-        IO_CONCAT(__IO_PREFIX,iowrite8)(b, addr);
         mb();
+        IO_CONCAT(__IO_PREFIX,iowrite8)(b, addr);
 }
 
 void iowrite16(u16 b, void __iomem *addr)
 {
-        IO_CONCAT(__IO_PREFIX,iowrite16)(b, addr);
         mb();
+        IO_CONCAT(__IO_PREFIX,iowrite16)(b, addr);
 }
 
 void iowrite32(u32 b, void __iomem *addr)
 {
-        IO_CONCAT(__IO_PREFIX,iowrite32)(b, addr);
         mb();
+        IO_CONCAT(__IO_PREFIX,iowrite32)(b, addr);
 }
 
 EXPORT_SYMBOL(ioread8);
@@ -176,26 +176,26 @@ u64 readq(const volatile void __iomem *addr)
 
 void writeb(u8 b, volatile void __iomem *addr)
 {
-        __raw_writeb(b, addr);
         mb();
+        __raw_writeb(b, addr);
 }
 
 void writew(u16 b, volatile void __iomem *addr)
 {
-        __raw_writew(b, addr);
         mb();
+        __raw_writew(b, addr);
 }
 
 void writel(u32 b, volatile void __iomem *addr)
 {
-        __raw_writel(b, addr);
         mb();
+        __raw_writel(b, addr);
 }
 
 void writeq(u64 b, volatile void __iomem *addr)
 {
-        __raw_writeq(b, addr);
         mb();
+        __raw_writeq(b, addr);
 }
 
 EXPORT_SYMBOL(readb);
diff --git a/arch/alpha/kernel/pci-noop.c b/arch/alpha/kernel/pci-noop.c
index b6ebb65127a8..c7c5879869d3 100644
--- a/arch/alpha/kernel/pci-noop.c
+++ b/arch/alpha/kernel/pci-noop.c
@@ -102,36 +102,3 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn,
         else
                 return -ENODEV;
 }
-
-static void *alpha_noop_alloc_coherent(struct device *dev, size_t size,
-                                       dma_addr_t *dma_handle, gfp_t gfp,
-                                       unsigned long attrs)
-{
-        void *ret;
-
-        if (!dev || *dev->dma_mask >= 0xffffffffUL)
-                gfp &= ~GFP_DMA;
-        ret = (void *)__get_free_pages(gfp, get_order(size));
-        if (ret) {
-                memset(ret, 0, size);
-                *dma_handle = virt_to_phys(ret);
-        }
-        return ret;
-}
-
-static int alpha_noop_supported(struct device *dev, u64 mask)
-{
-        return mask < 0x00ffffffUL ? 0 : 1;
-}
-
-const struct dma_map_ops alpha_noop_ops = {
-        .alloc                  = alpha_noop_alloc_coherent,
-        .free                   = dma_noop_free_coherent,
-        .map_page               = dma_noop_map_page,
-        .map_sg                 = dma_noop_map_sg,
-        .mapping_error          = dma_noop_mapping_error,
-        .dma_supported          = alpha_noop_supported,
-};
-
-const struct dma_map_ops *dma_ops = &alpha_noop_ops;
-EXPORT_SYMBOL(dma_ops);
diff --git a/arch/alpha/kernel/pci_iommu.c b/arch/alpha/kernel/pci_iommu.c
index 83b34b9188ea..6923b0d9c1e1 100644
--- a/arch/alpha/kernel/pci_iommu.c
+++ b/arch/alpha/kernel/pci_iommu.c
@@ -950,6 +950,4 @@ const struct dma_map_ops alpha_pci_ops = {
         .mapping_error          = alpha_pci_mapping_error,
         .dma_supported          = alpha_pci_supported,
 };
-
-const struct dma_map_ops *dma_ops = &alpha_pci_ops;
-EXPORT_SYMBOL(dma_ops);
+EXPORT_SYMBOL(alpha_pci_ops);
diff --git a/arch/arm/boot/dts/sun4i-a10.dtsi b/arch/arm/boot/dts/sun4i-a10.dtsi
index 77e8436beed4..3a1c6b45c9a1 100644
--- a/arch/arm/boot/dts/sun4i-a10.dtsi
+++ b/arch/arm/boot/dts/sun4i-a10.dtsi
@@ -76,7 +76,7 @@
                         allwinner,pipeline = "de_fe0-de_be0-lcd0-hdmi";
                         clocks = <&ccu CLK_AHB_LCD0>, <&ccu CLK_AHB_HDMI0>,
                                  <&ccu CLK_AHB_DE_BE0>, <&ccu CLK_AHB_DE_FE0>,
-                                 <&ccu CLK_DE_BE0>, <&ccu CLK_AHB_DE_FE0>,
+                                 <&ccu CLK_DE_BE0>, <&ccu CLK_DE_FE0>,
                                  <&ccu CLK_TCON0_CH1>, <&ccu CLK_HDMI>,
                                  <&ccu CLK_DRAM_DE_FE0>, <&ccu CLK_DRAM_DE_BE0>;
                         status = "disabled";
@@ -88,7 +88,7 @@
                         allwinner,pipeline = "de_fe0-de_be0-lcd0";
                         clocks = <&ccu CLK_AHB_LCD0>, <&ccu CLK_AHB_DE_BE0>,
                                  <&ccu CLK_AHB_DE_FE0>, <&ccu CLK_DE_BE0>,
-                                 <&ccu CLK_AHB_DE_FE0>, <&ccu CLK_TCON0_CH0>,
+                                 <&ccu CLK_DE_FE0>, <&ccu CLK_TCON0_CH0>,
                                  <&ccu CLK_DRAM_DE_FE0>, <&ccu CLK_DRAM_DE_BE0>;
                         status = "disabled";
                 };
@@ -99,7 +99,7 @@
                         allwinner,pipeline = "de_fe0-de_be0-lcd0-tve0";
                         clocks = <&ccu CLK_AHB_TVE0>, <&ccu CLK_AHB_LCD0>,
                                  <&ccu CLK_AHB_DE_BE0>, <&ccu CLK_AHB_DE_FE0>,
-                                 <&ccu CLK_DE_BE0>, <&ccu CLK_AHB_DE_FE0>,
+                                 <&ccu CLK_DE_BE0>, <&ccu CLK_DE_FE0>,
                                  <&ccu CLK_TCON0_CH1>, <&ccu CLK_DRAM_TVE0>,
                                  <&ccu CLK_DRAM_DE_FE0>, <&ccu CLK_DRAM_DE_BE0>;
                         status = "disabled";
diff --git a/arch/arm/boot/dts/sun8i-h3-orangepi-one.dts b/arch/arm/boot/dts/sun8i-h3-orangepi-one.dts
index 3328fe583c9b..232f124ce62c 100644
--- a/arch/arm/boot/dts/sun8i-h3-orangepi-one.dts
+++ b/arch/arm/boot/dts/sun8i-h3-orangepi-one.dts
@@ -117,6 +117,7 @@
         phy-handle = <&int_mii_phy>;
         phy-mode = "mii";
         allwinner,leds-active-low;
+        status = "okay";
 };
 
 &hdmi {
diff --git a/arch/arm/boot/dts/sun8i-v3s-licheepi-zero-dock.dts b/arch/arm/boot/dts/sun8i-v3s-licheepi-zero-dock.dts
index d1311098ea45..ad173605b1b8 100644
--- a/arch/arm/boot/dts/sun8i-v3s-licheepi-zero-dock.dts
+++ b/arch/arm/boot/dts/sun8i-v3s-licheepi-zero-dock.dts
@@ -51,7 +51,7 @@
 
         leds {
                 /* The LEDs use PG0~2 pins, which conflict with MMC1 */
-                status = "disbaled";
+                status = "disabled";
         };
 };
 
diff --git a/arch/arm/mach-ep93xx/core.c b/arch/arm/mach-ep93xx/core.c
index e70feec6fad5..0581ffbedddd 100644
--- a/arch/arm/mach-ep93xx/core.c
+++ b/arch/arm/mach-ep93xx/core.c
@@ -323,7 +323,7 @@ void __init ep93xx_register_eth(struct ep93xx_eth_data *data, int copy_addr)
 
 /* All EP93xx devices use the same two GPIO pins for I2C bit-banging */
 static struct gpiod_lookup_table ep93xx_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.0",
         .table          = {
                 /* Use local offsets on gpiochip/port "G" */
                 GPIO_LOOKUP_IDX("G", 1, NULL, 0,
diff --git a/arch/arm/mach-ixp4xx/avila-setup.c b/arch/arm/mach-ixp4xx/avila-setup.c
index 77def6169f50..44cbbce6bda6 100644
--- a/arch/arm/mach-ixp4xx/avila-setup.c
+++ b/arch/arm/mach-ixp4xx/avila-setup.c
@@ -51,7 +51,7 @@ static struct platform_device avila_flash = {
 };
 
 static struct gpiod_lookup_table avila_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.0",
         .table          = {
                 GPIO_LOOKUP_IDX("IXP4XX_GPIO_CHIP", AVILA_SDA_PIN,
                                 NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mach-ixp4xx/dsmg600-setup.c b/arch/arm/mach-ixp4xx/dsmg600-setup.c
index 0f5c99941a7d..397190f3a8da 100644
--- a/arch/arm/mach-ixp4xx/dsmg600-setup.c
+++ b/arch/arm/mach-ixp4xx/dsmg600-setup.c
@@ -70,7 +70,7 @@ static struct platform_device dsmg600_flash = {
 };
 
 static struct gpiod_lookup_table dsmg600_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.0",
         .table          = {
                 GPIO_LOOKUP_IDX("IXP4XX_GPIO_CHIP", DSMG600_SDA_PIN,
                                 NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mach-ixp4xx/fsg-setup.c b/arch/arm/mach-ixp4xx/fsg-setup.c
index 033f79b35d51..f0a152e365b1 100644
--- a/arch/arm/mach-ixp4xx/fsg-setup.c
+++ b/arch/arm/mach-ixp4xx/fsg-setup.c
@@ -56,7 +56,7 @@ static struct platform_device fsg_flash = {
 };
 
 static struct gpiod_lookup_table fsg_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.0",
         .table          = {
                 GPIO_LOOKUP_IDX("IXP4XX_GPIO_CHIP", FSG_SDA_PIN,
                                 NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mach-ixp4xx/ixdp425-setup.c b/arch/arm/mach-ixp4xx/ixdp425-setup.c
index b168e2fbdbeb..3ec829d52cdd 100644
--- a/arch/arm/mach-ixp4xx/ixdp425-setup.c
+++ b/arch/arm/mach-ixp4xx/ixdp425-setup.c
@@ -124,7 +124,7 @@ static struct platform_device ixdp425_flash_nand = {
 #endif  /* CONFIG_MTD_NAND_PLATFORM */
 
 static struct gpiod_lookup_table ixdp425_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.0",
         .table          = {
                 GPIO_LOOKUP_IDX("IXP4XX_GPIO_CHIP", IXDP425_SDA_PIN,
                                 NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mach-ixp4xx/nas100d-setup.c b/arch/arm/mach-ixp4xx/nas100d-setup.c
index 76dfff03cb71..4138d6aa4c52 100644
--- a/arch/arm/mach-ixp4xx/nas100d-setup.c
+++ b/arch/arm/mach-ixp4xx/nas100d-setup.c
@@ -102,7 +102,7 @@ static struct platform_device nas100d_leds = {
 };
 
 static struct gpiod_lookup_table nas100d_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.0",
         .table          = {
                 GPIO_LOOKUP_IDX("IXP4XX_GPIO_CHIP", NAS100D_SDA_PIN,
                                 NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mach-ixp4xx/nslu2-setup.c b/arch/arm/mach-ixp4xx/nslu2-setup.c
index 91da63a7d7b5..341b263482ef 100644
--- a/arch/arm/mach-ixp4xx/nslu2-setup.c
+++ b/arch/arm/mach-ixp4xx/nslu2-setup.c
@@ -70,7 +70,7 @@ static struct platform_device nslu2_flash = {
 };
 
 static struct gpiod_lookup_table nslu2_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.0",
         .table          = {
                 GPIO_LOOKUP_IDX("IXP4XX_GPIO_CHIP", NSLU2_SDA_PIN,
                                 NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mach-pxa/palmz72.c b/arch/arm/mach-pxa/palmz72.c
index 5877e547cecd..0adb1bd6208e 100644
--- a/arch/arm/mach-pxa/palmz72.c
+++ b/arch/arm/mach-pxa/palmz72.c
@@ -322,7 +322,7 @@ static struct soc_camera_link palmz72_iclink = {
 };
 
 static struct gpiod_lookup_table palmz72_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.0",
         .table          = {
                 GPIO_LOOKUP_IDX("gpio-pxa", 118, NULL, 0,
                                 GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mach-pxa/viper.c b/arch/arm/mach-pxa/viper.c
index 90d0f277de55..207dcc2e94e7 100644
--- a/arch/arm/mach-pxa/viper.c
+++ b/arch/arm/mach-pxa/viper.c
@@ -460,7 +460,7 @@ static struct platform_device smc91x_device = {
 
 /* i2c */
 static struct gpiod_lookup_table viper_i2c_gpiod_table = {
-        .dev_id         = "i2c-gpio",
+        .dev_id         = "i2c-gpio.1",
         .table          = {
                 GPIO_LOOKUP_IDX("gpio-pxa", VIPER_RTC_I2C_SDA_GPIO,
                                 NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
@@ -789,7 +789,7 @@ static int __init viper_tpm_setup(char *str)
 __setup("tpm=", viper_tpm_setup);
 
 struct gpiod_lookup_table viper_tpm_i2c_gpiod_table = {
-        .dev_id = "i2c-gpio",
+        .dev_id = "i2c-gpio.2",
         .table = {
                 GPIO_LOOKUP_IDX("gpio-pxa", VIPER_TPM_I2C_SDA_GPIO,
                                 NULL, 0, GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mach-sa1100/simpad.c b/arch/arm/mach-sa1100/simpad.c
index ace010479eb6..f45aed2519ba 100644
--- a/arch/arm/mach-sa1100/simpad.c
+++ b/arch/arm/mach-sa1100/simpad.c
@@ -327,7 +327,7 @@ static struct platform_device simpad_gpio_leds = {
  * i2c
  */
 static struct gpiod_lookup_table simpad_i2c_gpiod_table = {
-        .dev_id = "i2c-gpio",
+        .dev_id = "i2c-gpio.0",
         .table = {
                 GPIO_LOOKUP_IDX("gpio", 21, NULL, 0,
                                 GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN),
diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
index 8c398fedbbb6..ada8eb206a90 100644
--- a/arch/arm/mm/dma-mapping.c
+++ b/arch/arm/mm/dma-mapping.c
@@ -466,12 +466,6 @@ void __init dma_contiguous_early_fixup(phys_addr_t base, unsigned long size)
 void __init dma_contiguous_remap(void)
 {
         int i;
-
-        if (!dma_mmu_remap_num)
-                return;
-
-        /* call flush_cache_all() since CMA area would be large enough */
-        flush_cache_all();
         for (i = 0; i < dma_mmu_remap_num; i++) {
                 phys_addr_t start = dma_mmu_remap[i].base;
                 phys_addr_t end = start + dma_mmu_remap[i].size;
@@ -504,15 +498,7 @@ void __init dma_contiguous_remap(void)
                 flush_tlb_kernel_range(__phys_to_virt(start),
                                        __phys_to_virt(end));
 
-                /*
-                 * All the memory in CMA region will be on ZONE_MOVABLE.
-                 * If that zone is considered as highmem, the memory in CMA
-                 * region is also considered as highmem even if it's
-                 * physical address belong to lowmem. In this case,
-                 * re-mapping isn't required.
-                 */
-                if (!is_highmem_idx(ZONE_MOVABLE))
-                        iotable_init(&map, 1);
+                iotable_init(&map, 1);
         }
 }
 
diff --git a/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts b/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts
index 724a0d3b7683..edb4ee0b8896 100644
--- a/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts
+++ b/arch/arm64/boot/dts/hisilicon/hi6220-hikey.dts
@@ -299,7 +299,6 @@
                 /* GPIO blocks 16 thru 19 do not appear to be routed to pins */
 
                 dwmmc_0: dwmmc0@f723d000 {
-                        max-frequency = <150000000>;
                         cap-mmc-highspeed;
                         mmc-hs200-1_8v;
                         non-removable;
diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/atomic_lse.h
index 9ef0797380cb..f9b0b09153e0 100644
--- a/arch/arm64/include/asm/atomic_lse.h
+++ b/arch/arm64/include/asm/atomic_lse.h
@@ -117,7 +117,7 @@ static inline void atomic_and(int i, atomic_t *v)
         /* LSE atomics */
         "       mvn     %w[i], %w[i]\n"
         "       stclr   %w[i], %[v]")
-        : [i] "+r" (w0), [v] "+Q" (v->counter)
+        : [i] "+&r" (w0), [v] "+Q" (v->counter)
         : "r" (x1)
         : __LL_SC_CLOBBERS);
 }
@@ -135,7 +135,7 @@ static inline int atomic_fetch_and##name(int i, atomic_t *v)		\
         /* LSE atomics */                                               \
         "       mvn     %w[i], %w[i]\n"                                 \
         "       ldclr" #mb "    %w[i], %w[i], %[v]")                    \
-        : [i] "+r" (w0), [v] "+Q" (v->counter)                          \
+        : [i] "+&r" (w0), [v] "+Q" (v->counter)                         \
         : "r" (x1)                                                      \
         : __LL_SC_CLOBBERS, ##cl);                                      \
                                                                         \
@@ -161,7 +161,7 @@ static inline void atomic_sub(int i, atomic_t *v)
         /* LSE atomics */
         "       neg     %w[i], %w[i]\n"
         "       stadd   %w[i], %[v]")
-        : [i] "+r" (w0), [v] "+Q" (v->counter)
+        : [i] "+&r" (w0), [v] "+Q" (v->counter)
         : "r" (x1)
         : __LL_SC_CLOBBERS);
 }
@@ -180,7 +180,7 @@ static inline int atomic_sub_return##name(int i, atomic_t *v)		\
         "       neg     %w[i], %w[i]\n"                                 \
         "       ldadd" #mb "    %w[i], w30, %[v]\n"                     \
         "       add     %w[i], %w[i], w30")                             \
-        : [i] "+r" (w0), [v] "+Q" (v->counter)                          \
+        : [i] "+&r" (w0), [v] "+Q" (v->counter)                         \
         : "r" (x1)                                                      \
         : __LL_SC_CLOBBERS , ##cl);                                     \
                                                                         \
@@ -207,7 +207,7 @@ static inline int atomic_fetch_sub##name(int i, atomic_t *v)		\
         /* LSE atomics */                                               \
         "       neg     %w[i], %w[i]\n"                                 \
         "       ldadd" #mb "    %w[i], %w[i], %[v]")                    \
-        : [i] "+r" (w0), [v] "+Q" (v->counter)                          \
+        : [i] "+&r" (w0), [v] "+Q" (v->counter)                         \
         : "r" (x1)                                                      \
         : __LL_SC_CLOBBERS, ##cl);                                      \
                                                                         \
@@ -314,7 +314,7 @@ static inline void atomic64_and(long i, atomic64_t *v)
         /* LSE atomics */
         "       mvn     %[i], %[i]\n"
         "       stclr   %[i], %[v]")
-        : [i] "+r" (x0), [v] "+Q" (v->counter)
+        : [i] "+&r" (x0), [v] "+Q" (v->counter)
         : "r" (x1)
         : __LL_SC_CLOBBERS);
 }
@@ -332,7 +332,7 @@ static inline long atomic64_fetch_and##name(long i, atomic64_t *v)	\
         /* LSE atomics */                                               \
         "       mvn     %[i], %[i]\n"                                   \
         "       ldclr" #mb "    %[i], %[i], %[v]")                      \
-        : [i] "+r" (x0), [v] "+Q" (v->counter)                          \
+        : [i] "+&r" (x0), [v] "+Q" (v->counter)                         \
         : "r" (x1)                                                      \
         : __LL_SC_CLOBBERS, ##cl);                                      \
                                                                         \
@@ -358,7 +358,7 @@ static inline void atomic64_sub(long i, atomic64_t *v)
         /* LSE atomics */
         "       neg     %[i], %[i]\n"
         "       stadd   %[i], %[v]")
-        : [i] "+r" (x0), [v] "+Q" (v->counter)
+        : [i] "+&r" (x0), [v] "+Q" (v->counter)
         : "r" (x1)
         : __LL_SC_CLOBBERS);
 }
@@ -377,7 +377,7 @@ static inline long atomic64_sub_return##name(long i, atomic64_t *v)	\
         "       neg     %[i], %[i]\n"                                   \
         "       ldadd" #mb "    %[i], x30, %[v]\n"                      \
         "       add     %[i], %[i], x30")                               \
-        : [i] "+r" (x0), [v] "+Q" (v->counter)                          \
+        : [i] "+&r" (x0), [v] "+Q" (v->counter)                         \
         : "r" (x1)                                                      \
         : __LL_SC_CLOBBERS, ##cl);                                      \
                                                                         \
@@ -404,7 +404,7 @@ static inline long atomic64_fetch_sub##name(long i, atomic64_t *v)	\
         /* LSE atomics */                                               \
         "       neg     %[i], %[i]\n"                                   \
         "       ldadd" #mb "    %[i], %[i], %[v]")                      \
-        : [i] "+r" (x0), [v] "+Q" (v->counter)                          \
+        : [i] "+&r" (x0), [v] "+Q" (v->counter)                         \
         : "r" (x1)                                                      \
         : __LL_SC_CLOBBERS, ##cl);                                      \
                                                                         \
@@ -435,7 +435,7 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
         "       sub     x30, x30, %[ret]\n"
         "       cbnz    x30, 1b\n"
         "2:")
-        : [ret] "+r" (x0), [v] "+Q" (v->counter)
+        : [ret] "+&r" (x0), [v] "+Q" (v->counter)
         :
         : __LL_SC_CLOBBERS, "cc", "memory");
 
@@ -516,7 +516,7 @@ static inline long __cmpxchg_double##name(unsigned long old1,		\
         "       eor     %[old1], %[old1], %[oldval1]\n"                 \
         "       eor     %[old2], %[old2], %[oldval2]\n"                 \
         "       orr     %[old1], %[old1], %[old2]")                     \
-        : [old1] "+r" (x0), [old2] "+r" (x1),                           \
+        : [old1] "+&r" (x0), [old2] "+&r" (x1),                         \
           [v] "+Q" (*(unsigned long *)ptr)                              \
         : [new1] "r" (x2), [new2] "r" (x3), [ptr] "r" (x4),             \
           [oldval1] "r" (oldval1), [oldval2] "r" (oldval2)              \
diff --git a/arch/arm64/kernel/arm64ksyms.c b/arch/arm64/kernel/arm64ksyms.c
index 66be504edb6c..d894a20b70b2 100644
--- a/arch/arm64/kernel/arm64ksyms.c
+++ b/arch/arm64/kernel/arm64ksyms.c
@@ -75,3 +75,11 @@ NOKPROBE_SYMBOL(_mcount);
         /* arm-smccc */
 EXPORT_SYMBOL(__arm_smccc_smc);
 EXPORT_SYMBOL(__arm_smccc_hvc);
+
+        /* tishift.S */
+extern long long __ashlti3(long long a, int b);
+EXPORT_SYMBOL(__ashlti3);
+extern long long __ashrti3(long long a, int b);
+EXPORT_SYMBOL(__ashrti3);
+extern long long __lshrti3(long long a, int b);
+EXPORT_SYMBOL(__lshrti3);
diff --git a/arch/arm64/lib/tishift.S b/arch/arm64/lib/tishift.S
index d3db9b2cd479..0fdff97794de 100644
--- a/arch/arm64/lib/tishift.S
+++ b/arch/arm64/lib/tishift.S
@@ -1,17 +1,6 @@
-/*
- * Copyright (C) 2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+/* SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
  *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
  */
 
 #include <linux/linkage.h>
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 4165485e8b6e..2af3dd89bcdb 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -293,6 +293,57 @@ static void __do_kernel_fault(unsigned long addr, unsigned int esr,
 static void __do_user_fault(struct siginfo *info, unsigned int esr)
 {
         current->thread.fault_address = (unsigned long)info->si_addr;
+
+        /*
+         * If the faulting address is in the kernel, we must sanitize the ESR.
+         * From userspace's point of view, kernel-only mappings don't exist
+         * at all, so we report them as level 0 translation faults.
+         * (This is not quite the way that "no mapping there at all" behaves:
+         * an alignment fault not caused by the memory type would take
+         * precedence over translation fault for a real access to empty
+         * space. Unfortunately we can't easily distinguish "alignment fault
+         * not caused by memory type" from "alignment fault caused by memory
+         * type", so we ignore this wrinkle and just return the translation
+         * fault.)
+         */
+        if (current->thread.fault_address >= TASK_SIZE) {
+                switch (ESR_ELx_EC(esr)) {
+                case ESR_ELx_EC_DABT_LOW:
+                        /*
+                         * These bits provide only information about the
+                         * faulting instruction, which userspace knows already.
+                         * We explicitly clear bits which are architecturally
+                         * RES0 in case they are given meanings in future.
+                         * We always report the ESR as if the fault was taken
+                         * to EL1 and so ISV and the bits in ISS[23:14] are
+                         * clear. (In fact it always will be a fault to EL1.)
+                         */
+                        esr &= ESR_ELx_EC_MASK | ESR_ELx_IL |
+                                ESR_ELx_CM | ESR_ELx_WNR;
+                        esr |= ESR_ELx_FSC_FAULT;
+                        break;
+                case ESR_ELx_EC_IABT_LOW:
+                        /*
+                         * Claim a level 0 translation fault.
+                         * All other bits are architecturally RES0 for faults
+                         * reported with that DFSC value, so we clear them.
+                         */
+                        esr &= ESR_ELx_EC_MASK | ESR_ELx_IL;
+                        esr |= ESR_ELx_FSC_FAULT;
+                        break;
+                default:
+                        /*
+                         * This should never happen (entry.S only brings us
+                         * into this code for insn and data aborts from a lower
+                         * exception level). Fail safe by not providing an ESR
+                         * context record at all.
+                         */
+                        WARN(1, "ESR 0x%x is not DABT or IABT from EL0\n", esr);
+                        esr = 0;
+                        break;
+                }
+        }
+
         current->thread.fault_code = esr;
         arm64_force_sig_info(info, esr_to_fault_info(esr)->name, current);
 }
diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
index 2dbb2c9f1ec1..493ff75670ff 100644
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -933,13 +933,15 @@ int pud_set_huge(pud_t *pudp, phys_addr_t phys, pgprot_t prot)
 {
         pgprot_t sect_prot = __pgprot(PUD_TYPE_SECT |
                                         pgprot_val(mk_sect_prot(prot)));
+        pud_t new_pud = pfn_pud(__phys_to_pfn(phys), sect_prot);
 
-        /* ioremap_page_range doesn't honour BBM */
-        if (pud_present(READ_ONCE(*pudp)))
+        /* Only allow permission changes for now */
+        if (!pgattr_change_is_safe(READ_ONCE(pud_val(*pudp)),
+                                   pud_val(new_pud)))
                 return 0;
 
         BUG_ON(phys & ~PUD_MASK);
-        set_pud(pudp, pfn_pud(__phys_to_pfn(phys), sect_prot));
+        set_pud(pudp, new_pud);
         return 1;
 }
 
@@ -947,13 +949,15 @@ int pmd_set_huge(pmd_t *pmdp, phys_addr_t phys, pgprot_t prot)
 {
         pgprot_t sect_prot = __pgprot(PMD_TYPE_SECT |
                                         pgprot_val(mk_sect_prot(prot)));
+        pmd_t new_pmd = pfn_pmd(__phys_to_pfn(phys), sect_prot);
 
-        /* ioremap_page_range doesn't honour BBM */
-        if (pmd_present(READ_ONCE(*pmdp)))
+        /* Only allow permission changes for now */
+        if (!pgattr_change_is_safe(READ_ONCE(pmd_val(*pmdp)),
+                                   pmd_val(new_pmd)))
                 return 0;
 
         BUG_ON(phys & ~PMD_MASK);
-        set_pmd(pmdp, pfn_pmd(__phys_to_pfn(phys), sect_prot));
+        set_pmd(pmdp, new_pmd);
         return 1;
 }
 
diff --git a/arch/mips/boot/compressed/uart-16550.c b/arch/mips/boot/compressed/uart-16550.c
index b3043c08f769..aee8d7b8f091 100644
--- a/arch/mips/boot/compressed/uart-16550.c
+++ b/arch/mips/boot/compressed/uart-16550.c
@@ -18,9 +18,9 @@
 #define PORT(offset) (CKSEG1ADDR(AR7_REGS_UART0) + (4 * offset))
 #endif
 
-#if defined(CONFIG_MACH_JZ4740) || defined(CONFIG_MACH_JZ4780)
-#include <asm/mach-jz4740/base.h>
-#define PORT(offset) (CKSEG1ADDR(JZ4740_UART0_BASE_ADDR) + (4 * offset))
+#ifdef CONFIG_MACH_INGENIC
+#define INGENIC_UART0_BASE_ADDR 0x10030000
+#define PORT(offset) (CKSEG1ADDR(INGENIC_UART0_BASE_ADDR) + (4 * offset))
 #endif
 
 #ifdef CONFIG_CPU_XLR
diff --git a/arch/mips/boot/dts/xilfpga/Makefile b/arch/mips/boot/dts/xilfpga/Makefile
index 9987e0e378c5..69ca00590b8d 100644
--- a/arch/mips/boot/dts/xilfpga/Makefile
+++ b/arch/mips/boot/dts/xilfpga/Makefile
@@ -1,4 +1,2 @@
 # SPDX-License-Identifier: GPL-2.0
 dtb-$(CONFIG_FIT_IMAGE_FDT_XILFPGA)     += nexys4ddr.dtb
-
-obj-y                           += $(patsubst %.dtb, %.dtb.o, $(dtb-y))
diff --git a/arch/mips/generic/Platform b/arch/mips/generic/Platform
index b51432dd10b6..0dd0d5d460a5 100644
--- a/arch/mips/generic/Platform
+++ b/arch/mips/generic/Platform
@@ -16,3 +16,4 @@ all-$(CONFIG_MIPS_GENERIC)	:= vmlinux.gz.itb
 its-y                                   := vmlinux.its.S
 its-$(CONFIG_FIT_IMAGE_FDT_BOSTON)      += board-boston.its.S
 its-$(CONFIG_FIT_IMAGE_FDT_NI169445)    += board-ni169445.its.S
+its-$(CONFIG_FIT_IMAGE_FDT_XILFPGA)     += board-xilfpga.its.S
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index 0b23b1ad99e6..8d098b9f395c 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -463,7 +463,7 @@ static int fpr_get_msa(struct task_struct *target,
 /*
  * Copy the floating-point context to the supplied NT_PRFPREG buffer.
  * Choose the appropriate helper for general registers, and then copy
- * the FCSR register separately.
+ * the FCSR and FIR registers separately.
  */
 static int fpr_get(struct task_struct *target,
                    const struct user_regset *regset,
@@ -471,6 +471,7 @@ static int fpr_get(struct task_struct *target,
                    void *kbuf, void __user *ubuf)
 {
         const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
+        const int fir_pos = fcr31_pos + sizeof(u32);
         int err;
 
         if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
@@ -483,6 +484,12 @@ static int fpr_get(struct task_struct *target,
         err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
                                   &target->thread.fpu.fcr31,
                                   fcr31_pos, fcr31_pos + sizeof(u32));
+        if (err)
+                return err;
+
+        err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
+                                  &boot_cpu_data.fpu_id,
+                                  fir_pos, fir_pos + sizeof(u32));
 
         return err;
 }
@@ -531,7 +538,8 @@ static int fpr_set_msa(struct task_struct *target,
 /*
  * Copy the supplied NT_PRFPREG buffer to the floating-point context.
  * Choose the appropriate helper for general registers, and then copy
- * the FCSR register separately.
+ * the FCSR register separately.  Ignore the incoming FIR register
+ * contents though, as the register is read-only.
  *
  * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
  * which is supposed to have been guaranteed by the kernel before
@@ -545,6 +553,7 @@ static int fpr_set(struct task_struct *target,
                    const void *kbuf, const void __user *ubuf)
 {
         const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
+        const int fir_pos = fcr31_pos + sizeof(u32);
         u32 fcr31;
         int err;
 
@@ -572,6 +581,11 @@ static int fpr_set(struct task_struct *target,
                 ptrace_setfcr31(target, fcr31);
         }
 
+        if (count > 0)
+                err = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
+                                                fir_pos,
+                                                fir_pos + sizeof(u32));
+
         return err;
 }
 
@@ -793,7 +807,7 @@ long arch_ptrace(struct task_struct *child, long request,
                         fregs = get_fpu_regs(child);
 
 #ifdef CONFIG_32BIT
-                        if (test_thread_flag(TIF_32BIT_FPREGS)) {
+                        if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
                                 /*
                                  * The odd registers are actually the high
                                  * order bits of the values stored in the even
@@ -888,7 +902,7 @@ long arch_ptrace(struct task_struct *child, long request,
 
                         init_fp_ctx(child);
 #ifdef CONFIG_32BIT
-                        if (test_thread_flag(TIF_32BIT_FPREGS)) {
+                        if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
                                 /*
                                  * The odd registers are actually the high
                                  * order bits of the values stored in the even
diff --git a/arch/mips/kernel/ptrace32.c b/arch/mips/kernel/ptrace32.c
index 2b9260f92ccd..656a137c1fe2 100644
--- a/arch/mips/kernel/ptrace32.c
+++ b/arch/mips/kernel/ptrace32.c
@@ -99,7 +99,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
                                 break;
                         }
                         fregs = get_fpu_regs(child);
-                        if (test_thread_flag(TIF_32BIT_FPREGS)) {
+                        if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
                                 /*
                                  * The odd registers are actually the high
                                  * order bits of the values stored in the even
@@ -212,7 +212,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
                                        sizeof(child->thread.fpu));
                                 child->thread.fpu.fcr31 = 0;
                         }
-                        if (test_thread_flag(TIF_32BIT_FPREGS)) {
+                        if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) {
                                 /*
                                  * The odd registers are actually the high
                                  * order bits of the values stored in the even
diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
index 2549fdd27ee1..0f725e9cee8f 100644
--- a/arch/mips/kvm/mips.c
+++ b/arch/mips/kvm/mips.c
@@ -45,7 +45,7 @@ struct kvm_stats_debugfs_item debugfs_entries[] = {
         { "cache",        VCPU_STAT(cache_exits),        KVM_STAT_VCPU },
         { "signal",       VCPU_STAT(signal_exits),       KVM_STAT_VCPU },
         { "interrupt",    VCPU_STAT(int_exits),          KVM_STAT_VCPU },
-        { "cop_unsuable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU },
+        { "cop_unusable", VCPU_STAT(cop_unusable_exits), KVM_STAT_VCPU },
         { "tlbmod",       VCPU_STAT(tlbmod_exits),       KVM_STAT_VCPU },
         { "tlbmiss_ld",   VCPU_STAT(tlbmiss_ld_exits),   KVM_STAT_VCPU },
         { "tlbmiss_st",   VCPU_STAT(tlbmiss_st_exits),   KVM_STAT_VCPU },
diff --git a/arch/mips/mm/c-r4k.c b/arch/mips/mm/c-r4k.c
index 6f534b209971..e12dfa48b478 100644
--- a/arch/mips/mm/c-r4k.c
+++ b/arch/mips/mm/c-r4k.c
@@ -851,9 +851,12 @@ static void r4k_dma_cache_wback_inv(unsigned long addr, unsigned long size)
         /*
          * Either no secondary cache or the available caches don't have the
          * subset property so we have to flush the primary caches
-         * explicitly
+         * explicitly.
+         * If we would need IPI to perform an INDEX-type operation, then
+         * we have to use the HIT-type alternative as IPI cannot be used
+         * here due to interrupts possibly being disabled.
          */
-        if (size >= dcache_size) {
+        if (!r4k_op_needs_ipi(R4K_INDEX) && size >= dcache_size) {
                 r4k_blast_dcache();
         } else {
                 R4600_HIT_CACHEOP_WAR_IMPL;
@@ -890,7 +893,7 @@ static void r4k_dma_cache_inv(unsigned long addr, unsigned long size)
                 return;
         }
 
-        if (size >= dcache_size) {
+        if (!r4k_op_needs_ipi(R4K_INDEX) && size >= dcache_size) {
                 r4k_blast_dcache();
         } else {
                 R4600_HIT_CACHEOP_WAR_IMPL;
diff --git a/arch/powerpc/include/asm/exception-64s.h b/arch/powerpc/include/asm/exception-64s.h
index 471b2274fbeb..c40b4380951c 100644
--- a/arch/powerpc/include/asm/exception-64s.h
+++ b/arch/powerpc/include/asm/exception-64s.h
@@ -74,6 +74,27 @@
  */
 #define EX_R3           EX_DAR
 
+#define STF_ENTRY_BARRIER_SLOT                                          \
+        STF_ENTRY_BARRIER_FIXUP_SECTION;                                \
+        nop;                                                            \
+        nop;                                                            \
+        nop
+
+#define STF_EXIT_BARRIER_SLOT                                           \
+        STF_EXIT_BARRIER_FIXUP_SECTION;                                 \
+        nop;                                                            \
+        nop;                                                            \
+        nop;                                                            \
+        nop;                                                            \
+        nop;                                                            \
+        nop
+
+/*
+ * r10 must be free to use, r13 must be paca
+ */
+#define INTERRUPT_TO_KERNEL                                             \
+        STF_ENTRY_BARRIER_SLOT
+
 /*
  * Macros for annotating the expected destination of (h)rfid
  *
@@ -90,16 +111,19 @@
         rfid
 
 #define RFI_TO_USER                                                     \
+        STF_EXIT_BARRIER_SLOT;                                          \
         RFI_FLUSH_SLOT;                                                 \
         rfid;                                                           \
         b       rfi_flush_fallback
 
 #define RFI_TO_USER_OR_KERNEL                                           \
+        STF_EXIT_BARRIER_SLOT;                                          \
         RFI_FLUSH_SLOT;                                                 \
         rfid;                                                           \
         b       rfi_flush_fallback
 
 #define RFI_TO_GUEST                                                    \
+        STF_EXIT_BARRIER_SLOT;                                          \
         RFI_FLUSH_SLOT;                                                 \
         rfid;                                                           \
         b       rfi_flush_fallback
@@ -108,21 +132,25 @@
         hrfid
 
 #define HRFI_TO_USER                                                    \
+        STF_EXIT_BARRIER_SLOT;                                          \
         RFI_FLUSH_SLOT;                                                 \
         hrfid;                                                          \
         b       hrfi_flush_fallback
 
 #define HRFI_TO_USER_OR_KERNEL                                          \
+        STF_EXIT_BARRIER_SLOT;                                          \
         RFI_FLUSH_SLOT;                                                 \
         hrfid;                                                          \
         b       hrfi_flush_fallback
 
 #define HRFI_TO_GUEST                                                   \
+        STF_EXIT_BARRIER_SLOT;                                          \
         RFI_FLUSH_SLOT;                                                 \
         hrfid;                                                          \
         b       hrfi_flush_fallback
 
 #define HRFI_TO_UNKNOWN                                                 \
+        STF_EXIT_BARRIER_SLOT;                                          \
         RFI_FLUSH_SLOT;                                                 \
         hrfid;                                                          \
         b       hrfi_flush_fallback
@@ -254,6 +282,7 @@ END_FTR_SECTION_NESTED(ftr,ftr,943)
 #define __EXCEPTION_PROLOG_1_PRE(area)                                  \
         OPT_SAVE_REG_TO_PACA(area+EX_PPR, r9, CPU_FTR_HAS_PPR);         \
         OPT_SAVE_REG_TO_PACA(area+EX_CFAR, r10, CPU_FTR_CFAR);          \
+        INTERRUPT_TO_KERNEL;                                            \
         SAVE_CTR(r10, area);                                            \
         mfcr    r9;
 
diff --git a/arch/powerpc/include/asm/feature-fixups.h b/arch/powerpc/include/asm/feature-fixups.h
index 1e82eb3caabd..a9b64df34e2a 100644
--- a/arch/powerpc/include/asm/feature-fixups.h
+++ b/arch/powerpc/include/asm/feature-fixups.h
@@ -187,6 +187,22 @@ label##3:					       	\
         FTR_ENTRY_OFFSET label##1b-label##3b;           \
         .popsection;
 
+#define STF_ENTRY_BARRIER_FIXUP_SECTION                 \
+953:                                                    \
+        .pushsection __stf_entry_barrier_fixup,"a";     \
+        .align 2;                                       \
+954:                                                    \
+        FTR_ENTRY_OFFSET 953b-954b;                     \
+        .popsection;
+
+#define STF_EXIT_BARRIER_FIXUP_SECTION                  \
+955:                                                    \
+        .pushsection __stf_exit_barrier_fixup,"a";      \
+        .align 2;                                       \
+956:                                                    \
+        FTR_ENTRY_OFFSET 955b-956b;                     \
+        .popsection;
+
 #define RFI_FLUSH_FIXUP_SECTION                         \
 951:                                                    \
         .pushsection __rfi_flush_fixup,"a";             \
@@ -199,6 +215,9 @@ label##3:					       	\
 #ifndef __ASSEMBLY__
 #include <linux/types.h>
 
+extern long stf_barrier_fallback;
+extern long __start___stf_entry_barrier_fixup, __stop___stf_entry_barrier_fixup;
+extern long __start___stf_exit_barrier_fixup, __stop___stf_exit_barrier_fixup;
 extern long __start___rfi_flush_fixup, __stop___rfi_flush_fixup;
 
 void apply_feature_fixups(void);
diff --git a/arch/powerpc/include/asm/kvm_book3s.h b/arch/powerpc/include/asm/kvm_book3s.h
index 4c02a7378d06..e7377b73cfec 100644
--- a/arch/powerpc/include/asm/kvm_book3s.h
+++ b/arch/powerpc/include/asm/kvm_book3s.h
@@ -96,6 +96,7 @@ struct kvmppc_vcore {
         struct kvm_vcpu *runner;
         struct kvm *kvm;
         u64 tb_offset;          /* guest timebase - host timebase */
+        u64 tb_offset_applied;  /* timebase offset currently in force */
         ulong lpcr;
         u32 arch_compat;
         ulong pcr;
diff --git a/arch/powerpc/include/asm/security_features.h b/arch/powerpc/include/asm/security_features.h
index fa4d2e1cf772..44989b22383c 100644
--- a/arch/powerpc/include/asm/security_features.h
+++ b/arch/powerpc/include/asm/security_features.h
@@ -12,6 +12,17 @@
 extern unsigned long powerpc_security_features;
 extern bool rfi_flush;
 
+/* These are bit flags */
+enum stf_barrier_type {
+        STF_BARRIER_NONE        = 0x1,
+        STF_BARRIER_FALLBACK    = 0x2,
+        STF_BARRIER_EIEIO       = 0x4,
+        STF_BARRIER_SYNC_ORI    = 0x8,
+};
+
+void setup_stf_barrier(void);
+void do_stf_barrier_fixups(enum stf_barrier_type types);
+
 static inline void security_ftr_set(unsigned long feature)
 {
         powerpc_security_features |= feature;
diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
index 6bee65f3cfd3..373dc1d6ef44 100644
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -562,6 +562,7 @@ int main(void)
         OFFSET(VCORE_NAPPING_THREADS, kvmppc_vcore, napping_threads);
         OFFSET(VCORE_KVM, kvmppc_vcore, kvm);
         OFFSET(VCORE_TB_OFFSET, kvmppc_vcore, tb_offset);
+        OFFSET(VCORE_TB_OFFSET_APPL, kvmppc_vcore, tb_offset_applied);
         OFFSET(VCORE_LPCR, kvmppc_vcore, lpcr);
         OFFSET(VCORE_PCR, kvmppc_vcore, pcr);
         OFFSET(VCORE_DPDES, kvmppc_vcore, dpdes);
diff --git a/arch/powerpc/kernel/cpu_setup_power.S b/arch/powerpc/kernel/cpu_setup_power.S
index 3f30c994e931..458b928dbd84 100644
--- a/arch/powerpc/kernel/cpu_setup_power.S
+++ b/arch/powerpc/kernel/cpu_setup_power.S
@@ -28,6 +28,7 @@ _GLOBAL(__setup_cpu_power7)
         beqlr
         li      r0,0
         mtspr   SPRN_LPID,r0
+        mtspr   SPRN_PCR,r0
         mfspr   r3,SPRN_LPCR
         li      r4,(LPCR_LPES1 >> LPCR_LPES_SH)
         bl      __init_LPCR_ISA206
@@ -41,6 +42,7 @@ _GLOBAL(__restore_cpu_power7)
         beqlr
         li      r0,0
         mtspr   SPRN_LPID,r0
+        mtspr   SPRN_PCR,r0
         mfspr   r3,SPRN_LPCR
         li      r4,(LPCR_LPES1 >> LPCR_LPES_SH)
         bl      __init_LPCR_ISA206
@@ -57,6 +59,7 @@ _GLOBAL(__setup_cpu_power8)
         beqlr
         li      r0,0
         mtspr   SPRN_LPID,r0
+        mtspr   SPRN_PCR,r0
         mfspr   r3,SPRN_LPCR
         ori     r3, r3, LPCR_PECEDH
         li      r4,0 /* LPES = 0 */
@@ -78,6 +81,7 @@ _GLOBAL(__restore_cpu_power8)
         beqlr
         li      r0,0
         mtspr   SPRN_LPID,r0
+        mtspr   SPRN_PCR,r0
         mfspr   r3,SPRN_LPCR
         ori     r3, r3, LPCR_PECEDH
         li      r4,0 /* LPES = 0 */
@@ -99,6 +103,7 @@ _GLOBAL(__setup_cpu_power9)
         mtspr   SPRN_PSSCR,r0
         mtspr   SPRN_LPID,r0
         mtspr   SPRN_PID,r0
+        mtspr   SPRN_PCR,r0
         mfspr   r3,SPRN_LPCR
         LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE  | LPCR_HEIC)
         or      r3, r3, r4
@@ -123,6 +128,7 @@ _GLOBAL(__restore_cpu_power9)
         mtspr   SPRN_PSSCR,r0
         mtspr   SPRN_LPID,r0
         mtspr   SPRN_PID,r0
+        mtspr   SPRN_PCR,r0
         mfspr   r3,SPRN_LPCR
         LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC)
         or      r3, r3, r4
diff --git a/arch/powerpc/kernel/dt_cpu_ftrs.c b/arch/powerpc/kernel/dt_cpu_ftrs.c
index 8ab51f6ca03a..c904477abaf3 100644
--- a/arch/powerpc/kernel/dt_cpu_ftrs.c
+++ b/arch/powerpc/kernel/dt_cpu_ftrs.c
@@ -101,6 +101,7 @@ static void __restore_cpu_cpufeatures(void)
         if (hv_mode) {
                 mtspr(SPRN_LPID, 0);
                 mtspr(SPRN_HFSCR, system_registers.hfscr);
+                mtspr(SPRN_PCR, 0);
         }
         mtspr(SPRN_FSCR, system_registers.fscr);
 
diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
index ae6a849db60b..f283958129f2 100644
--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -885,7 +885,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_TM)
 #endif
 
 
-EXC_REAL_MASKABLE(decrementer, 0x900, 0x80, IRQS_DISABLED)
+EXC_REAL_OOL_MASKABLE(decrementer, 0x900, 0x80, IRQS_DISABLED)
 EXC_VIRT_MASKABLE(decrementer, 0x4900, 0x80, 0x900, IRQS_DISABLED)
 TRAMP_KVM(PACA_EXGEN, 0x900)
 EXC_COMMON_ASYNC(decrementer_common, 0x900, timer_interrupt)
@@ -961,6 +961,7 @@ EXC_COMMON(trap_0b_common, 0xb00, unknown_exception)
         mtctr   r13;                                                    \
         GET_PACA(r13);                                                  \
         std     r10,PACA_EXGEN+EX_R10(r13);                             \
+        INTERRUPT_TO_KERNEL;                                            \
         KVMTEST_PR(0xc00); /* uses r10, branch to do_kvm_0xc00_system_call */ \
         HMT_MEDIUM;                                                     \
         mfctr   r9;
@@ -969,7 +970,8 @@ EXC_COMMON(trap_0b_common, 0xb00, unknown_exception)
 #define SYSCALL_KVMTEST                                                 \
         HMT_MEDIUM;                                                     \
         mr      r9,r13;                                                 \
-        GET_PACA(r13);
+        GET_PACA(r13);                                                  \
+        INTERRUPT_TO_KERNEL;
 #endif
         
 #define LOAD_SYSCALL_HANDLER(reg)                                       \
@@ -1507,6 +1509,19 @@ masked_##_H##interrupt:					\
         b       .;                                      \
         MASKED_DEC_HANDLER(_H)
 
+TRAMP_REAL_BEGIN(stf_barrier_fallback)
+        std     r9,PACA_EXRFI+EX_R9(r13)
+        std     r10,PACA_EXRFI+EX_R10(r13)
+        sync
+        ld      r9,PACA_EXRFI+EX_R9(r13)
+        ld      r10,PACA_EXRFI+EX_R10(r13)
+        ori     31,31,0
+        .rept 14
+        b       1f
+1:
+        .endr
+        blr
+
 TRAMP_REAL_BEGIN(rfi_flush_fallback)
         SET_SCRATCH0(r13);
         GET_PACA(r13);
diff --git a/arch/powerpc/kernel/security.c b/arch/powerpc/kernel/security.c
index bab5a27ea805..b98a722da915 100644
--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -8,6 +8,7 @@
 #include <linux/device.h>
 #include <linux/seq_buf.h>
 
+#include <asm/debugfs.h>
 #include <asm/security_features.h>
 
 
@@ -86,3 +87,151 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, c
 
         return s.len;
 }
+
+/*
+ * Store-forwarding barrier support.
+ */
+
+static enum stf_barrier_type stf_enabled_flush_types;
+static bool no_stf_barrier;
+bool stf_barrier;
+
+static int __init handle_no_stf_barrier(char *p)
+{
+        pr_info("stf-barrier: disabled on command line.");
+        no_stf_barrier = true;
+        return 0;
+}
+
+early_param("no_stf_barrier", handle_no_stf_barrier);
+
+/* This is the generic flag used by other architectures */
+static int __init handle_ssbd(char *p)
+{
+        if (!p || strncmp(p, "auto", 5) == 0 || strncmp(p, "on", 2) == 0 ) {
+                /* Until firmware tells us, we have the barrier with auto */
+                return 0;
+        } else if (strncmp(p, "off", 3) == 0) {
+                handle_no_stf_barrier(NULL);
+                return 0;
+        } else
+                return 1;
+
+        return 0;
+}
+early_param("spec_store_bypass_disable", handle_ssbd);
+
+/* This is the generic flag used by other architectures */
+static int __init handle_no_ssbd(char *p)
+{
+        handle_no_stf_barrier(NULL);
+        return 0;
+}
+early_param("nospec_store_bypass_disable", handle_no_ssbd);
+
+static void stf_barrier_enable(bool enable)
+{
+        if (enable)
+                do_stf_barrier_fixups(stf_enabled_flush_types);
+        else
+                do_stf_barrier_fixups(STF_BARRIER_NONE);
+
+        stf_barrier = enable;
+}
+
+void setup_stf_barrier(void)
+{
+        enum stf_barrier_type type;
+        bool enable, hv;
+
+        hv = cpu_has_feature(CPU_FTR_HVMODE);
+
+        /* Default to fallback in case fw-features are not available */
+        if (cpu_has_feature(CPU_FTR_ARCH_300))
+                type = STF_BARRIER_EIEIO;
+        else if (cpu_has_feature(CPU_FTR_ARCH_207S))
+                type = STF_BARRIER_SYNC_ORI;
+        else if (cpu_has_feature(CPU_FTR_ARCH_206))
+                type = STF_BARRIER_FALLBACK;
+        else
+                type = STF_BARRIER_NONE;
+
+        enable = security_ftr_enabled(SEC_FTR_FAVOUR_SECURITY) &&
+                (security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR) ||
+                 (security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) && hv));
+
+        if (type == STF_BARRIER_FALLBACK) {
+                pr_info("stf-barrier: fallback barrier available\n");
+        } else if (type == STF_BARRIER_SYNC_ORI) {
+                pr_info("stf-barrier: hwsync barrier available\n");
+        } else if (type == STF_BARRIER_EIEIO) {
+                pr_info("stf-barrier: eieio barrier available\n");
+        }
+
+        stf_enabled_flush_types = type;
+
+        if (!no_stf_barrier)
+                stf_barrier_enable(enable);
+}
+
+ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        if (stf_barrier && stf_enabled_flush_types != STF_BARRIER_NONE) {
+                const char *type;
+                switch (stf_enabled_flush_types) {
+                case STF_BARRIER_EIEIO:
+                        type = "eieio";
+                        break;
+                case STF_BARRIER_SYNC_ORI:
+                        type = "hwsync";
+                        break;
+                case STF_BARRIER_FALLBACK:
+                        type = "fallback";
+                        break;
+                default:
+                        type = "unknown";
+                }
+                return sprintf(buf, "Mitigation: Kernel entry/exit barrier (%s)\n", type);
+        }
+
+        if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
+            !security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
+                return sprintf(buf, "Not affected\n");
+
+        return sprintf(buf, "Vulnerable\n");
+}
+
+#ifdef CONFIG_DEBUG_FS
+static int stf_barrier_set(void *data, u64 val)
+{
+        bool enable;
+
+        if (val == 1)
+                enable = true;
+        else if (val == 0)
+                enable = false;
+        else
+                return -EINVAL;
+
+        /* Only do anything if we're changing state */
+        if (enable != stf_barrier)
+                stf_barrier_enable(enable);
+
+        return 0;
+}
+
+static int stf_barrier_get(void *data, u64 *val)
+{
+        *val = stf_barrier ? 1 : 0;
+        return 0;
+}
+
+DEFINE_SIMPLE_ATTRIBUTE(fops_stf_barrier, stf_barrier_get, stf_barrier_set, "%llu\n");
+
+static __init int stf_barrier_debugfs_init(void)
+{
+        debugfs_create_file("stf_barrier", 0600, powerpc_debugfs_root, NULL, &fops_stf_barrier);
+        return 0;
+}
+device_initcall(stf_barrier_debugfs_init);
+#endif /* CONFIG_DEBUG_FS */
diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
index c8af90ff49f0..b8d82678f8b4 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -134,6 +134,20 @@ SECTIONS
 
 #ifdef CONFIG_PPC64
         . = ALIGN(8);
+        __stf_entry_barrier_fixup : AT(ADDR(__stf_entry_barrier_fixup) - LOAD_OFFSET) {
+                __start___stf_entry_barrier_fixup = .;
+                *(__stf_entry_barrier_fixup)
+                __stop___stf_entry_barrier_fixup = .;
+        }
+
+        . = ALIGN(8);
+        __stf_exit_barrier_fixup : AT(ADDR(__stf_exit_barrier_fixup) - LOAD_OFFSET) {
+                __start___stf_exit_barrier_fixup = .;
+                *(__stf_exit_barrier_fixup)
+                __stop___stf_exit_barrier_fixup = .;
+        }
+
+        . = ALIGN(8);
         __rfi_flush_fixup : AT(ADDR(__rfi_flush_fixup) - LOAD_OFFSET) {
                 __start___rfi_flush_fixup = .;
                 *(__rfi_flush_fixup)
diff --git a/arch/powerpc/kvm/book3s_64_mmu_radix.c b/arch/powerpc/kvm/book3s_64_mmu_radix.c
index a57eafec4dc2..361f42c8c73e 100644
--- a/arch/powerpc/kvm/book3s_64_mmu_radix.c
+++ b/arch/powerpc/kvm/book3s_64_mmu_radix.c
@@ -162,7 +162,7 @@ static void kvmppc_radix_tlbie_page(struct kvm *kvm, unsigned long addr,
         if (cpu_has_feature(CPU_FTR_P9_TLBIE_BUG))
                 asm volatile(PPC_TLBIE_5(%0, %1, 0, 0, 1)
                              : : "r" (addr), "r" (kvm->arch.lpid) : "memory");
-        asm volatile("ptesync": : :"memory");
+        asm volatile("eieio ; tlbsync ; ptesync": : :"memory");
 }
 
 static void kvmppc_radix_flush_pwc(struct kvm *kvm, unsigned long addr)
@@ -173,7 +173,7 @@ static void kvmppc_radix_flush_pwc(struct kvm *kvm, unsigned long addr)
         /* RIC=1 PRS=0 R=1 IS=2 */
         asm volatile(PPC_TLBIE_5(%0, %1, 1, 0, 1)
                      : : "r" (rb), "r" (kvm->arch.lpid) : "memory");
-        asm volatile("ptesync": : :"memory");
+        asm volatile("eieio ; tlbsync ; ptesync": : :"memory");
 }
 
 unsigned long kvmppc_radix_update_pte(struct kvm *kvm, pte_t *ptep,
@@ -584,7 +584,7 @@ int kvm_unmap_radix(struct kvm *kvm, struct kvm_memory_slot *memslot,
 
         ptep = __find_linux_pte(kvm->arch.pgtable, gpa, NULL, &shift);
         if (ptep && pte_present(*ptep)) {
-                old = kvmppc_radix_update_pte(kvm, ptep, _PAGE_PRESENT, 0,
+                old = kvmppc_radix_update_pte(kvm, ptep, ~0UL, 0,
                                               gpa, shift);
                 kvmppc_radix_tlbie_page(kvm, gpa, shift);
                 if ((old & _PAGE_DIRTY) && memslot->dirty_bitmap) {
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index 4d07fca5121c..9963f65c212b 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -2441,6 +2441,7 @@ static void init_vcore_to_run(struct kvmppc_vcore *vc)
         vc->in_guest = 0;
         vc->napping_threads = 0;
         vc->conferring_threads = 0;
+        vc->tb_offset_applied = 0;
 }
 
 static bool can_dynamic_split(struct kvmppc_vcore *vc, struct core_info *cip)
diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
index bd63fa8a08b5..07ca1b2a7966 100644
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -692,6 +692,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
 22:     ld      r8,VCORE_TB_OFFSET(r5)
         cmpdi   r8,0
         beq     37f
+        std     r8, VCORE_TB_OFFSET_APPL(r5)
         mftb    r6              /* current host timebase */
         add     r8,r8,r6
         mtspr   SPRN_TBU40,r8   /* update upper 40 bits */
@@ -940,18 +941,6 @@ FTR_SECTION_ELSE
 ALT_FTR_SECTION_END_IFCLR(CPU_FTR_ARCH_300)
 8:
 
-        /*
-         * Set the decrementer to the guest decrementer.
-         */
-        ld      r8,VCPU_DEC_EXPIRES(r4)
-        /* r8 is a host timebase value here, convert to guest TB */
-        ld      r5,HSTATE_KVM_VCORE(r13)
-        ld      r6,VCORE_TB_OFFSET(r5)
-        add     r8,r8,r6
-        mftb    r7
-        subf    r3,r7,r8
-        mtspr   SPRN_DEC,r3
-
         ld      r5, VCPU_SPRG0(r4)
         ld      r6, VCPU_SPRG1(r4)
         ld      r7, VCPU_SPRG2(r4)
@@ -1005,6 +994,18 @@ ALT_FTR_SECTION_END_IFCLR(CPU_FTR_ARCH_300)
         mtspr   SPRN_LPCR,r8
         isync
 
+        /*
+         * Set the decrementer to the guest decrementer.
+         */
+        ld      r8,VCPU_DEC_EXPIRES(r4)
+        /* r8 is a host timebase value here, convert to guest TB */
+        ld      r5,HSTATE_KVM_VCORE(r13)
+        ld      r6,VCORE_TB_OFFSET_APPL(r5)
+        add     r8,r8,r6
+        mftb    r7
+        subf    r3,r7,r8
+        mtspr   SPRN_DEC,r3
+
         /* Check if HDEC expires soon */
         mfspr   r3, SPRN_HDEC
         EXTEND_HDEC(r3)
@@ -1597,8 +1598,27 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_TYPE_RADIX)
 
 guest_bypass:
         stw     r12, STACK_SLOT_TRAP(r1)
-        mr      r3, r12
+
+        /* Save DEC */
+        /* Do this before kvmhv_commence_exit so we know TB is guest TB */
+        ld      r3, HSTATE_KVM_VCORE(r13)
+        mfspr   r5,SPRN_DEC
+        mftb    r6
+        /* On P9, if the guest has large decr enabled, don't sign extend */
+BEGIN_FTR_SECTION
+        ld      r4, VCORE_LPCR(r3)
+        andis.  r4, r4, LPCR_LD@h
+        bne     16f
+END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+        extsw   r5,r5
+16:     add     r5,r5,r6
+        /* r5 is a guest timebase value here, convert to host TB */
+        ld      r4,VCORE_TB_OFFSET_APPL(r3)
+        subf    r5,r4,r5
+        std     r5,VCPU_DEC_EXPIRES(r9)
+
         /* Increment exit count, poke other threads to exit */
+        mr      r3, r12
         bl      kvmhv_commence_exit
         nop
         ld      r9, HSTATE_KVM_VCPU(r13)
@@ -1639,23 +1659,6 @@ guest_bypass:
         mtspr   SPRN_PURR,r3
         mtspr   SPRN_SPURR,r4
 
-        /* Save DEC */
-        ld      r3, HSTATE_KVM_VCORE(r13)
-        mfspr   r5,SPRN_DEC
-        mftb    r6
-        /* On P9, if the guest has large decr enabled, don't sign extend */
-BEGIN_FTR_SECTION
-        ld      r4, VCORE_LPCR(r3)
-        andis.  r4, r4, LPCR_LD@h
-        bne     16f
-END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
-        extsw   r5,r5
-16:     add     r5,r5,r6
-        /* r5 is a guest timebase value here, convert to host TB */
-        ld      r4,VCORE_TB_OFFSET(r3)
-        subf    r5,r4,r5
-        std     r5,VCPU_DEC_EXPIRES(r9)
-
 BEGIN_FTR_SECTION
         b       8f
 END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
@@ -1905,6 +1908,14 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
         cmpwi   cr2, r0, 0
         beq     cr2, 4f
 
+        /*
+         * Radix: do eieio; tlbsync; ptesync sequence in case we
+         * interrupted the guest between a tlbie and a ptesync.
+         */
+        eieio
+        tlbsync
+        ptesync
+
         /* Radix: Handle the case where the guest used an illegal PID */
         LOAD_REG_ADDR(r4, mmu_base_pid)
         lwz     r3, VCPU_GUEST_PID(r9)
@@ -2017,9 +2028,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S)
 
 27:
         /* Subtract timebase offset from timebase */
-        ld      r8,VCORE_TB_OFFSET(r5)
+        ld      r8, VCORE_TB_OFFSET_APPL(r5)
         cmpdi   r8,0
         beq     17f
+        li      r0, 0
+        std     r0, VCORE_TB_OFFSET_APPL(r5)
         mftb    r6                      /* current guest timebase */
         subf    r8,r8,r6
         mtspr   SPRN_TBU40,r8           /* update upper 40 bits */
@@ -2700,7 +2713,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
         add     r3, r3, r5
         ld      r4, HSTATE_KVM_VCPU(r13)
         ld      r5, HSTATE_KVM_VCORE(r13)
-        ld      r6, VCORE_TB_OFFSET(r5)
+        ld      r6, VCORE_TB_OFFSET_APPL(r5)
         subf    r3, r6, r3      /* convert to host TB value */
         std     r3, VCPU_DEC_EXPIRES(r4)
 
@@ -2799,7 +2812,7 @@ END_FTR_SECTION(CPU_FTR_TM | CPU_FTR_P9_TM_HV_ASSIST, 0)
         /* Restore guest decrementer */
         ld      r3, VCPU_DEC_EXPIRES(r4)
         ld      r5, HSTATE_KVM_VCORE(r13)
-        ld      r6, VCORE_TB_OFFSET(r5)
+        ld      r6, VCORE_TB_OFFSET_APPL(r5)
         add     r3, r3, r6      /* convert host TB to guest TB value */
         mftb    r7
         subf    r3, r7, r3
@@ -3606,12 +3619,9 @@ kvmppc_fix_pmao:
  */
 kvmhv_start_timing:
         ld      r5, HSTATE_KVM_VCORE(r13)
-        lbz     r6, VCORE_IN_GUEST(r5)
-        cmpwi   r6, 0
-        beq     5f                              /* if in guest, need to */
-        ld      r6, VCORE_TB_OFFSET(r5)         /* subtract timebase offset */
-5:      mftb    r5
-        subf    r5, r6, r5
+        ld      r6, VCORE_TB_OFFSET_APPL(r5)
+        mftb    r5
+        subf    r5, r6, r5      /* subtract current timebase offset */
         std     r3, VCPU_CUR_ACTIVITY(r4)
         std     r5, VCPU_ACTIVITY_START(r4)
         blr
@@ -3622,15 +3632,12 @@ kvmhv_start_timing:
  */
 kvmhv_accumulate_time:
         ld      r5, HSTATE_KVM_VCORE(r13)
-        lbz     r8, VCORE_IN_GUEST(r5)
-        cmpwi   r8, 0
-        beq     4f                              /* if in guest, need to */
-        ld      r8, VCORE_TB_OFFSET(r5)         /* subtract timebase offset */
-4:      ld      r5, VCPU_CUR_ACTIVITY(r4)
+        ld      r8, VCORE_TB_OFFSET_APPL(r5)
+        ld      r5, VCPU_CUR_ACTIVITY(r4)
         ld      r6, VCPU_ACTIVITY_START(r4)
         std     r3, VCPU_CUR_ACTIVITY(r4)
         mftb    r7
-        subf    r7, r8, r7
+        subf    r7, r8, r7      /* subtract current timebase offset */
         std     r7, VCPU_ACTIVITY_START(r4)
         cmpdi   r5, 0
         beqlr
diff --git a/arch/powerpc/kvm/book3s_xive_template.c b/arch/powerpc/kvm/book3s_xive_template.c
index c7a5deadd1cc..99c3620b40d9 100644
--- a/arch/powerpc/kvm/book3s_xive_template.c
+++ b/arch/powerpc/kvm/book3s_xive_template.c
@@ -11,6 +11,9 @@
 #define XGLUE(a,b) a##b
 #define GLUE(a,b) XGLUE(a,b)
 
+/* Dummy interrupt used when taking interrupts out of a queue in H_CPPR */
+#define XICS_DUMMY      1
+
 static void GLUE(X_PFX,ack_pending)(struct kvmppc_xive_vcpu *xc)
 {
         u8 cppr;
@@ -205,6 +208,10 @@ skip_ipi:
                                 goto skip_ipi;
                 }
 
+                /* If it's the dummy interrupt, continue searching */
+                if (hirq == XICS_DUMMY)
+                        goto skip_ipi;
+
                 /* If fetching, update queue pointers */
                 if (scan_type == scan_fetch) {
                         q->idx = idx;
@@ -385,9 +392,76 @@ static void GLUE(X_PFX,push_pending_to_hw)(struct kvmppc_xive_vcpu *xc)
         __x_writeb(prio, __x_tima + TM_SPC_SET_OS_PENDING);
 }
 
+static void GLUE(X_PFX,scan_for_rerouted_irqs)(struct kvmppc_xive *xive,
+                                               struct kvmppc_xive_vcpu *xc)
+{
+        unsigned int prio;
+
+        /* For each priority that is now masked */
+        for (prio = xc->cppr; prio < KVMPPC_XIVE_Q_COUNT; prio++) {
+                struct xive_q *q = &xc->queues[prio];
+                struct kvmppc_xive_irq_state *state;
+                struct kvmppc_xive_src_block *sb;
+                u32 idx, toggle, entry, irq, hw_num;
+                struct xive_irq_data *xd;
+                __be32 *qpage;
+                u16 src;
+
+                idx = q->idx;
+                toggle = q->toggle;
+                qpage = READ_ONCE(q->qpage);
+                if (!qpage)
+                        continue;
+
+                /* For each interrupt in the queue */
+                for (;;) {
+                        entry = be32_to_cpup(qpage + idx);
+
+                        /* No more ? */
+                        if ((entry >> 31) == toggle)
+                                break;
+                        irq = entry & 0x7fffffff;
+
+                        /* Skip dummies and IPIs */
+                        if (irq == XICS_DUMMY || irq == XICS_IPI)
+                                goto next;
+                        sb = kvmppc_xive_find_source(xive, irq, &src);
+                        if (!sb)
+                                goto next;
+                        state = &sb->irq_state[src];
+
+                        /* Has it been rerouted ? */
+                        if (xc->server_num == state->act_server)
+                                goto next;
+
+                        /*
+                         * Allright, it *has* been re-routed, kill it from
+                         * the queue.
+                         */
+                        qpage[idx] = cpu_to_be32((entry & 0x80000000) | XICS_DUMMY);
+
+                        /* Find the HW interrupt */
+                        kvmppc_xive_select_irq(state, &hw_num, &xd);
+
+                        /* If it's not an LSI, set PQ to 11 the EOI will force a resend */
+                        if (!(xd->flags & XIVE_IRQ_FLAG_LSI))
+                                GLUE(X_PFX,esb_load)(xd, XIVE_ESB_SET_PQ_11);
+
+                        /* EOI the source */
+                        GLUE(X_PFX,source_eoi)(hw_num, xd);
+
+                next:
+                        idx = (idx + 1) & q->msk;
+                        if (idx == 0)
+                                toggle ^= 1;
+                }
+        }
+}
+
 X_STATIC int GLUE(X_PFX,h_cppr)(struct kvm_vcpu *vcpu, unsigned long cppr)
 {
         struct kvmppc_xive_vcpu *xc = vcpu->arch.xive_vcpu;
+        struct kvmppc_xive *xive = vcpu->kvm->arch.xive;
         u8 old_cppr;
 
         pr_devel("H_CPPR(cppr=%ld)\n", cppr);
@@ -407,14 +481,34 @@ X_STATIC int GLUE(X_PFX,h_cppr)(struct kvm_vcpu *vcpu, unsigned long cppr)
          */
         smp_mb();
 
-        /*
-         * We are masking less, we need to look for pending things
-         * to deliver and set VP pending bits accordingly to trigger
-         * a new interrupt otherwise we might miss MFRR changes for
-         * which we have optimized out sending an IPI signal.
-         */
-        if (cppr > old_cppr)
+        if (cppr > old_cppr) {
+                /*
+                 * We are masking less, we need to look for pending things
+                 * to deliver and set VP pending bits accordingly to trigger
+                 * a new interrupt otherwise we might miss MFRR changes for
+                 * which we have optimized out sending an IPI signal.
+                 */
                 GLUE(X_PFX,push_pending_to_hw)(xc);
+        } else {
+                /*
+                 * We are masking more, we need to check the queue for any
+                 * interrupt that has been routed to another CPU, take
+                 * it out (replace it with the dummy) and retrigger it.
+                 *
+                 * This is necessary since those interrupts may otherwise
+                 * never be processed, at least not until this CPU restores
+                 * its CPPR.
+                 *
+                 * This is in theory racy vs. HW adding new interrupts to
+                 * the queue. In practice this works because the interesting
+                 * cases are when the guest has done a set_xive() to move the
+                 * interrupt away, which flushes the xive, followed by the
+                 * target CPU doing a H_CPPR. So any new interrupt coming into
+                 * the queue must still be routed to us and isn't a source
+                 * of concern.
+                 */
+                GLUE(X_PFX,scan_for_rerouted_irqs)(xive, xc);
+        }
 
         /* Apply new CPPR */
         xc->hw_cppr = cppr;
diff --git a/arch/powerpc/lib/feature-fixups.c b/arch/powerpc/lib/feature-fixups.c
index 288fe4f0db4e..e1bcdc32a851 100644
--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -23,6 +23,7 @@
 #include <asm/page.h>
 #include <asm/sections.h>
 #include <asm/setup.h>
+#include <asm/security_features.h>
 #include <asm/firmware.h>
 
 struct fixup_entry {
@@ -117,6 +118,120 @@ void do_feature_fixups(unsigned long value, void *fixup_start, void *fixup_end)
 }
 
 #ifdef CONFIG_PPC_BOOK3S_64
+void do_stf_entry_barrier_fixups(enum stf_barrier_type types)
+{
+        unsigned int instrs[3], *dest;
+        long *start, *end;
+        int i;
+
+        start = PTRRELOC(&__start___stf_entry_barrier_fixup),
+        end = PTRRELOC(&__stop___stf_entry_barrier_fixup);
+
+        instrs[0] = 0x60000000; /* nop */
+        instrs[1] = 0x60000000; /* nop */
+        instrs[2] = 0x60000000; /* nop */
+
+        i = 0;
+        if (types & STF_BARRIER_FALLBACK) {
+                instrs[i++] = 0x7d4802a6; /* mflr r10           */
+                instrs[i++] = 0x60000000; /* branch patched below */
+                instrs[i++] = 0x7d4803a6; /* mtlr r10           */
+        } else if (types & STF_BARRIER_EIEIO) {
+                instrs[i++] = 0x7e0006ac; /* eieio + bit 6 hint */
+        } else if (types & STF_BARRIER_SYNC_ORI) {
+                instrs[i++] = 0x7c0004ac; /* hwsync             */
+                instrs[i++] = 0xe94d0000; /* ld r10,0(r13)      */
+                instrs[i++] = 0x63ff0000; /* ori 31,31,0 speculation barrier */
+        }
+
+        for (i = 0; start < end; start++, i++) {
+                dest = (void *)start + *start;
+
+                pr_devel("patching dest %lx\n", (unsigned long)dest);
+
+                patch_instruction(dest, instrs[0]);
+
+                if (types & STF_BARRIER_FALLBACK)
+                        patch_branch(dest + 1, (unsigned long)&stf_barrier_fallback,
+                                     BRANCH_SET_LINK);
+                else
+                        patch_instruction(dest + 1, instrs[1]);
+
+                patch_instruction(dest + 2, instrs[2]);
+        }
+
+        printk(KERN_DEBUG "stf-barrier: patched %d entry locations (%s barrier)\n", i,
+                (types == STF_BARRIER_NONE)                  ? "no" :
+                (types == STF_BARRIER_FALLBACK)              ? "fallback" :
+                (types == STF_BARRIER_EIEIO)                 ? "eieio" :
+                (types == (STF_BARRIER_SYNC_ORI))            ? "hwsync"
+                                                           : "unknown");
+}
+
+void do_stf_exit_barrier_fixups(enum stf_barrier_type types)
+{
+        unsigned int instrs[6], *dest;
+        long *start, *end;
+        int i;
+
+        start = PTRRELOC(&__start___stf_exit_barrier_fixup),
+        end = PTRRELOC(&__stop___stf_exit_barrier_fixup);
+
+        instrs[0] = 0x60000000; /* nop */
+        instrs[1] = 0x60000000; /* nop */
+        instrs[2] = 0x60000000; /* nop */
+        instrs[3] = 0x60000000; /* nop */
+        instrs[4] = 0x60000000; /* nop */
+        instrs[5] = 0x60000000; /* nop */
+
+        i = 0;
+        if (types & STF_BARRIER_FALLBACK || types & STF_BARRIER_SYNC_ORI) {
+                if (cpu_has_feature(CPU_FTR_HVMODE)) {
+                        instrs[i++] = 0x7db14ba6; /* mtspr 0x131, r13 (HSPRG1) */
+                        instrs[i++] = 0x7db04aa6; /* mfspr r13, 0x130 (HSPRG0) */
+                } else {
+                        instrs[i++] = 0x7db243a6; /* mtsprg 2,r13       */
+                        instrs[i++] = 0x7db142a6; /* mfsprg r13,1    */
+                }
+                instrs[i++] = 0x7c0004ac; /* hwsync             */
+                instrs[i++] = 0xe9ad0000; /* ld r13,0(r13)      */
+                instrs[i++] = 0x63ff0000; /* ori 31,31,0 speculation barrier */
+                if (cpu_has_feature(CPU_FTR_HVMODE)) {
+                        instrs[i++] = 0x7db14aa6; /* mfspr r13, 0x131 (HSPRG1) */
+                } else {
+                        instrs[i++] = 0x7db242a6; /* mfsprg r13,2 */
+                }
+        } else if (types & STF_BARRIER_EIEIO) {
+                instrs[i++] = 0x7e0006ac; /* eieio + bit 6 hint */
+        }
+
+        for (i = 0; start < end; start++, i++) {
+                dest = (void *)start + *start;
+
+                pr_devel("patching dest %lx\n", (unsigned long)dest);
+
+                patch_instruction(dest, instrs[0]);
+                patch_instruction(dest + 1, instrs[1]);
+                patch_instruction(dest + 2, instrs[2]);
+                patch_instruction(dest + 3, instrs[3]);
+                patch_instruction(dest + 4, instrs[4]);
+                patch_instruction(dest + 5, instrs[5]);
+        }
+        printk(KERN_DEBUG "stf-barrier: patched %d exit locations (%s barrier)\n", i,
+                (types == STF_BARRIER_NONE)                  ? "no" :
+                (types == STF_BARRIER_FALLBACK)              ? "fallback" :
+                (types == STF_BARRIER_EIEIO)                 ? "eieio" :
+                (types == (STF_BARRIER_SYNC_ORI))            ? "hwsync"
+                                                           : "unknown");
+}
+
+
+void do_stf_barrier_fixups(enum stf_barrier_type types)
+{
+        do_stf_entry_barrier_fixups(types);
+        do_stf_exit_barrier_fixups(types);
+}
+
 void do_rfi_flush_fixups(enum l1d_flush_type types)
 {
         unsigned int instrs[3], *dest;
diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platforms/powernv/setup.c
index ef8c9ce53a61..a6648ec99ca7 100644
--- a/arch/powerpc/platforms/powernv/setup.c
+++ b/arch/powerpc/platforms/powernv/setup.c
@@ -131,6 +131,7 @@ static void __init pnv_setup_arch(void)
         set_arch_panic_timeout(10, ARCH_PANIC_TIMEOUT);
 
         pnv_setup_rfi_flush();
+        setup_stf_barrier();
 
         /* Initialize SMP */
         pnv_smp_init();
diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
index b55ad4286dc7..fdb32e056ef4 100644
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -710,6 +710,7 @@ static void __init pSeries_setup_arch(void)
         fwnmi_init();
 
         pseries_setup_rfi_flush();
+        setup_stf_barrier();
 
         /* By default, only probe PCI (can be overridden by rtas_pci) */
         pci_add_flags(PCI_PROBE_ONLY);
diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c
index 8961e3970901..969882b54266 100644
--- a/arch/s390/kvm/vsie.c
+++ b/arch/s390/kvm/vsie.c
@@ -578,7 +578,7 @@ static int pin_blocks(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page)
 
         gpa = READ_ONCE(scb_o->itdba) & ~0xffUL;
         if (gpa && (scb_s->ecb & ECB_TE)) {
-                if (!(gpa & ~0x1fffU)) {
+                if (!(gpa & ~0x1fffUL)) {
                         rc = set_validity_icpt(scb_s, 0x0080U);
                         goto unpin;
                 }
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 578793e97431..fb00a2fca990 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -198,7 +198,6 @@
 #define X86_FEATURE_CAT_L2              ( 7*32+ 5) /* Cache Allocation Technology L2 */
 #define X86_FEATURE_CDP_L3              ( 7*32+ 6) /* Code and Data Prioritization L3 */
 #define X86_FEATURE_INVPCID_SINGLE      ( 7*32+ 7) /* Effectively INVPCID && CR4.PCIDE=1 */
-
 #define X86_FEATURE_HW_PSTATE           ( 7*32+ 8) /* AMD HW-PState */
 #define X86_FEATURE_PROC_FEEDBACK       ( 7*32+ 9) /* AMD ProcFeedbackInterface */
 #define X86_FEATURE_SME                 ( 7*32+10) /* AMD Secure Memory Encryption */
@@ -207,13 +206,19 @@
 #define X86_FEATURE_RETPOLINE_AMD       ( 7*32+13) /* "" AMD Retpoline mitigation for Spectre variant 2 */
 #define X86_FEATURE_INTEL_PPIN          ( 7*32+14) /* Intel Processor Inventory Number */
 #define X86_FEATURE_CDP_L2              ( 7*32+15) /* Code and Data Prioritization L2 */
-
+#define X86_FEATURE_MSR_SPEC_CTRL       ( 7*32+16) /* "" MSR SPEC_CTRL is implemented */
+#define X86_FEATURE_SSBD                ( 7*32+17) /* Speculative Store Bypass Disable */
 #define X86_FEATURE_MBA                 ( 7*32+18) /* Memory Bandwidth Allocation */
 #define X86_FEATURE_RSB_CTXSW           ( 7*32+19) /* "" Fill RSB on context switches */
 #define X86_FEATURE_SEV                 ( 7*32+20) /* AMD Secure Encrypted Virtualization */
-
 #define X86_FEATURE_USE_IBPB            ( 7*32+21) /* "" Indirect Branch Prediction Barrier enabled */
 #define X86_FEATURE_USE_IBRS_FW         ( 7*32+22) /* "" Use IBRS during runtime firmware calls */
+#define X86_FEATURE_SPEC_STORE_BYPASS_DISABLE   ( 7*32+23) /* "" Disable Speculative Store Bypass. */
+#define X86_FEATURE_LS_CFG_SSBD         ( 7*32+24)  /* "" AMD SSBD implementation via LS_CFG MSR */
+#define X86_FEATURE_IBRS                ( 7*32+25) /* Indirect Branch Restricted Speculation */
+#define X86_FEATURE_IBPB                ( 7*32+26) /* Indirect Branch Prediction Barrier */
+#define X86_FEATURE_STIBP               ( 7*32+27) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_ZEN                 ( 7*32+28) /* "" CPU is AMD family 0x17 (Zen) */
 
 /* Virtualization flags: Linux defined, word 8 */
 #define X86_FEATURE_TPR_SHADOW          ( 8*32+ 0) /* Intel TPR Shadow */
@@ -274,9 +279,10 @@
 #define X86_FEATURE_CLZERO              (13*32+ 0) /* CLZERO instruction */
 #define X86_FEATURE_IRPERF              (13*32+ 1) /* Instructions Retired Count */
 #define X86_FEATURE_XSAVEERPTR          (13*32+ 2) /* Always save/restore FP error pointers */
-#define X86_FEATURE_IBPB                (13*32+12) /* Indirect Branch Prediction Barrier */
-#define X86_FEATURE_IBRS                (13*32+14) /* Indirect Branch Restricted Speculation */
-#define X86_FEATURE_STIBP               (13*32+15) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_AMD_IBPB            (13*32+12) /* "" Indirect Branch Prediction Barrier */
+#define X86_FEATURE_AMD_IBRS            (13*32+14) /* "" Indirect Branch Restricted Speculation */
+#define X86_FEATURE_AMD_STIBP           (13*32+15) /* "" Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_VIRT_SSBD           (13*32+25) /* Virtualized Speculative Store Bypass Disable */
 
 /* Thermal and Power Management Leaf, CPUID level 0x00000006 (EAX), word 14 */
 #define X86_FEATURE_DTHERM              (14*32+ 0) /* Digital Thermal Sensor */
@@ -334,6 +340,7 @@
 #define X86_FEATURE_SPEC_CTRL           (18*32+26) /* "" Speculation Control (IBRS + IBPB) */
 #define X86_FEATURE_INTEL_STIBP         (18*32+27) /* "" Single Thread Indirect Branch Predictors */
 #define X86_FEATURE_ARCH_CAPABILITIES   (18*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
+#define X86_FEATURE_SPEC_CTRL_SSBD      (18*32+31) /* "" Speculative Store Bypass Disable */
 
 /*
  * BUG word(s)
@@ -363,5 +370,6 @@
 #define X86_BUG_CPU_MELTDOWN            X86_BUG(14) /* CPU is affected by meltdown attack and needs kernel page table isolation */
 #define X86_BUG_SPECTRE_V1              X86_BUG(15) /* CPU is affected by Spectre variant 1 attack with conditional branches */
 #define X86_BUG_SPECTRE_V2              X86_BUG(16) /* CPU is affected by Spectre variant 2 attack with indirect branches */
+#define X86_BUG_SPEC_STORE_BYPASS       X86_BUG(17) /* CPU is affected by speculative store bypass attack */
 
 #endif /* _ASM_X86_CPUFEATURES_H */
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index c25775fad4ed..f4b2588865e9 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -924,7 +924,7 @@ struct kvm_x86_ops {
         int (*hardware_setup)(void);               /* __init */
         void (*hardware_unsetup)(void);            /* __exit */
         bool (*cpu_has_accelerated_tpr)(void);
-        bool (*cpu_has_high_real_mode_segbase)(void);
+        bool (*has_emulated_msr)(int index);
         void (*cpuid_update)(struct kvm_vcpu *vcpu);
 
         struct kvm *(*vm_alloc)(void);
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index 53d5b1b9255e..fda2114197b3 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -42,6 +42,8 @@
 #define MSR_IA32_SPEC_CTRL              0x00000048 /* Speculation Control */
 #define SPEC_CTRL_IBRS                  (1 << 0)   /* Indirect Branch Restricted Speculation */
 #define SPEC_CTRL_STIBP                 (1 << 1)   /* Single Thread Indirect Branch Predictors */
+#define SPEC_CTRL_SSBD_SHIFT            2          /* Speculative Store Bypass Disable bit */
+#define SPEC_CTRL_SSBD                  (1 << SPEC_CTRL_SSBD_SHIFT)   /* Speculative Store Bypass Disable */
 
 #define MSR_IA32_PRED_CMD               0x00000049 /* Prediction Command */
 #define PRED_CMD_IBPB                   (1 << 0)   /* Indirect Branch Prediction Barrier */
@@ -68,6 +70,11 @@
 #define MSR_IA32_ARCH_CAPABILITIES      0x0000010a
 #define ARCH_CAP_RDCL_NO                (1 << 0)   /* Not susceptible to Meltdown */
 #define ARCH_CAP_IBRS_ALL               (1 << 1)   /* Enhanced IBRS support */
+#define ARCH_CAP_SSB_NO                 (1 << 4)   /*
+                                                    * Not susceptible to Speculative Store Bypass
+                                                    * attack, so no Speculative Store Bypass
+                                                    * control required.
+                                                    */
 
 #define MSR_IA32_BBL_CR_CTL             0x00000119
 #define MSR_IA32_BBL_CR_CTL3            0x0000011e
@@ -340,6 +347,8 @@
 #define MSR_AMD64_SEV_ENABLED_BIT       0
 #define MSR_AMD64_SEV_ENABLED           BIT_ULL(MSR_AMD64_SEV_ENABLED_BIT)
 
+#define MSR_AMD64_VIRT_SPEC_CTRL        0xc001011f
+
 /* Fam 17h MSRs */
 #define MSR_F17H_IRPERF                 0xc00000e9
 
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index f928ad9b143f..8b38df98548e 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -217,6 +217,14 @@ enum spectre_v2_mitigation {
         SPECTRE_V2_IBRS,
 };
 
+/* The Speculative Store Bypass disable variants */
+enum ssb_mitigation {
+        SPEC_STORE_BYPASS_NONE,
+        SPEC_STORE_BYPASS_DISABLE,
+        SPEC_STORE_BYPASS_PRCTL,
+        SPEC_STORE_BYPASS_SECCOMP,
+};
+
 extern char __indirect_thunk_start[];
 extern char __indirect_thunk_end[];
 
@@ -241,22 +249,27 @@ static inline void vmexit_fill_RSB(void)
 #endif
 }
 
-#define alternative_msr_write(_msr, _val, _feature)             \
-        asm volatile(ALTERNATIVE("",                            \
-                                 "movl %[msr], %%ecx\n\t"       \
-                                 "movl %[val], %%eax\n\t"       \
-                                 "movl $0, %%edx\n\t"           \
-                                 "wrmsr",                       \
-                                 _feature)                      \
-                     : : [msr] "i" (_msr), [val] "i" (_val)     \
-                     : "eax", "ecx", "edx", "memory")
+static __always_inline
+void alternative_msr_write(unsigned int msr, u64 val, unsigned int feature)
+{
+        asm volatile(ALTERNATIVE("", "wrmsr", %c[feature])
+                : : "c" (msr),
+                    "a" ((u32)val),
+                    "d" ((u32)(val >> 32)),
+                    [feature] "i" (feature)
+                : "memory");
+}
 
 static inline void indirect_branch_prediction_barrier(void)
 {
-        alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,
-                              X86_FEATURE_USE_IBPB);
+        u64 val = PRED_CMD_IBPB;
+
+        alternative_msr_write(MSR_IA32_PRED_CMD, val, X86_FEATURE_USE_IBPB);
 }
 
+/* The Intel SPEC CTRL MSR base value cache */
+extern u64 x86_spec_ctrl_base;
+
 /*
  * With retpoline, we must use IBRS to restrict branch prediction
  * before calling into firmware.
@@ -265,14 +278,18 @@ static inline void indirect_branch_prediction_barrier(void)
  */
 #define firmware_restrict_branch_speculation_start()                    \
 do {                                                                    \
+        u64 val = x86_spec_ctrl_base | SPEC_CTRL_IBRS;                  \
+                                                                        \
         preempt_disable();                                              \
-        alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,       \
+        alternative_msr_write(MSR_IA32_SPEC_CTRL, val,                  \
                               X86_FEATURE_USE_IBRS_FW);                 \
 } while (0)
 
 #define firmware_restrict_branch_speculation_end()                      \
 do {                                                                    \
-        alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,                    \
+        u64 val = x86_spec_ctrl_base;                                   \
+                                                                        \
+        alternative_msr_write(MSR_IA32_SPEC_CTRL, val,                  \
                               X86_FEATURE_USE_IBRS_FW);                 \
         preempt_enable();                                               \
 } while (0)
diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
new file mode 100644
index 000000000000..ae7c2c5cd7f0
--- /dev/null
+++ b/arch/x86/include/asm/spec-ctrl.h
@@ -0,0 +1,80 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_X86_SPECCTRL_H_
+#define _ASM_X86_SPECCTRL_H_
+
+#include <linux/thread_info.h>
+#include <asm/nospec-branch.h>
+
+/*
+ * On VMENTER we must preserve whatever view of the SPEC_CTRL MSR
+ * the guest has, while on VMEXIT we restore the host view. This
+ * would be easier if SPEC_CTRL were architecturally maskable or
+ * shadowable for guests but this is not (currently) the case.
+ * Takes the guest view of SPEC_CTRL MSR as a parameter and also
+ * the guest's version of VIRT_SPEC_CTRL, if emulated.
+ */
+extern void x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool guest);
+
+/**
+ * x86_spec_ctrl_set_guest - Set speculation control registers for the guest
+ * @guest_spec_ctrl:            The guest content of MSR_SPEC_CTRL
+ * @guest_virt_spec_ctrl:       The guest controlled bits of MSR_VIRT_SPEC_CTRL
+ *                              (may get translated to MSR_AMD64_LS_CFG bits)
+ *
+ * Avoids writing to the MSR if the content/bits are the same
+ */
+static inline
+void x86_spec_ctrl_set_guest(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
+{
+        x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, true);
+}
+
+/**
+ * x86_spec_ctrl_restore_host - Restore host speculation control registers
+ * @guest_spec_ctrl:            The guest content of MSR_SPEC_CTRL
+ * @guest_virt_spec_ctrl:       The guest controlled bits of MSR_VIRT_SPEC_CTRL
+ *                              (may get translated to MSR_AMD64_LS_CFG bits)
+ *
+ * Avoids writing to the MSR if the content/bits are the same
+ */
+static inline
+void x86_spec_ctrl_restore_host(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl)
+{
+        x86_virt_spec_ctrl(guest_spec_ctrl, guest_virt_spec_ctrl, false);
+}
+
+/* AMD specific Speculative Store Bypass MSR data */
+extern u64 x86_amd_ls_cfg_base;
+extern u64 x86_amd_ls_cfg_ssbd_mask;
+
+static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
+{
+        BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
+        return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
+}
+
+static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl)
+{
+        BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
+        return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
+}
+
+static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
+{
+        return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
+}
+
+#ifdef CONFIG_SMP
+extern void speculative_store_bypass_ht_init(void);
+#else
+static inline void speculative_store_bypass_ht_init(void) { }
+#endif
+
+extern void speculative_store_bypass_update(unsigned long tif);
+
+static inline void speculative_store_bypass_update_current(void)
+{
+        speculative_store_bypass_update(current_thread_info()->flags);
+}
+
+#endif
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index a5d9521bb2cb..2ff2a30a264f 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -79,6 +79,7 @@ struct thread_info {
 #define TIF_SIGPENDING          2       /* signal pending */
 #define TIF_NEED_RESCHED        3       /* rescheduling necessary */
 #define TIF_SINGLESTEP          4       /* reenable singlestep on user return*/
+#define TIF_SSBD                        5       /* Reduced data speculation */
 #define TIF_SYSCALL_EMU         6       /* syscall emulation active */
 #define TIF_SYSCALL_AUDIT       7       /* syscall auditing active */
 #define TIF_SECCOMP             8       /* secure computing */
@@ -105,6 +106,7 @@ struct thread_info {
 #define _TIF_SIGPENDING         (1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED       (1 << TIF_NEED_RESCHED)
 #define _TIF_SINGLESTEP         (1 << TIF_SINGLESTEP)
+#define _TIF_SSBD               (1 << TIF_SSBD)
 #define _TIF_SYSCALL_EMU        (1 << TIF_SYSCALL_EMU)
 #define _TIF_SYSCALL_AUDIT      (1 << TIF_SYSCALL_AUDIT)
 #define _TIF_SECCOMP            (1 << TIF_SECCOMP)
@@ -144,7 +146,7 @@ struct thread_info {
 
 /* flags to check in __switch_to() */
 #define _TIF_WORK_CTXSW                                                 \
-        (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP)
+        (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD)
 
 #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
 #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW)
diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
index 12bc0a1139da..1b18be3f35a8 100644
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -10,6 +10,7 @@
 #include <asm/processor.h>
 #include <asm/apic.h>
 #include <asm/cpu.h>
+#include <asm/spec-ctrl.h>
 #include <asm/smp.h>
 #include <asm/pci-direct.h>
 #include <asm/delay.h>
@@ -554,6 +555,26 @@ static void bsp_init_amd(struct cpuinfo_x86 *c)
                 rdmsrl(MSR_FAM10H_NODE_ID, value);
                 nodes_per_socket = ((value >> 3) & 7) + 1;
         }
+
+        if (c->x86 >= 0x15 && c->x86 <= 0x17) {
+                unsigned int bit;
+
+                switch (c->x86) {
+                case 0x15: bit = 54; break;
+                case 0x16: bit = 33; break;
+                case 0x17: bit = 10; break;
+                default: return;
+                }
+                /*
+                 * Try to cache the base value so further operations can
+                 * avoid RMW. If that faults, do not enable SSBD.
+                 */
+                if (!rdmsrl_safe(MSR_AMD64_LS_CFG, &x86_amd_ls_cfg_base)) {
+                        setup_force_cpu_cap(X86_FEATURE_LS_CFG_SSBD);
+                        setup_force_cpu_cap(X86_FEATURE_SSBD);
+                        x86_amd_ls_cfg_ssbd_mask = 1ULL << bit;
+                }
+        }
 }
 
 static void early_detect_mem_encrypt(struct cpuinfo_x86 *c)
@@ -791,6 +812,7 @@ static void init_amd_bd(struct cpuinfo_x86 *c)
 
 static void init_amd_zn(struct cpuinfo_x86 *c)
 {
+        set_cpu_cap(c, X86_FEATURE_ZEN);
         /*
          * Fix erratum 1076: CPB feature bit not being set in CPUID. It affects
          * all up to and including B1.
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index bfca937bdcc3..7416fc206b4a 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -12,8 +12,10 @@
 #include <linux/utsname.h>
 #include <linux/cpu.h>
 #include <linux/module.h>
+#include <linux/nospec.h>
+#include <linux/prctl.h>
 
-#include <asm/nospec-branch.h>
+#include <asm/spec-ctrl.h>
 #include <asm/cmdline.h>
 #include <asm/bugs.h>
 #include <asm/processor.h>
@@ -27,6 +29,27 @@
 #include <asm/intel-family.h>
 
 static void __init spectre_v2_select_mitigation(void);
+static void __init ssb_select_mitigation(void);
+
+/*
+ * Our boot-time value of the SPEC_CTRL MSR. We read it once so that any
+ * writes to SPEC_CTRL contain whatever reserved bits have been set.
+ */
+u64 __ro_after_init x86_spec_ctrl_base;
+EXPORT_SYMBOL_GPL(x86_spec_ctrl_base);
+
+/*
+ * The vendor and possibly platform specific bits which can be modified in
+ * x86_spec_ctrl_base.
+ */
+static u64 __ro_after_init x86_spec_ctrl_mask = SPEC_CTRL_IBRS;
+
+/*
+ * AMD specific MSR info for Speculative Store Bypass control.
+ * x86_amd_ls_cfg_ssbd_mask is initialized in identify_boot_cpu().
+ */
+u64 __ro_after_init x86_amd_ls_cfg_base;
+u64 __ro_after_init x86_amd_ls_cfg_ssbd_mask;
 
 void __init check_bugs(void)
 {
@@ -37,9 +60,27 @@ void __init check_bugs(void)
                 print_cpu_info(&boot_cpu_data);
         }
 
+        /*
+         * Read the SPEC_CTRL MSR to account for reserved bits which may
+         * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD
+         * init code as it is not enumerated and depends on the family.
+         */
+        if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+                rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+
+        /* Allow STIBP in MSR_SPEC_CTRL if supported */
+        if (boot_cpu_has(X86_FEATURE_STIBP))
+                x86_spec_ctrl_mask |= SPEC_CTRL_STIBP;
+
         /* Select the proper spectre mitigation before patching alternatives */
         spectre_v2_select_mitigation();
 
+        /*
+         * Select proper mitigation for any exposure to the Speculative Store
+         * Bypass vulnerability.
+         */
+        ssb_select_mitigation();
+
 #ifdef CONFIG_X86_32
         /*
          * Check whether we are able to run this kernel safely on SMP.
@@ -93,7 +134,76 @@ static const char *spectre_v2_strings[] = {
 #undef pr_fmt
 #define pr_fmt(fmt)     "Spectre V2 : " fmt
 
-static enum spectre_v2_mitigation spectre_v2_enabled = SPECTRE_V2_NONE;
+static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
+        SPECTRE_V2_NONE;
+
+void
+x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
+{
+        u64 msrval, guestval, hostval = x86_spec_ctrl_base;
+        struct thread_info *ti = current_thread_info();
+
+        /* Is MSR_SPEC_CTRL implemented ? */
+        if (static_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) {
+                /*
+                 * Restrict guest_spec_ctrl to supported values. Clear the
+                 * modifiable bits in the host base value and or the
+                 * modifiable bits from the guest value.
+                 */
+                guestval = hostval & ~x86_spec_ctrl_mask;
+                guestval |= guest_spec_ctrl & x86_spec_ctrl_mask;
+
+                /* SSBD controlled in MSR_SPEC_CTRL */
+                if (static_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD))
+                        hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
+
+                if (hostval != guestval) {
+                        msrval = setguest ? guestval : hostval;
+                        wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
+                }
+        }
+
+        /*
+         * If SSBD is not handled in MSR_SPEC_CTRL on AMD, update
+         * MSR_AMD64_L2_CFG or MSR_VIRT_SPEC_CTRL if supported.
+         */
+        if (!static_cpu_has(X86_FEATURE_LS_CFG_SSBD) &&
+            !static_cpu_has(X86_FEATURE_VIRT_SSBD))
+                return;
+
+        /*
+         * If the host has SSBD mitigation enabled, force it in the host's
+         * virtual MSR value. If its not permanently enabled, evaluate
+         * current's TIF_SSBD thread flag.
+         */
+        if (static_cpu_has(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE))
+                hostval = SPEC_CTRL_SSBD;
+        else
+                hostval = ssbd_tif_to_spec_ctrl(ti->flags);
+
+        /* Sanitize the guest value */
+        guestval = guest_virt_spec_ctrl & SPEC_CTRL_SSBD;
+
+        if (hostval != guestval) {
+                unsigned long tif;
+
+                tif = setguest ? ssbd_spec_ctrl_to_tif(guestval) :
+                                 ssbd_spec_ctrl_to_tif(hostval);
+
+                speculative_store_bypass_update(tif);
+        }
+}
+EXPORT_SYMBOL_GPL(x86_virt_spec_ctrl);
+
+static void x86_amd_ssb_disable(void)
+{
+        u64 msrval = x86_amd_ls_cfg_base | x86_amd_ls_cfg_ssbd_mask;
+
+        if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
+                wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, SPEC_CTRL_SSBD);
+        else if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
+                wrmsrl(MSR_AMD64_LS_CFG, msrval);
+}
 
 #ifdef RETPOLINE
 static bool spectre_v2_bad_module;
@@ -312,32 +422,289 @@ retpoline_auto:
 }
 
 #undef pr_fmt
+#define pr_fmt(fmt)     "Speculative Store Bypass: " fmt
+
+static enum ssb_mitigation ssb_mode __ro_after_init = SPEC_STORE_BYPASS_NONE;
+
+/* The kernel command line selection */
+enum ssb_mitigation_cmd {
+        SPEC_STORE_BYPASS_CMD_NONE,
+        SPEC_STORE_BYPASS_CMD_AUTO,
+        SPEC_STORE_BYPASS_CMD_ON,
+        SPEC_STORE_BYPASS_CMD_PRCTL,
+        SPEC_STORE_BYPASS_CMD_SECCOMP,
+};
+
+static const char *ssb_strings[] = {
+        [SPEC_STORE_BYPASS_NONE]        = "Vulnerable",
+        [SPEC_STORE_BYPASS_DISABLE]     = "Mitigation: Speculative Store Bypass disabled",
+        [SPEC_STORE_BYPASS_PRCTL]       = "Mitigation: Speculative Store Bypass disabled via prctl",
+        [SPEC_STORE_BYPASS_SECCOMP]     = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
+};
+
+static const struct {
+        const char *option;
+        enum ssb_mitigation_cmd cmd;
+} ssb_mitigation_options[] = {
+        { "auto",       SPEC_STORE_BYPASS_CMD_AUTO },    /* Platform decides */
+        { "on",         SPEC_STORE_BYPASS_CMD_ON },      /* Disable Speculative Store Bypass */
+        { "off",        SPEC_STORE_BYPASS_CMD_NONE },    /* Don't touch Speculative Store Bypass */
+        { "prctl",      SPEC_STORE_BYPASS_CMD_PRCTL },   /* Disable Speculative Store Bypass via prctl */
+        { "seccomp",    SPEC_STORE_BYPASS_CMD_SECCOMP }, /* Disable Speculative Store Bypass via prctl and seccomp */
+};
+
+static enum ssb_mitigation_cmd __init ssb_parse_cmdline(void)
+{
+        enum ssb_mitigation_cmd cmd = SPEC_STORE_BYPASS_CMD_AUTO;
+        char arg[20];
+        int ret, i;
+
+        if (cmdline_find_option_bool(boot_command_line, "nospec_store_bypass_disable")) {
+                return SPEC_STORE_BYPASS_CMD_NONE;
+        } else {
+                ret = cmdline_find_option(boot_command_line, "spec_store_bypass_disable",
+                                          arg, sizeof(arg));
+                if (ret < 0)
+                        return SPEC_STORE_BYPASS_CMD_AUTO;
+
+                for (i = 0; i < ARRAY_SIZE(ssb_mitigation_options); i++) {
+                        if (!match_option(arg, ret, ssb_mitigation_options[i].option))
+                                continue;
+
+                        cmd = ssb_mitigation_options[i].cmd;
+                        break;
+                }
+
+                if (i >= ARRAY_SIZE(ssb_mitigation_options)) {
+                        pr_err("unknown option (%s). Switching to AUTO select\n", arg);
+                        return SPEC_STORE_BYPASS_CMD_AUTO;
+                }
+        }
+
+        return cmd;
+}
+
+static enum ssb_mitigation __init __ssb_select_mitigation(void)
+{
+        enum ssb_mitigation mode = SPEC_STORE_BYPASS_NONE;
+        enum ssb_mitigation_cmd cmd;
+
+        if (!boot_cpu_has(X86_FEATURE_SSBD))
+                return mode;
+
+        cmd = ssb_parse_cmdline();
+        if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS) &&
+            (cmd == SPEC_STORE_BYPASS_CMD_NONE ||
+             cmd == SPEC_STORE_BYPASS_CMD_AUTO))
+                return mode;
+
+        switch (cmd) {
+        case SPEC_STORE_BYPASS_CMD_AUTO:
+        case SPEC_STORE_BYPASS_CMD_SECCOMP:
+                /*
+                 * Choose prctl+seccomp as the default mode if seccomp is
+                 * enabled.
+                 */
+                if (IS_ENABLED(CONFIG_SECCOMP))
+                        mode = SPEC_STORE_BYPASS_SECCOMP;
+                else
+                        mode = SPEC_STORE_BYPASS_PRCTL;
+                break;
+        case SPEC_STORE_BYPASS_CMD_ON:
+                mode = SPEC_STORE_BYPASS_DISABLE;
+                break;
+        case SPEC_STORE_BYPASS_CMD_PRCTL:
+                mode = SPEC_STORE_BYPASS_PRCTL;
+                break;
+        case SPEC_STORE_BYPASS_CMD_NONE:
+                break;
+        }
+
+        /*
+         * We have three CPU feature flags that are in play here:
+         *  - X86_BUG_SPEC_STORE_BYPASS - CPU is susceptible.
+         *  - X86_FEATURE_SSBD - CPU is able to turn off speculative store bypass
+         *  - X86_FEATURE_SPEC_STORE_BYPASS_DISABLE - engage the mitigation
+         */
+        if (mode == SPEC_STORE_BYPASS_DISABLE) {
+                setup_force_cpu_cap(X86_FEATURE_SPEC_STORE_BYPASS_DISABLE);
+                /*
+                 * Intel uses the SPEC CTRL MSR Bit(2) for this, while AMD uses
+                 * a completely different MSR and bit dependent on family.
+                 */
+                switch (boot_cpu_data.x86_vendor) {
+                case X86_VENDOR_INTEL:
+                        x86_spec_ctrl_base |= SPEC_CTRL_SSBD;
+                        x86_spec_ctrl_mask |= SPEC_CTRL_SSBD;
+                        wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+                        break;
+                case X86_VENDOR_AMD:
+                        x86_amd_ssb_disable();
+                        break;
+                }
+        }
+
+        return mode;
+}
+
+static void ssb_select_mitigation(void)
+{
+        ssb_mode = __ssb_select_mitigation();
+
+        if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
+                pr_info("%s\n", ssb_strings[ssb_mode]);
+}
+
+#undef pr_fmt
+#define pr_fmt(fmt)     "Speculation prctl: " fmt
+
+static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
+{
+        bool update;
+
+        if (ssb_mode != SPEC_STORE_BYPASS_PRCTL &&
+            ssb_mode != SPEC_STORE_BYPASS_SECCOMP)
+                return -ENXIO;
+
+        switch (ctrl) {
+        case PR_SPEC_ENABLE:
+                /* If speculation is force disabled, enable is not allowed */
+                if (task_spec_ssb_force_disable(task))
+                        return -EPERM;
+                task_clear_spec_ssb_disable(task);
+                update = test_and_clear_tsk_thread_flag(task, TIF_SSBD);
+                break;
+        case PR_SPEC_DISABLE:
+                task_set_spec_ssb_disable(task);
+                update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
+                break;
+        case PR_SPEC_FORCE_DISABLE:
+                task_set_spec_ssb_disable(task);
+                task_set_spec_ssb_force_disable(task);
+                update = !test_and_set_tsk_thread_flag(task, TIF_SSBD);
+                break;
+        default:
+                return -ERANGE;
+        }
+
+        /*
+         * If being set on non-current task, delay setting the CPU
+         * mitigation until it is next scheduled.
+         */
+        if (task == current && update)
+                speculative_store_bypass_update_current();
+
+        return 0;
+}
+
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
+                             unsigned long ctrl)
+{
+        switch (which) {
+        case PR_SPEC_STORE_BYPASS:
+                return ssb_prctl_set(task, ctrl);
+        default:
+                return -ENODEV;
+        }
+}
+
+#ifdef CONFIG_SECCOMP
+void arch_seccomp_spec_mitigate(struct task_struct *task)
+{
+        if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
+                ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
+}
+#endif
+
+static int ssb_prctl_get(struct task_struct *task)
+{
+        switch (ssb_mode) {
+        case SPEC_STORE_BYPASS_DISABLE:
+                return PR_SPEC_DISABLE;
+        case SPEC_STORE_BYPASS_SECCOMP:
+        case SPEC_STORE_BYPASS_PRCTL:
+                if (task_spec_ssb_force_disable(task))
+                        return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
+                if (task_spec_ssb_disable(task))
+                        return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
+                return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
+        default:
+                if (boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS))
+                        return PR_SPEC_ENABLE;
+                return PR_SPEC_NOT_AFFECTED;
+        }
+}
+
+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
+{
+        switch (which) {
+        case PR_SPEC_STORE_BYPASS:
+                return ssb_prctl_get(task);
+        default:
+                return -ENODEV;
+        }
+}
+
+void x86_spec_ctrl_setup_ap(void)
+{
+        if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL))
+                wrmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base);
+
+        if (ssb_mode == SPEC_STORE_BYPASS_DISABLE)
+                x86_amd_ssb_disable();
+}
 
 #ifdef CONFIG_SYSFS
-ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
+
+static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
+                               char *buf, unsigned int bug)
 {
-        if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN))
+        if (!boot_cpu_has_bug(bug))
                 return sprintf(buf, "Not affected\n");
-        if (boot_cpu_has(X86_FEATURE_PTI))
-                return sprintf(buf, "Mitigation: PTI\n");
+
+        switch (bug) {
+        case X86_BUG_CPU_MELTDOWN:
+                if (boot_cpu_has(X86_FEATURE_PTI))
+                        return sprintf(buf, "Mitigation: PTI\n");
+
+                break;
+
+        case X86_BUG_SPECTRE_V1:
+                return sprintf(buf, "Mitigation: __user pointer sanitization\n");
+
+        case X86_BUG_SPECTRE_V2:
+                return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+                               boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
+                               boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
+                               spectre_v2_module_string());
+
+        case X86_BUG_SPEC_STORE_BYPASS:
+                return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
+
+        default:
+                break;
+        }
+
         return sprintf(buf, "Vulnerable\n");
 }
 
+ssize_t cpu_show_meltdown(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        return cpu_show_common(dev, attr, buf, X86_BUG_CPU_MELTDOWN);
+}
+
 ssize_t cpu_show_spectre_v1(struct device *dev, struct device_attribute *attr, char *buf)
 {
-        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V1))
-                return sprintf(buf, "Not affected\n");
-        return sprintf(buf, "Mitigation: __user pointer sanitization\n");
+        return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V1);
 }
 
 ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, char *buf)
 {
-        if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
-                return sprintf(buf, "Not affected\n");
+        return cpu_show_common(dev, attr, buf, X86_BUG_SPECTRE_V2);
+}
 
-        return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
-                       boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
-                       boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
-                       spectre_v2_module_string());
+ssize_t cpu_show_spec_store_bypass(struct device *dev, struct device_attribute *attr, char *buf)
+{
+        return cpu_show_common(dev, attr, buf, X86_BUG_SPEC_STORE_BYPASS);
 }
 #endif
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index ce243f7d2d4e..38276f58d3bf 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -757,17 +757,32 @@ static void init_speculation_control(struct cpuinfo_x86 *c)
          * and they also have a different bit for STIBP support. Also,
          * a hypervisor might have set the individual AMD bits even on
          * Intel CPUs, for finer-grained selection of what's available.
-         *
-         * We use the AMD bits in 0x8000_0008 EBX as the generic hardware
-         * features, which are visible in /proc/cpuinfo and used by the
-         * kernel. So set those accordingly from the Intel bits.
          */
         if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
                 set_cpu_cap(c, X86_FEATURE_IBRS);
                 set_cpu_cap(c, X86_FEATURE_IBPB);
+                set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
         }
+
         if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
                 set_cpu_cap(c, X86_FEATURE_STIBP);
+
+        if (cpu_has(c, X86_FEATURE_SPEC_CTRL_SSBD) ||
+            cpu_has(c, X86_FEATURE_VIRT_SSBD))
+                set_cpu_cap(c, X86_FEATURE_SSBD);
+
+        if (cpu_has(c, X86_FEATURE_AMD_IBRS)) {
+                set_cpu_cap(c, X86_FEATURE_IBRS);
+                set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
+        }
+
+        if (cpu_has(c, X86_FEATURE_AMD_IBPB))
+                set_cpu_cap(c, X86_FEATURE_IBPB);
+
+        if (cpu_has(c, X86_FEATURE_AMD_STIBP)) {
+                set_cpu_cap(c, X86_FEATURE_STIBP);
+                set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL);
+        }
 }
 
 void get_cpu_cap(struct cpuinfo_x86 *c)
@@ -927,21 +942,47 @@ static const __initconst struct x86_cpu_id cpu_no_meltdown[] = {
         {}
 };
 
-static bool __init cpu_vulnerable_to_meltdown(struct cpuinfo_x86 *c)
+/* Only list CPUs which speculate but are non susceptible to SSB */
+static const __initconst struct x86_cpu_id cpu_no_spec_store_bypass[] = {
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_SILVERMONT1     },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_AIRMONT         },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_SILVERMONT2     },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_ATOM_MERRIFIELD      },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_CORE_YONAH           },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_XEON_PHI_KNL         },
+        { X86_VENDOR_INTEL,     6,      INTEL_FAM6_XEON_PHI_KNM         },
+        { X86_VENDOR_AMD,       0x12,                                   },
+        { X86_VENDOR_AMD,       0x11,                                   },
+        { X86_VENDOR_AMD,       0x10,                                   },
+        { X86_VENDOR_AMD,       0xf,                                    },
+        {}
+};
+
+static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
 {
         u64 ia32_cap = 0;
 
-        if (x86_match_cpu(cpu_no_meltdown))
-                return false;
+        if (x86_match_cpu(cpu_no_speculation))
+                return;
+
+        setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
+        setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
 
         if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES))
                 rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap);
 
+        if (!x86_match_cpu(cpu_no_spec_store_bypass) &&
+           !(ia32_cap & ARCH_CAP_SSB_NO))
+                setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS);
+
+        if (x86_match_cpu(cpu_no_meltdown))
+                return;
+
         /* Rogue Data Cache Load? No! */
         if (ia32_cap & ARCH_CAP_RDCL_NO)
-                return false;
+                return;
 
-        return true;
+        setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
 }
 
 /*
@@ -992,12 +1033,7 @@ static void __init early_identify_cpu(struct cpuinfo_x86 *c)
 
         setup_force_cpu_cap(X86_FEATURE_ALWAYS);
 
-        if (!x86_match_cpu(cpu_no_speculation)) {
-                if (cpu_vulnerable_to_meltdown(c))
-                        setup_force_cpu_bug(X86_BUG_CPU_MELTDOWN);
-                setup_force_cpu_bug(X86_BUG_SPECTRE_V1);
-                setup_force_cpu_bug(X86_BUG_SPECTRE_V2);
-        }
+        cpu_set_bug_bits(c);
 
         fpu__init_system(c);
 
@@ -1359,6 +1395,7 @@ void identify_secondary_cpu(struct cpuinfo_x86 *c)
 #endif
         mtrr_ap_init();
         validate_apic_and_package_id(c);
+        x86_spec_ctrl_setup_ap();
 }
 
 static __init int setup_noclflush(char *arg)
diff --git a/arch/x86/kernel/cpu/cpu.h b/arch/x86/kernel/cpu/cpu.h
index e806b11a99af..37672d299e35 100644
--- a/arch/x86/kernel/cpu/cpu.h
+++ b/arch/x86/kernel/cpu/cpu.h
@@ -50,4 +50,6 @@ extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c);
 
 unsigned int aperfmperf_get_khz(int cpu);
 
+extern void x86_spec_ctrl_setup_ap(void);
+
 #endif /* ARCH_X86_CPU_H */
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index 60d1897041da..577e7f7ae273 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -188,7 +188,10 @@ static void early_init_intel(struct cpuinfo_x86 *c)
                 setup_clear_cpu_cap(X86_FEATURE_IBPB);
                 setup_clear_cpu_cap(X86_FEATURE_STIBP);
                 setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
+                setup_clear_cpu_cap(X86_FEATURE_MSR_SPEC_CTRL);
                 setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
+                setup_clear_cpu_cap(X86_FEATURE_SSBD);
+                setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL_SSBD);
         }
 
         /*
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 03408b942adb..30ca2d1a9231 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -38,6 +38,7 @@
 #include <asm/switch_to.h>
 #include <asm/desc.h>
 #include <asm/prctl.h>
+#include <asm/spec-ctrl.h>
 
 /*
  * per-CPU TSS segments. Threads are completely 'soft' on Linux,
@@ -278,6 +279,148 @@ static inline void switch_to_bitmap(struct tss_struct *tss,
         }
 }
 
+#ifdef CONFIG_SMP
+
+struct ssb_state {
+        struct ssb_state        *shared_state;
+        raw_spinlock_t          lock;
+        unsigned int            disable_state;
+        unsigned long           local_state;
+};
+
+#define LSTATE_SSB      0
+
+static DEFINE_PER_CPU(struct ssb_state, ssb_state);
+
+void speculative_store_bypass_ht_init(void)
+{
+        struct ssb_state *st = this_cpu_ptr(&ssb_state);
+        unsigned int this_cpu = smp_processor_id();
+        unsigned int cpu;
+
+        st->local_state = 0;
+
+        /*
+         * Shared state setup happens once on the first bringup
+         * of the CPU. It's not destroyed on CPU hotunplug.
+         */
+        if (st->shared_state)
+                return;
+
+        raw_spin_lock_init(&st->lock);
+
+        /*
+         * Go over HT siblings and check whether one of them has set up the
+         * shared state pointer already.
+         */
+        for_each_cpu(cpu, topology_sibling_cpumask(this_cpu)) {
+                if (cpu == this_cpu)
+                        continue;
+
+                if (!per_cpu(ssb_state, cpu).shared_state)
+                        continue;
+
+                /* Link it to the state of the sibling: */
+                st->shared_state = per_cpu(ssb_state, cpu).shared_state;
+                return;
+        }
+
+        /*
+         * First HT sibling to come up on the core.  Link shared state of
+         * the first HT sibling to itself. The siblings on the same core
+         * which come up later will see the shared state pointer and link
+         * themself to the state of this CPU.
+         */
+        st->shared_state = st;
+}
+
+/*
+ * Logic is: First HT sibling enables SSBD for both siblings in the core
+ * and last sibling to disable it, disables it for the whole core. This how
+ * MSR_SPEC_CTRL works in "hardware":
+ *
+ *  CORE_SPEC_CTRL = THREAD0_SPEC_CTRL | THREAD1_SPEC_CTRL
+ */
+static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
+{
+        struct ssb_state *st = this_cpu_ptr(&ssb_state);
+        u64 msr = x86_amd_ls_cfg_base;
+
+        if (!static_cpu_has(X86_FEATURE_ZEN)) {
+                msr |= ssbd_tif_to_amd_ls_cfg(tifn);
+                wrmsrl(MSR_AMD64_LS_CFG, msr);
+                return;
+        }
+
+        if (tifn & _TIF_SSBD) {
+                /*
+                 * Since this can race with prctl(), block reentry on the
+                 * same CPU.
+                 */
+                if (__test_and_set_bit(LSTATE_SSB, &st->local_state))
+                        return;
+
+                msr |= x86_amd_ls_cfg_ssbd_mask;
+
+                raw_spin_lock(&st->shared_state->lock);
+                /* First sibling enables SSBD: */
+                if (!st->shared_state->disable_state)
+                        wrmsrl(MSR_AMD64_LS_CFG, msr);
+                st->shared_state->disable_state++;
+                raw_spin_unlock(&st->shared_state->lock);
+        } else {
+                if (!__test_and_clear_bit(LSTATE_SSB, &st->local_state))
+                        return;
+
+                raw_spin_lock(&st->shared_state->lock);
+                st->shared_state->disable_state--;
+                if (!st->shared_state->disable_state)
+                        wrmsrl(MSR_AMD64_LS_CFG, msr);
+                raw_spin_unlock(&st->shared_state->lock);
+        }
+}
+#else
+static __always_inline void amd_set_core_ssb_state(unsigned long tifn)
+{
+        u64 msr = x86_amd_ls_cfg_base | ssbd_tif_to_amd_ls_cfg(tifn);
+
+        wrmsrl(MSR_AMD64_LS_CFG, msr);
+}
+#endif
+
+static __always_inline void amd_set_ssb_virt_state(unsigned long tifn)
+{
+        /*
+         * SSBD has the same definition in SPEC_CTRL and VIRT_SPEC_CTRL,
+         * so ssbd_tif_to_spec_ctrl() just works.
+         */
+        wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn));
+}
+
+static __always_inline void intel_set_ssb_state(unsigned long tifn)
+{
+        u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
+
+        wrmsrl(MSR_IA32_SPEC_CTRL, msr);
+}
+
+static __always_inline void __speculative_store_bypass_update(unsigned long tifn)
+{
+        if (static_cpu_has(X86_FEATURE_VIRT_SSBD))
+                amd_set_ssb_virt_state(tifn);
+        else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
+                amd_set_core_ssb_state(tifn);
+        else
+                intel_set_ssb_state(tifn);
+}
+
+void speculative_store_bypass_update(unsigned long tif)
+{
+        preempt_disable();
+        __speculative_store_bypass_update(tif);
+        preempt_enable();
+}
+
 void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
                       struct tss_struct *tss)
 {
@@ -309,6 +452,9 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
 
         if ((tifp ^ tifn) & _TIF_NOCPUID)
                 set_cpuid_faulting(!!(tifn & _TIF_NOCPUID));
+
+        if ((tifp ^ tifn) & _TIF_SSBD)
+                __speculative_store_bypass_update(tifn);
 }
 
 /*
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
index 0f1cbb042f49..9dd324ae4832 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -79,6 +79,7 @@
 #include <asm/qspinlock.h>
 #include <asm/intel-family.h>
 #include <asm/cpu_device_id.h>
+#include <asm/spec-ctrl.h>
 
 /* Number of siblings per CPU package */
 int smp_num_siblings = 1;
@@ -244,6 +245,8 @@ static void notrace start_secondary(void *unused)
          */
         check_tsc_sync_target();
 
+        speculative_store_bypass_ht_init();
+
         /*
          * Lock vector_lock, set CPU online and bring the vector
          * allocator online. Online must be set with vector_lock held
@@ -1292,6 +1295,8 @@ void __init native_smp_prepare_cpus(unsigned int max_cpus)
         set_mtrr_aps_delayed_init();
 
         smp_quirk_init_udelay();
+
+        speculative_store_bypass_ht_init();
 }
 
 void arch_enable_nonboot_cpus_begin(void)
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 82055b90a8b3..92bf2f2e7cdd 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -379,7 +379,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
 
         /* cpuid 0x80000008.ebx */
         const u32 kvm_cpuid_8000_0008_ebx_x86_features =
-                F(IBPB) | F(IBRS);
+                F(AMD_IBPB) | F(AMD_IBRS) | F(VIRT_SSBD);
 
         /* cpuid 0xC0000001.edx */
         const u32 kvm_cpuid_C000_0001_edx_x86_features =
@@ -408,7 +408,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
         /* cpuid 7.0.edx*/
         const u32 kvm_cpuid_7_0_edx_x86_features =
                 F(AVX512_4VNNIW) | F(AVX512_4FMAPS) | F(SPEC_CTRL) |
-                F(ARCH_CAPABILITIES);
+                F(SPEC_CTRL_SSBD) | F(ARCH_CAPABILITIES);
 
         /* all calls to cpuid_count() should be made on the same cpu */
         get_cpu();
@@ -495,6 +495,11 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                                 entry->ecx &= ~F(PKU);
                         entry->edx &= kvm_cpuid_7_0_edx_x86_features;
                         cpuid_mask(&entry->edx, CPUID_7_EDX);
+                        /*
+                         * We emulate ARCH_CAPABILITIES in software even
+                         * if the host doesn't support it.
+                         */
+                        entry->edx |= F(ARCH_CAPABILITIES);
                 } else {
                         entry->ebx = 0;
                         entry->ecx = 0;
@@ -647,13 +652,20 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                         g_phys_as = phys_as;
                 entry->eax = g_phys_as | (virt_as << 8);
                 entry->edx = 0;
-                /* IBRS and IBPB aren't necessarily present in hardware cpuid */
-                if (boot_cpu_has(X86_FEATURE_IBPB))
-                        entry->ebx |= F(IBPB);
-                if (boot_cpu_has(X86_FEATURE_IBRS))
-                        entry->ebx |= F(IBRS);
+                /*
+                 * IBRS, IBPB and VIRT_SSBD aren't necessarily present in
+                 * hardware cpuid
+                 */
+                if (boot_cpu_has(X86_FEATURE_AMD_IBPB))
+                        entry->ebx |= F(AMD_IBPB);
+                if (boot_cpu_has(X86_FEATURE_AMD_IBRS))
+                        entry->ebx |= F(AMD_IBRS);
+                if (boot_cpu_has(X86_FEATURE_VIRT_SSBD))
+                        entry->ebx |= F(VIRT_SSBD);
                 entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
                 cpuid_mask(&entry->ebx, CPUID_8000_0008_EBX);
+                if (boot_cpu_has(X86_FEATURE_LS_CFG_SSBD))
+                        entry->ebx |= F(VIRT_SSBD);
                 break;
         }
         case 0x80000019:
diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
index 5708e951a5c6..46ff64da44ca 100644
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -1260,14 +1260,18 @@ static void kvm_hv_hypercall_set_result(struct kvm_vcpu *vcpu, u64 result)
         }
 }
 
-static int kvm_hv_hypercall_complete_userspace(struct kvm_vcpu *vcpu)
+static int kvm_hv_hypercall_complete(struct kvm_vcpu *vcpu, u64 result)
 {
-        struct kvm_run *run = vcpu->run;
-
-        kvm_hv_hypercall_set_result(vcpu, run->hyperv.u.hcall.result);
+        kvm_hv_hypercall_set_result(vcpu, result);
+        ++vcpu->stat.hypercalls;
         return kvm_skip_emulated_instruction(vcpu);
 }
 
+static int kvm_hv_hypercall_complete_userspace(struct kvm_vcpu *vcpu)
+{
+        return kvm_hv_hypercall_complete(vcpu, vcpu->run->hyperv.u.hcall.result);
+}
+
 static u16 kvm_hvcall_signal_event(struct kvm_vcpu *vcpu, bool fast, u64 param)
 {
         struct eventfd_ctx *eventfd;
@@ -1350,7 +1354,7 @@ int kvm_hv_hypercall(struct kvm_vcpu *vcpu)
         /* Hypercall continuation is not supported yet */
         if (rep_cnt || rep_idx) {
                 ret = HV_STATUS_INVALID_HYPERCALL_CODE;
-                goto set_result;
+                goto out;
         }
 
         switch (code) {
@@ -1381,9 +1385,8 @@ int kvm_hv_hypercall(struct kvm_vcpu *vcpu)
                 break;
         }
 
-set_result:
-        kvm_hv_hypercall_set_result(vcpu, ret);
-        return 1;
+out:
+        return kvm_hv_hypercall_complete(vcpu, ret);
 }
 
 void kvm_hv_init_vm(struct kvm *kvm)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index b74c9c1405b9..3773c4625114 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1522,11 +1522,23 @@ static bool set_target_expiration(struct kvm_lapic *apic)
 
 static void advance_periodic_target_expiration(struct kvm_lapic *apic)
 {
-        apic->lapic_timer.tscdeadline +=
-                nsec_to_cycles(apic->vcpu, apic->lapic_timer.period);
+        ktime_t now = ktime_get();
+        u64 tscl = rdtsc();
+        ktime_t delta;
+
+        /*
+         * Synchronize both deadlines to the same time source or
+         * differences in the periods (caused by differences in the
+         * underlying clocks or numerical approximation errors) will
+         * cause the two to drift apart over time as the errors
+         * accumulate.
+         */
         apic->lapic_timer.target_expiration =
                 ktime_add_ns(apic->lapic_timer.target_expiration,
                                 apic->lapic_timer.period);
+        delta = ktime_sub(apic->lapic_timer.target_expiration, now);
+        apic->lapic_timer.tscdeadline = kvm_read_l1_tsc(apic->vcpu, tscl) +
+                nsec_to_cycles(apic->vcpu, delta);
 }
 
 static void start_sw_period(struct kvm_lapic *apic)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 1fc05e428aba..26110c202b19 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -49,7 +49,7 @@
 #include <asm/debugreg.h>
 #include <asm/kvm_para.h>
 #include <asm/irq_remapping.h>
-#include <asm/nospec-branch.h>
+#include <asm/spec-ctrl.h>
 
 #include <asm/virtext.h>
 #include "trace.h"
@@ -213,6 +213,12 @@ struct vcpu_svm {
         } host;
 
         u64 spec_ctrl;
+        /*
+         * Contains guest-controlled bits of VIRT_SPEC_CTRL, which will be
+         * translated into the appropriate L2_CFG bits on the host to
+         * perform speculative control.
+         */
+        u64 virt_spec_ctrl;
 
         u32 *msrpm;
 
@@ -2060,6 +2066,7 @@ static void svm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
 
         vcpu->arch.microcode_version = 0x01000065;
         svm->spec_ctrl = 0;
+        svm->virt_spec_ctrl = 0;
 
         if (!init_event) {
                 svm->vcpu.arch.apic_base = APIC_DEFAULT_PHYS_BASE |
@@ -4108,11 +4115,18 @@ static int svm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
                 break;
         case MSR_IA32_SPEC_CTRL:
                 if (!msr_info->host_initiated &&
-                    !guest_cpuid_has(vcpu, X86_FEATURE_IBRS))
+                    !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS))
                         return 1;
 
                 msr_info->data = svm->spec_ctrl;
                 break;
+        case MSR_AMD64_VIRT_SPEC_CTRL:
+                if (!msr_info->host_initiated &&
+                    !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD))
+                        return 1;
+
+                msr_info->data = svm->virt_spec_ctrl;
+                break;
         case MSR_F15H_IC_CFG: {
 
                 int family, model;
@@ -4203,7 +4217,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
                 break;
         case MSR_IA32_SPEC_CTRL:
                 if (!msr->host_initiated &&
-                    !guest_cpuid_has(vcpu, X86_FEATURE_IBRS))
+                    !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS))
                         return 1;
 
                 /* The STIBP bit doesn't fault even if it's not advertised */
@@ -4230,7 +4244,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
                 break;
         case MSR_IA32_PRED_CMD:
                 if (!msr->host_initiated &&
-                    !guest_cpuid_has(vcpu, X86_FEATURE_IBPB))
+                    !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBPB))
                         return 1;
 
                 if (data & ~PRED_CMD_IBPB)
@@ -4244,6 +4258,16 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
                         break;
                 set_msr_interception(svm->msrpm, MSR_IA32_PRED_CMD, 0, 1);
                 break;
+        case MSR_AMD64_VIRT_SPEC_CTRL:
+                if (!msr->host_initiated &&
+                    !guest_cpuid_has(vcpu, X86_FEATURE_VIRT_SSBD))
+                        return 1;
+
+                if (data & ~SPEC_CTRL_SSBD)
+                        return 1;
+
+                svm->virt_spec_ctrl = data;
+                break;
         case MSR_STAR:
                 svm->vmcb->save.star = data;
                 break;
@@ -5557,8 +5581,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
          * is no need to worry about the conditional branch over the wrmsr
          * being speculatively taken.
          */
-        if (svm->spec_ctrl)
-                native_wrmsrl(MSR_IA32_SPEC_CTRL, svm->spec_ctrl);
+        x86_spec_ctrl_set_guest(svm->spec_ctrl, svm->virt_spec_ctrl);
 
         asm volatile (
                 "push %%" _ASM_BP "; \n\t"
@@ -5652,6 +5675,18 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
 #endif
                 );
 
+        /* Eliminate branch target predictions from guest mode */
+        vmexit_fill_RSB();
+
+#ifdef CONFIG_X86_64
+        wrmsrl(MSR_GS_BASE, svm->host.gs_base);
+#else
+        loadsegment(fs, svm->host.fs);
+#ifndef CONFIG_X86_32_LAZY_GS
+        loadsegment(gs, svm->host.gs);
+#endif
+#endif
+
         /*
          * We do not use IBRS in the kernel. If this vCPU has used the
          * SPEC_CTRL MSR it may have left it on; save the value and
@@ -5670,20 +5705,7 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
         if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
                 svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
 
-        if (svm->spec_ctrl)
-                native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
-
-        /* Eliminate branch target predictions from guest mode */
-        vmexit_fill_RSB();
-
-#ifdef CONFIG_X86_64
-        wrmsrl(MSR_GS_BASE, svm->host.gs_base);
-#else
-        loadsegment(fs, svm->host.fs);
-#ifndef CONFIG_X86_32_LAZY_GS
-        loadsegment(gs, svm->host.gs);
-#endif
-#endif
+        x86_spec_ctrl_restore_host(svm->spec_ctrl, svm->virt_spec_ctrl);
 
         reload_tss(vcpu);
 
@@ -5786,7 +5808,7 @@ static bool svm_cpu_has_accelerated_tpr(void)
         return false;
 }
 
-static bool svm_has_high_real_mode_segbase(void)
+static bool svm_has_emulated_msr(int index)
 {
         return true;
 }
@@ -7012,7 +7034,7 @@ static struct kvm_x86_ops svm_x86_ops __ro_after_init = {
         .hardware_enable = svm_hardware_enable,
         .hardware_disable = svm_hardware_disable,
         .cpu_has_accelerated_tpr = svm_cpu_has_accelerated_tpr,
-        .cpu_has_high_real_mode_segbase = svm_has_high_real_mode_segbase,
+        .has_emulated_msr = svm_has_emulated_msr,
 
         .vcpu_create = svm_create_vcpu,
         .vcpu_free = svm_free_vcpu,
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 3f1696570b41..40aa29204baf 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -51,7 +51,7 @@
 #include <asm/apic.h>
 #include <asm/irq_remapping.h>
 #include <asm/mmu_context.h>
-#include <asm/nospec-branch.h>
+#include <asm/spec-ctrl.h>
 #include <asm/mshyperv.h>
 
 #include "trace.h"
@@ -3529,7 +3529,6 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
                 return kvm_get_msr_common(vcpu, msr_info);
         case MSR_IA32_SPEC_CTRL:
                 if (!msr_info->host_initiated &&
-                    !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
                     !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
                         return 1;
 
@@ -3648,12 +3647,11 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
                 break;
         case MSR_IA32_SPEC_CTRL:
                 if (!msr_info->host_initiated &&
-                    !guest_cpuid_has(vcpu, X86_FEATURE_IBRS) &&
                     !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
                         return 1;
 
                 /* The STIBP bit doesn't fault even if it's not advertised */
-                if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP))
+                if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD))
                         return 1;
 
                 vmx->spec_ctrl = data;
@@ -3679,7 +3677,6 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
                 break;
         case MSR_IA32_PRED_CMD:
                 if (!msr_info->host_initiated &&
-                    !guest_cpuid_has(vcpu, X86_FEATURE_IBPB) &&
                     !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
                         return 1;
 
@@ -9488,9 +9485,21 @@ static void vmx_handle_external_intr(struct kvm_vcpu *vcpu)
 }
 STACK_FRAME_NON_STANDARD(vmx_handle_external_intr);
 
-static bool vmx_has_high_real_mode_segbase(void)
+static bool vmx_has_emulated_msr(int index)
 {
-        return enable_unrestricted_guest || emulate_invalid_guest_state;
+        switch (index) {
+        case MSR_IA32_SMBASE:
+                /*
+                 * We cannot do SMM unless we can run the guest in big
+                 * real mode.
+                 */
+                return enable_unrestricted_guest || emulate_invalid_guest_state;
+        case MSR_AMD64_VIRT_SPEC_CTRL:
+                /* This is AMD only.  */
+                return false;
+        default:
+                return true;
+        }
 }
 
 static bool vmx_mpx_supported(void)
@@ -9722,8 +9731,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
          * is no need to worry about the conditional branch over the wrmsr
          * being speculatively taken.
          */
-        if (vmx->spec_ctrl)
-                native_wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
+        x86_spec_ctrl_set_guest(vmx->spec_ctrl, 0);
 
         vmx->__launched = vmx->loaded_vmcs->launched;
 
@@ -9871,8 +9879,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
         if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
                 vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
 
-        if (vmx->spec_ctrl)
-                native_wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+        x86_spec_ctrl_restore_host(vmx->spec_ctrl, 0);
 
         /* Eliminate branch target predictions from guest mode */
         vmexit_fill_RSB();
@@ -12632,7 +12639,7 @@ static struct kvm_x86_ops vmx_x86_ops __ro_after_init = {
         .hardware_enable = hardware_enable,
         .hardware_disable = hardware_disable,
         .cpu_has_accelerated_tpr = report_flexpriority,
-        .cpu_has_high_real_mode_segbase = vmx_has_high_real_mode_segbase,
+        .has_emulated_msr = vmx_has_emulated_msr,
 
         .vm_init = vmx_vm_init,
         .vm_alloc = vmx_vm_alloc,
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 59371de5d722..71e7cda6d014 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1061,6 +1061,7 @@ static u32 emulated_msrs[] = {
         MSR_SMI_COUNT,
         MSR_PLATFORM_INFO,
         MSR_MISC_FEATURES_ENABLES,
+        MSR_AMD64_VIRT_SPEC_CTRL,
 };
 
 static unsigned num_emulated_msrs;
@@ -2906,7 +2907,7 @@ int kvm_vm_ioctl_check_extension(struct kvm *kvm, long ext)
                  * fringe case that is not enabled except via specific settings
                  * of the module parameters.
                  */
-                r = kvm_x86_ops->cpu_has_high_real_mode_segbase();
+                r = kvm_x86_ops->has_emulated_msr(MSR_IA32_SMBASE);
                 break;
         case KVM_CAP_VAPIC:
                 r = !kvm_x86_ops->cpu_has_accelerated_tpr();
@@ -4606,14 +4607,8 @@ static void kvm_init_msr_list(void)
         num_msrs_to_save = j;
 
         for (i = j = 0; i < ARRAY_SIZE(emulated_msrs); i++) {
-                switch (emulated_msrs[i]) {
-                case MSR_IA32_SMBASE:
-                        if (!kvm_x86_ops->cpu_has_high_real_mode_segbase())
-                                continue;
-                        break;
-                default:
-                        break;
-                }
+                if (!kvm_x86_ops->has_emulated_msr(emulated_msrs[i]))
+                        continue;
 
                 if (j < i)
                         emulated_msrs[j] = emulated_msrs[i];
@@ -6676,11 +6671,8 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
         unsigned long nr, a0, a1, a2, a3, ret;
         int op_64_bit;
 
-        if (kvm_hv_hypercall_enabled(vcpu->kvm)) {
-                if (!kvm_hv_hypercall(vcpu))
-                        return 0;
-                goto out;
-        }
+        if (kvm_hv_hypercall_enabled(vcpu->kvm))
+                return kvm_hv_hypercall(vcpu);
 
         nr = kvm_register_read(vcpu, VCPU_REGS_RAX);
         a0 = kvm_register_read(vcpu, VCPU_REGS_RBX);
@@ -6701,7 +6693,7 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
 
         if (kvm_x86_ops->get_cpl(vcpu) != 0) {
                 ret = -KVM_EPERM;
-                goto out_error;
+                goto out;
         }
 
         switch (nr) {
@@ -6721,12 +6713,11 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
                 ret = -KVM_ENOSYS;
                 break;
         }
-out_error:
+out:
         if (!op_64_bit)
                 ret = (u32)ret;
         kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
 
-out:
         ++vcpu->stat.hypercalls;
         return kvm_skip_emulated_instruction(vcpu);
 }
@@ -7985,6 +7976,7 @@ static int __set_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
 {
         struct msr_data apic_base_msr;
         int mmu_reset_needed = 0;
+        int cpuid_update_needed = 0;
         int pending_vec, max_bits, idx;
         struct desc_ptr dt;
         int ret = -EINVAL;
@@ -8023,8 +8015,10 @@ static int __set_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs)
         vcpu->arch.cr0 = sregs->cr0;
 
         mmu_reset_needed |= kvm_read_cr4(vcpu) != sregs->cr4;
+        cpuid_update_needed |= ((kvm_read_cr4(vcpu) ^ sregs->cr4) &
+                                (X86_CR4_OSXSAVE | X86_CR4_PKE));
         kvm_x86_ops->set_cr4(vcpu, sregs->cr4);
-        if (sregs->cr4 & (X86_CR4_OSXSAVE | X86_CR4_PKE))
+        if (cpuid_update_needed)
                 kvm_update_cpuid(vcpu);
 
         idx = srcu_read_lock(&vcpu->kvm->srcu);
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index 6389c88b3500..738fb22978dd 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -334,6 +334,7 @@ static const struct pci_device_id ahci_pci_tbl[] = {
         { PCI_VDEVICE(INTEL, 0x9c07), board_ahci_mobile }, /* Lynx LP RAID */
         { PCI_VDEVICE(INTEL, 0x9c0e), board_ahci_mobile }, /* Lynx LP RAID */
         { PCI_VDEVICE(INTEL, 0x9c0f), board_ahci_mobile }, /* Lynx LP RAID */
+        { PCI_VDEVICE(INTEL, 0x9dd3), board_ahci_mobile }, /* Cannon Lake PCH-LP AHCI */
         { PCI_VDEVICE(INTEL, 0x1f22), board_ahci }, /* Avoton AHCI */
         { PCI_VDEVICE(INTEL, 0x1f23), board_ahci }, /* Avoton AHCI */
         { PCI_VDEVICE(INTEL, 0x1f24), board_ahci }, /* Avoton RAID */
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 68596bd4cf06..346b163f6e89 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4493,6 +4493,10 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
         /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */
         { "C300-CTFDDAC128MAG", "0001",         ATA_HORKAGE_NONCQ, },
 
+        /* Some Sandisk SSDs lock up hard with NCQ enabled.  Reported on
+           SD7SN6S256G and SD8SN8U256G */
+        { "SanDisk SD[78]SN*G", NULL,           ATA_HORKAGE_NONCQ, },
+
         /* devices which puke on READ_NATIVE_MAX */
         { "HDS724040KLSA80",    "KFAOA20N",     ATA_HORKAGE_BROKEN_HPA, },
         { "WDC WD3200JD-00KLB0", "WD-WCAMR1130137", ATA_HORKAGE_BROKEN_HPA },
@@ -4549,13 +4553,16 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
                                                 ATA_HORKAGE_ZERO_AFTER_TRIM |
                                                 ATA_HORKAGE_NOLPM, },
 
-        /* This specific Samsung model/firmware-rev does not handle LPM well */
+        /* These specific Samsung models/firmware-revs do not handle LPM well */
         { "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
+        { "SAMSUNG SSD PM830 mSATA *",  "CXM13D1Q", ATA_HORKAGE_NOLPM, },
 
         /* Sandisk devices which are known to not handle LPM well */
         { "SanDisk SD7UB3Q*G1001",      NULL,   ATA_HORKAGE_NOLPM, },
 
         /* devices that don't properly handle queued TRIM commands */
+        { "Micron_M500IT_*",            "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
+                                                ATA_HORKAGE_ZERO_AFTER_TRIM, },
         { "Micron_M500_*",              NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
                                                 ATA_HORKAGE_ZERO_AFTER_TRIM, },
         { "Crucial_CT*M500*",           NULL,   ATA_HORKAGE_NO_NCQ_TRIM |
diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
index 2da998baa75c..30cc9c877ebb 100644
--- a/drivers/base/cpu.c
+++ b/drivers/base/cpu.c
@@ -534,14 +534,22 @@ ssize_t __weak cpu_show_spectre_v2(struct device *dev,
         return sprintf(buf, "Not affected\n");
 }
 
+ssize_t __weak cpu_show_spec_store_bypass(struct device *dev,
+                                          struct device_attribute *attr, char *buf)
+{
+        return sprintf(buf, "Not affected\n");
+}
+
 static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
 static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
 static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL);
 
 static struct attribute *cpu_root_vulnerabilities_attrs[] = {
         &dev_attr_meltdown.attr,
         &dev_attr_spectre_v1.attr,
         &dev_attr_spectre_v2.attr,
+        &dev_attr_spec_store_bypass.attr,
         NULL
 };
 
diff --git a/drivers/base/node.c b/drivers/base/node.c
index 7a3a580821e0..a5e821d09656 100644
--- a/drivers/base/node.c
+++ b/drivers/base/node.c
@@ -490,7 +490,8 @@ int unregister_mem_sect_under_nodes(struct memory_block *mem_blk,
         return 0;
 }
 
-int link_mem_sections(int nid, unsigned long start_pfn, unsigned long nr_pages)
+int link_mem_sections(int nid, unsigned long start_pfn, unsigned long nr_pages,
+                      bool check_nid)
 {
         unsigned long end_pfn = start_pfn + nr_pages;
         unsigned long pfn;
@@ -514,7 +515,7 @@ int link_mem_sections(int nid, unsigned long start_pfn, unsigned long nr_pages)
 
                 mem_blk = find_memory_block_hinted(mem_sect, mem_blk);
 
-                ret = register_mem_sect_under_node(mem_blk, nid, true);
+                ret = register_mem_sect_under_node(mem_blk, nid, check_nid);
                 if (!err)
                         err = ret;
 
diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 02a497e7c785..e5e067091572 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -1923,10 +1923,8 @@ static int device_prepare(struct device *dev, pm_message_t state)
 
         dev->power.wakeup_path = false;
 
-        if (dev->power.no_pm_callbacks) {
-                ret = 1;        /* Let device go direct_complete */
+        if (dev->power.no_pm_callbacks)
                 goto unlock;
-        }
 
         if (dev->pm_domain)
                 callback = dev->pm_domain->ops.prepare;
@@ -1960,7 +1958,8 @@ unlock:
          */
         spin_lock_irq(&dev->power.lock);
         dev->power.direct_complete = state.event == PM_EVENT_SUSPEND &&
-                pm_runtime_suspended(dev) && ret > 0 &&
+                ((pm_runtime_suspended(dev) && ret > 0) ||
+                 dev->power.no_pm_callbacks) &&
                 !dev_pm_test_driver_flags(dev, DPM_FLAG_NEVER_SKIP);
         spin_unlock_irq(&dev->power.lock);
         return 0;
diff --git a/drivers/bcma/driver_mips.c b/drivers/bcma/driver_mips.c
index f040aba48d50..27e9686b6d3a 100644
--- a/drivers/bcma/driver_mips.c
+++ b/drivers/bcma/driver_mips.c
@@ -184,7 +184,7 @@ static void bcma_core_mips_print_irq(struct bcma_device *dev, unsigned int irq)
 {
         int i;
         static const char *irq_name[] = {"2(S)", "3", "4", "5", "6", "D", "I"};
-        char interrupts[20];
+        char interrupts[25];
         char *ints = interrupts;
 
         for (i = 0; i < ARRAY_SIZE(irq_name); i++)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 5d4e31655d96..55cf554bc914 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1068,6 +1068,7 @@ static int loop_clr_fd(struct loop_device *lo)
         if (bdev) {
                 bdput(bdev);
                 invalidate_bdev(bdev);
+                bdev->bd_inode->i_mapping->wb_err = 0;
         }
         set_capacity(lo->lo_disk, 0);
         loop_sysfs_exit(lo);
diff --git a/drivers/firmware/qcom_scm-32.c b/drivers/firmware/qcom_scm-32.c
index dfbd894d5bb7..4e24e591ae74 100644
--- a/drivers/firmware/qcom_scm-32.c
+++ b/drivers/firmware/qcom_scm-32.c
@@ -147,7 +147,7 @@ static u32 smc(u32 cmd_addr)
                         "smc    #0      @ switch to secure world\n"
                         : "=r" (r0)
                         : "r" (r0), "r" (r1), "r" (r2)
-                        : "r3");
+                        : "r3", "r12");
         } while (r0 == QCOM_SCM_INTERRUPTED);
 
         return r0;
@@ -263,7 +263,7 @@ static s32 qcom_scm_call_atomic1(u32 svc, u32 cmd, u32 arg1)
                         "smc    #0      @ switch to secure world\n"
                         : "=r" (r0)
                         : "r" (r0), "r" (r1), "r" (r2)
-                        : "r3");
+                        : "r3", "r12");
         return r0;
 }
 
@@ -298,7 +298,7 @@ static s32 qcom_scm_call_atomic2(u32 svc, u32 cmd, u32 arg1, u32 arg2)
                         "smc    #0      @ switch to secure world\n"
                         : "=r" (r0)
                         : "r" (r0), "r" (r1), "r" (r2), "r" (r3)
-                        );
+                        : "r12");
         return r0;
 }
 
@@ -328,7 +328,7 @@ u32 qcom_scm_get_version(void)
                         "smc    #0      @ switch to secure world\n"
                         : "=r" (r0), "=r" (r1)
                         : "r" (r0), "r" (r1)
-                        : "r2", "r3");
+                        : "r2", "r3", "r12");
         } while (r0 == QCOM_SCM_INTERRUPTED);
 
         version = r1;
diff --git a/drivers/gpu/drm/rcar-du/rcar_lvds.c b/drivers/gpu/drm/rcar-du/rcar_lvds.c
index 3d2d3bbd1342..155ad840f3c5 100644
--- a/drivers/gpu/drm/rcar-du/rcar_lvds.c
+++ b/drivers/gpu/drm/rcar-du/rcar_lvds.c
@@ -88,6 +88,9 @@ static int rcar_lvds_connector_atomic_check(struct drm_connector *connector,
         const struct drm_display_mode *panel_mode;
         struct drm_crtc_state *crtc_state;
 
+        if (!state->crtc)
+                return 0;
+
         if (list_empty(&connector->modes)) {
                 dev_dbg(lvds->dev, "connector: empty modes list\n");
                 return -EINVAL;
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
index 70e1a8820a7c..8b770a8e02cd 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
@@ -1278,8 +1278,6 @@ static void vmw_master_drop(struct drm_device *dev,
         dev_priv->active_master = &dev_priv->fbdev_master;
         ttm_lock_set_kill(&dev_priv->fbdev_master.lock, false, SIGTERM);
         ttm_vt_unlock(&dev_priv->fbdev_master.lock);
-
-        vmw_fb_refresh(dev_priv);
 }
 
 /**
@@ -1483,7 +1481,6 @@ static int vmw_pm_freeze(struct device *kdev)
                         vmw_kms_resume(dev);
                 if (dev_priv->enable_fb)
                         vmw_fb_on(dev_priv);
-                vmw_fb_refresh(dev_priv);
                 return -EBUSY;
         }
 
@@ -1523,8 +1520,6 @@ static int vmw_pm_restore(struct device *kdev)
         if (dev_priv->enable_fb)
                 vmw_fb_on(dev_priv);
 
-        vmw_fb_refresh(dev_priv);
-
         return 0;
 }
 
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
index f34f368c1a2e..5fcbe1620d50 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
@@ -910,7 +910,6 @@ int vmw_fb_init(struct vmw_private *vmw_priv);
 int vmw_fb_close(struct vmw_private *dev_priv);
 int vmw_fb_off(struct vmw_private *vmw_priv);
 int vmw_fb_on(struct vmw_private *vmw_priv);
-void vmw_fb_refresh(struct vmw_private *vmw_priv);
 
 /**
  * Kernel modesetting - vmwgfx_kms.c
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
index ba0cdb743c3e..54e300365a5c 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
@@ -866,21 +866,13 @@ int vmw_fb_on(struct vmw_private *vmw_priv)
         spin_lock_irqsave(&par->dirty.lock, flags);
         par->dirty.active = true;
         spin_unlock_irqrestore(&par->dirty.lock, flags);
- 
-        return 0;
-}
 
-/**
- * vmw_fb_refresh - Refresh fb display
- *
- * @vmw_priv: Pointer to device private
- *
- * Call into kms to show the fbdev display(s).
- */
-void vmw_fb_refresh(struct vmw_private *vmw_priv)
-{
-        if (!vmw_priv->fb_info)
-                return;
+        /*
+         * Need to reschedule a dirty update, because otherwise that's
+         * only done in dirty_mark() if the previous coalesced
+         * dirty region was empty.
+         */
+        schedule_delayed_work(&par->local_work, 0);
 
-        vmw_fb_set_par(vmw_priv->fb_info);
+        return 0;
 }
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
index cdff99211602..21d746bdc922 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
@@ -329,8 +329,6 @@ int vmw_host_get_guestinfo(const char *guest_info_param,
         struct rpc_channel channel;
         char *msg, *reply = NULL;
         size_t reply_len = 0;
-        int ret = 0;
-
 
         if (!vmw_msg_enabled)
                 return -ENODEV;
@@ -344,15 +342,14 @@ int vmw_host_get_guestinfo(const char *guest_info_param,
                 return -ENOMEM;
         }
 
-        if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM) ||
-            vmw_send_msg(&channel, msg) ||
-            vmw_recv_msg(&channel, (void *) &reply, &reply_len) ||
-            vmw_close_channel(&channel)) {
-                DRM_ERROR("Failed to get %s", guest_info_param);
+        if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM))
+                goto out_open;
 
-                ret = -EINVAL;
-        }
+        if (vmw_send_msg(&channel, msg) ||
+            vmw_recv_msg(&channel, (void *) &reply, &reply_len))
+                goto out_msg;
 
+        vmw_close_channel(&channel);
         if (buffer && reply && reply_len > 0) {
                 /* Remove reply code, which are the first 2 characters of
                  * the reply
@@ -369,7 +366,17 @@ int vmw_host_get_guestinfo(const char *guest_info_param,
         kfree(reply);
         kfree(msg);
 
-        return ret;
+        return 0;
+
+out_msg:
+        vmw_close_channel(&channel);
+        kfree(reply);
+out_open:
+        *length = 0;
+        kfree(msg);
+        DRM_ERROR("Failed to get %s", guest_info_param);
+
+        return -EINVAL;
 }
 
 
@@ -400,15 +407,22 @@ int vmw_host_log(const char *log)
                 return -ENOMEM;
         }
 
-        if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM) ||
-            vmw_send_msg(&channel, msg) ||
-            vmw_close_channel(&channel)) {
-                DRM_ERROR("Failed to send log\n");
+        if (vmw_open_channel(&channel, RPCI_PROTOCOL_NUM))
+                goto out_open;
 
-                ret = -EINVAL;
-        }
+        if (vmw_send_msg(&channel, msg))
+                goto out_msg;
 
+        vmw_close_channel(&channel);
         kfree(msg);
 
-        return ret;
+        return 0;
+
+out_msg:
+        vmw_close_channel(&channel);
+out_open:
+        kfree(msg);
+        DRM_ERROR("Failed to send log\n");
+
+        return -EINVAL;
 }
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.h b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.h
index 557a033fb610..8545488aa0cf 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.h
@@ -135,17 +135,24 @@
 
 #else
 
-/* In the 32-bit version of this macro, we use "m" because there is no
- * more register left for bp
+/*
+ * In the 32-bit version of this macro, we store bp in a memory location
+ * because we've ran out of registers.
+ * Now we can't reference that memory location while we've modified
+ * %esp or %ebp, so we first push it on the stack, just before we push
+ * %ebp, and then when we need it we read it from the stack where we
+ * just pushed it.
  */
 #define VMW_PORT_HB_OUT(cmd, in_ecx, in_si, in_di,      \
                         port_num, magic, bp,            \
                         eax, ebx, ecx, edx, si, di)     \
 ({                                                      \
-        asm volatile ("push %%ebp;"                     \
-                "mov %12, %%ebp;"                       \
+        asm volatile ("push %12;"                       \
+                "push %%ebp;"                           \
+                "mov 0x04(%%esp), %%ebp;"               \
                 "rep outsb;"                            \
-                "pop %%ebp;" :                          \
+                "pop %%ebp;"                            \
+                "add $0x04, %%esp;" :                   \
                 "=a"(eax),                              \
                 "=b"(ebx),                              \
                 "=c"(ecx),                              \
@@ -167,10 +174,12 @@
                        port_num, magic, bp,             \
                        eax, ebx, ecx, edx, si, di)      \
 ({                                                      \
-        asm volatile ("push %%ebp;"                     \
-                "mov %12, %%ebp;"                       \
+        asm volatile ("push %12;"                       \
+                "push %%ebp;"                           \
+                "mov 0x04(%%esp), %%ebp;"               \
                 "rep insb;"                             \
-                "pop %%ebp" :                           \
+                "pop %%ebp;"                            \
+                "add $0x04, %%esp;" :                   \
                 "=a"(eax),                              \
                 "=b"(ebx),                              \
                 "=c"(ecx),                              \
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 9a4e899d94b3..2b6c9b516070 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -119,7 +119,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
         umem->length     = size;
         umem->address    = addr;
         umem->page_shift = PAGE_SHIFT;
-        umem->pid        = get_task_pid(current, PIDTYPE_PID);
         /*
          * We ask for writable memory if any of the following
          * access flags are set.  "Local write" and "remote write"
@@ -132,7 +131,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
                  IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND));
 
         if (access & IB_ACCESS_ON_DEMAND) {
-                put_pid(umem->pid);
                 ret = ib_umem_odp_get(context, umem, access);
                 if (ret) {
                         kfree(umem);
@@ -148,7 +146,6 @@ struct ib_umem *ib_umem_get(struct ib_ucontext *context, unsigned long addr,
 
         page_list = (struct page **) __get_free_page(GFP_KERNEL);
         if (!page_list) {
-                put_pid(umem->pid);
                 kfree(umem);
                 return ERR_PTR(-ENOMEM);
         }
@@ -231,7 +228,6 @@ out:
         if (ret < 0) {
                 if (need_release)
                         __ib_umem_release(context->device, umem, 0);
-                put_pid(umem->pid);
                 kfree(umem);
         } else
                 current->mm->pinned_vm = locked;
@@ -274,8 +270,7 @@ void ib_umem_release(struct ib_umem *umem)
 
         __ib_umem_release(umem->context->device, umem, 1);
 
-        task = get_pid_task(umem->pid, PIDTYPE_PID);
-        put_pid(umem->pid);
+        task = get_pid_task(umem->context->tgid, PIDTYPE_PID);
         if (!task)
                 goto out;
         mm = get_task_mm(task);
diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
index e90f2fd8dc16..1445918e3239 100644
--- a/drivers/infiniband/hw/cxgb4/mem.c
+++ b/drivers/infiniband/hw/cxgb4/mem.c
@@ -489,10 +489,10 @@ struct ib_mr *c4iw_get_dma_mr(struct ib_pd *pd, int acc)
 err_dereg_mem:
         dereg_mem(&rhp->rdev, mhp->attr.stag, mhp->attr.pbl_size,
                   mhp->attr.pbl_addr, mhp->dereg_skb, mhp->wr_waitp);
-err_free_wr_wait:
-        c4iw_put_wr_wait(mhp->wr_waitp);
 err_free_skb:
         kfree_skb(mhp->dereg_skb);
+err_free_wr_wait:
+        c4iw_put_wr_wait(mhp->wr_waitp);
 err_free_mhp:
         kfree(mhp);
         return ERR_PTR(ret);
diff --git a/drivers/infiniband/hw/hfi1/chip.c b/drivers/infiniband/hw/hfi1/chip.c
index e6a60fa59f2b..e6bdd0c1e80a 100644
--- a/drivers/infiniband/hw/hfi1/chip.c
+++ b/drivers/infiniband/hw/hfi1/chip.c
@@ -5944,6 +5944,7 @@ static void is_sendctxt_err_int(struct hfi1_devdata *dd,
         u64 status;
         u32 sw_index;
         int i = 0;
+        unsigned long irq_flags;
 
         sw_index = dd->hw_to_sw[hw_context];
         if (sw_index >= dd->num_send_contexts) {
@@ -5953,10 +5954,12 @@ static void is_sendctxt_err_int(struct hfi1_devdata *dd,
                 return;
         }
         sci = &dd->send_contexts[sw_index];
+        spin_lock_irqsave(&dd->sc_lock, irq_flags);
         sc = sci->sc;
         if (!sc) {
                 dd_dev_err(dd, "%s: context %u(%u): no sc?\n", __func__,
                            sw_index, hw_context);
+                spin_unlock_irqrestore(&dd->sc_lock, irq_flags);
                 return;
         }
 
@@ -5978,6 +5981,7 @@ static void is_sendctxt_err_int(struct hfi1_devdata *dd,
          */
         if (sc->type != SC_USER)
                 queue_work(dd->pport->hfi1_wq, &sc->halt_work);
+        spin_unlock_irqrestore(&dd->sc_lock, irq_flags);
 
         /*
          * Update the counters for the corresponding status bits.
diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c
index 14734d0d0b76..3a485f50fede 100644
--- a/drivers/infiniband/hw/hns/hns_roce_cq.c
+++ b/drivers/infiniband/hw/hns/hns_roce_cq.c
@@ -377,6 +377,7 @@ struct ib_cq *hns_roce_ib_create_cq(struct ib_device *ib_dev,
 
                         hr_cq->set_ci_db = hr_cq->db.db_record;
                         *hr_cq->set_ci_db = 0;
+                        hr_cq->db_en = 1;
                 }
 
                 /* Init mmt table and write buff address to mtt table */
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
index 47e1b6ac1e1a..8013d69c5ac4 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
@@ -722,6 +722,7 @@ static int hns_roce_v1_rsv_lp_qp(struct hns_roce_dev *hr_dev)
         free_mr->mr_free_pd = to_hr_pd(pd);
         free_mr->mr_free_pd->ibpd.device  = &hr_dev->ib_dev;
         free_mr->mr_free_pd->ibpd.uobject = NULL;
+        free_mr->mr_free_pd->ibpd.__internal_mr = NULL;
         atomic_set(&free_mr->mr_free_pd->ibpd.usecnt, 0);
 
         attr.qp_access_flags    = IB_ACCESS_REMOTE_WRITE;
@@ -1036,7 +1037,7 @@ static void hns_roce_v1_mr_free_work_fn(struct work_struct *work)
 
         do {
                 ret = hns_roce_v1_poll_cq(&mr_free_cq->ib_cq, ne, wc);
-                if (ret < 0) {
+                if (ret < 0 && hr_qp) {
                         dev_err(dev,
                            "(qp:0x%lx) starts, Poll cqe failed(%d) for mr 0x%x free! Remain %d cqe\n",
                            hr_qp->qpn, ret, hr_mr->key, ne);
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index 25916e8522ed..1f0965bb64ee 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -142,8 +142,8 @@ static int hns_roce_v2_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
         unsigned long flags;
         unsigned int ind;
         void *wqe = NULL;
-        u32 tmp_len = 0;
         bool loopback;
+        u32 tmp_len;
         int ret = 0;
         u8 *smac;
         int nreq;
@@ -189,6 +189,7 @@ static int hns_roce_v2_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
 
                 owner_bit =
                        ~(((qp->sq.head + nreq) >> ilog2(qp->sq.wqe_cnt)) & 0x1);
+                tmp_len = 0;
 
                 /* Corresponding to the QP type, wqe process separately */
                 if (ibqp->qp_type == IB_QPT_GSI) {
@@ -547,16 +548,20 @@ static int hns_roce_v2_post_recv(struct ib_qp *ibqp, struct ib_recv_wr *wr,
                 }
 
                 if (i < hr_qp->rq.max_gs) {
-                        dseg[i].lkey = cpu_to_le32(HNS_ROCE_INVALID_LKEY);
-                        dseg[i].addr = 0;
+                        dseg->lkey = cpu_to_le32(HNS_ROCE_INVALID_LKEY);
+                        dseg->addr = 0;
                 }
 
                 /* rq support inline data */
-                sge_list = hr_qp->rq_inl_buf.wqe_list[ind].sg_list;
-                hr_qp->rq_inl_buf.wqe_list[ind].sge_cnt = (u32)wr->num_sge;
-                for (i = 0; i < wr->num_sge; i++) {
-                        sge_list[i].addr = (void *)(u64)wr->sg_list[i].addr;
-                        sge_list[i].len = wr->sg_list[i].length;
+                if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_RQ_INLINE) {
+                        sge_list = hr_qp->rq_inl_buf.wqe_list[ind].sg_list;
+                        hr_qp->rq_inl_buf.wqe_list[ind].sge_cnt =
+                                                               (u32)wr->num_sge;
+                        for (i = 0; i < wr->num_sge; i++) {
+                                sge_list[i].addr =
+                                               (void *)(u64)wr->sg_list[i].addr;
+                                sge_list[i].len = wr->sg_list[i].length;
+                        }
                 }
 
                 hr_qp->rq.wrid[ind] = wr->wr_id;
@@ -613,6 +618,8 @@ static void hns_roce_free_cmq_desc(struct hns_roce_dev *hr_dev,
         dma_unmap_single(hr_dev->dev, ring->desc_dma_addr,
                          ring->desc_num * sizeof(struct hns_roce_cmq_desc),
                          DMA_BIDIRECTIONAL);
+
+        ring->desc_dma_addr = 0;
         kfree(ring->desc);
 }
 
@@ -1081,6 +1088,7 @@ static int hns_roce_v2_profile(struct hns_roce_dev *hr_dev)
         if (ret) {
                 dev_err(hr_dev->dev, "Configure global param fail, ret = %d.\n",
                         ret);
+                return ret;
         }
 
         /* Get pf resource owned by every pf */
@@ -1372,6 +1380,8 @@ static int hns_roce_v2_write_mtpt(void *mb_buf, struct hns_roce_mr *mr,
 
         roce_set_bit(mpt_entry->byte_12_mw_pa, V2_MPT_BYTE_12_PA_S,
                      mr->type == MR_TYPE_MR ? 0 : 1);
+        roce_set_bit(mpt_entry->byte_12_mw_pa, V2_MPT_BYTE_12_INNER_PA_VLD_S,
+                     1);
         mpt_entry->byte_12_mw_pa = cpu_to_le32(mpt_entry->byte_12_mw_pa);
 
         mpt_entry->len_l = cpu_to_le32(lower_32_bits(mr->size));
@@ -2169,6 +2179,7 @@ static void modify_qp_reset_to_init(struct ib_qp *ibqp,
                                     struct hns_roce_v2_qp_context *context,
                                     struct hns_roce_v2_qp_context *qpc_mask)
 {
+        struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device);
         struct hns_roce_qp *hr_qp = to_hr_qp(ibqp);
 
         /*
@@ -2281,7 +2292,8 @@ static void modify_qp_reset_to_init(struct ib_qp *ibqp,
         context->rq_db_record_addr = hr_qp->rdb.dma >> 32;
         qpc_mask->rq_db_record_addr = 0;
 
-        roce_set_bit(context->byte_76_srqn_op_en, V2_QPC_BYTE_76_RQIE_S, 1);
+        roce_set_bit(context->byte_76_srqn_op_en, V2_QPC_BYTE_76_RQIE_S,
+                    (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_RQ_INLINE) ? 1 : 0);
         roce_set_bit(qpc_mask->byte_76_srqn_op_en, V2_QPC_BYTE_76_RQIE_S, 0);
 
         roce_set_field(context->byte_80_rnr_rx_cqn, V2_QPC_BYTE_80_RX_CQN_M,
@@ -4703,6 +4715,8 @@ static const struct pci_device_id hns_roce_hw_v2_pci_tbl[] = {
         {0, }
 };
 
+MODULE_DEVICE_TABLE(pci, hns_roce_hw_v2_pci_tbl);
+
 static int hns_roce_hw_v2_get_cfg(struct hns_roce_dev *hr_dev,
                                   struct hnae3_handle *handle)
 {
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index 9d48bc07a9e6..96fb6a9ed93c 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -199,7 +199,7 @@ static int hns_roce_query_device(struct ib_device *ib_dev,
 
         memset(props, 0, sizeof(*props));
 
-        props->sys_image_guid = cpu_to_be32(hr_dev->sys_image_guid);
+        props->sys_image_guid = cpu_to_be64(hr_dev->sys_image_guid);
         props->max_mr_size = (u64)(~(0ULL));
         props->page_size_cap = hr_dev->caps.page_size_cap;
         props->vendor_id = hr_dev->vendor_id;
diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
index d4aad34c21e2..baaf906f7c2e 100644
--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
+++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
@@ -660,6 +660,7 @@ static int hns_roce_create_qp_common(struct hns_roce_dev *hr_dev,
                                 goto err_rq_sge_list;
                         }
                         *hr_qp->rdb.db_record = 0;
+                        hr_qp->rdb_en = 1;
                 }
 
                 /* Allocate QP buf */
@@ -955,7 +956,14 @@ int hns_roce_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
         }
 
         if (cur_state == new_state && cur_state == IB_QPS_RESET) {
-                ret = 0;
+                if (hr_dev->caps.min_wqes) {
+                        ret = -EPERM;
+                        dev_err(dev, "cur_state=%d new_state=%d\n", cur_state,
+                                new_state);
+                } else {
+                        ret = 0;
+                }
+
                 goto out;
         }
 
diff --git a/drivers/infiniband/hw/i40iw/i40iw.h b/drivers/infiniband/hw/i40iw/i40iw.h
index d5d8c1be345a..2f2b4426ded7 100644
--- a/drivers/infiniband/hw/i40iw/i40iw.h
+++ b/drivers/infiniband/hw/i40iw/i40iw.h
@@ -207,6 +207,7 @@ struct i40iw_msix_vector {
         u32 irq;
         u32 cpu_affinity;
         u32 ceq_id;
+        cpumask_t mask;
 };
 
 struct l2params_work {
diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
index 4cfa8f4647e2..f7c6fd9ff6e2 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
@@ -2093,7 +2093,7 @@ static int i40iw_addr_resolve_neigh_ipv6(struct i40iw_device *iwdev,
         if (netif_is_bond_slave(netdev))
                 netdev = netdev_master_upper_dev_get(netdev);
 
-        neigh = dst_neigh_lookup(dst, &dst_addr);
+        neigh = dst_neigh_lookup(dst, dst_addr.sin6_addr.in6_u.u6_addr32);
 
         rcu_read_lock();
         if (neigh) {
diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c
index 6139836fb533..c9f62ca7643c 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c
@@ -331,7 +331,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev)
                 switch (info->ae_id) {
                 case I40IW_AE_LLP_FIN_RECEIVED:
                         if (qp->term_flags)
-                                continue;
+                                break;
                         if (atomic_inc_return(&iwqp->close_timer_started) == 1) {
                                 iwqp->hw_tcp_state = I40IW_TCP_STATE_CLOSE_WAIT;
                                 if ((iwqp->hw_tcp_state == I40IW_TCP_STATE_CLOSE_WAIT) &&
@@ -360,7 +360,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev)
                         break;
                 case I40IW_AE_LLP_CONNECTION_RESET:
                         if (atomic_read(&iwqp->close_timer_started))
-                                continue;
+                                break;
                         i40iw_cm_disconn(iwqp);
                         break;
                 case I40IW_AE_QP_SUSPEND_COMPLETE:
diff --git a/drivers/infiniband/hw/i40iw/i40iw_main.c b/drivers/infiniband/hw/i40iw/i40iw_main.c
index 9cd0d3ef9057..05001e6da1f8 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_main.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_main.c
@@ -687,7 +687,6 @@ static enum i40iw_status_code i40iw_configure_ceq_vector(struct i40iw_device *iw
                                                          struct i40iw_msix_vector *msix_vec)
 {
         enum i40iw_status_code status;
-        cpumask_t mask;
 
         if (iwdev->msix_shared && !ceq_id) {
                 tasklet_init(&iwdev->dpc_tasklet, i40iw_dpc, (unsigned long)iwdev);
@@ -697,9 +696,9 @@ static enum i40iw_status_code i40iw_configure_ceq_vector(struct i40iw_device *iw
                 status = request_irq(msix_vec->irq, i40iw_ceq_handler, 0, "CEQ", iwceq);
         }
 
-        cpumask_clear(&mask);
-        cpumask_set_cpu(msix_vec->cpu_affinity, &mask);
-        irq_set_affinity_hint(msix_vec->irq, &mask);
+        cpumask_clear(&msix_vec->mask);
+        cpumask_set_cpu(msix_vec->cpu_affinity, &msix_vec->mask);
+        irq_set_affinity_hint(msix_vec->irq, &msix_vec->mask);
 
         if (status) {
                 i40iw_pr_err("ceq irq config fail\n");
diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
index 40e4f5ab2b46..68679ad4c6da 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
@@ -394,6 +394,7 @@ static struct i40iw_pbl *i40iw_get_pbl(unsigned long va,
 
         list_for_each_entry(iwpbl, pbl_list, list) {
                 if (iwpbl->user_base == va) {
+                        iwpbl->on_list = false;
                         list_del(&iwpbl->list);
                         return iwpbl;
                 }
@@ -614,6 +615,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd,
                 return ERR_PTR(-ENOMEM);
 
         iwqp = (struct i40iw_qp *)mem;
+        iwqp->allocated_buffer = mem;
         qp = &iwqp->sc_qp;
         qp->back_qp = (void *)iwqp;
         qp->push_idx = I40IW_INVALID_PUSH_PAGE_INDEX;
@@ -642,7 +644,6 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd,
                 goto error;
         }
 
-        iwqp->allocated_buffer = mem;
         iwqp->iwdev = iwdev;
         iwqp->iwpd = iwpd;
         iwqp->ibqp.qp_num = qp_num;
@@ -1898,6 +1899,7 @@ static struct ib_mr *i40iw_reg_user_mr(struct ib_pd *pd,
                         goto error;
                 spin_lock_irqsave(&ucontext->qp_reg_mem_list_lock, flags);
                 list_add_tail(&iwpbl->list, &ucontext->qp_reg_mem_list);
+                iwpbl->on_list = true;
                 spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
                 break;
         case IW_MEMREG_TYPE_CQ:
@@ -1908,6 +1910,7 @@ static struct ib_mr *i40iw_reg_user_mr(struct ib_pd *pd,
 
                 spin_lock_irqsave(&ucontext->cq_reg_mem_list_lock, flags);
                 list_add_tail(&iwpbl->list, &ucontext->cq_reg_mem_list);
+                iwpbl->on_list = true;
                 spin_unlock_irqrestore(&ucontext->cq_reg_mem_list_lock, flags);
                 break;
         case IW_MEMREG_TYPE_MEM:
@@ -2045,14 +2048,18 @@ static void i40iw_del_memlist(struct i40iw_mr *iwmr,
         switch (iwmr->type) {
         case IW_MEMREG_TYPE_CQ:
                 spin_lock_irqsave(&ucontext->cq_reg_mem_list_lock, flags);
-                if (!list_empty(&ucontext->cq_reg_mem_list))
+                if (iwpbl->on_list) {
+                        iwpbl->on_list = false;
                         list_del(&iwpbl->list);
+                }
                 spin_unlock_irqrestore(&ucontext->cq_reg_mem_list_lock, flags);
                 break;
         case IW_MEMREG_TYPE_QP:
                 spin_lock_irqsave(&ucontext->qp_reg_mem_list_lock, flags);
-                if (!list_empty(&ucontext->qp_reg_mem_list))
+                if (iwpbl->on_list) {
+                        iwpbl->on_list = false;
                         list_del(&iwpbl->list);
+                }
                 spin_unlock_irqrestore(&ucontext->qp_reg_mem_list_lock, flags);
                 break;
         default:
diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.h b/drivers/infiniband/hw/i40iw/i40iw_verbs.h
index 9067443cd311..76cf173377ab 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.h
+++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.h
@@ -78,6 +78,7 @@ struct i40iw_pbl {
         };
 
         bool pbl_allocated;
+        bool on_list;
         u64 user_base;
         struct i40iw_pble_alloc pble_alloc;
         struct i40iw_mr *iwmr;
diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index b4d8ff8ab807..69716a7ea993 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -2416,7 +2416,7 @@ static void set_proto(void *outer_c, void *outer_v, u8 mask, u8 val)
         MLX5_SET(fte_match_set_lyr_2_4, outer_v, ip_protocol, val);
 }
 
-static void set_flow_label(void *misc_c, void *misc_v, u8 mask, u8 val,
+static void set_flow_label(void *misc_c, void *misc_v, u32 mask, u32 val,
                            bool inner)
 {
         if (inner) {
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 87b7c1be2a11..2193dc1765fb 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -484,11 +484,6 @@ static int qp_has_rq(struct ib_qp_init_attr *attr)
         return 1;
 }
 
-static int first_med_bfreg(void)
-{
-        return 1;
-}
-
 enum {
         /* this is the first blue flame register in the array of bfregs assigned
          * to a processes. Since we do not use it for blue flame but rather
@@ -514,6 +509,12 @@ static int num_med_bfreg(struct mlx5_ib_dev *dev,
         return n >= 0 ? n : 0;
 }
 
+static int first_med_bfreg(struct mlx5_ib_dev *dev,
+                           struct mlx5_bfreg_info *bfregi)
+{
+        return num_med_bfreg(dev, bfregi) ? 1 : -ENOMEM;
+}
+
 static int first_hi_bfreg(struct mlx5_ib_dev *dev,
                           struct mlx5_bfreg_info *bfregi)
 {
@@ -541,10 +542,13 @@ static int alloc_high_class_bfreg(struct mlx5_ib_dev *dev,
 static int alloc_med_class_bfreg(struct mlx5_ib_dev *dev,
                                  struct mlx5_bfreg_info *bfregi)
 {
-        int minidx = first_med_bfreg();
+        int minidx = first_med_bfreg(dev, bfregi);
         int i;
 
-        for (i = first_med_bfreg(); i < first_hi_bfreg(dev, bfregi); i++) {
+        if (minidx < 0)
+                return minidx;
+
+        for (i = minidx; i < first_hi_bfreg(dev, bfregi); i++) {
                 if (bfregi->count[i] < bfregi->count[minidx])
                         minidx = i;
                 if (!bfregi->count[minidx])
diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c
index 7d3763b2e01c..3f9afc02d166 100644
--- a/drivers/infiniband/hw/qedr/verbs.c
+++ b/drivers/infiniband/hw/qedr/verbs.c
@@ -401,49 +401,47 @@ int qedr_mmap(struct ib_ucontext *context, struct vm_area_struct *vma)
 {
         struct qedr_ucontext *ucontext = get_qedr_ucontext(context);
         struct qedr_dev *dev = get_qedr_dev(context->device);
-        unsigned long vm_page = vma->vm_pgoff << PAGE_SHIFT;
-        u64 unmapped_db = dev->db_phys_addr;
+        unsigned long phys_addr = vma->vm_pgoff << PAGE_SHIFT;
         unsigned long len = (vma->vm_end - vma->vm_start);
-        int rc = 0;
-        bool found;
+        unsigned long dpi_start;
+
+        dpi_start = dev->db_phys_addr + (ucontext->dpi * ucontext->dpi_size);
 
         DP_DEBUG(dev, QEDR_MSG_INIT,
-                 "qedr_mmap called vm_page=0x%lx vm_pgoff=0x%lx unmapped_db=0x%llx db_size=%x, len=%lx\n",
-                 vm_page, vma->vm_pgoff, unmapped_db, dev->db_size, len);
-        if (vma->vm_start & (PAGE_SIZE - 1)) {
-                DP_ERR(dev, "Vma_start not page aligned = %ld\n",
-                       vma->vm_start);
+                 "mmap invoked with vm_start=0x%pK, vm_end=0x%pK,vm_pgoff=0x%pK; dpi_start=0x%pK dpi_size=0x%x\n",
+                 (void *)vma->vm_start, (void *)vma->vm_end,
+                 (void *)vma->vm_pgoff, (void *)dpi_start, ucontext->dpi_size);
+
+        if ((vma->vm_start & (PAGE_SIZE - 1)) || (len & (PAGE_SIZE - 1))) {
+                DP_ERR(dev,
+                       "failed mmap, adrresses must be page aligned: start=0x%pK, end=0x%pK\n",
+                       (void *)vma->vm_start, (void *)vma->vm_end);
                 return -EINVAL;
         }
 
-        found = qedr_search_mmap(ucontext, vm_page, len);
-        if (!found) {
-                DP_ERR(dev, "Vma_pgoff not found in mapped array = %ld\n",
+        if (!qedr_search_mmap(ucontext, phys_addr, len)) {
+                DP_ERR(dev, "failed mmap, vm_pgoff=0x%lx is not authorized\n",
                        vma->vm_pgoff);
                 return -EINVAL;
         }
 
-        DP_DEBUG(dev, QEDR_MSG_INIT, "Mapping doorbell bar\n");
-
-        if ((vm_page >= unmapped_db) && (vm_page <= (unmapped_db +
-                                                     dev->db_size))) {
-                DP_DEBUG(dev, QEDR_MSG_INIT, "Mapping doorbell bar\n");
-                if (vma->vm_flags & VM_READ) {
-                        DP_ERR(dev, "Trying to map doorbell bar for read\n");
-                        return -EPERM;
-                }
-
-                vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
+        if (phys_addr < dpi_start ||
+            ((phys_addr + len) > (dpi_start + ucontext->dpi_size))) {
+                DP_ERR(dev,
+                       "failed mmap, pages are outside of dpi; page address=0x%pK, dpi_start=0x%pK, dpi_size=0x%x\n",
+                       (void *)phys_addr, (void *)dpi_start,
+                       ucontext->dpi_size);
+                return -EINVAL;
+        }
 
-                rc = io_remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff,
-                                        PAGE_SIZE, vma->vm_page_prot);
-        } else {
-                DP_DEBUG(dev, QEDR_MSG_INIT, "Mapping chains\n");
-                rc = remap_pfn_range(vma, vma->vm_start,
-                                     vma->vm_pgoff, len, vma->vm_page_prot);
+        if (vma->vm_flags & VM_READ) {
+                DP_ERR(dev, "failed mmap, cannot map doorbell bar for read\n");
+                return -EINVAL;
         }
-        DP_DEBUG(dev, QEDR_MSG_INIT, "qedr_mmap return code: %d\n", rc);
-        return rc;
+
+        vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
+        return io_remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, len,
+                                  vma->vm_page_prot);
 }
 
 struct ib_pd *qedr_alloc_pd(struct ib_device *ibdev,
diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
index 2cb52fd48cf1..73a00a1c06f6 100644
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -761,7 +761,6 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, struct ib_send_wr *wr,
         unsigned int mask;
         unsigned int length = 0;
         int i;
-        int must_sched;
 
         while (wr) {
                 mask = wr_opcode_mask(wr->opcode, qp);
@@ -791,14 +790,7 @@ static int rxe_post_send_kernel(struct rxe_qp *qp, struct ib_send_wr *wr,
                 wr = wr->next;
         }
 
-        /*
-         * Must sched in case of GSI QP because ib_send_mad() hold irq lock,
-         * and the requester call ip_local_out_sk() that takes spin_lock_bh.
-         */
-        must_sched = (qp_type(qp) == IB_QPT_GSI) ||
-                        (queue_count(qp->sq.queue) > 1);
-
-        rxe_run_task(&qp->req.task, must_sched);
+        rxe_run_task(&qp->req.task, 1);
         if (unlikely(qp->req.state == QP_STATE_ERROR))
                 rxe_run_task(&qp->comp.task, 1);
 
diff --git a/drivers/infiniband/ulp/srpt/Kconfig b/drivers/infiniband/ulp/srpt/Kconfig
index fb8b7182f05e..25bf6955b6d0 100644
--- a/drivers/infiniband/ulp/srpt/Kconfig
+++ b/drivers/infiniband/ulp/srpt/Kconfig
@@ -1,6 +1,6 @@
 config INFINIBAND_SRPT
         tristate "InfiniBand SCSI RDMA Protocol target support"
-        depends on INFINIBAND && INFINIBAND_ADDR_TRANS && TARGET_CORE
+        depends on INFINIBAND_ADDR_TRANS && TARGET_CORE
         ---help---
 
           Support for the SCSI RDMA Protocol (SRP) Target driver. The
diff --git a/drivers/isdn/hardware/eicon/diva.c b/drivers/isdn/hardware/eicon/diva.c
index 944a7f338099..1b25d8bc153a 100644
--- a/drivers/isdn/hardware/eicon/diva.c
+++ b/drivers/isdn/hardware/eicon/diva.c
@@ -388,10 +388,10 @@ void divasa_xdi_driver_unload(void)
 **  Receive and process command from user mode utility
 */
 void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
-                            int length,
+                            int length, void *mptr,
                             divas_xdi_copy_from_user_fn_t cp_fn)
 {
-        diva_xdi_um_cfg_cmd_t msg;
+        diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
         diva_os_xdi_adapter_t *a = NULL;
         diva_os_spin_lock_magic_t old_irql;
         struct list_head *tmp;
@@ -401,21 +401,21 @@ void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
                          length, sizeof(diva_xdi_um_cfg_cmd_t)))
                         return NULL;
         }
-        if ((*cp_fn) (os_handle, &msg, src, sizeof(msg)) <= 0) {
+        if ((*cp_fn) (os_handle, msg, src, sizeof(*msg)) <= 0) {
                 DBG_ERR(("A: A(?) open, write error"))
                         return NULL;
         }
         diva_os_enter_spin_lock(&adapter_lock, &old_irql, "open_adapter");
         list_for_each(tmp, &adapter_queue) {
                 a = list_entry(tmp, diva_os_xdi_adapter_t, link);
-                if (a->controller == (int)msg.adapter)
+                if (a->controller == (int)msg->adapter)
                         break;
                 a = NULL;
         }
         diva_os_leave_spin_lock(&adapter_lock, &old_irql, "open_adapter");
 
         if (!a) {
-                DBG_ERR(("A: A(%d) open, adapter not found", msg.adapter))
+                DBG_ERR(("A: A(%d) open, adapter not found", msg->adapter))
                         }
 
         return (a);
@@ -437,8 +437,10 @@ void diva_xdi_close_adapter(void *adapter, void *os_handle)
 
 int
 diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
-               int length, divas_xdi_copy_from_user_fn_t cp_fn)
+               int length, void *mptr,
+               divas_xdi_copy_from_user_fn_t cp_fn)
 {
+        diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
         diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter;
         void *data;
 
@@ -459,7 +461,13 @@ diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
                         return (-2);
         }
 
-        length = (*cp_fn) (os_handle, data, src, length);
+        if (msg) {
+                *(diva_xdi_um_cfg_cmd_t *)data = *msg;
+                length = (*cp_fn) (os_handle, (char *)data + sizeof(*msg),
+                                   src + sizeof(*msg), length - sizeof(*msg));
+        } else {
+                length = (*cp_fn) (os_handle, data, src, length);
+        }
         if (length > 0) {
                 if ((*(a->interface.cmd_proc))
                     (a, (diva_xdi_um_cfg_cmd_t *) data, length)) {
diff --git a/drivers/isdn/hardware/eicon/diva.h b/drivers/isdn/hardware/eicon/diva.h
index b067032093a8..1ad76650fbf9 100644
--- a/drivers/isdn/hardware/eicon/diva.h
+++ b/drivers/isdn/hardware/eicon/diva.h
@@ -20,10 +20,11 @@ int diva_xdi_read(void *adapter, void *os_handle, void __user *dst,
                   int max_length, divas_xdi_copy_to_user_fn_t cp_fn);
 
 int diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
-                   int length, divas_xdi_copy_from_user_fn_t cp_fn);
+                   int length, void *msg,
+                   divas_xdi_copy_from_user_fn_t cp_fn);
 
 void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
-                            int length,
+                            int length, void *msg,
                             divas_xdi_copy_from_user_fn_t cp_fn);
 
 void diva_xdi_close_adapter(void *adapter, void *os_handle);
diff --git a/drivers/isdn/hardware/eicon/divasmain.c b/drivers/isdn/hardware/eicon/divasmain.c
index b9980e84f9db..b6a3950b2564 100644
--- a/drivers/isdn/hardware/eicon/divasmain.c
+++ b/drivers/isdn/hardware/eicon/divasmain.c
@@ -591,19 +591,22 @@ static int divas_release(struct inode *inode, struct file *file)
 static ssize_t divas_write(struct file *file, const char __user *buf,
                            size_t count, loff_t *ppos)
 {
+        diva_xdi_um_cfg_cmd_t msg;
         int ret = -EINVAL;
 
         if (!file->private_data) {
                 file->private_data = diva_xdi_open_adapter(file, buf,
-                                                           count,
+                                                           count, &msg,
                                                            xdi_copy_from_user);
-        }
-        if (!file->private_data) {
-                return (-ENODEV);
+                if (!file->private_data)
+                        return (-ENODEV);
+                ret = diva_xdi_write(file->private_data, file,
+                                     buf, count, &msg, xdi_copy_from_user);
+        } else {
+                ret = diva_xdi_write(file->private_data, file,
+                                     buf, count, NULL, xdi_copy_from_user);
         }
 
-        ret = diva_xdi_write(file->private_data, file,
-                             buf, count, xdi_copy_from_user);
         switch (ret) {
         case -1:                /* Message should be removed from rx mailbox first */
                 ret = -EBUSY;
@@ -622,11 +625,12 @@ static ssize_t divas_write(struct file *file, const char __user *buf,
 static ssize_t divas_read(struct file *file, char __user *buf,
                           size_t count, loff_t *ppos)
 {
+        diva_xdi_um_cfg_cmd_t msg;
         int ret = -EINVAL;
 
         if (!file->private_data) {
                 file->private_data = diva_xdi_open_adapter(file, buf,
-                                                           count,
+                                                           count, &msg,
                                                            xdi_copy_from_user);
         }
         if (!file->private_data) {
diff --git a/drivers/mfd/cros_ec_spi.c b/drivers/mfd/cros_ec_spi.c
index 1b52b8557034..2060d1483043 100644
--- a/drivers/mfd/cros_ec_spi.c
+++ b/drivers/mfd/cros_ec_spi.c
@@ -419,10 +419,25 @@ static int cros_ec_pkt_xfer_spi(struct cros_ec_device *ec_dev,
                 /* Verify that EC can process command */
                 for (i = 0; i < len; i++) {
                         rx_byte = rx_buf[i];
+                        /*
+                         * Seeing the PAST_END, RX_BAD_DATA, or NOT_READY
+                         * markers are all signs that the EC didn't fully
+                         * receive our command. e.g., if the EC is flashing
+                         * itself, it can't respond to any commands and instead
+                         * clocks out EC_SPI_PAST_END from its SPI hardware
+                         * buffer. Similar occurrences can happen if the AP is
+                         * too slow to clock out data after asserting CS -- the
+                         * EC will abort and fill its buffer with
+                         * EC_SPI_RX_BAD_DATA.
+                         *
+                         * In all cases, these errors should be safe to retry.
+                         * Report -EAGAIN and let the caller decide what to do
+                         * about that.
+                         */
                         if (rx_byte == EC_SPI_PAST_END  ||
                             rx_byte == EC_SPI_RX_BAD_DATA ||
                             rx_byte == EC_SPI_NOT_READY) {
-                                ret = -EREMOTEIO;
+                                ret = -EAGAIN;
                                 break;
                         }
                 }
@@ -431,7 +446,7 @@ static int cros_ec_pkt_xfer_spi(struct cros_ec_device *ec_dev,
         if (!ret)
                 ret = cros_ec_spi_receive_packet(ec_dev,
                                 ec_msg->insize + sizeof(*response));
-        else
+        else if (ret != -EAGAIN)
                 dev_err(ec_dev->dev, "spi transfer failed: %d\n", ret);
 
         final_ret = terminate_request(ec_dev);
@@ -537,10 +552,11 @@ static int cros_ec_cmd_xfer_spi(struct cros_ec_device *ec_dev,
                 /* Verify that EC can process command */
                 for (i = 0; i < len; i++) {
                         rx_byte = rx_buf[i];
+                        /* See comments in cros_ec_pkt_xfer_spi() */
                         if (rx_byte == EC_SPI_PAST_END  ||
                             rx_byte == EC_SPI_RX_BAD_DATA ||
                             rx_byte == EC_SPI_NOT_READY) {
-                                ret = -EREMOTEIO;
+                                ret = -EAGAIN;
                                 break;
                         }
                 }
@@ -549,7 +565,7 @@ static int cros_ec_cmd_xfer_spi(struct cros_ec_device *ec_dev,
         if (!ret)
                 ret = cros_ec_spi_receive_response(ec_dev,
                                 ec_msg->insize + EC_MSG_TX_PROTO_BYTES);
-        else
+        else if (ret != -EAGAIN)
                 dev_err(ec_dev->dev, "spi transfer failed: %d\n", ret);
 
         final_ret = terminate_request(ec_dev);
diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
index 9e923cd1d80e..38a7586b00cc 100644
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -2485,7 +2485,7 @@ static long mmc_rpmb_ioctl(struct file *filp, unsigned int cmd,
                 break;
         }
 
-        return 0;
+        return ret;
 }
 
 #ifdef CONFIG_COMPAT
diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c
index 0ef741bc515d..d0e83db42ae5 100644
--- a/drivers/mmc/host/sdhci-iproc.c
+++ b/drivers/mmc/host/sdhci-iproc.c
@@ -33,6 +33,8 @@ struct sdhci_iproc_host {
         const struct sdhci_iproc_data *data;
         u32 shadow_cmd;
         u32 shadow_blk;
+        bool is_cmd_shadowed;
+        bool is_blk_shadowed;
 };
 
 #define REG_OFFSET_IN_BITS(reg) ((reg) << 3 & 0x18)
@@ -48,8 +50,22 @@ static inline u32 sdhci_iproc_readl(struct sdhci_host *host, int reg)
 
 static u16 sdhci_iproc_readw(struct sdhci_host *host, int reg)
 {
-        u32 val = sdhci_iproc_readl(host, (reg & ~3));
-        u16 word = val >> REG_OFFSET_IN_BITS(reg) & 0xffff;
+        struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+        struct sdhci_iproc_host *iproc_host = sdhci_pltfm_priv(pltfm_host);
+        u32 val;
+        u16 word;
+
+        if ((reg == SDHCI_TRANSFER_MODE) && iproc_host->is_cmd_shadowed) {
+                /* Get the saved transfer mode */
+                val = iproc_host->shadow_cmd;
+        } else if ((reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) &&
+                   iproc_host->is_blk_shadowed) {
+                /* Get the saved block info */
+                val = iproc_host->shadow_blk;
+        } else {
+                val = sdhci_iproc_readl(host, (reg & ~3));
+        }
+        word = val >> REG_OFFSET_IN_BITS(reg) & 0xffff;
         return word;
 }
 
@@ -105,13 +121,15 @@ static void sdhci_iproc_writew(struct sdhci_host *host, u16 val, int reg)
 
         if (reg == SDHCI_COMMAND) {
                 /* Write the block now as we are issuing a command */
-                if (iproc_host->shadow_blk != 0) {
+                if (iproc_host->is_blk_shadowed) {
                         sdhci_iproc_writel(host, iproc_host->shadow_blk,
                                 SDHCI_BLOCK_SIZE);
-                        iproc_host->shadow_blk = 0;
+                        iproc_host->is_blk_shadowed = false;
                 }
                 oldval = iproc_host->shadow_cmd;
-        } else if (reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) {
+                iproc_host->is_cmd_shadowed = false;
+        } else if ((reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) &&
+                   iproc_host->is_blk_shadowed) {
                 /* Block size and count are stored in shadow reg */
                 oldval = iproc_host->shadow_blk;
         } else {
@@ -123,9 +141,11 @@ static void sdhci_iproc_writew(struct sdhci_host *host, u16 val, int reg)
         if (reg == SDHCI_TRANSFER_MODE) {
                 /* Save the transfer mode until the command is issued */
                 iproc_host->shadow_cmd = newval;
+                iproc_host->is_cmd_shadowed = true;
         } else if (reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) {
                 /* Save the block info until the command is issued */
                 iproc_host->shadow_blk = newval;
+                iproc_host->is_blk_shadowed = true;
         } else {
                 /* Command or other regular 32-bit write */
                 sdhci_iproc_writel(host, newval, reg & ~3);
@@ -166,7 +186,7 @@ static const struct sdhci_ops sdhci_iproc_32only_ops = {
 
 static const struct sdhci_pltfm_data sdhci_iproc_cygnus_pltfm_data = {
         .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK,
-        .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN,
+        .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN | SDHCI_QUIRK2_HOST_OFF_CARD_ON,
         .ops = &sdhci_iproc_32only_ops,
 };
 
@@ -206,7 +226,6 @@ static const struct sdhci_iproc_data iproc_data = {
         .caps1 = SDHCI_DRIVER_TYPE_C |
                  SDHCI_DRIVER_TYPE_D |
                  SDHCI_SUPPORT_DDR50,
-        .mmc_caps = MMC_CAP_1_8V_DDR,
 };
 
 static const struct sdhci_pltfm_data sdhci_bcm2835_pltfm_data = {
diff --git a/drivers/net/dsa/bcm_sf2_cfp.c b/drivers/net/dsa/bcm_sf2_cfp.c
index 23b45da784cb..b89acaee12d4 100644
--- a/drivers/net/dsa/bcm_sf2_cfp.c
+++ b/drivers/net/dsa/bcm_sf2_cfp.c
@@ -354,10 +354,13 @@ static int bcm_sf2_cfp_ipv4_rule_set(struct bcm_sf2_priv *priv, int port,
         /* Locate the first rule available */
         if (fs->location == RX_CLS_LOC_ANY)
                 rule_index = find_first_zero_bit(priv->cfp.used,
-                                                 bcm_sf2_cfp_rule_size(priv));
+                                                 priv->num_cfp_rules);
         else
                 rule_index = fs->location;
 
+        if (rule_index > bcm_sf2_cfp_rule_size(priv))
+                return -ENOSPC;
+
         layout = &udf_tcpip4_layout;
         /* We only use one UDF slice for now */
         slice_num = bcm_sf2_get_slice_number(layout, 0);
@@ -562,19 +565,21 @@ static int bcm_sf2_cfp_ipv6_rule_set(struct bcm_sf2_priv *priv, int port,
          * first half because the HW search is by incrementing addresses.
          */
         if (fs->location == RX_CLS_LOC_ANY)
-                rule_index[0] = find_first_zero_bit(priv->cfp.used,
-                                                    bcm_sf2_cfp_rule_size(priv));
+                rule_index[1] = find_first_zero_bit(priv->cfp.used,
+                                                    priv->num_cfp_rules);
         else
-                rule_index[0] = fs->location;
+                rule_index[1] = fs->location;
+        if (rule_index[1] > bcm_sf2_cfp_rule_size(priv))
+                return -ENOSPC;
 
         /* Flag it as used (cleared on error path) such that we can immediately
          * obtain a second one to chain from.
          */
-        set_bit(rule_index[0], priv->cfp.used);
+        set_bit(rule_index[1], priv->cfp.used);
 
-        rule_index[1] = find_first_zero_bit(priv->cfp.used,
-                                            bcm_sf2_cfp_rule_size(priv));
-        if (rule_index[1] > bcm_sf2_cfp_rule_size(priv)) {
+        rule_index[0] = find_first_zero_bit(priv->cfp.used,
+                                            priv->num_cfp_rules);
+        if (rule_index[0] > bcm_sf2_cfp_rule_size(priv)) {
                 ret = -ENOSPC;
                 goto out_err;
         }
@@ -712,14 +717,14 @@ static int bcm_sf2_cfp_ipv6_rule_set(struct bcm_sf2_priv *priv, int port,
         /* Flag the second half rule as being used now, return it as the
          * location, and flag it as unique while dumping rules
          */
-        set_bit(rule_index[1], priv->cfp.used);
+        set_bit(rule_index[0], priv->cfp.used);
         set_bit(rule_index[1], priv->cfp.unique);
         fs->location = rule_index[1];
 
         return ret;
 
 out_err:
-        clear_bit(rule_index[0], priv->cfp.used);
+        clear_bit(rule_index[1], priv->cfp.used);
         return ret;
 }
 
@@ -785,10 +790,6 @@ static int bcm_sf2_cfp_rule_del_one(struct bcm_sf2_priv *priv, int port,
         int ret;
         u32 reg;
 
-        /* Refuse deletion of unused rules, and the default reserved rule */
-        if (!test_bit(loc, priv->cfp.used) || loc == 0)
-                return -EINVAL;
-
         /* Indicate which rule we want to read */
         bcm_sf2_cfp_rule_addr_set(priv, loc);
 
@@ -826,6 +827,13 @@ static int bcm_sf2_cfp_rule_del(struct bcm_sf2_priv *priv, int port,
         u32 next_loc = 0;
         int ret;
 
+        /* Refuse deleting unused rules, and those that are not unique since
+         * that could leave IPv6 rules with one of the chained rule in the
+         * table.
+         */
+        if (!test_bit(loc, priv->cfp.unique) || loc == 0)
+                return -EINVAL;
+
         ret = bcm_sf2_cfp_rule_del_one(priv, port, loc, &next_loc);
         if (ret)
                 return ret;
diff --git a/drivers/net/ethernet/3com/3c59x.c b/drivers/net/ethernet/3com/3c59x.c
index 36c8950dbd2d..176861bd2252 100644
--- a/drivers/net/ethernet/3com/3c59x.c
+++ b/drivers/net/ethernet/3com/3c59x.c
@@ -1212,9 +1212,9 @@ static int vortex_probe1(struct device *gendev, void __iomem *ioaddr, int irq,
         vp->mii.reg_num_mask = 0x1f;
 
         /* Makes sure rings are at least 16 byte aligned. */
-        vp->rx_ring = pci_alloc_consistent(pdev, sizeof(struct boom_rx_desc) * RX_RING_SIZE
+        vp->rx_ring = dma_alloc_coherent(gendev, sizeof(struct boom_rx_desc) * RX_RING_SIZE
                                            + sizeof(struct boom_tx_desc) * TX_RING_SIZE,
-                                           &vp->rx_ring_dma);
+                                           &vp->rx_ring_dma, GFP_KERNEL);
         retval = -ENOMEM;
         if (!vp->rx_ring)
                 goto free_device;
@@ -1476,11 +1476,10 @@ static int vortex_probe1(struct device *gendev, void __iomem *ioaddr, int irq,
                 return 0;
 
 free_ring:
-        pci_free_consistent(pdev,
-                                                sizeof(struct boom_rx_desc) * RX_RING_SIZE
-                                                        + sizeof(struct boom_tx_desc) * TX_RING_SIZE,
-                                                vp->rx_ring,
-                                                vp->rx_ring_dma);
+        dma_free_coherent(&pdev->dev,
+                sizeof(struct boom_rx_desc) * RX_RING_SIZE +
+                sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+                vp->rx_ring, vp->rx_ring_dma);
 free_device:
         free_netdev(dev);
         pr_err(PFX "vortex_probe1 fails.  Returns %d\n", retval);
@@ -1751,9 +1750,9 @@ vortex_open(struct net_device *dev)
                                 break;                  /* Bad news!  */
 
                         skb_reserve(skb, NET_IP_ALIGN); /* Align IP on 16 byte boundaries */
-                        dma = pci_map_single(VORTEX_PCI(vp), skb->data,
-                                             PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
-                        if (dma_mapping_error(&VORTEX_PCI(vp)->dev, dma))
+                        dma = dma_map_single(vp->gendev, skb->data,
+                                             PKT_BUF_SZ, DMA_FROM_DEVICE);
+                        if (dma_mapping_error(vp->gendev, dma))
                                 break;
                         vp->rx_ring[i].addr = cpu_to_le32(dma);
                 }
@@ -2067,9 +2066,9 @@ vortex_start_xmit(struct sk_buff *skb, struct net_device *dev)
         if (vp->bus_master) {
                 /* Set the bus-master controller to transfer the packet. */
                 int len = (skb->len + 3) & ~3;
-                vp->tx_skb_dma = pci_map_single(VORTEX_PCI(vp), skb->data, len,
-                                                PCI_DMA_TODEVICE);
-                if (dma_mapping_error(&VORTEX_PCI(vp)->dev, vp->tx_skb_dma)) {
+                vp->tx_skb_dma = dma_map_single(vp->gendev, skb->data, len,
+                                                DMA_TO_DEVICE);
+                if (dma_mapping_error(vp->gendev, vp->tx_skb_dma)) {
                         dev_kfree_skb_any(skb);
                         dev->stats.tx_dropped++;
                         return NETDEV_TX_OK;
@@ -2168,9 +2167,9 @@ boomerang_start_xmit(struct sk_buff *skb, struct net_device *dev)
                         vp->tx_ring[entry].status = cpu_to_le32(skb->len | TxIntrUploaded | AddTCPChksum | AddUDPChksum);
 
         if (!skb_shinfo(skb)->nr_frags) {
-                dma_addr = pci_map_single(VORTEX_PCI(vp), skb->data, skb->len,
-                                          PCI_DMA_TODEVICE);
-                if (dma_mapping_error(&VORTEX_PCI(vp)->dev, dma_addr))
+                dma_addr = dma_map_single(vp->gendev, skb->data, skb->len,
+                                          DMA_TO_DEVICE);
+                if (dma_mapping_error(vp->gendev, dma_addr))
                         goto out_dma_err;
 
                 vp->tx_ring[entry].frag[0].addr = cpu_to_le32(dma_addr);
@@ -2178,9 +2177,9 @@ boomerang_start_xmit(struct sk_buff *skb, struct net_device *dev)
         } else {
                 int i;
 
-                dma_addr = pci_map_single(VORTEX_PCI(vp), skb->data,
-                                          skb_headlen(skb), PCI_DMA_TODEVICE);
-                if (dma_mapping_error(&VORTEX_PCI(vp)->dev, dma_addr))
+                dma_addr = dma_map_single(vp->gendev, skb->data,
+                                          skb_headlen(skb), DMA_TO_DEVICE);
+                if (dma_mapping_error(vp->gendev, dma_addr))
                         goto out_dma_err;
 
                 vp->tx_ring[entry].frag[0].addr = cpu_to_le32(dma_addr);
@@ -2189,21 +2188,21 @@ boomerang_start_xmit(struct sk_buff *skb, struct net_device *dev)
                 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
                         skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
 
-                        dma_addr = skb_frag_dma_map(&VORTEX_PCI(vp)->dev, frag,
+                        dma_addr = skb_frag_dma_map(vp->gendev, frag,
                                                     0,
                                                     frag->size,
                                                     DMA_TO_DEVICE);
-                        if (dma_mapping_error(&VORTEX_PCI(vp)->dev, dma_addr)) {
+                        if (dma_mapping_error(vp->gendev, dma_addr)) {
                                 for(i = i-1; i >= 0; i--)
-                                        dma_unmap_page(&VORTEX_PCI(vp)->dev,
+                                        dma_unmap_page(vp->gendev,
                                                        le32_to_cpu(vp->tx_ring[entry].frag[i+1].addr),
                                                        le32_to_cpu(vp->tx_ring[entry].frag[i+1].length),
                                                        DMA_TO_DEVICE);
 
-                                pci_unmap_single(VORTEX_PCI(vp),
+                                dma_unmap_single(vp->gendev,
                                                  le32_to_cpu(vp->tx_ring[entry].frag[0].addr),
                                                  le32_to_cpu(vp->tx_ring[entry].frag[0].length),
-                                                 PCI_DMA_TODEVICE);
+                                                 DMA_TO_DEVICE);
 
                                 goto out_dma_err;
                         }
@@ -2218,8 +2217,8 @@ boomerang_start_xmit(struct sk_buff *skb, struct net_device *dev)
                 }
         }
 #else
-        dma_addr = pci_map_single(VORTEX_PCI(vp), skb->data, skb->len, PCI_DMA_TODEVICE);
-        if (dma_mapping_error(&VORTEX_PCI(vp)->dev, dma_addr))
+        dma_addr = dma_map_single(vp->gendev, skb->data, skb->len, DMA_TO_DEVICE);
+        if (dma_mapping_error(vp->gendev, dma_addr))
                 goto out_dma_err;
         vp->tx_ring[entry].addr = cpu_to_le32(dma_addr);
         vp->tx_ring[entry].length = cpu_to_le32(skb->len | LAST_FRAG);
@@ -2254,7 +2253,7 @@ boomerang_start_xmit(struct sk_buff *skb, struct net_device *dev)
 out:
         return NETDEV_TX_OK;
 out_dma_err:
-        dev_err(&VORTEX_PCI(vp)->dev, "Error mapping dma buffer\n");
+        dev_err(vp->gendev, "Error mapping dma buffer\n");
         goto out;
 }
 
@@ -2322,7 +2321,7 @@ vortex_interrupt(int irq, void *dev_id)
                 if (status & DMADone) {
                         if (ioread16(ioaddr + Wn7_MasterStatus) & 0x1000) {
                                 iowrite16(0x1000, ioaddr + Wn7_MasterStatus); /* Ack the event. */
-                                pci_unmap_single(VORTEX_PCI(vp), vp->tx_skb_dma, (vp->tx_skb->len + 3) & ~3, PCI_DMA_TODEVICE);
+                                dma_unmap_single(vp->gendev, vp->tx_skb_dma, (vp->tx_skb->len + 3) & ~3, DMA_TO_DEVICE);
                                 pkts_compl++;
                                 bytes_compl += vp->tx_skb->len;
                                 dev_kfree_skb_irq(vp->tx_skb); /* Release the transferred buffer */
@@ -2459,19 +2458,19 @@ boomerang_interrupt(int irq, void *dev_id)
                                         struct sk_buff *skb = vp->tx_skbuff[entry];
 #if DO_ZEROCOPY
                                         int i;
-                                        pci_unmap_single(VORTEX_PCI(vp),
+                                        dma_unmap_single(vp->gendev,
                                                         le32_to_cpu(vp->tx_ring[entry].frag[0].addr),
                                                         le32_to_cpu(vp->tx_ring[entry].frag[0].length)&0xFFF,
-                                                        PCI_DMA_TODEVICE);
+                                                        DMA_TO_DEVICE);
 
                                         for (i=1; i<=skb_shinfo(skb)->nr_frags; i++)
-                                                        pci_unmap_page(VORTEX_PCI(vp),
+                                                        dma_unmap_page(vp->gendev,
                                                                                          le32_to_cpu(vp->tx_ring[entry].frag[i].addr),
                                                                                          le32_to_cpu(vp->tx_ring[entry].frag[i].length)&0xFFF,
-                                                                                         PCI_DMA_TODEVICE);
+                                                                                         DMA_TO_DEVICE);
 #else
-                                        pci_unmap_single(VORTEX_PCI(vp),
-                                                le32_to_cpu(vp->tx_ring[entry].addr), skb->len, PCI_DMA_TODEVICE);
+                                        dma_unmap_single(vp->gendev,
+                                                le32_to_cpu(vp->tx_ring[entry].addr), skb->len, DMA_TO_DEVICE);
 #endif
                                         pkts_compl++;
                                         bytes_compl += skb->len;
@@ -2561,14 +2560,14 @@ static int vortex_rx(struct net_device *dev)
                                 /* 'skb_put()' points to the start of sk_buff data area. */
                                 if (vp->bus_master &&
                                         ! (ioread16(ioaddr + Wn7_MasterStatus) & 0x8000)) {
-                                        dma_addr_t dma = pci_map_single(VORTEX_PCI(vp), skb_put(skb, pkt_len),
-                                                                           pkt_len, PCI_DMA_FROMDEVICE);
+                                        dma_addr_t dma = dma_map_single(vp->gendev, skb_put(skb, pkt_len),
+                                                                           pkt_len, DMA_FROM_DEVICE);
                                         iowrite32(dma, ioaddr + Wn7_MasterAddr);
                                         iowrite16((skb->len + 3) & ~3, ioaddr + Wn7_MasterLen);
                                         iowrite16(StartDMAUp, ioaddr + EL3_CMD);
                                         while (ioread16(ioaddr + Wn7_MasterStatus) & 0x8000)
                                                 ;
-                                        pci_unmap_single(VORTEX_PCI(vp), dma, pkt_len, PCI_DMA_FROMDEVICE);
+                                        dma_unmap_single(vp->gendev, dma, pkt_len, DMA_FROM_DEVICE);
                                 } else {
                                         ioread32_rep(ioaddr + RX_FIFO,
                                                      skb_put(skb, pkt_len),
@@ -2635,11 +2634,11 @@ boomerang_rx(struct net_device *dev)
                         if (pkt_len < rx_copybreak &&
                             (skb = netdev_alloc_skb(dev, pkt_len + 2)) != NULL) {
                                 skb_reserve(skb, 2);    /* Align IP on 16 byte boundaries */
-                                pci_dma_sync_single_for_cpu(VORTEX_PCI(vp), dma, PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
+                                dma_sync_single_for_cpu(vp->gendev, dma, PKT_BUF_SZ, DMA_FROM_DEVICE);
                                 /* 'skb_put()' points to the start of sk_buff data area. */
                                 skb_put_data(skb, vp->rx_skbuff[entry]->data,
                                              pkt_len);
-                                pci_dma_sync_single_for_device(VORTEX_PCI(vp), dma, PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
+                                dma_sync_single_for_device(vp->gendev, dma, PKT_BUF_SZ, DMA_FROM_DEVICE);
                                 vp->rx_copy++;
                         } else {
                                 /* Pre-allocate the replacement skb.  If it or its
@@ -2651,9 +2650,9 @@ boomerang_rx(struct net_device *dev)
                                         dev->stats.rx_dropped++;
                                         goto clear_complete;
                                 }
-                                newdma = pci_map_single(VORTEX_PCI(vp), newskb->data,
-                                                        PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
-                                if (dma_mapping_error(&VORTEX_PCI(vp)->dev, newdma)) {
+                                newdma = dma_map_single(vp->gendev, newskb->data,
+                                                        PKT_BUF_SZ, DMA_FROM_DEVICE);
+                                if (dma_mapping_error(vp->gendev, newdma)) {
                                         dev->stats.rx_dropped++;
                                         consume_skb(newskb);
                                         goto clear_complete;
@@ -2664,7 +2663,7 @@ boomerang_rx(struct net_device *dev)
                                 vp->rx_skbuff[entry] = newskb;
                                 vp->rx_ring[entry].addr = cpu_to_le32(newdma);
                                 skb_put(skb, pkt_len);
-                                pci_unmap_single(VORTEX_PCI(vp), dma, PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
+                                dma_unmap_single(vp->gendev, dma, PKT_BUF_SZ, DMA_FROM_DEVICE);
                                 vp->rx_nocopy++;
                         }
                         skb->protocol = eth_type_trans(skb, dev);
@@ -2761,8 +2760,8 @@ vortex_close(struct net_device *dev)
         if (vp->full_bus_master_rx) { /* Free Boomerang bus master Rx buffers. */
                 for (i = 0; i < RX_RING_SIZE; i++)
                         if (vp->rx_skbuff[i]) {
-                                pci_unmap_single(       VORTEX_PCI(vp), le32_to_cpu(vp->rx_ring[i].addr),
-                                                                        PKT_BUF_SZ, PCI_DMA_FROMDEVICE);
+                                dma_unmap_single(vp->gendev, le32_to_cpu(vp->rx_ring[i].addr),
+                                                                        PKT_BUF_SZ, DMA_FROM_DEVICE);
                                 dev_kfree_skb(vp->rx_skbuff[i]);
                                 vp->rx_skbuff[i] = NULL;
                         }
@@ -2775,12 +2774,12 @@ vortex_close(struct net_device *dev)
                                 int k;
 
                                 for (k=0; k<=skb_shinfo(skb)->nr_frags; k++)
-                                                pci_unmap_single(VORTEX_PCI(vp),
+                                                dma_unmap_single(vp->gendev,
                                                                                  le32_to_cpu(vp->tx_ring[i].frag[k].addr),
                                                                                  le32_to_cpu(vp->tx_ring[i].frag[k].length)&0xFFF,
-                                                                                 PCI_DMA_TODEVICE);
+                                                                                 DMA_TO_DEVICE);
 #else
-                                pci_unmap_single(VORTEX_PCI(vp), le32_to_cpu(vp->tx_ring[i].addr), skb->len, PCI_DMA_TODEVICE);
+                                dma_unmap_single(vp->gendev, le32_to_cpu(vp->tx_ring[i].addr), skb->len, DMA_TO_DEVICE);
 #endif
                                 dev_kfree_skb(skb);
                                 vp->tx_skbuff[i] = NULL;
@@ -3288,11 +3287,10 @@ static void vortex_remove_one(struct pci_dev *pdev)
 
         pci_iounmap(pdev, vp->ioaddr);
 
-        pci_free_consistent(pdev,
-                                                sizeof(struct boom_rx_desc) * RX_RING_SIZE
-                                                        + sizeof(struct boom_tx_desc) * TX_RING_SIZE,
-                                                vp->rx_ring,
-                                                vp->rx_ring_dma);
+        dma_free_coherent(&pdev->dev,
+                        sizeof(struct boom_rx_desc) * RX_RING_SIZE +
+                        sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+                        vp->rx_ring, vp->rx_ring_dma);
 
         pci_release_regions(pdev);
 
diff --git a/drivers/net/ethernet/8390/ne.c b/drivers/net/ethernet/8390/ne.c
index ac99d089ac72..1c97e39b478e 100644
--- a/drivers/net/ethernet/8390/ne.c
+++ b/drivers/net/ethernet/8390/ne.c
@@ -164,7 +164,9 @@ bad_clone_list[] __initdata = {
 #define NESM_START_PG   0x40    /* First page of TX buffer */
 #define NESM_STOP_PG    0x80    /* Last page +1 of RX ring */
 
-#if defined(CONFIG_ATARI)       /* 8-bit mode on Atari, normal on Q40 */
+#if defined(CONFIG_MACH_TX49XX)
+#  define DCR_VAL 0x48          /* 8-bit mode */
+#elif defined(CONFIG_ATARI)     /* 8-bit mode on Atari, normal on Q40 */
 #  define DCR_VAL (MACH_IS_ATARI ? 0x48 : 0x49)
 #else
 #  define DCR_VAL 0x49
diff --git a/drivers/net/ethernet/amd/pcnet32.c b/drivers/net/ethernet/amd/pcnet32.c
index a561705f232c..be198cc0b10c 100644
--- a/drivers/net/ethernet/amd/pcnet32.c
+++ b/drivers/net/ethernet/amd/pcnet32.c
@@ -1552,22 +1552,26 @@ pcnet32_probe_pci(struct pci_dev *pdev, const struct pci_device_id *ent)
         if (!ioaddr) {
                 if (pcnet32_debug & NETIF_MSG_PROBE)
                         pr_err("card has no PCI IO resources, aborting\n");
-                return -ENODEV;
+                err = -ENODEV;
+                goto err_disable_dev;
         }
 
         err = pci_set_dma_mask(pdev, PCNET32_DMA_MASK);
         if (err) {
                 if (pcnet32_debug & NETIF_MSG_PROBE)
                         pr_err("architecture does not support 32bit PCI busmaster DMA\n");
-                return err;
+                goto err_disable_dev;
         }
         if (!request_region(ioaddr, PCNET32_TOTAL_SIZE, "pcnet32_probe_pci")) {
                 if (pcnet32_debug & NETIF_MSG_PROBE)
                         pr_err("io address range already allocated\n");
-                return -EBUSY;
+                err = -EBUSY;
+                goto err_disable_dev;
         }
 
         err = pcnet32_probe1(ioaddr, 1, pdev);
+
+err_disable_dev:
         if (err < 0)
                 pci_disable_device(pdev);
 
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cudbg_entity.h b/drivers/net/ethernet/chelsio/cxgb4/cudbg_entity.h
index b57acb8dc35b..dc25066c59a1 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cudbg_entity.h
+++ b/drivers/net/ethernet/chelsio/cxgb4/cudbg_entity.h
@@ -419,15 +419,15 @@ static const u32 t6_up_cim_reg_array[][IREG_NUM_ELEM + 1] = {
         {0x7b50, 0x7b54, 0x280, 0x20, 0}, /* up_cim_280_to_2fc */
         {0x7b50, 0x7b54, 0x300, 0x20, 0}, /* up_cim_300_to_37c */
         {0x7b50, 0x7b54, 0x380, 0x14, 0}, /* up_cim_380_to_3cc */
-        {0x7b50, 0x7b54, 0x2900, 0x4, 0x4}, /* up_cim_2900_to_3d40 */
-        {0x7b50, 0x7b54, 0x2904, 0x4, 0x4}, /* up_cim_2904_to_3d44 */
-        {0x7b50, 0x7b54, 0x2908, 0x4, 0x4}, /* up_cim_2908_to_3d48 */
-        {0x7b50, 0x7b54, 0x2910, 0x4, 0x4}, /* up_cim_2910_to_3d4c */
-        {0x7b50, 0x7b54, 0x2914, 0x4, 0x4}, /* up_cim_2914_to_3d50 */
-        {0x7b50, 0x7b54, 0x2920, 0x10, 0x10}, /* up_cim_2920_to_2a10 */
-        {0x7b50, 0x7b54, 0x2924, 0x10, 0x10}, /* up_cim_2924_to_2a14 */
-        {0x7b50, 0x7b54, 0x2928, 0x10, 0x10}, /* up_cim_2928_to_2a18 */
-        {0x7b50, 0x7b54, 0x292c, 0x10, 0x10}, /* up_cim_292c_to_2a1c */
+        {0x7b50, 0x7b54, 0x4900, 0x4, 0x4}, /* up_cim_4900_to_4c60 */
+        {0x7b50, 0x7b54, 0x4904, 0x4, 0x4}, /* up_cim_4904_to_4c64 */
+        {0x7b50, 0x7b54, 0x4908, 0x4, 0x4}, /* up_cim_4908_to_4c68 */
+        {0x7b50, 0x7b54, 0x4910, 0x4, 0x4}, /* up_cim_4910_to_4c70 */
+        {0x7b50, 0x7b54, 0x4914, 0x4, 0x4}, /* up_cim_4914_to_4c74 */
+        {0x7b50, 0x7b54, 0x4920, 0x10, 0x10}, /* up_cim_4920_to_4a10 */
+        {0x7b50, 0x7b54, 0x4924, 0x10, 0x10}, /* up_cim_4924_to_4a14 */
+        {0x7b50, 0x7b54, 0x4928, 0x10, 0x10}, /* up_cim_4928_to_4a18 */
+        {0x7b50, 0x7b54, 0x492c, 0x10, 0x10}, /* up_cim_492c_to_4a1c */
 };
 
 static const u32 t5_up_cim_reg_array[][IREG_NUM_ELEM + 1] = {
@@ -444,16 +444,6 @@ static const u32 t5_up_cim_reg_array[][IREG_NUM_ELEM + 1] = {
         {0x7b50, 0x7b54, 0x280, 0x20, 0}, /* up_cim_280_to_2fc */
         {0x7b50, 0x7b54, 0x300, 0x20, 0}, /* up_cim_300_to_37c */
         {0x7b50, 0x7b54, 0x380, 0x14, 0}, /* up_cim_380_to_3cc */
-        {0x7b50, 0x7b54, 0x2900, 0x4, 0x4}, /* up_cim_2900_to_3d40 */
-        {0x7b50, 0x7b54, 0x2904, 0x4, 0x4}, /* up_cim_2904_to_3d44 */
-        {0x7b50, 0x7b54, 0x2908, 0x4, 0x4}, /* up_cim_2908_to_3d48 */
-        {0x7b50, 0x7b54, 0x2910, 0x4, 0x4}, /* up_cim_2910_to_3d4c */
-        {0x7b50, 0x7b54, 0x2914, 0x4, 0x4}, /* up_cim_2914_to_3d50 */
-        {0x7b50, 0x7b54, 0x2918, 0x4, 0x4}, /* up_cim_2918_to_3d54 */
-        {0x7b50, 0x7b54, 0x291c, 0x4, 0x4}, /* up_cim_291c_to_3d58 */
-        {0x7b50, 0x7b54, 0x2924, 0x10, 0x10}, /* up_cim_2924_to_2914 */
-        {0x7b50, 0x7b54, 0x2928, 0x10, 0x10}, /* up_cim_2928_to_2a18 */
-        {0x7b50, 0x7b54, 0x292c, 0x10, 0x10}, /* up_cim_292c_to_2a1c */
 };
 
 static const u32 t6_hma_ireg_array[][IREG_NUM_ELEM] = {
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
index db92f1858060..b76447baccaf 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
@@ -836,7 +836,7 @@ bool is_filter_exact_match(struct adapter *adap,
 {
         struct tp_params *tp = &adap->params.tp;
         u64 hash_filter_mask = tp->hash_filter_mask;
-        u32 mask;
+        u64 ntuple_mask = 0;
 
         if (!is_hashfilter(adap))
                 return false;
@@ -865,73 +865,45 @@ bool is_filter_exact_match(struct adapter *adap,
         if (!fs->val.fport || fs->mask.fport != 0xffff)
                 return false;
 
-        if (tp->fcoe_shift >= 0) {
-                mask = (hash_filter_mask >> tp->fcoe_shift) & FT_FCOE_W;
-                if (mask && !fs->mask.fcoe)
-                        return false;
-        }
+        /* calculate tuple mask and compare with mask configured in hw */
+        if (tp->fcoe_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.fcoe << tp->fcoe_shift;
 
-        if (tp->port_shift >= 0) {
-                mask = (hash_filter_mask >> tp->port_shift) & FT_PORT_W;
-                if (mask && !fs->mask.iport)
-                        return false;
-        }
+        if (tp->port_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.iport << tp->port_shift;
 
         if (tp->vnic_shift >= 0) {
-                mask = (hash_filter_mask >> tp->vnic_shift) & FT_VNIC_ID_W;
-
-                if ((adap->params.tp.ingress_config & VNIC_F)) {
-                        if (mask && !fs->mask.pfvf_vld)
-                                return false;
-                } else {
-                        if (mask && !fs->mask.ovlan_vld)
-                                return false;
-                }
+                if ((adap->params.tp.ingress_config & VNIC_F))
+                        ntuple_mask |= (u64)fs->mask.pfvf_vld << tp->vnic_shift;
+                else
+                        ntuple_mask |= (u64)fs->mask.ovlan_vld <<
+                                tp->vnic_shift;
         }
 
-        if (tp->vlan_shift >= 0) {
-                mask = (hash_filter_mask >> tp->vlan_shift) & FT_VLAN_W;
-                if (mask && !fs->mask.ivlan)
-                        return false;
-        }
+        if (tp->vlan_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.ivlan << tp->vlan_shift;
 
-        if (tp->tos_shift >= 0) {
-                mask = (hash_filter_mask >> tp->tos_shift) & FT_TOS_W;
-                if (mask && !fs->mask.tos)
-                        return false;
-        }
+        if (tp->tos_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.tos << tp->tos_shift;
 
-        if (tp->protocol_shift >= 0) {
-                mask = (hash_filter_mask >> tp->protocol_shift) & FT_PROTOCOL_W;
-                if (mask && !fs->mask.proto)
-                        return false;
-        }
+        if (tp->protocol_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.proto << tp->protocol_shift;
 
-        if (tp->ethertype_shift >= 0) {
-                mask = (hash_filter_mask >> tp->ethertype_shift) &
-                        FT_ETHERTYPE_W;
-                if (mask && !fs->mask.ethtype)
-                        return false;
-        }
+        if (tp->ethertype_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.ethtype << tp->ethertype_shift;
 
-        if (tp->macmatch_shift >= 0) {
-                mask = (hash_filter_mask >> tp->macmatch_shift) & FT_MACMATCH_W;
-                if (mask && !fs->mask.macidx)
-                        return false;
-        }
+        if (tp->macmatch_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.macidx << tp->macmatch_shift;
+
+        if (tp->matchtype_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.matchtype << tp->matchtype_shift;
+
+        if (tp->frag_shift >= 0)
+                ntuple_mask |= (u64)fs->mask.frag << tp->frag_shift;
+
+        if (ntuple_mask != hash_filter_mask)
+                return false;
 
-        if (tp->matchtype_shift >= 0) {
-                mask = (hash_filter_mask >> tp->matchtype_shift) &
-                        FT_MPSHITTYPE_W;
-                if (mask && !fs->mask.matchtype)
-                        return false;
-        }
-        if (tp->frag_shift >= 0) {
-                mask = (hash_filter_mask >> tp->frag_shift) &
-                        FT_FRAGMENTATION_W;
-                if (mask && !fs->mask.frag)
-                        return false;
-        }
         return true;
 }
 
diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
index 81684acf52af..8a8b12b720ef 100644
--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -2747,11 +2747,11 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
         pci_set_master(pdev);
 
         /* Query PCI controller on system for DMA addressing
-         * limitation for the device.  Try 64-bit first, and
+         * limitation for the device.  Try 47-bit first, and
          * fail to 32-bit.
          */
 
-        err = pci_set_dma_mask(pdev, DMA_BIT_MASK(64));
+        err = pci_set_dma_mask(pdev, DMA_BIT_MASK(47));
         if (err) {
                 err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32));
                 if (err) {
@@ -2765,10 +2765,10 @@ static int enic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
                         goto err_out_release_regions;
                 }
         } else {
-                err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64));
+                err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(47));
                 if (err) {
                         dev_err(dev, "Unable to obtain %u-bit DMA "
-                                "for consistent allocations, aborting\n", 64);
+                                "for consistent allocations, aborting\n", 47);
                         goto err_out_release_regions;
                 }
                 using_dac = 1;
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index d4604bc8eb5b..9d3eed46830d 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0+
 /*
  * Fast Ethernet Controller (FEC) driver for Motorola MPC8xx.
  * Copyright (c) 1997 Dan Malek (dmalek@jlc.net)
diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
index f81439796ac7..43d973215040 100644
--- a/drivers/net/ethernet/freescale/fec_ptp.c
+++ b/drivers/net/ethernet/freescale/fec_ptp.c
@@ -1,20 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0
 /*
  * Fast Ethernet Controller (ENET) PTP driver for MX6x.
  *
  * Copyright (C) 2012 Freescale Semiconductor, Inc.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms and conditions of the GNU General Public License,
- * version 2, as published by the Free Software Foundation.
- *
- * This program is distributed in the hope it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
index 6e8d6a6f6aaf..5ec1185808e5 100644
--- a/drivers/net/ethernet/ibm/ibmvnic.c
+++ b/drivers/net/ethernet/ibm/ibmvnic.c
@@ -192,6 +192,7 @@ static int alloc_long_term_buff(struct ibmvnic_adapter *adapter,
         if (adapter->fw_done_rc) {
                 dev_err(dev, "Couldn't map long term buffer,rc = %d\n",
                         adapter->fw_done_rc);
+                dma_free_coherent(dev, ltb->size, ltb->buff, ltb->addr);
                 return -1;
         }
         return 0;
@@ -795,9 +796,11 @@ static int ibmvnic_login(struct net_device *netdev)
         struct ibmvnic_adapter *adapter = netdev_priv(netdev);
         unsigned long timeout = msecs_to_jiffies(30000);
         int retry_count = 0;
+        bool retry;
         int rc;
 
         do {
+                retry = false;
                 if (retry_count > IBMVNIC_MAX_QUEUES) {
                         netdev_warn(netdev, "Login attempts exceeded\n");
                         return -1;
@@ -821,6 +824,9 @@ static int ibmvnic_login(struct net_device *netdev)
                         retry_count++;
                         release_sub_crqs(adapter, 1);
 
+                        retry = true;
+                        netdev_dbg(netdev,
+                                   "Received partial success, retrying...\n");
                         adapter->init_done_rc = 0;
                         reinit_completion(&adapter->init_done);
                         send_cap_queries(adapter);
@@ -848,7 +854,7 @@ static int ibmvnic_login(struct net_device *netdev)
                         netdev_warn(netdev, "Adapter login failed\n");
                         return -1;
                 }
-        } while (adapter->init_done_rc == PARTIALSUCCESS);
+        } while (retry);
 
         /* handle pending MAC address changes after successful login */
         if (adapter->mac_change_pending) {
@@ -1821,9 +1827,8 @@ static int do_reset(struct ibmvnic_adapter *adapter,
                         if (rc)
                                 return rc;
                 }
+                ibmvnic_disable_irqs(adapter);
         }
-
-        ibmvnic_disable_irqs(adapter);
         adapter->state = VNIC_CLOSED;
 
         if (reset_state == VNIC_CLOSED)
@@ -2617,18 +2622,21 @@ static int enable_scrq_irq(struct ibmvnic_adapter *adapter,
 {
         struct device *dev = &adapter->vdev->dev;
         unsigned long rc;
-        u64 val;
 
         if (scrq->hw_irq > 0x100000000ULL) {
                 dev_err(dev, "bad hw_irq = %lx\n", scrq->hw_irq);
                 return 1;
         }
 
-        val = (0xff000000) | scrq->hw_irq;
-        rc = plpar_hcall_norets(H_EOI, val);
-        if (rc)
-                dev_err(dev, "H_EOI FAILED irq 0x%llx. rc=%ld\n",
-                        val, rc);
+        if (adapter->resetting &&
+            adapter->reset_reason == VNIC_RESET_MOBILITY) {
+                u64 val = (0xff000000) | scrq->hw_irq;
+
+                rc = plpar_hcall_norets(H_EOI, val);
+                if (rc)
+                        dev_err(dev, "H_EOI FAILED irq 0x%llx. rc=%ld\n",
+                                val, rc);
+        }
 
         rc = plpar_hcall_norets(H_VIOCTL, adapter->vdev->unit_address,
                                 H_ENABLE_VIO_INTERRUPT, scrq->hw_irq, 0, 0);
@@ -4586,14 +4594,6 @@ static int ibmvnic_init(struct ibmvnic_adapter *adapter)
                 release_crq_queue(adapter);
         }
 
-        rc = init_stats_buffers(adapter);
-        if (rc)
-                return rc;
-
-        rc = init_stats_token(adapter);
-        if (rc)
-                return rc;
-
         return rc;
 }
 
@@ -4662,13 +4662,21 @@ static int ibmvnic_probe(struct vio_dev *dev, const struct vio_device_id *id)
                         goto ibmvnic_init_fail;
         } while (rc == EAGAIN);
 
+        rc = init_stats_buffers(adapter);
+        if (rc)
+                goto ibmvnic_init_fail;
+
+        rc = init_stats_token(adapter);
+        if (rc)
+                goto ibmvnic_stats_fail;
+
         netdev->mtu = adapter->req_mtu - ETH_HLEN;
         netdev->min_mtu = adapter->min_mtu - ETH_HLEN;
         netdev->max_mtu = adapter->max_mtu - ETH_HLEN;
 
         rc = device_create_file(&dev->dev, &dev_attr_failover);
         if (rc)
-                goto ibmvnic_init_fail;
+                goto ibmvnic_dev_file_err;
 
         netif_carrier_off(netdev);
         rc = register_netdev(netdev);
@@ -4687,6 +4695,12 @@ static int ibmvnic_probe(struct vio_dev *dev, const struct vio_device_id *id)
 ibmvnic_register_fail:
         device_remove_file(&dev->dev, &dev_attr_failover);
 
+ibmvnic_dev_file_err:
+        release_stats_token(adapter);
+
+ibmvnic_stats_fail:
+        release_stats_buffers(adapter);
+
 ibmvnic_init_fail:
         release_sub_crqs(adapter, 1);
         release_crq_queue(adapter);
diff --git a/drivers/net/ethernet/mellanox/mlx4/icm.c b/drivers/net/ethernet/mellanox/mlx4/icm.c
index a822f7a56bc5..685337d58276 100644
--- a/drivers/net/ethernet/mellanox/mlx4/icm.c
+++ b/drivers/net/ethernet/mellanox/mlx4/icm.c
@@ -43,12 +43,12 @@
 #include "fw.h"
 
 /*
- * We allocate in as big chunks as we can, up to a maximum of 256 KB
- * per chunk.
+ * We allocate in page size (default 4KB on many archs) chunks to avoid high
+ * order memory allocations in fragmented/high usage memory situation.
  */
 enum {
-        MLX4_ICM_ALLOC_SIZE     = 1 << 18,
-        MLX4_TABLE_CHUNK_SIZE   = 1 << 18
+        MLX4_ICM_ALLOC_SIZE     = PAGE_SIZE,
+        MLX4_TABLE_CHUNK_SIZE   = PAGE_SIZE,
 };
 
 static void mlx4_free_icm_pages(struct mlx4_dev *dev, struct mlx4_icm_chunk *chunk)
@@ -398,9 +398,11 @@ int mlx4_init_icm_table(struct mlx4_dev *dev, struct mlx4_icm_table *table,
         u64 size;
 
         obj_per_chunk = MLX4_TABLE_CHUNK_SIZE / obj_size;
+        if (WARN_ON(!obj_per_chunk))
+                return -EINVAL;
         num_icm = (nobj + obj_per_chunk - 1) / obj_per_chunk;
 
-        table->icm      = kcalloc(num_icm, sizeof(*table->icm), GFP_KERNEL);
+        table->icm      = kvzalloc(num_icm * sizeof(*table->icm), GFP_KERNEL);
         if (!table->icm)
                 return -ENOMEM;
         table->virt     = virt;
@@ -446,7 +448,7 @@ err:
                         mlx4_free_icm(dev, table->icm[i], use_coherent);
                 }
 
-        kfree(table->icm);
+        kvfree(table->icm);
 
         return -ENOMEM;
 }
@@ -462,5 +464,5 @@ void mlx4_cleanup_icm_table(struct mlx4_dev *dev, struct mlx4_icm_table *table)
                         mlx4_free_icm(dev, table->icm[i], table->coherent);
                 }
 
-        kfree(table->icm);
+        kvfree(table->icm);
 }
diff --git a/drivers/net/ethernet/mellanox/mlx4/intf.c b/drivers/net/ethernet/mellanox/mlx4/intf.c
index 2edcce98ab2d..65482f004e50 100644
--- a/drivers/net/ethernet/mellanox/mlx4/intf.c
+++ b/drivers/net/ethernet/mellanox/mlx4/intf.c
@@ -172,7 +172,7 @@ int mlx4_do_bond(struct mlx4_dev *dev, bool enable)
                 list_add_tail(&dev_ctx->list, &priv->ctx_list);
                 spin_unlock_irqrestore(&priv->ctx_lock, flags);
 
-                mlx4_dbg(dev, "Inrerface for protocol %d restarted with when bonded mode is %s\n",
+                mlx4_dbg(dev, "Interface for protocol %d restarted with bonded mode %s\n",
                          dev_ctx->intf->protocol, enable ?
                          "enabled" : "disabled");
         }
diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
index 211578ffc70d..60172a38c4a4 100644
--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -2929,6 +2929,7 @@ static int mlx4_init_port_info(struct mlx4_dev *dev, int port)
                 mlx4_err(dev, "Failed to create file for port %d\n", port);
                 devlink_port_unregister(&info->devlink_port);
                 info->port = -1;
+                return err;
         }
 
         sprintf(info->dev_mtu_name, "mlx4_port%d_mtu", port);
@@ -2950,9 +2951,10 @@ static int mlx4_init_port_info(struct mlx4_dev *dev, int port)
                                    &info->port_attr);
                 devlink_port_unregister(&info->devlink_port);
                 info->port = -1;
+                return err;
         }
 
-        return err;
+        return 0;
 }
 
 static void mlx4_cleanup_port_info(struct mlx4_port_info *info)
diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
index 3aaf4bad6c5a..427e7a31862c 100644
--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
@@ -393,11 +393,11 @@ struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn)
         struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table;
         struct mlx4_qp *qp;
 
-        spin_lock(&qp_table->lock);
+        spin_lock_irq(&qp_table->lock);
 
         qp = __mlx4_qp_lookup(dev, qpn);
 
-        spin_unlock(&qp_table->lock);
+        spin_unlock_irq(&qp_table->lock);
         return qp;
 }
 
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
index 176645762e49..1ff0b0e93804 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -615,6 +615,45 @@ static inline bool is_last_ethertype_ip(struct sk_buff *skb, int *network_depth)
         return (ethertype == htons(ETH_P_IP) || ethertype == htons(ETH_P_IPV6));
 }
 
+static __be32 mlx5e_get_fcs(struct sk_buff *skb)
+{
+        int last_frag_sz, bytes_in_prev, nr_frags;
+        u8 *fcs_p1, *fcs_p2;
+        skb_frag_t *last_frag;
+        __be32 fcs_bytes;
+
+        if (!skb_is_nonlinear(skb))
+                return *(__be32 *)(skb->data + skb->len - ETH_FCS_LEN);
+
+        nr_frags = skb_shinfo(skb)->nr_frags;
+        last_frag = &skb_shinfo(skb)->frags[nr_frags - 1];
+        last_frag_sz = skb_frag_size(last_frag);
+
+        /* If all FCS data is in last frag */
+        if (last_frag_sz >= ETH_FCS_LEN)
+                return *(__be32 *)(skb_frag_address(last_frag) +
+                                   last_frag_sz - ETH_FCS_LEN);
+
+        fcs_p2 = (u8 *)skb_frag_address(last_frag);
+        bytes_in_prev = ETH_FCS_LEN - last_frag_sz;
+
+        /* Find where the other part of the FCS is - Linear or another frag */
+        if (nr_frags == 1) {
+                fcs_p1 = skb_tail_pointer(skb);
+        } else {
+                skb_frag_t *prev_frag = &skb_shinfo(skb)->frags[nr_frags - 2];
+
+                fcs_p1 = skb_frag_address(prev_frag) +
+                            skb_frag_size(prev_frag);
+        }
+        fcs_p1 -= bytes_in_prev;
+
+        memcpy(&fcs_bytes, fcs_p1, bytes_in_prev);
+        memcpy(((u8 *)&fcs_bytes) + bytes_in_prev, fcs_p2, last_frag_sz);
+
+        return fcs_bytes;
+}
+
 static inline void mlx5e_handle_csum(struct net_device *netdev,
                                      struct mlx5_cqe64 *cqe,
                                      struct mlx5e_rq *rq,
@@ -643,6 +682,9 @@ static inline void mlx5e_handle_csum(struct net_device *netdev,
                         skb->csum = csum_partial(skb->data + ETH_HLEN,
                                                  network_depth - ETH_HLEN,
                                                  skb->csum);
+                if (unlikely(netdev->features & NETIF_F_RXFCS))
+                        skb->csum = csum_add(skb->csum,
+                                             (__force __wsum)mlx5e_get_fcs(skb));
                 rq->stats.csum_complete++;
                 return;
         }
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
index 0f5da499a223..fad8c2e3804e 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
@@ -237,19 +237,17 @@ static void *mlx5_fpga_ipsec_cmd_exec(struct mlx5_core_dev *mdev,
         context->buf.sg[0].data = &context->command;
 
         spin_lock_irqsave(&fdev->ipsec->pending_cmds_lock, flags);
-        list_add_tail(&context->list, &fdev->ipsec->pending_cmds);
+        res = mlx5_fpga_sbu_conn_sendmsg(fdev->ipsec->conn, &context->buf);
+        if (!res)
+                list_add_tail(&context->list, &fdev->ipsec->pending_cmds);
         spin_unlock_irqrestore(&fdev->ipsec->pending_cmds_lock, flags);
 
-        res = mlx5_fpga_sbu_conn_sendmsg(fdev->ipsec->conn, &context->buf);
         if (res) {
-                mlx5_fpga_warn(fdev, "Failure sending IPSec command: %d\n",
-                               res);
-                spin_lock_irqsave(&fdev->ipsec->pending_cmds_lock, flags);
-                list_del(&context->list);
-                spin_unlock_irqrestore(&fdev->ipsec->pending_cmds_lock, flags);
+                mlx5_fpga_warn(fdev, "Failed to send IPSec command: %d\n", res);
                 kfree(context);
                 return ERR_PTR(res);
         }
+
         /* Context will be freed by wait func after completion */
         return context;
 }
diff --git a/drivers/net/ethernet/netronome/nfp/bpf/main.c b/drivers/net/ethernet/netronome/nfp/bpf/main.c
index 1dc424685f4e..35fb31f682af 100644
--- a/drivers/net/ethernet/netronome/nfp/bpf/main.c
+++ b/drivers/net/ethernet/netronome/nfp/bpf/main.c
@@ -335,7 +335,7 @@ static int nfp_bpf_parse_capabilities(struct nfp_app *app)
                 return PTR_ERR(mem) == -ENOENT ? 0 : PTR_ERR(mem);
 
         start = mem;
-        while (mem - start + 8 < nfp_cpp_area_size(area)) {
+        while (mem - start + 8 <= nfp_cpp_area_size(area)) {
                 u8 __iomem *value;
                 u32 type, length;
 
diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
index 00f41c145d4d..820b226d6ff8 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -77,7 +77,7 @@
 #define ILT_CFG_REG(cli, reg)   PSWRQ2_REG_ ## cli ## _ ## reg ## _RT_OFFSET
 
 /* ILT entry structure */
-#define ILT_ENTRY_PHY_ADDR_MASK         0x000FFFFFFFFFFFULL
+#define ILT_ENTRY_PHY_ADDR_MASK         (~0ULL >> 12)
 #define ILT_ENTRY_PHY_ADDR_SHIFT        0
 #define ILT_ENTRY_VALID_MASK            0x1ULL
 #define ILT_ENTRY_VALID_SHIFT           52
diff --git a/drivers/net/ethernet/qlogic/qed/qed_ll2.c b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
index 38502815d681..468c59d2e491 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
@@ -292,6 +292,7 @@ static void qed_ll2_txq_flush(struct qed_hwfn *p_hwfn, u8 connection_handle)
         struct qed_ll2_tx_packet *p_pkt = NULL;
         struct qed_ll2_info *p_ll2_conn;
         struct qed_ll2_tx_queue *p_tx;
+        unsigned long flags = 0;
         dma_addr_t tx_frag;
 
         p_ll2_conn = qed_ll2_handle_sanity_inactive(p_hwfn, connection_handle);
@@ -300,6 +301,7 @@ static void qed_ll2_txq_flush(struct qed_hwfn *p_hwfn, u8 connection_handle)
 
         p_tx = &p_ll2_conn->tx_queue;
 
+        spin_lock_irqsave(&p_tx->lock, flags);
         while (!list_empty(&p_tx->active_descq)) {
                 p_pkt = list_first_entry(&p_tx->active_descq,
                                          struct qed_ll2_tx_packet, list_entry);
@@ -309,6 +311,7 @@ static void qed_ll2_txq_flush(struct qed_hwfn *p_hwfn, u8 connection_handle)
                 list_del(&p_pkt->list_entry);
                 b_last_packet = list_empty(&p_tx->active_descq);
                 list_add_tail(&p_pkt->list_entry, &p_tx->free_descq);
+                spin_unlock_irqrestore(&p_tx->lock, flags);
                 if (p_ll2_conn->input.conn_type == QED_LL2_TYPE_OOO) {
                         struct qed_ooo_buffer *p_buffer;
 
@@ -328,7 +331,9 @@ static void qed_ll2_txq_flush(struct qed_hwfn *p_hwfn, u8 connection_handle)
                                                       b_last_frag,
                                                       b_last_packet);
                 }
+                spin_lock_irqsave(&p_tx->lock, flags);
         }
+        spin_unlock_irqrestore(&p_tx->lock, flags);
 }
 
 static int qed_ll2_txq_completion(struct qed_hwfn *p_hwfn, void *p_cookie)
@@ -556,6 +561,7 @@ static void qed_ll2_rxq_flush(struct qed_hwfn *p_hwfn, u8 connection_handle)
         struct qed_ll2_info *p_ll2_conn = NULL;
         struct qed_ll2_rx_packet *p_pkt = NULL;
         struct qed_ll2_rx_queue *p_rx;
+        unsigned long flags = 0;
 
         p_ll2_conn = qed_ll2_handle_sanity_inactive(p_hwfn, connection_handle);
         if (!p_ll2_conn)
@@ -563,13 +569,14 @@ static void qed_ll2_rxq_flush(struct qed_hwfn *p_hwfn, u8 connection_handle)
 
         p_rx = &p_ll2_conn->rx_queue;
 
+        spin_lock_irqsave(&p_rx->lock, flags);
         while (!list_empty(&p_rx->active_descq)) {
                 p_pkt = list_first_entry(&p_rx->active_descq,
                                          struct qed_ll2_rx_packet, list_entry);
                 if (!p_pkt)
                         break;
-
                 list_move_tail(&p_pkt->list_entry, &p_rx->free_descq);
+                spin_unlock_irqrestore(&p_rx->lock, flags);
 
                 if (p_ll2_conn->input.conn_type == QED_LL2_TYPE_OOO) {
                         struct qed_ooo_buffer *p_buffer;
@@ -588,7 +595,30 @@ static void qed_ll2_rxq_flush(struct qed_hwfn *p_hwfn, u8 connection_handle)
                                                       cookie,
                                                       rx_buf_addr, b_last);
                 }
+                spin_lock_irqsave(&p_rx->lock, flags);
         }
+        spin_unlock_irqrestore(&p_rx->lock, flags);
+}
+
+static bool
+qed_ll2_lb_rxq_handler_slowpath(struct qed_hwfn *p_hwfn,
+                                struct core_rx_slow_path_cqe *p_cqe)
+{
+        struct ooo_opaque *iscsi_ooo;
+        u32 cid;
+
+        if (p_cqe->ramrod_cmd_id != CORE_RAMROD_RX_QUEUE_FLUSH)
+                return false;
+
+        iscsi_ooo = (struct ooo_opaque *)&p_cqe->opaque_data;
+        if (iscsi_ooo->ooo_opcode != TCP_EVENT_DELETE_ISLES)
+                return false;
+
+        /* Need to make a flush */
+        cid = le32_to_cpu(iscsi_ooo->cid);
+        qed_ooo_release_connection_isles(p_hwfn, p_hwfn->p_ooo_info, cid);
+
+        return true;
 }
 
 static int qed_ll2_lb_rxq_handler(struct qed_hwfn *p_hwfn,
@@ -617,6 +647,11 @@ static int qed_ll2_lb_rxq_handler(struct qed_hwfn *p_hwfn,
                 cq_old_idx = qed_chain_get_cons_idx(&p_rx->rcq_chain);
                 cqe_type = cqe->rx_cqe_sp.type;
 
+                if (cqe_type == CORE_RX_CQE_TYPE_SLOW_PATH)
+                        if (qed_ll2_lb_rxq_handler_slowpath(p_hwfn,
+                                                            &cqe->rx_cqe_sp))
+                                continue;
+
                 if (cqe_type != CORE_RX_CQE_TYPE_REGULAR) {
                         DP_NOTICE(p_hwfn,
                                   "Got a non-regular LB LL2 completion [type 0x%02x]\n",
@@ -794,6 +829,9 @@ static int qed_ll2_lb_rxq_completion(struct qed_hwfn *p_hwfn, void *p_cookie)
         struct qed_ll2_info *p_ll2_conn = (struct qed_ll2_info *)p_cookie;
         int rc;
 
+        if (!QED_LL2_RX_REGISTERED(p_ll2_conn))
+                return 0;
+
         rc = qed_ll2_lb_rxq_handler(p_hwfn, p_ll2_conn);
         if (rc)
                 return rc;
@@ -814,6 +852,9 @@ static int qed_ll2_lb_txq_completion(struct qed_hwfn *p_hwfn, void *p_cookie)
         u16 new_idx = 0, num_bds = 0;
         int rc;
 
+        if (!QED_LL2_TX_REGISTERED(p_ll2_conn))
+                return 0;
+
         new_idx = le16_to_cpu(*p_tx->p_fw_cons);
         num_bds = ((s16)new_idx - (s16)p_tx->bds_idx);
 
@@ -1867,17 +1908,25 @@ int qed_ll2_terminate_connection(void *cxt, u8 connection_handle)
 
         /* Stop Tx & Rx of connection, if needed */
         if (QED_LL2_TX_REGISTERED(p_ll2_conn)) {
+                p_ll2_conn->tx_queue.b_cb_registred = false;
+                smp_wmb(); /* Make sure this is seen by ll2_lb_rxq_completion */
                 rc = qed_sp_ll2_tx_queue_stop(p_hwfn, p_ll2_conn);
                 if (rc)
                         goto out;
+
                 qed_ll2_txq_flush(p_hwfn, connection_handle);
+                qed_int_unregister_cb(p_hwfn, p_ll2_conn->tx_queue.tx_sb_index);
         }
 
         if (QED_LL2_RX_REGISTERED(p_ll2_conn)) {
+                p_ll2_conn->rx_queue.b_cb_registred = false;
+                smp_wmb(); /* Make sure this is seen by ll2_lb_rxq_completion */
                 rc = qed_sp_ll2_rx_queue_stop(p_hwfn, p_ll2_conn);
                 if (rc)
                         goto out;
+
                 qed_ll2_rxq_flush(p_hwfn, connection_handle);
+                qed_int_unregister_cb(p_hwfn, p_ll2_conn->rx_queue.rx_sb_index);
         }
 
         if (p_ll2_conn->input.conn_type == QED_LL2_TYPE_OOO)
@@ -1925,16 +1974,6 @@ void qed_ll2_release_connection(void *cxt, u8 connection_handle)
         if (!p_ll2_conn)
                 return;
 
-        if (QED_LL2_RX_REGISTERED(p_ll2_conn)) {
-                p_ll2_conn->rx_queue.b_cb_registred = false;
-                qed_int_unregister_cb(p_hwfn, p_ll2_conn->rx_queue.rx_sb_index);
-        }
-
-        if (QED_LL2_TX_REGISTERED(p_ll2_conn)) {
-                p_ll2_conn->tx_queue.b_cb_registred = false;
-                qed_int_unregister_cb(p_hwfn, p_ll2_conn->tx_queue.tx_sb_index);
-        }
-
         kfree(p_ll2_conn->tx_queue.descq_mem);
         qed_chain_free(p_hwfn->cdev, &p_ll2_conn->tx_queue.txq_chain);
 
diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c
index a01e7d6e5442..f6655e251bbd 100644
--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
+++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
@@ -1066,13 +1066,12 @@ static void __qede_remove(struct pci_dev *pdev, enum qede_remove_mode mode)
 
         DP_INFO(edev, "Starting qede_remove\n");
 
+        qede_rdma_dev_remove(edev);
         unregister_netdev(ndev);
         cancel_delayed_work_sync(&edev->sp_task);
 
         qede_ptp_disable(edev);
 
-        qede_rdma_dev_remove(edev);
-
         edev->ops->common->set_power_state(cdev, PCI_D0);
 
         pci_set_drvdata(pdev, NULL);
diff --git a/drivers/net/ethernet/renesas/sh_eth.h b/drivers/net/ethernet/renesas/sh_eth.h
index a5b792ce2ae7..1bf930d4a1e5 100644
--- a/drivers/net/ethernet/renesas/sh_eth.h
+++ b/drivers/net/ethernet/renesas/sh_eth.h
@@ -163,7 +163,7 @@ enum {
 };
 
 /* Driver's parameters */
-#if defined(CONFIG_CPU_SH4) || defined(CONFIG_ARCH_SHMOBILE)
+#if defined(CONFIG_CPU_SH4) || defined(CONFIG_ARCH_RENESAS)
 #define SH_ETH_RX_ALIGN         32
 #else
 #define SH_ETH_RX_ALIGN         2
diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
index 450eec264a5e..4377c26f714d 100644
--- a/drivers/net/ipvlan/ipvlan_main.c
+++ b/drivers/net/ipvlan/ipvlan_main.c
@@ -792,8 +792,10 @@ static int ipvlan_device_event(struct notifier_block *unused,
                 break;
 
         case NETDEV_CHANGEADDR:
-                list_for_each_entry(ipvlan, &port->ipvlans, pnode)
+                list_for_each_entry(ipvlan, &port->ipvlans, pnode) {
                         ether_addr_copy(ipvlan->dev->dev_addr, dev->dev_addr);
+                        call_netdevice_notifiers(NETDEV_CHANGEADDR, ipvlan->dev);
+                }
                 break;
 
         case NETDEV_PRE_TYPE_CHANGE:
diff --git a/drivers/net/phy/bcm-cygnus.c b/drivers/net/phy/bcm-cygnus.c
index 6838129839ca..e757b09f1889 100644
--- a/drivers/net/phy/bcm-cygnus.c
+++ b/drivers/net/phy/bcm-cygnus.c
@@ -61,17 +61,17 @@ static int bcm_cygnus_afe_config(struct phy_device *phydev)
                 return rc;
 
         /* make rcal=100, since rdb default is 000 */
-        rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB1, 0x10);
+        rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB1, 0x10);
         if (rc < 0)
                 return rc;
 
         /* CORE_EXPB0, Reset R_CAL/RC_CAL Engine */
-        rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x10);
+        rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x10);
         if (rc < 0)
                 return rc;
 
         /* CORE_EXPB0, Disable Reset R_CAL/RC_CAL Engine */
-        rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x00);
+        rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x00);
 
         return 0;
 }
diff --git a/drivers/net/phy/bcm-phy-lib.c b/drivers/net/phy/bcm-phy-lib.c
index 5ad130c3da43..d5e0833d69b9 100644
--- a/drivers/net/phy/bcm-phy-lib.c
+++ b/drivers/net/phy/bcm-phy-lib.c
@@ -56,7 +56,7 @@ int bcm54xx_auxctl_read(struct phy_device *phydev, u16 regnum)
         /* The register must be written to both the Shadow Register Select and
          * the Shadow Read Register Selector
          */
-        phy_write(phydev, MII_BCM54XX_AUX_CTL, regnum |
+        phy_write(phydev, MII_BCM54XX_AUX_CTL, MII_BCM54XX_AUXCTL_SHDWSEL_MASK |
                   regnum << MII_BCM54XX_AUXCTL_SHDWSEL_READ_SHIFT);
         return phy_read(phydev, MII_BCM54XX_AUX_CTL);
 }
diff --git a/drivers/net/phy/bcm-phy-lib.h b/drivers/net/phy/bcm-phy-lib.h
index 7c73808cbbde..81cceaa412fe 100644
--- a/drivers/net/phy/bcm-phy-lib.h
+++ b/drivers/net/phy/bcm-phy-lib.h
@@ -14,11 +14,18 @@
 #ifndef _LINUX_BCM_PHY_LIB_H
 #define _LINUX_BCM_PHY_LIB_H
 
+#include <linux/brcmphy.h>
 #include <linux/phy.h>
 
 int bcm_phy_write_exp(struct phy_device *phydev, u16 reg, u16 val);
 int bcm_phy_read_exp(struct phy_device *phydev, u16 reg);
 
+static inline int bcm_phy_write_exp_sel(struct phy_device *phydev,
+                                        u16 reg, u16 val)
+{
+        return bcm_phy_write_exp(phydev, reg | MII_BCM54XX_EXP_SEL_ER, val);
+}
+
 int bcm54xx_auxctl_write(struct phy_device *phydev, u16 regnum, u16 val);
 int bcm54xx_auxctl_read(struct phy_device *phydev, u16 regnum);
 
diff --git a/drivers/net/phy/bcm7xxx.c b/drivers/net/phy/bcm7xxx.c
index 29b1c88b55cc..01d2ff2f6241 100644
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -65,10 +65,10 @@ struct bcm7xxx_phy_priv {
 static void r_rc_cal_reset(struct phy_device *phydev)
 {
         /* Reset R_CAL/RC_CAL Engine */
-        bcm_phy_write_exp(phydev, 0x00b0, 0x0010);
+        bcm_phy_write_exp_sel(phydev, 0x00b0, 0x0010);
 
         /* Disable Reset R_AL/RC_CAL Engine */
-        bcm_phy_write_exp(phydev, 0x00b0, 0x0000);
+        bcm_phy_write_exp_sel(phydev, 0x00b0, 0x0000);
 }
 
 static int bcm7xxx_28nm_b0_afe_config_init(struct phy_device *phydev)
diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
index f41b224a9cdb..ab195f0916d6 100644
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -573,9 +573,40 @@ static int ksz9031_config_init(struct phy_device *phydev)
                 ksz9031_of_load_skew_values(phydev, of_node,
                                 MII_KSZ9031RN_TX_DATA_PAD_SKEW, 4,
                                 tx_data_skews, 4);
+
+                /* Silicon Errata Sheet (DS80000691D or DS80000692D):
+                 * When the device links in the 1000BASE-T slave mode only,
+                 * the optional 125MHz reference output clock (CLK125_NDO)
+                 * has wide duty cycle variation.
+                 *
+                 * The optional CLK125_NDO clock does not meet the RGMII
+                 * 45/55 percent (min/max) duty cycle requirement and therefore
+                 * cannot be used directly by the MAC side for clocking
+                 * applications that have setup/hold time requirements on
+                 * rising and falling clock edges.
+                 *
+                 * Workaround:
+                 * Force the phy to be the master to receive a stable clock
+                 * which meets the duty cycle requirement.
+                 */
+                if (of_property_read_bool(of_node, "micrel,force-master")) {
+                        result = phy_read(phydev, MII_CTRL1000);
+                        if (result < 0)
+                                goto err_force_master;
+
+                        /* enable master mode, config & prefer master */
+                        result |= CTL1000_ENABLE_MASTER | CTL1000_AS_MASTER;
+                        result = phy_write(phydev, MII_CTRL1000, result);
+                        if (result < 0)
+                                goto err_force_master;
+                }
         }
 
         return ksz9031_center_flp_timing(phydev);
+
+err_force_master:
+        phydev_err(phydev, "failed to force the phy to master mode\n");
+        return result;
 }
 
 #define KSZ8873MLL_GLOBAL_CONTROL_4     0x06
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index dc7c7ec43202..02ad03a2fab7 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -605,30 +605,13 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 
         if (cmd == PPPIOCDETACH) {
                 /*
-                 * We have to be careful here... if the file descriptor
-                 * has been dup'd, we could have another process in the
-                 * middle of a poll using the same file *, so we had
-                 * better not free the interface data structures -
-                 * instead we fail the ioctl.  Even in this case, we
-                 * shut down the interface if we are the owner of it.
-                 * Actually, we should get rid of PPPIOCDETACH, userland
-                 * (i.e. pppd) could achieve the same effect by closing
-                 * this fd and reopening /dev/ppp.
+                 * PPPIOCDETACH is no longer supported as it was heavily broken,
+                 * and is only known to have been used by pppd older than
+                 * ppp-2.4.2 (released November 2003).
                  */
+                pr_warn_once("%s (%d) used obsolete PPPIOCDETACH ioctl\n",
+                             current->comm, current->pid);
                 err = -EINVAL;
-                if (pf->kind == INTERFACE) {
-                        ppp = PF_TO_PPP(pf);
-                        rtnl_lock();
-                        if (file == ppp->owner)
-                                unregister_netdevice(ppp->dev);
-                        rtnl_unlock();
-                }
-                if (atomic_long_read(&file->f_count) < 2) {
-                        ppp_release(NULL, file);
-                        err = 0;
-                } else
-                        pr_warn("PPPIOCDETACH file->f_count=%ld\n",
-                                atomic_long_read(&file->f_count));
                 goto out;
         }
 
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index ef33950a45d9..45d807796a18 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -681,15 +681,6 @@ static void tun_queue_purge(struct tun_file *tfile)
         skb_queue_purge(&tfile->sk.sk_error_queue);
 }
 
-static void tun_cleanup_tx_ring(struct tun_file *tfile)
-{
-        if (tfile->tx_ring.queue) {
-                ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
-                xdp_rxq_info_unreg(&tfile->xdp_rxq);
-                memset(&tfile->tx_ring, 0, sizeof(tfile->tx_ring));
-        }
-}
-
 static void __tun_detach(struct tun_file *tfile, bool clean)
 {
         struct tun_file *ntfile;
@@ -736,7 +727,9 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
                             tun->dev->reg_state == NETREG_REGISTERED)
                                 unregister_netdevice(tun->dev);
                 }
-                tun_cleanup_tx_ring(tfile);
+                if (tun)
+                        xdp_rxq_info_unreg(&tfile->xdp_rxq);
+                ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
                 sock_put(&tfile->sk);
         }
 }
@@ -783,14 +776,14 @@ static void tun_detach_all(struct net_device *dev)
                 tun_napi_del(tun, tfile);
                 /* Drop read queue */
                 tun_queue_purge(tfile);
+                xdp_rxq_info_unreg(&tfile->xdp_rxq);
                 sock_put(&tfile->sk);
-                tun_cleanup_tx_ring(tfile);
         }
         list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) {
                 tun_enable_queue(tfile);
                 tun_queue_purge(tfile);
+                xdp_rxq_info_unreg(&tfile->xdp_rxq);
                 sock_put(&tfile->sk);
-                tun_cleanup_tx_ring(tfile);
         }
         BUG_ON(tun->numdisabled != 0);
 
@@ -834,7 +827,8 @@ static int tun_attach(struct tun_struct *tun, struct file *file,
         }
 
         if (!tfile->detached &&
-            ptr_ring_init(&tfile->tx_ring, dev->tx_queue_len, GFP_KERNEL)) {
+            ptr_ring_resize(&tfile->tx_ring, dev->tx_queue_len,
+                            GFP_KERNEL, tun_ptr_free)) {
                 err = -ENOMEM;
                 goto out;
         }
@@ -1429,6 +1423,13 @@ static void tun_net_init(struct net_device *dev)
         dev->max_mtu = MAX_MTU - dev->hard_header_len;
 }
 
+static bool tun_sock_writeable(struct tun_struct *tun, struct tun_file *tfile)
+{
+        struct sock *sk = tfile->socket.sk;
+
+        return (tun->dev->flags & IFF_UP) && sock_writeable(sk);
+}
+
 /* Character device part */
 
 /* Poll */
@@ -1451,10 +1452,14 @@ static __poll_t tun_chr_poll(struct file *file, poll_table *wait)
         if (!ptr_ring_empty(&tfile->tx_ring))
                 mask |= EPOLLIN | EPOLLRDNORM;
 
-        if (tun->dev->flags & IFF_UP &&
-            (sock_writeable(sk) ||
-             (!test_and_set_bit(SOCKWQ_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
-              sock_writeable(sk))))
+        /* Make sure SOCKWQ_ASYNC_NOSPACE is set if not writable to
+         * guarantee EPOLLOUT to be raised by either here or
+         * tun_sock_write_space(). Then process could get notification
+         * after it writes to a down device and meets -EIO.
+         */
+        if (tun_sock_writeable(tun, tfile) ||
+            (!test_and_set_bit(SOCKWQ_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
+             tun_sock_writeable(tun, tfile)))
                 mask |= EPOLLOUT | EPOLLWRNORM;
 
         if (tun->dev->reg_state != NETREG_REGISTERED)
@@ -3219,6 +3224,11 @@ static int tun_chr_open(struct inode *inode, struct file * file)
                                             &tun_proto, 0);
         if (!tfile)
                 return -ENOMEM;
+        if (ptr_ring_init(&tfile->tx_ring, 0, GFP_KERNEL)) {
+                sk_free(&tfile->sk);
+                return -ENOMEM;
+        }
+
         RCU_INIT_POINTER(tfile->tun, NULL);
         tfile->flags = 0;
         tfile->ifindex = 0;
@@ -3239,8 +3249,6 @@ static int tun_chr_open(struct inode *inode, struct file * file)
 
         sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);
 
-        memset(&tfile->tx_ring, 0, sizeof(tfile->tx_ring));
-
         return 0;
 }
 
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 770422e953f7..032e1ac10a30 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -707,6 +707,13 @@ static struct sk_buff *receive_mergeable(struct net_device *dev,
                 void *data;
                 u32 act;
 
+                /* Transient failure which in theory could occur if
+                 * in-flight packets from before XDP was enabled reach
+                 * the receive path after XDP is loaded.
+                 */
+                if (unlikely(hdr->hdr.gso_type))
+                        goto err_xdp;
+
                 /* This happens when rx buffer size is underestimated
                  * or headroom is not enough because of the buffer
                  * was refilled before XDP is set. This should only
@@ -727,14 +734,6 @@ static struct sk_buff *receive_mergeable(struct net_device *dev,
                         xdp_page = page;
                 }
 
-                /* Transient failure which in theory could occur if
-                 * in-flight packets from before XDP was enabled reach
-                 * the receive path after XDP is loaded. In practice I
-                 * was not able to create this condition.
-                 */
-                if (unlikely(hdr->hdr.gso_type))
-                        goto err_xdp;
-
                 /* Allow consuming headroom but reserve enough space to push
                  * the descriptor on if we get an XDP_TX return code.
                  */
@@ -775,7 +774,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev,
                         }
                         *xdp_xmit = true;
                         if (unlikely(xdp_page != page))
-                                goto err_xdp;
+                                put_page(page);
                         rcu_read_unlock();
                         goto xdp_xmit;
                 case XDP_REDIRECT:
@@ -787,7 +786,7 @@ static struct sk_buff *receive_mergeable(struct net_device *dev,
                         }
                         *xdp_xmit = true;
                         if (unlikely(xdp_page != page))
-                                goto err_xdp;
+                                put_page(page);
                         rcu_read_unlock();
                         goto xdp_xmit;
                 default:
@@ -875,7 +874,7 @@ err_xdp:
         rcu_read_unlock();
 err_skb:
         put_page(page);
-        while (--num_buf) {
+        while (num_buf-- > 1) {
                 buf = virtqueue_get_buf(rq->vq, &len);
                 if (unlikely(!buf)) {
                         pr_debug("%s: rx error: %d buffers missing\n",
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index 9ebe2a689966..27a9bb8c9611 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -369,6 +369,11 @@ vmxnet3_tq_tx_complete(struct vmxnet3_tx_queue *tq,
 
         gdesc = tq->comp_ring.base + tq->comp_ring.next2proc;
         while (VMXNET3_TCD_GET_GEN(&gdesc->tcd) == tq->comp_ring.gen) {
+                /* Prevent any &gdesc->tcd field from being (speculatively)
+                 * read before (&gdesc->tcd)->gen is read.
+                 */
+                dma_rmb();
+
                 completed += vmxnet3_unmap_pkt(VMXNET3_TCD_GET_TXIDX(
                                                &gdesc->tcd), tq, adapter->pdev,
                                                adapter);
@@ -1103,6 +1108,11 @@ vmxnet3_tq_xmit(struct sk_buff *skb, struct vmxnet3_tx_queue *tq,
                 gdesc->txd.tci = skb_vlan_tag_get(skb);
         }
 
+        /* Ensure that the write to (&gdesc->txd)->gen will be observed after
+         * all other writes to &gdesc->txd.
+         */
+        dma_wmb();
+
         /* finally flips the GEN bit of the SOP desc. */
         gdesc->dword[2] = cpu_to_le32(le32_to_cpu(gdesc->dword[2]) ^
                                                   VMXNET3_TXD_GEN);
@@ -1298,6 +1308,12 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
                          */
                         break;
                 }
+
+                /* Prevent any rcd field from being (speculatively) read before
+                 * rcd->gen is read.
+                 */
+                dma_rmb();
+
                 BUG_ON(rcd->rqID != rq->qid && rcd->rqID != rq->qid2 &&
                        rcd->rqID != rq->dataRingQid);
                 idx = rcd->rxdIdx;
@@ -1528,6 +1544,12 @@ rcd_done:
                 ring->next2comp = idx;
                 num_to_alloc = vmxnet3_cmd_ring_desc_avail(ring);
                 ring = rq->rx_ring + ring_idx;
+
+                /* Ensure that the writes to rxd->gen bits will be observed
+                 * after all other writes to rxd objects.
+                 */
+                dma_wmb();
+
                 while (num_to_alloc) {
                         vmxnet3_getRxDesc(rxd, &ring->base[ring->next2fill].rxd,
                                           &rxCmdDesc);
@@ -2688,7 +2710,7 @@ vmxnet3_set_mac_addr(struct net_device *netdev, void *p)
 /* ==================== initialization and cleanup routines ============ */
 
 static int
-vmxnet3_alloc_pci_resources(struct vmxnet3_adapter *adapter, bool *dma64)
+vmxnet3_alloc_pci_resources(struct vmxnet3_adapter *adapter)
 {
         int err;
         unsigned long mmio_start, mmio_len;
@@ -2700,30 +2722,12 @@ vmxnet3_alloc_pci_resources(struct vmxnet3_adapter *adapter, bool *dma64)
                 return err;
         }
 
-        if (pci_set_dma_mask(pdev, DMA_BIT_MASK(64)) == 0) {
-                if (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64)) != 0) {
-                        dev_err(&pdev->dev,
-                                "pci_set_consistent_dma_mask failed\n");
-                        err = -EIO;
-                        goto err_set_mask;
-                }
-                *dma64 = true;
-        } else {
-                if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32)) != 0) {
-                        dev_err(&pdev->dev,
-                                "pci_set_dma_mask failed\n");
-                        err = -EIO;
-                        goto err_set_mask;
-                }
-                *dma64 = false;
-        }
-
         err = pci_request_selected_regions(pdev, (1 << 2) - 1,
                                            vmxnet3_driver_name);
         if (err) {
                 dev_err(&pdev->dev,
                         "Failed to request region for adapter: error %d\n", err);
-                goto err_set_mask;
+                goto err_enable_device;
         }
 
         pci_set_master(pdev);
@@ -2751,7 +2755,7 @@ err_bar1:
         iounmap(adapter->hw_addr0);
 err_ioremap:
         pci_release_selected_regions(pdev, (1 << 2) - 1);
-err_set_mask:
+err_enable_device:
         pci_disable_device(pdev);
         return err;
 }
@@ -3254,7 +3258,7 @@ vmxnet3_probe_device(struct pci_dev *pdev,
 #endif
         };
         int err;
-        bool dma64 = false; /* stupid gcc */
+        bool dma64;
         u32 ver;
         struct net_device *netdev;
         struct vmxnet3_adapter *adapter;
@@ -3300,6 +3304,24 @@ vmxnet3_probe_device(struct pci_dev *pdev,
         adapter->rx_ring_size = VMXNET3_DEF_RX_RING_SIZE;
         adapter->rx_ring2_size = VMXNET3_DEF_RX_RING2_SIZE;
 
+        if (pci_set_dma_mask(pdev, DMA_BIT_MASK(64)) == 0) {
+                if (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64)) != 0) {
+                        dev_err(&pdev->dev,
+                                "pci_set_consistent_dma_mask failed\n");
+                        err = -EIO;
+                        goto err_set_mask;
+                }
+                dma64 = true;
+        } else {
+                if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32)) != 0) {
+                        dev_err(&pdev->dev,
+                                "pci_set_dma_mask failed\n");
+                        err = -EIO;
+                        goto err_set_mask;
+                }
+                dma64 = false;
+        }
+
         spin_lock_init(&adapter->cmd_lock);
         adapter->adapter_pa = dma_map_single(&adapter->pdev->dev, adapter,
                                              sizeof(struct vmxnet3_adapter),
@@ -3307,7 +3329,7 @@ vmxnet3_probe_device(struct pci_dev *pdev,
         if (dma_mapping_error(&adapter->pdev->dev, adapter->adapter_pa)) {
                 dev_err(&pdev->dev, "Failed to map dma\n");
                 err = -EFAULT;
-                goto err_dma_map;
+                goto err_set_mask;
         }
         adapter->shared = dma_alloc_coherent(
                                 &adapter->pdev->dev,
@@ -3358,7 +3380,7 @@ vmxnet3_probe_device(struct pci_dev *pdev,
         }
 #endif /* VMXNET3_RSS */
 
-        err = vmxnet3_alloc_pci_resources(adapter, &dma64);
+        err = vmxnet3_alloc_pci_resources(adapter);
         if (err < 0)
                 goto err_alloc_pci;
 
@@ -3504,7 +3526,7 @@ err_alloc_queue_desc:
 err_alloc_shared:
         dma_unmap_single(&adapter->pdev->dev, adapter->adapter_pa,
                          sizeof(struct vmxnet3_adapter), PCI_DMA_TODEVICE);
-err_dma_map:
+err_set_mask:
         free_netdev(netdev);
         return err;
 }
diff --git a/drivers/net/vmxnet3/vmxnet3_int.h b/drivers/net/vmxnet3/vmxnet3_int.h
index a3326463b71f..a2c554f8a61b 100644
--- a/drivers/net/vmxnet3/vmxnet3_int.h
+++ b/drivers/net/vmxnet3/vmxnet3_int.h
@@ -69,10 +69,12 @@
 /*
  * Version numbers
  */
-#define VMXNET3_DRIVER_VERSION_STRING   "1.4.14.0-k"
+#define VMXNET3_DRIVER_VERSION_STRING   "1.4.16.0-k"
 
-/* a 32-bit int, each byte encode a verion number in VMXNET3_DRIVER_VERSION */
-#define VMXNET3_DRIVER_VERSION_NUM      0x01040e00
+/* Each byte of this 32-bit integer encodes a version number in
+ * VMXNET3_DRIVER_VERSION_STRING.
+ */
+#define VMXNET3_DRIVER_VERSION_NUM      0x01041000
 
 #if defined(CONFIG_PCI_MSI)
         /* RSS only makes sense if MSI-X is supported. */
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 4a017a0d71ea..920c23e542a5 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3340,7 +3340,7 @@ out_err:
 static int hwsim_dump_radio_nl(struct sk_buff *skb,
                                struct netlink_callback *cb)
 {
-        int last_idx = cb->args[0];
+        int last_idx = cb->args[0] - 1;
         struct mac80211_hwsim_data *data = NULL;
         int res = 0;
         void *hdr;
@@ -3368,7 +3368,7 @@ static int hwsim_dump_radio_nl(struct sk_buff *skb,
                 last_idx = data->idx;
         }
 
-        cb->args[0] = last_idx;
+        cb->args[0] = last_idx + 1;
 
         /* list changed, but no new element sent, set interrupted flag */
         if (skb->len == 0 && cb->prev_seq && cb->seq != cb->prev_seq) {
diff --git a/drivers/nvme/host/Kconfig b/drivers/nvme/host/Kconfig
index 88a8b5916624..dbb7464c018c 100644
--- a/drivers/nvme/host/Kconfig
+++ b/drivers/nvme/host/Kconfig
@@ -27,7 +27,7 @@ config NVME_FABRICS
 
 config NVME_RDMA
         tristate "NVM Express over Fabrics RDMA host driver"
-        depends on INFINIBAND && INFINIBAND_ADDR_TRANS && BLOCK
+        depends on INFINIBAND_ADDR_TRANS && BLOCK
         select NVME_CORE
         select NVME_FABRICS
         select SG_POOL
diff --git a/drivers/nvme/target/Kconfig b/drivers/nvme/target/Kconfig
index 3c7b61ddb0d1..7595664ee753 100644
--- a/drivers/nvme/target/Kconfig
+++ b/drivers/nvme/target/Kconfig
@@ -27,7 +27,7 @@ config NVME_TARGET_LOOP
 
 config NVME_TARGET_RDMA
         tristate "NVMe over Fabrics RDMA target support"
-        depends on INFINIBAND && INFINIBAND_ADDR_TRANS
+        depends on INFINIBAND_ADDR_TRANS
         depends on NVME_TARGET
         select SGL_ALLOC
         help
diff --git a/drivers/platform/chrome/cros_ec_proto.c b/drivers/platform/chrome/cros_ec_proto.c
index e7bbdf947bbc..8350ca2311c7 100644
--- a/drivers/platform/chrome/cros_ec_proto.c
+++ b/drivers/platform/chrome/cros_ec_proto.c
@@ -91,6 +91,8 @@ static int send_command(struct cros_ec_device *ec_dev,
                         usleep_range(10000, 11000);
 
                         ret = (*xfer_fxn)(ec_dev, status_msg);
+                        if (ret == -EAGAIN)
+                                continue;
                         if (ret < 0)
                                 break;
 
diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
index a8b831000b2d..18c4f933e8b9 100644
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -4,7 +4,7 @@
  *
  * Debug traces for zfcp.
  *
- * Copyright IBM Corp. 2002, 2017
+ * Copyright IBM Corp. 2002, 2018
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -308,6 +308,27 @@ void zfcp_dbf_rec_trig(char *tag, struct zfcp_adapter *adapter,
         spin_unlock_irqrestore(&dbf->rec_lock, flags);
 }
 
+/**
+ * zfcp_dbf_rec_trig_lock - trace event related to triggered recovery with lock
+ * @tag: identifier for event
+ * @adapter: adapter on which the erp_action should run
+ * @port: remote port involved in the erp_action
+ * @sdev: scsi device involved in the erp_action
+ * @want: wanted erp_action
+ * @need: required erp_action
+ *
+ * The adapter->erp_lock must not be held.
+ */
+void zfcp_dbf_rec_trig_lock(char *tag, struct zfcp_adapter *adapter,
+                            struct zfcp_port *port, struct scsi_device *sdev,
+                            u8 want, u8 need)
+{
+        unsigned long flags;
+
+        read_lock_irqsave(&adapter->erp_lock, flags);
+        zfcp_dbf_rec_trig(tag, adapter, port, sdev, want, need);
+        read_unlock_irqrestore(&adapter->erp_lock, flags);
+}
 
 /**
  * zfcp_dbf_rec_run_lvl - trace event related to running recovery
diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
index bf8ea4df2bb8..e5eed8aac0ce 100644
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -4,7 +4,7 @@
  *
  * External function declarations.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2018
  */
 
 #ifndef ZFCP_EXT_H
@@ -35,6 +35,9 @@ extern int zfcp_dbf_adapter_register(struct zfcp_adapter *);
 extern void zfcp_dbf_adapter_unregister(struct zfcp_adapter *);
 extern void zfcp_dbf_rec_trig(char *, struct zfcp_adapter *,
                               struct zfcp_port *, struct scsi_device *, u8, u8);
+extern void zfcp_dbf_rec_trig_lock(char *tag, struct zfcp_adapter *adapter,
+                                   struct zfcp_port *port,
+                                   struct scsi_device *sdev, u8 want, u8 need);
 extern void zfcp_dbf_rec_run(char *, struct zfcp_erp_action *);
 extern void zfcp_dbf_rec_run_lvl(int level, char *tag,
                                  struct zfcp_erp_action *erp);
diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
index 4d2ba5682493..22f9562f415c 100644
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -4,7 +4,7 @@
  *
  * Interface to Linux SCSI midlayer.
  *
- * Copyright IBM Corp. 2002, 2017
+ * Copyright IBM Corp. 2002, 2018
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -618,9 +618,9 @@ static void zfcp_scsi_rport_register(struct zfcp_port *port)
         ids.port_id = port->d_id;
         ids.roles = FC_RPORT_ROLE_FCP_TARGET;
 
-        zfcp_dbf_rec_trig("scpaddy", port->adapter, port, NULL,
-                          ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD,
-                          ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD);
+        zfcp_dbf_rec_trig_lock("scpaddy", port->adapter, port, NULL,
+                               ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD,
+                               ZFCP_PSEUDO_ERP_ACTION_RPORT_ADD);
         rport = fc_remote_port_add(port->adapter->scsi_host, 0, &ids);
         if (!rport) {
                 dev_err(&port->adapter->ccw_device->dev,
@@ -642,9 +642,9 @@ static void zfcp_scsi_rport_block(struct zfcp_port *port)
         struct fc_rport *rport = port->rport;
 
         if (rport) {
-                zfcp_dbf_rec_trig("scpdely", port->adapter, port, NULL,
-                                  ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL,
-                                  ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL);
+                zfcp_dbf_rec_trig_lock("scpdely", port->adapter, port, NULL,
+                                       ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL,
+                                       ZFCP_PSEUDO_ERP_ACTION_RPORT_DEL);
                 fc_remote_port_delete(rport);
                 port->rport = NULL;
         }
diff --git a/drivers/scsi/Makefile b/drivers/scsi/Makefile
index e29f9b8fd66d..56c940394729 100644
--- a/drivers/scsi/Makefile
+++ b/drivers/scsi/Makefile
@@ -182,7 +182,7 @@ zalon7xx-objs	:= zalon.o ncr53c8xx.o
 NCR_Q720_mod-objs       := NCR_Q720.o ncr53c8xx.o
 
 # Files generated that shall be removed upon make clean
-clean-files :=  53c700_d.h 53c700_u.h
+clean-files :=  53c700_d.h 53c700_u.h scsi_devinfo_tbl.c
 
 $(obj)/53c700.o $(MODVERDIR)/$(obj)/53c700.ver: $(obj)/53c700_d.h
 
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index c198b96368dd..5c40d809830f 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1894,7 +1894,7 @@ retry:
                 num = (rem_sz > scatter_elem_sz_prev) ?
                         scatter_elem_sz_prev : rem_sz;
 
-                schp->pages[k] = alloc_pages(gfp_mask, order);
+                schp->pages[k] = alloc_pages(gfp_mask | __GFP_ZERO, order);
                 if (!schp->pages[k])
                         goto out;
 
diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c
index 2a21f2d48592..35fab1e18adc 100644
--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
         struct scsi_device *SDev;
         struct scsi_sense_hdr sshdr;
         int result, err = 0, retries = 0;
+        unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL;
 
         SDev = cd->device;
 
+        if (cgc->sense)
+                senseptr = sense_buffer;
+
       retry:
         if (!scsi_block_when_processing_errors(SDev)) {
                 err = -ENODEV;
@@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct packet_command *cgc)
         }
 
         result = scsi_execute(SDev, cgc->cmd, cgc->data_direction,
-                              cgc->buffer, cgc->buflen,
-                              (unsigned char *)cgc->sense, &sshdr,
+                              cgc->buffer, cgc->buflen, senseptr, &sshdr,
                               cgc->timeout, IOCTL_RETRIES, 0, 0, NULL);
 
+        if (cgc->sense)
+                memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense));
+
         /* Minimal error checking.  Ignore cases we know about, and report the rest. */
         if (driver_byte(result) != 0) {
                 switch (sshdr.sense_key) {
diff --git a/drivers/ssb/Kconfig b/drivers/ssb/Kconfig
index 9371651d8017..c574dd210500 100644
--- a/drivers/ssb/Kconfig
+++ b/drivers/ssb/Kconfig
@@ -117,7 +117,7 @@ config SSB_SERIAL
 
 config SSB_DRIVER_PCICORE_POSSIBLE
         bool
-        depends on SSB_PCIHOST && SSB = y
+        depends on SSB_PCIHOST
         default y
 
 config SSB_DRIVER_PCICORE
@@ -131,7 +131,7 @@ config SSB_DRIVER_PCICORE
 
 config SSB_PCICORE_HOSTMODE
         bool "Hostmode support for SSB PCI core"
-        depends on SSB_DRIVER_PCICORE && SSB_DRIVER_MIPS
+        depends on SSB_DRIVER_PCICORE && SSB_DRIVER_MIPS && SSB = y
         help
           PCIcore hostmode operation (external PCI bus).
 
diff --git a/drivers/staging/lustre/lnet/Kconfig b/drivers/staging/lustre/lnet/Kconfig
index ad049e6f24e4..f3b1ad4bd3dc 100644
--- a/drivers/staging/lustre/lnet/Kconfig
+++ b/drivers/staging/lustre/lnet/Kconfig
@@ -34,7 +34,7 @@ config LNET_SELFTEST
 
 config LNET_XPRT_IB
         tristate "LNET infiniband support"
-        depends on LNET && PCI && INFINIBAND && INFINIBAND_ADDR_TRANS
+        depends on LNET && PCI && INFINIBAND_ADDR_TRANS
         default LNET && INFINIBAND
         help
           This option allows the LNET users to use infiniband as an
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index 4ad89ea71a70..4f26bdc3d1dc 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -2121,6 +2121,8 @@ static ssize_t tcmu_qfull_time_out_store(struct config_item *item,
 
         if (val >= 0) {
                 udev->qfull_time_out = val * MSEC_PER_SEC;
+        } else if (val == -1) {
+                udev->qfull_time_out = val;
         } else {
                 printk(KERN_ERR "Invalid qfull timeout value %d\n", val);
                 return -EINVAL;
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index f3bd8e941224..f0be5f35ab28 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -981,6 +981,7 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev,
 {
         int ret = 0;
 
+        mutex_lock(&dev->mutex);
         vhost_dev_lock_vqs(dev);
         switch (msg->type) {
         case VHOST_IOTLB_UPDATE:
@@ -1016,6 +1017,8 @@ static int vhost_process_iotlb_msg(struct vhost_dev *dev,
         }
 
         vhost_dev_unlock_vqs(dev);
+        mutex_unlock(&dev->mutex);
+
         return ret;
 }
 ssize_t vhost_chr_write_iter(struct vhost_dev *dev,
diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
index e1c60899fdbc..a6f9ba85dc4b 100644
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -351,7 +351,7 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
          * physical address */
         phys = xen_bus_to_phys(dev_addr);
 
-        if (((dev_addr + size - 1 > dma_mask)) ||
+        if (((dev_addr + size - 1 <= dma_mask)) ||
             range_straddles_page_boundary(phys, size))
                 xen_destroy_contiguous_region(phys, order);
 
diff --git a/fs/affs/namei.c b/fs/affs/namei.c
index d8aa0ae3d037..41c5749f4db7 100644
--- a/fs/affs/namei.c
+++ b/fs/affs/namei.c
@@ -201,14 +201,16 @@ affs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags)
         struct super_block *sb = dir->i_sb;
         struct buffer_head *bh;
         struct inode *inode = NULL;
+        struct dentry *res;
 
         pr_debug("%s(\"%pd\")\n", __func__, dentry);
 
         affs_lock_dir(dir);
         bh = affs_find_entry(dir, dentry);
-        affs_unlock_dir(dir);
-        if (IS_ERR(bh))
+        if (IS_ERR(bh)) {
+                affs_unlock_dir(dir);
                 return ERR_CAST(bh);
+        }
         if (bh) {
                 u32 ino = bh->b_blocknr;
 
@@ -222,11 +224,12 @@ affs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags)
                 }
                 affs_brelse(bh);
                 inode = affs_iget(sb, ino);
-                if (IS_ERR(inode))
-                        return ERR_CAST(inode);
         }
-        d_add(dentry, inode);
-        return NULL;
+        res = d_splice_alias(inode, dentry);
+        if (!IS_ERR_OR_NULL(res))
+                res->d_fsdata = dentry->d_fsdata;
+        affs_unlock_dir(dir);
+        return res;
 }
 
 int
diff --git a/fs/aio.c b/fs/aio.c
index 88d7927ffbc6..8061d9787e54 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1078,8 +1078,8 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
 
         ctx = rcu_dereference(table->table[id]);
         if (ctx && ctx->user_id == ctx_id) {
-                percpu_ref_get(&ctx->users);
-                ret = ctx;
+                if (percpu_ref_tryget_live(&ctx->users))
+                        ret = ctx;
         }
 out:
         rcu_read_unlock();
diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c
index af2832aaeec5..4700b4534439 100644
--- a/fs/befs/linuxvfs.c
+++ b/fs/befs/linuxvfs.c
@@ -198,23 +198,16 @@ befs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags)
 
         if (ret == BEFS_BT_NOT_FOUND) {
                 befs_debug(sb, "<--- %s %pd not found", __func__, dentry);
-                d_add(dentry, NULL);
-                return ERR_PTR(-ENOENT);
-
+                inode = NULL;
         } else if (ret != BEFS_OK || offset == 0) {
                 befs_error(sb, "<--- %s Error", __func__);
-                return ERR_PTR(-ENODATA);
+                inode = ERR_PTR(-ENODATA);
+        } else {
+                inode = befs_iget(dir->i_sb, (ino_t) offset);
         }
-
-        inode = befs_iget(dir->i_sb, (ino_t) offset);
-        if (IS_ERR(inode))
-                return ERR_CAST(inode);
-
-        d_add(dentry, inode);
-
         befs_debug(sb, "<--- %s", __func__);
 
-        return NULL;
+        return d_splice_alias(inode, dentry);
 }
 
 static int
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 8e604e7071f1..0b86cf10cf2a 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6586,8 +6586,7 @@ static int btrfs_mknod(struct inode *dir, struct dentry *dentry,
                 goto out_unlock_inode;
         } else {
                 btrfs_update_inode(trans, root, inode);
-                unlock_new_inode(inode);
-                d_instantiate(dentry, inode);
+                d_instantiate_new(dentry, inode);
         }
 
 out_unlock:
@@ -6663,8 +6662,7 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry,
                 goto out_unlock_inode;
 
         BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops;
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
 
 out_unlock:
         btrfs_end_transaction(trans);
@@ -6809,12 +6807,7 @@ static int btrfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
         if (err)
                 goto out_fail_inode;
 
-        d_instantiate(dentry, inode);
-        /*
-         * mkdir is special.  We're unlocking after we call d_instantiate
-         * to avoid a race with nfsd calling d_instantiate.
-         */
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
         drop_on_err = 0;
 
 out_fail:
@@ -9124,7 +9117,8 @@ static int btrfs_truncate(struct inode *inode, bool skip_writeback)
                                                  BTRFS_EXTENT_DATA_KEY);
                 trans->block_rsv = &fs_info->trans_block_rsv;
                 if (ret != -ENOSPC && ret != -EAGAIN) {
-                        err = ret;
+                        if (ret < 0)
+                                err = ret;
                         break;
                 }
 
@@ -10257,8 +10251,7 @@ static int btrfs_symlink(struct inode *dir, struct dentry *dentry,
                 goto out_unlock_inode;
         }
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
 
 out_unlock:
         btrfs_end_transaction(trans);
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
index 0daa1e3fe0df..ab0bbe93b398 100644
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -572,6 +572,11 @@ lookup_again:
                         if (ret < 0)
                                 goto create_error;
 
+                        if (unlikely(d_unhashed(next))) {
+                                dput(next);
+                                inode_unlock(d_inode(dir));
+                                goto lookup_again;
+                        }
                         ASSERT(d_backing_inode(next));
 
                         _debug("mkdir -> %p{%p{ino=%lu}}",
@@ -764,6 +769,7 @@ struct dentry *cachefiles_get_directory(struct cachefiles_cache *cache,
         /* search the current directory for the element name */
         inode_lock(d_inode(dir));
 
+retry:
         start = jiffies;
         subdir = lookup_one_len(dirname, dir, strlen(dirname));
         cachefiles_hist(cachefiles_lookup_histogram, start);
@@ -793,6 +799,10 @@ struct dentry *cachefiles_get_directory(struct cachefiles_cache *cache,
                 if (ret < 0)
                         goto mkdir_error;
 
+                if (unlikely(d_unhashed(subdir))) {
+                        dput(subdir);
+                        goto retry;
+                }
                 ASSERT(d_backing_inode(subdir));
 
                 _debug("mkdir -> %p{%p{ino=%lu}}",
diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig
index 5f132d59dfc2..d61e2de8d0eb 100644
--- a/fs/cifs/Kconfig
+++ b/fs/cifs/Kconfig
@@ -197,7 +197,7 @@ config CIFS_SMB311
 
 config CIFS_SMB_DIRECT
         bool "SMB Direct support (Experimental)"
-        depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
+        depends on CIFS=m && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND_ADDR_TRANS=y
         help
           Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1.
           SMB Direct allows transferring SMB packets over RDMA. If unsure,
diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
index 017b0ab19bc4..124b093d14e5 100644
--- a/fs/cramfs/inode.c
+++ b/fs/cramfs/inode.c
@@ -492,7 +492,7 @@ static void cramfs_kill_sb(struct super_block *sb)
 {
         struct cramfs_sb_info *sbi = CRAMFS_SB(sb);
 
-        if (IS_ENABLED(CCONFIG_CRAMFS_MTD) && sb->s_mtd) {
+        if (IS_ENABLED(CONFIG_CRAMFS_MTD) && sb->s_mtd) {
                 if (sbi && sbi->mtd_point_size)
                         mtd_unpoint(sb->s_mtd, 0, sbi->mtd_point_size);
                 kill_mtd_super(sb);
diff --git a/fs/dcache.c b/fs/dcache.c
index 86d2de63461e..2acfc69878f5 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1899,6 +1899,28 @@ void d_instantiate(struct dentry *entry, struct inode * inode)
 }
 EXPORT_SYMBOL(d_instantiate);
 
+/*
+ * This should be equivalent to d_instantiate() + unlock_new_inode(),
+ * with lockdep-related part of unlock_new_inode() done before
+ * anything else.  Use that instead of open-coding d_instantiate()/
+ * unlock_new_inode() combinations.
+ */
+void d_instantiate_new(struct dentry *entry, struct inode *inode)
+{
+        BUG_ON(!hlist_unhashed(&entry->d_u.d_alias));
+        BUG_ON(!inode);
+        lockdep_annotate_inode_mutex_key(inode);
+        security_d_instantiate(entry, inode);
+        spin_lock(&inode->i_lock);
+        __d_instantiate(entry, inode);
+        WARN_ON(!(inode->i_state & I_NEW));
+        inode->i_state &= ~I_NEW;
+        smp_mb();
+        wake_up_bit(&inode->i_state, __I_NEW);
+        spin_unlock(&inode->i_lock);
+}
+EXPORT_SYMBOL(d_instantiate_new);
+
 /**
  * d_instantiate_no_diralias - instantiate a non-aliased dentry
  * @entry: dentry to complete
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index 97d17eaeba07..49121e5a8de2 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -283,8 +283,7 @@ ecryptfs_create(struct inode *directory_inode, struct dentry *ecryptfs_dentry,
                 iget_failed(ecryptfs_inode);
                 goto out;
         }
-        unlock_new_inode(ecryptfs_inode);
-        d_instantiate(ecryptfs_dentry, ecryptfs_inode);
+        d_instantiate_new(ecryptfs_dentry, ecryptfs_inode);
 out:
         return rc;
 }
diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
index 1e01fabef130..71635909df3b 100644
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -1264,21 +1264,11 @@ do_indirects:
 
 static void ext2_truncate_blocks(struct inode *inode, loff_t offset)
 {
-        /*
-         * XXX: it seems like a bug here that we don't allow
-         * IS_APPEND inode to have blocks-past-i_size trimmed off.
-         * review and fix this.
-         *
-         * Also would be nice to be able to handle IO errors and such,
-         * but that's probably too much to ask.
-         */
         if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) ||
             S_ISLNK(inode->i_mode)))
                 return;
         if (ext2_inode_is_fast_symlink(inode))
                 return;
-        if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
-                return;
 
         dax_sem_down_write(EXT2_I(inode));
         __ext2_truncate_blocks(inode, offset);
diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c
index 55f7caadb093..152453a91877 100644
--- a/fs/ext2/namei.c
+++ b/fs/ext2/namei.c
@@ -41,8 +41,7 @@ static inline int ext2_add_nondir(struct dentry *dentry, struct inode *inode)
 {
         int err = ext2_add_link(dentry, inode);
         if (!err) {
-                unlock_new_inode(inode);
-                d_instantiate(dentry, inode);
+                d_instantiate_new(dentry, inode);
                 return 0;
         }
         inode_dec_link_count(inode);
@@ -255,8 +254,7 @@ static int ext2_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode)
         if (err)
                 goto out_fail;
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
 out:
         return err;
 
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index b1f21e3a0763..4a09063ce1d2 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2411,8 +2411,7 @@ static int ext4_add_nondir(handle_t *handle,
         int err = ext4_add_entry(handle, dentry, inode);
         if (!err) {
                 ext4_mark_inode_dirty(handle, inode);
-                unlock_new_inode(inode);
-                d_instantiate(dentry, inode);
+                d_instantiate_new(dentry, inode);
                 return 0;
         }
         drop_nlink(inode);
@@ -2651,8 +2650,7 @@ out_clear_inode:
         err = ext4_mark_inode_dirty(handle, dir);
         if (err)
                 goto out_clear_inode;
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         if (IS_DIRSYNC(dir))
                 ext4_handle_sync(handle);
 
diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index d5098efe577c..75e37fd720b2 100644
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -294,8 +294,7 @@ static int f2fs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
 
         alloc_nid_done(sbi, ino);
 
-        d_instantiate(dentry, inode);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
 
         if (IS_DIRSYNC(dir))
                 f2fs_sync_fs(sbi->sb, 1);
@@ -597,8 +596,7 @@ static int f2fs_symlink(struct inode *dir, struct dentry *dentry,
         err = page_symlink(inode, disk_link.name, disk_link.len);
 
 err_out:
-        d_instantiate(dentry, inode);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
 
         /*
          * Let's flush symlink data in order to avoid broken symlink as much as
@@ -661,8 +659,7 @@ static int f2fs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
 
         alloc_nid_done(sbi, inode->i_ino);
 
-        d_instantiate(dentry, inode);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
 
         if (IS_DIRSYNC(dir))
                 f2fs_sync_fs(sbi->sb, 1);
@@ -713,8 +710,7 @@ static int f2fs_mknod(struct inode *dir, struct dentry *dentry,
 
         alloc_nid_done(sbi, inode->i_ino);
 
-        d_instantiate(dentry, inode);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
 
         if (IS_DIRSYNC(dir))
                 f2fs_sync_fs(sbi->sb, 1);
diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c
index 0a754f38462e..e5a6deb38e1e 100644
--- a/fs/jffs2/dir.c
+++ b/fs/jffs2/dir.c
@@ -209,8 +209,7 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry,
                   __func__, inode->i_ino, inode->i_mode, inode->i_nlink,
                   f->inocache->pino_nlink, inode->i_mapping->nrpages);
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         return 0;
 
  fail:
@@ -430,8 +429,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
         mutex_unlock(&dir_f->sem);
         jffs2_complete_reservation(c);
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         return 0;
 
  fail:
@@ -575,8 +573,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, umode_t mode
         mutex_unlock(&dir_f->sem);
         jffs2_complete_reservation(c);
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         return 0;
 
  fail:
@@ -747,8 +744,7 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, umode_t mode
         mutex_unlock(&dir_f->sem);
         jffs2_complete_reservation(c);
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         return 0;
 
  fail:
diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index b41596d71858..56c3fcbfe80e 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -178,8 +178,7 @@ static int jfs_create(struct inode *dip, struct dentry *dentry, umode_t mode,
                 unlock_new_inode(ip);
                 iput(ip);
         } else {
-                unlock_new_inode(ip);
-                d_instantiate(dentry, ip);
+                d_instantiate_new(dentry, ip);
         }
 
       out2:
@@ -313,8 +312,7 @@ static int jfs_mkdir(struct inode *dip, struct dentry *dentry, umode_t mode)
                 unlock_new_inode(ip);
                 iput(ip);
         } else {
-                unlock_new_inode(ip);
-                d_instantiate(dentry, ip);
+                d_instantiate_new(dentry, ip);
         }
 
       out2:
@@ -1059,8 +1057,7 @@ static int jfs_symlink(struct inode *dip, struct dentry *dentry,
                 unlock_new_inode(ip);
                 iput(ip);
         } else {
-                unlock_new_inode(ip);
-                d_instantiate(dentry, ip);
+                d_instantiate_new(dentry, ip);
         }
 
       out2:
@@ -1447,8 +1444,7 @@ static int jfs_mknod(struct inode *dir, struct dentry *dentry,
                 unlock_new_inode(ip);
                 iput(ip);
         } else {
-                unlock_new_inode(ip);
-                d_instantiate(dentry, ip);
+                d_instantiate_new(dentry, ip);
         }
 
       out1:
diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c
index 26dd9a50f383..ff2716f9322e 100644
--- a/fs/kernfs/mount.c
+++ b/fs/kernfs/mount.c
@@ -316,6 +316,7 @@ struct dentry *kernfs_mount_ns(struct file_system_type *fs_type, int flags,
 
         info->root = root;
         info->ns = ns;
+        INIT_LIST_HEAD(&info->node);
 
         sb = sget_userns(fs_type, kernfs_test_super, kernfs_set_super, flags,
                          &init_user_ns, info);
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 2410b093a2e6..b0555d7d8200 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1201,6 +1201,28 @@ nfsd_create_locked(struct svc_rqst *rqstp, struct svc_fh *fhp,
                 break;
         case S_IFDIR:
                 host_err = vfs_mkdir(dirp, dchild, iap->ia_mode);
+                if (!host_err && unlikely(d_unhashed(dchild))) {
+                        struct dentry *d;
+                        d = lookup_one_len(dchild->d_name.name,
+                                           dchild->d_parent,
+                                           dchild->d_name.len);
+                        if (IS_ERR(d)) {
+                                host_err = PTR_ERR(d);
+                                break;
+                        }
+                        if (unlikely(d_is_negative(d))) {
+                                dput(d);
+                                err = nfserr_serverfault;
+                                goto out;
+                        }
+                        dput(resfhp->fh_dentry);
+                        resfhp->fh_dentry = dget(d);
+                        err = fh_update(resfhp);
+                        dput(dchild);
+                        dchild = d;
+                        if (err)
+                                goto out;
+                }
                 break;
         case S_IFCHR:
         case S_IFBLK:
diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c
index 1a2894aa0194..dd52d3f82e8d 100644
--- a/fs/nilfs2/namei.c
+++ b/fs/nilfs2/namei.c
@@ -46,8 +46,7 @@ static inline int nilfs_add_nondir(struct dentry *dentry, struct inode *inode)
         int err = nilfs_add_link(dentry, inode);
 
         if (!err) {
-                d_instantiate(dentry, inode);
-                unlock_new_inode(inode);
+                d_instantiate_new(dentry, inode);
                 return 0;
         }
         inode_dec_link_count(inode);
@@ -243,8 +242,7 @@ static int nilfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
                 goto out_fail;
 
         nilfs_mark_inode_dirty(inode);
-        d_instantiate(dentry, inode);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
 out:
         if (!err)
                 err = nilfs_transaction_commit(dir->i_sb);
diff --git a/fs/ocfs2/cluster/heartbeat.c b/fs/ocfs2/cluster/heartbeat.c
index 91a8889abf9b..ea8c551bcd7e 100644
--- a/fs/ocfs2/cluster/heartbeat.c
+++ b/fs/ocfs2/cluster/heartbeat.c
@@ -570,16 +570,7 @@ static struct bio *o2hb_setup_one_bio(struct o2hb_region *reg,
                      current_page, vec_len, vec_start);
 
                 len = bio_add_page(bio, page, vec_len, vec_start);
-                if (len != vec_len) {
-                        mlog(ML_ERROR, "Adding page[%d] to bio failed, "
-                             "page %p, len %d, vec_len %u, vec_start %u, "
-                             "bi_sector %llu\n", current_page, page, len,
-                             vec_len, vec_start,
-                             (unsigned long long)bio->bi_iter.bi_sector);
-                        bio_put(bio);
-                        bio = ERR_PTR(-EIO);
-                        return bio;
-                }
+                if (len != vec_len) break;
 
                 cs += vec_len / (PAGE_SIZE/spp);
                 vec_start = 0;
diff --git a/fs/orangefs/namei.c b/fs/orangefs/namei.c
index 6e3134e6d98a..1b5707c44c3f 100644
--- a/fs/orangefs/namei.c
+++ b/fs/orangefs/namei.c
@@ -75,8 +75,7 @@ static int orangefs_create(struct inode *dir,
                      get_khandle_from_ino(inode),
                      dentry);
 
-        d_instantiate(dentry, inode);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
         orangefs_set_timeout(dentry);
         ORANGEFS_I(inode)->getattr_time = jiffies - 1;
         ORANGEFS_I(inode)->getattr_mask = STATX_BASIC_STATS;
@@ -332,8 +331,7 @@ static int orangefs_symlink(struct inode *dir,
                      "Assigned symlink inode new number of %pU\n",
                      get_khandle_from_ino(inode));
 
-        d_instantiate(dentry, inode);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
         orangefs_set_timeout(dentry);
         ORANGEFS_I(inode)->getattr_time = jiffies - 1;
         ORANGEFS_I(inode)->getattr_mask = STATX_BASIC_STATS;
@@ -402,8 +400,7 @@ static int orangefs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode
                      "Assigned dir inode new number of %pU\n",
                      get_khandle_from_ino(inode));
 
-        d_instantiate(dentry, inode);
-        unlock_new_inode(inode);
+        d_instantiate_new(dentry, inode);
         orangefs_set_timeout(dentry);
         ORANGEFS_I(inode)->getattr_time = jiffies - 1;
         ORANGEFS_I(inode)->getattr_mask = STATX_BASIC_STATS;
diff --git a/fs/proc/array.c b/fs/proc/array.c
index ae2c807fd719..72391b3f6927 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -85,6 +85,7 @@
 #include <linux/delayacct.h>
 #include <linux/seq_file.h>
 #include <linux/pid_namespace.h>
+#include <linux/prctl.h>
 #include <linux/ptrace.h>
 #include <linux/tracehook.h>
 #include <linux/string_helpers.h>
@@ -335,6 +336,30 @@ static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
 #ifdef CONFIG_SECCOMP
         seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode);
 #endif
+        seq_printf(m, "\nSpeculation_Store_Bypass:\t");
+        switch (arch_prctl_spec_ctrl_get(p, PR_SPEC_STORE_BYPASS)) {
+        case -EINVAL:
+                seq_printf(m, "unknown");
+                break;
+        case PR_SPEC_NOT_AFFECTED:
+                seq_printf(m, "not vulnerable");
+                break;
+        case PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE:
+                seq_printf(m, "thread force mitigated");
+                break;
+        case PR_SPEC_PRCTL | PR_SPEC_DISABLE:
+                seq_printf(m, "thread mitigated");
+                break;
+        case PR_SPEC_PRCTL | PR_SPEC_ENABLE:
+                seq_printf(m, "thread vulnerable");
+                break;
+        case PR_SPEC_DISABLE:
+                seq_printf(m, "globally mitigated");
+                break;
+        default:
+                seq_printf(m, "vulnerable");
+                break;
+        }
         seq_putc(m, '\n');
 }
 
diff --git a/fs/reiserfs/namei.c b/fs/reiserfs/namei.c
index bd39a998843d..5089dac02660 100644
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -687,8 +687,7 @@ static int reiserfs_create(struct inode *dir, struct dentry *dentry, umode_t mod
         reiserfs_update_inode_transaction(inode);
         reiserfs_update_inode_transaction(dir);
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         retval = journal_end(&th);
 
 out_failed:
@@ -771,8 +770,7 @@ static int reiserfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode
                 goto out_failed;
         }
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         retval = journal_end(&th);
 
 out_failed:
@@ -871,8 +869,7 @@ static int reiserfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode
         /* the above add_entry did not update dir's stat data */
         reiserfs_update_sd(&th, dir);
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         retval = journal_end(&th);
 out_failed:
         reiserfs_write_unlock(dir->i_sb);
@@ -1187,8 +1184,7 @@ static int reiserfs_symlink(struct inode *parent_dir,
                 goto out_failed;
         }
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         retval = journal_end(&th);
 out_failed:
         reiserfs_write_unlock(parent_dir->i_sb);
diff --git a/fs/seq_file.c b/fs/seq_file.c
index c6c27f1f9c98..4cc090b50cc5 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -709,11 +709,6 @@ void seq_put_decimal_ull_width(struct seq_file *m, const char *delimiter,
         if (m->count + width >= m->size)
                 goto overflow;
 
-        if (num < 10) {
-                m->buf[m->count++] = num + '0';
-                return;
-        }
-
         len = num_to_str(m->buf + m->count, m->size - m->count, num, width);
         if (!len)
                 goto overflow;
diff --git a/fs/super.c b/fs/super.c
index 122c402049a2..4b5b562176d0 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -121,13 +121,23 @@ static unsigned long super_cache_count(struct shrinker *shrink,
         sb = container_of(shrink, struct super_block, s_shrink);
 
         /*
-         * Don't call trylock_super as it is a potential
-         * scalability bottleneck. The counts could get updated
-         * between super_cache_count and super_cache_scan anyway.
-         * Call to super_cache_count with shrinker_rwsem held
-         * ensures the safety of call to list_lru_shrink_count() and
-         * s_op->nr_cached_objects().
+         * We don't call trylock_super() here as it is a scalability bottleneck,
+         * so we're exposed to partial setup state. The shrinker rwsem does not
+         * protect filesystem operations backing list_lru_shrink_count() or
+         * s_op->nr_cached_objects(). Counts can change between
+         * super_cache_count and super_cache_scan, so we really don't need locks
+         * here.
+         *
+         * However, if we are currently mounting the superblock, the underlying
+         * filesystem might be in a state of partial construction and hence it
+         * is dangerous to access it.  trylock_super() uses a SB_BORN check to
+         * avoid this situation, so do the same here. The memory barrier is
+         * matched with the one in mount_fs() as we don't hold locks here.
          */
+        if (!(sb->s_flags & SB_BORN))
+                return 0;
+        smp_rmb();
+
         if (sb->s_op && sb->s_op->nr_cached_objects)
                 total_objects = sb->s_op->nr_cached_objects(sb, sc);
 
@@ -1272,6 +1282,14 @@ mount_fs(struct file_system_type *type, int flags, const char *name, void *data)
         sb = root->d_sb;
         BUG_ON(!sb);
         WARN_ON(!sb->s_bdi);
+
+        /*
+         * Write barrier is for super_cache_count(). We place it before setting
+         * SB_BORN as the data dependency between the two functions is the
+         * superblock structure contents that we just set up, not the SB_BORN
+         * flag.
+         */
+        smp_wmb();
         sb->s_flags |= SB_BORN;
 
         error = security_sb_kern_mount(sb, flags, secdata);
diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
index b428d317ae92..92682fcc41f6 100644
--- a/fs/sysfs/mount.c
+++ b/fs/sysfs/mount.c
@@ -25,7 +25,7 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type,
 {
         struct dentry *root;
         void *ns;
-        bool new_sb;
+        bool new_sb = false;
 
         if (!(flags & SB_KERNMOUNT)) {
                 if (!kobj_ns_current_may_mount(KOBJ_NS_TYPE_NET))
@@ -35,9 +35,9 @@ static struct dentry *sysfs_mount(struct file_system_type *fs_type,
         ns = kobj_ns_grab_current(KOBJ_NS_TYPE_NET);
         root = kernfs_mount_ns(fs_type, flags, sysfs_root,
                                 SYSFS_MAGIC, &new_sb, ns);
-        if (IS_ERR(root) || !new_sb)
+        if (!new_sb)
                 kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
-        else if (new_sb)
+        else if (!IS_ERR(root))
                 root->d_sb->s_iflags |= SB_I_USERNS_VISIBLE;
 
         return root;
diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index 0458dd47e105..c586026508db 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -622,8 +622,7 @@ static int udf_add_nondir(struct dentry *dentry, struct inode *inode)
         if (fibh.sbh != fibh.ebh)
                 brelse(fibh.ebh);
         brelse(fibh.sbh);
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
 
         return 0;
 }
@@ -733,8 +732,7 @@ static int udf_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
         inc_nlink(dir);
         dir->i_ctime = dir->i_mtime = current_time(dir);
         mark_inode_dirty(dir);
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         if (fibh.sbh != fibh.ebh)
                 brelse(fibh.ebh);
         brelse(fibh.sbh);
diff --git a/fs/ufs/namei.c b/fs/ufs/namei.c
index 32545cd00ceb..d5f43ba76c59 100644
--- a/fs/ufs/namei.c
+++ b/fs/ufs/namei.c
@@ -39,8 +39,7 @@ static inline int ufs_add_nondir(struct dentry *dentry, struct inode *inode)
 {
         int err = ufs_add_link(dentry, inode);
         if (!err) {
-                unlock_new_inode(inode);
-                d_instantiate(dentry, inode);
+                d_instantiate_new(dentry, inode);
                 return 0;
         }
         inode_dec_link_count(inode);
@@ -193,8 +192,7 @@ static int ufs_mkdir(struct inode * dir, struct dentry * dentry, umode_t mode)
         if (err)
                 goto out_fail;
 
-        unlock_new_inode(inode);
-        d_instantiate(dentry, inode);
+        d_instantiate_new(dentry, inode);
         return 0;
 
 out_fail:
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 7e61c395fddf..df36b1b08af0 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -142,10 +142,11 @@ struct bpf_verifier_state_list {
 struct bpf_insn_aux_data {
         union {
                 enum bpf_reg_type ptr_type;     /* pointer type for load/store insns */
-                struct bpf_map *map_ptr;        /* pointer for call insn into lookup_elem */
+                unsigned long map_state;        /* pointer/poison value for maps */
                 s32 call_imm;                   /* saved imm field of call insn */
         };
         int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
+        int sanitize_stack_off; /* stack slot to be cleared */
         bool seen; /* this insn was processed by the verifier */
 };
 
diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index 7b01bc11c692..a97a63eef59f 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -53,6 +53,8 @@ extern ssize_t cpu_show_spectre_v1(struct device *dev,
                                    struct device_attribute *attr, char *buf);
 extern ssize_t cpu_show_spectre_v2(struct device *dev,
                                    struct device_attribute *attr, char *buf);
+extern ssize_t cpu_show_spec_store_bypass(struct device *dev,
+                                          struct device_attribute *attr, char *buf);
 
 extern __printf(4, 5)
 struct device *cpu_device_create(struct device *parent, void *drvdata,
diff --git a/include/linux/dcache.h b/include/linux/dcache.h
index 94acbde17bb1..66c6e17e61e5 100644
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -224,6 +224,7 @@ extern seqlock_t rename_lock;
  * These are the low-level FS interfaces to the dcache..
  */
 extern void d_instantiate(struct dentry *, struct inode *);
+extern void d_instantiate_new(struct dentry *, struct inode *);
 extern struct dentry * d_instantiate_unique(struct dentry *, struct inode *);
 extern struct dentry * d_instantiate_anon(struct dentry *, struct inode *);
 extern int d_instantiate_no_diralias(struct dentry *, struct inode *);
diff --git a/include/linux/gfp.h b/include/linux/gfp.h
index 1a4582b44d32..fc5ab85278d5 100644
--- a/include/linux/gfp.h
+++ b/include/linux/gfp.h
@@ -464,7 +464,7 @@ static inline struct page *
 __alloc_pages_node(int nid, gfp_t gfp_mask, unsigned int order)
 {
         VM_BUG_ON(nid < 0 || nid >= MAX_NUMNODES);
-        VM_WARN_ON(!node_online(nid));
+        VM_WARN_ON((gfp_mask & __GFP_THISNODE) && !node_online(nid));
 
         return __alloc_pages(gfp_mask, order, nid);
 }
diff --git a/include/linux/memory_hotplug.h b/include/linux/memory_hotplug.h
index e0e49b5b1ee1..2b0265265c28 100644
--- a/include/linux/memory_hotplug.h
+++ b/include/linux/memory_hotplug.h
@@ -216,6 +216,9 @@ void put_online_mems(void);
 void mem_hotplug_begin(void);
 void mem_hotplug_done(void);
 
+extern void set_zone_contiguous(struct zone *zone);
+extern void clear_zone_contiguous(struct zone *zone);
+
 #else /* ! CONFIG_MEMORY_HOTPLUG */
 #define pfn_to_online_page(pfn)                 \
 ({                                              \
diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
index 2a156c5dfadd..d703774982ca 100644
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -1286,17 +1286,7 @@ enum {
 static inline const struct cpumask *
 mlx5_get_vector_affinity_hint(struct mlx5_core_dev *dev, int vector)
 {
-        struct irq_desc *desc;
-        unsigned int irq;
-        int eqn;
-        int err;
-
-        err = mlx5_vector2eqn(dev, vector, &eqn, &irq);
-        if (err)
-                return NULL;
-
-        desc = irq_to_desc(irq);
-        return desc->affinity_hint;
+        return dev->priv.irq_info[vector].mask;
 }
 
 #endif /* MLX5_DRIVER_H */
diff --git a/include/linux/mm.h b/include/linux/mm.h
index c6fa9a255dbf..02a616e2f17d 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2109,7 +2109,6 @@ extern void setup_per_cpu_pageset(void);
 
 extern void zone_pcp_update(struct zone *zone);
 extern void zone_pcp_reset(struct zone *zone);
-extern void setup_zone_pageset(struct zone *zone);
 
 /* page_alloc.c */
 extern int min_free_kbytes;
diff --git a/include/linux/node.h b/include/linux/node.h
index 41f171861dcc..6d336e38d155 100644
--- a/include/linux/node.h
+++ b/include/linux/node.h
@@ -32,9 +32,11 @@ extern struct node *node_devices[];
 typedef  void (*node_registration_func_t)(struct node *);
 
 #if defined(CONFIG_MEMORY_HOTPLUG_SPARSE) && defined(CONFIG_NUMA)
-extern int link_mem_sections(int nid, unsigned long start_pfn, unsigned long nr_pages);
+extern int link_mem_sections(int nid, unsigned long start_pfn,
+                             unsigned long nr_pages, bool check_nid);
 #else
-static inline int link_mem_sections(int nid, unsigned long start_pfn, unsigned long nr_pages)
+static inline int link_mem_sections(int nid, unsigned long start_pfn,
+                                    unsigned long nr_pages, bool check_nid)
 {
         return 0;
 }
@@ -57,7 +59,7 @@ static inline int register_one_node(int nid)
                 if (error)
                         return error;
                 /* link memory sections under this node */
-                error = link_mem_sections(nid, pgdat->node_start_pfn, pgdat->node_spanned_pages);
+                error = link_mem_sections(nid, pgdat->node_start_pfn, pgdat->node_spanned_pages, true);
         }
 
         return error;
diff --git a/include/linux/nospec.h b/include/linux/nospec.h
index e791ebc65c9c..0c5ef54fd416 100644
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -7,6 +7,8 @@
 #define _LINUX_NOSPEC_H
 #include <asm/barrier.h>
 
+struct task_struct;
+
 /**
  * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
  * @index: array element index
@@ -55,4 +57,12 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                                         \
         (typeof(_i)) (_i & _mask);                                      \
 })
+
+/* Speculation control prctl */
+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
+                             unsigned long ctrl);
+/* Speculation control for seccomp enforced mitigation */
+void arch_seccomp_spec_mitigate(struct task_struct *task);
+
 #endif /* _LINUX_NOSPEC_H */
diff --git a/include/linux/sched.h b/include/linux/sched.h
index c2413703f45d..ca3f3eae8980 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1433,7 +1433,8 @@ static inline bool is_percpu_thread(void)
 #define PFA_NO_NEW_PRIVS                0       /* May not gain new privileges. */
 #define PFA_SPREAD_PAGE                 1       /* Spread page cache over cpuset */
 #define PFA_SPREAD_SLAB                 2       /* Spread some slab caches over cpuset */
-
+#define PFA_SPEC_SSB_DISABLE            3       /* Speculative Store Bypass disabled */
+#define PFA_SPEC_SSB_FORCE_DISABLE      4       /* Speculative Store Bypass force disabled*/
 
 #define TASK_PFA_TEST(name, func)                                       \
         static inline bool task_##func(struct task_struct *p)           \
@@ -1458,6 +1459,13 @@ TASK_PFA_TEST(SPREAD_SLAB, spread_slab)
 TASK_PFA_SET(SPREAD_SLAB, spread_slab)
 TASK_PFA_CLEAR(SPREAD_SLAB, spread_slab)
 
+TASK_PFA_TEST(SPEC_SSB_DISABLE, spec_ssb_disable)
+TASK_PFA_SET(SPEC_SSB_DISABLE, spec_ssb_disable)
+TASK_PFA_CLEAR(SPEC_SSB_DISABLE, spec_ssb_disable)
+
+TASK_PFA_TEST(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
+TASK_PFA_SET(SPEC_SSB_FORCE_DISABLE, spec_ssb_force_disable)
+
 static inline void
 current_restore_flags(unsigned long orig_flags, unsigned long flags)
 {
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index c723a5c4e3ff..e5320f6c8654 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -4,8 +4,9 @@
 
 #include <uapi/linux/seccomp.h>
 
-#define SECCOMP_FILTER_FLAG_MASK        (SECCOMP_FILTER_FLAG_TSYNC | \
-                                         SECCOMP_FILTER_FLAG_LOG)
+#define SECCOMP_FILTER_FLAG_MASK        (SECCOMP_FILTER_FLAG_TSYNC      | \
+                                         SECCOMP_FILTER_FLAG_LOG        | \
+                                         SECCOMP_FILTER_FLAG_SPEC_ALLOW)
 
 #ifdef CONFIG_SECCOMP
 
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index cd368d1b8cb8..a1e28dd5d0bf 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -170,6 +170,7 @@ struct nft_data_desc {
 int nft_data_init(const struct nft_ctx *ctx,
                   struct nft_data *data, unsigned int size,
                   struct nft_data_desc *desc, const struct nlattr *nla);
+void nft_data_hold(const struct nft_data *data, enum nft_data_types type);
 void nft_data_release(const struct nft_data *data, enum nft_data_types type);
 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
                   enum nft_data_types type, unsigned int len);
@@ -736,6 +737,10 @@ struct nft_expr_ops {
         int                             (*init)(const struct nft_ctx *ctx,
                                                 const struct nft_expr *expr,
                                                 const struct nlattr * const tb[]);
+        void                            (*activate)(const struct nft_ctx *ctx,
+                                                    const struct nft_expr *expr);
+        void                            (*deactivate)(const struct nft_ctx *ctx,
+                                                      const struct nft_expr *expr);
         void                            (*destroy)(const struct nft_ctx *ctx,
                                                    const struct nft_expr *expr);
         int                             (*dump)(struct sk_buff *skb,
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index 28b996d63490..35498e613ff5 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -103,6 +103,8 @@ void sctp_addr_wq_mgmt(struct net *, struct sctp_sockaddr_entry *, int);
 /*
  * sctp/socket.c
  */
+int sctp_inet_connect(struct socket *sock, struct sockaddr *uaddr,
+                      int addr_len, int flags);
 int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb);
 int sctp_inet_listen(struct socket *sock, int backlog);
 void sctp_write_space(struct sock *sk);
diff --git a/include/net/tls.h b/include/net/tls.h
index b400d0bb7448..f5fb16da3860 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -97,6 +97,9 @@ struct tls_sw_context {
         u8 control;
         bool decrypted;
 
+        char rx_aad_ciphertext[TLS_AAD_SPACE_SIZE];
+        char rx_aad_plaintext[TLS_AAD_SPACE_SIZE];
+
         /* Sending context */
         char aad_space[TLS_AAD_SPACE_SIZE];
 
diff --git a/include/rdma/ib_umem.h b/include/rdma/ib_umem.h
index 23159dd5be18..a1fd63871d17 100644
--- a/include/rdma/ib_umem.h
+++ b/include/rdma/ib_umem.h
@@ -48,7 +48,6 @@ struct ib_umem {
         int                     writable;
         int                     hugetlb;
         struct work_struct      work;
-        struct pid             *pid;
         struct mm_struct       *mm;
         unsigned long           diff;
         struct ib_umem_odp     *odp_data;
diff --git a/include/rdma/uverbs_ioctl.h b/include/rdma/uverbs_ioctl.h
index 4a4201d997a7..095383a4bd1a 100644
--- a/include/rdma/uverbs_ioctl.h
+++ b/include/rdma/uverbs_ioctl.h
@@ -411,13 +411,13 @@ static inline int uverbs_attr_get_enum_id(const struct uverbs_attr_bundle *attrs
 static inline void *uverbs_attr_get_obj(const struct uverbs_attr_bundle *attrs_bundle,
                                         u16 idx)
 {
-        struct ib_uobject *uobj =
-                uverbs_attr_get(attrs_bundle, idx)->obj_attr.uobject;
+        const struct uverbs_attr *attr;
 
-        if (IS_ERR(uobj))
-                return uobj;
+        attr = uverbs_attr_get(attrs_bundle, idx);
+        if (IS_ERR(attr))
+                return ERR_CAST(attr);
 
-        return uobj->object;
+        return attr->obj_attr.uobject->object;
 }
 
 static inline int uverbs_copy_to(const struct uverbs_attr_bundle *attrs_bundle,
diff --git a/include/trace/events/sched.h b/include/trace/events/sched.h
index bc01e06bc716..0be866c91f62 100644
--- a/include/trace/events/sched.h
+++ b/include/trace/events/sched.h
@@ -435,7 +435,9 @@ TRACE_EVENT(sched_pi_setprio,
                 memcpy(__entry->comm, tsk->comm, TASK_COMM_LEN);
                 __entry->pid            = tsk->pid;
                 __entry->oldprio        = tsk->prio;
-                __entry->newprio        = pi_task ? pi_task->prio : tsk->prio;
+                __entry->newprio        = pi_task ?
+                                min(tsk->normal_prio, pi_task->prio) :
+                                tsk->normal_prio;
                 /* XXX SCHED_DEADLINE bits missing */
         ),
 
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
index 74b91151d494..bcba72def817 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
@@ -46,6 +46,9 @@ enum tcp_conntrack {
 /* Marks possibility for expected RFC5961 challenge ACK */
 #define IP_CT_EXP_CHALLENGE_ACK                 0x40
 
+/* Simultaneous open initialized */
+#define IP_CT_TCP_SIMULTANEOUS_OPEN             0x80
+
 struct nf_ct_tcp_flags {
         __u8 flags;
         __u8 mask;
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 9c3630146cec..271b93783d28 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -2698,7 +2698,7 @@ enum nl80211_attrs {
 #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS
 #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS
 
-#define NL80211_WIPHY_NAME_MAXLEN               128
+#define NL80211_WIPHY_NAME_MAXLEN               64
 
 #define NL80211_MAX_SUPP_RATES                  32
 #define NL80211_MAX_SUPP_HT_RATES               77
diff --git a/include/uapi/linux/ppp-ioctl.h b/include/uapi/linux/ppp-ioctl.h
index b19a9c249b15..784c2e3e572e 100644
--- a/include/uapi/linux/ppp-ioctl.h
+++ b/include/uapi/linux/ppp-ioctl.h
@@ -106,7 +106,7 @@ struct pppol2tp_ioc_stats {
 #define PPPIOCGIDLE     _IOR('t', 63, struct ppp_idle) /* get idle time */
 #define PPPIOCNEWUNIT   _IOWR('t', 62, int)     /* create new ppp unit */
 #define PPPIOCATTACH    _IOW('t', 61, int)      /* attach to ppp unit */
-#define PPPIOCDETACH    _IOW('t', 60, int)      /* detach from ppp unit/chan */
+#define PPPIOCDETACH    _IOW('t', 60, int)      /* obsolete, do not use */
 #define PPPIOCSMRRU     _IOW('t', 59, int)      /* set multilink MRU */
 #define PPPIOCCONNECT   _IOW('t', 58, int)      /* connect channel to unit */
 #define PPPIOCDISCONN   _IO('t', 57)            /* disconnect channel */
diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index af5f8c2df87a..db9f15f5db04 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -207,4 +207,16 @@ struct prctl_mm_map {
 # define PR_SVE_VL_LEN_MASK             0xffff
 # define PR_SVE_VL_INHERIT              (1 << 17) /* inherit across exec */
 
+/* Per task speculation control */
+#define PR_GET_SPECULATION_CTRL         52
+#define PR_SET_SPECULATION_CTRL         53
+/* Speculation control variants */
+# define PR_SPEC_STORE_BYPASS           0
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+# define PR_SPEC_NOT_AFFECTED           0
+# define PR_SPEC_PRCTL                  (1UL << 0)
+# define PR_SPEC_ENABLE                 (1UL << 1)
+# define PR_SPEC_DISABLE                (1UL << 2)
+# define PR_SPEC_FORCE_DISABLE          (1UL << 3)
+
 #endif /* _LINUX_PRCTL_H */
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
index 2a0bd9dd104d..9efc0e73d50b 100644
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -17,8 +17,9 @@
 #define SECCOMP_GET_ACTION_AVAIL        2
 
 /* Valid flags for SECCOMP_SET_MODE_FILTER */
-#define SECCOMP_FILTER_FLAG_TSYNC       1
-#define SECCOMP_FILTER_FLAG_LOG         2
+#define SECCOMP_FILTER_FLAG_TSYNC       (1UL << 0)
+#define SECCOMP_FILTER_FLAG_LOG         (1UL << 1)
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW  (1UL << 2)
 
 /*
  * All BPF programs must return a 32-bit value.
diff --git a/init/main.c b/init/main.c
index fd37315835b4..3b4ada11ed52 100644
--- a/init/main.c
+++ b/init/main.c
@@ -91,6 +91,7 @@
 #include <linux/cache.h>
 #include <linux/rodata_test.h>
 #include <linux/jump_label.h>
+#include <linux/mem_encrypt.h>
 
 #include <asm/io.h>
 #include <asm/bugs.h>
diff --git a/ipc/shm.c b/ipc/shm.c
index 3cf48988d68c..d73269381ec7 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1363,14 +1363,17 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,
 
         if (addr) {
                 if (addr & (shmlba - 1)) {
-                        /*
-                         * Round down to the nearest multiple of shmlba.
-                         * For sane do_mmap_pgoff() parameters, avoid
-                         * round downs that trigger nil-page and MAP_FIXED.
-                         */
-                        if ((shmflg & SHM_RND) && addr >= shmlba)
-                                addr &= ~(shmlba - 1);
-                        else
+                        if (shmflg & SHM_RND) {
+                                addr &= ~(shmlba - 1);  /* round down */
+
+                                /*
+                                 * Ensure that the round-down is non-nil
+                                 * when remapping. This can happen for
+                                 * cases when addr < shmlba.
+                                 */
+                                if (!addr && (shmflg & SHM_REMAP))
+                                        goto out;
+                        } else
 #ifndef __ARCH_FORCE_SHMLBA
                                 if (addr & ~PAGE_MASK)
 #endif
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index ba03ec39efb3..6ef6746a7871 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -218,47 +218,84 @@ int bpf_prog_calc_tag(struct bpf_prog *fp)
         return 0;
 }
 
-static void bpf_adj_branches(struct bpf_prog *prog, u32 pos, u32 delta)
+static int bpf_adj_delta_to_imm(struct bpf_insn *insn, u32 pos, u32 delta,
+                                u32 curr, const bool probe_pass)
 {
+        const s64 imm_min = S32_MIN, imm_max = S32_MAX;
+        s64 imm = insn->imm;
+
+        if (curr < pos && curr + imm + 1 > pos)
+                imm += delta;
+        else if (curr > pos + delta && curr + imm + 1 <= pos + delta)
+                imm -= delta;
+        if (imm < imm_min || imm > imm_max)
+                return -ERANGE;
+        if (!probe_pass)
+                insn->imm = imm;
+        return 0;
+}
+
+static int bpf_adj_delta_to_off(struct bpf_insn *insn, u32 pos, u32 delta,
+                                u32 curr, const bool probe_pass)
+{
+        const s32 off_min = S16_MIN, off_max = S16_MAX;
+        s32 off = insn->off;
+
+        if (curr < pos && curr + off + 1 > pos)
+                off += delta;
+        else if (curr > pos + delta && curr + off + 1 <= pos + delta)
+                off -= delta;
+        if (off < off_min || off > off_max)
+                return -ERANGE;
+        if (!probe_pass)
+                insn->off = off;
+        return 0;
+}
+
+static int bpf_adj_branches(struct bpf_prog *prog, u32 pos, u32 delta,
+                            const bool probe_pass)
+{
+        u32 i, insn_cnt = prog->len + (probe_pass ? delta : 0);
         struct bpf_insn *insn = prog->insnsi;
-        u32 i, insn_cnt = prog->len;
-        bool pseudo_call;
-        u8 code;
-        int off;
+        int ret = 0;
 
         for (i = 0; i < insn_cnt; i++, insn++) {
+                u8 code;
+
+                /* In the probing pass we still operate on the original,
+                 * unpatched image in order to check overflows before we
+                 * do any other adjustments. Therefore skip the patchlet.
+                 */
+                if (probe_pass && i == pos) {
+                        i += delta + 1;
+                        insn++;
+                }
                 code = insn->code;
-                if (BPF_CLASS(code) != BPF_JMP)
-                        continue;
-                if (BPF_OP(code) == BPF_EXIT)
+                if (BPF_CLASS(code) != BPF_JMP ||
+                    BPF_OP(code) == BPF_EXIT)
                         continue;
+                /* Adjust offset of jmps if we cross patch boundaries. */
                 if (BPF_OP(code) == BPF_CALL) {
-                        if (insn->src_reg == BPF_PSEUDO_CALL)
-                                pseudo_call = true;
-                        else
+                        if (insn->src_reg != BPF_PSEUDO_CALL)
                                 continue;
+                        ret = bpf_adj_delta_to_imm(insn, pos, delta, i,
+                                                   probe_pass);
                 } else {
-                        pseudo_call = false;
+                        ret = bpf_adj_delta_to_off(insn, pos, delta, i,
+                                                   probe_pass);
                 }
-                off = pseudo_call ? insn->imm : insn->off;
-
-                /* Adjust offset of jmps if we cross boundaries. */
-                if (i < pos && i + off + 1 > pos)
-                        off += delta;
-                else if (i > pos + delta && i + off + 1 <= pos + delta)
-                        off -= delta;
-
-                if (pseudo_call)
-                        insn->imm = off;
-                else
-                        insn->off = off;
+                if (ret)
+                        break;
         }
+
+        return ret;
 }
 
 struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
                                        const struct bpf_insn *patch, u32 len)
 {
         u32 insn_adj_cnt, insn_rest, insn_delta = len - 1;
+        const u32 cnt_max = S16_MAX;
         struct bpf_prog *prog_adj;
 
         /* Since our patchlet doesn't expand the image, we're done. */
@@ -269,6 +306,15 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
 
         insn_adj_cnt = prog->len + insn_delta;
 
+        /* Reject anything that would potentially let the insn->off
+         * target overflow when we have excessive program expansions.
+         * We need to probe here before we do any reallocation where
+         * we afterwards may not fail anymore.
+         */
+        if (insn_adj_cnt > cnt_max &&
+            bpf_adj_branches(prog, off, insn_delta, true))
+                return NULL;
+
         /* Several new instructions need to be inserted. Make room
          * for them. Likely, there's no need for a new allocation as
          * last page could have large enough tailroom.
@@ -294,7 +340,11 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
                 sizeof(*patch) * insn_rest);
         memcpy(prog_adj->insnsi + off, patch, sizeof(*patch) * len);
 
-        bpf_adj_branches(prog_adj, off, insn_delta);
+        /* We are guaranteed to not fail at this point, otherwise
+         * the ship has sailed to reverse to the original state. An
+         * overflow cannot happen at this point.
+         */
+        BUG_ON(bpf_adj_branches(prog_adj, off, insn_delta, false));
 
         return prog_adj;
 }
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index 098eca568c2b..95a84b2f10ce 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -1703,11 +1703,11 @@ static int sock_map_ctx_update_elem(struct bpf_sock_ops_kern *skops,
                  * we increment the refcnt. If this is the case abort with an
                  * error.
                  */
-                verdict = bpf_prog_inc_not_zero(stab->bpf_verdict);
+                verdict = bpf_prog_inc_not_zero(verdict);
                 if (IS_ERR(verdict))
                         return PTR_ERR(verdict);
 
-                parse = bpf_prog_inc_not_zero(stab->bpf_parse);
+                parse = bpf_prog_inc_not_zero(parse);
                 if (IS_ERR(parse)) {
                         bpf_prog_put(verdict);
                         return PTR_ERR(parse);
@@ -1715,12 +1715,12 @@ static int sock_map_ctx_update_elem(struct bpf_sock_ops_kern *skops,
         }
 
         if (tx_msg) {
-                tx_msg = bpf_prog_inc_not_zero(stab->bpf_tx_msg);
+                tx_msg = bpf_prog_inc_not_zero(tx_msg);
                 if (IS_ERR(tx_msg)) {
-                        if (verdict)
-                                bpf_prog_put(verdict);
-                        if (parse)
+                        if (parse && verdict) {
                                 bpf_prog_put(parse);
+                                bpf_prog_put(verdict);
+                        }
                         return PTR_ERR(tx_msg);
                 }
         }
@@ -1805,10 +1805,10 @@ static int sock_map_ctx_update_elem(struct bpf_sock_ops_kern *skops,
 out_free:
         smap_release_sock(psock, sock);
 out_progs:
-        if (verdict)
-                bpf_prog_put(verdict);
-        if (parse)
+        if (parse && verdict) {
                 bpf_prog_put(parse);
+                bpf_prog_put(verdict);
+        }
         if (tx_msg)
                 bpf_prog_put(tx_msg);
         write_unlock_bh(&sock->sk_callback_lock);
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 5dd1dcb902bf..1904e814f282 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -156,7 +156,29 @@ struct bpf_verifier_stack_elem {
 #define BPF_COMPLEXITY_LIMIT_INSNS      131072
 #define BPF_COMPLEXITY_LIMIT_STACK      1024
 
-#define BPF_MAP_PTR_POISON ((void *)0xeB9F + POISON_POINTER_DELTA)
+#define BPF_MAP_PTR_UNPRIV      1UL
+#define BPF_MAP_PTR_POISON      ((void *)((0xeB9FUL << 1) +     \
+                                          POISON_POINTER_DELTA))
+#define BPF_MAP_PTR(X)          ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV))
+
+static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux)
+{
+        return BPF_MAP_PTR(aux->map_state) == BPF_MAP_PTR_POISON;
+}
+
+static bool bpf_map_ptr_unpriv(const struct bpf_insn_aux_data *aux)
+{
+        return aux->map_state & BPF_MAP_PTR_UNPRIV;
+}
+
+static void bpf_map_ptr_store(struct bpf_insn_aux_data *aux,
+                              const struct bpf_map *map, bool unpriv)
+{
+        BUILD_BUG_ON((unsigned long)BPF_MAP_PTR_POISON & BPF_MAP_PTR_UNPRIV);
+        unpriv |= bpf_map_ptr_unpriv(aux);
+        aux->map_state = (unsigned long)map |
+                         (unpriv ? BPF_MAP_PTR_UNPRIV : 0UL);
+}
 
 struct bpf_call_arg_meta {
         struct bpf_map *map_ptr;
@@ -978,7 +1000,7 @@ static bool register_is_null(struct bpf_reg_state *reg)
  */
 static int check_stack_write(struct bpf_verifier_env *env,
                              struct bpf_func_state *state, /* func where register points to */
-                             int off, int size, int value_regno)
+                             int off, int size, int value_regno, int insn_idx)
 {
         struct bpf_func_state *cur; /* state of the current function */
         int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
@@ -1017,8 +1039,33 @@ static int check_stack_write(struct bpf_verifier_env *env,
                 state->stack[spi].spilled_ptr = cur->regs[value_regno];
                 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
 
-                for (i = 0; i < BPF_REG_SIZE; i++)
+                for (i = 0; i < BPF_REG_SIZE; i++) {
+                        if (state->stack[spi].slot_type[i] == STACK_MISC &&
+                            !env->allow_ptr_leaks) {
+                                int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
+                                int soff = (-spi - 1) * BPF_REG_SIZE;
+
+                                /* detected reuse of integer stack slot with a pointer
+                                 * which means either llvm is reusing stack slot or
+                                 * an attacker is trying to exploit CVE-2018-3639
+                                 * (speculative store bypass)
+                                 * Have to sanitize that slot with preemptive
+                                 * store of zero.
+                                 */
+                                if (*poff && *poff != soff) {
+                                        /* disallow programs where single insn stores
+                                         * into two different stack slots, since verifier
+                                         * cannot sanitize them
+                                         */
+                                        verbose(env,
+                                                "insn %d cannot access two stack slots fp%d and fp%d",
+                                                insn_idx, *poff, soff);
+                                        return -EINVAL;
+                                }
+                                *poff = soff;
+                        }
                         state->stack[spi].slot_type[i] = STACK_SPILL;
+                }
         } else {
                 u8 type = STACK_MISC;
 
@@ -1694,7 +1741,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
 
                 if (t == BPF_WRITE)
                         err = check_stack_write(env, state, off, size,
-                                                value_regno);
+                                                value_regno, insn_idx);
                 else
                         err = check_stack_read(env, state, off, size,
                                                value_regno);
@@ -2333,6 +2380,29 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
         return 0;
 }
 
+static int
+record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
+                int func_id, int insn_idx)
+{
+        struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx];
+
+        if (func_id != BPF_FUNC_tail_call &&
+            func_id != BPF_FUNC_map_lookup_elem)
+                return 0;
+        if (meta->map_ptr == NULL) {
+                verbose(env, "kernel subsystem misconfigured verifier\n");
+                return -EINVAL;
+        }
+
+        if (!BPF_MAP_PTR(aux->map_state))
+                bpf_map_ptr_store(aux, meta->map_ptr,
+                                  meta->map_ptr->unpriv_array);
+        else if (BPF_MAP_PTR(aux->map_state) != meta->map_ptr)
+                bpf_map_ptr_store(aux, BPF_MAP_PTR_POISON,
+                                  meta->map_ptr->unpriv_array);
+        return 0;
+}
+
 static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
 {
         const struct bpf_func_proto *fn = NULL;
@@ -2387,13 +2457,6 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
         err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta);
         if (err)
                 return err;
-        if (func_id == BPF_FUNC_tail_call) {
-                if (meta.map_ptr == NULL) {
-                        verbose(env, "verifier bug\n");
-                        return -EINVAL;
-                }
-                env->insn_aux_data[insn_idx].map_ptr = meta.map_ptr;
-        }
         err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta);
         if (err)
                 return err;
@@ -2404,6 +2467,10 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
         if (err)
                 return err;
 
+        err = record_func_map(env, &meta, func_id, insn_idx);
+        if (err)
+                return err;
+
         /* Mark slots with STACK_MISC in case of raw mode, stack offset
          * is inferred from register state.
          */
@@ -2428,8 +2495,6 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
         } else if (fn->ret_type == RET_VOID) {
                 regs[BPF_REG_0].type = NOT_INIT;
         } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) {
-                struct bpf_insn_aux_data *insn_aux;
-
                 regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
                 /* There is no offset yet applied, variable or fixed */
                 mark_reg_known_zero(env, regs, BPF_REG_0);
@@ -2445,11 +2510,6 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
                 }
                 regs[BPF_REG_0].map_ptr = meta.map_ptr;
                 regs[BPF_REG_0].id = ++env->id_gen;
-                insn_aux = &env->insn_aux_data[insn_idx];
-                if (!insn_aux->map_ptr)
-                        insn_aux->map_ptr = meta.map_ptr;
-                else if (insn_aux->map_ptr != meta.map_ptr)
-                        insn_aux->map_ptr = BPF_MAP_PTR_POISON;
         } else {
                 verbose(env, "unknown return type %d of func %s#%d\n",
                         fn->ret_type, func_id_name(func_id), func_id);
@@ -5169,6 +5229,34 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env)
                 else
                         continue;
 
+                if (type == BPF_WRITE &&
+                    env->insn_aux_data[i + delta].sanitize_stack_off) {
+                        struct bpf_insn patch[] = {
+                                /* Sanitize suspicious stack slot with zero.
+                                 * There are no memory dependencies for this store,
+                                 * since it's only using frame pointer and immediate
+                                 * constant of zero
+                                 */
+                                BPF_ST_MEM(BPF_DW, BPF_REG_FP,
+                                           env->insn_aux_data[i + delta].sanitize_stack_off,
+                                           0),
+                                /* the original STX instruction will immediately
+                                 * overwrite the same stack slot with appropriate value
+                                 */
+                                *insn,
+                        };
+
+                        cnt = ARRAY_SIZE(patch);
+                        new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);
+                        if (!new_prog)
+                                return -ENOMEM;
+
+                        delta    += cnt - 1;
+                        env->prog = new_prog;
+                        insn      = new_prog->insnsi + i + delta;
+                        continue;
+                }
+
                 if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
                         continue;
 
@@ -5417,6 +5505,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
         struct bpf_insn *insn = prog->insnsi;
         const struct bpf_func_proto *fn;
         const int insn_cnt = prog->len;
+        struct bpf_insn_aux_data *aux;
         struct bpf_insn insn_buf[16];
         struct bpf_prog *new_prog;
         struct bpf_map *map_ptr;
@@ -5491,19 +5580,22 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
                         insn->imm = 0;
                         insn->code = BPF_JMP | BPF_TAIL_CALL;
 
+                        aux = &env->insn_aux_data[i + delta];
+                        if (!bpf_map_ptr_unpriv(aux))
+                                continue;
+
                         /* instead of changing every JIT dealing with tail_call
                          * emit two extra insns:
                          * if (index >= max_entries) goto out;
                          * index &= array->index_mask;
                          * to avoid out-of-bounds cpu speculation
                          */
-                        map_ptr = env->insn_aux_data[i + delta].map_ptr;
-                        if (map_ptr == BPF_MAP_PTR_POISON) {
+                        if (bpf_map_ptr_poisoned(aux)) {
                                 verbose(env, "tail_call abusing map_ptr\n");
                                 return -EINVAL;
                         }
-                        if (!map_ptr->unpriv_array)
-                                continue;
+
+                        map_ptr = BPF_MAP_PTR(aux->map_state);
                         insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,
                                                   map_ptr->max_entries, 2);
                         insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,
@@ -5527,9 +5619,12 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
                  */
                 if (prog->jit_requested && BITS_PER_LONG == 64 &&
                     insn->imm == BPF_FUNC_map_lookup_elem) {
-                        map_ptr = env->insn_aux_data[i + delta].map_ptr;
-                        if (map_ptr == BPF_MAP_PTR_POISON ||
-                            !map_ptr->ops->map_gen_lookup)
+                        aux = &env->insn_aux_data[i + delta];
+                        if (bpf_map_ptr_poisoned(aux))
+                                goto patch_call_imm;
+
+                        map_ptr = BPF_MAP_PTR(aux->map_state);
+                        if (!map_ptr->ops->map_gen_lookup)
                                 goto patch_call_imm;
 
                         cnt = map_ptr->ops->map_gen_lookup(map_ptr, insn_buf);
diff --git a/kernel/kthread.c b/kernel/kthread.c
index 2017a39ab490..481951bf091d 100644
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -193,7 +193,7 @@ EXPORT_SYMBOL_GPL(kthread_parkme);
 
 void kthread_park_complete(struct task_struct *k)
 {
-        complete(&to_kthread(k)->parked);
+        complete_all(&to_kthread(k)->parked);
 }
 
 static int kthread(void *_create)
@@ -459,6 +459,7 @@ void kthread_unpark(struct task_struct *k)
         if (test_bit(KTHREAD_IS_PER_CPU, &kthread->flags))
                 __kthread_bind(k, kthread->cpu, TASK_PARKED);
 
+        reinit_completion(&kthread->parked);
         clear_bit(KTHREAD_SHOULD_PARK, &kthread->flags);
         wake_up_state(k, TASK_PARKED);
 }
@@ -483,9 +484,6 @@ int kthread_park(struct task_struct *k)
         if (WARN_ON(k->flags & PF_EXITING))
                 return -ENOSYS;
 
-        if (WARN_ON_ONCE(test_bit(KTHREAD_SHOULD_PARK, &kthread->flags)))
-                return -EBUSY;
-
         set_bit(KTHREAD_SHOULD_PARK, &kthread->flags);
         if (k != current) {
                 wake_up_process(k);
diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c
index 64cc564f5255..61a1125c1ae4 100644
--- a/kernel/sched/topology.c
+++ b/kernel/sched/topology.c
@@ -1708,7 +1708,7 @@ build_sched_domains(const struct cpumask *cpu_map, struct sched_domain_attr *att
         rcu_read_unlock();
 
         if (rq && sched_debug_enabled) {
-                pr_info("span: %*pbl (max cpu_capacity = %lu)\n",
+                pr_info("root domain span: %*pbl (max cpu_capacity = %lu)\n",
                         cpumask_pr_args(cpu_map), rq->rd->max_cpu_capacity);
         }
 
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index dc77548167ef..e691d9a6c58d 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -19,6 +19,8 @@
 #include <linux/compat.h>
 #include <linux/coredump.h>
 #include <linux/kmemleak.h>
+#include <linux/nospec.h>
+#include <linux/prctl.h>
 #include <linux/sched.h>
 #include <linux/sched/task_stack.h>
 #include <linux/seccomp.h>
@@ -227,8 +229,11 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode)
         return true;
 }
 
+void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { }
+
 static inline void seccomp_assign_mode(struct task_struct *task,
-                                       unsigned long seccomp_mode)
+                                       unsigned long seccomp_mode,
+                                       unsigned long flags)
 {
         assert_spin_locked(&task->sighand->siglock);
 
@@ -238,6 +243,9 @@ static inline void seccomp_assign_mode(struct task_struct *task,
          * filter) is set.
          */
         smp_mb__before_atomic();
+        /* Assume default seccomp processes want spec flaw mitigation. */
+        if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
+                arch_seccomp_spec_mitigate(task);
         set_tsk_thread_flag(task, TIF_SECCOMP);
 }
 
@@ -305,7 +313,7 @@ static inline pid_t seccomp_can_sync_threads(void)
  * without dropping the locks.
  *
  */
-static inline void seccomp_sync_threads(void)
+static inline void seccomp_sync_threads(unsigned long flags)
 {
         struct task_struct *thread, *caller;
 
@@ -346,7 +354,8 @@ static inline void seccomp_sync_threads(void)
                  * allow one thread to transition the other.
                  */
                 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
-                        seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
+                        seccomp_assign_mode(thread, SECCOMP_MODE_FILTER,
+                                            flags);
         }
 }
 
@@ -469,7 +478,7 @@ static long seccomp_attach_filter(unsigned int flags,
 
         /* Now that the new filter is in place, synchronize to all threads. */
         if (flags & SECCOMP_FILTER_FLAG_TSYNC)
-                seccomp_sync_threads();
+                seccomp_sync_threads(flags);
 
         return 0;
 }
@@ -818,7 +827,7 @@ static long seccomp_set_mode_strict(void)
 #ifdef TIF_NOTSC
         disable_TSC();
 #endif
-        seccomp_assign_mode(current, seccomp_mode);
+        seccomp_assign_mode(current, seccomp_mode, 0);
         ret = 0;
 
 out:
@@ -876,7 +885,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
         /* Do not free the successfully attached filter. */
         prepared = NULL;
 
-        seccomp_assign_mode(current, seccomp_mode);
+        seccomp_assign_mode(current, seccomp_mode, flags);
 out:
         spin_unlock_irq(&current->sighand->siglock);
         if (flags & SECCOMP_FILTER_FLAG_TSYNC)
diff --git a/kernel/sys.c b/kernel/sys.c
index ad692183dfe9..d1b2b8d934bb 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -61,6 +61,8 @@
 #include <linux/uidgid.h>
 #include <linux/cred.h>
 
+#include <linux/nospec.h>
+
 #include <linux/kmsg_dump.h>
 /* Move somewhere else to avoid recompiling? */
 #include <generated/utsrelease.h>
@@ -69,6 +71,9 @@
 #include <asm/io.h>
 #include <asm/unistd.h>
 
+/* Hardening for Spectre-v1 */
+#include <linux/nospec.h>
+
 #include "uid16.h"
 
 #ifndef SET_UNALIGN_CTL
@@ -1451,6 +1456,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
         if (resource >= RLIM_NLIMITS)
                 return -EINVAL;
 
+        resource = array_index_nospec(resource, RLIM_NLIMITS);
         task_lock(current->group_leader);
         x = current->signal->rlim[resource];
         task_unlock(current->group_leader);
@@ -1470,6 +1476,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
         if (resource >= RLIM_NLIMITS)
                 return -EINVAL;
 
+        resource = array_index_nospec(resource, RLIM_NLIMITS);
         task_lock(current->group_leader);
         r = current->signal->rlim[resource];
         task_unlock(current->group_leader);
@@ -2242,6 +2249,17 @@ static int propagate_has_child_subreaper(struct task_struct *p, void *data)
         return 1;
 }
 
+int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which)
+{
+        return -EINVAL;
+}
+
+int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,
+                                    unsigned long ctrl)
+{
+        return -EINVAL;
+}
+
 SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
                 unsigned long, arg4, unsigned long, arg5)
 {
@@ -2450,6 +2468,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
         case PR_SVE_GET_VL:
                 error = SVE_GET_VL();
                 break;
+        case PR_GET_SPECULATION_CTRL:
+                if (arg3 || arg4 || arg5)
+                        return -EINVAL;
+                error = arch_prctl_spec_ctrl_get(me, arg2);
+                break;
+        case PR_SET_SPECULATION_CTRL:
+                if (arg4 || arg5)
+                        return -EINVAL;
+                error = arch_prctl_spec_ctrl_set(me, arg2, arg3);
+                break;
         default:
                 error = -EINVAL;
                 break;
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 970212670b6a..fdae394172fa 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1012,7 +1012,7 @@ unsigned long iov_iter_gap_alignment(const struct iov_iter *i)
 }
 EXPORT_SYMBOL(iov_iter_gap_alignment);
 
-static inline size_t __pipe_get_pages(struct iov_iter *i,
+static inline ssize_t __pipe_get_pages(struct iov_iter *i,
                                 size_t maxsize,
                                 struct page **pages,
                                 int idx,
@@ -1102,7 +1102,7 @@ static ssize_t pipe_get_pages_alloc(struct iov_iter *i,
                    size_t *start)
 {
         struct page **p;
-        size_t n;
+        ssize_t n;
         int idx;
         int npages;
 
diff --git a/lib/radix-tree.c b/lib/radix-tree.c
index 43e0cbedc3a0..a9e41aed6de4 100644
--- a/lib/radix-tree.c
+++ b/lib/radix-tree.c
@@ -2034,10 +2034,12 @@ void *radix_tree_delete_item(struct radix_tree_root *root,
                              unsigned long index, void *item)
 {
         struct radix_tree_node *node = NULL;
-        void __rcu **slot;
+        void __rcu **slot = NULL;
         void *entry;
 
         entry = __radix_tree_lookup(root, index, &node, &slot);
+        if (!slot)
+                return NULL;
         if (!entry && (!is_idr(root) || node_tag_get(root, node, IDR_FREE,
                                                 get_slot_offset(node, slot))))
                 return NULL;
diff --git a/mm/cma.c b/mm/cma.c
index aa40e6c7b042..5809bbe360d7 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -39,7 +39,6 @@
 #include <trace/events/cma.h>
 
 #include "cma.h"
-#include "internal.h"
 
 struct cma cma_areas[MAX_CMA_AREAS];
 unsigned cma_area_count;
@@ -110,25 +109,23 @@ static int __init cma_activate_area(struct cma *cma)
         if (!cma->bitmap)
                 return -ENOMEM;
 
+        WARN_ON_ONCE(!pfn_valid(pfn));
+        zone = page_zone(pfn_to_page(pfn));
+
         do {
                 unsigned j;
 
                 base_pfn = pfn;
-                if (!pfn_valid(base_pfn))
-                        goto err;
-
-                zone = page_zone(pfn_to_page(base_pfn));
                 for (j = pageblock_nr_pages; j; --j, pfn++) {
-                        if (!pfn_valid(pfn))
-                                goto err;
-
+                        WARN_ON_ONCE(!pfn_valid(pfn));
                         /*
-                         * In init_cma_reserved_pageblock(), present_pages
-                         * is adjusted with assumption that all pages in
-                         * the pageblock come from a single zone.
+                         * alloc_contig_range requires the pfn range
+                         * specified to be in the same zone. Make this
+                         * simple by forcing the entire CMA resv range
+                         * to be in the same zone.
                          */
                         if (page_zone(pfn_to_page(pfn)) != zone)
-                                goto err;
+                                goto not_in_zone;
                 }
                 init_cma_reserved_pageblock(pfn_to_page(base_pfn));
         } while (--i);
@@ -142,7 +139,7 @@ static int __init cma_activate_area(struct cma *cma)
 
         return 0;
 
-err:
+not_in_zone:
         pr_err("CMA area %s could not be activated\n", cma->name);
         kfree(cma->bitmap);
         cma->count = 0;
@@ -152,41 +149,6 @@ err:
 static int __init cma_init_reserved_areas(void)
 {
         int i;
-        struct zone *zone;
-        pg_data_t *pgdat;
-
-        if (!cma_area_count)
-                return 0;
-
-        for_each_online_pgdat(pgdat) {
-                unsigned long start_pfn = UINT_MAX, end_pfn = 0;
-
-                zone = &pgdat->node_zones[ZONE_MOVABLE];
-
-                /*
-                 * In this case, we cannot adjust the zone range
-                 * since it is now maximum node span and we don't
-                 * know original zone range.
-                 */
-                if (populated_zone(zone))
-                        continue;
-
-                for (i = 0; i < cma_area_count; i++) {
-                        if (pfn_to_nid(cma_areas[i].base_pfn) !=
-                                pgdat->node_id)
-                                continue;
-
-                        start_pfn = min(start_pfn, cma_areas[i].base_pfn);
-                        end_pfn = max(end_pfn, cma_areas[i].base_pfn +
-                                                cma_areas[i].count);
-                }
-
-                if (!end_pfn)
-                        continue;
-
-                zone->zone_start_pfn = start_pfn;
-                zone->spanned_pages = end_pfn - start_pfn;
-        }
 
         for (i = 0; i < cma_area_count; i++) {
                 int ret = cma_activate_area(&cma_areas[i]);
@@ -195,32 +157,9 @@ static int __init cma_init_reserved_areas(void)
                         return ret;
         }
 
-        /*
-         * Reserved pages for ZONE_MOVABLE are now activated and
-         * this would change ZONE_MOVABLE's managed page counter and
-         * the other zones' present counter. We need to re-calculate
-         * various zone information that depends on this initialization.
-         */
-        build_all_zonelists(NULL);
-        for_each_populated_zone(zone) {
-                if (zone_idx(zone) == ZONE_MOVABLE) {
-                        zone_pcp_reset(zone);
-                        setup_zone_pageset(zone);
-                } else
-                        zone_pcp_update(zone);
-
-                set_zone_contiguous(zone);
-        }
-
-        /*
-         * We need to re-init per zone wmark by calling
-         * init_per_zone_wmark_min() but doesn't call here because it is
-         * registered on core_initcall and it will be called later than us.
-         */
-
         return 0;
 }
-pure_initcall(cma_init_reserved_areas);
+core_initcall(cma_init_reserved_areas);
 
 /**
  * cma_init_reserved_mem() - create custom contiguous area from reserved memory
diff --git a/mm/compaction.c b/mm/compaction.c
index 028b7210a669..29bd1df18b98 100644
--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -1450,12 +1450,14 @@ static enum compact_result __compaction_suitable(struct zone *zone, int order,
          * if compaction succeeds.
          * For costly orders, we require low watermark instead of min for
          * compaction to proceed to increase its chances.
+         * ALLOC_CMA is used, as pages in CMA pageblocks are considered
+         * suitable migration targets
          */
         watermark = (order > PAGE_ALLOC_COSTLY_ORDER) ?
                                 low_wmark_pages(zone) : min_wmark_pages(zone);
         watermark += compact_gap(order);
         if (!__zone_watermark_ok(zone, 0, watermark, classzone_idx,
-                                                0, wmark_target))
+                                                ALLOC_CMA, wmark_target))
                 return COMPACT_SKIPPED;
 
         return COMPACT_CONTINUE;
diff --git a/mm/internal.h b/mm/internal.h
index 62d8c34e63d5..502d14189794 100644
--- a/mm/internal.h
+++ b/mm/internal.h
@@ -168,9 +168,6 @@ extern void post_alloc_hook(struct page *page, unsigned int order,
                                         gfp_t gfp_flags);
 extern int user_min_free_kbytes;
 
-extern void set_zone_contiguous(struct zone *zone);
-extern void clear_zone_contiguous(struct zone *zone);
-
 #if defined CONFIG_COMPACTION || defined CONFIG_CMA
 
 /*
@@ -498,6 +495,7 @@ unsigned long reclaim_clean_pages_from_list(struct zone *zone,
 #define ALLOC_HARDER            0x10 /* try to alloc harder */
 #define ALLOC_HIGH              0x20 /* __GFP_HIGH set */
 #define ALLOC_CPUSET            0x40 /* check for correct cpuset */
+#define ALLOC_CMA               0x80 /* allow allocations from CMA areas */
 
 enum ttu_flags;
 struct tlbflush_unmap_batch;
diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c
index bc0e68f7dc75..f185455b3406 100644
--- a/mm/kasan/kasan.c
+++ b/mm/kasan/kasan.c
@@ -792,6 +792,40 @@ DEFINE_ASAN_SET_SHADOW(f5);
 DEFINE_ASAN_SET_SHADOW(f8);
 
 #ifdef CONFIG_MEMORY_HOTPLUG
+static bool shadow_mapped(unsigned long addr)
+{
+        pgd_t *pgd = pgd_offset_k(addr);
+        p4d_t *p4d;
+        pud_t *pud;
+        pmd_t *pmd;
+        pte_t *pte;
+
+        if (pgd_none(*pgd))
+                return false;
+        p4d = p4d_offset(pgd, addr);
+        if (p4d_none(*p4d))
+                return false;
+        pud = pud_offset(p4d, addr);
+        if (pud_none(*pud))
+                return false;
+
+        /*
+         * We can't use pud_large() or pud_huge(), the first one is
+         * arch-specific, the last one depends on HUGETLB_PAGE.  So let's abuse
+         * pud_bad(), if pud is bad then it's bad because it's huge.
+         */
+        if (pud_bad(*pud))
+                return true;
+        pmd = pmd_offset(pud, addr);
+        if (pmd_none(*pmd))
+                return false;
+
+        if (pmd_bad(*pmd))
+                return true;
+        pte = pte_offset_kernel(pmd, addr);
+        return !pte_none(*pte);
+}
+
 static int __meminit kasan_mem_notifier(struct notifier_block *nb,
                         unsigned long action, void *data)
 {
@@ -813,6 +847,14 @@ static int __meminit kasan_mem_notifier(struct notifier_block *nb,
         case MEM_GOING_ONLINE: {
                 void *ret;
 
+                /*
+                 * If shadow is mapped already than it must have been mapped
+                 * during the boot. This could happen if we onlining previously
+                 * offlined memory.
+                 */
+                if (shadow_mapped(shadow_start))
+                        return NOTIFY_OK;
+
                 ret = __vmalloc_node_range(shadow_size, PAGE_SIZE, shadow_start,
                                         shadow_end, GFP_KERNEL,
                                         PAGE_KERNEL, VM_NO_GUARD,
@@ -824,8 +866,26 @@ static int __meminit kasan_mem_notifier(struct notifier_block *nb,
                 kmemleak_ignore(ret);
                 return NOTIFY_OK;
         }
-        case MEM_OFFLINE:
-                vfree((void *)shadow_start);
+        case MEM_CANCEL_ONLINE:
+        case MEM_OFFLINE: {
+                struct vm_struct *vm;
+
+                /*
+                 * shadow_start was either mapped during boot by kasan_init()
+                 * or during memory online by __vmalloc_node_range().
+                 * In the latter case we can use vfree() to free shadow.
+                 * Non-NULL result of the find_vm_area() will tell us if
+                 * that was the second case.
+                 *
+                 * Currently it's not possible to free shadow mapped
+                 * during boot by kasan_init(). It's because the code
+                 * to do that hasn't been written yet. So we'll just
+                 * leak the memory.
+                 */
+                vm = find_vm_area((void *)shadow_start);
+                if (vm)
+                        vfree((void *)shadow_start);
+        }
         }
 
         return NOTIFY_OK;
@@ -838,5 +898,5 @@ static int __init kasan_memhotplug_init(void)
         return 0;
 }
 
-module_init(kasan_memhotplug_init);
+core_initcall(kasan_memhotplug_init);
 #endif
diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index f74826cdceea..25982467800b 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1158,7 +1158,7 @@ int __ref add_memory_resource(int nid, struct resource *res, bool online)
                  * nodes have to go through register_node.
                  * TODO clean up this mess.
                  */
-                ret = link_mem_sections(nid, start_pfn, nr_pages);
+                ret = link_mem_sections(nid, start_pfn, nr_pages, false);
 register_fail:
                 /*
                  * If sysfs file of new node can't create, cpu on the node
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 905db9d7962f..22320ea27489 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1743,38 +1743,16 @@ void __init page_alloc_init_late(void)
 }
 
 #ifdef CONFIG_CMA
-static void __init adjust_present_page_count(struct page *page, long count)
-{
-        struct zone *zone = page_zone(page);
-
-        /* We don't need to hold a lock since it is boot-up process */
-        zone->present_pages += count;
-}
-
 /* Free whole pageblock and set its migration type to MIGRATE_CMA. */
 void __init init_cma_reserved_pageblock(struct page *page)
 {
         unsigned i = pageblock_nr_pages;
-        unsigned long pfn = page_to_pfn(page);
         struct page *p = page;
-        int nid = page_to_nid(page);
-
-        /*
-         * ZONE_MOVABLE will steal present pages from other zones by
-         * changing page links so page_zone() is changed. Before that,
-         * we need to adjust previous zone's page count first.
-         */
-        adjust_present_page_count(page, -pageblock_nr_pages);
 
         do {
                 __ClearPageReserved(p);
                 set_page_count(p, 0);
-
-                /* Steal pages from other zones */
-                set_page_links(p, ZONE_MOVABLE, nid, pfn);
-        } while (++p, ++pfn, --i);
-
-        adjust_present_page_count(page, pageblock_nr_pages);
+        } while (++p, --i);
 
         set_pageblock_migratetype(page, MIGRATE_CMA);
 
@@ -2889,7 +2867,7 @@ int __isolate_free_page(struct page *page, unsigned int order)
                  * exists.
                  */
                 watermark = min_wmark_pages(zone) + (1UL << order);
-                if (!zone_watermark_ok(zone, 0, watermark, 0, 0))
+                if (!zone_watermark_ok(zone, 0, watermark, 0, ALLOC_CMA))
                         return 0;
 
                 __mod_zone_freepage_state(zone, -(1UL << order), mt);
@@ -3165,6 +3143,12 @@ bool __zone_watermark_ok(struct zone *z, unsigned int order, unsigned long mark,
         }
 
 
+#ifdef CONFIG_CMA
+        /* If allocation can't use CMA areas don't use free CMA pages */
+        if (!(alloc_flags & ALLOC_CMA))
+                free_pages -= zone_page_state(z, NR_FREE_CMA_PAGES);
+#endif
+
         /*
          * Check watermarks for an order-0 allocation request. If these
          * are not met, then a high-order request also cannot go ahead
@@ -3191,8 +3175,10 @@ bool __zone_watermark_ok(struct zone *z, unsigned int order, unsigned long mark,
                 }
 
 #ifdef CONFIG_CMA
-                if (!list_empty(&area->free_list[MIGRATE_CMA]))
+                if ((alloc_flags & ALLOC_CMA) &&
+                    !list_empty(&area->free_list[MIGRATE_CMA])) {
                         return true;
+                }
 #endif
                 if (alloc_harder &&
                         !list_empty(&area->free_list[MIGRATE_HIGHATOMIC]))
@@ -3212,6 +3198,13 @@ static inline bool zone_watermark_fast(struct zone *z, unsigned int order,
                 unsigned long mark, int classzone_idx, unsigned int alloc_flags)
 {
         long free_pages = zone_page_state(z, NR_FREE_PAGES);
+        long cma_pages = 0;
+
+#ifdef CONFIG_CMA
+        /* If allocation can't use CMA areas don't use free CMA pages */
+        if (!(alloc_flags & ALLOC_CMA))
+                cma_pages = zone_page_state(z, NR_FREE_CMA_PAGES);
+#endif
 
         /*
          * Fast check for order-0 only. If this fails then the reserves
@@ -3220,7 +3213,7 @@ static inline bool zone_watermark_fast(struct zone *z, unsigned int order,
          * the caller is !atomic then it'll uselessly search the free
          * list. That corner case is then slower but it is harmless.
          */
-        if (!order && free_pages > mark + z->lowmem_reserve[classzone_idx])
+        if (!order && (free_pages - cma_pages) > mark + z->lowmem_reserve[classzone_idx])
                 return true;
 
         return __zone_watermark_ok(z, order, mark, classzone_idx, alloc_flags,
@@ -3856,6 +3849,10 @@ gfp_to_alloc_flags(gfp_t gfp_mask)
         } else if (unlikely(rt_task(current)) && !in_interrupt())
                 alloc_flags |= ALLOC_HARDER;
 
+#ifdef CONFIG_CMA
+        if (gfpflags_to_migratetype(gfp_mask) == MIGRATE_MOVABLE)
+                alloc_flags |= ALLOC_CMA;
+#endif
         return alloc_flags;
 }
 
@@ -4322,6 +4319,9 @@ static inline bool prepare_alloc_pages(gfp_t gfp_mask, unsigned int order,
         if (should_fail_alloc_page(gfp_mask, order))
                 return false;
 
+        if (IS_ENABLED(CONFIG_CMA) && ac->migratetype == MIGRATE_MOVABLE)
+                *alloc_flags |= ALLOC_CMA;
+
         return true;
 }
 
@@ -6204,7 +6204,6 @@ static void __paginginit free_area_init_core(struct pglist_data *pgdat)
 {
         enum zone_type j;
         int nid = pgdat->node_id;
-        unsigned long node_end_pfn = 0;
 
         pgdat_resize_init(pgdat);
 #ifdef CONFIG_NUMA_BALANCING
@@ -6232,13 +6231,9 @@ static void __paginginit free_area_init_core(struct pglist_data *pgdat)
                 struct zone *zone = pgdat->node_zones + j;
                 unsigned long size, realsize, freesize, memmap_pages;
                 unsigned long zone_start_pfn = zone->zone_start_pfn;
-                unsigned long movable_size = 0;
 
                 size = zone->spanned_pages;
                 realsize = freesize = zone->present_pages;
-                if (zone_end_pfn(zone) > node_end_pfn)
-                        node_end_pfn = zone_end_pfn(zone);
-
 
                 /*
                  * Adjust freesize so that it accounts for how much memory
@@ -6287,30 +6282,12 @@ static void __paginginit free_area_init_core(struct pglist_data *pgdat)
                 zone_seqlock_init(zone);
                 zone_pcp_init(zone);
 
-                /*
-                 * The size of the CMA area is unknown now so we need to
-                 * prepare the memory for the usemap at maximum.
-                 */
-                if (IS_ENABLED(CONFIG_CMA) && j == ZONE_MOVABLE &&
-                        pgdat->node_spanned_pages) {
-                        movable_size = node_end_pfn - pgdat->node_start_pfn;
-                }
-
-                if (!size && !movable_size)
+                if (!size)
                         continue;
 
                 set_pageblock_order();
-                if (movable_size) {
-                        zone->zone_start_pfn = pgdat->node_start_pfn;
-                        zone->spanned_pages = movable_size;
-                        setup_usemap(pgdat, zone,
-                                pgdat->node_start_pfn, movable_size);
-                        init_currently_empty_zone(zone,
-                                pgdat->node_start_pfn, movable_size);
-                } else {
-                        setup_usemap(pgdat, zone, zone_start_pfn, size);
-                        init_currently_empty_zone(zone, zone_start_pfn, size);
-                }
+                setup_usemap(pgdat, zone, zone_start_pfn, size);
+                init_currently_empty_zone(zone, zone_start_pfn, size);
                 memmap_init(size, nid, j, zone_start_pfn);
         }
 }
@@ -7621,11 +7598,12 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count,
         unsigned long pfn, iter, found;
 
         /*
-         * For avoiding noise data, lru_add_drain_all() should be called
-         * If ZONE_MOVABLE, the zone never contains unmovable pages
+         * TODO we could make this much more efficient by not checking every
+         * page in the range if we know all of them are in MOVABLE_ZONE and
+         * that the movable zone guarantees that pages are migratable but
+         * the later is not the case right now unfortunatelly. E.g. movablecore
+         * can still lead to having bootmem allocations in zone_movable.
          */
-        if (zone_idx(zone) == ZONE_MOVABLE)
-                return false;
 
         /*
          * CMA allocations (alloc_contig_range) really need to mark isolate
@@ -7646,7 +7624,7 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count,
                 page = pfn_to_page(check);
 
                 if (PageReserved(page))
-                        return true;
+                        goto unmovable;
 
                 /*
                  * Hugepages are not in LRU lists, but they're movable.
@@ -7696,9 +7674,12 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count,
                  * page at boot.
                  */
                 if (found > count)
-                        return true;
+                        goto unmovable;
         }
         return false;
+unmovable:
+        WARN_ON_ONCE(zone_idx(zone) == ZONE_MOVABLE);
+        return true;
 }
 
 bool is_pageblock_removable_nolock(struct page *page)
@@ -7951,7 +7932,7 @@ void free_contig_range(unsigned long pfn, unsigned nr_pages)
 }
 #endif
 
-#if defined CONFIG_MEMORY_HOTPLUG || defined CONFIG_CMA
+#ifdef CONFIG_MEMORY_HOTPLUG
 /*
  * The zone indicated has a new number of managed_pages; batch sizes and percpu
  * page high values need to be recalulated.
diff --git a/mm/swapfile.c b/mm/swapfile.c
index cc2cf04d9018..78a015fcec3b 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -3112,6 +3112,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
         unsigned long *frontswap_map = NULL;
         struct page *page = NULL;
         struct inode *inode = NULL;
+        bool inced_nr_rotate_swap = false;
 
         if (swap_flags & ~SWAP_FLAGS_VALID)
                 return -EINVAL;
@@ -3215,8 +3216,10 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
                         cluster = per_cpu_ptr(p->percpu_cluster, cpu);
                         cluster_set_null(&cluster->index);
                 }
-        } else
+        } else {
                 atomic_inc(&nr_rotate_swap);
+                inced_nr_rotate_swap = true;
+        }
 
         error = swap_cgroup_swapon(p->type, maxpages);
         if (error)
@@ -3307,6 +3310,8 @@ bad_swap:
         vfree(swap_map);
         kvfree(cluster_info);
         kvfree(frontswap_map);
+        if (inced_nr_rotate_swap)
+                atomic_dec(&nr_rotate_swap);
         if (swap_file) {
                 if (inode && S_ISREG(inode->i_mode)) {
                         inode_unlock(inode);
diff --git a/net/9p/Kconfig b/net/9p/Kconfig
index e6014e0e51f7..46c39f7da444 100644
--- a/net/9p/Kconfig
+++ b/net/9p/Kconfig
@@ -32,7 +32,7 @@ config NET_9P_XEN
 
 
 config NET_9P_RDMA
-        depends on INET && INFINIBAND && INFINIBAND_ADDR_TRANS
+        depends on INET && INFINIBAND_ADDR_TRANS
         tristate "9P RDMA Transport (Experimental)"
         help
           This builds support for an RDMA transport.
diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
index a11d3d89f012..a35f597e8c8b 100644
--- a/net/batman-adv/multicast.c
+++ b/net/batman-adv/multicast.c
@@ -1536,7 +1536,7 @@ out:
 
         if (!ret && primary_if)
                 *primary_if = hard_iface;
-        else
+        else if (hard_iface)
                 batadv_hardif_put(hard_iface);
 
         return ret;
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 0225616d5771..3986551397ca 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -862,7 +862,7 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
         struct batadv_orig_node_vlan *vlan;
         u8 *tt_change_ptr;
 
-        rcu_read_lock();
+        spin_lock_bh(&orig_node->vlan_list_lock);
         hlist_for_each_entry_rcu(vlan, &orig_node->vlan_list, list) {
                 num_vlan++;
                 num_entries += atomic_read(&vlan->tt.num_entries);
@@ -900,7 +900,7 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
         *tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
 
 out:
-        rcu_read_unlock();
+        spin_unlock_bh(&orig_node->vlan_list_lock);
         return tvlv_len;
 }
 
@@ -931,15 +931,20 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
         struct batadv_tvlv_tt_vlan_data *tt_vlan;
         struct batadv_softif_vlan *vlan;
         u16 num_vlan = 0;
-        u16 num_entries = 0;
+        u16 vlan_entries = 0;
+        u16 total_entries = 0;
         u16 tvlv_len;
         u8 *tt_change_ptr;
         int change_offset;
 
-        rcu_read_lock();
+        spin_lock_bh(&bat_priv->softif_vlan_list_lock);
         hlist_for_each_entry_rcu(vlan, &bat_priv->softif_vlan_list, list) {
+                vlan_entries = atomic_read(&vlan->tt.num_entries);
+                if (vlan_entries < 1)
+                        continue;
+
                 num_vlan++;
-                num_entries += atomic_read(&vlan->tt.num_entries);
+                total_entries += vlan_entries;
         }
 
         change_offset = sizeof(**tt_data);
@@ -947,7 +952,7 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 
         /* if tt_len is negative, allocate the space needed by the full table */
         if (*tt_len < 0)
-                *tt_len = batadv_tt_len(num_entries);
+                *tt_len = batadv_tt_len(total_entries);
 
         tvlv_len = *tt_len;
         tvlv_len += change_offset;
@@ -964,6 +969,10 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 
         tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1);
         hlist_for_each_entry_rcu(vlan, &bat_priv->softif_vlan_list, list) {
+                vlan_entries = atomic_read(&vlan->tt.num_entries);
+                if (vlan_entries < 1)
+                        continue;
+
                 tt_vlan->vid = htons(vlan->vid);
                 tt_vlan->crc = htonl(vlan->tt.crc);
 
@@ -974,7 +983,7 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
         *tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
 
 out:
-        rcu_read_unlock();
+        spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
         return tvlv_len;
 }
 
@@ -1538,6 +1547,8 @@ batadv_tt_global_orig_entry_find(const struct batadv_tt_global_entry *entry,
  *  handled by a given originator
  * @entry: the TT global entry to check
  * @orig_node: the originator to search in the list
+ * @flags: a pointer to store TT flags for the given @entry received
+ *  from @orig_node
  *
  * find out if an orig_node is already in the list of a tt_global_entry.
  *
@@ -1545,7 +1556,8 @@ batadv_tt_global_orig_entry_find(const struct batadv_tt_global_entry *entry,
  */
 static bool
 batadv_tt_global_entry_has_orig(const struct batadv_tt_global_entry *entry,
-                                const struct batadv_orig_node *orig_node)
+                                const struct batadv_orig_node *orig_node,
+                                u8 *flags)
 {
         struct batadv_tt_orig_list_entry *orig_entry;
         bool found = false;
@@ -1553,6 +1565,10 @@ batadv_tt_global_entry_has_orig(const struct batadv_tt_global_entry *entry,
         orig_entry = batadv_tt_global_orig_entry_find(entry, orig_node);
         if (orig_entry) {
                 found = true;
+
+                if (flags)
+                        *flags = orig_entry->flags;
+
                 batadv_tt_orig_list_entry_put(orig_entry);
         }
 
@@ -1731,7 +1747,7 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
                         if (!(common->flags & BATADV_TT_CLIENT_TEMP))
                                 goto out;
                         if (batadv_tt_global_entry_has_orig(tt_global_entry,
-                                                            orig_node))
+                                                            orig_node, NULL))
                                 goto out_remove;
                         batadv_tt_global_del_orig_list(tt_global_entry);
                         goto add_orig_entry;
@@ -2880,23 +2896,46 @@ unlock:
 }
 
 /**
- * batadv_tt_local_valid() - verify that given tt entry is a valid one
+ * batadv_tt_local_valid() - verify local tt entry and get flags
  * @entry_ptr: to be checked local tt entry
  * @data_ptr: not used but definition required to satisfy the callback prototype
+ * @flags: a pointer to store TT flags for this client to
+ *
+ * Checks the validity of the given local TT entry. If it is, then the provided
+ * flags pointer is updated.
  *
  * Return: true if the entry is a valid, false otherwise.
  */
-static bool batadv_tt_local_valid(const void *entry_ptr, const void *data_ptr)
+static bool batadv_tt_local_valid(const void *entry_ptr,
+                                  const void *data_ptr,
+                                  u8 *flags)
 {
         const struct batadv_tt_common_entry *tt_common_entry = entry_ptr;
 
         if (tt_common_entry->flags & BATADV_TT_CLIENT_NEW)
                 return false;
+
+        if (flags)
+                *flags = tt_common_entry->flags;
+
         return true;
 }
 
+/**
+ * batadv_tt_global_valid() - verify global tt entry and get flags
+ * @entry_ptr: to be checked global tt entry
+ * @data_ptr: an orig_node object (may be NULL)
+ * @flags: a pointer to store TT flags for this client to
+ *
+ * Checks the validity of the given global TT entry. If it is, then the provided
+ * flags pointer is updated either with the common (summed) TT flags if data_ptr
+ * is NULL or the specific, per originator TT flags otherwise.
+ *
+ * Return: true if the entry is a valid, false otherwise.
+ */
 static bool batadv_tt_global_valid(const void *entry_ptr,
-                                   const void *data_ptr)
+                                   const void *data_ptr,
+                                   u8 *flags)
 {
         const struct batadv_tt_common_entry *tt_common_entry = entry_ptr;
         const struct batadv_tt_global_entry *tt_global_entry;
@@ -2910,7 +2949,8 @@ static bool batadv_tt_global_valid(const void *entry_ptr,
                                        struct batadv_tt_global_entry,
                                        common);
 
-        return batadv_tt_global_entry_has_orig(tt_global_entry, orig_node);
+        return batadv_tt_global_entry_has_orig(tt_global_entry, orig_node,
+                                               flags);
 }
 
 /**
@@ -2920,25 +2960,34 @@ static bool batadv_tt_global_valid(const void *entry_ptr,
  * @hash: hash table containing the tt entries
  * @tt_len: expected tvlv tt data buffer length in number of bytes
  * @tvlv_buff: pointer to the buffer to fill with the TT data
- * @valid_cb: function to filter tt change entries
+ * @valid_cb: function to filter tt change entries and to return TT flags
  * @cb_data: data passed to the filter function as argument
+ *
+ * Fills the tvlv buff with the tt entries from the specified hash. If valid_cb
+ * is not provided then this becomes a no-op.
  */
 static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
                                     struct batadv_hashtable *hash,
                                     void *tvlv_buff, u16 tt_len,
                                     bool (*valid_cb)(const void *,
-                                                     const void *),
+                                                     const void *,
+                                                     u8 *flags),
                                     void *cb_data)
 {
         struct batadv_tt_common_entry *tt_common_entry;
         struct batadv_tvlv_tt_change *tt_change;
         struct hlist_head *head;
         u16 tt_tot, tt_num_entries = 0;
+        u8 flags;
+        bool ret;
         u32 i;
 
         tt_tot = batadv_tt_entries(tt_len);
         tt_change = (struct batadv_tvlv_tt_change *)tvlv_buff;
 
+        if (!valid_cb)
+                return;
+
         rcu_read_lock();
         for (i = 0; i < hash->size; i++) {
                 head = &hash->table[i];
@@ -2948,11 +2997,12 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
                         if (tt_tot == tt_num_entries)
                                 break;
 
-                        if ((valid_cb) && (!valid_cb(tt_common_entry, cb_data)))
+                        ret = valid_cb(tt_common_entry, cb_data, &flags);
+                        if (!ret)
                                 continue;
 
                         ether_addr_copy(tt_change->addr, tt_common_entry->addr);
-                        tt_change->flags = tt_common_entry->flags;
+                        tt_change->flags = flags;
                         tt_change->vid = htons(tt_common_entry->vid);
                         memset(tt_change->reserved, 0,
                                sizeof(tt_change->reserved));
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 47ba98db145d..46c1fe7637ea 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -161,8 +161,8 @@ static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
         /* Make sure the match only receives stp frames */
         if (!par->nft_compat &&
             (!ether_addr_equal(e->destmac, eth_stp_addr) ||
-             !is_broadcast_ether_addr(e->destmsk) ||
-             !(e->bitmask & EBT_DESTMAC)))
+             !(e->bitmask & EBT_DESTMAC) ||
+             !is_broadcast_ether_addr(e->destmsk)))
                 return -EINVAL;
 
         return 0;
diff --git a/net/core/dev.c b/net/core/dev.c
index af0558b00c6c..2af787e8b130 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2124,7 +2124,7 @@ static bool remove_xps_queue_cpu(struct net_device *dev,
                 int i, j;
 
                 for (i = count, j = offset; i--; j++) {
-                        if (!remove_xps_queue(dev_maps, cpu, j))
+                        if (!remove_xps_queue(dev_maps, tci, j))
                                 break;
                 }
 
diff --git a/net/core/filter.c b/net/core/filter.c
index e77c30ca491d..201ff36b17a8 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -481,11 +481,18 @@ do_pass:
 
 #define BPF_EMIT_JMP                                                    \
         do {                                                            \
+                const s32 off_min = S16_MIN, off_max = S16_MAX;         \
+                s32 off;                                                \
+                                                                        \
                 if (target >= len || target < 0)                        \
                         goto err;                                       \
-                insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0;   \
+                off = addrs ? addrs[target] - addrs[i] - 1 : 0;         \
                 /* Adjust pc relative offset for 2nd or 3rd insn. */    \
-                insn->off -= insn - tmp_insns;                          \
+                off -= insn - tmp_insns;                                \
+                /* Reject anything not fitting into insn->off. */       \
+                if (off < off_min || off > off_max)                     \
+                        goto err;                                       \
+                insn->off = off;                                        \
         } while (0)
 
                 case BPF_JMP | BPF_JA:
diff --git a/net/core/sock.c b/net/core/sock.c
index 6444525f610c..3b6d02854e57 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1606,7 +1606,7 @@ static void __sk_free(struct sock *sk)
         if (likely(sk->sk_net_refcnt))
                 sock_inuse_add(sock_net(sk), -1);
 
-        if (unlikely(sock_diag_has_destroy_listeners(sk) && sk->sk_net_refcnt))
+        if (unlikely(sk->sk_net_refcnt && sock_diag_has_destroy_listeners(sk)))
                 sock_diag_broadcast_destroy(sk);
         else
                 sk_destruct(sk);
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 84cd4e3fd01b..0d56e36a6db7 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -283,9 +283,7 @@ int dccp_disconnect(struct sock *sk, int flags)
 
         dccp_clear_xmit_timers(sk);
         ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
-        ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
         dp->dccps_hc_rx_ccid = NULL;
-        dp->dccps_hc_tx_ccid = NULL;
 
         __skb_queue_purge(&sk->sk_receive_queue);
         __skb_queue_purge(&sk->sk_write_queue);
diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
index adf50fbc4c13..47725250b4ca 100644
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -258,11 +258,13 @@ static void dsa_tree_teardown_default_cpu(struct dsa_switch_tree *dst)
 static int dsa_port_setup(struct dsa_port *dp)
 {
         struct dsa_switch *ds = dp->ds;
-        int err;
+        int err = 0;
 
         memset(&dp->devlink_port, 0, sizeof(dp->devlink_port));
 
-        err = devlink_port_register(ds->devlink, &dp->devlink_port, dp->index);
+        if (dp->type != DSA_PORT_TYPE_UNUSED)
+                err = devlink_port_register(ds->devlink, &dp->devlink_port,
+                                            dp->index);
         if (err)
                 return err;
 
@@ -293,7 +295,8 @@ static int dsa_port_setup(struct dsa_port *dp)
 
 static void dsa_port_teardown(struct dsa_port *dp)
 {
-        devlink_port_unregister(&dp->devlink_port);
+        if (dp->type != DSA_PORT_TYPE_UNUSED)
+                devlink_port_unregister(&dp->devlink_port);
 
         switch (dp->type) {
         case DSA_PORT_TYPE_UNUSED:
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index f05afaf3235c..e66172aaf241 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -326,10 +326,11 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
                                  u8 tos, int oif, struct net_device *dev,
                                  int rpf, struct in_device *idev, u32 *itag)
 {
+        struct net *net = dev_net(dev);
+        struct flow_keys flkeys;
         int ret, no_addr;
         struct fib_result res;
         struct flowi4 fl4;
-        struct net *net = dev_net(dev);
         bool dev_match;
 
         fl4.flowi4_oif = 0;
@@ -347,6 +348,11 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
         no_addr = idev->ifa_list == NULL;
 
         fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0;
+        if (!fib4_rules_early_flow_dissect(net, skb, &fl4, &flkeys)) {
+                fl4.flowi4_proto = 0;
+                fl4.fl4_sport = 0;
+                fl4.fl4_dport = 0;
+        }
 
         trace_fib_validate_source(dev, &fl4);
 
@@ -643,6 +649,7 @@ const struct nla_policy rtm_ipv4_policy[RTA_MAX + 1] = {
         [RTA_ENCAP]             = { .type = NLA_NESTED },
         [RTA_UID]               = { .type = NLA_U32 },
         [RTA_MARK]              = { .type = NLA_U32 },
+        [RTA_TABLE]             = { .type = NLA_U32 },
 };
 
 static int rtm_to_fib_config(struct net *net, struct sk_buff *skb,
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 9c169bb2444d..f200b304f76c 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -722,10 +722,12 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
                 erspan_build_header(skb, ntohl(tunnel->parms.o_key),
                                     tunnel->index,
                                     truncate, true);
-        else
+        else if (tunnel->erspan_ver == 2)
                 erspan_build_header_v2(skb, ntohl(tunnel->parms.o_key),
                                        tunnel->dir, tunnel->hwid,
                                        truncate, true);
+        else
+                goto free_skb;
 
         tunnel->parms.o_flags &= ~TUNNEL_KEY;
         __gre_xmit(skb, dev, &tunnel->parms.iph, htons(ETH_P_ERSPAN));
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 83c73bab2c3d..d54abc097800 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1045,7 +1045,8 @@ alloc_new_skb:
                 if (copy > length)
                         copy = length;
 
-                if (!(rt->dst.dev->features&NETIF_F_SG)) {
+                if (!(rt->dst.dev->features&NETIF_F_SG) &&
+                    skb_tailroom(skb) >= copy) {
                         unsigned int off;
 
                         off = skb->len;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 5ad2d8ed3a3f..57bbb060faaf 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -505,8 +505,6 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
         int err;
         int copied;
 
-        WARN_ON_ONCE(sk->sk_family == AF_INET6);
-
         err = -EAGAIN;
         skb = sock_dequeue_err_skb(sk);
         if (!skb)
diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c
index 4fe97723b53f..30221701614c 100644
--- a/net/ipv4/ipmr_base.c
+++ b/net/ipv4/ipmr_base.c
@@ -43,7 +43,10 @@ mr_table_alloc(struct net *net, u32 id,
         write_pnet(&mrt->net, net);
 
         mrt->ops = *ops;
-        rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params);
+        if (rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params)) {
+                kfree(mrt);
+                return NULL;
+        }
         INIT_LIST_HEAD(&mrt->mfc_cache_list);
         INIT_LIST_HEAD(&mrt->mfc_unres_queue);
 
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 44b308d93ec2..e85f35b89c49 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -34,6 +34,7 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 MODULE_DESCRIPTION("IPv4 packet filter");
+MODULE_ALIAS("ipt_icmp");
 
 void *ipt_alloc_initial_table(const struct xt_table *info)
 {
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index fd01f13c896a..12843c9ef142 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -89,10 +89,10 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
                         return true ^ invert;
         }
 
+        memset(&flow, 0, sizeof(flow));
         flow.flowi4_iif = LOOPBACK_IFINDEX;
         flow.daddr = iph->saddr;
         flow.saddr = rpfilter_get_saddr(iph->daddr);
-        flow.flowi4_oif = 0;
         flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
         flow.flowi4_tos = RT_TOS(iph->tos);
         flow.flowi4_scope = RT_SCOPE_UNIVERSE;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 29268efad247..2cfa1b518f8d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1961,8 +1961,13 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
         fl4.saddr = saddr;
         fl4.flowi4_uid = sock_net_uid(net, NULL);
 
-        if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys))
+        if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys)) {
                 flkeys = &_flkeys;
+        } else {
+                fl4.flowi4_proto = 0;
+                fl4.fl4_sport = 0;
+                fl4.fl4_dport = 0;
+        }
 
         err = fib_lookup(net, &fl4, res, 0);
         if (err != 0) {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 383cac0ff0ec..d07e34f8e309 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2833,8 +2833,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
                 return -EBUSY;
 
         if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) {
-                if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))
-                        BUG();
+                if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) {
+                        WARN_ON_ONCE(1);
+                        return -EINVAL;
+                }
                 if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq))
                         return -ENOMEM;
         }
@@ -3342,6 +3344,7 @@ static void tcp_connect_init(struct sock *sk)
         sock_reset_flag(sk, SOCK_DONE);
         tp->snd_wnd = 0;
         tcp_init_wl(tp, 0);
+        tcp_write_queue_purge(sk);
         tp->snd_una = tp->write_seq;
         tp->snd_sml = tp->write_seq;
         tp->snd_up = tp->write_seq;
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 69727bc168cb..458de353f5d9 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -71,6 +71,7 @@ struct ip6gre_net {
         struct ip6_tnl __rcu *tunnels[4][IP6_GRE_HASH_SIZE];
 
         struct ip6_tnl __rcu *collect_md_tun;
+        struct ip6_tnl __rcu *collect_md_tun_erspan;
         struct net_device *fb_tunnel_dev;
 };
 
@@ -81,6 +82,7 @@ static int ip6gre_tunnel_init(struct net_device *dev);
 static void ip6gre_tunnel_setup(struct net_device *dev);
 static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t);
 static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu);
+static void ip6erspan_tnl_link_config(struct ip6_tnl *t, int set_mtu);
 
 /* Tunnel hash table */
 
@@ -232,7 +234,12 @@ static struct ip6_tnl *ip6gre_tunnel_lookup(struct net_device *dev,
         if (cand)
                 return cand;
 
-        t = rcu_dereference(ign->collect_md_tun);
+        if (gre_proto == htons(ETH_P_ERSPAN) ||
+            gre_proto == htons(ETH_P_ERSPAN2))
+                t = rcu_dereference(ign->collect_md_tun_erspan);
+        else
+                t = rcu_dereference(ign->collect_md_tun);
+
         if (t && t->dev->flags & IFF_UP)
                 return t;
 
@@ -261,6 +268,31 @@ static struct ip6_tnl __rcu **__ip6gre_bucket(struct ip6gre_net *ign,
         return &ign->tunnels[prio][h];
 }
 
+static void ip6gre_tunnel_link_md(struct ip6gre_net *ign, struct ip6_tnl *t)
+{
+        if (t->parms.collect_md)
+                rcu_assign_pointer(ign->collect_md_tun, t);
+}
+
+static void ip6erspan_tunnel_link_md(struct ip6gre_net *ign, struct ip6_tnl *t)
+{
+        if (t->parms.collect_md)
+                rcu_assign_pointer(ign->collect_md_tun_erspan, t);
+}
+
+static void ip6gre_tunnel_unlink_md(struct ip6gre_net *ign, struct ip6_tnl *t)
+{
+        if (t->parms.collect_md)
+                rcu_assign_pointer(ign->collect_md_tun, NULL);
+}
+
+static void ip6erspan_tunnel_unlink_md(struct ip6gre_net *ign,
+                                       struct ip6_tnl *t)
+{
+        if (t->parms.collect_md)
+                rcu_assign_pointer(ign->collect_md_tun_erspan, NULL);
+}
+
 static inline struct ip6_tnl __rcu **ip6gre_bucket(struct ip6gre_net *ign,
                 const struct ip6_tnl *t)
 {
@@ -271,9 +303,6 @@ static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t)
 {
         struct ip6_tnl __rcu **tp = ip6gre_bucket(ign, t);
 
-        if (t->parms.collect_md)
-                rcu_assign_pointer(ign->collect_md_tun, t);
-
         rcu_assign_pointer(t->next, rtnl_dereference(*tp));
         rcu_assign_pointer(*tp, t);
 }
@@ -283,9 +312,6 @@ static void ip6gre_tunnel_unlink(struct ip6gre_net *ign, struct ip6_tnl *t)
         struct ip6_tnl __rcu **tp;
         struct ip6_tnl *iter;
 
-        if (t->parms.collect_md)
-                rcu_assign_pointer(ign->collect_md_tun, NULL);
-
         for (tp = ip6gre_bucket(ign, t);
              (iter = rtnl_dereference(*tp)) != NULL;
              tp = &iter->next) {
@@ -374,11 +400,23 @@ failed_free:
         return NULL;
 }
 
+static void ip6erspan_tunnel_uninit(struct net_device *dev)
+{
+        struct ip6_tnl *t = netdev_priv(dev);
+        struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id);
+
+        ip6erspan_tunnel_unlink_md(ign, t);
+        ip6gre_tunnel_unlink(ign, t);
+        dst_cache_reset(&t->dst_cache);
+        dev_put(dev);
+}
+
 static void ip6gre_tunnel_uninit(struct net_device *dev)
 {
         struct ip6_tnl *t = netdev_priv(dev);
         struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id);
 
+        ip6gre_tunnel_unlink_md(ign, t);
         ip6gre_tunnel_unlink(ign, t);
         dst_cache_reset(&t->dst_cache);
         dev_put(dev);
@@ -698,6 +736,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
         else
                 fl6->daddr = tunnel->parms.raddr;
 
+        if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
+                return -ENOMEM;
+
         /* Push GRE header. */
         protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto;
 
@@ -908,7 +949,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                 truncate = true;
         }
 
-        if (skb_cow_head(skb, dev->needed_headroom))
+        if (skb_cow_head(skb, dev->needed_headroom ?: t->hlen))
                 goto tx_err;
 
         t->parms.o_flags &= ~TUNNEL_KEY;
@@ -979,11 +1020,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                         erspan_build_header(skb, ntohl(t->parms.o_key),
                                             t->parms.index,
                                             truncate, false);
-                else
+                else if (t->parms.erspan_ver == 2)
                         erspan_build_header_v2(skb, ntohl(t->parms.o_key),
                                                t->parms.dir,
                                                t->parms.hwid,
                                                truncate, false);
+                else
+                        goto tx_err;
+
                 fl6.daddr = t->parms.raddr;
         }
 
@@ -1019,12 +1063,11 @@ tx_err:
         return NETDEV_TX_OK;
 }
 
-static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
+static void ip6gre_tnl_link_config_common(struct ip6_tnl *t)
 {
         struct net_device *dev = t->dev;
         struct __ip6_tnl_parm *p = &t->parms;
         struct flowi6 *fl6 = &t->fl.u.ip6;
-        int t_hlen;
 
         if (dev->type != ARPHRD_ETHER) {
                 memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
@@ -1051,12 +1094,13 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
                 dev->flags |= IFF_POINTOPOINT;
         else
                 dev->flags &= ~IFF_POINTOPOINT;
+}
 
-        t->tun_hlen = gre_calc_hlen(t->parms.o_flags);
-
-        t->hlen = t->encap_hlen + t->tun_hlen;
-
-        t_hlen = t->hlen + sizeof(struct ipv6hdr);
+static void ip6gre_tnl_link_config_route(struct ip6_tnl *t, int set_mtu,
+                                         int t_hlen)
+{
+        const struct __ip6_tnl_parm *p = &t->parms;
+        struct net_device *dev = t->dev;
 
         if (p->flags & IP6_TNL_F_CAP_XMIT) {
                 int strict = (ipv6_addr_type(&p->raddr) &
@@ -1088,8 +1132,26 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
         }
 }
 
-static int ip6gre_tnl_change(struct ip6_tnl *t,
-        const struct __ip6_tnl_parm *p, int set_mtu)
+static int ip6gre_calc_hlen(struct ip6_tnl *tunnel)
+{
+        int t_hlen;
+
+        tunnel->tun_hlen = gre_calc_hlen(tunnel->parms.o_flags);
+        tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;
+
+        t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
+        tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+        return t_hlen;
+}
+
+static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
+{
+        ip6gre_tnl_link_config_common(t);
+        ip6gre_tnl_link_config_route(t, set_mtu, ip6gre_calc_hlen(t));
+}
+
+static void ip6gre_tnl_copy_tnl_parm(struct ip6_tnl *t,
+                                     const struct __ip6_tnl_parm *p)
 {
         t->parms.laddr = p->laddr;
         t->parms.raddr = p->raddr;
@@ -1105,6 +1167,12 @@ static int ip6gre_tnl_change(struct ip6_tnl *t,
         t->parms.o_flags = p->o_flags;
         t->parms.fwmark = p->fwmark;
         dst_cache_reset(&t->dst_cache);
+}
+
+static int ip6gre_tnl_change(struct ip6_tnl *t, const struct __ip6_tnl_parm *p,
+                             int set_mtu)
+{
+        ip6gre_tnl_copy_tnl_parm(t, p);
         ip6gre_tnl_link_config(t, set_mtu);
         return 0;
 }
@@ -1381,11 +1449,7 @@ static int ip6gre_tunnel_init_common(struct net_device *dev)
                 return ret;
         }
 
-        tunnel->tun_hlen = gre_calc_hlen(tunnel->parms.o_flags);
-        tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;
-        t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
-
-        dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+        t_hlen = ip6gre_calc_hlen(tunnel);
         dev->mtu = ETH_DATA_LEN - t_hlen;
         if (dev->type == ARPHRD_ETHER)
                 dev->mtu -= ETH_HLEN;
@@ -1728,6 +1792,19 @@ static const struct net_device_ops ip6gre_tap_netdev_ops = {
         .ndo_get_iflink = ip6_tnl_get_iflink,
 };
 
+static int ip6erspan_calc_hlen(struct ip6_tnl *tunnel)
+{
+        int t_hlen;
+
+        tunnel->tun_hlen = 8;
+        tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen +
+                       erspan_hdr_len(tunnel->parms.erspan_ver);
+
+        t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
+        tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+        return t_hlen;
+}
+
 static int ip6erspan_tap_init(struct net_device *dev)
 {
         struct ip6_tnl *tunnel;
@@ -1751,12 +1828,7 @@ static int ip6erspan_tap_init(struct net_device *dev)
                 return ret;
         }
 
-        tunnel->tun_hlen = 8;
-        tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen +
-                       erspan_hdr_len(tunnel->parms.erspan_ver);
-        t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
-
-        dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+        t_hlen = ip6erspan_calc_hlen(tunnel);
         dev->mtu = ETH_DATA_LEN - t_hlen;
         if (dev->type == ARPHRD_ETHER)
                 dev->mtu -= ETH_HLEN;
@@ -1764,14 +1836,14 @@ static int ip6erspan_tap_init(struct net_device *dev)
                 dev->mtu -= 8;
 
         dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
-        ip6gre_tnl_link_config(tunnel, 1);
+        ip6erspan_tnl_link_config(tunnel, 1);
 
         return 0;
 }
 
 static const struct net_device_ops ip6erspan_netdev_ops = {
         .ndo_init =             ip6erspan_tap_init,
-        .ndo_uninit =           ip6gre_tunnel_uninit,
+        .ndo_uninit =           ip6erspan_tunnel_uninit,
         .ndo_start_xmit =       ip6erspan_tunnel_xmit,
         .ndo_set_mac_address =  eth_mac_addr,
         .ndo_validate_addr =    eth_validate_addr,
@@ -1835,13 +1907,11 @@ static bool ip6gre_netlink_encap_parms(struct nlattr *data[],
         return ret;
 }
 
-static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
-                          struct nlattr *tb[], struct nlattr *data[],
-                          struct netlink_ext_ack *extack)
+static int ip6gre_newlink_common(struct net *src_net, struct net_device *dev,
+                                 struct nlattr *tb[], struct nlattr *data[],
+                                 struct netlink_ext_ack *extack)
 {
         struct ip6_tnl *nt;
-        struct net *net = dev_net(dev);
-        struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
         struct ip_tunnel_encap ipencap;
         int err;
 
@@ -1854,16 +1924,6 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
                         return err;
         }
 
-        ip6gre_netlink_parms(data, &nt->parms);
-
-        if (nt->parms.collect_md) {
-                if (rtnl_dereference(ign->collect_md_tun))
-                        return -EEXIST;
-        } else {
-                if (ip6gre_tunnel_find(net, &nt->parms, dev->type))
-                        return -EEXIST;
-        }
-
         if (dev->type == ARPHRD_ETHER && !tb[IFLA_ADDRESS])
                 eth_hw_addr_random(dev);
 
@@ -1874,51 +1934,94 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
         if (err)
                 goto out;
 
-        ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
-
         if (tb[IFLA_MTU])
                 ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU]));
 
         dev_hold(dev);
-        ip6gre_tunnel_link(ign, nt);
 
 out:
         return err;
 }
 
-static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
-                             struct nlattr *data[],
-                             struct netlink_ext_ack *extack)
+static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
+                          struct nlattr *tb[], struct nlattr *data[],
+                          struct netlink_ext_ack *extack)
+{
+        struct ip6_tnl *nt = netdev_priv(dev);
+        struct net *net = dev_net(dev);
+        struct ip6gre_net *ign;
+        int err;
+
+        ip6gre_netlink_parms(data, &nt->parms);
+        ign = net_generic(net, ip6gre_net_id);
+
+        if (nt->parms.collect_md) {
+                if (rtnl_dereference(ign->collect_md_tun))
+                        return -EEXIST;
+        } else {
+                if (ip6gre_tunnel_find(net, &nt->parms, dev->type))
+                        return -EEXIST;
+        }
+
+        err = ip6gre_newlink_common(src_net, dev, tb, data, extack);
+        if (!err) {
+                ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
+                ip6gre_tunnel_link_md(ign, nt);
+                ip6gre_tunnel_link(net_generic(net, ip6gre_net_id), nt);
+        }
+        return err;
+}
+
+static struct ip6_tnl *
+ip6gre_changelink_common(struct net_device *dev, struct nlattr *tb[],
+                         struct nlattr *data[], struct __ip6_tnl_parm *p_p,
+                         struct netlink_ext_ack *extack)
 {
         struct ip6_tnl *t, *nt = netdev_priv(dev);
         struct net *net = nt->net;
         struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
-        struct __ip6_tnl_parm p;
         struct ip_tunnel_encap ipencap;
 
         if (dev == ign->fb_tunnel_dev)
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
 
         if (ip6gre_netlink_encap_parms(data, &ipencap)) {
                 int err = ip6_tnl_encap_setup(nt, &ipencap);
 
                 if (err < 0)
-                        return err;
+                        return ERR_PTR(err);
         }
 
-        ip6gre_netlink_parms(data, &p);
+        ip6gre_netlink_parms(data, p_p);
 
-        t = ip6gre_tunnel_locate(net, &p, 0);
+        t = ip6gre_tunnel_locate(net, p_p, 0);
 
         if (t) {
                 if (t->dev != dev)
-                        return -EEXIST;
+                        return ERR_PTR(-EEXIST);
         } else {
                 t = nt;
         }
 
+        return t;
+}
+
+static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
+                             struct nlattr *data[],
+                             struct netlink_ext_ack *extack)
+{
+        struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
+        struct __ip6_tnl_parm p;
+        struct ip6_tnl *t;
+
+        t = ip6gre_changelink_common(dev, tb, data, &p, extack);
+        if (IS_ERR(t))
+                return PTR_ERR(t);
+
+        ip6gre_tunnel_unlink_md(ign, t);
         ip6gre_tunnel_unlink(ign, t);
         ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
+        ip6gre_tunnel_link_md(ign, t);
         ip6gre_tunnel_link(ign, t);
         return 0;
 }
@@ -2068,6 +2171,69 @@ static void ip6erspan_tap_setup(struct net_device *dev)
         netif_keep_dst(dev);
 }
 
+static int ip6erspan_newlink(struct net *src_net, struct net_device *dev,
+                             struct nlattr *tb[], struct nlattr *data[],
+                             struct netlink_ext_ack *extack)
+{
+        struct ip6_tnl *nt = netdev_priv(dev);
+        struct net *net = dev_net(dev);
+        struct ip6gre_net *ign;
+        int err;
+
+        ip6gre_netlink_parms(data, &nt->parms);
+        ign = net_generic(net, ip6gre_net_id);
+
+        if (nt->parms.collect_md) {
+                if (rtnl_dereference(ign->collect_md_tun_erspan))
+                        return -EEXIST;
+        } else {
+                if (ip6gre_tunnel_find(net, &nt->parms, dev->type))
+                        return -EEXIST;
+        }
+
+        err = ip6gre_newlink_common(src_net, dev, tb, data, extack);
+        if (!err) {
+                ip6erspan_tnl_link_config(nt, !tb[IFLA_MTU]);
+                ip6erspan_tunnel_link_md(ign, nt);
+                ip6gre_tunnel_link(net_generic(net, ip6gre_net_id), nt);
+        }
+        return err;
+}
+
+static void ip6erspan_tnl_link_config(struct ip6_tnl *t, int set_mtu)
+{
+        ip6gre_tnl_link_config_common(t);
+        ip6gre_tnl_link_config_route(t, set_mtu, ip6erspan_calc_hlen(t));
+}
+
+static int ip6erspan_tnl_change(struct ip6_tnl *t,
+                                const struct __ip6_tnl_parm *p, int set_mtu)
+{
+        ip6gre_tnl_copy_tnl_parm(t, p);
+        ip6erspan_tnl_link_config(t, set_mtu);
+        return 0;
+}
+
+static int ip6erspan_changelink(struct net_device *dev, struct nlattr *tb[],
+                                struct nlattr *data[],
+                                struct netlink_ext_ack *extack)
+{
+        struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
+        struct __ip6_tnl_parm p;
+        struct ip6_tnl *t;
+
+        t = ip6gre_changelink_common(dev, tb, data, &p, extack);
+        if (IS_ERR(t))
+                return PTR_ERR(t);
+
+        ip6gre_tunnel_unlink_md(ign, t);
+        ip6gre_tunnel_unlink(ign, t);
+        ip6erspan_tnl_change(t, &p, !tb[IFLA_MTU]);
+        ip6erspan_tunnel_link_md(ign, t);
+        ip6gre_tunnel_link(ign, t);
+        return 0;
+}
+
 static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
         .kind           = "ip6gre",
         .maxtype        = IFLA_GRE_MAX,
@@ -2104,8 +2270,8 @@ static struct rtnl_link_ops ip6erspan_tap_ops __read_mostly = {
         .priv_size      = sizeof(struct ip6_tnl),
         .setup          = ip6erspan_tap_setup,
         .validate       = ip6erspan_tap_validate,
-        .newlink        = ip6gre_newlink,
-        .changelink     = ip6gre_changelink,
+        .newlink        = ip6erspan_newlink,
+        .changelink     = ip6erspan_changelink,
         .get_size       = ip6gre_get_size,
         .fill_info      = ip6gre_fill_info,
         .get_link_net   = ip6_tnl_get_link_net,
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 2e891d2c30ef..7b6d1689087b 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1503,7 +1503,8 @@ alloc_new_skb:
                 if (copy > length)
                         copy = length;
 
-                if (!(rt->dst.dev->features&NETIF_F_SG)) {
+                if (!(rt->dst.dev->features&NETIF_F_SG) &&
+                    skb_tailroom(skb) >= copy) {
                         unsigned int off;
 
                         off = skb->len;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 65c9e1a58305..97f79dc943d7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -38,6 +38,7 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 MODULE_DESCRIPTION("IPv6 packet filter");
+MODULE_ALIAS("ip6t_icmp6");
 
 void *ip6t_alloc_initial_table(const struct xt_table *info)
 {
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index 0f6c9ca59062..5b5b0f95ffd1 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -401,7 +401,7 @@ u32 mesh_plink_deactivate(struct sta_info *sta)
 
 static void mesh_sta_info_init(struct ieee80211_sub_if_data *sdata,
                                struct sta_info *sta,
-                               struct ieee802_11_elems *elems, bool insert)
+                               struct ieee802_11_elems *elems)
 {
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_supported_band *sband;
@@ -447,7 +447,7 @@ static void mesh_sta_info_init(struct ieee80211_sub_if_data *sdata,
                 sta->sta.bandwidth = IEEE80211_STA_RX_BW_20;
         }
 
-        if (insert)
+        if (!test_sta_flag(sta, WLAN_STA_RATE_CONTROL))
                 rate_control_rate_init(sta);
         else
                 rate_control_rate_update(local, sband, sta, changed);
@@ -551,7 +551,7 @@ mesh_sta_info_get(struct ieee80211_sub_if_data *sdata,
         rcu_read_lock();
         sta = sta_info_get(sdata, addr);
         if (sta) {
-                mesh_sta_info_init(sdata, sta, elems, false);
+                mesh_sta_info_init(sdata, sta, elems);
         } else {
                 rcu_read_unlock();
                 /* can't run atomic */
@@ -561,7 +561,7 @@ mesh_sta_info_get(struct ieee80211_sub_if_data *sdata,
                         return NULL;
                 }
 
-                mesh_sta_info_init(sdata, sta, elems, true);
+                mesh_sta_info_init(sdata, sta, elems);
 
                 if (sta_info_insert_rcu(sta))
                         return NULL;
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 0f6b8172fb9a..206fb2c4c319 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -585,7 +585,8 @@ void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
 EXPORT_SYMBOL(nf_nat_decode_session_hook);
 #endif
 
-static void __net_init __netfilter_net_init(struct nf_hook_entries **e, int max)
+static void __net_init
+__netfilter_net_init(struct nf_hook_entries __rcu **e, int max)
 {
         int h;
 
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 370abbf6f421..75de46576f51 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -232,7 +232,10 @@ static inline int ip_vs_conn_unhash(struct ip_vs_conn *cp)
 static inline bool ip_vs_conn_unlink(struct ip_vs_conn *cp)
 {
         unsigned int hash;
-        bool ret;
+        bool ret = false;
+
+        if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
+                return refcount_dec_if_one(&cp->refcnt);
 
         hash = ip_vs_conn_hashkey_conn(cp);
 
@@ -240,15 +243,13 @@ static inline bool ip_vs_conn_unlink(struct ip_vs_conn *cp)
         spin_lock(&cp->lock);
 
         if (cp->flags & IP_VS_CONN_F_HASHED) {
-                ret = false;
                 /* Decrease refcnt and unlink conn only if we are last user */
                 if (refcount_dec_if_one(&cp->refcnt)) {
                         hlist_del_rcu(&cp->c_list);
                         cp->flags &= ~IP_VS_CONN_F_HASHED;
                         ret = true;
                 }
-        } else
-                ret = refcount_read(&cp->refcnt) ? false : true;
+        }
 
         spin_unlock(&cp->lock);
         ct_write_unlock_bh(hash);
@@ -454,12 +455,6 @@ ip_vs_conn_out_get_proto(struct netns_ipvs *ipvs, int af,
 }
 EXPORT_SYMBOL_GPL(ip_vs_conn_out_get_proto);
 
-static void __ip_vs_conn_put_notimer(struct ip_vs_conn *cp)
-{
-        __ip_vs_conn_put(cp);
-        ip_vs_conn_expire(&cp->timer);
-}
-
 /*
  *      Put back the conn and restart its timer with its timeout
  */
@@ -478,7 +473,7 @@ void ip_vs_conn_put(struct ip_vs_conn *cp)
             (refcount_read(&cp->refcnt) == 1) &&
             !timer_pending(&cp->timer))
                 /* expire connection immediately */
-                __ip_vs_conn_put_notimer(cp);
+                ip_vs_conn_expire(&cp->timer);
         else
                 __ip_vs_conn_put_timer(cp);
 }
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 5f6f73cf2174..0679dd101e72 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -119,6 +119,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
                 struct ip_vs_cpu_stats *s;
                 struct ip_vs_service *svc;
 
+                local_bh_disable();
+
                 s = this_cpu_ptr(dest->stats.cpustats);
                 u64_stats_update_begin(&s->syncp);
                 s->cnt.inpkts++;
@@ -137,6 +139,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
                 s->cnt.inpkts++;
                 s->cnt.inbytes += skb->len;
                 u64_stats_update_end(&s->syncp);
+
+                local_bh_enable();
         }
 }
 
@@ -151,6 +155,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
                 struct ip_vs_cpu_stats *s;
                 struct ip_vs_service *svc;
 
+                local_bh_disable();
+
                 s = this_cpu_ptr(dest->stats.cpustats);
                 u64_stats_update_begin(&s->syncp);
                 s->cnt.outpkts++;
@@ -169,6 +175,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
                 s->cnt.outpkts++;
                 s->cnt.outbytes += skb->len;
                 u64_stats_update_end(&s->syncp);
+
+                local_bh_enable();
         }
 }
 
@@ -179,6 +187,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
         struct netns_ipvs *ipvs = svc->ipvs;
         struct ip_vs_cpu_stats *s;
 
+        local_bh_disable();
+
         s = this_cpu_ptr(cp->dest->stats.cpustats);
         u64_stats_update_begin(&s->syncp);
         s->cnt.conns++;
@@ -193,6 +203,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
         u64_stats_update_begin(&s->syncp);
         s->cnt.conns++;
         u64_stats_update_end(&s->syncp);
+
+        local_bh_enable();
 }
 
 
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index e97cdc1cf98c..8e67910185a0 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -981,6 +981,17 @@ static int tcp_packet(struct nf_conn *ct,
                         return NF_ACCEPT; /* Don't change state */
                 }
                 break;
+        case TCP_CONNTRACK_SYN_SENT2:
+                /* tcp_conntracks table is not smart enough to handle
+                 * simultaneous open.
+                 */
+                ct->proto.tcp.last_flags |= IP_CT_TCP_SIMULTANEOUS_OPEN;
+                break;
+        case TCP_CONNTRACK_SYN_RECV:
+                if (dir == IP_CT_DIR_REPLY && index == TCP_ACK_SET &&
+                    ct->proto.tcp.last_flags & IP_CT_TCP_SIMULTANEOUS_OPEN)
+                        new_state = TCP_CONNTRACK_ESTABLISHED;
+                break;
         case TCP_CONNTRACK_CLOSE:
                 if (index == TCP_RST_SET
                     && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 04d4e3772584..91e80aa852d6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -214,6 +214,34 @@ static int nft_delchain(struct nft_ctx *ctx)
         return err;
 }
 
+static void nft_rule_expr_activate(const struct nft_ctx *ctx,
+                                   struct nft_rule *rule)
+{
+        struct nft_expr *expr;
+
+        expr = nft_expr_first(rule);
+        while (expr != nft_expr_last(rule) && expr->ops) {
+                if (expr->ops->activate)
+                        expr->ops->activate(ctx, expr);
+
+                expr = nft_expr_next(expr);
+        }
+}
+
+static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
+                                     struct nft_rule *rule)
+{
+        struct nft_expr *expr;
+
+        expr = nft_expr_first(rule);
+        while (expr != nft_expr_last(rule) && expr->ops) {
+                if (expr->ops->deactivate)
+                        expr->ops->deactivate(ctx, expr);
+
+                expr = nft_expr_next(expr);
+        }
+}
+
 static int
 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
 {
@@ -259,6 +287,7 @@ static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
                 nft_trans_destroy(trans);
                 return err;
         }
+        nft_rule_expr_deactivate(ctx, rule);
 
         return 0;
 }
@@ -2238,6 +2267,13 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
         kfree(rule);
 }
 
+static void nf_tables_rule_release(const struct nft_ctx *ctx,
+                                   struct nft_rule *rule)
+{
+        nft_rule_expr_deactivate(ctx, rule);
+        nf_tables_rule_destroy(ctx, rule);
+}
+
 #define NFT_RULE_MAXEXPRS       128
 
 static struct nft_expr_info *info;
@@ -2402,7 +2438,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
         return 0;
 
 err2:
-        nf_tables_rule_destroy(&ctx, rule);
+        nf_tables_rule_release(&ctx, rule);
 err1:
         for (i = 0; i < n; i++) {
                 if (info[i].ops != NULL)
@@ -4044,8 +4080,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
                         if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
                             nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
                             nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
-                            nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
-                                return -EBUSY;
+                            nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
+                                err = -EBUSY;
+                                goto err5;
+                        }
                         if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
                              nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
                              memcmp(nft_set_ext_data(ext),
@@ -4130,7 +4168,7 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
  *      NFT_GOTO verdicts. This function must be called on active data objects
  *      from the second phase of the commit protocol.
  */
-static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
+void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
 {
         if (type == NFT_DATA_VERDICT) {
                 switch (data->verdict.code) {
@@ -5761,7 +5799,7 @@ static void nft_chain_commit_update(struct nft_trans *trans)
         }
 }
 
-static void nf_tables_commit_release(struct nft_trans *trans)
+static void nft_commit_release(struct nft_trans *trans)
 {
         switch (trans->msg_type) {
         case NFT_MSG_DELTABLE:
@@ -5790,6 +5828,21 @@ static void nf_tables_commit_release(struct nft_trans *trans)
         kfree(trans);
 }
 
+static void nf_tables_commit_release(struct net *net)
+{
+        struct nft_trans *trans, *next;
+
+        if (list_empty(&net->nft.commit_list))
+                return;
+
+        synchronize_rcu();
+
+        list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
+                list_del(&trans->list);
+                nft_commit_release(trans);
+        }
+}
+
 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 {
         struct nft_trans *trans, *next;
@@ -5920,13 +5973,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
                 }
         }
 
-        synchronize_rcu();
-
-        list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
-                list_del(&trans->list);
-                nf_tables_commit_release(trans);
-        }
-
+        nf_tables_commit_release(net);
         nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
 
         return 0;
@@ -6006,10 +6053,12 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb)
                 case NFT_MSG_NEWRULE:
                         trans->ctx.chain->use--;
                         list_del_rcu(&nft_trans_rule(trans)->list);
+                        nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
                         break;
                 case NFT_MSG_DELRULE:
                         trans->ctx.chain->use++;
                         nft_clear(trans->ctx.net, nft_trans_rule(trans));
+                        nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
                         nft_trans_destroy(trans);
                         break;
                 case NFT_MSG_NEWSET:
@@ -6585,7 +6634,7 @@ int __nft_release_basechain(struct nft_ctx *ctx)
         list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
                 list_del(&rule->list);
                 ctx->chain->use--;
-                nf_tables_rule_destroy(ctx, rule);
+                nf_tables_rule_release(ctx, rule);
         }
         list_del(&ctx->chain->list);
         ctx->table->use--;
@@ -6623,7 +6672,7 @@ static void __nft_release_tables(struct net *net)
                         list_for_each_entry_safe(rule, nr, &chain->rules, list) {
                                 list_del(&rule->list);
                                 chain->use--;
-                                nf_tables_rule_destroy(&ctx, rule);
+                                nf_tables_rule_release(&ctx, rule);
                         }
                 }
                 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index dfd0bf3810d2..942702a2776f 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -119,15 +119,22 @@ DEFINE_STATIC_KEY_FALSE(nft_counters_enabled);
 static noinline void nft_update_chain_stats(const struct nft_chain *chain,
                                             const struct nft_pktinfo *pkt)
 {
+        struct nft_base_chain *base_chain;
         struct nft_stats *stats;
 
-        local_bh_disable();
-        stats = this_cpu_ptr(rcu_dereference(nft_base_chain(chain)->stats));
-        u64_stats_update_begin(&stats->syncp);
-        stats->pkts++;
-        stats->bytes += pkt->skb->len;
-        u64_stats_update_end(&stats->syncp);
-        local_bh_enable();
+        base_chain = nft_base_chain(chain);
+        if (!base_chain->stats)
+                return;
+
+        stats = this_cpu_ptr(rcu_dereference(base_chain->stats));
+        if (stats) {
+                local_bh_disable();
+                u64_stats_update_begin(&stats->syncp);
+                stats->pkts++;
+                stats->bytes += pkt->skb->len;
+                u64_stats_update_end(&stats->syncp);
+                local_bh_enable();
+        }
 }
 
 struct nft_jumpstack {
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index b9505bcd3827..6ddf89183e7b 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -115,7 +115,7 @@ static int nfnl_acct_new(struct net *net, struct sock *nfnl,
                 nfacct->flags = flags;
         }
 
-        strncpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
+        nla_strlcpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
 
         if (tb[NFACCT_BYTES]) {
                 atomic64_set(&nfacct->bytes,
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 4a4b293fb2e5..fa026b269b36 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -149,8 +149,8 @@ nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy,
             !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
                 return -EINVAL;
 
-        strncpy(expect_policy->name,
-                nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
+        nla_strlcpy(expect_policy->name,
+                    nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
         expect_policy->max_expected =
                 ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
         if (expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
@@ -234,7 +234,8 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
         if (ret < 0)
                 goto err1;
 
-        strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
+        nla_strlcpy(helper->name,
+                    nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
         size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
         if (size > FIELD_SIZEOF(struct nf_conn_help, data)) {
                 ret = -ENOMEM;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 8e23726b9081..1d99a1efdafc 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -27,14 +27,31 @@ struct nft_xt {
         struct list_head        head;
         struct nft_expr_ops     ops;
         unsigned int            refcnt;
+
+        /* Unlike other expressions, ops doesn't have static storage duration.
+         * nft core assumes they do.  We use kfree_rcu so that nft core can
+         * can check expr->ops->size even after nft_compat->destroy() frees
+         * the nft_xt struct that holds the ops structure.
+         */
+        struct rcu_head         rcu_head;
+};
+
+/* Used for matches where *info is larger than X byte */
+#define NFT_MATCH_LARGE_THRESH  192
+
+struct nft_xt_match_priv {
+        void *info;
 };
 
-static void nft_xt_put(struct nft_xt *xt)
+static bool nft_xt_put(struct nft_xt *xt)
 {
         if (--xt->refcnt == 0) {
                 list_del(&xt->head);
-                kfree(xt);
+                kfree_rcu(xt, rcu_head);
+                return true;
         }
+
+        return false;
 }
 
 static int nft_compat_chain_validate_dependency(const char *tablename,
@@ -226,6 +243,7 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         struct xt_target *target = expr->ops->data;
         struct xt_tgchk_param par;
         size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
+        struct nft_xt *nft_xt;
         u16 proto = 0;
         bool inv = false;
         union nft_entry e = {};
@@ -236,25 +254,22 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         if (ctx->nla[NFTA_RULE_COMPAT]) {
                 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
                 if (ret < 0)
-                        goto err;
+                        return ret;
         }
 
         nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
 
         ret = xt_check_target(&par, size, proto, inv);
         if (ret < 0)
-                goto err;
+                return ret;
 
         /* The standard target cannot be used */
-        if (target->target == NULL) {
-                ret = -EINVAL;
-                goto err;
-        }
+        if (!target->target)
+                return -EINVAL;
 
+        nft_xt = container_of(expr->ops, struct nft_xt, ops);
+        nft_xt->refcnt++;
         return 0;
-err:
-        module_put(target->me);
-        return ret;
 }
 
 static void
@@ -271,8 +286,8 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
         if (par.target->destroy != NULL)
                 par.target->destroy(&par);
 
-        nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
-        module_put(target->me);
+        if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+                module_put(target->me);
 }
 
 static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
@@ -316,11 +331,11 @@ static int nft_target_validate(const struct nft_ctx *ctx,
         return 0;
 }
 
-static void nft_match_eval(const struct nft_expr *expr,
-                           struct nft_regs *regs,
-                           const struct nft_pktinfo *pkt)
+static void __nft_match_eval(const struct nft_expr *expr,
+                             struct nft_regs *regs,
+                             const struct nft_pktinfo *pkt,
+                             void *info)
 {
-        void *info = nft_expr_priv(expr);
         struct xt_match *match = expr->ops->data;
         struct sk_buff *skb = pkt->skb;
         bool ret;
@@ -344,6 +359,22 @@ static void nft_match_eval(const struct nft_expr *expr,
         }
 }
 
+static void nft_match_large_eval(const struct nft_expr *expr,
+                                 struct nft_regs *regs,
+                                 const struct nft_pktinfo *pkt)
+{
+        struct nft_xt_match_priv *priv = nft_expr_priv(expr);
+
+        __nft_match_eval(expr, regs, pkt, priv->info);
+}
+
+static void nft_match_eval(const struct nft_expr *expr,
+                           struct nft_regs *regs,
+                           const struct nft_pktinfo *pkt)
+{
+        __nft_match_eval(expr, regs, pkt, nft_expr_priv(expr));
+}
+
 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
         [NFTA_MATCH_NAME]       = { .type = NLA_NUL_STRING },
         [NFTA_MATCH_REV]        = { .type = NLA_U32 },
@@ -404,13 +435,14 @@ static void match_compat_from_user(struct xt_match *m, void *in, void *out)
 }
 
 static int
-nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
-                const struct nlattr * const tb[])
+__nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                 const struct nlattr * const tb[],
+                 void *info)
 {
-        void *info = nft_expr_priv(expr);
         struct xt_match *match = expr->ops->data;
         struct xt_mtchk_param par;
         size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
+        struct nft_xt *nft_xt;
         u16 proto = 0;
         bool inv = false;
         union nft_entry e = {};
@@ -421,26 +453,50 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         if (ctx->nla[NFTA_RULE_COMPAT]) {
                 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
                 if (ret < 0)
-                        goto err;
+                        return ret;
         }
 
         nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
 
         ret = xt_check_match(&par, size, proto, inv);
         if (ret < 0)
-                goto err;
+                return ret;
 
+        nft_xt = container_of(expr->ops, struct nft_xt, ops);
+        nft_xt->refcnt++;
         return 0;
-err:
-        module_put(match->me);
+}
+
+static int
+nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+               const struct nlattr * const tb[])
+{
+        return __nft_match_init(ctx, expr, tb, nft_expr_priv(expr));
+}
+
+static int
+nft_match_large_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                     const struct nlattr * const tb[])
+{
+        struct nft_xt_match_priv *priv = nft_expr_priv(expr);
+        struct xt_match *m = expr->ops->data;
+        int ret;
+
+        priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
+        if (!priv->info)
+                return -ENOMEM;
+
+        ret = __nft_match_init(ctx, expr, tb, priv->info);
+        if (ret)
+                kfree(priv->info);
         return ret;
 }
 
 static void
-nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+__nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                    void *info)
 {
         struct xt_match *match = expr->ops->data;
-        void *info = nft_expr_priv(expr);
         struct xt_mtdtor_param par;
 
         par.net = ctx->net;
@@ -450,13 +506,28 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
         if (par.match->destroy != NULL)
                 par.match->destroy(&par);
 
-        nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
-        module_put(match->me);
+        if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+                module_put(match->me);
 }
 
-static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
+static void
+nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+{
+        __nft_match_destroy(ctx, expr, nft_expr_priv(expr));
+}
+
+static void
+nft_match_large_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+{
+        struct nft_xt_match_priv *priv = nft_expr_priv(expr);
+
+        __nft_match_destroy(ctx, expr, priv->info);
+        kfree(priv->info);
+}
+
+static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
+                            void *info)
 {
-        void *info = nft_expr_priv(expr);
         struct xt_match *match = expr->ops->data;
 
         if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
@@ -470,6 +541,18 @@ nla_put_failure:
         return -1;
 }
 
+static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
+{
+        return __nft_match_dump(skb, expr, nft_expr_priv(expr));
+}
+
+static int nft_match_large_dump(struct sk_buff *skb, const struct nft_expr *e)
+{
+        struct nft_xt_match_priv *priv = nft_expr_priv(e);
+
+        return __nft_match_dump(skb, e, priv->info);
+}
+
 static int nft_match_validate(const struct nft_ctx *ctx,
                               const struct nft_expr *expr,
                               const struct nft_data **data)
@@ -637,6 +720,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
 {
         struct nft_xt *nft_match;
         struct xt_match *match;
+        unsigned int matchsize;
         char *mt_name;
         u32 rev, family;
         int err;
@@ -654,13 +738,8 @@ nft_match_select_ops(const struct nft_ctx *ctx,
         list_for_each_entry(nft_match, &nft_match_list, head) {
                 struct xt_match *match = nft_match->ops.data;
 
-                if (nft_match_cmp(match, mt_name, rev, family)) {
-                        if (!try_module_get(match->me))
-                                return ERR_PTR(-ENOENT);
-
-                        nft_match->refcnt++;
+                if (nft_match_cmp(match, mt_name, rev, family))
                         return &nft_match->ops;
-                }
         }
 
         match = xt_request_find_match(family, mt_name, rev);
@@ -679,9 +758,8 @@ nft_match_select_ops(const struct nft_ctx *ctx,
                 goto err;
         }
 
-        nft_match->refcnt = 1;
+        nft_match->refcnt = 0;
         nft_match->ops.type = &nft_match_type;
-        nft_match->ops.size = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
         nft_match->ops.eval = nft_match_eval;
         nft_match->ops.init = nft_match_init;
         nft_match->ops.destroy = nft_match_destroy;
@@ -689,6 +767,18 @@ nft_match_select_ops(const struct nft_ctx *ctx,
         nft_match->ops.validate = nft_match_validate;
         nft_match->ops.data = match;
 
+        matchsize = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
+        if (matchsize > NFT_MATCH_LARGE_THRESH) {
+                matchsize = NFT_EXPR_SIZE(sizeof(struct nft_xt_match_priv));
+
+                nft_match->ops.eval = nft_match_large_eval;
+                nft_match->ops.init = nft_match_large_init;
+                nft_match->ops.destroy = nft_match_large_destroy;
+                nft_match->ops.dump = nft_match_large_dump;
+        }
+
+        nft_match->ops.size = matchsize;
+
         list_add(&nft_match->head, &nft_match_list);
 
         return &nft_match->ops;
@@ -739,13 +829,8 @@ nft_target_select_ops(const struct nft_ctx *ctx,
         list_for_each_entry(nft_target, &nft_target_list, head) {
                 struct xt_target *target = nft_target->ops.data;
 
-                if (nft_target_cmp(target, tg_name, rev, family)) {
-                        if (!try_module_get(target->me))
-                                return ERR_PTR(-ENOENT);
-
-                        nft_target->refcnt++;
+                if (nft_target_cmp(target, tg_name, rev, family))
                         return &nft_target->ops;
-                }
         }
 
         target = xt_request_find_target(family, tg_name, rev);
@@ -764,7 +849,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
                 goto err;
         }
 
-        nft_target->refcnt = 1;
+        nft_target->refcnt = 0;
         nft_target->ops.type = &nft_target_type;
         nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
         nft_target->ops.init = nft_target_init;
@@ -823,6 +908,32 @@ err_match:
 
 static void __exit nft_compat_module_exit(void)
 {
+        struct nft_xt *xt, *next;
+
+        /* list should be empty here, it can be non-empty only in case there
+         * was an error that caused nft_xt expr to not be initialized fully
+         * and noone else requested the same expression later.
+         *
+         * In this case, the lists contain 0-refcount entries that still
+         * hold module reference.
+         */
+        list_for_each_entry_safe(xt, next, &nft_target_list, head) {
+                struct xt_target *target = xt->ops.data;
+
+                if (WARN_ON_ONCE(xt->refcnt))
+                        continue;
+                module_put(target->me);
+                kfree(xt);
+        }
+
+        list_for_each_entry_safe(xt, next, &nft_match_list, head) {
+                struct xt_match *match = xt->ops.data;
+
+                if (WARN_ON_ONCE(xt->refcnt))
+                        continue;
+                module_put(match->me);
+                kfree(xt);
+        }
         nfnetlink_subsys_unregister(&nfnl_compat_subsys);
         nft_unregister_expr(&nft_target_type);
         nft_unregister_expr(&nft_match_type);
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index 4717d7796927..aa87ff8beae8 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -69,8 +69,16 @@ err1:
         return err;
 }
 
-static void nft_immediate_destroy(const struct nft_ctx *ctx,
-                                  const struct nft_expr *expr)
+static void nft_immediate_activate(const struct nft_ctx *ctx,
+                                   const struct nft_expr *expr)
+{
+        const struct nft_immediate_expr *priv = nft_expr_priv(expr);
+
+        return nft_data_hold(&priv->data, nft_dreg_to_type(priv->dreg));
+}
+
+static void nft_immediate_deactivate(const struct nft_ctx *ctx,
+                                     const struct nft_expr *expr)
 {
         const struct nft_immediate_expr *priv = nft_expr_priv(expr);
 
@@ -108,7 +116,8 @@ static const struct nft_expr_ops nft_imm_ops = {
         .size           = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)),
         .eval           = nft_immediate_eval,
         .init           = nft_immediate_init,
-        .destroy        = nft_immediate_destroy,
+        .activate       = nft_immediate_activate,
+        .deactivate     = nft_immediate_deactivate,
         .dump           = nft_immediate_dump,
         .validate       = nft_immediate_validate,
 };
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 71325fef647d..cb7cb300c3bc 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -183,6 +183,9 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
         struct xt_match *m;
         int err = -ENOENT;
 
+        if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+                return ERR_PTR(-EINVAL);
+
         mutex_lock(&xt[af].mutex);
         list_for_each_entry(m, &xt[af].match, list) {
                 if (strcmp(m->name, name) == 0) {
@@ -229,6 +232,9 @@ struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
         struct xt_target *t;
         int err = -ENOENT;
 
+        if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+                return ERR_PTR(-EINVAL);
+
         mutex_lock(&xt[af].mutex);
         list_for_each_entry(t, &xt[af].target, list) {
                 if (strcmp(t->name, name) == 0) {
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 01f3515cada0..acb7b86574cd 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2903,13 +2903,15 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
         if (skb == NULL)
                 goto out_unlock;
 
-        skb_set_network_header(skb, reserve);
+        skb_reset_network_header(skb);
 
         err = -EINVAL;
         if (sock->type == SOCK_DGRAM) {
                 offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
                 if (unlikely(offset < 0))
                         goto out_free;
+        } else if (reserve) {
+                skb_reserve(skb, -reserve);
         }
 
         /* Returns -EFAULT on error */
diff --git a/net/rds/Kconfig b/net/rds/Kconfig
index bffde4b46c5d..1a31502ee7db 100644
--- a/net/rds/Kconfig
+++ b/net/rds/Kconfig
@@ -8,7 +8,7 @@ config RDS
 
 config RDS_RDMA
         tristate "RDS over Infiniband"
-        depends on RDS && INFINIBAND && INFINIBAND_ADDR_TRANS
+        depends on RDS && INFINIBAND_ADDR_TRANS
         ---help---
           Allow RDS to use Infiniband as a transport.
           This transport supports RDMA operations.
diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index 853604685965..1fb39e1f9d07 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -161,6 +161,8 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
                         case htons(ETH_P_8021AD):
                                 break;
                         default:
+                                if (exists)
+                                        tcf_idr_release(*a, bind);
                                 return -EPROTONOSUPPORT;
                         }
                 } else {
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 963e4bf0aab8..a57e112d9b3e 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1588,7 +1588,7 @@ int tc_setup_cb_call(struct tcf_block *block, struct tcf_exts *exts,
                 return ret;
         ok_count = ret;
 
-        if (!exts)
+        if (!exts || ok_count)
                 return ok_count;
         ret = tc_exts_setup_cb_egdev_call(exts, type, type_data, err_stop);
         if (ret < 0)
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index 16644b3d2362..56c181c3feeb 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -222,10 +222,11 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt,
                                          extack);
                 if (IS_ERR(child))
                         return PTR_ERR(child);
-        }
 
-        if (child != &noop_qdisc)
+                /* child is fifo, no need to check for noop_qdisc */
                 qdisc_hash_add(child, true);
+        }
+
         sch_tree_lock(sch);
         q->flags = ctl->flags;
         q->limit = ctl->limit;
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index 03225a8df973..6f74a426f159 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -383,6 +383,9 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
                         err = PTR_ERR(child);
                         goto done;
                 }
+
+                /* child is fifo, no need to check for noop_qdisc */
+                qdisc_hash_add(child, true);
         }
 
         sch_tree_lock(sch);
@@ -391,8 +394,6 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
                                           q->qdisc->qstats.backlog);
                 qdisc_destroy(q->qdisc);
                 q->qdisc = child;
-                if (child != &noop_qdisc)
-                        qdisc_hash_add(child, true);
         }
         q->limit = qopt->limit;
         if (tb[TCA_TBF_PBURST])
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 42247110d842..0cd2e764f47f 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -1006,7 +1006,7 @@ static const struct proto_ops inet6_seqpacket_ops = {
         .owner             = THIS_MODULE,
         .release           = inet6_release,
         .bind              = inet6_bind,
-        .connect           = inet_dgram_connect,
+        .connect           = sctp_inet_connect,
         .socketpair        = sock_no_socketpair,
         .accept            = inet_accept,
         .getname           = sctp_getname,
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index d685f8456762..6bf0a9971888 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -1012,7 +1012,7 @@ static const struct proto_ops inet_seqpacket_ops = {
         .owner             = THIS_MODULE,
         .release           = inet_release,      /* Needs to be wrapped... */
         .bind              = inet_bind,
-        .connect           = inet_dgram_connect,
+        .connect           = sctp_inet_connect,
         .socketpair        = sock_no_socketpair,
         .accept            = inet_accept,
         .getname           = inet_getname,      /* Semantics are different.  */
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 80835ac26d2c..ae7e7c606f72 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1086,7 +1086,7 @@ out:
  */
 static int __sctp_connect(struct sock *sk,
                           struct sockaddr *kaddrs,
-                          int addrs_size,
+                          int addrs_size, int flags,
                           sctp_assoc_t *assoc_id)
 {
         struct net *net = sock_net(sk);
@@ -1104,7 +1104,6 @@ static int __sctp_connect(struct sock *sk,
         union sctp_addr *sa_addr = NULL;
         void *addr_buf;
         unsigned short port;
-        unsigned int f_flags = 0;
 
         sp = sctp_sk(sk);
         ep = sp->ep;
@@ -1254,13 +1253,7 @@ static int __sctp_connect(struct sock *sk,
         sp->pf->to_sk_daddr(sa_addr, sk);
         sk->sk_err = 0;
 
-        /* in-kernel sockets don't generally have a file allocated to them
-         * if all they do is call sock_create_kern().
-         */
-        if (sk->sk_socket->file)
-                f_flags = sk->sk_socket->file->f_flags;
-
-        timeo = sock_sndtimeo(sk, f_flags & O_NONBLOCK);
+        timeo = sock_sndtimeo(sk, flags & O_NONBLOCK);
 
         if (assoc_id)
                 *assoc_id = asoc->assoc_id;
@@ -1348,7 +1341,7 @@ static int __sctp_setsockopt_connectx(struct sock *sk,
                                       sctp_assoc_t *assoc_id)
 {
         struct sockaddr *kaddrs;
-        int err = 0;
+        int err = 0, flags = 0;
 
         pr_debug("%s: sk:%p addrs:%p addrs_size:%d\n",
                  __func__, sk, addrs, addrs_size);
@@ -1367,7 +1360,13 @@ static int __sctp_setsockopt_connectx(struct sock *sk,
         if (err)
                 goto out_free;
 
-        err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id);
+        /* in-kernel sockets don't generally have a file allocated to them
+         * if all they do is call sock_create_kern().
+         */
+        if (sk->sk_socket->file)
+                flags = sk->sk_socket->file->f_flags;
+
+        err = __sctp_connect(sk, kaddrs, addrs_size, flags, assoc_id);
 
 out_free:
         kvfree(kaddrs);
@@ -4397,16 +4396,26 @@ out_nounlock:
  * len: the size of the address.
  */
 static int sctp_connect(struct sock *sk, struct sockaddr *addr,
-                        int addr_len)
+                        int addr_len, int flags)
 {
-        int err = 0;
+        struct inet_sock *inet = inet_sk(sk);
         struct sctp_af *af;
+        int err = 0;
 
         lock_sock(sk);
 
         pr_debug("%s: sk:%p, sockaddr:%p, addr_len:%d\n", __func__, sk,
                  addr, addr_len);
 
+        /* We may need to bind the socket. */
+        if (!inet->inet_num) {
+                if (sk->sk_prot->get_port(sk, 0)) {
+                        release_sock(sk);
+                        return -EAGAIN;
+                }
+                inet->inet_sport = htons(inet->inet_num);
+        }
+
         /* Validate addr_len before calling common connect/connectx routine. */
         af = sctp_get_af_specific(addr->sa_family);
         if (!af || addr_len < af->sockaddr_len) {
@@ -4415,13 +4424,25 @@ static int sctp_connect(struct sock *sk, struct sockaddr *addr,
                 /* Pass correct addr len to common routine (so it knows there
                  * is only one address being passed.
                  */
-                err = __sctp_connect(sk, addr, af->sockaddr_len, NULL);
+                err = __sctp_connect(sk, addr, af->sockaddr_len, flags, NULL);
         }
 
         release_sock(sk);
         return err;
 }
 
+int sctp_inet_connect(struct socket *sock, struct sockaddr *uaddr,
+                      int addr_len, int flags)
+{
+        if (addr_len < sizeof(uaddr->sa_family))
+                return -EINVAL;
+
+        if (uaddr->sa_family == AF_UNSPEC)
+                return -EOPNOTSUPP;
+
+        return sctp_connect(sock->sk, uaddr, addr_len, flags);
+}
+
 /* FIXME: Write comments. */
 static int sctp_disconnect(struct sock *sk, int flags)
 {
@@ -8724,7 +8745,6 @@ struct proto sctp_prot = {
         .name        =  "SCTP",
         .owner       =  THIS_MODULE,
         .close       =  sctp_close,
-        .connect     =  sctp_connect,
         .disconnect  =  sctp_disconnect,
         .accept      =  sctp_accept,
         .ioctl       =  sctp_ioctl,
@@ -8767,7 +8787,6 @@ struct proto sctpv6_prot = {
         .name           = "SCTPv6",
         .owner          = THIS_MODULE,
         .close          = sctp_close,
-        .connect        = sctp_connect,
         .disconnect     = sctp_disconnect,
         .accept         = sctp_accept,
         .ioctl          = sctp_ioctl,
diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c
index 74568cdbca70..d7b88b2d1b22 100644
--- a/net/smc/smc_pnet.c
+++ b/net/smc/smc_pnet.c
@@ -245,40 +245,45 @@ out:
 static int smc_pnet_fill_entry(struct net *net, struct smc_pnetentry *pnetelem,
                                struct nlattr *tb[])
 {
-        char *string, *ibname = NULL;
-        int rc = 0;
+        char *string, *ibname;
+        int rc;
 
         memset(pnetelem, 0, sizeof(*pnetelem));
         INIT_LIST_HEAD(&pnetelem->list);
-        if (tb[SMC_PNETID_NAME]) {
-                string = (char *)nla_data(tb[SMC_PNETID_NAME]);
-                if (!smc_pnetid_valid(string, pnetelem->pnet_name)) {
-                        rc = -EINVAL;
-                        goto error;
-                }
-        }
-        if (tb[SMC_PNETID_ETHNAME]) {
-                string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]);
-                pnetelem->ndev = dev_get_by_name(net, string);
-                if (!pnetelem->ndev)
-                        return -ENOENT;
-        }
-        if (tb[SMC_PNETID_IBNAME]) {
-                ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]);
-                ibname = strim(ibname);
-                pnetelem->smcibdev = smc_pnet_find_ib(ibname);
-                if (!pnetelem->smcibdev) {
-                        rc = -ENOENT;
-                        goto error;
-                }
-        }
-        if (tb[SMC_PNETID_IBPORT]) {
-                pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]);
-                if (pnetelem->ib_port > SMC_MAX_PORTS) {
-                        rc = -EINVAL;
-                        goto error;
-                }
-        }
+
+        rc = -EINVAL;
+        if (!tb[SMC_PNETID_NAME])
+                goto error;
+        string = (char *)nla_data(tb[SMC_PNETID_NAME]);
+        if (!smc_pnetid_valid(string, pnetelem->pnet_name))
+                goto error;
+
+        rc = -EINVAL;
+        if (!tb[SMC_PNETID_ETHNAME])
+                goto error;
+        rc = -ENOENT;
+        string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]);
+        pnetelem->ndev = dev_get_by_name(net, string);
+        if (!pnetelem->ndev)
+                goto error;
+
+        rc = -EINVAL;
+        if (!tb[SMC_PNETID_IBNAME])
+                goto error;
+        rc = -ENOENT;
+        ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]);
+        ibname = strim(ibname);
+        pnetelem->smcibdev = smc_pnet_find_ib(ibname);
+        if (!pnetelem->smcibdev)
+                goto error;
+
+        rc = -EINVAL;
+        if (!tb[SMC_PNETID_IBPORT])
+                goto error;
+        pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]);
+        if (pnetelem->ib_port < 1 || pnetelem->ib_port > SMC_MAX_PORTS)
+                goto error;
+
         return 0;
 
 error:
@@ -307,6 +312,8 @@ static int smc_pnet_get(struct sk_buff *skb, struct genl_info *info)
         void *hdr;
         int rc;
 
+        if (!info->attrs[SMC_PNETID_NAME])
+                return -EINVAL;
         pnetelem = smc_pnet_find_pnetid(
                                 (char *)nla_data(info->attrs[SMC_PNETID_NAME]));
         if (!pnetelem)
@@ -359,6 +366,8 @@ static int smc_pnet_add(struct sk_buff *skb, struct genl_info *info)
 
 static int smc_pnet_del(struct sk_buff *skb, struct genl_info *info)
 {
+        if (!info->attrs[SMC_PNETID_NAME])
+                return -EINVAL;
         return smc_pnet_remove_by_pnetid(
                                 (char *)nla_data(info->attrs[SMC_PNETID_NAME]));
 }
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index ac09ca803296..6358e5271070 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -50,7 +50,7 @@ config SUNRPC_DEBUG
 
 config SUNRPC_XPRT_RDMA
         tristate "RPC-over-RDMA transport"
-        depends on SUNRPC && INFINIBAND && INFINIBAND_ADDR_TRANS
+        depends on SUNRPC && INFINIBAND_ADDR_TRANS
         default SUNRPC && INFINIBAND
         select SG_POOL
         help
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 71e79597f940..e1c93ce74e0f 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -680,7 +680,6 @@ static int decrypt_skb(struct sock *sk, struct sk_buff *skb,
         struct scatterlist *sgin = &sgin_arr[0];
         struct strp_msg *rxm = strp_msg(skb);
         int ret, nsg = ARRAY_SIZE(sgin_arr);
-        char aad_recv[TLS_AAD_SPACE_SIZE];
         struct sk_buff *unused;
 
         ret = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE,
@@ -698,13 +697,13 @@ static int decrypt_skb(struct sock *sk, struct sk_buff *skb,
         }
 
         sg_init_table(sgin, nsg);
-        sg_set_buf(&sgin[0], aad_recv, sizeof(aad_recv));
+        sg_set_buf(&sgin[0], ctx->rx_aad_ciphertext, TLS_AAD_SPACE_SIZE);
 
         nsg = skb_to_sgvec(skb, &sgin[1],
                            rxm->offset + tls_ctx->rx.prepend_size,
                            rxm->full_len - tls_ctx->rx.prepend_size);
 
-        tls_make_aad(aad_recv,
+        tls_make_aad(ctx->rx_aad_ciphertext,
                      rxm->full_len - tls_ctx->rx.overhead_size,
                      tls_ctx->rx.rec_seq,
                      tls_ctx->rx.rec_seq_size,
@@ -803,12 +802,12 @@ int tls_sw_recvmsg(struct sock *sk,
                         if (to_copy <= len && page_count < MAX_SKB_FRAGS &&
                             likely(!(flags & MSG_PEEK)))  {
                                 struct scatterlist sgin[MAX_SKB_FRAGS + 1];
-                                char unused[21];
                                 int pages = 0;
 
                                 zc = true;
                                 sg_init_table(sgin, MAX_SKB_FRAGS + 1);
-                                sg_set_buf(&sgin[0], unused, 13);
+                                sg_set_buf(&sgin[0], ctx->rx_aad_plaintext,
+                                           TLS_AAD_SPACE_SIZE);
 
                                 err = zerocopy_from_iter(sk, &msg->msg_iter,
                                                          to_copy, &pages,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index a052693c2e85..7c5135a92d76 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -15555,7 +15555,8 @@ void cfg80211_ft_event(struct net_device *netdev,
         if (!ft_event->target_ap)
                 return;
 
-        msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL);
+        msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
+                        GFP_KERNEL);
         if (!msg)
                 return;
 
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index ac3e12c32aa3..5fcec5c94eb7 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -916,6 +916,9 @@ int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
         const struct fwdb_header *hdr = regdb;
         const struct fwdb_country *country;
 
+        if (!regdb)
+                return -ENODATA;
+
         if (IS_ERR(regdb))
                 return PTR_ERR(regdb);
 
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index e16d6713f236..2d42eb9cd1a5 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -5041,7 +5041,7 @@ sub process {
                                 $tmp_stmt =~ s/\b(typeof|__typeof__|__builtin\w+|typecheck\s*\(\s*$Type\s*,|\#+)\s*\(*\s*$arg\s*\)*\b//g;
                                 $tmp_stmt =~ s/\#+\s*$arg\b//g;
                                 $tmp_stmt =~ s/\b$arg\s*\#\#//g;
-                                my $use_cnt = $tmp_stmt =~ s/\b$arg\b//g;
+                                my $use_cnt = () = $tmp_stmt =~ /\b$arg\b/g;
                                 if ($use_cnt > 1) {
                                         CHK("MACRO_ARG_REUSE",
                                             "Macro argument reuse '$arg' - possible side-effects?\n" . "$herectx");
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index be5817df0a9d..179dd20bec0a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1568,8 +1568,15 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                         /* Called from d_instantiate or d_splice_alias. */
                         dentry = dget(opt_dentry);
                 } else {
-                        /* Called from selinux_complete_init, try to find a dentry. */
+                        /*
+                         * Called from selinux_complete_init, try to find a dentry.
+                         * Some filesystems really want a connected one, so try
+                         * that first.  We could split SECURITY_FS_USE_XATTR in
+                         * two, depending upon that...
+                         */
                         dentry = d_find_alias(inode);
+                        if (!dentry)
+                                dentry = d_find_any_alias(inode);
                 }
                 if (!dentry) {
                         /*
@@ -1674,14 +1681,19 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                 if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) {
                         /* We must have a dentry to determine the label on
                          * procfs inodes */
-                        if (opt_dentry)
+                        if (opt_dentry) {
                                 /* Called from d_instantiate or
                                  * d_splice_alias. */
                                 dentry = dget(opt_dentry);
-                        else
+                        } else {
                                 /* Called from selinux_complete_init, try to
-                                 * find a dentry. */
+                                 * find a dentry.  Some filesystems really want
+                                 * a connected one, so try that first.
+                                 */
                                 dentry = d_find_alias(inode);
+                                if (!dentry)
+                                        dentry = d_find_any_alias(inode);
+                        }
                         /*
                          * This can be hit on boot when a file is accessed
                          * before the policy is loaded.  When we load policy we
diff --git a/sound/core/timer.c b/sound/core/timer.c
index dc87728c5b74..0ddcae495838 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -592,7 +592,7 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
         else
                 timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
         snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
-                          SNDRV_TIMER_EVENT_CONTINUE);
+                          SNDRV_TIMER_EVENT_PAUSE);
  unlock:
         spin_unlock_irqrestore(&timer->lock, flags);
         return result;
@@ -614,7 +614,7 @@ static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
                 list_del_init(&timeri->ack_list);
                 list_del_init(&timeri->active_list);
                 snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
-                                  SNDRV_TIMER_EVENT_CONTINUE);
+                                  SNDRV_TIMER_EVENT_PAUSE);
                 spin_unlock(&timeri->timer->lock);
         }
         spin_unlock_irqrestore(&slave_active_lock, flags);
diff --git a/sound/pci/hda/hda_local.h b/sound/pci/hda/hda_local.h
index 321e78baa63c..9bd935216c18 100644
--- a/sound/pci/hda/hda_local.h
+++ b/sound/pci/hda/hda_local.h
@@ -622,8 +622,10 @@ snd_hda_check_power_state(struct hda_codec *codec, hda_nid_t nid,
 {
         return snd_hdac_check_power_state(&codec->core, nid, target_state);
 }
-static inline bool snd_hda_sync_power_state(struct hda_codec *codec,
-                           hda_nid_t nid, unsigned int target_state)
+
+static inline unsigned int snd_hda_sync_power_state(struct hda_codec *codec,
+                                                    hda_nid_t nid,
+                                                    unsigned int target_state)
 {
         return snd_hdac_sync_power_state(&codec->core, nid, target_state);
 }
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 5922443063f0..0f9f06df49bc 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -2035,7 +2035,7 @@ int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
                 return -EINVAL;
 
         obj = bpf_object__open(attr->file);
-        if (IS_ERR(obj))
+        if (IS_ERR_OR_NULL(obj))
                 return -ENOENT;
 
         bpf_object__for_each_program(prog, obj) {
diff --git a/tools/testing/radix-tree/idr-test.c b/tools/testing/radix-tree/idr-test.c
index 6c645eb77d42..ee820fcc29b0 100644
--- a/tools/testing/radix-tree/idr-test.c
+++ b/tools/testing/radix-tree/idr-test.c
@@ -252,6 +252,13 @@ void idr_checks(void)
         idr_remove(&idr, 3);
         idr_remove(&idr, 0);
 
+        assert(idr_alloc(&idr, DUMMY_PTR, 0, 0, GFP_KERNEL) == 0);
+        idr_remove(&idr, 1);
+        for (i = 1; i < RADIX_TREE_MAP_SIZE; i++)
+                assert(idr_alloc(&idr, DUMMY_PTR, 0, 0, GFP_KERNEL) == i);
+        idr_remove(&idr, 1 << 30);
+        idr_destroy(&idr);
+
         for (i = INT_MAX - 3UL; i < INT_MAX + 1UL; i++) {
                 struct item *item = item_create(i, 0);
                 assert(idr_alloc(&idr, item, i, i + 10, GFP_KERNEL) == i);
diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
index 983dd25d49f4..1eefe211a4a8 100644
--- a/tools/testing/selftests/bpf/config
+++ b/tools/testing/selftests/bpf/config
@@ -5,3 +5,5 @@ CONFIG_BPF_EVENTS=y
 CONFIG_TEST_BPF=m
 CONFIG_CGROUP_BPF=y
 CONFIG_NETDEVSIM=m
+CONFIG_NET_CLS_ACT=y
+CONFIG_NET_SCH_INGRESS=y
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 3e7718b1a9ae..fd7de7eb329e 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -11713,6 +11713,11 @@ static void get_unpriv_disabled()
         FILE *fd;
 
         fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
+        if (!fd) {
+                perror("fopen /proc/sys/"UNPRIV_SYSCTL);
+                unpriv_disabled = true;
+                return;
+        }
         if (fgets(buf, 2, fd) == buf && atoi(buf))
                 unpriv_disabled = true;
         fclose(fd);
diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config
index 6a75a3ea44ad..7ba089b33e8b 100644
--- a/tools/testing/selftests/net/config
+++ b/tools/testing/selftests/net/config
@@ -7,3 +7,8 @@ CONFIG_NET_L3_MASTER_DEV=y
 CONFIG_IPV6=y
 CONFIG_IPV6_MULTIPLE_TABLES=y
 CONFIG_VETH=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_NET_IPVTI=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_IPV6_VTI=y
+CONFIG_DUMMY=y
diff --git a/tools/testing/selftests/net/reuseport_bpf_numa.c b/tools/testing/selftests/net/reuseport_bpf_numa.c
index 365c32e84189..c9f478b40996 100644
--- a/tools/testing/selftests/net/reuseport_bpf_numa.c
+++ b/tools/testing/selftests/net/reuseport_bpf_numa.c
@@ -23,6 +23,8 @@
 #include <unistd.h>
 #include <numa.h>
 
+#include "../kselftest.h"
+
 static const int PORT = 8888;
 
 static void build_rcv_group(int *rcv_fd, size_t len, int family, int proto)
@@ -229,7 +231,7 @@ int main(void)
         int *rcv_fd, nodes;
 
         if (numa_available() < 0)
-                error(1, errno, "no numa api support");
+                ksft_exit_skip("no numa api support\n");
 
         nodes = numa_max_node() + 1;
 
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 168c66d74fc5..e1473234968d 100644
--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
@@ -134,11 +134,15 @@ struct seccomp_data {
 #endif
 
 #ifndef SECCOMP_FILTER_FLAG_TSYNC
-#define SECCOMP_FILTER_FLAG_TSYNC 1
+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0)
 #endif
 
 #ifndef SECCOMP_FILTER_FLAG_LOG
-#define SECCOMP_FILTER_FLAG_LOG 2
+#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
+#endif
+
+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
 #endif
 
 #ifndef PTRACE_SECCOMP_GET_METADATA
@@ -2072,14 +2076,26 @@ TEST(seccomp_syscall_mode_lock)
 TEST(detect_seccomp_filter_flags)
 {
         unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC,
-                                 SECCOMP_FILTER_FLAG_LOG };
+                                 SECCOMP_FILTER_FLAG_LOG,
+                                 SECCOMP_FILTER_FLAG_SPEC_ALLOW };
         unsigned int flag, all_flags;
         int i;
         long ret;
 
         /* Test detection of known-good filter flags */
         for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) {
+                int bits = 0;
+
                 flag = flags[i];
+                /* Make sure the flag is a single bit! */
+                while (flag) {
+                        if (flag & 0x1)
+                                bits ++;
+                        flag >>= 1;
+                }
+                ASSERT_EQ(1, bits);
+                flag = flags[i];
+
                 ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL);
                 ASSERT_NE(ENOSYS, errno) {
                         TH_LOG("Kernel does not support seccomp syscall!");