16 files changed, 223 insertions, 90 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 833267bbd80b..6dd556931739 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -641,6 +641,7 @@ static int auditd_send_unicast_skb(struct sk_buff *skb)
        ac = rcu_dereference(auditd_conn);
        if (!ac) {
                rcu_read_unlock();
+                kfree_skb(skb);
                rc = -ECONNREFUSED;
                goto err;
        }
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6a86723c5b64..af9e84a4944e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -504,6 +504,7 @@ static void reset_reg_range_values(struct bpf_reg_state *regs, u32 regno)
 {
        regs[regno].min_value = BPF_REGISTER_MIN_RANGE;
        regs[regno].max_value = BPF_REGISTER_MAX_RANGE;
+        regs[regno].value_from_signed = false;
        regs[regno].min_align = 0;
 }
@@ -777,12 +778,13 @@ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off,
        return -EACCES;
 }
-static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
+static bool __is_pointer_value(bool allow_ptr_leaks,
+                               const struct bpf_reg_state *reg)
 {
-        if (env->allow_ptr_leaks)
+        if (allow_ptr_leaks)
                return false;
-        switch (env->cur_state.regs[regno].type) {
+        switch (reg->type) {
        case UNKNOWN_VALUE:
        case CONST_IMM:
                return false;
@@ -791,6 +793,11 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
        }
 }
+static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
+{
+        return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]);
+}
 static int check_pkt_ptr_alignment(const struct bpf_reg_state *reg,
                                   int off, int size, bool strict)
 {
@@ -1832,10 +1839,24 @@ static void adjust_reg_min_max_vals(struct bpf_verifier_env *env,
        dst_align = dst_reg->min_align;
        /* We don't know anything about what was done to this register, mark it
-         * as unknown.
+         * as unknown. Also, if both derived bounds came from signed/unsigned
+         * mixed compares and one side is unbounded, we cannot really do anything
+         * with them as boundaries cannot be trusted. Thus, arithmetic of two
+         * regs of such kind will get invalidated bounds on the dst side.
         */
-        if (min_val == BPF_REGISTER_MIN_RANGE &&
+        if ((min_val == BPF_REGISTER_MIN_RANGE &&
-            max_val == BPF_REGISTER_MAX_RANGE) {
+             max_val == BPF_REGISTER_MAX_RANGE) ||
+            (BPF_SRC(insn->code) == BPF_X &&
+             ((min_val != BPF_REGISTER_MIN_RANGE &&
+               max_val == BPF_REGISTER_MAX_RANGE) ||
+              (min_val == BPF_REGISTER_MIN_RANGE &&
+               max_val != BPF_REGISTER_MAX_RANGE) ||
+              (dst_reg->min_value != BPF_REGISTER_MIN_RANGE &&
+               dst_reg->max_value == BPF_REGISTER_MAX_RANGE) ||
+              (dst_reg->min_value == BPF_REGISTER_MIN_RANGE &&
+               dst_reg->max_value != BPF_REGISTER_MAX_RANGE)) &&
+             regs[insn->dst_reg].value_from_signed !=
+             regs[insn->src_reg].value_from_signed)) {
                reset_reg_range_values(regs, insn->dst_reg);
                return;
        }
@@ -2023,6 +2044,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
                        regs[insn->dst_reg].max_value = insn->imm;
                        regs[insn->dst_reg].min_value = insn->imm;
                        regs[insn->dst_reg].min_align = calc_align(insn->imm);
+                        regs[insn->dst_reg].value_from_signed = false;
                }
        } else if (opcode > BPF_END) {
@@ -2198,40 +2220,63 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
                            struct bpf_reg_state *false_reg, u64 val,
                            u8 opcode)
 {
+        bool value_from_signed = true;
+        bool is_range = true;
        switch (opcode) {
        case BPF_JEQ:
                /* If this is false then we know nothing Jon Snow, but if it is
                 * true then we know for sure.
                 */
                true_reg->max_value = true_reg->min_value = val;
+                is_range = false;
                break;
        case BPF_JNE:
                /* If this is true we know nothing Jon Snow, but if it is false
                 * we know the value for sure;
                 */
                false_reg->max_value = false_reg->min_value = val;
+                is_range = false;
                break;
        case BPF_JGT:
-                /* Unsigned comparison, the minimum value is 0. */
+                value_from_signed = false;
-                false_reg->min_value = 0;
                /* fallthrough */
        case BPF_JSGT:
+                if (true_reg->value_from_signed != value_from_signed)
+                        reset_reg_range_values(true_reg, 0);
+                if (false_reg->value_from_signed != value_from_signed)
+                        reset_reg_range_values(false_reg, 0);
+                if (opcode == BPF_JGT) {
+                        /* Unsigned comparison, the minimum value is 0. */
+                        false_reg->min_value = 0;
+                }
                /* If this is false then we know the maximum val is val,
                 * otherwise we know the min val is val+1.
                 */
                false_reg->max_value = val;
+                false_reg->value_from_signed = value_from_signed;
                true_reg->min_value = val + 1;
+                true_reg->value_from_signed = value_from_signed;
                break;
        case BPF_JGE:
-                /* Unsigned comparison, the minimum value is 0. */
+                value_from_signed = false;
-                false_reg->min_value = 0;
                /* fallthrough */
        case BPF_JSGE:
+                if (true_reg->value_from_signed != value_from_signed)
+                        reset_reg_range_values(true_reg, 0);
+                if (false_reg->value_from_signed != value_from_signed)
+                        reset_reg_range_values(false_reg, 0);
+                if (opcode == BPF_JGE) {
+                        /* Unsigned comparison, the minimum value is 0. */
+                        false_reg->min_value = 0;
+                }
                /* If this is false then we know the maximum value is val - 1,
                 * otherwise we know the mimimum value is val.
                 */
                false_reg->max_value = val - 1;
+                false_reg->value_from_signed = value_from_signed;
                true_reg->min_value = val;
+                true_reg->value_from_signed = value_from_signed;
                break;
        default:
                break;
@@ -2239,6 +2284,12 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
        check_reg_overflow(false_reg);
        check_reg_overflow(true_reg);
+        if (is_range) {
+                if (__is_pointer_value(false, false_reg))
+                        reset_reg_range_values(false_reg, 0);
+                if (__is_pointer_value(false, true_reg))
+                        reset_reg_range_values(true_reg, 0);
+        }
 }
 /* Same as above, but for the case that dst_reg is a CONST_IMM reg and src_reg
@@ -2248,41 +2299,64 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
                                struct bpf_reg_state *false_reg, u64 val,
                                u8 opcode)
 {
+        bool value_from_signed = true;
+        bool is_range = true;
        switch (opcode) {
        case BPF_JEQ:
                /* If this is false then we know nothing Jon Snow, but if it is
                 * true then we know for sure.
                 */
                true_reg->max_value = true_reg->min_value = val;
+                is_range = false;
                break;
        case BPF_JNE:
                /* If this is true we know nothing Jon Snow, but if it is false
                 * we know the value for sure;
                 */
                false_reg->max_value = false_reg->min_value = val;
+                is_range = false;
                break;
        case BPF_JGT:
-                /* Unsigned comparison, the minimum value is 0. */
+                value_from_signed = false;
-                true_reg->min_value = 0;
                /* fallthrough */
        case BPF_JSGT:
+                if (true_reg->value_from_signed != value_from_signed)
+                        reset_reg_range_values(true_reg, 0);
+                if (false_reg->value_from_signed != value_from_signed)
+                        reset_reg_range_values(false_reg, 0);
+                if (opcode == BPF_JGT) {
+                        /* Unsigned comparison, the minimum value is 0. */
+                        true_reg->min_value = 0;
+                }
                /*
                 * If this is false, then the val is <= the register, if it is
                 * true the register <= to the val.
                 */
                false_reg->min_value = val;
+                false_reg->value_from_signed = value_from_signed;
                true_reg->max_value = val - 1;
+                true_reg->value_from_signed = value_from_signed;
                break;
        case BPF_JGE:
-                /* Unsigned comparison, the minimum value is 0. */
+                value_from_signed = false;
-                true_reg->min_value = 0;
                /* fallthrough */
        case BPF_JSGE:
+                if (true_reg->value_from_signed != value_from_signed)
+                        reset_reg_range_values(true_reg, 0);
+                if (false_reg->value_from_signed != value_from_signed)
+                        reset_reg_range_values(false_reg, 0);
+                if (opcode == BPF_JGE) {
+                        /* Unsigned comparison, the minimum value is 0. */
+                        true_reg->min_value = 0;
+                }
                /* If this is false then constant < register, if it is true then
                 * the register < constant.
                 */
                false_reg->min_value = val + 1;
+                false_reg->value_from_signed = value_from_signed;
                true_reg->max_value = val;
+                true_reg->value_from_signed = value_from_signed;
                break;
        default:
                break;
@@ -2290,6 +2364,12 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
        check_reg_overflow(false_reg);
        check_reg_overflow(true_reg);
+        if (is_range) {
+                if (__is_pointer_value(false, false_reg))
+                        reset_reg_range_values(false_reg, 0);
+                if (__is_pointer_value(false, true_reg))
+                        reset_reg_range_values(true_reg, 0);
+        }
 }
 static void mark_map_reg(struct bpf_reg_state *regs, u32 regno, u32 id,
diff --git a/kernel/cpu.c b/kernel/cpu.c
index ab860453841d..eee033134262 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -279,7 +279,8 @@ static int bringup_wait_for_ap(unsigned int cpu)
        /* Wait for the CPU to reach CPUHP_AP_ONLINE_IDLE */
        wait_for_completion(&st->done);
-        BUG_ON(!cpu_online(cpu));
+        if (WARN_ON_ONCE((!cpu_online(cpu))))
+                return -ECANCELED;
        /* Unpark the stopper thread and the hotplug thread of the target cpu */
        stop_machine_unpark(cpu);
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 1538df9b2b65..426c2ffba16d 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1452,6 +1452,13 @@ static enum event_type_t get_event_type(struct perf_event *event)
        lockdep_assert_held(&ctx->lock);
+        /*
+         * It's 'group type', really, because if our group leader is
+         * pinned, so are we.
+         */
+        if (event->group_leader != event)
+                event = event->group_leader;
        event_type = event->attr.pinned ? EVENT_PINNED : EVENT_FLEXIBLE;
        if (!ctx->task)
                event_type |= EVENT_CPU;
@@ -4378,7 +4385,9 @@ EXPORT_SYMBOL_GPL(perf_event_read_value);
 static int __perf_read_group_add(struct perf_event *leader,
                                        u64 read_format, u64 *values)
 {
+        struct perf_event_context *ctx = leader->ctx;
        struct perf_event *sub;
+        unsigned long flags;
        int n = 1; /* skip @nr */
        int ret;
@@ -4408,12 +4417,15 @@ static int __perf_read_group_add(struct perf_event *leader,
        if (read_format & PERF_FORMAT_ID)
                values[n++] = primary_event_id(leader);
+        raw_spin_lock_irqsave(&ctx->lock, flags);
        list_for_each_entry(sub, &leader->sibling_list, group_entry) {
                values[n++] += perf_event_count(sub);
                if (read_format & PERF_FORMAT_ID)
                        values[n++] = primary_event_id(sub);
        }
+        raw_spin_unlock_irqrestore(&ctx->lock, flags);
        return 0;
 }
@@ -7321,21 +7333,6 @@ int perf_event_account_interrupt(struct perf_event *event)
        return __perf_event_account_interrupt(event, 1);
 }
-static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs)
-{
-        /*
-         * Due to interrupt latency (AKA "skid"), we may enter the
-         * kernel before taking an overflow, even if the PMU is only
-         * counting user events.
-         * To avoid leaking information to userspace, we must always
-         * reject kernel samples when exclude_kernel is set.
-         */
-        if (event->attr.exclude_kernel && !user_mode(regs))
-                return false;
-        return true;
-}
 /*
 * Generic event overflow handling, sampling.
 */
@@ -7357,12 +7354,6 @@ static int __perf_event_overflow(struct perf_event *event,
        ret = __perf_event_account_interrupt(event, throttle);
        /*
-         * For security, drop the skid kernel samples if necessary.
-         */
-        if (!sample_is_allowed(event, regs))
-                return ret;
-        /*
         * XXX event_limit might not quite work as expected on inherited
         * events
         */
diff --git a/kernel/futex.c b/kernel/futex.c
index c934689043b2..16dbe4c93895 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -212,7 +212,7 @@ struct futex_pi_state {
        atomic_t refcount;
        union futex_key key;
-};
+} __randomize_layout;
 /**
 * struct futex_q - The hashed futex queue entry, one per waiting task
@@ -246,7 +246,7 @@ struct futex_q {
        struct rt_mutex_waiter *rt_waiter;
        union futex_key *requeue_pi_key;
        u32 bitset;
-};
+} __randomize_layout;
 static const struct futex_q futex_q_init = {
        /* list gets initialized in queue_me()*/
diff --git a/kernel/irq/chip.c b/kernel/irq/chip.c
index d171bc57e1e0..a3cc37c0c85e 100644
--- a/kernel/irq/chip.c
+++ b/kernel/irq/chip.c
@@ -170,21 +170,11 @@ static void irq_state_clr_disabled(struct irq_desc *desc)
        irqd_clear(&desc->irq_data, IRQD_IRQ_DISABLED);
 }
-static void irq_state_set_disabled(struct irq_desc *desc)
-{
-        irqd_set(&desc->irq_data, IRQD_IRQ_DISABLED);
-}
 static void irq_state_clr_masked(struct irq_desc *desc)
 {
        irqd_clear(&desc->irq_data, IRQD_IRQ_MASKED);
 }
-static void irq_state_set_masked(struct irq_desc *desc)
-{
-        irqd_set(&desc->irq_data, IRQD_IRQ_MASKED);
-}
 static void irq_state_clr_started(struct irq_desc *desc)
 {
        irqd_clear(&desc->irq_data, IRQD_IRQ_STARTED);
diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h
index dbfba9933ed2..a2c48058354c 100644
--- a/kernel/irq/internals.h
+++ b/kernel/irq/internals.h
@@ -227,6 +227,16 @@ static inline bool irqd_has_set(struct irq_data *d, unsigned int mask)
        return __irqd_to_state(d) & mask;
 }
+static inline void irq_state_set_disabled(struct irq_desc *desc)
+{
+        irqd_set(&desc->irq_data, IRQD_IRQ_DISABLED);
+}
+static inline void irq_state_set_masked(struct irq_desc *desc)
+{
+        irqd_set(&desc->irq_data, IRQD_IRQ_MASKED);
+}
 #undef __irqd_to_state
 static inline void kstat_incr_irqs_this_cpu(struct irq_desc *desc)
diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
index 5624b2dd6b58..1d1a5b945ab4 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -1090,6 +1090,16 @@ setup_irq_thread(struct irqaction *new, unsigned int irq, bool secondary)
 /*
 * Internal function to register an irqaction - typically used to
 * allocate special interrupts that are part of the architecture.
+ *
+ * Locking rules:
+ *
+ * desc->request_mutex  Provides serialization against a concurrent free_irq()
+ *   chip_bus_lock      Provides serialization for slow bus operations
+ *     desc->lock       Provides serialization against hard interrupts
+ *
+ * chip_bus_lock and desc->lock are sufficient for all other management and
+ * interrupt related functions. desc->request_mutex solely serializes
+ * request/free_irq().
 */
 static int
 __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new)
@@ -1167,20 +1177,35 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new)
        if (desc->irq_data.chip->flags & IRQCHIP_ONESHOT_SAFE)
                new->flags &= ~IRQF_ONESHOT;
+        /*
+         * Protects against a concurrent __free_irq() call which might wait
+         * for synchronize_irq() to complete without holding the optional
+         * chip bus lock and desc->lock.
+         */
        mutex_lock(&desc->request_mutex);
+        /*
+         * Acquire bus lock as the irq_request_resources() callback below
+         * might rely on the serialization or the magic power management
+         * functions which are abusing the irq_bus_lock() callback,
+         */
+        chip_bus_lock(desc);
+        /* First installed action requests resources. */
        if (!desc->action) {
                ret = irq_request_resources(desc);
                if (ret) {
                        pr_err("Failed to request resources for %s (irq %d) on irqchip %s\n",
                               new->name, irq, desc->irq_data.chip->name);
-                        goto out_mutex;
+                        goto out_bus_unlock;
                }
        }
-        chip_bus_lock(desc);
        /*
         * The following block of code has to be executed atomically
+         * protected against a concurrent interrupt and any of the other
+         * management calls which are not serialized via
+         * desc->request_mutex or the optional bus lock.
         */
        raw_spin_lock_irqsave(&desc->lock, flags);
        old_ptr = &desc->action;
@@ -1286,10 +1311,8 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new)
                        ret = __irq_set_trigger(desc,
                                                new->flags & IRQF_TRIGGER_MASK);
-                        if (ret) {
+                        if (ret)
-                                irq_release_resources(desc);
                                goto out_unlock;
-                        }
                }
                desc->istate &= ~(IRQS_AUTODETECT | IRQS_SPURIOUS_DISABLED | \
@@ -1385,12 +1408,10 @@ mismatch:
 out_unlock:
        raw_spin_unlock_irqrestore(&desc->lock, flags);
-        chip_bus_sync_unlock(desc);
        if (!desc->action)
                irq_release_resources(desc);
+out_bus_unlock:
-out_mutex:
+        chip_bus_sync_unlock(desc);
        mutex_unlock(&desc->request_mutex);
 out_thread:
@@ -1472,6 +1493,7 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id)
                        WARN(1, "Trying to free already-free IRQ %d\n", irq);
                        raw_spin_unlock_irqrestore(&desc->lock, flags);
                        chip_bus_sync_unlock(desc);
+                        mutex_unlock(&desc->request_mutex);
                        return NULL;
                }
@@ -1498,6 +1520,20 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id)
 #endif
        raw_spin_unlock_irqrestore(&desc->lock, flags);
+        /*
+         * Drop bus_lock here so the changes which were done in the chip
+         * callbacks above are synced out to the irq chips which hang
+         * behind a slow bus (I2C, SPI) before calling synchronize_irq().
+         *
+         * Aside of that the bus_lock can also be taken from the threaded
+         * handler in irq_finalize_oneshot() which results in a deadlock
+         * because synchronize_irq() would wait forever for the thread to
+         * complete, which is blocked on the bus lock.
+         *
+         * The still held desc->request_mutex() protects against a
+         * concurrent request_irq() of this irq so the release of resources
+         * and timing data is properly serialized.
+         */
        chip_bus_sync_unlock(desc);
        unregister_handler_proc(irq, action);
@@ -1530,8 +1566,15 @@ static struct irqaction *__free_irq(unsigned int irq, void *dev_id)
                }
        }
+        /* Last action releases resources */
        if (!desc->action) {
+                /*
+                 * Reaquire bus lock as irq_release_resources() might
+                 * require it to deallocate resources over the slow bus.
+                 */
+                chip_bus_lock(desc);
                irq_release_resources(desc);
+                chip_bus_sync_unlock(desc);
                irq_remove_timings(desc);
        }
diff --git a/kernel/irq/pm.c b/kernel/irq/pm.c
index cea1de0161f1..6bd9b58429cc 100644
--- a/kernel/irq/pm.c
+++ b/kernel/irq/pm.c
@@ -149,6 +149,8 @@ static void resume_irq(struct irq_desc *desc)
        /* Pretend that it got disabled ! */
        desc->depth++;
+        irq_state_set_disabled(desc);
+        irq_state_set_masked(desc);
 resume:
        desc->istate &= ~IRQS_SUSPENDED;
        __enable_irq(desc);
diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index 78069895032a..649dc9d3951a 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -963,7 +963,6 @@ static int task_blocks_on_rt_mutex(struct rt_mutex *lock,
                return -EDEADLK;
        raw_spin_lock(&task->pi_lock);
-        rt_mutex_adjust_prio(task);
        waiter->task = task;
        waiter->lock = lock;
        waiter->prio = task->prio;
diff --git a/kernel/sched/cputime.c b/kernel/sched/cputime.c
index 6e3ea4ac1bda..14d2dbf97c53 100644
--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -683,7 +683,7 @@ static u64 vtime_delta(struct vtime *vtime)
 {
        unsigned long long clock;
-        clock = sched_clock_cpu(smp_processor_id());
+        clock = sched_clock();
        if (clock < vtime->starttime)
                return 0;
@@ -814,7 +814,7 @@ void arch_vtime_task_switch(struct task_struct *prev)
        write_seqcount_begin(&vtime->seqcount);
        vtime->state = VTIME_SYS;
-        vtime->starttime = sched_clock_cpu(smp_processor_id());
+        vtime->starttime = sched_clock();
        write_seqcount_end(&vtime->seqcount);
 }
@@ -826,7 +826,7 @@ void vtime_init_idle(struct task_struct *t, int cpu)
        local_irq_save(flags);
        write_seqcount_begin(&vtime->seqcount);
        vtime->state = VTIME_SYS;
-        vtime->starttime = sched_clock_cpu(cpu);
+        vtime->starttime = sched_clock();
        write_seqcount_end(&vtime->seqcount);
        local_irq_restore(flags);
 }
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index a84299f44b5d..755bd3f1a1a9 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1392,17 +1392,19 @@ static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags)
        struct sched_dl_entity *pi_se = &p->dl;
        /*
-         * Use the scheduling parameters of the top pi-waiter
+         * Use the scheduling parameters of the top pi-waiter task if:
-         * task if we have one and its (absolute) deadline is
+         * - we have a top pi-waiter which is a SCHED_DEADLINE task AND
-         * smaller than our one... OTW we keep our runtime and
+         * - our dl_boosted is set (i.e. the pi-waiter's (absolute) deadline is
-         * deadline.
+         *   smaller than our deadline OR we are a !SCHED_DEADLINE task getting
+         *   boosted due to a SCHED_DEADLINE pi-waiter).
+         * Otherwise we keep our runtime and deadline.
         */
-        if (pi_task && p->dl.dl_boosted && dl_prio(pi_task->normal_prio)) {
+        if (pi_task && dl_prio(pi_task->normal_prio) && p->dl.dl_boosted) {
                pi_se = &pi_task->dl;
        } else if (!dl_prio(p->normal_prio)) {
                /*
                 * Special case in which we have a !SCHED_DEADLINE task
-                 * that is going to be deboosted, but exceedes its
+                 * that is going to be deboosted, but exceeds its
                 * runtime while doing so. No point in replenishing
                 * it, as it's going to return back to its original
                 * scheduling class after this.
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 53f6b6401cf0..02004ae91860 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -113,7 +113,7 @@ static int ftrace_disabled __read_mostly;
 static DEFINE_MUTEX(ftrace_lock);
-static struct ftrace_ops *ftrace_ops_list __read_mostly = &ftrace_list_end;
+static struct ftrace_ops __rcu *ftrace_ops_list __read_mostly = &ftrace_list_end;
 ftrace_func_t ftrace_trace_function __read_mostly = ftrace_stub;
 static struct ftrace_ops global_ops;
@@ -169,8 +169,11 @@ int ftrace_nr_registered_ops(void)
        mutex_lock(&ftrace_lock);
-        for (ops = ftrace_ops_list;
+        for (ops = rcu_dereference_protected(ftrace_ops_list,
-             ops != &ftrace_list_end; ops = ops->next)
+                                             lockdep_is_held(&ftrace_lock));
+             ops != &ftrace_list_end;
+             ops = rcu_dereference_protected(ops->next,
+                                             lockdep_is_held(&ftrace_lock)))
                cnt++;
        mutex_unlock(&ftrace_lock);
@@ -275,10 +278,11 @@ static void update_ftrace_function(void)
         * If there's only one ftrace_ops registered, the ftrace_ops_list
         * will point to the ops we want.
         */
-        set_function_trace_op = ftrace_ops_list;
+        set_function_trace_op = rcu_dereference_protected(ftrace_ops_list,
+                                                lockdep_is_held(&ftrace_lock));
        /* If there's no ftrace_ops registered, just call the stub function */
-        if (ftrace_ops_list == &ftrace_list_end) {
+        if (set_function_trace_op == &ftrace_list_end) {
                func = ftrace_stub;
        /*
@@ -286,7 +290,8 @@ static void update_ftrace_function(void)
         * recursion safe and not dynamic and the arch supports passing ops,
         * then have the mcount trampoline call the function directly.
         */
-        } else if (ftrace_ops_list->next == &ftrace_list_end) {
+        } else if (rcu_dereference_protected(ftrace_ops_list->next,
+                        lockdep_is_held(&ftrace_lock)) == &ftrace_list_end) {
                func = ftrace_ops_get_list_func(ftrace_ops_list);
        } else {
@@ -348,9 +353,11 @@ int using_ftrace_ops_list_func(void)
        return ftrace_trace_function == ftrace_ops_list_func;
 }
-static void add_ftrace_ops(struct ftrace_ops **list, struct ftrace_ops *ops)
+static void add_ftrace_ops(struct ftrace_ops __rcu **list,
+                           struct ftrace_ops *ops)
 {
-        ops->next = *list;
+        rcu_assign_pointer(ops->next, *list);
        /*
         * We are entering ops into the list but another
         * CPU might be walking that list. We need to make sure
@@ -360,7 +367,8 @@ static void add_ftrace_ops(struct ftrace_ops **list, struct ftrace_ops *ops)
        rcu_assign_pointer(*list, ops);
 }
-static int remove_ftrace_ops(struct ftrace_ops **list, struct ftrace_ops *ops)
+static int remove_ftrace_ops(struct ftrace_ops __rcu **list,
+                             struct ftrace_ops *ops)
 {
        struct ftrace_ops **p;
@@ -368,7 +376,10 @@ static int remove_ftrace_ops(struct ftrace_ops **list, struct ftrace_ops *ops)
         * If we are removing the last function, then simply point
         * to the ftrace_stub.
         */
-        if (*list == ops && ops->next == &ftrace_list_end) {
+        if (rcu_dereference_protected(*list,
+                        lockdep_is_held(&ftrace_lock)) == ops &&
+            rcu_dereference_protected(ops->next,
+                        lockdep_is_held(&ftrace_lock)) == &ftrace_list_end) {
                *list = &ftrace_list_end;
                return 0;
        }
@@ -1569,8 +1580,8 @@ ftrace_ops_test(struct ftrace_ops *ops, unsigned long ip, void *regs)
                return 0;
 #endif
-        hash.filter_hash = rcu_dereference_raw_notrace(ops->func_hash->filter_hash);
+        rcu_assign_pointer(hash.filter_hash, ops->func_hash->filter_hash);
-        hash.notrace_hash = rcu_dereference_raw_notrace(ops->func_hash->notrace_hash);
+        rcu_assign_pointer(hash.notrace_hash, ops->func_hash->notrace_hash);
        if (hash_contains_ip(ip, &hash))
                ret = 1;
@@ -2840,7 +2851,8 @@ static int ftrace_shutdown(struct ftrace_ops *ops, int command)
         * If there's no more ops registered with ftrace, run a
         * sanity check to make sure all rec flags are cleared.
         */
-        if (ftrace_ops_list == &ftrace_list_end) {
+        if (rcu_dereference_protected(ftrace_ops_list,
+                        lockdep_is_held(&ftrace_lock)) == &ftrace_list_end) {
                struct ftrace_page *pg;
                struct dyn_ftrace *rec;
@@ -6453,7 +6465,8 @@ ftrace_enable_sysctl(struct ctl_table *table, int write,
        if (ftrace_enabled) {
                /* we are starting ftrace again */
-                if (ftrace_ops_list != &ftrace_list_end)
+                if (rcu_dereference_protected(ftrace_ops_list,
+                        lockdep_is_held(&ftrace_lock)) != &ftrace_list_end)
                        update_ftrace_function();
                ftrace_startup_sysctl();
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 4ae268e687fe..529cc50d7243 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -1136,12 +1136,12 @@ static int __rb_allocate_pages(long nr_pages, struct list_head *pages, int cpu)
        for (i = 0; i < nr_pages; i++) {
                struct page *page;
                /*
-                 * __GFP_NORETRY flag makes sure that the allocation fails
+                 * __GFP_RETRY_MAYFAIL flag makes sure that the allocation fails
-                 * gracefully without invoking oom-killer and the system is
+                 * gracefully without invoking oom-killer and the system is not
-                 * not destabilized.
+                 * destabilized.
                 */
                bpage = kzalloc_node(ALIGN(sizeof(*bpage), cache_line_size()),
-                                    GFP_KERNEL | __GFP_NORETRY,
+                                    GFP_KERNEL | __GFP_RETRY_MAYFAIL,
                                    cpu_to_node(cpu));
                if (!bpage)
                        goto free_pages;
@@ -1149,7 +1149,7 @@ static int __rb_allocate_pages(long nr_pages, struct list_head *pages, int cpu)
                list_add(&bpage->list, pages);
                page = alloc_pages_node(cpu_to_node(cpu),
-                                        GFP_KERNEL | __GFP_NORETRY, 0);
+                                        GFP_KERNEL | __GFP_RETRY_MAYFAIL, 0);
                if (!page)
                        goto free_pages;
                bpage->page = page_address(page);
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 2d0ffcc49dba..42b9355033d4 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -7774,6 +7774,7 @@ static int instance_rmdir(const char *name)
        }
        kfree(tr->topts);
+        free_cpumask_var(tr->tracing_cpumask);
        kfree(tr->name);
        kfree(tr);
diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
index 6ade1c55cc3a..490ba229931d 100644
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1210,9 +1210,9 @@ struct ftrace_event_field {
 struct event_filter {
        int                     n_preds;        /* Number assigned */
        int                     a_preds;        /* allocated */
-        struct filter_pred      *preds;
+        struct filter_pred __rcu        *preds;
-        struct filter_pred      *root;
+        struct filter_pred __rcu        *root;
-        char                    *filter_string;
+        char                            *filter_string;
 };
 struct event_subsystem {