Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

Pull networking updates from David Miller:
 "Most notable changes in here:

   1) By far the biggest accomplishment, thanks to a large range of
      contributors, is the addition of multi-send for transmit.  This is
      the result of discussions back in Chicago, and the hard work of
      several individuals.

      Now, when the ->ndo_start_xmit() method of a driver sees
      skb->xmit_more as true, it can choose to defer the doorbell
      telling the driver to start processing the new TX queue entires.

      skb->xmit_more means that the generic networking is guaranteed to
      call the driver immediately with another SKB to send.

      There is logic added to the qdisc layer to dequeue multiple
      packets at a time, and the handling mis-predicted offloads in
      software is now done with no locks held.

      Finally, pktgen is extended to have a "burst" parameter that can
      be used to test a multi-send implementation.

      Several drivers have xmit_more support: i40e, igb, ixgbe, mlx4,
      virtio_net

      Adding support is almost trivial, so export more drivers to
      support this optimization soon.

      I want to thank, in no particular or implied order, Jesper
      Dangaard Brouer, Eric Dumazet, Alexander Duyck, Tom Herbert, Jamal
      Hadi Salim, John Fastabend, Florian Westphal, Daniel Borkmann,
      David Tat, Hannes Frederic Sowa, and Rusty Russell.

   2) PTP and timestamping support in bnx2x, from Michal Kalderon.

   3) Allow adjusting the rx_copybreak threshold for a driver via
      ethtool, and add rx_copybreak support to enic driver.  From
      Govindarajulu Varadarajan.

   4) Significant enhancements to the generic PHY layer and the bcm7xxx
      driver in particular (EEE support, auto power down, etc.) from
      Florian Fainelli.

   5) Allow raw buffers to be used for flow dissection, allowing drivers
      to determine the optimal "linear pull" size for devices that DMA
      into pools of pages.  The objective is to get exactly the
      necessary amount of headers into the linear SKB area pre-pulled,
      but no more.  The new interface drivers use is eth_get_headlen().
      From WANG Cong, with driver conversions (several had their own
      by-hand duplicated implementations) by Alexander Duyck and Eric
      Dumazet.

   6) Support checksumming more smoothly and efficiently for
      encapsulations, and add "foo over UDP" facility.  From Tom
      Herbert.

   7) Add Broadcom SF2 switch driver to DSA layer, from Florian
      Fainelli.

   8) eBPF now can load programs via a system call and has an extensive
      testsuite.  Alexei Starovoitov and Daniel Borkmann.

   9) Major overhaul of the packet scheduler to use RCU in several major
      areas such as the classifiers and rate estimators.  From John
      Fastabend.

  10) Add driver for Intel FM10000 Ethernet Switch, from Alexander
      Duyck.

  11) Rearrange TCP_SKB_CB() to reduce cache line misses, from Eric
      Dumazet.

  12) Add Datacenter TCP congestion control algorithm support, From
      Florian Westphal.

  13) Reorganize sk_buff so that __copy_skb_header() is significantly
      faster.  From Eric Dumazet"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1558 commits)
  netlabel: directly return netlbl_unlabel_genl_init()
  net: add netdev_txq_bql_{enqueue, complete}_prefetchw() helpers
  net: description of dma_cookie cause make xmldocs warning
  cxgb4: clean up a type issue
  cxgb4: potential shift wrapping bug
  i40e: skb->xmit_more support
  net: fs_enet: Add NAPI TX
  net: fs_enet: Remove non NAPI RX
  r8169:add support for RTL8168EP
  net_sched: copy exts->type in tcf_exts_change()
  wimax: convert printk to pr_foo()
  af_unix: remove 0 assignment on static
  ipv6: Do not warn for informational ICMP messages, regardless of type.
  Update Intel Ethernet Driver maintainers list
  bridge: Save frag_max_size between PRE_ROUTING and POST_ROUTING
  tipc: fix bug in multicast congestion handling
  net: better IFF_XMIT_DST_RELEASE support
  net/mlx4_en: remove NETDEV_TX_BUSY
  3c59x: fix bad split of cpu_to_le32(pci_map_single())
  net: bcmgenet: fix Tx ring priority programming
  ...

21 files changed, 302 insertions, 179 deletions

diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi
index abe530f70296..831810583823 100644
--- a/arch/arm/boot/dts/am33xx.dtsi
+++ b/arch/arm/boot/dts/am33xx.dtsi
@@ -132,6 +132,11 @@
                         };
                 };
 
+                cm: syscon@44e10000 {
+                        compatible = "ti,am33xx-controlmodule", "syscon";
+                        reg = <0x44e10000 0x800>;
+                };
+
                 intc: interrupt-controller@48200000 {
                         compatible = "ti,am33xx-intc";
                         interrupt-controller;
@@ -699,6 +704,7 @@
                          */
                         interrupts = <40 41 42 43>;
                         ranges;
+                        syscon = <&cm>;
                         status = "disabled";
 
                         davinci_mdio: mdio@4a101000 {
diff --git a/arch/arm/boot/dts/berlin2q-marvell-dmp.dts b/arch/arm/boot/dts/berlin2q-marvell-dmp.dts
index a357ce02a64e..ea1f99b8eed6 100644
--- a/arch/arm/boot/dts/berlin2q-marvell-dmp.dts
+++ b/arch/arm/boot/dts/berlin2q-marvell-dmp.dts
@@ -45,3 +45,7 @@
 &uart0 {
         status = "okay";
 };
+
+&eth0 {
+        status = "okay";
+};
diff --git a/arch/arm/boot/dts/berlin2q.dtsi b/arch/arm/boot/dts/berlin2q.dtsi
index 400c40fceccc..891d56b03922 100644
--- a/arch/arm/boot/dts/berlin2q.dtsi
+++ b/arch/arm/boot/dts/berlin2q.dtsi
@@ -114,6 +114,23 @@
                         #interrupt-cells = <3>;
                 };
 
+                eth0: ethernet@b90000 {
+                        compatible = "marvell,pxa168-eth";
+                        reg = <0xb90000 0x10000>;
+                        clocks = <&chip CLKID_GETH0>;
+                        interrupts = <GIC_SPI 24 IRQ_TYPE_LEVEL_HIGH>;
+                        /* set by bootloader */
+                        local-mac-address = [00 00 00 00 00 00];
+                        #address-cells = <1>;
+                        #size-cells = <0>;
+                        phy-handle = <&ethphy0>;
+                        status = "disabled";
+
+                        ethphy0: ethernet-phy@0 {
+                                reg = <0>;
+                        };
+                };
+
                 cpu-ctrl@dd0000 {
                         compatible = "marvell,berlin-cpu-ctrl";
                         reg = <0xdd0000 0x10000>;
diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi
index 888dd767a0b3..f3e88c03b1e4 100644
--- a/arch/arm/boot/dts/imx6sx.dtsi
+++ b/arch/arm/boot/dts/imx6sx.dtsi
@@ -779,6 +779,8 @@
                                          <&clks IMX6SX_CLK_ENET_PTP>;
                                 clock-names = "ipg", "ahb", "ptp",
                                               "enet_clk_ref", "enet_out";
+                                fsl,num-tx-queues=<3>;
+                                fsl,num-rx-queues=<3>;
                                 status = "disabled";
                         };
 
diff --git a/arch/arm/boot/dts/rk3188-radxarock.dts b/arch/arm/boot/dts/rk3188-radxarock.dts
index 39f66e349445..15910c9ddbc7 100644
--- a/arch/arm/boot/dts/rk3188-radxarock.dts
+++ b/arch/arm/boot/dts/rk3188-radxarock.dts
@@ -102,6 +102,22 @@
         };
 };
 
+&emac {
+        status = "okay";
+
+        pinctrl-names = "default";
+        pinctrl-0 = <&emac_xfer>, <&emac_mdio>, <&phy_int>;
+
+        phy = <&phy0>;
+        phy-supply = <&vcc_rmii>;
+
+        phy0: ethernet-phy@0 {
+                reg = <0>;
+                interrupt-parent = <&gpio3>;
+                interrupts = <26 IRQ_TYPE_LEVEL_LOW>;
+        };
+};
+
 &i2c1 {
         status = "okay";
         clock-frequency = <400000>;
@@ -240,6 +256,12 @@
                 };
         };
 
+        lan8720a  {
+                phy_int: phy-int {
+                        rockchip,pins = <RK_GPIO3 26 RK_FUNC_GPIO &pcfg_pull_up>;
+                };
+        };
+
         ir-receiver {
                 ir_recv_pin: ir-recv-pin {
                         rockchip,pins = <RK_GPIO0 10 RK_FUNC_GPIO &pcfg_pull_none>;
diff --git a/arch/arm/boot/dts/rk3188.dtsi b/arch/arm/boot/dts/rk3188.dtsi
index 82732f5249b2..ddaada788b45 100644
--- a/arch/arm/boot/dts/rk3188.dtsi
+++ b/arch/arm/boot/dts/rk3188.dtsi
@@ -168,6 +168,24 @@
                          */
                 };
 
+                emac {
+                        emac_xfer: emac-xfer {
+                                rockchip,pins = <RK_GPIO3 16 RK_FUNC_2 &pcfg_pull_none>, /* tx_en */
+                                                <RK_GPIO3 17 RK_FUNC_2 &pcfg_pull_none>, /* txd1 */
+                                                <RK_GPIO3 18 RK_FUNC_2 &pcfg_pull_none>, /* txd0 */
+                                                <RK_GPIO3 19 RK_FUNC_2 &pcfg_pull_none>, /* rxd0 */
+                                                <RK_GPIO3 20 RK_FUNC_2 &pcfg_pull_none>, /* rxd1 */
+                                                <RK_GPIO3 21 RK_FUNC_2 &pcfg_pull_none>, /* mac_clk */
+                                                <RK_GPIO3 22 RK_FUNC_2 &pcfg_pull_none>, /* rx_err */
+                                                <RK_GPIO3 23 RK_FUNC_2 &pcfg_pull_none>; /* crs_dvalid */
+                        };
+
+                        emac_mdio: emac-mdio {
+                                rockchip,pins = <RK_GPIO3 24 RK_FUNC_2 &pcfg_pull_none>,
+                                                <RK_GPIO3 25 RK_FUNC_2 &pcfg_pull_none>;
+                        };
+                };
+
                 i2c0 {
                         i2c0_xfer: i2c0-xfer {
                                 rockchip,pins = <RK_GPIO1 24 RK_FUNC_1 &pcfg_pull_none>,
@@ -380,6 +398,10 @@
         };
 };
 
+&emac {
+        compatible = "rockchip,rk3188-emac";
+};
+
 &global_timer {
         interrupts = <GIC_PPI 11 0xf04>;
 };
diff --git a/arch/arm/boot/dts/rk3xxx.dtsi b/arch/arm/boot/dts/rk3xxx.dtsi
index 7332d12eb565..499468d42ada 100644
--- a/arch/arm/boot/dts/rk3xxx.dtsi
+++ b/arch/arm/boot/dts/rk3xxx.dtsi
@@ -152,6 +152,23 @@
                 status = "disabled";
         };
 
+        emac: ethernet@10204000 {
+                compatible = "snps,arc-emac";
+                reg = <0x10204000 0x3c>;
+                interrupts = <GIC_SPI 19 IRQ_TYPE_LEVEL_HIGH>;
+                #address-cells = <1>;
+                #size-cells = <0>;
+
+                rockchip,grf = <&grf>;
+
+                clocks = <&cru HCLK_EMAC>, <&cru SCLK_MAC>;
+                clock-names = "hclk", "macref";
+                max-speed = <100>;
+                phy-mode = "rmii";
+
+                status = "disabled";
+        };
+
         mmc0: dwmmc@10214000 {
                 compatible = "rockchip,rk2928-dw-mshc";
                 reg = <0x10214000 0x1000>;
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index a37b989a2f91..e1268f905026 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -12,11 +12,11 @@
 #include <linux/compiler.h>
 #include <linux/errno.h>
 #include <linux/filter.h>
-#include <linux/moduleloader.h>
 #include <linux/netdevice.h>
 #include <linux/string.h>
 #include <linux/slab.h>
 #include <linux/if_vlan.h>
+
 #include <asm/cacheflush.h>
 #include <asm/hwcap.h>
 #include <asm/opcodes.h>
@@ -174,6 +174,14 @@ static inline bool is_load_to_a(u16 inst)
         }
 }
 
+static void jit_fill_hole(void *area, unsigned int size)
+{
+        u32 *ptr;
+        /* We are guaranteed to have aligned memory. */
+        for (ptr = area; size >= sizeof(u32); size -= sizeof(u32))
+                *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
+}
+
 static void build_prologue(struct jit_ctx *ctx)
 {
         u16 reg_set = saved_regs(ctx);
@@ -859,9 +867,11 @@ b_epilogue:
 
 void bpf_jit_compile(struct bpf_prog *fp)
 {
+        struct bpf_binary_header *header;
         struct jit_ctx ctx;
         unsigned tmp_idx;
         unsigned alloc_size;
+        u8 *target_ptr;
 
         if (!bpf_jit_enable)
                 return;
@@ -897,13 +907,15 @@ void bpf_jit_compile(struct bpf_prog *fp)
         /* there's nothing after the epilogue on ARMv7 */
         build_epilogue(&ctx);
 #endif
-
         alloc_size = 4 * ctx.idx;
-        ctx.target = module_alloc(alloc_size);
-        if (unlikely(ctx.target == NULL))
+        header = bpf_jit_binary_alloc(alloc_size, &target_ptr,
+                                      4, jit_fill_hole);
+        if (header == NULL)
                 goto out;
 
+        ctx.target = (u32 *) target_ptr;
         ctx.idx = 0;
+
         build_prologue(&ctx);
         build_body(&ctx);
         build_epilogue(&ctx);
@@ -919,8 +931,9 @@ void bpf_jit_compile(struct bpf_prog *fp)
                 /* there are 2 passes here */
                 bpf_jit_dump(fp->len, alloc_size, 2, ctx.target);
 
+        set_memory_ro((unsigned long)header, header->pages);
         fp->bpf_func = (void *)ctx.target;
-        fp->jited = 1;
+        fp->jited = true;
 out:
         kfree(ctx.offsets);
         return;
@@ -928,7 +941,15 @@ out:
 
 void bpf_jit_free(struct bpf_prog *fp)
 {
-        if (fp->jited)
-                module_free(NULL, fp->bpf_func);
-        kfree(fp);
+        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
+        struct bpf_binary_header *header = (void *)addr;
+
+        if (!fp->jited)
+                goto free_filter;
+
+        set_memory_rw(addr, header->pages);
+        bpf_jit_binary_free(header);
+
+free_filter:
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/arm/net/bpf_jit_32.h b/arch/arm/net/bpf_jit_32.h
index afb84621ff6f..b2d7d92859d3 100644
--- a/arch/arm/net/bpf_jit_32.h
+++ b/arch/arm/net/bpf_jit_32.h
@@ -114,6 +114,20 @@
 
 #define ARM_INST_UMULL          0x00800090
 
+/*
+ * Use a suitable undefined instruction to use for ARM/Thumb2 faulting.
+ * We need to be careful not to conflict with those used by other modules
+ * (BUG, kprobes, etc) and the register_undef_hook() system.
+ *
+ * The ARM architecture reference manual guarantees that the following
+ * instruction space will produce an undefined instruction exception on
+ * all CPUs:
+ *
+ * ARM:   xxxx 0111 1111 xxxx xxxx xxxx 1111 xxxx       ARMv7-AR, section A5.4
+ * Thumb: 1101 1110 xxxx xxxx                           ARMv7-M, section A5.2.6
+ */
+#define ARM_INST_UDF            0xe7fddef1
+
 /* register */
 #define _AL3_R(op, rd, rn, rm)  ((op ## _R) | (rd) << 12 | (rn) << 16 | (rm))
 /* immediate */
diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c
index 3ec6e8e8d368..f5b00f41c4f6 100644
--- a/arch/arm/plat-orion/common.c
+++ b/arch/arm/plat-orion/common.c
@@ -499,7 +499,7 @@ void __init orion_ge00_switch_init(struct dsa_platform_data *d, int irq)
 
         d->netdev = &orion_ge00.dev;
         for (i = 0; i < d->nr_chips; i++)
-                d->chip[i].mii_bus = &orion_ge00_shared.dev;
+                d->chip[i].host_dev = &orion_ge00_shared.dev;
         orion_switch_device.dev.platform_data = d;
 
         platform_device_register(&orion_switch_device);
diff --git a/arch/mips/bcm47xx/setup.c b/arch/mips/bcm47xx/setup.c
index ad439c273003..c00585d915bc 100644
--- a/arch/mips/bcm47xx/setup.c
+++ b/arch/mips/bcm47xx/setup.c
@@ -211,6 +211,10 @@ static void __init bcm47xx_register_bcma(void)
 
         err = bcma_host_soc_register(&bcm47xx_bus.bcma);
         if (err)
+                panic("Failed to register BCMA bus (err %d)", err);
+
+        err = bcma_host_soc_init(&bcm47xx_bus.bcma);
+        if (err)
                 panic("Failed to initialize BCMA bus (err %d)", err);
 
         bcm47xx_fill_bcma_boardinfo(&bcm47xx_bus.bcma.bus.boardinfo, NULL);
diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
index 9f7ecbda250c..7edc08398c4a 100644
--- a/arch/mips/net/bpf_jit.c
+++ b/arch/mips/net/bpf_jit.c
@@ -765,27 +765,6 @@ static u64 jit_get_skb_w(struct sk_buff *skb, unsigned offset)
         return (u64)err << 32 | ntohl(ret);
 }
 
-#ifdef __BIG_ENDIAN_BITFIELD
-#define PKT_TYPE_MAX    (7 << 5)
-#else
-#define PKT_TYPE_MAX    7
-#endif
-static int pkt_type_offset(void)
-{
-        struct sk_buff skb_probe = {
-                .pkt_type = ~0,
-        };
-        u8 *ct = (u8 *)&skb_probe;
-        unsigned int off;
-
-        for (off = 0; off < sizeof(struct sk_buff); off++) {
-                if (ct[off] == PKT_TYPE_MAX)
-                        return off;
-        }
-        pr_err_once("Please fix pkt_type_offset(), as pkt_type couldn't be found\n");
-        return -1;
-}
-
 static int build_body(struct jit_ctx *ctx)
 {
         void *load_func[] = {jit_get_skb_b, jit_get_skb_h, jit_get_skb_w};
@@ -793,7 +772,6 @@ static int build_body(struct jit_ctx *ctx)
         const struct sock_filter *inst;
         unsigned int i, off, load_order, condt;
         u32 k, b_off __maybe_unused;
-        int tmp;
 
         for (i = 0; i < prog->len; i++) {
                 u16 code;
@@ -1333,11 +1311,7 @@ jmp_cmp:
                 case BPF_ANC | SKF_AD_PKTTYPE:
                         ctx->flags |= SEEN_SKB;
 
-                        tmp = off = pkt_type_offset();
-
-                        if (tmp < 0)
-                                return -1;
-                        emit_load_byte(r_tmp, r_skb, off, ctx);
+                        emit_load_byte(r_tmp, r_skb, PKT_TYPE_OFFSET(), ctx);
                         /* Keep only the last 3 bits */
                         emit_andi(r_A, r_tmp, PKT_TYPE_MAX, ctx);
 #ifdef __BIG_ENDIAN_BITFIELD
@@ -1418,7 +1392,7 @@ void bpf_jit_compile(struct bpf_prog *fp)
                 bpf_jit_dump(fp->len, alloc_size, 2, ctx.target);
 
         fp->bpf_func = (void *)ctx.target;
-        fp->jited = 1;
+        fp->jited = true;
 
 out:
         kfree(ctx.offsets);
@@ -1428,5 +1402,6 @@ void bpf_jit_free(struct bpf_prog *fp)
 {
         if (fp->jited)
                 module_free(NULL, fp->bpf_func);
-        kfree(fp);
+
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
index 3afa6f4c1957..cbae2dfd053c 100644
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -686,7 +686,7 @@ void bpf_jit_compile(struct bpf_prog *fp)
                 ((u64 *)image)[0] = (u64)code_base;
                 ((u64 *)image)[1] = local_paca->kernel_toc;
                 fp->bpf_func = (void *)image;
-                fp->jited = 1;
+                fp->jited = true;
         }
 out:
         kfree(addrs);
@@ -697,5 +697,6 @@ void bpf_jit_free(struct bpf_prog *fp)
 {
         if (fp->jited)
                 module_free(NULL, fp->bpf_func);
-        kfree(fp);
+
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 61e45b7c04d7..c52ac77408ca 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -5,11 +5,9 @@
  *
  * Author(s): Martin Schwidefsky <schwidefsky@de.ibm.com>
  */
-#include <linux/moduleloader.h>
 #include <linux/netdevice.h>
 #include <linux/if_vlan.h>
 #include <linux/filter.h>
-#include <linux/random.h>
 #include <linux/init.h>
 #include <asm/cacheflush.h>
 #include <asm/facility.h>
@@ -148,6 +146,12 @@ struct bpf_jit {
         ret;                                            \
 })
 
+static void bpf_jit_fill_hole(void *area, unsigned int size)
+{
+        /* Fill whole space with illegal instructions */
+        memset(area, 0, size);
+}
+
 static void bpf_jit_prologue(struct bpf_jit *jit)
 {
         /* Save registers and create stack frame if necessary */
@@ -223,37 +227,6 @@ static void bpf_jit_epilogue(struct bpf_jit *jit)
         EMIT2(0x07fe);
 }
 
-/* Helper to find the offset of pkt_type in sk_buff
- * Make sure its still a 3bit field starting at the MSBs within a byte.
- */
-#define PKT_TYPE_MAX 0xe0
-static int pkt_type_offset;
-
-static int __init bpf_pkt_type_offset_init(void)
-{
-        struct sk_buff skb_probe = {
-                .pkt_type = ~0,
-        };
-        char *ct = (char *)&skb_probe;
-        int off;
-
-        pkt_type_offset = -1;
-        for (off = 0; off < sizeof(struct sk_buff); off++) {
-                if (!ct[off])
-                        continue;
-                if (ct[off] == PKT_TYPE_MAX)
-                        pkt_type_offset = off;
-                else {
-                        /* Found non matching bit pattern, fix needed. */
-                        WARN_ON_ONCE(1);
-                        pkt_type_offset = -1;
-                        return -1;
-                }
-        }
-        return 0;
-}
-device_initcall(bpf_pkt_type_offset_init);
-
 /*
  * make sure we dont leak kernel information to user
  */
@@ -753,12 +726,10 @@ call_fn:	/* lg %r1,<d(function)>(%r13) */
                 }
                 break;
         case BPF_ANC | SKF_AD_PKTTYPE:
-                if (pkt_type_offset < 0)
-                        goto out;
                 /* lhi %r5,0 */
                 EMIT4(0xa7580000);
                 /* ic %r5,<d(pkt_type_offset)>(%r2) */
-                EMIT4_DISP(0x43502000, pkt_type_offset);
+                EMIT4_DISP(0x43502000, PKT_TYPE_OFFSET());
                 /* srl %r5,5 */
                 EMIT4_DISP(0x88500000, 5);
                 break;
@@ -780,38 +751,6 @@ out:
         return -1;
 }
 
-/*
- * Note: for security reasons, bpf code will follow a randomly
- *       sized amount of illegal instructions.
- */
-struct bpf_binary_header {
-        unsigned int pages;
-        u8 image[];
-};
-
-static struct bpf_binary_header *bpf_alloc_binary(unsigned int bpfsize,
-                                                  u8 **image_ptr)
-{
-        struct bpf_binary_header *header;
-        unsigned int sz, hole;
-
-        /* Most BPF filters are really small, but if some of them fill a page,
-         * allow at least 128 extra bytes for illegal instructions.
-         */
-        sz = round_up(bpfsize + sizeof(*header) + 128, PAGE_SIZE);
-        header = module_alloc(sz);
-        if (!header)
-                return NULL;
-        memset(header, 0, sz);
-        header->pages = sz / PAGE_SIZE;
-        hole = min(sz - (bpfsize + sizeof(*header)), PAGE_SIZE - sizeof(*header));
-        /* Insert random number of illegal instructions before BPF code
-         * and make sure the first instruction starts at an even address.
-         */
-        *image_ptr = &header->image[(prandom_u32() % hole) & -2];
-        return header;
-}
-
 void bpf_jit_compile(struct bpf_prog *fp)
 {
         struct bpf_binary_header *header = NULL;
@@ -850,7 +789,8 @@ void bpf_jit_compile(struct bpf_prog *fp)
                         size = prg_len + lit_len;
                         if (size >= BPF_SIZE_MAX)
                                 goto out;
-                        header = bpf_alloc_binary(size, &jit.start);
+                        header = bpf_jit_binary_alloc(size, &jit.start,
+                                                      2, bpf_jit_fill_hole);
                         if (!header)
                                 goto out;
                         jit.prg = jit.mid = jit.start + prg_len;
@@ -869,7 +809,7 @@ void bpf_jit_compile(struct bpf_prog *fp)
         if (jit.start) {
                 set_memory_ro((unsigned long)header, header->pages);
                 fp->bpf_func = (void *) jit.start;
-                fp->jited = 1;
+                fp->jited = true;
         }
 out:
         kfree(addrs);
@@ -884,8 +824,8 @@ void bpf_jit_free(struct bpf_prog *fp)
                 goto free_filter;
 
         set_memory_rw(addr, header->pages);
-        module_free(NULL, header);
+        bpf_jit_binary_free(header);
 
 free_filter:
-        kfree(fp);
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/sparc/include/asm/vio.h b/arch/sparc/include/asm/vio.h
index e0f6c399f1d0..6b135a8ab07b 100644
--- a/arch/sparc/include/asm/vio.h
+++ b/arch/sparc/include/asm/vio.h
@@ -65,6 +65,7 @@ struct vio_dring_register {
         u16                     options;
 #define VIO_TX_DRING            0x0001
 #define VIO_RX_DRING            0x0002
+#define VIO_RX_DRING_DATA       0x0004
         u16                     resv;
         u32                     num_cookies;
         struct ldc_trans_cookie cookies[0];
@@ -80,6 +81,8 @@ struct vio_dring_unregister {
 #define VIO_PKT_MODE            0x01 /* Packet based transfer   */
 #define VIO_DESC_MODE           0x02 /* In-band descriptors     */
 #define VIO_DRING_MODE          0x03 /* Descriptor rings        */
+/* in vers >= 1.2, VIO_DRING_MODE is 0x04 and transfer mode is a bitmask */
+#define VIO_NEW_DRING_MODE      0x04
 
 struct vio_dring_data {
         struct vio_msg_tag      tag;
@@ -205,10 +208,20 @@ struct vio_net_attr_info {
         u8                      addr_type;
 #define VNET_ADDR_ETHERMAC      0x01
         u16                     ack_freq;
-        u32                     resv1;
+        u8                      plnk_updt;
+#define PHYSLINK_UPDATE_NONE            0x00
+#define PHYSLINK_UPDATE_STATE           0x01
+#define PHYSLINK_UPDATE_STATE_ACK       0x02
+#define PHYSLINK_UPDATE_STATE_NACK      0x03
+        u8                      options;
+        u16                     resv1;
         u64                     addr;
         u64                     mtu;
-        u64                     resv2[3];
+        u16                     cflags;
+#define VNET_LSO_IPV4_CAPAB             0x0001
+        u16                     ipv4_lso_maxlen;
+        u32                     resv2;
+        u64                     resv3[2];
 };
 
 #define VNET_NUM_MCAST          7
@@ -366,6 +379,33 @@ struct vio_driver_state {
         struct vio_driver_ops   *ops;
 };
 
+static inline bool vio_version_before(struct vio_driver_state *vio,
+                                      u16 major, u16 minor)
+{
+        u32 have = (u32)vio->ver.major << 16 | vio->ver.minor;
+        u32 want = (u32)major << 16 | minor;
+
+        return have < want;
+}
+
+static inline bool vio_version_after(struct vio_driver_state *vio,
+                                      u16 major, u16 minor)
+{
+        u32 have = (u32)vio->ver.major << 16 | vio->ver.minor;
+        u32 want = (u32)major << 16 | minor;
+
+        return have > want;
+}
+
+static inline bool vio_version_after_eq(struct vio_driver_state *vio,
+                                        u16 major, u16 minor)
+{
+        u32 have = (u32)vio->ver.major << 16 | vio->ver.minor;
+        u32 want = (u32)major << 16 | minor;
+
+        return have >= want;
+}
+
 #define viodbg(TYPE, f, a...) \
 do {    if (vio->debug & VIO_DEBUG_##TYPE) \
                 printk(KERN_INFO "vio: ID[%lu] " f, \
diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
index 66dacd56bb10..0af28b984695 100644
--- a/arch/sparc/kernel/ldc.c
+++ b/arch/sparc/kernel/ldc.c
@@ -2159,7 +2159,7 @@ int ldc_map_single(struct ldc_channel *lp,
         state.pte_idx = (base - iommu->page_table);
         state.nc = 0;
         fill_cookies(&state, (pa & PAGE_MASK), (pa & ~PAGE_MASK), len);
-        BUG_ON(state.nc != 1);
+        BUG_ON(state.nc > ncookies);
 
         return state.nc;
 }
diff --git a/arch/sparc/kernel/viohs.c b/arch/sparc/kernel/viohs.c
index f8e7dd53e1c7..7ef081a185b1 100644
--- a/arch/sparc/kernel/viohs.c
+++ b/arch/sparc/kernel/viohs.c
@@ -426,6 +426,13 @@ static int process_dreg_info(struct vio_driver_state *vio,
         if (vio->dr_state & VIO_DR_STATE_RXREG)
                 goto send_nack;
 
+        /* v1.6 and higher, ACK with desired, supported mode, or NACK */
+        if (vio_version_after_eq(vio, 1, 6)) {
+                if (!(pkt->options & VIO_TX_DRING))
+                        goto send_nack;
+                pkt->options = VIO_TX_DRING;
+        }
+
         BUG_ON(vio->desc_buf);
 
         vio->desc_buf = kzalloc(pkt->descr_size, GFP_ATOMIC);
@@ -453,8 +460,11 @@ static int process_dreg_info(struct vio_driver_state *vio,
         pkt->tag.stype = VIO_SUBTYPE_ACK;
         pkt->dring_ident = ++dr->ident;
 
-        viodbg(HS, "SEND DRING_REG ACK ident[%llx]\n",
-               (unsigned long long) pkt->dring_ident);
+        viodbg(HS, "SEND DRING_REG ACK ident[%llx] "
+               "ndesc[%u] dsz[%u] opt[0x%x] ncookies[%u]\n",
+               (unsigned long long) pkt->dring_ident,
+               pkt->num_descr, pkt->descr_size, pkt->options,
+               pkt->num_cookies);
 
         len = (sizeof(*pkt) +
                (dr->ncookies * sizeof(struct ldc_trans_cookie)));
diff --git a/arch/sparc/net/bpf_jit_comp.c b/arch/sparc/net/bpf_jit_comp.c
index ece4af0575e9..f33e7c7a3bf7 100644
--- a/arch/sparc/net/bpf_jit_comp.c
+++ b/arch/sparc/net/bpf_jit_comp.c
@@ -585,16 +585,11 @@ void bpf_jit_compile(struct bpf_prog *fp)
                         case BPF_ANC | SKF_AD_PROTOCOL:
                                 emit_skb_load16(protocol, r_A);
                                 break;
-#if 0
-                                /* GCC won't let us take the address of
-                                 * a bit field even though we very much
-                                 * know what we are doing here.
-                                 */
                         case BPF_ANC | SKF_AD_PKTTYPE:
-                                __emit_skb_load8(pkt_type, r_A);
+                                __emit_skb_load8(__pkt_type_offset, r_A);
+                                emit_andi(r_A, PKT_TYPE_MAX, r_A);
                                 emit_alu_K(SRL, 5);
                                 break;
-#endif
                         case BPF_ANC | SKF_AD_IFINDEX:
                                 emit_skb_loadptr(dev, r_A);
                                 emit_cmpi(r_A, 0);
@@ -629,7 +624,12 @@ void bpf_jit_compile(struct bpf_prog *fp)
                                         emit_and(r_A, r_TMP, r_A);
                                 }
                                 break;
-
+                        case BPF_LD | BPF_W | BPF_LEN:
+                                emit_skb_load32(len, r_A);
+                                break;
+                        case BPF_LDX | BPF_W | BPF_LEN:
+                                emit_skb_load32(len, r_X);
+                                break;
                         case BPF_LD | BPF_IMM:
                                 emit_loadimm(K, r_A);
                                 break;
@@ -812,7 +812,7 @@ cond_branch:			f_offset = addrs[i + filter[i].jf];
         if (image) {
                 bpf_flush_icache(image, image + proglen);
                 fp->bpf_func = (void *)image;
-                fp->jited = 1;
+                fp->jited = true;
         }
 out:
         kfree(addrs);
@@ -823,5 +823,6 @@ void bpf_jit_free(struct bpf_prog *fp)
 {
         if (fp->jited)
                 module_free(NULL, fp->bpf_func);
-        kfree(fp);
+
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 5c8cb8043c5a..d56cd1f515bd 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -8,12 +8,10 @@
  * as published by the Free Software Foundation; version 2
  * of the License.
  */
-#include <linux/moduleloader.h>
-#include <asm/cacheflush.h>
 #include <linux/netdevice.h>
 #include <linux/filter.h>
 #include <linux/if_vlan.h>
-#include <linux/random.h>
+#include <asm/cacheflush.h>
 
 int bpf_jit_enable __read_mostly;
 
@@ -109,39 +107,6 @@ static inline void bpf_flush_icache(void *start, void *end)
 #define CHOOSE_LOAD_FUNC(K, func) \
         ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
 
-struct bpf_binary_header {
-        unsigned int    pages;
-        /* Note : for security reasons, bpf code will follow a randomly
-         * sized amount of int3 instructions
-         */
-        u8              image[];
-};
-
-static struct bpf_binary_header *bpf_alloc_binary(unsigned int proglen,
-                                                  u8 **image_ptr)
-{
-        unsigned int sz, hole;
-        struct bpf_binary_header *header;
-
-        /* Most of BPF filters are really small,
-         * but if some of them fill a page, allow at least
-         * 128 extra bytes to insert a random section of int3
-         */
-        sz = round_up(proglen + sizeof(*header) + 128, PAGE_SIZE);
-        header = module_alloc(sz);
-        if (!header)
-                return NULL;
-
-        memset(header, 0xcc, sz); /* fill whole space with int3 instructions */
-
-        header->pages = sz / PAGE_SIZE;
-        hole = min(sz - (proglen + sizeof(*header)), PAGE_SIZE - sizeof(*header));
-
-        /* insert a random number of int3 instructions before BPF code */
-        *image_ptr = &header->image[prandom_u32() % hole];
-        return header;
-}
-
 /* pick a register outside of BPF range for JIT internal work */
 #define AUX_REG (MAX_BPF_REG + 1)
 
@@ -206,6 +171,12 @@ static inline u8 add_2reg(u8 byte, u32 dst_reg, u32 src_reg)
         return byte + reg2hex[dst_reg] + (reg2hex[src_reg] << 3);
 }
 
+static void jit_fill_hole(void *area, unsigned int size)
+{
+        /* fill whole space with int3 instructions */
+        memset(area, 0xcc, size);
+}
+
 struct jit_context {
         unsigned int cleanup_addr; /* epilogue code offset */
         bool seen_ld_abs;
@@ -393,6 +364,23 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
                         EMIT1_off32(add_1reg(0xB8, dst_reg), imm32);
                         break;
 
+                case BPF_LD | BPF_IMM | BPF_DW:
+                        if (insn[1].code != 0 || insn[1].src_reg != 0 ||
+                            insn[1].dst_reg != 0 || insn[1].off != 0) {
+                                /* verifier must catch invalid insns */
+                                pr_err("invalid BPF_LD_IMM64 insn\n");
+                                return -EINVAL;
+                        }
+
+                        /* movabsq %rax, imm64 */
+                        EMIT2(add_1mod(0x48, dst_reg), add_1reg(0xB8, dst_reg));
+                        EMIT(insn[0].imm, 4);
+                        EMIT(insn[1].imm, 4);
+
+                        insn++;
+                        i++;
+                        break;
+
                         /* dst %= src, dst /= src, dst %= imm32, dst /= imm32 */
                 case BPF_ALU | BPF_MOD | BPF_X:
                 case BPF_ALU | BPF_DIV | BPF_X:
@@ -515,6 +503,48 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
                         EMIT3(0xC1, add_1reg(b3, dst_reg), imm32);
                         break;
 
+                case BPF_ALU | BPF_LSH | BPF_X:
+                case BPF_ALU | BPF_RSH | BPF_X:
+                case BPF_ALU | BPF_ARSH | BPF_X:
+                case BPF_ALU64 | BPF_LSH | BPF_X:
+                case BPF_ALU64 | BPF_RSH | BPF_X:
+                case BPF_ALU64 | BPF_ARSH | BPF_X:
+
+                        /* check for bad case when dst_reg == rcx */
+                        if (dst_reg == BPF_REG_4) {
+                                /* mov r11, dst_reg */
+                                EMIT_mov(AUX_REG, dst_reg);
+                                dst_reg = AUX_REG;
+                        }
+
+                        if (src_reg != BPF_REG_4) { /* common case */
+                                EMIT1(0x51); /* push rcx */
+
+                                /* mov rcx, src_reg */
+                                EMIT_mov(BPF_REG_4, src_reg);
+                        }
+
+                        /* shl %rax, %cl | shr %rax, %cl | sar %rax, %cl */
+                        if (BPF_CLASS(insn->code) == BPF_ALU64)
+                                EMIT1(add_1mod(0x48, dst_reg));
+                        else if (is_ereg(dst_reg))
+                                EMIT1(add_1mod(0x40, dst_reg));
+
+                        switch (BPF_OP(insn->code)) {
+                        case BPF_LSH: b3 = 0xE0; break;
+                        case BPF_RSH: b3 = 0xE8; break;
+                        case BPF_ARSH: b3 = 0xF8; break;
+                        }
+                        EMIT2(0xD3, add_1reg(b3, dst_reg));
+
+                        if (src_reg != BPF_REG_4)
+                                EMIT1(0x59); /* pop rcx */
+
+                        if (insn->dst_reg == BPF_REG_4)
+                                /* mov dst_reg, r11 */
+                                EMIT_mov(insn->dst_reg, AUX_REG);
+                        break;
+
                 case BPF_ALU | BPF_END | BPF_FROM_BE:
                         switch (imm32) {
                         case 16:
@@ -900,7 +930,7 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
                 if (proglen <= 0) {
                         image = NULL;
                         if (header)
-                                module_free(NULL, header);
+                                bpf_jit_binary_free(header);
                         goto out;
                 }
                 if (image) {
@@ -910,7 +940,8 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
                         break;
                 }
                 if (proglen == oldproglen) {
-                        header = bpf_alloc_binary(proglen, &image);
+                        header = bpf_jit_binary_alloc(proglen, &image,
+                                                      1, jit_fill_hole);
                         if (!header)
                                 goto out;
                 }
@@ -924,29 +955,23 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
                 bpf_flush_icache(header, image + proglen);
                 set_memory_ro((unsigned long)header, header->pages);
                 prog->bpf_func = (void *)image;
-                prog->jited = 1;
+                prog->jited = true;
         }
 out:
         kfree(addrs);
 }
 
-static void bpf_jit_free_deferred(struct work_struct *work)
+void bpf_jit_free(struct bpf_prog *fp)
 {
-        struct bpf_prog *fp = container_of(work, struct bpf_prog, work);
         unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
         struct bpf_binary_header *header = (void *)addr;
 
+        if (!fp->jited)
+                goto free_filter;
+
         set_memory_rw(addr, header->pages);
-        module_free(NULL, header);
-        kfree(fp);
-}
+        bpf_jit_binary_free(header);
 
-void bpf_jit_free(struct bpf_prog *fp)
-{
-        if (fp->jited) {
-                INIT_WORK(&fp->work, bpf_jit_free_deferred);
-                schedule_work(&fp->work);
-        } else {
-                kfree(fp);
-        }
+free_filter:
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/x86/syscalls/syscall_32.tbl b/arch/x86/syscalls/syscall_32.tbl
index 028b78168d85..9fe1b5d002f0 100644
--- a/arch/x86/syscalls/syscall_32.tbl
+++ b/arch/x86/syscalls/syscall_32.tbl
@@ -363,3 +363,4 @@
 354     i386    seccomp                 sys_seccomp
 355     i386    getrandom               sys_getrandom
 356     i386    memfd_create            sys_memfd_create
+357     i386    bpf                     sys_bpf
diff --git a/arch/x86/syscalls/syscall_64.tbl b/arch/x86/syscalls/syscall_64.tbl
index 35dd922727b9..281150b539a2 100644
--- a/arch/x86/syscalls/syscall_64.tbl
+++ b/arch/x86/syscalls/syscall_64.tbl
@@ -327,6 +327,7 @@
 318     common  getrandom               sys_getrandom
 319     common  memfd_create            sys_memfd_create
 320     common  kexec_file_load         sys_kexec_file_load
+321     common  bpf                     sys_bpf
 
 #
 # x32-specific system call numbers start at 512 to avoid cache impact