21 files changed, 302 insertions, 179 deletions
diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi
index 3a0a161342ba..13e44b0f5adc 100644
--- a/arch/arm/boot/dts/am33xx.dtsi
+++ b/arch/arm/boot/dts/am33xx.dtsi
@@ -132,6 +132,11 @@
                        };
                };
+                cm: syscon@44e10000 {
+                        compatible = "ti,am33xx-controlmodule", "syscon";
+                        reg = <0x44e10000 0x800>;
+                };
                intc: interrupt-controller@48200000 {
                        compatible = "ti,omap2-intc";
                        interrupt-controller;
@@ -696,6 +701,7 @@
                         */
                        interrupts = <40 41 42 43>;
                        ranges;
+                        syscon = <&cm>;
                        status = "disabled";
                        davinci_mdio: mdio@4a101000 {
diff --git a/arch/arm/boot/dts/berlin2q-marvell-dmp.dts b/arch/arm/boot/dts/berlin2q-marvell-dmp.dts
index a357ce02a64e..ea1f99b8eed6 100644
--- a/arch/arm/boot/dts/berlin2q-marvell-dmp.dts
+++ b/arch/arm/boot/dts/berlin2q-marvell-dmp.dts
@@ -45,3 +45,7 @@
 &uart0 {
        status = "okay";
 };
+&eth0 {
+        status = "okay";
+};
diff --git a/arch/arm/boot/dts/berlin2q.dtsi b/arch/arm/boot/dts/berlin2q.dtsi
index 400c40fceccc..891d56b03922 100644
--- a/arch/arm/boot/dts/berlin2q.dtsi
+++ b/arch/arm/boot/dts/berlin2q.dtsi
@@ -114,6 +114,23 @@
                        #interrupt-cells = <3>;
                };
+                eth0: ethernet@b90000 {
+                        compatible = "marvell,pxa168-eth";
+                        reg = <0xb90000 0x10000>;
+                        clocks = <&chip CLKID_GETH0>;
+                        interrupts = <GIC_SPI 24 IRQ_TYPE_LEVEL_HIGH>;
+                        /* set by bootloader */
+                        local-mac-address = [00 00 00 00 00 00];
+                        #address-cells = <1>;
+                        #size-cells = <0>;
+                        phy-handle = <&ethphy0>;
+                        status = "disabled";
+                        ethphy0: ethernet-phy@0 {
+                                reg = <0>;
+                        };
+                };
                cpu-ctrl@dd0000 {
                        compatible = "marvell,berlin-cpu-ctrl";
                        reg = <0xdd0000 0x10000>;
diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi
index f4b9da65bc0f..0a03260c1707 100644
--- a/arch/arm/boot/dts/imx6sx.dtsi
+++ b/arch/arm/boot/dts/imx6sx.dtsi
@@ -776,6 +776,8 @@
                                         <&clks IMX6SX_CLK_ENET_PTP>;
                                clock-names = "ipg", "ahb", "ptp",
                                              "enet_clk_ref", "enet_out";
+                                fsl,num-tx-queues=<3>;
+                                fsl,num-rx-queues=<3>;
                                status = "disabled";
                        };
diff --git a/arch/arm/boot/dts/rk3188-radxarock.dts b/arch/arm/boot/dts/rk3188-radxarock.dts
index 5e4e3c238b2d..d63d685ea6cc 100644
--- a/arch/arm/boot/dts/rk3188-radxarock.dts
+++ b/arch/arm/boot/dts/rk3188-radxarock.dts
@@ -76,6 +76,22 @@
        };
 };
+&emac {
+        status = "okay";
+        pinctrl-names = "default";
+        pinctrl-0 = <&emac_xfer>, <&emac_mdio>, <&phy_int>;
+        phy = <&phy0>;
+        phy-supply = <&vcc_rmii>;
+        phy0: ethernet-phy@0 {
+                reg = <0>;
+                interrupt-parent = <&gpio3>;
+                interrupts = <26 IRQ_TYPE_LEVEL_LOW>;
+        };
+};
 &i2c1 {
        status = "okay";
        clock-frequency = <400000>;
@@ -201,6 +217,12 @@
                };
        };
+        lan8720a  {
+                phy_int: phy-int {
+                        rockchip,pins = <RK_GPIO3 26 RK_FUNC_GPIO &pcfg_pull_up>;
+                };
+        };
        ir-receiver {
                ir_recv_pin: ir-recv-pin {
                        rockchip,pins = <RK_GPIO0 10 RK_FUNC_GPIO &pcfg_pull_none>;
diff --git a/arch/arm/boot/dts/rk3188.dtsi b/arch/arm/boot/dts/rk3188.dtsi
index ee801a9c6b74..7f25bc51f2ee 100644
--- a/arch/arm/boot/dts/rk3188.dtsi
+++ b/arch/arm/boot/dts/rk3188.dtsi
@@ -147,6 +147,24 @@
                        bias-disable;
                };
+                emac {
+                        emac_xfer: emac-xfer {
+                                rockchip,pins = <RK_GPIO3 16 RK_FUNC_2 &pcfg_pull_none>, /* tx_en */
+                                                <RK_GPIO3 17 RK_FUNC_2 &pcfg_pull_none>, /* txd1 */
+                                                <RK_GPIO3 18 RK_FUNC_2 &pcfg_pull_none>, /* txd0 */
+                                                <RK_GPIO3 19 RK_FUNC_2 &pcfg_pull_none>, /* rxd0 */
+                                                <RK_GPIO3 20 RK_FUNC_2 &pcfg_pull_none>, /* rxd1 */
+                                                <RK_GPIO3 21 RK_FUNC_2 &pcfg_pull_none>, /* mac_clk */
+                                                <RK_GPIO3 22 RK_FUNC_2 &pcfg_pull_none>, /* rx_err */
+                                                <RK_GPIO3 23 RK_FUNC_2 &pcfg_pull_none>; /* crs_dvalid */
+                        };
+                        emac_mdio: emac-mdio {
+                                rockchip,pins = <RK_GPIO3 24 RK_FUNC_2 &pcfg_pull_none>,
+                                                <RK_GPIO3 25 RK_FUNC_2 &pcfg_pull_none>;
+                        };
+                };
                i2c0 {
                        i2c0_xfer: i2c0-xfer {
                                rockchip,pins = <RK_GPIO1 24 RK_FUNC_1 &pcfg_pull_none>,
@@ -323,6 +341,10 @@
        };
 };
+&emac {
+        compatible = "rockchip,rk3188-emac";
+};
 &global_timer {
        interrupts = <GIC_PPI 11 0xf04>;
 };
diff --git a/arch/arm/boot/dts/rk3xxx.dtsi b/arch/arm/boot/dts/rk3xxx.dtsi
index 8caf85d83901..208b1df6bcb0 100644
--- a/arch/arm/boot/dts/rk3xxx.dtsi
+++ b/arch/arm/boot/dts/rk3xxx.dtsi
@@ -91,6 +91,23 @@
                status = "disabled";
        };
+        emac: ethernet@10204000 {
+                compatible = "snps,arc-emac";
+                reg = <0x10204000 0x3c>;
+                interrupts = <GIC_SPI 19 IRQ_TYPE_LEVEL_HIGH>;
+                #address-cells = <1>;
+                #size-cells = <0>;
+                rockchip,grf = <&grf>;
+                clocks = <&cru HCLK_EMAC>, <&cru SCLK_MAC>;
+                clock-names = "hclk", "macref";
+                max-speed = <100>;
+                phy-mode = "rmii";
+                status = "disabled";
+        };
        mmc0: dwmmc@10214000 {
                compatible = "rockchip,rk2928-dw-mshc";
                reg = <0x10214000 0x1000>;
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index a37b989a2f91..e1268f905026 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -12,11 +12,11 @@
 #include <linux/compiler.h>
 #include <linux/errno.h>
 #include <linux/filter.h>
-#include <linux/moduleloader.h>
 #include <linux/netdevice.h>
 #include <linux/string.h>
 #include <linux/slab.h>
 #include <linux/if_vlan.h>
 #include <asm/cacheflush.h>
 #include <asm/hwcap.h>
 #include <asm/opcodes.h>
@@ -174,6 +174,14 @@ static inline bool is_load_to_a(u16 inst)
        }
 }
+static void jit_fill_hole(void *area, unsigned int size)
+{
+        u32 *ptr;
+        /* We are guaranteed to have aligned memory. */
+        for (ptr = area; size >= sizeof(u32); size -= sizeof(u32))
+                *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
+}
 static void build_prologue(struct jit_ctx *ctx)
 {
        u16 reg_set = saved_regs(ctx);
@@ -859,9 +867,11 @@ b_epilogue:
 void bpf_jit_compile(struct bpf_prog *fp)
 {
+        struct bpf_binary_header *header;
        struct jit_ctx ctx;
        unsigned tmp_idx;
        unsigned alloc_size;
+        u8 *target_ptr;
        if (!bpf_jit_enable)
                return;
@@ -897,13 +907,15 @@ void bpf_jit_compile(struct bpf_prog *fp)
        /* there's nothing after the epilogue on ARMv7 */
        build_epilogue(&ctx);
 #endif
        alloc_size = 4 * ctx.idx;
-        ctx.target = module_alloc(alloc_size);
+        header = bpf_jit_binary_alloc(alloc_size, &target_ptr,
-        if (unlikely(ctx.target == NULL))
+                                      4, jit_fill_hole);
+        if (header == NULL)
                goto out;
+        ctx.target = (u32 *) target_ptr;
        ctx.idx = 0;
        build_prologue(&ctx);
        build_body(&ctx);
        build_epilogue(&ctx);
@@ -919,8 +931,9 @@ void bpf_jit_compile(struct bpf_prog *fp)
                /* there are 2 passes here */
                bpf_jit_dump(fp->len, alloc_size, 2, ctx.target);
+        set_memory_ro((unsigned long)header, header->pages);
        fp->bpf_func = (void *)ctx.target;
-        fp->jited = 1;
+        fp->jited = true;
 out:
        kfree(ctx.offsets);
        return;
@@ -928,7 +941,15 @@ out:
 void bpf_jit_free(struct bpf_prog *fp)
 {
-        if (fp->jited)
+        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
-                module_free(NULL, fp->bpf_func);
+        struct bpf_binary_header *header = (void *)addr;
-        kfree(fp);
+        if (!fp->jited)
+                goto free_filter;
+        set_memory_rw(addr, header->pages);
+        bpf_jit_binary_free(header);
+free_filter:
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/arm/net/bpf_jit_32.h b/arch/arm/net/bpf_jit_32.h
index afb84621ff6f..b2d7d92859d3 100644
--- a/arch/arm/net/bpf_jit_32.h
+++ b/arch/arm/net/bpf_jit_32.h
@@ -114,6 +114,20 @@
 #define ARM_INST_UMULL          0x00800090
+/*
+ * Use a suitable undefined instruction to use for ARM/Thumb2 faulting.
+ * We need to be careful not to conflict with those used by other modules
+ * (BUG, kprobes, etc) and the register_undef_hook() system.
+ *
+ * The ARM architecture reference manual guarantees that the following
+ * instruction space will produce an undefined instruction exception on
+ * all CPUs:
+ *
+ * ARM:   xxxx 0111 1111 xxxx xxxx xxxx 1111 xxxx       ARMv7-AR, section A5.4
+ * Thumb: 1101 1110 xxxx xxxx                           ARMv7-M, section A5.2.6
+ */
+#define ARM_INST_UDF            0xe7fddef1
 /* register */
 #define _AL3_R(op, rd, rn, rm)  ((op ## _R) | (rd) << 12 | (rn) << 16 | (rm))
 /* immediate */
diff --git a/arch/arm/plat-orion/common.c b/arch/arm/plat-orion/common.c
index 3ec6e8e8d368..f5b00f41c4f6 100644
--- a/arch/arm/plat-orion/common.c
+++ b/arch/arm/plat-orion/common.c
@@ -499,7 +499,7 @@ void __init orion_ge00_switch_init(struct dsa_platform_data *d, int irq)
        d->netdev = &orion_ge00.dev;
        for (i = 0; i < d->nr_chips; i++)
-                d->chip[i].mii_bus = &orion_ge00_shared.dev;
+                d->chip[i].host_dev = &orion_ge00_shared.dev;
        orion_switch_device.dev.platform_data = d;
        platform_device_register(&orion_switch_device);
diff --git a/arch/mips/bcm47xx/setup.c b/arch/mips/bcm47xx/setup.c
index ad439c273003..c00585d915bc 100644
--- a/arch/mips/bcm47xx/setup.c
+++ b/arch/mips/bcm47xx/setup.c
@@ -211,6 +211,10 @@ static void __init bcm47xx_register_bcma(void)
        err = bcma_host_soc_register(&bcm47xx_bus.bcma);
        if (err)
+                panic("Failed to register BCMA bus (err %d)", err);
+        err = bcma_host_soc_init(&bcm47xx_bus.bcma);
+        if (err)
                panic("Failed to initialize BCMA bus (err %d)", err);
        bcm47xx_fill_bcma_boardinfo(&bcm47xx_bus.bcma.bus.boardinfo, NULL);
diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
index 9f7ecbda250c..7edc08398c4a 100644
--- a/arch/mips/net/bpf_jit.c
+++ b/arch/mips/net/bpf_jit.c
@@ -765,27 +765,6 @@ static u64 jit_get_skb_w(struct sk_buff *skb, unsigned offset)
        return (u64)err << 32 | ntohl(ret);
 }
-#ifdef __BIG_ENDIAN_BITFIELD
-#define PKT_TYPE_MAX    (7 << 5)
-#else
-#define PKT_TYPE_MAX    7
-#endif
-static int pkt_type_offset(void)
-{
-        struct sk_buff skb_probe = {
-                .pkt_type = ~0,
-        };
-        u8 *ct = (u8 *)&skb_probe;
-        unsigned int off;
-        for (off = 0; off < sizeof(struct sk_buff); off++) {
-                if (ct[off] == PKT_TYPE_MAX)
-                        return off;
-        }
-        pr_err_once("Please fix pkt_type_offset(), as pkt_type couldn't be found\n");
-        return -1;
-}
 static int build_body(struct jit_ctx *ctx)
 {
        void *load_func[] = {jit_get_skb_b, jit_get_skb_h, jit_get_skb_w};
@@ -793,7 +772,6 @@ static int build_body(struct jit_ctx *ctx)
        const struct sock_filter *inst;
        unsigned int i, off, load_order, condt;
        u32 k, b_off __maybe_unused;
-        int tmp;
        for (i = 0; i < prog->len; i++) {
                u16 code;
@@ -1333,11 +1311,7 @@ jmp_cmp:
                case BPF_ANC | SKF_AD_PKTTYPE:
                        ctx->flags |= SEEN_SKB;
-                        tmp = off = pkt_type_offset();
+                        emit_load_byte(r_tmp, r_skb, PKT_TYPE_OFFSET(), ctx);
-                        if (tmp < 0)
-                                return -1;
-                        emit_load_byte(r_tmp, r_skb, off, ctx);
                        /* Keep only the last 3 bits */
                        emit_andi(r_A, r_tmp, PKT_TYPE_MAX, ctx);
 #ifdef __BIG_ENDIAN_BITFIELD
@@ -1418,7 +1392,7 @@ void bpf_jit_compile(struct bpf_prog *fp)
                bpf_jit_dump(fp->len, alloc_size, 2, ctx.target);
        fp->bpf_func = (void *)ctx.target;
-        fp->jited = 1;
+        fp->jited = true;
 out:
        kfree(ctx.offsets);
@@ -1428,5 +1402,6 @@ void bpf_jit_free(struct bpf_prog *fp)
 {
        if (fp->jited)
                module_free(NULL, fp->bpf_func);
-        kfree(fp);
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
index 3afa6f4c1957..cbae2dfd053c 100644
--- a/arch/powerpc/net/bpf_jit_comp.c
+++ b/arch/powerpc/net/bpf_jit_comp.c
@@ -686,7 +686,7 @@ void bpf_jit_compile(struct bpf_prog *fp)
                ((u64 *)image)[0] = (u64)code_base;
                ((u64 *)image)[1] = local_paca->kernel_toc;
                fp->bpf_func = (void *)image;
-                fp->jited = 1;
+                fp->jited = true;
        }
 out:
        kfree(addrs);
@@ -697,5 +697,6 @@ void bpf_jit_free(struct bpf_prog *fp)
 {
        if (fp->jited)
                module_free(NULL, fp->bpf_func);
-        kfree(fp);
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
index 61e45b7c04d7..c52ac77408ca 100644
--- a/arch/s390/net/bpf_jit_comp.c
+++ b/arch/s390/net/bpf_jit_comp.c
@@ -5,11 +5,9 @@
 *
 * Author(s): Martin Schwidefsky <schwidefsky@de.ibm.com>
 */
-#include <linux/moduleloader.h>
 #include <linux/netdevice.h>
 #include <linux/if_vlan.h>
 #include <linux/filter.h>
-#include <linux/random.h>
 #include <linux/init.h>
 #include <asm/cacheflush.h>
 #include <asm/facility.h>
@@ -148,6 +146,12 @@ struct bpf_jit {
        ret;                                            \
 })
+static void bpf_jit_fill_hole(void *area, unsigned int size)
+{
+        /* Fill whole space with illegal instructions */
+        memset(area, 0, size);
+}
 static void bpf_jit_prologue(struct bpf_jit *jit)
 {
        /* Save registers and create stack frame if necessary */
@@ -223,37 +227,6 @@ static void bpf_jit_epilogue(struct bpf_jit *jit)
        EMIT2(0x07fe);
 }
-/* Helper to find the offset of pkt_type in sk_buff
- * Make sure its still a 3bit field starting at the MSBs within a byte.
- */
-#define PKT_TYPE_MAX 0xe0
-static int pkt_type_offset;
-static int __init bpf_pkt_type_offset_init(void)
-{
-        struct sk_buff skb_probe = {
-                .pkt_type = ~0,
-        };
-        char *ct = (char *)&skb_probe;
-        int off;
-        pkt_type_offset = -1;
-        for (off = 0; off < sizeof(struct sk_buff); off++) {
-                if (!ct[off])
-                        continue;
-                if (ct[off] == PKT_TYPE_MAX)
-                        pkt_type_offset = off;
-                else {
-                        /* Found non matching bit pattern, fix needed. */
-                        WARN_ON_ONCE(1);
-                        pkt_type_offset = -1;
-                        return -1;
-                }
-        }
-        return 0;
-}
-device_initcall(bpf_pkt_type_offset_init);
 /*
 * make sure we dont leak kernel information to user
 */
@@ -753,12 +726,10 @@ call_fn:	/* lg %r1,<d(function)>(%r13) */
                }
                break;
        case BPF_ANC | SKF_AD_PKTTYPE:
-                if (pkt_type_offset < 0)
-                        goto out;
                /* lhi %r5,0 */
                EMIT4(0xa7580000);
                /* ic %r5,<d(pkt_type_offset)>(%r2) */
-                EMIT4_DISP(0x43502000, pkt_type_offset);
+                EMIT4_DISP(0x43502000, PKT_TYPE_OFFSET());
                /* srl %r5,5 */
                EMIT4_DISP(0x88500000, 5);
                break;
@@ -780,38 +751,6 @@ out:
        return -1;
 }
-/*
- * Note: for security reasons, bpf code will follow a randomly
- *       sized amount of illegal instructions.
- */
-struct bpf_binary_header {
-        unsigned int pages;
-        u8 image[];
-};
-static struct bpf_binary_header *bpf_alloc_binary(unsigned int bpfsize,
-                                                  u8 **image_ptr)
-{
-        struct bpf_binary_header *header;
-        unsigned int sz, hole;
-        /* Most BPF filters are really small, but if some of them fill a page,
-         * allow at least 128 extra bytes for illegal instructions.
-         */
-        sz = round_up(bpfsize + sizeof(*header) + 128, PAGE_SIZE);
-        header = module_alloc(sz);
-        if (!header)
-                return NULL;
-        memset(header, 0, sz);
-        header->pages = sz / PAGE_SIZE;
-        hole = min(sz - (bpfsize + sizeof(*header)), PAGE_SIZE - sizeof(*header));
-        /* Insert random number of illegal instructions before BPF code
-         * and make sure the first instruction starts at an even address.
-         */
-        *image_ptr = &header->image[(prandom_u32() % hole) & -2];
-        return header;
-}
 void bpf_jit_compile(struct bpf_prog *fp)
 {
        struct bpf_binary_header *header = NULL;
@@ -850,7 +789,8 @@ void bpf_jit_compile(struct bpf_prog *fp)
                        size = prg_len + lit_len;
                        if (size >= BPF_SIZE_MAX)
                                goto out;
-                        header = bpf_alloc_binary(size, &jit.start);
+                        header = bpf_jit_binary_alloc(size, &jit.start,
+                                                      2, bpf_jit_fill_hole);
                        if (!header)
                                goto out;
                        jit.prg = jit.mid = jit.start + prg_len;
@@ -869,7 +809,7 @@ void bpf_jit_compile(struct bpf_prog *fp)
        if (jit.start) {
                set_memory_ro((unsigned long)header, header->pages);
                fp->bpf_func = (void *) jit.start;
-                fp->jited = 1;
+                fp->jited = true;
        }
 out:
        kfree(addrs);
@@ -884,8 +824,8 @@ void bpf_jit_free(struct bpf_prog *fp)
                goto free_filter;
        set_memory_rw(addr, header->pages);
-        module_free(NULL, header);
+        bpf_jit_binary_free(header);
 free_filter:
-        kfree(fp);
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/sparc/include/asm/vio.h b/arch/sparc/include/asm/vio.h
index e0f6c399f1d0..6b135a8ab07b 100644
--- a/arch/sparc/include/asm/vio.h
+++ b/arch/sparc/include/asm/vio.h
@@ -65,6 +65,7 @@ struct vio_dring_register {
        u16                     options;
 #define VIO_TX_DRING            0x0001
 #define VIO_RX_DRING            0x0002
+#define VIO_RX_DRING_DATA       0x0004
        u16                     resv;
        u32                     num_cookies;
        struct ldc_trans_cookie cookies[0];
@@ -80,6 +81,8 @@ struct vio_dring_unregister {
 #define VIO_PKT_MODE            0x01 /* Packet based transfer   */
 #define VIO_DESC_MODE           0x02 /* In-band descriptors     */
 #define VIO_DRING_MODE          0x03 /* Descriptor rings        */
+/* in vers >= 1.2, VIO_DRING_MODE is 0x04 and transfer mode is a bitmask */
+#define VIO_NEW_DRING_MODE      0x04
 struct vio_dring_data {
        struct vio_msg_tag      tag;
@@ -205,10 +208,20 @@ struct vio_net_attr_info {
        u8                      addr_type;
 #define VNET_ADDR_ETHERMAC      0x01
        u16                     ack_freq;
-        u32                     resv1;
+        u8                      plnk_updt;
+#define PHYSLINK_UPDATE_NONE            0x00
+#define PHYSLINK_UPDATE_STATE           0x01
+#define PHYSLINK_UPDATE_STATE_ACK       0x02
+#define PHYSLINK_UPDATE_STATE_NACK      0x03
+        u8                      options;
+        u16                     resv1;
        u64                     addr;
        u64                     mtu;
-        u64                     resv2[3];
+        u16                     cflags;
+#define VNET_LSO_IPV4_CAPAB             0x0001
+        u16                     ipv4_lso_maxlen;
+        u32                     resv2;
+        u64                     resv3[2];
 };
 #define VNET_NUM_MCAST          7
@@ -366,6 +379,33 @@ struct vio_driver_state {
        struct vio_driver_ops   *ops;
 };
+static inline bool vio_version_before(struct vio_driver_state *vio,
+                                      u16 major, u16 minor)
+{
+        u32 have = (u32)vio->ver.major << 16 | vio->ver.minor;
+        u32 want = (u32)major << 16 | minor;
+        return have < want;
+}
+static inline bool vio_version_after(struct vio_driver_state *vio,
+                                      u16 major, u16 minor)
+{
+        u32 have = (u32)vio->ver.major << 16 | vio->ver.minor;
+        u32 want = (u32)major << 16 | minor;
+        return have > want;
+}
+static inline bool vio_version_after_eq(struct vio_driver_state *vio,
+                                        u16 major, u16 minor)
+{
+        u32 have = (u32)vio->ver.major << 16 | vio->ver.minor;
+        u32 want = (u32)major << 16 | minor;
+        return have >= want;
+}
 #define viodbg(TYPE, f, a...) \
 do {    if (vio->debug & VIO_DEBUG_##TYPE) \
                printk(KERN_INFO "vio: ID[%lu] " f, \
diff --git a/arch/sparc/kernel/ldc.c b/arch/sparc/kernel/ldc.c
index 66dacd56bb10..0af28b984695 100644
--- a/arch/sparc/kernel/ldc.c
+++ b/arch/sparc/kernel/ldc.c
@@ -2159,7 +2159,7 @@ int ldc_map_single(struct ldc_channel *lp,
        state.pte_idx = (base - iommu->page_table);
        state.nc = 0;
        fill_cookies(&state, (pa & PAGE_MASK), (pa & ~PAGE_MASK), len);
-        BUG_ON(state.nc != 1);
+        BUG_ON(state.nc > ncookies);
        return state.nc;
 }
diff --git a/arch/sparc/kernel/viohs.c b/arch/sparc/kernel/viohs.c
index f8e7dd53e1c7..7ef081a185b1 100644
--- a/arch/sparc/kernel/viohs.c
+++ b/arch/sparc/kernel/viohs.c
@@ -426,6 +426,13 @@ static int process_dreg_info(struct vio_driver_state *vio,
        if (vio->dr_state & VIO_DR_STATE_RXREG)
                goto send_nack;
+        /* v1.6 and higher, ACK with desired, supported mode, or NACK */
+        if (vio_version_after_eq(vio, 1, 6)) {
+                if (!(pkt->options & VIO_TX_DRING))
+                        goto send_nack;
+                pkt->options = VIO_TX_DRING;
+        }
        BUG_ON(vio->desc_buf);
        vio->desc_buf = kzalloc(pkt->descr_size, GFP_ATOMIC);
@@ -453,8 +460,11 @@ static int process_dreg_info(struct vio_driver_state *vio,
        pkt->tag.stype = VIO_SUBTYPE_ACK;
        pkt->dring_ident = ++dr->ident;
-        viodbg(HS, "SEND DRING_REG ACK ident[%llx]\n",
+        viodbg(HS, "SEND DRING_REG ACK ident[%llx] "
-               (unsigned long long) pkt->dring_ident);
+               "ndesc[%u] dsz[%u] opt[0x%x] ncookies[%u]\n",
+               (unsigned long long) pkt->dring_ident,
+               pkt->num_descr, pkt->descr_size, pkt->options,
+               pkt->num_cookies);
        len = (sizeof(*pkt) +
               (dr->ncookies * sizeof(struct ldc_trans_cookie)));
diff --git a/arch/sparc/net/bpf_jit_comp.c b/arch/sparc/net/bpf_jit_comp.c
index ece4af0575e9..f33e7c7a3bf7 100644
--- a/arch/sparc/net/bpf_jit_comp.c
+++ b/arch/sparc/net/bpf_jit_comp.c
@@ -585,16 +585,11 @@ void bpf_jit_compile(struct bpf_prog *fp)
                        case BPF_ANC | SKF_AD_PROTOCOL:
                                emit_skb_load16(protocol, r_A);
                                break;
-#if 0
-                                /* GCC won't let us take the address of
-                                 * a bit field even though we very much
-                                 * know what we are doing here.
-                                 */
                        case BPF_ANC | SKF_AD_PKTTYPE:
-                                __emit_skb_load8(pkt_type, r_A);
+                                __emit_skb_load8(__pkt_type_offset, r_A);
+                                emit_andi(r_A, PKT_TYPE_MAX, r_A);
                                emit_alu_K(SRL, 5);
                                break;
-#endif
                        case BPF_ANC | SKF_AD_IFINDEX:
                                emit_skb_loadptr(dev, r_A);
                                emit_cmpi(r_A, 0);
@@ -629,7 +624,12 @@ void bpf_jit_compile(struct bpf_prog *fp)
                                        emit_and(r_A, r_TMP, r_A);
                                }
                                break;
+                        case BPF_LD | BPF_W | BPF_LEN:
+                                emit_skb_load32(len, r_A);
+                                break;
+                        case BPF_LDX | BPF_W | BPF_LEN:
+                                emit_skb_load32(len, r_X);
+                                break;
                        case BPF_LD | BPF_IMM:
                                emit_loadimm(K, r_A);
                                break;
@@ -812,7 +812,7 @@ cond_branch:			f_offset = addrs[i + filter[i].jf];
        if (image) {
                bpf_flush_icache(image, image + proglen);
                fp->bpf_func = (void *)image;
-                fp->jited = 1;
+                fp->jited = true;
        }
 out:
        kfree(addrs);
@@ -823,5 +823,6 @@ void bpf_jit_free(struct bpf_prog *fp)
 {
        if (fp->jited)
                module_free(NULL, fp->bpf_func);
-        kfree(fp);
+        bpf_prog_unlock_free(fp);
 }
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 5c8cb8043c5a..d56cd1f515bd 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -8,12 +8,10 @@
 * as published by the Free Software Foundation; version 2
 * of the License.
 */
-#include <linux/moduleloader.h>
-#include <asm/cacheflush.h>
 #include <linux/netdevice.h>
 #include <linux/filter.h>
 #include <linux/if_vlan.h>
-#include <linux/random.h>
+#include <asm/cacheflush.h>
 int bpf_jit_enable __read_mostly;
@@ -109,39 +107,6 @@ static inline void bpf_flush_icache(void *start, void *end)
 #define CHOOSE_LOAD_FUNC(K, func) \
        ((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
-struct bpf_binary_header {
-        unsigned int    pages;
-        /* Note : for security reasons, bpf code will follow a randomly
-         * sized amount of int3 instructions
-         */
-        u8              image[];
-};
-static struct bpf_binary_header *bpf_alloc_binary(unsigned int proglen,
-                                                  u8 **image_ptr)
-{
-        unsigned int sz, hole;
-        struct bpf_binary_header *header;
-        /* Most of BPF filters are really small,
-         * but if some of them fill a page, allow at least
-         * 128 extra bytes to insert a random section of int3
-         */
-        sz = round_up(proglen + sizeof(*header) + 128, PAGE_SIZE);
-        header = module_alloc(sz);
-        if (!header)
-                return NULL;
-        memset(header, 0xcc, sz); /* fill whole space with int3 instructions */
-        header->pages = sz / PAGE_SIZE;
-        hole = min(sz - (proglen + sizeof(*header)), PAGE_SIZE - sizeof(*header));
-        /* insert a random number of int3 instructions before BPF code */
-        *image_ptr = &header->image[prandom_u32() % hole];
-        return header;
-}
 /* pick a register outside of BPF range for JIT internal work */
 #define AUX_REG (MAX_BPF_REG + 1)
@@ -206,6 +171,12 @@ static inline u8 add_2reg(u8 byte, u32 dst_reg, u32 src_reg)
        return byte + reg2hex[dst_reg] + (reg2hex[src_reg] << 3);
 }
+static void jit_fill_hole(void *area, unsigned int size)
+{
+        /* fill whole space with int3 instructions */
+        memset(area, 0xcc, size);
+}
 struct jit_context {
        unsigned int cleanup_addr; /* epilogue code offset */
        bool seen_ld_abs;
@@ -393,6 +364,23 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
                        EMIT1_off32(add_1reg(0xB8, dst_reg), imm32);
                        break;
+                case BPF_LD | BPF_IMM | BPF_DW:
+                        if (insn[1].code != 0 || insn[1].src_reg != 0 ||
+                            insn[1].dst_reg != 0 || insn[1].off != 0) {
+                                /* verifier must catch invalid insns */
+                                pr_err("invalid BPF_LD_IMM64 insn\n");
+                                return -EINVAL;
+                        }
+                        /* movabsq %rax, imm64 */
+                        EMIT2(add_1mod(0x48, dst_reg), add_1reg(0xB8, dst_reg));
+                        EMIT(insn[0].imm, 4);
+                        EMIT(insn[1].imm, 4);
+                        insn++;
+                        i++;
+                        break;
                        /* dst %= src, dst /= src, dst %= imm32, dst /= imm32 */
                case BPF_ALU | BPF_MOD | BPF_X:
                case BPF_ALU | BPF_DIV | BPF_X:
@@ -515,6 +503,48 @@ static int do_jit(struct bpf_prog *bpf_prog, int *addrs, u8 *image,
                        EMIT3(0xC1, add_1reg(b3, dst_reg), imm32);
                        break;
+                case BPF_ALU | BPF_LSH | BPF_X:
+                case BPF_ALU | BPF_RSH | BPF_X:
+                case BPF_ALU | BPF_ARSH | BPF_X:
+                case BPF_ALU64 | BPF_LSH | BPF_X:
+                case BPF_ALU64 | BPF_RSH | BPF_X:
+                case BPF_ALU64 | BPF_ARSH | BPF_X:
+                        /* check for bad case when dst_reg == rcx */
+                        if (dst_reg == BPF_REG_4) {
+                                /* mov r11, dst_reg */
+                                EMIT_mov(AUX_REG, dst_reg);
+                                dst_reg = AUX_REG;
+                        }
+                        if (src_reg != BPF_REG_4) { /* common case */
+                                EMIT1(0x51); /* push rcx */
+                                /* mov rcx, src_reg */
+                                EMIT_mov(BPF_REG_4, src_reg);
+                        }
+                        /* shl %rax, %cl | shr %rax, %cl | sar %rax, %cl */
+                        if (BPF_CLASS(insn->code) == BPF_ALU64)
+                                EMIT1(add_1mod(0x48, dst_reg));
+                        else if (is_ereg(dst_reg))
+                                EMIT1(add_1mod(0x40, dst_reg));
+                        switch (BPF_OP(insn->code)) {
+                        case BPF_LSH: b3 = 0xE0; break;
+                        case BPF_RSH: b3 = 0xE8; break;
+                        case BPF_ARSH: b3 = 0xF8; break;
+                        }
+                        EMIT2(0xD3, add_1reg(b3, dst_reg));
+                        if (src_reg != BPF_REG_4)
+                                EMIT1(0x59); /* pop rcx */
+                        if (insn->dst_reg == BPF_REG_4)
+                                /* mov dst_reg, r11 */
+                                EMIT_mov(insn->dst_reg, AUX_REG);
+                        break;
                case BPF_ALU | BPF_END | BPF_FROM_BE:
                        switch (imm32) {
                        case 16:
@@ -900,7 +930,7 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
                if (proglen <= 0) {
                        image = NULL;
                        if (header)
-                                module_free(NULL, header);
+                                bpf_jit_binary_free(header);
                        goto out;
                }
                if (image) {
@@ -910,7 +940,8 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
                        break;
                }
                if (proglen == oldproglen) {
-                        header = bpf_alloc_binary(proglen, &image);
+                        header = bpf_jit_binary_alloc(proglen, &image,
+                                                      1, jit_fill_hole);
                        if (!header)
                                goto out;
                }
@@ -924,29 +955,23 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
                bpf_flush_icache(header, image + proglen);
                set_memory_ro((unsigned long)header, header->pages);
                prog->bpf_func = (void *)image;
-                prog->jited = 1;
+                prog->jited = true;
        }
 out:
        kfree(addrs);
 }
-static void bpf_jit_free_deferred(struct work_struct *work)
+void bpf_jit_free(struct bpf_prog *fp)
 {
-        struct bpf_prog *fp = container_of(work, struct bpf_prog, work);
        unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
        struct bpf_binary_header *header = (void *)addr;
+        if (!fp->jited)
+                goto free_filter;
        set_memory_rw(addr, header->pages);
-        module_free(NULL, header);
+        bpf_jit_binary_free(header);
-        kfree(fp);
-}
-void bpf_jit_free(struct bpf_prog *fp)
+free_filter:
-{
+        bpf_prog_unlock_free(fp);
-        if (fp->jited) {
-                INIT_WORK(&fp->work, bpf_jit_free_deferred);
-                schedule_work(&fp->work);
-        } else {
-                kfree(fp);
-        }
 }
diff --git a/arch/x86/syscalls/syscall_32.tbl b/arch/x86/syscalls/syscall_32.tbl
index 028b78168d85..9fe1b5d002f0 100644
--- a/arch/x86/syscalls/syscall_32.tbl
+++ b/arch/x86/syscalls/syscall_32.tbl
@@ -363,3 +363,4 @@
 354     i386    seccomp                 sys_seccomp
 355     i386    getrandom               sys_getrandom
 356     i386    memfd_create            sys_memfd_create
+357     i386    bpf                     sys_bpf
diff --git a/arch/x86/syscalls/syscall_64.tbl b/arch/x86/syscalls/syscall_64.tbl
index 35dd922727b9..281150b539a2 100644
--- a/arch/x86/syscalls/syscall_64.tbl
+++ b/arch/x86/syscalls/syscall_64.tbl
@@ -327,6 +327,7 @@
 318     common  getrandom               sys_getrandom
 319     common  memfd_create            sys_memfd_create
 320     common  kexec_file_load         sys_kexec_file_load
+321     common  bpf                     sys_bpf
 #
 # x32-specific system call numbers start at 512 to avoid cache impact