commit: 795fb9584949e5cff5633e358c2e211d253d2149 Author: Arisu Tachibana <alicef <AT> gentoo <DOT> org> AuthorDate: Thu Jul 24 09:18:44 2025 +0000 Commit: Arisu Tachibana <alicef <AT> gentoo <DOT> org> CommitDate: Thu Jul 24 09:18:44 2025 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=795fb958
Linux patch 6.1.147 Signed-off-by: Arisu Tachibana <alicef <AT> gentoo.org> 0000_README | 4 + 1146_linux-6.1.147.patch | 3022 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 3026 insertions(+) diff --git a/0000_README b/0000_README index c8a2d32d..8ee62915 100644 --- a/0000_README +++ b/0000_README @@ -627,6 +627,10 @@ Patch: 1145_linux-6.1.146.patch From: https://www.kernel.org Desc: Linux 6.1.146 +Patch: 1146_linux-6.1.147.patch +From: https://www.kernel.org +Desc: Linux 6.1.147 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1146_linux-6.1.147.patch b/1146_linux-6.1.147.patch new file mode 100644 index 00000000..5bb6f231 --- /dev/null +++ b/1146_linux-6.1.147.patch @@ -0,0 +1,3022 @@ +diff --git a/Makefile b/Makefile +index 7ebae10b593973..0e07b0834a7c18 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 6 + PATCHLEVEL = 1 +-SUBLEVEL = 146 ++SUBLEVEL = 147 + EXTRAVERSION = + NAME = Curry Ramen + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +index b4bb1746b1f574..13301a479506b4 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi +@@ -466,6 +466,7 @@ reg_vdd_phy: LDO4 { + }; + + reg_nvcc_sd: LDO5 { ++ regulator-always-on; + regulator-max-microvolt = <3300000>; + regulator-min-microvolt = <1800000>; + regulator-name = "On-module +V3.3_1.8_SD (LDO5)"; +diff --git a/drivers/base/power/domain_governor.c b/drivers/base/power/domain_governor.c +index 282a3a135827ce..03e75de4666b88 100644 +--- a/drivers/base/power/domain_governor.c ++++ b/drivers/base/power/domain_governor.c +@@ -8,6 +8,7 @@ + #include <linux/pm_domain.h> + #include <linux/pm_qos.h> + #include <linux/hrtimer.h> ++#include <linux/cpu.h> + #include <linux/cpuidle.h> + #include <linux/cpumask.h> + #include <linux/ktime.h> +@@ -345,6 +346,8 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) + struct cpuidle_device *dev; + ktime_t domain_wakeup, next_hrtimer; + ktime_t now = ktime_get(); ++ struct device *cpu_dev; ++ s64 cpu_constraint, global_constraint; + s64 idle_duration_ns; + int cpu, i; + +@@ -355,6 +358,7 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) + if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) + return true; + ++ global_constraint = cpu_latency_qos_limit(); + /* + * Find the next wakeup for any of the online CPUs within the PM domain + * and its subdomains. Note, we only need the genpd->cpus, as it already +@@ -368,8 +372,16 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) + if (ktime_before(next_hrtimer, domain_wakeup)) + domain_wakeup = next_hrtimer; + } ++ ++ cpu_dev = get_cpu_device(cpu); ++ if (cpu_dev) { ++ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); ++ if (cpu_constraint < global_constraint) ++ global_constraint = cpu_constraint; ++ } + } + ++ global_constraint *= NSEC_PER_USEC; + /* The minimum idle duration is from now - until the next wakeup. */ + idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); + if (idle_duration_ns <= 0) +@@ -382,8 +394,10 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) + */ + i = genpd->state_idx; + do { +- if (idle_duration_ns >= (genpd->states[i].residency_ns + +- genpd->states[i].power_off_latency_ns)) { ++ if ((idle_duration_ns >= (genpd->states[i].residency_ns + ++ genpd->states[i].power_off_latency_ns)) && ++ (global_constraint >= (genpd->states[i].power_on_latency_ns + ++ genpd->states[i].power_off_latency_ns))) { + genpd->state_idx = i; + return true; + } +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 25adb3ac40eb8f..8bb1162031a6a7 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -3251,6 +3251,32 @@ static const struct qca_device_info qca_devices_table[] = { + { 0x00190200, 40, 4, 16 }, /* WCN785x 2.0 */ + }; + ++static u16 qca_extract_board_id(const struct qca_version *ver) ++{ ++ u16 flag = le16_to_cpu(ver->flag); ++ u16 board_id = 0; ++ ++ if (((flag >> 8) & 0xff) == QCA_FLAG_MULTI_NVM) { ++ /* The board_id should be split into two bytes ++ * The 1st byte is chip ID, and the 2nd byte is platform ID ++ * For example, board ID 0x010A, 0x01 is platform ID. 0x0A is chip ID ++ * we have several platforms, and platform IDs are continuously added ++ * Platform ID: ++ * 0x00 is for Mobile ++ * 0x01 is for X86 ++ * 0x02 is for Automotive ++ * 0x03 is for Consumer electronic ++ */ ++ board_id = (ver->chip_id << 8) + ver->platform_id; ++ } ++ ++ /* Take 0xffff as invalid board ID */ ++ if (board_id == 0xffff) ++ board_id = 0; ++ ++ return board_id; ++} ++ + static int btusb_qca_send_vendor_req(struct usb_device *udev, u8 request, + void *data, u16 size) + { +@@ -3407,44 +3433,28 @@ static void btusb_generate_qca_nvm_name(char *fwname, size_t max_size, + const struct qca_version *ver) + { + u32 rom_version = le32_to_cpu(ver->rom_version); +- u16 flag = le16_to_cpu(ver->flag); ++ const char *variant; ++ int len; ++ u16 board_id; + +- if (((flag >> 8) & 0xff) == QCA_FLAG_MULTI_NVM) { +- /* The board_id should be split into two bytes +- * The 1st byte is chip ID, and the 2nd byte is platform ID +- * For example, board ID 0x010A, 0x01 is platform ID. 0x0A is chip ID +- * we have several platforms, and platform IDs are continuously added +- * Platform ID: +- * 0x00 is for Mobile +- * 0x01 is for X86 +- * 0x02 is for Automotive +- * 0x03 is for Consumer electronic +- */ +- u16 board_id = (ver->chip_id << 8) + ver->platform_id; +- const char *variant; ++ board_id = qca_extract_board_id(ver); + +- switch (le32_to_cpu(ver->ram_version)) { +- case WCN6855_2_0_RAM_VERSION_GF: +- case WCN6855_2_1_RAM_VERSION_GF: +- variant = "_gf"; +- break; +- default: +- variant = ""; +- break; +- } +- +- if (board_id == 0) { +- snprintf(fwname, max_size, "qca/nvm_usb_%08x%s.bin", +- rom_version, variant); +- } else { +- snprintf(fwname, max_size, "qca/nvm_usb_%08x%s_%04x.bin", +- rom_version, variant, board_id); +- } +- } else { +- snprintf(fwname, max_size, "qca/nvm_usb_%08x.bin", +- rom_version); ++ switch (le32_to_cpu(ver->ram_version)) { ++ case WCN6855_2_0_RAM_VERSION_GF: ++ case WCN6855_2_1_RAM_VERSION_GF: ++ variant = "_gf"; ++ break; ++ default: ++ variant = NULL; ++ break; + } + ++ len = snprintf(fwname, max_size, "qca/nvm_usb_%08x", rom_version); ++ if (variant) ++ len += snprintf(fwname + len, max_size - len, "%s", variant); ++ if (board_id) ++ len += snprintf(fwname + len, max_size - len, "_%04x", board_id); ++ len += snprintf(fwname + len, max_size - len, ".bin"); + } + + static int btusb_setup_qca_load_nvm(struct hci_dev *hdev, +diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c +index 37eb26abfd8788..8325cd4beeda80 100644 +--- a/drivers/comedi/comedi_fops.c ++++ b/drivers/comedi/comedi_fops.c +@@ -1551,21 +1551,27 @@ static int do_insnlist_ioctl(struct comedi_device *dev, + } + + for (i = 0; i < n_insns; ++i) { ++ unsigned int n = insns[i].n; ++ + if (insns[i].insn & INSN_MASK_WRITE) { + if (copy_from_user(data, insns[i].data, +- insns[i].n * sizeof(unsigned int))) { ++ n * sizeof(unsigned int))) { + dev_dbg(dev->class_dev, + "copy_from_user failed\n"); + ret = -EFAULT; + goto error; + } ++ if (n < MIN_SAMPLES) { ++ memset(&data[n], 0, (MIN_SAMPLES - n) * ++ sizeof(unsigned int)); ++ } + } + ret = parse_insn(dev, insns + i, data, file); + if (ret < 0) + goto error; + if (insns[i].insn & INSN_MASK_READ) { + if (copy_to_user(insns[i].data, data, +- insns[i].n * sizeof(unsigned int))) { ++ n * sizeof(unsigned int))) { + dev_dbg(dev->class_dev, + "copy_to_user failed\n"); + ret = -EFAULT; +@@ -1584,6 +1590,16 @@ static int do_insnlist_ioctl(struct comedi_device *dev, + return i; + } + ++#define MAX_INSNS MAX_SAMPLES ++static int check_insnlist_len(struct comedi_device *dev, unsigned int n_insns) ++{ ++ if (n_insns > MAX_INSNS) { ++ dev_dbg(dev->class_dev, "insnlist length too large\n"); ++ return -EINVAL; ++ } ++ return 0; ++} ++ + /* + * COMEDI_INSN ioctl + * synchronous instruction +@@ -1628,6 +1644,10 @@ static int do_insn_ioctl(struct comedi_device *dev, + ret = -EFAULT; + goto error; + } ++ if (insn->n < MIN_SAMPLES) { ++ memset(&data[insn->n], 0, ++ (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); ++ } + } + ret = parse_insn(dev, insn, data, file); + if (ret < 0) +@@ -2234,6 +2254,9 @@ static long comedi_unlocked_ioctl(struct file *file, unsigned int cmd, + rc = -EFAULT; + break; + } ++ rc = check_insnlist_len(dev, insnlist.n_insns); ++ if (rc) ++ break; + insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL); + if (!insns) { + rc = -ENOMEM; +@@ -3085,6 +3108,9 @@ static int compat_insnlist(struct file *file, unsigned long arg) + if (copy_from_user(&insnlist32, compat_ptr(arg), sizeof(insnlist32))) + return -EFAULT; + ++ rc = check_insnlist_len(dev, insnlist32.n_insns); ++ if (rc) ++ return rc; + insns = kcalloc(insnlist32.n_insns, sizeof(*insns), GFP_KERNEL); + if (!insns) + return -ENOMEM; +diff --git a/drivers/comedi/drivers.c b/drivers/comedi/drivers.c +index d4e2ed709bfc7a..086213bcc49933 100644 +--- a/drivers/comedi/drivers.c ++++ b/drivers/comedi/drivers.c +@@ -338,10 +338,10 @@ int comedi_dio_insn_config(struct comedi_device *dev, + unsigned int *data, + unsigned int mask) + { +- unsigned int chan_mask = 1 << CR_CHAN(insn->chanspec); ++ unsigned int chan = CR_CHAN(insn->chanspec); + +- if (!mask) +- mask = chan_mask; ++ if (!mask && chan < 32) ++ mask = 1U << chan; + + switch (data[0]) { + case INSN_CONFIG_DIO_INPUT: +@@ -381,7 +381,7 @@ EXPORT_SYMBOL_GPL(comedi_dio_insn_config); + unsigned int comedi_dio_update_state(struct comedi_subdevice *s, + unsigned int *data) + { +- unsigned int chanmask = (s->n_chan < 32) ? ((1 << s->n_chan) - 1) ++ unsigned int chanmask = (s->n_chan < 32) ? ((1U << s->n_chan) - 1) + : 0xffffffff; + unsigned int mask = data[0] & chanmask; + unsigned int bits = data[1]; +@@ -614,6 +614,9 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, + unsigned int _data[2]; + int ret; + ++ if (insn->n == 0) ++ return 0; ++ + memset(_data, 0, sizeof(_data)); + memset(&_insn, 0, sizeof(_insn)); + _insn.insn = INSN_BITS; +@@ -624,8 +627,8 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, + if (insn->insn == INSN_WRITE) { + if (!(s->subdev_flags & SDF_WRITABLE)) + return -EINVAL; +- _data[0] = 1 << (chan - base_chan); /* mask */ +- _data[1] = data[0] ? (1 << (chan - base_chan)) : 0; /* bits */ ++ _data[0] = 1U << (chan - base_chan); /* mask */ ++ _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */ + } + + ret = s->insn_bits(dev, s, &_insn, _data); +@@ -708,7 +711,7 @@ static int __comedi_device_postconfig(struct comedi_device *dev) + + if (s->type == COMEDI_SUBD_DO) { + if (s->n_chan < 32) +- s->io_bits = (1 << s->n_chan) - 1; ++ s->io_bits = (1U << s->n_chan) - 1; + else + s->io_bits = 0xffffffff; + } +diff --git a/drivers/comedi/drivers/aio_iiro_16.c b/drivers/comedi/drivers/aio_iiro_16.c +index b00fab0b89d4c4..739cc4db52ac7e 100644 +--- a/drivers/comedi/drivers/aio_iiro_16.c ++++ b/drivers/comedi/drivers/aio_iiro_16.c +@@ -177,7 +177,8 @@ static int aio_iiro_16_attach(struct comedi_device *dev, + * Digital input change of state interrupts are optionally supported + * using IRQ 2-7, 10-12, 14, or 15. + */ +- if ((1 << it->options[1]) & 0xdcfc) { ++ if (it->options[1] > 0 && it->options[1] < 16 && ++ (1 << it->options[1]) & 0xdcfc) { + ret = request_irq(it->options[1], aio_iiro_16_cos, 0, + dev->board_name, dev); + if (ret == 0) +diff --git a/drivers/comedi/drivers/das16m1.c b/drivers/comedi/drivers/das16m1.c +index 275effb77746b6..99e63d51c506c5 100644 +--- a/drivers/comedi/drivers/das16m1.c ++++ b/drivers/comedi/drivers/das16m1.c +@@ -522,7 +522,8 @@ static int das16m1_attach(struct comedi_device *dev, + devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE; + + /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ +- if ((1 << it->options[1]) & 0xdcfc) { ++ if (it->options[1] >= 2 && it->options[1] <= 15 && ++ (1 << it->options[1]) & 0xdcfc) { + ret = request_irq(it->options[1], das16m1_interrupt, 0, + dev->board_name, dev); + if (ret == 0) +diff --git a/drivers/comedi/drivers/das6402.c b/drivers/comedi/drivers/das6402.c +index 1af394591e7480..e730668236c268 100644 +--- a/drivers/comedi/drivers/das6402.c ++++ b/drivers/comedi/drivers/das6402.c +@@ -567,7 +567,8 @@ static int das6402_attach(struct comedi_device *dev, + das6402_reset(dev); + + /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ +- if ((1 << it->options[1]) & 0x8cec) { ++ if (it->options[1] > 0 && it->options[1] < 16 && ++ (1 << it->options[1]) & 0x8cec) { + ret = request_irq(it->options[1], das6402_interrupt, 0, + dev->board_name, dev); + if (ret == 0) { +diff --git a/drivers/comedi/drivers/pcl812.c b/drivers/comedi/drivers/pcl812.c +index 70dbc129fcf558..e0459f286fa613 100644 +--- a/drivers/comedi/drivers/pcl812.c ++++ b/drivers/comedi/drivers/pcl812.c +@@ -1149,7 +1149,8 @@ static int pcl812_attach(struct comedi_device *dev, struct comedi_devconfig *it) + if (!dev->pacer) + return -ENOMEM; + +- if ((1 << it->options[1]) & board->irq_bits) { ++ if (it->options[1] > 0 && it->options[1] < 16 && ++ (1 << it->options[1]) & board->irq_bits) { + ret = request_irq(it->options[1], pcl812_interrupt, 0, + dev->board_name, dev); + if (ret == 0) +diff --git a/drivers/dma/nbpfaxi.c b/drivers/dma/nbpfaxi.c +index a7063e9cd551cf..e389945e36f252 100644 +--- a/drivers/dma/nbpfaxi.c ++++ b/drivers/dma/nbpfaxi.c +@@ -1354,7 +1354,7 @@ static int nbpf_probe(struct platform_device *pdev) + if (irqs == 1) { + eirq = irqbuf[0]; + +- for (i = 0; i <= num_channels; i++) ++ for (i = 0; i < num_channels; i++) + nbpf->chan[i].irq = irqbuf[0]; + } else { + eirq = platform_get_irq_byname(pdev, "error"); +@@ -1364,16 +1364,15 @@ static int nbpf_probe(struct platform_device *pdev) + if (irqs == num_channels + 1) { + struct nbpf_channel *chan; + +- for (i = 0, chan = nbpf->chan; i <= num_channels; ++ for (i = 0, chan = nbpf->chan; i < num_channels; + i++, chan++) { + /* Skip the error IRQ */ + if (irqbuf[i] == eirq) + i++; ++ if (i >= ARRAY_SIZE(irqbuf)) ++ return -EINVAL; + chan->irq = irqbuf[i]; + } +- +- if (chan != nbpf->chan + num_channels) +- return -EINVAL; + } else { + /* 2 IRQs and more than one channel */ + if (irqbuf[0] == eirq) +@@ -1381,7 +1380,7 @@ static int nbpf_probe(struct platform_device *pdev) + else + irq = irqbuf[0]; + +- for (i = 0; i <= num_channels; i++) ++ for (i = 0; i < num_channels; i++) + nbpf->chan[i].irq = irq; + } + } +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 7790e464e2c6c4..ed65523d77c271 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1876,9 +1876,12 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags) + /* + * 7 extra bytes are necessary to achieve proper functionality + * of implement() working on 8 byte chunks ++ * 1 extra byte for the report ID if it is null (not used) so ++ * we can reserve that extra byte in the first position of the buffer ++ * when sending it to .raw_request() + */ + +- u32 len = hid_report_len(report) + 7; ++ u32 len = hid_report_len(report) + 7 + (report->id == 0); + + return kzalloc(len, flags); + } +@@ -1941,7 +1944,7 @@ static struct hid_report *hid_get_report(struct hid_report_enum *report_enum, + int __hid_request(struct hid_device *hid, struct hid_report *report, + enum hid_class_request reqtype) + { +- char *buf; ++ char *buf, *data_buf; + int ret; + u32 len; + +@@ -1949,13 +1952,19 @@ int __hid_request(struct hid_device *hid, struct hid_report *report, + if (!buf) + return -ENOMEM; + ++ data_buf = buf; + len = hid_report_len(report); + ++ if (report->id == 0) { ++ /* reserve the first byte for the report ID */ ++ data_buf++; ++ len++; ++ } ++ + if (reqtype == HID_REQ_SET_REPORT) +- hid_output_report(report, buf); ++ hid_output_report(report, data_buf); + +- ret = hid->ll_driver->raw_request(hid, report->id, buf, len, +- report->type, reqtype); ++ ret = hid_hw_raw_request(hid, report->id, buf, len, report->type, reqtype); + if (ret < 0) { + dbg_hid("unable to complete request: %d\n", ret); + goto out; +diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c +index 560eeec4035aa1..b0dc0edc69c2fa 100644 +--- a/drivers/hid/hid-mcp2221.c ++++ b/drivers/hid/hid-mcp2221.c +@@ -879,12 +879,12 @@ static int mcp2221_probe(struct hid_device *hdev, + snprintf(mcp->adapter.name, sizeof(mcp->adapter.name), + "MCP2221 usb-i2c bridge"); + ++ i2c_set_adapdata(&mcp->adapter, mcp); + ret = i2c_add_adapter(&mcp->adapter); + if (ret) { + hid_err(hdev, "can't add usb-i2c adapter: %d\n", ret); + goto err_i2c; + } +- i2c_set_adapdata(&mcp->adapter, mcp); + + /* Setup GPIO chip */ + mcp->gc = devm_kzalloc(&hdev->dev, sizeof(*mcp->gc), GFP_KERNEL); +diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c +index 486fb6a8c35664..18da3e013c20b7 100644 +--- a/drivers/hwmon/corsair-cpro.c ++++ b/drivers/hwmon/corsair-cpro.c +@@ -84,6 +84,7 @@ struct ccp_device { + struct mutex mutex; /* whenever buffer is used, lock before send_usb_cmd */ + u8 *cmd_buffer; + u8 *buffer; ++ int buffer_recv_size; /* number of received bytes in buffer */ + int target[6]; + DECLARE_BITMAP(temp_cnct, NUM_TEMP_SENSORS); + DECLARE_BITMAP(fan_cnct, NUM_FANS); +@@ -139,6 +140,9 @@ static int send_usb_cmd(struct ccp_device *ccp, u8 command, u8 byte1, u8 byte2, + if (!t) + return -ETIMEDOUT; + ++ if (ccp->buffer_recv_size != IN_BUFFER_SIZE) ++ return -EPROTO; ++ + return ccp_get_errno(ccp); + } + +@@ -150,6 +154,7 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8 + spin_lock(&ccp->wait_input_report_lock); + if (!completion_done(&ccp->wait_input_report)) { + memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size)); ++ ccp->buffer_recv_size = size; + complete_all(&ccp->wait_input_report); + } + spin_unlock(&ccp->wait_input_report_lock); +diff --git a/drivers/i2c/busses/i2c-stm32.c b/drivers/i2c/busses/i2c-stm32.c +index 157c64e27d0bd3..f84ec056e36dfe 100644 +--- a/drivers/i2c/busses/i2c-stm32.c ++++ b/drivers/i2c/busses/i2c-stm32.c +@@ -102,7 +102,6 @@ int stm32_i2c_prep_dma_xfer(struct device *dev, struct stm32_i2c_dma *dma, + void *dma_async_param) + { + struct dma_async_tx_descriptor *txdesc; +- struct device *chan_dev; + int ret; + + if (rd_wr) { +@@ -116,11 +115,10 @@ int stm32_i2c_prep_dma_xfer(struct device *dev, struct stm32_i2c_dma *dma, + } + + dma->dma_len = len; +- chan_dev = dma->chan_using->device->dev; + +- dma->dma_buf = dma_map_single(chan_dev, buf, dma->dma_len, ++ dma->dma_buf = dma_map_single(dev, buf, dma->dma_len, + dma->dma_data_dir); +- if (dma_mapping_error(chan_dev, dma->dma_buf)) { ++ if (dma_mapping_error(dev, dma->dma_buf)) { + dev_err(dev, "DMA mapping failed\n"); + return -EINVAL; + } +@@ -150,7 +148,7 @@ int stm32_i2c_prep_dma_xfer(struct device *dev, struct stm32_i2c_dma *dma, + return 0; + + err: +- dma_unmap_single(chan_dev, dma->dma_buf, dma->dma_len, ++ dma_unmap_single(dev, dma->dma_buf, dma->dma_len, + dma->dma_data_dir); + return ret; + } +diff --git a/drivers/i2c/busses/i2c-stm32f7.c b/drivers/i2c/busses/i2c-stm32f7.c +index 43846f22af047b..f8d7e7b5d2163e 100644 +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -727,10 +727,10 @@ static void stm32f7_i2c_dma_callback(void *arg) + { + struct stm32f7_i2c_dev *i2c_dev = (struct stm32f7_i2c_dev *)arg; + struct stm32_i2c_dma *dma = i2c_dev->dma; +- struct device *dev = dma->chan_using->device->dev; + + stm32f7_i2c_disable_dma_req(i2c_dev); +- dma_unmap_single(dev, dma->dma_buf, dma->dma_len, dma->dma_data_dir); ++ dma_unmap_single(i2c_dev->dev, dma->dma_buf, dma->dma_len, ++ dma->dma_data_dir); + complete(&dma->dma_complete); + } + +diff --git a/drivers/iio/accel/fxls8962af-core.c b/drivers/iio/accel/fxls8962af-core.c +index 700dc02a25394a..8bd4eef12ac445 100644 +--- a/drivers/iio/accel/fxls8962af-core.c ++++ b/drivers/iio/accel/fxls8962af-core.c +@@ -866,6 +866,8 @@ static int fxls8962af_buffer_predisable(struct iio_dev *indio_dev) + if (ret) + return ret; + ++ synchronize_irq(data->irq); ++ + ret = __fxls8962af_fifo_set_mode(data, false); + + if (data->enable_event) +diff --git a/drivers/iio/adc/max1363.c b/drivers/iio/adc/max1363.c +index a28cf86cdce804..875f5ff2020825 100644 +--- a/drivers/iio/adc/max1363.c ++++ b/drivers/iio/adc/max1363.c +@@ -512,10 +512,10 @@ static const struct iio_event_spec max1363_events[] = { + MAX1363_CHAN_U(1, _s1, 1, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_U(2, _s2, 2, bits, ev_spec, num_ev_spec), \ + MAX1363_CHAN_U(3, _s3, 3, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(0, 1, d0m1, 4, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(2, 3, d2m3, 5, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(1, 0, d1m0, 6, bits, ev_spec, num_ev_spec), \ +- MAX1363_CHAN_B(3, 2, d3m2, 7, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, ev_spec, num_ev_spec), \ ++ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, ev_spec, num_ev_spec), \ + IIO_CHAN_SOFT_TIMESTAMP(8) \ + } + +@@ -533,23 +533,23 @@ static const struct iio_chan_spec max1363_channels[] = + /* Applies to max1236, max1237 */ + static const enum max1363_modes max1236_mode_list[] = { + _s0, _s1, _s2, _s3, +- s0to1, s0to2, s0to3, ++ s0to1, s0to2, s2to3, s0to3, + d0m1, d2m3, d1m0, d3m2, + d0m1to2m3, d1m0to3m2, +- s2to3, + }; + + /* Applies to max1238, max1239 */ + static const enum max1363_modes max1238_mode_list[] = { + _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, _s8, _s9, _s10, _s11, + s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, ++ s6to7, s6to8, s6to9, s6to10, s6to11, + s0to7, s0to8, s0to9, s0to10, s0to11, + d0m1, d2m3, d4m5, d6m7, d8m9, d10m11, + d1m0, d3m2, d5m4, d7m6, d9m8, d11m10, +- d0m1to2m3, d0m1to4m5, d0m1to6m7, d0m1to8m9, d0m1to10m11, +- d1m0to3m2, d1m0to5m4, d1m0to7m6, d1m0to9m8, d1m0to11m10, +- s6to7, s6to8, s6to9, s6to10, s6to11, +- d6m7to8m9, d6m7to10m11, d7m6to9m8, d7m6to11m10, ++ d0m1to2m3, d0m1to4m5, d0m1to6m7, d6m7to8m9, ++ d0m1to8m9, d6m7to10m11, d0m1to10m11, d1m0to3m2, ++ d1m0to5m4, d1m0to7m6, d7m6to9m8, d1m0to9m8, ++ d7m6to11m10, d1m0to11m10, + }; + + #define MAX1363_12X_CHANS(bits) { \ +@@ -585,16 +585,15 @@ static const struct iio_chan_spec max1238_channels[] = MAX1363_12X_CHANS(12); + + static const enum max1363_modes max11607_mode_list[] = { + _s0, _s1, _s2, _s3, +- s0to1, s0to2, s0to3, +- s2to3, ++ s0to1, s0to2, s2to3, ++ s0to3, + d0m1, d2m3, d1m0, d3m2, + d0m1to2m3, d1m0to3m2, + }; + + static const enum max1363_modes max11608_mode_list[] = { + _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, +- s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s0to7, +- s6to7, ++ s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s6to7, s0to7, + d0m1, d2m3, d4m5, d6m7, + d1m0, d3m2, d5m4, d7m6, + d0m1to2m3, d0m1to4m5, d0m1to6m7, +@@ -610,14 +609,14 @@ static const enum max1363_modes max11608_mode_list[] = { + MAX1363_CHAN_U(5, _s5, 5, bits, NULL, 0), \ + MAX1363_CHAN_U(6, _s6, 6, bits, NULL, 0), \ + MAX1363_CHAN_U(7, _s7, 7, bits, NULL, 0), \ +- MAX1363_CHAN_B(0, 1, d0m1, 8, bits, NULL, 0), \ +- MAX1363_CHAN_B(2, 3, d2m3, 9, bits, NULL, 0), \ +- MAX1363_CHAN_B(4, 5, d4m5, 10, bits, NULL, 0), \ +- MAX1363_CHAN_B(6, 7, d6m7, 11, bits, NULL, 0), \ +- MAX1363_CHAN_B(1, 0, d1m0, 12, bits, NULL, 0), \ +- MAX1363_CHAN_B(3, 2, d3m2, 13, bits, NULL, 0), \ +- MAX1363_CHAN_B(5, 4, d5m4, 14, bits, NULL, 0), \ +- MAX1363_CHAN_B(7, 6, d7m6, 15, bits, NULL, 0), \ ++ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, NULL, 0), \ ++ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, NULL, 0), \ ++ MAX1363_CHAN_B(4, 5, d4m5, 14, bits, NULL, 0), \ ++ MAX1363_CHAN_B(6, 7, d6m7, 15, bits, NULL, 0), \ ++ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, NULL, 0), \ ++ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, NULL, 0), \ ++ MAX1363_CHAN_B(5, 4, d5m4, 20, bits, NULL, 0), \ ++ MAX1363_CHAN_B(7, 6, d7m6, 21, bits, NULL, 0), \ + IIO_CHAN_SOFT_TIMESTAMP(16) \ + } + static const struct iio_chan_spec max11602_channels[] = MAX1363_8X_CHANS(8); +diff --git a/drivers/iio/adc/stm32-adc-core.c b/drivers/iio/adc/stm32-adc-core.c +index dee47b899e5df2..e60d5c8f2be7e4 100644 +--- a/drivers/iio/adc/stm32-adc-core.c ++++ b/drivers/iio/adc/stm32-adc-core.c +@@ -415,10 +415,9 @@ static int stm32_adc_irq_probe(struct platform_device *pdev, + return -ENOMEM; + } + +- for (i = 0; i < priv->cfg->num_irqs; i++) { +- irq_set_chained_handler(priv->irq[i], stm32_adc_irq_handler); +- irq_set_handler_data(priv->irq[i], priv); +- } ++ for (i = 0; i < priv->cfg->num_irqs; i++) ++ irq_set_chained_handler_and_data(priv->irq[i], ++ stm32_adc_irq_handler, priv); + + return 0; + } +diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c +index 7c11d9a1de0e5e..de0182a5652cf5 100644 +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -162,12 +162,12 @@ static const struct xpad_device { + { 0x046d, 0xca88, "Logitech Compact Controller for Xbox", 0, XTYPE_XBOX }, + { 0x046d, 0xca8a, "Logitech Precision Vibration Feedback Wheel", 0, XTYPE_XBOX }, + { 0x046d, 0xcaa3, "Logitech DriveFx Racing Wheel", 0, XTYPE_XBOX360 }, ++ { 0x0502, 0x1305, "Acer NGR200", 0, XTYPE_XBOX360 }, + { 0x056e, 0x2004, "Elecom JC-U3613M", 0, XTYPE_XBOX360 }, + { 0x05fd, 0x1007, "Mad Catz Controller (unverified)", 0, XTYPE_XBOX }, + { 0x05fd, 0x107a, "InterAct 'PowerPad Pro' X-Box pad (Germany)", 0, XTYPE_XBOX }, + { 0x05fe, 0x3030, "Chic Controller", 0, XTYPE_XBOX }, + { 0x05fe, 0x3031, "Chic Controller", 0, XTYPE_XBOX }, +- { 0x0502, 0x1305, "Acer NGR200", 0, XTYPE_XBOX }, + { 0x062a, 0x0020, "Logic3 Xbox GamePad", 0, XTYPE_XBOX }, + { 0x062a, 0x0033, "Competition Pro Steering Wheel", 0, XTYPE_XBOX }, + { 0x06a3, 0x0200, "Saitek Racing Wheel", 0, XTYPE_XBOX }, +diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c +index d410e2e78a3d39..4b62ebfdb9b040 100644 +--- a/drivers/memstick/core/memstick.c ++++ b/drivers/memstick/core/memstick.c +@@ -323,7 +323,7 @@ EXPORT_SYMBOL(memstick_init_req); + static int h_memstick_read_dev_id(struct memstick_dev *card, + struct memstick_request **mrq) + { +- struct ms_id_register id_reg; ++ struct ms_id_register id_reg = {}; + + if (!(*mrq)) { + memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, +diff --git a/drivers/mmc/host/bcm2835.c b/drivers/mmc/host/bcm2835.c +index c15226be4d2a24..b2f39965b38f7f 100644 +--- a/drivers/mmc/host/bcm2835.c ++++ b/drivers/mmc/host/bcm2835.c +@@ -507,7 +507,8 @@ void bcm2835_prepare_dma(struct bcm2835_host *host, struct mmc_data *data) + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); + + if (!desc) { +- dma_unmap_sg(dma_chan->device->dev, data->sg, sg_len, dir_data); ++ dma_unmap_sg(dma_chan->device->dev, data->sg, data->sg_len, ++ dir_data); + return; + } + +diff --git a/drivers/mmc/host/sdhci-pci-core.c b/drivers/mmc/host/sdhci-pci-core.c +index c71d9956b398df..226232e5d84d5b 100644 +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -916,7 +916,8 @@ static bool glk_broken_cqhci(struct sdhci_pci_slot *slot) + { + return slot->chip->pdev->device == PCI_DEVICE_ID_INTEL_GLK_EMMC && + (dmi_match(DMI_BIOS_VENDOR, "LENOVO") || +- dmi_match(DMI_SYS_VENDOR, "IRBIS")); ++ dmi_match(DMI_SYS_VENDOR, "IRBIS") || ++ dmi_match(DMI_SYS_VENDOR, "Positivo Tecnologia SA")); + } + + static bool jsl_broken_hs400es(struct sdhci_pci_slot *slot) +diff --git a/drivers/mmc/host/sdhci_am654.c b/drivers/mmc/host/sdhci_am654.c +index 52d6cc07e38cc3..ceaea880de24cf 100644 +--- a/drivers/mmc/host/sdhci_am654.c ++++ b/drivers/mmc/host/sdhci_am654.c +@@ -558,7 +558,8 @@ static struct sdhci_ops sdhci_am654_ops = { + static const struct sdhci_pltfm_data sdhci_am654_pdata = { + .ops = &sdhci_am654_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_am654_sr1_drvdata = { +@@ -588,7 +589,8 @@ static struct sdhci_ops sdhci_j721e_8bit_ops = { + static const struct sdhci_pltfm_data sdhci_j721e_8bit_pdata = { + .ops = &sdhci_j721e_8bit_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_j721e_8bit_drvdata = { +@@ -612,7 +614,8 @@ static struct sdhci_ops sdhci_j721e_4bit_ops = { + static const struct sdhci_pltfm_data sdhci_j721e_4bit_pdata = { + .ops = &sdhci_j721e_4bit_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_j721e_4bit_drvdata = { +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index ccddfa49e96c03..74dc45d9c242ed 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -1015,8 +1015,9 @@ static void mlx5e_lro_update_tcp_hdr(struct mlx5_cqe64 *cqe, struct tcphdr *tcp) + } + } + +-static void mlx5e_lro_update_hdr(struct sk_buff *skb, struct mlx5_cqe64 *cqe, +- u32 cqe_bcnt) ++static unsigned int mlx5e_lro_update_hdr(struct sk_buff *skb, ++ struct mlx5_cqe64 *cqe, ++ u32 cqe_bcnt) + { + struct ethhdr *eth = (struct ethhdr *)(skb->data); + struct tcphdr *tcp; +@@ -1067,6 +1068,8 @@ static void mlx5e_lro_update_hdr(struct sk_buff *skb, struct mlx5_cqe64 *cqe, + tcp->check = csum_ipv6_magic(&ipv6->saddr, &ipv6->daddr, payload_len, + IPPROTO_TCP, check); + } ++ ++ return (unsigned int)((unsigned char *)tcp + tcp->doff * 4 - skb->data); + } + + static void *mlx5e_shampo_get_packet_hd(struct mlx5e_rq *rq, u16 header_index) +@@ -1422,8 +1425,9 @@ static inline void mlx5e_build_rx_skb(struct mlx5_cqe64 *cqe, + mlx5e_macsec_offload_handle_rx_skb(netdev, skb, cqe); + + if (lro_num_seg > 1) { +- mlx5e_lro_update_hdr(skb, cqe, cqe_bcnt); +- skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt, lro_num_seg); ++ unsigned int hdrlen = mlx5e_lro_update_hdr(skb, cqe, cqe_bcnt); ++ ++ skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt - hdrlen, lro_num_seg); + /* Subtract one since we already counted this as one + * "regular" packet in mlx5e_complete_rx_cqe() + */ +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index de7baa1a1e163b..8c9633f740b485 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -2035,6 +2035,7 @@ static const struct pci_device_id mlx5_core_pci_table[] = { + { PCI_VDEVICE(MELLANOX, 0x1021) }, /* ConnectX-7 */ + { PCI_VDEVICE(MELLANOX, 0x1023) }, /* ConnectX-8 */ + { PCI_VDEVICE(MELLANOX, 0x1025) }, /* ConnectX-9 */ ++ { PCI_VDEVICE(MELLANOX, 0x1027) }, /* ConnectX-10 */ + { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */ + { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */ + { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */ +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index ad2c30d9a48248..fb0e42ddb3adb9 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -285,7 +285,7 @@ static void xemaclite_aligned_read(u32 *src_ptr, u8 *dest_ptr, + + /* Read the remaining data */ + for (; length > 0; length--) +- *to_u8_ptr = *from_u8_ptr; ++ *to_u8_ptr++ = *from_u8_ptr++; + } + } + +diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c +index b3ae949e6f1c54..d067f09fc072b8 100644 +--- a/drivers/net/usb/sierra_net.c ++++ b/drivers/net/usb/sierra_net.c +@@ -689,6 +689,10 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf) + status); + return -ENODEV; + } ++ if (!dev->status) { ++ dev_err(&dev->udev->dev, "No status endpoint found"); ++ return -ENODEV; ++ } + /* Initialize sierra private data */ + priv = kzalloc(sizeof *priv, GFP_KERNEL); + if (!priv) +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index fbe3fb4fbe95f0..7d3759f875b23f 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -706,6 +706,10 @@ blk_status_t nvme_fail_nonready_command(struct nvme_ctrl *ctrl, + !test_bit(NVME_CTRL_FAILFAST_EXPIRED, &ctrl->flags) && + !blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH)) + return BLK_STS_RESOURCE; ++ ++ if (!(rq->rq_flags & RQF_DONTPREP)) ++ nvme_clear_nvme_request(rq); ++ + return nvme_host_path_error(rq); + } + EXPORT_SYMBOL_GPL(nvme_fail_nonready_command); +diff --git a/drivers/nvmem/u-boot-env.c b/drivers/nvmem/u-boot-env.c +index 4fdbdccebda16e..3d86dcd01ecf19 100644 +--- a/drivers/nvmem/u-boot-env.c ++++ b/drivers/nvmem/u-boot-env.c +@@ -139,7 +139,7 @@ static int u_boot_env_parse(struct u_boot_env *priv) + data_offset = offsetof(struct u_boot_env_image_redundant, data); + break; + } +- crc32 = le32_to_cpu(*(__le32 *)(buf + crc32_offset)); ++ crc32 = *(uint32_t *)(buf + crc32_offset); + crc32_data_len = priv->mtd->size - crc32_data_offset; + data_len = priv->mtd->size - data_offset; + +diff --git a/drivers/phy/tegra/xusb-tegra186.c b/drivers/phy/tegra/xusb-tegra186.c +index 0556a57f3ddf2c..1dac290e545704 100644 +--- a/drivers/phy/tegra/xusb-tegra186.c ++++ b/drivers/phy/tegra/xusb-tegra186.c +@@ -719,13 +719,15 @@ static int tegra186_xusb_padctl_vbus_override(struct tegra_xusb_padctl *padctl, + } + + static int tegra186_xusb_padctl_id_override(struct tegra_xusb_padctl *padctl, +- bool status) ++ struct tegra_xusb_usb2_port *port, bool status) + { +- u32 value; ++ u32 value, id_override; ++ int err = 0; + + dev_dbg(padctl->dev, "%s id override\n", status ? "set" : "clear"); + + value = padctl_readl(padctl, USB2_VBUS_ID); ++ id_override = value & ID_OVERRIDE(~0); + + if (status) { + if (value & VBUS_OVERRIDE) { +@@ -736,15 +738,35 @@ static int tegra186_xusb_padctl_id_override(struct tegra_xusb_padctl *padctl, + value = padctl_readl(padctl, USB2_VBUS_ID); + } + +- value &= ~ID_OVERRIDE(~0); +- value |= ID_OVERRIDE_GROUNDED; ++ if (id_override != ID_OVERRIDE_GROUNDED) { ++ value &= ~ID_OVERRIDE(~0); ++ value |= ID_OVERRIDE_GROUNDED; ++ padctl_writel(padctl, value, USB2_VBUS_ID); ++ ++ err = regulator_enable(port->supply); ++ if (err) { ++ dev_err(padctl->dev, "Failed to enable regulator: %d\n", err); ++ return err; ++ } ++ } + } else { +- value &= ~ID_OVERRIDE(~0); +- value |= ID_OVERRIDE_FLOATING; ++ if (id_override == ID_OVERRIDE_GROUNDED) { ++ /* ++ * The regulator is disabled only when the role transitions ++ * from USB_ROLE_HOST to USB_ROLE_NONE. ++ */ ++ err = regulator_disable(port->supply); ++ if (err) { ++ dev_err(padctl->dev, "Failed to disable regulator: %d\n", err); ++ return err; ++ } ++ ++ value &= ~ID_OVERRIDE(~0); ++ value |= ID_OVERRIDE_FLOATING; ++ padctl_writel(padctl, value, USB2_VBUS_ID); ++ } + } + +- padctl_writel(padctl, value, USB2_VBUS_ID); +- + return 0; + } + +@@ -763,27 +785,20 @@ static int tegra186_utmi_phy_set_mode(struct phy *phy, enum phy_mode mode, + + if (mode == PHY_MODE_USB_OTG) { + if (submode == USB_ROLE_HOST) { +- tegra186_xusb_padctl_id_override(padctl, true); +- +- err = regulator_enable(port->supply); ++ err = tegra186_xusb_padctl_id_override(padctl, port, true); ++ if (err) ++ goto out; + } else if (submode == USB_ROLE_DEVICE) { + tegra186_xusb_padctl_vbus_override(padctl, true); + } else if (submode == USB_ROLE_NONE) { +- /* +- * When port is peripheral only or role transitions to +- * USB_ROLE_NONE from USB_ROLE_DEVICE, regulator is not +- * enabled. +- */ +- if (regulator_is_enabled(port->supply)) +- regulator_disable(port->supply); +- +- tegra186_xusb_padctl_id_override(padctl, false); ++ err = tegra186_xusb_padctl_id_override(padctl, port, false); ++ if (err) ++ goto out; + tegra186_xusb_padctl_vbus_override(padctl, false); + } + } +- ++out: + mutex_unlock(&padctl->lock); +- + return err; + } + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index 22619b853f4495..19780e37d8ea76 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -59,6 +59,7 @@ struct aspeed_lpc_snoop_model_data { + }; + + struct aspeed_lpc_snoop_channel { ++ bool enabled; + struct kfifo fifo; + wait_queue_head_t wq; + struct miscdevice miscdev; +@@ -191,6 +192,9 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + const struct aspeed_lpc_snoop_model_data *model_data = + of_device_get_match_data(dev); + ++ if (WARN_ON(lpc_snoop->chan[channel].enabled)) ++ return -EBUSY; ++ + init_waitqueue_head(&lpc_snoop->chan[channel].wq); + /* Create FIFO datastructure */ + rc = kfifo_alloc(&lpc_snoop->chan[channel].fifo, +@@ -237,6 +241,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + regmap_update_bits(lpc_snoop->regmap, HICRB, + hicrb_en, hicrb_en); + ++ lpc_snoop->chan[channel].enabled = true; ++ + return 0; + + err_misc_deregister: +@@ -249,6 +255,9 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + static void aspeed_lpc_disable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + int channel) + { ++ if (!lpc_snoop->chan[channel].enabled) ++ return; ++ + switch (channel) { + case 0: + regmap_update_bits(lpc_snoop->regmap, HICR5, +@@ -264,8 +273,10 @@ static void aspeed_lpc_disable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + return; + } + +- kfifo_free(&lpc_snoop->chan[channel].fifo); ++ lpc_snoop->chan[channel].enabled = false; ++ /* Consider improving safety wrt concurrent reader(s) */ + misc_deregister(&lpc_snoop->chan[channel].miscdev); ++ kfifo_free(&lpc_snoop->chan[channel].fifo); + } + + static int aspeed_lpc_snoop_probe(struct platform_device *pdev) +diff --git a/drivers/thunderbolt/switch.c b/drivers/thunderbolt/switch.c +index 3c2035fc9cee37..5f88feb7366c72 100644 +--- a/drivers/thunderbolt/switch.c ++++ b/drivers/thunderbolt/switch.c +@@ -1491,7 +1491,7 @@ int tb_dp_port_set_hops(struct tb_port *port, unsigned int video, + return ret; + + data[0] &= ~ADP_DP_CS_0_VIDEO_HOPID_MASK; +- data[1] &= ~ADP_DP_CS_1_AUX_RX_HOPID_MASK; ++ data[1] &= ~ADP_DP_CS_1_AUX_TX_HOPID_MASK; + data[1] &= ~ADP_DP_CS_1_AUX_RX_HOPID_MASK; + + data[0] |= (video << ADP_DP_CS_0_VIDEO_HOPID_SHIFT) & +diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c +index abff1c6470f6a7..28f3d19a5bd712 100644 +--- a/drivers/tty/serial/pch_uart.c ++++ b/drivers/tty/serial/pch_uart.c +@@ -971,7 +971,7 @@ static unsigned int dma_handle_tx(struct eg20t_port *priv) + __func__); + return 0; + } +- dma_sync_sg_for_device(port->dev, priv->sg_tx_p, nent, DMA_TO_DEVICE); ++ dma_sync_sg_for_device(port->dev, priv->sg_tx_p, num, DMA_TO_DEVICE); + priv->desc_tx = desc; + desc->callback = pch_dma_tx_complete; + desc->callback_param = priv; +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index e6435408ea6c2b..5c8400dc79237e 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -66,6 +66,12 @@ + */ + #define USB_SHORT_SET_ADDRESS_REQ_TIMEOUT 500 /* ms */ + ++/* ++ * Give SS hubs 200ms time after wake to train downstream links before ++ * assuming no port activity and allowing hub to runtime suspend back. ++ */ ++#define USB_SS_PORT_U0_WAKE_TIME 200 /* ms */ ++ + /* Protect struct usb_device->state and ->children members + * Note: Both are also protected by ->dev.sem, except that ->state can + * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */ +@@ -1065,6 +1071,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + goto init2; + goto init3; + } ++ + hub_get(hub); + + /* The superspeed hub except for root hub has to use Hub Depth +@@ -1313,6 +1320,17 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + device_unlock(&hdev->dev); + } + ++ if (type == HUB_RESUME && hub_is_superspeed(hub->hdev)) { ++ /* give usb3 downstream links training time after hub resume */ ++ usb_autopm_get_interface_no_resume( ++ to_usb_interface(hub->intfdev)); ++ ++ queue_delayed_work(system_power_efficient_wq, ++ &hub->post_resume_work, ++ msecs_to_jiffies(USB_SS_PORT_U0_WAKE_TIME)); ++ return; ++ } ++ + hub_put(hub); + } + +@@ -1331,6 +1349,14 @@ static void hub_init_func3(struct work_struct *ws) + hub_activate(hub, HUB_INIT3); + } + ++static void hub_post_resume(struct work_struct *ws) ++{ ++ struct usb_hub *hub = container_of(ws, struct usb_hub, post_resume_work.work); ++ ++ usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); ++ hub_put(hub); ++} ++ + enum hub_quiescing_type { + HUB_DISCONNECT, HUB_PRE_RESET, HUB_SUSPEND + }; +@@ -1356,6 +1382,7 @@ static void hub_quiesce(struct usb_hub *hub, enum hub_quiescing_type type) + + /* Stop hub_wq and related activity */ + del_timer_sync(&hub->irq_urb_retry); ++ flush_delayed_work(&hub->post_resume_work); + usb_kill_urb(hub->urb); + if (hub->has_indicators) + cancel_delayed_work_sync(&hub->leds); +@@ -1914,6 +1941,7 @@ static int hub_probe(struct usb_interface *intf, const struct usb_device_id *id) + hub->hdev = hdev; + INIT_DELAYED_WORK(&hub->leds, led_work); + INIT_DELAYED_WORK(&hub->init_work, NULL); ++ INIT_DELAYED_WORK(&hub->post_resume_work, hub_post_resume); + INIT_WORK(&hub->events, hub_event); + INIT_LIST_HEAD(&hub->onboard_hub_devs); + spin_lock_init(&hub->irq_urb_lock); +@@ -5674,6 +5702,7 @@ static void port_event(struct usb_hub *hub, int port1) + struct usb_device *hdev = hub->hdev; + u16 portstatus, portchange; + int i = 0; ++ int err; + + connect_change = test_bit(port1, hub->change_bits); + clear_bit(port1, hub->event_bits); +@@ -5766,8 +5795,11 @@ static void port_event(struct usb_hub *hub, int port1) + } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) + || udev->state == USB_STATE_NOTATTACHED) { + dev_dbg(&port_dev->dev, "do warm reset, port only\n"); +- if (hub_port_reset(hub, port1, NULL, +- HUB_BH_RESET_TIME, true) < 0) ++ err = hub_port_reset(hub, port1, NULL, ++ HUB_BH_RESET_TIME, true); ++ if (!udev && err == -ENOTCONN) ++ connect_change = 0; ++ else if (err < 0) + hub_port_disable(hub, port1, 1); + } else { + dev_dbg(&port_dev->dev, "do warm reset, full device\n"); +diff --git a/drivers/usb/core/hub.h b/drivers/usb/core/hub.h +index 1085c72335d5c2..da3a10a430de37 100644 +--- a/drivers/usb/core/hub.h ++++ b/drivers/usb/core/hub.h +@@ -69,6 +69,7 @@ struct usb_hub { + u8 indicator[USB_MAXCHILDREN]; + struct delayed_work leds; + struct delayed_work init_work; ++ struct delayed_work post_resume_work; + struct work_struct events; + spinlock_t irq_urb_lock; + struct timer_list irq_urb_retry; +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index 93747ab2cf5b85..cdf114da31d8f3 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -856,13 +856,13 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + ret = reset_control_deassert(qcom->resets); + if (ret) { + dev_err(&pdev->dev, "failed to deassert resets, err=%d\n", ret); +- goto reset_assert; ++ return ret; + } + + ret = dwc3_qcom_clk_init(qcom, of_clk_get_parent_count(np)); + if (ret) { + dev_err(dev, "failed to get clocks\n"); +- goto reset_assert; ++ return ret; + } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +@@ -966,8 +966,6 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + clk_disable_unprepare(qcom->clks[i]); + clk_put(qcom->clks[i]); + } +-reset_assert: +- reset_control_assert(qcom->resets); + + return ret; + } +@@ -997,7 +995,6 @@ static int dwc3_qcom_remove(struct platform_device *pdev) + qcom->num_clocks = 0; + + dwc3_qcom_interconnect_exit(qcom); +- reset_control_assert(qcom->resets); + + pm_runtime_allow(dev); + pm_runtime_disable(dev); +diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c +index 5c1c7f36e5442c..cdbf12639dfa75 100644 +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -862,6 +862,8 @@ static ssize_t os_desc_qw_sign_store(struct config_item *item, const char *page, + struct gadget_info *gi = os_desc_item_to_gadget_info(item); + int res, l; + ++ if (!len) ++ return len; + l = min((int)len, OS_STRING_QW_SIGN_LEN >> 1); + if (page[l - 1] == '\n') + --l; +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index 03027c6fa3aba3..a0fe2516870bf0 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -502,7 +502,7 @@ int musb_set_host(struct musb *musb) + + init_data: + musb->is_active = 1; +- musb->xceiv->otg->state = OTG_STATE_A_IDLE; ++ musb_set_state(musb, OTG_STATE_A_IDLE); + MUSB_HST_MODE(musb); + + return error; +@@ -549,7 +549,7 @@ int musb_set_peripheral(struct musb *musb) + + init_data: + musb->is_active = 0; +- musb->xceiv->otg->state = OTG_STATE_B_IDLE; ++ musb_set_state(musb, OTG_STATE_B_IDLE); + MUSB_DEV_MODE(musb); + + return error; +@@ -599,12 +599,12 @@ static void musb_otg_timer_func(struct timer_list *t) + unsigned long flags; + + spin_lock_irqsave(&musb->lock, flags); +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_B_WAIT_ACON: + musb_dbg(musb, + "HNP: b_wait_acon timeout; back to b_peripheral"); + musb_g_disconnect(musb); +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + musb->is_active = 0; + break; + case OTG_STATE_A_SUSPEND: +@@ -612,7 +612,7 @@ static void musb_otg_timer_func(struct timer_list *t) + musb_dbg(musb, "HNP: %s timeout", + usb_otg_state_string(musb->xceiv->otg->state)); + musb_platform_set_vbus(musb, 0); +- musb->xceiv->otg->state = OTG_STATE_A_WAIT_VFALL; ++ musb_set_state(musb, OTG_STATE_A_WAIT_VFALL); + break; + default: + musb_dbg(musb, "HNP: Unhandled mode %s", +@@ -633,7 +633,7 @@ void musb_hnp_stop(struct musb *musb) + musb_dbg(musb, "HNP: stop from %s", + usb_otg_state_string(musb->xceiv->otg->state)); + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_PERIPHERAL: + musb_g_disconnect(musb); + musb_dbg(musb, "HNP: back to %s", +@@ -643,7 +643,7 @@ void musb_hnp_stop(struct musb *musb) + musb_dbg(musb, "HNP: Disabling HR"); + if (hcd) + hcd->self.is_b_host = 0; +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + MUSB_DEV_MODE(musb); + reg = musb_readb(mbase, MUSB_POWER); + reg |= MUSB_POWER_SUSPENDM; +@@ -671,7 +671,7 @@ static void musb_handle_intr_resume(struct musb *musb, u8 devctl) + usb_otg_state_string(musb->xceiv->otg->state)); + + if (devctl & MUSB_DEVCTL_HM) { +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_SUSPEND: + /* remote wakeup? */ + musb->port1_status |= +@@ -679,14 +679,14 @@ static void musb_handle_intr_resume(struct musb *musb, u8 devctl) + | MUSB_PORT_STAT_RESUME; + musb->rh_timer = jiffies + + msecs_to_jiffies(USB_RESUME_TIMEOUT); +- musb->xceiv->otg->state = OTG_STATE_A_HOST; ++ musb_set_state(musb, OTG_STATE_A_HOST); + musb->is_active = 1; + musb_host_resume_root_hub(musb); + schedule_delayed_work(&musb->finish_resume_work, + msecs_to_jiffies(USB_RESUME_TIMEOUT)); + break; + case OTG_STATE_B_WAIT_ACON: +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + musb->is_active = 1; + MUSB_DEV_MODE(musb); + break; +@@ -696,10 +696,10 @@ static void musb_handle_intr_resume(struct musb *musb, u8 devctl) + usb_otg_state_string(musb->xceiv->otg->state)); + } + } else { +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_SUSPEND: + /* possibly DISCONNECT is upcoming */ +- musb->xceiv->otg->state = OTG_STATE_A_HOST; ++ musb_set_state(musb, OTG_STATE_A_HOST); + musb_host_resume_root_hub(musb); + break; + case OTG_STATE_B_WAIT_ACON: +@@ -750,7 +750,7 @@ static irqreturn_t musb_handle_intr_sessreq(struct musb *musb, u8 devctl) + */ + musb_writeb(mbase, MUSB_DEVCTL, MUSB_DEVCTL_SESSION); + musb->ep0_stage = MUSB_EP0_START; +- musb->xceiv->otg->state = OTG_STATE_A_IDLE; ++ musb_set_state(musb, OTG_STATE_A_IDLE); + MUSB_HST_MODE(musb); + musb_platform_set_vbus(musb, 1); + +@@ -777,7 +777,7 @@ static void musb_handle_intr_vbuserr(struct musb *musb, u8 devctl) + * REVISIT: do delays from lots of DEBUG_KERNEL checks + * make trouble here, keeping VBUS < 4.4V ? + */ +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_HOST: + /* recovery is dicey once we've gotten past the + * initial stages of enumeration, but if VBUS +@@ -833,7 +833,7 @@ static void musb_handle_intr_suspend(struct musb *musb, u8 devctl) + musb_dbg(musb, "SUSPEND (%s) devctl %02x", + usb_otg_state_string(musb->xceiv->otg->state), devctl); + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_PERIPHERAL: + /* We also come here if the cable is removed, since + * this silicon doesn't report ID-no-longer-grounded. +@@ -858,7 +858,7 @@ static void musb_handle_intr_suspend(struct musb *musb, u8 devctl) + musb_g_suspend(musb); + musb->is_active = musb->g.b_hnp_enable; + if (musb->is_active) { +- musb->xceiv->otg->state = OTG_STATE_B_WAIT_ACON; ++ musb_set_state(musb, OTG_STATE_B_WAIT_ACON); + musb_dbg(musb, "HNP: Setting timer for b_ase0_brst"); + mod_timer(&musb->otg_timer, jiffies + + msecs_to_jiffies( +@@ -871,7 +871,7 @@ static void musb_handle_intr_suspend(struct musb *musb, u8 devctl) + + msecs_to_jiffies(musb->a_wait_bcon)); + break; + case OTG_STATE_A_HOST: +- musb->xceiv->otg->state = OTG_STATE_A_SUSPEND; ++ musb_set_state(musb, OTG_STATE_A_SUSPEND); + musb->is_active = musb->hcd->self.b_hnp_enable; + break; + case OTG_STATE_B_HOST: +@@ -909,7 +909,7 @@ static void musb_handle_intr_connect(struct musb *musb, u8 devctl, u8 int_usb) + musb->port1_status |= USB_PORT_STAT_LOW_SPEED; + + /* indicate new connection to OTG machine */ +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_B_PERIPHERAL: + if (int_usb & MUSB_INTR_SUSPEND) { + musb_dbg(musb, "HNP: SUSPEND+CONNECT, now b_host"); +@@ -921,7 +921,7 @@ static void musb_handle_intr_connect(struct musb *musb, u8 devctl, u8 int_usb) + case OTG_STATE_B_WAIT_ACON: + musb_dbg(musb, "HNP: CONNECT, now b_host"); + b_host: +- musb->xceiv->otg->state = OTG_STATE_B_HOST; ++ musb_set_state(musb, OTG_STATE_B_HOST); + if (musb->hcd) + musb->hcd->self.is_b_host = 1; + del_timer(&musb->otg_timer); +@@ -929,7 +929,7 @@ static void musb_handle_intr_connect(struct musb *musb, u8 devctl, u8 int_usb) + default: + if ((devctl & MUSB_DEVCTL_VBUS) + == (3 << MUSB_DEVCTL_VBUS_SHIFT)) { +- musb->xceiv->otg->state = OTG_STATE_A_HOST; ++ musb_set_state(musb, OTG_STATE_A_HOST); + if (hcd) + hcd->self.is_b_host = 0; + } +@@ -948,7 +948,7 @@ static void musb_handle_intr_disconnect(struct musb *musb, u8 devctl) + usb_otg_state_string(musb->xceiv->otg->state), + MUSB_MODE(musb), devctl); + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_HOST: + case OTG_STATE_A_SUSPEND: + musb_host_resume_root_hub(musb); +@@ -966,7 +966,7 @@ static void musb_handle_intr_disconnect(struct musb *musb, u8 devctl) + musb_root_disconnect(musb); + if (musb->hcd) + musb->hcd->self.is_b_host = 0; +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + MUSB_DEV_MODE(musb); + musb_g_disconnect(musb); + break; +@@ -1006,7 +1006,7 @@ static void musb_handle_intr_reset(struct musb *musb) + } else { + musb_dbg(musb, "BUS RESET as %s", + usb_otg_state_string(musb->xceiv->otg->state)); +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_SUSPEND: + musb_g_reset(musb); + fallthrough; +@@ -1025,11 +1025,11 @@ static void musb_handle_intr_reset(struct musb *musb) + case OTG_STATE_B_WAIT_ACON: + musb_dbg(musb, "HNP: RESET (%s), to b_peripheral", + usb_otg_state_string(musb->xceiv->otg->state)); +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + musb_g_reset(musb); + break; + case OTG_STATE_B_IDLE: +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + fallthrough; + case OTG_STATE_B_PERIPHERAL: + musb_g_reset(musb); +@@ -1216,8 +1216,8 @@ void musb_start(struct musb *musb) + * (c) peripheral initiates, using SRP + */ + if (musb->port_mode != MUSB_HOST && +- musb->xceiv->otg->state != OTG_STATE_A_WAIT_BCON && +- (devctl & MUSB_DEVCTL_VBUS) == MUSB_DEVCTL_VBUS) { ++ musb_get_state(musb) != OTG_STATE_A_WAIT_BCON && ++ (devctl & MUSB_DEVCTL_VBUS) == MUSB_DEVCTL_VBUS) { + musb->is_active = 1; + } else { + devctl |= MUSB_DEVCTL_SESSION; +@@ -1908,7 +1908,7 @@ vbus_store(struct device *dev, struct device_attribute *attr, + spin_lock_irqsave(&musb->lock, flags); + /* force T(a_wait_bcon) to be zero/unlimited *OR* valid */ + musb->a_wait_bcon = val ? max_t(int, val, OTG_TIME_A_WAIT_BCON) : 0 ; +- if (musb->xceiv->otg->state == OTG_STATE_A_WAIT_BCON) ++ if (musb_get_state(musb) == OTG_STATE_A_WAIT_BCON) + musb->is_active = 0; + musb_platform_try_idle(musb, jiffies + msecs_to_jiffies(val)); + spin_unlock_irqrestore(&musb->lock, flags); +@@ -2089,8 +2089,8 @@ static void musb_irq_work(struct work_struct *data) + + musb_pm_runtime_check_session(musb); + +- if (musb->xceiv->otg->state != musb->xceiv_old_state) { +- musb->xceiv_old_state = musb->xceiv->otg->state; ++ if (musb_get_state(musb) != musb->xceiv_old_state) { ++ musb->xceiv_old_state = musb_get_state(musb); + sysfs_notify(&musb->controller->kobj, NULL, "mode"); + } + +@@ -2532,7 +2532,7 @@ musb_init_controller(struct device *dev, int nIrq, void __iomem *ctrl) + } + + MUSB_DEV_MODE(musb); +- musb->xceiv->otg->state = OTG_STATE_B_IDLE; ++ musb_set_state(musb, OTG_STATE_B_IDLE); + + switch (musb->port_mode) { + case MUSB_HOST: +diff --git a/drivers/usb/musb/musb_core.h b/drivers/usb/musb/musb_core.h +index a8a65effe68b56..4a4d485d37bd33 100644 +--- a/drivers/usb/musb/musb_core.h ++++ b/drivers/usb/musb/musb_core.h +@@ -592,6 +592,17 @@ static inline void musb_platform_clear_ep_rxintr(struct musb *musb, int epnum) + musb->ops->clear_ep_rxintr(musb, epnum); + } + ++static inline void musb_set_state(struct musb *musb, ++ enum usb_otg_state otg_state) ++{ ++ musb->xceiv->otg->state = otg_state; ++} ++ ++static inline enum usb_otg_state musb_get_state(struct musb *musb) ++{ ++ return musb->xceiv->otg->state; ++} ++ + /* + * gets the "dr_mode" property from DT and converts it into musb_mode + * if the property is not found or not recognized returns MUSB_OTG +diff --git a/drivers/usb/musb/musb_debugfs.c b/drivers/usb/musb/musb_debugfs.c +index 5401ae66894eb3..2d623284edf63f 100644 +--- a/drivers/usb/musb/musb_debugfs.c ++++ b/drivers/usb/musb/musb_debugfs.c +@@ -235,7 +235,7 @@ static int musb_softconnect_show(struct seq_file *s, void *unused) + u8 reg; + int connect; + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_HOST: + case OTG_STATE_A_WAIT_BCON: + pm_runtime_get_sync(musb->controller); +@@ -275,7 +275,7 @@ static ssize_t musb_softconnect_write(struct file *file, + + pm_runtime_get_sync(musb->controller); + if (!strncmp(buf, "0", 1)) { +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_HOST: + musb_root_disconnect(musb); + reg = musb_readb(musb->mregs, MUSB_DEVCTL); +@@ -286,7 +286,7 @@ static ssize_t musb_softconnect_write(struct file *file, + break; + } + } else if (!strncmp(buf, "1", 1)) { +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_WAIT_BCON: + /* + * musb_save_context() called in musb_runtime_suspend() +diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c +index eb3464f977a7f4..e3a5d136717d7c 100644 +--- a/drivers/usb/musb/musb_gadget.c ++++ b/drivers/usb/musb/musb_gadget.c +@@ -1530,7 +1530,7 @@ static int musb_gadget_wakeup(struct usb_gadget *gadget) + + spin_lock_irqsave(&musb->lock, flags); + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_B_PERIPHERAL: + /* NOTE: OTG state machine doesn't include B_SUSPENDED; + * that's part of the standard usb 1.1 state machine, and +@@ -1792,7 +1792,7 @@ int musb_gadget_setup(struct musb *musb) + musb->g.speed = USB_SPEED_UNKNOWN; + + MUSB_DEV_MODE(musb); +- musb->xceiv->otg->state = OTG_STATE_B_IDLE; ++ musb_set_state(musb, OTG_STATE_B_IDLE); + + /* this "gadget" abstracts/virtualizes the controller */ + musb->g.name = musb_driver_name; +@@ -1857,7 +1857,7 @@ static int musb_gadget_start(struct usb_gadget *g, + musb->is_active = 1; + + otg_set_peripheral(otg, &musb->g); +- musb->xceiv->otg->state = OTG_STATE_B_IDLE; ++ musb_set_state(musb, OTG_STATE_B_IDLE); + spin_unlock_irqrestore(&musb->lock, flags); + + musb_start(musb); +@@ -1902,7 +1902,7 @@ static int musb_gadget_stop(struct usb_gadget *g) + + (void) musb_gadget_vbus_draw(&musb->g, 0); + +- musb->xceiv->otg->state = OTG_STATE_UNDEFINED; ++ musb_set_state(musb, OTG_STATE_UNDEFINED); + musb_stop(musb); + otg_set_peripheral(musb->xceiv->otg, NULL); + +@@ -1916,6 +1916,7 @@ static int musb_gadget_stop(struct usb_gadget *g) + * gadget driver here and have everything work; + * that currently misbehaves. + */ ++ usb_gadget_set_state(g, USB_STATE_NOTATTACHED); + + /* Force check of devctl register for PM runtime */ + pm_runtime_mark_last_busy(musb->controller); +@@ -1931,7 +1932,7 @@ static int musb_gadget_stop(struct usb_gadget *g) + void musb_g_resume(struct musb *musb) + { + musb->is_suspended = 0; +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_B_IDLE: + break; + case OTG_STATE_B_WAIT_ACON: +@@ -1957,10 +1958,10 @@ void musb_g_suspend(struct musb *musb) + devctl = musb_readb(musb->mregs, MUSB_DEVCTL); + musb_dbg(musb, "musb_g_suspend: devctl %02x", devctl); + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_B_IDLE: + if ((devctl & MUSB_DEVCTL_VBUS) == MUSB_DEVCTL_VBUS) +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + break; + case OTG_STATE_B_PERIPHERAL: + musb->is_suspended = 1; +@@ -2006,22 +2007,23 @@ void musb_g_disconnect(struct musb *musb) + spin_lock(&musb->lock); + } + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + default: + musb_dbg(musb, "Unhandled disconnect %s, setting a_idle", + usb_otg_state_string(musb->xceiv->otg->state)); +- musb->xceiv->otg->state = OTG_STATE_A_IDLE; ++ musb_set_state(musb, OTG_STATE_A_IDLE); + MUSB_HST_MODE(musb); + break; + case OTG_STATE_A_PERIPHERAL: +- musb->xceiv->otg->state = OTG_STATE_A_WAIT_BCON; ++ musb_set_state(musb, OTG_STATE_A_WAIT_BCON); + MUSB_HST_MODE(musb); + break; + case OTG_STATE_B_WAIT_ACON: + case OTG_STATE_B_HOST: + case OTG_STATE_B_PERIPHERAL: + case OTG_STATE_B_IDLE: +- musb->xceiv->otg->state = OTG_STATE_B_IDLE; ++ musb_set_state(musb, OTG_STATE_B_IDLE); ++ usb_gadget_set_state(&musb->g, USB_STATE_NOTATTACHED); + break; + case OTG_STATE_B_SRP_INIT: + break; +@@ -2085,13 +2087,13 @@ __acquires(musb->lock) + * In that case, do not rely on devctl for setting + * peripheral mode. + */ +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + musb->g.is_a_peripheral = 0; + } else if (devctl & MUSB_DEVCTL_BDEVICE) { +- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_B_PERIPHERAL); + musb->g.is_a_peripheral = 0; + } else { +- musb->xceiv->otg->state = OTG_STATE_A_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_A_PERIPHERAL); + musb->g.is_a_peripheral = 1; + } + +diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c +index ef0b1589b10eba..08c73e9f75d0f5 100644 +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -2508,7 +2508,7 @@ static int musb_bus_suspend(struct usb_hcd *hcd) + if (!is_host_active(musb)) + return 0; + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_SUSPEND: + return 0; + case OTG_STATE_A_WAIT_VRISE: +@@ -2518,7 +2518,7 @@ static int musb_bus_suspend(struct usb_hcd *hcd) + */ + devctl = musb_readb(musb->mregs, MUSB_DEVCTL); + if ((devctl & MUSB_DEVCTL_VBUS) == MUSB_DEVCTL_VBUS) +- musb->xceiv->otg->state = OTG_STATE_A_WAIT_BCON; ++ musb_set_state(musb, OTG_STATE_A_WAIT_BCON); + break; + default: + break; +@@ -2727,7 +2727,7 @@ int musb_host_setup(struct musb *musb, int power_budget) + + if (musb->port_mode == MUSB_HOST) { + MUSB_HST_MODE(musb); +- musb->xceiv->otg->state = OTG_STATE_A_IDLE; ++ musb_set_state(musb, OTG_STATE_A_IDLE); + } + otg_set_host(musb->xceiv->otg, &hcd->self); + /* don't support otg protocols */ +diff --git a/drivers/usb/musb/musb_virthub.c b/drivers/usb/musb/musb_virthub.c +index cafc69536e1d78..d1cfd45d69e367 100644 +--- a/drivers/usb/musb/musb_virthub.c ++++ b/drivers/usb/musb/musb_virthub.c +@@ -43,7 +43,7 @@ void musb_host_finish_resume(struct work_struct *work) + musb->port1_status |= USB_PORT_STAT_C_SUSPEND << 16; + usb_hcd_poll_rh_status(musb->hcd); + /* NOTE: it might really be A_WAIT_BCON ... */ +- musb->xceiv->otg->state = OTG_STATE_A_HOST; ++ musb_set_state(musb, OTG_STATE_A_HOST); + + spin_unlock_irqrestore(&musb->lock, flags); + } +@@ -85,9 +85,9 @@ int musb_port_suspend(struct musb *musb, bool do_suspend) + musb_dbg(musb, "Root port suspended, power %02x", power); + + musb->port1_status |= USB_PORT_STAT_SUSPEND; +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_HOST: +- musb->xceiv->otg->state = OTG_STATE_A_SUSPEND; ++ musb_set_state(musb, OTG_STATE_A_SUSPEND); + musb->is_active = otg->host->b_hnp_enable; + if (musb->is_active) + mod_timer(&musb->otg_timer, jiffies +@@ -96,7 +96,7 @@ int musb_port_suspend(struct musb *musb, bool do_suspend) + musb_platform_try_idle(musb, 0); + break; + case OTG_STATE_B_HOST: +- musb->xceiv->otg->state = OTG_STATE_B_WAIT_ACON; ++ musb_set_state(musb, OTG_STATE_B_WAIT_ACON); + musb->is_active = otg->host->b_hnp_enable; + musb_platform_try_idle(musb, 0); + break; +@@ -123,7 +123,7 @@ void musb_port_reset(struct musb *musb, bool do_reset) + u8 power; + void __iomem *mbase = musb->mregs; + +- if (musb->xceiv->otg->state == OTG_STATE_B_IDLE) { ++ if (musb_get_state(musb) == OTG_STATE_B_IDLE) { + musb_dbg(musb, "HNP: Returning from HNP; no hub reset from b_idle"); + musb->port1_status &= ~USB_PORT_STAT_RESET; + return; +@@ -204,20 +204,20 @@ void musb_root_disconnect(struct musb *musb) + usb_hcd_poll_rh_status(musb->hcd); + musb->is_active = 0; + +- switch (musb->xceiv->otg->state) { ++ switch (musb_get_state(musb)) { + case OTG_STATE_A_SUSPEND: + if (otg->host->b_hnp_enable) { +- musb->xceiv->otg->state = OTG_STATE_A_PERIPHERAL; ++ musb_set_state(musb, OTG_STATE_A_PERIPHERAL); + musb->g.is_a_peripheral = 1; + break; + } + fallthrough; + case OTG_STATE_A_HOST: +- musb->xceiv->otg->state = OTG_STATE_A_WAIT_BCON; ++ musb_set_state(musb, OTG_STATE_A_WAIT_BCON); + musb->is_active = 0; + break; + case OTG_STATE_A_WAIT_VFALL: +- musb->xceiv->otg->state = OTG_STATE_B_IDLE; ++ musb_set_state(musb, OTG_STATE_B_IDLE); + break; + default: + musb_dbg(musb, "host disconnect (%s)", +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 56e1c574f6678c..11afbe4a67d1dc 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -803,6 +803,8 @@ static const struct usb_device_id id_table_combined[] = { + .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_NDI_AURORA_SCU_PID), + .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, ++ { USB_DEVICE(FTDI_NDI_VID, FTDI_NDI_EMGUIDE_GEMINI_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, + { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) }, + { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) }, + { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 9acb6f83732763..4cc1fae8acb970 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -204,6 +204,9 @@ + #define FTDI_NDI_FUTURE_3_PID 0xDA73 /* NDI future device #3 */ + #define FTDI_NDI_AURORA_SCU_PID 0xDA74 /* NDI Aurora SCU */ + ++#define FTDI_NDI_VID 0x23F2 ++#define FTDI_NDI_EMGUIDE_GEMINI_PID 0x0003 /* NDI Emguide Gemini */ ++ + /* + * ChamSys Limited (www.chamsys.co.uk) USB wing/interface product IDs + */ +diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c +index b09d95da2fe502..1c31ae9fd162f6 100644 +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1415,6 +1415,9 @@ static const struct usb_device_id option_ids[] = { + .driver_info = NCTRL(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x60) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30), /* Telit FE910C04 (ECM) */ ++ .driver_info = NCTRL(4) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x30), /* Telit FN990B (MBIM) */ + .driver_info = NCTRL(6) }, + { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x40) }, +@@ -2343,6 +2346,8 @@ static const struct usb_device_id option_ids[] = { + .driver_info = RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */ + .driver_info = RSVD(5) | RSVD(6) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe167, 0xff), /* Foxconn T99W640 MBIM */ ++ .driver_info = RSVD(3) }, + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */ + .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, + { USB_DEVICE(0x1782, 0x4d10) }, /* Fibocom L610 (AT mode) */ +diff --git a/fs/cachefiles/io.c b/fs/cachefiles/io.c +index 000a28f46e59ef..5d2a41bab9c19c 100644 +--- a/fs/cachefiles/io.c ++++ b/fs/cachefiles/io.c +@@ -356,8 +356,6 @@ int __cachefiles_write(struct cachefiles_object *object, + default: + ki->was_async = false; + cachefiles_write_complete(&ki->iocb, ret); +- if (ret > 0) +- ret = 0; + break; + } + +diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c +index 3389a373faf680..cfa8f23fdfb655 100644 +--- a/fs/cachefiles/ondemand.c ++++ b/fs/cachefiles/ondemand.c +@@ -84,10 +84,8 @@ static ssize_t cachefiles_ondemand_fd_write_iter(struct kiocb *kiocb, + + trace_cachefiles_ondemand_fd_write(object, file_inode(file), pos, len); + ret = __cachefiles_write(object, file, pos, iter, NULL, NULL); +- if (!ret) { +- ret = len; ++ if (ret > 0) + kiocb->ki_pos += ret; +- } + + out: + fput(file); +diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c +index 8a6c7fdc1d5fc1..e3052d3fe5dcd8 100644 +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -1491,9 +1491,16 @@ static int isofs_read_inode(struct inode *inode, int relocated) + inode->i_op = &page_symlink_inode_operations; + inode_nohighmem(inode); + inode->i_data.a_ops = &isofs_symlink_aops; +- } else ++ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || ++ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { + /* XXX - parse_rock_ridge_inode() had already set i_rdev. */ + init_special_inode(inode, inode->i_mode, inode->i_rdev); ++ } else { ++ printk(KERN_DEBUG "ISOFS: Invalid file type 0%04o for inode %lu.\n", ++ inode->i_mode, inode->i_ino); ++ ret = -EIO; ++ goto fail; ++ } + + ret = 0; + out: +diff --git a/fs/namespace.c b/fs/namespace.c +index 67d89ebb5044ec..f0fa2a1a6b0597 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2018,6 +2018,11 @@ struct vfsmount *clone_private_mount(const struct path *path) + if (!check_mnt(old_mnt)) + goto invalid; + ++ if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) { ++ up_read(&namespace_sem); ++ return ERR_PTR(-EPERM); ++ } ++ + if (has_locked_children(old_mnt, path->dentry)) + goto invalid; + +diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c +index 9b0919d9e33702..3551054ef0973e 100644 +--- a/fs/smb/client/file.c ++++ b/fs/smb/client/file.c +@@ -5189,7 +5189,8 @@ void cifs_oplock_break(struct work_struct *work) + struct cifsFileInfo *cfile = container_of(work, struct cifsFileInfo, + oplock_break); + struct inode *inode = d_inode(cfile->dentry); +- struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb); ++ struct super_block *sb = inode->i_sb; ++ struct cifs_sb_info *cifs_sb = CIFS_SB(sb); + struct cifsInodeInfo *cinode = CIFS_I(inode); + struct cifs_tcon *tcon; + struct TCP_Server_Info *server; +@@ -5199,6 +5200,12 @@ void cifs_oplock_break(struct work_struct *work) + __u64 persistent_fid, volatile_fid; + __u16 net_fid; + ++ /* ++ * Hold a reference to the superblock to prevent it and its inodes from ++ * being freed while we are accessing cinode. Otherwise, _cifsFileInfo_put() ++ * may release the last reference to the sb and trigger inode eviction. ++ */ ++ cifs_sb_active(sb); + wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS, + TASK_UNINTERRUPTIBLE); + +@@ -5271,6 +5278,7 @@ void cifs_oplock_break(struct work_struct *work) + cifs_put_tlink(tlink); + out: + cifs_done_oplock_break(cinode); ++ cifs_sb_deactive(sb); + } + + /* +diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c +index c9b9892b510eac..7d720cf9fe7234 100644 +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -4497,6 +4497,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, + u8 key[SMB3_ENC_DEC_KEY_SIZE]; + struct aead_request *req; + u8 *iv; ++ DECLARE_CRYPTO_WAIT(wait); + unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); + void *creq; + +@@ -4545,7 +4546,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, + aead_request_set_crypt(req, sg, sg, crypt_len, iv); + aead_request_set_ad(req, assoc_data_len); + +- rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); ++ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, ++ crypto_req_done, &wait); ++ ++ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) ++ : crypto_aead_decrypt(req), &wait); + + if (!rc && enc) + memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); +diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h +index 3dbf947285be29..be396d566b57bb 100644 +--- a/include/net/netfilter/nf_conntrack.h ++++ b/include/net/netfilter/nf_conntrack.h +@@ -306,8 +306,19 @@ static inline bool nf_ct_is_expired(const struct nf_conn *ct) + /* use after obtaining a reference count */ + static inline bool nf_ct_should_gc(const struct nf_conn *ct) + { +- return nf_ct_is_expired(ct) && nf_ct_is_confirmed(ct) && +- !nf_ct_is_dying(ct); ++ if (!nf_ct_is_confirmed(ct)) ++ return false; ++ ++ /* load ct->timeout after is_confirmed() test. ++ * Pairs with __nf_conntrack_confirm() which: ++ * 1. Increases ct->timeout value ++ * 2. Inserts ct into rcu hlist ++ * 3. Sets the confirmed bit ++ * 4. Unlocks the hlist lock ++ */ ++ smp_acquire__after_ctrl_dep(); ++ ++ return nf_ct_is_expired(ct) && !nf_ct_is_dying(ct); + } + + #define NF_CT_DAY (86400 * HZ) +diff --git a/io_uring/net.c b/io_uring/net.c +index 898990e7136783..cc25cbb27e5d8b 100644 +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1490,9 +1490,11 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags) + io = &__io; + } + +- if (unlikely(req->flags & REQ_F_FAIL)) { +- ret = -ECONNRESET; +- goto out; ++ if (connect->in_progress) { ++ struct poll_table_struct pt = { ._key = EPOLLERR }; ++ ++ if (vfs_poll(req->file, &pt) & EPOLLERR) ++ goto get_sock_err; + } + + file_flags = force_nonblock ? O_NONBLOCK : 0; +@@ -1524,8 +1526,10 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags) + * which means the previous result is good. For both of these, + * grab the sock_error() and use that for the completion. + */ +- if (ret == -EBADFD || ret == -EISCONN) ++ if (ret == -EBADFD || ret == -EISCONN) { ++get_sock_err: + ret = sock_error(sock_from_file(req->file)->sk); ++ } + } + if (ret == -ERESTARTSYS) + ret = -EINTR; +diff --git a/io_uring/poll.c b/io_uring/poll.c +index bbdc9a7624a13b..ab27a627fd4c62 100644 +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -288,8 +288,6 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked) + return IOU_POLL_REISSUE; + } + } +- if (unlikely(req->cqe.res & EPOLLERR)) +- req_set_fail(req); + if (req->apoll_events & EPOLLONESHOT) + return IOU_POLL_DONE; + if (io_is_uring_fops(req->file)) +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 94e85d311641b3..be9dc396537f19 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -876,6 +876,13 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args, + if (fmt[i] == 'p') { + sizeof_cur_arg = sizeof(long); + ++ if (fmt[i + 1] == 0 || isspace(fmt[i + 1]) || ++ ispunct(fmt[i + 1])) { ++ if (tmp_buf) ++ cur_arg = raw_args[num_spec]; ++ goto nocopy_fmt; ++ } ++ + if ((fmt[i + 1] == 'k' || fmt[i + 1] == 'u') && + fmt[i + 2] == 's') { + fmt_ptype = fmt[i + 1]; +@@ -883,11 +890,9 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args, + goto fmt_str; + } + +- if (fmt[i + 1] == 0 || isspace(fmt[i + 1]) || +- ispunct(fmt[i + 1]) || fmt[i + 1] == 'K' || ++ if (fmt[i + 1] == 'K' || + fmt[i + 1] == 'x' || fmt[i + 1] == 's' || + fmt[i + 1] == 'S') { +- /* just kernel pointers */ + if (tmp_buf) + cur_arg = raw_args[num_spec]; + i++; +diff --git a/kernel/cgroup/legacy_freezer.c b/kernel/cgroup/legacy_freezer.c +index a3e13e6d5ee40d..bee2f9ea5e4aec 100644 +--- a/kernel/cgroup/legacy_freezer.c ++++ b/kernel/cgroup/legacy_freezer.c +@@ -66,15 +66,9 @@ static struct freezer *parent_freezer(struct freezer *freezer) + bool cgroup_freezing(struct task_struct *task) + { + bool ret; +- unsigned int state; + + rcu_read_lock(); +- /* Check if the cgroup is still FREEZING, but not FROZEN. The extra +- * !FROZEN check is required, because the FREEZING bit is not cleared +- * when the state FROZEN is reached. +- */ +- state = task_freezer(task)->state; +- ret = (state & CGROUP_FREEZING) && !(state & CGROUP_FROZEN); ++ ret = task_freezer(task)->state & CGROUP_FREEZING; + rcu_read_unlock(); + + return ret; +diff --git a/kernel/sched/loadavg.c b/kernel/sched/loadavg.c +index 52c8f8226b0d35..35537ea03fff0d 100644 +--- a/kernel/sched/loadavg.c ++++ b/kernel/sched/loadavg.c +@@ -80,7 +80,7 @@ long calc_load_fold_active(struct rq *this_rq, long adjust) + long nr_active, delta = 0; + + nr_active = this_rq->nr_running - adjust; +- nr_active += (int)this_rq->nr_uninterruptible; ++ nr_active += (long)this_rq->nr_uninterruptible; + + if (nr_active != this_rq->calc_load_active) { + delta = nr_active - this_rq->calc_load_active; +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index f0c3d0d4a0dd59..95afded0b174f7 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -1003,7 +1003,7 @@ struct rq { + * one CPU and if it got migrated afterwards it may decrease + * it on another CPU. Always updated under the runqueue lock: + */ +- unsigned int nr_uninterruptible; ++ unsigned long nr_uninterruptible; + + struct task_struct __rcu *curr; + struct task_struct *idle; +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index 8723ad2f9c63b0..876e14953fa339 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -2714,7 +2714,10 @@ __register_event(struct trace_event_call *call, struct module *mod) + if (ret < 0) + return ret; + ++ down_write(&trace_event_sem); + list_add(&call->list, &ftrace_events); ++ up_write(&trace_event_sem); ++ + if (call->flags & TRACE_EVENT_FL_DYNAMIC) + atomic_set(&call->refcnt, 0); + else +@@ -3189,6 +3192,8 @@ __trace_add_event_dirs(struct trace_array *tr) + struct trace_event_call *call; + int ret; + ++ lockdep_assert_held(&trace_event_sem); ++ + list_for_each_entry(call, &ftrace_events, list) { + ret = __trace_add_new_event(call, tr); + if (ret < 0) +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index 562994159216c4..ebeb6b2e1a15bd 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -467,6 +467,7 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, + unsigned long end, pgprot_t prot, struct page **pages, int *nr, + pgtbl_mod_mask *mask) + { ++ int err = 0; + pte_t *pte; + + /* +@@ -480,18 +481,25 @@ static int vmap_pages_pte_range(pmd_t *pmd, unsigned long addr, + do { + struct page *page = pages[*nr]; + +- if (WARN_ON(!pte_none(*pte))) +- return -EBUSY; +- if (WARN_ON(!page)) +- return -ENOMEM; +- if (WARN_ON(!pfn_valid(page_to_pfn(page)))) +- return -EINVAL; ++ if (WARN_ON(!pte_none(*pte))) { ++ err = -EBUSY; ++ break; ++ } ++ if (WARN_ON(!page)) { ++ err = -ENOMEM; ++ break; ++ } ++ if (WARN_ON(!pfn_valid(page_to_pfn(page)))) { ++ err = -EINVAL; ++ break; ++ } + + set_pte_at(&init_mm, addr, pte, mk_pte(page, prot)); + (*nr)++; + } while (pte++, addr += PAGE_SIZE, addr != end); + *mask |= PGTBL_PTE_MODIFIED; +- return 0; ++ ++ return err; + } + + static int vmap_pages_pmd_range(pud_t *pud, unsigned long addr, +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index b477ba37a6991f..422f726346ea51 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -358,6 +358,35 @@ static int __vlan_device_event(struct net_device *dev, unsigned long event) + return err; + } + ++static void vlan_vid0_add(struct net_device *dev) ++{ ++ struct vlan_info *vlan_info; ++ int err; ++ ++ if (!(dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) ++ return; ++ ++ pr_info("adding VLAN 0 to HW filter on device %s\n", dev->name); ++ ++ err = vlan_vid_add(dev, htons(ETH_P_8021Q), 0); ++ if (err) ++ return; ++ ++ vlan_info = rtnl_dereference(dev->vlan_info); ++ vlan_info->auto_vid0 = true; ++} ++ ++static void vlan_vid0_del(struct net_device *dev) ++{ ++ struct vlan_info *vlan_info = rtnl_dereference(dev->vlan_info); ++ ++ if (!vlan_info || !vlan_info->auto_vid0) ++ return; ++ ++ vlan_info->auto_vid0 = false; ++ vlan_vid_del(dev, htons(ETH_P_8021Q), 0); ++} ++ + static int vlan_device_event(struct notifier_block *unused, unsigned long event, + void *ptr) + { +@@ -379,15 +408,10 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event, + return notifier_from_errno(err); + } + +- if ((event == NETDEV_UP) && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) { +- pr_info("adding VLAN 0 to HW filter on device %s\n", +- dev->name); +- vlan_vid_add(dev, htons(ETH_P_8021Q), 0); +- } +- if (event == NETDEV_DOWN && +- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) +- vlan_vid_del(dev, htons(ETH_P_8021Q), 0); ++ if (event == NETDEV_UP) ++ vlan_vid0_add(dev); ++ else if (event == NETDEV_DOWN) ++ vlan_vid0_del(dev); + + vlan_info = rtnl_dereference(dev->vlan_info); + if (!vlan_info) +diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h +index 5eaf38875554b0..c7ffe591d59366 100644 +--- a/net/8021q/vlan.h ++++ b/net/8021q/vlan.h +@@ -33,6 +33,7 @@ struct vlan_info { + struct vlan_group grp; + struct list_head vid_list; + unsigned int nr_vids; ++ bool auto_vid0; + struct rcu_head rcu; + }; + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 8667723d4e9697..866462c97dbaff 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2196,40 +2196,6 @@ static u8 hci_cc_set_adv_param(struct hci_dev *hdev, void *data, + return rp->status; + } + +-static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data, +- struct sk_buff *skb) +-{ +- struct hci_rp_le_set_ext_adv_params *rp = data; +- struct hci_cp_le_set_ext_adv_params *cp; +- struct adv_info *adv_instance; +- +- bt_dev_dbg(hdev, "status 0x%2.2x", rp->status); +- +- if (rp->status) +- return rp->status; +- +- cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS); +- if (!cp) +- return rp->status; +- +- hci_dev_lock(hdev); +- hdev->adv_addr_type = cp->own_addr_type; +- if (!cp->handle) { +- /* Store in hdev for instance 0 */ +- hdev->adv_tx_power = rp->tx_power; +- } else { +- adv_instance = hci_find_adv_instance(hdev, cp->handle); +- if (adv_instance) +- adv_instance->tx_power = rp->tx_power; +- } +- /* Update adv data as tx power is known now */ +- hci_update_adv_data(hdev, cp->handle); +- +- hci_dev_unlock(hdev); +- +- return rp->status; +-} +- + static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data, + struct sk_buff *skb) + { +@@ -4172,8 +4138,6 @@ static const struct hci_cc { + HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS, + hci_cc_le_read_num_adv_sets, + sizeof(struct hci_rp_le_read_num_supported_adv_sets)), +- HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param, +- sizeof(struct hci_rp_le_set_ext_adv_params)), + HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE, + hci_cc_le_set_ext_adv_enable), + HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR, +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 7d22b2b02745ad..3f905ee4338f8d 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1181,9 +1181,129 @@ static int hci_set_adv_set_random_addr_sync(struct hci_dev *hdev, u8 instance, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); + } + ++static int ++hci_set_ext_adv_params_sync(struct hci_dev *hdev, struct adv_info *adv, ++ const struct hci_cp_le_set_ext_adv_params *cp, ++ struct hci_rp_le_set_ext_adv_params *rp) ++{ ++ struct sk_buff *skb; ++ ++ skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(*cp), ++ cp, HCI_CMD_TIMEOUT); ++ ++ /* If command return a status event, skb will be set to -ENODATA */ ++ if (skb == ERR_PTR(-ENODATA)) ++ return 0; ++ ++ if (IS_ERR(skb)) { ++ bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld", ++ HCI_OP_LE_SET_EXT_ADV_PARAMS, PTR_ERR(skb)); ++ return PTR_ERR(skb); ++ } ++ ++ if (skb->len != sizeof(*rp)) { ++ bt_dev_err(hdev, "Invalid response length for 0x%4.4x: %u", ++ HCI_OP_LE_SET_EXT_ADV_PARAMS, skb->len); ++ kfree_skb(skb); ++ return -EIO; ++ } ++ ++ memcpy(rp, skb->data, sizeof(*rp)); ++ kfree_skb(skb); ++ ++ if (!rp->status) { ++ hdev->adv_addr_type = cp->own_addr_type; ++ if (!cp->handle) { ++ /* Store in hdev for instance 0 */ ++ hdev->adv_tx_power = rp->tx_power; ++ } else if (adv) { ++ adv->tx_power = rp->tx_power; ++ } ++ } ++ ++ return rp->status; ++} ++ ++static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) ++{ ++ struct { ++ struct hci_cp_le_set_ext_adv_data cp; ++ u8 data[HCI_MAX_EXT_AD_LENGTH]; ++ } pdu; ++ u8 len; ++ struct adv_info *adv = NULL; ++ int err; ++ ++ memset(&pdu, 0, sizeof(pdu)); ++ ++ if (instance) { ++ adv = hci_find_adv_instance(hdev, instance); ++ if (!adv || !adv->adv_data_changed) ++ return 0; ++ } ++ ++ len = eir_create_adv_data(hdev, instance, pdu.data); ++ ++ pdu.cp.length = len; ++ pdu.cp.handle = instance; ++ pdu.cp.operation = LE_SET_ADV_DATA_OP_COMPLETE; ++ pdu.cp.frag_pref = LE_SET_ADV_DATA_NO_FRAG; ++ ++ err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, ++ sizeof(pdu.cp) + len, &pdu.cp, ++ HCI_CMD_TIMEOUT); ++ if (err) ++ return err; ++ ++ /* Update data if the command succeed */ ++ if (adv) { ++ adv->adv_data_changed = false; ++ } else { ++ memcpy(hdev->adv_data, pdu.data, len); ++ hdev->adv_data_len = len; ++ } ++ ++ return 0; ++} ++ ++static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) ++{ ++ struct hci_cp_le_set_adv_data cp; ++ u8 len; ++ ++ memset(&cp, 0, sizeof(cp)); ++ ++ len = eir_create_adv_data(hdev, instance, cp.data); ++ ++ /* There's nothing to do if the data hasn't changed */ ++ if (hdev->adv_data_len == len && ++ memcmp(cp.data, hdev->adv_data, len) == 0) ++ return 0; ++ ++ memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); ++ hdev->adv_data_len = len; ++ ++ cp.length = len; ++ ++ return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, ++ sizeof(cp), &cp, HCI_CMD_TIMEOUT); ++} ++ ++int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) ++{ ++ if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) ++ return 0; ++ ++ if (ext_adv_capable(hdev)) ++ return hci_set_ext_adv_data_sync(hdev, instance); ++ ++ return hci_set_adv_data_sync(hdev, instance); ++} ++ + int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) + { + struct hci_cp_le_set_ext_adv_params cp; ++ struct hci_rp_le_set_ext_adv_params rp; + bool connectable; + u32 flags; + bdaddr_t random_addr; +@@ -1290,8 +1410,12 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance) + cp.secondary_phy = HCI_ADV_PHY_1M; + } + +- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, +- sizeof(cp), &cp, HCI_CMD_TIMEOUT); ++ err = hci_set_ext_adv_params_sync(hdev, adv, &cp, &rp); ++ if (err) ++ return err; ++ ++ /* Update adv data as tx power is known now */ ++ err = hci_set_ext_adv_data_sync(hdev, cp.handle); + if (err) + return err; + +@@ -1815,82 +1939,6 @@ int hci_le_terminate_big_sync(struct hci_dev *hdev, u8 handle, u8 reason) + sizeof(cp), &cp, HCI_CMD_TIMEOUT); + } + +-static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) +-{ +- struct { +- struct hci_cp_le_set_ext_adv_data cp; +- u8 data[HCI_MAX_EXT_AD_LENGTH]; +- } pdu; +- u8 len; +- struct adv_info *adv = NULL; +- int err; +- +- memset(&pdu, 0, sizeof(pdu)); +- +- if (instance) { +- adv = hci_find_adv_instance(hdev, instance); +- if (!adv || !adv->adv_data_changed) +- return 0; +- } +- +- len = eir_create_adv_data(hdev, instance, pdu.data); +- +- pdu.cp.length = len; +- pdu.cp.handle = instance; +- pdu.cp.operation = LE_SET_ADV_DATA_OP_COMPLETE; +- pdu.cp.frag_pref = LE_SET_ADV_DATA_NO_FRAG; +- +- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA, +- sizeof(pdu.cp) + len, &pdu.cp, +- HCI_CMD_TIMEOUT); +- if (err) +- return err; +- +- /* Update data if the command succeed */ +- if (adv) { +- adv->adv_data_changed = false; +- } else { +- memcpy(hdev->adv_data, pdu.data, len); +- hdev->adv_data_len = len; +- } +- +- return 0; +-} +- +-static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) +-{ +- struct hci_cp_le_set_adv_data cp; +- u8 len; +- +- memset(&cp, 0, sizeof(cp)); +- +- len = eir_create_adv_data(hdev, instance, cp.data); +- +- /* There's nothing to do if the data hasn't changed */ +- if (hdev->adv_data_len == len && +- memcmp(cp.data, hdev->adv_data, len) == 0) +- return 0; +- +- memcpy(hdev->adv_data, cp.data, sizeof(cp.data)); +- hdev->adv_data_len = len; +- +- cp.length = len; +- +- return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA, +- sizeof(cp), &cp, HCI_CMD_TIMEOUT); +-} +- +-int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance) +-{ +- if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) +- return 0; +- +- if (ext_adv_capable(hdev)) +- return hci_set_ext_adv_data_sync(hdev, instance); +- +- return hci_set_adv_data_sync(hdev, instance); +-} +- + int hci_schedule_adv_instance_sync(struct hci_dev *hdev, u8 instance, + bool force) + { +@@ -6127,6 +6175,7 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, + struct hci_conn *conn) + { + struct hci_cp_le_set_ext_adv_params cp; ++ struct hci_rp_le_set_ext_adv_params rp; + int err; + bdaddr_t random_addr; + u8 own_addr_type; +@@ -6169,8 +6218,12 @@ static int hci_le_ext_directed_advertising_sync(struct hci_dev *hdev, + if (err) + return err; + +- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, +- sizeof(cp), &cp, HCI_CMD_TIMEOUT); ++ err = hci_set_ext_adv_params_sync(hdev, NULL, &cp, &rp); ++ if (err) ++ return err; ++ ++ /* Update adv data as tx power is known now */ ++ err = hci_set_ext_adv_data_sync(hdev, cp.handle); + if (err) + return err; + +@@ -6508,8 +6561,8 @@ int hci_get_random_address(struct hci_dev *hdev, bool require_privacy, + return 0; + } + +- /* No privacy so use a public address. */ +- *own_addr_type = ADDR_LE_DEV_PUBLIC; ++ /* No privacy, use the current address */ ++ hci_copy_identity_address(hdev, rand_addr, own_addr_type); + + return 0; + } +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 514adb013f3f40..8bb6d2690e2b96 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3711,12 +3711,28 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data + /* Configure output options and let the other side know + * which ones we don't like. */ + +- /* If MTU is not provided in configure request, use the most recently +- * explicitly or implicitly accepted value for the other direction, +- * or the default value. ++ /* If MTU is not provided in configure request, try adjusting it ++ * to the current output MTU if it has been set ++ * ++ * Bluetooth Core 6.1, Vol 3, Part A, Section 4.5 ++ * ++ * Each configuration parameter value (if any is present) in an ++ * L2CAP_CONFIGURATION_RSP packet reflects an ‘adjustment’ to a ++ * configuration parameter value that has been sent (or, in case ++ * of default values, implied) in the corresponding ++ * L2CAP_CONFIGURATION_REQ packet. + */ +- if (mtu == 0) +- mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU; ++ if (!mtu) { ++ /* Only adjust for ERTM channels as for older modes the ++ * remote stack may not be able to detect that the ++ * adjustment causing it to silently drop packets. ++ */ ++ if (chan->mode == L2CAP_MODE_ERTM && ++ chan->omtu && chan->omtu != L2CAP_DEFAULT_MTU) ++ mtu = chan->omtu; ++ else ++ mtu = L2CAP_DEFAULT_MTU; ++ } + + if (mtu < L2CAP_DEFAULT_MIN_MTU) + result = L2CAP_CONF_UNACCEPT; +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index bdfc83eb7aefc8..c89277848ca833 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1723,6 +1723,9 @@ static void l2cap_sock_resume_cb(struct l2cap_chan *chan) + { + struct sock *sk = chan->data; + ++ if (!sk) ++ return; ++ + if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) { + sk->sk_state = BT_CONNECTED; + chan->state = BT_CONNECTED; +diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c +index b93494790877f1..a03920fe44d948 100644 +--- a/net/bluetooth/smp.c ++++ b/net/bluetooth/smp.c +@@ -1373,7 +1373,7 @@ static void smp_timeout(struct work_struct *work) + + bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); + +- hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); ++ hci_disconnect(conn->hcon, HCI_ERROR_AUTH_FAILURE); + } + + static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) +@@ -2971,8 +2971,25 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) + if (code > SMP_CMD_MAX) + goto drop; + +- if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) ++ if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) { ++ /* If there is a context and the command is not allowed consider ++ * it a failure so the session is cleanup properly. ++ */ ++ switch (code) { ++ case SMP_CMD_IDENT_INFO: ++ case SMP_CMD_IDENT_ADDR_INFO: ++ case SMP_CMD_SIGN_INFO: ++ /* 3.6.1. Key distribution and generation ++ * ++ * A device may reject a distributed key by sending the ++ * Pairing Failed command with the reason set to ++ * "Key Rejected". ++ */ ++ smp_failure(conn, SMP_KEY_REJECTED); ++ break; ++ } + goto drop; ++ } + + /* If we don't have a context the only allowed commands are + * pairing request and security request. +diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h +index 87a59ec2c9f02b..c5da53dfab04f2 100644 +--- a/net/bluetooth/smp.h ++++ b/net/bluetooth/smp.h +@@ -138,6 +138,7 @@ struct smp_cmd_keypress_notify { + #define SMP_NUMERIC_COMP_FAILED 0x0c + #define SMP_BREDR_PAIRING_IN_PROGRESS 0x0d + #define SMP_CROSS_TRANSP_NOT_ALLOWED 0x0e ++#define SMP_KEY_REJECTED 0x0f + + #define SMP_MIN_ENC_KEY_SIZE 7 + #define SMP_MAX_ENC_KEY_SIZE 16 +diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c +index b61ef2dff7a4bf..a0974374bf7175 100644 +--- a/net/bridge/br_switchdev.c ++++ b/net/bridge/br_switchdev.c +@@ -17,6 +17,9 @@ static bool nbp_switchdev_can_offload_tx_fwd(const struct net_bridge_port *p, + if (!static_branch_unlikely(&br_switchdev_tx_fwd_offload)) + return false; + ++ if (br_multicast_igmp_type(skb)) ++ return false; ++ + return (p->flags & BR_TX_FWD_OFFLOAD) && + (p->hwdom != BR_INPUT_SKB_CB(skb)->src_hwdom); + } +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index a1b3f3e7921fa9..e9e59a83ba9b46 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -803,8 +803,8 @@ static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im) + } else { + im->mca_crcount = idev->mc_qrv; + } +- in6_dev_put(pmc->idev); + ip6_mc_clear_src(pmc); ++ in6_dev_put(pmc->idev); + kfree_rcu(pmc, rcu); + } + } +diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c +index 862ac1e2e191c1..952ec785853ab2 100644 +--- a/net/ipv6/rpl_iptunnel.c ++++ b/net/ipv6/rpl_iptunnel.c +@@ -129,13 +129,13 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + struct dst_entry *cache_dst) + { + struct ipv6_rpl_sr_hdr *isrh, *csrh; +- const struct ipv6hdr *oldhdr; ++ struct ipv6hdr oldhdr; + struct ipv6hdr *hdr; + unsigned char *buf; + size_t hdrlen; + int err; + +- oldhdr = ipv6_hdr(skb); ++ memcpy(&oldhdr, ipv6_hdr(skb), sizeof(oldhdr)); + + buf = kcalloc(struct_size(srh, segments.addr, srh->segments_left), 2, GFP_ATOMIC); + if (!buf) +@@ -147,7 +147,7 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + memcpy(isrh, srh, sizeof(*isrh)); + memcpy(isrh->rpl_segaddr, &srh->rpl_segaddr[1], + (srh->segments_left - 1) * 16); +- isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr->daddr; ++ isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr.daddr; + + ipv6_rpl_srh_compress(csrh, isrh, &srh->rpl_segaddr[0], + isrh->segments_left - 1); +@@ -169,7 +169,7 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt, + skb_mac_header_rebuild(skb); + + hdr = ipv6_hdr(skb); +- memmove(hdr, oldhdr, sizeof(*hdr)); ++ memmove(hdr, &oldhdr, sizeof(*hdr)); + isrh = (void *)hdr + sizeof(*hdr); + memcpy(isrh, csrh, hdrlen); + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index ec4c39641089b2..002d53ded404ec 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1087,6 +1087,12 @@ static int nf_ct_resolve_clash_harder(struct sk_buff *skb, u32 repl_idx) + + hlist_nulls_add_head_rcu(&loser_ct->tuplehash[IP_CT_DIR_REPLY].hnnode, + &nf_conntrack_hash[repl_idx]); ++ /* confirmed bit must be set after hlist add, not before: ++ * loser_ct can still be visible to other cpu due to ++ * SLAB_TYPESAFE_BY_RCU. ++ */ ++ smp_mb__before_atomic(); ++ set_bit(IPS_CONFIRMED_BIT, &loser_ct->status); + + NF_CT_STAT_INC(net, clash_resolve); + return NF_ACCEPT; +@@ -1224,8 +1230,6 @@ __nf_conntrack_confirm(struct sk_buff *skb) + * user context, else we insert an already 'dead' hash, blocking + * further use of that particular connection -JM. + */ +- ct->status |= IPS_CONFIRMED; +- + if (unlikely(nf_ct_is_dying(ct))) { + NF_CT_STAT_INC(net, insert_failed); + goto dying; +@@ -1257,7 +1261,7 @@ __nf_conntrack_confirm(struct sk_buff *skb) + } + } + +- /* Timer relative to confirmation time, not original ++ /* Timeout is relative to confirmation time, not original + setting time, otherwise we'd get timer wrap in + weird delay cases. */ + ct->timeout += nfct_time_stamp; +@@ -1265,11 +1269,21 @@ __nf_conntrack_confirm(struct sk_buff *skb) + __nf_conntrack_insert_prepare(ct); + + /* Since the lookup is lockless, hash insertion must be done after +- * starting the timer and setting the CONFIRMED bit. The RCU barriers +- * guarantee that no other CPU can find the conntrack before the above +- * stores are visible. ++ * setting ct->timeout. The RCU barriers guarantee that no other CPU ++ * can find the conntrack before the above stores are visible. + */ + __nf_conntrack_hash_insert(ct, hash, reply_hash); ++ ++ /* IPS_CONFIRMED unset means 'ct not (yet) in hash', conntrack lookups ++ * skip entries that lack this bit. This happens when a CPU is looking ++ * at a stale entry that is being recycled due to SLAB_TYPESAFE_BY_RCU ++ * or when another CPU encounters this entry right after the insertion ++ * but before the set-confirm-bit below. This bit must not be set until ++ * after __nf_conntrack_hash_insert(). ++ */ ++ smp_mb__before_atomic(); ++ set_bit(IPS_CONFIRMED_BIT, &ct->status); ++ + nf_conntrack_double_unlock(hash, reply_hash); + local_bh_enable(); + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index f3bd3e126703d9..4753a796cf4c77 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2780,7 +2780,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + int len_sum = 0; + int status = TP_STATUS_AVAILABLE; + int hlen, tlen, copylen = 0; +- long timeo = 0; ++ long timeo; + + mutex_lock(&po->pg_vec_lock); + +@@ -2834,22 +2834,28 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + if ((size_max > dev->mtu + reserve + VLAN_HLEN) && !po->has_vnet_hdr) + size_max = dev->mtu + reserve + VLAN_HLEN; + ++ timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT); + reinit_completion(&po->skb_completion); + + do { + ph = packet_current_frame(po, &po->tx_ring, + TP_STATUS_SEND_REQUEST); + if (unlikely(ph == NULL)) { +- if (need_wait && skb) { +- timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT); ++ /* Note: packet_read_pending() might be slow if we ++ * have to call it as it's per_cpu variable, but in ++ * fast-path we don't have to call it, only when ph ++ * is NULL, we need to check the pending_refcnt. ++ */ ++ if (need_wait && packet_read_pending(&po->tx_ring)) { + timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo); + if (timeo <= 0) { + err = !timeo ? -ETIMEDOUT : -ERESTARTSYS; + goto out_put; + } +- } +- /* check for additional frames */ +- continue; ++ /* check for additional frames */ ++ continue; ++ } else ++ break; + } + + skb = NULL; +@@ -2939,14 +2945,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + } + packet_increment_head(&po->tx_ring); + len_sum += tp_len; +- } while (likely((ph != NULL) || +- /* Note: packet_read_pending() might be slow if we have +- * to call it as it's per_cpu variable, but in fast-path +- * we already short-circuit the loop with the first +- * condition, and luckily don't have to go that path +- * anyway. +- */ +- (need_wait && packet_read_pending(&po->tx_ring)))); ++ } while (1); + + err = len_sum; + goto out_put; +diff --git a/net/phonet/pep.c b/net/phonet/pep.c +index 607f54c23647a0..240f4c385234d6 100644 +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -826,6 +826,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp, + } + + /* Check for duplicate pipe handle */ ++ pn_skb_get_dst_sockaddr(skb, &dst); + newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); + if (unlikely(newsk)) { + __sock_put(newsk); +@@ -850,7 +851,6 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp, + newsk->sk_destruct = pipe_destruct; + + newpn = pep_sk(newsk); +- pn_skb_get_dst_sockaddr(skb, &dst); + pn_skb_get_src_sockaddr(skb, &src); + newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst); + newpn->pn_sk.dobject = pn_sockaddr_get_object(&src); +diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c +index 29f394fe399873..1e19d3ffbf219d 100644 +--- a/net/sched/sch_htb.c ++++ b/net/sched/sch_htb.c +@@ -818,7 +818,9 @@ static struct htb_class *htb_lookup_leaf(struct htb_prio *hprio, const int prio) + u32 *pid; + } stk[TC_HTB_MAXDEPTH], *sp = stk; + +- BUG_ON(!hprio->row.rb_node); ++ if (unlikely(!hprio->row.rb_node)) ++ return NULL; ++ + sp->root = hprio->row.rb_node; + sp->pptr = &hprio->ptr; + sp->pid = &hprio->last_ptr_id; +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 6462468bf77c72..f2692c9173f79c 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -414,7 +414,7 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + bool existing = false; + struct nlattr *tb[TCA_QFQ_MAX + 1]; + struct qfq_aggregate *new_agg = NULL; +- u32 weight, lmax, inv_w; ++ u32 weight, lmax, inv_w, old_weight, old_lmax; + int err; + int delta_w; + +@@ -448,12 +448,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + inv_w = ONE_FP / weight; + weight = ONE_FP / inv_w; + +- if (cl != NULL && +- lmax == cl->agg->lmax && +- weight == cl->agg->class_weight) +- return 0; /* nothing to change */ ++ if (cl != NULL) { ++ sch_tree_lock(sch); ++ old_weight = cl->agg->class_weight; ++ old_lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); ++ if (lmax == old_lmax && weight == old_weight) ++ return 0; /* nothing to change */ ++ } + +- delta_w = weight - (cl ? cl->agg->class_weight : 0); ++ delta_w = weight - (cl ? old_weight : 0); + + if (q->wsum + delta_w > QFQ_MAX_WSUM) { + pr_notice("qfq: total weight out of range (%d + %u)\n", +@@ -557,10 +561,10 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg, + + qdisc_purge_queue(cl->qdisc); + qdisc_class_hash_remove(&q->clhash, &cl->common); ++ qfq_destroy_class(sch, cl); + + sch_tree_unlock(sch); + +- qfq_destroy_class(sch, cl); + return 0; + } + +@@ -627,6 +631,7 @@ static int qfq_dump_class(struct Qdisc *sch, unsigned long arg, + { + struct qfq_class *cl = (struct qfq_class *)arg; + struct nlattr *nest; ++ u32 class_weight, lmax; + + tcm->tcm_parent = TC_H_ROOT; + tcm->tcm_handle = cl->common.classid; +@@ -635,8 +640,13 @@ static int qfq_dump_class(struct Qdisc *sch, unsigned long arg, + nest = nla_nest_start_noflag(skb, TCA_OPTIONS); + if (nest == NULL) + goto nla_put_failure; +- if (nla_put_u32(skb, TCA_QFQ_WEIGHT, cl->agg->class_weight) || +- nla_put_u32(skb, TCA_QFQ_LMAX, cl->agg->lmax)) ++ ++ sch_tree_lock(sch); ++ class_weight = cl->agg->class_weight; ++ lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); ++ if (nla_put_u32(skb, TCA_QFQ_WEIGHT, class_weight) || ++ nla_put_u32(skb, TCA_QFQ_LMAX, lmax)) + goto nla_put_failure; + return nla_nest_end(skb, nest); + +@@ -653,8 +663,10 @@ static int qfq_dump_class_stats(struct Qdisc *sch, unsigned long arg, + + memset(&xstats, 0, sizeof(xstats)); + ++ sch_tree_lock(sch); + xstats.weight = cl->agg->class_weight; + xstats.lmax = cl->agg->lmax; ++ sch_tree_unlock(sch); + + if (gnet_stats_copy_basic(d, NULL, &cl->bstats, true) < 0 || + gnet_stats_copy_rate_est(d, &cl->rate_est) < 0 || +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index 44d7f1aef9f127..b7ed76c0e576e9 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -512,9 +512,8 @@ static int tls_strp_read_sock(struct tls_strparser *strp) + if (inq < strp->stm.full_len) + return tls_strp_read_copy(strp, true); + ++ tls_strp_load_anchor_with_queue(strp, inq); + if (!strp->stm.full_len) { +- tls_strp_load_anchor_with_queue(strp, inq); +- + sz = tls_rx_msg_size(strp, strp->anchor); + if (sz < 0) { + tls_strp_abort_strp(strp, sz); +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 4b155e49cbfc57..27ad825c78f21e 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -762,13 +762,15 @@ static void fsl_sai_config_disable(struct fsl_sai *sai, int dir) + * anymore. Add software reset to fix this issue. + * This is a hardware bug, and will be fix in the + * next sai version. ++ * ++ * In consumer mode, this can happen even after a ++ * single open/close, especially if both tx and rx ++ * are running concurrently. + */ +- if (!sai->is_consumer_mode) { +- /* Software Reset */ +- regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); +- /* Clear SR bit to finish the reset */ +- regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); +- } ++ /* Software Reset */ ++ regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR); ++ /* Clear SR bit to finish the reset */ ++ regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0); + } + + static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd, +diff --git a/tools/testing/selftests/net/udpgro.sh b/tools/testing/selftests/net/udpgro.sh +index 241c6c37994d8b..f6e50824c5eb91 100755 +--- a/tools/testing/selftests/net/udpgro.sh ++++ b/tools/testing/selftests/net/udpgro.sh +@@ -50,7 +50,7 @@ run_one() { + + cfg_veth + +- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} & ++ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${rx_args} & + local PID1=$! + + wait_local_port_listen ${PEER_NS} 8000 udp +@@ -97,7 +97,7 @@ run_one_nat() { + # will land on the 'plain' one + ip netns exec "${PEER_NS}" ./udpgso_bench_rx -G ${family} -b ${addr1} -n 0 & + local PID1=$! +- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${family} -b ${addr2%/*} ${rx_args} & ++ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${family} -b ${addr2%/*} ${rx_args} & + local PID2=$! + + wait_local_port_listen "${PEER_NS}" 8000 udp +@@ -119,9 +119,9 @@ run_one_2sock() { + + cfg_veth + +- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} -p 12345 & ++ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${rx_args} -p 12345 & + local PID1=$! +- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 10 ${rx_args} & ++ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 100 ${rx_args} & + local PID2=$! + + wait_local_port_listen "${PEER_NS}" 12345 udp
