Update odroidxu4-current to 5.4.212 (#4161)

config/sources/families/odroidxu4.conf

@@ -19,7 +19,6 @@ case $BRANCH in
 
 		KERNELSOURCE='https://github.com/hardkernel/linux'
 		KERNELBRANCH='branch:odroid-5.4.y'
-		KERNELBRANCH='tag:5.4.196-406'
 		KERNELDIR='linux-odroidxu4'
 	;;
 

patch/kernel/archive/odroidxu4-5.4/patch-5.4.200-201.patch

@@ -1,431 +0,0 @@
-diff --git a/Documentation/hwmon/hwmon-kernel-api.rst b/Documentation/hwmon/hwmon-kernel-api.rst
-index 23f27fe78e379..c41eb61081036 100644
---- a/Documentation/hwmon/hwmon-kernel-api.rst
-+++ b/Documentation/hwmon/hwmon-kernel-api.rst
-@@ -72,7 +72,7 @@ hwmon_device_register_with_info is the most comprehensive and preferred means
- to register a hardware monitoring device. It creates the standard sysfs
- attributes in the hardware monitoring core, letting the driver focus on reading
- from and writing to the chip instead of having to bother with sysfs attributes.
--The parent device parameter as well as the chip parameter must not be NULL. Its
-+The parent device parameter cannot be NULL with non-NULL chip info. Its
- parameters are described in more detail below.
- 
- devm_hwmon_device_register_with_info is similar to
-diff --git a/Makefile b/Makefile
-index 32da9117e9d76..75be5870cc55f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,7 +1,7 @@
- # SPDX-License-Identifier: GPL-2.0
- VERSION = 5
- PATCHLEVEL = 4
--SUBLEVEL = 200
-+SUBLEVEL = 201
- EXTRAVERSION =
- NAME = Kleptomaniac Octopus
- 
-diff --git a/arch/arm64/mm/cache.S b/arch/arm64/mm/cache.S
-index db767b072601e..7b054c67acd81 100644
---- a/arch/arm64/mm/cache.S
-+++ b/arch/arm64/mm/cache.S
-@@ -228,8 +228,6 @@ ENDPIPROC(__dma_flush_area)
-  *	- dir	- DMA direction
-  */
- ENTRY(__dma_map_area)
--	cmp	w2, #DMA_FROM_DEVICE
--	b.eq	__dma_inv_area
- 	b	__dma_clean_area
- ENDPIPROC(__dma_map_area)
- 
-diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
-index 4438c00acb656..28ca07360e970 100644
---- a/arch/s390/mm/pgtable.c
-+++ b/arch/s390/mm/pgtable.c
-@@ -716,7 +716,7 @@ void ptep_zap_key(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
- 	pgste_val(pgste) |= PGSTE_GR_BIT | PGSTE_GC_BIT;
- 	ptev = pte_val(*ptep);
- 	if (!(ptev & _PAGE_INVALID) && (ptev & _PAGE_WRITE))
--		page_set_storage_key(ptev & PAGE_MASK, PAGE_DEFAULT_KEY, 1);
-+		page_set_storage_key(ptev & PAGE_MASK, PAGE_DEFAULT_KEY, 0);
- 	pgste_set_unlock(ptep, pgste);
- 	preempt_enable();
- }
-diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
-index c73b93b9bb87d..a2175394cd253 100644
---- a/drivers/hwmon/hwmon.c
-+++ b/drivers/hwmon/hwmon.c
-@@ -715,12 +715,11 @@ EXPORT_SYMBOL_GPL(hwmon_device_register_with_groups);
- 
- /**
-  * hwmon_device_register_with_info - register w/ hwmon
-- * @dev: the parent device (mandatory)
-- * @name: hwmon name attribute (mandatory)
-- * @drvdata: driver data to attach to created device (optional)
-- * @chip: pointer to hwmon chip information (mandatory)
-+ * @dev: the parent device
-+ * @name: hwmon name attribute
-+ * @drvdata: driver data to attach to created device
-+ * @chip: pointer to hwmon chip information
-  * @extra_groups: pointer to list of additional non-standard attribute groups
-- *	(optional)
-  *
-  * hwmon_device_unregister() must be called when the device is no
-  * longer needed.
-@@ -733,10 +732,13 @@ hwmon_device_register_with_info(struct device *dev, const char *name,
- 				const struct hwmon_chip_info *chip,
- 				const struct attribute_group **extra_groups)
- {
--	if (!dev || !name || !chip)
-+	if (!name)
-+		return ERR_PTR(-EINVAL);
-+
-+	if (chip && (!chip->ops || !chip->ops->is_visible || !chip->info))
- 		return ERR_PTR(-EINVAL);
- 
--	if (!chip->ops || !chip->ops->is_visible || !chip->info)
-+	if (chip && !dev)
- 		return ERR_PTR(-EINVAL);
- 
- 	return __hwmon_device_register(dev, name, drvdata, chip, extra_groups);
-diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
-index 06b382304d926..81bc36a43b32d 100644
---- a/drivers/md/dm-table.c
-+++ b/drivers/md/dm-table.c
-@@ -872,8 +872,7 @@ EXPORT_SYMBOL(dm_consume_args);
- static bool __table_type_bio_based(enum dm_queue_mode table_type)
- {
- 	return (table_type == DM_TYPE_BIO_BASED ||
--		table_type == DM_TYPE_DAX_BIO_BASED ||
--		table_type == DM_TYPE_NVME_BIO_BASED);
-+		table_type == DM_TYPE_DAX_BIO_BASED);
- }
- 
- static bool __table_type_request_based(enum dm_queue_mode table_type)
-@@ -929,8 +928,6 @@ bool dm_table_supports_dax(struct dm_table *t,
- 	return true;
- }
- 
--static bool dm_table_does_not_support_partial_completion(struct dm_table *t);
--
- static int device_is_rq_stackable(struct dm_target *ti, struct dm_dev *dev,
- 				  sector_t start, sector_t len, void *data)
- {
-@@ -960,7 +957,6 @@ static int dm_table_determine_type(struct dm_table *t)
- 			goto verify_bio_based;
- 		}
- 		BUG_ON(t->type == DM_TYPE_DAX_BIO_BASED);
--		BUG_ON(t->type == DM_TYPE_NVME_BIO_BASED);
- 		goto verify_rq_based;
- 	}
- 
-@@ -999,15 +995,6 @@ verify_bio_based:
- 		if (dm_table_supports_dax(t, device_not_dax_capable, &page_size) ||
- 		    (list_empty(devices) && live_md_type == DM_TYPE_DAX_BIO_BASED)) {
- 			t->type = DM_TYPE_DAX_BIO_BASED;
--		} else {
--			/* Check if upgrading to NVMe bio-based is valid or required */
--			tgt = dm_table_get_immutable_target(t);
--			if (tgt && !tgt->max_io_len && dm_table_does_not_support_partial_completion(t)) {
--				t->type = DM_TYPE_NVME_BIO_BASED;
--				goto verify_rq_based; /* must be stacked directly on NVMe (blk-mq) */
--			} else if (list_empty(devices) && live_md_type == DM_TYPE_NVME_BIO_BASED) {
--				t->type = DM_TYPE_NVME_BIO_BASED;
--			}
- 		}
- 		return 0;
- 	}
-@@ -1024,8 +1011,7 @@ verify_rq_based:
- 	 * (e.g. request completion process for partial completion.)
- 	 */
- 	if (t->num_targets > 1) {
--		DMERR("%s DM doesn't support multiple targets",
--		      t->type == DM_TYPE_NVME_BIO_BASED ? "nvme bio-based" : "request-based");
-+		DMERR("request-based DM doesn't support multiple targets");
- 		return -EINVAL;
- 	}
- 
-@@ -1714,20 +1700,6 @@ static int device_is_not_random(struct dm_target *ti, struct dm_dev *dev,
- 	return q && !blk_queue_add_random(q);
- }
- 
--static int device_is_partial_completion(struct dm_target *ti, struct dm_dev *dev,
--					sector_t start, sector_t len, void *data)
--{
--	char b[BDEVNAME_SIZE];
--
--	/* For now, NVMe devices are the only devices of this class */
--	return (strncmp(bdevname(dev->bdev, b), "nvme", 4) != 0);
--}
--
--static bool dm_table_does_not_support_partial_completion(struct dm_table *t)
--{
--	return !dm_table_any_dev_attr(t, device_is_partial_completion, NULL);
--}
--
- static int device_not_write_same_capable(struct dm_target *ti, struct dm_dev *dev,
- 					 sector_t start, sector_t len, void *data)
- {
-diff --git a/drivers/md/dm.c b/drivers/md/dm.c
-index 37b8bb4d80f0f..77e28f77c59f4 100644
---- a/drivers/md/dm.c
-+++ b/drivers/md/dm.c
-@@ -1000,7 +1000,7 @@ static void clone_endio(struct bio *bio)
- 	struct mapped_device *md = tio->io->md;
- 	dm_endio_fn endio = tio->ti->type->end_io;
- 
--	if (unlikely(error == BLK_STS_TARGET) && md->type != DM_TYPE_NVME_BIO_BASED) {
-+	if (unlikely(error == BLK_STS_TARGET)) {
- 		if (bio_op(bio) == REQ_OP_DISCARD &&
- 		    !bio->bi_disk->queue->limits.max_discard_sectors)
- 			disable_discard(md);
-@@ -1325,7 +1325,6 @@ static blk_qc_t __map_bio(struct dm_target_io *tio)
- 	sector = clone->bi_iter.bi_sector;
- 
- 	if (unlikely(swap_bios_limit(ti, clone))) {
--		struct mapped_device *md = io->md;
- 		int latch = get_swap_bios();
- 		if (unlikely(latch != md->swap_bios))
- 			__set_swap_bios_limit(md, latch);
-@@ -1340,24 +1339,17 @@ static blk_qc_t __map_bio(struct dm_target_io *tio)
- 		/* the bio has been remapped so dispatch it */
- 		trace_block_bio_remap(clone->bi_disk->queue, clone,
- 				      bio_dev(io->orig_bio), sector);
--		if (md->type == DM_TYPE_NVME_BIO_BASED)
--			ret = direct_make_request(clone);
--		else
--			ret = generic_make_request(clone);
-+		ret = generic_make_request(clone);
- 		break;
- 	case DM_MAPIO_KILL:
--		if (unlikely(swap_bios_limit(ti, clone))) {
--			struct mapped_device *md = io->md;
-+		if (unlikely(swap_bios_limit(ti, clone)))
- 			up(&md->swap_bios_semaphore);
--		}
- 		free_tio(tio);
- 		dec_pending(io, BLK_STS_IOERR);
- 		break;
- 	case DM_MAPIO_REQUEUE:
--		if (unlikely(swap_bios_limit(ti, clone))) {
--			struct mapped_device *md = io->md;
-+		if (unlikely(swap_bios_limit(ti, clone)))
- 			up(&md->swap_bios_semaphore);
--		}
- 		free_tio(tio);
- 		dec_pending(io, BLK_STS_DM_REQUEUE);
- 		break;
-@@ -1732,51 +1724,6 @@ static blk_qc_t __split_and_process_bio(struct mapped_device *md,
- 	return ret;
- }
- 
--/*
-- * Optimized variant of __split_and_process_bio that leverages the
-- * fact that targets that use it do _not_ have a need to split bios.
-- */
--static blk_qc_t __process_bio(struct mapped_device *md, struct dm_table *map,
--			      struct bio *bio, struct dm_target *ti)
--{
--	struct clone_info ci;
--	blk_qc_t ret = BLK_QC_T_NONE;
--	int error = 0;
--
--	init_clone_info(&ci, md, map, bio);
--
--	if (bio->bi_opf & REQ_PREFLUSH) {
--		struct bio flush_bio;
--
--		/*
--		 * Use an on-stack bio for this, it's safe since we don't
--		 * need to reference it after submit. It's just used as
--		 * the basis for the clone(s).
--		 */
--		bio_init(&flush_bio, NULL, 0);
--		flush_bio.bi_opf = REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC;
--		ci.bio = &flush_bio;
--		ci.sector_count = 0;
--		error = __send_empty_flush(&ci);
--		bio_uninit(ci.bio);
--		/* dec_pending submits any data associated with flush */
--	} else {
--		struct dm_target_io *tio;
--
--		ci.bio = bio;
--		ci.sector_count = bio_sectors(bio);
--		if (__process_abnormal_io(&ci, ti, &error))
--			goto out;
--
--		tio = alloc_tio(&ci, ti, 0, GFP_NOIO);
--		ret = __clone_and_map_simple_bio(&ci, tio, NULL);
--	}
--out:
--	/* drop the extra reference count */
--	dec_pending(ci.io, errno_to_blk_status(error));
--	return ret;
--}
--
- static blk_qc_t dm_process_bio(struct mapped_device *md,
- 			       struct dm_table *map, struct bio *bio)
- {
-@@ -1807,8 +1754,6 @@ static blk_qc_t dm_process_bio(struct mapped_device *md,
- 		/* regular IO is split by __split_and_process_bio */
- 	}
- 
--	if (dm_get_md_type(md) == DM_TYPE_NVME_BIO_BASED)
--		return __process_bio(md, map, bio, ti);
- 	return __split_and_process_bio(md, map, bio);
- }
- 
-@@ -2200,12 +2145,10 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
- 	if (request_based)
- 		dm_stop_queue(q);
- 
--	if (request_based || md->type == DM_TYPE_NVME_BIO_BASED) {
-+	if (request_based) {
- 		/*
--		 * Leverage the fact that request-based DM targets and
--		 * NVMe bio based targets are immutable singletons
--		 * - used to optimize both dm_request_fn and dm_mq_queue_rq;
--		 *   and __process_bio.
-+		 * Leverage the fact that request-based DM targets are
-+		 * immutable singletons - used to optimize dm_mq_queue_rq.
- 		 */
- 		md->immutable_target = dm_table_get_immutable_target(t);
- 	}
-@@ -2334,7 +2277,6 @@ int dm_setup_md_queue(struct mapped_device *md, struct dm_table *t)
- 		break;
- 	case DM_TYPE_BIO_BASED:
- 	case DM_TYPE_DAX_BIO_BASED:
--	case DM_TYPE_NVME_BIO_BASED:
- 		dm_init_congested_fn(md);
- 		break;
- 	case DM_TYPE_NONE:
-@@ -3070,7 +3012,6 @@ struct dm_md_mempools *dm_alloc_md_mempools(struct mapped_device *md, enum dm_qu
- 	switch (type) {
- 	case DM_TYPE_BIO_BASED:
- 	case DM_TYPE_DAX_BIO_BASED:
--	case DM_TYPE_NVME_BIO_BASED:
- 		pool_size = max(dm_get_reserved_bio_based_ios(), min_pool_size);
- 		front_pad = roundup(per_io_data_size, __alignof__(struct dm_target_io)) + offsetof(struct dm_target_io, clone);
- 		io_front_pad = roundup(front_pad,  __alignof__(struct dm_io)) + offsetof(struct dm_io, tio);
-diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
-index 271bd08f4a255..3f053b11e2cee 100644
---- a/drivers/usb/gadget/function/u_ether.c
-+++ b/drivers/usb/gadget/function/u_ether.c
-@@ -772,9 +772,13 @@ struct eth_dev *gether_setup_name(struct usb_gadget *g,
- 	dev->qmult = qmult;
- 	snprintf(net->name, sizeof(net->name), "%s%%d", netname);
- 
--	if (get_ether_addr(dev_addr, net->dev_addr))
-+	if (get_ether_addr(dev_addr, net->dev_addr)) {
-+		net->addr_assign_type = NET_ADDR_RANDOM;
- 		dev_warn(&g->dev,
- 			"using random %s ethernet address\n", "self");
-+	} else {
-+		net->addr_assign_type = NET_ADDR_SET;
-+	}
- 	if (get_ether_addr(host_addr, dev->host_mac))
- 		dev_warn(&g->dev,
- 			"using random %s ethernet address\n", "host");
-@@ -831,6 +835,9 @@ struct net_device *gether_setup_name_default(const char *netname)
- 	INIT_LIST_HEAD(&dev->tx_reqs);
- 	INIT_LIST_HEAD(&dev->rx_reqs);
- 
-+	/* by default we always have a random MAC address */
-+	net->addr_assign_type = NET_ADDR_RANDOM;
-+
- 	skb_queue_head_init(&dev->rx_frames);
- 
- 	/* network device setup */
-@@ -868,7 +875,6 @@ int gether_register_netdev(struct net_device *net)
- 	g = dev->gadget;
- 
- 	memcpy(net->dev_addr, dev->dev_mac, ETH_ALEN);
--	net->addr_assign_type = NET_ADDR_RANDOM;
- 
- 	status = register_netdev(net);
- 	if (status < 0) {
-@@ -908,6 +914,7 @@ int gether_set_dev_addr(struct net_device *net, const char *dev_addr)
- 	if (get_ether_addr(dev_addr, new_addr))
- 		return -EINVAL;
- 	memcpy(dev->dev_mac, new_addr, ETH_ALEN);
-+	net->addr_assign_type = NET_ADDR_SET;
- 	return 0;
- }
- EXPORT_SYMBOL_GPL(gether_set_dev_addr);
-diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h
-index a53d7d2c2d95c..60631f3abddbd 100644
---- a/include/linux/device-mapper.h
-+++ b/include/linux/device-mapper.h
-@@ -28,7 +28,6 @@ enum dm_queue_mode {
- 	DM_TYPE_BIO_BASED	 = 1,
- 	DM_TYPE_REQUEST_BASED	 = 2,
- 	DM_TYPE_DAX_BIO_BASED	 = 3,
--	DM_TYPE_NVME_BIO_BASED	 = 4,
- };
- 
- typedef enum { STATUSTYPE_INFO, STATUSTYPE_TABLE } status_type_t;
-diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
-index 959f4f0c85460..d9bee15e36a50 100644
---- a/net/ipv4/inet_hashtables.c
-+++ b/net/ipv4/inet_hashtables.c
-@@ -675,12 +675,14 @@ EXPORT_SYMBOL_GPL(inet_unhash);
-  * Note that we use 32bit integers (vs RFC 'short integers')
-  * because 2^16 is not a multiple of num_ephemeral and this
-  * property might be used by clever attacker.
-- * RFC claims using TABLE_LENGTH=10 buckets gives an improvement,
-- * we use 256 instead to really give more isolation and
-- * privacy, this only consumes 1 KB of kernel memory.
-+ * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
-+ * attacks were since demonstrated, thus we use 65536 instead to really
-+ * give more isolation and privacy, at the expense of 256kB of kernel
-+ * memory.
-  */
--#define INET_TABLE_PERTURB_SHIFT 8
--static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT];
-+#define INET_TABLE_PERTURB_SHIFT 16
-+#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
-+static u32 *table_perturb;
- 
- int __inet_hash_connect(struct inet_timewait_death_row *death_row,
- 		struct sock *sk, u64 port_offset,
-@@ -723,10 +725,11 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
- 	if (likely(remaining > 1))
- 		remaining &= ~1U;
- 
--	net_get_random_once(table_perturb, sizeof(table_perturb));
--	index = hash_32(port_offset, INET_TABLE_PERTURB_SHIFT);
-+	net_get_random_once(table_perturb,
-+			    INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb));
-+	index = port_offset & (INET_TABLE_PERTURB_SIZE - 1);
- 
--	offset = READ_ONCE(table_perturb[index]) + port_offset;
-+	offset = READ_ONCE(table_perturb[index]) + (port_offset >> 32);
- 	offset %= remaining;
- 
- 	/* In first pass we try ports of @low parity.
-@@ -782,6 +785,12 @@ next_port:
- 	return -EADDRNOTAVAIL;
- 
- ok:
-+	/* Here we want to add a little bit of randomness to the next source
-+	 * port that will be chosen. We use a max() with a random here so that
-+	 * on low contention the randomness is maximal and on high contention
-+	 * it may be inexistent.
-+	 */
-+	i = max_t(int, i, (prandom_u32() & 7) * 2);
- 	WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2);
- 
- 	/* Head lock still held and bh's disabled */
-@@ -855,6 +864,12 @@ void __init inet_hashinfo2_init(struct inet_hashinfo *h, const char *name,
- 					    low_limit,
- 					    high_limit);
- 	init_hashinfo_lhash2(h);
-+
-+	/* this one is used for source ports of outgoing connections */
-+	table_perturb = kmalloc_array(INET_TABLE_PERTURB_SIZE,
-+				      sizeof(*table_perturb), GFP_KERNEL);
-+	if (!table_perturb)
-+		panic("TCP: failed to alloc table_perturb");
- }
- 
- int inet_hashinfo2_init_mod(struct inet_hashinfo *h)

patch/kernel/archive/odroidxu4-5.4/patch-5.4.205-206.patch

@@ -1,26 +0,0 @@
-diff --git a/Makefile b/Makefile
-index c40565492ffba..755123455105f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,7 +1,7 @@
- # SPDX-License-Identifier: GPL-2.0
- VERSION = 5
- PATCHLEVEL = 4
--SUBLEVEL = 205
-+SUBLEVEL = 206
- EXTRAVERSION =
- NAME = Kleptomaniac Octopus
- 
-diff --git a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
-index 41f7dd58bdcf8..02218c3b548f9 100644
---- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
-+++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
-@@ -682,7 +682,7 @@ static void gpmi_nfc_compute_timings(struct gpmi_nand_data *this,
- 	hw->timing0 = BF_GPMI_TIMING0_ADDRESS_SETUP(addr_setup_cycles) |
- 		      BF_GPMI_TIMING0_DATA_HOLD(data_hold_cycles) |
- 		      BF_GPMI_TIMING0_DATA_SETUP(data_setup_cycles);
--	hw->timing1 = BF_GPMI_TIMING1_BUSY_TIMEOUT(DIV_ROUND_UP(busy_timeout_cycles, 4096));
-+	hw->timing1 = BF_GPMI_TIMING1_BUSY_TIMEOUT(busy_timeout_cycles * 4096);
- 
- 	/*
- 	 * Derive NFC ideal delay from {3}:

patch/kernel/archive/odroidxu4-5.4/patch-5.4.209-210.patch

@@ -1,950 +0,0 @@
-diff --git a/Documentation/admin-guide/hw-vuln/spectre.rst b/Documentation/admin-guide/hw-vuln/spectre.rst
-index 6bd97cd50d625..7e061ed449aaa 100644
---- a/Documentation/admin-guide/hw-vuln/spectre.rst
-+++ b/Documentation/admin-guide/hw-vuln/spectre.rst
-@@ -422,6 +422,14 @@ The possible values in this file are:
-   'RSB filling'   Protection of RSB on context switch enabled
-   =============   ===========================================
- 
-+  - EIBRS Post-barrier Return Stack Buffer (PBRSB) protection status:
-+
-+  ===========================  =======================================================
-+  'PBRSB-eIBRS: SW sequence'   CPU is affected and protection of RSB on VMEXIT enabled
-+  'PBRSB-eIBRS: Vulnerable'    CPU is vulnerable
-+  'PBRSB-eIBRS: Not affected'  CPU is not affected by PBRSB
-+  ===========================  =======================================================
-+
- Full mitigation might require a microcode update from the CPU
- vendor. When the necessary microcode is not available, the kernel will
- report vulnerability.
-diff --git a/Makefile b/Makefile
-index 7093e3b03b9f7..74abb7e389f33 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,7 +1,7 @@
- # SPDX-License-Identifier: GPL-2.0
- VERSION = 5
- PATCHLEVEL = 4
--SUBLEVEL = 209
-+SUBLEVEL = 210
- EXTRAVERSION =
- NAME = Kleptomaniac Octopus
- 
-diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
-index 8c28a2365a92b..a3e32bc938562 100644
---- a/arch/x86/include/asm/cpufeatures.h
-+++ b/arch/x86/include/asm/cpufeatures.h
-@@ -286,6 +286,7 @@
- #define X86_FEATURE_CQM_MBM_LOCAL	(11*32+ 3) /* LLC Local MBM monitoring */
- #define X86_FEATURE_FENCE_SWAPGS_USER	(11*32+ 4) /* "" LFENCE in user entry SWAPGS path */
- #define X86_FEATURE_FENCE_SWAPGS_KERNEL	(11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */
-+#define X86_FEATURE_RSB_VMEXIT_LITE	(11*32+ 6) /* "" Fill RSB on VM exit when EIBRS is enabled */
- 
- /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
- #define X86_FEATURE_AVX512_BF16		(12*32+ 5) /* AVX512 BFLOAT16 instructions */
-@@ -406,5 +407,6 @@
- #define X86_BUG_ITLB_MULTIHIT		X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */
- #define X86_BUG_SRBDS			X86_BUG(24) /* CPU may leak RNG bits if not mitigated */
- #define X86_BUG_MMIO_STALE_DATA		X86_BUG(25) /* CPU is affected by Processor MMIO Stale Data vulnerabilities */
-+#define X86_BUG_EIBRS_PBRSB		X86_BUG(26) /* EIBRS is vulnerable to Post Barrier RSB Predictions */
- 
- #endif /* _ASM_X86_CPUFEATURES_H */
-diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
-index c56042916a7c3..cef4eba03ff36 100644
---- a/arch/x86/include/asm/msr-index.h
-+++ b/arch/x86/include/asm/msr-index.h
-@@ -129,6 +129,10 @@
- 						 * bit available to control VERW
- 						 * behavior.
- 						 */
-+#define ARCH_CAP_PBRSB_NO		BIT(24)	/*
-+						 * Not susceptible to Post-Barrier
-+						 * Return Stack Buffer Predictions.
-+						 */
- 
- #define MSR_IA32_FLUSH_CMD		0x0000010b
- #define L1D_FLUSH			BIT(0)	/*
-diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
-index ece2b2c6d020d..1e5df3ccdd5cb 100644
---- a/arch/x86/include/asm/nospec-branch.h
-+++ b/arch/x86/include/asm/nospec-branch.h
-@@ -61,7 +61,16 @@
- 774:						\
- 	dec	reg;				\
- 	jnz	771b;				\
--	add	$(BITS_PER_LONG/8) * nr, sp;
-+	add	$(BITS_PER_LONG/8) * nr, sp;	\
-+	/* barrier for jnz misprediction */	\
-+	lfence;
-+
-+#define __ISSUE_UNBALANCED_RET_GUARD(sp)	\
-+	call	881f;				\
-+	int3;					\
-+881:						\
-+	add	$(BITS_PER_LONG/8), sp;		\
-+	lfence;
- 
- #ifdef __ASSEMBLY__
- 
-@@ -130,6 +139,14 @@
- #else
- 	call	*\reg
- #endif
-+.endm
-+
-+.macro ISSUE_UNBALANCED_RET_GUARD ftr:req
-+	ANNOTATE_NOSPEC_ALTERNATIVE
-+	ALTERNATIVE "jmp .Lskip_pbrsb_\@",				\
-+		__stringify(__ISSUE_UNBALANCED_RET_GUARD(%_ASM_SP))	\
-+		\ftr
-+.Lskip_pbrsb_\@:
- .endm
- 
-  /*
-diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
-index 09d02b1f6f71f..57efa90f3fbd0 100644
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -1043,6 +1043,49 @@ static enum spectre_v2_mitigation __init spectre_v2_select_retpoline(void)
- 	return SPECTRE_V2_RETPOLINE;
- }
- 
-+static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
-+{
-+	/*
-+	 * Similar to context switches, there are two types of RSB attacks
-+	 * after VM exit:
-+	 *
-+	 * 1) RSB underflow
-+	 *
-+	 * 2) Poisoned RSB entry
-+	 *
-+	 * When retpoline is enabled, both are mitigated by filling/clearing
-+	 * the RSB.
-+	 *
-+	 * When IBRS is enabled, while #1 would be mitigated by the IBRS branch
-+	 * prediction isolation protections, RSB still needs to be cleared
-+	 * because of #2.  Note that SMEP provides no protection here, unlike
-+	 * user-space-poisoned RSB entries.
-+	 *
-+	 * eIBRS should protect against RSB poisoning, but if the EIBRS_PBRSB
-+	 * bug is present then a LITE version of RSB protection is required,
-+	 * just a single call needs to retire before a RET is executed.
-+	 */
-+	switch (mode) {
-+	case SPECTRE_V2_NONE:
-+	/* These modes already fill RSB at vmexit */
-+	case SPECTRE_V2_LFENCE:
-+	case SPECTRE_V2_RETPOLINE:
-+	case SPECTRE_V2_EIBRS_RETPOLINE:
-+		return;
-+
-+	case SPECTRE_V2_EIBRS_LFENCE:
-+	case SPECTRE_V2_EIBRS:
-+		if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
-+			setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
-+			pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
-+		}
-+		return;
-+	}
-+
-+	pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
-+	dump_stack();
-+}
-+
- static void __init spectre_v2_select_mitigation(void)
- {
- 	enum spectre_v2_mitigation_cmd cmd = spectre_v2_parse_cmdline();
-@@ -1135,6 +1178,8 @@ static void __init spectre_v2_select_mitigation(void)
- 	setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
- 	pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
- 
-+	spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
-+
- 	/*
- 	 * Retpoline means the kernel is safe because it has no indirect
- 	 * branches. Enhanced IBRS protects firmware too, so, enable restricted
-@@ -1879,6 +1924,19 @@ static char *ibpb_state(void)
- 	return "";
- }
- 
-+static char *pbrsb_eibrs_state(void)
-+{
-+	if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
-+		if (boot_cpu_has(X86_FEATURE_RSB_VMEXIT_LITE) ||
-+		    boot_cpu_has(X86_FEATURE_RETPOLINE))
-+			return ", PBRSB-eIBRS: SW sequence";
-+		else
-+			return ", PBRSB-eIBRS: Vulnerable";
-+	} else {
-+		return ", PBRSB-eIBRS: Not affected";
-+	}
-+}
-+
- static ssize_t spectre_v2_show_state(char *buf)
- {
- 	if (spectre_v2_enabled == SPECTRE_V2_LFENCE)
-@@ -1891,12 +1949,13 @@ static ssize_t spectre_v2_show_state(char *buf)
- 	    spectre_v2_enabled == SPECTRE_V2_EIBRS_LFENCE)
- 		return sprintf(buf, "Vulnerable: eIBRS+LFENCE with unprivileged eBPF and SMT\n");
- 
--	return sprintf(buf, "%s%s%s%s%s%s\n",
-+	return sprintf(buf, "%s%s%s%s%s%s%s\n",
- 		       spectre_v2_strings[spectre_v2_enabled],
- 		       ibpb_state(),
- 		       boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
- 		       stibp_state(),
- 		       boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
-+		       pbrsb_eibrs_state(),
- 		       spectre_v2_module_string());
- }
- 
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 305f30e45f3d3..b926b7244d42d 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1025,6 +1025,7 @@ static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
- #define NO_SWAPGS		BIT(6)
- #define NO_ITLB_MULTIHIT	BIT(7)
- #define NO_SPECTRE_V2		BIT(8)
-+#define NO_EIBRS_PBRSB		BIT(9)
- 
- #define VULNWL(_vendor, _family, _model, _whitelist)	\
- 	{ X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist }
-@@ -1065,7 +1066,7 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
- 
- 	VULNWL_INTEL(ATOM_GOLDMONT,		NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
- 	VULNWL_INTEL(ATOM_GOLDMONT_D,		NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
--	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT),
-+	VULNWL_INTEL(ATOM_GOLDMONT_PLUS,	NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
- 
- 	/*
- 	 * Technically, swapgs isn't serializing on AMD (despite it previously
-@@ -1075,7 +1076,9 @@ static const __initconst struct x86_cpu_id cpu_vuln_whitelist[] = {
- 	 * good enough for our purposes.
- 	 */
- 
--	VULNWL_INTEL(ATOM_TREMONT_D,		NO_ITLB_MULTIHIT),
-+	VULNWL_INTEL(ATOM_TREMONT,		NO_EIBRS_PBRSB),
-+	VULNWL_INTEL(ATOM_TREMONT_L,		NO_EIBRS_PBRSB),
-+	VULNWL_INTEL(ATOM_TREMONT_D,		NO_ITLB_MULTIHIT | NO_EIBRS_PBRSB),
- 
- 	/* AMD Family 0xf - 0x12 */
- 	VULNWL_AMD(0x0f,	NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT),
-@@ -1236,6 +1239,11 @@ static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c)
- 	    !arch_cap_mmio_immune(ia32_cap))
- 		setup_force_cpu_bug(X86_BUG_MMIO_STALE_DATA);
- 
-+	if (cpu_has(c, X86_FEATURE_IBRS_ENHANCED) &&
-+	    !cpu_matches(cpu_vuln_whitelist, NO_EIBRS_PBRSB) &&
-+	    !(ia32_cap & ARCH_CAP_PBRSB_NO))
-+		setup_force_cpu_bug(X86_BUG_EIBRS_PBRSB);
-+
- 	if (cpu_matches(cpu_vuln_whitelist, NO_MELTDOWN))
- 		return;
- 
-diff --git a/arch/x86/kvm/vmx/vmenter.S b/arch/x86/kvm/vmx/vmenter.S
-index ca4252f81bf81..946d9205c3b6d 100644
---- a/arch/x86/kvm/vmx/vmenter.S
-+++ b/arch/x86/kvm/vmx/vmenter.S
-@@ -92,6 +92,7 @@ ENTRY(vmx_vmexit)
- 	pop %_ASM_AX
- .Lvmexit_skip_rsb:
- #endif
-+	ISSUE_UNBALANCED_RET_GUARD X86_FEATURE_RSB_VMEXIT_LITE
- 	ret
- ENDPROC(vmx_vmexit)
- 
-diff --git a/drivers/acpi/apei/bert.c b/drivers/acpi/apei/bert.c
-index 76b7539a37a93..a06f35528c9a7 100644
---- a/drivers/acpi/apei/bert.c
-+++ b/drivers/acpi/apei/bert.c
-@@ -29,16 +29,26 @@
- 
- #undef pr_fmt
- #define pr_fmt(fmt) "BERT: " fmt
-+
-+#define ACPI_BERT_PRINT_MAX_RECORDS 5
- #define ACPI_BERT_PRINT_MAX_LEN 1024
- 
- static int bert_disable;
- 
-+/*
-+ * Print "all" the error records in the BERT table, but avoid huge spam to
-+ * the console if the BIOS included oversize records, or too many records.
-+ * Skipping some records here does not lose anything because the full
-+ * data is available to user tools in:
-+ *	/sys/firmware/acpi/tables/data/BERT
-+ */
- static void __init bert_print_all(struct acpi_bert_region *region,
- 				  unsigned int region_len)
- {
- 	struct acpi_hest_generic_status *estatus =
- 		(struct acpi_hest_generic_status *)region;
- 	int remain = region_len;
-+	int printed = 0, skipped = 0;
- 	u32 estatus_len;
- 
- 	while (remain >= sizeof(struct acpi_bert_region)) {
-@@ -46,24 +56,26 @@ static void __init bert_print_all(struct acpi_bert_region *region,
- 		if (remain < estatus_len) {
- 			pr_err(FW_BUG "Truncated status block (length: %u).\n",
- 			       estatus_len);
--			return;
-+			break;
- 		}
- 
- 		/* No more error records. */
- 		if (!estatus->block_status)
--			return;
-+			break;
- 
- 		if (cper_estatus_check(estatus)) {
- 			pr_err(FW_BUG "Invalid error record.\n");
--			return;
-+			break;
- 		}
- 
--		pr_info_once("Error records from previous boot:\n");
--		if (region_len < ACPI_BERT_PRINT_MAX_LEN)
-+		if (estatus_len < ACPI_BERT_PRINT_MAX_LEN &&
-+		    printed < ACPI_BERT_PRINT_MAX_RECORDS) {
-+			pr_info_once("Error records from previous boot:\n");
- 			cper_estatus_print(KERN_INFO HW_ERR, estatus);
--		else
--			pr_info_once("Max print length exceeded, table data is available at:\n"
--				     "/sys/firmware/acpi/tables/data/BERT");
-+			printed++;
-+		} else {
-+			skipped++;
-+		}
- 
- 		/*
- 		 * Because the boot error source is "one-time polled" type,
-@@ -75,6 +87,9 @@ static void __init bert_print_all(struct acpi_bert_region *region,
- 		estatus = (void *)estatus + estatus_len;
- 		remain -= estatus_len;
- 	}
-+
-+	if (skipped)
-+		pr_info(HW_ERR "Skipped %d error records\n", skipped);
- }
- 
- static int __init setup_bert_disable(char *str)
-diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
-index de4142723ff48..3b972ca536896 100644
---- a/drivers/acpi/video_detect.c
-+++ b/drivers/acpi/video_detect.c
-@@ -387,7 +387,6 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
- 	.callback = video_detect_force_native,
- 	.ident = "Clevo NL5xRU",
- 	.matches = {
--		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
- 		DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
- 		},
- 	},
-@@ -395,59 +394,75 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
- 	.callback = video_detect_force_native,
- 	.ident = "Clevo NL5xRU",
- 	.matches = {
--		DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
--		DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
-+		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
-+		DMI_MATCH(DMI_BOARD_NAME, "AURA1501"),
- 		},
- 	},
- 	{
- 	.callback = video_detect_force_native,
- 	.ident = "Clevo NL5xRU",
- 	.matches = {
--		DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
--		DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
-+		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
-+		DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"),
- 		},
- 	},
- 	{
- 	.callback = video_detect_force_native,
--	.ident = "Clevo NL5xRU",
-+	.ident = "Clevo NL5xNU",
- 	.matches = {
--		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
--		DMI_MATCH(DMI_BOARD_NAME, "AURA1501"),
-+		DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
- 		},
- 	},
-+	/*
-+	 * The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10,
-+	 * Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo
-+	 * NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2. See the description
-+	 * above.
-+	 */
- 	{
- 	.callback = video_detect_force_native,
--	.ident = "Clevo NL5xRU",
-+	.ident = "TongFang PF5PU1G",
- 	.matches = {
--		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
--		DMI_MATCH(DMI_BOARD_NAME, "EDUBOOK1502"),
-+		DMI_MATCH(DMI_BOARD_NAME, "PF5PU1G"),
- 		},
- 	},
- 	{
- 	.callback = video_detect_force_native,
--	.ident = "Clevo NL5xNU",
-+	.ident = "TongFang PF4NU1F",
-+	.matches = {
-+		DMI_MATCH(DMI_BOARD_NAME, "PF4NU1F"),
-+		},
-+	},
-+	{
-+	.callback = video_detect_force_native,
-+	.ident = "TongFang PF4NU1F",
- 	.matches = {
- 		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
--		DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
-+		DMI_MATCH(DMI_BOARD_NAME, "PULSE1401"),
- 		},
- 	},
- 	{
- 	.callback = video_detect_force_native,
--	.ident = "Clevo NL5xNU",
-+	.ident = "TongFang PF5NU1G",
- 	.matches = {
--		DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"),
--		DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
-+		DMI_MATCH(DMI_BOARD_NAME, "PF5NU1G"),
- 		},
- 	},
- 	{
- 	.callback = video_detect_force_native,
--	.ident = "Clevo NL5xNU",
-+	.ident = "TongFang PF5NU1G",
- 	.matches = {
--		DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
--		DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
-+		DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
-+		DMI_MATCH(DMI_BOARD_NAME, "PULSE1501"),
-+		},
-+	},
-+	{
-+	.callback = video_detect_force_native,
-+	.ident = "TongFang PF5LUXG",
-+	.matches = {
-+		DMI_MATCH(DMI_BOARD_NAME, "PF5LUXG"),
- 		},
- 	},
--
- 	/*
- 	 * Desktops which falsely report a backlight and which our heuristics
- 	 * for this do not catch.
-diff --git a/drivers/macintosh/adb.c b/drivers/macintosh/adb.c
-index e49d1f287a175..c37d5fce86f79 100644
---- a/drivers/macintosh/adb.c
-+++ b/drivers/macintosh/adb.c
-@@ -647,7 +647,7 @@ do_adb_query(struct adb_request *req)
- 
- 	switch(req->data[1]) {
- 	case ADB_QUERY_GETDEVINFO:
--		if (req->nbytes < 3)
-+		if (req->nbytes < 3 || req->data[2] >= 16)
- 			break;
- 		mutex_lock(&adb_handler_mutex);
- 		req->reply[0] = adb_handler[req->data[2]].original_address;
-diff --git a/drivers/media/v4l2-core/v4l2-mem2mem.c b/drivers/media/v4l2-core/v4l2-mem2mem.c
-index 639dc8d45e603..d56837c04a81a 100644
---- a/drivers/media/v4l2-core/v4l2-mem2mem.c
-+++ b/drivers/media/v4l2-core/v4l2-mem2mem.c
-@@ -460,19 +460,14 @@ int v4l2_m2m_reqbufs(struct file *file, struct v4l2_m2m_ctx *m2m_ctx,
- }
- EXPORT_SYMBOL_GPL(v4l2_m2m_reqbufs);
- 
--int v4l2_m2m_querybuf(struct file *file, struct v4l2_m2m_ctx *m2m_ctx,
--		      struct v4l2_buffer *buf)
-+static void v4l2_m2m_adjust_mem_offset(struct vb2_queue *vq,
-+				       struct v4l2_buffer *buf)
- {
--	struct vb2_queue *vq;
--	int ret = 0;
--	unsigned int i;
--
--	vq = v4l2_m2m_get_vq(m2m_ctx, buf->type);
--	ret = vb2_querybuf(vq, buf);
--
- 	/* Adjust MMAP memory offsets for the CAPTURE queue */
- 	if (buf->memory == V4L2_MEMORY_MMAP && !V4L2_TYPE_IS_OUTPUT(vq->type)) {
- 		if (V4L2_TYPE_IS_MULTIPLANAR(vq->type)) {
-+			unsigned int i;
-+
- 			for (i = 0; i < buf->length; ++i)
- 				buf->m.planes[i].m.mem_offset
- 					+= DST_QUEUE_OFF_BASE;
-@@ -480,8 +475,23 @@ int v4l2_m2m_querybuf(struct file *file, struct v4l2_m2m_ctx *m2m_ctx,
- 			buf->m.offset += DST_QUEUE_OFF_BASE;
- 		}
- 	}
-+}
- 
--	return ret;
-+int v4l2_m2m_querybuf(struct file *file, struct v4l2_m2m_ctx *m2m_ctx,
-+		      struct v4l2_buffer *buf)
-+{
-+	struct vb2_queue *vq;
-+	int ret;
-+
-+	vq = v4l2_m2m_get_vq(m2m_ctx, buf->type);
-+	ret = vb2_querybuf(vq, buf);
-+	if (ret)
-+		return ret;
-+
-+	/* Adjust MMAP memory offsets for the CAPTURE queue */
-+	v4l2_m2m_adjust_mem_offset(vq, buf);
-+
-+	return 0;
- }
- EXPORT_SYMBOL_GPL(v4l2_m2m_querybuf);
- 
-@@ -500,10 +510,16 @@ int v4l2_m2m_qbuf(struct file *file, struct v4l2_m2m_ctx *m2m_ctx,
- 		return -EPERM;
- 	}
- 	ret = vb2_qbuf(vq, vdev->v4l2_dev->mdev, buf);
--	if (!ret && !(buf->flags & V4L2_BUF_FLAG_IN_REQUEST))
-+	if (ret)
-+		return ret;
-+
-+	/* Adjust MMAP memory offsets for the CAPTURE queue */
-+	v4l2_m2m_adjust_mem_offset(vq, buf);
-+
-+	if (!(buf->flags & V4L2_BUF_FLAG_IN_REQUEST))
- 		v4l2_m2m_try_schedule(m2m_ctx);
- 
--	return ret;
-+	return 0;
- }
- EXPORT_SYMBOL_GPL(v4l2_m2m_qbuf);
- 
-@@ -511,9 +527,17 @@ int v4l2_m2m_dqbuf(struct file *file, struct v4l2_m2m_ctx *m2m_ctx,
- 		   struct v4l2_buffer *buf)
- {
- 	struct vb2_queue *vq;
-+	int ret;
- 
- 	vq = v4l2_m2m_get_vq(m2m_ctx, buf->type);
--	return vb2_dqbuf(vq, buf, file->f_flags & O_NONBLOCK);
-+	ret = vb2_dqbuf(vq, buf, file->f_flags & O_NONBLOCK);
-+	if (ret)
-+		return ret;
-+
-+	/* Adjust MMAP memory offsets for the CAPTURE queue */
-+	v4l2_m2m_adjust_mem_offset(vq, buf);
-+
-+	return 0;
- }
- EXPORT_SYMBOL_GPL(v4l2_m2m_dqbuf);
- 
-@@ -522,9 +546,17 @@ int v4l2_m2m_prepare_buf(struct file *file, struct v4l2_m2m_ctx *m2m_ctx,
- {
- 	struct video_device *vdev = video_devdata(file);
- 	struct vb2_queue *vq;
-+	int ret;
- 
- 	vq = v4l2_m2m_get_vq(m2m_ctx, buf->type);
--	return vb2_prepare_buf(vq, vdev->v4l2_dev->mdev, buf);
-+	ret = vb2_prepare_buf(vq, vdev->v4l2_dev->mdev, buf);
-+	if (ret)
-+		return ret;
-+
-+	/* Adjust MMAP memory offsets for the CAPTURE queue */
-+	v4l2_m2m_adjust_mem_offset(vq, buf);
-+
-+	return 0;
- }
- EXPORT_SYMBOL_GPL(v4l2_m2m_prepare_buf);
- 
-diff --git a/drivers/thermal/of-thermal.c b/drivers/thermal/of-thermal.c
-index 68d0c181ec7bb..1f38da5da6e45 100644
---- a/drivers/thermal/of-thermal.c
-+++ b/drivers/thermal/of-thermal.c
-@@ -91,7 +91,7 @@ static int of_thermal_get_temp(struct thermal_zone_device *tz,
- {
- 	struct __thermal_zone *data = tz->devdata;
- 
--	if (!data->ops->get_temp)
-+	if (!data->ops || !data->ops->get_temp)
- 		return -EINVAL;
- 
- 	return data->ops->get_temp(data->sensor_data, temp);
-@@ -188,6 +188,9 @@ static int of_thermal_set_emul_temp(struct thermal_zone_device *tz,
- {
- 	struct __thermal_zone *data = tz->devdata;
- 
-+	if (!data->ops || !data->ops->set_emul_temp)
-+		return -EINVAL;
-+
- 	return data->ops->set_emul_temp(data->sensor_data, temp);
- }
- 
-@@ -196,7 +199,7 @@ static int of_thermal_get_trend(struct thermal_zone_device *tz, int trip,
- {
- 	struct __thermal_zone *data = tz->devdata;
- 
--	if (!data->ops->get_trend)
-+	if (!data->ops || !data->ops->get_trend)
- 		return -EINVAL;
- 
- 	return data->ops->get_trend(data->sensor_data, trip, trend);
-@@ -336,7 +339,7 @@ static int of_thermal_set_trip_temp(struct thermal_zone_device *tz, int trip,
- 	if (trip >= data->ntrips || trip < 0)
- 		return -EDOM;
- 
--	if (data->ops->set_trip_temp) {
-+	if (data->ops && data->ops->set_trip_temp) {
- 		int ret;
- 
- 		ret = data->ops->set_trip_temp(data->sensor_data, trip, temp);
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 34262d83dce11..f705d3752fe0d 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -5083,6 +5083,7 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
- 		coerce_reg_to_size(dst_reg, 4);
- 	}
- 
-+	__update_reg_bounds(dst_reg);
- 	__reg_deduce_bounds(dst_reg);
- 	__reg_bound_offset(dst_reg);
- 	return 0;
-diff --git a/tools/arch/x86/include/asm/cpufeatures.h b/tools/arch/x86/include/asm/cpufeatures.h
-index 4133c721af6ed..59f924e92c284 100644
---- a/tools/arch/x86/include/asm/cpufeatures.h
-+++ b/tools/arch/x86/include/asm/cpufeatures.h
-@@ -284,6 +284,7 @@
- #define X86_FEATURE_CQM_MBM_LOCAL	(11*32+ 3) /* LLC Local MBM monitoring */
- #define X86_FEATURE_FENCE_SWAPGS_USER	(11*32+ 4) /* "" LFENCE in user entry SWAPGS path */
- #define X86_FEATURE_FENCE_SWAPGS_KERNEL	(11*32+ 5) /* "" LFENCE in kernel entry SWAPGS path */
-+#define X86_FEATURE_RSB_VMEXIT_LITE	(11*32+ 6) /* "" Fill RSB on VM-Exit when EIBRS is enabled */
- 
- /* Intel-defined CPU features, CPUID level 0x00000007:1 (EAX), word 12 */
- #define X86_FEATURE_AVX512_BF16		(12*32+ 5) /* AVX512 BFLOAT16 instructions */
-diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
-index 0bfad86ec960a..cb0631098f918 100644
---- a/tools/include/uapi/linux/bpf.h
-+++ b/tools/include/uapi/linux/bpf.h
-@@ -3068,7 +3068,8 @@ struct bpf_sock {
- 	__u32 src_ip4;
- 	__u32 src_ip6[4];
- 	__u32 src_port;		/* host byte order */
--	__u32 dst_port;		/* network byte order */
-+	__be16 dst_port;	/* network byte order */
-+	__u16 :16;		/* zero padding */
- 	__u32 dst_ip4;
- 	__u32 dst_ip6[4];
- 	__u32 state;
-diff --git a/tools/testing/selftests/bpf/test_align.c b/tools/testing/selftests/bpf/test_align.c
-index 0262f7b374f9c..4b9a26caa2c2e 100644
---- a/tools/testing/selftests/bpf/test_align.c
-+++ b/tools/testing/selftests/bpf/test_align.c
-@@ -359,15 +359,15 @@ static struct bpf_align_test tests[] = {
- 			 * is still (4n), fixed offset is not changed.
- 			 * Also, we create a new reg->id.
- 			 */
--			{29, "R5_w=pkt(id=4,off=18,r=0,umax_value=2040,var_off=(0x0; 0x7fc))"},
-+			{29, "R5_w=pkt(id=4,off=18,r=0,umax_value=2040,var_off=(0x0; 0x7fc)"},
- 			/* At the time the word size load is performed from R5,
- 			 * its total fixed offset is NET_IP_ALIGN + reg->off (18)
- 			 * which is 20.  Then the variable offset is (4n), so
- 			 * the total offset is 4-byte aligned and meets the
- 			 * load's requirements.
- 			 */
--			{33, "R4=pkt(id=4,off=22,r=22,umax_value=2040,var_off=(0x0; 0x7fc))"},
--			{33, "R5=pkt(id=4,off=18,r=22,umax_value=2040,var_off=(0x0; 0x7fc))"},
-+			{33, "R4=pkt(id=4,off=22,r=22,umax_value=2040,var_off=(0x0; 0x7fc)"},
-+			{33, "R5=pkt(id=4,off=18,r=22,umax_value=2040,var_off=(0x0; 0x7fc)"},
- 		},
- 	},
- 	{
-@@ -410,15 +410,15 @@ static struct bpf_align_test tests[] = {
- 			/* Adding 14 makes R6 be (4n+2) */
- 			{9, "R6_w=inv(id=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
- 			/* Packet pointer has (4n+2) offset */
--			{11, "R5_w=pkt(id=1,off=0,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
--			{13, "R4=pkt(id=1,off=4,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
-+			{11, "R5_w=pkt(id=1,off=0,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
-+			{13, "R4=pkt(id=1,off=4,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
- 			/* At the time the word size load is performed from R5,
- 			 * its total fixed offset is NET_IP_ALIGN + reg->off (0)
- 			 * which is 2.  Then the variable offset is (4n+2), so
- 			 * the total offset is 4-byte aligned and meets the
- 			 * load's requirements.
- 			 */
--			{15, "R5=pkt(id=1,off=0,r=4,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
-+			{15, "R5=pkt(id=1,off=0,r=4,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
- 			/* Newly read value in R6 was shifted left by 2, so has
- 			 * known alignment of 4.
- 			 */
-@@ -426,15 +426,15 @@ static struct bpf_align_test tests[] = {
- 			/* Added (4n) to packet pointer's (4n+2) var_off, giving
- 			 * another (4n+2).
- 			 */
--			{19, "R5_w=pkt(id=2,off=0,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
--			{21, "R4=pkt(id=2,off=4,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
-+			{19, "R5_w=pkt(id=2,off=0,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
-+			{21, "R4=pkt(id=2,off=4,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
- 			/* At the time the word size load is performed from R5,
- 			 * its total fixed offset is NET_IP_ALIGN + reg->off (0)
- 			 * which is 2.  Then the variable offset is (4n+2), so
- 			 * the total offset is 4-byte aligned and meets the
- 			 * load's requirements.
- 			 */
--			{23, "R5=pkt(id=2,off=0,r=4,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
-+			{23, "R5=pkt(id=2,off=0,r=4,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
- 		},
- 	},
- 	{
-@@ -469,16 +469,16 @@ static struct bpf_align_test tests[] = {
- 		.matches = {
- 			{4, "R5_w=pkt_end(id=0,off=0,imm=0)"},
- 			/* (ptr - ptr) << 2 == unknown, (4n) */
--			{6, "R5_w=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"},
-+			{6, "R5_w=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc)"},
- 			/* (4n) + 14 == (4n+2).  We blow our bounds, because
- 			 * the add could overflow.
- 			 */
--			{7, "R5_w=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"},
-+			{7, "R5_w=inv(id=0,smin_value=-9223372036854775806,smax_value=9223372036854775806,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"},
- 			/* Checked s>=0 */
--			{9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
-+			{9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"},
- 			/* packet pointer + nonnegative (4n+2) */
--			{11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
--			{13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
-+			{11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"},
-+			{13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"},
- 			/* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine.
- 			 * We checked the bounds, but it might have been able
- 			 * to overflow if the packet pointer started in the
-@@ -486,7 +486,7 @@ static struct bpf_align_test tests[] = {
- 			 * So we did not get a 'range' on R6, and the access
- 			 * attempt will fail.
- 			 */
--			{15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
-+			{15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"},
- 		}
- 	},
- 	{
-@@ -528,7 +528,7 @@ static struct bpf_align_test tests[] = {
- 			/* New unknown value in R7 is (4n) */
- 			{11, "R7_w=inv(id=0,umax_value=1020,var_off=(0x0; 0x3fc))"},
- 			/* Subtracting it from R6 blows our unsigned bounds */
--			{12, "R6=inv(id=0,smin_value=-1006,smax_value=1034,var_off=(0x2; 0xfffffffffffffffc))"},
-+			{12, "R6=inv(id=0,smin_value=-1006,smax_value=1034,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"},
- 			/* Checked s>= 0 */
- 			{14, "R6=inv(id=0,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc))"},
- 			/* At the time the word size load is performed from R5,
-@@ -537,7 +537,8 @@ static struct bpf_align_test tests[] = {
- 			 * the total offset is 4-byte aligned and meets the
- 			 * load's requirements.
- 			 */
--			{20, "R5=pkt(id=1,off=0,r=4,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc))"},
-+			{20, "R5=pkt(id=1,off=0,r=4,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc)"},
-+
- 		},
- 	},
- 	{
-@@ -579,18 +580,18 @@ static struct bpf_align_test tests[] = {
- 			/* Adding 14 makes R6 be (4n+2) */
- 			{11, "R6_w=inv(id=0,umin_value=14,umax_value=74,var_off=(0x2; 0x7c))"},
- 			/* Subtracting from packet pointer overflows ubounds */
--			{13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c))"},
-+			{13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c)"},
- 			/* New unknown value in R7 is (4n), >= 76 */
- 			{15, "R7_w=inv(id=0,umin_value=76,umax_value=1096,var_off=(0x0; 0x7fc))"},
- 			/* Adding it to packet pointer gives nice bounds again */
--			{16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"},
-+			{16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"},
- 			/* At the time the word size load is performed from R5,
- 			 * its total fixed offset is NET_IP_ALIGN + reg->off (0)
- 			 * which is 2.  Then the variable offset is (4n+2), so
- 			 * the total offset is 4-byte aligned and meets the
- 			 * load's requirements.
- 			 */
--			{20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"},
-+			{20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"},
- 		},
- 	},
- };
-diff --git a/tools/testing/selftests/bpf/verifier/bounds.c b/tools/testing/selftests/bpf/verifier/bounds.c
-index 92c02e4a1b626..313b345eddcc3 100644
---- a/tools/testing/selftests/bpf/verifier/bounds.c
-+++ b/tools/testing/selftests/bpf/verifier/bounds.c
-@@ -411,16 +411,14 @@
- 	BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31),
- 	/* r1 = 0xffff'fffe (NOT 0!) */
- 	BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2),
--	/* computes OOB pointer */
-+	/* error on computing OOB pointer */
- 	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
--	/* OOB access */
--	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
- 	/* exit */
- 	BPF_MOV64_IMM(BPF_REG_0, 0),
- 	BPF_EXIT_INSN(),
- 	},
- 	.fixup_map_hash_8b = { 3 },
--	.errstr = "R0 invalid mem access",
-+	.errstr = "math between map_value pointer and 4294967294 is not allowed",
- 	.result = REJECT,
- },
- {
-diff --git a/tools/testing/selftests/bpf/verifier/sock.c b/tools/testing/selftests/bpf/verifier/sock.c
-index 9ed192e14f5fe..b2ce50bb935b8 100644
---- a/tools/testing/selftests/bpf/verifier/sock.c
-+++ b/tools/testing/selftests/bpf/verifier/sock.c
-@@ -121,7 +121,25 @@
- 	.result = ACCEPT,
- },
- {
--	"sk_fullsock(skb->sk): sk->dst_port [narrow load]",
-+	"sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)",
-+	.insns = {
-+	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
-+	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
-+	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	},
-+	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
-+	.result = ACCEPT,
-+},
-+{
-+	"sk_fullsock(skb->sk): sk->dst_port [half load]",
- 	.insns = {
- 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
- 	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
-@@ -139,7 +157,64 @@
- 	.result = ACCEPT,
- },
- {
--	"sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]",
-+	"sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)",
-+	.insns = {
-+	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
-+	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
-+	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	},
-+	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
-+	.result = REJECT,
-+	.errstr = "invalid sock access",
-+},
-+{
-+	"sk_fullsock(skb->sk): sk->dst_port [byte load]",
-+	.insns = {
-+	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
-+	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
-+	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
-+	BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	},
-+	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
-+	.result = ACCEPT,
-+},
-+{
-+	"sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)",
-+	.insns = {
-+	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
-+	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
-+	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
-+	BPF_MOV64_IMM(BPF_REG_0, 0),
-+	BPF_EXIT_INSN(),
-+	},
-+	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
-+	.result = REJECT,
-+	.errstr = "invalid sock access",
-+},
-+{
-+	"sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)",
- 	.insns = {
- 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
- 	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
-@@ -149,7 +224,7 @@
- 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
- 	BPF_MOV64_IMM(BPF_REG_0, 0),
- 	BPF_EXIT_INSN(),
--	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
-+	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)),
- 	BPF_MOV64_IMM(BPF_REG_0, 0),
- 	BPF_EXIT_INSN(),
- 	},
-diff --git a/tools/testing/selftests/kvm/lib/aarch64/ucall.c b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
-index 6cd91970fbad3..3b2a426070c44 100644
---- a/tools/testing/selftests/kvm/lib/aarch64/ucall.c
-+++ b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
-@@ -73,20 +73,19 @@ void ucall_uninit(struct kvm_vm *vm)
- 
- void ucall(uint64_t cmd, int nargs, ...)
- {
--	struct ucall uc = {
--		.cmd = cmd,
--	};
-+	struct ucall uc = {};
- 	va_list va;
- 	int i;
- 
-+	WRITE_ONCE(uc.cmd, cmd);
- 	nargs = nargs <= UCALL_MAX_ARGS ? nargs : UCALL_MAX_ARGS;
- 
- 	va_start(va, nargs);
- 	for (i = 0; i < nargs; ++i)
--		uc.args[i] = va_arg(va, uint64_t);
-+		WRITE_ONCE(uc.args[i], va_arg(va, uint64_t));
- 	va_end(va);
- 
--	*ucall_exit_mmio_addr = (vm_vaddr_t)&uc;
-+	WRITE_ONCE(*ucall_exit_mmio_addr, (vm_vaddr_t)&uc);
- }
- 
- uint64_t get_ucall(struct kvm_vm *vm, uint32_t vcpu_id, struct ucall *uc)
-diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index 287444e52ccf8..4b445dddb7985 100644
---- a/virt/kvm/kvm_main.c
-+++ b/virt/kvm/kvm_main.c
-@@ -3329,8 +3329,11 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
- 		kvm_put_kvm(kvm);
- 		mutex_lock(&kvm->lock);
- 		list_del(&dev->vm_node);
-+		if (ops->release)
-+			ops->release(dev);
- 		mutex_unlock(&kvm->lock);
--		ops->destroy(dev);
-+		if (ops->destroy)
-+			ops->destroy(dev);
- 		return ret;
- 	}
-