diff options
| author |   Mike Pagano <mpagano@gentoo.org> | 2016-01-31 18:31:11 -0500 |
|---|---|---|
| committer | Mike Pagano <mpagano@gentoo.org> | 2016-01-31 18:31:11 -0500 |
| commit | 5c6031723f80c0670aa5fe939f24cbcbbfc2cbcd (patch) | |
| tree | b2de6fb78d1280fca4bc34d733714401c07a99bb | |
| parent | Linux 4.3.4. Includes patch for CVE-2016-0728 (diff) | |
| download | linux-patches-5c6031723f80c0670aa5fe939f24cbcbbfc2cbcd.tar.gz linux-patches-5c6031723f80c0670aa5fe939f24cbcbbfc2cbcd.tar.bz2 linux-patches-5c6031723f80c0670aa5fe939f24cbcbbfc2cbcd.zip | |
Linux patch 4.3.54.3-7
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1004_linux-4.3.5.patch | 5981 |
2 files changed, 5985 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 5f4c1bc5..74a7d33e 100644 --- a/0000_README +++ b/0000_README @@ -59,6 +59,10 @@ Patch: 1003_linux-4.3.4.patch From: http://www.kernel.org Desc: Linux 4.3.4 +Patch: 1004_linux-4.3.5.patch +From: http://www.kernel.org +Desc: Linux 4.3.5 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1004_linux-4.3.5.patch b/1004_linux-4.3.5.patch new file mode 100644 index 00000000..e04b2cb2 --- /dev/null +++ b/1004_linux-4.3.5.patch @@ -0,0 +1,5981 @@ +diff --git a/Documentation/ABI/testing/sysfs-bus-usb b/Documentation/ABI/testing/sysfs-bus-usb +index 864637f25bee..01c7a41c18ac 100644 +--- a/Documentation/ABI/testing/sysfs-bus-usb ++++ b/Documentation/ABI/testing/sysfs-bus-usb +@@ -114,19 +114,21 @@ Description: + enabled for the device. Developer can write y/Y/1 or n/N/0 to + the file to enable/disable the feature. + +-What: /sys/bus/usb/devices/.../power/usb3_hardware_lpm +-Date: June 2015 ++What: /sys/bus/usb/devices/.../power/usb3_hardware_lpm_u1 ++ /sys/bus/usb/devices/.../power/usb3_hardware_lpm_u2 ++Date: November 2015 + Contact: Kevin Strasser <kevin.strasser@linux.intel.com> ++ Lu Baolu <baolu.lu@linux.intel.com> + Description: + If CONFIG_PM is set and a USB 3.0 lpm-capable device is plugged + in to a xHCI host which supports link PM, it will check if U1 + and U2 exit latencies have been set in the BOS descriptor; if +- the check is is passed and the host supports USB3 hardware LPM, ++ the check is passed and the host supports USB3 hardware LPM, + USB3 hardware LPM will be enabled for the device and the USB +- device directory will contain a file named +- power/usb3_hardware_lpm. The file holds a string value (enable +- or disable) indicating whether or not USB3 hardware LPM is +- enabled for the device. ++ device directory will contain two files named ++ power/usb3_hardware_lpm_u1 and power/usb3_hardware_lpm_u2. These ++ files hold a string value (enable or disable) indicating whether ++ or not USB3 hardware LPM U1 or U2 is enabled for the device. + + What: /sys/bus/usb/devices/.../removable + Date: February 2012 +diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt +index 4a15c90bc11d..0a94ffe17ab6 100644 +--- a/Documentation/usb/power-management.txt ++++ b/Documentation/usb/power-management.txt +@@ -537,17 +537,18 @@ relevant attribute files are usb2_hardware_lpm and usb3_hardware_lpm. + can write y/Y/1 or n/N/0 to the file to enable/disable + USB2 hardware LPM manually. This is for test purpose mainly. + +- power/usb3_hardware_lpm ++ power/usb3_hardware_lpm_u1 ++ power/usb3_hardware_lpm_u2 + + When a USB 3.0 lpm-capable device is plugged in to a + xHCI host which supports link PM, it will check if U1 + and U2 exit latencies have been set in the BOS + descriptor; if the check is is passed and the host + supports USB3 hardware LPM, USB3 hardware LPM will be +- enabled for the device and this file will be created. +- The file holds a string value (enable or disable) +- indicating whether or not USB3 hardware LPM is +- enabled for the device. ++ enabled for the device and these files will be created. ++ The files hold a string value (enable or disable) ++ indicating whether or not USB3 hardware LPM U1 or U2 ++ is enabled for the device. + + USB Port Power Control + ---------------------- +diff --git a/Makefile b/Makefile +index 69430ed64270..efc7a766c470 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 3 +-SUBLEVEL = 4 ++SUBLEVEL = 5 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c +index 6984342da13d..61d96a645ff3 100644 +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -98,6 +98,11 @@ static void kvm_flush_dcache_pud(pud_t pud) + __kvm_flush_dcache_pud(pud); + } + ++static bool kvm_is_device_pfn(unsigned long pfn) ++{ ++ return !pfn_valid(pfn); ++} ++ + /** + * stage2_dissolve_pmd() - clear and flush huge PMD entry + * @kvm: pointer to kvm structure. +@@ -213,7 +218,7 @@ static void unmap_ptes(struct kvm *kvm, pmd_t *pmd, + kvm_tlb_flush_vmid_ipa(kvm, addr); + + /* No need to invalidate the cache for device mappings */ +- if ((pte_val(old_pte) & PAGE_S2_DEVICE) != PAGE_S2_DEVICE) ++ if (!kvm_is_device_pfn(pte_pfn(old_pte))) + kvm_flush_dcache_pte(old_pte); + + put_page(virt_to_page(pte)); +@@ -305,8 +310,7 @@ static void stage2_flush_ptes(struct kvm *kvm, pmd_t *pmd, + + pte = pte_offset_kernel(pmd, addr); + do { +- if (!pte_none(*pte) && +- (pte_val(*pte) & PAGE_S2_DEVICE) != PAGE_S2_DEVICE) ++ if (!pte_none(*pte) && !kvm_is_device_pfn(pte_pfn(*pte))) + kvm_flush_dcache_pte(*pte); + } while (pte++, addr += PAGE_SIZE, addr != end); + } +@@ -1037,11 +1041,6 @@ static bool kvm_is_write_fault(struct kvm_vcpu *vcpu) + return kvm_vcpu_dabt_iswrite(vcpu); + } + +-static bool kvm_is_device_pfn(unsigned long pfn) +-{ +- return !pfn_valid(pfn); +-} +- + /** + * stage2_wp_ptes - write protect PMD range + * @pmd: pointer to pmd entry +diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c +index b8efb8cd1f73..4d25fd0fae10 100644 +--- a/arch/arm/net/bpf_jit_32.c ++++ b/arch/arm/net/bpf_jit_32.c +@@ -182,19 +182,6 @@ static inline int mem_words_used(struct jit_ctx *ctx) + return fls(ctx->seen & SEEN_MEM); + } + +-static inline bool is_load_to_a(u16 inst) +-{ +- switch (inst) { +- case BPF_LD | BPF_W | BPF_LEN: +- case BPF_LD | BPF_W | BPF_ABS: +- case BPF_LD | BPF_H | BPF_ABS: +- case BPF_LD | BPF_B | BPF_ABS: +- return true; +- default: +- return false; +- } +-} +- + static void jit_fill_hole(void *area, unsigned int size) + { + u32 *ptr; +@@ -206,7 +193,6 @@ static void jit_fill_hole(void *area, unsigned int size) + static void build_prologue(struct jit_ctx *ctx) + { + u16 reg_set = saved_regs(ctx); +- u16 first_inst = ctx->skf->insns[0].code; + u16 off; + + #ifdef CONFIG_FRAME_POINTER +@@ -236,7 +222,7 @@ static void build_prologue(struct jit_ctx *ctx) + emit(ARM_MOV_I(r_X, 0), ctx); + + /* do not leak kernel data to userspace */ +- if ((first_inst != (BPF_RET | BPF_K)) && !(is_load_to_a(first_inst))) ++ if (bpf_needs_clear_a(&ctx->skf->insns[0])) + emit(ARM_MOV_I(r_A, 0), ctx); + + /* stack space for the BPF_MEM words */ +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 07d1811aa03f..a92266e634cd 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -311,6 +311,27 @@ config ARM64_ERRATUM_832075 + + If unsure, say Y. + ++config ARM64_ERRATUM_834220 ++ bool "Cortex-A57: 834220: Stage 2 translation fault might be incorrectly reported in presence of a Stage 1 fault" ++ depends on KVM ++ default y ++ help ++ This option adds an alternative code sequence to work around ARM ++ erratum 834220 on Cortex-A57 parts up to r1p2. ++ ++ Affected Cortex-A57 parts might report a Stage 2 translation ++ fault as a the result of a Stage 1 fault for a load crossing ++ a page boundary when there is a Stage 1 permission or device ++ memory alignment fault and a Stage 2 translation fault ++ ++ The workaround is to verify that the Stage-1 translation ++ doesn't generate a fault before handling the Stage-2 fault. ++ Please note that this does not necessarily enable the workaround, ++ as it depends on the alternative framework, which will only patch ++ the kernel if an affected CPU is detected. ++ ++ If unsure, say Y. ++ + config ARM64_ERRATUM_845719 + bool "Cortex-A53: 845719: a load might read incorrect data" + depends on COMPAT +diff --git a/arch/arm64/include/asm/atomic_ll_sc.h b/arch/arm64/include/asm/atomic_ll_sc.h +index b3b5c4ae3800..af5b9d5c5c23 100644 +--- a/arch/arm64/include/asm/atomic_ll_sc.h ++++ b/arch/arm64/include/asm/atomic_ll_sc.h +@@ -211,7 +211,7 @@ __CMPXCHG_CASE( , , mb_8, dmb ish, l, "memory") + #undef __CMPXCHG_CASE + + #define __CMPXCHG_DBL(name, mb, rel, cl) \ +-__LL_SC_INLINE int \ ++__LL_SC_INLINE long \ + __LL_SC_PREFIX(__cmpxchg_double##name(unsigned long old1, \ + unsigned long old2, \ + unsigned long new1, \ +diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/atomic_lse.h +index 55d740e63459..4d548aa54b21 100644 +--- a/arch/arm64/include/asm/atomic_lse.h ++++ b/arch/arm64/include/asm/atomic_lse.h +@@ -348,7 +348,7 @@ __CMPXCHG_CASE(x, , mb_8, al, "memory") + #define __LL_SC_CMPXCHG_DBL(op) __LL_SC_CALL(__cmpxchg_double##op) + + #define __CMPXCHG_DBL(name, mb, cl...) \ +-static inline int __cmpxchg_double##name(unsigned long old1, \ ++static inline long __cmpxchg_double##name(unsigned long old1, \ + unsigned long old2, \ + unsigned long new1, \ + unsigned long new2, \ +diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +index 171570702bb8..a1a5981526fe 100644 +--- a/arch/arm64/include/asm/cpufeature.h ++++ b/arch/arm64/include/asm/cpufeature.h +@@ -27,8 +27,9 @@ + #define ARM64_HAS_SYSREG_GIC_CPUIF 3 + #define ARM64_HAS_PAN 4 + #define ARM64_HAS_LSE_ATOMICS 5 ++#define ARM64_WORKAROUND_834220 6 + +-#define ARM64_NCAPS 6 ++#define ARM64_NCAPS 7 + + #ifndef __ASSEMBLY__ + +diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h +index 17e92f05b1fe..3ca894ecf699 100644 +--- a/arch/arm64/include/asm/kvm_emulate.h ++++ b/arch/arm64/include/asm/kvm_emulate.h +@@ -99,11 +99,13 @@ static inline void vcpu_set_thumb(struct kvm_vcpu *vcpu) + *vcpu_cpsr(vcpu) |= COMPAT_PSR_T_BIT; + } + ++/* ++ * vcpu_reg should always be passed a register number coming from a ++ * read of ESR_EL2. Otherwise, it may give the wrong result on AArch32 ++ * with banked registers. ++ */ + static inline unsigned long *vcpu_reg(const struct kvm_vcpu *vcpu, u8 reg_num) + { +- if (vcpu_mode_is_32bit(vcpu)) +- return vcpu_reg32(vcpu, reg_num); +- + return (unsigned long *)&vcpu_gp_regs(vcpu)->regs.regs[reg_num]; + } + +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c +index 6ffd91438560..dc0df822def3 100644 +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -74,6 +74,15 @@ const struct arm64_cpu_capabilities arm64_errata[] = { + (1 << MIDR_VARIANT_SHIFT) | 2), + }, + #endif ++#ifdef CONFIG_ARM64_ERRATUM_834220 ++ { ++ /* Cortex-A57 r0p0 - r1p2 */ ++ .desc = "ARM erratum 834220", ++ .capability = ARM64_WORKAROUND_834220, ++ MIDR_RANGE(MIDR_CORTEX_A57, 0x00, ++ (1 << MIDR_VARIANT_SHIFT) | 2), ++ }, ++#endif + #ifdef CONFIG_ARM64_ERRATUM_845719 + { + /* Cortex-A53 r0p[01234] */ +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S +index 90d09eddd5b2..b84ef8376471 100644 +--- a/arch/arm64/kernel/head.S ++++ b/arch/arm64/kernel/head.S +@@ -524,9 +524,14 @@ CPU_LE( movk x0, #0x30d0, lsl #16 ) // Clear EE and E0E on LE systems + #endif + + /* EL2 debug */ ++ mrs x0, id_aa64dfr0_el1 // Check ID_AA64DFR0_EL1 PMUVer ++ sbfx x0, x0, #8, #4 ++ cmp x0, #1 ++ b.lt 4f // Skip if no PMU present + mrs x0, pmcr_el0 // Disable debug access traps + ubfx x0, x0, #11, #5 // to EL2 and allow access to + msr mdcr_el2, x0 // all PMU counters from EL1 ++4: + + /* Stage-2 translation */ + msr vttbr_el2, xzr +diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c +index f9a74d4fff3b..f325af5b38e3 100644 +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -1159,9 +1159,6 @@ static void armv8pmu_reset(void *info) + + /* Initialize & Reset PMNC: C and P bits. */ + armv8pmu_pmcr_write(ARMV8_PMCR_P | ARMV8_PMCR_C); +- +- /* Disable access from userspace. */ +- asm volatile("msr pmuserenr_el0, %0" :: "r" (0)); + } + + static int armv8_pmuv3_map_event(struct perf_event *event) +diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c +index 1971f491bb90..ff7f13239515 100644 +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -58,6 +58,12 @@ + */ + void ptrace_disable(struct task_struct *child) + { ++ /* ++ * This would be better off in core code, but PTRACE_DETACH has ++ * grown its fair share of arch-specific worts and changing it ++ * is likely to cause regressions on obscure architectures. ++ */ ++ user_disable_single_step(child); + } + + #ifdef CONFIG_HAVE_HW_BREAKPOINT +diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c +index 232247945b1c..9f17dc72645a 100644 +--- a/arch/arm64/kernel/setup.c ++++ b/arch/arm64/kernel/setup.c +@@ -558,6 +558,10 @@ static int c_show(struct seq_file *m, void *v) + */ + seq_printf(m, "processor\t: %d\n", i); + ++ seq_printf(m, "BogoMIPS\t: %lu.%02lu\n", ++ loops_per_jiffy / (500000UL/HZ), ++ loops_per_jiffy / (5000UL/HZ) % 100); ++ + /* + * Dump out the common processor features in a single line. + * Userspace should read the hwcaps with getauxval(AT_HWCAP) +diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c +index 44ca4143b013..dd6ad81d53aa 100644 +--- a/arch/arm64/kernel/suspend.c ++++ b/arch/arm64/kernel/suspend.c +@@ -1,3 +1,4 @@ ++#include <linux/ftrace.h> + #include <linux/percpu.h> + #include <linux/slab.h> + #include <asm/cacheflush.h> +@@ -71,6 +72,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) + local_dbg_save(flags); + + /* ++ * Function graph tracer state gets incosistent when the kernel ++ * calls functions that never return (aka suspend finishers) hence ++ * disable graph tracing during their execution. ++ */ ++ pause_graph_tracing(); ++ ++ /* + * mm context saved on the stack, it will be restored when + * the cpu comes out of reset through the identity mapped + * page tables, so that the thread address space is properly +@@ -111,6 +119,8 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) + hw_breakpoint_restore(NULL); + } + ++ unpause_graph_tracing(); ++ + /* + * Restore pstate flags. OS lock and mdscr have been already + * restored, so from this point onwards, debugging is fully +diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S +index e5836138ec42..3e840649b133 100644 +--- a/arch/arm64/kvm/hyp.S ++++ b/arch/arm64/kvm/hyp.S +@@ -1007,9 +1007,15 @@ el1_trap: + b.ne 1f // Not an abort we care about + + /* This is an abort. Check for permission fault */ ++alternative_if_not ARM64_WORKAROUND_834220 + and x2, x1, #ESR_ELx_FSC_TYPE + cmp x2, #FSC_PERM + b.ne 1f // Not a permission fault ++alternative_else ++ nop // Force a Stage-1 translation to occur ++ nop // and return to the guest if it failed ++ nop ++alternative_endif + + /* + * Check for Stage-1 page table walk, which is guaranteed +diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c +index 85c57158dcd9..648112e90ed5 100644 +--- a/arch/arm64/kvm/inject_fault.c ++++ b/arch/arm64/kvm/inject_fault.c +@@ -48,7 +48,7 @@ static void prepare_fault32(struct kvm_vcpu *vcpu, u32 mode, u32 vect_offset) + + /* Note: These now point to the banked copies */ + *vcpu_spsr(vcpu) = new_spsr_value; +- *vcpu_reg(vcpu, 14) = *vcpu_pc(vcpu) + return_offset; ++ *vcpu_reg32(vcpu, 14) = *vcpu_pc(vcpu) + return_offset; + + /* Branch to exception vector */ + if (sctlr & (1 << 13)) +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index 9211b8527f25..9317974c9b8e 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -451,6 +451,9 @@ void __init paging_init(void) + + empty_zero_page = virt_to_page(zero_page); + ++ /* Ensure the zero page is visible to the page table walker */ ++ dsb(ishst); ++ + /* + * TTBR0 is only used for the identity mapping at this stage. Make it + * point to zero page to avoid speculatively fetching new entries. +diff --git a/arch/arm64/mm/proc-macros.S b/arch/arm64/mm/proc-macros.S +index 4c4d93c4bf65..d69dffffaa89 100644 +--- a/arch/arm64/mm/proc-macros.S ++++ b/arch/arm64/mm/proc-macros.S +@@ -62,3 +62,15 @@ + bfi \valreg, \tmpreg, #TCR_T0SZ_OFFSET, #TCR_TxSZ_WIDTH + #endif + .endm ++ ++/* ++ * reset_pmuserenr_el0 - reset PMUSERENR_EL0 if PMUv3 present ++ */ ++ .macro reset_pmuserenr_el0, tmpreg ++ mrs \tmpreg, id_aa64dfr0_el1 // Check ID_AA64DFR0_EL1 PMUVer ++ sbfx \tmpreg, \tmpreg, #8, #4 ++ cmp \tmpreg, #1 // Skip if no PMU present ++ b.lt 9000f ++ msr pmuserenr_el0, xzr // Disable PMU access from EL0 ++9000: ++ .endm +diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S +index e4ee7bd8830a..b722d3e26185 100644 +--- a/arch/arm64/mm/proc.S ++++ b/arch/arm64/mm/proc.S +@@ -115,6 +115,7 @@ ENTRY(cpu_do_resume) + */ + ubfx x11, x11, #1, #1 + msr oslar_el1, x11 ++ reset_pmuserenr_el0 x0 // Disable PMU access from EL0 + mov x0, x12 + dsb nsh // Make sure local tlb invalidation completed + isb +@@ -153,6 +154,7 @@ ENTRY(__cpu_setup) + msr cpacr_el1, x0 // Enable FP/ASIMD + mov x0, #1 << 12 // Reset mdscr_el1 and disable + msr mdscr_el1, x0 // access to the DCC from EL0 ++ reset_pmuserenr_el0 x0 // Disable PMU access from EL0 + /* + * Memory region attributes for LPAE: + * +diff --git a/arch/arm64/net/bpf_jit.h b/arch/arm64/net/bpf_jit.h +index 98a26ce82d26..aee5637ea436 100644 +--- a/arch/arm64/net/bpf_jit.h ++++ b/arch/arm64/net/bpf_jit.h +@@ -1,7 +1,7 @@ + /* + * BPF JIT compiler for ARM64 + * +- * Copyright (C) 2014 Zi Shen Lim <zlim.lnx@gmail.com> ++ * Copyright (C) 2014-2015 Zi Shen Lim <zlim.lnx@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -35,6 +35,7 @@ + aarch64_insn_gen_comp_branch_imm(0, offset, Rt, A64_VARIANT(sf), \ + AARCH64_INSN_BRANCH_COMP_##type) + #define A64_CBZ(sf, Rt, imm19) A64_COMP_BRANCH(sf, Rt, (imm19) << 2, ZERO) ++#define A64_CBNZ(sf, Rt, imm19) A64_COMP_BRANCH(sf, Rt, (imm19) << 2, NONZERO) + + /* Conditional branch (immediate) */ + #define A64_COND_BRANCH(cond, offset) \ +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index c047598b09e0..6217f80702d2 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -1,7 +1,7 @@ + /* + * BPF JIT compiler for ARM64 + * +- * Copyright (C) 2014 Zi Shen Lim <zlim.lnx@gmail.com> ++ * Copyright (C) 2014-2015 Zi Shen Lim <zlim.lnx@gmail.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -225,6 +225,17 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx) + u8 jmp_cond; + s32 jmp_offset; + ++#define check_imm(bits, imm) do { \ ++ if ((((imm) > 0) && ((imm) >> (bits))) || \ ++ (((imm) < 0) && (~(imm) >> (bits)))) { \ ++ pr_info("[%2d] imm=%d(0x%x) out of range\n", \ ++ i, imm, imm); \ ++ return -EINVAL; \ ++ } \ ++} while (0) ++#define check_imm19(imm) check_imm(19, imm) ++#define check_imm26(imm) check_imm(26, imm) ++ + switch (code) { + /* dst = src */ + case BPF_ALU | BPF_MOV | BPF_X: +@@ -258,15 +269,33 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx) + break; + case BPF_ALU | BPF_DIV | BPF_X: + case BPF_ALU64 | BPF_DIV | BPF_X: +- emit(A64_UDIV(is64, dst, dst, src), ctx); +- break; + case BPF_ALU | BPF_MOD | BPF_X: + case BPF_ALU64 | BPF_MOD | BPF_X: +- ctx->tmp_used = 1; +- emit(A64_UDIV(is64, tmp, dst, src), ctx); +- emit(A64_MUL(is64, tmp, tmp, src), ctx); +- emit(A64_SUB(is64, dst, dst, tmp), ctx); ++ { ++ const u8 r0 = bpf2a64[BPF_REG_0]; ++ ++ /* if (src == 0) return 0 */ ++ jmp_offset = 3; /* skip ahead to else path */ ++ check_imm19(jmp_offset); ++ emit(A64_CBNZ(is64, src, jmp_offset), ctx); ++ emit(A64_MOVZ(1, r0, 0, 0), ctx); ++ jmp_offset = epilogue_offset(ctx); ++ check_imm26(jmp_offset); ++ emit(A64_B(jmp_offset), ctx); ++ /* else */ ++ switch (BPF_OP(code)) { ++ case BPF_DIV: ++ emit(A64_UDIV(is64, dst, dst, src), ctx); ++ break; ++ case BPF_MOD: ++ ctx->tmp_used = 1; ++ emit(A64_UDIV(is64, tmp, dst, src), ctx); ++ emit(A64_MUL(is64, tmp, tmp, src), ctx); ++ emit(A64_SUB(is64, dst, dst, tmp), ctx); ++ break; ++ } + break; ++ } + case BPF_ALU | BPF_LSH | BPF_X: + case BPF_ALU64 | BPF_LSH | BPF_X: + emit(A64_LSLV(is64, dst, dst, src), ctx); +@@ -393,17 +422,6 @@ emit_bswap_uxt: + emit(A64_ASR(is64, dst, dst, imm), ctx); + break; + +-#define check_imm(bits, imm) do { \ +- if ((((imm) > 0) && ((imm) >> (bits))) || \ +- (((imm) < 0) && (~(imm) >> (bits)))) { \ +- pr_info("[%2d] imm=%d(0x%x) out of range\n", \ +- i, imm, imm); \ +- return -EINVAL; \ +- } \ +-} while (0) +-#define check_imm19(imm) check_imm(19, imm) +-#define check_imm26(imm) check_imm(26, imm) +- + /* JUMP off */ + case BPF_JMP | BPF_JA: + jmp_offset = bpf2a64_offset(i + off, i, ctx); +diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c +index 0c4a133f6216..26e947d61040 100644 +--- a/arch/mips/net/bpf_jit.c ++++ b/arch/mips/net/bpf_jit.c +@@ -521,19 +521,6 @@ static inline u16 align_sp(unsigned int num) + return num; + } + +-static bool is_load_to_a(u16 inst) +-{ +- switch (inst) { +- case BPF_LD | BPF_W | BPF_LEN: +- case BPF_LD | BPF_W | BPF_ABS: +- case BPF_LD | BPF_H | BPF_ABS: +- case BPF_LD | BPF_B | BPF_ABS: +- return true; +- default: +- return false; +- } +-} +- + static void save_bpf_jit_regs(struct jit_ctx *ctx, unsigned offset) + { + int i = 0, real_off = 0; +@@ -614,7 +601,6 @@ static unsigned int get_stack_depth(struct jit_ctx *ctx) + + static void build_prologue(struct jit_ctx *ctx) + { +- u16 first_inst = ctx->skf->insns[0].code; + int sp_off; + + /* Calculate the total offset for the stack pointer */ +@@ -641,7 +627,7 @@ static void build_prologue(struct jit_ctx *ctx) + emit_jit_reg_move(r_X, r_zero, ctx); + + /* Do not leak kernel data to userspace */ +- if ((first_inst != (BPF_RET | BPF_K)) && !(is_load_to_a(first_inst))) ++ if (bpf_needs_clear_a(&ctx->skf->insns[0])) + emit_jit_reg_move(r_A, r_zero, ctx); + } + +diff --git a/arch/mn10300/Kconfig b/arch/mn10300/Kconfig +index 4434b54e1d87..78ae5552fdb8 100644 +--- a/arch/mn10300/Kconfig ++++ b/arch/mn10300/Kconfig +@@ -1,6 +1,7 @@ + config MN10300 + def_bool y + select HAVE_OPROFILE ++ select HAVE_UID16 + select GENERIC_IRQ_SHOW + select ARCH_WANT_IPC_PARSE_VERSION + select HAVE_ARCH_TRACEHOOK +@@ -37,9 +38,6 @@ config HIGHMEM + config NUMA + def_bool n + +-config UID16 +- def_bool y +- + config RWSEM_GENERIC_SPINLOCK + def_bool y + +diff --git a/arch/powerpc/include/asm/cmpxchg.h b/arch/powerpc/include/asm/cmpxchg.h +index ad6263cffb0f..d1a8d93cccfd 100644 +--- a/arch/powerpc/include/asm/cmpxchg.h ++++ b/arch/powerpc/include/asm/cmpxchg.h +@@ -18,12 +18,12 @@ __xchg_u32(volatile void *p, unsigned long val) + unsigned long prev; + + __asm__ __volatile__( +- PPC_RELEASE_BARRIER ++ PPC_ATOMIC_ENTRY_BARRIER + "1: lwarx %0,0,%2 \n" + PPC405_ERR77(0,%2) + " stwcx. %3,0,%2 \n\ + bne- 1b" +- PPC_ACQUIRE_BARRIER ++ PPC_ATOMIC_EXIT_BARRIER + : "=&r" (prev), "+m" (*(volatile unsigned int *)p) + : "r" (p), "r" (val) + : "cc", "memory"); +@@ -61,12 +61,12 @@ __xchg_u64(volatile void *p, unsigned long val) + unsigned long prev; + + __asm__ __volatile__( +- PPC_RELEASE_BARRIER ++ PPC_ATOMIC_ENTRY_BARRIER + "1: ldarx %0,0,%2 \n" + PPC405_ERR77(0,%2) + " stdcx. %3,0,%2 \n\ + bne- 1b" +- PPC_ACQUIRE_BARRIER ++ PPC_ATOMIC_EXIT_BARRIER + : "=&r" (prev), "+m" (*(volatile unsigned long *)p) + : "r" (p), "r" (val) + : "cc", "memory"); +@@ -151,14 +151,14 @@ __cmpxchg_u32(volatile unsigned int *p, unsigned long old, unsigned long new) + unsigned int prev; + + __asm__ __volatile__ ( +- PPC_RELEASE_BARRIER ++ PPC_ATOMIC_ENTRY_BARRIER + "1: lwarx %0,0,%2 # __cmpxchg_u32\n\ + cmpw 0,%0,%3\n\ + bne- 2f\n" + PPC405_ERR77(0,%2) + " stwcx. %4,0,%2\n\ + bne- 1b" +- PPC_ACQUIRE_BARRIER ++ PPC_ATOMIC_EXIT_BARRIER + "\n\ + 2:" + : "=&r" (prev), "+m" (*p) +@@ -197,13 +197,13 @@ __cmpxchg_u64(volatile unsigned long *p, unsigned long old, unsigned long new) + unsigned long prev; + + __asm__ __volatile__ ( +- PPC_RELEASE_BARRIER ++ PPC_ATOMIC_ENTRY_BARRIER + "1: ldarx %0,0,%2 # __cmpxchg_u64\n\ + cmpd 0,%0,%3\n\ + bne- 2f\n\ + stdcx. %4,0,%2\n\ + bne- 1b" +- PPC_ACQUIRE_BARRIER ++ PPC_ATOMIC_EXIT_BARRIER + "\n\ + 2:" + : "=&r" (prev), "+m" (*p) +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h +index a908ada8e0a5..2220f7a60def 100644 +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -108,6 +108,7 @@ + #define MSR_TS_T __MASK(MSR_TS_T_LG) /* Transaction Transactional */ + #define MSR_TS_MASK (MSR_TS_T | MSR_TS_S) /* Transaction State bits */ + #define MSR_TM_ACTIVE(x) (((x) & MSR_TS_MASK) != 0) /* Transaction active? */ ++#define MSR_TM_RESV(x) (((x) & MSR_TS_MASK) == MSR_TS_MASK) /* Reserved */ + #define MSR_TM_TRANSACTIONAL(x) (((x) & MSR_TS_MASK) == MSR_TS_T) + #define MSR_TM_SUSPENDED(x) (((x) & MSR_TS_MASK) == MSR_TS_S) + +diff --git a/arch/powerpc/include/asm/synch.h b/arch/powerpc/include/asm/synch.h +index e682a7143edb..c50868681f9e 100644 +--- a/arch/powerpc/include/asm/synch.h ++++ b/arch/powerpc/include/asm/synch.h +@@ -44,7 +44,7 @@ static inline void isync(void) + MAKE_LWSYNC_SECTION_ENTRY(97, __lwsync_fixup); + #define PPC_ACQUIRE_BARRIER "\n" stringify_in_c(__PPC_ACQUIRE_BARRIER) + #define PPC_RELEASE_BARRIER stringify_in_c(LWSYNC) "\n" +-#define PPC_ATOMIC_ENTRY_BARRIER "\n" stringify_in_c(LWSYNC) "\n" ++#define PPC_ATOMIC_ENTRY_BARRIER "\n" stringify_in_c(sync) "\n" + #define PPC_ATOMIC_EXIT_BARRIER "\n" stringify_in_c(sync) "\n" + #else + #define PPC_ACQUIRE_BARRIER +diff --git a/arch/powerpc/include/uapi/asm/elf.h b/arch/powerpc/include/uapi/asm/elf.h +index 59dad113897b..c2d21d11c2d2 100644 +--- a/arch/powerpc/include/uapi/asm/elf.h ++++ b/arch/powerpc/include/uapi/asm/elf.h +@@ -295,6 +295,8 @@ do { \ + #define R_PPC64_TLSLD 108 + #define R_PPC64_TOCSAVE 109 + ++#define R_PPC64_ENTRY 118 ++ + #define R_PPC64_REL16 249 + #define R_PPC64_REL16_LO 250 + #define R_PPC64_REL16_HI 251 +diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c +index 68384514506b..59663af9315f 100644 +--- a/arch/powerpc/kernel/module_64.c ++++ b/arch/powerpc/kernel/module_64.c +@@ -635,6 +635,33 @@ int apply_relocate_add(Elf64_Shdr *sechdrs, + */ + break; + ++ case R_PPC64_ENTRY: ++ /* ++ * Optimize ELFv2 large code model entry point if ++ * the TOC is within 2GB range of current location. ++ */ ++ value = my_r2(sechdrs, me) - (unsigned long)location; ++ if (value + 0x80008000 > 0xffffffff) ++ break; ++ /* ++ * Check for the large code model prolog sequence: ++ * ld r2, ...(r12) ++ * add r2, r2, r12 ++ */ ++ if ((((uint32_t *)location)[0] & ~0xfffc) ++ != 0xe84c0000) ++ break; ++ if (((uint32_t *)location)[1] != 0x7c426214) ++ break; ++ /* ++ * If found, replace it with: ++ * addis r2, r12, (.TOC.-func)@ha ++ * addi r2, r12, (.TOC.-func)@l ++ */ ++ ((uint32_t *)location)[0] = 0x3c4c0000 + PPC_HA(value); ++ ((uint32_t *)location)[1] = 0x38420000 + PPC_LO(value); ++ break; ++ + case R_PPC64_REL16_HA: + /* Subtract location pointer */ + value -= (unsigned long)location; +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index 75b6676c1a0b..646bf4d222c1 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -551,6 +551,24 @@ static void tm_reclaim_thread(struct thread_struct *thr, + msr_diff &= MSR_FP | MSR_VEC | MSR_VSX | MSR_FE0 | MSR_FE1; + } + ++ /* ++ * Use the current MSR TM suspended bit to track if we have ++ * checkpointed state outstanding. ++ * On signal delivery, we'd normally reclaim the checkpointed ++ * state to obtain stack pointer (see:get_tm_stackpointer()). ++ * This will then directly return to userspace without going ++ * through __switch_to(). However, if the stack frame is bad, ++ * we need to exit this thread which calls __switch_to() which ++ * will again attempt to reclaim the already saved tm state. ++ * Hence we need to check that we've not already reclaimed ++ * this state. ++ * We do this using the current MSR, rather tracking it in ++ * some specific thread_struct bit, as it has the additional ++ * benifit of checking for a potential TM bad thing exception. ++ */ ++ if (!MSR_TM_SUSPENDED(mfmsr())) ++ return; ++ + tm_reclaim(thr, thr->regs->msr, cause); + + /* Having done the reclaim, we now have the checkpointed +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index 0dbee465af7a..ef7c24e84a62 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -875,6 +875,15 @@ static long restore_tm_user_regs(struct pt_regs *regs, + return 1; + #endif /* CONFIG_SPE */ + ++ /* Get the top half of the MSR from the user context */ ++ if (__get_user(msr_hi, &tm_sr->mc_gregs[PT_MSR])) ++ return 1; ++ msr_hi <<= 32; ++ /* If TM bits are set to the reserved value, it's an invalid context */ ++ if (MSR_TM_RESV(msr_hi)) ++ return 1; ++ /* Pull in the MSR TM bits from the user context */ ++ regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr_hi & MSR_TS_MASK); + /* Now, recheckpoint. This loads up all of the checkpointed (older) + * registers, including FP and V[S]Rs. After recheckpointing, the + * transactional versions should be loaded. +@@ -884,11 +893,6 @@ static long restore_tm_user_regs(struct pt_regs *regs, + current->thread.tm_texasr |= TEXASR_FS; + /* This loads the checkpointed FP/VEC state, if used */ + tm_recheckpoint(¤t->thread, msr); +- /* Get the top half of the MSR */ +- if (__get_user(msr_hi, &tm_sr->mc_gregs[PT_MSR])) +- return 1; +- /* Pull in MSR TM from user context */ +- regs->msr = (regs->msr & ~MSR_TS_MASK) | ((msr_hi<<32) & MSR_TS_MASK); + + /* This loads the speculative FP/VEC state, if used */ + if (msr & MSR_FP) { +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index 20756dfb9f34..c676ecec0869 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -438,6 +438,10 @@ static long restore_tm_sigcontexts(struct pt_regs *regs, + + /* get MSR separately, transfer the LE bit if doing signal return */ + err |= __get_user(msr, &sc->gp_regs[PT_MSR]); ++ /* Don't allow reserved mode. */ ++ if (MSR_TM_RESV(msr)) ++ return -EINVAL; ++ + /* pull in MSR TM from user context */ + regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK); + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 9c26c5a96ea2..a7352b59e6f9 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -224,6 +224,12 @@ static void kvmppc_core_vcpu_put_hv(struct kvm_vcpu *vcpu) + + static void kvmppc_set_msr_hv(struct kvm_vcpu *vcpu, u64 msr) + { ++ /* ++ * Check for illegal transactional state bit combination ++ * and if we find it, force the TS field to a safe state. ++ */ ++ if ((msr & MSR_TS_MASK) == MSR_TS_MASK) ++ msr &= ~MSR_TS_MASK; + vcpu->arch.shregs.msr = msr; + kvmppc_end_cede(vcpu); + } +@@ -2019,7 +2025,7 @@ static bool can_split_piggybacked_subcores(struct core_info *cip) + return false; + n_subcores += (cip->subcore_threads[sub] - 1) >> 1; + } +- if (n_subcores > 3 || large_sub < 0) ++ if (large_sub < 0 || !subcore_config_ok(n_subcores + 1, 2)) + return false; + + /* +diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c +index 17cea18a09d3..264c473c1b3c 100644 +--- a/arch/powerpc/net/bpf_jit_comp.c ++++ b/arch/powerpc/net/bpf_jit_comp.c +@@ -78,18 +78,9 @@ static void bpf_jit_build_prologue(struct bpf_prog *fp, u32 *image, + PPC_LI(r_X, 0); + } + +- switch (filter[0].code) { +- case BPF_RET | BPF_K: +- case BPF_LD | BPF_W | BPF_LEN: +- case BPF_LD | BPF_W | BPF_ABS: +- case BPF_LD | BPF_H | BPF_ABS: +- case BPF_LD | BPF_B | BPF_ABS: +- /* first instruction sets A register (or is RET 'constant') */ +- break; +- default: +- /* make sure we dont leak kernel information to user */ ++ /* make sure we dont leak kernel information to user */ ++ if (bpf_needs_clear_a(&filter[0])) + PPC_LI(r_A, 0); +- } + } + + static void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx) +diff --git a/arch/powerpc/platforms/powernv/opal-irqchip.c b/arch/powerpc/platforms/powernv/opal-irqchip.c +index 2c91ee7800b9..e96027d27151 100644 +--- a/arch/powerpc/platforms/powernv/opal-irqchip.c ++++ b/arch/powerpc/platforms/powernv/opal-irqchip.c +@@ -43,11 +43,34 @@ static unsigned int opal_irq_count; + static unsigned int *opal_irqs; + + static void opal_handle_irq_work(struct irq_work *work); +-static __be64 last_outstanding_events; ++static u64 last_outstanding_events; + static struct irq_work opal_event_irq_work = { + .func = opal_handle_irq_work, + }; + ++void opal_handle_events(uint64_t events) ++{ ++ int virq, hwirq = 0; ++ u64 mask = opal_event_irqchip.mask; ++ ++ if (!in_irq() && (events & mask)) { ++ last_outstanding_events = events; ++ irq_work_queue(&opal_event_irq_work); ++ return; ++ } ++ ++ while (events & mask) { ++ hwirq = fls64(events) - 1; ++ if (BIT_ULL(hwirq) & mask) { ++ virq = irq_find_mapping(opal_event_irqchip.domain, ++ hwirq); ++ if (virq) ++ generic_handle_irq(virq); ++ } ++ events &= ~BIT_ULL(hwirq); ++ } ++} ++ + static void opal_event_mask(struct irq_data *d) + { + clear_bit(d->hwirq, &opal_event_irqchip.mask); +@@ -55,9 +78,21 @@ static void opal_event_mask(struct irq_data *d) + + static void opal_event_unmask(struct irq_data *d) + { ++ __be64 events; ++ + set_bit(d->hwirq, &opal_event_irqchip.mask); + +- opal_poll_events(&last_outstanding_events); ++ opal_poll_events(&events); ++ last_outstanding_events = be64_to_cpu(events); ++ ++ /* ++ * We can't just handle the events now with opal_handle_events(). ++ * If we did we would deadlock when opal_event_unmask() is called from ++ * handle_level_irq() with the irq descriptor lock held, because ++ * calling opal_handle_events() would call generic_handle_irq() and ++ * then handle_level_irq() which would try to take the descriptor lock ++ * again. Instead queue the events for later. ++ */ + if (last_outstanding_events & opal_event_irqchip.mask) + /* Need to retrigger the interrupt */ + irq_work_queue(&opal_event_irq_work); +@@ -96,29 +131,6 @@ static int opal_event_map(struct irq_domain *d, unsigned int irq, + return 0; + } + +-void opal_handle_events(uint64_t events) +-{ +- int virq, hwirq = 0; +- u64 mask = opal_event_irqchip.mask; +- +- if (!in_irq() && (events & mask)) { +- last_outstanding_events = events; +- irq_work_queue(&opal_event_irq_work); +- return; +- } +- +- while (events & mask) { +- hwirq = fls64(events) - 1; +- if (BIT_ULL(hwirq) & mask) { +- virq = irq_find_mapping(opal_event_irqchip.domain, +- hwirq); +- if (virq) +- generic_handle_irq(virq); +- } +- events &= ~BIT_ULL(hwirq); +- } +-} +- + static irqreturn_t opal_interrupt(int irq, void *data) + { + __be64 events; +@@ -131,7 +143,7 @@ static irqreturn_t opal_interrupt(int irq, void *data) + + static void opal_handle_irq_work(struct irq_work *work) + { +- opal_handle_events(be64_to_cpu(last_outstanding_events)); ++ opal_handle_events(last_outstanding_events); + } + + static int opal_event_match(struct irq_domain *h, struct device_node *node, +diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c +index 4296d55e88f3..57cffb80bc36 100644 +--- a/arch/powerpc/platforms/powernv/opal.c ++++ b/arch/powerpc/platforms/powernv/opal.c +@@ -278,7 +278,7 @@ static void opal_handle_message(void) + + /* Sanity check */ + if (type >= OPAL_MSG_TYPE_MAX) { +- pr_warning("%s: Unknown message type: %u\n", __func__, type); ++ pr_warn_once("%s: Unknown message type: %u\n", __func__, type); + return; + } + opal_message_do_notify(type, (void *)&msg); +diff --git a/arch/sparc/net/bpf_jit_comp.c b/arch/sparc/net/bpf_jit_comp.c +index f8b9f71b9a2b..17e71d2d96e5 100644 +--- a/arch/sparc/net/bpf_jit_comp.c ++++ b/arch/sparc/net/bpf_jit_comp.c +@@ -420,22 +420,9 @@ void bpf_jit_compile(struct bpf_prog *fp) + } + emit_reg_move(O7, r_saved_O7); + +- switch (filter[0].code) { +- case BPF_RET | BPF_K: +- case BPF_LD | BPF_W | BPF_LEN: +- case BPF_LD | BPF_W | BPF_ABS: +- case BPF_LD | BPF_H | BPF_ABS: +- case BPF_LD | BPF_B | BPF_ABS: +- /* The first instruction sets the A register (or is +- * a "RET 'constant'") +- */ +- break; +- default: +- /* Make sure we dont leak kernel information to the +- * user. +- */ ++ /* Make sure we dont leak kernel information to the user. */ ++ if (bpf_needs_clear_a(&filter[0])) + emit_clear(r_A); /* A = 0 */ +- } + + for (i = 0; i < flen; i++) { + unsigned int K = filter[i].k; +diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h +index 4fa687a47a62..6b8d6e8cd449 100644 +--- a/arch/x86/include/asm/boot.h ++++ b/arch/x86/include/asm/boot.h +@@ -27,7 +27,7 @@ + #define BOOT_HEAP_SIZE 0x400000 + #else /* !CONFIG_KERNEL_BZIP2 */ + +-#define BOOT_HEAP_SIZE 0x8000 ++#define BOOT_HEAP_SIZE 0x10000 + + #endif /* !CONFIG_KERNEL_BZIP2 */ + +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h +index 379cd3658799..bfd9b2a35a0b 100644 +--- a/arch/x86/include/asm/mmu_context.h ++++ b/arch/x86/include/asm/mmu_context.h +@@ -116,8 +116,36 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + #endif + cpumask_set_cpu(cpu, mm_cpumask(next)); + +- /* Re-load page tables */ ++ /* ++ * Re-load page tables. ++ * ++ * This logic has an ordering constraint: ++ * ++ * CPU 0: Write to a PTE for 'next' ++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI. ++ * CPU 1: set bit 1 in next's mm_cpumask ++ * CPU 1: load from the PTE that CPU 0 writes (implicit) ++ * ++ * We need to prevent an outcome in which CPU 1 observes ++ * the new PTE value and CPU 0 observes bit 1 clear in ++ * mm_cpumask. (If that occurs, then the IPI will never ++ * be sent, and CPU 0's TLB will contain a stale entry.) ++ * ++ * The bad outcome can occur if either CPU's load is ++ * reordered before that CPU's store, so both CPUs must ++ * execute full barriers to prevent this from happening. ++ * ++ * Thus, switch_mm needs a full barrier between the ++ * store to mm_cpumask and any operation that could load ++ * from next->pgd. TLB fills are special and can happen ++ * due to instruction fetches or for no reason at all, ++ * and neither LOCK nor MFENCE orders them. ++ * Fortunately, load_cr3() is serializing and gives the ++ * ordering guarantee we need. ++ * ++ */ + load_cr3(next->pgd); ++ + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); + + /* Stop flush ipis for the previous mm */ +@@ -156,10 +184,14 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, + * schedule, protecting us from simultaneous changes. + */ + cpumask_set_cpu(cpu, mm_cpumask(next)); ++ + /* + * We were in lazy tlb mode and leave_mm disabled + * tlb flush IPI delivery. We must reload CR3 + * to make sure to use no freed page tables. ++ * ++ * As above, load_cr3() is serializing and orders TLB ++ * fills with respect to the mm_cpumask write. + */ + load_cr3(next->pgd); + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL); +diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h +index 10d0596433f8..c759b3cca663 100644 +--- a/arch/x86/include/asm/paravirt.h ++++ b/arch/x86/include/asm/paravirt.h +@@ -19,6 +19,12 @@ static inline int paravirt_enabled(void) + return pv_info.paravirt_enabled; + } + ++static inline int paravirt_has_feature(unsigned int feature) ++{ ++ WARN_ON_ONCE(!pv_info.paravirt_enabled); ++ return (pv_info.features & feature); ++} ++ + static inline void load_sp0(struct tss_struct *tss, + struct thread_struct *thread) + { +diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h +index 31247b5bff7c..3d44191185f8 100644 +--- a/arch/x86/include/asm/paravirt_types.h ++++ b/arch/x86/include/asm/paravirt_types.h +@@ -70,9 +70,14 @@ struct pv_info { + #endif + + int paravirt_enabled; ++ unsigned int features; /* valid only if paravirt_enabled is set */ + const char *name; + }; + ++#define paravirt_has(x) paravirt_has_feature(PV_SUPPORTED_##x) ++/* Supported features */ ++#define PV_SUPPORTED_RTC (1<<0) ++ + struct pv_init_ops { + /* + * Patch may replace one of the defined code sequences with +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index 19577dd325fa..b7692daeaf92 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -472,6 +472,7 @@ static inline unsigned long current_top_of_stack(void) + #else + #define __cpuid native_cpuid + #define paravirt_enabled() 0 ++#define paravirt_has(x) 0 + + static inline void load_sp0(struct tss_struct *tss, + struct thread_struct *thread) +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index 9d014b82a124..6b2c8229f9da 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -999,6 +999,17 @@ void do_machine_check(struct pt_regs *regs, long error_code) + int flags = MF_ACTION_REQUIRED; + int lmce = 0; + ++ /* If this CPU is offline, just bail out. */ ++ if (cpu_is_offline(smp_processor_id())) { ++ u64 mcgstatus; ++ ++ mcgstatus = mce_rdmsrl(MSR_IA32_MCG_STATUS); ++ if (mcgstatus & MCG_STATUS_RIPV) { ++ mce_wrmsrl(MSR_IA32_MCG_STATUS, 0); ++ return; ++ } ++ } ++ + ist_enter(regs); + + this_cpu_inc(mce_exception_count); +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index 02693dd9a079..f660d63f40fe 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -182,6 +182,14 @@ static struct dmi_system_id __initdata reboot_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "iMac9,1"), + }, + }, ++ { /* Handle problems with rebooting on the iMac10,1. */ ++ .callback = set_pci_reboot, ++ .ident = "Apple iMac10,1", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac10,1"), ++ }, ++ }, + + /* ASRock */ + { /* Handle problems with rebooting on ASRock Q1900DC-ITX */ +diff --git a/arch/x86/kernel/rtc.c b/arch/x86/kernel/rtc.c +index cd9685235df9..4af8d063fb36 100644 +--- a/arch/x86/kernel/rtc.c ++++ b/arch/x86/kernel/rtc.c +@@ -200,6 +200,9 @@ static __init int add_rtc_cmos(void) + } + #endif + ++ if (paravirt_enabled() && !paravirt_has(RTC)) ++ return -ENODEV; ++ + platform_device_register(&rtc_device); + dev_info(&rtc_device.dev, + "registered platform RTC device (no PNP device found)\n"); +diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c +index da52e6bb5c7f..7d2b2ed33dee 100644 +--- a/arch/x86/kernel/signal.c ++++ b/arch/x86/kernel/signal.c +@@ -688,12 +688,15 @@ handle_signal(struct ksignal *ksig, struct pt_regs *regs) + signal_setup_done(failed, ksig, stepping); + } + +-#ifdef CONFIG_X86_32 +-#define NR_restart_syscall __NR_restart_syscall +-#else /* !CONFIG_X86_32 */ +-#define NR_restart_syscall \ +- test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : __NR_restart_syscall +-#endif /* CONFIG_X86_32 */ ++static inline unsigned long get_nr_restart_syscall(const struct pt_regs *regs) ++{ ++#if defined(CONFIG_X86_32) || !defined(CONFIG_X86_64) ++ return __NR_restart_syscall; ++#else /* !CONFIG_X86_32 && CONFIG_X86_64 */ ++ return test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : ++ __NR_restart_syscall | (regs->orig_ax & __X32_SYSCALL_BIT); ++#endif /* CONFIG_X86_32 || !CONFIG_X86_64 */ ++} + + /* + * Note that 'init' is a special process: it doesn't get signals it doesn't +@@ -722,7 +725,7 @@ void do_signal(struct pt_regs *regs) + break; + + case -ERESTART_RESTARTBLOCK: +- regs->ax = NR_restart_syscall; ++ regs->ax = get_nr_restart_syscall(regs); + regs->ip -= 2; + break; + } +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index 892ee2e5ecbc..fbabe4fcc7fb 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -509,7 +509,7 @@ void __inquire_remote_apic(int apicid) + */ + #define UDELAY_10MS_DEFAULT 10000 + +-static unsigned int init_udelay = INT_MAX; ++static unsigned int init_udelay = UINT_MAX; + + static int __init cpu_init_udelay(char *str) + { +@@ -522,14 +522,15 @@ early_param("cpu_init_udelay", cpu_init_udelay); + static void __init smp_quirk_init_udelay(void) + { + /* if cmdline changed it from default, leave it alone */ +- if (init_udelay != INT_MAX) ++ if (init_udelay != UINT_MAX) + return; + + /* if modern processor, use no delay */ + if (((boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) && (boot_cpu_data.x86 == 6)) || +- ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && (boot_cpu_data.x86 >= 0xF))) ++ ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && (boot_cpu_data.x86 >= 0xF))) { + init_udelay = 0; +- ++ return; ++ } + /* else, use legacy delay */ + init_udelay = UDELAY_10MS_DEFAULT; + } +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index d7f89387ba0c..22d181350ec9 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1108,6 +1108,7 @@ static void init_vmcb(struct vcpu_svm *svm) + set_exception_intercept(svm, UD_VECTOR); + set_exception_intercept(svm, MC_VECTOR); + set_exception_intercept(svm, AC_VECTOR); ++ set_exception_intercept(svm, DB_VECTOR); + + set_intercept(svm, INTERCEPT_INTR); + set_intercept(svm, INTERCEPT_NMI); +@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu, + mark_dirty(svm->vmcb, VMCB_SEG); + } + +-static void update_db_bp_intercept(struct kvm_vcpu *vcpu) ++static void update_bp_intercept(struct kvm_vcpu *vcpu) + { + struct vcpu_svm *svm = to_svm(vcpu); + +- clr_exception_intercept(svm, DB_VECTOR); + clr_exception_intercept(svm, BP_VECTOR); + +- if (svm->nmi_singlestep) +- set_exception_intercept(svm, DB_VECTOR); +- + if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) { +- if (vcpu->guest_debug & +- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP)) +- set_exception_intercept(svm, DB_VECTOR); + if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP) + set_exception_intercept(svm, BP_VECTOR); + } else +@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm) + if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP)) + svm->vmcb->save.rflags &= + ~(X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(&svm->vcpu); + } + + if (svm->vcpu.guest_debug & +@@ -3761,7 +3754,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu) + */ + svm->nmi_singlestep = true; + svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF); +- update_db_bp_intercept(vcpu); + } + + static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr) +@@ -4383,7 +4375,7 @@ static struct kvm_x86_ops svm_x86_ops = { + .vcpu_load = svm_vcpu_load, + .vcpu_put = svm_vcpu_put, + +- .update_db_bp_intercept = update_db_bp_intercept, ++ .update_db_bp_intercept = update_bp_intercept, + .get_msr = svm_get_msr, + .set_msr = svm_set_msr, + .get_segment_base = svm_get_segment_base, +diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h +index 4eae7c35ddf5..08b668cb3462 100644 +--- a/arch/x86/kvm/trace.h ++++ b/arch/x86/kvm/trace.h +@@ -250,7 +250,7 @@ TRACE_EVENT(kvm_inj_virq, + #define kvm_trace_sym_exc \ + EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \ + EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), \ +- EXS(MF), EXS(MC) ++ EXS(MF), EXS(AC), EXS(MC) + + /* + * Tracepoint for kvm interrupt injection: +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 343d3692dd65..2e0bd4884652 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -3644,20 +3644,21 @@ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4) + if (!is_paging(vcpu)) { + hw_cr4 &= ~X86_CR4_PAE; + hw_cr4 |= X86_CR4_PSE; +- /* +- * SMEP/SMAP is disabled if CPU is in non-paging mode +- * in hardware. However KVM always uses paging mode to +- * emulate guest non-paging mode with TDP. +- * To emulate this behavior, SMEP/SMAP needs to be +- * manually disabled when guest switches to non-paging +- * mode. +- */ +- hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP); + } else if (!(cr4 & X86_CR4_PAE)) { + hw_cr4 &= ~X86_CR4_PAE; + } + } + ++ if (!enable_unrestricted_guest && !is_paging(vcpu)) ++ /* ++ * SMEP/SMAP is disabled if CPU is in non-paging mode in ++ * hardware. However KVM always uses paging mode without ++ * unrestricted guest. ++ * To emulate this behavior, SMEP/SMAP needs to be manually ++ * disabled when guest switches to non-paging mode. ++ */ ++ hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP); ++ + vmcs_writel(CR4_READ_SHADOW, cr4); + vmcs_writel(GUEST_CR4, hw_cr4); + return 0; +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 43609af03283..37bbbf842350 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -942,7 +942,7 @@ static u32 msrs_to_save[] = { + MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR, + #endif + MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA, +- MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS ++ MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX, + }; + + static unsigned num_msrs_to_save; +@@ -3847,16 +3847,17 @@ static void kvm_init_msr_list(void) + + /* + * Even MSRs that are valid in the host may not be exposed +- * to the guests in some cases. We could work around this +- * in VMX with the generic MSR save/load machinery, but it +- * is not really worthwhile since it will really only +- * happen with nested virtualization. ++ * to the guests in some cases. + */ + switch (msrs_to_save[i]) { + case MSR_IA32_BNDCFGS: + if (!kvm_x86_ops->mpx_supported()) + continue; + break; ++ case MSR_TSC_AUX: ++ if (!kvm_x86_ops->rdtscp_supported()) ++ continue; ++ break; + default: + break; + } +diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c +index a0d09f6c6533..a43b2eafc466 100644 +--- a/arch/x86/lguest/boot.c ++++ b/arch/x86/lguest/boot.c +@@ -1414,6 +1414,7 @@ __init void lguest_init(void) + pv_info.kernel_rpl = 1; + /* Everyone except Xen runs with this set. */ + pv_info.shared_kernel_pmd = 1; ++ pv_info.features = 0; + + /* + * We set up all the lguest overrides for sensitive operations. These +diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c +index 71fc79a58a15..78e47ff74f9d 100644 +--- a/arch/x86/mm/mpx.c ++++ b/arch/x86/mm/mpx.c +@@ -101,19 +101,19 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs, + switch (type) { + case REG_TYPE_RM: + regno = X86_MODRM_RM(insn->modrm.value); +- if (X86_REX_B(insn->rex_prefix.value) == 1) ++ if (X86_REX_B(insn->rex_prefix.value)) + regno += 8; + break; + + case REG_TYPE_INDEX: + regno = X86_SIB_INDEX(insn->sib.value); +- if (X86_REX_X(insn->rex_prefix.value) == 1) ++ if (X86_REX_X(insn->rex_prefix.value)) + regno += 8; + break; + + case REG_TYPE_BASE: + regno = X86_SIB_BASE(insn->sib.value); +- if (X86_REX_B(insn->rex_prefix.value) == 1) ++ if (X86_REX_B(insn->rex_prefix.value)) + regno += 8; + break; + +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c +index 8ddb5d0d66fb..8f4cc3dfac32 100644 +--- a/arch/x86/mm/tlb.c ++++ b/arch/x86/mm/tlb.c +@@ -161,7 +161,10 @@ void flush_tlb_current_task(void) + preempt_disable(); + + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); ++ ++ /* This is an implicit full barrier that synchronizes with switch_mm. */ + local_flush_tlb(); ++ + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL); + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) + flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL); +@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, + unsigned long base_pages_to_flush = TLB_FLUSH_ALL; + + preempt_disable(); +- if (current->active_mm != mm) ++ if (current->active_mm != mm) { ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ + goto out; ++ } + + if (!current->mm) { + leave_mm(smp_processor_id()); ++ ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ + goto out; + } + + if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB)) + base_pages_to_flush = (end - start) >> PAGE_SHIFT; + ++ /* ++ * Both branches below are implicit full barriers (MOV to CR or ++ * INVLPG) that synchronize with switch_mm. ++ */ + if (base_pages_to_flush > tlb_single_page_flush_ceiling) { + base_pages_to_flush = TLB_FLUSH_ALL; + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL); +@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start) + preempt_disable(); + + if (current->active_mm == mm) { +- if (current->mm) ++ if (current->mm) { ++ /* ++ * Implicit full barrier (INVLPG) that synchronizes ++ * with switch_mm. ++ */ + __flush_tlb_one(start); +- else ++ } else { + leave_mm(smp_processor_id()); ++ ++ /* Synchronize with switch_mm. */ ++ smp_mb(); ++ } + } + + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids) +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index 993b7a71386d..aeb385d86e95 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -1191,7 +1191,7 @@ static const struct pv_info xen_info __initconst = { + #ifdef CONFIG_X86_64 + .extra_user_64bit_cs = FLAT_USER_CS64, + #endif +- ++ .features = 0, + .name = "Xen", + }; + +@@ -1534,6 +1534,8 @@ asmlinkage __visible void __init xen_start_kernel(void) + + /* Install Xen paravirt ops */ + pv_info = xen_info; ++ if (xen_initial_domain()) ++ pv_info.features |= PV_SUPPORTED_RTC; + pv_init_ops = xen_init_ops; + pv_apic_ops = xen_apic_ops; + if (!xen_pvh_domain()) { +diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c +index feddabdab448..4299aa924b9f 100644 +--- a/arch/x86/xen/suspend.c ++++ b/arch/x86/xen/suspend.c +@@ -33,7 +33,8 @@ static void xen_hvm_post_suspend(int suspend_cancelled) + { + #ifdef CONFIG_XEN_PVHVM + int cpu; +- xen_hvm_init_shared_info(); ++ if (!suspend_cancelled) ++ xen_hvm_init_shared_info(); + xen_callback_vector(); + xen_unplug_emulated_devices(); + if (xen_feature(XENFEAT_hvm_safe_pvclock)) { +diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c +index 654f6f36a071..54bccf7db592 100644 +--- a/drivers/char/ipmi/ipmi_si_intf.c ++++ b/drivers/char/ipmi/ipmi_si_intf.c +@@ -412,18 +412,42 @@ static enum si_sm_result start_next_msg(struct smi_info *smi_info) + return rv; + } + +-static void start_check_enables(struct smi_info *smi_info) ++static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val) ++{ ++ smi_info->last_timeout_jiffies = jiffies; ++ mod_timer(&smi_info->si_timer, new_val); ++ smi_info->timer_running = true; ++} ++ ++/* ++ * Start a new message and (re)start the timer and thread. ++ */ ++static void start_new_msg(struct smi_info *smi_info, unsigned char *msg, ++ unsigned int size) ++{ ++ smi_mod_timer(smi_info, jiffies + SI_TIMEOUT_JIFFIES); ++ ++ if (smi_info->thread) ++ wake_up_process(smi_info->thread); ++ ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, size); ++} ++ ++static void start_check_enables(struct smi_info *smi_info, bool start_timer) + { + unsigned char msg[2]; + + msg[0] = (IPMI_NETFN_APP_REQUEST << 2); + msg[1] = IPMI_GET_BMC_GLOBAL_ENABLES_CMD; + +- smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2); ++ if (start_timer) ++ start_new_msg(smi_info, msg, 2); ++ else ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2); + smi_info->si_state = SI_CHECKING_ENABLES; + } + +-static void start_clear_flags(struct smi_info *smi_info) ++static void start_clear_flags(struct smi_info *smi_info, bool start_timer) + { + unsigned char msg[3]; + +@@ -432,7 +456,10 @@ static void start_clear_flags(struct smi_info *smi_info) + msg[1] = IPMI_CLEAR_MSG_FLAGS_CMD; + msg[2] = WDT_PRE_TIMEOUT_INT; + +- smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3); ++ if (start_timer) ++ start_new_msg(smi_info, msg, 3); ++ else ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3); + smi_info->si_state = SI_CLEARING_FLAGS; + } + +@@ -442,10 +469,8 @@ static void start_getting_msg_queue(struct smi_info *smi_info) + smi_info->curr_msg->data[1] = IPMI_GET_MSG_CMD; + smi_info->curr_msg->data_size = 2; + +- smi_info->handlers->start_transaction( +- smi_info->si_sm, +- smi_info->curr_msg->data, +- smi_info->curr_msg->data_size); ++ start_new_msg(smi_info, smi_info->curr_msg->data, ++ smi_info->curr_msg->data_size); + smi_info->si_state = SI_GETTING_MESSAGES; + } + +@@ -455,20 +480,11 @@ static void start_getting_events(struct smi_info *smi_info) + smi_info->curr_msg->data[1] = IPMI_READ_EVENT_MSG_BUFFER_CMD; + smi_info->curr_msg->data_size = 2; + +- smi_info->handlers->start_transaction( +- smi_info->si_sm, +- smi_info->curr_msg->data, +- smi_info->curr_msg->data_size); ++ start_new_msg(smi_info, smi_info->curr_msg->data, ++ smi_info->curr_msg->data_size); + smi_info->si_state = SI_GETTING_EVENTS; + } + +-static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val) +-{ +- smi_info->last_timeout_jiffies = jiffies; +- mod_timer(&smi_info->si_timer, new_val); +- smi_info->timer_running = true; +-} +- + /* + * When we have a situtaion where we run out of memory and cannot + * allocate messages, we just leave them in the BMC and run the system +@@ -478,11 +494,11 @@ static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val) + * Note that we cannot just use disable_irq(), since the interrupt may + * be shared. + */ +-static inline bool disable_si_irq(struct smi_info *smi_info) ++static inline bool disable_si_irq(struct smi_info *smi_info, bool start_timer) + { + if ((smi_info->irq) && (!smi_info->interrupt_disabled)) { + smi_info->interrupt_disabled = true; +- start_check_enables(smi_info); ++ start_check_enables(smi_info, start_timer); + return true; + } + return false; +@@ -492,7 +508,7 @@ static inline bool enable_si_irq(struct smi_info *smi_info) + { + if ((smi_info->irq) && (smi_info->interrupt_disabled)) { + smi_info->interrupt_disabled = false; +- start_check_enables(smi_info); ++ start_check_enables(smi_info, true); + return true; + } + return false; +@@ -510,7 +526,7 @@ static struct ipmi_smi_msg *alloc_msg_handle_irq(struct smi_info *smi_info) + + msg = ipmi_alloc_smi_msg(); + if (!msg) { +- if (!disable_si_irq(smi_info)) ++ if (!disable_si_irq(smi_info, true)) + smi_info->si_state = SI_NORMAL; + } else if (enable_si_irq(smi_info)) { + ipmi_free_smi_msg(msg); +@@ -526,7 +542,7 @@ static void handle_flags(struct smi_info *smi_info) + /* Watchdog pre-timeout */ + smi_inc_stat(smi_info, watchdog_pretimeouts); + +- start_clear_flags(smi_info); ++ start_clear_flags(smi_info, true); + smi_info->msg_flags &= ~WDT_PRE_TIMEOUT_INT; + if (smi_info->intf) + ipmi_smi_watchdog_pretimeout(smi_info->intf); +@@ -879,8 +895,7 @@ static enum si_sm_result smi_event_handler(struct smi_info *smi_info, + msg[0] = (IPMI_NETFN_APP_REQUEST << 2); + msg[1] = IPMI_GET_MSG_FLAGS_CMD; + +- smi_info->handlers->start_transaction( +- smi_info->si_sm, msg, 2); ++ start_new_msg(smi_info, msg, 2); + smi_info->si_state = SI_GETTING_FLAGS; + goto restart; + } +@@ -910,7 +925,7 @@ static enum si_sm_result smi_event_handler(struct smi_info *smi_info, + * disable and messages disabled. + */ + if (smi_info->supports_event_msg_buff || smi_info->irq) { +- start_check_enables(smi_info); ++ start_check_enables(smi_info, true); + } else { + smi_info->curr_msg = alloc_msg_handle_irq(smi_info); + if (!smi_info->curr_msg) +@@ -1208,14 +1223,14 @@ static int smi_start_processing(void *send_info, + + new_smi->intf = intf; + +- /* Try to claim any interrupts. */ +- if (new_smi->irq_setup) +- new_smi->irq_setup(new_smi); +- + /* Set up the timer that drives the interface. */ + setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi); + smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES); + ++ /* Try to claim any interrupts. */ ++ if (new_smi->irq_setup) ++ new_smi->irq_setup(new_smi); ++ + /* + * Check if the user forcefully enabled the daemon. + */ +@@ -3613,7 +3628,7 @@ static int try_smi_init(struct smi_info *new_smi) + * Start clearing the flags before we enable interrupts or the + * timer to avoid racing with the timer. + */ +- start_clear_flags(new_smi); ++ start_clear_flags(new_smi, false); + + /* + * IRQ is defined to be set when non-zero. req_events will +@@ -3908,7 +3923,7 @@ static void cleanup_one_si(struct smi_info *to_clean) + poll(to_clean); + schedule_timeout_uninterruptible(1); + } +- disable_si_irq(to_clean); ++ disable_si_irq(to_clean, false); + while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) { + poll(to_clean); + schedule_timeout_uninterruptible(1); +diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c +index 30f522848c73..c19e7fc717c3 100644 +--- a/drivers/connector/connector.c ++++ b/drivers/connector/connector.c +@@ -178,26 +178,21 @@ static int cn_call_callback(struct sk_buff *skb) + * + * It checks skb, netlink header and msg sizes, and calls callback helper. + */ +-static void cn_rx_skb(struct sk_buff *__skb) ++static void cn_rx_skb(struct sk_buff *skb) + { + struct nlmsghdr *nlh; +- struct sk_buff *skb; + int len, err; + +- skb = skb_get(__skb); +- + if (skb->len >= NLMSG_HDRLEN) { + nlh = nlmsg_hdr(skb); + len = nlmsg_len(nlh); + + if (len < (int)sizeof(struct cn_msg) || + skb->len < nlh->nlmsg_len || +- len > CONNECTOR_MAX_MSG_SIZE) { +- kfree_skb(skb); ++ len > CONNECTOR_MAX_MSG_SIZE) + return; +- } + +- err = cn_call_callback(skb); ++ err = cn_call_callback(skb_get(skb)); + if (err < 0) + kfree_skb(skb); + } +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 70a11ac38119..c0fbf4ed58ec 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1611,7 +1611,7 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask) + "Multi-Axis Controller" + }; + const char *type, *bus; +- char buf[64]; ++ char buf[64] = ""; + unsigned int i; + int len; + int ret; +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c +index 0215ab62bb93..cba008ac9cff 100644 +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1628,6 +1628,7 @@ static void wacom_wac_finger_usage_mapping(struct hid_device *hdev, + wacom_map_usage(input, usage, field, EV_KEY, BTN_TOUCH, 0); + break; + case HID_DG_CONTACTCOUNT: ++ wacom_wac->hid_data.cc_report = field->report->id; + wacom_wac->hid_data.cc_index = field->index; + wacom_wac->hid_data.cc_value_index = usage->usage_index; + break; +@@ -1715,7 +1716,32 @@ static void wacom_wac_finger_pre_report(struct hid_device *hdev, + struct wacom_wac *wacom_wac = &wacom->wacom_wac; + struct hid_data* hid_data = &wacom_wac->hid_data; + +- if (hid_data->cc_index >= 0) { ++ if (hid_data->cc_report != 0 && ++ hid_data->cc_report != report->id) { ++ int i; ++ ++ hid_data->cc_report = report->id; ++ hid_data->cc_index = -1; ++ hid_data->cc_value_index = -1; ++ ++ for (i = 0; i < report->maxfield; i++) { ++ struct hid_field *field = report->field[i]; ++ int j; ++ ++ for (j = 0; j < field->maxusage; j++) { ++ if (field->usage[j].hid == HID_DG_CONTACTCOUNT) { ++ hid_data->cc_index = i; ++ hid_data->cc_value_index = j; ++ ++ /* break */ ++ i = report->maxfield; ++ j = field->maxusage; ++ } ++ } ++ } ++ } ++ if (hid_data->cc_report != 0 && ++ hid_data->cc_index >= 0) { + struct hid_field *field = report->field[hid_data->cc_index]; + int value = field->value[hid_data->cc_value_index]; + if (value) +diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h +index 1e270d401e18..809c03e34f74 100644 +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -198,6 +198,7 @@ struct hid_data { + int width; + int height; + int id; ++ int cc_report; + int cc_index; + int cc_value_index; + int num_expected; +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index 2d0dbbf38ceb..558c1e784613 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -756,7 +756,7 @@ struct ib_cq *mlx5_ib_create_cq(struct ib_device *ibdev, + int uninitialized_var(index); + int uninitialized_var(inlen); + int cqe_size; +- int irqn; ++ unsigned int irqn; + int eqn; + int err; + +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c +index 286e890e7d64..ef7862056978 100644 +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -1427,7 +1427,7 @@ static int arm_smmu_domain_finalise_s1(struct arm_smmu_domain *smmu_domain, + struct io_pgtable_cfg *pgtbl_cfg) + { + int ret; +- u16 asid; ++ int asid; + struct arm_smmu_device *smmu = smmu_domain->smmu; + struct arm_smmu_s1_cfg *cfg = &smmu_domain->s1_cfg; + +@@ -1439,10 +1439,11 @@ static int arm_smmu_domain_finalise_s1(struct arm_smmu_domain *smmu_domain, + &cfg->cdptr_dma, GFP_KERNEL); + if (!cfg->cdptr) { + dev_warn(smmu->dev, "failed to allocate context descriptor\n"); ++ ret = -ENOMEM; + goto out_free_asid; + } + +- cfg->cd.asid = asid; ++ cfg->cd.asid = (u16)asid; + cfg->cd.ttbr = pgtbl_cfg->arm_lpae_s1_cfg.ttbr[0]; + cfg->cd.tcr = pgtbl_cfg->arm_lpae_s1_cfg.tcr; + cfg->cd.mair = pgtbl_cfg->arm_lpae_s1_cfg.mair[0]; +@@ -1456,7 +1457,7 @@ out_free_asid: + static int arm_smmu_domain_finalise_s2(struct arm_smmu_domain *smmu_domain, + struct io_pgtable_cfg *pgtbl_cfg) + { +- u16 vmid; ++ int vmid; + struct arm_smmu_device *smmu = smmu_domain->smmu; + struct arm_smmu_s2_cfg *cfg = &smmu_domain->s2_cfg; + +@@ -1464,7 +1465,7 @@ static int arm_smmu_domain_finalise_s2(struct arm_smmu_domain *smmu_domain, + if (IS_ERR_VALUE(vmid)) + return vmid; + +- cfg->vmid = vmid; ++ cfg->vmid = (u16)vmid; + cfg->vttbr = pgtbl_cfg->arm_lpae_s2_cfg.vttbr; + cfg->vtcr = pgtbl_cfg->arm_lpae_s2_cfg.vtcr; + return 0; +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index d65cf42399e8..dfc64662b386 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -4194,14 +4194,17 @@ int dmar_find_matched_atsr_unit(struct pci_dev *dev) + dev = pci_physfn(dev); + for (bus = dev->bus; bus; bus = bus->parent) { + bridge = bus->self; +- if (!bridge || !pci_is_pcie(bridge) || ++ /* If it's an integrated device, allow ATS */ ++ if (!bridge) ++ return 1; ++ /* Connected via non-PCIe: no ATS */ ++ if (!pci_is_pcie(bridge) || + pci_pcie_type(bridge) == PCI_EXP_TYPE_PCI_BRIDGE) + return 0; ++ /* If we found the root port, look it up in the ATSR */ + if (pci_pcie_type(bridge) == PCI_EXP_TYPE_ROOT_PORT) + break; + } +- if (!bridge) +- return 0; + + rcu_read_lock(); + list_for_each_entry_rcu(atsru, &dmar_atsr_units, list) { +diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c +index c4198fa490bf..9c1e8adaf4fc 100644 +--- a/drivers/isdn/i4l/isdn_ppp.c ++++ b/drivers/isdn/i4l/isdn_ppp.c +@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file) + is->compflags = 0; + + is->reset = isdn_ppp_ccp_reset_alloc(is); ++ if (!is->reset) ++ return -ENOMEM; + + is->lp = NULL; + is->mp_seqno = 0; /* MP sequence number */ +@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file) + * VJ header compression init + */ + is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ ++ if (IS_ERR(is->slcomp)) { ++ isdn_ppp_ccp_reset_free(is); ++ return PTR_ERR(is->slcomp); ++ } + #endif + #ifdef CONFIG_IPPP_FILTER + is->pass_filter = NULL; +@@ -567,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg) + is->maxcid = val; + #ifdef CONFIG_ISDN_PPP_VJ + sltmp = slhc_init(16, val); +- if (!sltmp) { +- printk(KERN_ERR "ippp, can't realloc slhc struct\n"); +- return -ENOMEM; +- } ++ if (IS_ERR(sltmp)) ++ return PTR_ERR(sltmp); + if (is->slcomp) + slhc_free(is->slcomp); + is->slcomp = sltmp; +diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c +index 084d346fb4c4..e15eef6a94e5 100644 +--- a/drivers/media/platform/vivid/vivid-osd.c ++++ b/drivers/media/platform/vivid/vivid-osd.c +@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg) + case FBIOGET_VBLANK: { + struct fb_vblank vblank; + ++ memset(&vblank, 0, sizeof(vblank)); + vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT | + FB_VBLANK_HAVE_VSYNC; + vblank.count = 0; +diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c +index 8f2e1c277c5f..7b91327bd472 100644 +--- a/drivers/media/usb/airspy/airspy.c ++++ b/drivers/media/usb/airspy/airspy.c +@@ -132,7 +132,7 @@ struct airspy { + int urbs_submitted; + + /* USB control message buffer */ +- #define BUF_SIZE 24 ++ #define BUF_SIZE 128 + u8 buf[BUF_SIZE]; + + /* Current configuration */ +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index bcd7bddbe312..509440cb6411 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1207,7 +1207,6 @@ static int bond_master_upper_dev_link(struct net_device *bond_dev, + err = netdev_master_upper_dev_link_private(slave_dev, bond_dev, slave); + if (err) + return err; +- slave_dev->flags |= IFF_SLAVE; + rtmsg_ifinfo(RTM_NEWLINK, slave_dev, IFF_SLAVE, GFP_KERNEL); + return 0; + } +@@ -1465,6 +1464,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev) + } + } + ++ /* set slave flag before open to prevent IPv6 addrconf */ ++ slave_dev->flags |= IFF_SLAVE; ++ + /* open the slave since the application closed it */ + res = dev_open(slave_dev); + if (res) { +@@ -1725,6 +1727,7 @@ err_close: + dev_close(slave_dev); + + err_restore_mac: ++ slave_dev->flags &= ~IFF_SLAVE; + if (!bond->params.fail_over_mac || + BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) { + /* XXX TODO - fom follow mode needs to change master's +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 443632df2010..394744bfbf89 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -746,7 +746,7 @@ static int mlx5e_create_cq(struct mlx5e_channel *c, + struct mlx5_core_dev *mdev = priv->mdev; + struct mlx5_core_cq *mcq = &cq->mcq; + int eqn_not_used; +- int irqn; ++ unsigned int irqn; + int err; + u32 i; + +@@ -800,7 +800,7 @@ static int mlx5e_enable_cq(struct mlx5e_cq *cq, struct mlx5e_cq_param *param) + void *in; + void *cqc; + int inlen; +- int irqn_not_used; ++ unsigned int irqn_not_used; + int eqn; + int err; + +@@ -1498,7 +1498,7 @@ static int mlx5e_create_drop_cq(struct mlx5e_priv *priv, + struct mlx5_core_dev *mdev = priv->mdev; + struct mlx5_core_cq *mcq = &cq->mcq; + int eqn_not_used; +- int irqn; ++ unsigned int irqn; + int err; + + err = mlx5_cqwq_create(mdev, ¶m->wq, param->cqc, &cq->wq, +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 03aabdd79abe..af9593baf1bb 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -520,7 +520,8 @@ static void mlx5_irq_clear_affinity_hints(struct mlx5_core_dev *mdev) + mlx5_irq_clear_affinity_hint(mdev, i); + } + +-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, int *irqn) ++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, ++ unsigned int *irqn) + { + struct mlx5_eq_table *table = &dev->priv.eq_table; + struct mlx5_eq *eq, *n; +diff --git a/drivers/net/ethernet/synopsys/dwc_eth_qos.c b/drivers/net/ethernet/synopsys/dwc_eth_qos.c +index 85b3326775b8..37640e11afa6 100644 +--- a/drivers/net/ethernet/synopsys/dwc_eth_qos.c ++++ b/drivers/net/ethernet/synopsys/dwc_eth_qos.c +@@ -2107,7 +2107,7 @@ static int dwceqos_tx_frags(struct sk_buff *skb, struct net_local *lp, + dd = &lp->tx_descs[lp->tx_next]; + + /* Set DMA Descriptor fields */ +- dd->des0 = dma_handle; ++ dd->des0 = dma_handle + consumed_size; + dd->des1 = 0; + dd->des2 = dma_size; + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index ed00446759b2..9a863c6a6a33 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + val &= 0xffff; + } + vj = slhc_init(val2+1, val+1); +- if (!vj) { +- netdev_err(ppp->dev, +- "PPP: no memory (VJ compressor)\n"); +- err = -ENOMEM; ++ if (IS_ERR(vj)) { ++ err = PTR_ERR(vj); + break; + } + ppp_lock(ppp); +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c +index 079f7adfcde5..27ed25252aac 100644 +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp); + static unsigned char * put16(unsigned char *cp, unsigned short x); + static unsigned short pull16(unsigned char **cpp); + +-/* Initialize compression data structure ++/* Allocate compression data structure + * slots must be in range 0 to 255 (zero meaning no compression) ++ * Returns pointer to structure or ERR_PTR() on error. + */ + struct slcompress * + slhc_init(int rslots, int tslots) +@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots) + register struct cstate *ts; + struct slcompress *comp; + ++ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255) ++ return ERR_PTR(-EINVAL); ++ + comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL); + if (! comp) + goto out_fail; + +- if ( rslots > 0 && rslots < 256 ) { ++ if (rslots > 0) { + size_t rsize = rslots * sizeof(struct cstate); + comp->rstate = kzalloc(rsize, GFP_KERNEL); + if (! comp->rstate) +@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots) + comp->rslot_limit = rslots - 1; + } + +- if ( tslots > 0 && tslots < 256 ) { ++ if (tslots > 0) { + size_t tsize = tslots * sizeof(struct cstate); + comp->tstate = kzalloc(tsize, GFP_KERNEL); + if (! comp->tstate) +@@ -141,7 +145,7 @@ out_free2: + out_free: + kfree(comp); + out_fail: +- return NULL; ++ return ERR_PTR(-ENOMEM); + } + + +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c +index 05387b1e2e95..a17d86a57734 100644 +--- a/drivers/net/slip/slip.c ++++ b/drivers/net/slip/slip.c +@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu) + if (cbuff == NULL) + goto err_exit; + slcomp = slhc_init(16, 16); +- if (slcomp == NULL) ++ if (IS_ERR(slcomp)) + goto err_exit; + #endif + spin_lock_bh(&sl->lock); +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 651d35ea22c5..59fefca74263 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1845,10 +1845,10 @@ static int team_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid) + struct team *team = netdev_priv(dev); + struct team_port *port; + +- rcu_read_lock(); +- list_for_each_entry_rcu(port, &team->port_list, list) ++ mutex_lock(&team->lock); ++ list_for_each_entry(port, &team->port_list, list) + vlan_vid_del(port->dev, proto, vid); +- rcu_read_unlock(); ++ mutex_unlock(&team->lock); + + return 0; + } +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c +index b6ea6ff7fb7b..d87b4acdfa5b 100644 +--- a/drivers/net/usb/cdc_mbim.c ++++ b/drivers/net/usb/cdc_mbim.c +@@ -100,7 +100,7 @@ static const struct net_device_ops cdc_mbim_netdev_ops = { + .ndo_stop = usbnet_stop, + .ndo_start_xmit = usbnet_start_xmit, + .ndo_tx_timeout = usbnet_tx_timeout, +- .ndo_change_mtu = usbnet_change_mtu, ++ .ndo_change_mtu = cdc_ncm_change_mtu, + .ndo_set_mac_address = eth_mac_addr, + .ndo_validate_addr = eth_validate_addr, + .ndo_vlan_rx_add_vid = cdc_mbim_rx_add_vid, +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index fa41a6d2a3e5..e278a7a4956d 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -41,6 +41,7 @@ + #include <linux/module.h> + #include <linux/netdevice.h> + #include <linux/ctype.h> ++#include <linux/etherdevice.h> + #include <linux/ethtool.h> + #include <linux/workqueue.h> + #include <linux/mii.h> +@@ -689,6 +690,33 @@ static void cdc_ncm_free(struct cdc_ncm_ctx *ctx) + kfree(ctx); + } + ++/* we need to override the usbnet change_mtu ndo for two reasons: ++ * - respect the negotiated maximum datagram size ++ * - avoid unwanted changes to rx and tx buffers ++ */ ++int cdc_ncm_change_mtu(struct net_device *net, int new_mtu) ++{ ++ struct usbnet *dev = netdev_priv(net); ++ struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0]; ++ int maxmtu = ctx->max_datagram_size - cdc_ncm_eth_hlen(dev); ++ ++ if (new_mtu <= 0 || new_mtu > maxmtu) ++ return -EINVAL; ++ net->mtu = new_mtu; ++ return 0; ++} ++EXPORT_SYMBOL_GPL(cdc_ncm_change_mtu); ++ ++static const struct net_device_ops cdc_ncm_netdev_ops = { ++ .ndo_open = usbnet_open, ++ .ndo_stop = usbnet_stop, ++ .ndo_start_xmit = usbnet_start_xmit, ++ .ndo_tx_timeout = usbnet_tx_timeout, ++ .ndo_change_mtu = cdc_ncm_change_mtu, ++ .ndo_set_mac_address = eth_mac_addr, ++ .ndo_validate_addr = eth_validate_addr, ++}; ++ + int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_altsetting, int drvflags) + { + const struct usb_cdc_union_desc *union_desc = NULL; +@@ -874,6 +902,9 @@ advance: + /* add our sysfs attrs */ + dev->net->sysfs_groups[0] = &cdc_ncm_sysfs_attr_group; + ++ /* must handle MTU changes */ ++ dev->net->netdev_ops = &cdc_ncm_netdev_ops; ++ + return 0; + + error2: +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index 0ef4a5ad5557..ba21d072be31 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -117,12 +117,6 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + kfree_skb(skb); + goto drop; + } +- /* don't change ip_summed == CHECKSUM_PARTIAL, as that +- * will cause bad checksum on forwarded packets +- */ +- if (skb->ip_summed == CHECKSUM_NONE && +- rcv->features & NETIF_F_RXCSUM) +- skb->ip_summed = CHECKSUM_UNNECESSARY; + + if (likely(dev_forward_skb(rcv, skb) == NET_RX_SUCCESS)) { + struct pcpu_vstats *stats = this_cpu_ptr(dev->vstats); +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index c1587ece28cf..40b5f8af47a3 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2660,7 +2660,7 @@ static int vxlan_dev_configure(struct net *src_net, struct net_device *dev, + struct vxlan_config *conf) + { + struct vxlan_net *vn = net_generic(src_net, vxlan_net_id); +- struct vxlan_dev *vxlan = netdev_priv(dev); ++ struct vxlan_dev *vxlan = netdev_priv(dev), *tmp; + struct vxlan_rdst *dst = &vxlan->default_dst; + int err; + bool use_ipv6 = false; +@@ -2725,9 +2725,15 @@ static int vxlan_dev_configure(struct net *src_net, struct net_device *dev, + if (!vxlan->cfg.age_interval) + vxlan->cfg.age_interval = FDB_AGE_DEFAULT; + +- if (vxlan_find_vni(src_net, conf->vni, use_ipv6 ? AF_INET6 : AF_INET, +- vxlan->cfg.dst_port, vxlan->flags)) ++ list_for_each_entry(tmp, &vn->vxlan_list, next) { ++ if (tmp->cfg.vni == conf->vni && ++ (tmp->default_dst.remote_ip.sa.sa_family == AF_INET6 || ++ tmp->cfg.saddr.sa.sa_family == AF_INET6) == use_ipv6 && ++ tmp->cfg.dst_port == vxlan->cfg.dst_port && ++ (tmp->flags & VXLAN_F_RCV_FLAGS) == ++ (vxlan->flags & VXLAN_F_RCV_FLAGS)) + return -EEXIST; ++ } + + dev->ethtool_ops = &vxlan_ethtool_ops; + +diff --git a/drivers/parisc/iommu-helpers.h b/drivers/parisc/iommu-helpers.h +index 761e77bfce5d..e56f1569f6c3 100644 +--- a/drivers/parisc/iommu-helpers.h ++++ b/drivers/parisc/iommu-helpers.h +@@ -104,7 +104,11 @@ iommu_coalesce_chunks(struct ioc *ioc, struct device *dev, + struct scatterlist *contig_sg; /* contig chunk head */ + unsigned long dma_offset, dma_len; /* start/len of DMA stream */ + unsigned int n_mappings = 0; +- unsigned int max_seg_size = dma_get_max_seg_size(dev); ++ unsigned int max_seg_size = min(dma_get_max_seg_size(dev), ++ (unsigned)DMA_CHUNK_SIZE); ++ unsigned int max_seg_boundary = dma_get_seg_boundary(dev) + 1; ++ if (max_seg_boundary) /* check if the addition above didn't overflow */ ++ max_seg_size = min(max_seg_size, max_seg_boundary); + + while (nents > 0) { + +@@ -138,14 +142,11 @@ iommu_coalesce_chunks(struct ioc *ioc, struct device *dev, + + /* + ** First make sure current dma stream won't +- ** exceed DMA_CHUNK_SIZE if we coalesce the ++ ** exceed max_seg_size if we coalesce the + ** next entry. + */ +- if(unlikely(ALIGN(dma_len + dma_offset + startsg->length, +- IOVP_SIZE) > DMA_CHUNK_SIZE)) +- break; +- +- if (startsg->length + dma_len > max_seg_size) ++ if (unlikely(ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) > ++ max_seg_size)) + break; + + /* +diff --git a/drivers/staging/lustre/lustre/obdecho/echo_client.c b/drivers/staging/lustre/lustre/obdecho/echo_client.c +index 27bd170c3a28..ef2c5e032f10 100644 +--- a/drivers/staging/lustre/lustre/obdecho/echo_client.c ++++ b/drivers/staging/lustre/lustre/obdecho/echo_client.c +@@ -1268,6 +1268,7 @@ static int + echo_copyout_lsm(struct lov_stripe_md *lsm, void *_ulsm, int ulsm_nob) + { + struct lov_stripe_md *ulsm = _ulsm; ++ struct lov_oinfo **p; + int nob, i; + + nob = offsetof(struct lov_stripe_md, lsm_oinfo[lsm->lsm_stripe_count]); +@@ -1277,9 +1278,10 @@ echo_copyout_lsm(struct lov_stripe_md *lsm, void *_ulsm, int ulsm_nob) + if (copy_to_user(ulsm, lsm, sizeof(*ulsm))) + return -EFAULT; + +- for (i = 0; i < lsm->lsm_stripe_count; i++) { +- if (copy_to_user(ulsm->lsm_oinfo[i], lsm->lsm_oinfo[i], +- sizeof(lsm->lsm_oinfo[0]))) ++ for (i = 0, p = lsm->lsm_oinfo; i < lsm->lsm_stripe_count; i++, p++) { ++ struct lov_oinfo __user *up; ++ if (get_user(up, ulsm->lsm_oinfo + i) || ++ copy_to_user(up, *p, sizeof(struct lov_oinfo))) + return -EFAULT; + } + return 0; +@@ -1287,9 +1289,10 @@ echo_copyout_lsm(struct lov_stripe_md *lsm, void *_ulsm, int ulsm_nob) + + static int + echo_copyin_lsm(struct echo_device *ed, struct lov_stripe_md *lsm, +- void *ulsm, int ulsm_nob) ++ struct lov_stripe_md __user *ulsm, int ulsm_nob) + { + struct echo_client_obd *ec = ed->ed_ec; ++ struct lov_oinfo **p; + int i; + + if (ulsm_nob < sizeof(*lsm)) +@@ -1305,11 +1308,10 @@ echo_copyin_lsm(struct echo_device *ed, struct lov_stripe_md *lsm, + return -EINVAL; + + +- for (i = 0; i < lsm->lsm_stripe_count; i++) { +- if (copy_from_user(lsm->lsm_oinfo[i], +- ((struct lov_stripe_md *)ulsm)-> \ +- lsm_oinfo[i], +- sizeof(lsm->lsm_oinfo[0]))) ++ for (i = 0, p = lsm->lsm_oinfo; i < lsm->lsm_stripe_count; i++, p++) { ++ struct lov_oinfo __user *up; ++ if (get_user(up, ulsm->lsm_oinfo + i) || ++ copy_from_user(*p, up, sizeof(struct lov_oinfo))) + return -EFAULT; + } + return 0; +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 522f766a7d07..62084335a608 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1035,10 +1035,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + unsigned delay; + + /* Continue a partial initialization */ +- if (type == HUB_INIT2) +- goto init2; +- if (type == HUB_INIT3) ++ if (type == HUB_INIT2 || type == HUB_INIT3) { ++ device_lock(hub->intfdev); ++ ++ /* Was the hub disconnected while we were waiting? */ ++ if (hub->disconnected) { ++ device_unlock(hub->intfdev); ++ kref_put(&hub->kref, hub_release); ++ return; ++ } ++ if (type == HUB_INIT2) ++ goto init2; + goto init3; ++ } ++ kref_get(&hub->kref); + + /* The superspeed hub except for root hub has to use Hub Depth + * value as an offset into the route string to locate the bits +@@ -1236,6 +1246,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + queue_delayed_work(system_power_efficient_wq, + &hub->init_work, + msecs_to_jiffies(delay)); ++ device_unlock(hub->intfdev); + return; /* Continues at init3: below */ + } else { + msleep(delay); +@@ -1257,6 +1268,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + /* Allow autosuspend if it was suppressed */ + if (type <= HUB_INIT3) + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); ++ ++ if (type == HUB_INIT2 || type == HUB_INIT3) ++ device_unlock(hub->intfdev); ++ ++ kref_put(&hub->kref, hub_release); + } + + /* Implement the continuations for the delays above */ +@@ -3870,17 +3886,30 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev, + return; + } + +- if (usb_set_lpm_timeout(udev, state, timeout)) ++ if (usb_set_lpm_timeout(udev, state, timeout)) { + /* If we can't set the parent hub U1/U2 timeout, + * device-initiated LPM won't be allowed either, so let the xHCI + * host know that this link state won't be enabled. + */ + hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state); ++ } else { ++ /* Only a configured device will accept the Set Feature ++ * U1/U2_ENABLE ++ */ ++ if (udev->actconfig) ++ usb_set_device_initiated_lpm(udev, state, true); + +- /* Only a configured device will accept the Set Feature U1/U2_ENABLE */ +- else if (udev->actconfig) +- usb_set_device_initiated_lpm(udev, state, true); +- ++ /* As soon as usb_set_lpm_timeout(timeout) returns 0, the ++ * hub-initiated LPM is enabled. Thus, LPM is enabled no ++ * matter the result of usb_set_device_initiated_lpm(). ++ * The only difference is whether device is able to initiate ++ * LPM. ++ */ ++ if (state == USB3_LPM_U1) ++ udev->usb3_lpm_u1_enabled = 1; ++ else if (state == USB3_LPM_U2) ++ udev->usb3_lpm_u2_enabled = 1; ++ } + } + + /* +@@ -3920,6 +3949,18 @@ static int usb_disable_link_state(struct usb_hcd *hcd, struct usb_device *udev, + dev_warn(&udev->dev, "Could not disable xHCI %s timeout, " + "bus schedule bandwidth may be impacted.\n", + usb3_lpm_names[state]); ++ ++ /* As soon as usb_set_lpm_timeout(0) return 0, hub initiated LPM ++ * is disabled. Hub will disallows link to enter U1/U2 as well, ++ * even device is initiating LPM. Hence LPM is disabled if hub LPM ++ * timeout set to 0, no matter device-initiated LPM is disabled or ++ * not. ++ */ ++ if (state == USB3_LPM_U1) ++ udev->usb3_lpm_u1_enabled = 0; ++ else if (state == USB3_LPM_U2) ++ udev->usb3_lpm_u2_enabled = 0; ++ + return 0; + } + +@@ -3954,8 +3995,6 @@ int usb_disable_lpm(struct usb_device *udev) + if (usb_disable_link_state(hcd, udev, USB3_LPM_U2)) + goto enable_lpm; + +- udev->usb3_lpm_enabled = 0; +- + return 0; + + enable_lpm: +@@ -4013,8 +4052,6 @@ void usb_enable_lpm(struct usb_device *udev) + + usb_enable_link_state(hcd, udev, USB3_LPM_U1); + usb_enable_link_state(hcd, udev, USB3_LPM_U2); +- +- udev->usb3_lpm_enabled = 1; + } + EXPORT_SYMBOL_GPL(usb_enable_lpm); + +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c +index cfc68c11c3f5..c54fd8b73966 100644 +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -531,7 +531,7 @@ static ssize_t usb2_lpm_besl_store(struct device *dev, + } + static DEVICE_ATTR_RW(usb2_lpm_besl); + +-static ssize_t usb3_hardware_lpm_show(struct device *dev, ++static ssize_t usb3_hardware_lpm_u1_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct usb_device *udev = to_usb_device(dev); +@@ -539,7 +539,7 @@ static ssize_t usb3_hardware_lpm_show(struct device *dev, + + usb_lock_device(udev); + +- if (udev->usb3_lpm_enabled) ++ if (udev->usb3_lpm_u1_enabled) + p = "enabled"; + else + p = "disabled"; +@@ -548,7 +548,26 @@ static ssize_t usb3_hardware_lpm_show(struct device *dev, + + return sprintf(buf, "%s\n", p); + } +-static DEVICE_ATTR_RO(usb3_hardware_lpm); ++static DEVICE_ATTR_RO(usb3_hardware_lpm_u1); ++ ++static ssize_t usb3_hardware_lpm_u2_show(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ struct usb_device *udev = to_usb_device(dev); ++ const char *p; ++ ++ usb_lock_device(udev); ++ ++ if (udev->usb3_lpm_u2_enabled) ++ p = "enabled"; ++ else ++ p = "disabled"; ++ ++ usb_unlock_device(udev); ++ ++ return sprintf(buf, "%s\n", p); ++} ++static DEVICE_ATTR_RO(usb3_hardware_lpm_u2); + + static struct attribute *usb2_hardware_lpm_attr[] = { + &dev_attr_usb2_hardware_lpm.attr, +@@ -562,7 +581,8 @@ static struct attribute_group usb2_hardware_lpm_attr_group = { + }; + + static struct attribute *usb3_hardware_lpm_attr[] = { +- &dev_attr_usb3_hardware_lpm.attr, ++ &dev_attr_usb3_hardware_lpm_u1.attr, ++ &dev_attr_usb3_hardware_lpm_u2.attr, + NULL, + }; + static struct attribute_group usb3_hardware_lpm_attr_group = { +@@ -592,7 +612,8 @@ static int add_power_attributes(struct device *dev) + if (udev->usb2_hw_lpm_capable == 1) + rc = sysfs_merge_group(&dev->kobj, + &usb2_hardware_lpm_attr_group); +- if (udev->lpm_capable == 1) ++ if (udev->speed == USB_SPEED_SUPER && ++ udev->lpm_capable == 1) + rc = sysfs_merge_group(&dev->kobj, + &usb3_hardware_lpm_attr_group); + } +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 385f9f5d6715..e40c300ff8d6 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4778,8 +4778,16 @@ int xhci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev, + ctrl_ctx->add_flags |= cpu_to_le32(SLOT_FLAG); + slot_ctx = xhci_get_slot_ctx(xhci, config_cmd->in_ctx); + slot_ctx->dev_info |= cpu_to_le32(DEV_HUB); ++ /* ++ * refer to section 6.2.2: MTT should be 0 for full speed hub, ++ * but it may be already set to 1 when setup an xHCI virtual ++ * device, so clear it anyway. ++ */ + if (tt->multi) + slot_ctx->dev_info |= cpu_to_le32(DEV_MTT); ++ else if (hdev->speed == USB_SPEED_FULL) ++ slot_ctx->dev_info &= cpu_to_le32(~DEV_MTT); ++ + if (xhci->hci_version > 0x95) { + xhci_dbg(xhci, "xHCI version %x needs hub " + "TT think time and number of ports\n", +@@ -5034,6 +5042,10 @@ static int __init xhci_hcd_init(void) + BUILD_BUG_ON(sizeof(struct xhci_intr_reg) != 8*32/8); + /* xhci_run_regs has eight fields and embeds 128 xhci_intr_regs */ + BUILD_BUG_ON(sizeof(struct xhci_run_regs) != (8+8*128)*32/8); ++ ++ if (usb_disabled()) ++ return -ENODEV; ++ + return 0; + } + +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 7d4f51a32e66..59b2126b21a3 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -160,6 +160,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x17F4, 0xAAAA) }, /* Wavesense Jazz blood glucose meter */ + { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */ + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */ ++ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */ + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */ + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */ + { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */ +diff --git a/drivers/usb/serial/ipaq.c b/drivers/usb/serial/ipaq.c +index f51a5d52c0ed..ec1b8f2c1183 100644 +--- a/drivers/usb/serial/ipaq.c ++++ b/drivers/usb/serial/ipaq.c +@@ -531,7 +531,8 @@ static int ipaq_open(struct tty_struct *tty, + * through. Since this has a reasonably high failure rate, we retry + * several times. + */ +- while (retries--) { ++ while (retries) { ++ retries--; + result = usb_control_msg(serial->dev, + usb_sndctrlpipe(serial->dev, 0), 0x22, 0x21, + 0x1, 0, NULL, 0, 100); +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c +index 2ea0b3b2a91d..1be5dd048622 100644 +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -804,7 +804,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) + + vma->vm_ops = &gntdev_vmops; + +- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; ++ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO; + + if (use_ptemod) + vma->vm_flags |= VM_DONTCOPY; +diff --git a/fs/direct-io.c b/fs/direct-io.c +index 11256291642e..3e116320f01b 100644 +--- a/fs/direct-io.c ++++ b/fs/direct-io.c +@@ -1161,6 +1161,16 @@ do_blockdev_direct_IO(struct kiocb *iocb, struct inode *inode, + } + } + ++ /* Once we sampled i_size check for reads beyond EOF */ ++ dio->i_size = i_size_read(inode); ++ if (iov_iter_rw(iter) == READ && offset >= dio->i_size) { ++ if (dio->flags & DIO_LOCKING) ++ mutex_unlock(&inode->i_mutex); ++ kmem_cache_free(dio_cache, dio); ++ retval = 0; ++ goto out; ++ } ++ + /* + * For file extending writes updating i_size before data writeouts + * complete can expose uninitialized blocks in dumb filesystems. +@@ -1214,7 +1224,6 @@ do_blockdev_direct_IO(struct kiocb *iocb, struct inode *inode, + sdio.next_block_for_io = -1; + + dio->iocb = iocb; +- dio->i_size = i_size_read(inode); + + spin_lock_init(&dio->bio_lock); + dio->refcount = 1; +diff --git a/include/linux/filter.h b/include/linux/filter.h +index fa2cab985e57..d42a5b832ad3 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -459,6 +459,25 @@ static inline void bpf_jit_free(struct bpf_prog *fp) + + #define BPF_ANC BIT(15) + ++static inline bool bpf_needs_clear_a(const struct sock_filter *first) ++{ ++ switch (first->code) { ++ case BPF_RET | BPF_K: ++ case BPF_LD | BPF_W | BPF_LEN: ++ return false; ++ ++ case BPF_LD | BPF_W | BPF_ABS: ++ case BPF_LD | BPF_H | BPF_ABS: ++ case BPF_LD | BPF_B | BPF_ABS: ++ if (first->k == SKF_AD_OFF + SKF_AD_ALU_XOR_X) ++ return true; ++ return false; ++ ++ default: ++ return true; ++ } ++} ++ + static inline u16 bpf_anc_helper(const struct sock_filter *ftest) + { + BUG_ON(ftest->code & BPF_ANC); +diff --git a/include/linux/mlx5/cq.h b/include/linux/mlx5/cq.h +index abc4767695e4..b2c9fada8eac 100644 +--- a/include/linux/mlx5/cq.h ++++ b/include/linux/mlx5/cq.h +@@ -45,7 +45,7 @@ struct mlx5_core_cq { + atomic_t refcount; + struct completion free; + unsigned vector; +- int irqn; ++ unsigned int irqn; + void (*comp) (struct mlx5_core_cq *); + void (*event) (struct mlx5_core_cq *, enum mlx5_event); + struct mlx5_uar *uar; +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 8b6d6f2154a4..2b013dcc1d7e 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -303,7 +303,7 @@ struct mlx5_eq { + u32 cons_index; + struct mlx5_buf buf; + int size; +- u8 irqn; ++ unsigned int irqn; + u8 eqn; + int nent; + u64 mask; +@@ -738,7 +738,8 @@ int mlx5_create_map_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq, u8 vecidx, + int mlx5_destroy_unmap_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq); + int mlx5_start_eqs(struct mlx5_core_dev *dev); + int mlx5_stop_eqs(struct mlx5_core_dev *dev); +-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, int *irqn); ++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, ++ unsigned int *irqn); + int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn); + int mlx5_core_detach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn); + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index b7b9501b41af..f477e87ca46f 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -830,6 +830,7 @@ struct user_struct { + unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ + #endif + unsigned long locked_shm; /* How many pages of mlocked shm ? */ ++ unsigned long unix_inflight; /* How many files in flight in unix sockets */ + + #ifdef CONFIG_KEYS + struct key *uid_keyring; /* UID specific keyring */ +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 4398411236f1..23ce309bd93f 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3437,7 +3437,8 @@ struct skb_gso_cb { + int encap_level; + __u16 csum_start; + }; +-#define SKB_GSO_CB(skb) ((struct skb_gso_cb *)(skb)->cb) ++#define SKB_SGO_CB_OFFSET 32 ++#define SKB_GSO_CB(skb) ((struct skb_gso_cb *)((skb)->cb + SKB_SGO_CB_OFFSET)) + + static inline int skb_tnl_header_len(const struct sk_buff *inner_skb) + { +diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h +index a460e2ef2843..42c36bb6b74a 100644 +--- a/include/linux/syscalls.h ++++ b/include/linux/syscalls.h +@@ -524,7 +524,7 @@ asmlinkage long sys_chown(const char __user *filename, + asmlinkage long sys_lchown(const char __user *filename, + uid_t user, gid_t group); + asmlinkage long sys_fchown(unsigned int fd, uid_t user, gid_t group); +-#ifdef CONFIG_UID16 ++#ifdef CONFIG_HAVE_UID16 + asmlinkage long sys_chown16(const char __user *filename, + old_uid_t user, old_gid_t group); + asmlinkage long sys_lchown16(const char __user *filename, +diff --git a/include/linux/types.h b/include/linux/types.h +index c314989d9158..89f63da62be6 100644 +--- a/include/linux/types.h ++++ b/include/linux/types.h +@@ -35,7 +35,7 @@ typedef __kernel_gid16_t gid16_t; + + typedef unsigned long uintptr_t; + +-#ifdef CONFIG_UID16 ++#ifdef CONFIG_HAVE_UID16 + /* This is defined by include/asm-{arch}/posix_types.h */ + typedef __kernel_old_uid_t old_uid_t; + typedef __kernel_old_gid_t old_gid_t; +diff --git a/include/linux/usb.h b/include/linux/usb.h +index 447fe29b55b4..4aec2113107c 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -507,6 +507,8 @@ struct usb3_lpm_parameters { + * @usb2_hw_lpm_enabled: USB2 hardware LPM is enabled + * @usb2_hw_lpm_allowed: Userspace allows USB 2.0 LPM to be enabled + * @usb3_lpm_enabled: USB3 hardware LPM enabled ++ * @usb3_lpm_u1_enabled: USB3 hardware U1 LPM enabled ++ * @usb3_lpm_u2_enabled: USB3 hardware U2 LPM enabled + * @string_langid: language ID for strings + * @product: iProduct string, if present (static) + * @manufacturer: iManufacturer string, if present (static) +@@ -580,6 +582,8 @@ struct usb_device { + unsigned usb2_hw_lpm_enabled:1; + unsigned usb2_hw_lpm_allowed:1; + unsigned usb3_lpm_enabled:1; ++ unsigned usb3_lpm_u1_enabled:1; ++ unsigned usb3_lpm_u2_enabled:1; + int string_langid; + + /* static strings from the device */ +diff --git a/include/linux/usb/cdc_ncm.h b/include/linux/usb/cdc_ncm.h +index 1f6526c76ee8..3a375d07d0dc 100644 +--- a/include/linux/usb/cdc_ncm.h ++++ b/include/linux/usb/cdc_ncm.h +@@ -138,6 +138,7 @@ struct cdc_ncm_ctx { + }; + + u8 cdc_ncm_select_altsetting(struct usb_interface *intf); ++int cdc_ncm_change_mtu(struct net_device *net, int new_mtu); + int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_altsetting, int drvflags); + void cdc_ncm_unbind(struct usbnet *dev, struct usb_interface *intf); + struct sk_buff *cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign); +diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h +index 84b20835b736..0dc0a51da38f 100644 +--- a/include/net/inet_ecn.h ++++ b/include/net/inet_ecn.h +@@ -111,11 +111,24 @@ static inline void ipv4_copy_dscp(unsigned int dscp, struct iphdr *inner) + + struct ipv6hdr; + +-static inline int IP6_ECN_set_ce(struct ipv6hdr *iph) ++/* Note: ++ * IP_ECN_set_ce() has to tweak IPV4 checksum when setting CE, ++ * meaning both changes have no effect on skb->csum if/when CHECKSUM_COMPLETE ++ * In IPv6 case, no checksum compensates the change in IPv6 header, ++ * so we have to update skb->csum. ++ */ ++static inline int IP6_ECN_set_ce(struct sk_buff *skb, struct ipv6hdr *iph) + { ++ __be32 from, to; ++ + if (INET_ECN_is_not_ect(ipv6_get_dsfield(iph))) + return 0; +- *(__be32*)iph |= htonl(INET_ECN_CE << 20); ++ ++ from = *(__be32 *)iph; ++ to = from | htonl(INET_ECN_CE << 20); ++ *(__be32 *)iph = to; ++ if (skb->ip_summed == CHECKSUM_COMPLETE) ++ skb->csum = csum_add(csum_sub(skb->csum, from), to); + return 1; + } + +@@ -142,7 +155,7 @@ static inline int INET_ECN_set_ce(struct sk_buff *skb) + case cpu_to_be16(ETH_P_IPV6): + if (skb_network_header(skb) + sizeof(struct ipv6hdr) <= + skb_tail_pointer(skb)) +- return IP6_ECN_set_ce(ipv6_hdr(skb)); ++ return IP6_ECN_set_ce(skb, ipv6_hdr(skb)); + break; + } + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index b074b23000d6..36c6efeffdd5 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1058,6 +1058,16 @@ static int check_alu_op(struct reg_state *regs, struct bpf_insn *insn) + return -EINVAL; + } + ++ if ((opcode == BPF_LSH || opcode == BPF_RSH || ++ opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) { ++ int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; ++ ++ if (insn->imm < 0 || insn->imm >= size) { ++ verbose("invalid shift %d\n", insn->imm); ++ return -EINVAL; ++ } ++ } ++ + /* pattern match 'bpf_add Rx, imm' instruction */ + if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 && + regs[insn->dst_reg].type == FRAME_PTR && +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index 84190f02b521..101240bfff1e 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -970,13 +970,29 @@ EXPORT_SYMBOL(add_timer); + */ + void add_timer_on(struct timer_list *timer, int cpu) + { +- struct tvec_base *base = per_cpu_ptr(&tvec_bases, cpu); ++ struct tvec_base *new_base = per_cpu_ptr(&tvec_bases, cpu); ++ struct tvec_base *base; + unsigned long flags; + + timer_stats_timer_set_start_info(timer); + BUG_ON(timer_pending(timer) || !timer->function); +- spin_lock_irqsave(&base->lock, flags); +- timer->flags = (timer->flags & ~TIMER_BASEMASK) | cpu; ++ ++ /* ++ * If @timer was on a different CPU, it should be migrated with the ++ * old base locked to prevent other operations proceeding with the ++ * wrong base locked. See lock_timer_base(). ++ */ ++ base = lock_timer_base(timer, &flags); ++ if (base != new_base) { ++ timer->flags |= TIMER_MIGRATING; ++ ++ spin_unlock(&base->lock); ++ base = new_base; ++ spin_lock(&base->lock); ++ WRITE_ONCE(timer->flags, ++ (timer->flags & ~TIMER_BASEMASK) | cpu); ++ } ++ + debug_activate(timer, timer->expires); + internal_add_timer(base, timer); + spin_unlock_irqrestore(&base->lock, flags); +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 191a70290dca..f5d2fe5e31cc 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -127,21 +127,17 @@ batadv_backbone_gw_free_ref(struct batadv_bla_backbone_gw *backbone_gw) + } + + /* finally deinitialize the claim */ +-static void batadv_claim_free_rcu(struct rcu_head *rcu) ++static void batadv_claim_release(struct batadv_bla_claim *claim) + { +- struct batadv_bla_claim *claim; +- +- claim = container_of(rcu, struct batadv_bla_claim, rcu); +- + batadv_backbone_gw_free_ref(claim->backbone_gw); +- kfree(claim); ++ kfree_rcu(claim, rcu); + } + + /* free a claim, call claim_free_rcu if its the last reference */ + static void batadv_claim_free_ref(struct batadv_bla_claim *claim) + { + if (atomic_dec_and_test(&claim->refcount)) +- call_rcu(&claim->rcu, batadv_claim_free_rcu); ++ batadv_claim_release(claim); + } + + /** +diff --git a/net/batman-adv/hard-interface.h b/net/batman-adv/hard-interface.h +index 5a31420513e1..7b12ea8ea29d 100644 +--- a/net/batman-adv/hard-interface.h ++++ b/net/batman-adv/hard-interface.h +@@ -75,18 +75,6 @@ batadv_hardif_free_ref(struct batadv_hard_iface *hard_iface) + call_rcu(&hard_iface->rcu, batadv_hardif_free_rcu); + } + +-/** +- * batadv_hardif_free_ref_now - decrement the hard interface refcounter and +- * possibly free it (without rcu callback) +- * @hard_iface: the hard interface to free +- */ +-static inline void +-batadv_hardif_free_ref_now(struct batadv_hard_iface *hard_iface) +-{ +- if (atomic_dec_and_test(&hard_iface->refcount)) +- batadv_hardif_free_rcu(&hard_iface->rcu); +-} +- + static inline struct batadv_hard_iface * + batadv_primary_if_get_selected(struct batadv_priv *bat_priv) + { +diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c +index f5276be2c77c..d0956f726547 100644 +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -203,28 +203,25 @@ void batadv_nc_init_orig(struct batadv_orig_node *orig_node) + } + + /** +- * batadv_nc_node_free_rcu - rcu callback to free an nc node and remove +- * its refcount on the orig_node +- * @rcu: rcu pointer of the nc node ++ * batadv_nc_node_release - release nc_node from lists and queue for free after ++ * rcu grace period ++ * @nc_node: the nc node to free + */ +-static void batadv_nc_node_free_rcu(struct rcu_head *rcu) ++static void batadv_nc_node_release(struct batadv_nc_node *nc_node) + { +- struct batadv_nc_node *nc_node; +- +- nc_node = container_of(rcu, struct batadv_nc_node, rcu); + batadv_orig_node_free_ref(nc_node->orig_node); +- kfree(nc_node); ++ kfree_rcu(nc_node, rcu); + } + + /** +- * batadv_nc_node_free_ref - decrements the nc node refcounter and possibly +- * frees it ++ * batadv_nc_node_free_ref - decrement the nc node refcounter and possibly ++ * release it + * @nc_node: the nc node to free + */ + static void batadv_nc_node_free_ref(struct batadv_nc_node *nc_node) + { + if (atomic_dec_and_test(&nc_node->refcount)) +- call_rcu(&nc_node->rcu, batadv_nc_node_free_rcu); ++ batadv_nc_node_release(nc_node); + } + + /** +diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c +index 7486df9ed48d..17851d3aaf22 100644 +--- a/net/batman-adv/originator.c ++++ b/net/batman-adv/originator.c +@@ -163,92 +163,66 @@ err: + } + + /** +- * batadv_neigh_ifinfo_free_rcu - free the neigh_ifinfo object +- * @rcu: rcu pointer of the neigh_ifinfo object +- */ +-static void batadv_neigh_ifinfo_free_rcu(struct rcu_head *rcu) +-{ +- struct batadv_neigh_ifinfo *neigh_ifinfo; +- +- neigh_ifinfo = container_of(rcu, struct batadv_neigh_ifinfo, rcu); +- +- if (neigh_ifinfo->if_outgoing != BATADV_IF_DEFAULT) +- batadv_hardif_free_ref_now(neigh_ifinfo->if_outgoing); +- +- kfree(neigh_ifinfo); +-} +- +-/** +- * batadv_neigh_ifinfo_free_now - decrement the refcounter and possibly free +- * the neigh_ifinfo (without rcu callback) ++ * batadv_neigh_ifinfo_release - release neigh_ifinfo from lists and queue for ++ * free after rcu grace period + * @neigh_ifinfo: the neigh_ifinfo object to release + */ + static void +-batadv_neigh_ifinfo_free_ref_now(struct batadv_neigh_ifinfo *neigh_ifinfo) ++batadv_neigh_ifinfo_release(struct batadv_neigh_ifinfo *neigh_ifinfo) + { +- if (atomic_dec_and_test(&neigh_ifinfo->refcount)) +- batadv_neigh_ifinfo_free_rcu(&neigh_ifinfo->rcu); ++ if (neigh_ifinfo->if_outgoing != BATADV_IF_DEFAULT) ++ batadv_hardif_free_ref(neigh_ifinfo->if_outgoing); ++ ++ kfree_rcu(neigh_ifinfo, rcu); + } + + /** +- * batadv_neigh_ifinfo_free_ref - decrement the refcounter and possibly free ++ * batadv_neigh_ifinfo_free_ref - decrement the refcounter and possibly release + * the neigh_ifinfo + * @neigh_ifinfo: the neigh_ifinfo object to release + */ + void batadv_neigh_ifinfo_free_ref(struct batadv_neigh_ifinfo *neigh_ifinfo) + { + if (atomic_dec_and_test(&neigh_ifinfo->refcount)) +- call_rcu(&neigh_ifinfo->rcu, batadv_neigh_ifinfo_free_rcu); ++ batadv_neigh_ifinfo_release(neigh_ifinfo); + } + + /** + * batadv_neigh_node_free_rcu - free the neigh_node +- * @rcu: rcu pointer of the neigh_node ++ * batadv_neigh_node_release - release neigh_node from lists and queue for ++ * free after rcu grace period ++ * @neigh_node: neigh neighbor to free + */ +-static void batadv_neigh_node_free_rcu(struct rcu_head *rcu) ++static void batadv_neigh_node_release(struct batadv_neigh_node *neigh_node) + { + struct hlist_node *node_tmp; +- struct batadv_neigh_node *neigh_node; + struct batadv_neigh_ifinfo *neigh_ifinfo; + struct batadv_algo_ops *bao; + +- neigh_node = container_of(rcu, struct batadv_neigh_node, rcu); + bao = neigh_node->orig_node->bat_priv->bat_algo_ops; + + hlist_for_each_entry_safe(neigh_ifinfo, node_tmp, + &neigh_node->ifinfo_list, list) { +- batadv_neigh_ifinfo_free_ref_now(neigh_ifinfo); ++ batadv_neigh_ifinfo_free_ref(neigh_ifinfo); + } + + if (bao->bat_neigh_free) + bao->bat_neigh_free(neigh_node); + +- batadv_hardif_free_ref_now(neigh_node->if_incoming); ++ batadv_hardif_free_ref(neigh_node->if_incoming); + +- kfree(neigh_node); +-} +- +-/** +- * batadv_neigh_node_free_ref_now - decrement the neighbors refcounter +- * and possibly free it (without rcu callback) +- * @neigh_node: neigh neighbor to free +- */ +-static void +-batadv_neigh_node_free_ref_now(struct batadv_neigh_node *neigh_node) +-{ +- if (atomic_dec_and_test(&neigh_node->refcount)) +- batadv_neigh_node_free_rcu(&neigh_node->rcu); ++ kfree_rcu(neigh_node, rcu); + } + + /** + * batadv_neigh_node_free_ref - decrement the neighbors refcounter +- * and possibly free it ++ * and possibly release it + * @neigh_node: neigh neighbor to free + */ + void batadv_neigh_node_free_ref(struct batadv_neigh_node *neigh_node) + { + if (atomic_dec_and_test(&neigh_node->refcount)) +- call_rcu(&neigh_node->rcu, batadv_neigh_node_free_rcu); ++ batadv_neigh_node_release(neigh_node); + } + + /** +@@ -532,108 +506,99 @@ out: + } + + /** +- * batadv_orig_ifinfo_free_rcu - free the orig_ifinfo object +- * @rcu: rcu pointer of the orig_ifinfo object ++ * batadv_orig_ifinfo_release - release orig_ifinfo from lists and queue for ++ * free after rcu grace period ++ * @orig_ifinfo: the orig_ifinfo object to release + */ +-static void batadv_orig_ifinfo_free_rcu(struct rcu_head *rcu) ++static void batadv_orig_ifinfo_release(struct batadv_orig_ifinfo *orig_ifinfo) + { +- struct batadv_orig_ifinfo *orig_ifinfo; + struct batadv_neigh_node *router; + +- orig_ifinfo = container_of(rcu, struct batadv_orig_ifinfo, rcu); +- + if (orig_ifinfo->if_outgoing != BATADV_IF_DEFAULT) +- batadv_hardif_free_ref_now(orig_ifinfo->if_outgoing); ++ batadv_hardif_free_ref(orig_ifinfo->if_outgoing); + + /* this is the last reference to this object */ + router = rcu_dereference_protected(orig_ifinfo->router, true); + if (router) +- batadv_neigh_node_free_ref_now(router); +- kfree(orig_ifinfo); ++ batadv_neigh_node_free_ref(router); ++ ++ kfree_rcu(orig_ifinfo, rcu); + } + + /** +- * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly free +- * the orig_ifinfo (without rcu callback) ++ * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly release ++ * the orig_ifinfo + * @orig_ifinfo: the orig_ifinfo object to release + */ +-static void +-batadv_orig_ifinfo_free_ref_now(struct batadv_orig_ifinfo *orig_ifinfo) ++void batadv_orig_ifinfo_free_ref(struct batadv_orig_ifinfo *orig_ifinfo) + { + if (atomic_dec_and_test(&orig_ifinfo->refcount)) +- batadv_orig_ifinfo_free_rcu(&orig_ifinfo->rcu); ++ batadv_orig_ifinfo_release(orig_ifinfo); + } + + /** +- * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly free +- * the orig_ifinfo +- * @orig_ifinfo: the orig_ifinfo object to release ++ * batadv_orig_node_free_rcu - free the orig_node ++ * @rcu: rcu pointer of the orig_node + */ +-void batadv_orig_ifinfo_free_ref(struct batadv_orig_ifinfo *orig_ifinfo) ++static void batadv_orig_node_free_rcu(struct rcu_head *rcu) + { +- if (atomic_dec_and_test(&orig_ifinfo->refcount)) +- call_rcu(&orig_ifinfo->rcu, batadv_orig_ifinfo_free_rcu); ++ struct batadv_orig_node *orig_node; ++ ++ orig_node = container_of(rcu, struct batadv_orig_node, rcu); ++ ++ batadv_mcast_purge_orig(orig_node); ++ ++ batadv_frag_purge_orig(orig_node, NULL); ++ ++ if (orig_node->bat_priv->bat_algo_ops->bat_orig_free) ++ orig_node->bat_priv->bat_algo_ops->bat_orig_free(orig_node); ++ ++ kfree(orig_node->tt_buff); ++ kfree(orig_node); + } + +-static void batadv_orig_node_free_rcu(struct rcu_head *rcu) ++/** ++ * batadv_orig_node_release - release orig_node from lists and queue for ++ * free after rcu grace period ++ * @orig_node: the orig node to free ++ */ ++static void batadv_orig_node_release(struct batadv_orig_node *orig_node) + { + struct hlist_node *node_tmp; + struct batadv_neigh_node *neigh_node; +- struct batadv_orig_node *orig_node; + struct batadv_orig_ifinfo *orig_ifinfo; + +- orig_node = container_of(rcu, struct batadv_orig_node, rcu); +- + spin_lock_bh(&orig_node->neigh_list_lock); + + /* for all neighbors towards this originator ... */ + hlist_for_each_entry_safe(neigh_node, node_tmp, + &orig_node->neigh_list, list) { + hlist_del_rcu(&neigh_node->list); +- batadv_neigh_node_free_ref_now(neigh_node); ++ batadv_neigh_node_free_ref(neigh_node); + } + + hlist_for_each_entry_safe(orig_ifinfo, node_tmp, + &orig_node->ifinfo_list, list) { + hlist_del_rcu(&orig_ifinfo->list); +- batadv_orig_ifinfo_free_ref_now(orig_ifinfo); ++ batadv_orig_ifinfo_free_ref(orig_ifinfo); + } + spin_unlock_bh(&orig_node->neigh_list_lock); + +- batadv_mcast_purge_orig(orig_node); +- + /* Free nc_nodes */ + batadv_nc_purge_orig(orig_node->bat_priv, orig_node, NULL); + +- batadv_frag_purge_orig(orig_node, NULL); +- +- if (orig_node->bat_priv->bat_algo_ops->bat_orig_free) +- orig_node->bat_priv->bat_algo_ops->bat_orig_free(orig_node); +- +- kfree(orig_node->tt_buff); +- kfree(orig_node); ++ call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu); + } + + /** + * batadv_orig_node_free_ref - decrement the orig node refcounter and possibly +- * schedule an rcu callback for freeing it ++ * release it + * @orig_node: the orig node to free + */ + void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node) + { + if (atomic_dec_and_test(&orig_node->refcount)) +- call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu); +-} +- +-/** +- * batadv_orig_node_free_ref_now - decrement the orig node refcounter and +- * possibly free it (without rcu callback) +- * @orig_node: the orig node to free +- */ +-void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node) +-{ +- if (atomic_dec_and_test(&orig_node->refcount)) +- batadv_orig_node_free_rcu(&orig_node->rcu); ++ batadv_orig_node_release(orig_node); + } + + void batadv_originator_free(struct batadv_priv *bat_priv) +diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h +index fa18f9bf266b..a5c37882b409 100644 +--- a/net/batman-adv/originator.h ++++ b/net/batman-adv/originator.h +@@ -38,7 +38,6 @@ int batadv_originator_init(struct batadv_priv *bat_priv); + void batadv_originator_free(struct batadv_priv *bat_priv); + void batadv_purge_orig_ref(struct batadv_priv *bat_priv); + void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node); +-void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node); + struct batadv_orig_node *batadv_orig_node_new(struct batadv_priv *bat_priv, + const u8 *addr); + struct batadv_neigh_node * +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c +index 4228b10c47ea..900e94be4393 100644 +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -238,20 +238,6 @@ int batadv_tt_global_hash_count(struct batadv_priv *bat_priv, + return count; + } + +-static void batadv_tt_orig_list_entry_free_rcu(struct rcu_head *rcu) +-{ +- struct batadv_tt_orig_list_entry *orig_entry; +- +- orig_entry = container_of(rcu, struct batadv_tt_orig_list_entry, rcu); +- +- /* We are in an rcu callback here, therefore we cannot use +- * batadv_orig_node_free_ref() and its call_rcu(): +- * An rcu_barrier() wouldn't wait for that to finish +- */ +- batadv_orig_node_free_ref_now(orig_entry->orig_node); +- kfree(orig_entry); +-} +- + /** + * batadv_tt_local_size_mod - change the size by v of the local table identified + * by vid +@@ -347,13 +333,25 @@ static void batadv_tt_global_size_dec(struct batadv_orig_node *orig_node, + batadv_tt_global_size_mod(orig_node, vid, -1); + } + ++/** ++ * batadv_tt_orig_list_entry_release - release tt orig entry from lists and ++ * queue for free after rcu grace period ++ * @orig_entry: tt orig entry to be free'd ++ */ ++static void ++batadv_tt_orig_list_entry_release(struct batadv_tt_orig_list_entry *orig_entry) ++{ ++ batadv_orig_node_free_ref(orig_entry->orig_node); ++ kfree_rcu(orig_entry, rcu); ++} ++ + static void + batadv_tt_orig_list_entry_free_ref(struct batadv_tt_orig_list_entry *orig_entry) + { + if (!atomic_dec_and_test(&orig_entry->refcount)) + return; + +- call_rcu(&orig_entry->rcu, batadv_tt_orig_list_entry_free_rcu); ++ batadv_tt_orig_list_entry_release(orig_entry); + } + + /** +diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c +index 6ed2feb51e3c..9780603ba411 100644 +--- a/net/bridge/br_device.c ++++ b/net/bridge/br_device.c +@@ -28,6 +28,8 @@ + const struct nf_br_ops __rcu *nf_br_ops __read_mostly; + EXPORT_SYMBOL_GPL(nf_br_ops); + ++static struct lock_class_key bridge_netdev_addr_lock_key; ++ + /* net device transmit always called with BH disabled */ + netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev) + { +@@ -87,6 +89,11 @@ out: + return NETDEV_TX_OK; + } + ++static void br_set_lockdep_class(struct net_device *dev) ++{ ++ lockdep_set_class(&dev->addr_list_lock, &bridge_netdev_addr_lock_key); ++} ++ + static int br_dev_init(struct net_device *dev) + { + struct net_bridge *br = netdev_priv(dev); +@@ -99,6 +106,7 @@ static int br_dev_init(struct net_device *dev) + err = br_vlan_init(br); + if (err) + free_percpu(br->stats); ++ br_set_lockdep_class(dev); + + return err; + } +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index 4ca449a16132..49d8d28222d8 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -130,7 +130,10 @@ static void br_stp_start(struct net_bridge *br) + char *envp[] = { NULL }; + struct net_bridge_port *p; + +- r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC); ++ if (net_eq(dev_net(br->dev), &init_net)) ++ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC); ++ else ++ r = -ENOENT; + + spin_lock_bh(&br->lock); + +diff --git a/net/core/dev.c b/net/core/dev.c +index c14748d051e7..6369c456e326 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2539,6 +2539,8 @@ static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path) + * + * It may return NULL if the skb requires no segmentation. This is + * only possible when GSO is used for verifying header integrity. ++ * ++ * Segmentation preserves SKB_SGO_CB_OFFSET bytes of previous skb cb. + */ + struct sk_buff *__skb_gso_segment(struct sk_buff *skb, + netdev_features_t features, bool tx_path) +@@ -2553,6 +2555,9 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb, + return ERR_PTR(err); + } + ++ BUILD_BUG_ON(SKB_SGO_CB_OFFSET + ++ sizeof(*SKB_GSO_CB(skb)) > sizeof(skb->cb)); ++ + SKB_GSO_CB(skb)->mac_offset = skb_headroom(skb); + SKB_GSO_CB(skb)->encap_level = 0; + +diff --git a/net/core/dst.c b/net/core/dst.c +index d6a5a0bc7df5..8852021a7093 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -301,12 +301,13 @@ void dst_release(struct dst_entry *dst) + { + if (dst) { + int newrefcnt; ++ unsigned short nocache = dst->flags & DST_NOCACHE; + + newrefcnt = atomic_dec_return(&dst->__refcnt); + if (unlikely(newrefcnt < 0)) + net_warn_ratelimited("%s: dst:%p refcnt:%d\n", + __func__, dst, newrefcnt); +- if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE)) ++ if (!newrefcnt && unlikely(nocache)) + call_rcu(&dst->rcu_head, dst_destroy_rcu); + } + } +diff --git a/net/core/filter.c b/net/core/filter.c +index bb18c3680001..49b44879dc7f 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -781,6 +781,11 @@ static int bpf_check_classic(const struct sock_filter *filter, + if (ftest->k == 0) + return -EINVAL; + break; ++ case BPF_ALU | BPF_LSH | BPF_K: ++ case BPF_ALU | BPF_RSH | BPF_K: ++ if (ftest->k >= 32) ++ return -EINVAL; ++ break; + case BPF_LD | BPF_MEM: + case BPF_LDX | BPF_MEM: + case BPF_ST: +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index de8d5cc5eb24..4da4d51a2ccf 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -2787,7 +2787,9 @@ static struct sk_buff *pktgen_alloc_skb(struct net_device *dev, + } else { + skb = __netdev_alloc_skb(dev, size, GFP_NOWAIT); + } +- skb_reserve(skb, LL_RESERVED_SPACE(dev)); ++ ++ if (likely(skb)) ++ skb_reserve(skb, LL_RESERVED_SPACE(dev)); + + return skb; + } +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 0138fada0951..b945f1e9d7ba 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -240,6 +240,7 @@ static int ip_finish_output_gso(struct sock *sk, struct sk_buff *skb, + * from host network stack. + */ + features = netif_skb_features(skb); ++ BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_SGO_CB_OFFSET); + segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK); + if (IS_ERR_OR_NULL(segs)) { + kfree_skb(skb); +@@ -918,7 +919,7 @@ static int __ip_append_data(struct sock *sk, + if (((length > mtu) || (skb && skb_is_gso(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len && +- (sk->sk_type == SOCK_DGRAM)) { ++ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, transhdrlen, + maxfraglen, flags); +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 0a2b61dbcd4e..064f1a0bef6d 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -2525,6 +2525,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, + int newly_acked_sacked = prior_unsacked - + (tp->packets_out - tp->sacked_out); + ++ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) ++ return; ++ + tp->prr_delivered += newly_acked_sacked; + if (delta < 0) { + u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + +diff --git a/net/ipv4/tcp_yeah.c b/net/ipv4/tcp_yeah.c +index 17d35662930d..3e6a472e6b88 100644 +--- a/net/ipv4/tcp_yeah.c ++++ b/net/ipv4/tcp_yeah.c +@@ -219,7 +219,7 @@ static u32 tcp_yeah_ssthresh(struct sock *sk) + yeah->fast_count = 0; + yeah->reno_count = max(yeah->reno_count>>1, 2U); + +- return tp->snd_cwnd - reduction; ++ return max_t(int, tp->snd_cwnd - reduction, 2); + } + + static struct tcp_congestion_ops tcp_yeah __read_mostly = { +diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c +index c10a9ee68433..126ff9020bad 100644 +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -236,7 +236,7 @@ static void xfrm4_dst_ifdown(struct dst_entry *dst, struct net_device *dev, + xfrm_dst_ifdown(dst, dev); + } + +-static struct dst_ops xfrm4_dst_ops = { ++static struct dst_ops xfrm4_dst_ops_template = { + .family = AF_INET, + .gc = xfrm4_garbage_collect, + .update_pmtu = xfrm4_update_pmtu, +@@ -250,7 +250,7 @@ static struct dst_ops xfrm4_dst_ops = { + + static struct xfrm_policy_afinfo xfrm4_policy_afinfo = { + .family = AF_INET, +- .dst_ops = &xfrm4_dst_ops, ++ .dst_ops = &xfrm4_dst_ops_template, + .dst_lookup = xfrm4_dst_lookup, + .get_saddr = xfrm4_get_saddr, + .decode_session = _decode_session4, +@@ -272,7 +272,7 @@ static struct ctl_table xfrm4_policy_table[] = { + { } + }; + +-static int __net_init xfrm4_net_init(struct net *net) ++static int __net_init xfrm4_net_sysctl_init(struct net *net) + { + struct ctl_table *table; + struct ctl_table_header *hdr; +@@ -300,7 +300,7 @@ err_alloc: + return -ENOMEM; + } + +-static void __net_exit xfrm4_net_exit(struct net *net) ++static void __net_exit xfrm4_net_sysctl_exit(struct net *net) + { + struct ctl_table *table; + +@@ -312,12 +312,44 @@ static void __net_exit xfrm4_net_exit(struct net *net) + if (!net_eq(net, &init_net)) + kfree(table); + } ++#else /* CONFIG_SYSCTL */ ++static int inline xfrm4_net_sysctl_init(struct net *net) ++{ ++ return 0; ++} ++ ++static void inline xfrm4_net_sysctl_exit(struct net *net) ++{ ++} ++#endif ++ ++static int __net_init xfrm4_net_init(struct net *net) ++{ ++ int ret; ++ ++ memcpy(&net->xfrm.xfrm4_dst_ops, &xfrm4_dst_ops_template, ++ sizeof(xfrm4_dst_ops_template)); ++ ret = dst_entries_init(&net->xfrm.xfrm4_dst_ops); ++ if (ret) ++ return ret; ++ ++ ret = xfrm4_net_sysctl_init(net); ++ if (ret) ++ dst_entries_destroy(&net->xfrm.xfrm4_dst_ops); ++ ++ return ret; ++} ++ ++static void __net_exit xfrm4_net_exit(struct net *net) ++{ ++ xfrm4_net_sysctl_exit(net); ++ dst_entries_destroy(&net->xfrm.xfrm4_dst_ops); ++} + + static struct pernet_operations __net_initdata xfrm4_net_ops = { + .init = xfrm4_net_init, + .exit = xfrm4_net_exit, + }; +-#endif + + static void __init xfrm4_policy_init(void) + { +@@ -326,13 +358,9 @@ static void __init xfrm4_policy_init(void) + + void __init xfrm4_init(void) + { +- dst_entries_init(&xfrm4_dst_ops); +- + xfrm4_state_init(); + xfrm4_policy_init(); + xfrm4_protocol_init(); +-#ifdef CONFIG_SYSCTL + register_pernet_subsys(&xfrm4_net_ops); +-#endif + } + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index ddd351145dea..5462bfdbd2e7 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5349,13 +5349,10 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write, + goto out; + } + +- if (!write) { +- err = snprintf(str, sizeof(str), "%pI6", +- &secret->secret); +- if (err >= sizeof(str)) { +- err = -EIO; +- goto out; +- } ++ err = snprintf(str, sizeof(str), "%pI6", &secret->secret); ++ if (err >= sizeof(str)) { ++ err = -EIO; ++ goto out; + } + + err = proc_dostring(&lctl, write, buffer, lenp, ppos); +diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c +index 882124ebb438..a8f6986dcbe5 100644 +--- a/net/ipv6/addrlabel.c ++++ b/net/ipv6/addrlabel.c +@@ -552,7 +552,7 @@ static int ip6addrlbl_get(struct sk_buff *in_skb, struct nlmsghdr *nlh) + + rcu_read_lock(); + p = __ipv6_addr_label(net, addr, ipv6_addr_type(addr), ifal->ifal_index); +- if (p && ip6addrlbl_hold(p)) ++ if (p && !ip6addrlbl_hold(p)) + p = NULL; + lseq = ip6addrlbl_table.seq; + rcu_read_unlock(); +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index f84ec4e9b2de..fb7973a6e9c1 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1345,7 +1345,7 @@ emsgsize: + (skb && skb_is_gso(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && +- (sk->sk_type == SOCK_DGRAM)) { ++ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) { + err = ip6_ufo_append_data(sk, queue, getfrag, from, length, + hh_len, fragheaderlen, + transhdrlen, mtu, flags, fl6); +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 8935dc173e65..a71fb262ea3f 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -462,8 +462,10 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst, + fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts)); + + skb_set_queue_mapping(skb, queue_mapping); ++ rcu_read_lock(); + err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), + np->tclass); ++ rcu_read_unlock(); + err = net_xmit_eval(err); + } + +diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c +index f7fbdbabe50e..372855eeaf42 100644 +--- a/net/ipv6/xfrm6_mode_tunnel.c ++++ b/net/ipv6/xfrm6_mode_tunnel.c +@@ -23,7 +23,7 @@ static inline void ipip6_ecn_decapsulate(struct sk_buff *skb) + struct ipv6hdr *inner_iph = ipipv6_hdr(skb); + + if (INET_ECN_is_ce(XFRM_MODE_SKB_CB(skb)->tos)) +- IP6_ECN_set_ce(inner_iph); ++ IP6_ECN_set_ce(skb, inner_iph); + } + + /* Add encapsulation header. +diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c +index da55e0c85bb8..d51a18d607ac 100644 +--- a/net/ipv6/xfrm6_policy.c ++++ b/net/ipv6/xfrm6_policy.c +@@ -281,7 +281,7 @@ static void xfrm6_dst_ifdown(struct dst_entry *dst, struct net_device *dev, + xfrm_dst_ifdown(dst, dev); + } + +-static struct dst_ops xfrm6_dst_ops = { ++static struct dst_ops xfrm6_dst_ops_template = { + .family = AF_INET6, + .gc = xfrm6_garbage_collect, + .update_pmtu = xfrm6_update_pmtu, +@@ -295,7 +295,7 @@ static struct dst_ops xfrm6_dst_ops = { + + static struct xfrm_policy_afinfo xfrm6_policy_afinfo = { + .family = AF_INET6, +- .dst_ops = &xfrm6_dst_ops, ++ .dst_ops = &xfrm6_dst_ops_template, + .dst_lookup = xfrm6_dst_lookup, + .get_saddr = xfrm6_get_saddr, + .decode_session = _decode_session6, +@@ -327,7 +327,7 @@ static struct ctl_table xfrm6_policy_table[] = { + { } + }; + +-static int __net_init xfrm6_net_init(struct net *net) ++static int __net_init xfrm6_net_sysctl_init(struct net *net) + { + struct ctl_table *table; + struct ctl_table_header *hdr; +@@ -355,7 +355,7 @@ err_alloc: + return -ENOMEM; + } + +-static void __net_exit xfrm6_net_exit(struct net *net) ++static void __net_exit xfrm6_net_sysctl_exit(struct net *net) + { + struct ctl_table *table; + +@@ -367,24 +367,52 @@ static void __net_exit xfrm6_net_exit(struct net *net) + if (!net_eq(net, &init_net)) + kfree(table); + } ++#else /* CONFIG_SYSCTL */ ++static int inline xfrm6_net_sysctl_init(struct net *net) ++{ ++ return 0; ++} ++ ++static void inline xfrm6_net_sysctl_exit(struct net *net) ++{ ++} ++#endif ++ ++static int __net_init xfrm6_net_init(struct net *net) ++{ ++ int ret; ++ ++ memcpy(&net->xfrm.xfrm6_dst_ops, &xfrm6_dst_ops_template, ++ sizeof(xfrm6_dst_ops_template)); ++ ret = dst_entries_init(&net->xfrm.xfrm6_dst_ops); ++ if (ret) ++ return ret; ++ ++ ret = xfrm6_net_sysctl_init(net); ++ if (ret) ++ dst_entries_destroy(&net->xfrm.xfrm6_dst_ops); ++ ++ return ret; ++} ++ ++static void __net_exit xfrm6_net_exit(struct net *net) ++{ ++ xfrm6_net_sysctl_exit(net); ++ dst_entries_destroy(&net->xfrm.xfrm6_dst_ops); ++} + + static struct pernet_operations xfrm6_net_ops = { + .init = xfrm6_net_init, + .exit = xfrm6_net_exit, + }; +-#endif + + int __init xfrm6_init(void) + { + int ret; + +- dst_entries_init(&xfrm6_dst_ops); +- + ret = xfrm6_policy_init(); +- if (ret) { +- dst_entries_destroy(&xfrm6_dst_ops); ++ if (ret) + goto out; +- } + ret = xfrm6_state_init(); + if (ret) + goto out_policy; +@@ -393,9 +421,7 @@ int __init xfrm6_init(void) + if (ret) + goto out_state; + +-#ifdef CONFIG_SYSCTL + register_pernet_subsys(&xfrm6_net_ops); +-#endif + out: + return ret; + out_state: +@@ -407,11 +433,8 @@ out_policy: + + void xfrm6_fini(void) + { +-#ifdef CONFIG_SYSCTL + unregister_pernet_subsys(&xfrm6_net_ops); +-#endif + xfrm6_protocol_fini(); + xfrm6_policy_fini(); + xfrm6_state_fini(); +- dst_entries_destroy(&xfrm6_dst_ops); + } +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index c5d08ee37730..6e9a2220939d 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -337,12 +337,10 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb, + unsigned short gso_type = skb_shinfo(skb)->gso_type; + struct sw_flow_key later_key; + struct sk_buff *segs, *nskb; +- struct ovs_skb_cb ovs_cb; + int err; + +- ovs_cb = *OVS_CB(skb); ++ BUILD_BUG_ON(sizeof(*OVS_CB(skb)) > SKB_SGO_CB_OFFSET); + segs = __skb_gso_segment(skb, NETIF_F_SG, false); +- *OVS_CB(skb) = ovs_cb; + if (IS_ERR(segs)) + return PTR_ERR(segs); + if (segs == NULL) +@@ -360,7 +358,6 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb, + /* Queue all of the segments. */ + skb = segs; + do { +- *OVS_CB(skb) = ovs_cb; + if (gso_type & SKB_GSO_UDP && skb != segs) + key = &later_key; + +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 38536c137c54..45635118cc86 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -2382,7 +2382,9 @@ static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb) + if (!start) + return -EMSGSIZE; + +- err = ovs_nla_put_tunnel_info(skb, tun_info); ++ err = ipv4_tun_to_nlattr(skb, &tun_info->key, ++ ip_tunnel_info_opts(tun_info), ++ tun_info->options_len); + if (err) + return err; + nla_nest_end(skb, start); +diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c +index 10d42f3220ab..f925753668a7 100644 +--- a/net/phonet/af_phonet.c ++++ b/net/phonet/af_phonet.c +@@ -377,6 +377,10 @@ static int phonet_rcv(struct sk_buff *skb, struct net_device *dev, + struct sockaddr_pn sa; + u16 len; + ++ skb = skb_share_check(skb, GFP_ATOMIC); ++ if (!skb) ++ return NET_RX_DROP; ++ + /* check we have at least a full Phonet header */ + if (!pskb_pull(skb, sizeof(struct phonethdr))) + goto out; +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 57692947ebbe..95b021243233 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -252,23 +252,28 @@ static int fl_set_key(struct net *net, struct nlattr **tb, + fl_set_key_val(tb, key->eth.src, TCA_FLOWER_KEY_ETH_SRC, + mask->eth.src, TCA_FLOWER_KEY_ETH_SRC_MASK, + sizeof(key->eth.src)); ++ + fl_set_key_val(tb, &key->basic.n_proto, TCA_FLOWER_KEY_ETH_TYPE, + &mask->basic.n_proto, TCA_FLOWER_UNSPEC, + sizeof(key->basic.n_proto)); ++ + if (key->basic.n_proto == htons(ETH_P_IP) || + key->basic.n_proto == htons(ETH_P_IPV6)) { + fl_set_key_val(tb, &key->basic.ip_proto, TCA_FLOWER_KEY_IP_PROTO, + &mask->basic.ip_proto, TCA_FLOWER_UNSPEC, + sizeof(key->basic.ip_proto)); + } +- if (key->control.addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS) { ++ ++ if (tb[TCA_FLOWER_KEY_IPV4_SRC] || tb[TCA_FLOWER_KEY_IPV4_DST]) { ++ key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS; + fl_set_key_val(tb, &key->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC, + &mask->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC_MASK, + sizeof(key->ipv4.src)); + fl_set_key_val(tb, &key->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST, + &mask->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST_MASK, + sizeof(key->ipv4.dst)); +- } else if (key->control.addr_type == FLOW_DISSECTOR_KEY_IPV6_ADDRS) { ++ } else if (tb[TCA_FLOWER_KEY_IPV6_SRC] || tb[TCA_FLOWER_KEY_IPV6_DST]) { ++ key->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; + fl_set_key_val(tb, &key->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC, + &mask->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC_MASK, + sizeof(key->ipv6.src)); +@@ -276,6 +281,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb, + &mask->ipv6.dst, TCA_FLOWER_KEY_IPV6_DST_MASK, + sizeof(key->ipv6.dst)); + } ++ + if (key->basic.ip_proto == IPPROTO_TCP) { + fl_set_key_val(tb, &key->tp.src, TCA_FLOWER_KEY_TCP_SRC, + &mask->tp.src, TCA_FLOWER_UNSPEC, +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index e82a1ad80aa5..16bc83b2842a 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -658,8 +658,10 @@ static void qdisc_rcu_free(struct rcu_head *head) + { + struct Qdisc *qdisc = container_of(head, struct Qdisc, rcu_head); + +- if (qdisc_is_percpu_stats(qdisc)) ++ if (qdisc_is_percpu_stats(qdisc)) { + free_percpu(qdisc->cpu_bstats); ++ free_percpu(qdisc->cpu_qstats); ++ } + + kfree((char *) qdisc - qdisc->padded); + } +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index d7eaa7354cf7..c89586e2bacb 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -4829,7 +4829,8 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort( + + retval = SCTP_DISPOSITION_CONSUME; + +- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); ++ if (abort) ++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); + + /* Even if we can't send the ABORT due to low memory delete the + * TCB. This is a departure from our typical NOMEM handling. +@@ -4966,7 +4967,8 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort( + SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); + retval = SCTP_DISPOSITION_CONSUME; + +- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); ++ if (abort) ++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); + + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, + SCTP_STATE(SCTP_STATE_CLOSED)); +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 84b1b504538a..9dee804b35cd 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1513,8 +1513,7 @@ static void sctp_close(struct sock *sk, long timeout) + struct sctp_chunk *chunk; + + chunk = sctp_make_abort_user(asoc, NULL, 0); +- if (chunk) +- sctp_primitive_ABORT(net, asoc, chunk); ++ sctp_primitive_ABORT(net, asoc, chunk); + } else + sctp_primitive_SHUTDOWN(net, asoc, NULL); + } +diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c +index 26d50c565f54..3e0fc5127225 100644 +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -320,7 +320,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, + struct ctl_table tbl; + bool changed = false; + char *none = "none"; +- char tmp[8]; ++ char tmp[8] = {0}; + int ret; + + memset(&tbl, 0, sizeof(struct ctl_table)); +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 0fc6dbaed39c..7926de14e930 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -952,32 +952,20 @@ fail: + return NULL; + } + +-static int unix_mknod(const char *sun_path, umode_t mode, struct path *res) ++static int unix_mknod(struct dentry *dentry, struct path *path, umode_t mode, ++ struct path *res) + { +- struct dentry *dentry; +- struct path path; +- int err = 0; +- /* +- * Get the parent directory, calculate the hash for last +- * component. +- */ +- dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); +- err = PTR_ERR(dentry); +- if (IS_ERR(dentry)) +- return err; ++ int err; + +- /* +- * All right, let's create it. +- */ +- err = security_path_mknod(&path, dentry, mode, 0); ++ err = security_path_mknod(path, dentry, mode, 0); + if (!err) { +- err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0); ++ err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0); + if (!err) { +- res->mnt = mntget(path.mnt); ++ res->mnt = mntget(path->mnt); + res->dentry = dget(dentry); + } + } +- done_path_create(&path, dentry); ++ + return err; + } + +@@ -988,10 +976,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + struct unix_sock *u = unix_sk(sk); + struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr; + char *sun_path = sunaddr->sun_path; +- int err; ++ int err, name_err; + unsigned int hash; + struct unix_address *addr; + struct hlist_head *list; ++ struct path path; ++ struct dentry *dentry; + + err = -EINVAL; + if (sunaddr->sun_family != AF_UNIX) +@@ -1007,14 +997,34 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + goto out; + addr_len = err; + ++ name_err = 0; ++ dentry = NULL; ++ if (sun_path[0]) { ++ /* Get the parent directory, calculate the hash for last ++ * component. ++ */ ++ dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); ++ ++ if (IS_ERR(dentry)) { ++ /* delay report until after 'already bound' check */ ++ name_err = PTR_ERR(dentry); ++ dentry = NULL; ++ } ++ } ++ + err = mutex_lock_interruptible(&u->readlock); + if (err) +- goto out; ++ goto out_path; + + err = -EINVAL; + if (u->addr) + goto out_up; + ++ if (name_err) { ++ err = name_err == -EEXIST ? -EADDRINUSE : name_err; ++ goto out_up; ++ } ++ + err = -ENOMEM; + addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL); + if (!addr) +@@ -1025,11 +1035,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + addr->hash = hash ^ sk->sk_type; + atomic_set(&addr->refcnt, 1); + +- if (sun_path[0]) { +- struct path path; ++ if (dentry) { ++ struct path u_path; + umode_t mode = S_IFSOCK | + (SOCK_INODE(sock)->i_mode & ~current_umask()); +- err = unix_mknod(sun_path, mode, &path); ++ err = unix_mknod(dentry, &path, mode, &u_path); + if (err) { + if (err == -EEXIST) + err = -EADDRINUSE; +@@ -1037,9 +1047,9 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) + goto out_up; + } + addr->hash = UNIX_HASH_SIZE; +- hash = d_backing_inode(path.dentry)->i_ino & (UNIX_HASH_SIZE-1); ++ hash = d_backing_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1); + spin_lock(&unix_table_lock); +- u->path = path; ++ u->path = u_path; + list = &unix_socket_table[hash]; + } else { + spin_lock(&unix_table_lock); +@@ -1062,6 +1072,10 @@ out_unlock: + spin_unlock(&unix_table_lock); + out_up: + mutex_unlock(&u->readlock); ++out_path: ++ if (dentry) ++ done_path_create(&path, dentry); ++ + out: + return err; + } +@@ -1498,6 +1512,21 @@ static void unix_destruct_scm(struct sk_buff *skb) + sock_wfree(skb); + } + ++/* ++ * The "user->unix_inflight" variable is protected by the garbage ++ * collection lock, and we just read it locklessly here. If you go ++ * over the limit, there might be a tiny race in actually noticing ++ * it across threads. Tough. ++ */ ++static inline bool too_many_unix_fds(struct task_struct *p) ++{ ++ struct user_struct *user = current_user(); ++ ++ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) ++ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); ++ return false; ++} ++ + #define MAX_RECURSION_LEVEL 4 + + static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) +@@ -1506,6 +1535,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + unsigned char max_level = 0; + int unix_sock_count = 0; + ++ if (too_many_unix_fds(current)) ++ return -ETOOMANYREFS; ++ + for (i = scm->fp->count - 1; i >= 0; i--) { + struct sock *sk = unix_get_socket(scm->fp->fp[i]); + +@@ -1527,10 +1559,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) + if (!UNIXCB(skb).fp) + return -ENOMEM; + +- if (unix_sock_count) { +- for (i = scm->fp->count - 1; i >= 0; i--) +- unix_inflight(scm->fp->fp[i]); +- } ++ for (i = scm->fp->count - 1; i >= 0; i--) ++ unix_inflight(scm->fp->fp[i]); + return max_level; + } + +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index a73a226f2d33..8fcdc2283af5 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp) + { + struct sock *s = unix_get_socket(fp); + ++ spin_lock(&unix_gc_lock); ++ + if (s) { + struct unix_sock *u = unix_sk(s); + +- spin_lock(&unix_gc_lock); +- + if (atomic_long_inc_return(&u->inflight) == 1) { + BUG_ON(!list_empty(&u->link)); + list_add_tail(&u->link, &gc_inflight_list); +@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp) + BUG_ON(list_empty(&u->link)); + } + unix_tot_inflight++; +- spin_unlock(&unix_gc_lock); + } ++ fp->f_cred->user->unix_inflight++; ++ spin_unlock(&unix_gc_lock); + } + + void unix_notinflight(struct file *fp) + { + struct sock *s = unix_get_socket(fp); + ++ spin_lock(&unix_gc_lock); ++ + if (s) { + struct unix_sock *u = unix_sk(s); + +- spin_lock(&unix_gc_lock); + BUG_ON(list_empty(&u->link)); + + if (atomic_long_dec_and_test(&u->inflight)) + list_del_init(&u->link); + unix_tot_inflight--; +- spin_unlock(&unix_gc_lock); + } ++ fp->f_cred->user->unix_inflight--; ++ spin_unlock(&unix_gc_lock); + } + + static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c +index 68ada2ca4b60..443f78c33de2 100644 +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -165,6 +165,8 @@ static int xfrm_output_gso(struct sock *sk, struct sk_buff *skb) + { + struct sk_buff *segs; + ++ BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_SGO_CB_OFFSET); ++ BUILD_BUG_ON(sizeof(*IP6CB(skb)) > SKB_SGO_CB_OFFSET); + segs = skb_gso_segment(skb, 0); + kfree_skb(skb); + if (IS_ERR(segs)) +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c +index 94af3d065785..bacd30bda10d 100644 +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -2807,7 +2807,6 @@ static struct neighbour *xfrm_neigh_lookup(const struct dst_entry *dst, + + int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) + { +- struct net *net; + int err = 0; + if (unlikely(afinfo == NULL)) + return -EINVAL; +@@ -2838,26 +2837,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo) + } + spin_unlock(&xfrm_policy_afinfo_lock); + +- rtnl_lock(); +- for_each_net(net) { +- struct dst_ops *xfrm_dst_ops; +- +- switch (afinfo->family) { +- case AF_INET: +- xfrm_dst_ops = &net->xfrm.xfrm4_dst_ops; +- break; +-#if IS_ENABLED(CONFIG_IPV6) +- case AF_INET6: +- xfrm_dst_ops = &net->xfrm.xfrm6_dst_ops; +- break; +-#endif +- default: +- BUG(); +- } +- *xfrm_dst_ops = *afinfo->dst_ops; +- } +- rtnl_unlock(); +- + return err; + } + EXPORT_SYMBOL(xfrm_policy_register_afinfo); +@@ -2893,22 +2872,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo) + } + EXPORT_SYMBOL(xfrm_policy_unregister_afinfo); + +-static void __net_init xfrm_dst_ops_init(struct net *net) +-{ +- struct xfrm_policy_afinfo *afinfo; +- +- rcu_read_lock(); +- afinfo = rcu_dereference(xfrm_policy_afinfo[AF_INET]); +- if (afinfo) +- net->xfrm.xfrm4_dst_ops = *afinfo->dst_ops; +-#if IS_ENABLED(CONFIG_IPV6) +- afinfo = rcu_dereference(xfrm_policy_afinfo[AF_INET6]); +- if (afinfo) +- net->xfrm.xfrm6_dst_ops = *afinfo->dst_ops; +-#endif +- rcu_read_unlock(); +-} +- + static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); +@@ -3057,7 +3020,6 @@ static int __net_init xfrm_net_init(struct net *net) + rv = xfrm_policy_init(net); + if (rv < 0) + goto out_policy; +- xfrm_dst_ops_init(net); + rv = xfrm_sysctl_init(net); + if (rv < 0) + goto out_sysctl; +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c +index 3d1984e59a30..e00bcd129336 100644 +--- a/scripts/recordmcount.c ++++ b/scripts/recordmcount.c +@@ -42,6 +42,7 @@ + + #ifndef EM_AARCH64 + #define EM_AARCH64 183 ++#define R_AARCH64_NONE 0 + #define R_AARCH64_ABS64 257 + #endif + +@@ -160,6 +161,22 @@ static int make_nop_x86(void *map, size_t const offset) + return 0; + } + ++static unsigned char ideal_nop4_arm64[4] = {0x1f, 0x20, 0x03, 0xd5}; ++static int make_nop_arm64(void *map, size_t const offset) ++{ ++ uint32_t *ptr; ++ ++ ptr = map + offset; ++ /* bl <_mcount> is 0x94000000 before relocation */ ++ if (*ptr != 0x94000000) ++ return -1; ++ ++ /* Convert to nop */ ++ ulseek(fd_map, offset, SEEK_SET); ++ uwrite(fd_map, ideal_nop, 4); ++ return 0; ++} ++ + /* + * Get the whole file as a programming convenience in order to avoid + * malloc+lseek+read+free of many pieces. If successful, then mmap +@@ -353,7 +370,12 @@ do_file(char const *const fname) + altmcount = "__gnu_mcount_nc"; + break; + case EM_AARCH64: +- reltype = R_AARCH64_ABS64; gpfx = '_'; break; ++ reltype = R_AARCH64_ABS64; ++ make_nop = make_nop_arm64; ++ rel_type_nop = R_AARCH64_NONE; ++ ideal_nop = ideal_nop4_arm64; ++ gpfx = '_'; ++ break; + case EM_IA_64: reltype = R_IA64_IMM64; gpfx = '_'; break; + case EM_METAG: reltype = R_METAG_ADDR32; + altmcount = "_mcount_wrapper"; +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h +index 49b582a225b0..b9897e2be404 100644 +--- a/scripts/recordmcount.h ++++ b/scripts/recordmcount.h +@@ -377,7 +377,7 @@ static void nop_mcount(Elf_Shdr const *const relhdr, + + if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) { + if (make_nop) +- ret = make_nop((void *)ehdr, shdr->sh_offset + relp->r_offset); ++ ret = make_nop((void *)ehdr, _w(shdr->sh_offset) + _w(relp->r_offset)); + if (warn_on_notrace_sect && !once) { + printf("Section %s has mcount callers being ignored\n", + txtname); +diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl +index 826470d7f000..96e2486a6fc4 100755 +--- a/scripts/recordmcount.pl ++++ b/scripts/recordmcount.pl +@@ -263,7 +263,8 @@ if ($arch eq "x86_64") { + + } elsif ($arch eq "powerpc") { + $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\.?\\S+)"; +- $function_regex = "^([0-9a-fA-F]+)\\s+<(\\.?.*?)>:"; ++ # See comment in the sparc64 section for why we use '\w'. ++ $function_regex = "^([0-9a-fA-F]+)\\s+<(\\.?\\w*?)>:"; + $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s\\.?_mcount\$"; + + if ($bits == 64) { +diff --git a/sound/core/control.c b/sound/core/control.c +index 196a6fe100ca..a85d45595d02 100644 +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file, + return -EFAULT; + if (tlv.length < sizeof(unsigned int) * 2) + return -EINVAL; ++ if (!tlv.numid) ++ return -EINVAL; + down_read(&card->controls_rwsem); + kctl = snd_ctl_find_numid(card, tlv.numid); + if (kctl == NULL) { +diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c +index f845ecf7e172..656d9a9032dc 100644 +--- a/sound/core/hrtimer.c ++++ b/sound/core/hrtimer.c +@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t) + struct snd_hrtimer *stime = t->private_data; + + atomic_set(&stime->running, 0); +- hrtimer_cancel(&stime->hrt); ++ hrtimer_try_to_cancel(&stime->hrt); + hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution), + HRTIMER_MODE_REL); + atomic_set(&stime->running, 1); +@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t) + { + struct snd_hrtimer *stime = t->private_data; + atomic_set(&stime->running, 0); ++ hrtimer_try_to_cancel(&stime->hrt); + return 0; + } + +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c +index b48b434444ed..9630e9f72b7b 100644 +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -255,10 +255,15 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream, + if (! (runtime = substream->runtime)) + return -ENOTTY; + +- /* only fifo_size is different, so just copy all */ +- data = memdup_user(data32, sizeof(*data32)); +- if (IS_ERR(data)) +- return PTR_ERR(data); ++ data = kmalloc(sizeof(*data), GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ ++ /* only fifo_size (RO from userspace) is different, so just copy all */ ++ if (copy_from_user(data, data32, sizeof(*data32))) { ++ err = -EFAULT; ++ goto error; ++ } + + if (refine) + err = snd_pcm_hw_refine(substream, data); +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c +index b64f20deba90..13cfa815732d 100644 +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client, + * No restrictions so for a user client we can clear + * the whole fifo + */ +- if (client->type == USER_CLIENT) ++ if (client->type == USER_CLIENT && client->data.user.fifo) + snd_seq_fifo_clear(client->data.user.fifo); + } + +diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c +index 81f7c109dc46..65175902a68a 100644 +--- a/sound/core/seq/seq_compat.c ++++ b/sound/core/seq/seq_compat.c +@@ -49,11 +49,12 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned + struct snd_seq_port_info *data; + mm_segment_t fs; + +- data = memdup_user(data32, sizeof(*data32)); +- if (IS_ERR(data)) +- return PTR_ERR(data); ++ data = kmalloc(sizeof(*data), GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; + +- if (get_user(data->flags, &data32->flags) || ++ if (copy_from_user(data, data32, sizeof(*data32)) || ++ get_user(data->flags, &data32->flags) || + get_user(data->time_queue, &data32->time_queue)) + goto error; + data->kernel = NULL; +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c +index 7dfd0f429410..0bec02e89d51 100644 +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked) + static void queue_delete(struct snd_seq_queue *q) + { + /* stop and release the timer */ ++ mutex_lock(&q->timer_mutex); + snd_seq_timer_stop(q->timer); + snd_seq_timer_close(q); ++ mutex_unlock(&q->timer_mutex); + /* wait until access free */ + snd_use_lock_sync(&q->use_lock); + /* release resources... */ +diff --git a/sound/core/timer.c b/sound/core/timer.c +index 31f40f03e5b7..0a049c4578f1 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -65,6 +65,7 @@ struct snd_timer_user { + int qtail; + int qused; + int queue_size; ++ bool disconnected; + struct snd_timer_read *queue; + struct snd_timer_tread *tqueue; + spinlock_t qlock; +@@ -73,7 +74,7 @@ struct snd_timer_user { + struct timespec tstamp; /* trigger tstamp */ + wait_queue_head_t qchange_sleep; + struct fasync_struct *fasync; +- struct mutex tread_sem; ++ struct mutex ioctl_lock; + }; + + /* list of timers */ +@@ -215,11 +216,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master) + slave->slave_id == master->slave_id) { + list_move_tail(&slave->open_list, &master->slave_list_head); + spin_lock_irq(&slave_active_lock); ++ spin_lock(&master->timer->lock); + slave->master = master; + slave->timer = master->timer; + if (slave->flags & SNDRV_TIMER_IFLG_RUNNING) + list_add_tail(&slave->active_list, + &master->slave_active_head); ++ spin_unlock(&master->timer->lock); + spin_unlock_irq(&slave_active_lock); + } + } +@@ -288,6 +291,9 @@ int snd_timer_open(struct snd_timer_instance **ti, + mutex_unlock(®ister_mutex); + return -ENOMEM; + } ++ /* take a card refcount for safe disconnection */ ++ if (timer->card) ++ get_device(&timer->card->card_dev); + timeri->slave_class = tid->dev_sclass; + timeri->slave_id = slave_id; + if (list_empty(&timer->open_list_head) && timer->hw.open) +@@ -346,15 +352,21 @@ int snd_timer_close(struct snd_timer_instance *timeri) + timer->hw.close) + timer->hw.close(timer); + /* remove slave links */ ++ spin_lock_irq(&slave_active_lock); ++ spin_lock(&timer->lock); + list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head, + open_list) { +- spin_lock_irq(&slave_active_lock); +- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION); + list_move_tail(&slave->open_list, &snd_timer_slave_list); + slave->master = NULL; + slave->timer = NULL; +- spin_unlock_irq(&slave_active_lock); ++ list_del_init(&slave->ack_list); ++ list_del_init(&slave->active_list); + } ++ spin_unlock(&timer->lock); ++ spin_unlock_irq(&slave_active_lock); ++ /* release a card refcount for safe disconnection */ ++ if (timer->card) ++ put_device(&timer->card->card_dev); + mutex_unlock(®ister_mutex); + } + out: +@@ -441,9 +453,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri) + + spin_lock_irqsave(&slave_active_lock, flags); + timeri->flags |= SNDRV_TIMER_IFLG_RUNNING; +- if (timeri->master) ++ if (timeri->master && timeri->timer) { ++ spin_lock(&timeri->timer->lock); + list_add_tail(&timeri->active_list, + &timeri->master->slave_active_head); ++ spin_unlock(&timeri->timer->lock); ++ } + spin_unlock_irqrestore(&slave_active_lock, flags); + return 1; /* delayed start */ + } +@@ -467,6 +482,8 @@ int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks) + timer = timeri->timer; + if (timer == NULL) + return -EINVAL; ++ if (timer->card && timer->card->shutdown) ++ return -ENODEV; + spin_lock_irqsave(&timer->lock, flags); + timeri->ticks = timeri->cticks = ticks; + timeri->pticks = 0; +@@ -489,6 +506,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, + if (!keep_flag) { + spin_lock_irqsave(&slave_active_lock, flags); + timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING; ++ list_del_init(&timeri->ack_list); ++ list_del_init(&timeri->active_list); + spin_unlock_irqrestore(&slave_active_lock, flags); + } + goto __end; +@@ -499,6 +518,10 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri, + spin_lock_irqsave(&timer->lock, flags); + list_del_init(&timeri->ack_list); + list_del_init(&timeri->active_list); ++ if (timer->card && timer->card->shutdown) { ++ spin_unlock_irqrestore(&timer->lock, flags); ++ return 0; ++ } + if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) && + !(--timer->running)) { + timer->hw.stop(timer); +@@ -561,6 +584,8 @@ int snd_timer_continue(struct snd_timer_instance *timeri) + timer = timeri->timer; + if (! timer) + return -EINVAL; ++ if (timer->card && timer->card->shutdown) ++ return -ENODEV; + spin_lock_irqsave(&timer->lock, flags); + if (!timeri->cticks) + timeri->cticks = 1; +@@ -624,6 +649,9 @@ static void snd_timer_tasklet(unsigned long arg) + unsigned long resolution, ticks; + unsigned long flags; + ++ if (timer->card && timer->card->shutdown) ++ return; ++ + spin_lock_irqsave(&timer->lock, flags); + /* now process all callbacks */ + while (!list_empty(&timer->sack_list_head)) { +@@ -664,6 +692,9 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left) + if (timer == NULL) + return; + ++ if (timer->card && timer->card->shutdown) ++ return; ++ + spin_lock_irqsave(&timer->lock, flags); + + /* remember the current resolution */ +@@ -694,7 +725,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left) + } else { + ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING; + if (--timer->running) +- list_del(&ti->active_list); ++ list_del_init(&ti->active_list); + } + if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) || + (ti->flags & SNDRV_TIMER_IFLG_FAST)) +@@ -874,11 +905,28 @@ static int snd_timer_dev_register(struct snd_device *dev) + return 0; + } + ++/* just for reference in snd_timer_dev_disconnect() below */ ++static void snd_timer_user_ccallback(struct snd_timer_instance *timeri, ++ int event, struct timespec *tstamp, ++ unsigned long resolution); ++ + static int snd_timer_dev_disconnect(struct snd_device *device) + { + struct snd_timer *timer = device->device_data; ++ struct snd_timer_instance *ti; ++ + mutex_lock(®ister_mutex); + list_del_init(&timer->device_list); ++ /* wake up pending sleepers */ ++ list_for_each_entry(ti, &timer->open_list_head, open_list) { ++ /* FIXME: better to have a ti.disconnect() op */ ++ if (ti->ccallback == snd_timer_user_ccallback) { ++ struct snd_timer_user *tu = ti->callback_data; ++ ++ tu->disconnected = true; ++ wake_up(&tu->qchange_sleep); ++ } ++ } + mutex_unlock(®ister_mutex); + return 0; + } +@@ -889,6 +937,8 @@ void snd_timer_notify(struct snd_timer *timer, int event, struct timespec *tstam + unsigned long resolution = 0; + struct snd_timer_instance *ti, *ts; + ++ if (timer->card && timer->card->shutdown) ++ return; + if (! (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)) + return; + if (snd_BUG_ON(event < SNDRV_TIMER_EVENT_MSTART || +@@ -1047,6 +1097,8 @@ static void snd_timer_proc_read(struct snd_info_entry *entry, + + mutex_lock(®ister_mutex); + list_for_each_entry(timer, &snd_timer_list, device_list) { ++ if (timer->card && timer->card->shutdown) ++ continue; + switch (timer->tmr_class) { + case SNDRV_TIMER_CLASS_GLOBAL: + snd_iprintf(buffer, "G%i: ", timer->tmr_device); +@@ -1253,7 +1305,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file) + return -ENOMEM; + spin_lock_init(&tu->qlock); + init_waitqueue_head(&tu->qchange_sleep); +- mutex_init(&tu->tread_sem); ++ mutex_init(&tu->ioctl_lock); + tu->ticks = 1; + tu->queue_size = 128; + tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read), +@@ -1273,8 +1325,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file) + if (file->private_data) { + tu = file->private_data; + file->private_data = NULL; ++ mutex_lock(&tu->ioctl_lock); + if (tu->timeri) + snd_timer_close(tu->timeri); ++ mutex_unlock(&tu->ioctl_lock); + kfree(tu->queue); + kfree(tu->tqueue); + kfree(tu); +@@ -1512,7 +1566,6 @@ static int snd_timer_user_tselect(struct file *file, + int err = 0; + + tu = file->private_data; +- mutex_lock(&tu->tread_sem); + if (tu->timeri) { + snd_timer_close(tu->timeri); + tu->timeri = NULL; +@@ -1556,7 +1609,6 @@ static int snd_timer_user_tselect(struct file *file, + } + + __err: +- mutex_unlock(&tu->tread_sem); + return err; + } + +@@ -1769,7 +1821,7 @@ enum { + SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23), + }; + +-static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, ++static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) + { + struct snd_timer_user *tu; +@@ -1786,17 +1838,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, + { + int xarg; + +- mutex_lock(&tu->tread_sem); +- if (tu->timeri) { /* too late */ +- mutex_unlock(&tu->tread_sem); ++ if (tu->timeri) /* too late */ + return -EBUSY; +- } +- if (get_user(xarg, p)) { +- mutex_unlock(&tu->tread_sem); ++ if (get_user(xarg, p)) + return -EFAULT; +- } + tu->tread = xarg ? 1 : 0; +- mutex_unlock(&tu->tread_sem); + return 0; + } + case SNDRV_TIMER_IOCTL_GINFO: +@@ -1829,6 +1875,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, + return -ENOTTY; + } + ++static long snd_timer_user_ioctl(struct file *file, unsigned int cmd, ++ unsigned long arg) ++{ ++ struct snd_timer_user *tu = file->private_data; ++ long ret; ++ ++ mutex_lock(&tu->ioctl_lock); ++ ret = __snd_timer_user_ioctl(file, cmd, arg); ++ mutex_unlock(&tu->ioctl_lock); ++ return ret; ++} ++ + static int snd_timer_user_fasync(int fd, struct file * file, int on) + { + struct snd_timer_user *tu; +@@ -1866,6 +1924,10 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer, + + remove_wait_queue(&tu->qchange_sleep, &wait); + ++ if (tu->disconnected) { ++ err = -ENODEV; ++ break; ++ } + if (signal_pending(current)) { + err = -ERESTARTSYS; + break; +@@ -1915,6 +1977,8 @@ static unsigned int snd_timer_user_poll(struct file *file, poll_table * wait) + mask = 0; + if (tu->qused) + mask |= POLLIN | POLLRDNORM; ++ if (tu->disconnected) ++ mask |= POLLERR; + + return mask; + } +diff --git a/sound/firewire/bebob/Makefile b/sound/firewire/bebob/Makefile +index 6cf470c80d1f..af7ed6643266 100644 +--- a/sound/firewire/bebob/Makefile ++++ b/sound/firewire/bebob/Makefile +@@ -1,4 +1,4 @@ + snd-bebob-objs := bebob_command.o bebob_stream.o bebob_proc.o bebob_midi.o \ + bebob_pcm.o bebob_hwdep.o bebob_terratec.o bebob_yamaha.o \ + bebob_focusrite.o bebob_maudio.o bebob.o +-obj-m += snd-bebob.o ++obj-$(CONFIG_SND_BEBOB) += snd-bebob.o +diff --git a/sound/firewire/dice/Makefile b/sound/firewire/dice/Makefile +index 9ef228ef7baf..55b4be9b0034 100644 +--- a/sound/firewire/dice/Makefile ++++ b/sound/firewire/dice/Makefile +@@ -1,3 +1,3 @@ + snd-dice-objs := dice-transaction.o dice-stream.o dice-proc.o dice-midi.o \ + dice-pcm.o dice-hwdep.o dice.o +-obj-m += snd-dice.o ++obj-$(CONFIG_SND_DICE) += snd-dice.o +diff --git a/sound/firewire/fireworks/Makefile b/sound/firewire/fireworks/Makefile +index 0c7440826db8..15ef7f75a8ef 100644 +--- a/sound/firewire/fireworks/Makefile ++++ b/sound/firewire/fireworks/Makefile +@@ -1,4 +1,4 @@ + snd-fireworks-objs := fireworks_transaction.o fireworks_command.o \ + fireworks_stream.o fireworks_proc.o fireworks_midi.o \ + fireworks_pcm.o fireworks_hwdep.o fireworks.o +-obj-m += snd-fireworks.o ++obj-$(CONFIG_SND_FIREWORKS) += snd-fireworks.o +diff --git a/sound/firewire/oxfw/Makefile b/sound/firewire/oxfw/Makefile +index a926850864f6..06ff50f4e6c0 100644 +--- a/sound/firewire/oxfw/Makefile ++++ b/sound/firewire/oxfw/Makefile +@@ -1,3 +1,3 @@ + snd-oxfw-objs := oxfw-command.o oxfw-stream.o oxfw-control.o oxfw-pcm.o \ + oxfw-proc.o oxfw-midi.o oxfw-hwdep.o oxfw.o +-obj-m += snd-oxfw.o ++obj-$(CONFIG_SND_OXFW) += snd-oxfw.o +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c +index 944455997fdc..4013af376327 100644 +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1059,6 +1059,9 @@ int azx_bus_init(struct azx *chip, const char *model, + bus->needs_damn_long_delay = 1; + } + ++ if (chip->driver_caps & AZX_DCAPS_4K_BDLE_BOUNDARY) ++ bus->core.align_bdle_4k = true; ++ + /* AMD chipsets often cause the communication stalls upon certain + * sequence like the pin-detection. It seems that forcing the synced + * access works around the stall. Grrr... +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index c38c68f57938..e61fbf4270e1 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -334,6 +334,7 @@ enum { + + #define AZX_DCAPS_PRESET_CTHDA \ + (AZX_DCAPS_NO_MSI | AZX_DCAPS_POSFIX_LPIB |\ ++ AZX_DCAPS_NO_64BIT |\ + AZX_DCAPS_4K_BDLE_BOUNDARY | AZX_DCAPS_SNOOP_OFF) + + /* +@@ -926,6 +927,36 @@ static int azx_resume(struct device *dev) + } + #endif /* CONFIG_PM_SLEEP || SUPPORT_VGA_SWITCHEROO */ + ++#ifdef CONFIG_PM_SLEEP ++/* put codec down to D3 at hibernation for Intel SKL+; ++ * otherwise BIOS may still access the codec and screw up the driver ++ */ ++#define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170) ++#define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70) ++#define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98) ++#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci)) ++ ++static int azx_freeze_noirq(struct device *dev) ++{ ++ struct pci_dev *pci = to_pci_dev(dev); ++ ++ if (IS_SKL_PLUS(pci)) ++ pci_set_power_state(pci, PCI_D3hot); ++ ++ return 0; ++} ++ ++static int azx_thaw_noirq(struct device *dev) ++{ ++ struct pci_dev *pci = to_pci_dev(dev); ++ ++ if (IS_SKL_PLUS(pci)) ++ pci_set_power_state(pci, PCI_D0); ++ ++ return 0; ++} ++#endif /* CONFIG_PM_SLEEP */ ++ + #ifdef CONFIG_PM + static int azx_runtime_suspend(struct device *dev) + { +@@ -1035,6 +1066,10 @@ static int azx_runtime_idle(struct device *dev) + + static const struct dev_pm_ops azx_pm = { + SET_SYSTEM_SLEEP_PM_OPS(azx_suspend, azx_resume) ++#ifdef CONFIG_PM_SLEEP ++ .freeze_noirq = azx_freeze_noirq, ++ .thaw_noirq = azx_thaw_noirq, ++#endif + SET_RUNTIME_PM_OPS(azx_runtime_suspend, azx_runtime_resume, azx_runtime_idle) + }; + +@@ -2065,9 +2100,17 @@ i915_power_fail: + static void azx_remove(struct pci_dev *pci) + { + struct snd_card *card = pci_get_drvdata(pci); ++ struct azx *chip; ++ struct hda_intel *hda; ++ ++ if (card) { ++ /* flush the pending probing work */ ++ chip = card->private_data; ++ hda = container_of(chip, struct hda_intel, chip); ++ flush_work(&hda->probe_work); + +- if (card) + snd_card_free(card); ++ } + } + + static void azx_shutdown(struct pci_dev *pci) +@@ -2104,6 +2147,11 @@ static const struct pci_device_id azx_ids[] = { + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, + { PCI_DEVICE(0x8086, 0x8d21), + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, ++ /* Lewisburg */ ++ { PCI_DEVICE(0x8086, 0xa1f0), ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, ++ { PCI_DEVICE(0x8086, 0xa270), ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, + /* Lynx Point-LP */ + { PCI_DEVICE(0x8086, 0x9c20), + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH }, +@@ -2284,11 +2332,13 @@ static const struct pci_device_id azx_ids[] = { + .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8, + .class_mask = 0xffffff, + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND | ++ AZX_DCAPS_NO_64BIT | + AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB }, + #else + /* this entry seems still valid -- i.e. without emu20kx chip */ + { PCI_DEVICE(0x1102, 0x0009), + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND | ++ AZX_DCAPS_NO_64BIT | + AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB }, + #endif + /* CM8888 */ +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 186792fe226e..5b8a5b84a03c 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -778,7 +778,8 @@ static const struct hda_pintbl alienware_pincfgs[] = { + }; + + static const struct snd_pci_quirk ca0132_quirks[] = { +- SND_PCI_QUIRK(0x1028, 0x0685, "Alienware 15", QUIRK_ALIENWARE), ++ SND_PCI_QUIRK(0x1028, 0x0685, "Alienware 15 2015", QUIRK_ALIENWARE), ++ SND_PCI_QUIRK(0x1028, 0x0688, "Alienware 17 2015", QUIRK_ALIENWARE), + {} + }; + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index f22f5c409447..d1c74295a362 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2330,6 +2330,12 @@ static void intel_pin_eld_notify(void *audio_ptr, int port) + struct hda_codec *codec = audio_ptr; + int pin_nid = port + 0x04; + ++ /* skip notification during system suspend (but not in runtime PM); ++ * the state will be updated at resume ++ */ ++ if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0) ++ return; ++ + check_presence_and_report(codec, pin_nid); + } + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 16b8dcba5c12..887f37761f18 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -67,6 +67,10 @@ enum { + ALC_HEADSET_TYPE_OMTP, + }; + ++enum { ++ ALC_KEY_MICMUTE_INDEX, ++}; ++ + struct alc_customize_define { + unsigned int sku_cfg; + unsigned char port_connectivity; +@@ -111,6 +115,7 @@ struct alc_spec { + void (*power_hook)(struct hda_codec *codec); + #endif + void (*shutup)(struct hda_codec *codec); ++ void (*reboot_notify)(struct hda_codec *codec); + + int init_amp; + int codec_variant; /* flag for other variants */ +@@ -122,6 +127,7 @@ struct alc_spec { + unsigned int pll_coef_idx, pll_coef_bit; + unsigned int coef0; + struct input_dev *kb_dev; ++ u8 alc_mute_keycode_map[1]; + }; + + /* +@@ -773,6 +779,25 @@ static inline void alc_shutup(struct hda_codec *codec) + snd_hda_shutup_pins(codec); + } + ++static void alc_reboot_notify(struct hda_codec *codec) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (spec && spec->reboot_notify) ++ spec->reboot_notify(codec); ++ else ++ alc_shutup(codec); ++} ++ ++/* power down codec to D3 at reboot/shutdown; set as reboot_notify ops */ ++static void alc_d3_at_reboot(struct hda_codec *codec) ++{ ++ snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3); ++ snd_hda_codec_write(codec, codec->core.afg, 0, ++ AC_VERB_SET_POWER_STATE, AC_PWRST_D3); ++ msleep(10); ++} ++ + #define alc_free snd_hda_gen_free + + #ifdef CONFIG_PM +@@ -818,7 +843,7 @@ static const struct hda_codec_ops alc_patch_ops = { + .suspend = alc_suspend, + .check_power_status = snd_hda_gen_check_power_status, + #endif +- .reboot_notify = alc_shutup, ++ .reboot_notify = alc_reboot_notify, + }; + + +@@ -1765,10 +1790,12 @@ enum { + ALC889_FIXUP_MBA11_VREF, + ALC889_FIXUP_MBA21_VREF, + ALC889_FIXUP_MP11_VREF, ++ ALC889_FIXUP_MP41_VREF, + ALC882_FIXUP_INV_DMIC, + ALC882_FIXUP_NO_PRIMARY_HP, + ALC887_FIXUP_ASUS_BASS, + ALC887_FIXUP_BASS_CHMAP, ++ ALC882_FIXUP_DISABLE_AAMIX, + }; + + static void alc889_fixup_coef(struct hda_codec *codec, +@@ -1852,7 +1879,7 @@ static void alc889_fixup_mbp_vref(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { + struct alc_spec *spec = codec->spec; +- static hda_nid_t nids[2] = { 0x14, 0x15 }; ++ static hda_nid_t nids[3] = { 0x14, 0x15, 0x19 }; + int i; + + if (action != HDA_FIXUP_ACT_INIT) +@@ -1930,6 +1957,8 @@ static void alc882_fixup_no_primary_hp(struct hda_codec *codec, + + static void alc_fixup_bass_chmap(struct hda_codec *codec, + const struct hda_fixup *fix, int action); ++static void alc_fixup_disable_aamix(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action); + + static const struct hda_fixup alc882_fixups[] = { + [ALC882_FIXUP_ABIT_AW9D_MAX] = { +@@ -2140,6 +2169,12 @@ static const struct hda_fixup alc882_fixups[] = { + .chained = true, + .chain_id = ALC885_FIXUP_MACPRO_GPIO, + }, ++ [ALC889_FIXUP_MP41_VREF] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc889_fixup_mbp_vref, ++ .chained = true, ++ .chain_id = ALC885_FIXUP_MACPRO_GPIO, ++ }, + [ALC882_FIXUP_INV_DMIC] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_inv_dmic, +@@ -2161,6 +2196,10 @@ static const struct hda_fixup alc882_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_bass_chmap, + }, ++ [ALC882_FIXUP_DISABLE_AAMIX] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_disable_aamix, ++ }, + }; + + static const struct snd_pci_quirk alc882_fixup_tbl[] = { +@@ -2218,7 +2257,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x106b, 0x3f00, "Macbook 5,1", ALC889_FIXUP_IMAC91_VREF), + SND_PCI_QUIRK(0x106b, 0x4000, "MacbookPro 5,1", ALC889_FIXUP_IMAC91_VREF), + SND_PCI_QUIRK(0x106b, 0x4100, "Macmini 3,1", ALC889_FIXUP_IMAC91_VREF), +- SND_PCI_QUIRK(0x106b, 0x4200, "Mac Pro 5,1", ALC885_FIXUP_MACPRO_GPIO), ++ SND_PCI_QUIRK(0x106b, 0x4200, "Mac Pro 4,1/5,1", ALC889_FIXUP_MP41_VREF), + SND_PCI_QUIRK(0x106b, 0x4300, "iMac 9,1", ALC889_FIXUP_IMAC91_VREF), + SND_PCI_QUIRK(0x106b, 0x4600, "MacbookPro 5,2", ALC889_FIXUP_IMAC91_VREF), + SND_PCI_QUIRK(0x106b, 0x4900, "iMac 9,1 Aluminum", ALC889_FIXUP_IMAC91_VREF), +@@ -2228,6 +2267,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = { + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3), + SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1458, 0xa182, "Gigabyte Z170X-UD3", ALC882_FIXUP_DISABLE_AAMIX), + SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX), + SND_PCI_QUIRK_VENDOR(0x1558, "Clevo laptop", ALC882_FIXUP_EAPD), + SND_PCI_QUIRK(0x161f, 0x2054, "Medion laptop", ALC883_FIXUP_EAPD), +@@ -3437,12 +3477,43 @@ static void gpio2_mic_hotkey_event(struct hda_codec *codec, + + /* GPIO2 just toggles on a keypress/keyrelease cycle. Therefore + send both key on and key off event for every interrupt. */ +- input_report_key(spec->kb_dev, KEY_MICMUTE, 1); ++ input_report_key(spec->kb_dev, spec->alc_mute_keycode_map[ALC_KEY_MICMUTE_INDEX], 1); + input_sync(spec->kb_dev); +- input_report_key(spec->kb_dev, KEY_MICMUTE, 0); ++ input_report_key(spec->kb_dev, spec->alc_mute_keycode_map[ALC_KEY_MICMUTE_INDEX], 0); + input_sync(spec->kb_dev); + } + ++static int alc_register_micmute_input_device(struct hda_codec *codec) ++{ ++ struct alc_spec *spec = codec->spec; ++ int i; ++ ++ spec->kb_dev = input_allocate_device(); ++ if (!spec->kb_dev) { ++ codec_err(codec, "Out of memory (input_allocate_device)\n"); ++ return -ENOMEM; ++ } ++ ++ spec->alc_mute_keycode_map[ALC_KEY_MICMUTE_INDEX] = KEY_MICMUTE; ++ ++ spec->kb_dev->name = "Microphone Mute Button"; ++ spec->kb_dev->evbit[0] = BIT_MASK(EV_KEY); ++ spec->kb_dev->keycodesize = sizeof(spec->alc_mute_keycode_map[0]); ++ spec->kb_dev->keycodemax = ARRAY_SIZE(spec->alc_mute_keycode_map); ++ spec->kb_dev->keycode = spec->alc_mute_keycode_map; ++ for (i = 0; i < ARRAY_SIZE(spec->alc_mute_keycode_map); i++) ++ set_bit(spec->alc_mute_keycode_map[i], spec->kb_dev->keybit); ++ ++ if (input_register_device(spec->kb_dev)) { ++ codec_err(codec, "input_register_device failed\n"); ++ input_free_device(spec->kb_dev); ++ spec->kb_dev = NULL; ++ return -ENOMEM; ++ } ++ ++ return 0; ++} ++ + static void alc280_fixup_hp_gpio2_mic_hotkey(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -3460,20 +3531,8 @@ static void alc280_fixup_hp_gpio2_mic_hotkey(struct hda_codec *codec, + struct alc_spec *spec = codec->spec; + + if (action == HDA_FIXUP_ACT_PRE_PROBE) { +- spec->kb_dev = input_allocate_device(); +- if (!spec->kb_dev) { +- codec_err(codec, "Out of memory (input_allocate_device)\n"); ++ if (alc_register_micmute_input_device(codec) != 0) + return; +- } +- spec->kb_dev->name = "Microphone Mute Button"; +- spec->kb_dev->evbit[0] = BIT_MASK(EV_KEY); +- spec->kb_dev->keybit[BIT_WORD(KEY_MICMUTE)] = BIT_MASK(KEY_MICMUTE); +- if (input_register_device(spec->kb_dev)) { +- codec_err(codec, "input_register_device failed\n"); +- input_free_device(spec->kb_dev); +- spec->kb_dev = NULL; +- return; +- } + + snd_hda_add_verbs(codec, gpio_init); + snd_hda_codec_write_cache(codec, codec->core.afg, 0, +@@ -3503,6 +3562,47 @@ static void alc280_fixup_hp_gpio2_mic_hotkey(struct hda_codec *codec, + } + } + ++static void alc233_fixup_lenovo_line2_mic_hotkey(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ /* Line2 = mic mute hotkey ++ GPIO2 = mic mute LED */ ++ static const struct hda_verb gpio_init[] = { ++ { 0x01, AC_VERB_SET_GPIO_MASK, 0x04 }, ++ { 0x01, AC_VERB_SET_GPIO_DIRECTION, 0x04 }, ++ {} ++ }; ++ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ if (alc_register_micmute_input_device(codec) != 0) ++ return; ++ ++ snd_hda_add_verbs(codec, gpio_init); ++ snd_hda_jack_detect_enable_callback(codec, 0x1b, ++ gpio2_mic_hotkey_event); ++ ++ spec->gen.cap_sync_hook = alc_fixup_gpio_mic_mute_hook; ++ spec->gpio_led = 0; ++ spec->mute_led_polarity = 0; ++ spec->gpio_mic_led_mask = 0x04; ++ return; ++ } ++ ++ if (!spec->kb_dev) ++ return; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PROBE: ++ spec->init_amp = ALC_INIT_DEFAULT; ++ break; ++ case HDA_FIXUP_ACT_FREE: ++ input_unregister_device(spec->kb_dev); ++ spec->kb_dev = NULL; ++ } ++} ++ + static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -4200,6 +4300,8 @@ static void alc_fixup_tpt440_dock(struct hda_codec *codec, + struct alc_spec *spec = codec->spec; + + if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->shutup = alc_no_shutup; /* reduce click noise */ ++ spec->reboot_notify = alc_d3_at_reboot; /* reduce noise */ + spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP; + codec->power_save_node = 0; /* avoid click noises */ + snd_hda_apply_pincfgs(codec, pincfgs); +@@ -4574,12 +4676,14 @@ enum { + ALC290_FIXUP_SUBWOOFER, + ALC290_FIXUP_SUBWOOFER_HSJACK, + ALC269_FIXUP_THINKPAD_ACPI, ++ ALC269_FIXUP_DMIC_THINKPAD_ACPI, + ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC255_FIXUP_DELL2_MIC_NO_PRESENCE, + ALC255_FIXUP_HEADSET_MODE, + ALC255_FIXUP_HEADSET_MODE_NO_HP_MIC, + ALC293_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC292_FIXUP_TPT440_DOCK, ++ ALC292_FIXUP_TPT440, + ALC283_FIXUP_BXBT2807_MIC, + ALC255_FIXUP_DELL_WMI_MIC_MUTE_LED, + ALC282_FIXUP_ASPIRE_V5_PINS, +@@ -4595,7 +4699,12 @@ enum { + ALC288_FIXUP_DISABLE_AAMIX, + ALC292_FIXUP_DELL_E7X, + ALC292_FIXUP_DISABLE_AAMIX, ++ ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK, + ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC275_FIXUP_DELL_XPS, ++ ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE, ++ ALC293_FIXUP_LENOVO_SPK_NOISE, ++ ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -5005,6 +5114,12 @@ static const struct hda_fixup alc269_fixups[] = { + .type = HDA_FIXUP_FUNC, + .v.func = hda_fixup_thinkpad_acpi, + }, ++ [ALC269_FIXUP_DMIC_THINKPAD_ACPI] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_inv_dmic, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI, ++ }, + [ALC255_FIXUP_DELL1_MIC_NO_PRESENCE] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -5050,6 +5165,12 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC269_FIXUP_LIMIT_INT_MIC_BOOST + }, ++ [ALC292_FIXUP_TPT440] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_disable_aamix, ++ .chained = true, ++ .chain_id = ALC292_FIXUP_TPT440_DOCK, ++ }, + [ALC283_FIXUP_BXBT2807_MIC] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +@@ -5149,6 +5270,12 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC269_FIXUP_DELL2_MIC_NO_PRESENCE + }, ++ [ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_disable_aamix, ++ .chained = true, ++ .chain_id = ALC293_FIXUP_DELL1_MIC_NO_PRESENCE ++ }, + [ALC292_FIXUP_DELL_E7X] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc_fixup_dell_xps13, +@@ -5165,6 +5292,38 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE + }, ++ [ALC275_FIXUP_DELL_XPS] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ /* Enables internal speaker */ ++ {0x20, AC_VERB_SET_COEF_INDEX, 0x1f}, ++ {0x20, AC_VERB_SET_PROC_COEF, 0x00c0}, ++ {0x20, AC_VERB_SET_COEF_INDEX, 0x30}, ++ {0x20, AC_VERB_SET_PROC_COEF, 0x00b1}, ++ {} ++ } ++ }, ++ [ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ /* Disable pass-through path for FRONT 14h */ ++ {0x20, AC_VERB_SET_COEF_INDEX, 0x36}, ++ {0x20, AC_VERB_SET_PROC_COEF, 0x1737}, ++ {} ++ }, ++ .chained = true, ++ .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE ++ }, ++ [ALC293_FIXUP_LENOVO_SPK_NOISE] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_disable_aamix, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI ++ }, ++ [ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc233_fixup_lenovo_line2_mic_hotkey, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -5178,7 +5337,11 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1025, 0x0742, "Acer AO756", ALC271_FIXUP_HP_GATE_MIC_JACK), + SND_PCI_QUIRK(0x1025, 0x0775, "Acer Aspire E1-572", ALC271_FIXUP_HP_GATE_MIC_JACK_E1_572), + SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS), ++ SND_PCI_QUIRK(0x1025, 0x106d, "Acer Cloudbook 14", ALC283_FIXUP_CHROME_BOOK), + SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z), ++ SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS), ++ SND_PCI_QUIRK(0x1028, 0x05bd, "Dell Latitude E6440", ALC292_FIXUP_DELL_E7X), ++ SND_PCI_QUIRK(0x1028, 0x05be, "Dell Latitude E6540", ALC292_FIXUP_DELL_E7X), + SND_PCI_QUIRK(0x1028, 0x05ca, "Dell Latitude E7240", ALC292_FIXUP_DELL_E7X), + SND_PCI_QUIRK(0x1028, 0x05cb, "Dell Latitude E7440", ALC292_FIXUP_DELL_E7X), + SND_PCI_QUIRK(0x1028, 0x05da, "Dell Vostro 5460", ALC290_FIXUP_SUBWOOFER), +@@ -5187,6 +5350,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x05f6, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x0615, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK), + SND_PCI_QUIRK(0x1028, 0x0616, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK), ++ SND_PCI_QUIRK(0x1028, 0x062c, "Dell Latitude E5550", ALC292_FIXUP_DELL_E7X), + SND_PCI_QUIRK(0x1028, 0x062e, "Dell Latitude E7450", ALC292_FIXUP_DELL_E7X), + SND_PCI_QUIRK(0x1028, 0x0638, "Dell Inspiron 5439", ALC290_FIXUP_MONO_SPEAKERS_HSJACK), + SND_PCI_QUIRK(0x1028, 0x064a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), +@@ -5196,11 +5360,12 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x06c7, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x06d9, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x06da, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), +- SND_PCI_QUIRK(0x1028, 0x06db, "Dell", ALC292_FIXUP_DISABLE_AAMIX), +- SND_PCI_QUIRK(0x1028, 0x06dd, "Dell", ALC292_FIXUP_DISABLE_AAMIX), +- SND_PCI_QUIRK(0x1028, 0x06de, "Dell", ALC292_FIXUP_DISABLE_AAMIX), +- SND_PCI_QUIRK(0x1028, 0x06df, "Dell", ALC292_FIXUP_DISABLE_AAMIX), +- SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", ALC292_FIXUP_DISABLE_AAMIX), ++ SND_PCI_QUIRK(0x1028, 0x06db, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK), ++ SND_PCI_QUIRK(0x1028, 0x06dd, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK), ++ SND_PCI_QUIRK(0x1028, 0x06de, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK), ++ SND_PCI_QUIRK(0x1028, 0x06df, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK), ++ SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK), ++ SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2), +@@ -5299,15 +5464,19 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x21fb, "Thinkpad T430s", ALC269_FIXUP_LENOVO_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2203, "Thinkpad X230 Tablet", ALC269_FIXUP_LENOVO_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2208, "Thinkpad T431s", ALC269_FIXUP_LENOVO_DOCK), +- SND_PCI_QUIRK(0x17aa, 0x220c, "Thinkpad T440s", ALC292_FIXUP_TPT440_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x220c, "Thinkpad T440s", ALC292_FIXUP_TPT440), + SND_PCI_QUIRK(0x17aa, 0x220e, "Thinkpad T440p", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2210, "Thinkpad T540p", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2211, "Thinkpad W541", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2212, "Thinkpad T440", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2214, "Thinkpad X240", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2215, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), ++ SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC293_FIXUP_LENOVO_SPK_NOISE), ++ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), ++ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC), + SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP), + SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), +@@ -5317,6 +5486,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x5034, "Thinkpad T450", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x5036, "Thinkpad T450s", ALC292_FIXUP_TPT440_DOCK), + SND_PCI_QUIRK(0x17aa, 0x503c, "Thinkpad L450", ALC292_FIXUP_TPT440_DOCK), ++ SND_PCI_QUIRK(0x17aa, 0x504b, "Thinkpad", ALC293_FIXUP_LENOVO_SPK_NOISE), + SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), +@@ -5397,6 +5567,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {.id = ALC283_FIXUP_CHROME_BOOK, .name = "alc283-dac-wcaps"}, + {.id = ALC283_FIXUP_SENSE_COMBO_JACK, .name = "alc283-sense-combo"}, + {.id = ALC292_FIXUP_TPT440_DOCK, .name = "tpt440-dock"}, ++ {.id = ALC292_FIXUP_TPT440, .name = "tpt440"}, + {} + }; + +@@ -5466,6 +5637,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { + {0x21, 0x02211040}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + {0x12, 0x90a60170}, ++ {0x14, 0x90171130}, ++ {0x21, 0x02211040}), ++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x12, 0x90a60170}, + {0x14, 0x90170140}, + {0x21, 0x02211050}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5548", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, +@@ -6383,6 +6558,7 @@ static const struct hda_fixup alc662_fixups[] = { + static const struct snd_pci_quirk alc662_fixup_tbl[] = { + SND_PCI_QUIRK(0x1019, 0x9087, "ECS", ALC662_FIXUP_ASUS_MODE2), + SND_PCI_QUIRK(0x1025, 0x022f, "Acer Aspire One", ALC662_FIXUP_INV_DMIC), ++ SND_PCI_QUIRK(0x1025, 0x0241, "Packard Bell DOTS", ALC662_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire 8942G", ALC662_FIXUP_ASPIRE), + SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE), + SND_PCI_QUIRK(0x1025, 0x0349, "eMachines eM250", ALC662_FIXUP_INV_DMIC), +@@ -6400,6 +6576,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = { + SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), + SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A), ++ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A), + SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP), + SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16), + SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16), +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index def5cc8dff02..14a62b8117fd 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -702,6 +702,7 @@ static bool hp_bnb2011_with_dock(struct hda_codec *codec) + static bool hp_blike_system(u32 subsystem_id) + { + switch (subsystem_id) { ++ case 0x103c1473: /* HP ProBook 6550b */ + case 0x103c1520: + case 0x103c1521: + case 0x103c1523: +@@ -3109,6 +3110,29 @@ static void stac92hd71bxx_fixup_hp_hdx(struct hda_codec *codec, + spec->gpio_led = 0x08; + } + ++static bool is_hp_output(struct hda_codec *codec, hda_nid_t pin) ++{ ++ unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, pin); ++ ++ /* count line-out, too, as BIOS sets often so */ ++ return get_defcfg_connect(pin_cfg) != AC_JACK_PORT_NONE && ++ (get_defcfg_device(pin_cfg) == AC_JACK_LINE_OUT || ++ get_defcfg_device(pin_cfg) == AC_JACK_HP_OUT); ++} ++ ++static void fixup_hp_headphone(struct hda_codec *codec, hda_nid_t pin) ++{ ++ unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, pin); ++ ++ /* It was changed in the BIOS to just satisfy MS DTM. ++ * Lets turn it back into slaved HP ++ */ ++ pin_cfg = (pin_cfg & (~AC_DEFCFG_DEVICE)) | ++ (AC_JACK_HP_OUT << AC_DEFCFG_DEVICE_SHIFT); ++ pin_cfg = (pin_cfg & (~(AC_DEFCFG_DEF_ASSOC | AC_DEFCFG_SEQUENCE))) | ++ 0x1f; ++ snd_hda_codec_set_pincfg(codec, pin, pin_cfg); ++} + + static void stac92hd71bxx_fixup_hp(struct hda_codec *codec, + const struct hda_fixup *fix, int action) +@@ -3118,22 +3142,12 @@ static void stac92hd71bxx_fixup_hp(struct hda_codec *codec, + if (action != HDA_FIXUP_ACT_PRE_PROBE) + return; + +- if (hp_blike_system(codec->core.subsystem_id)) { +- unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, 0x0f); +- if (get_defcfg_device(pin_cfg) == AC_JACK_LINE_OUT || +- get_defcfg_device(pin_cfg) == AC_JACK_SPEAKER || +- get_defcfg_device(pin_cfg) == AC_JACK_HP_OUT) { +- /* It was changed in the BIOS to just satisfy MS DTM. +- * Lets turn it back into slaved HP +- */ +- pin_cfg = (pin_cfg & (~AC_DEFCFG_DEVICE)) +- | (AC_JACK_HP_OUT << +- AC_DEFCFG_DEVICE_SHIFT); +- pin_cfg = (pin_cfg & (~(AC_DEFCFG_DEF_ASSOC +- | AC_DEFCFG_SEQUENCE))) +- | 0x1f; +- snd_hda_codec_set_pincfg(codec, 0x0f, pin_cfg); +- } ++ /* when both output A and F are assigned, these are supposedly ++ * dock and built-in headphones; fix both pin configs ++ */ ++ if (is_hp_output(codec, 0x0a) && is_hp_output(codec, 0x0f)) { ++ fixup_hp_headphone(codec, 0x0a); ++ fixup_hp_headphone(codec, 0x0f); + } + + if (find_mute_led_cfg(codec, 1)) +diff --git a/sound/pci/rme96.c b/sound/pci/rme96.c +index 2306ccf7281e..77c963ced67a 100644 +--- a/sound/pci/rme96.c ++++ b/sound/pci/rme96.c +@@ -741,10 +741,11 @@ snd_rme96_playback_setrate(struct rme96 *rme96, + { + /* change to/from double-speed: reset the DAC (if available) */ + snd_rme96_reset_dac(rme96); ++ return 1; /* need to restore volume */ + } else { + writel(rme96->wcreg, rme96->iobase + RME96_IO_CONTROL_REGISTER); ++ return 0; + } +- return 0; + } + + static int +@@ -980,6 +981,7 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream, + struct rme96 *rme96 = snd_pcm_substream_chip(substream); + struct snd_pcm_runtime *runtime = substream->runtime; + int err, rate, dummy; ++ bool apply_dac_volume = false; + + runtime->dma_area = (void __force *)(rme96->iobase + + RME96_IO_PLAY_BUFFER); +@@ -993,24 +995,26 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream, + { + /* slave clock */ + if ((int)params_rate(params) != rate) { +- spin_unlock_irq(&rme96->lock); +- return -EIO; +- } +- } else if ((err = snd_rme96_playback_setrate(rme96, params_rate(params))) < 0) { +- spin_unlock_irq(&rme96->lock); +- return err; +- } +- if ((err = snd_rme96_playback_setformat(rme96, params_format(params))) < 0) { +- spin_unlock_irq(&rme96->lock); +- return err; ++ err = -EIO; ++ goto error; ++ } ++ } else { ++ err = snd_rme96_playback_setrate(rme96, params_rate(params)); ++ if (err < 0) ++ goto error; ++ apply_dac_volume = err > 0; /* need to restore volume later? */ + } ++ ++ err = snd_rme96_playback_setformat(rme96, params_format(params)); ++ if (err < 0) ++ goto error; + snd_rme96_setframelog(rme96, params_channels(params), 1); + if (rme96->capture_periodsize != 0) { + if (params_period_size(params) << rme96->playback_frlog != + rme96->capture_periodsize) + { +- spin_unlock_irq(&rme96->lock); +- return -EBUSY; ++ err = -EBUSY; ++ goto error; + } + } + rme96->playback_periodsize = +@@ -1021,9 +1025,16 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream, + rme96->wcreg &= ~(RME96_WCR_PRO | RME96_WCR_DOLBY | RME96_WCR_EMP); + writel(rme96->wcreg |= rme96->wcreg_spdif_stream, rme96->iobase + RME96_IO_CONTROL_REGISTER); + } ++ ++ err = 0; ++ error: + spin_unlock_irq(&rme96->lock); +- +- return 0; ++ if (apply_dac_volume) { ++ usleep_range(3000, 10000); ++ snd_rme96_apply_dac_volume(rme96); ++ } ++ ++ return err; + } + + static int +diff --git a/sound/soc/codecs/arizona.c b/sound/soc/codecs/arizona.c +index 8a2221ab3d10..a3c8e734ff2f 100644 +--- a/sound/soc/codecs/arizona.c ++++ b/sound/soc/codecs/arizona.c +@@ -1499,7 +1499,7 @@ static int arizona_hw_params(struct snd_pcm_substream *substream, + bool reconfig; + unsigned int aif_tx_state, aif_rx_state; + +- if (params_rate(params) % 8000) ++ if (params_rate(params) % 4000) + rates = &arizona_44k1_bclk_rates[0]; + else + rates = &arizona_48k_bclk_rates[0]; +diff --git a/sound/soc/codecs/es8328.c b/sound/soc/codecs/es8328.c +index 6a091016e0fc..fb7b61faeac5 100644 +--- a/sound/soc/codecs/es8328.c ++++ b/sound/soc/codecs/es8328.c +@@ -85,7 +85,15 @@ static const DECLARE_TLV_DB_SCALE(pga_tlv, 0, 300, 0); + static const DECLARE_TLV_DB_SCALE(bypass_tlv, -1500, 300, 0); + static const DECLARE_TLV_DB_SCALE(mic_tlv, 0, 300, 0); + +-static const int deemph_settings[] = { 0, 32000, 44100, 48000 }; ++static const struct { ++ int rate; ++ unsigned int val; ++} deemph_settings[] = { ++ { 0, ES8328_DACCONTROL6_DEEMPH_OFF }, ++ { 32000, ES8328_DACCONTROL6_DEEMPH_32k }, ++ { 44100, ES8328_DACCONTROL6_DEEMPH_44_1k }, ++ { 48000, ES8328_DACCONTROL6_DEEMPH_48k }, ++}; + + static int es8328_set_deemph(struct snd_soc_codec *codec) + { +@@ -97,21 +105,22 @@ static int es8328_set_deemph(struct snd_soc_codec *codec) + * rate. + */ + if (es8328->deemph) { +- best = 1; +- for (i = 2; i < ARRAY_SIZE(deemph_settings); i++) { +- if (abs(deemph_settings[i] - es8328->playback_fs) < +- abs(deemph_settings[best] - es8328->playback_fs)) ++ best = 0; ++ for (i = 1; i < ARRAY_SIZE(deemph_settings); i++) { ++ if (abs(deemph_settings[i].rate - es8328->playback_fs) < ++ abs(deemph_settings[best].rate - es8328->playback_fs)) + best = i; + } + +- val = best << 1; ++ val = deemph_settings[best].val; + } else { +- val = 0; ++ val = ES8328_DACCONTROL6_DEEMPH_OFF; + } + + dev_dbg(codec->dev, "Set deemphasis %d\n", val); + +- return snd_soc_update_bits(codec, ES8328_DACCONTROL6, 0x6, val); ++ return snd_soc_update_bits(codec, ES8328_DACCONTROL6, ++ ES8328_DACCONTROL6_DEEMPH_MASK, val); + } + + static int es8328_get_deemph(struct snd_kcontrol *kcontrol, +diff --git a/sound/soc/codecs/es8328.h b/sound/soc/codecs/es8328.h +index cb36afe10c0e..156c748c89c7 100644 +--- a/sound/soc/codecs/es8328.h ++++ b/sound/soc/codecs/es8328.h +@@ -153,6 +153,7 @@ int es8328_probe(struct device *dev, struct regmap *regmap); + #define ES8328_DACCONTROL6_CLICKFREE (1 << 3) + #define ES8328_DACCONTROL6_DAC_INVR (1 << 4) + #define ES8328_DACCONTROL6_DAC_INVL (1 << 5) ++#define ES8328_DACCONTROL6_DEEMPH_MASK (3 << 6) + #define ES8328_DACCONTROL6_DEEMPH_OFF (0 << 6) + #define ES8328_DACCONTROL6_DEEMPH_32k (1 << 6) + #define ES8328_DACCONTROL6_DEEMPH_44_1k (2 << 6) +diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c +index bd9365885f73..2088dfa0612d 100644 +--- a/sound/soc/codecs/rt286.c ++++ b/sound/soc/codecs/rt286.c +@@ -38,7 +38,7 @@ + #define RT288_VENDOR_ID 0x10ec0288 + + struct rt286_priv { +- const struct reg_default *index_cache; ++ struct reg_default *index_cache; + int index_cache_size; + struct regmap *regmap; + struct snd_soc_codec *codec; +@@ -1161,7 +1161,11 @@ static int rt286_i2c_probe(struct i2c_client *i2c, + return -ENODEV; + } + +- rt286->index_cache = rt286_index_def; ++ rt286->index_cache = devm_kmemdup(&i2c->dev, rt286_index_def, ++ sizeof(rt286_index_def), GFP_KERNEL); ++ if (!rt286->index_cache) ++ return -ENOMEM; ++ + rt286->index_cache_size = INDEX_CACHE_SIZE; + rt286->i2c = i2c; + i2c_set_clientdata(i2c, rt286); +diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c +index 9756578fc752..8b4a56f538ea 100644 +--- a/sound/soc/codecs/wm5110.c ++++ b/sound/soc/codecs/wm5110.c +@@ -354,15 +354,13 @@ static int wm5110_hp_ev(struct snd_soc_dapm_widget *w, + + static int wm5110_clear_pga_volume(struct arizona *arizona, int output) + { +- struct reg_sequence clear_pga = { +- ARIZONA_OUTPUT_PATH_CONFIG_1L + output * 4, 0x80 +- }; ++ unsigned int reg = ARIZONA_OUTPUT_PATH_CONFIG_1L + output * 4; + int ret; + +- ret = regmap_multi_reg_write_bypassed(arizona->regmap, &clear_pga, 1); ++ ret = regmap_write(arizona->regmap, reg, 0x80); + if (ret) + dev_err(arizona->dev, "Failed to clear PGA (0x%x): %d\n", +- clear_pga.reg, ret); ++ reg, ret); + + return ret; + } +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index 39ebd7bf4f53..a7e79784fc16 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -365,8 +365,8 @@ static const struct reg_default wm8962_reg[] = { + { 16924, 0x0059 }, /* R16924 - HDBASS_PG_1 */ + { 16925, 0x999A }, /* R16925 - HDBASS_PG_0 */ + +- { 17048, 0x0083 }, /* R17408 - HPF_C_1 */ +- { 17049, 0x98AD }, /* R17409 - HPF_C_0 */ ++ { 17408, 0x0083 }, /* R17408 - HPF_C_1 */ ++ { 17409, 0x98AD }, /* R17409 - HPF_C_0 */ + + { 17920, 0x007F }, /* R17920 - ADCL_RETUNE_C1_1 */ + { 17921, 0xFFFF }, /* R17921 - ADCL_RETUNE_C1_0 */ +diff --git a/sound/soc/codecs/wm8974.c b/sound/soc/codecs/wm8974.c +index 0a60677397b3..4c29bd2ae75c 100644 +--- a/sound/soc/codecs/wm8974.c ++++ b/sound/soc/codecs/wm8974.c +@@ -574,6 +574,7 @@ static const struct regmap_config wm8974_regmap = { + .max_register = WM8974_MONOMIX, + .reg_defaults = wm8974_reg_defaults, + .num_reg_defaults = ARRAY_SIZE(wm8974_reg_defaults), ++ .cache_type = REGCACHE_FLAT, + }; + + static int wm8974_probe(struct snd_soc_codec *codec) +diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c +index 7d45d98a861f..226b3606e8a4 100644 +--- a/sound/soc/davinci/davinci-mcasp.c ++++ b/sound/soc/davinci/davinci-mcasp.c +@@ -222,8 +222,8 @@ static void mcasp_start_tx(struct davinci_mcasp *mcasp) + + /* wait for XDATA to be cleared */ + cnt = 0; +- while (!(mcasp_get_reg(mcasp, DAVINCI_MCASP_TXSTAT_REG) & +- ~XRDATA) && (cnt < 100000)) ++ while ((mcasp_get_reg(mcasp, DAVINCI_MCASP_TXSTAT_REG) & XRDATA) && ++ (cnt < 100000)) + cnt++; + + /* Release TX state machine */ +diff --git a/sound/soc/sh/rcar/gen.c b/sound/soc/sh/rcar/gen.c +index f04d17bc6e3d..916b38d54fda 100644 +--- a/sound/soc/sh/rcar/gen.c ++++ b/sound/soc/sh/rcar/gen.c +@@ -231,7 +231,7 @@ static int rsnd_gen2_probe(struct platform_device *pdev, + RSND_GEN_S_REG(SCU_SYS_STATUS0, 0x1c8), + RSND_GEN_S_REG(SCU_SYS_INT_EN0, 0x1cc), + RSND_GEN_S_REG(SCU_SYS_STATUS1, 0x1d0), +- RSND_GEN_S_REG(SCU_SYS_INT_EN1, 0x1c4), ++ RSND_GEN_S_REG(SCU_SYS_INT_EN1, 0x1d4), + RSND_GEN_M_REG(SRC_SWRSR, 0x200, 0x40), + RSND_GEN_M_REG(SRC_SRCIR, 0x204, 0x40), + RSND_GEN_M_REG(SRC_ADINR, 0x214, 0x40), +diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c +index 025c38fbe3c0..1874cf0e6cab 100644 +--- a/sound/soc/soc-compress.c ++++ b/sound/soc/soc-compress.c +@@ -623,6 +623,7 @@ int soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num) + struct snd_pcm *be_pcm; + char new_name[64]; + int ret = 0, direction = 0; ++ int playback = 0, capture = 0; + + if (rtd->num_codecs > 1) { + dev_err(rtd->card->dev, "Multicodec not supported for compressed stream\n"); +@@ -634,11 +635,27 @@ int soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num) + rtd->dai_link->stream_name, codec_dai->name, num); + + if (codec_dai->driver->playback.channels_min) ++ playback = 1; ++ if (codec_dai->driver->capture.channels_min) ++ capture = 1; ++ ++ capture = capture && cpu_dai->driver->capture.channels_min; ++ playback = playback && cpu_dai->driver->playback.channels_min; ++ ++ /* ++ * Compress devices are unidirectional so only one of the directions ++ * should be set, check for that (xor) ++ */ ++ if (playback + capture != 1) { ++ dev_err(rtd->card->dev, "Invalid direction for compress P %d, C %d\n", ++ playback, capture); ++ return -EINVAL; ++ } ++ ++ if(playback) + direction = SND_COMPRESS_PLAYBACK; +- else if (codec_dai->driver->capture.channels_min) +- direction = SND_COMPRESS_CAPTURE; + else +- return -EINVAL; ++ direction = SND_COMPRESS_CAPTURE; + + compr = kzalloc(sizeof(*compr), GFP_KERNEL); + if (compr == NULL) { +diff --git a/sound/usb/card.c b/sound/usb/card.c +index 18f56646ce86..1f09d9591276 100644 +--- a/sound/usb/card.c ++++ b/sound/usb/card.c +@@ -675,6 +675,8 @@ int snd_usb_autoresume(struct snd_usb_audio *chip) + + void snd_usb_autosuspend(struct snd_usb_audio *chip) + { ++ if (atomic_read(&chip->shutdown)) ++ return; + if (atomic_dec_and_test(&chip->active)) + usb_autopm_put_interface(chip->pm_intf); + } +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index f494dced3c11..4f85757009b3 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1354,6 +1354,8 @@ static void build_feature_ctl(struct mixer_build *state, void *raw_desc, + } + } + ++ snd_usb_mixer_fu_apply_quirk(state->mixer, cval, unitid, kctl); ++ + range = (cval->max - cval->min) / cval->res; + /* + * Are there devices with volume range more than 255? I use a bit more +diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c +index 6a803eff87f7..ddca6547399b 100644 +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -348,13 +348,6 @@ static struct usbmix_name_map bose_companion5_map[] = { + { 0 } /* terminator */ + }; + +-/* Dragonfly DAC 1.2, the dB conversion factor is 1 instead of 256 */ +-static struct usbmix_dB_map dragonfly_1_2_dB = {0, 5000}; +-static struct usbmix_name_map dragonfly_1_2_map[] = { +- { 7, NULL, .dB = &dragonfly_1_2_dB }, +- { 0 } /* terminator */ +-}; +- + /* + * Control map entries + */ +@@ -470,11 +463,6 @@ static struct usbmix_ctl_map usbmix_ctl_maps[] = { + .id = USB_ID(0x05a7, 0x1020), + .map = bose_companion5_map, + }, +- { +- /* Dragonfly DAC 1.2 */ +- .id = USB_ID(0x21b4, 0x0081), +- .map = dragonfly_1_2_map, +- }, + { 0 } /* terminator */ + }; + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index d3608c0a29f3..4aeccd78e5dc 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -37,6 +37,7 @@ + #include <sound/control.h> + #include <sound/hwdep.h> + #include <sound/info.h> ++#include <sound/tlv.h> + + #include "usbaudio.h" + #include "mixer.h" +@@ -792,7 +793,7 @@ static int snd_nativeinstruments_control_put(struct snd_kcontrol *kcontrol, + return 0; + + kcontrol->private_value &= ~(0xff << 24); +- kcontrol->private_value |= newval; ++ kcontrol->private_value |= (unsigned int)newval << 24; + err = snd_ni_update_cur_val(list); + return err < 0 ? err : 1; + } +@@ -1825,3 +1826,39 @@ void snd_usb_mixer_rc_memory_change(struct usb_mixer_interface *mixer, + } + } + ++static void snd_dragonfly_quirk_db_scale(struct usb_mixer_interface *mixer, ++ struct snd_kcontrol *kctl) ++{ ++ /* Approximation using 10 ranges based on output measurement on hw v1.2. ++ * This seems close to the cubic mapping e.g. alsamixer uses. */ ++ static const DECLARE_TLV_DB_RANGE(scale, ++ 0, 1, TLV_DB_MINMAX_ITEM(-5300, -4970), ++ 2, 5, TLV_DB_MINMAX_ITEM(-4710, -4160), ++ 6, 7, TLV_DB_MINMAX_ITEM(-3884, -3710), ++ 8, 14, TLV_DB_MINMAX_ITEM(-3443, -2560), ++ 15, 16, TLV_DB_MINMAX_ITEM(-2475, -2324), ++ 17, 19, TLV_DB_MINMAX_ITEM(-2228, -2031), ++ 20, 26, TLV_DB_MINMAX_ITEM(-1910, -1393), ++ 27, 31, TLV_DB_MINMAX_ITEM(-1322, -1032), ++ 32, 40, TLV_DB_MINMAX_ITEM(-968, -490), ++ 41, 50, TLV_DB_MINMAX_ITEM(-441, 0), ++ ); ++ ++ usb_audio_info(mixer->chip, "applying DragonFly dB scale quirk\n"); ++ kctl->tlv.p = scale; ++ kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_TLV_READ; ++ kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK; ++} ++ ++void snd_usb_mixer_fu_apply_quirk(struct usb_mixer_interface *mixer, ++ struct usb_mixer_elem_info *cval, int unitid, ++ struct snd_kcontrol *kctl) ++{ ++ switch (mixer->chip->usb_id) { ++ case USB_ID(0x21b4, 0x0081): /* AudioQuest DragonFly */ ++ if (unitid == 7 && cval->min == 0 && cval->max == 50) ++ snd_dragonfly_quirk_db_scale(mixer, kctl); ++ break; ++ } ++} ++ +diff --git a/sound/usb/mixer_quirks.h b/sound/usb/mixer_quirks.h +index bdbfab093816..177c329cd4dd 100644 +--- a/sound/usb/mixer_quirks.h ++++ b/sound/usb/mixer_quirks.h +@@ -9,5 +9,9 @@ void snd_emuusb_set_samplerate(struct snd_usb_audio *chip, + void snd_usb_mixer_rc_memory_change(struct usb_mixer_interface *mixer, + int unitid); + ++void snd_usb_mixer_fu_apply_quirk(struct usb_mixer_interface *mixer, ++ struct usb_mixer_elem_info *cval, int unitid, ++ struct snd_kcontrol *kctl); ++ + #endif /* SND_USB_MIXER_QUIRKS_H */ + +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index eef9b8e4b949..fb9a8a5787a6 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1122,6 +1122,7 @@ bool snd_usb_get_sample_rate_quirk(struct snd_usb_audio *chip) + case USB_ID(0x045E, 0x0779): /* MS Lifecam HD-3000 */ + case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */ + case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */ ++ case USB_ID(0x21B4, 0x0081): /* AudioQuest DragonFly */ + return true; + } + return false; +@@ -1265,6 +1266,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip, + case USB_ID(0x20b1, 0x3008): /* iFi Audio micro/nano iDSD */ + case USB_ID(0x20b1, 0x2008): /* Matrix Audio X-Sabre */ + case USB_ID(0x20b1, 0x300a): /* Matrix Audio Mini-i Pro */ ++ case USB_ID(0x22d8, 0x0416): /* OPPO HA-1*/ + if (fp->altsetting == 2) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + break; |