Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Wed, 02 May 2018 16:11:32
Message-Id: 1525277478.b0cb1b08a21ac357d6665e406616d7bb3ac69ed3.mpagano@gentoo
1 commit: b0cb1b08a21ac357d6665e406616d7bb3ac69ed3
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed May 2 16:11:18 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed May 2 16:11:18 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=b0cb1b08
7
8 Linux patch 4.4.131
9
10 0000_README | 4 +
11 1130_linux-4.4.131.patch | 1558 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 1562 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 33599fb..863ce11 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -563,6 +563,10 @@ Patch: 1129_linux-4.4.130.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.4.130
21
22 +Patch: 1130_linux-4.4.131.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.4.131
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1130_linux-4.4.131.patch b/1130_linux-4.4.131.patch
31 new file mode 100644
32 index 0000000..0a4d377
33 --- /dev/null
34 +++ b/1130_linux-4.4.131.patch
35 @@ -0,0 +1,1558 @@
36 +diff --git a/Makefile b/Makefile
37 +index 151477d4d5e5..6ec65396a56d 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 4
42 + PATCHLEVEL = 4
43 +-SUBLEVEL = 130
44 ++SUBLEVEL = 131
45 + EXTRAVERSION =
46 + NAME = Blurry Fish Butt
47 +
48 +diff --git a/arch/x86/include/uapi/asm/msgbuf.h b/arch/x86/include/uapi/asm/msgbuf.h
49 +index 809134c644a6..90ab9a795b49 100644
50 +--- a/arch/x86/include/uapi/asm/msgbuf.h
51 ++++ b/arch/x86/include/uapi/asm/msgbuf.h
52 +@@ -1 +1,32 @@
53 ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
54 ++#ifndef __ASM_X64_MSGBUF_H
55 ++#define __ASM_X64_MSGBUF_H
56 ++
57 ++#if !defined(__x86_64__) || !defined(__ILP32__)
58 + #include <asm-generic/msgbuf.h>
59 ++#else
60 ++/*
61 ++ * The msqid64_ds structure for x86 architecture with x32 ABI.
62 ++ *
63 ++ * On x86-32 and x86-64 we can just use the generic definition, but
64 ++ * x32 uses the same binary layout as x86_64, which is differnet
65 ++ * from other 32-bit architectures.
66 ++ */
67 ++
68 ++struct msqid64_ds {
69 ++ struct ipc64_perm msg_perm;
70 ++ __kernel_time_t msg_stime; /* last msgsnd time */
71 ++ __kernel_time_t msg_rtime; /* last msgrcv time */
72 ++ __kernel_time_t msg_ctime; /* last change time */
73 ++ __kernel_ulong_t msg_cbytes; /* current number of bytes on queue */
74 ++ __kernel_ulong_t msg_qnum; /* number of messages in queue */
75 ++ __kernel_ulong_t msg_qbytes; /* max number of bytes on queue */
76 ++ __kernel_pid_t msg_lspid; /* pid of last msgsnd */
77 ++ __kernel_pid_t msg_lrpid; /* last receive pid */
78 ++ __kernel_ulong_t __unused4;
79 ++ __kernel_ulong_t __unused5;
80 ++};
81 ++
82 ++#endif
83 ++
84 ++#endif /* __ASM_GENERIC_MSGBUF_H */
85 +diff --git a/arch/x86/include/uapi/asm/shmbuf.h b/arch/x86/include/uapi/asm/shmbuf.h
86 +index 83c05fc2de38..644421f3823b 100644
87 +--- a/arch/x86/include/uapi/asm/shmbuf.h
88 ++++ b/arch/x86/include/uapi/asm/shmbuf.h
89 +@@ -1 +1,43 @@
90 ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
91 ++#ifndef __ASM_X86_SHMBUF_H
92 ++#define __ASM_X86_SHMBUF_H
93 ++
94 ++#if !defined(__x86_64__) || !defined(__ILP32__)
95 + #include <asm-generic/shmbuf.h>
96 ++#else
97 ++/*
98 ++ * The shmid64_ds structure for x86 architecture with x32 ABI.
99 ++ *
100 ++ * On x86-32 and x86-64 we can just use the generic definition, but
101 ++ * x32 uses the same binary layout as x86_64, which is differnet
102 ++ * from other 32-bit architectures.
103 ++ */
104 ++
105 ++struct shmid64_ds {
106 ++ struct ipc64_perm shm_perm; /* operation perms */
107 ++ size_t shm_segsz; /* size of segment (bytes) */
108 ++ __kernel_time_t shm_atime; /* last attach time */
109 ++ __kernel_time_t shm_dtime; /* last detach time */
110 ++ __kernel_time_t shm_ctime; /* last change time */
111 ++ __kernel_pid_t shm_cpid; /* pid of creator */
112 ++ __kernel_pid_t shm_lpid; /* pid of last operator */
113 ++ __kernel_ulong_t shm_nattch; /* no. of current attaches */
114 ++ __kernel_ulong_t __unused4;
115 ++ __kernel_ulong_t __unused5;
116 ++};
117 ++
118 ++struct shminfo64 {
119 ++ __kernel_ulong_t shmmax;
120 ++ __kernel_ulong_t shmmin;
121 ++ __kernel_ulong_t shmmni;
122 ++ __kernel_ulong_t shmseg;
123 ++ __kernel_ulong_t shmall;
124 ++ __kernel_ulong_t __unused1;
125 ++ __kernel_ulong_t __unused2;
126 ++ __kernel_ulong_t __unused3;
127 ++ __kernel_ulong_t __unused4;
128 ++};
129 ++
130 ++#endif
131 ++
132 ++#endif /* __ASM_X86_SHMBUF_H */
133 +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
134 +index fe89f938e0f0..00c7878043ef 100644
135 +--- a/arch/x86/kernel/smpboot.c
136 ++++ b/arch/x86/kernel/smpboot.c
137 +@@ -1442,6 +1442,8 @@ static inline void mwait_play_dead(void)
138 + void *mwait_ptr;
139 + int i;
140 +
141 ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
142 ++ return;
143 + if (!this_cpu_has(X86_FEATURE_MWAIT))
144 + return;
145 + if (!this_cpu_has(X86_FEATURE_CLFLUSH))
146 +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
147 +index f0099360039e..1accc01fb0ca 100644
148 +--- a/drivers/amba/bus.c
149 ++++ b/drivers/amba/bus.c
150 +@@ -68,11 +68,12 @@ static ssize_t driver_override_show(struct device *_dev,
151 + struct device_attribute *attr, char *buf)
152 + {
153 + struct amba_device *dev = to_amba_device(_dev);
154 ++ ssize_t len;
155 +
156 +- if (!dev->driver_override)
157 +- return 0;
158 +-
159 +- return sprintf(buf, "%s\n", dev->driver_override);
160 ++ device_lock(_dev);
161 ++ len = sprintf(buf, "%s\n", dev->driver_override);
162 ++ device_unlock(_dev);
163 ++ return len;
164 + }
165 +
166 + static ssize_t driver_override_store(struct device *_dev,
167 +@@ -80,9 +81,10 @@ static ssize_t driver_override_store(struct device *_dev,
168 + const char *buf, size_t count)
169 + {
170 + struct amba_device *dev = to_amba_device(_dev);
171 +- char *driver_override, *old = dev->driver_override, *cp;
172 ++ char *driver_override, *old, *cp;
173 +
174 +- if (count > PATH_MAX)
175 ++ /* We need to keep extra room for a newline */
176 ++ if (count >= (PAGE_SIZE - 1))
177 + return -EINVAL;
178 +
179 + driver_override = kstrndup(buf, count, GFP_KERNEL);
180 +@@ -93,12 +95,15 @@ static ssize_t driver_override_store(struct device *_dev,
181 + if (cp)
182 + *cp = '\0';
183 +
184 ++ device_lock(_dev);
185 ++ old = dev->driver_override;
186 + if (strlen(driver_override)) {
187 + dev->driver_override = driver_override;
188 + } else {
189 + kfree(driver_override);
190 + dev->driver_override = NULL;
191 + }
192 ++ device_unlock(_dev);
193 +
194 + kfree(old);
195 +
196 +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
197 +index be0b09a0fb44..2aca689061e1 100644
198 +--- a/drivers/char/virtio_console.c
199 ++++ b/drivers/char/virtio_console.c
200 +@@ -1399,7 +1399,6 @@ static int add_port(struct ports_device *portdev, u32 id)
201 + {
202 + char debugfs_name[16];
203 + struct port *port;
204 +- struct port_buffer *buf;
205 + dev_t devt;
206 + unsigned int nr_added_bufs;
207 + int err;
208 +@@ -1510,8 +1509,6 @@ static int add_port(struct ports_device *portdev, u32 id)
209 + return 0;
210 +
211 + free_inbufs:
212 +- while ((buf = virtqueue_detach_unused_buf(port->in_vq)))
213 +- free_buf(buf, true);
214 + free_device:
215 + device_destroy(pdrvdata.class, port->dev->devt);
216 + free_cdev:
217 +@@ -1536,34 +1533,14 @@ static void remove_port(struct kref *kref)
218 +
219 + static void remove_port_data(struct port *port)
220 + {
221 +- struct port_buffer *buf;
222 +-
223 + spin_lock_irq(&port->inbuf_lock);
224 + /* Remove unused data this port might have received. */
225 + discard_port_data(port);
226 + spin_unlock_irq(&port->inbuf_lock);
227 +
228 +- /* Remove buffers we queued up for the Host to send us data in. */
229 +- do {
230 +- spin_lock_irq(&port->inbuf_lock);
231 +- buf = virtqueue_detach_unused_buf(port->in_vq);
232 +- spin_unlock_irq(&port->inbuf_lock);
233 +- if (buf)
234 +- free_buf(buf, true);
235 +- } while (buf);
236 +-
237 + spin_lock_irq(&port->outvq_lock);
238 + reclaim_consumed_buffers(port);
239 + spin_unlock_irq(&port->outvq_lock);
240 +-
241 +- /* Free pending buffers from the out-queue. */
242 +- do {
243 +- spin_lock_irq(&port->outvq_lock);
244 +- buf = virtqueue_detach_unused_buf(port->out_vq);
245 +- spin_unlock_irq(&port->outvq_lock);
246 +- if (buf)
247 +- free_buf(buf, true);
248 +- } while (buf);
249 + }
250 +
251 + /*
252 +@@ -1788,13 +1765,24 @@ static void control_work_handler(struct work_struct *work)
253 + spin_unlock(&portdev->c_ivq_lock);
254 + }
255 +
256 ++static void flush_bufs(struct virtqueue *vq, bool can_sleep)
257 ++{
258 ++ struct port_buffer *buf;
259 ++ unsigned int len;
260 ++
261 ++ while ((buf = virtqueue_get_buf(vq, &len)))
262 ++ free_buf(buf, can_sleep);
263 ++}
264 ++
265 + static void out_intr(struct virtqueue *vq)
266 + {
267 + struct port *port;
268 +
269 + port = find_port_by_vq(vq->vdev->priv, vq);
270 +- if (!port)
271 ++ if (!port) {
272 ++ flush_bufs(vq, false);
273 + return;
274 ++ }
275 +
276 + wake_up_interruptible(&port->waitqueue);
277 + }
278 +@@ -1805,8 +1793,10 @@ static void in_intr(struct virtqueue *vq)
279 + unsigned long flags;
280 +
281 + port = find_port_by_vq(vq->vdev->priv, vq);
282 +- if (!port)
283 ++ if (!port) {
284 ++ flush_bufs(vq, false);
285 + return;
286 ++ }
287 +
288 + spin_lock_irqsave(&port->inbuf_lock, flags);
289 + port->inbuf = get_inbuf(port);
290 +@@ -1981,6 +1971,15 @@ static const struct file_operations portdev_fops = {
291 +
292 + static void remove_vqs(struct ports_device *portdev)
293 + {
294 ++ struct virtqueue *vq;
295 ++
296 ++ virtio_device_for_each_vq(portdev->vdev, vq) {
297 ++ struct port_buffer *buf;
298 ++
299 ++ flush_bufs(vq, true);
300 ++ while ((buf = virtqueue_detach_unused_buf(vq)))
301 ++ free_buf(buf, true);
302 ++ }
303 + portdev->vdev->config->del_vqs(portdev->vdev);
304 + kfree(portdev->in_vqs);
305 + kfree(portdev->out_vqs);
306 +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
307 +index 5a0f8a745b9d..52436b3c01bb 100644
308 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
309 ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
310 +@@ -324,7 +324,7 @@ retry:
311 + ret = virtqueue_add_sgs(vq, sgs, outcnt, incnt, vbuf, GFP_ATOMIC);
312 + if (ret == -ENOSPC) {
313 + spin_unlock(&vgdev->ctrlq.qlock);
314 +- wait_event(vgdev->ctrlq.ack_queue, vq->num_free);
315 ++ wait_event(vgdev->ctrlq.ack_queue, vq->num_free >= outcnt + incnt);
316 + spin_lock(&vgdev->ctrlq.qlock);
317 + goto retry;
318 + } else {
319 +@@ -399,7 +399,7 @@ retry:
320 + ret = virtqueue_add_sgs(vq, sgs, outcnt, 0, vbuf, GFP_ATOMIC);
321 + if (ret == -ENOSPC) {
322 + spin_unlock(&vgdev->cursorq.qlock);
323 +- wait_event(vgdev->cursorq.ack_queue, vq->num_free);
324 ++ wait_event(vgdev->cursorq.ack_queue, vq->num_free >= outcnt);
325 + spin_lock(&vgdev->cursorq.qlock);
326 + goto retry;
327 + } else {
328 +diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
329 +index 286b97a304cf..4509ee0b294a 100644
330 +--- a/drivers/mtd/chips/cfi_cmdset_0001.c
331 ++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
332 +@@ -45,6 +45,7 @@
333 + #define I82802AB 0x00ad
334 + #define I82802AC 0x00ac
335 + #define PF38F4476 0x881c
336 ++#define M28F00AP30 0x8963
337 + /* STMicroelectronics chips */
338 + #define M50LPW080 0x002F
339 + #define M50FLW080A 0x0080
340 +@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct cfi_private *cfi,
341 + extp->MinorVersion = '1';
342 + }
343 +
344 ++static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip)
345 ++{
346 ++ /*
347 ++ * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t
348 ++ * Erase Supend for their small Erase Blocks(0x8000)
349 ++ */
350 ++ if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30)
351 ++ return 1;
352 ++ return 0;
353 ++}
354 ++
355 + static inline struct cfi_pri_intelext *
356 + read_pri_intelext(struct map_info *map, __u16 adr)
357 + {
358 +@@ -825,21 +837,30 @@ static int chip_ready (struct map_info *map, struct flchip *chip, unsigned long
359 + (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1))))
360 + goto sleep;
361 +
362 ++ /* Do not allow suspend iff read/write to EB address */
363 ++ if ((adr & chip->in_progress_block_mask) ==
364 ++ chip->in_progress_block_addr)
365 ++ goto sleep;
366 ++
367 ++ /* do not suspend small EBs, buggy Micron Chips */
368 ++ if (cfi_is_micron_28F00AP30(cfi, chip) &&
369 ++ (chip->in_progress_block_mask == ~(0x8000-1)))
370 ++ goto sleep;
371 +
372 + /* Erase suspend */
373 +- map_write(map, CMD(0xB0), adr);
374 ++ map_write(map, CMD(0xB0), chip->in_progress_block_addr);
375 +
376 + /* If the flash has finished erasing, then 'erase suspend'
377 + * appears to make some (28F320) flash devices switch to
378 + * 'read' mode. Make sure that we switch to 'read status'
379 + * mode so we get the right data. --rmk
380 + */
381 +- map_write(map, CMD(0x70), adr);
382 ++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
383 + chip->oldstate = FL_ERASING;
384 + chip->state = FL_ERASE_SUSPENDING;
385 + chip->erase_suspended = 1;
386 + for (;;) {
387 +- status = map_read(map, adr);
388 ++ status = map_read(map, chip->in_progress_block_addr);
389 + if (map_word_andequal(map, status, status_OK, status_OK))
390 + break;
391 +
392 +@@ -1035,8 +1056,8 @@ static void put_chip(struct map_info *map, struct flchip *chip, unsigned long ad
393 + sending the 0x70 (Read Status) command to an erasing
394 + chip and expecting it to be ignored, that's what we
395 + do. */
396 +- map_write(map, CMD(0xd0), adr);
397 +- map_write(map, CMD(0x70), adr);
398 ++ map_write(map, CMD(0xd0), chip->in_progress_block_addr);
399 ++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
400 + chip->oldstate = FL_READY;
401 + chip->state = FL_ERASING;
402 + break;
403 +@@ -1927,6 +1948,8 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
404 + map_write(map, CMD(0xD0), adr);
405 + chip->state = FL_ERASING;
406 + chip->erase_suspended = 0;
407 ++ chip->in_progress_block_addr = adr;
408 ++ chip->in_progress_block_mask = ~(len - 1);
409 +
410 + ret = INVAL_CACHE_AND_WAIT(map, chip, adr,
411 + adr, len,
412 +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
413 +index c3624eb571d1..31448a2b39ae 100644
414 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c
415 ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
416 +@@ -814,9 +814,10 @@ static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr
417 + (mode == FL_WRITING && (cfip->EraseSuspend & 0x2))))
418 + goto sleep;
419 +
420 +- /* We could check to see if we're trying to access the sector
421 +- * that is currently being erased. However, no user will try
422 +- * anything like that so we just wait for the timeout. */
423 ++ /* Do not allow suspend iff read/write to EB address */
424 ++ if ((adr & chip->in_progress_block_mask) ==
425 ++ chip->in_progress_block_addr)
426 ++ goto sleep;
427 +
428 + /* Erase suspend */
429 + /* It's harmless to issue the Erase-Suspend and Erase-Resume
430 +@@ -2265,6 +2266,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
431 + chip->state = FL_ERASING;
432 + chip->erase_suspended = 0;
433 + chip->in_progress_block_addr = adr;
434 ++ chip->in_progress_block_mask = ~(map->size - 1);
435 +
436 + INVALIDATE_CACHE_UDELAY(map, chip,
437 + adr, map->size,
438 +@@ -2354,6 +2356,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
439 + chip->state = FL_ERASING;
440 + chip->erase_suspended = 0;
441 + chip->in_progress_block_addr = adr;
442 ++ chip->in_progress_block_mask = ~(len - 1);
443 +
444 + INVALIDATE_CACHE_UDELAY(map, chip,
445 + adr, len,
446 +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
447 +index dd72205ba298..8c9e4a3ec3fb 100644
448 +--- a/drivers/scsi/sd.c
449 ++++ b/drivers/scsi/sd.c
450 +@@ -1929,6 +1929,8 @@ sd_spinup_disk(struct scsi_disk *sdkp)
451 + break; /* standby */
452 + if (sshdr.asc == 4 && sshdr.ascq == 0xc)
453 + break; /* unavailable */
454 ++ if (sshdr.asc == 4 && sshdr.ascq == 0x1b)
455 ++ break; /* sanitize in progress */
456 + /*
457 + * Issue command to spin up drive when not ready
458 + */
459 +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
460 +index 78bd121ecede..6060c3e8925e 100644
461 +--- a/drivers/tty/n_gsm.c
462 ++++ b/drivers/tty/n_gsm.c
463 +@@ -137,6 +137,9 @@ struct gsm_dlci {
464 + struct mutex mutex;
465 +
466 + /* Link layer */
467 ++ int mode;
468 ++#define DLCI_MODE_ABM 0 /* Normal Asynchronous Balanced Mode */
469 ++#define DLCI_MODE_ADM 1 /* Asynchronous Disconnected Mode */
470 + spinlock_t lock; /* Protects the internal state */
471 + struct timer_list t1; /* Retransmit timer for SABM and UA */
472 + int retries;
473 +@@ -1380,7 +1383,13 @@ retry:
474 + ctrl->data = data;
475 + ctrl->len = clen;
476 + gsm->pending_cmd = ctrl;
477 +- gsm->cretries = gsm->n2;
478 ++
479 ++ /* If DLCI0 is in ADM mode skip retries, it won't respond */
480 ++ if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
481 ++ gsm->cretries = 1;
482 ++ else
483 ++ gsm->cretries = gsm->n2;
484 ++
485 + mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
486 + gsm_control_transmit(gsm, ctrl);
487 + spin_unlock_irqrestore(&gsm->control_lock, flags);
488 +@@ -1488,6 +1497,7 @@ static void gsm_dlci_t1(unsigned long data)
489 + if (debug & 8)
490 + pr_info("DLCI %d opening in ADM mode.\n",
491 + dlci->addr);
492 ++ dlci->mode = DLCI_MODE_ADM;
493 + gsm_dlci_open(dlci);
494 + } else {
495 + gsm_dlci_close(dlci);
496 +@@ -2881,11 +2891,22 @@ static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk)
497 + static int gsm_carrier_raised(struct tty_port *port)
498 + {
499 + struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
500 ++ struct gsm_mux *gsm = dlci->gsm;
501 ++
502 + /* Not yet open so no carrier info */
503 + if (dlci->state != DLCI_OPEN)
504 + return 0;
505 + if (debug & 2)
506 + return 1;
507 ++
508 ++ /*
509 ++ * Basic mode with control channel in ADM mode may not respond
510 ++ * to CMD_MSC at all and modem_rx is empty.
511 ++ */
512 ++ if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM &&
513 ++ !dlci->modem_rx)
514 ++ return 1;
515 ++
516 + return dlci->modem_rx & TIOCM_CD;
517 + }
518 +
519 +diff --git a/drivers/tty/serial/serial_mctrl_gpio.c b/drivers/tty/serial/serial_mctrl_gpio.c
520 +index 3eb57eb532f1..02147361eaa9 100644
521 +--- a/drivers/tty/serial/serial_mctrl_gpio.c
522 ++++ b/drivers/tty/serial/serial_mctrl_gpio.c
523 +@@ -20,6 +20,7 @@
524 + #include <linux/gpio/consumer.h>
525 + #include <linux/termios.h>
526 + #include <linux/serial_core.h>
527 ++#include <linux/module.h>
528 +
529 + #include "serial_mctrl_gpio.h"
530 +
531 +@@ -193,6 +194,7 @@ struct mctrl_gpios *mctrl_gpio_init(struct uart_port *port, unsigned int idx)
532 +
533 + return gpios;
534 + }
535 ++EXPORT_SYMBOL_GPL(mctrl_gpio_init);
536 +
537 + void mctrl_gpio_free(struct device *dev, struct mctrl_gpios *gpios)
538 + {
539 +@@ -247,3 +249,6 @@ void mctrl_gpio_disable_ms(struct mctrl_gpios *gpios)
540 + disable_irq(gpios->irq[i]);
541 + }
542 + }
543 ++EXPORT_SYMBOL_GPL(mctrl_gpio_disable_ms);
544 ++
545 ++MODULE_LICENSE("GPL");
546 +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
547 +index 89fd20382ce4..198451fa9e5d 100644
548 +--- a/drivers/tty/tty_io.c
549 ++++ b/drivers/tty/tty_io.c
550 +@@ -3154,7 +3154,10 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
551 +
552 + kref_init(&tty->kref);
553 + tty->magic = TTY_MAGIC;
554 +- tty_ldisc_init(tty);
555 ++ if (tty_ldisc_init(tty)) {
556 ++ kfree(tty);
557 ++ return NULL;
558 ++ }
559 + tty->session = NULL;
560 + tty->pgrp = NULL;
561 + mutex_init(&tty->legacy_mutex);
562 +diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
563 +index 9bee25cfa0be..d9e013dc2c08 100644
564 +--- a/drivers/tty/tty_ldisc.c
565 ++++ b/drivers/tty/tty_ldisc.c
566 +@@ -168,12 +168,11 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc)
567 + return ERR_CAST(ldops);
568 + }
569 +
570 +- ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL);
571 +- if (ld == NULL) {
572 +- put_ldops(ldops);
573 +- return ERR_PTR(-ENOMEM);
574 +- }
575 +-
576 ++ /*
577 ++ * There is no way to handle allocation failure of only 16 bytes.
578 ++ * Let's simplify error handling and save more memory.
579 ++ */
580 ++ ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL | __GFP_NOFAIL);
581 + ld->ops = ldops;
582 + ld->tty = tty;
583 +
584 +@@ -804,12 +803,13 @@ void tty_ldisc_release(struct tty_struct *tty)
585 + * the tty structure is not completely set up when this call is made.
586 + */
587 +
588 +-void tty_ldisc_init(struct tty_struct *tty)
589 ++int tty_ldisc_init(struct tty_struct *tty)
590 + {
591 + struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY);
592 + if (IS_ERR(ld))
593 +- panic("n_tty: init_tty");
594 ++ return PTR_ERR(ld);
595 + tty->ldisc = ld;
596 ++ return 0;
597 + }
598 +
599 + /**
600 +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
601 +index 87a83d925eea..9c4f9b6e57e2 100644
602 +--- a/drivers/usb/core/hcd.c
603 ++++ b/drivers/usb/core/hcd.c
604 +@@ -2339,6 +2339,7 @@ void usb_hcd_resume_root_hub (struct usb_hcd *hcd)
605 +
606 + spin_lock_irqsave (&hcd_root_hub_lock, flags);
607 + if (hcd->rh_registered) {
608 ++ pm_wakeup_event(&hcd->self.root_hub->dev, 0);
609 + set_bit(HCD_FLAG_WAKEUP_PENDING, &hcd->flags);
610 + queue_work(pm_wq, &hcd->wakeup_work);
611 + }
612 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
613 +index 0f38f577c047..6d84f6c8fbe6 100644
614 +--- a/drivers/usb/core/hub.c
615 ++++ b/drivers/usb/core/hub.c
616 +@@ -632,12 +632,17 @@ void usb_wakeup_notification(struct usb_device *hdev,
617 + unsigned int portnum)
618 + {
619 + struct usb_hub *hub;
620 ++ struct usb_port *port_dev;
621 +
622 + if (!hdev)
623 + return;
624 +
625 + hub = usb_hub_to_struct_hub(hdev);
626 + if (hub) {
627 ++ port_dev = hub->ports[portnum - 1];
628 ++ if (port_dev && port_dev->child)
629 ++ pm_wakeup_event(&port_dev->child->dev, 0);
630 ++
631 + set_bit(portnum, hub->wakeup_bits);
632 + kick_hub_wq(hub);
633 + }
634 +@@ -3361,8 +3366,11 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg)
635 +
636 + /* Skip the initial Clear-Suspend step for a remote wakeup */
637 + status = hub_port_status(hub, port1, &portstatus, &portchange);
638 +- if (status == 0 && !port_is_suspended(hub, portstatus))
639 ++ if (status == 0 && !port_is_suspended(hub, portstatus)) {
640 ++ if (portchange & USB_PORT_STAT_C_SUSPEND)
641 ++ pm_wakeup_event(&udev->dev, 0);
642 + goto SuspendCleared;
643 ++ }
644 +
645 + /* see 7.1.7.7; affects power usage, but not budgeting */
646 + if (hub_is_superspeed(hub->hdev))
647 +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
648 +index 4f1c6f8d4352..40ce175655e6 100644
649 +--- a/drivers/usb/core/quirks.c
650 ++++ b/drivers/usb/core/quirks.c
651 +@@ -45,6 +45,9 @@ static const struct usb_device_id usb_quirk_list[] = {
652 + { USB_DEVICE(0x03f0, 0x0701), .driver_info =
653 + USB_QUIRK_STRING_FETCH_255 },
654 +
655 ++ /* HP v222w 16GB Mini USB Drive */
656 ++ { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT },
657 ++
658 + /* Creative SB Audigy 2 NX */
659 + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
660 +
661 +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig
662 +index 584ae8cbaf1c..77c3ebe860c5 100644
663 +--- a/drivers/usb/serial/Kconfig
664 ++++ b/drivers/usb/serial/Kconfig
665 +@@ -62,6 +62,7 @@ config USB_SERIAL_SIMPLE
666 + - Fundamental Software dongle.
667 + - Google USB serial devices
668 + - HP4x calculators
669 ++ - Libtransistor USB console
670 + - a number of Motorola phones
671 + - Motorola Tetra devices
672 + - Novatel Wireless GPS receivers
673 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
674 +index 64a4427678b0..32cadca198b2 100644
675 +--- a/drivers/usb/serial/cp210x.c
676 ++++ b/drivers/usb/serial/cp210x.c
677 +@@ -210,6 +210,7 @@ static const struct usb_device_id id_table[] = {
678 + { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
679 + { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */
680 + { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */
681 ++ { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */
682 + { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */
683 + { } /* Terminating Entry */
684 + };
685 +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
686 +index a224c7a3ce09..3e5b189a79b4 100644
687 +--- a/drivers/usb/serial/ftdi_sio.c
688 ++++ b/drivers/usb/serial/ftdi_sio.c
689 +@@ -1911,7 +1911,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial)
690 + return ftdi_jtag_probe(serial);
691 +
692 + if (udev->product &&
693 +- (!strcmp(udev->product, "BeagleBone/XDS100V2") ||
694 ++ (!strcmp(udev->product, "Arrow USB Blaster") ||
695 ++ !strcmp(udev->product, "BeagleBone/XDS100V2") ||
696 + !strcmp(udev->product, "SNAP Connect E10")))
697 + return ftdi_jtag_probe(serial);
698 +
699 +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
700 +index 6aa7ff2c1cf7..2674da40d9cd 100644
701 +--- a/drivers/usb/serial/usb-serial-simple.c
702 ++++ b/drivers/usb/serial/usb-serial-simple.c
703 +@@ -66,6 +66,11 @@ DEVICE(flashloader, FLASHLOADER_IDS);
704 + 0x01) }
705 + DEVICE(google, GOOGLE_IDS);
706 +
707 ++/* Libtransistor USB console */
708 ++#define LIBTRANSISTOR_IDS() \
709 ++ { USB_DEVICE(0x1209, 0x8b00) }
710 ++DEVICE(libtransistor, LIBTRANSISTOR_IDS);
711 ++
712 + /* ViVOpay USB Serial Driver */
713 + #define VIVOPAY_IDS() \
714 + { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */
715 +@@ -113,6 +118,7 @@ static struct usb_serial_driver * const serial_drivers[] = {
716 + &funsoft_device,
717 + &flashloader_device,
718 + &google_device,
719 ++ &libtransistor_device,
720 + &vivopay_device,
721 + &moto_modem_device,
722 + &motorola_tetra_device,
723 +@@ -129,6 +135,7 @@ static const struct usb_device_id id_table[] = {
724 + FUNSOFT_IDS(),
725 + FLASHLOADER_IDS(),
726 + GOOGLE_IDS(),
727 ++ LIBTRANSISTOR_IDS(),
728 + VIVOPAY_IDS(),
729 + MOTO_IDS(),
730 + MOTOROLA_TETRA_IDS(),
731 +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c
732 +index 325b4c05acdd..f761e02e75c9 100644
733 +--- a/drivers/usb/usbip/stub_main.c
734 ++++ b/drivers/usb/usbip/stub_main.c
735 +@@ -201,7 +201,12 @@ static ssize_t rebind_store(struct device_driver *dev, const char *buf,
736 + if (!bid)
737 + return -ENODEV;
738 +
739 ++ /* device_attach() callers should hold parent lock for USB */
740 ++ if (bid->udev->dev.parent)
741 ++ device_lock(bid->udev->dev.parent);
742 + ret = device_attach(&bid->udev->dev);
743 ++ if (bid->udev->dev.parent)
744 ++ device_unlock(bid->udev->dev.parent);
745 + if (ret < 0) {
746 + dev_err(&bid->udev->dev, "rebind failed\n");
747 + return ret;
748 +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
749 +index f875ccaa55f9..0fc5ace57c0e 100644
750 +--- a/drivers/usb/usbip/usbip_common.h
751 ++++ b/drivers/usb/usbip/usbip_common.h
752 +@@ -248,7 +248,7 @@ enum usbip_side {
753 + #define SDEV_EVENT_ERROR_SUBMIT (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
754 + #define SDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
755 +
756 +-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE)
757 ++#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE)
758 + #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
759 + #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
760 + #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
761 +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
762 +index 78c51ce913db..c57a94f1c198 100644
763 +--- a/fs/ext4/balloc.c
764 ++++ b/fs/ext4/balloc.c
765 +@@ -320,6 +320,7 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
766 + struct ext4_sb_info *sbi = EXT4_SB(sb);
767 + ext4_grpblk_t offset;
768 + ext4_grpblk_t next_zero_bit;
769 ++ ext4_grpblk_t max_bit = EXT4_CLUSTERS_PER_GROUP(sb);
770 + ext4_fsblk_t blk;
771 + ext4_fsblk_t group_first_block;
772 +
773 +@@ -337,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
774 + /* check whether block bitmap block number is set */
775 + blk = ext4_block_bitmap(sb, desc);
776 + offset = blk - group_first_block;
777 +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
778 ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
779 ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
780 + /* bad block bitmap */
781 + return blk;
782 +
783 + /* check whether the inode bitmap block number is set */
784 + blk = ext4_inode_bitmap(sb, desc);
785 + offset = blk - group_first_block;
786 +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
787 ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
788 ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
789 + /* bad block bitmap */
790 + return blk;
791 +
792 + /* check whether the inode table block number is set */
793 + blk = ext4_inode_table(sb, desc);
794 + offset = blk - group_first_block;
795 ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
796 ++ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit)
797 ++ return blk;
798 + next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
799 + EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
800 + EXT4_B2C(sbi, offset));
801 +@@ -416,6 +422,7 @@ struct buffer_head *
802 + ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
803 + {
804 + struct ext4_group_desc *desc;
805 ++ struct ext4_sb_info *sbi = EXT4_SB(sb);
806 + struct buffer_head *bh;
807 + ext4_fsblk_t bitmap_blk;
808 + int err;
809 +@@ -424,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
810 + if (!desc)
811 + return ERR_PTR(-EFSCORRUPTED);
812 + bitmap_blk = ext4_block_bitmap(sb, desc);
813 ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
814 ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
815 ++ ext4_error(sb, "Invalid block bitmap block %llu in "
816 ++ "block_group %u", bitmap_blk, block_group);
817 ++ return ERR_PTR(-EFSCORRUPTED);
818 ++ }
819 + bh = sb_getblk(sb, bitmap_blk);
820 + if (unlikely(!bh)) {
821 + ext4_error(sb, "Cannot get buffer for block bitmap - "
822 +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
823 +index 403c4bae3e18..4705c21f9d03 100644
824 +--- a/fs/ext4/extents.c
825 ++++ b/fs/ext4/extents.c
826 +@@ -5380,8 +5380,9 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
827 + stop = le32_to_cpu(extent->ee_block);
828 +
829 + /*
830 +- * In case of left shift, Don't start shifting extents until we make
831 +- * sure the hole is big enough to accommodate the shift.
832 ++ * For left shifts, make sure the hole on the left is big enough to
833 ++ * accommodate the shift. For right shifts, make sure the last extent
834 ++ * won't be shifted beyond EXT_MAX_BLOCKS.
835 + */
836 + if (SHIFT == SHIFT_LEFT) {
837 + path = ext4_find_extent(inode, start - 1, &path,
838 +@@ -5401,9 +5402,14 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
839 +
840 + if ((start == ex_start && shift > ex_start) ||
841 + (shift > start - ex_end)) {
842 +- ext4_ext_drop_refs(path);
843 +- kfree(path);
844 +- return -EINVAL;
845 ++ ret = -EINVAL;
846 ++ goto out;
847 ++ }
848 ++ } else {
849 ++ if (shift > EXT_MAX_BLOCKS -
850 ++ (stop + ext4_ext_get_actual_len(extent))) {
851 ++ ret = -EINVAL;
852 ++ goto out;
853 + }
854 + }
855 +
856 +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
857 +index e10c12f59c58..9fe55b7d4c2c 100644
858 +--- a/fs/ext4/ialloc.c
859 ++++ b/fs/ext4/ialloc.c
860 +@@ -119,6 +119,7 @@ static struct buffer_head *
861 + ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
862 + {
863 + struct ext4_group_desc *desc;
864 ++ struct ext4_sb_info *sbi = EXT4_SB(sb);
865 + struct buffer_head *bh = NULL;
866 + ext4_fsblk_t bitmap_blk;
867 + int err;
868 +@@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
869 + return ERR_PTR(-EFSCORRUPTED);
870 +
871 + bitmap_blk = ext4_inode_bitmap(sb, desc);
872 ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
873 ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
874 ++ ext4_error(sb, "Invalid inode bitmap blk %llu in "
875 ++ "block_group %u", bitmap_blk, block_group);
876 ++ return ERR_PTR(-EFSCORRUPTED);
877 ++ }
878 + bh = sb_getblk(sb, bitmap_blk);
879 + if (unlikely(!bh)) {
880 + ext4_error(sb, "Cannot read inode bitmap - "
881 +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
882 +index a2e724053919..f3a31f55f372 100644
883 +--- a/fs/jbd2/transaction.c
884 ++++ b/fs/jbd2/transaction.c
885 +@@ -527,6 +527,7 @@ int jbd2_journal_start_reserved(handle_t *handle, unsigned int type,
886 + */
887 + ret = start_this_handle(journal, handle, GFP_NOFS);
888 + if (ret < 0) {
889 ++ handle->h_journal = journal;
890 + jbd2_journal_free_reserved(handle);
891 + return ret;
892 + }
893 +diff --git a/include/linux/mtd/flashchip.h b/include/linux/mtd/flashchip.h
894 +index b63fa457febd..3529683f691e 100644
895 +--- a/include/linux/mtd/flashchip.h
896 ++++ b/include/linux/mtd/flashchip.h
897 +@@ -85,6 +85,7 @@ struct flchip {
898 + unsigned int write_suspended:1;
899 + unsigned int erase_suspended:1;
900 + unsigned long in_progress_block_addr;
901 ++ unsigned long in_progress_block_mask;
902 +
903 + struct mutex mutex;
904 + wait_queue_head_t wq; /* Wait on here when we're waiting for the chip
905 +diff --git a/include/linux/tty.h b/include/linux/tty.h
906 +index d67ceb3f5958..812cdd8cff22 100644
907 +--- a/include/linux/tty.h
908 ++++ b/include/linux/tty.h
909 +@@ -586,7 +586,7 @@ extern int tty_unregister_ldisc(int disc);
910 + extern int tty_set_ldisc(struct tty_struct *tty, int ldisc);
911 + extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty);
912 + extern void tty_ldisc_release(struct tty_struct *tty);
913 +-extern void tty_ldisc_init(struct tty_struct *tty);
914 ++extern int __must_check tty_ldisc_init(struct tty_struct *tty);
915 + extern void tty_ldisc_deinit(struct tty_struct *tty);
916 + extern void tty_ldisc_begin(void);
917 +
918 +diff --git a/include/linux/virtio.h b/include/linux/virtio.h
919 +index 8f4d4bfa6d46..d7844d215381 100644
920 +--- a/include/linux/virtio.h
921 ++++ b/include/linux/virtio.h
922 +@@ -124,6 +124,9 @@ int virtio_device_freeze(struct virtio_device *dev);
923 + int virtio_device_restore(struct virtio_device *dev);
924 + #endif
925 +
926 ++#define virtio_device_for_each_vq(vdev, vq) \
927 ++ list_for_each_entry(vq, &vdev->vqs, list)
928 ++
929 + /**
930 + * virtio_driver - operations for a virtio I/O driver
931 + * @driver: underlying device driver (populate name and owner).
932 +diff --git a/include/sound/control.h b/include/sound/control.h
933 +index 21d047f229a1..4142757080f8 100644
934 +--- a/include/sound/control.h
935 ++++ b/include/sound/control.h
936 +@@ -22,6 +22,7 @@
937 + *
938 + */
939 +
940 ++#include <linux/nospec.h>
941 + #include <sound/asound.h>
942 +
943 + #define snd_kcontrol_chip(kcontrol) ((kcontrol)->private_data)
944 +@@ -147,12 +148,14 @@ int snd_ctl_get_preferred_subdevice(struct snd_card *card, int type);
945 +
946 + static inline unsigned int snd_ctl_get_ioffnum(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
947 + {
948 +- return id->numid - kctl->id.numid;
949 ++ unsigned int ioff = id->numid - kctl->id.numid;
950 ++ return array_index_nospec(ioff, kctl->count);
951 + }
952 +
953 + static inline unsigned int snd_ctl_get_ioffidx(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
954 + {
955 +- return id->index - kctl->id.index;
956 ++ unsigned int ioff = id->index - kctl->id.index;
957 ++ return array_index_nospec(ioff, kctl->count);
958 + }
959 +
960 + static inline unsigned int snd_ctl_get_ioff(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
961 +diff --git a/lib/kobject.c b/lib/kobject.c
962 +index 7cbccd2b4c72..895edb63fba4 100644
963 +--- a/lib/kobject.c
964 ++++ b/lib/kobject.c
965 +@@ -234,14 +234,12 @@ static int kobject_add_internal(struct kobject *kobj)
966 +
967 + /* be noisy on error issues */
968 + if (error == -EEXIST)
969 +- WARN(1, "%s failed for %s with "
970 +- "-EEXIST, don't try to register things with "
971 +- "the same name in the same directory.\n",
972 +- __func__, kobject_name(kobj));
973 ++ pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n",
974 ++ __func__, kobject_name(kobj));
975 + else
976 +- WARN(1, "%s failed for %s (error: %d parent: %s)\n",
977 +- __func__, kobject_name(kobj), error,
978 +- parent ? kobject_name(parent) : "'none'");
979 ++ pr_err("%s failed for %s (error: %d parent: %s)\n",
980 ++ __func__, kobject_name(kobj), error,
981 ++ parent ? kobject_name(parent) : "'none'");
982 + } else
983 + kobj->state_in_sysfs = 1;
984 +
985 +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
986 +index a6b2f2138c9d..ad3c9e96a275 100644
987 +--- a/net/ceph/messenger.c
988 ++++ b/net/ceph/messenger.c
989 +@@ -2531,6 +2531,11 @@ static int try_write(struct ceph_connection *con)
990 + int ret = 1;
991 +
992 + dout("try_write start %p state %lu\n", con, con->state);
993 ++ if (con->state != CON_STATE_PREOPEN &&
994 ++ con->state != CON_STATE_CONNECTING &&
995 ++ con->state != CON_STATE_NEGOTIATING &&
996 ++ con->state != CON_STATE_OPEN)
997 ++ return 0;
998 +
999 + more:
1000 + dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes);
1001 +@@ -2556,6 +2561,8 @@ more:
1002 + }
1003 +
1004 + more_kvec:
1005 ++ BUG_ON(!con->sock);
1006 ++
1007 + /* kvec data queued? */
1008 + if (con->out_kvec_left) {
1009 + ret = write_partial_kvec(con);
1010 +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
1011 +index ce2954a31238..3de88974eeb6 100644
1012 +--- a/sound/core/pcm_native.c
1013 ++++ b/sound/core/pcm_native.c
1014 +@@ -2727,6 +2727,7 @@ static int snd_pcm_sync_ptr(struct snd_pcm_substream *substream,
1015 + sync_ptr.s.status.hw_ptr = status->hw_ptr;
1016 + sync_ptr.s.status.tstamp = status->tstamp;
1017 + sync_ptr.s.status.suspended_state = status->suspended_state;
1018 ++ sync_ptr.s.status.audio_tstamp = status->audio_tstamp;
1019 + snd_pcm_stream_unlock_irq(substream);
1020 + if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr)))
1021 + return -EFAULT;
1022 +diff --git a/sound/core/seq/oss/seq_oss_event.c b/sound/core/seq/oss/seq_oss_event.c
1023 +index c3908862bc8b..86ca584c27b2 100644
1024 +--- a/sound/core/seq/oss/seq_oss_event.c
1025 ++++ b/sound/core/seq/oss/seq_oss_event.c
1026 +@@ -26,6 +26,7 @@
1027 + #include <sound/seq_oss_legacy.h>
1028 + #include "seq_oss_readq.h"
1029 + #include "seq_oss_writeq.h"
1030 ++#include <linux/nospec.h>
1031 +
1032 +
1033 + /*
1034 +@@ -287,10 +288,10 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st
1035 + {
1036 + struct seq_oss_synthinfo *info;
1037 +
1038 +- if (!snd_seq_oss_synth_is_valid(dp, dev))
1039 ++ info = snd_seq_oss_synth_info(dp, dev);
1040 ++ if (!info)
1041 + return -ENXIO;
1042 +
1043 +- info = &dp->synths[dev];
1044 + switch (info->arg.event_passing) {
1045 + case SNDRV_SEQ_OSS_PROCESS_EVENTS:
1046 + if (! info->ch || ch < 0 || ch >= info->nr_voices) {
1047 +@@ -298,6 +299,7 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st
1048 + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev);
1049 + }
1050 +
1051 ++ ch = array_index_nospec(ch, info->nr_voices);
1052 + if (note == 255 && info->ch[ch].note >= 0) {
1053 + /* volume control */
1054 + int type;
1055 +@@ -347,10 +349,10 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
1056 + {
1057 + struct seq_oss_synthinfo *info;
1058 +
1059 +- if (!snd_seq_oss_synth_is_valid(dp, dev))
1060 ++ info = snd_seq_oss_synth_info(dp, dev);
1061 ++ if (!info)
1062 + return -ENXIO;
1063 +
1064 +- info = &dp->synths[dev];
1065 + switch (info->arg.event_passing) {
1066 + case SNDRV_SEQ_OSS_PROCESS_EVENTS:
1067 + if (! info->ch || ch < 0 || ch >= info->nr_voices) {
1068 +@@ -358,6 +360,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
1069 + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev);
1070 + }
1071 +
1072 ++ ch = array_index_nospec(ch, info->nr_voices);
1073 + if (info->ch[ch].note >= 0) {
1074 + note = info->ch[ch].note;
1075 + info->ch[ch].vel = 0;
1076 +@@ -381,7 +384,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
1077 + static int
1078 + set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, int vel, struct snd_seq_event *ev)
1079 + {
1080 +- if (! snd_seq_oss_synth_is_valid(dp, dev))
1081 ++ if (!snd_seq_oss_synth_info(dp, dev))
1082 + return -ENXIO;
1083 +
1084 + ev->type = type;
1085 +@@ -399,7 +402,7 @@ set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note,
1086 + static int
1087 + set_control_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int param, int val, struct snd_seq_event *ev)
1088 + {
1089 +- if (! snd_seq_oss_synth_is_valid(dp, dev))
1090 ++ if (!snd_seq_oss_synth_info(dp, dev))
1091 + return -ENXIO;
1092 +
1093 + ev->type = type;
1094 +diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c
1095 +index b30b2139e3f0..9debd1b8fd28 100644
1096 +--- a/sound/core/seq/oss/seq_oss_midi.c
1097 ++++ b/sound/core/seq/oss/seq_oss_midi.c
1098 +@@ -29,6 +29,7 @@
1099 + #include "../seq_lock.h"
1100 + #include <linux/init.h>
1101 + #include <linux/slab.h>
1102 ++#include <linux/nospec.h>
1103 +
1104 +
1105 + /*
1106 +@@ -315,6 +316,7 @@ get_mididev(struct seq_oss_devinfo *dp, int dev)
1107 + {
1108 + if (dev < 0 || dev >= dp->max_mididev)
1109 + return NULL;
1110 ++ dev = array_index_nospec(dev, dp->max_mididev);
1111 + return get_mdev(dev);
1112 + }
1113 +
1114 +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
1115 +index b16dbef04174..ea545f9291b4 100644
1116 +--- a/sound/core/seq/oss/seq_oss_synth.c
1117 ++++ b/sound/core/seq/oss/seq_oss_synth.c
1118 +@@ -26,6 +26,7 @@
1119 + #include <linux/init.h>
1120 + #include <linux/module.h>
1121 + #include <linux/slab.h>
1122 ++#include <linux/nospec.h>
1123 +
1124 + /*
1125 + * constants
1126 +@@ -339,17 +340,13 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp)
1127 + dp->max_synthdev = 0;
1128 + }
1129 +
1130 +-/*
1131 +- * check if the specified device is MIDI mapped device
1132 +- */
1133 +-static int
1134 +-is_midi_dev(struct seq_oss_devinfo *dp, int dev)
1135 ++static struct seq_oss_synthinfo *
1136 ++get_synthinfo_nospec(struct seq_oss_devinfo *dp, int dev)
1137 + {
1138 + if (dev < 0 || dev >= dp->max_synthdev)
1139 +- return 0;
1140 +- if (dp->synths[dev].is_midi)
1141 +- return 1;
1142 +- return 0;
1143 ++ return NULL;
1144 ++ dev = array_index_nospec(dev, SNDRV_SEQ_OSS_MAX_SYNTH_DEVS);
1145 ++ return &dp->synths[dev];
1146 + }
1147 +
1148 + /*
1149 +@@ -359,14 +356,20 @@ static struct seq_oss_synth *
1150 + get_synthdev(struct seq_oss_devinfo *dp, int dev)
1151 + {
1152 + struct seq_oss_synth *rec;
1153 +- if (dev < 0 || dev >= dp->max_synthdev)
1154 +- return NULL;
1155 +- if (! dp->synths[dev].opened)
1156 ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
1157 ++
1158 ++ if (!info)
1159 + return NULL;
1160 +- if (dp->synths[dev].is_midi)
1161 +- return &midi_synth_dev;
1162 +- if ((rec = get_sdev(dev)) == NULL)
1163 ++ if (!info->opened)
1164 + return NULL;
1165 ++ if (info->is_midi) {
1166 ++ rec = &midi_synth_dev;
1167 ++ snd_use_lock_use(&rec->use_lock);
1168 ++ } else {
1169 ++ rec = get_sdev(dev);
1170 ++ if (!rec)
1171 ++ return NULL;
1172 ++ }
1173 + if (! rec->opened) {
1174 + snd_use_lock_free(&rec->use_lock);
1175 + return NULL;
1176 +@@ -402,10 +405,8 @@ snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev)
1177 + struct seq_oss_synth *rec;
1178 + struct seq_oss_synthinfo *info;
1179 +
1180 +- if (snd_BUG_ON(dev < 0 || dev >= dp->max_synthdev))
1181 +- return;
1182 +- info = &dp->synths[dev];
1183 +- if (! info->opened)
1184 ++ info = get_synthinfo_nospec(dp, dev);
1185 ++ if (!info || !info->opened)
1186 + return;
1187 + if (info->sysex)
1188 + info->sysex->len = 0; /* reset sysex */
1189 +@@ -454,12 +455,14 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
1190 + const char __user *buf, int p, int c)
1191 + {
1192 + struct seq_oss_synth *rec;
1193 ++ struct seq_oss_synthinfo *info;
1194 + int rc;
1195 +
1196 +- if (dev < 0 || dev >= dp->max_synthdev)
1197 ++ info = get_synthinfo_nospec(dp, dev);
1198 ++ if (!info)
1199 + return -ENXIO;
1200 +
1201 +- if (is_midi_dev(dp, dev))
1202 ++ if (info->is_midi)
1203 + return 0;
1204 + if ((rec = get_synthdev(dp, dev)) == NULL)
1205 + return -ENXIO;
1206 +@@ -467,24 +470,25 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
1207 + if (rec->oper.load_patch == NULL)
1208 + rc = -ENXIO;
1209 + else
1210 +- rc = rec->oper.load_patch(&dp->synths[dev].arg, fmt, buf, p, c);
1211 ++ rc = rec->oper.load_patch(&info->arg, fmt, buf, p, c);
1212 + snd_use_lock_free(&rec->use_lock);
1213 + return rc;
1214 + }
1215 +
1216 + /*
1217 +- * check if the device is valid synth device
1218 ++ * check if the device is valid synth device and return the synth info
1219 + */
1220 +-int
1221 +-snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev)
1222 ++struct seq_oss_synthinfo *
1223 ++snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, int dev)
1224 + {
1225 + struct seq_oss_synth *rec;
1226 ++
1227 + rec = get_synthdev(dp, dev);
1228 + if (rec) {
1229 + snd_use_lock_free(&rec->use_lock);
1230 +- return 1;
1231 ++ return get_synthinfo_nospec(dp, dev);
1232 + }
1233 +- return 0;
1234 ++ return NULL;
1235 + }
1236 +
1237 +
1238 +@@ -499,16 +503,18 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
1239 + int i, send;
1240 + unsigned char *dest;
1241 + struct seq_oss_synth_sysex *sysex;
1242 ++ struct seq_oss_synthinfo *info;
1243 +
1244 +- if (! snd_seq_oss_synth_is_valid(dp, dev))
1245 ++ info = snd_seq_oss_synth_info(dp, dev);
1246 ++ if (!info)
1247 + return -ENXIO;
1248 +
1249 +- sysex = dp->synths[dev].sysex;
1250 ++ sysex = info->sysex;
1251 + if (sysex == NULL) {
1252 + sysex = kzalloc(sizeof(*sysex), GFP_KERNEL);
1253 + if (sysex == NULL)
1254 + return -ENOMEM;
1255 +- dp->synths[dev].sysex = sysex;
1256 ++ info->sysex = sysex;
1257 + }
1258 +
1259 + send = 0;
1260 +@@ -553,10 +559,12 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
1261 + int
1262 + snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev)
1263 + {
1264 +- if (! snd_seq_oss_synth_is_valid(dp, dev))
1265 ++ struct seq_oss_synthinfo *info = snd_seq_oss_synth_info(dp, dev);
1266 ++
1267 ++ if (!info)
1268 + return -EINVAL;
1269 +- snd_seq_oss_fill_addr(dp, ev, dp->synths[dev].arg.addr.client,
1270 +- dp->synths[dev].arg.addr.port);
1271 ++ snd_seq_oss_fill_addr(dp, ev, info->arg.addr.client,
1272 ++ info->arg.addr.port);
1273 + return 0;
1274 + }
1275 +
1276 +@@ -568,16 +576,18 @@ int
1277 + snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, unsigned long addr)
1278 + {
1279 + struct seq_oss_synth *rec;
1280 ++ struct seq_oss_synthinfo *info;
1281 + int rc;
1282 +
1283 +- if (is_midi_dev(dp, dev))
1284 ++ info = get_synthinfo_nospec(dp, dev);
1285 ++ if (!info || info->is_midi)
1286 + return -ENXIO;
1287 + if ((rec = get_synthdev(dp, dev)) == NULL)
1288 + return -ENXIO;
1289 + if (rec->oper.ioctl == NULL)
1290 + rc = -ENXIO;
1291 + else
1292 +- rc = rec->oper.ioctl(&dp->synths[dev].arg, cmd, addr);
1293 ++ rc = rec->oper.ioctl(&info->arg, cmd, addr);
1294 + snd_use_lock_free(&rec->use_lock);
1295 + return rc;
1296 + }
1297 +@@ -589,7 +599,10 @@ snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, u
1298 + int
1299 + snd_seq_oss_synth_raw_event(struct seq_oss_devinfo *dp, int dev, unsigned char *data, struct snd_seq_event *ev)
1300 + {
1301 +- if (! snd_seq_oss_synth_is_valid(dp, dev) || is_midi_dev(dp, dev))
1302 ++ struct seq_oss_synthinfo *info;
1303 ++
1304 ++ info = snd_seq_oss_synth_info(dp, dev);
1305 ++ if (!info || info->is_midi)
1306 + return -ENXIO;
1307 + ev->type = SNDRV_SEQ_EVENT_OSS;
1308 + memcpy(ev->data.raw8.d, data, 8);
1309 +diff --git a/sound/core/seq/oss/seq_oss_synth.h b/sound/core/seq/oss/seq_oss_synth.h
1310 +index 74ac55f166b6..a63f9e22974d 100644
1311 +--- a/sound/core/seq/oss/seq_oss_synth.h
1312 ++++ b/sound/core/seq/oss/seq_oss_synth.h
1313 +@@ -37,7 +37,8 @@ void snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp);
1314 + void snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev);
1315 + int snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
1316 + const char __user *buf, int p, int c);
1317 +-int snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev);
1318 ++struct seq_oss_synthinfo *snd_seq_oss_synth_info(struct seq_oss_devinfo *dp,
1319 ++ int dev);
1320 + int snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
1321 + struct snd_seq_event *ev);
1322 + int snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev);
1323 +diff --git a/sound/drivers/opl3/opl3_synth.c b/sound/drivers/opl3/opl3_synth.c
1324 +index ddcc1a325a61..42920a243328 100644
1325 +--- a/sound/drivers/opl3/opl3_synth.c
1326 ++++ b/sound/drivers/opl3/opl3_synth.c
1327 +@@ -21,6 +21,7 @@
1328 +
1329 + #include <linux/slab.h>
1330 + #include <linux/export.h>
1331 ++#include <linux/nospec.h>
1332 + #include <sound/opl3.h>
1333 + #include <sound/asound_fm.h>
1334 +
1335 +@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v
1336 + {
1337 + unsigned short reg_side;
1338 + unsigned char op_offset;
1339 +- unsigned char voice_offset;
1340 ++ unsigned char voice_offset, voice_op;
1341 +
1342 + unsigned short opl3_reg;
1343 + unsigned char reg_val;
1344 +@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v
1345 + voice_offset = voice->voice - MAX_OPL2_VOICES;
1346 + }
1347 + /* Get register offset of operator */
1348 +- op_offset = snd_opl3_regmap[voice_offset][voice->op];
1349 ++ voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
1350 ++ voice_op = array_index_nospec(voice->op, 4);
1351 ++ op_offset = snd_opl3_regmap[voice_offset][voice_op];
1352 +
1353 + reg_val = 0x00;
1354 + /* Set amplitude modulation (tremolo) effect */
1355 +diff --git a/sound/pci/asihpi/hpimsginit.c b/sound/pci/asihpi/hpimsginit.c
1356 +index 7eb617175fde..a31a70dccecf 100644
1357 +--- a/sound/pci/asihpi/hpimsginit.c
1358 ++++ b/sound/pci/asihpi/hpimsginit.c
1359 +@@ -23,6 +23,7 @@
1360 +
1361 + #include "hpi_internal.h"
1362 + #include "hpimsginit.h"
1363 ++#include <linux/nospec.h>
1364 +
1365 + /* The actual message size for each object type */
1366 + static u16 msg_size[HPI_OBJ_MAXINDEX + 1] = HPI_MESSAGE_SIZE_BY_OBJECT;
1367 +@@ -39,10 +40,12 @@ static void hpi_init_message(struct hpi_message *phm, u16 object,
1368 + {
1369 + u16 size;
1370 +
1371 +- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX))
1372 ++ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
1373 ++ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
1374 + size = msg_size[object];
1375 +- else
1376 ++ } else {
1377 + size = sizeof(*phm);
1378 ++ }
1379 +
1380 + memset(phm, 0, size);
1381 + phm->size = size;
1382 +@@ -66,10 +69,12 @@ void hpi_init_response(struct hpi_response *phr, u16 object, u16 function,
1383 + {
1384 + u16 size;
1385 +
1386 +- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX))
1387 ++ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
1388 ++ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
1389 + size = res_size[object];
1390 +- else
1391 ++ } else {
1392 + size = sizeof(*phr);
1393 ++ }
1394 +
1395 + memset(phr, 0, sizeof(*phr));
1396 + phr->size = size;
1397 +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
1398 +index d17937b92331..7a32abbe0cef 100644
1399 +--- a/sound/pci/asihpi/hpioctl.c
1400 ++++ b/sound/pci/asihpi/hpioctl.c
1401 +@@ -33,6 +33,7 @@
1402 + #include <linux/stringify.h>
1403 + #include <linux/module.h>
1404 + #include <linux/vmalloc.h>
1405 ++#include <linux/nospec.h>
1406 +
1407 + #ifdef MODULE_FIRMWARE
1408 + MODULE_FIRMWARE("asihpi/dsp5000.bin");
1409 +@@ -182,7 +183,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1410 + struct hpi_adapter *pa = NULL;
1411 +
1412 + if (hm->h.adapter_index < ARRAY_SIZE(adapters))
1413 +- pa = &adapters[hm->h.adapter_index];
1414 ++ pa = &adapters[array_index_nospec(hm->h.adapter_index,
1415 ++ ARRAY_SIZE(adapters))];
1416 +
1417 + if (!pa || !pa->adapter || !pa->adapter->type) {
1418 + hpi_init_response(&hr->r0, hm->h.object,
1419 +diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c
1420 +index 57df06e76968..cc009a4a3d1d 100644
1421 +--- a/sound/pci/hda/hda_hwdep.c
1422 ++++ b/sound/pci/hda/hda_hwdep.c
1423 +@@ -21,6 +21,7 @@
1424 + #include <linux/init.h>
1425 + #include <linux/slab.h>
1426 + #include <linux/compat.h>
1427 ++#include <linux/nospec.h>
1428 + #include <sound/core.h>
1429 + #include "hda_codec.h"
1430 + #include "hda_local.h"
1431 +@@ -51,7 +52,16 @@ static int get_wcap_ioctl(struct hda_codec *codec,
1432 +
1433 + if (get_user(verb, &arg->verb))
1434 + return -EFAULT;
1435 +- res = get_wcaps(codec, verb >> 24);
1436 ++ /* open-code get_wcaps(verb>>24) with nospec */
1437 ++ verb >>= 24;
1438 ++ if (verb < codec->core.start_nid ||
1439 ++ verb >= codec->core.start_nid + codec->core.num_nodes) {
1440 ++ res = 0;
1441 ++ } else {
1442 ++ verb -= codec->core.start_nid;
1443 ++ verb = array_index_nospec(verb, codec->core.num_nodes);
1444 ++ res = codec->wcaps[verb];
1445 ++ }
1446 + if (put_user(res, &arg->res))
1447 + return -EFAULT;
1448 + return 0;
1449 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
1450 +index 8cb14e27988b..6a789278970e 100644
1451 +--- a/sound/pci/hda/patch_realtek.c
1452 ++++ b/sound/pci/hda/patch_realtek.c
1453 +@@ -329,6 +329,7 @@ static void alc_fill_eapd_coef(struct hda_codec *codec)
1454 + break;
1455 + case 0x10ec0225:
1456 + case 0x10ec0233:
1457 ++ case 0x10ec0235:
1458 + case 0x10ec0236:
1459 + case 0x10ec0255:
1460 + case 0x10ec0256:
1461 +@@ -6296,6 +6297,7 @@ static int patch_alc269(struct hda_codec *codec)
1462 + case 0x10ec0298:
1463 + spec->codec_variant = ALC269_TYPE_ALC298;
1464 + break;
1465 ++ case 0x10ec0235:
1466 + case 0x10ec0255:
1467 + spec->codec_variant = ALC269_TYPE_ALC255;
1468 + break;
1469 +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
1470 +index a4a999a0317e..1a0c0d16a279 100644
1471 +--- a/sound/pci/rme9652/hdspm.c
1472 ++++ b/sound/pci/rme9652/hdspm.c
1473 +@@ -137,6 +137,7 @@
1474 + #include <linux/pci.h>
1475 + #include <linux/math64.h>
1476 + #include <linux/io.h>
1477 ++#include <linux/nospec.h>
1478 +
1479 + #include <sound/core.h>
1480 + #include <sound/control.h>
1481 +@@ -5692,40 +5693,43 @@ static int snd_hdspm_channel_info(struct snd_pcm_substream *substream,
1482 + struct snd_pcm_channel_info *info)
1483 + {
1484 + struct hdspm *hdspm = snd_pcm_substream_chip(substream);
1485 ++ unsigned int channel = info->channel;
1486 +
1487 + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
1488 +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) {
1489 ++ if (snd_BUG_ON(channel >= hdspm->max_channels_out)) {
1490 + dev_info(hdspm->card->dev,
1491 + "snd_hdspm_channel_info: output channel out of range (%d)\n",
1492 +- info->channel);
1493 ++ channel);
1494 + return -EINVAL;
1495 + }
1496 +
1497 +- if (hdspm->channel_map_out[info->channel] < 0) {
1498 ++ channel = array_index_nospec(channel, hdspm->max_channels_out);
1499 ++ if (hdspm->channel_map_out[channel] < 0) {
1500 + dev_info(hdspm->card->dev,
1501 + "snd_hdspm_channel_info: output channel %d mapped out\n",
1502 +- info->channel);
1503 ++ channel);
1504 + return -EINVAL;
1505 + }
1506 +
1507 +- info->offset = hdspm->channel_map_out[info->channel] *
1508 ++ info->offset = hdspm->channel_map_out[channel] *
1509 + HDSPM_CHANNEL_BUFFER_BYTES;
1510 + } else {
1511 +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) {
1512 ++ if (snd_BUG_ON(channel >= hdspm->max_channels_in)) {
1513 + dev_info(hdspm->card->dev,
1514 + "snd_hdspm_channel_info: input channel out of range (%d)\n",
1515 +- info->channel);
1516 ++ channel);
1517 + return -EINVAL;
1518 + }
1519 +
1520 +- if (hdspm->channel_map_in[info->channel] < 0) {
1521 ++ channel = array_index_nospec(channel, hdspm->max_channels_in);
1522 ++ if (hdspm->channel_map_in[channel] < 0) {
1523 + dev_info(hdspm->card->dev,
1524 + "snd_hdspm_channel_info: input channel %d mapped out\n",
1525 +- info->channel);
1526 ++ channel);
1527 + return -EINVAL;
1528 + }
1529 +
1530 +- info->offset = hdspm->channel_map_in[info->channel] *
1531 ++ info->offset = hdspm->channel_map_in[channel] *
1532 + HDSPM_CHANNEL_BUFFER_BYTES;
1533 + }
1534 +
1535 +diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
1536 +index fdbc0aa2776a..c253bdf92e36 100644
1537 +--- a/sound/pci/rme9652/rme9652.c
1538 ++++ b/sound/pci/rme9652/rme9652.c
1539 +@@ -26,6 +26,7 @@
1540 + #include <linux/pci.h>
1541 + #include <linux/module.h>
1542 + #include <linux/io.h>
1543 ++#include <linux/nospec.h>
1544 +
1545 + #include <sound/core.h>
1546 + #include <sound/control.h>
1547 +@@ -2036,9 +2037,10 @@ static int snd_rme9652_channel_info(struct snd_pcm_substream *substream,
1548 + if (snd_BUG_ON(info->channel >= RME9652_NCHANNELS))
1549 + return -EINVAL;
1550 +
1551 +- if ((chn = rme9652->channel_map[info->channel]) < 0) {
1552 ++ chn = rme9652->channel_map[array_index_nospec(info->channel,
1553 ++ RME9652_NCHANNELS)];
1554 ++ if (chn < 0)
1555 + return -EINVAL;
1556 +- }
1557 +
1558 + info->offset = chn * RME9652_CHANNEL_BUFFER_BYTES;
1559 + info->first = 0;
1560 +diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c
1561 +index 59f234e51971..e8adead8be00 100644
1562 +--- a/sound/soc/fsl/fsl_esai.c
1563 ++++ b/sound/soc/fsl/fsl_esai.c
1564 +@@ -143,6 +143,13 @@ static int fsl_esai_divisor_cal(struct snd_soc_dai *dai, bool tx, u32 ratio,
1565 +
1566 + psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8;
1567 +
1568 ++ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */
1569 ++ if (ratio <= 256) {
1570 ++ pm = ratio;
1571 ++ fp = 1;
1572 ++ goto out;
1573 ++ }
1574 ++
1575 + /* Set the max fluctuation -- 0.1% of the max devisor */
1576 + savesub = (psr ? 1 : 8) * 256 * maxfp / 1000;
1577 +
1578 +diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c
1579 +index 1f8fb0d904e0..f5cf23ffb35b 100644
1580 +--- a/sound/usb/mixer_maps.c
1581 ++++ b/sound/usb/mixer_maps.c
1582 +@@ -351,8 +351,11 @@ static struct usbmix_name_map bose_companion5_map[] = {
1583 + /*
1584 + * Dell usb dock with ALC4020 codec had a firmware problem where it got
1585 + * screwed up when zero volume is passed; just skip it as a workaround
1586 ++ *
1587 ++ * Also the extension unit gives an access error, so skip it as well.
1588 + */
1589 + static const struct usbmix_name_map dell_alc4020_map[] = {
1590 ++ { 4, NULL }, /* extension unit */
1591 + { 16, NULL },
1592 + { 19, NULL },
1593 + { 0 }
Report Message
Find on MARC Find on Google Groups