Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Sun, 31 Jan 2016 23:33:17
Message-Id: 1454283194.1b9ffd87a55579bf6446ced9f8d74949387435e6.mpagano@gentoo
1 commit: 1b9ffd87a55579bf6446ced9f8d74949387435e6
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Jan 31 23:33:14 2016 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 31 23:33:14 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=1b9ffd87
7
8 Linux patch 4.4.1
9
10 0000_README | 4 +
11 1000_linux-4.4.1.patch | 2541 ++++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 2545 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 3935718..7202fab 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -43,6 +43,10 @@ EXPERIMENTAL
19 Individual Patch Descriptions:
20 --------------------------------------------------------------------------
21
22 +Patch: 1000_linux-4.4.1.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.4.1
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1000_linux-4.4.1.patch b/1000_linux-4.4.1.patch
31 new file mode 100644
32 index 0000000..971ba8d
33 --- /dev/null
34 +++ b/1000_linux-4.4.1.patch
35 @@ -0,0 +1,2541 @@
36 +diff --git a/Documentation/ABI/testing/sysfs-bus-usb b/Documentation/ABI/testing/sysfs-bus-usb
37 +index 3a4abfc44f5e..136ba17d2da0 100644
38 +--- a/Documentation/ABI/testing/sysfs-bus-usb
39 ++++ b/Documentation/ABI/testing/sysfs-bus-usb
40 +@@ -134,19 +134,21 @@ Description:
41 + enabled for the device. Developer can write y/Y/1 or n/N/0 to
42 + the file to enable/disable the feature.
43 +
44 +-What: /sys/bus/usb/devices/.../power/usb3_hardware_lpm
45 +-Date: June 2015
46 ++What: /sys/bus/usb/devices/.../power/usb3_hardware_lpm_u1
47 ++ /sys/bus/usb/devices/.../power/usb3_hardware_lpm_u2
48 ++Date: November 2015
49 + Contact: Kevin Strasser <kevin.strasser@×××××××××××.com>
50 ++ Lu Baolu <baolu.lu@×××××××××××.com>
51 + Description:
52 + If CONFIG_PM is set and a USB 3.0 lpm-capable device is plugged
53 + in to a xHCI host which supports link PM, it will check if U1
54 + and U2 exit latencies have been set in the BOS descriptor; if
55 +- the check is is passed and the host supports USB3 hardware LPM,
56 ++ the check is passed and the host supports USB3 hardware LPM,
57 + USB3 hardware LPM will be enabled for the device and the USB
58 +- device directory will contain a file named
59 +- power/usb3_hardware_lpm. The file holds a string value (enable
60 +- or disable) indicating whether or not USB3 hardware LPM is
61 +- enabled for the device.
62 ++ device directory will contain two files named
63 ++ power/usb3_hardware_lpm_u1 and power/usb3_hardware_lpm_u2. These
64 ++ files hold a string value (enable or disable) indicating whether
65 ++ or not USB3 hardware LPM U1 or U2 is enabled for the device.
66 +
67 + What: /sys/bus/usb/devices/.../removable
68 + Date: February 2012
69 +diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt
70 +index 4a15c90bc11d..0a94ffe17ab6 100644
71 +--- a/Documentation/usb/power-management.txt
72 ++++ b/Documentation/usb/power-management.txt
73 +@@ -537,17 +537,18 @@ relevant attribute files are usb2_hardware_lpm and usb3_hardware_lpm.
74 + can write y/Y/1 or n/N/0 to the file to enable/disable
75 + USB2 hardware LPM manually. This is for test purpose mainly.
76 +
77 +- power/usb3_hardware_lpm
78 ++ power/usb3_hardware_lpm_u1
79 ++ power/usb3_hardware_lpm_u2
80 +
81 + When a USB 3.0 lpm-capable device is plugged in to a
82 + xHCI host which supports link PM, it will check if U1
83 + and U2 exit latencies have been set in the BOS
84 + descriptor; if the check is is passed and the host
85 + supports USB3 hardware LPM, USB3 hardware LPM will be
86 +- enabled for the device and this file will be created.
87 +- The file holds a string value (enable or disable)
88 +- indicating whether or not USB3 hardware LPM is
89 +- enabled for the device.
90 ++ enabled for the device and these files will be created.
91 ++ The files hold a string value (enable or disable)
92 ++ indicating whether or not USB3 hardware LPM U1 or U2
93 ++ is enabled for the device.
94 +
95 + USB Port Power Control
96 + ----------------------
97 +diff --git a/Makefile b/Makefile
98 +index 70dea02f1346..c6a265b52c93 100644
99 +--- a/Makefile
100 ++++ b/Makefile
101 +@@ -1,6 +1,6 @@
102 + VERSION = 4
103 + PATCHLEVEL = 4
104 +-SUBLEVEL = 0
105 ++SUBLEVEL = 1
106 + EXTRAVERSION =
107 + NAME = Blurry Fish Butt
108 +
109 +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
110 +index 23cfc08fc8ba..b685257926f0 100644
111 +--- a/arch/arm64/kernel/head.S
112 ++++ b/arch/arm64/kernel/head.S
113 +@@ -512,9 +512,14 @@ CPU_LE( movk x0, #0x30d0, lsl #16 ) // Clear EE and E0E on LE systems
114 + #endif
115 +
116 + /* EL2 debug */
117 ++ mrs x0, id_aa64dfr0_el1 // Check ID_AA64DFR0_EL1 PMUVer
118 ++ sbfx x0, x0, #8, #4
119 ++ cmp x0, #1
120 ++ b.lt 4f // Skip if no PMU present
121 + mrs x0, pmcr_el0 // Disable debug access traps
122 + ubfx x0, x0, #11, #5 // to EL2 and allow access to
123 + msr mdcr_el2, x0 // all PMU counters from EL1
124 ++4:
125 +
126 + /* Stage-2 translation */
127 + msr vttbr_el2, xzr
128 +diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
129 +index 5b1897e8ca24..62d3dc60ca09 100644
130 +--- a/arch/arm64/kernel/perf_event.c
131 ++++ b/arch/arm64/kernel/perf_event.c
132 +@@ -574,9 +574,6 @@ static void armv8pmu_reset(void *info)
133 +
134 + /* Initialize & Reset PMNC: C and P bits. */
135 + armv8pmu_pmcr_write(ARMV8_PMCR_P | ARMV8_PMCR_C);
136 +-
137 +- /* Disable access from userspace. */
138 +- asm volatile("msr pmuserenr_el0, %0" :: "r" (0));
139 + }
140 +
141 + static int armv8_pmuv3_map_event(struct perf_event *event)
142 +diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
143 +index 1971f491bb90..ff7f13239515 100644
144 +--- a/arch/arm64/kernel/ptrace.c
145 ++++ b/arch/arm64/kernel/ptrace.c
146 +@@ -58,6 +58,12 @@
147 + */
148 + void ptrace_disable(struct task_struct *child)
149 + {
150 ++ /*
151 ++ * This would be better off in core code, but PTRACE_DETACH has
152 ++ * grown its fair share of arch-specific worts and changing it
153 ++ * is likely to cause regressions on obscure architectures.
154 ++ */
155 ++ user_disable_single_step(child);
156 + }
157 +
158 + #ifdef CONFIG_HAVE_HW_BREAKPOINT
159 +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
160 +index 873e363048c6..116ad654dd59 100644
161 +--- a/arch/arm64/mm/mmu.c
162 ++++ b/arch/arm64/mm/mmu.c
163 +@@ -456,6 +456,9 @@ void __init paging_init(void)
164 +
165 + empty_zero_page = virt_to_page(zero_page);
166 +
167 ++ /* Ensure the zero page is visible to the page table walker */
168 ++ dsb(ishst);
169 ++
170 + /*
171 + * TTBR0 is only used for the identity mapping at this stage. Make it
172 + * point to zero page to avoid speculatively fetching new entries.
173 +diff --git a/arch/arm64/mm/proc-macros.S b/arch/arm64/mm/proc-macros.S
174 +index 4c4d93c4bf65..d69dffffaa89 100644
175 +--- a/arch/arm64/mm/proc-macros.S
176 ++++ b/arch/arm64/mm/proc-macros.S
177 +@@ -62,3 +62,15 @@
178 + bfi \valreg, \tmpreg, #TCR_T0SZ_OFFSET, #TCR_TxSZ_WIDTH
179 + #endif
180 + .endm
181 ++
182 ++/*
183 ++ * reset_pmuserenr_el0 - reset PMUSERENR_EL0 if PMUv3 present
184 ++ */
185 ++ .macro reset_pmuserenr_el0, tmpreg
186 ++ mrs \tmpreg, id_aa64dfr0_el1 // Check ID_AA64DFR0_EL1 PMUVer
187 ++ sbfx \tmpreg, \tmpreg, #8, #4
188 ++ cmp \tmpreg, #1 // Skip if no PMU present
189 ++ b.lt 9000f
190 ++ msr pmuserenr_el0, xzr // Disable PMU access from EL0
191 ++9000:
192 ++ .endm
193 +diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
194 +index cacecc4ad3e5..b8f04b3f2786 100644
195 +--- a/arch/arm64/mm/proc.S
196 ++++ b/arch/arm64/mm/proc.S
197 +@@ -117,6 +117,7 @@ ENTRY(cpu_do_resume)
198 + */
199 + ubfx x11, x11, #1, #1
200 + msr oslar_el1, x11
201 ++ reset_pmuserenr_el0 x0 // Disable PMU access from EL0
202 + mov x0, x12
203 + dsb nsh // Make sure local tlb invalidation completed
204 + isb
205 +@@ -155,6 +156,7 @@ ENTRY(__cpu_setup)
206 + msr cpacr_el1, x0 // Enable FP/ASIMD
207 + mov x0, #1 << 12 // Reset mdscr_el1 and disable
208 + msr mdscr_el1, x0 // access to the DCC from EL0
209 ++ reset_pmuserenr_el0 x0 // Disable PMU access from EL0
210 + /*
211 + * Memory region attributes for LPAE:
212 + *
213 +diff --git a/arch/powerpc/include/asm/cmpxchg.h b/arch/powerpc/include/asm/cmpxchg.h
214 +index ad6263cffb0f..d1a8d93cccfd 100644
215 +--- a/arch/powerpc/include/asm/cmpxchg.h
216 ++++ b/arch/powerpc/include/asm/cmpxchg.h
217 +@@ -18,12 +18,12 @@ __xchg_u32(volatile void *p, unsigned long val)
218 + unsigned long prev;
219 +
220 + __asm__ __volatile__(
221 +- PPC_RELEASE_BARRIER
222 ++ PPC_ATOMIC_ENTRY_BARRIER
223 + "1: lwarx %0,0,%2 \n"
224 + PPC405_ERR77(0,%2)
225 + " stwcx. %3,0,%2 \n\
226 + bne- 1b"
227 +- PPC_ACQUIRE_BARRIER
228 ++ PPC_ATOMIC_EXIT_BARRIER
229 + : "=&r" (prev), "+m" (*(volatile unsigned int *)p)
230 + : "r" (p), "r" (val)
231 + : "cc", "memory");
232 +@@ -61,12 +61,12 @@ __xchg_u64(volatile void *p, unsigned long val)
233 + unsigned long prev;
234 +
235 + __asm__ __volatile__(
236 +- PPC_RELEASE_BARRIER
237 ++ PPC_ATOMIC_ENTRY_BARRIER
238 + "1: ldarx %0,0,%2 \n"
239 + PPC405_ERR77(0,%2)
240 + " stdcx. %3,0,%2 \n\
241 + bne- 1b"
242 +- PPC_ACQUIRE_BARRIER
243 ++ PPC_ATOMIC_EXIT_BARRIER
244 + : "=&r" (prev), "+m" (*(volatile unsigned long *)p)
245 + : "r" (p), "r" (val)
246 + : "cc", "memory");
247 +@@ -151,14 +151,14 @@ __cmpxchg_u32(volatile unsigned int *p, unsigned long old, unsigned long new)
248 + unsigned int prev;
249 +
250 + __asm__ __volatile__ (
251 +- PPC_RELEASE_BARRIER
252 ++ PPC_ATOMIC_ENTRY_BARRIER
253 + "1: lwarx %0,0,%2 # __cmpxchg_u32\n\
254 + cmpw 0,%0,%3\n\
255 + bne- 2f\n"
256 + PPC405_ERR77(0,%2)
257 + " stwcx. %4,0,%2\n\
258 + bne- 1b"
259 +- PPC_ACQUIRE_BARRIER
260 ++ PPC_ATOMIC_EXIT_BARRIER
261 + "\n\
262 + 2:"
263 + : "=&r" (prev), "+m" (*p)
264 +@@ -197,13 +197,13 @@ __cmpxchg_u64(volatile unsigned long *p, unsigned long old, unsigned long new)
265 + unsigned long prev;
266 +
267 + __asm__ __volatile__ (
268 +- PPC_RELEASE_BARRIER
269 ++ PPC_ATOMIC_ENTRY_BARRIER
270 + "1: ldarx %0,0,%2 # __cmpxchg_u64\n\
271 + cmpd 0,%0,%3\n\
272 + bne- 2f\n\
273 + stdcx. %4,0,%2\n\
274 + bne- 1b"
275 +- PPC_ACQUIRE_BARRIER
276 ++ PPC_ATOMIC_EXIT_BARRIER
277 + "\n\
278 + 2:"
279 + : "=&r" (prev), "+m" (*p)
280 +diff --git a/arch/powerpc/include/asm/synch.h b/arch/powerpc/include/asm/synch.h
281 +index e682a7143edb..c50868681f9e 100644
282 +--- a/arch/powerpc/include/asm/synch.h
283 ++++ b/arch/powerpc/include/asm/synch.h
284 +@@ -44,7 +44,7 @@ static inline void isync(void)
285 + MAKE_LWSYNC_SECTION_ENTRY(97, __lwsync_fixup);
286 + #define PPC_ACQUIRE_BARRIER "\n" stringify_in_c(__PPC_ACQUIRE_BARRIER)
287 + #define PPC_RELEASE_BARRIER stringify_in_c(LWSYNC) "\n"
288 +-#define PPC_ATOMIC_ENTRY_BARRIER "\n" stringify_in_c(LWSYNC) "\n"
289 ++#define PPC_ATOMIC_ENTRY_BARRIER "\n" stringify_in_c(sync) "\n"
290 + #define PPC_ATOMIC_EXIT_BARRIER "\n" stringify_in_c(sync) "\n"
291 + #else
292 + #define PPC_ACQUIRE_BARRIER
293 +diff --git a/arch/powerpc/include/uapi/asm/elf.h b/arch/powerpc/include/uapi/asm/elf.h
294 +index 59dad113897b..c2d21d11c2d2 100644
295 +--- a/arch/powerpc/include/uapi/asm/elf.h
296 ++++ b/arch/powerpc/include/uapi/asm/elf.h
297 +@@ -295,6 +295,8 @@ do { \
298 + #define R_PPC64_TLSLD 108
299 + #define R_PPC64_TOCSAVE 109
300 +
301 ++#define R_PPC64_ENTRY 118
302 ++
303 + #define R_PPC64_REL16 249
304 + #define R_PPC64_REL16_LO 250
305 + #define R_PPC64_REL16_HI 251
306 +diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c
307 +index 68384514506b..59663af9315f 100644
308 +--- a/arch/powerpc/kernel/module_64.c
309 ++++ b/arch/powerpc/kernel/module_64.c
310 +@@ -635,6 +635,33 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
311 + */
312 + break;
313 +
314 ++ case R_PPC64_ENTRY:
315 ++ /*
316 ++ * Optimize ELFv2 large code model entry point if
317 ++ * the TOC is within 2GB range of current location.
318 ++ */
319 ++ value = my_r2(sechdrs, me) - (unsigned long)location;
320 ++ if (value + 0x80008000 > 0xffffffff)
321 ++ break;
322 ++ /*
323 ++ * Check for the large code model prolog sequence:
324 ++ * ld r2, ...(r12)
325 ++ * add r2, r2, r12
326 ++ */
327 ++ if ((((uint32_t *)location)[0] & ~0xfffc)
328 ++ != 0xe84c0000)
329 ++ break;
330 ++ if (((uint32_t *)location)[1] != 0x7c426214)
331 ++ break;
332 ++ /*
333 ++ * If found, replace it with:
334 ++ * addis r2, r12, (.TOC.-func)@ha
335 ++ * addi r2, r12, (.TOC.-func)@l
336 ++ */
337 ++ ((uint32_t *)location)[0] = 0x3c4c0000 + PPC_HA(value);
338 ++ ((uint32_t *)location)[1] = 0x38420000 + PPC_LO(value);
339 ++ break;
340 ++
341 + case R_PPC64_REL16_HA:
342 + /* Subtract location pointer */
343 + value -= (unsigned long)location;
344 +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
345 +index 646bf4d222c1..ef2ad2d682da 100644
346 +--- a/arch/powerpc/kernel/process.c
347 ++++ b/arch/powerpc/kernel/process.c
348 +@@ -569,6 +569,24 @@ static void tm_reclaim_thread(struct thread_struct *thr,
349 + if (!MSR_TM_SUSPENDED(mfmsr()))
350 + return;
351 +
352 ++ /*
353 ++ * Use the current MSR TM suspended bit to track if we have
354 ++ * checkpointed state outstanding.
355 ++ * On signal delivery, we'd normally reclaim the checkpointed
356 ++ * state to obtain stack pointer (see:get_tm_stackpointer()).
357 ++ * This will then directly return to userspace without going
358 ++ * through __switch_to(). However, if the stack frame is bad,
359 ++ * we need to exit this thread which calls __switch_to() which
360 ++ * will again attempt to reclaim the already saved tm state.
361 ++ * Hence we need to check that we've not already reclaimed
362 ++ * this state.
363 ++ * We do this using the current MSR, rather tracking it in
364 ++ * some specific thread_struct bit, as it has the additional
365 ++ * benifit of checking for a potential TM bad thing exception.
366 ++ */
367 ++ if (!MSR_TM_SUSPENDED(mfmsr()))
368 ++ return;
369 ++
370 + tm_reclaim(thr, thr->regs->msr, cause);
371 +
372 + /* Having done the reclaim, we now have the checkpointed
373 +diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
374 +index 4fa687a47a62..6b8d6e8cd449 100644
375 +--- a/arch/x86/include/asm/boot.h
376 ++++ b/arch/x86/include/asm/boot.h
377 +@@ -27,7 +27,7 @@
378 + #define BOOT_HEAP_SIZE 0x400000
379 + #else /* !CONFIG_KERNEL_BZIP2 */
380 +
381 +-#define BOOT_HEAP_SIZE 0x8000
382 ++#define BOOT_HEAP_SIZE 0x10000
383 +
384 + #endif /* !CONFIG_KERNEL_BZIP2 */
385 +
386 +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
387 +index 379cd3658799..bfd9b2a35a0b 100644
388 +--- a/arch/x86/include/asm/mmu_context.h
389 ++++ b/arch/x86/include/asm/mmu_context.h
390 +@@ -116,8 +116,36 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
391 + #endif
392 + cpumask_set_cpu(cpu, mm_cpumask(next));
393 +
394 +- /* Re-load page tables */
395 ++ /*
396 ++ * Re-load page tables.
397 ++ *
398 ++ * This logic has an ordering constraint:
399 ++ *
400 ++ * CPU 0: Write to a PTE for 'next'
401 ++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
402 ++ * CPU 1: set bit 1 in next's mm_cpumask
403 ++ * CPU 1: load from the PTE that CPU 0 writes (implicit)
404 ++ *
405 ++ * We need to prevent an outcome in which CPU 1 observes
406 ++ * the new PTE value and CPU 0 observes bit 1 clear in
407 ++ * mm_cpumask. (If that occurs, then the IPI will never
408 ++ * be sent, and CPU 0's TLB will contain a stale entry.)
409 ++ *
410 ++ * The bad outcome can occur if either CPU's load is
411 ++ * reordered before that CPU's store, so both CPUs must
412 ++ * execute full barriers to prevent this from happening.
413 ++ *
414 ++ * Thus, switch_mm needs a full barrier between the
415 ++ * store to mm_cpumask and any operation that could load
416 ++ * from next->pgd. TLB fills are special and can happen
417 ++ * due to instruction fetches or for no reason at all,
418 ++ * and neither LOCK nor MFENCE orders them.
419 ++ * Fortunately, load_cr3() is serializing and gives the
420 ++ * ordering guarantee we need.
421 ++ *
422 ++ */
423 + load_cr3(next->pgd);
424 ++
425 + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
426 +
427 + /* Stop flush ipis for the previous mm */
428 +@@ -156,10 +184,14 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
429 + * schedule, protecting us from simultaneous changes.
430 + */
431 + cpumask_set_cpu(cpu, mm_cpumask(next));
432 ++
433 + /*
434 + * We were in lazy tlb mode and leave_mm disabled
435 + * tlb flush IPI delivery. We must reload CR3
436 + * to make sure to use no freed page tables.
437 ++ *
438 ++ * As above, load_cr3() is serializing and orders TLB
439 ++ * fills with respect to the mm_cpumask write.
440 + */
441 + load_cr3(next->pgd);
442 + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
443 +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
444 +index 02693dd9a079..f660d63f40fe 100644
445 +--- a/arch/x86/kernel/reboot.c
446 ++++ b/arch/x86/kernel/reboot.c
447 +@@ -182,6 +182,14 @@ static struct dmi_system_id __initdata reboot_dmi_table[] = {
448 + DMI_MATCH(DMI_PRODUCT_NAME, "iMac9,1"),
449 + },
450 + },
451 ++ { /* Handle problems with rebooting on the iMac10,1. */
452 ++ .callback = set_pci_reboot,
453 ++ .ident = "Apple iMac10,1",
454 ++ .matches = {
455 ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
456 ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac10,1"),
457 ++ },
458 ++ },
459 +
460 + /* ASRock */
461 + { /* Handle problems with rebooting on ASRock Q1900DC-ITX */
462 +diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
463 +index 120302511802..ab9ae67a80e4 100644
464 +--- a/arch/x86/kvm/trace.h
465 ++++ b/arch/x86/kvm/trace.h
466 +@@ -268,7 +268,7 @@ TRACE_EVENT(kvm_inj_virq,
467 + #define kvm_trace_sym_exc \
468 + EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \
469 + EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), \
470 +- EXS(MF), EXS(MC)
471 ++ EXS(MF), EXS(AC), EXS(MC)
472 +
473 + /*
474 + * Tracepoint for kvm interrupt injection:
475 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
476 +index 44976a596fa6..10e7693b3540 100644
477 +--- a/arch/x86/kvm/vmx.c
478 ++++ b/arch/x86/kvm/vmx.c
479 +@@ -8932,7 +8932,8 @@ static void vmx_cpuid_update(struct kvm_vcpu *vcpu)
480 + best->ebx &= ~bit(X86_FEATURE_INVPCID);
481 + }
482 +
483 +- vmcs_set_secondary_exec_control(secondary_exec_ctl);
484 ++ if (cpu_has_secondary_exec_ctrls())
485 ++ vmcs_set_secondary_exec_control(secondary_exec_ctl);
486 +
487 + if (static_cpu_has(X86_FEATURE_PCOMMIT) && nested) {
488 + if (guest_cpuid_has_pcommit(vcpu))
489 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
490 +index 97592e190413..9a2ed8904513 100644
491 +--- a/arch/x86/kvm/x86.c
492 ++++ b/arch/x86/kvm/x86.c
493 +@@ -951,7 +951,7 @@ static u32 msrs_to_save[] = {
494 + MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
495 + #endif
496 + MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
497 +- MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS
498 ++ MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX,
499 + };
500 +
501 + static unsigned num_msrs_to_save;
502 +@@ -4006,16 +4006,17 @@ static void kvm_init_msr_list(void)
503 +
504 + /*
505 + * Even MSRs that are valid in the host may not be exposed
506 +- * to the guests in some cases. We could work around this
507 +- * in VMX with the generic MSR save/load machinery, but it
508 +- * is not really worthwhile since it will really only
509 +- * happen with nested virtualization.
510 ++ * to the guests in some cases.
511 + */
512 + switch (msrs_to_save[i]) {
513 + case MSR_IA32_BNDCFGS:
514 + if (!kvm_x86_ops->mpx_supported())
515 + continue;
516 + break;
517 ++ case MSR_TSC_AUX:
518 ++ if (!kvm_x86_ops->rdtscp_supported())
519 ++ continue;
520 ++ break;
521 + default:
522 + break;
523 + }
524 +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
525 +index 8ddb5d0d66fb..8f4cc3dfac32 100644
526 +--- a/arch/x86/mm/tlb.c
527 ++++ b/arch/x86/mm/tlb.c
528 +@@ -161,7 +161,10 @@ void flush_tlb_current_task(void)
529 + preempt_disable();
530 +
531 + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
532 ++
533 ++ /* This is an implicit full barrier that synchronizes with switch_mm. */
534 + local_flush_tlb();
535 ++
536 + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL);
537 + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
538 + flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
539 +@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
540 + unsigned long base_pages_to_flush = TLB_FLUSH_ALL;
541 +
542 + preempt_disable();
543 +- if (current->active_mm != mm)
544 ++ if (current->active_mm != mm) {
545 ++ /* Synchronize with switch_mm. */
546 ++ smp_mb();
547 ++
548 + goto out;
549 ++ }
550 +
551 + if (!current->mm) {
552 + leave_mm(smp_processor_id());
553 ++
554 ++ /* Synchronize with switch_mm. */
555 ++ smp_mb();
556 ++
557 + goto out;
558 + }
559 +
560 + if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
561 + base_pages_to_flush = (end - start) >> PAGE_SHIFT;
562 +
563 ++ /*
564 ++ * Both branches below are implicit full barriers (MOV to CR or
565 ++ * INVLPG) that synchronize with switch_mm.
566 ++ */
567 + if (base_pages_to_flush > tlb_single_page_flush_ceiling) {
568 + base_pages_to_flush = TLB_FLUSH_ALL;
569 + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
570 +@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start)
571 + preempt_disable();
572 +
573 + if (current->active_mm == mm) {
574 +- if (current->mm)
575 ++ if (current->mm) {
576 ++ /*
577 ++ * Implicit full barrier (INVLPG) that synchronizes
578 ++ * with switch_mm.
579 ++ */
580 + __flush_tlb_one(start);
581 +- else
582 ++ } else {
583 + leave_mm(smp_processor_id());
584 ++
585 ++ /* Synchronize with switch_mm. */
586 ++ smp_mb();
587 ++ }
588 + }
589 +
590 + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
591 +diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c
592 +index df0c40559583..7f664c416faf 100644
593 +--- a/arch/x86/xen/suspend.c
594 ++++ b/arch/x86/xen/suspend.c
595 +@@ -34,7 +34,8 @@ static void xen_hvm_post_suspend(int suspend_cancelled)
596 + {
597 + #ifdef CONFIG_XEN_PVHVM
598 + int cpu;
599 +- xen_hvm_init_shared_info();
600 ++ if (!suspend_cancelled)
601 ++ xen_hvm_init_shared_info();
602 + xen_callback_vector();
603 + xen_unplug_emulated_devices();
604 + if (xen_feature(XENFEAT_hvm_safe_pvclock)) {
605 +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
606 +index 3dfd287256d6..92ddae101ecc 100644
607 +--- a/drivers/infiniband/hw/mlx5/cq.c
608 ++++ b/drivers/infiniband/hw/mlx5/cq.c
609 +@@ -756,7 +756,7 @@ struct ib_cq *mlx5_ib_create_cq(struct ib_device *ibdev,
610 + int uninitialized_var(index);
611 + int uninitialized_var(inlen);
612 + int cqe_size;
613 +- int irqn;
614 ++ unsigned int irqn;
615 + int eqn;
616 + int err;
617 +
618 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
619 +index 9e0f8a7ef8b1..f1692e418fe4 100644
620 +--- a/drivers/net/bonding/bond_main.c
621 ++++ b/drivers/net/bonding/bond_main.c
622 +@@ -1207,7 +1207,6 @@ static int bond_master_upper_dev_link(struct net_device *bond_dev,
623 + err = netdev_master_upper_dev_link_private(slave_dev, bond_dev, slave);
624 + if (err)
625 + return err;
626 +- slave_dev->flags |= IFF_SLAVE;
627 + rtmsg_ifinfo(RTM_NEWLINK, slave_dev, IFF_SLAVE, GFP_KERNEL);
628 + return 0;
629 + }
630 +@@ -1465,6 +1464,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
631 + }
632 + }
633 +
634 ++ /* set slave flag before open to prevent IPv6 addrconf */
635 ++ slave_dev->flags |= IFF_SLAVE;
636 ++
637 + /* open the slave since the application closed it */
638 + res = dev_open(slave_dev);
639 + if (res) {
640 +@@ -1725,6 +1727,7 @@ err_close:
641 + dev_close(slave_dev);
642 +
643 + err_restore_mac:
644 ++ slave_dev->flags &= ~IFF_SLAVE;
645 + if (!bond->params.fail_over_mac ||
646 + BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
647 + /* XXX TODO - fom follow mode needs to change master's
648 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
649 +index 1e52db32c73d..1203d892e842 100644
650 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
651 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
652 +@@ -746,7 +746,7 @@ static int mlx5e_create_cq(struct mlx5e_channel *c,
653 + struct mlx5_core_dev *mdev = priv->mdev;
654 + struct mlx5_core_cq *mcq = &cq->mcq;
655 + int eqn_not_used;
656 +- int irqn;
657 ++ unsigned int irqn;
658 + int err;
659 + u32 i;
660 +
661 +@@ -800,7 +800,7 @@ static int mlx5e_enable_cq(struct mlx5e_cq *cq, struct mlx5e_cq_param *param)
662 + void *in;
663 + void *cqc;
664 + int inlen;
665 +- int irqn_not_used;
666 ++ unsigned int irqn_not_used;
667 + int eqn;
668 + int err;
669 +
670 +@@ -1504,7 +1504,7 @@ static int mlx5e_create_drop_cq(struct mlx5e_priv *priv,
671 + struct mlx5_core_dev *mdev = priv->mdev;
672 + struct mlx5_core_cq *mcq = &cq->mcq;
673 + int eqn_not_used;
674 +- int irqn;
675 ++ unsigned int irqn;
676 + int err;
677 +
678 + err = mlx5_cqwq_create(mdev, &param->wq, param->cqc, &cq->wq,
679 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
680 +index 4ac8d4cc4973..6cf6d93d8831 100644
681 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
682 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
683 +@@ -568,7 +568,8 @@ static void mlx5_irq_clear_affinity_hints(struct mlx5_core_dev *mdev)
684 + mlx5_irq_clear_affinity_hint(mdev, i);
685 + }
686 +
687 +-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, int *irqn)
688 ++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
689 ++ unsigned int *irqn)
690 + {
691 + struct mlx5_eq_table *table = &dev->priv.eq_table;
692 + struct mlx5_eq *eq, *n;
693 +diff --git a/drivers/net/ethernet/synopsys/dwc_eth_qos.c b/drivers/net/ethernet/synopsys/dwc_eth_qos.c
694 +index 9066d7a8483c..f96c6b3606f2 100644
695 +--- a/drivers/net/ethernet/synopsys/dwc_eth_qos.c
696 ++++ b/drivers/net/ethernet/synopsys/dwc_eth_qos.c
697 +@@ -2107,7 +2107,7 @@ static int dwceqos_tx_frags(struct sk_buff *skb, struct net_local *lp,
698 + dd = &lp->tx_descs[lp->tx_next];
699 +
700 + /* Set DMA Descriptor fields */
701 +- dd->des0 = dma_handle;
702 ++ dd->des0 = dma_handle + consumed_size;
703 + dd->des1 = 0;
704 + dd->des2 = dma_size;
705 +
706 +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
707 +index 651d35ea22c5..59fefca74263 100644
708 +--- a/drivers/net/team/team.c
709 ++++ b/drivers/net/team/team.c
710 +@@ -1845,10 +1845,10 @@ static int team_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid)
711 + struct team *team = netdev_priv(dev);
712 + struct team_port *port;
713 +
714 +- rcu_read_lock();
715 +- list_for_each_entry_rcu(port, &team->port_list, list)
716 ++ mutex_lock(&team->lock);
717 ++ list_for_each_entry(port, &team->port_list, list)
718 + vlan_vid_del(port->dev, proto, vid);
719 +- rcu_read_unlock();
720 ++ mutex_unlock(&team->lock);
721 +
722 + return 0;
723 + }
724 +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
725 +index ba363cedef80..405a7b6cca25 100644
726 +--- a/drivers/net/vxlan.c
727 ++++ b/drivers/net/vxlan.c
728 +@@ -2751,7 +2751,7 @@ static int vxlan_dev_configure(struct net *src_net, struct net_device *dev,
729 + struct vxlan_config *conf)
730 + {
731 + struct vxlan_net *vn = net_generic(src_net, vxlan_net_id);
732 +- struct vxlan_dev *vxlan = netdev_priv(dev);
733 ++ struct vxlan_dev *vxlan = netdev_priv(dev), *tmp;
734 + struct vxlan_rdst *dst = &vxlan->default_dst;
735 + unsigned short needed_headroom = ETH_HLEN;
736 + int err;
737 +@@ -2817,9 +2817,15 @@ static int vxlan_dev_configure(struct net *src_net, struct net_device *dev,
738 + if (!vxlan->cfg.age_interval)
739 + vxlan->cfg.age_interval = FDB_AGE_DEFAULT;
740 +
741 +- if (vxlan_find_vni(src_net, conf->vni, use_ipv6 ? AF_INET6 : AF_INET,
742 +- vxlan->cfg.dst_port, vxlan->flags))
743 ++ list_for_each_entry(tmp, &vn->vxlan_list, next) {
744 ++ if (tmp->cfg.vni == conf->vni &&
745 ++ (tmp->default_dst.remote_ip.sa.sa_family == AF_INET6 ||
746 ++ tmp->cfg.saddr.sa.sa_family == AF_INET6) == use_ipv6 &&
747 ++ tmp->cfg.dst_port == vxlan->cfg.dst_port &&
748 ++ (tmp->flags & VXLAN_F_RCV_FLAGS) ==
749 ++ (vxlan->flags & VXLAN_F_RCV_FLAGS))
750 + return -EEXIST;
751 ++ }
752 +
753 + dev->ethtool_ops = &vxlan_ethtool_ops;
754 +
755 +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
756 +index 2721cf89fb16..aac1ed3f7bb4 100644
757 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
758 ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
759 +@@ -531,6 +531,8 @@ static void _rtl_usb_rx_process_noagg(struct ieee80211_hw *hw,
760 + ieee80211_rx(hw, skb);
761 + else
762 + dev_kfree_skb_any(skb);
763 ++ } else {
764 ++ dev_kfree_skb_any(skb);
765 + }
766 + }
767 +
768 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
769 +index ddbf32d599cb..8683436788c3 100644
770 +--- a/drivers/usb/core/hub.c
771 ++++ b/drivers/usb/core/hub.c
772 +@@ -3895,17 +3895,30 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev,
773 + return;
774 + }
775 +
776 +- if (usb_set_lpm_timeout(udev, state, timeout))
777 ++ if (usb_set_lpm_timeout(udev, state, timeout)) {
778 + /* If we can't set the parent hub U1/U2 timeout,
779 + * device-initiated LPM won't be allowed either, so let the xHCI
780 + * host know that this link state won't be enabled.
781 + */
782 + hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state);
783 ++ } else {
784 ++ /* Only a configured device will accept the Set Feature
785 ++ * U1/U2_ENABLE
786 ++ */
787 ++ if (udev->actconfig)
788 ++ usb_set_device_initiated_lpm(udev, state, true);
789 +
790 +- /* Only a configured device will accept the Set Feature U1/U2_ENABLE */
791 +- else if (udev->actconfig)
792 +- usb_set_device_initiated_lpm(udev, state, true);
793 +-
794 ++ /* As soon as usb_set_lpm_timeout(timeout) returns 0, the
795 ++ * hub-initiated LPM is enabled. Thus, LPM is enabled no
796 ++ * matter the result of usb_set_device_initiated_lpm().
797 ++ * The only difference is whether device is able to initiate
798 ++ * LPM.
799 ++ */
800 ++ if (state == USB3_LPM_U1)
801 ++ udev->usb3_lpm_u1_enabled = 1;
802 ++ else if (state == USB3_LPM_U2)
803 ++ udev->usb3_lpm_u2_enabled = 1;
804 ++ }
805 + }
806 +
807 + /*
808 +@@ -3945,6 +3958,18 @@ static int usb_disable_link_state(struct usb_hcd *hcd, struct usb_device *udev,
809 + dev_warn(&udev->dev, "Could not disable xHCI %s timeout, "
810 + "bus schedule bandwidth may be impacted.\n",
811 + usb3_lpm_names[state]);
812 ++
813 ++ /* As soon as usb_set_lpm_timeout(0) return 0, hub initiated LPM
814 ++ * is disabled. Hub will disallows link to enter U1/U2 as well,
815 ++ * even device is initiating LPM. Hence LPM is disabled if hub LPM
816 ++ * timeout set to 0, no matter device-initiated LPM is disabled or
817 ++ * not.
818 ++ */
819 ++ if (state == USB3_LPM_U1)
820 ++ udev->usb3_lpm_u1_enabled = 0;
821 ++ else if (state == USB3_LPM_U2)
822 ++ udev->usb3_lpm_u2_enabled = 0;
823 ++
824 + return 0;
825 + }
826 +
827 +@@ -3979,8 +4004,6 @@ int usb_disable_lpm(struct usb_device *udev)
828 + if (usb_disable_link_state(hcd, udev, USB3_LPM_U2))
829 + goto enable_lpm;
830 +
831 +- udev->usb3_lpm_enabled = 0;
832 +-
833 + return 0;
834 +
835 + enable_lpm:
836 +@@ -4038,8 +4061,6 @@ void usb_enable_lpm(struct usb_device *udev)
837 +
838 + usb_enable_link_state(hcd, udev, USB3_LPM_U1);
839 + usb_enable_link_state(hcd, udev, USB3_LPM_U2);
840 +-
841 +- udev->usb3_lpm_enabled = 1;
842 + }
843 + EXPORT_SYMBOL_GPL(usb_enable_lpm);
844 +
845 +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
846 +index d9ec2de6c4cf..65b6e6b84043 100644
847 +--- a/drivers/usb/core/sysfs.c
848 ++++ b/drivers/usb/core/sysfs.c
849 +@@ -531,7 +531,7 @@ static ssize_t usb2_lpm_besl_store(struct device *dev,
850 + }
851 + static DEVICE_ATTR_RW(usb2_lpm_besl);
852 +
853 +-static ssize_t usb3_hardware_lpm_show(struct device *dev,
854 ++static ssize_t usb3_hardware_lpm_u1_show(struct device *dev,
855 + struct device_attribute *attr, char *buf)
856 + {
857 + struct usb_device *udev = to_usb_device(dev);
858 +@@ -539,7 +539,7 @@ static ssize_t usb3_hardware_lpm_show(struct device *dev,
859 +
860 + usb_lock_device(udev);
861 +
862 +- if (udev->usb3_lpm_enabled)
863 ++ if (udev->usb3_lpm_u1_enabled)
864 + p = "enabled";
865 + else
866 + p = "disabled";
867 +@@ -548,7 +548,26 @@ static ssize_t usb3_hardware_lpm_show(struct device *dev,
868 +
869 + return sprintf(buf, "%s\n", p);
870 + }
871 +-static DEVICE_ATTR_RO(usb3_hardware_lpm);
872 ++static DEVICE_ATTR_RO(usb3_hardware_lpm_u1);
873 ++
874 ++static ssize_t usb3_hardware_lpm_u2_show(struct device *dev,
875 ++ struct device_attribute *attr, char *buf)
876 ++{
877 ++ struct usb_device *udev = to_usb_device(dev);
878 ++ const char *p;
879 ++
880 ++ usb_lock_device(udev);
881 ++
882 ++ if (udev->usb3_lpm_u2_enabled)
883 ++ p = "enabled";
884 ++ else
885 ++ p = "disabled";
886 ++
887 ++ usb_unlock_device(udev);
888 ++
889 ++ return sprintf(buf, "%s\n", p);
890 ++}
891 ++static DEVICE_ATTR_RO(usb3_hardware_lpm_u2);
892 +
893 + static struct attribute *usb2_hardware_lpm_attr[] = {
894 + &dev_attr_usb2_hardware_lpm.attr,
895 +@@ -562,7 +581,8 @@ static struct attribute_group usb2_hardware_lpm_attr_group = {
896 + };
897 +
898 + static struct attribute *usb3_hardware_lpm_attr[] = {
899 +- &dev_attr_usb3_hardware_lpm.attr,
900 ++ &dev_attr_usb3_hardware_lpm_u1.attr,
901 ++ &dev_attr_usb3_hardware_lpm_u2.attr,
902 + NULL,
903 + };
904 + static struct attribute_group usb3_hardware_lpm_attr_group = {
905 +@@ -592,7 +612,8 @@ static int add_power_attributes(struct device *dev)
906 + if (udev->usb2_hw_lpm_capable == 1)
907 + rc = sysfs_merge_group(&dev->kobj,
908 + &usb2_hardware_lpm_attr_group);
909 +- if (udev->lpm_capable == 1)
910 ++ if (udev->speed == USB_SPEED_SUPER &&
911 ++ udev->lpm_capable == 1)
912 + rc = sysfs_merge_group(&dev->kobj,
913 + &usb3_hardware_lpm_attr_group);
914 + }
915 +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
916 +index 3f912705dcef..dca0a4692f08 100644
917 +--- a/drivers/usb/host/xhci.c
918 ++++ b/drivers/usb/host/xhci.c
919 +@@ -5059,6 +5059,10 @@ static int __init xhci_hcd_init(void)
920 + BUILD_BUG_ON(sizeof(struct xhci_intr_reg) != 8*32/8);
921 + /* xhci_run_regs has eight fields and embeds 128 xhci_intr_regs */
922 + BUILD_BUG_ON(sizeof(struct xhci_run_regs) != (8+8*128)*32/8);
923 ++
924 ++ if (usb_disabled())
925 ++ return -ENODEV;
926 ++
927 + return 0;
928 + }
929 +
930 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
931 +index 7d4f51a32e66..59b2126b21a3 100644
932 +--- a/drivers/usb/serial/cp210x.c
933 ++++ b/drivers/usb/serial/cp210x.c
934 +@@ -160,6 +160,7 @@ static const struct usb_device_id id_table[] = {
935 + { USB_DEVICE(0x17F4, 0xAAAA) }, /* Wavesense Jazz blood glucose meter */
936 + { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
937 + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
938 ++ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
939 + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
940 + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
941 + { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */
942 +diff --git a/include/linux/mlx5/cq.h b/include/linux/mlx5/cq.h
943 +index abc4767695e4..b2c9fada8eac 100644
944 +--- a/include/linux/mlx5/cq.h
945 ++++ b/include/linux/mlx5/cq.h
946 +@@ -45,7 +45,7 @@ struct mlx5_core_cq {
947 + atomic_t refcount;
948 + struct completion free;
949 + unsigned vector;
950 +- int irqn;
951 ++ unsigned int irqn;
952 + void (*comp) (struct mlx5_core_cq *);
953 + void (*event) (struct mlx5_core_cq *, enum mlx5_event);
954 + struct mlx5_uar *uar;
955 +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
956 +index 5c857f2a20d7..af3efd9157f0 100644
957 +--- a/include/linux/mlx5/driver.h
958 ++++ b/include/linux/mlx5/driver.h
959 +@@ -303,7 +303,7 @@ struct mlx5_eq {
960 + u32 cons_index;
961 + struct mlx5_buf buf;
962 + int size;
963 +- u8 irqn;
964 ++ unsigned int irqn;
965 + u8 eqn;
966 + int nent;
967 + u64 mask;
968 +@@ -762,7 +762,8 @@ int mlx5_create_map_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq, u8 vecidx,
969 + int mlx5_destroy_unmap_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq);
970 + int mlx5_start_eqs(struct mlx5_core_dev *dev);
971 + int mlx5_stop_eqs(struct mlx5_core_dev *dev);
972 +-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, int *irqn);
973 ++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
974 ++ unsigned int *irqn);
975 + int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
976 + int mlx5_core_detach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
977 +
978 +diff --git a/include/linux/sched.h b/include/linux/sched.h
979 +index fa39434e3fdd..21a6e9649012 100644
980 +--- a/include/linux/sched.h
981 ++++ b/include/linux/sched.h
982 +@@ -830,6 +830,7 @@ struct user_struct {
983 + unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
984 + #endif
985 + unsigned long locked_shm; /* How many pages of mlocked shm ? */
986 ++ unsigned long unix_inflight; /* How many files in flight in unix sockets */
987 +
988 + #ifdef CONFIG_KEYS
989 + struct key *uid_keyring; /* UID specific keyring */
990 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
991 +index 4355129fff91..9147f9f34cbe 100644
992 +--- a/include/linux/skbuff.h
993 ++++ b/include/linux/skbuff.h
994 +@@ -3446,7 +3446,8 @@ struct skb_gso_cb {
995 + int encap_level;
996 + __u16 csum_start;
997 + };
998 +-#define SKB_GSO_CB(skb) ((struct skb_gso_cb *)(skb)->cb)
999 ++#define SKB_SGO_CB_OFFSET 32
1000 ++#define SKB_GSO_CB(skb) ((struct skb_gso_cb *)((skb)->cb + SKB_SGO_CB_OFFSET))
1001 +
1002 + static inline int skb_tnl_header_len(const struct sk_buff *inner_skb)
1003 + {
1004 +diff --git a/include/linux/usb.h b/include/linux/usb.h
1005 +index b9a28074210f..b79925dd2b41 100644
1006 +--- a/include/linux/usb.h
1007 ++++ b/include/linux/usb.h
1008 +@@ -511,6 +511,8 @@ struct usb3_lpm_parameters {
1009 + * @usb2_hw_lpm_enabled: USB2 hardware LPM is enabled
1010 + * @usb2_hw_lpm_allowed: Userspace allows USB 2.0 LPM to be enabled
1011 + * @usb3_lpm_enabled: USB3 hardware LPM enabled
1012 ++ * @usb3_lpm_u1_enabled: USB3 hardware U1 LPM enabled
1013 ++ * @usb3_lpm_u2_enabled: USB3 hardware U2 LPM enabled
1014 + * @string_langid: language ID for strings
1015 + * @product: iProduct string, if present (static)
1016 + * @manufacturer: iManufacturer string, if present (static)
1017 +@@ -584,6 +586,8 @@ struct usb_device {
1018 + unsigned usb2_hw_lpm_enabled:1;
1019 + unsigned usb2_hw_lpm_allowed:1;
1020 + unsigned usb3_lpm_enabled:1;
1021 ++ unsigned usb3_lpm_u1_enabled:1;
1022 ++ unsigned usb3_lpm_u2_enabled:1;
1023 + int string_langid;
1024 +
1025 + /* static strings from the device */
1026 +diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h
1027 +index 84b20835b736..0dc0a51da38f 100644
1028 +--- a/include/net/inet_ecn.h
1029 ++++ b/include/net/inet_ecn.h
1030 +@@ -111,11 +111,24 @@ static inline void ipv4_copy_dscp(unsigned int dscp, struct iphdr *inner)
1031 +
1032 + struct ipv6hdr;
1033 +
1034 +-static inline int IP6_ECN_set_ce(struct ipv6hdr *iph)
1035 ++/* Note:
1036 ++ * IP_ECN_set_ce() has to tweak IPV4 checksum when setting CE,
1037 ++ * meaning both changes have no effect on skb->csum if/when CHECKSUM_COMPLETE
1038 ++ * In IPv6 case, no checksum compensates the change in IPv6 header,
1039 ++ * so we have to update skb->csum.
1040 ++ */
1041 ++static inline int IP6_ECN_set_ce(struct sk_buff *skb, struct ipv6hdr *iph)
1042 + {
1043 ++ __be32 from, to;
1044 ++
1045 + if (INET_ECN_is_not_ect(ipv6_get_dsfield(iph)))
1046 + return 0;
1047 +- *(__be32*)iph |= htonl(INET_ECN_CE << 20);
1048 ++
1049 ++ from = *(__be32 *)iph;
1050 ++ to = from | htonl(INET_ECN_CE << 20);
1051 ++ *(__be32 *)iph = to;
1052 ++ if (skb->ip_summed == CHECKSUM_COMPLETE)
1053 ++ skb->csum = csum_add(csum_sub(skb->csum, from), to);
1054 + return 1;
1055 + }
1056 +
1057 +@@ -142,7 +155,7 @@ static inline int INET_ECN_set_ce(struct sk_buff *skb)
1058 + case cpu_to_be16(ETH_P_IPV6):
1059 + if (skb_network_header(skb) + sizeof(struct ipv6hdr) <=
1060 + skb_tail_pointer(skb))
1061 +- return IP6_ECN_set_ce(ipv6_hdr(skb));
1062 ++ return IP6_ECN_set_ce(skb, ipv6_hdr(skb));
1063 + break;
1064 + }
1065 +
1066 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
1067 +index a7945d10b378..d1d3e8f57de9 100644
1068 +--- a/kernel/bpf/verifier.c
1069 ++++ b/kernel/bpf/verifier.c
1070 +@@ -1121,6 +1121,16 @@ static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn)
1071 + return -EINVAL;
1072 + }
1073 +
1074 ++ if ((opcode == BPF_LSH || opcode == BPF_RSH ||
1075 ++ opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
1076 ++ int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
1077 ++
1078 ++ if (insn->imm < 0 || insn->imm >= size) {
1079 ++ verbose("invalid shift %d\n", insn->imm);
1080 ++ return -EINVAL;
1081 ++ }
1082 ++ }
1083 ++
1084 + /* pattern match 'bpf_add Rx, imm' instruction */
1085 + if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 &&
1086 + regs[insn->dst_reg].type == FRAME_PTR &&
1087 +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
1088 +index 191a70290dca..f5d2fe5e31cc 100644
1089 +--- a/net/batman-adv/bridge_loop_avoidance.c
1090 ++++ b/net/batman-adv/bridge_loop_avoidance.c
1091 +@@ -127,21 +127,17 @@ batadv_backbone_gw_free_ref(struct batadv_bla_backbone_gw *backbone_gw)
1092 + }
1093 +
1094 + /* finally deinitialize the claim */
1095 +-static void batadv_claim_free_rcu(struct rcu_head *rcu)
1096 ++static void batadv_claim_release(struct batadv_bla_claim *claim)
1097 + {
1098 +- struct batadv_bla_claim *claim;
1099 +-
1100 +- claim = container_of(rcu, struct batadv_bla_claim, rcu);
1101 +-
1102 + batadv_backbone_gw_free_ref(claim->backbone_gw);
1103 +- kfree(claim);
1104 ++ kfree_rcu(claim, rcu);
1105 + }
1106 +
1107 + /* free a claim, call claim_free_rcu if its the last reference */
1108 + static void batadv_claim_free_ref(struct batadv_bla_claim *claim)
1109 + {
1110 + if (atomic_dec_and_test(&claim->refcount))
1111 +- call_rcu(&claim->rcu, batadv_claim_free_rcu);
1112 ++ batadv_claim_release(claim);
1113 + }
1114 +
1115 + /**
1116 +diff --git a/net/batman-adv/hard-interface.h b/net/batman-adv/hard-interface.h
1117 +index 5a31420513e1..7b12ea8ea29d 100644
1118 +--- a/net/batman-adv/hard-interface.h
1119 ++++ b/net/batman-adv/hard-interface.h
1120 +@@ -75,18 +75,6 @@ batadv_hardif_free_ref(struct batadv_hard_iface *hard_iface)
1121 + call_rcu(&hard_iface->rcu, batadv_hardif_free_rcu);
1122 + }
1123 +
1124 +-/**
1125 +- * batadv_hardif_free_ref_now - decrement the hard interface refcounter and
1126 +- * possibly free it (without rcu callback)
1127 +- * @hard_iface: the hard interface to free
1128 +- */
1129 +-static inline void
1130 +-batadv_hardif_free_ref_now(struct batadv_hard_iface *hard_iface)
1131 +-{
1132 +- if (atomic_dec_and_test(&hard_iface->refcount))
1133 +- batadv_hardif_free_rcu(&hard_iface->rcu);
1134 +-}
1135 +-
1136 + static inline struct batadv_hard_iface *
1137 + batadv_primary_if_get_selected(struct batadv_priv *bat_priv)
1138 + {
1139 +diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
1140 +index f5276be2c77c..d0956f726547 100644
1141 +--- a/net/batman-adv/network-coding.c
1142 ++++ b/net/batman-adv/network-coding.c
1143 +@@ -203,28 +203,25 @@ void batadv_nc_init_orig(struct batadv_orig_node *orig_node)
1144 + }
1145 +
1146 + /**
1147 +- * batadv_nc_node_free_rcu - rcu callback to free an nc node and remove
1148 +- * its refcount on the orig_node
1149 +- * @rcu: rcu pointer of the nc node
1150 ++ * batadv_nc_node_release - release nc_node from lists and queue for free after
1151 ++ * rcu grace period
1152 ++ * @nc_node: the nc node to free
1153 + */
1154 +-static void batadv_nc_node_free_rcu(struct rcu_head *rcu)
1155 ++static void batadv_nc_node_release(struct batadv_nc_node *nc_node)
1156 + {
1157 +- struct batadv_nc_node *nc_node;
1158 +-
1159 +- nc_node = container_of(rcu, struct batadv_nc_node, rcu);
1160 + batadv_orig_node_free_ref(nc_node->orig_node);
1161 +- kfree(nc_node);
1162 ++ kfree_rcu(nc_node, rcu);
1163 + }
1164 +
1165 + /**
1166 +- * batadv_nc_node_free_ref - decrements the nc node refcounter and possibly
1167 +- * frees it
1168 ++ * batadv_nc_node_free_ref - decrement the nc node refcounter and possibly
1169 ++ * release it
1170 + * @nc_node: the nc node to free
1171 + */
1172 + static void batadv_nc_node_free_ref(struct batadv_nc_node *nc_node)
1173 + {
1174 + if (atomic_dec_and_test(&nc_node->refcount))
1175 +- call_rcu(&nc_node->rcu, batadv_nc_node_free_rcu);
1176 ++ batadv_nc_node_release(nc_node);
1177 + }
1178 +
1179 + /**
1180 +diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
1181 +index 7486df9ed48d..17851d3aaf22 100644
1182 +--- a/net/batman-adv/originator.c
1183 ++++ b/net/batman-adv/originator.c
1184 +@@ -163,92 +163,66 @@ err:
1185 + }
1186 +
1187 + /**
1188 +- * batadv_neigh_ifinfo_free_rcu - free the neigh_ifinfo object
1189 +- * @rcu: rcu pointer of the neigh_ifinfo object
1190 +- */
1191 +-static void batadv_neigh_ifinfo_free_rcu(struct rcu_head *rcu)
1192 +-{
1193 +- struct batadv_neigh_ifinfo *neigh_ifinfo;
1194 +-
1195 +- neigh_ifinfo = container_of(rcu, struct batadv_neigh_ifinfo, rcu);
1196 +-
1197 +- if (neigh_ifinfo->if_outgoing != BATADV_IF_DEFAULT)
1198 +- batadv_hardif_free_ref_now(neigh_ifinfo->if_outgoing);
1199 +-
1200 +- kfree(neigh_ifinfo);
1201 +-}
1202 +-
1203 +-/**
1204 +- * batadv_neigh_ifinfo_free_now - decrement the refcounter and possibly free
1205 +- * the neigh_ifinfo (without rcu callback)
1206 ++ * batadv_neigh_ifinfo_release - release neigh_ifinfo from lists and queue for
1207 ++ * free after rcu grace period
1208 + * @neigh_ifinfo: the neigh_ifinfo object to release
1209 + */
1210 + static void
1211 +-batadv_neigh_ifinfo_free_ref_now(struct batadv_neigh_ifinfo *neigh_ifinfo)
1212 ++batadv_neigh_ifinfo_release(struct batadv_neigh_ifinfo *neigh_ifinfo)
1213 + {
1214 +- if (atomic_dec_and_test(&neigh_ifinfo->refcount))
1215 +- batadv_neigh_ifinfo_free_rcu(&neigh_ifinfo->rcu);
1216 ++ if (neigh_ifinfo->if_outgoing != BATADV_IF_DEFAULT)
1217 ++ batadv_hardif_free_ref(neigh_ifinfo->if_outgoing);
1218 ++
1219 ++ kfree_rcu(neigh_ifinfo, rcu);
1220 + }
1221 +
1222 + /**
1223 +- * batadv_neigh_ifinfo_free_ref - decrement the refcounter and possibly free
1224 ++ * batadv_neigh_ifinfo_free_ref - decrement the refcounter and possibly release
1225 + * the neigh_ifinfo
1226 + * @neigh_ifinfo: the neigh_ifinfo object to release
1227 + */
1228 + void batadv_neigh_ifinfo_free_ref(struct batadv_neigh_ifinfo *neigh_ifinfo)
1229 + {
1230 + if (atomic_dec_and_test(&neigh_ifinfo->refcount))
1231 +- call_rcu(&neigh_ifinfo->rcu, batadv_neigh_ifinfo_free_rcu);
1232 ++ batadv_neigh_ifinfo_release(neigh_ifinfo);
1233 + }
1234 +
1235 + /**
1236 + * batadv_neigh_node_free_rcu - free the neigh_node
1237 +- * @rcu: rcu pointer of the neigh_node
1238 ++ * batadv_neigh_node_release - release neigh_node from lists and queue for
1239 ++ * free after rcu grace period
1240 ++ * @neigh_node: neigh neighbor to free
1241 + */
1242 +-static void batadv_neigh_node_free_rcu(struct rcu_head *rcu)
1243 ++static void batadv_neigh_node_release(struct batadv_neigh_node *neigh_node)
1244 + {
1245 + struct hlist_node *node_tmp;
1246 +- struct batadv_neigh_node *neigh_node;
1247 + struct batadv_neigh_ifinfo *neigh_ifinfo;
1248 + struct batadv_algo_ops *bao;
1249 +
1250 +- neigh_node = container_of(rcu, struct batadv_neigh_node, rcu);
1251 + bao = neigh_node->orig_node->bat_priv->bat_algo_ops;
1252 +
1253 + hlist_for_each_entry_safe(neigh_ifinfo, node_tmp,
1254 + &neigh_node->ifinfo_list, list) {
1255 +- batadv_neigh_ifinfo_free_ref_now(neigh_ifinfo);
1256 ++ batadv_neigh_ifinfo_free_ref(neigh_ifinfo);
1257 + }
1258 +
1259 + if (bao->bat_neigh_free)
1260 + bao->bat_neigh_free(neigh_node);
1261 +
1262 +- batadv_hardif_free_ref_now(neigh_node->if_incoming);
1263 ++ batadv_hardif_free_ref(neigh_node->if_incoming);
1264 +
1265 +- kfree(neigh_node);
1266 +-}
1267 +-
1268 +-/**
1269 +- * batadv_neigh_node_free_ref_now - decrement the neighbors refcounter
1270 +- * and possibly free it (without rcu callback)
1271 +- * @neigh_node: neigh neighbor to free
1272 +- */
1273 +-static void
1274 +-batadv_neigh_node_free_ref_now(struct batadv_neigh_node *neigh_node)
1275 +-{
1276 +- if (atomic_dec_and_test(&neigh_node->refcount))
1277 +- batadv_neigh_node_free_rcu(&neigh_node->rcu);
1278 ++ kfree_rcu(neigh_node, rcu);
1279 + }
1280 +
1281 + /**
1282 + * batadv_neigh_node_free_ref - decrement the neighbors refcounter
1283 +- * and possibly free it
1284 ++ * and possibly release it
1285 + * @neigh_node: neigh neighbor to free
1286 + */
1287 + void batadv_neigh_node_free_ref(struct batadv_neigh_node *neigh_node)
1288 + {
1289 + if (atomic_dec_and_test(&neigh_node->refcount))
1290 +- call_rcu(&neigh_node->rcu, batadv_neigh_node_free_rcu);
1291 ++ batadv_neigh_node_release(neigh_node);
1292 + }
1293 +
1294 + /**
1295 +@@ -532,108 +506,99 @@ out:
1296 + }
1297 +
1298 + /**
1299 +- * batadv_orig_ifinfo_free_rcu - free the orig_ifinfo object
1300 +- * @rcu: rcu pointer of the orig_ifinfo object
1301 ++ * batadv_orig_ifinfo_release - release orig_ifinfo from lists and queue for
1302 ++ * free after rcu grace period
1303 ++ * @orig_ifinfo: the orig_ifinfo object to release
1304 + */
1305 +-static void batadv_orig_ifinfo_free_rcu(struct rcu_head *rcu)
1306 ++static void batadv_orig_ifinfo_release(struct batadv_orig_ifinfo *orig_ifinfo)
1307 + {
1308 +- struct batadv_orig_ifinfo *orig_ifinfo;
1309 + struct batadv_neigh_node *router;
1310 +
1311 +- orig_ifinfo = container_of(rcu, struct batadv_orig_ifinfo, rcu);
1312 +-
1313 + if (orig_ifinfo->if_outgoing != BATADV_IF_DEFAULT)
1314 +- batadv_hardif_free_ref_now(orig_ifinfo->if_outgoing);
1315 ++ batadv_hardif_free_ref(orig_ifinfo->if_outgoing);
1316 +
1317 + /* this is the last reference to this object */
1318 + router = rcu_dereference_protected(orig_ifinfo->router, true);
1319 + if (router)
1320 +- batadv_neigh_node_free_ref_now(router);
1321 +- kfree(orig_ifinfo);
1322 ++ batadv_neigh_node_free_ref(router);
1323 ++
1324 ++ kfree_rcu(orig_ifinfo, rcu);
1325 + }
1326 +
1327 + /**
1328 +- * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly free
1329 +- * the orig_ifinfo (without rcu callback)
1330 ++ * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly release
1331 ++ * the orig_ifinfo
1332 + * @orig_ifinfo: the orig_ifinfo object to release
1333 + */
1334 +-static void
1335 +-batadv_orig_ifinfo_free_ref_now(struct batadv_orig_ifinfo *orig_ifinfo)
1336 ++void batadv_orig_ifinfo_free_ref(struct batadv_orig_ifinfo *orig_ifinfo)
1337 + {
1338 + if (atomic_dec_and_test(&orig_ifinfo->refcount))
1339 +- batadv_orig_ifinfo_free_rcu(&orig_ifinfo->rcu);
1340 ++ batadv_orig_ifinfo_release(orig_ifinfo);
1341 + }
1342 +
1343 + /**
1344 +- * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly free
1345 +- * the orig_ifinfo
1346 +- * @orig_ifinfo: the orig_ifinfo object to release
1347 ++ * batadv_orig_node_free_rcu - free the orig_node
1348 ++ * @rcu: rcu pointer of the orig_node
1349 + */
1350 +-void batadv_orig_ifinfo_free_ref(struct batadv_orig_ifinfo *orig_ifinfo)
1351 ++static void batadv_orig_node_free_rcu(struct rcu_head *rcu)
1352 + {
1353 +- if (atomic_dec_and_test(&orig_ifinfo->refcount))
1354 +- call_rcu(&orig_ifinfo->rcu, batadv_orig_ifinfo_free_rcu);
1355 ++ struct batadv_orig_node *orig_node;
1356 ++
1357 ++ orig_node = container_of(rcu, struct batadv_orig_node, rcu);
1358 ++
1359 ++ batadv_mcast_purge_orig(orig_node);
1360 ++
1361 ++ batadv_frag_purge_orig(orig_node, NULL);
1362 ++
1363 ++ if (orig_node->bat_priv->bat_algo_ops->bat_orig_free)
1364 ++ orig_node->bat_priv->bat_algo_ops->bat_orig_free(orig_node);
1365 ++
1366 ++ kfree(orig_node->tt_buff);
1367 ++ kfree(orig_node);
1368 + }
1369 +
1370 +-static void batadv_orig_node_free_rcu(struct rcu_head *rcu)
1371 ++/**
1372 ++ * batadv_orig_node_release - release orig_node from lists and queue for
1373 ++ * free after rcu grace period
1374 ++ * @orig_node: the orig node to free
1375 ++ */
1376 ++static void batadv_orig_node_release(struct batadv_orig_node *orig_node)
1377 + {
1378 + struct hlist_node *node_tmp;
1379 + struct batadv_neigh_node *neigh_node;
1380 +- struct batadv_orig_node *orig_node;
1381 + struct batadv_orig_ifinfo *orig_ifinfo;
1382 +
1383 +- orig_node = container_of(rcu, struct batadv_orig_node, rcu);
1384 +-
1385 + spin_lock_bh(&orig_node->neigh_list_lock);
1386 +
1387 + /* for all neighbors towards this originator ... */
1388 + hlist_for_each_entry_safe(neigh_node, node_tmp,
1389 + &orig_node->neigh_list, list) {
1390 + hlist_del_rcu(&neigh_node->list);
1391 +- batadv_neigh_node_free_ref_now(neigh_node);
1392 ++ batadv_neigh_node_free_ref(neigh_node);
1393 + }
1394 +
1395 + hlist_for_each_entry_safe(orig_ifinfo, node_tmp,
1396 + &orig_node->ifinfo_list, list) {
1397 + hlist_del_rcu(&orig_ifinfo->list);
1398 +- batadv_orig_ifinfo_free_ref_now(orig_ifinfo);
1399 ++ batadv_orig_ifinfo_free_ref(orig_ifinfo);
1400 + }
1401 + spin_unlock_bh(&orig_node->neigh_list_lock);
1402 +
1403 +- batadv_mcast_purge_orig(orig_node);
1404 +-
1405 + /* Free nc_nodes */
1406 + batadv_nc_purge_orig(orig_node->bat_priv, orig_node, NULL);
1407 +
1408 +- batadv_frag_purge_orig(orig_node, NULL);
1409 +-
1410 +- if (orig_node->bat_priv->bat_algo_ops->bat_orig_free)
1411 +- orig_node->bat_priv->bat_algo_ops->bat_orig_free(orig_node);
1412 +-
1413 +- kfree(orig_node->tt_buff);
1414 +- kfree(orig_node);
1415 ++ call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu);
1416 + }
1417 +
1418 + /**
1419 + * batadv_orig_node_free_ref - decrement the orig node refcounter and possibly
1420 +- * schedule an rcu callback for freeing it
1421 ++ * release it
1422 + * @orig_node: the orig node to free
1423 + */
1424 + void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node)
1425 + {
1426 + if (atomic_dec_and_test(&orig_node->refcount))
1427 +- call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu);
1428 +-}
1429 +-
1430 +-/**
1431 +- * batadv_orig_node_free_ref_now - decrement the orig node refcounter and
1432 +- * possibly free it (without rcu callback)
1433 +- * @orig_node: the orig node to free
1434 +- */
1435 +-void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node)
1436 +-{
1437 +- if (atomic_dec_and_test(&orig_node->refcount))
1438 +- batadv_orig_node_free_rcu(&orig_node->rcu);
1439 ++ batadv_orig_node_release(orig_node);
1440 + }
1441 +
1442 + void batadv_originator_free(struct batadv_priv *bat_priv)
1443 +diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h
1444 +index fa18f9bf266b..a5c37882b409 100644
1445 +--- a/net/batman-adv/originator.h
1446 ++++ b/net/batman-adv/originator.h
1447 +@@ -38,7 +38,6 @@ int batadv_originator_init(struct batadv_priv *bat_priv);
1448 + void batadv_originator_free(struct batadv_priv *bat_priv);
1449 + void batadv_purge_orig_ref(struct batadv_priv *bat_priv);
1450 + void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node);
1451 +-void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node);
1452 + struct batadv_orig_node *batadv_orig_node_new(struct batadv_priv *bat_priv,
1453 + const u8 *addr);
1454 + struct batadv_neigh_node *
1455 +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
1456 +index 76f19ba62462..83b0ca27a45e 100644
1457 +--- a/net/batman-adv/translation-table.c
1458 ++++ b/net/batman-adv/translation-table.c
1459 +@@ -240,20 +240,6 @@ int batadv_tt_global_hash_count(struct batadv_priv *bat_priv,
1460 + return count;
1461 + }
1462 +
1463 +-static void batadv_tt_orig_list_entry_free_rcu(struct rcu_head *rcu)
1464 +-{
1465 +- struct batadv_tt_orig_list_entry *orig_entry;
1466 +-
1467 +- orig_entry = container_of(rcu, struct batadv_tt_orig_list_entry, rcu);
1468 +-
1469 +- /* We are in an rcu callback here, therefore we cannot use
1470 +- * batadv_orig_node_free_ref() and its call_rcu():
1471 +- * An rcu_barrier() wouldn't wait for that to finish
1472 +- */
1473 +- batadv_orig_node_free_ref_now(orig_entry->orig_node);
1474 +- kfree(orig_entry);
1475 +-}
1476 +-
1477 + /**
1478 + * batadv_tt_local_size_mod - change the size by v of the local table identified
1479 + * by vid
1480 +@@ -349,13 +335,25 @@ static void batadv_tt_global_size_dec(struct batadv_orig_node *orig_node,
1481 + batadv_tt_global_size_mod(orig_node, vid, -1);
1482 + }
1483 +
1484 ++/**
1485 ++ * batadv_tt_orig_list_entry_release - release tt orig entry from lists and
1486 ++ * queue for free after rcu grace period
1487 ++ * @orig_entry: tt orig entry to be free'd
1488 ++ */
1489 ++static void
1490 ++batadv_tt_orig_list_entry_release(struct batadv_tt_orig_list_entry *orig_entry)
1491 ++{
1492 ++ batadv_orig_node_free_ref(orig_entry->orig_node);
1493 ++ kfree_rcu(orig_entry, rcu);
1494 ++}
1495 ++
1496 + static void
1497 + batadv_tt_orig_list_entry_free_ref(struct batadv_tt_orig_list_entry *orig_entry)
1498 + {
1499 + if (!atomic_dec_and_test(&orig_entry->refcount))
1500 + return;
1501 +
1502 +- call_rcu(&orig_entry->rcu, batadv_tt_orig_list_entry_free_rcu);
1503 ++ batadv_tt_orig_list_entry_release(orig_entry);
1504 + }
1505 +
1506 + /**
1507 +diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
1508 +index 5e88d3e17546..2c8095a5d824 100644
1509 +--- a/net/bridge/br_device.c
1510 ++++ b/net/bridge/br_device.c
1511 +@@ -28,6 +28,8 @@
1512 + const struct nf_br_ops __rcu *nf_br_ops __read_mostly;
1513 + EXPORT_SYMBOL_GPL(nf_br_ops);
1514 +
1515 ++static struct lock_class_key bridge_netdev_addr_lock_key;
1516 ++
1517 + /* net device transmit always called with BH disabled */
1518 + netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
1519 + {
1520 +@@ -87,6 +89,11 @@ out:
1521 + return NETDEV_TX_OK;
1522 + }
1523 +
1524 ++static void br_set_lockdep_class(struct net_device *dev)
1525 ++{
1526 ++ lockdep_set_class(&dev->addr_list_lock, &bridge_netdev_addr_lock_key);
1527 ++}
1528 ++
1529 + static int br_dev_init(struct net_device *dev)
1530 + {
1531 + struct net_bridge *br = netdev_priv(dev);
1532 +@@ -99,6 +106,7 @@ static int br_dev_init(struct net_device *dev)
1533 + err = br_vlan_init(br);
1534 + if (err)
1535 + free_percpu(br->stats);
1536 ++ br_set_lockdep_class(dev);
1537 +
1538 + return err;
1539 + }
1540 +diff --git a/net/core/dev.c b/net/core/dev.c
1541 +index ae00b894e675..7f00f2439770 100644
1542 +--- a/net/core/dev.c
1543 ++++ b/net/core/dev.c
1544 +@@ -2542,6 +2542,8 @@ static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path)
1545 + *
1546 + * It may return NULL if the skb requires no segmentation. This is
1547 + * only possible when GSO is used for verifying header integrity.
1548 ++ *
1549 ++ * Segmentation preserves SKB_SGO_CB_OFFSET bytes of previous skb cb.
1550 + */
1551 + struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
1552 + netdev_features_t features, bool tx_path)
1553 +@@ -2556,6 +2558,9 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
1554 + return ERR_PTR(err);
1555 + }
1556 +
1557 ++ BUILD_BUG_ON(SKB_SGO_CB_OFFSET +
1558 ++ sizeof(*SKB_GSO_CB(skb)) > sizeof(skb->cb));
1559 ++
1560 + SKB_GSO_CB(skb)->mac_offset = skb_headroom(skb);
1561 + SKB_GSO_CB(skb)->encap_level = 0;
1562 +
1563 +diff --git a/net/core/filter.c b/net/core/filter.c
1564 +index 672eefbfbe99..37157c4c1a78 100644
1565 +--- a/net/core/filter.c
1566 ++++ b/net/core/filter.c
1567 +@@ -777,6 +777,11 @@ static int bpf_check_classic(const struct sock_filter *filter,
1568 + if (ftest->k == 0)
1569 + return -EINVAL;
1570 + break;
1571 ++ case BPF_ALU | BPF_LSH | BPF_K:
1572 ++ case BPF_ALU | BPF_RSH | BPF_K:
1573 ++ if (ftest->k >= 32)
1574 ++ return -EINVAL;
1575 ++ break;
1576 + case BPF_LD | BPF_MEM:
1577 + case BPF_LDX | BPF_MEM:
1578 + case BPF_ST:
1579 +diff --git a/net/core/pktgen.c b/net/core/pktgen.c
1580 +index de8d5cc5eb24..4da4d51a2ccf 100644
1581 +--- a/net/core/pktgen.c
1582 ++++ b/net/core/pktgen.c
1583 +@@ -2787,7 +2787,9 @@ static struct sk_buff *pktgen_alloc_skb(struct net_device *dev,
1584 + } else {
1585 + skb = __netdev_alloc_skb(dev, size, GFP_NOWAIT);
1586 + }
1587 +- skb_reserve(skb, LL_RESERVED_SPACE(dev));
1588 ++
1589 ++ if (likely(skb))
1590 ++ skb_reserve(skb, LL_RESERVED_SPACE(dev));
1591 +
1592 + return skb;
1593 + }
1594 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
1595 +index 4233cbe47052..49f02856304d 100644
1596 +--- a/net/ipv4/ip_output.c
1597 ++++ b/net/ipv4/ip_output.c
1598 +@@ -240,6 +240,7 @@ static int ip_finish_output_gso(struct net *net, struct sock *sk,
1599 + * from host network stack.
1600 + */
1601 + features = netif_skb_features(skb);
1602 ++ BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_SGO_CB_OFFSET);
1603 + segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
1604 + if (IS_ERR_OR_NULL(segs)) {
1605 + kfree_skb(skb);
1606 +@@ -921,7 +922,7 @@ static int __ip_append_data(struct sock *sk,
1607 + if (((length > mtu) || (skb && skb_is_gso(skb))) &&
1608 + (sk->sk_protocol == IPPROTO_UDP) &&
1609 + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
1610 +- (sk->sk_type == SOCK_DGRAM)) {
1611 ++ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
1612 + err = ip_ufo_append_data(sk, queue, getfrag, from, length,
1613 + hh_len, fragheaderlen, transhdrlen,
1614 + maxfraglen, flags);
1615 +diff --git a/net/ipv4/tcp_yeah.c b/net/ipv4/tcp_yeah.c
1616 +index 17d35662930d..3e6a472e6b88 100644
1617 +--- a/net/ipv4/tcp_yeah.c
1618 ++++ b/net/ipv4/tcp_yeah.c
1619 +@@ -219,7 +219,7 @@ static u32 tcp_yeah_ssthresh(struct sock *sk)
1620 + yeah->fast_count = 0;
1621 + yeah->reno_count = max(yeah->reno_count>>1, 2U);
1622 +
1623 +- return tp->snd_cwnd - reduction;
1624 ++ return max_t(int, tp->snd_cwnd - reduction, 2);
1625 + }
1626 +
1627 + static struct tcp_congestion_ops tcp_yeah __read_mostly = {
1628 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
1629 +index e6a7bd15b9b7..6473889f1736 100644
1630 +--- a/net/ipv6/ip6_output.c
1631 ++++ b/net/ipv6/ip6_output.c
1632 +@@ -1353,7 +1353,7 @@ emsgsize:
1633 + (skb && skb_is_gso(skb))) &&
1634 + (sk->sk_protocol == IPPROTO_UDP) &&
1635 + (rt->dst.dev->features & NETIF_F_UFO) &&
1636 +- (sk->sk_type == SOCK_DGRAM)) {
1637 ++ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
1638 + err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
1639 + hh_len, fragheaderlen,
1640 + transhdrlen, mtu, flags, fl6);
1641 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
1642 +index 6b8a8a9091fa..bd100b47c717 100644
1643 +--- a/net/ipv6/tcp_ipv6.c
1644 ++++ b/net/ipv6/tcp_ipv6.c
1645 +@@ -462,8 +462,10 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
1646 + if (np->repflow && ireq->pktopts)
1647 + fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts));
1648 +
1649 ++ rcu_read_lock();
1650 + err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt),
1651 + np->tclass);
1652 ++ rcu_read_unlock();
1653 + err = net_xmit_eval(err);
1654 + }
1655 +
1656 +diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
1657 +index f7fbdbabe50e..372855eeaf42 100644
1658 +--- a/net/ipv6/xfrm6_mode_tunnel.c
1659 ++++ b/net/ipv6/xfrm6_mode_tunnel.c
1660 +@@ -23,7 +23,7 @@ static inline void ipip6_ecn_decapsulate(struct sk_buff *skb)
1661 + struct ipv6hdr *inner_iph = ipipv6_hdr(skb);
1662 +
1663 + if (INET_ECN_is_ce(XFRM_MODE_SKB_CB(skb)->tos))
1664 +- IP6_ECN_set_ce(inner_iph);
1665 ++ IP6_ECN_set_ce(skb, inner_iph);
1666 + }
1667 +
1668 + /* Add encapsulation header.
1669 +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
1670 +index 91a8b004dc51..deadfdab1bc3 100644
1671 +--- a/net/openvswitch/datapath.c
1672 ++++ b/net/openvswitch/datapath.c
1673 +@@ -336,12 +336,10 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb,
1674 + unsigned short gso_type = skb_shinfo(skb)->gso_type;
1675 + struct sw_flow_key later_key;
1676 + struct sk_buff *segs, *nskb;
1677 +- struct ovs_skb_cb ovs_cb;
1678 + int err;
1679 +
1680 +- ovs_cb = *OVS_CB(skb);
1681 ++ BUILD_BUG_ON(sizeof(*OVS_CB(skb)) > SKB_SGO_CB_OFFSET);
1682 + segs = __skb_gso_segment(skb, NETIF_F_SG, false);
1683 +- *OVS_CB(skb) = ovs_cb;
1684 + if (IS_ERR(segs))
1685 + return PTR_ERR(segs);
1686 + if (segs == NULL)
1687 +@@ -359,7 +357,6 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb,
1688 + /* Queue all of the segments. */
1689 + skb = segs;
1690 + do {
1691 +- *OVS_CB(skb) = ovs_cb;
1692 + if (gso_type & SKB_GSO_UDP && skb != segs)
1693 + key = &later_key;
1694 +
1695 +diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
1696 +index 10d42f3220ab..f925753668a7 100644
1697 +--- a/net/phonet/af_phonet.c
1698 ++++ b/net/phonet/af_phonet.c
1699 +@@ -377,6 +377,10 @@ static int phonet_rcv(struct sk_buff *skb, struct net_device *dev,
1700 + struct sockaddr_pn sa;
1701 + u16 len;
1702 +
1703 ++ skb = skb_share_check(skb, GFP_ATOMIC);
1704 ++ if (!skb)
1705 ++ return NET_RX_DROP;
1706 ++
1707 + /* check we have at least a full Phonet header */
1708 + if (!pskb_pull(skb, sizeof(struct phonethdr)))
1709 + goto out;
1710 +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
1711 +index 57692947ebbe..95b021243233 100644
1712 +--- a/net/sched/cls_flower.c
1713 ++++ b/net/sched/cls_flower.c
1714 +@@ -252,23 +252,28 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
1715 + fl_set_key_val(tb, key->eth.src, TCA_FLOWER_KEY_ETH_SRC,
1716 + mask->eth.src, TCA_FLOWER_KEY_ETH_SRC_MASK,
1717 + sizeof(key->eth.src));
1718 ++
1719 + fl_set_key_val(tb, &key->basic.n_proto, TCA_FLOWER_KEY_ETH_TYPE,
1720 + &mask->basic.n_proto, TCA_FLOWER_UNSPEC,
1721 + sizeof(key->basic.n_proto));
1722 ++
1723 + if (key->basic.n_proto == htons(ETH_P_IP) ||
1724 + key->basic.n_proto == htons(ETH_P_IPV6)) {
1725 + fl_set_key_val(tb, &key->basic.ip_proto, TCA_FLOWER_KEY_IP_PROTO,
1726 + &mask->basic.ip_proto, TCA_FLOWER_UNSPEC,
1727 + sizeof(key->basic.ip_proto));
1728 + }
1729 +- if (key->control.addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS) {
1730 ++
1731 ++ if (tb[TCA_FLOWER_KEY_IPV4_SRC] || tb[TCA_FLOWER_KEY_IPV4_DST]) {
1732 ++ key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
1733 + fl_set_key_val(tb, &key->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC,
1734 + &mask->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC_MASK,
1735 + sizeof(key->ipv4.src));
1736 + fl_set_key_val(tb, &key->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST,
1737 + &mask->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST_MASK,
1738 + sizeof(key->ipv4.dst));
1739 +- } else if (key->control.addr_type == FLOW_DISSECTOR_KEY_IPV6_ADDRS) {
1740 ++ } else if (tb[TCA_FLOWER_KEY_IPV6_SRC] || tb[TCA_FLOWER_KEY_IPV6_DST]) {
1741 ++ key->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
1742 + fl_set_key_val(tb, &key->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC,
1743 + &mask->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC_MASK,
1744 + sizeof(key->ipv6.src));
1745 +@@ -276,6 +281,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
1746 + &mask->ipv6.dst, TCA_FLOWER_KEY_IPV6_DST_MASK,
1747 + sizeof(key->ipv6.dst));
1748 + }
1749 ++
1750 + if (key->basic.ip_proto == IPPROTO_TCP) {
1751 + fl_set_key_val(tb, &key->tp.src, TCA_FLOWER_KEY_TCP_SRC,
1752 + &mask->tp.src, TCA_FLOWER_UNSPEC,
1753 +diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
1754 +index 26d50c565f54..3e0fc5127225 100644
1755 +--- a/net/sctp/sysctl.c
1756 ++++ b/net/sctp/sysctl.c
1757 +@@ -320,7 +320,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
1758 + struct ctl_table tbl;
1759 + bool changed = false;
1760 + char *none = "none";
1761 +- char tmp[8];
1762 ++ char tmp[8] = {0};
1763 + int ret;
1764 +
1765 + memset(&tbl, 0, sizeof(struct ctl_table));
1766 +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
1767 +index ef05cd9403d4..e3f85bc8b135 100644
1768 +--- a/net/unix/af_unix.c
1769 ++++ b/net/unix/af_unix.c
1770 +@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
1771 + sock_wfree(skb);
1772 + }
1773 +
1774 ++/*
1775 ++ * The "user->unix_inflight" variable is protected by the garbage
1776 ++ * collection lock, and we just read it locklessly here. If you go
1777 ++ * over the limit, there might be a tiny race in actually noticing
1778 ++ * it across threads. Tough.
1779 ++ */
1780 ++static inline bool too_many_unix_fds(struct task_struct *p)
1781 ++{
1782 ++ struct user_struct *user = current_user();
1783 ++
1784 ++ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
1785 ++ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
1786 ++ return false;
1787 ++}
1788 ++
1789 + #define MAX_RECURSION_LEVEL 4
1790 +
1791 + static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
1792 +@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
1793 + unsigned char max_level = 0;
1794 + int unix_sock_count = 0;
1795 +
1796 ++ if (too_many_unix_fds(current))
1797 ++ return -ETOOMANYREFS;
1798 ++
1799 + for (i = scm->fp->count - 1; i >= 0; i--) {
1800 + struct sock *sk = unix_get_socket(scm->fp->fp[i]);
1801 +
1802 +@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
1803 + if (!UNIXCB(skb).fp)
1804 + return -ENOMEM;
1805 +
1806 +- if (unix_sock_count) {
1807 +- for (i = scm->fp->count - 1; i >= 0; i--)
1808 +- unix_inflight(scm->fp->fp[i]);
1809 +- }
1810 ++ for (i = scm->fp->count - 1; i >= 0; i--)
1811 ++ unix_inflight(scm->fp->fp[i]);
1812 + return max_level;
1813 + }
1814 +
1815 +diff --git a/net/unix/garbage.c b/net/unix/garbage.c
1816 +index a73a226f2d33..8fcdc2283af5 100644
1817 +--- a/net/unix/garbage.c
1818 ++++ b/net/unix/garbage.c
1819 +@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
1820 + {
1821 + struct sock *s = unix_get_socket(fp);
1822 +
1823 ++ spin_lock(&unix_gc_lock);
1824 ++
1825 + if (s) {
1826 + struct unix_sock *u = unix_sk(s);
1827 +
1828 +- spin_lock(&unix_gc_lock);
1829 +-
1830 + if (atomic_long_inc_return(&u->inflight) == 1) {
1831 + BUG_ON(!list_empty(&u->link));
1832 + list_add_tail(&u->link, &gc_inflight_list);
1833 +@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
1834 + BUG_ON(list_empty(&u->link));
1835 + }
1836 + unix_tot_inflight++;
1837 +- spin_unlock(&unix_gc_lock);
1838 + }
1839 ++ fp->f_cred->user->unix_inflight++;
1840 ++ spin_unlock(&unix_gc_lock);
1841 + }
1842 +
1843 + void unix_notinflight(struct file *fp)
1844 + {
1845 + struct sock *s = unix_get_socket(fp);
1846 +
1847 ++ spin_lock(&unix_gc_lock);
1848 ++
1849 + if (s) {
1850 + struct unix_sock *u = unix_sk(s);
1851 +
1852 +- spin_lock(&unix_gc_lock);
1853 + BUG_ON(list_empty(&u->link));
1854 +
1855 + if (atomic_long_dec_and_test(&u->inflight))
1856 + list_del_init(&u->link);
1857 + unix_tot_inflight--;
1858 +- spin_unlock(&unix_gc_lock);
1859 + }
1860 ++ fp->f_cred->user->unix_inflight--;
1861 ++ spin_unlock(&unix_gc_lock);
1862 + }
1863 +
1864 + static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
1865 +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
1866 +index cc3676eb6239..ff4a91fcab9f 100644
1867 +--- a/net/xfrm/xfrm_output.c
1868 ++++ b/net/xfrm/xfrm_output.c
1869 +@@ -167,6 +167,8 @@ static int xfrm_output_gso(struct net *net, struct sock *sk, struct sk_buff *skb
1870 + {
1871 + struct sk_buff *segs;
1872 +
1873 ++ BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_SGO_CB_OFFSET);
1874 ++ BUILD_BUG_ON(sizeof(*IP6CB(skb)) > SKB_SGO_CB_OFFSET);
1875 + segs = skb_gso_segment(skb, 0);
1876 + kfree_skb(skb);
1877 + if (IS_ERR(segs))
1878 +diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
1879 +index 826470d7f000..96e2486a6fc4 100755
1880 +--- a/scripts/recordmcount.pl
1881 ++++ b/scripts/recordmcount.pl
1882 +@@ -263,7 +263,8 @@ if ($arch eq "x86_64") {
1883 +
1884 + } elsif ($arch eq "powerpc") {
1885 + $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\.?\\S+)";
1886 +- $function_regex = "^([0-9a-fA-F]+)\\s+<(\\.?.*?)>:";
1887 ++ # See comment in the sparc64 section for why we use '\w'.
1888 ++ $function_regex = "^([0-9a-fA-F]+)\\s+<(\\.?\\w*?)>:";
1889 + $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s\\.?_mcount\$";
1890 +
1891 + if ($bits == 64) {
1892 +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
1893 +index a3f85d2a00bb..e6d50172872f 100644
1894 +--- a/security/keys/process_keys.c
1895 ++++ b/security/keys/process_keys.c
1896 +@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
1897 + ret = PTR_ERR(keyring);
1898 + goto error2;
1899 + } else if (keyring == new->session_keyring) {
1900 ++ key_put(keyring);
1901 + ret = 0;
1902 + goto error2;
1903 + }
1904 +diff --git a/sound/core/control.c b/sound/core/control.c
1905 +index 196a6fe100ca..a85d45595d02 100644
1906 +--- a/sound/core/control.c
1907 ++++ b/sound/core/control.c
1908 +@@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
1909 + return -EFAULT;
1910 + if (tlv.length < sizeof(unsigned int) * 2)
1911 + return -EINVAL;
1912 ++ if (!tlv.numid)
1913 ++ return -EINVAL;
1914 + down_read(&card->controls_rwsem);
1915 + kctl = snd_ctl_find_numid(card, tlv.numid);
1916 + if (kctl == NULL) {
1917 +diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c
1918 +index f845ecf7e172..656d9a9032dc 100644
1919 +--- a/sound/core/hrtimer.c
1920 ++++ b/sound/core/hrtimer.c
1921 +@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t)
1922 + struct snd_hrtimer *stime = t->private_data;
1923 +
1924 + atomic_set(&stime->running, 0);
1925 +- hrtimer_cancel(&stime->hrt);
1926 ++ hrtimer_try_to_cancel(&stime->hrt);
1927 + hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
1928 + HRTIMER_MODE_REL);
1929 + atomic_set(&stime->running, 1);
1930 +@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t)
1931 + {
1932 + struct snd_hrtimer *stime = t->private_data;
1933 + atomic_set(&stime->running, 0);
1934 ++ hrtimer_try_to_cancel(&stime->hrt);
1935 + return 0;
1936 + }
1937 +
1938 +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
1939 +index b48b434444ed..9630e9f72b7b 100644
1940 +--- a/sound/core/pcm_compat.c
1941 ++++ b/sound/core/pcm_compat.c
1942 +@@ -255,10 +255,15 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream,
1943 + if (! (runtime = substream->runtime))
1944 + return -ENOTTY;
1945 +
1946 +- /* only fifo_size is different, so just copy all */
1947 +- data = memdup_user(data32, sizeof(*data32));
1948 +- if (IS_ERR(data))
1949 +- return PTR_ERR(data);
1950 ++ data = kmalloc(sizeof(*data), GFP_KERNEL);
1951 ++ if (!data)
1952 ++ return -ENOMEM;
1953 ++
1954 ++ /* only fifo_size (RO from userspace) is different, so just copy all */
1955 ++ if (copy_from_user(data, data32, sizeof(*data32))) {
1956 ++ err = -EFAULT;
1957 ++ goto error;
1958 ++ }
1959 +
1960 + if (refine)
1961 + err = snd_pcm_hw_refine(substream, data);
1962 +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
1963 +index b64f20deba90..13cfa815732d 100644
1964 +--- a/sound/core/seq/seq_clientmgr.c
1965 ++++ b/sound/core/seq/seq_clientmgr.c
1966 +@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client,
1967 + * No restrictions so for a user client we can clear
1968 + * the whole fifo
1969 + */
1970 +- if (client->type == USER_CLIENT)
1971 ++ if (client->type == USER_CLIENT && client->data.user.fifo)
1972 + snd_seq_fifo_clear(client->data.user.fifo);
1973 + }
1974 +
1975 +diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c
1976 +index 81f7c109dc46..65175902a68a 100644
1977 +--- a/sound/core/seq/seq_compat.c
1978 ++++ b/sound/core/seq/seq_compat.c
1979 +@@ -49,11 +49,12 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
1980 + struct snd_seq_port_info *data;
1981 + mm_segment_t fs;
1982 +
1983 +- data = memdup_user(data32, sizeof(*data32));
1984 +- if (IS_ERR(data))
1985 +- return PTR_ERR(data);
1986 ++ data = kmalloc(sizeof(*data), GFP_KERNEL);
1987 ++ if (!data)
1988 ++ return -ENOMEM;
1989 +
1990 +- if (get_user(data->flags, &data32->flags) ||
1991 ++ if (copy_from_user(data, data32, sizeof(*data32)) ||
1992 ++ get_user(data->flags, &data32->flags) ||
1993 + get_user(data->time_queue, &data32->time_queue))
1994 + goto error;
1995 + data->kernel = NULL;
1996 +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
1997 +index 7dfd0f429410..0bec02e89d51 100644
1998 +--- a/sound/core/seq/seq_queue.c
1999 ++++ b/sound/core/seq/seq_queue.c
2000 +@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
2001 + static void queue_delete(struct snd_seq_queue *q)
2002 + {
2003 + /* stop and release the timer */
2004 ++ mutex_lock(&q->timer_mutex);
2005 + snd_seq_timer_stop(q->timer);
2006 + snd_seq_timer_close(q);
2007 ++ mutex_unlock(&q->timer_mutex);
2008 + /* wait until access free */
2009 + snd_use_lock_sync(&q->use_lock);
2010 + /* release resources... */
2011 +diff --git a/sound/core/timer.c b/sound/core/timer.c
2012 +index 31f40f03e5b7..0a049c4578f1 100644
2013 +--- a/sound/core/timer.c
2014 ++++ b/sound/core/timer.c
2015 +@@ -65,6 +65,7 @@ struct snd_timer_user {
2016 + int qtail;
2017 + int qused;
2018 + int queue_size;
2019 ++ bool disconnected;
2020 + struct snd_timer_read *queue;
2021 + struct snd_timer_tread *tqueue;
2022 + spinlock_t qlock;
2023 +@@ -73,7 +74,7 @@ struct snd_timer_user {
2024 + struct timespec tstamp; /* trigger tstamp */
2025 + wait_queue_head_t qchange_sleep;
2026 + struct fasync_struct *fasync;
2027 +- struct mutex tread_sem;
2028 ++ struct mutex ioctl_lock;
2029 + };
2030 +
2031 + /* list of timers */
2032 +@@ -215,11 +216,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master)
2033 + slave->slave_id == master->slave_id) {
2034 + list_move_tail(&slave->open_list, &master->slave_list_head);
2035 + spin_lock_irq(&slave_active_lock);
2036 ++ spin_lock(&master->timer->lock);
2037 + slave->master = master;
2038 + slave->timer = master->timer;
2039 + if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
2040 + list_add_tail(&slave->active_list,
2041 + &master->slave_active_head);
2042 ++ spin_unlock(&master->timer->lock);
2043 + spin_unlock_irq(&slave_active_lock);
2044 + }
2045 + }
2046 +@@ -288,6 +291,9 @@ int snd_timer_open(struct snd_timer_instance **ti,
2047 + mutex_unlock(&register_mutex);
2048 + return -ENOMEM;
2049 + }
2050 ++ /* take a card refcount for safe disconnection */
2051 ++ if (timer->card)
2052 ++ get_device(&timer->card->card_dev);
2053 + timeri->slave_class = tid->dev_sclass;
2054 + timeri->slave_id = slave_id;
2055 + if (list_empty(&timer->open_list_head) && timer->hw.open)
2056 +@@ -346,15 +352,21 @@ int snd_timer_close(struct snd_timer_instance *timeri)
2057 + timer->hw.close)
2058 + timer->hw.close(timer);
2059 + /* remove slave links */
2060 ++ spin_lock_irq(&slave_active_lock);
2061 ++ spin_lock(&timer->lock);
2062 + list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
2063 + open_list) {
2064 +- spin_lock_irq(&slave_active_lock);
2065 +- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
2066 + list_move_tail(&slave->open_list, &snd_timer_slave_list);
2067 + slave->master = NULL;
2068 + slave->timer = NULL;
2069 +- spin_unlock_irq(&slave_active_lock);
2070 ++ list_del_init(&slave->ack_list);
2071 ++ list_del_init(&slave->active_list);
2072 + }
2073 ++ spin_unlock(&timer->lock);
2074 ++ spin_unlock_irq(&slave_active_lock);
2075 ++ /* release a card refcount for safe disconnection */
2076 ++ if (timer->card)
2077 ++ put_device(&timer->card->card_dev);
2078 + mutex_unlock(&register_mutex);
2079 + }
2080 + out:
2081 +@@ -441,9 +453,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
2082 +
2083 + spin_lock_irqsave(&slave_active_lock, flags);
2084 + timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
2085 +- if (timeri->master)
2086 ++ if (timeri->master && timeri->timer) {
2087 ++ spin_lock(&timeri->timer->lock);
2088 + list_add_tail(&timeri->active_list,
2089 + &timeri->master->slave_active_head);
2090 ++ spin_unlock(&timeri->timer->lock);
2091 ++ }
2092 + spin_unlock_irqrestore(&slave_active_lock, flags);
2093 + return 1; /* delayed start */
2094 + }
2095 +@@ -467,6 +482,8 @@ int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
2096 + timer = timeri->timer;
2097 + if (timer == NULL)
2098 + return -EINVAL;
2099 ++ if (timer->card && timer->card->shutdown)
2100 ++ return -ENODEV;
2101 + spin_lock_irqsave(&timer->lock, flags);
2102 + timeri->ticks = timeri->cticks = ticks;
2103 + timeri->pticks = 0;
2104 +@@ -489,6 +506,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
2105 + if (!keep_flag) {
2106 + spin_lock_irqsave(&slave_active_lock, flags);
2107 + timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
2108 ++ list_del_init(&timeri->ack_list);
2109 ++ list_del_init(&timeri->active_list);
2110 + spin_unlock_irqrestore(&slave_active_lock, flags);
2111 + }
2112 + goto __end;
2113 +@@ -499,6 +518,10 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
2114 + spin_lock_irqsave(&timer->lock, flags);
2115 + list_del_init(&timeri->ack_list);
2116 + list_del_init(&timeri->active_list);
2117 ++ if (timer->card && timer->card->shutdown) {
2118 ++ spin_unlock_irqrestore(&timer->lock, flags);
2119 ++ return 0;
2120 ++ }
2121 + if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) &&
2122 + !(--timer->running)) {
2123 + timer->hw.stop(timer);
2124 +@@ -561,6 +584,8 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
2125 + timer = timeri->timer;
2126 + if (! timer)
2127 + return -EINVAL;
2128 ++ if (timer->card && timer->card->shutdown)
2129 ++ return -ENODEV;
2130 + spin_lock_irqsave(&timer->lock, flags);
2131 + if (!timeri->cticks)
2132 + timeri->cticks = 1;
2133 +@@ -624,6 +649,9 @@ static void snd_timer_tasklet(unsigned long arg)
2134 + unsigned long resolution, ticks;
2135 + unsigned long flags;
2136 +
2137 ++ if (timer->card && timer->card->shutdown)
2138 ++ return;
2139 ++
2140 + spin_lock_irqsave(&timer->lock, flags);
2141 + /* now process all callbacks */
2142 + while (!list_empty(&timer->sack_list_head)) {
2143 +@@ -664,6 +692,9 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left)
2144 + if (timer == NULL)
2145 + return;
2146 +
2147 ++ if (timer->card && timer->card->shutdown)
2148 ++ return;
2149 ++
2150 + spin_lock_irqsave(&timer->lock, flags);
2151 +
2152 + /* remember the current resolution */
2153 +@@ -694,7 +725,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left)
2154 + } else {
2155 + ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
2156 + if (--timer->running)
2157 +- list_del(&ti->active_list);
2158 ++ list_del_init(&ti->active_list);
2159 + }
2160 + if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) ||
2161 + (ti->flags & SNDRV_TIMER_IFLG_FAST))
2162 +@@ -874,11 +905,28 @@ static int snd_timer_dev_register(struct snd_device *dev)
2163 + return 0;
2164 + }
2165 +
2166 ++/* just for reference in snd_timer_dev_disconnect() below */
2167 ++static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
2168 ++ int event, struct timespec *tstamp,
2169 ++ unsigned long resolution);
2170 ++
2171 + static int snd_timer_dev_disconnect(struct snd_device *device)
2172 + {
2173 + struct snd_timer *timer = device->device_data;
2174 ++ struct snd_timer_instance *ti;
2175 ++
2176 + mutex_lock(&register_mutex);
2177 + list_del_init(&timer->device_list);
2178 ++ /* wake up pending sleepers */
2179 ++ list_for_each_entry(ti, &timer->open_list_head, open_list) {
2180 ++ /* FIXME: better to have a ti.disconnect() op */
2181 ++ if (ti->ccallback == snd_timer_user_ccallback) {
2182 ++ struct snd_timer_user *tu = ti->callback_data;
2183 ++
2184 ++ tu->disconnected = true;
2185 ++ wake_up(&tu->qchange_sleep);
2186 ++ }
2187 ++ }
2188 + mutex_unlock(&register_mutex);
2189 + return 0;
2190 + }
2191 +@@ -889,6 +937,8 @@ void snd_timer_notify(struct snd_timer *timer, int event, struct timespec *tstam
2192 + unsigned long resolution = 0;
2193 + struct snd_timer_instance *ti, *ts;
2194 +
2195 ++ if (timer->card && timer->card->shutdown)
2196 ++ return;
2197 + if (! (timer->hw.flags & SNDRV_TIMER_HW_SLAVE))
2198 + return;
2199 + if (snd_BUG_ON(event < SNDRV_TIMER_EVENT_MSTART ||
2200 +@@ -1047,6 +1097,8 @@ static void snd_timer_proc_read(struct snd_info_entry *entry,
2201 +
2202 + mutex_lock(&register_mutex);
2203 + list_for_each_entry(timer, &snd_timer_list, device_list) {
2204 ++ if (timer->card && timer->card->shutdown)
2205 ++ continue;
2206 + switch (timer->tmr_class) {
2207 + case SNDRV_TIMER_CLASS_GLOBAL:
2208 + snd_iprintf(buffer, "G%i: ", timer->tmr_device);
2209 +@@ -1253,7 +1305,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file)
2210 + return -ENOMEM;
2211 + spin_lock_init(&tu->qlock);
2212 + init_waitqueue_head(&tu->qchange_sleep);
2213 +- mutex_init(&tu->tread_sem);
2214 ++ mutex_init(&tu->ioctl_lock);
2215 + tu->ticks = 1;
2216 + tu->queue_size = 128;
2217 + tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read),
2218 +@@ -1273,8 +1325,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file)
2219 + if (file->private_data) {
2220 + tu = file->private_data;
2221 + file->private_data = NULL;
2222 ++ mutex_lock(&tu->ioctl_lock);
2223 + if (tu->timeri)
2224 + snd_timer_close(tu->timeri);
2225 ++ mutex_unlock(&tu->ioctl_lock);
2226 + kfree(tu->queue);
2227 + kfree(tu->tqueue);
2228 + kfree(tu);
2229 +@@ -1512,7 +1566,6 @@ static int snd_timer_user_tselect(struct file *file,
2230 + int err = 0;
2231 +
2232 + tu = file->private_data;
2233 +- mutex_lock(&tu->tread_sem);
2234 + if (tu->timeri) {
2235 + snd_timer_close(tu->timeri);
2236 + tu->timeri = NULL;
2237 +@@ -1556,7 +1609,6 @@ static int snd_timer_user_tselect(struct file *file,
2238 + }
2239 +
2240 + __err:
2241 +- mutex_unlock(&tu->tread_sem);
2242 + return err;
2243 + }
2244 +
2245 +@@ -1769,7 +1821,7 @@ enum {
2246 + SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23),
2247 + };
2248 +
2249 +-static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
2250 ++static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd,
2251 + unsigned long arg)
2252 + {
2253 + struct snd_timer_user *tu;
2254 +@@ -1786,17 +1838,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
2255 + {
2256 + int xarg;
2257 +
2258 +- mutex_lock(&tu->tread_sem);
2259 +- if (tu->timeri) { /* too late */
2260 +- mutex_unlock(&tu->tread_sem);
2261 ++ if (tu->timeri) /* too late */
2262 + return -EBUSY;
2263 +- }
2264 +- if (get_user(xarg, p)) {
2265 +- mutex_unlock(&tu->tread_sem);
2266 ++ if (get_user(xarg, p))
2267 + return -EFAULT;
2268 +- }
2269 + tu->tread = xarg ? 1 : 0;
2270 +- mutex_unlock(&tu->tread_sem);
2271 + return 0;
2272 + }
2273 + case SNDRV_TIMER_IOCTL_GINFO:
2274 +@@ -1829,6 +1875,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
2275 + return -ENOTTY;
2276 + }
2277 +
2278 ++static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
2279 ++ unsigned long arg)
2280 ++{
2281 ++ struct snd_timer_user *tu = file->private_data;
2282 ++ long ret;
2283 ++
2284 ++ mutex_lock(&tu->ioctl_lock);
2285 ++ ret = __snd_timer_user_ioctl(file, cmd, arg);
2286 ++ mutex_unlock(&tu->ioctl_lock);
2287 ++ return ret;
2288 ++}
2289 ++
2290 + static int snd_timer_user_fasync(int fd, struct file * file, int on)
2291 + {
2292 + struct snd_timer_user *tu;
2293 +@@ -1866,6 +1924,10 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer,
2294 +
2295 + remove_wait_queue(&tu->qchange_sleep, &wait);
2296 +
2297 ++ if (tu->disconnected) {
2298 ++ err = -ENODEV;
2299 ++ break;
2300 ++ }
2301 + if (signal_pending(current)) {
2302 + err = -ERESTARTSYS;
2303 + break;
2304 +@@ -1915,6 +1977,8 @@ static unsigned int snd_timer_user_poll(struct file *file, poll_table * wait)
2305 + mask = 0;
2306 + if (tu->qused)
2307 + mask |= POLLIN | POLLRDNORM;
2308 ++ if (tu->disconnected)
2309 ++ mask |= POLLERR;
2310 +
2311 + return mask;
2312 + }
2313 +diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c
2314 +index 70671ad65d24..6efadbfb3fe3 100644
2315 +--- a/sound/pci/hda/hda_bind.c
2316 ++++ b/sound/pci/hda/hda_bind.c
2317 +@@ -174,14 +174,40 @@ static inline bool codec_probed(struct hda_codec *codec)
2318 + return device_attach(hda_codec_dev(codec)) > 0 && codec->preset;
2319 + }
2320 +
2321 +-/* try to auto-load and bind the codec module */
2322 +-static void codec_bind_module(struct hda_codec *codec)
2323 ++/* try to auto-load codec module */
2324 ++static void request_codec_module(struct hda_codec *codec)
2325 + {
2326 + #ifdef MODULE
2327 + char modalias[32];
2328 ++ const char *mod = NULL;
2329 ++
2330 ++ switch (codec->probe_id) {
2331 ++ case HDA_CODEC_ID_GENERIC_HDMI:
2332 ++#if IS_MODULE(CONFIG_SND_HDA_CODEC_HDMI)
2333 ++ mod = "snd-hda-codec-hdmi";
2334 ++#endif
2335 ++ break;
2336 ++ case HDA_CODEC_ID_GENERIC:
2337 ++#if IS_MODULE(CONFIG_SND_HDA_GENERIC)
2338 ++ mod = "snd-hda-codec-generic";
2339 ++#endif
2340 ++ break;
2341 ++ default:
2342 ++ snd_hdac_codec_modalias(&codec->core, modalias, sizeof(modalias));
2343 ++ mod = modalias;
2344 ++ break;
2345 ++ }
2346 ++
2347 ++ if (mod)
2348 ++ request_module(mod);
2349 ++#endif /* MODULE */
2350 ++}
2351 +
2352 +- snd_hdac_codec_modalias(&codec->core, modalias, sizeof(modalias));
2353 +- request_module(modalias);
2354 ++/* try to auto-load and bind the codec module */
2355 ++static void codec_bind_module(struct hda_codec *codec)
2356 ++{
2357 ++#ifdef MODULE
2358 ++ request_codec_module(codec);
2359 + if (codec_probed(codec))
2360 + return;
2361 + #endif
2362 +@@ -218,17 +244,13 @@ static int codec_bind_generic(struct hda_codec *codec)
2363 +
2364 + if (is_likely_hdmi_codec(codec)) {
2365 + codec->probe_id = HDA_CODEC_ID_GENERIC_HDMI;
2366 +-#if IS_MODULE(CONFIG_SND_HDA_CODEC_HDMI)
2367 +- request_module("snd-hda-codec-hdmi");
2368 +-#endif
2369 ++ request_codec_module(codec);
2370 + if (codec_probed(codec))
2371 + return 0;
2372 + }
2373 +
2374 + codec->probe_id = HDA_CODEC_ID_GENERIC;
2375 +-#if IS_MODULE(CONFIG_SND_HDA_GENERIC)
2376 +- request_module("snd-hda-codec-generic");
2377 +-#endif
2378 ++ request_codec_module(codec);
2379 + if (codec_probed(codec))
2380 + return 0;
2381 + return -ENODEV;
2382 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
2383 +index 3b3658297070..614baff1f5d7 100644
2384 +--- a/sound/pci/hda/hda_intel.c
2385 ++++ b/sound/pci/hda/hda_intel.c
2386 +@@ -2126,9 +2126,17 @@ i915_power_fail:
2387 + static void azx_remove(struct pci_dev *pci)
2388 + {
2389 + struct snd_card *card = pci_get_drvdata(pci);
2390 ++ struct azx *chip;
2391 ++ struct hda_intel *hda;
2392 ++
2393 ++ if (card) {
2394 ++ /* flush the pending probing work */
2395 ++ chip = card->private_data;
2396 ++ hda = container_of(chip, struct hda_intel, chip);
2397 ++ flush_work(&hda->probe_work);
2398 +
2399 +- if (card)
2400 + snd_card_free(card);
2401 ++ }
2402 + }
2403 +
2404 + static void azx_shutdown(struct pci_dev *pci)
2405 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
2406 +index 3a89d82f8057..33753244f48f 100644
2407 +--- a/sound/pci/hda/patch_realtek.c
2408 ++++ b/sound/pci/hda/patch_realtek.c
2409 +@@ -4666,6 +4666,7 @@ enum {
2410 + ALC290_FIXUP_SUBWOOFER,
2411 + ALC290_FIXUP_SUBWOOFER_HSJACK,
2412 + ALC269_FIXUP_THINKPAD_ACPI,
2413 ++ ALC269_FIXUP_DMIC_THINKPAD_ACPI,
2414 + ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
2415 + ALC255_FIXUP_DELL2_MIC_NO_PRESENCE,
2416 + ALC255_FIXUP_HEADSET_MODE,
2417 +@@ -5103,6 +5104,12 @@ static const struct hda_fixup alc269_fixups[] = {
2418 + .type = HDA_FIXUP_FUNC,
2419 + .v.func = hda_fixup_thinkpad_acpi,
2420 + },
2421 ++ [ALC269_FIXUP_DMIC_THINKPAD_ACPI] = {
2422 ++ .type = HDA_FIXUP_FUNC,
2423 ++ .v.func = alc_fixup_inv_dmic,
2424 ++ .chained = true,
2425 ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI,
2426 ++ },
2427 + [ALC255_FIXUP_DELL1_MIC_NO_PRESENCE] = {
2428 + .type = HDA_FIXUP_PINS,
2429 + .v.pins = (const struct hda_pintbl[]) {
2430 +@@ -5324,6 +5331,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
2431 + SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z),
2432 + SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS),
2433 + SND_PCI_QUIRK(0x1028, 0x05bd, "Dell Latitude E6440", ALC292_FIXUP_DELL_E7X),
2434 ++ SND_PCI_QUIRK(0x1028, 0x05be, "Dell Latitude E6540", ALC292_FIXUP_DELL_E7X),
2435 + SND_PCI_QUIRK(0x1028, 0x05ca, "Dell Latitude E7240", ALC292_FIXUP_DELL_E7X),
2436 + SND_PCI_QUIRK(0x1028, 0x05cb, "Dell Latitude E7440", ALC292_FIXUP_DELL_E7X),
2437 + SND_PCI_QUIRK(0x1028, 0x05da, "Dell Vostro 5460", ALC290_FIXUP_SUBWOOFER),
2438 +@@ -5332,6 +5340,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
2439 + SND_PCI_QUIRK(0x1028, 0x05f6, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE),
2440 + SND_PCI_QUIRK(0x1028, 0x0615, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK),
2441 + SND_PCI_QUIRK(0x1028, 0x0616, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK),
2442 ++ SND_PCI_QUIRK(0x1028, 0x062c, "Dell Latitude E5550", ALC292_FIXUP_DELL_E7X),
2443 + SND_PCI_QUIRK(0x1028, 0x062e, "Dell Latitude E7450", ALC292_FIXUP_DELL_E7X),
2444 + SND_PCI_QUIRK(0x1028, 0x0638, "Dell Inspiron 5439", ALC290_FIXUP_MONO_SPEAKERS_HSJACK),
2445 + SND_PCI_QUIRK(0x1028, 0x064a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
2446 +@@ -5457,6 +5466,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
2447 + SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
2448 + SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC293_FIXUP_LENOVO_SPK_NOISE),
2449 + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
2450 ++ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
2451 + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
2452 + SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
2453 + SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
2454 +@@ -5617,6 +5627,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
2455 + {0x21, 0x02211040}),
2456 + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
2457 + {0x12, 0x90a60170},
2458 ++ {0x14, 0x90171130},
2459 ++ {0x21, 0x02211040}),
2460 ++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
2461 ++ {0x12, 0x90a60170},
2462 + {0x14, 0x90170140},
2463 + {0x21, 0x02211050}),
2464 + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5548", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
2465 +@@ -6552,6 +6566,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
2466 + SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
2467 + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
2468 + SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A),
2469 ++ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
2470 + SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
2471 + SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
2472 + SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16),
2473 +diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c
2474 +index c04c0bc6f58a..52b9ccf6d389 100644
2475 +--- a/sound/soc/codecs/wm5110.c
2476 ++++ b/sound/soc/codecs/wm5110.c
2477 +@@ -360,15 +360,13 @@ static int wm5110_hp_ev(struct snd_soc_dapm_widget *w,
2478 +
2479 + static int wm5110_clear_pga_volume(struct arizona *arizona, int output)
2480 + {
2481 +- struct reg_sequence clear_pga = {
2482 +- ARIZONA_OUTPUT_PATH_CONFIG_1L + output * 4, 0x80
2483 +- };
2484 ++ unsigned int reg = ARIZONA_OUTPUT_PATH_CONFIG_1L + output * 4;
2485 + int ret;
2486 +
2487 +- ret = regmap_multi_reg_write_bypassed(arizona->regmap, &clear_pga, 1);
2488 ++ ret = regmap_write(arizona->regmap, reg, 0x80);
2489 + if (ret)
2490 + dev_err(arizona->dev, "Failed to clear PGA (0x%x): %d\n",
2491 +- clear_pga.reg, ret);
2492 ++ reg, ret);
2493 +
2494 + return ret;
2495 + }
2496 +diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
2497 +index 12a9820feac1..bb82bb966000 100644
2498 +--- a/sound/soc/soc-compress.c
2499 ++++ b/sound/soc/soc-compress.c
2500 +@@ -630,6 +630,7 @@ int snd_soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num)
2501 + struct snd_pcm *be_pcm;
2502 + char new_name[64];
2503 + int ret = 0, direction = 0;
2504 ++ int playback = 0, capture = 0;
2505 +
2506 + if (rtd->num_codecs > 1) {
2507 + dev_err(rtd->card->dev, "Multicodec not supported for compressed stream\n");
2508 +@@ -641,11 +642,27 @@ int snd_soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num)
2509 + rtd->dai_link->stream_name, codec_dai->name, num);
2510 +
2511 + if (codec_dai->driver->playback.channels_min)
2512 ++ playback = 1;
2513 ++ if (codec_dai->driver->capture.channels_min)
2514 ++ capture = 1;
2515 ++
2516 ++ capture = capture && cpu_dai->driver->capture.channels_min;
2517 ++ playback = playback && cpu_dai->driver->playback.channels_min;
2518 ++
2519 ++ /*
2520 ++ * Compress devices are unidirectional so only one of the directions
2521 ++ * should be set, check for that (xor)
2522 ++ */
2523 ++ if (playback + capture != 1) {
2524 ++ dev_err(rtd->card->dev, "Invalid direction for compress P %d, C %d\n",
2525 ++ playback, capture);
2526 ++ return -EINVAL;
2527 ++ }
2528 ++
2529 ++ if(playback)
2530 + direction = SND_COMPRESS_PLAYBACK;
2531 +- else if (codec_dai->driver->capture.channels_min)
2532 +- direction = SND_COMPRESS_CAPTURE;
2533 + else
2534 +- return -EINVAL;
2535 ++ direction = SND_COMPRESS_CAPTURE;
2536 +
2537 + compr = kzalloc(sizeof(*compr), GFP_KERNEL);
2538 + if (compr == NULL) {
2539 +diff --git a/sound/usb/card.c b/sound/usb/card.c
2540 +index 18f56646ce86..1f09d9591276 100644
2541 +--- a/sound/usb/card.c
2542 ++++ b/sound/usb/card.c
2543 +@@ -675,6 +675,8 @@ int snd_usb_autoresume(struct snd_usb_audio *chip)
2544 +
2545 + void snd_usb_autosuspend(struct snd_usb_audio *chip)
2546 + {
2547</