Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.3 commit in: /
Date: Sun, 31 Jan 2016 23:31:13
Message-Id: 1454283071.5c6031723f80c0670aa5fe939f24cbcbbfc2cbcd.mpagano@gentoo
1 commit: 5c6031723f80c0670aa5fe939f24cbcbbfc2cbcd
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Sun Jan 31 23:31:11 2016 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 31 23:31:11 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=5c603172
7
8 Linux patch 4.3.5
9
10 0000_README | 4 +
11 1004_linux-4.3.5.patch | 5981 ++++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 5985 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 5f4c1bc..74a7d33 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -59,6 +59,10 @@ Patch: 1003_linux-4.3.4.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.3.4
21
22 +Patch: 1004_linux-4.3.5.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.3.5
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1004_linux-4.3.5.patch b/1004_linux-4.3.5.patch
31 new file mode 100644
32 index 0000000..e04b2cb
33 --- /dev/null
34 +++ b/1004_linux-4.3.5.patch
35 @@ -0,0 +1,5981 @@
36 +diff --git a/Documentation/ABI/testing/sysfs-bus-usb b/Documentation/ABI/testing/sysfs-bus-usb
37 +index 864637f25bee..01c7a41c18ac 100644
38 +--- a/Documentation/ABI/testing/sysfs-bus-usb
39 ++++ b/Documentation/ABI/testing/sysfs-bus-usb
40 +@@ -114,19 +114,21 @@ Description:
41 + enabled for the device. Developer can write y/Y/1 or n/N/0 to
42 + the file to enable/disable the feature.
43 +
44 +-What: /sys/bus/usb/devices/.../power/usb3_hardware_lpm
45 +-Date: June 2015
46 ++What: /sys/bus/usb/devices/.../power/usb3_hardware_lpm_u1
47 ++ /sys/bus/usb/devices/.../power/usb3_hardware_lpm_u2
48 ++Date: November 2015
49 + Contact: Kevin Strasser <kevin.strasser@×××××××××××.com>
50 ++ Lu Baolu <baolu.lu@×××××××××××.com>
51 + Description:
52 + If CONFIG_PM is set and a USB 3.0 lpm-capable device is plugged
53 + in to a xHCI host which supports link PM, it will check if U1
54 + and U2 exit latencies have been set in the BOS descriptor; if
55 +- the check is is passed and the host supports USB3 hardware LPM,
56 ++ the check is passed and the host supports USB3 hardware LPM,
57 + USB3 hardware LPM will be enabled for the device and the USB
58 +- device directory will contain a file named
59 +- power/usb3_hardware_lpm. The file holds a string value (enable
60 +- or disable) indicating whether or not USB3 hardware LPM is
61 +- enabled for the device.
62 ++ device directory will contain two files named
63 ++ power/usb3_hardware_lpm_u1 and power/usb3_hardware_lpm_u2. These
64 ++ files hold a string value (enable or disable) indicating whether
65 ++ or not USB3 hardware LPM U1 or U2 is enabled for the device.
66 +
67 + What: /sys/bus/usb/devices/.../removable
68 + Date: February 2012
69 +diff --git a/Documentation/usb/power-management.txt b/Documentation/usb/power-management.txt
70 +index 4a15c90bc11d..0a94ffe17ab6 100644
71 +--- a/Documentation/usb/power-management.txt
72 ++++ b/Documentation/usb/power-management.txt
73 +@@ -537,17 +537,18 @@ relevant attribute files are usb2_hardware_lpm and usb3_hardware_lpm.
74 + can write y/Y/1 or n/N/0 to the file to enable/disable
75 + USB2 hardware LPM manually. This is for test purpose mainly.
76 +
77 +- power/usb3_hardware_lpm
78 ++ power/usb3_hardware_lpm_u1
79 ++ power/usb3_hardware_lpm_u2
80 +
81 + When a USB 3.0 lpm-capable device is plugged in to a
82 + xHCI host which supports link PM, it will check if U1
83 + and U2 exit latencies have been set in the BOS
84 + descriptor; if the check is is passed and the host
85 + supports USB3 hardware LPM, USB3 hardware LPM will be
86 +- enabled for the device and this file will be created.
87 +- The file holds a string value (enable or disable)
88 +- indicating whether or not USB3 hardware LPM is
89 +- enabled for the device.
90 ++ enabled for the device and these files will be created.
91 ++ The files hold a string value (enable or disable)
92 ++ indicating whether or not USB3 hardware LPM U1 or U2
93 ++ is enabled for the device.
94 +
95 + USB Port Power Control
96 + ----------------------
97 +diff --git a/Makefile b/Makefile
98 +index 69430ed64270..efc7a766c470 100644
99 +--- a/Makefile
100 ++++ b/Makefile
101 +@@ -1,6 +1,6 @@
102 + VERSION = 4
103 + PATCHLEVEL = 3
104 +-SUBLEVEL = 4
105 ++SUBLEVEL = 5
106 + EXTRAVERSION =
107 + NAME = Blurry Fish Butt
108 +
109 +diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
110 +index 6984342da13d..61d96a645ff3 100644
111 +--- a/arch/arm/kvm/mmu.c
112 ++++ b/arch/arm/kvm/mmu.c
113 +@@ -98,6 +98,11 @@ static void kvm_flush_dcache_pud(pud_t pud)
114 + __kvm_flush_dcache_pud(pud);
115 + }
116 +
117 ++static bool kvm_is_device_pfn(unsigned long pfn)
118 ++{
119 ++ return !pfn_valid(pfn);
120 ++}
121 ++
122 + /**
123 + * stage2_dissolve_pmd() - clear and flush huge PMD entry
124 + * @kvm: pointer to kvm structure.
125 +@@ -213,7 +218,7 @@ static void unmap_ptes(struct kvm *kvm, pmd_t *pmd,
126 + kvm_tlb_flush_vmid_ipa(kvm, addr);
127 +
128 + /* No need to invalidate the cache for device mappings */
129 +- if ((pte_val(old_pte) & PAGE_S2_DEVICE) != PAGE_S2_DEVICE)
130 ++ if (!kvm_is_device_pfn(pte_pfn(old_pte)))
131 + kvm_flush_dcache_pte(old_pte);
132 +
133 + put_page(virt_to_page(pte));
134 +@@ -305,8 +310,7 @@ static void stage2_flush_ptes(struct kvm *kvm, pmd_t *pmd,
135 +
136 + pte = pte_offset_kernel(pmd, addr);
137 + do {
138 +- if (!pte_none(*pte) &&
139 +- (pte_val(*pte) & PAGE_S2_DEVICE) != PAGE_S2_DEVICE)
140 ++ if (!pte_none(*pte) && !kvm_is_device_pfn(pte_pfn(*pte)))
141 + kvm_flush_dcache_pte(*pte);
142 + } while (pte++, addr += PAGE_SIZE, addr != end);
143 + }
144 +@@ -1037,11 +1041,6 @@ static bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
145 + return kvm_vcpu_dabt_iswrite(vcpu);
146 + }
147 +
148 +-static bool kvm_is_device_pfn(unsigned long pfn)
149 +-{
150 +- return !pfn_valid(pfn);
151 +-}
152 +-
153 + /**
154 + * stage2_wp_ptes - write protect PMD range
155 + * @pmd: pointer to pmd entry
156 +diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
157 +index b8efb8cd1f73..4d25fd0fae10 100644
158 +--- a/arch/arm/net/bpf_jit_32.c
159 ++++ b/arch/arm/net/bpf_jit_32.c
160 +@@ -182,19 +182,6 @@ static inline int mem_words_used(struct jit_ctx *ctx)
161 + return fls(ctx->seen & SEEN_MEM);
162 + }
163 +
164 +-static inline bool is_load_to_a(u16 inst)
165 +-{
166 +- switch (inst) {
167 +- case BPF_LD | BPF_W | BPF_LEN:
168 +- case BPF_LD | BPF_W | BPF_ABS:
169 +- case BPF_LD | BPF_H | BPF_ABS:
170 +- case BPF_LD | BPF_B | BPF_ABS:
171 +- return true;
172 +- default:
173 +- return false;
174 +- }
175 +-}
176 +-
177 + static void jit_fill_hole(void *area, unsigned int size)
178 + {
179 + u32 *ptr;
180 +@@ -206,7 +193,6 @@ static void jit_fill_hole(void *area, unsigned int size)
181 + static void build_prologue(struct jit_ctx *ctx)
182 + {
183 + u16 reg_set = saved_regs(ctx);
184 +- u16 first_inst = ctx->skf->insns[0].code;
185 + u16 off;
186 +
187 + #ifdef CONFIG_FRAME_POINTER
188 +@@ -236,7 +222,7 @@ static void build_prologue(struct jit_ctx *ctx)
189 + emit(ARM_MOV_I(r_X, 0), ctx);
190 +
191 + /* do not leak kernel data to userspace */
192 +- if ((first_inst != (BPF_RET | BPF_K)) && !(is_load_to_a(first_inst)))
193 ++ if (bpf_needs_clear_a(&ctx->skf->insns[0]))
194 + emit(ARM_MOV_I(r_A, 0), ctx);
195 +
196 + /* stack space for the BPF_MEM words */
197 +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
198 +index 07d1811aa03f..a92266e634cd 100644
199 +--- a/arch/arm64/Kconfig
200 ++++ b/arch/arm64/Kconfig
201 +@@ -311,6 +311,27 @@ config ARM64_ERRATUM_832075
202 +
203 + If unsure, say Y.
204 +
205 ++config ARM64_ERRATUM_834220
206 ++ bool "Cortex-A57: 834220: Stage 2 translation fault might be incorrectly reported in presence of a Stage 1 fault"
207 ++ depends on KVM
208 ++ default y
209 ++ help
210 ++ This option adds an alternative code sequence to work around ARM
211 ++ erratum 834220 on Cortex-A57 parts up to r1p2.
212 ++
213 ++ Affected Cortex-A57 parts might report a Stage 2 translation
214 ++ fault as a the result of a Stage 1 fault for a load crossing
215 ++ a page boundary when there is a Stage 1 permission or device
216 ++ memory alignment fault and a Stage 2 translation fault
217 ++
218 ++ The workaround is to verify that the Stage-1 translation
219 ++ doesn't generate a fault before handling the Stage-2 fault.
220 ++ Please note that this does not necessarily enable the workaround,
221 ++ as it depends on the alternative framework, which will only patch
222 ++ the kernel if an affected CPU is detected.
223 ++
224 ++ If unsure, say Y.
225 ++
226 + config ARM64_ERRATUM_845719
227 + bool "Cortex-A53: 845719: a load might read incorrect data"
228 + depends on COMPAT
229 +diff --git a/arch/arm64/include/asm/atomic_ll_sc.h b/arch/arm64/include/asm/atomic_ll_sc.h
230 +index b3b5c4ae3800..af5b9d5c5c23 100644
231 +--- a/arch/arm64/include/asm/atomic_ll_sc.h
232 ++++ b/arch/arm64/include/asm/atomic_ll_sc.h
233 +@@ -211,7 +211,7 @@ __CMPXCHG_CASE( , , mb_8, dmb ish, l, "memory")
234 + #undef __CMPXCHG_CASE
235 +
236 + #define __CMPXCHG_DBL(name, mb, rel, cl) \
237 +-__LL_SC_INLINE int \
238 ++__LL_SC_INLINE long \
239 + __LL_SC_PREFIX(__cmpxchg_double##name(unsigned long old1, \
240 + unsigned long old2, \
241 + unsigned long new1, \
242 +diff --git a/arch/arm64/include/asm/atomic_lse.h b/arch/arm64/include/asm/atomic_lse.h
243 +index 55d740e63459..4d548aa54b21 100644
244 +--- a/arch/arm64/include/asm/atomic_lse.h
245 ++++ b/arch/arm64/include/asm/atomic_lse.h
246 +@@ -348,7 +348,7 @@ __CMPXCHG_CASE(x, , mb_8, al, "memory")
247 + #define __LL_SC_CMPXCHG_DBL(op) __LL_SC_CALL(__cmpxchg_double##op)
248 +
249 + #define __CMPXCHG_DBL(name, mb, cl...) \
250 +-static inline int __cmpxchg_double##name(unsigned long old1, \
251 ++static inline long __cmpxchg_double##name(unsigned long old1, \
252 + unsigned long old2, \
253 + unsigned long new1, \
254 + unsigned long new2, \
255 +diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h
256 +index 171570702bb8..a1a5981526fe 100644
257 +--- a/arch/arm64/include/asm/cpufeature.h
258 ++++ b/arch/arm64/include/asm/cpufeature.h
259 +@@ -27,8 +27,9 @@
260 + #define ARM64_HAS_SYSREG_GIC_CPUIF 3
261 + #define ARM64_HAS_PAN 4
262 + #define ARM64_HAS_LSE_ATOMICS 5
263 ++#define ARM64_WORKAROUND_834220 6
264 +
265 +-#define ARM64_NCAPS 6
266 ++#define ARM64_NCAPS 7
267 +
268 + #ifndef __ASSEMBLY__
269 +
270 +diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h
271 +index 17e92f05b1fe..3ca894ecf699 100644
272 +--- a/arch/arm64/include/asm/kvm_emulate.h
273 ++++ b/arch/arm64/include/asm/kvm_emulate.h
274 +@@ -99,11 +99,13 @@ static inline void vcpu_set_thumb(struct kvm_vcpu *vcpu)
275 + *vcpu_cpsr(vcpu) |= COMPAT_PSR_T_BIT;
276 + }
277 +
278 ++/*
279 ++ * vcpu_reg should always be passed a register number coming from a
280 ++ * read of ESR_EL2. Otherwise, it may give the wrong result on AArch32
281 ++ * with banked registers.
282 ++ */
283 + static inline unsigned long *vcpu_reg(const struct kvm_vcpu *vcpu, u8 reg_num)
284 + {
285 +- if (vcpu_mode_is_32bit(vcpu))
286 +- return vcpu_reg32(vcpu, reg_num);
287 +-
288 + return (unsigned long *)&vcpu_gp_regs(vcpu)->regs.regs[reg_num];
289 + }
290 +
291 +diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
292 +index 6ffd91438560..dc0df822def3 100644
293 +--- a/arch/arm64/kernel/cpu_errata.c
294 ++++ b/arch/arm64/kernel/cpu_errata.c
295 +@@ -74,6 +74,15 @@ const struct arm64_cpu_capabilities arm64_errata[] = {
296 + (1 << MIDR_VARIANT_SHIFT) | 2),
297 + },
298 + #endif
299 ++#ifdef CONFIG_ARM64_ERRATUM_834220
300 ++ {
301 ++ /* Cortex-A57 r0p0 - r1p2 */
302 ++ .desc = "ARM erratum 834220",
303 ++ .capability = ARM64_WORKAROUND_834220,
304 ++ MIDR_RANGE(MIDR_CORTEX_A57, 0x00,
305 ++ (1 << MIDR_VARIANT_SHIFT) | 2),
306 ++ },
307 ++#endif
308 + #ifdef CONFIG_ARM64_ERRATUM_845719
309 + {
310 + /* Cortex-A53 r0p[01234] */
311 +diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
312 +index 90d09eddd5b2..b84ef8376471 100644
313 +--- a/arch/arm64/kernel/head.S
314 ++++ b/arch/arm64/kernel/head.S
315 +@@ -524,9 +524,14 @@ CPU_LE( movk x0, #0x30d0, lsl #16 ) // Clear EE and E0E on LE systems
316 + #endif
317 +
318 + /* EL2 debug */
319 ++ mrs x0, id_aa64dfr0_el1 // Check ID_AA64DFR0_EL1 PMUVer
320 ++ sbfx x0, x0, #8, #4
321 ++ cmp x0, #1
322 ++ b.lt 4f // Skip if no PMU present
323 + mrs x0, pmcr_el0 // Disable debug access traps
324 + ubfx x0, x0, #11, #5 // to EL2 and allow access to
325 + msr mdcr_el2, x0 // all PMU counters from EL1
326 ++4:
327 +
328 + /* Stage-2 translation */
329 + msr vttbr_el2, xzr
330 +diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
331 +index f9a74d4fff3b..f325af5b38e3 100644
332 +--- a/arch/arm64/kernel/perf_event.c
333 ++++ b/arch/arm64/kernel/perf_event.c
334 +@@ -1159,9 +1159,6 @@ static void armv8pmu_reset(void *info)
335 +
336 + /* Initialize & Reset PMNC: C and P bits. */
337 + armv8pmu_pmcr_write(ARMV8_PMCR_P | ARMV8_PMCR_C);
338 +-
339 +- /* Disable access from userspace. */
340 +- asm volatile("msr pmuserenr_el0, %0" :: "r" (0));
341 + }
342 +
343 + static int armv8_pmuv3_map_event(struct perf_event *event)
344 +diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
345 +index 1971f491bb90..ff7f13239515 100644
346 +--- a/arch/arm64/kernel/ptrace.c
347 ++++ b/arch/arm64/kernel/ptrace.c
348 +@@ -58,6 +58,12 @@
349 + */
350 + void ptrace_disable(struct task_struct *child)
351 + {
352 ++ /*
353 ++ * This would be better off in core code, but PTRACE_DETACH has
354 ++ * grown its fair share of arch-specific worts and changing it
355 ++ * is likely to cause regressions on obscure architectures.
356 ++ */
357 ++ user_disable_single_step(child);
358 + }
359 +
360 + #ifdef CONFIG_HAVE_HW_BREAKPOINT
361 +diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
362 +index 232247945b1c..9f17dc72645a 100644
363 +--- a/arch/arm64/kernel/setup.c
364 ++++ b/arch/arm64/kernel/setup.c
365 +@@ -558,6 +558,10 @@ static int c_show(struct seq_file *m, void *v)
366 + */
367 + seq_printf(m, "processor\t: %d\n", i);
368 +
369 ++ seq_printf(m, "BogoMIPS\t: %lu.%02lu\n",
370 ++ loops_per_jiffy / (500000UL/HZ),
371 ++ loops_per_jiffy / (5000UL/HZ) % 100);
372 ++
373 + /*
374 + * Dump out the common processor features in a single line.
375 + * Userspace should read the hwcaps with getauxval(AT_HWCAP)
376 +diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c
377 +index 44ca4143b013..dd6ad81d53aa 100644
378 +--- a/arch/arm64/kernel/suspend.c
379 ++++ b/arch/arm64/kernel/suspend.c
380 +@@ -1,3 +1,4 @@
381 ++#include <linux/ftrace.h>
382 + #include <linux/percpu.h>
383 + #include <linux/slab.h>
384 + #include <asm/cacheflush.h>
385 +@@ -71,6 +72,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
386 + local_dbg_save(flags);
387 +
388 + /*
389 ++ * Function graph tracer state gets incosistent when the kernel
390 ++ * calls functions that never return (aka suspend finishers) hence
391 ++ * disable graph tracing during their execution.
392 ++ */
393 ++ pause_graph_tracing();
394 ++
395 ++ /*
396 + * mm context saved on the stack, it will be restored when
397 + * the cpu comes out of reset through the identity mapped
398 + * page tables, so that the thread address space is properly
399 +@@ -111,6 +119,8 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long))
400 + hw_breakpoint_restore(NULL);
401 + }
402 +
403 ++ unpause_graph_tracing();
404 ++
405 + /*
406 + * Restore pstate flags. OS lock and mdscr have been already
407 + * restored, so from this point onwards, debugging is fully
408 +diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S
409 +index e5836138ec42..3e840649b133 100644
410 +--- a/arch/arm64/kvm/hyp.S
411 ++++ b/arch/arm64/kvm/hyp.S
412 +@@ -1007,9 +1007,15 @@ el1_trap:
413 + b.ne 1f // Not an abort we care about
414 +
415 + /* This is an abort. Check for permission fault */
416 ++alternative_if_not ARM64_WORKAROUND_834220
417 + and x2, x1, #ESR_ELx_FSC_TYPE
418 + cmp x2, #FSC_PERM
419 + b.ne 1f // Not a permission fault
420 ++alternative_else
421 ++ nop // Force a Stage-1 translation to occur
422 ++ nop // and return to the guest if it failed
423 ++ nop
424 ++alternative_endif
425 +
426 + /*
427 + * Check for Stage-1 page table walk, which is guaranteed
428 +diff --git a/arch/arm64/kvm/inject_fault.c b/arch/arm64/kvm/inject_fault.c
429 +index 85c57158dcd9..648112e90ed5 100644
430 +--- a/arch/arm64/kvm/inject_fault.c
431 ++++ b/arch/arm64/kvm/inject_fault.c
432 +@@ -48,7 +48,7 @@ static void prepare_fault32(struct kvm_vcpu *vcpu, u32 mode, u32 vect_offset)
433 +
434 + /* Note: These now point to the banked copies */
435 + *vcpu_spsr(vcpu) = new_spsr_value;
436 +- *vcpu_reg(vcpu, 14) = *vcpu_pc(vcpu) + return_offset;
437 ++ *vcpu_reg32(vcpu, 14) = *vcpu_pc(vcpu) + return_offset;
438 +
439 + /* Branch to exception vector */
440 + if (sctlr & (1 << 13))
441 +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
442 +index 9211b8527f25..9317974c9b8e 100644
443 +--- a/arch/arm64/mm/mmu.c
444 ++++ b/arch/arm64/mm/mmu.c
445 +@@ -451,6 +451,9 @@ void __init paging_init(void)
446 +
447 + empty_zero_page = virt_to_page(zero_page);
448 +
449 ++ /* Ensure the zero page is visible to the page table walker */
450 ++ dsb(ishst);
451 ++
452 + /*
453 + * TTBR0 is only used for the identity mapping at this stage. Make it
454 + * point to zero page to avoid speculatively fetching new entries.
455 +diff --git a/arch/arm64/mm/proc-macros.S b/arch/arm64/mm/proc-macros.S
456 +index 4c4d93c4bf65..d69dffffaa89 100644
457 +--- a/arch/arm64/mm/proc-macros.S
458 ++++ b/arch/arm64/mm/proc-macros.S
459 +@@ -62,3 +62,15 @@
460 + bfi \valreg, \tmpreg, #TCR_T0SZ_OFFSET, #TCR_TxSZ_WIDTH
461 + #endif
462 + .endm
463 ++
464 ++/*
465 ++ * reset_pmuserenr_el0 - reset PMUSERENR_EL0 if PMUv3 present
466 ++ */
467 ++ .macro reset_pmuserenr_el0, tmpreg
468 ++ mrs \tmpreg, id_aa64dfr0_el1 // Check ID_AA64DFR0_EL1 PMUVer
469 ++ sbfx \tmpreg, \tmpreg, #8, #4
470 ++ cmp \tmpreg, #1 // Skip if no PMU present
471 ++ b.lt 9000f
472 ++ msr pmuserenr_el0, xzr // Disable PMU access from EL0
473 ++9000:
474 ++ .endm
475 +diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
476 +index e4ee7bd8830a..b722d3e26185 100644
477 +--- a/arch/arm64/mm/proc.S
478 ++++ b/arch/arm64/mm/proc.S
479 +@@ -115,6 +115,7 @@ ENTRY(cpu_do_resume)
480 + */
481 + ubfx x11, x11, #1, #1
482 + msr oslar_el1, x11
483 ++ reset_pmuserenr_el0 x0 // Disable PMU access from EL0
484 + mov x0, x12
485 + dsb nsh // Make sure local tlb invalidation completed
486 + isb
487 +@@ -153,6 +154,7 @@ ENTRY(__cpu_setup)
488 + msr cpacr_el1, x0 // Enable FP/ASIMD
489 + mov x0, #1 << 12 // Reset mdscr_el1 and disable
490 + msr mdscr_el1, x0 // access to the DCC from EL0
491 ++ reset_pmuserenr_el0 x0 // Disable PMU access from EL0
492 + /*
493 + * Memory region attributes for LPAE:
494 + *
495 +diff --git a/arch/arm64/net/bpf_jit.h b/arch/arm64/net/bpf_jit.h
496 +index 98a26ce82d26..aee5637ea436 100644
497 +--- a/arch/arm64/net/bpf_jit.h
498 ++++ b/arch/arm64/net/bpf_jit.h
499 +@@ -1,7 +1,7 @@
500 + /*
501 + * BPF JIT compiler for ARM64
502 + *
503 +- * Copyright (C) 2014 Zi Shen Lim <zlim.lnx@×××××.com>
504 ++ * Copyright (C) 2014-2015 Zi Shen Lim <zlim.lnx@×××××.com>
505 + *
506 + * This program is free software; you can redistribute it and/or modify
507 + * it under the terms of the GNU General Public License version 2 as
508 +@@ -35,6 +35,7 @@
509 + aarch64_insn_gen_comp_branch_imm(0, offset, Rt, A64_VARIANT(sf), \
510 + AARCH64_INSN_BRANCH_COMP_##type)
511 + #define A64_CBZ(sf, Rt, imm19) A64_COMP_BRANCH(sf, Rt, (imm19) << 2, ZERO)
512 ++#define A64_CBNZ(sf, Rt, imm19) A64_COMP_BRANCH(sf, Rt, (imm19) << 2, NONZERO)
513 +
514 + /* Conditional branch (immediate) */
515 + #define A64_COND_BRANCH(cond, offset) \
516 +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
517 +index c047598b09e0..6217f80702d2 100644
518 +--- a/arch/arm64/net/bpf_jit_comp.c
519 ++++ b/arch/arm64/net/bpf_jit_comp.c
520 +@@ -1,7 +1,7 @@
521 + /*
522 + * BPF JIT compiler for ARM64
523 + *
524 +- * Copyright (C) 2014 Zi Shen Lim <zlim.lnx@×××××.com>
525 ++ * Copyright (C) 2014-2015 Zi Shen Lim <zlim.lnx@×××××.com>
526 + *
527 + * This program is free software; you can redistribute it and/or modify
528 + * it under the terms of the GNU General Public License version 2 as
529 +@@ -225,6 +225,17 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
530 + u8 jmp_cond;
531 + s32 jmp_offset;
532 +
533 ++#define check_imm(bits, imm) do { \
534 ++ if ((((imm) > 0) && ((imm) >> (bits))) || \
535 ++ (((imm) < 0) && (~(imm) >> (bits)))) { \
536 ++ pr_info("[%2d] imm=%d(0x%x) out of range\n", \
537 ++ i, imm, imm); \
538 ++ return -EINVAL; \
539 ++ } \
540 ++} while (0)
541 ++#define check_imm19(imm) check_imm(19, imm)
542 ++#define check_imm26(imm) check_imm(26, imm)
543 ++
544 + switch (code) {
545 + /* dst = src */
546 + case BPF_ALU | BPF_MOV | BPF_X:
547 +@@ -258,15 +269,33 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx)
548 + break;
549 + case BPF_ALU | BPF_DIV | BPF_X:
550 + case BPF_ALU64 | BPF_DIV | BPF_X:
551 +- emit(A64_UDIV(is64, dst, dst, src), ctx);
552 +- break;
553 + case BPF_ALU | BPF_MOD | BPF_X:
554 + case BPF_ALU64 | BPF_MOD | BPF_X:
555 +- ctx->tmp_used = 1;
556 +- emit(A64_UDIV(is64, tmp, dst, src), ctx);
557 +- emit(A64_MUL(is64, tmp, tmp, src), ctx);
558 +- emit(A64_SUB(is64, dst, dst, tmp), ctx);
559 ++ {
560 ++ const u8 r0 = bpf2a64[BPF_REG_0];
561 ++
562 ++ /* if (src == 0) return 0 */
563 ++ jmp_offset = 3; /* skip ahead to else path */
564 ++ check_imm19(jmp_offset);
565 ++ emit(A64_CBNZ(is64, src, jmp_offset), ctx);
566 ++ emit(A64_MOVZ(1, r0, 0, 0), ctx);
567 ++ jmp_offset = epilogue_offset(ctx);
568 ++ check_imm26(jmp_offset);
569 ++ emit(A64_B(jmp_offset), ctx);
570 ++ /* else */
571 ++ switch (BPF_OP(code)) {
572 ++ case BPF_DIV:
573 ++ emit(A64_UDIV(is64, dst, dst, src), ctx);
574 ++ break;
575 ++ case BPF_MOD:
576 ++ ctx->tmp_used = 1;
577 ++ emit(A64_UDIV(is64, tmp, dst, src), ctx);
578 ++ emit(A64_MUL(is64, tmp, tmp, src), ctx);
579 ++ emit(A64_SUB(is64, dst, dst, tmp), ctx);
580 ++ break;
581 ++ }
582 + break;
583 ++ }
584 + case BPF_ALU | BPF_LSH | BPF_X:
585 + case BPF_ALU64 | BPF_LSH | BPF_X:
586 + emit(A64_LSLV(is64, dst, dst, src), ctx);
587 +@@ -393,17 +422,6 @@ emit_bswap_uxt:
588 + emit(A64_ASR(is64, dst, dst, imm), ctx);
589 + break;
590 +
591 +-#define check_imm(bits, imm) do { \
592 +- if ((((imm) > 0) && ((imm) >> (bits))) || \
593 +- (((imm) < 0) && (~(imm) >> (bits)))) { \
594 +- pr_info("[%2d] imm=%d(0x%x) out of range\n", \
595 +- i, imm, imm); \
596 +- return -EINVAL; \
597 +- } \
598 +-} while (0)
599 +-#define check_imm19(imm) check_imm(19, imm)
600 +-#define check_imm26(imm) check_imm(26, imm)
601 +-
602 + /* JUMP off */
603 + case BPF_JMP | BPF_JA:
604 + jmp_offset = bpf2a64_offset(i + off, i, ctx);
605 +diff --git a/arch/mips/net/bpf_jit.c b/arch/mips/net/bpf_jit.c
606 +index 0c4a133f6216..26e947d61040 100644
607 +--- a/arch/mips/net/bpf_jit.c
608 ++++ b/arch/mips/net/bpf_jit.c
609 +@@ -521,19 +521,6 @@ static inline u16 align_sp(unsigned int num)
610 + return num;
611 + }
612 +
613 +-static bool is_load_to_a(u16 inst)
614 +-{
615 +- switch (inst) {
616 +- case BPF_LD | BPF_W | BPF_LEN:
617 +- case BPF_LD | BPF_W | BPF_ABS:
618 +- case BPF_LD | BPF_H | BPF_ABS:
619 +- case BPF_LD | BPF_B | BPF_ABS:
620 +- return true;
621 +- default:
622 +- return false;
623 +- }
624 +-}
625 +-
626 + static void save_bpf_jit_regs(struct jit_ctx *ctx, unsigned offset)
627 + {
628 + int i = 0, real_off = 0;
629 +@@ -614,7 +601,6 @@ static unsigned int get_stack_depth(struct jit_ctx *ctx)
630 +
631 + static void build_prologue(struct jit_ctx *ctx)
632 + {
633 +- u16 first_inst = ctx->skf->insns[0].code;
634 + int sp_off;
635 +
636 + /* Calculate the total offset for the stack pointer */
637 +@@ -641,7 +627,7 @@ static void build_prologue(struct jit_ctx *ctx)
638 + emit_jit_reg_move(r_X, r_zero, ctx);
639 +
640 + /* Do not leak kernel data to userspace */
641 +- if ((first_inst != (BPF_RET | BPF_K)) && !(is_load_to_a(first_inst)))
642 ++ if (bpf_needs_clear_a(&ctx->skf->insns[0]))
643 + emit_jit_reg_move(r_A, r_zero, ctx);
644 + }
645 +
646 +diff --git a/arch/mn10300/Kconfig b/arch/mn10300/Kconfig
647 +index 4434b54e1d87..78ae5552fdb8 100644
648 +--- a/arch/mn10300/Kconfig
649 ++++ b/arch/mn10300/Kconfig
650 +@@ -1,6 +1,7 @@
651 + config MN10300
652 + def_bool y
653 + select HAVE_OPROFILE
654 ++ select HAVE_UID16
655 + select GENERIC_IRQ_SHOW
656 + select ARCH_WANT_IPC_PARSE_VERSION
657 + select HAVE_ARCH_TRACEHOOK
658 +@@ -37,9 +38,6 @@ config HIGHMEM
659 + config NUMA
660 + def_bool n
661 +
662 +-config UID16
663 +- def_bool y
664 +-
665 + config RWSEM_GENERIC_SPINLOCK
666 + def_bool y
667 +
668 +diff --git a/arch/powerpc/include/asm/cmpxchg.h b/arch/powerpc/include/asm/cmpxchg.h
669 +index ad6263cffb0f..d1a8d93cccfd 100644
670 +--- a/arch/powerpc/include/asm/cmpxchg.h
671 ++++ b/arch/powerpc/include/asm/cmpxchg.h
672 +@@ -18,12 +18,12 @@ __xchg_u32(volatile void *p, unsigned long val)
673 + unsigned long prev;
674 +
675 + __asm__ __volatile__(
676 +- PPC_RELEASE_BARRIER
677 ++ PPC_ATOMIC_ENTRY_BARRIER
678 + "1: lwarx %0,0,%2 \n"
679 + PPC405_ERR77(0,%2)
680 + " stwcx. %3,0,%2 \n\
681 + bne- 1b"
682 +- PPC_ACQUIRE_BARRIER
683 ++ PPC_ATOMIC_EXIT_BARRIER
684 + : "=&r" (prev), "+m" (*(volatile unsigned int *)p)
685 + : "r" (p), "r" (val)
686 + : "cc", "memory");
687 +@@ -61,12 +61,12 @@ __xchg_u64(volatile void *p, unsigned long val)
688 + unsigned long prev;
689 +
690 + __asm__ __volatile__(
691 +- PPC_RELEASE_BARRIER
692 ++ PPC_ATOMIC_ENTRY_BARRIER
693 + "1: ldarx %0,0,%2 \n"
694 + PPC405_ERR77(0,%2)
695 + " stdcx. %3,0,%2 \n\
696 + bne- 1b"
697 +- PPC_ACQUIRE_BARRIER
698 ++ PPC_ATOMIC_EXIT_BARRIER
699 + : "=&r" (prev), "+m" (*(volatile unsigned long *)p)
700 + : "r" (p), "r" (val)
701 + : "cc", "memory");
702 +@@ -151,14 +151,14 @@ __cmpxchg_u32(volatile unsigned int *p, unsigned long old, unsigned long new)
703 + unsigned int prev;
704 +
705 + __asm__ __volatile__ (
706 +- PPC_RELEASE_BARRIER
707 ++ PPC_ATOMIC_ENTRY_BARRIER
708 + "1: lwarx %0,0,%2 # __cmpxchg_u32\n\
709 + cmpw 0,%0,%3\n\
710 + bne- 2f\n"
711 + PPC405_ERR77(0,%2)
712 + " stwcx. %4,0,%2\n\
713 + bne- 1b"
714 +- PPC_ACQUIRE_BARRIER
715 ++ PPC_ATOMIC_EXIT_BARRIER
716 + "\n\
717 + 2:"
718 + : "=&r" (prev), "+m" (*p)
719 +@@ -197,13 +197,13 @@ __cmpxchg_u64(volatile unsigned long *p, unsigned long old, unsigned long new)
720 + unsigned long prev;
721 +
722 + __asm__ __volatile__ (
723 +- PPC_RELEASE_BARRIER
724 ++ PPC_ATOMIC_ENTRY_BARRIER
725 + "1: ldarx %0,0,%2 # __cmpxchg_u64\n\
726 + cmpd 0,%0,%3\n\
727 + bne- 2f\n\
728 + stdcx. %4,0,%2\n\
729 + bne- 1b"
730 +- PPC_ACQUIRE_BARRIER
731 ++ PPC_ATOMIC_EXIT_BARRIER
732 + "\n\
733 + 2:"
734 + : "=&r" (prev), "+m" (*p)
735 +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
736 +index a908ada8e0a5..2220f7a60def 100644
737 +--- a/arch/powerpc/include/asm/reg.h
738 ++++ b/arch/powerpc/include/asm/reg.h
739 +@@ -108,6 +108,7 @@
740 + #define MSR_TS_T __MASK(MSR_TS_T_LG) /* Transaction Transactional */
741 + #define MSR_TS_MASK (MSR_TS_T | MSR_TS_S) /* Transaction State bits */
742 + #define MSR_TM_ACTIVE(x) (((x) & MSR_TS_MASK) != 0) /* Transaction active? */
743 ++#define MSR_TM_RESV(x) (((x) & MSR_TS_MASK) == MSR_TS_MASK) /* Reserved */
744 + #define MSR_TM_TRANSACTIONAL(x) (((x) & MSR_TS_MASK) == MSR_TS_T)
745 + #define MSR_TM_SUSPENDED(x) (((x) & MSR_TS_MASK) == MSR_TS_S)
746 +
747 +diff --git a/arch/powerpc/include/asm/synch.h b/arch/powerpc/include/asm/synch.h
748 +index e682a7143edb..c50868681f9e 100644
749 +--- a/arch/powerpc/include/asm/synch.h
750 ++++ b/arch/powerpc/include/asm/synch.h
751 +@@ -44,7 +44,7 @@ static inline void isync(void)
752 + MAKE_LWSYNC_SECTION_ENTRY(97, __lwsync_fixup);
753 + #define PPC_ACQUIRE_BARRIER "\n" stringify_in_c(__PPC_ACQUIRE_BARRIER)
754 + #define PPC_RELEASE_BARRIER stringify_in_c(LWSYNC) "\n"
755 +-#define PPC_ATOMIC_ENTRY_BARRIER "\n" stringify_in_c(LWSYNC) "\n"
756 ++#define PPC_ATOMIC_ENTRY_BARRIER "\n" stringify_in_c(sync) "\n"
757 + #define PPC_ATOMIC_EXIT_BARRIER "\n" stringify_in_c(sync) "\n"
758 + #else
759 + #define PPC_ACQUIRE_BARRIER
760 +diff --git a/arch/powerpc/include/uapi/asm/elf.h b/arch/powerpc/include/uapi/asm/elf.h
761 +index 59dad113897b..c2d21d11c2d2 100644
762 +--- a/arch/powerpc/include/uapi/asm/elf.h
763 ++++ b/arch/powerpc/include/uapi/asm/elf.h
764 +@@ -295,6 +295,8 @@ do { \
765 + #define R_PPC64_TLSLD 108
766 + #define R_PPC64_TOCSAVE 109
767 +
768 ++#define R_PPC64_ENTRY 118
769 ++
770 + #define R_PPC64_REL16 249
771 + #define R_PPC64_REL16_LO 250
772 + #define R_PPC64_REL16_HI 251
773 +diff --git a/arch/powerpc/kernel/module_64.c b/arch/powerpc/kernel/module_64.c
774 +index 68384514506b..59663af9315f 100644
775 +--- a/arch/powerpc/kernel/module_64.c
776 ++++ b/arch/powerpc/kernel/module_64.c
777 +@@ -635,6 +635,33 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
778 + */
779 + break;
780 +
781 ++ case R_PPC64_ENTRY:
782 ++ /*
783 ++ * Optimize ELFv2 large code model entry point if
784 ++ * the TOC is within 2GB range of current location.
785 ++ */
786 ++ value = my_r2(sechdrs, me) - (unsigned long)location;
787 ++ if (value + 0x80008000 > 0xffffffff)
788 ++ break;
789 ++ /*
790 ++ * Check for the large code model prolog sequence:
791 ++ * ld r2, ...(r12)
792 ++ * add r2, r2, r12
793 ++ */
794 ++ if ((((uint32_t *)location)[0] & ~0xfffc)
795 ++ != 0xe84c0000)
796 ++ break;
797 ++ if (((uint32_t *)location)[1] != 0x7c426214)
798 ++ break;
799 ++ /*
800 ++ * If found, replace it with:
801 ++ * addis r2, r12, (.TOC.-func)@ha
802 ++ * addi r2, r12, (.TOC.-func)@l
803 ++ */
804 ++ ((uint32_t *)location)[0] = 0x3c4c0000 + PPC_HA(value);
805 ++ ((uint32_t *)location)[1] = 0x38420000 + PPC_LO(value);
806 ++ break;
807 ++
808 + case R_PPC64_REL16_HA:
809 + /* Subtract location pointer */
810 + value -= (unsigned long)location;
811 +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
812 +index 75b6676c1a0b..646bf4d222c1 100644
813 +--- a/arch/powerpc/kernel/process.c
814 ++++ b/arch/powerpc/kernel/process.c
815 +@@ -551,6 +551,24 @@ static void tm_reclaim_thread(struct thread_struct *thr,
816 + msr_diff &= MSR_FP | MSR_VEC | MSR_VSX | MSR_FE0 | MSR_FE1;
817 + }
818 +
819 ++ /*
820 ++ * Use the current MSR TM suspended bit to track if we have
821 ++ * checkpointed state outstanding.
822 ++ * On signal delivery, we'd normally reclaim the checkpointed
823 ++ * state to obtain stack pointer (see:get_tm_stackpointer()).
824 ++ * This will then directly return to userspace without going
825 ++ * through __switch_to(). However, if the stack frame is bad,
826 ++ * we need to exit this thread which calls __switch_to() which
827 ++ * will again attempt to reclaim the already saved tm state.
828 ++ * Hence we need to check that we've not already reclaimed
829 ++ * this state.
830 ++ * We do this using the current MSR, rather tracking it in
831 ++ * some specific thread_struct bit, as it has the additional
832 ++ * benifit of checking for a potential TM bad thing exception.
833 ++ */
834 ++ if (!MSR_TM_SUSPENDED(mfmsr()))
835 ++ return;
836 ++
837 + tm_reclaim(thr, thr->regs->msr, cause);
838 +
839 + /* Having done the reclaim, we now have the checkpointed
840 +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
841 +index 0dbee465af7a..ef7c24e84a62 100644
842 +--- a/arch/powerpc/kernel/signal_32.c
843 ++++ b/arch/powerpc/kernel/signal_32.c
844 +@@ -875,6 +875,15 @@ static long restore_tm_user_regs(struct pt_regs *regs,
845 + return 1;
846 + #endif /* CONFIG_SPE */
847 +
848 ++ /* Get the top half of the MSR from the user context */
849 ++ if (__get_user(msr_hi, &tm_sr->mc_gregs[PT_MSR]))
850 ++ return 1;
851 ++ msr_hi <<= 32;
852 ++ /* If TM bits are set to the reserved value, it's an invalid context */
853 ++ if (MSR_TM_RESV(msr_hi))
854 ++ return 1;
855 ++ /* Pull in the MSR TM bits from the user context */
856 ++ regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr_hi & MSR_TS_MASK);
857 + /* Now, recheckpoint. This loads up all of the checkpointed (older)
858 + * registers, including FP and V[S]Rs. After recheckpointing, the
859 + * transactional versions should be loaded.
860 +@@ -884,11 +893,6 @@ static long restore_tm_user_regs(struct pt_regs *regs,
861 + current->thread.tm_texasr |= TEXASR_FS;
862 + /* This loads the checkpointed FP/VEC state, if used */
863 + tm_recheckpoint(&current->thread, msr);
864 +- /* Get the top half of the MSR */
865 +- if (__get_user(msr_hi, &tm_sr->mc_gregs[PT_MSR]))
866 +- return 1;
867 +- /* Pull in MSR TM from user context */
868 +- regs->msr = (regs->msr & ~MSR_TS_MASK) | ((msr_hi<<32) & MSR_TS_MASK);
869 +
870 + /* This loads the speculative FP/VEC state, if used */
871 + if (msr & MSR_FP) {
872 +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
873 +index 20756dfb9f34..c676ecec0869 100644
874 +--- a/arch/powerpc/kernel/signal_64.c
875 ++++ b/arch/powerpc/kernel/signal_64.c
876 +@@ -438,6 +438,10 @@ static long restore_tm_sigcontexts(struct pt_regs *regs,
877 +
878 + /* get MSR separately, transfer the LE bit if doing signal return */
879 + err |= __get_user(msr, &sc->gp_regs[PT_MSR]);
880 ++ /* Don't allow reserved mode. */
881 ++ if (MSR_TM_RESV(msr))
882 ++ return -EINVAL;
883 ++
884 + /* pull in MSR TM from user context */
885 + regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
886 +
887 +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
888 +index 9c26c5a96ea2..a7352b59e6f9 100644
889 +--- a/arch/powerpc/kvm/book3s_hv.c
890 ++++ b/arch/powerpc/kvm/book3s_hv.c
891 +@@ -224,6 +224,12 @@ static void kvmppc_core_vcpu_put_hv(struct kvm_vcpu *vcpu)
892 +
893 + static void kvmppc_set_msr_hv(struct kvm_vcpu *vcpu, u64 msr)
894 + {
895 ++ /*
896 ++ * Check for illegal transactional state bit combination
897 ++ * and if we find it, force the TS field to a safe state.
898 ++ */
899 ++ if ((msr & MSR_TS_MASK) == MSR_TS_MASK)
900 ++ msr &= ~MSR_TS_MASK;
901 + vcpu->arch.shregs.msr = msr;
902 + kvmppc_end_cede(vcpu);
903 + }
904 +@@ -2019,7 +2025,7 @@ static bool can_split_piggybacked_subcores(struct core_info *cip)
905 + return false;
906 + n_subcores += (cip->subcore_threads[sub] - 1) >> 1;
907 + }
908 +- if (n_subcores > 3 || large_sub < 0)
909 ++ if (large_sub < 0 || !subcore_config_ok(n_subcores + 1, 2))
910 + return false;
911 +
912 + /*
913 +diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
914 +index 17cea18a09d3..264c473c1b3c 100644
915 +--- a/arch/powerpc/net/bpf_jit_comp.c
916 ++++ b/arch/powerpc/net/bpf_jit_comp.c
917 +@@ -78,18 +78,9 @@ static void bpf_jit_build_prologue(struct bpf_prog *fp, u32 *image,
918 + PPC_LI(r_X, 0);
919 + }
920 +
921 +- switch (filter[0].code) {
922 +- case BPF_RET | BPF_K:
923 +- case BPF_LD | BPF_W | BPF_LEN:
924 +- case BPF_LD | BPF_W | BPF_ABS:
925 +- case BPF_LD | BPF_H | BPF_ABS:
926 +- case BPF_LD | BPF_B | BPF_ABS:
927 +- /* first instruction sets A register (or is RET 'constant') */
928 +- break;
929 +- default:
930 +- /* make sure we dont leak kernel information to user */
931 ++ /* make sure we dont leak kernel information to user */
932 ++ if (bpf_needs_clear_a(&filter[0]))
933 + PPC_LI(r_A, 0);
934 +- }
935 + }
936 +
937 + static void bpf_jit_build_epilogue(u32 *image, struct codegen_context *ctx)
938 +diff --git a/arch/powerpc/platforms/powernv/opal-irqchip.c b/arch/powerpc/platforms/powernv/opal-irqchip.c
939 +index 2c91ee7800b9..e96027d27151 100644
940 +--- a/arch/powerpc/platforms/powernv/opal-irqchip.c
941 ++++ b/arch/powerpc/platforms/powernv/opal-irqchip.c
942 +@@ -43,11 +43,34 @@ static unsigned int opal_irq_count;
943 + static unsigned int *opal_irqs;
944 +
945 + static void opal_handle_irq_work(struct irq_work *work);
946 +-static __be64 last_outstanding_events;
947 ++static u64 last_outstanding_events;
948 + static struct irq_work opal_event_irq_work = {
949 + .func = opal_handle_irq_work,
950 + };
951 +
952 ++void opal_handle_events(uint64_t events)
953 ++{
954 ++ int virq, hwirq = 0;
955 ++ u64 mask = opal_event_irqchip.mask;
956 ++
957 ++ if (!in_irq() && (events & mask)) {
958 ++ last_outstanding_events = events;
959 ++ irq_work_queue(&opal_event_irq_work);
960 ++ return;
961 ++ }
962 ++
963 ++ while (events & mask) {
964 ++ hwirq = fls64(events) - 1;
965 ++ if (BIT_ULL(hwirq) & mask) {
966 ++ virq = irq_find_mapping(opal_event_irqchip.domain,
967 ++ hwirq);
968 ++ if (virq)
969 ++ generic_handle_irq(virq);
970 ++ }
971 ++ events &= ~BIT_ULL(hwirq);
972 ++ }
973 ++}
974 ++
975 + static void opal_event_mask(struct irq_data *d)
976 + {
977 + clear_bit(d->hwirq, &opal_event_irqchip.mask);
978 +@@ -55,9 +78,21 @@ static void opal_event_mask(struct irq_data *d)
979 +
980 + static void opal_event_unmask(struct irq_data *d)
981 + {
982 ++ __be64 events;
983 ++
984 + set_bit(d->hwirq, &opal_event_irqchip.mask);
985 +
986 +- opal_poll_events(&last_outstanding_events);
987 ++ opal_poll_events(&events);
988 ++ last_outstanding_events = be64_to_cpu(events);
989 ++
990 ++ /*
991 ++ * We can't just handle the events now with opal_handle_events().
992 ++ * If we did we would deadlock when opal_event_unmask() is called from
993 ++ * handle_level_irq() with the irq descriptor lock held, because
994 ++ * calling opal_handle_events() would call generic_handle_irq() and
995 ++ * then handle_level_irq() which would try to take the descriptor lock
996 ++ * again. Instead queue the events for later.
997 ++ */
998 + if (last_outstanding_events & opal_event_irqchip.mask)
999 + /* Need to retrigger the interrupt */
1000 + irq_work_queue(&opal_event_irq_work);
1001 +@@ -96,29 +131,6 @@ static int opal_event_map(struct irq_domain *d, unsigned int irq,
1002 + return 0;
1003 + }
1004 +
1005 +-void opal_handle_events(uint64_t events)
1006 +-{
1007 +- int virq, hwirq = 0;
1008 +- u64 mask = opal_event_irqchip.mask;
1009 +-
1010 +- if (!in_irq() && (events & mask)) {
1011 +- last_outstanding_events = events;
1012 +- irq_work_queue(&opal_event_irq_work);
1013 +- return;
1014 +- }
1015 +-
1016 +- while (events & mask) {
1017 +- hwirq = fls64(events) - 1;
1018 +- if (BIT_ULL(hwirq) & mask) {
1019 +- virq = irq_find_mapping(opal_event_irqchip.domain,
1020 +- hwirq);
1021 +- if (virq)
1022 +- generic_handle_irq(virq);
1023 +- }
1024 +- events &= ~BIT_ULL(hwirq);
1025 +- }
1026 +-}
1027 +-
1028 + static irqreturn_t opal_interrupt(int irq, void *data)
1029 + {
1030 + __be64 events;
1031 +@@ -131,7 +143,7 @@ static irqreturn_t opal_interrupt(int irq, void *data)
1032 +
1033 + static void opal_handle_irq_work(struct irq_work *work)
1034 + {
1035 +- opal_handle_events(be64_to_cpu(last_outstanding_events));
1036 ++ opal_handle_events(last_outstanding_events);
1037 + }
1038 +
1039 + static int opal_event_match(struct irq_domain *h, struct device_node *node,
1040 +diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
1041 +index 4296d55e88f3..57cffb80bc36 100644
1042 +--- a/arch/powerpc/platforms/powernv/opal.c
1043 ++++ b/arch/powerpc/platforms/powernv/opal.c
1044 +@@ -278,7 +278,7 @@ static void opal_handle_message(void)
1045 +
1046 + /* Sanity check */
1047 + if (type >= OPAL_MSG_TYPE_MAX) {
1048 +- pr_warning("%s: Unknown message type: %u\n", __func__, type);
1049 ++ pr_warn_once("%s: Unknown message type: %u\n", __func__, type);
1050 + return;
1051 + }
1052 + opal_message_do_notify(type, (void *)&msg);
1053 +diff --git a/arch/sparc/net/bpf_jit_comp.c b/arch/sparc/net/bpf_jit_comp.c
1054 +index f8b9f71b9a2b..17e71d2d96e5 100644
1055 +--- a/arch/sparc/net/bpf_jit_comp.c
1056 ++++ b/arch/sparc/net/bpf_jit_comp.c
1057 +@@ -420,22 +420,9 @@ void bpf_jit_compile(struct bpf_prog *fp)
1058 + }
1059 + emit_reg_move(O7, r_saved_O7);
1060 +
1061 +- switch (filter[0].code) {
1062 +- case BPF_RET | BPF_K:
1063 +- case BPF_LD | BPF_W | BPF_LEN:
1064 +- case BPF_LD | BPF_W | BPF_ABS:
1065 +- case BPF_LD | BPF_H | BPF_ABS:
1066 +- case BPF_LD | BPF_B | BPF_ABS:
1067 +- /* The first instruction sets the A register (or is
1068 +- * a "RET 'constant'")
1069 +- */
1070 +- break;
1071 +- default:
1072 +- /* Make sure we dont leak kernel information to the
1073 +- * user.
1074 +- */
1075 ++ /* Make sure we dont leak kernel information to the user. */
1076 ++ if (bpf_needs_clear_a(&filter[0]))
1077 + emit_clear(r_A); /* A = 0 */
1078 +- }
1079 +
1080 + for (i = 0; i < flen; i++) {
1081 + unsigned int K = filter[i].k;
1082 +diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
1083 +index 4fa687a47a62..6b8d6e8cd449 100644
1084 +--- a/arch/x86/include/asm/boot.h
1085 ++++ b/arch/x86/include/asm/boot.h
1086 +@@ -27,7 +27,7 @@
1087 + #define BOOT_HEAP_SIZE 0x400000
1088 + #else /* !CONFIG_KERNEL_BZIP2 */
1089 +
1090 +-#define BOOT_HEAP_SIZE 0x8000
1091 ++#define BOOT_HEAP_SIZE 0x10000
1092 +
1093 + #endif /* !CONFIG_KERNEL_BZIP2 */
1094 +
1095 +diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
1096 +index 379cd3658799..bfd9b2a35a0b 100644
1097 +--- a/arch/x86/include/asm/mmu_context.h
1098 ++++ b/arch/x86/include/asm/mmu_context.h
1099 +@@ -116,8 +116,36 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
1100 + #endif
1101 + cpumask_set_cpu(cpu, mm_cpumask(next));
1102 +
1103 +- /* Re-load page tables */
1104 ++ /*
1105 ++ * Re-load page tables.
1106 ++ *
1107 ++ * This logic has an ordering constraint:
1108 ++ *
1109 ++ * CPU 0: Write to a PTE for 'next'
1110 ++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
1111 ++ * CPU 1: set bit 1 in next's mm_cpumask
1112 ++ * CPU 1: load from the PTE that CPU 0 writes (implicit)
1113 ++ *
1114 ++ * We need to prevent an outcome in which CPU 1 observes
1115 ++ * the new PTE value and CPU 0 observes bit 1 clear in
1116 ++ * mm_cpumask. (If that occurs, then the IPI will never
1117 ++ * be sent, and CPU 0's TLB will contain a stale entry.)
1118 ++ *
1119 ++ * The bad outcome can occur if either CPU's load is
1120 ++ * reordered before that CPU's store, so both CPUs must
1121 ++ * execute full barriers to prevent this from happening.
1122 ++ *
1123 ++ * Thus, switch_mm needs a full barrier between the
1124 ++ * store to mm_cpumask and any operation that could load
1125 ++ * from next->pgd. TLB fills are special and can happen
1126 ++ * due to instruction fetches or for no reason at all,
1127 ++ * and neither LOCK nor MFENCE orders them.
1128 ++ * Fortunately, load_cr3() is serializing and gives the
1129 ++ * ordering guarantee we need.
1130 ++ *
1131 ++ */
1132 + load_cr3(next->pgd);
1133 ++
1134 + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
1135 +
1136 + /* Stop flush ipis for the previous mm */
1137 +@@ -156,10 +184,14 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
1138 + * schedule, protecting us from simultaneous changes.
1139 + */
1140 + cpumask_set_cpu(cpu, mm_cpumask(next));
1141 ++
1142 + /*
1143 + * We were in lazy tlb mode and leave_mm disabled
1144 + * tlb flush IPI delivery. We must reload CR3
1145 + * to make sure to use no freed page tables.
1146 ++ *
1147 ++ * As above, load_cr3() is serializing and orders TLB
1148 ++ * fills with respect to the mm_cpumask write.
1149 + */
1150 + load_cr3(next->pgd);
1151 + trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
1152 +diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
1153 +index 10d0596433f8..c759b3cca663 100644
1154 +--- a/arch/x86/include/asm/paravirt.h
1155 ++++ b/arch/x86/include/asm/paravirt.h
1156 +@@ -19,6 +19,12 @@ static inline int paravirt_enabled(void)
1157 + return pv_info.paravirt_enabled;
1158 + }
1159 +
1160 ++static inline int paravirt_has_feature(unsigned int feature)
1161 ++{
1162 ++ WARN_ON_ONCE(!pv_info.paravirt_enabled);
1163 ++ return (pv_info.features & feature);
1164 ++}
1165 ++
1166 + static inline void load_sp0(struct tss_struct *tss,
1167 + struct thread_struct *thread)
1168 + {
1169 +diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h
1170 +index 31247b5bff7c..3d44191185f8 100644
1171 +--- a/arch/x86/include/asm/paravirt_types.h
1172 ++++ b/arch/x86/include/asm/paravirt_types.h
1173 +@@ -70,9 +70,14 @@ struct pv_info {
1174 + #endif
1175 +
1176 + int paravirt_enabled;
1177 ++ unsigned int features; /* valid only if paravirt_enabled is set */
1178 + const char *name;
1179 + };
1180 +
1181 ++#define paravirt_has(x) paravirt_has_feature(PV_SUPPORTED_##x)
1182 ++/* Supported features */
1183 ++#define PV_SUPPORTED_RTC (1<<0)
1184 ++
1185 + struct pv_init_ops {
1186 + /*
1187 + * Patch may replace one of the defined code sequences with
1188 +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
1189 +index 19577dd325fa..b7692daeaf92 100644
1190 +--- a/arch/x86/include/asm/processor.h
1191 ++++ b/arch/x86/include/asm/processor.h
1192 +@@ -472,6 +472,7 @@ static inline unsigned long current_top_of_stack(void)
1193 + #else
1194 + #define __cpuid native_cpuid
1195 + #define paravirt_enabled() 0
1196 ++#define paravirt_has(x) 0
1197 +
1198 + static inline void load_sp0(struct tss_struct *tss,
1199 + struct thread_struct *thread)
1200 +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
1201 +index 9d014b82a124..6b2c8229f9da 100644
1202 +--- a/arch/x86/kernel/cpu/mcheck/mce.c
1203 ++++ b/arch/x86/kernel/cpu/mcheck/mce.c
1204 +@@ -999,6 +999,17 @@ void do_machine_check(struct pt_regs *regs, long error_code)
1205 + int flags = MF_ACTION_REQUIRED;
1206 + int lmce = 0;
1207 +
1208 ++ /* If this CPU is offline, just bail out. */
1209 ++ if (cpu_is_offline(smp_processor_id())) {
1210 ++ u64 mcgstatus;
1211 ++
1212 ++ mcgstatus = mce_rdmsrl(MSR_IA32_MCG_STATUS);
1213 ++ if (mcgstatus & MCG_STATUS_RIPV) {
1214 ++ mce_wrmsrl(MSR_IA32_MCG_STATUS, 0);
1215 ++ return;
1216 ++ }
1217 ++ }
1218 ++
1219 + ist_enter(regs);
1220 +
1221 + this_cpu_inc(mce_exception_count);
1222 +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
1223 +index 02693dd9a079..f660d63f40fe 100644
1224 +--- a/arch/x86/kernel/reboot.c
1225 ++++ b/arch/x86/kernel/reboot.c
1226 +@@ -182,6 +182,14 @@ static struct dmi_system_id __initdata reboot_dmi_table[] = {
1227 + DMI_MATCH(DMI_PRODUCT_NAME, "iMac9,1"),
1228 + },
1229 + },
1230 ++ { /* Handle problems with rebooting on the iMac10,1. */
1231 ++ .callback = set_pci_reboot,
1232 ++ .ident = "Apple iMac10,1",
1233 ++ .matches = {
1234 ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
1235 ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac10,1"),
1236 ++ },
1237 ++ },
1238 +
1239 + /* ASRock */
1240 + { /* Handle problems with rebooting on ASRock Q1900DC-ITX */
1241 +diff --git a/arch/x86/kernel/rtc.c b/arch/x86/kernel/rtc.c
1242 +index cd9685235df9..4af8d063fb36 100644
1243 +--- a/arch/x86/kernel/rtc.c
1244 ++++ b/arch/x86/kernel/rtc.c
1245 +@@ -200,6 +200,9 @@ static __init int add_rtc_cmos(void)
1246 + }
1247 + #endif
1248 +
1249 ++ if (paravirt_enabled() && !paravirt_has(RTC))
1250 ++ return -ENODEV;
1251 ++
1252 + platform_device_register(&rtc_device);
1253 + dev_info(&rtc_device.dev,
1254 + "registered platform RTC device (no PNP device found)\n");
1255 +diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
1256 +index da52e6bb5c7f..7d2b2ed33dee 100644
1257 +--- a/arch/x86/kernel/signal.c
1258 ++++ b/arch/x86/kernel/signal.c
1259 +@@ -688,12 +688,15 @@ handle_signal(struct ksignal *ksig, struct pt_regs *regs)
1260 + signal_setup_done(failed, ksig, stepping);
1261 + }
1262 +
1263 +-#ifdef CONFIG_X86_32
1264 +-#define NR_restart_syscall __NR_restart_syscall
1265 +-#else /* !CONFIG_X86_32 */
1266 +-#define NR_restart_syscall \
1267 +- test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall : __NR_restart_syscall
1268 +-#endif /* CONFIG_X86_32 */
1269 ++static inline unsigned long get_nr_restart_syscall(const struct pt_regs *regs)
1270 ++{
1271 ++#if defined(CONFIG_X86_32) || !defined(CONFIG_X86_64)
1272 ++ return __NR_restart_syscall;
1273 ++#else /* !CONFIG_X86_32 && CONFIG_X86_64 */
1274 ++ return test_thread_flag(TIF_IA32) ? __NR_ia32_restart_syscall :
1275 ++ __NR_restart_syscall | (regs->orig_ax & __X32_SYSCALL_BIT);
1276 ++#endif /* CONFIG_X86_32 || !CONFIG_X86_64 */
1277 ++}
1278 +
1279 + /*
1280 + * Note that 'init' is a special process: it doesn't get signals it doesn't
1281 +@@ -722,7 +725,7 @@ void do_signal(struct pt_regs *regs)
1282 + break;
1283 +
1284 + case -ERESTART_RESTARTBLOCK:
1285 +- regs->ax = NR_restart_syscall;
1286 ++ regs->ax = get_nr_restart_syscall(regs);
1287 + regs->ip -= 2;
1288 + break;
1289 + }
1290 +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
1291 +index 892ee2e5ecbc..fbabe4fcc7fb 100644
1292 +--- a/arch/x86/kernel/smpboot.c
1293 ++++ b/arch/x86/kernel/smpboot.c
1294 +@@ -509,7 +509,7 @@ void __inquire_remote_apic(int apicid)
1295 + */
1296 + #define UDELAY_10MS_DEFAULT 10000
1297 +
1298 +-static unsigned int init_udelay = INT_MAX;
1299 ++static unsigned int init_udelay = UINT_MAX;
1300 +
1301 + static int __init cpu_init_udelay(char *str)
1302 + {
1303 +@@ -522,14 +522,15 @@ early_param("cpu_init_udelay", cpu_init_udelay);
1304 + static void __init smp_quirk_init_udelay(void)
1305 + {
1306 + /* if cmdline changed it from default, leave it alone */
1307 +- if (init_udelay != INT_MAX)
1308 ++ if (init_udelay != UINT_MAX)
1309 + return;
1310 +
1311 + /* if modern processor, use no delay */
1312 + if (((boot_cpu_data.x86_vendor == X86_VENDOR_INTEL) && (boot_cpu_data.x86 == 6)) ||
1313 +- ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && (boot_cpu_data.x86 >= 0xF)))
1314 ++ ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && (boot_cpu_data.x86 >= 0xF))) {
1315 + init_udelay = 0;
1316 +-
1317 ++ return;
1318 ++ }
1319 + /* else, use legacy delay */
1320 + init_udelay = UDELAY_10MS_DEFAULT;
1321 + }
1322 +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
1323 +index d7f89387ba0c..22d181350ec9 100644
1324 +--- a/arch/x86/kvm/svm.c
1325 ++++ b/arch/x86/kvm/svm.c
1326 +@@ -1108,6 +1108,7 @@ static void init_vmcb(struct vcpu_svm *svm)
1327 + set_exception_intercept(svm, UD_VECTOR);
1328 + set_exception_intercept(svm, MC_VECTOR);
1329 + set_exception_intercept(svm, AC_VECTOR);
1330 ++ set_exception_intercept(svm, DB_VECTOR);
1331 +
1332 + set_intercept(svm, INTERCEPT_INTR);
1333 + set_intercept(svm, INTERCEPT_NMI);
1334 +@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
1335 + mark_dirty(svm->vmcb, VMCB_SEG);
1336 + }
1337 +
1338 +-static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
1339 ++static void update_bp_intercept(struct kvm_vcpu *vcpu)
1340 + {
1341 + struct vcpu_svm *svm = to_svm(vcpu);
1342 +
1343 +- clr_exception_intercept(svm, DB_VECTOR);
1344 + clr_exception_intercept(svm, BP_VECTOR);
1345 +
1346 +- if (svm->nmi_singlestep)
1347 +- set_exception_intercept(svm, DB_VECTOR);
1348 +-
1349 + if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
1350 +- if (vcpu->guest_debug &
1351 +- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
1352 +- set_exception_intercept(svm, DB_VECTOR);
1353 + if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
1354 + set_exception_intercept(svm, BP_VECTOR);
1355 + } else
1356 +@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
1357 + if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
1358 + svm->vmcb->save.rflags &=
1359 + ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
1360 +- update_db_bp_intercept(&svm->vcpu);
1361 + }
1362 +
1363 + if (svm->vcpu.guest_debug &
1364 +@@ -3761,7 +3754,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
1365 + */
1366 + svm->nmi_singlestep = true;
1367 + svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
1368 +- update_db_bp_intercept(vcpu);
1369 + }
1370 +
1371 + static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
1372 +@@ -4383,7 +4375,7 @@ static struct kvm_x86_ops svm_x86_ops = {
1373 + .vcpu_load = svm_vcpu_load,
1374 + .vcpu_put = svm_vcpu_put,
1375 +
1376 +- .update_db_bp_intercept = update_db_bp_intercept,
1377 ++ .update_db_bp_intercept = update_bp_intercept,
1378 + .get_msr = svm_get_msr,
1379 + .set_msr = svm_set_msr,
1380 + .get_segment_base = svm_get_segment_base,
1381 +diff --git a/arch/x86/kvm/trace.h b/arch/x86/kvm/trace.h
1382 +index 4eae7c35ddf5..08b668cb3462 100644
1383 +--- a/arch/x86/kvm/trace.h
1384 ++++ b/arch/x86/kvm/trace.h
1385 +@@ -250,7 +250,7 @@ TRACE_EVENT(kvm_inj_virq,
1386 + #define kvm_trace_sym_exc \
1387 + EXS(DE), EXS(DB), EXS(BP), EXS(OF), EXS(BR), EXS(UD), EXS(NM), \
1388 + EXS(DF), EXS(TS), EXS(NP), EXS(SS), EXS(GP), EXS(PF), \
1389 +- EXS(MF), EXS(MC)
1390 ++ EXS(MF), EXS(AC), EXS(MC)
1391 +
1392 + /*
1393 + * Tracepoint for kvm interrupt injection:
1394 +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
1395 +index 343d3692dd65..2e0bd4884652 100644
1396 +--- a/arch/x86/kvm/vmx.c
1397 ++++ b/arch/x86/kvm/vmx.c
1398 +@@ -3644,20 +3644,21 @@ static int vmx_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
1399 + if (!is_paging(vcpu)) {
1400 + hw_cr4 &= ~X86_CR4_PAE;
1401 + hw_cr4 |= X86_CR4_PSE;
1402 +- /*
1403 +- * SMEP/SMAP is disabled if CPU is in non-paging mode
1404 +- * in hardware. However KVM always uses paging mode to
1405 +- * emulate guest non-paging mode with TDP.
1406 +- * To emulate this behavior, SMEP/SMAP needs to be
1407 +- * manually disabled when guest switches to non-paging
1408 +- * mode.
1409 +- */
1410 +- hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP);
1411 + } else if (!(cr4 & X86_CR4_PAE)) {
1412 + hw_cr4 &= ~X86_CR4_PAE;
1413 + }
1414 + }
1415 +
1416 ++ if (!enable_unrestricted_guest && !is_paging(vcpu))
1417 ++ /*
1418 ++ * SMEP/SMAP is disabled if CPU is in non-paging mode in
1419 ++ * hardware. However KVM always uses paging mode without
1420 ++ * unrestricted guest.
1421 ++ * To emulate this behavior, SMEP/SMAP needs to be manually
1422 ++ * disabled when guest switches to non-paging mode.
1423 ++ */
1424 ++ hw_cr4 &= ~(X86_CR4_SMEP | X86_CR4_SMAP);
1425 ++
1426 + vmcs_writel(CR4_READ_SHADOW, cr4);
1427 + vmcs_writel(GUEST_CR4, hw_cr4);
1428 + return 0;
1429 +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
1430 +index 43609af03283..37bbbf842350 100644
1431 +--- a/arch/x86/kvm/x86.c
1432 ++++ b/arch/x86/kvm/x86.c
1433 +@@ -942,7 +942,7 @@ static u32 msrs_to_save[] = {
1434 + MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR,
1435 + #endif
1436 + MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
1437 +- MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS
1438 ++ MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS, MSR_TSC_AUX,
1439 + };
1440 +
1441 + static unsigned num_msrs_to_save;
1442 +@@ -3847,16 +3847,17 @@ static void kvm_init_msr_list(void)
1443 +
1444 + /*
1445 + * Even MSRs that are valid in the host may not be exposed
1446 +- * to the guests in some cases. We could work around this
1447 +- * in VMX with the generic MSR save/load machinery, but it
1448 +- * is not really worthwhile since it will really only
1449 +- * happen with nested virtualization.
1450 ++ * to the guests in some cases.
1451 + */
1452 + switch (msrs_to_save[i]) {
1453 + case MSR_IA32_BNDCFGS:
1454 + if (!kvm_x86_ops->mpx_supported())
1455 + continue;
1456 + break;
1457 ++ case MSR_TSC_AUX:
1458 ++ if (!kvm_x86_ops->rdtscp_supported())
1459 ++ continue;
1460 ++ break;
1461 + default:
1462 + break;
1463 + }
1464 +diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
1465 +index a0d09f6c6533..a43b2eafc466 100644
1466 +--- a/arch/x86/lguest/boot.c
1467 ++++ b/arch/x86/lguest/boot.c
1468 +@@ -1414,6 +1414,7 @@ __init void lguest_init(void)
1469 + pv_info.kernel_rpl = 1;
1470 + /* Everyone except Xen runs with this set. */
1471 + pv_info.shared_kernel_pmd = 1;
1472 ++ pv_info.features = 0;
1473 +
1474 + /*
1475 + * We set up all the lguest overrides for sensitive operations. These
1476 +diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
1477 +index 71fc79a58a15..78e47ff74f9d 100644
1478 +--- a/arch/x86/mm/mpx.c
1479 ++++ b/arch/x86/mm/mpx.c
1480 +@@ -101,19 +101,19 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
1481 + switch (type) {
1482 + case REG_TYPE_RM:
1483 + regno = X86_MODRM_RM(insn->modrm.value);
1484 +- if (X86_REX_B(insn->rex_prefix.value) == 1)
1485 ++ if (X86_REX_B(insn->rex_prefix.value))
1486 + regno += 8;
1487 + break;
1488 +
1489 + case REG_TYPE_INDEX:
1490 + regno = X86_SIB_INDEX(insn->sib.value);
1491 +- if (X86_REX_X(insn->rex_prefix.value) == 1)
1492 ++ if (X86_REX_X(insn->rex_prefix.value))
1493 + regno += 8;
1494 + break;
1495 +
1496 + case REG_TYPE_BASE:
1497 + regno = X86_SIB_BASE(insn->sib.value);
1498 +- if (X86_REX_B(insn->rex_prefix.value) == 1)
1499 ++ if (X86_REX_B(insn->rex_prefix.value))
1500 + regno += 8;
1501 + break;
1502 +
1503 +diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
1504 +index 8ddb5d0d66fb..8f4cc3dfac32 100644
1505 +--- a/arch/x86/mm/tlb.c
1506 ++++ b/arch/x86/mm/tlb.c
1507 +@@ -161,7 +161,10 @@ void flush_tlb_current_task(void)
1508 + preempt_disable();
1509 +
1510 + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
1511 ++
1512 ++ /* This is an implicit full barrier that synchronizes with switch_mm. */
1513 + local_flush_tlb();
1514 ++
1515 + trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL);
1516 + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
1517 + flush_tlb_others(mm_cpumask(mm), mm, 0UL, TLB_FLUSH_ALL);
1518 +@@ -188,17 +191,29 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
1519 + unsigned long base_pages_to_flush = TLB_FLUSH_ALL;
1520 +
1521 + preempt_disable();
1522 +- if (current->active_mm != mm)
1523 ++ if (current->active_mm != mm) {
1524 ++ /* Synchronize with switch_mm. */
1525 ++ smp_mb();
1526 ++
1527 + goto out;
1528 ++ }
1529 +
1530 + if (!current->mm) {
1531 + leave_mm(smp_processor_id());
1532 ++
1533 ++ /* Synchronize with switch_mm. */
1534 ++ smp_mb();
1535 ++
1536 + goto out;
1537 + }
1538 +
1539 + if ((end != TLB_FLUSH_ALL) && !(vmflag & VM_HUGETLB))
1540 + base_pages_to_flush = (end - start) >> PAGE_SHIFT;
1541 +
1542 ++ /*
1543 ++ * Both branches below are implicit full barriers (MOV to CR or
1544 ++ * INVLPG) that synchronize with switch_mm.
1545 ++ */
1546 + if (base_pages_to_flush > tlb_single_page_flush_ceiling) {
1547 + base_pages_to_flush = TLB_FLUSH_ALL;
1548 + count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
1549 +@@ -228,10 +243,18 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long start)
1550 + preempt_disable();
1551 +
1552 + if (current->active_mm == mm) {
1553 +- if (current->mm)
1554 ++ if (current->mm) {
1555 ++ /*
1556 ++ * Implicit full barrier (INVLPG) that synchronizes
1557 ++ * with switch_mm.
1558 ++ */
1559 + __flush_tlb_one(start);
1560 +- else
1561 ++ } else {
1562 + leave_mm(smp_processor_id());
1563 ++
1564 ++ /* Synchronize with switch_mm. */
1565 ++ smp_mb();
1566 ++ }
1567 + }
1568 +
1569 + if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
1570 +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
1571 +index 993b7a71386d..aeb385d86e95 100644
1572 +--- a/arch/x86/xen/enlighten.c
1573 ++++ b/arch/x86/xen/enlighten.c
1574 +@@ -1191,7 +1191,7 @@ static const struct pv_info xen_info __initconst = {
1575 + #ifdef CONFIG_X86_64
1576 + .extra_user_64bit_cs = FLAT_USER_CS64,
1577 + #endif
1578 +-
1579 ++ .features = 0,
1580 + .name = "Xen",
1581 + };
1582 +
1583 +@@ -1534,6 +1534,8 @@ asmlinkage __visible void __init xen_start_kernel(void)
1584 +
1585 + /* Install Xen paravirt ops */
1586 + pv_info = xen_info;
1587 ++ if (xen_initial_domain())
1588 ++ pv_info.features |= PV_SUPPORTED_RTC;
1589 + pv_init_ops = xen_init_ops;
1590 + pv_apic_ops = xen_apic_ops;
1591 + if (!xen_pvh_domain()) {
1592 +diff --git a/arch/x86/xen/suspend.c b/arch/x86/xen/suspend.c
1593 +index feddabdab448..4299aa924b9f 100644
1594 +--- a/arch/x86/xen/suspend.c
1595 ++++ b/arch/x86/xen/suspend.c
1596 +@@ -33,7 +33,8 @@ static void xen_hvm_post_suspend(int suspend_cancelled)
1597 + {
1598 + #ifdef CONFIG_XEN_PVHVM
1599 + int cpu;
1600 +- xen_hvm_init_shared_info();
1601 ++ if (!suspend_cancelled)
1602 ++ xen_hvm_init_shared_info();
1603 + xen_callback_vector();
1604 + xen_unplug_emulated_devices();
1605 + if (xen_feature(XENFEAT_hvm_safe_pvclock)) {
1606 +diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
1607 +index 654f6f36a071..54bccf7db592 100644
1608 +--- a/drivers/char/ipmi/ipmi_si_intf.c
1609 ++++ b/drivers/char/ipmi/ipmi_si_intf.c
1610 +@@ -412,18 +412,42 @@ static enum si_sm_result start_next_msg(struct smi_info *smi_info)
1611 + return rv;
1612 + }
1613 +
1614 +-static void start_check_enables(struct smi_info *smi_info)
1615 ++static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val)
1616 ++{
1617 ++ smi_info->last_timeout_jiffies = jiffies;
1618 ++ mod_timer(&smi_info->si_timer, new_val);
1619 ++ smi_info->timer_running = true;
1620 ++}
1621 ++
1622 ++/*
1623 ++ * Start a new message and (re)start the timer and thread.
1624 ++ */
1625 ++static void start_new_msg(struct smi_info *smi_info, unsigned char *msg,
1626 ++ unsigned int size)
1627 ++{
1628 ++ smi_mod_timer(smi_info, jiffies + SI_TIMEOUT_JIFFIES);
1629 ++
1630 ++ if (smi_info->thread)
1631 ++ wake_up_process(smi_info->thread);
1632 ++
1633 ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, size);
1634 ++}
1635 ++
1636 ++static void start_check_enables(struct smi_info *smi_info, bool start_timer)
1637 + {
1638 + unsigned char msg[2];
1639 +
1640 + msg[0] = (IPMI_NETFN_APP_REQUEST << 2);
1641 + msg[1] = IPMI_GET_BMC_GLOBAL_ENABLES_CMD;
1642 +
1643 +- smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2);
1644 ++ if (start_timer)
1645 ++ start_new_msg(smi_info, msg, 2);
1646 ++ else
1647 ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, 2);
1648 + smi_info->si_state = SI_CHECKING_ENABLES;
1649 + }
1650 +
1651 +-static void start_clear_flags(struct smi_info *smi_info)
1652 ++static void start_clear_flags(struct smi_info *smi_info, bool start_timer)
1653 + {
1654 + unsigned char msg[3];
1655 +
1656 +@@ -432,7 +456,10 @@ static void start_clear_flags(struct smi_info *smi_info)
1657 + msg[1] = IPMI_CLEAR_MSG_FLAGS_CMD;
1658 + msg[2] = WDT_PRE_TIMEOUT_INT;
1659 +
1660 +- smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3);
1661 ++ if (start_timer)
1662 ++ start_new_msg(smi_info, msg, 3);
1663 ++ else
1664 ++ smi_info->handlers->start_transaction(smi_info->si_sm, msg, 3);
1665 + smi_info->si_state = SI_CLEARING_FLAGS;
1666 + }
1667 +
1668 +@@ -442,10 +469,8 @@ static void start_getting_msg_queue(struct smi_info *smi_info)
1669 + smi_info->curr_msg->data[1] = IPMI_GET_MSG_CMD;
1670 + smi_info->curr_msg->data_size = 2;
1671 +
1672 +- smi_info->handlers->start_transaction(
1673 +- smi_info->si_sm,
1674 +- smi_info->curr_msg->data,
1675 +- smi_info->curr_msg->data_size);
1676 ++ start_new_msg(smi_info, smi_info->curr_msg->data,
1677 ++ smi_info->curr_msg->data_size);
1678 + smi_info->si_state = SI_GETTING_MESSAGES;
1679 + }
1680 +
1681 +@@ -455,20 +480,11 @@ static void start_getting_events(struct smi_info *smi_info)
1682 + smi_info->curr_msg->data[1] = IPMI_READ_EVENT_MSG_BUFFER_CMD;
1683 + smi_info->curr_msg->data_size = 2;
1684 +
1685 +- smi_info->handlers->start_transaction(
1686 +- smi_info->si_sm,
1687 +- smi_info->curr_msg->data,
1688 +- smi_info->curr_msg->data_size);
1689 ++ start_new_msg(smi_info, smi_info->curr_msg->data,
1690 ++ smi_info->curr_msg->data_size);
1691 + smi_info->si_state = SI_GETTING_EVENTS;
1692 + }
1693 +
1694 +-static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val)
1695 +-{
1696 +- smi_info->last_timeout_jiffies = jiffies;
1697 +- mod_timer(&smi_info->si_timer, new_val);
1698 +- smi_info->timer_running = true;
1699 +-}
1700 +-
1701 + /*
1702 + * When we have a situtaion where we run out of memory and cannot
1703 + * allocate messages, we just leave them in the BMC and run the system
1704 +@@ -478,11 +494,11 @@ static void smi_mod_timer(struct smi_info *smi_info, unsigned long new_val)
1705 + * Note that we cannot just use disable_irq(), since the interrupt may
1706 + * be shared.
1707 + */
1708 +-static inline bool disable_si_irq(struct smi_info *smi_info)
1709 ++static inline bool disable_si_irq(struct smi_info *smi_info, bool start_timer)
1710 + {
1711 + if ((smi_info->irq) && (!smi_info->interrupt_disabled)) {
1712 + smi_info->interrupt_disabled = true;
1713 +- start_check_enables(smi_info);
1714 ++ start_check_enables(smi_info, start_timer);
1715 + return true;
1716 + }
1717 + return false;
1718 +@@ -492,7 +508,7 @@ static inline bool enable_si_irq(struct smi_info *smi_info)
1719 + {
1720 + if ((smi_info->irq) && (smi_info->interrupt_disabled)) {
1721 + smi_info->interrupt_disabled = false;
1722 +- start_check_enables(smi_info);
1723 ++ start_check_enables(smi_info, true);
1724 + return true;
1725 + }
1726 + return false;
1727 +@@ -510,7 +526,7 @@ static struct ipmi_smi_msg *alloc_msg_handle_irq(struct smi_info *smi_info)
1728 +
1729 + msg = ipmi_alloc_smi_msg();
1730 + if (!msg) {
1731 +- if (!disable_si_irq(smi_info))
1732 ++ if (!disable_si_irq(smi_info, true))
1733 + smi_info->si_state = SI_NORMAL;
1734 + } else if (enable_si_irq(smi_info)) {
1735 + ipmi_free_smi_msg(msg);
1736 +@@ -526,7 +542,7 @@ static void handle_flags(struct smi_info *smi_info)
1737 + /* Watchdog pre-timeout */
1738 + smi_inc_stat(smi_info, watchdog_pretimeouts);
1739 +
1740 +- start_clear_flags(smi_info);
1741 ++ start_clear_flags(smi_info, true);
1742 + smi_info->msg_flags &= ~WDT_PRE_TIMEOUT_INT;
1743 + if (smi_info->intf)
1744 + ipmi_smi_watchdog_pretimeout(smi_info->intf);
1745 +@@ -879,8 +895,7 @@ static enum si_sm_result smi_event_handler(struct smi_info *smi_info,
1746 + msg[0] = (IPMI_NETFN_APP_REQUEST << 2);
1747 + msg[1] = IPMI_GET_MSG_FLAGS_CMD;
1748 +
1749 +- smi_info->handlers->start_transaction(
1750 +- smi_info->si_sm, msg, 2);
1751 ++ start_new_msg(smi_info, msg, 2);
1752 + smi_info->si_state = SI_GETTING_FLAGS;
1753 + goto restart;
1754 + }
1755 +@@ -910,7 +925,7 @@ static enum si_sm_result smi_event_handler(struct smi_info *smi_info,
1756 + * disable and messages disabled.
1757 + */
1758 + if (smi_info->supports_event_msg_buff || smi_info->irq) {
1759 +- start_check_enables(smi_info);
1760 ++ start_check_enables(smi_info, true);
1761 + } else {
1762 + smi_info->curr_msg = alloc_msg_handle_irq(smi_info);
1763 + if (!smi_info->curr_msg)
1764 +@@ -1208,14 +1223,14 @@ static int smi_start_processing(void *send_info,
1765 +
1766 + new_smi->intf = intf;
1767 +
1768 +- /* Try to claim any interrupts. */
1769 +- if (new_smi->irq_setup)
1770 +- new_smi->irq_setup(new_smi);
1771 +-
1772 + /* Set up the timer that drives the interface. */
1773 + setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi);
1774 + smi_mod_timer(new_smi, jiffies + SI_TIMEOUT_JIFFIES);
1775 +
1776 ++ /* Try to claim any interrupts. */
1777 ++ if (new_smi->irq_setup)
1778 ++ new_smi->irq_setup(new_smi);
1779 ++
1780 + /*
1781 + * Check if the user forcefully enabled the daemon.
1782 + */
1783 +@@ -3613,7 +3628,7 @@ static int try_smi_init(struct smi_info *new_smi)
1784 + * Start clearing the flags before we enable interrupts or the
1785 + * timer to avoid racing with the timer.
1786 + */
1787 +- start_clear_flags(new_smi);
1788 ++ start_clear_flags(new_smi, false);
1789 +
1790 + /*
1791 + * IRQ is defined to be set when non-zero. req_events will
1792 +@@ -3908,7 +3923,7 @@ static void cleanup_one_si(struct smi_info *to_clean)
1793 + poll(to_clean);
1794 + schedule_timeout_uninterruptible(1);
1795 + }
1796 +- disable_si_irq(to_clean);
1797 ++ disable_si_irq(to_clean, false);
1798 + while (to_clean->curr_msg || (to_clean->si_state != SI_NORMAL)) {
1799 + poll(to_clean);
1800 + schedule_timeout_uninterruptible(1);
1801 +diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
1802 +index 30f522848c73..c19e7fc717c3 100644
1803 +--- a/drivers/connector/connector.c
1804 ++++ b/drivers/connector/connector.c
1805 +@@ -178,26 +178,21 @@ static int cn_call_callback(struct sk_buff *skb)
1806 + *
1807 + * It checks skb, netlink header and msg sizes, and calls callback helper.
1808 + */
1809 +-static void cn_rx_skb(struct sk_buff *__skb)
1810 ++static void cn_rx_skb(struct sk_buff *skb)
1811 + {
1812 + struct nlmsghdr *nlh;
1813 +- struct sk_buff *skb;
1814 + int len, err;
1815 +
1816 +- skb = skb_get(__skb);
1817 +-
1818 + if (skb->len >= NLMSG_HDRLEN) {
1819 + nlh = nlmsg_hdr(skb);
1820 + len = nlmsg_len(nlh);
1821 +
1822 + if (len < (int)sizeof(struct cn_msg) ||
1823 + skb->len < nlh->nlmsg_len ||
1824 +- len > CONNECTOR_MAX_MSG_SIZE) {
1825 +- kfree_skb(skb);
1826 ++ len > CONNECTOR_MAX_MSG_SIZE)
1827 + return;
1828 +- }
1829 +
1830 +- err = cn_call_callback(skb);
1831 ++ err = cn_call_callback(skb_get(skb));
1832 + if (err < 0)
1833 + kfree_skb(skb);
1834 + }
1835 +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
1836 +index 70a11ac38119..c0fbf4ed58ec 100644
1837 +--- a/drivers/hid/hid-core.c
1838 ++++ b/drivers/hid/hid-core.c
1839 +@@ -1611,7 +1611,7 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask)
1840 + "Multi-Axis Controller"
1841 + };
1842 + const char *type, *bus;
1843 +- char buf[64];
1844 ++ char buf[64] = "";
1845 + unsigned int i;
1846 + int len;
1847 + int ret;
1848 +diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
1849 +index 0215ab62bb93..cba008ac9cff 100644
1850 +--- a/drivers/hid/wacom_wac.c
1851 ++++ b/drivers/hid/wacom_wac.c
1852 +@@ -1628,6 +1628,7 @@ static void wacom_wac_finger_usage_mapping(struct hid_device *hdev,
1853 + wacom_map_usage(input, usage, field, EV_KEY, BTN_TOUCH, 0);
1854 + break;
1855 + case HID_DG_CONTACTCOUNT:
1856 ++ wacom_wac->hid_data.cc_report = field->report->id;
1857 + wacom_wac->hid_data.cc_index = field->index;
1858 + wacom_wac->hid_data.cc_value_index = usage->usage_index;
1859 + break;
1860 +@@ -1715,7 +1716,32 @@ static void wacom_wac_finger_pre_report(struct hid_device *hdev,
1861 + struct wacom_wac *wacom_wac = &wacom->wacom_wac;
1862 + struct hid_data* hid_data = &wacom_wac->hid_data;
1863 +
1864 +- if (hid_data->cc_index >= 0) {
1865 ++ if (hid_data->cc_report != 0 &&
1866 ++ hid_data->cc_report != report->id) {
1867 ++ int i;
1868 ++
1869 ++ hid_data->cc_report = report->id;
1870 ++ hid_data->cc_index = -1;
1871 ++ hid_data->cc_value_index = -1;
1872 ++
1873 ++ for (i = 0; i < report->maxfield; i++) {
1874 ++ struct hid_field *field = report->field[i];
1875 ++ int j;
1876 ++
1877 ++ for (j = 0; j < field->maxusage; j++) {
1878 ++ if (field->usage[j].hid == HID_DG_CONTACTCOUNT) {
1879 ++ hid_data->cc_index = i;
1880 ++ hid_data->cc_value_index = j;
1881 ++
1882 ++ /* break */
1883 ++ i = report->maxfield;
1884 ++ j = field->maxusage;
1885 ++ }
1886 ++ }
1887 ++ }
1888 ++ }
1889 ++ if (hid_data->cc_report != 0 &&
1890 ++ hid_data->cc_index >= 0) {
1891 + struct hid_field *field = report->field[hid_data->cc_index];
1892 + int value = field->value[hid_data->cc_value_index];
1893 + if (value)
1894 +diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h
1895 +index 1e270d401e18..809c03e34f74 100644
1896 +--- a/drivers/hid/wacom_wac.h
1897 ++++ b/drivers/hid/wacom_wac.h
1898 +@@ -198,6 +198,7 @@ struct hid_data {
1899 + int width;
1900 + int height;
1901 + int id;
1902 ++ int cc_report;
1903 + int cc_index;
1904 + int cc_value_index;
1905 + int num_expected;
1906 +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
1907 +index 2d0dbbf38ceb..558c1e784613 100644
1908 +--- a/drivers/infiniband/hw/mlx5/cq.c
1909 ++++ b/drivers/infiniband/hw/mlx5/cq.c
1910 +@@ -756,7 +756,7 @@ struct ib_cq *mlx5_ib_create_cq(struct ib_device *ibdev,
1911 + int uninitialized_var(index);
1912 + int uninitialized_var(inlen);
1913 + int cqe_size;
1914 +- int irqn;
1915 ++ unsigned int irqn;
1916 + int eqn;
1917 + int err;
1918 +
1919 +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c
1920 +index 286e890e7d64..ef7862056978 100644
1921 +--- a/drivers/iommu/arm-smmu-v3.c
1922 ++++ b/drivers/iommu/arm-smmu-v3.c
1923 +@@ -1427,7 +1427,7 @@ static int arm_smmu_domain_finalise_s1(struct arm_smmu_domain *smmu_domain,
1924 + struct io_pgtable_cfg *pgtbl_cfg)
1925 + {
1926 + int ret;
1927 +- u16 asid;
1928 ++ int asid;
1929 + struct arm_smmu_device *smmu = smmu_domain->smmu;
1930 + struct arm_smmu_s1_cfg *cfg = &smmu_domain->s1_cfg;
1931 +
1932 +@@ -1439,10 +1439,11 @@ static int arm_smmu_domain_finalise_s1(struct arm_smmu_domain *smmu_domain,
1933 + &cfg->cdptr_dma, GFP_KERNEL);
1934 + if (!cfg->cdptr) {
1935 + dev_warn(smmu->dev, "failed to allocate context descriptor\n");
1936 ++ ret = -ENOMEM;
1937 + goto out_free_asid;
1938 + }
1939 +
1940 +- cfg->cd.asid = asid;
1941 ++ cfg->cd.asid = (u16)asid;
1942 + cfg->cd.ttbr = pgtbl_cfg->arm_lpae_s1_cfg.ttbr[0];
1943 + cfg->cd.tcr = pgtbl_cfg->arm_lpae_s1_cfg.tcr;
1944 + cfg->cd.mair = pgtbl_cfg->arm_lpae_s1_cfg.mair[0];
1945 +@@ -1456,7 +1457,7 @@ out_free_asid:
1946 + static int arm_smmu_domain_finalise_s2(struct arm_smmu_domain *smmu_domain,
1947 + struct io_pgtable_cfg *pgtbl_cfg)
1948 + {
1949 +- u16 vmid;
1950 ++ int vmid;
1951 + struct arm_smmu_device *smmu = smmu_domain->smmu;
1952 + struct arm_smmu_s2_cfg *cfg = &smmu_domain->s2_cfg;
1953 +
1954 +@@ -1464,7 +1465,7 @@ static int arm_smmu_domain_finalise_s2(struct arm_smmu_domain *smmu_domain,
1955 + if (IS_ERR_VALUE(vmid))
1956 + return vmid;
1957 +
1958 +- cfg->vmid = vmid;
1959 ++ cfg->vmid = (u16)vmid;
1960 + cfg->vttbr = pgtbl_cfg->arm_lpae_s2_cfg.vttbr;
1961 + cfg->vtcr = pgtbl_cfg->arm_lpae_s2_cfg.vtcr;
1962 + return 0;
1963 +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
1964 +index d65cf42399e8..dfc64662b386 100644
1965 +--- a/drivers/iommu/intel-iommu.c
1966 ++++ b/drivers/iommu/intel-iommu.c
1967 +@@ -4194,14 +4194,17 @@ int dmar_find_matched_atsr_unit(struct pci_dev *dev)
1968 + dev = pci_physfn(dev);
1969 + for (bus = dev->bus; bus; bus = bus->parent) {
1970 + bridge = bus->self;
1971 +- if (!bridge || !pci_is_pcie(bridge) ||
1972 ++ /* If it's an integrated device, allow ATS */
1973 ++ if (!bridge)
1974 ++ return 1;
1975 ++ /* Connected via non-PCIe: no ATS */
1976 ++ if (!pci_is_pcie(bridge) ||
1977 + pci_pcie_type(bridge) == PCI_EXP_TYPE_PCI_BRIDGE)
1978 + return 0;
1979 ++ /* If we found the root port, look it up in the ATSR */
1980 + if (pci_pcie_type(bridge) == PCI_EXP_TYPE_ROOT_PORT)
1981 + break;
1982 + }
1983 +- if (!bridge)
1984 +- return 0;
1985 +
1986 + rcu_read_lock();
1987 + list_for_each_entry_rcu(atsru, &dmar_atsr_units, list) {
1988 +diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
1989 +index c4198fa490bf..9c1e8adaf4fc 100644
1990 +--- a/drivers/isdn/i4l/isdn_ppp.c
1991 ++++ b/drivers/isdn/i4l/isdn_ppp.c
1992 +@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
1993 + is->compflags = 0;
1994 +
1995 + is->reset = isdn_ppp_ccp_reset_alloc(is);
1996 ++ if (!is->reset)
1997 ++ return -ENOMEM;
1998 +
1999 + is->lp = NULL;
2000 + is->mp_seqno = 0; /* MP sequence number */
2001 +@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
2002 + * VJ header compression init
2003 + */
2004 + is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
2005 ++ if (IS_ERR(is->slcomp)) {
2006 ++ isdn_ppp_ccp_reset_free(is);
2007 ++ return PTR_ERR(is->slcomp);
2008 ++ }
2009 + #endif
2010 + #ifdef CONFIG_IPPP_FILTER
2011 + is->pass_filter = NULL;
2012 +@@ -567,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
2013 + is->maxcid = val;
2014 + #ifdef CONFIG_ISDN_PPP_VJ
2015 + sltmp = slhc_init(16, val);
2016 +- if (!sltmp) {
2017 +- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
2018 +- return -ENOMEM;
2019 +- }
2020 ++ if (IS_ERR(sltmp))
2021 ++ return PTR_ERR(sltmp);
2022 + if (is->slcomp)
2023 + slhc_free(is->slcomp);
2024 + is->slcomp = sltmp;
2025 +diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
2026 +index 084d346fb4c4..e15eef6a94e5 100644
2027 +--- a/drivers/media/platform/vivid/vivid-osd.c
2028 ++++ b/drivers/media/platform/vivid/vivid-osd.c
2029 +@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
2030 + case FBIOGET_VBLANK: {
2031 + struct fb_vblank vblank;
2032 +
2033 ++ memset(&vblank, 0, sizeof(vblank));
2034 + vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
2035 + FB_VBLANK_HAVE_VSYNC;
2036 + vblank.count = 0;
2037 +diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
2038 +index 8f2e1c277c5f..7b91327bd472 100644
2039 +--- a/drivers/media/usb/airspy/airspy.c
2040 ++++ b/drivers/media/usb/airspy/airspy.c
2041 +@@ -132,7 +132,7 @@ struct airspy {
2042 + int urbs_submitted;
2043 +
2044 + /* USB control message buffer */
2045 +- #define BUF_SIZE 24
2046 ++ #define BUF_SIZE 128
2047 + u8 buf[BUF_SIZE];
2048 +
2049 + /* Current configuration */
2050 +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
2051 +index bcd7bddbe312..509440cb6411 100644
2052 +--- a/drivers/net/bonding/bond_main.c
2053 ++++ b/drivers/net/bonding/bond_main.c
2054 +@@ -1207,7 +1207,6 @@ static int bond_master_upper_dev_link(struct net_device *bond_dev,
2055 + err = netdev_master_upper_dev_link_private(slave_dev, bond_dev, slave);
2056 + if (err)
2057 + return err;
2058 +- slave_dev->flags |= IFF_SLAVE;
2059 + rtmsg_ifinfo(RTM_NEWLINK, slave_dev, IFF_SLAVE, GFP_KERNEL);
2060 + return 0;
2061 + }
2062 +@@ -1465,6 +1464,9 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
2063 + }
2064 + }
2065 +
2066 ++ /* set slave flag before open to prevent IPv6 addrconf */
2067 ++ slave_dev->flags |= IFF_SLAVE;
2068 ++
2069 + /* open the slave since the application closed it */
2070 + res = dev_open(slave_dev);
2071 + if (res) {
2072 +@@ -1725,6 +1727,7 @@ err_close:
2073 + dev_close(slave_dev);
2074 +
2075 + err_restore_mac:
2076 ++ slave_dev->flags &= ~IFF_SLAVE;
2077 + if (!bond->params.fail_over_mac ||
2078 + BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
2079 + /* XXX TODO - fom follow mode needs to change master's
2080 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
2081 +index 443632df2010..394744bfbf89 100644
2082 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
2083 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
2084 +@@ -746,7 +746,7 @@ static int mlx5e_create_cq(struct mlx5e_channel *c,
2085 + struct mlx5_core_dev *mdev = priv->mdev;
2086 + struct mlx5_core_cq *mcq = &cq->mcq;
2087 + int eqn_not_used;
2088 +- int irqn;
2089 ++ unsigned int irqn;
2090 + int err;
2091 + u32 i;
2092 +
2093 +@@ -800,7 +800,7 @@ static int mlx5e_enable_cq(struct mlx5e_cq *cq, struct mlx5e_cq_param *param)
2094 + void *in;
2095 + void *cqc;
2096 + int inlen;
2097 +- int irqn_not_used;
2098 ++ unsigned int irqn_not_used;
2099 + int eqn;
2100 + int err;
2101 +
2102 +@@ -1498,7 +1498,7 @@ static int mlx5e_create_drop_cq(struct mlx5e_priv *priv,
2103 + struct mlx5_core_dev *mdev = priv->mdev;
2104 + struct mlx5_core_cq *mcq = &cq->mcq;
2105 + int eqn_not_used;
2106 +- int irqn;
2107 ++ unsigned int irqn;
2108 + int err;
2109 +
2110 + err = mlx5_cqwq_create(mdev, &param->wq, param->cqc, &cq->wq,
2111 +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
2112 +index 03aabdd79abe..af9593baf1bb 100644
2113 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
2114 ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
2115 +@@ -520,7 +520,8 @@ static void mlx5_irq_clear_affinity_hints(struct mlx5_core_dev *mdev)
2116 + mlx5_irq_clear_affinity_hint(mdev, i);
2117 + }
2118 +
2119 +-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, int *irqn)
2120 ++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
2121 ++ unsigned int *irqn)
2122 + {
2123 + struct mlx5_eq_table *table = &dev->priv.eq_table;
2124 + struct mlx5_eq *eq, *n;
2125 +diff --git a/drivers/net/ethernet/synopsys/dwc_eth_qos.c b/drivers/net/ethernet/synopsys/dwc_eth_qos.c
2126 +index 85b3326775b8..37640e11afa6 100644
2127 +--- a/drivers/net/ethernet/synopsys/dwc_eth_qos.c
2128 ++++ b/drivers/net/ethernet/synopsys/dwc_eth_qos.c
2129 +@@ -2107,7 +2107,7 @@ static int dwceqos_tx_frags(struct sk_buff *skb, struct net_local *lp,
2130 + dd = &lp->tx_descs[lp->tx_next];
2131 +
2132 + /* Set DMA Descriptor fields */
2133 +- dd->des0 = dma_handle;
2134 ++ dd->des0 = dma_handle + consumed_size;
2135 + dd->des1 = 0;
2136 + dd->des2 = dma_size;
2137 +
2138 +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
2139 +index ed00446759b2..9a863c6a6a33 100644
2140 +--- a/drivers/net/ppp/ppp_generic.c
2141 ++++ b/drivers/net/ppp/ppp_generic.c
2142 +@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
2143 + val &= 0xffff;
2144 + }
2145 + vj = slhc_init(val2+1, val+1);
2146 +- if (!vj) {
2147 +- netdev_err(ppp->dev,
2148 +- "PPP: no memory (VJ compressor)\n");
2149 +- err = -ENOMEM;
2150 ++ if (IS_ERR(vj)) {
2151 ++ err = PTR_ERR(vj);
2152 + break;
2153 + }
2154 + ppp_lock(ppp);
2155 +diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
2156 +index 079f7adfcde5..27ed25252aac 100644
2157 +--- a/drivers/net/slip/slhc.c
2158 ++++ b/drivers/net/slip/slhc.c
2159 +@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
2160 + static unsigned char * put16(unsigned char *cp, unsigned short x);
2161 + static unsigned short pull16(unsigned char **cpp);
2162 +
2163 +-/* Initialize compression data structure
2164 ++/* Allocate compression data structure
2165 + * slots must be in range 0 to 255 (zero meaning no compression)
2166 ++ * Returns pointer to structure or ERR_PTR() on error.
2167 + */
2168 + struct slcompress *
2169 + slhc_init(int rslots, int tslots)
2170 +@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
2171 + register struct cstate *ts;
2172 + struct slcompress *comp;
2173 +
2174 ++ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
2175 ++ return ERR_PTR(-EINVAL);
2176 ++
2177 + comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
2178 + if (! comp)
2179 + goto out_fail;
2180 +
2181 +- if ( rslots > 0 && rslots < 256 ) {
2182 ++ if (rslots > 0) {
2183 + size_t rsize = rslots * sizeof(struct cstate);
2184 + comp->rstate = kzalloc(rsize, GFP_KERNEL);
2185 + if (! comp->rstate)
2186 +@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
2187 + comp->rslot_limit = rslots - 1;
2188 + }
2189 +
2190 +- if ( tslots > 0 && tslots < 256 ) {
2191 ++ if (tslots > 0) {
2192 + size_t tsize = tslots * sizeof(struct cstate);
2193 + comp->tstate = kzalloc(tsize, GFP_KERNEL);
2194 + if (! comp->tstate)
2195 +@@ -141,7 +145,7 @@ out_free2:
2196 + out_free:
2197 + kfree(comp);
2198 + out_fail:
2199 +- return NULL;
2200 ++ return ERR_PTR(-ENOMEM);
2201 + }
2202 +
2203 +
2204 +diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
2205 +index 05387b1e2e95..a17d86a57734 100644
2206 +--- a/drivers/net/slip/slip.c
2207 ++++ b/drivers/net/slip/slip.c
2208 +@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu)
2209 + if (cbuff == NULL)
2210 + goto err_exit;
2211 + slcomp = slhc_init(16, 16);
2212 +- if (slcomp == NULL)
2213 ++ if (IS_ERR(slcomp))
2214 + goto err_exit;
2215 + #endif
2216 + spin_lock_bh(&sl->lock);
2217 +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
2218 +index 651d35ea22c5..59fefca74263 100644
2219 +--- a/drivers/net/team/team.c
2220 ++++ b/drivers/net/team/team.c
2221 +@@ -1845,10 +1845,10 @@ static int team_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid)
2222 + struct team *team = netdev_priv(dev);
2223 + struct team_port *port;
2224 +
2225 +- rcu_read_lock();
2226 +- list_for_each_entry_rcu(port, &team->port_list, list)
2227 ++ mutex_lock(&team->lock);
2228 ++ list_for_each_entry(port, &team->port_list, list)
2229 + vlan_vid_del(port->dev, proto, vid);
2230 +- rcu_read_unlock();
2231 ++ mutex_unlock(&team->lock);
2232 +
2233 + return 0;
2234 + }
2235 +diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c
2236 +index b6ea6ff7fb7b..d87b4acdfa5b 100644
2237 +--- a/drivers/net/usb/cdc_mbim.c
2238 ++++ b/drivers/net/usb/cdc_mbim.c
2239 +@@ -100,7 +100,7 @@ static const struct net_device_ops cdc_mbim_netdev_ops = {
2240 + .ndo_stop = usbnet_stop,
2241 + .ndo_start_xmit = usbnet_start_xmit,
2242 + .ndo_tx_timeout = usbnet_tx_timeout,
2243 +- .ndo_change_mtu = usbnet_change_mtu,
2244 ++ .ndo_change_mtu = cdc_ncm_change_mtu,
2245 + .ndo_set_mac_address = eth_mac_addr,
2246 + .ndo_validate_addr = eth_validate_addr,
2247 + .ndo_vlan_rx_add_vid = cdc_mbim_rx_add_vid,
2248 +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
2249 +index fa41a6d2a3e5..e278a7a4956d 100644
2250 +--- a/drivers/net/usb/cdc_ncm.c
2251 ++++ b/drivers/net/usb/cdc_ncm.c
2252 +@@ -41,6 +41,7 @@
2253 + #include <linux/module.h>
2254 + #include <linux/netdevice.h>
2255 + #include <linux/ctype.h>
2256 ++#include <linux/etherdevice.h>
2257 + #include <linux/ethtool.h>
2258 + #include <linux/workqueue.h>
2259 + #include <linux/mii.h>
2260 +@@ -689,6 +690,33 @@ static void cdc_ncm_free(struct cdc_ncm_ctx *ctx)
2261 + kfree(ctx);
2262 + }
2263 +
2264 ++/* we need to override the usbnet change_mtu ndo for two reasons:
2265 ++ * - respect the negotiated maximum datagram size
2266 ++ * - avoid unwanted changes to rx and tx buffers
2267 ++ */
2268 ++int cdc_ncm_change_mtu(struct net_device *net, int new_mtu)
2269 ++{
2270 ++ struct usbnet *dev = netdev_priv(net);
2271 ++ struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0];
2272 ++ int maxmtu = ctx->max_datagram_size - cdc_ncm_eth_hlen(dev);
2273 ++
2274 ++ if (new_mtu <= 0 || new_mtu > maxmtu)
2275 ++ return -EINVAL;
2276 ++ net->mtu = new_mtu;
2277 ++ return 0;
2278 ++}
2279 ++EXPORT_SYMBOL_GPL(cdc_ncm_change_mtu);
2280 ++
2281 ++static const struct net_device_ops cdc_ncm_netdev_ops = {
2282 ++ .ndo_open = usbnet_open,
2283 ++ .ndo_stop = usbnet_stop,
2284 ++ .ndo_start_xmit = usbnet_start_xmit,
2285 ++ .ndo_tx_timeout = usbnet_tx_timeout,
2286 ++ .ndo_change_mtu = cdc_ncm_change_mtu,
2287 ++ .ndo_set_mac_address = eth_mac_addr,
2288 ++ .ndo_validate_addr = eth_validate_addr,
2289 ++};
2290 ++
2291 + int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_altsetting, int drvflags)
2292 + {
2293 + const struct usb_cdc_union_desc *union_desc = NULL;
2294 +@@ -874,6 +902,9 @@ advance:
2295 + /* add our sysfs attrs */
2296 + dev->net->sysfs_groups[0] = &cdc_ncm_sysfs_attr_group;
2297 +
2298 ++ /* must handle MTU changes */
2299 ++ dev->net->netdev_ops = &cdc_ncm_netdev_ops;
2300 ++
2301 + return 0;
2302 +
2303 + error2:
2304 +diff --git a/drivers/net/veth.c b/drivers/net/veth.c
2305 +index 0ef4a5ad5557..ba21d072be31 100644
2306 +--- a/drivers/net/veth.c
2307 ++++ b/drivers/net/veth.c
2308 +@@ -117,12 +117,6 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
2309 + kfree_skb(skb);
2310 + goto drop;
2311 + }
2312 +- /* don't change ip_summed == CHECKSUM_PARTIAL, as that
2313 +- * will cause bad checksum on forwarded packets
2314 +- */
2315 +- if (skb->ip_summed == CHECKSUM_NONE &&
2316 +- rcv->features & NETIF_F_RXCSUM)
2317 +- skb->ip_summed = CHECKSUM_UNNECESSARY;
2318 +
2319 + if (likely(dev_forward_skb(rcv, skb) == NET_RX_SUCCESS)) {
2320 + struct pcpu_vstats *stats = this_cpu_ptr(dev->vstats);
2321 +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
2322 +index c1587ece28cf..40b5f8af47a3 100644
2323 +--- a/drivers/net/vxlan.c
2324 ++++ b/drivers/net/vxlan.c
2325 +@@ -2660,7 +2660,7 @@ static int vxlan_dev_configure(struct net *src_net, struct net_device *dev,
2326 + struct vxlan_config *conf)
2327 + {
2328 + struct vxlan_net *vn = net_generic(src_net, vxlan_net_id);
2329 +- struct vxlan_dev *vxlan = netdev_priv(dev);
2330 ++ struct vxlan_dev *vxlan = netdev_priv(dev), *tmp;
2331 + struct vxlan_rdst *dst = &vxlan->default_dst;
2332 + int err;
2333 + bool use_ipv6 = false;
2334 +@@ -2725,9 +2725,15 @@ static int vxlan_dev_configure(struct net *src_net, struct net_device *dev,
2335 + if (!vxlan->cfg.age_interval)
2336 + vxlan->cfg.age_interval = FDB_AGE_DEFAULT;
2337 +
2338 +- if (vxlan_find_vni(src_net, conf->vni, use_ipv6 ? AF_INET6 : AF_INET,
2339 +- vxlan->cfg.dst_port, vxlan->flags))
2340 ++ list_for_each_entry(tmp, &vn->vxlan_list, next) {
2341 ++ if (tmp->cfg.vni == conf->vni &&
2342 ++ (tmp->default_dst.remote_ip.sa.sa_family == AF_INET6 ||
2343 ++ tmp->cfg.saddr.sa.sa_family == AF_INET6) == use_ipv6 &&
2344 ++ tmp->cfg.dst_port == vxlan->cfg.dst_port &&
2345 ++ (tmp->flags & VXLAN_F_RCV_FLAGS) ==
2346 ++ (vxlan->flags & VXLAN_F_RCV_FLAGS))
2347 + return -EEXIST;
2348 ++ }
2349 +
2350 + dev->ethtool_ops = &vxlan_ethtool_ops;
2351 +
2352 +diff --git a/drivers/parisc/iommu-helpers.h b/drivers/parisc/iommu-helpers.h
2353 +index 761e77bfce5d..e56f1569f6c3 100644
2354 +--- a/drivers/parisc/iommu-helpers.h
2355 ++++ b/drivers/parisc/iommu-helpers.h
2356 +@@ -104,7 +104,11 @@ iommu_coalesce_chunks(struct ioc *ioc, struct device *dev,
2357 + struct scatterlist *contig_sg; /* contig chunk head */
2358 + unsigned long dma_offset, dma_len; /* start/len of DMA stream */
2359 + unsigned int n_mappings = 0;
2360 +- unsigned int max_seg_size = dma_get_max_seg_size(dev);
2361 ++ unsigned int max_seg_size = min(dma_get_max_seg_size(dev),
2362 ++ (unsigned)DMA_CHUNK_SIZE);
2363 ++ unsigned int max_seg_boundary = dma_get_seg_boundary(dev) + 1;
2364 ++ if (max_seg_boundary) /* check if the addition above didn't overflow */
2365 ++ max_seg_size = min(max_seg_size, max_seg_boundary);
2366 +
2367 + while (nents > 0) {
2368 +
2369 +@@ -138,14 +142,11 @@ iommu_coalesce_chunks(struct ioc *ioc, struct device *dev,
2370 +
2371 + /*
2372 + ** First make sure current dma stream won't
2373 +- ** exceed DMA_CHUNK_SIZE if we coalesce the
2374 ++ ** exceed max_seg_size if we coalesce the
2375 + ** next entry.
2376 + */
2377 +- if(unlikely(ALIGN(dma_len + dma_offset + startsg->length,
2378 +- IOVP_SIZE) > DMA_CHUNK_SIZE))
2379 +- break;
2380 +-
2381 +- if (startsg->length + dma_len > max_seg_size)
2382 ++ if (unlikely(ALIGN(dma_len + dma_offset + startsg->length, IOVP_SIZE) >
2383 ++ max_seg_size))
2384 + break;
2385 +
2386 + /*
2387 +diff --git a/drivers/staging/lustre/lustre/obdecho/echo_client.c b/drivers/staging/lustre/lustre/obdecho/echo_client.c
2388 +index 27bd170c3a28..ef2c5e032f10 100644
2389 +--- a/drivers/staging/lustre/lustre/obdecho/echo_client.c
2390 ++++ b/drivers/staging/lustre/lustre/obdecho/echo_client.c
2391 +@@ -1268,6 +1268,7 @@ static int
2392 + echo_copyout_lsm(struct lov_stripe_md *lsm, void *_ulsm, int ulsm_nob)
2393 + {
2394 + struct lov_stripe_md *ulsm = _ulsm;
2395 ++ struct lov_oinfo **p;
2396 + int nob, i;
2397 +
2398 + nob = offsetof(struct lov_stripe_md, lsm_oinfo[lsm->lsm_stripe_count]);
2399 +@@ -1277,9 +1278,10 @@ echo_copyout_lsm(struct lov_stripe_md *lsm, void *_ulsm, int ulsm_nob)
2400 + if (copy_to_user(ulsm, lsm, sizeof(*ulsm)))
2401 + return -EFAULT;
2402 +
2403 +- for (i = 0; i < lsm->lsm_stripe_count; i++) {
2404 +- if (copy_to_user(ulsm->lsm_oinfo[i], lsm->lsm_oinfo[i],
2405 +- sizeof(lsm->lsm_oinfo[0])))
2406 ++ for (i = 0, p = lsm->lsm_oinfo; i < lsm->lsm_stripe_count; i++, p++) {
2407 ++ struct lov_oinfo __user *up;
2408 ++ if (get_user(up, ulsm->lsm_oinfo + i) ||
2409 ++ copy_to_user(up, *p, sizeof(struct lov_oinfo)))
2410 + return -EFAULT;
2411 + }
2412 + return 0;
2413 +@@ -1287,9 +1289,10 @@ echo_copyout_lsm(struct lov_stripe_md *lsm, void *_ulsm, int ulsm_nob)
2414 +
2415 + static int
2416 + echo_copyin_lsm(struct echo_device *ed, struct lov_stripe_md *lsm,
2417 +- void *ulsm, int ulsm_nob)
2418 ++ struct lov_stripe_md __user *ulsm, int ulsm_nob)
2419 + {
2420 + struct echo_client_obd *ec = ed->ed_ec;
2421 ++ struct lov_oinfo **p;
2422 + int i;
2423 +
2424 + if (ulsm_nob < sizeof(*lsm))
2425 +@@ -1305,11 +1308,10 @@ echo_copyin_lsm(struct echo_device *ed, struct lov_stripe_md *lsm,
2426 + return -EINVAL;
2427 +
2428 +
2429 +- for (i = 0; i < lsm->lsm_stripe_count; i++) {
2430 +- if (copy_from_user(lsm->lsm_oinfo[i],
2431 +- ((struct lov_stripe_md *)ulsm)-> \
2432 +- lsm_oinfo[i],
2433 +- sizeof(lsm->lsm_oinfo[0])))
2434 ++ for (i = 0, p = lsm->lsm_oinfo; i < lsm->lsm_stripe_count; i++, p++) {
2435 ++ struct lov_oinfo __user *up;
2436 ++ if (get_user(up, ulsm->lsm_oinfo + i) ||
2437 ++ copy_from_user(*p, up, sizeof(struct lov_oinfo)))
2438 + return -EFAULT;
2439 + }
2440 + return 0;
2441 +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
2442 +index 522f766a7d07..62084335a608 100644
2443 +--- a/drivers/usb/core/hub.c
2444 ++++ b/drivers/usb/core/hub.c
2445 +@@ -1035,10 +1035,20 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
2446 + unsigned delay;
2447 +
2448 + /* Continue a partial initialization */
2449 +- if (type == HUB_INIT2)
2450 +- goto init2;
2451 +- if (type == HUB_INIT3)
2452 ++ if (type == HUB_INIT2 || type == HUB_INIT3) {
2453 ++ device_lock(hub->intfdev);
2454 ++
2455 ++ /* Was the hub disconnected while we were waiting? */
2456 ++ if (hub->disconnected) {
2457 ++ device_unlock(hub->intfdev);
2458 ++ kref_put(&hub->kref, hub_release);
2459 ++ return;
2460 ++ }
2461 ++ if (type == HUB_INIT2)
2462 ++ goto init2;
2463 + goto init3;
2464 ++ }
2465 ++ kref_get(&hub->kref);
2466 +
2467 + /* The superspeed hub except for root hub has to use Hub Depth
2468 + * value as an offset into the route string to locate the bits
2469 +@@ -1236,6 +1246,7 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
2470 + queue_delayed_work(system_power_efficient_wq,
2471 + &hub->init_work,
2472 + msecs_to_jiffies(delay));
2473 ++ device_unlock(hub->intfdev);
2474 + return; /* Continues at init3: below */
2475 + } else {
2476 + msleep(delay);
2477 +@@ -1257,6 +1268,11 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
2478 + /* Allow autosuspend if it was suppressed */
2479 + if (type <= HUB_INIT3)
2480 + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
2481 ++
2482 ++ if (type == HUB_INIT2 || type == HUB_INIT3)
2483 ++ device_unlock(hub->intfdev);
2484 ++
2485 ++ kref_put(&hub->kref, hub_release);
2486 + }
2487 +
2488 + /* Implement the continuations for the delays above */
2489 +@@ -3870,17 +3886,30 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev,
2490 + return;
2491 + }
2492 +
2493 +- if (usb_set_lpm_timeout(udev, state, timeout))
2494 ++ if (usb_set_lpm_timeout(udev, state, timeout)) {
2495 + /* If we can't set the parent hub U1/U2 timeout,
2496 + * device-initiated LPM won't be allowed either, so let the xHCI
2497 + * host know that this link state won't be enabled.
2498 + */
2499 + hcd->driver->disable_usb3_lpm_timeout(hcd, udev, state);
2500 ++ } else {
2501 ++ /* Only a configured device will accept the Set Feature
2502 ++ * U1/U2_ENABLE
2503 ++ */
2504 ++ if (udev->actconfig)
2505 ++ usb_set_device_initiated_lpm(udev, state, true);
2506 +
2507 +- /* Only a configured device will accept the Set Feature U1/U2_ENABLE */
2508 +- else if (udev->actconfig)
2509 +- usb_set_device_initiated_lpm(udev, state, true);
2510 +-
2511 ++ /* As soon as usb_set_lpm_timeout(timeout) returns 0, the
2512 ++ * hub-initiated LPM is enabled. Thus, LPM is enabled no
2513 ++ * matter the result of usb_set_device_initiated_lpm().
2514 ++ * The only difference is whether device is able to initiate
2515 ++ * LPM.
2516 ++ */
2517 ++ if (state == USB3_LPM_U1)
2518 ++ udev->usb3_lpm_u1_enabled = 1;
2519 ++ else if (state == USB3_LPM_U2)
2520 ++ udev->usb3_lpm_u2_enabled = 1;
2521 ++ }
2522 + }
2523 +
2524 + /*
2525 +@@ -3920,6 +3949,18 @@ static int usb_disable_link_state(struct usb_hcd *hcd, struct usb_device *udev,
2526 + dev_warn(&udev->dev, "Could not disable xHCI %s timeout, "
2527 + "bus schedule bandwidth may be impacted.\n",
2528 + usb3_lpm_names[state]);
2529 ++
2530 ++ /* As soon as usb_set_lpm_timeout(0) return 0, hub initiated LPM
2531 ++ * is disabled. Hub will disallows link to enter U1/U2 as well,
2532 ++ * even device is initiating LPM. Hence LPM is disabled if hub LPM
2533 ++ * timeout set to 0, no matter device-initiated LPM is disabled or
2534 ++ * not.
2535 ++ */
2536 ++ if (state == USB3_LPM_U1)
2537 ++ udev->usb3_lpm_u1_enabled = 0;
2538 ++ else if (state == USB3_LPM_U2)
2539 ++ udev->usb3_lpm_u2_enabled = 0;
2540 ++
2541 + return 0;
2542 + }
2543 +
2544 +@@ -3954,8 +3995,6 @@ int usb_disable_lpm(struct usb_device *udev)
2545 + if (usb_disable_link_state(hcd, udev, USB3_LPM_U2))
2546 + goto enable_lpm;
2547 +
2548 +- udev->usb3_lpm_enabled = 0;
2549 +-
2550 + return 0;
2551 +
2552 + enable_lpm:
2553 +@@ -4013,8 +4052,6 @@ void usb_enable_lpm(struct usb_device *udev)
2554 +
2555 + usb_enable_link_state(hcd, udev, USB3_LPM_U1);
2556 + usb_enable_link_state(hcd, udev, USB3_LPM_U2);
2557 +-
2558 +- udev->usb3_lpm_enabled = 1;
2559 + }
2560 + EXPORT_SYMBOL_GPL(usb_enable_lpm);
2561 +
2562 +diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
2563 +index cfc68c11c3f5..c54fd8b73966 100644
2564 +--- a/drivers/usb/core/sysfs.c
2565 ++++ b/drivers/usb/core/sysfs.c
2566 +@@ -531,7 +531,7 @@ static ssize_t usb2_lpm_besl_store(struct device *dev,
2567 + }
2568 + static DEVICE_ATTR_RW(usb2_lpm_besl);
2569 +
2570 +-static ssize_t usb3_hardware_lpm_show(struct device *dev,
2571 ++static ssize_t usb3_hardware_lpm_u1_show(struct device *dev,
2572 + struct device_attribute *attr, char *buf)
2573 + {
2574 + struct usb_device *udev = to_usb_device(dev);
2575 +@@ -539,7 +539,7 @@ static ssize_t usb3_hardware_lpm_show(struct device *dev,
2576 +
2577 + usb_lock_device(udev);
2578 +
2579 +- if (udev->usb3_lpm_enabled)
2580 ++ if (udev->usb3_lpm_u1_enabled)
2581 + p = "enabled";
2582 + else
2583 + p = "disabled";
2584 +@@ -548,7 +548,26 @@ static ssize_t usb3_hardware_lpm_show(struct device *dev,
2585 +
2586 + return sprintf(buf, "%s\n", p);
2587 + }
2588 +-static DEVICE_ATTR_RO(usb3_hardware_lpm);
2589 ++static DEVICE_ATTR_RO(usb3_hardware_lpm_u1);
2590 ++
2591 ++static ssize_t usb3_hardware_lpm_u2_show(struct device *dev,
2592 ++ struct device_attribute *attr, char *buf)
2593 ++{
2594 ++ struct usb_device *udev = to_usb_device(dev);
2595 ++ const char *p;
2596 ++
2597 ++ usb_lock_device(udev);
2598 ++
2599 ++ if (udev->usb3_lpm_u2_enabled)
2600 ++ p = "enabled";
2601 ++ else
2602 ++ p = "disabled";
2603 ++
2604 ++ usb_unlock_device(udev);
2605 ++
2606 ++ return sprintf(buf, "%s\n", p);
2607 ++}
2608 ++static DEVICE_ATTR_RO(usb3_hardware_lpm_u2);
2609 +
2610 + static struct attribute *usb2_hardware_lpm_attr[] = {
2611 + &dev_attr_usb2_hardware_lpm.attr,
2612 +@@ -562,7 +581,8 @@ static struct attribute_group usb2_hardware_lpm_attr_group = {
2613 + };
2614 +
2615 + static struct attribute *usb3_hardware_lpm_attr[] = {
2616 +- &dev_attr_usb3_hardware_lpm.attr,
2617 ++ &dev_attr_usb3_hardware_lpm_u1.attr,
2618 ++ &dev_attr_usb3_hardware_lpm_u2.attr,
2619 + NULL,
2620 + };
2621 + static struct attribute_group usb3_hardware_lpm_attr_group = {
2622 +@@ -592,7 +612,8 @@ static int add_power_attributes(struct device *dev)
2623 + if (udev->usb2_hw_lpm_capable == 1)
2624 + rc = sysfs_merge_group(&dev->kobj,
2625 + &usb2_hardware_lpm_attr_group);
2626 +- if (udev->lpm_capable == 1)
2627 ++ if (udev->speed == USB_SPEED_SUPER &&
2628 ++ udev->lpm_capable == 1)
2629 + rc = sysfs_merge_group(&dev->kobj,
2630 + &usb3_hardware_lpm_attr_group);
2631 + }
2632 +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
2633 +index 385f9f5d6715..e40c300ff8d6 100644
2634 +--- a/drivers/usb/host/xhci.c
2635 ++++ b/drivers/usb/host/xhci.c
2636 +@@ -4778,8 +4778,16 @@ int xhci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
2637 + ctrl_ctx->add_flags |= cpu_to_le32(SLOT_FLAG);
2638 + slot_ctx = xhci_get_slot_ctx(xhci, config_cmd->in_ctx);
2639 + slot_ctx->dev_info |= cpu_to_le32(DEV_HUB);
2640 ++ /*
2641 ++ * refer to section 6.2.2: MTT should be 0 for full speed hub,
2642 ++ * but it may be already set to 1 when setup an xHCI virtual
2643 ++ * device, so clear it anyway.
2644 ++ */
2645 + if (tt->multi)
2646 + slot_ctx->dev_info |= cpu_to_le32(DEV_MTT);
2647 ++ else if (hdev->speed == USB_SPEED_FULL)
2648 ++ slot_ctx->dev_info &= cpu_to_le32(~DEV_MTT);
2649 ++
2650 + if (xhci->hci_version > 0x95) {
2651 + xhci_dbg(xhci, "xHCI version %x needs hub "
2652 + "TT think time and number of ports\n",
2653 +@@ -5034,6 +5042,10 @@ static int __init xhci_hcd_init(void)
2654 + BUILD_BUG_ON(sizeof(struct xhci_intr_reg) != 8*32/8);
2655 + /* xhci_run_regs has eight fields and embeds 128 xhci_intr_regs */
2656 + BUILD_BUG_ON(sizeof(struct xhci_run_regs) != (8+8*128)*32/8);
2657 ++
2658 ++ if (usb_disabled())
2659 ++ return -ENODEV;
2660 ++
2661 + return 0;
2662 + }
2663 +
2664 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
2665 +index 7d4f51a32e66..59b2126b21a3 100644
2666 +--- a/drivers/usb/serial/cp210x.c
2667 ++++ b/drivers/usb/serial/cp210x.c
2668 +@@ -160,6 +160,7 @@ static const struct usb_device_id id_table[] = {
2669 + { USB_DEVICE(0x17F4, 0xAAAA) }, /* Wavesense Jazz blood glucose meter */
2670 + { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
2671 + { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
2672 ++ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
2673 + { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
2674 + { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
2675 + { USB_DEVICE(0x1BA4, 0x0002) }, /* Silicon Labs 358x factory default */
2676 +diff --git a/drivers/usb/serial/ipaq.c b/drivers/usb/serial/ipaq.c
2677 +index f51a5d52c0ed..ec1b8f2c1183 100644
2678 +--- a/drivers/usb/serial/ipaq.c
2679 ++++ b/drivers/usb/serial/ipaq.c
2680 +@@ -531,7 +531,8 @@ static int ipaq_open(struct tty_struct *tty,
2681 + * through. Since this has a reasonably high failure rate, we retry
2682 + * several times.
2683 + */
2684 +- while (retries--) {
2685 ++ while (retries) {
2686 ++ retries--;
2687 + result = usb_control_msg(serial->dev,
2688 + usb_sndctrlpipe(serial->dev, 0), 0x22, 0x21,
2689 + 0x1, 0, NULL, 0, 100);
2690 +diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
2691 +index 2ea0b3b2a91d..1be5dd048622 100644
2692 +--- a/drivers/xen/gntdev.c
2693 ++++ b/drivers/xen/gntdev.c
2694 +@@ -804,7 +804,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
2695 +
2696 + vma->vm_ops = &gntdev_vmops;
2697 +
2698 +- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
2699 ++ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
2700 +
2701 + if (use_ptemod)
2702 + vma->vm_flags |= VM_DONTCOPY;
2703 +diff --git a/fs/direct-io.c b/fs/direct-io.c
2704 +index 11256291642e..3e116320f01b 100644
2705 +--- a/fs/direct-io.c
2706 ++++ b/fs/direct-io.c
2707 +@@ -1161,6 +1161,16 @@ do_blockdev_direct_IO(struct kiocb *iocb, struct inode *inode,
2708 + }
2709 + }
2710 +
2711 ++ /* Once we sampled i_size check for reads beyond EOF */
2712 ++ dio->i_size = i_size_read(inode);
2713 ++ if (iov_iter_rw(iter) == READ && offset >= dio->i_size) {
2714 ++ if (dio->flags & DIO_LOCKING)
2715 ++ mutex_unlock(&inode->i_mutex);
2716 ++ kmem_cache_free(dio_cache, dio);
2717 ++ retval = 0;
2718 ++ goto out;
2719 ++ }
2720 ++
2721 + /*
2722 + * For file extending writes updating i_size before data writeouts
2723 + * complete can expose uninitialized blocks in dumb filesystems.
2724 +@@ -1214,7 +1224,6 @@ do_blockdev_direct_IO(struct kiocb *iocb, struct inode *inode,
2725 + sdio.next_block_for_io = -1;
2726 +
2727 + dio->iocb = iocb;
2728 +- dio->i_size = i_size_read(inode);
2729 +
2730 + spin_lock_init(&dio->bio_lock);
2731 + dio->refcount = 1;
2732 +diff --git a/include/linux/filter.h b/include/linux/filter.h
2733 +index fa2cab985e57..d42a5b832ad3 100644
2734 +--- a/include/linux/filter.h
2735 ++++ b/include/linux/filter.h
2736 +@@ -459,6 +459,25 @@ static inline void bpf_jit_free(struct bpf_prog *fp)
2737 +
2738 + #define BPF_ANC BIT(15)
2739 +
2740 ++static inline bool bpf_needs_clear_a(const struct sock_filter *first)
2741 ++{
2742 ++ switch (first->code) {
2743 ++ case BPF_RET | BPF_K:
2744 ++ case BPF_LD | BPF_W | BPF_LEN:
2745 ++ return false;
2746 ++
2747 ++ case BPF_LD | BPF_W | BPF_ABS:
2748 ++ case BPF_LD | BPF_H | BPF_ABS:
2749 ++ case BPF_LD | BPF_B | BPF_ABS:
2750 ++ if (first->k == SKF_AD_OFF + SKF_AD_ALU_XOR_X)
2751 ++ return true;
2752 ++ return false;
2753 ++
2754 ++ default:
2755 ++ return true;
2756 ++ }
2757 ++}
2758 ++
2759 + static inline u16 bpf_anc_helper(const struct sock_filter *ftest)
2760 + {
2761 + BUG_ON(ftest->code & BPF_ANC);
2762 +diff --git a/include/linux/mlx5/cq.h b/include/linux/mlx5/cq.h
2763 +index abc4767695e4..b2c9fada8eac 100644
2764 +--- a/include/linux/mlx5/cq.h
2765 ++++ b/include/linux/mlx5/cq.h
2766 +@@ -45,7 +45,7 @@ struct mlx5_core_cq {
2767 + atomic_t refcount;
2768 + struct completion free;
2769 + unsigned vector;
2770 +- int irqn;
2771 ++ unsigned int irqn;
2772 + void (*comp) (struct mlx5_core_cq *);
2773 + void (*event) (struct mlx5_core_cq *, enum mlx5_event);
2774 + struct mlx5_uar *uar;
2775 +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
2776 +index 8b6d6f2154a4..2b013dcc1d7e 100644
2777 +--- a/include/linux/mlx5/driver.h
2778 ++++ b/include/linux/mlx5/driver.h
2779 +@@ -303,7 +303,7 @@ struct mlx5_eq {
2780 + u32 cons_index;
2781 + struct mlx5_buf buf;
2782 + int size;
2783 +- u8 irqn;
2784 ++ unsigned int irqn;
2785 + u8 eqn;
2786 + int nent;
2787 + u64 mask;
2788 +@@ -738,7 +738,8 @@ int mlx5_create_map_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq, u8 vecidx,
2789 + int mlx5_destroy_unmap_eq(struct mlx5_core_dev *dev, struct mlx5_eq *eq);
2790 + int mlx5_start_eqs(struct mlx5_core_dev *dev);
2791 + int mlx5_stop_eqs(struct mlx5_core_dev *dev);
2792 +-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn, int *irqn);
2793 ++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
2794 ++ unsigned int *irqn);
2795 + int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
2796 + int mlx5_core_detach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
2797 +
2798 +diff --git a/include/linux/sched.h b/include/linux/sched.h
2799 +index b7b9501b41af..f477e87ca46f 100644
2800 +--- a/include/linux/sched.h
2801 ++++ b/include/linux/sched.h
2802 +@@ -830,6 +830,7 @@ struct user_struct {
2803 + unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
2804 + #endif
2805 + unsigned long locked_shm; /* How many pages of mlocked shm ? */
2806 ++ unsigned long unix_inflight; /* How many files in flight in unix sockets */
2807 +
2808 + #ifdef CONFIG_KEYS
2809 + struct key *uid_keyring; /* UID specific keyring */
2810 +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
2811 +index 4398411236f1..23ce309bd93f 100644
2812 +--- a/include/linux/skbuff.h
2813 ++++ b/include/linux/skbuff.h
2814 +@@ -3437,7 +3437,8 @@ struct skb_gso_cb {
2815 + int encap_level;
2816 + __u16 csum_start;
2817 + };
2818 +-#define SKB_GSO_CB(skb) ((struct skb_gso_cb *)(skb)->cb)
2819 ++#define SKB_SGO_CB_OFFSET 32
2820 ++#define SKB_GSO_CB(skb) ((struct skb_gso_cb *)((skb)->cb + SKB_SGO_CB_OFFSET))
2821 +
2822 + static inline int skb_tnl_header_len(const struct sk_buff *inner_skb)
2823 + {
2824 +diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
2825 +index a460e2ef2843..42c36bb6b74a 100644
2826 +--- a/include/linux/syscalls.h
2827 ++++ b/include/linux/syscalls.h
2828 +@@ -524,7 +524,7 @@ asmlinkage long sys_chown(const char __user *filename,
2829 + asmlinkage long sys_lchown(const char __user *filename,
2830 + uid_t user, gid_t group);
2831 + asmlinkage long sys_fchown(unsigned int fd, uid_t user, gid_t group);
2832 +-#ifdef CONFIG_UID16
2833 ++#ifdef CONFIG_HAVE_UID16
2834 + asmlinkage long sys_chown16(const char __user *filename,
2835 + old_uid_t user, old_gid_t group);
2836 + asmlinkage long sys_lchown16(const char __user *filename,
2837 +diff --git a/include/linux/types.h b/include/linux/types.h
2838 +index c314989d9158..89f63da62be6 100644
2839 +--- a/include/linux/types.h
2840 ++++ b/include/linux/types.h
2841 +@@ -35,7 +35,7 @@ typedef __kernel_gid16_t gid16_t;
2842 +
2843 + typedef unsigned long uintptr_t;
2844 +
2845 +-#ifdef CONFIG_UID16
2846 ++#ifdef CONFIG_HAVE_UID16
2847 + /* This is defined by include/asm-{arch}/posix_types.h */
2848 + typedef __kernel_old_uid_t old_uid_t;
2849 + typedef __kernel_old_gid_t old_gid_t;
2850 +diff --git a/include/linux/usb.h b/include/linux/usb.h
2851 +index 447fe29b55b4..4aec2113107c 100644
2852 +--- a/include/linux/usb.h
2853 ++++ b/include/linux/usb.h
2854 +@@ -507,6 +507,8 @@ struct usb3_lpm_parameters {
2855 + * @usb2_hw_lpm_enabled: USB2 hardware LPM is enabled
2856 + * @usb2_hw_lpm_allowed: Userspace allows USB 2.0 LPM to be enabled
2857 + * @usb3_lpm_enabled: USB3 hardware LPM enabled
2858 ++ * @usb3_lpm_u1_enabled: USB3 hardware U1 LPM enabled
2859 ++ * @usb3_lpm_u2_enabled: USB3 hardware U2 LPM enabled
2860 + * @string_langid: language ID for strings
2861 + * @product: iProduct string, if present (static)
2862 + * @manufacturer: iManufacturer string, if present (static)
2863 +@@ -580,6 +582,8 @@ struct usb_device {
2864 + unsigned usb2_hw_lpm_enabled:1;
2865 + unsigned usb2_hw_lpm_allowed:1;
2866 + unsigned usb3_lpm_enabled:1;
2867 ++ unsigned usb3_lpm_u1_enabled:1;
2868 ++ unsigned usb3_lpm_u2_enabled:1;
2869 + int string_langid;
2870 +
2871 + /* static strings from the device */
2872 +diff --git a/include/linux/usb/cdc_ncm.h b/include/linux/usb/cdc_ncm.h
2873 +index 1f6526c76ee8..3a375d07d0dc 100644
2874 +--- a/include/linux/usb/cdc_ncm.h
2875 ++++ b/include/linux/usb/cdc_ncm.h
2876 +@@ -138,6 +138,7 @@ struct cdc_ncm_ctx {
2877 + };
2878 +
2879 + u8 cdc_ncm_select_altsetting(struct usb_interface *intf);
2880 ++int cdc_ncm_change_mtu(struct net_device *net, int new_mtu);
2881 + int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_altsetting, int drvflags);
2882 + void cdc_ncm_unbind(struct usbnet *dev, struct usb_interface *intf);
2883 + struct sk_buff *cdc_ncm_fill_tx_frame(struct usbnet *dev, struct sk_buff *skb, __le32 sign);
2884 +diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h
2885 +index 84b20835b736..0dc0a51da38f 100644
2886 +--- a/include/net/inet_ecn.h
2887 ++++ b/include/net/inet_ecn.h
2888 +@@ -111,11 +111,24 @@ static inline void ipv4_copy_dscp(unsigned int dscp, struct iphdr *inner)
2889 +
2890 + struct ipv6hdr;
2891 +
2892 +-static inline int IP6_ECN_set_ce(struct ipv6hdr *iph)
2893 ++/* Note:
2894 ++ * IP_ECN_set_ce() has to tweak IPV4 checksum when setting CE,
2895 ++ * meaning both changes have no effect on skb->csum if/when CHECKSUM_COMPLETE
2896 ++ * In IPv6 case, no checksum compensates the change in IPv6 header,
2897 ++ * so we have to update skb->csum.
2898 ++ */
2899 ++static inline int IP6_ECN_set_ce(struct sk_buff *skb, struct ipv6hdr *iph)
2900 + {
2901 ++ __be32 from, to;
2902 ++
2903 + if (INET_ECN_is_not_ect(ipv6_get_dsfield(iph)))
2904 + return 0;
2905 +- *(__be32*)iph |= htonl(INET_ECN_CE << 20);
2906 ++
2907 ++ from = *(__be32 *)iph;
2908 ++ to = from | htonl(INET_ECN_CE << 20);
2909 ++ *(__be32 *)iph = to;
2910 ++ if (skb->ip_summed == CHECKSUM_COMPLETE)
2911 ++ skb->csum = csum_add(csum_sub(skb->csum, from), to);
2912 + return 1;
2913 + }
2914 +
2915 +@@ -142,7 +155,7 @@ static inline int INET_ECN_set_ce(struct sk_buff *skb)
2916 + case cpu_to_be16(ETH_P_IPV6):
2917 + if (skb_network_header(skb) + sizeof(struct ipv6hdr) <=
2918 + skb_tail_pointer(skb))
2919 +- return IP6_ECN_set_ce(ipv6_hdr(skb));
2920 ++ return IP6_ECN_set_ce(skb, ipv6_hdr(skb));
2921 + break;
2922 + }
2923 +
2924 +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
2925 +index b074b23000d6..36c6efeffdd5 100644
2926 +--- a/kernel/bpf/verifier.c
2927 ++++ b/kernel/bpf/verifier.c
2928 +@@ -1058,6 +1058,16 @@ static int check_alu_op(struct reg_state *regs, struct bpf_insn *insn)
2929 + return -EINVAL;
2930 + }
2931 +
2932 ++ if ((opcode == BPF_LSH || opcode == BPF_RSH ||
2933 ++ opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
2934 ++ int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
2935 ++
2936 ++ if (insn->imm < 0 || insn->imm >= size) {
2937 ++ verbose("invalid shift %d\n", insn->imm);
2938 ++ return -EINVAL;
2939 ++ }
2940 ++ }
2941 ++
2942 + /* pattern match 'bpf_add Rx, imm' instruction */
2943 + if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 &&
2944 + regs[insn->dst_reg].type == FRAME_PTR &&
2945 +diff --git a/kernel/time/timer.c b/kernel/time/timer.c
2946 +index 84190f02b521..101240bfff1e 100644
2947 +--- a/kernel/time/timer.c
2948 ++++ b/kernel/time/timer.c
2949 +@@ -970,13 +970,29 @@ EXPORT_SYMBOL(add_timer);
2950 + */
2951 + void add_timer_on(struct timer_list *timer, int cpu)
2952 + {
2953 +- struct tvec_base *base = per_cpu_ptr(&tvec_bases, cpu);
2954 ++ struct tvec_base *new_base = per_cpu_ptr(&tvec_bases, cpu);
2955 ++ struct tvec_base *base;
2956 + unsigned long flags;
2957 +
2958 + timer_stats_timer_set_start_info(timer);
2959 + BUG_ON(timer_pending(timer) || !timer->function);
2960 +- spin_lock_irqsave(&base->lock, flags);
2961 +- timer->flags = (timer->flags & ~TIMER_BASEMASK) | cpu;
2962 ++
2963 ++ /*
2964 ++ * If @timer was on a different CPU, it should be migrated with the
2965 ++ * old base locked to prevent other operations proceeding with the
2966 ++ * wrong base locked. See lock_timer_base().
2967 ++ */
2968 ++ base = lock_timer_base(timer, &flags);
2969 ++ if (base != new_base) {
2970 ++ timer->flags |= TIMER_MIGRATING;
2971 ++
2972 ++ spin_unlock(&base->lock);
2973 ++ base = new_base;
2974 ++ spin_lock(&base->lock);
2975 ++ WRITE_ONCE(timer->flags,
2976 ++ (timer->flags & ~TIMER_BASEMASK) | cpu);
2977 ++ }
2978 ++
2979 + debug_activate(timer, timer->expires);
2980 + internal_add_timer(base, timer);
2981 + spin_unlock_irqrestore(&base->lock, flags);
2982 +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
2983 +index 191a70290dca..f5d2fe5e31cc 100644
2984 +--- a/net/batman-adv/bridge_loop_avoidance.c
2985 ++++ b/net/batman-adv/bridge_loop_avoidance.c
2986 +@@ -127,21 +127,17 @@ batadv_backbone_gw_free_ref(struct batadv_bla_backbone_gw *backbone_gw)
2987 + }
2988 +
2989 + /* finally deinitialize the claim */
2990 +-static void batadv_claim_free_rcu(struct rcu_head *rcu)
2991 ++static void batadv_claim_release(struct batadv_bla_claim *claim)
2992 + {
2993 +- struct batadv_bla_claim *claim;
2994 +-
2995 +- claim = container_of(rcu, struct batadv_bla_claim, rcu);
2996 +-
2997 + batadv_backbone_gw_free_ref(claim->backbone_gw);
2998 +- kfree(claim);
2999 ++ kfree_rcu(claim, rcu);
3000 + }
3001 +
3002 + /* free a claim, call claim_free_rcu if its the last reference */
3003 + static void batadv_claim_free_ref(struct batadv_bla_claim *claim)
3004 + {
3005 + if (atomic_dec_and_test(&claim->refcount))
3006 +- call_rcu(&claim->rcu, batadv_claim_free_rcu);
3007 ++ batadv_claim_release(claim);
3008 + }
3009 +
3010 + /**
3011 +diff --git a/net/batman-adv/hard-interface.h b/net/batman-adv/hard-interface.h
3012 +index 5a31420513e1..7b12ea8ea29d 100644
3013 +--- a/net/batman-adv/hard-interface.h
3014 ++++ b/net/batman-adv/hard-interface.h
3015 +@@ -75,18 +75,6 @@ batadv_hardif_free_ref(struct batadv_hard_iface *hard_iface)
3016 + call_rcu(&hard_iface->rcu, batadv_hardif_free_rcu);
3017 + }
3018 +
3019 +-/**
3020 +- * batadv_hardif_free_ref_now - decrement the hard interface refcounter and
3021 +- * possibly free it (without rcu callback)
3022 +- * @hard_iface: the hard interface to free
3023 +- */
3024 +-static inline void
3025 +-batadv_hardif_free_ref_now(struct batadv_hard_iface *hard_iface)
3026 +-{
3027 +- if (atomic_dec_and_test(&hard_iface->refcount))
3028 +- batadv_hardif_free_rcu(&hard_iface->rcu);
3029 +-}
3030 +-
3031 + static inline struct batadv_hard_iface *
3032 + batadv_primary_if_get_selected(struct batadv_priv *bat_priv)
3033 + {
3034 +diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
3035 +index f5276be2c77c..d0956f726547 100644
3036 +--- a/net/batman-adv/network-coding.c
3037 ++++ b/net/batman-adv/network-coding.c
3038 +@@ -203,28 +203,25 @@ void batadv_nc_init_orig(struct batadv_orig_node *orig_node)
3039 + }
3040 +
3041 + /**
3042 +- * batadv_nc_node_free_rcu - rcu callback to free an nc node and remove
3043 +- * its refcount on the orig_node
3044 +- * @rcu: rcu pointer of the nc node
3045 ++ * batadv_nc_node_release - release nc_node from lists and queue for free after
3046 ++ * rcu grace period
3047 ++ * @nc_node: the nc node to free
3048 + */
3049 +-static void batadv_nc_node_free_rcu(struct rcu_head *rcu)
3050 ++static void batadv_nc_node_release(struct batadv_nc_node *nc_node)
3051 + {
3052 +- struct batadv_nc_node *nc_node;
3053 +-
3054 +- nc_node = container_of(rcu, struct batadv_nc_node, rcu);
3055 + batadv_orig_node_free_ref(nc_node->orig_node);
3056 +- kfree(nc_node);
3057 ++ kfree_rcu(nc_node, rcu);
3058 + }
3059 +
3060 + /**
3061 +- * batadv_nc_node_free_ref - decrements the nc node refcounter and possibly
3062 +- * frees it
3063 ++ * batadv_nc_node_free_ref - decrement the nc node refcounter and possibly
3064 ++ * release it
3065 + * @nc_node: the nc node to free
3066 + */
3067 + static void batadv_nc_node_free_ref(struct batadv_nc_node *nc_node)
3068 + {
3069 + if (atomic_dec_and_test(&nc_node->refcount))
3070 +- call_rcu(&nc_node->rcu, batadv_nc_node_free_rcu);
3071 ++ batadv_nc_node_release(nc_node);
3072 + }
3073 +
3074 + /**
3075 +diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
3076 +index 7486df9ed48d..17851d3aaf22 100644
3077 +--- a/net/batman-adv/originator.c
3078 ++++ b/net/batman-adv/originator.c
3079 +@@ -163,92 +163,66 @@ err:
3080 + }
3081 +
3082 + /**
3083 +- * batadv_neigh_ifinfo_free_rcu - free the neigh_ifinfo object
3084 +- * @rcu: rcu pointer of the neigh_ifinfo object
3085 +- */
3086 +-static void batadv_neigh_ifinfo_free_rcu(struct rcu_head *rcu)
3087 +-{
3088 +- struct batadv_neigh_ifinfo *neigh_ifinfo;
3089 +-
3090 +- neigh_ifinfo = container_of(rcu, struct batadv_neigh_ifinfo, rcu);
3091 +-
3092 +- if (neigh_ifinfo->if_outgoing != BATADV_IF_DEFAULT)
3093 +- batadv_hardif_free_ref_now(neigh_ifinfo->if_outgoing);
3094 +-
3095 +- kfree(neigh_ifinfo);
3096 +-}
3097 +-
3098 +-/**
3099 +- * batadv_neigh_ifinfo_free_now - decrement the refcounter and possibly free
3100 +- * the neigh_ifinfo (without rcu callback)
3101 ++ * batadv_neigh_ifinfo_release - release neigh_ifinfo from lists and queue for
3102 ++ * free after rcu grace period
3103 + * @neigh_ifinfo: the neigh_ifinfo object to release
3104 + */
3105 + static void
3106 +-batadv_neigh_ifinfo_free_ref_now(struct batadv_neigh_ifinfo *neigh_ifinfo)
3107 ++batadv_neigh_ifinfo_release(struct batadv_neigh_ifinfo *neigh_ifinfo)
3108 + {
3109 +- if (atomic_dec_and_test(&neigh_ifinfo->refcount))
3110 +- batadv_neigh_ifinfo_free_rcu(&neigh_ifinfo->rcu);
3111 ++ if (neigh_ifinfo->if_outgoing != BATADV_IF_DEFAULT)
3112 ++ batadv_hardif_free_ref(neigh_ifinfo->if_outgoing);
3113 ++
3114 ++ kfree_rcu(neigh_ifinfo, rcu);
3115 + }
3116 +
3117 + /**
3118 +- * batadv_neigh_ifinfo_free_ref - decrement the refcounter and possibly free
3119 ++ * batadv_neigh_ifinfo_free_ref - decrement the refcounter and possibly release
3120 + * the neigh_ifinfo
3121 + * @neigh_ifinfo: the neigh_ifinfo object to release
3122 + */
3123 + void batadv_neigh_ifinfo_free_ref(struct batadv_neigh_ifinfo *neigh_ifinfo)
3124 + {
3125 + if (atomic_dec_and_test(&neigh_ifinfo->refcount))
3126 +- call_rcu(&neigh_ifinfo->rcu, batadv_neigh_ifinfo_free_rcu);
3127 ++ batadv_neigh_ifinfo_release(neigh_ifinfo);
3128 + }
3129 +
3130 + /**
3131 + * batadv_neigh_node_free_rcu - free the neigh_node
3132 +- * @rcu: rcu pointer of the neigh_node
3133 ++ * batadv_neigh_node_release - release neigh_node from lists and queue for
3134 ++ * free after rcu grace period
3135 ++ * @neigh_node: neigh neighbor to free
3136 + */
3137 +-static void batadv_neigh_node_free_rcu(struct rcu_head *rcu)
3138 ++static void batadv_neigh_node_release(struct batadv_neigh_node *neigh_node)
3139 + {
3140 + struct hlist_node *node_tmp;
3141 +- struct batadv_neigh_node *neigh_node;
3142 + struct batadv_neigh_ifinfo *neigh_ifinfo;
3143 + struct batadv_algo_ops *bao;
3144 +
3145 +- neigh_node = container_of(rcu, struct batadv_neigh_node, rcu);
3146 + bao = neigh_node->orig_node->bat_priv->bat_algo_ops;
3147 +
3148 + hlist_for_each_entry_safe(neigh_ifinfo, node_tmp,
3149 + &neigh_node->ifinfo_list, list) {
3150 +- batadv_neigh_ifinfo_free_ref_now(neigh_ifinfo);
3151 ++ batadv_neigh_ifinfo_free_ref(neigh_ifinfo);
3152 + }
3153 +
3154 + if (bao->bat_neigh_free)
3155 + bao->bat_neigh_free(neigh_node);
3156 +
3157 +- batadv_hardif_free_ref_now(neigh_node->if_incoming);
3158 ++ batadv_hardif_free_ref(neigh_node->if_incoming);
3159 +
3160 +- kfree(neigh_node);
3161 +-}
3162 +-
3163 +-/**
3164 +- * batadv_neigh_node_free_ref_now - decrement the neighbors refcounter
3165 +- * and possibly free it (without rcu callback)
3166 +- * @neigh_node: neigh neighbor to free
3167 +- */
3168 +-static void
3169 +-batadv_neigh_node_free_ref_now(struct batadv_neigh_node *neigh_node)
3170 +-{
3171 +- if (atomic_dec_and_test(&neigh_node->refcount))
3172 +- batadv_neigh_node_free_rcu(&neigh_node->rcu);
3173 ++ kfree_rcu(neigh_node, rcu);
3174 + }
3175 +
3176 + /**
3177 + * batadv_neigh_node_free_ref - decrement the neighbors refcounter
3178 +- * and possibly free it
3179 ++ * and possibly release it
3180 + * @neigh_node: neigh neighbor to free
3181 + */
3182 + void batadv_neigh_node_free_ref(struct batadv_neigh_node *neigh_node)
3183 + {
3184 + if (atomic_dec_and_test(&neigh_node->refcount))
3185 +- call_rcu(&neigh_node->rcu, batadv_neigh_node_free_rcu);
3186 ++ batadv_neigh_node_release(neigh_node);
3187 + }
3188 +
3189 + /**
3190 +@@ -532,108 +506,99 @@ out:
3191 + }
3192 +
3193 + /**
3194 +- * batadv_orig_ifinfo_free_rcu - free the orig_ifinfo object
3195 +- * @rcu: rcu pointer of the orig_ifinfo object
3196 ++ * batadv_orig_ifinfo_release - release orig_ifinfo from lists and queue for
3197 ++ * free after rcu grace period
3198 ++ * @orig_ifinfo: the orig_ifinfo object to release
3199 + */
3200 +-static void batadv_orig_ifinfo_free_rcu(struct rcu_head *rcu)
3201 ++static void batadv_orig_ifinfo_release(struct batadv_orig_ifinfo *orig_ifinfo)
3202 + {
3203 +- struct batadv_orig_ifinfo *orig_ifinfo;
3204 + struct batadv_neigh_node *router;
3205 +
3206 +- orig_ifinfo = container_of(rcu, struct batadv_orig_ifinfo, rcu);
3207 +-
3208 + if (orig_ifinfo->if_outgoing != BATADV_IF_DEFAULT)
3209 +- batadv_hardif_free_ref_now(orig_ifinfo->if_outgoing);
3210 ++ batadv_hardif_free_ref(orig_ifinfo->if_outgoing);
3211 +
3212 + /* this is the last reference to this object */
3213 + router = rcu_dereference_protected(orig_ifinfo->router, true);
3214 + if (router)
3215 +- batadv_neigh_node_free_ref_now(router);
3216 +- kfree(orig_ifinfo);
3217 ++ batadv_neigh_node_free_ref(router);
3218 ++
3219 ++ kfree_rcu(orig_ifinfo, rcu);
3220 + }
3221 +
3222 + /**
3223 +- * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly free
3224 +- * the orig_ifinfo (without rcu callback)
3225 ++ * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly release
3226 ++ * the orig_ifinfo
3227 + * @orig_ifinfo: the orig_ifinfo object to release
3228 + */
3229 +-static void
3230 +-batadv_orig_ifinfo_free_ref_now(struct batadv_orig_ifinfo *orig_ifinfo)
3231 ++void batadv_orig_ifinfo_free_ref(struct batadv_orig_ifinfo *orig_ifinfo)
3232 + {
3233 + if (atomic_dec_and_test(&orig_ifinfo->refcount))
3234 +- batadv_orig_ifinfo_free_rcu(&orig_ifinfo->rcu);
3235 ++ batadv_orig_ifinfo_release(orig_ifinfo);
3236 + }
3237 +
3238 + /**
3239 +- * batadv_orig_ifinfo_free_ref - decrement the refcounter and possibly free
3240 +- * the orig_ifinfo
3241 +- * @orig_ifinfo: the orig_ifinfo object to release
3242 ++ * batadv_orig_node_free_rcu - free the orig_node
3243 ++ * @rcu: rcu pointer of the orig_node
3244 + */
3245 +-void batadv_orig_ifinfo_free_ref(struct batadv_orig_ifinfo *orig_ifinfo)
3246 ++static void batadv_orig_node_free_rcu(struct rcu_head *rcu)
3247 + {
3248 +- if (atomic_dec_and_test(&orig_ifinfo->refcount))
3249 +- call_rcu(&orig_ifinfo->rcu, batadv_orig_ifinfo_free_rcu);
3250 ++ struct batadv_orig_node *orig_node;
3251 ++
3252 ++ orig_node = container_of(rcu, struct batadv_orig_node, rcu);
3253 ++
3254 ++ batadv_mcast_purge_orig(orig_node);
3255 ++
3256 ++ batadv_frag_purge_orig(orig_node, NULL);
3257 ++
3258 ++ if (orig_node->bat_priv->bat_algo_ops->bat_orig_free)
3259 ++ orig_node->bat_priv->bat_algo_ops->bat_orig_free(orig_node);
3260 ++
3261 ++ kfree(orig_node->tt_buff);
3262 ++ kfree(orig_node);
3263 + }
3264 +
3265 +-static void batadv_orig_node_free_rcu(struct rcu_head *rcu)
3266 ++/**
3267 ++ * batadv_orig_node_release - release orig_node from lists and queue for
3268 ++ * free after rcu grace period
3269 ++ * @orig_node: the orig node to free
3270 ++ */
3271 ++static void batadv_orig_node_release(struct batadv_orig_node *orig_node)
3272 + {
3273 + struct hlist_node *node_tmp;
3274 + struct batadv_neigh_node *neigh_node;
3275 +- struct batadv_orig_node *orig_node;
3276 + struct batadv_orig_ifinfo *orig_ifinfo;
3277 +
3278 +- orig_node = container_of(rcu, struct batadv_orig_node, rcu);
3279 +-
3280 + spin_lock_bh(&orig_node->neigh_list_lock);
3281 +
3282 + /* for all neighbors towards this originator ... */
3283 + hlist_for_each_entry_safe(neigh_node, node_tmp,
3284 + &orig_node->neigh_list, list) {
3285 + hlist_del_rcu(&neigh_node->list);
3286 +- batadv_neigh_node_free_ref_now(neigh_node);
3287 ++ batadv_neigh_node_free_ref(neigh_node);
3288 + }
3289 +
3290 + hlist_for_each_entry_safe(orig_ifinfo, node_tmp,
3291 + &orig_node->ifinfo_list, list) {
3292 + hlist_del_rcu(&orig_ifinfo->list);
3293 +- batadv_orig_ifinfo_free_ref_now(orig_ifinfo);
3294 ++ batadv_orig_ifinfo_free_ref(orig_ifinfo);
3295 + }
3296 + spin_unlock_bh(&orig_node->neigh_list_lock);
3297 +
3298 +- batadv_mcast_purge_orig(orig_node);
3299 +-
3300 + /* Free nc_nodes */
3301 + batadv_nc_purge_orig(orig_node->bat_priv, orig_node, NULL);
3302 +
3303 +- batadv_frag_purge_orig(orig_node, NULL);
3304 +-
3305 +- if (orig_node->bat_priv->bat_algo_ops->bat_orig_free)
3306 +- orig_node->bat_priv->bat_algo_ops->bat_orig_free(orig_node);
3307 +-
3308 +- kfree(orig_node->tt_buff);
3309 +- kfree(orig_node);
3310 ++ call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu);
3311 + }
3312 +
3313 + /**
3314 + * batadv_orig_node_free_ref - decrement the orig node refcounter and possibly
3315 +- * schedule an rcu callback for freeing it
3316 ++ * release it
3317 + * @orig_node: the orig node to free
3318 + */
3319 + void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node)
3320 + {
3321 + if (atomic_dec_and_test(&orig_node->refcount))
3322 +- call_rcu(&orig_node->rcu, batadv_orig_node_free_rcu);
3323 +-}
3324 +-
3325 +-/**
3326 +- * batadv_orig_node_free_ref_now - decrement the orig node refcounter and
3327 +- * possibly free it (without rcu callback)
3328 +- * @orig_node: the orig node to free
3329 +- */
3330 +-void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node)
3331 +-{
3332 +- if (atomic_dec_and_test(&orig_node->refcount))
3333 +- batadv_orig_node_free_rcu(&orig_node->rcu);
3334 ++ batadv_orig_node_release(orig_node);
3335 + }
3336 +
3337 + void batadv_originator_free(struct batadv_priv *bat_priv)
3338 +diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h
3339 +index fa18f9bf266b..a5c37882b409 100644
3340 +--- a/net/batman-adv/originator.h
3341 ++++ b/net/batman-adv/originator.h
3342 +@@ -38,7 +38,6 @@ int batadv_originator_init(struct batadv_priv *bat_priv);
3343 + void batadv_originator_free(struct batadv_priv *bat_priv);
3344 + void batadv_purge_orig_ref(struct batadv_priv *bat_priv);
3345 + void batadv_orig_node_free_ref(struct batadv_orig_node *orig_node);
3346 +-void batadv_orig_node_free_ref_now(struct batadv_orig_node *orig_node);
3347 + struct batadv_orig_node *batadv_orig_node_new(struct batadv_priv *bat_priv,
3348 + const u8 *addr);
3349 + struct batadv_neigh_node *
3350 +diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
3351 +index 4228b10c47ea..900e94be4393 100644
3352 +--- a/net/batman-adv/translation-table.c
3353 ++++ b/net/batman-adv/translation-table.c
3354 +@@ -238,20 +238,6 @@ int batadv_tt_global_hash_count(struct batadv_priv *bat_priv,
3355 + return count;
3356 + }
3357 +
3358 +-static void batadv_tt_orig_list_entry_free_rcu(struct rcu_head *rcu)
3359 +-{
3360 +- struct batadv_tt_orig_list_entry *orig_entry;
3361 +-
3362 +- orig_entry = container_of(rcu, struct batadv_tt_orig_list_entry, rcu);
3363 +-
3364 +- /* We are in an rcu callback here, therefore we cannot use
3365 +- * batadv_orig_node_free_ref() and its call_rcu():
3366 +- * An rcu_barrier() wouldn't wait for that to finish
3367 +- */
3368 +- batadv_orig_node_free_ref_now(orig_entry->orig_node);
3369 +- kfree(orig_entry);
3370 +-}
3371 +-
3372 + /**
3373 + * batadv_tt_local_size_mod - change the size by v of the local table identified
3374 + * by vid
3375 +@@ -347,13 +333,25 @@ static void batadv_tt_global_size_dec(struct batadv_orig_node *orig_node,
3376 + batadv_tt_global_size_mod(orig_node, vid, -1);
3377 + }
3378 +
3379 ++/**
3380 ++ * batadv_tt_orig_list_entry_release - release tt orig entry from lists and
3381 ++ * queue for free after rcu grace period
3382 ++ * @orig_entry: tt orig entry to be free'd
3383 ++ */
3384 ++static void
3385 ++batadv_tt_orig_list_entry_release(struct batadv_tt_orig_list_entry *orig_entry)
3386 ++{
3387 ++ batadv_orig_node_free_ref(orig_entry->orig_node);
3388 ++ kfree_rcu(orig_entry, rcu);
3389 ++}
3390 ++
3391 + static void
3392 + batadv_tt_orig_list_entry_free_ref(struct batadv_tt_orig_list_entry *orig_entry)
3393 + {
3394 + if (!atomic_dec_and_test(&orig_entry->refcount))
3395 + return;
3396 +
3397 +- call_rcu(&orig_entry->rcu, batadv_tt_orig_list_entry_free_rcu);
3398 ++ batadv_tt_orig_list_entry_release(orig_entry);
3399 + }
3400 +
3401 + /**
3402 +diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
3403 +index 6ed2feb51e3c..9780603ba411 100644
3404 +--- a/net/bridge/br_device.c
3405 ++++ b/net/bridge/br_device.c
3406 +@@ -28,6 +28,8 @@
3407 + const struct nf_br_ops __rcu *nf_br_ops __read_mostly;
3408 + EXPORT_SYMBOL_GPL(nf_br_ops);
3409 +
3410 ++static struct lock_class_key bridge_netdev_addr_lock_key;
3411 ++
3412 + /* net device transmit always called with BH disabled */
3413 + netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
3414 + {
3415 +@@ -87,6 +89,11 @@ out:
3416 + return NETDEV_TX_OK;
3417 + }
3418 +
3419 ++static void br_set_lockdep_class(struct net_device *dev)
3420 ++{
3421 ++ lockdep_set_class(&dev->addr_list_lock, &bridge_netdev_addr_lock_key);
3422 ++}
3423 ++
3424 + static int br_dev_init(struct net_device *dev)
3425 + {
3426 + struct net_bridge *br = netdev_priv(dev);
3427 +@@ -99,6 +106,7 @@ static int br_dev_init(struct net_device *dev)
3428 + err = br_vlan_init(br);
3429 + if (err)
3430 + free_percpu(br->stats);
3431 ++ br_set_lockdep_class(dev);
3432 +
3433 + return err;
3434 + }
3435 +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
3436 +index 4ca449a16132..49d8d28222d8 100644
3437 +--- a/net/bridge/br_stp_if.c
3438 ++++ b/net/bridge/br_stp_if.c
3439 +@@ -130,7 +130,10 @@ static void br_stp_start(struct net_bridge *br)
3440 + char *envp[] = { NULL };
3441 + struct net_bridge_port *p;
3442 +
3443 +- r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
3444 ++ if (net_eq(dev_net(br->dev), &init_net))
3445 ++ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
3446 ++ else
3447 ++ r = -ENOENT;
3448 +
3449 + spin_lock_bh(&br->lock);
3450 +
3451 +diff --git a/net/core/dev.c b/net/core/dev.c
3452 +index c14748d051e7..6369c456e326 100644
3453 +--- a/net/core/dev.c
3454 ++++ b/net/core/dev.c
3455 +@@ -2539,6 +2539,8 @@ static inline bool skb_needs_check(struct sk_buff *skb, bool tx_path)
3456 + *
3457 + * It may return NULL if the skb requires no segmentation. This is
3458 + * only possible when GSO is used for verifying header integrity.
3459 ++ *
3460 ++ * Segmentation preserves SKB_SGO_CB_OFFSET bytes of previous skb cb.
3461 + */
3462 + struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
3463 + netdev_features_t features, bool tx_path)
3464 +@@ -2553,6 +2555,9 @@ struct sk_buff *__skb_gso_segment(struct sk_buff *skb,
3465 + return ERR_PTR(err);
3466 + }
3467 +
3468 ++ BUILD_BUG_ON(SKB_SGO_CB_OFFSET +
3469 ++ sizeof(*SKB_GSO_CB(skb)) > sizeof(skb->cb));
3470 ++
3471 + SKB_GSO_CB(skb)->mac_offset = skb_headroom(skb);
3472 + SKB_GSO_CB(skb)->encap_level = 0;
3473 +
3474 +diff --git a/net/core/dst.c b/net/core/dst.c
3475 +index d6a5a0bc7df5..8852021a7093 100644
3476 +--- a/net/core/dst.c
3477 ++++ b/net/core/dst.c
3478 +@@ -301,12 +301,13 @@ void dst_release(struct dst_entry *dst)
3479 + {
3480 + if (dst) {
3481 + int newrefcnt;
3482 ++ unsigned short nocache = dst->flags & DST_NOCACHE;
3483 +
3484 + newrefcnt = atomic_dec_return(&dst->__refcnt);
3485 + if (unlikely(newrefcnt < 0))
3486 + net_warn_ratelimited("%s: dst:%p refcnt:%d\n",
3487 + __func__, dst, newrefcnt);
3488 +- if (!newrefcnt && unlikely(dst->flags & DST_NOCACHE))
3489 ++ if (!newrefcnt && unlikely(nocache))
3490 + call_rcu(&dst->rcu_head, dst_destroy_rcu);
3491 + }
3492 + }
3493 +diff --git a/net/core/filter.c b/net/core/filter.c
3494 +index bb18c3680001..49b44879dc7f 100644
3495 +--- a/net/core/filter.c
3496 ++++ b/net/core/filter.c
3497 +@@ -781,6 +781,11 @@ static int bpf_check_classic(const struct sock_filter *filter,
3498 + if (ftest->k == 0)
3499 + return -EINVAL;
3500 + break;
3501 ++ case BPF_ALU | BPF_LSH | BPF_K:
3502 ++ case BPF_ALU | BPF_RSH | BPF_K:
3503 ++ if (ftest->k >= 32)
3504 ++ return -EINVAL;
3505 ++ break;
3506 + case BPF_LD | BPF_MEM:
3507 + case BPF_LDX | BPF_MEM:
3508 + case BPF_ST:
3509 +diff --git a/net/core/pktgen.c b/net/core/pktgen.c
3510 +index de8d5cc5eb24..4da4d51a2ccf 100644
3511 +--- a/net/core/pktgen.c
3512 ++++ b/net/core/pktgen.c
3513 +@@ -2787,7 +2787,9 @@ static struct sk_buff *pktgen_alloc_skb(struct net_device *dev,
3514 + } else {
3515 + skb = __netdev_alloc_skb(dev, size, GFP_NOWAIT);
3516 + }
3517 +- skb_reserve(skb, LL_RESERVED_SPACE(dev));
3518 ++
3519 ++ if (likely(skb))
3520 ++ skb_reserve(skb, LL_RESERVED_SPACE(dev));
3521 +
3522 + return skb;
3523 + }
3524 +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
3525 +index 0138fada0951..b945f1e9d7ba 100644
3526 +--- a/net/ipv4/ip_output.c
3527 ++++ b/net/ipv4/ip_output.c
3528 +@@ -240,6 +240,7 @@ static int ip_finish_output_gso(struct sock *sk, struct sk_buff *skb,
3529 + * from host network stack.
3530 + */
3531 + features = netif_skb_features(skb);
3532 ++ BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_SGO_CB_OFFSET);
3533 + segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
3534 + if (IS_ERR_OR_NULL(segs)) {
3535 + kfree_skb(skb);
3536 +@@ -918,7 +919,7 @@ static int __ip_append_data(struct sock *sk,
3537 + if (((length > mtu) || (skb && skb_is_gso(skb))) &&
3538 + (sk->sk_protocol == IPPROTO_UDP) &&
3539 + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
3540 +- (sk->sk_type == SOCK_DGRAM)) {
3541 ++ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
3542 + err = ip_ufo_append_data(sk, queue, getfrag, from, length,
3543 + hh_len, fragheaderlen, transhdrlen,
3544 + maxfraglen, flags);
3545 +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
3546 +index 0a2b61dbcd4e..064f1a0bef6d 100644
3547 +--- a/net/ipv4/tcp_input.c
3548 ++++ b/net/ipv4/tcp_input.c
3549 +@@ -2525,6 +2525,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked,
3550 + int newly_acked_sacked = prior_unsacked -
3551 + (tp->packets_out - tp->sacked_out);
3552 +
3553 ++ if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd))
3554 ++ return;
3555 ++
3556 + tp->prr_delivered += newly_acked_sacked;
3557 + if (delta < 0) {
3558 + u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered +
3559 +diff --git a/net/ipv4/tcp_yeah.c b/net/ipv4/tcp_yeah.c
3560 +index 17d35662930d..3e6a472e6b88 100644
3561 +--- a/net/ipv4/tcp_yeah.c
3562 ++++ b/net/ipv4/tcp_yeah.c
3563 +@@ -219,7 +219,7 @@ static u32 tcp_yeah_ssthresh(struct sock *sk)
3564 + yeah->fast_count = 0;
3565 + yeah->reno_count = max(yeah->reno_count>>1, 2U);
3566 +
3567 +- return tp->snd_cwnd - reduction;
3568 ++ return max_t(int, tp->snd_cwnd - reduction, 2);
3569 + }
3570 +
3571 + static struct tcp_congestion_ops tcp_yeah __read_mostly = {
3572 +diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
3573 +index c10a9ee68433..126ff9020bad 100644
3574 +--- a/net/ipv4/xfrm4_policy.c
3575 ++++ b/net/ipv4/xfrm4_policy.c
3576 +@@ -236,7 +236,7 @@ static void xfrm4_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
3577 + xfrm_dst_ifdown(dst, dev);
3578 + }
3579 +
3580 +-static struct dst_ops xfrm4_dst_ops = {
3581 ++static struct dst_ops xfrm4_dst_ops_template = {
3582 + .family = AF_INET,
3583 + .gc = xfrm4_garbage_collect,
3584 + .update_pmtu = xfrm4_update_pmtu,
3585 +@@ -250,7 +250,7 @@ static struct dst_ops xfrm4_dst_ops = {
3586 +
3587 + static struct xfrm_policy_afinfo xfrm4_policy_afinfo = {
3588 + .family = AF_INET,
3589 +- .dst_ops = &xfrm4_dst_ops,
3590 ++ .dst_ops = &xfrm4_dst_ops_template,
3591 + .dst_lookup = xfrm4_dst_lookup,
3592 + .get_saddr = xfrm4_get_saddr,
3593 + .decode_session = _decode_session4,
3594 +@@ -272,7 +272,7 @@ static struct ctl_table xfrm4_policy_table[] = {
3595 + { }
3596 + };
3597 +
3598 +-static int __net_init xfrm4_net_init(struct net *net)
3599 ++static int __net_init xfrm4_net_sysctl_init(struct net *net)
3600 + {
3601 + struct ctl_table *table;
3602 + struct ctl_table_header *hdr;
3603 +@@ -300,7 +300,7 @@ err_alloc:
3604 + return -ENOMEM;
3605 + }
3606 +
3607 +-static void __net_exit xfrm4_net_exit(struct net *net)
3608 ++static void __net_exit xfrm4_net_sysctl_exit(struct net *net)
3609 + {
3610 + struct ctl_table *table;
3611 +
3612 +@@ -312,12 +312,44 @@ static void __net_exit xfrm4_net_exit(struct net *net)
3613 + if (!net_eq(net, &init_net))
3614 + kfree(table);
3615 + }
3616 ++#else /* CONFIG_SYSCTL */
3617 ++static int inline xfrm4_net_sysctl_init(struct net *net)
3618 ++{
3619 ++ return 0;
3620 ++}
3621 ++
3622 ++static void inline xfrm4_net_sysctl_exit(struct net *net)
3623 ++{
3624 ++}
3625 ++#endif
3626 ++
3627 ++static int __net_init xfrm4_net_init(struct net *net)
3628 ++{
3629 ++ int ret;
3630 ++
3631 ++ memcpy(&net->xfrm.xfrm4_dst_ops, &xfrm4_dst_ops_template,
3632 ++ sizeof(xfrm4_dst_ops_template));
3633 ++ ret = dst_entries_init(&net->xfrm.xfrm4_dst_ops);
3634 ++ if (ret)
3635 ++ return ret;
3636 ++
3637 ++ ret = xfrm4_net_sysctl_init(net);
3638 ++ if (ret)
3639 ++ dst_entries_destroy(&net->xfrm.xfrm4_dst_ops);
3640 ++
3641 ++ return ret;
3642 ++}
3643 ++
3644 ++static void __net_exit xfrm4_net_exit(struct net *net)
3645 ++{
3646 ++ xfrm4_net_sysctl_exit(net);
3647 ++ dst_entries_destroy(&net->xfrm.xfrm4_dst_ops);
3648 ++}
3649 +
3650 + static struct pernet_operations __net_initdata xfrm4_net_ops = {
3651 + .init = xfrm4_net_init,
3652 + .exit = xfrm4_net_exit,
3653 + };
3654 +-#endif
3655 +
3656 + static void __init xfrm4_policy_init(void)
3657 + {
3658 +@@ -326,13 +358,9 @@ static void __init xfrm4_policy_init(void)
3659 +
3660 + void __init xfrm4_init(void)
3661 + {
3662 +- dst_entries_init(&xfrm4_dst_ops);
3663 +-
3664 + xfrm4_state_init();
3665 + xfrm4_policy_init();
3666 + xfrm4_protocol_init();
3667 +-#ifdef CONFIG_SYSCTL
3668 + register_pernet_subsys(&xfrm4_net_ops);
3669 +-#endif
3670 + }
3671 +
3672 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
3673 +index ddd351145dea..5462bfdbd2e7 100644
3674 +--- a/net/ipv6/addrconf.c
3675 ++++ b/net/ipv6/addrconf.c
3676 +@@ -5349,13 +5349,10 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
3677 + goto out;
3678 + }
3679 +
3680 +- if (!write) {
3681 +- err = snprintf(str, sizeof(str), "%pI6",
3682 +- &secret->secret);
3683 +- if (err >= sizeof(str)) {
3684 +- err = -EIO;
3685 +- goto out;
3686 +- }
3687 ++ err = snprintf(str, sizeof(str), "%pI6", &secret->secret);
3688 ++ if (err >= sizeof(str)) {
3689 ++ err = -EIO;
3690 ++ goto out;
3691 + }
3692 +
3693 + err = proc_dostring(&lctl, write, buffer, lenp, ppos);
3694 +diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c
3695 +index 882124ebb438..a8f6986dcbe5 100644
3696 +--- a/net/ipv6/addrlabel.c
3697 ++++ b/net/ipv6/addrlabel.c
3698 +@@ -552,7 +552,7 @@ static int ip6addrlbl_get(struct sk_buff *in_skb, struct nlmsghdr *nlh)
3699 +
3700 + rcu_read_lock();
3701 + p = __ipv6_addr_label(net, addr, ipv6_addr_type(addr), ifal->ifal_index);
3702 +- if (p && ip6addrlbl_hold(p))
3703 ++ if (p && !ip6addrlbl_hold(p))
3704 + p = NULL;
3705 + lseq = ip6addrlbl_table.seq;
3706 + rcu_read_unlock();
3707 +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
3708 +index f84ec4e9b2de..fb7973a6e9c1 100644
3709 +--- a/net/ipv6/ip6_output.c
3710 ++++ b/net/ipv6/ip6_output.c
3711 +@@ -1345,7 +1345,7 @@ emsgsize:
3712 + (skb && skb_is_gso(skb))) &&
3713 + (sk->sk_protocol == IPPROTO_UDP) &&
3714 + (rt->dst.dev->features & NETIF_F_UFO) &&
3715 +- (sk->sk_type == SOCK_DGRAM)) {
3716 ++ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
3717 + err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
3718 + hh_len, fragheaderlen,
3719 + transhdrlen, mtu, flags, fl6);
3720 +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
3721 +index 8935dc173e65..a71fb262ea3f 100644
3722 +--- a/net/ipv6/tcp_ipv6.c
3723 ++++ b/net/ipv6/tcp_ipv6.c
3724 +@@ -462,8 +462,10 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst,
3725 + fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts));
3726 +
3727 + skb_set_queue_mapping(skb, queue_mapping);
3728 ++ rcu_read_lock();
3729 + err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt),
3730 + np->tclass);
3731 ++ rcu_read_unlock();
3732 + err = net_xmit_eval(err);
3733 + }
3734 +
3735 +diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
3736 +index f7fbdbabe50e..372855eeaf42 100644
3737 +--- a/net/ipv6/xfrm6_mode_tunnel.c
3738 ++++ b/net/ipv6/xfrm6_mode_tunnel.c
3739 +@@ -23,7 +23,7 @@ static inline void ipip6_ecn_decapsulate(struct sk_buff *skb)
3740 + struct ipv6hdr *inner_iph = ipipv6_hdr(skb);
3741 +
3742 + if (INET_ECN_is_ce(XFRM_MODE_SKB_CB(skb)->tos))
3743 +- IP6_ECN_set_ce(inner_iph);
3744 ++ IP6_ECN_set_ce(skb, inner_iph);
3745 + }
3746 +
3747 + /* Add encapsulation header.
3748 +diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
3749 +index da55e0c85bb8..d51a18d607ac 100644
3750 +--- a/net/ipv6/xfrm6_policy.c
3751 ++++ b/net/ipv6/xfrm6_policy.c
3752 +@@ -281,7 +281,7 @@ static void xfrm6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
3753 + xfrm_dst_ifdown(dst, dev);
3754 + }
3755 +
3756 +-static struct dst_ops xfrm6_dst_ops = {
3757 ++static struct dst_ops xfrm6_dst_ops_template = {
3758 + .family = AF_INET6,
3759 + .gc = xfrm6_garbage_collect,
3760 + .update_pmtu = xfrm6_update_pmtu,
3761 +@@ -295,7 +295,7 @@ static struct dst_ops xfrm6_dst_ops = {
3762 +
3763 + static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
3764 + .family = AF_INET6,
3765 +- .dst_ops = &xfrm6_dst_ops,
3766 ++ .dst_ops = &xfrm6_dst_ops_template,
3767 + .dst_lookup = xfrm6_dst_lookup,
3768 + .get_saddr = xfrm6_get_saddr,
3769 + .decode_session = _decode_session6,
3770 +@@ -327,7 +327,7 @@ static struct ctl_table xfrm6_policy_table[] = {
3771 + { }
3772 + };
3773 +
3774 +-static int __net_init xfrm6_net_init(struct net *net)
3775 ++static int __net_init xfrm6_net_sysctl_init(struct net *net)
3776 + {
3777 + struct ctl_table *table;
3778 + struct ctl_table_header *hdr;
3779 +@@ -355,7 +355,7 @@ err_alloc:
3780 + return -ENOMEM;
3781 + }
3782 +
3783 +-static void __net_exit xfrm6_net_exit(struct net *net)
3784 ++static void __net_exit xfrm6_net_sysctl_exit(struct net *net)
3785 + {
3786 + struct ctl_table *table;
3787 +
3788 +@@ -367,24 +367,52 @@ static void __net_exit xfrm6_net_exit(struct net *net)
3789 + if (!net_eq(net, &init_net))
3790 + kfree(table);
3791 + }
3792 ++#else /* CONFIG_SYSCTL */
3793 ++static int inline xfrm6_net_sysctl_init(struct net *net)
3794 ++{
3795 ++ return 0;
3796 ++}
3797 ++
3798 ++static void inline xfrm6_net_sysctl_exit(struct net *net)
3799 ++{
3800 ++}
3801 ++#endif
3802 ++
3803 ++static int __net_init xfrm6_net_init(struct net *net)
3804 ++{
3805 ++ int ret;
3806 ++
3807 ++ memcpy(&net->xfrm.xfrm6_dst_ops, &xfrm6_dst_ops_template,
3808 ++ sizeof(xfrm6_dst_ops_template));
3809 ++ ret = dst_entries_init(&net->xfrm.xfrm6_dst_ops);
3810 ++ if (ret)
3811 ++ return ret;
3812 ++
3813 ++ ret = xfrm6_net_sysctl_init(net);
3814 ++ if (ret)
3815 ++ dst_entries_destroy(&net->xfrm.xfrm6_dst_ops);
3816 ++
3817 ++ return ret;
3818 ++}
3819 ++
3820 ++static void __net_exit xfrm6_net_exit(struct net *net)
3821 ++{
3822 ++ xfrm6_net_sysctl_exit(net);
3823 ++ dst_entries_destroy(&net->xfrm.xfrm6_dst_ops);
3824 ++}
3825 +
3826 + static struct pernet_operations xfrm6_net_ops = {
3827 + .init = xfrm6_net_init,
3828 + .exit = xfrm6_net_exit,
3829 + };
3830 +-#endif
3831 +
3832 + int __init xfrm6_init(void)
3833 + {
3834 + int ret;
3835 +
3836 +- dst_entries_init(&xfrm6_dst_ops);
3837 +-
3838 + ret = xfrm6_policy_init();
3839 +- if (ret) {
3840 +- dst_entries_destroy(&xfrm6_dst_ops);
3841 ++ if (ret)
3842 + goto out;
3843 +- }
3844 + ret = xfrm6_state_init();
3845 + if (ret)
3846 + goto out_policy;
3847 +@@ -393,9 +421,7 @@ int __init xfrm6_init(void)
3848 + if (ret)
3849 + goto out_state;
3850 +
3851 +-#ifdef CONFIG_SYSCTL
3852 + register_pernet_subsys(&xfrm6_net_ops);
3853 +-#endif
3854 + out:
3855 + return ret;
3856 + out_state:
3857 +@@ -407,11 +433,8 @@ out_policy:
3858 +
3859 + void xfrm6_fini(void)
3860 + {
3861 +-#ifdef CONFIG_SYSCTL
3862 + unregister_pernet_subsys(&xfrm6_net_ops);
3863 +-#endif
3864 + xfrm6_protocol_fini();
3865 + xfrm6_policy_fini();
3866 + xfrm6_state_fini();
3867 +- dst_entries_destroy(&xfrm6_dst_ops);
3868 + }
3869 +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
3870 +index c5d08ee37730..6e9a2220939d 100644
3871 +--- a/net/openvswitch/datapath.c
3872 ++++ b/net/openvswitch/datapath.c
3873 +@@ -337,12 +337,10 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb,
3874 + unsigned short gso_type = skb_shinfo(skb)->gso_type;
3875 + struct sw_flow_key later_key;
3876 + struct sk_buff *segs, *nskb;
3877 +- struct ovs_skb_cb ovs_cb;
3878 + int err;
3879 +
3880 +- ovs_cb = *OVS_CB(skb);
3881 ++ BUILD_BUG_ON(sizeof(*OVS_CB(skb)) > SKB_SGO_CB_OFFSET);
3882 + segs = __skb_gso_segment(skb, NETIF_F_SG, false);
3883 +- *OVS_CB(skb) = ovs_cb;
3884 + if (IS_ERR(segs))
3885 + return PTR_ERR(segs);
3886 + if (segs == NULL)
3887 +@@ -360,7 +358,6 @@ static int queue_gso_packets(struct datapath *dp, struct sk_buff *skb,
3888 + /* Queue all of the segments. */
3889 + skb = segs;
3890 + do {
3891 +- *OVS_CB(skb) = ovs_cb;
3892 + if (gso_type & SKB_GSO_UDP && skb != segs)
3893 + key = &later_key;
3894 +
3895 +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
3896 +index 38536c137c54..45635118cc86 100644
3897 +--- a/net/openvswitch/flow_netlink.c
3898 ++++ b/net/openvswitch/flow_netlink.c
3899 +@@ -2382,7 +2382,9 @@ static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb)
3900 + if (!start)
3901 + return -EMSGSIZE;
3902 +
3903 +- err = ovs_nla_put_tunnel_info(skb, tun_info);
3904 ++ err = ipv4_tun_to_nlattr(skb, &tun_info->key,
3905 ++ ip_tunnel_info_opts(tun_info),
3906 ++ tun_info->options_len);
3907 + if (err)
3908 + return err;
3909 + nla_nest_end(skb, start);
3910 +diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
3911 +index 10d42f3220ab..f925753668a7 100644
3912 +--- a/net/phonet/af_phonet.c
3913 ++++ b/net/phonet/af_phonet.c
3914 +@@ -377,6 +377,10 @@ static int phonet_rcv(struct sk_buff *skb, struct net_device *dev,
3915 + struct sockaddr_pn sa;
3916 + u16 len;
3917 +
3918 ++ skb = skb_share_check(skb, GFP_ATOMIC);
3919 ++ if (!skb)
3920 ++ return NET_RX_DROP;
3921 ++
3922 + /* check we have at least a full Phonet header */
3923 + if (!pskb_pull(skb, sizeof(struct phonethdr)))
3924 + goto out;
3925 +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
3926 +index 57692947ebbe..95b021243233 100644
3927 +--- a/net/sched/cls_flower.c
3928 ++++ b/net/sched/cls_flower.c
3929 +@@ -252,23 +252,28 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
3930 + fl_set_key_val(tb, key->eth.src, TCA_FLOWER_KEY_ETH_SRC,
3931 + mask->eth.src, TCA_FLOWER_KEY_ETH_SRC_MASK,
3932 + sizeof(key->eth.src));
3933 ++
3934 + fl_set_key_val(tb, &key->basic.n_proto, TCA_FLOWER_KEY_ETH_TYPE,
3935 + &mask->basic.n_proto, TCA_FLOWER_UNSPEC,
3936 + sizeof(key->basic.n_proto));
3937 ++
3938 + if (key->basic.n_proto == htons(ETH_P_IP) ||
3939 + key->basic.n_proto == htons(ETH_P_IPV6)) {
3940 + fl_set_key_val(tb, &key->basic.ip_proto, TCA_FLOWER_KEY_IP_PROTO,
3941 + &mask->basic.ip_proto, TCA_FLOWER_UNSPEC,
3942 + sizeof(key->basic.ip_proto));
3943 + }
3944 +- if (key->control.addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS) {
3945 ++
3946 ++ if (tb[TCA_FLOWER_KEY_IPV4_SRC] || tb[TCA_FLOWER_KEY_IPV4_DST]) {
3947 ++ key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
3948 + fl_set_key_val(tb, &key->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC,
3949 + &mask->ipv4.src, TCA_FLOWER_KEY_IPV4_SRC_MASK,
3950 + sizeof(key->ipv4.src));
3951 + fl_set_key_val(tb, &key->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST,
3952 + &mask->ipv4.dst, TCA_FLOWER_KEY_IPV4_DST_MASK,
3953 + sizeof(key->ipv4.dst));
3954 +- } else if (key->control.addr_type == FLOW_DISSECTOR_KEY_IPV6_ADDRS) {
3955 ++ } else if (tb[TCA_FLOWER_KEY_IPV6_SRC] || tb[TCA_FLOWER_KEY_IPV6_DST]) {
3956 ++ key->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
3957 + fl_set_key_val(tb, &key->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC,
3958 + &mask->ipv6.src, TCA_FLOWER_KEY_IPV6_SRC_MASK,
3959 + sizeof(key->ipv6.src));
3960 +@@ -276,6 +281,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
3961 + &mask->ipv6.dst, TCA_FLOWER_KEY_IPV6_DST_MASK,
3962 + sizeof(key->ipv6.dst));
3963 + }
3964 ++
3965 + if (key->basic.ip_proto == IPPROTO_TCP) {
3966 + fl_set_key_val(tb, &key->tp.src, TCA_FLOWER_KEY_TCP_SRC,
3967 + &mask->tp.src, TCA_FLOWER_UNSPEC,
3968 +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
3969 +index e82a1ad80aa5..16bc83b2842a 100644
3970 +--- a/net/sched/sch_generic.c
3971 ++++ b/net/sched/sch_generic.c
3972 +@@ -658,8 +658,10 @@ static void qdisc_rcu_free(struct rcu_head *head)
3973 + {
3974 + struct Qdisc *qdisc = container_of(head, struct Qdisc, rcu_head);
3975 +
3976 +- if (qdisc_is_percpu_stats(qdisc))
3977 ++ if (qdisc_is_percpu_stats(qdisc)) {
3978 + free_percpu(qdisc->cpu_bstats);
3979 ++ free_percpu(qdisc->cpu_qstats);
3980 ++ }
3981 +
3982 + kfree((char *) qdisc - qdisc->padded);
3983 + }
3984 +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
3985 +index d7eaa7354cf7..c89586e2bacb 100644
3986 +--- a/net/sctp/sm_statefuns.c
3987 ++++ b/net/sctp/sm_statefuns.c
3988 +@@ -4829,7 +4829,8 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort(
3989 +
3990 + retval = SCTP_DISPOSITION_CONSUME;
3991 +
3992 +- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
3993 ++ if (abort)
3994 ++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
3995 +
3996 + /* Even if we can't send the ABORT due to low memory delete the
3997 + * TCB. This is a departure from our typical NOMEM handling.
3998 +@@ -4966,7 +4967,8 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort(
3999 + SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT));
4000 + retval = SCTP_DISPOSITION_CONSUME;
4001 +
4002 +- sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4003 ++ if (abort)
4004 ++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
4005 +
4006 + sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
4007 + SCTP_STATE(SCTP_STATE_CLOSED));
4008 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
4009 +index 84b1b504538a..9dee804b35cd 100644
4010 +--- a/net/sctp/socket.c
4011 ++++ b/net/sctp/socket.c
4012 +@@ -1513,8 +1513,7 @@ static void sctp_close(struct sock *sk, long timeout)
4013 + struct sctp_chunk *chunk;
4014 +
4015 + chunk = sctp_make_abort_user(asoc, NULL, 0);
4016 +- if (chunk)
4017 +- sctp_primitive_ABORT(net, asoc, chunk);
4018 ++ sctp_primitive_ABORT(net, asoc, chunk);
4019 + } else
4020 + sctp_primitive_SHUTDOWN(net, asoc, NULL);
4021 + }
4022 +diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
4023 +index 26d50c565f54..3e0fc5127225 100644
4024 +--- a/net/sctp/sysctl.c
4025 ++++ b/net/sctp/sysctl.c
4026 +@@ -320,7 +320,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
4027 + struct ctl_table tbl;
4028 + bool changed = false;
4029 + char *none = "none";
4030 +- char tmp[8];
4031 ++ char tmp[8] = {0};
4032 + int ret;
4033 +
4034 + memset(&tbl, 0, sizeof(struct ctl_table));
4035 +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
4036 +index 0fc6dbaed39c..7926de14e930 100644
4037 +--- a/net/unix/af_unix.c
4038 ++++ b/net/unix/af_unix.c
4039 +@@ -952,32 +952,20 @@ fail:
4040 + return NULL;
4041 + }
4042 +
4043 +-static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
4044 ++static int unix_mknod(struct dentry *dentry, struct path *path, umode_t mode,
4045 ++ struct path *res)
4046 + {
4047 +- struct dentry *dentry;
4048 +- struct path path;
4049 +- int err = 0;
4050 +- /*
4051 +- * Get the parent directory, calculate the hash for last
4052 +- * component.
4053 +- */
4054 +- dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0);
4055 +- err = PTR_ERR(dentry);
4056 +- if (IS_ERR(dentry))
4057 +- return err;
4058 ++ int err;
4059 +
4060 +- /*
4061 +- * All right, let's create it.
4062 +- */
4063 +- err = security_path_mknod(&path, dentry, mode, 0);
4064 ++ err = security_path_mknod(path, dentry, mode, 0);
4065 + if (!err) {
4066 +- err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0);
4067 ++ err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0);
4068 + if (!err) {
4069 +- res->mnt = mntget(path.mnt);
4070 ++ res->mnt = mntget(path->mnt);
4071 + res->dentry = dget(dentry);
4072 + }
4073 + }
4074 +- done_path_create(&path, dentry);
4075 ++
4076 + return err;
4077 + }
4078 +
4079 +@@ -988,10 +976,12 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
4080 + struct unix_sock *u = unix_sk(sk);
4081 + struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
4082 + char *sun_path = sunaddr->sun_path;
4083 +- int err;
4084 ++ int err, name_err;
4085 + unsigned int hash;
4086 + struct unix_address *addr;
4087 + struct hlist_head *list;
4088 ++ struct path path;
4089 ++ struct dentry *dentry;
4090 +
4091 + err = -EINVAL;
4092 + if (sunaddr->sun_family != AF_UNIX)
4093 +@@ -1007,14 +997,34 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
4094 + goto out;
4095 + addr_len = err;
4096 +
4097 ++ name_err = 0;
4098 ++ dentry = NULL;
4099 ++ if (sun_path[0]) {
4100 ++ /* Get the parent directory, calculate the hash for last
4101 ++ * component.
4102 ++ */
4103 ++ dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0);
4104 ++
4105 ++ if (IS_ERR(dentry)) {
4106 ++ /* delay report until after 'already bound' check */
4107 ++ name_err = PTR_ERR(dentry);
4108 ++ dentry = NULL;
4109 ++ }
4110 ++ }
4111 ++
4112 + err = mutex_lock_interruptible(&u->readlock);
4113 + if (err)
4114 +- goto out;
4115 ++ goto out_path;
4116 +
4117 + err = -EINVAL;
4118 + if (u->addr)
4119 + goto out_up;
4120 +
4121 ++ if (name_err) {
4122 ++ err = name_err == -EEXIST ? -EADDRINUSE : name_err;
4123 ++ goto out_up;
4124 ++ }
4125 ++
4126 + err = -ENOMEM;
4127 + addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL);
4128 + if (!addr)
4129 +@@ -1025,11 +1035,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
4130 + addr->hash = hash ^ sk->sk_type;
4131 + atomic_set(&addr->refcnt, 1);
4132 +
4133 +- if (sun_path[0]) {
4134 +- struct path path;
4135 ++ if (dentry) {
4136 ++ struct path u_path;
4137 + umode_t mode = S_IFSOCK |
4138 + (SOCK_INODE(sock)->i_mode & ~current_umask());
4139 +- err = unix_mknod(sun_path, mode, &path);
4140 ++ err = unix_mknod(dentry, &path, mode, &u_path);
4141 + if (err) {
4142 + if (err == -EEXIST)
4143 + err = -EADDRINUSE;
4144 +@@ -1037,9 +1047,9 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
4145 + goto out_up;
4146 + }
4147 + addr->hash = UNIX_HASH_SIZE;
4148 +- hash = d_backing_inode(path.dentry)->i_ino & (UNIX_HASH_SIZE-1);
4149 ++ hash = d_backing_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1);
4150 + spin_lock(&unix_table_lock);
4151 +- u->path = path;
4152 ++ u->path = u_path;
4153 + list = &unix_socket_table[hash];
4154 + } else {
4155 + spin_lock(&unix_table_lock);
4156 +@@ -1062,6 +1072,10 @@ out_unlock:
4157 + spin_unlock(&unix_table_lock);
4158 + out_up:
4159 + mutex_unlock(&u->readlock);
4160 ++out_path:
4161 ++ if (dentry)
4162 ++ done_path_create(&path, dentry);
4163 ++
4164 + out:
4165 + return err;
4166 + }
4167 +@@ -1498,6 +1512,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
4168 + sock_wfree(skb);
4169 + }
4170 +
4171 ++/*
4172 ++ * The "user->unix_inflight" variable is protected by the garbage
4173 ++ * collection lock, and we just read it locklessly here. If you go
4174 ++ * over the limit, there might be a tiny race in actually noticing
4175 ++ * it across threads. Tough.
4176 ++ */
4177 ++static inline bool too_many_unix_fds(struct task_struct *p)
4178 ++{
4179 ++ struct user_struct *user = current_user();
4180 ++
4181 ++ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
4182 ++ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
4183 ++ return false;
4184 ++}
4185 ++
4186 + #define MAX_RECURSION_LEVEL 4
4187 +
4188 + static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
4189 +@@ -1506,6 +1535,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
4190 + unsigned char max_level = 0;
4191 + int unix_sock_count = 0;
4192 +
4193 ++ if (too_many_unix_fds(current))
4194 ++ return -ETOOMANYREFS;
4195 ++
4196 + for (i = scm->fp->count - 1; i >= 0; i--) {
4197 + struct sock *sk = unix_get_socket(scm->fp->fp[i]);
4198 +
4199 +@@ -1527,10 +1559,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
4200 + if (!UNIXCB(skb).fp)
4201 + return -ENOMEM;
4202 +
4203 +- if (unix_sock_count) {
4204 +- for (i = scm->fp->count - 1; i >= 0; i--)
4205 +- unix_inflight(scm->fp->fp[i]);
4206 +- }
4207 ++ for (i = scm->fp->count - 1; i >= 0; i--)
4208 ++ unix_inflight(scm->fp->fp[i]);
4209 + return max_level;
4210 + }
4211 +
4212 +diff --git a/net/unix/garbage.c b/net/unix/garbage.c
4213 +index a73a226f2d33..8fcdc2283af5 100644
4214 +--- a/net/unix/garbage.c
4215 ++++ b/net/unix/garbage.c
4216 +@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
4217 + {
4218 + struct sock *s = unix_get_socket(fp);
4219 +
4220 ++ spin_lock(&unix_gc_lock);
4221 ++
4222 + if (s) {
4223 + struct unix_sock *u = unix_sk(s);
4224 +
4225 +- spin_lock(&unix_gc_lock);
4226 +-
4227 + if (atomic_long_inc_return(&u->inflight) == 1) {
4228 + BUG_ON(!list_empty(&u->link));
4229 + list_add_tail(&u->link, &gc_inflight_list);
4230 +@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
4231 + BUG_ON(list_empty(&u->link));
4232 + }
4233 + unix_tot_inflight++;
4234 +- spin_unlock(&unix_gc_lock);
4235 + }
4236 ++ fp->f_cred->user->unix_inflight++;
4237 ++ spin_unlock(&unix_gc_lock);
4238 + }
4239 +
4240 + void unix_notinflight(struct file *fp)
4241 + {
4242 + struct sock *s = unix_get_socket(fp);
4243 +
4244 ++ spin_lock(&unix_gc_lock);
4245 ++
4246 + if (s) {
4247 + struct unix_sock *u = unix_sk(s);
4248 +
4249 +- spin_lock(&unix_gc_lock);
4250 + BUG_ON(list_empty(&u->link));
4251 +
4252 + if (atomic_long_dec_and_test(&u->inflight))
4253 + list_del_init(&u->link);
4254 + unix_tot_inflight--;
4255 +- spin_unlock(&unix_gc_lock);
4256 + }
4257 ++ fp->f_cred->user->unix_inflight--;
4258 ++ spin_unlock(&unix_gc_lock);
4259 + }
4260 +
4261 + static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
4262 +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
4263 +index 68ada2ca4b60..443f78c33de2 100644
4264 +--- a/net/xfrm/xfrm_output.c
4265 ++++ b/net/xfrm/xfrm_output.c
4266 +@@ -165,6 +165,8 @@ static int xfrm_output_gso(struct sock *sk, struct sk_buff *skb)
4267 + {
4268 + struct sk_buff *segs;
4269 +
4270 ++ BUILD_BUG_ON(sizeof(*IPCB(skb)) > SKB_SGO_CB_OFFSET);
4271 ++ BUILD_BUG_ON(sizeof(*IP6CB(skb)) > SKB_SGO_CB_OFFSET);
4272 + segs = skb_gso_segment(skb, 0);
4273 + kfree_skb(skb);
4274 + if (IS_ERR(segs))
4275 +diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
4276 +index 94af3d065785..bacd30bda10d 100644
4277 +--- a/net/xfrm/xfrm_policy.c
4278 ++++ b/net/xfrm/xfrm_policy.c
4279 +@@ -2807,7 +2807,6 @@ static struct neighbour *xfrm_neigh_lookup(const struct dst_entry *dst,
4280 +
4281 + int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
4282 + {
4283 +- struct net *net;
4284 + int err = 0;
4285 + if (unlikely(afinfo == NULL))
4286 + return -EINVAL;
4287 +@@ -2838,26 +2837,6 @@ int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
4288 + }
4289 + spin_unlock(&xfrm_policy_afinfo_lock);
4290 +
4291 +- rtnl_lock();
4292 +- for_each_net(net) {
4293 +- struct dst_ops *xfrm_dst_ops;
4294 +-
4295 +- switch (afinfo->family) {
4296 +- case AF_INET:
4297 +- xfrm_dst_ops = &net->xfrm.xfrm4_dst_ops;
4298 +- break;
4299 +-#if IS_ENABLED(CONFIG_IPV6)
4300 +- case AF_INET6:
4301 +- xfrm_dst_ops = &net->xfrm.xfrm6_dst_ops;
4302 +- break;
4303 +-#endif
4304 +- default:
4305 +- BUG();
4306 +- }
4307 +- *xfrm_dst_ops = *afinfo->dst_ops;
4308 +- }
4309 +- rtnl_unlock();
4310 +-
4311 + return err;
4312 + }
4313 + EXPORT_SYMBOL(xfrm_policy_register_afinfo);
4314 +@@ -2893,22 +2872,6 @@ int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo)
4315 + }
4316 + EXPORT_SYMBOL(xfrm_policy_unregister_afinfo);
4317 +
4318 +-static void __net_init xfrm_dst_ops_init(struct net *net)
4319 +-{
4320 +- struct xfrm_policy_afinfo *afinfo;
4321 +-
4322 +- rcu_read_lock();
4323 +- afinfo = rcu_dereference(xfrm_policy_afinfo[AF_INET]);
4324 +- if (afinfo)
4325 +- net->xfrm.xfrm4_dst_ops = *afinfo->dst_ops;
4326 +-#if IS_ENABLED(CONFIG_IPV6)
4327 +- afinfo = rcu_dereference(xfrm_policy_afinfo[AF_INET6]);
4328 +- if (afinfo)
4329 +- net->xfrm.xfrm6_dst_ops = *afinfo->dst_ops;
4330 +-#endif
4331 +- rcu_read_unlock();
4332 +-}
4333 +-
4334 + static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void *ptr)
4335 + {
4336 + struct net_device *dev = netdev_notifier_info_to_dev(ptr);
4337 +@@ -3057,7 +3020,6 @@ static int __net_init xfrm_net_init(struct net *net)
4338 + rv = xfrm_policy_init(net);
4339 + if (rv < 0)
4340 + goto out_policy;
4341 +- xfrm_dst_ops_init(net);
4342 + rv = xfrm_sysctl_init(net);
4343 + if (rv < 0)
4344 + goto out_sysctl;
4345 +diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c
4346 +index 3d1984e59a30..e00bcd129336 100644
4347 +--- a/scripts/recordmcount.c
4348 ++++ b/scripts/recordmcount.c
4349 +@@ -42,6 +42,7 @@
4350 +
4351 + #ifndef EM_AARCH64
4352 + #define EM_AARCH64 183
4353 ++#define R_AARCH64_NONE 0
4354 + #define R_AARCH64_ABS64 257
4355 + #endif
4356 +
4357 +@@ -160,6 +161,22 @@ static int make_nop_x86(void *map, size_t const offset)
4358 + return 0;
4359 + }
4360 +
4361 ++static unsigned char ideal_nop4_arm64[4] = {0x1f, 0x20, 0x03, 0xd5};
4362 ++static int make_nop_arm64(void *map, size_t const offset)
4363 ++{
4364 ++ uint32_t *ptr;
4365 ++
4366 ++ ptr = map + offset;
4367 ++ /* bl <_mcount> is 0x94000000 before relocation */
4368 ++ if (*ptr != 0x94000000)
4369 ++ return -1;
4370 ++
4371 ++ /* Convert to nop */
4372 ++ ulseek(fd_map, offset, SEEK_SET);
4373 ++ uwrite(fd_map, ideal_nop, 4);
4374 ++ return 0;
4375 ++}
4376 ++
4377 + /*
4378 + * Get the whole file as a programming convenience in order to avoid
4379 + * malloc+lseek+read+free of many pieces. If successful, then mmap
4380 +@@ -353,7 +370,12 @@ do_file(char const *const fname)
4381 + altmcount = "__gnu_mcount_nc";
4382 + break;
4383 + case EM_AARCH64:
4384 +- reltype = R_AARCH64_ABS64; gpfx = '_'; break;
4385 ++ reltype = R_AARCH64_ABS64;
4386 ++ make_nop = make_nop_arm64;
4387 ++ rel_type_nop = R_AARCH64_NONE;
4388 ++ ideal_nop = ideal_nop4_arm64;
4389 ++ gpfx = '_';
4390 ++ break;
4391 + case EM_IA_64: reltype = R_IA64_IMM64; gpfx = '_'; break;
4392 + case EM_METAG: reltype = R_METAG_ADDR32;
4393 + altmcount = "_mcount_wrapper";
4394 +diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
4395 +index 49b582a225b0..b9897e2be404 100644
4396 +--- a/scripts/recordmcount.h
4397 ++++ b/scripts/recordmcount.h
4398 +@@ -377,7 +377,7 @@ static void nop_mcount(Elf_Shdr const *const relhdr,
4399 +
4400 + if (mcountsym == Elf_r_sym(relp) && !is_fake_mcount(relp)) {
4401 + if (make_nop)
4402 +- ret = make_nop((void *)ehdr, shdr->sh_offset + relp->r_offset);
4403 ++ ret = make_nop((void *)ehdr, _w(shdr->sh_offset) + _w(relp->r_offset));
4404 + if (warn_on_notrace_sect && !once) {
4405 + printf("Section %s has mcount callers being ignored\n",
4406 + txtname);
4407 +diff --git a/scripts/recordmcount.pl b/scripts/recordmcount.pl
4408 +index 826470d7f000..96e2486a6fc4 100755
4409 +--- a/scripts/recordmcount.pl
4410 ++++ b/scripts/recordmcount.pl
4411 +@@ -263,7 +263,8 @@ if ($arch eq "x86_64") {
4412 +
4413 + } elsif ($arch eq "powerpc") {
4414 + $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\.?\\S+)";
4415 +- $function_regex = "^([0-9a-fA-F]+)\\s+<(\\.?.*?)>:";
4416 ++ # See comment in the sparc64 section for why we use '\w'.
4417 ++ $function_regex = "^([0-9a-fA-F]+)\\s+<(\\.?\\w*?)>:";
4418 + $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s\\.?_mcount\$";
4419 +
4420 + if ($bits == 64) {
4421 +diff --git a/sound/core/control.c b/sound/core/control.c
4422 +index 196a6fe100ca..a85d45595d02 100644
4423 +--- a/sound/core/control.c
4424 ++++ b/sound/core/control.c
4425 +@@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
4426 + return -EFAULT;
4427 + if (tlv.length < sizeof(unsigned int) * 2)
4428 + return -EINVAL;
4429 ++ if (!tlv.numid)
4430 ++ return -EINVAL;
4431 + down_read(&card->controls_rwsem);
4432 + kctl = snd_ctl_find_numid(card, tlv.numid);
4433 + if (kctl == NULL) {
4434 +diff --git a/sound/core/hrtimer.c b/sound/core/hrtimer.c
4435 +index f845ecf7e172..656d9a9032dc 100644
4436 +--- a/sound/core/hrtimer.c
4437 ++++ b/sound/core/hrtimer.c
4438 +@@ -90,7 +90,7 @@ static int snd_hrtimer_start(struct snd_timer *t)
4439 + struct snd_hrtimer *stime = t->private_data;
4440 +
4441 + atomic_set(&stime->running, 0);
4442 +- hrtimer_cancel(&stime->hrt);
4443 ++ hrtimer_try_to_cancel(&stime->hrt);
4444 + hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution),
4445 + HRTIMER_MODE_REL);
4446 + atomic_set(&stime->running, 1);
4447 +@@ -101,6 +101,7 @@ static int snd_hrtimer_stop(struct snd_timer *t)
4448 + {
4449 + struct snd_hrtimer *stime = t->private_data;
4450 + atomic_set(&stime->running, 0);
4451 ++ hrtimer_try_to_cancel(&stime->hrt);
4452 + return 0;
4453 + }
4454 +
4455 +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c
4456 +index b48b434444ed..9630e9f72b7b 100644
4457 +--- a/sound/core/pcm_compat.c
4458 ++++ b/sound/core/pcm_compat.c
4459 +@@ -255,10 +255,15 @@ static int snd_pcm_ioctl_hw_params_compat(struct snd_pcm_substream *substream,
4460 + if (! (runtime = substream->runtime))
4461 + return -ENOTTY;
4462 +
4463 +- /* only fifo_size is different, so just copy all */
4464 +- data = memdup_user(data32, sizeof(*data32));
4465 +- if (IS_ERR(data))
4466 +- return PTR_ERR(data);
4467 ++ data = kmalloc(sizeof(*data), GFP_KERNEL);
4468 ++ if (!data)
4469 ++ return -ENOMEM;
4470 ++
4471 ++ /* only fifo_size (RO from userspace) is different, so just copy all */
4472 ++ if (copy_from_user(data, data32, sizeof(*data32))) {
4473 ++ err = -EFAULT;
4474 ++ goto error;
4475 ++ }
4476 +
4477 + if (refine)
4478 + err = snd_pcm_hw_refine(substream, data);
4479 +diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
4480 +index b64f20deba90..13cfa815732d 100644
4481 +--- a/sound/core/seq/seq_clientmgr.c
4482 ++++ b/sound/core/seq/seq_clientmgr.c
4483 +@@ -1962,7 +1962,7 @@ static int snd_seq_ioctl_remove_events(struct snd_seq_client *client,
4484 + * No restrictions so for a user client we can clear
4485 + * the whole fifo
4486 + */
4487 +- if (client->type == USER_CLIENT)
4488 ++ if (client->type == USER_CLIENT && client->data.user.fifo)
4489 + snd_seq_fifo_clear(client->data.user.fifo);
4490 + }
4491 +
4492 +diff --git a/sound/core/seq/seq_compat.c b/sound/core/seq/seq_compat.c
4493 +index 81f7c109dc46..65175902a68a 100644
4494 +--- a/sound/core/seq/seq_compat.c
4495 ++++ b/sound/core/seq/seq_compat.c
4496 +@@ -49,11 +49,12 @@ static int snd_seq_call_port_info_ioctl(struct snd_seq_client *client, unsigned
4497 + struct snd_seq_port_info *data;
4498 + mm_segment_t fs;
4499 +
4500 +- data = memdup_user(data32, sizeof(*data32));
4501 +- if (IS_ERR(data))
4502 +- return PTR_ERR(data);
4503 ++ data = kmalloc(sizeof(*data), GFP_KERNEL);
4504 ++ if (!data)
4505 ++ return -ENOMEM;
4506 +
4507 +- if (get_user(data->flags, &data32->flags) ||
4508 ++ if (copy_from_user(data, data32, sizeof(*data32)) ||
4509 ++ get_user(data->flags, &data32->flags) ||
4510 + get_user(data->time_queue, &data32->time_queue))
4511 + goto error;
4512 + data->kernel = NULL;
4513 +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c
4514 +index 7dfd0f429410..0bec02e89d51 100644
4515 +--- a/sound/core/seq/seq_queue.c
4516 ++++ b/sound/core/seq/seq_queue.c
4517 +@@ -142,8 +142,10 @@ static struct snd_seq_queue *queue_new(int owner, int locked)
4518 + static void queue_delete(struct snd_seq_queue *q)
4519 + {
4520 + /* stop and release the timer */
4521 ++ mutex_lock(&q->timer_mutex);
4522 + snd_seq_timer_stop(q->timer);
4523 + snd_seq_timer_close(q);
4524 ++ mutex_unlock(&q->timer_mutex);
4525 + /* wait until access free */
4526 + snd_use_lock_sync(&q->use_lock);
4527 + /* release resources... */
4528 +diff --git a/sound/core/timer.c b/sound/core/timer.c
4529 +index 31f40f03e5b7..0a049c4578f1 100644
4530 +--- a/sound/core/timer.c
4531 ++++ b/sound/core/timer.c
4532 +@@ -65,6 +65,7 @@ struct snd_timer_user {
4533 + int qtail;
4534 + int qused;
4535 + int queue_size;
4536 ++ bool disconnected;
4537 + struct snd_timer_read *queue;
4538 + struct snd_timer_tread *tqueue;
4539 + spinlock_t qlock;
4540 +@@ -73,7 +74,7 @@ struct snd_timer_user {
4541 + struct timespec tstamp; /* trigger tstamp */
4542 + wait_queue_head_t qchange_sleep;
4543 + struct fasync_struct *fasync;
4544 +- struct mutex tread_sem;
4545 ++ struct mutex ioctl_lock;
4546 + };
4547 +
4548 + /* list of timers */
4549 +@@ -215,11 +216,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master)
4550 + slave->slave_id == master->slave_id) {
4551 + list_move_tail(&slave->open_list, &master->slave_list_head);
4552 + spin_lock_irq(&slave_active_lock);
4553 ++ spin_lock(&master->timer->lock);
4554 + slave->master = master;
4555 + slave->timer = master->timer;
4556 + if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
4557 + list_add_tail(&slave->active_list,
4558 + &master->slave_active_head);
4559 ++ spin_unlock(&master->timer->lock);
4560 + spin_unlock_irq(&slave_active_lock);
4561 + }
4562 + }
4563 +@@ -288,6 +291,9 @@ int snd_timer_open(struct snd_timer_instance **ti,
4564 + mutex_unlock(&register_mutex);
4565 + return -ENOMEM;
4566 + }
4567 ++ /* take a card refcount for safe disconnection */
4568 ++ if (timer->card)
4569 ++ get_device(&timer->card->card_dev);
4570 + timeri->slave_class = tid->dev_sclass;
4571 + timeri->slave_id = slave_id;
4572 + if (list_empty(&timer->open_list_head) && timer->hw.open)
4573 +@@ -346,15 +352,21 @@ int snd_timer_close(struct snd_timer_instance *timeri)
4574 + timer->hw.close)
4575 + timer->hw.close(timer);
4576 + /* remove slave links */
4577 ++ spin_lock_irq(&slave_active_lock);
4578 ++ spin_lock(&timer->lock);
4579 + list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
4580 + open_list) {
4581 +- spin_lock_irq(&slave_active_lock);
4582 +- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
4583 + list_move_tail(&slave->open_list, &snd_timer_slave_list);
4584 + slave->master = NULL;
4585 + slave->timer = NULL;
4586 +- spin_unlock_irq(&slave_active_lock);
4587 ++ list_del_init(&slave->ack_list);
4588 ++ list_del_init(&slave->active_list);
4589 + }
4590 ++ spin_unlock(&timer->lock);
4591 ++ spin_unlock_irq(&slave_active_lock);
4592 ++ /* release a card refcount for safe disconnection */
4593 ++ if (timer->card)
4594 ++ put_device(&timer->card->card_dev);
4595 + mutex_unlock(&register_mutex);
4596 + }
4597 + out:
4598 +@@ -441,9 +453,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
4599 +
4600 + spin_lock_irqsave(&slave_active_lock, flags);
4601 + timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
4602 +- if (timeri->master)
4603 ++ if (timeri->master && timeri->timer) {
4604 ++ spin_lock(&timeri->timer->lock);
4605 + list_add_tail(&timeri->active_list,
4606 + &timeri->master->slave_active_head);
4607 ++ spin_unlock(&timeri->timer->lock);
4608 ++ }
4609 + spin_unlock_irqrestore(&slave_active_lock, flags);
4610 + return 1; /* delayed start */
4611 + }
4612 +@@ -467,6 +482,8 @@ int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
4613 + timer = timeri->timer;
4614 + if (timer == NULL)
4615 + return -EINVAL;
4616 ++ if (timer->card && timer->card->shutdown)
4617 ++ return -ENODEV;
4618 + spin_lock_irqsave(&timer->lock, flags);
4619 + timeri->ticks = timeri->cticks = ticks;
4620 + timeri->pticks = 0;
4621 +@@ -489,6 +506,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
4622 + if (!keep_flag) {
4623 + spin_lock_irqsave(&slave_active_lock, flags);
4624 + timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
4625 ++ list_del_init(&timeri->ack_list);
4626 ++ list_del_init(&timeri->active_list);
4627 + spin_unlock_irqrestore(&slave_active_lock, flags);
4628 + }
4629 + goto __end;
4630 +@@ -499,6 +518,10 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
4631 + spin_lock_irqsave(&timer->lock, flags);
4632 + list_del_init(&timeri->ack_list);
4633 + list_del_init(&timeri->active_list);
4634 ++ if (timer->card && timer->card->shutdown) {
4635 ++ spin_unlock_irqrestore(&timer->lock, flags);
4636 ++ return 0;
4637 ++ }
4638 + if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) &&
4639 + !(--timer->running)) {
4640 + timer->hw.stop(timer);
4641 +@@ -561,6 +584,8 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
4642 + timer = timeri->timer;
4643 + if (! timer)
4644 + return -EINVAL;
4645 ++ if (timer->card && timer->card->shutdown)
4646 ++ return -ENODEV;
4647 + spin_lock_irqsave(&timer->lock, flags);
4648 + if (!timeri->cticks)
4649 + timeri->cticks = 1;
4650 +@@ -624,6 +649,9 @@ static void snd_timer_tasklet(unsigned long arg)
4651 + unsigned long resolution, ticks;
4652 + unsigned long flags;
4653 +
4654 ++ if (timer->card && timer->card->shutdown)
4655 ++ return;
4656 ++
4657 + spin_lock_irqsave(&timer->lock, flags);
4658 + /* now process all callbacks */
4659 + while (!list_empty(&timer->sack_list_head)) {
4660 +@@ -664,6 +692,9 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left)
4661 + if (timer == NULL)
4662 + return;
4663 +
4664 ++ if (timer->card && timer->card->shutdown)
4665 ++ return;
4666 ++
4667 + spin_lock_irqsave(&timer->lock, flags);
4668 +
4669 + /* remember the current resolution */
4670 +@@ -694,7 +725,7 @@ void snd_timer_interrupt(struct snd_timer * timer, unsigned long ticks_left)
4671 + } else {
4672 + ti->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
4673 + if (--timer->running)
4674 +- list_del(&ti->active_list);
4675 ++ list_del_init(&ti->active_list);
4676 + }
4677 + if ((timer->hw.flags & SNDRV_TIMER_HW_TASKLET) ||
4678 + (ti->flags & SNDRV_TIMER_IFLG_FAST))
4679 +@@ -874,11 +905,28 @@ static int snd_timer_dev_register(struct snd_device *dev)
4680 + return 0;
4681 + }
4682 +
4683 ++/* just for reference in snd_timer_dev_disconnect() below */
4684 ++static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
4685 ++ int event, struct timespec *tstamp,
4686 ++ unsigned long resolution);
4687 ++
4688 + static int snd_timer_dev_disconnect(struct snd_device *device)
4689 + {
4690 + struct snd_timer *timer = device->device_data;
4691 ++ struct snd_timer_instance *ti;
4692 ++
4693 + mutex_lock(&register_mutex);
4694 + list_del_init(&timer->device_list);
4695 ++ /* wake up pending sleepers */
4696 ++ list_for_each_entry(ti, &timer->open_list_head, open_list) {
4697 ++ /* FIXME: better to have a ti.disconnect() op */
4698 ++ if (ti->ccallback == snd_timer_user_ccallback) {
4699 ++ struct snd_timer_user *tu = ti->callback_data;
4700 ++
4701 ++ tu->disconnected = true;
4702 ++ wake_up(&tu->qchange_sleep);
4703 ++ }
4704 ++ }
4705 + mutex_unlock(&register_mutex);
4706 + return 0;
4707 + }
4708 +@@ -889,6 +937,8 @@ void snd_timer_notify(struct snd_timer *timer, int event, struct timespec *tstam
4709 + unsigned long resolution = 0;
4710 + struct snd_timer_instance *ti, *ts;
4711 +
4712 ++ if (timer->card && timer->card->shutdown)
4713 ++ return;
4714 + if (! (timer->hw.flags & SNDRV_TIMER_HW_SLAVE))
4715 + return;
4716 + if (snd_BUG_ON(event < SNDRV_TIMER_EVENT_MSTART ||
4717 +@@ -1047,6 +1097,8 @@ static void snd_timer_proc_read(struct snd_info_entry *entry,
4718 +
4719 + mutex_lock(&register_mutex);
4720 + list_for_each_entry(timer, &snd_timer_list, device_list) {
4721 ++ if (timer->card && timer->card->shutdown)
4722 ++ continue;
4723 + switch (timer->tmr_class) {
4724 + case SNDRV_TIMER_CLASS_GLOBAL:
4725 + snd_iprintf(buffer, "G%i: ", timer->tmr_device);
4726 +@@ -1253,7 +1305,7 @@ static int snd_timer_user_open(struct inode *inode, struct file *file)
4727 + return -ENOMEM;
4728 + spin_lock_init(&tu->qlock);
4729 + init_waitqueue_head(&tu->qchange_sleep);
4730 +- mutex_init(&tu->tread_sem);
4731 ++ mutex_init(&tu->ioctl_lock);
4732 + tu->ticks = 1;
4733 + tu->queue_size = 128;
4734 + tu->queue = kmalloc(tu->queue_size * sizeof(struct snd_timer_read),
4735 +@@ -1273,8 +1325,10 @@ static int snd_timer_user_release(struct inode *inode, struct file *file)
4736 + if (file->private_data) {
4737 + tu = file->private_data;
4738 + file->private_data = NULL;
4739 ++ mutex_lock(&tu->ioctl_lock);
4740 + if (tu->timeri)
4741 + snd_timer_close(tu->timeri);
4742 ++ mutex_unlock(&tu->ioctl_lock);
4743 + kfree(tu->queue);
4744 + kfree(tu->tqueue);
4745 + kfree(tu);
4746 +@@ -1512,7 +1566,6 @@ static int snd_timer_user_tselect(struct file *file,
4747 + int err = 0;
4748 +
4749 + tu = file->private_data;
4750 +- mutex_lock(&tu->tread_sem);
4751 + if (tu->timeri) {
4752 + snd_timer_close(tu->timeri);
4753 + tu->timeri = NULL;
4754 +@@ -1556,7 +1609,6 @@ static int snd_timer_user_tselect(struct file *file,
4755 + }
4756 +
4757 + __err:
4758 +- mutex_unlock(&tu->tread_sem);
4759 + return err;
4760 + }
4761 +
4762 +@@ -1769,7 +1821,7 @@ enum {
4763 + SNDRV_TIMER_IOCTL_PAUSE_OLD = _IO('T', 0x23),
4764 + };
4765 +
4766 +-static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
4767 ++static long __snd_timer_user_ioctl(struct file *file, unsigned int cmd,
4768 + unsigned long arg)
4769 + {
4770 + struct snd_timer_user *tu;
4771 +@@ -1786,17 +1838,11 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
4772 + {
4773 + int xarg;
4774 +
4775 +- mutex_lock(&tu->tread_sem);
4776 +- if (tu->timeri) { /* too late */
4777 +- mutex_unlock(&tu->tread_sem);
4778 ++ if (tu->timeri) /* too late */
4779 + return -EBUSY;
4780 +- }
4781 +- if (get_user(xarg, p)) {
4782 +- mutex_unlock(&tu->tread_sem);
4783 ++ if (get_user(xarg, p))
4784 + return -EFAULT;
4785 +- }
4786 + tu->tread = xarg ? 1 : 0;
4787 +- mutex_unlock(&tu->tread_sem);
4788 + return 0;
4789 + }
4790 + case SNDRV_TIMER_IOCTL_GINFO:
4791 +@@ -1829,6 +1875,18 @@ static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
4792 + return -ENOTTY;
4793 + }
4794 +
4795 ++static long snd_timer_user_ioctl(struct file *file, unsigned int cmd,
4796 ++ unsigned long arg)
4797 ++{
4798 ++ struct snd_timer_user *tu = file->private_data;
4799 ++ long ret;
4800 ++
4801 ++ mutex_lock(&tu->ioctl_lock);
4802 ++ ret = __snd_timer_user_ioctl(file, cmd, arg);
4803 ++ mutex_unlock(&tu->ioctl_lock);
4804 ++ return ret;
4805 ++}
4806 ++
4807 + static int snd_timer_user_fasync(int fd, struct file * file, int on)
4808 + {
4809 + struct snd_timer_user *tu;
4810 +@@ -1866,6 +1924,10 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer,
4811 +
4812 + remove_wait_queue(&tu->qchange_sleep, &wait);
4813 +
4814 ++ if (tu->disconnected) {
4815 ++ err = -ENODEV;
4816 ++ break;
4817 ++ }
4818 + if (signal_pending(current)) {
4819 + err = -ERESTARTSYS;
4820 + break;
4821 +@@ -1915,6 +1977,8 @@ static unsigned int snd_timer_user_poll(struct file *file, poll_table * wait)
4822 + mask = 0;
4823 + if (tu->qused)
4824 + mask |= POLLIN | POLLRDNORM;
4825 ++ if (tu->disconnected)
4826 ++ mask |= POLLERR;
4827 +
4828 + return mask;
4829 + }
4830 +diff --git a/sound/firewire/bebob/Makefile b/sound/firewire/bebob/Makefile
4831 +index 6cf470c80d1f..af7ed6643266 100644
4832 +--- a/sound/firewire/bebob/Makefile
4833 ++++ b/sound/firewire/bebob/Makefile
4834 +@@ -1,4 +1,4 @@
4835 + snd-bebob-objs := bebob_command.o bebob_stream.o bebob_proc.o bebob_midi.o \
4836 + bebob_pcm.o bebob_hwdep.o bebob_terratec.o bebob_yamaha.o \
4837 + bebob_focusrite.o bebob_maudio.o bebob.o
4838 +-obj-m += snd-bebob.o
4839 ++obj-$(CONFIG_SND_BEBOB) += snd-bebob.o
4840 +diff --git a/sound/firewire/dice/Makefile b/sound/firewire/dice/Makefile
4841 +index 9ef228ef7baf..55b4be9b0034 100644
4842 +--- a/sound/firewire/dice/Makefile
4843 ++++ b/sound/firewire/dice/Makefile
4844 +@@ -1,3 +1,3 @@
4845 + snd-dice-objs := dice-transaction.o dice-stream.o dice-proc.o dice-midi.o \
4846 + dice-pcm.o dice-hwdep.o dice.o
4847 +-obj-m += snd-dice.o
4848 ++obj-$(CONFIG_SND_DICE) += snd-dice.o
4849 +diff --git a/sound/firewire/fireworks/Makefile b/sound/firewire/fireworks/Makefile
4850 +index 0c7440826db8..15ef7f75a8ef 100644
4851 +--- a/sound/firewire/fireworks/Makefile
4852 ++++ b/sound/firewire/fireworks/Makefile
4853 +@@ -1,4 +1,4 @@
4854 + snd-fireworks-objs := fireworks_transaction.o fireworks_command.o \
4855 + fireworks_stream.o fireworks_proc.o fireworks_midi.o \
4856 + fireworks_pcm.o fireworks_hwdep.o fireworks.o
4857 +-obj-m += snd-fireworks.o
4858 ++obj-$(CONFIG_SND_FIREWORKS) += snd-fireworks.o
4859 +diff --git a/sound/firewire/oxfw/Makefile b/sound/firewire/oxfw/Makefile
4860 +index a926850864f6..06ff50f4e6c0 100644
4861 +--- a/sound/firewire/oxfw/Makefile
4862 ++++ b/sound/firewire/oxfw/Makefile
4863 +@@ -1,3 +1,3 @@
4864 + snd-oxfw-objs := oxfw-command.o oxfw-stream.o oxfw-control.o oxfw-pcm.o \
4865 + oxfw-proc.o oxfw-midi.o oxfw-hwdep.o oxfw.o
4866 +-obj-m += snd-oxfw.o
4867 ++obj-$(CONFIG_SND_OXFW) += snd-oxfw.o
4868 +diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
4869 +index 944455997fdc..4013af376327 100644
4870 +--- a/sound/pci/hda/hda_controller.c
4871 ++++ b/sound/pci/hda/hda_controller.c
4872 +@@ -1059,6 +1059,9 @@ int azx_bus_init(struct azx *chip, const char *model,
4873 + bus->needs_damn_long_delay = 1;
4874 + }
4875 +
4876 ++ if (chip->driver_caps & AZX_DCAPS_4K_BDLE_BOUNDARY)
4877 ++ bus->core.align_bdle_4k = true;
4878 ++
4879 + /* AMD chipsets often cause the communication stalls upon certain
4880 + * sequence like the pin-detection. It seems that forcing the synced
4881 + * access works around the stall. Grrr...
4882 +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
4883 +index c38c68f57938..e61fbf4270e1 100644
4884 +--- a/sound/pci/hda/hda_intel.c
4885 ++++ b/sound/pci/hda/hda_intel.c
4886 +@@ -334,6 +334,7 @@ enum {
4887 +
4888 + #define AZX_DCAPS_PRESET_CTHDA \
4889 + (AZX_DCAPS_NO_MSI | AZX_DCAPS_POSFIX_LPIB |\
4890 ++ AZX_DCAPS_NO_64BIT |\
4891 + AZX_DCAPS_4K_BDLE_BOUNDARY | AZX_DCAPS_SNOOP_OFF)
4892 +
4893 + /*
4894 +@@ -926,6 +927,36 @@ static int azx_resume(struct device *dev)
4895 + }
4896 + #endif /* CONFIG_PM_SLEEP || SUPPORT_VGA_SWITCHEROO */
4897 +
4898 ++#ifdef CONFIG_PM_SLEEP
4899 ++/* put codec down to D3 at hibernation for Intel SKL+;
4900 ++ * otherwise BIOS may still access the codec and screw up the driver
4901 ++ */
4902 ++#define IS_SKL(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0xa170)
4903 ++#define IS_SKL_LP(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x9d70)
4904 ++#define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
4905 ++#define IS_SKL_PLUS(pci) (IS_SKL(pci) || IS_SKL_LP(pci) || IS_BXT(pci))
4906 ++
4907 ++static int azx_freeze_noirq(struct device *dev)
4908 ++{
4909 ++ struct pci_dev *pci = to_pci_dev(dev);
4910 ++
4911 ++ if (IS_SKL_PLUS(pci))
4912 ++ pci_set_power_state(pci, PCI_D3hot);
4913 ++
4914 ++ return 0;
4915 ++}
4916 ++
4917 ++static int azx_thaw_noirq(struct device *dev)
4918 ++{
4919 ++ struct pci_dev *pci = to_pci_dev(dev);
4920 ++
4921 ++ if (IS_SKL_PLUS(pci))
4922 ++ pci_set_power_state(pci, PCI_D0);
4923 ++
4924 ++ return 0;
4925 ++}
4926 ++#endif /* CONFIG_PM_SLEEP */
4927 ++
4928 + #ifdef CONFIG_PM
4929 + static int azx_runtime_suspend(struct device *dev)
4930 + {
4931 +@@ -1035,6 +1066,10 @@ static int azx_runtime_idle(struct device *dev)
4932 +
4933 + static const struct dev_pm_ops azx_pm = {
4934 + SET_SYSTEM_SLEEP_PM_OPS(azx_suspend, azx_resume)
4935 ++#ifdef CONFIG_PM_SLEEP
4936 ++ .freeze_noirq = azx_freeze_noirq,
4937 ++ .thaw_noirq = azx_thaw_noirq,
4938 ++#endif
4939 + SET_RUNTIME_PM_OPS(azx_runtime_suspend, azx_runtime_resume, azx_runtime_idle)
4940 + };
4941 +
4942 +@@ -2065,9 +2100,17 @@ i915_power_fail:
4943 + static void azx_remove(struct pci_dev *pci)
4944 + {
4945 + struct snd_card *card = pci_get_drvdata(pci);
4946 ++ struct azx *chip;
4947 ++ struct hda_intel *hda;
4948 ++
4949 ++ if (card) {
4950 ++ /* flush the pending probing work */
4951 ++ chip = card->private_data;
4952 ++ hda = container_of(chip, struct hda_intel, chip);
4953 ++ flush_work(&hda->probe_work);
4954 +
4955 +- if (card)
4956 + snd_card_free(card);
4957 ++ }
4958 + }
4959 +
4960 + static void azx_shutdown(struct pci_dev *pci)
4961 +@@ -2104,6 +2147,11 @@ static const struct pci_device_id azx_ids[] = {
4962 + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
4963 + { PCI_DEVICE(0x8086, 0x8d21),
4964 + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
4965 ++ /* Lewisburg */
4966 ++ { PCI_DEVICE(0x8086, 0xa1f0),
4967 ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
4968 ++ { PCI_DEVICE(0x8086, 0xa270),
4969 ++ .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
4970 + /* Lynx Point-LP */
4971 + { PCI_DEVICE(0x8086, 0x9c20),
4972 + .driver_data = AZX_DRIVER_PCH | AZX_DCAPS_INTEL_PCH },
4973 +@@ -2284,11 +2332,13 @@ static const struct pci_device_id azx_ids[] = {
4974 + .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
4975 + .class_mask = 0xffffff,
4976 + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND |
4977 ++ AZX_DCAPS_NO_64BIT |
4978 + AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB },
4979 + #else
4980 + /* this entry seems still valid -- i.e. without emu20kx chip */
4981 + { PCI_DEVICE(0x1102, 0x0009),
4982 + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND |
4983 ++ AZX_DCAPS_NO_64BIT |
4984 + AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB },
4985 + #endif
4986 + /* CM8888 */
4987 +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
4988 +index 186792fe226e..5b8a5b84a03c 100644
4989 +--- a/sound/pci/hda/patch_ca0132.c
4990 ++++ b/sound/pci/hda/patch_ca0132.c
4991 +@@ -778,7 +778,8 @@ static const struct hda_pintbl alienware_pincfgs[] = {
4992 + };
4993 +
4994 + static const struct snd_pci_quirk ca0132_quirks[] = {
4995 +- SND_PCI_QUIRK(0x1028, 0x0685, "Alienware 15", QUIRK_ALIENWARE),
4996 ++ SND_PCI_QUIRK(0x1028, 0x0685, "Alienware 15 2015", QUIRK_ALIENWARE),
4997 ++ SND_PCI_QUIRK(0x1028, 0x0688, "Alienware 17 2015", QUIRK_ALIENWARE),
4998 + {}
4999 + };
5000 +
5001 +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
5002 +index f22f5c409447..d1c74295a362 100644
5003 +--- a/sound/pci/hda/patch_hdmi.c
5004 ++++ b/sound/pci/hda/patch_hdmi.c
5005 +@@ -2330,6 +2330,12 @@ static void intel_pin_eld_notify(void *audio_ptr, int port)
5006 + struct hda_codec *codec = audio_ptr;
5007 + int pin_nid = port + 0x04;
5008 +
5009 ++ /* skip notification during system suspend (but not in runtime PM);
5010 ++ * the state will be updated at resume
5011 ++ */
5012 ++ if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0)
5013 ++ return;
5014 ++
5015 + check_presence_and_report(codec, pin_nid);
5016 + }
5017 +
5018 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
5019 +index 16b8dcba5c12..887f37761f18 100644
5020 +--- a/sound/pci/hda/patch_realtek.c
5021 ++++ b/sound/pci/hda/patch_realtek.c
5022 +@@ -67,6 +67,10 @@ enum {
5023 + ALC_HEADSET_TYPE_OMTP,
5024 + };
5025 +
5026 ++enum {
5027 ++ ALC_KEY_MICMUTE_INDEX,
5028 ++};
5029 ++
5030 + struct alc_customize_define {
5031 + unsigned int sku_cfg;
5032 + unsigned char port_connectivity;
5033 +@@ -111,6 +115,7 @@ struct alc_spec {
5034 + void (*power_hook)(struct hda_codec *codec);
5035 + #endif
5036 + void (*shutup)(struct hda_codec *codec);
5037 ++ void (*reboot_notify)(struct hda_codec *codec);
5038 +
5039 + int init_amp;
5040 + int codec_variant; /* flag for other variants */
5041 +@@ -122,6 +127,7 @@ struct alc_spec {
5042 + unsigned int pll_coef_idx, pll_coef_bit;
5043 + unsigned int coef0;
5044 + struct input_dev *kb_dev;
5045 ++ u8 alc_mute_keycode_map[1];
5046 + };
5047 +
5048 + /*
5049 +@@ -773,6 +779,25 @@ static inline void alc_shutup(struct hda_codec *codec)
5050 + snd_hda_shutup_pins(codec);
5051 + }
5052 +
5053 ++static void alc_reboot_notify(struct hda_codec *codec)
5054 ++{
5055 ++ struct alc_spec *spec = codec->spec;
5056 ++
5057 ++ if (spec && spec->reboot_notify)
5058 ++ spec->reboot_notify(codec);
5059 ++ else
5060 ++ alc_shutup(codec);
5061 ++}
5062 ++
5063 ++/* power down codec to D3 at reboot/shutdown; set as reboot_notify ops */
5064 ++static void alc_d3_at_reboot(struct hda_codec *codec)
5065 ++{
5066 ++ snd_hda_codec_set_power_to_all(codec, codec->core.afg, AC_PWRST_D3);
5067 ++ snd_hda_codec_write(codec, codec->core.afg, 0,
5068 ++ AC_VERB_SET_POWER_STATE, AC_PWRST_D3);
5069 ++ msleep(10);
5070 ++}
5071 ++
5072 + #define alc_free snd_hda_gen_free
5073 +
5074 + #ifdef CONFIG_PM
5075 +@@ -818,7 +843,7 @@ static const struct hda_codec_ops alc_patch_ops = {
5076 + .suspend = alc_suspend,
5077 + .check_power_status = snd_hda_gen_check_power_status,
5078 + #endif
5079 +- .reboot_notify = alc_shutup,
5080 ++ .reboot_notify = alc_reboot_notify,
5081 + };
5082 +
5083 +
5084 +@@ -1765,10 +1790,12 @@ enum {
5085 + ALC889_FIXUP_MBA11_VREF,
5086 + ALC889_FIXUP_MBA21_VREF,
5087 + ALC889_FIXUP_MP11_VREF,
5088 ++ ALC889_FIXUP_MP41_VREF,
5089 + ALC882_FIXUP_INV_DMIC,
5090 + ALC882_FIXUP_NO_PRIMARY_HP,
5091 + ALC887_FIXUP_ASUS_BASS,
5092 + ALC887_FIXUP_BASS_CHMAP,
5093 ++ ALC882_FIXUP_DISABLE_AAMIX,
5094 + };
5095 +
5096 + static void alc889_fixup_coef(struct hda_codec *codec,
5097 +@@ -1852,7 +1879,7 @@ static void alc889_fixup_mbp_vref(struct hda_codec *codec,
5098 + const struct hda_fixup *fix, int action)
5099 + {
5100 + struct alc_spec *spec = codec->spec;
5101 +- static hda_nid_t nids[2] = { 0x14, 0x15 };
5102 ++ static hda_nid_t nids[3] = { 0x14, 0x15, 0x19 };
5103 + int i;
5104 +
5105 + if (action != HDA_FIXUP_ACT_INIT)
5106 +@@ -1930,6 +1957,8 @@ static void alc882_fixup_no_primary_hp(struct hda_codec *codec,
5107 +
5108 + static void alc_fixup_bass_chmap(struct hda_codec *codec,
5109 + const struct hda_fixup *fix, int action);
5110 ++static void alc_fixup_disable_aamix(struct hda_codec *codec,
5111 ++ const struct hda_fixup *fix, int action);
5112 +
5113 + static const struct hda_fixup alc882_fixups[] = {
5114 + [ALC882_FIXUP_ABIT_AW9D_MAX] = {
5115 +@@ -2140,6 +2169,12 @@ static const struct hda_fixup alc882_fixups[] = {
5116 + .chained = true,
5117 + .chain_id = ALC885_FIXUP_MACPRO_GPIO,
5118 + },
5119 ++ [ALC889_FIXUP_MP41_VREF] = {
5120 ++ .type = HDA_FIXUP_FUNC,
5121 ++ .v.func = alc889_fixup_mbp_vref,
5122 ++ .chained = true,
5123 ++ .chain_id = ALC885_FIXUP_MACPRO_GPIO,
5124 ++ },
5125 + [ALC882_FIXUP_INV_DMIC] = {
5126 + .type = HDA_FIXUP_FUNC,
5127 + .v.func = alc_fixup_inv_dmic,
5128 +@@ -2161,6 +2196,10 @@ static const struct hda_fixup alc882_fixups[] = {
5129 + .type = HDA_FIXUP_FUNC,
5130 + .v.func = alc_fixup_bass_chmap,
5131 + },
5132 ++ [ALC882_FIXUP_DISABLE_AAMIX] = {
5133 ++ .type = HDA_FIXUP_FUNC,
5134 ++ .v.func = alc_fixup_disable_aamix,
5135 ++ },
5136 + };
5137 +
5138 + static const struct snd_pci_quirk alc882_fixup_tbl[] = {
5139 +@@ -2218,7 +2257,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
5140 + SND_PCI_QUIRK(0x106b, 0x3f00, "Macbook 5,1", ALC889_FIXUP_IMAC91_VREF),
5141 + SND_PCI_QUIRK(0x106b, 0x4000, "MacbookPro 5,1", ALC889_FIXUP_IMAC91_VREF),
5142 + SND_PCI_QUIRK(0x106b, 0x4100, "Macmini 3,1", ALC889_FIXUP_IMAC91_VREF),
5143 +- SND_PCI_QUIRK(0x106b, 0x4200, "Mac Pro 5,1", ALC885_FIXUP_MACPRO_GPIO),
5144 ++ SND_PCI_QUIRK(0x106b, 0x4200, "Mac Pro 4,1/5,1", ALC889_FIXUP_MP41_VREF),
5145 + SND_PCI_QUIRK(0x106b, 0x4300, "iMac 9,1", ALC889_FIXUP_IMAC91_VREF),
5146 + SND_PCI_QUIRK(0x106b, 0x4600, "MacbookPro 5,2", ALC889_FIXUP_IMAC91_VREF),
5147 + SND_PCI_QUIRK(0x106b, 0x4900, "iMac 9,1 Aluminum", ALC889_FIXUP_IMAC91_VREF),
5148 +@@ -2228,6 +2267,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
5149 + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),
5150 + SND_PCI_QUIRK_VENDOR(0x1462, "MSI", ALC882_FIXUP_GPIO3),
5151 + SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE),
5152 ++ SND_PCI_QUIRK(0x1458, 0xa182, "Gigabyte Z170X-UD3", ALC882_FIXUP_DISABLE_AAMIX),
5153 + SND_PCI_QUIRK(0x147b, 0x107a, "Abit AW9D-MAX", ALC882_FIXUP_ABIT_AW9D_MAX),
5154 + SND_PCI_QUIRK_VENDOR(0x1558, "Clevo laptop", ALC882_FIXUP_EAPD),
5155 + SND_PCI_QUIRK(0x161f, 0x2054, "Medion laptop", ALC883_FIXUP_EAPD),
5156 +@@ -3437,12 +3477,43 @@ static void gpio2_mic_hotkey_event(struct hda_codec *codec,
5157 +
5158 + /* GPIO2 just toggles on a keypress/keyrelease cycle. Therefore
5159 + send both key on and key off event for every interrupt. */
5160 +- input_report_key(spec->kb_dev, KEY_MICMUTE, 1);
5161 ++ input_report_key(spec->kb_dev, spec->alc_mute_keycode_map[ALC_KEY_MICMUTE_INDEX], 1);
5162 + input_sync(spec->kb_dev);
5163 +- input_report_key(spec->kb_dev, KEY_MICMUTE, 0);
5164 ++ input_report_key(spec->kb_dev, spec->alc_mute_keycode_map[ALC_KEY_MICMUTE_INDEX], 0);
5165 + input_sync(spec->kb_dev);
5166 + }
5167 +
5168 ++static int alc_register_micmute_input_device(struct hda_codec *codec)
5169 ++{
5170 ++ struct alc_spec *spec = codec->spec;
5171 ++ int i;
5172 ++
5173 ++ spec->kb_dev = input_allocate_device();
5174 ++ if (!spec->kb_dev) {
5175 ++ codec_err(codec, "Out of memory (input_allocate_device)\n");
5176 ++ return -ENOMEM;
5177 ++ }
5178 ++
5179 ++ spec->alc_mute_keycode_map[ALC_KEY_MICMUTE_INDEX] = KEY_MICMUTE;
5180 ++
5181 ++ spec->kb_dev->name = "Microphone Mute Button";
5182 ++ spec->kb_dev->evbit[0] = BIT_MASK(EV_KEY);
5183 ++ spec->kb_dev->keycodesize = sizeof(spec->alc_mute_keycode_map[0]);
5184 ++ spec->kb_dev->keycodemax = ARRAY_SIZE(spec->alc_mute_keycode_map);
5185 ++ spec->kb_dev->keycode = spec->alc_mute_keycode_map;
5186 ++ for (i = 0; i < ARRAY_SIZE(spec->alc_mute_keycode_map); i++)
5187 ++ set_bit(spec->alc_mute_keycode_map[i], spec->kb_dev->keybit);
5188 ++
5189 ++ if (input_register_device(spec->kb_dev)) {
5190 ++ codec_err(codec, "input_register_device failed\n");
5191 ++ input_free_device(spec->kb_dev);
5192 ++ spec->kb_dev = NULL;
5193 ++ return -ENOMEM;
5194 ++ }
5195 ++
5196 ++ return 0;
5197 ++}
5198 ++
5199 + static void alc280_fixup_hp_gpio2_mic_hotkey(struct hda_codec *codec,
5200 + const struct hda_fixup *fix, int action)
5201 + {
5202 +@@ -3460,20 +3531,8 @@ static void alc280_fixup_hp_gpio2_mic_hotkey(struct hda_codec *codec,
5203 + struct alc_spec *spec = codec->spec;
5204 +
5205 + if (action == HDA_FIXUP_ACT_PRE_PROBE) {
5206 +- spec->kb_dev = input_allocate_device();
5207 +- if (!spec->kb_dev) {
5208 +- codec_err(codec, "Out of memory (input_allocate_device)\n");
5209 ++ if (alc_register_micmute_input_device(codec) != 0)
5210 + return;
5211 +- }
5212 +- spec->kb_dev->name = "Microphone Mute Button";
5213 +- spec->kb_dev->evbit[0] = BIT_MASK(EV_KEY);
5214 +- spec->kb_dev->keybit[BIT_WORD(KEY_MICMUTE)] = BIT_MASK(KEY_MICMUTE);
5215 +- if (input_register_device(spec->kb_dev)) {
5216 +- codec_err(codec, "input_register_device failed\n");
5217 +- input_free_device(spec->kb_dev);
5218 +- spec->kb_dev = NULL;
5219 +- return;
5220 +- }
5221 +
5222 + snd_hda_add_verbs(codec, gpio_init);
5223 + snd_hda_codec_write_cache(codec, codec->core.afg, 0,
5224 +@@ -3503,6 +3562,47 @@ static void alc280_fixup_hp_gpio2_mic_hotkey(struct hda_codec *codec,
5225 + }
5226 + }
5227 +
5228 ++static void alc233_fixup_lenovo_line2_mic_hotkey(struct hda_codec *codec,
5229 ++ const struct hda_fixup *fix, int action)
5230 ++{
5231 ++ /* Line2 = mic mute hotkey
5232 ++ GPIO2 = mic mute LED */
5233 ++ static const struct hda_verb gpio_init[] = {
5234 ++ { 0x01, AC_VERB_SET_GPIO_MASK, 0x04 },
5235 ++ { 0x01, AC_VERB_SET_GPIO_DIRECTION, 0x04 },
5236 ++ {}
5237 ++ };
5238 ++
5239 ++ struct alc_spec *spec = codec->spec;
5240 ++
5241 ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
5242 ++ if (alc_register_micmute_input_device(codec) != 0)
5243 ++ return;
5244 ++
5245 ++ snd_hda_add_verbs(codec, gpio_init);
5246 ++ snd_hda_jack_detect_enable_callback(codec, 0x1b,
5247 ++ gpio2_mic_hotkey_event);
5248 ++
5249 ++ spec->gen.cap_sync_hook = alc_fixup_gpio_mic_mute_hook;
5250 ++ spec->gpio_led = 0;
5251 ++ spec->mute_led_polarity = 0;
5252 ++ spec->gpio_mic_led_mask = 0x04;
5253 ++ return;
5254 ++ }
5255 ++
5256 ++ if (!spec->kb_dev)
5257 ++ return;
5258 ++
5259 ++ switch (action) {
5260 ++ case HDA_FIXUP_ACT_PROBE:
5261 ++ spec->init_amp = ALC_INIT_DEFAULT;
5262 ++ break;
5263 ++ case HDA_FIXUP_ACT_FREE:
5264 ++ input_unregister_device(spec->kb_dev);
5265 ++ spec->kb_dev = NULL;
5266 ++ }
5267 ++}
5268 ++
5269 + static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec,
5270 + const struct hda_fixup *fix, int action)
5271 + {
5272 +@@ -4200,6 +4300,8 @@ static void alc_fixup_tpt440_dock(struct hda_codec *codec,
5273 + struct alc_spec *spec = codec->spec;
5274 +
5275 + if (action == HDA_FIXUP_ACT_PRE_PROBE) {
5276 ++ spec->shutup = alc_no_shutup; /* reduce click noise */
5277 ++ spec->reboot_notify = alc_d3_at_reboot; /* reduce noise */
5278 + spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
5279 + codec->power_save_node = 0; /* avoid click noises */
5280 + snd_hda_apply_pincfgs(codec, pincfgs);
5281 +@@ -4574,12 +4676,14 @@ enum {
5282 + ALC290_FIXUP_SUBWOOFER,
5283 + ALC290_FIXUP_SUBWOOFER_HSJACK,
5284 + ALC269_FIXUP_THINKPAD_ACPI,
5285 ++ ALC269_FIXUP_DMIC_THINKPAD_ACPI,
5286 + ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
5287 + ALC255_FIXUP_DELL2_MIC_NO_PRESENCE,
5288 + ALC255_FIXUP_HEADSET_MODE,
5289 + ALC255_FIXUP_HEADSET_MODE_NO_HP_MIC,
5290 + ALC293_FIXUP_DELL1_MIC_NO_PRESENCE,
5291 + ALC292_FIXUP_TPT440_DOCK,
5292 ++ ALC292_FIXUP_TPT440,
5293 + ALC283_FIXUP_BXBT2807_MIC,
5294 + ALC255_FIXUP_DELL_WMI_MIC_MUTE_LED,
5295 + ALC282_FIXUP_ASPIRE_V5_PINS,
5296 +@@ -4595,7 +4699,12 @@ enum {
5297 + ALC288_FIXUP_DISABLE_AAMIX,
5298 + ALC292_FIXUP_DELL_E7X,
5299 + ALC292_FIXUP_DISABLE_AAMIX,
5300 ++ ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK,
5301 + ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
5302 ++ ALC275_FIXUP_DELL_XPS,
5303 ++ ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE,
5304 ++ ALC293_FIXUP_LENOVO_SPK_NOISE,
5305 ++ ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY,
5306 + };
5307 +
5308 + static const struct hda_fixup alc269_fixups[] = {
5309 +@@ -5005,6 +5114,12 @@ static const struct hda_fixup alc269_fixups[] = {
5310 + .type = HDA_FIXUP_FUNC,
5311 + .v.func = hda_fixup_thinkpad_acpi,
5312 + },
5313 ++ [ALC269_FIXUP_DMIC_THINKPAD_ACPI] = {
5314 ++ .type = HDA_FIXUP_FUNC,
5315 ++ .v.func = alc_fixup_inv_dmic,
5316 ++ .chained = true,
5317 ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI,
5318 ++ },
5319 + [ALC255_FIXUP_DELL1_MIC_NO_PRESENCE] = {
5320 + .type = HDA_FIXUP_PINS,
5321 + .v.pins = (const struct hda_pintbl[]) {
5322 +@@ -5050,6 +5165,12 @@ static const struct hda_fixup alc269_fixups[] = {
5323 + .chained = true,
5324 + .chain_id = ALC269_FIXUP_LIMIT_INT_MIC_BOOST
5325 + },
5326 ++ [ALC292_FIXUP_TPT440] = {
5327 ++ .type = HDA_FIXUP_FUNC,
5328 ++ .v.func = alc_fixup_disable_aamix,
5329 ++ .chained = true,
5330 ++ .chain_id = ALC292_FIXUP_TPT440_DOCK,
5331 ++ },
5332 + [ALC283_FIXUP_BXBT2807_MIC] = {
5333 + .type = HDA_FIXUP_PINS,
5334 + .v.pins = (const struct hda_pintbl[]) {
5335 +@@ -5149,6 +5270,12 @@ static const struct hda_fixup alc269_fixups[] = {
5336 + .chained = true,
5337 + .chain_id = ALC269_FIXUP_DELL2_MIC_NO_PRESENCE
5338 + },
5339 ++ [ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK] = {
5340 ++ .type = HDA_FIXUP_FUNC,
5341 ++ .v.func = alc_fixup_disable_aamix,
5342 ++ .chained = true,
5343 ++ .chain_id = ALC293_FIXUP_DELL1_MIC_NO_PRESENCE
5344 ++ },
5345 + [ALC292_FIXUP_DELL_E7X] = {
5346 + .type = HDA_FIXUP_FUNC,
5347 + .v.func = alc_fixup_dell_xps13,
5348 +@@ -5165,6 +5292,38 @@ static const struct hda_fixup alc269_fixups[] = {
5349 + .chained = true,
5350 + .chain_id = ALC269_FIXUP_HEADSET_MODE
5351 + },
5352 ++ [ALC275_FIXUP_DELL_XPS] = {
5353 ++ .type = HDA_FIXUP_VERBS,
5354 ++ .v.verbs = (const struct hda_verb[]) {
5355 ++ /* Enables internal speaker */
5356 ++ {0x20, AC_VERB_SET_COEF_INDEX, 0x1f},
5357 ++ {0x20, AC_VERB_SET_PROC_COEF, 0x00c0},
5358 ++ {0x20, AC_VERB_SET_COEF_INDEX, 0x30},
5359 ++ {0x20, AC_VERB_SET_PROC_COEF, 0x00b1},
5360 ++ {}
5361 ++ }
5362 ++ },
5363 ++ [ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE] = {
5364 ++ .type = HDA_FIXUP_VERBS,
5365 ++ .v.verbs = (const struct hda_verb[]) {
5366 ++ /* Disable pass-through path for FRONT 14h */
5367 ++ {0x20, AC_VERB_SET_COEF_INDEX, 0x36},
5368 ++ {0x20, AC_VERB_SET_PROC_COEF, 0x1737},
5369 ++ {}
5370 ++ },
5371 ++ .chained = true,
5372 ++ .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
5373 ++ },
5374 ++ [ALC293_FIXUP_LENOVO_SPK_NOISE] = {
5375 ++ .type = HDA_FIXUP_FUNC,
5376 ++ .v.func = alc_fixup_disable_aamix,
5377 ++ .chained = true,
5378 ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI
5379 ++ },
5380 ++ [ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY] = {
5381 ++ .type = HDA_FIXUP_FUNC,
5382 ++ .v.func = alc233_fixup_lenovo_line2_mic_hotkey,
5383 ++ },
5384 + };
5385 +
5386 + static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5387 +@@ -5178,7 +5337,11 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5388 + SND_PCI_QUIRK(0x1025, 0x0742, "Acer AO756", ALC271_FIXUP_HP_GATE_MIC_JACK),
5389 + SND_PCI_QUIRK(0x1025, 0x0775, "Acer Aspire E1-572", ALC271_FIXUP_HP_GATE_MIC_JACK_E1_572),
5390 + SND_PCI_QUIRK(0x1025, 0x079b, "Acer Aspire V5-573G", ALC282_FIXUP_ASPIRE_V5_PINS),
5391 ++ SND_PCI_QUIRK(0x1025, 0x106d, "Acer Cloudbook 14", ALC283_FIXUP_CHROME_BOOK),
5392 + SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z),
5393 ++ SND_PCI_QUIRK(0x1028, 0x054b, "Dell XPS one 2710", ALC275_FIXUP_DELL_XPS),
5394 ++ SND_PCI_QUIRK(0x1028, 0x05bd, "Dell Latitude E6440", ALC292_FIXUP_DELL_E7X),
5395 ++ SND_PCI_QUIRK(0x1028, 0x05be, "Dell Latitude E6540", ALC292_FIXUP_DELL_E7X),
5396 + SND_PCI_QUIRK(0x1028, 0x05ca, "Dell Latitude E7240", ALC292_FIXUP_DELL_E7X),
5397 + SND_PCI_QUIRK(0x1028, 0x05cb, "Dell Latitude E7440", ALC292_FIXUP_DELL_E7X),
5398 + SND_PCI_QUIRK(0x1028, 0x05da, "Dell Vostro 5460", ALC290_FIXUP_SUBWOOFER),
5399 +@@ -5187,6 +5350,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5400 + SND_PCI_QUIRK(0x1028, 0x05f6, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE),
5401 + SND_PCI_QUIRK(0x1028, 0x0615, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK),
5402 + SND_PCI_QUIRK(0x1028, 0x0616, "Dell Vostro 5470", ALC290_FIXUP_SUBWOOFER_HSJACK),
5403 ++ SND_PCI_QUIRK(0x1028, 0x062c, "Dell Latitude E5550", ALC292_FIXUP_DELL_E7X),
5404 + SND_PCI_QUIRK(0x1028, 0x062e, "Dell Latitude E7450", ALC292_FIXUP_DELL_E7X),
5405 + SND_PCI_QUIRK(0x1028, 0x0638, "Dell Inspiron 5439", ALC290_FIXUP_MONO_SPEAKERS_HSJACK),
5406 + SND_PCI_QUIRK(0x1028, 0x064a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
5407 +@@ -5196,11 +5360,12 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5408 + SND_PCI_QUIRK(0x1028, 0x06c7, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE),
5409 + SND_PCI_QUIRK(0x1028, 0x06d9, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
5410 + SND_PCI_QUIRK(0x1028, 0x06da, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
5411 +- SND_PCI_QUIRK(0x1028, 0x06db, "Dell", ALC292_FIXUP_DISABLE_AAMIX),
5412 +- SND_PCI_QUIRK(0x1028, 0x06dd, "Dell", ALC292_FIXUP_DISABLE_AAMIX),
5413 +- SND_PCI_QUIRK(0x1028, 0x06de, "Dell", ALC292_FIXUP_DISABLE_AAMIX),
5414 +- SND_PCI_QUIRK(0x1028, 0x06df, "Dell", ALC292_FIXUP_DISABLE_AAMIX),
5415 +- SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", ALC292_FIXUP_DISABLE_AAMIX),
5416 ++ SND_PCI_QUIRK(0x1028, 0x06db, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
5417 ++ SND_PCI_QUIRK(0x1028, 0x06dd, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
5418 ++ SND_PCI_QUIRK(0x1028, 0x06de, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
5419 ++ SND_PCI_QUIRK(0x1028, 0x06df, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
5420 ++ SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
5421 ++ SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
5422 + SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
5423 + SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
5424 + SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
5425 +@@ -5299,15 +5464,19 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5426 + SND_PCI_QUIRK(0x17aa, 0x21fb, "Thinkpad T430s", ALC269_FIXUP_LENOVO_DOCK),
5427 + SND_PCI_QUIRK(0x17aa, 0x2203, "Thinkpad X230 Tablet", ALC269_FIXUP_LENOVO_DOCK),
5428 + SND_PCI_QUIRK(0x17aa, 0x2208, "Thinkpad T431s", ALC269_FIXUP_LENOVO_DOCK),
5429 +- SND_PCI_QUIRK(0x17aa, 0x220c, "Thinkpad T440s", ALC292_FIXUP_TPT440_DOCK),
5430 ++ SND_PCI_QUIRK(0x17aa, 0x220c, "Thinkpad T440s", ALC292_FIXUP_TPT440),
5431 + SND_PCI_QUIRK(0x17aa, 0x220e, "Thinkpad T440p", ALC292_FIXUP_TPT440_DOCK),
5432 + SND_PCI_QUIRK(0x17aa, 0x2210, "Thinkpad T540p", ALC292_FIXUP_TPT440_DOCK),
5433 + SND_PCI_QUIRK(0x17aa, 0x2211, "Thinkpad W541", ALC292_FIXUP_TPT440_DOCK),
5434 + SND_PCI_QUIRK(0x17aa, 0x2212, "Thinkpad T440", ALC292_FIXUP_TPT440_DOCK),
5435 + SND_PCI_QUIRK(0x17aa, 0x2214, "Thinkpad X240", ALC292_FIXUP_TPT440_DOCK),
5436 + SND_PCI_QUIRK(0x17aa, 0x2215, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
5437 ++ SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK),
5438 + SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
5439 + SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
5440 ++ SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC293_FIXUP_LENOVO_SPK_NOISE),
5441 ++ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
5442 ++ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
5443 + SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
5444 + SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
5445 + SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
5446 +@@ -5317,6 +5486,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
5447 + SND_PCI_QUIRK(0x17aa, 0x5034, "Thinkpad T450", ALC292_FIXUP_TPT440_DOCK),
5448 + SND_PCI_QUIRK(0x17aa, 0x5036, "Thinkpad T450s", ALC292_FIXUP_TPT440_DOCK),
5449 + SND_PCI_QUIRK(0x17aa, 0x503c, "Thinkpad L450", ALC292_FIXUP_TPT440_DOCK),
5450 ++ SND_PCI_QUIRK(0x17aa, 0x504b, "Thinkpad", ALC293_FIXUP_LENOVO_SPK_NOISE),
5451 + SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
5452 + SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),
5453 + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
5454 +@@ -5397,6 +5567,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = {
5455 + {.id = ALC283_FIXUP_CHROME_BOOK, .name = "alc283-dac-wcaps"},
5456 + {.id = ALC283_FIXUP_SENSE_COMBO_JACK, .name = "alc283-sense-combo"},
5457 + {.id = ALC292_FIXUP_TPT440_DOCK, .name = "tpt440-dock"},
5458 ++ {.id = ALC292_FIXUP_TPT440, .name = "tpt440"},
5459 + {}
5460 + };
5461 +
5462 +@@ -5466,6 +5637,10 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
5463 + {0x21, 0x02211040}),
5464 + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
5465 + {0x12, 0x90a60170},
5466 ++ {0x14, 0x90171130},
5467 ++ {0x21, 0x02211040}),
5468 ++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
5469 ++ {0x12, 0x90a60170},
5470 + {0x14, 0x90170140},
5471 + {0x21, 0x02211050}),
5472 + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5548", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
5473 +@@ -6383,6 +6558,7 @@ static const struct hda_fixup alc662_fixups[] = {
5474 + static const struct snd_pci_quirk alc662_fixup_tbl[] = {
5475 + SND_PCI_QUIRK(0x1019, 0x9087, "ECS", ALC662_FIXUP_ASUS_MODE2),
5476 + SND_PCI_QUIRK(0x1025, 0x022f, "Acer Aspire One", ALC662_FIXUP_INV_DMIC),
5477 ++ SND_PCI_QUIRK(0x1025, 0x0241, "Packard Bell DOTS", ALC662_FIXUP_INV_DMIC),
5478 + SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire 8942G", ALC662_FIXUP_ASPIRE),
5479 + SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE),
5480 + SND_PCI_QUIRK(0x1025, 0x0349, "eMachines eM250", ALC662_FIXUP_INV_DMIC),
5481 +@@ -6400,6 +6576,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
5482 + SND_PCI_QUIRK(0x1028, 0x069f, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
5483 + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
5484 + SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A),
5485 ++ SND_PCI_QUIRK(0x1043, 0x13df, "Asus N550JX", ALC662_FIXUP_BASS_1A),
5486 + SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_MODE4_CHMAP),
5487 + SND_PCI_QUIRK(0x1043, 0x15a7, "ASUS UX51VZH", ALC662_FIXUP_BASS_16),
5488 + SND_PCI_QUIRK(0x1043, 0x1b73, "ASUS N55SF", ALC662_FIXUP_BASS_16),
5489 +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
5490 +index def5cc8dff02..14a62b8117fd 100644
5491 +--- a/sound/pci/hda/patch_sigmatel.c
5492 ++++ b/sound/pci/hda/patch_sigmatel.c
5493 +@@ -702,6 +702,7 @@ static bool hp_bnb2011_with_dock(struct hda_codec *codec)
5494 + static bool hp_blike_system(u32 subsystem_id)
5495 + {
5496 + switch (subsystem_id) {
5497 ++ case 0x103c1473: /* HP ProBook 6550b */
5498 + case 0x103c1520:
5499 + case 0x103c1521:
5500 + case 0x103c1523:
5501 +@@ -3109,6 +3110,29 @@ static void stac92hd71bxx_fixup_hp_hdx(struct hda_codec *codec,
5502 + spec->gpio_led = 0x08;
5503 + }
5504 +
5505 ++static bool is_hp_output(struct hda_codec *codec, hda_nid_t pin)
5506 ++{
5507 ++ unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, pin);
5508 ++
5509 ++ /* count line-out, too, as BIOS sets often so */
5510 ++ return get_defcfg_connect(pin_cfg) != AC_JACK_PORT_NONE &&
5511 ++ (get_defcfg_device(pin_cfg) == AC_JACK_LINE_OUT ||
5512 ++ get_defcfg_device(pin_cfg) == AC_JACK_HP_OUT);
5513 ++}
5514 ++
5515 ++static void fixup_hp_headphone(struct hda_codec *codec, hda_nid_t pin)
5516 ++{
5517 ++ unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, pin);
5518 ++
5519 ++ /* It was changed in the BIOS to just satisfy MS DTM.
5520 ++ * Lets turn it back into slaved HP
5521 ++ */
5522 ++ pin_cfg = (pin_cfg & (~AC_DEFCFG_DEVICE)) |
5523 ++ (AC_JACK_HP_OUT << AC_DEFCFG_DEVICE_SHIFT);
5524 ++ pin_cfg = (pin_cfg & (~(AC_DEFCFG_DEF_ASSOC | AC_DEFCFG_SEQUENCE))) |
5525 ++ 0x1f;
5526 ++ snd_hda_codec_set_pincfg(codec, pin, pin_cfg);
5527 ++}
5528 +
5529 + static void stac92hd71bxx_fixup_hp(struct hda_codec *codec,
5530 + const struct hda_fixup *fix, int action)
5531 +@@ -3118,22 +3142,12 @@ static void stac92hd71bxx_fixup_hp(struct hda_codec *codec,
5532 + if (action != HDA_FIXUP_ACT_PRE_PROBE)
5533 + return;
5534 +
5535 +- if (hp_blike_system(codec->core.subsystem_id)) {
5536 +- unsigned int pin_cfg = snd_hda_codec_get_pincfg(codec, 0x0f);
5537 +- if (get_defcfg_device(pin_cfg) == AC_JACK_LINE_OUT ||
5538 +- get_defcfg_device(pin_cfg) == AC_JACK_SPEAKER ||
5539 +- get_defcfg_device(pin_cfg) == AC_JACK_HP_OUT) {
5540 +- /* It was changed in the BIOS to just satisfy MS DTM.
5541 +- * Lets turn it back into slaved HP
5542 +- */
5543 +- pin_cfg = (pin_cfg & (~AC_DEFCFG_DEVICE))
5544 +- | (AC_JACK_HP_OUT <<
5545 +- AC_DEFCFG_DEVICE_SHIFT);
5546 +- pin_cfg = (pin_cfg & (~(AC_DEFCFG_DEF_ASSOC
5547 +- | AC_DEFCFG_SEQUENCE)))
5548 +- | 0x1f;
5549 +- snd_hda_codec_set_pincfg(codec, 0x0f, pin_cfg);
5550 +- }
5551 ++ /* when both output A and F are assigned, these are supposedly
5552 ++ * dock and built-in headphones; fix both pin configs
5553 ++ */
5554 ++ if (is_hp_output(codec, 0x0a) && is_hp_output(codec, 0x0f)) {
5555 ++ fixup_hp_headphone(codec, 0x0a);
5556 ++ fixup_hp_headphone(codec, 0x0f);
5557 + }
5558 +
5559 + if (find_mute_led_cfg(codec, 1))
5560 +diff --git a/sound/pci/rme96.c b/sound/pci/rme96.c
5561 +index 2306ccf7281e..77c963ced67a 100644
5562 +--- a/sound/pci/rme96.c
5563 ++++ b/sound/pci/rme96.c
5564 +@@ -741,10 +741,11 @@ snd_rme96_playback_setrate(struct rme96 *rme96,
5565 + {
5566 + /* change to/from double-speed: reset the DAC (if available) */
5567 + snd_rme96_reset_dac(rme96);
5568 ++ return 1; /* need to restore volume */
5569 + } else {
5570 + writel(rme96->wcreg, rme96->iobase + RME96_IO_CONTROL_REGISTER);
5571 ++ return 0;
5572 + }
5573 +- return 0;
5574 + }
5575 +
5576 + static int
5577 +@@ -980,6 +981,7 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream,
5578 + struct rme96 *rme96 = snd_pcm_substream_chip(substream);
5579 + struct snd_pcm_runtime *runtime = substream->runtime;
5580 + int err, rate, dummy;
5581 ++ bool apply_dac_volume = false;
5582 +
5583 + runtime->dma_area = (void __force *)(rme96->iobase +
5584 + RME96_IO_PLAY_BUFFER);
5585 +@@ -993,24 +995,26 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream,
5586 + {
5587 + /* slave clock */
5588 + if ((int)params_rate(params) != rate) {
5589 +- spin_unlock_irq(&rme96->lock);
5590 +- return -EIO;
5591 +- }
5592 +- } else if ((err = snd_rme96_playback_setrate(rme96, params_rate(params))) < 0) {
5593 +- spin_unlock_irq(&rme96->lock);
5594 +- return err;
5595 +- }
5596 +- if ((err = snd_rme96_playback_setformat(rme96, params_format(params))) < 0) {
5597 +- spin_unlock_irq(&rme96->lock);
5598 +- return err;
5599 ++ err = -EIO;
5600 ++ goto error;
5601 ++ }
5602 ++ } else {
5603 ++ err = snd_rme96_playback_setrate(rme96, params_rate(params));
5604 ++ if (err < 0)
5605 ++ goto error;
5606 ++ apply_dac_volume = err > 0; /* need to restore volume later? */
5607 + }
5608 ++
5609 ++ err = snd_rme96_playback_setformat(rme96, params_format(params));
5610 ++ if (err < 0)
5611 ++ goto error;
5612 + snd_rme96_setframelog(rme96, params_channels(params), 1);
5613 + if (rme96->capture_periodsize != 0) {
5614 + if (params_period_size(params) << rme96->playback_frlog !=
5615 + rme96->capture_periodsize)
5616 + {
5617 +- spin_unlock_irq(&rme96->lock);
5618 +- return -EBUSY;
5619 ++ err = -EBUSY;
5620 ++ goto error;
5621 + }
5622 + }
5623 + rme96->playback_periodsize =
5624 +@@ -1021,9 +1025,16 @@ snd_rme96_playback_hw_params(struct snd_pcm_substream *substream,
5625 + rme96->wcreg &= ~(RME96_WCR_PRO | RME96_WCR_DOLBY | RME96_WCR_EMP);
5626 + writel(rme96->wcreg |= rme96->wcreg_spdif_stream, rme96->iobase + RME96_IO_CONTROL_REGISTER);
5627 + }
5628 ++
5629 ++ err = 0;
5630 ++ error:
5631 + spin_unlock_irq(&rme96->lock);
5632 +-
5633 +- return 0;
5634 ++ if (apply_dac_volume) {
5635 ++ usleep_range(3000, 10000);
5636 ++ snd_rme96_apply_dac_volume(rme96);
5637 ++ }
5638 ++
5639 ++ return err;
5640 + }
5641 +
5642 + static int
5643 +diff --git a/sound/soc/codecs/arizona.c b/sound/soc/codecs/arizona.c
5644 +index 8a2221ab3d10..a3c8e734ff2f 100644
5645 +--- a/sound/soc/codecs/arizona.c
5646 ++++ b/sound/soc/codecs/arizona.c
5647 +@@ -1499,7 +1499,7 @@ static int arizona_hw_params(struct snd_pcm_substream *substream,
5648 + bool reconfig;
5649 + unsigned int aif_tx_state, aif_rx_state;
5650 +
5651 +- if (params_rate(params) % 8000)
5652 ++ if (params_rate(params) % 4000)
5653 + rates = &arizona_44k1_bclk_rates[0];
5654 + else
5655 + rates = &arizona_48k_bclk_rates[0];
5656 +diff --git a/sound/soc/codecs/es8328.c b/sound/soc/codecs/es8328.c
5657 +index 6a091016e0fc..fb7b61faeac5 100644
5658 +--- a/sound/soc/codecs/es8328.c
5659 ++++ b/sound/soc/codecs/es8328.c
5660 +@@ -85,7 +85,15 @@ static const DECLARE_TLV_DB_SCALE(pga_tlv, 0, 300, 0);
5661 + static const DECLARE_TLV_DB_SCALE(bypass_tlv, -1500, 300, 0);
5662 + static const DECLARE_TLV_DB_SCALE(mic_tlv, 0, 300, 0);
5663 +
5664 +-static const int deemph_settings[] = { 0, 32000, 44100, 48000 };
5665 ++static const struct {
5666 ++ int rate;
5667 ++ unsigned int val;
5668 ++} deemph_settings[] = {
5669 ++ { 0, ES8328_DACCONTROL6_DEEMPH_OFF },
5670 ++ { 32000, ES8328_DACCONTROL6_DEEMPH_32k },
5671 ++ { 44100, ES8328_DACCONTROL6_DEEMPH_44_1k },
5672 ++ { 48000, ES8328_DACCONTROL6_DEEMPH_48k },
5673 ++};
5674 +
5675 + static int es8328_set_deemph(struct snd_soc_codec *codec)
5676 + {
5677 +@@ -97,21 +105,22 @@ static int es8328_set_deemph(struct snd_soc_codec *codec)
5678 + * rate.
5679 + */
5680 + if (es8328->deemph) {
5681 +- best = 1;
5682 +- for (i = 2; i < ARRAY_SIZE(deemph_settings); i++) {
5683 +- if (abs(deemph_settings[i] - es8328->playback_fs) <
5684 +- abs(deemph_settings[best] - es8328->playback_fs))
5685 ++ best = 0;
5686 ++ for (i = 1; i < ARRAY_SIZE(deemph_settings); i++) {
5687 ++ if (abs(deemph_settings[i].rate - es8328->playback_fs) <
5688 ++ abs(deemph_settings[best].rate - es8328->playback_fs))
5689 + best = i;
5690 + }
5691 +
5692 +- val = best << 1;
5693 ++ val = deemph_settings[best].val;
5694 + } else {
5695 +- val = 0;
5696 ++ val = ES8328_DACCONTROL6_DEEMPH_OFF;
5697 + }
5698 +
5699 + dev_dbg(codec->dev, "Set deemphasis %d\n", val);
5700 +
5701 +- return snd_soc_update_bits(codec, ES8328_DACCONTROL6, 0x6, val);
5702 ++ return snd_soc_update_bits(codec, ES8328_DACCONTROL6,
5703 ++ ES8328_DACCONTROL6_DEEMPH_MASK, val);
5704 + }
5705 +
5706 + static int es8328_get_deemph(struct snd_kcontrol *kcontrol,
5707 +diff --git a/sound/soc/codecs/es8328.h b/sound/soc/codecs/es8328.h
5708 +index cb36afe10c0e..156c748c89c7 100644
5709 +--- a/sound/soc/codecs/es8328.h
5710 ++++ b/sound/soc/codecs/es8328.h
5711 +@@ -153,6 +153,7 @@ int es8328_probe(struct device *dev, struct regmap *regmap);
5712 + #define ES8328_DACCONTROL6_CLICKFREE (1 << 3)
5713 + #define ES8328_DACCONTROL6_DAC_INVR (1 << 4)
5714 + #define ES8328_DACCONTROL6_DAC_INVL (1 << 5)
5715 ++#define ES8328_DACCONTROL6_DEEMPH_MASK (3 << 6)
5716 + #define ES8328_DACCONTROL6_DEEMPH_OFF (0 << 6)
5717 + #define ES8328_DACCONTROL6_DEEMPH_32k (1 << 6)
5718 + #define ES8328_DACCONTROL6_DEEMPH_44_1k (2 << 6)
5719 +diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
5720 +index bd9365885f73..2088dfa0612d 100644
5721 +--- a/sound/soc/codecs/rt286.c
5722 ++++ b/sound/soc/codecs/rt286.c
5723 +@@ -38,7 +38,7 @@
5724 + #define RT288_VENDOR_ID 0x10ec0288
5725 +
5726 + struct rt286_priv {
5727 +- const struct reg_default *index_cache;
5728 ++ struct reg_default *index_cache;
5729 + int index_cache_size;
5730 + struct regmap *regmap;
5731 + struct snd_soc_codec *codec;
5732 +@@ -1161,7 +1161,11 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
5733 + return -ENODEV;
5734 + }
5735 +
5736 +- rt286->index_cache = rt286_index_def;
5737 ++ rt286->index_cache = devm_kmemdup(&i2c->dev, rt286_index_def,
5738 ++ sizeof(rt286_index_def), GFP_KERNEL);
5739 ++ if (!rt286->index_cache)
5740 ++ return -ENOMEM;
5741 ++
5742 + rt286->index_cache_size = INDEX_CACHE_SIZE;
5743 + rt286->i2c = i2c;
5744 + i2c_set_clientdata(i2c, rt286);
5745 +diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c
5746 +index 9756578fc752..8b4a56f538ea 100644
5747 +--- a/sound/soc/codecs/wm5110.c
5748 ++++ b/sound/soc/codecs/wm5110.c
5749 +@@ -354,15 +354,13 @@ static int wm5110_hp_ev(struct snd_soc_dapm_widget *w,
5750 +
5751 + static int wm5110_clear_pga_volume(struct arizona *arizona, int output)
5752 + {
5753 +- struct reg_sequence clear_pga = {
5754 +- ARIZONA_OUTPUT_PATH_CONFIG_1L + output * 4, 0x80
5755 +- };
5756 ++ unsigned int reg = ARIZONA_OUTPUT_PATH_CONFIG_1L + output * 4;
5757 + int ret;
5758 +
5759 +- ret = regmap_multi_reg_write_bypassed(arizona->regmap, &clear_pga, 1);
5760 ++ ret = regmap_write(arizona->regmap, reg, 0x80);
5761 + if (ret)
5762 + dev_err(arizona->dev, "Failed to clear PGA (0x%x): %d\n",
5763 +- clear_pga.reg, ret);
5764 ++ reg, ret);
5765 +
5766 + return ret;
5767 + }
5768 +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
5769 +index 39ebd7bf4f53..a7e79784fc16 100644
5770 +--- a/sound/soc/codecs/wm8962.c
5771 ++++ b/sound/soc/codecs/wm8962.c
5772 +@@ -365,8 +365,8 @@ static const struct reg_default wm8962_reg[] = {
5773 + { 16924, 0x0059 }, /* R16924 - HDBASS_PG_1 */
5774 + { 16925, 0x999A }, /* R16925 - HDBASS_PG_0 */
5775 +
5776 +- { 17048, 0x0083 }, /* R17408 - HPF_C_1 */
5777 +- { 17049, 0x98AD }, /* R17409 - HPF_C_0 */
5778 ++ { 17408, 0x0083 }, /* R17408 - HPF_C_1 */
5779 ++ { 17409, 0x98AD }, /* R17409 - HPF_C_0 */
5780 +
5781 + { 17920, 0x007F }, /* R17920 - ADCL_RETUNE_C1_1 */
5782 + { 17921, 0xFFFF }, /* R17921 - ADCL_RETUNE_C1_0 */
5783 +diff --git a/sound/soc/codecs/wm8974.c b/sound/soc/codecs/wm8974.c
5784 +index 0a60677397b3..4c29bd2ae75c 100644
5785 +--- a/sound/soc/codecs/wm8974.c
5786 ++++ b/sound/soc/codecs/wm8974.c
5787 +@@ -574,6 +574,7 @@ static const struct regmap_config wm8974_regmap = {
5788 + .max_register = WM8974_MONOMIX,
5789 + .reg_defaults = wm8974_reg_defaults,
5790 + .num_reg_defaults = ARRAY_SIZE(wm8974_reg_defaults),
5791 ++ .cache_type = REGCACHE_FLAT,
5792 + };
5793 +
5794 + static int wm8974_probe(struct snd_soc_codec *codec)
5795 +diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c
5796 +index 7d45d98a861f..226b3606e8a4 100644
5797 +--- a/sound/soc/davinci/davinci-mcasp.c
5798 ++++ b/sound/soc/davinci/davinci-mcasp.c
5799 +@@ -222,8 +222,8 @@ static void mcasp_start_tx(struct davinci_mcasp *mcasp)
5800 +
5801 + /* wait for XDATA to be cleared */
5802 + cnt = 0;
5803 +- while (!(mcasp_get_reg(mcasp, DAVINCI_MCASP_TXSTAT_REG) &
5804 +- ~XRDATA) && (cnt < 100000))
5805 ++ while ((mcasp_get_reg(mcasp, DAVINCI_MCASP_TXSTAT_REG) & XRDATA) &&
5806 ++ (cnt < 100000))
5807 + cnt++;
5808 +
5809 + /* Release TX state machine */
5810 +diff --git a/sound/soc/sh/rcar/gen.c b/sound/soc/sh/rcar/gen.c
5811 +index f04d17bc6e3d..916b38d54fda 100644
5812 +--- a/sound/soc/sh/rcar/gen.c
5813 ++++ b/sound/soc/sh/rcar/gen.c
5814 +@@ -231,7 +231,7 @@ static int rsnd_gen2_probe(struct platform_device *pdev,
5815 + RSND_GEN_S_REG(SCU_SYS_STATUS0, 0x1c8),
5816 + RSND_GEN_S_REG(SCU_SYS_INT_EN0, 0x1cc),
5817 + RSND_GEN_S_REG(SCU_SYS_STATUS1, 0x1d0),
5818 +- RSND_GEN_S_REG(SCU_SYS_INT_EN1, 0x1c4),
5819 ++ RSND_GEN_S_REG(SCU_SYS_INT_EN1, 0x1d4),
5820 + RSND_GEN_M_REG(SRC_SWRSR, 0x200, 0x40),
5821 + RSND_GEN_M_REG(SRC_SRCIR, 0x204, 0x40),
5822 + RSND_GEN_M_REG(SRC_ADINR, 0x214, 0x40),
5823 +diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
5824 +index 025c38fbe3c0..1874cf0e6cab 100644
5825 +--- a/sound/soc/soc-compress.c
5826 ++++ b/sound/soc/soc-compress.c
5827 +@@ -623,6 +623,7 @@ int soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num)
5828 + struct snd_pcm *be_pcm;
5829 + char new_name[64];
5830 + int ret = 0, direction = 0;
5831 ++ int playback = 0, capture = 0;
5832 +
5833 + if (rtd->num_codecs > 1) {
5834 + dev_err(rtd->card->dev, "Multicodec not supported for compressed stream\n");
5835 +@@ -634,11 +635,27 @@ int soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num)
5836 + rtd->dai_link->stream_name, codec_dai->name, num);
5837 +
5838 + if (codec_dai->driver->playback.channels_min)
5839 ++ playback = 1;
5840 ++ if (codec_dai->driver->capture.channels_min)
5841 ++ capture = 1;
5842 ++
5843 ++ capture = capture && cpu_dai->driver->capture.channels_min;
5844 ++ playback = playback && cpu_dai->driver->playback.channels_min;
5845 ++
5846 ++ /*
5847 ++ * Compress devices are unidirectional so only one of the directions
5848 ++ * should be set, check for that (xor)
5849 ++ */
5850 ++ if (playback + capture != 1) {
5851 ++ dev_err(rtd->card->dev, "Invalid direction for compress P %d, C %d\n",
5852 ++ playback, capture);
5853 ++ return -EINVAL;
5854 ++ }
5855 ++
5856 ++ if(playback)
5857 + direction = SND_COMPRESS_PLAYBACK;
5858 +- else if (codec_dai->driver->capture.channels_min)
5859 +- direction = SND_COMPRESS_CAPTURE;
5860 + else
5861 +- return -EINVAL;
5862 ++ direction = SND_COMPRESS_CAPTURE;
5863 +
5864 + compr = kzalloc(sizeof(*compr), GFP_KERNEL);
5865 + if (compr == NULL) {
5866 +diff --git a/sound/usb/card.c b/sound/usb/card.c
5867 +index 18f56646ce86..1f09d9591276 100644
5868 +--- a/sound/usb/card.c
5869 ++++ b/sound/usb/card.c
5870 +@@ -675,6 +675,8 @@ int snd_usb_autoresume(struct snd_usb_audio *chip)
5871 +
5872 + void snd_usb_autosuspend(struct snd_usb_audio *chip)
5873 + {
5874 ++ if (atomic_read(&chip->shutdown))
5875 ++ return;
5876 + if (atomic_dec_and_test(&chip->active))
5877 + usb_autopm_put_interface(chip->pm_intf);
5878 + }
5879 +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
5880 +index f494dced3c11..4f85757009b3 100644
5881 +--- a/sound/usb/mixer.c
5882 ++++ b/sound/usb/mixer.c
5883 +@@ -1354,6 +1354,8 @@ static void build_feature_ctl(struct mixer_build *state, void *raw_desc,
5884 + }
5885 + }
5886 +
5887 ++ snd_usb_mixer_fu_apply_quirk(state->mixer, cval, unitid, kctl);
5888 ++
5889 + range = (cval->max - cval->min) / cval->res;
5890 + /*
5891 + * Are there devices with volume range more than 255? I use a bit more
5892 +diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c
5893 +index 6a803eff87f7..ddca6547399b 100644
5894 +--- a/sound/usb/mixer_maps.c
5895 ++++ b/sound/usb/mixer_maps.c
5896 +@@ -348,13 +348,6 @@ static struct usbmix_name_map bose_companion5_map[] = {
5897 + { 0 } /* terminator */
5898 + };
5899 +
5900 +-/* Dragonfly DAC 1.2, the dB conversion factor is 1 instead of 256 */
5901 +-static struct usbmix_dB_map dragonfly_1_2_dB = {0, 5000};
5902 +-static struct usbmix_name_map dragonfly_1_2_map[] = {
5903 +- { 7, NULL, .dB = &dragonfly_1_2_dB },
5904 +- { 0 } /* terminator */
5905 +-};
5906 +-
5907 + /*
5908 + * Control map entries
5909 + */
5910 +@@ -470,11 +463,6 @@ static struct usbmix_ctl_map usbmix_ctl_maps[] = {
5911 + .id = USB_ID(0x05a7, 0x1020),
5912 + .map = bose_companion5_map,
5913 + },
5914 +- {
5915 +- /* Dragonfly DAC 1.2 */
5916 +- .id = USB_ID(0x21b4, 0x0081),
5917 +- .map = dragonfly_1_2_map,
5918 +- },
5919 + { 0 } /* terminator */
5920 + };
5921 +
5922 +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
5923 +index d3608c0a29f3..4aeccd78e5dc 100644
5924 +--- a/sound/usb/mixer_quirks.c
5925 ++++ b/sound/usb/mixer_quirks.c
5926 +@@ -37,6 +37,7 @@
5927 + #include <sound/control.h>
5928 + #include <sound/hwdep.h>
5929 + #include <sound/info.h>
5930 ++#include <sound/tlv.h>
5931 +
5932 + #include "usbaudio.h"
5933 + #include "mixer.h"
5934 +@@ -792,7 +793,7 @@ static int snd_nativeinstruments_control_put(struct snd_kcontrol *kcontrol,
5935 + return 0;
5936 +
5937 + kcontrol->private_value &= ~(0xff << 24);
5938 +- kcontrol->private_value |= newval;
5939 ++ kcontrol->private_value |= (unsigned int)newval << 24;
5940 + err = snd_ni_update_cur_val(list);
5941 + return err < 0 ? err : 1;
5942 + }
5943 +@@ -1825,3 +1826,39 @@ void snd_usb_mixer_rc_memory_change(struct usb_mixer_interface *mixer,
5944 + }
5945 + }
5946 +
5947 ++static void snd_dragonfly_quirk_db_scale(struct usb_mixer_interface *mixer,
5948 ++ struct snd_kcontrol *kctl)
5949 ++{
5950 ++ /* Approximation using 10 ranges based on output measurement on hw v1.2.
5951 ++ * This seems close to the cubic mapping e.g. alsamixer uses. */
5952 ++ static const DECLARE_TLV_DB_RANGE(scale,
5953 ++ 0, 1, TLV_DB_MINMAX_ITEM(-5300, -4970),
5954 ++ 2, 5, TLV_DB_MINMAX_ITEM(-4710, -4160),
5955 ++ 6, 7, TLV_DB_MINMAX_ITEM(-3884, -3710),
5956 ++ 8, 14, TLV_DB_MINMAX_ITEM(-3443, -2560),
5957 ++ 15, 16, TLV_DB_MINMAX_ITEM(-2475, -2324),
5958 ++ 17, 19, TLV_DB_MINMAX_ITEM(-2228, -2031),
5959 ++ 20, 26, TLV_DB_MINMAX_ITEM(-1910, -1393),
5960 ++ 27, 31, TLV_DB_MINMAX_ITEM(-1322, -1032),
5961 ++ 32, 40, TLV_DB_MINMAX_ITEM(-968, -490),
5962 ++ 41, 50, TLV_DB_MINMAX_ITEM(-441, 0),
5963 ++ );
5964 ++
5965 ++ usb_audio_info(mixer->chip, "applying DragonFly dB scale quirk\n");
5966 ++ kctl->tlv.p = scale;
5967 ++ kctl->vd[0].access |= SNDRV_CTL_ELEM_ACCESS_TLV_READ;
5968 ++ kctl->vd[0].access &= ~SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK;
5969 ++}
5970 ++
5971 ++void snd_usb_mixer_fu_apply_quirk(struct usb_mixer_interface *mixer,
5972 ++ struct usb_mixer_elem_info *cval, int unitid,
5973 ++ struct snd_kcontrol *kctl)
5974 ++{
5975 ++ switch (mixer->chip->usb_id) {
5976 ++ case USB_ID(0x21b4, 0x0081): /* AudioQuest DragonFly */
5977 ++ if (unitid == 7 && cval->min == 0 && cval->max == 50)
5978 ++ snd_dragonfly_quirk_db_scale(mixer, kctl);
5979 ++ break;
5980 ++ }
5981 ++}
5982 ++
5983 +diff --git a/sound/usb/mixer_quirks.h b/sound/usb/mixer_quirks.h
5984 +index bdbfab093816..177c329cd4dd 100644
5985 +--- a/sound/usb/mixer_quirks.h
5986 ++++ b/sound/usb/mixer_quirks.h
5987 +@@ -9,5 +9,9 @@ void snd_emuusb_set_samplerate(struct snd_usb_audio *chip,
5988 + void snd_usb_mixer_rc_memory_change(struct usb_mixer_interface *mixer,
5989 + int unitid);
5990 +
5991 ++void snd_usb_mixer_fu_apply_quirk(struct usb_mixer_interface *mixer,
5992 ++ struct usb_mixer_elem_info *cval, int unitid,
5993 ++ struct snd_kcontrol *kctl);
5994 ++
5995 + #endif /* SND_USB_MIXER_QUIRKS_H */
5996 +
5997 +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
5998 +index eef9b8e4b949..fb9a8a5787a6 100644
5999 +--- a/sound/usb/quirks.c
6000 ++++ b/sound/usb/quirks.c
6001 +@@ -1122,6 +1122,7 @@ bool snd_usb_get_sample_rate_quirk(struct snd_usb_audio *chip)
6002 + case USB_ID(0x045E, 0x0779): /* MS Lifecam HD-3000 */
6003 + case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
6004 + case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
6005 ++ case USB_ID(0x21B4, 0x0081): /* AudioQuest DragonFly */
6006 + return true;
6007 + }
6008 + return false;
6009 +@@ -1265,6 +1266,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip,
6010 + case USB_ID(0x20b1, 0x3008): /* iFi Audio micro/nano iDSD */
6011 + case USB_ID(0x20b1, 0x2008): /* Matrix Audio X-Sabre */
6012 + case USB_ID(0x20b1, 0x300a): /* Matrix Audio Mini-i Pro */
6013 ++ case USB_ID(0x22d8, 0x0416): /* OPPO HA-1*/
6014 + if (fp->altsetting == 2)
6015 + return SNDRV_PCM_FMTBIT_DSD_U32_BE;
6016 + break;
Report Message
Find on MARC Find on Google Groups