commit: 316f136dd790037a552e77ba0ef96b8aa00e9493 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Wed May 2 16:14:20 2018 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Wed May 2 16:14:20 2018 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=316f136d
Linux patch 4.14.39 0000_README | 4 + 1038_linux-4.14.39.patch | 3551 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 3555 insertions(+) diff --git a/0000_README b/0000_README index 03b1461..648c705 100644 --- a/0000_README +++ b/0000_README @@ -195,6 +195,10 @@ Patch: 1037_linux-4.14.38.patch From: http://www.kernel.org Desc: Linux 4.14.38 +Patch: 1038_linux-4.14.39.patch +From: http://www.kernel.org +Desc: Linux 4.14.39 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1038_linux-4.14.39.patch b/1038_linux-4.14.39.patch new file mode 100644 index 0000000..f7760eb --- /dev/null +++ b/1038_linux-4.14.39.patch @@ -0,0 +1,3551 @@ +diff --git a/Documentation/virtual/kvm/api.txt b/Documentation/virtual/kvm/api.txt +index 0f9089416b4c..88ad78c6f605 100644 +--- a/Documentation/virtual/kvm/api.txt ++++ b/Documentation/virtual/kvm/api.txt +@@ -1940,6 +1940,9 @@ ARM 32-bit VFP control registers have the following id bit patterns: + ARM 64-bit FP registers have the following id bit patterns: + 0x4030 0000 0012 0 <regno:12> + ++ARM firmware pseudo-registers have the following bit pattern: ++ 0x4030 0000 0014 <regno:16> ++ + + arm64 registers are mapped using the lower 32 bits. The upper 16 of + that is the register group type, or coprocessor number: +@@ -1956,6 +1959,9 @@ arm64 CCSIDR registers are demultiplexed by CSSELR value: + arm64 system registers have the following id bit patterns: + 0x6030 0000 0013 <op0:2> <op1:3> <crn:4> <crm:4> <op2:3> + ++arm64 firmware pseudo-registers have the following bit pattern: ++ 0x6030 0000 0014 <regno:16> ++ + + MIPS registers are mapped using the lower 32 bits. The upper 16 of that is + the register group type: +@@ -2490,7 +2496,8 @@ Possible features: + and execute guest code when KVM_RUN is called. + - KVM_ARM_VCPU_EL1_32BIT: Starts the CPU in a 32bit mode. + Depends on KVM_CAP_ARM_EL1_32BIT (arm64 only). +- - KVM_ARM_VCPU_PSCI_0_2: Emulate PSCI v0.2 for the CPU. ++ - KVM_ARM_VCPU_PSCI_0_2: Emulate PSCI v0.2 (or a future revision ++ backward compatible with v0.2) for the CPU. + Depends on KVM_CAP_ARM_PSCI_0_2. + - KVM_ARM_VCPU_PMU_V3: Emulate PMUv3 for the CPU. + Depends on KVM_CAP_ARM_PMU_V3. +diff --git a/Documentation/virtual/kvm/arm/psci.txt b/Documentation/virtual/kvm/arm/psci.txt +new file mode 100644 +index 000000000000..aafdab887b04 +--- /dev/null ++++ b/Documentation/virtual/kvm/arm/psci.txt +@@ -0,0 +1,30 @@ ++KVM implements the PSCI (Power State Coordination Interface) ++specification in order to provide services such as CPU on/off, reset ++and power-off to the guest. ++ ++The PSCI specification is regularly updated to provide new features, ++and KVM implements these updates if they make sense from a virtualization ++point of view. ++ ++This means that a guest booted on two different versions of KVM can ++observe two different "firmware" revisions. This could cause issues if ++a given guest is tied to a particular PSCI revision (unlikely), or if ++a migration causes a different PSCI version to be exposed out of the ++blue to an unsuspecting guest. ++ ++In order to remedy this situation, KVM exposes a set of "firmware ++pseudo-registers" that can be manipulated using the GET/SET_ONE_REG ++interface. These registers can be saved/restored by userspace, and set ++to a convenient value if required. ++ ++The following register is defined: ++ ++* KVM_REG_ARM_PSCI_VERSION: ++ ++ - Only valid if the vcpu has the KVM_ARM_VCPU_PSCI_0_2 feature set ++ (and thus has already been initialized) ++ - Returns the current PSCI version on GET_ONE_REG (defaulting to the ++ highest PSCI version implemented by KVM and compatible with v0.2) ++ - Allows any PSCI version implemented by KVM and compatible with ++ v0.2 to be set with SET_ONE_REG ++ - Affects the whole VM (even if the register view is per-vcpu) +diff --git a/Makefile b/Makefile +index 27a8d5c37180..248b99283f71 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 38 ++SUBLEVEL = 39 + EXTRAVERSION = + NAME = Petit Gorille + +diff --git a/arch/arm/configs/socfpga_defconfig b/arch/arm/configs/socfpga_defconfig +index 2620ce790db0..371fca4e1ab7 100644 +--- a/arch/arm/configs/socfpga_defconfig ++++ b/arch/arm/configs/socfpga_defconfig +@@ -57,6 +57,7 @@ CONFIG_MTD_M25P80=y + CONFIG_MTD_NAND=y + CONFIG_MTD_NAND_DENALI_DT=y + CONFIG_MTD_SPI_NOR=y ++# CONFIG_MTD_SPI_NOR_USE_4K_SECTORS is not set + CONFIG_SPI_CADENCE_QUADSPI=y + CONFIG_OF_OVERLAY=y + CONFIG_OF_CONFIGFS=y +diff --git a/arch/arm/include/asm/kvm_host.h b/arch/arm/include/asm/kvm_host.h +index 31fbb9285f62..8f973e3b7348 100644 +--- a/arch/arm/include/asm/kvm_host.h ++++ b/arch/arm/include/asm/kvm_host.h +@@ -75,6 +75,9 @@ struct kvm_arch { + /* Interrupt controller */ + struct vgic_dist vgic; + int max_vcpus; ++ ++ /* Mandated version of PSCI */ ++ u32 psci_version; + }; + + #define KVM_NR_MEM_OBJS 40 +diff --git a/arch/arm/include/uapi/asm/kvm.h b/arch/arm/include/uapi/asm/kvm.h +index 1f57bbe82b6f..df24fc8da1bc 100644 +--- a/arch/arm/include/uapi/asm/kvm.h ++++ b/arch/arm/include/uapi/asm/kvm.h +@@ -180,6 +180,12 @@ struct kvm_arch_memory_slot { + #define KVM_REG_ARM_VFP_FPINST 0x1009 + #define KVM_REG_ARM_VFP_FPINST2 0x100A + ++/* KVM-as-firmware specific pseudo-registers */ ++#define KVM_REG_ARM_FW (0x0014 << KVM_REG_ARM_COPROC_SHIFT) ++#define KVM_REG_ARM_FW_REG(r) (KVM_REG_ARM | KVM_REG_SIZE_U64 | \ ++ KVM_REG_ARM_FW | ((r) & 0xffff)) ++#define KVM_REG_ARM_PSCI_VERSION KVM_REG_ARM_FW_REG(0) ++ + /* Device Control API: ARM VGIC */ + #define KVM_DEV_ARM_VGIC_GRP_ADDR 0 + #define KVM_DEV_ARM_VGIC_GRP_DIST_REGS 1 +diff --git a/arch/arm/kvm/guest.c b/arch/arm/kvm/guest.c +index 1e0784ebbfd6..a18f33edc471 100644 +--- a/arch/arm/kvm/guest.c ++++ b/arch/arm/kvm/guest.c +@@ -22,6 +22,7 @@ + #include <linux/module.h> + #include <linux/vmalloc.h> + #include <linux/fs.h> ++#include <kvm/arm_psci.h> + #include <asm/cputype.h> + #include <linux/uaccess.h> + #include <asm/kvm.h> +@@ -176,6 +177,7 @@ static unsigned long num_core_regs(void) + unsigned long kvm_arm_num_regs(struct kvm_vcpu *vcpu) + { + return num_core_regs() + kvm_arm_num_coproc_regs(vcpu) ++ + kvm_arm_get_fw_num_regs(vcpu) + + NUM_TIMER_REGS; + } + +@@ -196,6 +198,11 @@ int kvm_arm_copy_reg_indices(struct kvm_vcpu *vcpu, u64 __user *uindices) + uindices++; + } + ++ ret = kvm_arm_copy_fw_reg_indices(vcpu, uindices); ++ if (ret) ++ return ret; ++ uindices += kvm_arm_get_fw_num_regs(vcpu); ++ + ret = copy_timer_indices(vcpu, uindices); + if (ret) + return ret; +@@ -214,6 +221,9 @@ int kvm_arm_get_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) + if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_CORE) + return get_core_reg(vcpu, reg); + ++ if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_FW) ++ return kvm_arm_get_fw_reg(vcpu, reg); ++ + if (is_timer_reg(reg->id)) + return get_timer_reg(vcpu, reg); + +@@ -230,6 +240,9 @@ int kvm_arm_set_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) + if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_CORE) + return set_core_reg(vcpu, reg); + ++ if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_FW) ++ return kvm_arm_set_fw_reg(vcpu, reg); ++ + if (is_timer_reg(reg->id)) + return set_timer_reg(vcpu, reg); + +diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h +index 8ad208cb866c..8abec9f7f430 100644 +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -71,6 +71,9 @@ struct kvm_arch { + + /* Interrupt controller */ + struct vgic_dist vgic; ++ ++ /* Mandated version of PSCI */ ++ u32 psci_version; + }; + + #define KVM_NR_MEM_OBJS 40 +diff --git a/arch/arm64/include/uapi/asm/kvm.h b/arch/arm64/include/uapi/asm/kvm.h +index 51149ec75fe4..9f74ce5899f0 100644 +--- a/arch/arm64/include/uapi/asm/kvm.h ++++ b/arch/arm64/include/uapi/asm/kvm.h +@@ -200,6 +200,12 @@ struct kvm_arch_memory_slot { + #define KVM_REG_ARM_TIMER_CNT ARM64_SYS_REG(3, 3, 14, 3, 2) + #define KVM_REG_ARM_TIMER_CVAL ARM64_SYS_REG(3, 3, 14, 0, 2) + ++/* KVM-as-firmware specific pseudo-registers */ ++#define KVM_REG_ARM_FW (0x0014 << KVM_REG_ARM_COPROC_SHIFT) ++#define KVM_REG_ARM_FW_REG(r) (KVM_REG_ARM64 | KVM_REG_SIZE_U64 | \ ++ KVM_REG_ARM_FW | ((r) & 0xffff)) ++#define KVM_REG_ARM_PSCI_VERSION KVM_REG_ARM_FW_REG(0) ++ + /* Device Control API: ARM VGIC */ + #define KVM_DEV_ARM_VGIC_GRP_ADDR 0 + #define KVM_DEV_ARM_VGIC_GRP_DIST_REGS 1 +diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c +index 5c7f657dd207..811f04c5760e 100644 +--- a/arch/arm64/kvm/guest.c ++++ b/arch/arm64/kvm/guest.c +@@ -25,6 +25,7 @@ + #include <linux/module.h> + #include <linux/vmalloc.h> + #include <linux/fs.h> ++#include <kvm/arm_psci.h> + #include <asm/cputype.h> + #include <linux/uaccess.h> + #include <asm/kvm.h> +@@ -205,7 +206,7 @@ static int get_timer_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) + unsigned long kvm_arm_num_regs(struct kvm_vcpu *vcpu) + { + return num_core_regs() + kvm_arm_num_sys_reg_descs(vcpu) +- + NUM_TIMER_REGS; ++ + kvm_arm_get_fw_num_regs(vcpu) + NUM_TIMER_REGS; + } + + /** +@@ -225,6 +226,11 @@ int kvm_arm_copy_reg_indices(struct kvm_vcpu *vcpu, u64 __user *uindices) + uindices++; + } + ++ ret = kvm_arm_copy_fw_reg_indices(vcpu, uindices); ++ if (ret) ++ return ret; ++ uindices += kvm_arm_get_fw_num_regs(vcpu); ++ + ret = copy_timer_indices(vcpu, uindices); + if (ret) + return ret; +@@ -243,6 +249,9 @@ int kvm_arm_get_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) + if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_CORE) + return get_core_reg(vcpu, reg); + ++ if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_FW) ++ return kvm_arm_get_fw_reg(vcpu, reg); ++ + if (is_timer_reg(reg->id)) + return get_timer_reg(vcpu, reg); + +@@ -259,6 +268,9 @@ int kvm_arm_set_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) + if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_CORE) + return set_core_reg(vcpu, reg); + ++ if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_FW) ++ return kvm_arm_set_fw_reg(vcpu, reg); ++ + if (is_timer_reg(reg->id)) + return set_timer_reg(vcpu, reg); + +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index 8b840191df59..ca2243df9cb2 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -207,18 +207,18 @@ static void *eeh_report_error(void *data, void *userdata) + + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; ++ ++ device_lock(&dev->dev); + dev->error_state = pci_channel_io_frozen; + + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + eeh_disable_irq(dev); + + if (!driver->err_handler || +- !driver->err_handler->error_detected) { +- eeh_pcid_put(dev); +- return NULL; +- } ++ !driver->err_handler->error_detected) ++ goto out; + + rc = driver->err_handler->error_detected(dev, pci_channel_io_frozen); + +@@ -227,7 +227,10 @@ static void *eeh_report_error(void *data, void *userdata) + if (*res == PCI_ERS_RESULT_NONE) *res = rc; + + edev->in_error = true; ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +@@ -250,15 +253,14 @@ static void *eeh_report_mmio_enabled(void *data, void *userdata) + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; + ++ device_lock(&dev->dev); + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + if (!driver->err_handler || + !driver->err_handler->mmio_enabled || +- (edev->mode & EEH_DEV_NO_HANDLER)) { +- eeh_pcid_put(dev); +- return NULL; +- } ++ (edev->mode & EEH_DEV_NO_HANDLER)) ++ goto out; + + rc = driver->err_handler->mmio_enabled(dev); + +@@ -266,7 +268,10 @@ static void *eeh_report_mmio_enabled(void *data, void *userdata) + if (rc == PCI_ERS_RESULT_NEED_RESET) *res = rc; + if (*res == PCI_ERS_RESULT_NONE) *res = rc; + ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +@@ -289,20 +294,20 @@ static void *eeh_report_reset(void *data, void *userdata) + + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; ++ ++ device_lock(&dev->dev); + dev->error_state = pci_channel_io_normal; + + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + eeh_enable_irq(dev); + + if (!driver->err_handler || + !driver->err_handler->slot_reset || + (edev->mode & EEH_DEV_NO_HANDLER) || +- (!edev->in_error)) { +- eeh_pcid_put(dev); +- return NULL; +- } ++ (!edev->in_error)) ++ goto out; + + rc = driver->err_handler->slot_reset(dev); + if ((*res == PCI_ERS_RESULT_NONE) || +@@ -310,7 +315,10 @@ static void *eeh_report_reset(void *data, void *userdata) + if (*res == PCI_ERS_RESULT_DISCONNECT && + rc == PCI_ERS_RESULT_NEED_RESET) *res = rc; + ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +@@ -361,10 +369,12 @@ static void *eeh_report_resume(void *data, void *userdata) + + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; ++ ++ device_lock(&dev->dev); + dev->error_state = pci_channel_io_normal; + + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + was_in_error = edev->in_error; + edev->in_error = false; +@@ -374,13 +384,15 @@ static void *eeh_report_resume(void *data, void *userdata) + !driver->err_handler->resume || + (edev->mode & EEH_DEV_NO_HANDLER) || !was_in_error) { + edev->mode &= ~EEH_DEV_NO_HANDLER; +- eeh_pcid_put(dev); +- return NULL; ++ goto out; + } + + driver->err_handler->resume(dev); + ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +@@ -400,22 +412,25 @@ static void *eeh_report_failure(void *data, void *userdata) + + if (!dev || eeh_dev_removed(edev) || eeh_pe_passed(edev->pe)) + return NULL; ++ ++ device_lock(&dev->dev); + dev->error_state = pci_channel_io_perm_failure; + + driver = eeh_pcid_get(dev); +- if (!driver) return NULL; ++ if (!driver) goto out_no_dev; + + eeh_disable_irq(dev); + + if (!driver->err_handler || +- !driver->err_handler->error_detected) { +- eeh_pcid_put(dev); +- return NULL; +- } ++ !driver->err_handler->error_detected) ++ goto out; + + driver->err_handler->error_detected(dev, pci_channel_io_perm_failure); + ++out: + eeh_pcid_put(dev); ++out_no_dev: ++ device_unlock(&dev->dev); + return NULL; + } + +diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c +index 4362b86ef84c..9c2f83331e5b 100644 +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -143,6 +143,7 @@ int arch_add_memory(int nid, u64 start, u64 size, bool want_memblock) + start, start + size, rc); + return -EFAULT; + } ++ flush_inval_dcache_range(start, start + size); + + return __add_pages(nid, start_pfn, nr_pages, want_memblock); + } +@@ -171,6 +172,7 @@ int arch_remove_memory(u64 start, u64 size) + + /* Remove htab bolted mappings for this section of memory */ + start = (unsigned long)__va(start); ++ flush_inval_dcache_range(start, start + size); + ret = remove_section_mapping(start, start + size); + + /* Ensure all vmalloc mappings are flushed in case they also +diff --git a/arch/powerpc/platforms/powernv/npu-dma.c b/arch/powerpc/platforms/powernv/npu-dma.c +index 2cb6cbea4b3b..4043109f4051 100644 +--- a/arch/powerpc/platforms/powernv/npu-dma.c ++++ b/arch/powerpc/platforms/powernv/npu-dma.c +@@ -33,6 +33,13 @@ + + #define npu_to_phb(x) container_of(x, struct pnv_phb, npu) + ++/* ++ * When an address shootdown range exceeds this threshold we invalidate the ++ * entire TLB on the GPU for the given PID rather than each specific address in ++ * the range. ++ */ ++#define ATSD_THRESHOLD (2*1024*1024) ++ + /* + * Other types of TCE cache invalidation are not functional in the + * hardware. +@@ -621,11 +628,19 @@ static void pnv_npu2_mn_invalidate_range(struct mmu_notifier *mn, + struct npu_context *npu_context = mn_to_npu_context(mn); + unsigned long address; + +- for (address = start; address < end; address += PAGE_SIZE) +- mmio_invalidate(npu_context, 1, address, false); ++ if (end - start > ATSD_THRESHOLD) { ++ /* ++ * Just invalidate the entire PID if the address range is too ++ * large. ++ */ ++ mmio_invalidate(npu_context, 0, 0, true); ++ } else { ++ for (address = start; address < end; address += PAGE_SIZE) ++ mmio_invalidate(npu_context, 1, address, false); + +- /* Do the flush only on the final addess == end */ +- mmio_invalidate(npu_context, 1, address, true); ++ /* Do the flush only on the final addess == end */ ++ mmio_invalidate(npu_context, 1, address, true); ++ } + } + + static const struct mmu_notifier_ops nv_nmmu_notifier_ops = { +diff --git a/arch/powerpc/platforms/powernv/opal-rtc.c b/arch/powerpc/platforms/powernv/opal-rtc.c +index f8868864f373..aa2a5139462e 100644 +--- a/arch/powerpc/platforms/powernv/opal-rtc.c ++++ b/arch/powerpc/platforms/powernv/opal-rtc.c +@@ -48,10 +48,12 @@ unsigned long __init opal_get_boot_time(void) + + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ mdelay(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); +- else if (rc == OPAL_BUSY) +- mdelay(10); ++ } else if (rc == OPAL_BUSY) { ++ mdelay(OPAL_BUSY_DELAY_MS); ++ } + } + if (rc != OPAL_SUCCESS) + return 0; +diff --git a/arch/x86/include/uapi/asm/msgbuf.h b/arch/x86/include/uapi/asm/msgbuf.h +index 809134c644a6..90ab9a795b49 100644 +--- a/arch/x86/include/uapi/asm/msgbuf.h ++++ b/arch/x86/include/uapi/asm/msgbuf.h +@@ -1 +1,32 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ ++#ifndef __ASM_X64_MSGBUF_H ++#define __ASM_X64_MSGBUF_H ++ ++#if !defined(__x86_64__) || !defined(__ILP32__) + #include <asm-generic/msgbuf.h> ++#else ++/* ++ * The msqid64_ds structure for x86 architecture with x32 ABI. ++ * ++ * On x86-32 and x86-64 we can just use the generic definition, but ++ * x32 uses the same binary layout as x86_64, which is differnet ++ * from other 32-bit architectures. ++ */ ++ ++struct msqid64_ds { ++ struct ipc64_perm msg_perm; ++ __kernel_time_t msg_stime; /* last msgsnd time */ ++ __kernel_time_t msg_rtime; /* last msgrcv time */ ++ __kernel_time_t msg_ctime; /* last change time */ ++ __kernel_ulong_t msg_cbytes; /* current number of bytes on queue */ ++ __kernel_ulong_t msg_qnum; /* number of messages in queue */ ++ __kernel_ulong_t msg_qbytes; /* max number of bytes on queue */ ++ __kernel_pid_t msg_lspid; /* pid of last msgsnd */ ++ __kernel_pid_t msg_lrpid; /* last receive pid */ ++ __kernel_ulong_t __unused4; ++ __kernel_ulong_t __unused5; ++}; ++ ++#endif ++ ++#endif /* __ASM_GENERIC_MSGBUF_H */ +diff --git a/arch/x86/include/uapi/asm/shmbuf.h b/arch/x86/include/uapi/asm/shmbuf.h +index 83c05fc2de38..644421f3823b 100644 +--- a/arch/x86/include/uapi/asm/shmbuf.h ++++ b/arch/x86/include/uapi/asm/shmbuf.h +@@ -1 +1,43 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ ++#ifndef __ASM_X86_SHMBUF_H ++#define __ASM_X86_SHMBUF_H ++ ++#if !defined(__x86_64__) || !defined(__ILP32__) + #include <asm-generic/shmbuf.h> ++#else ++/* ++ * The shmid64_ds structure for x86 architecture with x32 ABI. ++ * ++ * On x86-32 and x86-64 we can just use the generic definition, but ++ * x32 uses the same binary layout as x86_64, which is differnet ++ * from other 32-bit architectures. ++ */ ++ ++struct shmid64_ds { ++ struct ipc64_perm shm_perm; /* operation perms */ ++ size_t shm_segsz; /* size of segment (bytes) */ ++ __kernel_time_t shm_atime; /* last attach time */ ++ __kernel_time_t shm_dtime; /* last detach time */ ++ __kernel_time_t shm_ctime; /* last change time */ ++ __kernel_pid_t shm_cpid; /* pid of creator */ ++ __kernel_pid_t shm_lpid; /* pid of last operator */ ++ __kernel_ulong_t shm_nattch; /* no. of current attaches */ ++ __kernel_ulong_t __unused4; ++ __kernel_ulong_t __unused5; ++}; ++ ++struct shminfo64 { ++ __kernel_ulong_t shmmax; ++ __kernel_ulong_t shmmin; ++ __kernel_ulong_t shmmni; ++ __kernel_ulong_t shmseg; ++ __kernel_ulong_t shmall; ++ __kernel_ulong_t __unused1; ++ __kernel_ulong_t __unused2; ++ __kernel_ulong_t __unused3; ++ __kernel_ulong_t __unused4; ++}; ++ ++#endif ++ ++#endif /* __ASM_X86_SHMBUF_H */ +diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c +index 021c90464cc2..c8e0cda0f272 100644 +--- a/arch/x86/kernel/cpu/microcode/core.c ++++ b/arch/x86/kernel/cpu/microcode/core.c +@@ -564,14 +564,12 @@ static int __reload_late(void *info) + apply_microcode_local(&err); + spin_unlock(&update_lock); + ++ /* siblings return UCODE_OK because their engine got updated already */ + if (err > UCODE_NFOUND) { + pr_warn("Error reloading microcode on CPU %d\n", cpu); +- return -1; +- /* siblings return UCODE_OK because their engine got updated already */ ++ ret = -1; + } else if (err == UCODE_UPDATED || err == UCODE_OK) { + ret = 1; +- } else { +- return ret; + } + + /* +diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c +index 32b8e5724f96..1c2cfa0644aa 100644 +--- a/arch/x86/kernel/cpu/microcode/intel.c ++++ b/arch/x86/kernel/cpu/microcode/intel.c +@@ -485,7 +485,6 @@ static void show_saved_mc(void) + */ + static void save_mc_for_early(u8 *mc, unsigned int size) + { +-#ifdef CONFIG_HOTPLUG_CPU + /* Synchronization during CPU hotplug. */ + static DEFINE_MUTEX(x86_cpu_microcode_mutex); + +@@ -495,7 +494,6 @@ static void save_mc_for_early(u8 *mc, unsigned int size) + show_saved_mc(); + + mutex_unlock(&x86_cpu_microcode_mutex); +-#endif + } + + static bool load_builtin_intel_microcode(struct cpio_data *cp) +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index 2651ca2112c4..6b841262b790 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -1613,6 +1613,8 @@ static inline void mwait_play_dead(void) + void *mwait_ptr; + int i; + ++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) ++ return; + if (!this_cpu_has(X86_FEATURE_MWAIT)) + return; + if (!this_cpu_has(X86_FEATURE_CLFLUSH)) +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index 0f860cf0d56d..56c9cd01fd1d 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -4447,8 +4447,16 @@ static void bfq_prepare_request(struct request *rq, struct bio *bio) + bool new_queue = false; + bool bfqq_already_existing = false, split = false; + +- if (!rq->elv.icq) ++ /* ++ * Even if we don't have an icq attached, we should still clear ++ * the scheduler pointers, as they might point to previously ++ * allocated bic/bfqq structs. ++ */ ++ if (!rq->elv.icq) { ++ rq->elv.priv[0] = rq->elv.priv[1] = NULL; + return; ++ } ++ + bic = icq_to_bic(rq->elv.icq); + + spin_lock_irq(&bfqd->lock); +diff --git a/crypto/drbg.c b/crypto/drbg.c +index 70018397e59a..6c3221313753 100644 +--- a/crypto/drbg.c ++++ b/crypto/drbg.c +@@ -1134,8 +1134,10 @@ static inline void drbg_dealloc_state(struct drbg_state *drbg) + if (!drbg) + return; + kzfree(drbg->Vbuf); ++ drbg->Vbuf = NULL; + drbg->V = NULL; + kzfree(drbg->Cbuf); ++ drbg->Cbuf = NULL; + drbg->C = NULL; + kzfree(drbg->scratchpadbuf); + drbg->scratchpadbuf = NULL; +diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c +index e0f74ddc22b7..8a99fbe5759f 100644 +--- a/drivers/amba/bus.c ++++ b/drivers/amba/bus.c +@@ -69,11 +69,12 @@ static ssize_t driver_override_show(struct device *_dev, + struct device_attribute *attr, char *buf) + { + struct amba_device *dev = to_amba_device(_dev); ++ ssize_t len; + +- if (!dev->driver_override) +- return 0; +- +- return sprintf(buf, "%s\n", dev->driver_override); ++ device_lock(_dev); ++ len = sprintf(buf, "%s\n", dev->driver_override); ++ device_unlock(_dev); ++ return len; + } + + static ssize_t driver_override_store(struct device *_dev, +@@ -81,9 +82,10 @@ static ssize_t driver_override_store(struct device *_dev, + const char *buf, size_t count) + { + struct amba_device *dev = to_amba_device(_dev); +- char *driver_override, *old = dev->driver_override, *cp; ++ char *driver_override, *old, *cp; + +- if (count > PATH_MAX) ++ /* We need to keep extra room for a newline */ ++ if (count >= (PAGE_SIZE - 1)) + return -EINVAL; + + driver_override = kstrndup(buf, count, GFP_KERNEL); +@@ -94,12 +96,15 @@ static ssize_t driver_override_store(struct device *_dev, + if (cp) + *cp = '\0'; + ++ device_lock(_dev); ++ old = dev->driver_override; + if (strlen(driver_override)) { + dev->driver_override = driver_override; + } else { + kfree(driver_override); + dev->driver_override = NULL; + } ++ device_unlock(_dev); + + kfree(old); + +diff --git a/drivers/android/binder.c b/drivers/android/binder.c +index b7efdc8badee..a86c27948fca 100644 +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2785,6 +2785,14 @@ static void binder_transaction(struct binder_proc *proc, + else + return_error = BR_DEAD_REPLY; + mutex_unlock(&context->context_mgr_node_lock); ++ if (target_node && target_proc == proc) { ++ binder_user_error("%d:%d got transaction to context manager from process owning it\n", ++ proc->pid, thread->pid); ++ return_error = BR_FAILED_REPLY; ++ return_error_param = -EINVAL; ++ return_error_line = __LINE__; ++ goto err_invalid_target_handle; ++ } + } + if (!target_node) { + /* +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 58a2ff7df392..ddc493d976fd 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -261,6 +261,7 @@ + #include <linux/ptrace.h> + #include <linux/workqueue.h> + #include <linux/irq.h> ++#include <linux/ratelimit.h> + #include <linux/syscalls.h> + #include <linux/completion.h> + #include <linux/uuid.h> +@@ -438,6 +439,16 @@ static void _crng_backtrack_protect(struct crng_state *crng, + static void process_random_ready_list(void); + static void _get_random_bytes(void *buf, int nbytes); + ++static struct ratelimit_state unseeded_warning = ++ RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3); ++static struct ratelimit_state urandom_warning = ++ RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3); ++ ++static int ratelimit_disable __read_mostly; ++ ++module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); ++MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); ++ + /********************************************************************** + * + * OS independent entropy store. Here are the functions which handle +@@ -787,6 +798,39 @@ static void crng_initialize(struct crng_state *crng) + crng->init_time = jiffies - CRNG_RESEED_INTERVAL - 1; + } + ++#ifdef CONFIG_NUMA ++static void do_numa_crng_init(struct work_struct *work) ++{ ++ int i; ++ struct crng_state *crng; ++ struct crng_state **pool; ++ ++ pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL); ++ for_each_online_node(i) { ++ crng = kmalloc_node(sizeof(struct crng_state), ++ GFP_KERNEL | __GFP_NOFAIL, i); ++ spin_lock_init(&crng->lock); ++ crng_initialize(crng); ++ pool[i] = crng; ++ } ++ mb(); ++ if (cmpxchg(&crng_node_pool, NULL, pool)) { ++ for_each_node(i) ++ kfree(pool[i]); ++ kfree(pool); ++ } ++} ++ ++static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init); ++ ++static void numa_crng_init(void) ++{ ++ schedule_work(&numa_crng_init_work); ++} ++#else ++static void numa_crng_init(void) {} ++#endif ++ + /* + * crng_fast_load() can be called by code in the interrupt service + * path. So we can't afford to dilly-dally. +@@ -893,10 +937,23 @@ static void crng_reseed(struct crng_state *crng, struct entropy_store *r) + spin_unlock_irqrestore(&crng->lock, flags); + if (crng == &primary_crng && crng_init < 2) { + invalidate_batched_entropy(); ++ numa_crng_init(); + crng_init = 2; + process_random_ready_list(); + wake_up_interruptible(&crng_init_wait); + pr_notice("random: crng init done\n"); ++ if (unseeded_warning.missed) { ++ pr_notice("random: %d get_random_xx warning(s) missed " ++ "due to ratelimiting\n", ++ unseeded_warning.missed); ++ unseeded_warning.missed = 0; ++ } ++ if (urandom_warning.missed) { ++ pr_notice("random: %d urandom warning(s) missed " ++ "due to ratelimiting\n", ++ urandom_warning.missed); ++ urandom_warning.missed = 0; ++ } + } + } + +@@ -1540,8 +1597,9 @@ static void _warn_unseeded_randomness(const char *func_name, void *caller, + #ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM + print_once = true; + #endif +- pr_notice("random: %s called from %pS with crng_init=%d\n", +- func_name, caller, crng_init); ++ if (__ratelimit(&unseeded_warning)) ++ pr_notice("random: %s called from %pS with crng_init=%d\n", ++ func_name, caller, crng_init); + } + + /* +@@ -1731,29 +1789,14 @@ static void init_std_data(struct entropy_store *r) + */ + static int rand_initialize(void) + { +-#ifdef CONFIG_NUMA +- int i; +- struct crng_state *crng; +- struct crng_state **pool; +-#endif +- + init_std_data(&input_pool); + init_std_data(&blocking_pool); + crng_initialize(&primary_crng); + crng_global_init_time = jiffies; +- +-#ifdef CONFIG_NUMA +- pool = kcalloc(nr_node_ids, sizeof(*pool), GFP_KERNEL|__GFP_NOFAIL); +- for_each_online_node(i) { +- crng = kmalloc_node(sizeof(struct crng_state), +- GFP_KERNEL | __GFP_NOFAIL, i); +- spin_lock_init(&crng->lock); +- crng_initialize(crng); +- pool[i] = crng; ++ if (ratelimit_disable) { ++ urandom_warning.interval = 0; ++ unseeded_warning.interval = 0; + } +- mb(); +- crng_node_pool = pool; +-#endif + return 0; + } + early_initcall(rand_initialize); +@@ -1821,9 +1864,10 @@ urandom_read(struct file *file, char __user *buf, size_t nbytes, loff_t *ppos) + + if (!crng_ready() && maxwarn > 0) { + maxwarn--; +- printk(KERN_NOTICE "random: %s: uninitialized urandom read " +- "(%zd bytes read)\n", +- current->comm, nbytes); ++ if (__ratelimit(&urandom_warning)) ++ printk(KERN_NOTICE "random: %s: uninitialized " ++ "urandom read (%zd bytes read)\n", ++ current->comm, nbytes); + spin_lock_irqsave(&primary_crng.lock, flags); + crng_init_cnt = 0; + spin_unlock_irqrestore(&primary_crng.lock, flags); +diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c +index d1aed2513bd9..a089474cb046 100644 +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -422,7 +422,7 @@ static void reclaim_dma_bufs(void) + } + } + +-static struct port_buffer *alloc_buf(struct virtqueue *vq, size_t buf_size, ++static struct port_buffer *alloc_buf(struct virtio_device *vdev, size_t buf_size, + int pages) + { + struct port_buffer *buf; +@@ -445,16 +445,16 @@ static struct port_buffer *alloc_buf(struct virtqueue *vq, size_t buf_size, + return buf; + } + +- if (is_rproc_serial(vq->vdev)) { ++ if (is_rproc_serial(vdev)) { + /* + * Allocate DMA memory from ancestor. When a virtio + * device is created by remoteproc, the DMA memory is + * associated with the grandparent device: + * vdev => rproc => platform-dev. + */ +- if (!vq->vdev->dev.parent || !vq->vdev->dev.parent->parent) ++ if (!vdev->dev.parent || !vdev->dev.parent->parent) + goto free_buf; +- buf->dev = vq->vdev->dev.parent->parent; ++ buf->dev = vdev->dev.parent->parent; + + /* Increase device refcnt to avoid freeing it */ + get_device(buf->dev); +@@ -838,7 +838,7 @@ static ssize_t port_fops_write(struct file *filp, const char __user *ubuf, + + count = min((size_t)(32 * 1024), count); + +- buf = alloc_buf(port->out_vq, count, 0); ++ buf = alloc_buf(port->portdev->vdev, count, 0); + if (!buf) + return -ENOMEM; + +@@ -957,7 +957,7 @@ static ssize_t port_fops_splice_write(struct pipe_inode_info *pipe, + if (ret < 0) + goto error_out; + +- buf = alloc_buf(port->out_vq, 0, pipe->nrbufs); ++ buf = alloc_buf(port->portdev->vdev, 0, pipe->nrbufs); + if (!buf) { + ret = -ENOMEM; + goto error_out; +@@ -1374,7 +1374,7 @@ static unsigned int fill_queue(struct virtqueue *vq, spinlock_t *lock) + + nr_added_bufs = 0; + do { +- buf = alloc_buf(vq, PAGE_SIZE, 0); ++ buf = alloc_buf(vq->vdev, PAGE_SIZE, 0); + if (!buf) + break; + +@@ -1402,7 +1402,6 @@ static int add_port(struct ports_device *portdev, u32 id) + { + char debugfs_name[16]; + struct port *port; +- struct port_buffer *buf; + dev_t devt; + unsigned int nr_added_bufs; + int err; +@@ -1513,8 +1512,6 @@ static int add_port(struct ports_device *portdev, u32 id) + return 0; + + free_inbufs: +- while ((buf = virtqueue_detach_unused_buf(port->in_vq))) +- free_buf(buf, true); + free_device: + device_destroy(pdrvdata.class, port->dev->devt); + free_cdev: +@@ -1539,34 +1536,14 @@ static void remove_port(struct kref *kref) + + static void remove_port_data(struct port *port) + { +- struct port_buffer *buf; +- + spin_lock_irq(&port->inbuf_lock); + /* Remove unused data this port might have received. */ + discard_port_data(port); + spin_unlock_irq(&port->inbuf_lock); + +- /* Remove buffers we queued up for the Host to send us data in. */ +- do { +- spin_lock_irq(&port->inbuf_lock); +- buf = virtqueue_detach_unused_buf(port->in_vq); +- spin_unlock_irq(&port->inbuf_lock); +- if (buf) +- free_buf(buf, true); +- } while (buf); +- + spin_lock_irq(&port->outvq_lock); + reclaim_consumed_buffers(port); + spin_unlock_irq(&port->outvq_lock); +- +- /* Free pending buffers from the out-queue. */ +- do { +- spin_lock_irq(&port->outvq_lock); +- buf = virtqueue_detach_unused_buf(port->out_vq); +- spin_unlock_irq(&port->outvq_lock); +- if (buf) +- free_buf(buf, true); +- } while (buf); + } + + /* +@@ -1791,13 +1768,24 @@ static void control_work_handler(struct work_struct *work) + spin_unlock(&portdev->c_ivq_lock); + } + ++static void flush_bufs(struct virtqueue *vq, bool can_sleep) ++{ ++ struct port_buffer *buf; ++ unsigned int len; ++ ++ while ((buf = virtqueue_get_buf(vq, &len))) ++ free_buf(buf, can_sleep); ++} ++ + static void out_intr(struct virtqueue *vq) + { + struct port *port; + + port = find_port_by_vq(vq->vdev->priv, vq); +- if (!port) ++ if (!port) { ++ flush_bufs(vq, false); + return; ++ } + + wake_up_interruptible(&port->waitqueue); + } +@@ -1808,8 +1796,10 @@ static void in_intr(struct virtqueue *vq) + unsigned long flags; + + port = find_port_by_vq(vq->vdev->priv, vq); +- if (!port) ++ if (!port) { ++ flush_bufs(vq, false); + return; ++ } + + spin_lock_irqsave(&port->inbuf_lock, flags); + port->inbuf = get_inbuf(port); +@@ -1984,24 +1974,54 @@ static const struct file_operations portdev_fops = { + + static void remove_vqs(struct ports_device *portdev) + { ++ struct virtqueue *vq; ++ ++ virtio_device_for_each_vq(portdev->vdev, vq) { ++ struct port_buffer *buf; ++ ++ flush_bufs(vq, true); ++ while ((buf = virtqueue_detach_unused_buf(vq))) ++ free_buf(buf, true); ++ } + portdev->vdev->config->del_vqs(portdev->vdev); + kfree(portdev->in_vqs); + kfree(portdev->out_vqs); + } + +-static void remove_controlq_data(struct ports_device *portdev) ++static void virtcons_remove(struct virtio_device *vdev) + { +- struct port_buffer *buf; +- unsigned int len; ++ struct ports_device *portdev; ++ struct port *port, *port2; + +- if (!use_multiport(portdev)) +- return; ++ portdev = vdev->priv; + +- while ((buf = virtqueue_get_buf(portdev->c_ivq, &len))) +- free_buf(buf, true); ++ spin_lock_irq(&pdrvdata_lock); ++ list_del(&portdev->list); ++ spin_unlock_irq(&pdrvdata_lock); + +- while ((buf = virtqueue_detach_unused_buf(portdev->c_ivq))) +- free_buf(buf, true); ++ /* Disable interrupts for vqs */ ++ vdev->config->reset(vdev); ++ /* Finish up work that's lined up */ ++ if (use_multiport(portdev)) ++ cancel_work_sync(&portdev->control_work); ++ else ++ cancel_work_sync(&portdev->config_work); ++ ++ list_for_each_entry_safe(port, port2, &portdev->ports, list) ++ unplug_port(port); ++ ++ unregister_chrdev(portdev->chr_major, "virtio-portsdev"); ++ ++ /* ++ * When yanking out a device, we immediately lose the ++ * (device-side) queues. So there's no point in keeping the ++ * guest side around till we drop our final reference. This ++ * also means that any ports which are in an open state will ++ * have to just stop using the port, as the vqs are going ++ * away. ++ */ ++ remove_vqs(portdev); ++ kfree(portdev); + } + + /* +@@ -2070,6 +2090,7 @@ static int virtcons_probe(struct virtio_device *vdev) + + spin_lock_init(&portdev->ports_lock); + INIT_LIST_HEAD(&portdev->ports); ++ INIT_LIST_HEAD(&portdev->list); + + virtio_device_ready(portdev->vdev); + +@@ -2087,8 +2108,15 @@ static int virtcons_probe(struct virtio_device *vdev) + if (!nr_added_bufs) { + dev_err(&vdev->dev, + "Error allocating buffers for control queue\n"); +- err = -ENOMEM; +- goto free_vqs; ++ /* ++ * The host might want to notify mgmt sw about device ++ * add failure. ++ */ ++ __send_control_msg(portdev, VIRTIO_CONSOLE_BAD_ID, ++ VIRTIO_CONSOLE_DEVICE_READY, 0); ++ /* Device was functional: we need full cleanup. */ ++ virtcons_remove(vdev); ++ return -ENOMEM; + } + } else { + /* +@@ -2119,11 +2147,6 @@ static int virtcons_probe(struct virtio_device *vdev) + + return 0; + +-free_vqs: +- /* The host might want to notify mgmt sw about device add failure */ +- __send_control_msg(portdev, VIRTIO_CONSOLE_BAD_ID, +- VIRTIO_CONSOLE_DEVICE_READY, 0); +- remove_vqs(portdev); + free_chrdev: + unregister_chrdev(portdev->chr_major, "virtio-portsdev"); + free: +@@ -2132,43 +2155,6 @@ static int virtcons_probe(struct virtio_device *vdev) + return err; + } + +-static void virtcons_remove(struct virtio_device *vdev) +-{ +- struct ports_device *portdev; +- struct port *port, *port2; +- +- portdev = vdev->priv; +- +- spin_lock_irq(&pdrvdata_lock); +- list_del(&portdev->list); +- spin_unlock_irq(&pdrvdata_lock); +- +- /* Disable interrupts for vqs */ +- vdev->config->reset(vdev); +- /* Finish up work that's lined up */ +- if (use_multiport(portdev)) +- cancel_work_sync(&portdev->control_work); +- else +- cancel_work_sync(&portdev->config_work); +- +- list_for_each_entry_safe(port, port2, &portdev->ports, list) +- unplug_port(port); +- +- unregister_chrdev(portdev->chr_major, "virtio-portsdev"); +- +- /* +- * When yanking out a device, we immediately lose the +- * (device-side) queues. So there's no point in keeping the +- * guest side around till we drop our final reference. This +- * also means that any ports which are in an open state will +- * have to just stop using the port, as the vqs are going +- * away. +- */ +- remove_controlq_data(portdev); +- remove_vqs(portdev); +- kfree(portdev); +-} +- + static struct virtio_device_id id_table[] = { + { VIRTIO_ID_CONSOLE, VIRTIO_DEV_ANY_ID }, + { 0 }, +@@ -2209,7 +2195,6 @@ static int virtcons_freeze(struct virtio_device *vdev) + */ + if (use_multiport(portdev)) + virtqueue_disable_cb(portdev->c_ivq); +- remove_controlq_data(portdev); + + list_for_each_entry(port, &portdev->ports, list) { + virtqueue_disable_cb(port->in_vq); +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index 6b3a63545619..a28bb8f3f395 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -646,6 +646,16 @@ void gpstate_timer_handler(unsigned long data) + + if (!spin_trylock(&gpstates->gpstate_lock)) + return; ++ /* ++ * If the timer has migrated to the different cpu then bring ++ * it back to one of the policy->cpus ++ */ ++ if (!cpumask_test_cpu(raw_smp_processor_id(), policy->cpus)) { ++ gpstates->timer.expires = jiffies + msecs_to_jiffies(1); ++ add_timer_on(&gpstates->timer, cpumask_first(policy->cpus)); ++ spin_unlock(&gpstates->gpstate_lock); ++ return; ++ } + + /* + * If PMCR was last updated was using fast_swtich then +@@ -685,10 +695,8 @@ void gpstate_timer_handler(unsigned long data) + if (gpstate_idx != gpstates->last_lpstate_idx) + queue_gpstate_timer(gpstates); + ++ set_pstate(&freq_data); + spin_unlock(&gpstates->gpstate_lock); +- +- /* Timer may get migrated to a different cpu on cpu hot unplug */ +- smp_call_function_any(policy->cpus, set_pstate, &freq_data, 1); + } + + /* +diff --git a/drivers/fpga/altera-ps-spi.c b/drivers/fpga/altera-ps-spi.c +index 14f14efdf0d5..06d212a3d49d 100644 +--- a/drivers/fpga/altera-ps-spi.c ++++ b/drivers/fpga/altera-ps-spi.c +@@ -249,7 +249,7 @@ static int altera_ps_probe(struct spi_device *spi) + + conf->data = of_id->data; + conf->spi = spi; +- conf->config = devm_gpiod_get(&spi->dev, "nconfig", GPIOD_OUT_HIGH); ++ conf->config = devm_gpiod_get(&spi->dev, "nconfig", GPIOD_OUT_LOW); + if (IS_ERR(conf->config)) { + dev_err(&spi->dev, "Failed to get config gpio: %ld\n", + PTR_ERR(conf->config)); +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +index fc260c13b1da..a7e54820a330 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +@@ -1398,10 +1398,11 @@ static const u32 sgpr_init_compute_shader[] = + static const u32 vgpr_init_regs[] = + { + mmCOMPUTE_STATIC_THREAD_MGMT_SE0, 0xffffffff, +- mmCOMPUTE_RESOURCE_LIMITS, 0, ++ mmCOMPUTE_RESOURCE_LIMITS, 0x1000000, /* CU_GROUP_COUNT=1 */ + mmCOMPUTE_NUM_THREAD_X, 256*4, + mmCOMPUTE_NUM_THREAD_Y, 1, + mmCOMPUTE_NUM_THREAD_Z, 1, ++ mmCOMPUTE_PGM_RSRC1, 0x100004f, /* VGPRS=15 (64 logical VGPRs), SGPRS=1 (16 SGPRs), BULKY=1 */ + mmCOMPUTE_PGM_RSRC2, 20, + mmCOMPUTE_USER_DATA_0, 0xedcedc00, + mmCOMPUTE_USER_DATA_1, 0xedcedc01, +@@ -1418,10 +1419,11 @@ static const u32 vgpr_init_regs[] = + static const u32 sgpr1_init_regs[] = + { + mmCOMPUTE_STATIC_THREAD_MGMT_SE0, 0x0f, +- mmCOMPUTE_RESOURCE_LIMITS, 0x1000000, ++ mmCOMPUTE_RESOURCE_LIMITS, 0x1000000, /* CU_GROUP_COUNT=1 */ + mmCOMPUTE_NUM_THREAD_X, 256*5, + mmCOMPUTE_NUM_THREAD_Y, 1, + mmCOMPUTE_NUM_THREAD_Z, 1, ++ mmCOMPUTE_PGM_RSRC1, 0x240, /* SGPRS=9 (80 GPRS) */ + mmCOMPUTE_PGM_RSRC2, 20, + mmCOMPUTE_USER_DATA_0, 0xedcedc00, + mmCOMPUTE_USER_DATA_1, 0xedcedc01, +@@ -1442,6 +1444,7 @@ static const u32 sgpr2_init_regs[] = + mmCOMPUTE_NUM_THREAD_X, 256*5, + mmCOMPUTE_NUM_THREAD_Y, 1, + mmCOMPUTE_NUM_THREAD_Z, 1, ++ mmCOMPUTE_PGM_RSRC1, 0x240, /* SGPRS=9 (80 GPRS) */ + mmCOMPUTE_PGM_RSRC2, 20, + mmCOMPUTE_USER_DATA_0, 0xedcedc00, + mmCOMPUTE_USER_DATA_1, 0xedcedc01, +diff --git a/drivers/gpu/drm/i915/intel_runtime_pm.c b/drivers/gpu/drm/i915/intel_runtime_pm.c +index bcccacba1ec6..bcfc1c235966 100644 +--- a/drivers/gpu/drm/i915/intel_runtime_pm.c ++++ b/drivers/gpu/drm/i915/intel_runtime_pm.c +@@ -622,19 +622,18 @@ void skl_enable_dc6(struct drm_i915_private *dev_priv) + + DRM_DEBUG_KMS("Enabling DC6\n"); + +- gen9_set_dc_state(dev_priv, DC_STATE_EN_UPTO_DC6); ++ /* Wa Display #1183: skl,kbl,cfl */ ++ if (IS_GEN9_BC(dev_priv)) ++ I915_WRITE(GEN8_CHICKEN_DCPR_1, I915_READ(GEN8_CHICKEN_DCPR_1) | ++ SKL_SELECT_ALTERNATE_DC_EXIT); + ++ gen9_set_dc_state(dev_priv, DC_STATE_EN_UPTO_DC6); + } + + void skl_disable_dc6(struct drm_i915_private *dev_priv) + { + DRM_DEBUG_KMS("Disabling DC6\n"); + +- /* Wa Display #1183: skl,kbl,cfl */ +- if (IS_GEN9_BC(dev_priv)) +- I915_WRITE(GEN8_CHICKEN_DCPR_1, I915_READ(GEN8_CHICKEN_DCPR_1) | +- SKL_SELECT_ALTERNATE_DC_EXIT); +- + gen9_set_dc_state(dev_priv, DC_STATE_DISABLE); + } + +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 9eb96fb2c147..26a2da1f712d 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -291,7 +291,7 @@ static int virtio_gpu_queue_ctrl_buffer_locked(struct virtio_gpu_device *vgdev, + ret = virtqueue_add_sgs(vq, sgs, outcnt, incnt, vbuf, GFP_ATOMIC); + if (ret == -ENOSPC) { + spin_unlock(&vgdev->ctrlq.qlock); +- wait_event(vgdev->ctrlq.ack_queue, vq->num_free); ++ wait_event(vgdev->ctrlq.ack_queue, vq->num_free >= outcnt + incnt); + spin_lock(&vgdev->ctrlq.qlock); + goto retry; + } else { +@@ -366,7 +366,7 @@ static int virtio_gpu_queue_cursor(struct virtio_gpu_device *vgdev, + ret = virtqueue_add_sgs(vq, sgs, outcnt, 0, vbuf, GFP_ATOMIC); + if (ret == -ENOSPC) { + spin_unlock(&vgdev->cursorq.qlock); +- wait_event(vgdev->cursorq.ack_queue, vq->num_free); ++ wait_event(vgdev->cursorq.ack_queue, vq->num_free >= outcnt); + spin_lock(&vgdev->cursorq.qlock); + goto retry; + } else { +diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c +index 5e1b68cbcd0a..e1b603ca0170 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0001.c ++++ b/drivers/mtd/chips/cfi_cmdset_0001.c +@@ -45,6 +45,7 @@ + #define I82802AB 0x00ad + #define I82802AC 0x00ac + #define PF38F4476 0x881c ++#define M28F00AP30 0x8963 + /* STMicroelectronics chips */ + #define M50LPW080 0x002F + #define M50FLW080A 0x0080 +@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct cfi_private *cfi, + extp->MinorVersion = '1'; + } + ++static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip) ++{ ++ /* ++ * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t ++ * Erase Supend for their small Erase Blocks(0x8000) ++ */ ++ if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30) ++ return 1; ++ return 0; ++} ++ + static inline struct cfi_pri_intelext * + read_pri_intelext(struct map_info *map, __u16 adr) + { +@@ -831,21 +843,30 @@ static int chip_ready (struct map_info *map, struct flchip *chip, unsigned long + (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1)))) + goto sleep; + ++ /* Do not allow suspend iff read/write to EB address */ ++ if ((adr & chip->in_progress_block_mask) == ++ chip->in_progress_block_addr) ++ goto sleep; ++ ++ /* do not suspend small EBs, buggy Micron Chips */ ++ if (cfi_is_micron_28F00AP30(cfi, chip) && ++ (chip->in_progress_block_mask == ~(0x8000-1))) ++ goto sleep; + + /* Erase suspend */ +- map_write(map, CMD(0xB0), adr); ++ map_write(map, CMD(0xB0), chip->in_progress_block_addr); + + /* If the flash has finished erasing, then 'erase suspend' + * appears to make some (28F320) flash devices switch to + * 'read' mode. Make sure that we switch to 'read status' + * mode so we get the right data. --rmk + */ +- map_write(map, CMD(0x70), adr); ++ map_write(map, CMD(0x70), chip->in_progress_block_addr); + chip->oldstate = FL_ERASING; + chip->state = FL_ERASE_SUSPENDING; + chip->erase_suspended = 1; + for (;;) { +- status = map_read(map, adr); ++ status = map_read(map, chip->in_progress_block_addr); + if (map_word_andequal(map, status, status_OK, status_OK)) + break; + +@@ -1041,8 +1062,8 @@ static void put_chip(struct map_info *map, struct flchip *chip, unsigned long ad + sending the 0x70 (Read Status) command to an erasing + chip and expecting it to be ignored, that's what we + do. */ +- map_write(map, CMD(0xd0), adr); +- map_write(map, CMD(0x70), adr); ++ map_write(map, CMD(0xd0), chip->in_progress_block_addr); ++ map_write(map, CMD(0x70), chip->in_progress_block_addr); + chip->oldstate = FL_READY; + chip->state = FL_ERASING; + break; +@@ -1933,6 +1954,8 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + map_write(map, CMD(0xD0), adr); + chip->state = FL_ERASING; + chip->erase_suspended = 0; ++ chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(len - 1); + + ret = INVAL_CACHE_AND_WAIT(map, chip, adr, + adr, len, +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index 56aa6b75213d..d524a64ed754 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -816,9 +816,10 @@ static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr + (mode == FL_WRITING && (cfip->EraseSuspend & 0x2)))) + goto sleep; + +- /* We could check to see if we're trying to access the sector +- * that is currently being erased. However, no user will try +- * anything like that so we just wait for the timeout. */ ++ /* Do not allow suspend iff read/write to EB address */ ++ if ((adr & chip->in_progress_block_mask) == ++ chip->in_progress_block_addr) ++ goto sleep; + + /* Erase suspend */ + /* It's harmless to issue the Erase-Suspend and Erase-Resume +@@ -2267,6 +2268,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + chip->state = FL_ERASING; + chip->erase_suspended = 0; + chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(map->size - 1); + + INVALIDATE_CACHE_UDELAY(map, chip, + adr, map->size, +@@ -2356,6 +2358,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + chip->state = FL_ERASING; + chip->erase_suspended = 0; + chip->in_progress_block_addr = adr; ++ chip->in_progress_block_mask = ~(len - 1); + + INVALIDATE_CACHE_UDELAY(map, chip, + adr, len, +diff --git a/drivers/mtd/nand/tango_nand.c b/drivers/mtd/nand/tango_nand.c +index 766906f03943..ce366816a7ef 100644 +--- a/drivers/mtd/nand/tango_nand.c ++++ b/drivers/mtd/nand/tango_nand.c +@@ -654,7 +654,7 @@ static int tango_nand_probe(struct platform_device *pdev) + + writel_relaxed(MODE_RAW, nfc->pbus_base + PBUS_PAD_MODE); + +- clk = clk_get(&pdev->dev, NULL); ++ clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(clk)) + return PTR_ERR(clk); + +diff --git a/drivers/mtd/spi-nor/cadence-quadspi.c b/drivers/mtd/spi-nor/cadence-quadspi.c +index 53c7d8e0327a..8d89204b90d2 100644 +--- a/drivers/mtd/spi-nor/cadence-quadspi.c ++++ b/drivers/mtd/spi-nor/cadence-quadspi.c +@@ -495,7 +495,9 @@ static int cqspi_indirect_read_execute(struct spi_nor *nor, + void __iomem *reg_base = cqspi->iobase; + void __iomem *ahb_base = cqspi->ahb_base; + unsigned int remaining = n_rx; ++ unsigned int mod_bytes = n_rx % 4; + unsigned int bytes_to_read = 0; ++ u8 *rxbuf_end = rxbuf + n_rx; + int ret = 0; + + writel(remaining, reg_base + CQSPI_REG_INDIRECTRDBYTES); +@@ -523,11 +525,24 @@ static int cqspi_indirect_read_execute(struct spi_nor *nor, + } + + while (bytes_to_read != 0) { ++ unsigned int word_remain = round_down(remaining, 4); ++ + bytes_to_read *= cqspi->fifo_width; + bytes_to_read = bytes_to_read > remaining ? + remaining : bytes_to_read; +- ioread32_rep(ahb_base, rxbuf, +- DIV_ROUND_UP(bytes_to_read, 4)); ++ bytes_to_read = round_down(bytes_to_read, 4); ++ /* Read 4 byte word chunks then single bytes */ ++ if (bytes_to_read) { ++ ioread32_rep(ahb_base, rxbuf, ++ (bytes_to_read / 4)); ++ } else if (!word_remain && mod_bytes) { ++ unsigned int temp = ioread32(ahb_base); ++ ++ bytes_to_read = mod_bytes; ++ memcpy(rxbuf, &temp, min((unsigned int) ++ (rxbuf_end - rxbuf), ++ bytes_to_read)); ++ } + rxbuf += bytes_to_read; + remaining -= bytes_to_read; + bytes_to_read = cqspi_get_rd_sram_level(cqspi); +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index ce30c9a588a4..6337c394bfe3 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -975,7 +975,7 @@ int __init early_init_dt_scan_chosen_stdout(void) + int offset; + const char *p, *q, *options = NULL; + int l; +- const struct earlycon_id *match; ++ const struct earlycon_id **p_match; + const void *fdt = initial_boot_params; + + offset = fdt_path_offset(fdt, "/chosen"); +@@ -1002,7 +1002,10 @@ int __init early_init_dt_scan_chosen_stdout(void) + return 0; + } + +- for (match = __earlycon_table; match < __earlycon_table_end; match++) { ++ for (p_match = __earlycon_table; p_match < __earlycon_table_end; ++ p_match++) { ++ const struct earlycon_id *match = *p_match; ++ + if (!match->compatible[0]) + continue; + +diff --git a/drivers/pci/host/pci-aardvark.c b/drivers/pci/host/pci-aardvark.c +index 26ed0c08f209..9bfc22b5da4b 100644 +--- a/drivers/pci/host/pci-aardvark.c ++++ b/drivers/pci/host/pci-aardvark.c +@@ -32,6 +32,7 @@ + #define PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT 5 + #define PCIE_CORE_DEV_CTRL_STATS_SNOOP_DISABLE (0 << 11) + #define PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT 12 ++#define PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ 0x2 + #define PCIE_CORE_LINK_CTRL_STAT_REG 0xd0 + #define PCIE_CORE_LINK_L0S_ENTRY BIT(0) + #define PCIE_CORE_LINK_TRAINING BIT(5) +@@ -103,7 +104,8 @@ + #define PCIE_ISR1_MASK_REG (CONTROL_BASE_ADDR + 0x4C) + #define PCIE_ISR1_POWER_STATE_CHANGE BIT(4) + #define PCIE_ISR1_FLUSH BIT(5) +-#define PCIE_ISR1_ALL_MASK GENMASK(5, 4) ++#define PCIE_ISR1_INTX_ASSERT(val) BIT(8 + (val)) ++#define PCIE_ISR1_ALL_MASK GENMASK(11, 4) + #define PCIE_MSI_ADDR_LOW_REG (CONTROL_BASE_ADDR + 0x50) + #define PCIE_MSI_ADDR_HIGH_REG (CONTROL_BASE_ADDR + 0x54) + #define PCIE_MSI_STATUS_REG (CONTROL_BASE_ADDR + 0x58) +@@ -175,8 +177,6 @@ + #define PCIE_CONFIG_WR_TYPE0 0xa + #define PCIE_CONFIG_WR_TYPE1 0xb + +-/* PCI_BDF shifts 8bit, so we need extra 4bit shift */ +-#define PCIE_BDF(dev) (dev << 4) + #define PCIE_CONF_BUS(bus) (((bus) & 0xff) << 20) + #define PCIE_CONF_DEV(dev) (((dev) & 0x1f) << 15) + #define PCIE_CONF_FUNC(fun) (((fun) & 0x7) << 12) +@@ -299,7 +299,8 @@ static void advk_pcie_setup_hw(struct advk_pcie *pcie) + reg = PCIE_CORE_DEV_CTRL_STATS_RELAX_ORDER_DISABLE | + (7 << PCIE_CORE_DEV_CTRL_STATS_MAX_PAYLOAD_SZ_SHIFT) | + PCIE_CORE_DEV_CTRL_STATS_SNOOP_DISABLE | +- PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT; ++ (PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SZ << ++ PCIE_CORE_DEV_CTRL_STATS_MAX_RD_REQ_SIZE_SHIFT); + advk_writel(pcie, reg, PCIE_CORE_DEV_CTRL_STATS_REG); + + /* Program PCIe Control 2 to disable strict ordering */ +@@ -440,7 +441,7 @@ static int advk_pcie_rd_conf(struct pci_bus *bus, u32 devfn, + u32 reg; + int ret; + +- if (PCI_SLOT(devfn) != 0) { ++ if ((bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0) { + *val = 0xffffffff; + return PCIBIOS_DEVICE_NOT_FOUND; + } +@@ -459,7 +460,7 @@ static int advk_pcie_rd_conf(struct pci_bus *bus, u32 devfn, + advk_writel(pcie, reg, PIO_CTRL); + + /* Program the address registers */ +- reg = PCIE_BDF(devfn) | PCIE_CONF_REG(where); ++ reg = PCIE_CONF_ADDR(bus->number, devfn, where); + advk_writel(pcie, reg, PIO_ADDR_LS); + advk_writel(pcie, 0, PIO_ADDR_MS); + +@@ -494,7 +495,7 @@ static int advk_pcie_wr_conf(struct pci_bus *bus, u32 devfn, + int offset; + int ret; + +- if (PCI_SLOT(devfn) != 0) ++ if ((bus->number == pcie->root_bus_nr) && PCI_SLOT(devfn) != 0) + return PCIBIOS_DEVICE_NOT_FOUND; + + if (where % size) +@@ -612,9 +613,9 @@ static void advk_pcie_irq_mask(struct irq_data *d) + irq_hw_number_t hwirq = irqd_to_hwirq(d); + u32 mask; + +- mask = advk_readl(pcie, PCIE_ISR0_MASK_REG); +- mask |= PCIE_ISR0_INTX_ASSERT(hwirq); +- advk_writel(pcie, mask, PCIE_ISR0_MASK_REG); ++ mask = advk_readl(pcie, PCIE_ISR1_MASK_REG); ++ mask |= PCIE_ISR1_INTX_ASSERT(hwirq); ++ advk_writel(pcie, mask, PCIE_ISR1_MASK_REG); + } + + static void advk_pcie_irq_unmask(struct irq_data *d) +@@ -623,9 +624,9 @@ static void advk_pcie_irq_unmask(struct irq_data *d) + irq_hw_number_t hwirq = irqd_to_hwirq(d); + u32 mask; + +- mask = advk_readl(pcie, PCIE_ISR0_MASK_REG); +- mask &= ~PCIE_ISR0_INTX_ASSERT(hwirq); +- advk_writel(pcie, mask, PCIE_ISR0_MASK_REG); ++ mask = advk_readl(pcie, PCIE_ISR1_MASK_REG); ++ mask &= ~PCIE_ISR1_INTX_ASSERT(hwirq); ++ advk_writel(pcie, mask, PCIE_ISR1_MASK_REG); + } + + static int advk_pcie_irq_map(struct irq_domain *h, +@@ -768,29 +769,35 @@ static void advk_pcie_handle_msi(struct advk_pcie *pcie) + + static void advk_pcie_handle_int(struct advk_pcie *pcie) + { +- u32 val, mask, status; ++ u32 isr0_val, isr0_mask, isr0_status; ++ u32 isr1_val, isr1_mask, isr1_status; + int i, virq; + +- val = advk_readl(pcie, PCIE_ISR0_REG); +- mask = advk_readl(pcie, PCIE_ISR0_MASK_REG); +- status = val & ((~mask) & PCIE_ISR0_ALL_MASK); ++ isr0_val = advk_readl(pcie, PCIE_ISR0_REG); ++ isr0_mask = advk_readl(pcie, PCIE_ISR0_MASK_REG); ++ isr0_status = isr0_val & ((~isr0_mask) & PCIE_ISR0_ALL_MASK); ++ ++ isr1_val = advk_readl(pcie, PCIE_ISR1_REG); ++ isr1_mask = advk_readl(pcie, PCIE_ISR1_MASK_REG); ++ isr1_status = isr1_val & ((~isr1_mask) & PCIE_ISR1_ALL_MASK); + +- if (!status) { +- advk_writel(pcie, val, PCIE_ISR0_REG); ++ if (!isr0_status && !isr1_status) { ++ advk_writel(pcie, isr0_val, PCIE_ISR0_REG); ++ advk_writel(pcie, isr1_val, PCIE_ISR1_REG); + return; + } + + /* Process MSI interrupts */ +- if (status & PCIE_ISR0_MSI_INT_PENDING) ++ if (isr0_status & PCIE_ISR0_MSI_INT_PENDING) + advk_pcie_handle_msi(pcie); + + /* Process legacy interrupts */ + for (i = 0; i < PCI_NUM_INTX; i++) { +- if (!(status & PCIE_ISR0_INTX_ASSERT(i))) ++ if (!(isr1_status & PCIE_ISR1_INTX_ASSERT(i))) + continue; + +- advk_writel(pcie, PCIE_ISR0_INTX_ASSERT(i), +- PCIE_ISR0_REG); ++ advk_writel(pcie, PCIE_ISR1_INTX_ASSERT(i), ++ PCIE_ISR1_REG); + + virq = irq_find_mapping(pcie->irq_domain, i); + generic_handle_irq(virq); +diff --git a/drivers/rtc/rtc-opal.c b/drivers/rtc/rtc-opal.c +index 304e891e35fc..60f2250fd96b 100644 +--- a/drivers/rtc/rtc-opal.c ++++ b/drivers/rtc/rtc-opal.c +@@ -57,7 +57,7 @@ static void tm_to_opal(struct rtc_time *tm, u32 *y_m_d, u64 *h_m_s_ms) + + static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm) + { +- long rc = OPAL_BUSY; ++ s64 rc = OPAL_BUSY; + int retries = 10; + u32 y_m_d; + u64 h_m_s_ms; +@@ -66,13 +66,17 @@ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm) + + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ msleep(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); +- else if (retries-- && (rc == OPAL_HARDWARE +- || rc == OPAL_INTERNAL_ERROR)) +- msleep(10); +- else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) +- break; ++ } else if (rc == OPAL_BUSY) { ++ msleep(OPAL_BUSY_DELAY_MS); ++ } else if (rc == OPAL_HARDWARE || rc == OPAL_INTERNAL_ERROR) { ++ if (retries--) { ++ msleep(10); /* Wait 10ms before retry */ ++ rc = OPAL_BUSY; /* go around again */ ++ } ++ } + } + + if (rc != OPAL_SUCCESS) +@@ -87,21 +91,26 @@ static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm) + + static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm) + { +- long rc = OPAL_BUSY; ++ s64 rc = OPAL_BUSY; + int retries = 10; + u32 y_m_d = 0; + u64 h_m_s_ms = 0; + + tm_to_opal(tm, &y_m_d, &h_m_s_ms); ++ + while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { + rc = opal_rtc_write(y_m_d, h_m_s_ms); +- if (rc == OPAL_BUSY_EVENT) ++ if (rc == OPAL_BUSY_EVENT) { ++ msleep(OPAL_BUSY_DELAY_MS); + opal_poll_events(NULL); +- else if (retries-- && (rc == OPAL_HARDWARE +- || rc == OPAL_INTERNAL_ERROR)) +- msleep(10); +- else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) +- break; ++ } else if (rc == OPAL_BUSY) { ++ msleep(OPAL_BUSY_DELAY_MS); ++ } else if (rc == OPAL_HARDWARE || rc == OPAL_INTERNAL_ERROR) { ++ if (retries--) { ++ msleep(10); /* Wait 10ms before retry */ ++ rc = OPAL_BUSY; /* go around again */ ++ } ++ } + } + + return rc == OPAL_SUCCESS ? 0 : -EIO; +diff --git a/drivers/s390/cio/vfio_ccw_fsm.c b/drivers/s390/cio/vfio_ccw_fsm.c +index c30420c517b1..e96b85579f21 100644 +--- a/drivers/s390/cio/vfio_ccw_fsm.c ++++ b/drivers/s390/cio/vfio_ccw_fsm.c +@@ -20,12 +20,12 @@ static int fsm_io_helper(struct vfio_ccw_private *private) + int ccode; + __u8 lpm; + unsigned long flags; ++ int ret; + + sch = private->sch; + + spin_lock_irqsave(sch->lock, flags); + private->state = VFIO_CCW_STATE_BUSY; +- spin_unlock_irqrestore(sch->lock, flags); + + orb = cp_get_orb(&private->cp, (u32)(addr_t)sch, sch->lpm); + +@@ -38,10 +38,12 @@ static int fsm_io_helper(struct vfio_ccw_private *private) + * Initialize device status information + */ + sch->schib.scsw.cmd.actl |= SCSW_ACTL_START_PEND; +- return 0; ++ ret = 0; ++ break; + case 1: /* Status pending */ + case 2: /* Busy */ +- return -EBUSY; ++ ret = -EBUSY; ++ break; + case 3: /* Device/path not operational */ + { + lpm = orb->cmd.lpm; +@@ -51,13 +53,16 @@ static int fsm_io_helper(struct vfio_ccw_private *private) + sch->lpm = 0; + + if (cio_update_schib(sch)) +- return -ENODEV; +- +- return sch->lpm ? -EACCES : -ENODEV; ++ ret = -ENODEV; ++ else ++ ret = sch->lpm ? -EACCES : -ENODEV; ++ break; + } + default: +- return ccode; ++ ret = ccode; + } ++ spin_unlock_irqrestore(sch->lock, flags); ++ return ret; + } + + static void fsm_notoper(struct vfio_ccw_private *private, +diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c +index 72db0f7d221a..2f9912de2212 100644 +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -2132,6 +2132,8 @@ sd_spinup_disk(struct scsi_disk *sdkp) + break; /* standby */ + if (sshdr.asc == 4 && sshdr.ascq == 0xc) + break; /* unavailable */ ++ if (sshdr.asc == 4 && sshdr.ascq == 0x1b) ++ break; /* sanitize in progress */ + /* + * Issue command to spin up drive when not ready + */ +diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c +index 7253e8d2c6d9..f46bd1af7a10 100644 +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -133,6 +133,9 @@ struct gsm_dlci { + struct mutex mutex; + + /* Link layer */ ++ int mode; ++#define DLCI_MODE_ABM 0 /* Normal Asynchronous Balanced Mode */ ++#define DLCI_MODE_ADM 1 /* Asynchronous Disconnected Mode */ + spinlock_t lock; /* Protects the internal state */ + struct timer_list t1; /* Retransmit timer for SABM and UA */ + int retries; +@@ -1376,7 +1379,13 @@ static struct gsm_control *gsm_control_send(struct gsm_mux *gsm, + ctrl->data = data; + ctrl->len = clen; + gsm->pending_cmd = ctrl; +- gsm->cretries = gsm->n2; ++ ++ /* If DLCI0 is in ADM mode skip retries, it won't respond */ ++ if (gsm->dlci[0]->mode == DLCI_MODE_ADM) ++ gsm->cretries = 1; ++ else ++ gsm->cretries = gsm->n2; ++ + mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100); + gsm_control_transmit(gsm, ctrl); + spin_unlock_irqrestore(&gsm->control_lock, flags); +@@ -1484,6 +1493,7 @@ static void gsm_dlci_t1(unsigned long data) + if (debug & 8) + pr_info("DLCI %d opening in ADM mode.\n", + dlci->addr); ++ dlci->mode = DLCI_MODE_ADM; + gsm_dlci_open(dlci); + } else { + gsm_dlci_close(dlci); +@@ -2875,11 +2885,22 @@ static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk) + static int gsm_carrier_raised(struct tty_port *port) + { + struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port); ++ struct gsm_mux *gsm = dlci->gsm; ++ + /* Not yet open so no carrier info */ + if (dlci->state != DLCI_OPEN) + return 0; + if (debug & 2) + return 1; ++ ++ /* ++ * Basic mode with control channel in ADM mode may not respond ++ * to CMD_MSC at all and modem_rx is empty. ++ */ ++ if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM && ++ !dlci->modem_rx) ++ return 1; ++ + return dlci->modem_rx & TIOCM_CD; + } + +diff --git a/drivers/tty/serial/earlycon.c b/drivers/tty/serial/earlycon.c +index 17dba0af5ee9..ac667b47f199 100644 +--- a/drivers/tty/serial/earlycon.c ++++ b/drivers/tty/serial/earlycon.c +@@ -172,7 +172,7 @@ static int __init register_earlycon(char *buf, const struct earlycon_id *match) + */ + int __init setup_earlycon(char *buf) + { +- const struct earlycon_id *match; ++ const struct earlycon_id **p_match; + + if (!buf || !buf[0]) + return -EINVAL; +@@ -180,7 +180,9 @@ int __init setup_earlycon(char *buf) + if (early_con.flags & CON_ENABLED) + return -EALREADY; + +- for (match = __earlycon_table; match < __earlycon_table_end; match++) { ++ for (p_match = __earlycon_table; p_match < __earlycon_table_end; ++ p_match++) { ++ const struct earlycon_id *match = *p_match; + size_t len = strlen(match->name); + + if (strncmp(buf, match->name, len)) +diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c +index 52627478ab61..562d31073f9a 100644 +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2815,7 +2815,10 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) + + kref_init(&tty->kref); + tty->magic = TTY_MAGIC; +- tty_ldisc_init(tty); ++ if (tty_ldisc_init(tty)) { ++ kfree(tty); ++ return NULL; ++ } + tty->session = NULL; + tty->pgrp = NULL; + mutex_init(&tty->legacy_mutex); +diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c +index 7c895684c3ef..ca656ef8de64 100644 +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -175,12 +175,11 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc) + return ERR_CAST(ldops); + } + +- ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL); +- if (ld == NULL) { +- put_ldops(ldops); +- return ERR_PTR(-ENOMEM); +- } +- ++ /* ++ * There is no way to handle allocation failure of only 16 bytes. ++ * Let's simplify error handling and save more memory. ++ */ ++ ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL | __GFP_NOFAIL); + ld->ops = ldops; + ld->tty = tty; + +@@ -526,19 +525,16 @@ static int tty_ldisc_failto(struct tty_struct *tty, int ld) + static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old) + { + /* There is an outstanding reference here so this is safe */ +- old = tty_ldisc_get(tty, old->ops->num); +- WARN_ON(IS_ERR(old)); +- tty->ldisc = old; +- tty_set_termios_ldisc(tty, old->ops->num); +- if (tty_ldisc_open(tty, old) < 0) { +- tty_ldisc_put(old); ++ if (tty_ldisc_failto(tty, old->ops->num) < 0) { ++ const char *name = tty_name(tty); ++ ++ pr_warn("Falling back ldisc for %s.\n", name); + /* The traditional behaviour is to fall back to N_TTY, we + want to avoid falling back to N_NULL unless we have no + choice to avoid the risk of breaking anything */ + if (tty_ldisc_failto(tty, N_TTY) < 0 && + tty_ldisc_failto(tty, N_NULL) < 0) +- panic("Couldn't open N_NULL ldisc for %s.", +- tty_name(tty)); ++ panic("Couldn't open N_NULL ldisc for %s.", name); + } + } + +@@ -823,12 +819,13 @@ EXPORT_SYMBOL_GPL(tty_ldisc_release); + * the tty structure is not completely set up when this call is made. + */ + +-void tty_ldisc_init(struct tty_struct *tty) ++int tty_ldisc_init(struct tty_struct *tty) + { + struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY); + if (IS_ERR(ld)) +- panic("n_tty: init_tty"); ++ return PTR_ERR(ld); + tty->ldisc = ld; ++ return 0; + } + + /** +diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c +index 75ad6718858c..d0b2e0ed9bab 100644 +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -2376,6 +2376,7 @@ void usb_hcd_resume_root_hub (struct usb_hcd *hcd) + + spin_lock_irqsave (&hcd_root_hub_lock, flags); + if (hcd->rh_registered) { ++ pm_wakeup_event(&hcd->self.root_hub->dev, 0); + set_bit(HCD_FLAG_WAKEUP_PENDING, &hcd->flags); + queue_work(pm_wq, &hcd->wakeup_work); + } +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 8f7d94239ee3..442be7f312f6 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -650,12 +650,17 @@ void usb_wakeup_notification(struct usb_device *hdev, + unsigned int portnum) + { + struct usb_hub *hub; ++ struct usb_port *port_dev; + + if (!hdev) + return; + + hub = usb_hub_to_struct_hub(hdev); + if (hub) { ++ port_dev = hub->ports[portnum - 1]; ++ if (port_dev && port_dev->child) ++ pm_wakeup_event(&port_dev->child->dev, 0); ++ + set_bit(portnum, hub->wakeup_bits); + kick_hub_wq(hub); + } +@@ -3415,8 +3420,11 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg) + + /* Skip the initial Clear-Suspend step for a remote wakeup */ + status = hub_port_status(hub, port1, &portstatus, &portchange); +- if (status == 0 && !port_is_suspended(hub, portstatus)) ++ if (status == 0 && !port_is_suspended(hub, portstatus)) { ++ if (portchange & USB_PORT_STAT_C_SUSPEND) ++ pm_wakeup_event(&udev->dev, 0); + goto SuspendCleared; ++ } + + /* see 7.1.7.7; affects power usage, but not budgeting */ + if (hub_is_superspeed(hub->hdev)) +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 4f1c6f8d4352..40ce175655e6 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -45,6 +45,9 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x03f0, 0x0701), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, + ++ /* HP v222w 16GB Mini USB Drive */ ++ { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Creative SB Audigy 2 NX */ + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME }, + +diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c +index 3fb57cf8abb8..d79ab0d85924 100644 +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -134,7 +134,10 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci) + if (pdev->vendor == PCI_VENDOR_ID_AMD && usb_amd_find_chipset_info()) + xhci->quirks |= XHCI_AMD_PLL_FIX; + +- if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x43bb) ++ if (pdev->vendor == PCI_VENDOR_ID_AMD && ++ (pdev->device == 0x15e0 || ++ pdev->device == 0x15e1 || ++ pdev->device == 0x43bb)) + xhci->quirks |= XHCI_SUSPEND_DELAY; + + if (pdev->vendor == PCI_VENDOR_ID_AMD) +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index 1cb6eaef4ae1..7d9e085f7b85 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -423,7 +423,6 @@ MODULE_DEVICE_TABLE(acpi, usb_xhci_acpi_match); + static struct platform_driver usb_xhci_driver = { + .probe = xhci_plat_probe, + .remove = xhci_plat_remove, +- .shutdown = usb_hcd_platform_shutdown, + .driver = { + .name = "xhci-hcd", + .pm = &xhci_plat_pm_ops, +diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig +index c66b93664d54..c508e2d7104b 100644 +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -62,6 +62,7 @@ config USB_SERIAL_SIMPLE + - Fundamental Software dongle. + - Google USB serial devices + - HP4x calculators ++ - Libtransistor USB console + - a number of Motorola phones + - Motorola Tetra devices + - Novatel Wireless GPS receivers +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c +index 2836acf73a07..d0f00274d16c 100644 +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -217,6 +217,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */ + { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */ + { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */ ++ { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */ + { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */ + { } /* Terminating Entry */ + }; +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index a2a5232751cb..385f2ae3be24 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1902,7 +1902,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial) + return ftdi_jtag_probe(serial); + + if (udev->product && +- (!strcmp(udev->product, "BeagleBone/XDS100V2") || ++ (!strcmp(udev->product, "Arrow USB Blaster") || ++ !strcmp(udev->product, "BeagleBone/XDS100V2") || + !strcmp(udev->product, "SNAP Connect E10"))) + return ftdi_jtag_probe(serial); + +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c +index 6aa7ff2c1cf7..2674da40d9cd 100644 +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -66,6 +66,11 @@ DEVICE(flashloader, FLASHLOADER_IDS); + 0x01) } + DEVICE(google, GOOGLE_IDS); + ++/* Libtransistor USB console */ ++#define LIBTRANSISTOR_IDS() \ ++ { USB_DEVICE(0x1209, 0x8b00) } ++DEVICE(libtransistor, LIBTRANSISTOR_IDS); ++ + /* ViVOpay USB Serial Driver */ + #define VIVOPAY_IDS() \ + { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */ +@@ -113,6 +118,7 @@ static struct usb_serial_driver * const serial_drivers[] = { + &funsoft_device, + &flashloader_device, + &google_device, ++ &libtransistor_device, + &vivopay_device, + &moto_modem_device, + &motorola_tetra_device, +@@ -129,6 +135,7 @@ static const struct usb_device_id id_table[] = { + FUNSOFT_IDS(), + FLASHLOADER_IDS(), + GOOGLE_IDS(), ++ LIBTRANSISTOR_IDS(), + VIVOPAY_IDS(), + MOTO_IDS(), + MOTOROLA_TETRA_IDS(), +diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c +index 714c5bcedf2b..dd24c5c1534d 100644 +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -31,7 +31,7 @@ + * difficult to estimate the time it takes for the system to process the command + * before it is actually passed to the PPM. + */ +-#define UCSI_TIMEOUT_MS 1000 ++#define UCSI_TIMEOUT_MS 5000 + + /* + * UCSI_SWAP_TIMEOUT_MS - Timeout for role swap requests +diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c +index 6968c906fa29..b59a253a8479 100644 +--- a/drivers/usb/usbip/stub_main.c ++++ b/drivers/usb/usbip/stub_main.c +@@ -200,7 +200,12 @@ static ssize_t rebind_store(struct device_driver *dev, const char *buf, + if (!bid) + return -ENODEV; + ++ /* device_attach() callers should hold parent lock for USB */ ++ if (bid->udev->dev.parent) ++ device_lock(bid->udev->dev.parent); + ret = device_attach(&bid->udev->dev); ++ if (bid->udev->dev.parent) ++ device_unlock(bid->udev->dev.parent); + if (ret < 0) { + dev_err(&bid->udev->dev, "rebind failed\n"); + return ret; +diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h +index 33737b612b1f..c81c44c13a56 100644 +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -257,7 +257,7 @@ enum usbip_side { + #define VUDC_EVENT_ERROR_USB (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) + #define VUDC_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) + +-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE) ++#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE) + #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) +diff --git a/drivers/usb/usbip/usbip_event.c b/drivers/usb/usbip/usbip_event.c +index f1635662c299..f8f7f3803a99 100644 +--- a/drivers/usb/usbip/usbip_event.c ++++ b/drivers/usb/usbip/usbip_event.c +@@ -105,10 +105,6 @@ static void event_handler(struct work_struct *work) + unset_event(ud, USBIP_EH_UNUSABLE); + } + +- /* Stop the error handler. */ +- if (ud->event & USBIP_EH_BYE) +- usbip_dbg_eh("removed %p\n", ud); +- + wake_up(&ud->eh_waitq); + } + } +diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c +index 89858aeed647..05aa1ba351b6 100644 +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -368,6 +368,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + usbip_dbg_vhci_rh(" ClearHubFeature\n"); + break; + case ClearPortFeature: ++ if (rhport < 0) ++ goto error; + switch (wValue) { + case USB_PORT_FEAT_SUSPEND: + if (hcd->speed == HCD_USB3) { +@@ -525,11 +527,16 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + goto error; + } + ++ if (rhport < 0) ++ goto error; ++ + vhci_hcd->port_status[rhport] |= USB_PORT_STAT_SUSPEND; + break; + case USB_PORT_FEAT_POWER: + usbip_dbg_vhci_rh( + " SetPortFeature: USB_PORT_FEAT_POWER\n"); ++ if (rhport < 0) ++ goto error; + if (hcd->speed == HCD_USB3) + vhci_hcd->port_status[rhport] |= USB_SS_PORT_STAT_POWER; + else +@@ -538,6 +545,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + case USB_PORT_FEAT_BH_PORT_RESET: + usbip_dbg_vhci_rh( + " SetPortFeature: USB_PORT_FEAT_BH_PORT_RESET\n"); ++ if (rhport < 0) ++ goto error; + /* Applicable only for USB3.0 hub */ + if (hcd->speed != HCD_USB3) { + pr_err("USB_PORT_FEAT_BH_PORT_RESET req not " +@@ -548,6 +557,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + case USB_PORT_FEAT_RESET: + usbip_dbg_vhci_rh( + " SetPortFeature: USB_PORT_FEAT_RESET\n"); ++ if (rhport < 0) ++ goto error; + /* if it's already enabled, disable */ + if (hcd->speed == HCD_USB3) { + vhci_hcd->port_status[rhport] = 0; +@@ -568,6 +579,8 @@ static int vhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, + default: + usbip_dbg_vhci_rh(" SetPortFeature: default %d\n", + wValue); ++ if (rhport < 0) ++ goto error; + if (hcd->speed == HCD_USB3) { + if ((vhci_hcd->port_status[rhport] & + USB_SS_PORT_STAT_POWER) != 0) { +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index db5be5e2e6f2..58db8109defa 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -321,6 +321,7 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb, + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_grpblk_t offset; + ext4_grpblk_t next_zero_bit; ++ ext4_grpblk_t max_bit = EXT4_CLUSTERS_PER_GROUP(sb); + ext4_fsblk_t blk; + ext4_fsblk_t group_first_block; + +@@ -338,20 +339,25 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb, + /* check whether block bitmap block number is set */ + blk = ext4_block_bitmap(sb, desc); + offset = blk - group_first_block; +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit || ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + /* bad block bitmap */ + return blk; + + /* check whether the inode bitmap block number is set */ + blk = ext4_inode_bitmap(sb, desc); + offset = blk - group_first_block; +- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit || ++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data)) + /* bad block bitmap */ + return blk; + + /* check whether the inode table block number is set */ + blk = ext4_inode_table(sb, desc); + offset = blk - group_first_block; ++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit || ++ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit) ++ return blk; + next_zero_bit = ext4_find_next_zero_bit(bh->b_data, + EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group), + EXT4_B2C(sbi, offset)); +@@ -417,6 +423,7 @@ struct buffer_head * + ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + { + struct ext4_group_desc *desc; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh; + ext4_fsblk_t bitmap_blk; + int err; +@@ -425,6 +432,12 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + if (!desc) + return ERR_PTR(-EFSCORRUPTED); + bitmap_blk = ext4_block_bitmap(sb, desc); ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { ++ ext4_error(sb, "Invalid block bitmap block %llu in " ++ "block_group %u", bitmap_blk, block_group); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + bh = sb_getblk(sb, bitmap_blk); + if (unlikely(!bh)) { + ext4_error(sb, "Cannot get buffer for block bitmap - " +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index c941251ac0c0..883e89a903d1 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -5346,8 +5346,9 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, + stop = le32_to_cpu(extent->ee_block); + + /* +- * In case of left shift, Don't start shifting extents until we make +- * sure the hole is big enough to accommodate the shift. ++ * For left shifts, make sure the hole on the left is big enough to ++ * accommodate the shift. For right shifts, make sure the last extent ++ * won't be shifted beyond EXT_MAX_BLOCKS. + */ + if (SHIFT == SHIFT_LEFT) { + path = ext4_find_extent(inode, start - 1, &path, +@@ -5367,9 +5368,14 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle, + + if ((start == ex_start && shift > ex_start) || + (shift > start - ex_end)) { +- ext4_ext_drop_refs(path); +- kfree(path); +- return -EINVAL; ++ ret = -EINVAL; ++ goto out; ++ } ++ } else { ++ if (shift > EXT_MAX_BLOCKS - ++ (stop + ext4_ext_get_actual_len(extent))) { ++ ret = -EINVAL; ++ goto out; + } + } + +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index 7ec55dd8db56..f420124ac035 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -122,6 +122,7 @@ static struct buffer_head * + ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + { + struct ext4_group_desc *desc; ++ struct ext4_sb_info *sbi = EXT4_SB(sb); + struct buffer_head *bh = NULL; + ext4_fsblk_t bitmap_blk; + int err; +@@ -131,6 +132,12 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + return ERR_PTR(-EFSCORRUPTED); + + bitmap_blk = ext4_inode_bitmap(sb, desc); ++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || ++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) { ++ ext4_error(sb, "Invalid inode bitmap blk %llu in " ++ "block_group %u", bitmap_blk, block_group); ++ return ERR_PTR(-EFSCORRUPTED); ++ } + bh = sb_getblk(sb, bitmap_blk); + if (unlikely(!bh)) { + ext4_error(sb, "Cannot read inode bitmap - " +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 3a605c672649..9102ae7709d3 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5865,5 +5865,6 @@ static void __exit ext4_exit_fs(void) + MODULE_AUTHOR("Remy Card, Stephen Tweedie, Andrew Morton, Andreas Dilger, Theodore Ts'o and others"); + MODULE_DESCRIPTION("Fourth Extended Filesystem"); + MODULE_LICENSE("GPL"); ++MODULE_SOFTDEP("pre: crc32c"); + module_init(ext4_init_fs) + module_exit(ext4_exit_fs) +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index c0681814c379..07793e25c976 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -535,6 +535,7 @@ int jbd2_journal_start_reserved(handle_t *handle, unsigned int type, + */ + ret = start_this_handle(journal, handle, GFP_NOFS); + if (ret < 0) { ++ handle->h_journal = journal; + jbd2_journal_free_reserved(handle); + return ret; + } +diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h +index 353f52fdc35e..fcec26d60d8c 100644 +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -170,7 +170,7 @@ + #endif + + #ifdef CONFIG_SERIAL_EARLYCON +-#define EARLYCON_TABLE() STRUCT_ALIGN(); \ ++#define EARLYCON_TABLE() . = ALIGN(8); \ + VMLINUX_SYMBOL(__earlycon_table) = .; \ + KEEP(*(__earlycon_table)) \ + VMLINUX_SYMBOL(__earlycon_table_end) = .; +diff --git a/include/kvm/arm_psci.h b/include/kvm/arm_psci.h +index e518e4e3dfb5..4b1548129fa2 100644 +--- a/include/kvm/arm_psci.h ++++ b/include/kvm/arm_psci.h +@@ -37,10 +37,15 @@ static inline int kvm_psci_version(struct kvm_vcpu *vcpu, struct kvm *kvm) + * Our PSCI implementation stays the same across versions from + * v0.2 onward, only adding the few mandatory functions (such + * as FEATURES with 1.0) that are required by newer +- * revisions. It is thus safe to return the latest. ++ * revisions. It is thus safe to return the latest, unless ++ * userspace has instructed us otherwise. + */ +- if (test_bit(KVM_ARM_VCPU_PSCI_0_2, vcpu->arch.features)) ++ if (test_bit(KVM_ARM_VCPU_PSCI_0_2, vcpu->arch.features)) { ++ if (vcpu->kvm->arch.psci_version) ++ return vcpu->kvm->arch.psci_version; ++ + return KVM_ARM_PSCI_LATEST; ++ } + + return KVM_ARM_PSCI_0_1; + } +@@ -48,4 +53,11 @@ static inline int kvm_psci_version(struct kvm_vcpu *vcpu, struct kvm *kvm) + + int kvm_hvc_call_handler(struct kvm_vcpu *vcpu); + ++struct kvm_one_reg; ++ ++int kvm_arm_get_fw_num_regs(struct kvm_vcpu *vcpu); ++int kvm_arm_copy_fw_reg_indices(struct kvm_vcpu *vcpu, u64 __user *uindices); ++int kvm_arm_get_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg); ++int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg); ++ + #endif /* __KVM_ARM_PSCI_H__ */ +diff --git a/include/linux/mtd/flashchip.h b/include/linux/mtd/flashchip.h +index b63fa457febd..3529683f691e 100644 +--- a/include/linux/mtd/flashchip.h ++++ b/include/linux/mtd/flashchip.h +@@ -85,6 +85,7 @@ struct flchip { + unsigned int write_suspended:1; + unsigned int erase_suspended:1; + unsigned long in_progress_block_addr; ++ unsigned long in_progress_block_mask; + + struct mutex mutex; + wait_queue_head_t wq; /* Wait on here when we're waiting for the chip +diff --git a/include/linux/serial_core.h b/include/linux/serial_core.h +index 5553e04e59c9..74fc82d22310 100644 +--- a/include/linux/serial_core.h ++++ b/include/linux/serial_core.h +@@ -351,10 +351,10 @@ struct earlycon_id { + char name[16]; + char compatible[128]; + int (*setup)(struct earlycon_device *, const char *options); +-} __aligned(32); ++}; + +-extern const struct earlycon_id __earlycon_table[]; +-extern const struct earlycon_id __earlycon_table_end[]; ++extern const struct earlycon_id *__earlycon_table[]; ++extern const struct earlycon_id *__earlycon_table_end[]; + + #if defined(CONFIG_SERIAL_EARLYCON) && !defined(MODULE) + #define EARLYCON_USED_OR_UNUSED __used +@@ -362,12 +362,19 @@ extern const struct earlycon_id __earlycon_table_end[]; + #define EARLYCON_USED_OR_UNUSED __maybe_unused + #endif + +-#define OF_EARLYCON_DECLARE(_name, compat, fn) \ +- static const struct earlycon_id __UNIQUE_ID(__earlycon_##_name) \ +- EARLYCON_USED_OR_UNUSED __section(__earlycon_table) \ ++#define _OF_EARLYCON_DECLARE(_name, compat, fn, unique_id) \ ++ static const struct earlycon_id unique_id \ ++ EARLYCON_USED_OR_UNUSED __initconst \ + = { .name = __stringify(_name), \ + .compatible = compat, \ +- .setup = fn } ++ .setup = fn }; \ ++ static const struct earlycon_id EARLYCON_USED_OR_UNUSED \ ++ __section(__earlycon_table) \ ++ * const __PASTE(__p, unique_id) = &unique_id ++ ++#define OF_EARLYCON_DECLARE(_name, compat, fn) \ ++ _OF_EARLYCON_DECLARE(_name, compat, fn, \ ++ __UNIQUE_ID(__earlycon_##_name)) + + #define EARLYCON_DECLARE(_name, fn) OF_EARLYCON_DECLARE(_name, "", fn) + +diff --git a/include/linux/tty.h b/include/linux/tty.h +index 47f8af22f216..1dd587ba6d88 100644 +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -701,7 +701,7 @@ extern int tty_unregister_ldisc(int disc); + extern int tty_set_ldisc(struct tty_struct *tty, int disc); + extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty); + extern void tty_ldisc_release(struct tty_struct *tty); +-extern void tty_ldisc_init(struct tty_struct *tty); ++extern int __must_check tty_ldisc_init(struct tty_struct *tty); + extern void tty_ldisc_deinit(struct tty_struct *tty); + extern int tty_ldisc_receive_buf(struct tty_ldisc *ld, const unsigned char *p, + char *f, int count); +diff --git a/include/linux/virtio.h b/include/linux/virtio.h +index 988c7355bc22..fa1b5da2804e 100644 +--- a/include/linux/virtio.h ++++ b/include/linux/virtio.h +@@ -157,6 +157,9 @@ int virtio_device_freeze(struct virtio_device *dev); + int virtio_device_restore(struct virtio_device *dev); + #endif + ++#define virtio_device_for_each_vq(vdev, vq) \ ++ list_for_each_entry(vq, &vdev->vqs, list) ++ + /** + * virtio_driver - operations for a virtio I/O driver + * @driver: underlying device driver (populate name and owner). +diff --git a/include/sound/control.h b/include/sound/control.h +index ca13a44ae9d4..6011a58d3e20 100644 +--- a/include/sound/control.h ++++ b/include/sound/control.h +@@ -23,6 +23,7 @@ + */ + + #include <linux/wait.h> ++#include <linux/nospec.h> + #include <sound/asound.h> + + #define snd_kcontrol_chip(kcontrol) ((kcontrol)->private_data) +@@ -148,12 +149,14 @@ int snd_ctl_get_preferred_subdevice(struct snd_card *card, int type); + + static inline unsigned int snd_ctl_get_ioffnum(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) + { +- return id->numid - kctl->id.numid; ++ unsigned int ioff = id->numid - kctl->id.numid; ++ return array_index_nospec(ioff, kctl->count); + } + + static inline unsigned int snd_ctl_get_ioffidx(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) + { +- return id->index - kctl->id.index; ++ unsigned int ioff = id->index - kctl->id.index; ++ return array_index_nospec(ioff, kctl->count); + } + + static inline unsigned int snd_ctl_get_ioff(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id) +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index dfa4a117fee3..bb2af74e6b62 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -820,12 +820,13 @@ static ktime_t tick_nohz_stop_sched_tick(struct tick_sched *ts, + goto out; + } + +- hrtimer_set_expires(&ts->sched_timer, tick); +- +- if (ts->nohz_mode == NOHZ_MODE_HIGHRES) +- hrtimer_start_expires(&ts->sched_timer, HRTIMER_MODE_ABS_PINNED); +- else ++ if (ts->nohz_mode == NOHZ_MODE_HIGHRES) { ++ hrtimer_start(&ts->sched_timer, tick, HRTIMER_MODE_ABS_PINNED); ++ } else { ++ hrtimer_set_expires(&ts->sched_timer, tick); + tick_program_event(tick, 1); ++ } ++ + out: + /* + * Update the estimated sleep length until the next timer +diff --git a/lib/kobject.c b/lib/kobject.c +index 763d70a18941..34f847252c02 100644 +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -234,14 +234,12 @@ static int kobject_add_internal(struct kobject *kobj) + + /* be noisy on error issues */ + if (error == -EEXIST) +- WARN(1, "%s failed for %s with " +- "-EEXIST, don't try to register things with " +- "the same name in the same directory.\n", +- __func__, kobject_name(kobj)); ++ pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n", ++ __func__, kobject_name(kobj)); + else +- WARN(1, "%s failed for %s (error: %d parent: %s)\n", +- __func__, kobject_name(kobj), error, +- parent ? kobject_name(parent) : "'none'"); ++ pr_err("%s failed for %s (error: %d parent: %s)\n", ++ __func__, kobject_name(kobj), error, ++ parent ? kobject_name(parent) : "'none'"); + } else + kobj->state_in_sysfs = 1; + +diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c +index ad93342c90d7..5c4e85296cf6 100644 +--- a/net/ceph/messenger.c ++++ b/net/ceph/messenger.c +@@ -2530,6 +2530,11 @@ static int try_write(struct ceph_connection *con) + int ret = 1; + + dout("try_write start %p state %lu\n", con, con->state); ++ if (con->state != CON_STATE_PREOPEN && ++ con->state != CON_STATE_CONNECTING && ++ con->state != CON_STATE_NEGOTIATING && ++ con->state != CON_STATE_OPEN) ++ return 0; + + more: + dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes); +@@ -2555,6 +2560,8 @@ static int try_write(struct ceph_connection *con) + } + + more_kvec: ++ BUG_ON(!con->sock); ++ + /* kvec data queued? */ + if (con->out_kvec_left) { + ret = write_partial_kvec(con); +diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c +index 9ae1bab8c05d..f14498a7eaec 100644 +--- a/net/ceph/mon_client.c ++++ b/net/ceph/mon_client.c +@@ -209,6 +209,14 @@ static void reopen_session(struct ceph_mon_client *monc) + __open_session(monc); + } + ++static void un_backoff(struct ceph_mon_client *monc) ++{ ++ monc->hunt_mult /= 2; /* reduce by 50% */ ++ if (monc->hunt_mult < 1) ++ monc->hunt_mult = 1; ++ dout("%s hunt_mult now %d\n", __func__, monc->hunt_mult); ++} ++ + /* + * Reschedule delayed work timer. + */ +@@ -963,6 +971,7 @@ static void delayed_work(struct work_struct *work) + if (!monc->hunting) { + ceph_con_keepalive(&monc->con); + __validate_auth(monc); ++ un_backoff(monc); + } + + if (is_auth && +@@ -1123,9 +1132,8 @@ static void finish_hunting(struct ceph_mon_client *monc) + dout("%s found mon%d\n", __func__, monc->cur_mon); + monc->hunting = false; + monc->had_a_connection = true; +- monc->hunt_mult /= 2; /* reduce by 50% */ +- if (monc->hunt_mult < 1) +- monc->hunt_mult = 1; ++ un_backoff(monc); ++ __schedule_delayed(monc); + } + } + +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c +index b719d0bd833e..06d7c40af570 100644 +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -27,10 +27,11 @@ static int snd_pcm_ioctl_delay_compat(struct snd_pcm_substream *substream, + s32 __user *src) + { + snd_pcm_sframes_t delay; ++ int err; + +- delay = snd_pcm_delay(substream); +- if (delay < 0) +- return delay; ++ err = snd_pcm_delay(substream, &delay); ++ if (err) ++ return err; + if (put_user(delay, src)) + return -EFAULT; + return 0; +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index eba2bedcbc81..ab3bf36786b6 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2689,7 +2689,8 @@ static int snd_pcm_hwsync(struct snd_pcm_substream *substream) + return err; + } + +-static snd_pcm_sframes_t snd_pcm_delay(struct snd_pcm_substream *substream) ++static int snd_pcm_delay(struct snd_pcm_substream *substream, ++ snd_pcm_sframes_t *delay) + { + struct snd_pcm_runtime *runtime = substream->runtime; + int err; +@@ -2705,7 +2706,9 @@ static snd_pcm_sframes_t snd_pcm_delay(struct snd_pcm_substream *substream) + n += runtime->delay; + } + snd_pcm_stream_unlock_irq(substream); +- return err < 0 ? err : n; ++ if (!err) ++ *delay = n; ++ return err; + } + + static int snd_pcm_sync_ptr(struct snd_pcm_substream *substream, +@@ -2748,6 +2751,7 @@ static int snd_pcm_sync_ptr(struct snd_pcm_substream *substream, + sync_ptr.s.status.hw_ptr = status->hw_ptr; + sync_ptr.s.status.tstamp = status->tstamp; + sync_ptr.s.status.suspended_state = status->suspended_state; ++ sync_ptr.s.status.audio_tstamp = status->audio_tstamp; + snd_pcm_stream_unlock_irq(substream); + if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr))) + return -EFAULT; +@@ -2913,11 +2917,13 @@ static int snd_pcm_common_ioctl(struct file *file, + return snd_pcm_hwsync(substream); + case SNDRV_PCM_IOCTL_DELAY: + { +- snd_pcm_sframes_t delay = snd_pcm_delay(substream); ++ snd_pcm_sframes_t delay; + snd_pcm_sframes_t __user *res = arg; ++ int err; + +- if (delay < 0) +- return delay; ++ err = snd_pcm_delay(substream, &delay); ++ if (err) ++ return err; + if (put_user(delay, res)) + return -EFAULT; + return 0; +@@ -3005,13 +3011,7 @@ int snd_pcm_kernel_ioctl(struct snd_pcm_substream *substream, + case SNDRV_PCM_IOCTL_DROP: + return snd_pcm_drop(substream); + case SNDRV_PCM_IOCTL_DELAY: +- { +- result = snd_pcm_delay(substream); +- if (result < 0) +- return result; +- *frames = result; +- return 0; +- } ++ return snd_pcm_delay(substream, frames); + default: + return -EINVAL; + } +diff --git a/sound/core/seq/oss/seq_oss_event.c b/sound/core/seq/oss/seq_oss_event.c +index c3908862bc8b..86ca584c27b2 100644 +--- a/sound/core/seq/oss/seq_oss_event.c ++++ b/sound/core/seq/oss/seq_oss_event.c +@@ -26,6 +26,7 @@ + #include <sound/seq_oss_legacy.h> + #include "seq_oss_readq.h" + #include "seq_oss_writeq.h" ++#include <linux/nospec.h> + + + /* +@@ -287,10 +288,10 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st + { + struct seq_oss_synthinfo *info; + +- if (!snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- info = &dp->synths[dev]; + switch (info->arg.event_passing) { + case SNDRV_SEQ_OSS_PROCESS_EVENTS: + if (! info->ch || ch < 0 || ch >= info->nr_voices) { +@@ -298,6 +299,7 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev); + } + ++ ch = array_index_nospec(ch, info->nr_voices); + if (note == 255 && info->ch[ch].note >= 0) { + /* volume control */ + int type; +@@ -347,10 +349,10 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + { + struct seq_oss_synthinfo *info; + +- if (!snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- info = &dp->synths[dev]; + switch (info->arg.event_passing) { + case SNDRV_SEQ_OSS_PROCESS_EVENTS: + if (! info->ch || ch < 0 || ch >= info->nr_voices) { +@@ -358,6 +360,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev); + } + ++ ch = array_index_nospec(ch, info->nr_voices); + if (info->ch[ch].note >= 0) { + note = info->ch[ch].note; + info->ch[ch].vel = 0; +@@ -381,7 +384,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s + static int + set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, int vel, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ if (!snd_seq_oss_synth_info(dp, dev)) + return -ENXIO; + + ev->type = type; +@@ -399,7 +402,7 @@ set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, + static int + set_control_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int param, int val, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ if (!snd_seq_oss_synth_info(dp, dev)) + return -ENXIO; + + ev->type = type; +diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c +index b30b2139e3f0..9debd1b8fd28 100644 +--- a/sound/core/seq/oss/seq_oss_midi.c ++++ b/sound/core/seq/oss/seq_oss_midi.c +@@ -29,6 +29,7 @@ + #include "../seq_lock.h" + #include <linux/init.h> + #include <linux/slab.h> ++#include <linux/nospec.h> + + + /* +@@ -315,6 +316,7 @@ get_mididev(struct seq_oss_devinfo *dp, int dev) + { + if (dev < 0 || dev >= dp->max_mididev) + return NULL; ++ dev = array_index_nospec(dev, dp->max_mididev); + return get_mdev(dev); + } + +diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c +index cd0e0ebbfdb1..278ebb993122 100644 +--- a/sound/core/seq/oss/seq_oss_synth.c ++++ b/sound/core/seq/oss/seq_oss_synth.c +@@ -26,6 +26,7 @@ + #include <linux/init.h> + #include <linux/module.h> + #include <linux/slab.h> ++#include <linux/nospec.h> + + /* + * constants +@@ -339,17 +340,13 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp) + dp->max_synthdev = 0; + } + +-/* +- * check if the specified device is MIDI mapped device +- */ +-static int +-is_midi_dev(struct seq_oss_devinfo *dp, int dev) ++static struct seq_oss_synthinfo * ++get_synthinfo_nospec(struct seq_oss_devinfo *dp, int dev) + { + if (dev < 0 || dev >= dp->max_synthdev) +- return 0; +- if (dp->synths[dev].is_midi) +- return 1; +- return 0; ++ return NULL; ++ dev = array_index_nospec(dev, SNDRV_SEQ_OSS_MAX_SYNTH_DEVS); ++ return &dp->synths[dev]; + } + + /* +@@ -359,14 +356,20 @@ static struct seq_oss_synth * + get_synthdev(struct seq_oss_devinfo *dp, int dev) + { + struct seq_oss_synth *rec; +- if (dev < 0 || dev >= dp->max_synthdev) +- return NULL; +- if (! dp->synths[dev].opened) ++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev); ++ ++ if (!info) + return NULL; +- if (dp->synths[dev].is_midi) +- return &midi_synth_dev; +- if ((rec = get_sdev(dev)) == NULL) ++ if (!info->opened) + return NULL; ++ if (info->is_midi) { ++ rec = &midi_synth_dev; ++ snd_use_lock_use(&rec->use_lock); ++ } else { ++ rec = get_sdev(dev); ++ if (!rec) ++ return NULL; ++ } + if (! rec->opened) { + snd_use_lock_free(&rec->use_lock); + return NULL; +@@ -402,10 +405,8 @@ snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev) + struct seq_oss_synth *rec; + struct seq_oss_synthinfo *info; + +- if (snd_BUG_ON(dev < 0 || dev >= dp->max_synthdev)) +- return; +- info = &dp->synths[dev]; +- if (! info->opened) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info || !info->opened) + return; + if (info->sysex) + info->sysex->len = 0; /* reset sysex */ +@@ -454,12 +455,14 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + const char __user *buf, int p, int c) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info; + int rc; + +- if (dev < 0 || dev >= dp->max_synthdev) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info) + return -ENXIO; + +- if (is_midi_dev(dp, dev)) ++ if (info->is_midi) + return 0; + if ((rec = get_synthdev(dp, dev)) == NULL) + return -ENXIO; +@@ -467,24 +470,25 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + if (rec->oper.load_patch == NULL) + rc = -ENXIO; + else +- rc = rec->oper.load_patch(&dp->synths[dev].arg, fmt, buf, p, c); ++ rc = rec->oper.load_patch(&info->arg, fmt, buf, p, c); + snd_use_lock_free(&rec->use_lock); + return rc; + } + + /* +- * check if the device is valid synth device ++ * check if the device is valid synth device and return the synth info + */ +-int +-snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev) ++struct seq_oss_synthinfo * ++snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, int dev) + { + struct seq_oss_synth *rec; ++ + rec = get_synthdev(dp, dev); + if (rec) { + snd_use_lock_free(&rec->use_lock); +- return 1; ++ return get_synthinfo_nospec(dp, dev); + } +- return 0; ++ return NULL; + } + + +@@ -499,16 +503,18 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + int i, send; + unsigned char *dest; + struct seq_oss_synth_sysex *sysex; ++ struct seq_oss_synthinfo *info; + +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info) + return -ENXIO; + +- sysex = dp->synths[dev].sysex; ++ sysex = info->sysex; + if (sysex == NULL) { + sysex = kzalloc(sizeof(*sysex), GFP_KERNEL); + if (sysex == NULL) + return -ENOMEM; +- dp->synths[dev].sysex = sysex; ++ info->sysex = sysex; + } + + send = 0; +@@ -553,10 +559,12 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + int + snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev)) ++ struct seq_oss_synthinfo *info = snd_seq_oss_synth_info(dp, dev); ++ ++ if (!info) + return -EINVAL; +- snd_seq_oss_fill_addr(dp, ev, dp->synths[dev].arg.addr.client, +- dp->synths[dev].arg.addr.port); ++ snd_seq_oss_fill_addr(dp, ev, info->arg.addr.client, ++ info->arg.addr.port); + return 0; + } + +@@ -568,16 +576,18 @@ int + snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, unsigned long addr) + { + struct seq_oss_synth *rec; ++ struct seq_oss_synthinfo *info; + int rc; + +- if (is_midi_dev(dp, dev)) ++ info = get_synthinfo_nospec(dp, dev); ++ if (!info || info->is_midi) + return -ENXIO; + if ((rec = get_synthdev(dp, dev)) == NULL) + return -ENXIO; + if (rec->oper.ioctl == NULL) + rc = -ENXIO; + else +- rc = rec->oper.ioctl(&dp->synths[dev].arg, cmd, addr); ++ rc = rec->oper.ioctl(&info->arg, cmd, addr); + snd_use_lock_free(&rec->use_lock); + return rc; + } +@@ -589,7 +599,10 @@ snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, u + int + snd_seq_oss_synth_raw_event(struct seq_oss_devinfo *dp, int dev, unsigned char *data, struct snd_seq_event *ev) + { +- if (! snd_seq_oss_synth_is_valid(dp, dev) || is_midi_dev(dp, dev)) ++ struct seq_oss_synthinfo *info; ++ ++ info = snd_seq_oss_synth_info(dp, dev); ++ if (!info || info->is_midi) + return -ENXIO; + ev->type = SNDRV_SEQ_EVENT_OSS; + memcpy(ev->data.raw8.d, data, 8); +diff --git a/sound/core/seq/oss/seq_oss_synth.h b/sound/core/seq/oss/seq_oss_synth.h +index 74ac55f166b6..a63f9e22974d 100644 +--- a/sound/core/seq/oss/seq_oss_synth.h ++++ b/sound/core/seq/oss/seq_oss_synth.h +@@ -37,7 +37,8 @@ void snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp); + void snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev); + int snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt, + const char __user *buf, int p, int c); +-int snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev); ++struct seq_oss_synthinfo *snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, ++ int dev); + int snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf, + struct snd_seq_event *ev); + int snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev); +diff --git a/sound/drivers/opl3/opl3_synth.c b/sound/drivers/opl3/opl3_synth.c +index ddcc1a325a61..42920a243328 100644 +--- a/sound/drivers/opl3/opl3_synth.c ++++ b/sound/drivers/opl3/opl3_synth.c +@@ -21,6 +21,7 @@ + + #include <linux/slab.h> + #include <linux/export.h> ++#include <linux/nospec.h> + #include <sound/opl3.h> + #include <sound/asound_fm.h> + +@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v + { + unsigned short reg_side; + unsigned char op_offset; +- unsigned char voice_offset; ++ unsigned char voice_offset, voice_op; + + unsigned short opl3_reg; + unsigned char reg_val; +@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v + voice_offset = voice->voice - MAX_OPL2_VOICES; + } + /* Get register offset of operator */ +- op_offset = snd_opl3_regmap[voice_offset][voice->op]; ++ voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES); ++ voice_op = array_index_nospec(voice->op, 4); ++ op_offset = snd_opl3_regmap[voice_offset][voice_op]; + + reg_val = 0x00; + /* Set amplitude modulation (tremolo) effect */ +diff --git a/sound/firewire/dice/dice-stream.c b/sound/firewire/dice/dice-stream.c +index 8573289c381e..928a255bfc35 100644 +--- a/sound/firewire/dice/dice-stream.c ++++ b/sound/firewire/dice/dice-stream.c +@@ -435,7 +435,7 @@ int snd_dice_stream_init_duplex(struct snd_dice *dice) + err = init_stream(dice, AMDTP_IN_STREAM, i); + if (err < 0) { + for (; i >= 0; i--) +- destroy_stream(dice, AMDTP_OUT_STREAM, i); ++ destroy_stream(dice, AMDTP_IN_STREAM, i); + goto end; + } + } +diff --git a/sound/firewire/dice/dice.c b/sound/firewire/dice/dice.c +index 4ddb4cdd054b..96bb01b6b751 100644 +--- a/sound/firewire/dice/dice.c ++++ b/sound/firewire/dice/dice.c +@@ -14,7 +14,7 @@ MODULE_LICENSE("GPL v2"); + #define OUI_WEISS 0x001c6a + #define OUI_LOUD 0x000ff2 + #define OUI_FOCUSRITE 0x00130e +-#define OUI_TCELECTRONIC 0x001486 ++#define OUI_TCELECTRONIC 0x000166 + + #define DICE_CATEGORY_ID 0x04 + #define WEISS_CATEGORY_ID 0x00 +diff --git a/sound/pci/asihpi/hpimsginit.c b/sound/pci/asihpi/hpimsginit.c +index 7eb617175fde..a31a70dccecf 100644 +--- a/sound/pci/asihpi/hpimsginit.c ++++ b/sound/pci/asihpi/hpimsginit.c +@@ -23,6 +23,7 @@ + + #include "hpi_internal.h" + #include "hpimsginit.h" ++#include <linux/nospec.h> + + /* The actual message size for each object type */ + static u16 msg_size[HPI_OBJ_MAXINDEX + 1] = HPI_MESSAGE_SIZE_BY_OBJECT; +@@ -39,10 +40,12 @@ static void hpi_init_message(struct hpi_message *phm, u16 object, + { + u16 size; + +- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) ++ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) { ++ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1); + size = msg_size[object]; +- else ++ } else { + size = sizeof(*phm); ++ } + + memset(phm, 0, size); + phm->size = size; +@@ -66,10 +69,12 @@ void hpi_init_response(struct hpi_response *phr, u16 object, u16 function, + { + u16 size; + +- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) ++ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) { ++ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1); + size = res_size[object]; +- else ++ } else { + size = sizeof(*phr); ++ } + + memset(phr, 0, sizeof(*phr)); + phr->size = size; +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c +index 5badd08e1d69..b1a2a7ea4172 100644 +--- a/sound/pci/asihpi/hpioctl.c ++++ b/sound/pci/asihpi/hpioctl.c +@@ -33,6 +33,7 @@ + #include <linux/stringify.h> + #include <linux/module.h> + #include <linux/vmalloc.h> ++#include <linux/nospec.h> + + #ifdef MODULE_FIRMWARE + MODULE_FIRMWARE("asihpi/dsp5000.bin"); +@@ -186,7 +187,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + struct hpi_adapter *pa = NULL; + + if (hm->h.adapter_index < ARRAY_SIZE(adapters)) +- pa = &adapters[hm->h.adapter_index]; ++ pa = &adapters[array_index_nospec(hm->h.adapter_index, ++ ARRAY_SIZE(adapters))]; + + if (!pa || !pa->adapter || !pa->adapter->type) { + hpi_init_response(&hr->r0, hm->h.object, +diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c +index 57df06e76968..cc009a4a3d1d 100644 +--- a/sound/pci/hda/hda_hwdep.c ++++ b/sound/pci/hda/hda_hwdep.c +@@ -21,6 +21,7 @@ + #include <linux/init.h> + #include <linux/slab.h> + #include <linux/compat.h> ++#include <linux/nospec.h> + #include <sound/core.h> + #include "hda_codec.h" + #include "hda_local.h" +@@ -51,7 +52,16 @@ static int get_wcap_ioctl(struct hda_codec *codec, + + if (get_user(verb, &arg->verb)) + return -EFAULT; +- res = get_wcaps(codec, verb >> 24); ++ /* open-code get_wcaps(verb>>24) with nospec */ ++ verb >>= 24; ++ if (verb < codec->core.start_nid || ++ verb >= codec->core.start_nid + codec->core.num_nodes) { ++ res = 0; ++ } else { ++ verb -= codec->core.start_nid; ++ verb = array_index_nospec(verb, codec->core.num_nodes); ++ res = codec->wcaps[verb]; ++ } + if (put_user(res, &arg->res)) + return -EFAULT; + return 0; +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index b4f1b6e88305..7d7eb1354eee 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1383,6 +1383,8 @@ static void hdmi_pcm_setup_pin(struct hdmi_spec *spec, + pcm = get_pcm_rec(spec, per_pin->pcm_idx); + else + return; ++ if (!pcm->pcm) ++ return; + if (!test_bit(per_pin->pcm_idx, &spec->pcm_in_use)) + return; + +@@ -2151,8 +2153,13 @@ static int generic_hdmi_build_controls(struct hda_codec *codec) + int dev, err; + int pin_idx, pcm_idx; + +- + for (pcm_idx = 0; pcm_idx < spec->pcm_used; pcm_idx++) { ++ if (!get_pcm_rec(spec, pcm_idx)->pcm) { ++ /* no PCM: mark this for skipping permanently */ ++ set_bit(pcm_idx, &spec->pcm_bitmap); ++ continue; ++ } ++ + err = generic_hdmi_build_jack(codec, pcm_idx); + if (err < 0) + return err; +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 590887d9b7a1..59daf9901466 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -331,6 +331,7 @@ static void alc_fill_eapd_coef(struct hda_codec *codec) + /* fallthrough */ + case 0x10ec0215: + case 0x10ec0233: ++ case 0x10ec0235: + case 0x10ec0236: + case 0x10ec0255: + case 0x10ec0256: +@@ -6435,6 +6436,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), ++ SND_PCI_QUIRK(0x17aa, 0x312f, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x3138, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), + SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), +@@ -7015,8 +7017,11 @@ static int patch_alc269(struct hda_codec *codec) + case 0x10ec0298: + spec->codec_variant = ALC269_TYPE_ALC298; + break; ++ case 0x10ec0235: + case 0x10ec0255: + spec->codec_variant = ALC269_TYPE_ALC255; ++ spec->shutup = alc256_shutup; ++ spec->init_hook = alc256_init; + break; + case 0x10ec0236: + case 0x10ec0256: +diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c +index f20d42714e4d..343f533906ba 100644 +--- a/sound/pci/rme9652/hdspm.c ++++ b/sound/pci/rme9652/hdspm.c +@@ -137,6 +137,7 @@ + #include <linux/pci.h> + #include <linux/math64.h> + #include <linux/io.h> ++#include <linux/nospec.h> + + #include <sound/core.h> + #include <sound/control.h> +@@ -5698,40 +5699,43 @@ static int snd_hdspm_channel_info(struct snd_pcm_substream *substream, + struct snd_pcm_channel_info *info) + { + struct hdspm *hdspm = snd_pcm_substream_chip(substream); ++ unsigned int channel = info->channel; + + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) { ++ if (snd_BUG_ON(channel >= hdspm->max_channels_out)) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: output channel out of range (%d)\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- if (hdspm->channel_map_out[info->channel] < 0) { ++ channel = array_index_nospec(channel, hdspm->max_channels_out); ++ if (hdspm->channel_map_out[channel] < 0) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: output channel %d mapped out\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- info->offset = hdspm->channel_map_out[info->channel] * ++ info->offset = hdspm->channel_map_out[channel] * + HDSPM_CHANNEL_BUFFER_BYTES; + } else { +- if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) { ++ if (snd_BUG_ON(channel >= hdspm->max_channels_in)) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: input channel out of range (%d)\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- if (hdspm->channel_map_in[info->channel] < 0) { ++ channel = array_index_nospec(channel, hdspm->max_channels_in); ++ if (hdspm->channel_map_in[channel] < 0) { + dev_info(hdspm->card->dev, + "snd_hdspm_channel_info: input channel %d mapped out\n", +- info->channel); ++ channel); + return -EINVAL; + } + +- info->offset = hdspm->channel_map_in[info->channel] * ++ info->offset = hdspm->channel_map_in[channel] * + HDSPM_CHANNEL_BUFFER_BYTES; + } + +diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c +index df648b1d9217..edd765e22377 100644 +--- a/sound/pci/rme9652/rme9652.c ++++ b/sound/pci/rme9652/rme9652.c +@@ -26,6 +26,7 @@ + #include <linux/pci.h> + #include <linux/module.h> + #include <linux/io.h> ++#include <linux/nospec.h> + + #include <sound/core.h> + #include <sound/control.h> +@@ -2071,9 +2072,10 @@ static int snd_rme9652_channel_info(struct snd_pcm_substream *substream, + if (snd_BUG_ON(info->channel >= RME9652_NCHANNELS)) + return -EINVAL; + +- if ((chn = rme9652->channel_map[info->channel]) < 0) { ++ chn = rme9652->channel_map[array_index_nospec(info->channel, ++ RME9652_NCHANNELS)]; ++ if (chn < 0) + return -EINVAL; +- } + + info->offset = chn * RME9652_CHANNEL_BUFFER_BYTES; + info->first = 0; +diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c +index cef79a1a620b..81268760b7a9 100644 +--- a/sound/soc/fsl/fsl_esai.c ++++ b/sound/soc/fsl/fsl_esai.c +@@ -144,6 +144,13 @@ static int fsl_esai_divisor_cal(struct snd_soc_dai *dai, bool tx, u32 ratio, + + psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8; + ++ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */ ++ if (ratio <= 256) { ++ pm = ratio; ++ fp = 1; ++ goto out; ++ } ++ + /* Set the max fluctuation -- 0.1% of the max devisor */ + savesub = (psr ? 1 : 8) * 256 * maxfp / 1000; + +diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c +index 9038b2e7df73..eaa03acd4686 100644 +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -353,8 +353,11 @@ static struct usbmix_name_map bose_companion5_map[] = { + /* + * Dell usb dock with ALC4020 codec had a firmware problem where it got + * screwed up when zero volume is passed; just skip it as a workaround ++ * ++ * Also the extension unit gives an access error, so skip it as well. + */ + static const struct usbmix_name_map dell_alc4020_map[] = { ++ { 4, NULL }, /* extension unit */ + { 16, NULL }, + { 19, NULL }, + { 0 } +diff --git a/tools/lib/str_error_r.c b/tools/lib/str_error_r.c +index d6d65537b0d9..6aad8308a0ac 100644 +--- a/tools/lib/str_error_r.c ++++ b/tools/lib/str_error_r.c +@@ -22,6 +22,6 @@ char *str_error_r(int errnum, char *buf, size_t buflen) + { + int err = strerror_r(errnum, buf, buflen); + if (err) +- snprintf(buf, buflen, "INTERNAL ERROR: strerror_r(%d, %p, %zd)=%d", errnum, buf, buflen, err); ++ snprintf(buf, buflen, "INTERNAL ERROR: strerror_r(%d, [buf], %zd)=%d", errnum, buflen, err); + return buf; + } +diff --git a/tools/lib/subcmd/pager.c b/tools/lib/subcmd/pager.c +index 5ba754d17952..9997a8805a82 100644 +--- a/tools/lib/subcmd/pager.c ++++ b/tools/lib/subcmd/pager.c +@@ -30,10 +30,13 @@ static void pager_preexec(void) + * have real input + */ + fd_set in; ++ fd_set exception; + + FD_ZERO(&in); ++ FD_ZERO(&exception); + FD_SET(0, &in); +- select(1, &in, NULL, &in, NULL); ++ FD_SET(0, &exception); ++ select(1, &in, NULL, &exception, NULL); + + setenv("LESS", "FRSX", 0); + } +diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c +index 1366462a3ab2..9bee849db682 100644 +--- a/virt/kvm/arm/arm.c ++++ b/virt/kvm/arm/arm.c +@@ -61,7 +61,7 @@ static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu); + static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1); + static u32 kvm_next_vmid; + static unsigned int kvm_vmid_bits __read_mostly; +-static DEFINE_SPINLOCK(kvm_vmid_lock); ++static DEFINE_RWLOCK(kvm_vmid_lock); + + static bool vgic_present; + +@@ -462,11 +462,16 @@ static void update_vttbr(struct kvm *kvm) + { + phys_addr_t pgd_phys; + u64 vmid; ++ bool new_gen; + +- if (!need_new_vmid_gen(kvm)) ++ read_lock(&kvm_vmid_lock); ++ new_gen = need_new_vmid_gen(kvm); ++ read_unlock(&kvm_vmid_lock); ++ ++ if (!new_gen) + return; + +- spin_lock(&kvm_vmid_lock); ++ write_lock(&kvm_vmid_lock); + + /* + * We need to re-check the vmid_gen here to ensure that if another vcpu +@@ -474,7 +479,7 @@ static void update_vttbr(struct kvm *kvm) + * use the same vmid. + */ + if (!need_new_vmid_gen(kvm)) { +- spin_unlock(&kvm_vmid_lock); ++ write_unlock(&kvm_vmid_lock); + return; + } + +@@ -508,7 +513,7 @@ static void update_vttbr(struct kvm *kvm) + vmid = ((u64)(kvm->arch.vmid) << VTTBR_VMID_SHIFT) & VTTBR_VMID_MASK(kvm_vmid_bits); + kvm->arch.vttbr = pgd_phys | vmid; + +- spin_unlock(&kvm_vmid_lock); ++ write_unlock(&kvm_vmid_lock); + } + + static int kvm_vcpu_first_run_init(struct kvm_vcpu *vcpu) +diff --git a/virt/kvm/arm/psci.c b/virt/kvm/arm/psci.c +index 6919352cbf15..c4762bef13c6 100644 +--- a/virt/kvm/arm/psci.c ++++ b/virt/kvm/arm/psci.c +@@ -18,6 +18,7 @@ + #include <linux/arm-smccc.h> + #include <linux/preempt.h> + #include <linux/kvm_host.h> ++#include <linux/uaccess.h> + #include <linux/wait.h> + + #include <asm/cputype.h> +@@ -427,3 +428,62 @@ int kvm_hvc_call_handler(struct kvm_vcpu *vcpu) + smccc_set_retval(vcpu, val, 0, 0, 0); + return 1; + } ++ ++int kvm_arm_get_fw_num_regs(struct kvm_vcpu *vcpu) ++{ ++ return 1; /* PSCI version */ ++} ++ ++int kvm_arm_copy_fw_reg_indices(struct kvm_vcpu *vcpu, u64 __user *uindices) ++{ ++ if (put_user(KVM_REG_ARM_PSCI_VERSION, uindices)) ++ return -EFAULT; ++ ++ return 0; ++} ++ ++int kvm_arm_get_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) ++{ ++ if (reg->id == KVM_REG_ARM_PSCI_VERSION) { ++ void __user *uaddr = (void __user *)(long)reg->addr; ++ u64 val; ++ ++ val = kvm_psci_version(vcpu, vcpu->kvm); ++ if (copy_to_user(uaddr, &val, KVM_REG_SIZE(reg->id))) ++ return -EFAULT; ++ ++ return 0; ++ } ++ ++ return -EINVAL; ++} ++ ++int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) ++{ ++ if (reg->id == KVM_REG_ARM_PSCI_VERSION) { ++ void __user *uaddr = (void __user *)(long)reg->addr; ++ bool wants_02; ++ u64 val; ++ ++ if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id))) ++ return -EFAULT; ++ ++ wants_02 = test_bit(KVM_ARM_VCPU_PSCI_0_2, vcpu->arch.features); ++ ++ switch (val) { ++ case KVM_ARM_PSCI_0_1: ++ if (wants_02) ++ return -EINVAL; ++ vcpu->kvm->arch.psci_version = val; ++ return 0; ++ case KVM_ARM_PSCI_0_2: ++ case KVM_ARM_PSCI_1_0: ++ if (!wants_02) ++ return -EINVAL; ++ vcpu->kvm->arch.psci_version = val; ++ return 0; ++ } ++ } ++ ++ return -EINVAL; ++}
