Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Pagano <mpagano@gentoo.org>2019-01-09 12:51:40 -0500
committerMike Pagano <mpagano@gentoo.org>2019-01-09 12:51:40 -0500
commite5d216e0258419f8f3e76a26315623f825786c6d (patch)
tree67cf89efa6fc5355e26fc4cdf4f9ecd976f87c00
parentproj/linux-patches: Select PID_NS to support FEATURES=pid-sandbox (diff)
downloadlinux-patches-e5d216e0258419f8f3e76a26315623f825786c6d.tar.gz
linux-patches-e5d216e0258419f8f3e76a26315623f825786c6d.tar.bz2
linux-patches-e5d216e0258419f8f3e76a26315623f825786c6d.zip
proj/linux-patches: Linux patch 4.9.149
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
Diffstat
-rw-r--r--0000_README4
-rw-r--r--1148_linux-4.9.149.patch1651
2 files changed, 1655 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index 490672dc..81b354f0 100644
--- a/0000_README
+++ b/0000_README
@@ -635,6 +635,10 @@ Patch: 1147_linux-4.9.148.patch
From: http://www.kernel.org
Desc: Linux 4.9.148
+Patch: 1148_linux-4.9.149.patch
+From: http://www.kernel.org
+Desc: Linux 4.9.149
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1148_linux-4.9.149.patch b/1148_linux-4.9.149.patch
new file mode 100644
index 00000000..95ea39da
--- /dev/null
+++ b/1148_linux-4.9.149.patch
@@ -0,0 +1,1651 @@
+diff --git a/Makefile b/Makefile
+index 1b71b11ea63e..1feac0246fe2 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 9
+-SUBLEVEL = 148
++SUBLEVEL = 149
+ EXTRAVERSION =
+ NAME = Roaring Lionus
+
+diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
+index 0dbc1c6ab7dc..68dedca5a47e 100644
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -99,7 +99,7 @@
+ TCR_EL2_ORGN0_MASK | TCR_EL2_IRGN0_MASK | TCR_EL2_T0SZ_MASK)
+
+ /* VTCR_EL2 Registers bits */
+-#define VTCR_EL2_RES1 (1 << 31)
++#define VTCR_EL2_RES1 (1U << 31)
+ #define VTCR_EL2_HD (1 << 22)
+ #define VTCR_EL2_HA (1 << 21)
+ #define VTCR_EL2_PS_MASK TCR_EL2_PS_MASK
+diff --git a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+index 37fe58c19a90..542c3ede9722 100644
+--- a/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
++++ b/arch/mips/boot/compressed/calc_vmlinuz_load_addr.c
+@@ -13,6 +13,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include "../../../../include/linux/sizes.h"
+
+ int main(int argc, char *argv[])
+ {
+@@ -45,11 +46,11 @@ int main(int argc, char *argv[])
+ vmlinuz_load_addr = vmlinux_load_addr + vmlinux_size;
+
+ /*
+- * Align with 16 bytes: "greater than that used for any standard data
+- * types by a MIPS compiler." -- See MIPS Run Linux (Second Edition).
++ * Align with 64KB: KEXEC needs load sections to be aligned to PAGE_SIZE,
++ * which may be as large as 64KB depending on the kernel configuration.
+ */
+
+- vmlinuz_load_addr += (16 - vmlinux_size % 16);
++ vmlinuz_load_addr += (SZ_64K - vmlinux_size % SZ_64K);
+
+ printf("0x%llx\n", vmlinuz_load_addr);
+
+diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper.c b/arch/mips/cavium-octeon/executive/cvmx-helper.c
+index 396236a02b8c..59defc5e88aa 100644
+--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
+@@ -290,7 +290,8 @@ static cvmx_helper_interface_mode_t __cvmx_get_mode_cn7xxx(int interface)
+ case 3:
+ return CVMX_HELPER_INTERFACE_MODE_LOOP;
+ case 4:
+- return CVMX_HELPER_INTERFACE_MODE_RGMII;
++ /* TODO: Implement support for AGL (RGMII). */
++ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
+ default:
+ return CVMX_HELPER_INTERFACE_MODE_DISABLED;
+ }
+diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h
+index 514cbc0a6a67..ef6f00798011 100644
+--- a/arch/mips/include/asm/pgtable-64.h
++++ b/arch/mips/include/asm/pgtable-64.h
+@@ -193,6 +193,11 @@ static inline int pmd_bad(pmd_t pmd)
+
+ static inline int pmd_present(pmd_t pmd)
+ {
++#ifdef CONFIG_MIPS_HUGE_TLB_SUPPORT
++ if (unlikely(pmd_val(pmd) & _PAGE_HUGE))
++ return pmd_val(pmd) & _PAGE_PRESENT;
++#endif
++
+ return pmd_val(pmd) != (unsigned long) invalid_pte_table;
+ }
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 22a0ccb17ad0..9a8167b175d5 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1324,7 +1324,7 @@ asmlinkage void kvm_spurious_fault(void);
+ "cmpb $0, kvm_rebooting \n\t" \
+ "jne 668b \n\t" \
+ __ASM_SIZE(push) " $666b \n\t" \
+- "call kvm_spurious_fault \n\t" \
++ "jmp kvm_spurious_fault \n\t" \
+ ".popsection \n\t" \
+ _ASM_EXTABLE(666b, 667b)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index 011050820608..9446a3a2fc69 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6548,9 +6548,24 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu)
+
+ gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
+ if (!kvm_io_bus_write(vcpu, KVM_FAST_MMIO_BUS, gpa, 0, NULL)) {
+- skip_emulated_instruction(vcpu);
+ trace_kvm_fast_mmio(gpa);
+- return 1;
++ /*
++ * Doing kvm_skip_emulated_instruction() depends on undefined
++ * behavior: Intel's manual doesn't mandate
++ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG
++ * occurs and while on real hardware it was observed to be set,
++ * other hypervisors (namely Hyper-V) don't set it, we end up
++ * advancing IP with some random value. Disable fast mmio when
++ * running nested and keep it for real hardware in hope that
++ * VM_EXIT_INSTRUCTION_LEN will always be set correctly.
++ */
++ if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) {
++ skip_emulated_instruction(vcpu);
++ return 1;
++ }
++ else
++ return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP,
++ NULL, 0) == EMULATE_DONE;
+ }
+
+ ret = handle_mmio_page_fault(vcpu, gpa, true);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 27d13b870e07..46e0ad71b4da 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -5707,7 +5707,8 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu,
+ * handle watchpoints yet, those would be handled in
+ * the emulate_ops.
+ */
+- if (kvm_vcpu_check_breakpoint(vcpu, &r))
++ if (!(emulation_type & EMULTYPE_SKIP) &&
++ kvm_vcpu_check_breakpoint(vcpu, &r))
+ return r;
+
+ ctxt->interruptibility = 0;
+diff --git a/drivers/base/platform-msi.c b/drivers/base/platform-msi.c
+index be6a599bc0c1..7ba1d731dece 100644
+--- a/drivers/base/platform-msi.c
++++ b/drivers/base/platform-msi.c
+@@ -375,14 +375,16 @@ void platform_msi_domain_free(struct irq_domain *domain, unsigned int virq,
+ unsigned int nvec)
+ {
+ struct platform_msi_priv_data *data = domain->host_data;
+- struct msi_desc *desc;
+- for_each_msi_entry(desc, data->dev) {
++ struct msi_desc *desc, *tmp;
++ for_each_msi_entry_safe(desc, tmp, data->dev) {
+ if (WARN_ON(!desc->irq || desc->nvec_used != 1))
+ return;
+ if (!(desc->irq >= virq && desc->irq < (virq + nvec)))
+ continue;
+
+ irq_domain_free_irqs_common(domain, desc->irq, 1);
++ list_del(&desc->list);
++ free_msi_entry(desc);
+ }
+ }
+
+diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c
+index caa86b19c76d..f74f451baf6a 100644
+--- a/drivers/char/tpm/tpm_i2c_nuvoton.c
++++ b/drivers/char/tpm/tpm_i2c_nuvoton.c
+@@ -369,6 +369,7 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
+ struct device *dev = chip->dev.parent;
+ struct i2c_client *client = to_i2c_client(dev);
+ u32 ordinal;
++ unsigned long duration;
+ size_t count = 0;
+ int burst_count, bytes2write, retries, rc = -EIO;
+
+@@ -455,10 +456,12 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len)
+ return rc;
+ }
+ ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
+- rc = i2c_nuvoton_wait_for_data_avail(chip,
+- tpm_calc_ordinal_duration(chip,
+- ordinal),
+- &priv->read_queue);
++ if (chip->flags & TPM_CHIP_FLAG_TPM2)
++ duration = tpm2_calc_ordinal_duration(chip, ordinal);
++ else
++ duration = tpm_calc_ordinal_duration(chip, ordinal);
++
++ rc = i2c_nuvoton_wait_for_data_avail(chip, duration, &priv->read_queue);
+ if (rc) {
+ dev_err(dev, "%s() timeout command duration\n", __func__);
+ i2c_nuvoton_ready(chip);
+diff --git a/drivers/clk/rockchip/clk-rk3188.c b/drivers/clk/rockchip/clk-rk3188.c
+index d0e722a0e8cf..523378d1396e 100644
+--- a/drivers/clk/rockchip/clk-rk3188.c
++++ b/drivers/clk/rockchip/clk-rk3188.c
+@@ -381,7 +381,7 @@ static struct rockchip_clk_branch common_clk_branches[] __initdata = {
+ COMPOSITE_NOMUX(0, "spdif_pre", "i2s_src", 0,
+ RK2928_CLKSEL_CON(5), 0, 7, DFLAGS,
+ RK2928_CLKGATE_CON(0), 13, GFLAGS),
+- COMPOSITE_FRACMUX(0, "spdif_frac", "spdif_pll", CLK_SET_RATE_PARENT,
++ COMPOSITE_FRACMUX(0, "spdif_frac", "spdif_pre", CLK_SET_RATE_PARENT,
+ RK2928_CLKSEL_CON(9), 0,
+ RK2928_CLKGATE_CON(0), 14, GFLAGS,
+ &common_spdif_fracmux),
+diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c
+index 471984ec2db0..30adc5745cba 100644
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1240,6 +1240,7 @@ MODULE_DEVICE_TABLE(i2c, elan_id);
+ static const struct acpi_device_id elan_acpi_id[] = {
+ { "ELAN0000", 0 },
+ { "ELAN0100", 0 },
++ { "ELAN0501", 0 },
+ { "ELAN0600", 0 },
+ { "ELAN0602", 0 },
+ { "ELAN0605", 0 },
+diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
+index dd7e38ac29bd..d15347de415a 100644
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -851,7 +851,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
+ u16 ret;
+
+ if (contr == 0) {
+- strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
++ strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
+ return CAPI_NOERROR;
+ }
+
+@@ -859,7 +859,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
+
+ ctr = get_capi_ctr_by_nr(contr);
+ if (ctr && ctr->state == CAPI_CTR_RUNNING) {
+- strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
++ strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
+ ret = CAPI_NOERROR;
+ } else
+ ret = CAPI_REGNOTINSTALLED;
+diff --git a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+index 1f463f4c3024..d2f72f3635aa 100644
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1618,7 +1618,7 @@ typedef struct { u16 __; u8 _; } __packed x24;
+ unsigned s; \
+ \
+ for (s = 0; s < len; s++) { \
+- u8 chr = font8x16[text[s] * 16 + line]; \
++ u8 chr = font8x16[(u8)text[s] * 16 + line]; \
+ \
+ if (hdiv == 2 && tpg->hflip) { \
+ pos[3] = (chr & (0x01 << 6) ? fg : bg); \
+diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
+index d5c84ecf2027..25d4fd4f4c0b 100644
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -452,6 +452,8 @@ void vivid_update_format_cap(struct vivid_dev *dev, bool keep_controls)
+ tpg_s_rgb_range(&dev->tpg, v4l2_ctrl_g_ctrl(dev->rgb_range_cap));
+ break;
+ }
++ vfree(dev->bitmap_cap);
++ dev->bitmap_cap = NULL;
+ vivid_update_quality(dev);
+ tpg_reset_source(&dev->tpg, dev->src_rect.width, dev->src_rect.height, dev->field_cap);
+ dev->crop_cap = dev->src_rect;
+diff --git a/drivers/mtd/spi-nor/Kconfig b/drivers/mtd/spi-nor/Kconfig
+index 4a682ee0f632..b4f6cadd28fe 100644
+--- a/drivers/mtd/spi-nor/Kconfig
++++ b/drivers/mtd/spi-nor/Kconfig
+@@ -31,7 +31,7 @@ config MTD_SPI_NOR_USE_4K_SECTORS
+
+ config SPI_ATMEL_QUADSPI
+ tristate "Atmel Quad SPI Controller"
+- depends on ARCH_AT91 || (ARM && COMPILE_TEST)
++ depends on ARCH_AT91 || (ARM && COMPILE_TEST && !ARCH_EBSA110)
+ depends on OF && HAS_IOMEM
+ help
+ This enables support for the Quad SPI controller in master mode.
+diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
+index b375ae9f98ef..4996228fd7e6 100644
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1162,11 +1162,15 @@ out:
+
+ map_failed_frags:
+ last = i+1;
+- for (i = 0; i < last; i++)
++ for (i = 1; i < last; i++)
+ dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
+ descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
+ DMA_TO_DEVICE);
+
++ dma_unmap_single(&adapter->vdev->dev,
++ descs[0].fields.address,
++ descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
++ DMA_TO_DEVICE);
+ map_failed:
+ if (!firmware_has_feature(FW_FEATURE_CMO))
+ netdev_err(netdev, "tx: unable to map xmit buffer\n");
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index da1d73fe1a81..d5e8ac86c195 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1167,11 +1167,6 @@ static int mlx5e_get_ts_info(struct net_device *dev,
+ struct ethtool_ts_info *info)
+ {
+ struct mlx5e_priv *priv = netdev_priv(dev);
+- int ret;
+-
+- ret = ethtool_op_get_ts_info(dev, info);
+- if (ret)
+- return ret;
+
+ info->phc_index = priv->tstamp.ptp ?
+ ptp_clock_index(priv->tstamp.ptp) : -1;
+@@ -1179,9 +1174,9 @@ static int mlx5e_get_ts_info(struct net_device *dev,
+ if (!MLX5_CAP_GEN(priv->mdev, device_frequency_khz))
+ return 0;
+
+- info->so_timestamping |= SOF_TIMESTAMPING_TX_HARDWARE |
+- SOF_TIMESTAMPING_RX_HARDWARE |
+- SOF_TIMESTAMPING_RAW_HARDWARE;
++ info->so_timestamping = SOF_TIMESTAMPING_TX_HARDWARE |
++ SOF_TIMESTAMPING_RX_HARDWARE |
++ SOF_TIMESTAMPING_RAW_HARDWARE;
+
+ info->tx_types = BIT(HWTSTAMP_TX_OFF) |
+ BIT(HWTSTAMP_TX_ON);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+index 5f3402ba9916..13dfc197bdd8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -390,7 +390,7 @@ static void del_rule(struct fs_node *node)
+ }
+ if ((fte->action & MLX5_FLOW_CONTEXT_ACTION_FWD_DEST) &&
+ --fte->dests_size) {
+- modify_mask = BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_DESTINATION_LIST),
++ modify_mask = BIT(MLX5_SET_FTE_MODIFY_ENABLE_MASK_DESTINATION_LIST);
+ err = mlx5_cmd_update_fte(dev, ft,
+ fg->id,
+ modify_mask,
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index f04be9e8980f..5048a6df6a8e 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -163,11 +163,8 @@ static int mdio_bus_phy_restore(struct device *dev)
+ if (ret < 0)
+ return ret;
+
+- /* The PHY needs to renegotiate. */
+- phydev->link = 0;
+- phydev->state = PHY_UP;
+-
+- phy_start_machine(phydev);
++ if (phydev->attached_dev && phydev->adjust_link)
++ phy_start_machine(phydev);
+
+ return 0;
+ }
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 2b728cc52e3a..134eb184fa22 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -951,7 +951,7 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
+ {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */
+ {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
+- {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */
++ {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
+diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
+index 1bc5e93d2a34..eb56bb5916be 100644
+--- a/drivers/net/wan/x25_asy.c
++++ b/drivers/net/wan/x25_asy.c
+@@ -488,8 +488,10 @@ static int x25_asy_open(struct net_device *dev)
+
+ /* Cleanup */
+ kfree(sl->xbuff);
++ sl->xbuff = NULL;
+ noxbuff:
+ kfree(sl->rbuff);
++ sl->rbuff = NULL;
+ norbuff:
+ return -ENOMEM;
+ }
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index aceae791baf3..14ceeaaa7fe5 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -903,7 +903,7 @@ static RING_IDX xennet_fill_frags(struct netfront_queue *queue,
+ if (skb_shinfo(skb)->nr_frags == MAX_SKB_FRAGS) {
+ unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
+
+- BUG_ON(pull_to <= skb_headlen(skb));
++ BUG_ON(pull_to < skb_headlen(skb));
+ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ }
+ if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
+diff --git a/drivers/nfc/nxp-nci/firmware.c b/drivers/nfc/nxp-nci/firmware.c
+index 5291797324ba..553011f58339 100644
+--- a/drivers/nfc/nxp-nci/firmware.c
++++ b/drivers/nfc/nxp-nci/firmware.c
+@@ -24,7 +24,7 @@
+ #include <linux/completion.h>
+ #include <linux/firmware.h>
+ #include <linux/nfc.h>
+-#include <linux/unaligned/access_ok.h>
++#include <asm/unaligned.h>
+
+ #include "nxp-nci.h"
+
+diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
+index 36099e557730..06a157c63416 100644
+--- a/drivers/nfc/nxp-nci/i2c.c
++++ b/drivers/nfc/nxp-nci/i2c.c
+@@ -36,7 +36,7 @@
+ #include <linux/of_gpio.h>
+ #include <linux/of_irq.h>
+ #include <linux/platform_data/nxp-nci.h>
+-#include <linux/unaligned/access_ok.h>
++#include <asm/unaligned.h>
+
+ #include <net/nfc/nfc.h>
+
+diff --git a/drivers/rtc/rtc-m41t80.c b/drivers/rtc/rtc-m41t80.c
+index c4ca6a385790..6b6b623cc250 100644
+--- a/drivers/rtc/rtc-m41t80.c
++++ b/drivers/rtc/rtc-m41t80.c
+@@ -333,7 +333,7 @@ static int m41t80_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
+ alrm->time.tm_min = bcd2bin(alarmvals[3] & 0x7f);
+ alrm->time.tm_hour = bcd2bin(alarmvals[2] & 0x3f);
+ alrm->time.tm_mday = bcd2bin(alarmvals[1] & 0x3f);
+- alrm->time.tm_mon = bcd2bin(alarmvals[0] & 0x3f);
++ alrm->time.tm_mon = bcd2bin(alarmvals[0] & 0x3f) - 1;
+
+ alrm->enabled = !!(alarmvals[0] & M41T80_ALMON_AFE);
+ alrm->pending = (flags & M41T80_FLAGS_AF) && alrm->enabled;
+diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
+index f35cc10772f6..25abf2d1732a 100644
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -88,7 +88,7 @@ struct bcm2835_spi {
+ u8 *rx_buf;
+ int tx_len;
+ int rx_len;
+- bool dma_pending;
++ unsigned int dma_pending;
+ };
+
+ static inline u32 bcm2835_rd(struct bcm2835_spi *bs, unsigned reg)
+@@ -155,8 +155,7 @@ static irqreturn_t bcm2835_spi_interrupt(int irq, void *dev_id)
+ /* Write as many bytes as possible to FIFO */
+ bcm2835_wr_fifo(bs);
+
+- /* based on flags decide if we can finish the transfer */
+- if (bcm2835_rd(bs, BCM2835_SPI_CS) & BCM2835_SPI_CS_DONE) {
++ if (!bs->rx_len) {
+ /* Transfer complete - reset SPI HW */
+ bcm2835_spi_reset_hw(master);
+ /* wake up the framework */
+@@ -233,10 +232,9 @@ static void bcm2835_spi_dma_done(void *data)
+ * is called the tx-dma must have finished - can't get to this
+ * situation otherwise...
+ */
+- dmaengine_terminate_all(master->dma_tx);
+-
+- /* mark as no longer pending */
+- bs->dma_pending = 0;
++ if (cmpxchg(&bs->dma_pending, true, false)) {
++ dmaengine_terminate_all(master->dma_tx);
++ }
+
+ /* and mark as completed */;
+ complete(&master->xfer_completion);
+@@ -342,6 +340,7 @@ static int bcm2835_spi_transfer_one_dma(struct spi_master *master,
+ if (ret) {
+ /* need to reset on errors */
+ dmaengine_terminate_all(master->dma_tx);
++ bs->dma_pending = false;
+ bcm2835_spi_reset_hw(master);
+ return ret;
+ }
+@@ -617,10 +616,9 @@ static void bcm2835_spi_handle_err(struct spi_master *master,
+ struct bcm2835_spi *bs = spi_master_get_devdata(master);
+
+ /* if an error occurred and we have an active dma, then terminate */
+- if (bs->dma_pending) {
++ if (cmpxchg(&bs->dma_pending, true, false)) {
+ dmaengine_terminate_all(master->dma_tx);
+ dmaengine_terminate_all(master->dma_rx);
+- bs->dma_pending = 0;
+ }
+ /* and reset */
+ bcm2835_spi_reset_hw(master);
+diff --git a/drivers/staging/wilc1000/wilc_sdio.c b/drivers/staging/wilc1000/wilc_sdio.c
+index 39b73fb27398..63c8701dedcf 100644
+--- a/drivers/staging/wilc1000/wilc_sdio.c
++++ b/drivers/staging/wilc1000/wilc_sdio.c
+@@ -830,6 +830,7 @@ static int sdio_read_int(struct wilc *wilc, u32 *int_status)
+ if (!g_sdio.irq_gpio) {
+ int i;
+
++ cmd.read_write = 0;
+ cmd.function = 1;
+ cmd.address = 0x04;
+ cmd.data = 0;
+diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
+index 7497f1d4a818..fcf2e51f2cfe 100644
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -128,7 +128,7 @@ MODULE_PARM_DESC(rx_timeout, "Rx timeout, 1-255");
+ #define CDNS_UART_IXR_RXTRIG 0x00000001 /* RX FIFO trigger interrupt */
+ #define CDNS_UART_IXR_RXFULL 0x00000004 /* RX FIFO full interrupt. */
+ #define CDNS_UART_IXR_RXEMPTY 0x00000002 /* RX FIFO empty interrupt. */
+-#define CDNS_UART_IXR_MASK 0x00001FFF /* Valid bit mask */
++#define CDNS_UART_IXR_RXMASK 0x000021e7 /* Valid RX bit mask */
+
+ /*
+ * Do not enable parity error interrupt for the following
+@@ -362,7 +362,7 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id)
+ cdns_uart_handle_tx(dev_id);
+ isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
+ }
+- if (isrstatus & CDNS_UART_IXR_MASK)
++ if (isrstatus & CDNS_UART_IXR_RXMASK)
+ cdns_uart_handle_rx(dev_id, isrstatus);
+
+ spin_unlock(&port->lock);
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index cd4f96354fa8..6c0bb38c4089 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -502,6 +502,13 @@ static int acm_tty_install(struct tty_driver *driver, struct tty_struct *tty)
+ if (retval)
+ goto error_init_termios;
+
++ /*
++ * Suppress initial echoing for some devices which might send data
++ * immediately after acm driver has been installed.
++ */
++ if (acm->quirks & DISABLE_ECHO)
++ tty->termios.c_lflag &= ~ECHO;
++
+ tty->driver_data = acm;
+
+ return 0;
+@@ -1620,6 +1627,9 @@ static const struct usb_device_id acm_ids[] = {
+ { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
++ { USB_DEVICE(0x0e8d, 0x2000), /* MediaTek Inc Preloader */
++ .driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */
++ },
+ { USB_DEVICE(0x0e8d, 0x3329), /* MediaTek Inc GPS */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
+diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
+index b30ac5fcde68..1ad9ff9f493d 100644
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -134,3 +134,4 @@ struct acm {
+ #define QUIRK_CONTROL_LINE_STATE BIT(6)
+ #define CLEAR_HALT_CONDITIONS BIT(7)
+ #define SEND_ZERO_PACKET BIT(8)
++#define DISABLE_ECHO BIT(9)
+diff --git a/drivers/usb/host/r8a66597-hcd.c b/drivers/usb/host/r8a66597-hcd.c
+index 7bf78be1fd32..72c3ed76a77d 100644
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1990,6 +1990,8 @@ static int r8a66597_urb_dequeue(struct usb_hcd *hcd, struct urb *urb,
+
+ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
+ struct usb_host_endpoint *hep)
++__acquires(r8a66597->lock)
++__releases(r8a66597->lock)
+ {
+ struct r8a66597 *r8a66597 = hcd_to_r8a66597(hcd);
+ struct r8a66597_pipe *pipe = (struct r8a66597_pipe *)hep->hcpriv;
+@@ -2002,13 +2004,14 @@ static void r8a66597_endpoint_disable(struct usb_hcd *hcd,
+ return;
+ pipenum = pipe->info.pipenum;
+
++ spin_lock_irqsave(&r8a66597->lock, flags);
+ if (pipenum == 0) {
+ kfree(hep->hcpriv);
+ hep->hcpriv = NULL;
++ spin_unlock_irqrestore(&r8a66597->lock, flags);
+ return;
+ }
+
+- spin_lock_irqsave(&r8a66597->lock, flags);
+ pipe_stop(r8a66597, pipe);
+ pipe_irq_disable(r8a66597, pipenum);
+ disable_irq_empty(r8a66597, pipenum);
+diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
+index 1e3445dd84b2..7bc2c9fef605 100644
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1956,6 +1956,10 @@ static const struct usb_device_id option_ids[] = {
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
++ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
++ .driver_info = RSVD(4) | RSVD(5) },
++ { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0105, 0xff), /* Fibocom NL678 series */
++ .driver_info = RSVD(6) },
+ { } /* Terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, option_ids);
+diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
+index 3da25ad267a2..4966768d3c98 100644
+--- a/drivers/usb/serial/pl2303.c
++++ b/drivers/usb/serial/pl2303.c
+@@ -86,9 +86,14 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
+ { USB_DEVICE(SUPERIAL_VENDOR_ID, SUPERIAL_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD220_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD220TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LD960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LD960TA_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM220_PRODUCT_ID) },
+ { USB_DEVICE(HP_VENDOR_ID, HP_LCM960_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM920_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_LM940_PRODUCT_ID) },
++ { USB_DEVICE(HP_VENDOR_ID, HP_TD620_PRODUCT_ID) },
+ { USB_DEVICE(CRESSI_VENDOR_ID, CRESSI_EDY_PRODUCT_ID) },
+ { USB_DEVICE(ZEAGLE_VENDOR_ID, ZEAGLE_N2ITION3_PRODUCT_ID) },
+ { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) },
+diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h
+index 123289085ee2..a84f0959ab34 100644
+--- a/drivers/usb/serial/pl2303.h
++++ b/drivers/usb/serial/pl2303.h
+@@ -123,10 +123,15 @@
+
+ /* Hewlett-Packard POS Pole Displays */
+ #define HP_VENDOR_ID 0x03f0
++#define HP_LM920_PRODUCT_ID 0x026b
++#define HP_TD620_PRODUCT_ID 0x0956
+ #define HP_LD960_PRODUCT_ID 0x0b39
+ #define HP_LCM220_PRODUCT_ID 0x3139
+ #define HP_LCM960_PRODUCT_ID 0x3239
+ #define HP_LD220_PRODUCT_ID 0x3524
++#define HP_LD220TA_PRODUCT_ID 0x4349
++#define HP_LD960TA_PRODUCT_ID 0x4439
++#define HP_LM940_PRODUCT_ID 0x5039
+
+ /* Cressi Edy (diving computer) PC interface */
+ #define CRESSI_VENDOR_ID 0x04b8
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 4c5625cb540c..53b1b3cfce84 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2145,6 +2145,8 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
+ return -EFAULT;
+ }
+ if (unlikely(vq->log_used)) {
++ /* Make sure used idx is seen before log. */
++ smp_wmb();
+ /* Log used index update. */
+ log_write(vq->log_base,
+ vq->log_addr + offsetof(struct vring_used, idx),
+diff --git a/fs/cifs/smb2maperror.c b/fs/cifs/smb2maperror.c
+index 8257a5a97cc0..98c25b969ab8 100644
+--- a/fs/cifs/smb2maperror.c
++++ b/fs/cifs/smb2maperror.c
+@@ -377,8 +377,8 @@ static const struct status_to_posix_error smb2_error_map_table[] = {
+ {STATUS_NONEXISTENT_EA_ENTRY, -EIO, "STATUS_NONEXISTENT_EA_ENTRY"},
+ {STATUS_NO_EAS_ON_FILE, -ENODATA, "STATUS_NO_EAS_ON_FILE"},
+ {STATUS_EA_CORRUPT_ERROR, -EIO, "STATUS_EA_CORRUPT_ERROR"},
+- {STATUS_FILE_LOCK_CONFLICT, -EIO, "STATUS_FILE_LOCK_CONFLICT"},
+- {STATUS_LOCK_NOT_GRANTED, -EIO, "STATUS_LOCK_NOT_GRANTED"},
++ {STATUS_FILE_LOCK_CONFLICT, -EACCES, "STATUS_FILE_LOCK_CONFLICT"},
++ {STATUS_LOCK_NOT_GRANTED, -EACCES, "STATUS_LOCK_NOT_GRANTED"},
+ {STATUS_DELETE_PENDING, -ENOENT, "STATUS_DELETE_PENDING"},
+ {STATUS_CTL_FILE_NOT_SUPPORTED, -ENOSYS,
+ "STATUS_CTL_FILE_NOT_SUPPORTED"},
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index d06cfe372609..1008384d5ed5 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -702,8 +702,11 @@ int ext4_try_to_write_inline_data(struct address_space *mapping,
+
+ if (!PageUptodate(page)) {
+ ret = ext4_read_inline_page(inode, page);
+- if (ret < 0)
++ if (ret < 0) {
++ unlock_page(page);
++ put_page(page);
+ goto out_up_read;
++ }
+ }
+
+ ret = 1;
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index 9be605c63ae1..58e6b8a03e90 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1600,7 +1600,7 @@ int ext4_group_add(struct super_block *sb, struct ext4_new_group_data *input)
+ }
+
+ if (reserved_gdb || gdb_off == 0) {
+- if (ext4_has_feature_resize_inode(sb) ||
++ if (!ext4_has_feature_resize_inode(sb) ||
+ !le16_to_cpu(es->s_reserved_gdt_blocks)) {
+ ext4_warning(sb,
+ "No reserved GDT blocks, can't resize");
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 75177eb498ed..6810234b0b27 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1076,6 +1076,16 @@ static struct dentry *ext4_fh_to_parent(struct super_block *sb, struct fid *fid,
+ ext4_nfs_get_inode);
+ }
+
++static int ext4_nfs_commit_metadata(struct inode *inode)
++{
++ struct writeback_control wbc = {
++ .sync_mode = WB_SYNC_ALL
++ };
++
++ trace_ext4_nfs_commit_metadata(inode);
++ return ext4_write_inode(inode, &wbc);
++}
++
+ /*
+ * Try to release metadata pages (indirect blocks, directories) which are
+ * mapped via the block device. Since these pages could have journal heads
+@@ -1258,6 +1268,7 @@ static const struct export_operations ext4_export_ops = {
+ .fh_to_dentry = ext4_fh_to_dentry,
+ .fh_to_parent = ext4_fh_to_parent,
+ .get_parent = ext4_get_parent,
++ .commit_metadata = ext4_nfs_commit_metadata,
+ };
+
+ enum {
+@@ -5425,9 +5436,9 @@ static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
+ qf_inode->i_flags |= S_NOQUOTA;
+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_QUOTA);
+ err = dquot_enable(qf_inode, type, format_id, flags);
+- iput(qf_inode);
+ if (err)
+ lockdep_set_quota_inode(qf_inode, I_DATA_SEM_NORMAL);
++ iput(qf_inode);
+
+ return err;
+ }
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index 22f765069655..ec9beaa69abb 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1499,7 +1499,7 @@ retry:
+ base = IFIRST(header);
+ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ min_offs = end - base;
+- total_ino = sizeof(struct ext4_xattr_ibody_header);
++ total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
+
+ error = xattr_check_inode(inode, header, end);
+ if (error)
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index c8f408d8a582..83a96334dc07 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1427,10 +1427,10 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi,
+ return 1;
+ }
+
+- if (segment_count > (le32_to_cpu(raw_super->block_count) >> 9)) {
++ if (segment_count > (le64_to_cpu(raw_super->block_count) >> 9)) {
+ f2fs_msg(sb, KERN_INFO,
+- "Wrong segment_count / block_count (%u > %u)",
+- segment_count, le32_to_cpu(raw_super->block_count));
++ "Wrong segment_count / block_count (%u > %llu)",
++ segment_count, le64_to_cpu(raw_super->block_count));
+ return 1;
+ }
+
+diff --git a/include/linux/msi.h b/include/linux/msi.h
+index 0db320b7bb15..debc8aa4ec19 100644
+--- a/include/linux/msi.h
++++ b/include/linux/msi.h
+@@ -108,6 +108,8 @@ struct msi_desc {
+ list_first_entry(dev_to_msi_list((dev)), struct msi_desc, list)
+ #define for_each_msi_entry(desc, dev) \
+ list_for_each_entry((desc), dev_to_msi_list((dev)), list)
++#define for_each_msi_entry_safe(desc, tmp, dev) \
++ list_for_each_entry_safe((desc), (tmp), dev_to_msi_list((dev)), list)
+
+ #ifdef CONFIG_PCI_MSI
+ #define first_pci_msi_entry(pdev) first_msi_entry(&(pdev)->dev)
+diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
+index ac377a23265f..597b84d4805b 100644
+--- a/include/linux/ptr_ring.h
++++ b/include/linux/ptr_ring.h
+@@ -384,6 +384,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
+ else if (destroy)
+ destroy(ptr);
+
++ if (producer >= size)
++ producer = 0;
+ r->size = size;
+ r->producer = producer;
+ r->consumer = 0;
+diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
+index 2a1abbf8da74..95f33eeee984 100644
+--- a/include/net/gro_cells.h
++++ b/include/net/gro_cells.h
+@@ -86,6 +86,7 @@ static inline void gro_cells_destroy(struct gro_cells *gcells)
+ for_each_possible_cpu(i) {
+ struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
+
++ napi_disable(&cell->napi);
+ netif_napi_del(&cell->napi);
+ __skb_queue_purge(&cell->napi_skbs);
+ }
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 6d42ed883bf9..15bb04dec40e 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -284,6 +284,7 @@ struct sock_common {
+ * @sk_filter: socket filtering instructions
+ * @sk_timer: sock cleanup timer
+ * @sk_stamp: time stamp of last packet received
++ * @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
+ * @sk_tsflags: SO_TIMESTAMPING socket options
+ * @sk_tskey: counter to disambiguate concurrent tstamp requests
+ * @sk_socket: Identd and reporting IO signals
+@@ -425,6 +426,9 @@ struct sock {
+ long sk_sndtimeo;
+ struct timer_list sk_timer;
+ ktime_t sk_stamp;
++#if BITS_PER_LONG==32
++ seqlock_t sk_stamp_seq;
++#endif
+ u16 sk_tsflags;
+ u8 sk_shutdown;
+ u32 sk_tskey;
+@@ -2114,6 +2118,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb)
+ atomic_add(segs, &sk->sk_drops);
+ }
+
++static inline ktime_t sock_read_timestamp(struct sock *sk)
++{
++#if BITS_PER_LONG==32
++ unsigned int seq;
++ ktime_t kt;
++
++ do {
++ seq = read_seqbegin(&sk->sk_stamp_seq);
++ kt = sk->sk_stamp;
++ } while (read_seqretry(&sk->sk_stamp_seq, seq));
++
++ return kt;
++#else
++ return sk->sk_stamp;
++#endif
++}
++
++static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
++{
++#if BITS_PER_LONG==32
++ write_seqlock(&sk->sk_stamp_seq);
++ sk->sk_stamp = kt;
++ write_sequnlock(&sk->sk_stamp_seq);
++#else
++ sk->sk_stamp = kt;
++#endif
++}
++
+ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
+ struct sk_buff *skb);
+ void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
+@@ -2138,7 +2170,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
+ (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
+ __sock_recv_timestamp(msg, sk, skb);
+ else
+- sk->sk_stamp = kt;
++ sock_write_timestamp(sk, kt);
+
+ if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
+ __sock_recv_wifi_status(msg, sk, skb);
+@@ -2158,7 +2190,7 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
+ if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
+ __sock_recv_ts_and_drops(msg, sk, skb);
+ else
+- sk->sk_stamp = skb->tstamp;
++ sock_write_timestamp(sk, skb->tstamp);
+ }
+
+ void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags);
+diff --git a/include/trace/events/ext4.h b/include/trace/events/ext4.h
+index 09c71e9aaebf..215668b14f61 100644
+--- a/include/trace/events/ext4.h
++++ b/include/trace/events/ext4.h
+@@ -223,6 +223,26 @@ TRACE_EVENT(ext4_drop_inode,
+ (unsigned long) __entry->ino, __entry->drop)
+ );
+
++TRACE_EVENT(ext4_nfs_commit_metadata,
++ TP_PROTO(struct inode *inode),
++
++ TP_ARGS(inode),
++
++ TP_STRUCT__entry(
++ __field( dev_t, dev )
++ __field( ino_t, ino )
++ ),
++
++ TP_fast_assign(
++ __entry->dev = inode->i_sb->s_dev;
++ __entry->ino = inode->i_ino;
++ ),
++
++ TP_printk("dev %d,%d ino %lu",
++ MAJOR(__entry->dev), MINOR(__entry->dev),
++ (unsigned long) __entry->ino)
++);
++
+ TRACE_EVENT(ext4_mark_inode_dirty,
+ TP_PROTO(struct inode *inode, unsigned long IP),
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 2fdebabbfacd..2772f6a13fcb 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -654,15 +654,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- dev = dev_get_by_name(&init_net, devname);
++ rtnl_lock();
++ dev = __dev_get_by_name(&init_net, devname);
+ if (!dev) {
++ rtnl_unlock();
+ res = -ENODEV;
+ break;
+ }
+
+ ax25->ax25_dev = ax25_dev_ax25dev(dev);
++ if (!ax25->ax25_dev) {
++ rtnl_unlock();
++ res = -ENODEV;
++ break;
++ }
+ ax25_fillin_cb(ax25, ax25->ax25_dev);
+- dev_put(dev);
++ rtnl_unlock();
+ break;
+
+ default:
+diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
+index 3d106767b272..5faca5db6385 100644
+--- a/net/ax25/ax25_dev.c
++++ b/net/ax25/ax25_dev.c
+@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev)
+ if ((s = ax25_dev_list) == ax25_dev) {
+ ax25_dev_list = s->next;
+ spin_unlock_bh(&ax25_dev_lock);
++ dev->ax25_ptr = NULL;
+ dev_put(dev);
+ kfree(ax25_dev);
+ return;
+@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev)
+ if (s->next == ax25_dev) {
+ s->next = ax25_dev->next;
+ spin_unlock_bh(&ax25_dev_lock);
++ dev->ax25_ptr = NULL;
+ dev_put(dev);
+ kfree(ax25_dev);
+ return;
+diff --git a/net/compat.c b/net/compat.c
+index 73671e6ec6eb..633fcf6ee369 100644
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -457,12 +457,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
+ err = -ENOENT;
+ if (!sock_flag(sk, SOCK_TIMESTAMP))
+ sock_enable_timestamp(sk, SOCK_TIMESTAMP);
+- tv = ktime_to_timeval(sk->sk_stamp);
++ tv = ktime_to_timeval(sock_read_timestamp(sk));
++
+ if (tv.tv_sec == -1)
+ return err;
+ if (tv.tv_sec == 0) {
+- sk->sk_stamp = ktime_get_real();
+- tv = ktime_to_timeval(sk->sk_stamp);
++ ktime_t kt = ktime_get_real();
++ sock_write_timestamp(sk, kt);
++ tv = ktime_to_timeval(kt);
+ }
+ err = 0;
+ if (put_user(tv.tv_sec, &ctv->tv_sec) ||
+@@ -485,12 +487,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta
+ err = -ENOENT;
+ if (!sock_flag(sk, SOCK_TIMESTAMP))
+ sock_enable_timestamp(sk, SOCK_TIMESTAMP);
+- ts = ktime_to_timespec(sk->sk_stamp);
++ ts = ktime_to_timespec(sock_read_timestamp(sk));
+ if (ts.tv_sec == -1)
+ return err;
+ if (ts.tv_sec == 0) {
+- sk->sk_stamp = ktime_get_real();
+- ts = ktime_to_timespec(sk->sk_stamp);
++ ktime_t kt = ktime_get_real();
++ sock_write_timestamp(sk, kt);
++ ts = ktime_to_timespec(kt);
+ }
+ err = 0;
+ if (put_user(ts.tv_sec, &ctv->tv_sec) ||
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1c4c43483b54..68c831e1a5c0 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2467,6 +2467,9 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+ sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+
+ sk->sk_stamp = ktime_set(-1L, 0);
++#if BITS_PER_LONG==32
++ seqlock_init(&sk->sk_stamp_seq);
++#endif
+
+ #ifdef CONFIG_NET_RX_BUSY_POLL
+ sk->sk_napi_id = 0;
+diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
+index 50ed47559bb7..34d20a2a5cbd 100644
+--- a/net/ieee802154/6lowpan/tx.c
++++ b/net/ieee802154/6lowpan/tx.c
+@@ -48,6 +48,9 @@ int lowpan_header_create(struct sk_buff *skb, struct net_device *ldev,
+ const struct ipv6hdr *hdr = ipv6_hdr(skb);
+ struct neighbour *n;
+
++ if (!daddr)
++ return -EINVAL;
++
+ /* TODO:
+ * if this package isn't ipv6 one, where should it be routed?
+ */
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index 80e48f40c3a8..496f8d86b503 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -345,10 +345,10 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
+ struct net *net = container_of(qp->q.net, struct net, ipv4.frags);
+ struct rb_node **rbn, *parent;
+ struct sk_buff *skb1, *prev_tail;
++ int ihl, end, skb1_run_end;
+ struct net_device *dev;
+ unsigned int fragsize;
+ int flags, offset;
+- int ihl, end;
+ int err = -ENOENT;
+ u8 ecn;
+
+@@ -418,7 +418,9 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
+ * overlapping fragment, the entire datagram (and any constituent
+ * fragments) MUST be silently discarded.
+ *
+- * We do the same here for IPv4 (and increment an snmp counter).
++ * We do the same here for IPv4 (and increment an snmp counter) but
++ * we do not want to drop the whole queue in response to a duplicate
++ * fragment.
+ */
+
+ /* Find out where to put this fragment. */
+@@ -442,13 +444,17 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb)
+ do {
+ parent = *rbn;
+ skb1 = rb_to_skb(parent);
++ skb1_run_end = skb1->ip_defrag_offset +
++ FRAG_CB(skb1)->frag_run_len;
+ if (end <= skb1->ip_defrag_offset)
+ rbn = &parent->rb_left;
+- else if (offset >= skb1->ip_defrag_offset +
+- FRAG_CB(skb1)->frag_run_len)
++ else if (offset >= skb1_run_end)
+ rbn = &parent->rb_right;
+- else /* Found an overlap with skb1. */
+- goto discard_qp;
++ else if (offset >= skb1->ip_defrag_offset &&
++ end <= skb1_run_end)
++ goto err; /* No new data, potential duplicate */
++ else
++ goto discard_qp; /* Found an overlap */
+ } while (*rbn);
+ /* Here we have parent properly set, and rbn pointing to
+ * one of its NULL left/right children. Insert skb.
+diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
+index 742a3432c3ea..354926e61f06 100644
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -68,6 +68,8 @@
+ #include <linux/netconf.h>
+ #include <net/nexthop.h>
+
++#include <linux/nospec.h>
++
+ struct ipmr_rule {
+ struct fib_rule common;
+ };
+@@ -1562,6 +1564,7 @@ int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
+ return -EFAULT;
+ if (vr.vifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.vifi = array_index_nospec(vr.vifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif_table[vr.vifi];
+ if (VIF_EXISTS(mrt, vr.vifi)) {
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index 9c5afa5153ce..f89516d04150 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -907,6 +907,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto,
+ goto drop;
+ if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
+ goto drop;
++ ipv6h = ipv6_hdr(skb);
+ if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr))
+ goto drop;
+ if (iptunnel_pull_header(skb, 0, tpi->proto, false))
+diff --git a/net/ipv6/ip6_udp_tunnel.c b/net/ipv6/ip6_udp_tunnel.c
+index b283f293ee4a..caad40d6e74d 100644
+--- a/net/ipv6/ip6_udp_tunnel.c
++++ b/net/ipv6/ip6_udp_tunnel.c
+@@ -15,7 +15,7 @@
+ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ struct socket **sockp)
+ {
+- struct sockaddr_in6 udp6_addr;
++ struct sockaddr_in6 udp6_addr = {};
+ int err;
+ struct socket *sock = NULL;
+
+@@ -42,6 +42,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
+ goto error;
+
+ if (cfg->peer_udp_port) {
++ memset(&udp6_addr, 0, sizeof(udp6_addr));
+ udp6_addr.sin6_family = AF_INET6;
+ memcpy(&udp6_addr.sin6_addr, &cfg->peer_ip6,
+ sizeof(udp6_addr.sin6_addr));
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index 3213921cdfee..c2b2ee71fc6c 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -318,6 +318,7 @@ static int vti6_rcv(struct sk_buff *skb)
+ return 0;
+ }
+
++ ipv6h = ipv6_hdr(skb);
+ if (!ip6_tnl_rcv_ctl(t, &ipv6h->daddr, &ipv6h->saddr)) {
+ t->dev->stats.rx_dropped++;
+ rcu_read_unlock();
+diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
+index 4b93ad4fe6d8..ad597b4b22a0 100644
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -72,6 +72,8 @@ struct mr6_table {
+ #endif
+ };
+
++#include <linux/nospec.h>
++
+ struct ip6mr_rule {
+ struct fib_rule common;
+ };
+@@ -1873,6 +1875,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
+ return -EFAULT;
+ if (vr.mifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif6_table[vr.mifi];
+ if (MIF_EXISTS(mrt, vr.mifi)) {
+@@ -1947,6 +1950,7 @@ int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
+ return -EFAULT;
+ if (vr.mifi >= mrt->maxvif)
+ return -EINVAL;
++ vr.mifi = array_index_nospec(vr.mifi, mrt->maxvif);
+ read_lock(&mrt_lock);
+ vif = &mrt->vif6_table[vr.mifi];
+ if (MIF_EXISTS(mrt, vr.mifi)) {
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index ed212ffc1d9d..046ae1caecea 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr)
+ sk_for_each(s, &nr_list)
+ if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
+ s->sk_state == TCP_LISTEN) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ s = NULL;
+@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id)
+ struct nr_sock *nr = nr_sk(s);
+
+ if (nr->my_index == index && nr->my_id == id) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ }
+@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id,
+
+ if (nr->your_index == index && nr->your_id == id &&
+ !ax25cmp(&nr->dest_addr, dest)) {
+- bh_lock_sock(s);
++ sock_hold(s);
+ goto found;
+ }
+ }
+@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void)
+ if (i != 0 && j != 0) {
+ if ((sk=nr_find_socket(i, j)) == NULL)
+ break;
+- bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ id++;
+@@ -918,6 +918,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+ }
+
+ if (sk != NULL) {
++ bh_lock_sock(sk);
+ skb_reset_transport_header(skb);
+
+ if (frametype == NR_CONNACK && skb->len == 22)
+@@ -927,6 +928,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+
+ ret = nr_process_rx_frame(sk, skb);
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ return ret;
+ }
+
+@@ -958,10 +960,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+ (make = nr_make_new(sk)) == NULL) {
+ nr_transmit_refusal(skb, 0);
+ if (sk)
+- bh_unlock_sock(sk);
++ sock_put(sk);
+ return 0;
+ }
+
++ bh_lock_sock(sk);
++
+ window = skb->data[20];
+
+ skb->sk = make;
+@@ -1014,6 +1018,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
+ sk->sk_data_ready(sk);
+
+ bh_unlock_sock(sk);
++ sock_put(sk);
+
+ nr_insert_socket(make);
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 24412e8f4061..a9d0358d4f3b 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2660,8 +2660,10 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ sll_addr)))
+ goto out;
+ proto = saddr->sll_protocol;
+- addr = saddr->sll_addr;
++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
++ if (addr && dev && saddr->sll_halen < dev->addr_len)
++ goto out;
+ }
+
+ err = -ENXIO;
+@@ -2857,8 +2859,10 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ if (msg->msg_namelen < (saddr->sll_halen + offsetof(struct sockaddr_ll, sll_addr)))
+ goto out;
+ proto = saddr->sll_protocol;
+- addr = saddr->sll_addr;
++ addr = saddr->sll_halen ? saddr->sll_addr : NULL;
+ dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
++ if (addr && dev && saddr->sll_halen < dev->addr_len)
++ goto out;
+ }
+
+ err = -ENXIO;
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index f4d5efb1d231..e7866d47934d 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -101,6 +101,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
+ if (addr) {
+ addr->a.v6.sin6_family = AF_INET6;
+ addr->a.v6.sin6_port = 0;
++ addr->a.v6.sin6_flowinfo = 0;
+ addr->a.v6.sin6_addr = ifa->addr;
+ addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
+ addr->valid = 1;
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 266a30c8b88b..33f599cb0936 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -572,7 +572,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
+ /* Don't enable netstamp, sunrpc doesn't
+ need that much accuracy */
+ }
+- svsk->sk_sk->sk_stamp = skb->tstamp;
++ sock_write_timestamp(svsk->sk_sk, skb->tstamp);
+ set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
+
+ len = skb->len;
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 9d3f047305ce..57df99ca6347 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2281,11 +2281,15 @@ void tipc_sk_reinit(struct net *net)
+ goto walk_stop;
+
+ while ((tsk = rhashtable_walk_next(&iter)) && !IS_ERR(tsk)) {
+- spin_lock_bh(&tsk->sk.sk_lock.slock);
++ sock_hold(&tsk->sk);
++ rhashtable_walk_stop(&iter);
++ lock_sock(&tsk->sk);
+ msg = &tsk->phdr;
+ msg_set_prevnode(msg, tn->own_addr);
+ msg_set_orignode(msg, tn->own_addr);
+- spin_unlock_bh(&tsk->sk.sk_lock.slock);
++ release_sock(&tsk->sk);
++ rhashtable_walk_start(&iter);
++ sock_put(&tsk->sk);
+ }
+ walk_stop:
+ rhashtable_walk_stop(&iter);
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 107375d80c70..133e72654e77 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -243,10 +243,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
+ }
+
+ err = tipc_udp_xmit(net, _skb, ub, src, &rcast->addr);
+- if (err) {
+- kfree_skb(_skb);
++ if (err)
+ goto out;
+- }
+ }
+ err = 0;
+ out:
+@@ -676,6 +674,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
+ if (err)
+ goto err;
+
++ if (remote.proto != local.proto) {
++ err = -EINVAL;
++ goto err;
++ }
++
+ b->bcast_addr.media_id = TIPC_MEDIA_TYPE_UDP;
+ b->bcast_addr.broadcast = 1;
+ rcu_assign_pointer(b->media_ptr, ub);
+diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
+index 4aa391c5c733..008f3424dcbc 100644
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -272,6 +272,31 @@ vmci_transport_send_control_pkt_bh(struct sockaddr_vm *src,
+ false);
+ }
+
++static int
++vmci_transport_alloc_send_control_pkt(struct sockaddr_vm *src,
++ struct sockaddr_vm *dst,
++ enum vmci_transport_packet_type type,
++ u64 size,
++ u64 mode,
++ struct vmci_transport_waiting_info *wait,
++ u16 proto,
++ struct vmci_handle handle)
++{
++ struct vmci_transport_packet *pkt;
++ int err;
++
++ pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
++ if (!pkt)
++ return -ENOMEM;
++
++ err = __vmci_transport_send_control_pkt(pkt, src, dst, type, size,
++ mode, wait, proto, handle,
++ true);
++ kfree(pkt);
++
++ return err;
++}
++
+ static int
+ vmci_transport_send_control_pkt(struct sock *sk,
+ enum vmci_transport_packet_type type,
+@@ -281,9 +306,7 @@ vmci_transport_send_control_pkt(struct sock *sk,
+ u16 proto,
+ struct vmci_handle handle)
+ {
+- struct vmci_transport_packet *pkt;
+ struct vsock_sock *vsk;
+- int err;
+
+ vsk = vsock_sk(sk);
+
+@@ -293,17 +316,10 @@ vmci_transport_send_control_pkt(struct sock *sk,
+ if (!vsock_addr_bound(&vsk->remote_addr))
+ return -EINVAL;
+
+- pkt = kmalloc(sizeof(*pkt), GFP_KERNEL);
+- if (!pkt)
+- return -ENOMEM;
+-
+- err = __vmci_transport_send_control_pkt(pkt, &vsk->local_addr,
+- &vsk->remote_addr, type, size,
+- mode, wait, proto, handle,
+- true);
+- kfree(pkt);
+-
+- return err;
++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr,
++ &vsk->remote_addr,
++ type, size, mode,
++ wait, proto, handle);
+ }
+
+ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
+@@ -321,12 +337,29 @@ static int vmci_transport_send_reset_bh(struct sockaddr_vm *dst,
+ static int vmci_transport_send_reset(struct sock *sk,
+ struct vmci_transport_packet *pkt)
+ {
++ struct sockaddr_vm *dst_ptr;
++ struct sockaddr_vm dst;
++ struct vsock_sock *vsk;
++
+ if (pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST)
+ return 0;
+- return vmci_transport_send_control_pkt(sk,
+- VMCI_TRANSPORT_PACKET_TYPE_RST,
+- 0, 0, NULL, VSOCK_PROTO_INVALID,
+- VMCI_INVALID_HANDLE);
++
++ vsk = vsock_sk(sk);
++
++ if (!vsock_addr_bound(&vsk->local_addr))
++ return -EINVAL;
++
++ if (vsock_addr_bound(&vsk->remote_addr)) {
++ dst_ptr = &vsk->remote_addr;
++ } else {
++ vsock_addr_init(&dst, pkt->dg.src.context,
++ pkt->src_port);
++ dst_ptr = &dst;
++ }
++ return vmci_transport_alloc_send_control_pkt(&vsk->local_addr, dst_ptr,
++ VMCI_TRANSPORT_PACKET_TYPE_RST,
++ 0, 0, NULL, VSOCK_PROTO_INVALID,
++ VMCI_INVALID_HANDLE);
+ }
+
+ static int vmci_transport_send_negotiate(struct sock *sk, size_t size)
+diff --git a/sound/core/pcm.c b/sound/core/pcm.c
+index 6bda8f6c5f84..cdff5f976480 100644
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -25,6 +25,7 @@
+ #include <linux/time.h>
+ #include <linux/mutex.h>
+ #include <linux/device.h>
++#include <linux/nospec.h>
+ #include <sound/core.h>
+ #include <sound/minors.h>
+ #include <sound/pcm.h>
+@@ -125,6 +126,7 @@ static int snd_pcm_control_ioctl(struct snd_card *card,
+ return -EFAULT;
+ if (stream < 0 || stream > 1)
+ return -EINVAL;
++ stream = array_index_nospec(stream, 2);
+ if (get_user(subdevice, &info->subdevice))
+ return -EFAULT;
+ mutex_lock(&register_mutex);
+diff --git a/sound/pci/emu10k1/emufx.c b/sound/pci/emu10k1/emufx.c
+index 50b216fc369f..5d422d65e62b 100644
+--- a/sound/pci/emu10k1/emufx.c
++++ b/sound/pci/emu10k1/emufx.c
+@@ -36,6 +36,7 @@
+ #include <linux/init.h>
+ #include <linux/mutex.h>
+ #include <linux/moduleparam.h>
++#include <linux/nospec.h>
+
+ #include <sound/core.h>
+ #include <sound/tlv.h>
+@@ -1000,6 +1001,8 @@ static int snd_emu10k1_ipcm_poke(struct snd_emu10k1 *emu,
+
+ if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
+ return -EINVAL;
++ ipcm->substream = array_index_nospec(ipcm->substream,
++ EMU10K1_FX8010_PCM_COUNT);
+ if (ipcm->channels > 32)
+ return -EINVAL;
+ pcm = &emu->fx8010.pcm[ipcm->substream];
+@@ -1046,6 +1049,8 @@ static int snd_emu10k1_ipcm_peek(struct snd_emu10k1 *emu,
+
+ if (ipcm->substream >= EMU10K1_FX8010_PCM_COUNT)
+ return -EINVAL;
++ ipcm->substream = array_index_nospec(ipcm->substream,
++ EMU10K1_FX8010_PCM_COUNT);
+ pcm = &emu->fx8010.pcm[ipcm->substream];
+ mutex_lock(&emu->fx8010.lock);
+ spin_lock_irq(&emu->reg_lock);
+diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
+index 0621920f7617..e85fb04ec7be 100644
+--- a/sound/pci/hda/hda_tegra.c
++++ b/sound/pci/hda/hda_tegra.c
+@@ -249,10 +249,12 @@ static int hda_tegra_suspend(struct device *dev)
+ struct snd_card *card = dev_get_drvdata(dev);
+ struct azx *chip = card->private_data;
+ struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
++ struct hdac_bus *bus = azx_bus(chip);
+
+ snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
+
+ azx_stop_chip(chip);
++ synchronize_irq(bus->irq);
+ azx_enter_link_reset(chip);
+ hda_tegra_disable_clocks(hda);
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index d392e867e9ab..ba9cd75e4c98 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -853,6 +853,7 @@ static const struct snd_pci_quirk cxt5066_fixups[] = {
+ SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK),
++ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83b3, "HP EliteBook 830 G5", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x83d3, "HP ProBook 640 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
+index b94fc6357139..b044dea3c815 100644
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -30,6 +30,7 @@
+ #include <linux/math64.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io.h>
++#include <linux/nospec.h>
+
+ #include <sound/core.h>
+ #include <sound/control.h>
+@@ -4065,15 +4066,16 @@ static int snd_hdsp_channel_info(struct snd_pcm_substream *substream,
+ struct snd_pcm_channel_info *info)
+ {
+ struct hdsp *hdsp = snd_pcm_substream_chip(substream);
+- int mapped_channel;
++ unsigned int channel = info->channel;
+
+- if (snd_BUG_ON(info->channel >= hdsp->max_channels))
++ if (snd_BUG_ON(channel >= hdsp->max_channels))
+ return -EINVAL;
++ channel = array_index_nospec(channel, hdsp->max_channels);
+
+- if ((mapped_channel = hdsp->channel_map[info->channel]) < 0)
++ if (hdsp->channel_map[channel] < 0)
+ return -EINVAL;
+
+- info->offset = mapped_channel * HDSP_CHANNEL_BUFFER_BYTES;
++ info->offset = hdsp->channel_map[channel] * HDSP_CHANNEL_BUFFER_BYTES;
+ info->first = 0;
+ info->step = 32;
+ return 0;
+diff --git a/sound/synth/emux/emux_hwdep.c b/sound/synth/emux/emux_hwdep.c
+index e557946718a9..d9fcae071b47 100644
+--- a/sound/synth/emux/emux_hwdep.c
++++ b/sound/synth/emux/emux_hwdep.c
+@@ -22,9 +22,9 @@
+ #include <sound/core.h>
+ #include <sound/hwdep.h>
+ #include <linux/uaccess.h>
++#include <linux/nospec.h>
+ #include "emux_voice.h"
+
+-
+ #define TMP_CLIENT_ID 0x1001
+
+ /*
+@@ -66,13 +66,16 @@ snd_emux_hwdep_misc_mode(struct snd_emux *emu, void __user *arg)
+ return -EFAULT;
+ if (info.mode < 0 || info.mode >= EMUX_MD_END)
+ return -EINVAL;
++ info.mode = array_index_nospec(info.mode, EMUX_MD_END);
+
+ if (info.port < 0) {
+ for (i = 0; i < emu->num_ports; i++)
+ emu->portptrs[i]->ctrls[info.mode] = info.value;
+ } else {
+- if (info.port < emu->num_ports)
++ if (info.port < emu->num_ports) {
++ info.port = array_index_nospec(info.port, emu->num_ports);
+ emu->portptrs[info.port]->ctrls[info.mode] = info.value;
++ }
+ }
+ return 0;
+ }
+diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c
+index 0f84371d4d6b..c86c1d5ea65c 100644
+--- a/tools/perf/util/pmu.c
++++ b/tools/perf/util/pmu.c
+@@ -103,7 +103,7 @@ static int perf_pmu__parse_scale(struct perf_pmu_alias *alias, char *dir, char *
+ char path[PATH_MAX];
+ char *lc;
+
+- snprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.scale", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+@@ -163,7 +163,7 @@ static int perf_pmu__parse_unit(struct perf_pmu_alias *alias, char *dir, char *n
+ ssize_t sret;
+ int fd;
+
+- snprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.unit", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+@@ -193,7 +193,7 @@ perf_pmu__parse_per_pkg(struct perf_pmu_alias *alias, char *dir, char *name)
+ char path[PATH_MAX];
+ int fd;
+
+- snprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.per-pkg", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+@@ -211,7 +211,7 @@ static int perf_pmu__parse_snapshot(struct perf_pmu_alias *alias,
+ char path[PATH_MAX];
+ int fd;
+
+- snprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
++ scnprintf(path, PATH_MAX, "%s/%s.snapshot", dir, name);
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1)