Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMike Pagano <mpagano@gentoo.org>2018-05-02 12:11:18 -0400
committerMike Pagano <mpagano@gentoo.org>2018-05-02 12:11:18 -0400
commitb0cb1b08a21ac357d6665e406616d7bb3ac69ed3 (patch)
tree9ab0bd4684d7771a5acc8f237cd6a1eca40673c0
parentLinux patch 4.4.130 (diff)
downloadlinux-patches-b0cb1b08a21ac357d6665e406616d7bb3ac69ed3.tar.gz
linux-patches-b0cb1b08a21ac357d6665e406616d7bb3ac69ed3.tar.bz2
linux-patches-b0cb1b08a21ac357d6665e406616d7bb3ac69ed3.zip
Linux patch 4.4.1314.4-133
Diffstat
-rw-r--r--0000_README4
-rw-r--r--1130_linux-4.4.131.patch1558
2 files changed, 1562 insertions, 0 deletions
diff --git a/0000_README b/0000_README
index 33599fbe..863ce11a 100644
--- a/0000_README
+++ b/0000_README
@@ -563,6 +563,10 @@ Patch: 1129_linux-4.4.130.patch
From: http://www.kernel.org
Desc: Linux 4.4.130
+Patch: 1130_linux-4.4.131.patch
+From: http://www.kernel.org
+Desc: Linux 4.4.131
+
Patch: 1500_XATTR_USER_PREFIX.patch
From: https://bugs.gentoo.org/show_bug.cgi?id=470644
Desc: Support for namespace user.pax.* on tmpfs.
diff --git a/1130_linux-4.4.131.patch b/1130_linux-4.4.131.patch
new file mode 100644
index 00000000..0a4d3770
--- /dev/null
+++ b/1130_linux-4.4.131.patch
@@ -0,0 +1,1558 @@
+diff --git a/Makefile b/Makefile
+index 151477d4d5e5..6ec65396a56d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 130
++SUBLEVEL = 131
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+
+diff --git a/arch/x86/include/uapi/asm/msgbuf.h b/arch/x86/include/uapi/asm/msgbuf.h
+index 809134c644a6..90ab9a795b49 100644
+--- a/arch/x86/include/uapi/asm/msgbuf.h
++++ b/arch/x86/include/uapi/asm/msgbuf.h
+@@ -1 +1,32 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
++#ifndef __ASM_X64_MSGBUF_H
++#define __ASM_X64_MSGBUF_H
++
++#if !defined(__x86_64__) || !defined(__ILP32__)
+ #include <asm-generic/msgbuf.h>
++#else
++/*
++ * The msqid64_ds structure for x86 architecture with x32 ABI.
++ *
++ * On x86-32 and x86-64 we can just use the generic definition, but
++ * x32 uses the same binary layout as x86_64, which is differnet
++ * from other 32-bit architectures.
++ */
++
++struct msqid64_ds {
++ struct ipc64_perm msg_perm;
++ __kernel_time_t msg_stime; /* last msgsnd time */
++ __kernel_time_t msg_rtime; /* last msgrcv time */
++ __kernel_time_t msg_ctime; /* last change time */
++ __kernel_ulong_t msg_cbytes; /* current number of bytes on queue */
++ __kernel_ulong_t msg_qnum; /* number of messages in queue */
++ __kernel_ulong_t msg_qbytes; /* max number of bytes on queue */
++ __kernel_pid_t msg_lspid; /* pid of last msgsnd */
++ __kernel_pid_t msg_lrpid; /* last receive pid */
++ __kernel_ulong_t __unused4;
++ __kernel_ulong_t __unused5;
++};
++
++#endif
++
++#endif /* __ASM_GENERIC_MSGBUF_H */
+diff --git a/arch/x86/include/uapi/asm/shmbuf.h b/arch/x86/include/uapi/asm/shmbuf.h
+index 83c05fc2de38..644421f3823b 100644
+--- a/arch/x86/include/uapi/asm/shmbuf.h
++++ b/arch/x86/include/uapi/asm/shmbuf.h
+@@ -1 +1,43 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
++#ifndef __ASM_X86_SHMBUF_H
++#define __ASM_X86_SHMBUF_H
++
++#if !defined(__x86_64__) || !defined(__ILP32__)
+ #include <asm-generic/shmbuf.h>
++#else
++/*
++ * The shmid64_ds structure for x86 architecture with x32 ABI.
++ *
++ * On x86-32 and x86-64 we can just use the generic definition, but
++ * x32 uses the same binary layout as x86_64, which is differnet
++ * from other 32-bit architectures.
++ */
++
++struct shmid64_ds {
++ struct ipc64_perm shm_perm; /* operation perms */
++ size_t shm_segsz; /* size of segment (bytes) */
++ __kernel_time_t shm_atime; /* last attach time */
++ __kernel_time_t shm_dtime; /* last detach time */
++ __kernel_time_t shm_ctime; /* last change time */
++ __kernel_pid_t shm_cpid; /* pid of creator */
++ __kernel_pid_t shm_lpid; /* pid of last operator */
++ __kernel_ulong_t shm_nattch; /* no. of current attaches */
++ __kernel_ulong_t __unused4;
++ __kernel_ulong_t __unused5;
++};
++
++struct shminfo64 {
++ __kernel_ulong_t shmmax;
++ __kernel_ulong_t shmmin;
++ __kernel_ulong_t shmmni;
++ __kernel_ulong_t shmseg;
++ __kernel_ulong_t shmall;
++ __kernel_ulong_t __unused1;
++ __kernel_ulong_t __unused2;
++ __kernel_ulong_t __unused3;
++ __kernel_ulong_t __unused4;
++};
++
++#endif
++
++#endif /* __ASM_X86_SHMBUF_H */
+diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
+index fe89f938e0f0..00c7878043ef 100644
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -1442,6 +1442,8 @@ static inline void mwait_play_dead(void)
+ void *mwait_ptr;
+ int i;
+
++ if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
++ return;
+ if (!this_cpu_has(X86_FEATURE_MWAIT))
+ return;
+ if (!this_cpu_has(X86_FEATURE_CLFLUSH))
+diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c
+index f0099360039e..1accc01fb0ca 100644
+--- a/drivers/amba/bus.c
++++ b/drivers/amba/bus.c
+@@ -68,11 +68,12 @@ static ssize_t driver_override_show(struct device *_dev,
+ struct device_attribute *attr, char *buf)
+ {
+ struct amba_device *dev = to_amba_device(_dev);
++ ssize_t len;
+
+- if (!dev->driver_override)
+- return 0;
+-
+- return sprintf(buf, "%s\n", dev->driver_override);
++ device_lock(_dev);
++ len = sprintf(buf, "%s\n", dev->driver_override);
++ device_unlock(_dev);
++ return len;
+ }
+
+ static ssize_t driver_override_store(struct device *_dev,
+@@ -80,9 +81,10 @@ static ssize_t driver_override_store(struct device *_dev,
+ const char *buf, size_t count)
+ {
+ struct amba_device *dev = to_amba_device(_dev);
+- char *driver_override, *old = dev->driver_override, *cp;
++ char *driver_override, *old, *cp;
+
+- if (count > PATH_MAX)
++ /* We need to keep extra room for a newline */
++ if (count >= (PAGE_SIZE - 1))
+ return -EINVAL;
+
+ driver_override = kstrndup(buf, count, GFP_KERNEL);
+@@ -93,12 +95,15 @@ static ssize_t driver_override_store(struct device *_dev,
+ if (cp)
+ *cp = '\0';
+
++ device_lock(_dev);
++ old = dev->driver_override;
+ if (strlen(driver_override)) {
+ dev->driver_override = driver_override;
+ } else {
+ kfree(driver_override);
+ dev->driver_override = NULL;
+ }
++ device_unlock(_dev);
+
+ kfree(old);
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index be0b09a0fb44..2aca689061e1 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1399,7 +1399,6 @@ static int add_port(struct ports_device *portdev, u32 id)
+ {
+ char debugfs_name[16];
+ struct port *port;
+- struct port_buffer *buf;
+ dev_t devt;
+ unsigned int nr_added_bufs;
+ int err;
+@@ -1510,8 +1509,6 @@ static int add_port(struct ports_device *portdev, u32 id)
+ return 0;
+
+ free_inbufs:
+- while ((buf = virtqueue_detach_unused_buf(port->in_vq)))
+- free_buf(buf, true);
+ free_device:
+ device_destroy(pdrvdata.class, port->dev->devt);
+ free_cdev:
+@@ -1536,34 +1533,14 @@ static void remove_port(struct kref *kref)
+
+ static void remove_port_data(struct port *port)
+ {
+- struct port_buffer *buf;
+-
+ spin_lock_irq(&port->inbuf_lock);
+ /* Remove unused data this port might have received. */
+ discard_port_data(port);
+ spin_unlock_irq(&port->inbuf_lock);
+
+- /* Remove buffers we queued up for the Host to send us data in. */
+- do {
+- spin_lock_irq(&port->inbuf_lock);
+- buf = virtqueue_detach_unused_buf(port->in_vq);
+- spin_unlock_irq(&port->inbuf_lock);
+- if (buf)
+- free_buf(buf, true);
+- } while (buf);
+-
+ spin_lock_irq(&port->outvq_lock);
+ reclaim_consumed_buffers(port);
+ spin_unlock_irq(&port->outvq_lock);
+-
+- /* Free pending buffers from the out-queue. */
+- do {
+- spin_lock_irq(&port->outvq_lock);
+- buf = virtqueue_detach_unused_buf(port->out_vq);
+- spin_unlock_irq(&port->outvq_lock);
+- if (buf)
+- free_buf(buf, true);
+- } while (buf);
+ }
+
+ /*
+@@ -1788,13 +1765,24 @@ static void control_work_handler(struct work_struct *work)
+ spin_unlock(&portdev->c_ivq_lock);
+ }
+
++static void flush_bufs(struct virtqueue *vq, bool can_sleep)
++{
++ struct port_buffer *buf;
++ unsigned int len;
++
++ while ((buf = virtqueue_get_buf(vq, &len)))
++ free_buf(buf, can_sleep);
++}
++
+ static void out_intr(struct virtqueue *vq)
+ {
+ struct port *port;
+
+ port = find_port_by_vq(vq->vdev->priv, vq);
+- if (!port)
++ if (!port) {
++ flush_bufs(vq, false);
+ return;
++ }
+
+ wake_up_interruptible(&port->waitqueue);
+ }
+@@ -1805,8 +1793,10 @@ static void in_intr(struct virtqueue *vq)
+ unsigned long flags;
+
+ port = find_port_by_vq(vq->vdev->priv, vq);
+- if (!port)
++ if (!port) {
++ flush_bufs(vq, false);
+ return;
++ }
+
+ spin_lock_irqsave(&port->inbuf_lock, flags);
+ port->inbuf = get_inbuf(port);
+@@ -1981,6 +1971,15 @@ static const struct file_operations portdev_fops = {
+
+ static void remove_vqs(struct ports_device *portdev)
+ {
++ struct virtqueue *vq;
++
++ virtio_device_for_each_vq(portdev->vdev, vq) {
++ struct port_buffer *buf;
++
++ flush_bufs(vq, true);
++ while ((buf = virtqueue_detach_unused_buf(vq)))
++ free_buf(buf, true);
++ }
+ portdev->vdev->config->del_vqs(portdev->vdev);
+ kfree(portdev->in_vqs);
+ kfree(portdev->out_vqs);
+diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
+index 5a0f8a745b9d..52436b3c01bb 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
+@@ -324,7 +324,7 @@ retry:
+ ret = virtqueue_add_sgs(vq, sgs, outcnt, incnt, vbuf, GFP_ATOMIC);
+ if (ret == -ENOSPC) {
+ spin_unlock(&vgdev->ctrlq.qlock);
+- wait_event(vgdev->ctrlq.ack_queue, vq->num_free);
++ wait_event(vgdev->ctrlq.ack_queue, vq->num_free >= outcnt + incnt);
+ spin_lock(&vgdev->ctrlq.qlock);
+ goto retry;
+ } else {
+@@ -399,7 +399,7 @@ retry:
+ ret = virtqueue_add_sgs(vq, sgs, outcnt, 0, vbuf, GFP_ATOMIC);
+ if (ret == -ENOSPC) {
+ spin_unlock(&vgdev->cursorq.qlock);
+- wait_event(vgdev->cursorq.ack_queue, vq->num_free);
++ wait_event(vgdev->cursorq.ack_queue, vq->num_free >= outcnt);
+ spin_lock(&vgdev->cursorq.qlock);
+ goto retry;
+ } else {
+diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
+index 286b97a304cf..4509ee0b294a 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -45,6 +45,7 @@
+ #define I82802AB 0x00ad
+ #define I82802AC 0x00ac
+ #define PF38F4476 0x881c
++#define M28F00AP30 0x8963
+ /* STMicroelectronics chips */
+ #define M50LPW080 0x002F
+ #define M50FLW080A 0x0080
+@@ -375,6 +376,17 @@ static void cfi_fixup_major_minor(struct cfi_private *cfi,
+ extp->MinorVersion = '1';
+ }
+
++static int cfi_is_micron_28F00AP30(struct cfi_private *cfi, struct flchip *chip)
++{
++ /*
++ * Micron(was Numonyx) 1Gbit bottom boot are buggy w.r.t
++ * Erase Supend for their small Erase Blocks(0x8000)
++ */
++ if (cfi->mfr == CFI_MFR_INTEL && cfi->id == M28F00AP30)
++ return 1;
++ return 0;
++}
++
+ static inline struct cfi_pri_intelext *
+ read_pri_intelext(struct map_info *map, __u16 adr)
+ {
+@@ -825,21 +837,30 @@ static int chip_ready (struct map_info *map, struct flchip *chip, unsigned long
+ (mode == FL_WRITING && (cfip->SuspendCmdSupport & 1))))
+ goto sleep;
+
++ /* Do not allow suspend iff read/write to EB address */
++ if ((adr & chip->in_progress_block_mask) ==
++ chip->in_progress_block_addr)
++ goto sleep;
++
++ /* do not suspend small EBs, buggy Micron Chips */
++ if (cfi_is_micron_28F00AP30(cfi, chip) &&
++ (chip->in_progress_block_mask == ~(0x8000-1)))
++ goto sleep;
+
+ /* Erase suspend */
+- map_write(map, CMD(0xB0), adr);
++ map_write(map, CMD(0xB0), chip->in_progress_block_addr);
+
+ /* If the flash has finished erasing, then 'erase suspend'
+ * appears to make some (28F320) flash devices switch to
+ * 'read' mode. Make sure that we switch to 'read status'
+ * mode so we get the right data. --rmk
+ */
+- map_write(map, CMD(0x70), adr);
++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
+ chip->oldstate = FL_ERASING;
+ chip->state = FL_ERASE_SUSPENDING;
+ chip->erase_suspended = 1;
+ for (;;) {
+- status = map_read(map, adr);
++ status = map_read(map, chip->in_progress_block_addr);
+ if (map_word_andequal(map, status, status_OK, status_OK))
+ break;
+
+@@ -1035,8 +1056,8 @@ static void put_chip(struct map_info *map, struct flchip *chip, unsigned long ad
+ sending the 0x70 (Read Status) command to an erasing
+ chip and expecting it to be ignored, that's what we
+ do. */
+- map_write(map, CMD(0xd0), adr);
+- map_write(map, CMD(0x70), adr);
++ map_write(map, CMD(0xd0), chip->in_progress_block_addr);
++ map_write(map, CMD(0x70), chip->in_progress_block_addr);
+ chip->oldstate = FL_READY;
+ chip->state = FL_ERASING;
+ break;
+@@ -1927,6 +1948,8 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
+ map_write(map, CMD(0xD0), adr);
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
++ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(len - 1);
+
+ ret = INVAL_CACHE_AND_WAIT(map, chip, adr,
+ adr, len,
+diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
+index c3624eb571d1..31448a2b39ae 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0002.c
++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
+@@ -814,9 +814,10 @@ static int get_chip(struct map_info *map, struct flchip *chip, unsigned long adr
+ (mode == FL_WRITING && (cfip->EraseSuspend & 0x2))))
+ goto sleep;
+
+- /* We could check to see if we're trying to access the sector
+- * that is currently being erased. However, no user will try
+- * anything like that so we just wait for the timeout. */
++ /* Do not allow suspend iff read/write to EB address */
++ if ((adr & chip->in_progress_block_mask) ==
++ chip->in_progress_block_addr)
++ goto sleep;
+
+ /* Erase suspend */
+ /* It's harmless to issue the Erase-Suspend and Erase-Resume
+@@ -2265,6 +2266,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
+ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(map->size - 1);
+
+ INVALIDATE_CACHE_UDELAY(map, chip,
+ adr, map->size,
+@@ -2354,6 +2356,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
+ chip->state = FL_ERASING;
+ chip->erase_suspended = 0;
+ chip->in_progress_block_addr = adr;
++ chip->in_progress_block_mask = ~(len - 1);
+
+ INVALIDATE_CACHE_UDELAY(map, chip,
+ adr, len,
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index dd72205ba298..8c9e4a3ec3fb 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1929,6 +1929,8 @@ sd_spinup_disk(struct scsi_disk *sdkp)
+ break; /* standby */
+ if (sshdr.asc == 4 && sshdr.ascq == 0xc)
+ break; /* unavailable */
++ if (sshdr.asc == 4 && sshdr.ascq == 0x1b)
++ break; /* sanitize in progress */
+ /*
+ * Issue command to spin up drive when not ready
+ */
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 78bd121ecede..6060c3e8925e 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -137,6 +137,9 @@ struct gsm_dlci {
+ struct mutex mutex;
+
+ /* Link layer */
++ int mode;
++#define DLCI_MODE_ABM 0 /* Normal Asynchronous Balanced Mode */
++#define DLCI_MODE_ADM 1 /* Asynchronous Disconnected Mode */
+ spinlock_t lock; /* Protects the internal state */
+ struct timer_list t1; /* Retransmit timer for SABM and UA */
+ int retries;
+@@ -1380,7 +1383,13 @@ retry:
+ ctrl->data = data;
+ ctrl->len = clen;
+ gsm->pending_cmd = ctrl;
+- gsm->cretries = gsm->n2;
++
++ /* If DLCI0 is in ADM mode skip retries, it won't respond */
++ if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
++ gsm->cretries = 1;
++ else
++ gsm->cretries = gsm->n2;
++
+ mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
+ gsm_control_transmit(gsm, ctrl);
+ spin_unlock_irqrestore(&gsm->control_lock, flags);
+@@ -1488,6 +1497,7 @@ static void gsm_dlci_t1(unsigned long data)
+ if (debug & 8)
+ pr_info("DLCI %d opening in ADM mode.\n",
+ dlci->addr);
++ dlci->mode = DLCI_MODE_ADM;
+ gsm_dlci_open(dlci);
+ } else {
+ gsm_dlci_close(dlci);
+@@ -2881,11 +2891,22 @@ static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk)
+ static int gsm_carrier_raised(struct tty_port *port)
+ {
+ struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
++ struct gsm_mux *gsm = dlci->gsm;
++
+ /* Not yet open so no carrier info */
+ if (dlci->state != DLCI_OPEN)
+ return 0;
+ if (debug & 2)
+ return 1;
++
++ /*
++ * Basic mode with control channel in ADM mode may not respond
++ * to CMD_MSC at all and modem_rx is empty.
++ */
++ if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM &&
++ !dlci->modem_rx)
++ return 1;
++
+ return dlci->modem_rx & TIOCM_CD;
+ }
+
+diff --git a/drivers/tty/serial/serial_mctrl_gpio.c b/drivers/tty/serial/serial_mctrl_gpio.c
+index 3eb57eb532f1..02147361eaa9 100644
+--- a/drivers/tty/serial/serial_mctrl_gpio.c
++++ b/drivers/tty/serial/serial_mctrl_gpio.c
+@@ -20,6 +20,7 @@
+ #include <linux/gpio/consumer.h>
+ #include <linux/termios.h>
+ #include <linux/serial_core.h>
++#include <linux/module.h>
+
+ #include "serial_mctrl_gpio.h"
+
+@@ -193,6 +194,7 @@ struct mctrl_gpios *mctrl_gpio_init(struct uart_port *port, unsigned int idx)
+
+ return gpios;
+ }
++EXPORT_SYMBOL_GPL(mctrl_gpio_init);
+
+ void mctrl_gpio_free(struct device *dev, struct mctrl_gpios *gpios)
+ {
+@@ -247,3 +249,6 @@ void mctrl_gpio_disable_ms(struct mctrl_gpios *gpios)
+ disable_irq(gpios->irq[i]);
+ }
+ }
++EXPORT_SYMBOL_GPL(mctrl_gpio_disable_ms);
++
++MODULE_LICENSE("GPL");
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 89fd20382ce4..198451fa9e5d 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -3154,7 +3154,10 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
+
+ kref_init(&tty->kref);
+ tty->magic = TTY_MAGIC;
+- tty_ldisc_init(tty);
++ if (tty_ldisc_init(tty)) {
++ kfree(tty);
++ return NULL;
++ }
+ tty->session = NULL;
+ tty->pgrp = NULL;
+ mutex_init(&tty->legacy_mutex);
+diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
+index 9bee25cfa0be..d9e013dc2c08 100644
+--- a/drivers/tty/tty_ldisc.c
++++ b/drivers/tty/tty_ldisc.c
+@@ -168,12 +168,11 @@ static struct tty_ldisc *tty_ldisc_get(struct tty_struct *tty, int disc)
+ return ERR_CAST(ldops);
+ }
+
+- ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL);
+- if (ld == NULL) {
+- put_ldops(ldops);
+- return ERR_PTR(-ENOMEM);
+- }
+-
++ /*
++ * There is no way to handle allocation failure of only 16 bytes.
++ * Let's simplify error handling and save more memory.
++ */
++ ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL | __GFP_NOFAIL);
+ ld->ops = ldops;
+ ld->tty = tty;
+
+@@ -804,12 +803,13 @@ void tty_ldisc_release(struct tty_struct *tty)
+ * the tty structure is not completely set up when this call is made.
+ */
+
+-void tty_ldisc_init(struct tty_struct *tty)
++int tty_ldisc_init(struct tty_struct *tty)
+ {
+ struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY);
+ if (IS_ERR(ld))
+- panic("n_tty: init_tty");
++ return PTR_ERR(ld);
+ tty->ldisc = ld;
++ return 0;
+ }
+
+ /**
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 87a83d925eea..9c4f9b6e57e2 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -2339,6 +2339,7 @@ void usb_hcd_resume_root_hub (struct usb_hcd *hcd)
+
+ spin_lock_irqsave (&hcd_root_hub_lock, flags);
+ if (hcd->rh_registered) {
++ pm_wakeup_event(&hcd->self.root_hub->dev, 0);
+ set_bit(HCD_FLAG_WAKEUP_PENDING, &hcd->flags);
+ queue_work(pm_wq, &hcd->wakeup_work);
+ }
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 0f38f577c047..6d84f6c8fbe6 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -632,12 +632,17 @@ void usb_wakeup_notification(struct usb_device *hdev,
+ unsigned int portnum)
+ {
+ struct usb_hub *hub;
++ struct usb_port *port_dev;
+
+ if (!hdev)
+ return;
+
+ hub = usb_hub_to_struct_hub(hdev);
+ if (hub) {
++ port_dev = hub->ports[portnum - 1];
++ if (port_dev && port_dev->child)
++ pm_wakeup_event(&port_dev->child->dev, 0);
++
+ set_bit(portnum, hub->wakeup_bits);
+ kick_hub_wq(hub);
+ }
+@@ -3361,8 +3366,11 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg)
+
+ /* Skip the initial Clear-Suspend step for a remote wakeup */
+ status = hub_port_status(hub, port1, &portstatus, &portchange);
+- if (status == 0 && !port_is_suspended(hub, portstatus))
++ if (status == 0 && !port_is_suspended(hub, portstatus)) {
++ if (portchange & USB_PORT_STAT_C_SUSPEND)
++ pm_wakeup_event(&udev->dev, 0);
+ goto SuspendCleared;
++ }
+
+ /* see 7.1.7.7; affects power usage, but not budgeting */
+ if (hub_is_superspeed(hub->hdev))
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 4f1c6f8d4352..40ce175655e6 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -45,6 +45,9 @@ static const struct usb_device_id usb_quirk_list[] = {
+ { USB_DEVICE(0x03f0, 0x0701), .driver_info =
+ USB_QUIRK_STRING_FETCH_255 },
+
++ /* HP v222w 16GB Mini USB Drive */
++ { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT },
++
+ /* Creative SB Audigy 2 NX */
+ { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
+
+diff --git a/drivers/usb/serial/Kconfig b/drivers/usb/serial/Kconfig
+index 584ae8cbaf1c..77c3ebe860c5 100644
+--- a/drivers/usb/serial/Kconfig
++++ b/drivers/usb/serial/Kconfig
+@@ -62,6 +62,7 @@ config USB_SERIAL_SIMPLE
+ - Fundamental Software dongle.
+ - Google USB serial devices
+ - HP4x calculators
++ - Libtransistor USB console
+ - a number of Motorola phones
+ - Motorola Tetra devices
+ - Novatel Wireless GPS receivers
+diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
+index 64a4427678b0..32cadca198b2 100644
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -210,6 +210,7 @@ static const struct usb_device_id id_table[] = {
+ { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
+ { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */
+ { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */
++ { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */
+ { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */
+ { } /* Terminating Entry */
+ };
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index a224c7a3ce09..3e5b189a79b4 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1911,7 +1911,8 @@ static int ftdi_8u2232c_probe(struct usb_serial *serial)
+ return ftdi_jtag_probe(serial);
+
+ if (udev->product &&
+- (!strcmp(udev->product, "BeagleBone/XDS100V2") ||
++ (!strcmp(udev->product, "Arrow USB Blaster") ||
++ !strcmp(udev->product, "BeagleBone/XDS100V2") ||
+ !strcmp(udev->product, "SNAP Connect E10")))
+ return ftdi_jtag_probe(serial);
+
+diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
+index 6aa7ff2c1cf7..2674da40d9cd 100644
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -66,6 +66,11 @@ DEVICE(flashloader, FLASHLOADER_IDS);
+ 0x01) }
+ DEVICE(google, GOOGLE_IDS);
+
++/* Libtransistor USB console */
++#define LIBTRANSISTOR_IDS() \
++ { USB_DEVICE(0x1209, 0x8b00) }
++DEVICE(libtransistor, LIBTRANSISTOR_IDS);
++
+ /* ViVOpay USB Serial Driver */
+ #define VIVOPAY_IDS() \
+ { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */
+@@ -113,6 +118,7 @@ static struct usb_serial_driver * const serial_drivers[] = {
+ &funsoft_device,
+ &flashloader_device,
+ &google_device,
++ &libtransistor_device,
+ &vivopay_device,
+ &moto_modem_device,
+ &motorola_tetra_device,
+@@ -129,6 +135,7 @@ static const struct usb_device_id id_table[] = {
+ FUNSOFT_IDS(),
+ FLASHLOADER_IDS(),
+ GOOGLE_IDS(),
++ LIBTRANSISTOR_IDS(),
+ VIVOPAY_IDS(),
+ MOTO_IDS(),
+ MOTOROLA_TETRA_IDS(),
+diff --git a/drivers/usb/usbip/stub_main.c b/drivers/usb/usbip/stub_main.c
+index 325b4c05acdd..f761e02e75c9 100644
+--- a/drivers/usb/usbip/stub_main.c
++++ b/drivers/usb/usbip/stub_main.c
+@@ -201,7 +201,12 @@ static ssize_t rebind_store(struct device_driver *dev, const char *buf,
+ if (!bid)
+ return -ENODEV;
+
++ /* device_attach() callers should hold parent lock for USB */
++ if (bid->udev->dev.parent)
++ device_lock(bid->udev->dev.parent);
+ ret = device_attach(&bid->udev->dev);
++ if (bid->udev->dev.parent)
++ device_unlock(bid->udev->dev.parent);
+ if (ret < 0) {
+ dev_err(&bid->udev->dev, "rebind failed\n");
+ return ret;
+diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
+index f875ccaa55f9..0fc5ace57c0e 100644
+--- a/drivers/usb/usbip/usbip_common.h
++++ b/drivers/usb/usbip/usbip_common.h
+@@ -248,7 +248,7 @@ enum usbip_side {
+ #define SDEV_EVENT_ERROR_SUBMIT (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
+ #define SDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
+
+-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE)
++#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE)
+ #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
+ #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET)
+ #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index 78c51ce913db..c57a94f1c198 100644
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -320,6 +320,7 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ ext4_grpblk_t offset;
+ ext4_grpblk_t next_zero_bit;
++ ext4_grpblk_t max_bit = EXT4_CLUSTERS_PER_GROUP(sb);
+ ext4_fsblk_t blk;
+ ext4_fsblk_t group_first_block;
+
+@@ -337,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
+ /* check whether block bitmap block number is set */
+ blk = ext4_block_bitmap(sb, desc);
+ offset = blk - group_first_block;
+- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+ /* bad block bitmap */
+ return blk;
+
+ /* check whether the inode bitmap block number is set */
+ blk = ext4_inode_bitmap(sb, desc);
+ offset = blk - group_first_block;
+- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
++ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+ /* bad block bitmap */
+ return blk;
+
+ /* check whether the inode table block number is set */
+ blk = ext4_inode_table(sb, desc);
+ offset = blk - group_first_block;
++ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
++ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit)
++ return blk;
+ next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
+ EXT4_B2C(sbi, offset + EXT4_SB(sb)->s_itb_per_group),
+ EXT4_B2C(sbi, offset));
+@@ -416,6 +422,7 @@ struct buffer_head *
+ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
+ {
+ struct ext4_group_desc *desc;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct buffer_head *bh;
+ ext4_fsblk_t bitmap_blk;
+ int err;
+@@ -424,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
+ if (!desc)
+ return ERR_PTR(-EFSCORRUPTED);
+ bitmap_blk = ext4_block_bitmap(sb, desc);
++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
++ ext4_error(sb, "Invalid block bitmap block %llu in "
++ "block_group %u", bitmap_blk, block_group);
++ return ERR_PTR(-EFSCORRUPTED);
++ }
+ bh = sb_getblk(sb, bitmap_blk);
+ if (unlikely(!bh)) {
+ ext4_error(sb, "Cannot get buffer for block bitmap - "
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 403c4bae3e18..4705c21f9d03 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -5380,8 +5380,9 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
+ stop = le32_to_cpu(extent->ee_block);
+
+ /*
+- * In case of left shift, Don't start shifting extents until we make
+- * sure the hole is big enough to accommodate the shift.
++ * For left shifts, make sure the hole on the left is big enough to
++ * accommodate the shift. For right shifts, make sure the last extent
++ * won't be shifted beyond EXT_MAX_BLOCKS.
+ */
+ if (SHIFT == SHIFT_LEFT) {
+ path = ext4_find_extent(inode, start - 1, &path,
+@@ -5401,9 +5402,14 @@ ext4_ext_shift_extents(struct inode *inode, handle_t *handle,
+
+ if ((start == ex_start && shift > ex_start) ||
+ (shift > start - ex_end)) {
+- ext4_ext_drop_refs(path);
+- kfree(path);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto out;
++ }
++ } else {
++ if (shift > EXT_MAX_BLOCKS -
++ (stop + ext4_ext_get_actual_len(extent))) {
++ ret = -EINVAL;
++ goto out;
+ }
+ }
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index e10c12f59c58..9fe55b7d4c2c 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -119,6 +119,7 @@ static struct buffer_head *
+ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
+ {
+ struct ext4_group_desc *desc;
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct buffer_head *bh = NULL;
+ ext4_fsblk_t bitmap_blk;
+ int err;
+@@ -128,6 +129,12 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
+ return ERR_PTR(-EFSCORRUPTED);
+
+ bitmap_blk = ext4_inode_bitmap(sb, desc);
++ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
++ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
++ ext4_error(sb, "Invalid inode bitmap blk %llu in "
++ "block_group %u", bitmap_blk, block_group);
++ return ERR_PTR(-EFSCORRUPTED);
++ }
+ bh = sb_getblk(sb, bitmap_blk);
+ if (unlikely(!bh)) {
+ ext4_error(sb, "Cannot read inode bitmap - "
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index a2e724053919..f3a31f55f372 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -527,6 +527,7 @@ int jbd2_journal_start_reserved(handle_t *handle, unsigned int type,
+ */
+ ret = start_this_handle(journal, handle, GFP_NOFS);
+ if (ret < 0) {
++ handle->h_journal = journal;
+ jbd2_journal_free_reserved(handle);
+ return ret;
+ }
+diff --git a/include/linux/mtd/flashchip.h b/include/linux/mtd/flashchip.h
+index b63fa457febd..3529683f691e 100644
+--- a/include/linux/mtd/flashchip.h
++++ b/include/linux/mtd/flashchip.h
+@@ -85,6 +85,7 @@ struct flchip {
+ unsigned int write_suspended:1;
+ unsigned int erase_suspended:1;
+ unsigned long in_progress_block_addr;
++ unsigned long in_progress_block_mask;
+
+ struct mutex mutex;
+ wait_queue_head_t wq; /* Wait on here when we're waiting for the chip
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index d67ceb3f5958..812cdd8cff22 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -586,7 +586,7 @@ extern int tty_unregister_ldisc(int disc);
+ extern int tty_set_ldisc(struct tty_struct *tty, int ldisc);
+ extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty);
+ extern void tty_ldisc_release(struct tty_struct *tty);
+-extern void tty_ldisc_init(struct tty_struct *tty);
++extern int __must_check tty_ldisc_init(struct tty_struct *tty);
+ extern void tty_ldisc_deinit(struct tty_struct *tty);
+ extern void tty_ldisc_begin(void);
+
+diff --git a/include/linux/virtio.h b/include/linux/virtio.h
+index 8f4d4bfa6d46..d7844d215381 100644
+--- a/include/linux/virtio.h
++++ b/include/linux/virtio.h
+@@ -124,6 +124,9 @@ int virtio_device_freeze(struct virtio_device *dev);
+ int virtio_device_restore(struct virtio_device *dev);
+ #endif
+
++#define virtio_device_for_each_vq(vdev, vq) \
++ list_for_each_entry(vq, &vdev->vqs, list)
++
+ /**
+ * virtio_driver - operations for a virtio I/O driver
+ * @driver: underlying device driver (populate name and owner).
+diff --git a/include/sound/control.h b/include/sound/control.h
+index 21d047f229a1..4142757080f8 100644
+--- a/include/sound/control.h
++++ b/include/sound/control.h
+@@ -22,6 +22,7 @@
+ *
+ */
+
++#include <linux/nospec.h>
+ #include <sound/asound.h>
+
+ #define snd_kcontrol_chip(kcontrol) ((kcontrol)->private_data)
+@@ -147,12 +148,14 @@ int snd_ctl_get_preferred_subdevice(struct snd_card *card, int type);
+
+ static inline unsigned int snd_ctl_get_ioffnum(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
+ {
+- return id->numid - kctl->id.numid;
++ unsigned int ioff = id->numid - kctl->id.numid;
++ return array_index_nospec(ioff, kctl->count);
+ }
+
+ static inline unsigned int snd_ctl_get_ioffidx(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
+ {
+- return id->index - kctl->id.index;
++ unsigned int ioff = id->index - kctl->id.index;
++ return array_index_nospec(ioff, kctl->count);
+ }
+
+ static inline unsigned int snd_ctl_get_ioff(struct snd_kcontrol *kctl, struct snd_ctl_elem_id *id)
+diff --git a/lib/kobject.c b/lib/kobject.c
+index 7cbccd2b4c72..895edb63fba4 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -234,14 +234,12 @@ static int kobject_add_internal(struct kobject *kobj)
+
+ /* be noisy on error issues */
+ if (error == -EEXIST)
+- WARN(1, "%s failed for %s with "
+- "-EEXIST, don't try to register things with "
+- "the same name in the same directory.\n",
+- __func__, kobject_name(kobj));
++ pr_err("%s failed for %s with -EEXIST, don't try to register things with the same name in the same directory.\n",
++ __func__, kobject_name(kobj));
+ else
+- WARN(1, "%s failed for %s (error: %d parent: %s)\n",
+- __func__, kobject_name(kobj), error,
+- parent ? kobject_name(parent) : "'none'");
++ pr_err("%s failed for %s (error: %d parent: %s)\n",
++ __func__, kobject_name(kobj), error,
++ parent ? kobject_name(parent) : "'none'");
+ } else
+ kobj->state_in_sysfs = 1;
+
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index a6b2f2138c9d..ad3c9e96a275 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -2531,6 +2531,11 @@ static int try_write(struct ceph_connection *con)
+ int ret = 1;
+
+ dout("try_write start %p state %lu\n", con, con->state);
++ if (con->state != CON_STATE_PREOPEN &&
++ con->state != CON_STATE_CONNECTING &&
++ con->state != CON_STATE_NEGOTIATING &&
++ con->state != CON_STATE_OPEN)
++ return 0;
+
+ more:
+ dout("try_write out_kvec_bytes %d\n", con->out_kvec_bytes);
+@@ -2556,6 +2561,8 @@ more:
+ }
+
+ more_kvec:
++ BUG_ON(!con->sock);
++
+ /* kvec data queued? */
+ if (con->out_kvec_left) {
+ ret = write_partial_kvec(con);
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index ce2954a31238..3de88974eeb6 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -2727,6 +2727,7 @@ static int snd_pcm_sync_ptr(struct snd_pcm_substream *substream,
+ sync_ptr.s.status.hw_ptr = status->hw_ptr;
+ sync_ptr.s.status.tstamp = status->tstamp;
+ sync_ptr.s.status.suspended_state = status->suspended_state;
++ sync_ptr.s.status.audio_tstamp = status->audio_tstamp;
+ snd_pcm_stream_unlock_irq(substream);
+ if (copy_to_user(_sync_ptr, &sync_ptr, sizeof(sync_ptr)))
+ return -EFAULT;
+diff --git a/sound/core/seq/oss/seq_oss_event.c b/sound/core/seq/oss/seq_oss_event.c
+index c3908862bc8b..86ca584c27b2 100644
+--- a/sound/core/seq/oss/seq_oss_event.c
++++ b/sound/core/seq/oss/seq_oss_event.c
+@@ -26,6 +26,7 @@
+ #include <sound/seq_oss_legacy.h>
+ #include "seq_oss_readq.h"
+ #include "seq_oss_writeq.h"
++#include <linux/nospec.h>
+
+
+ /*
+@@ -287,10 +288,10 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st
+ {
+ struct seq_oss_synthinfo *info;
+
+- if (!snd_seq_oss_synth_is_valid(dp, dev))
++ info = snd_seq_oss_synth_info(dp, dev);
++ if (!info)
+ return -ENXIO;
+
+- info = &dp->synths[dev];
+ switch (info->arg.event_passing) {
+ case SNDRV_SEQ_OSS_PROCESS_EVENTS:
+ if (! info->ch || ch < 0 || ch >= info->nr_voices) {
+@@ -298,6 +299,7 @@ note_on_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, st
+ return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev);
+ }
+
++ ch = array_index_nospec(ch, info->nr_voices);
+ if (note == 255 && info->ch[ch].note >= 0) {
+ /* volume control */
+ int type;
+@@ -347,10 +349,10 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
+ {
+ struct seq_oss_synthinfo *info;
+
+- if (!snd_seq_oss_synth_is_valid(dp, dev))
++ info = snd_seq_oss_synth_info(dp, dev);
++ if (!info)
+ return -ENXIO;
+
+- info = &dp->synths[dev];
+ switch (info->arg.event_passing) {
+ case SNDRV_SEQ_OSS_PROCESS_EVENTS:
+ if (! info->ch || ch < 0 || ch >= info->nr_voices) {
+@@ -358,6 +360,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
+ return set_note_event(dp, dev, SNDRV_SEQ_EVENT_NOTEON, ch, note, vel, ev);
+ }
+
++ ch = array_index_nospec(ch, info->nr_voices);
+ if (info->ch[ch].note >= 0) {
+ note = info->ch[ch].note;
+ info->ch[ch].vel = 0;
+@@ -381,7 +384,7 @@ note_off_event(struct seq_oss_devinfo *dp, int dev, int ch, int note, int vel, s
+ static int
+ set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note, int vel, struct snd_seq_event *ev)
+ {
+- if (! snd_seq_oss_synth_is_valid(dp, dev))
++ if (!snd_seq_oss_synth_info(dp, dev))
+ return -ENXIO;
+
+ ev->type = type;
+@@ -399,7 +402,7 @@ set_note_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int note,
+ static int
+ set_control_event(struct seq_oss_devinfo *dp, int dev, int type, int ch, int param, int val, struct snd_seq_event *ev)
+ {
+- if (! snd_seq_oss_synth_is_valid(dp, dev))
++ if (!snd_seq_oss_synth_info(dp, dev))
+ return -ENXIO;
+
+ ev->type = type;
+diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c
+index b30b2139e3f0..9debd1b8fd28 100644
+--- a/sound/core/seq/oss/seq_oss_midi.c
++++ b/sound/core/seq/oss/seq_oss_midi.c
+@@ -29,6 +29,7 @@
+ #include "../seq_lock.h"
+ #include <linux/init.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
+
+
+ /*
+@@ -315,6 +316,7 @@ get_mididev(struct seq_oss_devinfo *dp, int dev)
+ {
+ if (dev < 0 || dev >= dp->max_mididev)
+ return NULL;
++ dev = array_index_nospec(dev, dp->max_mididev);
+ return get_mdev(dev);
+ }
+
+diff --git a/sound/core/seq/oss/seq_oss_synth.c b/sound/core/seq/oss/seq_oss_synth.c
+index b16dbef04174..ea545f9291b4 100644
+--- a/sound/core/seq/oss/seq_oss_synth.c
++++ b/sound/core/seq/oss/seq_oss_synth.c
+@@ -26,6 +26,7 @@
+ #include <linux/init.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
+
+ /*
+ * constants
+@@ -339,17 +340,13 @@ snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp)
+ dp->max_synthdev = 0;
+ }
+
+-/*
+- * check if the specified device is MIDI mapped device
+- */
+-static int
+-is_midi_dev(struct seq_oss_devinfo *dp, int dev)
++static struct seq_oss_synthinfo *
++get_synthinfo_nospec(struct seq_oss_devinfo *dp, int dev)
+ {
+ if (dev < 0 || dev >= dp->max_synthdev)
+- return 0;
+- if (dp->synths[dev].is_midi)
+- return 1;
+- return 0;
++ return NULL;
++ dev = array_index_nospec(dev, SNDRV_SEQ_OSS_MAX_SYNTH_DEVS);
++ return &dp->synths[dev];
+ }
+
+ /*
+@@ -359,14 +356,20 @@ static struct seq_oss_synth *
+ get_synthdev(struct seq_oss_devinfo *dp, int dev)
+ {
+ struct seq_oss_synth *rec;
+- if (dev < 0 || dev >= dp->max_synthdev)
+- return NULL;
+- if (! dp->synths[dev].opened)
++ struct seq_oss_synthinfo *info = get_synthinfo_nospec(dp, dev);
++
++ if (!info)
+ return NULL;
+- if (dp->synths[dev].is_midi)
+- return &midi_synth_dev;
+- if ((rec = get_sdev(dev)) == NULL)
++ if (!info->opened)
+ return NULL;
++ if (info->is_midi) {
++ rec = &midi_synth_dev;
++ snd_use_lock_use(&rec->use_lock);
++ } else {
++ rec = get_sdev(dev);
++ if (!rec)
++ return NULL;
++ }
+ if (! rec->opened) {
+ snd_use_lock_free(&rec->use_lock);
+ return NULL;
+@@ -402,10 +405,8 @@ snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev)
+ struct seq_oss_synth *rec;
+ struct seq_oss_synthinfo *info;
+
+- if (snd_BUG_ON(dev < 0 || dev >= dp->max_synthdev))
+- return;
+- info = &dp->synths[dev];
+- if (! info->opened)
++ info = get_synthinfo_nospec(dp, dev);
++ if (!info || !info->opened)
+ return;
+ if (info->sysex)
+ info->sysex->len = 0; /* reset sysex */
+@@ -454,12 +455,14 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
+ const char __user *buf, int p, int c)
+ {
+ struct seq_oss_synth *rec;
++ struct seq_oss_synthinfo *info;
+ int rc;
+
+- if (dev < 0 || dev >= dp->max_synthdev)
++ info = get_synthinfo_nospec(dp, dev);
++ if (!info)
+ return -ENXIO;
+
+- if (is_midi_dev(dp, dev))
++ if (info->is_midi)
+ return 0;
+ if ((rec = get_synthdev(dp, dev)) == NULL)
+ return -ENXIO;
+@@ -467,24 +470,25 @@ snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
+ if (rec->oper.load_patch == NULL)
+ rc = -ENXIO;
+ else
+- rc = rec->oper.load_patch(&dp->synths[dev].arg, fmt, buf, p, c);
++ rc = rec->oper.load_patch(&info->arg, fmt, buf, p, c);
+ snd_use_lock_free(&rec->use_lock);
+ return rc;
+ }
+
+ /*
+- * check if the device is valid synth device
++ * check if the device is valid synth device and return the synth info
+ */
+-int
+-snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev)
++struct seq_oss_synthinfo *
++snd_seq_oss_synth_info(struct seq_oss_devinfo *dp, int dev)
+ {
+ struct seq_oss_synth *rec;
++
+ rec = get_synthdev(dp, dev);
+ if (rec) {
+ snd_use_lock_free(&rec->use_lock);
+- return 1;
++ return get_synthinfo_nospec(dp, dev);
+ }
+- return 0;
++ return NULL;
+ }
+
+
+@@ -499,16 +503,18 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
+ int i, send;
+ unsigned char *dest;
+ struct seq_oss_synth_sysex *sysex;
++ struct seq_oss_synthinfo *info;
+
+- if (! snd_seq_oss_synth_is_valid(dp, dev))
++ info = snd_seq_oss_synth_info(dp, dev);
++ if (!info)
+ return -ENXIO;
+
+- sysex = dp->synths[dev].sysex;
++ sysex = info->sysex;
+ if (sysex == NULL) {
+ sysex = kzalloc(sizeof(*sysex), GFP_KERNEL);
+ if (sysex == NULL)
+ return -ENOMEM;
+- dp->synths[dev].sysex = sysex;
++ info->sysex = sysex;
+ }
+
+ send = 0;
+@@ -553,10 +559,12 @@ snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
+ int
+ snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev)
+ {
+- if (! snd_seq_oss_synth_is_valid(dp, dev))
++ struct seq_oss_synthinfo *info = snd_seq_oss_synth_info(dp, dev);
++
++ if (!info)
+ return -EINVAL;
+- snd_seq_oss_fill_addr(dp, ev, dp->synths[dev].arg.addr.client,
+- dp->synths[dev].arg.addr.port);
++ snd_seq_oss_fill_addr(dp, ev, info->arg.addr.client,
++ info->arg.addr.port);
+ return 0;
+ }
+
+@@ -568,16 +576,18 @@ int
+ snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, unsigned long addr)
+ {
+ struct seq_oss_synth *rec;
++ struct seq_oss_synthinfo *info;
+ int rc;
+
+- if (is_midi_dev(dp, dev))
++ info = get_synthinfo_nospec(dp, dev);
++ if (!info || info->is_midi)
+ return -ENXIO;
+ if ((rec = get_synthdev(dp, dev)) == NULL)
+ return -ENXIO;
+ if (rec->oper.ioctl == NULL)
+ rc = -ENXIO;
+ else
+- rc = rec->oper.ioctl(&dp->synths[dev].arg, cmd, addr);
++ rc = rec->oper.ioctl(&info->arg, cmd, addr);
+ snd_use_lock_free(&rec->use_lock);
+ return rc;
+ }
+@@ -589,7 +599,10 @@ snd_seq_oss_synth_ioctl(struct seq_oss_devinfo *dp, int dev, unsigned int cmd, u
+ int
+ snd_seq_oss_synth_raw_event(struct seq_oss_devinfo *dp, int dev, unsigned char *data, struct snd_seq_event *ev)
+ {
+- if (! snd_seq_oss_synth_is_valid(dp, dev) || is_midi_dev(dp, dev))
++ struct seq_oss_synthinfo *info;
++
++ info = snd_seq_oss_synth_info(dp, dev);
++ if (!info || info->is_midi)
+ return -ENXIO;
+ ev->type = SNDRV_SEQ_EVENT_OSS;
+ memcpy(ev->data.raw8.d, data, 8);
+diff --git a/sound/core/seq/oss/seq_oss_synth.h b/sound/core/seq/oss/seq_oss_synth.h
+index 74ac55f166b6..a63f9e22974d 100644
+--- a/sound/core/seq/oss/seq_oss_synth.h
++++ b/sound/core/seq/oss/seq_oss_synth.h
+@@ -37,7 +37,8 @@ void snd_seq_oss_synth_cleanup(struct seq_oss_devinfo *dp);
+ void snd_seq_oss_synth_reset(struct seq_oss_devinfo *dp, int dev);
+ int snd_seq_oss_synth_load_patch(struct seq_oss_devinfo *dp, int dev, int fmt,
+ const char __user *buf, int p, int c);
+-int snd_seq_oss_synth_is_valid(struct seq_oss_devinfo *dp, int dev);
++struct seq_oss_synthinfo *snd_seq_oss_synth_info(struct seq_oss_devinfo *dp,
++ int dev);
+ int snd_seq_oss_synth_sysex(struct seq_oss_devinfo *dp, int dev, unsigned char *buf,
+ struct snd_seq_event *ev);
+ int snd_seq_oss_synth_addr(struct seq_oss_devinfo *dp, int dev, struct snd_seq_event *ev);
+diff --git a/sound/drivers/opl3/opl3_synth.c b/sound/drivers/opl3/opl3_synth.c
+index ddcc1a325a61..42920a243328 100644
+--- a/sound/drivers/opl3/opl3_synth.c
++++ b/sound/drivers/opl3/opl3_synth.c
+@@ -21,6 +21,7 @@
+
+ #include <linux/slab.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ #include <sound/opl3.h>
+ #include <sound/asound_fm.h>
+
+@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v
+ {
+ unsigned short reg_side;
+ unsigned char op_offset;
+- unsigned char voice_offset;
++ unsigned char voice_offset, voice_op;
+
+ unsigned short opl3_reg;
+ unsigned char reg_val;
+@@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd_opl3 * opl3, struct snd_dm_fm_voice * v
+ voice_offset = voice->voice - MAX_OPL2_VOICES;
+ }
+ /* Get register offset of operator */
+- op_offset = snd_opl3_regmap[voice_offset][voice->op];
++ voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES);
++ voice_op = array_index_nospec(voice->op, 4);
++ op_offset = snd_opl3_regmap[voice_offset][voice_op];
+
+ reg_val = 0x00;
+ /* Set amplitude modulation (tremolo) effect */
+diff --git a/sound/pci/asihpi/hpimsginit.c b/sound/pci/asihpi/hpimsginit.c
+index 7eb617175fde..a31a70dccecf 100644
+--- a/sound/pci/asihpi/hpimsginit.c
++++ b/sound/pci/asihpi/hpimsginit.c
+@@ -23,6 +23,7 @@
+
+ #include "hpi_internal.h"
+ #include "hpimsginit.h"
++#include <linux/nospec.h>
+
+ /* The actual message size for each object type */
+ static u16 msg_size[HPI_OBJ_MAXINDEX + 1] = HPI_MESSAGE_SIZE_BY_OBJECT;
+@@ -39,10 +40,12 @@ static void hpi_init_message(struct hpi_message *phm, u16 object,
+ {
+ u16 size;
+
+- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX))
++ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
++ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
+ size = msg_size[object];
+- else
++ } else {
+ size = sizeof(*phm);
++ }
+
+ memset(phm, 0, size);
+ phm->size = size;
+@@ -66,10 +69,12 @@ void hpi_init_response(struct hpi_response *phr, u16 object, u16 function,
+ {
+ u16 size;
+
+- if ((object > 0) && (object <= HPI_OBJ_MAXINDEX))
++ if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) {
++ object = array_index_nospec(object, HPI_OBJ_MAXINDEX + 1);
+ size = res_size[object];
+- else
++ } else {
+ size = sizeof(*phr);
++ }
+
+ memset(phr, 0, sizeof(*phr));
+ phr->size = size;
+diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
+index d17937b92331..7a32abbe0cef 100644
+--- a/sound/pci/asihpi/hpioctl.c
++++ b/sound/pci/asihpi/hpioctl.c
+@@ -33,6 +33,7 @@
+ #include <linux/stringify.h>
+ #include <linux/module.h>
+ #include <linux/vmalloc.h>
++#include <linux/nospec.h>
+
+ #ifdef MODULE_FIRMWARE
+ MODULE_FIRMWARE("asihpi/dsp5000.bin");
+@@ -182,7 +183,8 @@ long asihpi_hpi_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ struct hpi_adapter *pa = NULL;
+
+ if (hm->h.adapter_index < ARRAY_SIZE(adapters))
+- pa = &adapters[hm->h.adapter_index];
++ pa = &adapters[array_index_nospec(hm->h.adapter_index,
++ ARRAY_SIZE(adapters))];
+
+ if (!pa || !pa->adapter || !pa->adapter->type) {
+ hpi_init_response(&hr->r0, hm->h.object,
+diff --git a/sound/pci/hda/hda_hwdep.c b/sound/pci/hda/hda_hwdep.c
+index 57df06e76968..cc009a4a3d1d 100644
+--- a/sound/pci/hda/hda_hwdep.c
++++ b/sound/pci/hda/hda_hwdep.c
+@@ -21,6 +21,7 @@
+ #include <linux/init.h>
+ #include <linux/slab.h>
+ #include <linux/compat.h>
++#include <linux/nospec.h>
+ #include <sound/core.h>
+ #include "hda_codec.h"
+ #include "hda_local.h"
+@@ -51,7 +52,16 @@ static int get_wcap_ioctl(struct hda_codec *codec,
+
+ if (get_user(verb, &arg->verb))
+ return -EFAULT;
+- res = get_wcaps(codec, verb >> 24);
++ /* open-code get_wcaps(verb>>24) with nospec */
++ verb >>= 24;
++ if (verb < codec->core.start_nid ||
++ verb >= codec->core.start_nid + codec->core.num_nodes) {
++ res = 0;
++ } else {
++ verb -= codec->core.start_nid;
++ verb = array_index_nospec(verb, codec->core.num_nodes);
++ res = codec->wcaps[verb];
++ }
+ if (put_user(res, &arg->res))
+ return -EFAULT;
+ return 0;
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 8cb14e27988b..6a789278970e 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -329,6 +329,7 @@ static void alc_fill_eapd_coef(struct hda_codec *codec)
+ break;
+ case 0x10ec0225:
+ case 0x10ec0233:
++ case 0x10ec0235:
+ case 0x10ec0236:
+ case 0x10ec0255:
+ case 0x10ec0256:
+@@ -6296,6 +6297,7 @@ static int patch_alc269(struct hda_codec *codec)
+ case 0x10ec0298:
+ spec->codec_variant = ALC269_TYPE_ALC298;
+ break;
++ case 0x10ec0235:
+ case 0x10ec0255:
+ spec->codec_variant = ALC269_TYPE_ALC255;
+ break;
+diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
+index a4a999a0317e..1a0c0d16a279 100644
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -137,6 +137,7 @@
+ #include <linux/pci.h>
+ #include <linux/math64.h>
+ #include <linux/io.h>
++#include <linux/nospec.h>
+
+ #include <sound/core.h>
+ #include <sound/control.h>
+@@ -5692,40 +5693,43 @@ static int snd_hdspm_channel_info(struct snd_pcm_substream *substream,
+ struct snd_pcm_channel_info *info)
+ {
+ struct hdspm *hdspm = snd_pcm_substream_chip(substream);
++ unsigned int channel = info->channel;
+
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
+- if (snd_BUG_ON(info->channel >= hdspm->max_channels_out)) {
++ if (snd_BUG_ON(channel >= hdspm->max_channels_out)) {
+ dev_info(hdspm->card->dev,
+ "snd_hdspm_channel_info: output channel out of range (%d)\n",
+- info->channel);
++ channel);
+ return -EINVAL;
+ }
+
+- if (hdspm->channel_map_out[info->channel] < 0) {
++ channel = array_index_nospec(channel, hdspm->max_channels_out);
++ if (hdspm->channel_map_out[channel] < 0) {
+ dev_info(hdspm->card->dev,
+ "snd_hdspm_channel_info: output channel %d mapped out\n",
+- info->channel);
++ channel);
+ return -EINVAL;
+ }
+
+- info->offset = hdspm->channel_map_out[info->channel] *
++ info->offset = hdspm->channel_map_out[channel] *
+ HDSPM_CHANNEL_BUFFER_BYTES;
+ } else {
+- if (snd_BUG_ON(info->channel >= hdspm->max_channels_in)) {
++ if (snd_BUG_ON(channel >= hdspm->max_channels_in)) {
+ dev_info(hdspm->card->dev,
+ "snd_hdspm_channel_info: input channel out of range (%d)\n",
+- info->channel);
++ channel);
+ return -EINVAL;
+ }
+
+- if (hdspm->channel_map_in[info->channel] < 0) {
++ channel = array_index_nospec(channel, hdspm->max_channels_in);
++ if (hdspm->channel_map_in[channel] < 0) {
+ dev_info(hdspm->card->dev,
+ "snd_hdspm_channel_info: input channel %d mapped out\n",
+- info->channel);
++ channel);
+ return -EINVAL;
+ }
+
+- info->offset = hdspm->channel_map_in[info->channel] *
++ info->offset = hdspm->channel_map_in[channel] *
+ HDSPM_CHANNEL_BUFFER_BYTES;
+ }
+
+diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
+index fdbc0aa2776a..c253bdf92e36 100644
+--- a/sound/pci/rme9652/rme9652.c
++++ b/sound/pci/rme9652/rme9652.c
+@@ -26,6 +26,7 @@
+ #include <linux/pci.h>
+ #include <linux/module.h>
+ #include <linux/io.h>
++#include <linux/nospec.h>
+
+ #include <sound/core.h>
+ #include <sound/control.h>
+@@ -2036,9 +2037,10 @@ static int snd_rme9652_channel_info(struct snd_pcm_substream *substream,
+ if (snd_BUG_ON(info->channel >= RME9652_NCHANNELS))
+ return -EINVAL;
+
+- if ((chn = rme9652->channel_map[info->channel]) < 0) {
++ chn = rme9652->channel_map[array_index_nospec(info->channel,
++ RME9652_NCHANNELS)];
++ if (chn < 0)
+ return -EINVAL;
+- }
+
+ info->offset = chn * RME9652_CHANNEL_BUFFER_BYTES;
+ info->first = 0;
+diff --git a/sound/soc/fsl/fsl_esai.c b/sound/soc/fsl/fsl_esai.c
+index 59f234e51971..e8adead8be00 100644
+--- a/sound/soc/fsl/fsl_esai.c
++++ b/sound/soc/fsl/fsl_esai.c
+@@ -143,6 +143,13 @@ static int fsl_esai_divisor_cal(struct snd_soc_dai *dai, bool tx, u32 ratio,
+
+ psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8;
+
++ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */
++ if (ratio <= 256) {
++ pm = ratio;
++ fp = 1;
++ goto out;
++ }
++
+ /* Set the max fluctuation -- 0.1% of the max devisor */
+ savesub = (psr ? 1 : 8) * 256 * maxfp / 1000;
+
+diff --git a/sound/usb/mixer_maps.c b/sound/usb/mixer_maps.c
+index 1f8fb0d904e0..f5cf23ffb35b 100644
+--- a/sound/usb/mixer_maps.c
++++ b/sound/usb/mixer_maps.c
+@@ -351,8 +351,11 @@ static struct usbmix_name_map bose_companion5_map[] = {
+ /*
+ * Dell usb dock with ALC4020 codec had a firmware problem where it got
+ * screwed up when zero volume is passed; just skip it as a workaround
++ *
++ * Also the extension unit gives an access error, so skip it as well.
+ */
+ static const struct usbmix_name_map dell_alc4020_map[] = {
++ { 4, NULL }, /* extension unit */
+ { 16, NULL },
+ { 19, NULL },
+ { 0 }