Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.1 commit in: /
Date: Wed, 12 Oct 2016 19:52:59
Message-Id: 1476301964.4635b6f052c8eab94dec6e8fbb7dbbc8905f83eb.mpagano@gentoo
1 commit: 4635b6f052c8eab94dec6e8fbb7dbbc8905f83eb
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Oct 12 19:52:44 2016 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Oct 12 19:52:44 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=4635b6f0
7
8 Linux patch 4.1.34
9
10 0000_README | 4 +
11 1033_linux-4.1.34.patch | 3255 +++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 3259 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 9a2fbfa..72df015 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -175,6 +175,10 @@ Patch: 1032_linux-4.1.33.patch
19 From: http://www.kernel.org
20 Desc: Linux 4.1.33
21
22 +Patch: 1033_linux-4.1.34.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 4.1.34
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1033_linux-4.1.34.patch b/1033_linux-4.1.34.patch
31 new file mode 100644
32 index 0000000..fffc6fa
33 --- /dev/null
34 +++ b/1033_linux-4.1.34.patch
35 @@ -0,0 +1,3255 @@
36 +diff --git a/Makefile b/Makefile
37 +index 47c47d7c0926..2d4dea4b3107 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 4
42 + PATCHLEVEL = 1
43 +-SUBLEVEL = 33
44 ++SUBLEVEL = 34
45 + EXTRAVERSION =
46 + NAME = Series 4800
47 +
48 +diff --git a/arch/alpha/include/asm/uaccess.h b/arch/alpha/include/asm/uaccess.h
49 +index 9b0d40093c9a..c0ddbbf73400 100644
50 +--- a/arch/alpha/include/asm/uaccess.h
51 ++++ b/arch/alpha/include/asm/uaccess.h
52 +@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, const void *from, long len)
53 + return __cu_len;
54 + }
55 +
56 +-extern inline long
57 +-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
58 +-{
59 +- if (__access_ok((unsigned long)validate, len, get_fs()))
60 +- len = __copy_tofrom_user_nocheck(to, from, len);
61 +- return len;
62 +-}
63 +-
64 + #define __copy_to_user(to, from, n) \
65 + ({ \
66 + __chk_user_ptr(to); \
67 +@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void *from, long len, const void __user *vali
68 + #define __copy_to_user_inatomic __copy_to_user
69 + #define __copy_from_user_inatomic __copy_from_user
70 +
71 +-
72 + extern inline long
73 + copy_to_user(void __user *to, const void *from, long n)
74 + {
75 +- return __copy_tofrom_user((__force void *)to, from, n, to);
76 ++ if (likely(__access_ok((unsigned long)to, n, get_fs())))
77 ++ n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
78 ++ return n;
79 + }
80 +
81 + extern inline long
82 + copy_from_user(void *to, const void __user *from, long n)
83 + {
84 +- return __copy_tofrom_user(to, (__force void *)from, n, from);
85 ++ if (likely(__access_ok((unsigned long)from, n, get_fs())))
86 ++ n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
87 ++ else
88 ++ memset(to, 0, n);
89 ++ return n;
90 + }
91 +
92 + extern void __do_clear_user(void);
93 +diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
94 +index 30c9baffa96f..08770c750696 100644
95 +--- a/arch/arc/include/asm/uaccess.h
96 ++++ b/arch/arc/include/asm/uaccess.h
97 +@@ -83,7 +83,10 @@
98 + "2: ;nop\n" \
99 + " .section .fixup, \"ax\"\n" \
100 + " .align 4\n" \
101 +- "3: mov %0, %3\n" \
102 ++ "3: # return -EFAULT\n" \
103 ++ " mov %0, %3\n" \
104 ++ " # zero out dst ptr\n" \
105 ++ " mov %1, 0\n" \
106 + " j 2b\n" \
107 + " .previous\n" \
108 + " .section __ex_table, \"a\"\n" \
109 +@@ -101,7 +104,11 @@
110 + "2: ;nop\n" \
111 + " .section .fixup, \"ax\"\n" \
112 + " .align 4\n" \
113 +- "3: mov %0, %3\n" \
114 ++ "3: # return -EFAULT\n" \
115 ++ " mov %0, %3\n" \
116 ++ " # zero out dst ptr\n" \
117 ++ " mov %1, 0\n" \
118 ++ " mov %R1, 0\n" \
119 + " j 2b\n" \
120 + " .previous\n" \
121 + " .section __ex_table, \"a\"\n" \
122 +diff --git a/arch/arm/boot/dts/kirkwood-ib62x0.dts b/arch/arm/boot/dts/kirkwood-ib62x0.dts
123 +index bfa5edde179c..2c1e7f09205f 100644
124 +--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
125 ++++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
126 +@@ -113,7 +113,7 @@
127 +
128 + partition@e0000 {
129 + label = "u-boot environment";
130 +- reg = <0xe0000 0x100000>;
131 ++ reg = <0xe0000 0x20000>;
132 + };
133 +
134 + partition@100000 {
135 +diff --git a/arch/arm/boot/dts/stih410.dtsi b/arch/arm/boot/dts/stih410.dtsi
136 +index 208b5e89036a..f7b2c8defe56 100644
137 +--- a/arch/arm/boot/dts/stih410.dtsi
138 ++++ b/arch/arm/boot/dts/stih410.dtsi
139 +@@ -33,7 +33,8 @@
140 + compatible = "st,st-ohci-300x";
141 + reg = <0x9a03c00 0x100>;
142 + interrupts = <GIC_SPI 180 IRQ_TYPE_NONE>;
143 +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
144 ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
145 ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
146 + resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
147 + <&softreset STIH407_USB2_PORT0_SOFTRESET>;
148 + reset-names = "power", "softreset";
149 +@@ -47,7 +48,8 @@
150 + interrupts = <GIC_SPI 151 IRQ_TYPE_NONE>;
151 + pinctrl-names = "default";
152 + pinctrl-0 = <&pinctrl_usb0>;
153 +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
154 ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
155 ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
156 + resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
157 + <&softreset STIH407_USB2_PORT0_SOFTRESET>;
158 + reset-names = "power", "softreset";
159 +@@ -59,7 +61,8 @@
160 + compatible = "st,st-ohci-300x";
161 + reg = <0x9a83c00 0x100>;
162 + interrupts = <GIC_SPI 181 IRQ_TYPE_NONE>;
163 +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
164 ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
165 ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
166 + resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
167 + <&softreset STIH407_USB2_PORT1_SOFTRESET>;
168 + reset-names = "power", "softreset";
169 +@@ -73,7 +76,8 @@
170 + interrupts = <GIC_SPI 153 IRQ_TYPE_NONE>;
171 + pinctrl-names = "default";
172 + pinctrl-0 = <&pinctrl_usb1>;
173 +- clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
174 ++ clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
175 ++ <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
176 + resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
177 + <&softreset STIH407_USB2_PORT1_SOFTRESET>;
178 + reset-names = "power", "softreset";
179 +diff --git a/arch/arm/crypto/aes-ce-glue.c b/arch/arm/crypto/aes-ce-glue.c
180 +index b445a5d56f43..593da7ffb449 100644
181 +--- a/arch/arm/crypto/aes-ce-glue.c
182 ++++ b/arch/arm/crypto/aes-ce-glue.c
183 +@@ -279,7 +279,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct scatterlist *dst,
184 + err = blkcipher_walk_done(desc, &walk,
185 + walk.nbytes % AES_BLOCK_SIZE);
186 + }
187 +- if (nbytes) {
188 ++ if (walk.nbytes % AES_BLOCK_SIZE) {
189 + u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
190 + u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
191 + u8 __aligned(8) tail[AES_BLOCK_SIZE];
192 +diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
193 +index 5414081c0bbf..87b2663a5564 100644
194 +--- a/arch/arm/kvm/arm.c
195 ++++ b/arch/arm/kvm/arm.c
196 +@@ -154,8 +154,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
197 + {
198 + int i;
199 +
200 +- kvm_free_stage2_pgd(kvm);
201 +-
202 + for (i = 0; i < KVM_MAX_VCPUS; ++i) {
203 + if (kvm->vcpus[i]) {
204 + kvm_arch_vcpu_free(kvm->vcpus[i]);
205 +diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
206 +index 691ea94897fd..a33af44230da 100644
207 +--- a/arch/arm/kvm/mmu.c
208 ++++ b/arch/arm/kvm/mmu.c
209 +@@ -1850,6 +1850,7 @@ void kvm_arch_memslots_updated(struct kvm *kvm)
210 +
211 + void kvm_arch_flush_shadow_all(struct kvm *kvm)
212 + {
213 ++ kvm_free_stage2_pgd(kvm);
214 + }
215 +
216 + void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
217 +diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
218 +index 6a7c6fc780cc..4627c862beac 100644
219 +--- a/arch/arm/mach-imx/pm-imx6.c
220 ++++ b/arch/arm/mach-imx/pm-imx6.c
221 +@@ -288,7 +288,7 @@ int imx6q_set_lpm(enum mxc_cpu_pwr_mode mode)
222 + val |= 0x3 << BP_CLPCR_STBY_COUNT;
223 + val |= BM_CLPCR_VSTBY;
224 + val |= BM_CLPCR_SBYOS;
225 +- if (cpu_is_imx6sl())
226 ++ if (cpu_is_imx6sl() || cpu_is_imx6sx())
227 + val |= BM_CLPCR_BYPASS_PMIC_READY;
228 + if (cpu_is_imx6sl() || cpu_is_imx6sx())
229 + val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
230 +diff --git a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
231 +index 4e8e93c398db..808c8e59000d 100644
232 +--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
233 ++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
234 +@@ -724,8 +724,20 @@ static struct omap_hwmod omap3xxx_dss_dispc_hwmod = {
235 + * display serial interface controller
236 + */
237 +
238 ++static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
239 ++ .rev_offs = 0x0000,
240 ++ .sysc_offs = 0x0010,
241 ++ .syss_offs = 0x0014,
242 ++ .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
243 ++ SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
244 ++ SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
245 ++ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
246 ++ .sysc_fields = &omap_hwmod_sysc_type1,
247 ++};
248 ++
249 + static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
250 + .name = "dsi",
251 ++ .sysc = &omap3xxx_dsi_sysc,
252 + };
253 +
254 + static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
255 +diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c
256 +index 05d9e16c0dfd..6a51dfccfe71 100644
257 +--- a/arch/arm64/crypto/aes-glue.c
258 ++++ b/arch/arm64/crypto/aes-glue.c
259 +@@ -211,7 +211,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct scatterlist *dst,
260 + err = blkcipher_walk_done(desc, &walk,
261 + walk.nbytes % AES_BLOCK_SIZE);
262 + }
263 +- if (nbytes) {
264 ++ if (walk.nbytes % AES_BLOCK_SIZE) {
265 + u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
266 + u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
267 + u8 __aligned(8) tail[AES_BLOCK_SIZE];
268 +diff --git a/arch/arm64/include/asm/spinlock.h b/arch/arm64/include/asm/spinlock.h
269 +index cee128732435..d155a9bbfab6 100644
270 +--- a/arch/arm64/include/asm/spinlock.h
271 ++++ b/arch/arm64/include/asm/spinlock.h
272 +@@ -231,4 +231,14 @@ static inline int arch_read_trylock(arch_rwlock_t *rw)
273 + #define arch_read_relax(lock) cpu_relax()
274 + #define arch_write_relax(lock) cpu_relax()
275 +
276 ++/*
277 ++ * Accesses appearing in program order before a spin_lock() operation
278 ++ * can be reordered with accesses inside the critical section, by virtue
279 ++ * of arch_spin_lock being constructed using acquire semantics.
280 ++ *
281 ++ * In cases where this is problematic (e.g. try_to_wake_up), an
282 ++ * smp_mb__before_spinlock() can restore the required ordering.
283 ++ */
284 ++#define smp_mb__before_spinlock() smp_mb()
285 ++
286 + #endif /* __ASM_SPINLOCK_H */
287 +diff --git a/arch/avr32/include/asm/uaccess.h b/arch/avr32/include/asm/uaccess.h
288 +index a46f7cf3e1ea..20b52c40bcd2 100644
289 +--- a/arch/avr32/include/asm/uaccess.h
290 ++++ b/arch/avr32/include/asm/uaccess.h
291 +@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void *to, const void *from,
292 +
293 + extern __kernel_size_t copy_to_user(void __user *to, const void *from,
294 + __kernel_size_t n);
295 +-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
296 ++extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
297 + __kernel_size_t n);
298 +
299 + static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
300 +@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_from_user(void *to,
301 + {
302 + return __copy_user(to, (const void __force *)from, n);
303 + }
304 ++static inline __kernel_size_t copy_from_user(void *to,
305 ++ const void __user *from,
306 ++ __kernel_size_t n)
307 ++{
308 ++ size_t res = ___copy_from_user(to, from, n);
309 ++ if (unlikely(res))
310 ++ memset(to + (n - res), 0, res);
311 ++ return res;
312 ++}
313 +
314 + #define __copy_to_user_inatomic __copy_to_user
315 + #define __copy_from_user_inatomic __copy_from_user
316 +diff --git a/arch/avr32/kernel/avr32_ksyms.c b/arch/avr32/kernel/avr32_ksyms.c
317 +index d93ead02daed..7c6cf14f0985 100644
318 +--- a/arch/avr32/kernel/avr32_ksyms.c
319 ++++ b/arch/avr32/kernel/avr32_ksyms.c
320 +@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
321 + /*
322 + * Userspace access stuff.
323 + */
324 +-EXPORT_SYMBOL(copy_from_user);
325 ++EXPORT_SYMBOL(___copy_from_user);
326 + EXPORT_SYMBOL(copy_to_user);
327 + EXPORT_SYMBOL(__copy_user);
328 + EXPORT_SYMBOL(strncpy_from_user);
329 +diff --git a/arch/avr32/lib/copy_user.S b/arch/avr32/lib/copy_user.S
330 +index ea59c04b07de..075373471da1 100644
331 +--- a/arch/avr32/lib/copy_user.S
332 ++++ b/arch/avr32/lib/copy_user.S
333 +@@ -23,13 +23,13 @@
334 + */
335 + .text
336 + .align 1
337 +- .global copy_from_user
338 +- .type copy_from_user, @function
339 +-copy_from_user:
340 ++ .global ___copy_from_user
341 ++ .type ___copy_from_user, @function
342 ++___copy_from_user:
343 + branch_if_kernel r8, __copy_user
344 + ret_if_privileged r8, r11, r10, r10
345 + rjmp __copy_user
346 +- .size copy_from_user, . - copy_from_user
347 ++ .size ___copy_from_user, . - ___copy_from_user
348 +
349 + .global copy_to_user
350 + .type copy_to_user, @function
351 +diff --git a/arch/blackfin/include/asm/uaccess.h b/arch/blackfin/include/asm/uaccess.h
352 +index 90612a7f2cf3..8cd0184ea9ef 100644
353 +--- a/arch/blackfin/include/asm/uaccess.h
354 ++++ b/arch/blackfin/include/asm/uaccess.h
355 +@@ -177,11 +177,12 @@ static inline int bad_user_access_length(void)
356 + static inline unsigned long __must_check
357 + copy_from_user(void *to, const void __user *from, unsigned long n)
358 + {
359 +- if (access_ok(VERIFY_READ, from, n))
360 ++ if (likely(access_ok(VERIFY_READ, from, n))) {
361 + memcpy(to, (const void __force *)from, n);
362 +- else
363 +- return n;
364 +- return 0;
365 ++ return 0;
366 ++ }
367 ++ memset(to, 0, n);
368 ++ return n;
369 + }
370 +
371 + static inline unsigned long __must_check
372 +diff --git a/arch/cris/include/asm/uaccess.h b/arch/cris/include/asm/uaccess.h
373 +index e3530d0f13ee..56c7d5750abd 100644
374 +--- a/arch/cris/include/asm/uaccess.h
375 ++++ b/arch/cris/include/asm/uaccess.h
376 +@@ -194,30 +194,6 @@ extern unsigned long __copy_user(void __user *to, const void *from, unsigned lon
377 + extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
378 + extern unsigned long __do_clear_user(void __user *to, unsigned long n);
379 +
380 +-static inline unsigned long
381 +-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
382 +-{
383 +- if (access_ok(VERIFY_WRITE, to, n))
384 +- return __copy_user(to, from, n);
385 +- return n;
386 +-}
387 +-
388 +-static inline unsigned long
389 +-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
390 +-{
391 +- if (access_ok(VERIFY_READ, from, n))
392 +- return __copy_user_zeroing(to, from, n);
393 +- return n;
394 +-}
395 +-
396 +-static inline unsigned long
397 +-__generic_clear_user(void __user *to, unsigned long n)
398 +-{
399 +- if (access_ok(VERIFY_WRITE, to, n))
400 +- return __do_clear_user(to, n);
401 +- return n;
402 +-}
403 +-
404 + static inline long
405 + __strncpy_from_user(char *dst, const char __user *src, long count)
406 + {
407 +@@ -282,7 +258,7 @@ __constant_copy_from_user(void *to, const void __user *from, unsigned long n)
408 + else if (n == 24)
409 + __asm_copy_from_user_24(to, from, ret);
410 + else
411 +- ret = __generic_copy_from_user(to, from, n);
412 ++ ret = __copy_user_zeroing(to, from, n);
413 +
414 + return ret;
415 + }
416 +@@ -333,7 +309,7 @@ __constant_copy_to_user(void __user *to, const void *from, unsigned long n)
417 + else if (n == 24)
418 + __asm_copy_to_user_24(to, from, ret);
419 + else
420 +- ret = __generic_copy_to_user(to, from, n);
421 ++ ret = __copy_user(to, from, n);
422 +
423 + return ret;
424 + }
425 +@@ -366,26 +342,43 @@ __constant_clear_user(void __user *to, unsigned long n)
426 + else if (n == 24)
427 + __asm_clear_24(to, ret);
428 + else
429 +- ret = __generic_clear_user(to, n);
430 ++ ret = __do_clear_user(to, n);
431 +
432 + return ret;
433 + }
434 +
435 +
436 +-#define clear_user(to, n) \
437 +- (__builtin_constant_p(n) ? \
438 +- __constant_clear_user(to, n) : \
439 +- __generic_clear_user(to, n))
440 ++static inline size_t clear_user(void __user *to, size_t n)
441 ++{
442 ++ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
443 ++ return n;
444 ++ if (__builtin_constant_p(n))
445 ++ return __constant_clear_user(to, n);
446 ++ else
447 ++ return __do_clear_user(to, n);
448 ++}
449 +
450 +-#define copy_from_user(to, from, n) \
451 +- (__builtin_constant_p(n) ? \
452 +- __constant_copy_from_user(to, from, n) : \
453 +- __generic_copy_from_user(to, from, n))
454 ++static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
455 ++{
456 ++ if (unlikely(!access_ok(VERIFY_READ, from, n))) {
457 ++ memset(to, 0, n);
458 ++ return n;
459 ++ }
460 ++ if (__builtin_constant_p(n))
461 ++ return __constant_copy_from_user(to, from, n);
462 ++ else
463 ++ return __copy_user_zeroing(to, from, n);
464 ++}
465 +
466 +-#define copy_to_user(to, from, n) \
467 +- (__builtin_constant_p(n) ? \
468 +- __constant_copy_to_user(to, from, n) : \
469 +- __generic_copy_to_user(to, from, n))
470 ++static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
471 ++{
472 ++ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
473 ++ return n;
474 ++ if (__builtin_constant_p(n))
475 ++ return __constant_copy_to_user(to, from, n);
476 ++ else
477 ++ return __copy_user(to, from, n);
478 ++}
479 +
480 + /* We let the __ versions of copy_from/to_user inline, because they're often
481 + * used in fast paths and have only a small space overhead.
482 +diff --git a/arch/frv/include/asm/uaccess.h b/arch/frv/include/asm/uaccess.h
483 +index 3ac9a59d65d4..87d9e34c5df8 100644
484 +--- a/arch/frv/include/asm/uaccess.h
485 ++++ b/arch/frv/include/asm/uaccess.h
486 +@@ -263,19 +263,25 @@ do { \
487 + extern long __memset_user(void *dst, unsigned long count);
488 + extern long __memcpy_user(void *dst, const void *src, unsigned long count);
489 +
490 +-#define clear_user(dst,count) __memset_user(____force(dst), (count))
491 ++#define __clear_user(dst,count) __memset_user(____force(dst), (count))
492 + #define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n))
493 + #define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n))
494 +
495 + #else
496 +
497 +-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
498 ++#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
499 + #define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0)
500 + #define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0)
501 +
502 + #endif
503 +
504 +-#define __clear_user clear_user
505 ++static inline unsigned long __must_check
506 ++clear_user(void __user *to, unsigned long n)
507 ++{
508 ++ if (likely(__access_ok(to, n)))
509 ++ n = __clear_user(to, n);
510 ++ return n;
511 ++}
512 +
513 + static inline unsigned long __must_check
514 + __copy_to_user(void __user *to, const void *from, unsigned long n)
515 +diff --git a/arch/hexagon/include/asm/uaccess.h b/arch/hexagon/include/asm/uaccess.h
516 +index e4127e4d6a5b..25fc9049db8a 100644
517 +--- a/arch/hexagon/include/asm/uaccess.h
518 ++++ b/arch/hexagon/include/asm/uaccess.h
519 +@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_user(char *dst, const char __user *src,
520 + {
521 + long res = __strnlen_user(src, n);
522 +
523 +- /* return from strnlen can't be zero -- that would be rubbish. */
524 ++ if (unlikely(!res))
525 ++ return -EFAULT;
526 +
527 + if (res > n) {
528 + copy_from_user(dst, src, n);
529 +diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
530 +index 4f3fb6ccbf21..40c2027a2bf4 100644
531 +--- a/arch/ia64/include/asm/uaccess.h
532 ++++ b/arch/ia64/include/asm/uaccess.h
533 +@@ -263,17 +263,15 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
534 + __cu_len; \
535 + })
536 +
537 +-#define copy_from_user(to, from, n) \
538 +-({ \
539 +- void *__cu_to = (to); \
540 +- const void __user *__cu_from = (from); \
541 +- long __cu_len = (n); \
542 +- \
543 +- __chk_user_ptr(__cu_from); \
544 +- if (__access_ok(__cu_from, __cu_len, get_fs())) \
545 +- __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
546 +- __cu_len; \
547 +-})
548 ++static inline unsigned long
549 ++copy_from_user(void *to, const void __user *from, unsigned long n)
550 ++{
551 ++ if (likely(__access_ok(from, n, get_fs())))
552 ++ n = __copy_user((__force void __user *) to, from, n);
553 ++ else
554 ++ memset(to, 0, n);
555 ++ return n;
556 ++}
557 +
558 + #define __copy_in_user(to, from, size) __copy_user((to), (from), (size))
559 +
560 +diff --git a/arch/m32r/include/asm/uaccess.h b/arch/m32r/include/asm/uaccess.h
561 +index 71adff209405..c66a38d0a895 100644
562 +--- a/arch/m32r/include/asm/uaccess.h
563 ++++ b/arch/m32r/include/asm/uaccess.h
564 +@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_regs *regs);
565 + #define __get_user_nocheck(x, ptr, size) \
566 + ({ \
567 + long __gu_err = 0; \
568 +- unsigned long __gu_val; \
569 ++ unsigned long __gu_val = 0; \
570 + might_fault(); \
571 + __get_user_size(__gu_val, (ptr), (size), __gu_err); \
572 + (x) = (__force __typeof__(*(ptr)))__gu_val; \
573 +diff --git a/arch/metag/include/asm/uaccess.h b/arch/metag/include/asm/uaccess.h
574 +index 8282cbce7e39..273e61225c27 100644
575 +--- a/arch/metag/include/asm/uaccess.h
576 ++++ b/arch/metag/include/asm/uaccess.h
577 +@@ -204,8 +204,9 @@ extern unsigned long __must_check __copy_user_zeroing(void *to,
578 + static inline unsigned long
579 + copy_from_user(void *to, const void __user *from, unsigned long n)
580 + {
581 +- if (access_ok(VERIFY_READ, from, n))
582 ++ if (likely(access_ok(VERIFY_READ, from, n)))
583 + return __copy_user_zeroing(to, from, n);
584 ++ memset(to, 0, n);
585 + return n;
586 + }
587 +
588 +diff --git a/arch/microblaze/include/asm/uaccess.h b/arch/microblaze/include/asm/uaccess.h
589 +index 62942fd12672..0c0a5cfbf79a 100644
590 +--- a/arch/microblaze/include/asm/uaccess.h
591 ++++ b/arch/microblaze/include/asm/uaccess.h
592 +@@ -226,7 +226,7 @@ extern long __user_bad(void);
593 +
594 + #define __get_user(x, ptr) \
595 + ({ \
596 +- unsigned long __gu_val; \
597 ++ unsigned long __gu_val = 0; \
598 + /*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \
599 + long __gu_err; \
600 + switch (sizeof(*(ptr))) { \
601 +@@ -371,10 +371,13 @@ extern long __user_bad(void);
602 + static inline long copy_from_user(void *to,
603 + const void __user *from, unsigned long n)
604 + {
605 ++ unsigned long res = n;
606 + might_fault();
607 +- if (access_ok(VERIFY_READ, from, n))
608 +- return __copy_from_user(to, from, n);
609 +- return n;
610 ++ if (likely(access_ok(VERIFY_READ, from, n)))
611 ++ res = __copy_from_user(to, from, n);
612 ++ if (unlikely(res))
613 ++ memset(to + (n - res), 0, res);
614 ++ return res;
615 + }
616 +
617 + #define __copy_to_user(to, from, n) \
618 +diff --git a/arch/mips/include/asm/asmmacro.h b/arch/mips/include/asm/asmmacro.h
619 +index 6156ac8c4cfb..ab49b14a4be0 100644
620 +--- a/arch/mips/include/asm/asmmacro.h
621 ++++ b/arch/mips/include/asm/asmmacro.h
622 +@@ -135,6 +135,7 @@
623 + ldc1 $f28, THREAD_FPR28(\thread)
624 + ldc1 $f30, THREAD_FPR30(\thread)
625 + ctc1 \tmp, fcr31
626 ++ .set pop
627 + .endm
628 +
629 + .macro fpu_restore_16odd thread
630 +diff --git a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
631 +index 2f82bfa3a773..c9f5769dfc8f 100644
632 +--- a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
633 ++++ b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
634 +@@ -11,11 +11,13 @@
635 + #define CP0_EBASE $15, 1
636 +
637 + .macro kernel_entry_setup
638 ++#ifdef CONFIG_SMP
639 + mfc0 t0, CP0_EBASE
640 + andi t0, t0, 0x3ff # CPUNum
641 + beqz t0, 1f
642 + # CPUs other than zero goto smp_bootstrap
643 + j smp_bootstrap
644 ++#endif /* CONFIG_SMP */
645 +
646 + 1:
647 + .endm
648 +diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
649 +index bf8b32450ef6..bc2f5164ce51 100644
650 +--- a/arch/mips/include/asm/uaccess.h
651 ++++ b/arch/mips/include/asm/uaccess.h
652 +@@ -14,6 +14,7 @@
653 + #include <linux/kernel.h>
654 + #include <linux/errno.h>
655 + #include <linux/thread_info.h>
656 ++#include <linux/string.h>
657 + #include <asm/asm-eva.h>
658 +
659 + /*
660 +@@ -1136,6 +1137,8 @@ extern size_t __copy_in_user_eva(void *__to, const void *__from, size_t __n);
661 + __cu_len = __invoke_copy_from_user(__cu_to, \
662 + __cu_from, \
663 + __cu_len); \
664 ++ } else { \
665 ++ memset(__cu_to, 0, __cu_len); \
666 + } \
667 + } \
668 + __cu_len; \
669 +diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
670 +index e19fa363c8fe..488e50dd2fe6 100644
671 +--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
672 ++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
673 +@@ -1163,7 +1163,9 @@ fpu_emul:
674 + regs->regs[31] = r31;
675 + regs->cp0_epc = epc;
676 + if (!used_math()) { /* First time FPU user. */
677 ++ preempt_disable();
678 + err = init_fpu();
679 ++ preempt_enable();
680 + set_used_math();
681 + }
682 + lose_fpu(1); /* Save FPU state for the emulator. */
683 +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
684 +index 89847bee2b53..44a6f25e902e 100644
685 +--- a/arch/mips/kernel/process.c
686 ++++ b/arch/mips/kernel/process.c
687 +@@ -593,14 +593,14 @@ int mips_set_process_fp_mode(struct task_struct *task, unsigned int value)
688 + return -EOPNOTSUPP;
689 +
690 + /* Avoid inadvertently triggering emulation */
691 +- if ((value & PR_FP_MODE_FR) && cpu_has_fpu &&
692 +- !(current_cpu_data.fpu_id & MIPS_FPIR_F64))
693 ++ if ((value & PR_FP_MODE_FR) && raw_cpu_has_fpu &&
694 ++ !(raw_current_cpu_data.fpu_id & MIPS_FPIR_F64))
695 + return -EOPNOTSUPP;
696 +- if ((value & PR_FP_MODE_FRE) && cpu_has_fpu && !cpu_has_fre)
697 ++ if ((value & PR_FP_MODE_FRE) && raw_cpu_has_fpu && !cpu_has_fre)
698 + return -EOPNOTSUPP;
699 +
700 + /* FR = 0 not supported in MIPS R6 */
701 +- if (!(value & PR_FP_MODE_FR) && cpu_has_fpu && cpu_has_mips_r6)
702 ++ if (!(value & PR_FP_MODE_FR) && raw_cpu_has_fpu && cpu_has_mips_r6)
703 + return -EOPNOTSUPP;
704 +
705 + /* Proceed with the mode switch */
706 +diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c
707 +index 3cef551908f4..a0268f61cd57 100644
708 +--- a/arch/mips/kernel/smp.c
709 ++++ b/arch/mips/kernel/smp.c
710 +@@ -172,6 +172,9 @@ asmlinkage void start_secondary(void)
711 + cpumask_set_cpu(cpu, &cpu_coherent_mask);
712 + notify_cpu_starting(cpu);
713 +
714 ++ cpumask_set_cpu(cpu, &cpu_callin_map);
715 ++ synchronise_count_slave(cpu);
716 ++
717 + set_cpu_online(cpu, true);
718 +
719 + set_cpu_sibling_map(cpu);
720 +@@ -179,10 +182,6 @@ asmlinkage void start_secondary(void)
721 +
722 + calculate_cpu_foreign_map();
723 +
724 +- cpumask_set_cpu(cpu, &cpu_callin_map);
725 +-
726 +- synchronise_count_slave(cpu);
727 +-
728 + /*
729 + * irq will be enabled in ->smp_finish(), enabling it too early
730 + * is dangerous.
731 +diff --git a/arch/mips/kvm/tlb.c b/arch/mips/kvm/tlb.c
732 +index 7a7ed9ca01bb..eff71c75dc27 100644
733 +--- a/arch/mips/kvm/tlb.c
734 ++++ b/arch/mips/kvm/tlb.c
735 +@@ -152,7 +152,7 @@ static int kvm_mips_map_page(struct kvm *kvm, gfn_t gfn)
736 + srcu_idx = srcu_read_lock(&kvm->srcu);
737 + pfn = kvm_mips_gfn_to_pfn(kvm, gfn);
738 +
739 +- if (kvm_mips_is_error_pfn(pfn)) {
740 ++ if (is_error_noslot_pfn(pfn)) {
741 + kvm_err("Couldn't get pfn for gfn %#" PRIx64 "!\n", gfn);
742 + err = -EFAULT;
743 + goto out;
744 +diff --git a/arch/mn10300/include/asm/uaccess.h b/arch/mn10300/include/asm/uaccess.h
745 +index 537278746a15..4af43d9ba495 100644
746 +--- a/arch/mn10300/include/asm/uaccess.h
747 ++++ b/arch/mn10300/include/asm/uaccess.h
748 +@@ -181,6 +181,7 @@ struct __large_struct { unsigned long buf[100]; };
749 + "2:\n" \
750 + " .section .fixup,\"ax\"\n" \
751 + "3:\n\t" \
752 ++ " mov 0,%1\n" \
753 + " mov %3,%0\n" \
754 + " jmp 2b\n" \
755 + " .previous\n" \
756 +diff --git a/arch/mn10300/lib/usercopy.c b/arch/mn10300/lib/usercopy.c
757 +index 7826e6c364e7..ce8899e5e171 100644
758 +--- a/arch/mn10300/lib/usercopy.c
759 ++++ b/arch/mn10300/lib/usercopy.c
760 +@@ -9,7 +9,7 @@
761 + * as published by the Free Software Foundation; either version
762 + * 2 of the Licence, or (at your option) any later version.
763 + */
764 +-#include <asm/uaccess.h>
765 ++#include <linux/uaccess.h>
766 +
767 + unsigned long
768 + __generic_copy_to_user(void *to, const void *from, unsigned long n)
769 +@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const void *from, unsigned long n)
770 + {
771 + if (access_ok(VERIFY_READ, from, n))
772 + __copy_user_zeroing(to, from, n);
773 ++ else
774 ++ memset(to, 0, n);
775 + return n;
776 + }
777 +
778 +diff --git a/arch/nios2/include/asm/uaccess.h b/arch/nios2/include/asm/uaccess.h
779 +index caa51ff85a3c..0ab82324c817 100644
780 +--- a/arch/nios2/include/asm/uaccess.h
781 ++++ b/arch/nios2/include/asm/uaccess.h
782 +@@ -102,9 +102,12 @@ extern long __copy_to_user(void __user *to, const void *from, unsigned long n);
783 + static inline long copy_from_user(void *to, const void __user *from,
784 + unsigned long n)
785 + {
786 +- if (!access_ok(VERIFY_READ, from, n))
787 +- return n;
788 +- return __copy_from_user(to, from, n);
789 ++ unsigned long res = n;
790 ++ if (access_ok(VERIFY_READ, from, n))
791 ++ res = __copy_from_user(to, from, n);
792 ++ if (unlikely(res))
793 ++ memset(to + (n - res), 0, res);
794 ++ return res;
795 + }
796 +
797 + static inline long copy_to_user(void __user *to, const void *from,
798 +@@ -139,7 +142,7 @@ extern long strnlen_user(const char __user *s, long n);
799 +
800 + #define __get_user_unknown(val, size, ptr, err) do { \
801 + err = 0; \
802 +- if (copy_from_user(&(val), ptr, size)) { \
803 ++ if (__copy_from_user(&(val), ptr, size)) { \
804 + err = -EFAULT; \
805 + } \
806 + } while (0)
807 +@@ -166,7 +169,7 @@ do { \
808 + ({ \
809 + long __gu_err = -EFAULT; \
810 + const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
811 +- unsigned long __gu_val; \
812 ++ unsigned long __gu_val = 0; \
813 + __get_user_common(__gu_val, sizeof(*(ptr)), __gu_ptr, __gu_err);\
814 + (x) = (__force __typeof__(x))__gu_val; \
815 + __gu_err; \
816 +diff --git a/arch/openrisc/include/asm/uaccess.h b/arch/openrisc/include/asm/uaccess.h
817 +index a6bd07ca3d6c..5cc6b4f1b795 100644
818 +--- a/arch/openrisc/include/asm/uaccess.h
819 ++++ b/arch/openrisc/include/asm/uaccess.h
820 +@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void *from, unsigned long size);
821 + static inline unsigned long
822 + copy_from_user(void *to, const void *from, unsigned long n)
823 + {
824 +- unsigned long over;
825 +-
826 +- if (access_ok(VERIFY_READ, from, n))
827 +- return __copy_tofrom_user(to, from, n);
828 +- if ((unsigned long)from < TASK_SIZE) {
829 +- over = (unsigned long)from + n - TASK_SIZE;
830 +- return __copy_tofrom_user(to, from, n - over) + over;
831 +- }
832 +- return n;
833 ++ unsigned long res = n;
834 ++
835 ++ if (likely(access_ok(VERIFY_READ, from, n)))
836 ++ res = __copy_tofrom_user(to, from, n);
837 ++ if (unlikely(res))
838 ++ memset(to + (n - res), 0, res);
839 ++ return res;
840 + }
841 +
842 + static inline unsigned long
843 + copy_to_user(void *to, const void *from, unsigned long n)
844 + {
845 +- unsigned long over;
846 +-
847 +- if (access_ok(VERIFY_WRITE, to, n))
848 +- return __copy_tofrom_user(to, from, n);
849 +- if ((unsigned long)to < TASK_SIZE) {
850 +- over = (unsigned long)to + n - TASK_SIZE;
851 +- return __copy_tofrom_user(to, from, n - over) + over;
852 +- }
853 ++ if (likely(access_ok(VERIFY_WRITE, to, n)))
854 ++ n = __copy_tofrom_user(to, from, n);
855 + return n;
856 + }
857 +
858 +@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void *addr, unsigned long size);
859 + static inline __must_check unsigned long
860 + clear_user(void *addr, unsigned long size)
861 + {
862 +-
863 +- if (access_ok(VERIFY_WRITE, addr, size))
864 +- return __clear_user(addr, size);
865 +- if ((unsigned long)addr < TASK_SIZE) {
866 +- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
867 +- return __clear_user(addr, size - over) + over;
868 +- }
869 ++ if (likely(access_ok(VERIFY_WRITE, addr, size)))
870 ++ size = __clear_user(addr, size);
871 + return size;
872 + }
873 +
874 +diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
875 +index 1960b87c1c8b..4ad51465890b 100644
876 +--- a/arch/parisc/include/asm/uaccess.h
877 ++++ b/arch/parisc/include/asm/uaccess.h
878 +@@ -10,6 +10,7 @@
879 + #include <asm-generic/uaccess-unaligned.h>
880 +
881 + #include <linux/bug.h>
882 ++#include <linux/string.h>
883 +
884 + #define VERIFY_READ 0
885 + #define VERIFY_WRITE 1
886 +@@ -245,13 +246,14 @@ static inline unsigned long __must_check copy_from_user(void *to,
887 + unsigned long n)
888 + {
889 + int sz = __compiletime_object_size(to);
890 +- int ret = -EFAULT;
891 ++ unsigned long ret = n;
892 +
893 + if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
894 + ret = __copy_from_user(to, from, n);
895 + else
896 + copy_from_user_overflow();
897 +-
898 ++ if (unlikely(ret))
899 ++ memset(to + (n - ret), 0, ret);
900 + return ret;
901 + }
902 +
903 +diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
904 +index a0c071d24e0e..6fbea25d8c78 100644
905 +--- a/arch/powerpc/include/asm/uaccess.h
906 ++++ b/arch/powerpc/include/asm/uaccess.h
907 +@@ -323,30 +323,17 @@ extern unsigned long __copy_tofrom_user(void __user *to,
908 + static inline unsigned long copy_from_user(void *to,
909 + const void __user *from, unsigned long n)
910 + {
911 +- unsigned long over;
912 +-
913 +- if (access_ok(VERIFY_READ, from, n))
914 ++ if (likely(access_ok(VERIFY_READ, from, n)))
915 + return __copy_tofrom_user((__force void __user *)to, from, n);
916 +- if ((unsigned long)from < TASK_SIZE) {
917 +- over = (unsigned long)from + n - TASK_SIZE;
918 +- return __copy_tofrom_user((__force void __user *)to, from,
919 +- n - over) + over;
920 +- }
921 ++ memset(to, 0, n);
922 + return n;
923 + }
924 +
925 + static inline unsigned long copy_to_user(void __user *to,
926 + const void *from, unsigned long n)
927 + {
928 +- unsigned long over;
929 +-
930 + if (access_ok(VERIFY_WRITE, to, n))
931 + return __copy_tofrom_user(to, (__force void __user *)from, n);
932 +- if ((unsigned long)to < TASK_SIZE) {
933 +- over = (unsigned long)to + n - TASK_SIZE;
934 +- return __copy_tofrom_user(to, (__force void __user *)from,
935 +- n - over) + over;
936 +- }
937 + return n;
938 + }
939 +
940 +@@ -437,10 +424,6 @@ static inline unsigned long clear_user(void __user *addr, unsigned long size)
941 + might_fault();
942 + if (likely(access_ok(VERIFY_WRITE, addr, size)))
943 + return __clear_user(addr, size);
944 +- if ((unsigned long)addr < TASK_SIZE) {
945 +- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
946 +- return __clear_user(addr, size - over) + over;
947 +- }
948 + return size;
949 + }
950 +
951 +diff --git a/arch/powerpc/mm/slb_low.S b/arch/powerpc/mm/slb_low.S
952 +index 736d18b3cefd..4c48b487698c 100644
953 +--- a/arch/powerpc/mm/slb_low.S
954 ++++ b/arch/powerpc/mm/slb_low.S
955 +@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION
956 + END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
957 + b slb_finish_load_1T
958 +
959 +-0:
960 ++0: /*
961 ++ * For userspace addresses, make sure this is region 0.
962 ++ */
963 ++ cmpdi r9, 0
964 ++ bne 8f
965 ++
966 + /* when using slices, we extract the psize off the slice bitmaps
967 + * and then we need to get the sllp encoding off the mmu_psize_defs
968 + * array.
969 +diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
970 +index d64a7a62164f..f6ac1d7e7ed8 100644
971 +--- a/arch/s390/include/asm/uaccess.h
972 ++++ b/arch/s390/include/asm/uaccess.h
973 +@@ -213,28 +213,28 @@ int __put_user_bad(void) __attribute__((noreturn));
974 + __chk_user_ptr(ptr); \
975 + switch (sizeof(*(ptr))) { \
976 + case 1: { \
977 +- unsigned char __x; \
978 ++ unsigned char __x = 0; \
979 + __gu_err = __get_user_fn(&__x, ptr, \
980 + sizeof(*(ptr))); \
981 + (x) = *(__force __typeof__(*(ptr)) *) &__x; \
982 + break; \
983 + }; \
984 + case 2: { \
985 +- unsigned short __x; \
986 ++ unsigned short __x = 0; \
987 + __gu_err = __get_user_fn(&__x, ptr, \
988 + sizeof(*(ptr))); \
989 + (x) = *(__force __typeof__(*(ptr)) *) &__x; \
990 + break; \
991 + }; \
992 + case 4: { \
993 +- unsigned int __x; \
994 ++ unsigned int __x = 0; \
995 + __gu_err = __get_user_fn(&__x, ptr, \
996 + sizeof(*(ptr))); \
997 + (x) = *(__force __typeof__(*(ptr)) *) &__x; \
998 + break; \
999 + }; \
1000 + case 8: { \
1001 +- unsigned long long __x; \
1002 ++ unsigned long long __x = 0; \
1003 + __gu_err = __get_user_fn(&__x, ptr, \
1004 + sizeof(*(ptr))); \
1005 + (x) = *(__force __typeof__(*(ptr)) *) &__x; \
1006 +diff --git a/arch/score/include/asm/uaccess.h b/arch/score/include/asm/uaccess.h
1007 +index ab66ddde777b..69326dfb894d 100644
1008 +--- a/arch/score/include/asm/uaccess.h
1009 ++++ b/arch/score/include/asm/uaccess.h
1010 +@@ -158,7 +158,7 @@ do { \
1011 + __get_user_asm(val, "lw", ptr); \
1012 + break; \
1013 + case 8: \
1014 +- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \
1015 ++ if (__copy_from_user((void *)&val, ptr, 8) == 0) \
1016 + __gu_err = 0; \
1017 + else \
1018 + __gu_err = -EFAULT; \
1019 +@@ -183,6 +183,8 @@ do { \
1020 + \
1021 + if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \
1022 + __get_user_common((x), size, __gu_ptr); \
1023 ++ else \
1024 ++ (x) = 0; \
1025 + \
1026 + __gu_err; \
1027 + })
1028 +@@ -196,6 +198,7 @@ do { \
1029 + "2:\n" \
1030 + ".section .fixup,\"ax\"\n" \
1031 + "3:li %0, %4\n" \
1032 ++ "li %1, 0\n" \
1033 + "j 2b\n" \
1034 + ".previous\n" \
1035 + ".section __ex_table,\"a\"\n" \
1036 +@@ -293,35 +296,34 @@ extern int __copy_tofrom_user(void *to, const void *from, unsigned long len);
1037 + static inline unsigned long
1038 + copy_from_user(void *to, const void *from, unsigned long len)
1039 + {
1040 +- unsigned long over;
1041 ++ unsigned long res = len;
1042 +
1043 +- if (access_ok(VERIFY_READ, from, len))
1044 +- return __copy_tofrom_user(to, from, len);
1045 ++ if (likely(access_ok(VERIFY_READ, from, len)))
1046 ++ res = __copy_tofrom_user(to, from, len);
1047 +
1048 +- if ((unsigned long)from < TASK_SIZE) {
1049 +- over = (unsigned long)from + len - TASK_SIZE;
1050 +- return __copy_tofrom_user(to, from, len - over) + over;
1051 +- }
1052 +- return len;
1053 ++ if (unlikely(res))
1054 ++ memset(to + (len - res), 0, res);
1055 ++
1056 ++ return res;
1057 + }
1058 +
1059 + static inline unsigned long
1060 + copy_to_user(void *to, const void *from, unsigned long len)
1061 + {
1062 +- unsigned long over;
1063 +-
1064 +- if (access_ok(VERIFY_WRITE, to, len))
1065 +- return __copy_tofrom_user(to, from, len);
1066 ++ if (likely(access_ok(VERIFY_WRITE, to, len)))
1067 ++ len = __copy_tofrom_user(to, from, len);
1068 +
1069 +- if ((unsigned long)to < TASK_SIZE) {
1070 +- over = (unsigned long)to + len - TASK_SIZE;
1071 +- return __copy_tofrom_user(to, from, len - over) + over;
1072 +- }
1073 + return len;
1074 + }
1075 +
1076 +-#define __copy_from_user(to, from, len) \
1077 +- __copy_tofrom_user((to), (from), (len))
1078 ++static inline unsigned long
1079 ++__copy_from_user(void *to, const void *from, unsigned long len)
1080 ++{
1081 ++ unsigned long left = __copy_tofrom_user(to, from, len);
1082 ++ if (unlikely(left))
1083 ++ memset(to + (len - left), 0, left);
1084 ++ return left;
1085 ++}
1086 +
1087 + #define __copy_to_user(to, from, len) \
1088 + __copy_tofrom_user((to), (from), (len))
1089 +@@ -335,17 +337,17 @@ __copy_to_user_inatomic(void *to, const void *from, unsigned long len)
1090 + static inline unsigned long
1091 + __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
1092 + {
1093 +- return __copy_from_user(to, from, len);
1094 ++ return __copy_tofrom_user(to, from, len);
1095 + }
1096 +
1097 +-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len)
1098 ++#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len)
1099 +
1100 + static inline unsigned long
1101 + copy_in_user(void *to, const void *from, unsigned long len)
1102 + {
1103 + if (access_ok(VERIFY_READ, from, len) &&
1104 + access_ok(VERFITY_WRITE, to, len))
1105 +- return copy_from_user(to, from, len);
1106 ++ return __copy_tofrom_user(to, from, len);
1107 + }
1108 +
1109 + /*
1110 +diff --git a/arch/sh/include/asm/uaccess.h b/arch/sh/include/asm/uaccess.h
1111 +index a49635c51266..92ade79ac427 100644
1112 +--- a/arch/sh/include/asm/uaccess.h
1113 ++++ b/arch/sh/include/asm/uaccess.h
1114 +@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
1115 + __kernel_size_t __copy_size = (__kernel_size_t) n;
1116 +
1117 + if (__copy_size && __access_ok(__copy_from, __copy_size))
1118 +- return __copy_user(to, from, __copy_size);
1119 ++ __copy_size = __copy_user(to, from, __copy_size);
1120 ++
1121 ++ if (unlikely(__copy_size))
1122 ++ memset(to + (n - __copy_size), 0, __copy_size);
1123 +
1124 + return __copy_size;
1125 + }
1126 +diff --git a/arch/sh/include/asm/uaccess_64.h b/arch/sh/include/asm/uaccess_64.h
1127 +index c01376c76b86..ca5073dd4596 100644
1128 +--- a/arch/sh/include/asm/uaccess_64.h
1129 ++++ b/arch/sh/include/asm/uaccess_64.h
1130 +@@ -24,6 +24,7 @@
1131 + #define __get_user_size(x,ptr,size,retval) \
1132 + do { \
1133 + retval = 0; \
1134 ++ x = 0; \
1135 + switch (size) { \
1136 + case 1: \
1137 + retval = __get_user_asm_b((void *)&x, \
1138 +diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
1139 +index 64ee103dc29d..dfb542c7cc71 100644
1140 +--- a/arch/sparc/include/asm/uaccess_32.h
1141 ++++ b/arch/sparc/include/asm/uaccess_32.h
1142 +@@ -328,8 +328,10 @@ static inline unsigned long copy_from_user(void *to, const void __user *from, un
1143 + {
1144 + if (n && __access_ok((unsigned long) from, n))
1145 + return __copy_user((__force void __user *) to, from, n);
1146 +- else
1147 ++ else {
1148 ++ memset(to, 0, n);
1149 + return n;
1150 ++ }
1151 + }
1152 +
1153 + static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
1154 +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
1155 +index ace9dec050b1..d081e7e42fb3 100644
1156 +--- a/arch/x86/include/asm/uaccess.h
1157 ++++ b/arch/x86/include/asm/uaccess.h
1158 +@@ -391,7 +391,11 @@ do { \
1159 + #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
1160 + asm volatile("1: mov"itype" %1,%"rtype"0\n" \
1161 + "2:\n" \
1162 +- _ASM_EXTABLE_EX(1b, 2b) \
1163 ++ ".section .fixup,\"ax\"\n" \
1164 ++ "3:xor"itype" %"rtype"0,%"rtype"0\n" \
1165 ++ " jmp 2b\n" \
1166 ++ ".previous\n" \
1167 ++ _ASM_EXTABLE_EX(1b, 3b) \
1168 + : ltype(x) : "m" (__m(addr)))
1169 +
1170 + #define __put_user_nocheck(x, ptr, size) \
1171 +diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
1172 +index 0122bec38564..f25799f351f7 100644
1173 +--- a/crypto/blkcipher.c
1174 ++++ b/crypto/blkcipher.c
1175 +@@ -233,6 +233,8 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
1176 + return blkcipher_walk_done(desc, walk, -EINVAL);
1177 + }
1178 +
1179 ++ bsize = min(walk->walk_blocksize, n);
1180 ++
1181 + walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
1182 + BLKCIPHER_WALK_DIFF);
1183 + if (!scatterwalk_aligned(&walk->in, walk->alignmask) ||
1184 +@@ -245,7 +247,6 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
1185 + }
1186 + }
1187 +
1188 +- bsize = min(walk->walk_blocksize, n);
1189 + n = scatterwalk_clamp(&walk->in, n);
1190 + n = scatterwalk_clamp(&walk->out, n);
1191 +
1192 +diff --git a/crypto/cryptd.c b/crypto/cryptd.c
1193 +index b0602ba03111..34e4dfafb94f 100644
1194 +--- a/crypto/cryptd.c
1195 ++++ b/crypto/cryptd.c
1196 +@@ -585,9 +585,14 @@ static int cryptd_hash_export(struct ahash_request *req, void *out)
1197 +
1198 + static int cryptd_hash_import(struct ahash_request *req, const void *in)
1199 + {
1200 +- struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
1201 ++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1202 ++ struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
1203 ++ struct shash_desc *desc = cryptd_shash_desc(req);
1204 ++
1205 ++ desc->tfm = ctx->child;
1206 ++ desc->flags = req->base.flags;
1207 +
1208 +- return crypto_shash_import(&rctx->desc, in);
1209 ++ return crypto_shash_import(desc, in);
1210 + }
1211 +
1212 + static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
1213 +diff --git a/drivers/bus/arm-ccn.c b/drivers/bus/arm-ccn.c
1214 +index 60397ec77ff7..27fd0dacad5f 100644
1215 +--- a/drivers/bus/arm-ccn.c
1216 ++++ b/drivers/bus/arm-ccn.c
1217 +@@ -804,6 +804,10 @@ static void arm_ccn_pmu_xp_dt_config(struct perf_event *event, int enable)
1218 + struct arm_ccn_component *xp;
1219 + u32 val, dt_cfg;
1220 +
1221 ++ /* Nothing to do for cycle counter */
1222 ++ if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER)
1223 ++ return;
1224 ++
1225 + if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP)
1226 + xp = &ccn->xp[CCN_CONFIG_XP(event->attr.config)];
1227 + else
1228 +@@ -901,7 +905,7 @@ static void arm_ccn_pmu_xp_watchpoint_config(struct perf_event *event)
1229 +
1230 + /* Comparison values */
1231 + writel(cmp_l & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_L(wp));
1232 +- writel((cmp_l >> 32) & 0xefffffff,
1233 ++ writel((cmp_l >> 32) & 0x7fffffff,
1234 + source->base + CCN_XP_DT_CMP_VAL_L(wp) + 4);
1235 + writel(cmp_h & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_H(wp));
1236 + writel((cmp_h >> 32) & 0x0fffffff,
1237 +@@ -909,7 +913,7 @@ static void arm_ccn_pmu_xp_watchpoint_config(struct perf_event *event)
1238 +
1239 + /* Mask */
1240 + writel(mask_l & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_L(wp));
1241 +- writel((mask_l >> 32) & 0xefffffff,
1242 ++ writel((mask_l >> 32) & 0x7fffffff,
1243 + source->base + CCN_XP_DT_CMP_MASK_L(wp) + 4);
1244 + writel(mask_h & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_H(wp));
1245 + writel((mask_h >> 32) & 0x0fffffff,
1246 +diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
1247 +index 767d0eaabe97..3101f57492c0 100644
1248 +--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
1249 ++++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
1250 +@@ -316,19 +316,19 @@ atmel_hlcdc_plane_update_pos_and_size(struct atmel_hlcdc_plane *plane,
1251 + u32 *coeff_tab = heo_upscaling_ycoef;
1252 + u32 max_memsize;
1253 +
1254 +- if (state->crtc_w < state->src_w)
1255 ++ if (state->crtc_h < state->src_h)
1256 + coeff_tab = heo_downscaling_ycoef;
1257 + for (i = 0; i < ARRAY_SIZE(heo_upscaling_ycoef); i++)
1258 + atmel_hlcdc_layer_update_cfg(&plane->layer,
1259 + 33 + i,
1260 + 0xffffffff,
1261 + coeff_tab[i]);
1262 +- factor = ((8 * 256 * state->src_w) - (256 * 4)) /
1263 +- state->crtc_w;
1264 ++ factor = ((8 * 256 * state->src_h) - (256 * 4)) /
1265 ++ state->crtc_h;
1266 + factor++;
1267 +- max_memsize = ((factor * state->crtc_w) + (256 * 4)) /
1268 ++ max_memsize = ((factor * state->crtc_h) + (256 * 4)) /
1269 + 2048;
1270 +- if (max_memsize > state->src_w)
1271 ++ if (max_memsize > state->src_h)
1272 + factor--;
1273 + factor_reg |= (factor << 16) | 0x80000000;
1274 + }
1275 +diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
1276 +index 9cfcd0aef0df..92c4698e8427 100644
1277 +--- a/drivers/gpu/drm/drm_ioc32.c
1278 ++++ b/drivers/gpu/drm/drm_ioc32.c
1279 +@@ -1018,6 +1018,7 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
1280 + return 0;
1281 + }
1282 +
1283 ++#if defined(CONFIG_X86) || defined(CONFIG_IA64)
1284 + typedef struct drm_mode_fb_cmd232 {
1285 + u32 fb_id;
1286 + u32 width;
1287 +@@ -1074,6 +1075,7 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd,
1288 +
1289 + return 0;
1290 + }
1291 ++#endif
1292 +
1293 + static drm_ioctl_compat_t *drm_compat_ioctls[] = {
1294 + [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
1295 +@@ -1107,7 +1109,9 @@ static drm_ioctl_compat_t *drm_compat_ioctls[] = {
1296 + [DRM_IOCTL_NR(DRM_IOCTL_UPDATE_DRAW32)] = compat_drm_update_draw,
1297 + #endif
1298 + [DRM_IOCTL_NR(DRM_IOCTL_WAIT_VBLANK32)] = compat_drm_wait_vblank,
1299 ++#if defined(CONFIG_X86) || defined(CONFIG_IA64)
1300 + [DRM_IOCTL_NR(DRM_IOCTL_MODE_ADDFB232)] = compat_drm_mode_addfb2,
1301 ++#endif
1302 + };
1303 +
1304 + /**
1305 +diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c
1306 +index 78c911be115d..6bf81d95a3f4 100644
1307 +--- a/drivers/iio/accel/kxsd9.c
1308 ++++ b/drivers/iio/accel/kxsd9.c
1309 +@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev,
1310 + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
1311 + if (ret < 0)
1312 + goto error_ret;
1313 ++ *val = 0;
1314 + *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
1315 + ret = IIO_VAL_INT_PLUS_MICRO;
1316 + break;
1317 +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
1318 +index ad0a7e8c2c2b..8b8cacbaf20d 100644
1319 +--- a/drivers/net/can/flexcan.c
1320 ++++ b/drivers/net/can/flexcan.c
1321 +@@ -1273,11 +1273,10 @@ static int __maybe_unused flexcan_suspend(struct device *device)
1322 + struct flexcan_priv *priv = netdev_priv(dev);
1323 + int err;
1324 +
1325 +- err = flexcan_chip_disable(priv);
1326 +- if (err)
1327 +- return err;
1328 +-
1329 + if (netif_running(dev)) {
1330 ++ err = flexcan_chip_disable(priv);
1331 ++ if (err)
1332 ++ return err;
1333 + netif_stop_queue(dev);
1334 + netif_device_detach(dev);
1335 + }
1336 +@@ -1290,13 +1289,17 @@ static int __maybe_unused flexcan_resume(struct device *device)
1337 + {
1338 + struct net_device *dev = dev_get_drvdata(device);
1339 + struct flexcan_priv *priv = netdev_priv(dev);
1340 ++ int err;
1341 +
1342 + priv->can.state = CAN_STATE_ERROR_ACTIVE;
1343 + if (netif_running(dev)) {
1344 + netif_device_attach(dev);
1345 + netif_start_queue(dev);
1346 ++ err = flexcan_chip_enable(priv);
1347 ++ if (err)
1348 ++ return err;
1349 + }
1350 +- return flexcan_chip_enable(priv);
1351 ++ return 0;
1352 + }
1353 +
1354 + static SIMPLE_DEV_PM_OPS(flexcan_pm_ops, flexcan_suspend, flexcan_resume);
1355 +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
1356 +index d5f2fbf62d72..534b2b87bd5d 100644
1357 +--- a/drivers/net/wireless/ath/ath9k/main.c
1358 ++++ b/drivers/net/wireless/ath/ath9k/main.c
1359 +@@ -1541,13 +1541,13 @@ static int ath9k_sta_state(struct ieee80211_hw *hw,
1360 + struct ath_common *common = ath9k_hw_common(sc->sc_ah);
1361 + int ret = 0;
1362 +
1363 +- if (old_state == IEEE80211_STA_AUTH &&
1364 +- new_state == IEEE80211_STA_ASSOC) {
1365 ++ if (old_state == IEEE80211_STA_NOTEXIST &&
1366 ++ new_state == IEEE80211_STA_NONE) {
1367 + ret = ath9k_sta_add(hw, vif, sta);
1368 + ath_dbg(common, CONFIG,
1369 + "Add station: %pM\n", sta->addr);
1370 +- } else if (old_state == IEEE80211_STA_ASSOC &&
1371 +- new_state == IEEE80211_STA_AUTH) {
1372 ++ } else if (old_state == IEEE80211_STA_NONE &&
1373 ++ new_state == IEEE80211_STA_NOTEXIST) {
1374 + ret = ath9k_sta_remove(hw, vif, sta);
1375 + ath_dbg(common, CONFIG,
1376 + "Remove station: %pM\n", sta->addr);
1377 +diff --git a/drivers/scsi/constants.c b/drivers/scsi/constants.c
1378 +index fa09d4be2b53..2b456ca69d5c 100644
1379 +--- a/drivers/scsi/constants.c
1380 ++++ b/drivers/scsi/constants.c
1381 +@@ -1181,8 +1181,9 @@ static const char * const snstext[] = {
1382 +
1383 + /* Get sense key string or NULL if not available */
1384 + const char *
1385 +-scsi_sense_key_string(unsigned char key) {
1386 +- if (key <= 0xE)
1387 ++scsi_sense_key_string(unsigned char key)
1388 ++{
1389 ++ if (key < ARRAY_SIZE(snstext))
1390 + return snstext[key];
1391 + return NULL;
1392 + }
1393 +diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
1394 +index d93e43cfb6f8..ebcf40c2f12b 100644
1395 +--- a/drivers/usb/chipidea/udc.c
1396 ++++ b/drivers/usb/chipidea/udc.c
1397 +@@ -939,6 +939,15 @@ static int isr_setup_status_phase(struct ci_hdrc *ci)
1398 + int retval;
1399 + struct ci_hw_ep *hwep;
1400 +
1401 ++ /*
1402 ++ * Unexpected USB controller behavior, caused by bad signal integrity
1403 ++ * or ground reference problems, can lead to isr_setup_status_phase
1404 ++ * being called with ci->status equal to NULL.
1405 ++ * If this situation occurs, you should review your USB hardware design.
1406 ++ */
1407 ++ if (WARN_ON_ONCE(!ci->status))
1408 ++ return -EPIPE;
1409 ++
1410 + hwep = (ci->ep0_dir == TX) ? ci->ep0out : ci->ep0in;
1411 + ci->status->context = ci;
1412 + ci->status->complete = isr_setup_status_complete;
1413 +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
1414 +index 894894f2ff93..81336acc7040 100644
1415 +--- a/drivers/usb/core/config.c
1416 ++++ b/drivers/usb/core/config.c
1417 +@@ -184,8 +184,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
1418 + memcpy(&endpoint->desc, d, n);
1419 + INIT_LIST_HEAD(&endpoint->urb_list);
1420 +
1421 +- /* Fix up bInterval values outside the legal range. Use 32 ms if no
1422 +- * proper value can be guessed. */
1423 ++ /*
1424 ++ * Fix up bInterval values outside the legal range.
1425 ++ * Use 10 or 8 ms if no proper value can be guessed.
1426 ++ */
1427 + i = 0; /* i = min, j = max, n = default */
1428 + j = 255;
1429 + if (usb_endpoint_xfer_int(d)) {
1430 +@@ -193,13 +195,15 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
1431 + switch (to_usb_device(ddev)->speed) {
1432 + case USB_SPEED_SUPER:
1433 + case USB_SPEED_HIGH:
1434 +- /* Many device manufacturers are using full-speed
1435 ++ /*
1436 ++ * Many device manufacturers are using full-speed
1437 + * bInterval values in high-speed interrupt endpoint
1438 +- * descriptors. Try to fix those and fall back to a
1439 +- * 32 ms default value otherwise. */
1440 ++ * descriptors. Try to fix those and fall back to an
1441 ++ * 8-ms default value otherwise.
1442 ++ */
1443 + n = fls(d->bInterval*8);
1444 + if (n == 0)
1445 +- n = 9; /* 32 ms = 2^(9-1) uframes */
1446 ++ n = 7; /* 8 ms = 2^(7-1) uframes */
1447 + j = 16;
1448 +
1449 + /*
1450 +@@ -214,10 +218,12 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
1451 + }
1452 + break;
1453 + default: /* USB_SPEED_FULL or _LOW */
1454 +- /* For low-speed, 10 ms is the official minimum.
1455 ++ /*
1456 ++ * For low-speed, 10 ms is the official minimum.
1457 + * But some "overclocked" devices might want faster
1458 +- * polling so we'll allow it. */
1459 +- n = 32;
1460 ++ * polling so we'll allow it.
1461 ++ */
1462 ++ n = 10;
1463 + break;
1464 + }
1465 + } else if (usb_endpoint_xfer_isoc(d)) {
1466 +@@ -225,10 +231,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
1467 + j = 16;
1468 + switch (to_usb_device(ddev)->speed) {
1469 + case USB_SPEED_HIGH:
1470 +- n = 9; /* 32 ms = 2^(9-1) uframes */
1471 ++ n = 7; /* 8 ms = 2^(7-1) uframes */
1472 + break;
1473 + default: /* USB_SPEED_FULL */
1474 +- n = 6; /* 32 ms = 2^(6-1) frames */
1475 ++ n = 4; /* 8 ms = 2^(4-1) frames */
1476 + break;
1477 + }
1478 + }
1479 +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
1480 +index f7e917866e05..6a2911743829 100644
1481 +--- a/drivers/usb/host/xhci-ring.c
1482 ++++ b/drivers/usb/host/xhci-ring.c
1483 +@@ -846,6 +846,10 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
1484 + spin_lock_irqsave(&xhci->lock, flags);
1485 +
1486 + ep->stop_cmds_pending--;
1487 ++ if (xhci->xhc_state & XHCI_STATE_REMOVING) {
1488 ++ spin_unlock_irqrestore(&xhci->lock, flags);
1489 ++ return;
1490 ++ }
1491 + if (xhci->xhc_state & XHCI_STATE_DYING) {
1492 + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
1493 + "Stop EP timer ran, but another timer marked "
1494 +@@ -899,7 +903,7 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
1495 + spin_unlock_irqrestore(&xhci->lock, flags);
1496 + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
1497 + "Calling usb_hc_died()");
1498 +- usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
1499 ++ usb_hc_died(xhci_to_hcd(xhci));
1500 + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
1501 + "xHCI host controller is dead.");
1502 + }
1503 +diff --git a/drivers/usb/renesas_usbhs/mod.c b/drivers/usb/renesas_usbhs/mod.c
1504 +index 9a705b15b3a1..cf274b8c63fe 100644
1505 +--- a/drivers/usb/renesas_usbhs/mod.c
1506 ++++ b/drivers/usb/renesas_usbhs/mod.c
1507 +@@ -277,9 +277,16 @@ static irqreturn_t usbhs_interrupt(int irq, void *data)
1508 + usbhs_write(priv, INTSTS0, ~irq_state.intsts0 & INTSTS0_MAGIC);
1509 + usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
1510 +
1511 +- usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
1512 ++ /*
1513 ++ * The driver should not clear the xxxSTS after the line of
1514 ++ * "call irq callback functions" because each "if" statement is
1515 ++ * possible to call the callback function for avoiding any side effects.
1516 ++ */
1517 ++ if (irq_state.intsts0 & BRDY)
1518 ++ usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
1519 + usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
1520 +- usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
1521 ++ if (irq_state.intsts0 & BEMP)
1522 ++ usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
1523 +
1524 + /*
1525 + * call irq callback functions
1526 +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
1527 +index a204782ae530..e98b6e57b703 100644
1528 +--- a/drivers/usb/serial/usb-serial-simple.c
1529 ++++ b/drivers/usb/serial/usb-serial-simple.c
1530 +@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
1531 + /* Infineon Flashloader driver */
1532 + #define FLASHLOADER_IDS() \
1533 + { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
1534 +- { USB_DEVICE(0x8087, 0x0716) }
1535 ++ { USB_DEVICE(0x8087, 0x0716) }, \
1536 ++ { USB_DEVICE(0x8087, 0x0801) }
1537 + DEVICE(flashloader, FLASHLOADER_IDS);
1538 +
1539 + /* Google Serial USB SubClass */
1540 +diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h
1541 +index 5b700ef1e59d..6196b5eaf9a5 100644
1542 +--- a/fs/autofs4/autofs_i.h
1543 ++++ b/fs/autofs4/autofs_i.h
1544 +@@ -79,9 +79,13 @@ struct autofs_info {
1545 + };
1546 +
1547 + #define AUTOFS_INF_EXPIRING (1<<0) /* dentry is in the process of expiring */
1548 +-#define AUTOFS_INF_NO_RCU (1<<1) /* the dentry is being considered
1549 ++#define AUTOFS_INF_WANT_EXPIRE (1<<1) /* the dentry is being considered
1550 + * for expiry, so RCU_walk is
1551 +- * not permitted
1552 ++ * not permitted. If it progresses to
1553 ++ * actual expiry attempt, the flag is
1554 ++ * not cleared when EXPIRING is set -
1555 ++ * in that case it gets cleared only
1556 ++ * when it comes to clearing EXPIRING.
1557 + */
1558 + #define AUTOFS_INF_PENDING (1<<2) /* dentry pending mount */
1559 +
1560 +diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
1561 +index 1cebc3c52fa5..7a5a598a2d94 100644
1562 +--- a/fs/autofs4/expire.c
1563 ++++ b/fs/autofs4/expire.c
1564 +@@ -315,19 +315,17 @@ struct dentry *autofs4_expire_direct(struct super_block *sb,
1565 + if (ino->flags & AUTOFS_INF_PENDING)
1566 + goto out;
1567 + if (!autofs4_direct_busy(mnt, root, timeout, do_now)) {
1568 +- ino->flags |= AUTOFS_INF_NO_RCU;
1569 ++ ino->flags |= AUTOFS_INF_WANT_EXPIRE;
1570 + spin_unlock(&sbi->fs_lock);
1571 + synchronize_rcu();
1572 + spin_lock(&sbi->fs_lock);
1573 + if (!autofs4_direct_busy(mnt, root, timeout, do_now)) {
1574 + ino->flags |= AUTOFS_INF_EXPIRING;
1575 +- smp_mb();
1576 +- ino->flags &= ~AUTOFS_INF_NO_RCU;
1577 + init_completion(&ino->expire_complete);
1578 + spin_unlock(&sbi->fs_lock);
1579 + return root;
1580 + }
1581 +- ino->flags &= ~AUTOFS_INF_NO_RCU;
1582 ++ ino->flags &= ~AUTOFS_INF_WANT_EXPIRE;
1583 + }
1584 + out:
1585 + spin_unlock(&sbi->fs_lock);
1586 +@@ -417,6 +415,7 @@ static struct dentry *should_expire(struct dentry *dentry,
1587 + }
1588 + return NULL;
1589 + }
1590 ++
1591 + /*
1592 + * Find an eligible tree to time-out
1593 + * A tree is eligible if :-
1594 +@@ -432,6 +431,7 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb,
1595 + struct dentry *root = sb->s_root;
1596 + struct dentry *dentry;
1597 + struct dentry *expired;
1598 ++ struct dentry *found;
1599 + struct autofs_info *ino;
1600 +
1601 + if (!root)
1602 +@@ -442,48 +442,54 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb,
1603 +
1604 + dentry = NULL;
1605 + while ((dentry = get_next_positive_subdir(dentry, root))) {
1606 ++ int flags = how;
1607 ++
1608 + spin_lock(&sbi->fs_lock);
1609 + ino = autofs4_dentry_ino(dentry);
1610 +- if (ino->flags & AUTOFS_INF_NO_RCU)
1611 +- expired = NULL;
1612 +- else
1613 +- expired = should_expire(dentry, mnt, timeout, how);
1614 +- if (!expired) {
1615 ++ if (ino->flags & AUTOFS_INF_WANT_EXPIRE) {
1616 + spin_unlock(&sbi->fs_lock);
1617 + continue;
1618 + }
1619 ++ spin_unlock(&sbi->fs_lock);
1620 ++
1621 ++ expired = should_expire(dentry, mnt, timeout, flags);
1622 ++ if (!expired)
1623 ++ continue;
1624 ++
1625 ++ spin_lock(&sbi->fs_lock);
1626 + ino = autofs4_dentry_ino(expired);
1627 +- ino->flags |= AUTOFS_INF_NO_RCU;
1628 ++ ino->flags |= AUTOFS_INF_WANT_EXPIRE;
1629 + spin_unlock(&sbi->fs_lock);
1630 + synchronize_rcu();
1631 +- spin_lock(&sbi->fs_lock);
1632 +- if (should_expire(expired, mnt, timeout, how)) {
1633 +- if (expired != dentry)
1634 +- dput(dentry);
1635 +- goto found;
1636 +- }
1637 +
1638 +- ino->flags &= ~AUTOFS_INF_NO_RCU;
1639 ++ /* Make sure a reference is not taken on found if
1640 ++ * things have changed.
1641 ++ */
1642 ++ flags &= ~AUTOFS_EXP_LEAVES;
1643 ++ found = should_expire(expired, mnt, timeout, how);
1644 ++ if (!found || found != expired)
1645 ++ /* Something has changed, continue */
1646 ++ goto next;
1647 ++
1648 + if (expired != dentry)
1649 +- dput(expired);
1650 ++ dput(dentry);
1651 ++
1652 ++ spin_lock(&sbi->fs_lock);
1653 ++ goto found;
1654 ++next:
1655 ++ spin_lock(&sbi->fs_lock);
1656 ++ ino->flags &= ~AUTOFS_INF_WANT_EXPIRE;
1657 + spin_unlock(&sbi->fs_lock);
1658 ++ if (expired != dentry)
1659 ++ dput(expired);
1660 + }
1661 + return NULL;
1662 +
1663 + found:
1664 + DPRINTK("returning %p %pd", expired, expired);
1665 + ino->flags |= AUTOFS_INF_EXPIRING;
1666 +- smp_mb();
1667 +- ino->flags &= ~AUTOFS_INF_NO_RCU;
1668 + init_completion(&ino->expire_complete);
1669 + spin_unlock(&sbi->fs_lock);
1670 +- spin_lock(&sbi->lookup_lock);
1671 +- spin_lock(&expired->d_parent->d_lock);
1672 +- spin_lock_nested(&expired->d_lock, DENTRY_D_LOCK_NESTED);
1673 +- list_move(&expired->d_parent->d_subdirs, &expired->d_child);
1674 +- spin_unlock(&expired->d_lock);
1675 +- spin_unlock(&expired->d_parent->d_lock);
1676 +- spin_unlock(&sbi->lookup_lock);
1677 + return expired;
1678 + }
1679 +
1680 +@@ -492,15 +498,27 @@ int autofs4_expire_wait(struct dentry *dentry, int rcu_walk)
1681 + struct autofs_sb_info *sbi = autofs4_sbi(dentry->d_sb);
1682 + struct autofs_info *ino = autofs4_dentry_ino(dentry);
1683 + int status;
1684 ++ int state;
1685 +
1686 + /* Block on any pending expire */
1687 +- if (!(ino->flags & (AUTOFS_INF_EXPIRING | AUTOFS_INF_NO_RCU)))
1688 ++ if (!(ino->flags & AUTOFS_INF_WANT_EXPIRE))
1689 + return 0;
1690 + if (rcu_walk)
1691 + return -ECHILD;
1692 +
1693 ++retry:
1694 + spin_lock(&sbi->fs_lock);
1695 +- if (ino->flags & AUTOFS_INF_EXPIRING) {
1696 ++ state = ino->flags & (AUTOFS_INF_WANT_EXPIRE | AUTOFS_INF_EXPIRING);
1697 ++ if (state == AUTOFS_INF_WANT_EXPIRE) {
1698 ++ spin_unlock(&sbi->fs_lock);
1699 ++ /*
1700 ++ * Possibly being selected for expire, wait until
1701 ++ * it's selected or not.
1702 ++ */
1703 ++ schedule_timeout_uninterruptible(HZ/10);
1704 ++ goto retry;
1705 ++ }
1706 ++ if (state & AUTOFS_INF_EXPIRING) {
1707 + spin_unlock(&sbi->fs_lock);
1708 +
1709 + DPRINTK("waiting for expire %p name=%pd", dentry, dentry);
1710 +@@ -551,7 +569,7 @@ int autofs4_expire_run(struct super_block *sb,
1711 + ino = autofs4_dentry_ino(dentry);
1712 + /* avoid rapid-fire expire attempts if expiry fails */
1713 + ino->last_used = now;
1714 +- ino->flags &= ~AUTOFS_INF_EXPIRING;
1715 ++ ino->flags &= ~(AUTOFS_INF_EXPIRING|AUTOFS_INF_WANT_EXPIRE);
1716 + complete_all(&ino->expire_complete);
1717 + spin_unlock(&sbi->fs_lock);
1718 +
1719 +@@ -579,7 +597,7 @@ int autofs4_do_expire_multi(struct super_block *sb, struct vfsmount *mnt,
1720 + spin_lock(&sbi->fs_lock);
1721 + /* avoid rapid-fire expire attempts if expiry fails */
1722 + ino->last_used = now;
1723 +- ino->flags &= ~AUTOFS_INF_EXPIRING;
1724 ++ ino->flags &= ~(AUTOFS_INF_EXPIRING|AUTOFS_INF_WANT_EXPIRE);
1725 + complete_all(&ino->expire_complete);
1726 + spin_unlock(&sbi->fs_lock);
1727 + dput(dentry);
1728 +diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
1729 +index c6d7d3dbd52a..7a54c6a867c8 100644
1730 +--- a/fs/autofs4/root.c
1731 ++++ b/fs/autofs4/root.c
1732 +@@ -455,7 +455,7 @@ static int autofs4_d_manage(struct dentry *dentry, bool rcu_walk)
1733 + * a mount-trap.
1734 + */
1735 + struct inode *inode;
1736 +- if (ino->flags & (AUTOFS_INF_EXPIRING | AUTOFS_INF_NO_RCU))
1737 ++ if (ino->flags & AUTOFS_INF_WANT_EXPIRE)
1738 + return 0;
1739 + if (d_mountpoint(dentry))
1740 + return 0;
1741 +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
1742 +index 2eca30adb3e3..ff742d30ba60 100644
1743 +--- a/fs/btrfs/ioctl.c
1744 ++++ b/fs/btrfs/ioctl.c
1745 +@@ -1610,6 +1610,9 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file,
1746 + int namelen;
1747 + int ret = 0;
1748 +
1749 ++ if (!S_ISDIR(file_inode(file)->i_mode))
1750 ++ return -ENOTDIR;
1751 ++
1752 + ret = mnt_want_write_file(file);
1753 + if (ret)
1754 + goto out;
1755 +@@ -1667,6 +1670,9 @@ static noinline int btrfs_ioctl_snap_create(struct file *file,
1756 + struct btrfs_ioctl_vol_args *vol_args;
1757 + int ret;
1758 +
1759 ++ if (!S_ISDIR(file_inode(file)->i_mode))
1760 ++ return -ENOTDIR;
1761 ++
1762 + vol_args = memdup_user(arg, sizeof(*vol_args));
1763 + if (IS_ERR(vol_args))
1764 + return PTR_ERR(vol_args);
1765 +@@ -1690,6 +1696,9 @@ static noinline int btrfs_ioctl_snap_create_v2(struct file *file,
1766 + bool readonly = false;
1767 + struct btrfs_qgroup_inherit *inherit = NULL;
1768 +
1769 ++ if (!S_ISDIR(file_inode(file)->i_mode))
1770 ++ return -ENOTDIR;
1771 ++
1772 + vol_args = memdup_user(arg, sizeof(*vol_args));
1773 + if (IS_ERR(vol_args))
1774 + return PTR_ERR(vol_args);
1775 +@@ -2318,6 +2327,9 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file,
1776 + int ret;
1777 + int err = 0;
1778 +
1779 ++ if (!S_ISDIR(dir->i_mode))
1780 ++ return -ENOTDIR;
1781 ++
1782 + vol_args = memdup_user(arg, sizeof(*vol_args));
1783 + if (IS_ERR(vol_args))
1784 + return PTR_ERR(vol_args);
1785 +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
1786 +index 5c222f3c4841..bd3c92b4bcee 100644
1787 +--- a/fs/btrfs/tree-log.c
1788 ++++ b/fs/btrfs/tree-log.c
1789 +@@ -2748,6 +2748,7 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans,
1790 +
1791 + if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
1792 + blk_finish_plug(&plug);
1793 ++ list_del_init(&root_log_ctx.list);
1794 + mutex_unlock(&log_root_tree->log_mutex);
1795 + ret = root_log_ctx.log_ret;
1796 + goto out;
1797 +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
1798 +index 2cb9e178d1c5..4196aa567784 100644
1799 +--- a/fs/ext4/ioctl.c
1800 ++++ b/fs/ext4/ioctl.c
1801 +@@ -637,7 +637,13 @@ resizefs_out:
1802 + goto encryption_policy_out;
1803 + }
1804 +
1805 ++ err = mnt_want_write_file(filp);
1806 ++ if (err)
1807 ++ goto encryption_policy_out;
1808 ++
1809 + err = ext4_process_policy(&policy, inode);
1810 ++
1811 ++ mnt_drop_write_file(filp);
1812 + encryption_policy_out:
1813 + return err;
1814 + #else
1815 +diff --git a/fs/fuse/file.c b/fs/fuse/file.c
1816 +index 5cae35490b37..d8f29ef2d819 100644
1817 +--- a/fs/fuse/file.c
1818 ++++ b/fs/fuse/file.c
1819 +@@ -540,13 +540,13 @@ void fuse_read_fill(struct fuse_req *req, struct file *file, loff_t pos,
1820 + req->out.args[0].size = count;
1821 + }
1822 +
1823 +-static void fuse_release_user_pages(struct fuse_req *req, int write)
1824 ++static void fuse_release_user_pages(struct fuse_req *req, bool should_dirty)
1825 + {
1826 + unsigned i;
1827 +
1828 + for (i = 0; i < req->num_pages; i++) {
1829 + struct page *page = req->pages[i];
1830 +- if (write)
1831 ++ if (should_dirty)
1832 + set_page_dirty_lock(page);
1833 + put_page(page);
1834 + }
1835 +@@ -1331,6 +1331,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
1836 + loff_t *ppos, int flags)
1837 + {
1838 + int write = flags & FUSE_DIO_WRITE;
1839 ++ bool should_dirty = !write && iter_is_iovec(iter);
1840 + int cuse = flags & FUSE_DIO_CUSE;
1841 + struct file *file = io->file;
1842 + struct inode *inode = file->f_mapping->host;
1843 +@@ -1375,7 +1376,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
1844 + nres = fuse_send_read(req, io, pos, nbytes, owner);
1845 +
1846 + if (!io->async)
1847 +- fuse_release_user_pages(req, !write);
1848 ++ fuse_release_user_pages(req, should_dirty);
1849 + if (req->out.h.error) {
1850 + if (!res)
1851 + res = req->out.h.error;
1852 +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
1853 +index eef16ec0638a..319ba6814899 100644
1854 +--- a/fs/nfs/nfs4proc.c
1855 ++++ b/fs/nfs/nfs4proc.c
1856 +@@ -7281,12 +7281,20 @@ static int _nfs4_proc_create_session(struct nfs_client *clp,
1857 + status = rpc_call_sync(session->clp->cl_rpcclient, &msg, RPC_TASK_TIMEOUT);
1858 + trace_nfs4_create_session(clp, status);
1859 +
1860 ++ switch (status) {
1861 ++ case -NFS4ERR_STALE_CLIENTID:
1862 ++ case -NFS4ERR_DELAY:
1863 ++ case -ETIMEDOUT:
1864 ++ case -EACCES:
1865 ++ case -EAGAIN:
1866 ++ goto out;
1867 ++ };
1868 ++
1869 ++ clp->cl_seqid++;
1870 + if (!status) {
1871 + /* Verify the session's negotiated channel_attrs values */
1872 + status = nfs4_verify_channel_attrs(&args, &res);
1873 + /* Increment the clientid slot sequence id */
1874 +- if (clp->cl_seqid == res.seqid)
1875 +- clp->cl_seqid++;
1876 + if (status)
1877 + goto out;
1878 + nfs4_update_session(session, &res);
1879 +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
1880 +index d2f97ecca6a5..e0e5f7c3c99f 100644
1881 +--- a/fs/notify/fanotify/fanotify.c
1882 ++++ b/fs/notify/fanotify/fanotify.c
1883 +@@ -67,18 +67,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
1884 +
1885 + pr_debug("%s: group=%p event=%p\n", __func__, group, event);
1886 +
1887 +- wait_event(group->fanotify_data.access_waitq, event->response ||
1888 +- atomic_read(&group->fanotify_data.bypass_perm));
1889 +-
1890 +- if (!event->response) { /* bypass_perm set */
1891 +- /*
1892 +- * Event was canceled because group is being destroyed. Remove
1893 +- * it from group's event list because we are responsible for
1894 +- * freeing the permission event.
1895 +- */
1896 +- fsnotify_remove_event(group, &event->fae.fse);
1897 +- return 0;
1898 +- }
1899 ++ wait_event(group->fanotify_data.access_waitq, event->response);
1900 +
1901 + /* userspace responded, convert to something usable */
1902 + switch (event->response) {
1903 +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
1904 +index cf275500a665..45ca844d1323 100644
1905 +--- a/fs/notify/fanotify/fanotify_user.c
1906 ++++ b/fs/notify/fanotify/fanotify_user.c
1907 +@@ -358,16 +358,20 @@ static int fanotify_release(struct inode *ignored, struct file *file)
1908 +
1909 + #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
1910 + struct fanotify_perm_event_info *event, *next;
1911 ++ struct fsnotify_event *fsn_event;
1912 +
1913 + /*
1914 +- * There may be still new events arriving in the notification queue
1915 +- * but since userspace cannot use fanotify fd anymore, no event can
1916 +- * enter or leave access_list by now.
1917 ++ * Stop new events from arriving in the notification queue. since
1918 ++ * userspace cannot use fanotify fd anymore, no event can enter or
1919 ++ * leave access_list by now either.
1920 + */
1921 +- spin_lock(&group->fanotify_data.access_lock);
1922 +-
1923 +- atomic_inc(&group->fanotify_data.bypass_perm);
1924 ++ fsnotify_group_stop_queueing(group);
1925 +
1926 ++ /*
1927 ++ * Process all permission events on access_list and notification queue
1928 ++ * and simulate reply from userspace.
1929 ++ */
1930 ++ spin_lock(&group->fanotify_data.access_lock);
1931 + list_for_each_entry_safe(event, next, &group->fanotify_data.access_list,
1932 + fae.fse.list) {
1933 + pr_debug("%s: found group=%p event=%p\n", __func__, group,
1934 +@@ -379,12 +383,21 @@ static int fanotify_release(struct inode *ignored, struct file *file)
1935 + spin_unlock(&group->fanotify_data.access_lock);
1936 +
1937 + /*
1938 +- * Since bypass_perm is set, newly queued events will not wait for
1939 +- * access response. Wake up the already sleeping ones now.
1940 +- * synchronize_srcu() in fsnotify_destroy_group() will wait for all
1941 +- * processes sleeping in fanotify_handle_event() waiting for access
1942 +- * response and thus also for all permission events to be freed.
1943 ++ * Destroy all non-permission events. For permission events just
1944 ++ * dequeue them and set the response. They will be freed once the
1945 ++ * response is consumed and fanotify_get_response() returns.
1946 + */
1947 ++ mutex_lock(&group->notification_mutex);
1948 ++ while (!fsnotify_notify_queue_is_empty(group)) {
1949 ++ fsn_event = fsnotify_remove_first_event(group);
1950 ++ if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS))
1951 ++ fsnotify_destroy_event(group, fsn_event);
1952 ++ else
1953 ++ FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
1954 ++ }
1955 ++ mutex_unlock(&group->notification_mutex);
1956 ++
1957 ++ /* Response for all permission events it set, wakeup waiters */
1958 + wake_up(&group->fanotify_data.access_waitq);
1959 + #endif
1960 +
1961 +@@ -751,7 +764,6 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
1962 + spin_lock_init(&group->fanotify_data.access_lock);
1963 + init_waitqueue_head(&group->fanotify_data.access_waitq);
1964 + INIT_LIST_HEAD(&group->fanotify_data.access_list);
1965 +- atomic_set(&group->fanotify_data.bypass_perm, 0);
1966 + #endif
1967 + switch (flags & FAN_ALL_CLASS_BITS) {
1968 + case FAN_CLASS_NOTIF:
1969 +diff --git a/fs/notify/group.c b/fs/notify/group.c
1970 +index d16b62cb2854..18eb30c6bd8f 100644
1971 +--- a/fs/notify/group.c
1972 ++++ b/fs/notify/group.c
1973 +@@ -40,6 +40,17 @@ static void fsnotify_final_destroy_group(struct fsnotify_group *group)
1974 + }
1975 +
1976 + /*
1977 ++ * Stop queueing new events for this group. Once this function returns
1978 ++ * fsnotify_add_event() will not add any new events to the group's queue.
1979 ++ */
1980 ++void fsnotify_group_stop_queueing(struct fsnotify_group *group)
1981 ++{
1982 ++ mutex_lock(&group->notification_mutex);
1983 ++ group->shutdown = true;
1984 ++ mutex_unlock(&group->notification_mutex);
1985 ++}
1986 ++
1987 ++/*
1988 + * Trying to get rid of a group. Remove all marks, flush all events and release
1989 + * the group reference.
1990 + * Note that another thread calling fsnotify_clear_marks_by_group() may still
1991 +@@ -47,6 +58,14 @@ static void fsnotify_final_destroy_group(struct fsnotify_group *group)
1992 + */
1993 + void fsnotify_destroy_group(struct fsnotify_group *group)
1994 + {
1995 ++ /*
1996 ++ * Stop queueing new events. The code below is careful enough to not
1997 ++ * require this but fanotify needs to stop queuing events even before
1998 ++ * fsnotify_destroy_group() is called and this makes the other callers
1999 ++ * of fsnotify_destroy_group() to see the same behavior.
2000 ++ */
2001 ++ fsnotify_group_stop_queueing(group);
2002 ++
2003 + /* clear all inode marks for this group */
2004 + fsnotify_clear_marks_by_group(group);
2005 +
2006 +diff --git a/fs/notify/notification.c b/fs/notify/notification.c
2007 +index a95d8e037aeb..e455e83ceeeb 100644
2008 +--- a/fs/notify/notification.c
2009 ++++ b/fs/notify/notification.c
2010 +@@ -82,7 +82,8 @@ void fsnotify_destroy_event(struct fsnotify_group *group,
2011 + * Add an event to the group notification queue. The group can later pull this
2012 + * event off the queue to deal with. The function returns 0 if the event was
2013 + * added to the queue, 1 if the event was merged with some other queued event,
2014 +- * 2 if the queue of events has overflown.
2015 ++ * 2 if the event was not queued - either the queue of events has overflown
2016 ++ * or the group is shutting down.
2017 + */
2018 + int fsnotify_add_event(struct fsnotify_group *group,
2019 + struct fsnotify_event *event,
2020 +@@ -96,6 +97,11 @@ int fsnotify_add_event(struct fsnotify_group *group,
2021 +
2022 + mutex_lock(&group->notification_mutex);
2023 +
2024 ++ if (group->shutdown) {
2025 ++ mutex_unlock(&group->notification_mutex);
2026 ++ return 2;
2027 ++ }
2028 ++
2029 + if (group->q_len >= group->max_events) {
2030 + ret = 2;
2031 + /* Queue overflow event only if it isn't already queued */
2032 +@@ -126,21 +132,6 @@ queue:
2033 + }
2034 +
2035 + /*
2036 +- * Remove @event from group's notification queue. It is the responsibility of
2037 +- * the caller to destroy the event.
2038 +- */
2039 +-void fsnotify_remove_event(struct fsnotify_group *group,
2040 +- struct fsnotify_event *event)
2041 +-{
2042 +- mutex_lock(&group->notification_mutex);
2043 +- if (!list_empty(&event->list)) {
2044 +- list_del_init(&event->list);
2045 +- group->q_len--;
2046 +- }
2047 +- mutex_unlock(&group->notification_mutex);
2048 +-}
2049 +-
2050 +-/*
2051 + * Remove and return the first event from the notification list. It is the
2052 + * responsibility of the caller to destroy the obtained event
2053 + */
2054 +diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c
2055 +index f90931335c6b..2e11658676eb 100644
2056 +--- a/fs/ocfs2/dlm/dlmconvert.c
2057 ++++ b/fs/ocfs2/dlm/dlmconvert.c
2058 +@@ -262,7 +262,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
2059 + struct dlm_lock *lock, int flags, int type)
2060 + {
2061 + enum dlm_status status;
2062 +- u8 old_owner = res->owner;
2063 +
2064 + mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
2065 + lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
2066 +@@ -329,7 +328,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
2067 +
2068 + spin_lock(&res->spinlock);
2069 + res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
2070 +- lock->convert_pending = 0;
2071 + /* if it failed, move it back to granted queue.
2072 + * if master returns DLM_NORMAL and then down before sending ast,
2073 + * it may have already been moved to granted queue, reset to
2074 +@@ -338,12 +336,14 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
2075 + if (status != DLM_NOTQUEUED)
2076 + dlm_error(status);
2077 + dlm_revert_pending_convert(res, lock);
2078 +- } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
2079 +- (old_owner != res->owner)) {
2080 +- mlog(0, "res %.*s is in recovering or has been recovered.\n",
2081 +- res->lockname.len, res->lockname.name);
2082 ++ } else if (!lock->convert_pending) {
2083 ++ mlog(0, "%s: res %.*s, owner died and lock has been moved back "
2084 ++ "to granted list, retry convert.\n",
2085 ++ dlm->name, res->lockname.len, res->lockname.name);
2086 + status = DLM_RECOVERING;
2087 + }
2088 ++
2089 ++ lock->convert_pending = 0;
2090 + bail:
2091 + spin_unlock(&res->spinlock);
2092 +
2093 +diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
2094 +index 3f1ee404f40f..e00be7f509db 100644
2095 +--- a/fs/ocfs2/file.c
2096 ++++ b/fs/ocfs2/file.c
2097 +@@ -1522,7 +1522,8 @@ static int ocfs2_zero_partial_clusters(struct inode *inode,
2098 + u64 start, u64 len)
2099 + {
2100 + int ret = 0;
2101 +- u64 tmpend, end = start + len;
2102 ++ u64 tmpend = 0;
2103 ++ u64 end = start + len;
2104 + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
2105 + unsigned int csize = osb->s_clustersize;
2106 + handle_t *handle;
2107 +@@ -1554,18 +1555,31 @@ static int ocfs2_zero_partial_clusters(struct inode *inode,
2108 + }
2109 +
2110 + /*
2111 +- * We want to get the byte offset of the end of the 1st cluster.
2112 ++ * If start is on a cluster boundary and end is somewhere in another
2113 ++ * cluster, we have not COWed the cluster starting at start, unless
2114 ++ * end is also within the same cluster. So, in this case, we skip this
2115 ++ * first call to ocfs2_zero_range_for_truncate() truncate and move on
2116 ++ * to the next one.
2117 + */
2118 +- tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1));
2119 +- if (tmpend > end)
2120 +- tmpend = end;
2121 ++ if ((start & (csize - 1)) != 0) {
2122 ++ /*
2123 ++ * We want to get the byte offset of the end of the 1st
2124 ++ * cluster.
2125 ++ */
2126 ++ tmpend = (u64)osb->s_clustersize +
2127 ++ (start & ~(osb->s_clustersize - 1));
2128 ++ if (tmpend > end)
2129 ++ tmpend = end;
2130 +
2131 +- trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start,
2132 +- (unsigned long long)tmpend);
2133 ++ trace_ocfs2_zero_partial_clusters_range1(
2134 ++ (unsigned long long)start,
2135 ++ (unsigned long long)tmpend);
2136 +
2137 +- ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend);
2138 +- if (ret)
2139 +- mlog_errno(ret);
2140 ++ ret = ocfs2_zero_range_for_truncate(inode, handle, start,
2141 ++ tmpend);
2142 ++ if (ret)
2143 ++ mlog_errno(ret);
2144 ++ }
2145 +
2146 + if (tmpend < end) {
2147 + /*
2148 +diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
2149 +index c9b740111526..f60b2c745d02 100644
2150 +--- a/fs/overlayfs/super.c
2151 ++++ b/fs/overlayfs/super.c
2152 +@@ -679,11 +679,11 @@ retry:
2153 + goto out_dput;
2154 +
2155 + err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_DEFAULT);
2156 +- if (err && err != -ENODATA)
2157 ++ if (err && err != -ENODATA && err != -EOPNOTSUPP)
2158 + goto out_dput;
2159 +
2160 + err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_ACCESS);
2161 +- if (err && err != -ENODATA)
2162 ++ if (err && err != -ENODATA && err != -EOPNOTSUPP)
2163 + goto out_dput;
2164 +
2165 + /* Clear any inherited mode bits */
2166 +diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
2167 +index 72d8803832ff..32901d11f8c4 100644
2168 +--- a/include/asm-generic/uaccess.h
2169 ++++ b/include/asm-generic/uaccess.h
2170 +@@ -163,9 +163,10 @@ static inline __must_check long __copy_to_user(void __user *to,
2171 +
2172 + #define put_user(x, ptr) \
2173 + ({ \
2174 ++ void *__p = (ptr); \
2175 + might_fault(); \
2176 +- access_ok(VERIFY_WRITE, ptr, sizeof(*ptr)) ? \
2177 +- __put_user(x, ptr) : \
2178 ++ access_ok(VERIFY_WRITE, __p, sizeof(*ptr)) ? \
2179 ++ __put_user((x), ((__typeof__(*(ptr)) *)__p)) : \
2180 + -EFAULT; \
2181 + })
2182 +
2183 +@@ -225,17 +226,22 @@ extern int __put_user_bad(void) __attribute__((noreturn));
2184 +
2185 + #define get_user(x, ptr) \
2186 + ({ \
2187 ++ const void *__p = (ptr); \
2188 + might_fault(); \
2189 +- access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \
2190 +- __get_user(x, ptr) : \
2191 +- -EFAULT; \
2192 ++ access_ok(VERIFY_READ, __p, sizeof(*ptr)) ? \
2193 ++ __get_user((x), (__typeof__(*(ptr)) *)__p) : \
2194 ++ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \
2195 + })
2196 +
2197 + #ifndef __get_user_fn
2198 + static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
2199 + {
2200 +- size = __copy_from_user(x, ptr, size);
2201 +- return size ? -EFAULT : size;
2202 ++ size_t n = __copy_from_user(x, ptr, size);
2203 ++ if (unlikely(n)) {
2204 ++ memset(x + (size - n), 0, n);
2205 ++ return -EFAULT;
2206 ++ }
2207 ++ return 0;
2208 + }
2209 +
2210 + #define __get_user_fn(sz, u, k) __get_user_fn(sz, u, k)
2211 +@@ -255,11 +261,13 @@ extern int __get_user_bad(void) __attribute__((noreturn));
2212 + static inline long copy_from_user(void *to,
2213 + const void __user * from, unsigned long n)
2214 + {
2215 ++ unsigned long res = n;
2216 + might_fault();
2217 +- if (access_ok(VERIFY_READ, from, n))
2218 +- return __copy_from_user(to, from, n);
2219 +- else
2220 +- return n;
2221 ++ if (likely(access_ok(VERIFY_READ, from, n)))
2222 ++ res = __copy_from_user(to, from, n);
2223 ++ if (unlikely(res))
2224 ++ memset(to + (n - res), 0, res);
2225 ++ return res;
2226 + }
2227 +
2228 + static inline long copy_to_user(void __user *to,
2229 +diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
2230 +index 0f313f93c586..46dde3a3c891 100644
2231 +--- a/include/linux/fsnotify_backend.h
2232 ++++ b/include/linux/fsnotify_backend.h
2233 +@@ -150,6 +150,7 @@ struct fsnotify_group {
2234 + #define FS_PRIO_1 1 /* fanotify content based access control */
2235 + #define FS_PRIO_2 2 /* fanotify pre-content access */
2236 + unsigned int priority;
2237 ++ bool shutdown; /* group is being shut down, don't queue more events */
2238 +
2239 + /* stores all fastpath marks assoc with this group so they can be cleaned on unregister */
2240 + struct mutex mark_mutex; /* protect marks_list */
2241 +@@ -181,7 +182,6 @@ struct fsnotify_group {
2242 + spinlock_t access_lock;
2243 + struct list_head access_list;
2244 + wait_queue_head_t access_waitq;
2245 +- atomic_t bypass_perm;
2246 + #endif /* CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
2247 + int f_flags;
2248 + unsigned int max_marks;
2249 +@@ -301,6 +301,8 @@ extern struct fsnotify_group *fsnotify_alloc_group(const struct fsnotify_ops *op
2250 + extern void fsnotify_get_group(struct fsnotify_group *group);
2251 + /* drop reference on a group from fsnotify_alloc_group */
2252 + extern void fsnotify_put_group(struct fsnotify_group *group);
2253 ++/* group destruction begins, stop queuing new events */
2254 ++extern void fsnotify_group_stop_queueing(struct fsnotify_group *group);
2255 + /* destroy group */
2256 + extern void fsnotify_destroy_group(struct fsnotify_group *group);
2257 + /* fasync handler function */
2258 +@@ -313,8 +315,6 @@ extern int fsnotify_add_event(struct fsnotify_group *group,
2259 + struct fsnotify_event *event,
2260 + int (*merge)(struct list_head *,
2261 + struct fsnotify_event *));
2262 +-/* Remove passed event from groups notification queue */
2263 +-extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event);
2264 + /* true if the group notification queue is empty */
2265 + extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
2266 + /* return, but do not dequeue the first event on the notification queue */
2267 +diff --git a/include/linux/irq.h b/include/linux/irq.h
2268 +index 3532dca843f4..33475a37f1bb 100644
2269 +--- a/include/linux/irq.h
2270 ++++ b/include/linux/irq.h
2271 +@@ -852,6 +852,16 @@ static inline void irq_gc_lock(struct irq_chip_generic *gc) { }
2272 + static inline void irq_gc_unlock(struct irq_chip_generic *gc) { }
2273 + #endif
2274 +
2275 ++/*
2276 ++ * The irqsave variants are for usage in non interrupt code. Do not use
2277 ++ * them in irq_chip callbacks. Use irq_gc_lock() instead.
2278 ++ */
2279 ++#define irq_gc_lock_irqsave(gc, flags) \
2280 ++ raw_spin_lock_irqsave(&(gc)->lock, flags)
2281 ++
2282 ++#define irq_gc_unlock_irqrestore(gc, flags) \
2283 ++ raw_spin_unlock_irqrestore(&(gc)->lock, flags)
2284 ++
2285 + static inline void irq_reg_writel(struct irq_chip_generic *gc,
2286 + u32 val, int reg_offset)
2287 + {
2288 +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
2289 +index 4b3736f7065c..30a8f531236c 100644
2290 +--- a/include/linux/pagemap.h
2291 ++++ b/include/linux/pagemap.h
2292 +@@ -594,56 +594,56 @@ static inline int fault_in_pages_readable(const char __user *uaddr, int size)
2293 + */
2294 + static inline int fault_in_multipages_writeable(char __user *uaddr, int size)
2295 + {
2296 +- int ret = 0;
2297 + char __user *end = uaddr + size - 1;
2298 +
2299 + if (unlikely(size == 0))
2300 +- return ret;
2301 ++ return 0;
2302 +
2303 ++ if (unlikely(uaddr > end))
2304 ++ return -EFAULT;
2305 + /*
2306 + * Writing zeroes into userspace here is OK, because we know that if
2307 + * the zero gets there, we'll be overwriting it.
2308 + */
2309 +- while (uaddr <= end) {
2310 +- ret = __put_user(0, uaddr);
2311 +- if (ret != 0)
2312 +- return ret;
2313 ++ do {
2314 ++ if (unlikely(__put_user(0, uaddr) != 0))
2315 ++ return -EFAULT;
2316 + uaddr += PAGE_SIZE;
2317 +- }
2318 ++ } while (uaddr <= end);
2319 +
2320 + /* Check whether the range spilled into the next page. */
2321 + if (((unsigned long)uaddr & PAGE_MASK) ==
2322 + ((unsigned long)end & PAGE_MASK))
2323 +- ret = __put_user(0, end);
2324 ++ return __put_user(0, end);
2325 +
2326 +- return ret;
2327 ++ return 0;
2328 + }
2329 +
2330 + static inline int fault_in_multipages_readable(const char __user *uaddr,
2331 + int size)
2332 + {
2333 + volatile char c;
2334 +- int ret = 0;
2335 + const char __user *end = uaddr + size - 1;
2336 +
2337 + if (unlikely(size == 0))
2338 +- return ret;
2339 ++ return 0;
2340 +
2341 +- while (uaddr <= end) {
2342 +- ret = __get_user(c, uaddr);
2343 +- if (ret != 0)
2344 +- return ret;
2345 ++ if (unlikely(uaddr > end))
2346 ++ return -EFAULT;
2347 ++
2348 ++ do {
2349 ++ if (unlikely(__get_user(c, uaddr) != 0))
2350 ++ return -EFAULT;
2351 + uaddr += PAGE_SIZE;
2352 +- }
2353 ++ } while (uaddr <= end);
2354 +
2355 + /* Check whether the range spilled into the next page. */
2356 + if (((unsigned long)uaddr & PAGE_MASK) ==
2357 + ((unsigned long)end & PAGE_MASK)) {
2358 +- ret = __get_user(c, end);
2359 +- (void)c;
2360 ++ return __get_user(c, end);
2361 + }
2362 +
2363 +- return ret;
2364 ++ return 0;
2365 + }
2366 +
2367 + int add_to_page_cache_locked(struct page *page, struct address_space *mapping,
2368 +diff --git a/include/linux/uio.h b/include/linux/uio.h
2369 +index 8b01e1c3c614..5f9c59da978b 100644
2370 +--- a/include/linux/uio.h
2371 ++++ b/include/linux/uio.h
2372 +@@ -76,7 +76,7 @@ size_t iov_iter_copy_from_user_atomic(struct page *page,
2373 + struct iov_iter *i, unsigned long offset, size_t bytes);
2374 + void iov_iter_advance(struct iov_iter *i, size_t bytes);
2375 + int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes);
2376 +-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes);
2377 ++#define iov_iter_fault_in_multipages_readable iov_iter_fault_in_readable
2378 + size_t iov_iter_single_seg_count(const struct iov_iter *i);
2379 + size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
2380 + struct iov_iter *i);
2381 +diff --git a/kernel/sched/core.c b/kernel/sched/core.c
2382 +index 98e607121d09..6cb5f00696f5 100644
2383 +--- a/kernel/sched/core.c
2384 ++++ b/kernel/sched/core.c
2385 +@@ -1672,6 +1672,28 @@ try_to_wake_up(struct task_struct *p, unsigned int state, int wake_flags)
2386 + success = 1; /* we're going to change ->state */
2387 + cpu = task_cpu(p);
2388 +
2389 ++ /*
2390 ++ * Ensure we load p->on_rq _after_ p->state, otherwise it would
2391 ++ * be possible to, falsely, observe p->on_rq == 0 and get stuck
2392 ++ * in smp_cond_load_acquire() below.
2393 ++ *
2394 ++ * sched_ttwu_pending() try_to_wake_up()
2395 ++ * [S] p->on_rq = 1; [L] P->state
2396 ++ * UNLOCK rq->lock -----.
2397 ++ * \
2398 ++ * +--- RMB
2399 ++ * schedule() /
2400 ++ * LOCK rq->lock -----'
2401 ++ * UNLOCK rq->lock
2402 ++ *
2403 ++ * [task p]
2404 ++ * [S] p->state = UNINTERRUPTIBLE [L] p->on_rq
2405 ++ *
2406 ++ * Pairs with the UNLOCK+LOCK on rq->lock from the
2407 ++ * last wakeup of our task and the schedule that got our task
2408 ++ * current.
2409 ++ */
2410 ++ smp_rmb();
2411 + if (p->on_rq && ttwu_remote(p, wake_flags))
2412 + goto stat;
2413 +
2414 +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
2415 +index de6ea94c41bb..61ea7e8cdde5 100644
2416 +--- a/kernel/trace/trace.c
2417 ++++ b/kernel/trace/trace.c
2418 +@@ -4694,19 +4694,20 @@ tracing_read_pipe(struct file *filp, char __user *ubuf,
2419 + struct trace_iterator *iter = filp->private_data;
2420 + ssize_t sret;
2421 +
2422 +- /* return any leftover data */
2423 +- sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
2424 +- if (sret != -EBUSY)
2425 +- return sret;
2426 +-
2427 +- trace_seq_init(&iter->seq);
2428 +-
2429 + /*
2430 + * Avoid more than one consumer on a single file descriptor
2431 + * This is just a matter of traces coherency, the ring buffer itself
2432 + * is protected.
2433 + */
2434 + mutex_lock(&iter->mutex);
2435 ++
2436 ++ /* return any leftover data */
2437 ++ sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
2438 ++ if (sret != -EBUSY)
2439 ++ goto out;
2440 ++
2441 ++ trace_seq_init(&iter->seq);
2442 ++
2443 + if (iter->trace->read) {
2444 + sret = iter->trace->read(iter, filp, ubuf, cnt, ppos);
2445 + if (sret)
2446 +@@ -5731,9 +5732,6 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
2447 + return -EBUSY;
2448 + #endif
2449 +
2450 +- if (splice_grow_spd(pipe, &spd))
2451 +- return -ENOMEM;
2452 +-
2453 + if (*ppos & (PAGE_SIZE - 1))
2454 + return -EINVAL;
2455 +
2456 +@@ -5743,6 +5741,9 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
2457 + len &= PAGE_MASK;
2458 + }
2459 +
2460 ++ if (splice_grow_spd(pipe, &spd))
2461 ++ return -ENOMEM;
2462 ++
2463 + again:
2464 + trace_access_lock(iter->cpu_file);
2465 + entries = ring_buffer_entries_cpu(iter->trace_buffer->buffer, iter->cpu_file);
2466 +@@ -5800,19 +5801,21 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos,
2467 + /* did we read anything? */
2468 + if (!spd.nr_pages) {
2469 + if (ret)
2470 +- return ret;
2471 ++ goto out;
2472 +
2473 ++ ret = -EAGAIN;
2474 + if ((file->f_flags & O_NONBLOCK) || (flags & SPLICE_F_NONBLOCK))
2475 +- return -EAGAIN;
2476 ++ goto out;
2477 +
2478 + ret = wait_on_pipe(iter, true);
2479 + if (ret)
2480 +- return ret;
2481 ++ goto out;
2482 +
2483 + goto again;
2484 + }
2485 +
2486 + ret = splice_to_pipe(pipe, &spd);
2487 ++out:
2488 + splice_shrink_spd(&spd);
2489 +
2490 + return ret;
2491 +diff --git a/lib/iov_iter.c b/lib/iov_iter.c
2492 +index 75232ad0a5e7..daca582a8ed0 100644
2493 +--- a/lib/iov_iter.c
2494 ++++ b/lib/iov_iter.c
2495 +@@ -298,33 +298,13 @@ done:
2496 + }
2497 +
2498 + /*
2499 +- * Fault in the first iovec of the given iov_iter, to a maximum length
2500 +- * of bytes. Returns 0 on success, or non-zero if the memory could not be
2501 +- * accessed (ie. because it is an invalid address).
2502 +- *
2503 +- * writev-intensive code may want this to prefault several iovecs -- that
2504 +- * would be possible (callers must not rely on the fact that _only_ the
2505 +- * first iovec will be faulted with the current implementation).
2506 +- */
2507 +-int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
2508 +-{
2509 +- if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
2510 +- char __user *buf = i->iov->iov_base + i->iov_offset;
2511 +- bytes = min(bytes, i->iov->iov_len - i->iov_offset);
2512 +- return fault_in_pages_readable(buf, bytes);
2513 +- }
2514 +- return 0;
2515 +-}
2516 +-EXPORT_SYMBOL(iov_iter_fault_in_readable);
2517 +-
2518 +-/*
2519 + * Fault in one or more iovecs of the given iov_iter, to a maximum length of
2520 + * bytes. For each iovec, fault in each page that constitutes the iovec.
2521 + *
2522 + * Return 0 on success, or non-zero if the memory could not be accessed (i.e.
2523 + * because it is an invalid address).
2524 + */
2525 +-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes)
2526 ++int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
2527 + {
2528 + size_t skip = i->iov_offset;
2529 + const struct iovec *iov;
2530 +@@ -341,7 +321,7 @@ int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes)
2531 + }
2532 + return 0;
2533 + }
2534 +-EXPORT_SYMBOL(iov_iter_fault_in_multipages_readable);
2535 ++EXPORT_SYMBOL(iov_iter_fault_in_readable);
2536 +
2537 + void iov_iter_init(struct iov_iter *i, int direction,
2538 + const struct iovec *iov, unsigned long nr_segs,
2539 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
2540 +index f555f4fc1d62..c66b7d325a39 100644
2541 +--- a/net/ipv6/addrconf.c
2542 ++++ b/net/ipv6/addrconf.c
2543 +@@ -1801,6 +1801,7 @@ errdad:
2544 + spin_unlock_bh(&ifp->lock);
2545 +
2546 + addrconf_mod_dad_work(ifp, 0);
2547 ++ in6_ifa_put(ifp);
2548 + }
2549 +
2550 + /* Join to solicited addr multicast group.
2551 +@@ -3526,6 +3527,7 @@ static void addrconf_dad_work(struct work_struct *w)
2552 + addrconf_dad_begin(ifp);
2553 + goto out;
2554 + } else if (action == DAD_ABORT) {
2555 ++ in6_ifa_hold(ifp);
2556 + addrconf_dad_stop(ifp, 1);
2557 + goto out;
2558 + }
2559 +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
2560 +index f24138681b80..978d7f91ca91 100644
2561 +--- a/net/wireless/nl80211.c
2562 ++++ b/net/wireless/nl80211.c
2563 +@@ -6466,7 +6466,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
2564 +
2565 + params.n_counter_offsets_presp = len / sizeof(u16);
2566 + if (rdev->wiphy.max_num_csa_counters &&
2567 +- (params.n_counter_offsets_beacon >
2568 ++ (params.n_counter_offsets_presp >
2569 + rdev->wiphy.max_num_csa_counters))
2570 + return -EINVAL;
2571 +
2572 +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
2573 +index c753211cb83f..b50ee5d622e1 100644
2574 +--- a/net/wireless/wext-core.c
2575 ++++ b/net/wireless/wext-core.c
2576 +@@ -955,29 +955,8 @@ static int wireless_process_ioctl(struct net *net, struct ifreq *ifr,
2577 + return private(dev, iwr, cmd, info, handler);
2578 + }
2579 + /* Old driver API : call driver ioctl handler */
2580 +- if (dev->netdev_ops->ndo_do_ioctl) {
2581 +-#ifdef CONFIG_COMPAT
2582 +- if (info->flags & IW_REQUEST_FLAG_COMPAT) {
2583 +- int ret = 0;
2584 +- struct iwreq iwr_lcl;
2585 +- struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
2586 +-
2587 +- memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
2588 +- iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
2589 +- iwr_lcl.u.data.length = iwp_compat->length;
2590 +- iwr_lcl.u.data.flags = iwp_compat->flags;
2591 +-
2592 +- ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
2593 +-
2594 +- iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
2595 +- iwp_compat->length = iwr_lcl.u.data.length;
2596 +- iwp_compat->flags = iwr_lcl.u.data.flags;
2597 +-
2598 +- return ret;
2599 +- } else
2600 +-#endif
2601 +- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
2602 +- }
2603 ++ if (dev->netdev_ops->ndo_do_ioctl)
2604 ++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
2605 + return -EOPNOTSUPP;
2606 + }
2607 +
2608 +diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
2609 +index 795437b10082..b450a27588c8 100644
2610 +--- a/sound/core/rawmidi.c
2611 ++++ b/sound/core/rawmidi.c
2612 +@@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
2613 + return -EBUSY;
2614 + }
2615 + list_add_tail(&rmidi->list, &snd_rawmidi_devices);
2616 ++ mutex_unlock(&register_mutex);
2617 + err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
2618 + rmidi->card, rmidi->device,
2619 + &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
2620 + if (err < 0) {
2621 + rmidi_err(rmidi, "unable to register\n");
2622 ++ mutex_lock(&register_mutex);
2623 + list_del(&rmidi->list);
2624 + mutex_unlock(&register_mutex);
2625 + return err;
2626 +@@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
2627 + if (rmidi->ops && rmidi->ops->dev_register &&
2628 + (err = rmidi->ops->dev_register(rmidi)) < 0) {
2629 + snd_unregister_device(&rmidi->dev);
2630 ++ mutex_lock(&register_mutex);
2631 + list_del(&rmidi->list);
2632 + mutex_unlock(&register_mutex);
2633 + return err;
2634 +@@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(struct snd_device *device)
2635 + }
2636 + }
2637 + #endif /* CONFIG_SND_OSSEMUL */
2638 +- mutex_unlock(&register_mutex);
2639 + sprintf(name, "midi%d", rmidi->device);
2640 + entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
2641 + if (entry) {
2642 +diff --git a/sound/core/timer.c b/sound/core/timer.c
2643 +index 43e785a79eb3..8800d237369a 100644
2644 +--- a/sound/core/timer.c
2645 ++++ b/sound/core/timer.c
2646 +@@ -35,6 +35,9 @@
2647 + #include <sound/initval.h>
2648 + #include <linux/kmod.h>
2649 +
2650 ++/* internal flags */
2651 ++#define SNDRV_TIMER_IFLG_PAUSED 0x00010000
2652 ++
2653 + #if IS_ENABLED(CONFIG_SND_HRTIMER)
2654 + #define DEFAULT_TIMER_LIMIT 4
2655 + #elif IS_ENABLED(CONFIG_SND_RTCTIMER)
2656 +@@ -296,8 +299,21 @@ int snd_timer_open(struct snd_timer_instance **ti,
2657 + get_device(&timer->card->card_dev);
2658 + timeri->slave_class = tid->dev_sclass;
2659 + timeri->slave_id = slave_id;
2660 +- if (list_empty(&timer->open_list_head) && timer->hw.open)
2661 +- timer->hw.open(timer);
2662 ++
2663 ++ if (list_empty(&timer->open_list_head) && timer->hw.open) {
2664 ++ int err = timer->hw.open(timer);
2665 ++ if (err) {
2666 ++ kfree(timeri->owner);
2667 ++ kfree(timeri);
2668 ++
2669 ++ if (timer->card)
2670 ++ put_device(&timer->card->card_dev);
2671 ++ module_put(timer->module);
2672 ++ mutex_unlock(&register_mutex);
2673 ++ return err;
2674 ++ }
2675 ++ }
2676 ++
2677 + list_add_tail(&timeri->open_list, &timer->open_list_head);
2678 + snd_timer_check_master(timeri);
2679 + mutex_unlock(&register_mutex);
2680 +@@ -305,8 +321,6 @@ int snd_timer_open(struct snd_timer_instance **ti,
2681 + return 0;
2682 + }
2683 +
2684 +-static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);
2685 +-
2686 + /*
2687 + * close a timer instance
2688 + */
2689 +@@ -395,7 +409,6 @@ unsigned long snd_timer_resolution(struct snd_timer_instance *timeri)
2690 + static void snd_timer_notify1(struct snd_timer_instance *ti, int event)
2691 + {
2692 + struct snd_timer *timer;
2693 +- unsigned long flags;
2694 + unsigned long resolution = 0;
2695 + struct snd_timer_instance *ts;
2696 + struct timespec tstamp;
2697 +@@ -419,34 +432,66 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event)
2698 + return;
2699 + if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
2700 + return;
2701 +- spin_lock_irqsave(&timer->lock, flags);
2702 + list_for_each_entry(ts, &ti->slave_active_head, active_list)
2703 + if (ts->ccallback)
2704 + ts->ccallback(ts, event + 100, &tstamp, resolution);
2705 +- spin_unlock_irqrestore(&timer->lock, flags);
2706 + }
2707 +
2708 +-static int snd_timer_start1(struct snd_timer *timer, struct snd_timer_instance *timeri,
2709 +- unsigned long sticks)
2710 ++/* start/continue a master timer */
2711 ++static int snd_timer_start1(struct snd_timer_instance *timeri,
2712 ++ bool start, unsigned long ticks)
2713 + {
2714 ++ struct snd_timer *timer;
2715 ++ int result;
2716 ++ unsigned long flags;
2717 ++
2718 ++ timer = timeri->timer;
2719 ++ if (!timer)
2720 ++ return -EINVAL;
2721 ++
2722 ++ spin_lock_irqsave(&timer->lock, flags);
2723 ++ if (timer->card && timer->card->shutdown) {
2724 ++ result = -ENODEV;
2725 ++ goto unlock;
2726 ++ }
2727 ++ if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
2728 ++ SNDRV_TIMER_IFLG_START)) {
2729 ++ result = -EBUSY;
2730 ++ goto unlock;
2731 ++ }
2732 ++
2733 ++ if (start)
2734 ++ timeri->ticks = timeri->cticks = ticks;
2735 ++ else if (!timeri->cticks)
2736 ++ timeri->cticks = 1;
2737 ++ timeri->pticks = 0;
2738 ++
2739 + list_move_tail(&timeri->active_list, &timer->active_list_head);
2740 + if (timer->running) {
2741 + if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
2742 + goto __start_now;
2743 + timer->flags |= SNDRV_TIMER_FLG_RESCHED;
2744 + timeri->flags |= SNDRV_TIMER_IFLG_START;
2745 +- return 1; /* delayed start */
2746 ++ result = 1; /* delayed start */
2747 + } else {
2748 +- timer->sticks = sticks;
2749 ++ if (start)
2750 ++ timer->sticks = ticks;
2751 + timer->hw.start(timer);
2752 + __start_now:
2753 + timer->running++;
2754 + timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
2755 +- return 0;
2756 ++ result = 0;
2757 + }
2758 ++ snd_timer_notify1(timeri, start ? SNDRV_TIMER_EVENT_START :
2759 ++ SNDRV_TIMER_EVENT_CONTINUE);
2760 ++ unlock:
2761 ++ spin_unlock_irqrestore(&timer->lock, flags);
2762 ++ return result;
2763 + }
2764 +
2765 +-static int snd_timer_start_slave(struct snd_timer_instance *timeri)
2766 ++/* start/continue a slave timer */
2767 ++static int snd_timer_start_slave(struct snd_timer_instance *timeri,
2768 ++ bool start)
2769 + {
2770 + unsigned long flags;
2771 +
2772 +@@ -460,88 +505,37 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
2773 + spin_lock(&timeri->timer->lock);
2774 + list_add_tail(&timeri->active_list,
2775 + &timeri->master->slave_active_head);
2776 ++ snd_timer_notify1(timeri, start ? SNDRV_TIMER_EVENT_START :
2777 ++ SNDRV_TIMER_EVENT_CONTINUE);
2778 + spin_unlock(&timeri->timer->lock);
2779 + }
2780 + spin_unlock_irqrestore(&slave_active_lock, flags);
2781 + return 1; /* delayed start */
2782 + }
2783 +
2784 +-/*
2785 +- * start the timer instance
2786 +- */
2787 +-int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
2788 ++/* stop/pause a master timer */
2789 ++static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
2790 + {
2791 + struct snd_timer *timer;
2792 +- int result = -EINVAL;
2793 ++ int result = 0;
2794 + unsigned long flags;
2795 +
2796 +- if (timeri == NULL || ticks < 1)
2797 +- return -EINVAL;
2798 +- if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
2799 +- result = snd_timer_start_slave(timeri);
2800 +- if (result >= 0)
2801 +- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
2802 +- return result;
2803 +- }
2804 +- timer = timeri->timer;
2805 +- if (timer == NULL)
2806 +- return -EINVAL;
2807 +- if (timer->card && timer->card->shutdown)
2808 +- return -ENODEV;
2809 +- spin_lock_irqsave(&timer->lock, flags);
2810 +- if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
2811 +- SNDRV_TIMER_IFLG_START)) {
2812 +- result = -EBUSY;
2813 +- goto unlock;
2814 +- }
2815 +- timeri->ticks = timeri->cticks = ticks;
2816 +- timeri->pticks = 0;
2817 +- result = snd_timer_start1(timer, timeri, ticks);
2818 +- unlock:
2819 +- spin_unlock_irqrestore(&timer->lock, flags);
2820 +- if (result >= 0)
2821 +- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
2822 +- return result;
2823 +-}
2824 +-
2825 +-static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
2826 +-{
2827 +- struct snd_timer *timer;
2828 +- unsigned long flags;
2829 +-
2830 +- if (snd_BUG_ON(!timeri))
2831 +- return -ENXIO;
2832 +-
2833 +- if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
2834 +- spin_lock_irqsave(&slave_active_lock, flags);
2835 +- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
2836 +- spin_unlock_irqrestore(&slave_active_lock, flags);
2837 +- return -EBUSY;
2838 +- }
2839 +- if (timeri->timer)
2840 +- spin_lock(&timeri->timer->lock);
2841 +- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
2842 +- list_del_init(&timeri->ack_list);
2843 +- list_del_init(&timeri->active_list);
2844 +- if (timeri->timer)
2845 +- spin_unlock(&timeri->timer->lock);
2846 +- spin_unlock_irqrestore(&slave_active_lock, flags);
2847 +- goto __end;
2848 +- }
2849 + timer = timeri->timer;
2850 + if (!timer)
2851 + return -EINVAL;
2852 + spin_lock_irqsave(&timer->lock, flags);
2853 + if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
2854 + SNDRV_TIMER_IFLG_START))) {
2855 +- spin_unlock_irqrestore(&timer->lock, flags);
2856 +- return -EBUSY;
2857 ++ result = -EBUSY;
2858 ++ goto unlock;
2859 + }
2860 + list_del_init(&timeri->ack_list);
2861 + list_del_init(&timeri->active_list);
2862 +- if (timer->card && timer->card->shutdown) {
2863 +- spin_unlock_irqrestore(&timer->lock, flags);
2864 +- return 0;
2865 ++ if (timer->card && timer->card->shutdown)
2866 ++ goto unlock;
2867 ++ if (stop) {
2868 ++ timeri->cticks = timeri->ticks;
2869 ++ timeri->pticks = 0;
2870 + }
2871 + if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) &&
2872 + !(--timer->running)) {
2873 +@@ -556,35 +550,64 @@ static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
2874 + }
2875 + }
2876 + timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
2877 ++ if (stop)
2878 ++ timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
2879 ++ else
2880 ++ timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
2881 ++ snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
2882 ++ SNDRV_TIMER_EVENT_CONTINUE);
2883 ++ unlock:
2884 + spin_unlock_irqrestore(&timer->lock, flags);
2885 +- __end:
2886 +- if (event != SNDRV_TIMER_EVENT_RESOLUTION)
2887 +- snd_timer_notify1(timeri, event);
2888 ++ return result;
2889 ++}
2890 ++
2891 ++/* stop/pause a slave timer */
2892 ++static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
2893 ++{
2894 ++ unsigned long flags;
2895 ++
2896 ++ spin_lock_irqsave(&slave_active_lock, flags);
2897 ++ if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
2898 ++ spin_unlock_irqrestore(&slave_active_lock, flags);
2899 ++ return -EBUSY;
2900 ++ }
2901 ++ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
2902 ++ if (timeri->timer) {
2903 ++ spin_lock(&timeri->timer->lock);
2904 ++ list_del_init(&timeri->ack_list);
2905 ++ list_del_init(&timeri->active_list);
2906 ++ snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
2907 ++ SNDRV_TIMER_EVENT_CONTINUE);
2908 ++ spin_unlock(&timeri->timer->lock);
2909 ++ }
2910 ++ spin_unlock_irqrestore(&slave_active_lock, flags);
2911 + return 0;
2912 + }
2913 +
2914 + /*
2915 ++ * start the timer instance
2916 ++ */
2917 ++int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
2918 ++{
2919 ++ if (timeri == NULL || ticks < 1)
2920 ++ return -EINVAL;
2921 ++ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
2922 ++ return snd_timer_start_slave(timeri, true);
2923 ++ else
2924 ++ return snd_timer_start1(timeri, true, ticks);
2925 ++}
2926 ++
2927 ++/*
2928 + * stop the timer instance.
2929 + *
2930 + * do not call this from the timer callback!
2931 + */
2932 + int snd_timer_stop(struct snd_timer_instance *timeri)
2933 + {
2934 +- struct snd_timer *timer;
2935 +- unsigned long flags;
2936 +- int err;
2937 +-
2938 +- err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP);
2939 +- if (err < 0)
2940 +- return err;
2941 +- timer = timeri->timer;
2942 +- if (!timer)
2943 +- return -EINVAL;
2944 +- spin_lock_irqsave(&timer->lock, flags);
2945 +- timeri->cticks = timeri->ticks;
2946 +- timeri->pticks = 0;
2947 +- spin_unlock_irqrestore(&timer->lock, flags);
2948 +- return 0;
2949 ++ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
2950 ++ return snd_timer_stop_slave(timeri, true);
2951 ++ else
2952 ++ return snd_timer_stop1(timeri, true);
2953 + }
2954 +
2955 + /*
2956 +@@ -592,32 +615,14 @@ int snd_timer_stop(struct snd_timer_instance *timeri)
2957 + */
2958 + int snd_timer_continue(struct snd_timer_instance *timeri)
2959 + {
2960 +- struct snd_timer *timer;
2961 +- int result = -EINVAL;
2962 +- unsigned long flags;
2963 ++ /* timer can continue only after pause */
2964 ++ if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
2965 ++ return -EINVAL;
2966 +
2967 +- if (timeri == NULL)
2968 +- return result;
2969 + if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
2970 +- return snd_timer_start_slave(timeri);
2971 +- timer = timeri->timer;
2972 +- if (! timer)
2973 +- return -EINVAL;
2974 +- if (timer->card && timer->card->shutdown)
2975 +- return -ENODEV;
2976 +- spin_lock_irqsave(&timer->lock, flags);
2977 +- if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) {
2978 +- result = -EBUSY;
2979 +- goto unlock;
2980 +- }
2981 +- if (!timeri->cticks)
2982 +- timeri->cticks = 1;
2983 +- timeri->pticks = 0;
2984 +- result = snd_timer_start1(timer, timeri, timer->sticks);
2985 +- unlock:
2986 +- spin_unlock_irqrestore(&timer->lock, flags);
2987 +- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE);
2988 +- return result;
2989 ++ return snd_timer_start_slave(timeri, false);
2990 ++ else
2991 ++ return snd_timer_start1(timeri, false, 0);
2992 + }
2993 +
2994 + /*
2995 +@@ -625,7 +630,10 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
2996 + */
2997 + int snd_timer_pause(struct snd_timer_instance * timeri)
2998 + {
2999 +- return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE);
3000 ++ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
3001 ++ return snd_timer_stop_slave(timeri, false);
3002 ++ else
3003 ++ return snd_timer_stop1(timeri, false);
3004 + }
3005 +
3006 + /*
3007 +@@ -837,6 +845,7 @@ int snd_timer_new(struct snd_card *card, char *id, struct snd_timer_id *tid,
3008 + timer->tmr_subdevice = tid->subdevice;
3009 + if (id)
3010 + strlcpy(timer->id, id, sizeof(timer->id));
3011 ++ timer->sticks = 1;
3012 + INIT_LIST_HEAD(&timer->device_list);
3013 + INIT_LIST_HEAD(&timer->open_list_head);
3014 + INIT_LIST_HEAD(&timer->active_list_head);
3015 +@@ -1826,6 +1835,9 @@ static int snd_timer_user_continue(struct file *file)
3016 + tu = file->private_data;
3017 + if (!tu->timeri)
3018 + return -EBADFD;
3019 ++ /* start timer instead of continue if it's not used before */
3020 ++ if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
3021 ++ return snd_timer_user_start(file);
3022 + tu->timeri->lost = 0;
3023 + return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
3024 + }
3025 +@@ -1967,6 +1979,7 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer,
3026 + tu->qused--;
3027 + spin_unlock_irq(&tu->qlock);
3028 +
3029 ++ mutex_lock(&tu->ioctl_lock);
3030 + if (tu->tread) {
3031 + if (copy_to_user(buffer, &tu->tqueue[qhead],
3032 + sizeof(struct snd_timer_tread)))
3033 +@@ -1976,6 +1989,7 @@ static ssize_t snd_timer_user_read(struct file *file, char __user *buffer,
3034 + sizeof(struct snd_timer_read)))
3035 + err = -EFAULT;
3036 + }
3037 ++ mutex_unlock(&tu->ioctl_lock);
3038 +
3039 + spin_lock_irq(&tu->qlock);
3040 + if (err < 0)
3041 +diff --git a/sound/firewire/fireworks/fireworks.h b/sound/firewire/fireworks/fireworks.h
3042 +index 084d414b228c..b431c34b2d74 100644
3043 +--- a/sound/firewire/fireworks/fireworks.h
3044 ++++ b/sound/firewire/fireworks/fireworks.h
3045 +@@ -106,7 +106,6 @@ struct snd_efw {
3046 + u8 *resp_buf;
3047 + u8 *pull_ptr;
3048 + u8 *push_ptr;
3049 +- unsigned int resp_queues;
3050 + };
3051 +
3052 + int snd_efw_transaction_cmd(struct fw_unit *unit,
3053 +diff --git a/sound/firewire/fireworks/fireworks_hwdep.c b/sound/firewire/fireworks/fireworks_hwdep.c
3054 +index 33df8655fe81..2e1d9a23920c 100644
3055 +--- a/sound/firewire/fireworks/fireworks_hwdep.c
3056 ++++ b/sound/firewire/fireworks/fireworks_hwdep.c
3057 +@@ -25,6 +25,7 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, long remained,
3058 + {
3059 + unsigned int length, till_end, type;
3060 + struct snd_efw_transaction *t;
3061 ++ u8 *pull_ptr;
3062 + long count = 0;
3063 +
3064 + if (remained < sizeof(type) + sizeof(struct snd_efw_transaction))
3065 +@@ -38,8 +39,17 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, long remained,
3066 + buf += sizeof(type);
3067 +
3068 + /* write into buffer as many responses as possible */
3069 +- while (efw->resp_queues > 0) {
3070 +- t = (struct snd_efw_transaction *)(efw->pull_ptr);
3071 ++ spin_lock_irq(&efw->lock);
3072 ++
3073 ++ /*
3074 ++ * When another task reaches here during this task's access to user
3075 ++ * space, it picks up current position in buffer and can read the same
3076 ++ * series of responses.
3077 ++ */
3078 ++ pull_ptr = efw->pull_ptr;
3079 ++
3080 ++ while (efw->push_ptr != pull_ptr) {
3081 ++ t = (struct snd_efw_transaction *)(pull_ptr);
3082 + length = be32_to_cpu(t->length) * sizeof(__be32);
3083 +
3084 + /* confirm enough space for this response */
3085 +@@ -49,26 +59,39 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, long remained,
3086 + /* copy from ring buffer to user buffer */
3087 + while (length > 0) {
3088 + till_end = snd_efw_resp_buf_size -
3089 +- (unsigned int)(efw->pull_ptr - efw->resp_buf);
3090 ++ (unsigned int)(pull_ptr - efw->resp_buf);
3091 + till_end = min_t(unsigned int, length, till_end);
3092 +
3093 +- if (copy_to_user(buf, efw->pull_ptr, till_end))
3094 ++ spin_unlock_irq(&efw->lock);
3095 ++
3096 ++ if (copy_to_user(buf, pull_ptr, till_end))
3097 + return -EFAULT;
3098 +
3099 +- efw->pull_ptr += till_end;
3100 +- if (efw->pull_ptr >= efw->resp_buf +
3101 +- snd_efw_resp_buf_size)
3102 +- efw->pull_ptr -= snd_efw_resp_buf_size;
3103 ++ spin_lock_irq(&efw->lock);
3104 ++
3105 ++ pull_ptr += till_end;
3106 ++ if (pull_ptr >= efw->resp_buf + snd_efw_resp_buf_size)
3107 ++ pull_ptr -= snd_efw_resp_buf_size;
3108 +
3109 + length -= till_end;
3110 + buf += till_end;
3111 + count += till_end;
3112 + remained -= till_end;
3113 + }
3114 +-
3115 +- efw->resp_queues--;
3116 + }
3117 +
3118 ++ /*
3119 ++ * All of tasks can read from the buffer nearly simultaneously, but the
3120 ++ * last position for each task is different depending on the length of
3121 ++ * given buffer. Here, for simplicity, a position of buffer is set by
3122 ++ * the latest task. It's better for a listening application to allow one
3123 ++ * thread to read from the buffer. Unless, each task can read different
3124 ++ * sequence of responses depending on variation of buffer length.
3125 ++ */
3126 ++ efw->pull_ptr = pull_ptr;
3127 ++
3128 ++ spin_unlock_irq(&efw->lock);
3129 ++
3130 + return count;
3131 + }
3132 +
3133 +@@ -76,14 +99,17 @@ static long
3134 + hwdep_read_locked(struct snd_efw *efw, char __user *buf, long count,
3135 + loff_t *offset)
3136 + {
3137 +- union snd_firewire_event event;
3138 ++ union snd_firewire_event event = {
3139 ++ .lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS,
3140 ++ };
3141 +
3142 +- memset(&event, 0, sizeof(event));
3143 ++ spin_lock_irq(&efw->lock);
3144 +
3145 +- event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
3146 + event.lock_status.status = (efw->dev_lock_count > 0);
3147 + efw->dev_lock_changed = false;
3148 +
3149 ++ spin_unlock_irq(&efw->lock);
3150 ++
3151 + count = min_t(long, count, sizeof(event.lock_status));
3152 +
3153 + if (copy_to_user(buf, &event, count))
3154 +@@ -98,10 +124,15 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
3155 + {
3156 + struct snd_efw *efw = hwdep->private_data;
3157 + DEFINE_WAIT(wait);
3158 ++ bool dev_lock_changed;
3159 ++ bool queued;
3160 +
3161 + spin_lock_irq(&efw->lock);
3162 +
3163 +- while ((!efw->dev_lock_changed) && (efw->resp_queues == 0)) {
3164 ++ dev_lock_changed = efw->dev_lock_changed;
3165 ++ queued = efw->push_ptr != efw->pull_ptr;
3166 ++
3167 ++ while (!dev_lock_changed && !queued) {
3168 + prepare_to_wait(&efw->hwdep_wait, &wait, TASK_INTERRUPTIBLE);
3169 + spin_unlock_irq(&efw->lock);
3170 + schedule();
3171 +@@ -109,15 +140,17 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
3172 + if (signal_pending(current))
3173 + return -ERESTARTSYS;
3174 + spin_lock_irq(&efw->lock);
3175 ++ dev_lock_changed = efw->dev_lock_changed;
3176 ++ queued = efw->push_ptr != efw->pull_ptr;
3177 + }
3178 +
3179 +- if (efw->dev_lock_changed)
3180 ++ spin_unlock_irq(&efw->lock);
3181 ++
3182 ++ if (dev_lock_changed)
3183 + count = hwdep_read_locked(efw, buf, count, offset);
3184 +- else if (efw->resp_queues > 0)
3185 ++ else if (queued)
3186 + count = hwdep_read_resp_buf(efw, buf, count, offset);
3187 +
3188 +- spin_unlock_irq(&efw->lock);
3189 +-
3190 + return count;
3191 + }
3192 +
3193 +@@ -160,7 +193,7 @@ hwdep_poll(struct snd_hwdep *hwdep, struct file *file, poll_table *wait)
3194 + poll_wait(file, &efw->hwdep_wait, wait);
3195 +
3196 + spin_lock_irq(&efw->lock);
3197 +- if (efw->dev_lock_changed || (efw->resp_queues > 0))
3198 ++ if (efw->dev_lock_changed || efw->pull_ptr != efw->push_ptr)
3199 + events = POLLIN | POLLRDNORM;
3200 + else
3201 + events = 0;
3202 +diff --git a/sound/firewire/fireworks/fireworks_proc.c b/sound/firewire/fireworks/fireworks_proc.c
3203 +index 0639dcb13f7d..beb0a0ffee57 100644
3204 +--- a/sound/firewire/fireworks/fireworks_proc.c
3205 ++++ b/sound/firewire/fireworks/fireworks_proc.c
3206 +@@ -188,8 +188,8 @@ proc_read_queues_state(struct snd_info_entry *entry,
3207 + else
3208 + consumed = (unsigned int)(efw->push_ptr - efw->pull_ptr);
3209 +
3210 +- snd_iprintf(buffer, "%d %d/%d\n",
3211 +- efw->resp_queues, consumed, snd_efw_resp_buf_size);
3212 ++ snd_iprintf(buffer, "%d/%d\n",
3213 ++ consumed, snd_efw_resp_buf_size);
3214 + }
3215 +
3216 + static void
3217 +diff --git a/sound/firewire/fireworks/fireworks_transaction.c b/sound/firewire/fireworks/fireworks_transaction.c
3218 +index f550808d1784..36a08ba51ec7 100644
3219 +--- a/sound/firewire/fireworks/fireworks_transaction.c
3220 ++++ b/sound/firewire/fireworks/fireworks_transaction.c
3221 +@@ -121,11 +121,11 @@ copy_resp_to_buf(struct snd_efw *efw, void *data, size_t length, int *rcode)
3222 + size_t capacity, till_end;
3223 + struct snd_efw_transaction *t;
3224 +
3225 +- spin_lock_irq(&efw->lock);
3226 +-
3227 + t = (struct snd_efw_transaction *)data;
3228 + length = min_t(size_t, be32_to_cpu(t->length) * sizeof(u32), length);
3229 +
3230 ++ spin_lock_irq(&efw->lock);
3231 ++
3232 + if (efw->push_ptr < efw->pull_ptr)
3233 + capacity = (unsigned int)(efw->pull_ptr - efw->push_ptr);
3234 + else
3235 +@@ -155,7 +155,6 @@ copy_resp_to_buf(struct snd_efw *efw, void *data, size_t length, int *rcode)
3236 + }
3237 +
3238 + /* for hwdep */
3239 +- efw->resp_queues++;
3240 + wake_up(&efw->hwdep_wait);
3241 +
3242 + *rcode = RCODE_COMPLETE;
3243 +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
3244 +index 429697a93a71..2a9ec9706db8 100644
3245 +--- a/sound/pci/hda/patch_realtek.c
3246 ++++ b/sound/pci/hda/patch_realtek.c
3247 +@@ -4750,6 +4750,7 @@ enum {
3248 + ALC221_FIXUP_HP_FRONT_MIC,
3249 + ALC292_FIXUP_TPT460,
3250 + ALC298_FIXUP_SPK_VOLUME,
3251 ++ ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER,
3252 + };
3253 +
3254 + static const struct hda_fixup alc269_fixups[] = {
3255 +@@ -5411,6 +5412,15 @@ static const struct hda_fixup alc269_fixups[] = {
3256 + .chained = true,
3257 + .chain_id = ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
3258 + },
3259 ++ [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
3260 ++ .type = HDA_FIXUP_PINS,
3261 ++ .v.pins = (const struct hda_pintbl[]) {
3262 ++ { 0x1b, 0x90170151 },
3263 ++ { }
3264 ++ },
3265 ++ .chained = true,
3266 ++ .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
3267 ++ },
3268 + };
3269 +
3270 + static const struct snd_pci_quirk alc269_fixup_tbl[] = {
3271 +@@ -5455,6 +5465,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
3272 + SND_PCI_QUIRK(0x1028, 0x06df, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
3273 + SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
3274 + SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13 9350", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
3275 ++ SND_PCI_QUIRK(0x1028, 0x0706, "Dell Inspiron 7559", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
3276 + SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE),
3277 + SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
3278 + SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
3279 +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
3280 +index e27df0d3898b..4a083433944e 100644
3281 +--- a/sound/usb/quirks.c
3282 ++++ b/sound/usb/quirks.c
3283 +@@ -1137,6 +1137,7 @@ bool snd_usb_get_sample_rate_quirk(struct snd_usb_audio *chip)
3284 + case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
3285 + case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
3286 + case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
3287 ++ case USB_ID(0x1901, 0x0191): /* GE B850V3 CP2114 audio interface */
3288 + case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
3289 + case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
3290 + case USB_ID(0x1de7, 0x0114): /* Phoenix Audio MT202pcs */
Report Message
Find on MARC Find on Google Groups