Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:3.18 commit in: /
Date: Wed, 12 Oct 2016 19:51:19
Message-Id: 1476301863.e847c6fdd3e89d7a472571c54c47bbf87ef0cd0c.mpagano@gentoo
1 commit: e847c6fdd3e89d7a472571c54c47bbf87ef0cd0c
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Oct 12 19:51:03 2016 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Oct 12 19:51:03 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=e847c6fd
7
8 Linux patch 3.18.43
9
10 0000_README | 4 +
11 1042_linux-3.18.43.patch | 3150 ++++++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 3154 insertions(+)
13
14 diff --git a/0000_README b/0000_README
15 index 7228605..cc667fc 100644
16 --- a/0000_README
17 +++ b/0000_README
18 @@ -211,6 +211,10 @@ Patch: 1041_linux-3.18.42.patch
19 From: http://www.kernel.org
20 Desc: Linux 3.18.42
21
22 +Patch: 1042_linux-3.18.43.patch
23 +From: http://www.kernel.org
24 +Desc: Linux 3.18.43
25 +
26 Patch: 1500_XATTR_USER_PREFIX.patch
27 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
28 Desc: Support for namespace user.pax.* on tmpfs.
29
30 diff --git a/1042_linux-3.18.43.patch b/1042_linux-3.18.43.patch
31 new file mode 100644
32 index 0000000..8356192
33 --- /dev/null
34 +++ b/1042_linux-3.18.43.patch
35 @@ -0,0 +1,3150 @@
36 +diff --git a/Makefile b/Makefile
37 +index dafc1eade47e..28912c341bd8 100644
38 +--- a/Makefile
39 ++++ b/Makefile
40 +@@ -1,6 +1,6 @@
41 + VERSION = 3
42 + PATCHLEVEL = 18
43 +-SUBLEVEL = 42
44 ++SUBLEVEL = 43
45 + EXTRAVERSION =
46 + NAME = Diseased Newt
47 +
48 +diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
49 +index 30c9baffa96f..08770c750696 100644
50 +--- a/arch/arc/include/asm/uaccess.h
51 ++++ b/arch/arc/include/asm/uaccess.h
52 +@@ -83,7 +83,10 @@
53 + "2: ;nop\n" \
54 + " .section .fixup, \"ax\"\n" \
55 + " .align 4\n" \
56 +- "3: mov %0, %3\n" \
57 ++ "3: # return -EFAULT\n" \
58 ++ " mov %0, %3\n" \
59 ++ " # zero out dst ptr\n" \
60 ++ " mov %1, 0\n" \
61 + " j 2b\n" \
62 + " .previous\n" \
63 + " .section __ex_table, \"a\"\n" \
64 +@@ -101,7 +104,11 @@
65 + "2: ;nop\n" \
66 + " .section .fixup, \"ax\"\n" \
67 + " .align 4\n" \
68 +- "3: mov %0, %3\n" \
69 ++ "3: # return -EFAULT\n" \
70 ++ " mov %0, %3\n" \
71 ++ " # zero out dst ptr\n" \
72 ++ " mov %1, 0\n" \
73 ++ " mov %R1, 0\n" \
74 + " j 2b\n" \
75 + " .previous\n" \
76 + " .section __ex_table, \"a\"\n" \
77 +diff --git a/arch/arm/boot/dts/kirkwood-ib62x0.dts b/arch/arm/boot/dts/kirkwood-ib62x0.dts
78 +index bfa5edde179c..2c1e7f09205f 100644
79 +--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
80 ++++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
81 +@@ -113,7 +113,7 @@
82 +
83 + partition@e0000 {
84 + label = "u-boot environment";
85 +- reg = <0xe0000 0x100000>;
86 ++ reg = <0xe0000 0x20000>;
87 + };
88 +
89 + partition@100000 {
90 +diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
91 +index e8193b987313..6c3dc428a881 100644
92 +--- a/arch/arm/kvm/arm.c
93 ++++ b/arch/arm/kvm/arm.c
94 +@@ -153,8 +153,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
95 + {
96 + int i;
97 +
98 +- kvm_free_stage2_pgd(kvm);
99 +-
100 + for (i = 0; i < KVM_MAX_VCPUS; ++i) {
101 + if (kvm->vcpus[i]) {
102 + kvm_arch_vcpu_free(kvm->vcpus[i]);
103 +diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
104 +index 0310b03697e0..feda3ff185e9 100644
105 +--- a/arch/arm/kvm/mmu.c
106 ++++ b/arch/arm/kvm/mmu.c
107 +@@ -1493,6 +1493,7 @@ void kvm_arch_memslots_updated(struct kvm *kvm)
108 +
109 + void kvm_arch_flush_shadow_all(struct kvm *kvm)
110 + {
111 ++ kvm_free_stage2_pgd(kvm);
112 + }
113 +
114 + void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
115 +diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
116 +index 5c3af8f993d0..bdd1d9061759 100644
117 +--- a/arch/arm/mach-imx/pm-imx6.c
118 ++++ b/arch/arm/mach-imx/pm-imx6.c
119 +@@ -293,7 +293,7 @@ int imx6q_set_lpm(enum mxc_cpu_pwr_mode mode)
120 + val |= 0x3 << BP_CLPCR_STBY_COUNT;
121 + val |= BM_CLPCR_VSTBY;
122 + val |= BM_CLPCR_SBYOS;
123 +- if (cpu_is_imx6sl())
124 ++ if (cpu_is_imx6sl() || cpu_is_imx6sx())
125 + val |= BM_CLPCR_BYPASS_PMIC_READY;
126 + if (cpu_is_imx6sl() || cpu_is_imx6sx())
127 + val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
128 +diff --git a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
129 +index 2a78b093c0ce..e74ddb373131 100644
130 +--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
131 ++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
132 +@@ -724,8 +724,20 @@ static struct omap_hwmod omap3xxx_dss_dispc_hwmod = {
133 + * display serial interface controller
134 + */
135 +
136 ++static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
137 ++ .rev_offs = 0x0000,
138 ++ .sysc_offs = 0x0010,
139 ++ .syss_offs = 0x0014,
140 ++ .sysc_flags = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
141 ++ SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
142 ++ SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
143 ++ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
144 ++ .sysc_fields = &omap_hwmod_sysc_type1,
145 ++};
146 ++
147 + static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
148 + .name = "dsi",
149 ++ .sysc = &omap3xxx_dsi_sysc,
150 + };
151 +
152 + static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
153 +diff --git a/arch/arm/plat-orion/gpio.c b/arch/arm/plat-orion/gpio.c
154 +index e048f6198d68..14f6e647c739 100644
155 +--- a/arch/arm/plat-orion/gpio.c
156 ++++ b/arch/arm/plat-orion/gpio.c
157 +@@ -505,9 +505,9 @@ static void orion_gpio_unmask_irq(struct irq_data *d)
158 + u32 mask = d->mask;
159 +
160 + irq_gc_lock(gc);
161 +- reg_val = irq_reg_readl(gc->reg_base + ct->regs.mask);
162 ++ reg_val = irq_reg_readl(gc, ct->regs.mask);
163 + reg_val |= mask;
164 +- irq_reg_writel(reg_val, gc->reg_base + ct->regs.mask);
165 ++ irq_reg_writel(gc, reg_val, ct->regs.mask);
166 + irq_gc_unlock(gc);
167 + }
168 +
169 +@@ -519,9 +519,9 @@ static void orion_gpio_mask_irq(struct irq_data *d)
170 + u32 reg_val;
171 +
172 + irq_gc_lock(gc);
173 +- reg_val = irq_reg_readl(gc->reg_base + ct->regs.mask);
174 ++ reg_val = irq_reg_readl(gc, ct->regs.mask);
175 + reg_val &= ~mask;
176 +- irq_reg_writel(reg_val, gc->reg_base + ct->regs.mask);
177 ++ irq_reg_writel(gc, reg_val, ct->regs.mask);
178 + irq_gc_unlock(gc);
179 + }
180 +
181 +diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c
182 +index 5f63a791b2fb..31d014f01574 100644
183 +--- a/arch/arm64/crypto/aes-glue.c
184 ++++ b/arch/arm64/crypto/aes-glue.c
185 +@@ -205,7 +205,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct scatterlist *dst,
186 + err = blkcipher_walk_done(desc, &walk,
187 + walk.nbytes % AES_BLOCK_SIZE);
188 + }
189 +- if (nbytes) {
190 ++ if (walk.nbytes % AES_BLOCK_SIZE) {
191 + u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
192 + u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
193 + u8 __aligned(8) tail[AES_BLOCK_SIZE];
194 +diff --git a/arch/arm64/include/asm/spinlock.h b/arch/arm64/include/asm/spinlock.h
195 +index c45b7b1b7197..3c0bb9b303e8 100644
196 +--- a/arch/arm64/include/asm/spinlock.h
197 ++++ b/arch/arm64/include/asm/spinlock.h
198 +@@ -231,4 +231,14 @@ static inline int arch_read_trylock(arch_rwlock_t *rw)
199 + #define arch_read_relax(lock) cpu_relax()
200 + #define arch_write_relax(lock) cpu_relax()
201 +
202 ++/*
203 ++ * Accesses appearing in program order before a spin_lock() operation
204 ++ * can be reordered with accesses inside the critical section, by virtue
205 ++ * of arch_spin_lock being constructed using acquire semantics.
206 ++ *
207 ++ * In cases where this is problematic (e.g. try_to_wake_up), an
208 ++ * smp_mb__before_spinlock() can restore the required ordering.
209 ++ */
210 ++#define smp_mb__before_spinlock() smp_mb()
211 ++
212 + #endif /* __ASM_SPINLOCK_H */
213 +diff --git a/arch/avr32/include/asm/uaccess.h b/arch/avr32/include/asm/uaccess.h
214 +index 245b2ee213c9..a0a9b8c31041 100644
215 +--- a/arch/avr32/include/asm/uaccess.h
216 ++++ b/arch/avr32/include/asm/uaccess.h
217 +@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void *to, const void *from,
218 +
219 + extern __kernel_size_t copy_to_user(void __user *to, const void *from,
220 + __kernel_size_t n);
221 +-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
222 ++extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
223 + __kernel_size_t n);
224 +
225 + static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
226 +@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_from_user(void *to,
227 + {
228 + return __copy_user(to, (const void __force *)from, n);
229 + }
230 ++static inline __kernel_size_t copy_from_user(void *to,
231 ++ const void __user *from,
232 ++ __kernel_size_t n)
233 ++{
234 ++ size_t res = ___copy_from_user(to, from, n);
235 ++ if (unlikely(res))
236 ++ memset(to + (n - res), 0, res);
237 ++ return res;
238 ++}
239 +
240 + #define __copy_to_user_inatomic __copy_to_user
241 + #define __copy_from_user_inatomic __copy_from_user
242 +diff --git a/arch/avr32/kernel/avr32_ksyms.c b/arch/avr32/kernel/avr32_ksyms.c
243 +index d93ead02daed..7c6cf14f0985 100644
244 +--- a/arch/avr32/kernel/avr32_ksyms.c
245 ++++ b/arch/avr32/kernel/avr32_ksyms.c
246 +@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
247 + /*
248 + * Userspace access stuff.
249 + */
250 +-EXPORT_SYMBOL(copy_from_user);
251 ++EXPORT_SYMBOL(___copy_from_user);
252 + EXPORT_SYMBOL(copy_to_user);
253 + EXPORT_SYMBOL(__copy_user);
254 + EXPORT_SYMBOL(strncpy_from_user);
255 +diff --git a/arch/avr32/lib/copy_user.S b/arch/avr32/lib/copy_user.S
256 +index ea59c04b07de..075373471da1 100644
257 +--- a/arch/avr32/lib/copy_user.S
258 ++++ b/arch/avr32/lib/copy_user.S
259 +@@ -23,13 +23,13 @@
260 + */
261 + .text
262 + .align 1
263 +- .global copy_from_user
264 +- .type copy_from_user, @function
265 +-copy_from_user:
266 ++ .global ___copy_from_user
267 ++ .type ___copy_from_user, @function
268 ++___copy_from_user:
269 + branch_if_kernel r8, __copy_user
270 + ret_if_privileged r8, r11, r10, r10
271 + rjmp __copy_user
272 +- .size copy_from_user, . - copy_from_user
273 ++ .size ___copy_from_user, . - ___copy_from_user
274 +
275 + .global copy_to_user
276 + .type copy_to_user, @function
277 +diff --git a/arch/blackfin/include/asm/uaccess.h b/arch/blackfin/include/asm/uaccess.h
278 +index 57701c3b8a59..a992a788409c 100644
279 +--- a/arch/blackfin/include/asm/uaccess.h
280 ++++ b/arch/blackfin/include/asm/uaccess.h
281 +@@ -177,11 +177,12 @@ static inline int bad_user_access_length(void)
282 + static inline unsigned long __must_check
283 + copy_from_user(void *to, const void __user *from, unsigned long n)
284 + {
285 +- if (access_ok(VERIFY_READ, from, n))
286 ++ if (likely(access_ok(VERIFY_READ, from, n))) {
287 + memcpy(to, (const void __force *)from, n);
288 +- else
289 +- return n;
290 +- return 0;
291 ++ return 0;
292 ++ }
293 ++ memset(to, 0, n);
294 ++ return n;
295 + }
296 +
297 + static inline unsigned long __must_check
298 +diff --git a/arch/frv/include/asm/uaccess.h b/arch/frv/include/asm/uaccess.h
299 +index 3ac9a59d65d4..87d9e34c5df8 100644
300 +--- a/arch/frv/include/asm/uaccess.h
301 ++++ b/arch/frv/include/asm/uaccess.h
302 +@@ -263,19 +263,25 @@ do { \
303 + extern long __memset_user(void *dst, unsigned long count);
304 + extern long __memcpy_user(void *dst, const void *src, unsigned long count);
305 +
306 +-#define clear_user(dst,count) __memset_user(____force(dst), (count))
307 ++#define __clear_user(dst,count) __memset_user(____force(dst), (count))
308 + #define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n))
309 + #define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n))
310 +
311 + #else
312 +
313 +-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
314 ++#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
315 + #define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0)
316 + #define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0)
317 +
318 + #endif
319 +
320 +-#define __clear_user clear_user
321 ++static inline unsigned long __must_check
322 ++clear_user(void __user *to, unsigned long n)
323 ++{
324 ++ if (likely(__access_ok(to, n)))
325 ++ n = __clear_user(to, n);
326 ++ return n;
327 ++}
328 +
329 + static inline unsigned long __must_check
330 + __copy_to_user(void __user *to, const void *from, unsigned long n)
331 +diff --git a/arch/hexagon/include/asm/cacheflush.h b/arch/hexagon/include/asm/cacheflush.h
332 +index 49e0896ec240..b86f9f300e94 100644
333 +--- a/arch/hexagon/include/asm/cacheflush.h
334 ++++ b/arch/hexagon/include/asm/cacheflush.h
335 +@@ -21,10 +21,7 @@
336 + #ifndef _ASM_CACHEFLUSH_H
337 + #define _ASM_CACHEFLUSH_H
338 +
339 +-#include <linux/cache.h>
340 +-#include <linux/mm.h>
341 +-#include <asm/string.h>
342 +-#include <asm-generic/cacheflush.h>
343 ++#include <linux/mm_types.h>
344 +
345 + /* Cache flushing:
346 + *
347 +@@ -41,6 +38,20 @@
348 + #define LINESIZE 32
349 + #define LINEBITS 5
350 +
351 ++#define flush_cache_all() do { } while (0)
352 ++#define flush_cache_mm(mm) do { } while (0)
353 ++#define flush_cache_dup_mm(mm) do { } while (0)
354 ++#define flush_cache_range(vma, start, end) do { } while (0)
355 ++#define flush_cache_page(vma, vmaddr, pfn) do { } while (0)
356 ++#define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 0
357 ++#define flush_dcache_page(page) do { } while (0)
358 ++#define flush_dcache_mmap_lock(mapping) do { } while (0)
359 ++#define flush_dcache_mmap_unlock(mapping) do { } while (0)
360 ++#define flush_icache_page(vma, pg) do { } while (0)
361 ++#define flush_icache_user_range(vma, pg, adr, len) do { } while (0)
362 ++#define flush_cache_vmap(start, end) do { } while (0)
363 ++#define flush_cache_vunmap(start, end) do { } while (0)
364 ++
365 + /*
366 + * Flush Dcache range through current map.
367 + */
368 +@@ -49,7 +60,6 @@ extern void flush_dcache_range(unsigned long start, unsigned long end);
369 + /*
370 + * Flush Icache range through current map.
371 + */
372 +-#undef flush_icache_range
373 + extern void flush_icache_range(unsigned long start, unsigned long end);
374 +
375 + /*
376 +@@ -79,19 +89,11 @@ static inline void update_mmu_cache(struct vm_area_struct *vma,
377 + /* generic_ptrace_pokedata doesn't wind up here, does it? */
378 + }
379 +
380 +-#undef copy_to_user_page
381 +-static inline void copy_to_user_page(struct vm_area_struct *vma,
382 +- struct page *page,
383 +- unsigned long vaddr,
384 +- void *dst, void *src, int len)
385 +-{
386 +- memcpy(dst, src, len);
387 +- if (vma->vm_flags & VM_EXEC) {
388 +- flush_icache_range((unsigned long) dst,
389 +- (unsigned long) dst + len);
390 +- }
391 +-}
392 ++void copy_to_user_page(struct vm_area_struct *vma, struct page *page,
393 ++ unsigned long vaddr, void *dst, void *src, int len);
394 +
395 ++#define copy_from_user_page(vma, page, vaddr, dst, src, len) \
396 ++ memcpy(dst, src, len)
397 +
398 + extern void hexagon_inv_dcache_range(unsigned long start, unsigned long end);
399 + extern void hexagon_clean_dcache_range(unsigned long start, unsigned long end);
400 +diff --git a/arch/hexagon/include/asm/io.h b/arch/hexagon/include/asm/io.h
401 +index 70298996e9b2..66f5e9a61efc 100644
402 +--- a/arch/hexagon/include/asm/io.h
403 ++++ b/arch/hexagon/include/asm/io.h
404 +@@ -24,14 +24,9 @@
405 + #ifdef __KERNEL__
406 +
407 + #include <linux/types.h>
408 +-#include <linux/delay.h>
409 +-#include <linux/vmalloc.h>
410 +-#include <asm/string.h>
411 +-#include <asm/mem-layout.h>
412 + #include <asm/iomap.h>
413 + #include <asm/page.h>
414 + #include <asm/cacheflush.h>
415 +-#include <asm/tlbflush.h>
416 +
417 + /*
418 + * We don't have PCI yet.
419 +diff --git a/arch/hexagon/include/asm/uaccess.h b/arch/hexagon/include/asm/uaccess.h
420 +index e4127e4d6a5b..25fc9049db8a 100644
421 +--- a/arch/hexagon/include/asm/uaccess.h
422 ++++ b/arch/hexagon/include/asm/uaccess.h
423 +@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_user(char *dst, const char __user *src,
424 + {
425 + long res = __strnlen_user(src, n);
426 +
427 +- /* return from strnlen can't be zero -- that would be rubbish. */
428 ++ if (unlikely(!res))
429 ++ return -EFAULT;
430 +
431 + if (res > n) {
432 + copy_from_user(dst, src, n);
433 +diff --git a/arch/hexagon/kernel/setup.c b/arch/hexagon/kernel/setup.c
434 +index 0e7c1dbb37b2..6981949f5df3 100644
435 +--- a/arch/hexagon/kernel/setup.c
436 ++++ b/arch/hexagon/kernel/setup.c
437 +@@ -19,6 +19,7 @@
438 + */
439 +
440 + #include <linux/init.h>
441 ++#include <linux/delay.h>
442 + #include <linux/bootmem.h>
443 + #include <linux/mmzone.h>
444 + #include <linux/mm.h>
445 +diff --git a/arch/hexagon/mm/cache.c b/arch/hexagon/mm/cache.c
446 +index 0c76c802e31c..a7c6d827d8b6 100644
447 +--- a/arch/hexagon/mm/cache.c
448 ++++ b/arch/hexagon/mm/cache.c
449 +@@ -127,3 +127,13 @@ void flush_cache_all_hexagon(void)
450 + local_irq_restore(flags);
451 + mb();
452 + }
453 ++
454 ++void copy_to_user_page(struct vm_area_struct *vma, struct page *page,
455 ++ unsigned long vaddr, void *dst, void *src, int len)
456 ++{
457 ++ memcpy(dst, src, len);
458 ++ if (vma->vm_flags & VM_EXEC) {
459 ++ flush_icache_range((unsigned long) dst,
460 ++ (unsigned long) dst + len);
461 ++ }
462 ++}
463 +diff --git a/arch/hexagon/mm/ioremap.c b/arch/hexagon/mm/ioremap.c
464 +index 5905fd5f97f6..d27d67224046 100644
465 +--- a/arch/hexagon/mm/ioremap.c
466 ++++ b/arch/hexagon/mm/ioremap.c
467 +@@ -20,6 +20,7 @@
468 +
469 + #include <linux/io.h>
470 + #include <linux/vmalloc.h>
471 ++#include <linux/mm.h>
472 +
473 + void __iomem *ioremap_nocache(unsigned long phys_addr, unsigned long size)
474 + {
475 +diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
476 +index 449c8c0fa2bd..810926c56e31 100644
477 +--- a/arch/ia64/include/asm/uaccess.h
478 ++++ b/arch/ia64/include/asm/uaccess.h
479 +@@ -262,17 +262,15 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
480 + __cu_len; \
481 + })
482 +
483 +-#define copy_from_user(to, from, n) \
484 +-({ \
485 +- void *__cu_to = (to); \
486 +- const void __user *__cu_from = (from); \
487 +- long __cu_len = (n); \
488 +- \
489 +- __chk_user_ptr(__cu_from); \
490 +- if (__access_ok(__cu_from, __cu_len, get_fs())) \
491 +- __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
492 +- __cu_len; \
493 +-})
494 ++static inline unsigned long
495 ++copy_from_user(void *to, const void __user *from, unsigned long n)
496 ++{
497 ++ if (likely(__access_ok(from, n, get_fs())))
498 ++ n = __copy_user((__force void __user *) to, from, n);
499 ++ else
500 ++ memset(to, 0, n);
501 ++ return n;
502 ++}
503 +
504 + #define __copy_in_user(to, from, size) __copy_user((to), (from), (size))
505 +
506 +diff --git a/arch/m32r/include/asm/uaccess.h b/arch/m32r/include/asm/uaccess.h
507 +index 84fe7ba53035..c393e8f57cf7 100644
508 +--- a/arch/m32r/include/asm/uaccess.h
509 ++++ b/arch/m32r/include/asm/uaccess.h
510 +@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_regs *regs);
511 + #define __get_user_nocheck(x,ptr,size) \
512 + ({ \
513 + long __gu_err = 0; \
514 +- unsigned long __gu_val; \
515 ++ unsigned long __gu_val = 0; \
516 + might_fault(); \
517 + __get_user_size(__gu_val,(ptr),(size),__gu_err); \
518 + (x) = (__typeof__(*(ptr)))__gu_val; \
519 +diff --git a/arch/metag/include/asm/uaccess.h b/arch/metag/include/asm/uaccess.h
520 +index 0748b0a97986..7841f2290385 100644
521 +--- a/arch/metag/include/asm/uaccess.h
522 ++++ b/arch/metag/include/asm/uaccess.h
523 +@@ -199,8 +199,9 @@ extern unsigned long __must_check __copy_user_zeroing(void *to,
524 + static inline unsigned long
525 + copy_from_user(void *to, const void __user *from, unsigned long n)
526 + {
527 +- if (access_ok(VERIFY_READ, from, n))
528 ++ if (likely(access_ok(VERIFY_READ, from, n)))
529 + return __copy_user_zeroing(to, from, n);
530 ++ memset(to, 0, n);
531 + return n;
532 + }
533 +
534 +diff --git a/arch/microblaze/include/asm/uaccess.h b/arch/microblaze/include/asm/uaccess.h
535 +index 59a89a64a865..336be7716972 100644
536 +--- a/arch/microblaze/include/asm/uaccess.h
537 ++++ b/arch/microblaze/include/asm/uaccess.h
538 +@@ -226,7 +226,7 @@ extern long __user_bad(void);
539 +
540 + #define __get_user(x, ptr) \
541 + ({ \
542 +- unsigned long __gu_val; \
543 ++ unsigned long __gu_val = 0; \
544 + /*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \
545 + long __gu_err; \
546 + switch (sizeof(*(ptr))) { \
547 +@@ -371,10 +371,13 @@ extern long __user_bad(void);
548 + static inline long copy_from_user(void *to,
549 + const void __user *from, unsigned long n)
550 + {
551 ++ unsigned long res = n;
552 + might_fault();
553 +- if (access_ok(VERIFY_READ, from, n))
554 +- return __copy_from_user(to, from, n);
555 +- return n;
556 ++ if (likely(access_ok(VERIFY_READ, from, n)))
557 ++ res = __copy_from_user(to, from, n);
558 ++ if (unlikely(res))
559 ++ memset(to + (n - res), 0, res);
560 ++ return res;
561 + }
562 +
563 + #define __copy_to_user(to, from, n) \
564 +diff --git a/arch/mips/include/asm/asmmacro.h b/arch/mips/include/asm/asmmacro.h
565 +index 71fef0af9c9a..a7ef4fba9774 100644
566 +--- a/arch/mips/include/asm/asmmacro.h
567 ++++ b/arch/mips/include/asm/asmmacro.h
568 +@@ -134,6 +134,7 @@
569 + ldc1 $f28, THREAD_FPR28_LS64(\thread)
570 + ldc1 $f30, THREAD_FPR30_LS64(\thread)
571 + ctc1 \tmp, fcr31
572 ++ .set pop
573 + .endm
574 +
575 + .macro fpu_restore_16odd thread
576 +diff --git a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
577 +index 2f82bfa3a773..c9f5769dfc8f 100644
578 +--- a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
579 ++++ b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
580 +@@ -11,11 +11,13 @@
581 + #define CP0_EBASE $15, 1
582 +
583 + .macro kernel_entry_setup
584 ++#ifdef CONFIG_SMP
585 + mfc0 t0, CP0_EBASE
586 + andi t0, t0, 0x3ff # CPUNum
587 + beqz t0, 1f
588 + # CPUs other than zero goto smp_bootstrap
589 + j smp_bootstrap
590 ++#endif /* CONFIG_SMP */
591 +
592 + 1:
593 + .endm
594 +diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
595 +index 22a5624e2fd2..953a75a8a8d2 100644
596 +--- a/arch/mips/include/asm/uaccess.h
597 ++++ b/arch/mips/include/asm/uaccess.h
598 +@@ -14,6 +14,7 @@
599 + #include <linux/kernel.h>
600 + #include <linux/errno.h>
601 + #include <linux/thread_info.h>
602 ++#include <linux/string.h>
603 + #include <asm/asm-eva.h>
604 +
605 + /*
606 +@@ -1136,6 +1137,8 @@ extern size_t __copy_in_user_eva(void *__to, const void *__from, size_t __n);
607 + __cu_len = __invoke_copy_from_user(__cu_to, \
608 + __cu_from, \
609 + __cu_len); \
610 ++ } else { \
611 ++ memset(__cu_to, 0, __cu_len); \
612 + } \
613 + } \
614 + __cu_len; \
615 +diff --git a/arch/mips/kvm/tlb.c b/arch/mips/kvm/tlb.c
616 +index bbcd82242059..b814f659f43d 100644
617 +--- a/arch/mips/kvm/tlb.c
618 ++++ b/arch/mips/kvm/tlb.c
619 +@@ -152,7 +152,7 @@ static int kvm_mips_map_page(struct kvm *kvm, gfn_t gfn)
620 + srcu_idx = srcu_read_lock(&kvm->srcu);
621 + pfn = kvm_mips_gfn_to_pfn(kvm, gfn);
622 +
623 +- if (kvm_mips_is_error_pfn(pfn)) {
624 ++ if (is_error_noslot_pfn(pfn)) {
625 + kvm_err("Couldn't get pfn for gfn %#" PRIx64 "!\n", gfn);
626 + err = -EFAULT;
627 + goto out;
628 +diff --git a/arch/mn10300/include/asm/uaccess.h b/arch/mn10300/include/asm/uaccess.h
629 +index 537278746a15..4af43d9ba495 100644
630 +--- a/arch/mn10300/include/asm/uaccess.h
631 ++++ b/arch/mn10300/include/asm/uaccess.h
632 +@@ -181,6 +181,7 @@ struct __large_struct { unsigned long buf[100]; };
633 + "2:\n" \
634 + " .section .fixup,\"ax\"\n" \
635 + "3:\n\t" \
636 ++ " mov 0,%1\n" \
637 + " mov %3,%0\n" \
638 + " jmp 2b\n" \
639 + " .previous\n" \
640 +diff --git a/arch/mn10300/lib/usercopy.c b/arch/mn10300/lib/usercopy.c
641 +index 7826e6c364e7..ce8899e5e171 100644
642 +--- a/arch/mn10300/lib/usercopy.c
643 ++++ b/arch/mn10300/lib/usercopy.c
644 +@@ -9,7 +9,7 @@
645 + * as published by the Free Software Foundation; either version
646 + * 2 of the Licence, or (at your option) any later version.
647 + */
648 +-#include <asm/uaccess.h>
649 ++#include <linux/uaccess.h>
650 +
651 + unsigned long
652 + __generic_copy_to_user(void *to, const void *from, unsigned long n)
653 +@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const void *from, unsigned long n)
654 + {
655 + if (access_ok(VERIFY_READ, from, n))
656 + __copy_user_zeroing(to, from, n);
657 ++ else
658 ++ memset(to, 0, n);
659 + return n;
660 + }
661 +
662 +diff --git a/arch/openrisc/include/asm/uaccess.h b/arch/openrisc/include/asm/uaccess.h
663 +index ab2e7a198a4c..d441480a4af4 100644
664 +--- a/arch/openrisc/include/asm/uaccess.h
665 ++++ b/arch/openrisc/include/asm/uaccess.h
666 +@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void *from, unsigned long size);
667 + static inline unsigned long
668 + copy_from_user(void *to, const void *from, unsigned long n)
669 + {
670 +- unsigned long over;
671 +-
672 +- if (access_ok(VERIFY_READ, from, n))
673 +- return __copy_tofrom_user(to, from, n);
674 +- if ((unsigned long)from < TASK_SIZE) {
675 +- over = (unsigned long)from + n - TASK_SIZE;
676 +- return __copy_tofrom_user(to, from, n - over) + over;
677 +- }
678 +- return n;
679 ++ unsigned long res = n;
680 ++
681 ++ if (likely(access_ok(VERIFY_READ, from, n)))
682 ++ res = __copy_tofrom_user(to, from, n);
683 ++ if (unlikely(res))
684 ++ memset(to + (n - res), 0, res);
685 ++ return res;
686 + }
687 +
688 + static inline unsigned long
689 + copy_to_user(void *to, const void *from, unsigned long n)
690 + {
691 +- unsigned long over;
692 +-
693 +- if (access_ok(VERIFY_WRITE, to, n))
694 +- return __copy_tofrom_user(to, from, n);
695 +- if ((unsigned long)to < TASK_SIZE) {
696 +- over = (unsigned long)to + n - TASK_SIZE;
697 +- return __copy_tofrom_user(to, from, n - over) + over;
698 +- }
699 ++ if (likely(access_ok(VERIFY_WRITE, to, n)))
700 ++ n = __copy_tofrom_user(to, from, n);
701 + return n;
702 + }
703 +
704 +@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void *addr, unsigned long size);
705 + static inline __must_check unsigned long
706 + clear_user(void *addr, unsigned long size)
707 + {
708 +-
709 +- if (access_ok(VERIFY_WRITE, addr, size))
710 +- return __clear_user(addr, size);
711 +- if ((unsigned long)addr < TASK_SIZE) {
712 +- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
713 +- return __clear_user(addr, size - over) + over;
714 +- }
715 ++ if (likely(access_ok(VERIFY_WRITE, addr, size)))
716 ++ size = __clear_user(addr, size);
717 + return size;
718 + }
719 +
720 +diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
721 +index df9d8dd72db2..3c38f8535499 100644
722 +--- a/arch/parisc/include/asm/uaccess.h
723 ++++ b/arch/parisc/include/asm/uaccess.h
724 +@@ -10,6 +10,7 @@
725 + #include <asm-generic/uaccess-unaligned.h>
726 +
727 + #include <linux/bug.h>
728 ++#include <linux/string.h>
729 +
730 + #define VERIFY_READ 0
731 + #define VERIFY_WRITE 1
732 +@@ -245,13 +246,14 @@ static inline unsigned long __must_check copy_from_user(void *to,
733 + unsigned long n)
734 + {
735 + int sz = __compiletime_object_size(to);
736 +- int ret = -EFAULT;
737 ++ unsigned long ret = n;
738 +
739 + if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
740 + ret = __copy_from_user(to, from, n);
741 + else
742 + copy_from_user_overflow();
743 +-
744 ++ if (unlikely(ret))
745 ++ memset(to + (n - ret), 0, ret);
746 + return ret;
747 + }
748 +
749 +diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
750 +index 9485b43a7c00..46c486599645 100644
751 +--- a/arch/powerpc/include/asm/uaccess.h
752 ++++ b/arch/powerpc/include/asm/uaccess.h
753 +@@ -323,30 +323,17 @@ extern unsigned long __copy_tofrom_user(void __user *to,
754 + static inline unsigned long copy_from_user(void *to,
755 + const void __user *from, unsigned long n)
756 + {
757 +- unsigned long over;
758 +-
759 +- if (access_ok(VERIFY_READ, from, n))
760 ++ if (likely(access_ok(VERIFY_READ, from, n)))
761 + return __copy_tofrom_user((__force void __user *)to, from, n);
762 +- if ((unsigned long)from < TASK_SIZE) {
763 +- over = (unsigned long)from + n - TASK_SIZE;
764 +- return __copy_tofrom_user((__force void __user *)to, from,
765 +- n - over) + over;
766 +- }
767 ++ memset(to, 0, n);
768 + return n;
769 + }
770 +
771 + static inline unsigned long copy_to_user(void __user *to,
772 + const void *from, unsigned long n)
773 + {
774 +- unsigned long over;
775 +-
776 + if (access_ok(VERIFY_WRITE, to, n))
777 + return __copy_tofrom_user(to, (__force void __user *)from, n);
778 +- if ((unsigned long)to < TASK_SIZE) {
779 +- over = (unsigned long)to + n - TASK_SIZE;
780 +- return __copy_tofrom_user(to, (__force void __user *)from,
781 +- n - over) + over;
782 +- }
783 + return n;
784 + }
785 +
786 +@@ -437,10 +424,6 @@ static inline unsigned long clear_user(void __user *addr, unsigned long size)
787 + might_fault();
788 + if (likely(access_ok(VERIFY_WRITE, addr, size)))
789 + return __clear_user(addr, size);
790 +- if ((unsigned long)addr < TASK_SIZE) {
791 +- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
792 +- return __clear_user(addr, size - over) + over;
793 +- }
794 + return size;
795 + }
796 +
797 +diff --git a/arch/powerpc/mm/slb_low.S b/arch/powerpc/mm/slb_low.S
798 +index 736d18b3cefd..4c48b487698c 100644
799 +--- a/arch/powerpc/mm/slb_low.S
800 ++++ b/arch/powerpc/mm/slb_low.S
801 +@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION
802 + END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
803 + b slb_finish_load_1T
804 +
805 +-0:
806 ++0: /*
807 ++ * For userspace addresses, make sure this is region 0.
808 ++ */
809 ++ cmpdi r9, 0
810 ++ bne 8f
811 ++
812 + /* when using slices, we extract the psize off the slice bitmaps
813 + * and then we need to get the sllp encoding off the mmu_psize_defs
814 + * array.
815 +diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
816 +index cd4c68e0398d..528f08c1d584 100644
817 +--- a/arch/s390/include/asm/uaccess.h
818 ++++ b/arch/s390/include/asm/uaccess.h
819 +@@ -213,28 +213,28 @@ int __put_user_bad(void) __attribute__((noreturn));
820 + __chk_user_ptr(ptr); \
821 + switch (sizeof(*(ptr))) { \
822 + case 1: { \
823 +- unsigned char __x; \
824 ++ unsigned char __x = 0; \
825 + __gu_err = __get_user_fn(&__x, ptr, \
826 + sizeof(*(ptr))); \
827 + (x) = *(__force __typeof__(*(ptr)) *) &__x; \
828 + break; \
829 + }; \
830 + case 2: { \
831 +- unsigned short __x; \
832 ++ unsigned short __x = 0; \
833 + __gu_err = __get_user_fn(&__x, ptr, \
834 + sizeof(*(ptr))); \
835 + (x) = *(__force __typeof__(*(ptr)) *) &__x; \
836 + break; \
837 + }; \
838 + case 4: { \
839 +- unsigned int __x; \
840 ++ unsigned int __x = 0; \
841 + __gu_err = __get_user_fn(&__x, ptr, \
842 + sizeof(*(ptr))); \
843 + (x) = *(__force __typeof__(*(ptr)) *) &__x; \
844 + break; \
845 + }; \
846 + case 8: { \
847 +- unsigned long long __x; \
848 ++ unsigned long long __x = 0; \
849 + __gu_err = __get_user_fn(&__x, ptr, \
850 + sizeof(*(ptr))); \
851 + (x) = *(__force __typeof__(*(ptr)) *) &__x; \
852 +diff --git a/arch/score/include/asm/uaccess.h b/arch/score/include/asm/uaccess.h
853 +index ab66ddde777b..69326dfb894d 100644
854 +--- a/arch/score/include/asm/uaccess.h
855 ++++ b/arch/score/include/asm/uaccess.h
856 +@@ -158,7 +158,7 @@ do { \
857 + __get_user_asm(val, "lw", ptr); \
858 + break; \
859 + case 8: \
860 +- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \
861 ++ if (__copy_from_user((void *)&val, ptr, 8) == 0) \
862 + __gu_err = 0; \
863 + else \
864 + __gu_err = -EFAULT; \
865 +@@ -183,6 +183,8 @@ do { \
866 + \
867 + if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \
868 + __get_user_common((x), size, __gu_ptr); \
869 ++ else \
870 ++ (x) = 0; \
871 + \
872 + __gu_err; \
873 + })
874 +@@ -196,6 +198,7 @@ do { \
875 + "2:\n" \
876 + ".section .fixup,\"ax\"\n" \
877 + "3:li %0, %4\n" \
878 ++ "li %1, 0\n" \
879 + "j 2b\n" \
880 + ".previous\n" \
881 + ".section __ex_table,\"a\"\n" \
882 +@@ -293,35 +296,34 @@ extern int __copy_tofrom_user(void *to, const void *from, unsigned long len);
883 + static inline unsigned long
884 + copy_from_user(void *to, const void *from, unsigned long len)
885 + {
886 +- unsigned long over;
887 ++ unsigned long res = len;
888 +
889 +- if (access_ok(VERIFY_READ, from, len))
890 +- return __copy_tofrom_user(to, from, len);
891 ++ if (likely(access_ok(VERIFY_READ, from, len)))
892 ++ res = __copy_tofrom_user(to, from, len);
893 +
894 +- if ((unsigned long)from < TASK_SIZE) {
895 +- over = (unsigned long)from + len - TASK_SIZE;
896 +- return __copy_tofrom_user(to, from, len - over) + over;
897 +- }
898 +- return len;
899 ++ if (unlikely(res))
900 ++ memset(to + (len - res), 0, res);
901 ++
902 ++ return res;
903 + }
904 +
905 + static inline unsigned long
906 + copy_to_user(void *to, const void *from, unsigned long len)
907 + {
908 +- unsigned long over;
909 +-
910 +- if (access_ok(VERIFY_WRITE, to, len))
911 +- return __copy_tofrom_user(to, from, len);
912 ++ if (likely(access_ok(VERIFY_WRITE, to, len)))
913 ++ len = __copy_tofrom_user(to, from, len);
914 +
915 +- if ((unsigned long)to < TASK_SIZE) {
916 +- over = (unsigned long)to + len - TASK_SIZE;
917 +- return __copy_tofrom_user(to, from, len - over) + over;
918 +- }
919 + return len;
920 + }
921 +
922 +-#define __copy_from_user(to, from, len) \
923 +- __copy_tofrom_user((to), (from), (len))
924 ++static inline unsigned long
925 ++__copy_from_user(void *to, const void *from, unsigned long len)
926 ++{
927 ++ unsigned long left = __copy_tofrom_user(to, from, len);
928 ++ if (unlikely(left))
929 ++ memset(to + (len - left), 0, left);
930 ++ return left;
931 ++}
932 +
933 + #define __copy_to_user(to, from, len) \
934 + __copy_tofrom_user((to), (from), (len))
935 +@@ -335,17 +337,17 @@ __copy_to_user_inatomic(void *to, const void *from, unsigned long len)
936 + static inline unsigned long
937 + __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
938 + {
939 +- return __copy_from_user(to, from, len);
940 ++ return __copy_tofrom_user(to, from, len);
941 + }
942 +
943 +-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len)
944 ++#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len)
945 +
946 + static inline unsigned long
947 + copy_in_user(void *to, const void *from, unsigned long len)
948 + {
949 + if (access_ok(VERIFY_READ, from, len) &&
950 + access_ok(VERFITY_WRITE, to, len))
951 +- return copy_from_user(to, from, len);
952 ++ return __copy_tofrom_user(to, from, len);
953 + }
954 +
955 + /*
956 +diff --git a/arch/sh/include/asm/uaccess.h b/arch/sh/include/asm/uaccess.h
957 +index 9486376605f4..c04cc18ae9cd 100644
958 +--- a/arch/sh/include/asm/uaccess.h
959 ++++ b/arch/sh/include/asm/uaccess.h
960 +@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
961 + __kernel_size_t __copy_size = (__kernel_size_t) n;
962 +
963 + if (__copy_size && __access_ok(__copy_from, __copy_size))
964 +- return __copy_user(to, from, __copy_size);
965 ++ __copy_size = __copy_user(to, from, __copy_size);
966 ++
967 ++ if (unlikely(__copy_size))
968 ++ memset(to + (n - __copy_size), 0, __copy_size);
969 +
970 + return __copy_size;
971 + }
972 +diff --git a/arch/sh/include/asm/uaccess_64.h b/arch/sh/include/asm/uaccess_64.h
973 +index 2e07e0f40c6a..a2f9d0531328 100644
974 +--- a/arch/sh/include/asm/uaccess_64.h
975 ++++ b/arch/sh/include/asm/uaccess_64.h
976 +@@ -24,6 +24,7 @@
977 + #define __get_user_size(x,ptr,size,retval) \
978 + do { \
979 + retval = 0; \
980 ++ x = 0; \
981 + switch (size) { \
982 + case 1: \
983 + retval = __get_user_asm_b((void *)&x, \
984 +diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
985 +index 9634d086fc56..79b03872e165 100644
986 +--- a/arch/sparc/include/asm/uaccess_32.h
987 ++++ b/arch/sparc/include/asm/uaccess_32.h
988 +@@ -265,8 +265,10 @@ static inline unsigned long copy_from_user(void *to, const void __user *from, un
989 + {
990 + if (n && __access_ok((unsigned long) from, n))
991 + return __copy_user((__force void __user *) to, from, n);
992 +- else
993 ++ else {
994 ++ memset(to, 0, n);
995 + return n;
996 ++ }
997 + }
998 +
999 + static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
1000 +diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
1001 +index 0d592e0a5b84..8e046ade1c88 100644
1002 +--- a/arch/x86/include/asm/uaccess.h
1003 ++++ b/arch/x86/include/asm/uaccess.h
1004 +@@ -391,7 +391,11 @@ do { \
1005 + #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
1006 + asm volatile("1: mov"itype" %1,%"rtype"0\n" \
1007 + "2:\n" \
1008 +- _ASM_EXTABLE_EX(1b, 2b) \
1009 ++ ".section .fixup,\"ax\"\n" \
1010 ++ "3:xor"itype" %"rtype"0,%"rtype"0\n" \
1011 ++ " jmp 2b\n" \
1012 ++ ".previous\n" \
1013 ++ _ASM_EXTABLE_EX(1b, 3b) \
1014 + : ltype(x) : "m" (__m(addr)))
1015 +
1016 + #define __put_user_nocheck(x, ptr, size) \
1017 +diff --git a/block/bio.c b/block/bio.c
1018 +index 3e6e1986a5b2..78803e99c154 100644
1019 +--- a/block/bio.c
1020 ++++ b/block/bio.c
1021 +@@ -1824,8 +1824,9 @@ EXPORT_SYMBOL(bio_endio_nodec);
1022 + * Allocates and returns a new bio which represents @sectors from the start of
1023 + * @bio, and updates @bio to represent the remaining sectors.
1024 + *
1025 +- * The newly allocated bio will point to @bio's bi_io_vec; it is the caller's
1026 +- * responsibility to ensure that @bio is not freed before the split.
1027 ++ * Unless this is a discard request the newly allocated bio will point
1028 ++ * to @bio's bi_io_vec; it is the caller's responsibility to ensure that
1029 ++ * @bio is not freed before the split.
1030 + */
1031 + struct bio *bio_split(struct bio *bio, int sectors,
1032 + gfp_t gfp, struct bio_set *bs)
1033 +@@ -1835,7 +1836,15 @@ struct bio *bio_split(struct bio *bio, int sectors,
1034 + BUG_ON(sectors <= 0);
1035 + BUG_ON(sectors >= bio_sectors(bio));
1036 +
1037 +- split = bio_clone_fast(bio, gfp, bs);
1038 ++ /*
1039 ++ * Discards need a mutable bio_vec to accommodate the payload
1040 ++ * required by the DSM TRIM and UNMAP commands.
1041 ++ */
1042 ++ if (bio->bi_rw & REQ_DISCARD)
1043 ++ split = bio_clone_bioset(bio, gfp, bs);
1044 ++ else
1045 ++ split = bio_clone_fast(bio, gfp, bs);
1046 ++
1047 + if (!split)
1048 + return NULL;
1049 +
1050 +diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
1051 +index 0122bec38564..f25799f351f7 100644
1052 +--- a/crypto/blkcipher.c
1053 ++++ b/crypto/blkcipher.c
1054 +@@ -233,6 +233,8 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
1055 + return blkcipher_walk_done(desc, walk, -EINVAL);
1056 + }
1057 +
1058 ++ bsize = min(walk->walk_blocksize, n);
1059 ++
1060 + walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
1061 + BLKCIPHER_WALK_DIFF);
1062 + if (!scatterwalk_aligned(&walk->in, walk->alignmask) ||
1063 +@@ -245,7 +247,6 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
1064 + }
1065 + }
1066 +
1067 +- bsize = min(walk->walk_blocksize, n);
1068 + n = scatterwalk_clamp(&walk->in, n);
1069 + n = scatterwalk_clamp(&walk->out, n);
1070 +
1071 +diff --git a/crypto/cryptd.c b/crypto/cryptd.c
1072 +index 650afac10fd7..be367e43ffe8 100644
1073 +--- a/crypto/cryptd.c
1074 ++++ b/crypto/cryptd.c
1075 +@@ -565,9 +565,14 @@ static int cryptd_hash_export(struct ahash_request *req, void *out)
1076 +
1077 + static int cryptd_hash_import(struct ahash_request *req, const void *in)
1078 + {
1079 +- struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
1080 ++ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
1081 ++ struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
1082 ++ struct shash_desc *desc = cryptd_shash_desc(req);
1083 ++
1084 ++ desc->tfm = ctx->child;
1085 ++ desc->flags = req->base.flags;
1086 +
1087 +- return crypto_shash_import(&rctx->desc, in);
1088 ++ return crypto_shash_import(desc, in);
1089 + }
1090 +
1091 + static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
1092 +diff --git a/drivers/bus/arm-ccn.c b/drivers/bus/arm-ccn.c
1093 +index 60397ec77ff7..27fd0dacad5f 100644
1094 +--- a/drivers/bus/arm-ccn.c
1095 ++++ b/drivers/bus/arm-ccn.c
1096 +@@ -804,6 +804,10 @@ static void arm_ccn_pmu_xp_dt_config(struct perf_event *event, int enable)
1097 + struct arm_ccn_component *xp;
1098 + u32 val, dt_cfg;
1099 +
1100 ++ /* Nothing to do for cycle counter */
1101 ++ if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER)
1102 ++ return;
1103 ++
1104 + if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP)
1105 + xp = &ccn->xp[CCN_CONFIG_XP(event->attr.config)];
1106 + else
1107 +@@ -901,7 +905,7 @@ static void arm_ccn_pmu_xp_watchpoint_config(struct perf_event *event)
1108 +
1109 + /* Comparison values */
1110 + writel(cmp_l & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_L(wp));
1111 +- writel((cmp_l >> 32) & 0xefffffff,
1112 ++ writel((cmp_l >> 32) & 0x7fffffff,
1113 + source->base + CCN_XP_DT_CMP_VAL_L(wp) + 4);
1114 + writel(cmp_h & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_H(wp));
1115 + writel((cmp_h >> 32) & 0x0fffffff,
1116 +@@ -909,7 +913,7 @@ static void arm_ccn_pmu_xp_watchpoint_config(struct perf_event *event)
1117 +
1118 + /* Mask */
1119 + writel(mask_l & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_L(wp));
1120 +- writel((mask_l >> 32) & 0xefffffff,
1121 ++ writel((mask_l >> 32) & 0x7fffffff,
1122 + source->base + CCN_XP_DT_CMP_MASK_L(wp) + 4);
1123 + writel(mask_h & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_H(wp));
1124 + writel((mask_h >> 32) & 0x0fffffff,
1125 +diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c
1126 +index 6dfce7e722cb..2254f8509a69 100644
1127 +--- a/drivers/iio/accel/kxsd9.c
1128 ++++ b/drivers/iio/accel/kxsd9.c
1129 +@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev,
1130 + ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
1131 + if (ret)
1132 + goto error_ret;
1133 ++ *val = 0;
1134 + *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
1135 + ret = IIO_VAL_INT_PLUS_MICRO;
1136 + break;
1137 +diff --git a/drivers/irqchip/irq-atmel-aic.c b/drivers/irqchip/irq-atmel-aic.c
1138 +index 9a2cf3c1a3a5..27fdd8c3e7b4 100644
1139 +--- a/drivers/irqchip/irq-atmel-aic.c
1140 ++++ b/drivers/irqchip/irq-atmel-aic.c
1141 +@@ -65,11 +65,11 @@ aic_handle(struct pt_regs *regs)
1142 + u32 irqnr;
1143 + u32 irqstat;
1144 +
1145 +- irqnr = irq_reg_readl(gc->reg_base + AT91_AIC_IVR);
1146 +- irqstat = irq_reg_readl(gc->reg_base + AT91_AIC_ISR);
1147 ++ irqnr = irq_reg_readl(gc, AT91_AIC_IVR);
1148 ++ irqstat = irq_reg_readl(gc, AT91_AIC_ISR);
1149 +
1150 + if (!irqstat)
1151 +- irq_reg_writel(0, gc->reg_base + AT91_AIC_EOICR);
1152 ++ irq_reg_writel(gc, 0, AT91_AIC_EOICR);
1153 + else
1154 + handle_domain_irq(aic_domain, irqnr, regs);
1155 + }
1156 +@@ -80,7 +80,7 @@ static int aic_retrigger(struct irq_data *d)
1157 +
1158 + /* Enable interrupt on AIC5 */
1159 + irq_gc_lock(gc);
1160 +- irq_reg_writel(d->mask, gc->reg_base + AT91_AIC_ISCR);
1161 ++ irq_reg_writel(gc, d->mask, AT91_AIC_ISCR);
1162 + irq_gc_unlock(gc);
1163 +
1164 + return 0;
1165 +@@ -92,12 +92,12 @@ static int aic_set_type(struct irq_data *d, unsigned type)
1166 + unsigned int smr;
1167 + int ret;
1168 +
1169 +- smr = irq_reg_readl(gc->reg_base + AT91_AIC_SMR(d->hwirq));
1170 ++ smr = irq_reg_readl(gc, AT91_AIC_SMR(d->hwirq));
1171 + ret = aic_common_set_type(d, type, &smr);
1172 + if (ret)
1173 + return ret;
1174 +
1175 +- irq_reg_writel(smr, gc->reg_base + AT91_AIC_SMR(d->hwirq));
1176 ++ irq_reg_writel(gc, smr, AT91_AIC_SMR(d->hwirq));
1177 +
1178 + return 0;
1179 + }
1180 +@@ -108,8 +108,8 @@ static void aic_suspend(struct irq_data *d)
1181 + struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
1182 +
1183 + irq_gc_lock(gc);
1184 +- irq_reg_writel(gc->mask_cache, gc->reg_base + AT91_AIC_IDCR);
1185 +- irq_reg_writel(gc->wake_active, gc->reg_base + AT91_AIC_IECR);
1186 ++ irq_reg_writel(gc, gc->mask_cache, AT91_AIC_IDCR);
1187 ++ irq_reg_writel(gc, gc->wake_active, AT91_AIC_IECR);
1188 + irq_gc_unlock(gc);
1189 + }
1190 +
1191 +@@ -118,8 +118,8 @@ static void aic_resume(struct irq_data *d)
1192 + struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
1193 +
1194 + irq_gc_lock(gc);
1195 +- irq_reg_writel(gc->wake_active, gc->reg_base + AT91_AIC_IDCR);
1196 +- irq_reg_writel(gc->mask_cache, gc->reg_base + AT91_AIC_IECR);
1197 ++ irq_reg_writel(gc, gc->wake_active, AT91_AIC_IDCR);
1198 ++ irq_reg_writel(gc, gc->mask_cache, AT91_AIC_IECR);
1199 + irq_gc_unlock(gc);
1200 + }
1201 +
1202 +@@ -128,8 +128,8 @@ static void aic_pm_shutdown(struct irq_data *d)
1203 + struct irq_chip_generic *gc = irq_data_get_irq_chip_data(d);
1204 +
1205 + irq_gc_lock(gc);
1206 +- irq_reg_writel(0xffffffff, gc->reg_base + AT91_AIC_IDCR);
1207 +- irq_reg_writel(0xffffffff, gc->reg_base + AT91_AIC_ICCR);
1208 ++ irq_reg_writel(gc, 0xffffffff, AT91_AIC_IDCR);
1209 ++ irq_reg_writel(gc, 0xffffffff, AT91_AIC_ICCR);
1210 + irq_gc_unlock(gc);
1211 + }
1212 + #else
1213 +@@ -148,24 +148,24 @@ static void __init aic_hw_init(struct irq_domain *domain)
1214 + * will not Lock out nIRQ
1215 + */
1216 + for (i = 0; i < 8; i++)
1217 +- irq_reg_writel(0, gc->reg_base + AT91_AIC_EOICR);
1218 ++ irq_reg_writel(gc, 0, AT91_AIC_EOICR);
1219 +
1220 + /*
1221 + * Spurious Interrupt ID in Spurious Vector Register.
1222 + * When there is no current interrupt, the IRQ Vector Register
1223 + * reads the value stored in AIC_SPU
1224 + */
1225 +- irq_reg_writel(0xffffffff, gc->reg_base + AT91_AIC_SPU);
1226 ++ irq_reg_writel(gc, 0xffffffff, AT91_AIC_SPU);
1227 +
1228 + /* No debugging in AIC: Debug (Protect) Control Register */
1229 +- irq_reg_writel(0, gc->reg_base + AT91_AIC_DCR);
1230 ++ irq_reg_writel(gc, 0, AT91_AIC_DCR);
1231 +
1232 + /* Disable and clear all interrupts initially */
1233 +- irq_reg_writel(0xffffffff, gc->reg_base + AT91_AIC_IDCR);
1234 +- irq_reg_writel(0xffffffff, gc->reg_base + AT91_AIC_ICCR);
1235 ++ irq_reg_writel(gc, 0xffffffff, AT91_AIC_IDCR);
1236 ++ irq_reg_writel(gc, 0xffffffff, AT91_AIC_ICCR);
1237 +
1238 + for (i = 0; i < 32; i++)
1239 +- irq_reg_writel(i, gc->reg_base + AT91_AIC_SVR(i));
1240 ++ irq_reg_writel(gc, i, AT91_AIC_SVR(i));
1241 + }
1242 +
1243 + static int aic_irq_domain_xlate(struct irq_domain *d,
1244 +@@ -195,10 +195,10 @@ static int aic_irq_domain_xlate(struct irq_domain *d,
1245 + gc = dgc->gc[idx];
1246 +
1247 + irq_gc_lock(gc);
1248 +- smr = irq_reg_readl(gc->reg_base + AT91_AIC_SMR(*out_hwirq));
1249 ++ smr = irq_reg_readl(gc, AT91_AIC_SMR(*out_hwirq));
1250 + ret = aic_common_set_priority(intspec[2], &smr);
1251 + if (!ret)
1252 +- irq_reg_writel(smr, gc->reg_base + AT91_AIC_SMR(*out_hwirq));
1253 ++ irq_reg_writel(gc, smr, AT91_AIC_SMR(*out_hwirq));
1254 + irq_gc_unlock(gc);
1255 +
1256 + return ret;
1257 +diff --git a/drivers/irqchip/irq-atmel-aic5.c b/drivers/irqchip/irq-atmel-aic5.c
1258 +index a11aae8fb006..a2e8c3f876cb 100644
1259 +--- a/drivers/irqchip/irq-atmel-aic5.c
1260 ++++ b/drivers/irqchip/irq-atmel-aic5.c
1261 +@@ -75,11 +75,11 @@ aic5_handle(struct pt_regs *regs)
1262 + u32 irqnr;
1263 + u32 irqstat;
1264 +
1265 +- irqnr = irq_reg_readl(gc->reg_base + AT91_AIC5_IVR);
1266 +- irqstat = irq_reg_readl(gc->reg_base + AT91_AIC5_ISR);
1267 ++ irqnr = irq_reg_readl(gc, AT91_AIC5_IVR);
1268 ++ irqstat = irq_reg_readl(gc, AT91_AIC5_ISR);
1269 +
1270 + if (!irqstat)
1271 +- irq_reg_writel(0, gc->reg_base + AT91_AIC5_EOICR);
1272 ++ irq_reg_writel(gc, 0, AT91_AIC5_EOICR);
1273 + else
1274 + handle_domain_irq(aic5_domain, irqnr, regs);
1275 + }
1276 +@@ -92,8 +92,8 @@ static void aic5_mask(struct irq_data *d)
1277 +
1278 + /* Disable interrupt on AIC5 */
1279 + irq_gc_lock(gc);
1280 +- irq_reg_writel(d->hwirq, gc->reg_base + AT91_AIC5_SSR);
1281 +- irq_reg_writel(1, gc->reg_base + AT91_AIC5_IDCR);
1282 ++ irq_reg_writel(gc, d->hwirq, AT91_AIC5_SSR);
1283 ++ irq_reg_writel(gc, 1, AT91_AIC5_IDCR);
1284 + gc->mask_cache &= ~d->mask;
1285 + irq_gc_unlock(gc);
1286 + }
1287 +@@ -106,8 +106,8 @@ static void aic5_unmask(struct irq_data *d)
1288 +
1289 + /* Enable interrupt on AIC5 */
1290 + irq_gc_lock(gc);
1291 +- irq_reg_writel(d->hwirq, gc->reg_base + AT91_AIC5_SSR);
1292 +- irq_reg_writel(1, gc->reg_base + AT91_AIC5_IECR);
1293 ++ irq_reg_writel(gc, d->hwirq, AT91_AIC5_SSR);
1294 ++ irq_reg_writel(gc, 1, AT91_AIC5_IECR);
1295 + gc->mask_cache |= d->mask;
1296 + irq_gc_unlock(gc);
1297 + }
1298 +@@ -120,8 +120,8 @@ static int aic5_retrigger(struct irq_data *d)
1299 +
1300 + /* Enable interrupt on AIC5 */
1301 + irq_gc_lock(gc);
1302 +- irq_reg_writel(d->hwirq, gc->reg_base + AT91_AIC5_SSR);
1303 +- irq_reg_writel(1, gc->reg_base + AT91_AIC5_ISCR);
1304 ++ irq_reg_writel(gc, d->hwirq, AT91_AIC5_SSR);
1305 ++ irq_reg_writel(gc, 1, AT91_AIC5_ISCR);
1306 + irq_gc_unlock(gc);
1307 +
1308 + return 0;
1309 +@@ -136,11 +136,11 @@ static int aic5_set_type(struct irq_data *d, unsigned type)
1310 + int ret;
1311 +
1312 + irq_gc_lock(gc);
1313 +- irq_reg_writel(d->hwirq, gc->reg_base + AT91_AIC5_SSR);
1314 +- smr = irq_reg_readl(gc->reg_base + AT91_AIC5_SMR);
1315 ++ irq_reg_writel(gc, d->hwirq, AT91_AIC5_SSR);
1316 ++ smr = irq_reg_readl(gc, AT91_AIC5_SMR);
1317 + ret = aic_common_set_type(d, type, &smr);
1318 + if (!ret)
1319 +- irq_reg_writel(smr, gc->reg_base + AT91_AIC5_SMR);
1320 ++ irq_reg_writel(gc, smr, AT91_AIC5_SMR);
1321 + irq_gc_unlock(gc);
1322 +
1323 + return ret;
1324 +@@ -162,12 +162,11 @@ static void aic5_suspend(struct irq_data *d)
1325 + if ((mask & gc->mask_cache) == (mask & gc->wake_active))
1326 + continue;
1327 +
1328 +- irq_reg_writel(i + gc->irq_base,
1329 +- bgc->reg_base + AT91_AIC5_SSR);
1330 ++ irq_reg_writel(bgc, i + gc->irq_base, AT91_AIC5_SSR);
1331 + if (mask & gc->wake_active)
1332 +- irq_reg_writel(1, bgc->reg_base + AT91_AIC5_IECR);
1333 ++ irq_reg_writel(bgc, 1, AT91_AIC5_IECR);
1334 + else
1335 +- irq_reg_writel(1, bgc->reg_base + AT91_AIC5_IDCR);
1336 ++ irq_reg_writel(bgc, 1, AT91_AIC5_IDCR);
1337 + }
1338 + irq_gc_unlock(bgc);
1339 + }
1340 +@@ -187,12 +186,11 @@ static void aic5_resume(struct irq_data *d)
1341 + if ((mask & gc->mask_cache) == (mask & gc->wake_active))
1342 + continue;
1343 +
1344 +- irq_reg_writel(i + gc->irq_base,
1345 +- bgc->reg_base + AT91_AIC5_SSR);
1346 ++ irq_reg_writel(bgc, i + gc->irq_base, AT91_AIC5_SSR);
1347 + if (mask & gc->mask_cache)
1348 +- irq_reg_writel(1, bgc->reg_base + AT91_AIC5_IECR);
1349 ++ irq_reg_writel(bgc, 1, AT91_AIC5_IECR);
1350 + else
1351 +- irq_reg_writel(1, bgc->reg_base + AT91_AIC5_IDCR);
1352 ++ irq_reg_writel(bgc, 1, AT91_AIC5_IDCR);
1353 + }
1354 + irq_gc_unlock(bgc);
1355 + }
1356 +@@ -207,10 +205,9 @@ static void aic5_pm_shutdown(struct irq_data *d)
1357 +
1358 + irq_gc_lock(bgc);
1359 + for (i = 0; i < dgc->irqs_per_chip; i++) {
1360 +- irq_reg_writel(i + gc->irq_base,
1361 +- bgc->reg_base + AT91_AIC5_SSR);
1362 +- irq_reg_writel(1, bgc->reg_base + AT91_AIC5_IDCR);
1363 +- irq_reg_writel(1, bgc->reg_base + AT91_AIC5_ICCR);
1364 ++ irq_reg_writel(bgc, i + gc->irq_base, AT91_AIC5_SSR);
1365 ++ irq_reg_writel(bgc, 1, AT91_AIC5_IDCR);
1366 ++ irq_reg_writel(bgc, 1, AT91_AIC5_ICCR);
1367 + }
1368 + irq_gc_unlock(bgc);
1369 + }
1370 +@@ -230,24 +227,24 @@ static void __init aic5_hw_init(struct irq_domain *domain)
1371 + * will not Lock out nIRQ
1372 + */
1373 + for (i = 0; i < 8; i++)
1374 +- irq_reg_writel(0, gc->reg_base + AT91_AIC5_EOICR);
1375 ++ irq_reg_writel(gc, 0, AT91_AIC5_EOICR);
1376 +
1377 + /*
1378 + * Spurious Interrupt ID in Spurious Vector Register.
1379 + * When there is no current interrupt, the IRQ Vector Register
1380 + * reads the value stored in AIC_SPU
1381 + */
1382 +- irq_reg_writel(0xffffffff, gc->reg_base + AT91_AIC5_SPU);
1383 ++ irq_reg_writel(gc, 0xffffffff, AT91_AIC5_SPU);
1384 +
1385 + /* No debugging in AIC: Debug (Protect) Control Register */
1386 +- irq_reg_writel(0, gc->reg_base + AT91_AIC5_DCR);
1387 ++ irq_reg_writel(gc, 0, AT91_AIC5_DCR);
1388 +
1389 + /* Disable and clear all interrupts initially */
1390 + for (i = 0; i < domain->revmap_size; i++) {
1391 +- irq_reg_writel(i, gc->reg_base + AT91_AIC5_SSR);
1392 +- irq_reg_writel(i, gc->reg_base + AT91_AIC5_SVR);
1393 +- irq_reg_writel(1, gc->reg_base + AT91_AIC5_IDCR);
1394 +- irq_reg_writel(1, gc->reg_base + AT91_AIC5_ICCR);
1395 ++ irq_reg_writel(gc, i, AT91_AIC5_SSR);
1396 ++ irq_reg_writel(gc, i, AT91_AIC5_SVR);
1397 ++ irq_reg_writel(gc, 1, AT91_AIC5_IDCR);
1398 ++ irq_reg_writel(gc, 1, AT91_AIC5_ICCR);
1399 + }
1400 + }
1401 +
1402 +@@ -273,11 +270,11 @@ static int aic5_irq_domain_xlate(struct irq_domain *d,
1403 + gc = dgc->gc[0];
1404 +
1405 + irq_gc_lock(gc);
1406 +- irq_reg_writel(*out_hwirq, gc->reg_base + AT91_AIC5_SSR);
1407 +- smr = irq_reg_readl(gc->reg_base + AT91_AIC5_SMR);
1408 ++ irq_reg_writel(gc, *out_hwirq, AT91_AIC5_SSR);
1409 ++ smr = irq_reg_readl(gc, AT91_AIC5_SMR);
1410 + ret = aic_common_set_priority(intspec[2], &smr);
1411 + if (!ret)
1412 +- irq_reg_writel(intspec[2] | smr, gc->reg_base + AT91_AIC5_SMR);
1413 ++ irq_reg_writel(gc, intspec[2] | smr, AT91_AIC5_SMR);
1414 + irq_gc_unlock(gc);
1415 +
1416 + return ret;
1417 +diff --git a/drivers/irqchip/irq-sunxi-nmi.c b/drivers/irqchip/irq-sunxi-nmi.c
1418 +index eb9b59e8f122..6b2b582433bd 100644
1419 +--- a/drivers/irqchip/irq-sunxi-nmi.c
1420 ++++ b/drivers/irqchip/irq-sunxi-nmi.c
1421 +@@ -50,12 +50,12 @@ static struct sunxi_sc_nmi_reg_offs sun6i_reg_offs = {
1422 + static inline void sunxi_sc_nmi_write(struct irq_chip_generic *gc, u32 off,
1423 + u32 val)
1424 + {
1425 +- irq_reg_writel(val, gc->reg_base + off);
1426 ++ irq_reg_writel(gc, val, off);
1427 + }
1428 +
1429 + static inline u32 sunxi_sc_nmi_read(struct irq_chip_generic *gc, u32 off)
1430 + {
1431 +- return irq_reg_readl(gc->reg_base + off);
1432 ++ return irq_reg_readl(gc, off);
1433 + }
1434 +
1435 + static void sunxi_sc_nmi_handle_irq(unsigned int irq, struct irq_desc *desc)
1436 +diff --git a/drivers/irqchip/irq-tb10x.c b/drivers/irqchip/irq-tb10x.c
1437 +index 7c44c99bf1f2..accc20036a3c 100644
1438 +--- a/drivers/irqchip/irq-tb10x.c
1439 ++++ b/drivers/irqchip/irq-tb10x.c
1440 +@@ -43,12 +43,12 @@
1441 + static inline void ab_irqctl_writereg(struct irq_chip_generic *gc, u32 reg,
1442 + u32 val)
1443 + {
1444 +- irq_reg_writel(val, gc->reg_base + reg);
1445 ++ irq_reg_writel(gc, val, reg);
1446 + }
1447 +
1448 + static inline u32 ab_irqctl_readreg(struct irq_chip_generic *gc, u32 reg)
1449 + {
1450 +- return irq_reg_readl(gc->reg_base + reg);
1451 ++ return irq_reg_readl(gc, reg);
1452 + }
1453 +
1454 + static int tb10x_irq_set_type(struct irq_data *data, unsigned int flow_type)
1455 +diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
1456 +index 9768ba6387ad..0a28c50fcb89 100644
1457 +--- a/drivers/net/can/flexcan.c
1458 ++++ b/drivers/net/can/flexcan.c
1459 +@@ -1341,11 +1341,10 @@ static int __maybe_unused flexcan_suspend(struct device *device)
1460 + struct flexcan_priv *priv = netdev_priv(dev);
1461 + int err;
1462 +
1463 +- err = flexcan_chip_disable(priv);
1464 +- if (err)
1465 +- return err;
1466 +-
1467 + if (netif_running(dev)) {
1468 ++ err = flexcan_chip_disable(priv);
1469 ++ if (err)
1470 ++ return err;
1471 + netif_stop_queue(dev);
1472 + netif_device_detach(dev);
1473 + }
1474 +@@ -1358,13 +1357,17 @@ static int __maybe_unused flexcan_resume(struct device *device)
1475 + {
1476 + struct net_device *dev = dev_get_drvdata(device);
1477 + struct flexcan_priv *priv = netdev_priv(dev);
1478 ++ int err;
1479 +
1480 + priv->can.state = CAN_STATE_ERROR_ACTIVE;
1481 + if (netif_running(dev)) {
1482 + netif_device_attach(dev);
1483 + netif_start_queue(dev);
1484 ++ err = flexcan_chip_enable(priv);
1485 ++ if (err)
1486 ++ return err;
1487 + }
1488 +- return flexcan_chip_enable(priv);
1489 ++ return 0;
1490 + }
1491 +
1492 + static SIMPLE_DEV_PM_OPS(flexcan_pm_ops, flexcan_suspend, flexcan_resume);
1493 +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
1494 +index 894894f2ff93..81336acc7040 100644
1495 +--- a/drivers/usb/core/config.c
1496 ++++ b/drivers/usb/core/config.c
1497 +@@ -184,8 +184,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
1498 + memcpy(&endpoint->desc, d, n);
1499 + INIT_LIST_HEAD(&endpoint->urb_list);
1500 +
1501 +- /* Fix up bInterval values outside the legal range. Use 32 ms if no
1502 +- * proper value can be guessed. */
1503 ++ /*
1504 ++ * Fix up bInterval values outside the legal range.
1505 ++ * Use 10 or 8 ms if no proper value can be guessed.
1506 ++ */
1507 + i = 0; /* i = min, j = max, n = default */
1508 + j = 255;
1509 + if (usb_endpoint_xfer_int(d)) {
1510 +@@ -193,13 +195,15 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
1511 + switch (to_usb_device(ddev)->speed) {
1512 + case USB_SPEED_SUPER:
1513 + case USB_SPEED_HIGH:
1514 +- /* Many device manufacturers are using full-speed
1515 ++ /*
1516 ++ * Many device manufacturers are using full-speed
1517 + * bInterval values in high-speed interrupt endpoint
1518 +- * descriptors. Try to fix those and fall back to a
1519 +- * 32 ms default value otherwise. */
1520 ++ * descriptors. Try to fix those and fall back to an
1521 ++ * 8-ms default value otherwise.
1522 ++ */
1523 + n = fls(d->bInterval*8);
1524 + if (n == 0)
1525 +- n = 9; /* 32 ms = 2^(9-1) uframes */
1526 ++ n = 7; /* 8 ms = 2^(7-1) uframes */
1527 + j = 16;
1528 +
1529 + /*
1530 +@@ -214,10 +218,12 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
1531 + }
1532 + break;
1533 + default: /* USB_SPEED_FULL or _LOW */
1534 +- /* For low-speed, 10 ms is the official minimum.
1535 ++ /*
1536 ++ * For low-speed, 10 ms is the official minimum.
1537 + * But some "overclocked" devices might want faster
1538 +- * polling so we'll allow it. */
1539 +- n = 32;
1540 ++ * polling so we'll allow it.
1541 ++ */
1542 ++ n = 10;
1543 + break;
1544 + }
1545 + } else if (usb_endpoint_xfer_isoc(d)) {
1546 +@@ -225,10 +231,10 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
1547 + j = 16;
1548 + switch (to_usb_device(ddev)->speed) {
1549 + case USB_SPEED_HIGH:
1550 +- n = 9; /* 32 ms = 2^(9-1) uframes */
1551 ++ n = 7; /* 8 ms = 2^(7-1) uframes */
1552 + break;
1553 + default: /* USB_SPEED_FULL */
1554 +- n = 6; /* 32 ms = 2^(6-1) frames */
1555 ++ n = 4; /* 8 ms = 2^(4-1) frames */
1556 + break;
1557 + }
1558 + }
1559 +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
1560 +index 51ff57497b91..c15dbffe660b 100644
1561 +--- a/drivers/usb/host/xhci-ring.c
1562 ++++ b/drivers/usb/host/xhci-ring.c
1563 +@@ -839,6 +839,10 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
1564 + spin_lock_irqsave(&xhci->lock, flags);
1565 +
1566 + ep->stop_cmds_pending--;
1567 ++ if (xhci->xhc_state & XHCI_STATE_REMOVING) {
1568 ++ spin_unlock_irqrestore(&xhci->lock, flags);
1569 ++ return;
1570 ++ }
1571 + if (xhci->xhc_state & XHCI_STATE_DYING) {
1572 + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
1573 + "Stop EP timer ran, but another timer marked "
1574 +@@ -892,7 +896,7 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
1575 + spin_unlock_irqrestore(&xhci->lock, flags);
1576 + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
1577 + "Calling usb_hc_died()");
1578 +- usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
1579 ++ usb_hc_died(xhci_to_hcd(xhci));
1580 + xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
1581 + "xHCI host controller is dead.");
1582 + }
1583 +diff --git a/drivers/usb/renesas_usbhs/mod.c b/drivers/usb/renesas_usbhs/mod.c
1584 +index 9a705b15b3a1..cf274b8c63fe 100644
1585 +--- a/drivers/usb/renesas_usbhs/mod.c
1586 ++++ b/drivers/usb/renesas_usbhs/mod.c
1587 +@@ -277,9 +277,16 @@ static irqreturn_t usbhs_interrupt(int irq, void *data)
1588 + usbhs_write(priv, INTSTS0, ~irq_state.intsts0 & INTSTS0_MAGIC);
1589 + usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
1590 +
1591 +- usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
1592 ++ /*
1593 ++ * The driver should not clear the xxxSTS after the line of
1594 ++ * "call irq callback functions" because each "if" statement is
1595 ++ * possible to call the callback function for avoiding any side effects.
1596 ++ */
1597 ++ if (irq_state.intsts0 & BRDY)
1598 ++ usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
1599 + usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
1600 +- usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
1601 ++ if (irq_state.intsts0 & BEMP)
1602 ++ usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
1603 +
1604 + /*
1605 + * call irq callback functions
1606 +diff --git a/drivers/usb/serial/usb-serial-simple.c b/drivers/usb/serial/usb-serial-simple.c
1607 +index a1f2e2a05bc5..40de275cddf4 100644
1608 +--- a/drivers/usb/serial/usb-serial-simple.c
1609 ++++ b/drivers/usb/serial/usb-serial-simple.c
1610 +@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
1611 + /* Infineon Flashloader driver */
1612 + #define FLASHLOADER_IDS() \
1613 + { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
1614 +- { USB_DEVICE(0x8087, 0x0716) }
1615 ++ { USB_DEVICE(0x8087, 0x0716) }, \
1616 ++ { USB_DEVICE(0x8087, 0x0801) }
1617 + DEVICE(flashloader, FLASHLOADER_IDS);
1618 +
1619 + /* ViVOpay USB Serial Driver */
1620 +diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h
1621 +index 8e98cf954bab..cecd252a3e01 100644
1622 +--- a/fs/autofs4/autofs_i.h
1623 ++++ b/fs/autofs4/autofs_i.h
1624 +@@ -79,9 +79,13 @@ struct autofs_info {
1625 + };
1626 +
1627 + #define AUTOFS_INF_EXPIRING (1<<0) /* dentry is in the process of expiring */
1628 +-#define AUTOFS_INF_NO_RCU (1<<1) /* the dentry is being considered
1629 ++#define AUTOFS_INF_WANT_EXPIRE (1<<1) /* the dentry is being considered
1630 + * for expiry, so RCU_walk is
1631 +- * not permitted
1632 ++ * not permitted. If it progresses to
1633 ++ * actual expiry attempt, the flag is
1634 ++ * not cleared when EXPIRING is set -
1635 ++ * in that case it gets cleared only
1636 ++ * when it comes to clearing EXPIRING.
1637 + */
1638 + #define AUTOFS_INF_PENDING (1<<2) /* dentry pending mount */
1639 +
1640 +diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
1641 +index dcdec6fd33c6..513b8e5d151c 100644
1642 +--- a/fs/autofs4/expire.c
1643 ++++ b/fs/autofs4/expire.c
1644 +@@ -321,19 +321,17 @@ struct dentry *autofs4_expire_direct(struct super_block *sb,
1645 + if (ino->flags & AUTOFS_INF_PENDING)
1646 + goto out;
1647 + if (!autofs4_direct_busy(mnt, root, timeout, do_now)) {
1648 +- ino->flags |= AUTOFS_INF_NO_RCU;
1649 ++ ino->flags |= AUTOFS_INF_WANT_EXPIRE;
1650 + spin_unlock(&sbi->fs_lock);
1651 + synchronize_rcu();
1652 + spin_lock(&sbi->fs_lock);
1653 + if (!autofs4_direct_busy(mnt, root, timeout, do_now)) {
1654 + ino->flags |= AUTOFS_INF_EXPIRING;
1655 +- smp_mb();
1656 +- ino->flags &= ~AUTOFS_INF_NO_RCU;
1657 + init_completion(&ino->expire_complete);
1658 + spin_unlock(&sbi->fs_lock);
1659 + return root;
1660 + }
1661 +- ino->flags &= ~AUTOFS_INF_NO_RCU;
1662 ++ ino->flags &= ~AUTOFS_INF_WANT_EXPIRE;
1663 + }
1664 + out:
1665 + spin_unlock(&sbi->fs_lock);
1666 +@@ -425,6 +423,7 @@ static struct dentry *should_expire(struct dentry *dentry,
1667 + }
1668 + return NULL;
1669 + }
1670 ++
1671 + /*
1672 + * Find an eligible tree to time-out
1673 + * A tree is eligible if :-
1674 +@@ -440,6 +439,7 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb,
1675 + struct dentry *root = sb->s_root;
1676 + struct dentry *dentry;
1677 + struct dentry *expired;
1678 ++ struct dentry *found;
1679 + struct autofs_info *ino;
1680 +
1681 + if (!root)
1682 +@@ -450,31 +450,46 @@ struct dentry *autofs4_expire_indirect(struct super_block *sb,
1683 +
1684 + dentry = NULL;
1685 + while ((dentry = get_next_positive_subdir(dentry, root))) {
1686 ++ int flags = how;
1687 ++
1688 + spin_lock(&sbi->fs_lock);
1689 + ino = autofs4_dentry_ino(dentry);
1690 +- if (ino->flags & AUTOFS_INF_NO_RCU)
1691 +- expired = NULL;
1692 +- else
1693 +- expired = should_expire(dentry, mnt, timeout, how);
1694 +- if (!expired) {
1695 ++ if (ino->flags & AUTOFS_INF_WANT_EXPIRE) {
1696 + spin_unlock(&sbi->fs_lock);
1697 + continue;
1698 + }
1699 ++ spin_unlock(&sbi->fs_lock);
1700 ++
1701 ++ expired = should_expire(dentry, mnt, timeout, flags);
1702 ++ if (!expired)
1703 ++ continue;
1704 ++
1705 ++ spin_lock(&sbi->fs_lock);
1706 + ino = autofs4_dentry_ino(expired);
1707 +- ino->flags |= AUTOFS_INF_NO_RCU;
1708 ++ ino->flags |= AUTOFS_INF_WANT_EXPIRE;
1709 + spin_unlock(&sbi->fs_lock);
1710 + synchronize_rcu();
1711 +- spin_lock(&sbi->fs_lock);
1712 +- if (should_expire(expired, mnt, timeout, how)) {
1713 +- if (expired != dentry)
1714 +- dput(dentry);
1715 +- goto found;
1716 +- }
1717 +
1718 +- ino->flags &= ~AUTOFS_INF_NO_RCU;
1719 ++ /* Make sure a reference is not taken on found if
1720 ++ * things have changed.
1721 ++ */
1722 ++ flags &= ~AUTOFS_EXP_LEAVES;
1723 ++ found = should_expire(expired, mnt, timeout, how);
1724 ++ if (!found || found != expired)
1725 ++ /* Something has changed, continue */
1726 ++ goto next;
1727 ++
1728 + if (expired != dentry)
1729 +- dput(expired);
1730 ++ dput(dentry);
1731 ++
1732 ++ spin_lock(&sbi->fs_lock);
1733 ++ goto found;
1734 ++next:
1735 ++ spin_lock(&sbi->fs_lock);
1736 ++ ino->flags &= ~AUTOFS_INF_WANT_EXPIRE;
1737 + spin_unlock(&sbi->fs_lock);
1738 ++ if (expired != dentry)
1739 ++ dput(expired);
1740 + }
1741 + return NULL;
1742 +
1743 +@@ -482,17 +497,8 @@ found:
1744 + DPRINTK("returning %p %.*s",
1745 + expired, (int)expired->d_name.len, expired->d_name.name);
1746 + ino->flags |= AUTOFS_INF_EXPIRING;
1747 +- smp_mb();
1748 +- ino->flags &= ~AUTOFS_INF_NO_RCU;
1749 + init_completion(&ino->expire_complete);
1750 + spin_unlock(&sbi->fs_lock);
1751 +- spin_lock(&sbi->lookup_lock);
1752 +- spin_lock(&expired->d_parent->d_lock);
1753 +- spin_lock_nested(&expired->d_lock, DENTRY_D_LOCK_NESTED);
1754 +- list_move(&expired->d_parent->d_subdirs, &expired->d_child);
1755 +- spin_unlock(&expired->d_lock);
1756 +- spin_unlock(&expired->d_parent->d_lock);
1757 +- spin_unlock(&sbi->lookup_lock);
1758 + return expired;
1759 + }
1760 +
1761 +@@ -501,15 +507,27 @@ int autofs4_expire_wait(struct dentry *dentry, int rcu_walk)
1762 + struct autofs_sb_info *sbi = autofs4_sbi(dentry->d_sb);
1763 + struct autofs_info *ino = autofs4_dentry_ino(dentry);
1764 + int status;
1765 ++ int state;
1766 +
1767 + /* Block on any pending expire */
1768 +- if (!(ino->flags & (AUTOFS_INF_EXPIRING | AUTOFS_INF_NO_RCU)))
1769 ++ if (!(ino->flags & AUTOFS_INF_WANT_EXPIRE))
1770 + return 0;
1771 + if (rcu_walk)
1772 + return -ECHILD;
1773 +
1774 ++retry:
1775 + spin_lock(&sbi->fs_lock);
1776 +- if (ino->flags & AUTOFS_INF_EXPIRING) {
1777 ++ state = ino->flags & (AUTOFS_INF_WANT_EXPIRE | AUTOFS_INF_EXPIRING);
1778 ++ if (state == AUTOFS_INF_WANT_EXPIRE) {
1779 ++ spin_unlock(&sbi->fs_lock);
1780 ++ /*
1781 ++ * Possibly being selected for expire, wait until
1782 ++ * it's selected or not.
1783 ++ */
1784 ++ schedule_timeout_uninterruptible(HZ/10);
1785 ++ goto retry;
1786 ++ }
1787 ++ if (state & AUTOFS_INF_EXPIRING) {
1788 + spin_unlock(&sbi->fs_lock);
1789 +
1790 + DPRINTK("waiting for expire %p name=%.*s",
1791 +@@ -561,7 +579,7 @@ int autofs4_expire_run(struct super_block *sb,
1792 + ino = autofs4_dentry_ino(dentry);
1793 + /* avoid rapid-fire expire attempts if expiry fails */
1794 + ino->last_used = now;
1795 +- ino->flags &= ~AUTOFS_INF_EXPIRING;
1796 ++ ino->flags &= ~(AUTOFS_INF_EXPIRING|AUTOFS_INF_WANT_EXPIRE);
1797 + complete_all(&ino->expire_complete);
1798 + spin_unlock(&sbi->fs_lock);
1799 +
1800 +@@ -589,7 +607,7 @@ int autofs4_do_expire_multi(struct super_block *sb, struct vfsmount *mnt,
1801 + spin_lock(&sbi->fs_lock);
1802 + /* avoid rapid-fire expire attempts if expiry fails */
1803 + ino->last_used = now;
1804 +- ino->flags &= ~AUTOFS_INF_EXPIRING;
1805 ++ ino->flags &= ~(AUTOFS_INF_EXPIRING|AUTOFS_INF_WANT_EXPIRE);
1806 + complete_all(&ino->expire_complete);
1807 + spin_unlock(&sbi->fs_lock);
1808 + dput(dentry);
1809 +diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
1810 +index 0822c9eacc56..21b5bb13af65 100644
1811 +--- a/fs/autofs4/root.c
1812 ++++ b/fs/autofs4/root.c
1813 +@@ -459,7 +459,7 @@ static int autofs4_d_manage(struct dentry *dentry, bool rcu_walk)
1814 + * a mount-trap.
1815 + */
1816 + struct inode *inode;
1817 +- if (ino->flags & (AUTOFS_INF_EXPIRING | AUTOFS_INF_NO_RCU))
1818 ++ if (ino->flags & AUTOFS_INF_WANT_EXPIRE)
1819 + return 0;
1820 + if (d_mountpoint(dentry))
1821 + return 0;
1822 +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
1823 +index d96b2bc444c8..dd8526a659f8 100644
1824 +--- a/fs/btrfs/ioctl.c
1825 ++++ b/fs/btrfs/ioctl.c
1826 +@@ -1627,6 +1627,9 @@ static noinline int btrfs_ioctl_snap_create_transid(struct file *file,
1827 + int namelen;
1828 + int ret = 0;
1829 +
1830 ++ if (!S_ISDIR(file_inode(file)->i_mode))
1831 ++ return -ENOTDIR;
1832 ++
1833 + ret = mnt_want_write_file(file);
1834 + if (ret)
1835 + goto out;
1836 +@@ -1684,6 +1687,9 @@ static noinline int btrfs_ioctl_snap_create(struct file *file,
1837 + struct btrfs_ioctl_vol_args *vol_args;
1838 + int ret;
1839 +
1840 ++ if (!S_ISDIR(file_inode(file)->i_mode))
1841 ++ return -ENOTDIR;
1842 ++
1843 + vol_args = memdup_user(arg, sizeof(*vol_args));
1844 + if (IS_ERR(vol_args))
1845 + return PTR_ERR(vol_args);
1846 +@@ -1707,6 +1713,9 @@ static noinline int btrfs_ioctl_snap_create_v2(struct file *file,
1847 + bool readonly = false;
1848 + struct btrfs_qgroup_inherit *inherit = NULL;
1849 +
1850 ++ if (!S_ISDIR(file_inode(file)->i_mode))
1851 ++ return -ENOTDIR;
1852 ++
1853 + vol_args = memdup_user(arg, sizeof(*vol_args));
1854 + if (IS_ERR(vol_args))
1855 + return PTR_ERR(vol_args);
1856 +@@ -2335,6 +2344,9 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file,
1857 + int ret;
1858 + int err = 0;
1859 +
1860 ++ if (!S_ISDIR(dir->i_mode))
1861 ++ return -ENOTDIR;
1862 ++
1863 + vol_args = memdup_user(arg, sizeof(*vol_args));
1864 + if (IS_ERR(vol_args))
1865 + return PTR_ERR(vol_args);
1866 +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
1867 +index f6c20cf6090e..ccad76a482ca 100644
1868 +--- a/fs/btrfs/tree-log.c
1869 ++++ b/fs/btrfs/tree-log.c
1870 +@@ -2604,6 +2604,8 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans,
1871 + }
1872 +
1873 + if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
1874 ++ blk_finish_plug(&plug);
1875 ++ list_del_init(&root_log_ctx.list);
1876 + mutex_unlock(&log_root_tree->log_mutex);
1877 + ret = root_log_ctx.log_ret;
1878 + goto out;
1879 +diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
1880 +index 30d3addfad75..f6298b974316 100644
1881 +--- a/fs/notify/fanotify/fanotify.c
1882 ++++ b/fs/notify/fanotify/fanotify.c
1883 +@@ -67,18 +67,7 @@ static int fanotify_get_response(struct fsnotify_group *group,
1884 +
1885 + pr_debug("%s: group=%p event=%p\n", __func__, group, event);
1886 +
1887 +- wait_event(group->fanotify_data.access_waitq, event->response ||
1888 +- atomic_read(&group->fanotify_data.bypass_perm));
1889 +-
1890 +- if (!event->response) { /* bypass_perm set */
1891 +- /*
1892 +- * Event was canceled because group is being destroyed. Remove
1893 +- * it from group's event list because we are responsible for
1894 +- * freeing the permission event.
1895 +- */
1896 +- fsnotify_remove_event(group, &event->fae.fse);
1897 +- return 0;
1898 +- }
1899 ++ wait_event(group->fanotify_data.access_waitq, event->response);
1900 +
1901 + /* userspace responded, convert to something usable */
1902 + switch (event->response) {
1903 +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
1904 +index c991616acca9..f2639f5724e8 100644
1905 +--- a/fs/notify/fanotify/fanotify_user.c
1906 ++++ b/fs/notify/fanotify/fanotify_user.c
1907 +@@ -358,16 +358,20 @@ static int fanotify_release(struct inode *ignored, struct file *file)
1908 +
1909 + #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
1910 + struct fanotify_perm_event_info *event, *next;
1911 ++ struct fsnotify_event *fsn_event;
1912 +
1913 + /*
1914 +- * There may be still new events arriving in the notification queue
1915 +- * but since userspace cannot use fanotify fd anymore, no event can
1916 +- * enter or leave access_list by now.
1917 ++ * Stop new events from arriving in the notification queue. since
1918 ++ * userspace cannot use fanotify fd anymore, no event can enter or
1919 ++ * leave access_list by now either.
1920 + */
1921 +- spin_lock(&group->fanotify_data.access_lock);
1922 +-
1923 +- atomic_inc(&group->fanotify_data.bypass_perm);
1924 ++ fsnotify_group_stop_queueing(group);
1925 +
1926 ++ /*
1927 ++ * Process all permission events on access_list and notification queue
1928 ++ * and simulate reply from userspace.
1929 ++ */
1930 ++ spin_lock(&group->fanotify_data.access_lock);
1931 + list_for_each_entry_safe(event, next, &group->fanotify_data.access_list,
1932 + fae.fse.list) {
1933 + pr_debug("%s: found group=%p event=%p\n", __func__, group,
1934 +@@ -379,12 +383,21 @@ static int fanotify_release(struct inode *ignored, struct file *file)
1935 + spin_unlock(&group->fanotify_data.access_lock);
1936 +
1937 + /*
1938 +- * Since bypass_perm is set, newly queued events will not wait for
1939 +- * access response. Wake up the already sleeping ones now.
1940 +- * synchronize_srcu() in fsnotify_destroy_group() will wait for all
1941 +- * processes sleeping in fanotify_handle_event() waiting for access
1942 +- * response and thus also for all permission events to be freed.
1943 ++ * Destroy all non-permission events. For permission events just
1944 ++ * dequeue them and set the response. They will be freed once the
1945 ++ * response is consumed and fanotify_get_response() returns.
1946 + */
1947 ++ mutex_lock(&group->notification_mutex);
1948 ++ while (!fsnotify_notify_queue_is_empty(group)) {
1949 ++ fsn_event = fsnotify_remove_first_event(group);
1950 ++ if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS))
1951 ++ fsnotify_destroy_event(group, fsn_event);
1952 ++ else
1953 ++ FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
1954 ++ }
1955 ++ mutex_unlock(&group->notification_mutex);
1956 ++
1957 ++ /* Response for all permission events it set, wakeup waiters */
1958 + wake_up(&group->fanotify_data.access_waitq);
1959 + #endif
1960 +
1961 +@@ -742,7 +755,6 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags)
1962 + spin_lock_init(&group->fanotify_data.access_lock);
1963 + init_waitqueue_head(&group->fanotify_data.access_waitq);
1964 + INIT_LIST_HEAD(&group->fanotify_data.access_list);
1965 +- atomic_set(&group->fanotify_data.bypass_perm, 0);
1966 + #endif
1967 + switch (flags & FAN_ALL_CLASS_BITS) {
1968 + case FAN_CLASS_NOTIF:
1969 +diff --git a/fs/notify/group.c b/fs/notify/group.c
1970 +index d16b62cb2854..18eb30c6bd8f 100644
1971 +--- a/fs/notify/group.c
1972 ++++ b/fs/notify/group.c
1973 +@@ -40,6 +40,17 @@ static void fsnotify_final_destroy_group(struct fsnotify_group *group)
1974 + }
1975 +
1976 + /*
1977 ++ * Stop queueing new events for this group. Once this function returns
1978 ++ * fsnotify_add_event() will not add any new events to the group's queue.
1979 ++ */
1980 ++void fsnotify_group_stop_queueing(struct fsnotify_group *group)
1981 ++{
1982 ++ mutex_lock(&group->notification_mutex);
1983 ++ group->shutdown = true;
1984 ++ mutex_unlock(&group->notification_mutex);
1985 ++}
1986 ++
1987 ++/*
1988 + * Trying to get rid of a group. Remove all marks, flush all events and release
1989 + * the group reference.
1990 + * Note that another thread calling fsnotify_clear_marks_by_group() may still
1991 +@@ -47,6 +58,14 @@ static void fsnotify_final_destroy_group(struct fsnotify_group *group)
1992 + */
1993 + void fsnotify_destroy_group(struct fsnotify_group *group)
1994 + {
1995 ++ /*
1996 ++ * Stop queueing new events. The code below is careful enough to not
1997 ++ * require this but fanotify needs to stop queuing events even before
1998 ++ * fsnotify_destroy_group() is called and this makes the other callers
1999 ++ * of fsnotify_destroy_group() to see the same behavior.
2000 ++ */
2001 ++ fsnotify_group_stop_queueing(group);
2002 ++
2003 + /* clear all inode marks for this group */
2004 + fsnotify_clear_marks_by_group(group);
2005 +
2006 +diff --git a/fs/notify/notification.c b/fs/notify/notification.c
2007 +index a95d8e037aeb..e455e83ceeeb 100644
2008 +--- a/fs/notify/notification.c
2009 ++++ b/fs/notify/notification.c
2010 +@@ -82,7 +82,8 @@ void fsnotify_destroy_event(struct fsnotify_group *group,
2011 + * Add an event to the group notification queue. The group can later pull this
2012 + * event off the queue to deal with. The function returns 0 if the event was
2013 + * added to the queue, 1 if the event was merged with some other queued event,
2014 +- * 2 if the queue of events has overflown.
2015 ++ * 2 if the event was not queued - either the queue of events has overflown
2016 ++ * or the group is shutting down.
2017 + */
2018 + int fsnotify_add_event(struct fsnotify_group *group,
2019 + struct fsnotify_event *event,
2020 +@@ -96,6 +97,11 @@ int fsnotify_add_event(struct fsnotify_group *group,
2021 +
2022 + mutex_lock(&group->notification_mutex);
2023 +
2024 ++ if (group->shutdown) {
2025 ++ mutex_unlock(&group->notification_mutex);
2026 ++ return 2;
2027 ++ }
2028 ++
2029 + if (group->q_len >= group->max_events) {
2030 + ret = 2;
2031 + /* Queue overflow event only if it isn't already queued */
2032 +@@ -126,21 +132,6 @@ queue:
2033 + }
2034 +
2035 + /*
2036 +- * Remove @event from group's notification queue. It is the responsibility of
2037 +- * the caller to destroy the event.
2038 +- */
2039 +-void fsnotify_remove_event(struct fsnotify_group *group,
2040 +- struct fsnotify_event *event)
2041 +-{
2042 +- mutex_lock(&group->notification_mutex);
2043 +- if (!list_empty(&event->list)) {
2044 +- list_del_init(&event->list);
2045 +- group->q_len--;
2046 +- }
2047 +- mutex_unlock(&group->notification_mutex);
2048 +-}
2049 +-
2050 +-/*
2051 + * Remove and return the first event from the notification list. It is the
2052 + * responsibility of the caller to destroy the obtained event
2053 + */
2054 +diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c
2055 +index f90931335c6b..2e11658676eb 100644
2056 +--- a/fs/ocfs2/dlm/dlmconvert.c
2057 ++++ b/fs/ocfs2/dlm/dlmconvert.c
2058 +@@ -262,7 +262,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
2059 + struct dlm_lock *lock, int flags, int type)
2060 + {
2061 + enum dlm_status status;
2062 +- u8 old_owner = res->owner;
2063 +
2064 + mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
2065 + lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
2066 +@@ -329,7 +328,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
2067 +
2068 + spin_lock(&res->spinlock);
2069 + res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
2070 +- lock->convert_pending = 0;
2071 + /* if it failed, move it back to granted queue.
2072 + * if master returns DLM_NORMAL and then down before sending ast,
2073 + * it may have already been moved to granted queue, reset to
2074 +@@ -338,12 +336,14 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
2075 + if (status != DLM_NOTQUEUED)
2076 + dlm_error(status);
2077 + dlm_revert_pending_convert(res, lock);
2078 +- } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
2079 +- (old_owner != res->owner)) {
2080 +- mlog(0, "res %.*s is in recovering or has been recovered.\n",
2081 +- res->lockname.len, res->lockname.name);
2082 ++ } else if (!lock->convert_pending) {
2083 ++ mlog(0, "%s: res %.*s, owner died and lock has been moved back "
2084 ++ "to granted list, retry convert.\n",
2085 ++ dlm->name, res->lockname.len, res->lockname.name);
2086 + status = DLM_RECOVERING;
2087 + }
2088 ++
2089 ++ lock->convert_pending = 0;
2090 + bail:
2091 + spin_unlock(&res->spinlock);
2092 +
2093 +diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
2094 +index 9d5adfd6b326..2adcb9876e91 100644
2095 +--- a/fs/ocfs2/file.c
2096 ++++ b/fs/ocfs2/file.c
2097 +@@ -1515,7 +1515,8 @@ static int ocfs2_zero_partial_clusters(struct inode *inode,
2098 + u64 start, u64 len)
2099 + {
2100 + int ret = 0;
2101 +- u64 tmpend, end = start + len;
2102 ++ u64 tmpend = 0;
2103 ++ u64 end = start + len;
2104 + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
2105 + unsigned int csize = osb->s_clustersize;
2106 + handle_t *handle;
2107 +@@ -1547,18 +1548,31 @@ static int ocfs2_zero_partial_clusters(struct inode *inode,
2108 + }
2109 +
2110 + /*
2111 +- * We want to get the byte offset of the end of the 1st cluster.
2112 ++ * If start is on a cluster boundary and end is somewhere in another
2113 ++ * cluster, we have not COWed the cluster starting at start, unless
2114 ++ * end is also within the same cluster. So, in this case, we skip this
2115 ++ * first call to ocfs2_zero_range_for_truncate() truncate and move on
2116 ++ * to the next one.
2117 + */
2118 +- tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1));
2119 +- if (tmpend > end)
2120 +- tmpend = end;
2121 ++ if ((start & (csize - 1)) != 0) {
2122 ++ /*
2123 ++ * We want to get the byte offset of the end of the 1st
2124 ++ * cluster.
2125 ++ */
2126 ++ tmpend = (u64)osb->s_clustersize +
2127 ++ (start & ~(osb->s_clustersize - 1));
2128 ++ if (tmpend > end)
2129 ++ tmpend = end;
2130 +
2131 +- trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start,
2132 +- (unsigned long long)tmpend);
2133 ++ trace_ocfs2_zero_partial_clusters_range1(
2134 ++ (unsigned long long)start,
2135 ++ (unsigned long long)tmpend);
2136 +
2137 +- ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend);
2138 +- if (ret)
2139 +- mlog_errno(ret);
2140 ++ ret = ocfs2_zero_range_for_truncate(inode, handle, start,
2141 ++ tmpend);
2142 ++ if (ret)
2143 ++ mlog_errno(ret);
2144 ++ }
2145 +
2146 + if (tmpend < end) {
2147 + /*
2148 +diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
2149 +index 963dba388243..b5bddae27be2 100644
2150 +--- a/fs/overlayfs/super.c
2151 ++++ b/fs/overlayfs/super.c
2152 +@@ -566,11 +566,11 @@ retry:
2153 + goto out_dput;
2154 +
2155 + err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_DEFAULT);
2156 +- if (err && err != -ENODATA)
2157 ++ if (err && err != -ENODATA && err != -EOPNOTSUPP)
2158 + goto out_dput;
2159 +
2160 + err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_ACCESS);
2161 +- if (err && err != -ENODATA)
2162 ++ if (err && err != -ENODATA && err != -EOPNOTSUPP)
2163 + goto out_dput;
2164 +
2165 + /* Clear any inherited mode bits */
2166 +diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
2167 +index 72d8803832ff..32901d11f8c4 100644
2168 +--- a/include/asm-generic/uaccess.h
2169 ++++ b/include/asm-generic/uaccess.h
2170 +@@ -163,9 +163,10 @@ static inline __must_check long __copy_to_user(void __user *to,
2171 +
2172 + #define put_user(x, ptr) \
2173 + ({ \
2174 ++ void *__p = (ptr); \
2175 + might_fault(); \
2176 +- access_ok(VERIFY_WRITE, ptr, sizeof(*ptr)) ? \
2177 +- __put_user(x, ptr) : \
2178 ++ access_ok(VERIFY_WRITE, __p, sizeof(*ptr)) ? \
2179 ++ __put_user((x), ((__typeof__(*(ptr)) *)__p)) : \
2180 + -EFAULT; \
2181 + })
2182 +
2183 +@@ -225,17 +226,22 @@ extern int __put_user_bad(void) __attribute__((noreturn));
2184 +
2185 + #define get_user(x, ptr) \
2186 + ({ \
2187 ++ const void *__p = (ptr); \
2188 + might_fault(); \
2189 +- access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \
2190 +- __get_user(x, ptr) : \
2191 +- -EFAULT; \
2192 ++ access_ok(VERIFY_READ, __p, sizeof(*ptr)) ? \
2193 ++ __get_user((x), (__typeof__(*(ptr)) *)__p) : \
2194 ++ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \
2195 + })
2196 +
2197 + #ifndef __get_user_fn
2198 + static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
2199 + {
2200 +- size = __copy_from_user(x, ptr, size);
2201 +- return size ? -EFAULT : size;
2202 ++ size_t n = __copy_from_user(x, ptr, size);
2203 ++ if (unlikely(n)) {
2204 ++ memset(x + (size - n), 0, n);
2205 ++ return -EFAULT;
2206 ++ }
2207 ++ return 0;
2208 + }
2209 +
2210 + #define __get_user_fn(sz, u, k) __get_user_fn(sz, u, k)
2211 +@@ -255,11 +261,13 @@ extern int __get_user_bad(void) __attribute__((noreturn));
2212 + static inline long copy_from_user(void *to,
2213 + const void __user * from, unsigned long n)
2214 + {
2215 ++ unsigned long res = n;
2216 + might_fault();
2217 +- if (access_ok(VERIFY_READ, from, n))
2218 +- return __copy_from_user(to, from, n);
2219 +- else
2220 +- return n;
2221 ++ if (likely(access_ok(VERIFY_READ, from, n)))
2222 ++ res = __copy_from_user(to, from, n);
2223 ++ if (unlikely(res))
2224 ++ memset(to + (n - res), 0, res);
2225 ++ return res;
2226 + }
2227 +
2228 + static inline long copy_to_user(void __user *to,
2229 +diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
2230 +index ca060d7c4fa6..b36d7a908051 100644
2231 +--- a/include/linux/fsnotify_backend.h
2232 ++++ b/include/linux/fsnotify_backend.h
2233 +@@ -150,6 +150,7 @@ struct fsnotify_group {
2234 + #define FS_PRIO_1 1 /* fanotify content based access control */
2235 + #define FS_PRIO_2 2 /* fanotify pre-content access */
2236 + unsigned int priority;
2237 ++ bool shutdown; /* group is being shut down, don't queue more events */
2238 +
2239 + /* stores all fastpath marks assoc with this group so they can be cleaned on unregister */
2240 + struct mutex mark_mutex; /* protect marks_list */
2241 +@@ -181,7 +182,6 @@ struct fsnotify_group {
2242 + spinlock_t access_lock;
2243 + struct list_head access_list;
2244 + wait_queue_head_t access_waitq;
2245 +- atomic_t bypass_perm;
2246 + #endif /* CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
2247 + int f_flags;
2248 + unsigned int max_marks;
2249 +@@ -314,6 +314,8 @@ extern struct fsnotify_group *fsnotify_alloc_group(const struct fsnotify_ops *op
2250 + extern void fsnotify_get_group(struct fsnotify_group *group);
2251 + /* drop reference on a group from fsnotify_alloc_group */
2252 + extern void fsnotify_put_group(struct fsnotify_group *group);
2253 ++/* group destruction begins, stop queuing new events */
2254 ++extern void fsnotify_group_stop_queueing(struct fsnotify_group *group);
2255 + /* destroy group */
2256 + extern void fsnotify_destroy_group(struct fsnotify_group *group);
2257 + /* fasync handler function */
2258 +@@ -326,8 +328,6 @@ extern int fsnotify_add_event(struct fsnotify_group *group,
2259 + struct fsnotify_event *event,
2260 + int (*merge)(struct list_head *,
2261 + struct fsnotify_event *));
2262 +-/* Remove passed event from groups notification queue */
2263 +-extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event);
2264 + /* true if the group notification queue is empty */
2265 + extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
2266 + /* return, but do not dequeue the first event on the notification queue */
2267 +diff --git a/include/linux/irq.h b/include/linux/irq.h
2268 +index 03f48d936f66..c91ce60746f7 100644
2269 +--- a/include/linux/irq.h
2270 ++++ b/include/linux/irq.h
2271 +@@ -20,6 +20,7 @@
2272 + #include <linux/errno.h>
2273 + #include <linux/topology.h>
2274 + #include <linux/wait.h>
2275 ++#include <linux/io.h>
2276 +
2277 + #include <asm/irq.h>
2278 + #include <asm/ptrace.h>
2279 +@@ -639,13 +640,6 @@ void arch_teardown_hwirq(unsigned int irq);
2280 + void irq_init_desc(unsigned int irq);
2281 + #endif
2282 +
2283 +-#ifndef irq_reg_writel
2284 +-# define irq_reg_writel(val, addr) writel(val, addr)
2285 +-#endif
2286 +-#ifndef irq_reg_readl
2287 +-# define irq_reg_readl(addr) readl(addr)
2288 +-#endif
2289 +-
2290 + /**
2291 + * struct irq_chip_regs - register offsets for struct irq_gci
2292 + * @enable: Enable register offset to reg_base
2293 +@@ -821,4 +815,26 @@ static inline void irq_gc_lock(struct irq_chip_generic *gc) { }
2294 + static inline void irq_gc_unlock(struct irq_chip_generic *gc) { }
2295 + #endif
2296 +
2297 ++/*
2298 ++ * The irqsave variants are for usage in non interrupt code. Do not use
2299 ++ * them in irq_chip callbacks. Use irq_gc_lock() instead.
2300 ++ */
2301 ++#define irq_gc_lock_irqsave(gc, flags) \
2302 ++ raw_spin_lock_irqsave(&(gc)->lock, flags)
2303 ++
2304 ++#define irq_gc_unlock_irqrestore(gc, flags) \
2305 ++ raw_spin_unlock_irqrestore(&(gc)->lock, flags)
2306 ++
2307 ++static inline void irq_reg_writel(struct irq_chip_generic *gc,
2308 ++ u32 val, int reg_offset)
2309 ++{
2310 ++ writel(val, gc->reg_base + reg_offset);
2311 ++}
2312 ++
2313 ++static inline u32 irq_reg_readl(struct irq_chip_generic *gc,
2314 ++ int reg_offset)
2315 ++{
2316 ++ return readl(gc->reg_base + reg_offset);
2317 ++}
2318 ++
2319 + #endif /* _LINUX_IRQ_H */
2320 +diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
2321 +index 4b3736f7065c..30a8f531236c 100644
2322 +--- a/include/linux/pagemap.h
2323 ++++ b/include/linux/pagemap.h
2324 +@@ -594,56 +594,56 @@ static inline int fault_in_pages_readable(const char __user *uaddr, int size)
2325 + */
2326 + static inline int fault_in_multipages_writeable(char __user *uaddr, int size)
2327 + {
2328 +- int ret = 0;
2329 + char __user *end = uaddr + size - 1;
2330 +
2331 + if (unlikely(size == 0))
2332 +- return ret;
2333 ++ return 0;
2334 +
2335 ++ if (unlikely(uaddr > end))
2336 ++ return -EFAULT;
2337 + /*
2338 + * Writing zeroes into userspace here is OK, because we know that if
2339 + * the zero gets there, we'll be overwriting it.
2340 + */
2341 +- while (uaddr <= end) {
2342 +- ret = __put_user(0, uaddr);
2343 +- if (ret != 0)
2344 +- return ret;
2345 ++ do {
2346 ++ if (unlikely(__put_user(0, uaddr) != 0))
2347 ++ return -EFAULT;
2348 + uaddr += PAGE_SIZE;
2349 +- }
2350 ++ } while (uaddr <= end);
2351 +
2352 + /* Check whether the range spilled into the next page. */
2353 + if (((unsigned long)uaddr & PAGE_MASK) ==
2354 + ((unsigned long)end & PAGE_MASK))
2355 +- ret = __put_user(0, end);
2356 ++ return __put_user(0, end);
2357 +
2358 +- return ret;
2359 ++ return 0;
2360 + }
2361 +
2362 + static inline int fault_in_multipages_readable(const char __user *uaddr,
2363 + int size)
2364 + {
2365 + volatile char c;
2366 +- int ret = 0;
2367 + const char __user *end = uaddr + size - 1;
2368 +
2369 + if (unlikely(size == 0))
2370 +- return ret;
2371 ++ return 0;
2372 +
2373 +- while (uaddr <= end) {
2374 +- ret = __get_user(c, uaddr);
2375 +- if (ret != 0)
2376 +- return ret;
2377 ++ if (unlikely(uaddr > end))
2378 ++ return -EFAULT;
2379 ++
2380 ++ do {
2381 ++ if (unlikely(__get_user(c, uaddr) != 0))
2382 ++ return -EFAULT;
2383 + uaddr += PAGE_SIZE;
2384 +- }
2385 ++ } while (uaddr <= end);
2386 +
2387 + /* Check whether the range spilled into the next page. */
2388 + if (((unsigned long)uaddr & PAGE_MASK) ==
2389 + ((unsigned long)end & PAGE_MASK)) {
2390 +- ret = __get_user(c, end);
2391 +- (void)c;
2392 ++ return __get_user(c, end);
2393 + }
2394 +
2395 +- return ret;
2396 ++ return 0;
2397 + }
2398 +
2399 + int add_to_page_cache_locked(struct page *page, struct address_space *mapping,
2400 +diff --git a/kernel/irq/generic-chip.c b/kernel/irq/generic-chip.c
2401 +index cf80e7b0ddab..db458c68e392 100644
2402 +--- a/kernel/irq/generic-chip.c
2403 ++++ b/kernel/irq/generic-chip.c
2404 +@@ -39,7 +39,7 @@ void irq_gc_mask_disable_reg(struct irq_data *d)
2405 + u32 mask = d->mask;
2406 +
2407 + irq_gc_lock(gc);
2408 +- irq_reg_writel(mask, gc->reg_base + ct->regs.disable);
2409 ++ irq_reg_writel(gc, mask, ct->regs.disable);
2410 + *ct->mask_cache &= ~mask;
2411 + irq_gc_unlock(gc);
2412 + }
2413 +@@ -59,7 +59,7 @@ void irq_gc_mask_set_bit(struct irq_data *d)
2414 +
2415 + irq_gc_lock(gc);
2416 + *ct->mask_cache |= mask;
2417 +- irq_reg_writel(*ct->mask_cache, gc->reg_base + ct->regs.mask);
2418 ++ irq_reg_writel(gc, *ct->mask_cache, ct->regs.mask);
2419 + irq_gc_unlock(gc);
2420 + }
2421 + EXPORT_SYMBOL_GPL(irq_gc_mask_set_bit);
2422 +@@ -79,7 +79,7 @@ void irq_gc_mask_clr_bit(struct irq_data *d)
2423 +
2424 + irq_gc_lock(gc);
2425 + *ct->mask_cache &= ~mask;
2426 +- irq_reg_writel(*ct->mask_cache, gc->reg_base + ct->regs.mask);
2427 ++ irq_reg_writel(gc, *ct->mask_cache, ct->regs.mask);
2428 + irq_gc_unlock(gc);
2429 + }
2430 + EXPORT_SYMBOL_GPL(irq_gc_mask_clr_bit);
2431 +@@ -98,7 +98,7 @@ void irq_gc_unmask_enable_reg(struct irq_data *d)
2432 + u32 mask = d->mask;
2433 +
2434 + irq_gc_lock(gc);
2435 +- irq_reg_writel(mask, gc->reg_base + ct->regs.enable);
2436 ++ irq_reg_writel(gc, mask, ct->regs.enable);
2437 + *ct->mask_cache |= mask;
2438 + irq_gc_unlock(gc);
2439 + }
2440 +@@ -114,7 +114,7 @@ void irq_gc_ack_set_bit(struct irq_data *d)
2441 + u32 mask = d->mask;
2442 +
2443 + irq_gc_lock(gc);
2444 +- irq_reg_writel(mask, gc->reg_base + ct->regs.ack);
2445 ++ irq_reg_writel(gc, mask, ct->regs.ack);
2446 + irq_gc_unlock(gc);
2447 + }
2448 + EXPORT_SYMBOL_GPL(irq_gc_ack_set_bit);
2449 +@@ -130,7 +130,7 @@ void irq_gc_ack_clr_bit(struct irq_data *d)
2450 + u32 mask = ~d->mask;
2451 +
2452 + irq_gc_lock(gc);
2453 +- irq_reg_writel(mask, gc->reg_base + ct->regs.ack);
2454 ++ irq_reg_writel(gc, mask, ct->regs.ack);
2455 + irq_gc_unlock(gc);
2456 + }
2457 +
2458 +@@ -145,8 +145,8 @@ void irq_gc_mask_disable_reg_and_ack(struct irq_data *d)
2459 + u32 mask = d->mask;
2460 +
2461 + irq_gc_lock(gc);
2462 +- irq_reg_writel(mask, gc->reg_base + ct->regs.mask);
2463 +- irq_reg_writel(mask, gc->reg_base + ct->regs.ack);
2464 ++ irq_reg_writel(gc, mask, ct->regs.mask);
2465 ++ irq_reg_writel(gc, mask, ct->regs.ack);
2466 + irq_gc_unlock(gc);
2467 + }
2468 +
2469 +@@ -161,7 +161,7 @@ void irq_gc_eoi(struct irq_data *d)
2470 + u32 mask = d->mask;
2471 +
2472 + irq_gc_lock(gc);
2473 +- irq_reg_writel(mask, gc->reg_base + ct->regs.eoi);
2474 ++ irq_reg_writel(gc, mask, ct->regs.eoi);
2475 + irq_gc_unlock(gc);
2476 + }
2477 +
2478 +@@ -245,7 +245,7 @@ irq_gc_init_mask_cache(struct irq_chip_generic *gc, enum irq_gc_flags flags)
2479 + }
2480 + ct[i].mask_cache = mskptr;
2481 + if (flags & IRQ_GC_INIT_MASK_CACHE)
2482 +- *mskptr = irq_reg_readl(gc->reg_base + mskreg);
2483 ++ *mskptr = irq_reg_readl(gc, mskreg);
2484 + }
2485 + }
2486 +
2487 +diff --git a/kernel/sched/core.c b/kernel/sched/core.c
2488 +index 2f774edcc4e8..44de06747e41 100644
2489 +--- a/kernel/sched/core.c
2490 ++++ b/kernel/sched/core.c
2491 +@@ -1705,6 +1705,28 @@ try_to_wake_up(struct task_struct *p, unsigned int state, int wake_flags)
2492 + success = 1; /* we're going to change ->state */
2493 + cpu = task_cpu(p);
2494 +
2495 ++ /*
2496 ++ * Ensure we load p->on_rq _after_ p->state, otherwise it would
2497 ++ * be possible to, falsely, observe p->on_rq == 0 and get stuck
2498 ++ * in smp_cond_load_acquire() below.
2499 ++ *
2500 ++ * sched_ttwu_pending() try_to_wake_up()
2501 ++ * [S] p->on_rq = 1; [L] P->state
2502 ++ * UNLOCK rq->lock -----.
2503 ++ * \
2504 ++ * +--- RMB
2505 ++ * schedule() /
2506 ++ * LOCK rq->lock -----'
2507 ++ * UNLOCK rq->lock
2508 ++ *
2509 ++ * [task p]
2510 ++ * [S] p->state = UNINTERRUPTIBLE [L] p->on_rq
2511 ++ *
2512 ++ * Pairs with the UNLOCK+LOCK on rq->lock from the
2513 ++ * last wakeup of our task and the schedule that got our task
2514 ++ * current.
2515 ++ */
2516 ++ smp_rmb();
2517 + if (p->on_rq && ttwu_remote(p, wake_flags))
2518 + goto stat;
2519 +
2520 +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
2521 +index e34efa766031..953572c17b3d 100644
2522 +--- a/net/ipv6/addrconf.c
2523 ++++ b/net/ipv6/addrconf.c
2524 +@@ -1689,6 +1689,7 @@ void addrconf_dad_failure(struct inet6_ifaddr *ifp)
2525 + spin_unlock_bh(&ifp->state_lock);
2526 +
2527 + addrconf_mod_dad_work(ifp, 0);
2528 ++ in6_ifa_put(ifp);
2529 + }
2530 +
2531 + /* Join to solicited addr multicast group.
2532 +@@ -3277,6 +3278,7 @@ static void addrconf_dad_work(struct work_struct *w)
2533 + addrconf_dad_begin(ifp);
2534 + goto out;
2535 + } else if (action == DAD_ABORT) {
2536 ++ in6_ifa_hold(ifp);
2537 + addrconf_dad_stop(ifp, 1);
2538 + goto out;
2539 + }
2540 +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
2541 +index 0286733f2e8c..7f9a3c932d5b 100644
2542 +--- a/net/wireless/nl80211.c
2543 ++++ b/net/wireless/nl80211.c
2544 +@@ -6033,7 +6033,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
2545 +
2546 + params.n_counter_offsets_presp = len / sizeof(u16);
2547 + if (rdev->wiphy.max_num_csa_counters &&
2548 +- (params.n_counter_offsets_beacon >
2549 ++ (params.n_counter_offsets_presp >
2550 + rdev->wiphy.max_num_csa_counters))
2551 + return -EINVAL;
2552 +
2553 +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
2554 +index c753211cb83f..b50ee5d622e1 100644
2555 +--- a/net/wireless/wext-core.c
2556 ++++ b/net/wireless/wext-core.c
2557 +@@ -955,29 +955,8 @@ static int wireless_process_ioctl(struct net *net, struct ifreq *ifr,
2558 + return private(dev, iwr, cmd, info, handler);
2559 + }
2560 + /* Old driver API : call driver ioctl handler */
2561 +- if (dev->netdev_ops->ndo_do_ioctl) {
2562 +-#ifdef CONFIG_COMPAT
2563 +- if (info->flags & IW_REQUEST_FLAG_COMPAT) {
2564 +- int ret = 0;
2565 +- struct iwreq iwr_lcl;
2566 +- struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
2567 +-
2568 +- memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
2569 +- iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
2570 +- iwr_lcl.u.data.length = iwp_compat->length;
2571 +- iwr_lcl.u.data.flags = iwp_compat->flags;
2572 +-
2573 +- ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
2574 +-
2575 +- iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
2576 +- iwp_compat->length = iwr_lcl.u.data.length;
2577 +- iwp_compat->flags = iwr_lcl.u.data.flags;
2578 +-
2579 +- return ret;
2580 +- } else
2581 +-#endif
2582 +- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
2583 +- }
2584 ++ if (dev->netdev_ops->ndo_do_ioctl)
2585 ++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
2586 + return -EOPNOTSUPP;
2587 + }
2588 +
2589 +diff --git a/sound/core/timer.c b/sound/core/timer.c
2590 +index 5c769ea59b68..c9da76e05b3f 100644
2591 +--- a/sound/core/timer.c
2592 ++++ b/sound/core/timer.c
2593 +@@ -35,6 +35,9 @@
2594 + #include <sound/initval.h>
2595 + #include <linux/kmod.h>
2596 +
2597 ++/* internal flags */
2598 ++#define SNDRV_TIMER_IFLG_PAUSED 0x00010000
2599 ++
2600 + #if IS_ENABLED(CONFIG_SND_HRTIMER)
2601 + #define DEFAULT_TIMER_LIMIT 4
2602 + #elif IS_ENABLED(CONFIG_SND_RTCTIMER)
2603 +@@ -296,8 +299,21 @@ int snd_timer_open(struct snd_timer_instance **ti,
2604 + get_device(&timer->card->card_dev);
2605 + timeri->slave_class = tid->dev_sclass;
2606 + timeri->slave_id = slave_id;
2607 +- if (list_empty(&timer->open_list_head) && timer->hw.open)
2608 +- timer->hw.open(timer);
2609 ++
2610 ++ if (list_empty(&timer->open_list_head) && timer->hw.open) {
2611 ++ int err = timer->hw.open(timer);
2612 ++ if (err) {
2613 ++ kfree(timeri->owner);
2614 ++ kfree(timeri);
2615 ++
2616 ++ if (timer->card)
2617 ++ put_device(&timer->card->card_dev);
2618 ++ module_put(timer->module);
2619 ++ mutex_unlock(&register_mutex);
2620 ++ return err;
2621 ++ }
2622 ++ }
2623 ++
2624 + list_add_tail(&timeri->open_list, &timer->open_list_head);
2625 + snd_timer_check_master(timeri);
2626 + mutex_unlock(&register_mutex);
2627 +@@ -305,8 +321,6 @@ int snd_timer_open(struct snd_timer_instance **ti,
2628 + return 0;
2629 + }
2630 +
2631 +-static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);
2632 +-
2633 + /*
2634 + * close a timer instance
2635 + */
2636 +@@ -395,7 +409,6 @@ unsigned long snd_timer_resolution(struct snd_timer_instance *timeri)
2637 + static void snd_timer_notify1(struct snd_timer_instance *ti, int event)
2638 + {
2639 + struct snd_timer *timer;
2640 +- unsigned long flags;
2641 + unsigned long resolution = 0;
2642 + struct snd_timer_instance *ts;
2643 + struct timespec tstamp;
2644 +@@ -419,34 +432,66 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event)
2645 + return;
2646 + if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
2647 + return;
2648 +- spin_lock_irqsave(&timer->lock, flags);
2649 + list_for_each_entry(ts, &ti->slave_active_head, active_list)
2650 + if (ts->ccallback)
2651 + ts->ccallback(ts, event + 100, &tstamp, resolution);
2652 +- spin_unlock_irqrestore(&timer->lock, flags);
2653 + }
2654 +
2655 +-static int snd_timer_start1(struct snd_timer *timer, struct snd_timer_instance *timeri,
2656 +- unsigned long sticks)
2657 ++/* start/continue a master timer */
2658 ++static int snd_timer_start1(struct snd_timer_instance *timeri,
2659 ++ bool start, unsigned long ticks)
2660 + {
2661 ++ struct snd_timer *timer;
2662 ++ int result;
2663 ++ unsigned long flags;
2664 ++
2665 ++ timer = timeri->timer;
2666 ++ if (!timer)
2667 ++ return -EINVAL;
2668 ++
2669 ++ spin_lock_irqsave(&timer->lock, flags);
2670 ++ if (timer->card && timer->card->shutdown) {
2671 ++ result = -ENODEV;
2672 ++ goto unlock;
2673 ++ }
2674 ++ if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
2675 ++ SNDRV_TIMER_IFLG_START)) {
2676 ++ result = -EBUSY;
2677 ++ goto unlock;
2678 ++ }
2679 ++
2680 ++ if (start)
2681 ++ timeri->ticks = timeri->cticks = ticks;
2682 ++ else if (!timeri->cticks)
2683 ++ timeri->cticks = 1;
2684 ++ timeri->pticks = 0;
2685 ++
2686 + list_move_tail(&timeri->active_list, &timer->active_list_head);
2687 + if (timer->running) {
2688 + if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
2689 + goto __start_now;
2690 + timer->flags |= SNDRV_TIMER_FLG_RESCHED;
2691 + timeri->flags |= SNDRV_TIMER_IFLG_START;
2692 +- return 1; /* delayed start */
2693 ++ result = 1; /* delayed start */
2694 + } else {
2695 +- timer->sticks = sticks;
2696 ++ if (start)
2697 ++ timer->sticks = ticks;
2698 + timer->hw.start(timer);
2699 + __start_now:
2700 + timer->running++;
2701 + timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
2702 +- return 0;
2703 ++ result = 0;
2704 + }
2705 ++ snd_timer_notify1(timeri, start ? SNDRV_TIMER_EVENT_START :
2706 ++ SNDRV_TIMER_EVENT_CONTINUE);
2707 ++ unlock:
2708 ++ spin_unlock_irqrestore(&timer->lock, flags);
2709 ++ return result;
2710 + }
2711 +
2712 +-static int snd_timer_start_slave(struct snd_timer_instance *timeri)
2713 ++/* start/continue a slave timer */
2714 ++static int snd_timer_start_slave(struct snd_timer_instance *timeri,
2715 ++ bool start)
2716 + {
2717 + unsigned long flags;
2718 +
2719 +@@ -460,88 +505,37 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
2720 + spin_lock(&timeri->timer->lock);
2721 + list_add_tail(&timeri->active_list,
2722 + &timeri->master->slave_active_head);
2723 ++ snd_timer_notify1(timeri, start ? SNDRV_TIMER_EVENT_START :
2724 ++ SNDRV_TIMER_EVENT_CONTINUE);
2725 + spin_unlock(&timeri->timer->lock);
2726 + }
2727 + spin_unlock_irqrestore(&slave_active_lock, flags);
2728 + return 1; /* delayed start */
2729 + }
2730 +
2731 +-/*
2732 +- * start the timer instance
2733 +- */
2734 +-int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
2735 +-{
2736 +- struct snd_timer *timer;
2737 +- int result = -EINVAL;
2738 +- unsigned long flags;
2739 +-
2740 +- if (timeri == NULL || ticks < 1)
2741 +- return -EINVAL;
2742 +- if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
2743 +- result = snd_timer_start_slave(timeri);
2744 +- if (result >= 0)
2745 +- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
2746 +- return result;
2747 +- }
2748 +- timer = timeri->timer;
2749 +- if (timer == NULL)
2750 +- return -EINVAL;
2751 +- if (timer->card && timer->card->shutdown)
2752 +- return -ENODEV;
2753 +- spin_lock_irqsave(&timer->lock, flags);
2754 +- if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
2755 +- SNDRV_TIMER_IFLG_START)) {
2756 +- result = -EBUSY;
2757 +- goto unlock;
2758 +- }
2759 +- timeri->ticks = timeri->cticks = ticks;
2760 +- timeri->pticks = 0;
2761 +- result = snd_timer_start1(timer, timeri, ticks);
2762 +- unlock:
2763 +- spin_unlock_irqrestore(&timer->lock, flags);
2764 +- if (result >= 0)
2765 +- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
2766 +- return result;
2767 +-}
2768 +-
2769 +-static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
2770 ++/* stop/pause a master timer */
2771 ++static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
2772 + {
2773 + struct snd_timer *timer;
2774 ++ int result = 0;
2775 + unsigned long flags;
2776 +
2777 +- if (snd_BUG_ON(!timeri))
2778 +- return -ENXIO;
2779 +-
2780 +- if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
2781 +- spin_lock_irqsave(&slave_active_lock, flags);
2782 +- if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
2783 +- spin_unlock_irqrestore(&slave_active_lock, flags);
2784 +- return -EBUSY;
2785 +- }
2786 +- if (timeri->timer)
2787 +- spin_lock(&timeri->timer->lock);
2788 +- timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
2789 +- list_del_init(&timeri->ack_list);
2790 +- list_del_init(&timeri->active_list);
2791 +- if (timeri->timer)
2792 +- spin_unlock(&timeri->timer->lock);
2793 +- spin_unlock_irqrestore(&slave_active_lock, flags);
2794 +- goto __end;
2795 +- }
2796 + timer = timeri->timer;
2797 + if (!timer)
2798 + return -EINVAL;
2799 + spin_lock_irqsave(&timer->lock, flags);
2800 + if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
2801 + SNDRV_TIMER_IFLG_START))) {
2802 +- spin_unlock_irqrestore(&timer->lock, flags);
2803 +- return -EBUSY;
2804 ++ result = -EBUSY;
2805 ++ goto unlock;
2806 + }
2807 + list_del_init(&timeri->ack_list);
2808 + list_del_init(&timeri->active_list);
2809 +- if (timer->card && timer->card->shutdown) {
2810 +- spin_unlock_irqrestore(&timer->lock, flags);
2811 +- return 0;
2812 ++ if (timer->card && timer->card->shutdown)
2813 ++ goto unlock;
2814 ++ if (stop) {
2815 ++ timeri->cticks = timeri->ticks;
2816 ++ timeri->pticks = 0;
2817 + }
2818 + if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) &&
2819 + !(--timer->running)) {
2820 +@@ -556,35 +550,64 @@ static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
2821 + }
2822 + }
2823 + timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
2824 ++ if (stop)
2825 ++ timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
2826 ++ else
2827 ++ timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
2828 ++ snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
2829 ++ SNDRV_TIMER_EVENT_CONTINUE);
2830 ++ unlock:
2831 + spin_unlock_irqrestore(&timer->lock, flags);
2832 +- __end:
2833 +- if (event != SNDRV_TIMER_EVENT_RESOLUTION)
2834 +- snd_timer_notify1(timeri, event);
2835 ++ return result;
2836 ++}
2837 ++
2838 ++/* stop/pause a slave timer */
2839 ++static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
2840 ++{
2841 ++ unsigned long flags;
2842 ++
2843 ++ spin_lock_irqsave(&slave_active_lock, flags);
2844 ++ if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
2845 ++ spin_unlock_irqrestore(&slave_active_lock, flags);
2846 ++ return -EBUSY;
2847 ++ }
2848 ++ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
2849 ++ if (timeri->timer) {
2850 ++ spin_lock(&timeri->timer->lock);
2851 ++ list_del_init(&timeri->ack_list);
2852 ++ list_del_init(&timeri->active_list);
2853 ++ snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
2854 ++ SNDRV_TIMER_EVENT_CONTINUE);
2855 ++ spin_unlock(&timeri->timer->lock);
2856 ++ }
2857 ++ spin_unlock_irqrestore(&slave_active_lock, flags);
2858 + return 0;
2859 + }
2860 +
2861 + /*
2862 ++ * start the timer instance
2863 ++ */
2864 ++int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
2865 ++{
2866 ++ if (timeri == NULL || ticks < 1)
2867 ++ return -EINVAL;
2868 ++ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
2869 ++ return snd_timer_start_slave(timeri, true);
2870 ++ else
2871 ++ return snd_timer_start1(timeri, true, ticks);
2872 ++}
2873 ++
2874 ++/*
2875 + * stop the timer instance.
2876 + *
2877 + * do not call this from the timer callback!
2878 + */
2879 + int snd_timer_stop(struct snd_timer_instance *timeri)
2880 + {
2881 +- struct snd_timer *timer;
2882 +- unsigned long flags;
2883 +- int err;
2884 +-
2885 +- err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP);
2886 +- if (err < 0)
2887 +- return err;
2888 +- timer = timeri->timer;
2889 +- if (!timer)
2890 +- return -EINVAL;
2891 +- spin_lock_irqsave(&timer->lock, flags);
2892 +- timeri->cticks = timeri->ticks;
2893 +- timeri->pticks = 0;
2894 +- spin_unlock_irqrestore(&timer->lock, flags);
2895 +- return 0;
2896 ++ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
2897 ++ return snd_timer_stop_slave(timeri, true);
2898 ++ else
2899 ++ return snd_timer_stop1(timeri, true);
2900 + }
2901 +
2902 + /*
2903 +@@ -592,32 +615,14 @@ int snd_timer_stop(struct snd_timer_instance *timeri)
2904 + */
2905 + int snd_timer_continue(struct snd_timer_instance *timeri)
2906 + {
2907 +- struct snd_timer *timer;
2908 +- int result = -EINVAL;
2909 +- unsigned long flags;
2910 ++ /* timer can continue only after pause */
2911 ++ if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
2912 ++ return -EINVAL;
2913 +
2914 +- if (timeri == NULL)
2915 +- return result;
2916 + if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
2917 +- return snd_timer_start_slave(timeri);
2918 +- timer = timeri->timer;
2919 +- if (! timer)
2920 +- return -EINVAL;
2921 +- if (timer->card && timer->card->shutdown)
2922 +- return -ENODEV;
2923 +- spin_lock_irqsave(&timer->lock, flags);
2924 +- if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) {
2925 +- result = -EBUSY;
2926 +- goto unlock;
2927 +- }
2928 +- if (!timeri->cticks)
2929 +- timeri->cticks = 1;
2930 +- timeri->pticks = 0;
2931 +- result = snd_timer_start1(timer, timeri, timer->sticks);
2932 +- unlock:
2933 +- spin_unlock_irqrestore(&timer->lock, flags);
2934 +- snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE);
2935 +- return result;
2936 ++ return snd_timer_start_slave(timeri, false);
2937 ++ else
2938 ++ return snd_timer_start1(timeri, false, 0);
2939 + }
2940 +
2941 + /*
2942 +@@ -625,7 +630,10 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
2943 + */
2944 + int snd_timer_pause(struct snd_timer_instance * timeri)
2945 + {
2946 +- return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE);
2947 ++ if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
2948 ++ return snd_timer_stop_slave(timeri, false);
2949 ++ else
2950 ++ return snd_timer_stop1(timeri, false);
2951 + }
2952 +
2953 + /*
2954 +@@ -839,6 +847,7 @@ int snd_timer_new(struct snd_card *card, char *id, struct snd_timer_id *tid,
2955 + timer->tmr_subdevice = tid->subdevice;
2956 + if (id)
2957 + strlcpy(timer->id, id, sizeof(timer->id));
2958 ++ timer->sticks = 1;
2959 + INIT_LIST_HEAD(&timer->device_list);
2960 + INIT_LIST_HEAD(&timer->open_list_head);
2961 + INIT_LIST_HEAD(&timer->active_list_head);
2962 +@@ -1827,6 +1836,9 @@ static int snd_timer_user_continue(struct file *file)
2963 + tu = file->private_data;
2964 + if (!tu->timeri)
2965 + return -EBADFD;
2966 ++ /* start timer instead of continue if it's not used before */
2967 ++ if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
2968 ++ return snd_timer_user_start(file);
2969 + tu->timeri->lost = 0;
2970 + return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
2971 + }
2972 +diff --git a/sound/firewire/fireworks/fireworks.h b/sound/firewire/fireworks/fireworks.h
2973 +index 084d414b228c..b431c34b2d74 100644
2974 +--- a/sound/firewire/fireworks/fireworks.h
2975 ++++ b/sound/firewire/fireworks/fireworks.h
2976 +@@ -106,7 +106,6 @@ struct snd_efw {
2977 + u8 *resp_buf;
2978 + u8 *pull_ptr;
2979 + u8 *push_ptr;
2980 +- unsigned int resp_queues;
2981 + };
2982 +
2983 + int snd_efw_transaction_cmd(struct fw_unit *unit,
2984 +diff --git a/sound/firewire/fireworks/fireworks_hwdep.c b/sound/firewire/fireworks/fireworks_hwdep.c
2985 +index 33df8655fe81..2e1d9a23920c 100644
2986 +--- a/sound/firewire/fireworks/fireworks_hwdep.c
2987 ++++ b/sound/firewire/fireworks/fireworks_hwdep.c
2988 +@@ -25,6 +25,7 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, long remained,
2989 + {
2990 + unsigned int length, till_end, type;
2991 + struct snd_efw_transaction *t;
2992 ++ u8 *pull_ptr;
2993 + long count = 0;
2994 +
2995 + if (remained < sizeof(type) + sizeof(struct snd_efw_transaction))
2996 +@@ -38,8 +39,17 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, long remained,
2997 + buf += sizeof(type);
2998 +
2999 + /* write into buffer as many responses as possible */
3000 +- while (efw->resp_queues > 0) {
3001 +- t = (struct snd_efw_transaction *)(efw->pull_ptr);
3002 ++ spin_lock_irq(&efw->lock);
3003 ++
3004 ++ /*
3005 ++ * When another task reaches here during this task's access to user
3006 ++ * space, it picks up current position in buffer and can read the same
3007 ++ * series of responses.
3008 ++ */
3009 ++ pull_ptr = efw->pull_ptr;
3010 ++
3011 ++ while (efw->push_ptr != pull_ptr) {
3012 ++ t = (struct snd_efw_transaction *)(pull_ptr);
3013 + length = be32_to_cpu(t->length) * sizeof(__be32);
3014 +
3015 + /* confirm enough space for this response */
3016 +@@ -49,26 +59,39 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, long remained,
3017 + /* copy from ring buffer to user buffer */
3018 + while (length > 0) {
3019 + till_end = snd_efw_resp_buf_size -
3020 +- (unsigned int)(efw->pull_ptr - efw->resp_buf);
3021 ++ (unsigned int)(pull_ptr - efw->resp_buf);
3022 + till_end = min_t(unsigned int, length, till_end);
3023 +
3024 +- if (copy_to_user(buf, efw->pull_ptr, till_end))
3025 ++ spin_unlock_irq(&efw->lock);
3026 ++
3027 ++ if (copy_to_user(buf, pull_ptr, till_end))
3028 + return -EFAULT;
3029 +
3030 +- efw->pull_ptr += till_end;
3031 +- if (efw->pull_ptr >= efw->resp_buf +
3032 +- snd_efw_resp_buf_size)
3033 +- efw->pull_ptr -= snd_efw_resp_buf_size;
3034 ++ spin_lock_irq(&efw->lock);
3035 ++
3036 ++ pull_ptr += till_end;
3037 ++ if (pull_ptr >= efw->resp_buf + snd_efw_resp_buf_size)
3038 ++ pull_ptr -= snd_efw_resp_buf_size;
3039 +
3040 + length -= till_end;
3041 + buf += till_end;
3042 + count += till_end;
3043 + remained -= till_end;
3044 + }
3045 +-
3046 +- efw->resp_queues--;
3047 + }
3048 +
3049 ++ /*
3050 ++ * All of tasks can read from the buffer nearly simultaneously, but the
3051 ++ * last position for each task is different depending on the length of
3052 ++ * given buffer. Here, for simplicity, a position of buffer is set by
3053 ++ * the latest task. It's better for a listening application to allow one
3054 ++ * thread to read from the buffer. Unless, each task can read different
3055 ++ * sequence of responses depending on variation of buffer length.
3056 ++ */
3057 ++ efw->pull_ptr = pull_ptr;
3058 ++
3059 ++ spin_unlock_irq(&efw->lock);
3060 ++
3061 + return count;
3062 + }
3063 +
3064 +@@ -76,14 +99,17 @@ static long
3065 + hwdep_read_locked(struct snd_efw *efw, char __user *buf, long count,
3066 + loff_t *offset)
3067 + {
3068 +- union snd_firewire_event event;
3069 ++ union snd_firewire_event event = {
3070 ++ .lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS,
3071 ++ };
3072 +
3073 +- memset(&event, 0, sizeof(event));
3074 ++ spin_lock_irq(&efw->lock);
3075 +
3076 +- event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
3077 + event.lock_status.status = (efw->dev_lock_count > 0);
3078 + efw->dev_lock_changed = false;
3079 +
3080 ++ spin_unlock_irq(&efw->lock);
3081 ++
3082 + count = min_t(long, count, sizeof(event.lock_status));
3083 +
3084 + if (copy_to_user(buf, &event, count))
3085 +@@ -98,10 +124,15 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
3086 + {
3087 + struct snd_efw *efw = hwdep->private_data;
3088 + DEFINE_WAIT(wait);
3089 ++ bool dev_lock_changed;
3090 ++ bool queued;
3091 +
3092 + spin_lock_irq(&efw->lock);
3093 +
3094 +- while ((!efw->dev_lock_changed) && (efw->resp_queues == 0)) {
3095 ++ dev_lock_changed = efw->dev_lock_changed;
3096 ++ queued = efw->push_ptr != efw->pull_ptr;
3097 ++
3098 ++ while (!dev_lock_changed && !queued) {
3099 + prepare_to_wait(&efw->hwdep_wait, &wait, TASK_INTERRUPTIBLE);
3100 + spin_unlock_irq(&efw->lock);
3101 + schedule();
3102 +@@ -109,15 +140,17 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
3103 + if (signal_pending(current))
3104 + return -ERESTARTSYS;
3105 + spin_lock_irq(&efw->lock);
3106 ++ dev_lock_changed = efw->dev_lock_changed;
3107 ++ queued = efw->push_ptr != efw->pull_ptr;
3108 + }
3109 +
3110 +- if (efw->dev_lock_changed)
3111 ++ spin_unlock_irq(&efw->lock);
3112 ++
3113 ++ if (dev_lock_changed)
3114 + count = hwdep_read_locked(efw, buf, count, offset);
3115 +- else if (efw->resp_queues > 0)
3116 ++ else if (queued)
3117 + count = hwdep_read_resp_buf(efw, buf, count, offset);
3118 +
3119 +- spin_unlock_irq(&efw->lock);
3120 +-
3121 + return count;
3122 + }
3123 +
3124 +@@ -160,7 +193,7 @@ hwdep_poll(struct snd_hwdep *hwdep, struct file *file, poll_table *wait)
3125 + poll_wait(file, &efw->hwdep_wait, wait);
3126 +
3127 + spin_lock_irq(&efw->lock);
3128 +- if (efw->dev_lock_changed || (efw->resp_queues > 0))
3129 ++ if (efw->dev_lock_changed || efw->pull_ptr != efw->push_ptr)
3130 + events = POLLIN | POLLRDNORM;
3131 + else
3132 + events = 0;
3133 +diff --git a/sound/firewire/fireworks/fireworks_proc.c b/sound/firewire/fireworks/fireworks_proc.c
3134 +index 0639dcb13f7d..beb0a0ffee57 100644
3135 +--- a/sound/firewire/fireworks/fireworks_proc.c
3136 ++++ b/sound/firewire/fireworks/fireworks_proc.c
3137 +@@ -188,8 +188,8 @@ proc_read_queues_state(struct snd_info_entry *entry,
3138 + else
3139 + consumed = (unsigned int)(efw->push_ptr - efw->pull_ptr);
3140 +
3141 +- snd_iprintf(buffer, "%d %d/%d\n",
3142 +- efw->resp_queues, consumed, snd_efw_resp_buf_size);
3143 ++ snd_iprintf(buffer, "%d/%d\n",
3144 ++ consumed, snd_efw_resp_buf_size);
3145 + }
3146 +
3147 + static void
3148 +diff --git a/sound/firewire/fireworks/fireworks_transaction.c b/sound/firewire/fireworks/fireworks_transaction.c
3149 +index 2a85e4209f0b..8e9abbb6b68c 100644
3150 +--- a/sound/firewire/fireworks/fireworks_transaction.c
3151 ++++ b/sound/firewire/fireworks/fireworks_transaction.c
3152 +@@ -121,11 +121,11 @@ copy_resp_to_buf(struct snd_efw *efw, void *data, size_t length, int *rcode)
3153 + size_t capacity, till_end;
3154 + struct snd_efw_transaction *t;
3155 +
3156 +- spin_lock_irq(&efw->lock);
3157 +-
3158 + t = (struct snd_efw_transaction *)data;
3159 + length = min_t(size_t, be32_to_cpu(t->length) * sizeof(u32), length);
3160 +
3161 ++ spin_lock_irq(&efw->lock);
3162 ++
3163 + if (efw->push_ptr < efw->pull_ptr)
3164 + capacity = (unsigned int)(efw->pull_ptr - efw->push_ptr);
3165 + else
3166 +@@ -155,7 +155,6 @@ copy_resp_to_buf(struct snd_efw *efw, void *data, size_t length, int *rcode)
3167 + }
3168 +
3169 + /* for hwdep */
3170 +- efw->resp_queues++;
3171 + wake_up(&efw->hwdep_wait);
3172 +
3173 + *rcode = RCODE_COMPLETE;
3174 +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
3175 +index 7a44d07c797d..5ace1fb54595 100644
3176 +--- a/sound/usb/quirks.c
3177 ++++ b/sound/usb/quirks.c
3178 +@@ -1127,6 +1127,7 @@ bool snd_usb_get_sample_rate_quirk(struct snd_usb_audio *chip)
3179 + case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
3180 + case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
3181 + case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
3182 ++ case USB_ID(0x1901, 0x0191): /* GE B850V3 CP2114 audio interface */
3183 + case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
3184 + case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
3185 + case USB_ID(0x1de7, 0x0114): /* Phoenix Audio MT202pcs */
Report Message
Find on MARC Find on Google Groups