commit:     4635b6f052c8eab94dec6e8fbb7dbbc8905f83eb
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 12 19:52:44 2016 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Wed Oct 12 19:52:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=4635b6f0

Linux patch 4.1.34

 0000_README             |    4 +
 1033_linux-4.1.34.patch | 3255 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 3259 insertions(+)

diff --git a/0000_README b/0000_README
index 9a2fbfa..72df015 100644
--- a/0000_README
+++ b/0000_README
@@ -175,6 +175,10 @@ Patch:  1032_linux-4.1.33.patch
 From:   http://www.kernel.org
 Desc:   Linux 4.1.33
 
+Patch:  1033_linux-4.1.34.patch
+From:   http://www.kernel.org
+Desc:   Linux 4.1.34
+
 Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.

diff --git a/1033_linux-4.1.34.patch b/1033_linux-4.1.34.patch
new file mode 100644
index 0000000..fffc6fa
--- /dev/null
+++ b/1033_linux-4.1.34.patch
@@ -0,0 +1,3255 @@
+diff --git a/Makefile b/Makefile
+index 47c47d7c0926..2d4dea4b3107 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 1
+-SUBLEVEL = 33
++SUBLEVEL = 34
+ EXTRAVERSION =
+ NAME = Series 4800
+ 
+diff --git a/arch/alpha/include/asm/uaccess.h 
b/arch/alpha/include/asm/uaccess.h
+index 9b0d40093c9a..c0ddbbf73400 100644
+--- a/arch/alpha/include/asm/uaccess.h
++++ b/arch/alpha/include/asm/uaccess.h
+@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, const void *from, 
long len)
+       return __cu_len;
+ }
+ 
+-extern inline long
+-__copy_tofrom_user(void *to, const void *from, long len, const void __user 
*validate)
+-{
+-      if (__access_ok((unsigned long)validate, len, get_fs()))
+-              len = __copy_tofrom_user_nocheck(to, from, len);
+-      return len;
+-}
+-
+ #define __copy_to_user(to, from, n)                                   \
+ ({                                                                    \
+       __chk_user_ptr(to);                                             \
+@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void *from, long len, 
const void __user *vali
+ #define __copy_to_user_inatomic __copy_to_user
+ #define __copy_from_user_inatomic __copy_from_user
+ 
+-
+ extern inline long
+ copy_to_user(void __user *to, const void *from, long n)
+ {
+-      return __copy_tofrom_user((__force void *)to, from, n, to);
++      if (likely(__access_ok((unsigned long)to, n, get_fs())))
++              n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
++      return n;
+ }
+ 
+ extern inline long
+ copy_from_user(void *to, const void __user *from, long n)
+ {
+-      return __copy_tofrom_user(to, (__force void *)from, n, from);
++      if (likely(__access_ok((unsigned long)from, n, get_fs())))
++              n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
++      else
++              memset(to, 0, n);
++      return n;
+ }
+ 
+ extern void __do_clear_user(void);
+diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
+index 30c9baffa96f..08770c750696 100644
+--- a/arch/arc/include/asm/uaccess.h
++++ b/arch/arc/include/asm/uaccess.h
+@@ -83,7 +83,10 @@
+       "2:     ;nop\n"                         \
+       "       .section .fixup, \"ax\"\n"      \
+       "       .align 4\n"                     \
+-      "3:     mov %0, %3\n"                   \
++      "3:     # return -EFAULT\n"             \
++      "       mov %0, %3\n"                   \
++      "       # zero out dst ptr\n"           \
++      "       mov %1,  0\n"                   \
+       "       j   2b\n"                       \
+       "       .previous\n"                    \
+       "       .section __ex_table, \"a\"\n"   \
+@@ -101,7 +104,11 @@
+       "2:     ;nop\n"                         \
+       "       .section .fixup, \"ax\"\n"      \
+       "       .align 4\n"                     \
+-      "3:     mov %0, %3\n"                   \
++      "3:     # return -EFAULT\n"             \
++      "       mov %0, %3\n"                   \
++      "       # zero out dst ptr\n"           \
++      "       mov %1,  0\n"                   \
++      "       mov %R1, 0\n"                   \
+       "       j   2b\n"                       \
+       "       .previous\n"                    \
+       "       .section __ex_table, \"a\"\n"   \
+diff --git a/arch/arm/boot/dts/kirkwood-ib62x0.dts 
b/arch/arm/boot/dts/kirkwood-ib62x0.dts
+index bfa5edde179c..2c1e7f09205f 100644
+--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
++++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
+@@ -113,7 +113,7 @@
+ 
+       partition@e0000 {
+               label = "u-boot environment";
+-              reg = <0xe0000 0x100000>;
++              reg = <0xe0000 0x20000>;
+       };
+ 
+       partition@100000 {
+diff --git a/arch/arm/boot/dts/stih410.dtsi b/arch/arm/boot/dts/stih410.dtsi
+index 208b5e89036a..f7b2c8defe56 100644
+--- a/arch/arm/boot/dts/stih410.dtsi
++++ b/arch/arm/boot/dts/stih410.dtsi
+@@ -33,7 +33,8 @@
+                       compatible = "st,st-ohci-300x";
+                       reg = <0x9a03c00 0x100>;
+                       interrupts = <GIC_SPI 180 IRQ_TYPE_NONE>;
+-                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+                       resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
+                                <&softreset STIH407_USB2_PORT0_SOFTRESET>;
+                       reset-names = "power", "softreset";
+@@ -47,7 +48,8 @@
+                       interrupts = <GIC_SPI 151 IRQ_TYPE_NONE>;
+                       pinctrl-names = "default";
+                       pinctrl-0 = <&pinctrl_usb0>;
+-                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+                       resets = <&powerdown STIH407_USB2_PORT0_POWERDOWN>,
+                                <&softreset STIH407_USB2_PORT0_SOFTRESET>;
+                       reset-names = "power", "softreset";
+@@ -59,7 +61,8 @@
+                       compatible = "st,st-ohci-300x";
+                       reg = <0x9a83c00 0x100>;
+                       interrupts = <GIC_SPI 181 IRQ_TYPE_NONE>;
+-                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+                       resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
+                                <&softreset STIH407_USB2_PORT1_SOFTRESET>;
+                       reset-names = "power", "softreset";
+@@ -73,7 +76,8 @@
+                       interrupts = <GIC_SPI 153 IRQ_TYPE_NONE>;
+                       pinctrl-names = "default";
+                       pinctrl-0 = <&pinctrl_usb1>;
+-                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>;
++                      clocks = <&clk_s_c0_flexgen CLK_TX_ICN_DISP_0>,
++                               <&clk_s_c0_flexgen CLK_RX_ICN_DISP_0>;
+                       resets = <&powerdown STIH407_USB2_PORT1_POWERDOWN>,
+                                <&softreset STIH407_USB2_PORT1_SOFTRESET>;
+                       reset-names = "power", "softreset";
+diff --git a/arch/arm/crypto/aes-ce-glue.c b/arch/arm/crypto/aes-ce-glue.c
+index b445a5d56f43..593da7ffb449 100644
+--- a/arch/arm/crypto/aes-ce-glue.c
++++ b/arch/arm/crypto/aes-ce-glue.c
+@@ -279,7 +279,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct 
scatterlist *dst,
+               err = blkcipher_walk_done(desc, &walk,
+                                         walk.nbytes % AES_BLOCK_SIZE);
+       }
+-      if (nbytes) {
++      if (walk.nbytes % AES_BLOCK_SIZE) {
+               u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
+               u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
+               u8 __aligned(8) tail[AES_BLOCK_SIZE];
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index 5414081c0bbf..87b2663a5564 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -154,8 +154,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
+ {
+       int i;
+ 
+-      kvm_free_stage2_pgd(kvm);
+-
+       for (i = 0; i < KVM_MAX_VCPUS; ++i) {
+               if (kvm->vcpus[i]) {
+                       kvm_arch_vcpu_free(kvm->vcpus[i]);
+diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
+index 691ea94897fd..a33af44230da 100644
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1850,6 +1850,7 @@ void kvm_arch_memslots_updated(struct kvm *kvm)
+ 
+ void kvm_arch_flush_shadow_all(struct kvm *kvm)
+ {
++      kvm_free_stage2_pgd(kvm);
+ }
+ 
+ void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
+diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
+index 6a7c6fc780cc..4627c862beac 100644
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -288,7 +288,7 @@ int imx6q_set_lpm(enum mxc_cpu_pwr_mode mode)
+               val |= 0x3 << BP_CLPCR_STBY_COUNT;
+               val |= BM_CLPCR_VSTBY;
+               val |= BM_CLPCR_SBYOS;
+-              if (cpu_is_imx6sl())
++              if (cpu_is_imx6sl() || cpu_is_imx6sx())
+                       val |= BM_CLPCR_BYPASS_PMIC_READY;
+               if (cpu_is_imx6sl() || cpu_is_imx6sx())
+                       val |= BM_CLPCR_BYP_MMDC_CH0_LPM_HS;
+diff --git a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c 
b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+index 4e8e93c398db..808c8e59000d 100644
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -724,8 +724,20 @@ static struct omap_hwmod omap3xxx_dss_dispc_hwmod = {
+  * display serial interface controller
+  */
+ 
++static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
++      .rev_offs       = 0x0000,
++      .sysc_offs      = 0x0010,
++      .syss_offs      = 0x0014,
++      .sysc_flags     = (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
++                         SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
++                         SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
++      .idlemodes      = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
++      .sysc_fields    = &omap_hwmod_sysc_type1,
++};
++
+ static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
+       .name = "dsi",
++      .sysc   = &omap3xxx_dsi_sysc,
+ };
+ 
+ static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
+diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c
+index 05d9e16c0dfd..6a51dfccfe71 100644
+--- a/arch/arm64/crypto/aes-glue.c
++++ b/arch/arm64/crypto/aes-glue.c
+@@ -211,7 +211,7 @@ static int ctr_encrypt(struct blkcipher_desc *desc, struct 
scatterlist *dst,
+               err = blkcipher_walk_done(desc, &walk,
+                                         walk.nbytes % AES_BLOCK_SIZE);
+       }
+-      if (nbytes) {
++      if (walk.nbytes % AES_BLOCK_SIZE) {
+               u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
+               u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
+               u8 __aligned(8) tail[AES_BLOCK_SIZE];
+diff --git a/arch/arm64/include/asm/spinlock.h 
b/arch/arm64/include/asm/spinlock.h
+index cee128732435..d155a9bbfab6 100644
+--- a/arch/arm64/include/asm/spinlock.h
++++ b/arch/arm64/include/asm/spinlock.h
+@@ -231,4 +231,14 @@ static inline int arch_read_trylock(arch_rwlock_t *rw)
+ #define arch_read_relax(lock) cpu_relax()
+ #define arch_write_relax(lock)        cpu_relax()
+ 
++/*
++ * Accesses appearing in program order before a spin_lock() operation
++ * can be reordered with accesses inside the critical section, by virtue
++ * of arch_spin_lock being constructed using acquire semantics.
++ *
++ * In cases where this is problematic (e.g. try_to_wake_up), an
++ * smp_mb__before_spinlock() can restore the required ordering.
++ */
++#define smp_mb__before_spinlock()     smp_mb()
++
+ #endif /* __ASM_SPINLOCK_H */
+diff --git a/arch/avr32/include/asm/uaccess.h 
b/arch/avr32/include/asm/uaccess.h
+index a46f7cf3e1ea..20b52c40bcd2 100644
+--- a/arch/avr32/include/asm/uaccess.h
++++ b/arch/avr32/include/asm/uaccess.h
+@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void *to, const void 
*from,
+ 
+ extern __kernel_size_t copy_to_user(void __user *to, const void *from,
+                                   __kernel_size_t n);
+-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
++extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
+                                     __kernel_size_t n);
+ 
+ static inline __kernel_size_t __copy_to_user(void __user *to, const void 
*from,
+@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_from_user(void *to,
+ {
+       return __copy_user(to, (const void __force *)from, n);
+ }
++static inline __kernel_size_t copy_from_user(void *to,
++                                             const void __user *from,
++                                             __kernel_size_t n)
++{
++      size_t res = ___copy_from_user(to, from, n);
++      if (unlikely(res))
++              memset(to + (n - res), 0, res);
++      return res;
++}
+ 
+ #define __copy_to_user_inatomic __copy_to_user
+ #define __copy_from_user_inatomic __copy_from_user
+diff --git a/arch/avr32/kernel/avr32_ksyms.c b/arch/avr32/kernel/avr32_ksyms.c
+index d93ead02daed..7c6cf14f0985 100644
+--- a/arch/avr32/kernel/avr32_ksyms.c
++++ b/arch/avr32/kernel/avr32_ksyms.c
+@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
+ /*
+  * Userspace access stuff.
+  */
+-EXPORT_SYMBOL(copy_from_user);
++EXPORT_SYMBOL(___copy_from_user);
+ EXPORT_SYMBOL(copy_to_user);
+ EXPORT_SYMBOL(__copy_user);
+ EXPORT_SYMBOL(strncpy_from_user);
+diff --git a/arch/avr32/lib/copy_user.S b/arch/avr32/lib/copy_user.S
+index ea59c04b07de..075373471da1 100644
+--- a/arch/avr32/lib/copy_user.S
++++ b/arch/avr32/lib/copy_user.S
+@@ -23,13 +23,13 @@
+        */
+       .text
+       .align  1
+-      .global copy_from_user
+-      .type   copy_from_user, @function
+-copy_from_user:
++      .global ___copy_from_user
++      .type   ___copy_from_user, @function
++___copy_from_user:
+       branch_if_kernel r8, __copy_user
+       ret_if_privileged r8, r11, r10, r10
+       rjmp    __copy_user
+-      .size   copy_from_user, . - copy_from_user
++      .size   ___copy_from_user, . - ___copy_from_user
+ 
+       .global copy_to_user
+       .type   copy_to_user, @function
+diff --git a/arch/blackfin/include/asm/uaccess.h 
b/arch/blackfin/include/asm/uaccess.h
+index 90612a7f2cf3..8cd0184ea9ef 100644
+--- a/arch/blackfin/include/asm/uaccess.h
++++ b/arch/blackfin/include/asm/uaccess.h
+@@ -177,11 +177,12 @@ static inline int bad_user_access_length(void)
+ static inline unsigned long __must_check
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+-      if (access_ok(VERIFY_READ, from, n))
++      if (likely(access_ok(VERIFY_READ, from, n))) {
+               memcpy(to, (const void __force *)from, n);
+-      else
+-              return n;
+-      return 0;
++              return 0;
++      }
++      memset(to, 0, n);
++      return n;
+ }
+ 
+ static inline unsigned long __must_check
+diff --git a/arch/cris/include/asm/uaccess.h b/arch/cris/include/asm/uaccess.h
+index e3530d0f13ee..56c7d5750abd 100644
+--- a/arch/cris/include/asm/uaccess.h
++++ b/arch/cris/include/asm/uaccess.h
+@@ -194,30 +194,6 @@ extern unsigned long __copy_user(void __user *to, const 
void *from, unsigned lon
+ extern unsigned long __copy_user_zeroing(void *to, const void __user *from, 
unsigned long n);
+ extern unsigned long __do_clear_user(void __user *to, unsigned long n);
+ 
+-static inline unsigned long
+-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
+-{
+-      if (access_ok(VERIFY_WRITE, to, n))
+-              return __copy_user(to, from, n);
+-      return n;
+-}
+-
+-static inline unsigned long
+-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
+-{
+-      if (access_ok(VERIFY_READ, from, n))
+-              return __copy_user_zeroing(to, from, n);
+-      return n;
+-}
+-
+-static inline unsigned long
+-__generic_clear_user(void __user *to, unsigned long n)
+-{
+-      if (access_ok(VERIFY_WRITE, to, n))
+-              return __do_clear_user(to, n);
+-      return n;
+-}
+-
+ static inline long
+ __strncpy_from_user(char *dst, const char __user *src, long count)
+ {
+@@ -282,7 +258,7 @@ __constant_copy_from_user(void *to, const void __user 
*from, unsigned long n)
+       else if (n == 24)
+               __asm_copy_from_user_24(to, from, ret);
+       else
+-              ret = __generic_copy_from_user(to, from, n);
++              ret = __copy_user_zeroing(to, from, n);
+ 
+       return ret;
+ }
+@@ -333,7 +309,7 @@ __constant_copy_to_user(void __user *to, const void *from, 
unsigned long n)
+       else if (n == 24)
+               __asm_copy_to_user_24(to, from, ret);
+       else
+-              ret = __generic_copy_to_user(to, from, n);
++              ret = __copy_user(to, from, n);
+ 
+       return ret;
+ }
+@@ -366,26 +342,43 @@ __constant_clear_user(void __user *to, unsigned long n)
+       else if (n == 24)
+               __asm_clear_24(to, ret);
+       else
+-              ret = __generic_clear_user(to, n);
++              ret = __do_clear_user(to, n);
+ 
+       return ret;
+ }
+ 
+ 
+-#define clear_user(to, n)                             \
+-      (__builtin_constant_p(n) ?                      \
+-       __constant_clear_user(to, n) :                 \
+-       __generic_clear_user(to, n))
++static inline size_t clear_user(void __user *to, size_t n)
++{
++      if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
++              return n;
++      if (__builtin_constant_p(n))
++              return __constant_clear_user(to, n);
++      else
++              return __do_clear_user(to, n);
++}
+ 
+-#define copy_from_user(to, from, n)                   \
+-      (__builtin_constant_p(n) ?                      \
+-       __constant_copy_from_user(to, from, n) :       \
+-       __generic_copy_from_user(to, from, n))
++static inline size_t copy_from_user(void *to, const void __user *from, size_t 
n)
++{
++      if (unlikely(!access_ok(VERIFY_READ, from, n))) {
++              memset(to, 0, n);
++              return n;
++      }
++      if (__builtin_constant_p(n))
++              return __constant_copy_from_user(to, from, n);
++      else
++              return __copy_user_zeroing(to, from, n);
++}
+ 
+-#define copy_to_user(to, from, n)                     \
+-      (__builtin_constant_p(n) ?                      \
+-       __constant_copy_to_user(to, from, n) :         \
+-       __generic_copy_to_user(to, from, n))
++static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
++{
++      if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
++              return n;
++      if (__builtin_constant_p(n))
++              return __constant_copy_to_user(to, from, n);
++      else
++              return __copy_user(to, from, n);
++}
+ 
+ /* We let the __ versions of copy_from/to_user inline, because they're often
+  * used in fast paths and have only a small space overhead.
+diff --git a/arch/frv/include/asm/uaccess.h b/arch/frv/include/asm/uaccess.h
+index 3ac9a59d65d4..87d9e34c5df8 100644
+--- a/arch/frv/include/asm/uaccess.h
++++ b/arch/frv/include/asm/uaccess.h
+@@ -263,19 +263,25 @@ do {                                                     
\
+ extern long __memset_user(void *dst, unsigned long count);
+ extern long __memcpy_user(void *dst, const void *src, unsigned long count);
+ 
+-#define clear_user(dst,count)                 __memset_user(____force(dst), 
(count))
++#define __clear_user(dst,count)                       
__memset_user(____force(dst), (count))
+ #define __copy_from_user_inatomic(to, from, n)        __memcpy_user((to), 
____force(from), (n))
+ #define __copy_to_user_inatomic(to, from, n)  __memcpy_user(____force(to), 
(from), (n))
+ 
+ #else
+ 
+-#define clear_user(dst,count)                 (memset(____force(dst), 0, 
(count)), 0)
++#define __clear_user(dst,count)                       (memset(____force(dst), 
0, (count)), 0)
+ #define __copy_from_user_inatomic(to, from, n)        (memcpy((to), 
____force(from), (n)), 0)
+ #define __copy_to_user_inatomic(to, from, n)  (memcpy(____force(to), (from), 
(n)), 0)
+ 
+ #endif
+ 
+-#define __clear_user clear_user
++static inline unsigned long __must_check
++clear_user(void __user *to, unsigned long n)
++{
++      if (likely(__access_ok(to, n)))
++              n = __clear_user(to, n);
++      return n;
++}
+ 
+ static inline unsigned long __must_check
+ __copy_to_user(void __user *to, const void *from, unsigned long n)
+diff --git a/arch/hexagon/include/asm/uaccess.h 
b/arch/hexagon/include/asm/uaccess.h
+index e4127e4d6a5b..25fc9049db8a 100644
+--- a/arch/hexagon/include/asm/uaccess.h
++++ b/arch/hexagon/include/asm/uaccess.h
+@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_user(char *dst, 
const char __user *src,
+ {
+       long res = __strnlen_user(src, n);
+ 
+-      /* return from strnlen can't be zero -- that would be rubbish. */
++      if (unlikely(!res))
++              return -EFAULT;
+ 
+       if (res > n) {
+               copy_from_user(dst, src, n);
+diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
+index 4f3fb6ccbf21..40c2027a2bf4 100644
+--- a/arch/ia64/include/asm/uaccess.h
++++ b/arch/ia64/include/asm/uaccess.h
+@@ -263,17 +263,15 @@ __copy_from_user (void *to, const void __user *from, 
unsigned long count)
+       __cu_len;                                                               
        \
+ })
+ 
+-#define copy_from_user(to, from, n)                                           
        \
+-({                                                                            
        \
+-      void *__cu_to = (to);                                                   
        \
+-      const void __user *__cu_from = (from);                                  
        \
+-      long __cu_len = (n);                                                    
        \
+-                                                                              
        \
+-      __chk_user_ptr(__cu_from);                                              
        \
+-      if (__access_ok(__cu_from, __cu_len, get_fs()))                         
        \
+-              __cu_len = __copy_user((__force void __user *) __cu_to, 
__cu_from, __cu_len);   \
+-      __cu_len;                                                               
        \
+-})
++static inline unsigned long
++copy_from_user(void *to, const void __user *from, unsigned long n)
++{
++      if (likely(__access_ok(from, n, get_fs())))
++              n = __copy_user((__force void __user *) to, from, n);
++      else
++              memset(to, 0, n);
++      return n;
++}
+ 
+ #define __copy_in_user(to, from, size)        __copy_user((to), (from), 
(size))
+ 
+diff --git a/arch/m32r/include/asm/uaccess.h b/arch/m32r/include/asm/uaccess.h
+index 71adff209405..c66a38d0a895 100644
+--- a/arch/m32r/include/asm/uaccess.h
++++ b/arch/m32r/include/asm/uaccess.h
+@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_regs *regs);
+ #define __get_user_nocheck(x, ptr, size)                              \
+ ({                                                                    \
+       long __gu_err = 0;                                              \
+-      unsigned long __gu_val;                                         \
++      unsigned long __gu_val = 0;                                     \
+       might_fault();                                                  \
+       __get_user_size(__gu_val, (ptr), (size), __gu_err);             \
+       (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
+diff --git a/arch/metag/include/asm/uaccess.h 
b/arch/metag/include/asm/uaccess.h
+index 8282cbce7e39..273e61225c27 100644
+--- a/arch/metag/include/asm/uaccess.h
++++ b/arch/metag/include/asm/uaccess.h
+@@ -204,8 +204,9 @@ extern unsigned long __must_check __copy_user_zeroing(void 
*to,
+ static inline unsigned long
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+-      if (access_ok(VERIFY_READ, from, n))
++      if (likely(access_ok(VERIFY_READ, from, n)))
+               return __copy_user_zeroing(to, from, n);
++      memset(to, 0, n);
+       return n;
+ }
+ 
+diff --git a/arch/microblaze/include/asm/uaccess.h 
b/arch/microblaze/include/asm/uaccess.h
+index 62942fd12672..0c0a5cfbf79a 100644
+--- a/arch/microblaze/include/asm/uaccess.h
++++ b/arch/microblaze/include/asm/uaccess.h
+@@ -226,7 +226,7 @@ extern long __user_bad(void);
+ 
+ #define __get_user(x, ptr)                                            \
+ ({                                                                    \
+-      unsigned long __gu_val;                                         \
++      unsigned long __gu_val = 0;                                     \
+       /*unsigned long __gu_ptr = (unsigned long)(ptr);*/              \
+       long __gu_err;                                                  \
+       switch (sizeof(*(ptr))) {                                       \
+@@ -371,10 +371,13 @@ extern long __user_bad(void);
+ static inline long copy_from_user(void *to,
+               const void __user *from, unsigned long n)
+ {
++      unsigned long res = n;
+       might_fault();
+-      if (access_ok(VERIFY_READ, from, n))
+-              return __copy_from_user(to, from, n);
+-      return n;
++      if (likely(access_ok(VERIFY_READ, from, n)))
++              res = __copy_from_user(to, from, n);
++      if (unlikely(res))
++              memset(to + (n - res), 0, res);
++      return res;
+ }
+ 
+ #define __copy_to_user(to, from, n)   \
+diff --git a/arch/mips/include/asm/asmmacro.h 
b/arch/mips/include/asm/asmmacro.h
+index 6156ac8c4cfb..ab49b14a4be0 100644
+--- a/arch/mips/include/asm/asmmacro.h
++++ b/arch/mips/include/asm/asmmacro.h
+@@ -135,6 +135,7 @@
+       ldc1    $f28, THREAD_FPR28(\thread)
+       ldc1    $f30, THREAD_FPR30(\thread)
+       ctc1    \tmp, fcr31
++      .set    pop
+       .endm
+ 
+       .macro  fpu_restore_16odd thread
+diff --git a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h 
b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
+index 2f82bfa3a773..c9f5769dfc8f 100644
+--- a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
++++ b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
+@@ -11,11 +11,13 @@
+ #define CP0_EBASE $15, 1
+ 
+       .macro  kernel_entry_setup
++#ifdef CONFIG_SMP
+       mfc0    t0, CP0_EBASE
+       andi    t0, t0, 0x3ff           # CPUNum
+       beqz    t0, 1f
+       # CPUs other than zero goto smp_bootstrap
+       j       smp_bootstrap
++#endif /* CONFIG_SMP */
+ 
+ 1:
+       .endm
+diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
+index bf8b32450ef6..bc2f5164ce51 100644
+--- a/arch/mips/include/asm/uaccess.h
++++ b/arch/mips/include/asm/uaccess.h
+@@ -14,6 +14,7 @@
+ #include <linux/kernel.h>
+ #include <linux/errno.h>
+ #include <linux/thread_info.h>
++#include <linux/string.h>
+ #include <asm/asm-eva.h>
+ 
+ /*
+@@ -1136,6 +1137,8 @@ extern size_t __copy_in_user_eva(void *__to, const void 
*__from, size_t __n);
+                       __cu_len = __invoke_copy_from_user(__cu_to,     \
+                                                          __cu_from,   \
+                                                          __cu_len);   \
++              } else {                                                \
++                      memset(__cu_to, 0, __cu_len);                   \
+               }                                                       \
+       }                                                               \
+       __cu_len;                                                       \
+diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c 
b/arch/mips/kernel/mips-r2-to-r6-emul.c
+index e19fa363c8fe..488e50dd2fe6 100644
+--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
++++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
+@@ -1163,7 +1163,9 @@ fpu_emul:
+               regs->regs[31] = r31;
+               regs->cp0_epc = epc;
+               if (!used_math()) {     /* First time FPU user.  */
++                      preempt_disable();
+                       err = init_fpu();
++                      preempt_enable();
+                       set_used_math();
+               }
+               lose_fpu(1);    /* Save FPU state for the emulator. */
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index 89847bee2b53..44a6f25e902e 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -593,14 +593,14 @@ int mips_set_process_fp_mode(struct task_struct *task, 
unsigned int value)
+               return -EOPNOTSUPP;
+ 
+       /* Avoid inadvertently triggering emulation */
+-      if ((value & PR_FP_MODE_FR) && cpu_has_fpu &&
+-          !(current_cpu_data.fpu_id & MIPS_FPIR_F64))
++      if ((value & PR_FP_MODE_FR) && raw_cpu_has_fpu &&
++          !(raw_current_cpu_data.fpu_id & MIPS_FPIR_F64))
+               return -EOPNOTSUPP;
+-      if ((value & PR_FP_MODE_FRE) && cpu_has_fpu && !cpu_has_fre)
++      if ((value & PR_FP_MODE_FRE) && raw_cpu_has_fpu && !cpu_has_fre)
+               return -EOPNOTSUPP;
+ 
+       /* FR = 0 not supported in MIPS R6 */
+-      if (!(value & PR_FP_MODE_FR) && cpu_has_fpu && cpu_has_mips_r6)
++      if (!(value & PR_FP_MODE_FR) && raw_cpu_has_fpu && cpu_has_mips_r6)
+               return -EOPNOTSUPP;
+ 
+       /* Proceed with the mode switch */
+diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c
+index 3cef551908f4..a0268f61cd57 100644
+--- a/arch/mips/kernel/smp.c
++++ b/arch/mips/kernel/smp.c
+@@ -172,6 +172,9 @@ asmlinkage void start_secondary(void)
+       cpumask_set_cpu(cpu, &cpu_coherent_mask);
+       notify_cpu_starting(cpu);
+ 
++      cpumask_set_cpu(cpu, &cpu_callin_map);
++      synchronise_count_slave(cpu);
++
+       set_cpu_online(cpu, true);
+ 
+       set_cpu_sibling_map(cpu);
+@@ -179,10 +182,6 @@ asmlinkage void start_secondary(void)
+ 
+       calculate_cpu_foreign_map();
+ 
+-      cpumask_set_cpu(cpu, &cpu_callin_map);
+-
+-      synchronise_count_slave(cpu);
+-
+       /*
+        * irq will be enabled in ->smp_finish(), enabling it too early
+        * is dangerous.
+diff --git a/arch/mips/kvm/tlb.c b/arch/mips/kvm/tlb.c
+index 7a7ed9ca01bb..eff71c75dc27 100644
+--- a/arch/mips/kvm/tlb.c
++++ b/arch/mips/kvm/tlb.c
+@@ -152,7 +152,7 @@ static int kvm_mips_map_page(struct kvm *kvm, gfn_t gfn)
+       srcu_idx = srcu_read_lock(&kvm->srcu);
+       pfn = kvm_mips_gfn_to_pfn(kvm, gfn);
+ 
+-      if (kvm_mips_is_error_pfn(pfn)) {
++      if (is_error_noslot_pfn(pfn)) {
+               kvm_err("Couldn't get pfn for gfn %#" PRIx64 "!\n", gfn);
+               err = -EFAULT;
+               goto out;
+diff --git a/arch/mn10300/include/asm/uaccess.h 
b/arch/mn10300/include/asm/uaccess.h
+index 537278746a15..4af43d9ba495 100644
+--- a/arch/mn10300/include/asm/uaccess.h
++++ b/arch/mn10300/include/asm/uaccess.h
+@@ -181,6 +181,7 @@ struct __large_struct { unsigned long buf[100]; };
+               "2:\n"                                          \
+               "       .section        .fixup,\"ax\"\n"        \
+               "3:\n\t"                                        \
++              "       mov             0,%1\n"                 \
+               "       mov             %3,%0\n"                \
+               "       jmp             2b\n"                   \
+               "       .previous\n"                            \
+diff --git a/arch/mn10300/lib/usercopy.c b/arch/mn10300/lib/usercopy.c
+index 7826e6c364e7..ce8899e5e171 100644
+--- a/arch/mn10300/lib/usercopy.c
++++ b/arch/mn10300/lib/usercopy.c
+@@ -9,7 +9,7 @@
+  * as published by the Free Software Foundation; either version
+  * 2 of the Licence, or (at your option) any later version.
+  */
+-#include <asm/uaccess.h>
++#include <linux/uaccess.h>
+ 
+ unsigned long
+ __generic_copy_to_user(void *to, const void *from, unsigned long n)
+@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const void *from, 
unsigned long n)
+ {
+       if (access_ok(VERIFY_READ, from, n))
+               __copy_user_zeroing(to, from, n);
++      else
++              memset(to, 0, n);
+       return n;
+ }
+ 
+diff --git a/arch/nios2/include/asm/uaccess.h 
b/arch/nios2/include/asm/uaccess.h
+index caa51ff85a3c..0ab82324c817 100644
+--- a/arch/nios2/include/asm/uaccess.h
++++ b/arch/nios2/include/asm/uaccess.h
+@@ -102,9 +102,12 @@ extern long __copy_to_user(void __user *to, const void 
*from, unsigned long n);
+ static inline long copy_from_user(void *to, const void __user *from,
+                               unsigned long n)
+ {
+-      if (!access_ok(VERIFY_READ, from, n))
+-              return n;
+-      return __copy_from_user(to, from, n);
++      unsigned long res = n;
++      if (access_ok(VERIFY_READ, from, n))
++              res = __copy_from_user(to, from, n);
++      if (unlikely(res))
++              memset(to + (n - res), 0, res);
++      return res;
+ }
+ 
+ static inline long copy_to_user(void __user *to, const void *from,
+@@ -139,7 +142,7 @@ extern long strnlen_user(const char __user *s, long n);
+ 
+ #define __get_user_unknown(val, size, ptr, err) do {                  \
+       err = 0;                                                        \
+-      if (copy_from_user(&(val), ptr, size)) {                        \
++      if (__copy_from_user(&(val), ptr, size)) {                      \
+               err = -EFAULT;                                          \
+       }                                                               \
+       } while (0)
+@@ -166,7 +169,7 @@ do {                                                       
                \
+       ({                                                              \
+       long __gu_err = -EFAULT;                                        \
+       const __typeof__(*(ptr)) __user *__gu_ptr = (ptr);              \
+-      unsigned long __gu_val;                                         \
++      unsigned long __gu_val = 0;                                     \
+       __get_user_common(__gu_val, sizeof(*(ptr)), __gu_ptr, __gu_err);\
+       (x) = (__force __typeof__(x))__gu_val;                          \
+       __gu_err;                                                       \
+diff --git a/arch/openrisc/include/asm/uaccess.h 
b/arch/openrisc/include/asm/uaccess.h
+index a6bd07ca3d6c..5cc6b4f1b795 100644
+--- a/arch/openrisc/include/asm/uaccess.h
++++ b/arch/openrisc/include/asm/uaccess.h
+@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void *from, unsigned 
long size);
+ static inline unsigned long
+ copy_from_user(void *to, const void *from, unsigned long n)
+ {
+-      unsigned long over;
+-
+-      if (access_ok(VERIFY_READ, from, n))
+-              return __copy_tofrom_user(to, from, n);
+-      if ((unsigned long)from < TASK_SIZE) {
+-              over = (unsigned long)from + n - TASK_SIZE;
+-              return __copy_tofrom_user(to, from, n - over) + over;
+-      }
+-      return n;
++      unsigned long res = n;
++
++      if (likely(access_ok(VERIFY_READ, from, n)))
++              res = __copy_tofrom_user(to, from, n);
++      if (unlikely(res))
++              memset(to + (n - res), 0, res);
++      return res;
+ }
+ 
+ static inline unsigned long
+ copy_to_user(void *to, const void *from, unsigned long n)
+ {
+-      unsigned long over;
+-
+-      if (access_ok(VERIFY_WRITE, to, n))
+-              return __copy_tofrom_user(to, from, n);
+-      if ((unsigned long)to < TASK_SIZE) {
+-              over = (unsigned long)to + n - TASK_SIZE;
+-              return __copy_tofrom_user(to, from, n - over) + over;
+-      }
++      if (likely(access_ok(VERIFY_WRITE, to, n)))
++              n = __copy_tofrom_user(to, from, n);
+       return n;
+ }
+ 
+@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void *addr, unsigned 
long size);
+ static inline __must_check unsigned long
+ clear_user(void *addr, unsigned long size)
+ {
+-
+-      if (access_ok(VERIFY_WRITE, addr, size))
+-              return __clear_user(addr, size);
+-      if ((unsigned long)addr < TASK_SIZE) {
+-              unsigned long over = (unsigned long)addr + size - TASK_SIZE;
+-              return __clear_user(addr, size - over) + over;
+-      }
++      if (likely(access_ok(VERIFY_WRITE, addr, size)))
++              size = __clear_user(addr, size);
+       return size;
+ }
+ 
+diff --git a/arch/parisc/include/asm/uaccess.h 
b/arch/parisc/include/asm/uaccess.h
+index 1960b87c1c8b..4ad51465890b 100644
+--- a/arch/parisc/include/asm/uaccess.h
++++ b/arch/parisc/include/asm/uaccess.h
+@@ -10,6 +10,7 @@
+ #include <asm-generic/uaccess-unaligned.h>
+ 
+ #include <linux/bug.h>
++#include <linux/string.h>
+ 
+ #define VERIFY_READ 0
+ #define VERIFY_WRITE 1
+@@ -245,13 +246,14 @@ static inline unsigned long __must_check 
copy_from_user(void *to,
+                                           unsigned long n)
+ {
+         int sz = __compiletime_object_size(to);
+-        int ret = -EFAULT;
++        unsigned long ret = n;
+ 
+         if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
+                 ret = __copy_from_user(to, from, n);
+         else
+                 copy_from_user_overflow();
+-
++      if (unlikely(ret))
++              memset(to + (n - ret), 0, ret);
+         return ret;
+ }
+ 
+diff --git a/arch/powerpc/include/asm/uaccess.h 
b/arch/powerpc/include/asm/uaccess.h
+index a0c071d24e0e..6fbea25d8c78 100644
+--- a/arch/powerpc/include/asm/uaccess.h
++++ b/arch/powerpc/include/asm/uaccess.h
+@@ -323,30 +323,17 @@ extern unsigned long __copy_tofrom_user(void __user *to,
+ static inline unsigned long copy_from_user(void *to,
+               const void __user *from, unsigned long n)
+ {
+-      unsigned long over;
+-
+-      if (access_ok(VERIFY_READ, from, n))
++      if (likely(access_ok(VERIFY_READ, from, n)))
+               return __copy_tofrom_user((__force void __user *)to, from, n);
+-      if ((unsigned long)from < TASK_SIZE) {
+-              over = (unsigned long)from + n - TASK_SIZE;
+-              return __copy_tofrom_user((__force void __user *)to, from,
+-                              n - over) + over;
+-      }
++      memset(to, 0, n);
+       return n;
+ }
+ 
+ static inline unsigned long copy_to_user(void __user *to,
+               const void *from, unsigned long n)
+ {
+-      unsigned long over;
+-
+       if (access_ok(VERIFY_WRITE, to, n))
+               return __copy_tofrom_user(to, (__force void __user *)from, n);
+-      if ((unsigned long)to < TASK_SIZE) {
+-              over = (unsigned long)to + n - TASK_SIZE;
+-              return __copy_tofrom_user(to, (__force void __user *)from,
+-                              n - over) + over;
+-      }
+       return n;
+ }
+ 
+@@ -437,10 +424,6 @@ static inline unsigned long clear_user(void __user *addr, 
unsigned long size)
+       might_fault();
+       if (likely(access_ok(VERIFY_WRITE, addr, size)))
+               return __clear_user(addr, size);
+-      if ((unsigned long)addr < TASK_SIZE) {
+-              unsigned long over = (unsigned long)addr + size - TASK_SIZE;
+-              return __clear_user(addr, size - over) + over;
+-      }
+       return size;
+ }
+ 
+diff --git a/arch/powerpc/mm/slb_low.S b/arch/powerpc/mm/slb_low.S
+index 736d18b3cefd..4c48b487698c 100644
+--- a/arch/powerpc/mm/slb_low.S
++++ b/arch/powerpc/mm/slb_low.S
+@@ -113,7 +113,12 @@ BEGIN_FTR_SECTION
+ END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
+       b       slb_finish_load_1T
+ 
+-0:
++0:    /*
++       * For userspace addresses, make sure this is region 0.
++       */
++      cmpdi   r9, 0
++      bne     8f
++
+       /* when using slices, we extract the psize off the slice bitmaps
+        * and then we need to get the sllp encoding off the mmu_psize_defs
+        * array.
+diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
+index d64a7a62164f..f6ac1d7e7ed8 100644
+--- a/arch/s390/include/asm/uaccess.h
++++ b/arch/s390/include/asm/uaccess.h
+@@ -213,28 +213,28 @@ int __put_user_bad(void) __attribute__((noreturn));
+       __chk_user_ptr(ptr);                                    \
+       switch (sizeof(*(ptr))) {                               \
+       case 1: {                                               \
+-              unsigned char __x;                              \
++              unsigned char __x = 0;                          \
+               __gu_err = __get_user_fn(&__x, ptr,             \
+                                        sizeof(*(ptr)));       \
+               (x) = *(__force __typeof__(*(ptr)) *) &__x;     \
+               break;                                          \
+       };                                                      \
+       case 2: {                                               \
+-              unsigned short __x;                             \
++              unsigned short __x = 0;                         \
+               __gu_err = __get_user_fn(&__x, ptr,             \
+                                        sizeof(*(ptr)));       \
+               (x) = *(__force __typeof__(*(ptr)) *) &__x;     \
+               break;                                          \
+       };                                                      \
+       case 4: {                                               \
+-              unsigned int __x;                               \
++              unsigned int __x = 0;                           \
+               __gu_err = __get_user_fn(&__x, ptr,             \
+                                        sizeof(*(ptr)));       \
+               (x) = *(__force __typeof__(*(ptr)) *) &__x;     \
+               break;                                          \
+       };                                                      \
+       case 8: {                                               \
+-              unsigned long long __x;                         \
++              unsigned long long __x = 0;                     \
+               __gu_err = __get_user_fn(&__x, ptr,             \
+                                        sizeof(*(ptr)));       \
+               (x) = *(__force __typeof__(*(ptr)) *) &__x;     \
+diff --git a/arch/score/include/asm/uaccess.h 
b/arch/score/include/asm/uaccess.h
+index ab66ddde777b..69326dfb894d 100644
+--- a/arch/score/include/asm/uaccess.h
++++ b/arch/score/include/asm/uaccess.h
+@@ -158,7 +158,7 @@ do {                                                       
                \
+               __get_user_asm(val, "lw", ptr);                         \
+                break;                                                 \
+       case 8:                                                         \
+-              if ((copy_from_user((void *)&val, ptr, 8)) == 0)        \
++              if (__copy_from_user((void *)&val, ptr, 8) == 0)        \
+                       __gu_err = 0;                                   \
+               else                                                    \
+                       __gu_err = -EFAULT;                             \
+@@ -183,6 +183,8 @@ do {                                                       
                \
+                                                                       \
+       if (likely(access_ok(VERIFY_READ, __gu_ptr, size)))             \
+               __get_user_common((x), size, __gu_ptr);                 \
++      else                                                            \
++              (x) = 0;                                                \
+                                                                       \
+       __gu_err;                                                       \
+ })
+@@ -196,6 +198,7 @@ do {                                                       
                \
+               "2:\n"                                                  \
+               ".section .fixup,\"ax\"\n"                              \
+               "3:li   %0, %4\n"                                       \
++              "li     %1, 0\n"                                        \
+               "j      2b\n"                                           \
+               ".previous\n"                                           \
+               ".section __ex_table,\"a\"\n"                           \
+@@ -293,35 +296,34 @@ extern int __copy_tofrom_user(void *to, const void 
*from, unsigned long len);
+ static inline unsigned long
+ copy_from_user(void *to, const void *from, unsigned long len)
+ {
+-      unsigned long over;
++      unsigned long res = len;
+ 
+-      if (access_ok(VERIFY_READ, from, len))
+-              return __copy_tofrom_user(to, from, len);
++      if (likely(access_ok(VERIFY_READ, from, len)))
++              res = __copy_tofrom_user(to, from, len);
+ 
+-      if ((unsigned long)from < TASK_SIZE) {
+-              over = (unsigned long)from + len - TASK_SIZE;
+-              return __copy_tofrom_user(to, from, len - over) + over;
+-      }
+-      return len;
++      if (unlikely(res))
++              memset(to + (len - res), 0, res);
++
++      return res;
+ }
+ 
+ static inline unsigned long
+ copy_to_user(void *to, const void *from, unsigned long len)
+ {
+-      unsigned long over;
+-
+-      if (access_ok(VERIFY_WRITE, to, len))
+-              return __copy_tofrom_user(to, from, len);
++      if (likely(access_ok(VERIFY_WRITE, to, len)))
++              len = __copy_tofrom_user(to, from, len);
+ 
+-      if ((unsigned long)to < TASK_SIZE) {
+-              over = (unsigned long)to + len - TASK_SIZE;
+-              return __copy_tofrom_user(to, from, len - over) + over;
+-      }
+       return len;
+ }
+ 
+-#define __copy_from_user(to, from, len)       \
+-              __copy_tofrom_user((to), (from), (len))
++static inline unsigned long
++__copy_from_user(void *to, const void *from, unsigned long len)
++{
++      unsigned long left = __copy_tofrom_user(to, from, len);
++      if (unlikely(left))
++              memset(to + (len - left), 0, left);
++      return left;
++}
+ 
+ #define __copy_to_user(to, from, len)         \
+               __copy_tofrom_user((to), (from), (len))
+@@ -335,17 +337,17 @@ __copy_to_user_inatomic(void *to, const void *from, 
unsigned long len)
+ static inline unsigned long
+ __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
+ {
+-      return __copy_from_user(to, from, len);
++      return __copy_tofrom_user(to, from, len);
+ }
+ 
+-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len)
++#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len)
+ 
+ static inline unsigned long
+ copy_in_user(void *to, const void *from, unsigned long len)
+ {
+       if (access_ok(VERIFY_READ, from, len) &&
+                     access_ok(VERFITY_WRITE, to, len))
+-              return copy_from_user(to, from, len);
++              return __copy_tofrom_user(to, from, len);
+ }
+ 
+ /*
+diff --git a/arch/sh/include/asm/uaccess.h b/arch/sh/include/asm/uaccess.h
+index a49635c51266..92ade79ac427 100644
+--- a/arch/sh/include/asm/uaccess.h
++++ b/arch/sh/include/asm/uaccess.h
+@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __user *from, 
unsigned long n)
+       __kernel_size_t __copy_size = (__kernel_size_t) n;
+ 
+       if (__copy_size && __access_ok(__copy_from, __copy_size))
+-              return __copy_user(to, from, __copy_size);
++              __copy_size = __copy_user(to, from, __copy_size);
++
++      if (unlikely(__copy_size))
++              memset(to + (n - __copy_size), 0, __copy_size);
+ 
+       return __copy_size;
+ }
+diff --git a/arch/sh/include/asm/uaccess_64.h 
b/arch/sh/include/asm/uaccess_64.h
+index c01376c76b86..ca5073dd4596 100644
+--- a/arch/sh/include/asm/uaccess_64.h
++++ b/arch/sh/include/asm/uaccess_64.h
+@@ -24,6 +24,7 @@
+ #define __get_user_size(x,ptr,size,retval)                    \
+ do {                                                          \
+       retval = 0;                                             \
++      x = 0;                                                  \
+       switch (size) {                                         \
+       case 1:                                                 \
+               retval = __get_user_asm_b((void *)&x,           \
+diff --git a/arch/sparc/include/asm/uaccess_32.h 
b/arch/sparc/include/asm/uaccess_32.h
+index 64ee103dc29d..dfb542c7cc71 100644
+--- a/arch/sparc/include/asm/uaccess_32.h
++++ b/arch/sparc/include/asm/uaccess_32.h
+@@ -328,8 +328,10 @@ static inline unsigned long copy_from_user(void *to, 
const void __user *from, un
+ {
+       if (n && __access_ok((unsigned long) from, n))
+               return __copy_user((__force void __user *) to, from, n);
+-      else
++      else {
++              memset(to, 0, n);
+               return n;
++      }
+ }
+ 
+ static inline unsigned long __copy_from_user(void *to, const void __user 
*from, unsigned long n)
+diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
+index ace9dec050b1..d081e7e42fb3 100644
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -391,7 +391,11 @@ do {                                                      
                \
+ #define __get_user_asm_ex(x, addr, itype, rtype, ltype)                       
\
+       asm volatile("1:        mov"itype" %1,%"rtype"0\n"              \
+                    "2:\n"                                             \
+-                   _ASM_EXTABLE_EX(1b, 2b)                            \
++                   ".section .fixup,\"ax\"\n"                         \
++                     "3:xor"itype" %"rtype"0,%"rtype"0\n"             \
++                   "  jmp 2b\n"                                       \
++                   ".previous\n"                                      \
++                   _ASM_EXTABLE_EX(1b, 3b)                            \
+                    : ltype(x) : "m" (__m(addr)))
+ 
+ #define __put_user_nocheck(x, ptr, size)                      \
+diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
+index 0122bec38564..f25799f351f7 100644
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -233,6 +233,8 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
+               return blkcipher_walk_done(desc, walk, -EINVAL);
+       }
+ 
++      bsize = min(walk->walk_blocksize, n);
++
+       walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
+                        BLKCIPHER_WALK_DIFF);
+       if (!scatterwalk_aligned(&walk->in, walk->alignmask) ||
+@@ -245,7 +247,6 @@ static int blkcipher_walk_next(struct blkcipher_desc *desc,
+               }
+       }
+ 
+-      bsize = min(walk->walk_blocksize, n);
+       n = scatterwalk_clamp(&walk->in, n);
+       n = scatterwalk_clamp(&walk->out, n);
+ 
+diff --git a/crypto/cryptd.c b/crypto/cryptd.c
+index b0602ba03111..34e4dfafb94f 100644
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -585,9 +585,14 @@ static int cryptd_hash_export(struct ahash_request *req, 
void *out)
+ 
+ static int cryptd_hash_import(struct ahash_request *req, const void *in)
+ {
+-      struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
++      struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
++      struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
++      struct shash_desc *desc = cryptd_shash_desc(req);
++
++      desc->tfm = ctx->child;
++      desc->flags = req->base.flags;
+ 
+-      return crypto_shash_import(&rctx->desc, in);
++      return crypto_shash_import(desc, in);
+ }
+ 
+ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr 
**tb,
+diff --git a/drivers/bus/arm-ccn.c b/drivers/bus/arm-ccn.c
+index 60397ec77ff7..27fd0dacad5f 100644
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -804,6 +804,10 @@ static void arm_ccn_pmu_xp_dt_config(struct perf_event 
*event, int enable)
+       struct arm_ccn_component *xp;
+       u32 val, dt_cfg;
+ 
++      /* Nothing to do for cycle counter */
++      if (hw->idx == CCN_IDX_PMU_CYCLE_COUNTER)
++              return;
++
+       if (CCN_CONFIG_TYPE(event->attr.config) == CCN_TYPE_XP)
+               xp = &ccn->xp[CCN_CONFIG_XP(event->attr.config)];
+       else
+@@ -901,7 +905,7 @@ static void arm_ccn_pmu_xp_watchpoint_config(struct 
perf_event *event)
+ 
+       /* Comparison values */
+       writel(cmp_l & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_L(wp));
+-      writel((cmp_l >> 32) & 0xefffffff,
++      writel((cmp_l >> 32) & 0x7fffffff,
+                       source->base + CCN_XP_DT_CMP_VAL_L(wp) + 4);
+       writel(cmp_h & 0xffffffff, source->base + CCN_XP_DT_CMP_VAL_H(wp));
+       writel((cmp_h >> 32) & 0x0fffffff,
+@@ -909,7 +913,7 @@ static void arm_ccn_pmu_xp_watchpoint_config(struct 
perf_event *event)
+ 
+       /* Mask */
+       writel(mask_l & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_L(wp));
+-      writel((mask_l >> 32) & 0xefffffff,
++      writel((mask_l >> 32) & 0x7fffffff,
+                       source->base + CCN_XP_DT_CMP_MASK_L(wp) + 4);
+       writel(mask_h & 0xffffffff, source->base + CCN_XP_DT_CMP_MASK_H(wp));
+       writel((mask_h >> 32) & 0x0fffffff,
+diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c 
b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+index 767d0eaabe97..3101f57492c0 100644
+--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
++++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+@@ -316,19 +316,19 @@ atmel_hlcdc_plane_update_pos_and_size(struct 
atmel_hlcdc_plane *plane,
+                       u32 *coeff_tab = heo_upscaling_ycoef;
+                       u32 max_memsize;
+ 
+-                      if (state->crtc_w < state->src_w)
++                      if (state->crtc_h < state->src_h)
+                               coeff_tab = heo_downscaling_ycoef;
+                       for (i = 0; i < ARRAY_SIZE(heo_upscaling_ycoef); i++)
+                               atmel_hlcdc_layer_update_cfg(&plane->layer,
+                                                            33 + i,
+                                                            0xffffffff,
+                                                            coeff_tab[i]);
+-                      factor = ((8 * 256 * state->src_w) - (256 * 4)) /
+-                               state->crtc_w;
++                      factor = ((8 * 256 * state->src_h) - (256 * 4)) /
++                               state->crtc_h;
+                       factor++;
+-                      max_memsize = ((factor * state->crtc_w) + (256 * 4)) /
++                      max_memsize = ((factor * state->crtc_h) + (256 * 4)) /
+                                     2048;
+-                      if (max_memsize > state->src_w)
++                      if (max_memsize > state->src_h)
+                               factor--;
+                       factor_reg |= (factor << 16) | 0x80000000;
+               }
+diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
+index 9cfcd0aef0df..92c4698e8427 100644
+--- a/drivers/gpu/drm/drm_ioc32.c
++++ b/drivers/gpu/drm/drm_ioc32.c
+@@ -1018,6 +1018,7 @@ static int compat_drm_wait_vblank(struct file *file, 
unsigned int cmd,
+       return 0;
+ }
+ 
++#if defined(CONFIG_X86) || defined(CONFIG_IA64)
+ typedef struct drm_mode_fb_cmd232 {
+       u32 fb_id;
+       u32 width;
+@@ -1074,6 +1075,7 @@ static int compat_drm_mode_addfb2(struct file *file, 
unsigned int cmd,
+ 
+       return 0;
+ }
++#endif
+ 
+ static drm_ioctl_compat_t *drm_compat_ioctls[] = {
+       [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
+@@ -1107,7 +1109,9 @@ static drm_ioctl_compat_t *drm_compat_ioctls[] = {
+       [DRM_IOCTL_NR(DRM_IOCTL_UPDATE_DRAW32)] = compat_drm_update_draw,
+ #endif
+       [DRM_IOCTL_NR(DRM_IOCTL_WAIT_VBLANK32)] = compat_drm_wait_vblank,
++#if defined(CONFIG_X86) || defined(CONFIG_IA64)
+       [DRM_IOCTL_NR(DRM_IOCTL_MODE_ADDFB232)] = compat_drm_mode_addfb2,
++#endif
+ };
+ 
+ /**
+diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c
+index 78c911be115d..6bf81d95a3f4 100644
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev,
+               ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
+               if (ret < 0)
+                       goto error_ret;
++              *val = 0;
+               *val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
+               ret = IIO_VAL_INT_PLUS_MICRO;
+               break;
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index ad0a7e8c2c2b..8b8cacbaf20d 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1273,11 +1273,10 @@ static int __maybe_unused flexcan_suspend(struct 
device *device)
+       struct flexcan_priv *priv = netdev_priv(dev);
+       int err;
+ 
+-      err = flexcan_chip_disable(priv);
+-      if (err)
+-              return err;
+-
+       if (netif_running(dev)) {
++              err = flexcan_chip_disable(priv);
++              if (err)
++                      return err;
+               netif_stop_queue(dev);
+               netif_device_detach(dev);
+       }
+@@ -1290,13 +1289,17 @@ static int __maybe_unused flexcan_resume(struct device 
*device)
+ {
+       struct net_device *dev = dev_get_drvdata(device);
+       struct flexcan_priv *priv = netdev_priv(dev);
++      int err;
+ 
+       priv->can.state = CAN_STATE_ERROR_ACTIVE;
+       if (netif_running(dev)) {
+               netif_device_attach(dev);
+               netif_start_queue(dev);
++              err = flexcan_chip_enable(priv);
++              if (err)
++                      return err;
+       }
+-      return flexcan_chip_enable(priv);
++      return 0;
+ }
+ 
+ static SIMPLE_DEV_PM_OPS(flexcan_pm_ops, flexcan_suspend, flexcan_resume);
+diff --git a/drivers/net/wireless/ath/ath9k/main.c 
b/drivers/net/wireless/ath/ath9k/main.c
+index d5f2fbf62d72..534b2b87bd5d 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -1541,13 +1541,13 @@ static int ath9k_sta_state(struct ieee80211_hw *hw,
+       struct ath_common *common = ath9k_hw_common(sc->sc_ah);
+       int ret = 0;
+ 
+-      if (old_state == IEEE80211_STA_AUTH &&
+-          new_state == IEEE80211_STA_ASSOC) {
++      if (old_state == IEEE80211_STA_NOTEXIST &&
++          new_state == IEEE80211_STA_NONE) {
+               ret = ath9k_sta_add(hw, vif, sta);
+               ath_dbg(common, CONFIG,
+                       "Add station: %pM\n", sta->addr);
+-      } else if (old_state == IEEE80211_STA_ASSOC &&
+-                 new_state == IEEE80211_STA_AUTH) {
++      } else if (old_state == IEEE80211_STA_NONE &&
++                 new_state == IEEE80211_STA_NOTEXIST) {
+               ret = ath9k_sta_remove(hw, vif, sta);
+               ath_dbg(common, CONFIG,
+                       "Remove station: %pM\n", sta->addr);
+diff --git a/drivers/scsi/constants.c b/drivers/scsi/constants.c
+index fa09d4be2b53..2b456ca69d5c 100644
+--- a/drivers/scsi/constants.c
++++ b/drivers/scsi/constants.c
+@@ -1181,8 +1181,9 @@ static const char * const snstext[] = {
+ 
+ /* Get sense key string or NULL if not available */
+ const char *
+-scsi_sense_key_string(unsigned char key) {
+-      if (key <= 0xE)
++scsi_sense_key_string(unsigned char key)
++{
++      if (key < ARRAY_SIZE(snstext))
+               return snstext[key];
+       return NULL;
+ }
+diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
+index d93e43cfb6f8..ebcf40c2f12b 100644
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -939,6 +939,15 @@ static int isr_setup_status_phase(struct ci_hdrc *ci)
+       int retval;
+       struct ci_hw_ep *hwep;
+ 
++      /*
++       * Unexpected USB controller behavior, caused by bad signal integrity
++       * or ground reference problems, can lead to isr_setup_status_phase
++       * being called with ci->status equal to NULL.
++       * If this situation occurs, you should review your USB hardware design.
++       */
++      if (WARN_ON_ONCE(!ci->status))
++              return -EPIPE;
++
+       hwep = (ci->ep0_dir == TX) ? ci->ep0out : ci->ep0in;
+       ci->status->context = ci;
+       ci->status->complete = isr_setup_status_complete;
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 894894f2ff93..81336acc7040 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -184,8 +184,10 @@ static int usb_parse_endpoint(struct device *ddev, int 
cfgno, int inum,
+       memcpy(&endpoint->desc, d, n);
+       INIT_LIST_HEAD(&endpoint->urb_list);
+ 
+-      /* Fix up bInterval values outside the legal range. Use 32 ms if no
+-       * proper value can be guessed. */
++      /*
++       * Fix up bInterval values outside the legal range.
++       * Use 10 or 8 ms if no proper value can be guessed.
++       */
+       i = 0;          /* i = min, j = max, n = default */
+       j = 255;
+       if (usb_endpoint_xfer_int(d)) {
+@@ -193,13 +195,15 @@ static int usb_parse_endpoint(struct device *ddev, int 
cfgno, int inum,
+               switch (to_usb_device(ddev)->speed) {
+               case USB_SPEED_SUPER:
+               case USB_SPEED_HIGH:
+-                      /* Many device manufacturers are using full-speed
++                      /*
++                       * Many device manufacturers are using full-speed
+                        * bInterval values in high-speed interrupt endpoint
+-                       * descriptors. Try to fix those and fall back to a
+-                       * 32 ms default value otherwise. */
++                       * descriptors. Try to fix those and fall back to an
++                       * 8-ms default value otherwise.
++                       */
+                       n = fls(d->bInterval*8);
+                       if (n == 0)
+-                              n = 9;  /* 32 ms = 2^(9-1) uframes */
++                              n = 7;  /* 8 ms = 2^(7-1) uframes */
+                       j = 16;
+ 
+                       /*
+@@ -214,10 +218,12 @@ static int usb_parse_endpoint(struct device *ddev, int 
cfgno, int inum,
+                       }
+                       break;
+               default:                /* USB_SPEED_FULL or _LOW */
+-                      /* For low-speed, 10 ms is the official minimum.
++                      /*
++                       * For low-speed, 10 ms is the official minimum.
+                        * But some "overclocked" devices might want faster
+-                       * polling so we'll allow it. */
+-                      n = 32;
++                       * polling so we'll allow it.
++                       */
++                      n = 10;
+                       break;
+               }
+       } else if (usb_endpoint_xfer_isoc(d)) {
+@@ -225,10 +231,10 @@ static int usb_parse_endpoint(struct device *ddev, int 
cfgno, int inum,
+               j = 16;
+               switch (to_usb_device(ddev)->speed) {
+               case USB_SPEED_HIGH:
+-                      n = 9;          /* 32 ms = 2^(9-1) uframes */
++                      n = 7;          /* 8 ms = 2^(7-1) uframes */
+                       break;
+               default:                /* USB_SPEED_FULL */
+-                      n = 6;          /* 32 ms = 2^(6-1) frames */
++                      n = 4;          /* 8 ms = 2^(4-1) frames */
+                       break;
+               }
+       }
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index f7e917866e05..6a2911743829 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -846,6 +846,10 @@ void xhci_stop_endpoint_command_watchdog(unsigned long 
arg)
+       spin_lock_irqsave(&xhci->lock, flags);
+ 
+       ep->stop_cmds_pending--;
++      if (xhci->xhc_state & XHCI_STATE_REMOVING) {
++              spin_unlock_irqrestore(&xhci->lock, flags);
++              return;
++      }
+       if (xhci->xhc_state & XHCI_STATE_DYING) {
+               xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+                               "Stop EP timer ran, but another timer marked "
+@@ -899,7 +903,7 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
+       spin_unlock_irqrestore(&xhci->lock, flags);
+       xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+                       "Calling usb_hc_died()");
+-      usb_hc_died(xhci_to_hcd(xhci)->primary_hcd);
++      usb_hc_died(xhci_to_hcd(xhci));
+       xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
+                       "xHCI host controller is dead.");
+ }
+diff --git a/drivers/usb/renesas_usbhs/mod.c b/drivers/usb/renesas_usbhs/mod.c
+index 9a705b15b3a1..cf274b8c63fe 100644
+--- a/drivers/usb/renesas_usbhs/mod.c
++++ b/drivers/usb/renesas_usbhs/mod.c
+@@ -277,9 +277,16 @@ static irqreturn_t usbhs_interrupt(int irq, void *data)
+       usbhs_write(priv, INTSTS0, ~irq_state.intsts0 & INTSTS0_MAGIC);
+       usbhs_write(priv, INTSTS1, ~irq_state.intsts1 & INTSTS1_MAGIC);
+ 
+-      usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
++      /*
++       * The driver should not clear the xxxSTS after the line of
++       * "call irq callback functions" because each "if" statement is
++       * possible to call the callback function for avoiding any side effects.
++       */
++      if (irq_state.intsts0 & BRDY)
++              usbhs_write(priv, BRDYSTS, ~irq_state.brdysts);
+       usbhs_write(priv, NRDYSTS, ~irq_state.nrdysts);
+-      usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
++      if (irq_state.intsts0 & BEMP)
++              usbhs_write(priv, BEMPSTS, ~irq_state.bempsts);
+ 
+       /*
+        * call irq callback functions
+diff --git a/drivers/usb/serial/usb-serial-simple.c 
b/drivers/usb/serial/usb-serial-simple.c
+index a204782ae530..e98b6e57b703 100644
+--- a/drivers/usb/serial/usb-serial-simple.c
++++ b/drivers/usb/serial/usb-serial-simple.c
+@@ -54,7 +54,8 @@ DEVICE(funsoft, FUNSOFT_IDS);
+ /* Infineon Flashloader driver */
+ #define FLASHLOADER_IDS()             \
+       { USB_DEVICE_INTERFACE_CLASS(0x058b, 0x0041, USB_CLASS_CDC_DATA) }, \
+-      { USB_DEVICE(0x8087, 0x0716) }
++      { USB_DEVICE(0x8087, 0x0716) }, \
++      { USB_DEVICE(0x8087, 0x0801) }
+ DEVICE(flashloader, FLASHLOADER_IDS);
+ 
+ /* Google Serial USB SubClass */
+diff --git a/fs/autofs4/autofs_i.h b/fs/autofs4/autofs_i.h
+index 5b700ef1e59d..6196b5eaf9a5 100644
+--- a/fs/autofs4/autofs_i.h
++++ b/fs/autofs4/autofs_i.h
+@@ -79,9 +79,13 @@ struct autofs_info {
+ };
+ 
+ #define AUTOFS_INF_EXPIRING   (1<<0) /* dentry is in the process of expiring 
*/
+-#define AUTOFS_INF_NO_RCU     (1<<1) /* the dentry is being considered
++#define AUTOFS_INF_WANT_EXPIRE        (1<<1) /* the dentry is being considered
+                                       * for expiry, so RCU_walk is
+-                                      * not permitted
++                                      * not permitted.  If it progresses to
++                                      * actual expiry attempt, the flag is
++                                      * not cleared when EXPIRING is set -
++                                      * in that case it gets cleared only
++                                      * when it comes to clearing EXPIRING.
+                                       */
+ #define AUTOFS_INF_PENDING    (1<<2) /* dentry pending mount */
+ 
+diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
+index 1cebc3c52fa5..7a5a598a2d94 100644
+--- a/fs/autofs4/expire.c
++++ b/fs/autofs4/expire.c
+@@ -315,19 +315,17 @@ struct dentry *autofs4_expire_direct(struct super_block 
*sb,
+       if (ino->flags & AUTOFS_INF_PENDING)
+               goto out;
+       if (!autofs4_direct_busy(mnt, root, timeout, do_now)) {
+-              ino->flags |= AUTOFS_INF_NO_RCU;
++              ino->flags |= AUTOFS_INF_WANT_EXPIRE;
+               spin_unlock(&sbi->fs_lock);
+               synchronize_rcu();
+               spin_lock(&sbi->fs_lock);
+               if (!autofs4_direct_busy(mnt, root, timeout, do_now)) {
+                       ino->flags |= AUTOFS_INF_EXPIRING;
+-                      smp_mb();
+-                      ino->flags &= ~AUTOFS_INF_NO_RCU;
+                       init_completion(&ino->expire_complete);
+                       spin_unlock(&sbi->fs_lock);
+                       return root;
+               }
+-              ino->flags &= ~AUTOFS_INF_NO_RCU;
++              ino->flags &= ~AUTOFS_INF_WANT_EXPIRE;
+       }
+ out:
+       spin_unlock(&sbi->fs_lock);
+@@ -417,6 +415,7 @@ static struct dentry *should_expire(struct dentry *dentry,
+       }
+       return NULL;
+ }
++
+ /*
+  * Find an eligible tree to time-out
+  * A tree is eligible if :-
+@@ -432,6 +431,7 @@ struct dentry *autofs4_expire_indirect(struct super_block 
*sb,
+       struct dentry *root = sb->s_root;
+       struct dentry *dentry;
+       struct dentry *expired;
++      struct dentry *found;
+       struct autofs_info *ino;
+ 
+       if (!root)
+@@ -442,48 +442,54 @@ struct dentry *autofs4_expire_indirect(struct 
super_block *sb,
+ 
+       dentry = NULL;
+       while ((dentry = get_next_positive_subdir(dentry, root))) {
++              int flags = how;
++
+               spin_lock(&sbi->fs_lock);
+               ino = autofs4_dentry_ino(dentry);
+-              if (ino->flags & AUTOFS_INF_NO_RCU)
+-                      expired = NULL;
+-              else
+-                      expired = should_expire(dentry, mnt, timeout, how);
+-              if (!expired) {
++              if (ino->flags & AUTOFS_INF_WANT_EXPIRE) {
+                       spin_unlock(&sbi->fs_lock);
+                       continue;
+               }
++              spin_unlock(&sbi->fs_lock);
++
++              expired = should_expire(dentry, mnt, timeout, flags);
++              if (!expired)
++                      continue;
++
++              spin_lock(&sbi->fs_lock);
+               ino = autofs4_dentry_ino(expired);
+-              ino->flags |= AUTOFS_INF_NO_RCU;
++              ino->flags |= AUTOFS_INF_WANT_EXPIRE;
+               spin_unlock(&sbi->fs_lock);
+               synchronize_rcu();
+-              spin_lock(&sbi->fs_lock);
+-              if (should_expire(expired, mnt, timeout, how)) {
+-                      if (expired != dentry)
+-                              dput(dentry);
+-                      goto found;
+-              }
+ 
+-              ino->flags &= ~AUTOFS_INF_NO_RCU;
++              /* Make sure a reference is not taken on found if
++               * things have changed.
++               */
++              flags &= ~AUTOFS_EXP_LEAVES;
++              found = should_expire(expired, mnt, timeout, how);
++              if (!found || found != expired)
++                      /* Something has changed, continue */
++                      goto next;
++
+               if (expired != dentry)
+-                      dput(expired);
++                      dput(dentry);
++
++              spin_lock(&sbi->fs_lock);
++              goto found;
++next:
++              spin_lock(&sbi->fs_lock);
++              ino->flags &= ~AUTOFS_INF_WANT_EXPIRE;
+               spin_unlock(&sbi->fs_lock);
++              if (expired != dentry)
++                      dput(expired);
+       }
+       return NULL;
+ 
+ found:
+       DPRINTK("returning %p %pd", expired, expired);
+       ino->flags |= AUTOFS_INF_EXPIRING;
+-      smp_mb();
+-      ino->flags &= ~AUTOFS_INF_NO_RCU;
+       init_completion(&ino->expire_complete);
+       spin_unlock(&sbi->fs_lock);
+-      spin_lock(&sbi->lookup_lock);
+-      spin_lock(&expired->d_parent->d_lock);
+-      spin_lock_nested(&expired->d_lock, DENTRY_D_LOCK_NESTED);
+-      list_move(&expired->d_parent->d_subdirs, &expired->d_child);
+-      spin_unlock(&expired->d_lock);
+-      spin_unlock(&expired->d_parent->d_lock);
+-      spin_unlock(&sbi->lookup_lock);
+       return expired;
+ }
+ 
+@@ -492,15 +498,27 @@ int autofs4_expire_wait(struct dentry *dentry, int 
rcu_walk)
+       struct autofs_sb_info *sbi = autofs4_sbi(dentry->d_sb);
+       struct autofs_info *ino = autofs4_dentry_ino(dentry);
+       int status;
++      int state;
+ 
+       /* Block on any pending expire */
+-      if (!(ino->flags & (AUTOFS_INF_EXPIRING | AUTOFS_INF_NO_RCU)))
++      if (!(ino->flags & AUTOFS_INF_WANT_EXPIRE))
+               return 0;
+       if (rcu_walk)
+               return -ECHILD;
+ 
++retry:
+       spin_lock(&sbi->fs_lock);
+-      if (ino->flags & AUTOFS_INF_EXPIRING) {
++      state = ino->flags & (AUTOFS_INF_WANT_EXPIRE | AUTOFS_INF_EXPIRING);
++      if (state == AUTOFS_INF_WANT_EXPIRE) {
++              spin_unlock(&sbi->fs_lock);
++              /*
++               * Possibly being selected for expire, wait until
++               * it's selected or not.
++               */
++              schedule_timeout_uninterruptible(HZ/10);
++              goto retry;
++      }
++      if (state & AUTOFS_INF_EXPIRING) {
+               spin_unlock(&sbi->fs_lock);
+ 
+               DPRINTK("waiting for expire %p name=%pd", dentry, dentry);
+@@ -551,7 +569,7 @@ int autofs4_expire_run(struct super_block *sb,
+       ino = autofs4_dentry_ino(dentry);
+       /* avoid rapid-fire expire attempts if expiry fails */
+       ino->last_used = now;
+-      ino->flags &= ~AUTOFS_INF_EXPIRING;
++      ino->flags &= ~(AUTOFS_INF_EXPIRING|AUTOFS_INF_WANT_EXPIRE);
+       complete_all(&ino->expire_complete);
+       spin_unlock(&sbi->fs_lock);
+ 
+@@ -579,7 +597,7 @@ int autofs4_do_expire_multi(struct super_block *sb, struct 
vfsmount *mnt,
+               spin_lock(&sbi->fs_lock);
+               /* avoid rapid-fire expire attempts if expiry fails */
+               ino->last_used = now;
+-              ino->flags &= ~AUTOFS_INF_EXPIRING;
++              ino->flags &= ~(AUTOFS_INF_EXPIRING|AUTOFS_INF_WANT_EXPIRE);
+               complete_all(&ino->expire_complete);
+               spin_unlock(&sbi->fs_lock);
+               dput(dentry);
+diff --git a/fs/autofs4/root.c b/fs/autofs4/root.c
+index c6d7d3dbd52a..7a54c6a867c8 100644
+--- a/fs/autofs4/root.c
++++ b/fs/autofs4/root.c
+@@ -455,7 +455,7 @@ static int autofs4_d_manage(struct dentry *dentry, bool 
rcu_walk)
+                * a mount-trap.
+                */
+               struct inode *inode;
+-              if (ino->flags & (AUTOFS_INF_EXPIRING | AUTOFS_INF_NO_RCU))
++              if (ino->flags & AUTOFS_INF_WANT_EXPIRE)
+                       return 0;
+               if (d_mountpoint(dentry))
+                       return 0;
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 2eca30adb3e3..ff742d30ba60 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1610,6 +1610,9 @@ static noinline int 
btrfs_ioctl_snap_create_transid(struct file *file,
+       int namelen;
+       int ret = 0;
+ 
++      if (!S_ISDIR(file_inode(file)->i_mode))
++              return -ENOTDIR;
++
+       ret = mnt_want_write_file(file);
+       if (ret)
+               goto out;
+@@ -1667,6 +1670,9 @@ static noinline int btrfs_ioctl_snap_create(struct file 
*file,
+       struct btrfs_ioctl_vol_args *vol_args;
+       int ret;
+ 
++      if (!S_ISDIR(file_inode(file)->i_mode))
++              return -ENOTDIR;
++
+       vol_args = memdup_user(arg, sizeof(*vol_args));
+       if (IS_ERR(vol_args))
+               return PTR_ERR(vol_args);
+@@ -1690,6 +1696,9 @@ static noinline int btrfs_ioctl_snap_create_v2(struct 
file *file,
+       bool readonly = false;
+       struct btrfs_qgroup_inherit *inherit = NULL;
+ 
++      if (!S_ISDIR(file_inode(file)->i_mode))
++              return -ENOTDIR;
++
+       vol_args = memdup_user(arg, sizeof(*vol_args));
+       if (IS_ERR(vol_args))
+               return PTR_ERR(vol_args);
+@@ -2318,6 +2327,9 @@ static noinline int btrfs_ioctl_snap_destroy(struct file 
*file,
+       int ret;
+       int err = 0;
+ 
++      if (!S_ISDIR(dir->i_mode))
++              return -ENOTDIR;
++
+       vol_args = memdup_user(arg, sizeof(*vol_args));
+       if (IS_ERR(vol_args))
+               return PTR_ERR(vol_args);
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 5c222f3c4841..bd3c92b4bcee 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2748,6 +2748,7 @@ int btrfs_sync_log(struct btrfs_trans_handle *trans,
+ 
+       if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
+               blk_finish_plug(&plug);
++              list_del_init(&root_log_ctx.list);
+               mutex_unlock(&log_root_tree->log_mutex);
+               ret = root_log_ctx.log_ret;
+               goto out;
+diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
+index 2cb9e178d1c5..4196aa567784 100644
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -637,7 +637,13 @@ resizefs_out:
+                       goto encryption_policy_out;
+               }
+ 
++              err = mnt_want_write_file(filp);
++              if (err)
++                      goto encryption_policy_out;
++
+               err = ext4_process_policy(&policy, inode);
++
++              mnt_drop_write_file(filp);
+ encryption_policy_out:
+               return err;
+ #else
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 5cae35490b37..d8f29ef2d819 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -540,13 +540,13 @@ void fuse_read_fill(struct fuse_req *req, struct file 
*file, loff_t pos,
+       req->out.args[0].size = count;
+ }
+ 
+-static void fuse_release_user_pages(struct fuse_req *req, int write)
++static void fuse_release_user_pages(struct fuse_req *req, bool should_dirty)
+ {
+       unsigned i;
+ 
+       for (i = 0; i < req->num_pages; i++) {
+               struct page *page = req->pages[i];
+-              if (write)
++              if (should_dirty)
+                       set_page_dirty_lock(page);
+               put_page(page);
+       }
+@@ -1331,6 +1331,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct 
iov_iter *iter,
+                      loff_t *ppos, int flags)
+ {
+       int write = flags & FUSE_DIO_WRITE;
++      bool should_dirty = !write && iter_is_iovec(iter);
+       int cuse = flags & FUSE_DIO_CUSE;
+       struct file *file = io->file;
+       struct inode *inode = file->f_mapping->host;
+@@ -1375,7 +1376,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct 
iov_iter *iter,
+                       nres = fuse_send_read(req, io, pos, nbytes, owner);
+ 
+               if (!io->async)
+-                      fuse_release_user_pages(req, !write);
++                      fuse_release_user_pages(req, should_dirty);
+               if (req->out.h.error) {
+                       if (!res)
+                               res = req->out.h.error;
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index eef16ec0638a..319ba6814899 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -7281,12 +7281,20 @@ static int _nfs4_proc_create_session(struct nfs_client 
*clp,
+       status = rpc_call_sync(session->clp->cl_rpcclient, &msg, 
RPC_TASK_TIMEOUT);
+       trace_nfs4_create_session(clp, status);
+ 
++      switch (status) {
++      case -NFS4ERR_STALE_CLIENTID:
++      case -NFS4ERR_DELAY:
++      case -ETIMEDOUT:
++      case -EACCES:
++      case -EAGAIN:
++              goto out;
++      };
++
++      clp->cl_seqid++;
+       if (!status) {
+               /* Verify the session's negotiated channel_attrs values */
+               status = nfs4_verify_channel_attrs(&args, &res);
+               /* Increment the clientid slot sequence id */
+-              if (clp->cl_seqid == res.seqid)
+-                      clp->cl_seqid++;
+               if (status)
+                       goto out;
+               nfs4_update_session(session, &res);
+diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
+index d2f97ecca6a5..e0e5f7c3c99f 100644
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -67,18 +67,7 @@ static int fanotify_get_response(struct fsnotify_group 
*group,
+ 
+       pr_debug("%s: group=%p event=%p\n", __func__, group, event);
+ 
+-      wait_event(group->fanotify_data.access_waitq, event->response ||
+-                              atomic_read(&group->fanotify_data.bypass_perm));
+-
+-      if (!event->response) { /* bypass_perm set */
+-              /*
+-               * Event was canceled because group is being destroyed. Remove
+-               * it from group's event list because we are responsible for
+-               * freeing the permission event.
+-               */
+-              fsnotify_remove_event(group, &event->fae.fse);
+-              return 0;
+-      }
++      wait_event(group->fanotify_data.access_waitq, event->response);
+ 
+       /* userspace responded, convert to something usable */
+       switch (event->response) {
+diff --git a/fs/notify/fanotify/fanotify_user.c 
b/fs/notify/fanotify/fanotify_user.c
+index cf275500a665..45ca844d1323 100644
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -358,16 +358,20 @@ static int fanotify_release(struct inode *ignored, 
struct file *file)
+ 
+ #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+       struct fanotify_perm_event_info *event, *next;
++      struct fsnotify_event *fsn_event;
+ 
+       /*
+-       * There may be still new events arriving in the notification queue
+-       * but since userspace cannot use fanotify fd anymore, no event can
+-       * enter or leave access_list by now.
++       * Stop new events from arriving in the notification queue. since
++       * userspace cannot use fanotify fd anymore, no event can enter or
++       * leave access_list by now either.
+        */
+-      spin_lock(&group->fanotify_data.access_lock);
+-
+-      atomic_inc(&group->fanotify_data.bypass_perm);
++      fsnotify_group_stop_queueing(group);
+ 
++      /*
++       * Process all permission events on access_list and notification queue
++       * and simulate reply from userspace.
++       */
++      spin_lock(&group->fanotify_data.access_lock);
+       list_for_each_entry_safe(event, next, &group->fanotify_data.access_list,
+                                fae.fse.list) {
+               pr_debug("%s: found group=%p event=%p\n", __func__, group,
+@@ -379,12 +383,21 @@ static int fanotify_release(struct inode *ignored, 
struct file *file)
+       spin_unlock(&group->fanotify_data.access_lock);
+ 
+       /*
+-       * Since bypass_perm is set, newly queued events will not wait for
+-       * access response. Wake up the already sleeping ones now.
+-       * synchronize_srcu() in fsnotify_destroy_group() will wait for all
+-       * processes sleeping in fanotify_handle_event() waiting for access
+-       * response and thus also for all permission events to be freed.
++       * Destroy all non-permission events. For permission events just
++       * dequeue them and set the response. They will be freed once the
++       * response is consumed and fanotify_get_response() returns.
+        */
++      mutex_lock(&group->notification_mutex);
++      while (!fsnotify_notify_queue_is_empty(group)) {
++              fsn_event = fsnotify_remove_first_event(group);
++              if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS))
++                      fsnotify_destroy_event(group, fsn_event);
++              else
++                      FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
++      }
++      mutex_unlock(&group->notification_mutex);
++
++      /* Response for all permission events it set, wakeup waiters */
+       wake_up(&group->fanotify_data.access_waitq);
+ #endif
+ 
+@@ -751,7 +764,6 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, 
unsigned int, event_f_flags)
+       spin_lock_init(&group->fanotify_data.access_lock);
+       init_waitqueue_head(&group->fanotify_data.access_waitq);
+       INIT_LIST_HEAD(&group->fanotify_data.access_list);
+-      atomic_set(&group->fanotify_data.bypass_perm, 0);
+ #endif
+       switch (flags & FAN_ALL_CLASS_BITS) {
+       case FAN_CLASS_NOTIF:
+diff --git a/fs/notify/group.c b/fs/notify/group.c
+index d16b62cb2854..18eb30c6bd8f 100644
+--- a/fs/notify/group.c
++++ b/fs/notify/group.c
+@@ -40,6 +40,17 @@ static void fsnotify_final_destroy_group(struct 
fsnotify_group *group)
+ }
+ 
+ /*
++ * Stop queueing new events for this group. Once this function returns
++ * fsnotify_add_event() will not add any new events to the group's queue.
++ */
++void fsnotify_group_stop_queueing(struct fsnotify_group *group)
++{
++      mutex_lock(&group->notification_mutex);
++      group->shutdown = true;
++      mutex_unlock(&group->notification_mutex);
++}
++
++/*
+  * Trying to get rid of a group. Remove all marks, flush all events and 
release
+  * the group reference.
+  * Note that another thread calling fsnotify_clear_marks_by_group() may still
+@@ -47,6 +58,14 @@ static void fsnotify_final_destroy_group(struct 
fsnotify_group *group)
+  */
+ void fsnotify_destroy_group(struct fsnotify_group *group)
+ {
++      /*
++       * Stop queueing new events. The code below is careful enough to not
++       * require this but fanotify needs to stop queuing events even before
++       * fsnotify_destroy_group() is called and this makes the other callers
++       * of fsnotify_destroy_group() to see the same behavior.
++       */
++      fsnotify_group_stop_queueing(group);
++
+       /* clear all inode marks for this group */
+       fsnotify_clear_marks_by_group(group);
+ 
+diff --git a/fs/notify/notification.c b/fs/notify/notification.c
+index a95d8e037aeb..e455e83ceeeb 100644
+--- a/fs/notify/notification.c
++++ b/fs/notify/notification.c
+@@ -82,7 +82,8 @@ void fsnotify_destroy_event(struct fsnotify_group *group,
+  * Add an event to the group notification queue.  The group can later pull 
this
+  * event off the queue to deal with.  The function returns 0 if the event was
+  * added to the queue, 1 if the event was merged with some other queued event,
+- * 2 if the queue of events has overflown.
++ * 2 if the event was not queued - either the queue of events has overflown
++ * or the group is shutting down.
+  */
+ int fsnotify_add_event(struct fsnotify_group *group,
+                      struct fsnotify_event *event,
+@@ -96,6 +97,11 @@ int fsnotify_add_event(struct fsnotify_group *group,
+ 
+       mutex_lock(&group->notification_mutex);
+ 
++      if (group->shutdown) {
++              mutex_unlock(&group->notification_mutex);
++              return 2;
++      }
++
+       if (group->q_len >= group->max_events) {
+               ret = 2;
+               /* Queue overflow event only if it isn't already queued */
+@@ -126,21 +132,6 @@ queue:
+ }
+ 
+ /*
+- * Remove @event from group's notification queue. It is the responsibility of
+- * the caller to destroy the event.
+- */
+-void fsnotify_remove_event(struct fsnotify_group *group,
+-                         struct fsnotify_event *event)
+-{
+-      mutex_lock(&group->notification_mutex);
+-      if (!list_empty(&event->list)) {
+-              list_del_init(&event->list);
+-              group->q_len--;
+-      }
+-      mutex_unlock(&group->notification_mutex);
+-}
+-
+-/*
+  * Remove and return the first event from the notification list.  It is the
+  * responsibility of the caller to destroy the obtained event
+  */
+diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c
+index f90931335c6b..2e11658676eb 100644
+--- a/fs/ocfs2/dlm/dlmconvert.c
++++ b/fs/ocfs2/dlm/dlmconvert.c
+@@ -262,7 +262,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
+                                 struct dlm_lock *lock, int flags, int type)
+ {
+       enum dlm_status status;
+-      u8 old_owner = res->owner;
+ 
+       mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
+            lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
+@@ -329,7 +328,6 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
+ 
+       spin_lock(&res->spinlock);
+       res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
+-      lock->convert_pending = 0;
+       /* if it failed, move it back to granted queue.
+        * if master returns DLM_NORMAL and then down before sending ast,
+        * it may have already been moved to granted queue, reset to
+@@ -338,12 +336,14 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
+               if (status != DLM_NOTQUEUED)
+                       dlm_error(status);
+               dlm_revert_pending_convert(res, lock);
+-      } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
+-                      (old_owner != res->owner)) {
+-              mlog(0, "res %.*s is in recovering or has been recovered.\n",
+-                              res->lockname.len, res->lockname.name);
++      } else if (!lock->convert_pending) {
++              mlog(0, "%s: res %.*s, owner died and lock has been moved back "
++                              "to granted list, retry convert.\n",
++                              dlm->name, res->lockname.len, 
res->lockname.name);
+               status = DLM_RECOVERING;
+       }
++
++      lock->convert_pending = 0;
+ bail:
+       spin_unlock(&res->spinlock);
+ 
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index 3f1ee404f40f..e00be7f509db 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1522,7 +1522,8 @@ static int ocfs2_zero_partial_clusters(struct inode 
*inode,
+                                      u64 start, u64 len)
+ {
+       int ret = 0;
+-      u64 tmpend, end = start + len;
++      u64 tmpend = 0;
++      u64 end = start + len;
+       struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
+       unsigned int csize = osb->s_clustersize;
+       handle_t *handle;
+@@ -1554,18 +1555,31 @@ static int ocfs2_zero_partial_clusters(struct inode 
*inode,
+       }
+ 
+       /*
+-       * We want to get the byte offset of the end of the 1st cluster.
++       * If start is on a cluster boundary and end is somewhere in another
++       * cluster, we have not COWed the cluster starting at start, unless
++       * end is also within the same cluster. So, in this case, we skip this
++       * first call to ocfs2_zero_range_for_truncate() truncate and move on
++       * to the next one.
+        */
+-      tmpend = (u64)osb->s_clustersize + (start & ~(osb->s_clustersize - 1));
+-      if (tmpend > end)
+-              tmpend = end;
++      if ((start & (csize - 1)) != 0) {
++              /*
++               * We want to get the byte offset of the end of the 1st
++               * cluster.
++               */
++              tmpend = (u64)osb->s_clustersize +
++                      (start & ~(osb->s_clustersize - 1));
++              if (tmpend > end)
++                      tmpend = end;
+ 
+-      trace_ocfs2_zero_partial_clusters_range1((unsigned long long)start,
+-                                               (unsigned long long)tmpend);
++              trace_ocfs2_zero_partial_clusters_range1(
++                      (unsigned long long)start,
++                      (unsigned long long)tmpend);
+ 
+-      ret = ocfs2_zero_range_for_truncate(inode, handle, start, tmpend);
+-      if (ret)
+-              mlog_errno(ret);
++              ret = ocfs2_zero_range_for_truncate(inode, handle, start,
++                                                  tmpend);
++              if (ret)
++                      mlog_errno(ret);
++      }
+ 
+       if (tmpend < end) {
+               /*
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index c9b740111526..f60b2c745d02 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -679,11 +679,11 @@ retry:
+                       goto out_dput;
+ 
+               err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_DEFAULT);
+-              if (err && err != -ENODATA)
++              if (err && err != -ENODATA && err != -EOPNOTSUPP)
+                       goto out_dput;
+ 
+               err = vfs_removexattr(work, XATTR_NAME_POSIX_ACL_ACCESS);
+-              if (err && err != -ENODATA)
++              if (err && err != -ENODATA && err != -EOPNOTSUPP)
+                       goto out_dput;
+ 
+               /* Clear any inherited mode bits */
+diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
+index 72d8803832ff..32901d11f8c4 100644
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -163,9 +163,10 @@ static inline __must_check long __copy_to_user(void 
__user *to,
+ 
+ #define put_user(x, ptr)                                      \
+ ({                                                            \
++      void *__p = (ptr);                                      \
+       might_fault();                                          \
+-      access_ok(VERIFY_WRITE, ptr, sizeof(*ptr)) ?            \
+-              __put_user(x, ptr) :                            \
++      access_ok(VERIFY_WRITE, __p, sizeof(*ptr)) ?            \
++              __put_user((x), ((__typeof__(*(ptr)) *)__p)) :  \
+               -EFAULT;                                        \
+ })
+ 
+@@ -225,17 +226,22 @@ extern int __put_user_bad(void) 
__attribute__((noreturn));
+ 
+ #define get_user(x, ptr)                                      \
+ ({                                                            \
++      const void *__p = (ptr);                                \
+       might_fault();                                          \
+-      access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ?             \
+-              __get_user(x, ptr) :                            \
+-              -EFAULT;                                        \
++      access_ok(VERIFY_READ, __p, sizeof(*ptr)) ?             \
++              __get_user((x), (__typeof__(*(ptr)) *)__p) :    \
++              ((x) = (__typeof__(*(ptr)))0,-EFAULT);          \
+ })
+ 
+ #ifndef __get_user_fn
+ static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
+ {
+-      size = __copy_from_user(x, ptr, size);
+-      return size ? -EFAULT : size;
++      size_t n = __copy_from_user(x, ptr, size);
++      if (unlikely(n)) {
++              memset(x + (size - n), 0, n);
++              return -EFAULT;
++      }
++      return 0;
+ }
+ 
+ #define __get_user_fn(sz, u, k)       __get_user_fn(sz, u, k)
+@@ -255,11 +261,13 @@ extern int __get_user_bad(void) 
__attribute__((noreturn));
+ static inline long copy_from_user(void *to,
+               const void __user * from, unsigned long n)
+ {
++      unsigned long res = n;
+       might_fault();
+-      if (access_ok(VERIFY_READ, from, n))
+-              return __copy_from_user(to, from, n);
+-      else
+-              return n;
++      if (likely(access_ok(VERIFY_READ, from, n)))
++              res = __copy_from_user(to, from, n);
++      if (unlikely(res))
++              memset(to + (n - res), 0, res);
++      return res;
+ }
+ 
+ static inline long copy_to_user(void __user *to,
+diff --git a/include/linux/fsnotify_backend.h 
b/include/linux/fsnotify_backend.h
+index 0f313f93c586..46dde3a3c891 100644
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -150,6 +150,7 @@ struct fsnotify_group {
+       #define FS_PRIO_1       1 /* fanotify content based access control */
+       #define FS_PRIO_2       2 /* fanotify pre-content access */
+       unsigned int priority;
++      bool shutdown;          /* group is being shut down, don't queue more 
events */
+ 
+       /* stores all fastpath marks assoc with this group so they can be 
cleaned on unregister */
+       struct mutex mark_mutex;        /* protect marks_list */
+@@ -181,7 +182,6 @@ struct fsnotify_group {
+                       spinlock_t access_lock;
+                       struct list_head access_list;
+                       wait_queue_head_t access_waitq;
+-                      atomic_t bypass_perm;
+ #endif /* CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
+                       int f_flags;
+                       unsigned int max_marks;
+@@ -301,6 +301,8 @@ extern struct fsnotify_group *fsnotify_alloc_group(const 
struct fsnotify_ops *op
+ extern void fsnotify_get_group(struct fsnotify_group *group);
+ /* drop reference on a group from fsnotify_alloc_group */
+ extern void fsnotify_put_group(struct fsnotify_group *group);
++/* group destruction begins, stop queuing new events */
++extern void fsnotify_group_stop_queueing(struct fsnotify_group *group);
+ /* destroy group */
+ extern void fsnotify_destroy_group(struct fsnotify_group *group);
+ /* fasync handler function */
+@@ -313,8 +315,6 @@ extern int fsnotify_add_event(struct fsnotify_group *group,
+                             struct fsnotify_event *event,
+                             int (*merge)(struct list_head *,
+                                          struct fsnotify_event *));
+-/* Remove passed event from groups notification queue */
+-extern void fsnotify_remove_event(struct fsnotify_group *group, struct 
fsnotify_event *event);
+ /* true if the group notification queue is empty */
+ extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
+ /* return, but do not dequeue the first event on the notification queue */
+diff --git a/include/linux/irq.h b/include/linux/irq.h
+index 3532dca843f4..33475a37f1bb 100644
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -852,6 +852,16 @@ static inline void irq_gc_lock(struct irq_chip_generic 
*gc) { }
+ static inline void irq_gc_unlock(struct irq_chip_generic *gc) { }
+ #endif
+ 
++/*
++ * The irqsave variants are for usage in non interrupt code. Do not use
++ * them in irq_chip callbacks. Use irq_gc_lock() instead.
++ */
++#define irq_gc_lock_irqsave(gc, flags)        \
++      raw_spin_lock_irqsave(&(gc)->lock, flags)
++
++#define irq_gc_unlock_irqrestore(gc, flags)   \
++      raw_spin_unlock_irqrestore(&(gc)->lock, flags)
++
+ static inline void irq_reg_writel(struct irq_chip_generic *gc,
+                                 u32 val, int reg_offset)
+ {
+diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
+index 4b3736f7065c..30a8f531236c 100644
+--- a/include/linux/pagemap.h
++++ b/include/linux/pagemap.h
+@@ -594,56 +594,56 @@ static inline int fault_in_pages_readable(const char 
__user *uaddr, int size)
+  */
+ static inline int fault_in_multipages_writeable(char __user *uaddr, int size)
+ {
+-      int ret = 0;
+       char __user *end = uaddr + size - 1;
+ 
+       if (unlikely(size == 0))
+-              return ret;
++              return 0;
+ 
++      if (unlikely(uaddr > end))
++              return -EFAULT;
+       /*
+        * Writing zeroes into userspace here is OK, because we know that if
+        * the zero gets there, we'll be overwriting it.
+        */
+-      while (uaddr <= end) {
+-              ret = __put_user(0, uaddr);
+-              if (ret != 0)
+-                      return ret;
++      do {
++              if (unlikely(__put_user(0, uaddr) != 0))
++                      return -EFAULT;
+               uaddr += PAGE_SIZE;
+-      }
++      } while (uaddr <= end);
+ 
+       /* Check whether the range spilled into the next page. */
+       if (((unsigned long)uaddr & PAGE_MASK) ==
+                       ((unsigned long)end & PAGE_MASK))
+-              ret = __put_user(0, end);
++              return __put_user(0, end);
+ 
+-      return ret;
++      return 0;
+ }
+ 
+ static inline int fault_in_multipages_readable(const char __user *uaddr,
+                                              int size)
+ {
+       volatile char c;
+-      int ret = 0;
+       const char __user *end = uaddr + size - 1;
+ 
+       if (unlikely(size == 0))
+-              return ret;
++              return 0;
+ 
+-      while (uaddr <= end) {
+-              ret = __get_user(c, uaddr);
+-              if (ret != 0)
+-                      return ret;
++      if (unlikely(uaddr > end))
++              return -EFAULT;
++
++      do {
++              if (unlikely(__get_user(c, uaddr) != 0))
++                      return -EFAULT;
+               uaddr += PAGE_SIZE;
+-      }
++      } while (uaddr <= end);
+ 
+       /* Check whether the range spilled into the next page. */
+       if (((unsigned long)uaddr & PAGE_MASK) ==
+                       ((unsigned long)end & PAGE_MASK)) {
+-              ret = __get_user(c, end);
+-              (void)c;
++              return __get_user(c, end);
+       }
+ 
+-      return ret;
++      return 0;
+ }
+ 
+ int add_to_page_cache_locked(struct page *page, struct address_space *mapping,
+diff --git a/include/linux/uio.h b/include/linux/uio.h
+index 8b01e1c3c614..5f9c59da978b 100644
+--- a/include/linux/uio.h
++++ b/include/linux/uio.h
+@@ -76,7 +76,7 @@ size_t iov_iter_copy_from_user_atomic(struct page *page,
+               struct iov_iter *i, unsigned long offset, size_t bytes);
+ void iov_iter_advance(struct iov_iter *i, size_t bytes);
+ int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes);
+-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes);
++#define iov_iter_fault_in_multipages_readable iov_iter_fault_in_readable
+ size_t iov_iter_single_seg_count(const struct iov_iter *i);
+ size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
+                        struct iov_iter *i);
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 98e607121d09..6cb5f00696f5 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1672,6 +1672,28 @@ try_to_wake_up(struct task_struct *p, unsigned int 
state, int wake_flags)
+       success = 1; /* we're going to change ->state */
+       cpu = task_cpu(p);
+ 
++      /*
++       * Ensure we load p->on_rq _after_ p->state, otherwise it would
++       * be possible to, falsely, observe p->on_rq == 0 and get stuck
++       * in smp_cond_load_acquire() below.
++       *
++       * sched_ttwu_pending()                 try_to_wake_up()
++       *   [S] p->on_rq = 1;                  [L] P->state
++       *       UNLOCK rq->lock  -----.
++       *                              \
++       *                               +---   RMB
++       * schedule()                   /
++       *       LOCK rq->lock    -----'
++       *       UNLOCK rq->lock
++       *
++       * [task p]
++       *   [S] p->state = UNINTERRUPTIBLE     [L] p->on_rq
++       *
++       * Pairs with the UNLOCK+LOCK on rq->lock from the
++       * last wakeup of our task and the schedule that got our task
++       * current.
++       */
++      smp_rmb();
+       if (p->on_rq && ttwu_remote(p, wake_flags))
+               goto stat;
+ 
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index de6ea94c41bb..61ea7e8cdde5 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4694,19 +4694,20 @@ tracing_read_pipe(struct file *filp, char __user *ubuf,
+       struct trace_iterator *iter = filp->private_data;
+       ssize_t sret;
+ 
+-      /* return any leftover data */
+-      sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
+-      if (sret != -EBUSY)
+-              return sret;
+-
+-      trace_seq_init(&iter->seq);
+-
+       /*
+        * Avoid more than one consumer on a single file descriptor
+        * This is just a matter of traces coherency, the ring buffer itself
+        * is protected.
+        */
+       mutex_lock(&iter->mutex);
++
++      /* return any leftover data */
++      sret = trace_seq_to_user(&iter->seq, ubuf, cnt);
++      if (sret != -EBUSY)
++              goto out;
++
++      trace_seq_init(&iter->seq);
++
+       if (iter->trace->read) {
+               sret = iter->trace->read(iter, filp, ubuf, cnt, ppos);
+               if (sret)
+@@ -5731,9 +5732,6 @@ tracing_buffers_splice_read(struct file *file, loff_t 
*ppos,
+               return -EBUSY;
+ #endif
+ 
+-      if (splice_grow_spd(pipe, &spd))
+-              return -ENOMEM;
+-
+       if (*ppos & (PAGE_SIZE - 1))
+               return -EINVAL;
+ 
+@@ -5743,6 +5741,9 @@ tracing_buffers_splice_read(struct file *file, loff_t 
*ppos,
+               len &= PAGE_MASK;
+       }
+ 
++      if (splice_grow_spd(pipe, &spd))
++              return -ENOMEM;
++
+  again:
+       trace_access_lock(iter->cpu_file);
+       entries = ring_buffer_entries_cpu(iter->trace_buffer->buffer, 
iter->cpu_file);
+@@ -5800,19 +5801,21 @@ tracing_buffers_splice_read(struct file *file, loff_t 
*ppos,
+       /* did we read anything? */
+       if (!spd.nr_pages) {
+               if (ret)
+-                      return ret;
++                      goto out;
+ 
++              ret = -EAGAIN;
+               if ((file->f_flags & O_NONBLOCK) || (flags & SPLICE_F_NONBLOCK))
+-                      return -EAGAIN;
++                      goto out;
+ 
+               ret = wait_on_pipe(iter, true);
+               if (ret)
+-                      return ret;
++                      goto out;
+ 
+               goto again;
+       }
+ 
+       ret = splice_to_pipe(pipe, &spd);
++out:
+       splice_shrink_spd(&spd);
+ 
+       return ret;
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index 75232ad0a5e7..daca582a8ed0 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -298,33 +298,13 @@ done:
+ }
+ 
+ /*
+- * Fault in the first iovec of the given iov_iter, to a maximum length
+- * of bytes. Returns 0 on success, or non-zero if the memory could not be
+- * accessed (ie. because it is an invalid address).
+- *
+- * writev-intensive code may want this to prefault several iovecs -- that
+- * would be possible (callers must not rely on the fact that _only_ the
+- * first iovec will be faulted with the current implementation).
+- */
+-int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
+-{
+-      if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
+-              char __user *buf = i->iov->iov_base + i->iov_offset;
+-              bytes = min(bytes, i->iov->iov_len - i->iov_offset);
+-              return fault_in_pages_readable(buf, bytes);
+-      }
+-      return 0;
+-}
+-EXPORT_SYMBOL(iov_iter_fault_in_readable);
+-
+-/*
+  * Fault in one or more iovecs of the given iov_iter, to a maximum length of
+  * bytes.  For each iovec, fault in each page that constitutes the iovec.
+  *
+  * Return 0 on success, or non-zero if the memory could not be accessed (i.e.
+  * because it is an invalid address).
+  */
+-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes)
++int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
+ {
+       size_t skip = i->iov_offset;
+       const struct iovec *iov;
+@@ -341,7 +321,7 @@ int iov_iter_fault_in_multipages_readable(struct iov_iter 
*i, size_t bytes)
+       }
+       return 0;
+ }
+-EXPORT_SYMBOL(iov_iter_fault_in_multipages_readable);
++EXPORT_SYMBOL(iov_iter_fault_in_readable);
+ 
+ void iov_iter_init(struct iov_iter *i, int direction,
+                       const struct iovec *iov, unsigned long nr_segs,
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index f555f4fc1d62..c66b7d325a39 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1801,6 +1801,7 @@ errdad:
+       spin_unlock_bh(&ifp->lock);
+ 
+       addrconf_mod_dad_work(ifp, 0);
++      in6_ifa_put(ifp);
+ }
+ 
+ /* Join to solicited addr multicast group.
+@@ -3526,6 +3527,7 @@ static void addrconf_dad_work(struct work_struct *w)
+               addrconf_dad_begin(ifp);
+               goto out;
+       } else if (action == DAD_ABORT) {
++              in6_ifa_hold(ifp);
+               addrconf_dad_stop(ifp, 1);
+               goto out;
+       }
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index f24138681b80..978d7f91ca91 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -6466,7 +6466,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, 
struct genl_info *info)
+ 
+               params.n_counter_offsets_presp = len / sizeof(u16);
+               if (rdev->wiphy.max_num_csa_counters &&
+-                  (params.n_counter_offsets_beacon >
++                  (params.n_counter_offsets_presp >
+                    rdev->wiphy.max_num_csa_counters))
+                       return -EINVAL;
+ 
+diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
+index c753211cb83f..b50ee5d622e1 100644
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -955,29 +955,8 @@ static int wireless_process_ioctl(struct net *net, struct 
ifreq *ifr,
+                       return private(dev, iwr, cmd, info, handler);
+       }
+       /* Old driver API : call driver ioctl handler */
+-      if (dev->netdev_ops->ndo_do_ioctl) {
+-#ifdef CONFIG_COMPAT
+-              if (info->flags & IW_REQUEST_FLAG_COMPAT) {
+-                      int ret = 0;
+-                      struct iwreq iwr_lcl;
+-                      struct compat_iw_point *iwp_compat = (void *) 
&iwr->u.data;
+-
+-                      memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
+-                      iwr_lcl.u.data.pointer = 
compat_ptr(iwp_compat->pointer);
+-                      iwr_lcl.u.data.length = iwp_compat->length;
+-                      iwr_lcl.u.data.flags = iwp_compat->flags;
+-
+-                      ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) 
&iwr_lcl, cmd);
+-
+-                      iwp_compat->pointer = 
ptr_to_compat(iwr_lcl.u.data.pointer);
+-                      iwp_compat->length = iwr_lcl.u.data.length;
+-                      iwp_compat->flags = iwr_lcl.u.data.flags;
+-
+-                      return ret;
+-              } else
+-#endif
+-                      return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
+-      }
++      if (dev->netdev_ops->ndo_do_ioctl)
++              return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
+       return -EOPNOTSUPP;
+ }
+ 
+diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c
+index 795437b10082..b450a27588c8 100644
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -1633,11 +1633,13 @@ static int snd_rawmidi_dev_register(struct snd_device 
*device)
+               return -EBUSY;
+       }
+       list_add_tail(&rmidi->list, &snd_rawmidi_devices);
++      mutex_unlock(&register_mutex);
+       err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
+                                 rmidi->card, rmidi->device,
+                                 &snd_rawmidi_f_ops, rmidi, &rmidi->dev);
+       if (err < 0) {
+               rmidi_err(rmidi, "unable to register\n");
++              mutex_lock(&register_mutex);
+               list_del(&rmidi->list);
+               mutex_unlock(&register_mutex);
+               return err;
+@@ -1645,6 +1647,7 @@ static int snd_rawmidi_dev_register(struct snd_device 
*device)
+       if (rmidi->ops && rmidi->ops->dev_register &&
+           (err = rmidi->ops->dev_register(rmidi)) < 0) {
+               snd_unregister_device(&rmidi->dev);
++              mutex_lock(&register_mutex);
+               list_del(&rmidi->list);
+               mutex_unlock(&register_mutex);
+               return err;
+@@ -1677,7 +1680,6 @@ static int snd_rawmidi_dev_register(struct snd_device 
*device)
+               }
+       }
+ #endif /* CONFIG_SND_OSSEMUL */
+-      mutex_unlock(&register_mutex);
+       sprintf(name, "midi%d", rmidi->device);
+       entry = snd_info_create_card_entry(rmidi->card, name, 
rmidi->card->proc_root);
+       if (entry) {
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 43e785a79eb3..8800d237369a 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -35,6 +35,9 @@
+ #include <sound/initval.h>
+ #include <linux/kmod.h>
+ 
++/* internal flags */
++#define SNDRV_TIMER_IFLG_PAUSED               0x00010000
++
+ #if IS_ENABLED(CONFIG_SND_HRTIMER)
+ #define DEFAULT_TIMER_LIMIT 4
+ #elif IS_ENABLED(CONFIG_SND_RTCTIMER)
+@@ -296,8 +299,21 @@ int snd_timer_open(struct snd_timer_instance **ti,
+               get_device(&timer->card->card_dev);
+       timeri->slave_class = tid->dev_sclass;
+       timeri->slave_id = slave_id;
+-      if (list_empty(&timer->open_list_head) && timer->hw.open)
+-              timer->hw.open(timer);
++
++      if (list_empty(&timer->open_list_head) && timer->hw.open) {
++              int err = timer->hw.open(timer);
++              if (err) {
++                      kfree(timeri->owner);
++                      kfree(timeri);
++
++                      if (timer->card)
++                              put_device(&timer->card->card_dev);
++                      module_put(timer->module);
++                      mutex_unlock(&register_mutex);
++                      return err;
++              }
++      }
++
+       list_add_tail(&timeri->open_list, &timer->open_list_head);
+       snd_timer_check_master(timeri);
+       mutex_unlock(&register_mutex);
+@@ -305,8 +321,6 @@ int snd_timer_open(struct snd_timer_instance **ti,
+       return 0;
+ }
+ 
+-static int _snd_timer_stop(struct snd_timer_instance *timeri, int event);
+-
+ /*
+  * close a timer instance
+  */
+@@ -395,7 +409,6 @@ unsigned long snd_timer_resolution(struct 
snd_timer_instance *timeri)
+ static void snd_timer_notify1(struct snd_timer_instance *ti, int event)
+ {
+       struct snd_timer *timer;
+-      unsigned long flags;
+       unsigned long resolution = 0;
+       struct snd_timer_instance *ts;
+       struct timespec tstamp;
+@@ -419,34 +432,66 @@ static void snd_timer_notify1(struct snd_timer_instance 
*ti, int event)
+               return;
+       if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
+               return;
+-      spin_lock_irqsave(&timer->lock, flags);
+       list_for_each_entry(ts, &ti->slave_active_head, active_list)
+               if (ts->ccallback)
+                       ts->ccallback(ts, event + 100, &tstamp, resolution);
+-      spin_unlock_irqrestore(&timer->lock, flags);
+ }
+ 
+-static int snd_timer_start1(struct snd_timer *timer, struct 
snd_timer_instance *timeri,
+-                          unsigned long sticks)
++/* start/continue a master timer */
++static int snd_timer_start1(struct snd_timer_instance *timeri,
++                          bool start, unsigned long ticks)
+ {
++      struct snd_timer *timer;
++      int result;
++      unsigned long flags;
++
++      timer = timeri->timer;
++      if (!timer)
++              return -EINVAL;
++
++      spin_lock_irqsave(&timer->lock, flags);
++      if (timer->card && timer->card->shutdown) {
++              result = -ENODEV;
++              goto unlock;
++      }
++      if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
++                           SNDRV_TIMER_IFLG_START)) {
++              result = -EBUSY;
++              goto unlock;
++      }
++
++      if (start)
++              timeri->ticks = timeri->cticks = ticks;
++      else if (!timeri->cticks)
++              timeri->cticks = 1;
++      timeri->pticks = 0;
++
+       list_move_tail(&timeri->active_list, &timer->active_list_head);
+       if (timer->running) {
+               if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
+                       goto __start_now;
+               timer->flags |= SNDRV_TIMER_FLG_RESCHED;
+               timeri->flags |= SNDRV_TIMER_IFLG_START;
+-              return 1;       /* delayed start */
++              result = 1; /* delayed start */
+       } else {
+-              timer->sticks = sticks;
++              if (start)
++                      timer->sticks = ticks;
+               timer->hw.start(timer);
+             __start_now:
+               timer->running++;
+               timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
+-              return 0;
++              result = 0;
+       }
++      snd_timer_notify1(timeri, start ? SNDRV_TIMER_EVENT_START :
++                        SNDRV_TIMER_EVENT_CONTINUE);
++ unlock:
++      spin_unlock_irqrestore(&timer->lock, flags);
++      return result;
+ }
+ 
+-static int snd_timer_start_slave(struct snd_timer_instance *timeri)
++/* start/continue a slave timer */
++static int snd_timer_start_slave(struct snd_timer_instance *timeri,
++                               bool start)
+ {
+       unsigned long flags;
+ 
+@@ -460,88 +505,37 @@ static int snd_timer_start_slave(struct 
snd_timer_instance *timeri)
+               spin_lock(&timeri->timer->lock);
+               list_add_tail(&timeri->active_list,
+                             &timeri->master->slave_active_head);
++              snd_timer_notify1(timeri, start ? SNDRV_TIMER_EVENT_START :
++                                SNDRV_TIMER_EVENT_CONTINUE);
+               spin_unlock(&timeri->timer->lock);
+       }
+       spin_unlock_irqrestore(&slave_active_lock, flags);
+       return 1; /* delayed start */
+ }
+ 
+-/*
+- *  start the timer instance
+- */
+-int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
++/* stop/pause a master timer */
++static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
+ {
+       struct snd_timer *timer;
+-      int result = -EINVAL;
++      int result = 0;
+       unsigned long flags;
+ 
+-      if (timeri == NULL || ticks < 1)
+-              return -EINVAL;
+-      if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
+-              result = snd_timer_start_slave(timeri);
+-              if (result >= 0)
+-                      snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
+-              return result;
+-      }
+-      timer = timeri->timer;
+-      if (timer == NULL)
+-              return -EINVAL;
+-      if (timer->card && timer->card->shutdown)
+-              return -ENODEV;
+-      spin_lock_irqsave(&timer->lock, flags);
+-      if (timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
+-                           SNDRV_TIMER_IFLG_START)) {
+-              result = -EBUSY;
+-              goto unlock;
+-      }
+-      timeri->ticks = timeri->cticks = ticks;
+-      timeri->pticks = 0;
+-      result = snd_timer_start1(timer, timeri, ticks);
+- unlock:
+-      spin_unlock_irqrestore(&timer->lock, flags);
+-      if (result >= 0)
+-              snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_START);
+-      return result;
+-}
+-
+-static int _snd_timer_stop(struct snd_timer_instance *timeri, int event)
+-{
+-      struct snd_timer *timer;
+-      unsigned long flags;
+-
+-      if (snd_BUG_ON(!timeri))
+-              return -ENXIO;
+-
+-      if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE) {
+-              spin_lock_irqsave(&slave_active_lock, flags);
+-              if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
+-                      spin_unlock_irqrestore(&slave_active_lock, flags);
+-                      return -EBUSY;
+-              }
+-              if (timeri->timer)
+-                      spin_lock(&timeri->timer->lock);
+-              timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
+-              list_del_init(&timeri->ack_list);
+-              list_del_init(&timeri->active_list);
+-              if (timeri->timer)
+-                      spin_unlock(&timeri->timer->lock);
+-              spin_unlock_irqrestore(&slave_active_lock, flags);
+-              goto __end;
+-      }
+       timer = timeri->timer;
+       if (!timer)
+               return -EINVAL;
+       spin_lock_irqsave(&timer->lock, flags);
+       if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
+                              SNDRV_TIMER_IFLG_START))) {
+-              spin_unlock_irqrestore(&timer->lock, flags);
+-              return -EBUSY;
++              result = -EBUSY;
++              goto unlock;
+       }
+       list_del_init(&timeri->ack_list);
+       list_del_init(&timeri->active_list);
+-      if (timer->card && timer->card->shutdown) {
+-              spin_unlock_irqrestore(&timer->lock, flags);
+-              return 0;
++      if (timer->card && timer->card->shutdown)
++              goto unlock;
++      if (stop) {
++              timeri->cticks = timeri->ticks;
++              timeri->pticks = 0;
+       }
+       if ((timeri->flags & SNDRV_TIMER_IFLG_RUNNING) &&
+           !(--timer->running)) {
+@@ -556,35 +550,64 @@ static int _snd_timer_stop(struct snd_timer_instance 
*timeri, int event)
+               }
+       }
+       timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
++      if (stop)
++              timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
++      else
++              timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
++      snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
++                        SNDRV_TIMER_EVENT_CONTINUE);
++ unlock:
+       spin_unlock_irqrestore(&timer->lock, flags);
+-      __end:
+-      if (event != SNDRV_TIMER_EVENT_RESOLUTION)
+-              snd_timer_notify1(timeri, event);
++      return result;
++}
++
++/* stop/pause a slave timer */
++static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop)
++{
++      unsigned long flags;
++
++      spin_lock_irqsave(&slave_active_lock, flags);
++      if (!(timeri->flags & SNDRV_TIMER_IFLG_RUNNING)) {
++              spin_unlock_irqrestore(&slave_active_lock, flags);
++              return -EBUSY;
++      }
++      timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
++      if (timeri->timer) {
++              spin_lock(&timeri->timer->lock);
++              list_del_init(&timeri->ack_list);
++              list_del_init(&timeri->active_list);
++              snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP :
++                                SNDRV_TIMER_EVENT_CONTINUE);
++              spin_unlock(&timeri->timer->lock);
++      }
++      spin_unlock_irqrestore(&slave_active_lock, flags);
+       return 0;
+ }
+ 
+ /*
++ *  start the timer instance
++ */
++int snd_timer_start(struct snd_timer_instance *timeri, unsigned int ticks)
++{
++      if (timeri == NULL || ticks < 1)
++              return -EINVAL;
++      if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
++              return snd_timer_start_slave(timeri, true);
++      else
++              return snd_timer_start1(timeri, true, ticks);
++}
++
++/*
+  * stop the timer instance.
+  *
+  * do not call this from the timer callback!
+  */
+ int snd_timer_stop(struct snd_timer_instance *timeri)
+ {
+-      struct snd_timer *timer;
+-      unsigned long flags;
+-      int err;
+-
+-      err = _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_STOP);
+-      if (err < 0)
+-              return err;
+-      timer = timeri->timer;
+-      if (!timer)
+-              return -EINVAL;
+-      spin_lock_irqsave(&timer->lock, flags);
+-      timeri->cticks = timeri->ticks;
+-      timeri->pticks = 0;
+-      spin_unlock_irqrestore(&timer->lock, flags);
+-      return 0;
++      if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
++              return snd_timer_stop_slave(timeri, true);
++      else
++              return snd_timer_stop1(timeri, true);
+ }
+ 
+ /*
+@@ -592,32 +615,14 @@ int snd_timer_stop(struct snd_timer_instance *timeri)
+  */
+ int snd_timer_continue(struct snd_timer_instance *timeri)
+ {
+-      struct snd_timer *timer;
+-      int result = -EINVAL;
+-      unsigned long flags;
++      /* timer can continue only after pause */
++      if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
++              return -EINVAL;
+ 
+-      if (timeri == NULL)
+-              return result;
+       if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
+-              return snd_timer_start_slave(timeri);
+-      timer = timeri->timer;
+-      if (! timer)
+-              return -EINVAL;
+-      if (timer->card && timer->card->shutdown)
+-              return -ENODEV;
+-      spin_lock_irqsave(&timer->lock, flags);
+-      if (timeri->flags & SNDRV_TIMER_IFLG_RUNNING) {
+-              result = -EBUSY;
+-              goto unlock;
+-      }
+-      if (!timeri->cticks)
+-              timeri->cticks = 1;
+-      timeri->pticks = 0;
+-      result = snd_timer_start1(timer, timeri, timer->sticks);
+- unlock:
+-      spin_unlock_irqrestore(&timer->lock, flags);
+-      snd_timer_notify1(timeri, SNDRV_TIMER_EVENT_CONTINUE);
+-      return result;
++              return snd_timer_start_slave(timeri, false);
++      else
++              return snd_timer_start1(timeri, false, 0);
+ }
+ 
+ /*
+@@ -625,7 +630,10 @@ int snd_timer_continue(struct snd_timer_instance *timeri)
+  */
+ int snd_timer_pause(struct snd_timer_instance * timeri)
+ {
+-      return _snd_timer_stop(timeri, SNDRV_TIMER_EVENT_PAUSE);
++      if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
++              return snd_timer_stop_slave(timeri, false);
++      else
++              return snd_timer_stop1(timeri, false);
+ }
+ 
+ /*
+@@ -837,6 +845,7 @@ int snd_timer_new(struct snd_card *card, char *id, struct 
snd_timer_id *tid,
+       timer->tmr_subdevice = tid->subdevice;
+       if (id)
+               strlcpy(timer->id, id, sizeof(timer->id));
++      timer->sticks = 1;
+       INIT_LIST_HEAD(&timer->device_list);
+       INIT_LIST_HEAD(&timer->open_list_head);
+       INIT_LIST_HEAD(&timer->active_list_head);
+@@ -1826,6 +1835,9 @@ static int snd_timer_user_continue(struct file *file)
+       tu = file->private_data;
+       if (!tu->timeri)
+               return -EBADFD;
++      /* start timer instead of continue if it's not used before */
++      if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
++              return snd_timer_user_start(file);
+       tu->timeri->lost = 0;
+       return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
+ }
+@@ -1967,6 +1979,7 @@ static ssize_t snd_timer_user_read(struct file *file, 
char __user *buffer,
+               tu->qused--;
+               spin_unlock_irq(&tu->qlock);
+ 
++              mutex_lock(&tu->ioctl_lock);
+               if (tu->tread) {
+                       if (copy_to_user(buffer, &tu->tqueue[qhead],
+                                        sizeof(struct snd_timer_tread)))
+@@ -1976,6 +1989,7 @@ static ssize_t snd_timer_user_read(struct file *file, 
char __user *buffer,
+                                        sizeof(struct snd_timer_read)))
+                               err = -EFAULT;
+               }
++              mutex_unlock(&tu->ioctl_lock);
+ 
+               spin_lock_irq(&tu->qlock);
+               if (err < 0)
+diff --git a/sound/firewire/fireworks/fireworks.h 
b/sound/firewire/fireworks/fireworks.h
+index 084d414b228c..b431c34b2d74 100644
+--- a/sound/firewire/fireworks/fireworks.h
++++ b/sound/firewire/fireworks/fireworks.h
+@@ -106,7 +106,6 @@ struct snd_efw {
+       u8 *resp_buf;
+       u8 *pull_ptr;
+       u8 *push_ptr;
+-      unsigned int resp_queues;
+ };
+ 
+ int snd_efw_transaction_cmd(struct fw_unit *unit,
+diff --git a/sound/firewire/fireworks/fireworks_hwdep.c 
b/sound/firewire/fireworks/fireworks_hwdep.c
+index 33df8655fe81..2e1d9a23920c 100644
+--- a/sound/firewire/fireworks/fireworks_hwdep.c
++++ b/sound/firewire/fireworks/fireworks_hwdep.c
+@@ -25,6 +25,7 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, 
long remained,
+ {
+       unsigned int length, till_end, type;
+       struct snd_efw_transaction *t;
++      u8 *pull_ptr;
+       long count = 0;
+ 
+       if (remained < sizeof(type) + sizeof(struct snd_efw_transaction))
+@@ -38,8 +39,17 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, 
long remained,
+       buf += sizeof(type);
+ 
+       /* write into buffer as many responses as possible */
+-      while (efw->resp_queues > 0) {
+-              t = (struct snd_efw_transaction *)(efw->pull_ptr);
++      spin_lock_irq(&efw->lock);
++
++      /*
++       * When another task reaches here during this task's access to user
++       * space, it picks up current position in buffer and can read the same
++       * series of responses.
++       */
++      pull_ptr = efw->pull_ptr;
++
++      while (efw->push_ptr != pull_ptr) {
++              t = (struct snd_efw_transaction *)(pull_ptr);
+               length = be32_to_cpu(t->length) * sizeof(__be32);
+ 
+               /* confirm enough space for this response */
+@@ -49,26 +59,39 @@ hwdep_read_resp_buf(struct snd_efw *efw, char __user *buf, 
long remained,
+               /* copy from ring buffer to user buffer */
+               while (length > 0) {
+                       till_end = snd_efw_resp_buf_size -
+-                              (unsigned int)(efw->pull_ptr - efw->resp_buf);
++                              (unsigned int)(pull_ptr - efw->resp_buf);
+                       till_end = min_t(unsigned int, length, till_end);
+ 
+-                      if (copy_to_user(buf, efw->pull_ptr, till_end))
++                      spin_unlock_irq(&efw->lock);
++
++                      if (copy_to_user(buf, pull_ptr, till_end))
+                               return -EFAULT;
+ 
+-                      efw->pull_ptr += till_end;
+-                      if (efw->pull_ptr >= efw->resp_buf +
+-                                           snd_efw_resp_buf_size)
+-                              efw->pull_ptr -= snd_efw_resp_buf_size;
++                      spin_lock_irq(&efw->lock);
++
++                      pull_ptr += till_end;
++                      if (pull_ptr >= efw->resp_buf + snd_efw_resp_buf_size)
++                              pull_ptr -= snd_efw_resp_buf_size;
+ 
+                       length -= till_end;
+                       buf += till_end;
+                       count += till_end;
+                       remained -= till_end;
+               }
+-
+-              efw->resp_queues--;
+       }
+ 
++      /*
++       * All of tasks can read from the buffer nearly simultaneously, but the
++       * last position for each task is different depending on the length of
++       * given buffer. Here, for simplicity, a position of buffer is set by
++       * the latest task. It's better for a listening application to allow one
++       * thread to read from the buffer. Unless, each task can read different
++       * sequence of responses depending on variation of buffer length.
++       */
++      efw->pull_ptr = pull_ptr;
++
++      spin_unlock_irq(&efw->lock);
++
+       return count;
+ }
+ 
+@@ -76,14 +99,17 @@ static long
+ hwdep_read_locked(struct snd_efw *efw, char __user *buf, long count,
+                 loff_t *offset)
+ {
+-      union snd_firewire_event event;
++      union snd_firewire_event event = {
++              .lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS,
++      };
+ 
+-      memset(&event, 0, sizeof(event));
++      spin_lock_irq(&efw->lock);
+ 
+-      event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
+       event.lock_status.status = (efw->dev_lock_count > 0);
+       efw->dev_lock_changed = false;
+ 
++      spin_unlock_irq(&efw->lock);
++
+       count = min_t(long, count, sizeof(event.lock_status));
+ 
+       if (copy_to_user(buf, &event, count))
+@@ -98,10 +124,15 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, 
long count,
+ {
+       struct snd_efw *efw = hwdep->private_data;
+       DEFINE_WAIT(wait);
++      bool dev_lock_changed;
++      bool queued;
+ 
+       spin_lock_irq(&efw->lock);
+ 
+-      while ((!efw->dev_lock_changed) && (efw->resp_queues == 0)) {
++      dev_lock_changed = efw->dev_lock_changed;
++      queued = efw->push_ptr != efw->pull_ptr;
++
++      while (!dev_lock_changed && !queued) {
+               prepare_to_wait(&efw->hwdep_wait, &wait, TASK_INTERRUPTIBLE);
+               spin_unlock_irq(&efw->lock);
+               schedule();
+@@ -109,15 +140,17 @@ hwdep_read(struct snd_hwdep *hwdep, char __user *buf, 
long count,
+               if (signal_pending(current))
+                       return -ERESTARTSYS;
+               spin_lock_irq(&efw->lock);
++              dev_lock_changed = efw->dev_lock_changed;
++              queued = efw->push_ptr != efw->pull_ptr;
+       }
+ 
+-      if (efw->dev_lock_changed)
++      spin_unlock_irq(&efw->lock);
++
++      if (dev_lock_changed)
+               count = hwdep_read_locked(efw, buf, count, offset);
+-      else if (efw->resp_queues > 0)
++      else if (queued)
+               count = hwdep_read_resp_buf(efw, buf, count, offset);
+ 
+-      spin_unlock_irq(&efw->lock);
+-
+       return count;
+ }
+ 
+@@ -160,7 +193,7 @@ hwdep_poll(struct snd_hwdep *hwdep, struct file *file, 
poll_table *wait)
+       poll_wait(file, &efw->hwdep_wait, wait);
+ 
+       spin_lock_irq(&efw->lock);
+-      if (efw->dev_lock_changed || (efw->resp_queues > 0))
++      if (efw->dev_lock_changed || efw->pull_ptr != efw->push_ptr)
+               events = POLLIN | POLLRDNORM;
+       else
+               events = 0;
+diff --git a/sound/firewire/fireworks/fireworks_proc.c 
b/sound/firewire/fireworks/fireworks_proc.c
+index 0639dcb13f7d..beb0a0ffee57 100644
+--- a/sound/firewire/fireworks/fireworks_proc.c
++++ b/sound/firewire/fireworks/fireworks_proc.c
+@@ -188,8 +188,8 @@ proc_read_queues_state(struct snd_info_entry *entry,
+       else
+               consumed = (unsigned int)(efw->push_ptr - efw->pull_ptr);
+ 
+-      snd_iprintf(buffer, "%d %d/%d\n",
+-                  efw->resp_queues, consumed, snd_efw_resp_buf_size);
++      snd_iprintf(buffer, "%d/%d\n",
++                  consumed, snd_efw_resp_buf_size);
+ }
+ 
+ static void
+diff --git a/sound/firewire/fireworks/fireworks_transaction.c 
b/sound/firewire/fireworks/fireworks_transaction.c
+index f550808d1784..36a08ba51ec7 100644
+--- a/sound/firewire/fireworks/fireworks_transaction.c
++++ b/sound/firewire/fireworks/fireworks_transaction.c
+@@ -121,11 +121,11 @@ copy_resp_to_buf(struct snd_efw *efw, void *data, size_t 
length, int *rcode)
+       size_t capacity, till_end;
+       struct snd_efw_transaction *t;
+ 
+-      spin_lock_irq(&efw->lock);
+-
+       t = (struct snd_efw_transaction *)data;
+       length = min_t(size_t, be32_to_cpu(t->length) * sizeof(u32), length);
+ 
++      spin_lock_irq(&efw->lock);
++
+       if (efw->push_ptr < efw->pull_ptr)
+               capacity = (unsigned int)(efw->pull_ptr - efw->push_ptr);
+       else
+@@ -155,7 +155,6 @@ copy_resp_to_buf(struct snd_efw *efw, void *data, size_t 
length, int *rcode)
+       }
+ 
+       /* for hwdep */
+-      efw->resp_queues++;
+       wake_up(&efw->hwdep_wait);
+ 
+       *rcode = RCODE_COMPLETE;
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 429697a93a71..2a9ec9706db8 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4750,6 +4750,7 @@ enum {
+       ALC221_FIXUP_HP_FRONT_MIC,
+       ALC292_FIXUP_TPT460,
+       ALC298_FIXUP_SPK_VOLUME,
++      ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER,
+ };
+ 
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -5411,6 +5412,15 @@ static const struct hda_fixup alc269_fixups[] = {
+               .chained = true,
+               .chain_id = ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
+       },
++      [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x1b, 0x90170151 },
++                      { }
++              },
++              .chained = true,
++              .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
++      },
+ };
+ 
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -5455,6 +5465,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+       SND_PCI_QUIRK(0x1028, 0x06df, "Dell", 
ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
+       SND_PCI_QUIRK(0x1028, 0x06e0, "Dell", 
ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK),
+       SND_PCI_QUIRK(0x1028, 0x0704, "Dell XPS 13 9350", 
ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
++      SND_PCI_QUIRK(0x1028, 0x0706, "Dell Inspiron 7559", 
ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER),
+       SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", 
ALC255_FIXUP_DELL_SPK_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", 
ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE),
+       SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME),
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index e27df0d3898b..4a083433944e 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1137,6 +1137,7 @@ bool snd_usb_get_sample_rate_quirk(struct snd_usb_audio 
*chip)
+       case USB_ID(0x04D8, 0xFEEA): /* Benchmark DAC1 Pre */
+       case USB_ID(0x0556, 0x0014): /* Phoenix Audio TMX320VC */
+       case USB_ID(0x074D, 0x3553): /* Outlaw RR2150 (Micronas UAC3553B) */
++      case USB_ID(0x1901, 0x0191): /* GE B850V3 CP2114 audio interface */
+       case USB_ID(0x1de7, 0x0013): /* Phoenix Audio MT202exe */
+       case USB_ID(0x1de7, 0x0014): /* Phoenix Audio TMX320 */
+       case USB_ID(0x1de7, 0x0114): /* Phoenix Audio MT202pcs */

Reply via email to