295 files changed, 2809 insertions, 1261 deletions

diff --git a/Documentation/networking/snmp_counter.rst b/Documentation/networking/snmp_counter.rst
index f8eb77ddbd44..b0dfdaaca512 100644
--- a/Documentation/networking/snmp_counter.rst
+++ b/Documentation/networking/snmp_counter.rst
@@ -571,7 +571,97 @@ duplicate packet is received.
 
 * TcpExtTCPDSACKOfoRecv
 The TCP stack receives a DSACK, which indicate an out of order
-duplciate packet is received.
+duplicate packet is received.
+
+TCP out of order
+===============
+* TcpExtTCPOFOQueue
+The TCP layer receives an out of order packet and has enough memory
+to queue it.
+
+* TcpExtTCPOFODrop
+The TCP layer receives an out of order packet but doesn't have enough
+memory, so drops it. Such packets won't be counted into
+TcpExtTCPOFOQueue.
+
+* TcpExtTCPOFOMerge
+The received out of order packet has an overlay with the previous
+packet. the overlay part will be dropped. All of TcpExtTCPOFOMerge
+packets will also be counted into TcpExtTCPOFOQueue.
+
+TCP PAWS
+=======
+PAWS (Protection Against Wrapped Sequence numbers) is an algorithm
+which is used to drop old packets. It depends on the TCP
+timestamps. For detail information, please refer the `timestamp wiki`_
+and the `RFC of PAWS`_.
+
+.. _RFC of PAWS: https://tools.ietf.org/html/rfc1323#page-17
+.. _timestamp wiki: https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_timestamps
+
+* TcpExtPAWSActive
+Packets are dropped by PAWS in Syn-Sent status.
+
+* TcpExtPAWSEstab
+Packets are dropped by PAWS in any status other than Syn-Sent.
+
+TCP ACK skip
+===========
+In some scenarios, kernel would avoid sending duplicate ACKs too
+frequently. Please find more details in the tcp_invalid_ratelimit
+section of the `sysctl document`_. When kernel decides to skip an ACK
+due to tcp_invalid_ratelimit, kernel would update one of below
+counters to indicate the ACK is skipped in which scenario. The ACK
+would only be skipped if the received packet is either a SYN packet or
+it has no data.
+
+.. _sysctl document: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+
+* TcpExtTCPACKSkippedSynRecv
+The ACK is skipped in Syn-Recv status. The Syn-Recv status means the
+TCP stack receives a SYN and replies SYN+ACK. Now the TCP stack is
+waiting for an ACK. Generally, the TCP stack doesn't need to send ACK
+in the Syn-Recv status. But in several scenarios, the TCP stack need
+to send an ACK. E.g., the TCP stack receives the same SYN packet
+repeately, the received packet does not pass the PAWS check, or the
+received packet sequence number is out of window. In these scenarios,
+the TCP stack needs to send ACK. If the ACk sending frequency is higher than
+tcp_invalid_ratelimit allows, the TCP stack will skip sending ACK and
+increase TcpExtTCPACKSkippedSynRecv.
+
+
+* TcpExtTCPACKSkippedPAWS
+The ACK is skipped due to PAWS (Protect Against Wrapped Sequence
+numbers) check fails. If the PAWS check fails in Syn-Recv, Fin-Wait-2
+or Time-Wait statuses, the skipped ACK would be counted to
+TcpExtTCPACKSkippedSynRecv, TcpExtTCPACKSkippedFinWait2 or
+TcpExtTCPACKSkippedTimeWait. In all other statuses, the skipped ACK
+would be counted to TcpExtTCPACKSkippedPAWS.
+
+* TcpExtTCPACKSkippedSeq
+The sequence number is out of window and the timestamp passes the PAWS
+check and the TCP status is not Syn-Recv, Fin-Wait-2, and Time-Wait.
+
+* TcpExtTCPACKSkippedFinWait2
+The ACK is skipped in Fin-Wait-2 status, the reason would be either
+PAWS check fails or the received sequence number is out of window.
+
+* TcpExtTCPACKSkippedTimeWait
+Tha ACK is skipped in Time-Wait status, the reason would be either
+PAWS check failed or the received sequence number is out of window.
+
+* TcpExtTCPACKSkippedChallenge
+The ACK is skipped if the ACK is a challenge ACK. The RFC 5961 defines
+3 kind of challenge ACK, please refer `RFC 5961 section 3.2`_,
+`RFC 5961 section 4.2`_ and `RFC 5961 section 5.2`_. Besides these
+three scenarios, In some TCP status, the linux TCP stack would also
+send challenge ACKs if the ACK number is before the first
+unacknowledged number (more strict than `RFC 5961 section 5.2`_).
+
+.. _RFC 5961 section 3.2: https://tools.ietf.org/html/rfc5961#page-7
+.. _RFC 5961 section 4.2: https://tools.ietf.org/html/rfc5961#page-9
+.. _RFC 5961 section 5.2: https://tools.ietf.org/html/rfc5961#page-11
+
 
 examples
 =======
@@ -1188,3 +1278,151 @@ Run nstat on server B::
 We have deleted the default route on server B. Server B couldn't find
 a route for the 8.8.8.8 IP address, so server B increased
 IpOutNoRoutes.
+
+TcpExtTCPACKSkippedSynRecv
+------------------------
+In this test, we send 3 same SYN packets from client to server. The
+first SYN will let server create a socket, set it to Syn-Recv status,
+and reply a SYN/ACK. The second SYN will let server reply the SYN/ACK
+again, and record the reply time (the duplicate ACK reply time). The
+third SYN will let server check the previous duplicate ACK reply time,
+and decide to skip the duplicate ACK, then increase the
+TcpExtTCPACKSkippedSynRecv counter.
+
+Run tcpdump to capture a SYN packet::
+
+  nstatuser@nstat-a:~$ sudo tcpdump -c 1 -w /tmp/syn.pcap port 9000
+  tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
+
+Open another terminal, run nc command::
+
+  nstatuser@nstat-a:~$ nc nstat-b 9000
+
+As the nstat-b didn't listen on port 9000, it should reply a RST, and
+the nc command exited immediately. It was enough for the tcpdump
+command to capture a SYN packet. A linux server might use hardware
+offload for the TCP checksum, so the checksum in the /tmp/syn.pcap
+might be not correct. We call tcprewrite to fix it::
+
+  nstatuser@nstat-a:~$ tcprewrite --infile=/tmp/syn.pcap --outfile=/tmp/syn_fixcsum.pcap --fixcsum
+
+On nstat-b, we run nc to listen on port 9000::
+
+  nstatuser@nstat-b:~$ nc -lkv 9000
+  Listening on [0.0.0.0] (family 0, port 9000)
+
+On nstat-a, we blocked the packet from port 9000, or nstat-a would send
+RST to nstat-b::
+
+  nstatuser@nstat-a:~$ sudo iptables -A INPUT -p tcp --sport 9000 -j DROP
+
+Send 3 SYN repeatly to nstat-b::
+
+  nstatuser@nstat-a:~$ for i in {1..3}; do sudo tcpreplay -i ens3 /tmp/syn_fixcsum.pcap; done
+
+Check snmp cunter on nstat-b::
+
+  nstatuser@nstat-b:~$ nstat | grep -i skip
+  TcpExtTCPACKSkippedSynRecv      1                  0.0
+
+As we expected, TcpExtTCPACKSkippedSynRecv is 1.
+
+TcpExtTCPACKSkippedPAWS
+----------------------
+To trigger PAWS, we could send an old SYN.
+
+On nstat-b, let nc listen on port 9000::
+
+  nstatuser@nstat-b:~$ nc -lkv 9000
+  Listening on [0.0.0.0] (family 0, port 9000)
+
+On nstat-a, run tcpdump to capture a SYN::
+
+  nstatuser@nstat-a:~$ sudo tcpdump -w /tmp/paws_pre.pcap -c 1 port 9000
+  tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
+
+On nstat-a, run nc as a client to connect nstat-b::
+
+  nstatuser@nstat-a:~$ nc -v nstat-b 9000
+  Connection to nstat-b 9000 port [tcp/*] succeeded!
+
+Now the tcpdump has captured the SYN and exit. We should fix the
+checksum::
+
+  nstatuser@nstat-a:~$ tcprewrite --infile /tmp/paws_pre.pcap --outfile /tmp/paws.pcap --fixcsum
+
+Send the SYN packet twice::
+
+  nstatuser@nstat-a:~$ for i in {1..2}; do sudo tcpreplay -i ens3 /tmp/paws.pcap; done
+
+On nstat-b, check the snmp counter::
+
+  nstatuser@nstat-b:~$ nstat | grep -i skip
+  TcpExtTCPACKSkippedPAWS         1                  0.0
+
+We sent two SYN via tcpreplay, both of them would let PAWS check
+failed, the nstat-b replied an ACK for the first SYN, skipped the ACK
+for the second SYN, and updated TcpExtTCPACKSkippedPAWS.
+
+TcpExtTCPACKSkippedSeq
+--------------------
+To trigger TcpExtTCPACKSkippedSeq, we send packets which have valid
+timestamp (to pass PAWS check) but the sequence number is out of
+window. The linux TCP stack would avoid to skip if the packet has
+data, so we need a pure ACK packet. To generate such a packet, we
+could create two sockets: one on port 9000, another on port 9001. Then
+we capture an ACK on port 9001, change the source/destination port
+numbers to match the port 9000 socket. Then we could trigger
+TcpExtTCPACKSkippedSeq via this packet.
+
+On nstat-b, open two terminals, run two nc commands to listen on both
+port 9000 and port 9001::
+
+  nstatuser@nstat-b:~$ nc -lkv 9000
+  Listening on [0.0.0.0] (family 0, port 9000)
+
+  nstatuser@nstat-b:~$ nc -lkv 9001
+  Listening on [0.0.0.0] (family 0, port 9001)
+
+On nstat-a, run two nc clients::
+
+  nstatuser@nstat-a:~$ nc -v nstat-b 9000
+  Connection to nstat-b 9000 port [tcp/*] succeeded!
+
+  nstatuser@nstat-a:~$ nc -v nstat-b 9001
+  Connection to nstat-b 9001 port [tcp/*] succeeded!
+
+On nstat-a, run tcpdump to capture an ACK::
+
+  nstatuser@nstat-a:~$ sudo tcpdump -w /tmp/seq_pre.pcap -c 1 dst port 9001
+  tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
+
+On nstat-b, send a packet via the port 9001 socket. E.g. we sent a
+string 'foo' in our example::
+
+  nstatuser@nstat-b:~$ nc -lkv 9001
+  Listening on [0.0.0.0] (family 0, port 9001)
+  Connection from nstat-a 42132 received!
+  foo
+
+On nstat-a, the tcpdump should have caputred the ACK. We should check
+the source port numbers of the two nc clients::
+
+  nstatuser@nstat-a:~$ ss -ta '( dport = :9000 || dport = :9001 )' | tee
+  State  Recv-Q   Send-Q         Local Address:Port           Peer Address:Port
+  ESTAB  0        0            192.168.122.250:50208       192.168.122.251:9000
+  ESTAB  0        0            192.168.122.250:42132       192.168.122.251:9001
+
+Run tcprewrite, change port 9001 to port 9000, chagne port 42132 to
+port 50208::
+
+  nstatuser@nstat-a:~$ tcprewrite --infile /tmp/seq_pre.pcap --outfile /tmp/seq.pcap -r 9001:9000 -r 42132:50208 --fixcsum
+
+Now the /tmp/seq.pcap is the packet we need. Send it to nstat-b::
+
+  nstatuser@nstat-a:~$ for i in {1..2}; do sudo tcpreplay -i ens3 /tmp/seq.pcap; done
+
+Check TcpExtTCPACKSkippedSeq on nstat-b::
+
+  nstatuser@nstat-b:~$ nstat | grep -i skip
+  TcpExtTCPACKSkippedSeq          1                  0.0
diff --git a/arch/alpha/include/asm/futex.h b/arch/alpha/include/asm/futex.h
index ca3322536f72..bfd3c01038f8 100644
--- a/arch/alpha/include/asm/futex.h
+++ b/arch/alpha/include/asm/futex.h
@@ -68,7 +68,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         int ret = 0, cmp;
         u32 prev;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         __asm__ __volatile__ (
diff --git a/arch/alpha/include/asm/uaccess.h b/arch/alpha/include/asm/uaccess.h
index 87d8c4f0307d..e69c4e13c328 100644
--- a/arch/alpha/include/asm/uaccess.h
+++ b/arch/alpha/include/asm/uaccess.h
@@ -36,7 +36,7 @@
 #define __access_ok(addr, size) \
         ((get_fs().seg & (addr | size | (addr+size))) == 0)
 
-#define access_ok(type, addr, size)                     \
+#define access_ok(addr, size)                           \
 ({                                                      \
         __chk_user_ptr(addr);                           \
         __access_ok(((unsigned long)(addr)), (size));   \
diff --git a/arch/alpha/kernel/signal.c b/arch/alpha/kernel/signal.c
index 8c0c4ee0be6e..33e904a05881 100644
--- a/arch/alpha/kernel/signal.c
+++ b/arch/alpha/kernel/signal.c
@@ -65,7 +65,7 @@ SYSCALL_DEFINE3(osf_sigaction, int, sig,
 
         if (act) {
                 old_sigset_t mask;
-                if (!access_ok(VERIFY_READ, act, sizeof(*act)) ||
+                if (!access_ok(act, sizeof(*act)) ||
                     __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
                     __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
                     __get_user(mask, &act->sa_mask))
@@ -77,7 +77,7 @@ SYSCALL_DEFINE3(osf_sigaction, int, sig,
         ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
         if (!ret && oact) {
-                if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) ||
+                if (!access_ok(oact, sizeof(*oact)) ||
                     __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
                     __put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
                     __put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask))
@@ -207,7 +207,7 @@ do_sigreturn(struct sigcontext __user *sc)
         sigset_t set;
 
         /* Verify that it's a good sigcontext before using it */
-        if (!access_ok(VERIFY_READ, sc, sizeof(*sc)))
+        if (!access_ok(sc, sizeof(*sc)))
                 goto give_sigsegv;
         if (__get_user(set.sig[0], &sc->sc_mask))
                 goto give_sigsegv;
@@ -235,7 +235,7 @@ do_rt_sigreturn(struct rt_sigframe __user *frame)
         sigset_t set;
 
         /* Verify that it's a good ucontext_t before using it */
-        if (!access_ok(VERIFY_READ, &frame->uc, sizeof(frame->uc)))
+        if (!access_ok(&frame->uc, sizeof(frame->uc)))
                 goto give_sigsegv;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto give_sigsegv;
@@ -332,7 +332,7 @@ setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
 
         oldsp = rdusp();
         frame = get_sigframe(ksig, oldsp, sizeof(*frame));
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         err |= setup_sigcontext(&frame->sc, regs, set->sig[0], oldsp);
@@ -377,7 +377,7 @@ setup_rt_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs)
 
         oldsp = rdusp();
         frame = get_sigframe(ksig, oldsp, sizeof(*frame));
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         err |= copy_siginfo_to_user(&frame->info, &ksig->info);
diff --git a/arch/alpha/lib/csum_partial_copy.c b/arch/alpha/lib/csum_partial_copy.c
index ddb9c2f376fa..e53f96e8aa6d 100644
--- a/arch/alpha/lib/csum_partial_copy.c
+++ b/arch/alpha/lib/csum_partial_copy.c
@@ -333,7 +333,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, int len,
         unsigned long doff = 7 & (unsigned long) dst;
 
         if (len) {
-                if (!access_ok(VERIFY_READ, src, len)) {
+                if (!access_ok(src, len)) {
                         if (errp) *errp = -EFAULT;
                         memset(dst, 0, len);
                         return sum;
diff --git a/arch/arc/include/asm/futex.h b/arch/arc/include/asm/futex.h
index eb887dd13e74..c29c3fae6854 100644
--- a/arch/arc/include/asm/futex.h
+++ b/arch/arc/include/asm/futex.h
@@ -126,7 +126,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, u32 expval,
         int ret = 0;
         u32 existval;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
 #ifndef CONFIG_ARC_HAS_LLSC
diff --git a/arch/arc/kernel/process.c b/arch/arc/kernel/process.c
index 8ce6e7235915..641c364fc232 100644
--- a/arch/arc/kernel/process.c
+++ b/arch/arc/kernel/process.c
@@ -61,7 +61,7 @@ SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new)
         /* Z indicates to userspace if operation succeded */
         regs->status32 &= ~STATUS_Z_MASK;
 
-        ret = access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr));
+        ret = access_ok(uaddr, sizeof(*uaddr));
         if (!ret)
                  goto fail;
 
diff --git a/arch/arc/kernel/signal.c b/arch/arc/kernel/signal.c
index 48685445002e..1bfb7de696bd 100644
--- a/arch/arc/kernel/signal.c
+++ b/arch/arc/kernel/signal.c
@@ -169,7 +169,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 
         sf = (struct rt_sigframe __force __user *)(regs->sp);
 
-        if (!access_ok(VERIFY_READ, sf, sizeof(*sf)))
+        if (!access_ok(sf, sizeof(*sf)))
                 goto badframe;
 
         if (__get_user(magic, &sf->sigret_magic))
@@ -219,7 +219,7 @@ static inline void __user *get_sigframe(struct ksignal *ksig,
         frame = (void __user *)((sp - framesize) & ~7);
 
         /* Check that we can actually write to the signal frame */
-        if (!access_ok(VERIFY_WRITE, frame, framesize))
+        if (!access_ok(frame, framesize))
                 frame = NULL;
 
         return frame;
diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
index ffebe7b7a5b7..0a46676b4245 100644
--- a/arch/arm/include/asm/futex.h
+++ b/arch/arm/include/asm/futex.h
@@ -50,7 +50,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         int ret;
         u32 val;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         smp_mb();
@@ -104,7 +104,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         int ret = 0;
         u32 val;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         preempt_disable();
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index c136eef8f690..27ed17ec45fe 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -279,7 +279,7 @@ static inline void set_fs(mm_segment_t fs)
 
 #endif /* CONFIG_MMU */
 
-#define access_ok(type, addr, size)     (__range_ok(addr, size) == 0)
+#define access_ok(addr, size)   (__range_ok(addr, size) == 0)
 
 #define user_addr_max() \
         (uaccess_kernel() ? ~0UL : get_fs())
@@ -560,7 +560,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n)
 
 static inline unsigned long __must_check clear_user(void __user *to, unsigned long n)
 {
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(to, n))
                 n = __clear_user(to, n);
         return n;
 }
diff --git a/arch/arm/kernel/perf_callchain.c b/arch/arm/kernel/perf_callchain.c
index 08e43a32a693..3b69a76d341e 100644
--- a/arch/arm/kernel/perf_callchain.c
+++ b/arch/arm/kernel/perf_callchain.c
@@ -37,7 +37,7 @@ user_backtrace(struct frame_tail __user *tail,
         struct frame_tail buftail;
         unsigned long err;
 
-        if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
+        if (!access_ok(tail, sizeof(buftail)))
                 return NULL;
 
         pagefault_disable();
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index b908382b69ff..76bb8de6bf6b 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -241,7 +241,7 @@ asmlinkage int sys_sigreturn(struct pt_regs *regs)
 
         frame = (struct sigframe __user *)regs->ARM_sp;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 goto badframe;
 
         if (restore_sigframe(regs, frame))
@@ -271,7 +271,7 @@ asmlinkage int sys_rt_sigreturn(struct pt_regs *regs)
 
         frame = (struct rt_sigframe __user *)regs->ARM_sp;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 goto badframe;
 
         if (restore_sigframe(regs, &frame->sig))
@@ -355,7 +355,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, int framesize)
         /*
          * Check that we can actually write to the signal frame.
          */
-        if (!access_ok(VERIFY_WRITE, frame, framesize))
+        if (!access_ok(frame, framesize))
                 frame = NULL;
 
         return frame;
diff --git a/arch/arm/kernel/swp_emulate.c b/arch/arm/kernel/swp_emulate.c
index a188d5e8ab7f..76f6e6a9736c 100644
--- a/arch/arm/kernel/swp_emulate.c
+++ b/arch/arm/kernel/swp_emulate.c
@@ -198,7 +198,7 @@ static int swp_handler(struct pt_regs *regs, unsigned int instr)
                  destreg, EXTRACT_REG_NUM(instr, RT2_OFFSET), data);
 
         /* Check access in reasonable access range for both SWP and SWPB */
-        if (!access_ok(VERIFY_WRITE, (address & ~3), 4)) {
+        if (!access_ok((address & ~3), 4)) {
                 pr_debug("SWP{B} emulation: access to %p not allowed!\n",
                          (void *)address);
                 res = -EFAULT;
diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c
index 40da0872170f..92ab36f38795 100644
--- a/arch/arm/kernel/sys_oabi-compat.c
+++ b/arch/arm/kernel/sys_oabi-compat.c
@@ -285,7 +285,7 @@ asmlinkage long sys_oabi_epoll_wait(int epfd,
                         maxevents > (INT_MAX/sizeof(*kbuf)) ||
                         maxevents > (INT_MAX/sizeof(*events)))
                 return -EINVAL;
-        if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
+        if (!access_ok(events, sizeof(*events) * maxevents))
                 return -EFAULT;
         kbuf = kmalloc_array(maxevents, sizeof(*kbuf), GFP_KERNEL);
         if (!kbuf)
@@ -326,7 +326,7 @@ asmlinkage long sys_oabi_semtimedop(int semid,
 
         if (nsops < 1 || nsops > SEMOPM)
                 return -EINVAL;
-        if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
+        if (!access_ok(tsops, sizeof(*tsops) * nsops))
                 return -EFAULT;
         sops = kmalloc_array(nsops, sizeof(*sops), GFP_KERNEL);
         if (!sops)
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index 2d668cff8ef4..33af097c454b 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -582,7 +582,7 @@ do_cache_op(unsigned long start, unsigned long end, int flags)
         if (end < start || flags)
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_READ, start, end - start))
+        if (!access_ok(start, end - start))
                 return -EFAULT;
 
         return __do_cache_op(start, end);
diff --git a/arch/arm/oprofile/common.c b/arch/arm/oprofile/common.c
index cc649a1e46da..7cb3e0453fcd 100644
--- a/arch/arm/oprofile/common.c
+++ b/arch/arm/oprofile/common.c
@@ -88,7 +88,7 @@ static struct frame_tail* user_backtrace(struct frame_tail *tail)
         struct frame_tail buftail[2];
 
         /* Also check accessibility of one struct frame_tail beyond */
-        if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
+        if (!access_ok(tail, sizeof(buftail)))
                 return NULL;
         if (__copy_from_user_inatomic(buftail, tail, sizeof(buftail)))
                 return NULL;
diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h
index 07fe2479d310..cccb83ad7fa8 100644
--- a/arch/arm64/include/asm/futex.h
+++ b/arch/arm64/include/asm/futex.h
@@ -96,7 +96,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr,
         u32 val, tmp;
         u32 __user *uaddr;
 
-        if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32)))
+        if (!access_ok(_uaddr, sizeof(u32)))
                 return -EFAULT;
 
         uaddr = __uaccess_mask_ptr(_uaddr);
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index ed252435fd92..547d7a0c9d05 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -95,7 +95,7 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si
         return ret;
 }
 
-#define access_ok(type, addr, size)     __range_ok(addr, size)
+#define access_ok(addr, size)   __range_ok(addr, size)
 #define user_addr_max                   get_fs
 
 #define _ASM_EXTABLE(from, to)                                          \
@@ -301,7 +301,7 @@ do {									\
 ({                                                                      \
         __typeof__(*(ptr)) __user *__p = (ptr);                         \
         might_fault();                                                  \
-        if (access_ok(VERIFY_READ, __p, sizeof(*__p))) {                \
+        if (access_ok(__p, sizeof(*__p))) {                             \
                 __p = uaccess_mask_ptr(__p);                            \
                 __get_user_err((x), __p, (err));                        \
         } else {                                                        \
@@ -370,7 +370,7 @@ do {									\
 ({                                                                      \
         __typeof__(*(ptr)) __user *__p = (ptr);                         \
         might_fault();                                                  \
-        if (access_ok(VERIFY_WRITE, __p, sizeof(*__p))) {               \
+        if (access_ok(__p, sizeof(*__p))) {                             \
                 __p = uaccess_mask_ptr(__p);                            \
                 __put_user_err((x), __p, (err));                        \
         } else  {                                                       \
@@ -418,7 +418,7 @@ extern unsigned long __must_check __arch_copy_in_user(void __user *to, const voi
 extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n);
 static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n)
 {
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(to, n))
                 n = __arch_clear_user(__uaccess_mask_ptr(to), n);
         return n;
 }
diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c
index 92be1d12d590..e52e7280884a 100644
--- a/arch/arm64/kernel/armv8_deprecated.c
+++ b/arch/arm64/kernel/armv8_deprecated.c
@@ -402,7 +402,7 @@ static int swp_handler(struct pt_regs *regs, u32 instr)
 
         /* Check access in reasonable access range for both SWP and SWPB */
         user_ptr = (const void __user *)(unsigned long)(address & ~3);
-        if (!access_ok(VERIFY_WRITE, user_ptr, 4)) {
+        if (!access_ok(user_ptr, 4)) {
                 pr_debug("SWP{B} emulation: access to 0x%08x not allowed!\n",
                         address);
                 goto fault;
diff --git a/arch/arm64/kernel/perf_callchain.c b/arch/arm64/kernel/perf_callchain.c
index a34c26afacb0..61d983f5756f 100644
--- a/arch/arm64/kernel/perf_callchain.c
+++ b/arch/arm64/kernel/perf_callchain.c
@@ -39,7 +39,7 @@ user_backtrace(struct frame_tail __user *tail,
         unsigned long lr;
 
         /* Also check accessibility of one struct frame_tail beyond */
-        if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
+        if (!access_ok(tail, sizeof(buftail)))
                 return NULL;
 
         pagefault_disable();
@@ -86,7 +86,7 @@ compat_user_backtrace(struct compat_frame_tail __user *tail,
         unsigned long err;
 
         /* Also check accessibility of one struct frame_tail beyond */
-        if (!access_ok(VERIFY_READ, tail, sizeof(buftail)))
+        if (!access_ok(tail, sizeof(buftail)))
                 return NULL;
 
         pagefault_disable();
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 5dcc942906db..867a7cea70e5 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -470,7 +470,7 @@ static int parse_user_sigframe(struct user_ctxs *user,
                         offset = 0;
                         limit = extra_size;
 
-                        if (!access_ok(VERIFY_READ, base, limit))
+                        if (!access_ok(base, limit))
                                 goto invalid;
 
                         continue;
@@ -556,7 +556,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 
         frame = (struct rt_sigframe __user *)regs->sp;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 goto badframe;
 
         if (restore_sigframe(regs, frame))
@@ -730,7 +730,7 @@ static int get_sigframe(struct rt_sigframe_user_layout *user,
         /*
          * Check that we can actually write to the signal frame.
          */
-        if (!access_ok(VERIFY_WRITE, user->sigframe, sp_top - sp))
+        if (!access_ok(user->sigframe, sp_top - sp))
                 return -EFAULT;
 
         return 0;
diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c
index 24b09003f821..cb7800acd19f 100644
--- a/arch/arm64/kernel/signal32.c
+++ b/arch/arm64/kernel/signal32.c
@@ -303,7 +303,7 @@ COMPAT_SYSCALL_DEFINE0(sigreturn)
 
         frame = (struct compat_sigframe __user *)regs->compat_sp;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 goto badframe;
 
         if (compat_restore_sigframe(regs, frame))
@@ -334,7 +334,7 @@ COMPAT_SYSCALL_DEFINE0(rt_sigreturn)
 
         frame = (struct compat_rt_sigframe __user *)regs->compat_sp;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 goto badframe;
 
         if (compat_restore_sigframe(regs, &frame->sig))
@@ -365,7 +365,7 @@ static void __user *compat_get_sigframe(struct ksignal *ksig,
         /*
          * Check that we can actually write to the signal frame.
          */
-        if (!access_ok(VERIFY_WRITE, frame, framesize))
+        if (!access_ok(frame, framesize))
                 frame = NULL;
 
         return frame;
diff --git a/arch/arm64/kernel/sys_compat.c b/arch/arm64/kernel/sys_compat.c
index 32653d156747..21005dfe8406 100644
--- a/arch/arm64/kernel/sys_compat.c
+++ b/arch/arm64/kernel/sys_compat.c
@@ -58,7 +58,7 @@ do_compat_cache_op(unsigned long start, unsigned long end, int flags)
         if (end < start || flags)
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_READ, (const void __user *)start, end - start))
+        if (!access_ok((const void __user *)start, end - start))
                 return -EFAULT;
 
         return __do_compat_cache_op(start, end);
diff --git a/arch/c6x/kernel/signal.c b/arch/c6x/kernel/signal.c
index 3c4bb5a5c382..33b9f69c38f7 100644
--- a/arch/c6x/kernel/signal.c
+++ b/arch/c6x/kernel/signal.c
@@ -80,7 +80,7 @@ asmlinkage int do_rt_sigreturn(struct pt_regs *regs)
 
         frame = (struct rt_sigframe __user *) ((unsigned long) regs->sp + 8);
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto badframe;
@@ -149,7 +149,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         err |= __put_user(&frame->info, &frame->pinfo);
diff --git a/arch/csky/abiv1/alignment.c b/arch/csky/abiv1/alignment.c
index 60205e98fb87..d789be36eb4f 100644
--- a/arch/csky/abiv1/alignment.c
+++ b/arch/csky/abiv1/alignment.c
@@ -32,7 +32,7 @@ static int ldb_asm(uint32_t addr, uint32_t *valp)
         uint32_t val;
         int err;
 
-        if (!access_ok(VERIFY_READ, (void *)addr, 1))
+        if (!access_ok((void *)addr, 1))
                 return 1;
 
         asm volatile (
@@ -67,7 +67,7 @@ static int stb_asm(uint32_t addr, uint32_t val)
 {
         int err;
 
-        if (!access_ok(VERIFY_WRITE, (void *)addr, 1))
+        if (!access_ok((void *)addr, 1))
                 return 1;
 
         asm volatile (
diff --git a/arch/csky/include/asm/uaccess.h b/arch/csky/include/asm/uaccess.h
index acaf0e210d81..eaa1c3403a42 100644
--- a/arch/csky/include/asm/uaccess.h
+++ b/arch/csky/include/asm/uaccess.h
@@ -16,10 +16,7 @@
 #include <linux/version.h>
 #include <asm/segment.h>
 
-#define VERIFY_READ     0
-#define VERIFY_WRITE    1
-
-static inline int access_ok(int type, const void *addr, unsigned long size)
+static inline int access_ok(const void *addr, unsigned long size)
 {
         unsigned long limit = current_thread_info()->addr_limit.seg;
 
@@ -27,12 +24,7 @@ static inline int access_ok(int type, const void *addr, unsigned long size)
                 ((unsigned long)(addr + size) < limit));
 }
 
-static inline int verify_area(int type, const void *addr, unsigned long size)
-{
-        return access_ok(type, addr, size) ? 0 : -EFAULT;
-}
-
-#define __addr_ok(addr) (access_ok(VERIFY_READ, addr, 0))
+#define __addr_ok(addr) (access_ok(addr, 0))
 
 extern int __put_user_bad(void);
 
@@ -91,7 +83,7 @@ extern int __put_user_bad(void);
         long __pu_err = -EFAULT;                                        \
         typeof(*(ptr)) *__pu_addr = (ptr);                              \
         typeof(*(ptr)) __pu_val = (typeof(*(ptr)))(x);                  \
-        if (access_ok(VERIFY_WRITE, __pu_addr, size) && __pu_addr)      \
+        if (access_ok(__pu_addr, size) && __pu_addr)    \
                 __put_user_size(__pu_val, __pu_addr, (size), __pu_err); \
         __pu_err;                                                       \
 })
@@ -217,7 +209,7 @@ do {								\
 ({                                                              \
         int __gu_err = -EFAULT;                                 \
         const __typeof__(*(ptr)) __user *__gu_ptr = (ptr);      \
-        if (access_ok(VERIFY_READ, __gu_ptr, size) && __gu_ptr) \
+        if (access_ok(__gu_ptr, size) && __gu_ptr)      \
                 __get_user_size(x, __gu_ptr, size, __gu_err);   \
         __gu_err;                                               \
 })
diff --git a/arch/csky/kernel/signal.c b/arch/csky/kernel/signal.c
index 66e1b729b10b..9967c10eee2b 100644
--- a/arch/csky/kernel/signal.c
+++ b/arch/csky/kernel/signal.c
@@ -88,7 +88,7 @@ do_rt_sigreturn(void)
         struct pt_regs *regs = current_pt_regs();
         struct rt_sigframe *frame = (struct rt_sigframe *)(regs->usp);
 
-        if (verify_area(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto badframe;
diff --git a/arch/csky/lib/usercopy.c b/arch/csky/lib/usercopy.c
index ac9170e2cbb8..647a23986fb5 100644
--- a/arch/csky/lib/usercopy.c
+++ b/arch/csky/lib/usercopy.c
@@ -7,7 +7,7 @@
 unsigned long raw_copy_from_user(void *to, const void *from,
                         unsigned long n)
 {
-        if (access_ok(VERIFY_READ, from, n))
+        if (access_ok(from, n))
                 __copy_user_zeroing(to, from, n);
         else
                 memset(to, 0, n);
@@ -18,7 +18,7 @@ EXPORT_SYMBOL(raw_copy_from_user);
 unsigned long raw_copy_to_user(void *to, const void *from,
                         unsigned long n)
 {
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(to, n))
                 __copy_user(to, from, n);
         return n;
 }
@@ -113,7 +113,7 @@ long strncpy_from_user(char *dst, const char *src, long count)
 {
         long res = -EFAULT;
 
-        if (access_ok(VERIFY_READ, src, 1))
+        if (access_ok(src, 1))
                 __do_strncpy_from_user(dst, src, count, res);
         return res;
 }
@@ -236,7 +236,7 @@ do {							\
 unsigned long
 clear_user(void __user *to, unsigned long n)
 {
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(to, n))
                 __do_clear_user(to, n);
         return n;
 }
diff --git a/arch/h8300/kernel/signal.c b/arch/h8300/kernel/signal.c
index 1e8070d08770..e0f2b708e5d9 100644
--- a/arch/h8300/kernel/signal.c
+++ b/arch/h8300/kernel/signal.c
@@ -110,7 +110,7 @@ asmlinkage int sys_rt_sigreturn(void)
         sigset_t set;
         int er0;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto badframe;
@@ -165,7 +165,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         if (ksig->ka.sa.sa_flags & SA_SIGINFO)
diff --git a/arch/hexagon/include/asm/futex.h b/arch/hexagon/include/asm/futex.h
index c889f5993ecd..cb635216a732 100644
--- a/arch/hexagon/include/asm/futex.h
+++ b/arch/hexagon/include/asm/futex.h
@@ -77,7 +77,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, u32 oldval,
         int prev;
         int ret;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         __asm__ __volatile__ (
diff --git a/arch/hexagon/include/asm/uaccess.h b/arch/hexagon/include/asm/uaccess.h
index 458b69886b34..a30e58d5f351 100644
--- a/arch/hexagon/include/asm/uaccess.h
+++ b/arch/hexagon/include/asm/uaccess.h
@@ -29,9 +29,6 @@
 
 /*
  * access_ok: - Checks if a user space pointer is valid
- * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE.  Note that
- *        %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
- *        to write to a block, it is always safe to read from it.
  * @addr: User space pointer to start of block to check
  * @size: Size of block to check
  *
diff --git a/arch/hexagon/kernel/signal.c b/arch/hexagon/kernel/signal.c
index 78aa7304a5c9..31e2cf95f189 100644
--- a/arch/hexagon/kernel/signal.c
+++ b/arch/hexagon/kernel/signal.c
@@ -115,7 +115,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
         frame = get_sigframe(ksig, regs, sizeof(struct rt_sigframe));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(struct rt_sigframe)))
+        if (!access_ok(frame, sizeof(struct rt_sigframe)))
                 return -EFAULT;
 
         if (copy_siginfo_to_user(&frame->info, &ksig->info))
@@ -244,7 +244,7 @@ asmlinkage int sys_rt_sigreturn(void)
         current->restart_block.fn = do_no_restart_syscall;
 
         frame = (struct rt_sigframe __user *)pt_psp(regs);
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&blocked, &frame->uc.uc_sigmask, sizeof(blocked)))
                 goto badframe;
diff --git a/arch/hexagon/mm/uaccess.c b/arch/hexagon/mm/uaccess.c
index c599eb126c9e..6f9c4697552c 100644
--- a/arch/hexagon/mm/uaccess.c
+++ b/arch/hexagon/mm/uaccess.c
@@ -51,7 +51,7 @@ __kernel_size_t __clear_user_hexagon(void __user *dest, unsigned long count)
 
 unsigned long clear_user_hexagon(void __user *dest, unsigned long count)
 {
-        if (!access_ok(VERIFY_WRITE, dest, count))
+        if (!access_ok(dest, count))
                 return count;
         else
                 return __clear_user_hexagon(dest, count);
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index ccd56f5df8cd..8d7396bd1790 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -31,7 +31,7 @@ config IA64
         select HAVE_MEMBLOCK_NODE_MAP
         select HAVE_VIRT_CPU_ACCOUNTING
         select ARCH_HAS_DMA_COHERENT_TO_PFN if SWIOTLB
-        select ARCH_HAS_SYNC_DMA_FOR_CPU
+        select ARCH_HAS_SYNC_DMA_FOR_CPU if SWIOTLB
         select VIRT_TO_BUS
         select ARCH_DISCARD_MEMBLOCK
         select GENERIC_IRQ_PROBE
diff --git a/arch/ia64/include/asm/futex.h b/arch/ia64/include/asm/futex.h
index db2dd85918c2..2e106d462196 100644
--- a/arch/ia64/include/asm/futex.h
+++ b/arch/ia64/include/asm/futex.h
@@ -86,7 +86,7 @@ static inline int
 futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
                               u32 oldval, u32 newval)
 {
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         {
diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
index a74524f2d625..306d469e43da 100644
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
@@ -67,7 +67,7 @@ static inline int __access_ok(const void __user *p, unsigned long size)
         return likely(addr <= seg) &&
          (seg == KERNEL_DS.seg || likely(REGION_OFFSET(addr) < RGN_MAP_LIMIT));
 }
-#define access_ok(type, addr, size)     __access_ok((addr), (size))
+#define access_ok(addr, size)   __access_ok((addr), (size))
 
 /*
  * These are the main single-value transfer routines.  They automatically
diff --git a/arch/ia64/kernel/ptrace.c b/arch/ia64/kernel/ptrace.c
index 427cd565fd61..6d50ede0ed69 100644
--- a/arch/ia64/kernel/ptrace.c
+++ b/arch/ia64/kernel/ptrace.c
@@ -836,7 +836,7 @@ ptrace_getregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
         char nat = 0;
         int i;
 
-        if (!access_ok(VERIFY_WRITE, ppr, sizeof(struct pt_all_user_regs)))
+        if (!access_ok(ppr, sizeof(struct pt_all_user_regs)))
                 return -EIO;
 
         pt = task_pt_regs(child);
@@ -981,7 +981,7 @@ ptrace_setregs (struct task_struct *child, struct pt_all_user_regs __user *ppr)
 
         memset(&fpval, 0, sizeof(fpval));
 
-        if (!access_ok(VERIFY_READ, ppr, sizeof(struct pt_all_user_regs)))
+        if (!access_ok(ppr, sizeof(struct pt_all_user_regs)))
                 return -EIO;
 
         pt = task_pt_regs(child);
diff --git a/arch/ia64/kernel/signal.c b/arch/ia64/kernel/signal.c
index 99099f73b207..6062fd14e34e 100644
--- a/arch/ia64/kernel/signal.c
+++ b/arch/ia64/kernel/signal.c
@@ -132,7 +132,7 @@ ia64_rt_sigreturn (struct sigscratch *scr)
                  */
                 retval = (long) &ia64_strace_leave_kernel;
 
-        if (!access_ok(VERIFY_READ, sc, sizeof(*sc)))
+        if (!access_ok(sc, sizeof(*sc)))
                 goto give_sigsegv;
 
         if (GET_SIGSET(&set, &sc->sc_mask))
@@ -264,7 +264,7 @@ setup_frame(struct ksignal *ksig, sigset_t *set, struct sigscratch *scr)
         }
         frame = (void __user *) ((new_sp - sizeof(*frame)) & -STACK_ALIGN);
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) {
+        if (!access_ok(frame, sizeof(*frame))) {
                 force_sigsegv(ksig->sig, current);
                 return 1;
         }
diff --git a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
index 055382622f07..29d841525ca1 100644
--- a/arch/ia64/mm/init.c
+++ b/arch/ia64/mm/init.c
@@ -67,6 +67,7 @@ __ia64_sync_icache_dcache (pte_t pte)
         set_bit(PG_arch_1, &page->flags);       /* mark page as clean */
 }
 
+#ifdef CONFIG_SWIOTLB
 /*
  * Since DMA is i-cache coherent, any (complete) pages that were written via
  * DMA can be marked as "clean" so that lazy_mmu_prot_update() doesn't have to
@@ -81,6 +82,7 @@ void arch_sync_dma_for_cpu(struct device *dev, phys_addr_t paddr,
                 set_bit(PG_arch_1, &pfn_to_page(pfn)->flags);
         } while (++pfn <= PHYS_PFN(paddr + size - 1));
 }
+#endif
 
 inline void
 ia64_set_rbs_bot (void)
diff --git a/arch/m68k/include/asm/uaccess_mm.h b/arch/m68k/include/asm/uaccess_mm.h
index c4cb889660aa..7e85de984df1 100644
--- a/arch/m68k/include/asm/uaccess_mm.h
+++ b/arch/m68k/include/asm/uaccess_mm.h
@@ -10,7 +10,7 @@
 #include <asm/segment.h>
 
 /* We let the MMU do all checking */
-static inline int access_ok(int type, const void __user *addr,
+static inline int access_ok(const void __user *addr,
                             unsigned long size)
 {
         return 1;
diff --git a/arch/m68k/include/asm/uaccess_no.h b/arch/m68k/include/asm/uaccess_no.h
index 892efb56beef..0134008bf539 100644
--- a/arch/m68k/include/asm/uaccess_no.h
+++ b/arch/m68k/include/asm/uaccess_no.h
@@ -10,7 +10,7 @@
 
 #include <asm/segment.h>
 
-#define access_ok(type,addr,size)       _access_ok((unsigned long)(addr),(size))
+#define access_ok(addr,size)    _access_ok((unsigned long)(addr),(size))
 
 /*
  * It is not enough to just have access_ok check for a real RAM address.
diff --git a/arch/m68k/kernel/signal.c b/arch/m68k/kernel/signal.c
index 72850b85ecf8..e2a9421c5797 100644
--- a/arch/m68k/kernel/signal.c
+++ b/arch/m68k/kernel/signal.c
@@ -787,7 +787,7 @@ asmlinkage int do_sigreturn(struct pt_regs *regs, struct switch_stack *sw)
         struct sigframe __user *frame = (struct sigframe __user *)(usp - 4);
         sigset_t set;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__get_user(set.sig[0], &frame->sc.sc_mask) ||
             (_NSIG_WORDS > 1 &&
@@ -812,7 +812,7 @@ asmlinkage int do_rt_sigreturn(struct pt_regs *regs, struct switch_stack *sw)
         struct rt_sigframe __user *frame = (struct rt_sigframe __user *)(usp - 4);
         sigset_t set;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto badframe;
diff --git a/arch/microblaze/include/asm/futex.h b/arch/microblaze/include/asm/futex.h
index 2572077b04ea..8c90357e5983 100644
--- a/arch/microblaze/include/asm/futex.h
+++ b/arch/microblaze/include/asm/futex.h
@@ -71,7 +71,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         int ret = 0, cmp;
         u32 prev;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         __asm__ __volatile__ ("1:       lwx     %1, %3, r0;             \
diff --git a/arch/microblaze/include/asm/uaccess.h b/arch/microblaze/include/asm/uaccess.h
index 81f16aadbf9e..dbfea093a7c7 100644
--- a/arch/microblaze/include/asm/uaccess.h
+++ b/arch/microblaze/include/asm/uaccess.h
@@ -60,26 +60,25 @@ static inline int ___range_ok(unsigned long addr, unsigned long size)
 #define __range_ok(addr, size) \
                 ___range_ok((unsigned long)(addr), (unsigned long)(size))
 
-#define access_ok(type, addr, size) (__range_ok((addr), (size)) == 0)
+#define access_ok(addr, size) (__range_ok((addr), (size)) == 0)
 
 #else
 
-static inline int access_ok(int type, const void __user *addr,
-                                                        unsigned long size)
+static inline int access_ok(const void __user *addr, unsigned long size)
 {
         if (!size)
                 goto ok;
 
         if ((get_fs().seg < ((unsigned long)addr)) ||
                         (get_fs().seg < ((unsigned long)addr + size - 1))) {
-                pr_devel("ACCESS fail: %s at 0x%08x (size 0x%x), seg 0x%08x\n",
-                        type ? "WRITE" : "READ ", (__force u32)addr, (u32)size,
+                pr_devel("ACCESS fail at 0x%08x (size 0x%x), seg 0x%08x\n",
+                        (__force u32)addr, (u32)size,
                         (u32)get_fs().seg);
                 return 0;
         }
 ok:
-        pr_devel("ACCESS OK: %s at 0x%08x (size 0x%x), seg 0x%08x\n",
-                        type ? "WRITE" : "READ ", (__force u32)addr, (u32)size,
+        pr_devel("ACCESS OK at 0x%08x (size 0x%x), seg 0x%08x\n",
+                        (__force u32)addr, (u32)size,
                         (u32)get_fs().seg);
         return 1;
 }
@@ -120,7 +119,7 @@ static inline unsigned long __must_check clear_user(void __user *to,
                                                         unsigned long n)
 {
         might_fault();
-        if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
+        if (unlikely(!access_ok(to, n)))
                 return n;
 
         return __clear_user(to, n);
@@ -174,7 +173,7 @@ extern long __user_bad(void);
         const typeof(*(ptr)) __user *__gu_addr = (ptr);                 \
         int __gu_err = 0;                                               \
                                                                         \
-        if (access_ok(VERIFY_READ, __gu_addr, size)) {                  \
+        if (access_ok(__gu_addr, size)) {                       \
                 switch (size) {                                         \
                 case 1:                                                 \
                         __get_user_asm("lbu", __gu_addr, __gu_val,      \
@@ -286,7 +285,7 @@ extern long __user_bad(void);
         typeof(*(ptr)) __user *__pu_addr = (ptr);                       \
         int __pu_err = 0;                                               \
                                                                         \
-        if (access_ok(VERIFY_WRITE, __pu_addr, size)) {                 \
+        if (access_ok(__pu_addr, size)) {                       \
                 switch (size) {                                         \
                 case 1:                                                 \
                         __put_user_asm("sb", __pu_addr, __pu_val,       \
@@ -358,7 +357,7 @@ extern int __strncpy_user(char *to, const char __user *from, int len);
 static inline long
 strncpy_from_user(char *dst, const char __user *src, long count)
 {
-        if (!access_ok(VERIFY_READ, src, 1))
+        if (!access_ok(src, 1))
                 return -EFAULT;
         return __strncpy_user(dst, src, count);
 }
@@ -372,7 +371,7 @@ extern int __strnlen_user(const char __user *sstr, int len);
 
 static inline long strnlen_user(const char __user *src, long n)
 {
-        if (!access_ok(VERIFY_READ, src, 1))
+        if (!access_ok(src, 1))
                 return 0;
         return __strnlen_user(src, n);
 }
diff --git a/arch/microblaze/kernel/signal.c b/arch/microblaze/kernel/signal.c
index 97001524ca2d..0685696349bb 100644
--- a/arch/microblaze/kernel/signal.c
+++ b/arch/microblaze/kernel/signal.c
@@ -91,7 +91,7 @@ asmlinkage long sys_rt_sigreturn(struct pt_regs *regs)
         /* Always make any pending restarted system calls return -EINTR */
         current->restart_block.fn = do_no_restart_syscall;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -166,7 +166,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         if (ksig->ka.sa.sa_flags & SA_SIGINFO)
diff --git a/arch/mips/include/asm/checksum.h b/arch/mips/include/asm/checksum.h
index e8161e4dfde7..dcebaaf8c862 100644
--- a/arch/mips/include/asm/checksum.h
+++ b/arch/mips/include/asm/checksum.h
@@ -63,7 +63,7 @@ static inline
 __wsum csum_and_copy_from_user(const void __user *src, void *dst,
                                int len, __wsum sum, int *err_ptr)
 {
-        if (access_ok(VERIFY_READ, src, len))
+        if (access_ok(src, len))
                 return csum_partial_copy_from_user(src, dst, len, sum,
                                                    err_ptr);
         if (len)
@@ -81,7 +81,7 @@ __wsum csum_and_copy_to_user(const void *src, void __user *dst, int len,
                              __wsum sum, int *err_ptr)
 {
         might_fault();
-        if (access_ok(VERIFY_WRITE, dst, len)) {
+        if (access_ok(dst, len)) {
                 if (uaccess_kernel())
                         return __csum_partial_copy_kernel(src,
                                                           (__force void *)dst,
diff --git a/arch/mips/include/asm/futex.h b/arch/mips/include/asm/futex.h
index 8eff134b3a43..c14d798f3888 100644
--- a/arch/mips/include/asm/futex.h
+++ b/arch/mips/include/asm/futex.h
@@ -129,7 +129,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         int ret = 0;
         u32 val;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         if (cpu_has_llsc && R10000_LLSC_WAR) {
diff --git a/arch/mips/include/asm/termios.h b/arch/mips/include/asm/termios.h
index ce2d72e34274..bc29eeacc55a 100644
--- a/arch/mips/include/asm/termios.h
+++ b/arch/mips/include/asm/termios.h
@@ -32,7 +32,7 @@ static inline int user_termio_to_kernel_termios(struct ktermios *termios,
         unsigned short iflag, oflag, cflag, lflag;
         unsigned int err;
 
-        if (!access_ok(VERIFY_READ, termio, sizeof(struct termio)))
+        if (!access_ok(termio, sizeof(struct termio)))
                 return -EFAULT;
 
         err = __get_user(iflag, &termio->c_iflag);
@@ -61,7 +61,7 @@ static inline int kernel_termios_to_user_termio(struct termio __user *termio,
 {
         int err;
 
-        if (!access_ok(VERIFY_WRITE, termio, sizeof(struct termio)))
+        if (!access_ok(termio, sizeof(struct termio)))
                 return -EFAULT;
 
         err = __put_user(termios->c_iflag, &termio->c_iflag);
diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
index 06629011a434..d43c1dc6ef15 100644
--- a/arch/mips/include/asm/uaccess.h
+++ b/arch/mips/include/asm/uaccess.h
@@ -109,9 +109,6 @@ static inline bool eva_kernel_access(void)
 
 /*
  * access_ok: - Checks if a user space pointer is valid
- * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE.  Note that
- *        %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
- *        to write to a block, it is always safe to read from it.
  * @addr: User space pointer to start of block to check
  * @size: Size of block to check
  *
@@ -134,7 +131,7 @@ static inline int __access_ok(const void __user *p, unsigned long size)
         return (get_fs().seg & (addr | (addr + size) | __ua_size(size))) == 0;
 }
 
-#define access_ok(type, addr, size)                                     \
+#define access_ok(addr, size)                                   \
         likely(__access_ok((addr), (size)))
 
 /*
@@ -304,7 +301,7 @@ do {									\
         const __typeof__(*(ptr)) __user * __gu_ptr = (ptr);             \
                                                                         \
         might_fault();                                                  \
-        if (likely(access_ok(VERIFY_READ,  __gu_ptr, size))) {          \
+        if (likely(access_ok( __gu_ptr, size))) {               \
                 if (eva_kernel_access())                                \
                         __get_kernel_common((x), size, __gu_ptr);       \
                 else                                                    \
@@ -446,7 +443,7 @@ do {									\
         int __pu_err = -EFAULT;                                         \
                                                                         \
         might_fault();                                                  \
-        if (likely(access_ok(VERIFY_WRITE,  __pu_addr, size))) {        \
+        if (likely(access_ok( __pu_addr, size))) {      \
                 if (eva_kernel_access())                                \
                         __put_kernel_common(__pu_addr, size);           \
                 else                                                    \
@@ -691,8 +688,7 @@ __clear_user(void __user *addr, __kernel_size_t size)
 ({                                                                      \
         void __user * __cl_addr = (addr);                               \
         unsigned long __cl_size = (n);                                  \
-        if (__cl_size && access_ok(VERIFY_WRITE,                        \
-                                        __cl_addr, __cl_size))          \
+        if (__cl_size && access_ok(__cl_addr, __cl_size))               \
                 __cl_size = __clear_user(__cl_addr, __cl_size);         \
         __cl_size;                                                      \
 })
diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
index cb22a558431e..c50c89a978f1 100644
--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
+++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
@@ -1205,7 +1205,7 @@ fpu_emul:
         case lwl_op:
                 rt = regs->regs[MIPSInst_RT(inst)];
                 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-                if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) {
+                if (!access_ok((void __user *)vaddr, 4)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGSEGV;
                         break;
@@ -1278,7 +1278,7 @@ fpu_emul:
         case lwr_op:
                 rt = regs->regs[MIPSInst_RT(inst)];
                 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-                if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) {
+                if (!access_ok((void __user *)vaddr, 4)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGSEGV;
                         break;
@@ -1352,7 +1352,7 @@ fpu_emul:
         case swl_op:
                 rt = regs->regs[MIPSInst_RT(inst)];
                 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-                if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) {
+                if (!access_ok((void __user *)vaddr, 4)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGSEGV;
                         break;
@@ -1422,7 +1422,7 @@ fpu_emul:
         case swr_op:
                 rt = regs->regs[MIPSInst_RT(inst)];
                 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-                if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) {
+                if (!access_ok((void __user *)vaddr, 4)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGSEGV;
                         break;
@@ -1497,7 +1497,7 @@ fpu_emul:
 
                 rt = regs->regs[MIPSInst_RT(inst)];
                 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-                if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) {
+                if (!access_ok((void __user *)vaddr, 8)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGSEGV;
                         break;
@@ -1616,7 +1616,7 @@ fpu_emul:
 
                 rt = regs->regs[MIPSInst_RT(inst)];
                 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-                if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) {
+                if (!access_ok((void __user *)vaddr, 8)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGSEGV;
                         break;
@@ -1735,7 +1735,7 @@ fpu_emul:
 
                 rt = regs->regs[MIPSInst_RT(inst)];
                 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-                if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) {
+                if (!access_ok((void __user *)vaddr, 8)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGSEGV;
                         break;
@@ -1853,7 +1853,7 @@ fpu_emul:
 
                 rt = regs->regs[MIPSInst_RT(inst)];
                 vaddr = regs->regs[MIPSInst_RS(inst)] + MIPSInst_SIMM(inst);
-                if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) {
+                if (!access_ok((void __user *)vaddr, 8)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGSEGV;
                         break;
@@ -1970,7 +1970,7 @@ fpu_emul:
                         err = SIGBUS;
                         break;
                 }
-                if (!access_ok(VERIFY_READ, (void __user *)vaddr, 4)) {
+                if (!access_ok((void __user *)vaddr, 4)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGBUS;
                         break;
@@ -2026,7 +2026,7 @@ fpu_emul:
                         err = SIGBUS;
                         break;
                 }
-                if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 4)) {
+                if (!access_ok((void __user *)vaddr, 4)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGBUS;
                         break;
@@ -2089,7 +2089,7 @@ fpu_emul:
                         err = SIGBUS;
                         break;
                 }
-                if (!access_ok(VERIFY_READ, (void __user *)vaddr, 8)) {
+                if (!access_ok((void __user *)vaddr, 8)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGBUS;
                         break;
@@ -2150,7 +2150,7 @@ fpu_emul:
                         err = SIGBUS;
                         break;
                 }
-                if (!access_ok(VERIFY_WRITE, (void __user *)vaddr, 8)) {
+                if (!access_ok((void __user *)vaddr, 8)) {
                         current->thread.cp0_baduaddr = vaddr;
                         err = SIGBUS;
                         break;
diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
index ea54575255ea..0057c910bc2f 100644
--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -71,7 +71,7 @@ int ptrace_getregs(struct task_struct *child, struct user_pt_regs __user *data)
         struct pt_regs *regs;
         int i;
 
-        if (!access_ok(VERIFY_WRITE, data, 38 * 8))
+        if (!access_ok(data, 38 * 8))
                 return -EIO;
 
         regs = task_pt_regs(child);
@@ -98,7 +98,7 @@ int ptrace_setregs(struct task_struct *child, struct user_pt_regs __user *data)
         struct pt_regs *regs;
         int i;
 
-        if (!access_ok(VERIFY_READ, data, 38 * 8))
+        if (!access_ok(data, 38 * 8))
                 return -EIO;
 
         regs = task_pt_regs(child);
@@ -125,7 +125,7 @@ int ptrace_get_watch_regs(struct task_struct *child,
 
         if (!cpu_has_watch || boot_cpu_data.watch_reg_use_cnt == 0)
                 return -EIO;
-        if (!access_ok(VERIFY_WRITE, addr, sizeof(struct pt_watch_regs)))
+        if (!access_ok(addr, sizeof(struct pt_watch_regs)))
                 return -EIO;
 
 #ifdef CONFIG_32BIT
@@ -167,7 +167,7 @@ int ptrace_set_watch_regs(struct task_struct *child,
 
         if (!cpu_has_watch || boot_cpu_data.watch_reg_use_cnt == 0)
                 return -EIO;
-        if (!access_ok(VERIFY_READ, addr, sizeof(struct pt_watch_regs)))
+        if (!access_ok(addr, sizeof(struct pt_watch_regs)))
                 return -EIO;
         /* Check the values. */
         for (i = 0; i < boot_cpu_data.watch_reg_use_cnt; i++) {
@@ -359,7 +359,7 @@ int ptrace_getfpregs(struct task_struct *child, __u32 __user *data)
 {
         int i;
 
-        if (!access_ok(VERIFY_WRITE, data, 33 * 8))
+        if (!access_ok(data, 33 * 8))
                 return -EIO;
 
         if (tsk_used_math(child)) {
@@ -385,7 +385,7 @@ int ptrace_setfpregs(struct task_struct *child, __u32 __user *data)
         u32 value;
         int i;
 
-        if (!access_ok(VERIFY_READ, data, 33 * 8))
+        if (!access_ok(data, 33 * 8))
                 return -EIO;
 
         init_fp_ctx(child);
diff --git a/arch/mips/kernel/signal.c b/arch/mips/kernel/signal.c
index d3a23758592c..d75337974ee9 100644
--- a/arch/mips/kernel/signal.c
+++ b/arch/mips/kernel/signal.c
@@ -590,7 +590,7 @@ SYSCALL_DEFINE3(sigaction, int, sig, const struct sigaction __user *, act,
         if (act) {
                 old_sigset_t mask;
 
-                if (!access_ok(VERIFY_READ, act, sizeof(*act)))
+                if (!access_ok(act, sizeof(*act)))
                         return -EFAULT;
                 err |= __get_user(new_ka.sa.sa_handler, &act->sa_handler);
                 err |= __get_user(new_ka.sa.sa_flags, &act->sa_flags);
@@ -604,7 +604,7 @@ SYSCALL_DEFINE3(sigaction, int, sig, const struct sigaction __user *, act,
         ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
         if (!ret && oact) {
-                if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)))
+                if (!access_ok(oact, sizeof(*oact)))
                         return -EFAULT;
                 err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
                 err |= __put_user(old_ka.sa.sa_handler, &oact->sa_handler);
@@ -630,7 +630,7 @@ asmlinkage void sys_sigreturn(void)
 
         regs = current_pt_regs();
         frame = (struct sigframe __user *)regs->regs[29];
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&blocked, &frame->sf_mask, sizeof(blocked)))
                 goto badframe;
@@ -667,7 +667,7 @@ asmlinkage void sys_rt_sigreturn(void)
 
         regs = current_pt_regs();
         frame = (struct rt_sigframe __user *)regs->regs[29];
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->rs_uc.uc_sigmask, sizeof(set)))
                 goto badframe;
@@ -705,7 +705,7 @@ static int setup_frame(void *sig_return, struct ksignal *ksig,
         int err = 0;
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
-        if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 return -EFAULT;
 
         err |= setup_sigcontext(regs, &frame->sf_sc);
@@ -744,7 +744,7 @@ static int setup_rt_frame(void *sig_return, struct ksignal *ksig,
         int err = 0;
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
-        if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 return -EFAULT;
 
         /* Create siginfo.  */
diff --git a/arch/mips/kernel/signal32.c b/arch/mips/kernel/signal32.c
index b5d9e1784aff..59b8965433c2 100644
--- a/arch/mips/kernel/signal32.c
+++ b/arch/mips/kernel/signal32.c
@@ -46,7 +46,7 @@ SYSCALL_DEFINE3(32_sigaction, long, sig, const struct compat_sigaction __user *,
                 old_sigset_t mask;
                 s32 handler;
 
-                if (!access_ok(VERIFY_READ, act, sizeof(*act)))
+                if (!access_ok(act, sizeof(*act)))
                         return -EFAULT;
                 err |= __get_user(handler, &act->sa_handler);
                 new_ka.sa.sa_handler = (void __user *)(s64)handler;
@@ -61,7 +61,7 @@ SYSCALL_DEFINE3(32_sigaction, long, sig, const struct compat_sigaction __user *,
         ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
         if (!ret && oact) {
-                if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)))
+                if (!access_ok(oact, sizeof(*oact)))
                         return -EFAULT;
                 err |= __put_user(old_ka.sa.sa_flags, &oact->sa_flags);
                 err |= __put_user((u32)(u64)old_ka.sa.sa_handler,
diff --git a/arch/mips/kernel/signal_n32.c b/arch/mips/kernel/signal_n32.c
index 8f65aaf9206d..c498b027823e 100644
--- a/arch/mips/kernel/signal_n32.c
+++ b/arch/mips/kernel/signal_n32.c
@@ -73,7 +73,7 @@ asmlinkage void sysn32_rt_sigreturn(void)
 
         regs = current_pt_regs();
         frame = (struct rt_sigframe_n32 __user *)regs->regs[29];
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_conv_sigset_from_user(&set, &frame->rs_uc.uc_sigmask))
                 goto badframe;
@@ -110,7 +110,7 @@ static int setup_rt_frame_n32(void *sig_return, struct ksignal *ksig,
         int err = 0;
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
-        if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 return -EFAULT;
 
         /* Create siginfo.  */
diff --git a/arch/mips/kernel/signal_o32.c b/arch/mips/kernel/signal_o32.c
index b6e3ddef48a0..df259618e834 100644
--- a/arch/mips/kernel/signal_o32.c
+++ b/arch/mips/kernel/signal_o32.c
@@ -118,7 +118,7 @@ static int setup_frame_32(void *sig_return, struct ksignal *ksig,
         int err = 0;
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
-        if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 return -EFAULT;
 
         err |= setup_sigcontext32(regs, &frame->sf_sc);
@@ -160,7 +160,7 @@ asmlinkage void sys32_rt_sigreturn(void)
 
         regs = current_pt_regs();
         frame = (struct rt_sigframe32 __user *)regs->regs[29];
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_conv_sigset_from_user(&set, &frame->rs_uc.uc_sigmask))
                 goto badframe;
@@ -197,7 +197,7 @@ static int setup_rt_frame_32(void *sig_return, struct ksignal *ksig,
         int err = 0;
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
-        if (!access_ok(VERIFY_WRITE, frame, sizeof (*frame)))
+        if (!access_ok(frame, sizeof (*frame)))
                 return -EFAULT;
 
         /* Convert (siginfo_t -> compat_siginfo_t) and copy to user. */
@@ -262,7 +262,7 @@ asmlinkage void sys32_sigreturn(void)
 
         regs = current_pt_regs();
         frame = (struct sigframe32 __user *)regs->regs[29];
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_conv_sigset_from_user(&blocked, &frame->sf_mask))
                 goto badframe;
diff --git a/arch/mips/kernel/syscall.c b/arch/mips/kernel/syscall.c
index 41a0db08cd37..b6dc78ad5d8c 100644
--- a/arch/mips/kernel/syscall.c
+++ b/arch/mips/kernel/syscall.c
@@ -101,7 +101,7 @@ static inline int mips_atomic_set(unsigned long addr, unsigned long new)
         if (unlikely(addr & 3))
                 return -EINVAL;
 
-        if (unlikely(!access_ok(VERIFY_WRITE, (const void __user *)addr, 4)))
+        if (unlikely(!access_ok((const void __user *)addr, 4)))
                 return -EINVAL;
 
         if (cpu_has_llsc && R10000_LLSC_WAR) {
diff --git a/arch/mips/kernel/unaligned.c b/arch/mips/kernel/unaligned.c
index c60e7719ef77..595ca9c85111 100644
--- a/arch/mips/kernel/unaligned.c
+++ b/arch/mips/kernel/unaligned.c
@@ -936,7 +936,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                 if (insn.dsp_format.func == lx_op) {
                         switch (insn.dsp_format.op) {
                         case lwx_op:
-                                if (!access_ok(VERIFY_READ, addr, 4))
+                                if (!access_ok(addr, 4))
                                         goto sigbus;
                                 LoadW(addr, value, res);
                                 if (res)
@@ -945,7 +945,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                 regs->regs[insn.dsp_format.rd] = value;
                                 break;
                         case lhx_op:
-                                if (!access_ok(VERIFY_READ, addr, 2))
+                                if (!access_ok(addr, 2))
                                         goto sigbus;
                                 LoadHW(addr, value, res);
                                 if (res)
@@ -968,7 +968,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                         set_fs(USER_DS);
                         switch (insn.spec3_format.func) {
                         case lhe_op:
-                                if (!access_ok(VERIFY_READ, addr, 2)) {
+                                if (!access_ok(addr, 2)) {
                                         set_fs(seg);
                                         goto sigbus;
                                 }
@@ -981,7 +981,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                 regs->regs[insn.spec3_format.rt] = value;
                                 break;
                         case lwe_op:
-                                if (!access_ok(VERIFY_READ, addr, 4)) {
+                                if (!access_ok(addr, 4)) {
                                         set_fs(seg);
                                         goto sigbus;
                                 }
@@ -994,7 +994,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                 regs->regs[insn.spec3_format.rt] = value;
                                 break;
                         case lhue_op:
-                                if (!access_ok(VERIFY_READ, addr, 2)) {
+                                if (!access_ok(addr, 2)) {
                                         set_fs(seg);
                                         goto sigbus;
                                 }
@@ -1007,7 +1007,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                 regs->regs[insn.spec3_format.rt] = value;
                                 break;
                         case she_op:
-                                if (!access_ok(VERIFY_WRITE, addr, 2)) {
+                                if (!access_ok(addr, 2)) {
                                         set_fs(seg);
                                         goto sigbus;
                                 }
@@ -1020,7 +1020,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                                 }
                                 break;
                         case swe_op:
-                                if (!access_ok(VERIFY_WRITE, addr, 4)) {
+                                if (!access_ok(addr, 4)) {
                                         set_fs(seg);
                                         goto sigbus;
                                 }
@@ -1041,7 +1041,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
 #endif
                 break;
         case lh_op:
-                if (!access_ok(VERIFY_READ, addr, 2))
+                if (!access_ok(addr, 2))
                         goto sigbus;
 
                 if (IS_ENABLED(CONFIG_EVA)) {
@@ -1060,7 +1060,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                 break;
 
         case lw_op:
-                if (!access_ok(VERIFY_READ, addr, 4))
+                if (!access_ok(addr, 4))
                         goto sigbus;
 
                 if (IS_ENABLED(CONFIG_EVA)) {
@@ -1079,7 +1079,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                 break;
 
         case lhu_op:
-                if (!access_ok(VERIFY_READ, addr, 2))
+                if (!access_ok(addr, 2))
                         goto sigbus;
 
                 if (IS_ENABLED(CONFIG_EVA)) {
@@ -1106,7 +1106,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                  * would blow up, so for now we don't handle unaligned 64-bit
                  * instructions on 32-bit kernels.
                  */
-                if (!access_ok(VERIFY_READ, addr, 4))
+                if (!access_ok(addr, 4))
                         goto sigbus;
 
                 LoadWU(addr, value, res);
@@ -1129,7 +1129,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                  * would blow up, so for now we don't handle unaligned 64-bit
                  * instructions on 32-bit kernels.
                  */
-                if (!access_ok(VERIFY_READ, addr, 8))
+                if (!access_ok(addr, 8))
                         goto sigbus;
 
                 LoadDW(addr, value, res);
@@ -1144,7 +1144,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                 goto sigill;
 
         case sh_op:
-                if (!access_ok(VERIFY_WRITE, addr, 2))
+                if (!access_ok(addr, 2))
                         goto sigbus;
 
                 compute_return_epc(regs);
@@ -1164,7 +1164,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                 break;
 
         case sw_op:
-                if (!access_ok(VERIFY_WRITE, addr, 4))
+                if (!access_ok(addr, 4))
                         goto sigbus;
 
                 compute_return_epc(regs);
@@ -1192,7 +1192,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                  * would blow up, so for now we don't handle unaligned 64-bit
                  * instructions on 32-bit kernels.
                  */
-                if (!access_ok(VERIFY_WRITE, addr, 8))
+                if (!access_ok(addr, 8))
                         goto sigbus;
 
                 compute_return_epc(regs);
@@ -1254,7 +1254,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
 
                 switch (insn.msa_mi10_format.func) {
                 case msa_ld_op:
-                        if (!access_ok(VERIFY_READ, addr, sizeof(*fpr)))
+                        if (!access_ok(addr, sizeof(*fpr)))
                                 goto sigbus;
 
                         do {
@@ -1290,7 +1290,7 @@ static void emulate_load_store_insn(struct pt_regs *regs,
                         break;
 
                 case msa_st_op:
-                        if (!access_ok(VERIFY_WRITE, addr, sizeof(*fpr)))
+                        if (!access_ok(addr, sizeof(*fpr)))
                                 goto sigbus;
 
                         /*
@@ -1463,7 +1463,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                         if (reg == 31)
                                 goto sigbus;
 
-                        if (!access_ok(VERIFY_READ, addr, 8))
+                        if (!access_ok(addr, 8))
                                 goto sigbus;
 
                         LoadW(addr, value, res);
@@ -1482,7 +1482,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                         if (reg == 31)
                                 goto sigbus;
 
-                        if (!access_ok(VERIFY_WRITE, addr, 8))
+                        if (!access_ok(addr, 8))
                                 goto sigbus;
 
                         value = regs->regs[reg];
@@ -1502,7 +1502,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                         if (reg == 31)
                                 goto sigbus;
 
-                        if (!access_ok(VERIFY_READ, addr, 16))
+                        if (!access_ok(addr, 16))
                                 goto sigbus;
 
                         LoadDW(addr, value, res);
@@ -1525,7 +1525,7 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                         if (reg == 31)
                                 goto sigbus;
 
-                        if (!access_ok(VERIFY_WRITE, addr, 16))
+                        if (!access_ok(addr, 16))
                                 goto sigbus;
 
                         value = regs->regs[reg];
@@ -1548,11 +1548,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                         if ((rvar > 9) || !reg)
                                 goto sigill;
                         if (reg & 0x10) {
-                                if (!access_ok
-                                    (VERIFY_READ, addr, 4 * (rvar + 1)))
+                                if (!access_ok(addr, 4 * (rvar + 1)))
                                         goto sigbus;
                         } else {
-                                if (!access_ok(VERIFY_READ, addr, 4 * rvar))
+                                if (!access_ok(addr, 4 * rvar))
                                         goto sigbus;
                         }
                         if (rvar == 9)
@@ -1585,11 +1584,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                         if ((rvar > 9) || !reg)
                                 goto sigill;
                         if (reg & 0x10) {
-                                if (!access_ok
-                                    (VERIFY_WRITE, addr, 4 * (rvar + 1)))
+                                if (!access_ok(addr, 4 * (rvar + 1)))
                                         goto sigbus;
                         } else {
-                                if (!access_ok(VERIFY_WRITE, addr, 4 * rvar))
+                                if (!access_ok(addr, 4 * rvar))
                                         goto sigbus;
                         }
                         if (rvar == 9)
@@ -1623,11 +1621,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                         if ((rvar > 9) || !reg)
                                 goto sigill;
                         if (reg & 0x10) {
-                                if (!access_ok
-                                    (VERIFY_READ, addr, 8 * (rvar + 1)))
+                                if (!access_ok(addr, 8 * (rvar + 1)))
                                         goto sigbus;
                         } else {
-                                if (!access_ok(VERIFY_READ, addr, 8 * rvar))
+                                if (!access_ok(addr, 8 * rvar))
                                         goto sigbus;
                         }
                         if (rvar == 9)
@@ -1665,11 +1662,10 @@ static void emulate_load_store_microMIPS(struct pt_regs *regs,
                         if ((rvar > 9) || !reg)
                                 goto sigill;
                         if (reg & 0x10) {
-                                if (!access_ok
-                                    (VERIFY_WRITE, addr, 8 * (rvar + 1)))
+                                if (!access_ok(addr, 8 * (rvar + 1)))
                                         goto sigbus;
                         } else {
-                                if (!access_ok(VERIFY_WRITE, addr, 8 * rvar))
+                                if (!access_ok(addr, 8 * rvar))
                                         goto sigbus;
                         }
                         if (rvar == 9)
@@ -1788,7 +1784,7 @@ fpu_emul:
                 case mm_lwm16_op:
                         reg = insn.mm16_m_format.rlist;
                         rvar = reg + 1;
-                        if (!access_ok(VERIFY_READ, addr, 4 * rvar))
+                        if (!access_ok(addr, 4 * rvar))
                                 goto sigbus;
 
                         for (i = 16; rvar; rvar--, i++) {
@@ -1808,7 +1804,7 @@ fpu_emul:
                 case mm_swm16_op:
                         reg = insn.mm16_m_format.rlist;
                         rvar = reg + 1;
-                        if (!access_ok(VERIFY_WRITE, addr, 4 * rvar))
+                        if (!access_ok(addr, 4 * rvar))
                                 goto sigbus;
 
                         for (i = 16; rvar; rvar--, i++) {
@@ -1862,7 +1858,7 @@ fpu_emul:
         }
 
 loadHW:
-        if (!access_ok(VERIFY_READ, addr, 2))
+        if (!access_ok(addr, 2))
                 goto sigbus;
 
         LoadHW(addr, value, res);
@@ -1872,7 +1868,7 @@ loadHW:
         goto success;
 
 loadHWU:
-        if (!access_ok(VERIFY_READ, addr, 2))
+        if (!access_ok(addr, 2))
                 goto sigbus;
 
         LoadHWU(addr, value, res);
@@ -1882,7 +1878,7 @@ loadHWU:
         goto success;
 
 loadW:
-        if (!access_ok(VERIFY_READ, addr, 4))
+        if (!access_ok(addr, 4))
                 goto sigbus;
 
         LoadW(addr, value, res);
@@ -1900,7 +1896,7 @@ loadWU:
          * would blow up, so for now we don't handle unaligned 64-bit
          * instructions on 32-bit kernels.
          */
-        if (!access_ok(VERIFY_READ, addr, 4))
+        if (!access_ok(addr, 4))
                 goto sigbus;
 
         LoadWU(addr, value, res);
@@ -1922,7 +1918,7 @@ loadDW:
          * would blow up, so for now we don't handle unaligned 64-bit
          * instructions on 32-bit kernels.
          */
-        if (!access_ok(VERIFY_READ, addr, 8))
+        if (!access_ok(addr, 8))
                 goto sigbus;
 
         LoadDW(addr, value, res);
@@ -1936,7 +1932,7 @@ loadDW:
         goto sigill;
 
 storeHW:
-        if (!access_ok(VERIFY_WRITE, addr, 2))
+        if (!access_ok(addr, 2))
                 goto sigbus;
 
         value = regs->regs[reg];
@@ -1946,7 +1942,7 @@ storeHW:
         goto success;
 
 storeW:
-        if (!access_ok(VERIFY_WRITE, addr, 4))
+        if (!access_ok(addr, 4))
                 goto sigbus;
 
         value = regs->regs[reg];
@@ -1964,7 +1960,7 @@ storeDW:
          * would blow up, so for now we don't handle unaligned 64-bit
          * instructions on 32-bit kernels.
          */
-        if (!access_ok(VERIFY_WRITE, addr, 8))
+        if (!access_ok(addr, 8))
                 goto sigbus;
 
         value = regs->regs[reg];
@@ -2122,7 +2118,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
                 goto sigbus;
 
         case MIPS16e_lh_op:
-                if (!access_ok(VERIFY_READ, addr, 2))
+                if (!access_ok(addr, 2))
                         goto sigbus;
 
                 LoadHW(addr, value, res);
@@ -2133,7 +2129,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
                 break;
 
         case MIPS16e_lhu_op:
-                if (!access_ok(VERIFY_READ, addr, 2))
+                if (!access_ok(addr, 2))
                         goto sigbus;
 
                 LoadHWU(addr, value, res);
@@ -2146,7 +2142,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
         case MIPS16e_lw_op:
         case MIPS16e_lwpc_op:
         case MIPS16e_lwsp_op:
-                if (!access_ok(VERIFY_READ, addr, 4))
+                if (!access_ok(addr, 4))
                         goto sigbus;
 
                 LoadW(addr, value, res);
@@ -2165,7 +2161,7 @@ static void emulate_load_store_MIPS16e(struct pt_regs *regs, void __user * addr)
                  * would blow up, so for now we don't handle unaligned 64-bit
                  * instructions on 32-bit kernels.
                  */
-                if (!access_ok(VERIFY_READ, addr, 4))
+                if (!access_ok(addr, 4))
                         goto sigbus;
 
                 LoadWU(addr, value, res);
@@ -2189,7 +2185,7 @@ loadDW:
                  * would blow up, so for now we don't handle unaligned 64-bit
                  * instructions on 32-bit kernels.
                  */
-                if (!access_ok(VERIFY_READ, addr, 8))
+                if (!access_ok(addr, 8))
                         goto sigbus;
 
                 LoadDW(addr, value, res);
@@ -2204,7 +2200,7 @@ loadDW:
                 goto sigill;
 
         case MIPS16e_sh_op:
-                if (!access_ok(VERIFY_WRITE, addr, 2))
+                if (!access_ok(addr, 2))
                         goto sigbus;
 
                 MIPS16e_compute_return_epc(regs, &oldinst);
@@ -2217,7 +2213,7 @@ loadDW:
         case MIPS16e_sw_op:
         case MIPS16e_swsp_op:
         case MIPS16e_i8_op:     /* actually - MIPS16e_swrasp_func */
-                if (!access_ok(VERIFY_WRITE, addr, 4))
+                if (!access_ok(addr, 4))
                         goto sigbus;
 
                 MIPS16e_compute_return_epc(regs, &oldinst);
@@ -2237,7 +2233,7 @@ writeDW:
                  * would blow up, so for now we don't handle unaligned 64-bit
                  * instructions on 32-bit kernels.
                  */
-                if (!access_ok(VERIFY_WRITE, addr, 8))
+                if (!access_ok(addr, 8))
                         goto sigbus;
 
                 MIPS16e_compute_return_epc(regs, &oldinst);
diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
index 82e2993c1a2c..e60e29078ef5 100644
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -1063,7 +1063,7 @@ emul:
                                      MIPSInst_SIMM(ir));
                 MIPS_FPU_EMU_INC_STATS(loads);
 
-                if (!access_ok(VERIFY_READ, dva, sizeof(u64))) {
+                if (!access_ok(dva, sizeof(u64))) {
                         MIPS_FPU_EMU_INC_STATS(errors);
                         *fault_addr = dva;
                         return SIGBUS;
@@ -1081,7 +1081,7 @@ emul:
                                       MIPSInst_SIMM(ir));
                 MIPS_FPU_EMU_INC_STATS(stores);
                 DIFROMREG(dval, MIPSInst_RT(ir));
-                if (!access_ok(VERIFY_WRITE, dva, sizeof(u64))) {
+                if (!access_ok(dva, sizeof(u64))) {
                         MIPS_FPU_EMU_INC_STATS(errors);
                         *fault_addr = dva;
                         return SIGBUS;
@@ -1097,7 +1097,7 @@ emul:
                 wva = (u32 __user *) (xcp->regs[MIPSInst_RS(ir)] +
                                       MIPSInst_SIMM(ir));
                 MIPS_FPU_EMU_INC_STATS(loads);
-                if (!access_ok(VERIFY_READ, wva, sizeof(u32))) {
+                if (!access_ok(wva, sizeof(u32))) {
                         MIPS_FPU_EMU_INC_STATS(errors);
                         *fault_addr = wva;
                         return SIGBUS;
@@ -1115,7 +1115,7 @@ emul:
                                       MIPSInst_SIMM(ir));
                 MIPS_FPU_EMU_INC_STATS(stores);
                 SIFROMREG(wval, MIPSInst_RT(ir));
-                if (!access_ok(VERIFY_WRITE, wva, sizeof(u32))) {
+                if (!access_ok(wva, sizeof(u32))) {
                         MIPS_FPU_EMU_INC_STATS(errors);
                         *fault_addr = wva;
                         return SIGBUS;
@@ -1493,7 +1493,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                                 xcp->regs[MIPSInst_FT(ir)]);
 
                         MIPS_FPU_EMU_INC_STATS(loads);
-                        if (!access_ok(VERIFY_READ, va, sizeof(u32))) {
+                        if (!access_ok(va, sizeof(u32))) {
                                 MIPS_FPU_EMU_INC_STATS(errors);
                                 *fault_addr = va;
                                 return SIGBUS;
@@ -1513,7 +1513,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                         MIPS_FPU_EMU_INC_STATS(stores);
 
                         SIFROMREG(val, MIPSInst_FS(ir));
-                        if (!access_ok(VERIFY_WRITE, va, sizeof(u32))) {
+                        if (!access_ok(va, sizeof(u32))) {
                                 MIPS_FPU_EMU_INC_STATS(errors);
                                 *fault_addr = va;
                                 return SIGBUS;
@@ -1590,7 +1590,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                                 xcp->regs[MIPSInst_FT(ir)]);
 
                         MIPS_FPU_EMU_INC_STATS(loads);
-                        if (!access_ok(VERIFY_READ, va, sizeof(u64))) {
+                        if (!access_ok(va, sizeof(u64))) {
                                 MIPS_FPU_EMU_INC_STATS(errors);
                                 *fault_addr = va;
                                 return SIGBUS;
@@ -1609,7 +1609,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 
                         MIPS_FPU_EMU_INC_STATS(stores);
                         DIFROMREG(val, MIPSInst_FS(ir));
-                        if (!access_ok(VERIFY_WRITE, va, sizeof(u64))) {
+                        if (!access_ok(va, sizeof(u64))) {
                                 MIPS_FPU_EMU_INC_STATS(errors);
                                 *fault_addr = va;
                                 return SIGBUS;
diff --git a/arch/mips/mm/cache.c b/arch/mips/mm/cache.c
index 70a523151ff3..55099fbff4e6 100644
--- a/arch/mips/mm/cache.c
+++ b/arch/mips/mm/cache.c
@@ -76,7 +76,7 @@ SYSCALL_DEFINE3(cacheflush, unsigned long, addr, unsigned long, bytes,
 {
         if (bytes == 0)
                 return 0;
-        if (!access_ok(VERIFY_WRITE, (void __user *) addr, bytes))
+        if (!access_ok((void __user *) addr, bytes))
                 return -EFAULT;
 
         __flush_icache_user_range(addr, addr + bytes);
diff --git a/arch/mips/mm/gup.c b/arch/mips/mm/gup.c
index 5a4875cac1ec..0d14e0d8eacf 100644
--- a/arch/mips/mm/gup.c
+++ b/arch/mips/mm/gup.c
@@ -195,8 +195,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
         addr = start;
         len = (unsigned long) nr_pages << PAGE_SHIFT;
         end = start + len;
-        if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
-                                        (void __user *)start, len)))
+        if (unlikely(!access_ok((void __user *)start, len)))
                 return 0;
 
         /*
diff --git a/arch/mips/oprofile/backtrace.c b/arch/mips/oprofile/backtrace.c
index 806fb798091f..07d98ba7f49e 100644
--- a/arch/mips/oprofile/backtrace.c
+++ b/arch/mips/oprofile/backtrace.c
@@ -19,7 +19,7 @@ struct stackframe {
 static inline int get_mem(unsigned long addr, unsigned long *result)
 {
         unsigned long *address = (unsigned long *) addr;
-        if (!access_ok(VERIFY_READ, address, sizeof(unsigned long)))
+        if (!access_ok(address, sizeof(unsigned long)))
                 return -1;
         if (__copy_from_user_inatomic(result, address, sizeof(unsigned long)))
                 return -3;
diff --git a/arch/mips/sibyte/common/sb_tbprof.c b/arch/mips/sibyte/common/sb_tbprof.c
index 99c720be72d2..9ff26b0cd3b6 100644
--- a/arch/mips/sibyte/common/sb_tbprof.c
+++ b/arch/mips/sibyte/common/sb_tbprof.c
@@ -458,7 +458,7 @@ static ssize_t sbprof_tb_read(struct file *filp, char *buf,
         char *dest    =  buf;
         long  cur_off = *offp;
 
-        if (!access_ok(VERIFY_WRITE, buf, size))
+        if (!access_ok(buf, size))
                 return -EFAULT;
 
         mutex_lock(&sbp.lock);
diff --git a/arch/nds32/include/asm/futex.h b/arch/nds32/include/asm/futex.h
index cb6cb91cfdf8..baf178bf1d0b 100644
--- a/arch/nds32/include/asm/futex.h
+++ b/arch/nds32/include/asm/futex.h
@@ -40,7 +40,7 @@ futex_atomic_cmpxchg_inatomic(u32 * uval, u32 __user * uaddr,
         int ret = 0;
         u32 val, tmp, flags;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         smp_mb();
diff --git a/arch/nds32/include/asm/uaccess.h b/arch/nds32/include/asm/uaccess.h
index 362a32d9bd16..53dcb49b0b12 100644
--- a/arch/nds32/include/asm/uaccess.h
+++ b/arch/nds32/include/asm/uaccess.h
@@ -13,9 +13,6 @@
 #include <asm/types.h>
 #include <linux/mm.h>
 
-#define VERIFY_READ     0
-#define VERIFY_WRITE    1
-
 #define __asmeq(x, y)  ".ifnc " x "," y " ; .err ; .endif\n\t"
 
 /*
@@ -53,7 +50,7 @@ static inline void set_fs(mm_segment_t fs)
 
 #define __range_ok(addr, size) (size <= get_fs() && addr <= (get_fs() -size))
 
-#define access_ok(type, addr, size)     \
+#define access_ok(addr, size)   \
         __range_ok((unsigned long)addr, (unsigned long)size)
 /*
  * Single-value transfer routines.  They automatically use the right
@@ -94,7 +91,7 @@ static inline void set_fs(mm_segment_t fs)
 ({                                                                      \
         const __typeof__(*(ptr)) __user *__p = (ptr);                   \
         might_fault();                                                  \
-        if (access_ok(VERIFY_READ, __p, sizeof(*__p))) {                \
+        if (access_ok(__p, sizeof(*__p))) {             \
                 __get_user_err((x), __p, (err));                        \
         } else {                                                        \
                 (x) = 0; (err) = -EFAULT;                               \
@@ -189,7 +186,7 @@ do {									\
 ({                                                                      \
         __typeof__(*(ptr)) __user *__p = (ptr);                         \
         might_fault();                                                  \
-        if (access_ok(VERIFY_WRITE, __p, sizeof(*__p))) {               \
+        if (access_ok(__p, sizeof(*__p))) {             \
                 __put_user_err((x), __p, (err));                        \
         } else  {                                                       \
                 (err) = -EFAULT;                                        \
@@ -279,7 +276,7 @@ extern unsigned long __arch_copy_to_user(void __user * to, const void *from,
 #define INLINE_COPY_TO_USER
 static inline unsigned long clear_user(void __user * to, unsigned long n)
 {
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(to, n))
                 n = __arch_clear_user(to, n);
         return n;
 }
diff --git a/arch/nds32/kernel/perf_event_cpu.c b/arch/nds32/kernel/perf_event_cpu.c
index 5e00ce54d0ff..334c2a6cec23 100644
--- a/arch/nds32/kernel/perf_event_cpu.c
+++ b/arch/nds32/kernel/perf_event_cpu.c
@@ -1306,7 +1306,7 @@ user_backtrace(struct perf_callchain_entry_ctx *entry, unsigned long fp)
                 (unsigned long *)(fp - (unsigned long)sizeof(buftail));
 
         /* Check accessibility of one struct frame_tail beyond */
-        if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(buftail)))
+        if (!access_ok(user_frame_tail, sizeof(buftail)))
                 return 0;
         if (__copy_from_user_inatomic
                 (&buftail, user_frame_tail, sizeof(buftail)))
@@ -1332,7 +1332,7 @@ user_backtrace_opt_size(struct perf_callchain_entry_ctx *entry,
                 (unsigned long *)(fp - (unsigned long)sizeof(buftail));
 
         /* Check accessibility of one struct frame_tail beyond */
-        if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(buftail)))
+        if (!access_ok(user_frame_tail, sizeof(buftail)))
                 return 0;
         if (__copy_from_user_inatomic
                 (&buftail, user_frame_tail, sizeof(buftail)))
@@ -1386,7 +1386,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
                 user_frame_tail =
                         (unsigned long *)(fp - (unsigned long)sizeof(fp));
 
-                if (!access_ok(VERIFY_READ, user_frame_tail, sizeof(fp)))
+                if (!access_ok(user_frame_tail, sizeof(fp)))
                         return;
 
                 if (__copy_from_user_inatomic
@@ -1406,8 +1406,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
                                 (unsigned long *)(fp -
                                         (unsigned long)sizeof(buftail));
 
-                        if (!access_ok
-                                (VERIFY_READ, user_frame_tail, sizeof(buftail)))
+                        if (!access_ok(user_frame_tail, sizeof(buftail)))
                                 return;
 
                         if (__copy_from_user_inatomic
@@ -1424,7 +1423,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry,
                                         (unsigned long *)(fp - (unsigned long)
                                                 sizeof(buftail_opt_size));
 
-                                if (!access_ok(VERIFY_READ, user_frame_tail,
+                                if (!access_ok(user_frame_tail,
                                                sizeof(buftail_opt_size)))
                                         return;
 
diff --git a/arch/nds32/kernel/signal.c b/arch/nds32/kernel/signal.c
index 5b5be082cfa4..5f7660aa2d68 100644
--- a/arch/nds32/kernel/signal.c
+++ b/arch/nds32/kernel/signal.c
@@ -151,7 +151,7 @@ asmlinkage long sys_rt_sigreturn(struct pt_regs *regs)
 
         frame = (struct rt_sigframe __user *)regs->sp;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (restore_sigframe(regs, frame))
@@ -275,7 +275,7 @@ setup_rt_frame(struct ksignal *ksig, sigset_t * set, struct pt_regs *regs)
             get_sigframe(ksig, regs, sizeof(*frame));
         int err = 0;
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         __put_user_error(0, &frame->uc.uc_flags, err);
diff --git a/arch/nds32/mm/alignment.c b/arch/nds32/mm/alignment.c
index e1aed9dc692d..c8b9061a2ee3 100644
--- a/arch/nds32/mm/alignment.c
+++ b/arch/nds32/mm/alignment.c
@@ -289,13 +289,13 @@ static inline int do_16(unsigned long inst, struct pt_regs *regs)
                 unaligned_addr += shift;
 
         if (load) {
-                if (!access_ok(VERIFY_READ, (void *)unaligned_addr, len))
+                if (!access_ok((void *)unaligned_addr, len))
                         return -EACCES;
 
                 get_data(unaligned_addr, &target_val, len);
                 *idx_to_addr(regs, target_idx) = target_val;
         } else {
-                if (!access_ok(VERIFY_WRITE, (void *)unaligned_addr, len))
+                if (!access_ok((void *)unaligned_addr, len))
                         return -EACCES;
                 target_val = *idx_to_addr(regs, target_idx);
                 set_data((void *)unaligned_addr, target_val, len);
@@ -479,7 +479,7 @@ static inline int do_32(unsigned long inst, struct pt_regs *regs)
 
         if (load) {
 
-                if (!access_ok(VERIFY_READ, (void *)unaligned_addr, len))
+                if (!access_ok((void *)unaligned_addr, len))
                         return -EACCES;
 
                 get_data(unaligned_addr, &target_val, len);
@@ -491,7 +491,7 @@ static inline int do_32(unsigned long inst, struct pt_regs *regs)
                         *idx_to_addr(regs, RT(inst)) = target_val;
         } else {
 
-                if (!access_ok(VERIFY_WRITE, (void *)unaligned_addr, len))
+                if (!access_ok((void *)unaligned_addr, len))
                         return -EACCES;
 
                 target_val = *idx_to_addr(regs, RT(inst));
diff --git a/arch/nios2/include/asm/uaccess.h b/arch/nios2/include/asm/uaccess.h
index dfa3c7cb30b4..e0ea10806491 100644
--- a/arch/nios2/include/asm/uaccess.h
+++ b/arch/nios2/include/asm/uaccess.h
@@ -37,7 +37,7 @@
         (((signed long)(((long)get_fs().seg) &  \
                 ((long)(addr) | (((long)(addr)) + (len)) | (len)))) == 0)
 
-#define access_ok(type, addr, len)              \
+#define access_ok(addr, len)            \
         likely(__access_ok((unsigned long)(addr), (unsigned long)(len)))
 
 # define __EX_TABLE_SECTION     ".section __ex_table,\"a\"\n"
@@ -70,7 +70,7 @@ static inline unsigned long __must_check __clear_user(void __user *to,
 static inline unsigned long __must_check clear_user(void __user *to,
                                                     unsigned long n)
 {
-        if (!access_ok(VERIFY_WRITE, to, n))
+        if (!access_ok(to, n))
                 return n;
         return __clear_user(to, n);
 }
@@ -142,7 +142,7 @@ do {									\
         long __gu_err = -EFAULT;                                        \
         const __typeof__(*(ptr)) __user *__gu_ptr = (ptr);              \
         unsigned long __gu_val = 0;                                     \
-        if (access_ok(VERIFY_READ,  __gu_ptr, sizeof(*__gu_ptr)))       \
+        if (access_ok( __gu_ptr, sizeof(*__gu_ptr)))    \
                 __get_user_common(__gu_val, sizeof(*__gu_ptr),          \
                         __gu_ptr, __gu_err);                            \
         (x) = (__force __typeof__(x))__gu_val;                          \
@@ -168,7 +168,7 @@ do {									\
         long __pu_err = -EFAULT;                                        \
         __typeof__(*(ptr)) __user *__pu_ptr = (ptr);                    \
         __typeof__(*(ptr)) __pu_val = (__typeof(*ptr))(x);              \
-        if (access_ok(VERIFY_WRITE, __pu_ptr, sizeof(*__pu_ptr))) {     \
+        if (access_ok(__pu_ptr, sizeof(*__pu_ptr))) {   \
                 switch (sizeof(*__pu_ptr)) {                            \
                 case 1:                                                 \
                         __put_user_asm(__pu_val, "stb", __pu_ptr, __pu_err); \
diff --git a/arch/nios2/kernel/signal.c b/arch/nios2/kernel/signal.c
index 20662b0f6c9e..4a81876b6086 100644
--- a/arch/nios2/kernel/signal.c
+++ b/arch/nios2/kernel/signal.c
@@ -106,7 +106,7 @@ asmlinkage int do_rt_sigreturn(struct switch_stack *sw)
         sigset_t set;
         int rval;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
diff --git a/arch/openrisc/include/asm/futex.h b/arch/openrisc/include/asm/futex.h
index 618da4a1bffb..fe894e6331ae 100644
--- a/arch/openrisc/include/asm/futex.h
+++ b/arch/openrisc/include/asm/futex.h
@@ -72,7 +72,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         int ret = 0;
         u32 prev;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         __asm__ __volatile__ (                          \
diff --git a/arch/openrisc/include/asm/uaccess.h b/arch/openrisc/include/asm/uaccess.h
index bbf5c79cce7a..bc8191a34db7 100644
--- a/arch/openrisc/include/asm/uaccess.h
+++ b/arch/openrisc/include/asm/uaccess.h
@@ -58,7 +58,7 @@
 /* Ensure that addr is below task's addr_limit */
 #define __addr_ok(addr) ((unsigned long) addr < get_fs())
 
-#define access_ok(type, addr, size) \
+#define access_ok(addr, size) \
         __range_ok((unsigned long)addr, (unsigned long)size)
 
 /*
@@ -102,7 +102,7 @@ extern long __put_user_bad(void);
 ({                                                                      \
         long __pu_err = -EFAULT;                                        \
         __typeof__(*(ptr)) *__pu_addr = (ptr);                          \
-        if (access_ok(VERIFY_WRITE, __pu_addr, size))                   \
+        if (access_ok(__pu_addr, size))                 \
                 __put_user_size((x), __pu_addr, (size), __pu_err);      \
         __pu_err;                                                       \
 })
@@ -175,7 +175,7 @@ struct __large_struct {
 ({                                                                      \
         long __gu_err = -EFAULT, __gu_val = 0;                          \
         const __typeof__(*(ptr)) * __gu_addr = (ptr);                   \
-        if (access_ok(VERIFY_READ, __gu_addr, size))                    \
+        if (access_ok(__gu_addr, size))                 \
                 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
         (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
         __gu_err;                                                       \
@@ -254,7 +254,7 @@ extern unsigned long __clear_user(void *addr, unsigned long size);
 static inline __must_check unsigned long
 clear_user(void *addr, unsigned long size)
 {
-        if (likely(access_ok(VERIFY_WRITE, addr, size)))
+        if (likely(access_ok(addr, size)))
                 size = __clear_user(addr, size);
         return size;
 }
diff --git a/arch/openrisc/kernel/signal.c b/arch/openrisc/kernel/signal.c
index 265f10fb3930..5ac9d3b1d615 100644
--- a/arch/openrisc/kernel/signal.c
+++ b/arch/openrisc/kernel/signal.c
@@ -50,7 +50,7 @@ static int restore_sigcontext(struct pt_regs *regs,
 
         /*
          * Restore the regs from &sc->regs.
-         * (sc is already checked for VERIFY_READ since the sigframe was
+         * (sc is already checked since the sigframe was
          *  checked in sys_sigreturn previously)
          */
         err |= __copy_from_user(regs, sc->regs.gpr, 32 * sizeof(unsigned long));
@@ -83,7 +83,7 @@ asmlinkage long _sys_rt_sigreturn(struct pt_regs *regs)
         if (((long)frame) & 3)
                 goto badframe;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto badframe;
@@ -161,7 +161,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         /* Create siginfo.  */
diff --git a/arch/parisc/include/asm/futex.h b/arch/parisc/include/asm/futex.h
index cf7ba058f619..d2c3e4106851 100644
--- a/arch/parisc/include/asm/futex.h
+++ b/arch/parisc/include/asm/futex.h
@@ -95,7 +95,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         if (uaccess_kernel() && !uaddr)
                 return -EFAULT;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         /* HPPA has no cmpxchg in hardware and therefore the
diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
index ea70e36ce6af..30ac2865ea73 100644
--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -27,7 +27,7 @@
  * that put_user is the same as __put_user, etc.
  */
 
-#define access_ok(type, uaddr, size)    \
+#define access_ok(uaddr, size)  \
         ( (uaddr) == (uaddr) )
 
 #define put_user __put_user
diff --git a/arch/powerpc/include/asm/futex.h b/arch/powerpc/include/asm/futex.h
index 94542776a62d..88b38b37c21b 100644
--- a/arch/powerpc/include/asm/futex.h
+++ b/arch/powerpc/include/asm/futex.h
@@ -72,7 +72,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         int ret = 0;
         u32 prev;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         __asm__ __volatile__ (
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index ebc0b916dcf9..e3a731793ea2 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -62,8 +62,8 @@ static inline int __access_ok(unsigned long addr, unsigned long size,
 
 #endif
 
-#define access_ok(type, addr, size)             \
-        (__chk_user_ptr(addr), (void)(type),            \
+#define access_ok(addr, size)           \
+        (__chk_user_ptr(addr),          \
          __access_ok((__force unsigned long)(addr), (size), get_fs()))
 
 /*
@@ -166,7 +166,7 @@ do {								\
         long __pu_err = -EFAULT;                                        \
         __typeof__(*(ptr)) __user *__pu_addr = (ptr);                   \
         might_fault();                                                  \
-        if (access_ok(VERIFY_WRITE, __pu_addr, size))                   \
+        if (access_ok(__pu_addr, size))                 \
                 __put_user_size((x), __pu_addr, (size), __pu_err);      \
         __pu_err;                                                       \
 })
@@ -276,7 +276,7 @@ do {								\
         __long_type(*(ptr)) __gu_val = 0;                               \
         __typeof__(*(ptr)) __user *__gu_addr = (ptr);           \
         might_fault();                                                  \
-        if (access_ok(VERIFY_READ, __gu_addr, (size))) {                \
+        if (access_ok(__gu_addr, (size))) {             \
                 barrier_nospec();                                       \
                 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
         }                                                               \
@@ -374,7 +374,7 @@ extern unsigned long __clear_user(void __user *addr, unsigned long size);
 static inline unsigned long clear_user(void __user *addr, unsigned long size)
 {
         might_fault();
-        if (likely(access_ok(VERIFY_WRITE, addr, size)))
+        if (likely(access_ok(addr, size)))
                 return __clear_user(addr, size);
         return size;
 }
diff --git a/arch/powerpc/kernel/align.c b/arch/powerpc/kernel/align.c
index 11550a3d1ac2..0d1b6370bae0 100644
--- a/arch/powerpc/kernel/align.c
+++ b/arch/powerpc/kernel/align.c
@@ -131,8 +131,7 @@ static int emulate_spe(struct pt_regs *regs, unsigned int reg,
 
         /* Verify the address of the operand */
         if (unlikely(user_mode(regs) &&
-                     !access_ok((flags & ST ? VERIFY_WRITE : VERIFY_READ),
-                                addr, nb)))
+                     !access_ok(addr, nb)))
                 return -EFAULT;
 
         /* userland only */
diff --git a/arch/powerpc/kernel/rtas_flash.c b/arch/powerpc/kernel/rtas_flash.c
index 10fabae2574d..8246f437bbc6 100644
--- a/arch/powerpc/kernel/rtas_flash.c
+++ b/arch/powerpc/kernel/rtas_flash.c
@@ -523,7 +523,7 @@ static ssize_t validate_flash_write(struct file *file, const char __user *buf,
                 args_buf->status = VALIDATE_INCOMPLETE;
         }
 
-        if (!access_ok(VERIFY_READ, buf, count)) {
+        if (!access_ok(buf, count)) {
                 rc = -EFAULT;
                 goto done;
         }
diff --git a/arch/powerpc/kernel/rtasd.c b/arch/powerpc/kernel/rtasd.c
index 38cadae4ca4f..8a1746d755c9 100644
--- a/arch/powerpc/kernel/rtasd.c
+++ b/arch/powerpc/kernel/rtasd.c
@@ -335,7 +335,7 @@ static ssize_t rtas_log_read(struct file * file, char __user * buf,
 
         count = rtas_error_log_buffer_max;
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         tmp = kmalloc(count, GFP_KERNEL);
diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c
index b3e8db376ecd..e6c30cee6abf 100644
--- a/arch/powerpc/kernel/signal.c
+++ b/arch/powerpc/kernel/signal.c
@@ -44,7 +44,7 @@ void __user *get_sigframe(struct ksignal *ksig, unsigned long sp,
         newsp = (oldsp - frame_size) & ~0xFUL;
 
         /* Check access */
-        if (!access_ok(VERIFY_WRITE, (void __user *)newsp, oldsp - newsp))
+        if (!access_ok((void __user *)newsp, oldsp - newsp))
                 return NULL;
 
         return (void __user *)newsp;
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index 2d47cc79e5b3..ede4f04281ae 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -1017,7 +1017,7 @@ static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int
 #else
         if (__get_user(mcp, &ucp->uc_regs))
                 return -EFAULT;
-        if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp)))
+        if (!access_ok(mcp, sizeof(*mcp)))
                 return -EFAULT;
 #endif
         set_current_blocked(&set);
@@ -1120,7 +1120,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
                  */
                 mctx = (struct mcontext __user *)
                         ((unsigned long) &old_ctx->uc_mcontext & ~0xfUL);
-                if (!access_ok(VERIFY_WRITE, old_ctx, ctx_size)
+                if (!access_ok(old_ctx, ctx_size)
                     || save_user_regs(regs, mctx, NULL, 0, ctx_has_vsx_region)
                     || put_sigset_t(&old_ctx->uc_sigmask, &current->blocked)
                     || __put_user(to_user_ptr(mctx), &old_ctx->uc_regs))
@@ -1128,7 +1128,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
         }
         if (new_ctx == NULL)
                 return 0;
-        if (!access_ok(VERIFY_READ, new_ctx, ctx_size) ||
+        if (!access_ok(new_ctx, ctx_size) ||
             fault_in_pages_readable((u8 __user *)new_ctx, ctx_size))
                 return -EFAULT;
 
@@ -1169,7 +1169,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 
         rt_sf = (struct rt_sigframe __user *)
                 (regs->gpr[1] + __SIGNAL_FRAMESIZE + 16);
-        if (!access_ok(VERIFY_READ, rt_sf, sizeof(*rt_sf)))
+        if (!access_ok(rt_sf, sizeof(*rt_sf)))
                 goto bad;
 
 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
@@ -1315,7 +1315,7 @@ SYSCALL_DEFINE3(debug_setcontext, struct ucontext __user *, ctx,
         current->thread.debug.dbcr0 = new_dbcr0;
 #endif
 
-        if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx)) ||
+        if (!access_ok(ctx, sizeof(*ctx)) ||
             fault_in_pages_readable((u8 __user *)ctx, sizeof(*ctx)))
                 return -EFAULT;
 
@@ -1500,7 +1500,7 @@ SYSCALL_DEFINE0(sigreturn)
         {
                 sr = (struct mcontext __user *)from_user_ptr(sigctx.regs);
                 addr = sr;
-                if (!access_ok(VERIFY_READ, sr, sizeof(*sr))
+                if (!access_ok(sr, sizeof(*sr))
                     || restore_user_regs(regs, sr, 1))
                         goto badframe;
         }
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 0935fe6c282a..bd5e6834ca69 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -383,7 +383,7 @@ static long restore_sigcontext(struct task_struct *tsk, sigset_t *set, int sig,
         err |= __get_user(v_regs, &sc->v_regs);
         if (err)
                 return err;
-        if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128)))
+        if (v_regs && !access_ok(v_regs, 34 * sizeof(vector128)))
                 return -EFAULT;
         /* Copy 33 vec registers (vr0..31 and vscr) from the stack */
         if (v_regs != NULL && (msr & MSR_VEC) != 0) {
@@ -502,10 +502,9 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
         err |= __get_user(tm_v_regs, &tm_sc->v_regs);
         if (err)
                 return err;
-        if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128)))
+        if (v_regs && !access_ok(v_regs, 34 * sizeof(vector128)))
                 return -EFAULT;
-        if (tm_v_regs && !access_ok(VERIFY_READ,
-                                    tm_v_regs, 34 * sizeof(vector128)))
+        if (tm_v_regs && !access_ok(tm_v_regs, 34 * sizeof(vector128)))
                 return -EFAULT;
         /* Copy 33 vec registers (vr0..31 and vscr) from the stack */
         if (v_regs != NULL && tm_v_regs != NULL && (msr & MSR_VEC) != 0) {
@@ -671,7 +670,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
                 ctx_has_vsx_region = 1;
 
         if (old_ctx != NULL) {
-                if (!access_ok(VERIFY_WRITE, old_ctx, ctx_size)
+                if (!access_ok(old_ctx, ctx_size)
                     || setup_sigcontext(&old_ctx->uc_mcontext, current, 0, NULL, 0,
                                         ctx_has_vsx_region)
                     || __copy_to_user(&old_ctx->uc_sigmask,
@@ -680,7 +679,7 @@ SYSCALL_DEFINE3(swapcontext, struct ucontext __user *, old_ctx,
         }
         if (new_ctx == NULL)
                 return 0;
-        if (!access_ok(VERIFY_READ, new_ctx, ctx_size)
+        if (!access_ok(new_ctx, ctx_size)
             || __get_user(tmp, (u8 __user *) new_ctx)
             || __get_user(tmp, (u8 __user *) new_ctx + ctx_size - 1))
                 return -EFAULT;
@@ -725,7 +724,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
         /* Always make any pending restarted system calls return -EINTR */
         current->restart_block.fn = do_no_restart_syscall;
 
-        if (!access_ok(VERIFY_READ, uc, sizeof(*uc)))
+        if (!access_ok(uc, sizeof(*uc)))
                 goto badframe;
 
         if (__copy_from_user(&set, &uc->uc_sigmask, sizeof(set)))
diff --git a/arch/powerpc/kernel/syscalls.c b/arch/powerpc/kernel/syscalls.c
index 466216506eb2..e6982ab21816 100644
--- a/arch/powerpc/kernel/syscalls.c
+++ b/arch/powerpc/kernel/syscalls.c
@@ -89,7 +89,7 @@ ppc_select(int n, fd_set __user *inp, fd_set __user *outp, fd_set __user *exp, s
         if ( (unsigned long)n >= 4096 )
         {
                 unsigned long __user *buffer = (unsigned long __user *)n;
-                if (!access_ok(VERIFY_READ, buffer, 5*sizeof(unsigned long))
+                if (!access_ok(buffer, 5*sizeof(unsigned long))
                     || __get_user(n, buffer)
                     || __get_user(inp, ((fd_set __user * __user *)(buffer+1)))
                     || __get_user(outp, ((fd_set  __user * __user *)(buffer+2)))
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
index 00af2c4febf4..64936b60d521 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -837,7 +837,7 @@ static void p9_hmi_special_emu(struct pt_regs *regs)
         addr = (__force const void __user *)ea;
 
         /* Check it */
-        if (!access_ok(VERIFY_READ, addr, 16)) {
+        if (!access_ok(addr, 16)) {
                 pr_devel("HMI vec emu: bad access %i:%s[%d] nip=%016lx"
                          " instr=%08x addr=%016lx\n",
                          smp_processor_id(), current->comm, current->pid,
diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c
index 6f2d2fb4e098..bd2dcfbf00cd 100644
--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
+++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
@@ -1744,7 +1744,7 @@ static ssize_t kvm_htab_read(struct file *file, char __user *buf,
         int first_pass;
         unsigned long hpte[2];
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
         if (kvm_is_radix(kvm))
                 return 0;
@@ -1844,7 +1844,7 @@ static ssize_t kvm_htab_write(struct file *file, const char __user *buf,
         int mmu_ready;
         int pshift;
 
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
         if (kvm_is_radix(kvm))
                 return -EINVAL;
diff --git a/arch/powerpc/lib/checksum_wrappers.c b/arch/powerpc/lib/checksum_wrappers.c
index a0cb63fb76a1..890d4ddd91d6 100644
--- a/arch/powerpc/lib/checksum_wrappers.c
+++ b/arch/powerpc/lib/checksum_wrappers.c
@@ -37,7 +37,7 @@ __wsum csum_and_copy_from_user(const void __user *src, void *dst,
                 goto out;
         }
 
-        if (unlikely((len < 0) || !access_ok(VERIFY_READ, src, len))) {
+        if (unlikely((len < 0) || !access_ok(src, len))) {
                 *err_ptr = -EFAULT;
                 csum = (__force unsigned int)sum;
                 goto out;
@@ -78,7 +78,7 @@ __wsum csum_and_copy_to_user(const void *src, void __user *dst, int len,
                 goto out;
         }
 
-        if (unlikely((len < 0) || !access_ok(VERIFY_WRITE, dst, len))) {
+        if (unlikely((len < 0) || !access_ok(dst, len))) {
                 *err_ptr = -EFAULT;
                 csum = -1; /* invalid checksum */
                 goto out;
diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index a6dcfda3e11e..887f11bcf330 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -274,7 +274,7 @@ static bool bad_stack_expansion(struct pt_regs *regs, unsigned long address,
                         return false;
 
                 if ((flags & FAULT_FLAG_WRITE) && (flags & FAULT_FLAG_USER) &&
-                    access_ok(VERIFY_READ, nip, sizeof(*nip))) {
+                    access_ok(nip, sizeof(*nip))) {
                         unsigned int inst;
                         int res;
 
diff --git a/arch/powerpc/mm/subpage-prot.c b/arch/powerpc/mm/subpage-prot.c
index 3327551c8b47..5e4178790dee 100644
--- a/arch/powerpc/mm/subpage-prot.c
+++ b/arch/powerpc/mm/subpage-prot.c
@@ -214,7 +214,7 @@ SYSCALL_DEFINE3(subpage_prot, unsigned long, addr,
                 return 0;
         }
 
-        if (!access_ok(VERIFY_READ, map, (len >> PAGE_SHIFT) * sizeof(u32)))
+        if (!access_ok(map, (len >> PAGE_SHIFT) * sizeof(u32)))
                 return -EFAULT;
 
         down_write(&mm->mmap_sem);
diff --git a/arch/powerpc/oprofile/backtrace.c b/arch/powerpc/oprofile/backtrace.c
index 5df6290d1ccc..260c53700978 100644
--- a/arch/powerpc/oprofile/backtrace.c
+++ b/arch/powerpc/oprofile/backtrace.c
@@ -31,7 +31,7 @@ static unsigned int user_getsp32(unsigned int sp, int is_first)
         unsigned int stack_frame[2];
         void __user *p = compat_ptr(sp);
 
-        if (!access_ok(VERIFY_READ, p, sizeof(stack_frame)))
+        if (!access_ok(p, sizeof(stack_frame)))
                 return 0;
 
         /*
@@ -57,7 +57,7 @@ static unsigned long user_getsp64(unsigned long sp, int is_first)
 {
         unsigned long stack_frame[3];
 
-        if (!access_ok(VERIFY_READ, (void __user *)sp, sizeof(stack_frame)))
+        if (!access_ok((void __user *)sp, sizeof(stack_frame)))
                 return 0;
 
         if (__copy_from_user_inatomic(stack_frame, (void __user *)sp,
diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
index 43e7b93f27c7..ae8123edddc6 100644
--- a/arch/powerpc/platforms/cell/spufs/file.c
+++ b/arch/powerpc/platforms/cell/spufs/file.c
@@ -609,7 +609,7 @@ static ssize_t spufs_mbox_read(struct file *file, char __user *buf,
         if (len < 4)
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_WRITE, buf, len))
+        if (!access_ok(buf, len))
                 return -EFAULT;
 
         udata = (void __user *)buf;
@@ -717,7 +717,7 @@ static ssize_t spufs_ibox_read(struct file *file, char __user *buf,
         if (len < 4)
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_WRITE, buf, len))
+        if (!access_ok(buf, len))
                 return -EFAULT;
 
         udata = (void __user *)buf;
@@ -856,7 +856,7 @@ static ssize_t spufs_wbox_write(struct file *file, const char __user *buf,
                 return -EINVAL;
 
         udata = (void __user *)buf;
-        if (!access_ok(VERIFY_READ, buf, len))
+        if (!access_ok(buf, len))
                 return -EFAULT;
 
         if (__get_user(wbox_data, udata))
@@ -1994,7 +1994,7 @@ static ssize_t spufs_mbox_info_read(struct file *file, char __user *buf,
         int ret;
         struct spu_context *ctx = file->private_data;
 
-        if (!access_ok(VERIFY_WRITE, buf, len))
+        if (!access_ok(buf, len))
                 return -EFAULT;
 
         ret = spu_acquire_saved(ctx);
@@ -2034,7 +2034,7 @@ static ssize_t spufs_ibox_info_read(struct file *file, char __user *buf,
         struct spu_context *ctx = file->private_data;
         int ret;
 
-        if (!access_ok(VERIFY_WRITE, buf, len))
+        if (!access_ok(buf, len))
                 return -EFAULT;
 
         ret = spu_acquire_saved(ctx);
@@ -2077,7 +2077,7 @@ static ssize_t spufs_wbox_info_read(struct file *file, char __user *buf,
         struct spu_context *ctx = file->private_data;
         int ret;
 
-        if (!access_ok(VERIFY_WRITE, buf, len))
+        if (!access_ok(buf, len))
                 return -EFAULT;
 
         ret = spu_acquire_saved(ctx);
@@ -2129,7 +2129,7 @@ static ssize_t spufs_dma_info_read(struct file *file, char __user *buf,
         struct spu_context *ctx = file->private_data;
         int ret;
 
-        if (!access_ok(VERIFY_WRITE, buf, len))
+        if (!access_ok(buf, len))
                 return -EFAULT;
 
         ret = spu_acquire_saved(ctx);
@@ -2160,7 +2160,7 @@ static ssize_t __spufs_proxydma_info_read(struct spu_context *ctx,
         if (len < ret)
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_WRITE, buf, len))
+        if (!access_ok(buf, len))
                 return -EFAULT;
 
         info.proxydma_info_type = ctx->csa.prob.dma_querytype_RW;
diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c
index 6c7ad1d8b32e..2623996a193a 100644
--- a/arch/powerpc/platforms/powernv/opal-lpc.c
+++ b/arch/powerpc/platforms/powernv/opal-lpc.c
@@ -192,7 +192,7 @@ static ssize_t lpc_debug_read(struct file *filp, char __user *ubuf,
         u32 data, pos, len, todo;
         int rc;
 
-        if (!access_ok(VERIFY_WRITE, ubuf, count))
+        if (!access_ok(ubuf, count))
                 return -EFAULT;
 
         todo = count;
@@ -283,7 +283,7 @@ static ssize_t lpc_debug_write(struct file *filp, const char __user *ubuf,
         u32 data, pos, len, todo;
         int rc;
 
-        if (!access_ok(VERIFY_READ, ubuf, count))
+        if (!access_ok(ubuf, count))
                 return -EFAULT;
 
         todo = count;
diff --git a/arch/powerpc/platforms/pseries/scanlog.c b/arch/powerpc/platforms/pseries/scanlog.c
index 054ce7a16fc3..24b157e1e890 100644
--- a/arch/powerpc/platforms/pseries/scanlog.c
+++ b/arch/powerpc/platforms/pseries/scanlog.c
@@ -63,7 +63,7 @@ static ssize_t scanlog_read(struct file *file, char __user *buf,
                 return -EINVAL;
         }
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         for (;;) {
diff --git a/arch/riscv/include/asm/futex.h b/arch/riscv/include/asm/futex.h
index 3b19eba1bc8e..66641624d8a5 100644
--- a/arch/riscv/include/asm/futex.h
+++ b/arch/riscv/include/asm/futex.h
@@ -95,7 +95,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
         u32 val;
         uintptr_t tmp;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         __enable_user_access();
diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
index 8c3e3e3c8be1..637b896894fc 100644
--- a/arch/riscv/include/asm/uaccess.h
+++ b/arch/riscv/include/asm/uaccess.h
@@ -54,14 +54,8 @@ static inline void set_fs(mm_segment_t fs)
 #define user_addr_max() (get_fs())
 
 
-#define VERIFY_READ     0
-#define VERIFY_WRITE    1
-
 /**
  * access_ok: - Checks if a user space pointer is valid
- * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE.  Note that
- *        %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
- *        to write to a block, it is always safe to read from it.
  * @addr: User space pointer to start of block to check
  * @size: Size of block to check
  *
@@ -76,7 +70,7 @@ static inline void set_fs(mm_segment_t fs)
  * checks that the pointer is in the user space range - after calling
  * this function, memory access functions may still return -EFAULT.
  */
-#define access_ok(type, addr, size) ({                                  \
+#define access_ok(addr, size) ({                                        \
         __chk_user_ptr(addr);                                           \
         likely(__access_ok((unsigned long __force)(addr), (size)));     \
 })
@@ -258,7 +252,7 @@ do {								\
 ({                                                              \
         const __typeof__(*(ptr)) __user *__p = (ptr);           \
         might_fault();                                          \
-        access_ok(VERIFY_READ, __p, sizeof(*__p)) ?             \
+        access_ok(__p, sizeof(*__p)) ?          \
                 __get_user((x), __p) :                          \
                 ((x) = 0, -EFAULT);                             \
 })
@@ -386,7 +380,7 @@ do {								\
 ({                                                              \
         __typeof__(*(ptr)) __user *__p = (ptr);                 \
         might_fault();                                          \
-        access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ?            \
+        access_ok(__p, sizeof(*__p)) ?          \
                 __put_user((x), __p) :                          \
                 -EFAULT;                                        \
 })
@@ -421,7 +415,7 @@ static inline
 unsigned long __must_check clear_user(void __user *to, unsigned long n)
 {
         might_fault();
-        return access_ok(VERIFY_WRITE, to, n) ?
+        return access_ok(to, n) ?
                 __clear_user(to, n) : n;
 }
 
diff --git a/arch/riscv/kernel/signal.c b/arch/riscv/kernel/signal.c
index f9b5e7e352ef..837e1646091a 100644
--- a/arch/riscv/kernel/signal.c
+++ b/arch/riscv/kernel/signal.c
@@ -115,7 +115,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
 
         frame = (struct rt_sigframe __user *)regs->sp;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -187,7 +187,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
         long err = 0;
 
         frame = get_sigframe(ksig, regs, sizeof(*frame));
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         err |= copy_siginfo_to_user(&frame->info, &ksig->info);
diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
index ad6b91013a05..bd2545977ad3 100644
--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -48,7 +48,7 @@ static inline int __range_ok(unsigned long addr, unsigned long size)
         __range_ok((unsigned long)(addr), (size));      \
 })
 
-#define access_ok(type, addr, size) __access_ok(addr, size)
+#define access_ok(addr, size) __access_ok(addr, size)
 
 unsigned long __must_check
 raw_copy_from_user(void *to, const void __user *from, unsigned long n);
diff --git a/arch/sh/include/asm/checksum_32.h b/arch/sh/include/asm/checksum_32.h
index b58f3d95dc19..36b84cfd3f67 100644
--- a/arch/sh/include/asm/checksum_32.h
+++ b/arch/sh/include/asm/checksum_32.h
@@ -197,7 +197,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
                                            int len, __wsum sum,
                                            int *err_ptr)
 {
-        if (access_ok(VERIFY_WRITE, dst, len))
+        if (access_ok(dst, len))
                 return csum_partial_copy_generic((__force const void *)src,
                                                 dst, len, sum, NULL, err_ptr);
 
diff --git a/arch/sh/include/asm/futex.h b/arch/sh/include/asm/futex.h
index 6d192f4908a7..3190ec89df81 100644
--- a/arch/sh/include/asm/futex.h
+++ b/arch/sh/include/asm/futex.h
@@ -22,7 +22,7 @@ static inline int
 futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
                               u32 oldval, u32 newval)
 {
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         return atomic_futex_op_cmpxchg_inatomic(uval, uaddr, oldval, newval);
diff --git a/arch/sh/include/asm/uaccess.h b/arch/sh/include/asm/uaccess.h
index 32eb56e00c11..deebbfab5342 100644
--- a/arch/sh/include/asm/uaccess.h
+++ b/arch/sh/include/asm/uaccess.h
@@ -18,7 +18,7 @@
  */
 #define __access_ok(addr, size)         \
         (__addr_ok((addr) + (size)))
-#define access_ok(type, addr, size)     \
+#define access_ok(addr, size)   \
         (__chk_user_ptr(addr),          \
          __access_ok((unsigned long __force)(addr), (size)))
 
@@ -66,7 +66,7 @@ struct __large_struct { unsigned long buf[100]; };
         long __gu_err = -EFAULT;                                        \
         unsigned long __gu_val = 0;                                     \
         const __typeof__(*(ptr)) *__gu_addr = (ptr);                    \
-        if (likely(access_ok(VERIFY_READ, __gu_addr, (size))))          \
+        if (likely(access_ok(__gu_addr, (size))))               \
                 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
         (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
         __gu_err;                                                       \
@@ -87,7 +87,7 @@ struct __large_struct { unsigned long buf[100]; };
         long __pu_err = -EFAULT;                                \
         __typeof__(*(ptr)) __user *__pu_addr = (ptr);           \
         __typeof__(*(ptr)) __pu_val = x;                        \
-        if (likely(access_ok(VERIFY_WRITE, __pu_addr, size)))   \
+        if (likely(access_ok(__pu_addr, size))) \
                 __put_user_size(__pu_val, __pu_addr, (size),    \
                                 __pu_err);                      \
         __pu_err;                                               \
@@ -132,8 +132,7 @@ __kernel_size_t __clear_user(void *addr, __kernel_size_t size);
         void __user * __cl_addr = (addr);                               \
         unsigned long __cl_size = (n);                                  \
                                                                         \
-        if (__cl_size && access_ok(VERIFY_WRITE,                        \
-                ((unsigned long)(__cl_addr)), __cl_size))               \
+        if (__cl_size && access_ok(__cl_addr, __cl_size))               \
                 __cl_size = __clear_user(__cl_addr, __cl_size);         \
                                                                         \
         __cl_size;                                                      \
diff --git a/arch/sh/kernel/signal_32.c b/arch/sh/kernel/signal_32.c
index c46c0020ff55..2a2121ba8ebe 100644
--- a/arch/sh/kernel/signal_32.c
+++ b/arch/sh/kernel/signal_32.c
@@ -160,7 +160,7 @@ asmlinkage int sys_sigreturn(void)
         /* Always make any pending restarted system calls return -EINTR */
         current->restart_block.fn = do_no_restart_syscall;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (__get_user(set.sig[0], &frame->sc.oldmask)
@@ -190,7 +190,7 @@ asmlinkage int sys_rt_sigreturn(void)
         /* Always make any pending restarted system calls return -EINTR */
         current->restart_block.fn = do_no_restart_syscall;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -272,7 +272,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
 
         frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);
@@ -338,7 +338,7 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
 
         frame = get_sigframe(&ksig->ka, regs->regs[15], sizeof(*frame));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         err |= copy_siginfo_to_user(&frame->info, &ksig->info);
diff --git a/arch/sh/kernel/signal_64.c b/arch/sh/kernel/signal_64.c
index 76661dee3c65..f1f1598879c2 100644
--- a/arch/sh/kernel/signal_64.c
+++ b/arch/sh/kernel/signal_64.c
@@ -259,7 +259,7 @@ asmlinkage int sys_sigreturn(unsigned long r2, unsigned long r3,
         /* Always make any pending restarted system calls return -EINTR */
         current->restart_block.fn = do_no_restart_syscall;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (__get_user(set.sig[0], &frame->sc.oldmask)
@@ -293,7 +293,7 @@ asmlinkage int sys_rt_sigreturn(unsigned long r2, unsigned long r3,
         /* Always make any pending restarted system calls return -EINTR */
         current->restart_block.fn = do_no_restart_syscall;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -379,7 +379,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs
 
         frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         err |= setup_sigcontext(&frame->sc, regs, set->sig[0]);
@@ -465,7 +465,7 @@ static int setup_rt_frame(struct ksignal *kig, sigset_t *set,
 
         frame = get_sigframe(&ksig->ka, regs->regs[REG_SP], sizeof(*frame));
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         err |= __put_user(&frame->info, &frame->pinfo);
diff --git a/arch/sh/kernel/traps_64.c b/arch/sh/kernel/traps_64.c
index c52bda4d2574..8ce90a7da67d 100644
--- a/arch/sh/kernel/traps_64.c
+++ b/arch/sh/kernel/traps_64.c
@@ -40,7 +40,7 @@ static int read_opcode(reg_size_t pc, insn_size_t *result_opcode, int from_user_
                 /* SHmedia */
                 aligned_pc = pc & ~3;
                 if (from_user_mode) {
-                        if (!access_ok(VERIFY_READ, aligned_pc, sizeof(insn_size_t))) {
+                        if (!access_ok(aligned_pc, sizeof(insn_size_t))) {
                                 get_user_error = -EFAULT;
                         } else {
                                 get_user_error = __get_user(opcode, (insn_size_t *)aligned_pc);
@@ -180,7 +180,7 @@ static int misaligned_load(struct pt_regs *regs,
         if (user_mode(regs)) {
                 __u64 buffer;
 
-                if (!access_ok(VERIFY_READ, (unsigned long) address, 1UL<<width_shift)) {
+                if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
                         return -1;
                 }
 
@@ -254,7 +254,7 @@ static int misaligned_store(struct pt_regs *regs,
         if (user_mode(regs)) {
                 __u64 buffer;
 
-                if (!access_ok(VERIFY_WRITE, (unsigned long) address, 1UL<<width_shift)) {
+                if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
                         return -1;
                 }
 
@@ -327,7 +327,7 @@ static int misaligned_fpu_load(struct pt_regs *regs,
                 __u64 buffer;
                 __u32 buflo, bufhi;
 
-                if (!access_ok(VERIFY_READ, (unsigned long) address, 1UL<<width_shift)) {
+                if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
                         return -1;
                 }
 
@@ -400,7 +400,7 @@ static int misaligned_fpu_store(struct pt_regs *regs,
                 /* Initialise these to NaNs. */
                 __u32 buflo=0xffffffffUL, bufhi=0xffffffffUL;
 
-                if (!access_ok(VERIFY_WRITE, (unsigned long) address, 1UL<<width_shift)) {
+                if (!access_ok((unsigned long) address, 1UL<<width_shift)) {
                         return -1;
                 }
 
@@ -663,7 +663,7 @@ void do_reserved_inst(unsigned long error_code, struct pt_regs *regs)
         /* SHmedia : check for defect.  This requires executable vmas
            to be readable too. */
         aligned_pc = pc & ~3;
-        if (!access_ok(VERIFY_READ, aligned_pc, sizeof(insn_size_t)))
+        if (!access_ok(aligned_pc, sizeof(insn_size_t)))
                 get_user_error = -EFAULT;
         else
                 get_user_error = __get_user(opcode, (insn_size_t *)aligned_pc);
diff --git a/arch/sh/mm/gup.c b/arch/sh/mm/gup.c
index 56c86ca98ecf..3e27f6d1f1ec 100644
--- a/arch/sh/mm/gup.c
+++ b/arch/sh/mm/gup.c
@@ -177,8 +177,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
         addr = start;
         len = (unsigned long) nr_pages << PAGE_SHIFT;
         end = start + len;
-        if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
-                                        (void __user *)start, len)))
+        if (unlikely(!access_ok((void __user *)start, len)))
                 return 0;
 
         /*
diff --git a/arch/sh/oprofile/backtrace.c b/arch/sh/oprofile/backtrace.c
index c7695f99c8c3..8279a7e91043 100644
--- a/arch/sh/oprofile/backtrace.c
+++ b/arch/sh/oprofile/backtrace.c
@@ -51,7 +51,7 @@ user_backtrace(unsigned long *stackaddr, struct pt_regs *regs)
         unsigned long buf_stack;
 
         /* Also check accessibility of address */
-        if (!access_ok(VERIFY_READ, stackaddr, sizeof(unsigned long)))
+        if (!access_ok(stackaddr, sizeof(unsigned long)))
                 return NULL;
 
         if (__copy_from_user_inatomic(&buf_stack, stackaddr, sizeof(unsigned long)))
diff --git a/arch/sparc/include/asm/checksum_32.h b/arch/sparc/include/asm/checksum_32.h
index d1e53d7aed39..5fc98d80b03b 100644
--- a/arch/sparc/include/asm/checksum_32.h
+++ b/arch/sparc/include/asm/checksum_32.h
@@ -87,7 +87,7 @@ static inline __wsum
 csum_partial_copy_to_user(const void *src, void __user *dst, int len,
                           __wsum sum, int *err)
 {
-        if (!access_ok (VERIFY_WRITE, dst, len)) {
+        if (!access_ok(dst, len)) {
                 *err = -EFAULT;
                 return sum;
         } else {
diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
index de71c65b99f0..5153798051fb 100644
--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -39,8 +39,7 @@
 #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
 #define __kernel_ok (uaccess_kernel())
 #define __access_ok(addr, size) (__user_ok((addr) & get_fs().seg, (size)))
-#define access_ok(type, addr, size) \
-        ({ (void)(type); __access_ok((unsigned long)(addr), size); })
+#define access_ok(addr, size) __access_ok((unsigned long)(addr), size)
 
 /*
  * The exception table consists of pairs of addresses: the first is the
diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
index cbb308cee394..87ae9ffb1521 100644
--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -68,7 +68,7 @@ static inline int __access_ok(const void __user * addr, unsigned long size)
         return 1;
 }
 
-static inline int access_ok(int type, const void __user * addr, unsigned long size)
+static inline int access_ok(const void __user * addr, unsigned long size)
 {
         return 1;
 }
diff --git a/arch/sparc/kernel/sigutil_32.c b/arch/sparc/kernel/sigutil_32.c
index 1e9fae56a853..f25c6daa9f52 100644
--- a/arch/sparc/kernel/sigutil_32.c
+++ b/arch/sparc/kernel/sigutil_32.c
@@ -65,7 +65,7 @@ int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu)
         set_used_math();
         clear_tsk_thread_flag(current, TIF_USEDFPU);
 
-        if (!access_ok(VERIFY_READ, fpu, sizeof(*fpu)))
+        if (!access_ok(fpu, sizeof(*fpu)))
                 return -EFAULT;
 
         err = __copy_from_user(&current->thread.float_regs[0], &fpu->si_float_regs[0],
diff --git a/arch/sparc/kernel/unaligned_32.c b/arch/sparc/kernel/unaligned_32.c
index 64ac8c0c1429..83db94c0b431 100644
--- a/arch/sparc/kernel/unaligned_32.c
+++ b/arch/sparc/kernel/unaligned_32.c
@@ -278,7 +278,6 @@ static inline int ok_for_user(struct pt_regs *regs, unsigned int insn,
                               enum direction dir)
 {
         unsigned int reg;
-        int check = (dir == load) ? VERIFY_READ : VERIFY_WRITE;
         int size = ((insn >> 19) & 3) == 3 ? 8 : 4;
 
         if ((regs->pc | regs->npc) & 3)
@@ -290,18 +289,18 @@ static inline int ok_for_user(struct pt_regs *regs, unsigned int insn,
 
         reg = (insn >> 25) & 0x1f;
         if (reg >= 16) {
-                if (!access_ok(check, WINREG_ADDR(reg - 16), size))
+                if (!access_ok(WINREG_ADDR(reg - 16), size))
                         return -EFAULT;
         }
         reg = (insn >> 14) & 0x1f;
         if (reg >= 16) {
-                if (!access_ok(check, WINREG_ADDR(reg - 16), size))
+                if (!access_ok(WINREG_ADDR(reg - 16), size))
                         return -EFAULT;
         }
         if (!(insn & 0x2000)) {
                 reg = (insn & 0x1f);
                 if (reg >= 16) {
-                        if (!access_ok(check, WINREG_ADDR(reg - 16), size))
+                        if (!access_ok(WINREG_ADDR(reg - 16), size))
                                 return -EFAULT;
                 }
         }
diff --git a/arch/um/kernel/ptrace.c b/arch/um/kernel/ptrace.c
index 1a1d88a4d940..5f47422401e1 100644
--- a/arch/um/kernel/ptrace.c
+++ b/arch/um/kernel/ptrace.c
@@ -66,7 +66,7 @@ long arch_ptrace(struct task_struct *child, long request,
 
 #ifdef PTRACE_GETREGS
         case PTRACE_GETREGS: { /* Get all gp regs from the child. */
-                if (!access_ok(VERIFY_WRITE, p, MAX_REG_OFFSET)) {
+                if (!access_ok(p, MAX_REG_OFFSET)) {
                         ret = -EIO;
                         break;
                 }
@@ -81,7 +81,7 @@ long arch_ptrace(struct task_struct *child, long request,
 #ifdef PTRACE_SETREGS
         case PTRACE_SETREGS: { /* Set all gp regs in the child. */
                 unsigned long tmp = 0;
-                if (!access_ok(VERIFY_READ, p, MAX_REG_OFFSET)) {
+                if (!access_ok(p, MAX_REG_OFFSET)) {
                         ret = -EIO;
                         break;
                 }
diff --git a/arch/unicore32/kernel/signal.c b/arch/unicore32/kernel/signal.c
index 4ae51cf15ade..63be04809d40 100644
--- a/arch/unicore32/kernel/signal.c
+++ b/arch/unicore32/kernel/signal.c
@@ -117,7 +117,7 @@ asmlinkage int __sys_rt_sigreturn(struct pt_regs *regs)
 
         frame = (struct rt_sigframe __user *)regs->UCreg_sp;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (restore_sigframe(regs, &frame->sig))
@@ -205,7 +205,7 @@ static inline void __user *get_sigframe(struct k_sigaction *ka,
         /*
          * Check that we can actually write to the signal frame.
          */
-        if (!access_ok(VERIFY_WRITE, frame, framesize))
+        if (!access_ok(frame, framesize))
                 frame = NULL;
 
         return frame;
diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
index d78bcc03e60e..d9d81ad7a400 100644
--- a/arch/x86/entry/vsyscall/vsyscall_64.c
+++ b/arch/x86/entry/vsyscall/vsyscall_64.c
@@ -99,7 +99,7 @@ static bool write_ok_or_segv(unsigned long ptr, size_t size)
          * sig_on_uaccess_err, this could go away.
          */
 
-        if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
+        if (!access_ok((void __user *)ptr, size)) {
                 struct thread_struct *thread = &current->thread;
 
                 thread->error_code      = X86_PF_USER | X86_PF_WRITE;
diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
index 8e02b30cf08e..f65b78d32f5e 100644
--- a/arch/x86/ia32/ia32_aout.c
+++ b/arch/x86/ia32/ia32_aout.c
@@ -176,10 +176,10 @@ static int aout_core_dump(struct coredump_params *cprm)
 
         /* make sure we actually have a data and stack area to dump */
         set_fs(USER_DS);
-        if (!access_ok(VERIFY_READ, (void *) (unsigned long)START_DATA(dump),
+        if (!access_ok((void *) (unsigned long)START_DATA(dump),
                        dump.u_dsize << PAGE_SHIFT))
                 dump.u_dsize = 0;
-        if (!access_ok(VERIFY_READ, (void *) (unsigned long)START_STACK(dump),
+        if (!access_ok((void *) (unsigned long)START_STACK(dump),
                        dump.u_ssize << PAGE_SHIFT))
                 dump.u_ssize = 0;
 
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index 86b1341cba9a..321fe5f5d0e9 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -119,7 +119,7 @@ asmlinkage long sys32_sigreturn(void)
         struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8);
         sigset_t set;
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__get_user(set.sig[0], &frame->sc.oldmask)
             || (_COMPAT_NSIG_WORDS > 1
@@ -147,7 +147,7 @@ asmlinkage long sys32_rt_sigreturn(void)
 
         frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4);
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto badframe;
@@ -269,7 +269,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
 
         frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         if (__put_user(sig, &frame->sig))
@@ -349,7 +349,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
 
         frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         put_user_try {
diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
index 11ef7b7c9cc8..a43212036257 100644
--- a/arch/x86/ia32/sys_ia32.c
+++ b/arch/x86/ia32/sys_ia32.c
@@ -75,7 +75,7 @@ static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
         typeof(ubuf->st_gid) gid = 0;
         SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid));
         SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid));
-        if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
+        if (!access_ok(ubuf, sizeof(struct stat64)) ||
             __put_user(huge_encode_dev(stat->dev), &ubuf->st_dev) ||
             __put_user(stat->ino, &ubuf->__st_ino) ||
             __put_user(stat->ino, &ubuf->st_ino) ||
diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
index 7a659c74cd03..f57b94e02c57 100644
--- a/arch/x86/include/asm/checksum_32.h
+++ b/arch/x86/include/asm/checksum_32.h
@@ -182,7 +182,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
         __wsum ret;
 
         might_sleep();
-        if (access_ok(VERIFY_WRITE, dst, len)) {
+        if (access_ok(dst, len)) {
                 stac();
                 ret = csum_partial_copy_generic(src, (__force void *)dst,
                                                 len, sum, NULL, err_ptr);
diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h
index 832da8229cc7..686247db3106 100644
--- a/arch/x86/include/asm/io.h
+++ b/arch/x86/include/asm/io.h
@@ -221,6 +221,14 @@ extern void set_iounmap_nonlazy(void);
 
 #ifdef __KERNEL__
 
+void memcpy_fromio(void *, const volatile void __iomem *, size_t);
+void memcpy_toio(volatile void __iomem *, const void *, size_t);
+void memset_io(volatile void __iomem *, int, size_t);
+
+#define memcpy_fromio memcpy_fromio
+#define memcpy_toio memcpy_toio
+#define memset_io memset_io
+
 #include <asm-generic/iomap.h>
 
 /*
diff --git a/arch/x86/include/asm/pgtable_32.h b/arch/x86/include/asm/pgtable_32.h
index b3ec519e3982..4fe9e7fc74d3 100644
--- a/arch/x86/include/asm/pgtable_32.h
+++ b/arch/x86/include/asm/pgtable_32.h
@@ -37,7 +37,7 @@ void sync_initial_page_table(void);
 /*
  * Define this if things work differently on an i386 and an i486:
  * it will (on an i486) warn about kernel memory accesses that are
- * done without a 'access_ok(VERIFY_WRITE,..)'
+ * done without a 'access_ok( ..)'
  */
 #undef TEST_ACCESS_OK
 
diff --git a/arch/x86/include/asm/string_64.h b/arch/x86/include/asm/string_64.h
index 7ad41bfcc16c..4e4194e21a09 100644
--- a/arch/x86/include/asm/string_64.h
+++ b/arch/x86/include/asm/string_64.h
@@ -7,24 +7,6 @@
 
 /* Written 2002 by Andi Kleen */
 
-/* Only used for special circumstances. Stolen from i386/string.h */
-static __always_inline void *__inline_memcpy(void *to, const void *from, size_t n)
-{
-        unsigned long d0, d1, d2;
-        asm volatile("rep ; movsl\n\t"
-                     "testb $2,%b4\n\t"
-                     "je 1f\n\t"
-                     "movsw\n"
-                     "1:\ttestb $1,%b4\n\t"
-                     "je 2f\n\t"
-                     "movsb\n"
-                     "2:"
-                     : "=&c" (d0), "=&D" (d1), "=&S" (d2)
-                     : "0" (n / 4), "q" (n), "1" ((long)to), "2" ((long)from)
-                     : "memory");
-        return to;
-}
-
 /* Even with __builtin_ the compiler may decide to use the out of line
    function. */
 
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index b5e58cc0c5e7..a77445d1b034 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -77,9 +77,6 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
 
 /**
  * access_ok: - Checks if a user space pointer is valid
- * @type: Type of access: %VERIFY_READ or %VERIFY_WRITE.  Note that
- *        %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
- *        to write to a block, it is always safe to read from it.
  * @addr: User space pointer to start of block to check
  * @size: Size of block to check
  *
@@ -95,7 +92,7 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
  * checks that the pointer is in the user space range - after calling
  * this function, memory access functions may still return -EFAULT.
  */
-#define access_ok(type, addr, size)                                     \
+#define access_ok(addr, size)                                   \
 ({                                                                      \
         WARN_ON_IN_IRQ();                                               \
         likely(!__range_not_ok(addr, size, user_addr_max()));           \
@@ -189,19 +186,14 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
 
 
 #ifdef CONFIG_X86_32
-#define __put_user_asm_u64(x, addr, err, errret)                        \
-        asm volatile("\n"                                               \
-                     "1:        movl %%eax,0(%2)\n"                     \
-                     "2:        movl %%edx,4(%2)\n"                     \
-                     "3:"                                               \
-                     ".section .fixup,\"ax\"\n"                         \
-                     "4:        movl %3,%0\n"                           \
-                     "  jmp 3b\n"                                       \
-                     ".previous\n"                                      \
-                     _ASM_EXTABLE_UA(1b, 4b)                            \
-                     _ASM_EXTABLE_UA(2b, 4b)                            \
-                     : "=r" (err)                                       \
-                     : "A" (x), "r" (addr), "i" (errret), "0" (err))
+#define __put_user_goto_u64(x, addr, label)                     \
+        asm_volatile_goto("\n"                                  \
+                     "1:        movl %%eax,0(%1)\n"             \
+                     "2:        movl %%edx,4(%1)\n"             \
+                     _ASM_EXTABLE_UA(1b, %l2)                   \
+                     _ASM_EXTABLE_UA(2b, %l2)                   \
+                     : : "A" (x), "r" (addr)                    \
+                     : : label)
 
 #define __put_user_asm_ex_u64(x, addr)                                  \
         asm volatile("\n"                                               \
@@ -216,8 +208,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
         asm volatile("call __put_user_8" : "=a" (__ret_pu)      \
                      : "A" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
 #else
-#define __put_user_asm_u64(x, ptr, retval, errret) \
-        __put_user_asm(x, ptr, retval, "q", "", "er", errret)
+#define __put_user_goto_u64(x, ptr, label) \
+        __put_user_goto(x, ptr, "q", "", "er", label)
 #define __put_user_asm_ex_u64(x, addr)  \
         __put_user_asm_ex(x, addr, "q", "", "er")
 #define __put_user_x8(x, ptr, __ret_pu) __put_user_x(8, x, ptr, __ret_pu)
@@ -278,23 +270,21 @@ extern void __put_user_8(void);
         __builtin_expect(__ret_pu, 0);                          \
 })
 
-#define __put_user_size(x, ptr, size, retval, errret)                   \
+#define __put_user_size(x, ptr, size, label)                            \
 do {                                                                    \
-        retval = 0;                                                     \
         __chk_user_ptr(ptr);                                            \
         switch (size) {                                                 \
         case 1:                                                         \
-                __put_user_asm(x, ptr, retval, "b", "b", "iq", errret); \
+                __put_user_goto(x, ptr, "b", "b", "iq", label); \
                 break;                                                  \
         case 2:                                                         \
-                __put_user_asm(x, ptr, retval, "w", "w", "ir", errret); \
+                __put_user_goto(x, ptr, "w", "w", "ir", label);         \
                 break;                                                  \
         case 4:                                                         \
-                __put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \
+                __put_user_goto(x, ptr, "l", "k", "ir", label);         \
                 break;                                                  \
         case 8:                                                         \
-                __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval,  \
-                                   errret);                             \
+                __put_user_goto_u64((__typeof__(*ptr))(x), ptr, label); \
                 break;                                                  \
         default:                                                        \
                 __put_user_bad();                                       \
@@ -439,9 +429,12 @@ do {									\
 
 #define __put_user_nocheck(x, ptr, size)                        \
 ({                                                              \
-        int __pu_err;                                           \
+        __label__ __pu_label;                                   \
+        int __pu_err = -EFAULT;                                 \
         __uaccess_begin();                                      \
-        __put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \
+        __put_user_size((x), (ptr), (size), __pu_label);        \
+        __pu_err = 0;                                           \
+__pu_label:                                                     \
         __uaccess_end();                                        \
         __builtin_expect(__pu_err, 0);                          \
 })
@@ -466,17 +459,23 @@ struct __large_struct { unsigned long buf[100]; };
  * we do not write to any memory gcc knows about, so there are no
  * aliasing issues.
  */
-#define __put_user_asm(x, addr, err, itype, rtype, ltype, errret)       \
-        asm volatile("\n"                                               \
-                     "1:        mov"itype" %"rtype"1,%2\n"              \
-                     "2:\n"                                             \
-                     ".section .fixup,\"ax\"\n"                         \
-                     "3:        mov %3,%0\n"                            \
-                     "  jmp 2b\n"                                       \
-                     ".previous\n"                                      \
-                     _ASM_EXTABLE_UA(1b, 3b)                            \
-                     : "=r"(err)                                        \
-                     : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
+#define __put_user_goto(x, addr, itype, rtype, ltype, label)    \
+        asm_volatile_goto("\n"                                          \
+                "1:     mov"itype" %"rtype"0,%1\n"                      \
+                _ASM_EXTABLE_UA(1b, %l2)                                        \
+                : : ltype(x), "m" (__m(addr))                           \
+                : : label)
+
+#define __put_user_failed(x, addr, itype, rtype, ltype, errret)         \
+        ({      __label__ __puflab;                                     \
+                int __pufret = errret;                                  \
+                __put_user_goto(x,addr,itype,rtype,ltype,__puflab);     \
+                __pufret = 0;                                           \
+        __puflab: __pufret; })
+
+#define __put_user_asm(x, addr, retval, itype, rtype, ltype, errret)    do {    \
+        retval = __put_user_failed(x, addr, itype, rtype, ltype, errret);       \
+} while (0)
 
 #define __put_user_asm_ex(x, addr, itype, rtype, ltype)                 \
         asm volatile("1:        mov"itype" %"rtype"0,%1\n"              \
@@ -670,7 +669,7 @@ extern void __cmpxchg_wrong_size(void)
 
 #define user_atomic_cmpxchg_inatomic(uval, ptr, old, new)               \
 ({                                                                      \
-        access_ok(VERIFY_WRITE, (ptr), sizeof(*(ptr))) ?                \
+        access_ok((ptr), sizeof(*(ptr))) ?              \
                 __user_atomic_cmpxchg_inatomic((uval), (ptr),           \
                                 (old), (new), sizeof(*(ptr))) :         \
                 -EFAULT;                                                \
@@ -708,16 +707,18 @@ extern struct movsl_mask {
  * checking before using them, but you have to surround them with the
  * user_access_begin/end() pair.
  */
-#define user_access_begin()     __uaccess_begin()
+static __must_check inline bool user_access_begin(const void __user *ptr, size_t len)
+{
+        if (unlikely(!access_ok(ptr,len)))
+                return 0;
+        __uaccess_begin();
+        return 1;
+}
+#define user_access_begin(a,b)  user_access_begin(a,b)
 #define user_access_end()       __uaccess_end()
 
-#define unsafe_put_user(x, ptr, err_label)                                      \
-do {                                                                            \
-        int __pu_err;                                                           \
-        __typeof__(*(ptr)) __pu_val = (x);                                      \
-        __put_user_size(__pu_val, (ptr), sizeof(*(ptr)), __pu_err, -EFAULT);    \
-        if (unlikely(__pu_err)) goto err_label;                                 \
-} while (0)
+#define unsafe_put_user(x, ptr, label)  \
+        __put_user_size((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)), label)
 
 #define unsafe_get_user(x, ptr, err_label)                                      \
 do {                                                                            \
diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index d99a8ee9e185..f6a1d299627c 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -164,7 +164,7 @@ int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
         ia32_fxstate &= (IS_ENABLED(CONFIG_X86_32) ||
                          IS_ENABLED(CONFIG_IA32_EMULATION));
 
-        if (!access_ok(VERIFY_WRITE, buf, size))
+        if (!access_ok(buf, size))
                 return -EACCES;
 
         if (!static_cpu_has(X86_FEATURE_FPU))
@@ -281,7 +281,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
                 return 0;
         }
 
-        if (!access_ok(VERIFY_READ, buf, size))
+        if (!access_ok(buf, size))
                 return -EACCES;
 
         fpu__initialize(fpu);
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index 92a3b312a53c..08dfd4c1a4f9 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -322,7 +322,7 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
 
         frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         if (__put_user(sig, &frame->sig))
@@ -385,7 +385,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
 
         frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         put_user_try {
@@ -465,7 +465,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
 
         frame = get_sigframe(&ksig->ka, regs, sizeof(struct rt_sigframe), &fp);
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
@@ -547,7 +547,7 @@ static int x32_setup_rt_frame(struct ksignal *ksig,
 
         frame = get_sigframe(&ksig->ka, regs, sizeof(*frame), &fpstate);
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return -EFAULT;
 
         if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
@@ -610,7 +610,7 @@ SYSCALL_DEFINE0(sigreturn)
 
         frame = (struct sigframe __user *)(regs->sp - 8);
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__get_user(set.sig[0], &frame->sc.oldmask) || (_NSIG_WORDS > 1
                 && __copy_from_user(&set.sig[1], &frame->extramask,
@@ -642,7 +642,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
         unsigned long uc_flags;
 
         frame = (struct rt_sigframe __user *)(regs->sp - sizeof(long));
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto badframe;
@@ -871,7 +871,7 @@ asmlinkage long sys32_x32_rt_sigreturn(void)
 
         frame = (struct rt_sigframe_x32 __user *)(regs->sp - 8);
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
                 goto badframe;
diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
index 7627455047c2..5c2d71a1dc06 100644
--- a/arch/x86/kernel/stacktrace.c
+++ b/arch/x86/kernel/stacktrace.c
@@ -177,7 +177,7 @@ copy_stack_frame(const void __user *fp, struct stack_frame_user *frame)
 {
         int ret;
 
-        if (!access_ok(VERIFY_READ, fp, sizeof(*frame)))
+        if (!access_ok(fp, sizeof(*frame)))
                 return 0;
 
         ret = 1;
diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
index c2fd39752da8..a092b6b40c6b 100644
--- a/arch/x86/kernel/vm86_32.c
+++ b/arch/x86/kernel/vm86_32.c
@@ -114,7 +114,7 @@ void save_v86_state(struct kernel_vm86_regs *regs, int retval)
         set_flags(regs->pt.flags, VEFLAGS, X86_EFLAGS_VIF | vm86->veflags_mask);
         user = vm86->user_vm86;
 
-        if (!access_ok(VERIFY_WRITE, user, vm86->vm86plus.is_vm86pus ?
+        if (!access_ok(user, vm86->vm86plus.is_vm86pus ?
                        sizeof(struct vm86plus_struct) :
                        sizeof(struct vm86_struct))) {
                 pr_alert("could not access userspace vm86 info\n");
@@ -278,7 +278,7 @@ static long do_sys_vm86(struct vm86plus_struct __user *user_vm86, bool plus)
         if (vm86->saved_sp0)
                 return -EPERM;
 
-        if (!access_ok(VERIFY_READ, user_vm86, plus ?
+        if (!access_ok(user_vm86, plus ?
                        sizeof(struct vm86_struct) :
                        sizeof(struct vm86plus_struct)))
                 return -EFAULT;
diff --git a/arch/x86/lib/Makefile b/arch/x86/lib/Makefile
index 25a972c61b0a..ce28829f1281 100644
--- a/arch/x86/lib/Makefile
+++ b/arch/x86/lib/Makefile
@@ -30,6 +30,7 @@ lib-$(CONFIG_FUNCTION_ERROR_INJECTION)	+= error-inject.o
 lib-$(CONFIG_RETPOLINE) += retpoline.o
 
 obj-y += msr.o msr-reg.o msr-reg-export.o hweight.o
+obj-y += iomem.o
 
 ifeq ($(CONFIG_X86_32),y)
         obj-y += atomic64_32.o
diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
index 8bd53589ecfb..a6a2b7dccbff 100644
--- a/arch/x86/lib/csum-wrappers_64.c
+++ b/arch/x86/lib/csum-wrappers_64.c
@@ -27,7 +27,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
         might_sleep();
         *errp = 0;
 
-        if (!likely(access_ok(VERIFY_READ, src, len)))
+        if (!likely(access_ok(src, len)))
                 goto out_err;
 
         /*
@@ -89,7 +89,7 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
 
         might_sleep();
 
-        if (unlikely(!access_ok(VERIFY_WRITE, dst, len))) {
+        if (unlikely(!access_ok(dst, len))) {
                 *errp = -EFAULT;
                 return 0;
         }
diff --git a/arch/x86/lib/iomem.c b/arch/x86/lib/iomem.c
new file mode 100644
index 000000000000..66894675f3c8
--- /dev/null
+++ b/arch/x86/lib/iomem.c
@@ -0,0 +1,42 @@
+#include <linux/string.h>
+#include <linux/module.h>
+#include <linux/io.h>
+
+/* Originally from i386/string.h */
+static __always_inline void __iomem_memcpy(void *to, const void *from, size_t n)
+{
+        unsigned long d0, d1, d2;
+        asm volatile("rep ; movsl\n\t"
+                     "testb $2,%b4\n\t"
+                     "je 1f\n\t"
+                     "movsw\n"
+                     "1:\ttestb $1,%b4\n\t"
+                     "je 2f\n\t"
+                     "movsb\n"
+                     "2:"
+                     : "=&c" (d0), "=&D" (d1), "=&S" (d2)
+                     : "0" (n / 4), "q" (n), "1" ((long)to), "2" ((long)from)
+                     : "memory");
+}
+
+void memcpy_fromio(void *to, const volatile void __iomem *from, size_t n)
+{
+        __iomem_memcpy(to, (const void *)from, n);
+}
+EXPORT_SYMBOL(memcpy_fromio);
+
+void memcpy_toio(volatile void __iomem *to, const void *from, size_t n)
+{
+        __iomem_memcpy((void *)to, (const void *) from, n);
+}
+EXPORT_SYMBOL(memcpy_toio);
+
+void memset_io(volatile void __iomem *a, int b, size_t c)
+{
+        /*
+         * TODO: memset can mangle the IO patterns quite a bit.
+         * perhaps it would be better to use a dumb one:
+         */
+        memset((void *)a, b, c);
+}
+EXPORT_SYMBOL(memset_io);
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
index 71fb58d44d58..bfd94e7812fc 100644
--- a/arch/x86/lib/usercopy_32.c
+++ b/arch/x86/lib/usercopy_32.c
@@ -67,7 +67,7 @@ unsigned long
 clear_user(void __user *to, unsigned long n)
 {
         might_fault();
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(to, n))
                 __do_clear_user(to, n);
         return n;
 }
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
index 1bd837cdc4b1..ee42bb0cbeb3 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -48,7 +48,7 @@ EXPORT_SYMBOL(__clear_user);
 
 unsigned long clear_user(void __user *to, unsigned long n)
 {
-        if (access_ok(VERIFY_WRITE, to, n))
+        if (access_ok(to, n))
                 return __clear_user(to, n);
         return n;
 }
diff --git a/arch/x86/math-emu/fpu_system.h b/arch/x86/math-emu/fpu_system.h
index c8b1b31ed7c4..f98a0c956764 100644
--- a/arch/x86/math-emu/fpu_system.h
+++ b/arch/x86/math-emu/fpu_system.h
@@ -104,7 +104,7 @@ static inline bool seg_writable(struct desc_struct *d)
 #define instruction_address     (*(struct address *)&I387->soft.fip)
 #define operand_address         (*(struct address *)&I387->soft.foo)
 
-#define FPU_access_ok(x,y,z)    if ( !access_ok(x,y,z) ) \
+#define FPU_access_ok(y,z)      if ( !access_ok(y,z) ) \
                                 math_abort(FPU_info,SIGSEGV)
 #define FPU_abort               math_abort(FPU_info, SIGSEGV)
 
@@ -119,7 +119,7 @@ static inline bool seg_writable(struct desc_struct *d)
 /* A simpler test than access_ok() can probably be done for
    FPU_code_access_ok() because the only possible error is to step
    past the upper boundary of a legal code area. */
-#define FPU_code_access_ok(z) FPU_access_ok(VERIFY_READ,(void __user *)FPU_EIP,z)
+#define FPU_code_access_ok(z) FPU_access_ok((void __user *)FPU_EIP,z)
 #endif
 
 #define FPU_get_user(x,y)       get_user((x),(y))
diff --git a/arch/x86/math-emu/load_store.c b/arch/x86/math-emu/load_store.c
index f821a9cd7753..f15263e158e8 100644
--- a/arch/x86/math-emu/load_store.c
+++ b/arch/x86/math-emu/load_store.c
@@ -251,7 +251,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
                 break;
         case 024:               /* fldcw */
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_READ, data_address, 2);
+                FPU_access_ok(data_address, 2);
                 FPU_get_user(control_word,
                              (unsigned short __user *)data_address);
                 RE_ENTRANT_CHECK_ON;
@@ -291,7 +291,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
                 break;
         case 034:               /* fstcw m16int */
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_WRITE, data_address, 2);
+                FPU_access_ok(data_address, 2);
                 FPU_put_user(control_word,
                              (unsigned short __user *)data_address);
                 RE_ENTRANT_CHECK_ON;
@@ -305,7 +305,7 @@ int FPU_load_store(u_char type, fpu_addr_modes addr_modes,
                 break;
         case 036:               /* fstsw m2byte */
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_WRITE, data_address, 2);
+                FPU_access_ok(data_address, 2);
                 FPU_put_user(status_word(),
                              (unsigned short __user *)data_address);
                 RE_ENTRANT_CHECK_ON;
diff --git a/arch/x86/math-emu/reg_ld_str.c b/arch/x86/math-emu/reg_ld_str.c
index d40ff45497b9..f3779743d15e 100644
--- a/arch/x86/math-emu/reg_ld_str.c
+++ b/arch/x86/math-emu/reg_ld_str.c
@@ -84,7 +84,7 @@ int FPU_load_extended(long double __user *s, int stnr)
         FPU_REG *sti_ptr = &st(stnr);
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_READ, s, 10);
+        FPU_access_ok(s, 10);
         __copy_from_user(sti_ptr, s, 10);
         RE_ENTRANT_CHECK_ON;
 
@@ -98,7 +98,7 @@ int FPU_load_double(double __user *dfloat, FPU_REG *loaded_data)
         unsigned m64, l64;
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_READ, dfloat, 8);
+        FPU_access_ok(dfloat, 8);
         FPU_get_user(m64, 1 + (unsigned long __user *)dfloat);
         FPU_get_user(l64, (unsigned long __user *)dfloat);
         RE_ENTRANT_CHECK_ON;
@@ -159,7 +159,7 @@ int FPU_load_single(float __user *single, FPU_REG *loaded_data)
         int exp, tag, negative;
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_READ, single, 4);
+        FPU_access_ok(single, 4);
         FPU_get_user(m32, (unsigned long __user *)single);
         RE_ENTRANT_CHECK_ON;
 
@@ -214,7 +214,7 @@ int FPU_load_int64(long long __user *_s)
         FPU_REG *st0_ptr = &st(0);
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_READ, _s, 8);
+        FPU_access_ok(_s, 8);
         if (copy_from_user(&s, _s, 8))
                 FPU_abort;
         RE_ENTRANT_CHECK_ON;
@@ -243,7 +243,7 @@ int FPU_load_int32(long __user *_s, FPU_REG *loaded_data)
         int negative;
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_READ, _s, 4);
+        FPU_access_ok(_s, 4);
         FPU_get_user(s, _s);
         RE_ENTRANT_CHECK_ON;
 
@@ -271,7 +271,7 @@ int FPU_load_int16(short __user *_s, FPU_REG *loaded_data)
         int s, negative;
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_READ, _s, 2);
+        FPU_access_ok(_s, 2);
         /* Cast as short to get the sign extended. */
         FPU_get_user(s, _s);
         RE_ENTRANT_CHECK_ON;
@@ -304,7 +304,7 @@ int FPU_load_bcd(u_char __user *s)
         int sign;
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_READ, s, 10);
+        FPU_access_ok(s, 10);
         RE_ENTRANT_CHECK_ON;
         for (pos = 8; pos >= 0; pos--) {
                 l *= 10;
@@ -345,7 +345,7 @@ int FPU_store_extended(FPU_REG *st0_ptr, u_char st0_tag,
 
         if (st0_tag != TAG_Empty) {
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_WRITE, d, 10);
+                FPU_access_ok(d, 10);
 
                 FPU_put_user(st0_ptr->sigl, (unsigned long __user *)d);
                 FPU_put_user(st0_ptr->sigh,
@@ -364,7 +364,7 @@ int FPU_store_extended(FPU_REG *st0_ptr, u_char st0_tag,
                 /* The masked response */
                 /* Put out the QNaN indefinite */
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_WRITE, d, 10);
+                FPU_access_ok(d, 10);
                 FPU_put_user(0, (unsigned long __user *)d);
                 FPU_put_user(0xc0000000, 1 + (unsigned long __user *)d);
                 FPU_put_user(0xffff, 4 + (short __user *)d);
@@ -539,7 +539,7 @@ denormal_arg:
                         /* The masked response */
                         /* Put out the QNaN indefinite */
                         RE_ENTRANT_CHECK_OFF;
-                        FPU_access_ok(VERIFY_WRITE, dfloat, 8);
+                        FPU_access_ok(dfloat, 8);
                         FPU_put_user(0, (unsigned long __user *)dfloat);
                         FPU_put_user(0xfff80000,
                                      1 + (unsigned long __user *)dfloat);
@@ -552,7 +552,7 @@ denormal_arg:
                 l[1] |= 0x80000000;
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_WRITE, dfloat, 8);
+        FPU_access_ok(dfloat, 8);
         FPU_put_user(l[0], (unsigned long __user *)dfloat);
         FPU_put_user(l[1], 1 + (unsigned long __user *)dfloat);
         RE_ENTRANT_CHECK_ON;
@@ -724,7 +724,7 @@ int FPU_store_single(FPU_REG *st0_ptr, u_char st0_tag, float __user *single)
                         /* The masked response */
                         /* Put out the QNaN indefinite */
                         RE_ENTRANT_CHECK_OFF;
-                        FPU_access_ok(VERIFY_WRITE, single, 4);
+                        FPU_access_ok(single, 4);
                         FPU_put_user(0xffc00000,
                                      (unsigned long __user *)single);
                         RE_ENTRANT_CHECK_ON;
@@ -742,7 +742,7 @@ int FPU_store_single(FPU_REG *st0_ptr, u_char st0_tag, float __user *single)
                 templ |= 0x80000000;
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_WRITE, single, 4);
+        FPU_access_ok(single, 4);
         FPU_put_user(templ, (unsigned long __user *)single);
         RE_ENTRANT_CHECK_ON;
 
@@ -791,7 +791,7 @@ int FPU_store_int64(FPU_REG *st0_ptr, u_char st0_tag, long long __user *d)
         }
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_WRITE, d, 8);
+        FPU_access_ok(d, 8);
         if (copy_to_user(d, &tll, 8))
                 FPU_abort;
         RE_ENTRANT_CHECK_ON;
@@ -838,7 +838,7 @@ int FPU_store_int32(FPU_REG *st0_ptr, u_char st0_tag, long __user *d)
         }
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_WRITE, d, 4);
+        FPU_access_ok(d, 4);
         FPU_put_user(t.sigl, (unsigned long __user *)d);
         RE_ENTRANT_CHECK_ON;
 
@@ -884,7 +884,7 @@ int FPU_store_int16(FPU_REG *st0_ptr, u_char st0_tag, short __user *d)
         }
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_WRITE, d, 2);
+        FPU_access_ok(d, 2);
         FPU_put_user((short)t.sigl, d);
         RE_ENTRANT_CHECK_ON;
 
@@ -925,7 +925,7 @@ int FPU_store_bcd(FPU_REG *st0_ptr, u_char st0_tag, u_char __user *d)
                 if (control_word & CW_Invalid) {
                         /* Produce the QNaN "indefinite" */
                         RE_ENTRANT_CHECK_OFF;
-                        FPU_access_ok(VERIFY_WRITE, d, 10);
+                        FPU_access_ok(d, 10);
                         for (i = 0; i < 7; i++)
                                 FPU_put_user(0, d + i); /* These bytes "undefined" */
                         FPU_put_user(0xc0, d + 7);      /* This byte "undefined" */
@@ -941,7 +941,7 @@ int FPU_store_bcd(FPU_REG *st0_ptr, u_char st0_tag, u_char __user *d)
         }
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_WRITE, d, 10);
+        FPU_access_ok(d, 10);
         RE_ENTRANT_CHECK_ON;
         for (i = 0; i < 9; i++) {
                 b = FPU_div_small(&ll, 10);
@@ -1034,7 +1034,7 @@ u_char __user *fldenv(fpu_addr_modes addr_modes, u_char __user *s)
             ((addr_modes.default_mode == PM16)
              ^ (addr_modes.override.operand_size == OP_SIZE_PREFIX))) {
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_READ, s, 0x0e);
+                FPU_access_ok(s, 0x0e);
                 FPU_get_user(control_word, (unsigned short __user *)s);
                 FPU_get_user(partial_status, (unsigned short __user *)(s + 2));
                 FPU_get_user(tag_word, (unsigned short __user *)(s + 4));
@@ -1056,7 +1056,7 @@ u_char __user *fldenv(fpu_addr_modes addr_modes, u_char __user *s)
                 }
         } else {
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_READ, s, 0x1c);
+                FPU_access_ok(s, 0x1c);
                 FPU_get_user(control_word, (unsigned short __user *)s);
                 FPU_get_user(partial_status, (unsigned short __user *)(s + 4));
                 FPU_get_user(tag_word, (unsigned short __user *)(s + 8));
@@ -1125,7 +1125,7 @@ void frstor(fpu_addr_modes addr_modes, u_char __user *data_address)
 
         /* Copy all registers in stack order. */
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_READ, s, 80);
+        FPU_access_ok(s, 80);
         __copy_from_user(register_base + offset, s, other);
         if (offset)
                 __copy_from_user(register_base, s + other, offset);
@@ -1146,7 +1146,7 @@ u_char __user *fstenv(fpu_addr_modes addr_modes, u_char __user *d)
             ((addr_modes.default_mode == PM16)
              ^ (addr_modes.override.operand_size == OP_SIZE_PREFIX))) {
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_WRITE, d, 14);
+                FPU_access_ok(d, 14);
 #ifdef PECULIAR_486
                 FPU_put_user(control_word & ~0xe080, (unsigned long __user *)d);
 #else
@@ -1174,7 +1174,7 @@ u_char __user *fstenv(fpu_addr_modes addr_modes, u_char __user *d)
                 d += 0x0e;
         } else {
                 RE_ENTRANT_CHECK_OFF;
-                FPU_access_ok(VERIFY_WRITE, d, 7 * 4);
+                FPU_access_ok(d, 7 * 4);
 #ifdef PECULIAR_486
                 control_word &= ~0xe080;
                 /* An 80486 sets nearly all of the reserved bits to 1. */
@@ -1204,7 +1204,7 @@ void fsave(fpu_addr_modes addr_modes, u_char __user *data_address)
         d = fstenv(addr_modes, data_address);
 
         RE_ENTRANT_CHECK_OFF;
-        FPU_access_ok(VERIFY_WRITE, d, 80);
+        FPU_access_ok(d, 80);
 
         /* Copy all registers in stack order. */
         if (__copy_to_user(d, register_base + offset, other))
diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index 2385538e8065..de1851d15699 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -495,7 +495,7 @@ static int get_bt_addr(struct mm_struct *mm,
         unsigned long bd_entry;
         unsigned long bt_addr;
 
-        if (!access_ok(VERIFY_READ, (bd_entry_ptr), sizeof(*bd_entry_ptr)))
+        if (!access_ok((bd_entry_ptr), sizeof(*bd_entry_ptr)))
                 return -EFAULT;
 
         while (1) {
diff --git a/arch/x86/um/asm/checksum_32.h b/arch/x86/um/asm/checksum_32.h
index 83a75f8a1233..b9ac7c9eb72c 100644
--- a/arch/x86/um/asm/checksum_32.h
+++ b/arch/x86/um/asm/checksum_32.h
@@ -43,7 +43,7 @@ static __inline__ __wsum csum_and_copy_to_user(const void *src,
                                                      void __user *dst,
                                                      int len, __wsum sum, int *err_ptr)
 {
-        if (access_ok(VERIFY_WRITE, dst, len)) {
+        if (access_ok(dst, len)) {
                 if (copy_to_user(dst, src, len)) {
                         *err_ptr = -EFAULT;
                         return (__force __wsum)-1;
diff --git a/arch/x86/um/signal.c b/arch/x86/um/signal.c
index 727ed442e0a5..8b4a71efe7ee 100644
--- a/arch/x86/um/signal.c
+++ b/arch/x86/um/signal.c
@@ -367,7 +367,7 @@ int setup_signal_stack_sc(unsigned long stack_top, struct ksignal *ksig,
         /* This is the same calculation as i386 - ((sp + 4) & 15) == 0 */
         stack_top = ((stack_top + 4) & -16UL) - 4;
         frame = (struct sigframe __user *) stack_top - 1;
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return 1;
 
         restorer = frame->retcode;
@@ -412,7 +412,7 @@ int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
 
         stack_top &= -8UL;
         frame = (struct rt_sigframe __user *) stack_top - 1;
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 return 1;
 
         restorer = frame->retcode;
@@ -497,7 +497,7 @@ int setup_signal_stack_si(unsigned long stack_top, struct ksignal *ksig,
         /* Subtract 128 for a red zone and 8 for proper alignment */
         frame = (struct rt_sigframe __user *) ((unsigned long) frame - 128 - 8);
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto out;
 
         if (ksig->ka.sa.sa_flags & SA_SIGINFO) {
diff --git a/arch/xtensa/include/asm/checksum.h b/arch/xtensa/include/asm/checksum.h
index 3ae74d7e074b..f302ef57973a 100644
--- a/arch/xtensa/include/asm/checksum.h
+++ b/arch/xtensa/include/asm/checksum.h
@@ -243,7 +243,7 @@ static __inline__ __wsum csum_and_copy_to_user(const void *src,
                                                void __user *dst, int len,
                                                __wsum sum, int *err_ptr)
 {
-        if (access_ok(VERIFY_WRITE, dst, len))
+        if (access_ok(dst, len))
                 return csum_partial_copy_generic(src,dst,len,sum,NULL,err_ptr);
 
         if (len)
diff --git a/arch/xtensa/include/asm/futex.h b/arch/xtensa/include/asm/futex.h
index fd0eef6b8e7c..505d09eff184 100644
--- a/arch/xtensa/include/asm/futex.h
+++ b/arch/xtensa/include/asm/futex.h
@@ -93,7 +93,7 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
 {
         int ret = 0;
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
 #if !XCHAL_HAVE_S32C1I
diff --git a/arch/xtensa/include/asm/uaccess.h b/arch/xtensa/include/asm/uaccess.h
index d11ef2939652..4b2480304bc3 100644
--- a/arch/xtensa/include/asm/uaccess.h
+++ b/arch/xtensa/include/asm/uaccess.h
@@ -42,7 +42,7 @@
 #define __user_ok(addr, size) \
                 (((size) <= TASK_SIZE)&&((addr) <= TASK_SIZE-(size)))
 #define __access_ok(addr, size) (__kernel_ok || __user_ok((addr), (size)))
-#define access_ok(type, addr, size) __access_ok((unsigned long)(addr), (size))
+#define access_ok(addr, size) __access_ok((unsigned long)(addr), (size))
 
 #define user_addr_max() (uaccess_kernel() ? ~0UL : TASK_SIZE)
 
@@ -86,7 +86,7 @@ extern long __put_user_bad(void);
 ({                                                                      \
         long __pu_err = -EFAULT;                                        \
         __typeof__(*(ptr)) *__pu_addr = (ptr);                          \
-        if (access_ok(VERIFY_WRITE, __pu_addr, size))                   \
+        if (access_ok(__pu_addr, size))                 \
                 __put_user_size((x), __pu_addr, (size), __pu_err);      \
         __pu_err;                                                       \
 })
@@ -183,7 +183,7 @@ __asm__ __volatile__(					\
 ({                                                                      \
         long __gu_err = -EFAULT, __gu_val = 0;                          \
         const __typeof__(*(ptr)) *__gu_addr = (ptr);                    \
-        if (access_ok(VERIFY_READ, __gu_addr, size))                    \
+        if (access_ok(__gu_addr, size))                 \
                 __get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
         (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
         __gu_err;                                                       \
@@ -269,7 +269,7 @@ __xtensa_clear_user(void *addr, unsigned long size)
 static inline unsigned long
 clear_user(void *addr, unsigned long size)
 {
-        if (access_ok(VERIFY_WRITE, addr, size))
+        if (access_ok(addr, size))
                 return __xtensa_clear_user(addr, size);
         return size ? -EFAULT : 0;
 }
@@ -284,7 +284,7 @@ extern long __strncpy_user(char *, const char *, long);
 static inline long
 strncpy_from_user(char *dst, const char *src, long count)
 {
-        if (access_ok(VERIFY_READ, src, 1))
+        if (access_ok(src, 1))
                 return __strncpy_user(dst, src, count);
         return -EFAULT;
 }
diff --git a/arch/xtensa/kernel/signal.c b/arch/xtensa/kernel/signal.c
index 74e1682876ac..dc22a238ed9c 100644
--- a/arch/xtensa/kernel/signal.c
+++ b/arch/xtensa/kernel/signal.c
@@ -251,7 +251,7 @@ asmlinkage long xtensa_rt_sigreturn(long a0, long a1, long a2, long a3,
 
         frame = (struct rt_sigframe __user *) regs->areg[1];
 
-        if (!access_ok(VERIFY_READ, frame, sizeof(*frame)))
+        if (!access_ok(frame, sizeof(*frame)))
                 goto badframe;
 
         if (__copy_from_user(&set, &frame->uc.uc_sigmask, sizeof(set)))
@@ -348,7 +348,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
         if (regs->depc > 64)
                 panic ("Double exception sys_sigreturn\n");
 
-        if (!access_ok(VERIFY_WRITE, frame, sizeof(*frame))) {
+        if (!access_ok(frame, sizeof(*frame))) {
                 return -EFAULT;
         }
 
diff --git a/arch/xtensa/kernel/stacktrace.c b/arch/xtensa/kernel/stacktrace.c
index 0df4080fa20f..174c11f13bba 100644
--- a/arch/xtensa/kernel/stacktrace.c
+++ b/arch/xtensa/kernel/stacktrace.c
@@ -91,7 +91,7 @@ void xtensa_backtrace_user(struct pt_regs *regs, unsigned int depth,
                 pc = MAKE_PC_FROM_RA(a0, pc);
 
                 /* Check if the region is OK to access. */
-                if (!access_ok(VERIFY_READ, &SPILL_SLOT(a1, 0), 8))
+                if (!access_ok(&SPILL_SLOT(a1, 0), 8))
                         return;
                 /* Copy a1, a0 from user space stack frame. */
                 if (__get_user(a0, &SPILL_SLOT(a1, 0)) ||
diff --git a/drivers/acpi/acpi_dbg.c b/drivers/acpi/acpi_dbg.c
index f21c99ec46ee..a2dcd62ea32f 100644
--- a/drivers/acpi/acpi_dbg.c
+++ b/drivers/acpi/acpi_dbg.c
@@ -614,7 +614,7 @@ static ssize_t acpi_aml_read(struct file *file, char __user *buf,
 
         if (!count)
                 return 0;
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         while (count > 0) {
@@ -684,7 +684,7 @@ static ssize_t acpi_aml_write(struct file *file, const char __user *buf,
 
         if (!count)
                 return 0;
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         while (count > 0) {
diff --git a/drivers/char/generic_nvram.c b/drivers/char/generic_nvram.c
index 14e728fbb8a0..ff5394f47587 100644
--- a/drivers/char/generic_nvram.c
+++ b/drivers/char/generic_nvram.c
@@ -44,7 +44,7 @@ static ssize_t read_nvram(struct file *file, char __user *buf,
         unsigned int i;
         char __user *p = buf;
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
         if (*ppos >= nvram_len)
                 return 0;
@@ -62,7 +62,7 @@ static ssize_t write_nvram(struct file *file, const char __user *buf,
         const char __user *p = buf;
         char c;
 
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
         if (*ppos >= nvram_len)
                 return 0;
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 7b4e4de778e4..b08dc50f9f26 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -609,7 +609,7 @@ static ssize_t read_port(struct file *file, char __user *buf,
         unsigned long i = *ppos;
         char __user *tmp = buf;
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
         while (count-- > 0 && i < 65536) {
                 if (__put_user(inb(i), tmp) < 0)
@@ -627,7 +627,7 @@ static ssize_t write_port(struct file *file, const char __user *buf,
         unsigned long i = *ppos;
         const char __user *tmp = buf;
 
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
         while (count-- > 0 && i < 65536) {
                 char c;
diff --git a/drivers/char/nwflash.c b/drivers/char/nwflash.c
index a284ae25e69a..76fb434068d4 100644
--- a/drivers/char/nwflash.c
+++ b/drivers/char/nwflash.c
@@ -167,7 +167,7 @@ static ssize_t flash_write(struct file *file, const char __user *buf,
         if (count > gbFlashSize - p)
                 count = gbFlashSize - p;
                         
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         /*
diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
index 809507bf8f1c..7a4eb86aedac 100644
--- a/drivers/char/pcmcia/cm4000_cs.c
+++ b/drivers/char/pcmcia/cm4000_cs.c
@@ -1445,11 +1445,11 @@ static long cmm_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
               _IOC_DIR(cmd), _IOC_READ, _IOC_WRITE, size, cmd);
 
         if (_IOC_DIR(cmd) & _IOC_READ) {
-                if (!access_ok(VERIFY_WRITE, argp, size))
+                if (!access_ok(argp, size))
                         goto out;
         }
         if (_IOC_DIR(cmd) & _IOC_WRITE) {
-                if (!access_ok(VERIFY_READ, argp, size))
+                if (!access_ok(argp, size))
                         goto out;
         }
         rc = 0;
diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
index d64a78ccc03e..b16be8a11d92 100644
--- a/drivers/crypto/ccp/psp-dev.c
+++ b/drivers/crypto/ccp/psp-dev.c
@@ -364,7 +364,7 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp)
                 goto cmd;
 
         /* allocate a physically contiguous buffer to store the CSR blob */
-        if (!access_ok(VERIFY_WRITE, input.address, input.length) ||
+        if (!access_ok(input.address, input.length) ||
             input.length > SEV_FW_BLOB_MAX_SIZE) {
                 ret = -EFAULT;
                 goto e_free;
@@ -644,14 +644,14 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp)
 
         /* Allocate a physically contiguous buffer to store the PDH blob. */
         if ((input.pdh_cert_len > SEV_FW_BLOB_MAX_SIZE) ||
-            !access_ok(VERIFY_WRITE, input.pdh_cert_address, input.pdh_cert_len)) {
+            !access_ok(input.pdh_cert_address, input.pdh_cert_len)) {
                 ret = -EFAULT;
                 goto e_free;
         }
 
         /* Allocate a physically contiguous buffer to store the cert chain blob. */
         if ((input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE) ||
-            !access_ok(VERIFY_WRITE, input.cert_chain_address, input.cert_chain_len)) {
+            !access_ok(input.cert_chain_address, input.cert_chain_len)) {
                 ret = -EFAULT;
                 goto e_free;
         }
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index d8e185582642..16a7045736a9 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1094,7 +1094,7 @@ static int ioctl_queue_iso(struct client *client, union ioctl_arg *arg)
                 return -EINVAL;
 
         p = (struct fw_cdev_iso_packet __user *)u64_to_uptr(a->packets);
-        if (!access_ok(VERIFY_READ, p, a->size))
+        if (!access_ok(p, a->size))
                 return -EFAULT;
 
         end = (void __user *)p + a->size;
diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 769640940c9f..51ecf7d6da48 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -68,7 +68,7 @@ copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src,
                 return 0;
         }
 
-        if (!access_ok(VERIFY_READ, src, 1))
+        if (!access_ok(src, 1))
                 return -EFAULT;
 
         buf = memdup_user(src, len);
@@ -89,7 +89,7 @@ copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src,
 static inline int
 get_ucs2_strsize_from_user(efi_char16_t __user *src, size_t *len)
 {
-        if (!access_ok(VERIFY_READ, src, 1))
+        if (!access_ok(src, 1))
                 return -EFAULT;
 
         *len = user_ucs2_strsize(src);
@@ -116,7 +116,7 @@ copy_ucs2_from_user(efi_char16_t **dst, efi_char16_t __user *src)
 {
         size_t len;
 
-        if (!access_ok(VERIFY_READ, src, 1))
+        if (!access_ok(src, 1))
                 return -EFAULT;
 
         len = user_ucs2_strsize(src);
@@ -140,7 +140,7 @@ copy_ucs2_to_user_len(efi_char16_t __user *dst, efi_char16_t *src, size_t len)
         if (!src)
                 return 0;
 
-        if (!access_ok(VERIFY_WRITE, dst, 1))
+        if (!access_ok(dst, 1))
                 return -EFAULT;
 
         return copy_to_user(dst, src, len);
diff --git a/drivers/fpga/dfl-afu-dma-region.c b/drivers/fpga/dfl-afu-dma-region.c
index 025aba3ea76c..e18a786fc943 100644
--- a/drivers/fpga/dfl-afu-dma-region.c
+++ b/drivers/fpga/dfl-afu-dma-region.c
@@ -369,7 +369,7 @@ int afu_dma_map_region(struct dfl_feature_platform_data *pdata,
         if (user_addr + length < user_addr)
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_WRITE, (void __user *)(unsigned long)user_addr,
+        if (!access_ok((void __user *)(unsigned long)user_addr,
                        length))
                 return -EINVAL;
 
diff --git a/drivers/fpga/dfl-fme-pr.c b/drivers/fpga/dfl-fme-pr.c
index fe5a5578fbf7..d9ca9554844a 100644
--- a/drivers/fpga/dfl-fme-pr.c
+++ b/drivers/fpga/dfl-fme-pr.c
@@ -99,8 +99,7 @@ static int fme_pr(struct platform_device *pdev, unsigned long arg)
                 return -EINVAL;
         }
 
-        if (!access_ok(VERIFY_READ,
-                       (void __user *)(unsigned long)port_pr.buffer_address,
+        if (!access_ok((void __user *)(unsigned long)port_pr.buffer_address,
                        port_pr.buffer_size))
                 return -EFAULT;
 
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 3623538baf6f..be68752c3469 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -158,8 +158,7 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
         }
 
         if ((args->ring_base_address) &&
-                (!access_ok(VERIFY_WRITE,
-                        (const void __user *) args->ring_base_address,
+                (!access_ok((const void __user *) args->ring_base_address,
                         sizeof(uint64_t)))) {
                 pr_err("Can't access ring base address\n");
                 return -EFAULT;
@@ -170,31 +169,27 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
                 return -EINVAL;
         }
 
-        if (!access_ok(VERIFY_WRITE,
-                        (const void __user *) args->read_pointer_address,
+        if (!access_ok((const void __user *) args->read_pointer_address,
                         sizeof(uint32_t))) {
                 pr_err("Can't access read pointer\n");
                 return -EFAULT;
         }
 
-        if (!access_ok(VERIFY_WRITE,
-                        (const void __user *) args->write_pointer_address,
+        if (!access_ok((const void __user *) args->write_pointer_address,
                         sizeof(uint32_t))) {
                 pr_err("Can't access write pointer\n");
                 return -EFAULT;
         }
 
         if (args->eop_buffer_address &&
-                !access_ok(VERIFY_WRITE,
-                        (const void __user *) args->eop_buffer_address,
+                !access_ok((const void __user *) args->eop_buffer_address,
                         sizeof(uint32_t))) {
                 pr_debug("Can't access eop buffer");
                 return -EFAULT;
         }
 
         if (args->ctx_save_restore_address &&
-                !access_ok(VERIFY_WRITE,
-                        (const void __user *) args->ctx_save_restore_address,
+                !access_ok((const void __user *) args->ctx_save_restore_address,
                         sizeof(uint32_t))) {
                 pr_debug("Can't access ctx save restore buffer");
                 return -EFAULT;
@@ -365,8 +360,7 @@ static int kfd_ioctl_update_queue(struct file *filp, struct kfd_process *p,
         }
 
         if ((args->ring_base_address) &&
-                (!access_ok(VERIFY_WRITE,
-                        (const void __user *) args->ring_base_address,
+                (!access_ok((const void __user *) args->ring_base_address,
                         sizeof(uint64_t)))) {
                 pr_err("Can't access ring base address\n");
                 return -EFAULT;
diff --git a/drivers/gpu/drm/armada/armada_gem.c b/drivers/gpu/drm/armada/armada_gem.c
index 892c1d9304bb..642d0e70d0f8 100644
--- a/drivers/gpu/drm/armada/armada_gem.c
+++ b/drivers/gpu/drm/armada/armada_gem.c
@@ -334,7 +334,7 @@ int armada_gem_pwrite_ioctl(struct drm_device *dev, void *data,
 
         ptr = (char __user *)(uintptr_t)args->ptr;
 
-        if (!access_ok(VERIFY_READ, ptr, args->size))
+        if (!access_ok(ptr, args->size))
                 return -EFAULT;
 
         ret = fault_in_pages_readable(ptr, args->size);
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c
index ffa8dc35515f..46f48f245eb5 100644
--- a/drivers/gpu/drm/drm_file.c
+++ b/drivers/gpu/drm/drm_file.c
@@ -525,7 +525,7 @@ ssize_t drm_read(struct file *filp, char __user *buffer,
         struct drm_device *dev = file_priv->minor->dev;
         ssize_t ret;
 
-        if (!access_ok(VERIFY_WRITE, buffer, count))
+        if (!access_ok(buffer, count))
                 return -EFAULT;
 
         ret = mutex_lock_interruptible(&file_priv->event_read_lock);
diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.c b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
index 96efc84396bf..18c27f795cf6 100644
--- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c
@@ -339,7 +339,6 @@ static int etnaviv_ioctl_gem_userptr(struct drm_device *dev, void *data,
         struct drm_file *file)
 {
         struct drm_etnaviv_gem_userptr *args = data;
-        int access;
 
         if (args->flags & ~(ETNA_USERPTR_READ|ETNA_USERPTR_WRITE) ||
             args->flags == 0)
@@ -351,12 +350,7 @@ static int etnaviv_ioctl_gem_userptr(struct drm_device *dev, void *data,
             args->user_ptr & ~PAGE_MASK)
                 return -EINVAL;
 
-        if (args->flags & ETNA_USERPTR_WRITE)
-                access = VERIFY_WRITE;
-        else
-                access = VERIFY_READ;
-
-        if (!access_ok(access, (void __user *)(unsigned long)args->user_ptr,
+        if (!access_ok((void __user *)(unsigned long)args->user_ptr,
                        args->user_size))
                 return -EFAULT;
 
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index a9de07bb72c8..216f52b744a6 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -1282,8 +1282,7 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
         if (args->size == 0)
                 return 0;
 
-        if (!access_ok(VERIFY_WRITE,
-                       u64_to_user_ptr(args->data_ptr),
+        if (!access_ok(u64_to_user_ptr(args->data_ptr),
                        args->size))
                 return -EFAULT;
 
@@ -1609,9 +1608,7 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
         if (args->size == 0)
                 return 0;
 
-        if (!access_ok(VERIFY_READ,
-                       u64_to_user_ptr(args->data_ptr),
-                       args->size))
+        if (!access_ok(u64_to_user_ptr(args->data_ptr), args->size))
                 return -EFAULT;
 
         obj = i915_gem_object_lookup(file, args->handle);
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 8ff6b581cf1c..485b259127c3 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1447,7 +1447,7 @@ static int eb_relocate_vma(struct i915_execbuffer *eb, struct i915_vma *vma)
          * to read. However, if the array is not writable the user loses
          * the updated relocation values.
          */
-        if (unlikely(!access_ok(VERIFY_READ, urelocs, remain*sizeof(*urelocs))))
+        if (unlikely(!access_ok(urelocs, remain*sizeof(*urelocs))))
                 return -EFAULT;
 
         do {
@@ -1554,7 +1554,7 @@ static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
 
         addr = u64_to_user_ptr(entry->relocs_ptr);
         size *= sizeof(struct drm_i915_gem_relocation_entry);
-        if (!access_ok(VERIFY_READ, addr, size))
+        if (!access_ok(addr, size))
                 return -EFAULT;
 
         end = addr + size;
@@ -1605,6 +1605,7 @@ static int eb_copy_relocations(const struct i915_execbuffer *eb)
                                              (char __user *)urelocs + copied,
                                              len)) {
 end_user:
+                                user_access_end();
                                 kvfree(relocs);
                                 err = -EFAULT;
                                 goto err;
@@ -1623,7 +1624,9 @@ end_user:
                  * happened we would make the mistake of assuming that the
                  * relocations were valid.
                  */
-                user_access_begin();
+                if (!user_access_begin(urelocs, size))
+                        goto end_user;
+
                 for (copied = 0; copied < nreloc; copied++)
                         unsafe_put_user(-1,
                                         &urelocs[copied].presumed_offset,
@@ -2090,7 +2093,7 @@ get_fence_array(struct drm_i915_gem_execbuffer2 *args,
                 return ERR_PTR(-EINVAL);
 
         user = u64_to_user_ptr(args->cliprects_ptr);
-        if (!access_ok(VERIFY_READ, user, nfences * sizeof(*user)))
+        if (!access_ok(user, nfences * sizeof(*user)))
                 return ERR_PTR(-EFAULT);
 
         fences = kvmalloc_array(nfences, sizeof(*fences),
@@ -2605,7 +2608,16 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
                 unsigned int i;
 
                 /* Copy the new buffer offsets back to the user's exec list. */
-                user_access_begin();
+                /*
+                 * Note: count * sizeof(*user_exec_list) does not overflow,
+                 * because we checked 'count' in check_buffer_count().
+                 *
+                 * And this range already got effectively checked earlier
+                 * when we did the "copy_from_user()" above.
+                 */
+                if (!user_access_begin(user_exec_list, count * sizeof(*user_exec_list)))
+                        goto end_user;
+
                 for (i = 0; i < args->buffer_count; i++) {
                         if (!(exec2_list[i].offset & UPDATE))
                                 continue;
diff --git a/drivers/gpu/drm/i915/i915_gem_userptr.c b/drivers/gpu/drm/i915/i915_gem_userptr.c
index 3df77020aada..9558582c105e 100644
--- a/drivers/gpu/drm/i915/i915_gem_userptr.c
+++ b/drivers/gpu/drm/i915/i915_gem_userptr.c
@@ -789,8 +789,7 @@ i915_gem_userptr_ioctl(struct drm_device *dev,
         if (offset_in_page(args->user_ptr | args->user_size))
                 return -EINVAL;
 
-        if (!access_ok(args->flags & I915_USERPTR_READ_ONLY ? VERIFY_READ : VERIFY_WRITE,
-                       (char __user *)(unsigned long)args->user_ptr, args->user_size))
+        if (!access_ok((char __user *)(unsigned long)args->user_ptr, args->user_size))
                 return -EFAULT;
 
         if (args->flags & I915_USERPTR_READ_ONLY) {
diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c
index 0e5c580d117c..e869daf9c8a9 100644
--- a/drivers/gpu/drm/i915/i915_ioc32.c
+++ b/drivers/gpu/drm/i915/i915_ioc32.c
@@ -52,7 +52,7 @@ static int compat_i915_getparam(struct file *file, unsigned int cmd,
                 return -EFAULT;
 
         request = compat_alloc_user_space(sizeof(*request));
-        if (!access_ok(VERIFY_WRITE, request, sizeof(*request)) ||
+        if (!access_ok(request, sizeof(*request)) ||
             __put_user(req32.param, &request->param) ||
             __put_user((void __user *)(unsigned long)req32.value,
                        &request->value))
diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
index 4529edfdcfc8..2b2eb57ca71f 100644
--- a/drivers/gpu/drm/i915/i915_perf.c
+++ b/drivers/gpu/drm/i915/i915_perf.c
@@ -3052,7 +3052,7 @@ static struct i915_oa_reg *alloc_oa_regs(struct drm_i915_private *dev_priv,
         if (!n_regs)
                 return NULL;
 
-        if (!access_ok(VERIFY_READ, regs, n_regs * sizeof(u32) * 2))
+        if (!access_ok(regs, n_regs * sizeof(u32) * 2))
                 return ERR_PTR(-EFAULT);
 
         /* No is_valid function means we're not allowing any register to be programmed. */
diff --git a/drivers/gpu/drm/i915/i915_query.c b/drivers/gpu/drm/i915/i915_query.c
index 6fc4b8eeab42..fe56465cdfd6 100644
--- a/drivers/gpu/drm/i915/i915_query.c
+++ b/drivers/gpu/drm/i915/i915_query.c
@@ -46,7 +46,7 @@ static int query_topology_info(struct drm_i915_private *dev_priv,
         if (topo.flags != 0)
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_WRITE, u64_to_user_ptr(query_item->data_ptr),
+        if (!access_ok(u64_to_user_ptr(query_item->data_ptr),
                        total_length))
                 return -EFAULT;
 
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index a28465d90529..12b983fc0b56 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -77,7 +77,7 @@ void msm_gem_submit_free(struct msm_gem_submit *submit)
 static inline unsigned long __must_check
 copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
 {
-        if (access_ok(VERIFY_READ, from, n))
+        if (access_ok(from, n))
                 return __copy_from_user_inatomic(to, from, n);
         return -EFAULT;
 }
diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
index 6e828158bcb0..d410e2925162 100644
--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
@@ -163,8 +163,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
         if (cmd->command_size > PAGE_SIZE - sizeof(union qxl_release_info))
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_READ,
-                       u64_to_user_ptr(cmd->command),
+        if (!access_ok(u64_to_user_ptr(cmd->command),
                        cmd->command_size))
                 return -EFAULT;
 
diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index 9f9172eb1512..fb0007aa0c27 100644
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -611,8 +611,7 @@ static ssize_t verify_hdr(struct ib_uverbs_cmd_hdr *hdr,
                         if (hdr->out_words * 8 < method_elm->resp_size)
                                 return -ENOSPC;
 
-                        if (!access_ok(VERIFY_WRITE,
-                                       u64_to_user_ptr(ex_hdr->response),
+                        if (!access_ok(u64_to_user_ptr(ex_hdr->response),
                                        (hdr->out_words + ex_hdr->provider_out_words) * 8))
                                 return -EFAULT;
                 } else {
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
index dbe7d14a5c76..0cd71ce7cc71 100644
--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
@@ -232,7 +232,7 @@ static int pin_rcv_pages(struct hfi1_filedata *fd, struct tid_user_buf *tidbuf)
         }
 
         /* Verify that access is OK for the user buffer */
-        if (!access_ok(VERIFY_WRITE, (void __user *)vaddr,
+        if (!access_ok((void __user *)vaddr,
                        npages * PAGE_SIZE)) {
                 dd_dev_err(dd, "Fail vaddr %p, %u pages, !access_ok\n",
                            (void *)vaddr, npages);
diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
index 98e1ce14fa2a..78fa634de98a 100644
--- a/drivers/infiniband/hw/qib/qib_file_ops.c
+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
@@ -343,7 +343,7 @@ static int qib_tid_update(struct qib_ctxtdata *rcd, struct file *fp,
 
         /* virtual address of first page in transfer */
         vaddr = ti->tidvaddr;
-        if (!access_ok(VERIFY_WRITE, (void __user *) vaddr,
+        if (!access_ok((void __user *) vaddr,
                        cnt * PAGE_SIZE)) {
                 ret = -EFAULT;
                 goto done;
diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
index 0ff517d3c98f..a4ceb61c5b60 100644
--- a/drivers/isdn/capi/kcapi.c
+++ b/drivers/isdn/capi/kcapi.c
@@ -852,7 +852,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
         u16 ret;
 
         if (contr == 0) {
-                strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
+                strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
                 return CAPI_NOERROR;
         }
 
@@ -860,7 +860,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
 
         ctr = get_capi_ctr_by_nr(contr);
         if (ctr && ctr->state == CAPI_CTR_RUNNING) {
-                strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
+                strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
                 ret = CAPI_NOERROR;
         } else
                 ret = CAPI_REGNOTINSTALLED;
diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c
index 5b719b561860..81dd465afcf4 100644
--- a/drivers/isdn/hisax/hfc_pci.c
+++ b/drivers/isdn/hisax/hfc_pci.c
@@ -1169,11 +1169,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg)
                 if (cs->debug & L1_DEB_LAPD)
                         debugl1(cs, "-> PH_REQUEST_PULL");
 #endif
+                spin_lock_irqsave(&cs->lock, flags);
                 if (!cs->tx_skb) {
                         test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
                         st->l1.l1l2(st, PH_PULL | CONFIRM, NULL);
                 } else
                         test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags);
+                spin_unlock_irqrestore(&cs->lock, flags);
                 break;
         case (HW_RESET | REQUEST):
                 spin_lock_irqsave(&cs->lock, flags);
diff --git a/drivers/macintosh/ans-lcd.c b/drivers/macintosh/ans-lcd.c
index ef0c2366cf59..400960cf04d5 100644
--- a/drivers/macintosh/ans-lcd.c
+++ b/drivers/macintosh/ans-lcd.c
@@ -64,7 +64,7 @@ anslcd_write( struct file * file, const char __user * buf,
         printk(KERN_DEBUG "LCD: write\n");
 #endif
 
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         mutex_lock(&anslcd_mutex);
diff --git a/drivers/macintosh/via-pmu.c b/drivers/macintosh/via-pmu.c
index ac0cf37d6239..21d532a78fa4 100644
--- a/drivers/macintosh/via-pmu.c
+++ b/drivers/macintosh/via-pmu.c
@@ -2188,7 +2188,7 @@ pmu_read(struct file *file, char __user *buf,
 
         if (count < 1 || !pp)
                 return -EINVAL;
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         spin_lock_irqsave(&pp->lock, flags);
diff --git a/drivers/media/pci/ivtv/ivtvfb.c b/drivers/media/pci/ivtv/ivtvfb.c
index 3e02de02ffdd..8ec2525d8ef5 100644
--- a/drivers/media/pci/ivtv/ivtvfb.c
+++ b/drivers/media/pci/ivtv/ivtvfb.c
@@ -356,7 +356,7 @@ static int ivtvfb_prep_frame(struct ivtv *itv, int cmd, void __user *source,
                 IVTVFB_WARN("ivtvfb_prep_frame: Count not a multiple of 4 (%d)\n", count);
 
         /* Check Source */
-        if (!access_ok(VERIFY_READ, source + dest_offset, count)) {
+        if (!access_ok(source + dest_offset, count)) {
                 IVTVFB_WARN("Invalid userspace pointer %p\n", source);
 
                 IVTVFB_DEBUG_WARN("access_ok() failed for offset 0x%08lx source %p count %d\n",
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index fe4577a46869..73dac1d8d4f6 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -158,7 +158,7 @@ static int get_v4l2_window32(struct v4l2_window __user *p64,
         compat_caddr_t p;
         u32 clipcount;
 
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             copy_in_user(&p64->w, &p32->w, sizeof(p32->w)) ||
             assign_in_user(&p64->field, &p32->field) ||
             assign_in_user(&p64->chromakey, &p32->chromakey) ||
@@ -283,7 +283,7 @@ static int __bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size)
 
 static int bufsize_v4l2_format(struct v4l2_format32 __user *p32, u32 *size)
 {
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+        if (!access_ok(p32, sizeof(*p32)))
                 return -EFAULT;
         return __bufsize_v4l2_format(p32, size);
 }
@@ -335,7 +335,7 @@ static int get_v4l2_format32(struct v4l2_format __user *p64,
                              struct v4l2_format32 __user *p32,
                              void __user *aux_buf, u32 aux_space)
 {
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+        if (!access_ok(p32, sizeof(*p32)))
                 return -EFAULT;
         return __get_v4l2_format32(p64, p32, aux_buf, aux_space);
 }
@@ -343,7 +343,7 @@ static int get_v4l2_format32(struct v4l2_format __user *p64,
 static int bufsize_v4l2_create(struct v4l2_create_buffers32 __user *p32,
                                u32 *size)
 {
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)))
+        if (!access_ok(p32, sizeof(*p32)))
                 return -EFAULT;
         return __bufsize_v4l2_format(&p32->format, size);
 }
@@ -352,7 +352,7 @@ static int get_v4l2_create32(struct v4l2_create_buffers __user *p64,
                              struct v4l2_create_buffers32 __user *p32,
                              void __user *aux_buf, u32 aux_space)
 {
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             copy_in_user(p64, p32,
                          offsetof(struct v4l2_create_buffers32, format)))
                 return -EFAULT;
@@ -404,7 +404,7 @@ static int __put_v4l2_format32(struct v4l2_format __user *p64,
 static int put_v4l2_format32(struct v4l2_format __user *p64,
                              struct v4l2_format32 __user *p32)
 {
-        if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)))
+        if (!access_ok(p32, sizeof(*p32)))
                 return -EFAULT;
         return __put_v4l2_format32(p64, p32);
 }
@@ -412,7 +412,7 @@ static int put_v4l2_format32(struct v4l2_format __user *p64,
 static int put_v4l2_create32(struct v4l2_create_buffers __user *p64,
                              struct v4l2_create_buffers32 __user *p32)
 {
-        if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             copy_in_user(p32, p64,
                          offsetof(struct v4l2_create_buffers32, format)) ||
             assign_in_user(&p32->capabilities, &p64->capabilities) ||
@@ -434,7 +434,7 @@ static int get_v4l2_standard32(struct v4l2_standard __user *p64,
                                struct v4l2_standard32 __user *p32)
 {
         /* other fields are not set by the user, nor used by the driver */
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p64->index, &p32->index))
                 return -EFAULT;
         return 0;
@@ -443,7 +443,7 @@ static int get_v4l2_standard32(struct v4l2_standard __user *p64,
 static int put_v4l2_standard32(struct v4l2_standard __user *p64,
                                struct v4l2_standard32 __user *p32)
 {
-        if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p32->index, &p64->index) ||
             assign_in_user(&p32->id, &p64->id) ||
             copy_in_user(p32->name, p64->name, sizeof(p32->name)) ||
@@ -560,7 +560,7 @@ static int bufsize_v4l2_buffer(struct v4l2_buffer32 __user *p32, u32 *size)
         u32 type;
         u32 length;
 
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             get_user(type, &p32->type) ||
             get_user(length, &p32->length))
                 return -EFAULT;
@@ -593,7 +593,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user *p64,
         compat_caddr_t p;
         int ret;
 
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p64->index, &p32->index) ||
             get_user(type, &p32->type) ||
             put_user(type, &p64->type) ||
@@ -632,7 +632,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user *p64,
                         return -EFAULT;
 
                 uplane32 = compat_ptr(p);
-                if (!access_ok(VERIFY_READ, uplane32,
+                if (!access_ok(uplane32,
                                num_planes * sizeof(*uplane32)))
                         return -EFAULT;
 
@@ -691,7 +691,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user *p64,
         compat_caddr_t p;
         int ret;
 
-        if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p32->index, &p64->index) ||
             get_user(type, &p64->type) ||
             put_user(type, &p32->type) ||
@@ -781,7 +781,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer __user *p64,
 {
         compat_caddr_t tmp;
 
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             get_user(tmp, &p32->base) ||
             put_user_force(compat_ptr(tmp), &p64->base) ||
             assign_in_user(&p64->capability, &p32->capability) ||
@@ -796,7 +796,7 @@ static int put_v4l2_framebuffer32(struct v4l2_framebuffer __user *p64,
 {
         void *base;
 
-        if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             get_user(base, &p64->base) ||
             put_user(ptr_to_compat((void __user *)base), &p32->base) ||
             assign_in_user(&p32->capability, &p64->capability) ||
@@ -893,7 +893,7 @@ static int bufsize_v4l2_ext_controls(struct v4l2_ext_controls32 __user *p32,
 {
         u32 count;
 
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             get_user(count, &p32->count))
                 return -EFAULT;
         if (count > V4L2_CID_MAX_CTRLS)
@@ -913,7 +913,7 @@ static int get_v4l2_ext_controls32(struct file *file,
         u32 n;
         compat_caddr_t p;
 
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p64->which, &p32->which) ||
             get_user(count, &p32->count) ||
             put_user(count, &p64->count) ||
@@ -929,7 +929,7 @@ static int get_v4l2_ext_controls32(struct file *file,
         if (get_user(p, &p32->controls))
                 return -EFAULT;
         ucontrols = compat_ptr(p);
-        if (!access_ok(VERIFY_READ, ucontrols, count * sizeof(*ucontrols)))
+        if (!access_ok(ucontrols, count * sizeof(*ucontrols)))
                 return -EFAULT;
         if (aux_space < count * sizeof(*kcontrols))
                 return -EFAULT;
@@ -979,7 +979,7 @@ static int put_v4l2_ext_controls32(struct file *file,
          * with __user causes smatch warnings, so instead declare it
          * without __user and cast it as a userspace pointer where needed.
          */
-        if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p32->which, &p64->which) ||
             get_user(count, &p64->count) ||
             put_user(count, &p32->count) ||
@@ -994,7 +994,7 @@ static int put_v4l2_ext_controls32(struct file *file,
         if (get_user(p, &p32->controls))
                 return -EFAULT;
         ucontrols = compat_ptr(p);
-        if (!access_ok(VERIFY_WRITE, ucontrols, count * sizeof(*ucontrols)))
+        if (!access_ok(ucontrols, count * sizeof(*ucontrols)))
                 return -EFAULT;
 
         for (n = 0; n < count; n++) {
@@ -1043,7 +1043,7 @@ struct v4l2_event32 {
 static int put_v4l2_event32(struct v4l2_event __user *p64,
                             struct v4l2_event32 __user *p32)
 {
-        if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p32->type, &p64->type) ||
             copy_in_user(&p32->u, &p64->u, sizeof(p64->u)) ||
             assign_in_user(&p32->pending, &p64->pending) ||
@@ -1069,7 +1069,7 @@ static int get_v4l2_edid32(struct v4l2_edid __user *p64,
 {
         compat_uptr_t tmp;
 
-        if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p64->pad, &p32->pad) ||
             assign_in_user(&p64->start_block, &p32->start_block) ||
             assign_in_user_cast(&p64->blocks, &p32->blocks) ||
@@ -1085,7 +1085,7 @@ static int put_v4l2_edid32(struct v4l2_edid __user *p64,
 {
         void *edid;
 
-        if (!access_ok(VERIFY_WRITE, p32, sizeof(*p32)) ||
+        if (!access_ok(p32, sizeof(*p32)) ||
             assign_in_user(&p32->pad, &p64->pad) ||
             assign_in_user(&p32->start_block, &p64->start_block) ||
             assign_in_user(&p32->blocks, &p64->blocks) ||
diff --git a/drivers/misc/vmw_vmci/vmci_host.c b/drivers/misc/vmw_vmci/vmci_host.c
index 5da1f3e3f997..997f92543dd4 100644
--- a/drivers/misc/vmw_vmci/vmci_host.c
+++ b/drivers/misc/vmw_vmci/vmci_host.c
@@ -236,7 +236,7 @@ static int vmci_host_setup_notify(struct vmci_ctx *context,
          * about the size.
          */
         BUILD_BUG_ON(sizeof(bool) != sizeof(u8));
-        if (!access_ok(VERIFY_WRITE, (void __user *)uva, sizeof(u8)))
+        if (!access_ok((void __user *)uva, sizeof(u8)))
                 return VMCI_ERROR_GENERIC;
 
         /*
diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c
index aa4a1f5206f1..361fbde76654 100644
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -303,11 +303,10 @@ static int bcm_sf2_sw_mdio_write(struct mii_bus *bus, int addr, int regnum,
          * send them to our master MDIO bus controller
          */
         if (addr == BRCM_PSEUDO_PHY_ADDR && priv->indir_phy_mask & BIT(addr))
-                bcm_sf2_sw_indir_rw(priv, 0, addr, regnum, val);
+                return bcm_sf2_sw_indir_rw(priv, 0, addr, regnum, val);
         else
-                mdiobus_write_nested(priv->master_mii_bus, addr, regnum, val);
-
-        return 0;
+                return mdiobus_write_nested(priv->master_mii_bus, addr,
+                                regnum, val);
 }
 
 static irqreturn_t bcm_sf2_switch_0_isr(int irq, void *dev_id)
diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
index 9dc6da039a6d..3164aad29bcf 100644
--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
@@ -473,7 +473,9 @@ static void atl1e_mdio_write(struct net_device *netdev, int phy_id,
 {
         struct atl1e_adapter *adapter = netdev_priv(netdev);
 
-        atl1e_write_phy_reg(&adapter->hw, reg_num & MDIO_REG_ADDR_MASK, val);
+        if (atl1e_write_phy_reg(&adapter->hw,
+                                reg_num & MDIO_REG_ADDR_MASK, val))
+                netdev_err(netdev, "write phy register failed\n");
 }
 
 static int atl1e_mii_ioctl(struct net_device *netdev,
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c b/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c
index 7c49681407ad..127b1f624413 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c
@@ -1229,6 +1229,10 @@ int cudbg_collect_hw_sched(struct cudbg_init *pdbg_init,
 
         rc = cudbg_get_buff(pdbg_init, dbg_buff, sizeof(struct cudbg_hw_sched),
                             &temp_buff);
+
+        if (rc)
+                return rc;
+
         hw_sched_buff = (struct cudbg_hw_sched *)temp_buff.data;
         hw_sched_buff->map = t4_read_reg(padap, TP_TX_MOD_QUEUE_REQ_MAP_A);
         hw_sched_buff->mode = TIMERMODE_G(t4_read_reg(padap, TP_MOD_CONFIG_A));
diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c
index bc6eb30aa20f..41c6fa200e74 100644
--- a/drivers/net/ethernet/freescale/fman/fman_memac.c
+++ b/drivers/net/ethernet/freescale/fman/fman_memac.c
@@ -928,7 +928,7 @@ int memac_add_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr)
         hash = get_mac_addr_hash_code(addr) & HASH_CTRL_ADDR_MASK;
 
         /* Create element to be added to the driver hash table */
-        hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
+        hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
         if (!hash_entry)
                 return -ENOMEM;
         hash_entry->addr = addr;
diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c
index 40705938eecc..f75b9c11b2d2 100644
--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c
+++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c
@@ -553,7 +553,7 @@ int tgec_add_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr)
         hash = (crc >> TGEC_HASH_MCAST_SHIFT) & TGEC_HASH_ADR_MSK;
 
         /* Create element to be added to the driver hash table */
-        hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL);
+        hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC);
         if (!hash_entry)
                 return -ENOMEM;
         hash_entry->addr = addr;
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index d3b9aaf96c1c..07cd58798083 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -3995,17 +3995,18 @@ static int hns3_reset_notify_up_enet(struct hnae3_handle *handle)
         struct hns3_nic_priv *priv = netdev_priv(kinfo->netdev);
         int ret = 0;
 
+        clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
+
         if (netif_running(kinfo->netdev)) {
-                ret = hns3_nic_net_up(kinfo->netdev);
+                ret = hns3_nic_net_open(kinfo->netdev);
                 if (ret) {
+                        set_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
                         netdev_err(kinfo->netdev,
                                    "hns net up fail, ret=%d!\n", ret);
                         return ret;
                 }
         }
 
-        clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
-
         return ret;
 }
 
diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c
index 6d48dc62a44b..da323b9e1f62 100644
--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c
+++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c
@@ -1106,6 +1106,11 @@ static void hinic_remove(struct pci_dev *pdev)
         dev_info(&pdev->dev, "HiNIC driver - removed\n");
 }
 
+static void hinic_shutdown(struct pci_dev *pdev)
+{
+        pci_disable_device(pdev);
+}
+
 static const struct pci_device_id hinic_pci_table[] = {
         { PCI_VDEVICE(HUAWEI, HINIC_DEV_ID_QUAD_PORT_25GE), 0},
         { PCI_VDEVICE(HUAWEI, HINIC_DEV_ID_DUAL_PORT_25GE), 0},
@@ -1119,6 +1124,7 @@ static struct pci_driver hinic_driver = {
         .id_table       = hinic_pci_table,
         .probe          = hinic_probe,
         .remove         = hinic_remove,
+        .shutdown       = hinic_shutdown,
 };
 
 module_pci_driver(hinic_driver);
diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
index a4681780a55d..098d8764c0ea 100644
--- a/drivers/net/ethernet/ibm/ibmveth.c
+++ b/drivers/net/ethernet/ibm/ibmveth.c
@@ -1171,11 +1171,15 @@ out:
 
 map_failed_frags:
         last = i+1;
-        for (i = 0; i < last; i++)
+        for (i = 1; i < last; i++)
                 dma_unmap_page(&adapter->vdev->dev, descs[i].fields.address,
                                descs[i].fields.flags_len & IBMVETH_BUF_LEN_MASK,
                                DMA_TO_DEVICE);
 
+        dma_unmap_single(&adapter->vdev->dev,
+                         descs[0].fields.address,
+                         descs[0].fields.flags_len & IBMVETH_BUF_LEN_MASK,
+                         DMA_TO_DEVICE);
 map_failed:
         if (!firmware_has_feature(FW_FEATURE_CMO))
                 netdev_err(netdev, "tx: unable to map xmit buffer\n");
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 6a059d6ee03f..e0875476a780 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -5240,6 +5240,8 @@ static int mvpp2_probe(struct platform_device *pdev)
         if (has_acpi_companion(&pdev->dev)) {
                 acpi_id = acpi_match_device(pdev->dev.driver->acpi_match_table,
                                             &pdev->dev);
+                if (!acpi_id)
+                        return -EINVAL;
                 priv->hw_version = (unsigned long)acpi_id->driver_data;
         } else {
                 priv->hw_version =
diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
index 99bc3de906e2..298930d39b79 100644
--- a/drivers/net/ethernet/realtek/r8169.c
+++ b/drivers/net/ethernet/realtek/r8169.c
@@ -1477,6 +1477,8 @@ static void __rtl8169_set_wol(struct rtl8169_private *tp, u32 wolopts)
         }
 
         RTL_W8(tp, Cfg9346, Cfg9346_Lock);
+
+        device_set_wakeup_enable(tp_to_dev(tp), wolopts);
 }
 
 static int rtl8169_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
@@ -1498,8 +1500,6 @@ static int rtl8169_set_wol(struct net_device *dev, struct ethtool_wolinfo *wol)
 
         rtl_unlock_work(tp);
 
-        device_set_wakeup_enable(d, tp->saved_wolopts);
-
         pm_runtime_put_noidle(d);
 
         return 0;
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
index d07520fb969e..62ccbd47c1db 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
@@ -59,7 +59,9 @@ static int sun7i_gmac_init(struct platform_device *pdev, void *priv)
                 gmac->clk_enabled = 1;
         } else {
                 clk_set_rate(gmac->tx_clk, SUN7I_GMAC_MII_RATE);
-                clk_prepare(gmac->tx_clk);
+                ret = clk_prepare(gmac->tx_clk);
+                if (ret)
+                        return ret;
         }
 
         return 0;
diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
index 9319d84bf49f..d84501441edd 100644
--- a/drivers/net/ethernet/sun/niu.c
+++ b/drivers/net/ethernet/sun/niu.c
@@ -8100,6 +8100,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
                 start += 3;
 
                 prop_len = niu_pci_eeprom_read(np, start + 4);
+                if (prop_len < 0)
+                        return prop_len;
                 err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64);
                 if (err < 0)
                         return err;
@@ -8144,8 +8146,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end)
                         netif_printk(np, probe, KERN_DEBUG, np->dev,
                                      "VPD_SCAN: Reading in property [%s] len[%d]\n",
                                      namebuf, prop_len);
-                        for (i = 0; i < prop_len; i++)
-                                *prop_buf++ = niu_pci_eeprom_read(np, off + i);
+                        for (i = 0; i < prop_len; i++) {
+                                err = niu_pci_eeprom_read(np, off + i);
+                                if (err >= 0)
+                                        *prop_buf = err;
+                                ++prop_buf;
+                        }
                 }
 
                 start += len;
diff --git a/drivers/net/ethernet/ti/cpts.c b/drivers/net/ethernet/ti/cpts.c
index 054f78295d1d..2a9ba4acd7fa 100644
--- a/drivers/net/ethernet/ti/cpts.c
+++ b/drivers/net/ethernet/ti/cpts.c
@@ -590,7 +590,9 @@ struct cpts *cpts_create(struct device *dev, void __iomem *regs,
                 return ERR_CAST(cpts->refclk);
         }
 
-        clk_prepare(cpts->refclk);
+        ret = clk_prepare(cpts->refclk);
+        if (ret)
+                return ERR_PTR(ret);
 
         cpts->cc.read = cpts_systim_read;
         cpts->cc.mask = CLOCKSOURCE_MASK(32);
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 28c749980359..a19868cba48c 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -523,10 +523,7 @@ static void resync_tnc(struct timer_list *t)
 
 
         /* Start resync timer again -- the TNC might be still absent */
-
-        del_timer(&sp->resync_t);
-        sp->resync_t.expires    = jiffies + SIXP_RESYNC_TIMEOUT;
-        add_timer(&sp->resync_t);
+        mod_timer(&sp->resync_t, jiffies + SIXP_RESYNC_TIMEOUT);
 }
 
 static inline int tnc_init(struct sixpack *sp)
@@ -537,9 +534,7 @@ static inline int tnc_init(struct sixpack *sp)
 
         sp->tty->ops->write(sp->tty, &inbyte, 1);
 
-        del_timer(&sp->resync_t);
-        sp->resync_t.expires = jiffies + SIXP_RESYNC_TIMEOUT;
-        add_timer(&sp->resync_t);
+        mod_timer(&sp->resync_t, jiffies + SIXP_RESYNC_TIMEOUT);
 
         return 0;
 }
@@ -897,11 +892,8 @@ static void decode_prio_command(struct sixpack *sp, unsigned char cmd)
         /* if the state byte has been received, the TNC is present,
            so the resync timer can be reset. */
 
-        if (sp->tnc_state == TNC_IN_SYNC) {
-                del_timer(&sp->resync_t);
-                sp->resync_t.expires    = jiffies + SIXP_INIT_RESYNC_TIMEOUT;
-                add_timer(&sp->resync_t);
-        }
+        if (sp->tnc_state == TNC_IN_SYNC)
+                mod_timer(&sp->resync_t, jiffies + SIXP_INIT_RESYNC_TIMEOUT);
 
         sp->status1 = cmd & SIXP_PRIO_DATA_MASK;
 }
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index 443b2694130c..c0b52e48f0e6 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1177,8 +1177,6 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
                         goto err_kfree;
         }
 
-        skb_probe_transport_header(skb, ETH_HLEN);
-
         /* Move network header to the right position for VLAN tagged packets */
         if ((skb->protocol == htons(ETH_P_8021Q) ||
              skb->protocol == htons(ETH_P_8021AD)) &&
@@ -1189,6 +1187,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
         tap = rcu_dereference(q->tap);
         if (tap) {
                 skb->dev = tap->dev;
+                skb_probe_transport_header(skb, ETH_HLEN);
                 dev_queue_xmit(skb);
         } else {
                 kfree_skb(skb);
diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c
index 7a42336c8af8..839fa7715709 100644
--- a/drivers/net/wan/fsl_ucc_hdlc.c
+++ b/drivers/net/wan/fsl_ucc_hdlc.c
@@ -1180,7 +1180,6 @@ static int ucc_hdlc_probe(struct platform_device *pdev)
         if (register_hdlc_device(dev)) {
                 ret = -ENOBUFS;
                 pr_err("ucc_hdlc: unable to register hdlc device\n");
-                free_netdev(dev);
                 goto free_dev;
         }
 
diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c
index 1098263ab862..46c3d983b7b7 100644
--- a/drivers/net/wan/x25_asy.c
+++ b/drivers/net/wan/x25_asy.c
@@ -485,8 +485,10 @@ static int x25_asy_open(struct net_device *dev)
 
         /* Cleanup */
         kfree(sl->xbuff);
+        sl->xbuff = NULL;
 noxbuff:
         kfree(sl->rbuff);
+        sl->rbuff = NULL;
 norbuff:
         return -ENOMEM;
 }
diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
index 7ac035af39f0..6fa1627ce08d 100644
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -52,7 +52,7 @@ static ssize_t proc_bus_pci_read(struct file *file, char __user *buf,
                 nbytes = size - pos;
         cnt = nbytes;
 
-        if (!access_ok(VERIFY_WRITE, buf, cnt))
+        if (!access_ok(buf, cnt))
                 return -EINVAL;
 
         pci_config_pm_runtime_get(dev);
@@ -125,7 +125,7 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
                 nbytes = size - pos;
         cnt = nbytes;
 
-        if (!access_ok(VERIFY_READ, buf, cnt))
+        if (!access_ok(buf, cnt))
                 return -EINVAL;
 
         pci_config_pm_runtime_get(dev);
diff --git a/drivers/platform/goldfish/goldfish_pipe.c b/drivers/platform/goldfish/goldfish_pipe.c
index 7c639006252e..321bc673c417 100644
--- a/drivers/platform/goldfish/goldfish_pipe.c
+++ b/drivers/platform/goldfish/goldfish_pipe.c
@@ -416,8 +416,7 @@ static ssize_t goldfish_pipe_read_write(struct file *filp,
         if (unlikely(bufflen == 0))
                 return 0;
         /* Check the buffer range for access */
-        if (unlikely(!access_ok(is_write ? VERIFY_WRITE : VERIFY_READ,
-                                buffer, bufflen)))
+        if (unlikely(!access_ok(buffer, bufflen)))
                 return -EFAULT;
 
         address = (unsigned long)buffer;
diff --git a/drivers/pnp/isapnp/proc.c b/drivers/pnp/isapnp/proc.c
index 262285e48a09..051613140812 100644
--- a/drivers/pnp/isapnp/proc.c
+++ b/drivers/pnp/isapnp/proc.c
@@ -47,7 +47,7 @@ static ssize_t isapnp_proc_bus_read(struct file *file, char __user * buf,
                 nbytes = size - pos;
         cnt = nbytes;
 
-        if (!access_ok(VERIFY_WRITE, buf, cnt))
+        if (!access_ok(buf, cnt))
                 return -EINVAL;
 
         isapnp_cfg_begin(dev->card->number, dev->number);
diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
index 7c4673308f5b..e338d7a4f571 100644
--- a/drivers/scsi/pmcraid.c
+++ b/drivers/scsi/pmcraid.c
@@ -3600,7 +3600,7 @@ static long pmcraid_ioctl_passthrough(
         u32 ioasc;
         int request_size;
         int buffer_size;
-        u8 access, direction;
+        u8 direction;
         int rc = 0;
 
         /* If IOA reset is in progress, wait 10 secs for reset to complete */
@@ -3649,10 +3649,8 @@ static long pmcraid_ioctl_passthrough(
         request_size = le32_to_cpu(buffer->ioarcb.data_transfer_length);
 
         if (buffer->ioarcb.request_flags0 & TRANSFER_DIR_WRITE) {
-                access = VERIFY_READ;
                 direction = DMA_TO_DEVICE;
         } else {
-                access = VERIFY_WRITE;
                 direction = DMA_FROM_DEVICE;
         }
 
diff --git a/drivers/scsi/scsi_ioctl.c b/drivers/scsi/scsi_ioctl.c
index cc30fccc1a2e..840d96fe81bc 100644
--- a/drivers/scsi/scsi_ioctl.c
+++ b/drivers/scsi/scsi_ioctl.c
@@ -221,7 +221,7 @@ int scsi_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
 
         switch (cmd) {
         case SCSI_IOCTL_GET_IDLUN:
-                if (!access_ok(VERIFY_WRITE, arg, sizeof(struct scsi_idlun)))
+                if (!access_ok(arg, sizeof(struct scsi_idlun)))
                         return -EFAULT;
 
                 __put_user((sdev->id & 0xff)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 4e27460ec926..d3f15319b9b3 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -434,7 +434,7 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
         SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
                                       "sg_read: count=%d\n", (int) count));
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
         if (sfp->force_packid && (count >= SZ_SG_HEADER)) {
                 old_hdr = kmalloc(SZ_SG_HEADER, GFP_KERNEL);
@@ -632,7 +632,7 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
               scsi_block_when_processing_errors(sdp->device)))
                 return -ENXIO;
 
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT; /* protects following copy_from_user()s + get_user()s */
         if (count < SZ_SG_HEADER)
                 return -EIO;
@@ -729,7 +729,7 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
 
         if (count < SZ_SG_IO_HDR)
                 return -EINVAL;
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT; /* protects following copy_from_user()s + get_user()s */
 
         sfp->cmd_q = 1; /* when sg_io_hdr seen, set command queuing on */
@@ -768,7 +768,7 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
                 sg_remove_request(sfp, srp);
                 return -EMSGSIZE;
         }
-        if (!access_ok(VERIFY_READ, hp->cmdp, hp->cmd_len)) {
+        if (!access_ok(hp->cmdp, hp->cmd_len)) {
                 sg_remove_request(sfp, srp);
                 return -EFAULT; /* protects following copy_from_user()s + get_user()s */
         }
@@ -922,7 +922,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                         return -ENODEV;
                 if (!scsi_block_when_processing_errors(sdp->device))
                         return -ENXIO;
-                if (!access_ok(VERIFY_WRITE, p, SZ_SG_IO_HDR))
+                if (!access_ok(p, SZ_SG_IO_HDR))
                         return -EFAULT;
                 result = sg_new_write(sfp, filp, p, SZ_SG_IO_HDR,
                                  1, read_only, 1, &srp);
@@ -968,7 +968,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
         case SG_GET_LOW_DMA:
                 return put_user((int) sdp->device->host->unchecked_isa_dma, ip);
         case SG_GET_SCSI_ID:
-                if (!access_ok(VERIFY_WRITE, p, sizeof (sg_scsi_id_t)))
+                if (!access_ok(p, sizeof (sg_scsi_id_t)))
                         return -EFAULT;
                 else {
                         sg_scsi_id_t __user *sg_idp = p;
@@ -997,7 +997,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                 sfp->force_packid = val ? 1 : 0;
                 return 0;
         case SG_GET_PACK_ID:
-                if (!access_ok(VERIFY_WRITE, ip, sizeof (int)))
+                if (!access_ok(ip, sizeof (int)))
                         return -EFAULT;
                 read_lock_irqsave(&sfp->rq_list_lock, iflags);
                 list_for_each_entry(srp, &sfp->rq_list, entry) {
@@ -1078,7 +1078,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                 val = (sdp->device ? 1 : 0);
                 return put_user(val, ip);
         case SG_GET_REQUEST_TABLE:
-                if (!access_ok(VERIFY_WRITE, p, SZ_SG_REQ_INFO * SG_MAX_QUEUE))
+                if (!access_ok(p, SZ_SG_REQ_INFO * SG_MAX_QUEUE))
                         return -EFAULT;
                 else {
                         sg_req_info_t *rinfo;
diff --git a/drivers/staging/comedi/comedi_compat32.c b/drivers/staging/comedi/comedi_compat32.c
index fa9d239474ee..36a3564ba1fb 100644
--- a/drivers/staging/comedi/comedi_compat32.c
+++ b/drivers/staging/comedi/comedi_compat32.c
@@ -102,8 +102,8 @@ static int compat_chaninfo(struct file *file, unsigned long arg)
         chaninfo = compat_alloc_user_space(sizeof(*chaninfo));
 
         /* Copy chaninfo structure.  Ignore unused members. */
-        if (!access_ok(VERIFY_READ, chaninfo32, sizeof(*chaninfo32)) ||
-            !access_ok(VERIFY_WRITE, chaninfo, sizeof(*chaninfo)))
+        if (!access_ok(chaninfo32, sizeof(*chaninfo32)) ||
+            !access_ok(chaninfo, sizeof(*chaninfo)))
                 return -EFAULT;
 
         err = 0;
@@ -136,8 +136,8 @@ static int compat_rangeinfo(struct file *file, unsigned long arg)
         rangeinfo = compat_alloc_user_space(sizeof(*rangeinfo));
 
         /* Copy rangeinfo structure. */
-        if (!access_ok(VERIFY_READ, rangeinfo32, sizeof(*rangeinfo32)) ||
-            !access_ok(VERIFY_WRITE, rangeinfo, sizeof(*rangeinfo)))
+        if (!access_ok(rangeinfo32, sizeof(*rangeinfo32)) ||
+            !access_ok(rangeinfo, sizeof(*rangeinfo)))
                 return -EFAULT;
 
         err = 0;
@@ -163,8 +163,8 @@ static int get_compat_cmd(struct comedi_cmd __user *cmd,
         } temp;
 
         /* Copy cmd structure. */
-        if (!access_ok(VERIFY_READ, cmd32, sizeof(*cmd32)) ||
-            !access_ok(VERIFY_WRITE, cmd, sizeof(*cmd)))
+        if (!access_ok(cmd32, sizeof(*cmd32)) ||
+            !access_ok(cmd, sizeof(*cmd)))
                 return -EFAULT;
 
         err = 0;
@@ -217,8 +217,8 @@ static int put_compat_cmd(struct comedi32_cmd_struct __user *cmd32,
          * Assume the pointer values are already valid.
          * (Could use ptr_to_compat() to set them.)
          */
-        if (!access_ok(VERIFY_READ, cmd, sizeof(*cmd)) ||
-            !access_ok(VERIFY_WRITE, cmd32, sizeof(*cmd32)))
+        if (!access_ok(cmd, sizeof(*cmd)) ||
+            !access_ok(cmd32, sizeof(*cmd32)))
                 return -EFAULT;
 
         err = 0;
@@ -317,8 +317,8 @@ static int get_compat_insn(struct comedi_insn __user *insn,
 
         /* Copy insn structure.  Ignore the unused members. */
         err = 0;
-        if (!access_ok(VERIFY_READ, insn32, sizeof(*insn32)) ||
-            !access_ok(VERIFY_WRITE, insn, sizeof(*insn)))
+        if (!access_ok(insn32, sizeof(*insn32)) ||
+            !access_ok(insn, sizeof(*insn)))
                 return -EFAULT;
 
         err |= __get_user(temp.uint, &insn32->insn);
@@ -350,7 +350,7 @@ static int compat_insnlist(struct file *file, unsigned long arg)
         insnlist32 = compat_ptr(arg);
 
         /* Get 32-bit insnlist structure.  */
-        if (!access_ok(VERIFY_READ, insnlist32, sizeof(*insnlist32)))
+        if (!access_ok(insnlist32, sizeof(*insnlist32)))
                 return -EFAULT;
 
         err = 0;
@@ -365,7 +365,7 @@ static int compat_insnlist(struct file *file, unsigned long arg)
                                              insn[n_insns]));
 
         /* Set native insnlist structure. */
-        if (!access_ok(VERIFY_WRITE, &s->insnlist, sizeof(s->insnlist)))
+        if (!access_ok(&s->insnlist, sizeof(s->insnlist)))
                 return -EFAULT;
 
         err |= __put_user(n_insns, &s->insnlist.n_insns);
diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
index 99460af61b77..4164414d4c64 100644
--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -573,7 +573,7 @@ static ssize_t n_hdlc_tty_read(struct tty_struct *tty, struct file *file,
                 return -EIO;
 
         /* verify user access to buffer */
-        if (!access_ok(VERIFY_WRITE, buf, nr)) {
+        if (!access_ok(buf, nr)) {
                 printk(KERN_WARNING "%s(%d) n_hdlc_tty_read() can't verify user "
                 "buffer\n", __FILE__, __LINE__);
                 return -EFAULT;
diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
index 3de3c750b5f6..44f28a114c2b 100644
--- a/drivers/usb/core/devices.c
+++ b/drivers/usb/core/devices.c
@@ -598,7 +598,7 @@ static ssize_t usb_device_read(struct file *file, char __user *buf,
                 return -EINVAL;
         if (nbytes <= 0)
                 return 0;
-        if (!access_ok(VERIFY_WRITE, buf, nbytes))
+        if (!access_ok(buf, nbytes))
                 return -EFAULT;
 
         mutex_lock(&usb_bus_idr_lock);
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index a75bc0b8a50f..d65566341dd1 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1094,7 +1094,7 @@ static int proc_control(struct usb_dev_state *ps, void __user *arg)
                 ctrl.bRequestType, ctrl.bRequest, ctrl.wValue,
                 ctrl.wIndex, ctrl.wLength);
         if (ctrl.bRequestType & 0x80) {
-                if (ctrl.wLength && !access_ok(VERIFY_WRITE, ctrl.data,
+                if (ctrl.wLength && !access_ok(ctrl.data,
                                                ctrl.wLength)) {
                         ret = -EINVAL;
                         goto done;
@@ -1183,7 +1183,7 @@ static int proc_bulk(struct usb_dev_state *ps, void __user *arg)
         }
         tmo = bulk.timeout;
         if (bulk.ep & 0x80) {
-                if (len1 && !access_ok(VERIFY_WRITE, bulk.data, len1)) {
+                if (len1 && !access_ok(bulk.data, len1)) {
                         ret = -EINVAL;
                         goto done;
                 }
@@ -1584,8 +1584,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
         }
 
         if (uurb->buffer_length > 0 &&
-                        !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ,
-                                uurb->buffer, uurb->buffer_length)) {
+                        !access_ok(uurb->buffer, uurb->buffer_length)) {
                 ret = -EFAULT;
                 goto error;
         }
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 54e859dcb25c..75b113a5b25c 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -252,7 +252,7 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
         if (!count)
                 return 0;
 
-        if (!access_ok(VERIFY_WRITE, buffer, count))
+        if (!access_ok(buffer, count))
                 return -EFAULT;
 
         spin_lock_irqsave(&hidg->read_spinlock, flags);
@@ -339,7 +339,7 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
         unsigned long flags;
         ssize_t status = -ENOMEM;
 
-        if (!access_ok(VERIFY_READ, buffer, count))
+        if (!access_ok(buffer, count))
                 return -EFAULT;
 
         spin_lock_irqsave(&hidg->write_spinlock, flags);
diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
index 11247322d587..660712e0bf98 100644
--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
+++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
@@ -88,7 +88,7 @@ static ssize_t queue_dbg_read(struct file *file, char __user *buf,
         size_t len, remaining, actual = 0;
         char tmpbuf[38];
 
-        if (!access_ok(VERIFY_WRITE, buf, nbytes))
+        if (!access_ok(buf, nbytes))
                 return -EFAULT;
 
         inode_lock(file_inode(file));
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 55e5aa662ad5..9f7942cbcbb2 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -655,7 +655,7 @@ static bool log_access_ok(void __user *log_base, u64 addr, unsigned long sz)
             a + (unsigned long)log_base > ULONG_MAX)
                 return false;
 
-        return access_ok(VERIFY_WRITE, log_base + a,
+        return access_ok(log_base + a,
                          (sz + VHOST_PAGE_SIZE * 8 - 1) / VHOST_PAGE_SIZE / 8);
 }
 
@@ -681,7 +681,7 @@ static bool vq_memory_access_ok(void __user *log_base, struct vhost_umem *umem,
                         return false;
 
 
-                if (!access_ok(VERIFY_WRITE, (void __user *)a,
+                if (!access_ok((void __user *)a,
                                     node->size))
                         return false;
                 else if (log_all && !log_access_ok(log_base,
@@ -973,10 +973,10 @@ static bool umem_access_ok(u64 uaddr, u64 size, int access)
                 return false;
 
         if ((access & VHOST_ACCESS_RO) &&
-            !access_ok(VERIFY_READ, (void __user *)a, size))
+            !access_ok((void __user *)a, size))
                 return false;
         if ((access & VHOST_ACCESS_WO) &&
-            !access_ok(VERIFY_WRITE, (void __user *)a, size))
+            !access_ok((void __user *)a, size))
                 return false;
         return true;
 }
@@ -1185,10 +1185,10 @@ static bool vq_access_ok(struct vhost_virtqueue *vq, unsigned int num,
 {
         size_t s = vhost_has_feature(vq, VIRTIO_RING_F_EVENT_IDX) ? 2 : 0;
 
-        return access_ok(VERIFY_READ, desc, num * sizeof *desc) &&
-               access_ok(VERIFY_READ, avail,
+        return access_ok(desc, num * sizeof *desc) &&
+               access_ok(avail,
                          sizeof *avail + num * sizeof *avail->ring + s) &&
-               access_ok(VERIFY_WRITE, used,
+               access_ok(used,
                         sizeof *used + num * sizeof *used->ring + s);
 }
 
@@ -1814,7 +1814,7 @@ int vhost_vq_init_access(struct vhost_virtqueue *vq)
                 goto err;
         vq->signalled_used_valid = false;
         if (!vq->iotlb &&
-            !access_ok(VERIFY_READ, &vq->used->idx, sizeof vq->used->idx)) {
+            !access_ok(&vq->used->idx, sizeof vq->used->idx)) {
                 r = -EFAULT;
                 goto err;
         }
diff --git a/drivers/video/fbdev/amifb.c b/drivers/video/fbdev/amifb.c
index 0777aff211e5..758457026694 100644
--- a/drivers/video/fbdev/amifb.c
+++ b/drivers/video/fbdev/amifb.c
@@ -1855,7 +1855,7 @@ static int ami_get_var_cursorinfo(struct fb_var_cursorinfo *var,
         var->yspot = par->crsr.spot_y;
         if (size > var->height * var->width)
                 return -ENAMETOOLONG;
-        if (!access_ok(VERIFY_WRITE, data, size))
+        if (!access_ok(data, size))
                 return -EFAULT;
         delta = 1 << par->crsr.fmode;
         lspr = lofsprite + (delta << 1);
@@ -1935,7 +1935,7 @@ static int ami_set_var_cursorinfo(struct fb_var_cursorinfo *var,
                 return -EINVAL;
         if (!var->height)
                 return -EINVAL;
-        if (!access_ok(VERIFY_READ, data, var->width * var->height))
+        if (!access_ok(data, var->width * var->height))
                 return -EFAULT;
         delta = 1 << fmode;
         lofsprite = shfsprite = (u_short *)spritememory;
diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
index a3edb20ea4c3..53f93616c671 100644
--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -493,7 +493,7 @@ static int omapfb_memory_read(struct fb_info *fbi,
         if (!display || !display->driver->memory_read)
                 return -ENOENT;
 
-        if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size))
+        if (!access_ok(mr->buffer, mr->buffer_size))
                 return -EFAULT;
 
         if (mr->w > 4096 || mr->h > 4096)
diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
index 7e6e682104dc..b24ddac1604b 100644
--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -459,14 +459,14 @@ static long privcmd_ioctl_mmap_batch(
                         return -EFAULT;
                 /* Returns per-frame error in m.arr. */
                 m.err = NULL;
-                if (!access_ok(VERIFY_WRITE, m.arr, m.num * sizeof(*m.arr)))
+                if (!access_ok(m.arr, m.num * sizeof(*m.arr)))
                         return -EFAULT;
                 break;
         case 2:
                 if (copy_from_user(&m, udata, sizeof(struct privcmd_mmapbatch_v2)))
                         return -EFAULT;
                 /* Returns per-frame error code in m.err. */
-                if (!access_ok(VERIFY_WRITE, m.err, m.num * (sizeof(*m.err))))
+                if (!access_ok(m.err, m.num * (sizeof(*m.err))))
                         return -EFAULT;
                 break;
         default:
@@ -661,7 +661,7 @@ static long privcmd_ioctl_dm_op(struct file *file, void __user *udata)
                         goto out;
                 }
 
-                if (!access_ok(VERIFY_WRITE, kbufs[i].uptr,
+                if (!access_ok(kbufs[i].uptr,
                                kbufs[i].size)) {
                         rc = -EFAULT;
                         goto out;
diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c
index c3deb2e35f20..ca9725f18e00 100644
--- a/fs/binfmt_aout.c
+++ b/fs/binfmt_aout.c
@@ -78,9 +78,9 @@ static int aout_core_dump(struct coredump_params *cprm)
 
 /* make sure we actually have a data and stack area to dump */
         set_fs(USER_DS);
-        if (!access_ok(VERIFY_READ, START_DATA(dump), dump.u_dsize << PAGE_SHIFT))
+        if (!access_ok(START_DATA(dump), dump.u_dsize << PAGE_SHIFT))
                 dump.u_dsize = 0;
-        if (!access_ok(VERIFY_READ, START_STACK(dump), dump.u_ssize << PAGE_SHIFT))
+        if (!access_ok(START_STACK(dump), dump.u_ssize << PAGE_SHIFT))
                 dump.u_ssize = 0;
 
         set_fs(KERNEL_DS);
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 1b15b43905f8..7ea2d6b1f170 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6646,7 +6646,7 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
                 goto out;
         }
 
-        if (!access_ok(VERIFY_READ, arg->clone_sources,
+        if (!access_ok(arg->clone_sources,
                         sizeof(*arg->clone_sources) *
                         arg->clone_sources_count)) {
                 ret = -EFAULT;
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 2329f96469e2..a5d219d920e7 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -2190,7 +2190,7 @@ static int do_epoll_wait(int epfd, struct epoll_event __user *events,
                 return -EINVAL;
 
         /* Verify that the area passed by the user is writeable */
-        if (!access_ok(VERIFY_WRITE, events, maxevents * sizeof(struct epoll_event)))
+        if (!access_ok(events, maxevents * sizeof(struct epoll_event)))
                 return -EFAULT;
 
         /* Get the "struct file *" for the eventpoll file */
diff --git a/fs/fat/dir.c b/fs/fat/dir.c
index 20acaea8a7e6..9d01db37183f 100644
--- a/fs/fat/dir.c
+++ b/fs/fat/dir.c
@@ -805,7 +805,7 @@ static long fat_dir_ioctl(struct file *filp, unsigned int cmd,
                 return fat_generic_ioctl(filp, cmd, arg);
         }
 
-        if (!access_ok(VERIFY_WRITE, d1, sizeof(struct __fat_dirent[2])))
+        if (!access_ok(d1, sizeof(struct __fat_dirent[2])))
                 return -EFAULT;
         /*
          * Yes, we don't need this put_user() absolutely. However old
@@ -845,7 +845,7 @@ static long fat_compat_dir_ioctl(struct file *filp, unsigned cmd,
                 return fat_generic_ioctl(filp, cmd, (unsigned long)arg);
         }
 
-        if (!access_ok(VERIFY_WRITE, d1, sizeof(struct compat_dirent[2])))
+        if (!access_ok(d1, sizeof(struct compat_dirent[2])))
                 return -EFAULT;
         /*
          * Yes, we don't need this put_user() absolutely. However old
diff --git a/fs/ioctl.c b/fs/ioctl.c
index d64f622cac8b..fef3a6bf7c78 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -203,7 +203,7 @@ static int ioctl_fiemap(struct file *filp, unsigned long arg)
         fieinfo.fi_extents_start = ufiemap->fm_extents;
 
         if (fiemap.fm_extent_count != 0 &&
-            !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
+            !access_ok(fieinfo.fi_extents_start,
                        fieinfo.fi_extents_max * sizeof(struct fiemap_extent)))
                 return -EFAULT;
 
diff --git a/fs/locks.c b/fs/locks.c
index f0b24d98f36b..ff6af2c32601 100644
--- a/fs/locks.c
+++ b/fs/locks.c
@@ -453,7 +453,7 @@ static void locks_move_blocks(struct file_lock *new, struct file_lock *fl)
                 return;
         spin_lock(&blocked_lock_lock);
         list_splice_init(&fl->fl_blocked_requests, &new->fl_blocked_requests);
-        list_for_each_entry(f, &fl->fl_blocked_requests, fl_blocked_member)
+        list_for_each_entry(f, &new->fl_blocked_requests, fl_blocked_member)
                 f->fl_blocker = new;
         spin_unlock(&blocked_lock_lock);
 }
diff --git a/fs/namespace.c b/fs/namespace.c
index a7f91265ea67..97b7c7098c3d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2651,7 +2651,7 @@ static long exact_copy_from_user(void *to, const void __user * from,
         const char __user *f = from;
         char c;
 
-        if (!access_ok(VERIFY_READ, from, n))
+        if (!access_ok(from, n))
                 return n;
 
         current->kernel_uaccess_faults_ok++;
diff --git a/fs/ocfs2/dlmfs/dlmfs.c b/fs/ocfs2/dlmfs/dlmfs.c
index b8fa1487cd85..8decbe95dcec 100644
--- a/fs/ocfs2/dlmfs/dlmfs.c
+++ b/fs/ocfs2/dlmfs/dlmfs.c
@@ -254,7 +254,7 @@ static ssize_t dlmfs_file_read(struct file *filp,
         if (!count)
                 return 0;
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         /* don't read past the lvb */
@@ -302,7 +302,7 @@ static ssize_t dlmfs_file_write(struct file *filp,
         if (!count)
                 return 0;
 
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         /* don't write past the lvb */
diff --git a/fs/pstore/pmsg.c b/fs/pstore/pmsg.c
index 24db02de1787..97fcef74e5af 100644
--- a/fs/pstore/pmsg.c
+++ b/fs/pstore/pmsg.c
@@ -33,7 +33,7 @@ static ssize_t write_pmsg(struct file *file, const char __user *buf,
         record.size = count;
 
         /* check outside lock, page in any data. write_user also checks */
-        if (!access_ok(VERIFY_READ, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         mutex_lock(&pmsg_lock);
diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index c11711c2cc83..f375c0735351 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -357,7 +357,7 @@ int notrace persistent_ram_write_user(struct persistent_ram_zone *prz,
         int rem, ret = 0, c = count;
         size_t start;
 
-        if (unlikely(!access_ok(VERIFY_READ, s, count)))
+        if (unlikely(!access_ok(s, count)))
                 return -EFAULT;
         if (unlikely(c > prz->buffer_size)) {
                 s += c - prz->buffer_size;
diff --git a/fs/read_write.c b/fs/read_write.c
index 58f30537c47a..ff3c5e6f87cf 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -442,7 +442,7 @@ ssize_t vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
                 return -EBADF;
         if (!(file->f_mode & FMODE_CAN_READ))
                 return -EINVAL;
-        if (unlikely(!access_ok(VERIFY_WRITE, buf, count)))
+        if (unlikely(!access_ok(buf, count)))
                 return -EFAULT;
 
         ret = rw_verify_area(READ, file, pos, count);
@@ -538,7 +538,7 @@ ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_
                 return -EBADF;
         if (!(file->f_mode & FMODE_CAN_WRITE))
                 return -EINVAL;
-        if (unlikely(!access_ok(VERIFY_READ, buf, count)))
+        if (unlikely(!access_ok(buf, count)))
                 return -EFAULT;
 
         ret = rw_verify_area(WRITE, file, pos, count);
@@ -718,9 +718,6 @@ static ssize_t do_loop_readv_writev(struct file *filp, struct iov_iter *iter,
         return ret;
 }
 
-/* A write operation does a read from user space and vice versa */
-#define vrfy_dir(type) ((type) == READ ? VERIFY_WRITE : VERIFY_READ)
-
 /**
  * rw_copy_check_uvector() - Copy an array of &struct iovec from userspace
  *     into the kernel and check that it is valid.
@@ -810,7 +807,7 @@ ssize_t rw_copy_check_uvector(int type, const struct iovec __user * uvector,
                         goto out;
                 }
                 if (type >= 0
-                    && unlikely(!access_ok(vrfy_dir(type), buf, len))) {
+                    && unlikely(!access_ok(buf, len))) {
                         ret = -EFAULT;
                         goto out;
                 }
@@ -856,7 +853,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
         *ret_pointer = iov;
 
         ret = -EFAULT;
-        if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
+        if (!access_ok(uvector, nr_segs*sizeof(*uvector)))
                 goto out;
 
         /*
@@ -881,7 +878,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
                 if (len < 0)    /* size_t not fitting in compat_ssize_t .. */
                         goto out;
                 if (type >= 0 &&
-                    !access_ok(vrfy_dir(type), compat_ptr(buf), len)) {
+                    !access_ok(compat_ptr(buf), len)) {
                         ret = -EFAULT;
                         goto out;
                 }
diff --git a/fs/readdir.c b/fs/readdir.c
index d97f548e6323..2f6a4534e0df 100644
--- a/fs/readdir.c
+++ b/fs/readdir.c
@@ -105,7 +105,7 @@ static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
         }
         buf->result++;
         dirent = buf->dirent;
-        if (!access_ok(VERIFY_WRITE, dirent,
+        if (!access_ok(dirent,
                         (unsigned long)(dirent->d_name + namlen + 1) -
                                 (unsigned long)dirent))
                 goto efault;
@@ -221,7 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
         };
         int error;
 
-        if (!access_ok(VERIFY_WRITE, dirent, count))
+        if (!access_ok(dirent, count))
                 return -EFAULT;
 
         f = fdget_pos(fd);
@@ -304,7 +304,7 @@ int ksys_getdents64(unsigned int fd, struct linux_dirent64 __user *dirent,
         };
         int error;
 
-        if (!access_ok(VERIFY_WRITE, dirent, count))
+        if (!access_ok(dirent, count))
                 return -EFAULT;
 
         f = fdget_pos(fd);
@@ -365,7 +365,7 @@ static int compat_fillonedir(struct dir_context *ctx, const char *name,
         }
         buf->result++;
         dirent = buf->dirent;
-        if (!access_ok(VERIFY_WRITE, dirent,
+        if (!access_ok(dirent,
                         (unsigned long)(dirent->d_name + namlen + 1) -
                                 (unsigned long)dirent))
                 goto efault;
@@ -475,7 +475,7 @@ COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
         };
         int error;
 
-        if (!access_ok(VERIFY_WRITE, dirent, count))
+        if (!access_ok(dirent, count))
                 return -EFAULT;
 
         f = fdget_pos(fd);
diff --git a/fs/select.c b/fs/select.c
index 4c8652390c94..d0f35dbc0e8f 100644
--- a/fs/select.c
+++ b/fs/select.c
@@ -381,9 +381,6 @@ typedef struct {
 #define FDS_BYTES(nr)   (FDS_LONGS(nr)*sizeof(long))
 
 /*
- * We do a VERIFY_WRITE here even though we are only reading this time:
- * we'll write to it eventually..
- *
  * Use "unsigned long" accesses to let user-mode fd_set's be long-aligned.
  */
 static inline
@@ -782,7 +779,7 @@ SYSCALL_DEFINE6(pselect6, int, n, fd_set __user *, inp, fd_set __user *, outp,
         sigset_t __user *up = NULL;
 
         if (sig) {
-                if (!access_ok(VERIFY_READ, sig, sizeof(void *)+sizeof(size_t))
+                if (!access_ok(sig, sizeof(void *)+sizeof(size_t))
                     || __get_user(up, (sigset_t __user * __user *)sig)
                     || __get_user(sigsetsize,
                                 (size_t __user *)(sig+sizeof(void *))))
@@ -802,7 +799,7 @@ SYSCALL_DEFINE6(pselect6_time32, int, n, fd_set __user *, inp, fd_set __user *,
         sigset_t __user *up = NULL;
 
         if (sig) {
-                if (!access_ok(VERIFY_READ, sig, sizeof(void *)+sizeof(size_t))
+                if (!access_ok(sig, sizeof(void *)+sizeof(size_t))
                     || __get_user(up, (sigset_t __user * __user *)sig)
                     || __get_user(sigsetsize,
                                 (size_t __user *)(sig+sizeof(void *))))
@@ -1368,7 +1365,7 @@ COMPAT_SYSCALL_DEFINE6(pselect6_time64, int, n, compat_ulong_t __user *, inp,
         compat_uptr_t up = 0;
 
         if (sig) {
-                if (!access_ok(VERIFY_READ, sig,
+                if (!access_ok(sig,
                                 sizeof(compat_uptr_t)+sizeof(compat_size_t)) ||
                                 __get_user(up, (compat_uptr_t __user *)sig) ||
                                 __get_user(sigsetsize,
@@ -1390,7 +1387,7 @@ COMPAT_SYSCALL_DEFINE6(pselect6, int, n, compat_ulong_t __user *, inp,
         compat_uptr_t up = 0;
 
         if (sig) {
-                if (!access_ok(VERIFY_READ, sig,
+                if (!access_ok(sig,
                                 sizeof(compat_uptr_t)+sizeof(compat_size_t)) ||
                         __get_user(up, (compat_uptr_t __user *)sig) ||
                         __get_user(sigsetsize,
diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
index 6b2e63df2739..d82c78a79da5 100644
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -35,7 +35,7 @@ static inline void set_fs(mm_segment_t fs)
 #define segment_eq(a, b) ((a).seg == (b).seg)
 #endif
 
-#define access_ok(type, addr, size) __access_ok((unsigned long)(addr),(size))
+#define access_ok(addr, size) __access_ok((unsigned long)(addr),(size))
 
 /*
  * The architecture should really override this if possible, at least
@@ -78,7 +78,7 @@ static inline int __access_ok(unsigned long addr, unsigned long size)
 ({                                                              \
         void __user *__p = (ptr);                               \
         might_fault();                                          \
-        access_ok(VERIFY_WRITE, __p, sizeof(*ptr)) ?            \
+        access_ok(__p, sizeof(*ptr)) ?          \
                 __put_user((x), ((__typeof__(*(ptr)) __user *)__p)) :   \
                 -EFAULT;                                        \
 })
@@ -140,7 +140,7 @@ extern int __put_user_bad(void) __attribute__((noreturn));
 ({                                                              \
         const void __user *__p = (ptr);                         \
         might_fault();                                          \
-        access_ok(VERIFY_READ, __p, sizeof(*ptr)) ?             \
+        access_ok(__p, sizeof(*ptr)) ?          \
                 __get_user((x), (__typeof__(*(ptr)) __user *)__p) :\
                 ((x) = (__typeof__(*(ptr)))0,-EFAULT);          \
 })
@@ -175,7 +175,7 @@ __strncpy_from_user(char *dst, const char __user *src, long count)
 static inline long
 strncpy_from_user(char *dst, const char __user *src, long count)
 {
-        if (!access_ok(VERIFY_READ, src, 1))
+        if (!access_ok(src, 1))
                 return -EFAULT;
         return __strncpy_from_user(dst, src, count);
 }
@@ -196,7 +196,7 @@ strncpy_from_user(char *dst, const char __user *src, long count)
  */
 static inline long strnlen_user(const char __user *src, long n)
 {
-        if (!access_ok(VERIFY_READ, src, 1))
+        if (!access_ok(src, 1))
                 return 0;
         return __strnlen_user(src, n);
 }
@@ -217,7 +217,7 @@ static inline __must_check unsigned long
 clear_user(void __user *to, unsigned long n)
 {
         might_fault();
-        if (!access_ok(VERIFY_WRITE, to, n))
+        if (!access_ok(to, n))
                 return n;
 
         return __clear_user(to, n);
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index c233efc106c6..27b74947cd2b 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -148,6 +148,7 @@ struct bpf_verifier_state {
         /* call stack tracking */
         struct bpf_func_state *frame[MAX_CALL_FRAMES];
         u32 curframe;
+        bool speculative;
 };
 
 #define bpf_get_spilled_reg(slot, frame)                                \
@@ -167,15 +168,24 @@ struct bpf_verifier_state_list {
         struct bpf_verifier_state_list *next;
 };
 
+/* Possible states for alu_state member. */
+#define BPF_ALU_SANITIZE_SRC            1U
+#define BPF_ALU_SANITIZE_DST            2U
+#define BPF_ALU_NEG_VALUE               (1U << 2)
+#define BPF_ALU_SANITIZE                (BPF_ALU_SANITIZE_SRC | \
+                                         BPF_ALU_SANITIZE_DST)
+
 struct bpf_insn_aux_data {
         union {
                 enum bpf_reg_type ptr_type;     /* pointer type for load/store insns */
                 unsigned long map_state;        /* pointer/poison value for maps */
                 s32 call_imm;                   /* saved imm field of call insn */
+                u32 alu_limit;                  /* limit for add/sub register with pointer */
         };
         int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
         int sanitize_stack_off; /* stack slot to be cleared */
         bool seen; /* this insn was processed by the verifier */
+        u8 alu_state; /* used in combination with alu_limit */
 };
 
 #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
@@ -212,6 +222,8 @@ struct bpf_subprog_info {
  * one verifier_env per bpf_check() call
  */
 struct bpf_verifier_env {
+        u32 insn_idx;
+        u32 prev_insn_idx;
         struct bpf_prog *prog;          /* eBPF program being verified */
         const struct bpf_verifier_ops *ops;
         struct bpf_verifier_stack_elem *head; /* stack of verifier states to be processed */
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 8c8544b375eb..ad106d845b22 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -53,14 +53,10 @@ struct sock_reuseport;
 #define BPF_REG_D       BPF_REG_8       /* data, callee-saved */
 #define BPF_REG_H       BPF_REG_9       /* hlen, callee-saved */
 
-/* Kernel hidden auxiliary/helper register for hardening step.
- * Only used by eBPF JITs. It's nothing more than a temporary
- * register that JITs use internally, only that here it's part
- * of eBPF instructions that have been rewritten for blinding
- * constants. See JIT pre-step in bpf_jit_blind_constants().
- */
+/* Kernel hidden auxiliary/helper register. */
 #define BPF_REG_AX              MAX_BPF_REG
-#define MAX_BPF_JIT_REG         (MAX_BPF_REG + 1)
+#define MAX_BPF_EXT_REG         (MAX_BPF_REG + 1)
+#define MAX_BPF_JIT_REG         MAX_BPF_EXT_REG
 
 /* unused opcode to mark special call to bpf_tail_call() helper */
 #define BPF_TAIL_CALL   0xf0
diff --git a/include/linux/phy.h b/include/linux/phy.h
index da039f211c22..3b051f761450 100644
--- a/include/linux/phy.h
+++ b/include/linux/phy.h
@@ -1,6 +1,6 @@
 /*
  * Framework and drivers for configuring and reading different PHYs
- * Based on code in sungem_phy.c and gianfar_phy.c
+ * Based on code in sungem_phy.c and (long-removed) gianfar_phy.c
  *
  * Author: Andy Fleming
  *
@@ -110,9 +110,9 @@ typedef enum {
  * @speeds: buffer to store supported speeds in.
  * @size: size of speeds buffer.
  *
- * Description: Returns the number of supported speeds, and
- * fills the speeds * buffer with the supported speeds. If speeds buffer is
- * too small to contain * all currently supported speeds, will return as
+ * Description: Returns the number of supported speeds, and fills
+ * the speeds buffer with the supported speeds. If speeds buffer is
+ * too small to contain all currently supported speeds, will return as
  * many speeds as can fit.
  */
 unsigned int phy_supported_speeds(struct phy_device *phy,
@@ -120,7 +120,10 @@ unsigned int phy_supported_speeds(struct phy_device *phy,
                                       unsigned int size);
 
 /**
- * It maps 'enum phy_interface_t' found in include/linux/phy.h
+ * phy_modes - map phy_interface_t enum to device tree binding of phy-mode
+ * @interface: enum phy_interface_t value
+ *
+ * Description: maps 'enum phy_interface_t' defined in this file
  * into the device tree binding of 'phy-mode', so that Ethernet
  * device driver can get phy interface from device tree.
  */
diff --git a/include/linux/phy/phy.h b/include/linux/phy/phy.h
index 1fdefadf150a..e8e118d70fd7 100644
--- a/include/linux/phy/phy.h
+++ b/include/linux/phy/phy.h
@@ -110,6 +110,7 @@ struct phy_ops {
 /**
  * struct phy_attrs - represents phy attributes
  * @bus_width: Data path width implemented by PHY
+ * @mode: PHY mode
  */
 struct phy_attrs {
         u32                     bus_width;
@@ -121,7 +122,6 @@ struct phy_attrs {
  * @dev: phy device
  * @id: id of the phy device
  * @ops: function pointers for performing phy operations
- * @init_data: list of PHY consumers (non-dt only)
  * @mutex: mutex to protect phy_ops
  * @init_count: used to protect when the PHY is used by multiple consumers
  * @power_count: used to protect when the PHY is used by multiple consumers
diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
index 6894976b54e3..186cd8e970c7 100644
--- a/include/linux/ptr_ring.h
+++ b/include/linux/ptr_ring.h
@@ -573,6 +573,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
                 else if (destroy)
                         destroy(ptr);
 
+        if (producer >= size)
+                producer = 0;
         __ptr_ring_set_size(r, size);
         r->producer = producer;
         r->consumer_head = 0;
diff --git a/include/linux/regset.h b/include/linux/regset.h
index 494cedaafdf2..a85c1707285c 100644
--- a/include/linux/regset.h
+++ b/include/linux/regset.h
@@ -376,7 +376,7 @@ static inline int copy_regset_to_user(struct task_struct *target,
         if (!regset->get)
                 return -EOPNOTSUPP;
 
-        if (!access_ok(VERIFY_WRITE, data, size))
+        if (!access_ok(data, size))
                 return -EFAULT;
 
         return regset->get(target, regset, offset, size, NULL, data);
@@ -402,7 +402,7 @@ static inline int copy_regset_from_user(struct task_struct *target,
         if (!regset->set)
                 return -EOPNOTSUPP;
 
-        if (!access_ok(VERIFY_READ, data, size))
+        if (!access_ok(data, size))
                 return -EFAULT;
 
         return regset->set(target, regset, offset, size, NULL, data);
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index efe79c1cdd47..37b226e8df13 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -6,9 +6,6 @@
 #include <linux/thread_info.h>
 #include <linux/kasan-checks.h>
 
-#define VERIFY_READ 0
-#define VERIFY_WRITE 1
-
 #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
 
 #include <asm/uaccess.h>
@@ -111,7 +108,7 @@ _copy_from_user(void *to, const void __user *from, unsigned long n)
 {
         unsigned long res = n;
         might_fault();
-        if (likely(access_ok(VERIFY_READ, from, n))) {
+        if (likely(access_ok(from, n))) {
                 kasan_check_write(to, n);
                 res = raw_copy_from_user(to, from, n);
         }
@@ -129,7 +126,7 @@ static inline unsigned long
 _copy_to_user(void __user *to, const void *from, unsigned long n)
 {
         might_fault();
-        if (access_ok(VERIFY_WRITE, to, n)) {
+        if (access_ok(to, n)) {
                 kasan_check_read(from, n);
                 n = raw_copy_to_user(to, from, n);
         }
@@ -160,7 +157,7 @@ static __always_inline unsigned long __must_check
 copy_in_user(void __user *to, const void __user *from, unsigned long n)
 {
         might_fault();
-        if (access_ok(VERIFY_WRITE, to, n) && access_ok(VERIFY_READ, from, n))
+        if (access_ok(to, n) && access_ok(from, n))
                 n = raw_copy_in_user(to, from, n);
         return n;
 }
@@ -267,7 +264,7 @@ extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
         probe_kernel_read(&retval, addr, sizeof(retval))
 
 #ifndef user_access_begin
-#define user_access_begin() do { } while (0)
+#define user_access_begin(ptr,len) access_ok(ptr, len)
 #define user_access_end() do { } while (0)
 #define unsafe_get_user(x, ptr, err) do { if (unlikely(__get_user(x, ptr))) goto err; } while (0)
 #define unsafe_put_user(x, ptr, err) do { if (unlikely(__put_user(x, ptr))) goto err; } while (0)
diff --git a/include/net/checksum.h b/include/net/checksum.h
index aef2b2bb6603..0f319e13be2c 100644
--- a/include/net/checksum.h
+++ b/include/net/checksum.h
@@ -30,7 +30,7 @@ static inline
 __wsum csum_and_copy_from_user (const void __user *src, void *dst,
                                       int len, __wsum sum, int *err_ptr)
 {
-        if (access_ok(VERIFY_READ, src, len))
+        if (access_ok(src, len))
                 return csum_partial_copy_from_user(src, dst, len, sum, err_ptr);
 
         if (len)
@@ -46,7 +46,7 @@ static __inline__ __wsum csum_and_copy_to_user
 {
         sum = csum_partial(src, len, sum);
 
-        if (access_ok(VERIFY_WRITE, dst, len)) {
+        if (access_ok(dst, len)) {
                 if (copy_to_user(dst, src, len) == 0)
                         return sum;
         }
diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
index cbcf35ce1b14..34f019650941 100644
--- a/include/net/ip_tunnels.h
+++ b/include/net/ip_tunnels.h
@@ -308,6 +308,26 @@ int ip_tunnel_encap_del_ops(const struct ip_tunnel_encap_ops *op,
 int ip_tunnel_encap_setup(struct ip_tunnel *t,
                           struct ip_tunnel_encap *ipencap);
 
+static inline bool pskb_inet_may_pull(struct sk_buff *skb)
+{
+        int nhlen;
+
+        switch (skb->protocol) {
+#if IS_ENABLED(CONFIG_IPV6)
+        case htons(ETH_P_IPV6):
+                nhlen = sizeof(struct ipv6hdr);
+                break;
+#endif
+        case htons(ETH_P_IP):
+                nhlen = sizeof(struct iphdr);
+                break;
+        default:
+                nhlen = 0;
+        }
+
+        return pskb_network_may_pull(skb, nhlen);
+}
+
 static inline int ip_encap_hlen(struct ip_tunnel_encap *e)
 {
         const struct ip_tunnel_encap_ops *ops;
diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h
index 4b2b2baf8ab4..f32fc8289473 100644
--- a/include/net/netfilter/nf_conntrack_count.h
+++ b/include/net/netfilter/nf_conntrack_count.h
@@ -5,17 +5,10 @@
 
 struct nf_conncount_data;
 
-enum nf_conncount_list_add {
-        NF_CONNCOUNT_ADDED,     /* list add was ok */
-        NF_CONNCOUNT_ERR,       /* -ENOMEM, must drop skb */
-        NF_CONNCOUNT_SKIP,      /* list is already reclaimed by gc */
-};
-
 struct nf_conncount_list {
         spinlock_t list_lock;
         struct list_head head;  /* connections with the same filtering key */
         unsigned int count;     /* length of list */
-        bool dead;
 };
 
 struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
@@ -29,18 +22,12 @@ unsigned int nf_conncount_count(struct net *net,
                                 const struct nf_conntrack_tuple *tuple,
                                 const struct nf_conntrack_zone *zone);
 
-void nf_conncount_lookup(struct net *net, struct nf_conncount_list *list,
-                         const struct nf_conntrack_tuple *tuple,
-                         const struct nf_conntrack_zone *zone,
-                         bool *addit);
+int nf_conncount_add(struct net *net, struct nf_conncount_list *list,
+                     const struct nf_conntrack_tuple *tuple,
+                     const struct nf_conntrack_zone *zone);
 
 void nf_conncount_list_init(struct nf_conncount_list *list);
 
-enum nf_conncount_list_add
-nf_conncount_add(struct nf_conncount_list *list,
-                 const struct nf_conntrack_tuple *tuple,
-                 const struct nf_conntrack_zone *zone);
-
 bool nf_conncount_gc_list(struct net *net,
                           struct nf_conncount_list *list);
 
diff --git a/include/net/sock.h b/include/net/sock.h
index a6235c286ef9..2b229f7be8eb 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -298,6 +298,7 @@ struct sock_common {
   *     @sk_filter: socket filtering instructions
   *     @sk_timer: sock cleanup timer
   *     @sk_stamp: time stamp of last packet received
+  *     @sk_stamp_seq: lock for accessing sk_stamp on 32 bit architectures only
   *     @sk_tsflags: SO_TIMESTAMPING socket options
   *     @sk_tskey: counter to disambiguate concurrent tstamp requests
   *     @sk_zckey: counter to order MSG_ZEROCOPY notifications
@@ -474,6 +475,9 @@ struct sock {
         const struct cred       *sk_peer_cred;
         long                    sk_rcvtimeo;
         ktime_t                 sk_stamp;
+#if BITS_PER_LONG==32
+        seqlock_t               sk_stamp_seq;
+#endif
         u16                     sk_tsflags;
         u8                      sk_shutdown;
         u32                     sk_tskey;
@@ -2297,6 +2301,34 @@ static inline void sk_drops_add(struct sock *sk, const struct sk_buff *skb)
         atomic_add(segs, &sk->sk_drops);
 }
 
+static inline ktime_t sock_read_timestamp(struct sock *sk)
+{
+#if BITS_PER_LONG==32
+        unsigned int seq;
+        ktime_t kt;
+
+        do {
+                seq = read_seqbegin(&sk->sk_stamp_seq);
+                kt = sk->sk_stamp;
+        } while (read_seqretry(&sk->sk_stamp_seq, seq));
+
+        return kt;
+#else
+        return sk->sk_stamp;
+#endif
+}
+
+static inline void sock_write_timestamp(struct sock *sk, ktime_t kt)
+{
+#if BITS_PER_LONG==32
+        write_seqlock(&sk->sk_stamp_seq);
+        sk->sk_stamp = kt;
+        write_sequnlock(&sk->sk_stamp_seq);
+#else
+        sk->sk_stamp = kt;
+#endif
+}
+
 void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
                            struct sk_buff *skb);
 void __sock_recv_wifi_status(struct msghdr *msg, struct sock *sk,
@@ -2321,7 +2353,7 @@ sock_recv_timestamp(struct msghdr *msg, struct sock *sk, struct sk_buff *skb)
              (sk->sk_tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
                 __sock_recv_timestamp(msg, sk, skb);
         else
-                sk->sk_stamp = kt;
+                sock_write_timestamp(sk, kt);
 
         if (sock_flag(sk, SOCK_WIFI_STATUS) && skb->wifi_acked_valid)
                 __sock_recv_wifi_status(msg, sk, skb);
@@ -2342,9 +2374,9 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
         if (sk->sk_flags & FLAGS_TS_OR_DROPS || sk->sk_tsflags & TSFLAGS_ANY)
                 __sock_recv_ts_and_drops(msg, sk, skb);
         else if (unlikely(sock_flag(sk, SOCK_TIMESTAMP)))
-                sk->sk_stamp = skb->tstamp;
+                sock_write_timestamp(sk, skb->tstamp);
         else if (unlikely(sk->sk_stamp == SK_DEFAULT_STAMP))
-                sk->sk_stamp = 0;
+                sock_write_timestamp(sk, 0);
 }
 
 void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags);
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 38de580abcc2..f908b9356025 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -54,6 +54,7 @@
 #define DST     regs[insn->dst_reg]
 #define SRC     regs[insn->src_reg]
 #define FP      regs[BPF_REG_FP]
+#define AX      regs[BPF_REG_AX]
 #define ARG1    regs[BPF_REG_ARG1]
 #define CTX     regs[BPF_REG_CTX]
 #define IMM     insn->imm
@@ -857,6 +858,26 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from,
         BUILD_BUG_ON(BPF_REG_AX  + 1 != MAX_BPF_JIT_REG);
         BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);
 
+        /* Constraints on AX register:
+         *
+         * AX register is inaccessible from user space. It is mapped in
+         * all JITs, and used here for constant blinding rewrites. It is
+         * typically "stateless" meaning its contents are only valid within
+         * the executed instruction, but not across several instructions.
+         * There are a few exceptions however which are further detailed
+         * below.
+         *
+         * Constant blinding is only used by JITs, not in the interpreter.
+         * The interpreter uses AX in some occasions as a local temporary
+         * register e.g. in DIV or MOD instructions.
+         *
+         * In restricted circumstances, the verifier can also use the AX
+         * register for rewrites as long as they do not interfere with
+         * the above cases!
+         */
+        if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)
+                goto out;
+
         if (from->imm == 0 &&
             (from->code == (BPF_ALU   | BPF_MOV | BPF_K) ||
              from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {
@@ -1188,7 +1209,6 @@ bool bpf_opcode_in_insntable(u8 code)
  */
 static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
 {
-        u64 tmp;
 #define BPF_INSN_2_LBL(x, y)    [BPF_##x | BPF_##y] = &&x##_##y
 #define BPF_INSN_3_LBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = &&x##_##y##_##z
         static const void *jumptable[256] = {
@@ -1268,36 +1288,36 @@ select_insn:
                 (*(s64 *) &DST) >>= IMM;
                 CONT;
         ALU64_MOD_X:
-                div64_u64_rem(DST, SRC, &tmp);
-                DST = tmp;
+                div64_u64_rem(DST, SRC, &AX);
+                DST = AX;
                 CONT;
         ALU_MOD_X:
-                tmp = (u32) DST;
-                DST = do_div(tmp, (u32) SRC);
+                AX = (u32) DST;
+                DST = do_div(AX, (u32) SRC);
                 CONT;
         ALU64_MOD_K:
-                div64_u64_rem(DST, IMM, &tmp);
-                DST = tmp;
+                div64_u64_rem(DST, IMM, &AX);
+                DST = AX;
                 CONT;
         ALU_MOD_K:
-                tmp = (u32) DST;
-                DST = do_div(tmp, (u32) IMM);
+                AX = (u32) DST;
+                DST = do_div(AX, (u32) IMM);
                 CONT;
         ALU64_DIV_X:
                 DST = div64_u64(DST, SRC);
                 CONT;
         ALU_DIV_X:
-                tmp = (u32) DST;
-                do_div(tmp, (u32) SRC);
-                DST = (u32) tmp;
+                AX = (u32) DST;
+                do_div(AX, (u32) SRC);
+                DST = (u32) AX;
                 CONT;
         ALU64_DIV_K:
                 DST = div64_u64(DST, IMM);
                 CONT;
         ALU_DIV_K:
-                tmp = (u32) DST;
-                do_div(tmp, (u32) IMM);
-                DST = (u32) tmp;
+                AX = (u32) DST;
+                do_div(AX, (u32) IMM);
+                DST = (u32) AX;
                 CONT;
         ALU_END_TO_BE:
                 switch (IMM) {
@@ -1553,7 +1573,7 @@ STACK_FRAME_NON_STANDARD(___bpf_prog_run); /* jump table */
 static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn *insn) \
 { \
         u64 stack[stack_size / sizeof(u64)]; \
-        u64 regs[MAX_BPF_REG]; \
+        u64 regs[MAX_BPF_EXT_REG]; \
 \
         FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
         ARG1 = (u64) (unsigned long) ctx; \
@@ -1566,7 +1586,7 @@ static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \
                                       const struct bpf_insn *insn) \
 { \
         u64 stack[stack_size / sizeof(u64)]; \
-        u64 regs[MAX_BPF_REG]; \
+        u64 regs[MAX_BPF_EXT_REG]; \
 \
         FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
         BPF_R1 = r1; \
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 0607db304def..b155cd17c1bd 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -79,7 +79,7 @@ int bpf_check_uarg_tail_zero(void __user *uaddr,
         if (unlikely(actual_size > PAGE_SIZE))  /* silly large */
                 return -E2BIG;
 
-        if (unlikely(!access_ok(VERIFY_READ, uaddr, actual_size)))
+        if (unlikely(!access_ok(uaddr, actual_size)))
                 return -EFAULT;
 
         if (actual_size <= expected_size)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 71d86e3024ae..f6bc62a9ee8e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -710,6 +710,7 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
                 free_func_state(dst_state->frame[i]);
                 dst_state->frame[i] = NULL;
         }
+        dst_state->speculative = src->speculative;
         dst_state->curframe = src->curframe;
         for (i = 0; i <= src->curframe; i++) {
                 dst = dst_state->frame[i];
@@ -754,7 +755,8 @@ static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx,
 }
 
 static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
-                                             int insn_idx, int prev_insn_idx)
+                                             int insn_idx, int prev_insn_idx,
+                                             bool speculative)
 {
         struct bpf_verifier_state *cur = env->cur_state;
         struct bpf_verifier_stack_elem *elem;
@@ -772,6 +774,7 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
         err = copy_verifier_state(&elem->st, cur);
         if (err)
                 goto err;
+        elem->st.speculative |= speculative;
         if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) {
                 verbose(env, "BPF program is too complex\n");
                 goto err;
@@ -1387,6 +1390,31 @@ static int check_stack_read(struct bpf_verifier_env *env,
         }
 }
 
+static int check_stack_access(struct bpf_verifier_env *env,
+                              const struct bpf_reg_state *reg,
+                              int off, int size)
+{
+        /* Stack accesses must be at a fixed offset, so that we
+         * can determine what type of data were returned. See
+         * check_stack_read().
+         */
+        if (!tnum_is_const(reg->var_off)) {
+                char tn_buf[48];
+
+                tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+                verbose(env, "variable stack access var_off=%s off=%d size=%d",
+                        tn_buf, off, size);
+                return -EACCES;
+        }
+
+        if (off >= 0 || off < -MAX_BPF_STACK) {
+                verbose(env, "invalid stack off=%d size=%d\n", off, size);
+                return -EACCES;
+        }
+
+        return 0;
+}
+
 /* check read/write into map element returned by bpf_map_lookup_elem() */
 static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
                               int size, bool zero_size_allowed)
@@ -1418,13 +1446,17 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno,
          */
         if (env->log.level)
                 print_verifier_state(env, state);
+
         /* The minimum value is only important with signed
          * comparisons where we can't assume the floor of a
          * value is 0.  If we are using signed variables for our
          * index'es we need to make sure that whatever we use
          * will have a set floor within our range.
          */
-        if (reg->smin_value < 0) {
+        if (reg->smin_value < 0 &&
+            (reg->smin_value == S64_MIN ||
+             (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) ||
+              reg->smin_value + off < 0)) {
                 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
                         regno);
                 return -EACCES;
@@ -1954,24 +1986,10 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
                 }
 
         } else if (reg->type == PTR_TO_STACK) {
-                /* stack accesses must be at a fixed offset, so that we can
-                 * determine what type of data were returned.
-                 * See check_stack_read().
-                 */
-                if (!tnum_is_const(reg->var_off)) {
-                        char tn_buf[48];
-
-                        tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
-                        verbose(env, "variable stack access var_off=%s off=%d size=%d",
-                                tn_buf, off, size);
-                        return -EACCES;
-                }
                 off += reg->var_off.value;
-                if (off >= 0 || off < -MAX_BPF_STACK) {
-                        verbose(env, "invalid stack off=%d size=%d\n", off,
-                                size);
-                        return -EACCES;
-                }
+                err = check_stack_access(env, reg, off, size);
+                if (err)
+                        return err;
 
                 state = func(env, reg);
                 err = update_stack_depth(env, state, off);
@@ -3052,6 +3070,102 @@ static bool check_reg_sane_offset(struct bpf_verifier_env *env,
         return true;
 }
 
+static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env)
+{
+        return &env->insn_aux_data[env->insn_idx];
+}
+
+static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
+                              u32 *ptr_limit, u8 opcode, bool off_is_neg)
+{
+        bool mask_to_left = (opcode == BPF_ADD &&  off_is_neg) ||
+                            (opcode == BPF_SUB && !off_is_neg);
+        u32 off;
+
+        switch (ptr_reg->type) {
+        case PTR_TO_STACK:
+                off = ptr_reg->off + ptr_reg->var_off.value;
+                if (mask_to_left)
+                        *ptr_limit = MAX_BPF_STACK + off;
+                else
+                        *ptr_limit = -off;
+                return 0;
+        case PTR_TO_MAP_VALUE:
+                if (mask_to_left) {
+                        *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
+                } else {
+                        off = ptr_reg->smin_value + ptr_reg->off;
+                        *ptr_limit = ptr_reg->map_ptr->value_size - off;
+                }
+                return 0;
+        default:
+                return -EINVAL;
+        }
+}
+
+static int sanitize_ptr_alu(struct bpf_verifier_env *env,
+                            struct bpf_insn *insn,
+                            const struct bpf_reg_state *ptr_reg,
+                            struct bpf_reg_state *dst_reg,
+                            bool off_is_neg)
+{
+        struct bpf_verifier_state *vstate = env->cur_state;
+        struct bpf_insn_aux_data *aux = cur_aux(env);
+        bool ptr_is_dst_reg = ptr_reg == dst_reg;
+        u8 opcode = BPF_OP(insn->code);
+        u32 alu_state, alu_limit;
+        struct bpf_reg_state tmp;
+        bool ret;
+
+        if (env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K)
+                return 0;
+
+        /* We already marked aux for masking from non-speculative
+         * paths, thus we got here in the first place. We only care
+         * to explore bad access from here.
+         */
+        if (vstate->speculative)
+                goto do_sim;
+
+        alu_state  = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
+        alu_state |= ptr_is_dst_reg ?
+                     BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
+
+        if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))
+                return 0;
+
+        /* If we arrived here from different branches with different
+         * limits to sanitize, then this won't work.
+         */
+        if (aux->alu_state &&
+            (aux->alu_state != alu_state ||
+             aux->alu_limit != alu_limit))
+                return -EACCES;
+
+        /* Corresponding fixup done in fixup_bpf_calls(). */
+        aux->alu_state = alu_state;
+        aux->alu_limit = alu_limit;
+
+do_sim:
+        /* Simulate and find potential out-of-bounds access under
+         * speculative execution from truncation as a result of
+         * masking when off was not within expected range. If off
+         * sits in dst, then we temporarily need to move ptr there
+         * to simulate dst (== 0) +/-= ptr. Needed, for example,
+         * for cases where we use K-based arithmetic in one direction
+         * and truncated reg-based in the other in order to explore
+         * bad access.
+         */
+        if (!ptr_is_dst_reg) {
+                tmp = *dst_reg;
+                *dst_reg = *ptr_reg;
+        }
+        ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
+        if (!ptr_is_dst_reg)
+                *dst_reg = tmp;
+        return !ret ? -EFAULT : 0;
+}
+
 /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
  * Caller should also handle BPF_MOV case separately.
  * If we return -EACCES, caller may want to try again treating pointer as a
@@ -3070,8 +3184,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
             smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;
         u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,
             umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;
+        u32 dst = insn->dst_reg, src = insn->src_reg;
         u8 opcode = BPF_OP(insn->code);
-        u32 dst = insn->dst_reg;
+        int ret;
 
         dst_reg = &regs[dst];
 
@@ -3104,6 +3219,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
                 verbose(env, "R%d pointer arithmetic on %s prohibited\n",
                         dst, reg_type_str[ptr_reg->type]);
                 return -EACCES;
+        case PTR_TO_MAP_VALUE:
+                if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
+                        verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
+                                off_reg == dst_reg ? dst : src);
+                        return -EACCES;
+                }
+                /* fall-through */
         default:
                 break;
         }
@@ -3120,6 +3242,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
 
         switch (opcode) {
         case BPF_ADD:
+                ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
+                if (ret < 0) {
+                        verbose(env, "R%d tried to add from different maps or paths\n", dst);
+                        return ret;
+                }
                 /* We can take a fixed offset as long as it doesn't overflow
                  * the s32 'off' field
                  */
@@ -3170,6 +3297,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
                 }
                 break;
         case BPF_SUB:
+                ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
+                if (ret < 0) {
+                        verbose(env, "R%d tried to sub from different maps or paths\n", dst);
+                        return ret;
+                }
                 if (dst_reg == off_reg) {
                         /* scalar -= pointer.  Creates an unknown scalar */
                         verbose(env, "R%d tried to subtract pointer from scalar\n",
@@ -3249,6 +3381,25 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
         __update_reg_bounds(dst_reg);
         __reg_deduce_bounds(dst_reg);
         __reg_bound_offset(dst_reg);
+
+        /* For unprivileged we require that resulting offset must be in bounds
+         * in order to be able to sanitize access later on.
+         */
+        if (!env->allow_ptr_leaks) {
+                if (dst_reg->type == PTR_TO_MAP_VALUE &&
+                    check_map_access(env, dst, dst_reg->off, 1, false)) {
+                        verbose(env, "R%d pointer arithmetic of map value goes out of range, "
+                                "prohibited for !root\n", dst);
+                        return -EACCES;
+                } else if (dst_reg->type == PTR_TO_STACK &&
+                           check_stack_access(env, dst_reg, dst_reg->off +
+                                              dst_reg->var_off.value, 1)) {
+                        verbose(env, "R%d stack pointer arithmetic goes out of range, "
+                                "prohibited for !root\n", dst);
+                        return -EACCES;
+                }
+        }
+
         return 0;
 }
 
@@ -4348,7 +4499,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
                 }
         }
 
-        other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx);
+        other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
+                                  false);
         if (!other_branch)
                 return -EFAULT;
         other_branch_regs = other_branch->frame[other_branch->curframe]->regs;
@@ -5458,6 +5610,12 @@ static bool states_equal(struct bpf_verifier_env *env,
         if (old->curframe != cur->curframe)
                 return false;
 
+        /* Verification state from speculative execution simulation
+         * must never prune a non-speculative execution one.
+         */
+        if (old->speculative && !cur->speculative)
+                return false;
+
         /* for states to be equal callsites have to be the same
          * and all frame states need to be equivalent
          */
@@ -5650,7 +5808,6 @@ static int do_check(struct bpf_verifier_env *env)
         struct bpf_insn *insns = env->prog->insnsi;
         struct bpf_reg_state *regs;
         int insn_cnt = env->prog->len, i;
-        int insn_idx, prev_insn_idx = 0;
         int insn_processed = 0;
         bool do_print_state = false;
 
@@ -5660,6 +5817,7 @@ static int do_check(struct bpf_verifier_env *env)
         if (!state)
                 return -ENOMEM;
         state->curframe = 0;
+        state->speculative = false;
         state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL);
         if (!state->frame[0]) {
                 kfree(state);
@@ -5670,19 +5828,19 @@ static int do_check(struct bpf_verifier_env *env)
                         BPF_MAIN_FUNC /* callsite */,
                         0 /* frameno */,
                         0 /* subprogno, zero == main subprog */);
-        insn_idx = 0;
+
         for (;;) {
                 struct bpf_insn *insn;
                 u8 class;
                 int err;
 
-                if (insn_idx >= insn_cnt) {
+                if (env->insn_idx >= insn_cnt) {
                         verbose(env, "invalid insn idx %d insn_cnt %d\n",
-                                insn_idx, insn_cnt);
+                                env->insn_idx, insn_cnt);
                         return -EFAULT;
                 }
 
-                insn = &insns[insn_idx];
+                insn = &insns[env->insn_idx];
                 class = BPF_CLASS(insn->code);
 
                 if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
@@ -5692,17 +5850,19 @@ static int do_check(struct bpf_verifier_env *env)
                         return -E2BIG;
                 }
 
-                err = is_state_visited(env, insn_idx);
+                err = is_state_visited(env, env->insn_idx);
                 if (err < 0)
                         return err;
                 if (err == 1) {
                         /* found equivalent state, can prune the search */
                         if (env->log.level) {
                                 if (do_print_state)
-                                        verbose(env, "\nfrom %d to %d: safe\n",
-                                                prev_insn_idx, insn_idx);
+                                        verbose(env, "\nfrom %d to %d%s: safe\n",
+                                                env->prev_insn_idx, env->insn_idx,
+                                                env->cur_state->speculative ?
+                                                " (speculative execution)" : "");
                                 else
-                                        verbose(env, "%d: safe\n", insn_idx);
+                                        verbose(env, "%d: safe\n", env->insn_idx);
                         }
                         goto process_bpf_exit;
                 }
@@ -5715,10 +5875,12 @@ static int do_check(struct bpf_verifier_env *env)
 
                 if (env->log.level > 1 || (env->log.level && do_print_state)) {
                         if (env->log.level > 1)
-                                verbose(env, "%d:", insn_idx);
+                                verbose(env, "%d:", env->insn_idx);
                         else
-                                verbose(env, "\nfrom %d to %d:",
-                                        prev_insn_idx, insn_idx);
+                                verbose(env, "\nfrom %d to %d%s:",
+                                        env->prev_insn_idx, env->insn_idx,
+                                        env->cur_state->speculative ?
+                                        " (speculative execution)" : "");
                         print_verifier_state(env, state->frame[state->curframe]);
                         do_print_state = false;
                 }
@@ -5729,20 +5891,20 @@ static int do_check(struct bpf_verifier_env *env)
                                 .private_data   = env,
                         };
 
-                        verbose_linfo(env, insn_idx, "; ");
-                        verbose(env, "%d: ", insn_idx);
+                        verbose_linfo(env, env->insn_idx, "; ");
+                        verbose(env, "%d: ", env->insn_idx);
                         print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
                 }
 
                 if (bpf_prog_is_dev_bound(env->prog->aux)) {
-                        err = bpf_prog_offload_verify_insn(env, insn_idx,
-                                                           prev_insn_idx);
+                        err = bpf_prog_offload_verify_insn(env, env->insn_idx,
+                                                           env->prev_insn_idx);
                         if (err)
                                 return err;
                 }
 
                 regs = cur_regs(env);
-                env->insn_aux_data[insn_idx].seen = true;
+                env->insn_aux_data[env->insn_idx].seen = true;
 
                 if (class == BPF_ALU || class == BPF_ALU64) {
                         err = check_alu_op(env, insn);
@@ -5768,13 +5930,13 @@ static int do_check(struct bpf_verifier_env *env)
                         /* check that memory (src_reg + off) is readable,
                          * the state of dst_reg will be updated by this func
                          */
-                        err = check_mem_access(env, insn_idx, insn->src_reg, insn->off,
-                                               BPF_SIZE(insn->code), BPF_READ,
-                                               insn->dst_reg, false);
+                        err = check_mem_access(env, env->insn_idx, insn->src_reg,
+                                               insn->off, BPF_SIZE(insn->code),
+                                               BPF_READ, insn->dst_reg, false);
                         if (err)
                                 return err;
 
-                        prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;
+                        prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;
 
                         if (*prev_src_type == NOT_INIT) {
                                 /* saw a valid insn
@@ -5799,10 +5961,10 @@ static int do_check(struct bpf_verifier_env *env)
                         enum bpf_reg_type *prev_dst_type, dst_reg_type;
 
                         if (BPF_MODE(insn->code) == BPF_XADD) {
-                                err = check_xadd(env, insn_idx, insn);
+                                err = check_xadd(env, env->insn_idx, insn);
                                 if (err)
                                         return err;
-                                insn_idx++;
+                                env->insn_idx++;
                                 continue;
                         }
 
@@ -5818,13 +5980,13 @@ static int do_check(struct bpf_verifier_env *env)
                         dst_reg_type = regs[insn->dst_reg].type;
 
                         /* check that memory (dst_reg + off) is writeable */
-                        err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
-                                               BPF_SIZE(insn->code), BPF_WRITE,
-                                               insn->src_reg, false);
+                        err = check_mem_access(env, env->insn_idx, insn->dst_reg,
+                                               insn->off, BPF_SIZE(insn->code),
+                                               BPF_WRITE, insn->src_reg, false);
                         if (err)
                                 return err;
 
-                        prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type;
+                        prev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;
 
                         if (*prev_dst_type == NOT_INIT) {
                                 *prev_dst_type = dst_reg_type;
@@ -5852,9 +6014,9 @@ static int do_check(struct bpf_verifier_env *env)
                         }
 
                         /* check that memory (dst_reg + off) is writeable */
-                        err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
-                                               BPF_SIZE(insn->code), BPF_WRITE,
-                                               -1, false);
+                        err = check_mem_access(env, env->insn_idx, insn->dst_reg,
+                                               insn->off, BPF_SIZE(insn->code),
+                                               BPF_WRITE, -1, false);
                         if (err)
                                 return err;
 
@@ -5872,9 +6034,9 @@ static int do_check(struct bpf_verifier_env *env)
                                 }
 
                                 if (insn->src_reg == BPF_PSEUDO_CALL)
-                                        err = check_func_call(env, insn, &insn_idx);
+                                        err = check_func_call(env, insn, &env->insn_idx);
                                 else
-                                        err = check_helper_call(env, insn->imm, insn_idx);
+                                        err = check_helper_call(env, insn->imm, env->insn_idx);
                                 if (err)
                                         return err;
 
@@ -5887,7 +6049,7 @@ static int do_check(struct bpf_verifier_env *env)
                                         return -EINVAL;
                                 }
 
-                                insn_idx += insn->off + 1;
+                                env->insn_idx += insn->off + 1;
                                 continue;
 
                         } else if (opcode == BPF_EXIT) {
@@ -5901,8 +6063,8 @@ static int do_check(struct bpf_verifier_env *env)
 
                                 if (state->curframe) {
                                         /* exit from nested function */
-                                        prev_insn_idx = insn_idx;
-                                        err = prepare_func_exit(env, &insn_idx);
+                                        env->prev_insn_idx = env->insn_idx;
+                                        err = prepare_func_exit(env, &env->insn_idx);
                                         if (err)
                                                 return err;
                                         do_print_state = true;
@@ -5932,7 +6094,8 @@ static int do_check(struct bpf_verifier_env *env)
                                 if (err)
                                         return err;
 process_bpf_exit:
-                                err = pop_stack(env, &prev_insn_idx, &insn_idx);
+                                err = pop_stack(env, &env->prev_insn_idx,
+                                                &env->insn_idx);
                                 if (err < 0) {
                                         if (err != -ENOENT)
                                                 return err;
@@ -5942,7 +6105,7 @@ process_bpf_exit:
                                         continue;
                                 }
                         } else {
-                                err = check_cond_jmp_op(env, insn, &insn_idx);
+                                err = check_cond_jmp_op(env, insn, &env->insn_idx);
                                 if (err)
                                         return err;
                         }
@@ -5959,8 +6122,8 @@ process_bpf_exit:
                                 if (err)
                                         return err;
 
-                                insn_idx++;
-                                env->insn_aux_data[insn_idx].seen = true;
+                                env->insn_idx++;
+                                env->insn_aux_data[env->insn_idx].seen = true;
                         } else {
                                 verbose(env, "invalid BPF_LD mode\n");
                                 return -EINVAL;
@@ -5970,7 +6133,7 @@ process_bpf_exit:
                         return -EINVAL;
                 }
 
-                insn_idx++;
+                env->insn_idx++;
         }
 
         verbose(env, "processed %d insns (limit %d), stack depth ",
@@ -6709,6 +6872,57 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
                         continue;
                 }
 
+                if (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) ||
+                    insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) {
+                        const u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X;
+                        const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;
+                        struct bpf_insn insn_buf[16];
+                        struct bpf_insn *patch = &insn_buf[0];
+                        bool issrc, isneg;
+                        u32 off_reg;
+
+                        aux = &env->insn_aux_data[i + delta];
+                        if (!aux->alu_state)
+                                continue;
+
+                        isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
+                        issrc = (aux->alu_state & BPF_ALU_SANITIZE) ==
+                                BPF_ALU_SANITIZE_SRC;
+
+                        off_reg = issrc ? insn->src_reg : insn->dst_reg;
+                        if (isneg)
+                                *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
+                        *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
+                        *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
+                        *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
+                        *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
+                        *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
+                        if (issrc) {
+                                *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
+                                                         off_reg);
+                                insn->src_reg = BPF_REG_AX;
+                        } else {
+                                *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
+                                                         BPF_REG_AX);
+                        }
+                        if (isneg)
+                                insn->code = insn->code == code_add ?
+                                             code_sub : code_add;
+                        *patch++ = *insn;
+                        if (issrc && isneg)
+                                *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
+                        cnt = patch - insn_buf;
+
+                        new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+                        if (!new_prog)
+                                return -ENOMEM;
+
+                        delta    += cnt - 1;
+                        env->prog = prog = new_prog;
+                        insn      = new_prog->insnsi + i + delta;
+                        continue;
+                }
+
                 if (insn->code != (BPF_JMP | BPF_CALL))
                         continue;
                 if (insn->src_reg == BPF_PSEUDO_CALL)
diff --git a/kernel/compat.c b/kernel/compat.c
index 089d00d0da9c..f01affa17e22 100644
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -95,28 +95,28 @@ int compat_put_timex(struct compat_timex __user *utp, const struct timex *txc)
 
 static int __compat_get_timeval(struct timeval *tv, const struct old_timeval32 __user *ctv)
 {
-        return (!access_ok(VERIFY_READ, ctv, sizeof(*ctv)) ||
+        return (!access_ok(ctv, sizeof(*ctv)) ||
                         __get_user(tv->tv_sec, &ctv->tv_sec) ||
                         __get_user(tv->tv_usec, &ctv->tv_usec)) ? -EFAULT : 0;
 }
 
 static int __compat_put_timeval(const struct timeval *tv, struct old_timeval32 __user *ctv)
 {
-        return (!access_ok(VERIFY_WRITE, ctv, sizeof(*ctv)) ||
+        return (!access_ok(ctv, sizeof(*ctv)) ||
                         __put_user(tv->tv_sec, &ctv->tv_sec) ||
                         __put_user(tv->tv_usec, &ctv->tv_usec)) ? -EFAULT : 0;
 }
 
 static int __compat_get_timespec(struct timespec *ts, const struct old_timespec32 __user *cts)
 {
-        return (!access_ok(VERIFY_READ, cts, sizeof(*cts)) ||
+        return (!access_ok(cts, sizeof(*cts)) ||
                         __get_user(ts->tv_sec, &cts->tv_sec) ||
                         __get_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
 }
 
 static int __compat_put_timespec(const struct timespec *ts, struct old_timespec32 __user *cts)
 {
-        return (!access_ok(VERIFY_WRITE, cts, sizeof(*cts)) ||
+        return (!access_ok(cts, sizeof(*cts)) ||
                         __put_user(ts->tv_sec, &cts->tv_sec) ||
                         __put_user(ts->tv_nsec, &cts->tv_nsec)) ? -EFAULT : 0;
 }
@@ -335,7 +335,7 @@ int get_compat_sigevent(struct sigevent *event,
                 const struct compat_sigevent __user *u_event)
 {
         memset(event, 0, sizeof(*event));
-        return (!access_ok(VERIFY_READ, u_event, sizeof(*u_event)) ||
+        return (!access_ok(u_event, sizeof(*u_event)) ||
                 __get_user(event->sigev_value.sival_int,
                         &u_event->sigev_value.sival_int) ||
                 __get_user(event->sigev_signo, &u_event->sigev_signo) ||
@@ -354,10 +354,9 @@ long compat_get_bitmap(unsigned long *mask, const compat_ulong_t __user *umask,
         bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
         nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
 
-        if (!access_ok(VERIFY_READ, umask, bitmap_size / 8))
+        if (!user_access_begin(umask, bitmap_size / 8))
                 return -EFAULT;
 
-        user_access_begin();
         while (nr_compat_longs > 1) {
                 compat_ulong_t l1, l2;
                 unsafe_get_user(l1, umask++, Efault);
@@ -384,10 +383,9 @@ long compat_put_bitmap(compat_ulong_t __user *umask, unsigned long *mask,
         bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
         nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
 
-        if (!access_ok(VERIFY_WRITE, umask, bitmap_size / 8))
+        if (!user_access_begin(umask, bitmap_size / 8))
                 return -EFAULT;
 
-        user_access_begin();
         while (nr_compat_longs > 1) {
                 unsigned long m = *mask++;
                 unsafe_put_user((compat_ulong_t)m, umask++, Efault);
@@ -438,7 +436,7 @@ void __user *compat_alloc_user_space(unsigned long len)
 
         ptr = arch_compat_alloc_user_space(len);
 
-        if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
+        if (unlikely(!access_ok(ptr, len)))
                 return NULL;
 
         return ptr;
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 67ecac337374..3cd13a30f732 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10135,7 +10135,7 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
         u32 size;
         int ret;
 
-        if (!access_ok(VERIFY_WRITE, uattr, PERF_ATTR_SIZE_VER0))
+        if (!access_ok(uattr, PERF_ATTR_SIZE_VER0))
                 return -EFAULT;
 
         /*
diff --git a/kernel/exit.c b/kernel/exit.c
index 0e21e6d21f35..2d14979577ee 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1604,10 +1604,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
         if (!infop)
                 return err;
 
-        if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+        if (!user_access_begin(infop, sizeof(*infop)))
                 return -EFAULT;
 
-        user_access_begin();
         unsafe_put_user(signo, &infop->si_signo, Efault);
         unsafe_put_user(0, &infop->si_errno, Efault);
         unsafe_put_user(info.cause, &infop->si_code, Efault);
@@ -1732,10 +1731,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
         if (!infop)
                 return err;
 
-        if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+        if (!user_access_begin(infop, sizeof(*infop)))
                 return -EFAULT;
 
-        user_access_begin();
         unsafe_put_user(signo, &infop->si_signo, Efault);
         unsafe_put_user(0, &infop->si_errno, Efault);
         unsafe_put_user(info.cause, &infop->si_code, Efault);
diff --git a/kernel/futex.c b/kernel/futex.c
index 054105854e0e..be3bff2315ff 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -481,13 +481,18 @@ static void drop_futex_key_refs(union futex_key *key)
         }
 }
 
+enum futex_access {
+        FUTEX_READ,
+        FUTEX_WRITE
+};
+
 /**
  * get_futex_key() - Get parameters which are the keys for a futex
  * @uaddr:      virtual address of the futex
  * @fshared:    0 for a PROCESS_PRIVATE futex, 1 for PROCESS_SHARED
  * @key:        address where result is stored.
- * @rw:         mapping needs to be read/write (values: VERIFY_READ,
- *              VERIFY_WRITE)
+ * @rw:         mapping needs to be read/write (values: FUTEX_READ,
+ *              FUTEX_WRITE)
  *
  * Return: a negative error code or 0
  *
@@ -500,7 +505,7 @@ static void drop_futex_key_refs(union futex_key *key)
  * lock_page() might sleep, the caller should not hold a spinlock.
  */
 static int
-get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
+get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, enum futex_access rw)
 {
         unsigned long address = (unsigned long)uaddr;
         struct mm_struct *mm = current->mm;
@@ -516,7 +521,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
                 return -EINVAL;
         address -= key->both.offset;
 
-        if (unlikely(!access_ok(rw, uaddr, sizeof(u32))))
+        if (unlikely(!access_ok(uaddr, sizeof(u32))))
                 return -EFAULT;
 
         if (unlikely(should_fail_futex(fshared)))
@@ -546,7 +551,7 @@ again:
          * If write access is not required (eg. FUTEX_WAIT), try
          * and get read-only access.
          */
-        if (err == -EFAULT && rw == VERIFY_READ) {
+        if (err == -EFAULT && rw == FUTEX_READ) {
                 err = get_user_pages_fast(address, 1, 0, &page);
                 ro = 1;
         }
@@ -1583,7 +1588,7 @@ futex_wake(u32 __user *uaddr, unsigned int flags, int nr_wake, u32 bitset)
         if (!bitset)
                 return -EINVAL;
 
-        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_READ);
+        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_READ);
         if (unlikely(ret != 0))
                 goto out;
 
@@ -1642,7 +1647,7 @@ static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
                 oparg = 1 << oparg;
         }
 
-        if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
+        if (!access_ok(uaddr, sizeof(u32)))
                 return -EFAULT;
 
         ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
@@ -1682,10 +1687,10 @@ futex_wake_op(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2,
         DEFINE_WAKE_Q(wake_q);
 
 retry:
-        ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
+        ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
         if (unlikely(ret != 0))
                 goto out;
-        ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE);
+        ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
         if (unlikely(ret != 0))
                 goto out_put_key1;
 
@@ -1961,11 +1966,11 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
         }
 
 retry:
-        ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, VERIFY_READ);
+        ret = get_futex_key(uaddr1, flags & FLAGS_SHARED, &key1, FUTEX_READ);
         if (unlikely(ret != 0))
                 goto out;
         ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2,
-                            requeue_pi ? VERIFY_WRITE : VERIFY_READ);
+                            requeue_pi ? FUTEX_WRITE : FUTEX_READ);
         if (unlikely(ret != 0))
                 goto out_put_key1;
 
@@ -2634,7 +2639,7 @@ static int futex_wait_setup(u32 __user *uaddr, u32 val, unsigned int flags,
          * while the syscall executes.
          */
 retry:
-        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, VERIFY_READ);
+        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q->key, FUTEX_READ);
         if (unlikely(ret != 0))
                 return ret;
 
@@ -2793,7 +2798,7 @@ static int futex_lock_pi(u32 __user *uaddr, unsigned int flags,
         }
 
 retry:
-        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, VERIFY_WRITE);
+        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, FUTEX_WRITE);
         if (unlikely(ret != 0))
                 goto out;
 
@@ -2972,7 +2977,7 @@ retry:
         if ((uval & FUTEX_TID_MASK) != vpid)
                 return -EPERM;
 
-        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, VERIFY_WRITE);
+        ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &key, FUTEX_WRITE);
         if (ret)
                 return ret;
 
@@ -3199,7 +3204,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
          */
         rt_mutex_init_waiter(&rt_waiter);
 
-        ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, VERIFY_WRITE);
+        ret = get_futex_key(uaddr2, flags & FLAGS_SHARED, &key2, FUTEX_WRITE);
         if (unlikely(ret != 0))
                 goto out;
 
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 1306fe0c1dc6..d3d170374ceb 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -1466,7 +1466,7 @@ int do_syslog(int type, char __user *buf, int len, int source)
                         return -EINVAL;
                 if (!len)
                         return 0;
-                if (!access_ok(VERIFY_WRITE, buf, len))
+                if (!access_ok(buf, len))
                         return -EFAULT;
                 error = wait_event_interruptible(log_wait,
                                                  syslog_seq != log_next_seq);
@@ -1484,7 +1484,7 @@ int do_syslog(int type, char __user *buf, int len, int source)
                         return -EINVAL;
                 if (!len)
                         return 0;
-                if (!access_ok(VERIFY_WRITE, buf, len))
+                if (!access_ok(buf, len))
                         return -EFAULT;
                 error = syslog_print_all(buf, len, clear);
                 break;
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index c2cee9db5204..771e93f9c43f 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -1073,7 +1073,7 @@ int ptrace_request(struct task_struct *child, long request,
                 struct iovec kiov;
                 struct iovec __user *uiov = datavp;
 
-                if (!access_ok(VERIFY_WRITE, uiov, sizeof(*uiov)))
+                if (!access_ok(uiov, sizeof(*uiov)))
                         return -EFAULT;
 
                 if (__get_user(kiov.iov_base, &uiov->iov_base) ||
@@ -1229,7 +1229,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
                 compat_uptr_t ptr;
                 compat_size_t len;
 
-                if (!access_ok(VERIFY_WRITE, uiov, sizeof(*uiov)))
+                if (!access_ok(uiov, sizeof(*uiov)))
                         return -EFAULT;
 
                 if (__get_user(ptr, &uiov->iov_base) ||
diff --git a/kernel/rseq.c b/kernel/rseq.c
index c6242d8594dc..25e9a7b60eba 100644
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -267,7 +267,7 @@ void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *regs)
 
         if (unlikely(t->flags & PF_EXITING))
                 return;
-        if (unlikely(!access_ok(VERIFY_WRITE, t->rseq, sizeof(*t->rseq))))
+        if (unlikely(!access_ok(t->rseq, sizeof(*t->rseq))))
                 goto error;
         ret = rseq_ip_fixup(regs);
         if (unlikely(ret < 0))
@@ -295,7 +295,7 @@ void rseq_syscall(struct pt_regs *regs)
 
         if (!t->rseq)
                 return;
-        if (!access_ok(VERIFY_READ, t->rseq, sizeof(*t->rseq)) ||
+        if (!access_ok(t->rseq, sizeof(*t->rseq)) ||
             rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs))
                 force_sig(SIGSEGV, t);
 }
@@ -351,7 +351,7 @@ SYSCALL_DEFINE4(rseq, struct rseq __user *, rseq, u32, rseq_len,
         if (!IS_ALIGNED((unsigned long)rseq, __alignof__(*rseq)) ||
             rseq_len != sizeof(*rseq))
                 return -EINVAL;
-        if (!access_ok(VERIFY_WRITE, rseq, rseq_len))
+        if (!access_ok(rseq, rseq_len))
                 return -EFAULT;
         current->rseq = rseq;
         current->rseq_len = rseq_len;
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 17a954c9e153..223f78d5c111 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4450,7 +4450,7 @@ static int sched_copy_attr(struct sched_attr __user *uattr, struct sched_attr *a
         u32 size;
         int ret;
 
-        if (!access_ok(VERIFY_WRITE, uattr, SCHED_ATTR_SIZE_VER0))
+        if (!access_ok(uattr, SCHED_ATTR_SIZE_VER0))
                 return -EFAULT;
 
         /* Zero the full structure, so that a short copy will be nice: */
@@ -4650,7 +4650,7 @@ static int sched_read_attr(struct sched_attr __user *uattr,
 {
         int ret;
 
-        if (!access_ok(VERIFY_WRITE, uattr, usize))
+        if (!access_ok(uattr, usize))
                 return -EFAULT;
 
         /*
diff --git a/kernel/signal.c b/kernel/signal.c
index 53e07d97ffe0..e1d7ad8e6ab1 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3997,7 +3997,7 @@ SYSCALL_DEFINE3(sigaction, int, sig,
 
         if (act) {
                 old_sigset_t mask;
-                if (!access_ok(VERIFY_READ, act, sizeof(*act)) ||
+                if (!access_ok(act, sizeof(*act)) ||
                     __get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
                     __get_user(new_ka.sa.sa_restorer, &act->sa_restorer) ||
                     __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
@@ -4012,7 +4012,7 @@ SYSCALL_DEFINE3(sigaction, int, sig,
         ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
         if (!ret && oact) {
-                if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) ||
+                if (!access_ok(oact, sizeof(*oact)) ||
                     __put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
                     __put_user(old_ka.sa.sa_restorer, &oact->sa_restorer) ||
                     __put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
@@ -4034,7 +4034,7 @@ COMPAT_SYSCALL_DEFINE3(sigaction, int, sig,
         compat_uptr_t handler, restorer;
 
         if (act) {
-                if (!access_ok(VERIFY_READ, act, sizeof(*act)) ||
+                if (!access_ok(act, sizeof(*act)) ||
                     __get_user(handler, &act->sa_handler) ||
                     __get_user(restorer, &act->sa_restorer) ||
                     __get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
@@ -4052,7 +4052,7 @@ COMPAT_SYSCALL_DEFINE3(sigaction, int, sig,
         ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
 
         if (!ret && oact) {
-                if (!access_ok(VERIFY_WRITE, oact, sizeof(*oact)) ||
+                if (!access_ok(oact, sizeof(*oact)) ||
                     __put_user(ptr_to_compat(old_ka.sa.sa_handler),
                                &oact->sa_handler) ||
                     __put_user(ptr_to_compat(old_ka.sa.sa_restorer),
diff --git a/kernel/sys.c b/kernel/sys.c
index 64b5a230f38d..a48cbf1414b8 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2627,7 +2627,7 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info)
                 s.freehigh >>= bitcount;
         }
 
-        if (!access_ok(VERIFY_WRITE, info, sizeof(struct compat_sysinfo)) ||
+        if (!access_ok(info, sizeof(struct compat_sysinfo)) ||
             __put_user(s.uptime, &info->uptime) ||
             __put_user(s.loads[0], &info->loads[0]) ||
             __put_user(s.loads[1], &info->loads[1]) ||
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 9ddb6fddb4e0..8b068adb9da1 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -170,7 +170,7 @@ BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src,
                 return -EPERM;
         if (unlikely(uaccess_kernel()))
                 return -EPERM;
-        if (!access_ok(VERIFY_WRITE, unsafe_ptr, size))
+        if (!access_ok(unsafe_ptr, size))
                 return -EPERM;
 
         return probe_kernel_write(unsafe_ptr, src, size);
diff --git a/lib/bitmap.c b/lib/bitmap.c
index eead55aa7170..98872e9025da 100644
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
@@ -443,7 +443,7 @@ int bitmap_parse_user(const char __user *ubuf,
                         unsigned int ulen, unsigned long *maskp,
                         int nmaskbits)
 {
-        if (!access_ok(VERIFY_READ, ubuf, ulen))
+        if (!access_ok(ubuf, ulen))
                 return -EFAULT;
         return __bitmap_parse((const char __force *)ubuf,
                                 ulen, 1, maskp, nmaskbits);
@@ -641,7 +641,7 @@ int bitmap_parselist_user(const char __user *ubuf,
                         unsigned int ulen, unsigned long *maskp,
                         int nmaskbits)
 {
-        if (!access_ok(VERIFY_READ, ubuf, ulen))
+        if (!access_ok(ubuf, ulen))
                 return -EFAULT;
         return __bitmap_parselist((const char __force *)ubuf,
                                         ulen, 1, maskp, nmaskbits);
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 1928009f506e..c93870987b58 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -136,7 +136,7 @@
 
 static int copyout(void __user *to, const void *from, size_t n)
 {
-        if (access_ok(VERIFY_WRITE, to, n)) {
+        if (access_ok(to, n)) {
                 kasan_check_read(from, n);
                 n = raw_copy_to_user(to, from, n);
         }
@@ -145,7 +145,7 @@ static int copyout(void __user *to, const void *from, size_t n)
 
 static int copyin(void *to, const void __user *from, size_t n)
 {
-        if (access_ok(VERIFY_READ, from, n)) {
+        if (access_ok(from, n)) {
                 kasan_check_write(to, n);
                 n = raw_copy_from_user(to, from, n);
         }
@@ -614,7 +614,7 @@ EXPORT_SYMBOL(_copy_to_iter);
 #ifdef CONFIG_ARCH_HAS_UACCESS_MCSAFE
 static int copyout_mcsafe(void __user *to, const void *from, size_t n)
 {
-        if (access_ok(VERIFY_WRITE, to, n)) {
+        if (access_ok(to, n)) {
                 kasan_check_read(from, n);
                 n = copy_to_user_mcsafe((__force void *) to, from, n);
         }
@@ -1663,7 +1663,7 @@ int import_single_range(int rw, void __user *buf, size_t len,
 {
         if (len > MAX_RW_COUNT)
                 len = MAX_RW_COUNT;
-        if (unlikely(!access_ok(!rw, buf, len)))
+        if (unlikely(!access_ok(buf, len)))
                 return -EFAULT;
 
         iov->iov_base = buf;
diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
index b53e1b5d80f4..58eacd41526c 100644
--- a/lib/strncpy_from_user.c
+++ b/lib/strncpy_from_user.c
@@ -114,10 +114,11 @@ long strncpy_from_user(char *dst, const char __user *src, long count)
 
                 kasan_check_write(dst, count);
                 check_object_size(dst, count, false);
-                user_access_begin();
-                retval = do_strncpy_from_user(dst, src, count, max);
-                user_access_end();
-                return retval;
+                if (user_access_begin(src, max)) {
+                        retval = do_strncpy_from_user(dst, src, count, max);
+                        user_access_end();
+                        return retval;
+                }
         }
         return -EFAULT;
 }
diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
index 60d0bbda8f5e..1c1a1b0e38a5 100644
--- a/lib/strnlen_user.c
+++ b/lib/strnlen_user.c
@@ -114,10 +114,11 @@ long strnlen_user(const char __user *str, long count)
                 unsigned long max = max_addr - src_addr;
                 long retval;
 
-                user_access_begin();
-                retval = do_strnlen_user(str, count, max);
-                user_access_end();
-                return retval;
+                if (user_access_begin(str, max)) {
+                        retval = do_strnlen_user(str, count, max);
+                        user_access_end();
+                        return retval;
+                }
         }
         return 0;
 }
diff --git a/lib/usercopy.c b/lib/usercopy.c
index 3744b2a8e591..c2bfbcaeb3dc 100644
--- a/lib/usercopy.c
+++ b/lib/usercopy.c
@@ -8,7 +8,7 @@ unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n
 {
         unsigned long res = n;
         might_fault();
-        if (likely(access_ok(VERIFY_READ, from, n))) {
+        if (likely(access_ok(from, n))) {
                 kasan_check_write(to, n);
                 res = raw_copy_from_user(to, from, n);
         }
@@ -23,7 +23,7 @@ EXPORT_SYMBOL(_copy_from_user);
 unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n)
 {
         might_fault();
-        if (likely(access_ok(VERIFY_WRITE, to, n))) {
+        if (likely(access_ok(to, n))) {
                 kasan_check_read(from, n);
                 n = raw_copy_to_user(to, from, n);
         }
diff --git a/mm/gup.c b/mm/gup.c
index 6dd33e16a806..05acd7e2eb22 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1813,8 +1813,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
         len = (unsigned long) nr_pages << PAGE_SHIFT;
         end = start + len;
 
-        if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
-                                        (void __user *)start, len)))
+        if (unlikely(!access_ok((void __user *)start, len)))
                 return 0;
 
         /*
@@ -1868,8 +1867,7 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
         if (nr_pages <= 0)
                 return 0;
 
-        if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
-                                        (void __user *)start, len)))
+        if (unlikely(!access_ok((void __user *)start, len)))
                 return -EFAULT;
 
         if (gup_fast_permitted(start, nr_pages, write)) {
diff --git a/mm/mincore.c b/mm/mincore.c
index 4985965aa20a..218099b5ed31 100644
--- a/mm/mincore.c
+++ b/mm/mincore.c
@@ -233,14 +233,14 @@ SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len,
                 return -EINVAL;
 
         /* ..and we need to be passed a valid user-space range */
-        if (!access_ok(VERIFY_READ, (void __user *) start, len))
+        if (!access_ok((void __user *) start, len))
                 return -ENOMEM;
 
         /* This also avoids any overflows on PAGE_ALIGN */
         pages = len >> PAGE_SHIFT;
         pages += (offset_in_page(len)) != 0;
 
-        if (!access_ok(VERIFY_WRITE, vec, pages))
+        if (!access_ok(vec, pages))
                 return -EFAULT;
 
         tmp = (void *) __get_free_page(GFP_USER);
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index c603d33d5410..5d01edf8d819 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -653,15 +653,22 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
                         break;
                 }
 
-                dev = dev_get_by_name(&init_net, devname);
+                rtnl_lock();
+                dev = __dev_get_by_name(&init_net, devname);
                 if (!dev) {
+                        rtnl_unlock();
                         res = -ENODEV;
                         break;
                 }
 
                 ax25->ax25_dev = ax25_dev_ax25dev(dev);
+                if (!ax25->ax25_dev) {
+                        rtnl_unlock();
+                        res = -ENODEV;
+                        break;
+                }
                 ax25_fillin_cb(ax25, ax25->ax25_dev);
-                dev_put(dev);
+                rtnl_unlock();
                 break;
 
         default:
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
index 9a3a301e1e2f..d92195cd7834 100644
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -116,6 +116,7 @@ void ax25_dev_device_down(struct net_device *dev)
         if ((s = ax25_dev_list) == ax25_dev) {
                 ax25_dev_list = s->next;
                 spin_unlock_bh(&ax25_dev_lock);
+                dev->ax25_ptr = NULL;
                 dev_put(dev);
                 kfree(ax25_dev);
                 return;
@@ -125,6 +126,7 @@ void ax25_dev_device_down(struct net_device *dev)
                 if (s->next == ax25_dev) {
                         s->next = ax25_dev->next;
                         spin_unlock_bh(&ax25_dev_lock);
+                        dev->ax25_ptr = NULL;
                         dev_put(dev);
                         kfree(ax25_dev);
                         return;
diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c
index d70f363c52ae..6d5859714f52 100644
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -147,7 +147,7 @@ static ssize_t batadv_socket_read(struct file *file, char __user *buf,
         if (!buf || count < sizeof(struct batadv_icmp_packet))
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         error = wait_event_interruptible(socket_client->queue_wait,
diff --git a/net/batman-adv/log.c b/net/batman-adv/log.c
index 02e55b78132f..75f602e1ce94 100644
--- a/net/batman-adv/log.c
+++ b/net/batman-adv/log.c
@@ -136,7 +136,7 @@ static ssize_t batadv_log_read(struct file *file, char __user *buf,
         if (count == 0)
                 return 0;
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         error = wait_event_interruptible(debug_log->queue_wait,
diff --git a/net/compat.c b/net/compat.c
index f7084780a8f8..959d1c51826d 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -358,7 +358,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
 
         if (optlen < sizeof(*up))
                 return -EINVAL;
-        if (!access_ok(VERIFY_READ, up, sizeof(*up)) ||
+        if (!access_ok(up, sizeof(*up)) ||
             __get_user(ktime.tv_sec, &up->tv_sec) ||
             __get_user(ktime.tv_usec, &up->tv_usec))
                 return -EFAULT;
@@ -438,7 +438,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
 
         if (!err) {
                 if (put_user(sizeof(*up), optlen) ||
-                    !access_ok(VERIFY_WRITE, up, sizeof(*up)) ||
+                    !access_ok(up, sizeof(*up)) ||
                     __put_user(ktime.tv_sec, &up->tv_sec) ||
                     __put_user(ktime.tv_usec, &up->tv_usec))
                         err = -EFAULT;
@@ -467,12 +467,14 @@ int compat_sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
         ctv = (struct compat_timeval __user *) userstamp;
         err = -ENOENT;
         sock_enable_timestamp(sk, SOCK_TIMESTAMP);
-        tv = ktime_to_timeval(sk->sk_stamp);
+        tv = ktime_to_timeval(sock_read_timestamp(sk));
+
         if (tv.tv_sec == -1)
                 return err;
         if (tv.tv_sec == 0) {
-                sk->sk_stamp = ktime_get_real();
-                tv = ktime_to_timeval(sk->sk_stamp);
+                ktime_t kt = ktime_get_real();
+                sock_write_timestamp(sk, kt);
+                tv = ktime_to_timeval(kt);
         }
         err = 0;
         if (put_user(tv.tv_sec, &ctv->tv_sec) ||
@@ -494,12 +496,13 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta
         ctv = (struct compat_timespec __user *) userstamp;
         err = -ENOENT;
         sock_enable_timestamp(sk, SOCK_TIMESTAMP);
-        ts = ktime_to_timespec(sk->sk_stamp);
+        ts = ktime_to_timespec(sock_read_timestamp(sk));
         if (ts.tv_sec == -1)
                 return err;
         if (ts.tv_sec == 0) {
-                sk->sk_stamp = ktime_get_real();
-                ts = ktime_to_timespec(sk->sk_stamp);
+                ktime_t kt = ktime_get_real();
+                sock_write_timestamp(sk, kt);
+                ts = ktime_to_timespec(kt);
         }
         err = 0;
         if (put_user(ts.tv_sec, &ctv->tv_sec) ||
@@ -587,8 +590,8 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
                         compat_alloc_user_space(sizeof(struct group_req));
                 u32 interface;
 
-                if (!access_ok(VERIFY_READ, gr32, sizeof(*gr32)) ||
-                    !access_ok(VERIFY_WRITE, kgr, sizeof(struct group_req)) ||
+                if (!access_ok(gr32, sizeof(*gr32)) ||
+                    !access_ok(kgr, sizeof(struct group_req)) ||
                     __get_user(interface, &gr32->gr_interface) ||
                     __put_user(interface, &kgr->gr_interface) ||
                     copy_in_user(&kgr->gr_group, &gr32->gr_group,
@@ -608,8 +611,8 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
                         sizeof(struct group_source_req));
                 u32 interface;
 
-                if (!access_ok(VERIFY_READ, gsr32, sizeof(*gsr32)) ||
-                    !access_ok(VERIFY_WRITE, kgsr,
+                if (!access_ok(gsr32, sizeof(*gsr32)) ||
+                    !access_ok(kgsr,
                         sizeof(struct group_source_req)) ||
                     __get_user(interface, &gsr32->gsr_interface) ||
                     __put_user(interface, &kgsr->gsr_interface) ||
@@ -628,7 +631,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
                 struct group_filter __user *kgf;
                 u32 interface, fmode, numsrc;
 
-                if (!access_ok(VERIFY_READ, gf32, __COMPAT_GF0_SIZE) ||
+                if (!access_ok(gf32, __COMPAT_GF0_SIZE) ||
                     __get_user(interface, &gf32->gf_interface) ||
                     __get_user(fmode, &gf32->gf_fmode) ||
                     __get_user(numsrc, &gf32->gf_numsrc))
@@ -638,7 +641,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
                 if (koptlen < GROUP_FILTER_SIZE(numsrc))
                         return -EINVAL;
                 kgf = compat_alloc_user_space(koptlen);
-                if (!access_ok(VERIFY_WRITE, kgf, koptlen) ||
+                if (!access_ok(kgf, koptlen) ||
                     __put_user(interface, &kgf->gf_interface) ||
                     __put_user(fmode, &kgf->gf_fmode) ||
                     __put_user(numsrc, &kgf->gf_numsrc) ||
@@ -672,7 +675,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
                 return getsockopt(sock, level, optname, optval, optlen);
 
         koptlen = compat_alloc_user_space(sizeof(*koptlen));
-        if (!access_ok(VERIFY_READ, optlen, sizeof(*optlen)) ||
+        if (!access_ok(optlen, sizeof(*optlen)) ||
             __get_user(ulen, optlen))
                 return -EFAULT;
 
@@ -682,14 +685,14 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
         if (klen < GROUP_FILTER_SIZE(0))
                 return -EINVAL;
 
-        if (!access_ok(VERIFY_WRITE, koptlen, sizeof(*koptlen)) ||
+        if (!access_ok(koptlen, sizeof(*koptlen)) ||
             __put_user(klen, koptlen))
                 return -EFAULT;
 
         /* have to allow space for previous compat_alloc_user_space, too */
         kgf = compat_alloc_user_space(klen+sizeof(*optlen));
 
-        if (!access_ok(VERIFY_READ, gf32, __COMPAT_GF0_SIZE) ||
+        if (!access_ok(gf32, __COMPAT_GF0_SIZE) ||
             __get_user(interface, &gf32->gf_interface) ||
             __get_user(fmode, &gf32->gf_fmode) ||
             __get_user(numsrc, &gf32->gf_numsrc) ||
@@ -703,18 +706,18 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
         if (err)
                 return err;
 
-        if (!access_ok(VERIFY_READ, koptlen, sizeof(*koptlen)) ||
+        if (!access_ok(koptlen, sizeof(*koptlen)) ||
             __get_user(klen, koptlen))
                 return -EFAULT;
 
         ulen = klen - (sizeof(*kgf)-sizeof(*gf32));
 
-        if (!access_ok(VERIFY_WRITE, optlen, sizeof(*optlen)) ||
+        if (!access_ok(optlen, sizeof(*optlen)) ||
             __put_user(ulen, optlen))
                 return -EFAULT;
 
-        if (!access_ok(VERIFY_READ, kgf, klen) ||
-            !access_ok(VERIFY_WRITE, gf32, ulen) ||
+        if (!access_ok(kgf, klen) ||
+            !access_ok(gf32, ulen) ||
             __get_user(interface, &kgf->gf_interface) ||
             __get_user(fmode, &kgf->gf_fmode) ||
             __get_user(numsrc, &kgf->gf_numsrc) ||
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index d05402868575..158264f7cfaf 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -793,8 +793,13 @@ static noinline_for_stack int ethtool_get_drvinfo(struct net_device *dev,
                 if (rc >= 0)
                         info.n_priv_flags = rc;
         }
-        if (ops->get_regs_len)
-                info.regdump_len = ops->get_regs_len(dev);
+        if (ops->get_regs_len) {
+                int ret = ops->get_regs_len(dev);
+
+                if (ret > 0)
+                        info.regdump_len = ret;
+        }
+
         if (ops->get_eeprom_len)
                 info.eedump_len = ops->get_eeprom_len(dev);
 
@@ -1337,6 +1342,9 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
                 return -EFAULT;
 
         reglen = ops->get_regs_len(dev);
+        if (reglen <= 0)
+                return reglen;
+
         if (regs.len > reglen)
                 regs.len = reglen;
 
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 48f61885fd6f..5ea1bed08ede 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -4104,6 +4104,11 @@ static int rtnl_fdb_get(struct sk_buff *in_skb, struct nlmsghdr *nlh,
         if (err < 0)
                 return err;
 
+        if (!addr) {
+                NL_SET_ERR_MSG(extack, "Missing lookup address for fdb get request");
+                return -EINVAL;
+        }
+
         if (brport_idx) {
                 dev = __dev_get_by_index(net, brport_idx);
                 if (!dev) {
diff --git a/net/core/sock.c b/net/core/sock.c
index f00902c532cc..6aa2e7e0b4fb 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2751,6 +2751,9 @@ void sock_init_data(struct socket *sock, struct sock *sk)
         sk->sk_sndtimeo         =       MAX_SCHEDULE_TIMEOUT;
 
         sk->sk_stamp = SK_DEFAULT_STAMP;
+#if BITS_PER_LONG==32
+        seqlock_init(&sk->sk_stamp_seq);
+#endif
         atomic_set(&sk->sk_zckey, 0);
 
 #ifdef CONFIG_NET_RX_BUSY_POLL
@@ -2850,12 +2853,13 @@ int sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
         struct timeval tv;
 
         sock_enable_timestamp(sk, SOCK_TIMESTAMP);
-        tv = ktime_to_timeval(sk->sk_stamp);
+        tv = ktime_to_timeval(sock_read_timestamp(sk));
         if (tv.tv_sec == -1)
                 return -ENOENT;
         if (tv.tv_sec == 0) {
-                sk->sk_stamp = ktime_get_real();
-                tv = ktime_to_timeval(sk->sk_stamp);
+                ktime_t kt = ktime_get_real();
+                sock_write_timestamp(sk, kt);
+                tv = ktime_to_timeval(kt);
         }
         return copy_to_user(userstamp, &tv, sizeof(tv)) ? -EFAULT : 0;
 }
@@ -2866,11 +2870,12 @@ int sock_get_timestampns(struct sock *sk, struct timespec __user *userstamp)
         struct timespec ts;
 
         sock_enable_timestamp(sk, SOCK_TIMESTAMP);
-        ts = ktime_to_timespec(sk->sk_stamp);
+        ts = ktime_to_timespec(sock_read_timestamp(sk));
         if (ts.tv_sec == -1)
                 return -ENOENT;
         if (ts.tv_sec == 0) {
-                sk->sk_stamp = ktime_get_real();
+                ktime_t kt = ktime_get_real();
+                sock_write_timestamp(sk, kt);
                 ts = ktime_to_timespec(sk->sk_stamp);
         }
         return copy_to_user(userstamp, &ts, sizeof(ts)) ? -EFAULT : 0;
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index f8eb78d042a4..cfec3af54c8d 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -198,11 +198,15 @@ static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
 
 static struct fib_table *fib_empty_table(struct net *net)
 {
-        u32 id;
+        u32 id = 1;
 
-        for (id = 1; id <= RT_TABLE_MAX; id++)
+        while (1) {
                 if (!fib_get_table(net, id))
                         return fib_new_table(net, id);
+
+                if (id++ == RT_TABLE_MAX)
+                        break;
+        }
         return NULL;
 }
 
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index c7a7bd58a23c..d1d09f3e5f9e 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -676,6 +676,9 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
         struct ip_tunnel *tunnel = netdev_priv(dev);
         const struct iphdr *tnl_params;
 
+        if (!pskb_inet_may_pull(skb))
+                goto free_skb;
+
         if (tunnel->collect_md) {
                 gre_fb_xmit(skb, dev, skb->protocol);
                 return NETDEV_TX_OK;
@@ -719,6 +722,9 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
         struct ip_tunnel *tunnel = netdev_priv(dev);
         bool truncate = false;
 
+        if (!pskb_inet_may_pull(skb))
+                goto free_skb;
+
         if (tunnel->collect_md) {
                 erspan_fb_xmit(skb, dev, skb->protocol);
                 return NETDEV_TX_OK;
@@ -762,6 +768,9 @@ static netdev_tx_t gre_tap_xmit(struct sk_buff *skb,
 {
         struct ip_tunnel *tunnel = netdev_priv(dev);
 
+        if (!pskb_inet_may_pull(skb))
+                goto free_skb;
+
         if (tunnel->collect_md) {
                 gre_fb_xmit(skb, dev, htons(ETH_P_TEB));
                 return NETDEV_TX_OK;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 284a22154b4e..c4f5602308ed 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -627,7 +627,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
                     const struct iphdr *tnl_params, u8 protocol)
 {
         struct ip_tunnel *tunnel = netdev_priv(dev);
-        unsigned int inner_nhdr_len = 0;
         const struct iphdr *inner_iph;
         struct flowi4 fl4;
         u8     tos, ttl;
@@ -637,14 +636,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
         __be32 dst;
         bool connected;
 
-        /* ensure we can access the inner net header, for several users below */
-        if (skb->protocol == htons(ETH_P_IP))
-                inner_nhdr_len = sizeof(struct iphdr);
-        else if (skb->protocol == htons(ETH_P_IPV6))
-                inner_nhdr_len = sizeof(struct ipv6hdr);
-        if (unlikely(!pskb_may_pull(skb, inner_nhdr_len)))
-                goto tx_error;
-
         inner_iph = (const struct iphdr *)skb_inner_network_header(skb);
         connected = (tunnel->parms.iph.daddr != 0);
 
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index de31b302d69c..d7b43e700023 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -241,6 +241,9 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
         struct ip_tunnel *tunnel = netdev_priv(dev);
         struct flowi fl;
 
+        if (!pskb_inet_may_pull(skb))
+                goto tx_err;
+
         memset(&fl, 0, sizeof(fl));
 
         switch (skb->protocol) {
@@ -253,15 +256,18 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
                 memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
                 break;
         default:
-                dev->stats.tx_errors++;
-                dev_kfree_skb(skb);
-                return NETDEV_TX_OK;
+                goto tx_err;
         }
 
         /* override mark with tunnel output key */
         fl.flowi_mark = be32_to_cpu(tunnel->parms.o_key);
 
         return vti_xmit(skb, dev, &fl);
+
+tx_err:
+        dev->stats.tx_errors++;
+        kfree_skb(skb);
+        return NETDEV_TX_OK;
 }
 
 static int vti4_err(struct sk_buff *skb, u32 info)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 521e471f1cf9..8eeec6eb2bd3 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4736,8 +4736,8 @@ inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh,
                          IFA_F_MCAUTOJOIN | IFA_F_OPTIMISTIC;
 
         idev = ipv6_find_idev(dev);
-        if (IS_ERR(idev))
-                return PTR_ERR(idev);
+        if (!idev)
+                return -ENOBUFS;
 
         if (!ipv6_allow_optimistic_dad(net, idev))
                 cfg.ifa_flags &= ~IFA_F_OPTIMISTIC;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index f0cd291034f0..0bfb6cc0a30a 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -350,6 +350,9 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
                                         err = -EINVAL;
                                         goto out_unlock;
                                 }
+                        }
+
+                        if (sk->sk_bound_dev_if) {
                                 dev = dev_get_by_index_rcu(net, sk->sk_bound_dev_if);
                                 if (!dev) {
                                         err = -ENODEV;
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index ae3786132c23..6613d8dbb0e5 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -627,7 +627,11 @@ static int inet6_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
                         return -ENOENT;
                 }
 
-                res = fib6_dump_table(tb, skb, cb);
+                if (!cb->args[0]) {
+                        res = fib6_dump_table(tb, skb, cb);
+                        if (!res)
+                                cb->args[0] = 1;
+                }
                 goto out;
         }
 
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 229e55c99021..09d0826742f8 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -881,6 +881,9 @@ static netdev_tx_t ip6gre_tunnel_xmit(struct sk_buff *skb,
         struct net_device_stats *stats = &t->dev->stats;
         int ret;
 
+        if (!pskb_inet_may_pull(skb))
+                goto tx_err;
+
         if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr))
                 goto tx_err;
 
@@ -923,6 +926,9 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
         int nhoff;
         int thoff;
 
+        if (!pskb_inet_may_pull(skb))
+                goto tx_err;
+
         if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr))
                 goto tx_err;
 
@@ -995,8 +1001,6 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                         goto tx_err;
                 }
         } else {
-                struct ipv6hdr *ipv6h = ipv6_hdr(skb);
-
                 switch (skb->protocol) {
                 case htons(ETH_P_IP):
                         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
@@ -1004,7 +1008,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                                                  &dsfield, &encap_limit);
                         break;
                 case htons(ETH_P_IPV6):
-                        if (ipv6_addr_equal(&t->parms.raddr, &ipv6h->saddr))
+                        if (ipv6_addr_equal(&t->parms.raddr, &ipv6_hdr(skb)->saddr))
                                 goto tx_err;
                         if (prepare_ip6gre_xmit_ipv6(skb, dev, &fl6,
                                                      &dsfield, &encap_limit))
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 99179b9c8384..0c6403cf8b52 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1243,10 +1243,6 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         u8 tproto;
         int err;
 
-        /* ensure we can access the full inner ip header */
-        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
-                return -1;
-
         iph = ip_hdr(skb);
         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
 
@@ -1321,9 +1317,6 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         u8 tproto;
         int err;
 
-        if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
-                return -1;
-
         ipv6h = ipv6_hdr(skb);
         tproto = READ_ONCE(t->parms.proto);
         if ((tproto != IPPROTO_IPV6 && tproto != 0) ||
@@ -1405,6 +1398,9 @@ ip6_tnl_start_xmit(struct sk_buff *skb, struct net_device *dev)
         struct net_device_stats *stats = &t->dev->stats;
         int ret;
 
+        if (!pskb_inet_may_pull(skb))
+                goto tx_err;
+
         switch (skb->protocol) {
         case htons(ETH_P_IP):
                 ret = ip4ip6_tnl_xmit(skb, dev);
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 706fe42e4928..8b6eefff2f7e 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -522,18 +522,18 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
 {
         struct ip6_tnl *t = netdev_priv(dev);
         struct net_device_stats *stats = &t->dev->stats;
-        struct ipv6hdr *ipv6h;
         struct flowi fl;
         int ret;
 
+        if (!pskb_inet_may_pull(skb))
+                goto tx_err;
+
         memset(&fl, 0, sizeof(fl));
 
         switch (skb->protocol) {
         case htons(ETH_P_IPV6):
-                ipv6h = ipv6_hdr(skb);
-
                 if ((t->parms.proto != IPPROTO_IPV6 && t->parms.proto != 0) ||
-                    vti6_addr_conflict(t, ipv6h))
+                    vti6_addr_conflict(t, ipv6_hdr(skb)))
                         goto tx_err;
 
                 xfrm_decode_session(skb, &fl, AF_INET6);
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 8276f1224f16..30337b38274b 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -51,6 +51,7 @@
 #include <linux/export.h>
 #include <net/ip6_checksum.h>
 #include <linux/netconf.h>
+#include <net/ip_tunnels.h>
 
 #include <linux/nospec.h>
 
@@ -599,13 +600,12 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
                 .flowi6_iif     = skb->skb_iif ? : LOOPBACK_IFINDEX,
                 .flowi6_mark    = skb->mark,
         };
-        int err;
 
-        err = ip6mr_fib_lookup(net, &fl6, &mrt);
-        if (err < 0) {
-                kfree_skb(skb);
-                return err;
-        }
+        if (!pskb_inet_may_pull(skb))
+                goto tx_err;
+
+        if (ip6mr_fib_lookup(net, &fl6, &mrt) < 0)
+                goto tx_err;
 
         read_lock(&mrt_lock);
         dev->stats.tx_bytes += skb->len;
@@ -614,6 +614,11 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
         read_unlock(&mrt_lock);
         kfree_skb(skb);
         return NETDEV_TX_OK;
+
+tx_err:
+        dev->stats.tx_errors++;
+        kfree_skb(skb);
+        return NETDEV_TX_OK;
 }
 
 static int reg_vif_get_iflink(const struct net_device *dev)
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index a5bb59ee50ac..36a3d8dc61f5 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -210,7 +210,7 @@ found:
         if (next && next->ip_defrag_offset < end)
                 goto discard_fq;
 
-        /* Note : skb->ip_defrag_offset and skb->dev share the same location */
+        /* Note : skb->ip_defrag_offset and skb->sk share the same location */
         dev = skb->dev;
         if (dev)
                 fq->iif = dev->ifindex;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 194bc162866d..40b225f87d5e 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -210,7 +210,9 @@ struct neighbour *ip6_neigh_lookup(const struct in6_addr *gw,
         n = __ipv6_neigh_lookup(dev, daddr);
         if (n)
                 return n;
-        return neigh_create(&nd_tbl, daddr, dev);
+
+        n = neigh_create(&nd_tbl, daddr, dev);
+        return IS_ERR(n) ? NULL : n;
 }
 
 static struct neighbour *ip6_dst_neigh_lookup(const struct dst_entry *dst,
@@ -5054,12 +5056,16 @@ int ipv6_sysctl_rtcache_flush(struct ctl_table *ctl, int write,
 {
         struct net *net;
         int delay;
+        int ret;
         if (!write)
                 return -EINVAL;
 
         net = (struct net *)ctl->extra1;
         delay = net->ipv6.sysctl.flush_delay;
-        proc_dointvec(ctl, write, buffer, lenp, ppos);
+        ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
+        if (ret)
+                return ret;
+
         fib6_run_gc(delay <= 0 ? 0 : (unsigned long)delay, net, delay > 0);
         return 0;
 }
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 51c9f75f34b9..1e03305c0549 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1021,6 +1021,9 @@ tx_error:
 static netdev_tx_t sit_tunnel_xmit(struct sk_buff *skb,
                                    struct net_device *dev)
 {
+        if (!pskb_inet_may_pull(skb))
+                goto tx_err;
+
         switch (skb->protocol) {
         case htons(ETH_P_IP):
                 sit_tunnel_xmit__(skb, dev, IPPROTO_IPIP);
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 9cd180bda092..7554c56b2e63 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -33,12 +33,6 @@
 
 #define CONNCOUNT_SLOTS         256U
 
-#ifdef CONFIG_LOCKDEP
-#define CONNCOUNT_LOCK_SLOTS    8U
-#else
-#define CONNCOUNT_LOCK_SLOTS    256U
-#endif
-
 #define CONNCOUNT_GC_MAX_NODES  8
 #define MAX_KEYLEN              5
 
@@ -49,8 +43,6 @@ struct nf_conncount_tuple {
         struct nf_conntrack_zone        zone;
         int                             cpu;
         u32                             jiffies32;
-        bool                            dead;
-        struct rcu_head                 rcu_head;
 };
 
 struct nf_conncount_rb {
@@ -60,7 +52,7 @@ struct nf_conncount_rb {
         struct rcu_head rcu_head;
 };
 
-static spinlock_t nf_conncount_locks[CONNCOUNT_LOCK_SLOTS] __cacheline_aligned_in_smp;
+static spinlock_t nf_conncount_locks[CONNCOUNT_SLOTS] __cacheline_aligned_in_smp;
 
 struct nf_conncount_data {
         unsigned int keylen;
@@ -89,79 +81,25 @@ static int key_diff(const u32 *a, const u32 *b, unsigned int klen)
         return memcmp(a, b, klen * sizeof(u32));
 }
 
-enum nf_conncount_list_add
-nf_conncount_add(struct nf_conncount_list *list,
-                 const struct nf_conntrack_tuple *tuple,
-                 const struct nf_conntrack_zone *zone)
-{
-        struct nf_conncount_tuple *conn;
-
-        if (WARN_ON_ONCE(list->count > INT_MAX))
-                return NF_CONNCOUNT_ERR;
-
-        conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
-        if (conn == NULL)
-                return NF_CONNCOUNT_ERR;
-
-        conn->tuple = *tuple;
-        conn->zone = *zone;
-        conn->cpu = raw_smp_processor_id();
-        conn->jiffies32 = (u32)jiffies;
-        conn->dead = false;
-        spin_lock_bh(&list->list_lock);
-        if (list->dead == true) {
-                kmem_cache_free(conncount_conn_cachep, conn);
-                spin_unlock_bh(&list->list_lock);
-                return NF_CONNCOUNT_SKIP;
-        }
-        list_add_tail(&conn->node, &list->head);
-        list->count++;
-        spin_unlock_bh(&list->list_lock);
-        return NF_CONNCOUNT_ADDED;
-}
-EXPORT_SYMBOL_GPL(nf_conncount_add);
-
-static void __conn_free(struct rcu_head *h)
-{
-        struct nf_conncount_tuple *conn;
-
-        conn = container_of(h, struct nf_conncount_tuple, rcu_head);
-        kmem_cache_free(conncount_conn_cachep, conn);
-}
-
-static bool conn_free(struct nf_conncount_list *list,
+static void conn_free(struct nf_conncount_list *list,
                       struct nf_conncount_tuple *conn)
 {
-        bool free_entry = false;
-
-        spin_lock_bh(&list->list_lock);
-
-        if (conn->dead) {
-                spin_unlock_bh(&list->list_lock);
-                return free_entry;
-        }
+        lockdep_assert_held(&list->list_lock);
 
         list->count--;
-        conn->dead = true;
-        list_del_rcu(&conn->node);
-        if (list->count == 0) {
-                list->dead = true;
-                free_entry = true;
-        }
+        list_del(&conn->node);
 
-        spin_unlock_bh(&list->list_lock);
-        call_rcu(&conn->rcu_head, __conn_free);
-        return free_entry;
+        kmem_cache_free(conncount_conn_cachep, conn);
 }
 
 static const struct nf_conntrack_tuple_hash *
 find_or_evict(struct net *net, struct nf_conncount_list *list,
-              struct nf_conncount_tuple *conn, bool *free_entry)
+              struct nf_conncount_tuple *conn)
 {
         const struct nf_conntrack_tuple_hash *found;
         unsigned long a, b;
         int cpu = raw_smp_processor_id();
-        __s32 age;
+        u32 age;
 
         found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
         if (found)
@@ -176,52 +114,45 @@ find_or_evict(struct net *net, struct nf_conncount_list *list,
          */
         age = a - b;
         if (conn->cpu == cpu || age >= 2) {
-                *free_entry = conn_free(list, conn);
+                conn_free(list, conn);
                 return ERR_PTR(-ENOENT);
         }
 
         return ERR_PTR(-EAGAIN);
 }
 
-void nf_conncount_lookup(struct net *net,
-                         struct nf_conncount_list *list,
-                         const struct nf_conntrack_tuple *tuple,
-                         const struct nf_conntrack_zone *zone,
-                         bool *addit)
+static int __nf_conncount_add(struct net *net,
+                              struct nf_conncount_list *list,
+                              const struct nf_conntrack_tuple *tuple,
+                              const struct nf_conntrack_zone *zone)
 {
         const struct nf_conntrack_tuple_hash *found;
         struct nf_conncount_tuple *conn, *conn_n;
         struct nf_conn *found_ct;
         unsigned int collect = 0;
-        bool free_entry = false;
-
-        /* best effort only */
-        *addit = tuple ? true : false;
 
         /* check the saved connections */
         list_for_each_entry_safe(conn, conn_n, &list->head, node) {
                 if (collect > CONNCOUNT_GC_MAX_NODES)
                         break;
 
-                found = find_or_evict(net, list, conn, &free_entry);
+                found = find_or_evict(net, list, conn);
                 if (IS_ERR(found)) {
                         /* Not found, but might be about to be confirmed */
                         if (PTR_ERR(found) == -EAGAIN) {
-                                if (!tuple)
-                                        continue;
-
                                 if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
                                     nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
                                     nf_ct_zone_id(zone, zone->dir))
-                                        *addit = false;
-                        } else if (PTR_ERR(found) == -ENOENT)
+                                        return 0; /* already exists */
+                        } else {
                                 collect++;
+                        }
                         continue;
                 }
 
                 found_ct = nf_ct_tuplehash_to_ctrack(found);
 
-                if (tuple && nf_ct_tuple_equal(&conn->tuple, tuple) &&
+                if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
                     nf_ct_zone_equal(found_ct, zone, zone->dir)) {
                         /*
                          * We should not see tuples twice unless someone hooks
@@ -229,7 +160,8 @@ void nf_conncount_lookup(struct net *net,
                          *
                          * Attempt to avoid a re-add in this case.
                          */
-                        *addit = false;
+                        nf_ct_put(found_ct);
+                        return 0;
                 } else if (already_closed(found_ct)) {
                         /*
                          * we do not care about connections which are
@@ -243,19 +175,48 @@ void nf_conncount_lookup(struct net *net,
 
                 nf_ct_put(found_ct);
         }
+
+        if (WARN_ON_ONCE(list->count > INT_MAX))
+                return -EOVERFLOW;
+
+        conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
+        if (conn == NULL)
+                return -ENOMEM;
+
+        conn->tuple = *tuple;
+        conn->zone = *zone;
+        conn->cpu = raw_smp_processor_id();
+        conn->jiffies32 = (u32)jiffies;
+        list_add_tail(&conn->node, &list->head);
+        list->count++;
+        return 0;
 }
-EXPORT_SYMBOL_GPL(nf_conncount_lookup);
+
+int nf_conncount_add(struct net *net,
+                     struct nf_conncount_list *list,
+                     const struct nf_conntrack_tuple *tuple,
+                     const struct nf_conntrack_zone *zone)
+{
+        int ret;
+
+        /* check the saved connections */
+        spin_lock_bh(&list->list_lock);
+        ret = __nf_conncount_add(net, list, tuple, zone);
+        spin_unlock_bh(&list->list_lock);
+
+        return ret;
+}
+EXPORT_SYMBOL_GPL(nf_conncount_add);
 
 void nf_conncount_list_init(struct nf_conncount_list *list)
 {
         spin_lock_init(&list->list_lock);
         INIT_LIST_HEAD(&list->head);
         list->count = 0;
-        list->dead = false;
 }
 EXPORT_SYMBOL_GPL(nf_conncount_list_init);
 
-/* Return true if the list is empty */
+/* Return true if the list is empty. Must be called with BH disabled. */
 bool nf_conncount_gc_list(struct net *net,
                           struct nf_conncount_list *list)
 {
@@ -263,17 +224,17 @@ bool nf_conncount_gc_list(struct net *net,
         struct nf_conncount_tuple *conn, *conn_n;
         struct nf_conn *found_ct;
         unsigned int collected = 0;
-        bool free_entry = false;
         bool ret = false;
 
+        /* don't bother if other cpu is already doing GC */
+        if (!spin_trylock(&list->list_lock))
+                return false;
+
         list_for_each_entry_safe(conn, conn_n, &list->head, node) {
-                found = find_or_evict(net, list, conn, &free_entry);
+                found = find_or_evict(net, list, conn);
                 if (IS_ERR(found)) {
-                        if (PTR_ERR(found) == -ENOENT)  {
-                                if (free_entry)
-                                        return true;
+                        if (PTR_ERR(found) == -ENOENT)
                                 collected++;
-                        }
                         continue;
                 }
 
@@ -284,23 +245,19 @@ bool nf_conncount_gc_list(struct net *net,
                          * closed already -> ditch it
                          */
                         nf_ct_put(found_ct);
-                        if (conn_free(list, conn))
-                                return true;
+                        conn_free(list, conn);
                         collected++;
                         continue;
                 }
 
                 nf_ct_put(found_ct);
                 if (collected > CONNCOUNT_GC_MAX_NODES)
-                        return false;
+                        break;
         }
 
-        spin_lock_bh(&list->list_lock);
-        if (!list->count) {
-                list->dead = true;
+        if (!list->count)
                 ret = true;
-        }
-        spin_unlock_bh(&list->list_lock);
+        spin_unlock(&list->list_lock);
 
         return ret;
 }
@@ -314,6 +271,7 @@ static void __tree_nodes_free(struct rcu_head *h)
         kmem_cache_free(conncount_rb_cachep, rbconn);
 }
 
+/* caller must hold tree nf_conncount_locks[] lock */
 static void tree_nodes_free(struct rb_root *root,
                             struct nf_conncount_rb *gc_nodes[],
                             unsigned int gc_count)
@@ -323,8 +281,10 @@ static void tree_nodes_free(struct rb_root *root,
         while (gc_count) {
                 rbconn = gc_nodes[--gc_count];
                 spin_lock(&rbconn->list.list_lock);
-                rb_erase(&rbconn->node, root);
-                call_rcu(&rbconn->rcu_head, __tree_nodes_free);
+                if (!rbconn->list.count) {
+                        rb_erase(&rbconn->node, root);
+                        call_rcu(&rbconn->rcu_head, __tree_nodes_free);
+                }
                 spin_unlock(&rbconn->list.list_lock);
         }
 }
@@ -341,20 +301,19 @@ insert_tree(struct net *net,
             struct rb_root *root,
             unsigned int hash,
             const u32 *key,
-            u8 keylen,
             const struct nf_conntrack_tuple *tuple,
             const struct nf_conntrack_zone *zone)
 {
-        enum nf_conncount_list_add ret;
         struct nf_conncount_rb *gc_nodes[CONNCOUNT_GC_MAX_NODES];
         struct rb_node **rbnode, *parent;
         struct nf_conncount_rb *rbconn;
         struct nf_conncount_tuple *conn;
         unsigned int count = 0, gc_count = 0;
-        bool node_found = false;
-
-        spin_lock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]);
+        u8 keylen = data->keylen;
+        bool do_gc = true;
 
+        spin_lock_bh(&nf_conncount_locks[hash]);
+restart:
         parent = NULL;
         rbnode = &(root->rb_node);
         while (*rbnode) {
@@ -368,45 +327,32 @@ insert_tree(struct net *net,
                 } else if (diff > 0) {
                         rbnode = &((*rbnode)->rb_right);
                 } else {
-                        /* unlikely: other cpu added node already */
-                        node_found = true;
-                        ret = nf_conncount_add(&rbconn->list, tuple, zone);
-                        if (ret == NF_CONNCOUNT_ERR) {
+                        int ret;
+
+                        ret = nf_conncount_add(net, &rbconn->list, tuple, zone);
+                        if (ret)
                                 count = 0; /* hotdrop */
-                        } else if (ret == NF_CONNCOUNT_ADDED) {
+                        else
                                 count = rbconn->list.count;
-                        } else {
-                                /* NF_CONNCOUNT_SKIP, rbconn is already
-                                 * reclaimed by gc, insert a new tree node
-                                 */
-                                node_found = false;
-                        }
-                        break;
+                        tree_nodes_free(root, gc_nodes, gc_count);
+                        goto out_unlock;
                 }
 
                 if (gc_count >= ARRAY_SIZE(gc_nodes))
                         continue;
 
-                if (nf_conncount_gc_list(net, &rbconn->list))
+                if (do_gc && nf_conncount_gc_list(net, &rbconn->list))
                         gc_nodes[gc_count++] = rbconn;
         }
 
         if (gc_count) {
                 tree_nodes_free(root, gc_nodes, gc_count);
-                /* tree_node_free before new allocation permits
-                 * allocator to re-use newly free'd object.
-                 *
-                 * This is a rare event; in most cases we will find
-                 * existing node to re-use. (or gc_count is 0).
-                 */
-
-                if (gc_count >= ARRAY_SIZE(gc_nodes))
-                        schedule_gc_worker(data, hash);
+                schedule_gc_worker(data, hash);
+                gc_count = 0;
+                do_gc = false;
+                goto restart;
         }
 
-        if (node_found)
-                goto out_unlock;
-
         /* expected case: match, insert new node */
         rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC);
         if (rbconn == NULL)
@@ -430,7 +376,7 @@ insert_tree(struct net *net,
         rb_link_node_rcu(&rbconn->node, parent, rbnode);
         rb_insert_color(&rbconn->node, root);
 out_unlock:
-        spin_unlock_bh(&nf_conncount_locks[hash % CONNCOUNT_LOCK_SLOTS]);
+        spin_unlock_bh(&nf_conncount_locks[hash]);
         return count;
 }
 
@@ -441,7 +387,6 @@ count_tree(struct net *net,
            const struct nf_conntrack_tuple *tuple,
            const struct nf_conntrack_zone *zone)
 {
-        enum nf_conncount_list_add ret;
         struct rb_root *root;
         struct rb_node *parent;
         struct nf_conncount_rb *rbconn;
@@ -454,7 +399,6 @@ count_tree(struct net *net,
         parent = rcu_dereference_raw(root->rb_node);
         while (parent) {
                 int diff;
-                bool addit;
 
                 rbconn = rb_entry(parent, struct nf_conncount_rb, node);
 
@@ -464,31 +408,36 @@ count_tree(struct net *net,
                 } else if (diff > 0) {
                         parent = rcu_dereference_raw(parent->rb_right);
                 } else {
-                        /* same source network -> be counted! */
-                        nf_conncount_lookup(net, &rbconn->list, tuple, zone,
-                                            &addit);
+                        int ret;
 
-                        if (!addit)
+                        if (!tuple) {
+                                nf_conncount_gc_list(net, &rbconn->list);
                                 return rbconn->list.count;
+                        }
 
-                        ret = nf_conncount_add(&rbconn->list, tuple, zone);
-                        if (ret == NF_CONNCOUNT_ERR) {
-                                return 0; /* hotdrop */
-                        } else if (ret == NF_CONNCOUNT_ADDED) {
-                                return rbconn->list.count;
-                        } else {
-                                /* NF_CONNCOUNT_SKIP, rbconn is already
-                                 * reclaimed by gc, insert a new tree node
-                                 */
+                        spin_lock_bh(&rbconn->list.list_lock);
+                        /* Node might be about to be free'd.
+                         * We need to defer to insert_tree() in this case.
+                         */
+                        if (rbconn->list.count == 0) {
+                                spin_unlock_bh(&rbconn->list.list_lock);
                                 break;
                         }
+
+                        /* same source network -> be counted! */
+                        ret = __nf_conncount_add(net, &rbconn->list, tuple, zone);
+                        spin_unlock_bh(&rbconn->list.list_lock);
+                        if (ret)
+                                return 0; /* hotdrop */
+                        else
+                                return rbconn->list.count;
                 }
         }
 
         if (!tuple)
                 return 0;
 
-        return insert_tree(net, data, root, hash, key, keylen, tuple, zone);
+        return insert_tree(net, data, root, hash, key, tuple, zone);
 }
 
 static void tree_gc_worker(struct work_struct *work)
@@ -499,27 +448,47 @@ static void tree_gc_worker(struct work_struct *work)
         struct rb_node *node;
         unsigned int tree, next_tree, gc_count = 0;
 
-        tree = data->gc_tree % CONNCOUNT_LOCK_SLOTS;
+        tree = data->gc_tree % CONNCOUNT_SLOTS;
         root = &data->root[tree];
 
+        local_bh_disable();
         rcu_read_lock();
         for (node = rb_first(root); node != NULL; node = rb_next(node)) {
                 rbconn = rb_entry(node, struct nf_conncount_rb, node);
                 if (nf_conncount_gc_list(data->net, &rbconn->list))
-                        gc_nodes[gc_count++] = rbconn;
+                        gc_count++;
         }
         rcu_read_unlock();
+        local_bh_enable();
+
+        cond_resched();
 
         spin_lock_bh(&nf_conncount_locks[tree]);
+        if (gc_count < ARRAY_SIZE(gc_nodes))
+                goto next; /* do not bother */
 
-        if (gc_count) {
-                tree_nodes_free(root, gc_nodes, gc_count);
+        gc_count = 0;
+        node = rb_first(root);
+        while (node != NULL) {
+                rbconn = rb_entry(node, struct nf_conncount_rb, node);
+                node = rb_next(node);
+
+                if (rbconn->list.count > 0)
+                        continue;
+
+                gc_nodes[gc_count++] = rbconn;
+                if (gc_count >= ARRAY_SIZE(gc_nodes)) {
+                        tree_nodes_free(root, gc_nodes, gc_count);
+                        gc_count = 0;
+                }
         }
 
+        tree_nodes_free(root, gc_nodes, gc_count);
+next:
         clear_bit(tree, data->pending_trees);
 
         next_tree = (tree + 1) % CONNCOUNT_SLOTS;
-        next_tree = find_next_bit(data->pending_trees, next_tree, CONNCOUNT_SLOTS);
+        next_tree = find_next_bit(data->pending_trees, CONNCOUNT_SLOTS, next_tree);
 
         if (next_tree < CONNCOUNT_SLOTS) {
                 data->gc_tree = next_tree;
@@ -621,10 +590,7 @@ static int __init nf_conncount_modinit(void)
 {
         int i;
 
-        BUILD_BUG_ON(CONNCOUNT_LOCK_SLOTS > CONNCOUNT_SLOTS);
-        BUILD_BUG_ON((CONNCOUNT_SLOTS % CONNCOUNT_LOCK_SLOTS) != 0);
-
-        for (i = 0; i < CONNCOUNT_LOCK_SLOTS; ++i)
+        for (i = 0; i < CONNCOUNT_SLOTS; ++i)
                 spin_lock_init(&nf_conncount_locks[i]);
 
         conncount_conn_cachep = kmem_cache_create("nf_conncount_tuple",
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fec814dace5a..2b0a93300dd7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5727,6 +5727,8 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net,
                 goto nla_put_failure;
 
         nest = nla_nest_start(skb, NFTA_FLOWTABLE_HOOK);
+        if (!nest)
+                goto nla_put_failure;
         if (nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_NUM, htonl(flowtable->hooknum)) ||
             nla_put_be32(skb, NFTA_FLOWTABLE_HOOK_PRIORITY, htonl(flowtable->priority)))
                 goto nla_put_failure;
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index b90d96ba4a12..af1497ab9464 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -30,7 +30,6 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
         enum ip_conntrack_info ctinfo;
         const struct nf_conn *ct;
         unsigned int count;
-        bool addit;
 
         tuple_ptr = &tuple;
 
@@ -44,19 +43,12 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
                 return;
         }
 
-        nf_conncount_lookup(nft_net(pkt), &priv->list, tuple_ptr, zone,
-                            &addit);
-        count = priv->list.count;
-
-        if (!addit)
-                goto out;
-
-        if (nf_conncount_add(&priv->list, tuple_ptr, zone) == NF_CONNCOUNT_ERR) {
+        if (nf_conncount_add(nft_net(pkt), &priv->list, tuple_ptr, zone)) {
                 regs->verdict.code = NF_DROP;
                 return;
         }
-        count++;
-out:
+
+        count = priv->list.count;
 
         if ((count > priv->limit) ^ priv->invert) {
                 regs->verdict.code = NFT_BREAK;
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 03f37c4e64fe..1d3144d19903 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -153,7 +153,7 @@ static struct sock *nr_find_listener(ax25_address *addr)
         sk_for_each(s, &nr_list)
                 if (!ax25cmp(&nr_sk(s)->source_addr, addr) &&
                     s->sk_state == TCP_LISTEN) {
-                        bh_lock_sock(s);
+                        sock_hold(s);
                         goto found;
                 }
         s = NULL;
@@ -174,7 +174,7 @@ static struct sock *nr_find_socket(unsigned char index, unsigned char id)
                 struct nr_sock *nr = nr_sk(s);
 
                 if (nr->my_index == index && nr->my_id == id) {
-                        bh_lock_sock(s);
+                        sock_hold(s);
                         goto found;
                 }
         }
@@ -198,7 +198,7 @@ static struct sock *nr_find_peer(unsigned char index, unsigned char id,
 
                 if (nr->your_index == index && nr->your_id == id &&
                     !ax25cmp(&nr->dest_addr, dest)) {
-                        bh_lock_sock(s);
+                        sock_hold(s);
                         goto found;
                 }
         }
@@ -224,7 +224,7 @@ static unsigned short nr_find_next_circuit(void)
                 if (i != 0 && j != 0) {
                         if ((sk=nr_find_socket(i, j)) == NULL)
                                 break;
-                        bh_unlock_sock(sk);
+                        sock_put(sk);
                 }
 
                 id++;
@@ -920,6 +920,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
         }
 
         if (sk != NULL) {
+                bh_lock_sock(sk);
                 skb_reset_transport_header(skb);
 
                 if (frametype == NR_CONNACK && skb->len == 22)
@@ -929,6 +930,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
 
                 ret = nr_process_rx_frame(sk, skb);
                 bh_unlock_sock(sk);
+                sock_put(sk);
                 return ret;
         }
 
@@ -960,10 +962,12 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
             (make = nr_make_new(sk)) == NULL) {
                 nr_transmit_refusal(skb, 0);
                 if (sk)
-                        bh_unlock_sock(sk);
+                        sock_put(sk);
                 return 0;
         }
 
+        bh_lock_sock(sk);
+
         window = skb->data[20];
 
         skb->sk             = make;
@@ -1016,6 +1020,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
                 sk->sk_data_ready(sk);
 
         bh_unlock_sock(sk);
+        sock_put(sk);
 
         nr_insert_socket(make);
 
diff --git a/net/rds/tcp.c b/net/rds/tcp.c
index b9bbcf3d6c63..c16f0a362c32 100644
--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -623,7 +623,7 @@ static void __net_exit rds_tcp_exit_net(struct net *net)
         if (rtn->rds_tcp_sysctl)
                 unregister_net_sysctl_table(rtn->rds_tcp_sysctl);
 
-        if (net != &init_net && rtn->ctl_table)
+        if (net != &init_net)
                 kfree(rtn->ctl_table);
 }
 
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index c7ae1ed5324f..a6a060925e5d 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -542,7 +542,7 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
                 /* Don't enable netstamp, sunrpc doesn't
                    need that much accuracy */
         }
-        svsk->sk_sk->sk_stamp = skb->tstamp;
+        sock_write_timestamp(svsk->sk_sk, skb->tstamp);
         set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
 
         len  = skb->len;
diff --git a/net/sunrpc/sysctl.c b/net/sunrpc/sysctl.c
index 8c3936403fea..0bea8ff8b0d3 100644
--- a/net/sunrpc/sysctl.c
+++ b/net/sunrpc/sysctl.c
@@ -89,7 +89,7 @@ proc_dodebug(struct ctl_table *table, int write,
         left = *lenp;
 
         if (write) {
-                if (!access_ok(VERIFY_READ, buffer, left))
+                if (!access_ok(buffer, left))
                         return -EFAULT;
                 p = buffer;
                 while (left && __get_user(c, p) >= 0 && isspace(c))
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index fb2c0d8f359f..d27f30a9a01d 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -319,7 +319,6 @@ static int tipc_enable_bearer(struct net *net, const char *name,
         res = tipc_disc_create(net, b, &b->bcast_addr, &skb);
         if (res) {
                 bearer_disable(net, b);
-                kfree(b);
                 errstr = "failed to create discoverer";
                 goto rejected;
         }
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 21f6ccc89401..40f5cae623a7 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -904,6 +904,8 @@ static int tipc_nl_compat_publ_dump(struct tipc_nl_compat_msg *msg, u32 sock)
 
         hdr = genlmsg_put(args, 0, 0, &tipc_genl_family, NLM_F_MULTI,
                           TIPC_NL_PUBL_GET);
+        if (!hdr)
+                return -EMSGSIZE;
 
         nest = nla_nest_start(args, TIPC_NLA_SOCK);
         if (!nest) {
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 9b38f94b5dd0..c598aa00d5e3 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2591,7 +2591,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
         int idx;
         if (!head->write)
                 return -ENOSYS;
-        if (!access_ok(VERIFY_READ, buffer, buffer_len))
+        if (!access_ok(buffer, buffer_len))
                 return -EFAULT;
         if (mutex_lock_interruptible(&head->io_sem))
                 return -EINTR;
diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 92e6524a3a9d..7d4640d1fe9f 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -393,7 +393,7 @@ static ssize_t snd_seq_read(struct file *file, char __user *buf, size_t count,
         if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_INPUT))
                 return -ENXIO;
 
-        if (!access_ok(VERIFY_WRITE, buf, count))
+        if (!access_ok(buf, count))
                 return -EFAULT;
 
         /* check client structures are in place */
diff --git a/sound/isa/sb/emu8000_patch.c b/sound/isa/sb/emu8000_patch.c
index d45a6b9d6437..3d44c358c4b3 100644
--- a/sound/isa/sb/emu8000_patch.c
+++ b/sound/isa/sb/emu8000_patch.c
@@ -183,10 +183,10 @@ snd_emu8000_sample_new(struct snd_emux *rec, struct snd_sf_sample *sp,
         }
 
         if (sp->v.mode_flags & SNDRV_SFNT_SAMPLE_8BITS) {
-                if (!access_ok(VERIFY_READ, data, sp->v.size))
+                if (!access_ok(data, sp->v.size))
                         return -EFAULT;
         } else {
-                if (!access_ok(VERIFY_READ, data, sp->v.size * 2))
+                if (!access_ok(data, sp->v.size * 2))
                         return -EFAULT;
         }
 
diff --git a/sound/pci/hda/Kconfig b/sound/pci/hda/Kconfig
index 0d38c006e182..4235907b7858 100644
--- a/sound/pci/hda/Kconfig
+++ b/sound/pci/hda/Kconfig
@@ -226,68 +226,6 @@ config SND_HDA_POWER_SAVE_DEFAULT
           The default time-out value in seconds for HD-audio automatic
           power-save mode.  0 means to disable the power-save mode.
 
-if SND_HDA_INTEL
-
-# The options below should not be enabled by distributions or
-# users. They are selected by Intel/Skylake or SOF drivers when they
-# register for a PCI ID which is also handled by the HDAudio legacy
-# driver. When this option is selected and the DSP is detected based on
-# the PCI class/subclass/prog-if, the probe of the HDAudio legacy
-# aborts. This mechanism removes the need for distributions to use
-# blacklists. It can be bypassed with module parameters should the
-# Intel/Skylake or SOF drivers fail to handle a specific platform.
-
-config SND_HDA_INTEL_DSP_DETECTION_SKL
-        bool
-        help
-          This option is selected by SOF or SST drivers, not users or distros.
-          It enables DSP detection based on PCI class information for
-          Skylake machines.
-
-config SND_HDA_INTEL_DSP_DETECTION_APL
-        bool
-        help
-          This option is selected by SOF or SST drivers, not users or distros.
-          It enables DSP detection based on PCI class information for
-          Broxton/ApolloLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_KBL
-        bool
-        help
-          This option is selected by SOF or SST drivers, not users or distros.
-          It enables DSP detection based on PCI class information for
-          KabyLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_GLK
-        bool
-        help
-          This option is selected by SOF or SST drivers, not users or distros.
-          It enables DSP detection based on PCI class information for
-          GeminiLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_CNL
-        bool
-        help
-          This option is selected by SOF or SST drivers, not users or distros.
-          It enables DSP detection based on PCI class information for
-          CannonLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_CFL
-        bool
-        help
-          This option is selected by SOF or SST drivers, not users or distros.
-          It enables DSP detection based on PCI class information for
-          CoffeeLake machines
-
-config SND_HDA_INTEL_DSP_DETECTION_ICL
-        bool
-        help
-          This option is selected by SOF or SST drivers, not users or distros.
-          It enables DSP detection based on PCI class information for
-          IceLake machines
-
-endif ## SND_HDA_INTEL
-
 endif
 
 endmenu
diff --git a/sound/pci/hda/hda_controller.h b/sound/pci/hda/hda_controller.h
index e0c3fcbaa028..7185ed574b41 100644
--- a/sound/pci/hda/hda_controller.h
+++ b/sound/pci/hda/hda_controller.h
@@ -37,7 +37,7 @@
 #else
 #define AZX_DCAPS_I915_COMPONENT 0              /* NOP */
 #endif
-#define AZX_DCAPS_INTEL_SHARED  (1 << 14)       /* shared with ASoC */
+/* 14 unused */
 #define AZX_DCAPS_CTX_WORKAROUND (1 << 15)      /* X-Fi workaround */
 #define AZX_DCAPS_POSFIX_LPIB   (1 << 16)       /* Use LPIB as default */
 /* 17 unused */
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index e42cc2230977..e784130ea4e0 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -172,9 +172,6 @@ module_param_array(beep_mode, bool, NULL, 0444);
 MODULE_PARM_DESC(beep_mode, "Select HDA Beep registration mode "
                             "(0=off, 1=on) (default=1).");
 #endif
-static int skl_pci_binding;
-module_param_named(pci_binding, skl_pci_binding, int, 0444);
-MODULE_PARM_DESC(pci_binding, "PCI binding (0=auto, 1=only legacy, 2=only asoc");
 
 #ifdef CONFIG_PM
 static int param_set_xint(const char *val, const struct kernel_param *kp);
@@ -360,7 +357,6 @@ enum {
          AZX_DCAPS_NO_64BIT |\
          AZX_DCAPS_4K_BDLE_BOUNDARY | AZX_DCAPS_SNOOP_OFF)
 
-#define AZX_DCAPS_INTEL_DSP_DETECTION(conf) (IS_ENABLED(CONFIG_SND_HDA_INTEL_DSP_DETECTION_##conf) ? AZX_DCAPS_INTEL_SHARED : 0)
 /*
  * vga_switcheroo support
  */
@@ -2052,28 +2048,6 @@ static int azx_probe(struct pci_dev *pci,
         bool schedule_probe;
         int err;
 
-        /* check if this driver can be used on SKL+ Intel platforms */
-        if (pci_id->driver_data & AZX_DCAPS_INTEL_SHARED) {
-                switch (skl_pci_binding) {
-                case SND_SKL_PCI_BIND_AUTO:
-                        if (pci->class != 0x040300) {
-                                dev_info(&pci->dev, "The DSP is enabled on this platform, aborting probe\n");
-                                return -ENODEV;
-                        }
-                        dev_info(&pci->dev, "No DSP detected, continuing HDaudio legacy probe\n");
-                        break;
-                case SND_SKL_PCI_BIND_LEGACY:
-                        dev_info(&pci->dev, "Module parameter forced binding with HDaudio legacy, bypassed detection logic\n");
-                        break;
-                case SND_SKL_PCI_BIND_ASOC:
-                        dev_info(&pci->dev, "Module parameter forced binding with SKL+ ASoC driver, aborting probe\n");
-                        return -ENODEV;
-                default:
-                        dev_err(&pci->dev, "invalid value for skl_pci_binding module parameter, ignored\n");
-                        break;
-                }
-        }
-
         if (dev >= SNDRV_CARDS)
                 return -ENODEV;
         if (!enable[dev]) {
@@ -2380,48 +2354,34 @@ static const struct pci_device_id azx_ids[] = {
           .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
         /* Sunrise Point-LP */
         { PCI_DEVICE(0x8086, 0x9d70),
-          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-          AZX_DCAPS_INTEL_DSP_DETECTION(SKL)
-        },
+          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
         /* Kabylake */
         { PCI_DEVICE(0x8086, 0xa171),
           .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
         /* Kabylake-LP */
         { PCI_DEVICE(0x8086, 0x9d71),
-          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-          AZX_DCAPS_INTEL_DSP_DETECTION(KBL)
-        },
+          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
         /* Kabylake-H */
         { PCI_DEVICE(0x8086, 0xa2f0),
           .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE },
         /* Coffelake */
         { PCI_DEVICE(0x8086, 0xa348),
-          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-          AZX_DCAPS_INTEL_DSP_DETECTION(CFL)
-        },
+          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
         /* Cannonlake */
         { PCI_DEVICE(0x8086, 0x9dc8),
-          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-          AZX_DCAPS_INTEL_DSP_DETECTION(CNL)
-        },
+          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
         /* Icelake */
         { PCI_DEVICE(0x8086, 0x34c8),
-          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE |
-          AZX_DCAPS_INTEL_DSP_DETECTION(ICL)
-        },
+          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_SKYLAKE},
         /* Broxton-P(Apollolake) */
         { PCI_DEVICE(0x8086, 0x5a98),
-          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON |
-          AZX_DCAPS_INTEL_DSP_DETECTION(APL)
-        },
+          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON },
         /* Broxton-T */
         { PCI_DEVICE(0x8086, 0x1a98),
           .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON },
         /* Gemini-Lake */
         { PCI_DEVICE(0x8086, 0x3198),
-          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON |
-          AZX_DCAPS_INTEL_DSP_DETECTION(GLK)
-        },
+          .driver_data = AZX_DRIVER_SKL | AZX_DCAPS_INTEL_BROXTON },
         /* Haswell */
         { PCI_DEVICE(0x8086, 0x0a0c),
           .driver_data = AZX_DRIVER_HDMI | AZX_DCAPS_INTEL_HASWELL },
diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
index 83befd8d43e8..97a176d817a0 100644
--- a/sound/pci/hda/hda_tegra.c
+++ b/sound/pci/hda/hda_tegra.c
@@ -234,10 +234,12 @@ static int hda_tegra_suspend(struct device *dev)
         struct snd_card *card = dev_get_drvdata(dev);
         struct azx *chip = card->private_data;
         struct hda_tegra *hda = container_of(chip, struct hda_tegra, chip);
+        struct hdac_bus *bus = azx_bus(chip);
 
         snd_power_change_state(card, SNDRV_CTL_POWER_D3hot);
 
         azx_stop_chip(chip);
+        synchronize_irq(bus->irq);
         azx_enter_link_reset(chip);
         hda_tegra_disable_clocks(hda);
 
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index a4f4a9dd488d..aee4cbd29d53 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6501,7 +6501,7 @@ static const struct hda_fixup alc269_fixups[] = {
         [ALC294_FIXUP_ASUS_HEADSET_MIC] = {
                 .type = HDA_FIXUP_PINS,
                 .v.pins = (const struct hda_pintbl[]) {
-                        { 0x19, 0x01a1113c }, /* use as headset mic, without its own jack detect */
+                        { 0x19, 0x01a1103c }, /* use as headset mic */
                         { }
                 },
                 .chained = true,
diff --git a/sound/soc/intel/Kconfig b/sound/soc/intel/Kconfig
index 2fd1b61e8331..99a62ba409df 100644
--- a/sound/soc/intel/Kconfig
+++ b/sound/soc/intel/Kconfig
@@ -188,12 +188,6 @@ config SND_SOC_INTEL_SKYLAKE_COMMON
         select SND_SOC_TOPOLOGY
         select SND_SOC_INTEL_SST
         select SND_SOC_HDAC_HDA if SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC
-        select SND_HDA_INTEL_DSP_DETECTION_SKL if SND_SOC_INTEL_SKL
-        select SND_HDA_INTEL_DSP_DETECTION_APL if SND_SOC_INTEL_APL
-        select SND_HDA_INTEL_DSP_DETECTION_KBL if SND_SOC_INTEL_KBL
-        select SND_HDA_INTEL_DSP_DETECTION_GLK if SND_SOC_INTEL_GLK
-        select SND_HDA_INTEL_DSP_DETECTION_CNL if SND_SOC_INTEL_CNL
-        select SND_HDA_INTEL_DSP_DETECTION_CFL if SND_SOC_INTEL_CFL
         select SND_SOC_ACPI_INTEL_MATCH
         help
           If you have a Intel Skylake/Broxton/ApolloLake/KabyLake/
diff --git a/tools/perf/util/include/asm/uaccess.h b/tools/perf/util/include/asm/uaccess.h
index 6a6f4b990547..548100315710 100644
--- a/tools/perf/util/include/asm/uaccess.h
+++ b/tools/perf/util/include/asm/uaccess.h
@@ -10,6 +10,6 @@
 
 #define get_user        __get_user
 
-#define access_ok(type, addr, size)     1
+#define access_ok(addr, size)   1
 
 #endif
diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
index 9c79ee017df3..e2b9eee37187 100644
--- a/tools/testing/selftests/bpf/test_maps.c
+++ b/tools/testing/selftests/bpf/test_maps.c
@@ -510,7 +510,7 @@ static void test_devmap(int task, void *data)
         fd = bpf_create_map(BPF_MAP_TYPE_DEVMAP, sizeof(key), sizeof(value),
                             2, 0);
         if (fd < 0) {
-                printf("Failed to create arraymap '%s'!\n", strerror(errno));
+                printf("Failed to create devmap '%s'!\n", strerror(errno));
                 exit(1);
         }
 
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 33f7d38849b8..10d44446e801 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -23,6 +23,7 @@
 #include <stdbool.h>
 #include <sched.h>
 #include <limits.h>
+#include <assert.h>
 
 #include <sys/capability.h>
 
@@ -2577,6 +2578,7 @@ static struct bpf_test tests[] = {
                 },
                 .result = REJECT,
                 .errstr = "invalid stack off=-79992 size=8",
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
         },
         {
                 "PTR_TO_STACK store/load - out of bounds high",
@@ -3104,6 +3106,8 @@ static struct bpf_test tests[] = {
                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
                         BPF_EXIT_INSN(),
                 },
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+                .result_unpriv = REJECT,
                 .result = ACCEPT,
         },
         {
@@ -3206,6 +3210,243 @@ static struct bpf_test tests[] = {
                 .retval_unpriv = 2,
         },
         {
+                "PTR_TO_STACK check high 1",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 42,
+        },
+        {
+                "PTR_TO_STACK check high 2",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 42,
+        },
+        {
+                "PTR_TO_STACK check high 3",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+                .result_unpriv = REJECT,
+                .result = ACCEPT,
+                .retval = 42,
+        },
+        {
+                "PTR_TO_STACK check high 4",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+                .errstr = "invalid stack off=0 size=1",
+                .result = REJECT,
+        },
+        {
+                "PTR_TO_STACK check high 5",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack off",
+        },
+        {
+                "PTR_TO_STACK check high 6",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack off",
+        },
+        {
+                "PTR_TO_STACK check high 7",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+                .errstr = "fp pointer offset",
+        },
+        {
+                "PTR_TO_STACK check low 1",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 42,
+        },
+        {
+                "PTR_TO_STACK check low 2",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+                .result = ACCEPT,
+                .retval = 42,
+        },
+        {
+                "PTR_TO_STACK check low 3",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+                .errstr = "invalid stack off=-513 size=1",
+                .result = REJECT,
+        },
+        {
+                "PTR_TO_STACK check low 4",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "math between fp pointer",
+        },
+        {
+                "PTR_TO_STACK check low 5",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack off",
+        },
+        {
+                "PTR_TO_STACK check low 6",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack off",
+        },
+        {
+                "PTR_TO_STACK check low 7",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+                .errstr = "fp pointer offset",
+        },
+        {
+                "PTR_TO_STACK mixed reg/k, 1",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
+                        BPF_MOV64_IMM(BPF_REG_2, -3),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 42,
+        },
+        {
+                "PTR_TO_STACK mixed reg/k, 2",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
+                        BPF_MOV64_IMM(BPF_REG_2, -3),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 42,
+        },
+        {
+                "PTR_TO_STACK mixed reg/k, 3",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
+                        BPF_MOV64_IMM(BPF_REG_2, -3),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = -3,
+        },
+        {
+                "PTR_TO_STACK reg",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_MOV64_IMM(BPF_REG_2, -3),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+                        BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "invalid stack off=0 size=1",
+                .result = ACCEPT,
+                .retval = 42,
+        },
+        {
                 "stack pointer arithmetic",
                 .insns = {
                         BPF_MOV64_IMM(BPF_REG_1, 4),
@@ -6610,6 +6851,232 @@ static struct bpf_test tests[] = {
                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
         },
         {
+                "map access: known scalar += value_ptr from different maps",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                    offsetof(struct __sk_buff, len)),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                        BPF_MOV64_IMM(BPF_REG_1, 4),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_hash_16b = { 5 },
+                .fixup_map_array_48b = { 8 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R1 tried to add from different maps",
+                .retval = 1,
+        },
+        {
+                "map access: value_ptr -= known scalar from different maps",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                    offsetof(struct __sk_buff, len)),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        BPF_MOV64_IMM(BPF_REG_1, 4),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_hash_16b = { 5 },
+                .fixup_map_array_48b = { 8 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 min value is outside of the array range",
+                .retval = 1,
+        },
+        {
+                "map access: known scalar += value_ptr from different maps, but same value properties",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
+                                    offsetof(struct __sk_buff, len)),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                        BPF_MOV64_IMM(BPF_REG_1, 4),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_hash_48b = { 5 },
+                .fixup_map_array_48b = { 8 },
+                .result = ACCEPT,
+                .retval = 1,
+        },
+        {
+                "map access: value_ptr += known scalar, upper oob arith, test 1",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        BPF_MOV64_IMM(BPF_REG_1, 48),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+                .retval = 1,
+        },
+        {
+                "map access: value_ptr += known scalar, upper oob arith, test 2",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        BPF_MOV64_IMM(BPF_REG_1, 49),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+                .retval = 1,
+        },
+        {
+                "map access: value_ptr += known scalar, upper oob arith, test 3",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        BPF_MOV64_IMM(BPF_REG_1, 47),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+                .retval = 1,
+        },
+        {
+                "map access: value_ptr -= known scalar, lower oob arith, test 1",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
+                        BPF_MOV64_IMM(BPF_REG_1, 47),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_MOV64_IMM(BPF_REG_1, 48),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = REJECT,
+                .errstr = "R0 min value is outside of the array range",
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+        },
+        {
+                "map access: value_ptr -= known scalar, lower oob arith, test 2",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+                        BPF_MOV64_IMM(BPF_REG_1, 47),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_MOV64_IMM(BPF_REG_1, 48),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_MOV64_IMM(BPF_REG_1, 1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+                .retval = 1,
+        },
+        {
+                "map access: value_ptr -= known scalar, lower oob arith, test 3",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
+                        BPF_MOV64_IMM(BPF_REG_1, 47),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_MOV64_IMM(BPF_REG_1, 47),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+                .retval = 1,
+        },
+        {
                 "map access: known scalar += value_ptr",
                 .insns = {
                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
@@ -6630,7 +7097,7 @@ static struct bpf_test tests[] = {
                 .retval = 1,
         },
         {
-                "map access: value_ptr += known scalar",
+                "map access: value_ptr += known scalar, 1",
                 .insns = {
                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
@@ -6650,7 +7117,113 @@ static struct bpf_test tests[] = {
                 .retval = 1,
         },
         {
-                "map access: unknown scalar += value_ptr",
+                "map access: value_ptr += known scalar, 2",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                        BPF_MOV64_IMM(BPF_REG_1, 49),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = REJECT,
+                .errstr = "invalid access to map value",
+        },
+        {
+                "map access: value_ptr += known scalar, 3",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                        BPF_MOV64_IMM(BPF_REG_1, -1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = REJECT,
+                .errstr = "invalid access to map value",
+        },
+        {
+                "map access: value_ptr += known scalar, 4",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+                        BPF_MOV64_IMM(BPF_REG_1, 5),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_MOV64_IMM(BPF_REG_1, -2),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_MOV64_IMM(BPF_REG_1, -1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+                .retval = 1,
+        },
+        {
+                "map access: value_ptr += known scalar, 5",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+                        BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .retval = 0xabcdef12,
+        },
+        {
+                "map access: value_ptr += known scalar, 6",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
+                        BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .retval = 0xabcdef12,
+        },
+        {
+                "map access: unknown scalar += value_ptr, 1",
                 .insns = {
                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
@@ -6671,7 +7244,76 @@ static struct bpf_test tests[] = {
                 .retval = 1,
         },
         {
-                "map access: value_ptr += unknown scalar",
+                "map access: unknown scalar += value_ptr, 2",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .retval = 0xabcdef12,
+        },
+        {
+                "map access: unknown scalar += value_ptr, 3",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+                        BPF_MOV64_IMM(BPF_REG_1, -1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_MOV64_IMM(BPF_REG_1, 1),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
+                .retval = 0xabcdef12,
+        },
+        {
+                "map access: unknown scalar += value_ptr, 4",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+                        BPF_MOV64_IMM(BPF_REG_1, 19),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = REJECT,
+                .errstr = "R1 max value is outside of the array range",
+                .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
+        },
+        {
+                "map access: value_ptr += unknown scalar, 1",
                 .insns = {
                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
@@ -6692,6 +7334,54 @@ static struct bpf_test tests[] = {
                 .retval = 1,
         },
         {
+                "map access: value_ptr += unknown scalar, 2",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .retval = 0xabcdef12,
+        },
+        {
+                "map access: value_ptr += unknown scalar, 3",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
+                        BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_MOV64_IMM(BPF_REG_0, 2),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, -3),
+                },
+                .fixup_map_array_48b = { 3 },
+                .result = ACCEPT,
+                .retval = 1,
+        },
+        {
                 "map access: value_ptr += value_ptr",
                 .insns = {
                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
@@ -6770,6 +7460,8 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_array_48b = { 3 },
                 .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
                 .retval = 1,
         },
         {
@@ -6837,6 +7529,8 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_array_48b = { 3 },
                 .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
                 .retval = 1,
         },
         {
@@ -8376,6 +9070,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8400,6 +9095,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8426,6 +9122,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8451,6 +9148,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8499,6 +9197,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8570,6 +9269,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8621,6 +9321,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8648,6 +9349,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8674,6 +9376,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8703,6 +9406,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8733,6 +9437,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 4 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
@@ -8761,6 +9466,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "unbounded min value",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
                 .result_unpriv = REJECT,
         },
@@ -8813,9 +9519,39 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
+                .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
                 .result = REJECT,
         },
         {
+                "check subtraction on pointers for unpriv",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                        BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0),
+                        BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                        BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_hash_8b = { 1, 9 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R9 pointer -= pointer prohibited",
+        },
+        {
                 "bounds check based on zero-extended MOV",
                 .insns = {
                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
@@ -9146,6 +9882,36 @@ static struct bpf_test tests[] = {
                 .result = REJECT
         },
         {
+                "bounds check after 32-bit right shift with 64-bit input",
+                .insns = {
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+                                     BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+                        /* r1 = 2 */
+                        BPF_MOV64_IMM(BPF_REG_1, 2),
+                        /* r1 = 1<<32 */
+                        BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31),
+                        /* r1 = 0 (NOT 2!) */
+                        BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31),
+                        /* r1 = 0xffff'fffe (NOT 0!) */
+                        BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2),
+                        /* computes OOB pointer */
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+                        /* OOB access */
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        /* exit */
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_hash_8b = { 3 },
+                .errstr = "R0 invalid mem access",
+                .result = REJECT,
+        },
+        {
                 "bounds check map access with off+size signed 32bit overflow. test1",
                 .insns = {
                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
@@ -9185,6 +9951,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "pointer offset 1073741822",
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
                 .result = REJECT
         },
         {
@@ -9206,6 +9973,7 @@ static struct bpf_test tests[] = {
                 },
                 .fixup_map_hash_8b = { 3 },
                 .errstr = "pointer offset -1073741822",
+                .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
                 .result = REJECT
         },
         {
@@ -9377,6 +10145,7 @@ static struct bpf_test tests[] = {
                         BPF_EXIT_INSN()
                 },
                 .errstr = "fp pointer offset 1073741822",
+                .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
                 .result = REJECT
         },
         {
@@ -13719,6 +14488,328 @@ static struct bpf_test tests[] = {
                 .insn_processed = 15,
         },
         {
+                "masking, test out of bounds 1",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 5),
+                        BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 2",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 1),
+                        BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 3",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
+                        BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 4",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
+                        BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 5",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, -1),
+                        BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 6",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, -1),
+                        BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 7",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_1, 5),
+                        BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 8",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_1, 1),
+                        BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 9",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
+                        BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 10",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
+                        BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 11",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_1, -1),
+                        BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test out of bounds 12",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_1, -1),
+                        BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test in bounds 1",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 4),
+                        BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 4,
+        },
+        {
+                "masking, test in bounds 2",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 0),
+                        BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test in bounds 3",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 0xfffffffe),
+                        BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0xfffffffe,
+        },
+        {
+                "masking, test in bounds 4",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 0xabcde),
+                        BPF_MOV32_IMM(BPF_REG_2, 0xabcdef - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0xabcde,
+        },
+        {
+                "masking, test in bounds 5",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 0),
+                        BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
+                "masking, test in bounds 6",
+                .insns = {
+                        BPF_MOV32_IMM(BPF_REG_1, 46),
+                        BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 46,
+        },
+        {
+                "masking, test in bounds 7",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_3, -46),
+                        BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
+                        BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 46,
+        },
+        {
+                "masking, test in bounds 8",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_3, -47),
+                        BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
+                        BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
+                        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
+                        BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
+                        BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
+                        BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
+                        BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .retval = 0,
+        },
+        {
                 "reference tracking in call: free reference in subprog and outside",
                 .insns = {
                         BPF_SK_LOOKUP,
@@ -14413,6 +15504,16 @@ static int create_map(uint32_t type, uint32_t size_key,
         return fd;
 }
 
+static void update_map(int fd, int index)
+{
+        struct test_val value = {
+                .index = (6 + 1) * sizeof(int),
+                .foo[6] = 0xabcdef12,
+        };
+
+        assert(!bpf_map_update_elem(fd, &index, &value, 0));
+}
+
 static int create_prog_dummy1(enum bpf_prog_type prog_type)
 {
         struct bpf_insn prog[] = {
@@ -14564,6 +15665,7 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
         if (*fixup_map_array_48b) {
                 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
                                         sizeof(struct test_val), 1);
+                update_map(map_fds[3], 0);
                 do {
                         prog[*fixup_map_array_48b].imm = map_fds[3];
                         fixup_map_array_48b++;
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 666d0155662d..1f888a103f78 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -939,8 +939,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
         /* We can read the guest memory with __xxx_user() later on. */
         if ((id < KVM_USER_MEM_SLOTS) &&
             ((mem->userspace_addr & (PAGE_SIZE - 1)) ||
-             !access_ok(VERIFY_WRITE,
-                        (void __user *)(unsigned long)mem->userspace_addr,
+             !access_ok((void __user *)(unsigned long)mem->userspace_addr,
                         mem->memory_size)))
                 goto out;
         if (as_id >= KVM_ADDRESS_SPACE_NUM || id >= KVM_MEM_SLOTS_NUM)