diff options
| -rw-r--r-- | 0000_README | 4 | ||||
| -rw-r--r-- | 1054_linux-4.14.55.patch | 2167 |
2 files changed, 2171 insertions, 0 deletions
diff --git a/0000_README b/0000_README index 6908240e..f834399b 100644 --- a/0000_README +++ b/0000_README @@ -259,6 +259,10 @@ Patch: 1053_linux-4.14.54.patch From: http://www.kernel.org Desc: Linux 4.14.54 +Patch: 1054_linux-4.14.55.patch +From: http://www.kernel.org +Desc: Linux 4.14.55 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1054_linux-4.14.55.patch b/1054_linux-4.14.55.patch new file mode 100644 index 00000000..360661a9 --- /dev/null +++ b/1054_linux-4.14.55.patch @@ -0,0 +1,2167 @@ +diff --git a/Makefile b/Makefile +index de0955d8dfa3..0700feaaa6cf 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 14 +-SUBLEVEL = 54 ++SUBLEVEL = 55 + EXTRAVERSION = + NAME = Petit Gorille + +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index be20b1f73384..e928c2af6a10 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -1244,7 +1244,7 @@ cleanup_critical: + jl 0f + clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end + jl .Lcleanup_load_fpu_regs +-0: BR_EX %r14 ++0: BR_EX %r14,%r11 + + .align 8 + .Lcleanup_table: +@@ -1280,7 +1280,7 @@ cleanup_critical: + ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE + lctlg %c1,%c1,__LC_USER_ASCE # load primary asce + larl %r9,sie_exit # skip forward to sie_exit +- BR_EX %r14 ++ BR_EX %r14,%r11 + #endif + + .Lcleanup_system_call: +diff --git a/block/blk-lib.c b/block/blk-lib.c +index 63fb971d6574..2bc544ce3d2e 100644 +--- a/block/blk-lib.c ++++ b/block/blk-lib.c +@@ -275,6 +275,40 @@ static unsigned int __blkdev_sectors_to_bio_pages(sector_t nr_sects) + return min(pages, (sector_t)BIO_MAX_PAGES); + } + ++static int __blkdev_issue_zero_pages(struct block_device *bdev, ++ sector_t sector, sector_t nr_sects, gfp_t gfp_mask, ++ struct bio **biop) ++{ ++ struct request_queue *q = bdev_get_queue(bdev); ++ struct bio *bio = *biop; ++ int bi_size = 0; ++ unsigned int sz; ++ ++ if (!q) ++ return -ENXIO; ++ ++ while (nr_sects != 0) { ++ bio = next_bio(bio, __blkdev_sectors_to_bio_pages(nr_sects), ++ gfp_mask); ++ bio->bi_iter.bi_sector = sector; ++ bio_set_dev(bio, bdev); ++ bio_set_op_attrs(bio, REQ_OP_WRITE, 0); ++ ++ while (nr_sects != 0) { ++ sz = min((sector_t) PAGE_SIZE, nr_sects << 9); ++ bi_size = bio_add_page(bio, ZERO_PAGE(0), sz, 0); ++ nr_sects -= bi_size >> 9; ++ sector += bi_size >> 9; ++ if (bi_size < sz) ++ break; ++ } ++ cond_resched(); ++ } ++ ++ *biop = bio; ++ return 0; ++} ++ + /** + * __blkdev_issue_zeroout - generate number of zero filed write bios + * @bdev: blockdev to issue +@@ -288,12 +322,6 @@ static unsigned int __blkdev_sectors_to_bio_pages(sector_t nr_sects) + * Zero-fill a block range, either using hardware offload or by explicitly + * writing zeroes to the device. + * +- * Note that this function may fail with -EOPNOTSUPP if the driver signals +- * zeroing offload support, but the device fails to process the command (for +- * some devices there is no non-destructive way to verify whether this +- * operation is actually supported). In this case the caller should call +- * retry the call to blkdev_issue_zeroout() and the fallback path will be used. +- * + * If a device is using logical block provisioning, the underlying space will + * not be released if %flags contains BLKDEV_ZERO_NOUNMAP. + * +@@ -305,9 +333,6 @@ int __blkdev_issue_zeroout(struct block_device *bdev, sector_t sector, + unsigned flags) + { + int ret; +- int bi_size = 0; +- struct bio *bio = *biop; +- unsigned int sz; + sector_t bs_mask; + + bs_mask = (bdev_logical_block_size(bdev) >> 9) - 1; +@@ -317,30 +342,10 @@ int __blkdev_issue_zeroout(struct block_device *bdev, sector_t sector, + ret = __blkdev_issue_write_zeroes(bdev, sector, nr_sects, gfp_mask, + biop, flags); + if (ret != -EOPNOTSUPP || (flags & BLKDEV_ZERO_NOFALLBACK)) +- goto out; +- +- ret = 0; +- while (nr_sects != 0) { +- bio = next_bio(bio, __blkdev_sectors_to_bio_pages(nr_sects), +- gfp_mask); +- bio->bi_iter.bi_sector = sector; +- bio_set_dev(bio, bdev); +- bio_set_op_attrs(bio, REQ_OP_WRITE, 0); +- +- while (nr_sects != 0) { +- sz = min((sector_t) PAGE_SIZE, nr_sects << 9); +- bi_size = bio_add_page(bio, ZERO_PAGE(0), sz, 0); +- nr_sects -= bi_size >> 9; +- sector += bi_size >> 9; +- if (bi_size < sz) +- break; +- } +- cond_resched(); +- } ++ return ret; + +- *biop = bio; +-out: +- return ret; ++ return __blkdev_issue_zero_pages(bdev, sector, nr_sects, gfp_mask, ++ biop); + } + EXPORT_SYMBOL(__blkdev_issue_zeroout); + +@@ -360,18 +365,49 @@ EXPORT_SYMBOL(__blkdev_issue_zeroout); + int blkdev_issue_zeroout(struct block_device *bdev, sector_t sector, + sector_t nr_sects, gfp_t gfp_mask, unsigned flags) + { +- int ret; +- struct bio *bio = NULL; ++ int ret = 0; ++ sector_t bs_mask; ++ struct bio *bio; + struct blk_plug plug; ++ bool try_write_zeroes = !!bdev_write_zeroes_sectors(bdev); + ++ bs_mask = (bdev_logical_block_size(bdev) >> 9) - 1; ++ if ((sector | nr_sects) & bs_mask) ++ return -EINVAL; ++ ++retry: ++ bio = NULL; + blk_start_plug(&plug); +- ret = __blkdev_issue_zeroout(bdev, sector, nr_sects, gfp_mask, +- &bio, flags); ++ if (try_write_zeroes) { ++ ret = __blkdev_issue_write_zeroes(bdev, sector, nr_sects, ++ gfp_mask, &bio, flags); ++ } else if (!(flags & BLKDEV_ZERO_NOFALLBACK)) { ++ ret = __blkdev_issue_zero_pages(bdev, sector, nr_sects, ++ gfp_mask, &bio); ++ } else { ++ /* No zeroing offload support */ ++ ret = -EOPNOTSUPP; ++ } + if (ret == 0 && bio) { + ret = submit_bio_wait(bio); + bio_put(bio); + } + blk_finish_plug(&plug); ++ if (ret && try_write_zeroes) { ++ if (!(flags & BLKDEV_ZERO_NOFALLBACK)) { ++ try_write_zeroes = false; ++ goto retry; ++ } ++ if (!bdev_write_zeroes_sectors(bdev)) { ++ /* ++ * Zeroing offload support was indicated, but the ++ * device reported ILLEGAL REQUEST (for some devices ++ * there is no non-destructive way to verify whether ++ * WRITE ZEROES is actually supported). ++ */ ++ ret = -EOPNOTSUPP; ++ } ++ } + + return ret; + } +diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c +index 03471b3fce86..c2042f822b03 100644 +--- a/drivers/block/drbd/drbd_worker.c ++++ b/drivers/block/drbd/drbd_worker.c +@@ -282,8 +282,8 @@ void drbd_request_endio(struct bio *bio) + what = COMPLETED_OK; + } + +- bio_put(req->private_bio); + req->private_bio = ERR_PTR(blk_status_to_errno(bio->bi_status)); ++ bio_put(bio); + + /* not req_mod(), we need irqsave here! */ + spin_lock_irqsave(&device->resource->req_lock, flags); +diff --git a/drivers/dax/super.c b/drivers/dax/super.c +index c4cd034a3820..6c179c2a9ff9 100644 +--- a/drivers/dax/super.c ++++ b/drivers/dax/super.c +@@ -73,42 +73,50 @@ EXPORT_SYMBOL_GPL(fs_dax_get_by_bdev); + + /** + * __bdev_dax_supported() - Check if the device supports dax for filesystem +- * @sb: The superblock of the device ++ * @bdev: block device to check + * @blocksize: The block size of the device + * + * This is a library function for filesystems to check if the block device + * can be mounted with dax option. + * +- * Return: negative errno if unsupported, 0 if supported. ++ * Return: true if supported, false if unsupported + */ +-int __bdev_dax_supported(struct super_block *sb, int blocksize) ++bool __bdev_dax_supported(struct block_device *bdev, int blocksize) + { +- struct block_device *bdev = sb->s_bdev; + struct dax_device *dax_dev; ++ struct request_queue *q; + pgoff_t pgoff; + int err, id; + void *kaddr; + pfn_t pfn; + long len; ++ char buf[BDEVNAME_SIZE]; + + if (blocksize != PAGE_SIZE) { +- pr_err("VFS (%s): error: unsupported blocksize for dax\n", +- sb->s_id); +- return -EINVAL; ++ pr_debug("%s: error: unsupported blocksize for dax\n", ++ bdevname(bdev, buf)); ++ return false; ++ } ++ ++ q = bdev_get_queue(bdev); ++ if (!q || !blk_queue_dax(q)) { ++ pr_debug("%s: error: request queue doesn't support dax\n", ++ bdevname(bdev, buf)); ++ return false; + } + + err = bdev_dax_pgoff(bdev, 0, PAGE_SIZE, &pgoff); + if (err) { +- pr_err("VFS (%s): error: unaligned partition for dax\n", +- sb->s_id); +- return err; ++ pr_debug("%s: error: unaligned partition for dax\n", ++ bdevname(bdev, buf)); ++ return false; + } + + dax_dev = dax_get_by_host(bdev->bd_disk->disk_name); + if (!dax_dev) { +- pr_err("VFS (%s): error: device does not support dax\n", +- sb->s_id); +- return -EOPNOTSUPP; ++ pr_debug("%s: error: device does not support dax\n", ++ bdevname(bdev, buf)); ++ return false; + } + + id = dax_read_lock(); +@@ -118,12 +126,12 @@ int __bdev_dax_supported(struct super_block *sb, int blocksize) + put_dax(dax_dev); + + if (len < 1) { +- pr_err("VFS (%s): error: dax access failed (%ld)", +- sb->s_id, len); +- return len < 0 ? len : -EIO; ++ pr_debug("%s: error: dax access failed (%ld)\n", ++ bdevname(bdev, buf), len); ++ return false; + } + +- return 0; ++ return true; + } + EXPORT_SYMBOL_GPL(__bdev_dax_supported); + #endif +diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c +index bc5128203056..78e630771214 100644 +--- a/drivers/gpu/drm/drm_property.c ++++ b/drivers/gpu/drm/drm_property.c +@@ -516,7 +516,7 @@ static void drm_property_free_blob(struct kref *kref) + + drm_mode_object_unregister(blob->dev, &blob->base); + +- kfree(blob); ++ kvfree(blob); + } + + /** +@@ -543,7 +543,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, + if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) + return ERR_PTR(-EINVAL); + +- blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); ++ blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); + if (!blob) + return ERR_PTR(-ENOMEM); + +@@ -559,7 +559,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, + ret = __drm_mode_object_add(dev, &blob->base, DRM_MODE_OBJECT_BLOB, + true, drm_property_free_blob); + if (ret) { +- kfree(blob); ++ kvfree(blob); + return ERR_PTR(-EINVAL); + } + +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c +index 2ebdc6d5a76e..d5583190f3e4 100644 +--- a/drivers/gpu/drm/udl/udl_fb.c ++++ b/drivers/gpu/drm/udl/udl_fb.c +@@ -137,7 +137,10 @@ int udl_handle_damage(struct udl_framebuffer *fb, int x, int y, + + if (cmd > (char *) urb->transfer_buffer) { + /* Send partial buffer remaining before exiting */ +- int len = cmd - (char *) urb->transfer_buffer; ++ int len; ++ if (cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length) ++ *cmd++ = 0xAF; ++ len = cmd - (char *) urb->transfer_buffer; + ret = udl_submit_urb(dev, urb, len); + bytes_sent += len; + } else +diff --git a/drivers/gpu/drm/udl/udl_transfer.c b/drivers/gpu/drm/udl/udl_transfer.c +index 0c87b1ac6b68..b992644c17e6 100644 +--- a/drivers/gpu/drm/udl/udl_transfer.c ++++ b/drivers/gpu/drm/udl/udl_transfer.c +@@ -153,11 +153,11 @@ static void udl_compress_hline16( + raw_pixels_count_byte = cmd++; /* we'll know this later */ + raw_pixel_start = pixel; + +- cmd_pixel_end = pixel + (min(MAX_CMD_PIXELS + 1, +- min((int)(pixel_end - pixel) / bpp, +- (int)(cmd_buffer_end - cmd) / 2))) * bpp; ++ cmd_pixel_end = pixel + min3(MAX_CMD_PIXELS + 1UL, ++ (unsigned long)(pixel_end - pixel) / bpp, ++ (unsigned long)(cmd_buffer_end - 1 - cmd) / 2) * bpp; + +- prefetch_range((void *) pixel, (cmd_pixel_end - pixel) * bpp); ++ prefetch_range((void *) pixel, cmd_pixel_end - pixel); + pixel_val16 = get_pixel_val16(pixel, bpp); + + while (pixel < cmd_pixel_end) { +@@ -193,6 +193,9 @@ static void udl_compress_hline16( + if (pixel > raw_pixel_start) { + /* finalize last RAW span */ + *raw_pixels_count_byte = ((pixel-raw_pixel_start) / bpp) & 0xFF; ++ } else { ++ /* undo unused byte */ ++ cmd--; + } + + *cmd_pixels_count_byte = ((pixel - cmd_pixel_start) / bpp) & 0xFF; +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index 5271db593478..ae8c8e66a6c4 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1154,6 +1154,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, + goto out; + if (list->tail > list->head) { + len = list->tail - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1163,6 +1165,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, + list->head += len; + } else { + len = HID_DEBUG_BUFSIZE - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1170,7 +1174,9 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, + } + list->head = 0; + ret += len; +- goto copy_rest; ++ count -= len; ++ if (count > 0) ++ goto copy_rest; + } + + } +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c +index 3535073a9a7d..d92827556389 100644 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -476,7 +476,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) + return; + } + +- if ((ret_size > size) || (ret_size <= 2)) { ++ if ((ret_size > size) || (ret_size < 2)) { + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", + __func__, size, ret_size); + return; +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index 7d749b19c27c..cf307bdc3d53 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -36,6 +36,7 @@ + #include <linux/hiddev.h> + #include <linux/compat.h> + #include <linux/vmalloc.h> ++#include <linux/nospec.h> + #include "usbhid.h" + + #ifdef CONFIG_USB_DYNAMIC_MINORS +@@ -469,10 +470,14 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + if (uref->usage_index >= field->maxusage) + goto inval; ++ uref->usage_index = array_index_nospec(uref->usage_index, ++ field->maxusage); + + uref->usage_code = field->usage[uref->usage_index].hid; + +@@ -499,6 +504,8 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + +@@ -753,6 +760,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + if (finfo.field_index >= report->maxfield) + break; ++ finfo.field_index = array_index_nospec(finfo.field_index, ++ report->maxfield); + + field = report->field[finfo.field_index]; + memset(&finfo, 0, sizeof(finfo)); +@@ -797,6 +806,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + if (cinfo.index >= hid->maxcollection) + break; ++ cinfo.index = array_index_nospec(cinfo.index, ++ hid->maxcollection); + + cinfo.type = hid->collection[cinfo.index].type; + cinfo.usage = hid->collection[cinfo.index].usage; +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index 4287fc9f3527..f9cd81375f28 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -883,9 +883,7 @@ EXPORT_SYMBOL_GPL(dm_table_set_type); + static int device_supports_dax(struct dm_target *ti, struct dm_dev *dev, + sector_t start, sector_t len, void *data) + { +- struct request_queue *q = bdev_get_queue(dev->bdev); +- +- return q && blk_queue_dax(q); ++ return bdev_dax_supported(dev->bdev, PAGE_SIZE); + } + + static bool dm_table_supports_dax(struct dm_table *t) +@@ -1813,6 +1811,11 @@ void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q, + } + blk_queue_write_cache(q, wc, fua); + ++ if (dm_table_supports_dax(t)) ++ queue_flag_set_unlocked(QUEUE_FLAG_DAX, q); ++ else ++ queue_flag_clear_unlocked(QUEUE_FLAG_DAX, q); ++ + if (dm_table_supports_dax_write_cache(t)) + dax_write_cache(t->md->dax_dev, true); + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 1dfc855ac708..24ec6e039448 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -961,8 +961,7 @@ static long dm_dax_direct_access(struct dax_device *dax_dev, pgoff_t pgoff, + if (len < 1) + goto out; + nr_pages = min(len, nr_pages); +- if (ti->type->direct_access) +- ret = ti->type->direct_access(ti, pgoff, nr_pages, kaddr, pfn); ++ ret = ti->type->direct_access(ti, pgoff, nr_pages, kaddr, pfn); + + out: + dm_put_live_table(md, srcu_idx); +@@ -2050,9 +2049,6 @@ int dm_setup_md_queue(struct mapped_device *md, struct dm_table *t) + */ + bioset_free(md->queue->bio_split); + md->queue->bio_split = NULL; +- +- if (type == DM_TYPE_DAX_BIO_BASED) +- queue_flag_set_unlocked(QUEUE_FLAG_DAX, md->queue); + break; + case DM_TYPE_NONE: + WARN_ON_ONCE(true); +diff --git a/drivers/media/i2c/cx25840/cx25840-core.c b/drivers/media/i2c/cx25840/cx25840-core.c +index 39f51daa7558..c5642813eff1 100644 +--- a/drivers/media/i2c/cx25840/cx25840-core.c ++++ b/drivers/media/i2c/cx25840/cx25840-core.c +@@ -463,8 +463,13 @@ static void cx23885_initialize(struct i2c_client *client) + { + DEFINE_WAIT(wait); + struct cx25840_state *state = to_state(i2c_get_clientdata(client)); ++ u32 clk_freq = 0; + struct workqueue_struct *q; + ++ /* cx23885 sets hostdata to clk_freq pointer */ ++ if (v4l2_get_subdev_hostdata(&state->sd)) ++ clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd)); ++ + /* + * Come out of digital power down + * The CX23888, at least, needs this, otherwise registers aside from +@@ -500,8 +505,13 @@ static void cx23885_initialize(struct i2c_client *client) + * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz + * 572.73 MHz before post divide + */ +- /* HVR1850 or 50MHz xtal */ +- cx25840_write(client, 0x2, 0x71); ++ if (clk_freq == 25000000) { ++ /* 888/ImpactVCBe or 25Mhz xtal */ ++ ; /* nothing to do */ ++ } else { ++ /* HVR1850 or 50MHz xtal */ ++ cx25840_write(client, 0x2, 0x71); ++ } + cx25840_write4(client, 0x11c, 0x01d1744c); + cx25840_write4(client, 0x118, 0x00000416); + cx25840_write4(client, 0x404, 0x0010253e); +@@ -544,9 +554,15 @@ static void cx23885_initialize(struct i2c_client *client) + /* HVR1850 */ + switch (state->id) { + case CX23888_AV: +- /* 888/HVR1250 specific */ +- cx25840_write4(client, 0x10c, 0x13333333); +- cx25840_write4(client, 0x108, 0x00000515); ++ if (clk_freq == 25000000) { ++ /* 888/ImpactVCBe or 25MHz xtal */ ++ cx25840_write4(client, 0x10c, 0x01b6db7b); ++ cx25840_write4(client, 0x108, 0x00000512); ++ } else { ++ /* 888/HVR1250 or 50MHz xtal */ ++ cx25840_write4(client, 0x10c, 0x13333333); ++ cx25840_write4(client, 0x108, 0x00000515); ++ } + break; + default: + cx25840_write4(client, 0x10c, 0x002be2c9); +@@ -576,7 +592,7 @@ static void cx23885_initialize(struct i2c_client *client) + * 368.64 MHz before post divide + * 122.88 MHz / 0xa = 12.288 MHz + */ +- /* HVR1850 or 50MHz xtal */ ++ /* HVR1850 or 50MHz xtal or 25MHz xtal */ + cx25840_write4(client, 0x114, 0x017dbf48); + cx25840_write4(client, 0x110, 0x000a030e); + break; +diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c +index 6d9adcaa26ba..ffbb178c6918 100644 +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -1689,6 +1689,15 @@ static void __vb2_queue_cancel(struct vb2_queue *q) + for (i = 0; i < q->num_buffers; ++i) { + struct vb2_buffer *vb = q->bufs[i]; + ++ if (vb->state == VB2_BUF_STATE_PREPARED || ++ vb->state == VB2_BUF_STATE_QUEUED) { ++ unsigned int plane; ++ ++ for (plane = 0; plane < vb->num_planes; ++plane) ++ call_void_memop(vb, finish, ++ vb->planes[plane].mem_priv); ++ } ++ + if (vb->state != VB2_BUF_STATE_DEQUEUED) { + vb->state = VB2_BUF_STATE_PREPARED; + call_void_vb_qop(vb, buf_finish, vb); +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index ac76c10c042f..af3d207c9cc4 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -42,7 +42,7 @@ + #define AMD_BOOTLOC_BUG + #define FORCE_WORD_WRITE 0 + +-#define MAX_WORD_RETRIES 3 ++#define MAX_RETRIES 3 + + #define SST49LF004B 0x0060 + #define SST49LF040B 0x0050 +@@ -1647,7 +1647,7 @@ static int __xipram do_write_oneword(struct map_info *map, struct flchip *chip, + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- if (++retry_cnt <= MAX_WORD_RETRIES) ++ if (++retry_cnt <= MAX_RETRIES) + goto retry; + + ret = -EIO; +@@ -2106,7 +2106,7 @@ static int do_panic_write_oneword(struct map_info *map, struct flchip *chip, + map_write(map, CMD(0xF0), chip->start); + /* FIXME - should have reset delay before continuing */ + +- if (++retry_cnt <= MAX_WORD_RETRIES) ++ if (++retry_cnt <= MAX_RETRIES) + goto retry; + + ret = -EIO; +@@ -2241,6 +2241,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + unsigned long int adr; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr = cfi->addr_unlock1; + +@@ -2258,6 +2259,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2294,12 +2296,13 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + chip->erase_suspended = 0; + } + +- if (chip_ready(map, adr)) ++ if (chip_good(map, adr, map_word_ff(map))) + break; + + if (time_after(jiffies, timeo)) { + printk(KERN_WARNING "MTD %s(): software timeout\n", + __func__ ); ++ ret = -EIO; + break; + } + +@@ -2307,12 +2310,15 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + UDELAY(map, chip, adr, 1000000/HZ); + } + /* Did we succeed? */ +- if (!chip_good(map, adr, map_word_ff(map))) { ++ if (ret) { + /* reset on all failures. */ + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- ret = -EIO; ++ if (++retry_cnt <= MAX_RETRIES) { ++ ret = 0; ++ goto retry; ++ } + } + + chip->state = FL_READY; +@@ -2331,6 +2337,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + unsigned long timeo = jiffies + HZ; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr += chip->start; + +@@ -2348,6 +2355,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2384,7 +2392,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + chip->erase_suspended = 0; + } + +- if (chip_ready(map, adr)) { ++ if (chip_good(map, adr, map_word_ff(map))) { + xip_enable(map, chip, adr); + break; + } +@@ -2393,6 +2401,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + xip_enable(map, chip, adr); + printk(KERN_WARNING "MTD %s(): software timeout\n", + __func__ ); ++ ret = -EIO; + break; + } + +@@ -2400,12 +2409,15 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + UDELAY(map, chip, adr, 1000000/HZ); + } + /* Did we succeed? */ +- if (!chip_good(map, adr, map_word_ff(map))) { ++ if (ret) { + /* reset on all failures. */ + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- ret = -EIO; ++ if (++retry_cnt <= MAX_RETRIES) { ++ ret = 0; ++ goto retry; ++ } + } + + chip->state = FL_READY; +diff --git a/drivers/mtd/nand/mxc_nand.c b/drivers/mtd/nand/mxc_nand.c +index 53e5e0337c3e..fcb575d55b89 100644 +--- a/drivers/mtd/nand/mxc_nand.c ++++ b/drivers/mtd/nand/mxc_nand.c +@@ -48,7 +48,7 @@ + #define NFC_V1_V2_CONFIG (host->regs + 0x0a) + #define NFC_V1_V2_ECC_STATUS_RESULT (host->regs + 0x0c) + #define NFC_V1_V2_RSLTMAIN_AREA (host->regs + 0x0e) +-#define NFC_V1_V2_RSLTSPARE_AREA (host->regs + 0x10) ++#define NFC_V21_RSLTSPARE_AREA (host->regs + 0x10) + #define NFC_V1_V2_WRPROT (host->regs + 0x12) + #define NFC_V1_UNLOCKSTART_BLKADDR (host->regs + 0x14) + #define NFC_V1_UNLOCKEND_BLKADDR (host->regs + 0x16) +@@ -1119,6 +1119,9 @@ static void preset_v2(struct mtd_info *mtd) + writew(config1, NFC_V1_V2_CONFIG1); + /* preset operation */ + ++ /* spare area size in 16-bit half-words */ ++ writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA); ++ + /* Unlock the internal RAM Buffer */ + writew(0x2, NFC_V1_V2_CONFIG); + +diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +index 5b4f05805006..519a021c0a25 100644 +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -2863,7 +2863,7 @@ static int dpaa_remove(struct platform_device *pdev) + struct device *dev; + int err; + +- dev = pdev->dev.parent; ++ dev = &pdev->dev; + net_dev = dev_get_drvdata(dev); + + priv = netdev_priv(net_dev); +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 17a4cc138b00..4d49fb8f2bbc 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -51,6 +51,7 @@ static int sg_version_num = 30536; /* 2 digits for each component */ + #include <linux/atomic.h> + #include <linux/ratelimit.h> + #include <linux/uio.h> ++#include <linux/cred.h> /* for sg_check_file_access() */ + + #include "scsi.h" + #include <scsi/scsi_dbg.h> +@@ -210,6 +211,33 @@ static void sg_device_destroy(struct kref *kref); + sdev_prefix_printk(prefix, (sdp)->device, \ + (sdp)->disk->disk_name, fmt, ##a) + ++/* ++ * The SCSI interfaces that use read() and write() as an asynchronous variant of ++ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways ++ * to trigger read() and write() calls from various contexts with elevated ++ * privileges. This can lead to kernel memory corruption (e.g. if these ++ * interfaces are called through splice()) and privilege escalation inside ++ * userspace (e.g. if a process with access to such a device passes a file ++ * descriptor to a SUID binary as stdin/stdout/stderr). ++ * ++ * This function provides protection for the legacy API by restricting the ++ * calling context. ++ */ ++static int sg_check_file_access(struct file *filp, const char *caller) ++{ ++ if (filp->f_cred != current_real_cred()) { ++ pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EPERM; ++ } ++ if (uaccess_kernel()) { ++ pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EACCES; ++ } ++ return 0; ++} ++ + static int sg_allow_access(struct file *filp, unsigned char *cmd) + { + struct sg_fd *sfp = filp->private_data; +@@ -394,6 +422,14 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos) + struct sg_header *old_hdr = NULL; + int retval = 0; + ++ /* ++ * This could cause a response to be stranded. Close the associated ++ * file descriptor to free up any resources being held. ++ */ ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; ++ + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; + SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, +@@ -581,9 +617,11 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) + struct sg_header old_hdr; + sg_io_hdr_t *hp; + unsigned char cmnd[SG_MAX_CDB_SIZE]; ++ int retval; + +- if (unlikely(uaccess_kernel())) +- return -EINVAL; ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; + + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; +diff --git a/drivers/staging/comedi/drivers/quatech_daqp_cs.c b/drivers/staging/comedi/drivers/quatech_daqp_cs.c +index 802f51e46405..171960568356 100644 +--- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c ++++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c +@@ -642,7 +642,7 @@ static int daqp_ao_insn_write(struct comedi_device *dev, + /* Make sure D/A update mode is direct update */ + outb(0, dev->iobase + DAQP_AUX_REG); + +- for (i = 0; i > insn->n; i++) { ++ for (i = 0; i < insn->n; i++) { + unsigned int val = data[i]; + int ret; + +diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c +index 4ba5004a069e..fd6ce9996488 100644 +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -3729,11 +3729,16 @@ core_scsi3_pri_read_keys(struct se_cmd *cmd) + * Check for overflow of 8byte PRI READ_KEYS payload and + * next reservation key list descriptor. + */ +- if ((add_len + 8) > (cmd->data_length - 8)) +- break; +- +- put_unaligned_be64(pr_reg->pr_res_key, &buf[off]); +- off += 8; ++ if (off + 8 <= cmd->data_length) { ++ put_unaligned_be64(pr_reg->pr_res_key, &buf[off]); ++ off += 8; ++ } ++ /* ++ * SPC5r17: 6.16.2 READ KEYS service action ++ * The ADDITIONAL LENGTH field indicates the number of bytes in ++ * the Reservation key list. The contents of the ADDITIONAL ++ * LENGTH field are not altered based on the allocation length ++ */ + add_len += 8; + } + spin_unlock(&dev->t10_pr.registration_lock); +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index fb4e6a7ee521..d639378e36ac 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -339,18 +339,16 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr, + struct page *page[1]; + struct vm_area_struct *vma; + struct vm_area_struct *vmas[1]; ++ unsigned int flags = 0; + int ret; + ++ if (prot & IOMMU_WRITE) ++ flags |= FOLL_WRITE; ++ ++ down_read(&mm->mmap_sem); + if (mm == current->mm) { +- ret = get_user_pages_longterm(vaddr, 1, !!(prot & IOMMU_WRITE), +- page, vmas); ++ ret = get_user_pages_longterm(vaddr, 1, flags, page, vmas); + } else { +- unsigned int flags = 0; +- +- if (prot & IOMMU_WRITE) +- flags |= FOLL_WRITE; +- +- down_read(&mm->mmap_sem); + ret = get_user_pages_remote(NULL, mm, vaddr, 1, flags, page, + vmas, NULL); + /* +@@ -364,8 +362,8 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr, + ret = -EOPNOTSUPP; + put_page(page[0]); + } +- up_read(&mm->mmap_sem); + } ++ up_read(&mm->mmap_sem); + + if (ret == 1) { + *pfn = page_to_pfn(page[0]); +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 33d6eb58ce34..f29cdb1cdeb7 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1340,6 +1340,7 @@ typedef int (mid_handle_t)(struct TCP_Server_Info *server, + /* one of these for every pending CIFS request to the server */ + struct mid_q_entry { + struct list_head qhead; /* mids waiting on reply from this server */ ++ struct kref refcount; + struct TCP_Server_Info *server; /* server corresponding to this mid */ + __u64 mid; /* multiplex id */ + __u32 pid; /* process id */ +diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h +index 762d513a5087..ccdb42f71b2e 100644 +--- a/fs/cifs/cifsproto.h ++++ b/fs/cifs/cifsproto.h +@@ -76,6 +76,7 @@ extern struct mid_q_entry *AllocMidQEntry(const struct smb_hdr *smb_buffer, + struct TCP_Server_Info *server); + extern void DeleteMidQEntry(struct mid_q_entry *midEntry); + extern void cifs_delete_mid(struct mid_q_entry *mid); ++extern void cifs_mid_q_entry_release(struct mid_q_entry *midEntry); + extern void cifs_wake_up_task(struct mid_q_entry *mid); + extern int cifs_handle_standard(struct TCP_Server_Info *server, + struct mid_q_entry *mid); +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 7fd39ea6e22e..b5a436583469 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -150,8 +150,14 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command) + * greater than cifs socket timeout which is 7 seconds + */ + while (server->tcpStatus == CifsNeedReconnect) { +- wait_event_interruptible_timeout(server->response_q, +- (server->tcpStatus != CifsNeedReconnect), 10 * HZ); ++ rc = wait_event_interruptible_timeout(server->response_q, ++ (server->tcpStatus != CifsNeedReconnect), ++ 10 * HZ); ++ if (rc < 0) { ++ cifs_dbg(FYI, "%s: aborting reconnect due to a received" ++ " signal by the process\n", __func__); ++ return -ERESTARTSYS; ++ } + + /* are we still trying to reconnect? */ + if (server->tcpStatus != CifsNeedReconnect) +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index f7db2fedfa8c..fd24c72bd2cd 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -889,6 +889,7 @@ cifs_demultiplex_thread(void *p) + continue; + server->total_read += length; + ++ mid_entry = NULL; + if (server->ops->is_transform_hdr && + server->ops->receive_transform && + server->ops->is_transform_hdr(buf)) { +@@ -903,8 +904,11 @@ cifs_demultiplex_thread(void *p) + length = mid_entry->receive(server, mid_entry); + } + +- if (length < 0) ++ if (length < 0) { ++ if (mid_entry) ++ cifs_mid_q_entry_release(mid_entry); + continue; ++ } + + if (server->large_buf) + buf = server->bigbuf; +@@ -920,6 +924,8 @@ cifs_demultiplex_thread(void *p) + + if (!mid_entry->multiRsp || mid_entry->multiEnd) + mid_entry->callback(mid_entry); ++ ++ cifs_mid_q_entry_release(mid_entry); + } else if (server->ops->is_oplock_break && + server->ops->is_oplock_break(buf, server)) { + cifs_dbg(FYI, "Received oplock break\n"); +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index a723df3e0197..d8cd82001c1c 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -105,6 +105,7 @@ cifs_find_mid(struct TCP_Server_Info *server, char *buffer) + if (compare_mid(mid->mid, buf) && + mid->mid_state == MID_REQUEST_SUBMITTED && + le16_to_cpu(mid->command) == buf->Command) { ++ kref_get(&mid->refcount); + spin_unlock(&GlobalMid_Lock); + return mid; + } +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 36bc9a7eb8ea..83267ac3a3f0 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -202,6 +202,7 @@ smb2_find_mid(struct TCP_Server_Info *server, char *buf) + if ((mid->mid == wire_mid) && + (mid->mid_state == MID_REQUEST_SUBMITTED) && + (mid->command == shdr->Command)) { ++ kref_get(&mid->refcount); + spin_unlock(&GlobalMid_Lock); + return mid; + } +@@ -635,6 +636,8 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon, + + rc = SMB2_set_ea(xid, tcon, fid.persistent_fid, fid.volatile_fid, ea, + len); ++ kfree(ea); ++ + SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); + + return rc; +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 5247b40e57f6..0480cd9a9e81 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -153,7 +153,7 @@ smb2_hdr_assemble(struct smb2_sync_hdr *shdr, __le16 smb2_cmd, + static int + smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + { +- int rc = 0; ++ int rc; + struct nls_table *nls_codepage; + struct cifs_ses *ses; + struct TCP_Server_Info *server; +@@ -164,10 +164,10 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + * for those three - in the calling routine. + */ + if (tcon == NULL) +- return rc; ++ return 0; + + if (smb2_command == SMB2_TREE_CONNECT) +- return rc; ++ return 0; + + if (tcon->tidStatus == CifsExiting) { + /* +@@ -210,8 +210,14 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + return -EAGAIN; + } + +- wait_event_interruptible_timeout(server->response_q, +- (server->tcpStatus != CifsNeedReconnect), 10 * HZ); ++ rc = wait_event_interruptible_timeout(server->response_q, ++ (server->tcpStatus != CifsNeedReconnect), ++ 10 * HZ); ++ if (rc < 0) { ++ cifs_dbg(FYI, "%s: aborting reconnect due to a received" ++ " signal by the process\n", __func__); ++ return -ERESTARTSYS; ++ } + + /* are we still trying to reconnect? */ + if (server->tcpStatus != CifsNeedReconnect) +@@ -229,7 +235,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + } + + if (!tcon->ses->need_reconnect && !tcon->need_reconnect) +- return rc; ++ return 0; + + nls_codepage = load_nls_default(); + +@@ -332,7 +338,10 @@ smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon, + return rc; + + /* BB eventually switch this to SMB2 specific small buf size */ +- *request_buf = cifs_small_buf_get(); ++ if (smb2_command == SMB2_SET_INFO) ++ *request_buf = cifs_buf_get(); ++ else ++ *request_buf = cifs_small_buf_get(); + if (*request_buf == NULL) { + /* BB should we add a retry in here if not a writepage? */ + return -ENOMEM; +@@ -3162,7 +3171,7 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon, + } + + rc = SendReceive2(xid, ses, iov, num, &resp_buftype, flags, &rsp_iov); +- cifs_small_buf_release(req); ++ cifs_buf_release(req); + rsp = (struct smb2_set_info_rsp *)rsp_iov.iov_base; + + if (rc != 0) +diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c +index bf49cb73b9e6..a41fc4a63a59 100644 +--- a/fs/cifs/smb2transport.c ++++ b/fs/cifs/smb2transport.c +@@ -548,6 +548,7 @@ smb2_mid_entry_alloc(const struct smb2_sync_hdr *shdr, + + temp = mempool_alloc(cifs_mid_poolp, GFP_NOFS); + memset(temp, 0, sizeof(struct mid_q_entry)); ++ kref_init(&temp->refcount); + temp->mid = le64_to_cpu(shdr->MessageId); + temp->pid = current->pid; + temp->command = shdr->Command; /* Always LE */ +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index 7efbab013957..a10f51dfa7f5 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -56,6 +56,7 @@ AllocMidQEntry(const struct smb_hdr *smb_buffer, struct TCP_Server_Info *server) + + temp = mempool_alloc(cifs_mid_poolp, GFP_NOFS); + memset(temp, 0, sizeof(struct mid_q_entry)); ++ kref_init(&temp->refcount); + temp->mid = get_mid(smb_buffer); + temp->pid = current->pid; + temp->command = cpu_to_le16(smb_buffer->Command); +@@ -77,6 +78,21 @@ AllocMidQEntry(const struct smb_hdr *smb_buffer, struct TCP_Server_Info *server) + return temp; + } + ++static void _cifs_mid_q_entry_release(struct kref *refcount) ++{ ++ struct mid_q_entry *mid = container_of(refcount, struct mid_q_entry, ++ refcount); ++ ++ mempool_free(mid, cifs_mid_poolp); ++} ++ ++void cifs_mid_q_entry_release(struct mid_q_entry *midEntry) ++{ ++ spin_lock(&GlobalMid_Lock); ++ kref_put(&midEntry->refcount, _cifs_mid_q_entry_release); ++ spin_unlock(&GlobalMid_Lock); ++} ++ + void + DeleteMidQEntry(struct mid_q_entry *midEntry) + { +@@ -105,7 +121,7 @@ DeleteMidQEntry(struct mid_q_entry *midEntry) + } + } + #endif +- mempool_free(midEntry, cifs_mid_poolp); ++ cifs_mid_q_entry_release(midEntry); + } + + void +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index 1458706bd2ec..726e680a3368 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -953,8 +953,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size); + + if (sbi->s_mount_opt & EXT2_MOUNT_DAX) { +- err = bdev_dax_supported(sb, blocksize); +- if (err) ++ if (!bdev_dax_supported(sb->s_bdev, blocksize)) + goto failed_mount; + } + +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index 58db8109defa..9c9eafd6bd76 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -184,7 +184,6 @@ static int ext4_init_block_bitmap(struct super_block *sb, + unsigned int bit, bit_max; + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t start, tmp; +- int flex_bg = 0; + struct ext4_group_info *grp; + + J_ASSERT_BH(bh, buffer_locked(bh)); +@@ -217,22 +216,19 @@ static int ext4_init_block_bitmap(struct super_block *sb, + + start = ext4_group_first_block_no(sb, block_group); + +- if (ext4_has_feature_flex_bg(sb)) +- flex_bg = 1; +- + /* Set bits for block and inode bitmaps, and inode table */ + tmp = ext4_block_bitmap(sb, gdp); +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + + tmp = ext4_inode_bitmap(sb, gdp); +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + + tmp = ext4_inode_table(sb, gdp); + for (; tmp < ext4_inode_table(sb, gdp) + + sbi->s_itb_per_group; tmp++) { +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + } + +@@ -455,7 +451,16 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + goto verify; + } + ext4_lock_group(sb, block_group); +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { ++ if (block_group == 0) { ++ ext4_unlock_group(sb, block_group); ++ unlock_buffer(bh); ++ ext4_error(sb, "Block bitmap for bg 0 marked " ++ "uninitialized"); ++ err = -EFSCORRUPTED; ++ goto out; ++ } + err = ext4_init_block_bitmap(sb, bh, block_group, desc); + set_bitmap_uptodate(bh); + set_buffer_uptodate(bh); +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 58a0304566db..0abb30d19fa1 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -1542,11 +1542,6 @@ static inline struct ext4_inode_info *EXT4_I(struct inode *inode) + static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) + { + return ino == EXT4_ROOT_INO || +- ino == EXT4_USR_QUOTA_INO || +- ino == EXT4_GRP_QUOTA_INO || +- ino == EXT4_BOOT_LOADER_INO || +- ino == EXT4_JOURNAL_INO || +- ino == EXT4_RESIZE_INO || + (ino >= EXT4_FIRST_INO(sb) && + ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); + } +@@ -3049,9 +3044,6 @@ extern struct buffer_head *ext4_get_first_inline_block(struct inode *inode, + extern int ext4_inline_data_fiemap(struct inode *inode, + struct fiemap_extent_info *fieinfo, + int *has_inline, __u64 start, __u64 len); +-extern int ext4_try_to_evict_inline_data(handle_t *handle, +- struct inode *inode, +- int needed); + extern int ext4_inline_data_truncate(struct inode *inode, int *has_inline); + + extern int ext4_convert_inline_data(struct inode *inode); +diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h +index 8ecf84b8f5a1..a284fb28944b 100644 +--- a/fs/ext4/ext4_extents.h ++++ b/fs/ext4/ext4_extents.h +@@ -103,6 +103,7 @@ struct ext4_extent_header { + }; + + #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) ++#define EXT4_MAX_EXTENT_DEPTH 5 + + #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ + (sizeof(struct ext4_extent_header) + \ +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 883e89a903d1..5592b7726241 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -881,6 +881,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, + + eh = ext_inode_hdr(inode); + depth = ext_depth(inode); ++ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { ++ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", ++ depth); ++ ret = -EFSCORRUPTED; ++ goto err; ++ } + + if (path) { + ext4_ext_drop_refs(path); +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index f420124ac035..95341bc2b3b7 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -155,7 +155,16 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + } + + ext4_lock_group(sb, block_group); +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) { ++ if (block_group == 0) { ++ ext4_unlock_group(sb, block_group); ++ unlock_buffer(bh); ++ ext4_error(sb, "Inode bitmap for bg 0 marked " ++ "uninitialized"); ++ err = -EFSCORRUPTED; ++ goto out; ++ } + memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), + sb->s_blocksize * 8, bh->b_data); +@@ -1000,7 +1009,8 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir, + + /* recheck and clear flag under lock if we still need to */ + ext4_lock_group(sb, group); +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); + ext4_free_group_clusters_set(sb, gdp, + ext4_free_clusters_after_init(sb, group, gdp)); +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 8f5dc243effd..7d498f4a3f90 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -443,6 +443,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle, + + memset((void *)ext4_raw_inode(&is.iloc)->i_block, + 0, EXT4_MIN_INLINE_DATA_SIZE); ++ memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE); + + if (ext4_has_feature_extents(inode->i_sb)) { + if (S_ISDIR(inode->i_mode) || +@@ -892,11 +893,11 @@ int ext4_da_write_inline_data_begin(struct address_space *mapping, + flags |= AOP_FLAG_NOFS; + + if (ret == -ENOSPC) { ++ ext4_journal_stop(handle); + ret = ext4_da_convert_inline_data_to_extent(mapping, + inode, + flags, + fsdata); +- ext4_journal_stop(handle); + if (ret == -ENOSPC && + ext4_should_retry_alloc(inode->i_sb, &retries)) + goto retry_journal; +@@ -1864,42 +1865,6 @@ int ext4_inline_data_fiemap(struct inode *inode, + return (error < 0 ? error : 0); + } + +-/* +- * Called during xattr set, and if we can sparse space 'needed', +- * just create the extent tree evict the data to the outer block. +- * +- * We use jbd2 instead of page cache to move data to the 1st block +- * so that the whole transaction can be committed as a whole and +- * the data isn't lost because of the delayed page cache write. +- */ +-int ext4_try_to_evict_inline_data(handle_t *handle, +- struct inode *inode, +- int needed) +-{ +- int error; +- struct ext4_xattr_entry *entry; +- struct ext4_inode *raw_inode; +- struct ext4_iloc iloc; +- +- error = ext4_get_inode_loc(inode, &iloc); +- if (error) +- return error; +- +- raw_inode = ext4_raw_inode(&iloc); +- entry = (struct ext4_xattr_entry *)((void *)raw_inode + +- EXT4_I(inode)->i_inline_off); +- if (EXT4_XATTR_LEN(entry->e_name_len) + +- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) { +- error = -ENOSPC; +- goto out; +- } +- +- error = ext4_convert_inline_data_nolock(handle, inode, &iloc); +-out: +- brelse(iloc.bh); +- return error; +-} +- + int ext4_inline_data_truncate(struct inode *inode, int *has_inline) + { + handle_t *handle; +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index bd6453e78992..c2efe4d2ad87 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -401,9 +401,9 @@ static int __check_block_validity(struct inode *inode, const char *func, + if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk, + map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, +- "lblock %lu mapped to illegal pblock " ++ "lblock %lu mapped to illegal pblock %llu " + "(length %d)", (unsigned long) map->m_lblk, +- map->m_len); ++ map->m_pblk, map->m_len); + return -EFSCORRUPTED; + } + return 0; +@@ -4455,7 +4455,8 @@ static int __ext4_get_inode_loc(struct inode *inode, + int inodes_per_block, inode_offset; + + iloc->bh = NULL; +- if (!ext4_valid_inum(sb, inode->i_ino)) ++ if (inode->i_ino < EXT4_ROOT_INO || ++ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) + return -EFSCORRUPTED; + + iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 701085620cd8..048c586d9a8b 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2456,7 +2456,8 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group, + * initialize bb_free to be able to skip + * empty groups without initialization + */ +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + meta_group_info[i]->bb_free = + ext4_free_clusters_after_init(sb, group, desc); + } else { +@@ -3023,7 +3024,8 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, + #endif + ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start, + ac->ac_b_ex.fe_len); +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); + ext4_free_group_clusters_set(sb, gdp, + ext4_free_clusters_after_init(sb, +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index ec74d06fa24a..fc32a67a7a19 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2301,6 +2301,7 @@ static int ext4_check_descriptors(struct super_block *sb, + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block); + ext4_fsblk_t last_block; ++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1; + ext4_fsblk_t block_bitmap; + ext4_fsblk_t inode_bitmap; + ext4_fsblk_t inode_table; +@@ -2333,6 +2334,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (block_bitmap >= sb_block + 1 && ++ block_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Block bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (block_bitmap < first_block || block_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Block bitmap for group %u not in group " +@@ -2347,6 +2356,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (inode_bitmap >= sb_block + 1 && ++ inode_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (inode_bitmap < first_block || inode_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode bitmap for group %u not in group " +@@ -2361,6 +2378,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (inode_table >= sb_block + 1 && ++ inode_table <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode table for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (inode_table < first_block || + inode_table + sbi->s_itb_per_group - 1 > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " +@@ -3070,13 +3095,22 @@ static ext4_group_t ext4_has_uninit_itable(struct super_block *sb) + ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count; + struct ext4_group_desc *gdp = NULL; + ++ if (!ext4_has_group_desc_csum(sb)) ++ return ngroups; ++ + for (group = 0; group < ngroups; group++) { + gdp = ext4_get_group_desc(sb, group, NULL); + if (!gdp) + continue; + +- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))) ++ if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)) ++ continue; ++ if (group != 0) + break; ++ ext4_error(sb, "Inode table for bg 0 marked as " ++ "needing zeroing"); ++ if (sb_rdonly(sb)) ++ return ngroups; + } + + return group; +@@ -3715,6 +3749,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + le32_to_cpu(es->s_log_block_size)); + goto failed_mount; + } ++ if (le32_to_cpu(es->s_log_cluster_size) > ++ (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { ++ ext4_msg(sb, KERN_ERR, ++ "Invalid log cluster size: %u", ++ le32_to_cpu(es->s_log_cluster_size)); ++ goto failed_mount; ++ } + + if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) { + ext4_msg(sb, KERN_ERR, +@@ -3729,8 +3770,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + " that may contain inline data"); + goto failed_mount; + } +- err = bdev_dax_supported(sb, blocksize); +- if (err) ++ if (!bdev_dax_supported(sb->s_bdev, blocksize)) + goto failed_mount; + } + +@@ -3777,6 +3817,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + } else { + sbi->s_inode_size = le16_to_cpu(es->s_inode_size); + sbi->s_first_ino = le32_to_cpu(es->s_first_ino); ++ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { ++ ext4_msg(sb, KERN_ERR, "invalid first ino: %u", ++ sbi->s_first_ino); ++ goto failed_mount; ++ } + if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || + (!is_power_of_2(sbi->s_inode_size)) || + (sbi->s_inode_size > blocksize)) { +@@ -3853,13 +3898,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + "block size (%d)", clustersize, blocksize); + goto failed_mount; + } +- if (le32_to_cpu(es->s_log_cluster_size) > +- (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { +- ext4_msg(sb, KERN_ERR, +- "Invalid log cluster size: %u", +- le32_to_cpu(es->s_log_cluster_size)); +- goto failed_mount; +- } + sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) - + le32_to_cpu(es->s_log_block_size); + sbi->s_clusters_per_group = +@@ -3880,10 +3918,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + } + } else { + if (clustersize != blocksize) { +- ext4_warning(sb, "fragment/cluster size (%d) != " +- "block size (%d)", clustersize, +- blocksize); +- clustersize = blocksize; ++ ext4_msg(sb, KERN_ERR, ++ "fragment/cluster size (%d) != " ++ "block size (%d)", clustersize, blocksize); ++ goto failed_mount; + } + if (sbi->s_blocks_per_group > blocksize * 8) { + ext4_msg(sb, KERN_ERR, +@@ -3937,6 +3975,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + ext4_blocks_count(es)); + goto failed_mount; + } ++ if ((es->s_first_data_block == 0) && (es->s_log_block_size == 0) && ++ (sbi->s_cluster_ratio == 1)) { ++ ext4_msg(sb, KERN_WARNING, "bad geometry: first data " ++ "block is 0 with a 1k block and cluster size"); ++ goto failed_mount; ++ } ++ + blocks_count = (ext4_blocks_count(es) - + le32_to_cpu(es->s_first_data_block) + + EXT4_BLOCKS_PER_GROUP(sb) - 1); +@@ -3972,6 +4017,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + ret = -ENOMEM; + goto failed_mount; + } ++ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) != ++ le32_to_cpu(es->s_inodes_count)) { ++ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu", ++ le32_to_cpu(es->s_inodes_count), ++ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group)); ++ ret = -EINVAL; ++ goto failed_mount; ++ } + + bgl_lock_init(sbi->s_blockgroup_lock); + +@@ -4700,6 +4753,14 @@ static int ext4_commit_super(struct super_block *sb, int sync) + + if (!sbh || block_device_ejected(sb)) + return error; ++ ++ /* ++ * The superblock bh should be mapped, but it might not be if the ++ * device was hot-removed. Not much we can do but fail the I/O. ++ */ ++ if (!buffer_mapped(sbh)) ++ return error; ++ + /* + * If the file system is mounted read-only, don't update the + * superblock write time. This avoids updating the superblock +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index ed1cf24a7831..c7c8c16ccd93 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -229,12 +229,12 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, + { + int error = -EFSCORRUPTED; + +- if (buffer_verified(bh)) +- return 0; +- + if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || + BHDR(bh)->h_blocks != cpu_to_le32(1)) + goto errout; ++ if (buffer_verified(bh)) ++ return 0; ++ + error = -EFSBADCRC; + if (!ext4_xattr_block_csum_verify(inode, bh)) + goto errout; +@@ -1559,7 +1559,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, + handle_t *handle, struct inode *inode, + bool is_block) + { +- struct ext4_xattr_entry *last; ++ struct ext4_xattr_entry *last, *next; + struct ext4_xattr_entry *here = s->here; + size_t min_offs = s->end - s->base, name_len = strlen(i->name); + int in_inode = i->in_inode; +@@ -1594,7 +1594,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, + + /* Compute min_offs and last. */ + last = s->first; +- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { ++ for (; !IS_LAST_ENTRY(last); last = next) { ++ next = EXT4_XATTR_NEXT(last); ++ if ((void *)next >= s->end) { ++ EXT4_ERROR_INODE(inode, "corrupted xattr entries"); ++ ret = -EFSCORRUPTED; ++ goto out; ++ } + if (!last->e_value_inum && last->e_value_size) { + size_t offs = le16_to_cpu(last->e_value_offs); + if (offs < min_offs) +@@ -2205,23 +2211,8 @@ int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode, + if (EXT4_I(inode)->i_extra_isize == 0) + return -ENOSPC; + error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */); +- if (error) { +- if (error == -ENOSPC && +- ext4_has_inline_data(inode)) { +- error = ext4_try_to_evict_inline_data(handle, inode, +- EXT4_XATTR_LEN(strlen(i->name) + +- EXT4_XATTR_SIZE(i->value_len))); +- if (error) +- return error; +- error = ext4_xattr_ibody_find(inode, i, is); +- if (error) +- return error; +- error = ext4_xattr_set_entry(i, s, handle, inode, +- false /* is_block */); +- } +- if (error) +- return error; +- } ++ if (error) ++ return error; + header = IHDR(inode, ext4_raw_inode(&is->iloc)); + if (!IS_LAST_ENTRY(s->first)) { + header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC); +@@ -2650,6 +2641,11 @@ static int ext4_xattr_make_inode_space(handle_t *handle, struct inode *inode, + last = IFIRST(header); + /* Find the entry best suited to be pushed into EA block */ + for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { ++ /* never move system.data out of the inode */ ++ if ((last->e_name_len == 4) && ++ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) && ++ !memcmp(last->e_name, "data", 4)) ++ continue; + total_size = EXT4_XATTR_LEN(last->e_name_len); + if (!last->e_value_inum) + total_size += EXT4_XATTR_SIZE( +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index 29c5f799890c..72c6a9e9a9b4 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -2694,11 +2694,16 @@ static ssize_t f2fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from) + inode_lock(inode); + ret = generic_write_checks(iocb, from); + if (ret > 0) { ++ bool preallocated = false; ++ size_t target_size = 0; + int err; + + if (iov_iter_fault_in_readable(from, iov_iter_count(from))) + set_inode_flag(inode, FI_NO_PREALLOC); + ++ preallocated = true; ++ target_size = iocb->ki_pos + iov_iter_count(from); ++ + err = f2fs_preallocate_blocks(iocb, from); + if (err) { + clear_inode_flag(inode, FI_NO_PREALLOC); +@@ -2710,6 +2715,10 @@ static ssize_t f2fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from) + blk_finish_plug(&plug); + clear_inode_flag(inode, FI_NO_PREALLOC); + ++ /* if we couldn't write data, we should deallocate blocks. */ ++ if (preallocated && i_size_read(inode) < target_size) ++ f2fs_truncate(inode); ++ + if (ret > 0) + f2fs_update_iostat(F2FS_I_SB(inode), APP_WRITE_IO, ret); + } +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 07793e25c976..e42736c1fdc8 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1366,6 +1366,13 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + if (jh->b_transaction == transaction && + jh->b_jlist != BJ_Metadata) { + jbd_lock_bh_state(bh); ++ if (jh->b_transaction == transaction && ++ jh->b_jlist != BJ_Metadata) ++ pr_err("JBD2: assertion failure: h_type=%u " ++ "h_line_no=%u block_no=%llu jlist=%u\n", ++ handle->h_type, handle->h_line_no, ++ (unsigned long long) bh->b_blocknr, ++ jh->b_jlist); + J_ASSERT_JH(jh, jh->b_transaction != transaction || + jh->b_jlist == BJ_Metadata); + jbd_unlock_bh_state(bh); +@@ -1385,11 +1392,11 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + * of the transaction. This needs to be done + * once a transaction -bzzz + */ +- jh->b_modified = 1; + if (handle->h_buffer_credits <= 0) { + ret = -ENOSPC; + goto out_unlock_bh; + } ++ jh->b_modified = 1; + handle->h_buffer_credits--; + } + +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index 5aa392eae1c3..f6ed92524a03 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -220,24 +220,26 @@ static inline bool userfaultfd_huge_must_wait(struct userfaultfd_ctx *ctx, + unsigned long reason) + { + struct mm_struct *mm = ctx->mm; +- pte_t *pte; ++ pte_t *ptep, pte; + bool ret = true; + + VM_BUG_ON(!rwsem_is_locked(&mm->mmap_sem)); + +- pte = huge_pte_offset(mm, address, vma_mmu_pagesize(vma)); +- if (!pte) ++ ptep = huge_pte_offset(mm, address, vma_mmu_pagesize(vma)); ++ ++ if (!ptep) + goto out; + + ret = false; ++ pte = huge_ptep_get(ptep); + + /* + * Lockless access: we're in a wait_event so it's ok if it + * changes under us. + */ +- if (huge_pte_none(*pte)) ++ if (huge_pte_none(pte)) + ret = true; +- if (!huge_pte_write(*pte) && (reason & VM_UFFD_WP)) ++ if (!huge_pte_write(pte) && (reason & VM_UFFD_WP)) + ret = true; + out: + return ret; +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index aa75389be8cf..79a9a0def7db 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -1101,7 +1101,8 @@ xfs_ioctl_setattr_dax_invalidate( + if (fa->fsx_xflags & FS_XFLAG_DAX) { + if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))) + return -EINVAL; +- if (bdev_dax_supported(sb, sb->s_blocksize) < 0) ++ if (!bdev_dax_supported(xfs_find_bdev_for_inode(VFS_I(ip)), ++ sb->s_blocksize)) + return -EINVAL; + } + +diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c +index f24e5b6cfc86..1daa965f1e08 100644 +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -1184,6 +1184,30 @@ static const struct inode_operations xfs_inline_symlink_inode_operations = { + .update_time = xfs_vn_update_time, + }; + ++/* Figure out if this file actually supports DAX. */ ++static bool ++xfs_inode_supports_dax( ++ struct xfs_inode *ip) ++{ ++ struct xfs_mount *mp = ip->i_mount; ++ ++ /* Only supported on non-reflinked files. */ ++ if (!S_ISREG(VFS_I(ip)->i_mode) || xfs_is_reflink_inode(ip)) ++ return false; ++ ++ /* DAX mount option or DAX iflag must be set. */ ++ if (!(mp->m_flags & XFS_MOUNT_DAX) && ++ !(ip->i_d.di_flags2 & XFS_DIFLAG2_DAX)) ++ return false; ++ ++ /* Block size must match page size */ ++ if (mp->m_sb.sb_blocksize != PAGE_SIZE) ++ return false; ++ ++ /* Device has to support DAX too. */ ++ return xfs_find_daxdev_for_inode(VFS_I(ip)) != NULL; ++} ++ + STATIC void + xfs_diflags_to_iflags( + struct inode *inode, +@@ -1202,11 +1226,7 @@ xfs_diflags_to_iflags( + inode->i_flags |= S_SYNC; + if (flags & XFS_DIFLAG_NOATIME) + inode->i_flags |= S_NOATIME; +- if (S_ISREG(inode->i_mode) && +- ip->i_mount->m_sb.sb_blocksize == PAGE_SIZE && +- !xfs_is_reflink_inode(ip) && +- (ip->i_mount->m_flags & XFS_MOUNT_DAX || +- ip->i_d.di_flags2 & XFS_DIFLAG2_DAX)) ++ if (xfs_inode_supports_dax(ip)) + inode->i_flags |= S_DAX; + } + +diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c +index f663022353c0..0b0282d2f011 100644 +--- a/fs/xfs/xfs_super.c ++++ b/fs/xfs/xfs_super.c +@@ -1640,11 +1640,17 @@ xfs_fs_fill_super( + sb->s_flags |= SB_I_VERSION; + + if (mp->m_flags & XFS_MOUNT_DAX) { ++ bool rtdev_is_dax = false, datadev_is_dax; ++ + xfs_warn(mp, + "DAX enabled. Warning: EXPERIMENTAL, use at your own risk"); + +- error = bdev_dax_supported(sb, sb->s_blocksize); +- if (error) { ++ datadev_is_dax = bdev_dax_supported(mp->m_ddev_targp->bt_bdev, ++ sb->s_blocksize); ++ if (mp->m_rtdev_targp) ++ rtdev_is_dax = bdev_dax_supported( ++ mp->m_rtdev_targp->bt_bdev, sb->s_blocksize); ++ if (!rtdev_is_dax && !datadev_is_dax) { + xfs_alert(mp, + "DAX unsupported by block device. Turning off DAX."); + mp->m_flags &= ~XFS_MOUNT_DAX; +diff --git a/include/linux/dax.h b/include/linux/dax.h +index 895e16fcc62d..07d6bc1f90a3 100644 +--- a/include/linux/dax.h ++++ b/include/linux/dax.h +@@ -40,10 +40,10 @@ static inline void put_dax(struct dax_device *dax_dev) + + int bdev_dax_pgoff(struct block_device *, sector_t, size_t, pgoff_t *pgoff); + #if IS_ENABLED(CONFIG_FS_DAX) +-int __bdev_dax_supported(struct super_block *sb, int blocksize); +-static inline int bdev_dax_supported(struct super_block *sb, int blocksize) ++bool __bdev_dax_supported(struct block_device *bdev, int blocksize); ++static inline bool bdev_dax_supported(struct block_device *bdev, int blocksize) + { +- return __bdev_dax_supported(sb, blocksize); ++ return __bdev_dax_supported(bdev, blocksize); + } + + static inline struct dax_device *fs_dax_get_by_host(const char *host) +@@ -58,9 +58,10 @@ static inline void fs_put_dax(struct dax_device *dax_dev) + + struct dax_device *fs_dax_get_by_bdev(struct block_device *bdev); + #else +-static inline int bdev_dax_supported(struct super_block *sb, int blocksize) ++static inline bool bdev_dax_supported(struct block_device *bdev, ++ int blocksize) + { +- return -EOPNOTSUPP; ++ return false; + } + + static inline struct dax_device *fs_dax_get_by_host(const char *host) +diff --git a/include/linux/mm.h b/include/linux/mm.h +index f23215854c80..a26cf767407e 100644 +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -2549,6 +2549,7 @@ enum mf_action_page_type { + MF_MSG_POISONED_HUGE, + MF_MSG_HUGE, + MF_MSG_FREE_HUGE, ++ MF_MSG_NON_PMD_HUGE, + MF_MSG_UNMAP_FAILED, + MF_MSG_DIRTY_SWAPCACHE, + MF_MSG_CLEAN_SWAPCACHE, +diff --git a/include/trace/events/sched.h b/include/trace/events/sched.h +index da10aa21bebc..d447f24df970 100644 +--- a/include/trace/events/sched.h ++++ b/include/trace/events/sched.h +@@ -435,7 +435,9 @@ TRACE_EVENT(sched_pi_setprio, + memcpy(__entry->comm, tsk->comm, TASK_COMM_LEN); + __entry->pid = tsk->pid; + __entry->oldprio = tsk->prio; +- __entry->newprio = pi_task ? pi_task->prio : tsk->prio; ++ __entry->newprio = pi_task ? ++ min(tsk->normal_prio, pi_task->prio) : ++ tsk->normal_prio; + /* XXX SCHED_DEADLINE bits missing */ + ), + +diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c +index 82afb7ed369f..e97bbae947f0 100644 +--- a/kernel/irq/irqdesc.c ++++ b/kernel/irq/irqdesc.c +@@ -27,7 +27,7 @@ static struct lock_class_key irq_desc_lock_class; + #if defined(CONFIG_SMP) + static int __init irq_affinity_setup(char *str) + { +- zalloc_cpumask_var(&irq_default_affinity, GFP_NOWAIT); ++ alloc_bootmem_cpumask_var(&irq_default_affinity); + cpulist_parse(str, irq_default_affinity); + /* + * Set at least the boot cpu. We don't want to end up with +@@ -40,10 +40,8 @@ __setup("irqaffinity=", irq_affinity_setup); + + static void __init init_irq_default_affinity(void) + { +-#ifdef CONFIG_CPUMASK_OFFSTACK +- if (!irq_default_affinity) ++ if (!cpumask_available(irq_default_affinity)) + zalloc_cpumask_var(&irq_default_affinity, GFP_NOWAIT); +-#endif + if (cpumask_empty(irq_default_affinity)) + cpumask_setall(irq_default_affinity); + } +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c +index 23c0b0cb5fb9..169b3c44ee97 100644 +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -831,6 +831,7 @@ print_graph_entry_leaf(struct trace_iterator *iter, + struct ftrace_graph_ret *graph_ret; + struct ftrace_graph_ent *call; + unsigned long long duration; ++ int cpu = iter->cpu; + int i; + + graph_ret = &ret_entry->ret; +@@ -839,7 +840,6 @@ print_graph_entry_leaf(struct trace_iterator *iter, + + if (data) { + struct fgraph_cpu_data *cpu_data; +- int cpu = iter->cpu; + + cpu_data = per_cpu_ptr(data->cpu_data, cpu); + +@@ -869,6 +869,9 @@ print_graph_entry_leaf(struct trace_iterator *iter, + + trace_seq_printf(s, "%ps();\n", (void *)call->func); + ++ print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET, ++ cpu, iter->ent->pid, flags); ++ + return trace_handle_return(s); + } + +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index b1f841a9edd4..dfd2947e046e 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2159,6 +2159,7 @@ static void __init gather_bootmem_prealloc(void) + */ + if (hstate_is_gigantic(h)) + adjust_managed_page_count(page, 1 << h->order); ++ cond_resched(); + } + } + +diff --git a/mm/memory-failure.c b/mm/memory-failure.c +index 1cd3b3569af8..345e69d88b37 100644 +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -508,6 +508,7 @@ static const char * const action_page_types[] = { + [MF_MSG_POISONED_HUGE] = "huge page already hardware poisoned", + [MF_MSG_HUGE] = "huge page", + [MF_MSG_FREE_HUGE] = "free huge page", ++ [MF_MSG_NON_PMD_HUGE] = "non-pmd-sized huge page", + [MF_MSG_UNMAP_FAILED] = "unmapping failed page", + [MF_MSG_DIRTY_SWAPCACHE] = "dirty swapcache page", + [MF_MSG_CLEAN_SWAPCACHE] = "clean swapcache page", +@@ -1090,6 +1091,21 @@ static int memory_failure_hugetlb(unsigned long pfn, int trapno, int flags) + return 0; + } + ++ /* ++ * TODO: hwpoison for pud-sized hugetlb doesn't work right now, so ++ * simply disable it. In order to make it work properly, we need ++ * make sure that: ++ * - conversion of a pud that maps an error hugetlb into hwpoison ++ * entry properly works, and ++ * - other mm code walking over page table is aware of pud-aligned ++ * hwpoison entries. ++ */ ++ if (huge_page_size(page_hstate(head)) > PMD_SIZE) { ++ action_result(pfn, MF_MSG_NON_PMD_HUGE, MF_IGNORED); ++ res = -EBUSY; ++ goto out; ++ } ++ + if (!hwpoison_user_mappings(p, pfn, trapno, flags, &head)) { + action_result(pfn, MF_MSG_UNMAP_FAILED, MF_IGNORED); + res = -EBUSY; +diff --git a/mm/vmstat.c b/mm/vmstat.c +index e085b13c572e..4bb13e72ac97 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1770,11 +1770,9 @@ static void vmstat_update(struct work_struct *w) + * to occur in the future. Keep on running the + * update worker thread. + */ +- preempt_disable(); + queue_delayed_work_on(smp_processor_id(), mm_percpu_wq, + this_cpu_ptr(&vmstat_work), + round_jiffies_relative(sysctl_stat_interval)); +- preempt_enable(); + } + } + +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index 8bb152a7cca4..276324abfa60 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -458,14 +458,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write, + rcu_assign_pointer(net->nf.nf_loggers[tindex], logger); + mutex_unlock(&nf_log_mutex); + } else { ++ struct ctl_table tmp = *table; ++ ++ tmp.data = buf; + mutex_lock(&nf_log_mutex); + logger = nft_log_dereference(net->nf.nf_loggers[tindex]); + if (!logger) +- table->data = "NONE"; ++ strlcpy(buf, "NONE", sizeof(buf)); + else +- table->data = logger->name; +- r = proc_dostring(table, write, buffer, lenp, ppos); ++ strlcpy(buf, logger->name, sizeof(buf)); + mutex_unlock(&nf_log_mutex); ++ r = proc_dostring(&tmp, write, buffer, lenp, ppos); + } + + return r; +diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include +index 97769465de13..fcbbecf92395 100644 +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -8,6 +8,7 @@ squote := ' + empty := + space := $(empty) $(empty) + space_escape := _-_SPACE_-_ ++pound := \# + + ### + # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o +@@ -251,11 +252,11 @@ endif + + # Replace >$< with >$$< to preserve $ when reloading the .cmd file + # (needed for make) +-# Replace >#< with >\#< to avoid starting a comment in the .cmd file ++# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file + # (needed for make) + # Replace >'< with >'\''< to be able to enclose the whole string in '...' + # (needed for the shell) +-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1))))) ++make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1))))) + + # Find any prerequisites that is newer than target or that does not exist. + # PHONY targets skipped in both cases. +diff --git a/tools/build/Build.include b/tools/build/Build.include +index 418871d02ebf..a4bbb984941d 100644 +--- a/tools/build/Build.include ++++ b/tools/build/Build.include +@@ -12,6 +12,7 @@ + # Convenient variables + comma := , + squote := ' ++pound := \# + + ### + # Name of target with a '.' as filename prefix. foo/bar.o => foo/.bar.o +@@ -43,11 +44,11 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\ + ### + # Replace >$< with >$$< to preserve $ when reloading the .cmd file + # (needed for make) +-# Replace >#< with >\#< to avoid starting a comment in the .cmd file ++# Replace >#< with >$(pound)< to avoid starting a comment in the .cmd file + # (needed for make) + # Replace >'< with >'\''< to be able to enclose the whole string in '...' + # (needed for the shell) +-make-cmd = $(call escsq,$(subst \#,\\\#,$(subst $$,$$$$,$(cmd_$(1))))) ++make-cmd = $(call escsq,$(subst $(pound),$$(pound),$(subst $$,$$$$,$(cmd_$(1))))) + + ### + # Find any prerequisites that is newer than target or that does not exist. +diff --git a/tools/objtool/Makefile b/tools/objtool/Makefile +index e6acc281dd37..8ae824dbfca3 100644 +--- a/tools/objtool/Makefile ++++ b/tools/objtool/Makefile +@@ -35,7 +35,7 @@ CFLAGS += -Wall -Werror $(WARNINGS) -fomit-frame-pointer -O2 -g $(INCLUDES) + LDFLAGS += -lelf $(LIBSUBCMD) + + # Allow old libelf to be used: +-elfshdr := $(shell echo '\#include <libelf.h>' | $(CC) $(CFLAGS) -x c -E - | grep elf_getshdr) ++elfshdr := $(shell echo '$(pound)include <libelf.h>' | $(CC) $(CFLAGS) -x c -E - | grep elf_getshdr) + CFLAGS += $(if $(elfshdr),,-DLIBELF_USE_DEPRECATED) + + AWK = awk +diff --git a/tools/scripts/Makefile.include b/tools/scripts/Makefile.include +index 654efd9768fd..5f3f1f44ed0a 100644 +--- a/tools/scripts/Makefile.include ++++ b/tools/scripts/Makefile.include +@@ -101,3 +101,5 @@ ifneq ($(silent),1) + QUIET_INSTALL = @printf ' INSTALL %s\n' $1; + endif + endif ++ ++pound := \# |