commit: 8d4733995b6d3df95909b5a116fae17c658d9555 Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org> AuthorDate: Thu Jul 12 15:14:05 2018 +0000 Commit: Alice Ferrazzi <alicef <AT> gentoo <DOT> org> CommitDate: Thu Jul 12 15:14:05 2018 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=8d473399
Update to linux kernel 4.17.6 0000_README | 4 + 1005_linux-4.17.6.patch | 2386 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 2390 insertions(+) diff --git a/0000_README b/0000_README index 33f7bd8..b414442 100644 --- a/0000_README +++ b/0000_README @@ -63,6 +63,10 @@ Patch: 1004_linux-4.17.5.patch From: http://www.kernel.org Desc: Linux 4.17.5 +Patch: 1005_linux-4.17.6.patch +From: http://www.kernel.org +Desc: Linux 4.17.6 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1005_linux-4.17.6.patch b/1005_linux-4.17.6.patch new file mode 100644 index 0000000..7f17226 --- /dev/null +++ b/1005_linux-4.17.6.patch @@ -0,0 +1,2386 @@ +diff --git a/Makefile b/Makefile +index e4ddbad49636..1a885c8f82ef 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,7 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0 + VERSION = 4 + PATCHLEVEL = 17 +-SUBLEVEL = 5 ++SUBLEVEL = 6 + EXTRAVERSION = + NAME = Merciless Moray + +diff --git a/arch/arm/boot/dts/am3517.dtsi b/arch/arm/boot/dts/am3517.dtsi +index ca294914bbb1..4b6062b631b1 100644 +--- a/arch/arm/boot/dts/am3517.dtsi ++++ b/arch/arm/boot/dts/am3517.dtsi +@@ -39,6 +39,8 @@ + ti,davinci-ctrl-ram-size = <0x2000>; + ti,davinci-rmii-en = /bits/ 8 <1>; + local-mac-address = [ 00 00 00 00 00 00 ]; ++ clocks = <&emac_ick>; ++ clock-names = "ick"; + }; + + davinci_mdio: ethernet@5c030000 { +@@ -49,6 +51,8 @@ + bus_freq = <1000000>; + #address-cells = <1>; + #size-cells = <0>; ++ clocks = <&emac_fck>; ++ clock-names = "fck"; + }; + + uart4: serial@4809e000 { +diff --git a/arch/arm/boot/dts/dra7.dtsi b/arch/arm/boot/dts/dra7.dtsi +index f4ddd86f2c77..9cace9f3dd15 100644 +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -1582,7 +1582,6 @@ + dr_mode = "otg"; + snps,dis_u3_susphy_quirk; + snps,dis_u2_susphy_quirk; +- snps,dis_metastability_quirk; + }; + }; + +@@ -1610,6 +1609,7 @@ + dr_mode = "otg"; + snps,dis_u3_susphy_quirk; + snps,dis_u2_susphy_quirk; ++ snps,dis_metastability_quirk; + }; + }; + +diff --git a/arch/arm/boot/dts/imx51-zii-rdu1.dts b/arch/arm/boot/dts/imx51-zii-rdu1.dts +index 6464f2560e06..0662217751dc 100644 +--- a/arch/arm/boot/dts/imx51-zii-rdu1.dts ++++ b/arch/arm/boot/dts/imx51-zii-rdu1.dts +@@ -768,7 +768,7 @@ + + pinctrl_ts: tsgrp { + fsl,pins = < +- MX51_PAD_CSI1_D8__GPIO3_12 0x85 ++ MX51_PAD_CSI1_D8__GPIO3_12 0x04 + MX51_PAD_CSI1_D9__GPIO3_13 0x85 + >; + }; +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S +index f03402efab4b..3891805bfcdd 100644 +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -1265,7 +1265,7 @@ cleanup_critical: + jl 0f + clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end + jl .Lcleanup_load_fpu_regs +-0: BR_EX %r14 ++0: BR_EX %r14,%r11 + + .align 8 + .Lcleanup_table: +@@ -1301,7 +1301,7 @@ cleanup_critical: + ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE + lctlg %c1,%c1,__LC_USER_ASCE # load primary asce + larl %r9,sie_exit # skip forward to sie_exit +- BR_EX %r14 ++ BR_EX %r14,%r11 + #endif + + .Lcleanup_system_call: +diff --git a/drivers/acpi/acpica/uterror.c b/drivers/acpi/acpica/uterror.c +index 5a64ddaed8a3..e47430272692 100644 +--- a/drivers/acpi/acpica/uterror.c ++++ b/drivers/acpi/acpica/uterror.c +@@ -182,19 +182,19 @@ acpi_ut_prefixed_namespace_error(const char *module_name, + switch (lookup_status) { + case AE_ALREADY_EXISTS: + +- acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR); ++ acpi_os_printf(ACPI_MSG_BIOS_ERROR); + message = "Failure creating"; + break; + + case AE_NOT_FOUND: + +- acpi_os_printf("\n" ACPI_MSG_BIOS_ERROR); ++ acpi_os_printf(ACPI_MSG_BIOS_ERROR); + message = "Could not resolve"; + break; + + default: + +- acpi_os_printf("\n" ACPI_MSG_ERROR); ++ acpi_os_printf(ACPI_MSG_ERROR); + message = "Failure resolving"; + break; + } +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index bdb24d636d9a..4cc7bfec76ff 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -709,10 +709,11 @@ void battery_hook_register(struct acpi_battery_hook *hook) + */ + pr_err("extension failed to load: %s", hook->name); + __battery_hook_unregister(hook, 0); +- return; ++ goto end; + } + } + pr_info("new extension: %s\n", hook->name); ++end: + mutex_unlock(&hook_mutex); + } + EXPORT_SYMBOL_GPL(battery_hook_register); +@@ -724,7 +725,7 @@ EXPORT_SYMBOL_GPL(battery_hook_register); + */ + static void battery_hook_add_battery(struct acpi_battery *battery) + { +- struct acpi_battery_hook *hook_node; ++ struct acpi_battery_hook *hook_node, *tmp; + + mutex_lock(&hook_mutex); + INIT_LIST_HEAD(&battery->list); +@@ -736,15 +737,15 @@ static void battery_hook_add_battery(struct acpi_battery *battery) + * when a battery gets hotplugged or initialized + * during the battery module initialization. + */ +- list_for_each_entry(hook_node, &battery_hook_list, list) { ++ list_for_each_entry_safe(hook_node, tmp, &battery_hook_list, list) { + if (hook_node->add_battery(battery->bat)) { + /* + * The notification of the extensions has failed, to + * prevent further errors we will unload the extension. + */ +- __battery_hook_unregister(hook_node, 0); + pr_err("error in extension, unloading: %s", + hook_node->name); ++ __battery_hook_unregister(hook_node, 0); + } + } + mutex_unlock(&hook_mutex); +diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c +index 1476cb3439f4..5e793dd7adfb 100644 +--- a/drivers/block/drbd/drbd_worker.c ++++ b/drivers/block/drbd/drbd_worker.c +@@ -282,8 +282,8 @@ void drbd_request_endio(struct bio *bio) + what = COMPLETED_OK; + } + +- bio_put(req->private_bio); + req->private_bio = ERR_PTR(blk_status_to_errno(bio->bi_status)); ++ bio_put(bio); + + /* not req_mod(), we need irqsave here! */ + spin_lock_irqsave(&device->resource->req_lock, flags); +diff --git a/drivers/dax/super.c b/drivers/dax/super.c +index 2b2332b605e4..1d2de641cabb 100644 +--- a/drivers/dax/super.c ++++ b/drivers/dax/super.c +@@ -74,42 +74,50 @@ EXPORT_SYMBOL_GPL(fs_dax_get_by_bdev); + + /** + * __bdev_dax_supported() - Check if the device supports dax for filesystem +- * @sb: The superblock of the device ++ * @bdev: block device to check + * @blocksize: The block size of the device + * + * This is a library function for filesystems to check if the block device + * can be mounted with dax option. + * +- * Return: negative errno if unsupported, 0 if supported. ++ * Return: true if supported, false if unsupported + */ +-int __bdev_dax_supported(struct super_block *sb, int blocksize) ++bool __bdev_dax_supported(struct block_device *bdev, int blocksize) + { +- struct block_device *bdev = sb->s_bdev; + struct dax_device *dax_dev; ++ struct request_queue *q; + pgoff_t pgoff; + int err, id; + void *kaddr; + pfn_t pfn; + long len; ++ char buf[BDEVNAME_SIZE]; + + if (blocksize != PAGE_SIZE) { +- pr_debug("VFS (%s): error: unsupported blocksize for dax\n", +- sb->s_id); +- return -EINVAL; ++ pr_debug("%s: error: unsupported blocksize for dax\n", ++ bdevname(bdev, buf)); ++ return false; ++ } ++ ++ q = bdev_get_queue(bdev); ++ if (!q || !blk_queue_dax(q)) { ++ pr_debug("%s: error: request queue doesn't support dax\n", ++ bdevname(bdev, buf)); ++ return false; + } + + err = bdev_dax_pgoff(bdev, 0, PAGE_SIZE, &pgoff); + if (err) { +- pr_debug("VFS (%s): error: unaligned partition for dax\n", +- sb->s_id); +- return err; ++ pr_debug("%s: error: unaligned partition for dax\n", ++ bdevname(bdev, buf)); ++ return false; + } + + dax_dev = dax_get_by_host(bdev->bd_disk->disk_name); + if (!dax_dev) { +- pr_debug("VFS (%s): error: device does not support dax\n", +- sb->s_id); +- return -EOPNOTSUPP; ++ pr_debug("%s: error: device does not support dax\n", ++ bdevname(bdev, buf)); ++ return false; + } + + id = dax_read_lock(); +@@ -119,9 +127,9 @@ int __bdev_dax_supported(struct super_block *sb, int blocksize) + put_dax(dax_dev); + + if (len < 1) { +- pr_debug("VFS (%s): error: dax access failed (%ld)\n", +- sb->s_id, len); +- return len < 0 ? len : -EIO; ++ pr_debug("%s: error: dax access failed (%ld)\n", ++ bdevname(bdev, buf), len); ++ return false; + } + + if (IS_ENABLED(CONFIG_FS_DAX_LIMITED) && pfn_t_special(pfn)) { +@@ -137,12 +145,12 @@ int __bdev_dax_supported(struct super_block *sb, int blocksize) + } else if (pfn_t_devmap(pfn)) { + /* pass */; + } else { +- pr_debug("VFS (%s): error: dax support not enabled\n", +- sb->s_id); +- return -EOPNOTSUPP; ++ pr_debug("%s: error: dax support not enabled\n", ++ bdevname(bdev, buf)); ++ return false; + } + +- return 0; ++ return true; + } + EXPORT_SYMBOL_GPL(__bdev_dax_supported); + #endif +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +index c8b605f3dc05..06401f0cde6d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h +@@ -188,6 +188,7 @@ struct amdgpu_job; + struct amdgpu_irq_src; + struct amdgpu_fpriv; + struct amdgpu_bo_va_mapping; ++struct amdgpu_atif; + + enum amdgpu_cp_irq { + AMDGPU_CP_IRQ_GFX_EOP = 0, +@@ -1246,43 +1247,6 @@ struct amdgpu_vram_scratch { + /* + * ACPI + */ +-struct amdgpu_atif_notification_cfg { +- bool enabled; +- int command_code; +-}; +- +-struct amdgpu_atif_notifications { +- bool display_switch; +- bool expansion_mode_change; +- bool thermal_state; +- bool forced_power_state; +- bool system_power_state; +- bool display_conf_change; +- bool px_gfx_switch; +- bool brightness_change; +- bool dgpu_display_event; +-}; +- +-struct amdgpu_atif_functions { +- bool system_params; +- bool sbios_requests; +- bool select_active_disp; +- bool lid_state; +- bool get_tv_standard; +- bool set_tv_standard; +- bool get_panel_expansion_mode; +- bool set_panel_expansion_mode; +- bool temperature_change; +- bool graphics_device_types; +-}; +- +-struct amdgpu_atif { +- struct amdgpu_atif_notifications notifications; +- struct amdgpu_atif_functions functions; +- struct amdgpu_atif_notification_cfg notification_cfg; +- struct amdgpu_encoder *encoder_for_bl; +-}; +- + struct amdgpu_atcs_functions { + bool get_ext_state; + bool pcie_perf_req; +@@ -1430,7 +1394,7 @@ struct amdgpu_device { + #if defined(CONFIG_DEBUG_FS) + struct dentry *debugfs_regs[AMDGPU_DEBUGFS_MAX_COMPONENTS]; + #endif +- struct amdgpu_atif atif; ++ struct amdgpu_atif *atif; + struct amdgpu_atcs atcs; + struct mutex srbm_mutex; + /* GRBM index mutex. Protects concurrent access to GRBM index */ +@@ -1855,6 +1819,12 @@ static inline bool amdgpu_atpx_dgpu_req_power_for_displays(void) { return false; + static inline bool amdgpu_has_atpx(void) { return false; } + #endif + ++#if defined(CONFIG_VGA_SWITCHEROO) && defined(CONFIG_ACPI) ++void *amdgpu_atpx_get_dhandle(void); ++#else ++static inline void *amdgpu_atpx_get_dhandle(void) { return NULL; } ++#endif ++ + /* + * KMS + */ +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +index 8fa850a070e0..0d8c3fc6eace 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +@@ -34,6 +34,45 @@ + #include "amd_acpi.h" + #include "atom.h" + ++struct amdgpu_atif_notification_cfg { ++ bool enabled; ++ int command_code; ++}; ++ ++struct amdgpu_atif_notifications { ++ bool display_switch; ++ bool expansion_mode_change; ++ bool thermal_state; ++ bool forced_power_state; ++ bool system_power_state; ++ bool display_conf_change; ++ bool px_gfx_switch; ++ bool brightness_change; ++ bool dgpu_display_event; ++}; ++ ++struct amdgpu_atif_functions { ++ bool system_params; ++ bool sbios_requests; ++ bool select_active_disp; ++ bool lid_state; ++ bool get_tv_standard; ++ bool set_tv_standard; ++ bool get_panel_expansion_mode; ++ bool set_panel_expansion_mode; ++ bool temperature_change; ++ bool graphics_device_types; ++}; ++ ++struct amdgpu_atif { ++ acpi_handle handle; ++ ++ struct amdgpu_atif_notifications notifications; ++ struct amdgpu_atif_functions functions; ++ struct amdgpu_atif_notification_cfg notification_cfg; ++ struct amdgpu_encoder *encoder_for_bl; ++}; ++ + /* Call the ATIF method + */ + /** +@@ -46,8 +85,9 @@ + * Executes the requested ATIF function (all asics). + * Returns a pointer to the acpi output buffer. + */ +-static union acpi_object *amdgpu_atif_call(acpi_handle handle, int function, +- struct acpi_buffer *params) ++static union acpi_object *amdgpu_atif_call(struct amdgpu_atif *atif, ++ int function, ++ struct acpi_buffer *params) + { + acpi_status status; + union acpi_object atif_arg_elements[2]; +@@ -70,7 +110,8 @@ static union acpi_object *amdgpu_atif_call(acpi_handle handle, int function, + atif_arg_elements[1].integer.value = 0; + } + +- status = acpi_evaluate_object(handle, "ATIF", &atif_arg, &buffer); ++ status = acpi_evaluate_object(atif->handle, NULL, &atif_arg, ++ &buffer); + + /* Fail only if calling the method fails and ATIF is supported */ + if (ACPI_FAILURE(status) && status != AE_NOT_FOUND) { +@@ -141,15 +182,14 @@ static void amdgpu_atif_parse_functions(struct amdgpu_atif_functions *f, u32 mas + * (all asics). + * returns 0 on success, error on failure. + */ +-static int amdgpu_atif_verify_interface(acpi_handle handle, +- struct amdgpu_atif *atif) ++static int amdgpu_atif_verify_interface(struct amdgpu_atif *atif) + { + union acpi_object *info; + struct atif_verify_interface output; + size_t size; + int err = 0; + +- info = amdgpu_atif_call(handle, ATIF_FUNCTION_VERIFY_INTERFACE, NULL); ++ info = amdgpu_atif_call(atif, ATIF_FUNCTION_VERIFY_INTERFACE, NULL); + if (!info) + return -EIO; + +@@ -176,6 +216,35 @@ static int amdgpu_atif_verify_interface(acpi_handle handle, + return err; + } + ++static acpi_handle amdgpu_atif_probe_handle(acpi_handle dhandle) ++{ ++ acpi_handle handle = NULL; ++ char acpi_method_name[255] = { 0 }; ++ struct acpi_buffer buffer = { sizeof(acpi_method_name), acpi_method_name }; ++ acpi_status status; ++ ++ /* For PX/HG systems, ATIF and ATPX are in the iGPU's namespace, on dGPU only ++ * systems, ATIF is in the dGPU's namespace. ++ */ ++ status = acpi_get_handle(dhandle, "ATIF", &handle); ++ if (ACPI_SUCCESS(status)) ++ goto out; ++ ++ if (amdgpu_has_atpx()) { ++ status = acpi_get_handle(amdgpu_atpx_get_dhandle(), "ATIF", ++ &handle); ++ if (ACPI_SUCCESS(status)) ++ goto out; ++ } ++ ++ DRM_DEBUG_DRIVER("No ATIF handle found\n"); ++ return NULL; ++out: ++ acpi_get_name(handle, ACPI_FULL_PATHNAME, &buffer); ++ DRM_DEBUG_DRIVER("Found ATIF handle %s\n", acpi_method_name); ++ return handle; ++} ++ + /** + * amdgpu_atif_get_notification_params - determine notify configuration + * +@@ -188,15 +257,16 @@ static int amdgpu_atif_verify_interface(acpi_handle handle, + * where n is specified in the result if a notifier is used. + * Returns 0 on success, error on failure. + */ +-static int amdgpu_atif_get_notification_params(acpi_handle handle, +- struct amdgpu_atif_notification_cfg *n) ++static int amdgpu_atif_get_notification_params(struct amdgpu_atif *atif) + { + union acpi_object *info; ++ struct amdgpu_atif_notification_cfg *n = &atif->notification_cfg; + struct atif_system_params params; + size_t size; + int err = 0; + +- info = amdgpu_atif_call(handle, ATIF_FUNCTION_GET_SYSTEM_PARAMETERS, NULL); ++ info = amdgpu_atif_call(atif, ATIF_FUNCTION_GET_SYSTEM_PARAMETERS, ++ NULL); + if (!info) { + err = -EIO; + goto out; +@@ -250,14 +320,15 @@ static int amdgpu_atif_get_notification_params(acpi_handle handle, + * (all asics). + * Returns 0 on success, error on failure. + */ +-static int amdgpu_atif_get_sbios_requests(acpi_handle handle, +- struct atif_sbios_requests *req) ++static int amdgpu_atif_get_sbios_requests(struct amdgpu_atif *atif, ++ struct atif_sbios_requests *req) + { + union acpi_object *info; + size_t size; + int count = 0; + +- info = amdgpu_atif_call(handle, ATIF_FUNCTION_GET_SYSTEM_BIOS_REQUESTS, NULL); ++ info = amdgpu_atif_call(atif, ATIF_FUNCTION_GET_SYSTEM_BIOS_REQUESTS, ++ NULL); + if (!info) + return -EIO; + +@@ -290,11 +361,10 @@ static int amdgpu_atif_get_sbios_requests(acpi_handle handle, + * Returns NOTIFY code + */ + static int amdgpu_atif_handler(struct amdgpu_device *adev, +- struct acpi_bus_event *event) ++ struct acpi_bus_event *event) + { +- struct amdgpu_atif *atif = &adev->atif; ++ struct amdgpu_atif *atif = adev->atif; + struct atif_sbios_requests req; +- acpi_handle handle; + int count; + + DRM_DEBUG_DRIVER("event, device_class = %s, type = %#x\n", +@@ -303,14 +373,14 @@ static int amdgpu_atif_handler(struct amdgpu_device *adev, + if (strcmp(event->device_class, ACPI_VIDEO_CLASS) != 0) + return NOTIFY_DONE; + +- if (!atif->notification_cfg.enabled || ++ if (!atif || ++ !atif->notification_cfg.enabled || + event->type != atif->notification_cfg.command_code) + /* Not our event */ + return NOTIFY_DONE; + + /* Check pending SBIOS requests */ +- handle = ACPI_HANDLE(&adev->pdev->dev); +- count = amdgpu_atif_get_sbios_requests(handle, &req); ++ count = amdgpu_atif_get_sbios_requests(atif, &req); + + if (count <= 0) + return NOTIFY_DONE; +@@ -641,8 +711,8 @@ static int amdgpu_acpi_event(struct notifier_block *nb, + */ + int amdgpu_acpi_init(struct amdgpu_device *adev) + { +- acpi_handle handle; +- struct amdgpu_atif *atif = &adev->atif; ++ acpi_handle handle, atif_handle; ++ struct amdgpu_atif *atif; + struct amdgpu_atcs *atcs = &adev->atcs; + int ret; + +@@ -658,12 +728,26 @@ int amdgpu_acpi_init(struct amdgpu_device *adev) + DRM_DEBUG_DRIVER("Call to ATCS verify_interface failed: %d\n", ret); + } + ++ /* Probe for ATIF, and initialize it if found */ ++ atif_handle = amdgpu_atif_probe_handle(handle); ++ if (!atif_handle) ++ goto out; ++ ++ atif = kzalloc(sizeof(*atif), GFP_KERNEL); ++ if (!atif) { ++ DRM_WARN("Not enough memory to initialize ATIF\n"); ++ goto out; ++ } ++ atif->handle = atif_handle; ++ + /* Call the ATIF method */ +- ret = amdgpu_atif_verify_interface(handle, atif); ++ ret = amdgpu_atif_verify_interface(atif); + if (ret) { + DRM_DEBUG_DRIVER("Call to ATIF verify_interface failed: %d\n", ret); ++ kfree(atif); + goto out; + } ++ adev->atif = atif; + + if (atif->notifications.brightness_change) { + struct drm_encoder *tmp; +@@ -693,8 +777,7 @@ int amdgpu_acpi_init(struct amdgpu_device *adev) + } + + if (atif->functions.system_params) { +- ret = amdgpu_atif_get_notification_params(handle, +- &atif->notification_cfg); ++ ret = amdgpu_atif_get_notification_params(atif); + if (ret) { + DRM_DEBUG_DRIVER("Call to GET_SYSTEM_PARAMS failed: %d\n", + ret); +@@ -720,4 +803,6 @@ int amdgpu_acpi_init(struct amdgpu_device *adev) + void amdgpu_acpi_fini(struct amdgpu_device *adev) + { + unregister_acpi_notifier(&adev->acpi_nb); ++ if (adev->atif) ++ kfree(adev->atif); + } +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c +index 1ae5ae8c45a4..2593b106d970 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c +@@ -90,6 +90,12 @@ bool amdgpu_atpx_dgpu_req_power_for_displays(void) { + return amdgpu_atpx_priv.atpx.dgpu_req_power_for_displays; + } + ++#if defined(CONFIG_ACPI) ++void *amdgpu_atpx_get_dhandle(void) { ++ return amdgpu_atpx_priv.dhandle; ++} ++#endif ++ + /** + * amdgpu_atpx_call - call an ATPX method + * +diff --git a/drivers/gpu/drm/drm_property.c b/drivers/gpu/drm/drm_property.c +index 8f4672daac7f..52174d017fb4 100644 +--- a/drivers/gpu/drm/drm_property.c ++++ b/drivers/gpu/drm/drm_property.c +@@ -533,7 +533,7 @@ static void drm_property_free_blob(struct kref *kref) + + drm_mode_object_unregister(blob->dev, &blob->base); + +- kfree(blob); ++ kvfree(blob); + } + + /** +@@ -560,7 +560,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, + if (!length || length > ULONG_MAX - sizeof(struct drm_property_blob)) + return ERR_PTR(-EINVAL); + +- blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); ++ blob = kvzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); + if (!blob) + return ERR_PTR(-ENOMEM); + +@@ -577,7 +577,7 @@ drm_property_create_blob(struct drm_device *dev, size_t length, + ret = __drm_mode_object_add(dev, &blob->base, DRM_MODE_OBJECT_BLOB, + true, drm_property_free_blob); + if (ret) { +- kfree(blob); ++ kvfree(blob); + return ERR_PTR(-EINVAL); + } + +diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c +index 2ebdc6d5a76e..d5583190f3e4 100644 +--- a/drivers/gpu/drm/udl/udl_fb.c ++++ b/drivers/gpu/drm/udl/udl_fb.c +@@ -137,7 +137,10 @@ int udl_handle_damage(struct udl_framebuffer *fb, int x, int y, + + if (cmd > (char *) urb->transfer_buffer) { + /* Send partial buffer remaining before exiting */ +- int len = cmd - (char *) urb->transfer_buffer; ++ int len; ++ if (cmd < (char *) urb->transfer_buffer + urb->transfer_buffer_length) ++ *cmd++ = 0xAF; ++ len = cmd - (char *) urb->transfer_buffer; + ret = udl_submit_urb(dev, urb, len); + bytes_sent += len; + } else +diff --git a/drivers/gpu/drm/udl/udl_transfer.c b/drivers/gpu/drm/udl/udl_transfer.c +index 0c87b1ac6b68..b992644c17e6 100644 +--- a/drivers/gpu/drm/udl/udl_transfer.c ++++ b/drivers/gpu/drm/udl/udl_transfer.c +@@ -153,11 +153,11 @@ static void udl_compress_hline16( + raw_pixels_count_byte = cmd++; /* we'll know this later */ + raw_pixel_start = pixel; + +- cmd_pixel_end = pixel + (min(MAX_CMD_PIXELS + 1, +- min((int)(pixel_end - pixel) / bpp, +- (int)(cmd_buffer_end - cmd) / 2))) * bpp; ++ cmd_pixel_end = pixel + min3(MAX_CMD_PIXELS + 1UL, ++ (unsigned long)(pixel_end - pixel) / bpp, ++ (unsigned long)(cmd_buffer_end - 1 - cmd) / 2) * bpp; + +- prefetch_range((void *) pixel, (cmd_pixel_end - pixel) * bpp); ++ prefetch_range((void *) pixel, cmd_pixel_end - pixel); + pixel_val16 = get_pixel_val16(pixel, bpp); + + while (pixel < cmd_pixel_end) { +@@ -193,6 +193,9 @@ static void udl_compress_hline16( + if (pixel > raw_pixel_start) { + /* finalize last RAW span */ + *raw_pixels_count_byte = ((pixel-raw_pixel_start) / bpp) & 0xFF; ++ } else { ++ /* undo unused byte */ ++ cmd--; + } + + *cmd_pixels_count_byte = ((pixel - cmd_pixel_start) / bpp) & 0xFF; +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 5d7cc6bbbac6..c1ce4baeeaca 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1942,6 +1942,8 @@ static int hid_device_probe(struct device *dev) + } + hdev->io_started = false; + ++ clear_bit(ffs(HID_STAT_REPROBED), &hdev->status); ++ + if (!hdev->driver) { + id = hid_match_device(hdev, hdrv); + if (id == NULL) { +@@ -2205,7 +2207,8 @@ static int __hid_bus_reprobe_drivers(struct device *dev, void *data) + struct hid_device *hdev = to_hid_device(dev); + + if (hdev->driver == hdrv && +- !hdrv->match(hdev, hid_ignore_special_drivers)) ++ !hdrv->match(hdev, hid_ignore_special_drivers) && ++ !test_and_set_bit(ffs(HID_STAT_REPROBED), &hdev->status)) + return device_reprobe(dev); + + return 0; +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index 4f4e7a08a07b..4db8e140f709 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -1154,6 +1154,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, + goto out; + if (list->tail > list->head) { + len = list->tail - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1163,6 +1165,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, + list->head += len; + } else { + len = HID_DEBUG_BUFSIZE - list->head; ++ if (len > count) ++ len = count; + + if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { + ret = -EFAULT; +@@ -1170,7 +1174,9 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, + } + list->head = 0; + ret += len; +- goto copy_rest; ++ count -= len; ++ if (count > 0) ++ goto copy_rest; + } + + } +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c +index cc33622253aa..a92377285034 100644 +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -486,7 +486,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid) + return; + } + +- if ((ret_size > size) || (ret_size <= 2)) { ++ if ((ret_size > size) || (ret_size < 2)) { + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", + __func__, size, ret_size); + return; +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c +index e3ce233f8bdc..23872d08308c 100644 +--- a/drivers/hid/usbhid/hiddev.c ++++ b/drivers/hid/usbhid/hiddev.c +@@ -36,6 +36,7 @@ + #include <linux/hiddev.h> + #include <linux/compat.h> + #include <linux/vmalloc.h> ++#include <linux/nospec.h> + #include "usbhid.h" + + #ifdef CONFIG_USB_DYNAMIC_MINORS +@@ -469,10 +470,14 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + if (uref->usage_index >= field->maxusage) + goto inval; ++ uref->usage_index = array_index_nospec(uref->usage_index, ++ field->maxusage); + + uref->usage_code = field->usage[uref->usage_index].hid; + +@@ -499,6 +504,8 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd, + + if (uref->field_index >= report->maxfield) + goto inval; ++ uref->field_index = array_index_nospec(uref->field_index, ++ report->maxfield); + + field = report->field[uref->field_index]; + +@@ -753,6 +760,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + if (finfo.field_index >= report->maxfield) + break; ++ finfo.field_index = array_index_nospec(finfo.field_index, ++ report->maxfield); + + field = report->field[finfo.field_index]; + memset(&finfo, 0, sizeof(finfo)); +@@ -797,6 +806,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + + if (cinfo.index >= hid->maxcollection) + break; ++ cinfo.index = array_index_nospec(cinfo.index, ++ hid->maxcollection); + + cinfo.type = hid->collection[cinfo.index].type; + cinfo.usage = hid->collection[cinfo.index].usage; +diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c +index b5aec33002c3..51970bae3c4a 100644 +--- a/drivers/i2c/i2c-core-smbus.c ++++ b/drivers/i2c/i2c-core-smbus.c +@@ -465,13 +465,18 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, + + status = i2c_transfer(adapter, msg, num); + if (status < 0) +- return status; ++ goto cleanup; ++ if (status != num) { ++ status = -EIO; ++ goto cleanup; ++ } ++ status = 0; + + /* Check PEC if last message is a read */ + if (i && (msg[num-1].flags & I2C_M_RD)) { + status = i2c_smbus_check_pec(partial_pec, &msg[num-1]); + if (status < 0) +- return status; ++ goto cleanup; + } + + if (read_write == I2C_SMBUS_READ) +@@ -497,12 +502,13 @@ static s32 i2c_smbus_xfer_emulated(struct i2c_adapter *adapter, u16 addr, + break; + } + ++cleanup: + if (msg[0].flags & I2C_M_DMA_SAFE) + kfree(msg[0].buf); + if (msg[1].flags & I2C_M_DMA_SAFE) + kfree(msg[1].buf); + +- return 0; ++ return status; + } + + /** +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index 0589a4da12bb..7c8e5878446a 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -885,9 +885,7 @@ EXPORT_SYMBOL_GPL(dm_table_set_type); + static int device_supports_dax(struct dm_target *ti, struct dm_dev *dev, + sector_t start, sector_t len, void *data) + { +- struct request_queue *q = bdev_get_queue(dev->bdev); +- +- return q && blk_queue_dax(q); ++ return bdev_dax_supported(dev->bdev, PAGE_SIZE); + } + + static bool dm_table_supports_dax(struct dm_table *t) +@@ -1907,6 +1905,9 @@ void dm_table_set_restrictions(struct dm_table *t, struct request_queue *q, + + if (dm_table_supports_dax(t)) + blk_queue_flag_set(QUEUE_FLAG_DAX, q); ++ else ++ blk_queue_flag_clear(QUEUE_FLAG_DAX, q); ++ + if (dm_table_supports_dax_write_cache(t)) + dax_write_cache(t->md->dax_dev, true); + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index cabae3e280c2..78173e137176 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1056,8 +1056,7 @@ static long dm_dax_direct_access(struct dax_device *dax_dev, pgoff_t pgoff, + if (len < 1) + goto out; + nr_pages = min(len, nr_pages); +- if (ti->type->direct_access) +- ret = ti->type->direct_access(ti, pgoff, nr_pages, kaddr, pfn); ++ ret = ti->type->direct_access(ti, pgoff, nr_pages, kaddr, pfn); + + out: + dm_put_live_table(md, srcu_idx); +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c +index 3a8a88fa06aa..a863ae4e8538 100644 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -42,7 +42,7 @@ + #define AMD_BOOTLOC_BUG + #define FORCE_WORD_WRITE 0 + +-#define MAX_WORD_RETRIES 3 ++#define MAX_RETRIES 3 + + #define SST49LF004B 0x0060 + #define SST49LF040B 0x0050 +@@ -1647,7 +1647,7 @@ static int __xipram do_write_oneword(struct map_info *map, struct flchip *chip, + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- if (++retry_cnt <= MAX_WORD_RETRIES) ++ if (++retry_cnt <= MAX_RETRIES) + goto retry; + + ret = -EIO; +@@ -2106,7 +2106,7 @@ static int do_panic_write_oneword(struct map_info *map, struct flchip *chip, + map_write(map, CMD(0xF0), chip->start); + /* FIXME - should have reset delay before continuing */ + +- if (++retry_cnt <= MAX_WORD_RETRIES) ++ if (++retry_cnt <= MAX_RETRIES) + goto retry; + + ret = -EIO; +@@ -2241,6 +2241,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + unsigned long int adr; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr = cfi->addr_unlock1; + +@@ -2258,6 +2259,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2294,12 +2296,13 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + chip->erase_suspended = 0; + } + +- if (chip_ready(map, adr)) ++ if (chip_good(map, adr, map_word_ff(map))) + break; + + if (time_after(jiffies, timeo)) { + printk(KERN_WARNING "MTD %s(): software timeout\n", + __func__ ); ++ ret = -EIO; + break; + } + +@@ -2307,12 +2310,15 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip) + UDELAY(map, chip, adr, 1000000/HZ); + } + /* Did we succeed? */ +- if (!chip_good(map, adr, map_word_ff(map))) { ++ if (ret) { + /* reset on all failures. */ + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- ret = -EIO; ++ if (++retry_cnt <= MAX_RETRIES) { ++ ret = 0; ++ goto retry; ++ } + } + + chip->state = FL_READY; +@@ -2331,6 +2337,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + unsigned long timeo = jiffies + HZ; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr += chip->start; + +@@ -2348,6 +2355,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2384,7 +2392,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + chip->erase_suspended = 0; + } + +- if (chip_ready(map, adr)) { ++ if (chip_good(map, adr, map_word_ff(map))) { + xip_enable(map, chip, adr); + break; + } +@@ -2393,6 +2401,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + xip_enable(map, chip, adr); + printk(KERN_WARNING "MTD %s(): software timeout\n", + __func__ ); ++ ret = -EIO; + break; + } + +@@ -2400,12 +2409,15 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip, + UDELAY(map, chip, adr, 1000000/HZ); + } + /* Did we succeed? */ +- if (!chip_good(map, adr, map_word_ff(map))) { ++ if (ret) { + /* reset on all failures. */ + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + +- ret = -EIO; ++ if (++retry_cnt <= MAX_RETRIES) { ++ ret = 0; ++ goto retry; ++ } + } + + chip->state = FL_READY; +diff --git a/drivers/pci/pci-acpi.c b/drivers/pci/pci-acpi.c +index 1abdbf267c19..054974055ea4 100644 +--- a/drivers/pci/pci-acpi.c ++++ b/drivers/pci/pci-acpi.c +@@ -598,6 +598,18 @@ static bool acpi_pci_need_resume(struct pci_dev *dev) + { + struct acpi_device *adev = ACPI_COMPANION(&dev->dev); + ++ /* ++ * In some cases (eg. Samsung 305V4A) leaving a bridge in suspend over ++ * system-wide suspend/resume confuses the platform firmware, so avoid ++ * doing that, unless the bridge has a driver that should take care of ++ * the PM handling. According to Section 16.1.6 of ACPI 6.2, endpoint ++ * devices are expected to be in D3 before invoking the S3 entry path ++ * from the firmware, so they should not be affected by this issue. ++ */ ++ if (pci_is_bridge(dev) && !dev->driver && ++ acpi_target_system_state() != ACPI_STATE_S0) ++ return true; ++ + if (!adev || !acpi_device_power_manageable(adev)) + return false; + +diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c +index e7961cbd2c55..1d20aad3aa92 100644 +--- a/drivers/scsi/aacraid/aachba.c ++++ b/drivers/scsi/aacraid/aachba.c +@@ -1974,7 +1974,6 @@ static void aac_set_safw_attr_all_targets(struct aac_dev *dev) + u32 lun_count, nexus; + u32 i, bus, target; + u8 expose_flag, attribs; +- u8 devtype; + + lun_count = aac_get_safw_phys_lun_count(dev); + +@@ -1992,23 +1991,23 @@ static void aac_set_safw_attr_all_targets(struct aac_dev *dev) + continue; + + if (expose_flag != 0) { +- devtype = AAC_DEVTYPE_RAID_MEMBER; +- goto update_devtype; ++ dev->hba_map[bus][target].devtype = ++ AAC_DEVTYPE_RAID_MEMBER; ++ continue; + } + + if (nexus != 0 && (attribs & 8)) { +- devtype = AAC_DEVTYPE_NATIVE_RAW; ++ dev->hba_map[bus][target].devtype = ++ AAC_DEVTYPE_NATIVE_RAW; + dev->hba_map[bus][target].rmw_nexus = + nexus; + } else +- devtype = AAC_DEVTYPE_ARC_RAW; ++ dev->hba_map[bus][target].devtype = ++ AAC_DEVTYPE_ARC_RAW; + + dev->hba_map[bus][target].scan_counter = dev->scan_counter; + + aac_set_safw_target_qd(dev, bus, target); +- +-update_devtype: +- dev->hba_map[bus][target].devtype = devtype; + } + } + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 5c40d809830f..ecc87a53294f 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -51,6 +51,7 @@ static int sg_version_num = 30536; /* 2 digits for each component */ + #include <linux/atomic.h> + #include <linux/ratelimit.h> + #include <linux/uio.h> ++#include <linux/cred.h> /* for sg_check_file_access() */ + + #include "scsi.h" + #include <scsi/scsi_dbg.h> +@@ -210,6 +211,33 @@ static void sg_device_destroy(struct kref *kref); + sdev_prefix_printk(prefix, (sdp)->device, \ + (sdp)->disk->disk_name, fmt, ##a) + ++/* ++ * The SCSI interfaces that use read() and write() as an asynchronous variant of ++ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways ++ * to trigger read() and write() calls from various contexts with elevated ++ * privileges. This can lead to kernel memory corruption (e.g. if these ++ * interfaces are called through splice()) and privilege escalation inside ++ * userspace (e.g. if a process with access to such a device passes a file ++ * descriptor to a SUID binary as stdin/stdout/stderr). ++ * ++ * This function provides protection for the legacy API by restricting the ++ * calling context. ++ */ ++static int sg_check_file_access(struct file *filp, const char *caller) ++{ ++ if (filp->f_cred != current_real_cred()) { ++ pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EPERM; ++ } ++ if (uaccess_kernel()) { ++ pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n", ++ caller, task_tgid_vnr(current), current->comm); ++ return -EACCES; ++ } ++ return 0; ++} ++ + static int sg_allow_access(struct file *filp, unsigned char *cmd) + { + struct sg_fd *sfp = filp->private_data; +@@ -394,6 +422,14 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos) + struct sg_header *old_hdr = NULL; + int retval = 0; + ++ /* ++ * This could cause a response to be stranded. Close the associated ++ * file descriptor to free up any resources being held. ++ */ ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; ++ + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; + SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, +@@ -581,9 +617,11 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos) + struct sg_header old_hdr; + sg_io_hdr_t *hp; + unsigned char cmnd[SG_MAX_CDB_SIZE]; ++ int retval; + +- if (unlikely(uaccess_kernel())) +- return -EINVAL; ++ retval = sg_check_file_access(filp, __func__); ++ if (retval) ++ return retval; + + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp))) + return -ENXIO; +diff --git a/drivers/staging/comedi/drivers/quatech_daqp_cs.c b/drivers/staging/comedi/drivers/quatech_daqp_cs.c +index ea194aa01a64..257b0daff01f 100644 +--- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c ++++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c +@@ -642,7 +642,7 @@ static int daqp_ao_insn_write(struct comedi_device *dev, + /* Make sure D/A update mode is direct update */ + outb(0, dev->iobase + DAQP_AUX_REG); + +- for (i = 0; i > insn->n; i++) { ++ for (i = 0; i < insn->n; i++) { + unsigned int val = data[i]; + int ret; + +diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c +index 01ac306131c1..10db5656fd5d 100644 +--- a/drivers/target/target_core_pr.c ++++ b/drivers/target/target_core_pr.c +@@ -3727,11 +3727,16 @@ core_scsi3_pri_read_keys(struct se_cmd *cmd) + * Check for overflow of 8byte PRI READ_KEYS payload and + * next reservation key list descriptor. + */ +- if ((add_len + 8) > (cmd->data_length - 8)) +- break; +- +- put_unaligned_be64(pr_reg->pr_res_key, &buf[off]); +- off += 8; ++ if (off + 8 <= cmd->data_length) { ++ put_unaligned_be64(pr_reg->pr_res_key, &buf[off]); ++ off += 8; ++ } ++ /* ++ * SPC5r17: 6.16.2 READ KEYS service action ++ * The ADDITIONAL LENGTH field indicates the number of bytes in ++ * the Reservation key list. The contents of the ADDITIONAL ++ * LENGTH field are not altered based on the allocation length ++ */ + add_len += 8; + } + spin_unlock(&dev->t10_pr.registration_lock); +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 3c082451ab1a..0586ad5eb590 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -346,18 +346,16 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr, + struct page *page[1]; + struct vm_area_struct *vma; + struct vm_area_struct *vmas[1]; ++ unsigned int flags = 0; + int ret; + ++ if (prot & IOMMU_WRITE) ++ flags |= FOLL_WRITE; ++ ++ down_read(&mm->mmap_sem); + if (mm == current->mm) { +- ret = get_user_pages_longterm(vaddr, 1, !!(prot & IOMMU_WRITE), +- page, vmas); ++ ret = get_user_pages_longterm(vaddr, 1, flags, page, vmas); + } else { +- unsigned int flags = 0; +- +- if (prot & IOMMU_WRITE) +- flags |= FOLL_WRITE; +- +- down_read(&mm->mmap_sem); + ret = get_user_pages_remote(NULL, mm, vaddr, 1, flags, page, + vmas, NULL); + /* +@@ -371,8 +369,8 @@ static int vaddr_get_pfn(struct mm_struct *mm, unsigned long vaddr, + ret = -EOPNOTSUPP; + put_page(page[0]); + } +- up_read(&mm->mmap_sem); + } ++ up_read(&mm->mmap_sem); + + if (ret == 1) { + *pfn = page_to_pfn(page[0]); +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index cb950a5fa078..c7ee09d9a236 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1362,6 +1362,7 @@ typedef int (mid_handle_t)(struct TCP_Server_Info *server, + /* one of these for every pending CIFS request to the server */ + struct mid_q_entry { + struct list_head qhead; /* mids waiting on reply from this server */ ++ struct kref refcount; + struct TCP_Server_Info *server; /* server corresponding to this mid */ + __u64 mid; /* multiplex id */ + __u32 pid; /* process id */ +diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h +index 365a414a75e9..c4e5c69810f9 100644 +--- a/fs/cifs/cifsproto.h ++++ b/fs/cifs/cifsproto.h +@@ -76,6 +76,7 @@ extern struct mid_q_entry *AllocMidQEntry(const struct smb_hdr *smb_buffer, + struct TCP_Server_Info *server); + extern void DeleteMidQEntry(struct mid_q_entry *midEntry); + extern void cifs_delete_mid(struct mid_q_entry *mid); ++extern void cifs_mid_q_entry_release(struct mid_q_entry *midEntry); + extern void cifs_wake_up_task(struct mid_q_entry *mid); + extern int cifs_handle_standard(struct TCP_Server_Info *server, + struct mid_q_entry *mid); +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 1529a088383d..9540699ce85a 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -151,8 +151,14 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command) + * greater than cifs socket timeout which is 7 seconds + */ + while (server->tcpStatus == CifsNeedReconnect) { +- wait_event_interruptible_timeout(server->response_q, +- (server->tcpStatus != CifsNeedReconnect), 10 * HZ); ++ rc = wait_event_interruptible_timeout(server->response_q, ++ (server->tcpStatus != CifsNeedReconnect), ++ 10 * HZ); ++ if (rc < 0) { ++ cifs_dbg(FYI, "%s: aborting reconnect due to a received" ++ " signal by the process\n", __func__); ++ return -ERESTARTSYS; ++ } + + /* are we still trying to reconnect? */ + if (server->tcpStatus != CifsNeedReconnect) +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 7a10a5d0731f..5e1c09a3e0ea 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -906,6 +906,7 @@ cifs_demultiplex_thread(void *p) + continue; + server->total_read += length; + ++ mid_entry = NULL; + if (server->ops->is_transform_hdr && + server->ops->receive_transform && + server->ops->is_transform_hdr(buf)) { +@@ -920,8 +921,11 @@ cifs_demultiplex_thread(void *p) + length = mid_entry->receive(server, mid_entry); + } + +- if (length < 0) ++ if (length < 0) { ++ if (mid_entry) ++ cifs_mid_q_entry_release(mid_entry); + continue; ++ } + + if (server->large_buf) + buf = server->bigbuf; +@@ -938,6 +942,8 @@ cifs_demultiplex_thread(void *p) + + if (!mid_entry->multiRsp || mid_entry->multiEnd) + mid_entry->callback(mid_entry); ++ ++ cifs_mid_q_entry_release(mid_entry); + } else if (server->ops->is_oplock_break && + server->ops->is_oplock_break(buf, server)) { + cifs_dbg(FYI, "Received oplock break\n"); +diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c +index aff8ce8ba34d..646dcd149de1 100644 +--- a/fs/cifs/smb1ops.c ++++ b/fs/cifs/smb1ops.c +@@ -107,6 +107,7 @@ cifs_find_mid(struct TCP_Server_Info *server, char *buffer) + if (compare_mid(mid->mid, buf) && + mid->mid_state == MID_REQUEST_SUBMITTED && + le16_to_cpu(mid->command) == buf->Command) { ++ kref_get(&mid->refcount); + spin_unlock(&GlobalMid_Lock); + return mid; + } +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index 4ee32488ff74..824ec1742557 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -203,6 +203,7 @@ smb2_find_mid(struct TCP_Server_Info *server, char *buf) + if ((mid->mid == wire_mid) && + (mid->mid_state == MID_REQUEST_SUBMITTED) && + (mid->command == shdr->Command)) { ++ kref_get(&mid->refcount); + spin_unlock(&GlobalMid_Lock); + return mid; + } +@@ -654,6 +655,8 @@ smb2_set_ea(const unsigned int xid, struct cifs_tcon *tcon, + + rc = SMB2_set_ea(xid, tcon, fid.persistent_fid, fid.volatile_fid, ea, + len); ++ kfree(ea); ++ + SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); + + return rc; +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 32d7fd830aae..71013c5268b9 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -154,7 +154,7 @@ smb2_hdr_assemble(struct smb2_sync_hdr *shdr, __le16 smb2_cmd, + static int + smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + { +- int rc = 0; ++ int rc; + struct nls_table *nls_codepage; + struct cifs_ses *ses; + struct TCP_Server_Info *server; +@@ -165,10 +165,10 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + * for those three - in the calling routine. + */ + if (tcon == NULL) +- return rc; ++ return 0; + + if (smb2_command == SMB2_TREE_CONNECT) +- return rc; ++ return 0; + + if (tcon->tidStatus == CifsExiting) { + /* +@@ -211,8 +211,14 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + return -EAGAIN; + } + +- wait_event_interruptible_timeout(server->response_q, +- (server->tcpStatus != CifsNeedReconnect), 10 * HZ); ++ rc = wait_event_interruptible_timeout(server->response_q, ++ (server->tcpStatus != CifsNeedReconnect), ++ 10 * HZ); ++ if (rc < 0) { ++ cifs_dbg(FYI, "%s: aborting reconnect due to a received" ++ " signal by the process\n", __func__); ++ return -ERESTARTSYS; ++ } + + /* are we still trying to reconnect? */ + if (server->tcpStatus != CifsNeedReconnect) +@@ -230,7 +236,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon) + } + + if (!tcon->ses->need_reconnect && !tcon->need_reconnect) +- return rc; ++ return 0; + + nls_codepage = load_nls_default(); + +@@ -339,7 +345,10 @@ smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon, + return rc; + + /* BB eventually switch this to SMB2 specific small buf size */ +- *request_buf = cifs_small_buf_get(); ++ if (smb2_command == SMB2_SET_INFO) ++ *request_buf = cifs_buf_get(); ++ else ++ *request_buf = cifs_small_buf_get(); + if (*request_buf == NULL) { + /* BB should we add a retry in here if not a writepage? */ + return -ENOMEM; +@@ -3363,7 +3372,7 @@ send_set_info(const unsigned int xid, struct cifs_tcon *tcon, + + rc = smb2_send_recv(xid, ses, iov, num, &resp_buftype, flags, + &rsp_iov); +- cifs_small_buf_release(req); ++ cifs_buf_release(req); + rsp = (struct smb2_set_info_rsp *)rsp_iov.iov_base; + + if (rc != 0) +diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c +index 8806f3f76c1d..97f24d82ae6b 100644 +--- a/fs/cifs/smb2transport.c ++++ b/fs/cifs/smb2transport.c +@@ -548,6 +548,7 @@ smb2_mid_entry_alloc(const struct smb2_sync_hdr *shdr, + + temp = mempool_alloc(cifs_mid_poolp, GFP_NOFS); + memset(temp, 0, sizeof(struct mid_q_entry)); ++ kref_init(&temp->refcount); + temp->mid = le64_to_cpu(shdr->MessageId); + temp->pid = current->pid; + temp->command = shdr->Command; /* Always LE */ +diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c +index 927226a2122f..60faf2fcec7f 100644 +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -61,6 +61,7 @@ AllocMidQEntry(const struct smb_hdr *smb_buffer, struct TCP_Server_Info *server) + + temp = mempool_alloc(cifs_mid_poolp, GFP_NOFS); + memset(temp, 0, sizeof(struct mid_q_entry)); ++ kref_init(&temp->refcount); + temp->mid = get_mid(smb_buffer); + temp->pid = current->pid; + temp->command = cpu_to_le16(smb_buffer->Command); +@@ -82,6 +83,21 @@ AllocMidQEntry(const struct smb_hdr *smb_buffer, struct TCP_Server_Info *server) + return temp; + } + ++static void _cifs_mid_q_entry_release(struct kref *refcount) ++{ ++ struct mid_q_entry *mid = container_of(refcount, struct mid_q_entry, ++ refcount); ++ ++ mempool_free(mid, cifs_mid_poolp); ++} ++ ++void cifs_mid_q_entry_release(struct mid_q_entry *midEntry) ++{ ++ spin_lock(&GlobalMid_Lock); ++ kref_put(&midEntry->refcount, _cifs_mid_q_entry_release); ++ spin_unlock(&GlobalMid_Lock); ++} ++ + void + DeleteMidQEntry(struct mid_q_entry *midEntry) + { +@@ -110,7 +126,7 @@ DeleteMidQEntry(struct mid_q_entry *midEntry) + } + } + #endif +- mempool_free(midEntry, cifs_mid_poolp); ++ cifs_mid_q_entry_release(midEntry); + } + + void +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index de1694512f1f..c09289a42dc5 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -961,8 +961,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size); + + if (sbi->s_mount_opt & EXT2_MOUNT_DAX) { +- err = bdev_dax_supported(sb, blocksize); +- if (err) { ++ if (!bdev_dax_supported(sb->s_bdev, blocksize)) { + ext2_msg(sb, KERN_ERR, + "DAX unsupported by block device. Turning off DAX."); + sbi->s_mount_opt &= ~EXT2_MOUNT_DAX; +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c +index 508b905d744d..f8b5635f0396 100644 +--- a/fs/ext4/balloc.c ++++ b/fs/ext4/balloc.c +@@ -184,7 +184,6 @@ static int ext4_init_block_bitmap(struct super_block *sb, + unsigned int bit, bit_max; + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t start, tmp; +- int flex_bg = 0; + struct ext4_group_info *grp; + + J_ASSERT_BH(bh, buffer_locked(bh)); +@@ -217,22 +216,19 @@ static int ext4_init_block_bitmap(struct super_block *sb, + + start = ext4_group_first_block_no(sb, block_group); + +- if (ext4_has_feature_flex_bg(sb)) +- flex_bg = 1; +- + /* Set bits for block and inode bitmaps, and inode table */ + tmp = ext4_block_bitmap(sb, gdp); +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + + tmp = ext4_inode_bitmap(sb, gdp); +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + + tmp = ext4_inode_table(sb, gdp); + for (; tmp < ext4_inode_table(sb, gdp) + + sbi->s_itb_per_group; tmp++) { +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) ++ if (ext4_block_in_group(sb, tmp, block_group)) + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); + } + +@@ -455,7 +451,16 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group) + goto verify; + } + ext4_lock_group(sb, block_group); +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { ++ if (block_group == 0) { ++ ext4_unlock_group(sb, block_group); ++ unlock_buffer(bh); ++ ext4_error(sb, "Block bitmap for bg 0 marked " ++ "uninitialized"); ++ err = -EFSCORRUPTED; ++ goto out; ++ } + err = ext4_init_block_bitmap(sb, bh, block_group, desc); + set_bitmap_uptodate(bh); + set_buffer_uptodate(bh); +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index a42e71203e53..51fcfdefc3a6 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -1501,11 +1501,6 @@ static inline struct ext4_inode_info *EXT4_I(struct inode *inode) + static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) + { + return ino == EXT4_ROOT_INO || +- ino == EXT4_USR_QUOTA_INO || +- ino == EXT4_GRP_QUOTA_INO || +- ino == EXT4_BOOT_LOADER_INO || +- ino == EXT4_JOURNAL_INO || +- ino == EXT4_RESIZE_INO || + (ino >= EXT4_FIRST_INO(sb) && + ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); + } +@@ -3005,9 +3000,6 @@ extern int ext4_inline_data_fiemap(struct inode *inode, + struct iomap; + extern int ext4_inline_data_iomap(struct inode *inode, struct iomap *iomap); + +-extern int ext4_try_to_evict_inline_data(handle_t *handle, +- struct inode *inode, +- int needed); + extern int ext4_inline_data_truncate(struct inode *inode, int *has_inline); + + extern int ext4_convert_inline_data(struct inode *inode); +diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h +index 98fb0c119c68..adf6668b596f 100644 +--- a/fs/ext4/ext4_extents.h ++++ b/fs/ext4/ext4_extents.h +@@ -91,6 +91,7 @@ struct ext4_extent_header { + }; + + #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a) ++#define EXT4_MAX_EXTENT_DEPTH 5 + + #define EXT4_EXTENT_TAIL_OFFSET(hdr) \ + (sizeof(struct ext4_extent_header) + \ +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index c969275ce3ee..08226f72b7ee 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, + + eh = ext_inode_hdr(inode); + depth = ext_depth(inode); ++ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) { ++ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d", ++ depth); ++ ret = -EFSCORRUPTED; ++ goto err; ++ } + + if (path) { + ext4_ext_drop_refs(path); +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c +index df92e3ec9913..478b8f21c814 100644 +--- a/fs/ext4/ialloc.c ++++ b/fs/ext4/ialloc.c +@@ -155,7 +155,16 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group) + } + + ext4_lock_group(sb, block_group); +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) { ++ if (block_group == 0) { ++ ext4_unlock_group(sb, block_group); ++ unlock_buffer(bh); ++ ext4_error(sb, "Inode bitmap for bg 0 marked " ++ "uninitialized"); ++ err = -EFSCORRUPTED; ++ goto out; ++ } + memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), + sb->s_blocksize * 8, bh->b_data); +@@ -1000,7 +1009,8 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir, + + /* recheck and clear flag under lock if we still need to */ + ext4_lock_group(sb, group); +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); + ext4_free_group_clusters_set(sb, gdp, + ext4_free_clusters_after_init(sb, group, gdp)); +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 44b4fcdc3755..851bc552d849 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -437,6 +437,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle, + + memset((void *)ext4_raw_inode(&is.iloc)->i_block, + 0, EXT4_MIN_INLINE_DATA_SIZE); ++ memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE); + + if (ext4_has_feature_extents(inode->i_sb)) { + if (S_ISDIR(inode->i_mode) || +@@ -886,11 +887,11 @@ int ext4_da_write_inline_data_begin(struct address_space *mapping, + flags |= AOP_FLAG_NOFS; + + if (ret == -ENOSPC) { ++ ext4_journal_stop(handle); + ret = ext4_da_convert_inline_data_to_extent(mapping, + inode, + flags, + fsdata); +- ext4_journal_stop(handle); + if (ret == -ENOSPC && + ext4_should_retry_alloc(inode->i_sb, &retries)) + goto retry_journal; +@@ -1890,42 +1891,6 @@ int ext4_inline_data_fiemap(struct inode *inode, + return (error < 0 ? error : 0); + } + +-/* +- * Called during xattr set, and if we can sparse space 'needed', +- * just create the extent tree evict the data to the outer block. +- * +- * We use jbd2 instead of page cache to move data to the 1st block +- * so that the whole transaction can be committed as a whole and +- * the data isn't lost because of the delayed page cache write. +- */ +-int ext4_try_to_evict_inline_data(handle_t *handle, +- struct inode *inode, +- int needed) +-{ +- int error; +- struct ext4_xattr_entry *entry; +- struct ext4_inode *raw_inode; +- struct ext4_iloc iloc; +- +- error = ext4_get_inode_loc(inode, &iloc); +- if (error) +- return error; +- +- raw_inode = ext4_raw_inode(&iloc); +- entry = (struct ext4_xattr_entry *)((void *)raw_inode + +- EXT4_I(inode)->i_inline_off); +- if (EXT4_XATTR_LEN(entry->e_name_len) + +- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) { +- error = -ENOSPC; +- goto out; +- } +- +- error = ext4_convert_inline_data_nolock(handle, inode, &iloc); +-out: +- brelse(iloc.bh); +- return error; +-} +- + int ext4_inline_data_truncate(struct inode *inode, int *has_inline) + { + handle_t *handle; +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index c73cb9346aee..06b963d2fc36 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -402,9 +402,9 @@ static int __check_block_validity(struct inode *inode, const char *func, + if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk, + map->m_len)) { + ext4_error_inode(inode, func, line, map->m_pblk, +- "lblock %lu mapped to illegal pblock " ++ "lblock %lu mapped to illegal pblock %llu " + "(length %d)", (unsigned long) map->m_lblk, +- map->m_len); ++ map->m_pblk, map->m_len); + return -EFSCORRUPTED; + } + return 0; +@@ -4506,7 +4506,8 @@ static int __ext4_get_inode_loc(struct inode *inode, + int inodes_per_block, inode_offset; + + iloc->bh = NULL; +- if (!ext4_valid_inum(sb, inode->i_ino)) ++ if (inode->i_ino < EXT4_ROOT_INO || ++ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) + return -EFSCORRUPTED; + + iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index 769a62708b1c..39187e7b3748 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -2444,7 +2444,8 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group, + * initialize bb_free to be able to skip + * empty groups without initialization + */ +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + meta_group_info[i]->bb_free = + ext4_free_clusters_after_init(sb, group, desc); + } else { +@@ -3011,7 +3012,8 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, + #endif + ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start, + ac->ac_b_ex.fe_len); +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { ++ if (ext4_has_group_desc_csum(sb) && ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) { + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); + ext4_free_group_clusters_set(sb, gdp, + ext4_free_clusters_after_init(sb, +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index eb104e8476f0..74a6d884ede4 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2307,6 +2307,7 @@ static int ext4_check_descriptors(struct super_block *sb, + struct ext4_sb_info *sbi = EXT4_SB(sb); + ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block); + ext4_fsblk_t last_block; ++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1; + ext4_fsblk_t block_bitmap; + ext4_fsblk_t inode_bitmap; + ext4_fsblk_t inode_table; +@@ -2339,6 +2340,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (block_bitmap >= sb_block + 1 && ++ block_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Block bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (block_bitmap < first_block || block_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Block bitmap for group %u not in group " +@@ -2353,6 +2362,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (inode_bitmap >= sb_block + 1 && ++ inode_bitmap <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode bitmap for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (inode_bitmap < first_block || inode_bitmap > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " + "Inode bitmap for group %u not in group " +@@ -2367,6 +2384,14 @@ static int ext4_check_descriptors(struct super_block *sb, + if (!sb_rdonly(sb)) + return 0; + } ++ if (inode_table >= sb_block + 1 && ++ inode_table <= last_bg_block) { ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " ++ "Inode table for group %u overlaps " ++ "block group descriptors", i); ++ if (!sb_rdonly(sb)) ++ return 0; ++ } + if (inode_table < first_block || + inode_table + sbi->s_itb_per_group - 1 > last_block) { + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: " +@@ -3073,13 +3098,22 @@ static ext4_group_t ext4_has_uninit_itable(struct super_block *sb) + ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count; + struct ext4_group_desc *gdp = NULL; + ++ if (!ext4_has_group_desc_csum(sb)) ++ return ngroups; ++ + for (group = 0; group < ngroups; group++) { + gdp = ext4_get_group_desc(sb, group, NULL); + if (!gdp) + continue; + +- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))) ++ if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)) ++ continue; ++ if (group != 0) + break; ++ ext4_error(sb, "Inode table for bg 0 marked as " ++ "needing zeroing"); ++ if (sb_rdonly(sb)) ++ return ngroups; + } + + return group; +@@ -3718,6 +3752,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + le32_to_cpu(es->s_log_block_size)); + goto failed_mount; + } ++ if (le32_to_cpu(es->s_log_cluster_size) > ++ (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { ++ ext4_msg(sb, KERN_ERR, ++ "Invalid log cluster size: %u", ++ le32_to_cpu(es->s_log_cluster_size)); ++ goto failed_mount; ++ } + + if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) { + ext4_msg(sb, KERN_ERR, +@@ -3732,8 +3773,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + " that may contain inline data"); + sbi->s_mount_opt &= ~EXT4_MOUNT_DAX; + } +- err = bdev_dax_supported(sb, blocksize); +- if (err) { ++ if (!bdev_dax_supported(sb->s_bdev, blocksize)) { + ext4_msg(sb, KERN_ERR, + "DAX unsupported by block device. Turning off DAX."); + sbi->s_mount_opt &= ~EXT4_MOUNT_DAX; +@@ -3783,6 +3823,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + } else { + sbi->s_inode_size = le16_to_cpu(es->s_inode_size); + sbi->s_first_ino = le32_to_cpu(es->s_first_ino); ++ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { ++ ext4_msg(sb, KERN_ERR, "invalid first ino: %u", ++ sbi->s_first_ino); ++ goto failed_mount; ++ } + if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || + (!is_power_of_2(sbi->s_inode_size)) || + (sbi->s_inode_size > blocksize)) { +@@ -3859,13 +3904,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + "block size (%d)", clustersize, blocksize); + goto failed_mount; + } +- if (le32_to_cpu(es->s_log_cluster_size) > +- (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { +- ext4_msg(sb, KERN_ERR, +- "Invalid log cluster size: %u", +- le32_to_cpu(es->s_log_cluster_size)); +- goto failed_mount; +- } + sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) - + le32_to_cpu(es->s_log_block_size); + sbi->s_clusters_per_group = +@@ -3886,10 +3924,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + } + } else { + if (clustersize != blocksize) { +- ext4_warning(sb, "fragment/cluster size (%d) != " +- "block size (%d)", clustersize, +- blocksize); +- clustersize = blocksize; ++ ext4_msg(sb, KERN_ERR, ++ "fragment/cluster size (%d) != " ++ "block size (%d)", clustersize, blocksize); ++ goto failed_mount; + } + if (sbi->s_blocks_per_group > blocksize * 8) { + ext4_msg(sb, KERN_ERR, +@@ -3943,6 +3981,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + ext4_blocks_count(es)); + goto failed_mount; + } ++ if ((es->s_first_data_block == 0) && (es->s_log_block_size == 0) && ++ (sbi->s_cluster_ratio == 1)) { ++ ext4_msg(sb, KERN_WARNING, "bad geometry: first data " ++ "block is 0 with a 1k block and cluster size"); ++ goto failed_mount; ++ } ++ + blocks_count = (ext4_blocks_count(es) - + le32_to_cpu(es->s_first_data_block) + + EXT4_BLOCKS_PER_GROUP(sb) - 1); +@@ -3978,6 +4023,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + ret = -ENOMEM; + goto failed_mount; + } ++ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) != ++ le32_to_cpu(es->s_inodes_count)) { ++ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu", ++ le32_to_cpu(es->s_inodes_count), ++ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group)); ++ ret = -EINVAL; ++ goto failed_mount; ++ } + + bgl_lock_init(sbi->s_blockgroup_lock); + +@@ -4709,6 +4762,14 @@ static int ext4_commit_super(struct super_block *sb, int sync) + + if (!sbh || block_device_ejected(sb)) + return error; ++ ++ /* ++ * The superblock bh should be mapped, but it might not be if the ++ * device was hot-removed. Not much we can do but fail the I/O. ++ */ ++ if (!buffer_mapped(sbh)) ++ return error; ++ + /* + * If the file system is mounted read-only, don't update the + * superblock write time. This avoids updating the superblock +diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c +index fc4ced59c565..723df14f4084 100644 +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -230,12 +230,12 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, + { + int error = -EFSCORRUPTED; + +- if (buffer_verified(bh)) +- return 0; +- + if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || + BHDR(bh)->h_blocks != cpu_to_le32(1)) + goto errout; ++ if (buffer_verified(bh)) ++ return 0; ++ + error = -EFSBADCRC; + if (!ext4_xattr_block_csum_verify(inode, bh)) + goto errout; +@@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, + handle_t *handle, struct inode *inode, + bool is_block) + { +- struct ext4_xattr_entry *last; ++ struct ext4_xattr_entry *last, *next; + struct ext4_xattr_entry *here = s->here; + size_t min_offs = s->end - s->base, name_len = strlen(i->name); + int in_inode = i->in_inode; +@@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, + + /* Compute min_offs and last. */ + last = s->first; +- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { ++ for (; !IS_LAST_ENTRY(last); last = next) { ++ next = EXT4_XATTR_NEXT(last); ++ if ((void *)next >= s->end) { ++ EXT4_ERROR_INODE(inode, "corrupted xattr entries"); ++ ret = -EFSCORRUPTED; ++ goto out; ++ } + if (!last->e_value_inum && last->e_value_size) { + size_t offs = le16_to_cpu(last->e_value_offs); + if (offs < min_offs) +@@ -2206,23 +2212,8 @@ int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode, + if (EXT4_I(inode)->i_extra_isize == 0) + return -ENOSPC; + error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */); +- if (error) { +- if (error == -ENOSPC && +- ext4_has_inline_data(inode)) { +- error = ext4_try_to_evict_inline_data(handle, inode, +- EXT4_XATTR_LEN(strlen(i->name) + +- EXT4_XATTR_SIZE(i->value_len))); +- if (error) +- return error; +- error = ext4_xattr_ibody_find(inode, i, is); +- if (error) +- return error; +- error = ext4_xattr_set_entry(i, s, handle, inode, +- false /* is_block */); +- } +- if (error) +- return error; +- } ++ if (error) ++ return error; + header = IHDR(inode, ext4_raw_inode(&is->iloc)); + if (!IS_LAST_ENTRY(s->first)) { + header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC); +@@ -2651,6 +2642,11 @@ static int ext4_xattr_make_inode_space(handle_t *handle, struct inode *inode, + last = IFIRST(header); + /* Find the entry best suited to be pushed into EA block */ + for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { ++ /* never move system.data out of the inode */ ++ if ((last->e_name_len == 4) && ++ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) && ++ !memcmp(last->e_name, "data", 4)) ++ continue; + total_size = EXT4_XATTR_LEN(last->e_name_len); + if (!last->e_value_inum) + total_size += EXT4_XATTR_SIZE( +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c +index 8aa453784402..c51bf0d2aa9b 100644 +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1363,6 +1363,13 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + if (jh->b_transaction == transaction && + jh->b_jlist != BJ_Metadata) { + jbd_lock_bh_state(bh); ++ if (jh->b_transaction == transaction && ++ jh->b_jlist != BJ_Metadata) ++ pr_err("JBD2: assertion failure: h_type=%u " ++ "h_line_no=%u block_no=%llu jlist=%u\n", ++ handle->h_type, handle->h_line_no, ++ (unsigned long long) bh->b_blocknr, ++ jh->b_jlist); + J_ASSERT_JH(jh, jh->b_transaction != transaction || + jh->b_jlist == BJ_Metadata); + jbd_unlock_bh_state(bh); +@@ -1382,11 +1389,11 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) + * of the transaction. This needs to be done + * once a transaction -bzzz + */ +- jh->b_modified = 1; + if (handle->h_buffer_credits <= 0) { + ret = -ENOSPC; + goto out_unlock_bh; + } ++ jh->b_modified = 1; + handle->h_buffer_credits--; + } + +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index cec550c8468f..1d85efacfc8e 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -220,24 +220,26 @@ static inline bool userfaultfd_huge_must_wait(struct userfaultfd_ctx *ctx, + unsigned long reason) + { + struct mm_struct *mm = ctx->mm; +- pte_t *pte; ++ pte_t *ptep, pte; + bool ret = true; + + VM_BUG_ON(!rwsem_is_locked(&mm->mmap_sem)); + +- pte = huge_pte_offset(mm, address, vma_mmu_pagesize(vma)); +- if (!pte) ++ ptep = huge_pte_offset(mm, address, vma_mmu_pagesize(vma)); ++ ++ if (!ptep) + goto out; + + ret = false; ++ pte = huge_ptep_get(ptep); + + /* + * Lockless access: we're in a wait_event so it's ok if it + * changes under us. + */ +- if (huge_pte_none(*pte)) ++ if (huge_pte_none(pte)) + ret = true; +- if (!huge_pte_write(*pte) && (reason & VM_UFFD_WP)) ++ if (!huge_pte_write(pte) && (reason & VM_UFFD_WP)) + ret = true; + out: + return ret; +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index 89fb1eb80aae..2c70a0a4f59f 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -1103,7 +1103,8 @@ xfs_ioctl_setattr_dax_invalidate( + if (fa->fsx_xflags & FS_XFLAG_DAX) { + if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))) + return -EINVAL; +- if (bdev_dax_supported(sb, sb->s_blocksize) < 0) ++ if (!bdev_dax_supported(xfs_find_bdev_for_inode(VFS_I(ip)), ++ sb->s_blocksize)) + return -EINVAL; + } + +diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c +index a3ed3c811dfa..6e83acf74a95 100644 +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -1195,6 +1195,30 @@ static const struct inode_operations xfs_inline_symlink_inode_operations = { + .update_time = xfs_vn_update_time, + }; + ++/* Figure out if this file actually supports DAX. */ ++static bool ++xfs_inode_supports_dax( ++ struct xfs_inode *ip) ++{ ++ struct xfs_mount *mp = ip->i_mount; ++ ++ /* Only supported on non-reflinked files. */ ++ if (!S_ISREG(VFS_I(ip)->i_mode) || xfs_is_reflink_inode(ip)) ++ return false; ++ ++ /* DAX mount option or DAX iflag must be set. */ ++ if (!(mp->m_flags & XFS_MOUNT_DAX) && ++ !(ip->i_d.di_flags2 & XFS_DIFLAG2_DAX)) ++ return false; ++ ++ /* Block size must match page size */ ++ if (mp->m_sb.sb_blocksize != PAGE_SIZE) ++ return false; ++ ++ /* Device has to support DAX too. */ ++ return xfs_find_daxdev_for_inode(VFS_I(ip)) != NULL; ++} ++ + STATIC void + xfs_diflags_to_iflags( + struct inode *inode, +@@ -1213,11 +1237,7 @@ xfs_diflags_to_iflags( + inode->i_flags |= S_SYNC; + if (flags & XFS_DIFLAG_NOATIME) + inode->i_flags |= S_NOATIME; +- if (S_ISREG(inode->i_mode) && +- ip->i_mount->m_sb.sb_blocksize == PAGE_SIZE && +- !xfs_is_reflink_inode(ip) && +- (ip->i_mount->m_flags & XFS_MOUNT_DAX || +- ip->i_d.di_flags2 & XFS_DIFLAG2_DAX)) ++ if (xfs_inode_supports_dax(ip)) + inode->i_flags |= S_DAX; + } + +diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c +index d71424052917..86915dc40eed 100644 +--- a/fs/xfs/xfs_super.c ++++ b/fs/xfs/xfs_super.c +@@ -1690,11 +1690,17 @@ xfs_fs_fill_super( + sb->s_flags |= SB_I_VERSION; + + if (mp->m_flags & XFS_MOUNT_DAX) { ++ bool rtdev_is_dax = false, datadev_is_dax; ++ + xfs_warn(mp, + "DAX enabled. Warning: EXPERIMENTAL, use at your own risk"); + +- error = bdev_dax_supported(sb, sb->s_blocksize); +- if (error) { ++ datadev_is_dax = bdev_dax_supported(mp->m_ddev_targp->bt_bdev, ++ sb->s_blocksize); ++ if (mp->m_rtdev_targp) ++ rtdev_is_dax = bdev_dax_supported( ++ mp->m_rtdev_targp->bt_bdev, sb->s_blocksize); ++ if (!rtdev_is_dax && !datadev_is_dax) { + xfs_alert(mp, + "DAX unsupported by block device. Turning off DAX."); + mp->m_flags &= ~XFS_MOUNT_DAX; +diff --git a/include/linux/dax.h b/include/linux/dax.h +index f9eb22ad341e..c99692ddd4b5 100644 +--- a/include/linux/dax.h ++++ b/include/linux/dax.h +@@ -64,10 +64,10 @@ static inline bool dax_write_cache_enabled(struct dax_device *dax_dev) + struct writeback_control; + int bdev_dax_pgoff(struct block_device *, sector_t, size_t, pgoff_t *pgoff); + #if IS_ENABLED(CONFIG_FS_DAX) +-int __bdev_dax_supported(struct super_block *sb, int blocksize); +-static inline int bdev_dax_supported(struct super_block *sb, int blocksize) ++bool __bdev_dax_supported(struct block_device *bdev, int blocksize); ++static inline bool bdev_dax_supported(struct block_device *bdev, int blocksize) + { +- return __bdev_dax_supported(sb, blocksize); ++ return __bdev_dax_supported(bdev, blocksize); + } + + static inline struct dax_device *fs_dax_get_by_host(const char *host) +@@ -84,9 +84,10 @@ struct dax_device *fs_dax_get_by_bdev(struct block_device *bdev); + int dax_writeback_mapping_range(struct address_space *mapping, + struct block_device *bdev, struct writeback_control *wbc); + #else +-static inline int bdev_dax_supported(struct super_block *sb, int blocksize) ++static inline bool bdev_dax_supported(struct block_device *bdev, ++ int blocksize) + { +- return -EOPNOTSUPP; ++ return false; + } + + static inline struct dax_device *fs_dax_get_by_host(const char *host) +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 26240a22978a..2a4c0900e46a 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -502,6 +502,7 @@ struct hid_output_fifo { + + #define HID_STAT_ADDED BIT(0) + #define HID_STAT_PARSED BIT(1) ++#define HID_STAT_REPROBED BIT(3) + + struct hid_input { + struct list_head list; +@@ -568,7 +569,7 @@ struct hid_device { /* device report descriptor */ + bool battery_avoid_query; + #endif + +- unsigned int status; /* see STAT flags above */ ++ unsigned long status; /* see STAT flags above */ + unsigned claimed; /* Claimed by hidinput, hiddev? */ + unsigned quirks; /* Various quirks the device can pull on us */ + bool io_started; /* If IO has started */ +diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c +index b9061ed59bbd..c7bbc8997db8 100644 +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -393,7 +393,7 @@ static void hist_err_event(char *str, char *system, char *event, char *var) + else if (system) + snprintf(err, MAX_FILTER_STR_VAL, "%s.%s", system, event); + else +- strncpy(err, var, MAX_FILTER_STR_VAL); ++ strscpy(err, var, MAX_FILTER_STR_VAL); + + hist_err(str, err); + } +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c +index 23c0b0cb5fb9..169b3c44ee97 100644 +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -831,6 +831,7 @@ print_graph_entry_leaf(struct trace_iterator *iter, + struct ftrace_graph_ret *graph_ret; + struct ftrace_graph_ent *call; + unsigned long long duration; ++ int cpu = iter->cpu; + int i; + + graph_ret = &ret_entry->ret; +@@ -839,7 +840,6 @@ print_graph_entry_leaf(struct trace_iterator *iter, + + if (data) { + struct fgraph_cpu_data *cpu_data; +- int cpu = iter->cpu; + + cpu_data = per_cpu_ptr(data->cpu_data, cpu); + +@@ -869,6 +869,9 @@ print_graph_entry_leaf(struct trace_iterator *iter, + + trace_seq_printf(s, "%ps();\n", (void *)call->func); + ++ print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET, ++ cpu, iter->ent->pid, flags); ++ + return trace_handle_return(s); + } + +diff --git a/mm/debug.c b/mm/debug.c +index 56e2d9125ea5..38c926520c97 100644 +--- a/mm/debug.c ++++ b/mm/debug.c +@@ -43,12 +43,25 @@ const struct trace_print_flags vmaflag_names[] = { + + void __dump_page(struct page *page, const char *reason) + { ++ bool page_poisoned = PagePoisoned(page); ++ int mapcount; ++ ++ /* ++ * If struct page is poisoned don't access Page*() functions as that ++ * leads to recursive loop. Page*() check for poisoned pages, and calls ++ * dump_page() when detected. ++ */ ++ if (page_poisoned) { ++ pr_emerg("page:%px is uninitialized and poisoned", page); ++ goto hex_only; ++ } ++ + /* + * Avoid VM_BUG_ON() in page_mapcount(). + * page->_mapcount space in struct page is used by sl[aou]b pages to + * encode own info. + */ +- int mapcount = PageSlab(page) ? 0 : page_mapcount(page); ++ mapcount = PageSlab(page) ? 0 : page_mapcount(page); + + pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx", + page, page_ref_count(page), mapcount, +@@ -60,6 +73,7 @@ void __dump_page(struct page *page, const char *reason) + + pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags); + ++hex_only: + print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32, + sizeof(unsigned long), page, + sizeof(struct page), false); +@@ -68,7 +82,7 @@ void __dump_page(struct page *page, const char *reason) + pr_alert("page dumped because: %s\n", reason); + + #ifdef CONFIG_MEMCG +- if (page->mem_cgroup) ++ if (!page_poisoned && page->mem_cgroup) + pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup); + #endif + } +diff --git a/mm/hugetlb.c b/mm/hugetlb.c +index 218679138255..a2d9eb6a0af9 100644 +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2163,6 +2163,7 @@ static void __init gather_bootmem_prealloc(void) + */ + if (hstate_is_gigantic(h)) + adjust_managed_page_count(page, 1 << h->order); ++ cond_resched(); + } + } + +diff --git a/mm/vmstat.c b/mm/vmstat.c +index a2b9518980ce..1377a89eb84c 100644 +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1844,11 +1844,9 @@ static void vmstat_update(struct work_struct *w) + * to occur in the future. Keep on running the + * update worker thread. + */ +- preempt_disable(); + queue_delayed_work_on(smp_processor_id(), mm_percpu_wq, + this_cpu_ptr(&vmstat_work), + round_jiffies_relative(sysctl_stat_interval)); +- preempt_enable(); + } + } + +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c +index 6d0357817cda..a82dfb8f8790 100644 +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -457,14 +457,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write, + rcu_assign_pointer(net->nf.nf_loggers[tindex], logger); + mutex_unlock(&nf_log_mutex); + } else { ++ struct ctl_table tmp = *table; ++ ++ tmp.data = buf; + mutex_lock(&nf_log_mutex); + logger = nft_log_dereference(net->nf.nf_loggers[tindex]); + if (!logger) +- table->data = "NONE"; ++ strlcpy(buf, "NONE", sizeof(buf)); + else +- table->data = logger->name; +- r = proc_dostring(table, write, buffer, lenp, ppos); ++ strlcpy(buf, logger->name, sizeof(buf)); + mutex_unlock(&nf_log_mutex); ++ r = proc_dostring(&tmp, write, buffer, lenp, ppos); + } + + return r;