commit: fbd9f8078ca139b6a43fd959fa2d17e78aabb6b9 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Fri Oct 27 10:28:53 2017 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Fri Oct 27 10:28:53 2017 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=fbd9f807
Linux patch 4.9.59 0000_README | 4 + 1058_linux-4.9.59.patch | 2217 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 2221 insertions(+) diff --git a/0000_README b/0000_README index 76bcc9e..c92a6b6 100644 --- a/0000_README +++ b/0000_README @@ -275,6 +275,10 @@ Patch: 1057_linux-4.9.58.patch From: http://www.kernel.org Desc: Linux 4.9.58 +Patch: 1058_linux-4.9.59.patch +From: http://www.kernel.org +Desc: Linux 4.9.59 + Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. diff --git a/1058_linux-4.9.59.patch b/1058_linux-4.9.59.patch new file mode 100644 index 0000000..fa6aa7e --- /dev/null +++ b/1058_linux-4.9.59.patch @@ -0,0 +1,2217 @@ +diff --git a/Makefile b/Makefile +index 32686667bb7e..900cd7c3a9ee 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 9 +-SUBLEVEL = 58 ++SUBLEVEL = 59 + EXTRAVERSION = + NAME = Roaring Lionus + +diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S +index 23de307c3052..41e60a9c7db2 100644 +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -742,7 +742,7 @@ lws_compare_and_swap_2: + 10: ldd 0(%r25), %r25 + 11: ldd 0(%r24), %r24 + #else +- /* Load new value into r22/r23 - high/low */ ++ /* Load old value into r22/r23 - high/low */ + 10: ldw 0(%r25), %r22 + 11: ldw 4(%r25), %r23 + /* Load new value into fr4 for atomic store later */ +@@ -834,11 +834,11 @@ cas2_action: + copy %r0, %r28 + #else + /* Compare first word */ +-19: ldw,ma 0(%r26), %r29 ++19: ldw 0(%r26), %r29 + sub,= %r29, %r22, %r0 + b,n cas2_end + /* Compare second word */ +-20: ldw,ma 4(%r26), %r29 ++20: ldw 4(%r26), %r29 + sub,= %r29, %r23, %r0 + b,n cas2_end + /* Perform the store */ +diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c +index cdc0deab00c9..13dbcc0f9d03 100644 +--- a/arch/x86/kernel/cpu/microcode/intel.c ++++ b/arch/x86/kernel/cpu/microcode/intel.c +@@ -34,6 +34,7 @@ + #include <linux/mm.h> + + #include <asm/microcode_intel.h> ++#include <asm/intel-family.h> + #include <asm/processor.h> + #include <asm/tlbflush.h> + #include <asm/setup.h> +@@ -1046,6 +1047,18 @@ static int get_ucode_fw(void *to, const void *from, size_t n) + return 0; + } + ++static bool is_blacklisted(unsigned int cpu) ++{ ++ struct cpuinfo_x86 *c = &cpu_data(cpu); ++ ++ if (c->x86 == 6 && c->x86_model == INTEL_FAM6_BROADWELL_X) { ++ pr_err_once("late loading on model 79 is disabled.\n"); ++ return true; ++ } ++ ++ return false; ++} ++ + static enum ucode_state request_microcode_fw(int cpu, struct device *device, + bool refresh_fw) + { +@@ -1054,6 +1067,9 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device, + const struct firmware *firmware; + enum ucode_state ret; + ++ if (is_blacklisted(cpu)) ++ return UCODE_NFOUND; ++ + sprintf(name, "intel-ucode/%02x-%02x-%02x", + c->x86, c->x86_model, c->x86_mask); + +@@ -1078,6 +1094,9 @@ static int get_ucode_user(void *to, const void *from, size_t n) + static enum ucode_state + request_microcode_user(int cpu, const void __user *buf, size_t size) + { ++ if (is_blacklisted(cpu)) ++ return UCODE_NFOUND; ++ + return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user); + } + +diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c +index af4cd8649117..d140d8bb2c96 100644 +--- a/crypto/asymmetric_keys/pkcs7_parser.c ++++ b/crypto/asymmetric_keys/pkcs7_parser.c +@@ -88,6 +88,9 @@ static int pkcs7_check_authattrs(struct pkcs7_message *msg) + bool want = false; + + sinfo = msg->signed_infos; ++ if (!sinfo) ++ goto inconsistent; ++ + if (sinfo->authattrs) { + want = true; + msg->have_authattrs = true; +diff --git a/drivers/bus/mvebu-mbus.c b/drivers/bus/mvebu-mbus.c +index c7f396903184..70db4d5638a6 100644 +--- a/drivers/bus/mvebu-mbus.c ++++ b/drivers/bus/mvebu-mbus.c +@@ -720,7 +720,7 @@ mvebu_mbus_default_setup_cpu_target(struct mvebu_mbus_state *mbus) + if (mbus->hw_io_coherency) + w->mbus_attr |= ATTR_HW_COHERENCY; + w->base = base & DDR_BASE_CS_LOW_MASK; +- w->size = (size | ~DDR_SIZE_MASK) + 1; ++ w->size = (u64)(size | ~DDR_SIZE_MASK) + 1; + } + } + mvebu_mbus_dram_info.num_cs = cs; +diff --git a/drivers/clocksource/cs5535-clockevt.c b/drivers/clocksource/cs5535-clockevt.c +index 9a7e37cf56b0..e1d7373e63e0 100644 +--- a/drivers/clocksource/cs5535-clockevt.c ++++ b/drivers/clocksource/cs5535-clockevt.c +@@ -117,7 +117,8 @@ static irqreturn_t mfgpt_tick(int irq, void *dev_id) + /* Turn off the clock (and clear the event) */ + disable_timer(cs5535_event_clock); + +- if (clockevent_state_shutdown(&cs5535_clockevent)) ++ if (clockevent_state_detached(&cs5535_clockevent) || ++ clockevent_state_shutdown(&cs5535_clockevent)) + return IRQ_HANDLED; + + /* Clear the counter */ +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c b/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c +index 8e2e24a74774..44e116f7880d 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c +@@ -39,5 +39,5 @@ int + g84_bsp_new(struct nvkm_device *device, int index, struct nvkm_engine **pengine) + { + return nvkm_xtensa_new_(&g84_bsp, device, index, +- true, 0x103000, pengine); ++ device->chipset != 0x92, 0x103000, pengine); + } +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c +index 5df9669ea39c..240872a27c37 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c +@@ -240,6 +240,8 @@ nvkm_vm_unmap_pgt(struct nvkm_vm *vm, int big, u32 fpde, u32 lpde) + mmu->func->map_pgt(vpgd->obj, pde, vpgt->mem); + } + ++ mmu->func->flush(vm); ++ + nvkm_memory_del(&pgt); + } + } +diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c +index 8477292e92c8..7aea28815d99 100644 +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -340,12 +340,15 @@ static int ismt_process_desc(const struct ismt_desc *desc, + data->word = dma_buffer[0] | (dma_buffer[1] << 8); + break; + case I2C_SMBUS_BLOCK_DATA: +- case I2C_SMBUS_I2C_BLOCK_DATA: + if (desc->rxbytes != dma_buffer[0] + 1) + return -EMSGSIZE; + + memcpy(data->block, dma_buffer, desc->rxbytes); + break; ++ case I2C_SMBUS_I2C_BLOCK_DATA: ++ memcpy(&data->block[1], dma_buffer, desc->rxbytes); ++ data->block[0] = desc->rxbytes; ++ break; + } + return 0; + } +diff --git a/drivers/i2c/busses/i2c-piix4.c b/drivers/i2c/busses/i2c-piix4.c +index c21ca7bf2efe..8f1c5f24c1df 100644 +--- a/drivers/i2c/busses/i2c-piix4.c ++++ b/drivers/i2c/busses/i2c-piix4.c +@@ -94,6 +94,12 @@ + #define SB800_PIIX4_PORT_IDX_ALT 0x2e + #define SB800_PIIX4_PORT_IDX_SEL 0x2f + #define SB800_PIIX4_PORT_IDX_MASK 0x06 ++#define SB800_PIIX4_PORT_IDX_SHIFT 1 ++ ++/* On kerncz, SmBus0Sel is at bit 20:19 of PMx00 DecodeEn */ ++#define SB800_PIIX4_PORT_IDX_KERNCZ 0x02 ++#define SB800_PIIX4_PORT_IDX_MASK_KERNCZ 0x18 ++#define SB800_PIIX4_PORT_IDX_SHIFT_KERNCZ 3 + + /* insmod parameters */ + +@@ -149,6 +155,8 @@ static const struct dmi_system_id piix4_dmi_ibm[] = { + */ + static DEFINE_MUTEX(piix4_mutex_sb800); + static u8 piix4_port_sel_sb800; ++static u8 piix4_port_mask_sb800; ++static u8 piix4_port_shift_sb800; + static const char *piix4_main_port_names_sb800[PIIX4_MAX_ADAPTERS] = { + " port 0", " port 2", " port 3", " port 4" + }; +@@ -347,7 +355,19 @@ static int piix4_setup_sb800(struct pci_dev *PIIX4_dev, + + /* Find which register is used for port selection */ + if (PIIX4_dev->vendor == PCI_VENDOR_ID_AMD) { +- piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_ALT; ++ switch (PIIX4_dev->device) { ++ case PCI_DEVICE_ID_AMD_KERNCZ_SMBUS: ++ piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_KERNCZ; ++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK_KERNCZ; ++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT_KERNCZ; ++ break; ++ case PCI_DEVICE_ID_AMD_HUDSON2_SMBUS: ++ default: ++ piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_ALT; ++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK; ++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT; ++ break; ++ } + } else { + mutex_lock(&piix4_mutex_sb800); + outb_p(SB800_PIIX4_PORT_IDX_SEL, SB800_PIIX4_SMB_IDX); +@@ -355,6 +375,8 @@ static int piix4_setup_sb800(struct pci_dev *PIIX4_dev, + piix4_port_sel_sb800 = (port_sel & 0x01) ? + SB800_PIIX4_PORT_IDX_ALT : + SB800_PIIX4_PORT_IDX; ++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK; ++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT; + mutex_unlock(&piix4_mutex_sb800); + } + +@@ -616,8 +638,8 @@ static s32 piix4_access_sb800(struct i2c_adapter *adap, u16 addr, + smba_en_lo = inb_p(SB800_PIIX4_SMB_IDX + 1); + + port = adapdata->port; +- if ((smba_en_lo & SB800_PIIX4_PORT_IDX_MASK) != port) +- outb_p((smba_en_lo & ~SB800_PIIX4_PORT_IDX_MASK) | port, ++ if ((smba_en_lo & piix4_port_mask_sb800) != port) ++ outb_p((smba_en_lo & ~piix4_port_mask_sb800) | port, + SB800_PIIX4_SMB_IDX + 1); + + retval = piix4_access(adap, addr, flags, read_write, +@@ -706,7 +728,7 @@ static int piix4_add_adapter(struct pci_dev *dev, unsigned short smba, + + adapdata->smba = smba; + adapdata->sb800_main = sb800_main; +- adapdata->port = port << 1; ++ adapdata->port = port << piix4_port_shift_sb800; + + /* set up the sysfs linkage to our parent device */ + adap->dev.parent = &dev->dev; +diff --git a/drivers/iio/dummy/iio_simple_dummy_events.c b/drivers/iio/dummy/iio_simple_dummy_events.c +index ed63ffd849f8..7ec2a0bb0807 100644 +--- a/drivers/iio/dummy/iio_simple_dummy_events.c ++++ b/drivers/iio/dummy/iio_simple_dummy_events.c +@@ -72,6 +72,7 @@ int iio_simple_dummy_write_event_config(struct iio_dev *indio_dev, + st->event_en = state; + else + return -EINVAL; ++ break; + default: + return -EINVAL; + } +diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c +index be928ce62d32..9fdb0f0bfa06 100644 +--- a/drivers/net/can/usb/esd_usb2.c ++++ b/drivers/net/can/usb/esd_usb2.c +@@ -333,7 +333,7 @@ static void esd_usb2_rx_can_msg(struct esd_usb2_net_priv *priv, + } + + cf->can_id = id & ESD_IDMASK; +- cf->can_dlc = get_can_dlc(msg->msg.rx.dlc); ++ cf->can_dlc = get_can_dlc(msg->msg.rx.dlc & ~ESD_RTR); + + if (id & ESD_EXTID) + cf->can_id |= CAN_EFF_FLAG; +diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c +index 05369dc9dd09..eea9aea14b00 100644 +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -375,6 +375,8 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) + + gs_free_tx_context(txc); + ++ atomic_dec(&dev->active_tx_urbs); ++ + netif_wake_queue(netdev); + } + +@@ -463,14 +465,6 @@ static void gs_usb_xmit_callback(struct urb *urb) + urb->transfer_buffer_length, + urb->transfer_buffer, + urb->transfer_dma); +- +- atomic_dec(&dev->active_tx_urbs); +- +- if (!netif_device_present(netdev)) +- return; +- +- if (netif_queue_stopped(netdev)) +- netif_wake_queue(netdev); + } + + static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +index 79c081fd560f..6afcf86b9ba2 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, + if (code != BRCMF_E_IF && !fweh->evt_handler[code]) + return; + +- if (datalen > BRCMF_DCMD_MAXLEN) ++ if (datalen > BRCMF_DCMD_MAXLEN || ++ datalen + sizeof(*event_packet) > packet_len) + return; + + if (in_interrupt()) +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c +index b3aab2fe96eb..ef685465f80a 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c +@@ -14764,8 +14764,8 @@ static void wlc_phy_ipa_restore_tx_digi_filts_nphy(struct brcms_phy *pi) + } + + static void +-wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, u8 *events, u8 *dlys, +- u8 len) ++wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, const u8 *events, ++ const u8 *dlys, u8 len) + { + u32 t1_offset, t2_offset; + u8 ctr; +@@ -15240,16 +15240,16 @@ static void wlc_phy_workarounds_nphy_gainctrl_2057_rev5(struct brcms_phy *pi) + static void wlc_phy_workarounds_nphy_gainctrl_2057_rev6(struct brcms_phy *pi) + { + u16 currband; +- s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 }; +- s8 *lna1_gain_db = NULL; +- s8 *lna1_gain_db_2 = NULL; +- s8 *lna2_gain_db = NULL; +- s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 }; +- s8 *tia_gain_db; +- s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 }; +- s8 *tia_gainbits; +- u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f }; +- u16 *rfseq_init_gain; ++ static const s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 }; ++ const s8 *lna1_gain_db = NULL; ++ const s8 *lna1_gain_db_2 = NULL; ++ const s8 *lna2_gain_db = NULL; ++ static const s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 }; ++ const s8 *tia_gain_db; ++ static const s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 }; ++ const s8 *tia_gainbits; ++ static const u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f }; ++ const u16 *rfseq_init_gain; + u16 init_gaincode; + u16 clip1hi_gaincode; + u16 clip1md_gaincode = 0; +@@ -15310,10 +15310,9 @@ static void wlc_phy_workarounds_nphy_gainctrl_2057_rev6(struct brcms_phy *pi) + + if ((freq <= 5080) || (freq == 5825)) { + +- s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 11, 17, 22, 25}; +- s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; ++ static const s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 11, 17, 22, 25}; ++ static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; + + crsminu_th = 0x3e; + lna1_gain_db = lna1A_gain_db_rev7; +@@ -15321,10 +15320,9 @@ static void wlc_phy_workarounds_nphy_gainctrl_2057_rev6(struct brcms_phy *pi) + lna2_gain_db = lna2A_gain_db_rev7; + } else if ((freq >= 5500) && (freq <= 5700)) { + +- s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 12, 18, 22, 26}; +- s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 }; ++ static const s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26}; ++ static const s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 }; + + crsminu_th = 0x45; + clip1md_gaincode_B = 0x14; +@@ -15335,10 +15333,9 @@ static void wlc_phy_workarounds_nphy_gainctrl_2057_rev6(struct brcms_phy *pi) + lna2_gain_db = lna2A_gain_db_rev7; + } else { + +- s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 12, 18, 22, 26}; +- s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; ++ static const s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26}; ++ static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; + + crsminu_th = 0x41; + lna1_gain_db = lna1A_gain_db_rev7; +@@ -15450,65 +15447,65 @@ static void wlc_phy_workarounds_nphy_gainctrl(struct brcms_phy *pi) + NPHY_RFSEQ_CMD_CLR_HIQ_DIS, + NPHY_RFSEQ_CMD_SET_HPF_BW + }; +- u8 rfseq_updategainu_dlys[] = { 10, 30, 1 }; +- s8 lna1G_gain_db[] = { 7, 11, 16, 23 }; +- s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 }; +- s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 }; +- s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 }; +- s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 }; +- s8 lna1A_gain_db[] = { 7, 11, 17, 23 }; +- s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 }; +- s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 }; +- s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 }; +- s8 *lna1_gain_db = NULL; +- s8 lna2G_gain_db[] = { -5, 6, 10, 14 }; +- s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 }; +- s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 }; +- s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 }; +- s8 lna2A_gain_db[] = { -6, 2, 6, 10 }; +- s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 }; +- s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 }; +- s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 }; +- s8 *lna2_gain_db = NULL; +- s8 tiaG_gain_db[] = { ++ static const u8 rfseq_updategainu_dlys[] = { 10, 30, 1 }; ++ static const s8 lna1G_gain_db[] = { 7, 11, 16, 23 }; ++ static const s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 }; ++ static const s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 }; ++ static const s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 }; ++ static const s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 }; ++ static const s8 lna1A_gain_db[] = { 7, 11, 17, 23 }; ++ static const s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 }; ++ static const s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 }; ++ static const s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 }; ++ const s8 *lna1_gain_db = NULL; ++ static const s8 lna2G_gain_db[] = { -5, 6, 10, 14 }; ++ static const s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 }; ++ static const s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 }; ++ static const s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 }; ++ static const s8 lna2A_gain_db[] = { -6, 2, 6, 10 }; ++ static const s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 }; ++ static const s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 }; ++ static const s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 }; ++ const s8 *lna2_gain_db = NULL; ++ static const s8 tiaG_gain_db[] = { + 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A }; +- s8 tiaA_gain_db[] = { ++ static const s8 tiaA_gain_db[] = { + 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13 }; +- s8 tiaA_gain_db_rev4[] = { ++ static const s8 tiaA_gain_db_rev4[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 tiaA_gain_db_rev5[] = { ++ static const s8 tiaA_gain_db_rev5[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 tiaA_gain_db_rev6[] = { ++ static const s8 tiaA_gain_db_rev6[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 *tia_gain_db; +- s8 tiaG_gainbits[] = { ++ const s8 *tia_gain_db; ++ static const s8 tiaG_gainbits[] = { + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 }; +- s8 tiaA_gainbits[] = { ++ static const s8 tiaA_gainbits[] = { + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06 }; +- s8 tiaA_gainbits_rev4[] = { ++ static const s8 tiaA_gainbits_rev4[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 tiaA_gainbits_rev5[] = { ++ static const s8 tiaA_gainbits_rev5[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 tiaA_gainbits_rev6[] = { ++ static const s8 tiaA_gainbits_rev6[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 *tia_gainbits; +- s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 }; +- s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 }; +- u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f }; +- u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f }; +- u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f }; +- u16 rfseqG_init_gain_rev5_elna[] = { ++ const s8 *tia_gainbits; ++ static const s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 }; ++ static const s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 }; ++ static const u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f }; ++ static const u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f }; ++ static const u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f }; ++ static const u16 rfseqG_init_gain_rev5_elna[] = { + 0x013f, 0x013f, 0x013f, 0x013f }; +- u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f }; +- u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f }; +- u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f }; +- u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f }; +- u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f }; +- u16 rfseqA_init_gain_rev4_elna[] = { ++ static const u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f }; ++ static const u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f }; ++ static const u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f }; ++ static const u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f }; ++ static const u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f }; ++ static const u16 rfseqA_init_gain_rev4_elna[] = { + 0x314f, 0x314f, 0x314f, 0x314f }; +- u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f }; +- u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f }; +- u16 *rfseq_init_gain; ++ static const u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f }; ++ static const u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f }; ++ const u16 *rfseq_init_gain; + u16 initG_gaincode = 0x627e; + u16 initG_gaincode_rev4 = 0x527e; + u16 initG_gaincode_rev5 = 0x427e; +@@ -15538,10 +15535,10 @@ static void wlc_phy_workarounds_nphy_gainctrl(struct brcms_phy *pi) + u16 clip1mdA_gaincode_rev6 = 0x2084; + u16 clip1md_gaincode = 0; + u16 clip1loG_gaincode = 0x0074; +- u16 clip1loG_gaincode_rev5[] = { ++ static const u16 clip1loG_gaincode_rev5[] = { + 0x0062, 0x0064, 0x006a, 0x106a, 0x106c, 0x1074, 0x107c, 0x207c + }; +- u16 clip1loG_gaincode_rev6[] = { ++ static const u16 clip1loG_gaincode_rev6[] = { + 0x106a, 0x106c, 0x1074, 0x107c, 0x007e, 0x107e, 0x207e, 0x307e + }; + u16 clip1loG_gaincode_rev6_224B0 = 0x1074; +@@ -16066,7 +16063,7 @@ static void wlc_phy_workarounds_nphy_gainctrl(struct brcms_phy *pi) + + static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + { +- u8 rfseq_rx2tx_events[] = { ++ static const u8 rfseq_rx2tx_events[] = { + NPHY_RFSEQ_CMD_NOP, + NPHY_RFSEQ_CMD_RXG_FBW, + NPHY_RFSEQ_CMD_TR_SWITCH, +@@ -16076,7 +16073,7 @@ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + NPHY_RFSEQ_CMD_EXT_PA + }; + u8 rfseq_rx2tx_dlys[] = { 8, 6, 6, 2, 4, 60, 1 }; +- u8 rfseq_tx2rx_events[] = { ++ static const u8 rfseq_tx2rx_events[] = { + NPHY_RFSEQ_CMD_NOP, + NPHY_RFSEQ_CMD_EXT_PA, + NPHY_RFSEQ_CMD_TX_GAIN, +@@ -16085,8 +16082,8 @@ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + NPHY_RFSEQ_CMD_RXG_FBW, + NPHY_RFSEQ_CMD_CLR_HIQ_DIS + }; +- u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 }; +- u8 rfseq_tx2rx_events_rev3[] = { ++ static const u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 }; ++ static const u8 rfseq_tx2rx_events_rev3[] = { + NPHY_REV3_RFSEQ_CMD_EXT_PA, + NPHY_REV3_RFSEQ_CMD_INT_PA_PU, + NPHY_REV3_RFSEQ_CMD_TX_GAIN, +@@ -16096,7 +16093,7 @@ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + NPHY_REV3_RFSEQ_CMD_CLR_HIQ_DIS, + NPHY_REV3_RFSEQ_CMD_END + }; +- u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 }; ++ static const u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 }; + u8 rfseq_rx2tx_events_rev3[] = { + NPHY_REV3_RFSEQ_CMD_NOP, + NPHY_REV3_RFSEQ_CMD_RXG_FBW, +@@ -16110,7 +16107,7 @@ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + }; + u8 rfseq_rx2tx_dlys_rev3[] = { 8, 6, 6, 4, 4, 18, 42, 1, 1 }; + +- u8 rfseq_rx2tx_events_rev3_ipa[] = { ++ static const u8 rfseq_rx2tx_events_rev3_ipa[] = { + NPHY_REV3_RFSEQ_CMD_NOP, + NPHY_REV3_RFSEQ_CMD_RXG_FBW, + NPHY_REV3_RFSEQ_CMD_TR_SWITCH, +@@ -16121,15 +16118,15 @@ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + NPHY_REV3_RFSEQ_CMD_INT_PA_PU, + NPHY_REV3_RFSEQ_CMD_END + }; +- u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 }; +- u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f }; ++ static const u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 }; ++ static const u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f }; + + s16 alpha0, alpha1, alpha2; + s16 beta0, beta1, beta2; + u32 leg_data_weights, ht_data_weights, nss1_data_weights, + stbc_data_weights; + u8 chan_freq_range = 0; +- u16 dac_control = 0x0002; ++ static const u16 dac_control = 0x0002; + u16 aux_adc_vmid_rev7_core0[] = { 0x8e, 0x96, 0x96, 0x96 }; + u16 aux_adc_vmid_rev7_core1[] = { 0x8f, 0x9f, 0x9f, 0x96 }; + u16 aux_adc_vmid_rev4[] = { 0xa2, 0xb4, 0xb4, 0x89 }; +@@ -16139,8 +16136,8 @@ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + u16 aux_adc_gain_rev4[] = { 0x02, 0x02, 0x02, 0x00 }; + u16 aux_adc_gain_rev3[] = { 0x02, 0x02, 0x02, 0x00 }; + u16 *aux_adc_gain; +- u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 }; +- u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 }; ++ static const u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 }; ++ static const u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 }; + s32 min_nvar_val = 0x18d; + s32 min_nvar_offset_6mbps = 20; + u8 pdetrange; +@@ -16151,9 +16148,9 @@ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + u16 rfseq_rx2tx_lpf_h_hpc_rev7 = 0x77; + u16 rfseq_tx2rx_lpf_h_hpc_rev7 = 0x77; + u16 rfseq_pktgn_lpf_h_hpc_rev7 = 0x77; +- u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 }; +- u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; +- u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; ++ static const u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 }; ++ static const u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; ++ static const u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; + u16 ipalvlshift_3p3_war_en = 0; + u16 rccal_bcap_val, rccal_scap_val; + u16 rccal_tx20_11b_bcap = 0; +@@ -24291,13 +24288,13 @@ static void wlc_phy_update_txcal_ladder_nphy(struct brcms_phy *pi, u16 core) + u16 bbmult; + u16 tblentry; + +- struct nphy_txiqcal_ladder ladder_lo[] = { ++ static const struct nphy_txiqcal_ladder ladder_lo[] = { + {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0}, + {25, 0}, {25, 1}, {25, 2}, {25, 3}, {25, 4}, {25, 5}, + {25, 6}, {25, 7}, {35, 7}, {50, 7}, {71, 7}, {100, 7} + }; + +- struct nphy_txiqcal_ladder ladder_iq[] = { ++ static const struct nphy_txiqcal_ladder ladder_iq[] = { + {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0}, + {25, 0}, {35, 0}, {50, 0}, {71, 0}, {100, 0}, {100, 1}, + {100, 2}, {100, 3}, {100, 4}, {100, 5}, {100, 6}, {100, 7} +@@ -25773,67 +25770,67 @@ wlc_phy_cal_txiqlo_nphy(struct brcms_phy *pi, struct nphy_txgains target_gain, + u16 cal_gain[2]; + struct nphy_iqcal_params cal_params[2]; + u32 tbl_len; +- void *tbl_ptr; ++ const void *tbl_ptr; + bool ladder_updated[2]; + u8 mphase_cal_lastphase = 0; + int bcmerror = 0; + bool phyhang_avoid_state = false; + +- u16 tbl_tx_iqlo_cal_loft_ladder_20[] = { ++ static const u16 tbl_tx_iqlo_cal_loft_ladder_20[] = { + 0x0300, 0x0500, 0x0700, 0x0900, 0x0d00, 0x1100, 0x1900, 0x1901, + 0x1902, + 0x1903, 0x1904, 0x1905, 0x1906, 0x1907, 0x2407, 0x3207, 0x4607, + 0x6407 + }; + +- u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = { ++ static const u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = { + 0x0200, 0x0300, 0x0600, 0x0900, 0x0d00, 0x1100, 0x1900, 0x2400, + 0x3200, + 0x4600, 0x6400, 0x6401, 0x6402, 0x6403, 0x6404, 0x6405, 0x6406, + 0x6407 + }; + +- u16 tbl_tx_iqlo_cal_loft_ladder_40[] = { ++ static const u16 tbl_tx_iqlo_cal_loft_ladder_40[] = { + 0x0200, 0x0300, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1201, + 0x1202, + 0x1203, 0x1204, 0x1205, 0x1206, 0x1207, 0x1907, 0x2307, 0x3207, + 0x4707 + }; + +- u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = { ++ static const u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = { + 0x0100, 0x0200, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1900, + 0x2300, + 0x3200, 0x4700, 0x4701, 0x4702, 0x4703, 0x4704, 0x4705, 0x4706, + 0x4707 + }; + +- u16 tbl_tx_iqlo_cal_startcoefs[] = { ++ static const u16 tbl_tx_iqlo_cal_startcoefs[] = { + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000 + }; + +- u16 tbl_tx_iqlo_cal_cmds_fullcal[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_fullcal[] = { + 0x8123, 0x8264, 0x8086, 0x8245, 0x8056, + 0x9123, 0x9264, 0x9086, 0x9245, 0x9056 + }; + +- u16 tbl_tx_iqlo_cal_cmds_recal[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_recal[] = { + 0x8101, 0x8253, 0x8053, 0x8234, 0x8034, + 0x9101, 0x9253, 0x9053, 0x9234, 0x9034 + }; + +- u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = { + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000 + }; + +- u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = { + 0x8434, 0x8334, 0x8084, 0x8267, 0x8056, 0x8234, + 0x9434, 0x9334, 0x9084, 0x9267, 0x9056, 0x9234 + }; + +- u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = { + 0x8423, 0x8323, 0x8073, 0x8256, 0x8045, 0x8223, + 0x9423, 0x9323, 0x9073, 0x9256, 0x9045, 0x9223 + }; +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c +index 2cbef9647acc..1281ebe0c30a 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c +@@ -1128,7 +1128,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl_priv *rtlpriv, u16 addr) + } + if (0 == tmp) { + read_addr = REG_DBI_RDATA + addr % 4; +- ret = rtl_read_byte(rtlpriv, read_addr); ++ ret = rtl_read_word(rtlpriv, read_addr); + } + return ret; + } +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index f16491c25e73..ea20b2cc189f 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1773,6 +1773,9 @@ static const struct usb_device_id acm_ids[] = { + { USB_DEVICE(0xfff0, 0x0100), /* DATECS FP-2000 */ + .driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */ + }, ++ { USB_DEVICE(0x09d8, 0x0320), /* Elatec GmbH TWN3 */ ++ .driver_info = NO_UNION_NORMAL, /* has misplaced union descriptor */ ++ }, + + { USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */ + .driver_info = CLEAR_HALT_CONDITIONS, +diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c +index 11793386b4e9..5008f71fb08d 100644 +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -955,10 +955,12 @@ int usb_get_bos_descriptor(struct usb_device *dev) + for (i = 0; i < num; i++) { + buffer += length; + cap = (struct usb_dev_cap_header *)buffer; +- length = cap->bLength; + +- if (total_len < length) ++ if (total_len < sizeof(*cap) || total_len < cap->bLength) { ++ dev->bos->desc->bNumDeviceCaps = i; + break; ++ } ++ length = cap->bLength; + total_len -= length; + + if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 860108c46e9a..c8075eb3db26 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1577,11 +1577,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb + totlen += isopkt[u].length; + } + u *= sizeof(struct usb_iso_packet_descriptor); +- if (totlen <= uurb->buffer_length) +- uurb->buffer_length = totlen; +- else +- WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d", +- totlen, uurb->buffer_length); ++ uurb->buffer_length = totlen; + break; + + default: +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 8127f112958e..706b3d6a7614 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2704,13 +2704,16 @@ static int hub_port_wait_reset(struct usb_hub *hub, int port1, + if (!(portstatus & USB_PORT_STAT_CONNECTION)) + return -ENOTCONN; + +- /* bomb out completely if the connection bounced. A USB 3.0 +- * connection may bounce if multiple warm resets were issued, ++ /* Retry if connect change is set but status is still connected. ++ * A USB 3.0 connection may bounce if multiple warm resets were issued, + * but the device may have successfully re-connected. Ignore it. + */ + if (!hub_is_superspeed(hub->hdev) && +- (portchange & USB_PORT_STAT_C_CONNECTION)) +- return -ENOTCONN; ++ (portchange & USB_PORT_STAT_C_CONNECTION)) { ++ usb_clear_port_feature(hub->hdev, port1, ++ USB_PORT_FEAT_C_CONNECTION); ++ return -EAGAIN; ++ } + + if (!(portstatus & USB_PORT_STAT_ENABLE)) + return -EBUSY; +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 82806e311202..a6aaf2f193a4 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -221,6 +221,10 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Corsair Strafe RGB */ + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + ++ /* MIDI keyboard WORLDE MINI */ ++ { USB_DEVICE(0x1c75, 0x0204), .driver_info = ++ USB_QUIRK_CONFIG_INTF_STRINGS }, ++ + /* Acer C120 LED Projector */ + { USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM }, + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 82308af5801b..a7d239f5fc5f 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4855,7 +4855,8 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks) + */ + hcd->has_tt = 1; + } else { +- if (xhci->sbrn == 0x31) { ++ /* Some 3.1 hosts return sbrn 0x30, can't rely on sbrn alone */ ++ if (xhci->sbrn == 0x31 || xhci->usb3_rhub.min_rev >= 1) { + xhci_info(xhci, "Host supports USB 3.1 Enhanced SuperSpeed\n"); + hcd->speed = HCD_USB31; + hcd->self.root_hub->speed = USB_SPEED_SUPER_PLUS; +diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c +index a6b6b1cf1317..aac28d998073 100644 +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -890,7 +890,7 @@ static irqreturn_t musb_stage0_irq(struct musb *musb, u8 int_usb, + */ + if (int_usb & MUSB_INTR_RESET) { + handled = IRQ_HANDLED; +- if (devctl & MUSB_DEVCTL_HM) { ++ if (is_host_active(musb)) { + /* + * When BABBLE happens what we can depends on which + * platform MUSB is running, because some platforms +@@ -900,9 +900,7 @@ static irqreturn_t musb_stage0_irq(struct musb *musb, u8 int_usb, + * drop the session. + */ + dev_err(musb->controller, "Babble\n"); +- +- if (is_host_active(musb)) +- musb_recover_from_babble(musb); ++ musb_recover_from_babble(musb); + } else { + musb_dbg(musb, "BUS RESET as %s", + usb_otg_state_string(musb->xceiv->otg->state)); +diff --git a/drivers/usb/musb/sunxi.c b/drivers/usb/musb/sunxi.c +index 1408245be18e..3e1f3daa42f5 100644 +--- a/drivers/usb/musb/sunxi.c ++++ b/drivers/usb/musb/sunxi.c +@@ -313,6 +313,8 @@ static int sunxi_musb_exit(struct musb *musb) + if (test_bit(SUNXI_MUSB_FL_HAS_SRAM, &glue->flags)) + sunxi_sram_release(musb->controller->parent); + ++ devm_usb_put_phy(glue->dev, glue->xceiv); ++ + return 0; + } + +diff --git a/drivers/usb/serial/metro-usb.c b/drivers/usb/serial/metro-usb.c +index 39e683096e94..45182c65fa1f 100644 +--- a/drivers/usb/serial/metro-usb.c ++++ b/drivers/usb/serial/metro-usb.c +@@ -45,6 +45,7 @@ struct metrousb_private { + static const struct usb_device_id id_table[] = { + { USB_DEVICE(FOCUS_VENDOR_ID, FOCUS_PRODUCT_ID_BI) }, + { USB_DEVICE(FOCUS_VENDOR_ID, FOCUS_PRODUCT_ID_UNI) }, ++ { USB_DEVICE_INTERFACE_CLASS(0x0c2e, 0x0730, 0xff) }, /* MS7820 */ + { }, /* Terminating entry. */ + }; + MODULE_DEVICE_TABLE(usb, id_table); +diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c +index bb4606368eb1..a755fa1a0017 100644 +--- a/fs/crypto/keyinfo.c ++++ b/fs/crypto/keyinfo.c +@@ -108,6 +108,11 @@ static int validate_user_key(struct fscrypt_info *crypt_info, + goto out; + } + ukp = user_key_payload(keyring_key); ++ if (!ukp) { ++ /* key was revoked before we acquired its semaphore */ ++ res = -EKEYREVOKED; ++ goto out; ++ } + if (ukp->datalen != sizeof(struct fscrypt_key)) { + res = -EINVAL; + goto out; +diff --git a/fs/fscache/object-list.c b/fs/fscache/object-list.c +index 5d5ddaa84b21..37e0c31d284f 100644 +--- a/fs/fscache/object-list.c ++++ b/fs/fscache/object-list.c +@@ -330,6 +330,13 @@ static void fscache_objlist_config(struct fscache_objlist_data *data) + rcu_read_lock(); + + confkey = user_key_payload(key); ++ if (!confkey) { ++ /* key was revoked */ ++ rcu_read_unlock(); ++ key_put(key); ++ goto no_config; ++ } ++ + buf = confkey->data; + + for (len = confkey->datalen - 1; len >= 0; len--) { +diff --git a/fs/xfs/libxfs/xfs_ag_resv.c b/fs/xfs/libxfs/xfs_ag_resv.c +index 33db69be4832..eed8f5867c46 100644 +--- a/fs/xfs/libxfs/xfs_ag_resv.c ++++ b/fs/xfs/libxfs/xfs_ag_resv.c +@@ -157,7 +157,8 @@ __xfs_ag_resv_free( + trace_xfs_ag_resv_free(pag, type, 0); + + resv = xfs_perag_resv(pag, type); +- pag->pag_mount->m_ag_max_usable += resv->ar_asked; ++ if (pag->pag_agno == 0) ++ pag->pag_mount->m_ag_max_usable += resv->ar_asked; + /* + * AGFL blocks are always considered "free", so whatever + * was reserved at mount time must be given back at umount. +@@ -217,7 +218,14 @@ __xfs_ag_resv_init( + return error; + } + +- mp->m_ag_max_usable -= ask; ++ /* ++ * Reduce the maximum per-AG allocation length by however much we're ++ * trying to reserve for an AG. Since this is a filesystem-wide ++ * counter, we only make the adjustment for AG 0. This assumes that ++ * there aren't any AGs hungrier for per-AG reservation than AG 0. ++ */ ++ if (pag->pag_agno == 0) ++ mp->m_ag_max_usable -= ask; + + resv = xfs_perag_resv(pag, type); + resv->ar_asked = ask; +diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c +index 9f06a211e157..c3702cda010a 100644 +--- a/fs/xfs/libxfs/xfs_alloc.c ++++ b/fs/xfs/libxfs/xfs_alloc.c +@@ -1579,6 +1579,10 @@ xfs_alloc_ag_vextent_small( + + bp = xfs_btree_get_bufs(args->mp, args->tp, + args->agno, fbno, 0); ++ if (!bp) { ++ error = -EFSCORRUPTED; ++ goto error0; ++ } + xfs_trans_binval(args->tp, bp); + } + args->len = 1; +@@ -2136,6 +2140,10 @@ xfs_alloc_fix_freelist( + if (error) + goto out_agbp_relse; + bp = xfs_btree_get_bufs(mp, tp, args->agno, bno, 0); ++ if (!bp) { ++ error = -EFSCORRUPTED; ++ goto out_agbp_relse; ++ } + xfs_trans_binval(tp, bp); + } + +diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c +index d2f4ab175096..7eb99701054f 100644 +--- a/fs/xfs/libxfs/xfs_bmap.c ++++ b/fs/xfs/libxfs/xfs_bmap.c +@@ -4057,6 +4057,17 @@ xfs_trim_extent( + } + } + ++/* trim extent to within eof */ ++void ++xfs_trim_extent_eof( ++ struct xfs_bmbt_irec *irec, ++ struct xfs_inode *ip) ++ ++{ ++ xfs_trim_extent(irec, 0, XFS_B_TO_FSB(ip->i_mount, ++ i_size_read(VFS_I(ip)))); ++} ++ + /* + * Trim the returned map to the required bounds + */ +diff --git a/fs/xfs/libxfs/xfs_bmap.h b/fs/xfs/libxfs/xfs_bmap.h +index db53ac7ff6df..f1446d127120 100644 +--- a/fs/xfs/libxfs/xfs_bmap.h ++++ b/fs/xfs/libxfs/xfs_bmap.h +@@ -196,6 +196,7 @@ void xfs_bmap_trace_exlist(struct xfs_inode *ip, xfs_extnum_t cnt, + + void xfs_trim_extent(struct xfs_bmbt_irec *irec, xfs_fileoff_t bno, + xfs_filblks_t len); ++void xfs_trim_extent_eof(struct xfs_bmbt_irec *, struct xfs_inode *); + int xfs_bmap_add_attrfork(struct xfs_inode *ip, int size, int rsvd); + void xfs_bmap_local_to_extents_empty(struct xfs_inode *ip, int whichfork); + void xfs_bmap_add_free(struct xfs_mount *mp, struct xfs_defer_ops *dfops, +diff --git a/fs/xfs/libxfs/xfs_log_format.h b/fs/xfs/libxfs/xfs_log_format.h +index 083cdd6d6c28..ce6958b1385c 100644 +--- a/fs/xfs/libxfs/xfs_log_format.h ++++ b/fs/xfs/libxfs/xfs_log_format.h +@@ -270,6 +270,7 @@ typedef struct xfs_inode_log_format { + __uint32_t ilf_fields; /* flags for fields logged */ + __uint16_t ilf_asize; /* size of attr d/ext/root */ + __uint16_t ilf_dsize; /* size of data/ext/root */ ++ __uint32_t ilf_pad; /* pad for 64 bit boundary */ + __uint64_t ilf_ino; /* inode number */ + union { + __uint32_t ilfu_rdev; /* rdev value for dev inode*/ +@@ -280,29 +281,17 @@ typedef struct xfs_inode_log_format { + __int32_t ilf_boffset; /* off of inode in buffer */ + } xfs_inode_log_format_t; + +-typedef struct xfs_inode_log_format_32 { +- __uint16_t ilf_type; /* inode log item type */ +- __uint16_t ilf_size; /* size of this item */ +- __uint32_t ilf_fields; /* flags for fields logged */ +- __uint16_t ilf_asize; /* size of attr d/ext/root */ +- __uint16_t ilf_dsize; /* size of data/ext/root */ +- __uint64_t ilf_ino; /* inode number */ +- union { +- __uint32_t ilfu_rdev; /* rdev value for dev inode*/ +- uuid_t ilfu_uuid; /* mount point value */ +- } ilf_u; +- __int64_t ilf_blkno; /* blkno of inode buffer */ +- __int32_t ilf_len; /* len of inode buffer */ +- __int32_t ilf_boffset; /* off of inode in buffer */ +-} __attribute__((packed)) xfs_inode_log_format_32_t; +- +-typedef struct xfs_inode_log_format_64 { ++/* ++ * Old 32 bit systems will log in this format without the 64 bit ++ * alignment padding. Recovery will detect this and convert it to the ++ * correct format. ++ */ ++struct xfs_inode_log_format_32 { + __uint16_t ilf_type; /* inode log item type */ + __uint16_t ilf_size; /* size of this item */ + __uint32_t ilf_fields; /* flags for fields logged */ + __uint16_t ilf_asize; /* size of attr d/ext/root */ + __uint16_t ilf_dsize; /* size of data/ext/root */ +- __uint32_t ilf_pad; /* pad for 64 bit boundary */ + __uint64_t ilf_ino; /* inode number */ + union { + __uint32_t ilfu_rdev; /* rdev value for dev inode*/ +@@ -311,7 +300,7 @@ typedef struct xfs_inode_log_format_64 { + __int64_t ilf_blkno; /* blkno of inode buffer */ + __int32_t ilf_len; /* len of inode buffer */ + __int32_t ilf_boffset; /* off of inode in buffer */ +-} xfs_inode_log_format_64_t; ++} __attribute__((packed)); + + + /* +diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c +index 7034e17535de..3354140de07e 100644 +--- a/fs/xfs/xfs_acl.c ++++ b/fs/xfs/xfs_acl.c +@@ -247,6 +247,8 @@ xfs_set_mode(struct inode *inode, umode_t mode) + int + xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) + { ++ umode_t mode; ++ bool set_mode = false; + int error = 0; + + if (!acl) +@@ -257,16 +259,24 @@ xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type) + return error; + + if (type == ACL_TYPE_ACCESS) { +- umode_t mode; +- + error = posix_acl_update_mode(inode, &mode, &acl); + if (error) + return error; +- error = xfs_set_mode(inode, mode); +- if (error) +- return error; ++ set_mode = true; + } + + set_acl: +- return __xfs_set_acl(inode, acl, type); ++ error = __xfs_set_acl(inode, acl, type); ++ if (error) ++ return error; ++ ++ /* ++ * We set the mode after successfully updating the ACL xattr because the ++ * xattr update can fail at ENOSPC and we don't want to change the mode ++ * if the ACL update hasn't been applied. ++ */ ++ if (set_mode) ++ error = xfs_set_mode(inode, mode); ++ ++ return error; + } +diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c +index d23889e0bedc..d31cd1ebd8e9 100644 +--- a/fs/xfs/xfs_aops.c ++++ b/fs/xfs/xfs_aops.c +@@ -335,7 +335,8 @@ xfs_end_io( + error = xfs_reflink_end_cow(ip, offset, size); + break; + case XFS_IO_UNWRITTEN: +- error = xfs_iomap_write_unwritten(ip, offset, size); ++ /* writeback should never update isize */ ++ error = xfs_iomap_write_unwritten(ip, offset, size, false); + break; + default: + ASSERT(!xfs_ioend_is_append(ioend) || ioend->io_append_trans); +@@ -437,6 +438,19 @@ xfs_imap_valid( + { + offset >>= inode->i_blkbits; + ++ /* ++ * We have to make sure the cached mapping is within EOF to protect ++ * against eofblocks trimming on file release leaving us with a stale ++ * mapping. Otherwise, a page for a subsequent file extending buffered ++ * write could get picked up by this writeback cycle and written to the ++ * wrong blocks. ++ * ++ * Note that what we really want here is a generic mapping invalidation ++ * mechanism to protect us from arbitrary extent modifying contexts, not ++ * just eofblocks. ++ */ ++ xfs_trim_extent_eof(imap, XFS_I(inode)); ++ + return offset >= imap->br_startoff && + offset < imap->br_startoff + imap->br_blockcount; + } +@@ -725,6 +739,14 @@ xfs_vm_invalidatepage( + { + trace_xfs_invalidatepage(page->mapping->host, page, offset, + length); ++ ++ /* ++ * If we are invalidating the entire page, clear the dirty state from it ++ * so that we can check for attempts to release dirty cached pages in ++ * xfs_vm_releasepage(). ++ */ ++ if (offset == 0 && length >= PAGE_SIZE) ++ cancel_dirty_page(page); + block_invalidatepage(page, offset, length); + } + +@@ -1180,25 +1202,27 @@ xfs_vm_releasepage( + * mm accommodates an old ext3 case where clean pages might not have had + * the dirty bit cleared. Thus, it can send actual dirty pages to + * ->releasepage() via shrink_active_list(). Conversely, +- * block_invalidatepage() can send pages that are still marked dirty +- * but otherwise have invalidated buffers. ++ * block_invalidatepage() can send pages that are still marked dirty but ++ * otherwise have invalidated buffers. + * + * We want to release the latter to avoid unnecessary buildup of the +- * LRU, skip the former and warn if we've left any lingering +- * delalloc/unwritten buffers on clean pages. Skip pages with delalloc +- * or unwritten buffers and warn if the page is not dirty. Otherwise +- * try to release the buffers. ++ * LRU, so xfs_vm_invalidatepage() clears the page dirty flag on pages ++ * that are entirely invalidated and need to be released. Hence the ++ * only time we should get dirty pages here is through ++ * shrink_active_list() and so we can simply skip those now. ++ * ++ * warn if we've left any lingering delalloc/unwritten buffers on clean ++ * or invalidated pages we are about to release. + */ ++ if (PageDirty(page)) ++ return 0; ++ + xfs_count_page_state(page, &delalloc, &unwritten); + +- if (delalloc) { +- WARN_ON_ONCE(!PageDirty(page)); ++ if (WARN_ON_ONCE(delalloc)) + return 0; +- } +- if (unwritten) { +- WARN_ON_ONCE(!PageDirty(page)); ++ if (WARN_ON_ONCE(unwritten)) + return 0; +- } + + return try_to_free_buffers(page); + } +@@ -1532,6 +1556,21 @@ xfs_end_io_direct_write( + return 0; + } + ++ if (flags & XFS_DIO_FLAG_COW) ++ error = xfs_reflink_end_cow(ip, offset, size); ++ ++ /* ++ * Unwritten conversion updates the in-core isize after extent ++ * conversion but before updating the on-disk size. Updating isize any ++ * earlier allows a racing dio read to find unwritten extents before ++ * they are converted. ++ */ ++ if (flags & XFS_DIO_FLAG_UNWRITTEN) { ++ trace_xfs_end_io_direct_write_unwritten(ip, offset, size); ++ ++ return xfs_iomap_write_unwritten(ip, offset, size, true); ++ } ++ + /* + * We need to update the in-core inode size here so that we don't end up + * with the on-disk inode size being outside the in-core inode size. We +@@ -1548,13 +1587,6 @@ xfs_end_io_direct_write( + i_size_write(inode, offset + size); + spin_unlock(&ip->i_flags_lock); + +- if (flags & XFS_DIO_FLAG_COW) +- error = xfs_reflink_end_cow(ip, offset, size); +- if (flags & XFS_DIO_FLAG_UNWRITTEN) { +- trace_xfs_end_io_direct_write_unwritten(ip, offset, size); +- +- error = xfs_iomap_write_unwritten(ip, offset, size); +- } + if (flags & XFS_DIO_FLAG_APPEND) { + trace_xfs_end_io_direct_write_append(ip, offset, size); + +diff --git a/fs/xfs/xfs_attr_inactive.c b/fs/xfs/xfs_attr_inactive.c +index be0b79d8900f..c6643004e583 100644 +--- a/fs/xfs/xfs_attr_inactive.c ++++ b/fs/xfs/xfs_attr_inactive.c +@@ -302,6 +302,8 @@ xfs_attr3_node_inactive( + &bp, XFS_ATTR_FORK); + if (error) + return error; ++ node = bp->b_addr; ++ btree = dp->d_ops->node_tree_p(node); + child_fsb = be32_to_cpu(btree[i + 1].before); + xfs_trans_brelse(*trans, bp); + } +diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c +index 5ffefac081f7..cb62871fb91d 100644 +--- a/fs/xfs/xfs_bmap_util.c ++++ b/fs/xfs/xfs_bmap_util.c +@@ -84,6 +84,7 @@ xfs_zero_extent( + GFP_NOFS, true); + } + ++#ifdef CONFIG_XFS_RT + int + xfs_bmap_rtalloc( + struct xfs_bmalloca *ap) /* bmap alloc argument struct */ +@@ -195,6 +196,7 @@ xfs_bmap_rtalloc( + } + return 0; + } ++#endif /* CONFIG_XFS_RT */ + + /* + * Check if the endoff is outside the last extent. If so the caller will grow +@@ -1445,7 +1447,19 @@ xfs_shift_file_space( + return error; + + /* +- * The extent shiting code works on extent granularity. So, if ++ * Clean out anything hanging around in the cow fork now that ++ * we've flushed all the dirty data out to disk to avoid having ++ * CoW extents at the wrong offsets. ++ */ ++ if (xfs_is_reflink_inode(ip)) { ++ error = xfs_reflink_cancel_cow_range(ip, offset, NULLFILEOFF, ++ true); ++ if (error) ++ return error; ++ } ++ ++ /* ++ * The extent shifting code works on extent granularity. So, if + * stop_fsb is not the starting block of extent, we need to split + * the extent at stop_fsb. + */ +@@ -2094,11 +2108,31 @@ xfs_swap_extents( + ip->i_d.di_flags2 |= tip->i_d.di_flags2 & XFS_DIFLAG2_REFLINK; + tip->i_d.di_flags2 &= ~XFS_DIFLAG2_REFLINK; + tip->i_d.di_flags2 |= f & XFS_DIFLAG2_REFLINK; ++ } ++ ++ /* Swap the cow forks. */ ++ if (xfs_sb_version_hasreflink(&mp->m_sb)) { ++ xfs_extnum_t extnum; ++ ++ ASSERT(ip->i_cformat == XFS_DINODE_FMT_EXTENTS); ++ ASSERT(tip->i_cformat == XFS_DINODE_FMT_EXTENTS); ++ ++ extnum = ip->i_cnextents; ++ ip->i_cnextents = tip->i_cnextents; ++ tip->i_cnextents = extnum; ++ + cowfp = ip->i_cowfp; + ip->i_cowfp = tip->i_cowfp; + tip->i_cowfp = cowfp; +- xfs_inode_set_cowblocks_tag(ip); +- xfs_inode_set_cowblocks_tag(tip); ++ ++ if (ip->i_cowfp && ip->i_cnextents) ++ xfs_inode_set_cowblocks_tag(ip); ++ else ++ xfs_inode_clear_cowblocks_tag(ip); ++ if (tip->i_cowfp && tip->i_cnextents) ++ xfs_inode_set_cowblocks_tag(tip); ++ else ++ xfs_inode_clear_cowblocks_tag(tip); + } + + xfs_trans_log_inode(tp, ip, src_log_flags); +diff --git a/fs/xfs/xfs_bmap_util.h b/fs/xfs/xfs_bmap_util.h +index f1005393785c..ce330f06563e 100644 +--- a/fs/xfs/xfs_bmap_util.h ++++ b/fs/xfs/xfs_bmap_util.h +@@ -28,7 +28,20 @@ struct xfs_mount; + struct xfs_trans; + struct xfs_bmalloca; + ++#ifdef CONFIG_XFS_RT + int xfs_bmap_rtalloc(struct xfs_bmalloca *ap); ++#else /* !CONFIG_XFS_RT */ ++/* ++ * Attempts to allocate RT extents when RT is disable indicates corruption and ++ * should trigger a shutdown. ++ */ ++static inline int ++xfs_bmap_rtalloc(struct xfs_bmalloca *ap) ++{ ++ return -EFSCORRUPTED; ++} ++#endif /* CONFIG_XFS_RT */ ++ + int xfs_bmap_eof(struct xfs_inode *ip, xfs_fileoff_t endoff, + int whichfork, int *eof); + int xfs_bmap_punch_delalloc_range(struct xfs_inode *ip, +diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c +index ed7ee4e8af73..bcf72970ca6b 100644 +--- a/fs/xfs/xfs_error.c ++++ b/fs/xfs/xfs_error.c +@@ -167,7 +167,7 @@ xfs_verifier_error( + { + struct xfs_mount *mp = bp->b_target->bt_mount; + +- xfs_alert(mp, "Metadata %s detected at %pF, %s block 0x%llx", ++ xfs_alert(mp, "Metadata %s detected at %pS, %s block 0x%llx", + bp->b_error == -EFSBADCRC ? "CRC error" : "corruption", + __return_address, bp->b_ops->name, bp->b_bn); + +diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c +index 586b398f268d..362c6b4c1186 100644 +--- a/fs/xfs/xfs_file.c ++++ b/fs/xfs/xfs_file.c +@@ -92,7 +92,7 @@ xfs_zero_range( + xfs_off_t count, + bool *did_zero) + { +- return iomap_zero_range(VFS_I(ip), pos, count, NULL, &xfs_iomap_ops); ++ return iomap_zero_range(VFS_I(ip), pos, count, did_zero, &xfs_iomap_ops); + } + + int +diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c +index 9e795ab08a53..fe9a9a183b2d 100644 +--- a/fs/xfs/xfs_inode.c ++++ b/fs/xfs/xfs_inode.c +@@ -1632,10 +1632,12 @@ xfs_itruncate_extents( + goto out; + + /* +- * Clear the reflink flag if we truncated everything. ++ * Clear the reflink flag if there are no data fork blocks and ++ * there are no extents staged in the cow fork. + */ +- if (ip->i_d.di_nblocks == 0 && xfs_is_reflink_inode(ip)) { +- ip->i_d.di_flags2 &= ~XFS_DIFLAG2_REFLINK; ++ if (xfs_is_reflink_inode(ip) && ip->i_cnextents == 0) { ++ if (ip->i_d.di_nblocks == 0) ++ ip->i_d.di_flags2 &= ~XFS_DIFLAG2_REFLINK; + xfs_inode_clear_cowblocks_tag(ip); + } + +diff --git a/fs/xfs/xfs_inode_item.c b/fs/xfs/xfs_inode_item.c +index 94915747042c..d0a3c4bd2c38 100644 +--- a/fs/xfs/xfs_inode_item.c ++++ b/fs/xfs/xfs_inode_item.c +@@ -364,6 +364,9 @@ xfs_inode_to_log_dinode( + to->di_dmstate = from->di_dmstate; + to->di_flags = from->di_flags; + ++ /* log a dummy value to ensure log structure is fully initialised */ ++ to->di_next_unlinked = NULLAGINO; ++ + if (from->di_version == 3) { + to->di_changecount = inode->i_version; + to->di_crtime.t_sec = from->di_crtime.t_sec; +@@ -404,6 +407,11 @@ xfs_inode_item_format_core( + * the second with the on-disk inode structure, and a possible third and/or + * fourth with the inode data/extents/b-tree root and inode attributes + * data/extents/b-tree root. ++ * ++ * Note: Always use the 64 bit inode log format structure so we don't ++ * leave an uninitialised hole in the format item on 64 bit systems. Log ++ * recovery on 32 bit systems handles this just fine, so there's no reason ++ * for not using an initialising the properly padded structure all the time. + */ + STATIC void + xfs_inode_item_format( +@@ -412,8 +420,8 @@ xfs_inode_item_format( + { + struct xfs_inode_log_item *iip = INODE_ITEM(lip); + struct xfs_inode *ip = iip->ili_inode; +- struct xfs_inode_log_format *ilf; + struct xfs_log_iovec *vecp = NULL; ++ struct xfs_inode_log_format *ilf; + + ASSERT(ip->i_d.di_version > 1); + +@@ -425,7 +433,17 @@ xfs_inode_item_format( + ilf->ilf_boffset = ip->i_imap.im_boffset; + ilf->ilf_fields = XFS_ILOG_CORE; + ilf->ilf_size = 2; /* format + core */ +- xlog_finish_iovec(lv, vecp, sizeof(struct xfs_inode_log_format)); ++ ++ /* ++ * make sure we don't leak uninitialised data into the log in the case ++ * when we don't log every field in the inode. ++ */ ++ ilf->ilf_dsize = 0; ++ ilf->ilf_asize = 0; ++ ilf->ilf_pad = 0; ++ memset(&ilf->ilf_u.ilfu_uuid, 0, sizeof(ilf->ilf_u.ilfu_uuid)); ++ ++ xlog_finish_iovec(lv, vecp, sizeof(*ilf)); + + xfs_inode_item_format_core(ip, lv, &vecp); + xfs_inode_item_format_data_fork(iip, ilf, lv, &vecp); +@@ -745,7 +763,7 @@ xfs_iflush_done( + */ + iip = INODE_ITEM(blip); + if ((iip->ili_logged && blip->li_lsn == iip->ili_flush_lsn) || +- lip->li_flags & XFS_LI_FAILED) ++ (blip->li_flags & XFS_LI_FAILED)) + need_ail++; + + blip = next; +@@ -855,48 +873,30 @@ xfs_istale_done( + } + + /* +- * convert an xfs_inode_log_format struct from either 32 or 64 bit versions +- * (which can have different field alignments) to the native version ++ * convert an xfs_inode_log_format struct from the old 32 bit version ++ * (which can have different field alignments) to the native 64 bit version + */ + int + xfs_inode_item_format_convert( +- xfs_log_iovec_t *buf, +- xfs_inode_log_format_t *in_f) ++ struct xfs_log_iovec *buf, ++ struct xfs_inode_log_format *in_f) + { +- if (buf->i_len == sizeof(xfs_inode_log_format_32_t)) { +- xfs_inode_log_format_32_t *in_f32 = buf->i_addr; +- +- in_f->ilf_type = in_f32->ilf_type; +- in_f->ilf_size = in_f32->ilf_size; +- in_f->ilf_fields = in_f32->ilf_fields; +- in_f->ilf_asize = in_f32->ilf_asize; +- in_f->ilf_dsize = in_f32->ilf_dsize; +- in_f->ilf_ino = in_f32->ilf_ino; +- /* copy biggest field of ilf_u */ +- memcpy(in_f->ilf_u.ilfu_uuid.__u_bits, +- in_f32->ilf_u.ilfu_uuid.__u_bits, +- sizeof(uuid_t)); +- in_f->ilf_blkno = in_f32->ilf_blkno; +- in_f->ilf_len = in_f32->ilf_len; +- in_f->ilf_boffset = in_f32->ilf_boffset; +- return 0; +- } else if (buf->i_len == sizeof(xfs_inode_log_format_64_t)){ +- xfs_inode_log_format_64_t *in_f64 = buf->i_addr; +- +- in_f->ilf_type = in_f64->ilf_type; +- in_f->ilf_size = in_f64->ilf_size; +- in_f->ilf_fields = in_f64->ilf_fields; +- in_f->ilf_asize = in_f64->ilf_asize; +- in_f->ilf_dsize = in_f64->ilf_dsize; +- in_f->ilf_ino = in_f64->ilf_ino; +- /* copy biggest field of ilf_u */ +- memcpy(in_f->ilf_u.ilfu_uuid.__u_bits, +- in_f64->ilf_u.ilfu_uuid.__u_bits, +- sizeof(uuid_t)); +- in_f->ilf_blkno = in_f64->ilf_blkno; +- in_f->ilf_len = in_f64->ilf_len; +- in_f->ilf_boffset = in_f64->ilf_boffset; +- return 0; +- } +- return -EFSCORRUPTED; ++ struct xfs_inode_log_format_32 *in_f32 = buf->i_addr; ++ ++ if (buf->i_len != sizeof(*in_f32)) ++ return -EFSCORRUPTED; ++ ++ in_f->ilf_type = in_f32->ilf_type; ++ in_f->ilf_size = in_f32->ilf_size; ++ in_f->ilf_fields = in_f32->ilf_fields; ++ in_f->ilf_asize = in_f32->ilf_asize; ++ in_f->ilf_dsize = in_f32->ilf_dsize; ++ in_f->ilf_ino = in_f32->ilf_ino; ++ /* copy biggest field of ilf_u */ ++ memcpy(in_f->ilf_u.ilfu_uuid.__u_bits, ++ in_f32->ilf_u.ilfu_uuid.__u_bits, sizeof(uuid_t)); ++ in_f->ilf_blkno = in_f32->ilf_blkno; ++ in_f->ilf_len = in_f32->ilf_len; ++ in_f->ilf_boffset = in_f32->ilf_boffset; ++ return 0; + } +diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c +index 65740d1cbd92..f286f63c430c 100644 +--- a/fs/xfs/xfs_iomap.c ++++ b/fs/xfs/xfs_iomap.c +@@ -836,7 +836,8 @@ int + xfs_iomap_write_unwritten( + xfs_inode_t *ip, + xfs_off_t offset, +- xfs_off_t count) ++ xfs_off_t count, ++ bool update_isize) + { + xfs_mount_t *mp = ip->i_mount; + xfs_fileoff_t offset_fsb; +@@ -847,6 +848,7 @@ xfs_iomap_write_unwritten( + xfs_trans_t *tp; + xfs_bmbt_irec_t imap; + struct xfs_defer_ops dfops; ++ struct inode *inode = VFS_I(ip); + xfs_fsize_t i_size; + uint resblks; + int error; +@@ -906,7 +908,8 @@ xfs_iomap_write_unwritten( + i_size = XFS_FSB_TO_B(mp, offset_fsb + count_fsb); + if (i_size > offset + count) + i_size = offset + count; +- ++ if (update_isize && i_size > i_size_read(inode)) ++ i_size_write(inode, i_size); + i_size = xfs_new_eof(ip, i_size); + if (i_size) { + ip->i_d.di_size = i_size; +diff --git a/fs/xfs/xfs_iomap.h b/fs/xfs/xfs_iomap.h +index 6d45cf01fcff..d71703af5c76 100644 +--- a/fs/xfs/xfs_iomap.h ++++ b/fs/xfs/xfs_iomap.h +@@ -27,7 +27,7 @@ int xfs_iomap_write_direct(struct xfs_inode *, xfs_off_t, size_t, + struct xfs_bmbt_irec *, int); + int xfs_iomap_write_allocate(struct xfs_inode *, int, xfs_off_t, + struct xfs_bmbt_irec *); +-int xfs_iomap_write_unwritten(struct xfs_inode *, xfs_off_t, xfs_off_t); ++int xfs_iomap_write_unwritten(struct xfs_inode *, xfs_off_t, xfs_off_t, bool); + + void xfs_bmbt_to_iomap(struct xfs_inode *, struct iomap *, + struct xfs_bmbt_irec *); +diff --git a/fs/xfs/xfs_ondisk.h b/fs/xfs/xfs_ondisk.h +index 0c381d71b242..0492436a053f 100644 +--- a/fs/xfs/xfs_ondisk.h ++++ b/fs/xfs/xfs_ondisk.h +@@ -134,7 +134,7 @@ xfs_check_ondisk_structs(void) + XFS_CHECK_STRUCT_SIZE(struct xfs_icreate_log, 28); + XFS_CHECK_STRUCT_SIZE(struct xfs_ictimestamp, 8); + XFS_CHECK_STRUCT_SIZE(struct xfs_inode_log_format_32, 52); +- XFS_CHECK_STRUCT_SIZE(struct xfs_inode_log_format_64, 56); ++ XFS_CHECK_STRUCT_SIZE(struct xfs_inode_log_format, 56); + XFS_CHECK_STRUCT_SIZE(struct xfs_qoff_logformat, 20); + XFS_CHECK_STRUCT_SIZE(struct xfs_trans_header, 16); + } +diff --git a/fs/xfs/xfs_pnfs.c b/fs/xfs/xfs_pnfs.c +index 93a7aafa56d6..cecd37569ddb 100644 +--- a/fs/xfs/xfs_pnfs.c ++++ b/fs/xfs/xfs_pnfs.c +@@ -279,7 +279,7 @@ xfs_fs_commit_blocks( + (end - 1) >> PAGE_SHIFT); + WARN_ON_ONCE(error); + +- error = xfs_iomap_write_unwritten(ip, start, length); ++ error = xfs_iomap_write_unwritten(ip, start, length, false); + if (error) + goto out_drop_iolock; + } +diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c +index 0015c19c7455..17d3c964a2a2 100644 +--- a/fs/xfs/xfs_reflink.c ++++ b/fs/xfs/xfs_reflink.c +@@ -767,7 +767,13 @@ xfs_reflink_end_cow( + + /* If there is a hole at end_fsb - 1 go to the previous extent */ + if (eof || got.br_startoff > end_fsb) { +- ASSERT(idx > 0); ++ /* ++ * In case of racing, overlapping AIO writes no COW extents ++ * might be left by the time I/O completes for the loser of ++ * the race. In that case we are done. ++ */ ++ if (idx <= 0) ++ goto out_cancel; + xfs_bmbt_get_all(xfs_iext_get_ext(ifp, --idx), &got); + } + +@@ -841,6 +847,7 @@ xfs_reflink_end_cow( + + out_defer: + xfs_defer_cancel(&dfops); ++out_cancel: + xfs_trans_cancel(tp); + xfs_iunlock(ip, XFS_ILOCK_EXCL); + out: +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index d596a076da11..8cc99de27bc2 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1521,11 +1521,11 @@ static inline void hv_signal_on_read(struct vmbus_channel *channel) + + cur_write_sz = hv_get_bytes_to_write(rbi); + +- if (cur_write_sz < pending_sz) ++ if (cur_write_sz <= pending_sz) + return; + + cached_write_sz = hv_get_cached_bytes_to_write(rbi); +- if (cached_write_sz < pending_sz) ++ if (cached_write_sz <= pending_sz) + vmbus_setevent(channel); + + return; +diff --git a/include/linux/key.h b/include/linux/key.h +index 6a544726903e..ed9b44fd9580 100644 +--- a/include/linux/key.h ++++ b/include/linux/key.h +@@ -126,6 +126,11 @@ static inline bool is_key_possessed(const key_ref_t key_ref) + return (unsigned long) key_ref & 1UL; + } + ++enum key_state { ++ KEY_IS_UNINSTANTIATED, ++ KEY_IS_POSITIVE, /* Positively instantiated */ ++}; ++ + /*****************************************************************************/ + /* + * authentication token / access credential / keyring +@@ -157,6 +162,7 @@ struct key { + * - may not match RCU dereferenced payload + * - payload should contain own length + */ ++ short state; /* Key state (+) or rejection error (-) */ + + #ifdef KEY_DEBUGGING + unsigned magic; +@@ -165,18 +171,16 @@ struct key { + #endif + + unsigned long flags; /* status flags (change with bitops) */ +-#define KEY_FLAG_INSTANTIATED 0 /* set if key has been instantiated */ +-#define KEY_FLAG_DEAD 1 /* set if key type has been deleted */ +-#define KEY_FLAG_REVOKED 2 /* set if key had been revoked */ +-#define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */ +-#define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */ +-#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ +-#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */ +-#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */ +-#define KEY_FLAG_BUILTIN 8 /* set if key is built in to the kernel */ +-#define KEY_FLAG_ROOT_CAN_INVAL 9 /* set if key can be invalidated by root without permission */ +-#define KEY_FLAG_KEEP 10 /* set if key should not be removed */ +-#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */ ++#define KEY_FLAG_DEAD 0 /* set if key type has been deleted */ ++#define KEY_FLAG_REVOKED 1 /* set if key had been revoked */ ++#define KEY_FLAG_IN_QUOTA 2 /* set if key consumes quota */ ++#define KEY_FLAG_USER_CONSTRUCT 3 /* set if key is being constructed in userspace */ ++#define KEY_FLAG_ROOT_CAN_CLEAR 4 /* set if key can be cleared by root without permission */ ++#define KEY_FLAG_INVALIDATED 5 /* set if key has been invalidated */ ++#define KEY_FLAG_BUILTIN 6 /* set if key is built in to the kernel */ ++#define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ ++#define KEY_FLAG_KEEP 8 /* set if key should not be removed */ ++#define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ + + /* the key type and key description string + * - the desc is used to match a key against search criteria +@@ -202,7 +206,6 @@ struct key { + struct list_head name_link; + struct assoc_array keys; + }; +- int reject_error; + }; + + /* This is set on a keyring to restrict the addition of a link to a key +@@ -343,17 +346,27 @@ extern void key_set_timeout(struct key *, unsigned); + #define KEY_NEED_SETATTR 0x20 /* Require permission to change attributes */ + #define KEY_NEED_ALL 0x3f /* All the above permissions */ + ++static inline short key_read_state(const struct key *key) ++{ ++ /* Barrier versus mark_key_instantiated(). */ ++ return smp_load_acquire(&key->state); ++} ++ + /** +- * key_is_instantiated - Determine if a key has been positively instantiated ++ * key_is_positive - Determine if a key has been positively instantiated + * @key: The key to check. + * + * Return true if the specified key has been positively instantiated, false + * otherwise. + */ +-static inline bool key_is_instantiated(const struct key *key) ++static inline bool key_is_positive(const struct key *key) ++{ ++ return key_read_state(key) == KEY_IS_POSITIVE; ++} ++ ++static inline bool key_is_negative(const struct key *key) + { +- return test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && +- !test_bit(KEY_FLAG_NEGATIVE, &key->flags); ++ return key_read_state(key) < 0; + } + + #define rcu_dereference_key(KEY) \ +diff --git a/include/linux/mbus.h b/include/linux/mbus.h +index 2931aa43dab1..f70420e65ad7 100644 +--- a/include/linux/mbus.h ++++ b/include/linux/mbus.h +@@ -31,8 +31,8 @@ struct mbus_dram_target_info + struct mbus_dram_window { + u8 cs_index; + u8 mbus_attr; +- u32 base; +- u32 size; ++ u64 base; ++ u64 size; + } cs[4]; + }; + +diff --git a/lib/digsig.c b/lib/digsig.c +index 55b8b2f41a9e..a876156503f0 100644 +--- a/lib/digsig.c ++++ b/lib/digsig.c +@@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key *key, + down_read(&key->sem); + ukp = user_key_payload(key); + ++ if (!ukp) { ++ /* key was revoked before we acquired its semaphore */ ++ err = -EKEYREVOKED; ++ goto err1; ++ } ++ + if (ukp->datalen < sizeof(*pkh)) + goto err1; + +diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c +index 8737412c7b27..e1d4d898a007 100644 +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -224,7 +224,7 @@ static int dns_resolver_match_preparse(struct key_match_data *match_data) + static void dns_resolver_describe(const struct key *key, struct seq_file *m) + { + seq_puts(m, key->description); +- if (key_is_instantiated(key)) { ++ if (key_is_positive(key)) { + int err = PTR_ERR(key->payload.data[dns_key_error]); + + if (err) +diff --git a/security/keys/big_key.c b/security/keys/big_key.c +index 47c6dcab1a8e..e6288173d99d 100644 +--- a/security/keys/big_key.c ++++ b/security/keys/big_key.c +@@ -245,7 +245,7 @@ void big_key_revoke(struct key *key) + + /* clear the quota */ + key_payload_reserve(key, 0); +- if (key_is_instantiated(key) && ++ if (key_is_positive(key) && + (size_t)key->payload.data[big_key_len] > BIG_KEY_FILE_THRESHOLD) + vfs_truncate(path, 0); + } +@@ -277,7 +277,7 @@ void big_key_describe(const struct key *key, struct seq_file *m) + + seq_puts(m, key->description); + +- if (key_is_instantiated(key)) ++ if (key_is_positive(key)) + seq_printf(m, ": %zu [%s]", + datalen, + datalen > BIG_KEY_FILE_THRESHOLD ? "file" : "buff"); +diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c +index 8d9330aba77e..a871159bf03c 100644 +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -315,6 +315,13 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k + + down_read(&ukey->sem); + upayload = user_key_payload(ukey); ++ if (!upayload) { ++ /* key was revoked before we acquired its semaphore */ ++ up_read(&ukey->sem); ++ key_put(ukey); ++ ukey = ERR_PTR(-EKEYREVOKED); ++ goto error; ++ } + *master_key = upayload->data; + *master_keylen = upayload->datalen; + error: +@@ -867,7 +874,7 @@ static int encrypted_update(struct key *key, struct key_preparsed_payload *prep) + size_t datalen = prep->datalen; + int ret = 0; + +- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ if (key_is_negative(key)) + return -ENOKEY; + if (datalen <= 0 || datalen > 32767 || !prep->data) + return -EINVAL; +diff --git a/security/keys/gc.c b/security/keys/gc.c +index 9cb4fe4478a1..1659094d684d 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -129,15 +129,15 @@ static noinline void key_gc_unused_keys(struct list_head *keys) + while (!list_empty(keys)) { + struct key *key = + list_entry(keys->next, struct key, graveyard_link); ++ short state = key->state; ++ + list_del(&key->graveyard_link); + + kdebug("- %u", key->serial); + key_check(key); + + /* Throw away the key data if the key is instantiated */ +- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && +- !test_bit(KEY_FLAG_NEGATIVE, &key->flags) && +- key->type->destroy) ++ if (state == KEY_IS_POSITIVE && key->type->destroy) + key->type->destroy(key); + + security_key_free(key); +@@ -151,7 +151,7 @@ static noinline void key_gc_unused_keys(struct list_head *keys) + } + + atomic_dec(&key->user->nkeys); +- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) ++ if (state != KEY_IS_UNINSTANTIATED) + atomic_dec(&key->user->nikeys); + + key_user_put(key->user); +diff --git a/security/keys/key.c b/security/keys/key.c +index 135e1eb7e468..7dc59069e8c7 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -400,6 +400,18 @@ int key_payload_reserve(struct key *key, size_t datalen) + } + EXPORT_SYMBOL(key_payload_reserve); + ++/* ++ * Change the key state to being instantiated. ++ */ ++static void mark_key_instantiated(struct key *key, int reject_error) ++{ ++ /* Commit the payload before setting the state; barrier versus ++ * key_read_state(). ++ */ ++ smp_store_release(&key->state, ++ (reject_error < 0) ? reject_error : KEY_IS_POSITIVE); ++} ++ + /* + * Instantiate a key and link it into the target keyring atomically. Must be + * called with the target keyring's semaphore writelocked. The target key's +@@ -423,14 +435,14 @@ static int __key_instantiate_and_link(struct key *key, + mutex_lock(&key_construction_mutex); + + /* can't instantiate twice */ +- if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { ++ if (key->state == KEY_IS_UNINSTANTIATED) { + /* instantiate the key */ + ret = key->type->instantiate(key, prep); + + if (ret == 0) { + /* mark the key as being instantiated */ + atomic_inc(&key->user->nikeys); +- set_bit(KEY_FLAG_INSTANTIATED, &key->flags); ++ mark_key_instantiated(key, 0); + + if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) + awaken = 1; +@@ -572,13 +584,10 @@ int key_reject_and_link(struct key *key, + mutex_lock(&key_construction_mutex); + + /* can't instantiate twice */ +- if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { ++ if (key->state == KEY_IS_UNINSTANTIATED) { + /* mark the key as being negatively instantiated */ + atomic_inc(&key->user->nikeys); +- key->reject_error = -error; +- smp_wmb(); +- set_bit(KEY_FLAG_NEGATIVE, &key->flags); +- set_bit(KEY_FLAG_INSTANTIATED, &key->flags); ++ mark_key_instantiated(key, -error); + now = current_kernel_time(); + key->expiry = now.tv_sec + timeout; + key_schedule_gc(key->expiry + key_gc_delay); +@@ -750,8 +759,8 @@ static inline key_ref_t __key_update(key_ref_t key_ref, + + ret = key->type->update(key, prep); + if (ret == 0) +- /* updating a negative key instantiates it */ +- clear_bit(KEY_FLAG_NEGATIVE, &key->flags); ++ /* Updating a negative key positively instantiates it */ ++ mark_key_instantiated(key, 0); + + up_write(&key->sem); + +@@ -935,6 +944,16 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, + */ + __key_link_end(keyring, &index_key, edit); + ++ key = key_ref_to_ptr(key_ref); ++ if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { ++ ret = wait_for_key_construction(key, true); ++ if (ret < 0) { ++ key_ref_put(key_ref); ++ key_ref = ERR_PTR(ret); ++ goto error_free_prep; ++ } ++ } ++ + key_ref = __key_update(key_ref, &prep); + goto error_free_prep; + } +@@ -985,8 +1004,8 @@ int key_update(key_ref_t key_ref, const void *payload, size_t plen) + + ret = key->type->update(key, &prep); + if (ret == 0) +- /* updating a negative key instantiates it */ +- clear_bit(KEY_FLAG_NEGATIVE, &key->flags); ++ /* Updating a negative key positively instantiates it */ ++ mark_key_instantiated(key, 0); + + up_write(&key->sem); + +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index 1302cb398346..797edcf1d424 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -766,10 +766,9 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) + + key = key_ref_to_ptr(key_ref); + +- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { +- ret = -ENOKEY; +- goto error2; +- } ++ ret = key_read_state(key); ++ if (ret < 0) ++ goto error2; /* Negatively instantiated */ + + /* see if we can read it directly */ + ret = key_permission(key_ref, KEY_NEED_READ); +@@ -901,7 +900,7 @@ long keyctl_chown_key(key_serial_t id, uid_t user, gid_t group) + atomic_dec(&key->user->nkeys); + atomic_inc(&newowner->nkeys); + +- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { ++ if (key->state != KEY_IS_UNINSTANTIATED) { + atomic_dec(&key->user->nikeys); + atomic_inc(&newowner->nikeys); + } +diff --git a/security/keys/keyring.c b/security/keys/keyring.c +index a86d0ae1773c..32969f630438 100644 +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -407,7 +407,7 @@ static void keyring_describe(const struct key *keyring, struct seq_file *m) + else + seq_puts(m, "[anon]"); + +- if (key_is_instantiated(keyring)) { ++ if (key_is_positive(keyring)) { + if (keyring->keys.nr_leaves_on_tree != 0) + seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); + else +@@ -546,7 +546,8 @@ static int keyring_search_iterator(const void *object, void *iterator_data) + { + struct keyring_search_context *ctx = iterator_data; + const struct key *key = keyring_ptr_to_key(object); +- unsigned long kflags = key->flags; ++ unsigned long kflags = READ_ONCE(key->flags); ++ short state = READ_ONCE(key->state); + + kenter("{%d}", key->serial); + +@@ -590,9 +591,8 @@ static int keyring_search_iterator(const void *object, void *iterator_data) + + if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { + /* we set a different error code if we pass a negative key */ +- if (kflags & (1 << KEY_FLAG_NEGATIVE)) { +- smp_rmb(); +- ctx->result = ERR_PTR(key->reject_error); ++ if (state < 0) { ++ ctx->result = ERR_PTR(state); + kleave(" = %d [neg]", ctx->skipped_ret); + goto skipped; + } +diff --git a/security/keys/proc.c b/security/keys/proc.c +index b9f531c9e4fa..036128682463 100644 +--- a/security/keys/proc.c ++++ b/security/keys/proc.c +@@ -182,6 +182,7 @@ static int proc_keys_show(struct seq_file *m, void *v) + unsigned long timo; + key_ref_t key_ref, skey_ref; + char xbuf[16]; ++ short state; + int rc; + + struct keyring_search_context ctx = { +@@ -240,17 +241,19 @@ static int proc_keys_show(struct seq_file *m, void *v) + sprintf(xbuf, "%luw", timo / (60*60*24*7)); + } + ++ state = key_read_state(key); ++ + #define showflag(KEY, LETTER, FLAG) \ + (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') + + seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ", + key->serial, +- showflag(key, 'I', KEY_FLAG_INSTANTIATED), ++ state != KEY_IS_UNINSTANTIATED ? 'I' : '-', + showflag(key, 'R', KEY_FLAG_REVOKED), + showflag(key, 'D', KEY_FLAG_DEAD), + showflag(key, 'Q', KEY_FLAG_IN_QUOTA), + showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT), +- showflag(key, 'N', KEY_FLAG_NEGATIVE), ++ state < 0 ? 'N' : '-', + showflag(key, 'i', KEY_FLAG_INVALIDATED), + atomic_read(&key->usage), + xbuf, +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index ce45c78cf0a2..2d35d71d7d9a 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -729,7 +729,7 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, + + ret = -EIO; + if (!(lflags & KEY_LOOKUP_PARTIAL) && +- !test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) ++ key_read_state(key) == KEY_IS_UNINSTANTIATED) + goto invalid_key; + + /* check the permissions */ +diff --git a/security/keys/request_key.c b/security/keys/request_key.c +index 43affcf10b22..5030fcf23681 100644 +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -594,10 +594,9 @@ int wait_for_key_construction(struct key *key, bool intr) + intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE); + if (ret) + return -ERESTARTSYS; +- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { +- smp_rmb(); +- return key->reject_error; +- } ++ ret = key_read_state(key); ++ if (ret < 0) ++ return ret; + return key_validate(key); + } + EXPORT_SYMBOL(wait_for_key_construction); +diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c +index 9db8b4a82787..ba74a0b4d1cb 100644 +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -73,7 +73,7 @@ static void request_key_auth_describe(const struct key *key, + + seq_puts(m, "key:"); + seq_puts(m, key->description); +- if (key_is_instantiated(key)) ++ if (key_is_positive(key)) + seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len); + } + +diff --git a/security/keys/trusted.c b/security/keys/trusted.c +index 90d61751ff12..f4db42e669e9 100644 +--- a/security/keys/trusted.c ++++ b/security/keys/trusted.c +@@ -1067,7 +1067,7 @@ static int trusted_update(struct key *key, struct key_preparsed_payload *prep) + char *datablob; + int ret = 0; + +- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ if (key_is_negative(key)) + return -ENOKEY; + p = key->payload.data[0]; + if (!p->migratable) +diff --git a/security/keys/user_defined.c b/security/keys/user_defined.c +index 66b1840b4110..3dc2607211cc 100644 +--- a/security/keys/user_defined.c ++++ b/security/keys/user_defined.c +@@ -106,7 +106,7 @@ int user_update(struct key *key, struct key_preparsed_payload *prep) + + /* attach the new data, displacing the old */ + key->expiry = prep->expiry; +- if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ if (key_is_positive(key)) + zap = rcu_dereference_key(key); + rcu_assign_keypointer(key, prep->payload.data[0]); + prep->payload.data[0] = NULL; +@@ -154,7 +154,7 @@ EXPORT_SYMBOL_GPL(user_destroy); + void user_describe(const struct key *key, struct seq_file *m) + { + seq_puts(m, key->description); +- if (key_is_instantiated(key)) ++ if (key_is_positive(key)) + seq_printf(m, ": %u", key->datalen); + } + +diff --git a/sound/core/seq/seq_lock.c b/sound/core/seq/seq_lock.c +index 12ba83367b1b..ba5752ee9af3 100644 +--- a/sound/core/seq/seq_lock.c ++++ b/sound/core/seq/seq_lock.c +@@ -23,8 +23,6 @@ + #include <sound/core.h> + #include "seq_lock.h" + +-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG) +- + /* wait until all locks are released */ + void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line) + { +@@ -42,5 +40,3 @@ void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line) + } + + EXPORT_SYMBOL(snd_use_lock_sync_helper); +- +-#endif +diff --git a/sound/core/seq/seq_lock.h b/sound/core/seq/seq_lock.h +index 54044bc2c9ef..ac38031c370e 100644 +--- a/sound/core/seq/seq_lock.h ++++ b/sound/core/seq/seq_lock.h +@@ -3,8 +3,6 @@ + + #include <linux/sched.h> + +-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG) +- + typedef atomic_t snd_use_lock_t; + + /* initialize lock */ +@@ -20,14 +18,4 @@ typedef atomic_t snd_use_lock_t; + void snd_use_lock_sync_helper(snd_use_lock_t *lock, const char *file, int line); + #define snd_use_lock_sync(lockp) snd_use_lock_sync_helper(lockp, __BASE_FILE__, __LINE__) + +-#else /* SMP || CONFIG_SND_DEBUG */ +- +-typedef spinlock_t snd_use_lock_t; /* dummy */ +-#define snd_use_lock_init(lockp) /**/ +-#define snd_use_lock_use(lockp) /**/ +-#define snd_use_lock_free(lockp) /**/ +-#define snd_use_lock_sync(lockp) /**/ +- +-#endif /* SMP || CONFIG_SND_DEBUG */ +- + #endif /* __SND_SEQ_LOCK_H */ +diff --git a/sound/hda/hdac_controller.c b/sound/hda/hdac_controller.c +index 0f41257d339e..8761877207ec 100644 +--- a/sound/hda/hdac_controller.c ++++ b/sound/hda/hdac_controller.c +@@ -284,6 +284,11 @@ int snd_hdac_bus_parse_capabilities(struct hdac_bus *bus) + dev_dbg(bus->dev, "HDA capability ID: 0x%x\n", + (cur_cap & AZX_CAP_HDR_ID_MASK) >> AZX_CAP_HDR_ID_OFF); + ++ if (cur_cap == -1) { ++ dev_dbg(bus->dev, "Invalid capability reg read\n"); ++ break; ++ } ++ + switch ((cur_cap & AZX_CAP_HDR_ID_MASK) >> AZX_CAP_HDR_ID_OFF) { + case AZX_ML_CAP_ID: + dev_dbg(bus->dev, "Found ML capability\n"); +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 9913be8532ab..e46c561a8c90 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1755,7 +1755,7 @@ static int get_kctl_0dB_offset(struct hda_codec *codec, + return -1; + if (*step_to_check && *step_to_check != step) { + codec_err(codec, "Mismatching dB step for vmaster slave (%d!=%d)\n", +-- *step_to_check, step); ++ *step_to_check, step); + return -1; + } + *step_to_check = step; +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 286efc3a6116..7613b9e07b5c 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1352,6 +1352,7 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip, + case USB_ID(0x20b1, 0x2008): /* Matrix Audio X-Sabre */ + case USB_ID(0x20b1, 0x300a): /* Matrix Audio Mini-i Pro */ + case USB_ID(0x22d9, 0x0416): /* OPPO HA-1 */ ++ case USB_ID(0x2772, 0x0230): /* Pro-Ject Pre Box S2 Digital */ + if (fp->altsetting == 2) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + break;
