Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:4.4 commit in: /
Date: Wed, 21 Nov 2018 15:02:32
Message-Id: 1542812453.a2141b383ab8f5a8830f801ed013ff31aec1034b.mpagano@gentoo
1 commit: a2141b383ab8f5a8830f801ed013ff31aec1034b
2 Author: Alice Ferrazzi <alicef <AT> gentoo <DOT> org>
3 AuthorDate: Thu Jul 12 16:21:45 2018 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 21 15:00:53 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=a2141b38
7
8 linux kernel 4.4.140
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 4 +
13 1138_linux-4.4.140.patch | 1823 ++++++++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 1827 insertions(+)
15
16 diff --git a/0000_README b/0000_README
17 index cfb7ea3..73e6c56 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -599,6 +599,10 @@ Patch: 1138_linux-4.4.139.patch
21 From: http://www.kernel.org
22 Desc: Linux 4.4.139
23
24 +Patch: 1139_linux-4.4.140.patch
25 +From: http://www.kernel.org
26 +Desc: Linux 4.4.140
27 +
28 Patch: 1500_XATTR_USER_PREFIX.patch
29 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
30 Desc: Support for namespace user.pax.* on tmpfs.
31
32 diff --git a/1138_linux-4.4.140.patch b/1138_linux-4.4.140.patch
33 new file mode 100644
34 index 0000000..a2e3d0e
35 --- /dev/null
36 +++ b/1138_linux-4.4.140.patch
37 @@ -0,0 +1,1823 @@
38 +diff --git a/Makefile b/Makefile
39 +index 20a11fd36656..b842298a5970 100644
40 +--- a/Makefile
41 ++++ b/Makefile
42 +@@ -1,6 +1,6 @@
43 + VERSION = 4
44 + PATCHLEVEL = 4
45 +-SUBLEVEL = 139
46 ++SUBLEVEL = 140
47 + EXTRAVERSION =
48 + NAME = Blurry Fish Butt
49 +
50 +diff --git a/arch/arm/boot/dts/imx6q.dtsi b/arch/arm/boot/dts/imx6q.dtsi
51 +index 399103b8e2c9..c81fb8fdc41f 100644
52 +--- a/arch/arm/boot/dts/imx6q.dtsi
53 ++++ b/arch/arm/boot/dts/imx6q.dtsi
54 +@@ -95,7 +95,7 @@
55 + clocks = <&clks IMX6Q_CLK_ECSPI5>,
56 + <&clks IMX6Q_CLK_ECSPI5>;
57 + clock-names = "ipg", "per";
58 +- dmas = <&sdma 11 7 1>, <&sdma 12 7 2>;
59 ++ dmas = <&sdma 11 8 1>, <&sdma 12 8 2>;
60 + dma-names = "rx", "tx";
61 + status = "disabled";
62 + };
63 +diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S
64 +index 5416d5d68308..4cad1adff16b 100644
65 +--- a/arch/s390/kernel/entry.S
66 ++++ b/arch/s390/kernel/entry.S
67 +@@ -1170,7 +1170,7 @@ cleanup_critical:
68 + jl 0f
69 + clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end
70 + jl .Lcleanup_load_fpu_regs
71 +-0: BR_EX %r14
72 ++0: BR_EX %r14,%r11
73 +
74 + .align 8
75 + .Lcleanup_table:
76 +@@ -1200,7 +1200,7 @@ cleanup_critical:
77 + ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE
78 + lctlg %c1,%c1,__LC_USER_ASCE # load primary asce
79 + larl %r9,sie_exit # skip forward to sie_exit
80 +- BR_EX %r14
81 ++ BR_EX %r14,%r11
82 + #endif
83 +
84 + .Lcleanup_system_call:
85 +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
86 +index 6edb9530d7e9..ddc9b8125918 100644
87 +--- a/arch/x86/kernel/cpu/mcheck/mce.c
88 ++++ b/arch/x86/kernel/cpu/mcheck/mce.c
89 +@@ -980,11 +980,12 @@ void do_machine_check(struct pt_regs *regs, long error_code)
90 + int i;
91 + int worst = 0;
92 + int severity;
93 ++
94 + /*
95 + * Establish sequential order between the CPUs entering the machine
96 + * check handler.
97 + */
98 +- int order;
99 ++ int order = -1;
100 + /*
101 + * If no_way_out gets set, there is no safe way to recover from this
102 + * MCE. If mca_cfg.tolerant is cranked up, we'll try anyway.
103 +@@ -1000,7 +1001,12 @@ void do_machine_check(struct pt_regs *regs, long error_code)
104 + char *msg = "Unknown";
105 + u64 recover_paddr = ~0ull;
106 + int flags = MF_ACTION_REQUIRED;
107 +- int lmce = 0;
108 ++
109 ++ /*
110 ++ * MCEs are always local on AMD. Same is determined by MCG_STATUS_LMCES
111 ++ * on Intel.
112 ++ */
113 ++ int lmce = 1;
114 +
115 + /* If this CPU is offline, just bail out. */
116 + if (cpu_is_offline(smp_processor_id())) {
117 +@@ -1039,17 +1045,23 @@ void do_machine_check(struct pt_regs *regs, long error_code)
118 + kill_it = 1;
119 +
120 + /*
121 +- * Check if this MCE is signaled to only this logical processor
122 ++ * Check if this MCE is signaled to only this logical processor,
123 ++ * on Intel only.
124 + */
125 +- if (m.mcgstatus & MCG_STATUS_LMCES)
126 +- lmce = 1;
127 +- else {
128 +- /*
129 +- * Go through all the banks in exclusion of the other CPUs.
130 +- * This way we don't report duplicated events on shared banks
131 +- * because the first one to see it will clear it.
132 +- * If this is a Local MCE, then no need to perform rendezvous.
133 +- */
134 ++ if (m.cpuvendor == X86_VENDOR_INTEL)
135 ++ lmce = m.mcgstatus & MCG_STATUS_LMCES;
136 ++
137 ++ /*
138 ++ * Local machine check may already know that we have to panic.
139 ++ * Broadcast machine check begins rendezvous in mce_start()
140 ++ * Go through all banks in exclusion of the other CPUs. This way we
141 ++ * don't report duplicated events on shared banks because the first one
142 ++ * to see it will clear it.
143 ++ */
144 ++ if (lmce) {
145 ++ if (no_way_out)
146 ++ mce_panic("Fatal local machine check", &m, msg);
147 ++ } else {
148 + order = mce_start(&no_way_out);
149 + }
150 +
151 +@@ -1128,12 +1140,17 @@ void do_machine_check(struct pt_regs *regs, long error_code)
152 + no_way_out = worst >= MCE_PANIC_SEVERITY;
153 + } else {
154 + /*
155 +- * Local MCE skipped calling mce_reign()
156 +- * If we found a fatal error, we need to panic here.
157 ++ * If there was a fatal machine check we should have
158 ++ * already called mce_panic earlier in this function.
159 ++ * Since we re-read the banks, we might have found
160 ++ * something new. Check again to see if we found a
161 ++ * fatal error. We call "mce_severity()" again to
162 ++ * make sure we have the right "msg".
163 + */
164 +- if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3)
165 +- mce_panic("Machine check from unknown source",
166 +- NULL, NULL);
167 ++ if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3) {
168 ++ mce_severity(&m, cfg->tolerant, &msg, true);
169 ++ mce_panic("Local fatal machine check!", &m, msg);
170 ++ }
171 + }
172 +
173 + /*
174 +diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
175 +index df9be5b91270..1f5c47a49e35 100644
176 +--- a/arch/x86/kernel/kprobes/core.c
177 ++++ b/arch/x86/kernel/kprobes/core.c
178 +@@ -411,25 +411,38 @@ void free_insn_page(void *page)
179 + module_memfree(page);
180 + }
181 +
182 ++/* Prepare reljump right after instruction to boost */
183 ++static void prepare_boost(struct kprobe *p, int length)
184 ++{
185 ++ if (can_boost(p->ainsn.insn, p->addr) &&
186 ++ MAX_INSN_SIZE - length >= RELATIVEJUMP_SIZE) {
187 ++ /*
188 ++ * These instructions can be executed directly if it
189 ++ * jumps back to correct address.
190 ++ */
191 ++ synthesize_reljump(p->ainsn.insn + length, p->addr + length);
192 ++ p->ainsn.boostable = 1;
193 ++ } else {
194 ++ p->ainsn.boostable = -1;
195 ++ }
196 ++}
197 ++
198 + static int arch_copy_kprobe(struct kprobe *p)
199 + {
200 +- int ret;
201 ++ int len;
202 +
203 + set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1);
204 +
205 + /* Copy an instruction with recovering if other optprobe modifies it.*/
206 +- ret = __copy_instruction(p->ainsn.insn, p->addr);
207 +- if (!ret)
208 ++ len = __copy_instruction(p->ainsn.insn, p->addr);
209 ++ if (!len)
210 + return -EINVAL;
211 +
212 + /*
213 + * __copy_instruction can modify the displacement of the instruction,
214 + * but it doesn't affect boostable check.
215 + */
216 +- if (can_boost(p->ainsn.insn, p->addr))
217 +- p->ainsn.boostable = 0;
218 +- else
219 +- p->ainsn.boostable = -1;
220 ++ prepare_boost(p, len);
221 +
222 + set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1);
223 +
224 +@@ -894,21 +907,6 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,
225 + break;
226 + }
227 +
228 +- if (p->ainsn.boostable == 0) {
229 +- if ((regs->ip > copy_ip) &&
230 +- (regs->ip - copy_ip) + 5 < MAX_INSN_SIZE) {
231 +- /*
232 +- * These instructions can be executed directly if it
233 +- * jumps back to correct address.
234 +- */
235 +- synthesize_reljump((void *)regs->ip,
236 +- (void *)orig_ip + (regs->ip - copy_ip));
237 +- p->ainsn.boostable = 1;
238 +- } else {
239 +- p->ainsn.boostable = -1;
240 +- }
241 +- }
242 +-
243 + regs->ip += orig_ip - copy_ip;
244 +
245 + no_change:
246 +diff --git a/arch/x86/lib/cmdline.c b/arch/x86/lib/cmdline.c
247 +index a744506856b1..88ce150186c6 100644
248 +--- a/arch/x86/lib/cmdline.c
249 ++++ b/arch/x86/lib/cmdline.c
250 +@@ -21,12 +21,14 @@ static inline int myisspace(u8 c)
251 + * @option: option string to look for
252 + *
253 + * Returns the position of that @option (starts counting with 1)
254 +- * or 0 on not found.
255 ++ * or 0 on not found. @option will only be found if it is found
256 ++ * as an entire word in @cmdline. For instance, if @option="car"
257 ++ * then a cmdline which contains "cart" will not match.
258 + */
259 + int cmdline_find_option_bool(const char *cmdline, const char *option)
260 + {
261 + char c;
262 +- int len, pos = 0, wstart = 0;
263 ++ int pos = 0, wstart = 0;
264 + const char *opptr = NULL;
265 + enum {
266 + st_wordstart = 0, /* Start of word/after whitespace */
267 +@@ -37,11 +39,14 @@ int cmdline_find_option_bool(const char *cmdline, const char *option)
268 + if (!cmdline)
269 + return -1; /* No command line */
270 +
271 +- len = min_t(int, strlen(cmdline), COMMAND_LINE_SIZE);
272 +- if (!len)
273 ++ if (!strlen(cmdline))
274 + return 0;
275 +
276 +- while (len--) {
277 ++ /*
278 ++ * This 'pos' check ensures we do not overrun
279 ++ * a non-NULL-terminated 'cmdline'
280 ++ */
281 ++ while (pos < COMMAND_LINE_SIZE) {
282 + c = *(char *)cmdline++;
283 + pos++;
284 +
285 +@@ -58,17 +63,26 @@ int cmdline_find_option_bool(const char *cmdline, const char *option)
286 + /* fall through */
287 +
288 + case st_wordcmp:
289 +- if (!*opptr)
290 ++ if (!*opptr) {
291 ++ /*
292 ++ * We matched all the way to the end of the
293 ++ * option we were looking for. If the
294 ++ * command-line has a space _or_ ends, then
295 ++ * we matched!
296 ++ */
297 + if (!c || myisspace(c))
298 + return wstart;
299 + else
300 + state = st_wordskip;
301 +- else if (!c)
302 ++ } else if (!c) {
303 ++ /*
304 ++ * Hit the NULL terminator on the end of
305 ++ * cmdline.
306 ++ */
307 + return 0;
308 +- else if (c != *opptr++)
309 ++ } else if (c != *opptr++) {
310 + state = st_wordskip;
311 +- else if (!len) /* last word and is matching */
312 +- return wstart;
313 ++ }
314 + break;
315 +
316 + case st_wordskip:
317 +diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c
318 +index 5578c1477ba6..8bfd4fd7e9ec 100644
319 +--- a/drivers/block/drbd/drbd_worker.c
320 ++++ b/drivers/block/drbd/drbd_worker.c
321 +@@ -256,8 +256,8 @@ void drbd_request_endio(struct bio *bio)
322 + } else
323 + what = COMPLETED_OK;
324 +
325 +- bio_put(req->private_bio);
326 + req->private_bio = ERR_PTR(bio->bi_error);
327 ++ bio_put(bio);
328 +
329 + /* not req_mod(), we need irqsave here! */
330 + spin_lock_irqsave(&device->resource->req_lock, flags);
331 +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
332 +index 2886b645ced7..6c60f4b63d21 100644
333 +--- a/drivers/hid/hid-debug.c
334 ++++ b/drivers/hid/hid-debug.c
335 +@@ -1152,6 +1152,8 @@ copy_rest:
336 + goto out;
337 + if (list->tail > list->head) {
338 + len = list->tail - list->head;
339 ++ if (len > count)
340 ++ len = count;
341 +
342 + if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) {
343 + ret = -EFAULT;
344 +@@ -1161,6 +1163,8 @@ copy_rest:
345 + list->head += len;
346 + } else {
347 + len = HID_DEBUG_BUFSIZE - list->head;
348 ++ if (len > count)
349 ++ len = count;
350 +
351 + if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) {
352 + ret = -EFAULT;
353 +@@ -1168,7 +1172,9 @@ copy_rest:
354 + }
355 + list->head = 0;
356 + ret += len;
357 +- goto copy_rest;
358 ++ count -= len;
359 ++ if (count > 0)
360 ++ goto copy_rest;
361 + }
362 +
363 + }
364 +diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
365 +index 4c3ed078c6b9..a5fed668fde1 100644
366 +--- a/drivers/hid/i2c-hid/i2c-hid.c
367 ++++ b/drivers/hid/i2c-hid/i2c-hid.c
368 +@@ -413,7 +413,7 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
369 + return;
370 + }
371 +
372 +- if ((ret_size > size) || (ret_size <= 2)) {
373 ++ if ((ret_size > size) || (ret_size < 2)) {
374 + dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n",
375 + __func__, size, ret_size);
376 + return;
377 +diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
378 +index 700145b15088..b59b15d4caa9 100644
379 +--- a/drivers/hid/usbhid/hiddev.c
380 ++++ b/drivers/hid/usbhid/hiddev.c
381 +@@ -35,6 +35,7 @@
382 + #include <linux/hiddev.h>
383 + #include <linux/compat.h>
384 + #include <linux/vmalloc.h>
385 ++#include <linux/nospec.h>
386 + #include "usbhid.h"
387 +
388 + #ifdef CONFIG_USB_DYNAMIC_MINORS
389 +@@ -478,10 +479,14 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
390 +
391 + if (uref->field_index >= report->maxfield)
392 + goto inval;
393 ++ uref->field_index = array_index_nospec(uref->field_index,
394 ++ report->maxfield);
395 +
396 + field = report->field[uref->field_index];
397 + if (uref->usage_index >= field->maxusage)
398 + goto inval;
399 ++ uref->usage_index = array_index_nospec(uref->usage_index,
400 ++ field->maxusage);
401 +
402 + uref->usage_code = field->usage[uref->usage_index].hid;
403 +
404 +@@ -508,6 +513,8 @@ static noinline int hiddev_ioctl_usage(struct hiddev *hiddev, unsigned int cmd,
405 +
406 + if (uref->field_index >= report->maxfield)
407 + goto inval;
408 ++ uref->field_index = array_index_nospec(uref->field_index,
409 ++ report->maxfield);
410 +
411 + field = report->field[uref->field_index];
412 +
413 +@@ -761,6 +768,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
414 +
415 + if (finfo.field_index >= report->maxfield)
416 + break;
417 ++ finfo.field_index = array_index_nospec(finfo.field_index,
418 ++ report->maxfield);
419 +
420 + field = report->field[finfo.field_index];
421 + memset(&finfo, 0, sizeof(finfo));
422 +@@ -801,6 +810,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
423 +
424 + if (cinfo.index >= hid->maxcollection)
425 + break;
426 ++ cinfo.index = array_index_nospec(cinfo.index,
427 ++ hid->maxcollection);
428 +
429 + cinfo.type = hid->collection[cinfo.index].type;
430 + cinfo.usage = hid->collection[cinfo.index].usage;
431 +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
432 +index 6f89484765e3..dfe1a53ce4ad 100644
433 +--- a/drivers/i2c/busses/i2c-rcar.c
434 ++++ b/drivers/i2c/busses/i2c-rcar.c
435 +@@ -484,6 +484,8 @@ static int rcar_i2c_master_xfer(struct i2c_adapter *adap,
436 +
437 + pm_runtime_get_sync(dev);
438 +
439 ++ rcar_i2c_init(priv);
440 ++
441 + ret = rcar_i2c_bus_barrier(priv);
442 + if (ret < 0)
443 + goto out;
444 +@@ -624,7 +626,6 @@ static int rcar_i2c_probe(struct platform_device *pdev)
445 + if (ret < 0)
446 + goto out_pm_put;
447 +
448 +- rcar_i2c_init(priv);
449 + pm_runtime_put(dev);
450 +
451 + irq = platform_get_irq(pdev, 0);
452 +diff --git a/drivers/md/dm-bufio.c b/drivers/md/dm-bufio.c
453 +index 969c815c90b6..b1d5fa0bc8f7 100644
454 +--- a/drivers/md/dm-bufio.c
455 ++++ b/drivers/md/dm-bufio.c
456 +@@ -813,12 +813,14 @@ enum new_flag {
457 + static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client *c, enum new_flag nf)
458 + {
459 + struct dm_buffer *b;
460 ++ bool tried_noio_alloc = false;
461 +
462 + /*
463 + * dm-bufio is resistant to allocation failures (it just keeps
464 + * one buffer reserved in cases all the allocations fail).
465 + * So set flags to not try too hard:
466 +- * GFP_NOIO: don't recurse into the I/O layer
467 ++ * GFP_NOWAIT: don't wait; if we need to sleep we'll release our
468 ++ * mutex and wait ourselves.
469 + * __GFP_NORETRY: don't retry and rather return failure
470 + * __GFP_NOMEMALLOC: don't use emergency reserves
471 + * __GFP_NOWARN: don't print a warning in case of failure
472 +@@ -828,7 +830,7 @@ static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client
473 + */
474 + while (1) {
475 + if (dm_bufio_cache_size_latch != 1) {
476 +- b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
477 ++ b = alloc_buffer(c, GFP_NOWAIT | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
478 + if (b)
479 + return b;
480 + }
481 +@@ -836,6 +838,15 @@ static struct dm_buffer *__alloc_buffer_wait_no_callback(struct dm_bufio_client
482 + if (nf == NF_PREFETCH)
483 + return NULL;
484 +
485 ++ if (dm_bufio_cache_size_latch != 1 && !tried_noio_alloc) {
486 ++ dm_bufio_unlock(c);
487 ++ b = alloc_buffer(c, GFP_NOIO | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
488 ++ dm_bufio_lock(c);
489 ++ if (b)
490 ++ return b;
491 ++ tried_noio_alloc = true;
492 ++ }
493 ++
494 + if (!list_empty(&c->reserved_buffers)) {
495 + b = list_entry(c->reserved_buffers.next,
496 + struct dm_buffer, lru_list);
497 +@@ -1563,19 +1574,11 @@ dm_bufio_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
498 + static unsigned long
499 + dm_bufio_shrink_count(struct shrinker *shrink, struct shrink_control *sc)
500 + {
501 +- struct dm_bufio_client *c;
502 +- unsigned long count;
503 +- unsigned long retain_target;
504 +-
505 +- c = container_of(shrink, struct dm_bufio_client, shrinker);
506 +- if (sc->gfp_mask & __GFP_FS)
507 +- dm_bufio_lock(c);
508 +- else if (!dm_bufio_trylock(c))
509 +- return 0;
510 ++ struct dm_bufio_client *c = container_of(shrink, struct dm_bufio_client, shrinker);
511 ++ unsigned long count = READ_ONCE(c->n_buffers[LIST_CLEAN]) +
512 ++ READ_ONCE(c->n_buffers[LIST_DIRTY]);
513 ++ unsigned long retain_target = get_retain_buffers(c);
514 +
515 +- count = c->n_buffers[LIST_CLEAN] + c->n_buffers[LIST_DIRTY];
516 +- retain_target = get_retain_buffers(c);
517 +- dm_bufio_unlock(c);
518 + return (count < retain_target) ? 0 : (count - retain_target);
519 + }
520 +
521 +diff --git a/drivers/media/i2c/cx25840/cx25840-core.c b/drivers/media/i2c/cx25840/cx25840-core.c
522 +index a47ab1947cc4..17d217c3585a 100644
523 +--- a/drivers/media/i2c/cx25840/cx25840-core.c
524 ++++ b/drivers/media/i2c/cx25840/cx25840-core.c
525 +@@ -467,8 +467,13 @@ static void cx23885_initialize(struct i2c_client *client)
526 + {
527 + DEFINE_WAIT(wait);
528 + struct cx25840_state *state = to_state(i2c_get_clientdata(client));
529 ++ u32 clk_freq = 0;
530 + struct workqueue_struct *q;
531 +
532 ++ /* cx23885 sets hostdata to clk_freq pointer */
533 ++ if (v4l2_get_subdev_hostdata(&state->sd))
534 ++ clk_freq = *((u32 *)v4l2_get_subdev_hostdata(&state->sd));
535 ++
536 + /*
537 + * Come out of digital power down
538 + * The CX23888, at least, needs this, otherwise registers aside from
539 +@@ -504,8 +509,13 @@ static void cx23885_initialize(struct i2c_client *client)
540 + * 50.0 MHz * (0xb + 0xe8ba26/0x2000000)/4 = 5 * 28.636363 MHz
541 + * 572.73 MHz before post divide
542 + */
543 +- /* HVR1850 or 50MHz xtal */
544 +- cx25840_write(client, 0x2, 0x71);
545 ++ if (clk_freq == 25000000) {
546 ++ /* 888/ImpactVCBe or 25Mhz xtal */
547 ++ ; /* nothing to do */
548 ++ } else {
549 ++ /* HVR1850 or 50MHz xtal */
550 ++ cx25840_write(client, 0x2, 0x71);
551 ++ }
552 + cx25840_write4(client, 0x11c, 0x01d1744c);
553 + cx25840_write4(client, 0x118, 0x00000416);
554 + cx25840_write4(client, 0x404, 0x0010253e);
555 +@@ -548,9 +558,15 @@ static void cx23885_initialize(struct i2c_client *client)
556 + /* HVR1850 */
557 + switch (state->id) {
558 + case CX23888_AV:
559 +- /* 888/HVR1250 specific */
560 +- cx25840_write4(client, 0x10c, 0x13333333);
561 +- cx25840_write4(client, 0x108, 0x00000515);
562 ++ if (clk_freq == 25000000) {
563 ++ /* 888/ImpactVCBe or 25MHz xtal */
564 ++ cx25840_write4(client, 0x10c, 0x01b6db7b);
565 ++ cx25840_write4(client, 0x108, 0x00000512);
566 ++ } else {
567 ++ /* 888/HVR1250 or 50MHz xtal */
568 ++ cx25840_write4(client, 0x10c, 0x13333333);
569 ++ cx25840_write4(client, 0x108, 0x00000515);
570 ++ }
571 + break;
572 + default:
573 + cx25840_write4(client, 0x10c, 0x002be2c9);
574 +@@ -577,7 +593,7 @@ static void cx23885_initialize(struct i2c_client *client)
575 + * 368.64 MHz before post divide
576 + * 122.88 MHz / 0xa = 12.288 MHz
577 + */
578 +- /* HVR1850 or 50MHz xtal */
579 ++ /* HVR1850 or 50MHz xtal or 25MHz xtal */
580 + cx25840_write4(client, 0x114, 0x017dbf48);
581 + cx25840_write4(client, 0x110, 0x000a030e);
582 + break;
583 +diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
584 +index c484ca8c909c..fb5a3052f144 100644
585 +--- a/drivers/mtd/chips/cfi_cmdset_0002.c
586 ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c
587 +@@ -42,7 +42,7 @@
588 + #define AMD_BOOTLOC_BUG
589 + #define FORCE_WORD_WRITE 0
590 +
591 +-#define MAX_WORD_RETRIES 3
592 ++#define MAX_RETRIES 3
593 +
594 + #define SST49LF004B 0x0060
595 + #define SST49LF040B 0x0050
596 +@@ -1645,7 +1645,7 @@ static int __xipram do_write_oneword(struct map_info *map, struct flchip *chip,
597 + map_write( map, CMD(0xF0), chip->start );
598 + /* FIXME - should have reset delay before continuing */
599 +
600 +- if (++retry_cnt <= MAX_WORD_RETRIES)
601 ++ if (++retry_cnt <= MAX_RETRIES)
602 + goto retry;
603 +
604 + ret = -EIO;
605 +@@ -2104,7 +2104,7 @@ retry:
606 + map_write(map, CMD(0xF0), chip->start);
607 + /* FIXME - should have reset delay before continuing */
608 +
609 +- if (++retry_cnt <= MAX_WORD_RETRIES)
610 ++ if (++retry_cnt <= MAX_RETRIES)
611 + goto retry;
612 +
613 + ret = -EIO;
614 +@@ -2239,6 +2239,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
615 + unsigned long int adr;
616 + DECLARE_WAITQUEUE(wait, current);
617 + int ret = 0;
618 ++ int retry_cnt = 0;
619 +
620 + adr = cfi->addr_unlock1;
621 +
622 +@@ -2256,6 +2257,7 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
623 + ENABLE_VPP(map);
624 + xip_disable(map, chip, adr);
625 +
626 ++ retry:
627 + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
628 + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
629 + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
630 +@@ -2292,12 +2294,13 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
631 + chip->erase_suspended = 0;
632 + }
633 +
634 +- if (chip_ready(map, adr))
635 ++ if (chip_good(map, adr, map_word_ff(map)))
636 + break;
637 +
638 + if (time_after(jiffies, timeo)) {
639 + printk(KERN_WARNING "MTD %s(): software timeout\n",
640 + __func__ );
641 ++ ret = -EIO;
642 + break;
643 + }
644 +
645 +@@ -2305,12 +2308,15 @@ static int __xipram do_erase_chip(struct map_info *map, struct flchip *chip)
646 + UDELAY(map, chip, adr, 1000000/HZ);
647 + }
648 + /* Did we succeed? */
649 +- if (!chip_good(map, adr, map_word_ff(map))) {
650 ++ if (ret) {
651 + /* reset on all failures. */
652 + map_write( map, CMD(0xF0), chip->start );
653 + /* FIXME - should have reset delay before continuing */
654 +
655 +- ret = -EIO;
656 ++ if (++retry_cnt <= MAX_RETRIES) {
657 ++ ret = 0;
658 ++ goto retry;
659 ++ }
660 + }
661 +
662 + chip->state = FL_READY;
663 +@@ -2329,6 +2335,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
664 + unsigned long timeo = jiffies + HZ;
665 + DECLARE_WAITQUEUE(wait, current);
666 + int ret = 0;
667 ++ int retry_cnt = 0;
668 +
669 + adr += chip->start;
670 +
671 +@@ -2346,6 +2353,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
672 + ENABLE_VPP(map);
673 + xip_disable(map, chip, adr);
674 +
675 ++ retry:
676 + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
677 + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL);
678 + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL);
679 +@@ -2382,7 +2390,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
680 + chip->erase_suspended = 0;
681 + }
682 +
683 +- if (chip_ready(map, adr)) {
684 ++ if (chip_good(map, adr, map_word_ff(map))) {
685 + xip_enable(map, chip, adr);
686 + break;
687 + }
688 +@@ -2391,6 +2399,7 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
689 + xip_enable(map, chip, adr);
690 + printk(KERN_WARNING "MTD %s(): software timeout\n",
691 + __func__ );
692 ++ ret = -EIO;
693 + break;
694 + }
695 +
696 +@@ -2398,12 +2407,15 @@ static int __xipram do_erase_oneblock(struct map_info *map, struct flchip *chip,
697 + UDELAY(map, chip, adr, 1000000/HZ);
698 + }
699 + /* Did we succeed? */
700 +- if (!chip_good(map, adr, map_word_ff(map))) {
701 ++ if (ret) {
702 + /* reset on all failures. */
703 + map_write( map, CMD(0xF0), chip->start );
704 + /* FIXME - should have reset delay before continuing */
705 +
706 +- ret = -EIO;
707 ++ if (++retry_cnt <= MAX_RETRIES) {
708 ++ ret = 0;
709 ++ goto retry;
710 ++ }
711 + }
712 +
713 + chip->state = FL_READY;
714 +diff --git a/drivers/mtd/nand/mxc_nand.c b/drivers/mtd/nand/mxc_nand.c
715 +index 136e73a3e07e..53fe795fd716 100644
716 +--- a/drivers/mtd/nand/mxc_nand.c
717 ++++ b/drivers/mtd/nand/mxc_nand.c
718 +@@ -49,7 +49,7 @@
719 + #define NFC_V1_V2_CONFIG (host->regs + 0x0a)
720 + #define NFC_V1_V2_ECC_STATUS_RESULT (host->regs + 0x0c)
721 + #define NFC_V1_V2_RSLTMAIN_AREA (host->regs + 0x0e)
722 +-#define NFC_V1_V2_RSLTSPARE_AREA (host->regs + 0x10)
723 ++#define NFC_V21_RSLTSPARE_AREA (host->regs + 0x10)
724 + #define NFC_V1_V2_WRPROT (host->regs + 0x12)
725 + #define NFC_V1_UNLOCKSTART_BLKADDR (host->regs + 0x14)
726 + #define NFC_V1_UNLOCKEND_BLKADDR (host->regs + 0x16)
727 +@@ -1034,6 +1034,9 @@ static void preset_v2(struct mtd_info *mtd)
728 + writew(config1, NFC_V1_V2_CONFIG1);
729 + /* preset operation */
730 +
731 ++ /* spare area size in 16-bit half-words */
732 ++ writew(mtd->oobsize / 2, NFC_V21_RSLTSPARE_AREA);
733 ++
734 + /* Unlock the internal RAM Buffer */
735 + writew(0x2, NFC_V1_V2_CONFIG);
736 +
737 +diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
738 +index 4dd0391d2942..c4a25c858c07 100644
739 +--- a/drivers/mtd/ubi/eba.c
740 ++++ b/drivers/mtd/ubi/eba.c
741 +@@ -350,6 +350,82 @@ out_unlock:
742 + return err;
743 + }
744 +
745 ++#ifdef CONFIG_MTD_UBI_FASTMAP
746 ++/**
747 ++ * check_mapping - check and fixup a mapping
748 ++ * @ubi: UBI device description object
749 ++ * @vol: volume description object
750 ++ * @lnum: logical eraseblock number
751 ++ * @pnum: physical eraseblock number
752 ++ *
753 ++ * Checks whether a given mapping is valid. Fastmap cannot track LEB unmap
754 ++ * operations, if such an operation is interrupted the mapping still looks
755 ++ * good, but upon first read an ECC is reported to the upper layer.
756 ++ * Normaly during the full-scan at attach time this is fixed, for Fastmap
757 ++ * we have to deal with it while reading.
758 ++ * If the PEB behind a LEB shows this symthom we change the mapping to
759 ++ * %UBI_LEB_UNMAPPED and schedule the PEB for erasure.
760 ++ *
761 ++ * Returns 0 on success, negative error code in case of failure.
762 ++ */
763 ++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
764 ++ int *pnum)
765 ++{
766 ++ int err;
767 ++ struct ubi_vid_hdr *vid_hdr;
768 ++
769 ++ if (!ubi->fast_attach)
770 ++ return 0;
771 ++
772 ++ vid_hdr = ubi_zalloc_vid_hdr(ubi, GFP_NOFS);
773 ++ if (!vid_hdr)
774 ++ return -ENOMEM;
775 ++
776 ++ err = ubi_io_read_vid_hdr(ubi, *pnum, vid_hdr, 0);
777 ++ if (err > 0 && err != UBI_IO_BITFLIPS) {
778 ++ int torture = 0;
779 ++
780 ++ switch (err) {
781 ++ case UBI_IO_FF:
782 ++ case UBI_IO_FF_BITFLIPS:
783 ++ case UBI_IO_BAD_HDR:
784 ++ case UBI_IO_BAD_HDR_EBADMSG:
785 ++ break;
786 ++ default:
787 ++ ubi_assert(0);
788 ++ }
789 ++
790 ++ if (err == UBI_IO_BAD_HDR_EBADMSG || err == UBI_IO_FF_BITFLIPS)
791 ++ torture = 1;
792 ++
793 ++ down_read(&ubi->fm_eba_sem);
794 ++ vol->eba_tbl[lnum] = UBI_LEB_UNMAPPED;
795 ++ up_read(&ubi->fm_eba_sem);
796 ++ ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum, torture);
797 ++
798 ++ *pnum = UBI_LEB_UNMAPPED;
799 ++ } else if (err < 0) {
800 ++ ubi_err(ubi, "unable to read VID header back from PEB %i: %i",
801 ++ *pnum, err);
802 ++
803 ++ goto out_free;
804 ++ }
805 ++
806 ++ err = 0;
807 ++
808 ++out_free:
809 ++ ubi_free_vid_hdr(ubi, vid_hdr);
810 ++
811 ++ return err;
812 ++}
813 ++#else
814 ++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
815 ++ int *pnum)
816 ++{
817 ++ return 0;
818 ++}
819 ++#endif
820 ++
821 + /**
822 + * ubi_eba_read_leb - read data.
823 + * @ubi: UBI device description object
824 +@@ -381,7 +457,13 @@ int ubi_eba_read_leb(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
825 + return err;
826 +
827 + pnum = vol->eba_tbl[lnum];
828 +- if (pnum < 0) {
829 ++ if (pnum >= 0) {
830 ++ err = check_mapping(ubi, vol, lnum, &pnum);
831 ++ if (err < 0)
832 ++ goto out_unlock;
833 ++ }
834 ++
835 ++ if (pnum == UBI_LEB_UNMAPPED) {
836 + /*
837 + * The logical eraseblock is not mapped, fill the whole buffer
838 + * with 0xFF bytes. The exception is static volumes for which
839 +@@ -696,6 +778,14 @@ int ubi_eba_write_leb(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
840 + return err;
841 +
842 + pnum = vol->eba_tbl[lnum];
843 ++ if (pnum >= 0) {
844 ++ err = check_mapping(ubi, vol, lnum, &pnum);
845 ++ if (err < 0) {
846 ++ leb_write_unlock(ubi, vol_id, lnum);
847 ++ return err;
848 ++ }
849 ++ }
850 ++
851 + if (pnum >= 0) {
852 + dbg_eba("write %d bytes at offset %d of LEB %d:%d, PEB %d",
853 + len, offset, vol_id, lnum, pnum);
854 +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
855 +index d26cb37b1fbd..b32c47fe926d 100644
856 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
857 ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
858 +@@ -1166,6 +1166,7 @@ static void *ath10k_htt_rx_h_find_rfc1042(struct ath10k *ar,
859 + size_t hdr_len, crypto_len;
860 + void *rfc1042;
861 + bool is_first, is_last, is_amsdu;
862 ++ int bytes_aligned = ar->hw_params.decap_align_bytes;
863 +
864 + rxd = (void *)msdu->data - sizeof(*rxd);
865 + hdr = (void *)rxd->rx_hdr_status;
866 +@@ -1182,8 +1183,8 @@ static void *ath10k_htt_rx_h_find_rfc1042(struct ath10k *ar,
867 + hdr_len = ieee80211_hdrlen(hdr->frame_control);
868 + crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);
869 +
870 +- rfc1042 += round_up(hdr_len, 4) +
871 +- round_up(crypto_len, 4);
872 ++ rfc1042 += round_up(hdr_len, bytes_aligned) +
873 ++ round_up(crypto_len, bytes_aligned);
874 + }
875 +
876 + if (is_amsdu)
877 +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
878 +index e86fcc9e9852..01f47b68b6e7 100644
879 +--- a/drivers/nvme/host/pci.c
880 ++++ b/drivers/nvme/host/pci.c
881 +@@ -1589,11 +1589,11 @@ static int nvme_create_queue(struct nvme_queue *nvmeq, int qid)
882 + if (result < 0)
883 + goto release_cq;
884 +
885 ++ nvme_init_queue(nvmeq, qid);
886 + result = queue_request_irq(dev, nvmeq, nvmeq->irqname);
887 + if (result < 0)
888 + goto release_sq;
889 +
890 +- nvme_init_queue(nvmeq, qid);
891 + return result;
892 +
893 + release_sq:
894 +@@ -1797,6 +1797,7 @@ static int nvme_configure_admin_queue(struct nvme_dev *dev)
895 + goto free_nvmeq;
896 +
897 + nvmeq->cq_vector = 0;
898 ++ nvme_init_queue(nvmeq, 0);
899 + result = queue_request_irq(dev, nvmeq, nvmeq->irqname);
900 + if (result) {
901 + nvmeq->cq_vector = -1;
902 +@@ -3165,7 +3166,6 @@ static void nvme_probe_work(struct work_struct *work)
903 + goto disable;
904 + }
905 +
906 +- nvme_init_queue(dev->queues[0], 0);
907 + result = nvme_alloc_admin_tags(dev);
908 + if (result)
909 + goto disable;
910 +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
911 +index 841f3fbec77c..4302880a20b3 100644
912 +--- a/drivers/scsi/sg.c
913 ++++ b/drivers/scsi/sg.c
914 +@@ -51,6 +51,7 @@ static int sg_version_num = 30536; /* 2 digits for each component */
915 + #include <linux/atomic.h>
916 + #include <linux/ratelimit.h>
917 + #include <linux/uio.h>
918 ++#include <linux/cred.h> /* for sg_check_file_access() */
919 +
920 + #include "scsi.h"
921 + #include <scsi/scsi_dbg.h>
922 +@@ -221,6 +222,33 @@ static void sg_device_destroy(struct kref *kref);
923 + sdev_prefix_printk(prefix, (sdp)->device, \
924 + (sdp)->disk->disk_name, fmt, ##a)
925 +
926 ++/*
927 ++ * The SCSI interfaces that use read() and write() as an asynchronous variant of
928 ++ * ioctl(..., SG_IO, ...) are fundamentally unsafe, since there are lots of ways
929 ++ * to trigger read() and write() calls from various contexts with elevated
930 ++ * privileges. This can lead to kernel memory corruption (e.g. if these
931 ++ * interfaces are called through splice()) and privilege escalation inside
932 ++ * userspace (e.g. if a process with access to such a device passes a file
933 ++ * descriptor to a SUID binary as stdin/stdout/stderr).
934 ++ *
935 ++ * This function provides protection for the legacy API by restricting the
936 ++ * calling context.
937 ++ */
938 ++static int sg_check_file_access(struct file *filp, const char *caller)
939 ++{
940 ++ if (filp->f_cred != current_real_cred()) {
941 ++ pr_err_once("%s: process %d (%s) changed security contexts after opening file descriptor, this is not allowed.\n",
942 ++ caller, task_tgid_vnr(current), current->comm);
943 ++ return -EPERM;
944 ++ }
945 ++ if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
946 ++ pr_err_once("%s: process %d (%s) called from kernel context, this is not allowed.\n",
947 ++ caller, task_tgid_vnr(current), current->comm);
948 ++ return -EACCES;
949 ++ }
950 ++ return 0;
951 ++}
952 ++
953 + static int sg_allow_access(struct file *filp, unsigned char *cmd)
954 + {
955 + struct sg_fd *sfp = filp->private_data;
956 +@@ -405,6 +433,14 @@ sg_read(struct file *filp, char __user *buf, size_t count, loff_t * ppos)
957 + struct sg_header *old_hdr = NULL;
958 + int retval = 0;
959 +
960 ++ /*
961 ++ * This could cause a response to be stranded. Close the associated
962 ++ * file descriptor to free up any resources being held.
963 ++ */
964 ++ retval = sg_check_file_access(filp, __func__);
965 ++ if (retval)
966 ++ return retval;
967 ++
968 + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
969 + return -ENXIO;
970 + SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp,
971 +@@ -592,9 +628,11 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
972 + struct sg_header old_hdr;
973 + sg_io_hdr_t *hp;
974 + unsigned char cmnd[SG_MAX_CDB_SIZE];
975 ++ int retval;
976 +
977 +- if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
978 +- return -EINVAL;
979 ++ retval = sg_check_file_access(filp, __func__);
980 ++ if (retval)
981 ++ return retval;
982 +
983 + if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
984 + return -ENXIO;
985 +diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c
986 +index ca15a87f6fd3..13a9b4c42b26 100644
987 +--- a/drivers/staging/android/ion/ion_heap.c
988 ++++ b/drivers/staging/android/ion/ion_heap.c
989 +@@ -38,7 +38,7 @@ void *ion_heap_map_kernel(struct ion_heap *heap,
990 + struct page **tmp = pages;
991 +
992 + if (!pages)
993 +- return NULL;
994 ++ return ERR_PTR(-ENOMEM);
995 +
996 + if (buffer->flags & ION_FLAG_CACHED)
997 + pgprot = PAGE_KERNEL;
998 +diff --git a/drivers/staging/comedi/drivers/quatech_daqp_cs.c b/drivers/staging/comedi/drivers/quatech_daqp_cs.c
999 +index e9e43139157d..769a94015117 100644
1000 +--- a/drivers/staging/comedi/drivers/quatech_daqp_cs.c
1001 ++++ b/drivers/staging/comedi/drivers/quatech_daqp_cs.c
1002 +@@ -642,7 +642,7 @@ static int daqp_ao_insn_write(struct comedi_device *dev,
1003 + /* Make sure D/A update mode is direct update */
1004 + outb(0, dev->iobase + DAQP_AUX_REG);
1005 +
1006 +- for (i = 0; i > insn->n; i++) {
1007 ++ for (i = 0; i < insn->n; i++) {
1008 + unsigned val = data[i];
1009 + int ret;
1010 +
1011 +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
1012 +index 190e5dc15738..b1ec202099b2 100644
1013 +--- a/drivers/tty/n_tty.c
1014 ++++ b/drivers/tty/n_tty.c
1015 +@@ -128,6 +128,8 @@ struct n_tty_data {
1016 + struct mutex output_lock;
1017 + };
1018 +
1019 ++#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
1020 ++
1021 + static inline size_t read_cnt(struct n_tty_data *ldata)
1022 + {
1023 + return ldata->read_head - ldata->read_tail;
1024 +@@ -145,6 +147,7 @@ static inline unsigned char *read_buf_addr(struct n_tty_data *ldata, size_t i)
1025 +
1026 + static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i)
1027 + {
1028 ++ smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */
1029 + return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)];
1030 + }
1031 +
1032 +@@ -322,9 +325,7 @@ static inline void put_tty_queue(unsigned char c, struct n_tty_data *ldata)
1033 + static void reset_buffer_flags(struct n_tty_data *ldata)
1034 + {
1035 + ldata->read_head = ldata->canon_head = ldata->read_tail = 0;
1036 +- ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0;
1037 + ldata->commit_head = 0;
1038 +- ldata->echo_mark = 0;
1039 + ldata->line_start = 0;
1040 +
1041 + ldata->erasing = 0;
1042 +@@ -645,12 +646,19 @@ static size_t __process_echoes(struct tty_struct *tty)
1043 + old_space = space = tty_write_room(tty);
1044 +
1045 + tail = ldata->echo_tail;
1046 +- while (ldata->echo_commit != tail) {
1047 ++ while (MASK(ldata->echo_commit) != MASK(tail)) {
1048 + c = echo_buf(ldata, tail);
1049 + if (c == ECHO_OP_START) {
1050 + unsigned char op;
1051 + int no_space_left = 0;
1052 +
1053 ++ /*
1054 ++ * Since add_echo_byte() is called without holding
1055 ++ * output_lock, we might see only portion of multi-byte
1056 ++ * operation.
1057 ++ */
1058 ++ if (MASK(ldata->echo_commit) == MASK(tail + 1))
1059 ++ goto not_yet_stored;
1060 + /*
1061 + * If the buffer byte is the start of a multi-byte
1062 + * operation, get the next byte, which is either the
1063 +@@ -662,6 +670,8 @@ static size_t __process_echoes(struct tty_struct *tty)
1064 + unsigned int num_chars, num_bs;
1065 +
1066 + case ECHO_OP_ERASE_TAB:
1067 ++ if (MASK(ldata->echo_commit) == MASK(tail + 2))
1068 ++ goto not_yet_stored;
1069 + num_chars = echo_buf(ldata, tail + 2);
1070 +
1071 + /*
1072 +@@ -756,7 +766,8 @@ static size_t __process_echoes(struct tty_struct *tty)
1073 + /* If the echo buffer is nearly full (so that the possibility exists
1074 + * of echo overrun before the next commit), then discard enough
1075 + * data at the tail to prevent a subsequent overrun */
1076 +- while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
1077 ++ while (ldata->echo_commit > tail &&
1078 ++ ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
1079 + if (echo_buf(ldata, tail) == ECHO_OP_START) {
1080 + if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB)
1081 + tail += 3;
1082 +@@ -766,6 +777,7 @@ static size_t __process_echoes(struct tty_struct *tty)
1083 + tail++;
1084 + }
1085 +
1086 ++ not_yet_stored:
1087 + ldata->echo_tail = tail;
1088 + return old_space - space;
1089 + }
1090 +@@ -776,6 +788,7 @@ static void commit_echoes(struct tty_struct *tty)
1091 + size_t nr, old, echoed;
1092 + size_t head;
1093 +
1094 ++ mutex_lock(&ldata->output_lock);
1095 + head = ldata->echo_head;
1096 + ldata->echo_mark = head;
1097 + old = ldata->echo_commit - ldata->echo_tail;
1098 +@@ -784,10 +797,12 @@ static void commit_echoes(struct tty_struct *tty)
1099 + * is over the threshold (and try again each time another
1100 + * block is accumulated) */
1101 + nr = head - ldata->echo_tail;
1102 +- if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK))
1103 ++ if (nr < ECHO_COMMIT_WATERMARK ||
1104 ++ (nr % ECHO_BLOCK > old % ECHO_BLOCK)) {
1105 ++ mutex_unlock(&ldata->output_lock);
1106 + return;
1107 ++ }
1108 +
1109 +- mutex_lock(&ldata->output_lock);
1110 + ldata->echo_commit = head;
1111 + echoed = __process_echoes(tty);
1112 + mutex_unlock(&ldata->output_lock);
1113 +@@ -838,7 +853,9 @@ static void flush_echoes(struct tty_struct *tty)
1114 +
1115 + static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata)
1116 + {
1117 +- *echo_buf_addr(ldata, ldata->echo_head++) = c;
1118 ++ *echo_buf_addr(ldata, ldata->echo_head) = c;
1119 ++ smp_wmb(); /* Matches smp_rmb() in echo_buf(). */
1120 ++ ldata->echo_head++;
1121 + }
1122 +
1123 + /**
1124 +@@ -1006,14 +1023,15 @@ static void eraser(unsigned char c, struct tty_struct *tty)
1125 + }
1126 +
1127 + seen_alnums = 0;
1128 +- while (ldata->read_head != ldata->canon_head) {
1129 ++ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
1130 + head = ldata->read_head;
1131 +
1132 + /* erase a single possibly multibyte character */
1133 + do {
1134 + head--;
1135 + c = read_buf(ldata, head);
1136 +- } while (is_continuation(c, tty) && head != ldata->canon_head);
1137 ++ } while (is_continuation(c, tty) &&
1138 ++ MASK(head) != MASK(ldata->canon_head));
1139 +
1140 + /* do not partially erase */
1141 + if (is_continuation(c, tty))
1142 +@@ -1055,7 +1073,7 @@ static void eraser(unsigned char c, struct tty_struct *tty)
1143 + * This info is used to go back the correct
1144 + * number of columns.
1145 + */
1146 +- while (tail != ldata->canon_head) {
1147 ++ while (MASK(tail) != MASK(ldata->canon_head)) {
1148 + tail--;
1149 + c = read_buf(ldata, tail);
1150 + if (c == '\t') {
1151 +@@ -1332,7 +1350,7 @@ n_tty_receive_char_special(struct tty_struct *tty, unsigned char c)
1152 + finish_erasing(ldata);
1153 + echo_char(c, tty);
1154 + echo_char_raw('\n', ldata);
1155 +- while (tail != ldata->read_head) {
1156 ++ while (MASK(tail) != MASK(ldata->read_head)) {
1157 + echo_char(read_buf(ldata, tail), tty);
1158 + tail++;
1159 + }
1160 +@@ -1917,31 +1935,22 @@ static int n_tty_open(struct tty_struct *tty)
1161 + struct n_tty_data *ldata;
1162 +
1163 + /* Currently a malloc failure here can panic */
1164 +- ldata = vmalloc(sizeof(*ldata));
1165 ++ ldata = vzalloc(sizeof(*ldata));
1166 + if (!ldata)
1167 +- goto err;
1168 ++ return -ENOMEM;
1169 +
1170 + ldata->overrun_time = jiffies;
1171 + mutex_init(&ldata->atomic_read_lock);
1172 + mutex_init(&ldata->output_lock);
1173 +
1174 + tty->disc_data = ldata;
1175 +- reset_buffer_flags(tty->disc_data);
1176 +- ldata->column = 0;
1177 +- ldata->canon_column = 0;
1178 + ldata->minimum_to_wake = 1;
1179 +- ldata->num_overrun = 0;
1180 +- ldata->no_room = 0;
1181 +- ldata->lnext = 0;
1182 + tty->closing = 0;
1183 + /* indicate buffer work may resume */
1184 + clear_bit(TTY_LDISC_HALTED, &tty->flags);
1185 + n_tty_set_termios(tty, NULL);
1186 + tty_unthrottle(tty);
1187 +-
1188 + return 0;
1189 +-err:
1190 +- return -ENOMEM;
1191 + }
1192 +
1193 + static inline int input_available_p(struct tty_struct *tty, int poll)
1194 +@@ -2479,7 +2488,7 @@ static unsigned long inq_canon(struct n_tty_data *ldata)
1195 + tail = ldata->read_tail;
1196 + nr = head - tail;
1197 + /* Skip EOF-chars.. */
1198 +- while (head != tail) {
1199 ++ while (MASK(head) != MASK(tail)) {
1200 + if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
1201 + read_buf(ldata, tail) == __DISABLED_CHAR)
1202 + nr--;
1203 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
1204 +index edd8ef4ee502..7ed30d0b5273 100644
1205 +--- a/drivers/usb/class/cdc-acm.c
1206 ++++ b/drivers/usb/class/cdc-acm.c
1207 +@@ -1698,6 +1698,9 @@ static const struct usb_device_id acm_ids[] = {
1208 + { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */
1209 + .driver_info = SINGLE_RX_URB,
1210 + },
1211 ++ { USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */
1212 ++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
1213 ++ },
1214 + { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */
1215 + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
1216 + },
1217 +diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
1218 +index e7a051386b32..73835027a7cc 100644
1219 +--- a/drivers/usb/serial/cp210x.c
1220 ++++ b/drivers/usb/serial/cp210x.c
1221 +@@ -91,6 +91,9 @@ static const struct usb_device_id id_table[] = {
1222 + { USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */
1223 + { USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */
1224 + { USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */
1225 ++ { USB_DEVICE(0x10C4, 0x817C) }, /* CESINEL MEDCAL N Power Quality Monitor */
1226 ++ { USB_DEVICE(0x10C4, 0x817D) }, /* CESINEL MEDCAL NT Power Quality Monitor */
1227 ++ { USB_DEVICE(0x10C4, 0x817E) }, /* CESINEL MEDCAL S Power Quality Monitor */
1228 + { USB_DEVICE(0x10C4, 0x818B) }, /* AVIT Research USB to TTL */
1229 + { USB_DEVICE(0x10C4, 0x819F) }, /* MJS USB Toslink Switcher */
1230 + { USB_DEVICE(0x10C4, 0x81A6) }, /* ThinkOptics WavIt */
1231 +@@ -108,6 +111,9 @@ static const struct usb_device_id id_table[] = {
1232 + { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */
1233 + { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */
1234 + { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */
1235 ++ { USB_DEVICE(0x10C4, 0x82EF) }, /* CESINEL FALCO 6105 AC Power Supply */
1236 ++ { USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */
1237 ++ { USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */
1238 + { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */
1239 + { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */
1240 + { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
1241 +@@ -120,7 +126,9 @@ static const struct usb_device_id id_table[] = {
1242 + { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
1243 + { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
1244 + { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
1245 ++ { USB_DEVICE(0x10C4, 0x851E) }, /* CESINEL MEDCAL PT Network Analyzer */
1246 + { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
1247 ++ { USB_DEVICE(0x10C4, 0x85B8) }, /* CESINEL ReCon T Energy Logger */
1248 + { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
1249 + { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
1250 + { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
1251 +@@ -130,17 +138,23 @@ static const struct usb_device_id id_table[] = {
1252 + { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */
1253 + { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
1254 + { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
1255 ++ { USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */
1256 ++ { USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */
1257 + { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
1258 + { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */
1259 + { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
1260 + { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
1261 ++ { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
1262 + { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
1263 + { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
1264 + { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
1265 + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
1266 + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
1267 ++ { USB_DEVICE(0x10C4, 0xEA63) }, /* Silicon Labs Windows Update (CP2101-4/CP2102N) */
1268 + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
1269 + { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */
1270 ++ { USB_DEVICE(0x10C4, 0xEA7A) }, /* Silicon Labs Windows Update (CP2105) */
1271 ++ { USB_DEVICE(0x10C4, 0xEA7B) }, /* Silicon Labs Windows Update (CP2108) */
1272 + { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */
1273 + { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */
1274 + { USB_DEVICE(0x10C4, 0xF003) }, /* Elan Digital Systems USBpulse100 */
1275 +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
1276 +index 8632380d2b94..63aea21e6298 100644
1277 +--- a/fs/cifs/cifssmb.c
1278 ++++ b/fs/cifs/cifssmb.c
1279 +@@ -150,8 +150,14 @@ cifs_reconnect_tcon(struct cifs_tcon *tcon, int smb_command)
1280 + * greater than cifs socket timeout which is 7 seconds
1281 + */
1282 + while (server->tcpStatus == CifsNeedReconnect) {
1283 +- wait_event_interruptible_timeout(server->response_q,
1284 +- (server->tcpStatus != CifsNeedReconnect), 10 * HZ);
1285 ++ rc = wait_event_interruptible_timeout(server->response_q,
1286 ++ (server->tcpStatus != CifsNeedReconnect),
1287 ++ 10 * HZ);
1288 ++ if (rc < 0) {
1289 ++ cifs_dbg(FYI, "%s: aborting reconnect due to a received"
1290 ++ " signal by the process\n", __func__);
1291 ++ return -ERESTARTSYS;
1292 ++ }
1293 +
1294 + /* are we still trying to reconnect? */
1295 + if (server->tcpStatus != CifsNeedReconnect)
1296 +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
1297 +index 807e989f436a..5f5ba807b414 100644
1298 +--- a/fs/cifs/smb2pdu.c
1299 ++++ b/fs/cifs/smb2pdu.c
1300 +@@ -158,7 +158,7 @@ out:
1301 + static int
1302 + smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
1303 + {
1304 +- int rc = 0;
1305 ++ int rc;
1306 + struct nls_table *nls_codepage;
1307 + struct cifs_ses *ses;
1308 + struct TCP_Server_Info *server;
1309 +@@ -169,10 +169,10 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
1310 + * for those three - in the calling routine.
1311 + */
1312 + if (tcon == NULL)
1313 +- return rc;
1314 ++ return 0;
1315 +
1316 + if (smb2_command == SMB2_TREE_CONNECT)
1317 +- return rc;
1318 ++ return 0;
1319 +
1320 + if (tcon->tidStatus == CifsExiting) {
1321 + /*
1322 +@@ -215,8 +215,14 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
1323 + return -EAGAIN;
1324 + }
1325 +
1326 +- wait_event_interruptible_timeout(server->response_q,
1327 +- (server->tcpStatus != CifsNeedReconnect), 10 * HZ);
1328 ++ rc = wait_event_interruptible_timeout(server->response_q,
1329 ++ (server->tcpStatus != CifsNeedReconnect),
1330 ++ 10 * HZ);
1331 ++ if (rc < 0) {
1332 ++ cifs_dbg(FYI, "%s: aborting reconnect due to a received"
1333 ++ " signal by the process\n", __func__);
1334 ++ return -ERESTARTSYS;
1335 ++ }
1336 +
1337 + /* are we still trying to reconnect? */
1338 + if (server->tcpStatus != CifsNeedReconnect)
1339 +@@ -234,7 +240,7 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon)
1340 + }
1341 +
1342 + if (!tcon->ses->need_reconnect && !tcon->need_reconnect)
1343 +- return rc;
1344 ++ return 0;
1345 +
1346 + nls_codepage = load_nls_default();
1347 +
1348 +diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
1349 +index c57a94f1c198..092da164bdc0 100644
1350 +--- a/fs/ext4/balloc.c
1351 ++++ b/fs/ext4/balloc.c
1352 +@@ -183,7 +183,6 @@ static int ext4_init_block_bitmap(struct super_block *sb,
1353 + unsigned int bit, bit_max;
1354 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1355 + ext4_fsblk_t start, tmp;
1356 +- int flex_bg = 0;
1357 + struct ext4_group_info *grp;
1358 +
1359 + J_ASSERT_BH(bh, buffer_locked(bh));
1360 +@@ -216,22 +215,19 @@ static int ext4_init_block_bitmap(struct super_block *sb,
1361 +
1362 + start = ext4_group_first_block_no(sb, block_group);
1363 +
1364 +- if (ext4_has_feature_flex_bg(sb))
1365 +- flex_bg = 1;
1366 +-
1367 + /* Set bits for block and inode bitmaps, and inode table */
1368 + tmp = ext4_block_bitmap(sb, gdp);
1369 +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
1370 ++ if (ext4_block_in_group(sb, tmp, block_group))
1371 + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
1372 +
1373 + tmp = ext4_inode_bitmap(sb, gdp);
1374 +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
1375 ++ if (ext4_block_in_group(sb, tmp, block_group))
1376 + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
1377 +
1378 + tmp = ext4_inode_table(sb, gdp);
1379 + for (; tmp < ext4_inode_table(sb, gdp) +
1380 + sbi->s_itb_per_group; tmp++) {
1381 +- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group))
1382 ++ if (ext4_block_in_group(sb, tmp, block_group))
1383 + ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data);
1384 + }
1385 +
1386 +@@ -454,7 +450,16 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
1387 + goto verify;
1388 + }
1389 + ext4_lock_group(sb, block_group);
1390 +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
1391 ++ if (ext4_has_group_desc_csum(sb) &&
1392 ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
1393 ++ if (block_group == 0) {
1394 ++ ext4_unlock_group(sb, block_group);
1395 ++ unlock_buffer(bh);
1396 ++ ext4_error(sb, "Block bitmap for bg 0 marked "
1397 ++ "uninitialized");
1398 ++ err = -EFSCORRUPTED;
1399 ++ goto out;
1400 ++ }
1401 + err = ext4_init_block_bitmap(sb, bh, block_group, desc);
1402 + set_bitmap_uptodate(bh);
1403 + set_buffer_uptodate(bh);
1404 +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
1405 +index c8ad14c697c4..f5d9f82b173a 100644
1406 +--- a/fs/ext4/ext4.h
1407 ++++ b/fs/ext4/ext4.h
1408 +@@ -1468,11 +1468,6 @@ static inline struct timespec ext4_current_time(struct inode *inode)
1409 + static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino)
1410 + {
1411 + return ino == EXT4_ROOT_INO ||
1412 +- ino == EXT4_USR_QUOTA_INO ||
1413 +- ino == EXT4_GRP_QUOTA_INO ||
1414 +- ino == EXT4_BOOT_LOADER_INO ||
1415 +- ino == EXT4_JOURNAL_INO ||
1416 +- ino == EXT4_RESIZE_INO ||
1417 + (ino >= EXT4_FIRST_INO(sb) &&
1418 + ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count));
1419 + }
1420 +diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
1421 +index 3c9381547094..2d8e73793512 100644
1422 +--- a/fs/ext4/ext4_extents.h
1423 ++++ b/fs/ext4/ext4_extents.h
1424 +@@ -103,6 +103,7 @@ struct ext4_extent_header {
1425 + };
1426 +
1427 + #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
1428 ++#define EXT4_MAX_EXTENT_DEPTH 5
1429 +
1430 + #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
1431 + (sizeof(struct ext4_extent_header) + \
1432 +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
1433 +index 4705c21f9d03..1708597659a1 100644
1434 +--- a/fs/ext4/extents.c
1435 ++++ b/fs/ext4/extents.c
1436 +@@ -876,6 +876,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
1437 +
1438 + eh = ext_inode_hdr(inode);
1439 + depth = ext_depth(inode);
1440 ++ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
1441 ++ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
1442 ++ depth);
1443 ++ ret = -EFSCORRUPTED;
1444 ++ goto err;
1445 ++ }
1446 +
1447 + if (path) {
1448 + ext4_ext_drop_refs(path);
1449 +diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
1450 +index 9fe55b7d4c2c..48d818eba9c3 100644
1451 +--- a/fs/ext4/ialloc.c
1452 ++++ b/fs/ext4/ialloc.c
1453 +@@ -152,7 +152,16 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
1454 + }
1455 +
1456 + ext4_lock_group(sb, block_group);
1457 +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) {
1458 ++ if (ext4_has_group_desc_csum(sb) &&
1459 ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) {
1460 ++ if (block_group == 0) {
1461 ++ ext4_unlock_group(sb, block_group);
1462 ++ unlock_buffer(bh);
1463 ++ ext4_error(sb, "Inode bitmap for bg 0 marked "
1464 ++ "uninitialized");
1465 ++ err = -EFSCORRUPTED;
1466 ++ goto out;
1467 ++ }
1468 + memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
1469 + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
1470 + sb->s_blocksize * 8, bh->b_data);
1471 +@@ -919,7 +928,8 @@ got:
1472 +
1473 + /* recheck and clear flag under lock if we still need to */
1474 + ext4_lock_group(sb, group);
1475 +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
1476 ++ if (ext4_has_group_desc_csum(sb) &&
1477 ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
1478 + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
1479 + ext4_free_group_clusters_set(sb, gdp,
1480 + ext4_free_clusters_after_init(sb, group, gdp));
1481 +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
1482 +index 3006b81c107f..e72f53a89764 100644
1483 +--- a/fs/ext4/inline.c
1484 ++++ b/fs/ext4/inline.c
1485 +@@ -434,6 +434,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,
1486 +
1487 + memset((void *)ext4_raw_inode(&is.iloc)->i_block,
1488 + 0, EXT4_MIN_INLINE_DATA_SIZE);
1489 ++ memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE);
1490 +
1491 + if (ext4_has_feature_extents(inode->i_sb)) {
1492 + if (S_ISDIR(inode->i_mode) ||
1493 +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
1494 +index 30efeb656c1e..b507de0e4bbf 100644
1495 +--- a/fs/ext4/inode.c
1496 ++++ b/fs/ext4/inode.c
1497 +@@ -380,9 +380,9 @@ static int __check_block_validity(struct inode *inode, const char *func,
1498 + if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk,
1499 + map->m_len)) {
1500 + ext4_error_inode(inode, func, line, map->m_pblk,
1501 +- "lblock %lu mapped to illegal pblock "
1502 ++ "lblock %lu mapped to illegal pblock %llu "
1503 + "(length %d)", (unsigned long) map->m_lblk,
1504 +- map->m_len);
1505 ++ map->m_pblk, map->m_len);
1506 + return -EFSCORRUPTED;
1507 + }
1508 + return 0;
1509 +@@ -3991,7 +3991,8 @@ static int __ext4_get_inode_loc(struct inode *inode,
1510 + int inodes_per_block, inode_offset;
1511 +
1512 + iloc->bh = NULL;
1513 +- if (!ext4_valid_inum(sb, inode->i_ino))
1514 ++ if (inode->i_ino < EXT4_ROOT_INO ||
1515 ++ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count))
1516 + return -EFSCORRUPTED;
1517 +
1518 + iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb);
1519 +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
1520 +index d98ff184d94a..75f79ff29ce0 100644
1521 +--- a/fs/ext4/mballoc.c
1522 ++++ b/fs/ext4/mballoc.c
1523 +@@ -2445,7 +2445,8 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
1524 + * initialize bb_free to be able to skip
1525 + * empty groups without initialization
1526 + */
1527 +- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
1528 ++ if (ext4_has_group_desc_csum(sb) &&
1529 ++ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
1530 + meta_group_info[i]->bb_free =
1531 + ext4_free_clusters_after_init(sb, group, desc);
1532 + } else {
1533 +@@ -2966,7 +2967,8 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
1534 + #endif
1535 + ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start,
1536 + ac->ac_b_ex.fe_len);
1537 +- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
1538 ++ if (ext4_has_group_desc_csum(sb) &&
1539 ++ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
1540 + gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
1541 + ext4_free_group_clusters_set(sb, gdp,
1542 + ext4_free_clusters_after_init(sb,
1543 +diff --git a/fs/ext4/super.c b/fs/ext4/super.c
1544 +index 0e0438b5ddbe..49af3c50b263 100644
1545 +--- a/fs/ext4/super.c
1546 ++++ b/fs/ext4/super.c
1547 +@@ -2102,6 +2102,7 @@ static int ext4_check_descriptors(struct super_block *sb,
1548 + struct ext4_sb_info *sbi = EXT4_SB(sb);
1549 + ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block);
1550 + ext4_fsblk_t last_block;
1551 ++ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1;
1552 + ext4_fsblk_t block_bitmap;
1553 + ext4_fsblk_t inode_bitmap;
1554 + ext4_fsblk_t inode_table;
1555 +@@ -2134,6 +2135,14 @@ static int ext4_check_descriptors(struct super_block *sb,
1556 + if (!(sb->s_flags & MS_RDONLY))
1557 + return 0;
1558 + }
1559 ++ if (block_bitmap >= sb_block + 1 &&
1560 ++ block_bitmap <= last_bg_block) {
1561 ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1562 ++ "Block bitmap for group %u overlaps "
1563 ++ "block group descriptors", i);
1564 ++ if (!(sb->s_flags & MS_RDONLY))
1565 ++ return 0;
1566 ++ }
1567 + if (block_bitmap < first_block || block_bitmap > last_block) {
1568 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1569 + "Block bitmap for group %u not in group "
1570 +@@ -2148,6 +2157,14 @@ static int ext4_check_descriptors(struct super_block *sb,
1571 + if (!(sb->s_flags & MS_RDONLY))
1572 + return 0;
1573 + }
1574 ++ if (inode_bitmap >= sb_block + 1 &&
1575 ++ inode_bitmap <= last_bg_block) {
1576 ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1577 ++ "Inode bitmap for group %u overlaps "
1578 ++ "block group descriptors", i);
1579 ++ if (!(sb->s_flags & MS_RDONLY))
1580 ++ return 0;
1581 ++ }
1582 + if (inode_bitmap < first_block || inode_bitmap > last_block) {
1583 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1584 + "Inode bitmap for group %u not in group "
1585 +@@ -2162,6 +2179,14 @@ static int ext4_check_descriptors(struct super_block *sb,
1586 + if (!(sb->s_flags & MS_RDONLY))
1587 + return 0;
1588 + }
1589 ++ if (inode_table >= sb_block + 1 &&
1590 ++ inode_table <= last_bg_block) {
1591 ++ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1592 ++ "Inode table for group %u overlaps "
1593 ++ "block group descriptors", i);
1594 ++ if (!(sb->s_flags & MS_RDONLY))
1595 ++ return 0;
1596 ++ }
1597 + if (inode_table < first_block ||
1598 + inode_table + sbi->s_itb_per_group - 1 > last_block) {
1599 + ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
1600 +@@ -2842,13 +2867,22 @@ static ext4_group_t ext4_has_uninit_itable(struct super_block *sb)
1601 + ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count;
1602 + struct ext4_group_desc *gdp = NULL;
1603 +
1604 ++ if (!ext4_has_group_desc_csum(sb))
1605 ++ return ngroups;
1606 ++
1607 + for (group = 0; group < ngroups; group++) {
1608 + gdp = ext4_get_group_desc(sb, group, NULL);
1609 + if (!gdp)
1610 + continue;
1611 +
1612 +- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)))
1613 ++ if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))
1614 ++ continue;
1615 ++ if (group != 0)
1616 + break;
1617 ++ ext4_error(sb, "Inode table for bg 0 marked as "
1618 ++ "needing zeroing");
1619 ++ if (sb->s_flags & MS_RDONLY)
1620 ++ return ngroups;
1621 + }
1622 +
1623 + return group;
1624 +@@ -3451,6 +3485,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1625 + le32_to_cpu(es->s_log_block_size));
1626 + goto failed_mount;
1627 + }
1628 ++ if (le32_to_cpu(es->s_log_cluster_size) >
1629 ++ (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
1630 ++ ext4_msg(sb, KERN_ERR,
1631 ++ "Invalid log cluster size: %u",
1632 ++ le32_to_cpu(es->s_log_cluster_size));
1633 ++ goto failed_mount;
1634 ++ }
1635 +
1636 + if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
1637 + ext4_msg(sb, KERN_ERR,
1638 +@@ -3515,6 +3556,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1639 + } else {
1640 + sbi->s_inode_size = le16_to_cpu(es->s_inode_size);
1641 + sbi->s_first_ino = le32_to_cpu(es->s_first_ino);
1642 ++ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) {
1643 ++ ext4_msg(sb, KERN_ERR, "invalid first ino: %u",
1644 ++ sbi->s_first_ino);
1645 ++ goto failed_mount;
1646 ++ }
1647 + if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) ||
1648 + (!is_power_of_2(sbi->s_inode_size)) ||
1649 + (sbi->s_inode_size > blocksize)) {
1650 +@@ -3591,13 +3637,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1651 + "block size (%d)", clustersize, blocksize);
1652 + goto failed_mount;
1653 + }
1654 +- if (le32_to_cpu(es->s_log_cluster_size) >
1655 +- (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) {
1656 +- ext4_msg(sb, KERN_ERR,
1657 +- "Invalid log cluster size: %u",
1658 +- le32_to_cpu(es->s_log_cluster_size));
1659 +- goto failed_mount;
1660 +- }
1661 + sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) -
1662 + le32_to_cpu(es->s_log_block_size);
1663 + sbi->s_clusters_per_group =
1664 +@@ -3618,10 +3657,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1665 + }
1666 + } else {
1667 + if (clustersize != blocksize) {
1668 +- ext4_warning(sb, "fragment/cluster size (%d) != "
1669 +- "block size (%d)", clustersize,
1670 +- blocksize);
1671 +- clustersize = blocksize;
1672 ++ ext4_msg(sb, KERN_ERR,
1673 ++ "fragment/cluster size (%d) != "
1674 ++ "block size (%d)", clustersize, blocksize);
1675 ++ goto failed_mount;
1676 + }
1677 + if (sbi->s_blocks_per_group > blocksize * 8) {
1678 + ext4_msg(sb, KERN_ERR,
1679 +@@ -3675,6 +3714,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1680 + ext4_blocks_count(es));
1681 + goto failed_mount;
1682 + }
1683 ++ if ((es->s_first_data_block == 0) && (es->s_log_block_size == 0) &&
1684 ++ (sbi->s_cluster_ratio == 1)) {
1685 ++ ext4_msg(sb, KERN_WARNING, "bad geometry: first data "
1686 ++ "block is 0 with a 1k block and cluster size");
1687 ++ goto failed_mount;
1688 ++ }
1689 ++
1690 + blocks_count = (ext4_blocks_count(es) -
1691 + le32_to_cpu(es->s_first_data_block) +
1692 + EXT4_BLOCKS_PER_GROUP(sb) - 1);
1693 +@@ -3710,6 +3756,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
1694 + ret = -ENOMEM;
1695 + goto failed_mount;
1696 + }
1697 ++ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) !=
1698 ++ le32_to_cpu(es->s_inodes_count)) {
1699 ++ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu",
1700 ++ le32_to_cpu(es->s_inodes_count),
1701 ++ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group));
1702 ++ ret = -EINVAL;
1703 ++ goto failed_mount;
1704 ++ }
1705 +
1706 + bgl_lock_init(sbi->s_blockgroup_lock);
1707 +
1708 +@@ -4388,6 +4442,14 @@ static int ext4_commit_super(struct super_block *sb, int sync)
1709 +
1710 + if (!sbh || block_device_ejected(sb))
1711 + return error;
1712 ++
1713 ++ /*
1714 ++ * The superblock bh should be mapped, but it might not be if the
1715 ++ * device was hot-removed. Not much we can do but fail the I/O.
1716 ++ */
1717 ++ if (!buffer_mapped(sbh))
1718 ++ return error;
1719 ++
1720 + if (buffer_write_io_error(sbh)) {
1721 + /*
1722 + * Oh, dear. A previous attempt to write the
1723 +diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
1724 +index f3a31f55f372..bce343febb9e 100644
1725 +--- a/fs/jbd2/transaction.c
1726 ++++ b/fs/jbd2/transaction.c
1727 +@@ -1363,6 +1363,13 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh)
1728 + if (jh->b_transaction == transaction &&
1729 + jh->b_jlist != BJ_Metadata) {
1730 + jbd_lock_bh_state(bh);
1731 ++ if (jh->b_transaction == transaction &&
1732 ++ jh->b_jlist != BJ_Metadata)
1733 ++ pr_err("JBD2: assertion failure: h_type=%u "
1734 ++ "h_line_no=%u block_no=%llu jlist=%u\n",
1735 ++ handle->h_type, handle->h_line_no,
1736 ++ (unsigned long long) bh->b_blocknr,
1737 ++ jh->b_jlist);
1738 + J_ASSERT_JH(jh, jh->b_transaction != transaction ||
1739 + jh->b_jlist == BJ_Metadata);
1740 + jbd_unlock_bh_state(bh);
1741 +@@ -1382,11 +1389,11 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh)
1742 + * of the transaction. This needs to be done
1743 + * once a transaction -bzzz
1744 + */
1745 +- jh->b_modified = 1;
1746 + if (handle->h_buffer_credits <= 0) {
1747 + ret = -ENOSPC;
1748 + goto out_unlock_bh;
1749 + }
1750 ++ jh->b_modified = 1;
1751 + handle->h_buffer_credits--;
1752 + }
1753 +
1754 +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
1755 +index 7fd6f5a26143..e212ec4cfb4e 100644
1756 +--- a/kernel/trace/trace_functions_graph.c
1757 ++++ b/kernel/trace/trace_functions_graph.c
1758 +@@ -768,6 +768,7 @@ print_graph_entry_leaf(struct trace_iterator *iter,
1759 + struct ftrace_graph_ret *graph_ret;
1760 + struct ftrace_graph_ent *call;
1761 + unsigned long long duration;
1762 ++ int cpu = iter->cpu;
1763 + int i;
1764 +
1765 + graph_ret = &ret_entry->ret;
1766 +@@ -776,7 +777,6 @@ print_graph_entry_leaf(struct trace_iterator *iter,
1767 +
1768 + if (data) {
1769 + struct fgraph_cpu_data *cpu_data;
1770 +- int cpu = iter->cpu;
1771 +
1772 + cpu_data = per_cpu_ptr(data->cpu_data, cpu);
1773 +
1774 +@@ -806,6 +806,9 @@ print_graph_entry_leaf(struct trace_iterator *iter,
1775 +
1776 + trace_seq_printf(s, "%ps();\n", (void *)call->func);
1777 +
1778 ++ print_graph_irq(iter, graph_ret->func, TRACE_GRAPH_RET,
1779 ++ cpu, iter->ent->pid, flags);
1780 ++
1781 + return trace_handle_return(s);
1782 + }
1783 +
1784 +diff --git a/mm/hugetlb.c b/mm/hugetlb.c
1785 +index 7294301d8495..a813b03021b7 100644
1786 +--- a/mm/hugetlb.c
1787 ++++ b/mm/hugetlb.c
1788 +@@ -2038,6 +2038,7 @@ static void __init gather_bootmem_prealloc(void)
1789 + */
1790 + if (hstate_is_gigantic(h))
1791 + adjust_managed_page_count(page, 1 << h->order);
1792 ++ cond_resched();
1793 + }
1794 + }
1795 +
1796 +diff --git a/mm/page_alloc.c b/mm/page_alloc.c
1797 +index a4c9cd80c7b6..fd75e27c9b40 100644
1798 +--- a/mm/page_alloc.c
1799 ++++ b/mm/page_alloc.c
1800 +@@ -3109,8 +3109,6 @@ retry:
1801 + * the allocation is high priority and these type of
1802 + * allocations are system rather than user orientated
1803 + */
1804 +- ac->zonelist = node_zonelist(numa_node_id(), gfp_mask);
1805 +-
1806 + page = __alloc_pages_high_priority(gfp_mask, order, ac);
1807 +
1808 + if (page) {
1809 +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
1810 +index 9d144cbd4e62..03ebff3950d8 100644
1811 +--- a/net/ipv4/fib_semantics.c
1812 ++++ b/net/ipv4/fib_semantics.c
1813 +@@ -980,7 +980,7 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg)
1814 + return -EINVAL;
1815 + } else {
1816 + if (nla_len(nla) != sizeof(u32))
1817 +- return false;
1818 ++ return -EINVAL;
1819 + val = nla_get_u32(nla);
1820 + }
1821 + if (type == RTAX_ADVMSS && val > 65535 - 40)
1822 +diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
1823 +index 2c89f90cd7bc..f94a2e1172f0 100644
1824 +--- a/net/netfilter/nf_log.c
1825 ++++ b/net/netfilter/nf_log.c
1826 +@@ -422,14 +422,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
1827 + rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
1828 + mutex_unlock(&nf_log_mutex);
1829 + } else {
1830 ++ struct ctl_table tmp = *table;
1831 ++
1832 ++ tmp.data = buf;
1833 + mutex_lock(&nf_log_mutex);
1834 + logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
1835 + if (!logger)
1836 +- table->data = "NONE";
1837 ++ strlcpy(buf, "NONE", sizeof(buf));
1838 + else
1839 +- table->data = logger->name;
1840 +- r = proc_dostring(table, write, buffer, lenp, ppos);
1841 ++ strlcpy(buf, logger->name, sizeof(buf));
1842 + mutex_unlock(&nf_log_mutex);
1843 ++ r = proc_dostring(&tmp, write, buffer, lenp, ppos);
1844 + }
1845 +
1846 + return r;
1847 +diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
1848 +index f3695a497408..99bc2f87a974 100644
1849 +--- a/net/netfilter/nf_tables_core.c
1850 ++++ b/net/netfilter/nf_tables_core.c
1851 +@@ -167,7 +167,8 @@ next_rule:
1852 +
1853 + switch (regs.verdict.code) {
1854 + case NFT_JUMP:
1855 +- BUG_ON(stackptr >= NFT_JUMP_STACK_SIZE);
1856 ++ if (WARN_ON_ONCE(stackptr >= NFT_JUMP_STACK_SIZE))
1857 ++ return NF_DROP;
1858 + jumpstack[stackptr].chain = chain;
1859 + jumpstack[stackptr].rule = rule;
1860 + jumpstack[stackptr].rulenum = rulenum;
Report Message
Find on MARC Find on Google Groups